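        /// <summary>
        /// Loads a dll into another process by creating a remote thread whose start routine
        /// is kernel32!LoadLibraryA and whose argument is the dll path, first copied into
        /// memory allocated inside the target.
        /// </summary>
        /// <param name="hProcess">Handle to the target process. It must already carry the
        /// access rights that the allocation, write and thread-creation helpers need.</param>
        /// <param name="szDllPath">Path of the dll to load. It is always resolved to a full path
        /// in the calling process before being handed to the target, so the target never performs
        /// its own relative-path / search-order resolution for it.</param>
        /// <returns>The exit code of the remote thread (what LoadLibraryA returned, i.e. the module
        /// base on success), or <c>RETURN_ERROR</c> when the write, the thread creation or the
        /// 5 second wait did not succeed.</returns>
        /// <exception cref="ArgumentNullException">hProcess is zero or szDllPath is null.</exception>
        /// <exception cref="ArgumentException">szDllPath is empty or does not name an existing file.</exception>
        /// <exception cref="InvalidOperationException">LoadLibraryA could not be located, or no memory
        /// could be allocated in the target.</exception>
        public static uint InjectDllCreateThread(IntPtr hProcess, string szDllPath)
        {
            if (hProcess == IntPtr.Zero)
            {
                throw new ArgumentNullException("hProcess");
            }

            // Null and empty are distinct failures; the original dereferenced a null path
            // (NullReferenceException) and reported an empty one as ArgumentNullException.
            if (szDllPath == null)
            {
                throw new ArgumentNullException("szDllPath");
            }

            if (szDllPath.Length == 0)
            {
                throw new ArgumentException("DLL path must not be empty.", "szDllPath");
            }

            // Canonicalize unconditionally. The original skipped this for any path containing a
            // backslash, so a relative path such as "sub\x.dll" reached the target still relative
            // and was resolved against the target's working directory and dll search path, not ours.
            szDllPath = System.IO.Path.GetFullPath(szDllPath);

            if (!System.IO.File.Exists(szDllPath))
            {
                throw new ArgumentException("DLL not found.", "szDllPath");
            }

            // Resolved in our own process and reused as the remote start address.
            // NOTE(review): this presumes kernel32 is mapped at the same base in the target and
            // that the target has the same bitness as us; the cast to uint also truncates a
            // 64-bit pointer — confirm this helper is only used from/against 32-bit processes.
            uint lpLoadLibrary = (uint)Imports.GetProcAddress(Imports.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
            if (lpLoadLibrary == 0)
            {
                throw new InvalidOperationException("Failed to get address of LoadLibraryA in kernel32.dll");
            }

            uint lpDll = MemoryHelper.AllocateMemory(hProcess);
            if (lpDll == 0)
            {
                throw new InvalidOperationException("Failed to allocate Memory in the Process!");
            }

            uint dwBaseAddress = RETURN_ERROR;

            try
            {
                if (MemoryHelper.WriteASCIIString(hProcess, lpDll, szDllPath))
                {
                    IntPtr hThread = ThreadHelper.CreateRemoteThread(hProcess, lpLoadLibrary, lpDll);

                    // The original waited on and closed whatever came back; a zero handle is
                    // skipped here so neither call runs against an invalid handle.
                    if (hThread != IntPtr.Zero)
                    {
                        try
                        {
                            if (ThreadHelper.WaitForSingleObject(hThread, 5000) == WaitValues.WAIT_OBJECT_0)
                            {
                                dwBaseAddress = ThreadHelper.GetExitCodeThread(hThread);
                            }
                            // NOTE(review): on a timeout the remote thread may still be running and
                            // reading lpDll when it is freed below (behaviour kept from the original);
                            // a caller that sees RETURN_ERROR cannot tell timeout from failure.
                        }
                        finally
                        {
                            Imports.CloseHandle(hThread);
                        }
                    }
                }
            }
            finally
            {
                // Released on every path, including an exception thrown by a helper above, so a
                // failed attempt does not leave the scratch allocation behind in the target.
                MemoryHelper.FreeMemory(hProcess, lpDll);
            }

            return dwBaseAddress;
        }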
 /// <summary>
 /// Instance-level convenience wrapper: forwards an ASCII string write to
 /// <see cref="MemoryHelper.WriteASCIIString"/> using the process handle held by this object.
 /// </summary>
 /// <param name="dwAddress">Address in the other process at which the string is written.</param>
 /// <param name="Value">The string to write.</param>
 /// <returns>true when the underlying write reported success, false otherwise.</returns>
 public bool WriteASCIIString(uint dwAddress, string Value)
 {
     bool succeeded = MemoryHelper.WriteASCIIString(this.mProcess, dwAddress, Value);
     return succeeded;
 }