/// <summary>Begins a new transaction to inject and execute assembly code into the process.</summary>
/// <param name="autoExecute">
/// Indicates whether the assembly code is executed once the object is
/// disposed.
/// </param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The return value is a new transaction.</returns>
public AssemblyTransaction BeginTransaction(bool autoExecute = true,
IRemoteThread executingThread = null)
{
return(new AssemblyTransaction(this,
autoExecute,
executingThread));
}
/// <summary>
/// Assembles mnemonics and injects the corresponding assembly code into the remote
/// process.
/// </summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The address where the assembly code is injected.</returns>
public (IAllocatedMemory, ExecutionContext) Inject(string[] asm,
IRemoteThread executingThread = null)
{
return(Inject(string.Join("\n",
asm),
executingThread));
}
/// <summary>Assembles, injects and executes the mnemonics into the remote process.</summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public T InjectAndExecute <T>(string[] asm,
IRemoteThread executingThread = null)
{
return(InjectAndExecute <T>(string.Join("\n",
asm),
executingThread));
}
/// <summary>
/// Assembles, injects and executes asynchronously the mnemonics into the remote process
/// at the specified address.
/// </summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>
/// The return value is an asynchronous operation that return the exit code of the thread
/// created to execute the assembly code.
/// </returns>
public Task <T> InjectAndExecuteAsync <T>(string[] asm,
IntPtr address,
IRemoteThread executingThread)
{
return(Task.Run(() => InjectAndExecute <T>(asm,
address,
executingThread)));
}
/// <summary>
/// Assembles, injects and executes the mnemonics into the remote process at the
/// specified address.
/// </summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public IntPtr InjectAndExecute(string[] asm,
IntPtr address,
IRemoteThread executingThread)
{
return(InjectAndExecute <IntPtr>(asm,
address,
executingThread));
}
/// <summary>Executes the assembly code located in the remote process at the specified address.</summary>
/// <param name="address">The address where the assembly code is located.</param>
/// <param name="callingConvention">
/// The calling convention used to execute the assembly code with
/// the parameters.
/// </param>
/// <param name="executingThread">Thread to hijack.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public IntPtr Execute(IntPtr address,
Native.Types.CallingConventions callingConvention,
IRemoteThread executingThread)
{
return(Execute <IntPtr>(address,
callingConvention,
executingThread));
}
/// <summary>
/// Executes the assembly code located in the remote process at the specified address.
/// </summary>
/// <param name="address">The address where the assembly code is located.</param>
/// <param name="parameter">The parameter used to execute the assembly code.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public T Execute <T>(IntPtr address, dynamic parameter)
{
// Execute and join the code in a new thread
IRemoteThread thread = Process.ThreadFactory.CreateAndJoin(address, parameter);
// Return the exit code of the thread
return(thread.GetExitCode <T>());
}
/// <summary>
/// Assembles, injects and executes asynchronously the mnemonics into the remote process
/// at the specified address.
/// </summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>
/// The return value is an asynchronous operation that return the exit code of the thread
/// created to execute the assembly code.
/// </returns>
public Task <IntPtr> InjectAndExecuteAsync(string[] asm,
IntPtr address,
IRemoteThread executingThread)
{
return(InjectAndExecuteAsync <IntPtr>(asm,
address,
executingThread));
}
/// <summary>Initializes a new instance of the <see cref="AssemblyTransaction" /> class.</summary>
/// <param name="assemblyFactory"></param>
/// <param name="autoExecute">
/// Indicates whether the assembly code is executed once the object is
/// disposed.
/// </param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
public AssemblyTransaction(IAssemblyFactory assemblyFactory,
bool autoExecute,
IRemoteThread executingThread)
: this(assemblyFactory,
IntPtr.Zero,
autoExecute,
executingThread)
{
}
public void Execute(IntPtr baseAddr,
IRemoteThread remoteThread,
params dynamic[] args)
{
Factory.Execute(baseAddr,
Convention,
remoteThread,
args);
}
/// <summary>
/// Assembles mnemonics and injects the corresponding assembly code into the remote
/// process at the specified address.
