Example #1
0
        public IntPtr Inject(Core targetProcess, string filePath)
        {
            InjectedModule = new Module(filePath);
            targetProc     = targetProcess;

            if (targetProcess.Is64bit)
            {
                try
                {
                    log.Log(LogType.Normal, "Starting injection of the module...");
                    LinkedModules = GetModules();

                    var remoteImage = MapImage(filePath, InjectedModule.DllBytes);
                    CallEntrypoint(InjectedModule.DllBytes, remoteImage);

                    return((IntPtr)remoteImage);
                }
                catch (Exception ex)
                {
                    log.Log(ex, "Something went wrong...");
                    return(IntPtr.Zero);
                }
            }
            else
            {
                log.Log(LogType.Error, "32-bit/x86 is NOT supported yet!");
                return(IntPtr.Zero);
            }
        }
Example #2
0
        bool InjectDependency(string dependencyFileNamePath)
        {
            using (var depMod = new Module(dependencyFileNamePath))
            {
                var loadProc = targetProc.GetLoadLibraryPtr();
                if (loadProc == IntPtr.Zero)
                {
                    log.Log(LogType.Failure, "Failed to load and initiate LoadLibrary: {0}",
                            Marshal.GetLastWin32Error().ToString("X"));
                    return(false);
                }
                var allocated = targetProc.AllocateAndWriteBytes(depMod.DllBytes);
                if (allocated == IntPtr.Zero)
                {
                    log.Log(LogType.Failure, "Failed to allocate and/or write dependency bytes to memory: {0}",
                            Marshal.GetLastWin32Error().ToString("X"));
                    return(false);
                }

                var crt = targetProc.CreateThread(loadProc, allocated);
                if (crt == IntPtr.Zero)
                {
                    log.Log(LogType.Failure, "Failed to inject dependency - CreateRemoteThread was a failure: {0}",
                            Marshal.GetLastWin32Error().ToString("X"));
                    return(false);
                }

                log.Log(LogType.Success, "Dependency {0} injected, and loaded succesfully!",
                        Path.GetFileName(dependencyFileNamePath));
                return(true);
            }
        }
Example #3
0
        public IntPtr Inject(Core targetProcess, string filePath)
        {
            //Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.QUA");

            InjectedModule = new Module(filePath);

            var loadLib = targetProcess.GetLoadLibraryPtr();

            if (loadLib == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
                return(IntPtr.Zero);
            }

            var pathBytes = Encoding.Unicode.GetBytes(filePath);

            var alloc = targetProcess.Allocate(pathBytes.Length);

            if (alloc == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
                return(IntPtr.Zero);
            }

            if (!targetProcess.WriteBytes(pathBytes, alloc))
            {
                log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
                return(IntPtr.Zero);
            }

            uint dwThreadId = 0;
            var  hThread    = IntPtr.Zero;

            dwThreadId = WinAPI.GetProcessThreadId(targetProcess.ProcessId, hThread);

            var dResult = WinAPI.QueueUserAPC(loadLib, hThread, alloc);

            if (dResult == 0)
            {
                log.Log(LogType.Error, "Failed to QueueUserAPC: {0}", Marshal.GetLastWin32Error().ToString("X"));
                return(IntPtr.Zero);
            }

            log.Log(LogType.Success, "Injection through QueueUserAPC was a success - opened thread: 0x{0}",
                    Environment.Is64BitProcess ? hThread.ToInt64().ToString("X16") : hThread.ToInt32().ToString("X8"));
            return(hThread);
        }
Example #4
0
        public IntPtr Inject(Core targetProcess, string filePath)
        {
            InjectedModule = new Module(filePath);

            var loadLib = targetProcess.GetLoadLibraryPtr();

            if (loadLib == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
                return(IntPtr.Zero);
            }

            var pathBytes = Encoding.Unicode.GetBytes(filePath);

            var alloc = targetProcess.Allocate(pathBytes.Length);

            if (alloc == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
                return(IntPtr.Zero);
            }

            if (!targetProcess.WriteBytes(pathBytes, alloc))
            {
                log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
                return(IntPtr.Zero);
            }

            var crt = targetProcess.CreateThread(loadLib, alloc);

            if (crt == IntPtr.Zero)
            {
                log.Log(LogType.Failure, "Failed on creating thread inside attached process: {0}",
                        Marshal.GetLastWin32Error().ToString("X"));
            }
            else
            {
                log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}",
                        Environment.Is64BitProcess ? crt.ToInt64().ToString("X") : crt.ToInt32().ToString("X"));
            }

            return(crt);
        }
Example #5
0
        public IntPtr Inject(Core targetProcess, string filePath)
        {
            //Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.STC");

