static IntPtr CorBindToRuntimeExAddress()
{
ProcModule.ModuleInfo targetmscoree = null;
ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos((int)processid);
if (modules != null && modules.Length > 0)
{
for (int i = 0; i < modules.Length; i++)
{
if (modules[i].baseName.ToLower().Contains("mscoree.dll"))
{
targetmscoree = modules[i];
break;
}
}
}
if (targetmscoree == null || targetmscoree.baseOfDll == IntPtr.Zero)
{
return(IntPtr.Zero);
}
IntPtr CLRCreateInstanceAddress = IntPtr.Zero;
if (hprocess != IntPtr.Zero)
{
int CLRCreateInstancerva = ExportTable.ProcGetExpAddress
(hprocess, targetmscoree.baseOfDll, "CorBindToRuntimeEx");
if (CLRCreateInstancerva == 0)
{
return(IntPtr.Zero);
}
return((IntPtr)((long)targetmscoree.baseOfDll + (long)CLRCreateInstancerva));
}
return(IntPtr.Zero);
}
void HoockDetect()
{
textBox1.Text = "Detecting hooks for process whit the name " + ProcessName + " and PID=" + procid.ToString() + "\r\n";
byte[] Forread = new byte[0x500];
uint BytesRead = 0;
int CompileAddress = 0;
IntPtr processHandle = IntPtr.Zero;
try
{
processHandle = OpenProcess(ProcessAccess.QueryInformation | ProcessAccess.VMRead, false, (uint)procid);
}
catch
{
}
if (processHandle != IntPtr.Zero)
{
ProcModule.ModuleInfo targetmscorjit = null;
ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos(procid);
if (modules != null && modules.Length > 0)
{
for (int i = 0; i < modules.Length; i++)
{
if (modules[i].baseName.ToLower().Contains("mscorjit"))
{
targetmscorjit = modules[i];
break;
}
}
}
if (targetmscorjit == null)
{
textBox1.Text = textBox1.Text + "Seems that the target process is not a .NET process!" + "\r\n";
}
else
{
int getJitrva = ExportTable.ProcGetExpAddress(processHandle, targetmscorjit.baseOfDll, "getJit");
bool isok = false;
isok = ReadProcessMemory(processHandle,
(IntPtr)((long)targetmscorjit.baseOfDll + (long)getJitrva), Forread, (uint)Forread.Length, ref BytesRead);
if (isok)
{
int count = 0;
while (Forread[count] != 0x0C3)
{
count++;
}
long cmpointer = (long)targetmscorjit.baseOfDll + getJitrva + count + 1;
textBox1.Text = textBox1.Text + "Pointer of compile method : " + cmpointer.ToString("X8") + "\r\n";
CompileAddress = BitConverter.ToInt32(Forread, count + 1);
textBox1.Text = textBox1.Text + "Address of compile method is : " + CompileAddress.ToString("X8") + "\r\n";
if ((CompileAddress < (int)targetmscorjit.baseOfDll) || (CompileAddress > (int)targetmscorjit.baseOfDll + targetmscorjit.sizeOfImage))
{
textBox1.Text = textBox1.Text + "Address of compile method changed!!!" + "\r\n";
}
else
{
textBox1.Text = textBox1.Text +
"Address of compile method seems to be the original one!" + "\r\n";
}
}
else
{
textBox1.Text = textBox1.Text + "Failed to read from selected process!" + "\r\n";
}
ProcModule.CloseHandle(processHandle);
} // end if is not .NET
}
else
{
textBox1.Text = textBox1.Text + "Failed to open selected process!" + "\r\n";
}
}
void Button2Click(object sender, EventArgs e)
{
string filename = textBox1.Text;
string enviroments = textBox2.Text;
if (filename != "" && File.Exists(filename))
{
int processflags = processflags = 0 | (int)ProcessCreationFlags.CREATE_SUSPENDED;
IntPtr memptr = IntPtr.Zero;
button2.Enabled = false;
textBox3.Text = "";
GCHandle gchenv = new GCHandle();
if (enviroments.Length != 0)
{
if (enviroments.Length >= 3 && enviroments.Contains("="))
{
textBox3.AppendText("Setting Environment Variables...");
try
{
char[] separator = "\r\n".ToCharArray();
string[] realvalues = enviroments.Split(separator);
IntPtr newptr = memptr;
bool unicode = false;
if (Environment.OSVersion.Platform == PlatformID.Win32NT)
{
processflags = processflags | (int)ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT;
unicode = true;
}
StringDictionary environmentVariables = new StringDictionary();
// add Environments of the parent to the child!
