/// <summary>
/// Loads the DLL at <paramref name="dllPath"/> into the process behind <paramref name="processHandle"/>:
/// a UTF-16 copy of the path is written into the target's address space and a remote thread is started
/// with kernel32!LoadLibraryW as its start routine and that buffer as its argument.
/// </summary>
/// <param name="processHandle">Handle to the target process. The access rights it needs are whatever the
/// allocation, write and thread-creation calls below require; nothing is validated here.</param>
/// <param name="dllPath">Path of the DLL to load; written as UTF-16 (length * 2 + 2 bytes, including the terminator).</param>
/// <returns><c>true</c> when the remote thread's exit code (LoadLibraryW's return value) is non-zero;
/// <c>false</c> when allocation, the write or thread creation fails.</returns>
/// <remarks>
/// Review notes: the path buffer is allocated <c>ExecuteRead</c> although it only ever holds string data;
/// <c>pLoadLibrary</c> is handed to <c>CreateRemoteThread</c> without a null check; the return value of
/// <c>GetExitCodeThread</c> is ignored (the managed overloads on this page do check it); and the thread
/// handle is never closed, so each call leaks one handle. From a defensive standpoint this is the textbook
/// remote-thread / LoadLibraryW sequence — cross-process allocation and write followed by a remote thread
/// whose start address is LoadLibraryW — which is exactly the event chain endpoint telemetry is built to surface.
/// </remarks>
internal static bool InjectUnmanagedInternal(void *processHandle, string dllPath) {
    void *pLoadLibrary;
    void *pDllPath;
    void *threadHandle;
    uint exitCode;
    // Resolve LoadLibraryW for use as the remote thread's start address.
    // NOTE(review): how GetFunctionAddressInternal maps the address into the target process is not visible here — confirm it is not simply the local address.
    pLoadLibrary = NativeModule.GetFunctionAddressInternal(processHandle, "kernel32.dll", "LoadLibraryW");
    // Buffer for the UTF-16 path plus a two-byte terminator.
    pDllPath = NativeProcess.AllocMemoryInternal(processHandle, (uint)dllPath.Length * 2 + 2, MemoryProtection.ExecuteRead);
    try {
        if (pDllPath == null) {
            return(false);
        }
        if (!NativeProcess.WriteStringInternal(processHandle, pDllPath, dllPath, Encoding.Unicode)) {
            return(false);
        }
        // The remote thread calls LoadLibraryW(pDllPath); its exit code is LoadLibraryW's return value.
        threadHandle = CreateRemoteThread(processHandle, null, 0, pLoadLibrary, pDllPath, 0, null);
        if (threadHandle == null) {
            return(false);
        }
        // Block until the remote thread finishes (no timeout).
        WaitForSingleObject(threadHandle, INFINITE);
        // NOTE(review): the bool result of GetExitCodeThread is discarded; on failure exitCode keeps its default of 0.
        GetExitCodeThread(threadHandle, out exitCode);
        // LoadLibraryW returns a non-zero module handle on success, 0 on failure.
        return(exitCode != 0);
    } finally {
        // The remote copy of the path is no longer needed once the thread has run.
        // NOTE(review): this is also reached when pDllPath is null; FreeMemoryInternal is assumed to tolerate that.
        NativeProcess.FreeMemoryInternal(processHandle, pDllPath);
    }
}
/// <summary>
/// Runs a static method of a managed assembly inside the target process: the process-bitness-appropriate
/// <c>mscoree.dll</c> is first loaded via <see cref="InjectUnmanagedInternal"/>, a CLR bootstrap stub is
/// written into the target with <c>WriteMachineCode</c>, and a remote thread executes that stub.
/// </summary>
/// <param name="processHandle">Handle to the target process (required access rights are not validated here).</param>
/// <param name="assemblyPath">Path of the assembly; resolved to an absolute path before use.</param>
/// <param name="typeName">Type that contains the method to invoke.</param>
/// <param name="methodName">Method to invoke on <paramref name="typeName"/>.</param>
/// <param name="argument">String argument passed to the invoked method; may be null (see <c>WriteMachineCode</c>).</param>
/// <param name="returnValue">When <paramref name="wait"/> is true and everything succeeds, the Int32 read back from
/// <c>pEnvironment + ReturnValueOffset</c> after the thread exits; otherwise 0.</param>
/// <param name="wait">When true, blocks until the remote thread exits, reads the return value and frees the stub memory.
