/// <summary>
/// Executes code at a given address and returns the thread's exit code.
/// </summary>
/// <param name="dwStartAddress">Address to be executed.</param>
/// <param name="dwParameter">Parameter to be passed to the code being executed.</param>
/// <returns>Returns the exit code of the thread.</returns>
public uint Execute(uint dwStartAddress, uint dwParameter)
{
IntPtr hThread;
UIntPtr lpExitCode = UIntPtr.Zero;
bool bSuccess = false;
hThread = CreateRemoteThread(dwStartAddress, dwParameter);
if (hThread == IntPtr.Zero)
{
throw new Exception("Thread could not be remotely created.");
}
bSuccess = (SThread.WaitForSingleObject(hThread, 10000) == WaitValues.WAIT_OBJECT_0);
if (bSuccess)
{
bSuccess = Imports.GetExitCodeThread(hThread, out lpExitCode);
}
Imports.CloseHandle(hThread);
if (!bSuccess)
{
throw new Exception("Error waiting for thread to exit or getting exit code.");
}
return((uint)lpExitCode);
}
/// <summary>
/// Injects a dll into a process by creating a remote thread on LoadLibrary.
/// </summary>
/// <param name="hProcess">Handle to the process into which dll will be injected.</param>
/// <param name="szDllPath">Full path of the dll that will be injected.</param>
/// <returns>Returns the base address of the injected dll on success, zero on failure.</returns>
public static uint InjectDllCreateThread(IntPtr hProcess, string szDllPath)
{
if (hProcess == IntPtr.Zero)
{
throw new ArgumentNullException("hProcess");
}
if (szDllPath.Length == 0)
{
throw new ArgumentNullException("szDllPath");
}
if (!szDllPath.Contains("\\"))
{
szDllPath = System.IO.Path.GetFullPath(szDllPath);
}
if (!System.IO.File.Exists(szDllPath))
{
throw new ArgumentException("DLL not found.", "szDllPath");
}
uint dwBaseAddress = RETURN_ERROR;
uint lpLoadLibrary;
uint lpDll;
IntPtr hThread;
lpLoadLibrary = (uint)Imports.GetProcAddress(Imports.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (lpLoadLibrary > 0)
{
lpDll = SMemory.AllocateMemory(hProcess);
if (lpDll > 0)
{
if (SMemory.WriteASCIIString(hProcess, lpDll, szDllPath))
{
hThread = SThread.CreateRemoteThread(hProcess, lpLoadLibrary, lpDll);
//wait for thread handle to have signaled state
//exit code will be equal to the base address of the dll
if (SThread.WaitForSingleObject(hThread, 5000) == WaitValues.WAIT_OBJECT_0)
{
dwBaseAddress = SThread.GetExitCodeThread(hThread);
}
Imports.CloseHandle(hThread);
}
SMemory.FreeMemory(hProcess, lpDll);
}
}
return(dwBaseAddress);
}
/// <summary>
/// Closes the handle to the open thread (or does nothing if a thread has not been opened).
/// </summary>
public void CloseThread()
{
if (m_hThread != IntPtr.Zero)
{
Imports.CloseHandle(m_hThread);
}
m_hThread = IntPtr.Zero;
m_ThreadId = 0;
m_bThreadOpen = false;
}
/// <summary>
/// Injects a dll into a process by hijacking the process' main thread and redirecting it to LoadLibrary.
/// </summary>
/// <param name="hProcess">Handle to the process into which dll will be injected.</param>
/// <param name="dwProcessId">Id of the process into which dll will be injected.</param>
/// <param name="szDllPath">Full path to the dll to be injected.</param>
/// <returns>Returns the base address of the injected dll on success, zero on failure.</returns>
public static uint InjectDllRedirectThread(IntPtr hProcess, int dwProcessId, string szDllPath)
{
IntPtr hThread;
uint dwBaseAddress;
hThread = SThread.OpenThread(SThread.GetMainThreadId(dwProcessId));
if (hThread == IntPtr.Zero)
{
return(RETURN_ERROR);
}
dwBaseAddress = InjectDllRedirectThread(hProcess, hThread, szDllPath);
Imports.CloseHandle(hThread);
return(dwBaseAddress);
}
/// <summary>
/// Closes the handle to the open process (or does nothing if a process has not been opened).
/// </summary>
public void CloseProcess()
{
if (m_hProcess != IntPtr.Zero)
{
Imports.CloseHandle(m_hProcess);
}
m_hProcess = IntPtr.Zero;
m_hWnd = IntPtr.Zero;
m_ProcessId = 0;
m_MainModule = null;
m_Modules = null;
m_bProcessOpen = false;
Asm.SetProcessHandle(IntPtr.Zero);
}
