RunPE | C # Reflective loader for unmanaged binaries | Reverse Engineering library

 by   nettitude C# Version: v1.0 License: BSD-3-Clause

X-RayKey FeaturesCode SnippetsCommunity Discussions(3)VulnerabilitiesInstallSupport

kandi X-RAY | RunPE Summary

kandi X-RAY | RunPE Summary

RunPE is a C# library typically used in Utilities, Reverse Engineering applications. RunPE has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can download it from GitHub.

C# Reflective loader for unmanaged binaries.
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              RunPE has a low active ecosystem.
              It has 350 star(s) with 53 fork(s). There are 11 watchers for this library.
              OutlinedDot
              It had no major release in the last 12 months.
              There are 5 open issues and 7 have been closed. On average issues are closed in 211 days. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of RunPE is v1.0

            kandi-Quality Quality

              RunPE has no bugs reported.

            kandi-Security Security

              RunPE has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

              RunPE is licensed under the BSD-3-Clause License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              RunPE releases are available to install and integrate.
              Installation instructions, examples and code snippets are available.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of RunPE
            Get all kandi verified functions for this library.

            RunPE Key Features

            No Key Features are available at this moment for RunPE.

            RunPE Examples and Code Snippets

            No Code Snippets are available at this moment for RunPE.

            Community Discussions

            Trending Discussions on RunPE

            PE injection fails if injector gets launched by specific application?
            RunPE doesen't work when using a .NET file
            RunPE memory malfunction

            QUESTION

            PE injection fails if injector gets launched by specific application?
            Asked 2021-Apr-18 at 12:46

            Short disclaimer: As this question includes topics regarding hacking/pentesting, I'd like to state that this question is only asked for educational purposes as part of a school project. To prevent possible abuse, I will only post code that is necessary for understanding the problem.

            To demonstrate dangers and vulnerabilities of Windows 10, I'm currently writing a small C++/WinAPI application that utilizes two common techniques:

            • A UAC bypass using the "fodhelper technique" (this works by simply setting a specific registry value to the path of the executable which is supposed to be elevated and then launching an automatically elevated Windows executable called "fodhelper.exe", which will then read the registry value and execute it as command/launch the specified application).
            • Performing PE injection, i.e. running a PE file from the address space of the current process (based on this example from github). The PE that gets injected in my program is a simple C++ Console Application (x86) that prints a message box. The shellcode is hardcoded in the injector binary (x86).

            I managed to perform both of these techniques successfully in independent files. However, once I combine these two methods (i.e. first elevating, then injecting), a weird error appears.

            Description of the problem

            When the injector gets started manually (by double clicking), everything works fine, but when the injector is launched by System32\fodhelper.exe (x64) as a result of the UAC bypass, the following happens: After the injection has finished, the console window of the injected application appears, but instead of continuing the execution, I receive a bunch of error messages stating "The code execution cannot proceed because [garbage characters].dll was not found". This indicates that something went wrong with the offsets, and the Windows loader is trying to read the imports at a wrong position.

            To summarize: The code injection works fine, unless the injector was started by fodhelper.exe. In this case the injected PE file is unable to run.

            Things I have tried so far to find the origin of the issue
            • Debugging the injection using GetLastError and printing the various memory addresses used during the injection. There is no difference if the file is manually started (and the injection is successful) or if it gets started by fodhelper.exe (and the injection fails).
            • Replace the WriteProcessMemory calls with WriteFile to compare the output file when the injector gets manually launched or by fodhelper.exe. Both output files are exactly the same and runnable. This indicates that the injection itself is not the problem, but the Windows loader seems to act differently.
            • Manually elevating the injector using UAC or by using an elevated command prompt. In both cases, the injection is successful.
            • Copying fodhelper.exe to another location (for example to the desktop) and launching this copy. In this case, the injection is successful. The injection only fails if the injector gets started by the original fodhelper.exe in the System32 folder.

