/// <summary> /// Assembles mnemonics and injects resulting bytecode into given process. /// </summary> /// <param name="hProcess">Handle to the process into which code will be injected.</param> /// <param name="szAssembly">Assembly mnemonics to be assembled and injected.</param> /// <returns>Returns zero on failure, otherwise a chunk of memory that has been allocated in the target process where code was injected.</returns> /// <remarks>Don't forget to free the memory allocated for the code when you are finished.</remarks> public static uint InjectCode(IntPtr hProcess, string szAssembly) { uint dwAddress = MemoryHelper.AllocateMemory(hProcess); return((InjectCode(hProcess, dwAddress, szAssembly)) ? dwAddress : RETURN_ERROR); }
/// <summary> /// Injects a dll into a process by hijacking the given thread and redirecting it to LoadLibrary. /// </summary> /// <param name="hProcess">Handle to process into which dll will be injected.</param> /// <param name="hThread">Handle to thread that will be hijacked.</param> /// <param name="szDllPath">Full path to the dll to be injected.</param> /// <returns>Returns the base address of the injected dll on success, zero on failure.</returns> public static uint InjectDllRedirectThread(IntPtr hProcess, IntPtr hThread, string szDllPath) { const uint INITIAL_EXIT_CODE = 0xFFFFFFFF; if (hProcess == IntPtr.Zero) { throw new ArgumentNullException("hProcess"); } if (hThread == IntPtr.Zero) { throw new ArgumentNullException("hThread"); } if (szDllPath.Length == 0) { throw new ArgumentNullException("szDllPath"); } if (!szDllPath.Contains("\\")) { szDllPath = System.IO.Path.GetFullPath(szDllPath); } if (!System.IO.File.Exists(szDllPath)) { throw new ArgumentException("DLL not found.", "szDllPath"); } uint dwBaseAddress = RETURN_ERROR; uint lpLoadLibrary, lpAsmStub; CONTEXT ctx; StringBuilder AssemblyStub = new StringBuilder(); ManagedFasm fasm = new ManagedFasm(hProcess); lpLoadLibrary = (uint)Imports.GetProcAddress(Imports.GetModuleHandle("kernel32.dll"), "LoadLibraryA"); if (lpLoadLibrary == 0) { throw new Exception("Failed to get address of LoadLibraryA in kernel32.dll"); } lpAsmStub = MemoryHelper.AllocateMemory(hProcess); if (lpAsmStub == 0) { throw new Exception("Failed to allocate Memory in the Process!"); } if (ThreadHelper.SuspendThread(hThread) != uint.MaxValue) { ctx = ThreadHelper.GetThreadContext(hThread, CONTEXT_FLAGS.CONTEXT_CONTROL); if (ctx.Eip > 0) { try { //located at lpAsmStub+0, where we can monitor LoadLibrary's exit code. fasm.AddLine("lpExitCode dd 0x{0:X}", INITIAL_EXIT_CODE); //lpAsmStub+4, where the actual code part starts fasm.AddLine("push 0x{0:X}", ctx.Eip); fasm.AddLine("pushad"); fasm.AddLine("push szDllPath"); fasm.AddLine("call 0x{0:X}", lpLoadLibrary); fasm.AddLine("mov [lpExitCode], eax"); fasm.AddLine("popad"); fasm.AddLine("retn"); //dll path fasm.AddLine("szDllPath db \'{0}\',0", szDllPath); fasm.Inject(lpAsmStub); } catch { MemoryHelper.FreeMemory(hProcess, lpAsmStub); ThreadHelper.ResumeThread(hThread); return(RETURN_ERROR); } ctx.ContextFlags = CONTEXT_FLAGS.CONTEXT_CONTROL; ctx.Eip = lpAsmStub + 4; //skip over lpExitCode data if (ThreadHelper.SetThreadContext(hThread, ctx)) { if (ThreadHelper.ResumeThread(hThread) != uint.MaxValue) { for (int i = 0; i < 400; i++) { System.Threading.Thread.Sleep(5); if ((dwBaseAddress = MemoryHelper.ReadUInt(hProcess, lpAsmStub)) != INITIAL_EXIT_CODE) { break; } } } } } } if (fasm != null) { fasm.Dispose(); fasm = null; } MemoryHelper.FreeMemory(hProcess, lpAsmStub); return(dwBaseAddress); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteUShort(uint dwAddress, ushort Value) { return(MemoryHelper.WriteUShort(this.mProcess, dwAddress, Value)); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteInt(uint dwAddress, int Value) { return(MemoryHelper.WriteInt(this.mProcess, dwAddress, Value)); }
/// <summary> /// Allocates memory inside the opened process. /// </summary> /// <param name="nSize">Number of bytes to allocate.</param> /// <param name="dwAllocationType">Type of memory allocation. See <see cref="MemoryAllocType"/>.</param> /// <param name="dwProtect">Type of memory protection. See <see cref="MemoryProtectType"/></param> /// <returns>Returns NULL on failure, or the base address of the allocated memory on success.</returns> public uint AllocateMemory(int nSize, uint dwAllocationType, uint dwProtect) { return(MemoryHelper.AllocateMemory(mProcess, nSize, dwAllocationType, dwProtect)); }
/// <summary> /// Frees an allocated block of memory in the opened process. /// </summary> /// <param name="dwAddress">Base address of the block of memory to be freed.</param> /// <param name="nSize">Number of bytes to be freed. This must be zero (0) if using <see cref="MemoryFreeType.MEM_RELEASE"/>.</param> /// <param name="dwFreeType">Type of free operation to use. See <see cref="MemoryFreeType"/>.</param> /// <returns>Returns true on success, false on failure.</returns> public bool FreeMemory(uint dwAddress, int nSize, uint dwFreeType) { return(MemoryHelper.FreeMemory(mProcess, dwAddress, nSize, dwFreeType)); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteSByte(uint dwAddress, sbyte Value) { return(MemoryHelper.WriteSByte(this.mProcess, dwAddress, Value)); }
/// <summary> /// Reads a value from memory. /// </summary> /// <param name="dwAddress">Address at which value will be read.</param> /// <param name="nLength">Maximum number of characters to be read.</param> /// <exception cref="Exception">Throws general exception on failure.</exception> /// <returns>Returns the value that was read from memory.</returns> public string ReadUnicodeString(uint dwAddress, int nLength) { return(MemoryHelper.ReadUnicodeString(this.mProcess, dwAddress, nLength)); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteUnicodeString(uint dwAddress, string Value) { return(MemoryHelper.WriteUnicodeString(this.mProcess, dwAddress, Value)); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteObject(uint dwAddress, object Value) { return(MemoryHelper.WriteObject(this.mProcess, dwAddress, Value, Value.GetType())); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteDouble(uint dwAddress, double Value) { return(MemoryHelper.WriteDouble(this.mProcess, dwAddress, Value)); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <param name="nSize">Number of bytes to be written.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteBytes(uint dwAddress, byte[] Value, int nSize) { return(MemoryHelper.WriteBytes(this.mProcess, dwAddress, Value, nSize)); }
/// <summary> /// Writes a value to another process' memory. /// </summary> /// <param name="dwAddress">Address at which value will be written.</param> /// <param name="Value">Value that will be written to memory.</param> /// <returns>Returns true on success, false on failure.</returns> public bool WriteUInt64(uint dwAddress, UInt64 Value) { return(MemoryHelper.WriteUInt64(this.mProcess, dwAddress, Value)); }