예제 #1
0
        public static void LoadDll(int pID, byte[] dllBytes)
        {
            PEInfomation dllPE   = PELoader.Load(dllBytes, string.Empty);
            IntPtr       pHandle = PELoader.OpenProcessHandle(pID);

            if (pHandle == IntPtr.Zero)
            {
                throw new Exception("Invalid PID");
            }

            IntPtr vAlloc = NativeMethods.VirtualAllocEx(pHandle, 0, dllPE.Overview.SizeOfImage, 0x1000, 0x40);

            if (vAlloc == IntPtr.Zero)
            {
                throw new Exception("Alloc failed");
            }

            NativeMethods.WriteProcessMemory(pHandle, vAlloc, dllBytes, dllPE.Overview.SizeOfHeaders, 0);

            foreach (var section in dllPE.Sections)
            {
                byte[] sData = new byte[section.VirtualSize];
                Buffer.BlockCopy(dllBytes, (int)section.PointerToRawData, sData, 0, sData.Length);

                NativeMethods.WriteProcessMemory(pHandle, new IntPtr(vAlloc.ToInt32() + section.VirtualAddress), sData, (uint)sData.Length, 0);
            }
        }
예제 #2
0
        /// <summary>
        ///
        /// </summary>
        /// <param name="module">Main module of process being analyzed</param>
        /// <param name="processPID">Process id of process being analyzed</param>
        /// <returns></returns>
        private bool HasRunPE(ProcessModule module, int processPID)
        {
            //Catch if process has been killed already
            //try
            //{
            //    Process.GetProcessById(processPID);
            //}
            //catch
            //{
            //    return false;
            //}

            string       modulePath     = module.FileName;
            PEInfomation procPE         = PELoader.Load(processPID, module);
            PEInfomation filePE         = PELoader.Load(modulePath);
            int          unmachedValues = 0;

            unmachedValues += ScanType(procPE.FileHeader, filePE.FileHeader);             // File Header
            unmachedValues += ScanType(procPE.OptionalHeader32, filePE.OptionalHeader32); // Optional Header
            int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));

            for (int i = 0; i < sectionAmmount; i++)
            {
                unmachedValues += ScanType(procPE.Sections[i], filePE.Sections[i]);
            }

            return(unmachedValues >= 8);
        }
 public formStorageStreamView(PEInfomation _pe)
 {
     InitializeComponent();
     LoadedPE = _pe;
     foreach (var section in LoadedPE.NetStructures.StorageStreamHeaders)
     {
         lvSections.Items.Add(new NetStorageListViewItem(section));
     }
 }
 public formViewStorageStream(PEInfomation pe, STORAGE_STREAM_HEADER targetStream)
 {
     InitializeComponent();
     this.Text += string.Format(" ({0})", new string(targetStream.rcName).Replace("\0", ""));
     try
     {
         rtbStorageData.Text = Encoding.UTF8.GetString(pe.ReadStorageStream(targetStream)).Replace("\0", "");//temp
     }
     catch
     {
         rtbStorageData.Text = "Failed.";
     }
 }
예제 #5
0
 private void processToolStripMenuItem1_Click(object sender, EventArgs e)
 {
     using (formLoadProcess procLoadForm = new formLoadProcess())
     {
         if (procLoadForm.ShowDialog() == DialogResult.OK)
         {
             LoadedPE              = PELoader.Load(procLoadForm.SelectedProcessID, procLoadForm.SelectedModule);
             LoadedPE.PESource     = string.Format("Process: {0}", procLoadForm.ProcessName);
             lbCurrentSection.Text = "Overview";
             PopulateInfo(LoadedPE.Overview, false);
         }
     }
 }
예제 #6
0
        private void button1_Click(object sender, EventArgs e)
        {
            lbProcessList.Items.Clear();
            lvFileList.Items.Clear();
            ProcessModule moduleToScan = null;
            int           pid          = 0;

            using (formLoadProcess procLoadForm = new formLoadProcess())
            {
                if (procLoadForm.ShowDialog() != DialogResult.OK)
                {
                    return;
                }
                this.Text    = string.Format("{0} ({1})", WindowText, procLoadForm.ProcessName);
                moduleToScan = procLoadForm.SelectedModule;
                pid          = procLoadForm.SelectedProcessID;
            }

            string       modulePath     = moduleToScan.FileName;
            PEInfomation procPE         = PELoader.Load(pid, moduleToScan);
            PEInfomation filePE         = PELoader.Load(modulePath);
            int          unmachedValues = 0;

            unmachedValues += ScanType <IMAGE_FILE_HEADER>(procPE.FileHeader, filePE.FileHeader, "File Header");
            unmachedValues += ScanType <IMAGE_OPTIONAL_HEADER32>(procPE.OptionalHeader32, filePE.OptionalHeader32, "Optional Header", "ImageBase");
            int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));

            for (int i = 0; i < sectionAmmount; i++)
            {
                unmachedValues += ScanType <IMAGE_SECTION_HEADER>(procPE.Sections[i], filePE.Sections[i], string.Format("Section {0}", i + 1));
            }

