public static void LoadDll(int pID, byte[] dllBytes)
{
PEInfomation dllPE = PELoader.Load(dllBytes, string.Empty);
IntPtr pHandle = PELoader.OpenProcessHandle(pID);
if (pHandle == IntPtr.Zero)
{
throw new Exception("Invalid PID");
}
IntPtr vAlloc = NativeMethods.VirtualAllocEx(pHandle, 0, dllPE.Overview.SizeOfImage, 0x1000, 0x40);
if (vAlloc == IntPtr.Zero)
{
throw new Exception("Alloc failed");
}
NativeMethods.WriteProcessMemory(pHandle, vAlloc, dllBytes, dllPE.Overview.SizeOfHeaders, 0);
foreach (var section in dllPE.Sections)
{
byte[] sData = new byte[section.VirtualSize];
Buffer.BlockCopy(dllBytes, (int)section.PointerToRawData, sData, 0, sData.Length);
NativeMethods.WriteProcessMemory(pHandle, new IntPtr(vAlloc.ToInt32() + section.VirtualAddress), sData, (uint)sData.Length, 0);
}
}
/// <summary>
///
/// </summary>
/// <param name="module">Main module of process being analyzed</param>
/// <param name="processPID">Process id of process being analyzed</param>
/// <returns></returns>
private bool HasRunPE(ProcessModule module, int processPID)
{
//Catch if process has been killed already
//try
//{
// Process.GetProcessById(processPID);
//}
//catch
//{
// return false;
//}
string modulePath = module.FileName;
PEInfomation procPE = PELoader.Load(processPID, module);
PEInfomation filePE = PELoader.Load(modulePath);
int unmachedValues = 0;
unmachedValues += ScanType(procPE.FileHeader, filePE.FileHeader); // File Header
unmachedValues += ScanType(procPE.OptionalHeader32, filePE.OptionalHeader32); // Optional Header
int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));
for (int i = 0; i < sectionAmmount; i++)
{
unmachedValues += ScanType(procPE.Sections[i], filePE.Sections[i]);
}
return(unmachedValues >= 8);
}
public formStorageStreamView(PEInfomation _pe)
{
InitializeComponent();
LoadedPE = _pe;
foreach (var section in LoadedPE.NetStructures.StorageStreamHeaders)
{
lvSections.Items.Add(new NetStorageListViewItem(section));
}
}
public formViewStorageStream(PEInfomation pe, STORAGE_STREAM_HEADER targetStream)
{
InitializeComponent();
this.Text += string.Format(" ({0})", new string(targetStream.rcName).Replace("\0", ""));
try
{
rtbStorageData.Text = Encoding.UTF8.GetString(pe.ReadStorageStream(targetStream)).Replace("\0", "");//temp
}
catch
{
rtbStorageData.Text = "Failed.";
}
}
private void processToolStripMenuItem1_Click(object sender, EventArgs e)
{
using (formLoadProcess procLoadForm = new formLoadProcess())
{
if (procLoadForm.ShowDialog() == DialogResult.OK)
{
LoadedPE = PELoader.Load(procLoadForm.SelectedProcessID, procLoadForm.SelectedModule);
LoadedPE.PESource = string.Format("Process: {0}", procLoadForm.ProcessName);
lbCurrentSection.Text = "Overview";
PopulateInfo(LoadedPE.Overview, false);
}
}
}
private void button1_Click(object sender, EventArgs e)
{
lbProcessList.Items.Clear();
lvFileList.Items.Clear();
ProcessModule moduleToScan = null;
int pid = 0;
using (formLoadProcess procLoadForm = new formLoadProcess())
{
if (procLoadForm.ShowDialog() != DialogResult.OK)
{
return;
}
this.Text = string.Format("{0} ({1})", WindowText, procLoadForm.ProcessName);
moduleToScan = procLoadForm.SelectedModule;
pid = procLoadForm.SelectedProcessID;
}
string modulePath = moduleToScan.FileName;
PEInfomation procPE = PELoader.Load(pid, moduleToScan);
PEInfomation filePE = PELoader.Load(modulePath);
int unmachedValues = 0;
unmachedValues += ScanType <IMAGE_FILE_HEADER>(procPE.FileHeader, filePE.FileHeader, "File Header");
unmachedValues += ScanType <IMAGE_OPTIONAL_HEADER32>(procPE.OptionalHeader32, filePE.OptionalHeader32, "Optional Header", "ImageBase");
int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));
for (int i = 0; i < sectionAmmount; i++)
{
unmachedValues += ScanType <IMAGE_SECTION_HEADER>(procPE.Sections[i], filePE.Sections[i], string.Format("Section {0}", i + 1));
}
Color tColor = Color.Green;
string warningText = "No RunPE Found (0 Unmached values)";
if (unmachedValues >= 1)
{
tColor = Color.DarkTurquoise;
warningText = string.Format("Possable RunPe ({0} Unmaching values)", unmachedValues);
