public static void Execute(IntPtr address)
{
IntPtr _Thread = WinAPI.CreateRemoteThread(Memory.pHandle, (IntPtr)null, IntPtr.Zero, address, (IntPtr)null, 0, (IntPtr)null);
WinAPI.WaitForSingleObject(_Thread, 0xFFFFFFFF);
WinAPI.CloseHandle(_Thread);
}
public static void Do(string tag, string name)
{
if (Address == IntPtr.Zero)
{
Alloc();
if (Address == IntPtr.Zero)
{
return;
}
int tag_addr = (int)Address + 18;
int name_addr = tag_addr + 16;
Buffer.BlockCopy(BitConverter.GetBytes(name_addr), 0, Shellcode, 1, 4);
Buffer.BlockCopy(BitConverter.GetBytes(tag_addr), 0, Shellcode, 6, 4);
Buffer.BlockCopy(BitConverter.GetBytes(Globals._signatures.dw_ChangeClanTag), 0, Shellcode, 11, 4);
}
var tag_bytes = Encoding.UTF8.GetBytes(tag + "\0");
var name_bytes = Encoding.UTF8.GetBytes(name + "\0");
Buffer.BlockCopy(tag_bytes, 0, Shellcode, 18, tag_bytes.Length);
Buffer.BlockCopy(name_bytes, 0, Shellcode, 34, name_bytes.Length);
WinAPI.WriteProcessMemory(Globals._csgo.ProcessHandle, Address, Shellcode, Shellcode.Length, 0);
IntPtr Thread = WinAPI.CreateRemoteThread(Globals._csgo.ProcessHandle, (IntPtr)null, IntPtr.Zero, Address, (IntPtr)null, 0, (IntPtr)null);
WinAPI.WaitForSingleObject(Thread, 0xFFFFFFFF);
WinAPI.CloseHandle(Thread);
}
/// <summary>
/// For each process in the system, enumerates a tuple of parent-process-id,process-id.
/// </summary>
public static IEnumerable <(int parentProcessId, int processId)> ParentChildProcessIds()
{
var procEntry = new WinAPI.PROCESSENTRY32();
procEntry.dwSize = (uint)Marshal.SizeOf(typeof(WinAPI.PROCESSENTRY32));
var handleToSnapshot = WinAPI.CreateToolhelp32Snapshot((uint)WinAPI.SnapshotFlags.Process, 0);
try
{
if (WinAPI.Process32First(handleToSnapshot, ref procEntry))
{
do
{
yield return((int)procEntry.th32ParentProcessID, (int)procEntry.th32ProcessID);
}while (WinAPI.Process32Next(handleToSnapshot, ref procEntry));
}
else
{
throw new InternalErrorException("Process enumeration failed; win32 error code: {0}".Fmt(Marshal.GetLastWin32Error()));
}
}
finally
{
WinAPI.CloseHandle(handleToSnapshot);
}
}
public bool GetDeviceDetachStatus()
{
if (!IsOpened)
{
return(false);
}
bool error_state = false;
var handle_temp = WinAPI.CreateFile(
"\\\\.\\" + PortName,
WinAPI.GENERIC_READ | WinAPI.GENERIC_WRITE,
0,
WinAPI.Null,
WinAPI.OPEN_EXISTING,
0,
WinAPI.Null);
if (handle_temp == WinAPI.INVALID_HANDLE_VALUE)
{
switch ((WinErrorCode)Marshal.GetLastWin32Error())
{
case WinErrorCode.ERROR_FILE_NOT_FOUND:
error_state = true;
break;
}
}
else
{
WinAPI.CloseHandle(handle_temp);
}
return(error_state);
}
static void CallCodeCave(IntPtr handle, byte[] codeCave)
{
//This is gonna be the address where we are gonna put our codecave
IntPtr codeCaveAddress = WinAPI.VirtualAllocEx(handle, IntPtr.Zero, codeCave.Length, WinAPI.AllocationType.Commit, WinAPI.MemoryProtection.ExecuteReadWrite);
//Write the codecave to the allocated memory space
IntPtr bytesWritten;
WinAPI.WriteProcessMemory(handle, codeCaveAddress, codeCave, codeCave.Length, out bytesWritten);
