Beispiel #1
0
        static void Main(string[] args)
        {
            wow64cli.MEMORY_BASIC_INFORMATION64m memBasic = null;
            wow64cli.wow64Process proc = new wow64cli.wow64Process();
            byte[] buf = new byte[0x1000];
            uint status = 0;
            wow64cli.PageProtection old = 0;
            int size = 0;
            UInt64 ntdll = 0;
            var baseptr = (UInt64)Process.GetCurrentProcess().MainModule.BaseAddress;

            proc.Attach(Process.GetCurrentProcess().Id);
            ntdll  = proc.GetModuleHandle64("ntdll.dll", ref size);
            status = proc.VirtualQueryEx64(baseptr, ref memBasic);
            status = proc.ReadProcessMemory64(ntdll, ref buf, 0x1000);
            status = proc.VirtualProtectEx64(baseptr, 0x1000, wow64cli.PageProtection.page_readwrite, ref old);
            var res = proc.LoadLibrary64("C:\\windows\\system32\\kernelbase.dll");

            System.Console.WriteLine(res);
            System.Console.ReadKey(true);
        }
Beispiel #2
0
        static void Main(string[] args)
        {
            wow64cli.MEMORY_BASIC_INFORMATION64m memBasic = null;
            wow64cli.wow64Process proc = new wow64cli.wow64Process();
            byte[] buf    = new byte[0x1000];
            uint   status = 0;

            wow64cli.PageProtection old = 0;
            int    size    = 0;
            UInt64 ntdll   = 0;
            var    baseptr = (UInt64)Process.GetCurrentProcess().MainModule.BaseAddress;

            proc.Attach(Process.GetCurrentProcess().Id);
            ntdll  = proc.GetModuleHandle64("ntdll.dll", ref size);
            status = proc.VirtualQueryEx64(baseptr, ref memBasic);
            status = proc.ReadProcessMemory64(ntdll, ref buf, 0x1000);
            status = proc.VirtualProtectEx64(baseptr, 0x1000, wow64cli.PageProtection.page_readwrite, ref old);
            var res = proc.LoadLibrary64("C:\\windows\\system32\\kernelbase.dll");

            System.Console.WriteLine(res);
            System.Console.ReadKey(true);
        }