示例#1
0
        static void Main(string[] args)
        {
            Console.WriteLine(Process.GetCurrentProcess().Id);

            _PEB          peb     = EnvironmentBlockInfo.GetPeb();
            _PEB_LDR_DATA ldrData = _PEB_LDR_DATA.Create(peb.Ldr);

            string moduleName = "ole32.dll";

            FindModules(moduleName);

            DllOrderLink hiddenModuleLink = null;

            try
            {
                hiddenModuleLink = ldrData.HideDLL(moduleName);
                FindModules(moduleName);

                Console.ReadLine();
            }
            finally
            {
                if (hiddenModuleLink != null)
                {
                    ldrData.UnhideDLL(hiddenModuleLink);
                }
            }

            FindModules(moduleName);

            Console.WriteLine(Process.GetCurrentProcess().Id);
            Console.ReadLine();

            Console.WriteLine("[Load Order]");
            foreach (var item in ldrData.EnumerateLoadOrderModules())
            {
                Console.WriteLine("\t" + item.FullDllName.GetText());
            }

            Console.WriteLine();
            Console.WriteLine("[Memory Order]");
            foreach (var item in ldrData.EnumerateMemoryOrderModules())
            {
                Console.WriteLine("\t" + item.FullDllName.GetText());
            }
        }
示例#2
0
        public static bool MasqueradePEB(string masqBinary)
        {
            string Arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");

            // Retrieve information about the specified process
            int    dwPID      = Process.GetCurrentProcess().Id;
            IntPtr procHandle = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead | ProcessAccessFlags.VirtualMemoryWrite | ProcessAccessFlags.VirtualMemoryOperation, false, dwPID);

            _PROCESS_BASIC_INFORMATION pbi = new _PROCESS_BASIC_INFORMATION();
            IntPtr pbiPtr       = StructureToPtr(pbi);
            int    returnLength = 0;

            int status = NtQueryInformationProcess(procHandle, 0, pbiPtr, Marshal.SizeOf(pbi), ref returnLength);

            if (status != 0)
            {
                return(false);
            }
            pbi = PtrToStructure <_PROCESS_BASIC_INFORMATION>(pbiPtr);

            Console.WriteLine("[+] Process ID is: {0}", pbi.UniqueProcessId);

            // Read pbi PebBaseAddress into PEB Structure
            IntPtr lpNumberOfBytesRead = IntPtr.Zero;

            _PEB   peb    = new _PEB();
            IntPtr pebPtr = StructureToPtr(peb);

            if (!ReadProcessMemory(procHandle, pbi.PebBaseAddress, pebPtr, Marshal.SizeOf(peb), out lpNumberOfBytesRead))
            {
                return(false);
            }
            peb = PtrToStructure <_PEB>(pebPtr);

            // Read peb ProcessParameters into RTL_USER_PROCESS_PARAMETERS Structure
            RTL_USER_PROCESS_PARAMETERS upp = new RTL_USER_PROCESS_PARAMETERS();
            IntPtr uppPtr = StructureToPtr(upp);

            if (!ReadProcessMemory(procHandle, peb.ProcessParameters, uppPtr, Marshal.SizeOf(upp), out lpNumberOfBytesRead))
            {
                return(false);
            }
            upp = PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(uppPtr);

            // Read Ldr Address into PEB_LDR_DATA Structure
            _PEB_LDR_DATA pld    = new _PEB_LDR_DATA();
            IntPtr        pldPtr = StructureToPtr(pld);

            if (!ReadProcessMemory(procHandle, peb.Ldr, pldPtr, Marshal.SizeOf(pld), out lpNumberOfBytesRead))
            {
                return(false);
            }
            pld = PtrToStructure <_PEB_LDR_DATA>(pldPtr);

            // Change Current Working Directory and Window title
            Directory.SetCurrentDirectory(Environment.SystemDirectory);

            // Set the Title of the Window
            SetWindowText(Process.GetCurrentProcess().MainWindowHandle, masqBinary);

            // Let's overwrite UNICODE_STRING structs in memory

            // Take ownership of PEB
            RtlEnterCriticalSection(peb.FastPebLock);

