Merge pull request #12 from astron-dev/pullrequest
ManualMap Injection
Showing
31 changed files
with
2,551 additions
and
1 deletion.
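--- a/app/tcp-moe-client/Classes/Injection/InjectionLibrary/CRTInjection.cs
+++ b/app/tcp-moe-client/Classes/Injection/InjectionLibrary/CRTInjection.cs
@@ -0,0 +1,102 @@
+namespace InjectionLibrary
+{
+    using JLibrary.Win32;
+    using System;
+    using System.Text;
+
+    internal class CRTInjection : StandardInjectionMethod
+    {
+        public override IntPtr Inject(string dllPath, IntPtr hProcess)
+        {
+            this.ClearErrors();
+            if (hProcess.IsNull() || hProcess.Compare(-1L))
+            {
+                throw new ArgumentOutOfRangeException("hProcess", "Invalid process handle specified.");
+            }
+            try
+            {
+                IntPtr zero = IntPtr.Zero;
+                IntPtr procAddress = WinAPI.GetProcAddress(WinAPI.GetModuleHandleA("kernel32.dll"), "LoadLibraryW");
+                if (procAddress.IsNull())
+                {
+                    throw new Exception("Unable to locate the LoadLibraryW entry point");
+                }
+                IntPtr ptr = WinAPI.CreateRemotePointer(hProcess, Encoding.Unicode.GetBytes(dllPath + "\0"), 4);
+                if (ptr.IsNull())
+                {
+                    throw new InvalidOperationException("Failed to allocate memory in the remote process");
+                }
+                try
+                {
+                    uint num = WinAPI.RunThread(hProcess, procAddress, (uint) ptr.ToInt32(), 0x2710);
+                    switch (num)
+                    {
+                        case uint.MaxValue:
+                            throw new Exception("Error occurred when calling function in the remote process");
+
+                        case 0:
+                            throw new Exception("Failed to load module into remote process. Error code: " + WinAPI.GetLastErrorEx(hProcess).ToString());
+                    }
+                    zero = Win32Ptr.Create((long) num);
+                }
+                finally
+                {
+                    WinAPI.VirtualFreeEx(hProcess, ptr, 0, 0x8000);
+                }
+                return zero;
+            }
+            catch (Exception exception)
+            {
+                this.SetLastError(exception);
+                return IntPtr.Zero;
+            }
+        }
+
+        public override IntPtr[] InjectAll(string[] dllPaths, IntPtr hProcess)
+        {
+            this.ClearErrors();
+            if (hProcess.IsNull() || hProcess.Compare(-1L))
+            {
+                throw new ArgumentOutOfRangeException("hProcess", "Invalid process handle specified.");
+            }
+            try
+            {
+                IntPtr zero = IntPtr.Zero;
+                IntPtr ptr = this.CreateMultiLoadStub(dllPaths, hProcess, out zero, 0);
+                IntPtr[] ptrArray = null;
+                if (!ptr.IsNull())
+                {
+                    try
+                    {
+                        if (WinAPI.RunThread(hProcess, ptr, 0, 0x2710) == uint.MaxValue)
+                        {
+                            throw new Exception("Error occurred while executing remote thread.");
+                        }
+                        byte[] buffer = WinAPI.ReadRemoteMemory(hProcess, zero, ((uint) dllPaths.Length) << 2);
+                        if (buffer == null)
+                        {
+                            throw new InvalidOperationException("Unable to read from the remote process.");
+                        }
+                        ptrArray = new IntPtr[dllPaths.Length];
+                        for (int i = 0; i < ptrArray.Length; i++)
+                        {
+                            ptrArray[i] = new IntPtr(BitConverter.ToInt32(buffer, i << 2));
+                        }
+                    }
+                    finally
+                    {
+                        WinAPI.VirtualFreeEx(hProcess, zero, 0, 0x8000);
+                        WinAPI.VirtualFreeEx(hProcess, ptr, 0, 0x8000);
+                    }
+                }
+                return ptrArray;
+            }
+            catch (Exception exception)
+            {
+                this.SetLastError(exception);
+                return null;
+            }
+        }
+    }
+}
+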
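Review bot: `Win32Ptr.Create((long) num)` reconstructs the loaded module's handle from `RunThread`'s 32-bit exit code, and `(uint) ptr.ToInt32()` narrows the remote buffer address the same way, so `Inject` silently yields a truncated handle (or `IntPtr.Zero` after the catch-all swallows an `OverflowException`) unless the target is a 32-bit process; `InjectAll` carries the same assumption in `dllPaths.Length << 2` and `BitConverter.ToInt32`. Nothing in the class records this, so add to the class header `// Assumes a 32-bit target: module handles come back as 32-bit thread exit codes and the result table holds 4-byte pointers.` The three `throw new Exception(...)` sites are folded into `SetLastError` by the generic `catch`, so callers only see `IntPtr.Zero`/`null`; throwing `InvalidOperationException`, as the allocation-failure path already does, would at least keep the recorded error type consistent.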
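--- a/app/tcp-moe-client/Classes/Injection/InjectionLibrary/InjectionMethod.cs
+++ b/app/tcp-moe-client/Classes/Injection/InjectionLibrary/InjectionMethod.cs
@@ -0,0 +1,106 @@
+namespace InjectionLibrary
+{
+    using JLibrary.PortableExecutable;
+    using JLibrary.Tools;
+    using JLibrary.Win32;
+    using System;
+    using System.Runtime.CompilerServices;
+
+    public abstract class InjectionMethod : ErrorBase
+    {
+        protected InjectionMethod()
+        {
+        }
+
+        public static InjectionMethod Create(InjectionMethodType type)
+        {
+            InjectionMethod method;
+            switch (type)
+            {
+                case InjectionMethodType.Standard:
+                    method = new CRTInjection();
+                    break;
+
+                case InjectionMethodType.ThreadHijack:
+                    method = new ThreadHijack();
+                    break;
+
+                case InjectionMethodType.ManualMap:
+                    method = new ManualMap();
+                    break;
+
+                default:
+                    return null;
+            }
+            if (method != null)
+            {
+                method.Type = type;
+            }
+            return method;
+        }
+
+        public virtual IntPtr Inject(JLibrary.PortableExecutable.PortableExecutable image, int processId)
+        {
+            this.ClearErrors();
+            IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
+            IntPtr ptr2 = this.Inject(image, hProcess);
+            WinAPI.CloseHandle(hProcess);
+            return ptr2;
+        }
+
+        public abstract IntPtr Inject(JLibrary.PortableExecutable.PortableExecutable image, IntPtr hProcess);
+        public virtual IntPtr Inject(string dllPath, int processId)
+        {
+            this.ClearErrors();
+            IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
+            IntPtr ptr2 = this.Inject(dllPath, hProcess);
+            WinAPI.CloseHandle(hProcess);
+            return ptr2;
+        }
+
+        public abstract IntPtr Inject(string dllPath, IntPtr hProcess);
+        public virtual IntPtr[] InjectAll(JLibrary.PortableExecutable.PortableExecutable[] images, int processId)
+        {
+            this.ClearErrors();
+            IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
+            IntPtr[] ptrArray = this.InjectAll(images, hProcess);
+            WinAPI.CloseHandle(hProcess);
+            return ptrArray;
+        }
+
+        public abstract IntPtr[] InjectAll(JLibrary.PortableExecutable.PortableExecutable[] images, IntPtr hProcess);
+        public virtual IntPtr[] InjectAll(string[] dllPaths, int processId)
+        {
+            this.ClearErrors();
+            IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
+            IntPtr[] ptrArray = this.InjectAll(dllPaths, hProcess);
+            WinAPI.CloseHandle(hProcess);
+            return ptrArray;
+        }
+
+        public abstract IntPtr[] InjectAll(string[] dllPaths, IntPtr hProcess);
+        public virtual bool Unload(IntPtr hModule, int processId)
+        {
+            this.ClearErrors();
+            IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
+            bool flag = this.Unload(hModule, hProcess);
+            WinAPI.CloseHandle(hProcess);
+            return flag;
+        }
+
+        public abstract bool Unload(IntPtr hModule, IntPtr hProcess);
+        public virtual bool[] UnloadAll(IntPtr[] hModules, int processId)
+        {
+            this.ClearErrors();
+            IntPtr hProcess = WinAPI.OpenProcess(0x43a, false, processId);
+            bool[] flagArray = this.UnloadAll(hModules, hProcess);
+            WinAPI.CloseHandle(hProcess);
+            return flagArray;
+        }
+
+        public abstract bool[] UnloadAll(IntPtr[] hModules, IntPtr hProcess);
+
+        public InjectionMethodType Type { get; protected set; }
+    }
+}
+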
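Review bot: In each of the six `int processId` overloads (`Inject`, `InjectAll`, `Unload`, `UnloadAll`) the handle returned by `WinAPI.OpenProcess` is closed only on the normal path, so any exception from the abstract overload — `CRTInjection.Inject` throws `ArgumentOutOfRangeException` before entering its own `try` — leaks the process handle; wrap the call as `try { return this.Inject(image, hProcess); } finally { WinAPI.CloseHandle(hProcess); }` in all six. A null handle from `OpenProcess` is also passed straight through, so an open failure surfaces as the callee's "Invalid process handle" error rather than the `GetLastError` value of the `OpenProcess` call that actually failed; check it before delegating. The access mask `0x43a` is repeated six times with no name; hoist it to a `private const uint` with a comment listing the `PROCESS_*` rights it combines. The `if (method != null)` check in `Create` is dead, since every non-default case assigns a new instance and the default returns early.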
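--- a/app/tcp-moe-client/Classes/Injection/InjectionLibrary/InjectionMethodType.cs
+++ b/app/tcp-moe-client/Classes/Injection/InjectionLibrary/InjectionMethodType.cs
@@ -0,0 +1,12 @@
+namespace InjectionLibrary
+{
+    using System;
+
+    public enum InjectionMethodType
+    {
+        Standard,
+        ThreadHijack,
+        ManualMap
+    }
+}
+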
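Review bot: The three members of `InjectionMethodType` carry no XML documentation even though `InjectionMethod.Create` dispatches to a different class for each; add a `/// <summary>` per member, e.g. on `Standard`: `/// <summary>Selected by <see cref="InjectionMethod.Create"/>; instantiates <c>CRTInjection</c>.</summary>`. The `using System;` directive is unused in this file.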