private static string[] TestGetProcessWorkingDirectory(string image)
{
List <string> ret = new List <string>();
Process[] ps = Process.GetProcessesByName(image);
foreach (Process p in ps)
{
Console.WriteLine($"{p.ProcessName} pid: {p.Id}");
IntPtr handle = OpenProcess(p, ProcessAccessFlags.All);
IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size);
IntPtr outLong = Marshal.AllocHGlobal(sizeof(long));
Console.WriteLine($"handle: {handle}");
int _ = NtQueryInformationProcess(handle, 0,
pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong);
if (_ != 0)
{
Console.WriteLine($"Error {ret}");
break;
}
PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi);
Console.WriteLine($"peb: {pbi.PebBaseAddress}");
IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size);
ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong);
PEB peb = Marshal.PtrToStructure <PEB>(pPeb);
IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size);
ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong);
RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp);
IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2);
RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2);
ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong);
string cwd = Marshal.PtrToStringUni(pStr);
if (!String.IsNullOrEmpty(cwd))
{
ret.Add(cwd);
}
Console.WriteLine($"cwd: {cwd}");
CloseHandle(handle);
Console.WriteLine();
}
return(ret.ToArray());
}
private static List <string> GetProcessWorkingDirectoriesByImageName(string image)
{
List <string> result = new List <string>();
Process[] ps = Process.GetProcessesByName(image);
foreach (Process p in ps)
{
IntPtr handle = OpenProcess(p);
IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size);
IntPtr outLong = Marshal.AllocHGlobal(sizeof(long));
int ret = NtQueryInformationProcess(handle, 0,
pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong);
if (ret != 0)
{
continue;
}
PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi);
IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size);
ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong);
PEB peb = Marshal.PtrToStructure <PEB>(pPeb);
IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size);
ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong);
RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp);
IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2);
RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2);
ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong);
string cwd = Marshal.PtrToStringUni(pStr);
if (!String.IsNullOrEmpty(cwd))
{
result.Add(cwd);
}
CloseHandle(handle);
}
return(result);
}
public static bool Apply(IntPtr hProcess, string path = null, string cmdLine = null, string CurrentDirectoryPath = null)
{
if (hProcess == null ||
hProcess == IntPtr.Zero)
{
return(false);
}
try
{
// default Varametrs
uint len;
// get PROCESS_BASIC_INFORMATION
var info = new PROCESS_BASIC_INFORMATION();
NtQueryInformationProcess(hProcess, 0, out info, (uint)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out len);
// get PROCESS_BASIC_INFORMATION
var peb = new PEB();
ReadProcessMemory(hProcess, info.PebBaseAddress, (IntPtr)(&peb), (uint)Marshal.SizeOf(typeof(PEB)), out len);
// get RTL_USER_PROCESS_PARAMETERS
var psParam = new RTL_USER_PROCESS_PARAMETERS();
ReadProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len);
// patch
WriStr(hProcess, ref psParam.ImagePathName, path);
WriStr(hProcess, ref psParam.CommandLine, cmdLine);
WriStr(hProcess, ref psParam.CurrentDirectoryPath, CurrentDirectoryPath);
// reflecet Changes
return
(WriteProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len));
}
catch (Exception)
{
return(false);
}
}
public static bool MasqueradePEB(string masqBinary)
{
string Arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
// Retrieve information about the specified process
int dwPID = Process.GetCurrentProcess().Id;
IntPtr procHandle = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead | ProcessAccessFlags.VirtualMemoryWrite | ProcessAccessFlags.VirtualMemoryOperation, false, dwPID);
