VirtualAllocEx/WriteProcessMemory and writing C# char arrays.

EDN Admin

(Warning, I have not slept)
Very long story short, I'm trying to pinvoke VirtualAllocEx and WriteProcessMemory to call CreateRemoteThread with LoadLibrary(A/W). Aka DLL Inject, using C#. The problem is that LoadLibrary doesn't seem to be working; if I change it to "ExitProcess" then my arbitrary victimized PIDs die--as anticipated. I am somewhat following section 2 of this article: http://www.codeproject.com/KB/threads/winspy.aspx#section_2

[code]
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
    uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

[Flags]
public enum AllocationType
{
    Commit = 0x1000,
    Reserve = 0x2000,
    Decommit = 0x4000,
    Release = 0x8000,
    Reset = 0x80000,
    Physical = 0x400000,
    TopDown = 0x100000,
    WriteWatch = 0x200000,
    LargePages = 0x20000000
}

[Flags]
public enum MemoryProtection
{
    Execute = 0x10,
    ExecuteRead = 0x20,
    ExecuteReadWrite = 0x40,
    ExecuteWriteCopy = 0x80,
    NoAccess = 0x01,
    ReadOnly = 0x02,
    ReadWrite = 0x04,
    WriteCopy = 0x08,
    GuardModifierflag = 0x100,
    NoCacheModifierflag = 0x200,
    WriteCombineModifierflag = 0x400
}

IntPtr processPtr = OpenProcess((int)ProcessAccessFlags.All, false, PID);

string LibraryPath = @"C:\Users\Nathan\Documents\Visual Studio 2010\Projects\InjectorForm\Debug\PMRecorder.dll";
byte[] bLibraryPath = Encoding.Unicode.GetBytes(LibraryPath.ToCharArray());
IntPtr pLibRemote = VirtualAllocEx(processPtr, IntPtr.Zero, (uint)bLibraryPath.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
UIntPtr dummy;
WriteProcessMemory(processPtr, pLibRemote, bLibraryPath, (uint)bLibraryPath.Length, out dummy);
IntPtr krnl32 = GetModuleHandle("Kernel32");
IntPtr handle =
    CreateRemoteThread(processPtr, (IntPtr)null, 0, GetProcAddress(krnl32, "LoadLibraryW"), pLibRemote, 0, IntPtr.Zero);
[/code]


I've been looking, thinking, and am completely lost on how to format a string at a low enough level for WriteProcessMemory (and be able to get its size). The working C++ code I've been porting is as follows.

[code]
HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
char szLibPath[MAX_PATH] = "C:\\Users\\Nathan\\Documents\\Visual Studio 2010\\Projects\\InjectorForm\\Debug\\PMRecorder.dll";

void* pLibRemote = VirtualAllocEx(proc, NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(proc, pLibRemote, (void*)szLibPath, sizeof(szLibPath), NULL);

HMODULE hKernel32 = GetModuleHandle(TEXT("Kernel32"));

HANDLE thread =
    CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"), pLibRemote, 0, NULL);
[/code]



Does anybody have a clue where to start? I'm stumped on how to format it, and I don't want to have to move this code into a C++/CLI style wrapper.
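
Seen from the monitoring side, the call sequence in the post is visible to Sysmon, which logs remote thread creation as Event ID 8 together with the module and export the new thread starts at. The following is an added example, not part of the original post: it flags Event ID 8 records whose start routine is one of the kernel32 exports the post names. The log records, the `C:\Tools\` paths and the helper names are constructed, and it assumes Sysmon is deployed with CreateRemoteThread logging enabled.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
K32 = r"C:\Windows\System32\kernel32.dll"
# Start routines named in the post. A remote thread that begins at one of these
# exports runs an API call directly instead of code belonging to the target.
WATCHED = {"loadlibrarya", "loadlibraryw", "exitprocess"}

def _event(event_id, **data):
    """Build one constructed record in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{fields}</EventData></Event>")

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = "<Events>" + "".join([
    _event(8, SourceImage=r"C:\Tools\InjectorForm.exe",
           TargetImage=r"C:\Windows\System32\notepad.exe",
           StartModule=K32, StartFunction="LoadLibraryW"),
    _event(8, SourceImage=r"C:\Tools\InjectorForm.exe",
           TargetImage=r"C:\Windows\System32\notepad.exe",
           StartModule=K32, StartFunction="ExitProcess"),
    # Start address outside any loaded module: nothing for this rule to match.
    _event(8, SourceImage=r"C:\Tools\Other.exe",
           TargetImage=r"C:\Windows\System32\notepad.exe",
           StartModule="-", StartFunction="-"),
    # Process creation (Event ID 1) is ignored by this rule.
    _event(1, Image=r"C:\Windows\System32\notepad.exe"),
]) + "</Events>"

def flag_remote_threads(xml_text):
    """Return (source, target, start function) for suspicious Event ID 8 records."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "8":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        module = data.get("StartModule", "").lower()
        func = data.get("StartFunction", "")
        if module.endswith("\\kernel32.dll") and func.lower() in WATCHED:
            hits.append((data.get("SourceImage"), data.get("TargetImage"), func))
    return hits

if __name__ == "__main__":
    for src, dst, func in flag_remote_threads(SAMPLE_LOG):
        print(f"remote thread at {func}: {src} -> {dst}")
```

The rule only matches when the start address resolves to a named export, so a thread started at an address outside any loaded module needs a separate check.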