//Execute the codecave
IntPtr threadHandle = WinAPI.CreateRemoteThread(handle, IntPtr.Zero, 0, codeCaveAddress, IntPtr.Zero, 0, IntPtr.Zero);
//Wait for the codecave to complete
WinAPI.WaitForSingleObject(threadHandle, 0xFFFFFFFF);
//Free the codecave memory and close the thread
WinAPI.CloseHandle(threadHandle);
WinAPI.VirtualFreeEx(handle, codeCaveAddress, codeCave.Length, WinAPI.FreeType.Release);
}
internal ProcessorCombine(uint sendMessageQueueThreadId, int processorId)
{
_SendMessageQueueThreadId = sendMessageQueueThreadId;
IntPtr handle = WinAPI.OpenThread(WinAPI.ThreadAccess.SET_INFORMATION | WinAPI.ThreadAccess.QUERY_INFORMATION, false,
sendMessageQueueThreadId);
_ThreadAffinityMask = GetProcessorAffinity(processorId);
if (WinAPI.SetThreadAffinityMask(handle, _ThreadAffinityMask) == IntPtr.Zero)
{
//Can't set affinity mask. Maybe no enough rights.
Running = false;
WinAPI.CloseHandle(handle);
return;
}
WinAPI.CloseHandle(handle);
_ThreadIdToThreadInfo = new Dictionary <uint, ThreadInfo>();
_Thread = new Thread(ThreadProc);
_Thread.IsBackground = true;
_Thread.Start();
Running = true;
}
private bool disposedValue = false; // 重複する呼び出しを検出するには
protected virtual void Dispose(bool disposing)
{
if (!disposedValue)
{
if (disposing)
{
// TODO: マネージ状態を破棄します (マネージ オブジェクト)。
}
// アンマネージ リソース (アンマネージ オブジェクト) を解放し、下のファイナライザーをオーバーライドします。
if (SuspendedThreads != null)
{
foreach (var pOpenThread in SuspendedThreads)
{
WinAPI.CloseHandle(pOpenThread);
}
;
}
Process.Dispose();
// 大きなフィールドを null に設定します。
SuspendedThreads = null;
Process = null;
disposedValue = true;
}
}
public static string GetCaptureHardwareID_1100(string devname)
{
var hid = (string)null;
var handle = WinAPI.CreateFile(devname, 0, 0, IntPtr.Zero, WinAPI.OPEN_EXISTING, 0, IntPtr.Zero);
if (handle != WinAPI.INVALID_HANDLE_VALUE)
{
var read_buff = Marshal.AllocHGlobal(DEVICE_IO_BUFFER);
var read_size = (uint)0;
if (WinAPI.DeviceIoControl(
handle,
UsbPcapManager.IOCTL_USBPCAP_GET_HUB_SYMLINK_1100,
IntPtr.Zero,
0,
read_buff,
DEVICE_IO_BUFFER,
out read_size,
IntPtr.Zero)
)
{
if (read_size > 0)
{
hid = Marshal.PtrToStringUni(read_buff);
}
}
Marshal.FreeHGlobal(read_buff);
WinAPI.CloseHandle(handle);
}
return(hid);
}
public static void Do(string szCmd)
{
if (Address == IntPtr.Zero)
{
Alloc();
if (Address == IntPtr.Zero)
{
return;
}
}
if (szCmd.Length > 255)
{
szCmd = szCmd.Substring(0, 255);
}
var szCmd_bytes = Encoding.UTF8.GetBytes(szCmd + "\0");
WinAPI.WriteProcessMemory(Globals._csgo.ProcessHandle, Address, szCmd_bytes, szCmd_bytes.Length, 0);
IntPtr Thread = WinAPI.CreateRemoteThread(Globals._csgo.ProcessHandle, (IntPtr)null, IntPtr.Zero, new IntPtr(Globals._signatures.dw_clientcmd), Address, 0, (IntPtr)null);
WinAPI.CloseHandle(Thread);
WinAPI.WaitForSingleObject(Thread, 0xFFFFFFFF);
}
public static void Exec(string szCmd)
{
if (_address == IntPtr.Zero)
{
var allocator = new Memory.Allocator();
