/// <summary>
/// Initializes a new instance of the <see cref="AModuleFactory" /> class.
/// </summary>
/// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param>
public AModuleFactory(AProcessSharp processPlus)
{
// Save the parameter
ProcessPlus = processPlus;
// Create a list containing all injected modules
InternalInjectedModules = new List <AInjectedModule>();
}
/// <summary>
/// Initializes a new instance of the <see cref="AMemoryFactory" /> class.
/// </summary>
/// <param name="process">The reference of the <see cref="Process" /> object.</param>
public AMemoryFactory(AProcessSharp process)
{
// Save the parameter
Process = process;
// Create a list containing all allocated memory
InternalRemoteAllocations = new List <IAAllocatedMemory>();
}
/// <summary>
/// Initializes a new instance of the <see cref="MarshalledValue{T}" /> class.
/// </summary>
/// <param name="process">The reference of the <see cref="Process" /> object.</param>
/// <param name="value">The value to marshal.</param>
public MarshalledValue(AProcessSharp process, T value)
{
// Save the parameters
Process = process;
Value = value;
// Marshal the value
Marshal();
}
public ASymbolLoaderThread()
{
SymbolList = new UArrayManager <ASymbol>();
Process = null;
IsLoading = false;
CurrentModuleName = "";
Terminated = false;
}
/// <summary>
/// Initializes a new instance of the <see cref="ARemoteWindow" /> class.
/// </summary>
/// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param>
/// <param name="handle">The handle of a window.</param>
public ARemoteWindow(AProcessSharp processPlus, IntPtr handle)
{
// Save the parameters
ProcessPlus = processPlus;
Handle = handle;
// Create the tools
Keyboard = new AMessageKeyboard(this);
Mouse = new ASendInputMouse(this);
}
/// <summary>
/// Initializes a new instance of the <see cref="ARemoteThread" /> class.
/// </summary>
/// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param>
/// <param name="thread">The native <see cref="ProcessThread" /> object.</param>
public ARemoteThread(AProcessSharp processPlus, ProcessThread thread)
{
// Save the parameters
ProcessPlus = processPlus;
Native = thread;
// Save the thread id
Id = thread.Id;
// Open the thread
Handle = AThreadHelper.OpenThread(ThreadAccessFlags.AllAccess, Id);
}
public ASymbolHandler()
{
Process = null;
_symbolLoaderThread = null;
SymbolList = new UArrayManager <ASymbol>();
UserDefinedSymbols = new UArrayManager <AUserDefinedSymbol>();
_moduleList = new AModuleInfoArray();
ShowSymbols = false;
ShowModules = false;
ShowSections = false;
}
/// <summary>
/// Initializes a new instance of the <see cref="AAllocatedMemory" /> class.
/// </summary>
/// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param>
/// <param name="name"></param>
/// <param name="size">The size of the allocated memory.</param>
/// <param name="protection">The protection of the allocated memory.</param>
/// <param name="mustBeDisposed">The allocated memory will be released when the finalizer collects the object.</param>
public AAllocatedMemory(AProcessSharp processPlus, string name, int size,
MemoryProtectionFlags protection = MemoryProtectionFlags.ExecuteReadWrite,
bool mustBeDisposed = true)
: base(processPlus, AMemoryHelper.Allocate(processPlus.Handle, size, protection))
{
// Set local vars
Identifier = name;
MustBeDisposed = mustBeDisposed;
IsDisposed = false;
Size = size;
}
/// <summary>
/// Injects the specified module into the address space of the remote process.
/// </summary>
/// <param name="memorySharp">The reference of the <see cref="MemorySharp" /> object.</param>
/// <param name="path">
/// The path of the module. This can be either a library module (a .dll file) or an executable module
/// (an .exe file).
/// </param>
/// <returns>A new instance of the <see cref="AInjectedModule" />class.</returns>
/// <returns>A new instance of the <see cref="AInjectedModule"/>class.</returns>
internal static AInjectedModule InternalInject(AProcessSharp memorySharp, string path)
{
// Call LoadLibraryA remotely
var thread = memorySharp.ThreadFactory.CreateAndJoin(memorySharp["kernel32"]["LoadLibraryA"].BaseAddress, path);
// Get the inject module
if (thread.GetExitCode <IntPtr>() != IntPtr.Zero)
{
return(new AInjectedModule(memorySharp, memorySharp.ModuleFactory.NativeModules.First(m => m.BaseAddress == thread.GetExitCode <IntPtr>())));
}
return(null);
}
/// <summary>
/// Initializes a new instance of the <see cref="ARemoteThread" /> class.
/// </summary>
/// <param name="processPlus">The reference of the <see cref="MemoryManagement.MemorySharp" /> object.</param>
/// <param name="thread">The native <see cref="ProcessThread" /> object.</param>
/// <param name="parameter">The parameter passed to the thread when it was created.</param>
public ARemoteThread(AProcessSharp processPlus, ProcessThread thread, IAMarshalledValue parameter = null)
: this(processPlus, thread)
{
// Save the parameter
_parameter = parameter;
// Create the task
_parameterCleaner = new Task(() =>
{
Join();
_parameter.Dispose();
});
}
/// <summary>
/// Initializes a new instance of the <see cref="AThreadFactory" /> class.
