void EnumModules() { this.Text = "Modules from " + ProcessName + " whit PID=" + procid.ToString(); modules = ProcModule.GetModuleInfos(procid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { Graphics g = lvmodules.CreateGraphics(); Font objFont = new Font("Microsoft Sans Serif", 8); SizeF stringSize = new SizeF(); stringSize = g.MeasureString(modules[i].baseName, objFont); int processlenght = (int)(stringSize.Width + lvmodules.Margin.Horizontal * 2); if (processlenght > modulename.Width) { modulename.Width = processlenght; } string[] prcdetails = new string[] { modules[i].baseName, modules[i].baseOfDll.ToString("X8"), modules[i].sizeOfImage.ToString("X8"), modules[i].entryPoint.ToString("X8") }; ListViewItem proc = new ListViewItem(prcdetails); lvmodules.Items.Add(proc); } } }
public static bool IsValid(this IntPtr ptr, ProcModule module = null) { if (MiniMem.AttachedProcess.ProcessHandle == IntPtr.Zero) { throw new Exception("Please attach to the game first!"); } if (ptr == IntPtr.Zero) { return(false); } if (module != null) { return(ptr.ToInt32() >= module.BaseAddress.ToInt32() && ptr.ToInt32() <= module.EndAddress.ToInt32()); } ProcModule pm = MiniMem.FindProcessModule(MiniMem.AttachedProcess.ProcessObject.ProcessName); // Get "main" module if (pm != null) { return(ptr.ToInt32() >= pm.BaseAddress.ToInt32() && ptr.ToInt32() <= pm.EndAddress.ToInt32()); } return(ptr != IntPtr.Zero); }
static void WriteUnicodeString(IntPtr Address, string istring) { UnicodeEncoding Unicode = new UnicodeEncoding(); byte[] ubytes = Unicode.GetBytes(istring); uint BytesRead = 0; ProcModule.WriteProcessMemory(hprocess, Address, ubytes, (uint)ubytes.Length, out BytesRead); }
void Button4Click(object sender, EventArgs e) { OpenFileDialog fdlg = new OpenFileDialog(); fdlg.Title = "Browse for target dll:"; fdlg.InitialDirectory = @"c:\"; if (DirectoryName != "") { fdlg.InitialDirectory = DirectoryName; } fdlg.Filter = "All files (*.dll)|*.dll"; fdlg.FilterIndex = 2; fdlg.RestoreDirectory = true; fdlg.Multiselect = false; if (fdlg.ShowDialog() == DialogResult.OK) { string FileName = fdlg.FileName; int lastslash = FileName.LastIndexOf("\\"); if (lastslash != -1) { DirectoryName = FileName.Remove(lastslash, FileName.Length - lastslash); } if (DirectoryName.Length == 2) { DirectoryName = DirectoryName + "\\"; } string error = ""; string libname = fdlg.FileName; IntPtr retaddress = ProcModule.InjectLibraryInternal((uint)procid, libname, out error); if (retaddress == IntPtr.Zero) { label2.ForeColor = Color.Red; label2.Text = "Error: " + error; } else { label2.ForeColor = Color.Blue; label2.Text = "Dll injected at address: " + retaddress.ToString("X8"); lvmodules.Items.Clear(); EnumModules(); } } }
void FreeModuleToolStripMenuItemClick(object sender, EventArgs e) { if (lvmodules.SelectedIndices.Count > 0) { string libaddress = lvmodules.Items[lvmodules.SelectedIndices[0]].SubItems[1].Text; IntPtr libaddressptr = (IntPtr)System.Convert.ToInt32(libaddress, 16); string error = ""; if (!ProcModule.FreeLibraryInternal((uint)procid, libaddressptr, out error)) { label2.ForeColor = Color.Red; label2.Text = "Error: " + error; } else { label2.ForeColor = Color.Blue; label2.Text = "Dll free succesfully!"; lvmodules.Items.Clear(); EnumModules(); } } }
public static bool WriteDump(uint processId, string fileName, DType dumpTyp) { IntPtr hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, (uint)processId); if (hProcess == IntPtr.Zero) { IntPtr pDACL, pSecDesc; GetSecurityInfo((int)Process.GetCurrentProcess().Handle, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4, 0, 0, out pDACL, IntPtr.Zero, out pSecDesc); hProcess = OpenProcess(0x40000, 0, processId); SetSecurityInfo((int)hProcess, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4 | /*UNPROTECTED_DACL_SECURITY_INFORMATION*/ 0x20000000, 0, 0, pDACL, IntPtr.Zero); ProcModule.CloseHandle(hProcess); hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, processId); } if (hProcess == IntPtr.Zero) { return(false); } else { using (var fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create, System.IO.FileAccess.Write, System.IO.FileShare.None)) { MiniDumpExceptionInformation exp; exp.ThreadId = GetCurrentThreadId(); exp.ClientPointers = false; exp.ExceptioonPointers = System.Runtime.InteropServices.Marshal.GetExceptionPointers(); bool bRet = MiniDumpWriteDump( GetCurrentProcess(), GetCurrentProcessId(), fs.SafeFileHandle.DangerousGetHandle(), (uint)dumpTyp, ref exp, IntPtr.Zero, IntPtr.Zero); return(bRet); } } }
static IntPtr CorBindToRuntimeExAddress() { ProcModule.ModuleInfo targetmscoree = null; ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos((int)processid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("mscoree.dll")) { targetmscoree = modules[i]; break; } } } if (targetmscoree == null || targetmscoree.baseOfDll == IntPtr.Zero) { return(IntPtr.Zero); } IntPtr CLRCreateInstanceAddress = IntPtr.Zero; if (hprocess != IntPtr.Zero) { int CLRCreateInstancerva = ExportTable.ProcGetExpAddress (hprocess, targetmscoree.baseOfDll, "CorBindToRuntimeEx"); if (CLRCreateInstancerva == 0) { return(IntPtr.Zero); } return((IntPtr)((long)targetmscoree.baseOfDll + (long)CLRCreateInstancerva)); } return(IntPtr.Zero); }
void HoockDetect() { textBox1.Text = "Detecting hooks for process whit the name " + ProcessName + " and PID=" + procid.ToString() + "\r\n"; byte[] Forread = new byte[0x500]; uint BytesRead = 0; int CompileAddress = 0; IntPtr processHandle = IntPtr.Zero; try { processHandle = OpenProcess(ProcessAccess.QueryInformation | ProcessAccess.VMRead, false, (uint)procid); } catch { } if (processHandle != IntPtr.Zero) { ProcModule.ModuleInfo targetmscorjit = null; ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos(procid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("mscorjit")) { targetmscorjit = modules[i]; break; } } } if (targetmscorjit == null) { textBox1.Text = textBox1.Text + "Seems that the target process is not a .NET process!" + "\r\n"; } else { int getJitrva = ExportTable.ProcGetExpAddress(processHandle, targetmscorjit.baseOfDll, "getJit"); bool isok = false; isok = ReadProcessMemory(processHandle, (IntPtr)((long)targetmscorjit.baseOfDll + (long)getJitrva), Forread, (uint)Forread.Length, ref BytesRead); if (isok) { int count = 0; while (Forread[count] != 0x0C3) { count++; } long cmpointer = (long)targetmscorjit.baseOfDll + getJitrva + count + 1; textBox1.Text = textBox1.Text + "Pointer of compile method : " + cmpointer.ToString("X8") + "\r\n"; CompileAddress = BitConverter.ToInt32(Forread, count + 1); textBox1.Text = textBox1.Text + "Address of compile method is : " + CompileAddress.ToString("X8") + "\r\n"; if ((CompileAddress < (int)targetmscorjit.baseOfDll) || (CompileAddress > (int)targetmscorjit.baseOfDll + targetmscorjit.sizeOfImage)) { textBox1.Text = textBox1.Text + "Address of compile method changed!!!" + "\r\n"; } else { textBox1.Text = textBox1.Text + "Address of compile method seems to be the original one!" + "\r\n"; } } else { textBox1.Text = textBox1.Text + "Failed to read from selected process!" + "\r\n"; } ProcModule.CloseHandle(processHandle); } // end if is not .NET } else { textBox1.Text = textBox1.Text + "Failed to open selected process!" + "\r\n"; } }
/// <summary> /// 检测登录二维码是否已经扫描 /// </summary> /// <param name="qqActionListener"></param> public void CheckQRCode(QQActionEventHandler qqActionListener) { ProcModule module = GetModule <ProcModule>(QQModuleType.PROC); module.CheckQRCode(qqActionListener); }
