private Process _process; /* Process to DLL Inject into. */
/// <summary>
/// Initializes the DLL Injector.
/// </summary>
/// <param name="process">The process to inject DLLs into.</param>
public Injector(Process process)
{
Safety.WaitForModuleInitialization(process);
// Initiate target process.
_process = process;
_circularBuffer = new CircularBuffer(4096, new ExternalMemory(process));
_shellCode = new Shellcode(process);
}
private long _getProcAddressReturnValuePtr; /* Address of GetProcAddress' return value. */
/// <summary>
/// Builds the shellcode necessary to successfully call LoadLibraryW and GetProcAddress
/// inside the address space of another executable.
/// </summary>
/// <param name="targetProcess">Process inside which to execute.</param>
public Shellcode(Process targetProcess)
{
Safety.WaitForModuleInitialization(targetProcess);
_privateBuffer = new MemoryBufferHelper(targetProcess).CreatePrivateMemoryBuffer(4096);
_assembler = new Assembler.Assembler();
_memory = new ExternalMemory(targetProcess);
_circularBuffer = new CircularBuffer(4096, _memory);
_targetProcess = targetProcess;
// Get arch of target process.
PeFile targetPeFile = new PeFile(targetProcess.Modules[0].FileName);
_machineType = (MachineType)targetPeFile.ImageNtHeaders.FileHeader.Machine;
// Get Kernel32 load address in target.
Module kernel32Module = GetKernel32InRemoteProcess(targetProcess);
Kernel32Handle = (long)kernel32Module.BaseAddress;
// We need to change the module path if 32bit process; because the given path is not true,
// it is being actively redirected by Windows on Windows 64 (WoW64)
if (_machineType == MachineType.I386)
{
StringBuilder builder = new StringBuilder(256);
GetSystemWow64Directory(builder, (uint)builder.Capacity);
kernel32Module.ModulePath = builder.ToString() + "\\" + Path.GetFileName(kernel32Module.ModulePath);
}
// Parse Kernel32 loaded by target and get address of LoadLibrary & GetProcAddress.
PeFile kernel32PeFile = new PeFile(kernel32Module.ModulePath);
var exportedFunctions = kernel32PeFile.ExportedFunctions;
_loadLibraryWOffset = GetExportedFunctionOffset(exportedFunctions, "LoadLibraryW");
_getProcAddressOffset = GetExportedFunctionOffset(exportedFunctions, "GetProcAddress");
if (_loadLibraryWOffset == 0 || _getProcAddressOffset == 0)
{
throw new ShellCodeGeneratorException("Failed to find GetProcAddress or LoadLibraryW methods in target process' Kernel32.");
}
if (_machineType == MachineType.AMD64)
{
BuildLoadLibraryW64();
BuildGetProcAddress64();
}
else
{
BuildLoadLibraryW86();
BuildGetProcAddress86();
}
_assembler.Dispose();
_assembler = null;
}
/// <summary>
/// Retrieves the handle (memory address) of where the module with a specified name is loaded in the target process.
/// </summary>
/// <param name="moduleName">The name of the module (including extension).</param>
/// <returns>0 if the operation fails, else an address.</returns>
public IntPtr GetModuleHandleFromName(string moduleName)
{
foreach (var module in Safety.TryGetModules(_process))
{
if (Path.GetFileName(module.ModulePath) == moduleName)
{
return(module.BaseAddress);
}
}
return(IntPtr.Zero);
}
/* One off construction functions. */
private Module GetKernel32InRemoteProcess(Process process)
{
foreach (Module module in Safety.TryGetModules(process))
{
if (Path.GetFileName(module.ModulePath).Equals("KERNEL32.DLL", StringComparison.InvariantCultureIgnoreCase))
{
return(module);
}
}
throw new ShellCodeGeneratorException("Failed to find Kernel32 in target process' modules.");
}
/// <summary>
/// Retrieves the handle (memory address) of where the module with a specified file path is loaded in the target process.
/// </summary>
/// <param name="modulePath">The absolute path of the module (including extension).</param>
/// <returns>0 if the operation fails, else an address.</returns>
public IntPtr GetModuleHandleFromPath(string modulePath)
{
string fullPath = Path.GetFullPath(modulePath);
foreach (var module in Safety.TryGetModules(_process))
{
if (Path.GetFullPath(module.ModulePath) == fullPath)
{
return(module.BaseAddress);
}
}
return(IntPtr.Zero);
}