private void EjectDll()
{
// Get address of FreeLibrary function in kernel32.
IntPtr addrFreeLibrary = WinApi.GetProcAddress(_hKernel32, "FreeLibrary");
if (addrFreeLibrary == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
"Cannot find FreeLibrary function in kernel32 module.");
}
// Create remote thread to free library from target process.
int threadId;
IntPtr hThread = WinApi.CreateRemoteThread(_hProcess, IntPtr.Zero, 0, addrFreeLibrary,
_hModule, 0, out threadId);
if (hThread == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
"Error creating remote thread in target process.");
}
// Wait for thread to finish.
int waitRet = WinApi.WaitForSingleObject(hThread, 10000);
if (waitRet == WinApi.WAIT_FAILED)
{
throw new Win32Exception();
}
if (waitRet == WinApi.WAIT_TIMEOUT)
{
throw new TimeoutException();
}
// Clean up.
WinApi.CloseHandle(hThread);
}
private void InjectDll(string dllFileName)
{
bool retValue;
// Get handle to target process.
_hProcess = WinApi.OpenProcess(ProcessAccessFlags.All, false, _procInfo.dwProcessId);
if (_hProcess == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
string.Format("Cannot open process with ID {0}.", _procInfo.dwProcessId));
}
// Get address of LoadLibrary function in kernel32.
_hKernel32 = WinApi.GetModuleHandle("kernel32");
if (_hKernel32 == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
"Cannot get handle to kernel32 module.");
}
// LoadLibraryA (ascii)/LoadLibraryW (unicode)
IntPtr addrLoadLibrary = WinApi.GetProcAddress(_hKernel32, "LoadLibraryA");
if (addrLoadLibrary == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
"Cannot find LoadLibrary function in kernel32 module.");
}
// Write file name of DLL into process memory.
_procBaseAddress = WinApi.VirtualAllocEx(_hProcess, IntPtr.Zero, dllFileName.Length,
WinApi.MEM_COMMIT, WinApi.PAGE_READWRITE);
if (_procBaseAddress == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
"Error allocating virtual memory in target process.");
}
int bytesWritten;
retValue = WinApi.WriteProcessMemory(_hProcess, _procBaseAddress,
Encoding.ASCII.GetBytes(dllFileName), dllFileName.Length, out bytesWritten);
if (!retValue)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
"Error writing DLL file name in target process memory.");
}
// Create remote thread to load library into target process.
IntPtr hThread = WinApi.CreateRemoteThread(_hProcess, IntPtr.Zero, 0, addrLoadLibrary,
_procBaseAddress, 0, out _threadId);
if (hThread == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error(),
"Error creating remote thread in target process.");
}
// Wait for thread to finish.
int waitRet = WinApi.WaitForSingleObject(hThread, 10000);
if (waitRet == WinApi.WAIT_FAILED)
{
throw new Win32Exception();
}
if (waitRet == WinApi.WAIT_TIMEOUT)
{
throw new TimeoutException();
}
// Get handle to loaded module from exit code.
// Note: exit code will be zero unless DLL has already terminated.
int exitCode;
WinApi.GetExitCodeThread(hThread, out exitCode);
_hModule = (IntPtr)exitCode;
// Clean up.
WinApi.VirtualFreeEx(_hProcess, _procBaseAddress, dllFileName.Length, WinApi.MEM_RELEASE);
WinApi.CloseHandle(hThread);
}