/// When false, returns immediately after the thread is created and the stub memory is intentionally left allocated because the thread may still be using it.</param>
/// <returns><c>true</c> on success. In the waiting path success additionally requires the remote thread's exit code to be 0.</returns>
/// <exception cref="NotSupportedException">Thrown when <paramref name="assemblyPath"/> is not recognised as a .NET assembly.</exception>
/// <remarks>
/// Review notes: the thread handle is never closed (handle leak per call); in the waiting path the stub memory is only
/// freed when every preceding step succeeds, so a failed <c>GetExitCodeThread</c> or <c>ReadInt32Internal</c> leaks it;
/// and <c>Environment.GetEnvironmentVariable("SystemRoot")</c> can return null, which makes <c>Path.Combine</c> throw.
/// This overload differs from the <c>void*</c> one below in choosing <c>SysWOW64\mscoree.dll</c> for WoW64 targets
/// instead of always passing the <c>System32</c> path.
/// </remarks>
internal static bool InjectManagedInternal(IntPtr processHandle, string assemblyPath, string typeName, string methodName, string argument, out int returnValue, bool wait) {
    bool isAssembly;
    bool isWow64;
    string clrVersion;
    IntPtr pEnvironment;
    IntPtr threadHandle;
    uint exitCode;
    returnValue = 0;
    // Normalise to an absolute path: the target process has its own working directory.
    assemblyPath = Path.GetFullPath(assemblyPath);
    // Also yields the CLR version string the assembly targets, which selects the bootstrap stub.
    IsAssembly(assemblyPath, out isAssembly, out clrVersion);
    if (!isAssembly) {
        throw new NotSupportedException("Not a valid .NET assembly.");
    }
    if (!IsWow64Process(processHandle, out isWow64)) {
        return(false);
    }
    // Load the mscoree.dll matching the target's bitness so its exports can be resolved by WriteMachineCode.
    if (!InjectUnmanagedInternal(processHandle, Path.Combine(Environment.GetEnvironmentVariable("SystemRoot"), isWow64 ? @"SysWOW64\mscoree.dll" : @"System32\mscoree.dll"))) {
        return(false);
    }
    // Address in the target of the stub that starts the CLR and invokes the method.
    pEnvironment = WriteMachineCode(processHandle, clrVersion, assemblyPath, typeName, methodName, argument);
    if (pEnvironment == IntPtr.Zero) {
        return(false);
    }
    // The stub receives its own return-value slot (pEnvironment + ReturnValueOffset) as the thread parameter.
    threadHandle = CreateRemoteThread(processHandle, null, 0, pEnvironment, (IntPtr)((byte *)pEnvironment + ReturnValueOffset), 0, null);
    if (threadHandle == IntPtr.Zero) {
        return(false);
    }
    if (wait) {
        // Block until the remote thread finishes (no timeout).
        WaitForSingleObject(threadHandle, INFINITE);
        if (!GetExitCodeThread(threadHandle, out exitCode)) {
            return(false);
        }
        // Read back the invoked method's return value from the slot the stub was given.
        if (!NativeProcess.ReadInt32Internal(processHandle, (IntPtr)((byte *)pEnvironment + ReturnValueOffset), out returnValue)) {
            return(false);
        }
        if (!NativeProcess.FreeMemoryInternal(processHandle, pEnvironment)) {
            return(false);
        }
        // A zero exit code from the stub is treated as success — presumably the stub's own status, not the method's result; confirm against the stub template.
        return(exitCode == 0);
    }
    return(true);
}
/// <summary>
/// Runs a static method of a managed assembly inside the target process, selecting the CLR version
/// explicitly or (with <see cref="InjectionClrVersion.Auto"/>) from the assembly's own metadata:
/// <c>mscoree.dll</c> is loaded via <see cref="InjectUnmanagedInternal"/>, a CLR bootstrap stub is
/// written with <c>WriteMachineCode</c>, and a remote thread executes it.
/// </summary>
/// <param name="processHandle">Handle to the target process (required access rights are not validated here).</param>
/// <param name="assemblyPath">Path of the assembly; resolved to an absolute path before use.</param>
/// <param name="typeName">Type that contains the method to invoke.</param>
/// <param name="methodName">Method to invoke on <paramref name="typeName"/>.</param>
/// <param name="argument">String argument passed to the invoked method; may be null (see <c>WriteMachineCode</c>).</param>
/// <param name="clrVersion">CLR to host; <see cref="InjectionClrVersion.Auto"/> uses the version reported by <c>IsAssembly</c>.</param>
/// <param name="returnValue">When <paramref name="wait"/> is true and everything succeeds, the Int32 read back from
/// <c>pEnvironment + ReturnValueOffset</c> after the thread exits; otherwise 0.</param>
/// <param name="wait">When true, blocks until the remote thread exits, reads the return value and frees the stub memory.
