/// <summary> /// /// </summary> /// <param name="module">Main module of process being analyzed</param> /// <param name="processPID">Process id of process being analyzed</param> /// <returns></returns> private bool HasRunPE(ProcessModule module, int processPID) { //Catch if process has been killed already //try //{ // Process.GetProcessById(processPID); //} //catch //{ // return false; //} string modulePath = module.FileName; PEInfomation procPE = PELoader.Load(processPID, module); PEInfomation filePE = PELoader.Load(modulePath); int unmachedValues = 0; unmachedValues += ScanType(procPE.FileHeader, filePE.FileHeader); // File Header unmachedValues += ScanType(procPE.OptionalHeader32, filePE.OptionalHeader32); // Optional Header int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections)); for (int i = 0; i < sectionAmmount; i++) { unmachedValues += ScanType(procPE.Sections[i], filePE.Sections[i]); } return(unmachedValues >= 8); }
public static void LoadDll(int pID, byte[] dllBytes) { PEInfomation dllPE = PELoader.Load(dllBytes, string.Empty); IntPtr pHandle = PELoader.OpenProcessHandle(pID); if (pHandle == IntPtr.Zero) { throw new Exception("Invalid PID"); } IntPtr vAlloc = NativeMethods.VirtualAllocEx(pHandle, 0, dllPE.Overview.SizeOfImage, 0x1000, 0x40); if (vAlloc == IntPtr.Zero) { throw new Exception("Alloc failed"); } NativeMethods.WriteProcessMemory(pHandle, vAlloc, dllBytes, dllPE.Overview.SizeOfHeaders, 0); foreach (var section in dllPE.Sections) { byte[] sData = new byte[section.VirtualSize]; Buffer.BlockCopy(dllBytes, (int)section.PointerToRawData, sData, 0, sData.Length); NativeMethods.WriteProcessMemory(pHandle, new IntPtr(vAlloc.ToInt32() + section.VirtualAddress), sData, (uint)sData.Length, 0); } }
private void processToolStripMenuItem1_Click(object sender, EventArgs e) { using (formLoadProcess procLoadForm = new formLoadProcess()) { if (procLoadForm.ShowDialog() == DialogResult.OK) { LoadedPE = PELoader.Load(procLoadForm.SelectedProcessID, procLoadForm.SelectedModule); LoadedPE.PESource = string.Format("Process: {0}", procLoadForm.ProcessName); lbCurrentSection.Text = "Overview"; PopulateInfo(LoadedPE.Overview, false); } } }
private void button1_Click(object sender, EventArgs e) { lbProcessList.Items.Clear(); lvFileList.Items.Clear(); ProcessModule moduleToScan = null; int pid = 0; using (formLoadProcess procLoadForm = new formLoadProcess()) { if (procLoadForm.ShowDialog() != DialogResult.OK) { return; } this.Text = string.Format("{0} ({1})", WindowText, procLoadForm.ProcessName); moduleToScan = procLoadForm.SelectedModule; pid = procLoadForm.SelectedProcessID; } string modulePath = moduleToScan.FileName; PEInfomation procPE = PELoader.Load(pid, moduleToScan); PEInfomation filePE = PELoader.Load(modulePath); int unmachedValues = 0; unmachedValues += ScanType <IMAGE_FILE_HEADER>(procPE.FileHeader, filePE.FileHeader, "File Header"); unmachedValues += ScanType <IMAGE_OPTIONAL_HEADER32>(procPE.OptionalHeader32, filePE.OptionalHeader32, "Optional Header", "ImageBase"); int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections)); for (int i = 0; i < sectionAmmount; i++) { unmachedValues += ScanType <IMAGE_SECTION_HEADER>(procPE.Sections[i], filePE.Sections[i], string.Format("Section {0}", i + 1)); } Color tColor = Color.Green; string warningText = "No RunPE Found (0 Unmached values)"; if (unmachedValues >= 1) { tColor = Color.DarkTurquoise; warningText = string.Format("Possable RunPe ({0} Unmaching values)", unmachedValues); } if (unmachedValues > 4) { tColor = Color.Red; warningText = string.Format("RunPe Found ({0} Unmaching values)", unmachedValues); } lbRunpeStatus.Text = warningText; lbRunpeStatus.ForeColor = tColor; }
