29a-7.006

从29A上收集的病毒源码

from  the full path of mscorlib.dll (equivalent to getting the Windows  system
directory  from the module filename of kernel32.dll).  I don't know about  any
.NET equivalent of GetSystemDirectory().

Here is the code in C#:

    Type t = typeof(System.Object); //get handle to mscorlib.dll
    Assembly a = t.Assembly;        //get its assembly
    String s = a.CodeBase;          //get full path of mscorlib.dll

Here is the code in C++:

    Type *t = __typeof(System::Object); //get handle to mscorlib.dll
    Assembly *a = t->Assembly;          //get its assembly
    String *s = a->CodeBase;            //get full path of mscorlib.dll

Here is the code in JScript:

    var t : Type = System.Object.GetType() //get handle to mscorlib.dll
    var a : Assembly = t.Assembly          //get its assembly
    var s : String = a.CodeBase            //get full path of mscorlib.dll

Here is the code in Visual Basic:

    dim o as new Object                  'create an instance of System.Object
    dim t as Type : t = o.GetType()      'get handle to mscorlib.dll
    dim a as [Assembly] : a = t.Assembly 'get its assembly
    dim s as String : s = a.CodeBase     'get full path of mscorlib.dll

Now  that  we  have  the full path of mscorlib.dll, we have  the  .NET  system
directory.   We simply replace "mscorlib.dll" with "system.dll", then load the
system.dll.  This is the .NET equivalent of LoadLibrary().

Here is the code in C#:

    s = s.Replace("mscorlib.dll", "system.dll"); //get full path of system.dll
    a = Assembly.LoadFrom(s);                    //load assembly from file

Here is the code in C++:

    s = s->Replace("mscorlib.dll", "system.dll"); //get full path of system.dll
    a = Assembly::LoadFrom(s);                    //load assembly from file

Here is the code in JScript:

    s = s.Replace("mscorlib.dll", "system.dll") //get full path of system.dll
    a = Assembly.LoadFrom(s)                    //load assembly from file

Here is the code in Visual Basic:

    s = s.Replace("mscorlib.dll", "system.dll") 'get full path of system.dll
    a = [Assembly].LoadFrom(s)                  'load assembly from file

An  assembly is the .NET equivalent of a module handle.  Using an assembly, we
can  get  the  address of any method, by using the GetType()  method  and  the
GetMethod() method.  This is the .NET equivalent of GetProcAddress().

Here is the code in C#:

    t = a.GetType("System.Diagnostics.Process");     //get class (Process)
    MethodInfo m = t.GetMethod("GetCurrentProcess"); //get method interface

Here is the code in C++:

    t = a->GetType("System.Diagnostics.Process");      //get class (Process)
    MethodInfo *m = t->GetMethod("GetCurrentProcess"); //get method interface

Here is the code in JScript:

    t = a.GetType("System.Diagnostics.Process")           //get class (Process)
    var m : MethodInfo = t.GetMethod("GetCurrentProcess") //get method interface

Here is the code in Visual Basic:

    t = a.GetType("System.Diagnostics.Process")                'get class (Process)
    dim m as MethodInfo : m = t.GetMethod("GetCurrentProcess") 'get method interface

Now we can call our method.

Here is the code in C#:

    Object o = m.Invoke(null, null); //call GetCurrentProcess()

Here is the code in C++:

    Object *o = m->Invoke(0, 0); //call GetCurrentProcess()

Here is the code in JScript:

    var o : Object = m.Invoke(null, null) //call GetCurrentProcess()

Here is the code in Visual Basic:

    o = m.Invoke(nothing, nothing) 'call GetCurrentProcess()

Okay, so now we know how to call a method dynamically.