/// When false, returns right after thread creation and leaves the stub memory allocated for the still-running thread.</param>
/// <returns><c>true</c> on success. In the waiting path success additionally requires the remote thread's exit code to be 0.</returns>
/// <exception cref="NotSupportedException">Thrown when <paramref name="assemblyPath"/> is not recognised as a .NET assembly.</exception>
/// <remarks>
/// Review notes: the thread handle is never closed; in the waiting path the stub memory leaks whenever
/// <c>GetExitCodeThread</c> or <c>ReadInt32Internal</c> fails; <c>Environment.GetEnvironmentVariable("SystemRoot")</c>
/// may be null and would make <c>Path.Combine</c> throw. Unlike the <c>IntPtr</c> overload, this one always passes
/// the <c>System32\mscoree.dll</c> path regardless of target bitness — presumably relying on the target's own
/// file-system redirection; confirm this against 32-bit targets.
/// </remarks>
internal static bool InjectManagedInternal(void *processHandle, string assemblyPath, string typeName, string methodName, string argument, InjectionClrVersion clrVersion, out int returnValue, bool wait) {
    returnValue = 0;
    // Normalise to an absolute path: the target process has its own working directory.
    assemblyPath = Path.GetFullPath(assemblyPath);
    // clrVersionTemp is the version the assembly itself targets; it only wins when the caller asked for Auto.
    IsAssembly(assemblyPath, out bool isAssembly, out var clrVersionTemp);
    if (clrVersion == InjectionClrVersion.Auto) {
        clrVersion = clrVersionTemp;
    }
    if (!isAssembly) {
        throw new NotSupportedException("Not a valid .NET assembly.");
    }
    // Load mscoree.dll into the target so WriteMachineCode can resolve its exports (original comment: load the mscoree.dll matching the process bitness).
    if (!InjectUnmanagedInternal(processHandle, Path.Combine(Environment.GetEnvironmentVariable("SystemRoot"), @"System32\mscoree.dll"))) {
        return(false);
    }
    // Address in the target of the stub that starts the CLR and invokes the method.
    void *pEnvironment = WriteMachineCode(processHandle, clrVersion, assemblyPath, typeName, methodName, argument);
    if (pEnvironment == null) {
        return(false);
    }
    // The stub receives its own return-value slot (pEnvironment + ReturnValueOffset) as the thread parameter.
    void *threadHandle = CreateRemoteThread(processHandle, null, 0, pEnvironment, (byte *)pEnvironment + ReturnValueOffset, 0, null);
    if (threadHandle == null) {
        return(false);
    }
    if (wait) {
        // Block until the remote thread finishes (no timeout).
        WaitForSingleObject(threadHandle, INFINITE);
        if (!GetExitCodeThread(threadHandle, out uint exitCode)) {
            return(false);
        }
        // Read back the invoked method's return value from the slot the stub was given.
        if (!NativeProcess.ReadInt32Internal(processHandle, (byte *)pEnvironment + ReturnValueOffset, out returnValue)) {
            return(false);
        }
        if (!NativeProcess.FreeMemoryInternal(processHandle, pEnvironment)) {
            return(false);
        }
        // A zero exit code from the stub is treated as success — presumably the stub's own status, not the method's result; confirm against the stub template.
        return(exitCode == 0);
    }
    return(true);
}
/// <summary>
/// Builds the CLR bootstrap stub for the requested <paramref name="clrVersion"/> and target bitness, patches the
/// stub's absolute addresses (its own base and the mscoree entry point it calls), and writes it into a freshly
/// allocated executable region of the target process.
