Exemple #1
0
        static bool PatchLogon()
        {
            // Patches logoncli.dll (x64) to use RPC over TCP/IP, making it work from non domain-joined
            // Credit to Benjamin Delpy @gentilkiwi for the neat trick!
            byte[] pattern = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0x83, 0xF8, 0x01, 0x75, 0x3B };

            IntPtr     hProc   = Process.GetCurrentProcess().Handle;
            MODULEINFO modInfo = new MODULEINFO();
            IntPtr     hModule = LoadLibrary("logoncli.dll");

            if (!GetModuleInformation(hProc, hModule, out modInfo, (uint)Marshal.SizeOf(modInfo)))
            {
                return(false);
            }

            long addr    = modInfo.lpBaseOfDll.ToInt64();
            long maxSize = addr + modInfo.SizeOfImage;

            while (addr < maxSize)
            {
                byte[] buf       = new byte[1024];
                int    bytesRead = 0;
                if (!ReadProcessMemory(hProc, addr, buf, 1024, ref bytesRead))
                {
                    return(false);
                }

                int index = FindPattern(buf, pattern);
                if (index > -1)
                {
                    long patchAddr = addr + index + 1;
                    if (!VirtualProtect(new IntPtr(patchAddr), 1024, 0x04, out uint oldProtect))
                    {
                        return(false);
                    }

                    // patch mov eax 1; => mov eax, 2;
                    Marshal.WriteByte(new IntPtr(patchAddr), 0x02);

                    if (!VirtualProtect(new IntPtr(patchAddr), 1024, oldProtect, out oldProtect))
                    {
                        return(false);
                    }
                    return(true);
                }
                addr += 1024;
            }
            return(false);
        }
Exemple #2
0
        public static IDictionary <string, MODULEINFO> GetModules(IntPtr hProcess)
        {
            var  dictionary = new Dictionary <string, MODULEINFO>();
            var  builder    = new StringBuilder(260);
            var  hModule    = IntPtr.Zero;
            uint cbNeeded   = 0;

            while (EnumProcessModulesEx(hProcess, hModule, (uint)Marshal.SizeOf(typeof(IntPtr)), out cbNeeded, ProcessModulesFilterFlags.ListModulesDefault))
            {
                Debug.Assert(GetModuleBaseName(hProcess, hModule, builder, (uint)builder.Capacity) > 0);
                var name       = builder.ToString();
                var moduleInfo = new MODULEINFO();

                Debug.Assert(GetModuleInformation(hProcess, hModule, out moduleInfo, (uint)Marshal.SizeOf(moduleInfo)));
            }

            return(dictionary);
        }
        /// <summary>
        /// Gets a base address of module inside of the 32-bit process.
        /// </summary>
        /// <param name="gameProcess">Process for which to get base address.</param>
        /// <param name="moduleName">Module nume for which to get base address (lowercase!).</param>
        /// <returns>Base address of a module or 0 if none found.</returns>
        public static IntPtr GetWow64ModuleBase(this Process gameProcess, string moduleName)
        {
            const int LIST_MODULES_ALL = 5;
            const int MAX_PATH         = 260;
            var       hModules         = new IntPtr[1024];

            uint cb = (uint)IntPtr.Size * (uint)hModules.Length;

            if (!EnumProcessModulesEx(gameProcess.Handle, hModules, cb, out uint cbNeeded, LIST_MODULES_ALL))
            {
                throw new Win32Exception();
            }
            uint numMods = cbNeeded / (uint)IntPtr.Size;

            var sb = new StringBuilder(MAX_PATH);

            for (int i = 0; i < numMods; i++)
            {
                sb.Clear();
                if (GetModuleBaseName(gameProcess.Handle, hModules[i], sb, (uint)sb.Capacity) == 0)
                {
                    throw new Win32Exception();
                }
                string baseName = sb.ToString();

                if (baseName.ToLower() == moduleName)
                {
                    var moduleInfo = new MODULEINFO();
                    if (!GetModuleInformation(gameProcess.Handle, hModules[i], out moduleInfo,
                                              (uint)Marshal.SizeOf(moduleInfo)))
                    {
                        throw new Win32Exception();
                    }
                    return(moduleInfo.lpBaseOfDll);
                }
            }

            return(IntPtr.Zero);
        }
Exemple #4
0
        // this method checks if any section of AmsiDll is tampered with by comparing the hash
        static Boolean AmsiIntegrityCheck(IntPtr processHandle, IntPtr amsiModuleHandle, String onDiskAmsiCodehash)
        {
            MODULEINFO amsiDLLInfo = new MODULEINFO();

