hi
Loader in C#
A project in C# language
that you can patch in this program with this DLL file
Code:
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Globalization;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
namespace ConsoleApplication1
{
class Program
{
[DllImport("kernel32.dll")]
static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")]
static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
static extern int ResumeThread(IntPtr hThread);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
//
[DllImport("kernel32.dll")]
static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Boolean bInheritHandle, UInt32 dwProcessId);
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
byte[] lpBuffer, UIntPtr nSize, uint lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int nSize,
out IntPtr lpNumberOfBytesWritten);
static IntPtr Handle;
static IntPtr baseadd;
const int MEM_COMMIT = 0x00001000;
const int PAGE_READWRITE = 0x04;
const int PROCESS_WM_READ = 0x0010;
const int PAGE_EXECUTE_READ = 0x20;
const int PAGE_READONLY = 0x02;
const int PAGE_EXECUTE_READWRITE = 0x40;
public enum ThreadAccess : int
{
TERMINATE = (0x0001),
SUSPEND_RESUME = (0x0002),
GET_CONTEXT = (0x0008),
SET_CONTEXT = (0x0010),
SET_INFORMATION = (0x0020),
QUERY_INFORMATION = (0x0040),
SET_THREAD_TOKEN = (0x0080),
IMPERSONATE = (0x0100),
DIRECT_IMPERSONATION = (0x0200)
}
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(IntPtr hProcess, Int64 lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
//
private static void SuspendProcess(int pid)
{
var process = Process.GetProcessById(pid);
if (process.ProcessName == string.Empty)
return;
foreach (ProcessThread pT in process.Threads)
{
IntPtr pOpenThread = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)pT.Id);
if (pOpenThread == IntPtr.Zero)
{
continue;
}
SuspendThread(pOpenThread);
CloseHandle(pOpenThread);
}
}
//
public static void ResumeProcess(int pid)
{
var process = Process.GetProcessById(pid);
if (process.ProcessName == string.Empty)
return;
foreach (ProcessThread pT in process.Threads)
{
IntPtr pOpenThread = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)pT.Id);
if (pOpenThread == IntPtr.Zero)
{
continue;
}
var suspendCount = 0;
do
{
suspendCount = ResumeThread(pOpenThread);
} while (suspendCount > 0);
CloseHandle(pOpenThread);
}
}
//
static Process prc;
static bool v;
static int b;
static void Main(string[] args)
{
try
{
//
string startupPath = @"C:\Test.exe";
using (Process myProcess = new Process())
{
ProcessStartInfo myProcessStartInfo = new ProcessStartInfo(startupPath);
myProcess.StartInfo = myProcessStartInfo;
myProcess.Start();
main1:
Thread.Sleep(1300);
//SuspendProcess for Change byte
SuspendProcess(myProcess.Id);
ProcessModule myProcessModule;
// Get all the modules associated with 'myProcess'.
ProcessModuleCollection myProcessModuleCollection = myProcess.Modules;
for (int i = 0; i < myProcessModuleCollection.Count; i++)
{
myProcessModule = myProcessModuleCollection[i];
if (myProcessModule.ModuleName == "test.dll")
{
Console.WriteLine(myProcessModule.ModuleName);
}
}
//time deley
//you change
b += 20;
ResumeProcess(myProcess.Id);
Thread.Sleep(b);
SuspendProcess(myProcess.Id);
int m = 0;
goto main1;
}
//byte orginal
string hex_to_find = "2DE1630000";
byte[] hexfbytes = ConvertHexStringToByteArray(hex_to_find);
//byte Changed
string hex_replacewith = "83E8009090"; // just return true in ilcode
byte[] hexreplacebytes = ConvertHexStringToByteArray(hex_replacewith);
//
//
//prc.WaitForInputIdle();
Handle = prc.Handle;
pat:
foreach (ProcessModule module in prc.Modules)
{
//dll moduls
if (string.Compare(module.ModuleName, "test.dll", true) == 0)
{
baseadd = module.BaseAddress + 0x1000;
IntPtr bytesRead;
byte[] buffer = new byte[module.ModuleMemorySize];
ReadProcessMemory((IntPtr)Handle, (Int64)baseadd, buffer, buffer.Length, out bytesRead);
//
for (int i = 0; i < (int)module.ModuleMemorySize; i++)
{
if (buffer[i + 0] == hexfbytes[0]) // first time check only one byte!
{
bool isfinded = true;
for (int j = 0; j < hexfbytes.Length; j++)
{
if ((i + j) >= buffer.Length || buffer[i + j] != hexfbytes[j])
{
isfinded = false;
break;
}
}
if (isfinded)
{ // if finded patch the memory:
IntPtr lpAddressWhereToPatch = (IntPtr)((long)baseadd + (long)i);
IntPtr numberofbyteswritten = IntPtr.Zero;
bool is_write_ok = WriteProcessMemory(Handle, lpAddressWhereToPatch,
hexreplacebytes, hexreplacebytes.Length,
out numberofbyteswritten);
v = true;
break;
}
}
}
}
}
if (v ==false)
{
pat1:
ResumeProcess(prc.Id);
SuspendProcess(prc.Id);
goto pat;
goto pat1;
ResumeProcess(prc.Id);
}
ResumeProcess(prc.Id);
}
catch (Exception ex)
{
ResumeProcess(prc.Id);
prc.Close();
}
}
public static byte[] ConvertHexStringToByteArray(string hexString)
{
if (hexString.Length % 2 != 0)
{
throw new ArgumentException(String.Format(CultureInfo.InvariantCulture, "The binary key cannot have an odd number of digits: {0}", hexString));
}
byte[] HexAsBytes = new byte[hexString.Length / 2];
for (int index = 0; index < HexAsBytes.Length; index++)
{
string byteValue = hexString.Substring(index * 2, 2);
HexAsBytes[index] = byte.Parse(byteValue, NumberStyles.HexNumber, CultureInfo.InvariantCulture);
}
return HexAsBytes;
}
}
}