void EnumModules() { this.Text = "Modules from " + ProcessName + " whit PID=" + procid.ToString(); modules = ProcModule.GetModuleInfos(procid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { Graphics g = lvmodules.CreateGraphics(); Font objFont = new Font("Microsoft Sans Serif", 8); SizeF stringSize = new SizeF(); stringSize = g.MeasureString(modules[i].baseName, objFont); int processlenght = (int)(stringSize.Width + lvmodules.Margin.Horizontal * 2); if (processlenght > modulename.Width) { modulename.Width = processlenght; } string[] prcdetails = new string[] { modules[i].baseName, modules[i].baseOfDll.ToString("X8"), modules[i].sizeOfImage.ToString("X8"), modules[i].entryPoint.ToString("X8") }; ListViewItem proc = new ListViewItem(prcdetails); lvmodules.Items.Add(proc); } } }
static IntPtr CorBindToRuntimeExAddress() { ProcModule.ModuleInfo targetmscoree = null; ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos((int)processid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("mscoree.dll")) { targetmscoree = modules[i]; break; } } } if (targetmscoree == null || targetmscoree.baseOfDll == IntPtr.Zero) { return(IntPtr.Zero); } IntPtr CLRCreateInstanceAddress = IntPtr.Zero; if (hprocess != IntPtr.Zero) { int CLRCreateInstancerva = ExportTable.ProcGetExpAddress (hprocess, targetmscoree.baseOfDll, "CorBindToRuntimeEx"); if (CLRCreateInstancerva == 0) { return(IntPtr.Zero); } return((IntPtr)((long)targetmscoree.baseOfDll + (long)CLRCreateInstancerva)); } return(IntPtr.Zero); }
void HoockDetect() { textBox1.Text = "Detecting hooks for process whit the name " + ProcessName + " and PID=" + procid.ToString() + "\r\n"; byte[] Forread = new byte[0x500]; uint BytesRead = 0; int CompileAddress = 0; IntPtr processHandle = IntPtr.Zero; try { processHandle = OpenProcess(ProcessAccess.QueryInformation | ProcessAccess.VMRead, false, (uint)procid); } catch { } if (processHandle != IntPtr.Zero) { ProcModule.ModuleInfo targetmscorjit = null; ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos(procid); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("mscorjit")) { targetmscorjit = modules[i]; break; } } } if (targetmscorjit == null) { textBox1.Text = textBox1.Text + "Seems that the target process is not a .NET process!" + "\r\n"; } else { int getJitrva = ExportTable.ProcGetExpAddress(processHandle, targetmscorjit.baseOfDll, "getJit"); bool isok = false; isok = ReadProcessMemory(processHandle, (IntPtr)((long)targetmscorjit.baseOfDll + (long)getJitrva), Forread, (uint)Forread.Length, ref BytesRead); if (isok) { int count = 0; while (Forread[count] != 0x0C3) { count++; } long cmpointer = (long)targetmscorjit.baseOfDll + getJitrva + count + 1; textBox1.Text = textBox1.Text + "Pointer of compile method : " + cmpointer.ToString("X8") + "\r\n"; CompileAddress = BitConverter.ToInt32(Forread, count + 1); textBox1.Text = textBox1.Text + "Address of compile method is : " + CompileAddress.ToString("X8") + "\r\n"; if ((CompileAddress < (int)targetmscorjit.baseOfDll) || (CompileAddress > (int)targetmscorjit.baseOfDll + targetmscorjit.sizeOfImage)) { textBox1.Text = textBox1.Text + "Address of compile method changed!!!" + "\r\n"; } else { textBox1.Text = textBox1.Text + "Address of compile method seems to be the original one!" + "\r\n"; } } else { textBox1.Text = textBox1.Text + "Failed to read from selected process!" + "\r\n"; } ProcModule.CloseHandle(processHandle); } // end if is not .NET } else { textBox1.Text = textBox1.Text + "Failed to open selected process!" + "\r\n"; } }
