private InjectedModule InjectLibraryExternal(string libraryPath)
{
// Injecting remotely consists of a few steps:
// 1. GetProcAddress on kernel32 to get a pointer to LoadLibraryW
// 2. Allocate chunk of memory to write the path to our library to
// 3. CreateRemoteThread that calls LoadLibraryW and pass it a pointer to our chunk
// 4. Get thread's exit code
// 5. ????
// 6. Profit
var memory = _memory as ExternalProcessMemory;
// Realistically won't happen, but code analysis complains about it being null.
if (memory == null)
{
throw new InvalidOperationException("A valid memory instance is required for InjectLibraryExternal!");
}
if (memory.ProcessHandle.IsInvalid)
{
throw new InvalidOperationException("Can not inject library with an invalid ProcessHandle in ExternalProcessMemory!");
}
var path = Path.GetFullPath(libraryPath);
var libraryFileName = Path.GetFileName(libraryPath);
ProcessModule ourModule;
SafeMemoryHandle threadHandle = null;
SafeMemoryHandle kernel32Handle = null;
try
{
kernel32Handle = UnsafeNativeMethods.GetModuleHandle(UnsafeNativeMethods.Kernel32);
var loadLibraryPtr =
UnsafeNativeMethods.GetProcAddress(kernel32Handle.DangerousGetHandle(), "LoadLibraryW");
if (loadLibraryPtr == IntPtr.Zero)
{
throw new BlueRainInjectionException("Couldn't obtain handle to LoadLibraryW in remote process!");
}
var pathBytes = Encoding.Unicode.GetBytes(path);
using (var alloc = memory.Allocate((UIntPtr)pathBytes.Length))
{
alloc.WriteBytes(IntPtr.Zero, pathBytes);
threadHandle = UnsafeNativeMethods.CreateRemoteThread(memory.ProcessHandle.DangerousGetHandle(), IntPtr.Zero, 0x0,
loadLibraryPtr, alloc.Address, 0, IntPtr.Zero);
if (threadHandle.IsInvalid)
{
throw new BlueRainInjectionException(
"Couldn't obtain a handle to the remotely created thread for module injection!");
}
}
// ThreadWaitValue.Infinite = 0xFFFFFFFF = uint.MaxValue - Object0 = 0x0
if (UnsafeNativeMethods.WaitForSingleObject(threadHandle.DangerousGetHandle(), uint.MaxValue) != 0x0)
{
throw new BlueRainInjectionException(
"WaitForSingleObject returned an unexpected value while waiting for the remote thread to be created for module injection.");
}
uint exitCode;
if (!UnsafeNativeMethods.GetExitCodeThread(threadHandle.DangerousGetHandle(), out exitCode))
{
throw new BlueRainInjectionException("Couldn't obtain exit code for LoadLibraryW thread in remote process!");
}
// Let's make sure our module is actually present in the remote process now (assuming it's doing nothing special to hide itself..)
var moduleHandle = UnsafeNativeMethods.GetModuleHandle(libraryFileName);
if (moduleHandle.IsInvalid)
{
throw new BlueRainInjectionException(
"Couldn't obtain module handle to remotely injected library after LoadLibraryW!");
}
ourModule = memory.Process.Modules.Cast <ProcessModule>()
.FirstOrDefault(m => m.BaseAddress == moduleHandle.DangerousGetHandle());
}
finally
{
if (threadHandle != null && !threadHandle.IsClosed)
{
threadHandle.Close();
}
if (kernel32Handle != null && !kernel32Handle.IsClosed)
{
kernel32Handle.Close();
}
}
// We can safely do this - if something went wrong we wouldn't be here.
var module = new InjectedModule(ourModule, _memory);
_injectedModules.Add(path, module);
return(module);
}
