예제 #1
0
        // Token: 0x06000123 RID: 291 RVA: 0x0000DEE4 File Offset: 0x0000C0E4
        private static bool LoadDependencies(PortableExecutable image, IntPtr hProcess, int processId)
        {
            List <string> list   = new List <string>();
            string        empty  = string.Empty;
            bool          result = false;

            foreach (IMAGE_IMPORT_DESCRIPTOR image_IMPORT_DESCRIPTOR in image.EnumImports())
            {
                if (image.ReadString((long)((ulong)image.GetPtrFromRVA(image_IMPORT_DESCRIPTOR.Name)), SeekOrigin.Begin, out empty, -1, null) && !string.IsNullOrEmpty(empty) && ManualMap.GetRemoteModuleHandle(empty, processId).IsNull())
                {
                    list.Add(empty);
                }
            }
            if (list.Count > 0)
            {
                byte[] array = ManualMap.ExtractManifest(image);
                string text  = string.Empty;
                if (array == null)
                {
                    if (string.IsNullOrEmpty(image.FileLocation) || !File.Exists(Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest")))
                    {
                        InjectionMethod injectionMethod = InjectionMethod.Create(InjectionMethodType.Standard);
                        IntPtr[]        array2          = injectionMethod.InjectAll(list.ToArray(), hProcess);
                        foreach (IntPtr ptr in array2)
                        {
                            if (ptr.IsNull())
                            {
                                return(false);
                            }
                        }
                        return(true);
                    }
                    text = Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest");
                }
                else
                {
                    text = Utils.WriteTempData(array);
                }
                if (string.IsNullOrEmpty(text))
                {
                    return(false);
                }
                IntPtr intPtr     = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)ManualMap.RESOLVER_STUB.Length, 12288, 64);
                IntPtr lpAddress  = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(text + "\0"), 4);
                IntPtr lpAddress2 = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(string.Join("\0", list.ToArray()) + "\0"), 4);
                if (!intPtr.IsNull())
                {
                    byte[] array4 = (byte[])ManualMap.RESOLVER_STUB.Clone();
                    uint   num    = 0u;
                    BitConverter.GetBytes(ManualMap.FN_CREATEACTCTXA.Subtract(intPtr.Add(63L)).ToInt32()).CopyTo(array4, 59);
                    BitConverter.GetBytes(ManualMap.FN_ACTIVATEACTCTX.Subtract(intPtr.Add(88L)).ToInt32()).CopyTo(array4, 84);
                    BitConverter.GetBytes(ManualMap.FN_GETMODULEHANDLEA.Subtract(intPtr.Add(132L)).ToInt32()).CopyTo(array4, 128);
                    BitConverter.GetBytes(ManualMap.FN_LOADLIBRARYA.Subtract(intPtr.Add(146L)).ToInt32()).CopyTo(array4, 142);
                    BitConverter.GetBytes(ManualMap.FN_DEACTIVATEACTCTX.Subtract(intPtr.Add(200L)).ToInt32()).CopyTo(array4, 196);
                    BitConverter.GetBytes(ManualMap.FN_RELEASEACTCTX.Subtract(intPtr.Add(209L)).ToInt32()).CopyTo(array4, 205);
                    BitConverter.GetBytes(lpAddress.ToInt32()).CopyTo(array4, 31);
                    BitConverter.GetBytes(list.Count).CopyTo(array4, 40);
                    BitConverter.GetBytes(lpAddress2.ToInt32()).CopyTo(array4, 49);
                    if (WinAPI.WriteProcessMemory(hProcess, intPtr, array4, array4.Length, out num) && num == (uint)array4.Length)
                    {
                        uint num2 = WinAPI.RunThread(hProcess, intPtr, 0u, 5000);
                        result = (num2 != uint.MaxValue && num2 != 0u);
                    }
                    WinAPI.VirtualFreeEx(hProcess, lpAddress2, 0, 32768);
                    WinAPI.VirtualFreeEx(hProcess, lpAddress, 0, 32768);
                    WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768);
                }
            }
            return(result);
        }
예제 #2
0
        /*
         * Handles loading of all dependent modules. Iterates the IAT entries and attempts to load (using LoadLibrary) all
         * of the necessary modules for the main module to function. The manifest is extracted and activation contexts used to
         * ensure correct loading of Side-By-Side dependencies.
         */
        private static bool LoadDependencies(PortableExecutable image, IntPtr hProcess, int processId)
        {
            List <string> neededDependencies = new List <string>();
            string        curdep             = string.Empty;
            bool          success            = false;

