Example #1
0
        static void Main(string[] args)
        {
            Process.EnterDebugMode();
            Process[] wow = Process.GetProcessesByName("WoW");
            IntPtr hProcess = OpenProcess(0x1F0FFF, false, (uint)wow[0].Id);

            //allocate memory for codecave
            uint dwBaseAddress = VirtualAllocEx(hProcess, 0, 0x1000, 0x1000, 0x40);

            Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(hProcess);
            fasm.SetMemorySize(0x500);
            //fasm.AddLine("org " + dwBaseAddress.ToString("X")); //not necessary, .Inject does automatically
            fasm.AddLine("retn");
            fasm.AddLine("jmp 0x410000");
            fasm.AddLine("call 0x410000");
            byte[] a = fasm.Assemble();

            fasm.InjectAndExecute(hProcess, dwBaseAddress);
            fasm.Dispose();

            VirtualFreeEx(hProcess, dwBaseAddress, 0, 0x8000); //release memory
        }
        static void Main(string[] args)
        {
            Process.EnterDebugMode();
            Process[] wow      = Process.GetProcessesByName("WoW");
            IntPtr    hProcess = OpenProcess(0x1F0FFF, false, (uint)wow[0].Id);

            //allocate memory for codecave
            uint dwBaseAddress = VirtualAllocEx(hProcess, 0, 0x1000, 0x1000, 0x40);

            Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(hProcess);
            fasm.SetMemorySize(0x500);
            //fasm.AddLine("org " + dwBaseAddress.ToString("X")); //not necessary, .Inject does automatically
            fasm.AddLine("retn");
            fasm.AddLine("jmp 0x410000");
            fasm.AddLine("call 0x410000");
            byte[] a = fasm.Assemble();

            fasm.InjectAndExecute(hProcess, dwBaseAddress);
            fasm.Dispose();

            VirtualFreeEx(hProcess, dwBaseAddress, 0, 0x8000);             //release memory
        }
Example #3
0
        public static uint ClickBox(uint x, uint y)
        {
            uint codeCave = MineProcess.AllocateMemory();
            uint result = 0;

            Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(MineProcess.ProcessHandle);
            fasm.AddLine("push {0}", y);
            fasm.AddLine("push {0}", x);
            fasm.AddLine("mov eax, 0x1003512");
            fasm.AddLine("call eax");
            fasm.AddLine("retn");

            try
            {
                result = fasm.InjectAndExecute(codeCave);
            }
            finally
            {
                MineProcess.FreeMemory(codeCave);
            }

            return result;
        }
Example #4
0
        public static uint ClickBox(uint x, uint y)
        {
            uint codeCave = MineProcess.AllocateMemory();
            uint result   = 0;

            Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(MineProcess.ProcessHandle);
            fasm.AddLine("push {0}", y);
            fasm.AddLine("push {0}", x);
            fasm.AddLine("mov eax, 0x1003512");
            fasm.AddLine("call eax");
            fasm.AddLine("retn");

            try
            {
                result = fasm.InjectAndExecute(codeCave);
            }
            finally
            {
                MineProcess.FreeMemory(codeCave);
            }

            return(result);
        }
        /// <summary>
        /// Create a CLR in the target process that will load the assembly
        /// </summary>
        /// <param name="pId">Process Id to inject</param>
        /// <param name="Assembly">Type of the EntryPoint</param>
        /// <param name="Argument">Argement to pass to the Assembly</param>
        public bool InjectAndWait(Type Assembly, string Argument = "")
        {
            if (Process.HasExited)
            {
                throw new Exception("Process no longer exist!");
            }

            IntPtr handle = OpenProcess(ProcessAccessFlags.All, false, Process.Id);

            if (handle == IntPtr.Zero)
            {
                throw new Exception("Error opening process!");
            }

            //MethodInfo startMethod = Assembly.GetMethods(BindingFlags.Static | BindingFlags.Public).First(
            //   m => m.GetCustomAttributes(false).OfType<Dysis.JC2.EntryPoint>().Any());

            MethodInfo startMethod = Assembly.GetMethods(BindingFlags.Static | BindingFlags.Public).First(
                m => m.GetCustomAttributes(false).OfType <EntryPoint>().Any());

            if (startMethod == null)
            {
                throw new EntryPointNotFoundException("Make sure the [EntryPoint] attribute is set on a static public method in the class");
            }

            var AssemblyPath = (new Uri(Assembly.Module.Assembly.CodeBase)).AbsolutePath;
            var TypeName     = startMethod.DeclaringType.FullName;
            var MethodName   = startMethod.Name;

            string CLRVersion = "v4.0.30319";

