        /// <summary>
        /// Loads the CLR inside the process identified by the class-level <c>processid</c>
        /// and runs a managed method there. The target memory is prepared with
        /// VirtualAllocEx/WriteProcessMemory, a small 32-bit x86 stub is assembled with
        /// <see cref="InlineASM"/> that calls CorBindToRuntimeEx, then
        /// ICLRRuntimeHost::Start, then ICLRRuntimeHost::ExecuteInDefaultAppDomain, and the
        /// stub is started with CreateRemoteThread. The OpenProcess / VirtualAllocEx(RWX) /
        /// WriteProcessMemory / CreateRemoteThread sequence used here is the standard
        /// remote-thread injection pattern that endpoint monitoring alerts on.
        /// </summary>
        /// <param name="AssemblyPath">Path of the managed assembly; written to the target as a NUL-terminated UTF-16 string.</param>
        /// <param name="TypeName">Name of the type whose method is run; written the same way.</param>
        /// <param name="MethodName">Name of the method handed to ExecuteInDefaultAppDomain.</param>
        /// <param name="Args">String argument handed to ExecuteInDefaultAppDomain.</param>
        /// <param name="Version">Never referenced in this body: the stub pushes 0 into the
        /// pwszVersion slot of CorBindToRuntimeEx, so this value never reaches the target.</param>
        /// <remarks>
        /// Depends on members defined outside this method: <c>processid</c>, <c>hprocess</c>,
        /// <c>CLSID_CLRRuntimeHost</c>, <c>IID_ICLRRuntimeHost</c>, <c>CorBindToRuntimeExAddress()</c>
        /// and <c>WriteUnicodeString()</c>. No native return value is checked (a NULL from
        /// OpenProcess or VirtualAllocEx is silently used), the remote thread handle is never
        /// closed, the memory allocated in the target is never freed, and the early
        /// <c>return</c> after GetExitCodeThread leaks <c>hprocess</c>. Register names and the
        /// 4-byte pointer slots make this x86-only.
        /// </remarks>
        public static void HostCLR_RunMethod(String AssemblyPath, String TypeName, String MethodName, String Args, String Version)
        {
            // Handle with query + VM read/write/operation + thread creation rights; stored in a class field.
            hprocess = ProcModule.OpenProcess(ProcModule.PROCESS_QUERY_INFORMATION | ProcModule.PROCESS_VM_OPERATION | ProcModule.PROCESS_VM_WRITE | ProcModule.PROCESS_VM_READ | ProcModule.PROCESS_CREATE_THREAD, 0, (uint)processid);
            // Address the stub will call for CorBindToRuntimeEx (helper defined elsewhere; presumably the target's mscoree export).
            IntPtr CorBindToRuntimeExPtr = CorBindToRuntimeExAddress();
            uint   BytesRead             = 0; // receives the byte counts below but is never inspected

            // 500 bytes of executable-and-writable memory for the stub itself.
            IntPtr codeCave_Code           = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 500, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ExecuteReadWrite);
            // Sized to 4x the CLSID byte array although only CLSID_CLRRuntimeHost.Length bytes are written below.
            IntPtr CLSID_CLRRuntimeHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)CLSID_CLRRuntimeHost.Length * 4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
            IntPtr IID_ICLRRuntimeHostPtr  = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)IID_ICLRRuntimeHost.Length, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
            // 4-byte slot that receives the ICLRRuntimeHost* (C# has no leading-zero octal, so 04 == 4 == the 0x4 below).
            IntPtr ClrHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 04, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
            // 4-byte slot for the DWORD returned through ExecuteInDefaultAppDomain; never read back by this method.
            IntPtr dwRetPtr   = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);

            // Length * 2 + 2: UTF-16 code units plus a two-byte terminator for each string argument.
            IntPtr AssemblyPathPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(AssemblyPath.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
            IntPtr TypeNamePtr     = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(TypeName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
            IntPtr MethodNamePtr   = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(MethodName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
            IntPtr ArgsPtr         = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(Args.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);

