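/// <summary>
/// Writes a minidump to <paramref name="fileName"/>.
/// <para>
/// NOTE(review): although <paramref name="processId"/> is opened (and, on failure, its
/// DACL is rewritten so that it can be opened), the dump itself is taken with
/// <c>GetCurrentProcess()</c>/<c>GetCurrentProcessId()</c>, i.e. of the calling process.
/// The opened handle is only used as an access probe; this is left as the original
/// author wrote it. The original also never closed that handle — fixed here.
/// </para>
/// </summary>
/// <param name="processId">Process id that is opened before dumping.</param>
/// <param name="fileName">Destination file; created/truncated, opened exclusively.</param>
/// <param name="dumpTyp">MINIDUMP_TYPE flags, cast to <c>uint</c> for the native call.</param>
/// <returns><c>false</c> if the process could not be opened, otherwise the result of <c>MiniDumpWriteDump</c>.</returns>
/// <exception cref="System.IO.IOException">Propagated from creating <paramref name="fileName"/>.</exception>
public static bool WriteDump(uint processId, string fileName, DType dumpTyp)
{
    var fullAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION
                   | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE;

    IntPtr hProcess = OpenProcess(fullAccess, 0, processId);
    if (hProcess == IntPtr.Zero)
    {
        // Fallback: copy the caller's own process DACL onto the target (needs only
        // WRITE_DAC = 0x40000) and retry with full access.
        // NOTE(review): the rewritten DACL is never restored, so the target process keeps
        // the caller's DACL after this call returns. pSecDesc is never LocalFree'd.
        // The (int) casts on handles truncate on 64-bit — presumably an x86-only build.
        IntPtr pDACL, pSecDesc;
        GetSecurityInfo((int)Process.GetCurrentProcess().Handle, /*SE_KERNEL_OBJECT*/ 6,
                        /*DACL_SECURITY_INFORMATION*/ 4, 0, 0, out pDACL, IntPtr.Zero, out pSecDesc);

        IntPtr hWriteDac = OpenProcess(0x40000, 0, processId);
        if (hWriteDac != IntPtr.Zero)
        {
            // Guarded: the original called SetSecurityInfo even when this open failed.
            SetSecurityInfo((int)hWriteDac, /*SE_KERNEL_OBJECT*/ 6,
                            /*DACL_SECURITY_INFORMATION*/ 4 | /*UNPROTECTED_DACL_SECURITY_INFORMATION*/ 0x20000000,
                            0, 0, pDACL, IntPtr.Zero);
            ProcModule.CloseHandle(hWriteDac);
        }

        hProcess = OpenProcess(fullAccess, 0, processId);
    }

    if (hProcess == IntPtr.Zero)
    {
        return false;
    }

    try
    {
        using (var fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create,
                                                 System.IO.FileAccess.Write, System.IO.FileShare.None))
        {
            MiniDumpExceptionInformation exp;
            exp.ThreadId = GetCurrentThreadId();
            exp.ClientPointers = false;
            // Outside an exception handler this is normally IntPtr.Zero; kept as in the original.
            exp.ExceptioonPointers = System.Runtime.InteropServices.Marshal.GetExceptionPointers();

            // The handle stays valid for the native call because fs is alive until the using ends.
            return MiniDumpWriteDump(
                GetCurrentProcess(),
                GetCurrentProcessId(),
                fs.SafeFileHandle.DangerousGetHandle(),
                (uint)dumpTyp,
                ref exp,
                IntPtr.Zero,
                IntPtr.Zero);
        }
    }
    finally
    {
        // Previously leaked on every path.
        ProcModule.CloseHandle(hProcess);
    }
}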
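/// <summary>
/// Hook check for the selected process: locates the exported <c>getJit</c> of the
/// mscorjit module, reads up to 0x500 bytes from it, takes the 32-bit value that follows
/// the first 0xC3 (ret) byte as the compile-method pointer and reports whether that
/// pointer still lies inside the mscorjit image. Results are appended to <c>textBox1</c>.
/// <para>
/// Fixes over the original: the 0xC3 scan and the 4-byte read that follows it are bounded
/// by the buffer (the original could run past the end of <c>Forread</c>); the process
/// handle is closed on every path (it was leaked when the target was not a .NET process);
/// the module-name match is ordinal-case-insensitive instead of culture-sensitive
/// <c>ToLower()</c> (which breaks on "i" under e.g. the Turkish culture).
/// </para>
/// </summary>
void HoockDetect()
{
    textBox1.Text = "Detecting hooks for process whit the name " + ProcessName + " and PID=" + procid.ToString() + "\r\n";

    byte[] Forread = new byte[0x500];
    uint BytesRead = 0;
    int CompileAddress = 0;
    IntPtr processHandle = IntPtr.Zero;

    try
    {
        processHandle = OpenProcess(ProcessAccess.QueryInformation | ProcessAccess.VMRead, false, (uint)procid);
    }
    catch
    {
        // Best-effort: a failing P/Invoke is reported below as a failed open.
    }

    if (processHandle == IntPtr.Zero)
    {
        textBox1.Text = textBox1.Text + "Failed to open selected process!" + "\r\n";
        return;
    }

    try
    {
        // Find the JIT module of the target; its absence is taken as "not a .NET process".
        ProcModule.ModuleInfo targetmscorjit = null;
        ProcModule.ModuleInfo[] modules = ProcModule.GetModuleInfos(procid);
        if (modules != null)
        {
            foreach (ProcModule.ModuleInfo module in modules)
            {
                if (module.baseName.IndexOf("mscorjit", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    targetmscorjit = module;
                    break;
                }
            }
        }

        if (targetmscorjit == null)
        {
            textBox1.Text = textBox1.Text + "Seems that the target process is not a .NET process!" + "\r\n";
            return;
        }

        int getJitrva = ExportTable.ProcGetExpAddress(processHandle, targetmscorjit.baseOfDll, "getJit");
        bool isok = ReadProcessMemory(
            processHandle,
            (IntPtr)((long)targetmscorjit.baseOfDll + (long)getJitrva),
            Forread,
            (uint)Forread.Length,
            ref BytesRead);

        if (!isok)
        {
            textBox1.Text = textBox1.Text + "Failed to read from selected process!" + "\r\n";
            return;
        }

        // Scan for the first 0xC3 (ret) byte, but never beyond the buffer.
        int count = 0;
        while (count < Forread.Length && Forread[count] != 0xC3)
        {
            count++;
        }

        // Need the ret byte plus 4 bytes after it for the pointer read below.
        if (count + 1 + sizeof(int) > Forread.Length)
        {
            textBox1.Text = textBox1.Text + "Could not locate the compile method pointer in getJit!" + "\r\n";
            return;
        }

        long cmpointer = (long)targetmscorjit.baseOfDll + getJitrva + count + 1;
        textBox1.Text = textBox1.Text + "Pointer of compile method : " + cmpointer.ToString("X8") + "\r\n";

        CompileAddress = BitConverter.ToInt32(Forread, count + 1);
        textBox1.Text = textBox1.Text + "Address of compile method is : " + CompileAddress.ToString("X8") + "\r\n";

        // A compile-method pointer outside the mscorjit image is reported as a hook.
        bool outsideImage = (CompileAddress < (int)targetmscorjit.baseOfDll)
                         || (CompileAddress > (int)targetmscorjit.baseOfDll + targetmscorjit.sizeOfImage);
        if (outsideImage)
        {
            textBox1.Text = textBox1.Text + "Address of compile method changed!!!" + "\r\n";
        }
        else
        {
            textBox1.Text = textBox1.Text + "Address of compile method seems to be the original one!" + "\r\n";
        }
    }
    finally
    {
        // Closed on every path; the original only closed it in the ".NET process" branch.
        ProcModule.CloseHandle(processHandle);
    }
}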
/// <summary>
/// Runs a managed method inside the process identified by the static <c>processid</c>:
/// allocates remote memory for the CLSID/IID, the string arguments and a small stub,
/// writes the stub built with <c>InlineASM</c> (CorBindToRuntimeEx, then the host's
/// Start and ExecuteInDefaultAppDomain through its vtable) and starts it with
/// CreateRemoteThread. 32-bit only: pointer slots are 4 bytes and the stub is x86.
/// <para>
/// NOTE(review): <paramref name="Version"/> is never used — the stub pushes 0 for the
/// runtime-version argument. The wait on <c>hThread</c> is commented out, so
/// <c>GetExitCodeThread</c> is queried immediately and <c>retcode</c> is never read.
/// <c>hThread</c> is never closed, <c>hprocess</c> is leaked on the early return, and
/// no VirtualAllocEx / WriteProcessMemory result is checked before the thread is started.
/// </para>
/// </summary>
/// <param name="AssemblyPath">Path of the assembly to load in the target.</param>
/// <param name="TypeName">Type containing the method.</param>
/// <param name="MethodName">Method to execute.</param>
/// <param name="Args">Single string argument passed to the method.</param>
/// <param name="Version">Unused (see remarks above).</param>
public static void HostCLR_RunMethod(String AssemblyPath, String TypeName, String MethodName, String Args, String Version)
{
    hprocess = ProcModule.OpenProcess(ProcModule.PROCESS_QUERY_INFORMATION | ProcModule.PROCESS_VM_OPERATION | ProcModule.PROCESS_VM_WRITE | ProcModule.PROCESS_VM_READ | ProcModule.PROCESS_CREATE_THREAD, 0, (uint)processid);
    IntPtr CorBindToRuntimeExPtr = CorBindToRuntimeExAddress();
    uint BytesRead = 0;

    // Remote allocations. Only the stub is executable; everything else is read/write.
    // NOTE(review): the CLSID buffer is sized Length * 4 while the IID buffer is sized Length —
    // the write below copies exactly Length bytes into each, so the *4 looks accidental.
    IntPtr codeCave_Code = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 500, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ExecuteReadWrite);
    IntPtr CLSID_CLRRuntimeHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)CLSID_CLRRuntimeHost.Length * 4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr IID_ICLRRuntimeHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)IID_ICLRRuntimeHost.Length, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    // 4-byte slot that receives the ICLRRuntimeHost* (x86 pointer size).
    IntPtr ClrHostPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 04, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    // 4-byte slot for the DWORD return value of ExecuteInDefaultAppDomain; never read back.
    IntPtr dwRetPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x4, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    // Strings are written as UTF-16 with a terminating NUL: (Length * 2) + 2 bytes each.
    IntPtr AssemblyPathPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(AssemblyPath.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr TypeNamePtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(TypeName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr MethodNamePtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(MethodName.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr ArgsPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, (uint)(Args.Length * 2 + 2), ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);
    IntPtr BuildFlavorPtr = ProcModule.VirtualAllocEx(hprocess, IntPtr.Zero, 0x10, ProcModule.AllocationType.Commit, ProcModule.MemoryProtection.ReadWrite);

    ProcModule.WriteProcessMemory(hprocess, CLSID_CLRRuntimeHostPtr, CLSID_CLRRuntimeHost, (uint)CLSID_CLRRuntimeHost.Length, out BytesRead);
    ProcModule.WriteProcessMemory(hprocess, IID_ICLRRuntimeHostPtr, IID_ICLRRuntimeHost, (uint)IID_ICLRRuntimeHost.Length, out BytesRead);
    WriteUnicodeString(BuildFlavorPtr, "wks");
    WriteUnicodeString(AssemblyPathPtr, AssemblyPath);
    WriteUnicodeString(TypeNamePtr, TypeName);
    WriteUnicodeString(MethodNamePtr, MethodName);
    WriteUnicodeString(ArgsPtr, Args);

    // Stub: arguments are pushed right-to-left (stdcall). The two PushByte(0) calls are the
    // startup-flags and the runtime-version arguments, so Version is not forwarded.
    InlineASM inline = new InlineASM();
    inline.PushOffset(ClrHostPtr);
    inline.PushOffset(IID_ICLRRuntimeHostPtr);
    inline.PushOffset(CLSID_CLRRuntimeHostPtr);
    inline.PushByte(0);
    inline.PushOffset(BuildFlavorPtr);
    inline.PushByte(0);
    inline.MovEaxValue(CorBindToRuntimeExPtr);
    inline.CallEax(); // call CorBindToRuntimeEx
    // vtable slot at 0x0C of the returned interface: Start().
    inline.MovEaxDwordPtr(ClrHostPtr);
    inline.MovEcxDwordPtrEax();
    inline.MovEdxDwordPtrEcxOffset(0x0C);
    inline.PushEax();
    inline.CallEdx(); // pClrHost->Start();
    // vtable slot at 0x2C: ExecuteInDefaultAppDomain(path, type, method, args, &dwRet).
    inline.PushOffset(dwRetPtr);
    inline.PushOffset(ArgsPtr);
    inline.PushOffset(MethodNamePtr);
    inline.PushOffset(TypeNamePtr);
    inline.PushOffset(AssemblyPathPtr);
    inline.MovEaxDwordPtr(ClrHostPtr);
    inline.MovEcxDwordPtrEax();
    inline.PushEax();
    inline.MovEaxDwordPtrEcxOffset(0x2C);
    inline.CallEax(); // pClrHost->ExecuteInDefaultAppDomain
    inline.Retn();

    ProcModule.WriteProcessMemory(hprocess, codeCave_Code, inline.asm, (uint)inline.asm.Length, out BytesRead);
    IntPtr hThread = ProcModule.CreateRemoteThread(hprocess, IntPtr.Zero, 0, codeCave_Code, IntPtr.Zero, 0, IntPtr.Zero);
    /*
     * if (ProcModule.WaitForSingleObject(hThread,uint.MaxValue)!=0)
     * {
     *     return;
     * }
     */
    // Without the wait above this normally observes a still-running thread; retcode is unused.
    IntPtr retcode = IntPtr.Zero;
    if (!ProcModule.GetExitCodeThread(hThread, out retcode))
    {
        return; // NOTE(review): hprocess (and hThread) leak on this path.
    }
    ProcModule.CloseHandle(hprocess);
}
/// <summary>
/// Dumps the module selected in <c>lvmodules</c> from process <c>procid</c> to
/// "&lt;DirName&gt;\Dumps\&lt;module name&gt;": reads the PE headers from the target,
/// copies each section (whole section first, 512-byte pieces if that fails), optionally
/// rewrites SizeOfRawData/PointerToRawData from the virtual layout, and for images that
/// import mscoree.dll's _CorExeMain/_CorDllMain repairs the import thunk and, if the
/// entry point looks invalid, the entry point. 32-bit PE only (addresses are uint,
/// section headers are read at PE + 0xF8, i.e. IMAGE_NT_HEADERS32).
/// Reports the outcome in <c>label2</c>.
/// <para>
/// NOTE(review): <c>hProcess</c> is never closed. The <c>"C:\\"</c> fallback is dead —
/// <c>newdirname</c> is overwritten with <c>Path.Combine(DirName, "Dumps")</c> right
/// after it. <c>moduleName</c> comes from the target process's module list and is
/// concatenated into the output path unchanged; a name containing separators would
/// change the destination directory (consider <c>Path.GetFileName</c>). The broad
/// <c>catch { }</c> around the header parse leaves <c>Dump</c> null while
/// <c>nrofsection</c> may already be set, which would NRE in the section loop — confirm.
/// </para>
/// </summary>
void DumpModule()
{
    IntPtr hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, (uint)procid);
    if (hProcess == IntPtr.Zero)
    {
        // Fallback: copy this process's DACL onto the target via WRITE_DAC (0x40000) and retry.
        // NOTE(review): the DACL change is never reverted; pSecDesc is never freed;
        // the (int) handle casts truncate on 64-bit.
        IntPtr pDACL, pSecDesc;
        GetSecurityInfo((int)Process.GetCurrentProcess().Handle, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4, 0, 0, out pDACL, IntPtr.Zero, out pSecDesc);
        hProcess = OpenProcess(0x40000, 0, (uint)procid);
        SetSecurityInfo((int)hProcess, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4 | /*UNPROTECTED_DACL_SECURITY_INFORMATION*/ 0x20000000, 0, 0, pDACL, IntPtr.Zero);
        ProcModule.CloseHandle(hProcess);
        hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, (uint)procid);
    }
    if (hProcess != IntPtr.Zero)
    {
        // Output directory. The "C:\\" fallback has no effect (see summary).
        string newdirname = DirName;
        if (DirName.Length < 2 || !Directory.Exists(DirName))
        {
            newdirname = "C:\\";
        }
        newdirname = Path.Combine(DirName, "Dumps");
        System.IO.Directory.CreateDirectory(newdirname);

        // Selected module: column 1 is the hex image base, column 0 the name.
        int ImageBase = System.Convert.ToInt32(lvmodules.Items[lvmodules.SelectedIndices[0]].SubItems[1].Text, 16);
        string moduleName = lvmodules.Items[lvmodules.SelectedIndices[0]].SubItems[0].Text;
        bool isok;

        // Page size, defaulting to 4 KiB; used as the header read size.
        uint speed = 0x1000;
        try
        {
            SYSTEM_INFO pSI = new SYSTEM_INFO();
            GetSystemInfo(ref pSI);
            speed = pSI.dwPageSize;
        }
        catch
        {
        }
        byte[] bigMem = new byte[speed]; // unused
        byte[] InfoKeep = new byte[8];
        uint BytesRead = 0;
        int nrofsection = 0;
        byte[] Dump = null;      // the rebuilt file image
        byte[] Partkeep = null;  // scratch buffer for one section / small reads
        int filealignment = 0;
        int rawaddress;
        int address = 0;
        int offset = 0;          // running file offset (also the number of bytes written out)
        bool ShouldFixrawsize = false;

        // e_lfanew at 0x3C -> PE signature offset.
        isok = ReadProcessMemory(hProcess, (uint)(ImageBase + 0x03C), InfoKeep, 4, ref BytesRead);
        int PEOffset = BitConverter.ToInt32(InfoKeep, 0);
        try
        {
            // First section header (PE + 0xF8), PointerToRawData (+20): the size of the header area.
            isok = ReadProcessMemory(hProcess, (uint)(ImageBase + PEOffset + 0x0F8 + 20), InfoKeep, 4, ref BytesRead);
            byte[] PeHeader = new byte[speed];
            rawaddress = BitConverter.ToInt32(InfoKeep, 0);
            int sizetocopy = rawaddress;
            if (sizetocopy > speed)
            {
                sizetocopy = (int)speed;
            }
            isok = ReadProcessMemory(hProcess, (uint)(ImageBase), PeHeader, (uint)sizetocopy, ref BytesRead);
            offset = offset + rawaddress;
            // FileHeader.NumberOfSections, OptionalHeader SectionAlignment / FileAlignment / SizeOfImage.
            nrofsection = (int)BitConverter.ToInt16(PeHeader, PEOffset + 0x06);
            int sectionalignment = BitConverter.ToInt32(PeHeader, PEOffset + 0x038);
            filealignment = BitConverter.ToInt32(PeHeader, PEOffset + 0x03C);
            int sizeofimage = BitConverter.ToInt32(PeHeader, PEOffset + 0x050);
            // Recompute SizeOfImage from the section table (first section's VirtualAddress
            // plus every VirtualSize rounded up to SectionAlignment) and take the larger value.
            int calculatedimagesize = BitConverter.ToInt32(PeHeader, PEOffset + 0x0F8 + 012);
            for (int i = 0; i < nrofsection; i++)
            {
                int virtualsize = BitConverter.ToInt32(PeHeader, PEOffset + 0x0F8 + 0x28 * i + 08);
                int toadd = (virtualsize % sectionalignment);
                if (toadd != 0)
                {
                    toadd = sectionalignment - toadd;
                }
                calculatedimagesize = calculatedimagesize + virtualsize + toadd;
            }
            if (calculatedimagesize > sizeofimage)
            {
                sizeofimage = calculatedimagesize;
            }
            Dump = new byte[sizeofimage];
            Array.Copy(PeHeader, Dump, sizetocopy);
            Partkeep = new byte[sizeofimage];
        }
        catch
        {
            // NOTE(review): swallowed; Dump/Partkeep stay null on failure.
        }

        int calcrawsize = 0;
        for (int i = 0; i < nrofsection; i++)
        {
            int rawsize, virtualsize, virtualAddress;
            // If any section's SizeOfRawData matches neither its VirtualSize nor VirtualSize
            // rounded to FileAlignment, the raw layout is treated as unreliable and the file
            // is rebuilt from the virtual layout (ShouldFixrawsize). Re-evaluated every iteration.
            for (int l = 0; l < nrofsection; l++)
            {
                rawsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * l + 16);
                virtualsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * l + 08);
                virtualAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * l + 012);
                // RawSize = Virtual Size rounded on FileAlligment
                calcrawsize = 0;
                calcrawsize = virtualsize % filealignment;
                if (calcrawsize != 0)
                {
                    calcrawsize = filealignment - calcrawsize;
                }
                calcrawsize = virtualsize + calcrawsize;
                if (calcrawsize != 0 && rawsize != calcrawsize && rawsize != virtualsize)
                {
                    ShouldFixrawsize = true;
                    break;
                }
            }
            rawsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 16);
            virtualsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 08);
            // RawSize = Virtual Size rounded on FileAlligment
            virtualAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 012);
            if (ShouldFixrawsize)
            {
                // Section i: SizeOfRawData := VirtualSize, PointerToRawData := VirtualAddress.
                rawsize = virtualsize;
                BinaryWriter writer = new BinaryWriter(new MemoryStream(Dump));
                writer.BaseStream.Position = PEOffset + 0x0F8 + 0x28 * i + 16;
                writer.Write(virtualsize);
                writer.BaseStream.Position = PEOffset + 0x0F8 + 0x28 * i + 20;
                writer.Write(virtualAddress);
                writer.Close();
            }
            address = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 0x28 * i + 12);
            isok = ReadProcessMemory(hProcess, (uint)(ImageBase + address), Partkeep, (uint)rawsize, ref BytesRead);
            if (!isok)
            {
                // Whole-section read failed: retry in 512-byte pieces so unreadable pages are skipped.
                // NOTE(review): the copy is always 512 bytes, so the last piece may overrun
                // Partkeep when virtualsize is not a multiple of 512 — confirm.
                byte[] onepage = new byte[512];
                for (int c = 0; c < virtualsize; c = c + 512)
                {
                    isok = ReadProcessMemory(hProcess, (uint)(ImageBase + virtualAddress + c), onepage, (uint)512, ref BytesRead);
                    Array.Copy(onepage, 0, Partkeep, c, 512);
                }
            }
            if (ShouldFixrawsize)
            {
                Array.Copy(Partkeep, 0, Dump, virtualAddress, rawsize);
                offset = virtualAddress + rawsize;
            }
            else
            {
                Array.Copy(Partkeep, 0, Dump, offset, rawsize);
                offset = offset + rawsize;
            }
        }

        if (Dump != null && Dump.Length > 0 && Dump.Length >= offset)
        {
            // Import directory RVA (optional header data directory [1]).
            int ImportDirectoryRva = BitConverter.ToInt32(Dump, PEOffset + 0x080);
            if (ImportDirectoryRva > 0 && ImportDirectoryRva < offset)
            {
                int current = 0;
                int ThunkToFix = 0;
                int ThunkData = 0;
                // Walk IMAGE_IMPORT_DESCRIPTORs (Name at +12) looking for "mscoree.dll".
                isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current + 12), Partkeep, 4, ref BytesRead);
                int NameOffset = BitConverter.ToInt32(Partkeep, 0);
                while (isok && NameOffset != 0)
                {
                    byte[] mscoreeAscii = { 0x6D, 0x73, 0x63, 0x6F, 0x72, 0x65, 0x65, 0x2E, 0x64, 0x6C, 0x6C, 0x00 };
                    byte[] NameKeeper = new byte[mscoreeAscii.Length];
                    isok = ReadProcessMemory(hProcess, (uint)(ImageBase + NameOffset), NameKeeper, (uint)mscoreeAscii.Length, ref BytesRead);
                    if (isok && BytesEqual(NameKeeper, mscoreeAscii))
                    {
                        isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current), Partkeep, 4, ref BytesRead);
                        int OriginalFirstThunk = BitConverter.ToInt32(Partkeep, 0); // OriginalFirstThunk;
                        if (OriginalFirstThunk > 0 && OriginalFirstThunk < offset)
                        {
                            isok = ReadProcessMemory(hProcess, (uint)(ImageBase + OriginalFirstThunk), Partkeep, 4, ref BytesRead);
                            ThunkData = BitConverter.ToInt32(Partkeep, 0);
                            if (ThunkData > 0 && ThunkData < offset)
                            {
                                // IMAGE_IMPORT_BY_NAME: name starts at +2 (after Hint).
                                byte[] CorExeMain = { 0x5F, 0x43, 0x6F, 0x72, 0x45, 0x78, 0x65, 0x4D, 0x61, 0x69, 0x6E, 0x00 };
                                byte[] CorDllMain = { 0x5F, 0x43, 0x6F, 0x72, 0x44, 0x6C, 0x6C, 0x4D, 0x61, 0x69, 0x6E, 0x00 };
                                NameKeeper = new byte[CorExeMain.Length];
                                isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + 2), NameKeeper, (uint)CorExeMain.Length, ref BytesRead);
                                if (isok && (BytesEqual(NameKeeper, CorExeMain) || BytesEqual(NameKeeper, CorDllMain)))
                                {
                                    isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current + 16), Partkeep, 4, ref BytesRead);
                                    ThunkToFix = BitConverter.ToInt32(Partkeep, 0); // FirstThunk;
                                    break;
                                }
                            }
                        }
                    }
                    current = current + 20; // 20 size of IMAGE_IMPORT_DESCRIPTOR
                    isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ImportDirectoryRva + current + 12), Partkeep, 4, ref BytesRead);
                    NameOffset = BitConverter.ToInt32(Partkeep, 0);
                }
                if (ThunkToFix > 0 && ThunkToFix < offset)
                {
                    BinaryWriter writer = new BinaryWriter(new MemoryStream(Dump));
                    // If the live FirstThunk entry no longer points inside the image (already
                    // resolved to an absolute address), write the original name RVA back.
                    isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkToFix), Partkeep, 4, ref BytesRead);
                    int ThunkValue = BitConverter.ToInt32(Partkeep, 0);
                    if (isok && (ThunkValue < 0 || ThunkValue > offset))
                    {
                        // File position of the thunk, translated through the first section header.
                        int fvirtualsize = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 08);
                        int fvirtualAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 012);
                        int frawAddress = BitConverter.ToInt32(Dump, PEOffset + 0x0F8 + 20);
                        writer.BaseStream.Position = ThunkToFix - fvirtualAddress + frawAddress;
                        writer.Write(ThunkData);
                    }
                    // AddressOfEntryPoint at PE + 0x28. If it is outside the dumped range, scan
                    // forward from ThunkData for an FF 25 (jmp [abs]) and use that as the entry point.
                    // NOTE(review): the do/while only stops when a read fails, so it keeps scanning
                    // (and re-writing the entry point) after the first match until memory runs out.
                    int EntryPoint = BitConverter.ToInt32(Dump, PEOffset + 0x028);
                    if (EntryPoint <= 0 || EntryPoint > offset)
                    {
                        int ca = 0;
                        do
                        {
                            isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + ca), Partkeep, 1, ref BytesRead);
                            if (isok && Partkeep[0] == 0x0FF)
                            {
                                isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + ca + 1), Partkeep, 1, ref BytesRead);
                                if (isok && Partkeep[0] == 0x025)
                                {
                                    isok = ReadProcessMemory(hProcess, (uint)(ImageBase + ThunkData + ca + 2), Partkeep, 4, ref BytesRead);
                                    if (isok)
                                    {
                                        int RealEntryPoint = ThunkData + ca;
                                        writer.BaseStream.Position = PEOffset + 0x028;
                                        writer.Write(RealEntryPoint);
                                    }
                                }
                            }
                            ca++;
                        } while (isok);
                    }
                    writer.Close();
                }
            }
        }

        if (Dump != null && Dump.Length > 0 && Dump.Length >= offset)
        {
            // Only the first `offset` bytes are written (see summary about moduleName in the path).
            FileStream fout;
            string filename = newdirname + "\\" + moduleName;
            fout = new FileStream(filename, FileMode.Create);
            fout.Write(Dump, 0, offset);
            fout.Close();
            label2.ForeColor = Color.Blue;
            label2.Text = "Module saved in " + filename;
        }
        else
        {
            label2.ForeColor = Color.Red;
            label2.Text = "Failed to dump module!";
        }
    }
    else
    {
        label2.ForeColor = Color.Red;
        label2.Text = "Failed to open process!";
    }
}