public TargetInstanceFactory(IOptions <InjectionOptions> options, ILogger <TargetInstanceFactory <TConfiguration> > logger, IServiceConfigurationProvider <TConfigurationKey, TConfiguration> configurationProvider, IHttpContextAccessor httpContextAccessor) { _Options = options.Value; _Logger = logger; _ConfigurationProvider = configurationProvider; _HttpContextAccessor = httpContextAccessor; }
async void ProcessWatcher_ProcessStarted(object sender, ProcessStartedEventArgument e) { if (!SuspiciousProcesses.Contains(e.ProcessName)) { return; } logger.Information($"Injecting keyboard override library into process {e.ProcessName}."); var injectedLibraryName = GetInjectedLibraryName(); string channelName = null; RemoteHooking.IpcCreateServer( ref channelName, WellKnownObjectMode.SingleCall, communicator, WellKnownSidType.WorldSid); const InjectionOptions injectionOptions = InjectionOptions.DoNotRequireStrongName & InjectionOptions.NoService & InjectionOptions.NoWOW64Bypass; RemoteHooking.Inject( e.ProcessId, injectionOptions, injectedLibraryName, injectedLibraryName, channelName); logger.Information($"Keyboard override library successfully injected."); }
public bool DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath) { ClrModule dacModule; InjectionClrVersion clrVersion; InjectionOptions injectionOptions; MetadataInfoService metadataInfoService; MetadataInfo metadataInfo; byte[] peImageData; dacModule = TryGetDacModule(moduleHandle); if (dacModule is null) { return(false); } switch (dacModule.Runtime.ClrInfo.Version.Major) { case 2: clrVersion = InjectionClrVersion.V2; break; case 4: clrVersion = InjectionClrVersion.V4; break; default: return(false); } // 判断要dump的模块的CLR版本 injectionOptions = new InjectionOptions { PortName = Guid.NewGuid().ToString(), ObjectName = Guid.NewGuid().ToString() }; using (NativeProcess process = NativeProcess.Open(_processId)) if (!process.InjectManaged(typeof(MetadataInfoService).Assembly.Location, typeof(Injection).FullName, "Main", XmlSerializer.Serialize(injectionOptions), clrVersion, out int result) || result != 0) { return(false); } metadataInfoService = (MetadataInfoService)Activator.GetObject(typeof(MetadataInfoService), $"Ipc://{injectionOptions.PortName}/{injectionOptions.ObjectName}"); // 注入DLL,通过.NET Remoting获取MetadataInfoService实例 metadataInfo = XmlSerializer.Deserialize <MetadataInfo>(metadataInfoService.GetMetadataInfo(moduleHandle)); if (!metadataInfo.PEInfo.IsValid) { return(false); } imageLayout = (ImageLayout)metadataInfo.PEInfo.ImageLayout; try { peImageData = DumpModule(moduleHandle, imageLayout, metadataInfo, null); // 尝试不使用文件中的节头 } catch { peImageData = DumpModule(moduleHandle, imageLayout, metadataInfo, dacModule.FileName); // 如果出错,使用文件中的节头 } File.WriteAllBytes(filePath, peImageData); return(true); }
public static Int32 CreateAndInject( String InEXEPath, InjectionOptions InOptions, String InLibraryPath_x86, String InLibraryPath_x64, params Object[] InPassThruArgs) { return(Root_Interface.CreateAndInject(InEXEPath, InOptions, InLibraryPath_x86, InLibraryPath_x64, InPassThruArgs)); }
public static void Inject( Int32 InTargetPID, InjectionOptions InOptions, String InLibraryPath_x86, String InLibraryPath_x64, params Object[] InPassThruArgs) { Inject(InTargetPID, 0, InOptions, InLibraryPath_x86, InLibraryPath_x64, InPassThruArgs); }
internal static void Inject( Int32 InTargetPID, Int32 InWakeUpTID, InjectionOptions InOptions, String InLibraryPath_x86, String InLibraryPath_x64, params Object[] InPassThruArgs) { Root_Interface.Inject(InTargetPID, InWakeUpTID, InOptions, InLibraryPath_x86, InLibraryPath_x64, InPassThruArgs); }
public void Inject( Int32 InTargetPID, Int32 InWakeUpTID, InjectionOptions InOptions, String InLibraryPath_x86, String InLibraryPath_x64, params Object[] InPassThruArgs) { RemoteHooking.Inject(InTargetPID, InWakeUpTID, InOptions, InLibraryPath_x86, InLibraryPath_x64, InPassThruArgs); }
public static IServiceCollection AddAllServices( this IServiceCollection services, Action <InjectionOptions> options) { var opts = new InjectionOptions(); options?.Invoke(opts); return(services.AddBusiness() .AddWebHelpers() .AddDbConfig(new DbConfigation(opts))); }
