/// <summary>
/// Asks the target process to unload a module by running kernel32!FreeLibrary on a remote
/// thread, with <paramref name="libAddress"/> as the thread parameter (i.e. the HMODULE to free).
/// The address of FreeLibrary is computed from the target's own kernel32 base plus the export RVA,
/// so the result is tied to the module layout of <paramref name="processid"/>, not of this process.
/// </summary>
/// <param name="processid">PID of the target process (passed to OpenProcess; cast to int for GetModuleInfos).</param>
/// <param name="libAddress">Module handle inside the target process, passed unchanged as the remote thread's argument.</param>
/// <param name="error">Empty string on success, otherwise a short description of the failing step.</param>
/// <returns>true when the remote thread was created and WaitForSingleObject returned WAIT_OBJECT_0 (0); false otherwise.</returns>
/// <remarks>
/// NOTE(review): the thread handle returned by CreateRemoteThread is never closed, and on the success
/// path the process handle is not closed either (every failure path after OpenProcess does close it).
/// Both are handle leaks in the calling process.
/// </remarks>
public static bool FreeLibraryInternal(uint processid, IntPtr libAddress, out string error)
{
    ModuleInfo targetkernel = null;
    ModuleInfo[] modules = GetModuleInfos((int)processid);
    if (modules != null && modules.Length > 0)
    {
        // First module whose base name contains "kernel32" wins. This is a substring match on a
        // culture-sensitive ToLower(); it does not insist on the exact name "kernel32.dll".
        for (int i = 0; i < modules.Length; i++)
        {
            if (modules[i].baseName.ToLower().Contains("kernel32"))
            {
                targetkernel = modules[i];
                break;
            }
        }
    }
    if (targetkernel == null || targetkernel.baseOfDll == IntPtr.Zero)
    {
        error = "Failed to get base of kernel32!";
        return(false);
    }
    IntPtr hprocess = IntPtr.Zero;
    // Rights requested cover memory read/write and thread creation, more than this routine needs
    // (it only creates a thread); the same mask is used by InjectLibraryInternal.
    hprocess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD, 0, processid);
    if (hprocess == IntPtr.Zero)
    {
        error = "Can't open selected process!";
        return(false);
    }
    else
    {
        // presumably returns the RVA of the named export and 0 when it is not found — confirm in ExportTable
        int FreeLibraryrva = ExportTable.ProcGetExpAddress (hprocess, targetkernel.baseOfDll, "FreeLibrary");
        if (FreeLibraryrva == 0)
        {
            CloseHandle(hprocess);
            error = "Failed to get address of FreeLibrary!";
            return(false);
        }
        else
        {
            // Absolute address of FreeLibrary in the target: remote kernel32 base + export RVA.
            IntPtr FreeLibAddress = (IntPtr)((long)targetkernel.baseOfDll + (long)FreeLibraryrva);
            // Run FreeLibrary(libAddress) on a new thread inside the target process.
            IntPtr hThread = CreateRemoteThread(hprocess, IntPtr.Zero, 0, FreeLibAddress, libAddress, 0, IntPtr.Zero);
            if (hThread == IntPtr.Zero)
            {
                CloseHandle(hprocess);
                error = "Can't create the remote thread!";
                return(false);
            }
            else
            {
                // uint.MaxValue is INFINITE; anything other than WAIT_OBJECT_0 (0) is treated as failure.
                // The thread's exit code (FreeLibrary's BOOL result) is not inspected.
                if (WaitForSingleObject(hThread, uint.MaxValue) != 0)
                {
                    CloseHandle(hprocess);
                    error = "Error on WaitForSingleObject!";
                    return(false);
                }
                else
                {
                    // NOTE(review): neither hThread nor hprocess is closed here.
                    error = "";
                    return(true);
                }
            }
        }
    }
}
/// <summary>
/// Loads <paramref name="libFullPath"/> into the target process by writing the path into memory
/// allocated there and running kernel32!LoadLibraryA on a remote thread with that buffer as its
/// argument. This OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence is
/// the classic remote-thread DLL load, and it is the call pattern host monitoring typically reports.
/// </summary>
/// <param name="processid">PID of the target process (passed to OpenProcess; cast to int for GetModuleInfos).</param>
/// <param name="libFullPath">Path handed to LoadLibraryA in the target; it is written as an ANSI string.</param>
/// <param name="error">Empty string on success, otherwise a short description of the failing step
/// (including whatever PostVerify returns).</param>
/// <returns>The remote thread's exit code interpreted as the loaded module's handle, or IntPtr.Zero on any failure.</returns>
/// <remarks>
/// NOTE(review): the thread handle from CreateRemoteThread is never closed, and the unmanaged buffer
/// returned by Marshal.StringToHGlobalAnsi is never freed with Marshal.FreeHGlobal — both leak in
/// the calling process. The process handle and the remote buffer are released on every path.
