/// <summary>
/// Inject the "functionPointer" with "parameters" into Remote Process
/// </summary>
/// <param name="processHandle">Remote Process Handle</param>
/// <param name="functionPointer">LoadLibraryW Function Pointer</param>
/// <param name="clrLoaderFullPath">DNCIClrLoader.exe Full Path</param>
private Int32 Inject(IntPtr processHandle, IntPtr functionPointer, String parameters)
{
// Set Array to Write
byte[] toWriteData = Encoding.Unicode.GetBytes(parameters);
// Compute Required Space on Remote Process
uint requiredRemoteMemorySize = (uint)(
(toWriteData.Length) * Marshal.SizeOf(typeof(char))
) + (uint)Marshal.SizeOf(typeof(char));
// Alocate Required Memory Space on Remote Process
IntPtr allocMemAddress = NativeExecution.VirtualAllocEx(
processHandle,
IntPtr.Zero,
requiredRemoteMemorySize,
NativeConstants.MEM_RESERVE | NativeConstants.MEM_COMMIT,
NativeConstants.PAGE_READWRITE
);
// Write Argument on Remote Process
UIntPtr bytesWritten;
bool success = NativeExecution.WriteProcessMemory(
processHandle,
allocMemAddress,
toWriteData,
requiredRemoteMemorySize,
out bytesWritten
);
// Create Remote Thread
IntPtr createRemoteThread = NativeExecution.CreateRemoteThread(
processHandle,
IntPtr.Zero,
0,
functionPointer,
allocMemAddress,
0,
IntPtr.Zero
);
// Wait Thread to Exit
NativeExecution.WaitForSingleObject(createRemoteThread, NativeConstants.INFINITE);
// Release Memory in Remote Process
NativeExecution.VirtualFreeEx(processHandle, allocMemAddress, 0, NativeConstants.MEM_RELEASE);
// Get Thread Exit Code
Int32 exitCode;
NativeExecution.GetExitCodeThread(createRemoteThread, out exitCode);
// Close Remote Handle
NativeExecution.CloseHandle(createRemoteThread);
return(exitCode);
}
/// <summary>
/// Find the "moduleName" into Remote Process
/// </summary>
/// <param name="targetProcessHandle">Target Process Handler</param>
/// <param name="moduleName">Desired Module Name</param>
/// <returns></returns>
private IntPtr FindRemoteModuleHandle(IntPtr targetProcessHandle, String moduleName)
{
NativeStructures.MODULEENTRY32 moduleEntry = new NativeStructures.MODULEENTRY32()
{
dwSize = (uint)Marshal.SizeOf(typeof(NativeStructures.MODULEENTRY32))
};
uint targetProcessId = NativeExecution.GetProcessId(targetProcessHandle);
IntPtr snapshotHandle = NativeExecution.CreateToolhelp32Snapshot(
NativeStructures.SnapshotFlags.Module | NativeStructures.SnapshotFlags.Module32,
targetProcessId
);
// Check if is Valid
if (!NativeExecution.Module32First(snapshotHandle, ref moduleEntry))
{
NativeExecution.CloseHandle(snapshotHandle);
return(IntPtr.Zero);
}
// Enumerate all Modules until find the "moduleName"
while (NativeExecution.Module32Next(snapshotHandle, ref moduleEntry))
{
if (moduleEntry.szModule == moduleName)
{
break;
}
}
// Close the Handle
NativeExecution.CloseHandle(snapshotHandle);
// Return if Success on Search
if (moduleEntry.szModule == moduleName)
{
return(moduleEntry.modBaseAddr);
}
return(IntPtr.Zero);
}
/// <summary>
/// Inject .NET Assembly into Remote Process
/// </summary>
/// <returns></returns>
private InjectorResult DoInject(Int32 targetProcessId)
{
// Create Result Object
InjectorResult hResult = new InjectorResult()
{
TargetProcessId = targetProcessId
};
try
{
// Copy DNCIClrLoader.dll into Temporary Folder with Random Name
String dnciLoaderLibraryPath = WriteLoaderToDisk();
// Open and get handle of the process - with required privileges
IntPtr targetProcessHandle = NativeExecution.OpenProcess(
NativeConstants.PROCESS_ALL_ACCESS,
false,
targetProcessId
);
// Check Process Handle
if (targetProcessHandle == null || targetProcessHandle == IntPtr.Zero)
{
hResult.Status = InjectorResultStatus.UNABLE_TO_GET_PROCESS_HANDLE;
return(hResult);
}
// Get Process Name
hResult.TargetProcessName = Process.GetProcessById(targetProcessId).ProcessName;
// Find the LoadDNA Function Point into Remote Process Memory
IntPtr dnciModuleHandle = DNCIClrLoader(targetProcessHandle, dnciLoaderLibraryPath, Path.GetFileName(dnciLoaderLibraryPath));
// Check Injector Handle
if (dnciModuleHandle == null || dnciModuleHandle == IntPtr.Zero)
{
hResult.Status = InjectorResultStatus.UNABLE_TO_FIND_INJECTOR_HANDLE;
return(hResult);
}
// Inject Managed Assembly
LoadManagedAssemblyOnRemoteProcess(targetProcessHandle, dnciModuleHandle, this.configuration.MethodName, this.configuration.AssemblyFileLocation, this.configuration.TypeName, this.configuration.ArgumentString, dnciLoaderLibraryPath);
// Erase Modules from Target Process
EraseRemoteModules(targetProcessHandle, dnciModuleHandle);
// Close Remote Process Handle
NativeExecution.CloseHandle(targetProcessHandle);
// Remove Temporary File
try
{
File.Delete(dnciLoaderLibraryPath);
}
catch { }
hResult.Status = InjectorResultStatus.OK;
}
catch
{
hResult.Status = InjectorResultStatus.MASTER_ERROR;
}
return(hResult);
}