private void fileToolStripMenuItem1_Click(object sender, EventArgs e) { using (OpenFileDialog ofd = new OpenFileDialog()) { ofd.Filter = "Executable|*.exe|Library|*.dll"; if (ofd.ShowDialog() == DialogResult.OK) { LoadedPE = PELoader.Load(ofd.FileName); LoadedPE.PESource = ofd.FileName; lbCurrentSection.Text = "Overview"; PopulateInfo(LoadedPE.Overview, false); } } }
public ModuleListViewItem(int procID, IntPtr _handle) { ModuleInfomation = PELoader.Load(procID, _handle); Handle = _handle; ProcessHandle = ModuleInfomation.GetProcessHandle(); StringBuilder sb = new StringBuilder(255); NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255); ModulePath = sb.ToString(); Text = Path.GetFileName(ModulePath); SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64())); SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString()); if (!string.IsNullOrEmpty(Text)) { SubItems.Add(ModulePath); } else { SubItems.Add("Byte loaded"); } }
private bool ExtractCurrentData(string il2cppPath, string metadataPath, out Il2Cpp il2Cpp, out Il2CppExecutor executor, out Metadata metadata) { il2Cpp = null; executor = null; metadata = null; var metadataBytes = File.ReadAllBytes(metadataPath); metadata = new Metadata(new MemoryStream(metadataBytes)); var il2cppBytes = File.ReadAllBytes(il2cppPath); var il2cppMagic = BitConverter.ToUInt32(il2cppBytes, 0); var il2CppMemory = new MemoryStream(il2cppBytes); if (il2cppMagic != IL2CPPMAGIC_PE) { throw new Exception("Unexpected il2cpp magic number."); } il2Cpp = new PE(il2CppMemory); il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages); if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped) { metadata.Address = Convert.ToUInt64(Console.ReadLine(), 16); } try { var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { if (!flag && il2Cpp is PE) { il2Cpp = PELoader.Load(il2cppPath); il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages); flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); } } if (!flag) { flag = il2Cpp.Search(); } if (!flag) { flag = il2Cpp.SymbolSearch(); } if (!flag) { var codeRegistration = Convert.ToUInt64(Console.ReadLine(), 16); var metadataRegistration = Convert.ToUInt64(Console.ReadLine(), 16); il2Cpp.Init(codeRegistration, metadataRegistration); } } catch { throw new Exception("ERROR: An error occurred while processing."); } executor = new Il2CppExecutor(metadata, il2Cpp); return(true); }
private bool Init(string il2CppPath, string metadataPath, out Metadata metadata, out Il2Cpp il2Cpp) { WriteOutput("Read config...", Color.Black); if (File.Exists(realPath + "config.json")) { _config = JsonConvert.DeserializeObject <Config>(File.ReadAllText(Application.StartupPath + Path.DirectorySeparatorChar + "config.json")); } else { _config = new Config(); WriteOutput("config.json file does not exist. Using defaults", Color.Yellow); } WriteOutput("Initializing metadata..."); var metadataBytes = File.ReadAllBytes(metadataPath); metadata = new Metadata(new MemoryStream(metadataBytes)); WriteOutput($"Metadata Version: {metadata.Version}"); WriteOutput("Initializing il2cpp file..."); var il2CppBytes = File.ReadAllBytes(il2CppPath); var il2CppMagic = BitConverter.ToUInt32(il2CppBytes, 0); var il2CppMemory = new