G0ldenGunSec/EnumCLR.c

## EnumCLR.c
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"


DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32GetModuleBaseNameA(HANDLE, HMODULE, LPSTR, DWORD);
DECLSPEC_IMPORT WINBASEAPI void WINAPI KERNEL32$Sleep(DWORD);
DECLSPEC_IMPORT int __cdecl MSVCRT$strstr(const char* _Str1, const char* _Str2);
DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$IsWow64Process(HANDLE, PBOOL);
DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE);

//to compile: cl.exe /c /GS- enumCLR.c /Fo./enumCLR.o

void go(char* args, int alen) {

	HMODULE hMods[256];
	DWORD aProcesses[325];
	DWORD cbNeeded;
	DWORD procNeeded;
	DWORD numProcesses;

	KERNEL32$K32EnumProcesses(aProcesses, sizeof(aProcesses), &procNeeded);

	numProcesses = procNeeded / sizeof(DWORD);

	if (numProcesses == 325)
	{
		BeaconPrintf(CALLBACK_OUTPUT, "WARNING: Process buffer filled, all running processes may not be enumerated");
	}

	for (int i = 0; i < numProcesses; i++)
	{
		HANDLE hProcess;
		hProcess = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
		if (hProcess > 0)
		{
			if (KERNEL32$K32EnumProcessModulesEx(hProcess, hMods, sizeof(hMods), &cbNeeded, LIST_MODULES_ALL))
			{
				int isCLR = 0;

				for (int mod = 0; mod < (cbNeeded / sizeof(HMODULE)); mod++)
				{
					CHAR szModuleName[MAX_PATH];
					KERNEL32$K32GetModuleBaseNameA(hProcess, hMods[mod], szModuleName, sizeof(szModuleName) / sizeof(CHAR));

					//compare module (loaded dll) name to our known CLR dll value (mscor)
					int s = MSVCRT$strstr(szModuleName, "mscor");
					if (s > 0)
					{
						isCLR = 1;
						mod = cbNeeded;
					}
				}
				if (isCLR == 1)
				{
					CHAR clrProcName[MAX_PATH];
					KERNEL32$K32GetModuleBaseNameA(hProcess, hMods[0], clrProcName, sizeof(clrProcName) / sizeof(CHAR));

					int isWOW64 = 0;
					KERNEL32$IsWow64Process(hProcess, &isWOW64);

					if (isWOW64 > 0)
					{
						BeaconPrintf(CALLBACK_OUTPUT, "Found a process with CLR loaded: %s [%i] (x86)", clrProcName, aProcesses[i]);
					}
					else
					{
						BeaconPrintf(CALLBACK_OUTPUT, "Found a process with CLR loaded: %s [%i]", clrProcName, aProcesses[i]);
					}
				}
			}
			KERNEL32$CloseHandle(hProcess);
		}
		KERNEL32$Sleep(1);
	}
	BeaconPrintf(CALLBACK_OUTPUT, "Finished search, any results should be displayed above.");
}
	#include <string.h>
	#include <stdio.h>
	#include <windows.h>
	#include <psapi.h>
	#include "beacon.h"


	DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
	DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
	DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
	DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32GetModuleBaseNameA(HANDLE, HMODULE, LPSTR, DWORD);
	DECLSPEC_IMPORT WINBASEAPI void WINAPI KERNEL32$Sleep(DWORD);
	DECLSPEC_IMPORT int __cdecl MSVCRT$strstr(const char* _Str1, const char* _Str2);
	DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$IsWow64Process(HANDLE, PBOOL);
	DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE);

	//to compile: cl.exe /c /GS- enumCLR.c /Fo./enumCLR.o

	void go(char* args, int alen) {

	HMODULE hMods[256];
	DWORD aProcesses[325];
	DWORD cbNeeded;
	DWORD procNeeded;
	DWORD numProcesses;

	KERNEL32$K32EnumProcesses(aProcesses, sizeof(aProcesses), &procNeeded);

	numProcesses = procNeeded / sizeof(DWORD);

	if (numProcesses == 325)
	{
	BeaconPrintf(CALLBACK_OUTPUT, "WARNING: Process buffer filled, all running processes may not be enumerated");
	}

	for (int i = 0; i < numProcesses; i++)
	{
	HANDLE hProcess;
	hProcess = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, aProcesses[i]);
	if (hProcess > 0)
	{
	if (KERNEL32$K32EnumProcessModulesEx(hProcess, hMods, sizeof(hMods), &cbNeeded, LIST_MODULES_ALL))
	{
	int isCLR = 0;

	for (int mod = 0; mod < (cbNeeded / sizeof(HMODULE)); mod++)
	{
	CHAR szModuleName[MAX_PATH];
	KERNEL32$K32GetModuleBaseNameA(hProcess, hMods[mod], szModuleName, sizeof(szModuleName) / sizeof(CHAR));

	//compare module (loaded dll) name to our known CLR dll value (mscor)
	int s = MSVCRT$strstr(szModuleName, "mscor");
	if (s > 0)
	{
	isCLR = 1;
	mod = cbNeeded;
	}
	}
	if (isCLR == 1)
	{
	CHAR clrProcName[MAX_PATH];
	KERNEL32$K32GetModuleBaseNameA(hProcess, hMods[0], clrProcName, sizeof(clrProcName) / sizeof(CHAR));

	int isWOW64 = 0;
	KERNEL32$IsWow64Process(hProcess, &isWOW64);

	if (isWOW64 > 0)
	{
	BeaconPrintf(CALLBACK_OUTPUT, "Found a process with CLR loaded: %s [%i] (x86)", clrProcName, aProcesses[i]);
	}
	else
	{
	BeaconPrintf(CALLBACK_OUTPUT, "Found a process with CLR loaded: %s [%i]", clrProcName, aProcesses[i]);
	}
	}
	}
	KERNEL32$CloseHandle(hProcess);
	}
	KERNEL32$Sleep(1);
	}
	BeaconPrintf(CALLBACK_OUTPUT, "Finished search, any results should be displayed above.");
	}