public IntPtr Inject(Core targetProcess, string filePath)
{
InjectedModule = new Module(filePath);
targetProc = targetProcess;
if (targetProcess.Is64bit)
{
try
{
log.Log(LogType.Normal, "Starting injection of the module...");
LinkedModules = GetModules();
var remoteImage = MapImage(filePath, InjectedModule.DllBytes);
CallEntrypoint(InjectedModule.DllBytes, remoteImage);
return((IntPtr)remoteImage);
}
catch (Exception ex)
{
log.Log(ex, "Something went wrong...");
return(IntPtr.Zero);
}
}
else
{
log.Log(LogType.Error, "32-bit/x86 is NOT supported yet!");
return(IntPtr.Zero);
}
}
bool InjectDependency(string dependencyFileNamePath)
{
using (var depMod = new Module(dependencyFileNamePath))
{
var loadProc = targetProc.GetLoadLibraryPtr();
if (loadProc == IntPtr.Zero)
{
log.Log(LogType.Failure, "Failed to load and initiate LoadLibrary: {0}",
Marshal.GetLastWin32Error().ToString("X"));
return(false);
}
var allocated = targetProc.AllocateAndWriteBytes(depMod.DllBytes);
if (allocated == IntPtr.Zero)
{
log.Log(LogType.Failure, "Failed to allocate and/or write dependency bytes to memory: {0}",
Marshal.GetLastWin32Error().ToString("X"));
return(false);
}
var crt = targetProc.CreateThread(loadProc, allocated);
if (crt == IntPtr.Zero)
{
log.Log(LogType.Failure, "Failed to inject dependency - CreateRemoteThread was a failure: {0}",
Marshal.GetLastWin32Error().ToString("X"));
return(false);
}
log.Log(LogType.Success, "Dependency {0} injected, and loaded succesfully!",
Path.GetFileName(dependencyFileNamePath));
return(true);
}
}
public IntPtr Inject(Core targetProcess, string filePath)
{
//Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.QUA");
InjectedModule = new Module(filePath);
var loadLib = targetProcess.GetLoadLibraryPtr();
if (loadLib == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
return(IntPtr.Zero);
}
var pathBytes = Encoding.Unicode.GetBytes(filePath);
var alloc = targetProcess.Allocate(pathBytes.Length);
if (alloc == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
return(IntPtr.Zero);
}
if (!targetProcess.WriteBytes(pathBytes, alloc))
{
log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
return(IntPtr.Zero);
}
uint dwThreadId = 0;
var hThread = IntPtr.Zero;
dwThreadId = WinAPI.GetProcessThreadId(targetProcess.ProcessId, hThread);
var dResult = WinAPI.QueueUserAPC(loadLib, hThread, alloc);
if (dResult == 0)
{
log.Log(LogType.Error, "Failed to QueueUserAPC: {0}", Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
log.Log(LogType.Success, "Injection through QueueUserAPC was a success - opened thread: 0x{0}",
Environment.Is64BitProcess ? hThread.ToInt64().ToString("X16") : hThread.ToInt32().ToString("X8"));
return(hThread);
}
public IntPtr Inject(Core targetProcess, string filePath)
{
InjectedModule = new Module(filePath);
var loadLib = targetProcess.GetLoadLibraryPtr();
if (loadLib == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
return(IntPtr.Zero);
}
var pathBytes = Encoding.Unicode.GetBytes(filePath);
var alloc = targetProcess.Allocate(pathBytes.Length);
if (alloc == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
return(IntPtr.Zero);
}
if (!targetProcess.WriteBytes(pathBytes, alloc))
{
log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
return(IntPtr.Zero);
}
var crt = targetProcess.CreateThread(loadLib, alloc);
if (crt == IntPtr.Zero)
{
log.Log(LogType.Failure, "Failed on creating thread inside attached process: {0}",
Marshal.GetLastWin32Error().ToString("X"));
}
else
{
log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}",
Environment.Is64BitProcess ? crt.ToInt64().ToString("X") : crt.ToInt32().ToString("X"));
}
return(crt);
}
public IntPtr Inject(Core targetProcess, string filePath)
{
//Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.STC");
