예제 #1
0
 private static extern bool VirtualFreeEx(SafeMemoryHandle hProcess, IntPtr lpAddress,
                                          UIntPtr dwSize, FreeType dwFreeType);
예제 #2
0
 private static extern IntPtr VirtualAllocEx(SafeMemoryHandle hProcess, IntPtr lpAddress,
                                             UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
예제 #3
0
        /// <summary>
        ///     Calls the specified export with the specified args.
        /// </summary>
        /// <typeparam name="T"></typeparam>
        /// <param name="exportName">Name of the export.</param>
        /// <param name="parameter">The argument.</param>
        /// <param name="callWithParameter">
        ///     if set to <c>true</c>, the specified export will be called with the specified
        ///     parameter.
        /// </param>
        /// <returns></returns>
        /// <exception cref="System.ArgumentNullException">exportName</exception>
        /// <exception cref="BlueRainException">
        ///     Couldn't resolve export named with name  + exportName +  in remotely injected
        ///     library.
        /// </exception>
        /// <exception cref="InjectionException">
        ///     WaitForSingleObject returned an unexpected value while waiting for the
        ///     remote thread to be created for export call.
        /// </exception>
        public IntPtr Call <T>(string exportName, T parameter, bool callWithParameter = false) where T : struct
        {
            // The idea behind this method's quite simple. We can only call an __stdcall export with one parameter,
            // any subsequent arguments would require injecting a stub to push the args to the stack.
            // We don't support that as of yet - we'll resort to allocating and calling the export with a single parameter for now.

            if (string.IsNullOrEmpty(exportName))
            {
                throw new ArgumentNullException(nameof(exportName));
            }

            var exportPtr = GetExportPointer(exportName);

            if (exportPtr == IntPtr.Zero)
            {
                throw new BlueRainException("Couldn't resolve export named with name " + exportName +
                                            " in remotely injected library.");
            }

            var kernel32Handle = UnsafeNativeMethods.GetModuleHandle(UnsafeNativeMethods.Kernel32);

            uint             exitCode;
            SafeMemoryHandle threadHandle = null;
            AllocatedMemory  alloc        = null;

            try
            {
                if (callWithParameter)
                {
                    var size = Marshal.SizeOf(parameter);
                    alloc = _memory.Allocate((UIntPtr)size);

                    alloc.Write(IntPtr.Zero, parameter);
                }

                threadHandle = UnsafeNativeMethods.CreateRemoteThread(kernel32Handle.DangerousGetHandle(), IntPtr.Zero, 0, exportPtr,
                                                                      alloc?.Address ?? IntPtr.Zero, 0x0, IntPtr.Zero);

                if (UnsafeNativeMethods.WaitForSingleObject(threadHandle.DangerousGetHandle(), uint.MaxValue) != 0x0)
                {
                    throw new InjectionException(
                              "WaitForSingleObject returned an unexpected value while waiting for the remote thread to be created for export call.");
                }

                UnsafeNativeMethods.GetExitCodeThread(threadHandle.DangerousGetHandle(), out exitCode);
            }
            finally
            {
                if (kernel32Handle != null && !kernel32Handle.IsClosed)
                {
                    kernel32Handle.Close();
                }

                if (threadHandle != null && !threadHandle.IsClosed)
                {
                    threadHandle.Close();
                }

                // Make sure we free the chunk for the args.
                alloc?.Dispose();
            }

            return((IntPtr)exitCode);
        }
예제 #4
0
 private static extern bool VirtualProtectEx(
     SafeMemoryHandle hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
예제 #5
0
 private static extern bool WriteProcessMemory(
     SafeMemoryHandle hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out int lpNumberOfBytesWritten);
예제 #6
0
 private static extern unsafe bool ReadProcessMemory(
     SafeMemoryHandle hProcess, IntPtr lpBaseAddress, byte *lpBuffer, int dwSize, out int lpNumberOfBytesRead);
예제 #7
0
 protected static extern uint SuspendThread(SafeMemoryHandle hThread);
예제 #8
0
        private InjectedModule InjectLibraryExternal(string libraryPath)
        {
            // Injecting remotely consists of a few steps:
            // 1. GetProcAddress on kernel32 to get a pointer to LoadLibraryW
            // 2. Allocate chunk of memory to write the path to our library to
            // 3. CreateRemoteThread that calls LoadLibraryW and pass it a pointer to our chunk
            // 4. Get thread's exit code
            // 5. ????
            // 6. Profit
            var memory = _memory as ExternalProcessMemory;

