Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 06-19-2022, 23:59
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 45
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 33
Thanks Rcvd at 21 Times in 15 Posts
mcr4ck Reputation: 1
Loader and Patch Dll file in C#

hi

Loader in C#
A project in C# language
that you can patch in this program with this DLL file


Code:
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Globalization;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;

namespace ConsoleApplication1
{
    class Program
    {
        [DllImport("kernel32.dll")]
        static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
        [DllImport("kernel32.dll")]
        static extern uint SuspendThread(IntPtr hThread);
        [DllImport("kernel32.dll")]
        static extern int ResumeThread(IntPtr hThread);
        [DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
        static extern bool CloseHandle(IntPtr handle);
        //

        [DllImport("kernel32.dll")]
        static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Boolean bInheritHandle, UInt32 dwProcessId);
        [DllImport("kernel32.dll")]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, UIntPtr nSize, uint lpNumberOfBytesWritten);

        [DllImport("kernel32.dll")]
        static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
           UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool WriteProcessMemory(
            IntPtr hProcess,
            IntPtr lpBaseAddress,
            byte[] lpBuffer,
            int nSize,
            out IntPtr lpNumberOfBytesWritten);

        static IntPtr Handle;
        static IntPtr baseadd;
        const int MEM_COMMIT = 0x00001000;
        const int PAGE_READWRITE = 0x04;
        const int PROCESS_WM_READ = 0x0010;
        const int PAGE_EXECUTE_READ = 0x20;
        const int PAGE_READONLY = 0x02;
        const int PAGE_EXECUTE_READWRITE = 0x40;

        public enum ThreadAccess : int
        {
            TERMINATE = (0x0001),
            SUSPEND_RESUME = (0x0002),
            GET_CONTEXT = (0x0008),
            SET_CONTEXT = (0x0010),
            SET_INFORMATION = (0x0020),
            QUERY_INFORMATION = (0x0040),
            SET_THREAD_TOKEN = (0x0080),
            IMPERSONATE = (0x0100),
            DIRECT_IMPERSONATION = (0x0200)
        }


        [DllImport("kernel32.dll")]
        public static extern bool ReadProcessMemory(IntPtr hProcess, Int64 lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out  IntPtr lpNumberOfBytesRead);
        //
        private static void SuspendProcess(int pid)
        {
            var process = Process.GetProcessById(pid);

            if (process.ProcessName == string.Empty)
                return;

            foreach (ProcessThread pT in process.Threads)
            {
                IntPtr pOpenThread = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)pT.Id);

                if (pOpenThread == IntPtr.Zero)
                {
                    continue;
                }

                SuspendThread(pOpenThread);

                CloseHandle(pOpenThread);
            }
        }
        //
        public static void ResumeProcess(int pid)
        {
            var process = Process.GetProcessById(pid);

            if (process.ProcessName == string.Empty)
                return;

            foreach (ProcessThread pT in process.Threads)
            {
                IntPtr pOpenThread = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)pT.Id);

                if (pOpenThread == IntPtr.Zero)
                {
                    continue;
                }

                var suspendCount = 0;
                do
                {
                    suspendCount = ResumeThread(pOpenThread);
                } while (suspendCount > 0);

                CloseHandle(pOpenThread);
            }
        }

        //
    static    Process prc;
   static bool v;
  static int b;
        static void Main(string[] args)
        {
            try
            {
                //
                string startupPath = @"C:\Test.exe";
                   
                using (Process myProcess = new Process())
                {
                     ProcessStartInfo myProcessStartInfo = new ProcessStartInfo(startupPath);
                   
                    myProcess.StartInfo = myProcessStartInfo;
                   
                    myProcess.Start();
                main1:
                    Thread.Sleep(1300);
					//SuspendProcess for Change byte
                    SuspendProcess(myProcess.Id);
                   

