const string TargetProcessName = "warmode"; // WARMODE: http://store.steampowered.com/app/391460/ #endregion Fields #region Methods static void AttachToMainThread(RemoteFunction mono_get_root_domain, RemoteFunction mono_thread_attach) { Console.ForegroundColor = ConsoleColor.Cyan; Console.Write("Attaching to/Entering the primary/main mono thread/context... "); IntPtr mono_get_root_domain_result = mono_get_root_domain.Execute(CallingConventions.Cdecl); // Returns MonoDomain. IntPtr mono_thread_attach_result = mono_thread_attach.Execute(CallingConventions.Cdecl, mono_get_root_domain_result); // Returns MonoThread. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("success."); Console.ForegroundColor = ConsoleColor.White; Console.WriteLine("{0} returned {1} (0x{2})", mono_get_root_domain.Name, mono_get_root_domain_result, mono_get_root_domain_result.ToString("X2")); Console.WriteLine("{0} returned {1} (0x{2})", mono_thread_attach.Name, mono_thread_attach_result, mono_thread_attach_result.ToString("X2")); }
/// <summary> /// Finds the specified function in the remote module. /// </summary> /// <param name="functionName">The name of the function (case sensitive).</param> /// <returns>A new instance of a <see cref="RemoteFunction" /> class.</returns> /// <remarks> /// Interesting article on how DLL loading works: http://msdn.microsoft.com/en-us/magazine/bb985014.aspx /// </remarks> public RemoteFunction FindFunction(string functionName) { // Create the tuple var tuple = Tuple.Create(functionName, MemorySharp.Handle); // Check if the function is already cached if (CachedFunctions.ContainsKey(tuple)) { return(CachedFunctions[tuple]); } // If the function is not cached // Check if the local process has this module loaded var localModule = Process.GetCurrentProcess() .Modules.Cast <ProcessModule>() .FirstOrDefault(m => string.Equals(m.FileName, Path, StringComparison.CurrentCultureIgnoreCase)); var isManuallyLoaded = false; try { // If this is not the case, load the module inside the local process if (localModule == null) { isManuallyLoaded = true; localModule = ModuleCore.LoadLibrary(Native.FileName); } // Get the offset of the function var offset = ModuleCore.GetProcAddress(localModule, functionName).ToInt64() - localModule.BaseAddress.ToInt64(); // Rebase the function with the remote module var function = new RemoteFunction(MemorySharp, new IntPtr(Native.BaseAddress.ToInt64() + offset), functionName); // Store the function in the cache CachedFunctions.Add(tuple, function); // Return the function rebased with the remote module return(function); } finally { // Free the module if it was manually loaded if (isManuallyLoaded) { ModuleCore.FreeLibrary(localModule); } } }
//const string WebMonoDll = "mono-1-vc.dll"; static void GetMonoRemoteFunctions(MemorySharp memorySharp, out RemoteFunction mono_get_root_domain, out RemoteFunction mono_thread_attach, out RemoteFunction mono_security_set_mode, out RemoteFunction mono_domain_get, out RemoteFunction mono_domain_assembly_open, out RemoteFunction mono_assembly_get_image, out RemoteFunction mono_class_from_name, out RemoteFunction mono_class_get_method_from_name, out RemoteFunction mono_runtime_invoke) { Console.ForegroundColor = ConsoleColor.White; mono_get_root_domain = memorySharp[DesktopMonoDll].FindFunction("mono_get_root_domain"); // Returns MonoDomain. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_get_root_domain.Name, mono_get_root_domain.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_thread_attach = memorySharp[DesktopMonoDll].FindFunction("mono_thread_attach"); // Returns MonoThread. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_thread_attach.Name, mono_thread_attach.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_security_set_mode = memorySharp[DesktopMonoDll].FindFunction("mono_security_set_mode"); // Returns void. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_security_set_mode.Name, mono_security_set_mode.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_domain_get = memorySharp[DesktopMonoDll].FindFunction("mono_domain_get"); // Returns MonoDomain. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_domain_get.Name, mono_domain_get.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_domain_assembly_open = memorySharp[DesktopMonoDll].FindFunction("mono_domain_assembly_open"); // Returns MonoAssembly. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_domain_assembly_open.Name, mono_domain_assembly_open.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_assembly_get_image = memorySharp[DesktopMonoDll].FindFunction("mono_assembly_get_image"); // Returns MonoImage. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_assembly_get_image.Name, mono_assembly_get_image.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_class_from_name = memorySharp[DesktopMonoDll].FindFunction("mono_class_from_name"); // Returns MonoClass. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_class_from_name.Name, mono_class_from_name.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_class_get_method_from_name = memorySharp[DesktopMonoDll].FindFunction("mono_class_get_method_from_name"); // Returns MonoMethod. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_class_get_method_from_name.Name, mono_class_get_method_from_name.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; mono_runtime_invoke = memorySharp[DesktopMonoDll].FindFunction("mono_runtime_invoke"); // Returns MonoObject. Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_runtime_invoke.Name, mono_runtime_invoke.BaseAddress.ToString("X2")); Console.ForegroundColor = ConsoleColor.White; }
/// <summary> /// Finds the specified function in the remote module. /// </summary> /// <param name="functionName">The name of the function (case sensitive).</param> /// <returns>A new instance of a <see cref="RemoteFunction"/> class.</returns> /// <remarks> /// Interesting article on how DLL loading works: http://msdn.microsoft.com/en-us/magazine/bb985014.aspx /// </remarks> public RemoteFunction FindFunction(string functionName) { // Create the tuple var tuple = Tuple.Create(functionName, MemorySharp.Handle); // Check if the function is already cached if (CachedFunctions.ContainsKey(tuple)) return CachedFunctions[tuple]; // If the function is not cached // Check if the local process has this module loaded var localModule = Process.GetCurrentProcess().Modules.Cast<ProcessModule>().FirstOrDefault(m => m.FileName.ToLower() == Path.ToLower()); var isManuallyLoaded = false; try { // If this is not the case, load the module inside the local process if (localModule == null) { isManuallyLoaded = true; localModule = ModuleCore.LoadLibrary(Native.FileName); } // Get the offset of the function var offset = ModuleCore.GetProcAddress(localModule, functionName).ToInt64() - localModule.BaseAddress.ToInt64(); // Rebase the function with the remote module var function = new RemoteFunction(MemorySharp, new IntPtr(Native.BaseAddress.ToInt64() + offset), functionName); // Store the function in the cache CachedFunctions.Add(tuple, function); // Return the function rebased with the remote module return function; } finally { // Free the module if it was manually loaded if(isManuallyLoaded) ModuleCore.FreeLibrary(localModule); } }