            // Realistically won't happen, but code analysis complains about it being null.
            if (memory == null)
            {
                throw new InvalidOperationException("A valid memory instance is required for InjectLibraryExternal!");
            }

            if (memory.ProcessHandle.IsInvalid)
            {
                throw new InvalidOperationException("Can not inject library with an invalid ProcessHandle in ExternalProcessMemory!");
            }

            var path            = Path.GetFullPath(libraryPath);
            var libraryFileName = Path.GetFileName(libraryPath);

            ProcessModule ourModule;

            SafeMemoryHandle threadHandle   = null;
            SafeMemoryHandle kernel32Handle = null;

            try
            {
                kernel32Handle = UnsafeNativeMethods.GetModuleHandle(UnsafeNativeMethods.Kernel32);

                var loadLibraryPtr =
                    UnsafeNativeMethods.GetProcAddress(kernel32Handle.DangerousGetHandle(), "LoadLibraryW");

                if (loadLibraryPtr == IntPtr.Zero)
                {
                    throw new InjectionException("Couldn't obtain handle to LoadLibraryW in remote process!");
                }

                var pathBytes = Encoding.Unicode.GetBytes(path);

                using (var alloc = memory.Allocate((UIntPtr)pathBytes.Length))
                {
                    alloc.WriteBytes(IntPtr.Zero, pathBytes);

                    threadHandle = UnsafeNativeMethods.CreateRemoteThread(memory.ProcessHandle.DangerousGetHandle(), IntPtr.Zero, 0x0,
                                                                          loadLibraryPtr, alloc.Address, 0, IntPtr.Zero);

                    if (threadHandle.IsInvalid)
                    {
                        throw new InjectionException(
                                  "Couldn't obtain a handle to the remotely created thread for module injection!");
                    }
                }

                // ThreadWaitValue.Infinite = 0xFFFFFFFF = uint.MaxValue - Object0 = 0x0
                if (UnsafeNativeMethods.WaitForSingleObject(threadHandle.DangerousGetHandle(), uint.MaxValue) != 0x0)
                {
                    throw new InjectionException(
                              "WaitForSingleObject returned an unexpected value while waiting for the remote thread to be created for module injection.");
                }

                uint exitCode;
                if (!UnsafeNativeMethods.GetExitCodeThread(threadHandle.DangerousGetHandle(), out exitCode))
                {
                    throw new InjectionException("Couldn't obtain exit code for LoadLibraryW thread in remote process!");
                }

                // Let's make sure our module is actually present in the remote process now (assuming it's doing nothing special to hide itself..)
                var moduleHandle = UnsafeNativeMethods.GetModuleHandle(libraryFileName);
                if (moduleHandle.IsInvalid)
                {
                    throw new InjectionException(
                              "Couldn't obtain module handle to remotely injected library after LoadLibraryW!");
                }

                ourModule = memory.Process.Modules.Cast <ProcessModule>()
                            .FirstOrDefault(m => m.BaseAddress == moduleHandle.DangerousGetHandle());
            }
            finally
            {
                if (threadHandle != null && !threadHandle.IsClosed)
                {
                    threadHandle.Close();
                }

                if (kernel32Handle != null && !kernel32Handle.IsClosed)
                {
                    kernel32Handle.Close();
                }
            }

            // We can safely do this - if something went wrong we wouldn't be here.
            var module = new InjectedModule(ourModule, _memory);

            _injectedModules.Add(path, module);
            return(module);
        }