static bool PatchLogon()
{
// Patches logoncli.dll (x64) to use RPC over TCP/IP, making it work from non domain-joined
// Credit to Benjamin Delpy @gentilkiwi for the neat trick!
byte[] pattern = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0x83, 0xF8, 0x01, 0x75, 0x3B };
IntPtr hProc = Process.GetCurrentProcess().Handle;
MODULEINFO modInfo = new MODULEINFO();
IntPtr hModule = LoadLibrary("logoncli.dll");
if (!GetModuleInformation(hProc, hModule, out modInfo, (uint)Marshal.SizeOf(modInfo)))
{
return(false);
}
long addr = modInfo.lpBaseOfDll.ToInt64();
long maxSize = addr + modInfo.SizeOfImage;
while (addr < maxSize)
{
byte[] buf = new byte[1024];
int bytesRead = 0;
if (!ReadProcessMemory(hProc, addr, buf, 1024, ref bytesRead))
{
return(false);
}
int index = FindPattern(buf, pattern);
if (index > -1)
{
long patchAddr = addr + index + 1;
if (!VirtualProtect(new IntPtr(patchAddr), 1024, 0x04, out uint oldProtect))
{
return(false);
}
// patch mov eax 1; => mov eax, 2;
Marshal.WriteByte(new IntPtr(patchAddr), 0x02);
if (!VirtualProtect(new IntPtr(patchAddr), 1024, oldProtect, out oldProtect))
{
return(false);
}
return(true);
}
addr += 1024;
}
return(false);
}
public static IDictionary <string, MODULEINFO> GetModules(IntPtr hProcess)
{
var dictionary = new Dictionary <string, MODULEINFO>();
var builder = new StringBuilder(260);
var hModule = IntPtr.Zero;
uint cbNeeded = 0;
while (EnumProcessModulesEx(hProcess, hModule, (uint)Marshal.SizeOf(typeof(IntPtr)), out cbNeeded, ProcessModulesFilterFlags.ListModulesDefault))
{
Debug.Assert(GetModuleBaseName(hProcess, hModule, builder, (uint)builder.Capacity) > 0);
var name = builder.ToString();
var moduleInfo = new MODULEINFO();
Debug.Assert(GetModuleInformation(hProcess, hModule, out moduleInfo, (uint)Marshal.SizeOf(moduleInfo)));
}
return(dictionary);
}
/// <summary>
/// Gets a base address of module inside of the 32-bit process.
/// </summary>
/// <param name="gameProcess">Process for which to get base address.</param>
/// <param name="moduleName">Module nume for which to get base address (lowercase!).</param>
/// <returns>Base address of a module or 0 if none found.</returns>
public static IntPtr GetWow64ModuleBase(this Process gameProcess, string moduleName)
{
const int LIST_MODULES_ALL = 5;
const int MAX_PATH = 260;
var hModules = new IntPtr[1024];
uint cb = (uint)IntPtr.Size * (uint)hModules.Length;
if (!EnumProcessModulesEx(gameProcess.Handle, hModules, cb, out uint cbNeeded, LIST_MODULES_ALL))
{
throw new Win32Exception();
}
uint numMods = cbNeeded / (uint)IntPtr.Size;
var sb = new StringBuilder(MAX_PATH);
for (int i = 0; i < numMods; i++)
{
sb.Clear();
if (GetModuleBaseName(gameProcess.Handle, hModules[i], sb, (uint)sb.Capacity) == 0)
{
throw new Win32Exception();
}
string baseName = sb.ToString();