void Button2Click(object sender, EventArgs e) { string filename = textBox1.Text; string enviroments = textBox2.Text; if (filename != "" && File.Exists(filename)) { int processflags = processflags = 0 | (int)ProcessCreationFlags.CREATE_SUSPENDED; IntPtr memptr = IntPtr.Zero; button2.Enabled = false; textBox3.Text = ""; GCHandle gchenv = new GCHandle(); if (enviroments.Length != 0) { if (enviroments.Length >= 3 && enviroments.Contains("=")) { textBox3.AppendText("Setting Environment Variables..."); try { char[] separator = "\r\n".ToCharArray(); string[] realvalues = enviroments.Split(separator); IntPtr newptr = memptr; bool unicode = false; if (Environment.OSVersion.Platform == PlatformID.Win32NT) { processflags = processflags | (int)ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT; unicode = true; } StringDictionary environmentVariables = new StringDictionary(); // add Environments of the parent to the child! foreach (System.Collections.DictionaryEntry entry in Environment.GetEnvironmentVariables()) { environmentVariables.Add((string)entry.Key, (string)entry.Value); } for (int i = 0; i < realvalues.Length; i++) { if (realvalues[i] != "" && realvalues[i].Contains("=")) { separator = "=".ToCharArray(); string[] currentvalue = realvalues[i].Split(separator); if (currentvalue[0] != "") { if (environmentVariables.ContainsKey(currentvalue[0])) { textBox3.AppendText("\r\n" + "The key whit the name " + currentvalue[0] + " is already on dictinonary!"); } else { environmentVariables.Add(currentvalue[0], currentvalue[1]); } } } } gchenv = GCHandle.Alloc(ToByteArray(environmentVariables, unicode), GCHandleType.Pinned); memptr = gchenv.AddrOfPinnedObject(); textBox3.AppendText("\r\n" + "Environment Variables setted!"); } catch (Exception exc) { textBox3.AppendText("\r\n" + exc.Message + "\r\n"); } } else { textBox3.AppendText("Invalid Environment Variables!" + "\r\n"); } } STARTUPINFO structure = new STARTUPINFO(); PROCESS_INFORMATION process_information = new PROCESS_INFORMATION(); IntPtr lpApplicationName = Marshal.StringToHGlobalUni(filename); try { CreateProcess(lpApplicationName, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0, processflags, memptr, IntPtr.Zero, ref structure, ref process_information); hprocess = process_information.hProcess; hcthread = process_information.hThread; cprocessid = process_information.dwProcessId; if (gchenv.IsAllocated) { gchenv.Free(); } textBox3.AppendText("\r\n" + "Process created"); if (checkBox1.Checked) { textBox3.AppendText(" on suspended mode"); button3.Enabled = true; } textBox3.AppendText("!" + "\r\n"); } catch (Exception ex3) { textBox3.AppendText("\r\n" + "Failed to start process whit the message" + ex3.Message + "\r\n"); return; } checktimer = new System.Windows.Forms.Timer(); checktimer.Interval = 30; checktimer.Enabled = true; checktimer.Tick += new System.EventHandler(CheckStatut); if (checkBox2.Checked) { ProcModule.ModuleInfo[] modules = null; for (int k = 0; k < 500; k++) // try it 500 times! { LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread); modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.ToLower().Contains("kernel32")) { targetkernel32 = modules[i]; break; } } } if (targetkernel32 != null) { break; } } if (targetkernel32 != null && targetkernel32.baseOfDll != IntPtr.Zero) { HookCreateProcess(targetkernel32.baseOfDll); } } if (checkBox3.Checked) { ProcModule.ModuleInfo[] modules = null; for (int k = 0; k < 50; k++) // try it 50 times! { LoopWhileModulesAreLoadedNt(process_information.dwProcessId, process_information.hThread); modules = ProcModule.GetModuleInfos((int)process_information.dwProcessId); if (modules != null && modules.Length > 0) { for (int i = 0; i < modules.Length; i++) { if (modules[i].baseName.Length > 10 && modules[i].baseName.ToLower().StartsWith("msvcr")) { targetMSVCR80 = modules[i]; break; } } } if (targetMSVCR80 != null) { break; } } if (targetMSVCR80 != null && targetMSVCR80.baseOfDll != IntPtr.Zero) { LogmemcpyInit(targetMSVCR80.baseOfDll); } } if (!checkBox1.Checked) { ResumeThread(process_information.hThread); } } else { textBox3.Text = "Please select a valid file!" + "\r\n"; } }