public static bool DoInject(
Process pToBeInjected,
string sDllPath,
string sDLLPath2,
out string sError)
{
IntPtr hwnd = IntPtr.Zero;
if (!CRT(pToBeInjected, sDllPath, out sError, out hwnd)) //CreateRemoteThread
{
//close the handle, since the method wasn't able to get to that
if (hwnd != (IntPtr)0)
{
WINAPI.CloseHandle(hwnd);
}
return(false);
}
int wee = Marshal.GetLastWin32Error();
if (sDLLPath2 != null && sDLLPath2 != String.Empty)
{
if (!CRT(pToBeInjected, sDLLPath2, out sError, out hwnd)) //CreateRemoteThread
{
//close the handle, since the method wasn't able to get to that
if (hwnd != (IntPtr)0)
{
WINAPI.CloseHandle(hwnd);
}
return(false);
}
int wee2 = Marshal.GetLastWin32Error();
}
return(true);
}
private void AddArchSpecificDirectory()
{
string archPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory,
IntPtr.Size == 8 ? "x64" : "Win32");
WINAPI.SetDllDirectory(archPath);
}
public static void ReleaseMemory(bool removePages)
{
// release any unused pages
// making the numbers look good in task manager
// this is totally nonsense in programming
// but good for those users who care
// making them happier with their everyday life
// which is part of user experience
GC.Collect(GC.MaxGeneration);
GC.WaitForPendingFinalizers();
if (removePages)
{
// as some users have pointed out
// removing pages from working set will cause some IO
// which lowered user experience for another group of users
//
// so we do 2 more things here to satisfy them:
// 1. only remove pages once when configuration is changed
// 2. add more comments here to tell users that calling
// this function will not be more frequent than
// IM apps writing chat logs, or web browsers writing cache files
// if they're so concerned about their disk, they should
// uninstall all IM apps and web browsers
//
// please open an issue if you're worried about anything else in your computer
// no matter it's GPU performance, monitor contrast, audio fidelity
// or anything else in the task manager
// we'll do as much as we can to help you
//
// just kidding
WINAPI.ReleasePages(Process.GetCurrentProcess().Handle);
}
}
protected void SetBytes(Byte[] buffer)
{
Process.EnterDebugMode();
List <IntPtr> processHandles;
var pointers = GetPointers(out processHandles);
for (var i = 0; i < pointers.Count; i++)
{
if (pointers[i] != IntPtr.Zero)
{
var bytesWritten = UIntPtr.Zero;
WINAPI.WriteProcessMemory(processHandles[i], pointers[i], buffer, (UIntPtr)buffer.Length, ref bytesWritten);
if (!this.IgnoreException)
{
Int32 systemErrorCode = Marshal.GetLastWin32Error();
if (systemErrorCode != 0)
{
throw new Win32ErrorException(systemErrorCode);
}
}
}
}
CloseHandles(processHandles);
Process.LeaveDebugMode();
}
/// <summary>
/// 红外图绘制
/// </summary>
/// <param name="graphic"></param>
/// <param name="w"></param>
/// <param name="h"></param>
/// <returns></returns>
bool DrawImages(Graphics graphic, int w, int h)
{
if (!_DataDisplay.GetDevice().IsProcessingImage())
{
return(false);
}
IntPtr pIrData = IntPtr.Zero;
IntPtr pIrInfo = IntPtr.Zero;;
if (!_DataDisplay.GetDevice().GetOutputBMPdata(ref pIrData, ref pIrInfo))
{
return(false);
}
GroupSDK.CAMERA_INFO info = _DataDisplay.GetDevice().GetCamInfo();
IntPtr hDC = graphic.GetHdc();
WINAPI.SetStretchBltMode(hDC, WINAPI.StretchMode.STRETCH_HALFTONE);
WINAPI.StretchDIBits(hDC, 0, 0, w, h, 0, 0, info.intVideoWidth,
info.intVideoHeight, pIrData, pIrInfo, (uint)WINAPI.PaletteMode.DIB_RGB_COLORS,
(uint)WINAPI.ExecuteOption.SRCCOPY);
graphic.ReleaseHdc();
return(true);
}
/// <summary>
/// Closes all open process handles.
