Esempio n. 1
0
        public static bool Is64BitProcess(int pid)
        {
            SYSTEM_INFO si = new SYSTEM_INFO();

            UnsafeFunctions.GetNativeSystemInfo(ref si);

            if (si.processorArchitecture == 0)
            {
                return(false);
            }

            IntPtr hProcess = UnsafeFunctions.OpenProcess(ProcessAccessFlags.QueryInformation, false, pid);

            if (IntPtr.Zero == hProcess)
            {
                throw new Exception("Cann't open process.");
            }

            bool result;

            if (!UnsafeFunctions.IsWow64Process(hProcess, out result))
            {
                UnsafeFunctions.CloseHandle(hProcess);
                throw new InvalidOperationException();
            }

            UnsafeFunctions.CloseHandle(hProcess);

            return(!result);
        }
Esempio n. 2
0
        private IntPtr GetFunctionAddress(ProcessModule remoteKernel32, string name)
        {
            Process       process  = Process.GetCurrentProcess();
            ProcessModule kernel32 = GetKernel32Module(process);
            IntPtr        proc     = UnsafeFunctions.GetProcAddress(kernel32.BaseAddress, name);

            if (IntPtr.Zero == proc)
            {
                throw new Exception("Cann't get process address.");
            }

            return(new IntPtr(remoteKernel32.BaseAddress.ToInt64() + (proc.ToInt64() - kernel32.BaseAddress.ToInt64())));
        }
Esempio n. 3
0
        protected void adjustDebugPriv(int pid)
        {
            IntPtr hProcess = UnsafeFunctions.OpenProcess(ProcessAccessFlags.All, false, pid);

            if (IntPtr.Zero == hProcess)
            {
                throw new Exception("Cann't open process.");
            }

            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();

            tp.PrivilegeCount = 1;
            tp.Attributes     = SE_NAMES.SE_PRIVILEGE_ENABLED;

            if (!UnsafeFunctions.LookupPrivilegeValue(null, SE_NAMES.SE_DEBUG_NAME, out tp.Luid))
            {
                UnsafeFunctions.CloseHandle(hProcess);
                throw new Exception("Cann't lookup value");
            }

            IntPtr hToken;

            if (!UnsafeFunctions.OpenProcessToken(hProcess, TOKEN_ACCESS.TOKEN_ADJUST_PRIVILEGES, out hToken))
            {
                UnsafeFunctions.CloseHandle(hProcess);
                throw new Exception("Cann't open process token value");
            }

            if (!UnsafeFunctions.AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
            {
                UnsafeFunctions.CloseHandle(hProcess);
                UnsafeFunctions.CloseHandle(hToken);
                throw new Exception("Cann't AdjustTokenPrivileges");
            }

            UnsafeFunctions.CloseHandle(hProcess);
            UnsafeFunctions.CloseHandle(hToken);
        }
Esempio n. 4
0
        public int Inject(int pid, string bootstrapPath, string runtimeVersion, string injecteePath, string injecteeClass, string injecteeFunc)
        {
            adjustDebugPriv(Process.GetCurrentProcess().Id);

            ProcessModule remoteKernel32 = GetKernel32Module(Process.GetProcessById(pid));

            IntPtr loadLibraryAddress    = GetFunctionAddress(remoteKernel32, "LoadLibraryA");
            IntPtr getProcAddressAddress = GetFunctionAddress(remoteKernel32, "GetProcAddress");

            IntPtr hProcess = UnsafeFunctions.OpenProcess(
                ProcessAccessFlags.CreateThread |
                ProcessAccessFlags.VMWrite |
                ProcessAccessFlags.VMOperation |
                ProcessAccessFlags.VMRead |
                ProcessAccessFlags.QueryInformation,
                false, pid
                );

            if (IntPtr.Zero == hProcess)
            {
                throw new Exception("Cann't open process.");
            }

            bool is64BitTargetProcess = Is64BitProcess(pid);

            byte[] bootstrap = File.ReadAllBytes(bootstrapPath);

            List <byte[]> param = new List <byte[]>();

            param.Add(Encoding.Unicode.GetBytes(runtimeVersion + "\0"));
            param.Add(Encoding.Unicode.GetBytes(injecteePath + "\0"));
            param.Add(Encoding.Unicode.GetBytes(injecteeClass + "\0"));
            param.Add(Encoding.Unicode.GetBytes(injecteeFunc + "\0"));

            int sum = 0;

            for (int i = 0; i < param.Count; i++)
            {
                sum += param[i].Length;
            }

            int totalSize = bootstrap.Length                                     // code
                            + (param.Count + 2) * (is64BitTargetProcess ? 8 : 4) // addresses of params
                            + sum;                                               // params

            IntPtr memory = UnsafeFunctions.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)totalSize, AllocationType.Commit, MemoryProtection.ExecuteReadWrite);

            if (IntPtr.Zero == memory)
            {
                UnsafeFunctions.CloseHandle(hProcess);
                throw new Exception("Cann't alloc memory.");
            }

            int length = param.Count;

            if (is64BitTargetProcess)
            {
                param.Add(BitConverter.GetBytes(loadLibraryAddress.ToInt64()));
                param.Add(BitConverter.GetBytes(getProcAddressAddress.ToInt64()));
            }
            else
            {
                param.Add(BitConverter.GetBytes(loadLibraryAddress.ToInt32()));
                param.Add(BitConverter.GetBytes(getProcAddressAddress.ToInt32()));
            }


            long address = memory.ToInt64() + bootstrap.Length;

            for (int i = 0; i < length; i++)
            {
                byte[] b;

                if (is64BitTargetProcess)
                {
                    b = BitConverter.GetBytes(address);
                }
                else
                {
                    b = BitConverter.GetBytes((int)address);
                }

                param.Add(b);
                address += param[i].Length;
            }


            byte[] injectedData = new byte[totalSize];
            Array.Copy(bootstrap, 0, injectedData, 0, bootstrap.Length);
            int position = bootstrap.Length;

            foreach (byte[] p in param)
            {
                Array.Copy(p, 0, injectedData, position, p.Length);
                position += p.Length;
            }

            UIntPtr written;

            if (!UnsafeFunctions.WriteProcessMemory(hProcess, memory, injectedData, (uint)injectedData.Length, out written) || injectedData.Length != written.ToUInt32())
            {
                UnsafeFunctions.CloseHandle(hProcess);
                throw new Exception("Cann't write memory.");
            }

            IntPtr threadId;
            IntPtr thread = UnsafeFunctions.CreateRemoteThread(hProcess, IntPtr.Zero, 0x20000 /*at least 0x10000*/, memory, new IntPtr(address), 0, out threadId);

            if (IntPtr.Zero == thread)
            {
                Debug.WriteLine(Marshal.GetLastWin32Error().ToString("X"));
                UnsafeFunctions.CloseHandle(hProcess);
                throw new Exception("Cann't create thread.");
            }

            UnsafeFunctions.CloseHandle(hProcess);
            UnsafeFunctions.CloseHandle(thread);

            return(0);
        }