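/// <summary>
/// Injects a dll into a process by creating a remote thread on LoadLibrary.
/// Sequence: resolve LoadLibraryA in this process' kernel32.dll (assumes the same load
/// address in the target), allocate memory in the target, write the dll path there, start a
/// remote thread at LoadLibraryA with the path as its argument, wait for it and read its exit
/// code (the HMODULE LoadLibrary returned). This allocate/write/CreateRemoteThread sequence is
/// the classic remote-thread injection primitive that endpoint monitoring commonly reports on.
/// </summary>
/// <param name="hProcess">Handle to the process into which dll will be injected.</param>
/// <param name="szDllPath">Full path of the dll that will be injected. A relative path is
/// resolved against the current directory of this process, not the target's.</param>
/// <returns>Returns the base address of the injected dll on success, zero on failure. The
/// value comes from the remote thread's exit code, which is a DWORD, so it only fits a
/// 32-bit target.</returns>
/// <exception cref="ArgumentNullException"><paramref name="hProcess"/> is zero, or
/// <paramref name="szDllPath"/> is null or empty.</exception>
/// <exception cref="ArgumentException">The dll file does not exist.</exception>
/// <exception cref="InvalidOperationException">LoadLibraryA could not be resolved, or memory
/// could not be allocated in the target process.</exception>
public static uint InjectDllCreateThread(IntPtr hProcess, string szDllPath)
{
    if (hProcess == IntPtr.Zero)
    {
        throw new ArgumentNullException("hProcess");
    }
    // Checking only Length threw NullReferenceException for a null path; keep the exception
    // type callers already catch for the empty case.
    if (string.IsNullOrEmpty(szDllPath))
    {
        throw new ArgumentNullException("szDllPath");
    }
    // LoadLibrary interprets the path inside the target process, so resolve it here while this
    // process' working directory still applies. Testing for a backslash left relative paths
    // such as "sub\x.dll" unresolved; rootedness is the condition actually meant.
    if (!System.IO.Path.IsPathRooted(szDllPath))
    {
        szDllPath = System.IO.Path.GetFullPath(szDllPath);
    }
    if (!System.IO.File.Exists(szDllPath))
    {
        throw new ArgumentException("DLL not found.", "szDllPath");
    }

    uint dwBaseAddress = RETURN_ERROR;
    uint lpLoadLibrary;
    uint lpDll;
    IntPtr hThread;

    // kernel32.dll is mapped at the same base in every process of the same bitness, so the
    // local address of LoadLibraryA is valid in the target as well.
    lpLoadLibrary = (uint)Imports.GetProcAddress(Imports.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (lpLoadLibrary == 0)
    {
        // InvalidOperationException derives from Exception, so existing catch blocks still match.
        throw new InvalidOperationException("Failed to get address of LoadLibraryA in kernel32.dll");
    }

    lpDll = MemoryHelper.AllocateMemory(hProcess);
    if (lpDll == 0)
    {
        throw new InvalidOperationException("Failed to allocate Memory in the Process!");
    }

    if (MemoryHelper.WriteASCIIString(hProcess, lpDll, szDllPath))
    {
        hThread = ThreadHelper.CreateRemoteThread(hProcess, lpLoadLibrary, lpDll);
        // Previously the handle was closed unconditionally, i.e. CloseHandle(0) when thread
        // creation failed. Assumes the wrapper returns IntPtr.Zero on failure like the Win32
        // API it wraps — confirm against ThreadHelper.
        if (hThread != IntPtr.Zero)
        {
            // 5 s is the original hard-coded timeout; on timeout the base address stays at
            // RETURN_ERROR even though the dll may still end up loaded.
            if (ThreadHelper.WaitForSingleObject(hThread, 5000) == WaitValues.WAIT_OBJECT_0)
            {
                dwBaseAddress = ThreadHelper.GetExitCodeThread(hThread);
            }
            Imports.CloseHandle(hThread);
        }
    }

    // NOTE(review): after a wait timeout the remote thread may still be running while its
    // argument buffer is freed here — confirm this is acceptable for callers.
    MemoryHelper.FreeMemory(hProcess, lpDll);
    return dwBaseAddress;
}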
/// <summary>
/// Writes a value to another process' memory. Thin instance wrapper around the static
/// MemoryHelper.WriteASCIIString overload, supplying this.mProcess as the target process.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteASCIIString(uint dwAddress, string Value)
{
    bool written = MemoryHelper.WriteASCIIString(this.mProcess, dwAddress, Value);
    return written;
}