/// </summary>
/// <param name="processHandles">A list containing the process handles.</param>
protected void CloseHandles(List <IntPtr> processHandles)
{
foreach (var processHandle in processHandles)
{
WINAPI.CloseHandle(processHandle);
//var systemErrorCode = Marshal.GetLastWin32Error();
//if ((!this.IgnoreException) && (systemErrorCode != 0)) {
// throw new Win32ErrorException(systemErrorCode);
//}
}
}
private static bool doCreateRemoteThread(Process pToBeInjected, string sDllPath, out string sError, out IntPtr hwnd)
{
try
{
sError = "";
IntPtr hProcess = WINAPI.OpenProcess(0x43a, 1, (uint)pToBeInjected.Id);
hwnd = hProcess;
if (hProcess == IntPtr.Zero)
{
Console.WriteLine("Error: dCRT Code: " + Marshal.GetLastWin32Error());
return(false);
}
IntPtr procAddress = WINAPI.GetProcAddress(WINAPI.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (procAddress == IntPtr.Zero)
{
Console.WriteLine("Unable to find address of \"LoadLibraryA\".\n");
Console.WriteLine("Error code: " + Marshal.GetLastWin32Error());
return(false);
}
IntPtr lpBaseAddress = WINAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (IntPtr)sDllPath.Length, 0x3000, 0x40);
if ((lpBaseAddress == IntPtr.Zero) && (lpBaseAddress == IntPtr.Zero))
{
Console.WriteLine("Unable to allocate memory to target process.\n");
Console.WriteLine("Error code: " + Marshal.GetLastWin32Error());
return(false);
}
byte[] byteLength = GetByteLength(sDllPath);
IntPtr zero = IntPtr.Zero;
WINAPI.WriteProcessMemory(hProcess, lpBaseAddress, byteLength, (uint)byteLength.Length, out zero);
//if (Marshal.GetLastWin32Error() != 0)
//{
// sError = "Unable to write memory to process.";
// sError = sError + "Error code: " + Marshal.GetLastWin32Error();
// return false;
//}
if (WINAPI.CreateRemoteThread(hProcess, IntPtr.Zero, IntPtr.Zero, procAddress, lpBaseAddress, 0, IntPtr.Zero) == IntPtr.Zero)
{
Console.WriteLine("Memoryspace Error on LOAD_DLL\n");
Console.WriteLine("Error code: " + Marshal.GetLastWin32Error());
return(false);
}
WINAPI.VirtualFreeEx(hProcess, IntPtr.Zero, UIntPtr.Zero, 0x8000);
return(true);
}
catch (Exception exception)
{
sError = "";
hwnd = IntPtr.Zero;
Console.WriteLine(exception.ToString());
return(false);
}
}
public static bool DoInject(Process pToBeInjected, string sDllPath, out string sError)
{
IntPtr hwnd = IntPtr.Zero;
if (!CreateRemoteThread(pToBeInjected, sDllPath, out sError, out hwnd))
{
//close the handle, since the method wasn't able to get to that
if (hwnd != (IntPtr)0)
{
WINAPI.CloseHandle(hwnd);
}
return(false);
}
//int Wee = Marshal.GetLastWin32Error();
return(true);
}
public static bool DoInject(
Process pToBeInjected,
string sDllPath,
out string sError)
{
IntPtr hwnd;
if (!CRT(pToBeInjected, sDllPath, out sError, out hwnd)) //CreateRemoteThread
{
//close the handle, since the method wasn't able to get to that
if (hwnd != (IntPtr)0)
{
WINAPI.CloseHandle(hwnd);
}
return(false);
}
return(true);
}
/// <summary>
/// Opens all existing local processes with the specified name.
