private static bool doCreateRemoteThread(Process pToBeInjected, string sDllPath, out string sError, out IntPtr hwnd)
{
try
{
sError = "";
IntPtr hProcess = WINAPI.OpenProcess(0x43a, 1, (uint)pToBeInjected.Id);
hwnd = hProcess;
if (hProcess == IntPtr.Zero)
{
Console.WriteLine("Error: dCRT Code: " + Marshal.GetLastWin32Error());
return(false);
}
IntPtr procAddress = WINAPI.GetProcAddress(WINAPI.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (procAddress == IntPtr.Zero)
{
Console.WriteLine("Unable to find address of \"LoadLibraryA\".\n");
Console.WriteLine("Error code: " + Marshal.GetLastWin32Error());
return(false);
}
IntPtr lpBaseAddress = WINAPI.VirtualAllocEx(hProcess, IntPtr.Zero, (IntPtr)sDllPath.Length, 0x3000, 0x40);
if ((lpBaseAddress == IntPtr.Zero) && (lpBaseAddress == IntPtr.Zero))
{
Console.WriteLine("Unable to allocate memory to target process.\n");
Console.WriteLine("Error code: " + Marshal.GetLastWin32Error());
return(false);
}
byte[] byteLength = GetByteLength(sDllPath);
IntPtr zero = IntPtr.Zero;
WINAPI.WriteProcessMemory(hProcess, lpBaseAddress, byteLength, (uint)byteLength.Length, out zero);
//if (Marshal.GetLastWin32Error() != 0)
//{
// sError = "Unable to write memory to process.";
// sError = sError + "Error code: " + Marshal.GetLastWin32Error();
// return false;
//}
if (WINAPI.CreateRemoteThread(hProcess, IntPtr.Zero, IntPtr.Zero, procAddress, lpBaseAddress, 0, IntPtr.Zero) == IntPtr.Zero)
{
Console.WriteLine("Memoryspace Error on LOAD_DLL\n");
Console.WriteLine("Error code: " + Marshal.GetLastWin32Error());
return(false);
}
WINAPI.VirtualFreeEx(hProcess, IntPtr.Zero, UIntPtr.Zero, 0x8000);
return(true);
}
catch (Exception exception)
{
sError = "";
hwnd = IntPtr.Zero;
Console.WriteLine(exception.ToString());
return(false);
}
}
public static bool InjectDLL(IntPtr hProcess, String strDLLName)
{
IntPtr bytesout;
// Length of string containing the DLL file name +1 byte padding
Int32 LenWrite = strDLLName.Length + 1;
// Allocate memory within the virtual address space of the target process
IntPtr AllocMem = (IntPtr)WINAPI.VirtualAllocEx(hProcess, (IntPtr)null, (uint)LenWrite, 0x1000, 0x40);
// Write DLL file name to allocated memory in target process
WINAPI.WriteProcessMemory(hProcess, AllocMem, strDLLName, (UIntPtr)LenWrite, out bytesout);
// Function pointer "Injector"
UIntPtr Injector = (UIntPtr)WINAPI.GetProcAddress(WINAPI.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (Injector == null)
{
throw new Exception("GetProcAddress failed!\n\n Call tech support.");
}
// Create thread in target process, and store handle in hThread
IntPtr hThread = (IntPtr)WINAPI.CreateRemoteThread(hProcess, (IntPtr)null, 0, Injector, AllocMem, 0, out bytesout);
// Make sure thread handle is valid
if (hThread == null)
{
//incorrect thread handle ... return failed
throw new Exception("CreateRemoteThread failed!\n\n Call tech support.");
}
// Time-out is 10 seconds...
int Result = WINAPI.WaitForSingleObject(hThread, 10 * 1000);
// Check whether thread timed out...
if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
{
// Make sure thread handle is valid before closing... prevents crashes.
if (hThread != null)
{
//Close thread in target process
WINAPI.CloseHandle(hThread);
}
/* Thread timed out... */
throw new Exception("WaitForSingleObject failed!\n\n Call tech support.");
}
// Sleep thread so as not to crash host
Thread.Sleep(5000);
// Clear up allocated space ( Allocmem )
WINAPI.VirtualFreeEx(hProcess, AllocMem, (UIntPtr)0, 0x8000);
// Make sure thread handle is valid before closing... prevents crashes.
if (hThread != null)
{
//Close thread in target process
WINAPI.CloseHandle(hThread);
}
return(true);
}