Пример #1
        /// <summary>
        /// Unloads a DLL from the remote process, using the teardown path that matches
        /// the configured injection method.
        /// </summary>
        /// <remarks>
        /// For <c>InjectionMethod.ManualMap</c> the DLL entry point is called with
        /// <c>Constants.DllProcessDetach</c> and the image's memory region is then freed.
        /// For every other method, <c>FreeLibrary</c> is called in the remote process.
        /// NOTE(review): presumably the manual-map path exists because such an image is not
        /// tracked by the Windows loader; nothing in this method confirms that.
        /// </remarks>
        /// <param name="dllAddress">Address of the DLL in the remote process.</param>
        /// <returns>
        /// Always <c>true</c>. The result of the remote call is not inspected here, so the
        /// return value does not tell the caller whether the unload actually succeeded.
        /// </returns>
        internal bool Call(IntPtr dllAddress)
        {
            var isManualMap = _injectionWrapper.InjectionMethod == InjectionMethod.ManualMap;

            if (!isManualMap)
            {
                // Not manually mapped: call FreeLibrary in the remote process
                _injectionTools.CallRemoteFunction("kernel32.dll", "FreeLibrary", (ulong)dllAddress);

                return true;
            }

            // Resolve the entry point from the 32-bit or 64-bit NT headers,
            // depending on whether the remote process is running under WOW64
            var entryPoint = _injectionWrapper.RemoteProcess.IsWow64
                           ? dllAddress.AddOffset(_injectionWrapper.PeParser.GetPeHeaders().NtHeaders32.OptionalHeader.AddressOfEntryPoint)
                           : dllAddress.AddOffset(_injectionWrapper.PeParser.GetPeHeaders().NtHeaders64.OptionalHeader.AddressOfEntryPoint);

            // Let the DLL run its detach logic before its memory disappears
            _injectionTools.CallRemoteFunction(entryPoint, (ulong)dllAddress, Constants.DllProcessDetach, 0);

            // Release the memory region that held the DLL in the remote process
            _injectionWrapper.MemoryManager.FreeVirtualMemory(dllAddress);

            return true;
        }
Пример #2
        /// <summary>
        /// Loads the DLL at <c>_injectionWrapper.DllPath</c> into the remote process by
        /// calling <c>LdrLoadDll</c> there, and returns the value the call wrote to the
        /// module handle buffer.
        /// </summary>
        /// <remarks>
        /// Three buffers are allocated in the remote process: the DLL path, a UnicodeString
        /// describing that path, and a slot that receives the module handle. All three are
        /// freed before the method returns normally.
        /// Defensive note: allocating and writing memory in another process and then invoking
        /// a loader routine there is a sequence endpoint monitoring commonly correlates to
        /// flag DLL injection.
        /// </remarks>
        /// <returns>The <see cref="IntPtr"/> read back from the module handle buffer.</returns>
        public IntPtr Call()
        {
            // Place the DLL path in the remote process.
            // NOTE(review): the allocation is sized by character count, while the bytes written
            // are UTF-16; whether AllocateVirtualMemory takes a byte count or rounds the size up
            // is not visible here - confirm the buffer cannot be overrun.
            var pathBuffer = _injectionWrapper.MemoryManager.AllocateVirtualMemory(_injectionWrapper.DllPath.Length);

            var pathBytes = Encoding.Unicode.GetBytes(_injectionWrapper.DllPath);

            _injectionWrapper.MemoryManager.WriteVirtualMemory(pathBuffer, pathBytes);

            // Build a UnicodeString in the remote process that refers to the path buffer
            var unicodeString = _injectionTools.CreateRemoteUnicodeString(pathBuffer);

            // Reserve a pointer-sized slot for the module handle, then call LdrLoadDll remotely.
            // NOTE(review): the outcome of the remote call is not checked, so a failed load
            // returns whatever the slot holds - confirm that callers validate the result.
            var handleSlot = _injectionWrapper.MemoryManager.AllocateVirtualMemory <IntPtr>();

            _injectionTools.CallRemoteFunction("ntdll.dll", "LdrLoadDll", 0, 0, (ulong)unicodeString, (ulong)handleSlot);

            // The path and UnicodeString buffers are no longer needed.
            // NOTE(review): these two frees are skipped if an earlier call throws.
            _injectionWrapper.MemoryManager.FreeVirtualMemory(pathBuffer);

            _injectionWrapper.MemoryManager.FreeVirtualMemory(unicodeString);

            IntPtr moduleHandle;

            try
            {
                moduleHandle = _injectionWrapper.MemoryManager.ReadVirtualMemory <IntPtr>(handleSlot);
            }
            finally
            {
                // Free the slot whether or not the read succeeded
                _injectionWrapper.MemoryManager.FreeVirtualMemory(handleSlot);
            }

            return moduleHandle;
        }
Пример #3
        /// <summary>
        /// Calls a DLL entry point or TLS callback in the remote process with
        /// <c>Constants.DllProcessAttach</c> as the reason.
        /// </summary>
        /// <remarks>
        /// The arguments passed are <c>_remoteDllAddress</c>, the attach reason and 0.
        /// Any result of the remote call is discarded.
        /// </remarks>
        /// <param name="entryPointAddress">Address of the routine to call in the remote process.</param>
        private void CallEntryPoint(IntPtr entryPointAddress) =>
            _injectionTools.CallRemoteFunction(entryPointAddress, (ulong)_remoteDllAddress, Constants.DllProcessAttach, 0);