static IntPtr CorBindToRuntimeExAddress() { ProcModule.ModuleInfo targetmscoree = null; ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos((int)processid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("mscoree.dll")) { targetmscoree = modules[i]; break; } } } if (targetmscoree == null || targetmscoree.baseOfDll == IntPtr.Zero) { return(IntPtr.Zero); } IntPtr CLRCreateInstanceAddress = IntPtr.Zero; if (hprocess != IntPtr.Zero) { int CLRCreateInstancerva = ExportTable.ProcGetExpAddress (hprocess, targetmscoree.baseOfDll, "CorBindToRuntimeEx"); if (CLRCreateInstancerva == 0) { return(IntPtr.Zero); } return((IntPtr)((long)targetmscoree.baseOfDll + (long)CLRCreateInstancerva)); } return(IntPtr.Zero); }
void HoockDetect() { textBox1.Text = "Detecting hooks for process whit the name " + ProcessName + " and PID=" + procid.ToString() + "\r\n"; byte[] Forread = new byte[0x500]; uint BytesRead = 0; int CompileAddress = 0; IntPtr processHandle = IntPtr.Zero; try { processHandle = OpenProcess(ProcessAccess.QueryInformation | ProcessAccess.VMRead, false, (uint)procid); } catch { } if (processHandle != IntPtr.Zero) { ProcModule.ModuleInfo targetmscorjit = null; ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos(procid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("mscorjit")) { targetmscorjit = modules[i]; break; } } } if (targetmscorjit == null) { textBox1.Text = textBox1.Text + "Seems that the target process is not a .NET process!" + "\r\n"; } else { int getJitrva = ExportTable.ProcGetExpAddress(processHandle, targetmscorjit.baseOfDll, "getJit"); bool isok = false; isok = ReadProcessMemory(processHandle, (IntPtr)((long)targetmscorjit.baseOfDll + (long)getJitrva), Forread, (uint)Forread.Length, ref BytesRead); if (isok) { int count = 0; while (Forread[count] != 0x0C3) { count++; } long cmpointer = (long)targetmscorjit.baseOfDll + getJitrva + count + 1; textBox1.Text = textBox1.Text + "Pointer of compile method : " + cmpointer.ToString("X8") + "\r\n"; CompileAddress = BitConverter.ToInt32(Forread, count + 1); textBox1.Text = textBox1.Text + "Address of compile method is : " + CompileAddress.ToString("X8") + "\r\n"; if ((CompileAddress < (int)targetmscorjit.baseOfDll) || (CompileAddress > (int)targetmscorjit.baseOfDll + targetmscorjit.sizeOfImage)) { textBox1.Text = textBox1.Text + "Address of compile method changed!!!" + "\r\n"; } else { textBox1.Text = textBox1.Text + "Address of compile method seems to be the original one!" + "\r\n"; } } else { textBox1.Text = textBox1.Text + "Failed to read from selected process!" + "\r\n"; } ProcModule.CloseHandle(processHandle); } // end if is not .NET } else { textBox1.Text = textBox1.Text + "Failed to open selected process!" + "\r\n"; } }
void Button2Click(object sender, EventArgs e) { string filename = textBox1.Text; string enviroments = textBox2.Text; if (filename != "" && File.Exists(filename)) { int processflags = processflags = 0 | (int)ProcessCreationFlags.CREATE_SUSPENDED; IntPtr memptr = IntPtr.Zero; button2.Enabled = false; textBox3.Text = ""; GCHandle gchenv = new GCHandle(); if (enviroments.Length != 0) { if (enviroments.Length >= 3 && enviroments.Contains("=")) { textBox3.AppendText("Setting Environment Variables..."); try { char[] separator = "\r\n".ToCharArray(); string[] realvalues = enviroments.Split(separator); IntPtr newptr = memptr; bool unicode = false; if (Environment.OSVersion.Platform == PlatformID.Win32NT) { processflags = processflags | (int)ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT; unicode = true; } StringDictionary environmentVariables = new StringDictionary(); // add Environments of the parent to the child! foreach (System.Collections.DictionaryEntry entry in Environment.GetEnvironmentVariables()) { environmentVariables.Add((string)entry.Key, (string)entry.Value); } for (int i = 0; i < realvalues.Length; i++) { if (realvalues[i] != "" && realvalues[i].Contains("=")) { separator = "=".ToCharArray(); string[] currentvalue = realvalues[i].Split(separator); if (currentvalue[0] != "") { if (environmentVariables.ContainsKey(currentvalue[0])) { textBox3.AppendText("\r\n" + "The key whit the name " + currentvalue[0] + " is already on dictinonary!"); } else { environmentVariables.Add(currentvalue[0], currentvalue[1]); } } } } gchenv = GCHandle.Alloc(ToByteArray(environmentVariables, unicode), GCHandleType.Pinned); memptr = gchenv.AddrOfPinnedObject(); textBox3.AppendText("\r\n" + "Environment Variables setted!"); } catch (Exception exc) { textBox3.AppendText("\r\n" + exc.Message + "\r\n"); } } else { textBox3.AppendText("Invalid Environment Variables!" + "\r\n"); } } STARTUPINFO structure = new STARTUPINFO(); PROCESS_INFORMATION process_information = new PROCESS_INFORMATION(); IntPtr lpApplicationName = Marshal.StringToHGlobalUni(filename); try { CreateProcess(lpApplicationName, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0, processflags, memptr, IntPtr.Zero, ref structure, ref process_information); hprocess = process_information.hProcess; hcthread = process_information.hThread; cprocessid = process_information.dwProcessId; if (gchenv.IsAllocated) { gchenv.Free(); } textBox3.AppendText("\r\n" + "Process created"); if (checkBox1.Checked) { textBox3.AppendText(" on suspended mode"); button3.Enabled = true; } textBox3.AppendText("!" + "\r\n"); } catch (Exception ex3) { textBox3.AppendText("\r\n" + "Failed to start process whit the message" + ex3.Message + "\r\n"); return; } checktimer = new System.Windows.Forms.Timer(); checktimer.Interval = 30; checktimer.Enabled = true; checktimer.Tick += new System.EventHandler(CheckStatut); if (checkBox2.Checked) { ProcModule.ModuleInfo[] modules = null; for (int k = 0; k < 500; k++) // try it 500 times! { LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread); modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("kernel32")) { targetkernel32 = modules[i]; break; } } } if (targetkernel32 != null) { break; } } if (targetkernel32 != null && targetkernel32.baseOfDll != IntPtr.Zero) { HookCreateProcess(targetkernel32.baseOfDll); } } if (checkBox3.Checked) { ProcModule.ModuleInfo[] modules = null; for (int k = 0; k < 50; k++) // try it 50 times! { LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread); modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.Length > 10 && modules[i].baseName.ToLower().StartsWith("msvcr")) { targetMSVCR80 = modules[i]; break; } } } if (targetMSVCR80 != null) { break; } } if (targetMSVCR80 != null && targetMSVCR80.baseOfDll != IntPtr.Zero) { LogmemcpyInit(targetMSVCR80.baseOfDll); } } if (!checkBox1.Checked) { ResumeThread(process_information.hThread); } } else { textBox3.Text = "Please select a valid file!" + "\r\n"; } }
public void CheckStatut(object source, EventArgs e) { uint exitcode = 0; GetExitCodeProcess(hprocess, out exitcode); if (exitcode != 259) // STILL_ACTIVE = 259 { button2.Enabled = true; textBox3.AppendText("\r\n" + "Process terminated, exit code: " + exitcode.ToString() + "\r\n"); checktimer.Stop(); checktimer.Dispose(); checktimer = null; hprocess = IntPtr.Zero; cprocessid = 0; hcthread = IntPtr.Zero; targetkernel32 = null; targetMSVCR80 = null; VirtualAlloc1 = IntPtr.Zero; VirtualAlloc2 = IntPtr.Zero; VirtualAlloc3 = IntPtr.Zero; } else { byte[] keeper = new byte[4]; uint BytesRead = 0; if (VirtualAlloc1 != IntPtr.Zero && ReadProcessMemory(hprocess, VirtualAlloc1, keeper, 4, ref BytesRead)) { if (keeper[0] != 0 || keeper[1] != 0 || keeper[2] != 0 || keeper[2] != 0) { int ESPvalue = BitConverter.ToInt32(keeper, 0); byte[] eraser = new byte[] { 0, 0, 0, 0 }; byte[] infiniteloop = new byte[] { 0x0EB, 0x0FE }; byte[] nops = new byte[] { 0x090, 0x090 }; // write infinit loop to second: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 12), infiniteloop, 2, out BytesRead); // nop the first and write infinit loop back: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 10), nops, 2, out BytesRead); Sleep(2); WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 10), infiniteloop, 2, out BytesRead); textBox3.AppendText("\r\n"); textBox3.AppendText("CreateProcessW reached:" + "\r\n"); textBox3.AppendText("Value of ESP:" + ESPvalue.ToString("X8") + "\r\n"); byte[] parbytes = new byte[14 * 4]; if (ReadProcessMemory(hprocess, (IntPtr)ESPvalue, parbytes, (uint)parbytes.Length, ref BytesRead)) { int[] parameters = new int[14]; for (int i = 0; i < parameters.Length; i++) { parameters[i] = BitConverter.ToInt32(parbytes, i * 4); } textBox3.AppendText("Return address: " + parameters[0].ToString("X8") + "\r\n"); textBox3.AppendText("hToken: " + parameters[1].ToString("X8") + "\r\n"); textBox3.AppendText("ModuleFileName: " + parameters[2].ToString("X8") + " "); string result = MemStringReader.ReadUnicodeString(hprocess, (IntPtr)parameters[2]); if (result != null) { textBox3.AppendText(result); } textBox3.AppendText("\r\n"); textBox3.AppendText("CommandLine: " + parameters[3].ToString("X8") + " "); result = MemStringReader.ReadUnicodeString(hprocess, (IntPtr)parameters[3]); if (result != null) { textBox3.AppendText(result); } textBox3.AppendText("\r\n"); textBox3.AppendText("pProcessSecurity: " + parameters[4].ToString("X8") + "\r\n"); textBox3.AppendText("pThreadSecurity: " + parameters[5].ToString("X8") + "\r\n"); textBox3.AppendText("InheritHandles: " + parameters[6].ToString("X8") + "\r\n"); textBox3.AppendText("CreationFlags: " + parameters[7].ToString("X8") + "\r\n"); textBox3.AppendText("pEnvironment: " + parameters[8].ToString("X8") + "\r\n"); textBox3.AppendText("CurrentDir: " + parameters[9].ToString("X8") + " "); result = MemStringReader.ReadUnicodeString(hprocess, (IntPtr)parameters[9]); if (result != null) { textBox3.AppendText(result); } textBox3.AppendText("\r\n"); textBox3.AppendText("pStartupInfo: " + parameters[10].ToString("X8") + "\r\n"); textBox3.AppendText("pProcessInfo: " + parameters[11].ToString("X8") + "\r\n"); textBox3.AppendText("hNewToken: " + parameters[12].ToString("X8") + "\r\n"); } // clean old value: WriteProcessMemory(hprocess, VirtualAlloc1, eraser, 4, out BytesRead); // suspend thread an let the user choose when to continue SuspendThread(hcthread); // finaly release second infinite loop: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 12), nops, 2, out BytesRead); } } if (VirtualAlloc2 != IntPtr.Zero && ReadProcessMemory(hprocess, VirtualAlloc2, keeper, 4, ref BytesRead)) { if (keeper[0] != 0 || keeper[1] != 0 || keeper[2] != 0 || keeper[2] != 0) { int ESPvalue = BitConverter.ToInt32(keeper, 0); byte[] eraser = new byte[] { 0, 0, 0, 0 }; byte[] infiniteloop = new byte[] { 0x0EB, 0x0FE }; byte[] nops = new byte[] { 0x090, 0x090 }; // write infinit loop to second: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 12), infiniteloop, 2, out BytesRead); // nop the first and write infinit loop back: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 10), nops, 2, out BytesRead); Sleep(2); WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 10), infiniteloop, 2, out BytesRead); textBox3.AppendText("\r\n"); textBox3.AppendText("CreateProcessW reached:" + "\r\n"); textBox3.AppendText("Value of ESP:" + ESPvalue.ToString("X8") + "\r\n"); byte[] parbytes = new byte[14 * 4]; if (ReadProcessMemory(hprocess, (IntPtr)ESPvalue, parbytes, (uint)parbytes.Length, ref BytesRead)) { int[] parameters = new int[14]; for (int i = 0; i < parameters.Length; i++) { parameters[i] = BitConverter.ToInt32(parbytes, i * 4); } textBox3.AppendText("Return address: " + parameters[0].ToString("X8") + "\r\n"); textBox3.AppendText("hToken: " + parameters[1].ToString("X8") + "\r\n"); textBox3.AppendText("ModuleFileName: " + parameters[2].ToString("X8") + " "); string result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[2]); if (result != null) { textBox3.AppendText(result); } textBox3.AppendText("\r\n"); textBox3.AppendText("CommandLine: " + parameters[3].ToString("X8") + " "); result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[3]); if (result != null) { textBox3.AppendText(result); } textBox3.AppendText("\r\n"); textBox3.AppendText("pProcessSecurity: " + parameters[4].ToString("X8") + "\r\n"); textBox3.AppendText("pThreadSecurity: " + parameters[5].ToString("X8") + "\r\n"); textBox3.AppendText("InheritHandles: " + parameters[6].ToString("X8") + "\r\n"); textBox3.AppendText("CreationFlags: " + parameters[7].ToString("X8") + "\r\n"); textBox3.AppendText("pEnvironment: " + parameters[8].ToString("X8") + "\r\n"); textBox3.AppendText("CurrentDir: " + parameters[9].ToString("X8") + " "); result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[9]); if (result != null) { textBox3.AppendText(result); } textBox3.AppendText("\r\n"); textBox3.AppendText("pStartupInfo: " + parameters[10].ToString("X8") + "\r\n"); textBox3.AppendText("pProcessInfo: " + parameters[11].ToString("X8") + "\r\n"); textBox3.AppendText("hNewToken: " + parameters[12].ToString("X8") + "\r\n"); } // clean old value: WriteProcessMemory(hprocess, VirtualAlloc2, eraser, 4, out BytesRead); // suspend thread an let the user choose when to continue SuspendThread(hcthread); // finaly release second infinite loop: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 12), nops, 2, out BytesRead); } } if (VirtualAlloc3 != IntPtr.Zero && ReadProcessMemory(hprocess, VirtualAlloc3, keeper, 4, ref BytesRead)) { if (keeper[0] != 0 || keeper[1] != 0 || keeper[2] != 0 || keeper[2] != 0) { int EBPvalue = BitConverter.ToInt32(keeper, 0); byte[] eraser = new byte[] { 0, 0, 0, 0 }; byte[] infiniteloop = new byte[] { 0x0EB, 0x0FE }; byte[] nops = new byte[] { 0x090, 0x090 }; // write infinit loop to second: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1C), infiniteloop, 2, out BytesRead); // nop the first and write infinit loop back: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1A), nops, 2, out BytesRead); Sleep(2); WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1A), infiniteloop, 2, out BytesRead); textBox3.AppendText("\r\n"); textBox3.AppendText("memcpy reached:" + "\r\n"); textBox3.AppendText("Value of EBP:" + EBPvalue.ToString("X8") + "\r\n"); byte[] parbytes = new byte[5 * 4]; if (ReadProcessMemory(hprocess, (IntPtr)EBPvalue, parbytes, (uint)parbytes.Length, ref BytesRead)) { int[] parameters = new int[5]; for (int i = 0; i < parameters.Length; i++) { parameters[i] = BitConverter.ToInt32(parbytes, i * 4); } textBox3.AppendText("Old ESP: " + parameters[0].ToString("X8") + "\r\n"); textBox3.AppendText("Return Address: " + parameters[1].ToString("X8") + "\r\n"); textBox3.AppendText("Source: " + parameters[3].ToString("X8")); string result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[3]); if (result != null) { textBox3.AppendText(" " + result); } textBox3.AppendText("\r\n"); textBox3.AppendText("len: (hex) " + parameters[4].ToString("X8") + "\r\n"); textBox3.AppendText("Destination: " + parameters[2].ToString("X8") + "\r\n"); } // clean old value: WriteProcessMemory(hprocess, VirtualAlloc3, eraser, 4, out BytesRead); // suspend thread an let the user choose when to continue SuspendThread(hcthread); // finaly release second infinite loop: WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1C), nops, 2, out BytesRead); } } } }