static IntPtr CorBindToRuntimeExAddress()
{
ProcModule.ModuleInfo targetmscoree = null;
ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos((int)processid);
if (modules != null && modules.Length > 0)
{
for (int i = 0; i < modules.Length; i++)
{
if (modules[i].baseName.ToLower().Contains("mscoree.dll"))
{
targetmscoree = modules[i];
break;
}
}
}
if (targetmscoree == null || targetmscoree.baseOfDll == IntPtr.Zero)
{
return(IntPtr.Zero);
}
IntPtr CLRCreateInstanceAddress = IntPtr.Zero;
if (hprocess != IntPtr.Zero)
{
int CLRCreateInstancerva = ExportTable.ProcGetExpAddress
(hprocess, targetmscoree.baseOfDll, "CorBindToRuntimeEx");
if (CLRCreateInstancerva == 0)
{
return(IntPtr.Zero);
}
return((IntPtr)((long)targetmscoree.baseOfDll + (long)CLRCreateInstancerva));
}
return(IntPtr.Zero);
}
void HoockDetect()
{
textBox1.Text = "Detecting hooks for process whit the name " + ProcessName + " and PID=" + procid.ToString() + "\r\n";
byte[] Forread = new byte[0x500];
uint BytesRead = 0;
int CompileAddress = 0;
IntPtr processHandle = IntPtr.Zero;
try
{
processHandle = OpenProcess(ProcessAccess.QueryInformation | ProcessAccess.VMRead, false, (uint)procid);
}
catch
{
}
if (processHandle != IntPtr.Zero)
{
ProcModule.ModuleInfo targetmscorjit = null;
ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos(procid);
if (modules != null && modules.Length > 0)
{
for (int i = 0; i < modules.Length; i++)
{
if (modules[i].baseName.ToLower().Contains("mscorjit"))
{
targetmscorjit = modules[i];
break;
}
}
}
if (targetmscorjit == null)
{
textBox1.Text = textBox1.Text + "Seems that the target process is not a .NET process!" + "\r\n";
}
else
{
int getJitrva = ExportTable.ProcGetExpAddress(processHandle, targetmscorjit.baseOfDll, "getJit");
bool isok = false;
isok = ReadProcessMemory(processHandle,
(IntPtr)((long)targetmscorjit.baseOfDll + (long)getJitrva), Forread, (uint)Forread.Length, ref BytesRead);
if (isok)
{
int count = 0;
while (Forread[count] != 0x0C3)
{
count++;
}
long cmpointer = (long)targetmscorjit.baseOfDll + getJitrva + count + 1;
textBox1.Text = textBox1.Text + "Pointer of compile method : " + cmpointer.ToString("X8") + "\r\n";
CompileAddress = BitConverter.ToInt32(Forread, count + 1);
textBox1.Text = textBox1.Text + "Address of compile method is : " + CompileAddress.ToString("X8") + "\r\n";
if ((CompileAddress < (int)targetmscorjit.baseOfDll) || (CompileAddress > (int)targetmscorjit.baseOfDll + targetmscorjit.sizeOfImage))
{
textBox1.Text = textBox1.Text + "Address of compile method changed!!!" + "\r\n";
}
else
{
textBox1.Text = textBox1.Text +
"Address of compile method seems to be the original one!" + "\r\n";
}
}
else
{
textBox1.Text = textBox1.Text + "Failed to read from selected process!" + "\r\n";
}
ProcModule.CloseHandle(processHandle);
} // end if is not .NET
}
else
{
textBox1.Text = textBox1.Text + "Failed to open selected process!" + "\r\n";
}
}
/*
* MSVCR80.memcpy:
* 78144FB0 55 PUSH EBP
* 78144FB1 8BEC MOV EBP,ESP
* 78144FB3 57 PUSH EDI
* 78144FB4 56 PUSH ESI
* 78144FB5 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
* 78144FB8 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
* 78144FBB 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
* 78144FBE 8BC1 MOV EAX,ECX
*
* for finding right one: n should be >= size of one page:
* 00D40004 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
* 00D40007 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
* 00D4000A 817D 10 00100000 CMP DWORD PTR SS:[EBP+10],1000
* 00D40011 7D 01 JGE SHORT 00D40014
* 00D40013 C3 RETN
* ; do my code!