            // Masquerade ImagePathName and CommandLine
            IntPtr ImagePathNamePtr = IntPtr.Zero;
            IntPtr CommandLinePtr   = IntPtr.Zero;

            if (Arch == "AMD64")
            {
                ImagePathNamePtr = new IntPtr(peb.ProcessParameters.ToInt64() + 0x60);
                CommandLinePtr   = new IntPtr(peb.ProcessParameters.ToInt64() + 0x70);
            }
            else
            {
                ImagePathNamePtr = new IntPtr(peb.ProcessParameters.ToInt32() + 0x38);
                CommandLinePtr   = new IntPtr(peb.ProcessParameters.ToInt32() + 0x40);
            }

            if (!RtlInitUnicodeString(procHandle, ImagePathNamePtr, "ImagePathName", masqBinary))
            {
                return(false);
            }
            if (!RtlInitUnicodeString(procHandle, CommandLinePtr, "CommandLine", masqBinary))
            {
                return(false);
            }

            // Masquerade FullDllName and BaseDllName
            StringBuilder wModuleFileName = new StringBuilder(255);

            GetModuleFileName(IntPtr.Zero, wModuleFileName, wModuleFileName.Capacity);
            string wExeFileName = wModuleFileName.ToString();
            string wFullDllName = null;

            _PEB_LDR_DATA StartModule      = (_PEB_LDR_DATA)Marshal.PtrToStructure(peb.Ldr, typeof(_PEB_LDR_DATA));
            IntPtr        pStartModuleInfo = StartModule.InLoadOrderModuleList.Flink;
            IntPtr        pNextModuleInfo  = pld.InLoadOrderModuleList.Flink;

            do
            {
                // Read InLoadOrderModuleList.Flink Address into LDR_DATA_TABLE_ENTRY Structure
                _LDR_DATA_TABLE_ENTRY ldte = (_LDR_DATA_TABLE_ENTRY)Marshal.PtrToStructure(pNextModuleInfo, typeof(_LDR_DATA_TABLE_ENTRY));
                IntPtr FullDllNamePtr      = IntPtr.Zero;
                IntPtr BaseDllNamePtr      = IntPtr.Zero;

                if (Arch == "AMD64")
                {
                    FullDllNamePtr = new IntPtr(pNextModuleInfo.ToInt64() + 0x48);
                    BaseDllNamePtr = new IntPtr(pNextModuleInfo.ToInt64() + 0x58);
                }
                else
                {
                    FullDllNamePtr = new IntPtr(pNextModuleInfo.ToInt32() + 0x24);
                    BaseDllNamePtr = new IntPtr(pNextModuleInfo.ToInt32() + 0x2C);
                }

                // Read FullDllName into string
                wFullDllName = ldte.FullDllName.ToString();

                if (wExeFileName == wFullDllName)
                {
                    if (!RtlInitUnicodeString(procHandle, FullDllNamePtr, "FullDllName", masqBinary))
                    {
                        return(false);
                    }
                    if (!RtlInitUnicodeString(procHandle, BaseDllNamePtr, "BaseDllName", masqBinary))
                    {
                        return(false);
                    }
                    break;
                }

                pNextModuleInfo = ldte.InLoadOrderLinks.Flink;
            } while (pNextModuleInfo != pStartModuleInfo);

            //Release ownership of PEB
            RtlLeaveCriticalSection(peb.FastPebLock);

            // Release Process Handle
            CloseHandle(procHandle);

            return(true);
        }
示例#3
0
        public static _PEB Create(IntPtr pebAddress)
        {
            _PEB peb = (_PEB)Marshal.PtrToStructure(pebAddress, typeof(_PEB));

            return(peb);
        }
示例#4
0
        static void Main(string[] args)
        {
            bool   x32Architecture = false;
            string processName     = Process.GetCurrentProcess().ProcessName;

            if (IntPtr.Size == 4)
            {
                x32Architecture = true;
                Console.WriteLine("[+] Current Process is 32 bits");
            }
            else
            {
                Console.WriteLine("[+] Current Process is 64 bits");
            }

            Console.WriteLine("[+] Getting Process Information");