            GetModuleInformation(processHandle, amsiModuleHandle, out amsiDLLInfo, (uint)(Marshal.SizeOf(typeof(MODULEINFO))));
            byte[] inMemoryAmsiDLL = new byte[amsiDLLInfo.SizeOfImage];
            int    bytesRead       = 0;

            ReadProcessMemory(processHandle, amsiModuleHandle, inMemoryAmsiDLL, inMemoryAmsiDLL.Length, ref bytesRead);
            PeHeaderReader amsiReader = new PeHeaderReader(inMemoryAmsiDLL);

            String inMemoryAmsiCodehash = getSectionHeaderofAmsi(amsiReader, true, inMemoryAmsiDLL);

            if (inMemoryAmsiCodehash.Equals(onDiskAmsiCodehash))
            {
                Console.WriteLine("hash matches");
            }
            else
            {
                Console.WriteLine("Hash does not match");
            }
            return(false);
        }
Exemple #5
0
        private IEnumerable <LightProcessModule> ProcessModules()
        {
            IntPtr[] moduleHandles = new IntPtr[1024];
            uint     sizeNeeded;

            if (!K32EnumProcessModulesEx(_hProcess, moduleHandles, (uint)(moduleHandles.Length * IntPtr.Size),
                                         out sizeNeeded, LIST_MODULES_ALL))
            {
                yield break;
            }
            var buffer = new StringBuilder(2048);

            foreach (var moduleHandle in moduleHandles.Take((int)(sizeNeeded / IntPtr.Size)))
            {
                string fileName = "", baseName = "";
                if (0 != K32GetModuleFileNameEx(_hProcess, moduleHandle, buffer, (uint)buffer.Capacity))
                {
                    fileName = buffer.ToString();
                }
                if (0 != K32GetModuleBaseName(_hProcess, moduleHandle, buffer, (uint)buffer.Capacity))
                {
                    baseName = buffer.ToString();
                }
                MODULEINFO moduleInfo = new MODULEINFO();
                if (K32GetModuleInformation(_hProcess, moduleHandle, out moduleInfo, (uint)Marshal.SizeOf(moduleInfo)))
                {
                    yield return(new LightProcessModule
                    {
                        FileName = fileName,
                        ModuleName = baseName,
                        BaseAddress = (ulong)moduleInfo.lpBaseOfDll.ToInt64(),
                        Size = moduleInfo.SizeOfImage
                    });
                }
            }
        }
Exemple #6
0
        public static ProcessModuleWow64Safe[] ModulesWow64Safe(this Process p)
        {
            if (ModuleCache.Count > 100)
            {
                ModuleCache.Clear();
            }

            const int LIST_MODULES_ALL = 3;
            const int MAX_PATH         = 260;

            var hModules = new IntPtr[1024];

            uint cb = (uint)IntPtr.Size * (uint)hModules.Length;
            uint cbNeeded;

            if (!EnumProcessModulesEx(p.Handle, hModules, cb, out cbNeeded, LIST_MODULES_ALL))
            {
                throw new Win32Exception();
            }
            uint numMods = cbNeeded / (uint)IntPtr.Size;

            int hash = p.StartTime.GetHashCode() + p.Id + (int)numMods;

            if (ModuleCache.ContainsKey(hash))
            {
                return(ModuleCache[hash]);
            }

            var ret = new List <ProcessModuleWow64Safe>();

            // everything below is fairly expensive, which is why we cache!
            var sb = new StringBuilder(MAX_PATH);

            for (int i = 0; i < numMods; i++)
            {
                sb.Clear();
                if (GetModuleFileNameEx(p.Handle, hModules[i], sb, (uint)sb.Capacity) == 0)
                {
                    throw new Win32Exception();
                }
                string fileName = sb.ToString();

                sb.Clear();
                if (GetModuleBaseName(p.Handle, hModules[i], sb, (uint)sb.Capacity) == 0)
                {
                    throw new Win32Exception();
                }
                string baseName = sb.ToString();

                var moduleInfo = new MODULEINFO();
                if (!GetModuleInformation(p.Handle, hModules[i], out moduleInfo, (uint)Marshal.SizeOf(moduleInfo)))
                {
                    throw new Win32Exception();
                }

                ret.Add(new ProcessModuleWow64Safe()
                {
                    FileName          = fileName,
                    BaseAddress       = moduleInfo.lpBaseOfDll,
                    ModuleMemorySize  = (int)moduleInfo.SizeOfImage,
                    EntryPointAddress = moduleInfo.EntryPoint,
                    ModuleName        = baseName
                });
            }

