internal static bool InjectUnmanagedInternal(void *processHandle, string dllPath)
{
void *pLoadLibrary;
void *pDllPath;
void *threadHandle;
uint exitCode;
pLoadLibrary = NativeModule.GetFunctionAddressInternal(processHandle, "kernel32.dll", "LoadLibraryW");
// 获取LoadLibrary的函数地址
pDllPath = NativeProcess.AllocMemoryInternal(processHandle, (uint)dllPath.Length * 2 + 2, MemoryProtection.ExecuteRead);
try {
if (pDllPath == null)
{
return(false);
}
if (!NativeProcess.WriteStringInternal(processHandle, pDllPath, dllPath, Encoding.Unicode))
{
return(false);
}
threadHandle = CreateRemoteThread(processHandle, null, 0, pLoadLibrary, pDllPath, 0, null);
if (threadHandle == null)
{
return(false);
}
WaitForSingleObject(threadHandle, INFINITE);
// 等待线程结束
GetExitCodeThread(threadHandle, out exitCode);
return(exitCode != 0);
// LoadLibrary返回值不为0则调用成功,否则失败
}
finally {
NativeProcess.FreeMemoryInternal(processHandle, pDllPath);
}
}
internal static bool InjectManagedInternal(IntPtr processHandle, string assemblyPath, string typeName, string methodName, string argument, out int returnValue, bool wait)
{
bool isAssembly;
bool isWow64;
string clrVersion;
IntPtr pEnvironment;
IntPtr threadHandle;
uint exitCode;
returnValue = 0;
assemblyPath = Path.GetFullPath(assemblyPath);
// 获取绝对路径
IsAssembly(assemblyPath, out isAssembly, out clrVersion);
if (!isAssembly)
{
throw new NotSupportedException("Not a valid .NET assembly.");
}
if (!IsWow64Process(processHandle, out isWow64))
{
return(false);
}
if (!InjectUnmanagedInternal(processHandle, Path.Combine(Environment.GetEnvironmentVariable("SystemRoot"), isWow64 ? @"SysWOW64\mscoree.dll" : @"System32\mscoree.dll")))
{
return(false);
}
// 加载对应进程位数的mscoree.dll
pEnvironment = WriteMachineCode(processHandle, clrVersion, assemblyPath, typeName, methodName, argument);
// 获取远程进程中启动CLR的函数指针
if (pEnvironment == IntPtr.Zero)
{
return(false);
}
threadHandle = CreateRemoteThread(processHandle, null, 0, pEnvironment, (IntPtr)((byte *)pEnvironment + ReturnValueOffset), 0, null);
if (threadHandle == IntPtr.Zero)
{
return(false);
}
if (wait)
{
WaitForSingleObject(threadHandle, INFINITE);
// 等待线程结束
if (!GetExitCodeThread(threadHandle, out exitCode))
{
return(false);
}
if (!NativeProcess.ReadInt32Internal(processHandle, (IntPtr)((byte *)pEnvironment + ReturnValueOffset), out returnValue))
{
return(false);
}
// 获取程序集中被调用方法的返回值
if (!NativeProcess.FreeMemoryInternal(processHandle, pEnvironment))
{
return(false);
}
return(exitCode == 0);
}
return(true);
}
internal static bool InjectManagedInternal(void *processHandle, string assemblyPath, string typeName, string methodName, string argument, InjectionClrVersion clrVersion, out int returnValue, bool wait)
{
returnValue = 0;
assemblyPath = Path.GetFullPath(assemblyPath);
// 获取绝对路径
IsAssembly(assemblyPath, out bool isAssembly, out var clrVersionTemp);
if (clrVersion == InjectionClrVersion.Auto)
{
clrVersion = clrVersionTemp;
}
if (!isAssembly)
{
throw new NotSupportedException("Not a valid .NET assembly.");
}
if (!InjectUnmanagedInternal(processHandle, Path.Combine(Environment.GetEnvironmentVariable("SystemRoot"), @"System32\mscoree.dll")))
{
return(false);
}
// 加载对应进程位数的mscoree.dll
void *pEnvironment = WriteMachineCode(processHandle, clrVersion, assemblyPath, typeName, methodName, argument);
// 获取远程进程中启动CLR的函数指针
if (pEnvironment == null)
{
return(false);
}
void *threadHandle = CreateRemoteThread(processHandle, null, 0, pEnvironment, (byte *)pEnvironment + ReturnValueOffset, 0, null);
if (threadHandle == null)
{
return(false);
}
if (wait)
{
WaitForSingleObject(threadHandle, INFINITE);
// 等待线程结束
if (!GetExitCodeThread(threadHandle, out uint exitCode))
{
return(false);
}
if (!NativeProcess.ReadInt32Internal(processHandle, (byte *)pEnvironment + ReturnValueOffset, out returnValue))
