static void Main(string[] args)
{
Process.EnterDebugMode();
Process[] wow = Process.GetProcessesByName("WoW");
IntPtr hProcess = OpenProcess(0x1F0FFF, false, (uint)wow[0].Id);
//allocate memory for codecave
uint dwBaseAddress = VirtualAllocEx(hProcess, 0, 0x1000, 0x1000, 0x40);
Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(hProcess);
fasm.SetMemorySize(0x500);
//fasm.AddLine("org " + dwBaseAddress.ToString("X")); //not necessary, .Inject does automatically
fasm.AddLine("retn");
fasm.AddLine("jmp 0x410000");
fasm.AddLine("call 0x410000");
byte[] a = fasm.Assemble();
fasm.InjectAndExecute(hProcess, dwBaseAddress);
fasm.Dispose();
VirtualFreeEx(hProcess, dwBaseAddress, 0, 0x8000); //release memory
}
static void Main(string[] args)
{
Process.EnterDebugMode();
Process[] wow = Process.GetProcessesByName("WoW");
IntPtr hProcess = OpenProcess(0x1F0FFF, false, (uint)wow[0].Id);
//allocate memory for codecave
uint dwBaseAddress = VirtualAllocEx(hProcess, 0, 0x1000, 0x1000, 0x40);
Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(hProcess);
fasm.SetMemorySize(0x500);
//fasm.AddLine("org " + dwBaseAddress.ToString("X")); //not necessary, .Inject does automatically
fasm.AddLine("retn");
fasm.AddLine("jmp 0x410000");
fasm.AddLine("call 0x410000");
byte[] a = fasm.Assemble();
fasm.InjectAndExecute(hProcess, dwBaseAddress);
fasm.Dispose();
VirtualFreeEx(hProcess, dwBaseAddress, 0, 0x8000); //release memory
}
public static uint ClickBox(uint x, uint y)
{
uint codeCave = MineProcess.AllocateMemory();
uint result = 0;
Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(MineProcess.ProcessHandle);
fasm.AddLine("push {0}", y);
fasm.AddLine("push {0}", x);
fasm.AddLine("mov eax, 0x1003512");
fasm.AddLine("call eax");
fasm.AddLine("retn");
try
{
result = fasm.InjectAndExecute(codeCave);
}
finally
{
MineProcess.FreeMemory(codeCave);
}
return result;
}
public static uint ClickBox(uint x, uint y)
{
uint codeCave = MineProcess.AllocateMemory();
uint result = 0;
Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(MineProcess.ProcessHandle);
fasm.AddLine("push {0}", y);
fasm.AddLine("push {0}", x);
fasm.AddLine("mov eax, 0x1003512");
fasm.AddLine("call eax");
fasm.AddLine("retn");
try
{
result = fasm.InjectAndExecute(codeCave);
}
finally
{
MineProcess.FreeMemory(codeCave);
}
return(result);
}
/// <summary>
/// Create a CLR in the target process that will load the assembly
/// </summary>
/// <param name="pId">Process Id to inject</param>
/// <param name="Assembly">Type of the EntryPoint</param>
/// <param name="Argument">Argement to pass to the Assembly</param>
public bool InjectAndWait(Type Assembly, string Argument = "")
{
if (Process.HasExited)
{
throw new Exception("Process no longer exist!");
}
IntPtr handle = OpenProcess(ProcessAccessFlags.All, false, Process.Id);
if (handle == IntPtr.Zero)
{
throw new Exception("Error opening process!");
}
//MethodInfo startMethod = Assembly.GetMethods(BindingFlags.Static | BindingFlags.Public).First(
// m => m.GetCustomAttributes(false).OfType<Dysis.JC2.EntryPoint>().Any());
MethodInfo startMethod = Assembly.GetMethods(BindingFlags.Static | BindingFlags.Public).First(
m => m.GetCustomAttributes(false).OfType <EntryPoint>().Any());
if (startMethod == null)
{
throw new EntryPointNotFoundException("Make sure the [EntryPoint] attribute is set on a static public method in the class");
