/// <summary>
/// Loads the CLR inside the process identified by <c>processid</c> and invokes a managed method there.
/// It allocates memory in the target, writes the CLSID/IID, the argument strings and a small x86
/// stub built with <see cref="InlineASM"/>, then starts the stub on a remote thread. The stub calls
/// CorBindToRuntimeEx, then ICLRRuntimeHost::Start and ICLRRuntimeHost::ExecuteInDefaultAppDomain
/// through the host's vtable.
/// </summary>
/// <param name="AssemblyPath">Path of the managed assembly, written into the target as a string.</param>
/// <param name="TypeName">Fully qualified type name, written into the target as a string.</param>
/// <param name="MethodName">Method to run, written into the target as a string.</param>
/// <param name="Args">Argument string passed to the method, written into the target as a string.</param>
/// <param name="Version">Not used by this method: the stub passes NULL as the runtime version to CorBindToRuntimeEx.</param>
/// <remarks>
/// Defender notes, all visible in the code: this is the canonical cross-process injection sequence
/// (OpenProcess with VM_WRITE|CREATE_THREAD, VirtualAllocEx of an ExecuteReadWrite region,
/// WriteProcessMemory, CreateRemoteThread) that endpoint telemetry keys on. The stub pushes 4-byte
/// pointers and reads DWORD-sized slots, so it appears to be 32-bit only (confirm against InlineASM).
/// Return values of VirtualAllocEx/WriteProcessMemory are never checked, <c>hThread</c> is never
/// closed, <c>hprocess</c> is leaked on the early return, and <c>retcode</c> is read but never used.
/// </remarks>
public static void HostCLR_RunMethod(String AssemblyPath, String TypeName, String MethodName, String Args, String Version) {
    // Process handle is stored in a static field (declared elsewhere); processid is also an external field.
    hprocess = ProcModule.OpenProcess(ProcModule.PROCESS_QUERY_INFORMATION | ProcModule.PROCESS_VM_OPERATION | ProcModule.PROCESS_VM_WRITE | ProcModule.PROCESS_VM_READ | ProcModule.PROCESS_CREATE_THREAD, 0, (uint)processid);
    // Helper defined elsewhere; presumably resolves the CorBindToRuntimeEx export — confirm it is valid in the target's address space.
    IntPtr CorBindToRuntimeExPtr = CorBindToRuntimeExAddress();
    // Reused as the out-parameter of every WriteProcessMemory call below; its value is never inspected.
    uint BytesRead = 0;
    // Code cave: 500 bytes, RWX. An executable remote allocation is itself a strong detection signal.
    IntPtr codeCave_Code = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 500, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ExecuteReadWrite);
    // CLSID buffer is over-allocated (Length * 4) while only Length bytes are written; the IID buffer is sized exactly.
    IntPtr CLSID_CLRRuntimeHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)CLSID_CLRRuntimeHost.Length * 4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr IID_ICLRRuntimeHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)IID_ICLRRuntimeHost.Length, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    // 4-byte out-slot that receives the ICLRRuntimeHost* from CorBindToRuntimeEx (32-bit pointer size).
    IntPtr ClrHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 04, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    // 4-byte out-slot for the managed method's return value (pReturnValue of ExecuteInDefaultAppDomain); never read back.
    IntPtr dwRetPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    // String buffers sized as (chars * 2 + 2): assumes WriteUnicodeString emits UTF-16 plus a two-byte terminator — confirm.
    IntPtr AssemblyPathPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(AssemblyPath.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr TypeNamePtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(TypeName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr MethodNamePtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(MethodName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr ArgsPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(Args.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    // 16 bytes for the build-flavor string "wks" written below.
    IntPtr BuildFlavorPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x10, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    ProcModule.WriteProcessMemory(hprocess, CLSID_CLRRuntimeHostPtr, CLSID_CLRRuntimeHost, (uint)CLSID_CLRRuntimeHost.Length, out BytesRead);
    ProcModule.WriteProcessMemory(hprocess, IID_ICLRRuntimeHostPtr, IID_ICLRRuntimeHost, (uint)IID_ICLRRuntimeHost.Length, out BytesRead);
    WriteUnicodeString(BuildFlavorPtr, "wks");
    WriteUnicodeString(AssemblyPathPtr, AssemblyPath);
    WriteUnicodeString(TypeNamePtr, TypeName);
    WriteUnicodeString(MethodNamePtr, MethodName);
    WriteUnicodeString(ArgsPtr, Args);
    // Build the remote stub. Arguments are pushed right-to-left (stdcall); the Version parameter of
    // this method is not forwarded — the final PushByte(0) is a NULL pwszVersion.
    InlineASM inline = new InlineASM();
    inline.PushOffset(ClrHostPtr);
    inline.PushOffset(IID_ICLRRuntimeHostPtr);
    inline.PushOffset(CLSID_CLRRuntimeHostPtr);
    inline.PushByte(0);
    inline.PushOffset(BuildFlavorPtr);
    inline.PushByte(0);
    inline.MovEaxValue(CorBindToRuntimeExPtr);
    inline.CallEax(); // call CorBindToRuntimeEx
    // Load the ICLRRuntimeHost* written to ClrHostPtr, then its vtable; 0x0C is the slot the author labels Start.
    inline.MovEaxDwordPtr(ClrHostPtr);
    inline.MovEcxDwordPtrEax();
    inline.MovEdxDwordPtrEcxOffset(0x0C);
    inline.PushEax();
    inline.CallEdx(); // pClrHost->Start();
    // ExecuteInDefaultAppDomain(this, AssemblyPath, TypeName, MethodName, Args, pReturnValue) — pushed right-to-left.
    inline.PushOffset(dwRetPtr);
    inline.PushOffset(ArgsPtr);
    inline.PushOffset(MethodNamePtr);
    inline.PushOffset(TypeNamePtr);
    inline.PushOffset(AssemblyPathPtr);
    inline.MovEaxDwordPtr(ClrHostPtr);
    inline.MovEcxDwordPtrEax();
    inline.PushEax();
    // 0x2C is the vtable slot the author labels ExecuteInDefaultAppDomain.
    inline.MovEaxDwordPtrEcxOffset(0x2C);
    inline.CallEax(); // pClrHost->ExecuteInDefaultAppDomain
    inline.Retn();
    // Copy the stub into the RWX cave and run it on a new thread in the target.
    ProcModule.WriteProcessMemory(hprocess, codeCave_Code, inline.asm, (uint)inline.asm.Length, out BytesRead);
    IntPtr hThread = ProcModule.CreateRemoteThread(hprocess, IntPtr.Zero, 0, codeCave_Code, IntPtr.Zero, 0, IntPtr.Zero);
    /*
     * Original author's wait, left disabled:
     * if (ProcModule.WaitForSingleObject(hThread,uint.MaxValue)!=0)
     * {
     *     return;
     * }
     */
    // With the wait disabled the exit code is queried right after thread creation; retcode is assigned but never used.
    IntPtr retcode = IntPtr.Zero;
    if (!ProcModule.GetExitCodeThread(hThread, out retcode)) {
        // Early return leaks hprocess (and hThread, which is never closed on any path).
        return;
    }
    // Remote allocations are never freed and hThread is never closed.
    ProcModule.CloseHandle(hprocess);
}