                        ProcessModule myProcessModule;
                        // Get all the modules associated with 'myProcess'.
                        ProcessModuleCollection myProcessModuleCollection = myProcess.Modules;
                        for (int i = 0; i < myProcessModuleCollection.Count; i++)
                        {
                            
                            myProcessModule = myProcessModuleCollection[i];
                            if (myProcessModule.ModuleName == "test.dll")
                            {
                                Console.WriteLine(myProcessModule.ModuleName);
                            }
                            
                        
                        }
						//time deley
						//you change
                        b += 20;
                        ResumeProcess(myProcess.Id);
                        Thread.Sleep(b);
                        SuspendProcess(myProcess.Id);
                        int m = 0;


                        goto main1;
                   
                }

                    //byte orginal

                string hex_to_find = "2DE1630000";
                byte[] hexfbytes = ConvertHexStringToByteArray(hex_to_find);
				//byte Changed
                string hex_replacewith = "83E8009090";  // just return true in ilcode
                byte[] hexreplacebytes = ConvertHexStringToByteArray(hex_replacewith);
                //
       
              
           
            //  
              //prc.WaitForInputIdle();
                Handle = prc.Handle;
               pat:
              
               foreach (ProcessModule module in prc.Modules)
               {


                   //dll moduls

                   if (string.Compare(module.ModuleName, "test.dll", true) == 0)
                   {
                      
                       baseadd = module.BaseAddress + 0x1000;
                       IntPtr bytesRead;

                       byte[] buffer = new byte[module.ModuleMemorySize];
                       ReadProcessMemory((IntPtr)Handle, (Int64)baseadd, buffer, buffer.Length, out bytesRead);
                       //
                       for (int i = 0; i < (int)module.ModuleMemorySize; i++)
                       {
                           if (buffer[i + 0] == hexfbytes[0])  // first time check only one byte!
                           {
                               bool isfinded = true;
                               for (int j = 0; j < hexfbytes.Length; j++)
                               {

                                   if ((i + j) >= buffer.Length || buffer[i + j] != hexfbytes[j])
                                   {
                                       isfinded = false;
                                       break;
                                   }

                               }

                               if (isfinded)
                               {  // if finded patch the memory:
                                   IntPtr lpAddressWhereToPatch = (IntPtr)((long)baseadd + (long)i);
                                   IntPtr numberofbyteswritten = IntPtr.Zero;
                                   bool is_write_ok = WriteProcessMemory(Handle, lpAddressWhereToPatch,
                                                                         hexreplacebytes, hexreplacebytes.Length,
                                                                         out numberofbyteswritten);
                                  
                                   v = true;
                                  
                                   break;

                               }

                           }




                       }
                   }
               }
               if (v ==false)
               {
               pat1:
                  
                   ResumeProcess(prc.Id);
                
                   SuspendProcess(prc.Id);
                   goto pat;

                   goto pat1;
                   ResumeProcess(prc.Id);
               }
               ResumeProcess(prc.Id);
            }
            catch (Exception ex)
            {
                ResumeProcess(prc.Id);
                prc.Close();
                
            }
        }

        public static byte[] ConvertHexStringToByteArray(string hexString)
        {
            if (hexString.Length % 2 != 0)
            {
                throw new ArgumentException(String.Format(CultureInfo.InvariantCulture, "The binary key cannot have an odd number of digits: {0}", hexString));
            }

            byte[] HexAsBytes = new byte[hexString.Length / 2];
            for (int index = 0; index < HexAsBytes.Length; index++)
            {
                string byteValue = hexString.Substring(index * 2, 2);
                HexAsBytes[index] = byte.Parse(byteValue, NumberStyles.HexNumber, CultureInfo.InvariantCulture);
            }

            return HexAsBytes;
        }
    }
}
Reply With Quote
The Following 3 Users Say Thank You to mcr4ck For This Useful Post:
Mahmoudnia (08-17-2022), niculaita (06-20-2022), NoneForce (06-20-2022)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 21:41.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2022 )