

added some injection methods
added NtCreateThreadEx and LoadLibrary options to InjectDll. UNTESTED
erfg12 committed Dec 22, 2021
1 parent 75c254b commit 4d86170
Showing 2 changed files with 50 additions and 5 deletions.
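--- a/Memory/Structures/Imports.cs
+++ b/Memory/Structures/Imports.cs
@@ -177,6 +177,25 @@ out IntPtr lpThreadId
 [DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)]
 static extern bool Process32Next([In] IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
 
+/*
+typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)
+(
+OUT PHANDLE hThread,
+IN ACCESS_MASK DesiredAccess,
+IN LPVOID ObjectAttributes,
+IN HANDLE ProcessHandle,
+IN LPTHREAD_START_ROUTINE lpStartAddress,
+IN LPVOID lpParameter,
+IN BOOL CreateSuspended,
+IN ULONG StackZeroBits,
+IN ULONG SizeOfStackCommit,
+IN ULONG SizeOfStackReserve,
+OUT LPVOID lpBytesBuffer
+);
+*/
+[DllImport("ntdll.dll", SetLastError = true)]
+internal static extern NTSTATUS NtCreateThreadEx(out IntPtr hProcess, AccessMask desiredAccess, IntPtr objectAttributes, UIntPtr processHandle, IntPtr startAddress, IntPtr parameter, ThreadCreationFlags inCreateSuspended, Int32 stackZeroBits, Int32 sizeOfStack, Int32 maximumStackSize, IntPtr attributeList);
+
 // privileges
 public const int PROCESS_CREATE_THREAD = 0x0002;
 public const int PROCESS_QUERY_INFORMATION = 0x0400;
@@ -203,6 +222,22 @@ out IntPtr lpThreadId
 public const uint MEM_PRIVATE = 0x20000;
 public const uint MEM_IMAGE = 0x1000000;
 
+internal enum NTSTATUS
+{
+Success = 0x00
+}
+
+internal enum AccessMask
+{
+SpecificRightsAll = 0xFFFF,
+StandardRightsAll = 0x1F0000
+}
+internal enum ThreadCreationFlags
+{
+CreateSuspended = 0x01,
+HideFromDebugger = 0x04
+}
+
 internal enum MINIDUMP_TYPE
 {
 MiniDumpNormal = 0x00000000,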
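Review bot: The `NtCreateThreadEx` declaration names its first out parameter `hProcess`, while the prototype commented directly above it (and the caller in memory.cs, which binds it to `hThread`) treats it as the new thread's handle; `out IntPtr hThread` would stop the signature from reading as if it returned a process handle. The declared types also diverge from the commented prototype — `UIntPtr processHandle` for a HANDLE and `Int32` for the three ULONG stack arguments — so a short comment stating why those widths were chosen would help anyone checking the marshaling. `AccessMask` and `ThreadCreationFlags` hold combinable bit values but carry no `[Flags]` attribute, so combined values will not format symbolically.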
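--- a/Memory/memory.cs
+++ b/Memory/memory.cs
@@ -576,8 +576,10 @@ public void CloseProcess()
 /// <summary>
 /// Inject a DLL file.
 /// </summary>
-/// <param name="strDllName">path and name of DLL file.</param>
-public bool InjectDll(String strDllName)
+/// <param name="strDllName">path and name of DLL file. Ex: "C:\MyTrainer\inject.dll" or "inject.dll" if the DLL file is in the same directory as the trainer.</param>
+/// <param name="Execute">execute dll method on injection. Default: false</param>
+/// <param name="LoadLibrary">library load method. Options: LoadLibraryA, LoadLibraryExA, LoadLibraryW, LoadLibraryExW. Default: LoadLibraryA</param>
+public bool InjectDll(String strDllName, bool Execute = false, string LoadLibrary = "LoadLibraryA")
 {
 IntPtr bytesout;
 
@@ -594,13 +596,21 @@ public bool InjectDll(String strDllName)
 UIntPtr allocMem = VirtualAllocEx(mProc.Handle, (UIntPtr)null, (uint)lenWrite, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
 
 WriteProcessMemory(mProc.Handle, allocMem, strDllName, (UIntPtr)lenWrite, out bytesout);
-UIntPtr injector = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
+UIntPtr injector = GetProcAddress(GetModuleHandle("kernel32.dll"), LoadLibrary);
 
 if (injector == null)
 return false;
 
-IntPtr hThread = CreateRemoteThread(mProc.Handle, (IntPtr)null, 0, injector, allocMem, 0, out bytesout);
-if (hThread == null)
+IntPtr hThread = (IntPtr)null;
+
+if (!Execute)
+hThread = CreateRemoteThread(mProc.Handle, (IntPtr)null, 0, injector, allocMem, 0, out bytesout);
+else
+{
+NTSTATUS status = NtCreateThreadEx(out hThread, AccessMask.StandardRightsAll, (IntPtr)null, injector, mProc.MainModule.BaseAddress, (IntPtr)null, ThreadCreationFlags.HideFromDebugger, 0, 0, 0, (IntPtr)null);
+}
+
+if (hThread == (IntPtr)null)
 return false;
 
 int Result = WaitForSingleObject(hThread, 10 * 1000);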
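Review bot: `status` returned by `NtCreateThreadEx` in the `Execute` branch is assigned and never read, so a failed call is only noticed if `hThread` happens to stay null; add `if (status != NTSTATUS.Success) return false;` directly after the call. The arguments in that call also do not line up with the prototype commented in Imports.cs — `injector` (the `GetProcAddress` result) sits in the process-handle position, `mProc.MainModule.BaseAddress` in the start-address position, and `allocMem`, the buffer the DLL path was just written to, is not passed at all — which fits the commit message's UNTESTED note and should be resolved before the branch is documented as working. The parameter names `Execute` and `LoadLibrary` break the camelCase convention for parameters (`execute`, `loadLibrary`), and the `<param name="Execute">` text "execute dll method on injection" does not say what the flag actually selects, namely `NtCreateThreadEx` instead of `CreateRemoteThread`. `InjectDll` continues past the end of the hunk.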