/// <summary> /// Creates a new process which is started suspended until you call <see cref="WakeUpProcess"/> /// from within your injected library <c>Run()</c> method. This allows you to hook the target /// BEFORE any of its usual code is executed. In situations where a target has debugging and /// hook preventions, you will get a chance to block those mechanisms for example... /// </summary> /// <remarks> /// <para> /// Please note that this method might fail when injecting into managed processes, especially /// when the target is using the CLR hosting API and takes advantage of AppDomains. For example, /// the Internet Explorer won't be hookable with this method. In such a case your only options /// are either to hook the target with the unmanaged API or to hook it after (non-supended) creation /// with the usual <see cref="Inject"/> method. /// </para> /// <para> /// See <see cref="Inject"/> for more information. The exceptions listed here are additional /// to the ones listed for <see cref="Inject"/>. /// </para> /// </remarks> /// <param name="InEXEPath"> /// A relative or absolute path to the desired executable. /// </param> /// <param name="InCommandLine"> /// Optional command line parameters for process creation. /// </param> /// <param name="InProcessCreationFlags"> /// Internally CREATE_SUSPENDED is already passed to CreateProcess(). With this /// parameter you can add more flags like DETACHED_PROCESS, CREATE_NEW_CONSOLE or /// whatever! /// </param> /// <param name="InOptions"> /// A valid combination of options. /// </param> /// <param name="InLibraryPath_x86"> /// A partially qualified assembly name or a relative/absolute file path of the 32-bit version of your library. /// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll". /// </param> /// <param name="InLibraryPath_x64"> /// A partially qualified assembly name or a relative/absolute file path of the 64-bit version of your library. /// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll". /// </param> /// <param name="OutProcessId"> /// The process ID of the newly created process. /// </param> /// <param name="InPassThruArgs"> /// A serializable list of parameters being passed to your library entry points <c>Run()</c> and /// <c>Initialize()</c>. /// </param> /// <exception cref="ArgumentException"> /// The given EXE path could not be found. /// </exception> public static void CreateAndInject( String InEXEPath, String InCommandLine, Int32 InProcessCreationFlags, InjectionOptions InOptions, String InLibraryPath_x86, String InLibraryPath_x64, out Int32 OutProcessId, params Object[] InPassThruArgs) { Int32 RemotePID; Int32 RemoteTID; // create suspended process... NativeAPI.RtlCreateSuspendedProcess( InEXEPath, InCommandLine, InProcessCreationFlags, out RemotePID, out RemoteTID); try { InjectEx( NativeAPI.GetCurrentProcessId(), RemotePID, RemoteTID, 0x20000000, InLibraryPath_x86, InLibraryPath_x64, ((InOptions & InjectionOptions.NoWOW64Bypass) == 0), ((InOptions & InjectionOptions.NoService) == 0), ((InOptions & InjectionOptions.DoNotRequireStrongName) == 0), InPassThruArgs); OutProcessId = RemotePID; } catch (Exception e) { try { Process.GetProcessById(RemotePID).Kill(); } catch (Exception) { } throw e; } }
/// <summary> /// Injects the given user library into the target process. No memory leaks are left /// in the target, even if injection fails for unknown reasons. /// </summary> /// <remarks> /// <para> /// There are two possible user library paths. The first one should map to /// a 32-bit library, and the second one should map to 64-bit library. If your /// code has been compiled for "AnyCPU", like it's the default for C#, you may /// even specify one library path for both parameters. Please note that your /// library including all of it's dependencies must be registered in the /// Global Assembly Cache (GAC). Refer to <see cref="Config.Register"/> for more /// information about how to get them there. /// </para><para> /// If you inject a library into any target process please keep in mind that /// your working directory will be switched. EasyHook will automatically add /// the directory of the injecting application as first directory of the target's PATH environment /// variable. So make sure that all required dependencies are either