foreach (System.Collections.DictionaryEntry entry in Environment.GetEnvironmentVariables())
{
environmentVariables.Add((string)entry.Key, (string)entry.Value);
}
for (int i = 0; i < realvalues.Length; i++)
{
if (realvalues[i] != "" && realvalues[i].Contains("="))
{
separator = "=".ToCharArray();
string[] currentvalue = realvalues[i].Split(separator);
if (currentvalue[0] != "")
{
if (environmentVariables.ContainsKey(currentvalue[0]))
{
textBox3.AppendText("\r\n" + "The key whit the name " +
currentvalue[0] + " is already on dictinonary!");
}
else
{
environmentVariables.Add(currentvalue[0], currentvalue[1]);
}
}
}
}
gchenv = GCHandle.Alloc(ToByteArray(environmentVariables, unicode), GCHandleType.Pinned);
memptr = gchenv.AddrOfPinnedObject();
textBox3.AppendText("\r\n" + "Environment Variables setted!");
}
catch (Exception exc)
{
textBox3.AppendText("\r\n" + exc.Message + "\r\n");
}
}
else
{
textBox3.AppendText("Invalid Environment Variables!" + "\r\n");
}
}
STARTUPINFO structure = new STARTUPINFO();
PROCESS_INFORMATION process_information = new PROCESS_INFORMATION();
IntPtr lpApplicationName = Marshal.StringToHGlobalUni(filename);
try
{
CreateProcess(lpApplicationName, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0, processflags, memptr, IntPtr.Zero, ref structure, ref process_information);
hprocess = process_information.hProcess;
hcthread = process_information.hThread;
cprocessid = process_information.dwProcessId;
if (gchenv.IsAllocated)
{
gchenv.Free();
}
textBox3.AppendText("\r\n" + "Process created");
if (checkBox1.Checked)
{
textBox3.AppendText(" on suspended mode");
button3.Enabled = true;
}
textBox3.AppendText("!" + "\r\n");
}
catch (Exception ex3)
{
textBox3.AppendText("\r\n" + "Failed to start process whit the message" +
ex3.Message + "\r\n");
return;
}
checktimer = new System.Windows.Forms.Timer();
checktimer.Interval = 30;
checktimer.Enabled = true;
checktimer.Tick += new System.EventHandler(CheckStatut);
if (checkBox2.Checked)
{
ProcModule.ModuleInfo[] modules = null;
for (int k = 0; k < 500; k++) // try it 500 times!
{
LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread);
modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId);
if (modules != null && modules.Length > 0)
{
for (int i = 0; i < modules.Length; i++)
{
if (modules[i].baseName.ToLower().Contains("kernel32"))
{
targetkernel32 = modules[i];
break;
}
}
}
if (targetkernel32 != null)
{
break;
}
}
if (targetkernel32 != null && targetkernel32.baseOfDll != IntPtr.Zero)
{
HookCreateProcess(targetkernel32.baseOfDll);
}
}
if (checkBox3.Checked)
{
ProcModule.ModuleInfo[] modules = null;
for (int k = 0; k < 50; k++) // try it 50 times!
{
LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread);
modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId);
if (modules != null && modules.Length > 0)
{
for (int i = 0; i < modules.Length; i++)
{
if (modules[i].baseName.Length > 10 && modules[i].baseName.ToLower().StartsWith("msvcr"))
{
targetMSVCR80 = modules[i];
break;
}
}
}
if (targetMSVCR80 != null)
{
break;
}
}
if (targetMSVCR80 != null && targetMSVCR80.baseOfDll != IntPtr.Zero)
{
LogmemcpyInit(targetMSVCR80.baseOfDll);
}
}
if (!checkBox1.Checked)
{
ResumeThread(process_information.hThread);
}
}
else
{
textBox3.Text = "Please select a valid file!" + "\r\n";
}
}
public void CheckStatut(object source, EventArgs e)
{
uint exitcode = 0;
GetExitCodeProcess(hprocess, out exitcode);
if (exitcode != 259) // STILL_ACTIVE = 259
{
button2.Enabled = true;
textBox3.AppendText("\r\n" + "Process terminated, exit code: " + exitcode.ToString() + "\r\n");
checktimer.Stop();
checktimer.Dispose();
checktimer = null;
hprocess = IntPtr.Zero;
cprocessid = 0;
hcthread = IntPtr.Zero;
targetkernel32 = null;
targetMSVCR80 = null;
VirtualAlloc1 = IntPtr.Zero;
VirtualAlloc2 = IntPtr.Zero;
VirtualAlloc3 = IntPtr.Zero;
}
else
{
byte[] keeper = new byte[4];
uint BytesRead = 0;
