コード例 #1
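 /// <summary>
 /// Terminates every running process whose first loaded module (normally the
 /// main executable) has a file name equal to <paramref name="processName"/>.
 /// Only the bare file name is compared; the image path is not checked, so any
 /// executable that carries this name is terminated.
 /// </summary>
 /// <param name="processName">
 /// Executable file name including the extension. Compared case-insensitively.
 /// A null or empty value matches nothing.
 /// </param>
 /// <remarks>
 /// Best effort: a process that cannot be inspected or terminated (for example
 /// access denied, or it has already exited) is skipped without raising an error.
 /// </remarks>
 public static void killAllProcess(string processName)
 {
     if (string.IsNullOrEmpty(processName))
     {
         return;
     }

     foreach (System.Diagnostics.Process p in System.Diagnostics.Process.GetProcesses())
     {
         try
         {
             // Process id 0 is skipped, as in the original filter.
             if (p.Id == 0)
             {
                 continue;
             }

             System.Diagnostics.ProcessModuleCollection modules = p.Modules;
             if (modules == null || modules.Count == 0)
             {
                 continue;
             }

             // Ordinal, case-insensitive comparison: the caller's casing no longer matters and
             // the result does not depend on the current culture (ToLower() maps 'I' to a
             // dotless 'i' under Turkish cultures, which breaks names such as WINWORD.EXE).
             if (string.Equals(modules[0].ModuleName, processName, System.StringComparison.OrdinalIgnoreCase))
             {
                 p.Kill();
             }
         }
         catch (System.ComponentModel.Win32Exception)
         {
             // Access denied or the module list could not be read; skip this process.
         }
         catch (System.InvalidOperationException)
         {
             // The process exited while it was being inspected.
         }
         catch (System.NotSupportedException)
         {
             // Module enumeration or Kill is not available for this process.
         }
         finally
         {
             // Each Process object owns an OS handle; release it deterministically.
             p.Dispose();
         }
     }
 }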
コード例 #2
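        // Closes Microsoft Word by terminating every running process whose first
        // loaded module is named winword.exe (matched on file name only, not on path).
        // Process.Kill() ends the process immediately, so unsaved documents are lost.
        // Any error raised while inspecting or killing a process is shown in a message box.
        public void killAllProcess()
        {
            foreach (System.Diagnostics.Process p in System.Diagnostics.Process.GetProcesses())
            {
                try
                {
                    // Process id 0 is skipped, as in the original filter.
                    if (p.Id == 0)
                    {
                        continue;
                    }

                    System.Diagnostics.ProcessModuleCollection modules = p.Modules;
                    if (modules == null || modules.Count == 0)
                    {
                        continue;
                    }

                    // Ordinal comparison keeps the match independent of the current culture;
                    // ToLower() turns the 'I' of WINWORD.EXE into a dotless 'i' under Turkish
                    // cultures and the process would then never be matched.
                    if (string.Equals(modules[0].ModuleName, "winword.exe", System.StringComparison.OrdinalIgnoreCase))
                    {
                        p.Kill();
                    }
                }
                catch (System.Exception ex)
                {
                    MessageBox.Show(ex.Message);
                }
                finally
                {
                    // Each Process object owns an OS handle; release it deterministically.
                    p.Dispose();
                }
            }
        }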
コード例 #3
ファイル: CncOnline.cs プロジェクト: Qibbi/Nanoswarm-Hive
        private static readonly string _updateServer = "http.server.cnc-online.net"; // TODO: make this a setting

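        /// <summary>
        /// Overwrites the EA public key embedded in the main module image with the
        /// CnC Online public key, directly in memory.
        /// </summary>
        /// <param name="process">
        /// Process whose main module is patched. The module is accessed through a raw
        /// pointer, so this presumably has to be the current process — TODO confirm.
        /// </param>
        /// <returns>
        /// true when the EA key was found and overwritten; false when the page protection
        /// could not be changed, the module could not be read, or the EA key was not found
        /// (including the case where the CnC Online key is already in place).
        /// </returns>
        public static unsafe bool ModifyPublicKey(System.Diagnostics.Process process)
        {
            System.Diagnostics.ProcessModule module = process.MainModule;
            if (module == null)
            {
                _tracer.TraceException("Error reading module.");
                return(false);
            }
            int oldProtection = 0;

            // 0x40 is PAGE_EXECUTE_READWRITE.
            // NOTE(review): the whole image becomes writable and executable and nothing below
            // restores the previous protection, so the module stays RWX for the rest of the
            // process lifetime. oldProtection reports a single value for a range whose sections
            // differ, so it cannot simply be written back over the whole range; limiting the
            // change to the pages that hold the key would keep the rest of the image read-only.
            if (!Kernel32.VirtualProtect(module.BaseAddress, module.ModuleMemorySize, 0x40, ref oldProtection))
            {
                _tracer.TraceException(new Win32Exception(Marshal.GetLastWin32Error()).Message);
                return(false);
            }
            byte *pCurrentModule = (byte *)module.BaseAddress.ToPointer();

            using (Stream stream = new UnmanagedMemoryStream(pCurrentModule, module.ModuleMemorySize, module.ModuleMemorySize, FileAccess.ReadWrite))
            {
                byte[] buffer = new byte[stream.Length];
                if (stream.Read(buffer, 0, buffer.Length) != buffer.Length)
                {
                    _tracer.TraceException("Error reading module.");
                    return(false);
                }

                int index = buffer.IndexOf(_eaPublicKey);
                if (index < 0)
                {
                    // Tell "already patched" apart from "key not present at all"; previously both
                    // messages were logged regardless of what the second search returned.
                    if (buffer.IndexOf(_cncOnlinePublicKey) >= 0)
                    {
                        _tracer.TraceInfo("CnC Online Public Key already set.");
                    }
                    else
                    {
                        _tracer.TraceException("Error finding public key.");
                    }
                    return(false);
                }
                _tracer.TraceInfo($"Public key found at 0x{index:X08}.");

                // assumes the replacement key is no longer than the key it overwrites;
                // otherwise the bytes following the key are overwritten as well — TODO confirm
                stream.Position = index;
                stream.Write(_cncOnlinePublicKey, 0, _cncOnlinePublicKey.Length);
            }
            return(true);
        }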
コード例 #4
        /// <summary>
        /// Searches the address range around <paramref name="processModule"/> for a free
        /// region of at least <paramref name="size"/> bytes and commits it with
        /// read/write/execute protection. Based on https://stackoverflow.com/a/54732489
        /// </summary>
        /// <param name="processModule">Module whose base address anchors the search window.</param>
        /// <param name="size">Number of bytes to allocate.</param>
        /// <returns>
        /// The address returned by <c>Memory.VirtualAlloc</c>, or <see cref="System.IntPtr.Zero"/>
        /// when a region query fails or no suitable free region is found.
        /// </returns>
        static public System.IntPtr Allocate(System.Diagnostics.ProcessModule processModule, System.Int32 size)
        {
            // AllocationGranularity from the system info is used to align candidate addresses.
            Memory.GetSystemInfo(out var systemInfo);

            // Search window: from (base - 2^31 + module size) up to (base + Int32.MaxValue), each
            // rounded to the allocation granularity; presumably this keeps the allocation within
            // 32-bit relative reach of the module — TODO confirm.
            // NOTE(review): "ModuleMemorySize - Int32.MinValue" is int arithmetic and wraps to a
            // negative value unless the build uses checked arithmetic, so the first condition looks
            // like it is always true; for a module based below 2 GB the computed minimum would then
            // be a negative address — confirm the intended bound.
            var minimum = processModule.BaseAddress.ToInt64() > processModule.ModuleMemorySize - System.Int32.MinValue ? Math.Ceiling(processModule.BaseAddress + System.Int32.MinValue + processModule.ModuleMemorySize, systemInfo.AllocationGranularity) : System.IntPtr.Zero;
            var maximum = processModule.BaseAddress.ToInt64() < (System.Int64.MaxValue - System.Int32.MaxValue) ? Math.Floor(processModule.BaseAddress + System.Int32.MaxValue, systemInfo.AllocationGranularity) : new System.IntPtr(System.Int64.MaxValue);

            // Walk the regions one by one, starting at the lower bound of the window.
            while (minimum.ToInt64() < maximum.ToInt64())
            {
                // A zero result from the query ends the search without an allocation.
                if (Memory.VirtualQuery(minimum, out var memoryBasicInformation, new System.IntPtr(System.Runtime.CompilerServices.Unsafe.SizeOf <MemoryBasicInformation>())) == System.IntPtr.Zero)
                {
                    return(System.IntPtr.Zero);
                }

                // Advance to the end of the region just queried; from here on "minimum" doubles as
                // the exclusive end address of that region.
                minimum = new System.IntPtr(memoryBasicInformation.BaseAddress.ToInt64() + memoryBasicInformation.RegionSize.ToInt64());

                if (memoryBasicInformation.State == MemoryBasicInformation.States.MemFree)
                {
                    // Round the region start up to the allocation granularity.
                    var baseAddress = Math.Ceiling(memoryBasicInformation.BaseAddress, systemInfo.AllocationGranularity);

                    // If rounding has not changed regions and the region is at least the specified size
                    if (baseAddress.ToInt64() < minimum.ToInt64() && (minimum.ToInt64() - baseAddress.ToInt64()) >= size)
                    {
                        // The pages are requested as PageExecuteReadWrite, i.e. writable and executable
                        // at the same time. NOTE(review): if the caller only writes the region once,
                        // lowering the protection to execute-read afterwards would avoid leaving
                        // writable executable memory in the process.
                        var allocation = Memory.VirtualAlloc(baseAddress, new System.IntPtr(size), AllocationTypes.MemCommit | AllocationTypes.MemReserve, MemoryProtectionConstants.PageExecuteReadWrite);

                        // A failed allocation is not fatal; the walk continues with the next region.
                        if (allocation != System.IntPtr.Zero)
                        {
                            return(allocation);
                        }
                    }
                }
            }

            return(System.IntPtr.Zero);
        }
コード例 #5
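 /// <summary>
 /// Closes Microsoft Word by terminating every running process whose first loaded
 /// module is named winword.exe. The match is on the file name only, not on the path.
 /// </summary>
 /// <remarks>
 /// Process.Kill() ends the process immediately, so unsaved documents are lost.
 /// Best effort: a process that cannot be inspected or terminated is skipped silently.
 /// </remarks>
 public static void KillWordProcess()
 {
     foreach (System.Diagnostics.Process process in System.Diagnostics.Process.GetProcesses())
     {
         try
         {
             // Process id 0 is skipped, as in the original filter.
             if (process.Id == 0)
             {
                 continue;
             }

             System.Diagnostics.ProcessModuleCollection modules = process.Modules;
             if (modules == null || modules.Count == 0)
             {
                 continue;
             }

             // Ordinal comparison keeps the match independent of the current culture;
             // ToLower() turns the 'I' of WINWORD.EXE into a dotless 'i' under Turkish
             // cultures and the process would then never be matched.
             if (string.Equals(modules[0].ModuleName, "winword.exe", System.StringComparison.OrdinalIgnoreCase))
             {
                 process.Kill();
             }
         }
         catch (System.ComponentModel.Win32Exception)
         {
             // Access denied or the module list could not be read; skip this process.
         }
         catch (System.InvalidOperationException)
         {
             // The process exited while it was being inspected.
         }
         catch (System.NotSupportedException)
         {
             // Module enumeration or Kill is not available for this process.
         }
         finally
         {
             // Each Process object owns an OS handle; release it deterministically.
             process.Dispose();
         }
     }
 }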
コード例 #6
 /// <summary>
 /// Installs a low-level keyboard or mouse hook that calls <paramref name="proc"/>.
 /// The thread id passed to SetWindowsHookEx is 0, so the hook is not bound to a
 /// single thread and the callback receives input events for the whole desktop.
 /// </summary>
 /// <param name="proc">Callback delegate; the caller must keep it referenced while the hook is installed.</param>
 /// <param name="Keyboard">true selects WH_KEYBOARD_LL, false selects WH_MOUSE_LL.</param>
 /// <returns>
 /// The value returned by SetWindowsHookEx, unchecked. The caller should test it for
 /// IntPtr.Zero and release a valid handle with UnhookWindowsHookEx.
 /// </returns>
 private static IntPtr SetHook(LowLevelProc proc, bool Keyboard)
 {
     var hookKind = Keyboard ? WH_KEYBOARD_LL : WH_MOUSE_LL;

     using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
     {
         using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
         {
             // The hook is registered against the handle of this process's main module.
             IntPtr moduleHandle = GetModuleHandle(mainModule.ModuleName);
             return SetWindowsHookEx(hookKind, proc, moduleHandle, 0);
         }
     }
 }
コード例 #7
 /// <summary>
 /// Installs a low-level mouse hook (WH_MOUSE_LL) that calls <paramref name="proc"/>.
 /// The thread id passed to SetWindowsHookEx is 0, so the hook is not bound to a single thread.
 /// </summary>
 /// <param name="proc">Callback delegate; the caller must keep it referenced while the hook is installed.</param>
 /// <returns>
 /// The value returned by SetWindowsHookEx, unchecked. The caller should test it for
 /// IntPtr.Zero and release a valid handle with UnhookWindowsHookEx.
 /// </returns>
 private static IntPtr SetHookMouse(LowLevelMouseProc proc)
 {
     using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
     {
         using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
         {
             // The hook is registered against the handle of this process's main module.
             IntPtr moduleHandle = GetModuleHandle(mainModule.ModuleName);
             return SetWindowsHookEx(WH_MOUSE_LL, proc, moduleHandle, 0);
         }
     }
 }
コード例 #8
 /// <summary>
 /// Subscribes <c>MouseEvents</c> to the callback and installs a low-level mouse hook
 /// (WH_MOUSE_LL) for it, storing the resulting handle in <c>_hook</c>.
 /// </summary>
 /// <remarks>
 /// The result of SetWindowsHookEx is stored without a failure check, and the thread id
 /// argument is 0, so the hook is not limited to one thread.
 /// </remarks>
 public LMouseDownListener()
 {
     // Keep the delegate in a field so it stays referenced while the native hook exists.
     this.callBack += MouseEvents;

     using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
     {
         using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
         {
             _hook = Native.SetWindowsHookEx(
                 (int)Native.HookType.WH_MOUSE_LL,
                 this.callBack,
                 Native.GetModuleHandle(mainModule.ModuleName),
                 0);
         }
     }
 }
コード例 #9
ファイル: COMClassInfo.cs プロジェクト: rhmoult/EasyHook
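 /// <summary>
 /// Finds the module of the current process whose address range contains
 /// <c>MethodPointers[0]</c> and stores it in <c>m_ModuleHandle</c>;
 /// stores null when no loaded module contains that address.
 /// </summary>
 internal void DetermineModuleHandle()
 {
     long target = MethodPointers[0].ToInt64();

     System.Diagnostics.Process pr = System.Diagnostics.Process.GetCurrentProcess();
     foreach (System.Diagnostics.ProcessModule pm in pr.Modules)
     {
         long start = pm.BaseAddress.ToInt64();

         // The module occupies [start, end): the address at start + size is the first byte
         // after the module, so the upper bound has to be exclusive.
         long end = start + pm.ModuleMemorySize;

         if (target >= start && target < end)
         {
             m_ModuleHandle = pm;
             return;
         }
     }
     m_ModuleHandle = null;
 }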
コード例 #10
        /// <summary>
        /// Installs a Windows hook of type <paramref name="hookID"/> that calls <paramref name="proc"/>.
        /// The thread id passed to SetWindowsHookEx is 0, so the hook is not bound to a single thread.
        /// </summary>
        /// <param name="proc">Callback delegate; the caller must keep it referenced while the hook is installed.</param>
        /// <param name="hookID">Hook type, passed to SetWindowsHookEx unchanged.</param>
        /// <returns>
        /// The value returned by SetWindowsHookEx, unchecked. The caller should test it for
        /// IntPtr.Zero and release a valid handle with UnhookWindowsHookEx.
        /// </returns>
        private IntPtr SetHook(HOOKProc proc, int hookID)
        {
            using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
            {
                using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
                {
                    // The hook is registered against the handle of this process's main module.
                    IntPtr moduleHandle = GetModuleHandle(mainModule.ModuleName);
                    return SetWindowsHookEx(hookID, proc, moduleHandle, 0);
                }
            }
        }
コード例 #11
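        /// <summary>
        /// Installs a low-level keyboard hook that calls <c>HookFunc</c> and remembers
        /// <paramref name="_kh"/> as the key handler.
        /// </summary>
        /// <param name="_kh">Handler stored in <c>kh</c>.</param>
        /// <remarks>
        /// The result of SetWindowsHookEx is stored in <c>hhk</c> without a failure check;
        /// Marshal.GetLastWin32Error() reports the reason when the hook could not be installed.
        /// The thread id argument is 0, so the hook is not limited to one thread.
        /// </remarks>
        public static void CreateHook(KeyHandler _kh)
        {
            // Hook type 13 is the low-level keyboard hook (WH_KEYBOARD_LL).
            const int WhKeyboardLl = 13;

            // Process and ProcessModule hold OS resources; dispose them once the module name has been used.
            using (System.Diagnostics.Process current = System.Diagnostics.Process.GetCurrentProcess())
            using (System.Diagnostics.ProcessModule mod = current.MainModule)
            {
                // The delegate is kept in a static field so it stays referenced while the hook exists.
                hd = HookFunc;
                kh = _kh;

                hhk = API.SetWindowsHookEx(WhKeyboardLl, hd, API.GetModuleHandle(mod.ModuleName), 0);
            }
        }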
コード例 #12
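 /// <summary>
 /// Installs the low-level keyboard hook (WH_KEYBOARD_LL) unless one is already installed.
 /// </summary>
 /// <exception cref="Exception">
 /// SetWindowsHookEx returned 0; <c>Stop()</c> is called before the exception is thrown.
 /// </exception>
 /// <remarks>
 /// The thread id argument is 0, so the hook is not limited to one thread.
 /// NOTE(review): the handle is compared with 0 as an integer; if the field is a 32-bit int,
 /// a handle returned in a 64-bit process may be truncated — confirm the field's type.
 /// </remarks>
 public void Start()
 {
     Console.WriteLine("开始安装钩子");

     // Install the keyboard hook only when none is active.
     if (hKeyboardHook == 0)
     {
         KeyboardHookProcedure = new HookProc(KeyboardHookProc);

         // Process and ProcessModule hold OS resources; dispose them once the module name has been used.
         using (System.Diagnostics.Process curProcess = System.Diagnostics.Process.GetCurrentProcess())
         using (System.Diagnostics.ProcessModule curModule = curProcess.MainModule)
         {
             hKeyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardHookProcedure, GetModuleHandle(curModule.ModuleName), 0);
         }

         if (hKeyboardHook == 0)
         {
             Stop();
             throw new Exception("安装键盘钩子");
         }
     }
 }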
コード例 #13
ファイル: MouseHook.cs プロジェクト: Dustray/VicoldLibrary
        /// <summary>
        /// Installs the low-level mouse hook (WH_MOUSE_LL) unless one is already installed.
        /// </summary>
        /// <exception cref="Exception">
        /// SetWindowsHookEx returned 0; <c>Stop()</c> is called before the exception is thrown.
        /// </exception>
        public void Start()
        {
            // A non-zero handle means the mouse hook is already installed.
            if (hMouseHook != 0)
            {
                return;
            }

            // Create the HookProc delegate and keep it in a field while the hook exists.
            MouseHookProcedure = new HookProc(MouseHookProc);

            using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
            {
                using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
                {
                    hMouseHook = SetWindowsHookEx(WH_MOUSE_LL, MouseHookProcedure, GetModuleHandle(mainModule.ModuleName), 0);
                }
            }

            if (hMouseHook != 0)
            {
                return;
            }

            // Installation failed: clean up, then report the failure.
            Stop();
            throw new Exception("SetWindowsHookEx failed.");
        }
コード例 #14
ファイル: Main.cs プロジェクト: perrenialprick/XAPSpy
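        /// <summary>
        /// Replacement for WriteFile: records what the module <c>XDE.exe</c> writes and then
        /// forwards the call to the original API.
        /// </summary>
        /// <param name="hFile">File handle, forwarded unchanged.</param>
        /// <param name="lpBuffer">Unmanaged buffer holding the data to write.</param>
        /// <param name="nNumberOfBytesToWrite">Number of bytes in <paramref name="lpBuffer"/>.</param>
        /// <param name="lpNumberOfBytesWritten">Set by the original WriteFile.</param>
        /// <param name="lpOverlapped">Overlapped pointer, forwarded unchanged.</param>
        /// <returns>The result of the original WriteFile call.</returns>
        /// <remarks>
        /// The caller's data is copied before anything else, so every caller's write is forwarded
        /// intact. Previously the managed copy was filled only for XDE.exe, and writes from any
        /// other module (or after an error in the logging path) were forwarded as zero bytes.
        /// Everything XDE.exe writes is pushed to the queue as text, which may include sensitive
        /// content; consumers of the queue should treat it accordingly.
        /// </remarks>
        static bool WriteFile_Hooked(
            IntPtr hFile,
            IntPtr lpBuffer, //changed
            uint nNumberOfBytesToWrite,
            out uint lpNumberOfBytesWritten,
            [In] IntPtr lpOverlapped)
        {
            byte[] bytes = new byte[nNumberOfBytesToWrite];

            // Copy unconditionally: this array is what gets passed on to the real WriteFile.
            if (lpBuffer != IntPtr.Zero && bytes.Length > 0)
            {
                Marshal.Copy(lpBuffer, bytes, 0, bytes.Length);
            }

            try
            {
                Main This = (Main)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    System.Diagnostics.ProcessModule module = HookRuntimeInfo.CallingUnmanagedModule;
                    if (module != null && module.ModuleName == "XDE.exe")
                    {
                        // Map each byte to the char with the same code, as before, but without
                        // building the string by repeated concatenation.
                        char[] chars = new char[bytes.Length];
                        for (int i = 0; i < bytes.Length; i++)
                        {
                            chars[i] = (char)bytes[i];
                        }

                        This.Queue.Push(new string(chars));
                    }
                }
            }
            catch
            {
                // Deliberately best effort: a failure while recording must never prevent the
                // hooked caller's write from being forwarded below.
            }

            // call original API...
            return(WriteFile(hFile, bytes, nNumberOfBytesToWrite, out lpNumberOfBytesWritten, lpOverlapped));
        }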
コード例 #15
ファイル: MemoryPattern.cs プロジェクト: casualshammy/FMemory
        /// <summary>
        ///     Scans the main module of the target process, chunk by chunk, for the pattern
        ///     and yields the address of every position where <c>DataCompare</c> reports a match.
        /// </summary>
        /// <param name="bm">Instance of <see cref="MemoryManager"/> to use for search</param>
        /// <returns>Enumerable of <see cref="IntPtr"/> with found addresses</returns>
        /// <remarks>
        ///     Consecutive chunks overlap by the pattern length so a match that straddles a chunk
        ///     border is still seen. NOTE(review): both loops use a strict "less than" bound, so a
        ///     pattern that ends exactly at the last byte of the module appears not to be tested,
        ///     and a cache size that does not exceed the pattern length would keep the outer loop
        ///     from advancing — confirm against the callers.
        /// </remarks>
        private IEnumerable <IntPtr> FindMaskAddress(IMemoryManager bm)
        {
            System.Diagnostics.ProcessModule image = bm.Process.MainModule;
            IntPtr imageBase = image.BaseAddress;
            long imageSize = image.ModuleMemorySize;
            long needleLength = p_bytes.LongLength;

            long chunkStart = 0;
            while (chunkStart < imageSize - needleLength)
            {
                // Read a full cache-sized chunk, or whatever is left of the module.
                long remaining = imageSize - chunkStart;
                int chunkLength;
                if (p_cacheSize > remaining)
                {
                    chunkLength = (int)remaining;
                }
                else
                {
                    chunkLength = (int)p_cacheSize;
                }

                byte[] chunk = bm.ReadBytes(imageBase + (int)chunkStart, chunkLength);
                long candidateLimit = chunk.Length - needleLength;

                for (uint position = 0; position < candidateLimit; position++)
                {
                    if (!DataCompare(chunk, position))
                    {
                        continue;
                    }

                    yield return imageBase + (int)(chunkStart + position);
                }

                // Step back by the pattern length so the next chunk overlaps this one.
                chunkStart += p_cacheSize - needleLength;
            }
        }
コード例 #16
ファイル: Steam.cs プロジェクト: Qibbi/Nanoswarm-Hive
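        /// <summary>
        /// Overwrites the bytes at a fixed offset (0x0093b2ed) inside the main module image
        /// with the contents of <c>_jump</c>.
        /// </summary>
        /// <param name="process">
        /// Process whose main module is patched. The module is accessed through a raw
        /// pointer, so this presumably has to be the current process — TODO confirm.
        /// </param>
        /// <returns>
        /// true when the bytes were written; false when the module is unavailable, the patch
        /// would fall outside the module, or the page protection could not be changed.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the offset is hard-coded and the bytes at the target are not compared
        /// with an expected value first, so a different build of the executable would be
        /// modified at an unrelated location — consider verifying the original bytes or the
        /// file version before writing.
        /// </remarks>
        public static unsafe bool ModifyEP(System.Diagnostics.Process process)
        {
            const int patchOffset = 0x0093b2ed;

            System.Diagnostics.ProcessModule module = process.MainModule;
            if (module == null)
            {
                _tracer.TraceException("Main module is not available.");
                return(false);
            }

            // Refuse to touch the image when the patch does not fit inside it, before any
            // page protection is changed.
            if ((long)patchOffset + _jump.Length > module.ModuleMemorySize)
            {
                _tracer.TraceException("Patch offset is outside the module.");
                return(false);
            }

            int oldProtection = 0;

            // 0x40 is PAGE_EXECUTE_READWRITE.
            // NOTE(review): the whole image becomes writable and executable and the previous
            // protection is never restored; limiting the change to the patched pages and putting
            // their protection back afterwards would keep the rest of the image read-only.
            if (!Kernel32.VirtualProtect(module.BaseAddress, module.ModuleMemorySize, 0x40, ref oldProtection))
            {
                _tracer.TraceException(new Win32Exception(Marshal.GetLastWin32Error()).Message);
                return(false);
            }
            byte *pCurrentModule = (byte *)module.BaseAddress.ToPointer();

            using (Stream stream = new UnmanagedMemoryStream(pCurrentModule, module.ModuleMemorySize, module.ModuleMemorySize, FileAccess.ReadWrite))
            {
                stream.Position = patchOffset;
                stream.Write(_jump, 0, _jump.Length);
            }
            return(true);
        }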
コード例 #17
ファイル: KeyHooks.cs プロジェクト: wanglh/keypad
        /// <summary>
        /// Installs the low-level keyboard hook (WH_KEYBOARD_LL) unless one is already installed.
        /// </summary>
        /// <exception cref="Win32Exception">
        /// SetWindowsHookEx returned 0. The Win32 error code is shown in a message box and
        /// <c>Stop(false)</c> is called before the exception is thrown.
        /// </exception>
        public void Start()
        {
            // A non-zero handle means the hook already exists; install it only once.
            if (hKeyboardHook != 0)
            {
                return;
            }

            KeyboardHookProcedure = new HookProc(KeyboardHookProc);

            // Debug-only output: the module path and the HINSTANCE obtained from the assembly.
            // The original author notes that this HINSTANCE works on .NET 2 but not on .NET 4,
            // which is why the handle used for the hook comes from GetModuleHandle instead.
            System.Diagnostics.Debug.WriteLine(
                System.Reflection.Assembly.GetExecutingAssembly().GetModules()[0].FullyQualifiedName);
            System.Diagnostics.Debug.WriteLine(
                "assembly hProc:: " +
                Marshal.GetHINSTANCE(System.Reflection.Assembly.GetExecutingAssembly().GetModules()[0]));

            using (System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess())
            {
                using (System.Diagnostics.ProcessModule mainModule = self.MainModule)
                {
                    IntPtr hModule = GetModuleHandle(mainModule.ModuleName);
                    System.Diagnostics.Debug.WriteLine("hModule from interop::" + hModule);

                    // Thread id 0: the hook is not bound to a single thread.
                    hKeyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardHookProcedure, hModule, 0);
                }
            }

            if (hKeyboardHook != 0)
            {
                return;
            }

            // Installation failed: show the error code, clean up, then throw.
            int errorCode = Marshal.GetLastWin32Error();
            System.Windows.MessageBox.Show(errorCode.ToString(), "error hooking keyboard");
            Stop(false);
            throw new Win32Exception(errorCode);
        }
コード例 #18
 /// <summary>
 /// Placeholder implementation: ignores <paramref name="module"/> and always returns 0.
 /// </summary>
 /// <param name="module">Not used.</param>
 /// <returns>Always 0, the default value of <see cref="int"/>.</returns>
 public int IndexOf(System.Diagnostics.ProcessModule module)
 {
     // No lookup is performed; this looks like a stub body — TODO confirm.
     return 0;
 }
コード例 #19
 /// <summary>
 /// Placeholder implementation: ignores <paramref name="module"/> and always returns false.
 /// </summary>
 /// <param name="module">Not used.</param>
 /// <returns>Always false, the default value of <see cref="bool"/>.</returns>
 public bool Contains(System.Diagnostics.ProcessModule module)
 {
     // No lookup is performed; this looks like a stub body — TODO confirm.
     return false;
 }
コード例 #20
ファイル: COMClassInfo.cs プロジェクト: bugcheck/EasyHook
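 /// <summary>
 /// Looks through the modules loaded in the current process for the one whose address
 /// range contains <c>MethodPointers[0]</c> and stores it in <c>m_ModuleHandle</c>.
 /// When no module contains the address, <c>m_ModuleHandle</c> is set to null.
 /// </summary>
 internal void DetermineModuleHandle()
 {
     long address = MethodPointers[0].ToInt64();

     System.Diagnostics.Process pr = System.Diagnostics.Process.GetCurrentProcess();
     foreach (System.Diagnostics.ProcessModule pm in pr.Modules)
     {
         long first = pm.BaseAddress.ToInt64();

         // Exclusive upper bound: first + size is already one byte past the module, so an
         // inclusive comparison would attribute that address to the wrong module.
         long pastEnd = first + pm.ModuleMemorySize;

         if (address >= first && address < pastEnd)
         {
             m_ModuleHandle = pm;
             return;
         }
     }
     m_ModuleHandle = null;
 }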
 /// <summary>
 /// Returns the directory that contains the main module (the executable file) of the
 /// current process.
 /// </summary>
 /// <returns>
 /// The result of <c>Path.GetDirectoryName</c> for the main module's file name; the file
 /// name passed in is null when the main module is not available.
 /// </returns>
 private static string GetBasePath()
 {
     System.Diagnostics.Process self = System.Diagnostics.Process.GetCurrentProcess();
     var executablePath = self.MainModule?.FileName;
     return Path.GetDirectoryName(executablePath);
 }
コード例 #22
 /// <summary>
 /// Placeholder implementation with no logic: every call throws.
 /// </summary>
 /// <param name="module">Not used.</param>
 /// <returns>Never returns.</returns>
 /// <exception cref="System.NullReferenceException">Always, because the body is <c>throw null</c>.</exception>
 public bool Contains(System.Diagnostics.ProcessModule module) => throw null;
コード例 #23
 /// <summary>
 /// Placeholder implementation with no logic: every call throws.
 /// </summary>
 /// <param name="module">Not used.</param>
 /// <returns>Never returns.</returns>
 /// <exception cref="System.NullReferenceException">Always, because the body is <c>throw null</c>.</exception>
 public int IndexOf(System.Diagnostics.ProcessModule module) => throw null;
コード例 #24
 /// <summary>
 /// Wraps a <see cref="System.Diagnostics.ProcessModule"/> and links it to the
 /// <c>BinaryAccess</c> instance it belongs to.
 /// </summary>
 /// <param name="o">Module to wrap; stored in <c>ProcessModule</c>.</param>
 /// <param name="parent">
 /// Owning accessor; stored in <c>Parent</c>, and its <c>Process</c> is copied to
 /// <c>Process</c>. Must not be null, since <c>parent.Process</c> is read here.
 /// </param>
 public Module(System.Diagnostics.ProcessModule o, BinaryAccess parent)
 {
     this.Parent = parent;
     this.ProcessModule = o;

     // Taken from the parent rather than passed in separately.
     this.Process = parent.Process;
 }