_address = allocator.Alloc(Size);
if (_address == IntPtr.Zero)
{
return;
}
}
if (szCmd.Length > 255)
{
szCmd = szCmd.Substring(0, 255);
}
var szCmdBytes = Encoding.UTF8.GetBytes(szCmd + "\0");
Memory.WriteProcessMemory(Memory.pHandle, _address, szCmdBytes, szCmdBytes.Length, 0);
var remoteThread = WinAPI.CreateRemoteThread(Memory.pHandle, (IntPtr)null, IntPtr.Zero,
new IntPtr(Memory.Engine + CalcedOffsets.ClientCMD), _address, 0, (IntPtr)null);
WinAPI.CloseHandle(remoteThread);
WinAPI.WaitForSingleObject(remoteThread, 0xFFFFFFFF);
}
/// <summary>
/// Retrieves the process-module with the given name, returns null if not found
/// </summary>
/// <param name="name"></param>
/// <returns></returns>
public WinAPI.MODULEENTRY32 GetModule32ByName(string name)
{
var xModule = new WinAPI.MODULEENTRY32();
try
{
IntPtr hSnap;
hSnap = WinAPI.CreateToolhelp32Snapshot(WinAPI.SnapshotFlags.Module, (uint)Process.Id);
xModule.dwSize = (uint)Marshal.SizeOf(typeof(WinAPI.MODULEENTRY32));
if (WinAPI.Module32First(hSnap, ref xModule))
{
while (WinAPI.Module32Next(hSnap, ref xModule))
{
if (xModule.szModule == name)
{
WinAPI.CloseHandle(hSnap);
return(xModule);
}
}
}
WinAPI.CloseHandle(hSnap);
}
catch
{
}
xModule.szModule = "";
return(xModule);
}
public static void Exec(string szCmd)
{
if (Address == IntPtr.Zero)
{
Address = gvar.Allocator.Alloc(Size);
if (Address == IntPtr.Zero)
{
return;
}
}
if (szCmd.Length > 255)
{
szCmd = szCmd.Substring(0, 255);
}
var szCmd_bytes = Encoding.UTF8.GetBytes(szCmd + "\0");
WinAPI.WriteProcessMemory(Memory.pHandle, Address, szCmd_bytes, szCmd_bytes.Length, 0);
var Thread = WinAPI.CreateRemoteThread(Memory.pHandle, (IntPtr)null, IntPtr.Zero,
new IntPtr(Memory.Engine + Offsets.dw_clientCmd), Address, 0, (IntPtr)null);
WinAPI.CloseHandle(Thread);
WinAPI.WaitForSingleObject(Thread, 0xFFFFFFFF);
}
public static void CloseHandle()
{
if (processHandle != IntPtr.Zero)
{
WinAPI.CloseHandle(processHandle);
}
}
public static void AcceptMatch()
{
IntPtr Thread = WinAPI.CreateRemoteThread(Globals._csgo.ProcessHandle, (IntPtr)null, IntPtr.Zero, new IntPtr(Globals._signatures.dw_AcceptMatch), IntPtr.Zero, 0, (IntPtr)null);
WinAPI.WaitForSingleObject(Thread, 0xFFFFFFFF);
WinAPI.CloseHandle(Thread);
}
public void Dispose()
{
if (hModule != IntPtr.Zero)
{
WinAPI.CloseHandle(hModule);
}
log.Dispose();
}
public static void Create(IntPtr address, byte[] shellcode)
{
WinAPI.WriteProcessMemory(Memory.pHandle, address, shellcode, shellcode.Length, 0);
IntPtr _Thread = WinAPI.CreateRemoteThread(Memory.pHandle, (IntPtr)null, IntPtr.Zero, address, (IntPtr)null, 0, (IntPtr)null);
WinAPI.WaitForSingleObject(_Thread, 0xFFFFFFFF);
WinAPI.CloseHandle(_Thread);
}
public override bool Unload(IntPtr hModule, IntPtr hProcess)
{
// Unloading a manually mapped file is fairly straightforward. There is no need to call FreeLibrary or anything
// because the file was never actually injected using LoadLibrary and doesn't need to clear any PEB entries etc.