            It seems that the injection behaves completely identical, but the indicators show that due to some unknown impact of fodhelper.exe that gets passed down to the injector, the Windows loader seems to behave differently.

            I appreciate any explanation or assumption! Feel free to ask if you require more information.

            Minimal reproducible example

            (with limited debug info and comments): https://0bin.net/paste/UPRIg12n#6nJvBok72UcDvIa56c-XEss7AibIh1Zrs+c3sUzvQMj

            Note: See how the injection works if you exclude the elevateProcess function or manually elevate the exe with UAC, and how it fails when including said function.

            Edit

            According to the answer by user RbMm, this error is a result of a specific exploit protection attribute (PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY with the EnableModuleTamperingProtection value) that gets automatically applied onto fodhelper.exe and seemingly gets inherited by all child processes. According to this, removing/resetting this attribute when launching the target process should fix the error. So far I've tried the following, but couldn't achieve any change in the outcome:

            ...

            ANSWER

            Answered 2021-Apr-18 at 02:07

            when process created via RunAs with elevation - the appinfo.dll call RAiLaunchAdminProcess function (this is in some svchost.exe) and this function, pass STARTUPINFOEX (and EXTENDED_STARTUPINFO_PRESENT flag) to CreateProcessAsUser. and here - lpAttributeList, in particular PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute key is used for set several exploit mitigation policy for the child process (fodhelper.exe in your case). and here EnableModuleTamperingProtection is set for child process tree. effect of this - when system resolve import descriptor, it check (inside LdrpGetImportDescriptorForSnap) for this mitigation flag, and if it enabled - call LdrpCheckPagesForTampering api, it return true, if SharedOriginal is 0, this means this is a copy-on-write private copy of the EXE/IAT -- hence 'tampered' with. after this LdrpMapCleanModuleView is called. at this point your try begin breaking

            possible first public info about this, from Alex Ionescu -

            LdrpCheckPagesForTampering/LdrpMapCleanModuleView (RS3) are pretty cool antihollowing mitigations (EPROCESS.EnableModuleTamperingProtection)

            if you by self launch new process, you of course not call UpdateProcThreadAttribute for set PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY and in this case, your code sometime work. really only random and sometime - here exist many other errors and bad codding

            Source https://stackoverflow.com/questions/67141766

            QUESTION

            RunPE doesen't work when using a .NET file
            Asked 2020-Oct-25 at 13:38

            Disclaimer: I am using RunPE only for educational purposes and on my own computer.

            First of all: hello everyone! I am attempting to use RunPE using a file that has .NET dependencies (written in C# language).

            First of all, the code does not show any problems when using a native c++ file instead of a .NET one:

            But whenever I try to use a file coded in C# or with .NET dependencies, this happens:

            I did some digging and, on another StackOverflow thread, I found this (RunPE c++ only works with 32 console):

            1.gui applications only run on the memory of other GUI applications as well GUI application only run on memory of other cui application. because cui application on new windows run by conhost and not direct.

            2.for run .net application from memory in c++ you must repair import table and other thing.to run .net application from .net is simply with

            The answer itself it's not very good, but it shines some light on what the problem might be: the import table needs rebuilding and we need to run the application inside another GUI application, and not a console one like I am doing.

            I have no idea on how to rebuild the import table in C++, neither I know what the other "thing" is.

            Anyone has some useful documentation or knows how to rebuild the import table in C++?

            Here I leave my code for further analysis:

            ...

            ANSWER

            Answered 2020-Oct-25 at 13:38

            Compiler setting /cls fixed everything, it is important when attempting RunPE using .NET binaries.

            Source https://stackoverflow.com/questions/64406870

            QUESTION

            RunPE memory malfunction
            Asked 2020-Mar-15 at 13:15

            Whenever executing my executable file, it works 80% of the time. The other 20% of the time, I receive a 0xc00000005 error from Windows. I believe this may be a memory problem, but I'm not sure how to fix it. I have spent too much time trying to figure out how I can fix this, so I am now coming here. I'm using Visual Studio.

