/// <summary>
/// Copies <paramref name="writer"/>'s buffer into the target process (<c>processInfo.hProcess</c>)
/// at <c>writer.TargetStartAddress</c>, flushes the instruction cache over that range and starts a
/// remote thread at <c>writer.CodeTargetStartAddress</c>. The returned task waits for that thread
/// to exit and then releases the written region.
/// </summary>
/// <param name="writer">Supplies the bytes to copy (<c>Buffer</c>/<c>Size</c>) and the target addresses.</param>
/// <returns>An already-started task that completes after the remote thread has exited and the region is freed.</returns>
/// <remarks>
/// NOTE(review): none of the Win32 return values are checked and the <c>GetLastWin32Error</c> reads are
/// commented out, so a failed write or a zero <c>hThread</c> is never surfaced to the caller.
/// NOTE(review): <c>hThread</c> is never passed to CloseHandle, so one thread handle leaks per call.
/// The WriteProcessMemory → CreateRemoteThread sequence against another process is a pattern that
/// endpoint monitoring is expected to record; that telemetry is the detection point for this code.
/// </remarks>
public Task CreateRemoteThread(MemoryWriter writer)
{
    UIntPtr bytesWriten; // sic: the byte count is received but never inspected
    Win32.WriteProcessMemory(processInfo.hProcess, writer.TargetStartAddress, writer.Buffer, (uint)writer.Size, out bytesWriten);
    //lastWin32Error = Marshal.GetLastWin32Error();
    // Make sure the target's instruction cache reflects the freshly written bytes before they execute.
    Win32.FlushInstructionCache(processInfo.hProcess, writer.TargetStartAddress, new UIntPtr((uint)writer.Size));
    //lastWin32Error = Marshal.GetLastWin32Error();
    // Thread entry is the code address, which the writer distinguishes from the start of the written region.
    IntPtr hThread = Win32.CreateRemoteThread(processInfo.hProcess, IntPtr.Zero, 0, writer.CodeTargetStartAddress, IntPtr.Zero, 0, IntPtr.Zero);
    //lastWin32Error = Marshal.GetLastWin32Error();
    Task task = new Task(() =>
    {
        // Block until the remote thread exits. With a zero hThread this presumably fails at once
        // and the free below still runs — confirm before relying on that.
        Win32.WaitForSingleObject(hThread, Win32.INFINITE);
        // Free the memory in the process that we allocated
        Win32.VirtualFreeEx(processInfo.hProcess, writer.TargetStartAddress, 0, Win32.FreeType.Release);
    });
    task.Start();
    return(task);
}
/// <summary>
/// Writes <paramref name="writer"/>'s buffer into <c>processInfo.hProcess</c> at
/// <c>writer.TargetStartAddress</c>, flushes the instruction cache for that range, and creates a
/// remote thread whose entry point is <c>writer.CodeTargetStartAddress</c>. A background task waits
/// for the thread to finish and then releases the region.
/// </summary>
/// <param name="writer">Provides the bytes (<c>Buffer</c>, <c>Size</c>) and the addresses in the target process.</param>
/// <returns>A started task that finishes once the remote thread has exited and the region has been freed.</returns>
/// <remarks>
/// NOTE(review): the results of WriteProcessMemory, FlushInstructionCache and CreateRemoteThread are
/// discarded and the error reads are commented out; failures are invisible to the caller.
/// NOTE(review): <c>hThread</c> is not closed anywhere in this method, so a thread handle leaks each call.
/// Cross-process memory writes followed by CreateRemoteThread are what endpoint telemetry records
/// and alerts on; that is where this activity becomes visible to defenders.
/// </remarks>
public Task CreateRemoteThread(MemoryWriter writer)
{
    UIntPtr bytesWriten; // sic: received but never checked against writer.Size
    Win32.WriteProcessMemory(processInfo.hProcess, writer.TargetStartAddress, writer.Buffer, (uint)writer.Size, out bytesWriten);
    //lastWin32Error = Marshal.GetLastWin32Error();
    // Flush so the target executes the bytes just written rather than stale cache contents.
    Win32.FlushInstructionCache(processInfo.hProcess, writer.TargetStartAddress, new UIntPtr((uint)writer.Size));
    //lastWin32Error = Marshal.GetLastWin32Error();
    // Start address is the writer's code address, not necessarily the first byte of the region.
    IntPtr hThread = Win32.CreateRemoteThread(processInfo.hProcess, IntPtr.Zero, 0, writer.CodeTargetStartAddress, IntPtr.Zero, 0, IntPtr.Zero);
    //lastWin32Error = Marshal.GetLastWin32Error();
    Task task = new Task(() =>
    {
        // Wait for the remote thread to exit; the wait result is not examined, so the
        // free runs whether the wait succeeded or failed.
        Win32.WaitForSingleObject(hThread, Win32.INFINITE);
        // Free the memory in the process that we allocated
        Win32.VirtualFreeEx(processInfo.hProcess, writer.TargetStartAddress, 0, Win32.FreeType.Release);
    });
    task.Start();
    return task;
}
/// <summary>
/// Entry point: launches <c>TestApplication</c> suspended, prepares a call sequence in its memory
/// that loads Advapi32.dll and invokes RegOpenKey / RegOverridePredefKey / RegCloseKey so that the
/// child's HKEY_CURRENT_USER resolves under <c>HKCU\Pieter\Test</c> (RegOverridePredefKey affects only
/// the calling process), runs that sequence on a remote thread, waits for it, then resumes the child.
/// </summary>
/// <param name="args">Unused.</param>
/// <remarks>
/// NOTE(review): <c>lastWin32Error</c> is declared but never assigned or read.
/// NOTE(review): the HKEY result slot is 4 bytes (<c>writer.Alloc(4)</c>), which fits a 32-bit HKEY
/// only — confirm the target is 32-bit or widen the slot.
/// NOTE(review): <c>CallRegCloseKey</c> is handed the address of the HKEY slot rather than the HKEY
/// value; whether MemoryWriter dereferences it is not visible here — verify against that class.
/// From a monitoring standpoint the observable sequence is: suspended child, cross-process memory
/// write, remote thread, then resume — the standard telemetry shape to attribute to this parent.
/// </remarks>
static void Main(string[] args)
{
    int lastWin32Error;
    // Created suspended, presumably so the registry override is in place before the child runs its own code.
    InjectableProcess process = new InjectableProcess(TestApplication, ProcessCreationOptions.NormalPriorityClass | ProcessCreationOptions.CreateSuspended);
    MemoryWriter writer = process.CreateMemoryWriter(1024);
    // Strings and scratch space referenced by the queued calls, placed in the child's memory.
    IntPtr advapi32 = writer.WriteValue("Advapi32.dll");
    IntPtr registryKeyAddress = writer.WriteValue(@"Pieter\Test");
    IntPtr registryHkeyAddress = writer.Alloc(4); // receives the HKEY opened by RegOpenKey
    writer.CallLoadLibrary(advapi32);
    writer.CallRegOpenKey(0x80000001, registryKeyAddress, registryHkeyAddress); //HKEY_CURRENT_USER
    writer.CallRegOverridePredefKey(0x80000001, registryHkeyAddress);
    writer.CallRegCloseKey(registryHkeyAddress);
    // The remote thread ends itself; the task returned by CreateRemoteThread waits on that exit.
    writer.CallExitThread();
    // Change page protection so we can write executable code
    //VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, MemoryProtection.ExecuteReadWrite, &oldProtect);
    Task task = process.CreateRemoteThread(writer);
    task.Wait();
    process.Resume();
}