if (VirtualAlloc1 != IntPtr.Zero && ReadProcessMemory(hprocess, VirtualAlloc1, keeper, 4, ref BytesRead))
{
if (keeper[0] != 0 || keeper[1] != 0 || keeper[2] != 0 || keeper[2] != 0)
{
int ESPvalue = BitConverter.ToInt32(keeper, 0);
byte[] eraser = new byte[] { 0, 0, 0, 0 };
byte[] infiniteloop = new byte[] { 0x0EB, 0x0FE };
byte[] nops = new byte[] { 0x090, 0x090 };
// write infinit loop to second:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 12), infiniteloop, 2, out BytesRead);
// nop the first and write infinit loop back:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 10), nops, 2, out BytesRead);
Sleep(2);
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 10), infiniteloop, 2, out BytesRead);
textBox3.AppendText("\r\n");
textBox3.AppendText("CreateProcessW reached:" + "\r\n");
textBox3.AppendText("Value of ESP:" + ESPvalue.ToString("X8") + "\r\n");
byte[] parbytes = new byte[14 * 4];
if (ReadProcessMemory(hprocess, (IntPtr)ESPvalue, parbytes, (uint)parbytes.Length, ref BytesRead))
{
int[] parameters = new int[14];
for (int i = 0; i < parameters.Length; i++)
{
parameters[i] = BitConverter.ToInt32(parbytes, i * 4);
}
textBox3.AppendText("Return address: " + parameters[0].ToString("X8") + "\r\n");
textBox3.AppendText("hToken: " + parameters[1].ToString("X8") + "\r\n");
textBox3.AppendText("ModuleFileName: " + parameters[2].ToString("X8") + " ");
string result = MemStringReader.ReadUnicodeString(hprocess, (IntPtr)parameters[2]);
if (result != null)
{
textBox3.AppendText(result);
}
textBox3.AppendText("\r\n");
textBox3.AppendText("CommandLine: " + parameters[3].ToString("X8") + " ");
result = MemStringReader.ReadUnicodeString(hprocess, (IntPtr)parameters[3]);
if (result != null)
{
textBox3.AppendText(result);
}
textBox3.AppendText("\r\n");
textBox3.AppendText("pProcessSecurity: " + parameters[4].ToString("X8") + "\r\n");
textBox3.AppendText("pThreadSecurity: " + parameters[5].ToString("X8") + "\r\n");
textBox3.AppendText("InheritHandles: " + parameters[6].ToString("X8") + "\r\n");
textBox3.AppendText("CreationFlags: " + parameters[7].ToString("X8") + "\r\n");
textBox3.AppendText("pEnvironment: " + parameters[8].ToString("X8") + "\r\n");
textBox3.AppendText("CurrentDir: " + parameters[9].ToString("X8") + " ");
result = MemStringReader.ReadUnicodeString(hprocess, (IntPtr)parameters[9]);
if (result != null)
{
textBox3.AppendText(result);
}
textBox3.AppendText("\r\n");
textBox3.AppendText("pStartupInfo: " + parameters[10].ToString("X8") + "\r\n");
textBox3.AppendText("pProcessInfo: " + parameters[11].ToString("X8") + "\r\n");
textBox3.AppendText("hNewToken: " + parameters[12].ToString("X8") + "\r\n");
}
// clean old value:
WriteProcessMemory(hprocess, VirtualAlloc1, eraser, 4, out BytesRead);
// suspend thread an let the user choose when to continue
SuspendThread(hcthread);
// finaly release second infinite loop:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc1 + 12), nops, 2, out BytesRead);
}
}
if (VirtualAlloc2 != IntPtr.Zero && ReadProcessMemory(hprocess, VirtualAlloc2, keeper, 4, ref BytesRead))
{
if (keeper[0] != 0 || keeper[1] != 0 || keeper[2] != 0 || keeper[2] != 0)
{
int ESPvalue = BitConverter.ToInt32(keeper, 0);
byte[] eraser = new byte[] { 0, 0, 0, 0 };
byte[] infiniteloop = new byte[] { 0x0EB, 0x0FE };
byte[] nops = new byte[] { 0x090, 0x090 };
// write infinit loop to second:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 12), infiniteloop, 2, out BytesRead);
// nop the first and write infinit loop back:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 10), nops, 2, out BytesRead);
Sleep(2);
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 10), infiniteloop, 2, out BytesRead);
textBox3.AppendText("\r\n");
textBox3.AppendText("CreateProcessW reached:" + "\r\n");
textBox3.AppendText("Value of ESP:" + ESPvalue.ToString("X8") + "\r\n");
byte[] parbytes = new byte[14 * 4];
if (ReadProcessMemory(hprocess, (IntPtr)ESPvalue, parbytes, (uint)parbytes.Length, ref BytesRead))
