/// <summary>
/// Loads the native DLL at <paramref name="dllPath"/> into the process behind
/// <paramref name="processHandle"/>: the path is copied into the target's address space and a
/// remote thread is started at kernel32!LoadLibraryW with that buffer as its single argument.
/// </summary>
/// <param name="processHandle">Handle to the target process (the access rights it must carry are not visible in this block).</param>
/// <param name="dllPath">Path of the DLL to load; written to the target as UTF-16 with a trailing NUL.</param>
/// <returns>
/// <see langword="true"/> when the remote thread's exit code (the LoadLibraryW result) is non-zero;
/// <see langword="false"/> on any allocation, write or thread-creation failure, or when LoadLibraryW returned 0.
/// </returns>
internal static bool InjectUnmanagedInternal(void *processHandle, string dllPath) {
    void *pLoadLibrary;
    void *pDllPath;
    void *threadHandle;
    uint exitCode;

    // Resolve the address of LoadLibraryW in the target process.
    // NOTE(review): pLoadLibrary is never checked for null before being used as the thread start address below.
    pLoadLibrary = NativeModule.GetFunctionAddressInternal(processHandle, "kernel32.dll", "LoadLibraryW");
    // Length * 2 covers the UTF-16 code units, + 2 the terminating NUL.
    // NOTE(review): this buffer only ever holds a string; ExecuteRead grants more than the data needs —
    // a read-only protection would follow least privilege. Confirm MemoryProtection offers one before changing.
    pDllPath = NativeProcess.AllocMemoryInternal(processHandle, (uint)dllPath.Length * 2 + 2, MemoryProtection.ExecuteRead);
    try {
        if (pDllPath == null) {
            return(false);
        }
        if (!NativeProcess.WriteStringInternal(processHandle, pDllPath, dllPath, Encoding.Unicode)) {
            return(false);
        }
        threadHandle = CreateRemoteThread(processHandle, null, 0, pLoadLibrary, pDllPath, 0, null);
        if (threadHandle == null) {
            return(false);
        }
        // Block until the remote thread finishes.
        // NOTE(review): the results of WaitForSingleObject and GetExitCodeThread are discarded, so a failed wait
        // or query is indistinguishable from LoadLibraryW failing. No CloseHandle on threadHandle is visible in
        // this block either — confirm the handle is released elsewhere, otherwise it leaks per call.
        WaitForSingleObject(threadHandle, INFINITE);
        GetExitCodeThread(threadHandle, out exitCode);
        // A non-zero exit code is the module handle LoadLibraryW returned; zero means it failed.
        // The exit code is 32 bits wide, so on a 64-bit target only the low half of the handle is observed —
        // presumably acceptable, but a base address whose low 32 bits are zero would read as failure.
        return(exitCode != 0);
    } finally {
        // Runs on every path, including the early return when pDllPath == null;
        // assumes FreeMemoryInternal tolerates a null pointer — TODO confirm.
        NativeProcess.FreeMemoryInternal(processHandle, pDllPath);
    }
}
/// <summary>
/// Builds the CLR-bootstrap stub for the requested runtime version, patches it with the target-process
/// addresses it needs, and copies it into freshly allocated memory in the target.
/// </summary>
/// <param name="processHandle">Handle to the target process.</param>
/// <param name="clrVersion">Which runtime bootstrap entry point the stub is generated for (V2 uses CorBindToRuntimeEx, V4 uses CLRCreateInstance).</param>
/// <param name="assemblyPath">Assembly path baked into the stub by <c>GetMachineCodeTemplate</c>.</param>
/// <param name="typeName">Type name baked into the stub.</param>
/// <param name="methodName">Method name baked into the stub.</param>
/// <param name="argument">Optional string argument; its UTF-16 size (plus NUL) is added to the allocation.</param>
/// <returns>Address of the stub in the target process, or <see langword="null"/> on any failure.</returns>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="clrVersion"/> is neither V2 nor V4.</exception>
private static void *WriteMachineCode(void *processHandle, InjectionClrVersion clrVersion, string assemblyPath, string typeName, string methodName, string argument) {
    bool is64Bit;
    string clrVersionString;
    byte[] machineCode;
    void * pEnvironment;
    void * pCorBindToRuntimeEx;
    void * pCLRCreateInstance;