/// </summary>
/// <param name="processHandle">Handle to the target process.</param>
/// <param name="clrVersion">Must be <see cref="InjectionClrVersion.V2"/> or <see cref="InjectionClrVersion.V4"/>; the string template
/// is chosen from <c>CLR_V2</c> / <c>CLR_V4</c> accordingly.</param>
/// <param name="assemblyPath">Absolute path of the assembly embedded into the stub's data area.</param>
/// <param name="typeName">Type name embedded into the stub.</param>
/// <param name="methodName">Method name embedded into the stub.</param>
/// <param name="argument">Optional argument string; null means no extra space is reserved for it.</param>
/// <returns>The target-side base address of the stub, or <c>null</c> when bitness detection, allocation, export
/// resolution or the write fails.</returns>
/// <exception cref="ArgumentOutOfRangeException">Thrown for any <paramref name="clrVersion"/> other than V2 or V4
/// (including <see cref="InjectionClrVersion.Auto"/>, which callers are expected to have resolved already).</exception>
/// <remarks>
/// Review notes: the early <c>return(null)</c> paths inside the <c>try</c> (unresolved mscoree export) do not free
/// <c>pEnvironment</c> — only the <c>catch</c> does — so those paths leak the remote allocation. The region is
/// allocated <c>ExecuteReadWrite</c>; a fresh RWX private allocation that then becomes a remote thread's start
/// address is one of the strongest signals endpoint monitoring uses to flag this technique.
/// </remarks>
private static void *WriteMachineCode(void *processHandle, InjectionClrVersion clrVersion, string assemblyPath, string typeName, string methodName, string argument) {
    bool is64Bit;
    string clrVersionString;
    byte[] machineCode;
    void * pEnvironment;
    void * pCorBindToRuntimeEx;
    void * pCLRCreateInstance;
    // The stub layout depends on the target's bitness, not the injector's.
    if (!NativeProcess.Is64BitProcessInternal(processHandle, out is64Bit)) {
        return(null);
    }
    // Rejecting unknown versions here also guarantees the switch below needs no default case.
    clrVersionString = clrVersion switch {
        InjectionClrVersion.V2 => CLR_V2,
        InjectionClrVersion.V4 => CLR_V4,
        _ => throw new ArgumentOutOfRangeException(nameof(clrVersion)),
    };
    machineCode = GetMachineCodeTemplate(clrVersionString, assemblyPath, typeName, methodName, argument);
    // 0x1000 bytes for the stub and its strings, plus room for the UTF-16 argument and its terminator.
    // NOTE(review): the 0x1000 figure is assumed to cover what GetMachineCodeTemplate produces — nothing here checks machineCode.Length against it.
    pEnvironment = NativeProcess.AllocMemoryInternal(processHandle, 0x1000 + (argument is null ? 0 : (uint)argument.Length * 2 + 2), MemoryProtection.ExecuteReadWrite);
    if (pEnvironment == null) {
        return(null);
    }
    try {
        // Patch absolute addresses into the template in place before it is copied over.
        fixed(byte *p = machineCode)
            switch (clrVersion) {
                case InjectionClrVersion.V2:
                    // v2 hosting goes through CorBindToRuntimeEx.
                    pCorBindToRuntimeEx = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CorBindToRuntimeEx");
                    if (pCorBindToRuntimeEx == null) {
                        return(null);
                    }
                    if (is64Bit) {
                        WriteMachineCode64v2(p, (ulong)pEnvironment, (ulong)pCorBindToRuntimeEx);
                    } else {
                        WriteMachineCode32v2(p, (uint)pEnvironment, (uint)pCorBindToRuntimeEx);
                    }
                    break;
                case InjectionClrVersion.V4:
                    // v4 hosting goes through CLRCreateInstance.
                    pCLRCreateInstance = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CLRCreateInstance");
                    if (pCLRCreateInstance == null) {
                        return(null);
                    }
                    if (is64Bit) {
                        WriteMachineCode64v4(p, (ulong)pEnvironment, (ulong)pCLRCreateInstance);
                    } else {
                        WriteMachineCode32v4(p, (uint)pEnvironment, (uint)pCLRCreateInstance);
                    }
                    break;
            }
        if (!NativeProcess.WriteBytesInternal(processHandle, pEnvironment, machineCode)) {
            return(null);
        }
    } catch {
        // Best-effort cleanup on an unexpected failure; the exception itself is deliberately swallowed and reported as null.
        NativeProcess.FreeMemoryInternal(processHandle, pEnvironment);
        return(null);
    }
    return(pEnvironment);
}
/// <summary>
/// <see cref="IntPtr"/>-based variant of the stub builder, selecting the CLR by its version string rather than the
/// <c>InjectionClrVersion</c> enum: builds the bootstrap stub for the target's bitness, patches its absolute
/// addresses, and writes it into a freshly allocated executable region of the target process.