            IntPtr ProcHandle = Process.GetCurrentProcess().Handle;
            _PROCESS_BASIC_INFORMATION PROCESS_BASIC_INFORMATION = new _PROCESS_BASIC_INFORMATION();
            int   PROCESS_BASIC_INFORMATION_Size = System.Runtime.InteropServices.Marshal.SizeOf(PROCESS_BASIC_INFORMATION);
            Int32 returnLength = new Int32();

            int CallResult = Ntdll.NtQueryInformationProcess(ProcHandle, 0, ref PROCESS_BASIC_INFORMATION, PROCESS_BASIC_INFORMATION_Size, ref returnLength);

            Console.WriteLine("[+] PID " + PROCESS_BASIC_INFORMATION.UniqueProcessId.ToString());
            Console.WriteLine("[+] Started Value of GetCurrentProcess().MainModule.FileName ");
            Console.WriteLine("   [>] " + Process.GetCurrentProcess().MainModule.FileName);

            if (x32Architecture)
            {
                Console.WriteLine("[+] PebBaseAddress: 0x{0:X8}", PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt32());
            }
            else
            {
                Console.WriteLine("[+] PebBaseAddress: 0x{0:X16}", PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64());
            }

            _PEB _PEB = new _PEB();

            long BufferOffset = PROCESS_BASIC_INFORMATION.PebBaseAddress.ToInt64();

            IntPtr newIntPtr = new IntPtr(BufferOffset);

            //check
            // found this somewhere in internet https://social.msdn.microsoft.com/Forums/sqlserver/en-US/64439444-c889-4d4b-a89f-b8f7e0e25827/problems-in-marshalptrtostructure?forum=clr
            _PEB PEBFlags = new _PEB();

            PEBFlags = (_PEB)Marshal.PtrToStructure(newIntPtr, typeof(_PEB));

            // FastPebLock http://www.debugwin.com/home/fastpeblock
            // This is recommended but not mandatory, just tested and works without the lock.

            if (x32Architecture)
            {
                Ntdll.RtlEnterCriticalSection(PEBFlags.FastPebLock32);
            }
            else
            {
                Ntdll.RtlEnterCriticalSection(PEBFlags.FastPebLock64);
            }

            Console.WriteLine("[+] Setting Lock to work with the PEB");
            Console.WriteLine("[!] RtlEnterCriticalSection --> &Peb->FastPebLock");


            long   ImagePathName = 0;
            long   CommandLine   = 0;
            UInt32 StructSize    = 0;

            if (x32Architecture)
            {
                long PROCESS_PARAMETERS = PEBFlags.ProcessParameters32.ToInt64();
                StructSize = 8;

                ImagePathName = PROCESS_PARAMETERS + 0x38;
                CommandLine   = PROCESS_PARAMETERS + 0x40;
            }
            else
            {
                long PROCESS_PARAMETERS = PEBFlags.ProcessParameters64.ToInt64();
                StructSize = 16;

                ImagePathName = PROCESS_PARAMETERS + 0x60;
                CommandLine   = PROCESS_PARAMETERS + 0x70;
            }

            IntPtr ImagePathNamePtr = new IntPtr(ImagePathName);
            IntPtr CommandLinePtr   = new IntPtr(CommandLine);

            if (x32Architecture)
            {
                Console.WriteLine("[+] Getting the PEB ProcessParameters.ImagePathName Address: 0x{0:X8}", ImagePathName);
                Console.WriteLine("[+] Getting the PEB ProcessParameters.CommandLine Address: 0x{0:X8}", CommandLine);
            }
            else
            {
                Console.WriteLine("[+] Getting the PEB ProcessParameters.ImagePathName Address: 0x{0:X16}", ImagePathName);
                Console.WriteLine("[+] Getting the PEB ProcessParameters.CommandLine Address: 0x{0:X16}", CommandLine);
            }

            string BinPath = @"C:\Windows\System32\notepad.exe";

            Emit_UNICODE_STRING(ProcHandle, ImagePathNamePtr, StructSize, BinPath);
            Emit_UNICODE_STRING(ProcHandle, CommandLinePtr, StructSize, BinPath);

            Console.WriteLine("[+] Printing GetCurrentProcess().MainModule.FileName value after ImagePathName & CommandLine modification ");
            Console.WriteLine("   [>] " + Process.GetCurrentProcess().MainModule.FileName);