    if (!NativeProcess.Is64BitProcessInternal(processHandle, out is64Bit)) {
        return(null);
    }
    // Map the enum to the version string the template expects (CLR_V2 / CLR_V4 are defined outside this block).
    clrVersionString = clrVersion switch {
        InjectionClrVersion.V2 => CLR_V2,
        InjectionClrVersion.V4 => CLR_V4,
        _ => throw new ArgumentOutOfRangeException(nameof(clrVersion)),
    };
    machineCode = GetMachineCodeTemplate(clrVersionString, assemblyPath, typeName, methodName, argument);
    // 0x1000 bytes for the stub itself plus room for the UTF-16 argument and its NUL.
    // NOTE(review): the region is ExecuteReadWrite for its whole lifetime; whether the stub needs RW after
    // the copy is not visible here — a tighter protection once written would be the least-privilege choice.
    pEnvironment = NativeProcess.AllocMemoryInternal(processHandle, 0x1000 + (argument is null ? 0 : (uint)argument.Length * 2 + 2), MemoryProtection.ExecuteReadWrite);
    if (pEnvironment == null) {
        return(null);
    }
    try {
        // The `fixed` statement's body is the whole switch (no braces).
        // NOTE(review): the `return(null)` exits inside this try (missing bootstrap export, failed WriteBytesInternal)
        // bypass the catch, so pEnvironment is not freed on those paths — only the exception path releases it.
        fixed(byte *p = machineCode)
        switch (clrVersion) {
        case InjectionClrVersion.V2:
            pCorBindToRuntimeEx = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CorBindToRuntimeEx");
            if (pCorBindToRuntimeEx == null) {
                return(null);
            }
            // Patch the template in place with the stub's own base and the bootstrap export, per bitness.
            if (is64Bit) {
                WriteMachineCode64v2(p, (ulong)pEnvironment, (ulong)pCorBindToRuntimeEx);
            } else {
                WriteMachineCode32v2(p, (uint)pEnvironment, (uint)pCorBindToRuntimeEx);
            }
            break;
        case InjectionClrVersion.V4:
            pCLRCreateInstance = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CLRCreateInstance");
            if (pCLRCreateInstance == null) {
                return(null);
            }
            if (is64Bit) {
                WriteMachineCode64v4(p, (ulong)pEnvironment, (ulong)pCLRCreateInstance);
            } else {
                WriteMachineCode32v4(p, (uint)pEnvironment, (uint)pCLRCreateInstance);
            }
            break;
        }
        if (!NativeProcess.WriteBytesInternal(processHandle, pEnvironment, machineCode)) {
            return(null);
        }
    } catch {
        // NOTE(review): the exception is swallowed without being logged, so the cause of a failure is lost.
        NativeProcess.FreeMemoryInternal(processHandle, pEnvironment);
        return(null);
    }
    return(pEnvironment);
}
/// <summary>
/// <see cref="IntPtr"/>/string-keyed variant of the stub writer: builds the CLR-bootstrap stub for the runtime
/// named by <paramref name="clrVersion"/>, patches it with target-process addresses, and copies it into
/// freshly allocated memory in the target.
/// </summary>
/// <param name="processHandle">Handle to the target process.</param>
/// <param name="clrVersion">Runtime version string; only "v2.0.50727" (CorBindToRuntimeEx) and "v4.0.30319" (CLRCreateInstance) are handled.</param>
/// <param name="assemblyPath">Assembly path baked into the stub by <c>GetMachineCodeTemplate</c>.</param>
/// <param name="typeName">Type name baked into the stub.</param>
/// <param name="methodName">Method name baked into the stub.</param>
/// <param name="argument">Optional string argument; its UTF-16 size (plus NUL) is added to the allocation.</param>
/// <returns>Address of the stub in the target process, or <see cref="IntPtr.Zero"/> on any failure or an unknown version string.</returns>
// NOTE(review): this is a near-duplicate of the enum-based WriteMachineCode overload (different pointer type,
// Set*/Write* helper names, and a default case instead of an exception); keeping one and delegating to it
// would avoid the two drifting apart.
private static IntPtr WriteMachineCode(IntPtr processHandle, string clrVersion, string assemblyPath, string typeName, string methodName, string argument) {
    bool is64Bit;
    byte[] machineCode;
    IntPtr pEnvironment;
    IntPtr pCorBindToRuntimeEx;
    IntPtr pCLRCreateInstance;

    if (!NativeProcess.Is64BitProcessInternal(processHandle, out is64Bit)) {
        return(IntPtr.Zero);
    }
    machineCode = GetMachineCodeTemplate(clrVersion, assemblyPath, typeName, methodName, argument);
    // 0x1000 bytes for the stub itself plus room for the UTF-16 argument and its NUL.
    // NOTE(review): the region stays ExecuteReadWrite for its whole lifetime; a tighter protection once the
    // stub has been written would be the least-privilege choice, if the stub does not write to itself — TODO confirm.
    pEnvironment = NativeProcess.AllocMemoryInternal(processHandle, 0x1000 + (argument == null ? 0 : (uint)argument.Length * 2 + 2), MemoryProtection.ExecuteReadWrite);
    if (pEnvironment == IntPtr.Zero) {
        return(IntPtr.Zero);
    }
    try {
        // NOTE(review): every `return(IntPtr.Zero)` inside this try (unknown version, missing bootstrap export,
        // failed WriteBytesInternal) bypasses the catch, so pEnvironment is not freed on those paths.
        fixed(byte *p = machineCode) {
            switch (clrVersion) {
            case "v2.0.50727":
                pCorBindToRuntimeEx = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CorBindToRuntimeEx");
                if (pCorBindToRuntimeEx == IntPtr.Zero) {
                    return(IntPtr.Zero);
                }
                // Patch the template in place with the stub's own base and the bootstrap export, per bitness.
                if (is64Bit) {
                    SetMachineCode64v2(p, (ulong)pEnvironment, (ulong)pCorBindToRuntimeEx);
                } else {
                    SetMachineCode32v2(p, (uint)pEnvironment, (uint)pCorBindToRuntimeEx);
                }
                break;
            case "v4.0.30319":
                pCLRCreateInstance = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CLRCreateInstance");
                if (pCLRCreateInstance == IntPtr.Zero) {
                    return(IntPtr.Zero);
                }
                if (is64Bit) {
                    SetMachineCode64v4(p, (ulong)pEnvironment, (ulong)pCLRCreateInstance);
                } else {
                    SetMachineCode32v4(p, (uint)pEnvironment, (uint)pCLRCreateInstance);
                }
                break;
            default:
                // Unknown version string: nothing is written, the caller gets IntPtr.Zero.
                return(IntPtr.Zero);
            }
        }
        if (!NativeProcess.WriteBytesInternal(processHandle, pEnvironment, machineCode)) {
            return(IntPtr.Zero);
        }
    } catch {
        // NOTE(review): the exception is swallowed without being logged, so the cause of a failure is lost.
        NativeProcess.FreeMemoryInternal(processHandle, pEnvironment);
        return(IntPtr.Zero);
    }
    return(pEnvironment);
}