            Color  tColor      = Color.Green;
            string warningText = "No RunPE Found (0 Unmached values)";

            if (unmachedValues >= 1)
            {
                tColor      = Color.DarkTurquoise;
                warningText = string.Format("Possable RunPe ({0} Unmaching values)", unmachedValues);
            }

            if (unmachedValues > 4)
            {
                tColor      = Color.Red;
                warningText = string.Format("RunPe Found ({0} Unmaching values)", unmachedValues);
            }

            lbRunpeStatus.Text      = warningText;
            lbRunpeStatus.ForeColor = tColor;
        }
예제 #7
0
 private void fileToolStripMenuItem1_Click(object sender, EventArgs e)
 {
     using (OpenFileDialog ofd = new OpenFileDialog())
     {
         ofd.Filter = "Executable|*.exe|Library|*.dll";
         if (ofd.ShowDialog() == DialogResult.OK)
         {
             LoadedPE              = PELoader.Load(ofd.FileName);
             LoadedPE.PESource     = ofd.FileName;
             lbCurrentSection.Text = "Overview";
             PopulateInfo(LoadedPE.Overview, false);
         }
     }
 }
예제 #8
0
        public formSectionView(PEInfomation info)
        {
            InitializeComponent();
            LoadedPE = info;

            foreach (var section in LoadedPE.Sections)
            {
                ListViewItem i = new ListViewItem(new string(section.Name));
                i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualSize));
                i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualAddress));
                i.SubItems.Add(string.Format("0x{0:x2}", section.SizeOfRawData));
                i.SubItems.Add(string.Format("0x{0:x2}", section.PointerToRawData));
                lvSections.Items.Add(i);
            }
        }
예제 #9
0
 private void unloadToolStripMenuItem_Click(object sender, EventArgs e)
 {
     using (formLoadProcess procLoadForm = new formLoadProcess(false))
     {
         if (procLoadForm.ShowDialog() == DialogResult.OK)
         {
             using (formModuleView dlls = new formModuleView(procLoadForm.SelectedProcessID, procLoadForm.ProcessName))
             {
                 if (dlls.ShowDialog() == DialogResult.Yes)
                 {
                     LoadedPE              = dlls.LoadInfomation;
                     LoadedPE.PESource     = string.Format("Process: {0}", procLoadForm.ProcessName);
                     lbCurrentSection.Text = "Overview";
                     PopulateInfo(LoadedPE.Overview, false);
                 }
             }
         }
     }
 }
예제 #10
0
        public ModuleListViewItem(int procID, IntPtr _handle)
        {
            ModuleInfomation = PELoader.Load(procID, _handle);
            Handle           = _handle;
            ProcessHandle    = ModuleInfomation.GetProcessHandle();

            StringBuilder sb = new StringBuilder(255);

            NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255);
            ModulePath = sb.ToString();

            Text = Path.GetFileName(ModulePath);
            SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64()));
            SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString());
            if (!string.IsNullOrEmpty(Text))
            {
                SubItems.Add(ModulePath);
            }
            else
            {
                SubItems.Add("Byte loaded");
            }
        }
예제 #11
0
        static void Main(string[] args)
        {
            Console.WriteLine("Example RunPE checker using dnPE.");
            Console.Write("Process name: ");
            string pNameString = Console.ReadLine();

            Process[] processbyName = Process.GetProcessesByName(pNameString);
            if (processbyName.Length < 1)
            {
                Console.WriteLine("Invalid process.");
                Console.ReadLine();
                return;
            }

            PEInfomation PE = PEInfomation.Load(processbyName.FirstOrDefault());

            Dictionary <string, object> values = PEInfomation.ReadStructValues(PE.Overview);

            foreach (var i in values)
            {
                Console.WriteLine("{0}: {1}", i.Key, i.Value);
            }

            int unmachedValues = 0;

            unmachedValues += PEInfomation.CountDiffrences(PE.FileHeader, PE.FileHeader);
            unmachedValues += PEInfomation.CountDiffrences(PE.OptionalHeader32, PE.OptionalHeader32, "ImageBase");
            int sectionAmmount = Math.Min(Convert.ToInt32(PE.Overview.NumberOfSections), Convert.ToInt32(PE.Overview.NumberOfSections));

            for (int i = 0; i < sectionAmmount; i++)
            {
                unmachedValues += PEInfomation.CountDiffrences(PE.Sections[i], PE.Sections[i]);
            }

            Console.WriteLine("Number of PE discrepancies: {0}", unmachedValues);
            Console.ReadLine();
        }
예제 #12
0
        void DumpModule(PEInfomation procPE, string path)
        {
            byte[] buffer = new byte[procPE.Overview.SizeOfImage];

            IntPtr procHandle = procPE.GetProcessHandle();

            NativeMethods.ReadProcessMemory(procHandle, procPE.ModuleBaseAddress, buffer, Convert.ToInt32(procPE.Overview.SizeOfHeaders), 0);

            foreach (IMAGE_SECTION_HEADER section in procPE.Sections)
            {
                if (section.SizeOfRawData == 0)
                {
                    continue;
                }

                byte[] sData = new byte[section.SizeOfRawData];
                NativeMethods.ReadProcessMemory(procHandle, new IntPtr(procPE.Overview.ImageBase + section.VirtualAddress), sData, sData.Length, 0);

                Buffer.BlockCopy(sData, 0, buffer, Convert.ToInt32(section.PointerToRawData), sData.Length);
            }

            File.WriteAllBytes(path, buffer);
            procPE.CloseProcessHandle();
        }