            foreach (var desc in image.EnumImports())
            {
                if (image.ReadString(image.GetPtrFromRVA(desc.Name), SeekOrigin.Begin, out curdep) && !string.IsNullOrEmpty(curdep))
                {
                    if (GetRemoteModuleHandle(curdep, processId).IsNull())
                    {
                        neededDependencies.Add(curdep);
                    }
                }
            }

            if (neededDependencies.Count > 0) //do we actually need to load any new modules?
            {
                byte[] bManifest    = ExtractManifest(image);
                string pathManifest = string.Empty;

                if (bManifest == null) // no internal manifest, may be an external manifest or none at all?
                {
                    if (!string.IsNullOrEmpty(image.FileLocation) && File.Exists(Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest")))
                    {
                        pathManifest = Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest");
                    }
                    else // no internal or external manifest, presume no side-by-side dependencies.
                    {
                        var standard = InjectionMethod.Create(InjectionMethodType.Standard);
                        var results  = standard.InjectAll(neededDependencies.ToArray(), hProcess);

                        foreach (var result in results)
                        {
                            if (result.IsNull())
                            {
                                return(false); // failed to inject a dependecy, abort mission.
                            }
                        }
                        return(true); // done loading dependencies.
                    }
                }
                else
                {
                    pathManifest = Utils.WriteTempData(bManifest);
                }

                if (string.IsNullOrEmpty(pathManifest))
                {
                    return(false);
                }

                IntPtr pResolverStub = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)RESOLVER_STUB.Length, 0x1000 | 0x2000, 0x40);
                IntPtr pManifest     = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(pathManifest + "\0"), 0x04);
                IntPtr pModules      = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(string.Join("\0", neededDependencies.ToArray()) + "\0"), 0x04);

                if (!pResolverStub.IsNull())
                {
                    var  resolverStub = (byte[])RESOLVER_STUB.Clone();
                    uint nBytes       = 0;

                    // Call patching. Patch the empty function addresses with the runtime addresses.
                    BitConverter.GetBytes(FN_CREATEACTCTXA.Subtract(pResolverStub.Add(0x3F)).ToInt32()).CopyTo(resolverStub, 0x3B);
                    BitConverter.GetBytes(FN_ACTIVATEACTCTX.Subtract(pResolverStub.Add(0x58)).ToInt32()).CopyTo(resolverStub, 0x54);
                    BitConverter.GetBytes(FN_GETMODULEHANDLEA.Subtract(pResolverStub.Add(0x84)).ToInt32()).CopyTo(resolverStub, 0x80);
                    BitConverter.GetBytes(FN_LOADLIBRARYA.Subtract(pResolverStub.Add(0x92)).ToInt32()).CopyTo(resolverStub, 0x8E);
                    BitConverter.GetBytes(FN_DEACTIVATEACTCTX.Subtract(pResolverStub.Add(0xC8)).ToInt32()).CopyTo(resolverStub, 0xC4);
                    BitConverter.GetBytes(FN_RELEASEACTCTX.Subtract(pResolverStub.Add(0xD1)).ToInt32()).CopyTo(resolverStub, 0xCD);

                    // Parameter patching
                    BitConverter.GetBytes(pManifest.ToInt32()).CopyTo(resolverStub, 0x1F);
                    BitConverter.GetBytes(neededDependencies.Count).CopyTo(resolverStub, 0x28);
                    BitConverter.GetBytes(pModules.ToInt32()).CopyTo(resolverStub, 0x31);

                    if (WinAPI.WriteProcessMemory(hProcess, pResolverStub, resolverStub, resolverStub.Length, out nBytes) && nBytes == (uint)resolverStub.Length)
                    {
                        uint result = WinAPI.RunThread(hProcess, pResolverStub, 0, 5000);
                        success = (result != uint.MaxValue && result != 0);
                    }

