[C#] Load AnyCPU exe from memory

Discussion in 'Mixed Languages' started by W00dL3cs, Jul 10, 2013.

  1. W00dL3cs

    W00dL3cs MDL Novice

    Jul 9, 2013
    3
    0
    0
    Hi everybody, I'm sorry that I had to register just to post this question (for the moment), but I really have no idea where else to go to ask if not here..

    I'm working on a C# application, and I need to run some code directly from memory, and so not from an HDD.

    I've already faced this kind of problem with .NET executables, simply loading them from native methods, but now I have to fight against non-.NET executables: I've already taken a deep look at the "KMSLibrary", but it seems that that library only works for DLLs, and not EXEs.

    Going around the web I found some "variants" of the famous RunPE, but it seems that none of them works for both x64 and x86 executables...

    So, could someone please post me some snippets which could help me to write this kind of code?

    Thanks in advance.
     
  2. Josh Cell

    Josh Cell MDL Developer

    Jan 8, 2011
    3,519
    7,100
    120
  3. W00dL3cs

    W00dL3cs MDL Novice

    Jul 9, 2013
    3
    0
    0
    The code provided in that topic does not work for 64-bit executables..
     
  4. PAYMYRENT

    PAYMYRENT MDL Developer

    Jul 28, 2009
    1,462
    419
    60
    Mr Cell.. This is talk for the pros lol jkjk

    Anyways, you are asking for reflection, and it is better for AnyCPU to be loaded by AnyCPU, or x64 for x64, and vice versa for x86 systems.

    I can give you tips and tricks for it just PM if you would like to know!
     
  5. Josh Cell

    Josh Cell MDL Developer

    Jan 8, 2011
    3,519
    7,100
    120
    :trollface:

    Will not work because the pointers have values to write in x86 areas...

    You will need to modify these pointers according to this post:

    http://forums.mydigitallife.net/threads/45192-C-64-Bit-DLL-Mapping?p=758494&viewfull=1#post758494

    Anyway, the process injection is a bad way because you will always be flagged by the AV while injecting the image.

    And you cannot do reflection in the same process if the image is unmanaged.
     
  6. PAYMYRENT

    PAYMYRENT MDL Developer

    Jul 28, 2009
    1,462
    419
    60
    That is correct.. You shouldn't mix pointers because they might point to the wrong location in memory, and in the end your application will crash.

    Incorrect, almost all my software has some sort of injection - whether it be a plugin or a full-on application, it will work, and I have tested with four different AV engines to confirm this - F-Secure, Microsoft, Symantec and ClamAV.

    This is incorrect also. If from an unmanaged process, you have to look into .NET Runtime hosting within your Win32 applications - which is a very hard task, but I do know how to do the basic hosting and get return values from functions.

    @OP MSDN is your best friend for this. I will show you some basic Reflection and Injection Methods when I am done writing my HashHelper Shell Ext (Which is almost ready for release)
     
  7. Josh Cell

    Josh Cell MDL Developer

    Jan 8, 2011
    3,519
    7,100
    120
    #7 Josh Cell, Jul 12, 2013
    Last edited: Jul 12, 2013
    Your 'injection' is managed. I am talking about unmanaged image injections.

    I am talking about one managed process being injected with an unmanaged image (not library).

    Since unmanaged injections require a lot of suspicious WinAPI calls, the AV systems are able to flag it as a false positive.

     
  8. PAYMYRENT

    PAYMYRENT MDL Developer

    Jul 28, 2009
    1,462
    419
    60
    #8 PAYMYRENT, Jul 12, 2013
    Last edited: Jul 12, 2013
    If you know how to call it without all those function calls, you should only need three of them: CreateProcess, NTUnMap.. and ResumeThread, but not the one you list, the good ol' standard one. Plus my point still stands, I've tested both ways because my project now supports plugins using Win32-based languages lol
     
  9. Josh Cell

    Josh Cell MDL Developer

    Jan 8, 2011
    3,519
    7,100
    120
    That is what I have seen:

    For me, he is looking to inject an unmanaged process image into another process (KMSLibrary does it with VBC.EXE).

    Anyway, this post is the solution, if anyone is able to do the right pointers for an x64 process...

    http://forums.mydigitallife.net/threads/45192-C-64-Bit-DLL-Mapping?p=758494&viewfull=1#post758494

    If you still have issues, send a PM to him; maybe he is also able to do it for the KMSLibrary:

    http://forums.mydigitallife.net/members/328557-qad
     
  10. W00dL3cs

    W00dL3cs MDL Novice

    Jul 9, 2013
    3
    0
    0
    Yeah, I've already taken a look at that library, but it seems that it injects a DLL, and not an executable: I think that the question is a bit different, no?
     
  11. CODYQX4

    CODYQX4 MDL Developer

    Sep 4, 2009
    4,801
    44,955
    150
    Actually, KMSLibrary is for DLL injection into your own process, to obscure loading a DLL and map it from a byte[]. It is a reworking of LoadLibrary.

    My old code did vbc.exe and used what they call a "RunPE".

    That RunPE did not work on x64, though PMR may have something in that area, he posted a few while I was discussing the KMSLibrary code.
     
  12. Josh Cell

    Josh Cell MDL Developer

    Jan 8, 2011
    3,519
    7,100
    120
    Yeah, with libraries it is really possible because you are re-allocating the memory block inside the process...

    But it is a bit hard to do it with the whole process image inside the same process... (Inject a 100% native image in the managed .NET process)...
     
  13. PAYMYRENT

    PAYMYRENT MDL Developer

    Jul 28, 2009
    1,462
    419
    60
  14. Josh Cell

    Josh Cell MDL Developer

    Jan 8, 2011
    3,519
    7,100
    120
    The x64 pointers will be the same even if you inject a library or the full process image (executable)...

    You just need to implement it inside your code (if the process is x64, then set x64 pointers)...
     
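The point made in posts 5 and 14, that the x64 "pointers" differ and the code has to check which kind of image it is holding, comes down to the two optional header layouts of a PE file: PE32 (x86) and PE32+ (x64) agree up to BaseOfCode and then diverge, with a 32-bit ImageBase at +28 in one and a 64-bit ImageBase at +24 in the other, and 8-byte stack and heap fields shifting everything after them. The following C# is an added example written for this page, not code from the thread or from KMSLibrary. It only reads headers out of a byte[] and reports the machine type, magic, ImageBase, entry point and whether a CLR header is present; it maps and executes nothing, which is what a triage tool or a loader does before it decides which field sizes apply. The sample header bytes are constructed inline and are not a real binary; `BuildSampleHeaders` and `PeInspector` are names chosen here.

```csharp
using System;
using System.IO;

// Added example, not code from this thread or from KMSLibrary: read the COFF and
// optional headers of a PE image held in a byte[] and report whether it is PE32 (x86)
// or PE32+ (x64). The two optional header layouts diverge right after BaseOfCode, so
// ImageBase and everything behind it must be read with the right field sizes.
// Nothing here is mapped or executed.
public static class PeInspector
{
    public sealed class PeInfo
    {
        public ushort Machine;           // 0x014c = IMAGE_FILE_MACHINE_I386, 0x8664 = AMD64
        public ushort Magic;             // 0x10b = PE32, 0x20b = PE32+
        public bool Is64Bit { get { return Magic == 0x20b; } }
        public ulong ImageBase;          // 4 bytes at +28 in PE32, 8 bytes at +24 in PE32+
        public uint AddressOfEntryPoint; // RVA, at +16 in both layouts
        public uint SizeOfImage;
        public ushort Subsystem;         // 2 = GUI, 3 = CUI
        public bool IsDll;               // IMAGE_FILE_DLL in COFF Characteristics
        public bool HasClrHeader;        // data directory 14 (COM descriptor) present
    }

    public static PeInfo Inspect(byte[] image)
    {
        if (image.Length < 0x40 || image[0] != (byte)'M' || image[1] != (byte)'Z')
            throw new BadImageFormatException("missing MZ signature");
        int pe = BitConverter.ToInt32(image, 0x3C);               // e_lfanew
        if (pe < 0 || pe + 24 > image.Length || BitConverter.ToUInt32(image, pe) != 0x00004550u)
            throw new BadImageFormatException("missing PE signature");

        var info = new PeInfo();
        int coff = pe + 4;                                        // IMAGE_FILE_HEADER
        info.Machine = BitConverter.ToUInt16(image, coff);
        ushort sizeOfOptional = BitConverter.ToUInt16(image, coff + 16);
        info.IsDll = (BitConverter.ToUInt16(image, coff + 18) & 0x2000) != 0;

        int opt = coff + 20;                                      // IMAGE_OPTIONAL_HEADER
        if (opt + sizeOfOptional > image.Length)
            throw new BadImageFormatException("optional header truncated");
        info.Magic = BitConverter.ToUInt16(image, opt);
        info.AddressOfEntryPoint = BitConverter.ToUInt32(image, opt + 16);

        int dirs;                                                 // start of the data directories
        if (info.Magic == 0x10b)        // PE32: BaseOfData at +24, 32-bit ImageBase at +28
        {
            info.ImageBase = BitConverter.ToUInt32(image, opt + 28);
            dirs = opt + 96;
        }
        else if (info.Magic == 0x20b)   // PE32+: no BaseOfData, 64-bit ImageBase at +24
        {
            info.ImageBase = BitConverter.ToUInt64(image, opt + 24);
            dirs = opt + 112;           // stack/heap reserve and commit are 8 bytes each here
        }
        else throw new BadImageFormatException("unknown optional header magic");

        // These fields sit at the same offsets in both layouts.
        info.SizeOfImage = BitConverter.ToUInt32(image, opt + 56);
        info.Subsystem = BitConverter.ToUInt16(image, opt + 68);

        uint dirCount = BitConverter.ToUInt32(image, dirs - 4);   // NumberOfRvaAndSizes
        if (dirCount > 14 && dirs + 15 * 8 <= image.Length)
            info.HasClrHeader = BitConverter.ToUInt32(image, dirs + 14 * 8) != 0;
        return info;
    }

    // Constructed sample, not a real binary: just the headers Inspect needs (DOS header,
    // PE signature, COFF header, optional header with 16 data directories, no sections).
    public static byte[] BuildSampleHeaders(bool pe32Plus, bool withClrHeader)
    {
        var ms = new MemoryStream();
        var w = new BinaryWriter(ms);
        w.Write((byte)'M'); w.Write((byte)'Z');
        w.Write(new byte[0x3C - 2]);
        w.Write(0x40);                                   // e_lfanew: PE header at 0x40
        w.Write(0x00004550u);                            // "PE\0\0"
        w.Write((ushort)(pe32Plus ? 0x8664 : 0x014c));   // Machine
        w.Write((ushort)0);                              // NumberOfSections
        w.Write(new byte[12]);                           // TimeDateStamp, symbol table fields
        w.Write((ushort)(pe32Plus ? 240 : 224));         // SizeOfOptionalHeader
        w.Write((ushort)0x0002);                         // IMAGE_FILE_EXECUTABLE_IMAGE
        w.Write((ushort)(pe32Plus ? 0x20b : 0x10b));     // Magic
        w.Write(new byte[14]);                           // linker version, code/data sizes
        w.Write(0x1000u);                                // AddressOfEntryPoint
        w.Write(0x1000u);                                // BaseOfCode
        if (pe32Plus) w.Write(0x140000000UL);            // ImageBase, 8 bytes
        else { w.Write(0x2000u); w.Write(0x00400000u); } // BaseOfData, then 4-byte ImageBase
        w.Write(0x1000u); w.Write(0x200u);               // SectionAlignment, FileAlignment
        w.Write(new byte[16]);                           // OS/image/subsystem versions, Win32VersionValue
        w.Write(0x3000u);                                // SizeOfImage
        w.Write(0x400u);                                 // SizeOfHeaders
        w.Write(0u);                                     // CheckSum
        w.Write((ushort)3);                              // Subsystem = CUI
        w.Write((ushort)0x8140);                         // DllCharacteristics: TS-aware, NX, ASLR
        w.Write(new byte[pe32Plus ? 32 : 16]);           // stack/heap reserve and commit
        w.Write(0u);                                     // LoaderFlags
        w.Write(16u);                                    // NumberOfRvaAndSizes
        w.Write(new byte[14 * 8]);                       // directories 0..13 empty
        w.Write(withClrHeader ? 0x2000u : 0u);           // directory 14: CLR header RVA
        w.Write(withClrHeader ? 0x48u : 0u);             // directory 14: CLR header size
        w.Write(new byte[8]);                            // directory 15 reserved
        w.Flush();
        return ms.ToArray();
    }

    public static void Main()
    {
        foreach (var sample in new[] { BuildSampleHeaders(false, true), BuildSampleHeaders(true, false) })
        {
            PeInfo i = Inspect(sample);
            Console.WriteLine("machine=0x{0:x4} {1} base=0x{2:x} entry=0x{3:x} dll={4} clr={5}",
                i.Machine, i.Is64Bit ? "PE32+ (x64)" : "PE32 (x86)", i.ImageBase,
                i.AddressOfEntryPoint, i.IsDll, i.HasClrHeader);
        }
    }
}
```

Run as a console program it reports the first sample as `machine=0x014c PE32 (x86)` with a 0x400000 base and a CLR header, and the second as `machine=0x8664 PE32+ (x64)` with a 0x140000000 base. An AnyCPU .NET image looks like the first case (I386 machine, PE32, CLR header present); whether it is really AnyCPU or x86-only is recorded in the CLR header's Flags (the 32BITREQUIRED bit), which this inspector does not chase through the section table, so for managed images that is the additional check to make before deciding which bitness applies.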