// Token: 0x06000109 RID: 265 RVA: 0x0000C9E8 File Offset: 0x0000ABE8
public static InjectionMethod Create(InjectionMethodType type)
{
InjectionMethod injectionMethod;
switch (type)
{
case InjectionMethodType.Standard:
injectionMethod = new CRTInjection();
break;
case InjectionMethodType.ThreadHijack:
injectionMethod = new ThreadHijack();
break;
case InjectionMethodType.ManualMap:
injectionMethod = new ManualMap();
break;
default:
return(null);
}
if (injectionMethod != null)
{
injectionMethod.Type = type;
}
return(injectionMethod);
}
/// <summary>
/// Create a new InjectionMethod based on the specified MethodType
/// </summary>
/// <param name="type">Type of injection method to be created</param>
/// <returns>A valid InjectionMethod instance if the 'type' parameter was valid, null otherwise</returns>
public static InjectionMethod Create(InjectionMethodType type)
{
/** FACTORY CREATION **/
// So that I never have to expose individual classes to the library user.
// the Create method will serve up the most appropriate InjectionMethod implementation,
// and this makes it easier to hand out new versions of the library without worrying about
// changing internal class names or adding new classes, etc.
InjectionMethod method;
switch (type)
{
case InjectionMethodType.ManualMap:
method = new ManualMap(); break;
case InjectionMethodType.Standard:
method = new CRTInjection(); break;
case InjectionMethodType.ThreadHijack:
method = new ThreadHijack(); break;
default:
return(null);
}
if (method != null)
{
method.Type = type;
}
return(method);
}
private static void PatchImports(PortableExecutable image, IntPtr hProcess, int processId)
{
string empty = string.Empty;
string empty2 = string.Empty;
foreach (IMAGE_IMPORT_DESCRIPTOR current in image.EnumImports())
{
if (image.ReadString((long)((ulong)image.GetPtrFromRVA(current.Name)), SeekOrigin.Begin, out empty, -1, null))
{
IntPtr intPtr = IntPtr.Zero;
IntPtr arg_4F_0 = IntPtr.Zero;
intPtr = ManualMap.GetRemoteModuleHandle(empty, processId);
if (intPtr.IsNull())
{
throw new FileNotFoundException(string.Format("Unable to load dependent module '{0}'.", empty));
}
uint num = image.GetPtrFromRVA(current.FirstThunkPtr);
uint num2 = (uint)Marshal.SizeOf(typeof(IMAGE_THUNK_DATA));
IMAGE_THUNK_DATA iMAGE_THUNK_DATA;
while (image.Read <IMAGE_THUNK_DATA>((long)((ulong)num), SeekOrigin.Begin, out iMAGE_THUNK_DATA) && iMAGE_THUNK_DATA.u1.AddressOfData > 0u)
{
IntPtr intPtr2 = IntPtr.Zero;
object obj;
if ((iMAGE_THUNK_DATA.u1.Ordinal & 2147483648u) == 0u)
{
if (!image.ReadString((long)((ulong)(image.GetPtrFromRVA(iMAGE_THUNK_DATA.u1.AddressOfData) + 2u)), SeekOrigin.Begin, out empty2, -1, null))
{
throw image.GetLastError();
}
obj = empty2;
}
else
{
obj = (ushort)(iMAGE_THUNK_DATA.u1.Ordinal & 65535u);
}
if (!(intPtr2 = WinAPI.GetModuleHandleA(empty)).IsNull())
{
IntPtr ptr = obj.GetType().Equals(typeof(string)) ? WinAPI.GetProcAddress(intPtr2, (string)obj) : WinAPI.GetProcAddress(intPtr2, (uint)((ushort)obj & 65535));