            ModuleCache.Add(hash, ret.ToArray());

            return(ret.ToArray());
        }
Exemple #7
0
 public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, long cb);
Exemple #8
0
 public static extern bool GetModuleInformation(int ProcessHandle, IntPtr ModuleHandle, ref MODULEINFO ModInfo, int Size);
Exemple #9
0
 private static extern bool GetModuleInformation(
     IntPtr hProcess,
     IntPtr hModule,
     out MODULEINFO lpmodinfo,
     uint cb);
 public static extern bool K32GetModuleInformation(
     SafeProcessHandle hProcess,
     ModuleInstance hModule,
     out MODULEINFO lpmodinfo,
     uint cb);
Exemple #11
0
 private static extern bool GetModuleInformation(IntPtr process, IntPtr module, out MODULEINFO moduleInfo, uint size);
 private static extern bool GetModuleInformation(
     SafeKernelObjectHandle hProcess,
     IntPtr hModule,
     out MODULEINFO lpmodinfo,
     int cb
     );
Exemple #13
0
 [DllImport("psapi")] static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, UInt32 cb);
Exemple #14
0
 public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, [Out] out MODULEINFO lpmodinfo,
                                                uint cb);
Exemple #15
0
        /// <summary>
        ///
        /// </summary>
        /// <returns></returns>
        public bool Connect()
        {
            if (this.IsConnected())
            {
                return(true);
            }

            PROCESSENTRY32 pEntry = new PROCESSENTRY32();

            pEntry.dwSize = Marshal.SizeOf(pEntry);

            uint   procId    = 0;
            int    processId = -1;
            bool   found     = false;
            IntPtr snapshot  = APIMethods.CreateToolhelp32Snapshot(SnapshotFlags.Process, procId);

            if (APIMethods.Process32First(snapshot, ref pEntry))
            {
                while (APIMethods.Process32Next(snapshot, ref pEntry))
                {
                    if (pEntry.szExeFile.ToLower() == this._executableName)
                    {
                        processId = pEntry.th32ProcessID;
                        found     = true;
                        break;
                    }
                }
            }

            if (!found)
            {
                return(false);
            }

            IntPtr process = APIMethods.OpenProcess(ProccessAccess.AllAccess, false, processId);

            if (process == IntPtr.Zero)
            {
                return(false);
            }

            // Setting up the variable for the second argument for EnumProcessModules
            IntPtr[] hMods = new IntPtr[1024];

            GCHandle gch      = GCHandle.Alloc(hMods, GCHandleType.Pinned); // Don't forget to free this later
            IntPtr   pModules = gch.AddrOfPinnedObject();

            // Setting up the rest of the parameters for EnumProcessModules
            uint uiSize   = (uint)(Marshal.SizeOf(typeof(IntPtr)) * (hMods.Length));
            uint cbNeeded = 0;

            bool mainModuleFound = false;
            long baseAddress     = 0;

            if (APIMethods.EnumProcessModulesEx(process, pModules, uiSize, out cbNeeded, DwFilterFlag.filter_all) == true)
            {
                Int32 uiTotalNumberofModules = (Int32)(cbNeeded / (Marshal.SizeOf(typeof(IntPtr))));

                for (int i = 0; i < (int)uiTotalNumberofModules; i++)
                {
                    StringBuilder strbld = new StringBuilder(1024);
                    APIMethods.GetModuleFileNameEx(process, hMods[i], strbld, (int)(strbld.Capacity));

                    string moduleName = strbld.ToString();
                    if (Path.GetFileName(moduleName).ToLower() == this._executableName)
                    {
                        MODULEINFO mi = new MODULEINFO();
                        if (APIMethods.GetModuleInformation(process, hMods[i], out mi, Marshal.SizeOf(typeof(MODULEINFO))))
                        {
                            baseAddress = (long)mi.lpBaseOfDll;

                            mainModuleFound = true;
                            break;
                        }
                    }
                }
            }

            gch.Free();

            if (!mainModuleFound)
            {
                return(false);
            }

            this._mainModuleAddress = baseAddress;
            this._handle            = process;
            this._gcProcessHandle   = GCHandle.Alloc(this._handle, GCHandleType.Pinned);

            return(true);
        }
Exemple #16
0
 public static extern bool GetModuleInformation(int ProcessHandle, IntPtr ModuleHandle, ref MODULEINFO ModInfo, int Size);
Exemple #17
0
 public static extern bool GetModuleInformation(System.IntPtr hProcess, System.IntPtr hModule, ref MODULEINFO lpmodinfo, uint cb);
Exemple #18
0
 internal static extern bool GetModuleInformation(
     SafeProcessHandle hProcess,
     IntPtr hModule,
     out MODULEINFO lpmodinfo,
     uint cb);
 public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, uint cb);