MemoryMapper is a lightweight code library that lets researchers map native or managed assemblies directly into memory by way of process injection and self-injection. Notably, the injection techniques the tool provides support injecting assembly code into a process that is already running. Beyond injecting assembly code into memory, MemoryMapper also provides encryption, decryption, and generation of various kinds of cryptographically strong data.
1. Windows 7 SP1 or later;
2. .NET Framework 4.6.1;
- View the structure of PE files;
- Read resources from managed and native assemblies;
- Map native assemblies into memory using process injection and self-injection;
- Map managed assemblies into memory using process injection and other techniques;
- Get the byte array of a file of any size;
- Encrypt and decrypt whole files and raw bytes;
- Generate and verify checksums of files and raw bytes;
- Generate cryptographically strong random data with a SecureRandom object;
- Bundles several encryption and hashing algorithms:
  - Encryption: AES (ECB), AES (CBC), AES (CFB), AES (OFB), AES (CTR);
  - Hashing: MD5, RIPEMD160, SHA1, SHA256, SHA384, SHA512;
Researchers can clone the project source to a local machine with the following command:
git clone https://github.com/jasondrawdy/MemoryMapper.git
This sample demonstrates how to use the NativeLoader to statically map a native assembly into memory. The example loads the file by reading all of its bytes from disk, then injects the PE (Portable Executable) represented by those bytes directly into memory. Combining the native loader with the dynamic code compilation in the Amaterasu library makes it possible to compile code dynamically and inject all of it into memory.
using System;
using System.IO;
using System.Reflection;
using MemoryMapper;

namespace Example
{
    class Program
    {
        static void Main(string[] args)
        {
            // Get the bytes of the file we want to load.
            var filePath = "FileToReadBytesOf";
            var fileBytes = File.ReadAllBytes(filePath);

            // Check if the assembly is managed or native.
            bool isManaged = false;
            try
            {
                // Note: this is one of the simplest variations of checking assemblies.
                // GetAssemblyName throws BadImageFormatException for a native (non-.NET)
                // image, which the catch below treats as "not managed".
                var assemblyName = AssemblyName.GetAssemblyName(filePath);
                if (assemblyName != null && assemblyName.FullName != null)
                    isManaged = true;
            }
            catch { isManaged = false; }

            // Try loading the assembly if it's truly native.
            if (!isManaged)
            {
                NativeLoader loader = new NativeLoader();
                if (loader.LoadAssembly(fileBytes))
                    Console.WriteLine("Assembly loaded successfully!");
                else
                    Console.WriteLine("Assembly could not be loaded.");
            }

            // Wait for user interaction.
            Console.Read();
        }
    }
}
This sample demonstrates how to read the bytes of a managed assembly (or use an embedded byte array), then use the ManagedLoader to inject that code into the currently running process and statically map the managed assembly into memory. Almost any managed assembly can be mapped with the ManagedLoader provided by this project.
using System;
using System.IO;
using System.Reflection;
using MemoryMapper;

namespace Example
{
    class Program
    {
        static void Main(string[] args)
        {
            // Get the bytes of the file we want to load.
            var filePath = "FileToReadBytesOf";
            var fileBytes = File.ReadAllBytes(filePath);

            // Check if the assembly is managed or native.
            bool isManaged = false;
            try
            {
                // Note: this is one of the simplest variations of checking assemblies.
                // GetAssemblyName throws BadImageFormatException for a native (non-.NET)
                // image, which the catch below treats as "not managed".
                var assemblyName = AssemblyName.GetAssemblyName(filePath);
                if (assemblyName != null && assemblyName.FullName != null)
                    isManaged = true;
            }
            catch { isManaged = false; }

            // Try loading the assembly if it's truly managed.
            if (isManaged)
            {
                // Set the name of a surrogate process - the process we'll inject into.
                var processName = "explorer.exe"; // Can also be the current process's name for self-injection.
                ManagedLoader loader = new ManagedLoader();
                if (loader.LoadAssembly(fileBytes, processName))
                    Console.WriteLine("Assembly loaded successfully!");
                else
                    Console.WriteLine("Assembly could not be loaded.");
            }

            // Wait for user interaction.
            Console.Read();
        }
    }
}
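Both samples above decide between NativeLoader and ManagedLoader by calling AssemblyName.GetAssemblyName, which depends on the .NET loader rejecting a non-.NET image. The Python below is an added example, not part of MemoryMapper, that makes the same managed-versus-native decision by reading the PE headers directly (the CLR runtime header is data directory index 14), which is also how a triage script can classify a file without loading it; build_sample_pe is a constructed, header-only image that exists only to exercise the parser.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the .NET runtime header
COFF_HEADER = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics

def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to tell a managed (.NET) module from native code."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories start 96 bytes into the optional header
        dirs = opt + 96
    elif magic == 0x20B:  # PE32+: 112 bytes in, because ImageBase and the size fields are 64-bit
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dirs + CLR_DIRECTORY_INDEX * 8
    if entry + 8 > opt + opt_size:  # image declares fewer than 15 data directories
        raise ValueError("optional header too short for a CLR directory entry")
    clr_rva, clr_size = struct.unpack_from("<II", data, entry)
    sect = opt + opt_size  # section table follows the optional header, 40 bytes per entry
    names = [data[sect + i * 40:sect + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsect)]
    return {"magic": magic, "machine": machine, "sections": names,
            "clr_rva": clr_rva, "clr_size": clr_size}

def is_managed(data: bytes) -> bool:
    """A module is managed when the CLR runtime header directory entry is populated."""
    info = parse_pe(data)
    return info["clr_rva"] != 0 and info["clr_size"] != 0

def build_sample_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed test image: headers only, not loadable, just enough for parse_pe()."""
    magic, dirs_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dirs_off + 16 * 8)  # a full set of 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    if managed:  # point the CLR entry at a made-up RVA; sizeof(IMAGE_COR20_HEADER) == 0x48
        struct.pack_into("<II", opt, dirs_off + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)  # e_lfanew = 0x80
    coff = struct.pack(COFF_HEADER, 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text".ljust(8, b"\0") + bytes(32)
    return dos + b"PE\0\0" + coff + bytes(opt) + section
```

On a real file, `is_managed(open(path, "rb").read())` gives the same answer as the C# check above for well-formed images, but it never hands the bytes to a loader.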