/// <summary> /// Initializes a new instance of the <see cref="AModuleFactory" /> class. /// </summary> /// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param> public AModuleFactory(AProcessSharp processPlus) { // Save the parameter ProcessPlus = processPlus; // Create a list containing all injected modules InternalInjectedModules = new List <AInjectedModule>(); }
/// <summary> /// Initializes a new instance of the <see cref="AMemoryFactory" /> class. /// </summary> /// <param name="process">The reference of the <see cref="Process" /> object.</param> public AMemoryFactory(AProcessSharp process) { // Save the parameter Process = process; // Create a list containing all allocated memory InternalRemoteAllocations = new List <IAAllocatedMemory>(); }
/// <summary> /// Initializes a new instance of the <see cref="MarshalledValue{T}" /> class. /// </summary> /// <param name="process">The reference of the <see cref="Process" /> object.</param> /// <param name="value">The value to marshal.</param> public MarshalledValue(AProcessSharp process, T value) { // Save the parameters Process = process; Value = value; // Marshal the value Marshal(); }
public ASymbolLoaderThread() { SymbolList = new UArrayManager <ASymbol>(); Process = null; IsLoading = false; CurrentModuleName = ""; Terminated = false; }
/// <summary> /// Initializes a new instance of the <see cref="ARemoteWindow" /> class. /// </summary> /// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param> /// <param name="handle">The handle of a window.</param> public ARemoteWindow(AProcessSharp processPlus, IntPtr handle) { // Save the parameters ProcessPlus = processPlus; Handle = handle; // Create the tools Keyboard = new AMessageKeyboard(this); Mouse = new ASendInputMouse(this); }
/// <summary> /// Initializes a new instance of the <see cref="ARemoteThread" /> class. /// </summary> /// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param> /// <param name="thread">The native <see cref="ProcessThread" /> object.</param> public ARemoteThread(AProcessSharp processPlus, ProcessThread thread) { // Save the parameters ProcessPlus = processPlus; Native = thread; // Save the thread id Id = thread.Id; // Open the thread Handle = AThreadHelper.OpenThread(ThreadAccessFlags.AllAccess, Id); }
public ASymbolHandler() { Process = null; _symbolLoaderThread = null; SymbolList = new UArrayManager <ASymbol>(); UserDefinedSymbols = new UArrayManager <AUserDefinedSymbol>(); _moduleList = new AModuleInfoArray(); ShowSymbols = false; ShowModules = false; ShowSections = false; }
/// <summary> /// Initializes a new instance of the <see cref="AAllocatedMemory" /> class. /// </summary> /// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param> /// <param name="name"></param> /// <param name="size">The size of the allocated memory.</param> /// <param name="protection">The protection of the allocated memory.</param> /// <param name="mustBeDisposed">The allocated memory will be released when the finalizer collects the object.</param> public AAllocatedMemory(AProcessSharp processPlus, string name, int size, MemoryProtectionFlags protection = MemoryProtectionFlags.ExecuteReadWrite, bool mustBeDisposed = true) : base(processPlus, AMemoryHelper.Allocate(processPlus.Handle, size, protection)) { // Set local vars Identifier = name; MustBeDisposed = mustBeDisposed; IsDisposed = false; Size = size; }
/// <summary> /// Injects the specified module into the address space of the remote process. /// </summary> /// <param name="memorySharp">The reference of the <see cref="MemorySharp" /> object.</param> /// <param name="path"> /// The path of the module. This can be either a library module (a .dll file) or an executable module /// (an .exe file). /// </param> /// <returns>A new instance of the <see cref="AInjectedModule" />class.</returns> /// <returns>A new instance of the <see cref="AInjectedModule"/>class.</returns> internal static AInjectedModule InternalInject(AProcessSharp memorySharp, string path) { // Call LoadLibraryA remotely var thread = memorySharp.ThreadFactory.CreateAndJoin(memorySharp["kernel32"]["LoadLibraryA"].BaseAddress, path); // Get the inject module if (thread.GetExitCode <IntPtr>() != IntPtr.Zero) { return(new AInjectedModule(memorySharp, memorySharp.ModuleFactory.NativeModules.First(m => m.BaseAddress == thread.GetExitCode <IntPtr>()))); } return(null); }