public static void HostCLR_RunMethod(String AssemblyPath, String TypeName, String MethodName, String Args, String Version) { hprocess = ProcModule.OpenProcess(ProcModule.PROCESS_QUERY_INFORMATION | ProcModule.PROCESS_VM_OPERATION | ProcModule.PROCESS_VM_WRITE | ProcModule.PROCESS_VM_READ | ProcModule.PROCESS_CREATE_THREAD, 0, (uint)processid); IntPtr CorBindToRuntimeExPtr = CorBindToRuntimeExAddress(); uint BytesRead = 0; IntPtr codeCave_Code = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 500, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ExecuteReadWrite); IntPtr CLSID_CLRRuntimeHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)CLSID_CLRRuntimeHost.Length * 4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr IID_ICLRRuntimeHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)IID_ICLRRuntimeHost.Length, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr ClrHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 04, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr dwRetPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr AssemblyPathPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(AssemblyPath.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr TypeNamePtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(TypeName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr MethodNamePtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(MethodName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr ArgsPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(Args.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); IntPtr BuildFlavorPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x10, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite); ProcModule.WriteProcessMemory(hprocess, CLSID_CLRRuntimeHostPtr, CLSID_CLRRuntimeHost, (uint)CLSID_CLRRuntimeHost.Length, out BytesRead); ProcModule.WriteProcessMemory(hprocess, IID_ICLRRuntimeHostPtr, IID_ICLRRuntimeHost, (uint)IID_ICLRRuntimeHost.Length, out BytesRead); WriteUnicodeString(BuildFlavorPtr, "wks"); WriteUnicodeString(AssemblyPathPtr, AssemblyPath); WriteUnicodeString(TypeNamePtr, TypeName); WriteUnicodeString(MethodNamePtr, MethodName); WriteUnicodeString(ArgsPtr, Args); InlineASM inline = new InlineASM(); inline.PushOffset(ClrHostPtr); inline.PushOffset(IID_ICLRRuntimeHostPtr); inline.PushOffset(CLSID_CLRRuntimeHostPtr); inline.PushByte(0); inline.PushOffset(BuildFlavorPtr); inline.PushByte(0); inline.MovEaxValue(CorBindToRuntimeExPtr); inline.CallEax(); // call CorBindToRuntimeEx inline.MovEaxDwordPtr(ClrHostPtr); inline.MovEcxDwordPtrEax(); inline.MovEdxDwordPtrEcxOffset(0x0C); inline.PushEax(); inline.CallEdx(); // pClrHost->Start(); inline.PushOffset(dwRetPtr); inline.PushOffset(ArgsPtr); inline.PushOffset(MethodNamePtr); inline.PushOffset(TypeNamePtr); inline.PushOffset(AssemblyPathPtr); inline.MovEaxDwordPtr(ClrHostPtr); inline.MovEcxDwordPtrEax(); inline.PushEax(); inline.MovEaxDwordPtrEcxOffset(0x2C); inline.CallEax(); // pClrHost->ExecuteInDefaultAppDomain inline.Retn(); ProcModule.WriteProcessMemory(hprocess, codeCave_Code, inline.asm, (uint)inline.asm.Length, out BytesRead); IntPtr hThread = ProcModule.CreateRemoteThread(hprocess, IntPtr.Zero, 0, codeCave_Code, IntPtr.Zero, 0, IntPtr.Zero); /* * if (ProcModule.WaitForSingleObject(hThread,uint.MaxValue)!=0) * { * return; * } */ IntPtr retcode = IntPtr.Zero; if (!ProcModule.GetExitCodeThread(hThread, out retcode)) { return; } ProcModule.CloseHandle(hprocess); }
void DumpModule() { IntPtr hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, (uint)procid); if (hProcess == IntPtr.Zero) { IntPtr pDACL, pSecDesc; GetSecurityInfo((int)Process.GetCurrentProcess().Handle, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4, 0, 0, out pDACL, IntPtr.Zero, out pSecDesc); hProcess = OpenProcess(0x40000, 0, (uint)procid); SetSecurityInfo((int)hProcess, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4 | /*UNPROTECTED_DACL_SECURITY_INFORMATION*/ 0x20000000, 0, 0, pDACL, IntPtr.Zero); ProcModule.CloseHandle(hProcess); hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, (uint)procid); } if (hProcess != IntPtr.Zero) { string newdirname = DirName; if (DirName.Length < 