public IMemoryModule LoadLibrary(string pathToDll, bool resolveReferences = true) { byte[] loadLibraryOpcodes = LoadLibraryPayload(pathToDll); IMemoryAddress allocatedMemory = AllocateManagedMemory(loadLibraryOpcodes.Length); if (Kernel32.WriteProcessMemory(NativeProcess.Handle, allocatedMemory.Address, loadLibraryOpcodes, loadLibraryOpcodes.Length, out IntPtr _)) { IMemoryModule kernel32Module = Modules["kernel32.dll"]; IMemoryAddress loadLibraryAddress; if (resolveReferences) { loadLibraryAddress = kernel32Module.GetProcAddress("LoadLibraryW"); } else { loadLibraryAddress = kernel32Module.GetProcAddress("LoadLibraryExW"); } if (loadLibraryAddress == null) { throw new Win32Exception($"Couldn't get proc address, error code: {Marshal.GetLastWin32Error()}."); } if (CreateRemoteThread(loadLibraryAddress, allocatedMemory) == IntPtr.Zero) { throw new Win32Exception($"Couldn't create a remote thread, error code: {Marshal.GetLastWin32Error()}."); } } RefreshModules(); return(Modules[Path.GetFileName(pathToDll).ToLower()]); }
/// <summary> /// Constructor /// </summary> /// <param name="address"> /// The memory address for the comparison. /// </param> /// <param name="comparison"> /// The value to which the memory address is compared. /// </param> /// <param name="trueValue"> /// The resultant value, if the comparison is true. /// </param> public AutoTrackAddressBool(IMemoryAddress address, byte comparison, int trueValue) { _address = address; _comparison = comparison; _trueValue = trueValue; _address.PropertyChanged += OnMemoryChanged; }
protected override Delegate ToCallDelegate() { GameSharpProcess process = GameSharpProcess.Instance; IMemoryModule kernel32 = process.Modules["kernel32.dll"]; IMemoryAddress IsDebuggerPresentPtr = kernel32.GetProcAddress("IsDebuggerPresent"); return(IsDebuggerPresentPtr.ToDelegate <IsDebuggerPresentDelegate>()); }
/// <summary> /// Constructor /// </summary> /// <param name="address"> /// The memory address to be represented. /// </param> /// <param name="mask"> /// The bitwise mask of to be represented. /// </param> /// <param name="adjustment"> /// The number of bitwise digits to right shift the address value. /// </param> public AutoTrackBitwiseIntegerValue(IMemoryAddress address, byte mask, int shift) { _address = address; _mask = mask; _shift = shift; _address.PropertyChanged += OnMemoryChanged; }
/// <summary> /// Constructor /// </summary> /// <param name="address"> /// The memory address for the comparison. /// </param> /// <param name="maximum"> /// The maximum valid value of the memory address. /// </param> /// <param name="adjustment"> /// The amount that the result value should be adjusted from the true value. /// </param> public AutoTrackAddressValue(IMemoryAddress address, byte maximum, int adjustment) { _address = address; _maximum = maximum; _adjustment = adjustment; _address.PropertyChanged += OnMemoryChanged; }
/// <summary> /// A patch can be used to change byte(s) starting at the defined address. /// </summary> /// <param name="addressToPatch">The address of the byte where we want our patch to start.</param> public MemoryPatch(IMemoryAddress addressToPatch, byte[] newBytes) { PatchAddress = addressToPatch; NewBytes = newBytes; OriginalBytes = PatchAddress.Read(NewBytes.Length); MemoryPatches.Add(this); }
public static T ToDelegate <T>(this IMemoryAddress memoryAddress) where T : class { if (typeof(T).GetCustomAttributes(typeof(UnmanagedFunctionPointerAttribute), true).Length == 0) { throw new InvalidOperationException("This operation can only convert to delegates adorned with the UnmanagedFunctionPointerAttribute"); } return(Marshal.GetDelegateForFunctionPointer(memoryAddress.Address, typeof(T)) as T); }