/// <summary> /// Initializes a new instance of the <see cref="ARemoteThread" /> class. /// </summary> /// <param name="processPlus">The reference of the <see cref="MemoryManagement.MemorySharp" /> object.</param> /// <param name="thread">The native <see cref="ProcessThread" /> object.</param> /// <param name="parameter">The parameter passed to the thread when it was created.</param> public ARemoteThread(AProcessSharp processPlus, ProcessThread thread, IAMarshalledValue parameter = null) : this(processPlus, thread) { // Save the parameter _parameter = parameter; // Create the task _parameterCleaner = new Task(() => { Join(); _parameter.Dispose(); }); }
/// <summary> /// Initializes a new instance of the <see cref="AThreadFactory" /> class. /// </summary> /// <param name="process">The reference of the <see cref="Process" /> object.</param> public AThreadFactory(AProcessSharp process) { // Save the parameter Process = process; }
/// <summary> /// Initializes a new instance of the <see cref="AInjectedModule" /> class. /// </summary> /// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param> /// <param name="module">The native <see cref="ProcessModule" /> object corresponding to the injected module.</param> /// <param name="mustBeDisposed">The module will be ejected when the finalizer collects the object.</param> public AInjectedModule(AProcessSharp processPlus, ProcessModule module, bool mustBeDisposed = true) : base(processPlus, module) { // Save the parameter MustBeDisposed = mustBeDisposed; }
/// <summary> /// Initializes a new instance of the <see cref="AMemoryPointer" /> class. /// </summary> /// <param name="process">The reference of the <see cref="AProcessSharp"></see></param> /// <param name="address">The location where the pointer points in the remote process.</param> public AMemoryPointer(AProcessSharp process, IntPtr address) { // Save the parameters Process = process; BaseAddress = address; }
public ARemoteFunction(AProcessSharp processPlus, IntPtr address, string functionName) : base(processPlus, address) { // Save the parameter Name = functionName; }
static void Main(string[] args) { //test.a(); //var Brackets = new ACharArray('(', ')', '[', ']', '{', '}'); //var StdWordDelims = new ACharArray(',', '.', ';', '/', '\\', ':', '\'', '"', '`', '(', ')', '[', ']', '{', '}'); //StdWordDelims.AddRange(Brackets.TakeAll()); //StdWordDelims.AddRange(ACharUtils.Range('\0', ' ').TakeAll()); // //Console.WriteLine("done"); var m = new AProcessSharp(System.Diagnostics.Process.GetProcessesByName("pacwin")[0], AMemoryType.Remote); UTokenSp.Activate(); AAsmTools.InitTools(new ASymbolHandler()); AAsmTools.SymbolHandler.Process = m; var a = AAsmTools.Assembler; var b1 = new AByteArray(); //var m2 = new AProcessSharp(System.Diagnostics.Process.GetCurrentProcess(), AMemoryType.Remote); a.SymbolHandler.Process = m; var aa = AAsmTools.AutoAssembler; //var result = a.Assemble("mov eax, [edx+esi+66]", 0x400300, b1); // E9 FB 01 00 00 //var result = a.Assemble("mov rax,[1122334455778899]", 0x400300, b1); // E9 FB 01 00 00 //Console.WriteLine("Result: " + result); //Console.WriteLine("Bytes:"); //Console.WriteLine(UBinaryUtils.Expand(b1.TakeAll())); // // var d = AAsmTools.Disassembler; //var sd = ""; //using (var pt = new UBytePtr(b1.TakeAll())) //{ // var ptt = pt.ToIntPtr().ToUIntPtr(); // d.Disassemble(ref ptt, ref sd); //} //Console.WriteLine(d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters); var bi = AAsmTools.ByteInterpreter; var bp = m.Memory.Read((IntPtr)0x411C88, 32); using (var bip = new UBytePtr(bp)) { Console.WriteLine("Found dataType: " + bi.FindTypeOfData((UIntPtr)0x411C88, bip, 8)); Console.WriteLine("Found dataType: " + bi.DataToString(bp, 8, AVariableType.Double)); } // aa.Assembler.SymHandler.Process = m; // var cd = @" // 400300: // mov rax, [411c88] // mov rax, dword ptr[11223344556677] // ".Trim(); // var codex = new ARefStringArray(); // codex.Assign(UStringUtils.GetLines(cd).ToArray()); // aa.RemoveComments(codex); // // var b = aa.Assemble(aa.SelfSymbolHandler.Process, codex); d.IsDataOnly = false; // d.Is64Bit = true; // d.SymbolHandler.Process = m; var s1 = ""; // var bytes = new UBytePtr(b[0].Bytes.TakeAll()); // //var ptr = bytes.ToIntPtr().ToUIntPtr(); // var ptr = (UIntPtr)0x40230F; var i = 30; while (i-- > 0) { try { var dis = d.Disassemble(ref ptr, ref s1); var cl = d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters; var dec = d.DecodeLastParametersToString(); //Console.WriteLine(cl + " ; " + dec); d.SplitDisassembledString(dis, false, out var address, out var bytes, out var opcode, out var