/// </summary>
/// <param name="processHandle">Handle to the target process.</param>
/// <param name="clrVersion">Either <c>"v2.0.50727"</c> or <c>"v4.0.30319"</c>; anything else yields <see cref="IntPtr.Zero"/>.</param>
/// <param name="assemblyPath">Absolute path of the assembly embedded into the stub's data area.</param>
/// <param name="typeName">Type name embedded into the stub.</param>
/// <param name="methodName">Method name embedded into the stub.</param>
/// <param name="argument">Optional argument string; null means no extra space is reserved for it.</param>
/// <returns>The target-side base address of the stub, or <see cref="IntPtr.Zero"/> when bitness detection, allocation,
/// export resolution, the version string or the write fails.</returns>
/// <remarks>
/// Review notes: unlike the enum-based overload, an unsupported version string is detected only after the remote
/// region has been allocated, and that <c>default</c> branch — like the unresolved-export branches — returns without
/// freeing <c>pEnvironment</c>, so those paths leak the allocation (only the <c>catch</c> frees it). The version
/// strings are duplicated here as literals rather than taken from the <c>CLR_V2</c>/<c>CLR_V4</c> constants the
/// other overload uses. The region is allocated <c>ExecuteReadWrite</c>; see the other overload for the detection relevance.
/// </remarks>
private static IntPtr WriteMachineCode(IntPtr processHandle, string clrVersion, string assemblyPath, string typeName, string methodName, string argument) {
    bool is64Bit;
    byte[] machineCode;
    IntPtr pEnvironment;
    IntPtr pCorBindToRuntimeEx;
    IntPtr pCLRCreateInstance;
    // The stub layout depends on the target's bitness, not the injector's.
    if (!NativeProcess.Is64BitProcessInternal(processHandle, out is64Bit)) {
        return(IntPtr.Zero);
    }
    machineCode = GetMachineCodeTemplate(clrVersion, assemblyPath, typeName, methodName, argument);
    // 0x1000 bytes for the stub and its strings, plus room for the UTF-16 argument and its terminator.
    // NOTE(review): nothing here checks machineCode.Length against the 0x1000 budget.
    pEnvironment = NativeProcess.AllocMemoryInternal(processHandle, 0x1000 + (argument == null ? 0 : (uint)argument.Length * 2 + 2), MemoryProtection.ExecuteReadWrite);
    if (pEnvironment == IntPtr.Zero) {
        return(IntPtr.Zero);
    }
    try {
        // Patch absolute addresses into the template in place before it is copied over.
        fixed(byte *p = machineCode) {
            switch (clrVersion) {
                case "v2.0.50727":
                    // v2 hosting goes through CorBindToRuntimeEx.
                    pCorBindToRuntimeEx = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CorBindToRuntimeEx");
                    if (pCorBindToRuntimeEx == IntPtr.Zero) {
                        return(IntPtr.Zero);
                    }
                    if (is64Bit) {
                        SetMachineCode64v2(p, (ulong)pEnvironment, (ulong)pCorBindToRuntimeEx);
                    } else {
                        SetMachineCode32v2(p, (uint)pEnvironment, (uint)pCorBindToRuntimeEx);
                    }
                    break;
                case "v4.0.30319":
                    // v4 hosting goes through CLRCreateInstance.
                    pCLRCreateInstance = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CLRCreateInstance");
                    if (pCLRCreateInstance == IntPtr.Zero) {
                        return(IntPtr.Zero);
                    }
                    if (is64Bit) {
                        SetMachineCode64v4(p, (ulong)pEnvironment, (ulong)pCLRCreateInstance);
                    } else {
                        SetMachineCode32v4(p, (uint)pEnvironment, (uint)pCLRCreateInstance);
                    }
                    break;
                default:
                    // Unsupported version string; pEnvironment is already allocated at this point and is not freed here.
                    return(IntPtr.Zero);
            }
        }
        if (!NativeProcess.WriteBytesInternal(processHandle, pEnvironment, machineCode)) {
            return(IntPtr.Zero);
        }
    } catch {
        // Best-effort cleanup on an unexpected failure; the exception itself is deliberately swallowed and reported as IntPtr.Zero.
        NativeProcess.FreeMemoryInternal(processHandle, pEnvironment);
        return(IntPtr.Zero);
    }
    return(pEnvironment);
}