/// <summary> /// Removes from Target Process Memory the DNCIClrLoader /// </summary> /// <param name="targetProcessHandle">Target Process Handle</param> /// <param name="dnciModuleHandle">DNCIClrLoader Module Handle</param> private void EraseRemoteModules(IntPtr targetProcessHandle, IntPtr dnciModuleHandle) { // Resolve FreeLibrary function pointer into kernel32 address space IntPtr freeLibraryHandle = NativeExecution.GetProcAddress(NativeExecution.GetModuleHandle("Kernel32"), "FreeLibrary"); // Unload DNCIClrLoader.dll from Remote Process NativeExecution.CreateRemoteThread(targetProcessHandle, IntPtr.Zero, 0, freeLibraryHandle, dnciModuleHandle, 0, IntPtr.Zero); }
/// <summary> /// Inject the "functionPointer" with "parameters" into Remote Process /// </summary> /// <param name="processHandle">Remote Process Handle</param> /// <param name="functionPointer">LoadLibraryW Function Pointer</param> /// <param name="clrLoaderFullPath">DNCIClrLoader.exe Full Path</param> private Int32 Inject(IntPtr processHandle, IntPtr functionPointer, String parameters) { // Set Array to Write byte[] toWriteData = Encoding.Unicode.GetBytes(parameters); // Compute Required Space on Remote Process uint requiredRemoteMemorySize = (uint)( (toWriteData.Length) * Marshal.SizeOf(typeof(char)) ) + (uint)Marshal.SizeOf(typeof(char)); // Alocate Required Memory Space on Remote Process IntPtr allocMemAddress = NativeExecution.VirtualAllocEx( processHandle, IntPtr.Zero, requiredRemoteMemorySize, NativeConstants.MEM_RESERVE | NativeConstants.MEM_COMMIT, NativeConstants.PAGE_READWRITE ); // Write Argument on Remote Process UIntPtr bytesWritten; bool success = NativeExecution.WriteProcessMemory( processHandle, allocMemAddress, toWriteData, requiredRemoteMemorySize, out bytesWritten ); // Create Remote Thread IntPtr createRemoteThread = NativeExecution.CreateRemoteThread( processHandle, IntPtr.Zero, 0, functionPointer, allocMemAddress, 0, IntPtr.Zero ); // Wait Thread to Exit NativeExecution.WaitForSingleObject(createRemoteThread, NativeConstants.INFINITE); // Release Memory in Remote Process NativeExecution.VirtualFreeEx(processHandle, allocMemAddress, 0, NativeConstants.MEM_RELEASE); // Get Thread Exit Code Int32 exitCode; NativeExecution.GetExitCodeThread(createRemoteThread, out exitCode); // Close Remote Handle NativeExecution.CloseHandle(createRemoteThread); return(exitCode); }