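/// <summary>
/// Loads the DLL named by the <c>filename</c> field into <c>process</c> using the
/// classic CreateRemoteThread + LoadLibraryA technique: the target's own kernel32.dll
/// export table is parsed to find LoadLibraryA, the DLL path is written into memory
/// allocated inside the target, and a remote thread is started at LoadLibraryA with
/// that path as its argument. The thread's exit code (LoadLibraryA's return value)
/// is stored in <c>handle</c>. No-op once <c>injected</c> has been set.
/// </summary>
/// <remarks>
/// <c>process.hProcess</c> must have been opened with at least PROCESS_CREATE_THREAD,
/// PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_READ and
/// PROCESS_VM_WRITE; with fewer rights the Win32 calls below fail. The target must
/// also be able to read the DLL path itself: <c>File.Exists</c> runs in this
/// process's security context, so a path readable here but not by the target still
/// fails inside LoadLibraryA. A cross-process thread started at LoadLibraryA is a
/// widely monitored event (e.g. Sysmon event 8), so expect it to be visible to
/// endpoint monitoring. Failures are reported on the console and leave
/// <c>injected</c> false; the remote string buffer is always released.
/// </remarks>
public void Inject()
{
    if (injected)
    {
        return;
    }

    Console.WriteLine("Process {0:s}", process.processEntry.szExeFile);

    // The export table is read from the target's own kernel32 mapping, so the
    // LoadLibraryA address resolved below is valid in the target regardless of ASLR.
    // NOTE(review): the log calls the export values "offset"; CreateRemoteThread needs
    // an absolute address, so confirm ParseFromProcess rebases them onto modBaseAddr.
    var dllname = "kernel32.dll";
    ProcessQuery.MODULEENTRY32 me = ProcessQuery.GetModuleByName(process, dllname);
    Console.WriteLine("kernel32 dll name: {0:s}", me.szModule);
    pefile = PeParser.ParseFromProcess(process, me.modBaseAddr);
    Console.WriteLine("Base address of kernel32.dll: {0:x}", (ulong)me.modBaseAddr);
    Console.WriteLine("Dos signature: {0:x}", pefile.DosHeader.e_magic);
    Console.WriteLine("Function names stored at {0:x}", pefile.ExportDirectory.AddressOfNames);
    Console.WriteLine("Function addresses stored at {0:x}", pefile.ExportDirectory.AddressOfFunctions);
    Console.WriteLine("Function ordinals stored at {0:x}", pefile.ExportDirectory.AddressOfNameOrdinals);
    Console.WriteLine("Ordinal base: {0:d}", pefile.ExportDirectory.Base);
    Console.WriteLine("LoadLibraryA offset: {0:x}", (ulong)pefile.Exports["LoadLibraryA"]);
    Console.WriteLine("GetModuleHandleA offset: {0:x}", (ulong)pefile.Exports["GetModuleHandleA"]);
    Console.WriteLine("GetModuleHandleW offset: {0:x}", (ulong)pefile.Exports["GetModuleHandleW"]);

    if (!File.Exists(filename))
    {
        Console.WriteLine("Can't load file {0:s}", filename);
        return;
    }

    // Hand the target an absolute path. LoadLibraryA in the target resolves a bare or
    // relative name through the *target's* DLL search order (its executable's
    // directory, System32, PATH, ...), not against the file checked above, so a
    // relative name could end up loading a different DLL of the same name.
    var dllPath = Path.GetFullPath(filename);
    // Size of an ANSI string plus terminating NUL. This only matches what LoadLibraryA
    // reads if WriteProcessMemory marshals the string as ANSI and the path is pure
    // ASCII — NOTE(review): non-ASCII paths would be mangled here; check the
    // P/Invoke's CharSet.
    var pathBytes = dllPath.Length + 1;

    stringoffset = ProcessQuery.VirtualAllocEx(
        process.hProcess,
        (IntPtr)0,
        (uint)pathBytes,
        ProcessQuery.AllocationType.Commit | ProcessQuery.AllocationType.Reserve,
        ProcessQuery.MemoryProtection.ReadWrite);
    if ((IntPtr)stringoffset == IntPtr.Zero)
    {
        Console.WriteLine("VirtualAllocEx failed in target process");
        return;
    }

    try
    {
        ProcessQuery.WriteProcessMemory(process.hProcess, stringoffset, dllPath, pathBytes, out var bytesWritten);
        if ((long)bytesWritten != pathBytes)
        {
            Console.WriteLine("WriteProcessMemory wrote {0:d} of {1:d} bytes", (long)bytesWritten, pathBytes);
            return;
        }

        var hThread = ProcessQuery.CreateRemoteThread(process.hProcess, (IntPtr)0, 0, pefile.Exports["LoadLibraryA"], (IntPtr)stringoffset, 0, out _);
        if (hThread == IntPtr.Zero)
        {
            Console.WriteLine("CreateRemoteThread failed");
            return;
        }

        // INFINITE: if LoadLibraryA blocks inside the target (loader lock held by a
        // suspended thread, a DllMain that waits on something) this never returns.
        ProcessQuery.WaitForSingleObject(hThread, 0xFFFFFFFF);
        // The exit code is LoadLibraryA's return value, i.e. the HMODULE truncated to
        // 32 bits on a 64-bit target — usable only as a success flag, not as a pointer.
        ProcessQuery.GetExitCodeThread(hThread, out handle);
        // TODO(review): hThread is never closed. ProcessQuery does not visibly expose
        // CloseHandle; add one and release the thread handle here.
        if ((long)handle == 0)
        {
            Console.WriteLine("LoadLibraryA returned NULL in the target process");
            return;
        }

        injected = true;
    }
    finally
    {
        // Runs on every exit path after the allocation, including the early returns.
        Console.WriteLine("Freeing memory at {0:x}", (ulong)stringoffset);
        ProcessQuery.VirtualFreeEx(process.hProcess, stringoffset, 0, ProcessQuery.AllocationType.Release);
    }
}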
/// <summary>
/// Reads the 64-bit optional header of the module mapped at <paramref name="baseAddress"/>
/// in <paramref name="process"/>. The optional header directly follows the file header,
/// which starts <c>e_lfanew</c> bytes past the module base.
/// </summary>
/// <param name="process">Target process whose memory is read.</param>
/// <param name="baseAddress">Load address of the module inside the target.</param>
/// <param name="dosHeader">The module's DOS header, supplying <c>e_lfanew</c>.</param>
/// <returns>The deserialized <c>IMAGE_OPTIONAL_HEADER64</c>.</returns>
/// <remarks>
/// NOTE(review): no separate 4-byte PE signature is skipped, so the offset is only
/// right if <c>PeParser.IMAGE_FILE_HEADER</c> includes the Signature field — confirm
/// against the struct definition. <c>e_lfanew</c> was read from the target's memory
/// and is not range-checked here; a corrupt value makes Deserialize read an
/// arbitrary remote address.
/// </remarks>
public static IMAGE_OPTIONAL_HEADER64 GetOptionalHeader64(Process process, IntPtr baseAddress, IMAGE_DOS_HEADER dosHeader)
{
    int fileHeaderSize = Marshal.SizeOf(typeof(PeParser.IMAGE_FILE_HEADER));
    var optionalHeaderAddress = baseAddress + (dosHeader.e_lfanew + fileHeaderSize);
    return PeParser.Deserialize<PeParser.IMAGE_OPTIONAL_HEADER64>(process, optionalHeaderAddress);
}
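/// <summary>
/// Reads the 32-bit optional header from an in-memory PE image. The optional header
/// directly follows the file header, which starts at <c>e_lfanew</c>.
/// </summary>
/// <param name="dll">Raw bytes of the image.</param>
/// <param name="dosHeader">The image's DOS header, supplying <c>e_lfanew</c>.</param>
/// <returns>The deserialized <c>IMAGE_OPTIONAL_HEADER32</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="dll"/> is null.</exception>
/// <exception cref="BadImageFormatException">The computed header range lies outside the buffer.</exception>
/// <remarks>
/// <c>e_lfanew</c> is attacker-controlled when the bytes come from an untrusted file,
/// so the range is checked against the buffer here instead of trusting Deserialize.
/// NOTE(review): no separate 4-byte PE signature is skipped, so the offset is only
/// right if <c>PeParser.IMAGE_FILE_HEADER</c> includes the Signature field — confirm
/// against the struct definition.
/// </remarks>
public static IMAGE_OPTIONAL_HEADER32 GetOptionalHeader32(byte[] dll, IMAGE_DOS_HEADER dosHeader)
{
    if (dll is null)
    {
        throw new ArgumentNullException(nameof(dll));
    }

    var optionalHeaderOffset = dosHeader.e_lfanew + Marshal.SizeOf(typeof(PeParser.IMAGE_FILE_HEADER));
    // Long arithmetic so a large or negative e_lfanew cannot wrap the end-of-range check.
    long optionalHeaderEnd = (long)optionalHeaderOffset + Marshal.SizeOf(typeof(PeParser.IMAGE_OPTIONAL_HEADER32));
    if (optionalHeaderOffset < 0 || optionalHeaderEnd > dll.Length)
    {
        throw new BadImageFormatException("IMAGE_OPTIONAL_HEADER32 lies outside the image buffer");
    }

    return PeParser.Deserialize<PeParser.IMAGE_OPTIONAL_HEADER32>(dll, optionalHeaderOffset);
}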
/// <summary>
/// Reads the PE file header of the module mapped at <paramref name="baseAddress"/>
/// in <paramref name="process"/>; it sits <c>e_lfanew</c> bytes past the module base.
/// </summary>
/// <param name="process">Target process whose memory is read.</param>
/// <param name="baseAddress">Load address of the module inside the target.</param>
/// <param name="dosHeader">The module's DOS header, supplying <c>e_lfanew</c>.</param>
/// <returns>The deserialized <c>IMAGE_FILE_HEADER</c>.</returns>
/// <remarks>
/// NOTE(review): the read starts exactly at <c>e_lfanew</c>, where the 4-byte PE
/// signature lives, so this is only right if <c>PeParser.IMAGE_FILE_HEADER</c>
/// includes the Signature field — confirm against the struct definition.
/// <c>e_lfanew</c> came from the target's memory and is not range-checked here.
/// </remarks>
public static IMAGE_FILE_HEADER GetPeHeader(Process process, IntPtr baseAddress, IMAGE_DOS_HEADER dosHeader)
    => PeParser.Deserialize<PeParser.IMAGE_FILE_HEADER>(process, baseAddress + dosHeader.e_lfanew);
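/// <summary>
/// Reads the PE file header from an in-memory image; it starts at <c>e_lfanew</c>.
/// </summary>
/// <param name="dll">Raw bytes of the image.</param>
/// <param name="dosHeader">The image's DOS header, supplying <c>e_lfanew</c>.</param>
/// <returns>The deserialized <c>IMAGE_FILE_HEADER</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="dll"/> is null.</exception>
/// <exception cref="BadImageFormatException">The header range lies outside the buffer.</exception>
/// <remarks>
/// <c>e_lfanew</c> is attacker-controlled when the bytes come from an untrusted file,
/// so the range is checked against the buffer here instead of trusting Deserialize.
/// NOTE(review): the read starts exactly at <c>e_lfanew</c>, where the 4-byte PE
/// signature lives, so this is only right if <c>PeParser.IMAGE_FILE_HEADER</c>
/// includes the Signature field — confirm against the struct definition.
/// </remarks>
public static IMAGE_FILE_HEADER GetPeHeader(byte[] dll, IMAGE_DOS_HEADER dosHeader)
{
    if (dll is null)
    {
        throw new ArgumentNullException(nameof(dll));
    }

    var peHeaderOffset = dosHeader.e_lfanew;
    // Long arithmetic so a large or negative e_lfanew cannot wrap the end-of-range check.
    long peHeaderEnd = (long)peHeaderOffset + Marshal.SizeOf(typeof(PeParser.IMAGE_FILE_HEADER));
    if (peHeaderOffset < 0 || peHeaderEnd > dll.Length)
    {
        throw new BadImageFormatException("IMAGE_FILE_HEADER lies outside the image buffer");
    }

    return PeParser.Deserialize<PeParser.IMAGE_FILE_HEADER>(dll, peHeaderOffset);
}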
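/// <summary>
/// Reads the DOS header at the start of an in-memory image.
/// </summary>
/// <param name="dll">Raw bytes of the image.</param>
/// <returns>The deserialized <c>IMAGE_DOS_HEADER</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="dll"/> is null.</exception>
/// <exception cref="BadImageFormatException">The buffer is shorter than a DOS header.</exception>
/// <remarks>
/// Only the length is validated; <c>e_magic</c> (expected 0x5A4D, "MZ") is returned
/// as-is for the caller to inspect, and no field of the header is trusted here.
/// </remarks>
public static IMAGE_DOS_HEADER GetDosHeader(byte[] dll)
{
    if (dll is null)
    {
        throw new ArgumentNullException(nameof(dll));
    }

    if (dll.Length < Marshal.SizeOf(typeof(IMAGE_DOS_HEADER)))
    {
        throw new BadImageFormatException("image buffer is shorter than IMAGE_DOS_HEADER");
    }

    return PeParser.Deserialize<IMAGE_DOS_HEADER>(dll, 0);
}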