{
return(false);
}
// 获取程序集中被调用方法的返回值
if (!NativeProcess.FreeMemoryInternal(processHandle, pEnvironment))
{
return(false);
}
return(exitCode == 0);
}
return(true);
}
private static void *WriteMachineCode(void *processHandle, InjectionClrVersion clrVersion, string assemblyPath, string typeName, string methodName, string argument)
{
bool is64Bit;
string clrVersionString;
byte[] machineCode;
void * pEnvironment;
void * pCorBindToRuntimeEx;
void * pCLRCreateInstance;
if (!NativeProcess.Is64BitProcessInternal(processHandle, out is64Bit))
{
return(null);
}
clrVersionString = clrVersion switch
{
InjectionClrVersion.V2 => CLR_V2,
InjectionClrVersion.V4 => CLR_V4,
_ => throw new ArgumentOutOfRangeException(nameof(clrVersion)),
};
machineCode = GetMachineCodeTemplate(clrVersionString, assemblyPath, typeName, methodName, argument);
pEnvironment = NativeProcess.AllocMemoryInternal(processHandle, 0x1000 + (argument is null ? 0 : (uint)argument.Length * 2 + 2), MemoryProtection.ExecuteReadWrite);
if (pEnvironment == null)
{
return(null);
}
try
{
fixed(byte *p = machineCode)
switch (clrVersion)
{
case InjectionClrVersion.V2:
pCorBindToRuntimeEx = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CorBindToRuntimeEx");
if (pCorBindToRuntimeEx == null)
{
return(null);
}
if (is64Bit)
{
WriteMachineCode64v2(p, (ulong)pEnvironment, (ulong)pCorBindToRuntimeEx);
}
else
{
WriteMachineCode32v2(p, (uint)pEnvironment, (uint)pCorBindToRuntimeEx);
}
break;
case InjectionClrVersion.V4:
pCLRCreateInstance = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CLRCreateInstance");
if (pCLRCreateInstance == null)
{
return(null);
}
if (is64Bit)
{
WriteMachineCode64v4(p, (ulong)pEnvironment, (ulong)pCLRCreateInstance);
}
else
{
WriteMachineCode32v4(p, (uint)pEnvironment, (uint)pCLRCreateInstance);
}
break;
}
if (!NativeProcess.WriteBytesInternal(processHandle, pEnvironment, machineCode))
{
return(null);
}
}
catch {
NativeProcess.FreeMemoryInternal(processHandle, pEnvironment);
return(null);
}
return(pEnvironment);
}
private static IntPtr WriteMachineCode(IntPtr processHandle, string clrVersion, string assemblyPath, string typeName, string methodName, string argument)
{
bool is64Bit;
byte[] machineCode;
IntPtr pEnvironment;
IntPtr pCorBindToRuntimeEx;
IntPtr pCLRCreateInstance;
if (!NativeProcess.Is64BitProcessInternal(processHandle, out is64Bit))
{
return(IntPtr.Zero);
}
machineCode = GetMachineCodeTemplate(clrVersion, assemblyPath, typeName, methodName, argument);
pEnvironment = NativeProcess.AllocMemoryInternal(processHandle, 0x1000 + (argument == null ? 0 : (uint)argument.Length * 2 + 2), MemoryProtection.ExecuteReadWrite);
if (pEnvironment == IntPtr.Zero)
{
return(IntPtr.Zero);
}
try
{
fixed(byte *p = machineCode)
{
switch (clrVersion)
{
case "v2.0.50727":
pCorBindToRuntimeEx = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CorBindToRuntimeEx");
if (pCorBindToRuntimeEx == IntPtr.Zero)
{
return(IntPtr.Zero);
}
if (is64Bit)
{
SetMachineCode64v2(p, (ulong)pEnvironment, (ulong)pCorBindToRuntimeEx);
}
else
{
SetMachineCode32v2(p, (uint)pEnvironment, (uint)pCorBindToRuntimeEx);
}
break;
case "v4.0.30319":
pCLRCreateInstance = NativeModule.GetFunctionAddressInternal(processHandle, "mscoree.dll", "CLRCreateInstance");
if (pCLRCreateInstance == IntPtr.Zero)
{
return(IntPtr.Zero);
}
if (is64Bit)
{
SetMachineCode64v4(p, (ulong)pEnvironment, (ulong)pCLRCreateInstance);
}
else
{
SetMachineCode32v4(p, (uint)pEnvironment, (uint)pCLRCreateInstance);
}
break;
default:
return(IntPtr.Zero);
}
}
if (!NativeProcess.WriteBytesInternal(processHandle, pEnvironment, machineCode))
{
return(IntPtr.Zero);
}
}
catch {
NativeProcess.FreeMemoryInternal(processHandle, pEnvironment);
return(IntPtr.Zero);
}
return(pEnvironment);
}
