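/// <summary>
/// Loads <paramref name="dllPath"/> into the process with id <paramref name="id"/>: the path is
/// written into that process as a NUL-terminated UTF-16 string and LoadLibraryW is run there on
/// a new thread via <c>Utils.RunThread</c>.
/// </summary>
/// <param name="dllPath">Path handed verbatim to LoadLibraryW in the remote process, which then
/// runs that file's entry point; it is part of this method's contract that the caller only passes
/// a path it trusts.</param>
/// <param name="id">Process id to open.</param>
/// <returns>
/// The module handle reported by the remote LoadLibraryW, or <see cref="IntPtr.Zero"/> on any
/// failure; the failure message is appended to <c>logBox</c>.
/// </returns>
private IntPtr LoadDll(string dllPath, int id)
{
    try
    {
        IntPtr hProcess = PInvoke.OpenProcess(ExtendedTypes.ProcessAccessFlags.All, false, id);
        if (hProcess == IntPtr.Zero)
        {
            // Without this check a failed OpenProcess only surfaced later as a misleading
            // "failed to allocate memory" error from CreateRemotePointer.
            throw new InvalidOperationException("Unable to open process " + id);
        }

        // Owning the raw handle through a SafeHandle guarantees CloseHandle on every exit path;
        // the process handle was previously never released.
        using (var processHandle = new Microsoft.Win32.SafeHandles.SafeProcessHandle(hProcess, true))
        {
            IntPtr fnLoadLibraryW = PInvoke.GetProcAddress(PInvoke.GetModuleHandleA("kernel32.dll"), "LoadLibraryW");
            if (fnLoadLibraryW == IntPtr.Zero)
            {
                throw new InvalidOperationException("Unable to locate the LoadLibraryW entry point");
            }

            // Create a wchar_t * in the remote process which points to the unicode version of the dll path.
            // 0x04 is the page protection forwarded to VirtualAllocEx by CreateRemotePointer.
            IntPtr pLib = Utils.CreateRemotePointer(hProcess, Encoding.Unicode.GetBytes(dllPath + "\0"), 0x04);
            if (pLib == IntPtr.Zero)
            {
                throw new InvalidOperationException("Failed to allocate memory in the remote process");
            }

            try
            {
                // Call LoadLibraryW in the remote process by using CreateRemoteThread.
                // RunThread returns a uint (presumably the thread exit code with 10000 as a timeout);
                // if so, only the low 32 bits of the HMODULE survive on 64-bit targets — confirm
                // before relying on the returned handle for anything beyond a non-zero check.
                uint hMod = Utils.RunThread(hProcess, fnLoadLibraryW, pLib, 10000);
                if (hMod == uint.MaxValue)
                {
                    throw new InvalidOperationException("Error occurred when calling function in the remote process");
                }
                if (hMod == 0)
                {
                    throw new InvalidOperationException("Failed to load module into remote process. Error code: " + Utils.GetLastErrorEx(hProcess).ToString());
                }
                return new IntPtr(hMod);
            }
            finally
            {
                // Cleanup in all cases: 0x8000 = MEM_RELEASE, which requires a size of 0.
                PInvoke.VirtualFreeEx(hProcess, pLib, 0, 0x8000);
            }
        }
    }
    catch (Exception e)
    {
        logBox.AppendText("\n" + e.Message);
        return IntPtr.Zero;
    }
}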
/// <summary>
/// Reserves and commits a region in <paramref name="hProcess"/> large enough for
/// <paramref name="pData"/> and copies the bytes into it.
/// </summary>
/// <param name="hProcess">Handle to the target process; <see cref="IntPtr.Zero"/> is rejected.</param>
/// <param name="pData">Bytes to copy; <c>null</c> is rejected.</param>
/// <param name="flProtect">Page protection forwarded unchanged to VirtualAllocEx.</param>
/// <returns>
/// Remote address of the copy, or <see cref="IntPtr.Zero"/> when an argument is invalid, the
/// allocation fails, or the write is short or fails (in which case the region is released again
/// so a half-written buffer is never handed back).
/// </returns>
public static IntPtr CreateRemotePointer(IntPtr hProcess, byte[] pData, int flProtect)
{
    // 0x3000 = MEM_COMMIT | MEM_RESERVE and 0x8000 = MEM_RELEASE; same values as before, named.
    const int MemCommitReserve = 12288;
    const int MemRelease = 32768;

    if (pData == null || hProcess == IntPtr.Zero)
    {
        return IntPtr.Zero;
    }

    IntPtr remoteAddress = PInvoke.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)pData.Length, MemCommitReserve, flProtect);
    if (remoteAddress == IntPtr.Zero)
    {
        return IntPtr.Zero;
    }

    bool copied = PInvoke.WriteProcessMemory(hProcess, remoteAddress, pData, pData.Length, out uint bytesWritten)
        && bytesWritten == pData.Length;
    if (copied)
    {
        return remoteAddress;
    }

    // Failed or partial write: give the region back rather than returning a bad pointer.
    PInvoke.VirtualFreeEx(hProcess, remoteAddress, 0, MemRelease);
    return IntPtr.Zero;
}