// basically just call the Entry Point again with DLL_PROCESS_DETACH flag and not-null for the lpReserved parameter
// and then VirtualFree the remote memory.
ClearErrors();
if (hModule.IsNull())
{
throw new ArgumentNullException("hModule", "Invalid module handle");
}
if (hProcess.IsNull() || hProcess.Compare(-1))
{
throw new ArgumentException("Invalid process handle.", "hProcess");
}
IntPtr pStub = IntPtr.Zero;
uint nBytes = 0;
try
{
uint entry = FindEntryPoint(hProcess, hModule);
if (entry != 0)
{
var stub = (byte[])DLLMAIN_STUB.Clone();
BitConverter.GetBytes(hModule.ToInt32()).CopyTo(stub, 0x0B);
BitConverter.GetBytes((uint)0).CopyTo(stub, 0x06);
BitConverter.GetBytes((uint)1000).CopyTo(stub, 0x01);
pStub = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)DLLMAIN_STUB.Length, 0x1000 | 0x2000, 0x40);
if (pStub.IsNull() || (!WinAPI.WriteProcessMemory(hProcess, pStub, stub, stub.Length, out nBytes) || nBytes != (uint)stub.Length))
{
throw new InvalidOperationException("Unable to write stub to the remote process.");
}
IntPtr hStubThread = WinAPI.CreateRemoteThread(hProcess, 0, 0, pStub, (uint)hModule.Add(entry).ToInt32(), 0, 0);
if (WinAPI.WaitForSingleObject(hStubThread, 5000) == 0x0L)
{
WinAPI.VirtualFreeEx(hProcess, pStub, 0, 0x8000);
WinAPI.CloseHandle(hStubThread);
return(WinAPI.VirtualFreeEx(hProcess, hModule, 0, 0x8000));
}
return(false);
}
else
{
return(WinAPI.VirtualFreeEx(hProcess, hModule, 0, 0x8000));
}
}
catch (Exception e)
{
SetLastError(e);
return(false);
}
}
public virtual IntPtr Inject(JLibrary.PortableExecutable.PortableExecutable image, int processId)
{
this.ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
IntPtr ptr2 = this.Inject(image, hProcess);
WinAPI.CloseHandle(hProcess);
return(ptr2);
}
/// <summary>
/// Inject a collection of files into a process using a unique process id as an identifier
/// </summary>
/// <param name="dllPaths">An array listing which files to inject</param>
/// <param name="processId">Unique process identifier</param>
/// <returns>An array of the same length as the 'dllPaths' parameter containing the module handles for each file</returns>
public virtual IntPtr[] InjectAll(string[] dllPaths, int processId)
{
ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x043A, false, processId);
IntPtr[] hModules = InjectAll(dllPaths, hProcess);
WinAPI.CloseHandle(hProcess);
return(hModules);
}
/// <summary>
/// Inject a file into a process using a unique process id as an identifier
/// </summary>
/// <param name="dllPath">Path to the file to inject</param>
/// <param name="processId">Unique process identifier</param>
/// <returns>A valid module handle if the function is successful, or IntPtr.Zero otherwise</returns>
public virtual IntPtr Inject(string dllPath, int processId)
{
ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x043A, false, processId);
IntPtr hModule = Inject(dllPath, hProcess);
WinAPI.CloseHandle(hProcess);
return(hModule);
}
/// <summary>
/// Attempt to unload a collection of modules from the remote process
/// </summary>
/// <param name="hModules">An array containing the handles (base address) of the modules to unload</param>
/// <param name="processId">Unique process identifier</param>
/// <returns>An array of the same length as the 'hModules' parameter containing the result for each <seealso cref="Unload(IntPtr,IntrPtr)"/>, or null if an error occured. Call <see cref="GetLastError"/> for more information</returns>
public virtual bool[] UnloadAll(IntPtr[] hModules, int processId)
