public static IntPtr CreateRemoteThread(IntPtr address, IntPtr param, IntPtr handle) { NtCreateThreadExBuffer buff = new NtCreateThreadExBuffer(); buff.Size = Marshal.SizeOf(buff); buff.Unknown1 = 0x10003; buff.Unknown2 = 0x8; buff.Unknown3 = Marshal.AllocHGlobal(4); buff.Unknown4 = 0; buff.Unknown5 = 0x10004; buff.Unknown6 = 4; buff.Unknown7 = Marshal.AllocHGlobal(4); buff.Unknown8 = 0; IntPtr hthread = IntPtr.Zero; IntPtr ntstatus = NtCreateThreadEx(out hthread, 0x1FFFFF, IntPtr.Zero, handle, address, param, false, 0, 0, 0, out buff); if (hthread == IntPtr.Zero) { throw new Win32Exception(Marshal.GetLastWin32Error()); } else { return(hthread); } }
public unsafe static bool NtCreateThread(IntPtr hProcess, string dllPath, IntPtr loadLibAddy) { IntPtr ntCreateThreadAddy = Imports.GetProcAddress(Imports.GetModuleHandle("ntdll.dll"), "NtCreateThreadEx"); if (ntCreateThreadAddy == IntPtr.Zero) { Imports.kernelErrMsg("Couldn't get the NtCreateThreadExaddress."); } if (loadLibAddy == IntPtr.Zero) { loadLibAddy = Imports.GetProcAddress(Imports.GetModuleHandle("Kernel32"), "LoadLibraryW"); } if (loadLibAddy == IntPtr.Zero) { Imports.kernelErrMsg("Couldn't get the LoadLibraryaddress."); return(false); } UInt32 temp1 = 0, temp2 = 0; NtCreateThreadExBuffer nb = new NtCreateThreadExBuffer { Size = sizeof(NtCreateThreadExBuffer), Unknown1 = 0x10003, Unknown2 = 0x8, Unknown3 = new UIntPtr(&temp2), Unknown4 = 0, Unknown5 = 0x10004, Unknown6 = 4, Unknown7 = new UIntPtr(&temp1), Unknown8 = 0, }; NtCreateThreadExProc ntCreateThreadEx = (NtCreateThreadEx.NtCreateThreadExProc) Marshal.GetDelegateForFunctionPointer(ntCreateThreadAddy, typeof(NtCreateThreadEx.NtCreateThreadExProc)); if (ntCreateThreadEx == null) { Imports.kernelErrMsg("Couldn't get the NtCreateThreadEx function"); return(false); } var dllPathBytes = Encoding.Unicode.GetBytes(dllPath + "\0"); IntPtr baseAddress = Imports.VirtualAllocEx(hProcess, IntPtr.Zero, dllPathBytes.Length, (0x00001000 | 0x00002000), 0x40); if (baseAddress == (IntPtr)null) { Imports.kernelErrMsg("Couldn't allocate Memory in target process."); return(false); } UIntPtr writtenBytes = (UIntPtr)null; bool written = Imports.WriteProcessMemory(hProcess, baseAddress, dllPathBytes, dllPathBytes.Length, out writtenBytes); if (!written || writtenBytes == (UIntPtr)null) { Imports.kernelErrMsg("Couldn't write bytes into target process."); return(false); } IntPtr hRemoteThread = IntPtr.Zero; ntCreateThreadEx( out hRemoteThread, 0x1FFFFF, IntPtr.Zero, hProcess, loadLibAddy, baseAddress, 0, 0, 0, 0, IntPtr.Zero); if (hRemoteThread == IntPtr.Zero) { Imports.kernelErrMsg("Couldn't create NTtype Thread"); return(false); } return(true); }
public IntPtr Inject(Core targetProcess, string filePath) { //Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.NCTE"); InjectedModule = new Module(filePath); var loadLib = targetProcess.GetLoadLibraryPtr(); if (loadLib == IntPtr.Zero) { log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!"); return(IntPtr.Zero); } var pathBytes = Encoding.Unicode.GetBytes(filePath); var alloc = targetProcess.Allocate(pathBytes.Length); if (alloc == IntPtr.Zero) { log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!"); return(IntPtr.Zero); } if (!targetProcess.WriteBytes(pathBytes, alloc)) { log.Log(LogType.Error, "Cannot write file-path to memory - aborting!"); return(IntPtr.Zero); } var ntdllmod = WinAPI.GetModuleHandleA("ntdll.dll"); if (ntdllmod == IntPtr.Zero) { log.Log(LogType.Error, "Cannot retrieve module handle for {0}: {1}", '"' + "ntdll.dll" + '"', Marshal.GetLastWin32Error().ToString("X")); return(IntPtr.Zero); } var ntCreateThreadExAddress = WinAPI.GetProcAddress(ntdllmod, "NtCreateThreadEx"); if (ntCreateThreadExAddress == IntPtr.Zero) { log.Log(LogType.Error, "Cannot retrieve address handle for {0} in {1}: {2}", '"' + "NtCreateThreadEx" + '"', '"' + "ntdll.dll" + '"', Marshal.GetLastWin32Error().ToString("X")); return(IntPtr.Zero); } var ntCreateThreadEx = (NtCreateThreadEx) Marshal.GetDelegateForFunctionPointer(ntCreateThreadExAddress, typeof(NtCreateThreadEx)); int temp1 = 0, temp2 = 0; unsafe { var nb = new NtCreateThreadExBuffer { Size = sizeof(NtCreateThreadExBuffer), Unknown1 = 0x10003, Unknown2 = 0x8, Unknown3 = new IntPtr(&temp2), Unknown4 = 0, Unknown5 = 0x10004, Unknown6 = 4, Unknown7 = new IntPtr(&temp1), Unknown8 = 0 }; var hRemoteThread = IntPtr.Zero; ntCreateThreadEx?.Invoke( out hRemoteThread, 0x1FFFFF, IntPtr.Zero, targetProcess.ProcessHandle, loadLib, alloc, 0, 0, Environment.Is64BitProcess ? 0xFFFF : 0u, Environment.Is64BitProcess ? 0xFFFF : 0u, Environment.Is64BitProcess ? IntPtr.Zero : new IntPtr(&nb) ); if (hRemoteThread == IntPtr.Zero) { log.Log(LogType.Failure, "Failed to create thread inside attached process: {0}", Marshal.GetLastWin32Error().ToString("X")); } else { log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}", Environment.Is64BitProcess ? hRemoteThread.ToInt64().ToString("X") : hRemoteThread.ToInt32().ToString("X")); } return(hRemoteThread); } }
private static extern IntPtr NtCreateThreadEx(out IntPtr outhThread, int inlpvDesiredAccess, IntPtr lpObjectAttributes, IntPtr inhProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, bool inCreateSuspended, ulong inStackZeroBits, ulong inSizeOfStackCommit, ulong inSizeOfStackReserve, [MarshalAs(UnmanagedType.Struct)] out NtCreateThreadExBuffer outlpvBytesBuffer);