InjectedModule = new Module(filePath);
var loadLib = targetProcess.GetLoadLibraryPtr();
if (loadLib == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
return(IntPtr.Zero);
}
var pathBytes = Encoding.Unicode.GetBytes(filePath);
var alloc = targetProcess.Allocate(pathBytes.Length);
if (alloc == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
return(IntPtr.Zero);
}
if (!targetProcess.WriteBytes(pathBytes, alloc))
{
log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
return(IntPtr.Zero);
}
var code = Environment.Is64BitProcess ? shell64 : shell32;
var hThread = WinAPI.GetProcessThread(targetProcess.ProcessId);
if (hThread == IntPtr.Zero)
{
log.Log(LogType.Error, "Unable to open process's main thread: {0} - aborting!",
Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
var page_size = 1 << 12;
var buffer = targetProcess.Allocate(page_size);
if (!WinAPI.SuspendThread(hThread))
{
log.Log(LogType.Error, "Unable to suspend thread: {0} - aborting!",
Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
if (Environment.Is64BitProcess)
{
var ctx = new WinAPI.CONTEXT64();
ctx.ContextFlags = WinAPI.CONTEXT_FLAGS.CONTEXT_FULL;
if (!WinAPI.GetThreadContext(hThread, ref ctx))
{
log.Log(LogType.Error, "Failed to retrieve thread's context: {0} - aborting!",
Marshal.GetLastWin32Error());
return(IntPtr.Zero);
}
var buf = BitConverter.GetBytes((buffer + page_size / 2).ToInt64());
var libBuf = BitConverter.GetBytes(loadLib.ToInt64());
var ripBuf = BitConverter.GetBytes(ctx.Rip);
Array.Copy(buf, 0, code, 0x10, buf.Length);
Array.Copy(libBuf, 0, code, 0x1a, libBuf.Length);
Array.Copy(ripBuf, 0, code, 0x34, ripBuf.Length);
if (!targetProcess.WriteBytes(code, buffer))
{
log.Log(LogType.Error, "Failed to write code-cave to process: {0} - aborting!",
Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
ctx.Rip = (ulong)alloc.ToInt64();
if (!WinAPI.SetThreadContext(hThread, ref ctx))
{
log.Log(LogType.Failure, "Failed to set thread's context: {0}",
Marshal.GetLastWin32Error().ToString("X"));
WinAPI.ResumeThread(hThread);
return(IntPtr.Zero);
}
log.Log(LogType.Success, "Successfully set thread's context - {0} should now be injected!",
Path.GetFileName(filePath));
return(hThread);
}
else
{
var ctx = new WinAPI.CONTEXT();
ctx.ContextFlags = WinAPI.CONTEXT_FLAGS.CONTEXT_FULL;
if (!WinAPI.GetThreadContext(hThread, ref ctx))
{
log.Log(LogType.Error, "Failed to retrieve thread's context: {0} - aborting!",
Marshal.GetLastWin32Error());
return(IntPtr.Zero);
}
var buf = BitConverter.GetBytes((buffer + page_size / 2).ToInt32());
var libBuf = BitConverter.GetBytes(loadLib.ToInt32());
var ripBuf = BitConverter.GetBytes(ctx.Eip);
Array.Copy(buf, 0, code, 2, buf.Length);
Array.Copy(libBuf, 0, code, 7, libBuf.Length);
Array.Copy(ripBuf, 0, code, 0xf, ripBuf.Length);
if (!targetProcess.WriteBytes(code, buffer))
{
log.Log(LogType.Error, "Failed to write code-cave to process: {0} - aborting!",
Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
ctx.Eip = (uint)alloc.ToInt32();
if (!WinAPI.SetThreadContext(hThread, ref ctx))
{
log.Log(LogType.Failure, "Failed to set thread's context: {0}",
Marshal.GetLastWin32Error().ToString("X"));
WinAPI.ResumeThread(hThread);
return(IntPtr.Zero);
}
log.Log(LogType.Success, "Successfully set thread's context - {0} should now be injected!",
Path.GetFileName(filePath));
return(hThread);
}
}
public IntPtr Inject(Core targetProcess, string filePath)
{
//Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.NCTE");
InjectedModule = new Module(filePath);
var loadLib = targetProcess.GetLoadLibraryPtr();
if (loadLib == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
return(IntPtr.Zero);
}
var pathBytes = Encoding.Unicode.GetBytes(filePath);
