/// <summary>
/// Unloads a previously loaded DLL from the remote process.
/// </summary>
/// <param name="dllAddress">Base address of the DLL inside the remote process.</param>
/// <returns>
/// Always <c>true</c>. This method does not inspect any result of the remote call,
/// so the return value does not confirm that the unload succeeded.
/// </returns>
internal bool Call(IntPtr dllAddress)
{
    // Modules loaded through the loader are released with FreeLibrary in the remote process
    if (_injectionWrapper.InjectionMethod != InjectionMethod.ManualMap)
    {
        _injectionTools.CallRemoteFunction("kernel32.dll", "FreeLibrary", (ulong) dllAddress);

        return true;
    }

    // Manually mapped image: pick the entry point RVA from the optional header
    // that matches the bitness of the remote process
    var entryPointRva = _injectionWrapper.RemoteProcess.IsWow64
        ? _injectionWrapper.PeParser.GetPeHeaders().NtHeaders32.OptionalHeader.AddressOfEntryPoint
        : _injectionWrapper.PeParser.GetPeHeaders().NtHeaders64.OptionalHeader.AddressOfEntryPoint;

    var entryPointAddress = dllAddress.AddOffset(entryPointRva);

    // Notify the DLL that it is being detached before its memory goes away
    _injectionTools.CallRemoteFunction(entryPointAddress, (ulong) dllAddress, Constants.DllProcessDetach, 0);

    // Release the memory region that holds the mapped image in the remote process
    _injectionWrapper.MemoryManager.FreeVirtualMemory(dllAddress);

    return true;
}
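/// <summary>
/// Loads the DLL at <c>_injectionWrapper.DllPath</c> into the remote process by calling
/// LdrLoadDll there, and returns the module handle that the call wrote back.
/// </summary>
/// <returns>The value read from the remote module handle buffer after the call.</returns>
/// <remarks>
/// Every buffer allocated in the remote process is released on all paths, including
/// when a write, the remote call or the read throws.
/// NOTE(review): the outcome of the remote LdrLoadDll call is not inspected here, so the
/// returned handle may be unset when loading failed; confirm how callers validate it.
/// </remarks>
public IntPtr Call()
{
    var dllPathBytes = Encoding.Unicode.GetBytes(_injectionWrapper.DllPath);

    // Size the remote buffer by the encoded byte count. UTF-16 needs two bytes per char,
    // so allocating DllPath.Length bytes would be half of what is written below.
    var dllPathBuffer = _injectionWrapper.MemoryManager.AllocateVirtualMemory(dllPathBytes.Length);

    try
    {
        // Write the DLL path into the remote process
        _injectionWrapper.MemoryManager.WriteVirtualMemory(dllPathBuffer, dllPathBytes);

        // Write a UnicodeString representing the DLL path into the remote process
        var unicodeStringBuffer = _injectionTools.CreateRemoteUnicodeString(dllPathBuffer);

        try
        {
            // Buffer that receives the module handle
            var moduleHandleBuffer = _injectionWrapper.MemoryManager.AllocateVirtualMemory<IntPtr>();

            try
            {
                // Call LdrLoadDll in the remote process
                _injectionTools.CallRemoteFunction("ntdll.dll", "LdrLoadDll", 0, 0, (ulong) unicodeStringBuffer, (ulong) moduleHandleBuffer);

                return _injectionWrapper.MemoryManager.ReadVirtualMemory<IntPtr>(moduleHandleBuffer);
            }

            finally
            {
                _injectionWrapper.MemoryManager.FreeVirtualMemory(moduleHandleBuffer);
            }
        }

        finally
        {
            _injectionWrapper.MemoryManager.FreeVirtualMemory(unicodeStringBuffer);
        }
    }

    finally
    {
        _injectionWrapper.MemoryManager.FreeVirtualMemory(dllPathBuffer);
    }
}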
/// <summary>
/// Calls a DLL entry point or TLS callback in the remote process with the
/// DllProcessAttach reason.
/// </summary>
/// <param name="entryPointAddress">Address of the routine to call in the remote process.</param>
private void CallEntryPoint(IntPtr entryPointAddress)
{
    // The first argument passed to the routine is the remote DLL address held in _remoteDllAddress
    var remoteDllBase = (ulong) _remoteDllAddress;

    _injectionTools.CallRemoteFunction(entryPointAddress, remoteDllBase, Constants.DllProcessAttach, 0);
}