            I debugged the program and it's failing right here at the debug script named "Write process memory step 1: Failed."

            ...

            ANSWER

            Answered 2020-Mar-10 at 15:54

            You have an error on the calculation of your NtHeader pointer and this causes a denied access when you try to access to NtHeader->Signature. Your pointer should be calculated like this:

            Source https://stackoverflow.com/questions/60620836

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install RunPE

            Edit the compilation symbols to quickly adjust the program flow: (Right click the project in Visual Studio -> Properties -> Build -> Conditional Compilation Symbols).
            DEBUG (automatically added in Debug release mode) -> Very verbose logging
            BREAK_TO_ATTACH -> Print "Press Enter to continue..." and await input so can attach debugger
            LOG_TO_FILE -> Log the RunPE output to a file in C:\Users\Public instead of to the console

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .
            Find more information at:

            Reuse Trending Solutions

            build-a-realtime-voice-to-image-generator-using-generative-ai
            build-a-realtime-voice-to-image-generator-using-generative-ai
            Build a Realtime Voice-to-Image Generator using Generative AI
            image-resizing-using-opencv-in-python
            image-resizing-using-opencv-in-python
            Image Resizing using OpenCV in Python
            build-your-own-gpt4all-content-generator
            build-your-own-gpt4all-content-generator
            Build your own Custom GPT Content Generator (Open-Source ChatGPT Alternative)
            validate-an-email-address-in-javascript
            validate-an-email-address-in-javascript
            How to Validate an Email Address in JavaScript
            age-calculator-using-javascript
            age-calculator-using-javascript
            Age Calculator using JavaScript
            addressing-bias-in-ai---toolkit-for-fairness,-explainability-and-privacy
            addressing-bias-in-ai---toolkit-for-fairness,-explainability-and-privacy
            Addressing Bias in AI - Toolkit for Fairness, Explainability and Privacy
            javascript-node-js-payment-processing
            javascript-node-js-payment-processing
            15 best JavaScript Node.js Payment libraries
            build-credit-risk-predictor-using-federated-learning
            build-credit-risk-predictor-using-federated-learning
            Build Credit Risk predictor using Federated Learning
            top-10-javascript-tours-and-guides-libraries-in-2023
            top-10-javascript-tours-and-guides-libraries-in-2023
            10 Best JavaScript Tours and Guides Libraries in 2023
            disease-predictor
            disease-predictor
            Disease Predictor using Pandas & Scikit
            python-face-recognition
            python-face-recognition
            28 best Python Face Recognition libraries

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            CLONE
          • HTTPS

            https://github.com/nettitude/RunPE.git

          • CLI

            gh repo clone nettitude/RunPE

          • sshUrl

            git@github.com:nettitude/RunPE.git

            • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Reverse EngineeringUtilities

            Reuse Utilities Kits

            Dictionary App
            File Management System
            Barcode Reader
            10 best C# Build Tools libraries
            Triple_trouble Kit
            See all related Kits

            Consider Popular Reverse Engineering Libraries

            ghidra

            by NationalSecurityAgency

            radare2

            by radareorg

            ILSpy

            by icsharpcode

            bytecode-viewer

            by Konloch

            ImHex

            by WerWolv

            See all Reverse Engineering Libraries

            Try Top Libraries by nettitude

            PoshC2

            by nettitudePowerShell

            xss_payloads

            by nettitudePHP

            PoshC2_Old

            by nettitudePowerShell

            SharpSocks

            by nettitudeC#

            SharpWSUS

            by nettitudeC#

            See all Learning Libraries

            Open Weaver – Develop Applications Faster with Open Source

            kandi

            Community and Support

            Company

            Follow

            • © 2023 Open Weaver Inc.