coolzoom · September 7, 2022 05:42
diff --git a/dllinjection.cs b/dllinjection.cs
 using System;
 using System.Diagnostics;
 using System.Runtime.ConstrainedExecution;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Text;

 namespace ch1_hello_world
 {
    public class BasicInject
    {
        [Flags]
        public enum AllocationType
        {
            Commit = 0x1000,
            Reserve = 0x2000,
            Decommit = 0x4000,
            Release = 0x8000,
            Reset = 0x80000,
            Physical = 0x400000,
            TopDown = 0x100000,
            WriteWatch = 0x200000,
            LargePages = 0x20000000
        }
        
        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
        
        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);
        
        [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        
        [DllImport("kernel32.dll", ExactSpelling = true, SetLastError = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType,
            uint flProtect);
        
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize,
            out UIntPtr lpNumberOfBytesWritten);
        
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize,
            IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll", SetLastError=true, ExactSpelling=true)]
        static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress,
            int dwSize, AllocationType dwFreeType);
        
        [DllImport("kernel32.dll", SetLastError=true)]
        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool CloseHandle(IntPtr hObject);
        
        const int PROCESS_CREATE_THREAD = 0x0002;
        const int PROCESS_QUERY_INFORMATION = 0x0400;
        const int PROCESS_VM_OPERATION = 0x0008;
        const int PROCESS_VM_WRITE = 0x0020;
        const int PROCESS_VM_READ = 0x0010;

        const uint MEM_COMMIT = 0x00001000;
        const uint MEM_RESERVE = 0x00002000;
        const uint PAGE_READWRITE = 0x4;

        public static void Main(string[] args)
        {
            Process targetProcess = Process.GetProcessesByName("hxd")[0];
            Console.WriteLine("hxd.exe PID: " + targetProcess.Id);
            
            // attach to process
            IntPtr hProcess =
                OpenProcess(
                    PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | 
                    PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
            Console.WriteLine("Process Handle: " + hProcess);

            // allocate memory in the process
 //            string dllName = "c:\\bind.dll";
 //            string dllName = "c:\\hello-world-x86.dll";
            string dllName = "c:\\umuc.dll";

            IntPtr szRemoteFileName = VirtualAllocEx(hProcess, IntPtr.Zero,
 //                (uint) ((dllName.Length) * Marshal.SizeOf(typeof(char))), MEM_COMMIT, PAGE_READWRITE);
                (uint) ((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT, PAGE_READWRITE);
            Console.WriteLine("VirtualAllocEx: " + szRemoteFileName);
            
            // write path to dll in process
            UIntPtr bytesWritten;
            WriteProcessMemory(hProcess, szRemoteFileName, Encoding.Default.GetBytes(dllName),
 //                (uint) ((dllName.Length) * Marshal.SizeOf(typeof(char))), out bytesWritten);
                (uint) ((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
            Console.WriteLine("Bytes Written: " + bytesWritten);
                
            // get address of LoadLibraryA
            IntPtr pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
            Console.WriteLine("Kernel32 Address: " + pfnThreadRtn);
            
            // execute DLL
            IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, pfnThreadRtn, szRemoteFileName, 0, IntPtr.Zero);

            VirtualFreeEx(hProcess, szRemoteFileName, 0, AllocationType.Release);
            CloseHandle(hThread);
            CloseHandle(hProcess);
            
            return;
        }

    }
 }
	using System;
	using System.Diagnostics;
	using System.Runtime.ConstrainedExecution;
	using System.Runtime.InteropServices;
	using System.Security;
	using System.Text;

	namespace ch1_hello_world
	{
	public class BasicInject
	{
	[Flags]
	public enum AllocationType
	{
	Commit = 0x1000,
	Reserve = 0x2000,
	Decommit = 0x4000,
	Release = 0x8000,
	Reset = 0x80000,
	Physical = 0x400000,
	TopDown = 0x100000,
	WriteWatch = 0x200000,
	LargePages = 0x20000000
	}

	[DllImport("kernel32.dll")]
	public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

	[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
	public static extern IntPtr GetModuleHandle(string lpModuleName);

	[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
	static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

	[DllImport("kernel32.dll", ExactSpelling = true, SetLastError = true)]
	static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType,
	uint flProtect);

	[DllImport("kernel32.dll", SetLastError = true)]
	static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize,
	out UIntPtr lpNumberOfBytesWritten);

	[DllImport("kernel32.dll")]
	static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize,
	IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

	[DllImport("kernel32.dll", SetLastError=true, ExactSpelling=true)]
	static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress,
	int dwSize, AllocationType dwFreeType);

	[DllImport("kernel32.dll", SetLastError=true)]
	[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
	[SuppressUnmanagedCodeSecurity]
	[return: MarshalAs(UnmanagedType.Bool)]
	static extern bool CloseHandle(IntPtr hObject);

	const int PROCESS_CREATE_THREAD = 0x0002;
	const int PROCESS_QUERY_INFORMATION = 0x0400;
	const int PROCESS_VM_OPERATION = 0x0008;
	const int PROCESS_VM_WRITE = 0x0020;
	const int PROCESS_VM_READ = 0x0010;

	const uint MEM_COMMIT = 0x00001000;
	const uint MEM_RESERVE = 0x00002000;
	const uint PAGE_READWRITE = 0x4;

	public static void Main(string[] args)
	{
	Process targetProcess = Process.GetProcessesByName("hxd")[0];
	Console.WriteLine("hxd.exe PID: " + targetProcess.Id);

	// attach to process
	IntPtr hProcess =
	OpenProcess(
	PROCESS_CREATE_THREAD \| PROCESS_QUERY_INFORMATION \| PROCESS_VM_OPERATION \|
	PROCESS_VM_WRITE \| PROCESS_VM_READ, false, targetProcess.Id);
	Console.WriteLine("Process Handle: " + hProcess);

	// allocate memory in the process
	// string dllName = "c:\\bind.dll";
	// string dllName = "c:\\hello-world-x86.dll";
	string dllName = "c:\\umuc.dll";

	IntPtr szRemoteFileName = VirtualAllocEx(hProcess, IntPtr.Zero,
	// (uint) ((dllName.Length) * Marshal.SizeOf(typeof(char))), MEM_COMMIT, PAGE_READWRITE);
	(uint) ((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT, PAGE_READWRITE);
	Console.WriteLine("VirtualAllocEx: " + szRemoteFileName);

	// write path to dll in process
	UIntPtr bytesWritten;
	WriteProcessMemory(hProcess, szRemoteFileName, Encoding.Default.GetBytes(dllName),
	// (uint) ((dllName.Length) * Marshal.SizeOf(typeof(char))), out bytesWritten);
	(uint) ((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
	Console.WriteLine("Bytes Written: " + bytesWritten);

	// get address of LoadLibraryA
	IntPtr pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
	Console.WriteLine("Kernel32 Address: " + pfnThreadRtn);

	// execute DLL
	IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, pfnThreadRtn, szRemoteFileName, 0, IntPtr.Zero);

	VirtualFreeEx(hProcess, szRemoteFileName, 0, AllocationType.Release);
	CloseHandle(hThread);
	CloseHandle(hProcess);

	return;
	}

	}
	}