2 || !Directory.Exists(DirName)) { newdirname = "C:\\"; } newdirname = Path.Combine(DirName, "Dumps"); System.IO.Directory.CreateDirectory(newdirname); int ImageBase = System.Convert.ToInt32(lvmodules.Items[lvmodules.SelectedIndices[0]].SubItems[1].Text, 16); string moduleName = lvmodules.Items[lvmodules.SelectedIndices[0]].SubItems[0].Text; bool isok; uint speed = 0x1000; try { SYSTEM_INFO pSI = new SYSTEM_INFO(); GetSystemInfo(ref pSI); speed = pSI.dwPageSize; } catch { } byte[] bigMem = new byte[speed]; byte[] InfoKeep = new byte[8]; uint BytesRead = 0; int nrofsection = 0; byte[] Dump = null; byte[] Partkeep = null; int filealignment = 0; int rawaddress; int address = 0; int offset = 0; bool ShouldFixrawsize = false; isok = ReadProcessMemory(hProcess, (uint)(ImageBase + 0x03C), InfoKeep, 4, ref BytesRead); int PEOffset = BitConverter.ToInt32(InfoKeep, 0); try { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + PEOffset + 0x0F8 + 20), InfoKeep, 4, ref BytesRead); byte[] PeHeader = new byte[speed]; rawaddress = BitConverter.ToInt32(InfoKeep, 0); int sizetocopy = rawaddress; if (sizetocopy > speed) { sizetocopy = (int)speed; } isok = ReadProcessMemory(hProcess, (uint)(ImageBase), PeHeader, (uint)sizetocopy, ref BytesRead); offset = offset + rawaddress; nrofsection = (int)BitConverter.ToInt16(PeHeader, PEOffset + 0x06); int sectionalignment = BitConverter.ToInt32(PeHeader, PEOffset + 0x038); filealignment = BitConverter.ToInt32(PeHeader, PEOffset + 0x03C); int sizeofimage = BitConverter.ToInt32(PeHeader, PEOffset + 0x050); int calculatedimagesize = BitConverter.ToInt32(PeHeader, PEOffset + 0x0F8 + 012); for (int i = 0; i < nrofsection; i++) { int virtualsize = BitConverter.ToInt32(PeHeader, PEOffset + 0x0F8 + 0x28 * i + 08); int toadd = (virtualsize % sectionalignment); if (toadd != 0) { toadd = sectionalignment - toadd; } calculatedimagesize = calculatedimagesize + virtualsize + toadd; } if (calculatedimagesize > sizeofimage) { sizeofimage = calculatedimagesize; } Dump = new byte[sizeofimage]; Array.Copy(PeHeader, Dump, sizetocopy); Partkeep = new byte[sizeofimage]; } catch { } int calcrawsize = 0; for (int i = 0; i < nrofsection; i++) { int rawsize, virtualsize, virtualAddress; for (int l = 0; l < nrofsection; l++) { rawsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * l + 16); virtualsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * l + 08); virtualAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * l + 012); // RawSize = Virtual Size rounded on FileAlligment calcrawsize = 0; calcrawsize = virtualsize % filealignment; if (calcrawsize != 0) { calcrawsize = filealignment - calcrawsize; } calcrawsize = virtualsize + calcrawsize; if (calcrawsize != 0 && rawsize != calcrawsize && rawsize != virtualsize) { ShouldFixrawsize = true; break; } } rawsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 16); virtualsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 08); // RawSize = Virtual Size rounded on FileAlligment virtualAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 012); if (ShouldFixrawsize) { rawsize = virtualsize; BinaryWriter writer = new BinaryWriter(new MemoryStream(Dump)); writer.BaseStream.Position = PEOffset + 0x0F8 + 0x28 * i + 16; writer.Write(virtualsize); writer.BaseStream.Position = PEOffset + 0x0F8 + 0x28 * i + 20; writer.Write(virtualAddress); writer.Close(); } address = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 12); isok = ReadProcessMemory(hProcess, (uint)(ImageBase + address), Partkeep, (uint)rawsize, ref BytesRead); if (!isok) { byte[] onepage = new byte[512]; for (int c = 0; c < virtualsize; c = c + 512) { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + virtualAddress + c), onepage, (uint)512, ref BytesRead); Array.Copy(onepage, 0, Partkeep, c, 512); } } if (ShouldFixrawsize) { Array.Copy(Partkeep, 0, Dump, virtualAddress, rawsize); offset = virtualAddress + rawsize; } else { Array.Copy(Partkeep, 0, Dump, offset, rawsize); offset = offset + rawsize; } } if (Dump != null && Dump.Length > 0 && Dump.Length >= offset) { int ImportDirectoryRva = BitConverter.ToInt32(Dump, PEOffset + 0x080); if (ImportDirectoryRva > 0 && ImportDirectoryRva < offset) { int current = 0; int ThunkToFix = 0; int ThunkData = 0; isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current + 12), Partkeep, 4, ref BytesRead); int NameOffset = BitConverter.ToInt32(Partkeep, 0); while (isok && NameOffset != 0) { byte[] mscoreeAscii = { 0x6D, 0x73, 0x63, 0x6F, 0x72, 0x65, 0x65, 0x2E, 0x64, 0x6C, 0x6C, 0x00 }; byte[] NameKeeper = new byte[mscoreeAscii.Length]; isok = ReadProcessMemory(hProcess, (uint)(ImageBase + NameOffset), NameKeeper, (uint)mscoreeAscii.Length, ref BytesRead); if (isok && BytesEqual(NameKeeper, mscoreeAscii)) { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current), Partkeep, 4, ref BytesRead); int OriginalFirstThunk = BitConverter.ToInt32(Partkeep, 0); // OriginalFirstThunk; if (OriginalFirstThunk > 0 && OriginalFirstThunk < offset) { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + OriginalFirstThunk), Partkeep, 4, ref BytesRead); ThunkData = BitConverter.ToInt32(Partkeep, 0); if (ThunkData > 0 && ThunkData < offset) { byte[] CorExeMain = { 0x5F, 0x43, 0x6F, 0x72, 0x45, 0x78, 0x65, 0x4D, 0x61, 0x69, 0x6E, 0x00 }; byte[] CorDllMain = { 0x5F, 0x43, 0x6F, 0x72, 0x44, 0x6C, 0x6C, 0x4D, 0x61, 0x69, 0x6E, 0x00 }; NameKeeper = new byte[CorExeMain.Length]; isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + 2), NameKeeper, (uint)CorExeMain.Length, ref BytesRead); if (isok && (BytesEqual(NameKeeper, CorExeMain) || BytesEqual(NameKeeper, CorDllMain))) { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current + 16), Partkeep, 4, ref BytesRead); ThunkToFix = BitConverter.ToInt32(Partkeep, 0); // FirstThunk; break; } } } } current = current + 20; // 20 size of IMAGE_IMPORT_DESCRIPTOR isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current + 12), Partkeep, 4, ref BytesRead); NameOffset = BitConverter.ToInt32(Partkeep, 0); } if (ThunkToFix > 0 && ThunkToFix < offset) { BinaryWriter writer = new BinaryWriter(new MemoryStream(Dump)); isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkToFix), Partkeep, 4, ref BytesRead); int ThunkValue = BitConverter.ToInt32(Partkeep, 0); if (isok && (ThunkValue < 0 || ThunkValue > offset)) { int fvirtualsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 08); int fvirtualAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 012); int frawAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 20); writer.BaseStream.Position = ThunkToFix - fvirtualAddress + frawAddress; writer.Write(ThunkData); } int EntryPoint = BitConverter.ToInt32(Dump, PEOffset + 0x028); if (EntryPoint <= 0 || EntryPoint > offset) { int ca = 0; do { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + ca), Partkeep, 1, ref BytesRead); if (isok && Partkeep[0] == 0x0FF) { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + ca + 1), Partkeep, 1, ref BytesRead); if (isok && Partkeep[0] == 0x025) { isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + ca + 2), Partkeep, 4, ref BytesRead); if (isok) { int RealEntryPoint = ThunkData + ca; writer.BaseStream.Position = PEOffset + 0x028; writer.Write(RealEntryPoint); } } } ca++; }while (isok); } writer.Close(); } } } if (Dump != null && Dump.Length > 0 && Dump.Length >= offset) { FileStream fout; string filename = newdirname + "\\" + moduleName; fout = new FileStream(filename, FileMode.Create); fout.Write(Dump, 0, offset); fout.Close(); label2.ForeColor = Color.Blue; label2.Text = "Module saved in " + filename; } else { label2.ForeColor = Color.Red; label2.Text = "Failed to dump module!"; } } else { label2.ForeColor = Color.Red; label2.Text = "Failed to open process!"; } }