Here is the rest of the code in C#:

    t = o.GetType();                              //get class (Process)
    PropertyInfo p = t.GetProperty("MainModule"); //get property interface
    o = p.GetValue(o, null);                      //get MainModule value
    t = o.GetType();                              //get class (ProcessModule)
    p = t.GetProperty("BaseAddress");             //get property interface
    o = p.GetValue(o, null);                      //get BaseAddress value

Here is the rest of the code in C++:

    t = o->GetType();                               //get class (Process)
    PropertyInfo *p = t->GetProperty("MainModule"); //get property interface
    o = p->GetValue(o, 0);                          //get MainModule value
    t = o->GetType();                               //get class (ProcessModule)
    p = t->GetProperty("BaseAddress");              //get property interface
    o = p->GetValue(o, 0);                          //get BaseAddress value

Here is the rest of the code in JScript:

    t = o.GetType()                                    //get class (Process)
    var p : PropertyInfo = t.GetProperty("MainModule") //get property interface
    o = p.GetValue(o, null)                            //get MainModule value
    t = o.GetType()                                    //get class (ProcessModule)
    p = t.GetProperty("BaseAddress")                   //get property interface
    o = p.GetValue(o, null)                            //get BaseAddress value

Here is the rest of the code in Visual Basic:

    t = o.GetType()                                         'get class (Process)
    dim p as PropertyInfo : p = t.GetProperty("MainModule") 'get property interface
    o = p.GetValue(o, nothing)                              'get MainModule value
    t = o.GetType()                                         'get class (ProcessModule)
    p = t.GetProperty("BaseAddress")                        'get property interface
    o = p.GetValue(o, nothing)                              'get BaseAddress value

So much code for such a simple thing.  Anyway...

Let's print the value in C#:

    Int32 i = ((IntPtr) o).ToInt32(); //convert to Int32
    Console.WriteLine("{0:x}", i);    //display it in hex

Let's print the value in C++:

    Int32 i = dynamic_cast<IntPtr *>(o)->ToInt32(); //convert to Int32
    Console.WriteLine("{0:x}", __box(i));           //display it in hex

Let's print the value in JScript:

    var i : Int32 = o.ToInt32()   //convert to Int32
    Console.WriteLine("{0:x}", i) //display it in hex

Let's print the value in Visual Basic:

    dim i as Int32 : i = DirectCast(o, IntPtr).ToInt32() 'convert to Int32
    Console.WriteLine("{0:x}", i)                        'display it in hex

This  code  also requires the #US stream, because it contains strings.  It  is
possible  to build strings dynamically to avoid creating the stream, but  that
requires  still more code.  However, if you need to access external functions,
then this is how it is done.


Building strings dynamically

In  the object-oriented world, type conversion usually happens  transparently.
This  means that a Byte value can be converted to a Char simply by storing the
Byte  value  in the Char variable.  We can make strings by storing Bytes in  a
Char  array.   We  can write multiple Bytes at a time with the  Marshal  class
methods, such as WriteInt32() and WriteInt64().  Here is an example of that:

    Char[] ourstr = new Char[8]; Marshal.WriteInt64(ourstr, 0, 0x4139322f626772);       //C#
    Char ourstr __gc[] = new Char[8]; Marshal::WriteInt64(ourstr, 0, 0x4139322f626772); //C++
    var ourstr : Char[] = new Char[8] : Marshal.WriteInt64(ourstr, 0, 0x4139322f626772) //JScript
    dim ourstr(8) as Char : Marshal.WriteInt64(ourstr, 0, &h4139322f626772)             'Visual Basic

Warning:  the  JScript .NET Compiler version 7.00.9502 (.NET  v1.0)  7.10.2292
(.NET  v1.1  final  beta)  and 7.10.3052 (.NET v1.1) has  a  bug  with  64-bit
numbers,  so the last byte is either lost or damaged (becomes 0x4139322f626774
in the example).

I  have not found any method to convert multiple Bytes to a character  string,
without an array.


Greets to friendly people (A-Z):

Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel -
The Gingerbread Man - Ultras - Vecna - VirusBuster - Whitehead


rgb/29A mar 2003
iam_rgb@hotmail.com