// Token: 0x06000109 RID: 265 RVA: 0x0000C9E8 File Offset: 0x0000ABE8 public static InjectionMethod Create(InjectionMethodType type) { InjectionMethod injectionMethod; switch (type) { case InjectionMethodType.Standard: injectionMethod = new CRTInjection(); break; case InjectionMethodType.ThreadHijack: injectionMethod = new ThreadHijack(); break; case InjectionMethodType.ManualMap: injectionMethod = new ManualMap(); break; default: return(null); } if (injectionMethod != null) { injectionMethod.Type = type; } return(injectionMethod); }
/// <summary> /// Create a new InjectionMethod based on the specified MethodType /// </summary> /// <param name="type">Type of injection method to be created</param> /// <returns>A valid InjectionMethod instance if the 'type' parameter was valid, null otherwise</returns> public static InjectionMethod Create(InjectionMethodType type) { /** FACTORY CREATION **/ // So that I never have to expose individual classes to the library user. // the Create method will serve up the most appropriate InjectionMethod implementation, // and this makes it easier to hand out new versions of the library without worrying about // changing internal class names or adding new classes, etc. InjectionMethod method; switch (type) { case InjectionMethodType.ManualMap: method = new ManualMap(); break; case InjectionMethodType.Standard: method = new CRTInjection(); break; case InjectionMethodType.ThreadHijack: method = new ThreadHijack(); break; default: return(null); } if (method != null) { method.Type = type; } return(method); }
private static void PatchImports(PortableExecutable image, IntPtr hProcess, int processId) { string empty = string.Empty; string empty2 = string.Empty; foreach (IMAGE_IMPORT_DESCRIPTOR current in image.EnumImports()) { if (image.ReadString((long)((ulong)image.GetPtrFromRVA(current.Name)), SeekOrigin.Begin, out empty, -1, null)) { IntPtr intPtr = IntPtr.Zero; IntPtr arg_4F_0 = IntPtr.Zero; intPtr = ManualMap.GetRemoteModuleHandle(empty, processId); if (intPtr.IsNull()) { throw new FileNotFoundException(string.Format("Unable to load dependent module '{0}'.", empty)); } uint num = image.GetPtrFromRVA(current.FirstThunkPtr); uint num2 = (uint)Marshal.SizeOf(typeof(IMAGE_THUNK_DATA)); IMAGE_THUNK_DATA iMAGE_THUNK_DATA; while (image.Read <IMAGE_THUNK_DATA>((long)((ulong)num), SeekOrigin.Begin, out iMAGE_THUNK_DATA) && iMAGE_THUNK_DATA.u1.AddressOfData > 0u) { IntPtr intPtr2 = IntPtr.Zero; object obj; if ((iMAGE_THUNK_DATA.u1.Ordinal & 2147483648u) == 0u) { if (!image.ReadString((long)((ulong)(image.GetPtrFromRVA(iMAGE_THUNK_DATA.u1.AddressOfData) + 2u)), SeekOrigin.Begin, out empty2, -1, null)) { throw image.GetLastError(); } obj = empty2; } else { obj = (ushort)(iMAGE_THUNK_DATA.u1.Ordinal & 65535u); } if (!(intPtr2 = WinAPI.GetModuleHandleA(empty)).IsNull()) { IntPtr ptr = obj.GetType().Equals(typeof(string)) ? WinAPI.GetProcAddress(intPtr2, (string)obj) : WinAPI.GetProcAddress(intPtr2, (uint)((ushort)obj & 65535)); if (!ptr.IsNull()) { intPtr2 = intPtr.Add((long)ptr.Subtract((long)intPtr2.ToInt32()).ToInt32()); } } else { intPtr2 = WinAPI.GetProcAddressEx(hProcess, intPtr, obj); } if (intPtr2.IsNull()) { throw new EntryPointNotFoundException(string.Format("Unable to locate imported function '{0}' from module '{1}' in the remote process.", empty2, empty)); } image.Write <int>((long)((ulong)num), SeekOrigin.Begin, intPtr2.ToInt32()); num += num2; } } } }
public override bool Unload(IntPtr hModule, IntPtr hProcess) { this.ClearErrors(); if (hModule.IsNull()) { throw new ArgumentNullException("hModule", "Invalid module handle"); } if (hProcess.IsNull() || hProcess.Compare(-1L)) { throw new ArgumentException("Invalid process handle.", "hProcess"); } IntPtr intPtr = IntPtr.Zero; uint num = 0u; bool result; try { uint num2 = ManualMap.FindEntryPoint(hProcess, hModule); if (num2 != 0u) { byte[] array = (byte[])ManualMap.DLLMAIN_STUB.Clone(); BitConverter.GetBytes(hModule.ToInt32()).CopyTo(array, 11); BitConverter.GetBytes(0u).CopyTo(array, 6); BitConverter.GetBytes(1000u).CopyTo(array, 1); intPtr = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)ManualMap.DLLMAIN_STUB.Length, 12288, 64); if (intPtr.IsNull() || !WinAPI.WriteProcessMemory(hProcess, intPtr, array, array.Length, out