{
int[] parameters = new int[14];
for (int i = 0; i < parameters.Length; i++)
{
parameters[i] = BitConverter.ToInt32(parbytes, i * 4);
}
textBox3.AppendText("Return address: " + parameters[0].ToString("X8") + "\r\n");
textBox3.AppendText("hToken: " + parameters[1].ToString("X8") + "\r\n");
textBox3.AppendText("ModuleFileName: " + parameters[2].ToString("X8") + " ");
string result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[2]);
if (result != null)
{
textBox3.AppendText(result);
}
textBox3.AppendText("\r\n");
textBox3.AppendText("CommandLine: " + parameters[3].ToString("X8") + " ");
result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[3]);
if (result != null)
{
textBox3.AppendText(result);
}
textBox3.AppendText("\r\n");
textBox3.AppendText("pProcessSecurity: " + parameters[4].ToString("X8") + "\r\n");
textBox3.AppendText("pThreadSecurity: " + parameters[5].ToString("X8") + "\r\n");
textBox3.AppendText("InheritHandles: " + parameters[6].ToString("X8") + "\r\n");
textBox3.AppendText("CreationFlags: " + parameters[7].ToString("X8") + "\r\n");
textBox3.AppendText("pEnvironment: " + parameters[8].ToString("X8") + "\r\n");
textBox3.AppendText("CurrentDir: " + parameters[9].ToString("X8") + " ");
result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[9]);
if (result != null)
{
textBox3.AppendText(result);
}
textBox3.AppendText("\r\n");
textBox3.AppendText("pStartupInfo: " + parameters[10].ToString("X8") + "\r\n");
textBox3.AppendText("pProcessInfo: " + parameters[11].ToString("X8") + "\r\n");
textBox3.AppendText("hNewToken: " + parameters[12].ToString("X8") + "\r\n");
}
// clean old value:
WriteProcessMemory(hprocess, VirtualAlloc2, eraser, 4, out BytesRead);
// suspend thread an let the user choose when to continue
SuspendThread(hcthread);
// finaly release second infinite loop:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc2 + 12), nops, 2, out BytesRead);
}
}
if (VirtualAlloc3 != IntPtr.Zero && ReadProcessMemory(hprocess, VirtualAlloc3, keeper, 4, ref BytesRead))
{
if (keeper[0] != 0 || keeper[1] != 0 || keeper[2] != 0 || keeper[2] != 0)
{
int EBPvalue = BitConverter.ToInt32(keeper, 0);
byte[] eraser = new byte[] { 0, 0, 0, 0 };
byte[] infiniteloop = new byte[] { 0x0EB, 0x0FE };
byte[] nops = new byte[] { 0x090, 0x090 };
// write infinit loop to second:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1C), infiniteloop, 2, out BytesRead);
// nop the first and write infinit loop back:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1A), nops, 2, out BytesRead);
Sleep(2);
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1A), infiniteloop, 2, out BytesRead);
textBox3.AppendText("\r\n");
textBox3.AppendText("memcpy reached:" + "\r\n");
textBox3.AppendText("Value of EBP:" + EBPvalue.ToString("X8") + "\r\n");
byte[] parbytes = new byte[5 * 4];
if (ReadProcessMemory(hprocess, (IntPtr)EBPvalue, parbytes, (uint)parbytes.Length, ref BytesRead))
{
int[] parameters = new int[5];
for (int i = 0; i < parameters.Length; i++)
{
parameters[i] = BitConverter.ToInt32(parbytes, i * 4);
}
textBox3.AppendText("Old ESP: " + parameters[0].ToString("X8") + "\r\n");
textBox3.AppendText("Return Address: " + parameters[1].ToString("X8") + "\r\n");
textBox3.AppendText("Source: " + parameters[3].ToString("X8"));
string result = MemStringReader.ReadAsciiString(hprocess, (IntPtr)parameters[3]);
if (result != null)
{
textBox3.AppendText(" " + result);
}
textBox3.AppendText("\r\n");
textBox3.AppendText("len: (hex) " + parameters[4].ToString("X8") + "\r\n");
textBox3.AppendText("Destination: " + parameters[2].ToString("X8") + "\r\n");
}
// clean old value:
WriteProcessMemory(hprocess, VirtualAlloc3, eraser, 4, out BytesRead);
// suspend thread an let the user choose when to continue
SuspendThread(hcthread);
// finaly release second infinite loop:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 0x1C), nops, 2, out BytesRead);
}
}
}
}