            //&Peb->Ldr
            _PEB_LDR_DATA _PEB_LDR_DATA    = new _PEB_LDR_DATA();
            var           typePEB_LDR_DATA = _PEB_LDR_DATA.GetType();

            //reusing variables keep in mind
            if (x32Architecture)
            {
                BufferOffset = PEBFlags.Ldr32.ToInt64();
            }
            else
            {
                BufferOffset = PEBFlags.Ldr64.ToInt64();
            }

            //reusing variables keep in mind
            newIntPtr = new IntPtr(BufferOffset);
            _PEB_LDR_DATA LDRFlags = new _PEB_LDR_DATA();

            LDRFlags = (_PEB_LDR_DATA)Marshal.PtrToStructure(newIntPtr, typeof(_PEB_LDR_DATA));

            //&Peb->Ldr->InLoadOrderModuleList->Flink
            _LDR_DATA_TABLE_ENTRY _LDR_DATA_TABLE_ENTRY = new _LDR_DATA_TABLE_ENTRY();

            BufferOffset = LDRFlags.InLoadOrderModuleList.Flink.ToInt64();
            newIntPtr    = new IntPtr(BufferOffset);

            // For next session you should read: https://www.osronline.com/article.cfm%5Earticle=499.htm

            Console.WriteLine("[?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list");

            IntPtr ListIndex = new IntPtr();
            _LDR_DATA_TABLE_ENTRY LDREntry = new _LDR_DATA_TABLE_ENTRY();

            long FullDllName = 0;
            long BaseDllName = 0;

            while (ListIndex != LDRFlags.InLoadOrderModuleList.Blink)
            {
                LDREntry = (_LDR_DATA_TABLE_ENTRY)Marshal.PtrToStructure(newIntPtr, typeof(_LDR_DATA_TABLE_ENTRY));

                if (Marshal.PtrToStringUni(LDREntry.FullDllName.Buffer).Contains(processName))
                {
                    if (x32Architecture)
                    {
                        StructSize = 8;

                        FullDllName = BufferOffset + 0x24;
                        BaseDllName = BufferOffset + 0x2C;
                    }
                    else
                    {
                        StructSize = 16;

                        FullDllName = BufferOffset + 0x48;
                        BaseDllName = BufferOffset + 0x58;
                    }

                    // Overwrite _LDR_DATA_TABLE_ENTRY struct
                    // Can easily be extended to other UNICODE_STRING structs in _LDR_DATA_TABLE_ENTRY(/or in general)
                    IntPtr FullDllNamePtr = new IntPtr(FullDllName);
                    IntPtr BaseDllNamePtr = new IntPtr(BaseDllName);

                    if (x32Architecture)
                    {
                        Console.WriteLine("[>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x{0:X8}", FullDllName);
                        Console.WriteLine("[>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x{0:X8}", BaseDllName);
                    }
                    else
                    {
                        Console.WriteLine("[>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x{0:X16}", FullDllName);
                        Console.WriteLine("[>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x{0:X16}", BaseDllName);
                    }

                    Emit_UNICODE_STRING(ProcHandle, FullDllNamePtr, StructSize, BinPath);
                    Emit_UNICODE_STRING(ProcHandle, BaseDllNamePtr, StructSize, BinPath);
                }

                BufferOffset = LDREntry.InLoadOrderLinks.Flink.ToInt64();
                ListIndex    = (IntPtr)BufferOffset;
                newIntPtr    = new IntPtr(BufferOffset);
            }


            // Release ownership of PEB

            if (x32Architecture)
            {
                Ntdll.RtlLeaveCriticalSection(PEBFlags.FastPebLock32);
            }
            else
            {
                Ntdll.RtlLeaveCriticalSection(PEBFlags.FastPebLock64);
            }

            Console.WriteLine("[+] Releasing the PEB Lock");
            Console.WriteLine("[!] RtlLeaveCriticalSection --> &Peb->FastPebLock");

            Console.WriteLine("[+] Printing GetCurrentProcess().MainModule.FileName value after FullDllName & BaseDllName modification ");
            Console.WriteLine("   [>] " + Process.GetCurrentProcess().MainModule.FileName);

            Console.ReadLine();
        }