public void EjectModule(RemoteModule module)
{
if (module == null || !module.IsValid)
{
throw new DllNotFoundException("Module is invalid!");
}
IntPtr moduleHandle = module.Handle;
RemoteModule kernel32Module = GetModule("kernel32");
if (kernel32Module == null)
{
throw new DllNotFoundException("Module 'kernel32' not found!");
}
RemoteFunction freeLibrary = kernel32Module.GetFunction("FreeLibrary");
if (freeLibrary == null)
{
throw new MissingMethodException("Function 'FreeLibrary' not found in kernel32");
}
try {
if (freeLibrary.Call(moduleHandle) == 0)
{
throw new MethodAccessException("FreeLibrary call failed. This usually means that you tried to eject a non existent Module");
}
} catch (Exception e) {
throw new MethodAccessException("Method FreeLibrary could not be called!", e);
}
Refresh();
}
/// <summary>
/// Injects a module, throws an exception on failure.
/// </summary>
/// <param name="filePath">The filepath of the dynamic link library.</param>
/// <returns></returns>
public RemoteModule InjectModule(string filePath)
{
filePath = Path.GetFullPath(filePath);
if (!File.Exists(filePath))
{
throw new FileNotFoundException(filePath + " could not be found");
}
RemoteModule kernel32Module = GetModule("kernel32");
if (kernel32Module == null)
{
throw new DllNotFoundException("Module 'kernel32' not found!");
}
RemoteFunction loadLibraryW = kernel32Module.GetFunction("LoadLibraryW");
if (loadLibraryW == null || loadLibraryW.Address == IntPtr.Zero)
{
throw new MissingMethodException("Function 'LoadLibraryW' not found in kernel32");
}
try {
if (loadLibraryW.Call(filePath) == 0)
{
throw new MethodAccessException("LoadLibrary call failed. This usually means that you tried to inject a incompatible 32 bit dll in a 64 bit Process, or vice versa.");
}
} catch (Exception e) {
throw new MethodAccessException("Method LoadLibraryW could not be called!", e);
}
Refresh();
return(GetModule(filePath));
}
private IntPtr GetFunctionAddress(int ordinal, int nameIndex)
{
var addressOffset =
Process.Memory.Read <int>(BaseAddress + (int)ExportDirectory.AddressOfFunctions + ordinal * sizeof(int)); //exportFunctions[ordinal];
if (addressOffset < ExportDirectoryInfo.VirtualAddress || addressOffset >= ExportDirectoryInfo.VirtualAddress + ExportDirectoryInfo.Size)
{
return(BaseAddress + addressOffset);
}
string forwardingString = Process.Memory.ReadString(BaseAddress + addressOffset);
int dot = forwardingString.IndexOf('.');
if (dot <= -1)
{
return(IntPtr.Zero);
}
string redirectModuleName = forwardingString.Substring(0, dot);
string redirectFunctionName = forwardingString.Substring(dot + 1);
RemoteModule redirectModule = Process.GetModule(redirectModuleName);
if (redirectModule == null || redirectModule.BaseAddress == BaseAddress)
{
return(IntPtr.Zero);
}
if (redirectFunctionName[0] == '#')
{
redirectFunctionName = redirectFunctionName.Remove(0, 1);
UInt32 redirectOrdinal;
UInt32.TryParse(redirectFunctionName, out redirectOrdinal);
if (redirectOrdinal == 0)
{
return(IntPtr.Zero);
}
IntPtr namePtr = ExportDirectory.AddressOfNames != 0 ? BaseAddress + Process.Memory.Read <int>(BaseAddress + (int)ExportDirectory.AddressOfNames + nameIndex * sizeof(int)) : IntPtr.Zero;
RemoteFunction foo = redirectModule.GetFunctionByOrdinal(redirectOrdinal, namePtr);
return(foo != null ? foo.Address : IntPtr.Zero);
}
else
{
RemoteFunction foo = redirectModule.GetFunction(redirectFunctionName);
return(foo != null ? foo.Address : IntPtr.Zero);
}
}