            Guid CLSID_CLRMetaHostGuid    = new Guid(0x9280188D, 0xE8E, 0x4867, 0xb3, 0x0C, 0x7F, 0xA8, 0x38, 0x84, 0xE8, 0xDE);
            Guid IID_ICLRMetaHostGuid     = new Guid(0xD332DB9E, 0xB9B3, 0x4125, 0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16);
            Guid IID_ICLRRuntimeInfoGuid  = new Guid(0xBD39D1D2, 0xBA2F, 0x486a, 0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91);
            Guid CLSID_CLRRuntimeHostGuid = new Guid(0x90F1A06E, 0x7712, 0x4762, 0x86, 0xB5, 0x7A, 0x5E, 0xBA, 0x6B, 0xDB, 0x02);
            Guid IID_ICLRRuntimeHostGuid  = new Guid(0x90F1A06C, 0x7712, 0x4762, 0x86, 0xB5, 0x7A, 0x5E, 0xBA, 0x6B, 0xDB, 0x02);

            IntPtr CLRCreateInstancePtr = GetProcAddress(GetModuleHandle("mscoree.dll"), "CLRCreateInstance");

            if (CLRCreateInstancePtr == IntPtr.Zero)
            {
                throw new Exception("Could not find mscoree.dll, make sure you have .NET installed");
            }

            IntPtr result = InjectDllCreateThread(handle, GetMsCoree.FileName);

            if (handle == null)
            {
                throw new Exception("Could not open the process");
            }

            //Allocate 1 block of memory in target process
            MemoryAlloc = VirtualAllocEx(handle, IntPtr.Zero, 1000, AllocationType.Commit, MemoryProtection.ExecuteReadWrite);

            IntPtr VersionStringPtr = MemoryAlloc;
            IntPtr AssemblyPathPtr  = VersionStringPtr + CLRVersion.Length * 2 + 2;  //Unicode
            IntPtr TypeNamePtr      = AssemblyPathPtr + AssemblyPath.Length * 2 + 2; //Unicode
            IntPtr MethodNamePtr    = TypeNamePtr + TypeName.Length * 2 + 2;         //Unicode
            IntPtr ArgumentPtr      = MethodNamePtr + MethodName.Length * 2 + 2;     //Unicode

            IntPtr CLSID_CLRMetaHostPtr    = ArgumentPtr + Argument.Length * 2 + 2;  //Unicode
            IntPtr IID_ICLRMetaHostPtr     = CLSID_CLRMetaHostPtr + Marshal.SizeOf(CLSID_CLRMetaHostGuid) + 1;
            IntPtr IID_ICLRRuntimeInfoPtr  = IID_ICLRMetaHostPtr + Marshal.SizeOf(IID_ICLRMetaHostGuid) + 1;
            IntPtr CLSID_CLRRuntimeHostPtr = IID_ICLRRuntimeInfoPtr + Marshal.SizeOf(IID_ICLRRuntimeInfoGuid) + 1;
            IntPtr IID_ICLRRuntimeHostPtr  = CLSID_CLRRuntimeHostPtr + Marshal.SizeOf(CLSID_CLRRuntimeHostGuid) + 1;

            IntPtr codeCave_Code = IID_ICLRRuntimeHostPtr + Marshal.SizeOf(IID_ICLRRuntimeHostGuid) + 1;

            //Copy values in target process
            WriteUnicodeString(handle, VersionStringPtr, CLRVersion);
            WriteUnicodeString(handle, AssemblyPathPtr, AssemblyPath);
            WriteUnicodeString(handle, TypeNamePtr, TypeName);
            WriteUnicodeString(handle, MethodNamePtr, MethodName);
            WriteUnicodeString(handle, ArgumentPtr, Argument);

            WriteBytes(handle, CLSID_CLRMetaHostPtr, CLSID_CLRMetaHostGuid.ToByteArray());
            WriteBytes(handle, IID_ICLRMetaHostPtr, IID_ICLRMetaHostGuid.ToByteArray());
            WriteBytes(handle, IID_ICLRRuntimeInfoPtr, IID_ICLRRuntimeInfoGuid.ToByteArray());
            WriteBytes(handle, CLSID_CLRRuntimeHostPtr, CLSID_CLRRuntimeHostGuid.ToByteArray());
            WriteBytes(handle, IID_ICLRRuntimeHostPtr, IID_ICLRRuntimeHostGuid.ToByteArray());

            Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(handle);

            //Local variables
            //dwRet ebp-0x2c
            //Host ebp-0x20
            //Info ebp-0x14
            //MetaHost ebp-0x8

            fasm.AddLine("push ebp");
            fasm.AddLine("mov ebp, esp");
            fasm.AddLine("sub esp, 0x38");