located /// within the injecting application's directory, a system directory or any directory defaultly /// contained in the PATH variable. As all managed assemblies have to be in the GAC /// there is no need for them being in any of those directories! /// </para> <para> /// EasyHook provides extensive error information during injection. Any kind of failure is /// being catched and thrown as an exception by this method. If for example your library /// does not expose a class implementing <see cref="IEntryPoint"/>, an exception will be /// raised in the target process during injection. The exception will be redirected to this method /// and you can catch it in a try-catch statement around <see cref="Inject"/>. /// </para> <para> /// You will often have to pass parameters to your injected library. <see cref="IpcChannel"/> /// names are common, but also any other kind of data can be passed. You may add a custom list /// of objects marked with the <see cref="SerializableAttribute"/>. All common NET classes /// will be serializable by default, but if you are using your own classes you might have to provide /// serialization by yourself. The custom parameter list will be passed unchanged to your injected /// library entry points <c>Run</c> and <c>Initialize</c>. Verify that all required type libraries to deserialize /// your parameter list are in the GAC. /// </para><para> /// It is supported to inject code into 64-bit processes from within 32-bit processes and /// vice versa. It is also supported to inject code into other terminal sessions. Of course /// this will require additional processes and services to be created, but as they are managed /// internally, you won't notice them! There will be some delays when injecting the first library. /// Further injections are completed much faster! /// </para><para> /// Even if it would technically be possible to inject a library for debugging purposes into /// the current process, it will throw an exception. This is because it heavily depends on /// your injected library whether the current process will be damaged. Any kind of communication /// may lead into deadlocks if you hook the wrong APIs. Just use the capability of Visual Studio /// to debug more than one process simultanously which will allow you to debug your library /// as if it would be injected into the current process without running into any side-effects. /// </para> /// <para> /// The given exceptions are those which are thrown by EasyHook code. The NET framework might throw /// any other exception not listed here. Don't rely on the exception type. If you passed valid parameters, /// the only exceptions you should explicitly check for are <see cref="NotSupportedException"/> and /// <see cref="AccessViolationException"/>. All others /// shall be catched together and threaded as bad environment or invalid parameter error. /// </para> /// </remarks> /// <param name="InTargetPID"> /// The target process ID. /// </param> /// <param name="InOptions"> /// A valid combination of options. /// </param> /// <param name="InLibraryPath_x86"> /// A partially qualified assembly name or a relative/absolute file path of the 32-bit version of your library. /// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll". /// </param> /// <param name="InLibraryPath_x64"> /// A partially qualified assembly name or a relative/absolute file path of the 64-bit version of your library. /// For example "MyAssembly, PublicKeyToken=248973975895496" or ".\Assemblies\\MyAssembly.dll". /// </param> /// <param name="InPassThruArgs"> /// A serializable list of parameters being passed to your library entry points <c>Run()</c> and /// <c>Initialize()</c>. /// </param> /// <exception cref="InvalidOperationException"> /// It is unstable to inject libraries into the same process. This exception is disabled in DEBUG mode. /// </exception> /// <exception cref="AccessViolationException"> /// Access to target process denied or the current user is not an administrator. /// </exception> /// <exception cref="ArgumentException"> /// The given process does not exist or unable to serialize/deserialize one or more pass thru arguments. /// </exception> /// <exception cref="System.IO.FileNotFoundException"> /// The