Пример #1
0
        private Process _process;                   /* Process to DLL Inject into. */

        /// <summary>
        /// Initializes the DLL Injector.
        /// </summary>
        /// <param name="process">The process to inject DLLs into.</param>
        public Injector(Process process)
        {
            Safety.WaitForModuleInitialization(process);

            // Initiate target process.
            _process        = process;
            _circularBuffer = new CircularBuffer(4096, new ExternalMemory(process));
            _shellCode      = new Shellcode(process);
        }
Пример #2
0
        private long _getProcAddressReturnValuePtr; /* Address of GetProcAddress' return value. */

        /// <summary>
        /// Builds the shellcode necessary to successfully call LoadLibraryW and GetProcAddress
        /// inside the address space of another executable.
        /// </summary>
        /// <param name="targetProcess">Process inside which to execute.</param>
        public Shellcode(Process targetProcess)
        {
            Safety.WaitForModuleInitialization(targetProcess);

            _privateBuffer  = new MemoryBufferHelper(targetProcess).CreatePrivateMemoryBuffer(4096);
            _assembler      = new Assembler.Assembler();
            _memory         = new ExternalMemory(targetProcess);
            _circularBuffer = new CircularBuffer(4096, _memory);
            _targetProcess  = targetProcess;

            // Get arch of target process.
            PeFile targetPeFile = new PeFile(targetProcess.Modules[0].FileName);

            _machineType = (MachineType)targetPeFile.ImageNtHeaders.FileHeader.Machine;

            // Get Kernel32 load address in target.
            Module kernel32Module = GetKernel32InRemoteProcess(targetProcess);

            Kernel32Handle = (long)kernel32Module.BaseAddress;

            // We need to change the module path if 32bit process; because the given path is not true,
            // it is being actively redirected by Windows on Windows 64 (WoW64)
            if (_machineType == MachineType.I386)
            {
                StringBuilder builder = new StringBuilder(256);
                GetSystemWow64Directory(builder, (uint)builder.Capacity);
                kernel32Module.ModulePath = builder.ToString() + "\\" + Path.GetFileName(kernel32Module.ModulePath);
            }

            // Parse Kernel32 loaded by target and get address of LoadLibrary & GetProcAddress.
            PeFile kernel32PeFile    = new PeFile(kernel32Module.ModulePath);
            var    exportedFunctions = kernel32PeFile.ExportedFunctions;

            _loadLibraryWOffset   = GetExportedFunctionOffset(exportedFunctions, "LoadLibraryW");
            _getProcAddressOffset = GetExportedFunctionOffset(exportedFunctions, "GetProcAddress");

            if (_loadLibraryWOffset == 0 || _getProcAddressOffset == 0)
            {
                throw new ShellCodeGeneratorException("Failed to find GetProcAddress or LoadLibraryW methods in target process' Kernel32.");
            }

            if (_machineType == MachineType.AMD64)
            {
                BuildLoadLibraryW64();
                BuildGetProcAddress64();
            }
            else
            {
                BuildLoadLibraryW86();
                BuildGetProcAddress86();
            }

            _assembler.Dispose();
            _assembler = null;
        }
Пример #3
0
        /// <summary>
        /// Retrieves the handle (memory address) of where the module with a specified name is loaded in the target process.
        /// </summary>
        /// <param name="moduleName">The name of the module (including extension).</param>
        /// <returns>0 if the operation fails, else an address.</returns>
        public IntPtr GetModuleHandleFromName(string moduleName)
        {
            foreach (var module in Safety.TryGetModules(_process))
            {
                if (Path.GetFileName(module.ModulePath) == moduleName)
                {
                    return(module.BaseAddress);
                }
            }

            return(IntPtr.Zero);
        }
Пример #4
0
        /* One off construction functions. */

        private Module GetKernel32InRemoteProcess(Process process)
        {
            foreach (Module module in Safety.TryGetModules(process))
            {
                if (Path.GetFileName(module.ModulePath).Equals("KERNEL32.DLL", StringComparison.InvariantCultureIgnoreCase))
                {
                    return(module);
                }
            }

            throw new ShellCodeGeneratorException("Failed to find Kernel32 in target process' modules.");
        }
Пример #5
0
        /// <summary>
        /// Retrieves the handle (memory address) of where the module with a specified file path is loaded in the target process.
        /// </summary>
        /// <param name="modulePath">The absolute path of the module (including extension).</param>
        /// <returns>0 if the operation fails, else an address.</returns>
        public IntPtr GetModuleHandleFromPath(string modulePath)
        {
            string fullPath = Path.GetFullPath(modulePath);

            foreach (var module in Safety.TryGetModules(_process))
            {
                if (Path.GetFullPath(module.ModulePath) == fullPath)
                {
                    return(module.BaseAddress);
                }
            }

            return(IntPtr.Zero);
        }