|
public static RtlCreateSuspendedProcess ( String InEXEPath, String InCommandLine, |
||
| InEXEPath | String | |
| InCommandLine | String | |
| InProcessCreationFlags | ||
| OutProcessId | ||
| OutThreadId | ||
| return | void | |
/// <summary>
/// Creates a new process which is started suspended until you call <see cref="WakeUpProcess"/>
/// from within your injected library <c>Run()</c> method. This allows you to hook the target
/// BEFORE any of its usual code is executed. In situations where a target has debugging and
/// hook preventions, you will get a chance to block those mechanisms for example...
/// </summary>
/// <remarks>
/// <para>
/// Please note that this method might fail when injecting into managed processes, especially
/// when the target is using the CLR hosting API and takes advantage of AppDomains. For example,
/// the Internet Explorer won't be hookable with this method. In such a case your only options
/// are either to hook the target with the unmanaged API or to hook it after (non-supended) creation
/// with the usual <see cref="Inject"/> method.
/// </para>
/// <para>
/// See <see cref="Inject"/> for more information. The exceptions listed here are additional
/// to the ones listed for <see cref="Inject"/>.
/// </para>
/// </remarks>
/// <param name="InEXEPath">
/// A relative or absolute path to the desired executable.
/// </param>
/// <param name="InCommandLine">
/// Optional command line parameters for process creation.
/// </param>
/// <param name="InProcessCreationFlags">
/// Internally CREATE_SUSPENDED is already passed to CreateProcess(). With this
/// parameter you can add more flags like DETACHED_PROCESS, CREATE_NEW_CONSOLE or
/// whatever!
/// </param>
/// <param name="InLibraryPath_x86">
/// A partially qualified assembly name or a relative/absolute file path of the 32-bit version of your library.
/// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll".
/// </param>
/// <param name="InLibraryPath_x64">
/// A partially qualified assembly name or a relative/absolute file path of the 64-bit version of your library.
/// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll".
/// </param>
/// <param name="OutProcessId">
/// The process ID of the newly created process.
/// </param>
/// <param name="InPassThruArgs">
/// A serializable list of parameters being passed to your library entry points <c>Run()</c> and
/// <c>Initialize()</c>.
/// </param>
/// <exception cref="ArgumentException">
/// The given EXE path could not be found.
/// </exception>
public static void CreateAndInject(
String InEXEPath,
String InCommandLine,
Int32 InProcessCreationFlags,
String InLibraryPath_x86,
String InLibraryPath_x64,
RhAssemblyInfo[] Assemblies,
out Int32 OutProcessId,
params Object[] InPassThruArgs)
{
Int32 RemotePID;
Int32 RemoteTID;
MemoryStream PassThru = new MemoryStream();
ManagedRemoteInfo RemoteInfo = new ManagedRemoteInfo();
// create suspended process...
NativeAPI.RtlCreateSuspendedProcess(
InEXEPath,
InCommandLine,
InProcessCreationFlags,
out RemotePID,
out RemoteTID);
try
{
InjectEx(
NativeAPI.GetCurrentProcessId(),
RemotePID,
RemoteTID,
0x20000000,
InLibraryPath_x86,
InLibraryPath_x64,
Assemblies,
true,
false,
InPassThruArgs);
OutProcessId = RemotePID;
}
catch (Exception e)
{
try
{
Process.GetProcessById(RemotePID).Kill();
}
catch (Exception) { }
throw e;
}
}
/// <summary>
/// Creates a new process which is started suspended until you call <see cref="WakeUpProcess" />
/// from within your injected library <c>Run()</c> method. This allows you to hook the target
/// BEFORE any of its usual code is executed. In situations where a target has debugging and
/// hook preventions, you will get a chance to block those mechanisms for example...
/// </summary>
/// <remarks>
/// <para>
/// Please note that this method might fail when injecting into managed processes, especially
/// when the target is using the CLR hosting API and takes advantage of AppDomains. For example,
/// the Internet Explorer won't be hookable with this method. In such a case your only options
/// are either to hook the target with the unmanaged API or to hook it after (non-supended) creation
/// with the usual <see cref="Inject" /> method.
/// </para>
/// <para>
/// See <see cref="Inject" /> for more information. The exceptions listed here are additional
/// to the ones listed for <see cref="Inject" />.
/// </para>
/// </remarks>
/// <param name="InEXEPath">
/// A relative or absolute path to the desired executable.
/// </param>
/// <param name="InCommandLine">
/// Optional command line parameters for process creation.
/// </param>
/// <param name="InProcessCreationFlags">
/// Internally CREATE_SUSPENDED is already passed to CreateProcess(). With this
/// parameter you can add more flags like DETACHED_PROCESS, CREATE_NEW_CONSOLE or
/// whatever!
/// </param>
/// <param name="InLibraryPath_x86">
/// A partially qualified assembly name or a relative/absolute file path of the 32-bit version of your library.
/// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll".
/// </param>
/// <param name="InLibraryPath_x64">
/// A partially qualified assembly name or a relative/absolute file path of the 64-bit version of your library.
/// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll".
/// </param>
/// <param name="OutProcessId">
/// The process ID of the newly created process.
/// </param>
/// <param name="InPassThruArgs">
/// A serializable list of parameters being passed to your library entry points <c>Run()</c> and
/// <c>Initialize()</c>.
/// </param>
/// <exception cref="ArgumentException">
/// The given EXE path could not be found.
/// </exception>
public static void CreateAndInject(
String InEXEPath,
String InCommandLine,
Int32 InProcessCreationFlags,
String InLibraryPath_x86,
String InLibraryPath_x64,
out Int32 OutProcessId,
params Object[] InPassThruArgs)
{
Int32 RemotePID;
Int32 RemoteTID;
// create suspended process...
NativeAPI.RtlCreateSuspendedProcess(
InEXEPath,
InCommandLine,
InProcessCreationFlags,
out RemotePID,
out RemoteTID);
try
{
InjectEx(
NativeAPI.GetCurrentProcessId(),
RemotePID,
RemoteTID,
0x20000000,
InLibraryPath_x86,
InLibraryPath_x64,
true,
false,
true, // TODO: allow requiring a Strong Name to be an option
InPassThruArgs);
OutProcessId = RemotePID;
}
catch (Exception e)
{
try
{
Process.GetProcessById(RemotePID).Kill();
}
catch (Exception)
{
}
throw e;
}
}
/// <summary>
/// Creates a new process which is started suspended until you call <see cref="WakeUpProcess"/>
/// from within your injected library <c>Run()</c> method. This allows you to hook the target
/// BEFORE any of its usual code is executed. In situations where a target has debugging and
/// hook preventions, you will get a chance to block those mechanisms for example...
/// </summary>
/// <remarks>
/// <para>
/// Please note that this method might fail when injecting into managed processes, especially
/// when the target is using the CLR hosting API and takes advantage of AppDomains. For example,
/// the Internet Explorer won't be hookable with this method. In such a case your only options
/// are either to hook the target with the unmanaged API or to hook it after (non-supended) creation
/// with the usual <see cref="Inject"/> method.
/// </para>
/// <para>
/// See <see cref="Inject"/> for more information. The exceptions listed here are additional
/// to the ones listed for <see cref="Inject"/>.
/// </para>
/// </remarks>
/// <param name="InEXEPath">
/// A relative or absolute path to the desired executable.
/// </param>
/// <param name="InCommandLine">
/// Optional command line parameters for process creation.
/// </param>
/// <param name="InProcessCreationFlags">
/// Internally CREATE_SUSPENDED is already passed to CreateProcess(). With this
/// parameter you can add more flags like DETACHED_PROCESS, CREATE_NEW_CONSOLE or
/// whatever!
/// </param>
/// <param name="InOptions">
/// A valid combination of options.
/// </param>
/// <param name="InLibraryPath_x86">
/// A partially qualified assembly name or a relative/absolute file path of the 32-bit version of your library.
/// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll".
/// </param>
/// <param name="InLibraryPath_x64">
/// A partially qualified assembly name or a relative/absolute file path of the 64-bit version of your library.
/// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll".
/// </param>
/// <param name="OutProcessId">
/// The process ID of the newly created process.
/// </param>
/// <param name="InPassThruArgs">
/// A serializable list of parameters being passed to your library entry points <c>Run()</c> and
/// <c>Initialize()</c>.
/// </param>
/// <exception cref="ArgumentException">
/// The given EXE path could not be found.
/// </exception>
public static void CreateAndInject(
String InEXEPath,
String InCommandLine,
Int32 InProcessCreationFlags,
InjectionOptions InOptions,
String InLibraryPath_x86,
String InLibraryPath_x64,
out Int32 OutProcessId,
params Object[] InPassThruArgs)
{
Int32 RemotePID;
Int32 RemoteTID;
// create suspended process...
NativeAPI.RtlCreateSuspendedProcess(
InEXEPath,
InCommandLine,
InProcessCreationFlags,
out RemotePID,
out RemoteTID);
try
{
InjectEx(
NativeAPI.GetCurrentProcessId(),
RemotePID,
RemoteTID,
0x20000000,
InLibraryPath_x86,
InLibraryPath_x64,
((InOptions & InjectionOptions.NoWOW64Bypass) == 0),
((InOptions & InjectionOptions.NoService) == 0),
((InOptions & InjectionOptions.DoNotRequireStrongName) == 0),
InPassThruArgs);
OutProcessId = RemotePID;
}
catch (Exception e)
{
try
{
Process.GetProcessById(RemotePID).Kill();
}
catch (Exception) { }
throw e;
}
}
