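/// <summary>
/// Terminates every running process whose first loaded module (normally the
/// executable itself) has a file name equal to <paramref name="processName"/>,
/// compared without regard to case.
/// </summary>
/// <remarks>
/// Only the file name is compared. The image path, signer and owning user are not
/// checked, so any binary that shares the name is terminated too whenever the caller
/// has the rights to do so. <c>Kill</c> ends the process immediately and unsaved
/// state in the target is lost.
/// </remarks>
/// <param name="processName">
/// Executable file name to match, for example <c>winword.exe</c>. A null or empty
/// value matches nothing.
/// </param>
public static void killAllProcess(string processName)
{
    if (string.IsNullOrEmpty(processName))
    {
        return;
    }

    foreach (System.Diagnostics.Process p in System.Diagnostics.Process.GetProcesses())
    {
        // Each Process wraps OS handles; release them once we are done with it.
        using (p)
        {
            // Skip PID 0 (the idle pseudo-process).
            if (p.Id == 0)
            {
                continue;
            }

            try
            {
                System.Diagnostics.ProcessModuleCollection modules = p.Modules;
                if (modules == null || modules.Count == 0)
                {
                    continue;
                }

                // Ordinal, case-insensitive comparison: works whatever casing the caller
                // passes and is not affected by the current culture's casing rules.
                if (string.Equals(modules[0].ModuleName, processName, System.StringComparison.OrdinalIgnoreCase))
                {
                    p.Kill();
                }
            }
            catch (System.ComponentModel.Win32Exception)
            {
                // Best effort: access denied, or the module list cannot be read.
            }
            catch (System.InvalidOperationException)
            {
                // Best effort: the process exited while it was being inspected.
            }
            catch (System.NotSupportedException)
            {
                // Best effort: the operation is not supported for this process.
            }
        }
    }
}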
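// Close the Word processes.
/// <summary>
/// Terminates every running process whose first loaded module is named
/// <c>winword.exe</c> (case-insensitive).
/// </summary>
/// <remarks>
/// Matching is by file name only, and <c>Kill</c> ends Word without giving it a
/// chance to save open documents. Any failure while inspecting or killing a process
/// is shown to the user in a message box, which includes the access-denied errors
/// raised for processes the caller may not inspect.
/// </remarks>
public void killAllProcess() // terminates every winword.exe process
{
    foreach (System.Diagnostics.Process p in System.Diagnostics.Process.GetProcesses())
    {
        // Each Process wraps OS handles; release them once we are done with it.
        using (p)
        {
            // Skip PID 0 (the idle pseudo-process).
            if (p.Id == 0)
            {
                continue;
            }

            try
            {
                System.Diagnostics.ProcessModuleCollection modules = p.Modules;
                if (modules == null || modules.Count == 0)
                {
                    continue;
                }

                // Ordinal comparison: a culture-sensitive ToLower() maps 'I' to a dotless
                // i under Turkish casing rules and would then never match "winword.exe".
                if (string.Equals(modules[0].ModuleName, "winword.exe", System.StringComparison.OrdinalIgnoreCase))
                {
                    p.Kill();
                }
            }
            catch (System.Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }
    }
}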
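private static readonly string _updateServer = "http.server.cnc-online.net"; // TODO: make this a setting

/// <summary>
/// Searches the in-memory image of the process's main module for the EA public key
/// and overwrites it with the CnC Online public key.
/// </summary>
/// <remarks>
/// After the swap, the process validates against the replacement key instead of the
/// original one, so whoever holds the matching private key becomes the trusted party.
/// The module is read and written through a raw pointer in the caller's own address
/// space, so this presumably only works when <paramref name="process"/> is the
/// current process (TODO confirm).
/// </remarks>
/// <param name="process">Process whose main module is patched.</param>
/// <returns>
/// <c>true</c> when the key was found and replaced; <c>false</c> when the page
/// protection could not be changed, the module could not be read, or the EA key was
/// not found (including the case where the replacement key is already present).
/// </returns>
public static unsafe bool ModifyPublicKey(System.Diagnostics.Process process)
{
    System.Diagnostics.ProcessModule module = process.MainModule;
    int oldProtection = 0;

    // 0x40 is PAGE_EXECUTE_READWRITE, applied to the whole module image.
    if (!Kernel32.VirtualProtect(module.BaseAddress, module.ModuleMemorySize, 0x40, ref oldProtection))
    {
        _tracer.TraceException(new Win32Exception(Marshal.GetLastWin32Error()).Message);
        return(false);
    }

    // NOTE(review): oldProtection is captured but never restored, so the entire image
    // stays writable and executable for the rest of the process lifetime. Restoring the
    // previous protection after the write would keep the writable window short.
    byte *pCurrentModule = (byte *)module.BaseAddress.ToPointer();
    using (Stream stream = new UnmanagedMemoryStream(pCurrentModule, module.ModuleMemorySize, module.ModuleMemorySize, FileAccess.ReadWrite))
    {
        // Snapshot the image so the key can be located with a byte-pattern search.
        byte[] buffer = new byte[stream.Length];
        if (stream.Read(buffer, 0, buffer.Length) != buffer.Length)
        {
            _tracer.TraceException("Error reading module.");
            return(false);
        }

        int index = buffer.IndexOf(_eaPublicKey);
        if (index < 0)
        {
            // Report "already set" only when the replacement key really is in the
            // image; otherwise the original key is simply missing.
            if (buffer.IndexOf(_cncOnlinePublicKey) >= 0)
            {
                _tracer.TraceInfo("CnC Online Public Key already set.");
            }
            else
            {
                _tracer.TraceException("Error finding public key.");
            }
            return(false);
        }

        _tracer.TraceInfo($"Public key found at 0x{index:X08}.");

        // NOTE(review): this writes _cncOnlinePublicKey.Length bytes; if the two keys
        // differ in length the bytes next to the original key are affected - confirm.
        stream.Position = index;
        stream.Write(_cncOnlinePublicKey, 0, _cncOnlinePublicKey.Length);
    }

    return(true);
}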
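/// <summary>
/// Finds a free region of the current address space within a signed 32-bit distance
/// of <paramref name="processModule"/> and commits <paramref name="size"/> bytes
/// there. Based on https://stackoverflow.com/a/54732489.
/// </summary>
/// <remarks>
/// The search window runs from (module base - 2 GiB + module size) up to
/// (module base + 2 GiB - 1), rounded to the system allocation granularity;
/// presumably so that 32-bit relative displacements from the module can reach the
/// block (TODO confirm against callers).
/// NOTE(review): the block is requested as PageExecuteReadWrite. Memory that is both
/// writable and executable weakens W^X; where callers allow it, allocate read-write
/// and switch to execute-read once the contents are final.
/// </remarks>
/// <param name="processModule">Module the allocation has to stay close to.</param>
/// <param name="size">Number of bytes to commit.</param>
/// <returns>Base address of the new block, or <see cref="System.IntPtr.Zero"/> when
/// a region query fails or no suitable free region accepts the allocation.</returns>
static public System.IntPtr Allocate(System.Diagnostics.ProcessModule processModule, System.Int32 size)
{
    Memory.GetSystemInfo(out var systemInfo);

    // Lower bound of the window. The guard is evaluated in 64-bit arithmetic:
    // "ModuleMemorySize - Int32.MinValue" overflows as an Int32 expression, which made
    // the test pass for every module and produced a negative address for low bases.
    var minimum = processModule.BaseAddress.ToInt64() > processModule.ModuleMemorySize - (System.Int64)System.Int32.MinValue
        ? Math.Ceiling(processModule.BaseAddress + System.Int32.MinValue + processModule.ModuleMemorySize, systemInfo.AllocationGranularity)
        : System.IntPtr.Zero;

    // Upper bound of the window, clamped so the addition cannot overflow.
    var maximum = processModule.BaseAddress.ToInt64() < (System.Int64.MaxValue - System.Int32.MaxValue)
        ? Math.Floor(processModule.BaseAddress + System.Int32.MaxValue, systemInfo.AllocationGranularity)
        : new System.IntPtr(System.Int64.MaxValue);

    while (minimum.ToInt64() < maximum.ToInt64())
    {
        if (Memory.VirtualQuery(minimum, out var memoryBasicInformation, new System.IntPtr(System.Runtime.CompilerServices.Unsafe.SizeOf<MemoryBasicInformation>())) == System.IntPtr.Zero)
        {
            return(System.IntPtr.Zero);
        }

        // Advance the cursor to the end of the region just described, before testing it.
        minimum = new System.IntPtr(memoryBasicInformation.BaseAddress.ToInt64() + memoryBasicInformation.RegionSize.ToInt64());

        if (memoryBasicInformation.State == MemoryBasicInformation.States.MemFree)
        {
            var baseAddress = Math.Ceiling(memoryBasicInformation.BaseAddress, systemInfo.AllocationGranularity);

            // If rounding has not changed regions and the region is at least the specified size
            if (baseAddress.ToInt64() < minimum.ToInt64() && (minimum.ToInt64() - baseAddress.ToInt64()) >= size)
            {
                var allocation = Memory.VirtualAlloc(baseAddress, new System.IntPtr(size), AllocationTypes.MemCommit | AllocationTypes.MemReserve, MemoryProtectionConstants.PageExecuteReadWrite);
                if (allocation != System.IntPtr.Zero)
                {
                    return(allocation);
                }
                // Allocation refused: keep scanning the following regions.
            }
        }
    }

    return(System.IntPtr.Zero);
}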
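/// <summary>
/// Terminates every running Word process, i.e. every process whose first loaded
/// module is named <c>winword.exe</c> (case-insensitive).
/// </summary>
/// <remarks>
/// Matching is by file name only; the image path and owning user are not checked.
/// <c>Kill</c> ends Word immediately, so unsaved documents are lost. Processes that
/// cannot be inspected or killed are skipped silently.
/// </remarks>
public static void KillWordProcess()
{
    foreach (System.Diagnostics.Process process in System.Diagnostics.Process.GetProcesses())
    {
        // Each Process wraps OS handles; release them once we are done with it.
        using (process)
        {
            // Skip PID 0 (the idle pseudo-process).
            if (process.Id == 0)
            {
                continue;
            }

            try
            {
                System.Diagnostics.ProcessModuleCollection modules = process.Modules;
                if (modules == null || modules.Count == 0)
                {
                    continue;
                }

                // Ordinal comparison: a culture-sensitive ToLower() maps 'I' to a dotless
                // i under Turkish casing rules and would then never match "winword.exe".
                if (string.Equals(modules[0].ModuleName, "winword.exe", System.StringComparison.OrdinalIgnoreCase))
                {
                    process.Kill();
                }
            }
            catch (System.ComponentModel.Win32Exception)
            {
                // Best effort: access denied, or the module list cannot be read.
            }
            catch (System.InvalidOperationException)
            {
                // Best effort: the process exited while it was being inspected.
            }
            catch (System.NotSupportedException)
            {
                // Best effort: the operation is not supported for this process.
            }
        }
    }
}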
/// <summary>
/// Installs a low-level keyboard or mouse hook that calls <paramref name="proc"/>.
/// </summary>
/// <remarks>
/// Low-level hooks receive the input of every application on the desktop, typed
/// secrets included, so the callback should handle events without retaining them.
/// The delegate behind <paramref name="proc"/> must stay referenced for as long as
/// the hook is installed, and the returned handle should be released with
/// UnhookWindowsHookEx when the hook is no longer needed.
/// </remarks>
/// <param name="proc">Callback invoked for each input event.</param>
/// <param name="Keyboard"><c>true</c> for WH_KEYBOARD_LL, <c>false</c> for WH_MOUSE_LL.</param>
/// <returns>The value returned by SetWindowsHookEx.</returns>
private static IntPtr SetHook(LowLevelProc proc, bool Keyboard)
{
    var hookKind = Keyboard ? WH_KEYBOARD_LL : WH_MOUSE_LL;

    using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
    {
        // The hook is registered against this process's own main module; the final 0
        // is the thread id, i.e. the hook is not bound to a single thread.
        var moduleHandle = GetModuleHandle(mainModule.ModuleName);
        return SetWindowsHookEx(hookKind, proc, moduleHandle, 0);
    }
}
/// <summary>
/// Installs a low-level mouse hook (WH_MOUSE_LL) that calls <paramref name="proc"/>.
/// </summary>
/// <remarks>
/// The hook observes mouse input for the whole desktop. Keep the delegate behind
/// <paramref name="proc"/> referenced while the hook is installed and release the
/// returned handle with UnhookWindowsHookEx afterwards.
/// </remarks>
/// <param name="proc">Callback invoked for each mouse event.</param>
/// <returns>The value returned by SetWindowsHookEx.</returns>
private static IntPtr SetHookMouse(LowLevelMouseProc proc)
{
    using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
    {
        // Registered against this process's main module; thread id 0 = not thread-bound.
        var moduleHandle = GetModuleHandle(mainModule.ModuleName);
        return SetWindowsHookEx(WH_MOUSE_LL, proc, moduleHandle, 0);
    }
}
/// <summary>
/// Creates the listener and immediately installs a low-level mouse hook
/// (WH_MOUSE_LL) that dispatches to <c>MouseEvents</c>.
/// </summary>
/// <remarks>
/// The callback is stored in the <c>callBack</c> field, which keeps the delegate
/// referenced while the hook exists. The hook handle is stored in <c>_hook</c>
/// without being checked, so a failed installation is not reported here.
/// </remarks>
public LMouseDownListener()
{
    callBack += MouseEvents;

    using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
    {
        // Registered against this process's main module; thread id 0 = not thread-bound.
        IntPtr moduleHandle = Native.GetModuleHandle(mainModule.ModuleName);
        int hookKind = (int)Native.HookType.WH_MOUSE_LL;
        _hook = Native.SetWindowsHookEx(hookKind, callBack, moduleHandle, 0);
    }
}
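/// <summary>
/// Finds the module of the current process whose image contains the address in
/// <c>MethodPointers[0]</c> and stores it in <c>m_ModuleHandle</c>; stores
/// <c>null</c> when no loaded module contains that address.
/// </summary>
/// <remarks>
/// Despite the field name, the stored value is the <c>ProcessModule</c> object.
/// A <c>null</c> result means the pointer does not fall inside any loaded module
/// image, which callers may want to treat as a distinct case.
/// </remarks>
internal void DetermineModuleHandle()
{
    long target = MethodPointers[0].ToInt64();
    System.Diagnostics.Process pr = System.Diagnostics.Process.GetCurrentProcess();

    foreach (System.Diagnostics.ProcessModule pm in pr.Modules)
    {
        long imageStart = pm.BaseAddress.ToInt64();
        long imageEnd = imageStart + pm.ModuleMemorySize;

        // The image occupies [imageStart, imageEnd): the end address is one past the
        // last byte and can be the first byte of an adjacent mapping, so it is excluded.
        if (target >= imageStart && target < imageEnd)
        {
            m_ModuleHandle = pm;
            return;
        }
    }

    m_ModuleHandle = null;
}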
/// <summary>
/// Installs a Windows hook of type <paramref name="hookID"/> that calls
/// <paramref name="proc"/>, registered against this process's main module.
/// </summary>
/// <remarks>
/// Keep the delegate behind <paramref name="proc"/> referenced while the hook is
/// installed, and release the returned handle with UnhookWindowsHookEx afterwards.
/// </remarks>
/// <param name="proc">Hook callback.</param>
/// <param name="hookID">Hook type constant passed to SetWindowsHookEx.</param>
/// <returns>The value returned by SetWindowsHookEx.</returns>
private IntPtr SetHook(HOOKProc proc, int hookID)
{
    using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
    {
        // Thread id 0: the hook is not bound to a particular thread.
        var moduleHandle = GetModuleHandle(mainModule.ModuleName);
        return SetWindowsHookEx(hookID, proc, moduleHandle, 0);
    }
}
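/// <summary>
/// Installs a low-level keyboard hook that dispatches to <c>HookFunc</c> and
/// remembers <paramref name="_kh"/> as the handler.
/// </summary>
/// <remarks>
/// A low-level keyboard hook receives every keystroke typed on the desktop,
/// including input meant for other applications. The callback delegate is stored in
/// the static field <c>hd</c>, which keeps it referenced while the hook exists. The
/// result of SetWindowsHookEx is stored in <c>hhk</c> without being checked; when
/// diagnosing a failure, <c>Marshal.GetLastWin32Error()</c> gives the error code.
/// </remarks>
/// <param name="_kh">Handler stored in the static field <c>kh</c>.</param>
public static void CreateHook(KeyHandler _kh)
{
    // 13 is WH_KEYBOARD_LL, the low-level keyboard hook type.
    const int LowLevelKeyboardHook = 13;

    // Process and ProcessModule wrap OS resources; dispose both once the hook is set.
    using (System.Diagnostics.Process _this = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule mod = _this.MainModule)
    {
        hd = HookFunc;
        kh = _kh;
        hhk = API.SetWindowsHookEx(LowLevelKeyboardHook, hd, API.GetModuleHandle(mod.ModuleName), 0);
    }
}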
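/// <summary>
/// Installs the low-level keyboard hook if it is not installed yet.
/// </summary>
/// <remarks>
/// The hook (WH_KEYBOARD_LL) receives every keystroke typed on the desktop, so the
/// callback should process events without retaining their content. When
/// installation fails, <c>Stop()</c> is called and an exception is thrown.
/// </remarks>
/// <exception cref="Exception">SetWindowsHookEx returned 0.</exception>
public void Start()
{
    Console.WriteLine("开始安装钩子");

    // Already installed: nothing to do.
    if (hKeyboardHook != 0)
    {
        return;
    }

    // Keep the delegate in a field so it stays referenced while the hook exists.
    KeyboardHookProcedure = new HookProc(KeyboardHookProc);

    // Process and ProcessModule wrap OS resources; dispose both once the hook is set.
    using (System.Diagnostics.Process curProcess = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule curModule = curProcess.MainModule)
    {
        hKeyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardHookProcedure, GetModuleHandle(curModule.ModuleName), 0);
    }

    if (hKeyboardHook == 0)
    {
        Stop();
        throw new Exception("安装键盘钩子");
    }
}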
/// <summary>
/// Installs the low-level mouse hook (WH_MOUSE_LL) if it is not installed yet.
/// </summary>
/// <remarks>
/// When installation fails, <c>Stop()</c> is called and an exception is thrown.
/// </remarks>
/// <exception cref="Exception">SetWindowsHookEx returned 0.</exception>
public void Start()
{
    // Already installed: nothing to do.
    if (hMouseHook != 0)
    {
        return;
    }

    // Create the HookProc instance and keep it in a field so it stays referenced.
    MouseHookProcedure = new HookProc(MouseHookProc);

    using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
    {
        var moduleHandle = GetModuleHandle(mainModule.ModuleName);
        hMouseHook = SetWindowsHookEx(WH_MOUSE_LL, MouseHookProcedure, moduleHandle, 0);
    }

    // Installation failed: clean up and report it.
    if (hMouseHook == 0)
    {
        Stop();
        throw new Exception("SetWindowsHookEx failed.");
    }
}
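/// <summary>
/// Replacement for WriteFile: records the data written by the module
/// <c>XDE.exe</c> into the callback's queue, then forwards the write to the real API.
/// </summary>
/// <remarks>
/// Every write made through the hooked API passes through this method, so the
/// caller's buffer is always copied before forwarding; only writes issued from
/// <c>XDE.exe</c> are captured. Captured data is queued as text with one character
/// per byte, and whatever the monitored module writes (secrets included) ends up in
/// that queue.
/// </remarks>
/// <param name="hFile">File handle passed by the caller.</param>
/// <param name="lpBuffer">Unmanaged buffer holding the data to write.</param>
/// <param name="nNumberOfBytesToWrite">Number of bytes in <paramref name="lpBuffer"/>.</param>
/// <param name="lpNumberOfBytesWritten">Receives the count reported by the real API.</param>
/// <param name="lpOverlapped">Overlapped structure pointer passed by the caller.</param>
/// <returns>The result of the real WriteFile call.</returns>
static bool WriteFile_Hooked(
    IntPtr hFile,
    IntPtr lpBuffer, //changed
    uint nNumberOfBytesToWrite,
    out uint lpNumberOfBytesWritten,
    [In] IntPtr lpOverlapped)
{
    // Copy the caller's data unconditionally. The forwarded write below uses this
    // array, so leaving it zero-filled for other modules (or after an exception in
    // the capture path) would replace their data with zeros.
    byte[] bytes = new byte[nNumberOfBytesToWrite];
    if (lpBuffer != IntPtr.Zero && bytes.Length > 0)
    {
        Marshal.Copy(lpBuffer, bytes, 0, bytes.Length);
    }

    try
    {
        Main This = (Main)HookRuntimeInfo.Callback;
        System.Diagnostics.ProcessModule module = HookRuntimeInfo.CallingUnmanagedModule;

        if (module.ModuleName == "XDE.exe")
        {
            // One char per byte, same mapping as a (char) cast on each byte.
            char[] chars = new char[bytes.Length];
            for (int i = 0; i < bytes.Length; i++)
            {
                chars[i] = (char)bytes[i];
            }

            string output = new string(chars);
            lock (This.Queue)
            {
                This.Queue.Push(output);
            }
        }
    }
    catch
    {
        // Capturing is best effort: a failure here must never break the caller's write.
    }

    // call original API...
    return(WriteFile(hFile, bytes, nNumberOfBytesToWrite, out lpNumberOfBytesWritten, lpOverlapped));
}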
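/// <summary>
/// Scans the main module of the target process for the pattern and yields the
/// address of every match.
/// </summary>
/// <remarks>
/// The module is read in chunks of at most <c>p_cacheSize</c> bytes. Consecutive
/// chunks overlap so that a match spanning a chunk boundary is still seen.
/// NOTE(review): both loops stop one position short (<c>&lt;</c> rather than
/// <c>&lt;=</c>), so a match that ends exactly at the end of the module is not
/// reported. Fixing that also needs a stride of one more byte to avoid duplicate
/// results, and depends on how <c>DataCompare</c> bounds its reads - confirm.
/// </remarks>
/// <param name="bm">Instance of <see cref="IMemoryManager"/> to use for search</param>
/// <returns>Enumerable of <see cref="IntPtr"/> with found addresses</returns>
/// <exception cref="InvalidOperationException">
/// The cache size is not larger than the pattern, so the scan cannot advance.
/// </exception>
private IEnumerable<IntPtr> FindMaskAddress(IMemoryManager bm)
{
    System.Diagnostics.ProcessModule mainModule = bm.Process.MainModule;
    IntPtr mainModuleBaseAddress = mainModule.BaseAddress;
    long mainModuleSize = mainModule.ModuleMemorySize;
    long patternLength = p_bytes.LongLength;

    // Module not larger than the pattern: there is nothing to scan.
    if (mainModuleSize - patternLength <= 0)
    {
        yield break;
    }

    // A stride of zero or less would repeat the same chunk forever (or walk backwards
    // out of the module), so reject that configuration instead of hanging.
    long stride = p_cacheSize - patternLength;
    if (stride <= 0)
    {
        throw new InvalidOperationException("Cache size must be larger than the pattern length.");
    }

    for (long offset = 0; offset < mainModuleSize - patternLength; offset += stride)
    {
        // Clamp the last chunk to what is left of the module image.
        long remaining = mainModuleSize - offset;
        byte[] cacheBytes = bm.ReadBytes(mainModuleBaseAddress + (int)offset, (int)(p_cacheSize > remaining ? remaining : p_cacheSize));

        for (uint offsetInCacheBytes = 0; offsetInCacheBytes < cacheBytes.Length - patternLength; offsetInCacheBytes++)
        {
            if (DataCompare(cacheBytes, offsetInCacheBytes))
            {
                yield return(mainModuleBaseAddress + (int)(offset + offsetInCacheBytes));
            }
        }
    }
}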
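/// <summary>
/// Overwrites the bytes at a fixed offset inside the process's main module image
/// with the contents of <c>_jump</c>.
/// </summary>
/// <remarks>
/// The offset is hard-coded, so it presumably matches one specific build of the
/// executable (TODO confirm). NOTE(review): the bytes being replaced are not
/// verified first; checking them against the expected original bytes would keep a
/// different build from being patched at the wrong place. The module is written
/// through a raw pointer in the caller's own address space, so this presumably only
/// works when <paramref name="process"/> is the current process.
/// </remarks>
/// <param name="process">Process whose main module is patched.</param>
/// <returns>
/// <c>true</c> when the bytes were written; <c>false</c> when the patch would fall
/// outside the module image or the page protection could not be changed.
/// </returns>
public static unsafe bool ModifyEP(System.Diagnostics.Process process)
{
    const int patchOffset = 0x0093b2ed;

    System.Diagnostics.ProcessModule module = process.MainModule;

    // Refuse to patch an image that is too small to contain the target range, rather
    // than changing its protection and then failing inside the stream write.
    if ((long)patchOffset + _jump.Length > module.ModuleMemorySize)
    {
        _tracer.TraceException("Patch offset is outside the module image.");
        return(false);
    }

    int oldProtection = 0;

    // 0x40 is PAGE_EXECUTE_READWRITE, applied to the whole module image.
    if (!Kernel32.VirtualProtect(module.BaseAddress, module.ModuleMemorySize, 0x40, ref oldProtection))
    {
        _tracer.TraceException(new Win32Exception(Marshal.GetLastWin32Error()).Message);
        return(false);
    }

    // NOTE(review): oldProtection is never restored, so the entire image stays
    // writable and executable afterwards.
    byte *pCurrentModule = (byte *)module.BaseAddress.ToPointer();
    using (Stream stream = new UnmanagedMemoryStream(pCurrentModule, module.ModuleMemorySize, module.ModuleMemorySize, FileAccess.ReadWrite))
    {
        stream.Position = patchOffset;
        stream.Write(_jump, 0, _jump.Length);
    }

    return(true);
}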
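/// <summary>
/// Installs the low-level keyboard hook (WH_KEYBOARD_LL) if it is not installed yet.
/// </summary>
/// <remarks>
/// The hook receives every keystroke typed on the desktop, so the callback should
/// process events without retaining their content. On failure the Win32 error code
/// is shown in a message box, <c>Stop(false)</c> is called and the error is thrown.
/// </remarks>
/// <exception cref="Win32Exception">SetWindowsHookEx returned 0.</exception>
public void Start()
{
    // Install the hook only if it is not already installed.
    if (hKeyboardHook != 0)
    {
        return;
    }

    // Keep the delegate in a field so it stays referenced while the hook exists.
    KeyboardHookProcedure = new HookProc(KeyboardHookProc);

    // A trap for young players: taking the module handle from the executing
    // assembly works in .NET 2 but not in .NET 4, so both values are logged and
    // the handle of the process's main module is the one actually used.
    System.Diagnostics.Debug.WriteLine(
        System.Reflection.Assembly.GetExecutingAssembly().GetModules()[0].FullyQualifiedName
        );
    System.Diagnostics.Debug.WriteLine("assembly hProc:: " +
        Marshal.GetHINSTANCE(
            System.Reflection.Assembly.GetExecutingAssembly().GetModules()[0]
            )
        );

    int errorCode = 0;
    using (System.Diagnostics.Process process = System.Diagnostics.Process.GetCurrentProcess())
    using (System.Diagnostics.ProcessModule module = process.MainModule)
    {
        IntPtr hModule = GetModuleHandle(module.ModuleName);
        System.Diagnostics.Debug.WriteLine("hModule from interop::" + hModule);

        hKeyboardHook = SetWindowsHookEx(
            WH_KEYBOARD_LL,
            KeyboardHookProcedure,
            hModule,
            0
            );

        // Read the last-error value right after the failing call, before the
        // disposals below make further native calls.
        if (hKeyboardHook == 0)
        {
            errorCode = Marshal.GetLastWin32Error();
        }
    }

    if (hKeyboardHook == 0)
    {
        System.Windows.MessageBox.Show(
            errorCode.ToString(),
            "error hooking keyboard"
            );
        Stop(false);
        throw new Win32Exception(errorCode);
    }
}//end start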
/// <summary>
/// Placeholder implementation: ignores <paramref name="module"/> and always
/// returns 0, the default value of <see cref="int"/>.
/// </summary>
/// <param name="module">Unused.</param>
/// <returns>Always 0.</returns>
public int IndexOf(System.Diagnostics.ProcessModule module)
{
    return 0;
}
/// <summary>
/// Placeholder implementation: ignores <paramref name="module"/> and always
/// returns <c>false</c>, the default value of <see cref="bool"/>.
/// </summary>
/// <param name="module">Unused.</param>
/// <returns>Always <c>false</c>.</returns>
public bool Contains(System.Diagnostics.ProcessModule module)
{
    return false;
}
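/// <summary>
/// Finds the module of the current process whose image contains the address in
/// <c>MethodPointers[0]</c> and stores it in <c>m_ModuleHandle</c>; stores
/// <c>null</c> when no loaded module contains that address.
/// </summary>
/// <remarks>
/// Despite the field name, the stored value is the <c>ProcessModule</c> object.
/// A <c>null</c> result means the pointer does not fall inside any loaded module
/// image, which callers may want to treat as a distinct case.
/// </remarks>
internal void DetermineModuleHandle()
{
    long target = MethodPointers[0].ToInt64();
    System.Diagnostics.Process pr = System.Diagnostics.Process.GetCurrentProcess();

    foreach (System.Diagnostics.ProcessModule pm in pr.Modules)
    {
        long imageStart = pm.BaseAddress.ToInt64();
        long imageEnd = imageStart + pm.ModuleMemorySize;

        // The image occupies [imageStart, imageEnd): the end address is one past the
        // last byte and can be the first byte of an adjacent mapping, so it is excluded.
        if (target >= imageStart && target < imageEnd)
        {
            m_ModuleHandle = pm;
            return;
        }
    }

    m_ModuleHandle = null;
}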
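/// <summary>
/// Returns the directory that contains the current process's main module
/// (its executable file).
/// </summary>
/// <returns>
/// The directory path, or <c>null</c> when the main module or its file name is not
/// available.
/// </returns>
private static string GetBasePath()
{
    // The Process object wraps OS handles; release it as soon as the path is read.
    using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
    {
        System.Diagnostics.ProcessModule mainModule = self.MainModule;
        return Path.GetDirectoryName(mainModule?.FileName);
    }
}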
/// <summary>
/// Placeholder with no implementation: every call throws.
/// </summary>
/// <param name="module">Unused.</param>
/// <exception cref="System.NullReferenceException">Always, as the result of <c>throw null</c>.</exception>
public bool Contains(System.Diagnostics.ProcessModule module) => throw null;
/// <summary>
/// Placeholder with no implementation: every call throws.
/// </summary>
/// <param name="module">Unused.</param>
/// <exception cref="System.NullReferenceException">Always, as the result of <c>throw null</c>.</exception>
public int IndexOf(System.Diagnostics.ProcessModule module) => throw null;
/// <summary>
/// Wraps a <see cref="System.Diagnostics.ProcessModule"/> together with the
/// <c>BinaryAccess</c> instance it belongs to.
/// </summary>
/// <param name="o">Module to wrap; stored in <c>ProcessModule</c>.</param>
/// <param name="parent">
/// Owning accessor; stored in <c>Parent</c>, and its <c>Process</c> is copied to
/// <c>Process</c>. Must not be null, since <c>parent.Process</c> is read here.
/// </param>
public Module(System.Diagnostics.ProcessModule o, BinaryAccess parent)
{
    this.Parent = parent;
    this.ProcessModule = o;

    // Cache the owning process so it can be reached without going through Parent.
    this.Process = parent.Process;
}