*
*
*/
public void LogmemcpyInit(IntPtr MSVCR80base)
{
if (cprocessid == 0 || hprocess == IntPtr.Zero)
{
return;
}
int memcpyRva = ExportTable.ProcGetExpAddress(
hprocess, MSVCR80base, "memcpy");
if (memcpyRva == 0)
{
return;
}
byte[] Forread = new byte[0x50];
uint BytesRead = 0;
if (!ReadProcessMemory(hprocess, (IntPtr)((long)MSVCR80base + (long)memcpyRva), Forread, 0x50, ref BytesRead))
{
return;
}
int count = 0;
while (count < Forread.Length)
{
if (Forread[count] == 0x8B && Forread[count + 1] < 0x80)
{
break;
}
count++;
}
byte[] oldbytes = new byte[6];
for (int i = 0; i < oldbytes.Length; i++)
{
oldbytes[i] = Forread[count + i];
}
// alocate memory for hook:
VirtualAlloc3 = VirtualAllocEx(hprocess, IntPtr.Zero, 512, AllocationType.Commit, MemoryProtection.ReadWrite);
if (VirtualAlloc3 == IntPtr.Zero)
{
return;
}
// write old bytes under my code cave!
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + 4), oldbytes, (uint)oldbytes.Length, out BytesRead);
byte[] mycode = new byte[]
{ 0x81, 0x7D, 0x10, 0x00, 0x20, 0x00, 0x00, 0x7D, 0x01, 0xC3 };
// write my code:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + oldbytes.Length + 4), mycode, (uint)mycode.Length, out BytesRead);
// body of first hook:
byte[] hoockbody = new byte[]
{ 0x89, 0x2D, 0x34, 0x32, 0x24, 0x00,
0xEB, 0xFE,
0x90, 0x90,
0x0C3 };
byte[] fixer = BitConverter.GetBytes((int)VirtualAlloc3);
for (int k = 0; k < fixer.Length; k++)
{
hoockbody[k + 2] = fixer[k];
}
// write hoock body:
WriteProcessMemory(hprocess, (IntPtr)((long)VirtualAlloc3 + mycode.Length + oldbytes.Length + 4), hoockbody, (uint)hoockbody.Length, out BytesRead);
// jump to my hoock3:
int jumptomyhook3 = (int)VirtualAlloc3 + 4 - (int)MSVCR80base - memcpyRva - count - 5;
byte[] jumpbytes = BitConverter.GetBytes(jumptomyhook3);
oldbytes[0] = 0xE8; // E8 = call
oldbytes[5] = 0x90; // last byte nop
for (int i = 0; i < 4; i++)
{
oldbytes[i + 1] = jumpbytes[i];
}
WriteProcessMemory(hprocess, (IntPtr)((long)MSVCR80base + (long)memcpyRva + count), oldbytes, (uint)oldbytes.Length, out BytesRead);
textBox3.AppendText("Logging memcpy enabled!" + "\r\n");
}
public void HookCreateProcess(IntPtr kernelbase)
{
if (cprocessid == 0 || hprocess == IntPtr.Zero)
{
return;
}
int CreateProcessWRva = ExportTable.ProcGetExpAddress(
hprocess, kernelbase, "CreateProcessW");
int CreateProcessARva = ExportTable.ProcGetExpAddress(
hprocess, kernelbase, "CreateProcessA");
if (CreateProcessWRva == 0 || CreateProcessARva == 0)
{
return;
}
IntPtr CreateProcessWPatch1 = IntPtr.Zero;
IntPtr CreateProcessAPatch2 = IntPtr.Zero;
int tobecalled1 = 0;
int tobecalled2 = 0;
byte[] Forread = new byte[0x500];
uint BytesRead = 0;
if (!ReadProcessMemory(hprocess, (IntPtr)((long)kernelbase + (long)CreateProcessWRva), Forread, (uint)0x500, ref BytesRead))