/// </summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
public ExecutionContext Inject(string[] asm,
IntPtr address,
IRemoteThread executingThread = null)
{
return(Inject(string.Join("\n",
asm),
address,
executingThread));
}
/// <summary>
/// Assembles, injects and executes the mnemonics into the remote process at the
/// specified address.
/// </summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public T InjectAndExecute <T>(string[] asm,
IntPtr address,
IRemoteThread executingThread)
{
return(InjectAndExecute <T>(string.Join("\n",
asm),
address,
executingThread));
}
public TRet Execute <TRet>(IntPtr baseAddr,
IRemoteThread remoteThread,
params dynamic[] args)
{
return(Factory.Execute <TRet>(baseAddr,
Convention,
remoteThread,
args));
}
/// <summary>
/// Executes asynchronously the assembly code located in the remote process at the
/// specified address.
/// </summary>
/// <param name="address">The address where the assembly code is located.</param>
/// <param name="callingConvention">
/// The calling convention used to execute the assembly code with
/// the parameters.
/// </param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <param name="parameters">An array of parameters used to execute the assembly code.</param>
/// <returns>
/// The return value is an asynchronous operation that return the exit code of the thread
/// created to execute the assembly code.
/// </returns>
public Task <IntPtr> ExecuteAsync(IntPtr address,
Native.Types.CallingConventions callingConvention,
IRemoteThread executingThread = null,
params dynamic[] parameters)
{
return(ExecuteAsync <IntPtr>(address,
callingConvention,
executingThread,
parameters));
}
/// <summary>Initializes a new instance of the <see cref="AssemblyTransaction" /> class.</summary>
/// <param name="assemblyFactory"></param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="autoExecute">
/// Indicates whether the assembly code is executed once the object is
/// disposed.
/// </param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
public AssemblyTransaction(IAssemblyFactory assemblyFactory,
IntPtr address,
bool autoExecute,
IRemoteThread executingThread)
{
_assemblyFactory = assemblyFactory;
_executingThread = executingThread;
IsAutoExecuted = autoExecute;
Address = address;
// Initialize the string builder
_mnemonics = new StringBuilder();
}
/// <summary>
/// Assembles, injects and executes the mnemonics into the remote process at the
/// specified address.
/// </summary>
/// <param name="asm">The mnemonics to inject.</param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public T InjectAndExecute <T>(string asm,
IntPtr address,
IRemoteThread executingThread)
{
// Inject the assembly code
var execContext = Inject(asm,
address,
executingThread);
// Execute the code
return(Execute <T>(address,
execContext));
}
/// <summary>
/// Assembles mnemonics and injects the corresponding assembly code into the remote
/// process at the specified address.
/// </summary>
/// <param name="userAsm">The mnemonics to inject.</param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
public ExecutionContext Inject(string userAsm,
IntPtr address,
IRemoteThread executingThread = null)
{
var(asm, assembleAddr) = AdjustAsm(userAsm,
address,
executingThread);
var asmBytes = Assembler.Assemble(asm,
assembleAddr);
return(Inject(asmBytes,
address,
executingThread));
}
private (byte[] asmBytes, int signalAddr, int retAddr) InjectThreadHijack(
byte[] asmBytes,
IntPtr address,
IRemoteThread executingThread = null)
{
int signalAddr = 0;
int retAddr = 0;
if (executingThread != null)
{
// TODO: This may cause an issue if execution is delayed
if (executingThread.Suspend() == null)
{
throw new InvalidOperationException("Thread is terminated");
}
var threadContext = executingThread.Context;
int restoreEip = threadContext.Eip;
signalAddr = address.ToInt32() + asmBytes.Length + ThreadHijackByteCodeLength;
retAddr = address.ToInt32() + asmBytes.Length + ThreadHijackByteCodeLength + 1;
threadContext.Eip = address.ToInt32();
executingThread.Context = threadContext;
StringBuilder preAsmBuilder = new StringBuilder();
preAsmBuilder.AppendLine("pushad");
preAsmBuilder.AppendLine("pushfd");
StringBuilder postAsmBuilder = new StringBuilder();
postAsmBuilder.AppendLine($"mov BYTE [0x{signalAddr:X8}], 1");
postAsmBuilder.AppendLine($"mov DWORD [0x{retAddr:X8}], eax");
postAsmBuilder.AppendLine("popfd");