            InjectedModule = new Module(filePath);

            var loadLib = targetProcess.GetLoadLibraryPtr();

            if (loadLib == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
                return(IntPtr.Zero);
            }

            var pathBytes = Encoding.Unicode.GetBytes(filePath);

            var alloc = targetProcess.Allocate(pathBytes.Length);

            if (alloc == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
                return(IntPtr.Zero);
            }

            if (!targetProcess.WriteBytes(pathBytes, alloc))
            {
                log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
                return(IntPtr.Zero);
            }

            var code    = Environment.Is64BitProcess ? shell64 : shell32;
            var hThread = WinAPI.GetProcessThread(targetProcess.ProcessId);

            if (hThread == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Unable to open process's main thread: {0} - aborting!",
                        Marshal.GetLastWin32Error().ToString("X"));
                return(IntPtr.Zero);
            }

            var page_size = 1 << 12;
            var buffer    = targetProcess.Allocate(page_size);

            if (!WinAPI.SuspendThread(hThread))
            {
                log.Log(LogType.Error, "Unable to suspend thread: {0} - aborting!",
                        Marshal.GetLastWin32Error().ToString("X"));
                return(IntPtr.Zero);
            }

            if (Environment.Is64BitProcess)
            {
                var ctx = new WinAPI.CONTEXT64();
                ctx.ContextFlags = WinAPI.CONTEXT_FLAGS.CONTEXT_FULL;

                if (!WinAPI.GetThreadContext(hThread, ref ctx))
                {
                    log.Log(LogType.Error, "Failed to retrieve thread's context: {0} - aborting!",
                            Marshal.GetLastWin32Error());
                    return(IntPtr.Zero);
                }

                var buf    = BitConverter.GetBytes((buffer + page_size / 2).ToInt64());
                var libBuf = BitConverter.GetBytes(loadLib.ToInt64());
                var ripBuf = BitConverter.GetBytes(ctx.Rip);

                Array.Copy(buf, 0, code, 0x10, buf.Length);
                Array.Copy(libBuf, 0, code, 0x1a, libBuf.Length);
                Array.Copy(ripBuf, 0, code, 0x34, ripBuf.Length);

                if (!targetProcess.WriteBytes(code, buffer))
                {
                    log.Log(LogType.Error, "Failed to write code-cave to process: {0} - aborting!",
                            Marshal.GetLastWin32Error().ToString("X"));
                    return(IntPtr.Zero);
                }

                ctx.Rip = (ulong)alloc.ToInt64();
                if (!WinAPI.SetThreadContext(hThread, ref ctx))
                {
                    log.Log(LogType.Failure, "Failed to set thread's context: {0}",
                            Marshal.GetLastWin32Error().ToString("X"));

                    WinAPI.ResumeThread(hThread);
                    return(IntPtr.Zero);
                }

                log.Log(LogType.Success, "Successfully set thread's context - {0} should now be injected!",
                        Path.GetFileName(filePath));
                return(hThread);
            }
            else
            {
                var ctx = new WinAPI.CONTEXT();
                ctx.ContextFlags = WinAPI.CONTEXT_FLAGS.CONTEXT_FULL;

                if (!WinAPI.GetThreadContext(hThread, ref ctx))
                {
                    log.Log(LogType.Error, "Failed to retrieve thread's context: {0} - aborting!",
                            Marshal.GetLastWin32Error());
                    return(IntPtr.Zero);
                }

                var buf    = BitConverter.GetBytes((buffer + page_size / 2).ToInt32());
                var libBuf = BitConverter.GetBytes(loadLib.ToInt32());
                var ripBuf = BitConverter.GetBytes(ctx.Eip);

                Array.Copy(buf, 0, code, 2, buf.Length);
                Array.Copy(libBuf, 0, code, 7, libBuf.Length);
                Array.Copy(ripBuf, 0, code, 0xf, ripBuf.Length);

                if (!targetProcess.WriteBytes(code, buffer))
                {
                    log.Log(LogType.Error, "Failed to write code-cave to process: {0} - aborting!",
                            Marshal.GetLastWin32Error().ToString("X"));
                    return(IntPtr.Zero);
                }

                ctx.Eip = (uint)alloc.ToInt32();
                if (!WinAPI.SetThreadContext(hThread, ref ctx))
                {
                    log.Log(LogType.Failure, "Failed to set thread's context: {0}",
                            Marshal.GetLastWin32Error().ToString("X"));

                    WinAPI.ResumeThread(hThread);
                    return(IntPtr.Zero);
                }

                log.Log(LogType.Success, "Successfully set thread's context - {0} should now be injected!",
                        Path.GetFileName(filePath));
                return(hThread);
            }
        }
Example #6
0
        public IntPtr Inject(Core targetProcess, string filePath)
        {
            //Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.NCTE");

