private static string[] TestGetProcessWorkingDirectory(string image) { List <string> ret = new List <string>(); Process[] ps = Process.GetProcessesByName(image); foreach (Process p in ps) { Console.WriteLine($"{p.ProcessName} pid: {p.Id}"); IntPtr handle = OpenProcess(p, ProcessAccessFlags.All); IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size); IntPtr outLong = Marshal.AllocHGlobal(sizeof(long)); Console.WriteLine($"handle: {handle}"); int _ = NtQueryInformationProcess(handle, 0, pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong); if (_ != 0) { Console.WriteLine($"Error {ret}"); break; } PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi); Console.WriteLine($"peb: {pbi.PebBaseAddress}"); IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size); ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong); PEB peb = Marshal.PtrToStructure <PEB>(pPeb); IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size); ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong); RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp); IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2); RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2); ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong); string cwd = Marshal.PtrToStringUni(pStr); if (!String.IsNullOrEmpty(cwd)) { ret.Add(cwd); } Console.WriteLine($"cwd: {cwd}"); CloseHandle(handle); Console.WriteLine(); } return(ret.ToArray()); }
private static List <string> GetProcessWorkingDirectoriesByImageName(string image) { List <string> result = new List <string>(); Process[] ps = Process.GetProcessesByName(image); foreach (Process p in ps) { IntPtr handle = OpenProcess(p); IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size); IntPtr outLong = Marshal.AllocHGlobal(sizeof(long)); int ret = NtQueryInformationProcess(handle, 0, pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong); if (ret != 0) { continue; } PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi); IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size); ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong); PEB peb = Marshal.PtrToStructure <PEB>(pPeb); IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size); ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong); RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp); IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2); RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2); ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong); string cwd = Marshal.PtrToStringUni(pStr); if (!String.IsNullOrEmpty(cwd)) { result.Add(cwd); } CloseHandle(handle); } return(result); }
public static bool Apply(IntPtr hProcess, string path = null, string cmdLine = null, string CurrentDirectoryPath = null) { if (hProcess == null || hProcess == IntPtr.Zero) { return(false); } try { // default Varametrs uint len; // get PROCESS_BASIC_INFORMATION var info = new PROCESS_BASIC_INFORMATION(); NtQueryInformationProcess(hProcess, 0, out info, (uint)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out len); // get PROCESS_BASIC_INFORMATION var peb = new PEB(); ReadProcessMemory(hProcess, info.PebBaseAddress, (IntPtr)(&peb), (uint)Marshal.SizeOf(typeof(PEB)), out len); // get RTL_USER_PROCESS_PARAMETERS var psParam = new RTL_USER_PROCESS_PARAMETERS(); ReadProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len); // patch WriStr(hProcess, ref psParam.ImagePathName, path); WriStr(hProcess, ref psParam.CommandLine, cmdLine); WriStr(hProcess, ref psParam.CurrentDirectoryPath, CurrentDirectoryPath); // reflecet Changes return (WriteProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len)); } catch (Exception) { return(false); } }
