        /// <summary>
        /// Unloads the DNCIClrLoader module from the target process by running FreeLibrary there.
        /// </summary>
        /// <param name="targetProcessHandle">Handle of the target process.</param>
        /// <param name="dnciModuleHandle">Module handle of DNCIClrLoader inside the target process; passed to FreeLibrary as its single argument.</param>
        /// <remarks>
        /// The FreeLibrary address is resolved in this process and reused in the target, so the
        /// method relies on kernel32 being mapped at the same address in both. The thread handle
        /// returned by CreateRemoteThread is discarded: the call is neither waited on nor is the
        /// handle closed, and no return value is checked.
        /// </remarks>
        private void EraseRemoteModules(IntPtr targetProcessHandle, IntPtr dnciModuleHandle)
        {
            IntPtr kernel32 = NativeExecution.GetModuleHandle("Kernel32");
            IntPtr freeLibrary = NativeExecution.GetProcAddress(kernel32, "FreeLibrary");

            // FreeLibrary(dnciModuleHandle) executed on a new thread inside the target process.
            NativeExecution.CreateRemoteThread(
                targetProcessHandle,
                IntPtr.Zero,
                0,
                freeLibrary,
                dnciModuleHandle,
                0,
                IntPtr.Zero);
        }
        /// <summary>
        /// Loads DNCIClrLoader.dll into the target process and returns its module handle there.
        /// </summary>
        /// <param name="targetProcessHandle">Handle of the target process.</param>
        /// <param name="injectorLibraryFilePath">Path of DNCIClrLoader.dll, handed to <see cref="Inject"/> together with the resolved LoadLibraryW address.</param>
        /// <param name="moduleName">Module name looked up afterwards with <see cref="FindRemoteModuleHandle"/> (usually FILE_NAME.dll).</param>
        /// <returns>Whatever <see cref="FindRemoteModuleHandle"/> returns for <paramref name="moduleName"/>; the value is not validated here.</returns>
        /// <remarks>
        /// LoadLibraryW is resolved in this process and the pointer is reused in the target, so
        /// kernel32 is assumed to be mapped at the same address in both. Neither the
        /// GetModuleHandle nor the GetProcAddress result is checked for IntPtr.Zero.
        /// </remarks>
        private IntPtr DNCIClrLoader(IntPtr targetProcessHandle, String injectorLibraryFilePath, String moduleName)
        {
            IntPtr kernel32 = NativeExecution.GetModuleHandle("kernel32.dll");
            IntPtr loadLibraryW = NativeExecution.GetProcAddress(kernel32, "LoadLibraryW");

            Inject(targetProcessHandle, loadLibraryW, injectorLibraryFilePath);

            // Module handle of the library inside the target, not a function pointer.
            return FindRemoteModuleHandle(targetProcessHandle, moduleName);
        }
        /// <summary>
        /// Computes the offset of an exported function relative to the library's base address
        /// by loading the library into the current process and subtracting the two addresses.
        /// </summary>
        /// <param name="libraryPath">Full path of the library to load.</param>
        /// <param name="targetFunctionName">Name of the export whose offset is wanted.</param>
        /// <returns>Function address minus module base address, as a 32-bit unsigned value.</returns>
        /// <remarks>
        /// Uses <see cref="IntPtr.ToInt32"/> on both pointers, so only pointer values that fit in
        /// 32 bits are handled; a larger value throws <see cref="OverflowException"/>. Neither the
        /// LoadLibrary nor the GetProcAddress result is checked for IntPtr.Zero, so a failed load or
        /// lookup yields a meaningless offset instead of an error. NOTE(review): loading the library
        /// maps it into this process (and runs its entry point, if it has one) before it is freed again.
        /// </remarks>
        private uint GetFunctionOffSet(String libraryPath, String targetFunctionName)
        {
            // Load the library into the current process (not the target) to resolve the export locally
            IntPtr libHandle = NativeExecution.LoadLibrary(libraryPath);

            // Get Target Function Address; IntPtr.Zero on failure is not detected here
            IntPtr functionPtr = NativeExecution.GetProcAddress(libHandle, targetFunctionName);

            // Offset between the module base and the export; unsigned subtraction wraps in the default unchecked context
            uint offset = (uint)functionPtr.ToInt32() - (uint)libHandle.ToInt32();

            // Unload Library from Memory (return value ignored)
            NativeExecution.FreeLibrary(libHandle);

            return(offset);
        }