public IMemoryModule LoadLibrary(string pathToDll, bool resolveReferences = true)
{
byte[] loadLibraryOpcodes = LoadLibraryPayload(pathToDll);
IMemoryAddress allocatedMemory = AllocateManagedMemory(loadLibraryOpcodes.Length);
if (Kernel32.WriteProcessMemory(NativeProcess.Handle, allocatedMemory.Address, loadLibraryOpcodes, loadLibraryOpcodes.Length, out IntPtr _))
{
IMemoryModule kernel32Module = Modules["kernel32.dll"];
IMemoryAddress loadLibraryAddress;
if (resolveReferences)
{
loadLibraryAddress = kernel32Module.GetProcAddress("LoadLibraryW");
}
else
{
loadLibraryAddress = kernel32Module.GetProcAddress("LoadLibraryExW");
}
if (loadLibraryAddress == null)
{
throw new Win32Exception($"Couldn't get proc address, error code: {Marshal.GetLastWin32Error()}.");
}
if (CreateRemoteThread(loadLibraryAddress, allocatedMemory) == IntPtr.Zero)
{
throw new Win32Exception($"Couldn't create a remote thread, error code: {Marshal.GetLastWin32Error()}.");
}
}
RefreshModules();
return(Modules[Path.GetFileName(pathToDll).ToLower()]);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="address">
/// The memory address for the comparison.
/// </param>
/// <param name="comparison">
/// The value to which the memory address is compared.
/// </param>
/// <param name="trueValue">
/// The resultant value, if the comparison is true.
/// </param>
public AutoTrackAddressBool(IMemoryAddress address, byte comparison, int trueValue)
{
_address = address;
_comparison = comparison;
_trueValue = trueValue;
_address.PropertyChanged += OnMemoryChanged;
}
protected override Delegate ToCallDelegate()
{
GameSharpProcess process = GameSharpProcess.Instance;
IMemoryModule kernel32 = process.Modules["kernel32.dll"];
IMemoryAddress IsDebuggerPresentPtr = kernel32.GetProcAddress("IsDebuggerPresent");
return(IsDebuggerPresentPtr.ToDelegate <IsDebuggerPresentDelegate>());
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="address">
/// The memory address to be represented.
/// </param>
/// <param name="mask">
/// The bitwise mask of to be represented.
/// </param>
/// <param name="adjustment">
/// The number of bitwise digits to right shift the address value.
/// </param>
public AutoTrackBitwiseIntegerValue(IMemoryAddress address, byte mask, int shift)
{
_address = address;
_mask = mask;
_shift = shift;
_address.PropertyChanged += OnMemoryChanged;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="address">
/// The memory address for the comparison.
/// </param>
/// <param name="maximum">
/// The maximum valid value of the memory address.
/// </param>
/// <param name="adjustment">
/// The amount that the result value should be adjusted from the true value.
/// </param>
public AutoTrackAddressValue(IMemoryAddress address, byte maximum, int adjustment)
{
_address = address;
_maximum = maximum;
_adjustment = adjustment;
_address.PropertyChanged += OnMemoryChanged;
}
/// <summary>
/// A patch can be used to change byte(s) starting at the defined address.