if (!ptr.IsNull())
{
intPtr2 = intPtr.Add((long)ptr.Subtract((long)intPtr2.ToInt32()).ToInt32());
}
}
else
{
intPtr2 = WinAPI.GetProcAddressEx(hProcess, intPtr, obj);
}
if (intPtr2.IsNull())
{
throw new EntryPointNotFoundException(string.Format("Unable to locate imported function '{0}' from module '{1}' in the remote process.", empty2, empty));
}
image.Write <int>((long)((ulong)num), SeekOrigin.Begin, intPtr2.ToInt32());
num += num2;
}
}
}
}
public override bool Unload(IntPtr hModule, IntPtr hProcess)
{
this.ClearErrors();
if (hModule.IsNull())
{
throw new ArgumentNullException("hModule", "Invalid module handle");
}
if (hProcess.IsNull() || hProcess.Compare(-1L))
{
throw new ArgumentException("Invalid process handle.", "hProcess");
}
IntPtr intPtr = IntPtr.Zero;
uint num = 0u;
bool result;
try
{
uint num2 = ManualMap.FindEntryPoint(hProcess, hModule);
if (num2 != 0u)
{
byte[] array = (byte[])ManualMap.DLLMAIN_STUB.Clone();
BitConverter.GetBytes(hModule.ToInt32()).CopyTo(array, 11);
BitConverter.GetBytes(0u).CopyTo(array, 6);
BitConverter.GetBytes(1000u).CopyTo(array, 1);
intPtr = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)ManualMap.DLLMAIN_STUB.Length, 12288, 64);
if (intPtr.IsNull() || !WinAPI.WriteProcessMemory(hProcess, intPtr, array, array.Length, out num) || num != (uint)array.Length)
{
throw new InvalidOperationException("Unable to write stub to the remote process.");
}
IntPtr intPtr2 = WinAPI.CreateRemoteThread(hProcess, 0, 0, intPtr, (uint)hModule.Add((long)((ulong)num2)).ToInt32(), 0, 0);
if ((ulong)WinAPI.WaitForSingleObject(intPtr2, 5000) == 0uL)
{
WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768);
WinAPI.CloseHandle(intPtr2);
result = WinAPI.VirtualFreeEx(hProcess, hModule, 0, 32768);
}
else
{
result = false;
}
}
else
{
result = WinAPI.VirtualFreeEx(hProcess, hModule, 0, 32768);
}
}
catch (Exception lastError)
{
this.SetLastError(lastError);
result = false;
}
return(result);
}
// Token: 0x0600011A RID: 282 RVA: 0x0000D44C File Offset: 0x0000B64C
public override IntPtr Inject(PortableExecutable image, IntPtr hProcess)
{
this.ClearErrors();
IntPtr result;
try
{
result = ManualMap.MapModule(Utils.DeepClone <PortableExecutable>(image), hProcess, true);
}
catch (Exception lastError)
{
this.SetLastError(lastError);
result = IntPtr.Zero;
}
return(result);
}
/// <summary>
/// Create a new InjectionMethod based on the specified MethodType
/// </summary>
/// <param name="type">Type of injection method to be created</param>
/// <returns>A valid InjectionMethod instance if the 'type' parameter was valid, null otherwise</returns>
public static InjectionMethod Create(InjectionMethodType type)
{
/** FACTORY CREATION **/
// So that I never have to expose individual classes to the library user.
// the Create method will serve up the most appropriate InjectionMethod implementation,
// and this makes it easier to hand out new versions of the library without worrying about
// changing internal class names or adding new classes, etc.