}
var AssemblyPath = (new Uri(Assembly.Module.Assembly.CodeBase)).AbsolutePath;
var TypeName = startMethod.DeclaringType.FullName;
var MethodName = startMethod.Name;
string CLRVersion = "v4.0.30319";
Guid CLSID_CLRMetaHostGuid = new Guid(0x9280188D, 0xE8E, 0x4867, 0xb3, 0x0C, 0x7F, 0xA8, 0x38, 0x84, 0xE8, 0xDE);
Guid IID_ICLRMetaHostGuid = new Guid(0xD332DB9E, 0xB9B3, 0x4125, 0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16);
Guid IID_ICLRRuntimeInfoGuid = new Guid(0xBD39D1D2, 0xBA2F, 0x486a, 0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91);
Guid CLSID_CLRRuntimeHostGuid = new Guid(0x90F1A06E, 0x7712, 0x4762, 0x86, 0xB5, 0x7A, 0x5E, 0xBA, 0x6B, 0xDB, 0x02);
Guid IID_ICLRRuntimeHostGuid = new Guid(0x90F1A06C, 0x7712, 0x4762, 0x86, 0xB5, 0x7A, 0x5E, 0xBA, 0x6B, 0xDB, 0x02);
IntPtr CLRCreateInstancePtr = GetProcAddress(GetModuleHandle("mscoree.dll"), "CLRCreateInstance");
if (CLRCreateInstancePtr == IntPtr.Zero)
{
throw new Exception("Could not find mscoree.dll, make sure you have .NET installed");
}
IntPtr result = InjectDllCreateThread(handle, GetMsCoree.FileName);
if (handle == null)
{
throw new Exception("Could not open the process");
}
//Allocate 1 block of memory in target process
MemoryAlloc = VirtualAllocEx(handle, IntPtr.Zero, 1000, AllocationType.Commit, MemoryProtection.ExecuteReadWrite);
IntPtr VersionStringPtr = MemoryAlloc;
IntPtr AssemblyPathPtr = VersionStringPtr + CLRVersion.Length * 2 + 2; //Unicode
IntPtr TypeNamePtr = AssemblyPathPtr + AssemblyPath.Length * 2 + 2; //Unicode
IntPtr MethodNamePtr = TypeNamePtr + TypeName.Length * 2 + 2; //Unicode
IntPtr ArgumentPtr = MethodNamePtr + MethodName.Length * 2 + 2; //Unicode
IntPtr CLSID_CLRMetaHostPtr = ArgumentPtr + Argument.Length * 2 + 2; //Unicode
IntPtr IID_ICLRMetaHostPtr = CLSID_CLRMetaHostPtr + Marshal.SizeOf(CLSID_CLRMetaHostGuid) + 1;
IntPtr IID_ICLRRuntimeInfoPtr = IID_ICLRMetaHostPtr + Marshal.SizeOf(IID_ICLRMetaHostGuid) + 1;
IntPtr CLSID_CLRRuntimeHostPtr = IID_ICLRRuntimeInfoPtr + Marshal.SizeOf(IID_ICLRRuntimeInfoGuid) + 1;
IntPtr IID_ICLRRuntimeHostPtr = CLSID_CLRRuntimeHostPtr + Marshal.SizeOf(CLSID_CLRRuntimeHostGuid) + 1;
IntPtr codeCave_Code = IID_ICLRRuntimeHostPtr + Marshal.SizeOf(IID_ICLRRuntimeHostGuid) + 1;
//Copy values in target process
WriteUnicodeString(handle, VersionStringPtr, CLRVersion);
WriteUnicodeString(handle, AssemblyPathPtr, AssemblyPath);
WriteUnicodeString(handle, TypeNamePtr, TypeName);
WriteUnicodeString(handle, MethodNamePtr, MethodName);
WriteUnicodeString(handle, ArgumentPtr, Argument);
WriteBytes(handle, CLSID_CLRMetaHostPtr, CLSID_CLRMetaHostGuid.ToByteArray());
WriteBytes(handle, IID_ICLRMetaHostPtr, IID_ICLRMetaHostGuid.ToByteArray());
WriteBytes(handle, IID_ICLRRuntimeInfoPtr, IID_ICLRRuntimeInfoGuid.ToByteArray());
WriteBytes(handle, CLSID_CLRRuntimeHostPtr, CLSID_CLRRuntimeHostGuid.ToByteArray());
WriteBytes(handle, IID_ICLRRuntimeHostPtr, IID_ICLRRuntimeHostGuid.ToByteArray());
Fasm.ManagedFasm fasm = new Fasm.ManagedFasm(handle);
//Local variables
//dwRet ebp-0x2c
//Host ebp-0x20
//Info ebp-0x14
//MetaHost ebp-0x8
fasm.AddLine("push ebp");
fasm.AddLine("mov ebp, esp");
fasm.AddLine("sub esp, 0x38");
//hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost,(PVOID*)&MetaHost);
fasm.AddLine("lea eax, [ebp-0x8]"); //MetaHost
