[C#] [Source] KMS Tools By CODYQX4 - Extend KMSEmulator & Improve Activation

Discussion in 'Mixed Languages' started by CODYQX4, Sep 16, 2011.

  1. CODYQX4

    CODYQX4 MDL Developer

    #1 CODYQX4, Sep 16, 2011
    Last edited by a moderator: Apr 20, 2017
    Readme:
    INFO:
    These are a set of tools and code using Office/Microsoft Toolkit Code by CODYQX4, used to change the PID and Port of a file, active process, or to start a new KMSEmulator from Disk or RAM.
    ---------------------------------------------------------------------------------------------------------------------
    KMS File Patcher:
    DESCRIPTION
    This will permanently patch the port and PID of a KMSEmulator.exe file. Upon running the EXE, the patched settings are always set.
    USE
    Run via commandline. These switches are all mandatory and must be done in this order.
    USE EXAMPLE
    "KMS File Patcher.exe" /File:"FullFilePath" /KMSPID:PID /Port:Port
    USE NOTES
    The FullFilePath variable must be the full file path, not a relative path. It is strongly recommended to quote the path.
    PID must be a valid PID or be empty.
    Port must be a valid port between 1 and 65535. Be sure the chosen port will not be in use on the target PC.
    ---------------------------------------------------------------------------------------------------------------------
    KMS Memory Patcher:
    DESCRIPTION
    This will change the PID of a KMSEmulator process.
    USE
    Run via commandline. These switches are all mandatory except ProcessID and must be done in this order.
    USE EXAMPLE
    "KMS Memory Patcher.exe" /KMSPID:PID /ProcessName:ProcessName /ProcessID:ID
    USE NOTES
    The ProcessName variable must be the name of the running process, without an extension. It is recommended to quote the name.
    PID must be a valid PID or be empty.
    ID must be a valid and active process id. It is not a needed parameter but allows running multiple processes on different ports and changing their PID.
    ---------------------------------------------------------------------------------------------------------------------
    KMS File Execution:
    DESCRIPTION
    This will do what KMS File Patcher does, except it will create a new file, patch it, then run it.
    USE
    Run via commandline. These switches are all mandatory and must be done in this order.
    USE EXAMPLE
    "KMS File Execution.exe" /File:"FullFilePath" /KMSPID:PID /Port:Port /Hide:TF
    USE NOTES
    The FullFilePath variable must be the full file path, not a relative path. It is strongly recommended to quote the path.
    PID must be a valid PID or be empty.
    Port must be a valid port between 1 and 65535. Be sure the chosen port will not be in use on the target PC.
    TF means use either True or False, to decide whether or not to show the KMSEmulator window.
    ---------------------------------------------------------------------------------------------------------------------
    KMS Memory Execution:
    DESCRIPTION
    This will create an instance of KMSEmulator with a patched port and PID, and inject it into another process (vbc.exe) so no KMSEmulator is written to disk.
    The Process will always show no window.
    USE
    Run via commandline. These switches are all mandatory and must be done in this order.
    USE EXAMPLE
    "KMS Memory Execution.exe" /KMSPID:PID /Port:Port
    USE NOTES
    PID must be a valid PID or be empty.
    Port must be a valid port between 1 and 65535. Be sure the chosen port will not be in use on the target PC.
    ---------------------------------------------------------------------------------------------------------------------
    Known Good PID
    LIST
    55041-00168-305-190595-03-1033-3790.0000-2692009 (Default ZWT PID)
    "" (NULL PID)
    55041-00096-199-000004-03-1033-7600.0000-3632009
    55041-00168-305-246209-03-1033-7600.0000-0522010
    55041-00168-305-100667-03-1033-6002.0000-2372009
    55041-00142-026-982506-03-1033-3790.0000-0962010
    55041-00152-339-725949-03-1033-3790.0000-0972010
    55041-00140-015-871562-03-1033-7078.0000-0992009
    55041-00142-026-826687-03-1033-6000.0000-3472006
    55041-00152-105-000223-03-1033-6001.0000-0692009
    55041-00168-313-440506-03-1033-7600.0000-2242010
    55041-00142-026-098258-03-1033-6000.0000-3392006
    
    Requirements:
    Microsoft .NET Framework 3.5
    Visual Studio to compile/edit code.

    Credits:
    Credits - Developers:
    CODYQX4 for All C# code except ProcessMemoryReaderLib and CMemoryExecute
    Arik Poznanski for ProcessMemoryReaderLib
    affixiate for CMemoryExecute, tweaked by CODYQX4 to hide the process window

    Credits - Other:
    ZWT for the Original KMS Keygen, and Phazor and letsgoawayhell for KMS research/improvements.

    KMS Tools Changelog:

    1.0: Initial Release

    Downloads:
    1.0
    ZIP MD5:E26910E0B9B07C969DBF067C2C725C37

    http://www.datafilehost.com/download-36c910a3.html
     
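The switch rules the readme above states (switches in a fixed order, port between 1 and 65535, PID either empty or well-formed, full rather than relative file path, process name without extension, Hide as True/False) as an added validator in Python. This is example code written here, not code from the KMS Tools package or from CODYQX4; the digit-group pattern used for a "valid PID" is an assumption inferred from the Known Good PID list, not a format the readme defines, the drive-letter/UNC test for a "full path" is likewise an assumption, and the argv lists in the demo are constructed inputs.

```python
import re

# Shape of every entry in the "Known Good PID" list: 5-5-3-6-2-4-4.4-7 digit groups.
# ASSUMPTION inferred from those samples, not a format the readme defines.
PID_RE = re.compile(r"^\d{5}-\d{5}-\d{3}-\d{6}-\d{2}-\d{4}-\d{4}\.\d{4}-\d{7}$")

# Mandatory switch order per tool, exactly as the readme's USE EXAMPLE lines give it.
TOOL_SWITCHES = {
    "KMS File Patcher": ["File", "KMSPID", "Port"],
    "KMS Memory Patcher": ["KMSPID", "ProcessName", "ProcessID"],
    "KMS File Execution": ["File", "KMSPID", "Port", "Hide"],
    "KMS Memory Execution": ["KMSPID", "Port"],
}
OPTIONAL_SWITCHES = {"ProcessID"}  # the only switch the readme marks optional


def parse_switches(argv):
    """Split ['/File:"C:\\x.exe"', '/Port:1688'] into ordered (name, value) pairs.

    Surrounding quotes are stripped; a value may be empty ("/KMSPID:" is the NULL PID).
    """
    pairs = []
    for arg in argv:
        if not arg.startswith("/") or ":" not in arg:
            raise ValueError(f"malformed switch {arg!r}; expected /Name:Value")
        name, _, value = arg[1:].partition(":")
        pairs.append((name, value.strip('"')))
    return pairs


def validate_port(value):
    """Readme: a valid port between 1 and 65535."""
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"port {value!r} is not in 1..65535")
    return int(value)


def validate_pid(value):
    """Readme: a valid PID or empty; the empty string is the NULL PID and passes."""
    if value == "":
        return ""
    if not PID_RE.fullmatch(value):
        raise ValueError(f"PID {value!r} does not match the extended-PID shape")
    return value


def validate_file(value):
    """Readme: a full path, not a relative one (drive-letter or UNC prefix assumed)."""
    if not re.match(r"^(?:[A-Za-z]:\\|\\\\)", value):
        raise ValueError(f"file path {value!r} is not a full path")
    return value


def validate_process_name(value):
    """Readme: the running process name without an extension."""
    if not value or "." in value or any(c in value for c in '\\/:*?"<>|'):
        raise ValueError(f"process name {value!r} must be a bare name with no extension")
    return value


def validate_process_id(value):
    """A positive integer; whether it is a live process is the tool's run-time check."""
    if not value.isdigit() or int(value) <= 0:
        raise ValueError(f"process id {value!r} is not a positive integer")
    return int(value)


def validate_hide(value):
    """Readme: True or False."""
    if value.lower() not in ("true", "false"):
        raise ValueError(f"Hide must be True or False, got {value!r}")
    return value.lower() == "true"


VALIDATORS = {
    "File": validate_file, "KMSPID": validate_pid, "Port": validate_port,
    "ProcessName": validate_process_name, "ProcessID": validate_process_id,
    "Hide": validate_hide,
}


def validate_invocation(tool, argv):
    """Return {switch: parsed value} or raise ValueError describing the first problem."""
    expected = TOOL_SWITCHES[tool]
    pairs = parse_switches(argv)
    names = [name for name, _ in pairs]
    unknown = [n for n in names if n not in expected]
    if unknown:
        raise ValueError(f"{tool} does not take {unknown}")
    # Order is mandatory: the given names must equal the expected list minus any
    # omitted optional switch. A switch given twice also fails this comparison.
    if names != [n for n in expected if n in names]:
        raise ValueError(f"{tool} switches must be given in the order {expected}")
    missing = [n for n in expected if n not in names and n not in OPTIONAL_SWITCHES]
    if missing:
        raise ValueError(f"{tool} is missing mandatory switch(es) {missing}")
    return {name: VALIDATORS[name](value) for name, value in pairs}


def invocation_error(tool, argv):
    """Same check, returning the error message (or None when valid) instead of raising."""
    try:
        validate_invocation(tool, argv)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample invocations mirroring the readme's USE EXAMPLE lines.
    ok = ['/File:"C:\\Tools\\KMSEmulator.exe"',
          "/KMSPID:55041-00168-305-190595-03-1033-3790.0000-2692009", "/Port:1688"]
    print(validate_invocation("KMS File Patcher", ok))
    print(invocation_error("KMS File Patcher", ["/Port:1688", "/KMSPID:", ok[0]]))
    print(invocation_error("KMS File Execution", ok + ["/Hide:Yes"]))
```

The order check compares the given switch names against the expected list filtered to those present, which enforces the readme's "must be done in this order" rule while still letting the optional ProcessID be omitted, and rejects a switch supplied twice as a side effect.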
  2. Josh Cell

    Josh Cell MDL Developer

    Yeah, good work Cody, really professional development ...
     
  3. CODYQX4

    CODYQX4 MDL Developer

    I'm hoping this is useful, and that someone could make a C++ port. I did kinda rush the "Program.cs" part though, and it has minimal error checking.

    This gives people the abilities OTK adds to KMS. As in port changing (nobody else has done this before for KMS), RAM Execution, File Port/PID patch, and Memory Port/PID patch. Anyone who uses these right in their tools can use the PID change to bypass persistent 8000700D, and the "Ram Execution" is good for not writing to disk. That is probably better off embedded into a C# app than used via cmd, as AV could target that EXE just like KMSEmulator.
     
  4. Josh Cell

    Josh Cell MDL Developer

    Personally, I do not like to use C++ to perform code injections into memory addresses. The real way of it is dumping the real address to the offset allocated into memory, taking too long and not doing an automatic search, using dumpers to calc the memory path and convert to the exact DWORD on start and end, and manually patching offset by offset...
     
  5. BobSheep

    BobSheep MDL Guru

    #5 BobSheep, Sep 16, 2011
    Last edited: Sep 16, 2011
    C++ is just an extension of C and designed by Bjarne Stroustrup, who invented the language so his friends would not have to learn assembler. Most of the kernels (Linux, Apple, Windows) are written in C or C++. What better tool exists to do the kind of manipulations that you're describing?

    And regarding code injections...? Are these code injections into processes already running, and do they inject code into the standard Dll initialization functions that are called when every Dll is loaded (DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH), or are you patching the Dll file itself? The easiest way to create a Dll hook is to modify the DLL_THREAD_ATTACH call to call extra code which you have injected into the address space of the Dll. There are also options to modify the import tables of executables using the M$ Detours project (search for Microsoft Research Detours).

    I'm just interested in what you mean exactly.
     
  6. Josh Cell

    Josh Cell MDL Developer

    Anything is possible with these languages; the problem is the complexity involved in only injecting a simple piece of code in a place in memory, needing to convert and manipulate everything in DWORDs.

    To simply patch the "55041-00168-305-190595-03-1033-3790.0000-2692009" PID address, you can work with 48 DWORDs, with the exact location of the patch one by one in memory, +48 to patch other PIDs into empty offsets without crashing the application.

    With C#, there are automated tools to patch multiple strings into memory instantly.
     
  7. BobSheep

    BobSheep MDL Guru

    #7 BobSheep, Sep 16, 2011
    Last edited: Sep 16, 2011
    And the other question, Code Injection?

    Extra: Are these managed code Dll's or standard windows Dll's?
     
  8. CODYQX4

    CODYQX4 MDL Developer

    #8 CODYQX4, Sep 16, 2011
    Last edited: Sep 16, 2011
    As far as this tool goes, we are not injecting code, but just editing the memory, sort of like there are tools that let you cheat in games by editing stats/score in memory. I used a class called ProcessMemoryReader.cs, then built my own functions to easily convert types of strings to byte array, etc...

    Honestly, looking at the code mostly appears to be Win32 API stuff, not really a language thing there.

    PS: When we run KMS in RAM, we create a suspended process and overwrite it with KMSEmulator. This makes the exe execute as vbc.exe but with the same memory and context as KMSEmulator. This however is not code injection in the literal sense of the word. When I hear code/dll injection I think of DLLs that add a new menu item; that is real code injection. The memory execute just mimics the OS process loading process so that we can run an exe but with code from a different program.
     
  9. CODYQX4

    CODYQX4 MDL Developer

    Something to consider, since any dev using this is using the same techniques of OTK, and inheriting their strengths and weaknesses.

    I compile CMemoryExecute as part of the code. It is baked into the exe 24/7 and by doing this I have caused OTK exe to start getting AV heat.

    Posted here is an idea of interest: http://leetcoders.org/forum/printthread.php?tid=207

    They use the same code for RAM Injection, but compile it as a DLL, and they base64 encode the dll as text and load it via reflection. We could use this so the code doesn't get called/seen until needed, less likely to create issues.

    I feel that I have ways to reduce AV positives.
     