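        /// <summary>
        /// Unloads a module from another process by running kernel32!FreeLibrary on it from a remote thread.
        /// </summary>
        /// <param name="processid">Id of the target process.</param>
        /// <param name="libAddress">Module handle (base address) inside the target process, as returned by <see cref="InjectLibraryInternal"/>.</param>
        /// <param name="error">Empty on success; otherwise a short description of the step that failed.</param>
        /// <returns>true when the remote FreeLibrary call ran and reported success; false otherwise.</returns>
        public static bool FreeLibraryInternal(uint processid, IntPtr libAddress, out string error)
        {
            // FreeLibrary is resolved from the target's own kernel32 mapping via its export table,
            // so that module has to be located in the target's module list first.
            ModuleInfo targetkernel = null;
            ModuleInfo[] modules = GetModuleInfos((int)processid);
            if (modules != null)
            {
                foreach (ModuleInfo module in modules)
                {
                    // Ordinal, case-insensitive match: module names are identifiers, not culture-specific text
                    // (the previous ToLower().Contains() was culture-sensitive and threw on a null baseName).
                    if (module != null && module.baseName != null
                        && module.baseName.IndexOf("kernel32", StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        targetkernel = module;
                        break;
                    }
                }
            }

            if (targetkernel == null || targetkernel.baseOfDll == IntPtr.Zero)
            {
                error = "Failed to get base of kernel32!";
                return false;
            }

            IntPtr hprocess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD, 0, processid);
            if (hprocess == IntPtr.Zero)
            {
                error = "Can't open selected process!";
                return false;
            }

            IntPtr hThread = IntPtr.Zero;
            try
            {
                int FreeLibraryrva = ExportTable.ProcGetExpAddress(hprocess, targetkernel.baseOfDll, "FreeLibrary");
                if (FreeLibraryrva == 0)
                {
                    error = "Failed to get address of FreeLibrary!";
                    return false;
                }

                // RVA + remote image base = absolute address of FreeLibrary in the target.
                IntPtr FreeLibAddress = (IntPtr)((long)targetkernel.baseOfDll + (long)FreeLibraryrva);

                // Run FreeLibrary(libAddress) in the target. (The comment that used to sit here said
                // "LoadLibrary" — a copy/paste leftover from InjectLibraryInternal.)
                hThread = CreateRemoteThread(hprocess, IntPtr.Zero, 0, FreeLibAddress, libAddress, 0, IntPtr.Zero);
                if (hThread == IntPtr.Zero)
                {
                    error = "Can't create the remote thread!";
                    return false;
                }

                // WAIT_OBJECT_0 is 0; anything else (WAIT_FAILED, WAIT_ABANDONED) is treated as an error.
                if (WaitForSingleObject(hThread, uint.MaxValue) != 0)
                {
                    error = "Error on WaitForSingleObject!";
                    return false;
                }

                // FreeLibrary returns a BOOL, which becomes the thread's exit code. The original code returned
                // true without looking at it, so a FreeLibrary that failed inside the target was reported as success.
                IntPtr exitCode;
                if (!GetExitCodeThread(hThread, out exitCode))
                {
                    error = "Error on GetExitCodeThread!";
                    return false;
                }
                if (exitCode == IntPtr.Zero)
                {
                    error = "FreeLibrary failed in the target process!";
                    return false;
                }

                error = "";
                return true;
            }
            finally
            {
                // hThread was never closed before, and hprocess leaked on the success path; both are released
                // on every exit now.
                if (hThread != IntPtr.Zero)
                {
                    CloseHandle(hThread);
                }
                CloseHandle(hprocess);
            }
        }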
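        /// <summary>
        /// Loads <paramref name="libFullPath"/> into another process: the path is copied into the target's
        /// address space and kernel32!LoadLibraryA is run on it from a remote thread.
        /// </summary>
        /// <param name="processid">Id of the target process.</param>
        /// <param name="libFullPath">Full path of the DLL to load. It is written as ASCII because LoadLibraryA is used; non-ASCII characters would not survive the conversion.</param>
        /// <param name="error">Empty on success; otherwise a short description of the step that failed.</param>
        /// <returns>The module handle reported as the remote thread's exit code, or <see cref="IntPtr.Zero"/> on failure.</returns>
        public static IntPtr InjectLibraryInternal(uint processid, string libFullPath, out string error)
        {
            // PostVerify yields "" when its checks pass and a message otherwise.
            error = PostVerify(processid, libFullPath);
            if (error != "")
            {
                return IntPtr.Zero;
            }

            // LoadLibraryA is resolved from the target's own kernel32 mapping via its export table
            // (not via a local GetProcAddress), so that module has to be located in the target's module list first.
            ModuleInfo targetkernel = null;
            ModuleInfo[] modules = GetModuleInfos((int)processid);
            if (modules != null)
            {
                foreach (ModuleInfo module in modules)
                {
                    // Ordinal, case-insensitive match: module names are identifiers, not culture-specific text
                    // (the previous ToLower().Contains() was culture-sensitive and threw on a null baseName).
                    if (module != null && module.baseName != null
                        && module.baseName.IndexOf("kernel32", StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        targetkernel = module;
                        break;
                    }
                }
            }

            if (targetkernel == null || targetkernel.baseOfDll == IntPtr.Zero)
            {
                error = "Failed to get base of kernel32!";
                return IntPtr.Zero;
            }

            IntPtr hprocess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD, 0, processid);
            if (hprocess == IntPtr.Zero)
            {
                error = "Can't open selected process!";
                return IntPtr.Zero;
            }

            IntPtr pLibPath = IntPtr.Zero;   // buffer in the target holding the ASCII path
            IntPtr pLocalPath = IntPtr.Zero; // local unmanaged ANSI copy handed to WriteProcessMemory
            IntPtr hThread = IntPtr.Zero;
            try
            {
                int LoadLibraryArva = ExportTable.ProcGetExpAddress(hprocess, targetkernel.baseOfDll, "LoadLibraryA");
                if (LoadLibraryArva == 0)
                {
                    error = "Failed to get address of LoadLibraryA!";
                    return IntPtr.Zero;
                }

                // RVA + remote image base = absolute address of LoadLibraryA in the target.
                IntPtr loadlibraryAddress = (IntPtr)((long)targetkernel.baseOfDll + (long)LoadLibraryArva);

                // +1 for the NUL terminator. Only sizeAscii - 1 bytes are written below; the terminator
                // relies on freshly committed pages being zero-filled.
                uint sizeAscii = (uint)Encoding.ASCII.GetByteCount(libFullPath) + 1;
                pLibPath = VirtualAllocEx(hprocess, IntPtr.Zero, sizeAscii, AllocationType.Commit, MemoryProtection.ReadWrite);
                if (pLibPath == IntPtr.Zero)
                {
                    error = "Can't alocate memory on process!";
                    return IntPtr.Zero;
                }

                // The ANSI copy used to be created inline and never freed (unmanaged leak on every call);
                // it is now released in the finally block.
                pLocalPath = Marshal.StringToHGlobalAnsi(libFullPath);
                int bytesWritten = 0;
                if (!WriteProcessMemory(hprocess, pLibPath, pLocalPath, sizeAscii - 1, ref bytesWritten)
                    || bytesWritten != (int)sizeAscii - 1)
                {
                    error = "Can't write libname on process!";
                    return IntPtr.Zero;
                }

                // Run LoadLibraryA(pLibPath) in the target.
                hThread = CreateRemoteThread(hprocess, IntPtr.Zero, 0, loadlibraryAddress, pLibPath, 0, IntPtr.Zero);
                if (hThread == IntPtr.Zero)
                {
                    error = "Can't create the remote thread!";
                    return IntPtr.Zero;
                }

                // WAIT_OBJECT_0 is 0; anything else (WAIT_FAILED, WAIT_ABANDONED) is treated as an error.
                if (WaitForSingleObject(hThread, uint.MaxValue) != 0)
                {
                    error = "Error on WaitForSingleObject!";
                    return IntPtr.Zero;
                }

                // The thread's exit code is LoadLibraryA's return value (the module handle).
                // NOTE(review): a thread exit code is a 32-bit DWORD, so for a 64-bit target the upper half of
                // the module base is lost here — confirm how callers use the returned value before relying on it.
                IntPtr hLibModule;
                if (!GetExitCodeThread(hThread, out hLibModule))
                {
                    error = "Error on GetExitCodeThread!";
                    return IntPtr.Zero;
                }

                if (hLibModule == IntPtr.Zero)
                {
                    error = "Code executed properly, but unable to get an appropriate module handle!";
                    return IntPtr.Zero;
                }

                error = "";
                return hLibModule;
            }
            finally
            {
                // Every exit path used to repeat the VirtualFreeEx/CloseHandle pair by hand and none of them
                // closed hThread; all cleanup is centralised here. pLibPath is only freed after the remote
                // thread has finished reading it (the wait above), or when the thread never started.
                if (pLocalPath != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pLocalPath);
                }
                if (pLibPath != IntPtr.Zero)
                {
                    VirtualFreeEx(hprocess, pLibPath, 0, FreeType.Release);
                }
                if (hThread != IntPtr.Zero)
                {
                    CloseHandle(hThread);
                }
                CloseHandle(hprocess);
            }
        }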