{
ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x043A, false, processId);
bool[] unloaded = UnloadAll(hModules, hProcess);
WinAPI.CloseHandle(hProcess);
return(unloaded);
}
/// <summary>
/// Inject a collection of PortableExecutable images into a process using a unique process id as an identifier
/// </summary>
/// <param name="images">An array listing which PortableExecutable instances to inject</param>
/// <param name="processId">Unique process identifier</param>
/// <returns>An array of the same length as the 'images' parameter containing the module handles for each image, or null if the method failed. Call <see cref="GetLastError"/> for more information</returns>
public virtual IntPtr[] InjectAll(PortableExecutable[] images, int processId)
{
ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x043A, false, processId);
IntPtr[] hModules = InjectAll(images, hProcess);
WinAPI.CloseHandle(hProcess);
return(hModules);
}
/// <summary>
/// Inject an existing in-memory PortableExecutable image into a process using a unique process id as an identifier
/// </summary>
/// <param name="image">Any valid existing PortableExecutable instance</param>
/// <param name="processId">Unique process identifier</param>
/// <returns>A valid module handle if the function is successful, or IntPtr.Zero otherwise</returns>
public virtual IntPtr Inject(PortableExecutable image, int processId)
{
ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x043A, false, processId);
IntPtr hModule = Inject(image, hProcess);
WinAPI.CloseHandle(hProcess);
return(hModule);
}
public virtual IntPtr Inject(string dllPath, int processId)
{
this.ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
IntPtr ptr2 = this.Inject(dllPath, hProcess);
WinAPI.CloseHandle(hProcess);
return(ptr2);
}
// Token: 0x06000108 RID: 264 RVA: 0x0000C9B4 File Offset: 0x0000ABB4
public virtual bool[] UnloadAll(IntPtr[] hModules, int processId)
{
this.ClearErrors();
IntPtr intPtr = WinAPI.OpenProcess(1082u, false, processId);
bool[] result = this.UnloadAll(hModules, intPtr);
WinAPI.CloseHandle(intPtr);
return(result);
}
// Token: 0x06000104 RID: 260 RVA: 0x0000C94C File Offset: 0x0000AB4C
public virtual IntPtr[] InjectAll(PortableExecutable[] images, int processId)
{
this.ClearErrors();
IntPtr intPtr = WinAPI.OpenProcess(1082u, false, processId);
IntPtr[] result = this.InjectAll(images, intPtr);
WinAPI.CloseHandle(intPtr);
return(result);
}
// Token: 0x06000100 RID: 256 RVA: 0x0000C8E4 File Offset: 0x0000AAE4
public virtual IntPtr[] InjectAll(string[] dllPaths, int processId)
{
this.ClearErrors();
IntPtr intPtr = WinAPI.OpenProcess(1082u, false, processId);
IntPtr[] result = this.InjectAll(dllPaths, intPtr);
WinAPI.CloseHandle(intPtr);
return(result);
}
public virtual IntPtr[] InjectAll(JLibrary.PortableExecutable.PortableExecutable[] images, int processId)
{
this.ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
IntPtr[] ptrArray = this.InjectAll(images, hProcess);
WinAPI.CloseHandle(hProcess);
return(ptrArray);
}
public virtual IntPtr[] InjectAll(string[] dllPaths, int processId)
{
this.ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
IntPtr[] ptrArray = this.InjectAll(dllPaths, hProcess);
WinAPI.CloseHandle(hProcess);
return(ptrArray);
}
public virtual bool Unload(IntPtr hModule, int processId)
{
this.ClearErrors();
IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
bool flag = this.Unload(hModule, hProcess);
WinAPI.CloseHandle(hProcess);
return(flag);
}