            //hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost,(PVOID*)&MetaHost);
            fasm.AddLine("lea eax, [ebp-0x8]"); //MetaHost
            fasm.AddLine("push eax");
            fasm.AddLine("push " + IID_ICLRMetaHostPtr);
            fasm.AddLine("push " + CLSID_CLRMetaHostPtr);
            fasm.AddLine("call " + CLRCreateInstancePtr);

            //hr = MetaHost->GetRuntime(TEXT("v4.0.30319"), IID_ICLRRuntimeInfo, (PVOID*)&Info);
            fasm.AddLine("lea eax, [ebp-0x14]"); //Info
            fasm.AddLine("push eax");
            fasm.AddLine("push " + IID_ICLRRuntimeInfoPtr);
            fasm.AddLine("push " + VersionStringPtr);
            fasm.AddLine("mov eax, [ebp-0x8]"); //MetaHost
            fasm.AddLine("push eax");           // This push
            fasm.AddLine("mov eax, [eax]");     //Pointer to Instance
            fasm.AddLine("mov eax, [eax+0xC]"); // GetRuntime vTable
            fasm.AddLine("call eax");           //GetRuntime

            //hr = Info->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (PVOID*)&Host);
            fasm.AddLine("lea eax, [ebp-0x20]"); //Host
            fasm.AddLine("push eax");
            fasm.AddLine("push " + IID_ICLRRuntimeHostPtr);
            fasm.AddLine("push " + CLSID_CLRRuntimeHostPtr);
            fasm.AddLine("mov eax, [ebp-0x14]"); //Info
            fasm.AddLine("push eax");            // This push
            fasm.AddLine("mov eax, [eax]");      //Pointer to Instance
            fasm.AddLine("mov eax, [eax+0x24]"); // GetInterface vTable
            fasm.AddLine("call eax");            //GetInterface

            //hr = Host->Start();
            fasm.AddLine("mov eax, [ebp-0x20]"); //Host
            fasm.AddLine("push eax");
            fasm.AddLine("mov eax, [eax]");      //Pointer to Instance
            fasm.AddLine("mov eax, [eax+0xC]");  // Start vTable
            fasm.AddLine("call eax");            //Start

            //hr = Host->ExecuteInDefaultAppDomain(
            //AssemblyPath, TypeName, MethodName, Argument, &dwRet);
            fasm.AddLine("lea eax, [ebp-0x2C]"); //dwRet
            fasm.AddLine("push eax");
            fasm.AddLine("push " + ArgumentPtr);
            fasm.AddLine("push " + MethodNamePtr);
            fasm.AddLine("push " + TypeNamePtr);
            fasm.AddLine("push " + AssemblyPathPtr);
            fasm.AddLine("mov eax, [ebp-0x20]"); //Host
            fasm.AddLine("push eax");            // This push
            fasm.AddLine("mov eax, [eax]");      //Pointer to Instance
            fasm.AddLine("mov eax, [eax+0x2C]"); // ExecuteInDefaultAppDomain vTable
            fasm.AddLine("call eax");

            //hr = Host->Stop();
            fasm.AddLine("mov eax, [ebp-0x20]"); //Host
            fasm.AddLine("push eax");            // This push
            fasm.AddLine("mov eax, [eax]");      //Pointer to Instance
            fasm.AddLine("mov eax, [eax+0x10]"); // Stop vTable
            fasm.AddLine("call eax");            //Start

            //Host->Release();   This crash Fasm for some reason

            /*fasm.AddLine("mov eax, [ebp-0x20]"); //Host
             * fasm.AddLine("push eax"); // This push
             * fasm.AddLine("mov eax, [eax]"); //Pointer to Instance
             * fasm.AddLine("mov eax, [eax+0x8]"); // Release vTable
             * fasm.AddLine("call eax"); //Release*/

            fasm.AddLine("add esp, 0x38");
            fasm.AddLine("mov esp, ebp");
            fasm.AddLine("pop ebp");

            fasm.AddLine("retn");

            //Inject ASM
            bool injected = fasm.Inject((uint)codeCave_Code);

            IntPtr lpThreadId;

            //Execute the codecave
            IntPtr hThread = CreateRemoteThread(handle, IntPtr.Zero, 0, codeCave_Code, IntPtr.Zero, ThreadFlags.THREAD_EXECUTE_IMMEDIATELY, out lpThreadId);

            if (hThread == IntPtr.Zero)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            Injected = true;

            //Wait till ExecuteInDefaultAppDomain end.
            if (WaitForSingleObject(hThread, (uint)ThreadWaitValues.INFINITE) != (uint)ThreadWaitValues.WAIT_OBJECT_0)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            Injected = false;

            IntPtr lpExitCode;

            if (!GetExitCodeThread(hThread, out lpExitCode))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            //Clean up
            VirtualFreeEx(handle, MemoryAlloc, 0, FreeType.Release);
            CloseHandle(handle);

            return(true);
        }