/// </summary>
/// <param name="addressToPatch">The address of the byte where we want our patch to start.</param>
public MemoryPatch(IMemoryAddress addressToPatch, byte[] newBytes)
{
PatchAddress = addressToPatch;
NewBytes = newBytes;
OriginalBytes = PatchAddress.Read(NewBytes.Length);
MemoryPatches.Add(this);
}
public static T ToDelegate <T>(this IMemoryAddress memoryAddress) where T : class
{
if (typeof(T).GetCustomAttributes(typeof(UnmanagedFunctionPointerAttribute), true).Length == 0)
{
throw new InvalidOperationException("This operation can only convert to delegates adorned with the UnmanagedFunctionPointerAttribute");
}
return(Marshal.GetDelegateForFunctionPointer(memoryAddress.Address, typeof(T)) as T);
}
protected override Delegate ToCallDelegate()
{
GameSharpProcess process = GameSharpProcess.Instance;
IMemoryModule ntdll = process.Modules["ntdll.dll"];
IMemoryAddress ntQueryInformationProcessPtr = ntdll.GetProcAddress("NtQueryInformationProcess");
return(ntQueryInformationProcessPtr.ToDelegate <NtQueryInformationProcessDelegate>());
}
protected override Delegate ToCallDelegate()
{
GameSharpProcess process = GameSharpProcess.Instance;
IMemoryModule user32dll = process.Modules["user32.dll"];
IMemoryAddress messageBoxWPtr = user32dll.GetProcAddress("MessageBoxW");
return(messageBoxWPtr.ToDelegate <MessageBoxWDelegate>());
}
private void ValidateDbgBreakPoint()
{
IMemoryModule ntdll = Process.Modules["ntdll.dll"];
IMemoryAddress dbgBreakPointPtr = ntdll.GetProcAddress("DbgBreakPoint");
byte dbgBreakPointByte = dbgBreakPointPtr.Read <byte>();
if (dbgBreakPointByte == 0xC3)
{
MemoryPatches.Add(new MemoryPatch(dbgBreakPointPtr, new byte[] { 0xCC }));
}
}
private static void NtQueryInformationProcess(int flag, string flagName)
{
NtQueryInformationProcess ntQueryInformationProcess = new NtQueryInformationProcess();
using (IMemoryAddress result = GameSharpProcess.Instance.AllocateManagedMemory(IntPtr.Size))
{
int queryState = ntQueryInformationProcess.Call <int>(GameSharpProcess.Instance.Handle, flag, result.Address, (uint)4, null);
// STATUS_SUCCESS = 0, so if API call was successful queryState should contain 0.
if (queryState == 0)
{
if (!result.Read <bool>())
{
LoggingService.Info($"{flagName} => We're being debugged!");
}
}
}
}
public static byte[] GetReturnToPtr(this IMemoryAddress memoryAddress)
{
// PUSH opcode http://ref.x86asm.net/coder32.html#x68
List <byte> bytes = new List <byte> {
0x68
};
// Push our hook address onto the stack
byte[] hookPtrAddress = IntPtr.Size == 4
? BitConverter.GetBytes(memoryAddress.Address.ToInt32())
: BitConverter.GetBytes(memoryAddress.Address.ToInt64());
bytes.AddRange(hookPtrAddress);
// RETN opcode http://ref.x86asm.net/coder32.html#xC3
bytes.Add(0xC3);
return(bytes.ToArray());
}
public SafeFunction()
{
Delegate @delegate = ToCallDelegate();
MemoryAddress originalFuncPtr = @delegate.ToFunctionPtr();
MemoryModule module = originalFuncPtr.GetMyModule();
List <byte> bytes = new List <byte>();
bytes.AddRange(originalFuncPtr.GetReturnToPtr());
IMemoryAddress codeCave = module.FindCodeCaveInModule((uint)bytes.Count);
codeCave.Write(bytes.ToArray());
Type typeOfDelegate = @delegate.GetType();
SafeFunctionDelegate = Marshal.GetDelegateForFunctionPointer(codeCave.Address, typeOfDelegate);
}
public IntPtr CreateRemoteThread(IMemoryAddress entryPoint, IMemoryAddress arguments)
{
return(Kernel32.CreateRemoteThread(NativeProcess.Handle, IntPtr.Zero, 0, entryPoint.Address, arguments.Address, 0, IntPtr.Zero));
}
/// <summary>
/// Initializes a new instance of the <see cref="MemoryScanner" /> class.
/// </summary>
/// <param name="module"><see cref="ProcessModule"/> which we are going to scan.</param>
public MemoryScanner(IMemoryModule module)
{
ModuleBase = module.MemoryAddress;
Bytes = ModuleBase.Read(module.ModuleMemorySize);
}
protected override void Execute(Injectable assembly)
{
IMemoryAddress allocatedMemory = Process.AllocateManagedMemory(assembly.PathToAssemblyFile.Length);
allocatedMemory.Write(Encoding.Unicode.GetBytes(assembly.PathToAssemblyFile));
}
public MemoryModule(ProcessModule processModule) : base(processModule)
{
MemoryAddress = new MemoryAddress(NativeProcessModule.BaseAddress);
PeHeader = GeneratePeHeader();
}