special); Console.WriteLine($"0x{address.PadRight(8)} {bytes.PadRight(20)} {opcode} {special} ; {dec}"); } catch (Exception e) { Console.WriteLine("Error " + e.Message); Console.WriteLine(e.Source); Console.WriteLine(e.StackTrace); break; } } // Console.ReadKey(); // Environment.Exit(1); a.SymbolHandler.Process = m; var cc = @" [ENABLE] 400300: mov edx, dword ptr[411c88] reassemble(40230f); reassemble(pacwin.exe+2379); cat: reassemble(pacwin.exe+237C); call messageboxa jmp cat 400314: [DISABLE] ".Trim(); var code = new ARefStringArray(); code.Assign(UStringUtils.GetLines(cc).ToArray()); aa.RemoveComments(code); var scr = new AScriptBytesArray(); var info = new ADisableInfo(); var ret = aa.AutoAssemble(m, code, false, true, false, false, info, false, scr); Console.WriteLine("Loaded 2"); Console.WriteLine("Result: " + ret); aa.AutoAssemble(m, code, false, true, false, false, info, true, scr); Console.WriteLine("Loaded 3"); foreach (var o in scr) { Console.WriteLine("Line: " + o.Type + " " + o.Address.ToUInt64().ToString("X") + " " + AStringUtils.BinToHexStr(o.Bytes.TakeAll())); } // var f = new AAssemblyFactory(m, new ASharpAsm()); // f.Inject( // new[] // { // "mov, eax 7", // "push 0", // "add esp, 4", // "retn" // }, // (IntPtr) 0x400310); // // var v = f.Execute<int>((IntPtr)0x400310); // Console.WriteLine("Return: " + v); //f.InjectAndExecute( // new[] // { // "alloc(storage, 1000)", // "label(caption)", // "label(message)", // "push 0", // "push caption", // "push message", // "push 0", // "call MessageBoxA", // "push 0", // "add esp, 4", // "retn", // // storage zone // "storage:", // "caption:", // " db 'caption', 00", // "message:", // " db 'message', 00", // }, // (IntPtr)0x400300); Console.ReadKey(); //aa.AutoAssemble(m, code, false, false, false, false, info, false, scr); Environment.Exit(1); }
/// <summary> /// Initializes a new instance of the <see cref="ARemoteModule" /> class. /// </summary> /// <param name="processPlus"></param> /// <param name="module">The native <see cref="ProcessModule" /> object corresponding to this module.</param> public ARemoteModule(AProcessSharp processPlus, ProcessModule module) : base(processPlus, module.BaseAddress) { // Save the parameter Native = module; }
/// <summary> /// Converts a pointer to a given type. This function converts the value of the pointer or the pointed value, /// according if the data type is primitive or reference. /// </summary> /// <param name="memorySharp">The concerned process.</param> /// <param name="pointer">The pointer to convert.</param> /// <returns>The return value is the pointer converted to the given data type.</returns> public static T PtrToObject(AProcessSharp memorySharp, IntPtr pointer) { return(ByteArrayToObject(CanBeStoredInRegisters ? BitConverter.GetBytes(pointer.ToInt64()) : memorySharp.Memory.Read <byte>(pointer, Size))); }
/// <summary> /// Marshals a given value into the remote process. /// </summary> /// <typeparam name="T">The type of the value. It can be a primitive or reference data type.</typeparam> /// <param name="memorySharp">The concerned process.</param> /// <param name="value">The value to marshal.</param> /// <returns>The return value is an new instance of the <see cref="MarshalledValue{T}" /> class.</returns> public static MarshalledValue <T> Marshal <T>(AProcessSharp memorySharp, T value) { return(new MarshalledValue <T>(memorySharp, value)); }
/// <summary> /// Initializes a new instance of the <see cref="AWindowFactory" /> class. /// </summary> public AWindowFactory(AProcessSharp process) { // Save the parameter _process = process; }
public static void SetActiveProcess(AProcessSharp process) { SymbolHandler.Process = process; // todo add a refresh here }
/// <summary> /// Initializes a new instance of the <see cref="AAssemblyFactory" /> class. /// </summary> /// <param name="process">The process.</param> /// <param name="assembler">The assembler.</param> public AAssemblyFactory(AProcessSharp process, IAAssembler assembler) { Process = process; Assembler = assembler; }
/// <summary> /// Frees the loaded dynamic-link library (DLL) module and, if necessary, decrements its reference count. /// </summary> /// <param name="memorySharp">The reference of the <see cref="MemorySharp" /> object.</param> /// <param name="module">The module to eject.</param> internal static void InternalEject(AProcessSharp memorySharp, AProcessSharpModule module) { // Call FreeLibrary remotely memorySharp.ThreadFactory.CreateAndJoin(memorySharp["kernel32"]["FreeLibrary"].BaseAddress, module.BaseAddress); }