            // Holds the build-flavor string "wks" (16 bytes is ample for 4 UTF-16 units).
            IntPtr BuildFlavorPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x10, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);

            // Copy the two GUID byte arrays and the five strings into the target. Return values are not checked.
            ProcModule.WriteProcessMemory(hprocess, CLSID_CLRRuntimeHostPtr, CLSID_CLRRuntimeHost, (uint)CLSID_CLRRuntimeHost.Length, out BytesRead);
            ProcModule.WriteProcessMemory(hprocess, IID_ICLRRuntimeHostPtr, IID_ICLRRuntimeHost, (uint)IID_ICLRRuntimeHost.Length, out BytesRead);
            WriteUnicodeString(BuildFlavorPtr, "wks");
            WriteUnicodeString(AssemblyPathPtr, AssemblyPath);
            WriteUnicodeString(TypeNamePtr, TypeName);
            WriteUnicodeString(MethodNamePtr, MethodName);
            WriteUnicodeString(ArgsPtr, Args);

            InlineASM inline = new InlineASM();

            // stdcall: arguments pushed right-to-left —
            // ppv, riid, rclsid, startupFlags = 0, pwszBuildFlavor, pwszVersion = 0 (the Version parameter is ignored).
            inline.PushOffset(ClrHostPtr);
            inline.PushOffset(IID_ICLRRuntimeHostPtr);
            inline.PushOffset(CLSID_CLRRuntimeHostPtr);
            inline.PushByte(0);
            inline.PushOffset(BuildFlavorPtr);
            inline.PushByte(0);
            inline.MovEaxValue(CorBindToRuntimeExPtr);
            inline.CallEax(); // call CorBindToRuntimeEx

            // eax = *ClrHostPtr (the interface pointer), ecx = its vtable, edx = vtable slot at 0x0C; push `this` and call.
            inline.MovEaxDwordPtr(ClrHostPtr);
            inline.MovEcxDwordPtrEax();
            inline.MovEdxDwordPtrEcxOffset(0x0C);
            inline.PushEax();
            inline.CallEdx(); // pClrHost->Start();

            // Arguments pushed right-to-left: pReturnValue, argument, method, type, assembly, then `this`; vtable slot 0x2C.
            inline.PushOffset(dwRetPtr);
            inline.PushOffset(ArgsPtr);
            inline.PushOffset(MethodNamePtr);
            inline.PushOffset(TypeNamePtr);
            inline.PushOffset(AssemblyPathPtr);
            inline.MovEaxDwordPtr(ClrHostPtr);
            inline.MovEcxDwordPtrEax();
            inline.PushEax();
            inline.MovEaxDwordPtrEcxOffset(0x2C);
            inline.CallEax(); // pClrHost->ExecuteInDefaultAppDomain

            // Return from the thread start routine; the HRESULT in eax becomes the thread exit code.
            inline.Retn();
            ProcModule.WriteProcessMemory(hprocess, codeCave_Code, inline.asm, (uint)inline.asm.Length, out BytesRead);

            // Start the stub as a new thread in the target with no parameter. hThread is never closed.
            IntPtr hThread = ProcModule.CreateRemoteThread(hprocess, IntPtr.Zero, 0,
                                                           codeCave_Code, IntPtr.Zero, 0, IntPtr.Zero);

/*
 * if (ProcModule.WaitForSingleObject(hThread,uint.MaxValue)!=0)
 * {
 * return;
 * }
 */

            IntPtr retcode = IntPtr.Zero; // filled by GetExitCodeThread but never used

            // With the wait above commented out this runs immediately after thread creation,
            // so the stub has not necessarily finished. Note the early return skips CloseHandle(hprocess).
            if (!ProcModule.GetExitCodeThread(hThread, out retcode))
            {
                return;
            }

            ProcModule.CloseHandle(hprocess);
        }