num) || num != (uint)array.Length) { throw new InvalidOperationException("Unable to write stub to the remote process."); } IntPtr intPtr2 = WinAPI.CreateRemoteThread(hProcess, 0, 0, intPtr, (uint)hModule.Add((long)((ulong)num2)).ToInt32(), 0, 0); if ((ulong)WinAPI.WaitForSingleObject(intPtr2, 5000) == 0uL) { WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768); WinAPI.CloseHandle(intPtr2); result = WinAPI.VirtualFreeEx(hProcess, hModule, 0, 32768); } else { result = false; } } else { result = WinAPI.VirtualFreeEx(hProcess, hModule, 0, 32768); } } catch (Exception lastError) { this.SetLastError(lastError); result = false; } return(result); }
// Token: 0x0600011A RID: 282 RVA: 0x0000D44C File Offset: 0x0000B64C public override IntPtr Inject(PortableExecutable image, IntPtr hProcess) { this.ClearErrors(); IntPtr result; try { result = ManualMap.MapModule(Utils.DeepClone <PortableExecutable>(image), hProcess, true); } catch (Exception lastError) { this.SetLastError(lastError); result = IntPtr.Zero; } return(result); }
/// <summary> /// Create a new InjectionMethod based on the specified MethodType /// </summary> /// <param name="type">Type of injection method to be created</param> /// <returns>A valid InjectionMethod instance if the 'type' parameter was valid, null otherwise</returns> public static InjectionMethod Create(InjectionMethodType type) { /** FACTORY CREATION **/ // So that I never have to expose individual classes to the library user. // the Create method will serve up the most appropriate InjectionMethod implementation, // and this makes it easier to hand out new versions of the library without worrying about // changing internal class names or adding new classes, etc. InjectionMethod method; switch (type) { case InjectionMethodType.ManualMap: method = new ManualMap(); break; case InjectionMethodType.Standard: method = new CRTInjection(); break; case InjectionMethodType.ThreadHijack: method = new ThreadHijack(); break; default: return null; } if (method != null) method.Type = type; return method; }
// Token: 0x06000124 RID: 292 RVA: 0x0000E2BC File Offset: 0x0000C4BC private static byte[] ExtractManifest(PortableExecutable image) { byte[] result = null; ResourceWalker resourceWalker = new ResourceWalker(image); ResourceWalker.ResourceDirectory resourceDirectory = null; int num = 0; while (num < resourceWalker.Root.Directories.Length && resourceDirectory == null) { if ((long)resourceWalker.Root.Directories[num].Id == 24L) { resourceDirectory = resourceWalker.Root.Directories[num]; } num++; } if (resourceDirectory != null && resourceDirectory.Directories.Length > 0 && ManualMap.IsManifestResource(resourceDirectory.Directories[0].Id) && resourceDirectory.Directories[0].Files.Length == 1) { result = resourceDirectory.Directories[0].Files[0].GetData(); } return(result); }
// Token: 0x06000123 RID: 291 RVA: 0x0000DEE4 File Offset: 0x0000C0E4 private static bool LoadDependencies(PortableExecutable image, IntPtr hProcess, int processId) { List <string> list = new List <string>(); string empty = string.Empty; bool result = false; foreach (IMAGE_IMPORT_DESCRIPTOR image_IMPORT_DESCRIPTOR in image.EnumImports()) { if (image.ReadString((long)((ulong)image.GetPtrFromRVA(image_IMPORT_DESCRIPTOR.Name)), SeekOrigin.Begin, out empty, -1, null) && !string.IsNullOrEmpty(empty) && ManualMap.GetRemoteModuleHandle(empty, processId).IsNull()) { list.Add(empty); } } if (list.Count > 0) { byte[] array = ManualMap.ExtractManifest(image); string text = string.Empty; if (array == null) { if (string.IsNullOrEmpty(image.FileLocation) || !File.Exists(Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest"))) { InjectionMethod injectionMethod = InjectionMethod.Create(InjectionMethodType.Standard); IntPtr[] array2 = injectionMethod.InjectAll(list.ToArray(), hProcess); foreach (IntPtr ptr in array2) { if (ptr.IsNull()) { return(false); } } return(true); } text = Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest"); } else { text = Utils.WriteTempData(array); } if (string.IsNullOrEmpty(text)) { return(false); } IntPtr intPtr = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)ManualMap.RESOLVER_STUB.Length, 12288, 64); IntPtr lpAddress = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(text + "\0"), 4); IntPtr lpAddress2 = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(string.Join("\0", list.ToArray()) + "\0"), 4); if (!intPtr.IsNull()) { byte[] array4 = (byte[])ManualMap.RESOLVER_STUB.Clone(); uint num = 0u; BitConverter.GetBytes(ManualMap.FN_CREATEACTCTXA.Subtract(intPtr.Add(63L)).ToInt32()).CopyTo(array4, 59); BitConverter.GetBytes(ManualMap.FN_ACTIVATEACTCTX.Subtract(intPtr.Add(88L)).ToInt32()).CopyTo(array4, 84); BitConverter.GetBytes(ManualMap.FN_GETMODULEHANDLEA.Subtract(intPtr.Add(132L)).ToInt32()).CopyTo(array4, 128); BitConverter.GetBytes(ManualMap.FN_LOADLIBRARYA.Subtract(intPtr.Add(146L)).ToInt32()).CopyTo(array4, 142); BitConverter.GetBytes(ManualMap.FN_DEACTIVATEACTCTX.Subtract(intPtr.Add(200L)).ToInt32()).CopyTo(array4, 196); BitConverter.GetBytes(ManualMap.FN_RELEASEACTCTX.Subtract(intPtr.Add(209L)).ToInt32()).CopyTo(array4, 205); BitConverter.GetBytes(lpAddress.ToInt32()).CopyTo(array4, 31); BitConverter.GetBytes(list.Count).CopyTo(array4, 40); BitConverter.GetBytes(lpAddress2.ToInt32()).CopyTo(array4, 49); if (WinAPI.WriteProcessMemory(hProcess, intPtr, array4, array4.Length, out num) && num == (uint)array4.Length) { uint num2 = WinAPI.RunThread(hProcess, intPtr, 0u, 5000); result = (num2 != uint.MaxValue && num2 != 0u); } WinAPI.VirtualFreeEx(hProcess, lpAddress2, 0, 32768); WinAPI.VirtualFreeEx(hProcess, lpAddress, 0, 32768); WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768); } } return(result); }
// Token: 0x0600011E RID: 286 RVA: 0x0000D708 File Offset: 0x0000B908 private static IntPtr MapModule(PortableExecutable image, IntPtr hProcess, bool preserveHeaders = false) { if (!hProcess.IsNull() && !hProcess.Compare(-1L)) { if (image == null) { throw new ArgumentException("Cannot map a non-existant PE Image.", "image"); } int processId = WinAPI.GetProcessId(hProcess); if (processId == 0) { throw new ArgumentException("Provided handle doesn't have sufficient permissions to inject", "hProcess"); } IntPtr intPtr = IntPtr.Zero; IntPtr intPtr2 = IntPtr.Zero; uint num = 0u; try { intPtr = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, image.NTHeader.OptionalHeader.SizeOfImage, 12288, 4); if (intPtr.IsNull()) { throw new InvalidOperationException("Unable to allocate memory in the remote process."); } ManualMap.PatchRelocations(image, intPtr); ManualMap.LoadDependencies(image, hProcess, processId); ManualMap.PatchImports(image, hProcess, processId); if (preserveHeaders) { long num2 = (long)((ulong)image.DOSHeader.e_lfanew + (ulong)((long)Marshal.SizeOf(typeof(IMAGE_FILE_HEADER))) + 4UL + (ulong)image.NTHeader.FileHeader.SizeOfOptionalHeader); byte[] array = new byte[num2]; if (image.Read(0L, SeekOrigin.Begin, array)) { WinAPI.WriteProcessMemory(hProcess, intPtr, array, array.Length, out num); } } ManualMap.MapSections(image, hProcess, intPtr); if (image.NTHeader.OptionalHeader.AddressOfEntryPoint > 0u) { byte[] array2 = (byte[])ManualMap.DLLMAIN_STUB.Clone(); BitConverter.GetBytes(intPtr.ToInt32()).CopyTo(array2, 11); intPtr2 = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)ManualMap.DLLMAIN_STUB.Length, 12288, 64); if (!intPtr2.IsNull() && WinAPI.WriteProcessMemory(hProcess, intPtr2, array2, array2.Length, out num)) { if (num == (uint)array2.Length) { IntPtr intPtr3 = WinAPI.CreateRemoteThread(hProcess, 0, 0, intPtr2, (uint)intPtr.Add((long)((ulong)image.NTHeader.OptionalHeader.AddressOfEntryPoint)).ToInt32(), 0, 0); if ((ulong)WinAPI.WaitForSingleObject(intPtr3, 5000) != 0UL) { goto IL_23D; } WinAPI.GetExitCodeThread(intPtr3, out num); if (num == 0u) { WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768); throw new Exception("Entry method of module reported a failure " + Marshal.GetLastWin32Error().ToString()); } WinAPI.VirtualFreeEx(hProcess, intPtr2, 0, 32768); WinAPI.CloseHandle(intPtr3); goto IL_23D; } } throw new InvalidOperationException("Unable to write stub to the remote process."); } IL_23D: return(intPtr); } catch (Exception ex) { if (!intPtr.IsNull()) { WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768); } if (!intPtr2.IsNull()) { WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768); } intPtr = IntPtr.Zero; throw ex; } } throw new ArgumentException("Invalid process handle.", "hProcess"); }