/// <summary>
/// Removes the DNCIClrLoader module from the target process's memory by
/// resolving FreeLibrary in the local kernel32 and running it on a remote thread
/// with the module handle as its argument.
/// </summary>
/// <param name="targetProcessHandle">Target Process Handle</param>
/// <param name="dnciModuleHandle">DNCIClrLoader Module Handle</param>
/// <remarks>
/// Review notes: the FreeLibrary address is not checked for IntPtr.Zero before it
/// is used as the remote thread's start routine; the value returned by
/// NativeExecution.CreateRemoteThread (presumably the thread handle) is discarded,
/// so the thread is neither waited on nor closed; and the module is looked up as
/// "Kernel32" here while the companion DNCIClrLoader method uses "kernel32.dll".
/// </remarks>
private void EraseRemoteModules(IntPtr targetProcessHandle, IntPtr dnciModuleHandle)
{
    // Resolve FreeLibrary function pointer into kernel32 address space.
    // NOTE(review): no IntPtr.Zero check — a failed GetModuleHandle/GetProcAddress
    // would be passed straight through as the thread start address.
    IntPtr freeLibraryHandle = NativeExecution.GetProcAddress(NativeExecution.GetModuleHandle("Kernel32"), "FreeLibrary");

    // Unload DNCIClrLoader.dll from Remote Process.
    // NOTE(review): return value is ignored; if the wrapper returns the thread
    // handle it is never closed — confirm against NativeExecution.
    NativeExecution.CreateRemoteThread(targetProcessHandle, IntPtr.Zero, 0, freeLibraryHandle, dnciModuleHandle, 0, IntPtr.Zero);
}
/// <summary>
/// Loads DNCIClrLoader.dll into the target process's memory (via the Inject helper
/// and the local LoadLibraryW address) and returns the module's handle as seen in
/// that process.
/// </summary>
/// <param name="targetProcessHandle">Target Process Handle</param>
/// <param name="injectorLibraryFilePath">DNCIClrLoader.dll File Path</param>
/// <param name="moduleName">Name of Module (usually, FILE_NAME.dll)</param>
/// <returns>
/// Whatever FindRemoteModuleHandle returns for <paramref name="moduleName"/> in the
/// target process; its failure value (presumably IntPtr.Zero) is not checked here —
/// confirm against FindRemoteModuleHandle.
/// </returns>
/// <remarks>
/// Review notes: the LoadLibraryW address is used without an IntPtr.Zero check, the
/// outcome of Inject is not examined before the module lookup, and the kernel32
/// lookup name ("kernel32.dll") differs from the one used in EraseRemoteModules
/// ("Kernel32").
/// </remarks>
private IntPtr DNCIClrLoader(IntPtr targetProcessHandle, String injectorLibraryFilePath, String moduleName)
{
    // Resolve LoadLibraryW function pointer into Kernel32 address space.
    // NOTE(review): no IntPtr.Zero check on either lookup.
    IntPtr loadLibraryWAddr = NativeExecution.GetProcAddress( NativeExecution.GetModuleHandle("kernel32.dll"), "LoadLibraryW" );

    // Inject DNCIClrLoader into Remote Process (helper defined elsewhere in the class).
    Inject(targetProcessHandle, loadLibraryWAddr, injectorLibraryFilePath);

    // Look up the injected module's handle in the remote process. This is the module
    // handle, not the LoadDNA entry point — presumably the caller resolves LoadDNA
    // from it; verify against the caller.
    return(FindRemoteModuleHandle(targetProcessHandle, moduleName));
}