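 /// <summary>
 /// Resolves the base address of module <paramref name="name"/> inside the target process,
 /// using whichever lookup strategy <c>From</c> selects.
 /// </summary>
 /// <param name="curproc">Target process; only read by the <c>ProcessClass</c> strategy.</param>
 /// <param name="curmem">Memory accessor for the target process; used by the other two strategies.</param>
 /// <param name="name">Module file name such as "ws2_32.dll", matched case-insensitively.</param>
 /// <returns>
 /// The module base, 0 when the module is not (yet) loaded in the target, or -1 when
 /// <c>From</c> is not one of the known strategies. Callers must treat -1 as an error,
 /// not as an address.
 /// </returns>
 Int32 GetModuleAddress(Process curproc, ProcessMemory curmem, string name)
 {
     if (From == GetModuleFrom.ProcessClass)
     {
         var entry = GetModule(curproc.Modules, name);
         return entry == null ? 0 : entry.BaseAddress.ToInt32();
     }
     if (From == GetModuleFrom.Mirroring)
     {
         // Assume the target maps the module at the same base as this process, and only
         // confirm that the target has something mapped at that address. This does NOT
         // verify that the bytes there belong to the module; whoever patches code at an
         // address derived from this result must check the bytes first.
         // (Previously this branch ignored `name` and always looked up ws2_32.dll.)
         var localBase = ProcessMemory.GetModule(name);
         if (localBase == 0)
         {
             return 0;
         }
         var region = curmem.VirtualQuery(localBase);
         return region.State != ProcessMemory.MemoryState.Free ? localBase : 0;
     }
     if (From == GetModuleFrom.Toolhelp32Snapshot)
     {
         // Case-insensitive on both sides; the old compare lower-cased only the snapshot
         // name, so a caller passing mixed case could never match.
         var entry = curmem.GetModuleInfos()
                           .FirstOrDefault(mi => string.Equals(mi.baseName, name, StringComparison.OrdinalIgnoreCase));
         return entry == null ? 0 : entry.baseOfDll.ToInt32();
     }
     return -1;
 }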
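        /// <summary>
        /// Detours ws2_32!connect in the target process ("lolclient"): copies the
        /// <c>connectcc</c> trampoline into memory allocated in the target, patches the
        /// trampoline's trailing rel32 to jump back to connect+5, then overwrites connect's
        /// first five bytes with a JMP rel32 to the trampoline.
        /// </summary>
        /// <exception cref="NotSupportedException">The target is 64-bit; all address math here is 32-bit.</exception>
        /// <exception cref="FileNotFoundException">ws2_32.dll is not loaded in the target yet.</exception>
        /// <exception cref="InvalidOperationException">Unknown module lookup strategy, or the trampoline allocation came back as address 0.</exception>
        /// <exception cref="WarningException">connect already starts with a JMP, i.e. the hook is already installed.</exception>
        /// <exception cref="AccessViolationException">The bytes at the computed connect address are not the expected prologue; nothing is written.</exception>
        void Inject()
        {
            using (var mem = new ProcessMemory(CurrentProcess.Id))
            {
                using (var notemem = new ProcessMemory(Process.GetCurrentProcess().Id))
                {
                    if (mem.Is64Bit())
                    {
                        throw new NotSupportedException("lolclient is running in 64bit mode which is not supported");
                    }

                    // Private copy of the trampoline. Its last four bytes are the rel32 of the
                    // jump back into connect, filled in once the target-side addresses are known.
                    var connect = new byte[connectcc.Length];
                    connectcc.CopyTo(connect, 0);
                    int jmpaddrloc = connect.Length - 4;

                    // RVA of connect inside ws2_32.dll, measured on the copy mapped in this
                    // process. It is only meaningful if the target maps the same image (same
                    // bitness and version) -- NOTE(review): nothing here verifies that beyond
                    // the prologue check further down.
                    var   mod     = ProcessMemory.GetModule("ws2_32.dll");
                    Int32 reladdr = notemem.GetAddress(mod, "connect");
                    reladdr -= mod;

                    var lolmod = GetModuleAddress(CurrentProcess, mem, "ws2_32.dll");
                    if (lolmod == 0)
                    {
                        throw new FileNotFoundException("Lolclient has not yet loaded ws2_32.dll");
                    }
                    if (lolmod == -1)
                    {
                        // GetModuleAddress signals an unknown lookup strategy with -1. Previously this
                        // slipped past the == 0 check and -1 + reladdr was treated as connect's address.
                        throw new InvalidOperationException(string.Format("Unsupported module lookup strategy [{0}]", From));
                    }
                    Int32 connectaddr = lolmod + reladdr;

                    // This prologue check is the only guard against patching arbitrary memory
                    // when the address math above is wrong (e.g. the Mirroring strategy guessed a
                    // base that holds something else). Keep it strict and keep it before any write.
                    var bytes = mem.Read(connectaddr, 5);
                    if (bytes[0] == 0xe9)
                    {
                        throw new WarningException("Connect already redirected");
                    }
                    if (!bytes.SequenceEqual(safecheck))
                    {
                        bytes = mem.Read(connectaddr, 20);
                        throw new AccessViolationException(string.Format("Connect has unknown bytes [{0},{1}]", Convert.ToBase64String(bytes), From));
                    }

                    Int32 addr = mem.Alloc(connectcc.Length);
                    if (addr == 0)
                    {
                        // Alloc's failure signalling is not visible from here; if it reports failure
                        // as 0, we must not write to address 0 and then detour connect into it.
                        throw new InvalidOperationException("Could not allocate trampoline memory in lolclient");
                    }

                    // rel32 displacements are relative to the end of the 5-byte JMP. Computed
                    // unchecked so the wrap-around 32-bit difference survives a checked build.
                    Int32 backJmp = unchecked((connectaddr + 5) - (addr + connect.Length));
                    BitConverter.GetBytes(backJmp).CopyTo(connect, jmpaddrloc);
                    mem.Write(addr, connect);

                    // Install the detour last, so any failure above leaves connect untouched.
                    // NOTE(review): the 5-byte write is not synchronised with the target's threads;
                    // a thread executing connect's prologue at that instant may run a torn jump.
                    Int32 detour = unchecked(addr - (connectaddr + 5));
                    var jmp = new byte[5];
                    jmp[0] = 0xE9;
                    BitConverter.GetBytes(detour).CopyTo(jmp, 1);
                    mem.Write(connectaddr, jmp);
                }
            }
        }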
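		/// <summary>
		/// Resolves the base address of module <paramref name="name"/> inside the target process,
		/// using whichever lookup strategy <c>From</c> selects.
		/// </summary>
		/// <param name="curproc">Target process; only read by the <c>ProcessClass</c> strategy.</param>
		/// <param name="curmem">Memory accessor for the target process; used by the other two strategies.</param>
		/// <param name="name">Module file name such as "ws2_32.dll", matched case-insensitively.</param>
		/// <returns>
		/// The module base, 0 when the module is not (yet) loaded in the target, or -1 when
		/// <c>From</c> is not one of the known strategies. Callers must treat -1 as an error,
		/// not as an address.
		/// </returns>
		Int32 GetModuleAddress(Process curproc, ProcessMemory curmem, string name)
		{
			if (From == GetModuleFrom.ProcessClass)
			{
				var entry = GetModule(curproc.Modules, name);
				return entry == null ? 0 : entry.BaseAddress.ToInt32();
			}
			if (From == GetModuleFrom.Mirroring)
			{
				// Assume the target maps the module at the same base as this process, and only
				// confirm that the target has something mapped at that address. This does NOT
				// verify that the bytes there belong to the module; whoever patches code at an
				// address derived from this result must check the bytes first.
				// (Previously this branch ignored `name` and always looked up ws2_32.dll.)
				var localBase = ProcessMemory.GetModule(name);
				if (localBase == 0)
				{
					return 0;
				}
				var region = curmem.VirtualQuery(localBase);
				return region.State != ProcessMemory.MemoryState.Free ? localBase : 0;
			}
			if (From == GetModuleFrom.Toolhelp32Snapshot)
			{
				// Case-insensitive on both sides; the old compare lower-cased only the snapshot
				// name, so a caller passing mixed case could never match.
				var entry = curmem.GetModuleInfos()
				                  .FirstOrDefault(mi => string.Equals(mi.baseName, name, StringComparison.OrdinalIgnoreCase));
				return entry == null ? 0 : entry.baseOfDll.ToInt32();
			}
			return -1;
		}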
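		/// <summary>
		/// Detours ws2_32!connect in the target process ("lolclient"): copies the
		/// <c>connectcc</c> trampoline into memory allocated in the target, patches the
		/// trampoline's trailing rel32 to jump back to connect+5, then overwrites connect's
		/// first five bytes with a JMP rel32 to the trampoline.
		/// </summary>
		/// <exception cref="NotSupportedException">The target is 64-bit; all address math here is 32-bit.</exception>
		/// <exception cref="FileNotFoundException">ws2_32.dll is not loaded in the target yet.</exception>
		/// <exception cref="InvalidOperationException">Unknown module lookup strategy, or the trampoline allocation came back as address 0.</exception>
		/// <exception cref="WarningException">connect already starts with a JMP, i.e. the hook is already installed.</exception>
		/// <exception cref="AccessViolationException">The bytes at the computed connect address are not the expected prologue; nothing is written.</exception>
		void Inject()
		{
			using (var mem = new ProcessMemory(CurrentProcess.Id))
			{
				using (var notemem = new ProcessMemory(Process.GetCurrentProcess().Id))
				{
					if (mem.Is64Bit())
					{
						throw new NotSupportedException("lolclient is running in 64bit mode which is not supported");
					}

					// Private copy of the trampoline. Its last four bytes are the rel32 of the
					// jump back into connect, filled in once the target-side addresses are known.
					var connect = new byte[connectcc.Length];
					connectcc.CopyTo(connect, 0);
					int jmpaddrloc = connect.Length - 4;

					// RVA of connect inside ws2_32.dll, measured on the copy mapped in this
					// process. It is only meaningful if the target maps the same image (same
					// bitness and version) -- NOTE(review): nothing here verifies that beyond
					// the prologue check further down.
					var mod = ProcessMemory.GetModule("ws2_32.dll");
					Int32 reladdr = notemem.GetAddress(mod, "connect");
					reladdr -= mod;

					var lolmod = GetModuleAddress(CurrentProcess, mem, "ws2_32.dll");
					if (lolmod == 0)
					{
						throw new FileNotFoundException("Lolclient has not yet loaded ws2_32.dll");
					}
					if (lolmod == -1)
					{
						// GetModuleAddress signals an unknown lookup strategy with -1. Previously this
						// slipped past the == 0 check and -1 + reladdr was treated as connect's address.
						throw new InvalidOperationException(string.Format("Unsupported module lookup strategy [{0}]", From));
					}
					Int32 connectaddr = lolmod + reladdr;

					// This prologue check is the only guard against patching arbitrary memory
					// when the address math above is wrong (e.g. the Mirroring strategy guessed a
					// base that holds something else). Keep it strict and keep it before any write.
					var bytes = mem.Read(connectaddr, 5);
					if (bytes[0] == 0xe9)
					{
						throw new WarningException("Connect already redirected");
					}
					if (!bytes.SequenceEqual(safecheck))
					{
						bytes = mem.Read(connectaddr, 20);
						throw new AccessViolationException(string.Format("Connect has unknown bytes [{0},{1}]", Convert.ToBase64String(bytes), From));
					}

					Int32 addr = mem.Alloc(connectcc.Length);
					if (addr == 0)
					{
						// Alloc's failure signalling is not visible from here; if it reports failure
						// as 0, we must not write to address 0 and then detour connect into it.
						throw new InvalidOperationException("Could not allocate trampoline memory in lolclient");
					}

					// rel32 displacements are relative to the end of the 5-byte JMP. Computed
					// unchecked so the wrap-around 32-bit difference survives a checked build.
					Int32 backJmp = unchecked((connectaddr + 5) - (addr + connect.Length));
					BitConverter.GetBytes(backJmp).CopyTo(connect, jmpaddrloc);
					mem.Write(addr, connect);

					// Install the detour last, so any failure above leaves connect untouched.
					// NOTE(review): the 5-byte write is not synchronised with the target's threads;
					// a thread executing connect's prologue at that instant may run a torn jump.
					Int32 detour = unchecked(addr - (connectaddr + 5));
					var jmp = new byte[5];
					jmp[0] = 0xE9;
					BitConverter.GetBytes(detour).CopyTo(jmp, 1);
					mem.Write(connectaddr, jmp);
				}
			}
		}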