            InjectedModule = new Module(filePath);

            var loadLib = targetProcess.GetLoadLibraryPtr();

            if (loadLib == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
                return(IntPtr.Zero);
            }

            var pathBytes = Encoding.Unicode.GetBytes(filePath);

            var alloc = targetProcess.Allocate(pathBytes.Length);

            if (alloc == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
                return(IntPtr.Zero);
            }

            if (!targetProcess.WriteBytes(pathBytes, alloc))
            {
                log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
                return(IntPtr.Zero);
            }

            var ntdllmod = WinAPI.GetModuleHandleA("ntdll.dll");

            if (ntdllmod == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve module handle for {0}: {1}",
                        '"' + "ntdll.dll" + '"', Marshal.GetLastWin32Error().ToString("X"));
                return(IntPtr.Zero);
            }

            var ntCreateThreadExAddress = WinAPI.GetProcAddress(ntdllmod, "NtCreateThreadEx");

            if (ntCreateThreadExAddress == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve address handle for {0} in {1}: {2}",
                        '"' + "NtCreateThreadEx" + '"', '"' + "ntdll.dll" + '"',
                        Marshal.GetLastWin32Error().ToString("X"));
                return(IntPtr.Zero);
            }

            var ntCreateThreadEx = (NtCreateThreadEx)
                                   Marshal.GetDelegateForFunctionPointer(ntCreateThreadExAddress, typeof(NtCreateThreadEx));

            int temp1 = 0, temp2 = 0;

            unsafe
            {
                var nb = new NtCreateThreadExBuffer
                {
                    Size     = sizeof(NtCreateThreadExBuffer),
                    Unknown1 = 0x10003,
                    Unknown2 = 0x8,
                    Unknown3 = new IntPtr(&temp2),
                    Unknown4 = 0,
                    Unknown5 = 0x10004,
                    Unknown6 = 4,
                    Unknown7 = new IntPtr(&temp1),
                    Unknown8 = 0
                };

                var hRemoteThread = IntPtr.Zero;
                ntCreateThreadEx?.Invoke(
                    out hRemoteThread,
                    0x1FFFFF,
                    IntPtr.Zero,
                    targetProcess.ProcessHandle,
                    loadLib,
                    alloc,
                    0,
                    0,
                    Environment.Is64BitProcess ? 0xFFFF : 0u,
                    Environment.Is64BitProcess ? 0xFFFF : 0u,
                    Environment.Is64BitProcess ? IntPtr.Zero : new IntPtr(&nb)
                    );

                if (hRemoteThread == IntPtr.Zero)
                {
                    log.Log(LogType.Failure, "Failed to create thread inside attached process: {0}",
                            Marshal.GetLastWin32Error().ToString("X"));
                }
                else
                {
                    log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}",
                            Environment.Is64BitProcess
                            ? hRemoteThread.ToInt64().ToString("X")
                            : hRemoteThread.ToInt32().ToString("X"));
                }

                return(hRemoteThread);
            }
        }
Example #7
0
        public IntPtr Inject(Core targetProcess, string filePath)
        {
            //Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.RCUT");

            InjectedModule = new Module(filePath);

            var loadLib = targetProcess.GetLoadLibraryPtr();

            if (loadLib == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
                return(IntPtr.Zero);
            }

            var pathBytes = Encoding.Unicode.GetBytes(filePath);

            var alloc = targetProcess.Allocate(pathBytes.Length);

            if (alloc == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
                return(IntPtr.Zero);
            }

            if (!targetProcess.WriteBytes(pathBytes, alloc))
            {
                log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
                return(IntPtr.Zero);
            }

            var ntdllmod = WinAPI.GetModuleHandleA("ntdll.dll");

            if (ntdllmod == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve module handle for {0}: {1}",
                        '"' + "ntdll.dll" + '"', Marshal.GetLastWin32Error().ToString("X"));
                return(IntPtr.Zero);
            }

            var rtlCreateUserThreadAddress = WinAPI.GetProcAddress(ntdllmod, "RtlCreateUserThread");

            if (rtlCreateUserThreadAddress == IntPtr.Zero)
            {
                log.Log(LogType.Error, "Cannot retrieve address handle for {0} in {1}: {2}",
                        '"' + "RtlCreateUserThread" + '"', '"' + "ntdll.dll" + '"',
                        Marshal.GetLastWin32Error().ToString("X"));
                return(IntPtr.Zero);
            }

            var rtlCreateUserThread =
                (RtlCreateUserThread)Marshal.GetDelegateForFunctionPointer(rtlCreateUserThreadAddress,
                                                                           typeof(RtlCreateUserThread));
            var hRemoteThread = IntPtr.Zero;

            if (rtlCreateUserThread(targetProcess.ProcessHandle, IntPtr.Zero, 0, 0, 0, 0, loadLib, alloc,
                                    out hRemoteThread,
                                    IntPtr.Zero) < 0)
            {
                log.Log(LogType.Failure, "Failed to create thread inside attached process: {0}",
                        Marshal.GetLastWin32Error().ToString("X"));
            }
            else
            {
                log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}",
                        Environment.Is64BitProcess
                        ? hRemoteThread.ToInt64().ToString("X")
                        : hRemoteThread.ToInt32().ToString("X"));
            }

            return(hRemoteThread);
        }