public static IntPtr CreateRemoteThread(IntPtr address, IntPtr param, IntPtr handle)
{
NtCreateThreadExBuffer buff = new NtCreateThreadExBuffer();
buff.Size = Marshal.SizeOf(buff);
buff.Unknown1 = 0x10003;
buff.Unknown2 = 0x8;
buff.Unknown3 = Marshal.AllocHGlobal(4);
buff.Unknown4 = 0;
buff.Unknown5 = 0x10004;
buff.Unknown6 = 4;
buff.Unknown7 = Marshal.AllocHGlobal(4);
buff.Unknown8 = 0;
IntPtr hthread = IntPtr.Zero;
IntPtr ntstatus = NtCreateThreadEx(out hthread, 0x1FFFFF, IntPtr.Zero, handle, address, param, false, 0, 0, 0, out buff);
if (hthread == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
{
return(hthread);
}
}
public unsafe static bool NtCreateThread(IntPtr hProcess, string dllPath, IntPtr loadLibAddy)
{
IntPtr ntCreateThreadAddy = Imports.GetProcAddress(Imports.GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
if (ntCreateThreadAddy == IntPtr.Zero)
{
Imports.kernelErrMsg("Couldn't get the NtCreateThreadExaddress.");
}
if (loadLibAddy == IntPtr.Zero)
{
loadLibAddy = Imports.GetProcAddress(Imports.GetModuleHandle("Kernel32"), "LoadLibraryW");
}
if (loadLibAddy == IntPtr.Zero)
{
Imports.kernelErrMsg("Couldn't get the LoadLibraryaddress.");
return(false);
}
UInt32 temp1 = 0, temp2 = 0;
NtCreateThreadExBuffer nb = new NtCreateThreadExBuffer
{
Size = sizeof(NtCreateThreadExBuffer),
Unknown1 = 0x10003,
Unknown2 = 0x8,
Unknown3 = new UIntPtr(&temp2),
Unknown4 = 0,
Unknown5 = 0x10004,
Unknown6 = 4,
Unknown7 = new UIntPtr(&temp1),
Unknown8 = 0,
};
NtCreateThreadExProc ntCreateThreadEx = (NtCreateThreadEx.NtCreateThreadExProc)
Marshal.GetDelegateForFunctionPointer(ntCreateThreadAddy, typeof(NtCreateThreadEx.NtCreateThreadExProc));
if (ntCreateThreadEx == null)
{
Imports.kernelErrMsg("Couldn't get the NtCreateThreadEx function");
return(false);
}
var dllPathBytes = Encoding.Unicode.GetBytes(dllPath + "\0");
IntPtr baseAddress = Imports.VirtualAllocEx(hProcess, IntPtr.Zero, dllPathBytes.Length, (0x00001000 | 0x00002000), 0x40);
if (baseAddress == (IntPtr)null)
{
Imports.kernelErrMsg("Couldn't allocate Memory in target process.");
return(false);
}
UIntPtr writtenBytes = (UIntPtr)null;
bool written = Imports.WriteProcessMemory(hProcess, baseAddress, dllPathBytes, dllPathBytes.Length, out writtenBytes);
if (!written || writtenBytes == (UIntPtr)null)
{
Imports.kernelErrMsg("Couldn't write bytes into target process.");
return(false);
}
IntPtr hRemoteThread = IntPtr.Zero;
ntCreateThreadEx(
out hRemoteThread,
0x1FFFFF,
IntPtr.Zero,
hProcess,
loadLibAddy,
baseAddress,
0,
0,
0,
0,
IntPtr.Zero);
if (hRemoteThread == IntPtr.Zero)
{
Imports.kernelErrMsg("Couldn't create NTtype Thread");
return(false);
}
return(true);
}
public IntPtr Inject(Core targetProcess, string filePath)
{
//Logger.StartLogger(Environment.UserInteractive ? LoggerType.Console : LoggerType.File, "Injector.NCTE");
InjectedModule = new Module(filePath);
var loadLib = targetProcess.GetLoadLibraryPtr();
if (loadLib == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve LoadLibraryA pointer - aborting!");
return(IntPtr.Zero);
}
var pathBytes = Encoding.Unicode.GetBytes(filePath);
var alloc = targetProcess.Allocate(pathBytes.Length);
if (alloc == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot allocate memory in attached process - aborting!");
return(IntPtr.Zero);
}
if (!targetProcess.WriteBytes(pathBytes, alloc))
{
log.Log(LogType.Error, "Cannot write file-path to memory - aborting!");
return(IntPtr.Zero);
}
var ntdllmod = WinAPI.GetModuleHandleA("ntdll.dll");
if (ntdllmod == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve module handle for {0}: {1}",
'"' + "ntdll.dll" + '"', Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
var ntCreateThreadExAddress = WinAPI.GetProcAddress(ntdllmod, "NtCreateThreadEx");
if (ntCreateThreadExAddress == IntPtr.Zero)
{
log.Log(LogType.Error, "Cannot retrieve address handle for {0} in {1}: {2}",
'"' + "NtCreateThreadEx" + '"', '"' + "ntdll.dll" + '"',
Marshal.GetLastWin32Error().ToString("X"));
return(IntPtr.Zero);
}
var ntCreateThreadEx = (NtCreateThreadEx)
Marshal.GetDelegateForFunctionPointer(ntCreateThreadExAddress, typeof(NtCreateThreadEx));
int temp1 = 0, temp2 = 0;
unsafe
{
var nb = new NtCreateThreadExBuffer
{
Size = sizeof(NtCreateThreadExBuffer),
Unknown1 = 0x10003,
Unknown2 = 0x8,
Unknown3 = new IntPtr(&temp2),
Unknown4 = 0,
Unknown5 = 0x10004,
Unknown6 = 4,
Unknown7 = new IntPtr(&temp1),
Unknown8 = 0
};
var hRemoteThread = IntPtr.Zero;
ntCreateThreadEx?.Invoke(
out hRemoteThread,
0x1FFFFF,
IntPtr.Zero,
targetProcess.ProcessHandle,
loadLib,
alloc,
0,
0,
Environment.Is64BitProcess ? 0xFFFF : 0u,
Environment.Is64BitProcess ? 0xFFFF : 0u,
Environment.Is64BitProcess ? IntPtr.Zero : new IntPtr(&nb)
);
if (hRemoteThread == IntPtr.Zero)
{
log.Log(LogType.Failure, "Failed to create thread inside attached process: {0}",
Marshal.GetLastWin32Error().ToString("X"));
}
else
{
log.Log(LogType.Success, "Thread created succesfully inside attached process: 0x{0}",
Environment.Is64BitProcess
? hRemoteThread.ToInt64().ToString("X")
: hRemoteThread.ToInt32().ToString("X"));
}
return(hRemoteThread);
}
}
private static extern IntPtr NtCreateThreadEx(out IntPtr outhThread,
int inlpvDesiredAccess, IntPtr lpObjectAttributes, IntPtr inhProcessHandle,
IntPtr lpStartAddress,
IntPtr lpParameter, bool inCreateSuspended,
ulong inStackZeroBits, ulong inSizeOfStackCommit, ulong inSizeOfStackReserve,
[MarshalAs(UnmanagedType.Struct)] out NtCreateThreadExBuffer outlpvBytesBuffer);