{
return;
}
int count = 0;
while (count < Forread.Length)
{
if (Forread[count] == 0x0E8)
{
break;
}
count++;
}
long CreateProcessWcall = (long)kernelbase + (long)CreateProcessWRva + count;
tobecalled1 = BitConverter.ToInt32(Forread, count + 1);
tobecalled1 = tobecalled1 + (int)CreateProcessWcall + 5;
CreateProcessWPatch1 = (IntPtr)(CreateProcessWcall + 1);
if (!ReadProcessMemory(hprocess, (IntPtr)((long)kernelbase + (long)CreateProcessARva), Forread, (uint)0x500, ref BytesRead))
{
return;
}
count = 0;
while (count < Forread.Length)
{
if (Forread[count] == 0x0E8)
{
break;
}
count++;
}
long CreateProcessAcall = (long)kernelbase + (long)CreateProcessARva + count;
tobecalled2 = BitConverter.ToInt32(Forread, count + 1);
tobecalled2 = tobecalled2 + (int)CreateProcessAcall + 5;
CreateProcessAPatch2 = (IntPtr)(CreateProcessAcall + 1);
// alocate memory for hooks:
VirtualAlloc1 = VirtualAllocEx(hprocess, IntPtr.Zero, 512, AllocationType.Commit, MemoryProtection.ReadWrite);
VirtualAlloc2 = VirtualAllocEx(hprocess, IntPtr.Zero, 512, AllocationType.Commit, MemoryProtection.ReadWrite);
if (VirtualAlloc1 == IntPtr.Zero || VirtualAlloc2 == IntPtr.Zero)
{
return;
}
IntPtr bodyPlace1 = (IntPtr)((long)VirtualAlloc1 + 4);
IntPtr bodyPlace2 = (IntPtr)((long)VirtualAlloc2 + 4);
// body of first hook:
byte[] hoockbody = new byte[] {
0x89, 0x25, 0x34, 0x32, 0x24, 0x00,
0xEB, 0xFE,
0x90, 0x90,
0xBE, 0x35, 0x45, 0x53, 0x43,
0xFF, 0xE6
};
byte[] fixer = BitConverter.GetBytes((int)VirtualAlloc1);
for (int k = 0; k < fixer.Length; k++)
{
hoockbody[k + 2] = fixer[k];
}
fixer = BitConverter.GetBytes(tobecalled1);
for (int k = 0; k < fixer.Length; k++)
{
hoockbody[k + 11] = fixer[k];
}
WriteProcessMemory(hprocess, bodyPlace1, hoockbody, (uint)hoockbody.Length, out BytesRead);
// body of second hook:
fixer = BitConverter.GetBytes((int)VirtualAlloc2);
for (int k = 0; k < fixer.Length; k++)
{
hoockbody[k + 2] = fixer[k];
}
fixer = BitConverter.GetBytes(tobecalled2);
for (int k = 0; k < fixer.Length; k++)
{
hoockbody[k + 11] = fixer[k];
}
WriteProcessMemory(hprocess, bodyPlace2, hoockbody, (uint)hoockbody.Length, out BytesRead);
// jump to my hoock1:
int jumptomyhook1 = (int)bodyPlace1 - (int)CreateProcessWcall - 5;
byte[] jumpbytes = BitConverter.GetBytes(jumptomyhook1);
WriteProcessMemory(hprocess, CreateProcessWPatch1, jumpbytes, (uint)jumpbytes.Length, out BytesRead);
// jump to my hoock2:
int jumptomyhook2 = (int)bodyPlace2 - (int)CreateProcessAcall - 5;
jumpbytes = BitConverter.GetBytes(jumptomyhook2);
WriteProcessMemory(hprocess, CreateProcessAPatch2, jumpbytes, (uint)jumpbytes.Length, out BytesRead);
textBox3.AppendText("CreateProcess hoocked!" + "\r\n");
}