/// </summary>
/// <param name="process">The reference of the <see cref="Process" /> object.</param>
public AThreadFactory(AProcessSharp process)
{
// Save the parameter
Process = process;
}
/// <summary>
/// Initializes a new instance of the <see cref="AInjectedModule" /> class.
/// </summary>
/// <param name="processPlus">The reference of the <see cref="AProcessSharp" /> object.</param>
/// <param name="module">The native <see cref="ProcessModule" /> object corresponding to the injected module.</param>
/// <param name="mustBeDisposed">The module will be ejected when the finalizer collects the object.</param>
public AInjectedModule(AProcessSharp processPlus, ProcessModule module, bool mustBeDisposed = true)
: base(processPlus, module)
{
// Save the parameter
MustBeDisposed = mustBeDisposed;
}
/// <summary>
/// Initializes a new instance of the <see cref="AMemoryPointer" /> class.
/// </summary>
/// <param name="process">The reference of the <see cref="AProcessSharp"></see></param>
/// <param name="address">The location where the pointer points in the remote process.</param>
public AMemoryPointer(AProcessSharp process, IntPtr address)
{
// Save the parameters
Process = process;
BaseAddress = address;
}
public ARemoteFunction(AProcessSharp processPlus, IntPtr address, string functionName) : base(processPlus, address)
{
// Save the parameter
Name = functionName;
}
static void Main(string[] args)
{
//test.a();
//var Brackets = new ACharArray('(', ')', '[', ']', '{', '}');
//var StdWordDelims = new ACharArray(',', '.', ';', '/', '\\', ':', '\'', '"', '`', '(', ')', '[', ']', '{', '}');
//StdWordDelims.AddRange(Brackets.TakeAll());
//StdWordDelims.AddRange(ACharUtils.Range('\0', ' ').TakeAll());
//
//Console.WriteLine("done");
var m = new AProcessSharp(System.Diagnostics.Process.GetProcessesByName("pacwin")[0], AMemoryType.Remote);
UTokenSp.Activate();
AAsmTools.InitTools(new ASymbolHandler());
AAsmTools.SymbolHandler.Process = m;
var a = AAsmTools.Assembler;
var b1 = new AByteArray();
//var m2 = new AProcessSharp(System.Diagnostics.Process.GetCurrentProcess(), AMemoryType.Remote);
a.SymbolHandler.Process = m;
var aa = AAsmTools.AutoAssembler;
//var result = a.Assemble("mov eax, [edx+esi+66]", 0x400300, b1); // E9 FB 01 00 00
//var result = a.Assemble("mov rax,[1122334455778899]", 0x400300, b1); // E9 FB 01 00 00
//Console.WriteLine("Result: " + result);
//Console.WriteLine("Bytes:");
//Console.WriteLine(UBinaryUtils.Expand(b1.TakeAll()));
//
//
var d = AAsmTools.Disassembler;
//var sd = "";
//using (var pt = new UBytePtr(b1.TakeAll()))
//{
// var ptt = pt.ToIntPtr().ToUIntPtr();
// d.Disassemble(ref ptt, ref sd);
//}
//Console.WriteLine(d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters);
var bi = AAsmTools.ByteInterpreter;
var bp = m.Memory.Read((IntPtr)0x411C88, 32);
using (var bip = new UBytePtr(bp))
{
Console.WriteLine("Found dataType: " + bi.FindTypeOfData((UIntPtr)0x411C88, bip, 8));
Console.WriteLine("Found dataType: " + bi.DataToString(bp, 8, AVariableType.Double));
}
// aa.Assembler.SymHandler.Process = m;
// var cd = @"
// 400300:
// mov rax, [411c88]
// mov rax, dword ptr[11223344556677]
// ".Trim();
// var codex = new ARefStringArray();
// codex.Assign(UStringUtils.GetLines(cd).ToArray());
// aa.RemoveComments(codex);
//
// var b = aa.Assemble(aa.SelfSymbolHandler.Process, codex);
d.IsDataOnly = false;
// d.Is64Bit = true;
// d.SymbolHandler.Process = m;
var s1 = "";
// var bytes = new UBytePtr(b[0].Bytes.TakeAll());
// //var ptr = bytes.ToIntPtr().ToUIntPtr();
//
var ptr = (UIntPtr)0x40230F;
var i = 30;
while (i-- > 0)
{
try
{
var dis = d.Disassemble(ref ptr, ref s1);
var cl = d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters;
var dec = d.DecodeLastParametersToString();
//Console.WriteLine(cl + " ; " + dec);
d.SplitDisassembledString(dis, false, out var address, out var bytes, out var opcode, out var special);
Console.WriteLine($"0x{address.PadRight(8)} {bytes.PadRight(20)} {opcode} {special} ; {dec}");
}
catch (Exception e)
{
Console.WriteLine("Error " + e.Message);
Console.WriteLine(e.Source);
Console.WriteLine(e.StackTrace);
break;
}
}
// Console.ReadKey();
// Environment.Exit(1);
a.SymbolHandler.Process = m;
var cc = @"
