/// <summary>
/// Iterates through all modules in the target process and searches them for the provided function name.
/// </summary>
/// <param name="funcName">The name of the function that is being looked up.</param>
/// <returns>Returns a vector of matching addresses.</returns>
public List <IntPtr> GetFunctionAddresses(string funcName)
{
if (!this.IsOpen)
{
this.Status.Log(
"Unable to get function addresses, because the target process has not been opened.",
Logger.Level.HIGH);
return(new List <IntPtr>());
}
List <IntPtr> addresses = new List <IntPtr>();
ProcessModuleCollection modules = this.GetLoadedModules();
if (modules == null || modules.Count == 0)
{
this.Status.Log(
"Unable to get function addresses, because the loaded module list is empty.",
Logger.Level.HIGH);
return(addresses);
}
// Iterate through each module and see if it has the function.
foreach (ProcessModule module in modules)
{
IntPtr funcAddress = WinApi.GetProcAddress(module.BaseAddress, funcName);
// If the function exists in this module, add it to the address list.
if (funcAddress != null)
{
addresses.Add(funcAddress);
}
}
return(addresses);
}
/// <summary>
/// Load a DLL in an external process.
/// </summary>
/// <param name="dllPath">The path to the DLL to be loaded.</param>
/// <returns>Returns true if the DLL was successfully loaded in the target process.</returns>
public bool InjectDll(string dllPath)
{
IntPtr injectHandle = IntPtr.Zero;
IntPtr remoteString = IntPtr.Zero;
IntPtr loadLibAddy = IntPtr.Zero;
// If the PID has not been set, then not enough information is available for the injection.
if (!this.IsOpen)
{
return(false);
}
// Get a higher level access handle than the one originally used to open the process.
injectHandle = WinApi.OpenProcess(
WinApi.ProcessRights.CREATE_THREAD |
WinApi.ProcessRights.QUERY_INFORMATION |
WinApi.ProcessRights.VM_OPERATION |
WinApi.ProcessRights.VM_WRITE |
WinApi.ProcessRights.VM_READ,
false,
(uint)this.PID);
if (injectHandle == null || injectHandle.Equals(IntPtr.Zero))
{
#if DEBUG
Console.Error.WriteLine("OpenProcess() failed: " + Marshal.GetLastWin32Error());
#endif
return(false);
}
// Get the address of the function that will load the DLL.
loadLibAddy = WinApi.GetProcAddress(WinApi.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Allocate a section of memory in the target process to in which to store store the DLL path.
remoteString = WinApi.VirtualAllocEx(
injectHandle,
IntPtr.Zero,
(uint)dllPath.Length,
WinApi.MemoryState.MEM_RESERVE | WinApi.MemoryState.MEM_COMMIT,
WinApi.MemoryProtect.PAGE_READWRITE);
if (remoteString == null || remoteString.Equals(IntPtr.Zero))
{
#if DEBUG
Console.Error.WriteLine("VirtualAllocEx() failed: " + Marshal.GetLastWin32Error());
#endif
WinApi.CloseHandle(injectHandle);
return(false);
}
// Write the DLL name to the remote process' memory space.
uint numBytesWritten = 0;
bool wpm = WinApi.WriteProcessMemory(
injectHandle, remoteString, this.GetBytes(dllPath), (uint)dllPath.Length, out numBytesWritten);
if (!wpm)
{
#if DEBUG
Console.Error.WriteLine("WriteProcessMemory() failed: " + Marshal.GetLastWin32Error());
#endif
WinApi.CloseHandle(injectHandle);
return(false);
}
// Load the DLL, by calling the LoadLibrary function in the remote process.
uint threadId = 0;
IntPtr result = WinApi.CreateRemoteThread(
injectHandle, IntPtr.Zero, 0, loadLibAddy, remoteString, 0, out threadId);
if (result == null || result.Equals(IntPtr.Zero) || threadId == 0)
{
#if DEBUG
Console.Error.WriteLine("CreateRemoteThread() failed: " + Marshal.GetLastWin32Error());
#endif
WinApi.CloseHandle(injectHandle);
return(false);
}
// Clean up and exit.
WinApi.CloseHandle(injectHandle);
return(true);
}