void Button2Click(object sender, EventArgs e) { string filename = textBox1.Text; string enviroments = textBox2.Text; if (filename != "" && File.Exists(filename)) { int processflags = processflags = 0 | (int)ProcessCreationFlags.CREATE_SUSPENDED; IntPtr memptr = IntPtr.Zero; button2.Enabled = false; textBox3.Text = ""; GCHandle gchenv = new GCHandle(); if (enviroments.Length != 0) { if (enviroments.Length >= 3 && enviroments.Contains("=")) { textBox3.AppendText("Setting Environment Variables..."); try { char[] separator = "\r\n".ToCharArray(); string[] realvalues = enviroments.Split(separator); IntPtr newptr = memptr; bool unicode = false; if (Environment.OSVersion.Platform == PlatformID.Win32NT) { processflags = processflags | (int)ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT; unicode = true; } StringDictionary environmentVariables = new StringDictionary(); // add Environments of the parent to the child! foreach (System.Collections.DictionaryEntry entry in Environment.GetEnvironmentVariables()) { environmentVariables.Add((string)entry.Key, (string)entry.Value); } for (int i = 0; i < realvalues.Length; i++) { if (realvalues[i] != "" && realvalues[i].Contains("=")) { separator = "=".ToCharArray(); string[] currentvalue = realvalues[i].Split(separator); if (currentvalue[0] != "") { if (environmentVariables.ContainsKey(currentvalue[0])) { textBox3.AppendText("\r\n" + "The key whit the name " + currentvalue[0] + " is already on dictinonary!"); } else { environmentVariables.Add(currentvalue[0], currentvalue[1]); } } } } gchenv = GCHandle.Alloc(ToByteArray(environmentVariables, unicode), GCHandleType.Pinned); memptr = gchenv.AddrOfPinnedObject(); textBox3.AppendText("\r\n" + "Environment Variables setted!"); } catch (Exception exc) { textBox3.AppendText("\r\n" + exc.Message + "\r\n"); } } else { textBox3.AppendText("Invalid Environment Variables!" + "\r\n"); } } STARTUPINFO structure = new STARTUPINFO(); PROCESS_INFORMATION process_information = new PROCESS_INFORMATION(); IntPtr lpApplicationName = Marshal.StringToHGlobalUni(filename); try { CreateProcess(lpApplicationName, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0, processflags, memptr, IntPtr.Zero, ref structure, ref process_information); hprocess = process_information.hProcess; hcthread = process_information.hThread; cprocessid = process_information.dwProcessId; if (gchenv.IsAllocated) { gchenv.Free(); } textBox3.AppendText("\r\n" + "Process created"); if (checkBox1.Checked) { textBox3.AppendText(" on suspended mode"); button3.Enabled = true; } textBox3.AppendText("!" + "\r\n"); } catch (Exception ex3) { textBox3.AppendText("\r\n" + "Failed to start process whit the message" + ex3.Message + "\r\n"); return; } checktimer = new System.Windows.Forms.Timer(); checktimer.Interval = 30; checktimer.Enabled = true; checktimer.Tick += new System.EventHandler(CheckStatut); if (checkBox2.Checked) { ProcModule.ModuleInfo[] modules = null; for (int k = 0; k < 500; k++) // try it 500 times! { LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread); modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("kernel32")) { targetkernel32 = modules[i]; break; } } } if (targetkernel32 != null) { break; } } if (targetkernel32 != null && targetkernel32.baseOfDll != IntPtr.Zero) { HookCreateProcess(targetkernel32.baseOfDll); } } if (checkBox3.Checked) { ProcModule.ModuleInfo[] modules = null; for (int k = 0; k < 50; k++) // try it 50 times! { LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread); modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.Length > 10 && modules[i].baseName.ToLower().StartsWith("msvcr")) { targetMSVCR80 = modules[i]; break; } } } if (targetMSVCR80 != null) { break; } } if (targetMSVCR80 != null && targetMSVCR80.baseOfDll != IntPtr.Zero) { LogmemcpyInit(targetMSVCR80.baseOfDll); } } if (!checkBox1.Checked) { ResumeThread(process_information.hThread); } } else { textBox3.Text = "Please select a valid file!" + "\r\n"; } }