if (baseName.ToLower() == moduleName)
{
var moduleInfo = new MODULEINFO();
if (!GetModuleInformation(gameProcess.Handle, hModules[i], out moduleInfo,
(uint)Marshal.SizeOf(moduleInfo)))
{
throw new Win32Exception();
}
return(moduleInfo.lpBaseOfDll);
}
}
return(IntPtr.Zero);
}
// this method checks if any section of AmsiDll is tampered with by comparing the hash
static Boolean AmsiIntegrityCheck(IntPtr processHandle, IntPtr amsiModuleHandle, String onDiskAmsiCodehash)
{
MODULEINFO amsiDLLInfo = new MODULEINFO();
GetModuleInformation(processHandle, amsiModuleHandle, out amsiDLLInfo, (uint)(Marshal.SizeOf(typeof(MODULEINFO))));
byte[] inMemoryAmsiDLL = new byte[amsiDLLInfo.SizeOfImage];
int bytesRead = 0;
ReadProcessMemory(processHandle, amsiModuleHandle, inMemoryAmsiDLL, inMemoryAmsiDLL.Length, ref bytesRead);
PeHeaderReader amsiReader = new PeHeaderReader(inMemoryAmsiDLL);
String inMemoryAmsiCodehash = getSectionHeaderofAmsi(amsiReader, true, inMemoryAmsiDLL);
if (inMemoryAmsiCodehash.Equals(onDiskAmsiCodehash))
{
Console.WriteLine("hash matches");
}
else
{
Console.WriteLine("Hash does not match");
}
return(false);
}
private IEnumerable <LightProcessModule> ProcessModules()
{
IntPtr[] moduleHandles = new IntPtr[1024];
uint sizeNeeded;
if (!K32EnumProcessModulesEx(_hProcess, moduleHandles, (uint)(moduleHandles.Length * IntPtr.Size),
out sizeNeeded, LIST_MODULES_ALL))
{
yield break;
}
var buffer = new StringBuilder(2048);
foreach (var moduleHandle in moduleHandles.Take((int)(sizeNeeded / IntPtr.Size)))
{
string fileName = "", baseName = "";
if (0 != K32GetModuleFileNameEx(_hProcess, moduleHandle, buffer, (uint)buffer.Capacity))
{
fileName = buffer.ToString();
}
if (0 != K32GetModuleBaseName(_hProcess, moduleHandle, buffer, (uint)buffer.Capacity))
{
baseName = buffer.ToString();
}
MODULEINFO moduleInfo = new MODULEINFO();
if (K32GetModuleInformation(_hProcess, moduleHandle, out moduleInfo, (uint)Marshal.SizeOf(moduleInfo)))
{
yield return(new LightProcessModule
{
FileName = fileName,
ModuleName = baseName,
BaseAddress = (ulong)moduleInfo.lpBaseOfDll.ToInt64(),
Size = moduleInfo.SizeOfImage
});
}
}
}
public static ProcessModuleWow64Safe[] ModulesWow64Safe(this Process p)
{
if (ModuleCache.Count > 100)
{
ModuleCache.Clear();
}
const int LIST_MODULES_ALL = 3;
const int MAX_PATH = 260;
var hModules = new IntPtr[1024];
uint cb = (uint)IntPtr.Size * (uint)hModules.Length;
uint cbNeeded;
if (!EnumProcessModulesEx(p.Handle, hModules, cb, out cbNeeded, LIST_MODULES_ALL))
{
throw new Win32Exception();
}
uint numMods = cbNeeded / (uint)IntPtr.Size;
int hash = p.StartTime.GetHashCode() + p.Id + (int)numMods;
if (ModuleCache.ContainsKey(hash))
{
return(ModuleCache[hash]);
}
var ret = new List <ProcessModuleWow64Safe>();
// everything below is fairly expensive, which is why we cache!