postAsmBuilder.AppendLine("popad");
postAsmBuilder.AppendLine($"push {restoreEip}");
postAsmBuilder.AppendLine("retn");
var preAsmBytes = Assembler.Assemble(preAsmBuilder.ToString());
var postAsmBytes = Assembler.Assemble(postAsmBuilder.ToString());
asmBytes = Combine(preAsmBytes,
asmBytes,
postAsmBytes);
}
return(asmBytes, signalAddr, retAddr);
}
/// <summary>Assembles, injects and executes the mnemonics into the remote process.</summary>
/// <param name="asm">The mnemonics to inject.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public T InjectAndExecute <T>(string asm,
IRemoteThread executingThread = null)
{
// Inject the assembly code
var(memory, execContext) = Inject(asm,
executingThread);
try
{
// Execute the code
var ret = Execute <T>(memory.BaseAddress,
execContext);
return(ret);
}
finally
{
memory?.Dispose();
}
}
/// <summary>
/// Assembles mnemonics and injects the corresponding assembly code into the remote
/// process.
/// </summary>
/// <param name="asm">The mnemonics to inject.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The address where the assembly code is injected.</returns>
public (IAllocatedMemory, ExecutionContext) Inject(string asm,
IRemoteThread executingThread = null)
{
// Assemble the assembly code
var asmBytes = Assembler.Assemble(asm);
// Adjust length for optional thread hijacking byte code
int codeLength = asmBytes.Length + (executingThread == null ? 0 : ThreadHijackByteCodeAndDataLength);
// Allocate a chunk of memory to store the assembly code
var memory = Process.MemoryFactory.Allocate(Randomizer.GenerateString(),
codeLength);
// Inject the code
var execContext = Inject(asm,
memory.BaseAddress,
executingThread);
// Return the memory allocated
return(memory, execContext);
}
/// <summary>Executes the assembly code located in the remote process at the specified address.</summary>
/// <param name="address">The address where the assembly code is located.</param>
/// <param name="callingConvention">
/// The calling convention used to execute the assembly code with
/// the parameters.
/// </param>
/// <param name="executingThread">Thread to hijack.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public T Execute <T>(IntPtr address,
Native.Types.CallingConventions callingConvention,
IRemoteThread executingThread)
{
// Start a transaction
AssemblyTransaction t;
using (t = BeginTransaction(true,
executingThread))
{
// Get the object dedicated to create mnemonics for the given calling convention
var calling = CallingConventionSelector.Get(callingConvention);
// Call the function
t.AddLine(calling.FormatCalling(address));
// Add the return mnemonic
t.AddLine("retn");
}
return(t.GetExitCode <T>());
}
/// <summary>Executes the assembly code located in the remote process at the specified address.</summary>
/// <param name="address">The address where the assembly code is located.</param>
/// <param name="callingConvention">
/// The calling convention used to execute the assembly code with
/// the parameters.
/// </param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <param name="parameters">An array of parameters used to execute the assembly code.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public T Execute <T>(IntPtr address,
Native.Types.CallingConventions callingConvention,
IRemoteThread executingThread = null,
params dynamic[] parameters)
{
// Marshal the parameters
var marshalledParameters =
parameters.Select(p => MarshalValue.Marshal(Process,
p)).Cast <IMarshalledValue>().ToArray();
// Start a transaction
AssemblyTransaction t;
using (t = BeginTransaction(true,
executingThread))
{
// Get the object dedicated to create mnemonics for the given calling convention
var calling = CallingConventionSelector.Get(callingConvention);
// Push the parameters
t.AddLine(calling.FormatParameters(marshalledParameters.Select(p => p.Reference).ToArray()));
// Call the function
t.AddLine(calling.FormatCalling(address));
// Clean the parameters
if (calling.Cleanup == CleanupTypes.Caller)
{
t.AddLine(calling.FormatCleaning(marshalledParameters.Length));
}
// Add the return mnemonic
t.AddLine("retn");
}
// Clean the marshalled parameters
foreach (var parameter in marshalledParameters)
{
parameter.Dispose();
}
// Return the exit code
return(t.GetExitCode <T>());
}
/// <summary>
/// Assembles mnemonics and injects the corresponding assembly code into the remote
/// process at the specified address.