_PROCESS_BASIC_INFORMATION pbi = new _PROCESS_BASIC_INFORMATION();
IntPtr pbiPtr = StructureToPtr(pbi);
int returnLength = 0;
int status = NtQueryInformationProcess(procHandle, 0, pbiPtr, Marshal.SizeOf(pbi), ref returnLength);
if (status != 0)
{
return(false);
}
pbi = PtrToStructure <_PROCESS_BASIC_INFORMATION>(pbiPtr);
Console.WriteLine("[+] Process ID is: {0}", pbi.UniqueProcessId);
// Read pbi PebBaseAddress into PEB Structure
IntPtr lpNumberOfBytesRead = IntPtr.Zero;
_PEB peb = new _PEB();
IntPtr pebPtr = StructureToPtr(peb);
if (!ReadProcessMemory(procHandle, pbi.PebBaseAddress, pebPtr, Marshal.SizeOf(peb), out lpNumberOfBytesRead))
{
return(false);
}
peb = PtrToStructure <_PEB>(pebPtr);
// Read peb ProcessParameters into RTL_USER_PROCESS_PARAMETERS Structure
RTL_USER_PROCESS_PARAMETERS upp = new RTL_USER_PROCESS_PARAMETERS();
IntPtr uppPtr = StructureToPtr(upp);
if (!ReadProcessMemory(procHandle, peb.ProcessParameters, uppPtr, Marshal.SizeOf(upp), out lpNumberOfBytesRead))
{
return(false);
}
upp = PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(uppPtr);
// Read Ldr Address into PEB_LDR_DATA Structure
_PEB_LDR_DATA pld = new _PEB_LDR_DATA();
IntPtr pldPtr = StructureToPtr(pld);
if (!ReadProcessMemory(procHandle, peb.Ldr, pldPtr, Marshal.SizeOf(pld), out lpNumberOfBytesRead))
{
return(false);
}
pld = PtrToStructure <_PEB_LDR_DATA>(pldPtr);
// Change Current Working Directory and Window title
Directory.SetCurrentDirectory(Environment.SystemDirectory);
// Set the Title of the Window
SetWindowText(Process.GetCurrentProcess().MainWindowHandle, masqBinary);
// Let's overwrite UNICODE_STRING structs in memory
// Take ownership of PEB
RtlEnterCriticalSection(peb.FastPebLock);
// Masquerade ImagePathName and CommandLine
IntPtr ImagePathNamePtr = IntPtr.Zero;
IntPtr CommandLinePtr = IntPtr.Zero;
if (Arch == "AMD64")
{
ImagePathNamePtr = new IntPtr(peb.ProcessParameters.ToInt64() + 0x60);
CommandLinePtr = new IntPtr(peb.ProcessParameters.ToInt64() + 0x70);
}
else
{
ImagePathNamePtr = new IntPtr(peb.ProcessParameters.ToInt32() + 0x38);
CommandLinePtr = new IntPtr(peb.ProcessParameters.ToInt32() + 0x40);
}
if (!RtlInitUnicodeString(procHandle, ImagePathNamePtr, "ImagePathName", masqBinary))
{
return(false);
}
if (!RtlInitUnicodeString(procHandle, CommandLinePtr, "CommandLine", masqBinary))
{
return(false);
}
// Masquerade FullDllName and BaseDllName
StringBuilder wModuleFileName = new StringBuilder(255);
GetModuleFileName(IntPtr.Zero, wModuleFileName, wModuleFileName.Capacity);
string wExeFileName = wModuleFileName.ToString();
string wFullDllName = null;
_PEB_LDR_DATA StartModule = (_PEB_LDR_DATA)Marshal.PtrToStructure(peb.Ldr, typeof(_PEB_LDR_DATA));
IntPtr pStartModuleInfo = StartModule.InLoadOrderModuleList.Flink;
IntPtr pNextModuleInfo = pld.InLoadOrderModuleList.Flink;
do
{
// Read InLoadOrderModuleList.Flink Address into LDR_DATA_TABLE_ENTRY Structure
_LDR_DATA_TABLE_ENTRY ldte = (_LDR_DATA_TABLE_ENTRY)Marshal.PtrToStructure(pNextModuleInfo, typeof(_LDR_DATA_TABLE_ENTRY));
IntPtr FullDllNamePtr = IntPtr.Zero;
IntPtr BaseDllNamePtr = IntPtr.Zero;
if (Arch == "AMD64")
{
FullDllNamePtr = new IntPtr(pNextModuleInfo.ToInt64() + 0x48);
BaseDllNamePtr = new IntPtr(pNextModuleInfo.ToInt64() + 0x58);
}
else
{
FullDllNamePtr = new IntPtr(pNextModuleInfo.ToInt32() + 0x24);
BaseDllNamePtr = new IntPtr(pNextModuleInfo.ToInt32() + 0x2C);
}
// Read FullDllName into string
wFullDllName = ldte.FullDllName.ToString();
if (wExeFileName == wFullDllName)
{
if (!RtlInitUnicodeString(procHandle, FullDllNamePtr, "FullDllName", masqBinary))
{
return(false);
}
if (!RtlInitUnicodeString(procHandle, BaseDllNamePtr, "BaseDllName", masqBinary))
{
return(false);
}
break;
}
pNextModuleInfo = ldte.InLoadOrderLinks.Flink;
} while (pNextModuleInfo != pStartModuleInfo);
//Release ownership of PEB
RtlLeaveCriticalSection(peb.FastPebLock);
// Release Process Handle
CloseHandle(procHandle);
return(true);
}