/// </summary>
/// <returns>A list with process handles for each process.</returns>
protected List <IntPtr> GetHandles()
{
var processes = Process.GetProcessesByName(this.ProcessName);
var processHandles = new List <IntPtr>();
foreach (var process in processes)
{
var processHandle = WINAPI.OpenProcess(this.DesiredAccess, false, process.Id);
var systemErrorCode = Marshal.GetLastWin32Error();
if ((this.IgnoreException) || (systemErrorCode == 0))
{
processHandles.Add(processHandle);
}
else
{
throw new Win32ErrorException(systemErrorCode);
}
}
return(processHandles);
}
protected List <Byte[]> GetBytes(Int32 size, Int32 offset)
{
Process.EnterDebugMode();
List <IntPtr> processHandles;
var bytes = new List <Byte[]>();
var pointers = GetPointers(out processHandles);
for (var i = 0; i < pointers.Count; i++)
{
bytes.Add(new Byte[size]);
if (pointers[i] != IntPtr.Zero)
{
var buffer = new Byte[size];
var bytesRead = UIntPtr.Zero;
WINAPI.ReadProcessMemory(processHandles[i], IntPtr.Add(pointers[i], offset), buffer, (UIntPtr)size, ref bytesRead);
if (!this.IgnoreException)
{
Int32 systemErrorCode = Marshal.GetLastWin32Error();
if (systemErrorCode != 0)
{
throw new Win32ErrorException(systemErrorCode);
}
}
for (var x = 0; x < buffer.Length; x++)
{
(bytes[i])[x] = buffer[x];
}
}
}
CloseHandles(processHandles);
Process.LeaveDebugMode();
return(bytes);
}
/// <summary>
/// 连接相机
/// </summary>
/// <param name="sIP"></param>
/// <param name="intTimeOut">ms</param>
/// <returns></returns>
public bool LinkCamera(string sIP, uint intTimeOut)
{
return(LinkCamera(WINAPI.inet_addr(sIP), intTimeOut));
}
private static bool CRT(
Process pToBeInjected,
string sDllPath,
out string sError,
out IntPtr hwnd)
{
sError = String.Empty; //in case we encounter no errors
IntPtr hndProc = WINAPI.OpenProcess((0x2 | 0x8 | 0x10 | 0x20 | 0x400), 1, (uint)pToBeInjected.Id);
hwnd = hndProc;
if (hndProc == (IntPtr)0)
{
sError = "Unable to attatch to process.\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
IntPtr lpLLAddress = WINAPI.GetProcAddress(
WINAPI.GetModuleHandle("kernel32.dll"),
"LoadLibraryA");
if (lpLLAddress == (IntPtr)0)
{
sError = "Unable to find address of \"LoadLibraryA\".\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
IntPtr lpAddress = WINAPI.VirtualAllocEx(
hndProc,
(IntPtr)null,
(IntPtr)sDllPath.Length,
//520 bytes should be enough
(uint)WINAPI.VAE_Enums.AllocationType.MEM_COMMIT |
(uint)WINAPI.VAE_Enums.AllocationType.MEM_RESERVE,
(uint)WINAPI.VAE_Enums.ProtectionConstants.PAGE_EXECUTE_READWRITE);
if (lpAddress == (IntPtr)0)
{
sError = "Unable to allocate memory to target process.\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
byte[] bytes = CalcBytes(sDllPath);
IntPtr ipTmp;
WINAPI.WriteProcessMemory(
hndProc,
lpAddress,
bytes,
(uint)bytes.Length,
out ipTmp);
if (Marshal.GetLastWin32Error() != 0)
{
sError = "Unable to write memory to process.\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
IntPtr hThread = WINAPI.CreateRemoteThread(
hndProc,
(IntPtr)null,
(IntPtr)0,
lpLLAddress,
lpAddress,
0,
(IntPtr)null);
if (hThread == (IntPtr)0)
{
sError = "Unable to load dll into memory.";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
//added so it won't crash while thread is initializing
// Time-out is 10 seconds...
int Result = WaitForSingleObject(hThread, 10 * 1000);
// Check whether thread timed out...
if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
{
// Make sure thread handle is valid before closing... prevents crashes.
if (hThread != null)
{
//Close thread in target process
WINAPI.CloseHandle(hThread);
}
/* Thread timed out... */
throw new Exception("WaitForSingleObject failed!\n\n Call tech support.");
}
// Sleep thread for so as not to crash host
Thread.Sleep(1000);
// Clear up allocated space ( Allocmem )
VirtualFreeEx(hndProc, lpAddress, (UIntPtr)0, 0x8000);
// Make sure thread handle is valid before closing... prevents crashes.
