예제 #1
0
        public IMemoryModule LoadLibrary(string pathToDll, bool resolveReferences = true)
        {
            byte[] loadLibraryOpcodes = LoadLibraryPayload(pathToDll);

            IMemoryAddress allocatedMemory = AllocateManagedMemory(loadLibraryOpcodes.Length);

            if (Kernel32.WriteProcessMemory(NativeProcess.Handle, allocatedMemory.Address, loadLibraryOpcodes, loadLibraryOpcodes.Length, out IntPtr _))
            {
                IMemoryModule  kernel32Module = Modules["kernel32.dll"];
                IMemoryAddress loadLibraryAddress;
                if (resolveReferences)
                {
                    loadLibraryAddress = kernel32Module.GetProcAddress("LoadLibraryW");
                }
                else
                {
                    loadLibraryAddress = kernel32Module.GetProcAddress("LoadLibraryExW");
                }

                if (loadLibraryAddress == null)
                {
                    throw new Win32Exception($"Couldn't get proc address, error code: {Marshal.GetLastWin32Error()}.");
                }

                if (CreateRemoteThread(loadLibraryAddress, allocatedMemory) == IntPtr.Zero)
                {
                    throw new Win32Exception($"Couldn't create a remote thread, error code: {Marshal.GetLastWin32Error()}.");
                }
            }

            RefreshModules();

            return(Modules[Path.GetFileName(pathToDll).ToLower()]);
        }
예제 #2
0
        protected override Delegate ToCallDelegate()
        {
            GameSharpProcess process              = GameSharpProcess.Instance;
            IMemoryModule    kernel32             = process.Modules["kernel32.dll"];
            IMemoryAddress   IsDebuggerPresentPtr = kernel32.GetProcAddress("IsDebuggerPresent");

            return(IsDebuggerPresentPtr.ToDelegate <IsDebuggerPresentDelegate>());
        }
예제 #3
0
        protected override Delegate ToCallDelegate()
        {
            GameSharpProcess process = GameSharpProcess.Instance;

            IMemoryModule ntdll = process.Modules["ntdll.dll"];

            IMemoryAddress ntQueryInformationProcessPtr = ntdll.GetProcAddress("NtQueryInformationProcess");

            return(ntQueryInformationProcessPtr.ToDelegate <NtQueryInformationProcessDelegate>());
        }
예제 #4
0
        protected override Delegate ToCallDelegate()
        {
            GameSharpProcess process = GameSharpProcess.Instance;

            IMemoryModule user32dll = process.Modules["user32.dll"];

            IMemoryAddress messageBoxWPtr = user32dll.GetProcAddress("MessageBoxW");

            return(messageBoxWPtr.ToDelegate <MessageBoxWDelegate>());
        }
예제 #5
0
        private void ValidateDbgBreakPoint()
        {
            IMemoryModule ntdll = Process.Modules["ntdll.dll"];

            IMemoryAddress dbgBreakPointPtr = ntdll.GetProcAddress("DbgBreakPoint");

            byte dbgBreakPointByte = dbgBreakPointPtr.Read <byte>();

            if (dbgBreakPointByte == 0xC3)
            {
                MemoryPatches.Add(new MemoryPatch(dbgBreakPointPtr, new byte[] { 0xCC }));
            }
        }
예제 #6
0
        public void InsertMemoryModule <T>(IMemoryModule <T> module) where T : class
        {
            var type =
                typeof(T);

            if (memorymodules.ContainsKey(type))
            {
                refcounts[type]++;
            }
            else
            {
                refcounts.Add(type, 1);
                memorymodules.Add(type, module);
            }
        }
예제 #7
0
 /// <summary>
 ///     Initializes a new instance of the <see cref="MemoryScanner" /> class.
 /// </summary>
 /// <param name="module"><see cref="ProcessModule"/> which we are going to scan.</param>
 public MemoryScanner(IMemoryModule module)
 {
     ModuleBase = module.MemoryAddress;
     Bytes      = ModuleBase.Read(module.ModuleMemorySize);
 }