/// </remarks>
public static IntPtr InjectLibraryInternal(uint processid, string libFullPath, out string error)
{
    // PostVerify is defined elsewhere; an empty string is taken to mean "no objection".
    error = PostVerify(processid, libFullPath);
    if (error != "")
    {
        return(IntPtr.Zero);
    }
    ModuleInfo targetkernel = null;
    ModuleInfo[] modules = GetModuleInfos((int)processid);
    if (modules != null && modules.Length > 0)
    {
        // First module whose base name contains "kernel32" wins (culture-sensitive ToLower(),
        // substring match rather than an exact "kernel32.dll" comparison).
        for (int i = 0; i < modules.Length; i++)
        {
            if (modules[i].baseName.ToLower().Contains("kernel32"))
            {
                targetkernel = modules[i];
                break;
            }
        }
    }
    // The remote base + export RVA computed below stands in for
    // GetProcAddress(GetModuleHandleW("kernel32.dll"),"LoadLibraryA") evaluated in the target.
    if (targetkernel == null || targetkernel.baseOfDll == IntPtr.Zero)
    {
        error = "Failed to get base of kernel32!";
        return(IntPtr.Zero);
    }
    IntPtr hprocess = IntPtr.Zero;
    // Same access mask as FreeLibraryInternal: memory read/write plus thread creation.
    hprocess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD, 0, processid);
    if (hprocess == IntPtr.Zero)
    {
        error = "Can't open selected process!";
        return(IntPtr.Zero);
    }
    else
    {
        // presumably returns the RVA of the named export and 0 when it is not found — confirm in ExportTable
        int LoadLibraryArva = ExportTable.ProcGetExpAddress (hprocess, targetkernel.baseOfDll, "LoadLibraryA");
        if (LoadLibraryArva == 0)
        {
            CloseHandle(hprocess);
            error = "Failed to get address of LoadLibraryA!";
            return(IntPtr.Zero);
        }
        // Absolute address of LoadLibraryA in the target: remote kernel32 base + export RVA.
        IntPtr loadlibraryAddress = (IntPtr)((long)targetkernel.baseOfDll + (long)LoadLibraryArva);
        // Byte length of the path plus one for the terminator. NOTE(review): this count uses
        // Encoding.ASCII, while the buffer written below comes from StringToHGlobalAnsi (system ANSI
        // code page); the two only agree for pure-ASCII paths.
        uint sizeAscii = (uint)Encoding.ASCII.GetByteCount(libFullPath) + 1;
        // Allocate sizeAscii bytes of read/write memory in the target for the path string.
        IntPtr pLibPath = VirtualAllocEx(hprocess, IntPtr.Zero, sizeAscii, AllocationType.Commit, MemoryProtection.ReadWrite);
        if (pLibPath == IntPtr.Zero)
        {
            CloseHandle(hprocess);
            error = "Can't alocate memory on process!";
            return(IntPtr.Zero);
        }
        else
        {
            int bytesWritten = 0;
            // Write the path bytes (without the terminator) to pLibPath and require a full write.
            // The final zero byte is left to the freshly committed, zero-filled allocation — presumably
            // intentional. The StringToHGlobalAnsi buffer is not freed (see remarks).
            if (!WriteProcessMemory(hprocess, pLibPath, Marshal.StringToHGlobalAnsi(libFullPath), sizeAscii - 1, ref bytesWritten) || bytesWritten != (int)sizeAscii - 1)
            {
                VirtualFreeEx(hprocess, pLibPath, 0, FreeType.Release);
                CloseHandle(hprocess);
                error = "Can't write libname on process!";
                return(IntPtr.Zero);
            }
            else
            {
                // Run LoadLibraryA(pLibPath) on a new thread inside the target process.
                IntPtr hThread = CreateRemoteThread(hprocess, IntPtr.Zero, 0, loadlibraryAddress, pLibPath, 0, IntPtr.Zero);
                if (hThread == IntPtr.Zero)
                {
                    VirtualFreeEx(hprocess, pLibPath, 0, FreeType.Release);
                    CloseHandle(hprocess);
                    error = "Can't create the remote thread!";
                    return(IntPtr.Zero);
                }
                else
                {
                    // uint.MaxValue is INFINITE; anything other than WAIT_OBJECT_0 (0) is treated as failure.
                    if (WaitForSingleObject(hThread, uint.MaxValue) != 0)
                    {
                        VirtualFreeEx(hprocess, pLibPath, 0, FreeType.Release);
                        CloseHandle(hprocess);
                        error = "Error on WaitForSingleObject!";
                        return(IntPtr.Zero);
                    }
                    // The thread's exit code is LoadLibraryA's return value, read back as the module handle.
                    IntPtr hLibModule = IntPtr.Zero;
                    if (!GetExitCodeThread(hThread, out hLibModule))
                    {
                        VirtualFreeEx(hprocess, pLibPath, 0, FreeType.Release);
                        CloseHandle(hprocess);
                        error = "Error on GetExitCodeThread!";
                        return(IntPtr.Zero);
                    }
                    // A zero exit code means LoadLibraryA itself failed inside the target.
                    if (hLibModule == IntPtr.Zero)
                    {
                        VirtualFreeEx(hprocess, pLibPath, 0, FreeType.Release);
                        CloseHandle(hprocess);
                        error = "Code executed properly, but unable to get an appropriate module handle!";
                        return(IntPtr.Zero);
                    }
                    // Success: release the remote path buffer and the process handle (hThread stays open).
                    error = "";
                    VirtualFreeEx(hprocess, pLibPath, 0, FreeType.Release);
                    CloseHandle(hprocess);
                    return(hLibModule);
                }
            }
        }
    }
}