/// <summary>
/// Closes the handle to the process, if it is open.
/// </summary>
public void Close()
{
if (this.ProcHandle != null && !this.ProcHandle.Equals(IntPtr.Zero))
{
WinApi.CloseHandle(this.ProcHandle);
this.ProcHandle = IntPtr.Zero;
}
}
/// <summary>
/// Opens the process by id. Stores information about the target process.
/// </summary>
/// <param name="pid">The process identifier of the target process.</param>
/// <returns>Returns true on success.</returns>
public bool Open(uint pid)
{
if (!SysInteractor.IsInitialized)
{
SysInteractor.Init();
}
WinApi.ProcessRights flags =
WinApi.ProcessRights.QUERY_INFORMATION |
WinApi.ProcessRights.VM_READ |
WinApi.ProcessRights.VM_WRITE |
WinApi.ProcessRights.VM_OPERATION;
this.ProcHandle = WinApi.OpenProcess(flags, false, pid);
if (this.ProcHandle != null)
{
try
{
this.Proc = Process.GetProcessById((int)pid);
}
catch (ArgumentException)
{
WinApi.CloseHandle(this.ProcHandle);
return(false);
}
bool isWow64;
if (!WinApi.IsWow64Process(this.ProcHandle, out isWow64))
{
this.Status.Log(
"Unable to determine bitness of process: " + this.Proc.ProcessName, Logger.Level.HIGH);
}
// 64-bit process detection.
// Note: This does not take into account for PAE. No plans to support PAE currently exist.
if (isWow64)
{
// For scanning purposes, Wow64 processes will be treated as as 32-bit processes.
this.Is64Bit = false;
this.d.TargetArchitecture = Disassembler.Architecture.x86_32;
}
else
{
// If it is not Wow64, then the process is natively running, so set it according to the OS
// architecture.
this.Is64Bit = SysInteractor.Is64Bit;
this.d.TargetArchitecture =
this.Is64Bit ? Disassembler.Architecture.x86_64 : Disassembler.Architecture.x86_32;
}
return(true);
}
else
{
this.Status.Log("Unable to open the target process.", Logger.Level.HIGH);
return(false);
}
}
internal static bool HasExitedSafe(this Process p)
{
System.Runtime.InteropServices.ComTypes.FILETIME create, exit, kernel, user;
IntPtr handle = WinApi.OpenProcess(WinApi.ProcessRights.QUERY_LIMITED_INFORMATION, false, (uint)p.Id);
WinApi.GetProcessTimes(handle, out create, out exit, out kernel, out user);
WinApi.CloseHandle(handle);
return((exit.dwHighDateTime != 0) && (exit.dwLowDateTime != 0));
}
/// <summary>
/// Gets the name of the file referenced by the supplied file handle.
/// </summary>
/// <param name="fileHandle">The handle to the file.</param>
/// <returns>Returns the full path to the file.</returns>
/// <remarks>Thanks to Rudi for providing this code. http://stackoverflow.com/a/3314313</remarks>
public static string GetFileNameFromHandle(IntPtr fileHandle)
{
string fileName = string.Empty;
IntPtr fileMap = IntPtr.Zero, fileSizeHi = IntPtr.Zero;
uint fileSizeLo = 0;
fileSizeLo = WinApi.GetFileSize(fileHandle, fileSizeHi);
if (fileSizeLo == 0)
{
// Cannot map a 0 byte file.
return("Empty file.");
}
fileMap =
WinApi.CreateFileMapping(fileHandle, IntPtr.Zero, WinApi.FileMapProtection.PageReadonly, 0, 1, null);
if (fileMap != IntPtr.Zero)
{
IntPtr memPtr = WinApi.MapViewOfFile(fileMap, WinApi.FileMapAccess.FileMapRead, 0, 0, 1);
if (memPtr != IntPtr.Zero)
{
StringBuilder fn = new StringBuilder(250);
WinApi.GetMappedFileName(System.Diagnostics.Process.GetCurrentProcess().Handle, memPtr, fn, 250);
if (fn.Length > 0)
{
WinApi.UnmapViewOfFile(memPtr);
WinApi.CloseHandle(fileHandle);
return(fn.ToString());
}
else
{
WinApi.UnmapViewOfFile(memPtr);
WinApi.CloseHandle(fileHandle);
return("Empty filename.");
}
}
}
return("Empty filemap handle.");
}
/// <summary>
/// Load a DLL in an external process.
/// </summary>
/// <param name="dllPath">The path to the DLL to be loaded.</param>
/// <returns>Returns true if the DLL was successfully loaded in the target process.</returns>
public bool InjectDll(string dllPath)
{
IntPtr injectHandle = IntPtr.Zero;
IntPtr remoteString = IntPtr.Zero;
IntPtr loadLibAddy = IntPtr.Zero;
// If the PID has not been set, then not enough information is available for the injection.
if (!this.IsOpen)
{
return(false);
}
// Get a higher level access handle than the one originally used to open the process.
injectHandle = WinApi.OpenProcess(
WinApi.ProcessRights.CREATE_THREAD |
WinApi.ProcessRights.QUERY_INFORMATION |
WinApi.ProcessRights.VM_OPERATION |
WinApi.ProcessRights.VM_WRITE |
WinApi.ProcessRights.VM_READ,
false,
(uint)this.PID);
if (injectHandle == null || injectHandle.Equals(IntPtr.Zero))
{
#if DEBUG
Console.Error.WriteLine("OpenProcess() failed: " + Marshal.GetLastWin32Error());
#endif
return(false);
}
// Get the address of the function that will load the DLL.
loadLibAddy = WinApi.GetProcAddress(WinApi.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Allocate a section of memory in the target process to in which to store store the DLL path.
remoteString = WinApi.VirtualAllocEx(
injectHandle,
IntPtr.Zero,
(uint)dllPath.Length,
WinApi.MemoryState.MEM_RESERVE | WinApi.MemoryState.MEM_COMMIT,
WinApi.MemoryProtect.PAGE_READWRITE);
if (remoteString == null || remoteString.Equals(IntPtr.Zero))
{
#if DEBUG
Console.Error.WriteLine("VirtualAllocEx() failed: " + Marshal.GetLastWin32Error());
#endif
WinApi.CloseHandle(injectHandle);
return(false);
}
// Write the DLL name to the remote process' memory space.
uint numBytesWritten = 0;
bool wpm = WinApi.WriteProcessMemory(
injectHandle, remoteString, this.GetBytes(dllPath), (uint)dllPath.Length, out numBytesWritten);
if (!wpm)
{
#if DEBUG
Console.Error.WriteLine("WriteProcessMemory() failed: " + Marshal.GetLastWin32Error());
#endif
WinApi.CloseHandle(injectHandle);
return(false);
}
// Load the DLL, by calling the LoadLibrary function in the remote process.
uint threadId = 0;
IntPtr result = WinApi.CreateRemoteThread(
injectHandle, IntPtr.Zero, 0, loadLibAddy, remoteString, 0, out threadId);
if (result == null || result.Equals(IntPtr.Zero) || threadId == 0)
{
#if DEBUG
Console.Error.WriteLine("CreateRemoteThread() failed: " + Marshal.GetLastWin32Error());
#endif
WinApi.CloseHandle(injectHandle);
return(false);
}
// Clean up and exit.
WinApi.CloseHandle(injectHandle);
return(true);
}