if (hThread != null)
{
//Close thread in target process
WINAPI.CloseHandle(hThread);
}
Trace.TraceInformation("Injecter thinks all is OK");
return(true);
}
/// <summary>
/// Injects a x86 or x64 DLL into the process
/// </summary>
/// <param name="pToBeInjected">Process to be injected (obtained with Process.GetProcesses() ) </param>
/// <param name="sDllPath">Full path to the DLL to be injected</param>
/// <param name="sError">OUT parameter with an error string</param>
/// <returns></returns>
public static bool DoInject(
Process pToBeInjected,
string sDllPath,
out string sError)
{
IntPtr hwnd = IntPtr.Zero;
sError = String.Empty; //in case we encounter no errors
//Open the target process with read , write and execute priviledges
IntPtr hndProc = WINAPI.OpenProcess(
(0x000F0000 // STANDARD_RIGHTS_REQUIRED
| 0x00100000 // SYNCHRONIZE
| 0xFFFF
), 0, (uint)pToBeInjected.Id);
hwnd = hndProc;
if (hndProc == (IntPtr)0)
{
sError = "Unable to attatch to process.\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
//Get the address of LoadLibraryA
IntPtr lpLLAddress = WINAPI.GetProcAddress(
WINAPI.GetModuleHandle("kernel32.dll"),
"LoadLibraryA");
if (lpLLAddress == (IntPtr)0)
{
sError = "Unable to find address of \"LoadLibraryA\".\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
// Allocate space in the process for our DLL
IntPtr lpAddress = WINAPI.VirtualAllocEx(
hndProc,
(IntPtr)null,
(IntPtr)sDllPath.Length, //520 bytes should be enough
(uint)WINAPI.VAE_Enums.AllocationType.MEM_COMMIT |
(uint)WINAPI.VAE_Enums.AllocationType.MEM_RESERVE,
(uint)WINAPI.VAE_Enums.ProtectionConstants.PAGE_EXECUTE_READWRITE);
if (lpAddress == (IntPtr)0)
{
sError = "Unable to allocate memory to target process.\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
byte[] bytes = CalcBytes(sDllPath);
IntPtr ipTmp = IntPtr.Zero;
// Write the string name of our DLL in the memory allocated
int bResult = WINAPI.WriteProcessMemory(
hndProc,
lpAddress,
bytes,
(uint)bytes.Length,
out ipTmp);
// ERROR x64: "Unable to write memory to process. Error code: 1300"
if (bResult == 0)
{
sError = "Unable to write memory to process.";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
// Load our DLL
IntPtr ipThread = WINAPI.CreateRemoteThread(
hndProc,
(IntPtr)null,
(IntPtr)0,
lpLLAddress,
lpAddress,
0,
(IntPtr)null);
if (ipThread == (IntPtr)0)
{
sError = "Unable to load dll into memory.";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
WINAPI.CloseHandle(hndProc);
return(true);
}
protected List <IntPtr> GetPointers(out List <IntPtr> processHandles)
{
processHandles = GetHandles();
List <IntPtr> pointers;
if (this.address == null)
{
pointers = this.GetModuleBaseAddress(this.moduleName);
}
else
{
pointers = new List <IntPtr>();
for (var i = 0; i < processHandles.Count; i++)
{
pointers.Add((IntPtr)this.address);
}
}
for (var i = 0; i < processHandles.Count; i++)
{
if (processHandles[i] == IntPtr.Zero)
{
pointers[i] = IntPtr.Zero;
}
else
{
if ((this.Offsets != null) && (this.Offsets.Length > 0))
{
var size = UIntPtr.Size;
var buffer = new Byte[size];
var bytesRead = UIntPtr.Zero;
foreach (var offset in this.Offsets)
{
WINAPI.ReadProcessMemory(processHandles[i], pointers[i], buffer, (UIntPtr)size, ref bytesRead);
if (!this.IgnoreException)
{
Int32 systemErrorCode = Marshal.GetLastWin32Error();
if (systemErrorCode != 0)
{
throw new Win32ErrorException(systemErrorCode);
}
}
if (size == 8)
{
pointers[i] = (IntPtr)(BitConverter.ToInt64(buffer, 0));
}
else
{
pointers[i] = (IntPtr)(BitConverter.ToUInt32(buffer, 0));
}
if (pointers[i] == IntPtr.Zero)
{
break;
}
pointers[i] = IntPtr.Add(pointers[i], offset);
//Debug
//Console.WriteLine(pointers[i]);
}
}
}
}
return(pointers);
}
public static bool InjectDLL(IntPtr hProcess, String strDLLName)
{
IntPtr bytesout;
// Length of string containing the DLL file name +1 byte padding
Int32 LenWrite = strDLLName.Length + 1;
// Allocate memory within the virtual address space of the target process
IntPtr AllocMem = (IntPtr)WINAPI.VirtualAllocEx(hProcess, (IntPtr)null, (uint)LenWrite, 0x1000, 0x40);
// Write DLL file name to allocated memory in target process
WINAPI.WriteProcessMemory(hProcess, AllocMem, strDLLName, (UIntPtr)LenWrite, out bytesout);
// Function pointer "Injector"
UIntPtr Injector = (UIntPtr)WINAPI.GetProcAddress(WINAPI.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (Injector == null)
{
throw new Exception("GetProcAddress failed!\n\n Call tech support.");
}
// Create thread in target process, and store handle in hThread
IntPtr hThread = (IntPtr)WINAPI.CreateRemoteThread(hProcess, (IntPtr)null, 0, Injector, AllocMem, 0, out bytesout);
// Make sure thread handle is valid
if (hThread == null)
{
//incorrect thread handle ... return failed
throw new Exception("CreateRemoteThread failed!\n\n Call tech support.");
}
// Time-out is 10 seconds...
