public void EjectModule(RemoteModule module) { if (module == null || !module.IsValid) { throw new DllNotFoundException("Module is invalid!"); } IntPtr moduleHandle = module.Handle; RemoteModule kernel32Module = GetModule("kernel32"); if (kernel32Module == null) { throw new DllNotFoundException("Module 'kernel32' not found!"); } RemoteFunction freeLibrary = kernel32Module.GetFunction("FreeLibrary"); if (freeLibrary == null) { throw new MissingMethodException("Function 'FreeLibrary' not found in kernel32"); } try { if (freeLibrary.Call(moduleHandle) == 0) { throw new MethodAccessException("FreeLibrary call failed. This usually means that you tried to eject a non existent Module"); } } catch (Exception e) { throw new MethodAccessException("Method FreeLibrary could not be called!", e); } Refresh(); }
/// <summary> /// Injects a module, throws an exception on failure. /// </summary> /// <param name="filePath">The filepath of the dynamic link library.</param> /// <returns></returns> public RemoteModule InjectModule(string filePath) { filePath = Path.GetFullPath(filePath); if (!File.Exists(filePath)) { throw new FileNotFoundException(filePath + " could not be found"); } RemoteModule kernel32Module = GetModule("kernel32"); if (kernel32Module == null) { throw new DllNotFoundException("Module 'kernel32' not found!"); } RemoteFunction loadLibraryW = kernel32Module.GetFunction("LoadLibraryW"); if (loadLibraryW == null || loadLibraryW.Address == IntPtr.Zero) { throw new MissingMethodException("Function 'LoadLibraryW' not found in kernel32"); } try { if (loadLibraryW.Call(filePath) == 0) { throw new MethodAccessException("LoadLibrary call failed. This usually means that you tried to inject a incompatible 32 bit dll in a 64 bit Process, or vice versa."); } } catch (Exception e) { throw new MethodAccessException("Method LoadLibraryW could not be called!", e); } Refresh(); return(GetModule(filePath)); }
private IntPtr GetFunctionAddress(int ordinal, int nameIndex) { var addressOffset = Process.Memory.Read <int>(BaseAddress + (int)ExportDirectory.AddressOfFunctions + ordinal * sizeof(int)); //exportFunctions[ordinal]; if (addressOffset < ExportDirectoryInfo.VirtualAddress || addressOffset >= ExportDirectoryInfo.VirtualAddress + ExportDirectoryInfo.Size) { return(BaseAddress + addressOffset); } string forwardingString = Process.Memory.ReadString(BaseAddress + addressOffset); int dot = forwardingString.IndexOf('.'); if (dot <= -1) { return(IntPtr.Zero); } string redirectModuleName = forwardingString.Substring(0, dot); string redirectFunctionName = forwardingString.Substring(dot + 1); RemoteModule redirectModule = Process.GetModule(redirectModuleName); if (redirectModule == null || redirectModule.BaseAddress == BaseAddress) { return(IntPtr.Zero); } if (redirectFunctionName[0] == '#') { redirectFunctionName = redirectFunctionName.Remove(0, 1); UInt32 redirectOrdinal; UInt32.TryParse(redirectFunctionName, out redirectOrdinal); if (redirectOrdinal == 0) { return(IntPtr.Zero); } IntPtr namePtr = ExportDirectory.AddressOfNames != 0 ? BaseAddress + Process.Memory.Read <int>(BaseAddress + (int)ExportDirectory.AddressOfNames + nameIndex * sizeof(int)) : IntPtr.Zero; RemoteFunction foo = redirectModule.GetFunctionByOrdinal(redirectOrdinal, namePtr); return(foo != null ? foo.Address : IntPtr.Zero); } else { RemoteFunction foo = redirectModule.GetFunction(redirectFunctionName); return(foo != null ? foo.Address : IntPtr.Zero); } }