Option Explicit
'''''''''''''''''''''''''''''''''''''''''''''''''
' Autor: RHL
' Email: opRhl@hotmail.com
' Not remove this text
'''''''''''''''''''''''''''''''''''''''''''''''''
Private Declare Sub RtlMoveMemory Lib "Kernel32.dll" (Dest As Any, Src As Any, ByVal ln As Long)
Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Type KBDLLHOOKSTRUCT
vkCode As Long
scanCode As Long
flags As Long
time As Long
dwExtraInfo As Long
End Type
Private Const MSGTEXT As String = "DATA"
Private Const VKC As String = vbCrLf & "VKC: "
Private Const SCC As String = vbCrLf & "SCC: "
Private Const FLG As String = vbCrLf & "FLG: "
Private Const TME As String = vbCrLf & "TME: "
Private Const EXI As String = vbCrLf & "EXI: "
Private Const MSGCaption As String = vbCrLf & "DATA"
Public Const WH_KEYBOARD_LL As Long = 13&
Public Const SH As String = "558BEC5352578B450883F8007C3483F800752F8B550C81FA040100007D2781FA000100007522BFXXXXXXXX8B5D10558BEBB9050000008B4500890783C70483C504E2F35DE8XXXXXXXX8B15XXXXXXXXFF7510FF750CFF750852E8XXXXXXXX5F5A5B8BE55DC20C00"
private KB As KBDLLHOOKSTRUCT
private hwHook As Long
private runCode(108) As Byte
Public Function Reghook(ByVal hw As Long) As Boolean
hwHook = SetWindowsHookEx(WH_KEYBOARD_LL, AddressOf FncVBASM, App.hInstance, 0)
If hwHook Then Reghook = True
End Function
Public Sub UnHook(ByVal hw As Long)
UnhookWindowsHookEx hwHook
End Sub
' shellcode to execute
'MOV EAX,0B0
'PUSH EBP
'MOV EBP,ESP
'PUSH EBX
'PUSH EDX
'PUSH EDI
'MOV EAX,DWORD PTR SS:[EBP+8]
'CMP EAX,0
'JL $+XX
'CMP EAX,0
'JNZ $+XX
'MOV EDX,DWORD PTR SS:[EBP+C]
'CMP EDX,104
'JGE $+XX
'CMP EDX,100
'JNZ $+XX
'MOV EDI,[Struct KB]
'MOV EBX,DWORD PTR SS:[EBP+10]
'PUSH EBP
'MOV EBP,EBX
'MOV ECX,5
'MOV EAX,DWORD PTR SS:[EBP]
'MOV DWORD PTR DS:[EDI],EAX
'ADD EDI,4
'ADD EBP,4
'LOOP $
'POP EBP
'CALL MSG
'MOV EDX,DWORD PTR DS:[hHook]
'PUSH DWORD PTR SS:[EBP+10]
'PUSH DWORD PTR SS:[EBP+C]
'PUSH DWORD PTR SS:[EBP+8]
'PUSH EDX
'CALL CallNextHookEx
'POP EDI
'POP EDX
'POP EBX
'MOV ESP,EBP
'POP EBP
'RETN 0C
Public Function FncVBASM(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
FncVBASM = &H50
FncVBASM = FncVBASM + &H60
FncVBASM = FncVBASM + &H10
FncVBASM = FncVBASM + &H80
FncVBASM = FncVBASM + &H40
FncVBASM = FncVBASM + &H20
FncVBASM = FncVBASM + &H100
FncVBASM = FncVBASM - &H200
FncVBASM = FncVBASM * &H2
FncVBASM = FncVBASM - &H150
FncVBASM = FncVBASM + &H20
FncVBASM = FncVBASM + &H10
FncVBASM = FncVBASM + &H60
FncVBASM = FncVBASM + &H10
FncVBASM = FncVBASM + &H40
FncVBASM = FncVBASM + &H60
FncVBASM = FncVBASM + &H10
FncVBASM = FncVBASM + &H40
FncVBASM = FncVBASM + &H6
FncVBASM = FncVBASM + &H79
FncVBASM = FncVBASM + &H9
End Function
Public Function PreCodASM(lpFunctASM As Long) As Boolean
Dim Protect As Long
Dim lsize As Long
Dim i As Long
Dim tLng As Long
Dim tSC As String
Dim addrMSG As Long
tSC = SH
addrMSG = Getaddrf(AddressOf MSG)
tLng = getAddrCNHE
Mid(tSC, 79, 8) = Hex$(Invertlong(VarPtr(KB)))
Mid(tSC, 139, 8) = Hex$(Invertlong(addrMSG - &H5 - (lpFunctASM + 73)))
Mid(tSC, 151, 8) = Hex$(Invertlong(VarPtr(hwHook)))
Mid(tSC, 181, 8) = Hex$(Invertlong(tLng - &H5 - (lpFunctASM + 94)))
lsize = Len(tSC) \ 2
For i = 0 To lsize - 1
runCode(i) = CLng("&H" & Mid$(tSC, i * 2 + 1, 2))
Next
If 0 = VirtualProtect(ByVal lpFunctASM, lsize + 5, PAGE_EXECUTE_READWRITE, Protect) Then Exit Function
RtlMoveMemory ByVal lpFunctASM + &H5, ByVal VarPtr(runCode(0)), lsize
VirtualProtect ByVal lpFunctASM, lsize + 5, Protect, Protect
PreCodASM = True
End Function
Private Function Invertlong(ByVal llng As Long) As Long
Dim t As Long
t = (((llng And &HFF000000) \ &H1000000) And &HFF&) Or ((llng And &HFF0000) \ &H100&) Or ((llng And &HFF00&) * &H100&) Or ((llng And &H7F&) * &H1000000): If (llng And &H80&) Then t = t Or &H80000000
Invertlong = t
End Function
Private Function getAddrCNHE() As Long
Dim AddrUSER As Long
AddrUSER = GetModuleHandle("user32.dll")
getAddrCNHE = GetProcAddress(AddrUSER, "CallNextHookEx")
End Function
Public Function Getaddrf(lp As Long) As Long
Getaddrf = lp
End Function
Public Sub MSG()
MsgBox MSGTEXT & VKC & KB.vkCode & SCC & KB.scanCode & FLG & KB.flags & TME & KB.time & EXI & KB.dwExtraInfo, 0, MSGCaption
' EAX = 0
End Sub
'''''''''''''''''''''''''''''''''''''''''''''''''
' Autor: RHL
' Email: opRhl@hotmail.com
' Not remove this text
'''''''''''''''''''''''''''''''''''''''''''''''''