int Result = WINAPI.WaitForSingleObject(hThread, 10 * 1000);
// Check whether thread timed out...
if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
{
// Make sure thread handle is valid before closing... prevents crashes.
if (hThread != null)
{
//Close thread in target process
WINAPI.CloseHandle(hThread);
}
/* Thread timed out... */
throw new Exception("WaitForSingleObject failed!\n\n Call tech support.");
}
// Sleep thread so as not to crash host
Thread.Sleep(5000);
// Clear up allocated space ( Allocmem )
WINAPI.VirtualFreeEx(hProcess, AllocMem, (UIntPtr)0, 0x8000);
// Make sure thread handle is valid before closing... prevents crashes.
if (hThread != null)
{
//Close thread in target process
WINAPI.CloseHandle(hThread);
}
return(true);
}
private static bool CRT(
Process pToBeInjected,
string sDllPath,
out string sError,
out IntPtr hwnd)
{
sError = String.Empty; //in case we encounter no errors
IntPtr hndProc = WINAPI.OpenProcess(
(0x2 | 0x8 | 0x10 | 0x20 | 0x400), //create thread, query info, operation
//write, and read
1,
(uint)pToBeInjected.Id);
hwnd = hndProc;
if (hndProc == (IntPtr)0)
{
sError = "Unable to attatch to process.\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
IntPtr lpLLAddress = WINAPI.GetProcAddress(
WINAPI.GetModuleHandle("kernel32.dll"),
"LoadLibraryA");
if (lpLLAddress == (IntPtr)0)
{
sError = "Unable to find address of \"LoadLibraryA\".\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
IntPtr lpAddress = WINAPI.VirtualAllocEx(
hndProc,
(IntPtr)null,
(IntPtr)sDllPath.Length, //520 bytes should be enough
(uint)WINAPI.VAE_Enums.AllocationType.MEM_COMMIT |
(uint)WINAPI.VAE_Enums.AllocationType.MEM_RESERVE,
(uint)WINAPI.VAE_Enums.ProtectionConstants.PAGE_EXECUTE_READWRITE);
if (lpAddress == (IntPtr)0)
{
if (lpAddress == (IntPtr)0)
{
sError = "Unable to allocate memory to target process.\n";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
}
byte[] bytes = CalcBytes(sDllPath);
IntPtr ipTmp = IntPtr.Zero;
WINAPI.WriteProcessMemory(
hndProc,
lpAddress,
bytes,
(uint)bytes.Length,
out ipTmp);
if (Marshal.GetLastWin32Error() != 0)
{
sError = "Unable to write memory to process.";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
IntPtr ipThread = WINAPI.CreateRemoteThread(
hndProc,
(IntPtr)null,
(IntPtr)0,
lpLLAddress,
lpAddress,
0,
(IntPtr)null);
if (ipThread == (IntPtr)0)
{
sError = "Unable to load dll into memory.";
sError += "Error code: " + Marshal.GetLastWin32Error();
return(false);
}
return(true);
}
public bool LinkCameraEx(string sIP, ushort shortPort, string charCloudUser, string charCloudPwd,
uint intCamSN, string charCamUser, string charCamPwd, uint intTimeOut)
{
return(LinkCameraEx(WINAPI.inet_addr(sIP), shortPort, charCloudUser, charCloudPwd,
intCamSN, charCamUser, charCamPwd, intTimeOut));
}