InjectionMethod method;
switch (type)
{
case InjectionMethodType.ManualMap:
method = new ManualMap(); break;
case InjectionMethodType.Standard:
method = new CRTInjection(); break;
case InjectionMethodType.ThreadHijack:
method = new ThreadHijack(); break;
default:
return null;
}
if (method != null)
method.Type = type;
return method;
}
// Token: 0x06000124 RID: 292 RVA: 0x0000E2BC File Offset: 0x0000C4BC
private static byte[] ExtractManifest(PortableExecutable image)
{
byte[] result = null;
ResourceWalker resourceWalker = new ResourceWalker(image);
ResourceWalker.ResourceDirectory resourceDirectory = null;
int num = 0;
while (num < resourceWalker.Root.Directories.Length && resourceDirectory == null)
{
if ((long)resourceWalker.Root.Directories[num].Id == 24L)
{
resourceDirectory = resourceWalker.Root.Directories[num];
}
num++;
}
if (resourceDirectory != null && resourceDirectory.Directories.Length > 0 && ManualMap.IsManifestResource(resourceDirectory.Directories[0].Id) && resourceDirectory.Directories[0].Files.Length == 1)
{
result = resourceDirectory.Directories[0].Files[0].GetData();
}
return(result);
}
// Token: 0x06000123 RID: 291 RVA: 0x0000DEE4 File Offset: 0x0000C0E4
private static bool LoadDependencies(PortableExecutable image, IntPtr hProcess, int processId)
{
List <string> list = new List <string>();
string empty = string.Empty;
bool result = false;
foreach (IMAGE_IMPORT_DESCRIPTOR image_IMPORT_DESCRIPTOR in image.EnumImports())
{
if (image.ReadString((long)((ulong)image.GetPtrFromRVA(image_IMPORT_DESCRIPTOR.Name)), SeekOrigin.Begin, out empty, -1, null) && !string.IsNullOrEmpty(empty) && ManualMap.GetRemoteModuleHandle(empty, processId).IsNull())
{
list.Add(empty);
}
}
if (list.Count > 0)
{
byte[] array = ManualMap.ExtractManifest(image);
string text = string.Empty;
if (array == null)
{
if (string.IsNullOrEmpty(image.FileLocation) || !File.Exists(Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest")))
{
InjectionMethod injectionMethod = InjectionMethod.Create(InjectionMethodType.Standard);
IntPtr[] array2 = injectionMethod.InjectAll(list.ToArray(), hProcess);
foreach (IntPtr ptr in array2)
{
if (ptr.IsNull())
{
return(false);
}
}
return(true);
}
text = Path.Combine(Path.GetDirectoryName(image.FileLocation), Path.GetFileName(image.FileLocation) + ".manifest");
}
else
{
text = Utils.WriteTempData(array);
}
if (string.IsNullOrEmpty(text))
{
return(false);
}
IntPtr intPtr = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)ManualMap.RESOLVER_STUB.Length, 12288, 64);
IntPtr lpAddress = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(text + "\0"), 4);
IntPtr lpAddress2 = WinAPI.CreateRemotePointer(hProcess, Encoding.ASCII.GetBytes(string.Join("\0", list.ToArray()) + "\0"), 4);
if (!intPtr.IsNull())
{
byte[] array4 = (byte[])ManualMap.RESOLVER_STUB.Clone();
uint num = 0u;
BitConverter.GetBytes(ManualMap.FN_CREATEACTCTXA.Subtract(intPtr.Add(63L)).ToInt32()).CopyTo(array4, 59);
BitConverter.GetBytes(ManualMap.FN_ACTIVATEACTCTX.Subtract(intPtr.Add(88L)).ToInt32()).CopyTo(array4, 84);
BitConverter.GetBytes(ManualMap.FN_GETMODULEHANDLEA.Subtract(intPtr.Add(132L)).ToInt32()).CopyTo(array4, 128);
BitConverter.GetBytes(ManualMap.FN_LOADLIBRARYA.Subtract(intPtr.Add(146L)).ToInt32()).CopyTo(array4, 142);
BitConverter.GetBytes(ManualMap.FN_DEACTIVATEACTCTX.Subtract(intPtr.Add(200L)).ToInt32()).CopyTo(array4, 196);