MemoryStream(il2CppBytes); switch (il2CppMagic) { default: WriteOutput("ERROR: il2cpp file not supported."); throw new NotSupportedException("ERROR: il2cpp file not supported."); case 0x6D736100: var web = new WebAssembly(il2CppMemory); il2Cpp = web.CreateMemory(); break; case 0x304F534E: var nso = new NSO(il2CppMemory); il2Cpp = nso.UnCompress(); break; case 0x905A4D: //PE il2Cpp = new PE(il2CppMemory); break; case 0x464c457f: //ELF if (il2CppBytes[4] == 2) //ELF64 { var addressValue = ""; il2Cpp = InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) != DialogResult.OK ? string.IsNullOrWhiteSpace(addressValue) ? new Elf64(il2CppMemory) : new Elf64(il2CppMemory, addressValue) : new Elf64(il2CppMemory); } else { var addressValue = ""; il2Cpp = InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) != DialogResult.OK ? string.IsNullOrWhiteSpace(addressValue) ? new Elf(il2CppMemory) : new Elf(il2CppMemory, addressValue) : new Elf(il2CppMemory); } break; case 0xCAFEBABE: //FAT Mach-O case 0xBEBAFECA: var machofat = new MachoFat(new MemoryStream(il2CppBytes)); WriteOutput("Select Platform: "); for (var i = 0; i < machofat.fats.Length; i++) { var fat = machofat.fats[i]; WriteOutput(fat.magic == 0xFEEDFACF ? $"{i + 1}.64bit " : $"{i + 1}.32bit "); } WriteOutput(""); var key = Console.ReadKey(true); var index = int.Parse(key.KeyChar.ToString()) - 1; var magic = machofat.fats[index % 2].magic; il2CppBytes = machofat.GetMacho(index % 2); il2CppMemory = new MemoryStream(il2CppBytes); if (magic == 0xFEEDFACF) { goto case 0xFEEDFACF; } else { goto case 0xFEEDFACE; } case 0xFEEDFACF: // 64bit Mach-O il2Cpp = new Macho64(il2CppMemory); break; case 0xFEEDFACE: // 32bit Mach-O il2Cpp = new Macho(il2CppMemory); break; } var version = _config.ForceIl2CppVersion ? _config.ForceVersion : metadata.Version; il2Cpp.SetProperties(version, metadata.maxMetadataUsages); WriteOutput($"Il2Cpp Version: {il2Cpp.Version}"); if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped) { var metadataValue = ""; if (InputBox.Show("Input global-metadata.dat dump address:", "", ref metadataValue) != DialogResult.OK) { return(false); } metadata.Address = Convert.ToUInt64(metadataValue, 16); WriteOutput($"global-metadata.dat dump address: {metadataValue}"); } WriteOutput("Searching..."); try { var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !flag && il2Cpp is PE) { WriteOutput("Use custom PE loader"); il2Cpp = PELoader.Load(il2CppPath); il2Cpp.SetProperties(version, metadata.maxMetadataUsages); flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); } if (!flag) { flag = il2Cpp.Search(); } if (!flag) { flag = il2Cpp.SymbolSearch(); } if (!flag) { WriteOutput("ERROR: Can't use auto mode to process file, try manual mode."); WriteOutput("Input CodeRegistration: "); var codeValue = ""; if (InputBox.Show(@"Input CodeRegistration: ", "", ref codeValue) != DialogResult.OK) { return(false); } var codeRegistration = Convert.ToUInt64(codeValue, 16); WriteOutput($"CodeRegistration: {codeValue}"); var metadataValue = ""; if (InputBox.Show("Input MetadataRegistration: ", "", ref metadataValue) != DialogResult.OK) { return(false); } var metadataRegistration = Convert.ToUInt64(metadataValue, 16); WriteOutput($"MetadataRegistration: {metadataValue}"); il2Cpp.Init(codeRegistration, metadataRegistration); return(true); } } catch (Exception e) { WriteOutput(e.Message); WriteOutput("ERROR: An error occurred while processing."); return(false); } return(true); }