}
if (unmachedValues > 4)
{
tColor = Color.Red;
warningText = string.Format("RunPe Found ({0} Unmaching values)", unmachedValues);
}
lbRunpeStatus.Text = warningText;
lbRunpeStatus.ForeColor = tColor;
}
private void fileToolStripMenuItem1_Click(object sender, EventArgs e)
{
using (OpenFileDialog ofd = new OpenFileDialog())
{
ofd.Filter = "Executable|*.exe|Library|*.dll";
if (ofd.ShowDialog() == DialogResult.OK)
{
LoadedPE = PELoader.Load(ofd.FileName);
LoadedPE.PESource = ofd.FileName;
lbCurrentSection.Text = "Overview";
PopulateInfo(LoadedPE.Overview, false);
}
}
}
public formSectionView(PEInfomation info)
{
InitializeComponent();
LoadedPE = info;
foreach (var section in LoadedPE.Sections)
{
ListViewItem i = new ListViewItem(new string(section.Name));
i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualSize));
i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualAddress));
i.SubItems.Add(string.Format("0x{0:x2}", section.SizeOfRawData));
i.SubItems.Add(string.Format("0x{0:x2}", section.PointerToRawData));
lvSections.Items.Add(i);
}
}
private void unloadToolStripMenuItem_Click(object sender, EventArgs e)
{
using (formLoadProcess procLoadForm = new formLoadProcess(false))
{
if (procLoadForm.ShowDialog() == DialogResult.OK)
{
using (formModuleView dlls = new formModuleView(procLoadForm.SelectedProcessID, procLoadForm.ProcessName))
{
if (dlls.ShowDialog() == DialogResult.Yes)
{
LoadedPE = dlls.LoadInfomation;
LoadedPE.PESource = string.Format("Process: {0}", procLoadForm.ProcessName);
lbCurrentSection.Text = "Overview";
PopulateInfo(LoadedPE.Overview, false);
}
}
}
}
}
public ModuleListViewItem(int procID, IntPtr _handle)
{
ModuleInfomation = PELoader.Load(procID, _handle);
Handle = _handle;
ProcessHandle = ModuleInfomation.GetProcessHandle();
StringBuilder sb = new StringBuilder(255);
NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255);
ModulePath = sb.ToString();
Text = Path.GetFileName(ModulePath);
SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64()));
SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString());
if (!string.IsNullOrEmpty(Text))
{
SubItems.Add(ModulePath);
}
else
{
SubItems.Add("Byte loaded");
}
}
static void Main(string[] args)
{
Console.WriteLine("Example RunPE checker using dnPE.");
Console.Write("Process name: ");
string pNameString = Console.ReadLine();
Process[] processbyName = Process.GetProcessesByName(pNameString);
if (processbyName.Length < 1)
{
Console.WriteLine("Invalid process.");
Console.ReadLine();
return;
}
PEInfomation PE = PEInfomation.Load(processbyName.FirstOrDefault());
Dictionary <string, object> values = PEInfomation.ReadStructValues(PE.Overview);
foreach (var i in values)
{
Console.WriteLine("{0}: {1}", i.Key, i.Value);
}
int unmachedValues = 0;
unmachedValues += PEInfomation.CountDiffrences(PE.FileHeader, PE.FileHeader);
unmachedValues += PEInfomation.CountDiffrences(PE.OptionalHeader32, PE.OptionalHeader32, "ImageBase");
int sectionAmmount = Math.Min(Convert.ToInt32(PE.Overview.NumberOfSections), Convert.ToInt32(PE.Overview.NumberOfSections));
for (int i = 0; i < sectionAmmount; i++)
{
unmachedValues += PEInfomation.CountDiffrences(PE.Sections[i], PE.Sections[i]);
}
Console.WriteLine("Number of PE discrepancies: {0}", unmachedValues);
Console.ReadLine();
}
void DumpModule(PEInfomation procPE, string path)
{
byte[] buffer = new byte[procPE.Overview.SizeOfImage];
IntPtr procHandle = procPE.GetProcessHandle();
NativeMethods.ReadProcessMemory(procHandle, procPE.ModuleBaseAddress, buffer, Convert.ToInt32(procPE.Overview.SizeOfHeaders), 0);
foreach (IMAGE_SECTION_HEADER section in procPE.Sections)
{
if (section.SizeOfRawData == 0)
{
continue;
}
byte[] sData = new byte[section.SizeOfRawData];
NativeMethods.ReadProcessMemory(procHandle, new IntPtr(procPE.Overview.ImageBase + section.VirtualAddress), sData, sData.Length, 0);
Buffer.BlockCopy(sData, 0, buffer, Convert.ToInt32(section.PointerToRawData), sData.Length);
}
File.WriteAllBytes(path, buffer);
procPE.CloseProcessHandle();
}