var sb = new StringBuilder(MAX_PATH);
for (int i = 0; i < numMods; i++)
{
sb.Clear();
if (GetModuleFileNameEx(p.Handle, hModules[i], sb, (uint)sb.Capacity) == 0)
{
throw new Win32Exception();
}
string fileName = sb.ToString();
sb.Clear();
if (GetModuleBaseName(p.Handle, hModules[i], sb, (uint)sb.Capacity) == 0)
{
throw new Win32Exception();
}
string baseName = sb.ToString();
var moduleInfo = new MODULEINFO();
if (!GetModuleInformation(p.Handle, hModules[i], out moduleInfo, (uint)Marshal.SizeOf(moduleInfo)))
{
throw new Win32Exception();
}
ret.Add(new ProcessModuleWow64Safe()
{
FileName = fileName,
BaseAddress = moduleInfo.lpBaseOfDll,
ModuleMemorySize = (int)moduleInfo.SizeOfImage,
EntryPointAddress = moduleInfo.EntryPoint,
ModuleName = baseName
});
}
ModuleCache.Add(hash, ret.ToArray());
return(ret.ToArray());
}
public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, long cb);
public static extern bool GetModuleInformation(int ProcessHandle, IntPtr ModuleHandle, ref MODULEINFO ModInfo, int Size);
private static extern bool GetModuleInformation(
IntPtr hProcess,
IntPtr hModule,
out MODULEINFO lpmodinfo,
uint cb);
public static extern bool K32GetModuleInformation(
SafeProcessHandle hProcess,
ModuleInstance hModule,
out MODULEINFO lpmodinfo,
uint cb);
private static extern bool GetModuleInformation(IntPtr process, IntPtr module, out MODULEINFO moduleInfo, uint size);
private static extern bool GetModuleInformation(
SafeKernelObjectHandle hProcess,
IntPtr hModule,
out MODULEINFO lpmodinfo,
int cb
);
[DllImport("psapi")] static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, UInt32 cb);
public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, [Out] out MODULEINFO lpmodinfo,
uint cb);
/// <summary>
///
/// </summary>
/// <returns></returns>
public bool Connect()
{
if (this.IsConnected())
{
return(true);
}
PROCESSENTRY32 pEntry = new PROCESSENTRY32();
pEntry.dwSize = Marshal.SizeOf(pEntry);
uint procId = 0;
int processId = -1;
bool found = false;
IntPtr snapshot = APIMethods.CreateToolhelp32Snapshot(SnapshotFlags.Process, procId);
if (APIMethods.Process32First(snapshot, ref pEntry))
{
while (APIMethods.Process32Next(snapshot, ref pEntry))
{
if (pEntry.szExeFile.ToLower() == this._executableName)
{
processId = pEntry.th32ProcessID;
found = true;
break;
}
}
}
if (!found)
{
return(false);
}
IntPtr process = APIMethods.OpenProcess(ProccessAccess.AllAccess, false, processId);
if (process == IntPtr.Zero)
{
return(false);
}
// Setting up the variable for the second argument for EnumProcessModules
IntPtr[] hMods = new IntPtr[1024];
GCHandle gch = GCHandle.Alloc(hMods, GCHandleType.Pinned); // Don't forget to free this later
IntPtr pModules = gch.AddrOfPinnedObject();
// Setting up the rest of the parameters for EnumProcessModules
uint uiSize = (uint)(Marshal.SizeOf(typeof(IntPtr)) * (hMods.Length));
uint cbNeeded = 0;
bool mainModuleFound = false;
long baseAddress = 0;
if (APIMethods.EnumProcessModulesEx(process, pModules, uiSize, out cbNeeded, DwFilterFlag.filter_all) == true)
{
Int32 uiTotalNumberofModules = (Int32)(cbNeeded / (Marshal.SizeOf(typeof(IntPtr))));
for (int i = 0; i < (int)uiTotalNumberofModules; i++)
{
StringBuilder strbld = new StringBuilder(1024);
APIMethods.GetModuleFileNameEx(process, hMods[i], strbld, (int)(strbld.Capacity));
string moduleName = strbld.ToString();
if (Path.GetFileName(moduleName).ToLower() == this._executableName)
{
MODULEINFO mi = new MODULEINFO();
if (APIMethods.GetModuleInformation(process, hMods[i], out mi, Marshal.SizeOf(typeof(MODULEINFO))))
{
baseAddress = (long)mi.lpBaseOfDll;
mainModuleFound = true;
break;
}
}
}
}
gch.Free();
if (!mainModuleFound)
{
return(false);
}
this._mainModuleAddress = baseAddress;
this._handle = process;
this._gcProcessHandle = GCHandle.Alloc(this._handle, GCHandleType.Pinned);
return(true);
}
public static extern bool GetModuleInformation(int ProcessHandle, IntPtr ModuleHandle, ref MODULEINFO ModInfo, int Size);
public static extern bool GetModuleInformation(System.IntPtr hProcess, System.IntPtr hModule, ref MODULEINFO lpmodinfo, uint cb);
internal static extern bool GetModuleInformation(
SafeProcessHandle hProcess,
IntPtr hModule,
out MODULEINFO lpmodinfo,
uint cb);
public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, uint cb);