BitConverter.GetBytes(ManualMap.FN_RELEASEACTCTX.Subtract(intPtr.Add(209L)).ToInt32()).CopyTo(array4, 205);
BitConverter.GetBytes(lpAddress.ToInt32()).CopyTo(array4, 31);
BitConverter.GetBytes(list.Count).CopyTo(array4, 40);
BitConverter.GetBytes(lpAddress2.ToInt32()).CopyTo(array4, 49);
if (WinAPI.WriteProcessMemory(hProcess, intPtr, array4, array4.Length, out num) && num == (uint)array4.Length)
{
uint num2 = WinAPI.RunThread(hProcess, intPtr, 0u, 5000);
result = (num2 != uint.MaxValue && num2 != 0u);
}
WinAPI.VirtualFreeEx(hProcess, lpAddress2, 0, 32768);
WinAPI.VirtualFreeEx(hProcess, lpAddress, 0, 32768);
WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768);
}
}
return(result);
}
// Token: 0x0600011E RID: 286 RVA: 0x0000D708 File Offset: 0x0000B908
private static IntPtr MapModule(PortableExecutable image, IntPtr hProcess, bool preserveHeaders = false)
{
if (!hProcess.IsNull() && !hProcess.Compare(-1L))
{
if (image == null)
{
throw new ArgumentException("Cannot map a non-existant PE Image.", "image");
}
int processId = WinAPI.GetProcessId(hProcess);
if (processId == 0)
{
throw new ArgumentException("Provided handle doesn't have sufficient permissions to inject", "hProcess");
}
IntPtr intPtr = IntPtr.Zero;
IntPtr intPtr2 = IntPtr.Zero;
uint num = 0u;
try
{
intPtr = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, image.NTHeader.OptionalHeader.SizeOfImage, 12288, 4);
if (intPtr.IsNull())
{
throw new InvalidOperationException("Unable to allocate memory in the remote process.");
}
ManualMap.PatchRelocations(image, intPtr);
ManualMap.LoadDependencies(image, hProcess, processId);
ManualMap.PatchImports(image, hProcess, processId);
if (preserveHeaders)
{
long num2 = (long)((ulong)image.DOSHeader.e_lfanew + (ulong)((long)Marshal.SizeOf(typeof(IMAGE_FILE_HEADER))) + 4UL + (ulong)image.NTHeader.FileHeader.SizeOfOptionalHeader);
byte[] array = new byte[num2];
if (image.Read(0L, SeekOrigin.Begin, array))
{
WinAPI.WriteProcessMemory(hProcess, intPtr, array, array.Length, out num);
}
}
ManualMap.MapSections(image, hProcess, intPtr);
if (image.NTHeader.OptionalHeader.AddressOfEntryPoint > 0u)
{
byte[] array2 = (byte[])ManualMap.DLLMAIN_STUB.Clone();
BitConverter.GetBytes(intPtr.ToInt32()).CopyTo(array2, 11);
intPtr2 = WinAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)ManualMap.DLLMAIN_STUB.Length, 12288, 64);
if (!intPtr2.IsNull() && WinAPI.WriteProcessMemory(hProcess, intPtr2, array2, array2.Length, out num))
{
if (num == (uint)array2.Length)
{
IntPtr intPtr3 = WinAPI.CreateRemoteThread(hProcess, 0, 0, intPtr2, (uint)intPtr.Add((long)((ulong)image.NTHeader.OptionalHeader.AddressOfEntryPoint)).ToInt32(), 0, 0);
if ((ulong)WinAPI.WaitForSingleObject(intPtr3, 5000) != 0UL)
{
goto IL_23D;
}
WinAPI.GetExitCodeThread(intPtr3, out num);
if (num == 0u)
{
WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768);
throw new Exception("Entry method of module reported a failure " + Marshal.GetLastWin32Error().ToString());
}
WinAPI.VirtualFreeEx(hProcess, intPtr2, 0, 32768);
WinAPI.CloseHandle(intPtr3);
goto IL_23D;
}
}
throw new InvalidOperationException("Unable to write stub to the remote process.");
}
IL_23D:
return(intPtr);
}
catch (Exception ex)
{
if (!intPtr.IsNull())
{
WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768);
}
if (!intPtr2.IsNull())
{
WinAPI.VirtualFreeEx(hProcess, intPtr, 0, 32768);
}
intPtr = IntPtr.Zero;
throw ex;
}
}
throw new ArgumentException("Invalid process handle.", "hProcess");
}
