C# (CSharp) SharpBlock WinAPI.WriteProcessMemoryの例

コード例 #1

ファイル: Program.cs プロジェクト: hoclamgiauus/SharpBlock

        static IntPtr WriteProgramArgs(IntPtr hProcess, string args)
        {
            //We need room for ANSI and Unicode representation of args
            IntPtr regionSize       = new IntPtr(args.Length * 2 + 2 + args.Length + 1);
            IntPtr remoteArgAddress = IntPtr.Zero;

            byte[] argBytesUnicode = Encoding.Unicode.GetBytes(args);
            byte[] argBytesANSI    = Encoding.ASCII.GetBytes(args);
            IntPtr bytesWritten;

            remoteArgAddress = Execute.DynamicInvoke.Native.NtAllocateVirtualMemory(hProcess, ref remoteArgAddress, IntPtr.Zero, ref regionSize, 0x00001000, (int)4);

            WinAPI.WriteProcessMemory(hProcess, remoteArgAddress, argBytesUnicode, argBytesUnicode.Length, out bytesWritten);
            WinAPI.WriteProcessMemory(hProcess, new IntPtr(remoteArgAddress.ToInt64() + argBytesUnicode.Length + 2), argBytesANSI, argBytesANSI.Length, out bytesWritten);

            return(remoteArgAddress);
        }

コード例 #2

ファイル: Program.cs プロジェクト: woxihuannisja/SharpBlock

        static bool WriteProcessMemory(IntPtr hProcess, IntPtr baseAddress, byte[] data, int size, out uint bytesWritten)
        {
            if (IntPtr.Size == 8)
            {
                IntPtr regionSize     = (IntPtr)size;
                IntPtr protectionBase = baseAddress;
                uint   oldProtect     = 0;
                bytesWritten = 0;
                GCHandle pinnedArray = GCHandle.Alloc(data, GCHandleType.Pinned);
                IntPtr   intptrData  = pinnedArray.AddrOfPinnedObject();

                uint result = NtProtectVirtualMemorySysCall(hProcess, ref protectionBase, ref regionSize, 0x40 /*RWX*/, ref oldProtect);

                if (result != 0)
                {
                    throw new System.ComponentModel.Win32Exception((int)result);
                }

                result = NtWriteVirtualMemorySysCall(hProcess, baseAddress, intptrData, (uint)size, ref bytesWritten);

                if (result != 0)
                {
                    throw new System.ComponentModel.Win32Exception((int)result);
                }

                result = NtProtectVirtualMemorySysCall(hProcess, ref protectionBase, ref regionSize, oldProtect, ref oldProtect);

                if (result != 0)
                {
                    throw new System.ComponentModel.Win32Exception((int)result);
                }

                return(result == 0);
            }
            else
            {
                IntPtr bytesWrittenPtr;
                bool   result = WinAPI.WriteProcessMemory(hProcess, baseAddress, data, size, out bytesWrittenPtr);
                bytesWritten = (uint)bytesWrittenPtr;
                return(result);
            }
        }

コード例 #3

        static string PatchEntryPointIfNeeded(IntPtr moduleHandle, IntPtr imageBase, IntPtr hProcess)
        {
            long          fileSize;
            StringBuilder dllPath = new StringBuilder(1024);

            if (!WinAPI.GetFileSizeEx(moduleHandle, out fileSize) || fileSize == 0)
            {
                return(null);
            }

            IntPtr handle = WinAPI.CreateFileMapping(moduleHandle, IntPtr.Zero,
                                                     WinAPI.FileMapProtection.PageReadonly | WinAPI.FileMapProtection.SectionImage, 0, 0, null);

            if (handle == IntPtr.Zero)
            {
                return(null);
            }

            IntPtr mem = WinAPI.MapViewOfFile(handle, WinAPI.FileMapAccess.FileMapRead, 0, 0, UIntPtr.Zero);

            if (mem == IntPtr.Zero)
            {
                return(null);
            }

            if (WinAPI.GetFinalPathNameByHandle(moduleHandle, dllPath, (uint)dllPath.Capacity, 0) == 0)
            {
                return(null);
            }

            dllPath = dllPath.Replace("\\\\?\\", "");

            PE.IMAGE_DOS_HEADER  dosHeader  = (PE.IMAGE_DOS_HEADER)Marshal.PtrToStructure(mem, typeof(PE.IMAGE_DOS_HEADER));
            PE.IMAGE_FILE_HEADER fileHeader = (PE.IMAGE_FILE_HEADER)Marshal.PtrToStructure(new IntPtr(mem.ToInt64() + dosHeader.e_lfanew), typeof(PE.IMAGE_FILE_HEADER));

            UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
            IntPtr entryPoint;

            if ((fileHeader.Characteristics & IMAGE_FILE_32BIT_MACHINE) == IMAGE_FILE_32BIT_MACHINE)
            {
                PE.IMAGE_OPTIONAL_HEADER32 optionalHeader = (PE.IMAGE_OPTIONAL_HEADER32)Marshal.PtrToStructure
                                                                (new IntPtr(mem.ToInt64() + dosHeader.e_lfanew + Marshal.SizeOf(typeof(PE.IMAGE_FILE_HEADER))), typeof(PE.IMAGE_OPTIONAL_HEADER32));

                entryPoint = new IntPtr(optionalHeader.AddressOfEntryPoint + imageBase.ToInt32());
            }
            else
            {
                PE.IMAGE_OPTIONAL_HEADER64 optionalHeader = (PE.IMAGE_OPTIONAL_HEADER64)Marshal.PtrToStructure
                                                                (new IntPtr(mem.ToInt64() + dosHeader.e_lfanew + Marshal.SizeOf(typeof(PE.IMAGE_FILE_HEADER))), typeof(PE.IMAGE_OPTIONAL_HEADER64));

                entryPoint = new IntPtr(optionalHeader.AddressOfEntryPoint + imageBase.ToInt64());
            }

            if (ShouldBlockDLL(dllPath.ToString()))
            {
                Console.WriteLine($"[+] Blocked DLL {dllPath}");

                byte[] retIns = new byte[1] {
                    0xC3
                };
                IntPtr bytesWritten;

                Console.WriteLine("[+] Patching DLL Entry Point at 0x{0:x}", entryPoint.ToInt64());

                if (WinAPI.WriteProcessMemory(hProcess, entryPoint, retIns, 1, out bytesWritten))
                {
                    Console.WriteLine("[+] Successfully patched DLL Entry Point");
                }
                else
                {
                    Console.WriteLine("[!] Failed patched DLL Entry Point");
                }
            }

            return(dllPath.ToString());
        }