given user library could not be found. /// </exception> /// <exception cref="OutOfMemoryException"> /// Unable to allocate unmanaged memory in current or target process. /// </exception> /// <exception cref="NotSupportedException"> /// It is not supported to inject into the target process. This is common on Windows Vista and Server 2008. /// </exception> /// <exception cref="TimeoutException"> /// Unable to wait for user library to be initialized. Check your library <c>Initialize()</c> handler. /// </exception> /// <exception cref="EntryPointNotFoundException"> /// The given user library does not export a class implementing the <see cref="IEntryPoint"/> interface. /// </exception> public static void Inject( Int32 InTargetPID, InjectionOptions InOptions, String InLibraryPath_x86, String InLibraryPath_x64, params Object[] InPassThruArgs) { InjectEx( GetCurrentProcessId(), InTargetPID, 0, 0, InLibraryPath_x86, InLibraryPath_x64, ((InOptions & InjectionOptions.NoWOW64Bypass) == 0), ((InOptions & InjectionOptions.NoService) == 0), InPassThruArgs); }
private void InjectButton_Click(object sender, EventArgs e) { Process[] pros = Process.GetProcessesByName("TslGame"); Console.WriteLine(pros.Length); // SANITY CHECKS if (pros.Length == 0) { Log.ShowError("请先运行游戏,并且匹配成功进入游戏等待倒计时大厅", "错误"); return; } // LOAD EXPLOITABLE DRIVER bool driverLoaded = false; if (!(driverLoaded = ElevateHandle.Driver.Load())) { Log.ShowError("CPUZ141.sys failed to load", "lol f**k"); return; } ElevateHandle.UpdateDynamicData(); // UPDATE KERNEL OFFSETS ElevateHandle.Attach(); // ATTACH TO CURRENT PROCESS ElevateHandle.Elevate((ulong)pros[0].Handle, 0x1fffff); InjectionOptions options = new InjectionOptions() { ElevateHandle = true, EraseHeaders = true, CreateLoaderReference = false, LoaderImagePath = Environment.CurrentDirectory + "\\ts.dll" }; ExecutionType executionType = ExecutionType.HijackThread; IInjectionMethod injectionMethod = new ManualMapInjection(pros[0], executionType, options); //IInjectionMethod injectionMethod = new LoadLibraryInjection(g_SelectedProcess, executionType, options); injectionMethod.InjectImage(Environment.CurrentDirectory + "\\ts.dll"); if (driverLoaded) { ElevateHandle.Driver.Unload(); } }
async void ProcessWatcher_ProcessStarted(object sender, ProcessStartedEventArgument e) { if (!SuspiciousProcesses.Contains(e.ProcessName)) { return; } logger.Information($"Injecting keyboard override library into process {e.ProcessName}.exe."); try { var injectedLibraryName = GetInjectedLibraryName(); string channelName = null; RemoteHooking.IpcCreateServer( ref channelName, WellKnownObjectMode.SingleCall, communicator, WellKnownSidType.WorldSid); const InjectionOptions injectionOptions = InjectionOptions.DoNotRequireStrongName & InjectionOptions.NoService & InjectionOptions.NoWOW64Bypass; RemoteHooking.Inject( e.ProcessId, injectionOptions, injectedLibraryName, injectedLibraryName, channelName); logger.Information($"Keyboard override library successfully injected."); } catch (DllNotFoundException ex) { logger.Error(ex, "Could not load a dependency required for keyboard dominance watching."); } catch (Exception ex) { logger.Error(ex, "An error occured while trying to watch for keyboard dominance."); } }
/// <summary> /// 构造函数 /// </summary> /// <param name="injection">注册方式</param> public InjectionAttribute(InjectionOptions injection) { Injection = injection; }
private void ButtonInitiateInjection_Click(object sender, EventArgs e) { // SANITY CHECKS if (g_SelectedProcess == null) { Log.ShowError("Please select a process!", "Lol are you f*****g retarded"); return; } if (listImageListView.Items.Count == 0) { Log.ShowError("Please select atleast one image to inject!", "Lol are you f*****g retarded"); return; } // Theme Song ;) // SoundPlayer soundPlayer = new SoundPlayer(Resources.Le_Bretonniere); // soundPlayer.Play(); // LOAD EXPLOITABLE DRIVER bool driverLoaded = false; if (chkElevateHandle.Checked) { if (!