var alloc = targetProcess.Allocate(pathBytes.Length);
if (alloc == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
return(IntPtr.Zero);
}
if (!targetProcess.WriteBytes(pathBytes, alloc))
{
log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
return(IntPtr.Zero);
}
var ntdllmod = WinAPI.GetModuleHandleA("ntdll.dll");
if (ntdllmod == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve module handle for {0}: {1}",
'"' + "ntdll.dll" + '"', Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
var ntCreateThreadExAddress = WinAPI.GetProcAddress(ntdllmod, "NtCreateThreadEx");
if (ntCreateThreadExAddress == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve address handle for {0} in {1}: {2}",
'"' + "NtCreateThreadEx" + '"', '"' + "ntdll.dll" + '"',
Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
var ntCreateThreadEx = (NtCreateThreadEx)
Marshal.GetDelegateForFunctionPointer(ntCreateThreadExAddress, typeof(NtCreateThreadEx));
int temp1 = 0, temp2 = 0;
unsafe
{
var nb = new NtCreateThreadExBuffer
{
Size = sizeof(NtCreateThreadExBuffer),
Unknown1 = 0x10003,
Unknown2 = 0x8,
Unknown3 = new IntPtr(&temp2),
Unknown4 = 0,
Unknown5 = 0x10004,
Unknown6 = 4,
Unknown7 = new IntPtr(&temp1),
Unknown8 = 0
};
var hRemoteThread = IntPtr.Zero;
ntCreateThreadEx?.Invoke(
out hRemoteThread,
0x1FFFFF,
IntPtr.Zero,
targetProcess.ProcessHandle,
loadLib,
alloc,
0,
0,
Environment.Is64BitProcess ? 0xFFFF : 0u,
Environment.Is64BitProcess ? 0xFFFF : 0u,
Environment.Is64BitProcess ? IntPtr.Zero : new IntPtr(&nb)
);
if (hRemoteThread == IntPtr.Zero)
{
log.Log(LogType.Failure, "Failed to create thread inside attached process: {0}",
Marshal.GetLastWin32Error().ToString("X"));
}
else
{
log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}",
Environment.Is64BitProcess
? hRemoteThread.ToInt64().ToString("X")
: hRemoteThread.ToInt32().ToString("X"));
}
return(hRemoteThread);
}
}
public IntPtr Inject(Core targetProcess, string filePath)
{
//Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.RCUT");
InjectedModule = new Module(filePath);
var loadLib = targetProcess.GetLoadLibraryPtr();
if (loadLib == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
return(IntPtr.Zero);
}
var pathBytes = Encoding.Unicode.GetBytes(filePath);
var alloc = targetProcess.Allocate(pathBytes.Length);
if (alloc == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
return(IntPtr.Zero);
}
if (!targetProcess.WriteBytes(pathBytes, alloc))
{
log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
return(IntPtr.Zero);
}
var ntdllmod = WinAPI.GetModuleHandleA("ntdll.dll");
if (ntdllmod == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve module handle for {0}: {1}",
'"' + "ntdll.dll" + '"', Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
var rtlCreateUserThreadAddress = WinAPI.GetProcAddress(ntdllmod, "RtlCreateUserThread");
if (rtlCreateUserThreadAddress == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve address handle for {0} in {1}: {2}",
'"' + "RtlCreateUserThread" + '"', '"' + "ntdll.dll" + '"',
Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
var rtlCreateUserThread =
(RtlCreateUserThread)Marshal.GetDelegateForFunctionPointer(rtlCreateUserThreadAddress,
typeof(RtlCreateUserThread));
var hRemoteThread = IntPtr.Zero;
if (rtlCreateUserThread(targetProcess.ProcessHandle, IntPtr.Zero, 0, 0, 0, 0, loadLib, alloc,
out hRemoteThread,
IntPtr.Zero) < 0)
{
log.Log(LogType.Failure, "Failed to create thread inside attached process: {0}",
Marshal.GetLastWin32Error().ToString("X"));
}
else
{
log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}",
Environment.Is64BitProcess
? hRemoteThread.ToInt64().ToString("X")
: hRemoteThread.ToInt32().ToString("X"));
}
return(hRemoteThread);
}
