/// <summary>
/// Assembles mnemonics and injects resulting bytecode into given process.
/// </summary>
/// <param name="hProcess">Handle to the process into which code will be injected.</param>
/// <param name="szAssembly">Assembly mnemonics to be assembled and injected.</param>
/// <returns>Returns zero on failure, otherwise a chunk of memory that has been allocated in the target process where code was injected.</returns>
/// <remarks>Don't forget to free the memory allocated for the code when you are finished.</remarks>
public static uint InjectCode(IntPtr hProcess, string szAssembly)
{
uint dwAddress = MemoryHelper.AllocateMemory(hProcess);
return((InjectCode(hProcess, dwAddress, szAssembly)) ? dwAddress : RETURN_ERROR);
}
/// <summary>
/// Injects a dll into a process by hijacking the given thread and redirecting it to LoadLibrary.
/// </summary>
/// <param name="hProcess">Handle to process into which dll will be injected.</param>
/// <param name="hThread">Handle to thread that will be hijacked.</param>
/// <param name="szDllPath">Full path to the dll to be injected.</param>
/// <returns>Returns the base address of the injected dll on success, zero on failure.</returns>
public static uint InjectDllRedirectThread(IntPtr hProcess, IntPtr hThread, string szDllPath)
{
const uint INITIAL_EXIT_CODE = 0xFFFFFFFF;
if (hProcess == IntPtr.Zero)
{
throw new ArgumentNullException("hProcess");
}
if (hThread == IntPtr.Zero)
{
throw new ArgumentNullException("hThread");
}
if (szDllPath.Length == 0)
{
throw new ArgumentNullException("szDllPath");
}
if (!szDllPath.Contains("\\"))
{
szDllPath = System.IO.Path.GetFullPath(szDllPath);
}
if (!System.IO.File.Exists(szDllPath))
{
throw new ArgumentException("DLL not found.", "szDllPath");
}
uint dwBaseAddress = RETURN_ERROR;
uint lpLoadLibrary, lpAsmStub;
CONTEXT ctx;
StringBuilder AssemblyStub = new StringBuilder();
ManagedFasm fasm = new ManagedFasm(hProcess);
lpLoadLibrary = (uint)Imports.GetProcAddress(Imports.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (lpLoadLibrary == 0)
{
throw new Exception("Failed to get address of LoadLibraryA in kernel32.dll");
}
lpAsmStub = MemoryHelper.AllocateMemory(hProcess);
if (lpAsmStub == 0)
{
throw new Exception("Failed to allocate Memory in the Process!");
}
if (ThreadHelper.SuspendThread(hThread) != uint.MaxValue)
{
ctx = ThreadHelper.GetThreadContext(hThread, CONTEXT_FLAGS.CONTEXT_CONTROL);
if (ctx.Eip > 0)
{
try {
//located at lpAsmStub+0, where we can monitor LoadLibrary's exit code.
fasm.AddLine("lpExitCode dd 0x{0:X}", INITIAL_EXIT_CODE);
//lpAsmStub+4, where the actual code part starts
fasm.AddLine("push 0x{0:X}", ctx.Eip);
fasm.AddLine("pushad");
fasm.AddLine("push szDllPath");
fasm.AddLine("call 0x{0:X}", lpLoadLibrary);
fasm.AddLine("mov [lpExitCode], eax");
fasm.AddLine("popad");
fasm.AddLine("retn");
//dll path
fasm.AddLine("szDllPath db \'{0}\',0", szDllPath);
fasm.Inject(lpAsmStub);
} catch {
MemoryHelper.FreeMemory(hProcess, lpAsmStub);
ThreadHelper.ResumeThread(hThread);
return(RETURN_ERROR);
}
ctx.ContextFlags = CONTEXT_FLAGS.CONTEXT_CONTROL;
ctx.Eip = lpAsmStub + 4; //skip over lpExitCode data
if (ThreadHelper.SetThreadContext(hThread, ctx))
{
if (ThreadHelper.ResumeThread(hThread) != uint.MaxValue)
{
for (int i = 0; i < 400; i++)
{
System.Threading.Thread.Sleep(5);
if ((dwBaseAddress = MemoryHelper.ReadUInt(hProcess, lpAsmStub)) != INITIAL_EXIT_CODE)
{
break;
}
}
}
}
}
}
if (fasm != null)
{
fasm.Dispose();
fasm = null;
}
MemoryHelper.FreeMemory(hProcess, lpAsmStub);
return(dwBaseAddress);
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteUShort(uint dwAddress, ushort Value)
{
return(MemoryHelper.WriteUShort(this.mProcess, dwAddress, Value));
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteInt(uint dwAddress, int Value)
{
return(MemoryHelper.WriteInt(this.mProcess, dwAddress, Value));
}
/// <summary>
/// Allocates memory inside the opened process.
/// </summary>
/// <param name="nSize">Number of bytes to allocate.</param>
/// <param name="dwAllocationType">Type of memory allocation. See <see cref="MemoryAllocType"/>.</param>
/// <param name="dwProtect">Type of memory protection. See <see cref="MemoryProtectType"/></param>
/// <returns>Returns NULL on failure, or the base address of the allocated memory on success.</returns>
public uint AllocateMemory(int nSize, uint dwAllocationType, uint dwProtect)
{
return(MemoryHelper.AllocateMemory(mProcess, nSize, dwAllocationType, dwProtect));
}
/// <summary>
/// Frees an allocated block of memory in the opened process.
/// </summary>
/// <param name="dwAddress">Base address of the block of memory to be freed.</param>
/// <param name="nSize">Number of bytes to be freed. This must be zero (0) if using <see cref="MemoryFreeType.MEM_RELEASE"/>.</param>
/// <param name="dwFreeType">Type of free operation to use. See <see cref="MemoryFreeType"/>.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool FreeMemory(uint dwAddress, int nSize, uint dwFreeType)
{
return(MemoryHelper.FreeMemory(mProcess, dwAddress, nSize, dwFreeType));
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteSByte(uint dwAddress, sbyte Value)
{
return(MemoryHelper.WriteSByte(this.mProcess, dwAddress, Value));
}
/// <summary>
/// Reads a value from memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be read.</param>
/// <param name="nLength">Maximum number of characters to be read.</param>
/// <exception cref="Exception">Throws general exception on failure.</exception>
/// <returns>Returns the value that was read from memory.</returns>
public string ReadUnicodeString(uint dwAddress, int nLength)
{
return(MemoryHelper.ReadUnicodeString(this.mProcess, dwAddress, nLength));
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteUnicodeString(uint dwAddress, string Value)
{
return(MemoryHelper.WriteUnicodeString(this.mProcess, dwAddress, Value));
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteObject(uint dwAddress, object Value)
{
return(MemoryHelper.WriteObject(this.mProcess, dwAddress, Value, Value.GetType()));
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteDouble(uint dwAddress, double Value)
{
return(MemoryHelper.WriteDouble(this.mProcess, dwAddress, Value));
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <param name="nSize">Number of bytes to be written.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteBytes(uint dwAddress, byte[] Value, int nSize)
{
return(MemoryHelper.WriteBytes(this.mProcess, dwAddress, Value, nSize));
}
/// <summary>
/// Writes a value to another process' memory.
/// </summary>
/// <param name="dwAddress">Address at which value will be written.</param>
/// <param name="Value">Value that will be written to memory.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool WriteUInt64(uint dwAddress, UInt64 Value)
{
return(MemoryHelper.WriteUInt64(this.mProcess, dwAddress, Value));
}