                    // Cleanup
                    WinAPI.VirtualFreeEx(hProcess, pModules, 0, 0x8000);
                    WinAPI.VirtualFreeEx(hProcess, pManifest, 0, 0x8000);
                    WinAPI.VirtualFreeEx(hProcess, pResolverStub, 0, 0x8000);
                }
            }

            return(success);
        }
예제 #3
0
        private static bool LoadDependencies(JLibrary.PortableExecutable.PortableExecutable image, IntPtr hProcess, int processId)
        {
            List <string> list     = new List <string>();
            string        lpBuffer = string.Empty;
            bool          flag     = false;

            foreach (IMAGE_IMPORT_DESCRIPTOR image_import_descriptor in image.EnumImports())
            {
                if ((image.ReadString((long)image.GetPtrFromRVA(image_import_descriptor.Name), SeekOrigin.Begin, out lpBuffer, -1, null) && !string.IsNullOrEmpty(lpBuffer)) && GetRemoteModuleHandle(lpBuffer, processId).IsNull())
                {
                    list.Add(lpBuffer);
                }
            }
            if (list.Count > 0)
            {
                byte[] data = ExtractManifest(image);
                string str2 = string.Empty;
                if (data == null)
                {
                    if (string.IsNullOrEmpty(image.FileLocation) || !File.Exists(Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest")))
                    {
                        IntPtr[] ptrArray = InjectionMethod.Create(InjectionMethodType.Standard).InjectAll(list.ToArray(), hProcess);
                        foreach (IntPtr ptr in ptrArray)
                        {
                            if (ptr.IsNull())
                            {
                                return(false);
                            }
                        }
                        return(true);
                    }
                    str2 = Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest");
                }
                else
                {
                    str2 = Utils.WriteTempData(data);
                }
                if (string.IsNullOrEmpty(str2))
                {
                    return(false);
                }
                IntPtr ptr2      = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)RESOLVER_STUB.Length, 0x3000, 0x40);
                IntPtr lpAddress = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(str2 + "\0"), 4);
                IntPtr ptr4      = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(string.Join("\0", list.ToArray()) + "\0"), 4);
                if (!ptr2.IsNull())
                {
                    byte[] array = (byte[])RESOLVER_STUB.Clone();
                    uint   lpNumberOfBytesRead = 0;
                    BitConverter.GetBytes(FN_CREATEACTCTXA.Subtract(ptr2.Add(((long)0x3fL))).ToInt32()).CopyTo(array, 0x3b);
                    BitConverter.GetBytes(FN_ACTIVATEACTCTX.Subtract(ptr2.Add(((long)0x58L))).ToInt32()).CopyTo(array, 0x54);
                    BitConverter.GetBytes(FN_GETMODULEHANDLEA.Subtract(ptr2.Add(((long)0x84L))).ToInt32()).CopyTo(array, 0x80);
                    BitConverter.GetBytes(FN_LOADLIBRARYA.Subtract(ptr2.Add(((long)0x92L))).ToInt32()).CopyTo(array, 0x8e);
                    BitConverter.GetBytes(FN_DEACTIVATEACTCTX.Subtract(ptr2.Add(((long)200L))).ToInt32()).CopyTo(array, 0xc4);
                    BitConverter.GetBytes(FN_RELEASEACTCTX.Subtract(ptr2.Add(((long)0xd1L))).ToInt32()).CopyTo(array, 0xcd);
                    BitConverter.GetBytes(lpAddress.ToInt32()).CopyTo(array, 0x1f);
                    BitConverter.GetBytes(list.Count).CopyTo(array, 40);
                    BitConverter.GetBytes(ptr4.ToInt32()).CopyTo(array, 0x31);
                    if (WinAPI.WriteProcessMemory(hProcess, ptr2, array, array.Length, out lpNumberOfBytesRead) && (lpNumberOfBytesRead == array.Length))
                    {
                        uint num2 = WinAPI.RunThread(hProcess, ptr2, 0, 0x1388);
                        flag = (num2 != uint.MaxValue) && (num2 != 0);
                    }
                    WinAPI.VirtualFreeEx(hProcess, ptr4, 0, 0x8000);
                    WinAPI.VirtualFreeEx(hProcess, lpAddress, 0, 0x8000);
                    WinAPI.VirtualFreeEx(hProcess, ptr2, 0, 0x8000);
                }
            }
            return(flag);
        }