fasm.AddLine("push eax");
fasm.AddLine("push " + IID_ICLRMetaHostPtr);
fasm.AddLine("push " + CLSID_CLRMetaHostPtr);
fasm.AddLine("call " + CLRCreateInstancePtr);
//hr = MetaHost->GetRuntime(TEXT("v4.0.30319"), IID_ICLRRuntimeInfo, (PVOID*)&Info);
fasm.AddLine("lea eax, [ebp-0x14]"); //Info
fasm.AddLine("push eax");
fasm.AddLine("push " + IID_ICLRRuntimeInfoPtr);
fasm.AddLine("push " + VersionStringPtr);
fasm.AddLine("mov eax, [ebp-0x8]"); //MetaHost
fasm.AddLine("push eax"); // This push
fasm.AddLine("mov eax, [eax]"); //Pointer to Instance
fasm.AddLine("mov eax, [eax+0xC]"); // GetRuntime vTable
fasm.AddLine("call eax"); //GetRuntime
//hr = Info->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (PVOID*)&Host);
fasm.AddLine("lea eax, [ebp-0x20]"); //Host
fasm.AddLine("push eax");
fasm.AddLine("push " + IID_ICLRRuntimeHostPtr);
fasm.AddLine("push " + CLSID_CLRRuntimeHostPtr);
fasm.AddLine("mov eax, [ebp-0x14]"); //Info
fasm.AddLine("push eax"); // This push
fasm.AddLine("mov eax, [eax]"); //Pointer to Instance
fasm.AddLine("mov eax, [eax+0x24]"); // GetInterface vTable
fasm.AddLine("call eax"); //GetInterface
//hr = Host->Start();
fasm.AddLine("mov eax, [ebp-0x20]"); //Host
fasm.AddLine("push eax");
fasm.AddLine("mov eax, [eax]"); //Pointer to Instance
fasm.AddLine("mov eax, [eax+0xC]"); // Start vTable
fasm.AddLine("call eax"); //Start
//hr = Host->ExecuteInDefaultAppDomain(
//AssemblyPath, TypeName, MethodName, Argument, &dwRet);
fasm.AddLine("lea eax, [ebp-0x2C]"); //dwRet
fasm.AddLine("push eax");
fasm.AddLine("push " + ArgumentPtr);
fasm.AddLine("push " + MethodNamePtr);
fasm.AddLine("push " + TypeNamePtr);
fasm.AddLine("push " + AssemblyPathPtr);
fasm.AddLine("mov eax, [ebp-0x20]"); //Host
fasm.AddLine("push eax"); // This push
fasm.AddLine("mov eax, [eax]"); //Pointer to Instance
fasm.AddLine("mov eax, [eax+0x2C]"); // ExecuteInDefaultAppDomain vTable
fasm.AddLine("call eax");
//hr = Host->Stop();
fasm.AddLine("mov eax, [ebp-0x20]"); //Host
fasm.AddLine("push eax"); // This push
fasm.AddLine("mov eax, [eax]"); //Pointer to Instance
fasm.AddLine("mov eax, [eax+0x10]"); // Stop vTable
fasm.AddLine("call eax"); //Start
//Host->Release(); This crash Fasm for some reason
/*fasm.AddLine("mov eax, [ebp-0x20]"); //Host
* fasm.AddLine("push eax"); // This push
* fasm.AddLine("mov eax, [eax]"); //Pointer to Instance
* fasm.AddLine("mov eax, [eax+0x8]"); // Release vTable
* fasm.AddLine("call eax"); //Release*/
fasm.AddLine("add esp, 0x38");
fasm.AddLine("mov esp, ebp");
fasm.AddLine("pop ebp");
fasm.AddLine("retn");
//Inject ASM
bool injected = fasm.Inject((uint)codeCave_Code);
IntPtr lpThreadId;
//Execute the codecave
IntPtr hThread = CreateRemoteThread(handle, IntPtr.Zero, 0, codeCave_Code, IntPtr.Zero, ThreadFlags.THREAD_EXECUTE_IMMEDIATELY, out lpThreadId);
if (hThread == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
Injected = true;
//Wait till ExecuteInDefaultAppDomain end.
if (WaitForSingleObject(hThread, (uint)ThreadWaitValues.INFINITE) != (uint)ThreadWaitValues.WAIT_OBJECT_0)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
Injected = false;
IntPtr lpExitCode;
if (!GetExitCodeThread(hThread, out lpExitCode))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
//Clean up
VirtualFreeEx(handle, MemoryAlloc, 0, FreeType.Release);
CloseHandle(handle);
return(true);
}