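        /// <summary>
        /// Copies <paramref name="writer"/>'s buffer into the target process, flushes the
        /// instruction cache over that range and starts a remote thread at
        /// <c>writer.CodeTargetStartAddress</c>. The returned task completes once that thread
        /// has exited and the remote region has been released with VirtualFreeEx.
        /// </summary>
        /// <param name="writer">Holds the bytes to inject and the remote addresses they were laid out for.</param>
        /// <returns>An already-started task that waits for the remote thread, then frees the remote buffer.</returns>
        /// <exception cref="InvalidOperationException">
        /// The write into the target was short, or CreateRemoteThread returned a null handle.
        /// Failing here matters: without these checks a thread would be started over a partially
        /// written cave, or the task would wait on a null handle and then free the region anyway.
        /// </exception>
        public Task CreateRemoteThread(MemoryWriter writer)
        {
            UIntPtr bytesWritten;

            Win32.WriteProcessMemory(processInfo.hProcess, writer.TargetStartAddress, writer.Buffer,
                                     (uint)writer.Size, out bytesWritten);

            // A short write leaves a truncated code/data image in the target; never execute it.
            // (The GetLastWin32Error calls that used to sit here are only meaningful if the
            // P/Invoke declarations set SetLastError = true — not visible from this file.)
            if (bytesWritten.ToUInt64() != (ulong)writer.Size)
            {
                throw new InvalidOperationException(string.Format(
                    "WriteProcessMemory wrote {0} of {1} bytes into the target process.",
                    bytesWritten.ToUInt64(), writer.Size));
            }

            // Required after writing code so the target CPU does not run stale cache lines.
            // The region must also be executable for the thread to start from it; the caller
            // left a VirtualProtectEx commented out, so presumably the allocation is already
            // executable — TODO confirm against CreateMemoryWriter.
            Win32.FlushInstructionCache(processInfo.hProcess, writer.TargetStartAddress, new UIntPtr((uint)writer.Size));

            IntPtr hThread = Win32.CreateRemoteThread(processInfo.hProcess, IntPtr.Zero, 0, writer.CodeTargetStartAddress,
                                                      IntPtr.Zero, 0, IntPtr.Zero);
            if (hThread == IntPtr.Zero)
            {
                // Do not leave the injected image sitting in the target when nothing will run it.
                Win32.VirtualFreeEx(processInfo.hProcess, writer.TargetStartAddress, 0, Win32.FreeType.Release);
                throw new InvalidOperationException("CreateRemoteThread failed in the target process.");
            }

            // WaitForSingleObject blocks the thread it runs on; marking the task long-running keeps
            // it from pinning a thread-pool worker for as long as the remote thread lives.
            Task task = Task.Factory.StartNew(() =>
            {
                Win32.WaitForSingleObject(hThread, Win32.INFINITE);

                // Free the memory in the process that we allocated
                Win32.VirtualFreeEx(processInfo.hProcess, writer.TargetStartAddress, 0, Win32.FreeType.Release);

                // NOTE(review): hThread is never closed, so every injection leaks a thread handle in
                // this process. The Win32 wrapper as visible here exposes no CloseHandle; add that
                // P/Invoke and call it here once the wait returns.
            }, TaskCreationOptions.LongRunning);

            return task;
        }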
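        /// <summary>
        /// Writes <paramref name="writer"/>'s buffer into the target process, flushes the
        /// instruction cache over it and starts a remote thread at
        /// <c>writer.CodeTargetStartAddress</c>. The returned task completes when that thread
        /// exits and the remote region has been released.
        /// </summary>
        /// <param name="writer">The bytes to inject together with the remote addresses they were built for.</param>
        /// <returns>A started task that waits for the remote thread and then frees the remote buffer.</returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when fewer bytes than <c>writer.Size</c> reached the target, or when
        /// CreateRemoteThread returned a null handle. Previously both failures were silent: the
        /// code either ran a truncated cave or waited on a null handle before freeing the region.
        /// </exception>
        public Task CreateRemoteThread(MemoryWriter writer)
        {
            UIntPtr bytesWritten;
            Win32.WriteProcessMemory(processInfo.hProcess, writer.TargetStartAddress, writer.Buffer,
                (uint)writer.Size, out bytesWritten);

            // Refuse to run a partially written image. (The former GetLastWin32Error calls only
            // return something useful if the P/Invoke declarations set SetLastError = true,
            // which this file does not show.)
            if (bytesWritten.ToUInt64() != (ulong)writer.Size)
            {
                throw new InvalidOperationException(string.Format(
                    "WriteProcessMemory wrote {0} of {1} bytes into the target process.",
                    bytesWritten.ToUInt64(), writer.Size));
            }

            // Needed after writing code so the target does not execute stale cache lines. The
            // region is assumed to already be executable (the caller has a VirtualProtectEx
            // commented out) — TODO confirm how CreateMemoryWriter allocates it.
            Win32.FlushInstructionCache(processInfo.hProcess, writer.TargetStartAddress, new UIntPtr((uint)writer.Size));

            IntPtr hThread = Win32.CreateRemoteThread(processInfo.hProcess, IntPtr.Zero, 0, writer.CodeTargetStartAddress,
                IntPtr.Zero, 0, IntPtr.Zero);
            if (hThread == IntPtr.Zero)
            {
                // Nothing will run the cave; release it rather than leave it in the target.
                Win32.VirtualFreeEx(processInfo.hProcess, writer.TargetStartAddress, 0, Win32.FreeType.Release);
                throw new InvalidOperationException("CreateRemoteThread failed in the target process.");
            }

            // The wait is a blocking call; LongRunning keeps it off the shared pool workers.
            Task task = Task.Factory.StartNew(() =>
                {
                    Win32.WaitForSingleObject(hThread, Win32.INFINITE);

                    // Free the memory in the process that we allocated
                    Win32.VirtualFreeEx(processInfo.hProcess, writer.TargetStartAddress, 0, Win32.FreeType.Release);

                    // NOTE(review): hThread is leaked — the visible Win32 wrapper has no CloseHandle.
                    // Add one and close the handle here after the wait.
                }, TaskCreationOptions.LongRunning);

            return task;
        }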
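        /// <summary>
        /// Demo driver: starts <c>TestApplication</c> suspended, injects a small code cave that
        /// loads Advapi32 and redirects HKEY_CURRENT_USER to the <c>Pieter\Test</c> subkey via
        /// RegOverridePredefKey, waits for the injected thread to finish, then lets the process run.
        /// Because the override is installed before the target executes its first instruction,
        /// every HKCU access the target makes afterwards lands in that subtree instead of the
        /// real hive.
        /// </summary>
        static void Main(string[] args)
        {
            // Predefined-key handle value for HKEY_CURRENT_USER (winreg.h). Kept uint-typed, which
            // is the type the original hex literal had.
            const uint HKeyCurrentUser = 0x80000001;

            // CreateSuspended: the cave must run before any of the target's own code does.
            InjectableProcess process = new InjectableProcess(TestApplication, ProcessCreationOptions.NormalPriorityClass | ProcessCreationOptions.CreateSuspended);
            MemoryWriter      writer  = process.CreateMemoryWriter(1024);

            IntPtr advapi32            = writer.WriteValue("Advapi32.dll");
            IntPtr registryKeyAddress  = writer.WriteValue(@"Pieter\Test");
            // Slot RegOpenKey fills with the opened HKEY. HKEY is pointer-sized, so 4 bytes is only
            // right for a 32-bit target; a 64-bit target would write 8 bytes here and overrun the
            // slot — TODO confirm the bitness the MemoryWriter emits code for.
            IntPtr registryHkeyAddress = writer.Alloc(4);

            writer.CallLoadLibrary(advapi32);
            writer.CallRegOpenKey(HKeyCurrentUser, registryKeyAddress, registryHkeyAddress);
            writer.CallRegOverridePredefKey(HKeyCurrentUser, registryHkeyAddress);
            writer.CallRegCloseKey(registryHkeyAddress);
            writer.CallExitThread();

            // The cave must be executable before CreateRemoteThread starts at it. The original kept
            // a VirtualProtectEx(ExecuteReadWrite) call commented out at this point, so presumably
            // CreateMemoryWriter already allocates the region executable — verify in InjectableProcess.

            Task task = process.CreateRemoteThread(writer);

            // Block until the injected thread has exited and the cave has been released, so the
            // target never resumes while the injected code might still be running or referenced.
            task.Wait();

            process.Resume();
        }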