Class representing a function in the remote process.
Inheritance: RemotePointer
Exemplo n.º 1
0
        const string TargetProcessName = "warmode"; // WARMODE: http://store.steampowered.com/app/391460/

        #endregion Fields

        #region Methods

        static void AttachToMainThread(RemoteFunction mono_get_root_domain, RemoteFunction mono_thread_attach)
        {
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.Write("Attaching to/Entering the primary/main mono thread/context... ");
            IntPtr mono_get_root_domain_result = mono_get_root_domain.Execute(CallingConventions.Cdecl); // Returns MonoDomain.
            IntPtr mono_thread_attach_result = mono_thread_attach.Execute(CallingConventions.Cdecl, mono_get_root_domain_result); // Returns MonoThread.
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("success.");
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("{0} returned {1} (0x{2})", mono_get_root_domain.Name, mono_get_root_domain_result, mono_get_root_domain_result.ToString("X2"));
            Console.WriteLine("{0} returned {1} (0x{2})", mono_thread_attach.Name, mono_thread_attach_result, mono_thread_attach_result.ToString("X2"));
        }
Exemplo n.º 2
0
        /// <summary>
        ///     Finds the specified function in the remote module.
        /// </summary>
        /// <param name="functionName">The name of the function (case sensitive).</param>
        /// <returns>A new instance of a <see cref="RemoteFunction" /> class.</returns>
        /// <remarks>
        ///     Interesting article on how DLL loading works: http://msdn.microsoft.com/en-us/magazine/bb985014.aspx
        /// </remarks>
        public RemoteFunction FindFunction(string functionName)
        {
            // Create the tuple
            var tuple = Tuple.Create(functionName, MemorySharp.Handle);

            // Check if the function is already cached
            if (CachedFunctions.ContainsKey(tuple))
            {
                return(CachedFunctions[tuple]);
            }

            // If the function is not cached
            // Check if the local process has this module loaded
            var localModule =
                Process.GetCurrentProcess()
                .Modules.Cast <ProcessModule>()
                .FirstOrDefault(m => string.Equals(m.FileName, Path, StringComparison.CurrentCultureIgnoreCase));
            var isManuallyLoaded = false;

            try
            {
                // If this is not the case, load the module inside the local process
                if (localModule == null)
                {
                    isManuallyLoaded = true;
                    localModule      = ModuleCore.LoadLibrary(Native.FileName);
                }

                // Get the offset of the function
                var offset = ModuleCore.GetProcAddress(localModule, functionName).ToInt64() -
                             localModule.BaseAddress.ToInt64();

                // Rebase the function with the remote module
                var function = new RemoteFunction(MemorySharp, new IntPtr(Native.BaseAddress.ToInt64() + offset),
                                                  functionName);

                // Store the function in the cache
                CachedFunctions.Add(tuple, function);

                // Return the function rebased with the remote module
                return(function);
            }
            finally
            {
                // Free the module if it was manually loaded
                if (isManuallyLoaded)
                {
                    ModuleCore.FreeLibrary(localModule);
                }
            }
        }
Exemplo n.º 3
0
 //const string WebMonoDll = "mono-1-vc.dll";
 static void GetMonoRemoteFunctions(MemorySharp memorySharp, out RemoteFunction mono_get_root_domain, out RemoteFunction mono_thread_attach, out RemoteFunction mono_security_set_mode, out RemoteFunction mono_domain_get, out RemoteFunction mono_domain_assembly_open, out RemoteFunction mono_assembly_get_image, out RemoteFunction mono_class_from_name, out RemoteFunction mono_class_get_method_from_name, out RemoteFunction mono_runtime_invoke)
 {
     Console.ForegroundColor = ConsoleColor.White;
     mono_get_root_domain = memorySharp[DesktopMonoDll].FindFunction("mono_get_root_domain"); // Returns MonoDomain.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_get_root_domain.Name, mono_get_root_domain.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_thread_attach = memorySharp[DesktopMonoDll].FindFunction("mono_thread_attach"); // Returns MonoThread.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_thread_attach.Name, mono_thread_attach.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_security_set_mode = memorySharp[DesktopMonoDll].FindFunction("mono_security_set_mode"); // Returns void.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_security_set_mode.Name, mono_security_set_mode.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_domain_get = memorySharp[DesktopMonoDll].FindFunction("mono_domain_get"); // Returns MonoDomain.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_domain_get.Name, mono_domain_get.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_domain_assembly_open = memorySharp[DesktopMonoDll].FindFunction("mono_domain_assembly_open"); // Returns MonoAssembly.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_domain_assembly_open.Name, mono_domain_assembly_open.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_assembly_get_image = memorySharp[DesktopMonoDll].FindFunction("mono_assembly_get_image"); // Returns MonoImage.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_assembly_get_image.Name, mono_assembly_get_image.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_class_from_name = memorySharp[DesktopMonoDll].FindFunction("mono_class_from_name"); // Returns MonoClass.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_class_from_name.Name, mono_class_from_name.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_class_get_method_from_name = memorySharp[DesktopMonoDll].FindFunction("mono_class_get_method_from_name"); // Returns MonoMethod.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_class_get_method_from_name.Name, mono_class_get_method_from_name.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
     mono_runtime_invoke = memorySharp[DesktopMonoDll].FindFunction("mono_runtime_invoke"); // Returns MonoObject.
     Console.ForegroundColor = ConsoleColor.Green;
     Console.WriteLine("Function \"{0}\" found at 0x{1} address", mono_runtime_invoke.Name, mono_runtime_invoke.BaseAddress.ToString("X2"));
     Console.ForegroundColor = ConsoleColor.White;
 }
Exemplo n.º 4
0
        /// <summary>
        /// Finds the specified function in the remote module.
        /// </summary>
        /// <param name="functionName">The name of the function (case sensitive).</param>
        /// <returns>A new instance of a <see cref="RemoteFunction"/> class.</returns>
        /// <remarks>
        /// Interesting article on how DLL loading works: http://msdn.microsoft.com/en-us/magazine/bb985014.aspx
        /// </remarks>
        public RemoteFunction FindFunction(string functionName)
        {
            // Create the tuple
            var tuple = Tuple.Create(functionName, MemorySharp.Handle);

            // Check if the function is already cached
            if (CachedFunctions.ContainsKey(tuple))
                return CachedFunctions[tuple];

            // If the function is not cached
            // Check if the local process has this module loaded
            var localModule = Process.GetCurrentProcess().Modules.Cast<ProcessModule>().FirstOrDefault(m => m.FileName.ToLower() == Path.ToLower());
            var isManuallyLoaded = false;

            try
            {
                // If this is not the case, load the module inside the local process
                if (localModule == null)
                {
                    isManuallyLoaded = true;
                    localModule = ModuleCore.LoadLibrary(Native.FileName);
                }

                // Get the offset of the function
                var offset = ModuleCore.GetProcAddress(localModule, functionName).ToInt64() - localModule.BaseAddress.ToInt64();

                // Rebase the function with the remote module
                var function = new RemoteFunction(MemorySharp, new IntPtr(Native.BaseAddress.ToInt64() + offset), functionName);

                // Store the function in the cache
                CachedFunctions.Add(tuple, function);

                // Return the function rebased with the remote module
                return function;
            }
            finally
            {
                // Free the module if it was manually loaded
                if(isManuallyLoaded)
                    ModuleCore.FreeLibrary(localModule);
            }
        }