private InjectedModule InjectLibraryExternal(string libraryPath) { // Injecting remotely consists of a few steps: // 1. GetProcAddress on kernel32 to get a pointer to LoadLibraryW // 2. Allocate chunk of memory to write the path to our library to // 3. CreateRemoteThread that calls LoadLibraryW and pass it a pointer to our chunk // 4. Get thread's exit code // 5. ???? // 6. Profit var memory = _memory as ExternalProcessMemory; // Realistically won't happen, but code analysis complains about it being null. if (memory == null) { throw new InvalidOperationException("A valid memory instance is required for InjectLibraryExternal!"); } if (memory.ProcessHandle.IsInvalid) { throw new InvalidOperationException("Can not inject library with an invalid ProcessHandle in ExternalProcessMemory!"); } var path = Path.GetFullPath(libraryPath); var libraryFileName = Path.GetFileName(libraryPath); ProcessModule ourModule; SafeMemoryHandle threadHandle = null; SafeMemoryHandle kernel32Handle = null; try { kernel32Handle = UnsafeNativeMethods.GetModuleHandle(UnsafeNativeMethods.Kernel32); var loadLibraryPtr = UnsafeNativeMethods.GetProcAddress(kernel32Handle.DangerousGetHandle(), "LoadLibraryW"); if (loadLibraryPtr == IntPtr.Zero) { throw new BlueRainInjectionException("Couldn't obtain handle to LoadLibraryW in remote process!"); } var pathBytes = Encoding.Unicode.GetBytes(path); using (var alloc = memory.Allocate((UIntPtr)pathBytes.Length)) { alloc.WriteBytes(IntPtr.Zero, pathBytes); threadHandle = UnsafeNativeMethods.CreateRemoteThread(memory.ProcessHandle.DangerousGetHandle(), IntPtr.Zero, 0x0, loadLibraryPtr, alloc.Address, 0, IntPtr.Zero); if (threadHandle.IsInvalid) { throw new BlueRainInjectionException( "Couldn't obtain a handle to the remotely created thread for module injection!"); } } // ThreadWaitValue.Infinite = 0xFFFFFFFF = uint.MaxValue - Object0 = 0x0 if (UnsafeNativeMethods.WaitForSingleObject(threadHandle.DangerousGetHandle(), uint.MaxValue) != 0x0) { throw new BlueRainInjectionException( "WaitForSingleObject returned an unexpected value while waiting for the remote thread to be created for module injection."); } uint exitCode; if (!UnsafeNativeMethods.GetExitCodeThread(threadHandle.DangerousGetHandle(), out exitCode)) { throw new BlueRainInjectionException("Couldn't obtain exit code for LoadLibraryW thread in remote process!"); } // Let's make sure our module is actually present in the remote process now (assuming it's doing nothing special to hide itself..) var moduleHandle = UnsafeNativeMethods.GetModuleHandle(libraryFileName); if (moduleHandle.IsInvalid) { throw new BlueRainInjectionException( "Couldn't obtain module handle to remotely injected library after LoadLibraryW!"); } ourModule = memory.Process.Modules.Cast <ProcessModule>() .FirstOrDefault(m => m.BaseAddress == moduleHandle.DangerousGetHandle()); } finally { if (threadHandle != null && !threadHandle.IsClosed) { threadHandle.Close(); } if (kernel32Handle != null && !kernel32Handle.IsClosed) { kernel32Handle.Close(); } } // We can safely do this - if something went wrong we wouldn't be here. var module = new InjectedModule(ourModule, _memory); _injectedModules.Add(path, module); return(module); }