/// <summary> /// Inject the "functionPointer" with "parameters" into Remote Process /// </summary> /// <param name="processHandle">Remote Process Handle</param> /// <param name="functionPointer">LoadLibraryW Function Pointer</param> /// <param name="clrLoaderFullPath">DNCIClrLoader.exe Full Path</param> private Int32 Inject(IntPtr processHandle, IntPtr functionPointer, String parameters) { // Set Array to Write byte[] toWriteData = Encoding.Unicode.GetBytes(parameters); // Compute Required Space on Remote Process uint requiredRemoteMemorySize = (uint)( (toWriteData.Length) * Marshal.SizeOf(typeof(char)) ) + (uint)Marshal.SizeOf(typeof(char)); // Alocate Required Memory Space on Remote Process IntPtr allocMemAddress = NativeExecution.VirtualAllocEx( processHandle, IntPtr.Zero, requiredRemoteMemorySize, NativeConstants.MEM_RESERVE | NativeConstants.MEM_COMMIT, NativeConstants.PAGE_READWRITE ); // Write Argument on Remote Process UIntPtr bytesWritten; bool success = NativeExecution.WriteProcessMemory( processHandle, allocMemAddress, toWriteData, requiredRemoteMemorySize, out bytesWritten ); // Create Remote Thread IntPtr createRemoteThread = NativeExecution.CreateRemoteThread( processHandle, IntPtr.Zero, 0, functionPointer, allocMemAddress, 0, IntPtr.Zero ); // Wait Thread to Exit NativeExecution.WaitForSingleObject(createRemoteThread, NativeConstants.INFINITE); // Release Memory in Remote Process NativeExecution.VirtualFreeEx(processHandle, allocMemAddress, 0, NativeConstants.MEM_RELEASE); // Get Thread Exit Code Int32 exitCode; NativeExecution.GetExitCodeThread(createRemoteThread, out exitCode); // Close Remote Handle NativeExecution.CloseHandle(createRemoteThread); return(exitCode); }
/// <summary> /// Find the "moduleName" into Remote Process /// </summary> /// <param name="targetProcessHandle">Target Process Handler</param> /// <param name="moduleName">Desired Module Name</param> /// <returns></returns> private IntPtr FindRemoteModuleHandle(IntPtr targetProcessHandle, String moduleName) { NativeStructures.MODULEENTRY32 moduleEntry = new NativeStructures.MODULEENTRY32() { dwSize = (uint)Marshal.SizeOf(typeof(NativeStructures.MODULEENTRY32)) }; uint targetProcessId = NativeExecution.GetProcessId(targetProcessHandle); IntPtr snapshotHandle = NativeExecution.CreateToolhelp32Snapshot( NativeStructures.SnapshotFlags.Module | NativeStructures.SnapshotFlags.Module32, targetProcessId ); // Check if is Valid if (!NativeExecution.Module32First(snapshotHandle, ref moduleEntry)) { NativeExecution.CloseHandle(snapshotHandle); return(IntPtr.Zero); } // Enumerate all Modules until find the "moduleName" while (NativeExecution.Module32Next(snapshotHandle, ref moduleEntry)) { if (moduleEntry.szModule == moduleName) { break; } } // Close the Handle NativeExecution.CloseHandle(snapshotHandle); // Return if Success on Search if (moduleEntry.szModule == moduleName) { return(moduleEntry.modBaseAddr); } return(IntPtr.Zero); }
/// <summary> /// Inject .NET Assembly into Remote Process /// </summary> /// <returns></returns> private InjectorResult DoInject(Int32 targetProcessId) { // Create Result Object InjectorResult hResult = new InjectorResult() { TargetProcessId = targetProcessId }; try { // Copy DNCIClrLoader.dll into Temporary Folder with Random Name String dnciLoaderLibraryPath = WriteLoaderToDisk(); // Open and get handle of the process - with required privileges IntPtr targetProcessHandle = NativeExecution.OpenProcess( NativeConstants.PROCESS_ALL_ACCESS, false, targetProcessId ); // Check Process Handle if (targetProcessHandle == null || targetProcessHandle == IntPtr.Zero) { hResult.Status = InjectorResultStatus.UNABLE_TO_GET_PROCESS_HANDLE; return(hResult); } // Get Process Name hResult.TargetProcessName = Process.GetProcessById(targetProcessId).ProcessName; // Find the LoadDNA Function Point into Remote Process Memory IntPtr dnciModuleHandle = DNCIClrLoader(targetProcessHandle, dnciLoaderLibraryPath, Path.GetFileName(dnciLoaderLibraryPath)); // Check Injector Handle if (dnciModuleHandle == null || dnciModuleHandle == IntPtr.Zero) { hResult.Status = InjectorResultStatus.UNABLE_TO_FIND_INJECTOR_HANDLE; return(hResult); } // Inject Managed Assembly LoadManagedAssemblyOnRemoteProcess(targetProcessHandle, dnciModuleHandle, this.configuration.MethodName, this.configuration.AssemblyFileLocation, this.configuration.TypeName, this.configuration.ArgumentString, dnciLoaderLibraryPath); // Erase Modules from Target Process EraseRemoteModules(targetProcessHandle, dnciModuleHandle); // Close Remote Process Handle NativeExecution.CloseHandle(targetProcessHandle); // Remove Temporary File try { File.Delete(dnciLoaderLibraryPath); } catch { } hResult.Status = InjectorResultStatus.OK; } catch { hResult.Status = InjectorResultStatus.MASTER_ERROR; } return(hResult); }