public static bool MasqueradePEB(string masqBinary) { string Arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE"); // Retrieve information about the specified process int dwPID = Process.GetCurrentProcess().Id; IntPtr procHandle = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead | ProcessAccessFlags.VirtualMemoryWrite | ProcessAccessFlags.VirtualMemoryOperation, false, dwPID); _PROCESS_BASIC_INFORMATION pbi = new _PROCESS_BASIC_INFORMATION(); IntPtr pbiPtr = StructureToPtr(pbi); int returnLength = 0; int status = NtQueryInformationProcess(procHandle, 0, pbiPtr, Marshal.SizeOf(pbi), ref returnLength); if (status != 0) { return(false); } pbi = PtrToStructure <_PROCESS_BASIC_INFORMATION>(pbiPtr); Console.WriteLine("[+] Process ID is: {0}", pbi.UniqueProcessId); // Read pbi PebBaseAddress into PEB Structure IntPtr lpNumberOfBytesRead = IntPtr.Zero; _PEB peb = new _PEB(); IntPtr pebPtr = StructureToPtr(peb); if (!ReadProcessMemory(procHandle, pbi.PebBaseAddress, pebPtr, Marshal.SizeOf(peb), out lpNumberOfBytesRead)) { return(false); } peb = PtrToStructure <_PEB>(pebPtr); // Read peb ProcessParameters into RTL_USER_PROCESS_PARAMETERS Structure RTL_USER_PROCESS_PARAMETERS upp = new RTL_USER_PROCESS_PARAMETERS(); IntPtr uppPtr = StructureToPtr(upp); if (!ReadProcessMemory(procHandle, peb.ProcessParameters, uppPtr, Marshal.SizeOf(upp), out lpNumberOfBytesRead)) { return(false); } upp = PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(uppPtr); // Read Ldr Address into PEB_LDR_DATA Structure _PEB_LDR_DATA pld = new _PEB_LDR_DATA(); IntPtr pldPtr = StructureToPtr(pld); if (!ReadProcessMemory(procHandle, peb.Ldr, pldPtr, Marshal.SizeOf(pld), out lpNumberOfBytesRead)) { return(false); } pld = PtrToStructure <_PEB_LDR_DATA>(pldPtr); // Change Current Working Directory and Window title Directory.SetCurrentDirectory(Environment.SystemDirectory); // Set the Title of the Window SetWindowText(Process.GetCurrentProcess().MainWindowHandle, masqBinary); // Let's overwrite UNICODE_STRING structs in memory // Take ownership of PEB RtlEnterCriticalSection(peb.FastPebLock); // Masquerade ImagePathName and CommandLine IntPtr ImagePathNamePtr = IntPtr.Zero; IntPtr CommandLinePtr = IntPtr.Zero; if (Arch == "AMD64") { ImagePathNamePtr = new IntPtr(peb.ProcessParameters.ToInt64() + 0x60); CommandLinePtr = new IntPtr(peb.ProcessParameters.ToInt64() + 0x70); } else { ImagePathNamePtr = new IntPtr(peb.ProcessParameters.ToInt32() + 0x38); CommandLinePtr = new IntPtr(peb.ProcessParameters.ToInt32() + 0x40); } if (!RtlInitUnicodeString(procHandle, ImagePathNamePtr, "ImagePathName", masqBinary)) { return(false); } if (!RtlInitUnicodeString(procHandle, CommandLinePtr, "CommandLine", masqBinary)) { return(false); } // Masquerade FullDllName and BaseDllName StringBuilder wModuleFileName = new StringBuilder(255); GetModuleFileName(IntPtr.Zero, wModuleFileName, wModuleFileName.Capacity); string wExeFileName = wModuleFileName.ToString(); string wFullDllName = null; _PEB_LDR_DATA StartModule = (_PEB_LDR_DATA)Marshal.PtrToStructure(peb.Ldr, typeof(_PEB_LDR_DATA)); IntPtr pStartModuleInfo = StartModule.InLoadOrderModuleList.Flink; IntPtr pNextModuleInfo = pld.InLoadOrderModuleList.Flink; do { // Read InLoadOrderModuleList.Flink Address into LDR_DATA_TABLE_ENTRY Structure _LDR_DATA_TABLE_ENTRY ldte = (_LDR_DATA_TABLE_ENTRY)Marshal.PtrToStructure(pNextModuleInfo, typeof(_LDR_DATA_TABLE_ENTRY)); IntPtr FullDllNamePtr = IntPtr.Zero; IntPtr BaseDllNamePtr = IntPtr.Zero; if (Arch == "AMD64") { FullDllNamePtr = new IntPtr(pNextModuleInfo.ToInt64() + 0x48); BaseDllNamePtr = new IntPtr(pNextModuleInfo.ToInt64() + 0x58); } else { FullDllNamePtr = new IntPtr(pNextModuleInfo.ToInt32() + 0x24); BaseDllNamePtr = new IntPtr(pNextModuleInfo.ToInt32() + 0x2C); } // Read FullDllName into string wFullDllName = ldte.FullDllName.ToString(); if (wExeFileName == wFullDllName) { if (!RtlInitUnicodeString(procHandle, FullDllNamePtr, "FullDllName", masqBinary)) { return(false); } if (!RtlInitUnicodeString(procHandle, BaseDllNamePtr, "BaseDllName", masqBinary)) { return(false); } break; } pNextModuleInfo = ldte.InLoadOrderLinks.Flink; } while (pNextModuleInfo != pStartModuleInfo); //Release ownership of PEB RtlLeaveCriticalSection(peb.FastPebLock); // Release Process Handle CloseHandle(procHandle); return(true); }