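/// <summary>
/// Handles the Inject button: checks that the selected assembly file exists and an
/// entry point is selected, derives the entry-point type name from
/// <c>_entryPoint.FullName</c>, then injects either synchronously or on a background
/// thread (when <c>chkWaitReturn</c> is checked) and reports the outcome through
/// <c>MessageBoxStub</c>.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btInject_Click(object sender, EventArgs e)
{
    // Nothing to do without a readable assembly and a selected entry point.
    if (!File.Exists(_assemblyPath))
    {
        return;
    }
    if (cmbEntryPoint.SelectedItem == null)
    {
        return;
    }

    // The type name is the text between the first space and the first ':' of FullName
    // (e.g. "RetType Namespace.Type::Method(...)" — presumed from the parsing below).
    // Report a failure instead of throwing ArgumentOutOfRangeException when no ':' is present.
    string fullName = _entryPoint.FullName;
    int typeStart = fullName.IndexOf(' ') + 1;
    int typeEnd = fullName.IndexOf(':', typeStart);
    if (typeEnd < 0)
    {
        MessageBoxStub.Show(_resources.GetString("StrFailToInject"), MessageBoxIcon.Error);
        return;
    }
    string typeName = fullName.Substring(typeStart, typeEnd - typeStart);

    if (chkWaitReturn.Checked)
    {
        // Keep the original caption so it can be restored exactly: the localized
        // "waiting" suffix is not guaranteed to be 6 characters long, so trimming a
        // fixed count from the end would corrupt the title for other resource values.
        string originalText = Text;
        btInject.Enabled = false;
        Text = originalText + _resources.GetString("StrWaiting");

        new Thread(() =>
        {
            bool success = _process.InjectManaged(_assemblyPath, typeName, _entryPoint.Name, _argument, out int ret);
            // All control access must be marshalled back to the UI thread.
            Invoke((Action)(() =>
            {
                if (success)
                {
                    MessageBoxStub.Show($"{_resources.GetString("StrInjectSuccessfully")}\n{_resources.GetString("StrReturnValue")} {ret}", MessageBoxIcon.Information);
                }
                else
                {
                    MessageBoxStub.Show(_resources.GetString("StrFailToInject"), MessageBoxIcon.Error);
                }
                btInject.Enabled = true;
                Text = originalText;
            }));
        })
        { IsBackground = true }.Start();
    }
    else
    {
        // Synchronous path: no return value is reported.
        if (_process.InjectManaged(_assemblyPath, typeName, _entryPoint.Name, _argument))
        {
            MessageBoxStub.Show(_resources.GetString("StrInjectSuccessfully"), MessageBoxIcon.Information);
        }
        else
        {
            MessageBoxStub.Show(_resources.GetString("StrFailToInject"), MessageBoxIcon.Error);
        }
    }
}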
/// <summary>
/// Dumps the module at <paramref name="moduleHandle"/> from the target process.
/// NOTE(review): this overload is currently disabled — its first statement returns
/// false unconditionally, so the whole body below it is unreachable and
/// <paramref name="filePath"/> is never used. Even if the early return were removed,
/// the dumped bytes (<c>peImage</c>) are never written to <paramref name="filePath"/>.
/// </summary>
/// <param name="moduleHandle">Base address of the module inside the target process.</param>
/// <param name="filePath">Intended destination file; unused in the current state.</param>
/// <returns>Always false.</returns>
public bool DumpModule(IntPtr moduleHandle, string filePath)
{
    return(false); // Unconditional early return: everything after this line is dead code.
    Injection.Options options;
    MetadataService metadataService;
    MetadataInfo metadataInfo;
    byte[] peImage;
    // Fresh GUIDs name the Remoting IPC port and object the injected service would expose.
    options = new Injection.Options { PortName = Guid.NewGuid().ToString(), ObjectName = Guid.NewGuid().ToString() };
    // Inject the service assembly into the target; non-zero result or failed injection aborts.
    using (NativeProcess process = NativeProcess.Open(_processId))
        if (!process.InjectManaged(typeof(MetadataService).Assembly.Location, typeof(Injection).FullName, "Main", options.Serialize(), out int result) || result != 0)
        {
            return(false);
        }
    // .NET Remoting proxy to the service running inside the target process.
    // NOTE(review): nothing here shows authentication on the IPC channel; the endpoint is
    // guarded only by the unguessable GUID names — confirm against the Injection side.
    metadataService = (MetadataService)Activator.GetObject(typeof(MetadataService), $"Ipc://{options.PortName}/{options.ObjectName}");
    metadataInfo = metadataService.GetMetadataInfo(moduleHandle);
    PrintStreamInfo("#~ or #-", metadataInfo.TableStream);
    PrintStreamInfo("#Strings", metadataInfo.StringHeap);
    PrintStreamInfo("#US", metadataInfo.UserStringHeap);
    PrintStreamInfo("#GUID", metadataInfo.GuidHeap);
    PrintStreamInfo("#Blob", metadataInfo.BlobHeap);
    peImage = DumpMemoryModule(moduleHandle); // Result is discarded: no File.WriteAllBytes follows.
    return(true);
}
/// <summary>
/// Handles the Inject button (hard-coded English strings variant). Validates the
/// assembly path and selected entry point, derives the type name from
/// <c>_entryPoint.FullName</c>, and on the "wait for return" path injects on a
/// background thread, reporting the result via <c>MessageBoxStub</c>.
/// NOTE(review): the method text is truncated here — the else branch and closing
/// braces are not visible on this page.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btInject_Click(object sender, EventArgs e)
{
    if (!File.Exists(_assemblyPath))
    {
        return;
    }
    if (cmbEntryPoint.SelectedItem is null)
    {
        return;
    }
    // Type name = text between the first space and the first ':' of FullName.
    // A FullName without ':' makes the second Substring throw ArgumentOutOfRangeException.
    string typeName = _entryPoint.FullName.Substring(_entryPoint.FullName.IndexOf(' ') + 1);
    typeName = typeName.Substring(0, typeName.IndexOf(':'));
    if (chkWaitReturn.Checked)
    {
        btInject.Enabled = false;
        Text += "Waiting...";
        new Thread(() =>
        {
            if (_process.InjectManaged(_assemblyPath, typeName, _entryPoint.Name, _argument, out int ret))
            {
                Invoke((Action)(() => MessageBoxStub.Show($"Inject successfully and return value is {ret}", MessageBoxIcon.Information)));
            }
            else
            {
                Invoke((Action)(() => MessageBoxStub.Show("Failed to inject", MessageBoxIcon.Error)));
            }
            // NOTE(review): "Waiting..." is 10 characters, but only 6 are trimmed here,
            // so the caption keeps a trailing "Wait" after the injection completes.
            Invoke((Action)(() => { btInject.Enabled = true; Text = Text.Substring(0, Text.Length - 6); }));
        })
        { IsBackground = true }.Start();
/// <summary>
/// Dumps a managed module from the target process to disk: injects the
/// <c>MetadataInfoService</c> helper into the target, retrieves the module's metadata
/// layout over a .NET Remoting IPC channel, rebuilds the image (with a fallback to the
/// on-disk section headers) and writes it to <paramref name="filePath"/>.
/// </summary>
/// <param name="moduleHandle">Base address of the module inside the target process.</param>
/// <param name="imageLayout">Caller's layout hint; replaced by the layout reported from inside the process.</param>
/// <param name="filePath">Destination file for the dumped image.</param>
/// <returns>
/// true on success; false when the DAC does not know the module, the CLR major version
/// is neither 2 nor 4, injection fails or returns non-zero, or the reported PE info is invalid.
/// </returns>
public bool DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
{
    ClrModule dacModule = TryGetDacModule(moduleHandle);
    if (dacModule is null)
    {
        return false;
    }

    // The helper must be injected into the runtime matching the module being dumped.
    InjectionClrVersion clrVersion;
    int majorVersion = dacModule.Runtime.ClrInfo.Version.Major;
    if (majorVersion == 2)
    {
        clrVersion = InjectionClrVersion.V2;
    }
    else if (majorVersion == 4)
    {
        clrVersion = InjectionClrVersion.V4;
    }
    else
    {
        return false;
    }

    // Fresh GUIDs name the Remoting IPC port and object the injected service will expose.
    var injectionOptions = new InjectionOptions
    {
        PortName = Guid.NewGuid().ToString(),
        ObjectName = Guid.NewGuid().ToString()
    };
    using (NativeProcess process = NativeProcess.Open(_processId))
    {
        string serializedOptions = XmlSerializer.Serialize(injectionOptions);
        bool injected = process.InjectManaged(typeof(MetadataInfoService).Assembly.Location, typeof(Injection).FullName, "Main", serializedOptions, clrVersion, out int result);
        if (!injected || result != 0)
        {
            return false;
        }
    }

    // Remoting proxy to the service now running inside the target process.
    // NOTE(review): no authentication on the IPC channel is visible here; the endpoint
    // relies on the GUID names being unguessable — confirm on the Injection side.
    string serviceUri = $"Ipc://{injectionOptions.PortName}/{injectionOptions.ObjectName}";
    var metadataInfoService = (MetadataInfoService)Activator.GetObject(typeof(MetadataInfoService), serviceUri);
    MetadataInfo metadataInfo = XmlSerializer.Deserialize<MetadataInfo>(metadataInfoService.GetMetadataInfo(moduleHandle));
    if (!metadataInfo.PEInfo.IsValid)
    {
        return false;
    }
    // The layout observed inside the process takes precedence over the caller's hint.
    imageLayout = (ImageLayout)metadataInfo.PEInfo.ImageLayout;

    byte[] peImageData;
    try
    {
        // First attempt: rebuild without consulting the section headers of the file on disk.
        peImageData = DumpModule(moduleHandle, imageLayout, metadataInfo, null);
    }
    catch
    {
        // Fallback: reuse the section headers from the module's file on disk.
        peImageData = DumpModule(moduleHandle, imageLayout, metadataInfo, dacModule.FileName);
    }
    File.WriteAllBytes(filePath, peImageData);
    return true;
}
/// <summary>
/// Dumps a managed module from the target process to disk using the
/// <c>AntiAntiDumpService</c> helper: the helper is injected into the target, the
/// module's metadata info and in-memory layout are retrieved over a .NET Remoting IPC
/// channel, the raw image is copied from process memory, its header is fixed up,
/// converted to file layout and written to <paramref name="filePath"/>.
/// </summary>
/// <param name="moduleHandle">Base address of the module inside the target process.</param>
/// <param name="imageLayout">Caller's layout hint (typically from the DAC); replaced by the value reported from inside the process, which is trusted more than the DAC's answer.</param>
/// <param name="filePath">Destination file for the dumped image.</param>
/// <returns>
/// true on success; false when the DAC does not know the module, the CLR major version
/// is neither 2 nor 4, injection fails or returns non-zero, or the service reports the
/// module cannot be handled (<c>CanAntiAntiDump</c> is false).
/// </returns>
public bool DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
{
    ClrModule dacModule = TryGetDacModule(moduleHandle);
    if (dacModule == null)
    {
        return false;
    }
    // The helper must be injected into the runtime matching the module being dumped.
    if (!TryMapClrVersion(dacModule.Runtime.ClrInfo.Version.Major, out InjectionClrVersion clrVersion))
    {
        return false;
    }

    // Fresh GUIDs name the Remoting IPC port and object the injected service will expose.
    var options = new Injection.Options
    {
        PortName = Guid.NewGuid().ToString(),
        ObjectName = Guid.NewGuid().ToString()
    };
    using (NativeProcess process = NativeProcess.Open(_processId))
    {
        if (!process.InjectManaged(typeof(AntiAntiDumpService).Assembly.Location, typeof(Injection).FullName, "Main", options.Serialize(), clrVersion, out int result) || result != 0)
        {
            return false;
        }
    }

    // Remoting proxy to the service now running inside the target process.
    // NOTE(review): no authentication on the IPC channel is visible here; the endpoint
    // relies on the GUID names being unguessable — confirm on the Injection side.
    string serviceUri = $"Ipc://{options.PortName}/{options.ObjectName}";
    var antiAntiDumpService = (AntiAntiDumpService)Activator.GetObject(typeof(AntiAntiDumpService), serviceUri);
    AntiAntiDumpInfo antiAntiDumpInfo = antiAntiDumpService.GetAntiAntiDumpInfo(moduleHandle);
    if (!antiAntiDumpInfo.CanAntiAntiDump)
    {
        return false;
    }
    // Prefer the layout observed in-process over the DAC-derived hint.
    imageLayout = (ImageLayout)antiAntiDumpInfo.ImageLayout;

    MetadataInfo metadataInfo = antiAntiDumpInfo.MetadataInfo;
    PrintStreamInfo("#~ or #-", metadataInfo.TableStream);
    PrintStreamInfo("#Strings", metadataInfo.StringHeap);
    PrintStreamInfo("#US", metadataInfo.UserStringHeap);
    PrintStreamInfo("#GUID", metadataInfo.GuidHeap);
    PrintStreamInfo("#Blob", metadataInfo.BlobHeap);

    // Raw copy from memory, header fix-up, then conversion to on-disk (file) layout.
    byte[] peImageData = PEImageHelper.DirectCopy(_processId, (void*)moduleHandle, imageLayout);
    FixHeader(peImageData, antiAntiDumpInfo);
    peImageData = PEImageHelper.ConvertImageLayout(peImageData, imageLayout, ImageLayout.File);
    File.WriteAllBytes(filePath, peImageData);
    return true;

    // Maps a CLR major version to the injection target; only v2 and v4 are supported.
    bool TryMapClrVersion(int major, out InjectionClrVersion version)
    {
        switch (major)
        {
            case 2:
                version = InjectionClrVersion.V2;
                return true;
            case 4:
                version = InjectionClrVersion.V4;
                return true;
            default:
                version = default(InjectionClrVersion);
                return false;
        }
    }
}