Example #1
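        /// <summary>
        /// Launches <c>TestApplication</c> suspended, queues a short sequence of Win32 calls
        /// inside it that is intended to redirect HKEY_CURRENT_USER to the <c>Pieter\Test</c>
        /// subkey, runs that sequence on a remote thread, and only then resumes the process.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        /// <remarks>
        /// Creating a process suspended, writing into its memory and starting a remote thread
        /// is the sequence endpoint protection products commonly classify as process
        /// injection, so this tool is likely to be flagged or blocked unless it is allow-listed.
        /// None of the queued calls' results are inspected here.
        /// </remarks>
        static void Main(string[] args)
        {
            // Predefined handle value of HKEY_CURRENT_USER; named once instead of repeating the literal.
            const uint HkeyCurrentUser = 0x80000001;

            // CreateSuspended keeps the target's own code from running until Resume() below.
            InjectableProcess process = new InjectableProcess(
                TestApplication,
                ProcessCreationOptions.NormalPriorityClass | ProcessCreationOptions.CreateSuspended);
            MemoryWriter writer = process.CreateMemoryWriter(1024);

            // Data the queued calls refer to; presumably these addresses are valid in the target process.
            IntPtr advapi32            = writer.WriteValue("Advapi32.dll");
            IntPtr registryKeyAddress  = writer.WriteValue(@"Pieter\Test");
            // NOTE(review): an HKEY is pointer-sized, so 4 bytes only fits a 32-bit target — confirm.
            IntPtr registryHkeyAddress = writer.Alloc(4);

            // Queued in execution order: load the registry API, open the subkey, install it as the
            // replacement for HKEY_CURRENT_USER, release the handle, end the helper thread.
            writer.CallLoadLibrary(advapi32);
            writer.CallRegOpenKey(HkeyCurrentUser, registryKeyAddress, registryHkeyAddress);
            // NOTE(review): if the open fails in the target, the override presumably uses whatever
            // the handle slot holds — confirm how MemoryWriter surfaces failed calls.
            writer.CallRegOverridePredefKey(HkeyCurrentUser, registryHkeyAddress);
            writer.CallRegCloseKey(registryHkeyAddress);
            writer.CallExitThread();

            // Change page protection so we can write executable code
            // NOTE(review): this step is disabled; presumably CreateMemoryWriter already allocates
            // the region with the protection it needs — confirm before relying on it.
            //VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, MemoryProtection.ExecuteReadWrite, &oldProtect);

            Task task = process.CreateRemoteThread(writer);

            // Block until the task completes, so the main thread is resumed only after it.
            task.Wait();

            process.Resume();
        }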
Example #2
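        /// <summary>
        /// Entry point: creates <c>TestApplication</c> in a suspended state, prepares a call
        /// sequence in the child that is meant to remap HKEY_CURRENT_USER onto the
        /// <c>Pieter\Test</c> subkey, executes it via a remote thread, then resumes the child.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        /// <remarks>
        /// Security tooling commonly treats "suspended child + remote write + remote thread"
        /// as process injection, so expect alerts or blocking where such tooling is deployed.
        /// The outcome of the individual queued calls is not checked by this method.
        /// </remarks>
        static void Main(string[] args)
        {
            // HKEY_CURRENT_USER predefined handle; a single constant replaces the repeated literal.
            const uint HkeyCurrentUser = 0x80000001;

            // The child must not run its own code before the remote thread has finished.
            ProcessCreationOptions creationOptions =
                ProcessCreationOptions.NormalPriorityClass | ProcessCreationOptions.CreateSuspended;
            InjectableProcess process = new InjectableProcess(TestApplication, creationOptions);
            MemoryWriter writer = process.CreateMemoryWriter(1024);

            // Arguments for the queued calls.
            IntPtr advapi32 = writer.WriteValue("Advapi32.dll");
            IntPtr registryKeyAddress = writer.WriteValue(@"Pieter\Test");
            // NOTE(review): 4 bytes holds an HKEY only in a 32-bit target; handles are pointer-sized — confirm.
            IntPtr registryHkeyAddress = writer.Alloc(4);

            // Call sequence, in the order it is queued.
            writer.CallLoadLibrary(advapi32);
            writer.CallRegOpenKey(HkeyCurrentUser, registryKeyAddress, registryHkeyAddress);
            // NOTE(review): nothing here guards against a failed open before the override — confirm
            // whether MemoryWriter checks the return value of the emitted call.
            writer.CallRegOverridePredefKey(HkeyCurrentUser, registryHkeyAddress);
            writer.CallRegCloseKey(registryHkeyAddress);
            writer.CallExitThread();

            // Change page protection so we can write executable code
            // NOTE(review): left disabled by the author; presumably the writer's allocation is
            // already usable as-is — confirm.
            //VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, MemoryProtection.ExecuteReadWrite, &oldProtect);

            Task task = process.CreateRemoteThread(writer);
            // Wait for the task before resuming, so the child is resumed only after it completes.
            task.Wait();

            process.Resume();
        }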