(driverLoaded = ElevateHandle.Driver.Load())) { Log.ShowError("CPUZ141.sys failed to load", "lol f**k"); return; } ElevateHandle.UpdateDynamicData(); // UPDATE KERNEL OFFSETS ElevateHandle.Attach(); // ATTACH TO CURRENT PROCESS ElevateHandle.Elevate((ulong)g_SelectedProcess.Handle, 0x1fffff); } InjectionOptions options = new InjectionOptions() { ElevateHandle = chkElevateHandle.Checked, EraseHeaders = chkEraseHeaders.Checked, CreateLoaderReference = false }; ExecutionType executionType = 0; switch (comboExecutionMethod.SelectedIndex) { case 0: executionType = ExecutionType.CreateThread; break; case 1: executionType = ExecutionType.HijackThread; break; } IInjectionMethod injectionMethod = null; switch (comboInjectionMethod.SelectedIndex) { case 0: // LOAD LIBRARY injectionMethod = new LoadLibraryInjection(g_SelectedProcess, executionType, options); break; case 1: // MANUAL MAP injectionMethod = new ManualMapInjection(g_SelectedProcess, executionType, options); break; } foreach (ListViewItem item in listImageListView.Items) { if (injectionMethod.InjectImage(item.Text)) { Log.ShowInformation($"Successfully injected {item.Text} -> {g_SelectedProcess.ProcessName}", "Success"); } else { Log.ShowError($"Failed injection {item.Text} -> {g_SelectedProcess.ProcessName}", "f**k"); } } if (driverLoaded) { ElevateHandle.Driver.Unload(); } }
private void InjectButton_Click(object sender, EventArgs e) { // SANITY CHECKS if (g_SelectedProcess == null) { Log.ShowError("Select a process!", "Error"); return; } OpenFileDialog fileDialog = new OpenFileDialog() { Filter = "Dynamic Link Library|*.dll", Multiselect = false }; if (fileDialog.ShowDialog() != DialogResult.OK) { return; } // LOAD EXPLOITABLE DRIVER bool driverLoaded = false; if (ElevateHandleCheckbox.Checked) { if (!(driverLoaded = ElevateHandle.Driver.Load())) { Log.ShowError("CPUZ141.sys failed to load", "lol f**k"); return; } ElevateHandle.UpdateDynamicData(); // UPDATE KERNEL OFFSETS ElevateHandle.Attach(); // ATTACH TO CURRENT PROCESS ElevateHandle.Elevate((ulong)g_SelectedProcess.Handle, 0x1fffff); } InjectionOptions options = new InjectionOptions() { ElevateHandle = ElevateHandleCheckbox.Checked, EraseHeaders = EraseHeadersCheckbox.Checked, CreateLoaderReference = LinkModuleCheckbox.Checked, LoaderImagePath = fileDialog.FileName }; ExecutionType executionType = 0; switch (TypeCombo.SelectedIndex) { case 0: executionType = ExecutionType.CreateThread; break; case 1: executionType = ExecutionType.HijackThread; break; } IInjectionMethod injectionMethod = null; switch (ModeCombo.SelectedIndex) { case 0: // MANUAL MAP injectionMethod = new ManualMapInjection(g_SelectedProcess, executionType, options); break; case 1: // LOAD LIBRARY injectionMethod = new LoadLibraryInjection(g_SelectedProcess, executionType, options); break; } injectionMethod.InjectImage(fileDialog.FileName); if (driverLoaded) { ElevateHandle.Driver.Unload(); } }
static void Main(string[] args) { int targetPID; if ((args.Length != 1) || !Int32.TryParse(args[0], out targetPID)) { Console.WriteLine(); Console.WriteLine("Usage: ComplexParameterTest %ProcessID%"); Console.WriteLine(); Console.Write("Please enter the target PID: "); if (!Int32.TryParse(Console.ReadLine(), out targetPID)) { Console.WriteLine("Invalid PID"); return; } } try { bool noGAC = true; //try //{ // Config.Register( // "Test passing an object parameter", // "ComplexParameterInject.dll"); //} //catch (ApplicationException ae) //{ // Console.WriteLine("This is an administrative task! Attempting without GAC..."); // noGAC = true; //} string channelName = null; RemoteHooking.IpcCreateServer <ComplexParameterInject.TestInterface>(ref channelName, WellKnownObjectMode.SingleCall); InjectionOptions options = InjectionOptions.Default; if (noGAC) { options |= InjectionOptions.DoNotRequireStrongName; } ComplexParameterInject.TestComplexParameter parameter = new ComplexParameterInject.TestComplexParameter { Message = "All your binary serializations are belong to us", HostProcessId = RemoteHooking.GetCurrentProcessId() }; RemoteHooking.Inject( targetPID, options, typeof(ComplexParameterInject.TestComplexParameter).Assembly.Location, //"ComplexParameterInject.dll", typeof(ComplexParameterInject.TestComplexParameter).Assembly.Location, //"ComplexParameterInject.dll", channelName , parameter ); } catch (Exception e) { Console.WriteLine("Injection failed: {0}:{1}", e.GetType().FullName, e.Message); } Console.WriteLine("Press <enter> to continue"); Console.ReadLine(); }