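/// <summary>
/// Removes the DNCIClrLoader module from the target process by starting a remote
/// thread whose entry point is kernel32!FreeLibrary with the module handle as its
/// single argument.
/// </summary>
/// <param name="targetProcessHandle">Target Process Handle</param>
/// <param name="dnciModuleHandle">DNCIClrLoader Module Handle, as mapped in the target process</param>
/// <exception cref="InvalidOperationException">
/// Thrown when FreeLibrary cannot be resolved in the local kernel32 image.
/// </exception>
private void EraseRemoteModules(IntPtr targetProcessHandle, IntPtr dnciModuleHandle)
{
    // FreeLibrary is resolved in THIS process and the address is reused inside the
    // target. That relies on kernel32 being mapped at the same base address in the
    // target (processes of the same bitness on the same boot); a cross-bitness
    // target would receive a meaningless address.
    IntPtr freeLibraryAddr = NativeExecution.GetProcAddress(
        NativeExecution.GetModuleHandle("Kernel32"),
        "FreeLibrary");

    // Without this guard a failed lookup would start a remote thread at address 0
    // and crash the target process instead of failing here.
    if (freeLibraryAddr == IntPtr.Zero)
    {
        throw new InvalidOperationException("Unable to resolve kernel32!FreeLibrary.");
    }

    // Unload DNCIClrLoader.dll from the remote process. This is fire-and-forget:
    // the value returned by CreateRemoteThread is discarded and the unload is not
    // awaited, so the module may still be mapped when this method returns.
    // NOTE(review): if NativeExecution wraps WaitForSingleObject/CloseHandle, the
    // thread handle should be waited on and closed here — confirm the wrapper's
    // signature before adding that.
    NativeExecution.CreateRemoteThread(
        targetProcessHandle,
        IntPtr.Zero,
        0,
        freeLibraryAddr,
        dnciModuleHandle,
        0,
        IntPtr.Zero);
}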
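/// <summary>
/// Injects DNCIClrLoader.dll into the target process through a remote LoadLibraryW
/// call and returns the handle (base address) of the module inside that process.
/// </summary>
/// <param name="targetProcessHandle">Target Process Handle</param>
/// <param name="injectorLibraryFilePath">DNCIClrLoader.dll File Path</param>
/// <param name="moduleName">Name of Module (usually, FILE_NAME.dll)</param>
/// <returns>
/// The module handle of <paramref name="moduleName"/> in the target process, as
/// reported by FindRemoteModuleHandle. Presumably IntPtr.Zero when the module is not
/// found — TODO confirm against FindRemoteModuleHandle and check it at the call site.
/// </returns>
/// <exception cref="ArgumentException">
/// Thrown when <paramref name="injectorLibraryFilePath"/> is null, empty or whitespace.
/// </exception>
/// <exception cref="InvalidOperationException">
/// Thrown when LoadLibraryW cannot be resolved in the local kernel32 image.
/// </exception>
private IntPtr DNCIClrLoader(IntPtr targetProcessHandle, String injectorLibraryFilePath, String moduleName)
{
    // An empty path would be handed to the remote LoadLibraryW as-is; fail early instead.
    if (string.IsNullOrWhiteSpace(injectorLibraryFilePath))
    {
        throw new ArgumentException("Injector library path must not be empty.", "injectorLibraryFilePath");
    }

    // LoadLibraryW is resolved locally and the address reused in the target; this
    // relies on kernel32 sharing the same base address in both processes.
    IntPtr loadLibraryWAddr = NativeExecution.GetProcAddress(
        NativeExecution.GetModuleHandle("kernel32.dll"),
        "LoadLibraryW");

    // Without this guard a failed lookup would start a remote thread at address 0
    // and crash the target process instead of failing here.
    if (loadLibraryWAddr == IntPtr.Zero)
    {
        throw new InvalidOperationException("Unable to resolve kernel32!LoadLibraryW.");
    }

    // Write the path into the target and run LoadLibraryW(path) on a remote thread.
    Inject(targetProcessHandle, loadLibraryWAddr, injectorLibraryFilePath);

    // Resolve the base address the injected module received in the target process;
    // this is a module handle, not the address of any exported function.
    return FindRemoteModuleHandle(targetProcessHandle, moduleName);
}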
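/// <summary>
/// Computes the offset (RVA-style delta) of an exported function from the base of
/// the library that exports it, by loading the library into this process, resolving
/// the export, and subtracting the module base.
/// </summary>
/// <param name="libraryPath">Full Library Path</param>
/// <param name="targetFunctionName">Name of the export to resolve</param>
/// <returns>Byte offset of the export from the library's base address.</returns>
/// <exception cref="ArgumentException">
/// Thrown when either argument is null, empty or whitespace.
/// </exception>
/// <exception cref="InvalidOperationException">
/// Thrown when the library cannot be loaded, the export is not found, or the export
/// address does not lie within 4 GB above the module base.
/// </exception>
private uint GetFunctionOffSet(String libraryPath, String targetFunctionName)
{
    if (string.IsNullOrWhiteSpace(libraryPath))
    {
        throw new ArgumentException("Library path must not be empty.", "libraryPath");
    }
    if (string.IsNullOrWhiteSpace(targetFunctionName))
    {
        throw new ArgumentException("Function name must not be empty.", "targetFunctionName");
    }

    // NOTE: a plain LoadLibrary executes the DLL's entry point in this process just to
    // read an export address. Pass an absolute path only (a bare name is subject to
    // the DLL search order); if the wrapper ever exposes LoadLibraryEx, loading as a
    // data file would avoid running the library's code here.
    IntPtr libHandle = NativeExecution.LoadLibrary(libraryPath);
    if (libHandle == IntPtr.Zero)
    {
        throw new InvalidOperationException("Unable to load library '" + libraryPath + "'.");
    }

    try
    {
        IntPtr functionPtr = NativeExecution.GetProcAddress(libHandle, targetFunctionName);
        if (functionPtr == IntPtr.Zero)
        {
            throw new InvalidOperationException(
                "Export '" + targetFunctionName + "' not found in '" + libraryPath + "'.");
        }

        // ToInt64 rather than ToInt32: in a 64-bit process a module base is routinely
        // above 4 GB, and IntPtr.ToInt32() throws OverflowException for such values.
        long delta = functionPtr.ToInt64() - libHandle.ToInt64();

        // A negative or >4 GB delta means the resolved address is not inside this image
        // (forwarded exports, for example, resolve into another DLL). Refuse rather than
        // silently wrap into a bogus uint that would later be added to a remote base.
        if (delta < 0 || delta > uint.MaxValue)
        {
            throw new InvalidOperationException(
                "Export '" + targetFunctionName + "' does not lie within the image of '" + libraryPath + "'.");
        }

        return (uint)delta;
    }
    finally
    {
        // Always release our reference, including when the lookup above throws.
        NativeExecution.FreeLibrary(libHandle);
    }
}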