protected override Delegate ToCallDelegate() { GameSharpProcess process = GameSharpProcess.Instance; IMemoryModule ntdll = process.Modules["ntdll.dll"]; IMemoryAddress ntQueryInformationProcessPtr = ntdll.GetProcAddress("NtQueryInformationProcess"); return(ntQueryInformationProcessPtr.ToDelegate <NtQueryInformationProcessDelegate>()); }
protected override Delegate ToCallDelegate() { GameSharpProcess process = GameSharpProcess.Instance; IMemoryModule user32dll = process.Modules["user32.dll"]; IMemoryAddress messageBoxWPtr = user32dll.GetProcAddress("MessageBoxW"); return(messageBoxWPtr.ToDelegate <MessageBoxWDelegate>()); }
private void ValidateDbgBreakPoint() { IMemoryModule ntdll = Process.Modules["ntdll.dll"]; IMemoryAddress dbgBreakPointPtr = ntdll.GetProcAddress("DbgBreakPoint"); byte dbgBreakPointByte = dbgBreakPointPtr.Read <byte>(); if (dbgBreakPointByte == 0xC3) { MemoryPatches.Add(new MemoryPatch(dbgBreakPointPtr, new byte[] { 0xCC })); } }
private static void NtQueryInformationProcess(int flag, string flagName) { NtQueryInformationProcess ntQueryInformationProcess = new NtQueryInformationProcess(); using (IMemoryAddress result = GameSharpProcess.Instance.AllocateManagedMemory(IntPtr.Size)) { int queryState = ntQueryInformationProcess.Call <int>(GameSharpProcess.Instance.Handle, flag, result.Address, (uint)4, null); // STATUS_SUCCESS = 0, so if API call was successful queryState should contain 0. if (queryState == 0) { if (!result.Read <bool>()) { LoggingService.Info($"{flagName} => We're being debugged!"); } } } }
public static byte[] GetReturnToPtr(this IMemoryAddress memoryAddress) { // PUSH opcode http://ref.x86asm.net/coder32.html#x68 List <byte> bytes = new List <byte> { 0x68 }; // Push our hook address onto the stack byte[] hookPtrAddress = IntPtr.Size == 4 ? BitConverter.GetBytes(memoryAddress.Address.ToInt32()) : BitConverter.GetBytes(memoryAddress.Address.ToInt64()); bytes.AddRange(hookPtrAddress); // RETN opcode http://ref.x86asm.net/coder32.html#xC3 bytes.Add(0xC3); return(bytes.ToArray()); }
public SafeFunction() { Delegate @delegate = ToCallDelegate(); MemoryAddress originalFuncPtr = @delegate.ToFunctionPtr(); MemoryModule module = originalFuncPtr.GetMyModule(); List <byte> bytes = new List <byte>(); bytes.AddRange(originalFuncPtr.GetReturnToPtr()); IMemoryAddress codeCave = module.FindCodeCaveInModule((uint)bytes.Count); codeCave.Write(bytes.ToArray()); Type typeOfDelegate = @delegate.GetType(); SafeFunctionDelegate = Marshal.GetDelegateForFunctionPointer(codeCave.Address, typeOfDelegate); }
public IntPtr CreateRemoteThread(IMemoryAddress entryPoint, IMemoryAddress arguments) { return(Kernel32.CreateRemoteThread(NativeProcess.Handle, IntPtr.Zero, 0, entryPoint.Address, arguments.Address, 0, IntPtr.Zero)); }
/// <summary> /// Initializes a new instance of the <see cref="MemoryScanner" /> class. /// </summary> /// <param name="module"><see cref="ProcessModule"/> which we are going to scan.</param> public MemoryScanner(IMemoryModule module) { ModuleBase = module.MemoryAddress; Bytes = ModuleBase.Read(module.ModuleMemorySize); }
protected override void Execute(Injectable assembly) { IMemoryAddress allocatedMemory = Process.AllocateManagedMemory(assembly.PathToAssemblyFile.Length); allocatedMemory.Write(Encoding.Unicode.GetBytes(assembly.PathToAssemblyFile)); }
public MemoryModule(ProcessModule processModule) : base(processModule) { MemoryAddress = new MemoryAddress(NativeProcessModule.BaseAddress); PeHeader = GeneratePeHeader(); }