/// </summary>
/// <param name="asmBytes"></param>
/// <param name="address">The address where the assembly code is injected.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
private ExecutionContext Inject(byte[] asmBytes,
IntPtr address,
IRemoteThread executingThread)
{
int signalAddr = 0;
int retAddr = 0;
if (executingThread != null)
{
(asmBytes, signalAddr, retAddr) = InjectThreadHijack(asmBytes,
address,
executingThread);
}
Process.Memory.Write(address,
asmBytes);
return(new ExecutionContext
{
Thread = executingThread,
SignalAddr = new IntPtr(signalAddr),
RetAddr = new IntPtr(retAddr)
});
}
private (string asm, IntPtr assembleAddr) AdjustAsm(string asm,
IntPtr address,
IRemoteThread executingThread)
{
if (executingThread != null)
{
asm = asm.TrimEnd('\n',
'\r',
' ',
'\t');
if (asm.EndsWith("retn"))
{
asm = asm.Substring(0,
asm.Length - 4);
}
// TODO: Replace any retn inside asm with a jmp
address = new IntPtr(address.ToInt32() + ThreadHijackBytePreCodeLength);
}
return(asm, address);
}
/// <summary>
/// Initializes a new instance of the <see cref="FrozenThread" /> class.
/// </summary>
/// <param name="thread">The frozen thread.</param>
public FrozenThread(IRemoteThread thread)
{
// Save the parameter
Thread = thread;
}
/// <summary>
/// Executes asynchronously the assembly code located in the remote process at the
/// specified address.
/// </summary>
/// <param name="address">The address where the assembly code is located.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>
/// The return value is an asynchronous operation that return the exit code of the thread
/// created to execute the assembly code.
/// </returns>
public Task <T> ExecuteAsync <T>(IntPtr address,
IRemoteThread executingThread = null)
{
return(Task.Run(() => Execute <T>(address,
executingThread)));
}
/// <summary>
/// Executes asynchronously the assembly code located in the remote process at the
/// specified address.
/// </summary>
/// <param name="address">The address where the assembly code is located.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>
/// The return value is an asynchronous operation that return the exit code of the thread
/// created to execute the assembly code.
/// </returns>
public Task <IntPtr> ExecuteAsync(IntPtr address,
IRemoteThread executingThread = null)
{
return(ExecuteAsync <IntPtr>(address,
executingThread));
}
/// <summary>Assembles, injects and executes asynchronously the mnemonics into the remote process.</summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>
/// The return value is an asynchronous operation that return the exit code of the thread
/// created to execute the assembly code.
/// </returns>
public Task <T> InjectAndExecuteAsync <T>(string[] asm,
IRemoteThread executingThread = null)
{
return(Task.Run(() => InjectAndExecute <T>(asm,
executingThread)));
}
/// <summary>Assembles, injects and executes asynchronously the mnemonics into the remote process.</summary>
/// <param name="asm">The mnemonics to inject.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>
/// The return value is an asynchronous operation that return the exit code of the thread
/// created to execute the assembly code.
/// </returns>
public Task <IntPtr> InjectAndExecuteAsync(string asm,
IRemoteThread executingThread = null)
{
return(InjectAndExecuteAsync <IntPtr>(asm,
executingThread));
}
/// <summary>Assembles, injects and executes the mnemonics into the remote process.</summary>
/// <param name="asm">An array containing the mnemonics to inject.</param>
/// <param name="executingThread">Thread to hijack. Will create a new thread if null.</param>
/// <returns>The return value is the exit code of the thread created to execute the assembly code.</returns>
public IntPtr InjectAndExecute(string[] asm,
IRemoteThread executingThread = null)
{
return(InjectAndExecute <IntPtr>(asm,
executingThread));
}