[ENABLE]
400300:
mov edx, dword ptr[411c88]
reassemble(40230f);
reassemble(pacwin.exe+2379);
cat:
reassemble(pacwin.exe+237C);
call messageboxa
jmp cat
400314:
[DISABLE]
".Trim();
var code = new ARefStringArray();
code.Assign(UStringUtils.GetLines(cc).ToArray());
aa.RemoveComments(code);
var scr = new AScriptBytesArray();
var info = new ADisableInfo();
var ret = aa.AutoAssemble(m, code, false, true, false, false, info, false, scr);
Console.WriteLine("Loaded 2");
Console.WriteLine("Result: " + ret);
aa.AutoAssemble(m, code, false, true, false, false, info, true, scr);
Console.WriteLine("Loaded 3");
foreach (var o in scr)
{
Console.WriteLine("Line: " + o.Type + " " + o.Address.ToUInt64().ToString("X") + " " + AStringUtils.BinToHexStr(o.Bytes.TakeAll()));
}
// var f = new AAssemblyFactory(m, new ASharpAsm());
// f.Inject(
// new[]
// {
// "mov, eax 7",
// "push 0",
// "add esp, 4",
// "retn"
// },
// (IntPtr) 0x400310);
//
// var v = f.Execute<int>((IntPtr)0x400310);
// Console.WriteLine("Return: " + v);
//f.InjectAndExecute(
// new[]
// {
// "alloc(storage, 1000)",
// "label(caption)",
// "label(message)",
// "push 0",
// "push caption",
// "push message",
// "push 0",
// "call MessageBoxA",
// "push 0",
// "add esp, 4",
// "retn",
// // storage zone
// "storage:",
// "caption:",
// " db 'caption', 00",
// "message:",
// " db 'message', 00",
// },
// (IntPtr)0x400300);
Console.ReadKey();
//aa.AutoAssemble(m, code, false, false, false, false, info, false, scr);
Environment.Exit(1);
}
/// <summary>
/// Initializes a new instance of the <see cref="ARemoteModule" /> class.
/// </summary>
/// <param name="processPlus"></param>
/// <param name="module">The native <see cref="ProcessModule" /> object corresponding to this module.</param>
public ARemoteModule(AProcessSharp processPlus, ProcessModule module) : base(processPlus, module.BaseAddress)
{
// Save the parameter
Native = module;
}
/// <summary>
/// Converts a pointer to a given type. This function converts the value of the pointer or the pointed value,
/// according if the data type is primitive or reference.
/// </summary>
/// <param name="memorySharp">The concerned process.</param>
/// <param name="pointer">The pointer to convert.</param>
/// <returns>The return value is the pointer converted to the given data type.</returns>
public static T PtrToObject(AProcessSharp memorySharp, IntPtr pointer)
{
return(ByteArrayToObject(CanBeStoredInRegisters
? BitConverter.GetBytes(pointer.ToInt64())
: memorySharp.Memory.Read <byte>(pointer, Size)));
}
/// <summary>
/// Marshals a given value into the remote process.
/// </summary>
/// <typeparam name="T">The type of the value. It can be a primitive or reference data type.</typeparam>
/// <param name="memorySharp">The concerned process.</param>
/// <param name="value">The value to marshal.</param>
/// <returns>The return value is an new instance of the <see cref="MarshalledValue{T}" /> class.</returns>
public static MarshalledValue <T> Marshal <T>(AProcessSharp memorySharp, T value)
{
return(new MarshalledValue <T>(memorySharp, value));
}
/// <summary>
/// Initializes a new instance of the <see cref="AWindowFactory" /> class.
/// </summary>
public AWindowFactory(AProcessSharp process)
{
// Save the parameter
_process = process;
}
public static void SetActiveProcess(AProcessSharp process)
{
SymbolHandler.Process = process; // todo add a refresh here
}
/// <summary>
/// Initializes a new instance of the <see cref="AAssemblyFactory" /> class.
/// </summary>
/// <param name="process">The process.</param>
/// <param name="assembler">The assembler.</param>
public AAssemblyFactory(AProcessSharp process, IAAssembler assembler)
{
Process = process;
Assembler = assembler;
}
/// <summary>
/// Frees the loaded dynamic-link library (DLL) module and, if necessary, decrements its reference count.
/// </summary>
/// <param name="memorySharp">The reference of the <see cref="MemorySharp" /> object.</param>
/// <param name="module">The module to eject.</param>
internal static void InternalEject(AProcessSharp memorySharp, AProcessSharpModule module)
{
// Call FreeLibrary remotely
memorySharp.ThreadFactory.CreateAndJoin(memorySharp["kernel32"]["FreeLibrary"].BaseAddress,
module.BaseAddress);
}
