Search
 
 

Display results as :
 


Rechercher Advanced Search

Latest topics
» ~=?{The future is here, TastyExploit officially open to the public}?=~
Tue Mar 02, 2010 11:00 pm by Dami

» My first aa script
Tue Mar 02, 2010 7:00 am by wafflemaster

» the real story behind Maverin
Tue Mar 02, 2010 1:33 am by SoundOfDeat

» Random spam
Mon Mar 01, 2010 11:52 pm by Danny1994

» [Request] EMS v56 Exe
Mon Mar 01, 2010 12:39 am by Dami

» [Blacklist] NX-Trading Blacklist.
Mon Mar 01, 2010 12:38 am by Danny1994

» I have a question regarding the meso farmer
Sat Feb 27, 2010 10:30 pm by Dami

» What are you listening to now?
Sat Feb 27, 2010 7:57 pm by Noname111111

» Video(s) Of The Day
Sat Feb 27, 2010 7:37 pm by Noname111111

Navigation
 Portal
 Index
 Memberlist
 Profile
 FAQ
 Search
Affiliates
free forum
 



[C#] Static Dll Injector

Go down

[C#] Static Dll Injector

Post by Dami on Fri Oct 30, 2009 3:40 am

By Samuri25404

I've created a static dll injector class (if you didn't get by the title, ).

So, here it is:
Code:
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

//This is used to actually inject the specific DLL into the selected process

namespace InjectMe
{
    public static class Inject
    {
        private static class WINAPI
        {
            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern IntPtr OpenProcess(
                UInt32 dwDesiredAccess,
                Int32 bInheritHandle,
                UInt32 dwProcessId);

            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern Int32 CloseHandle(
                IntPtr hObject);

            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern IntPtr GetProcAddress(
                IntPtr hModule,
                string lpProcName);

            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern IntPtr GetModuleHandle(
                string lpModuleName);

            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern IntPtr VirtualAllocEx(
                IntPtr hProcess,
                IntPtr lpAddress,
                IntPtr dwSize,
                uint flAllocationType,
                uint flProtect);

            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern Int32 WriteProcessMemory(
                IntPtr hProcess,
                IntPtr lpBaseAddress,
                byte[] buffer,
                uint size,
                out IntPtr lpNumberOfBytesWritten);

            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern IntPtr CreateRemoteThread(
                IntPtr hProcess,
                IntPtr lpThreadAttribute,
                IntPtr dwStackSize,
                IntPtr lpStartAddress,
                IntPtr lpParameter,
                uint dwCreationFlags,
                IntPtr lpThreadId);

            public static class VAE_Enums
            {
                public enum AllocationType
                {
                    MEM_COMMIT = 0x1000,
                    MEM_RESERVE = 0x2000,
                    MEM_RESET = 0x80000,
                }

                public enum ProtectionConstants
                {
                    PAGE_EXECUTE = 0X10,
                    PAGE_EXECUTE_READ = 0X20,
                    PAGE_EXECUTE_READWRITE = 0X40,
                    PAGE_EXECUTE_WRITECOPY = 0X80,
                    PAGE_NOACCESS = 0X01
                }
            }
        }       

        public static bool DoInject(
            Process pToBeInjected,
            string sDllPath,
            out string sError)
        {
            IntPtr hwnd = IntPtr.Zero;
            if (!CRT(pToBeInjected, sDllPath, out sError, out hwnd)) //CreateRemoteThread
            {
                //close the handle, since the method wasn't able to get to that
                if (hwnd != (IntPtr)0)
                    WINAPI.CloseHandle(hwnd);
                return false;
            }
            int wee = Marshal.GetLastWin32Error();
            return true;
        }

        private static bool CRT(
            Process pToBeInjected,
            string sDllPath,
            out string sError,
            out IntPtr hwnd)
        {
            sError = String.Empty; //in case we encounter no errors

            IntPtr hndProc = WINAPI.OpenProcess(
                (0x2 | 0x8 | 0x10 | 0x20 | 0x400), //create thread, query info, operation
                //write, and read
                1,
                (uint)pToBeInjected.Id);

            hwnd = hndProc;

            if (hndProc == (IntPtr)0)
            {
                sError = "Unable to attatch to process.\n";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            IntPtr lpLLAddress = WINAPI.GetProcAddress(
                WINAPI.GetModuleHandle("kernel32.dll"),
                "LoadLibraryA");

            if (lpLLAddress == (IntPtr)0)
            {
                sError = "Unable to find address of \"LoadLibraryA\".\n";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            IntPtr lpAddress = WINAPI.VirtualAllocEx(
                hndProc,
                (IntPtr)null,
                (IntPtr)sDllPath.Length, //520 bytes should be enough
                (uint)WINAPI.VAE_Enums.AllocationType.MEM_COMMIT |
                (uint)WINAPI.VAE_Enums.AllocationType.MEM_RESERVE,
                (uint)WINAPI.VAE_Enums.ProtectionConstants.PAGE_EXECUTE_READWRITE);

            if (lpAddress == (IntPtr)0)
            {
                if (lpAddress == (IntPtr)0)
                {
                    sError = "Unable to allocate memory to target process.\n";
                    sError += "Error code: " + Marshal.GetLastWin32Error();
                    return false;
                }
            }

            byte[] bytes = CalcBytes(sDllPath);
            IntPtr ipTmp = IntPtr.Zero;

            WINAPI.WriteProcessMemory(
                hndProc,
                lpAddress,
                bytes,
                (uint)bytes.Length,
                out ipTmp);

            if (Marshal.GetLastWin32Error() != 0)
            {
                sError = "Unable to write memory to process.";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            IntPtr ipThread = WINAPI.CreateRemoteThread(
                hndProc,
                (IntPtr)null,
                (IntPtr)0,
                lpLLAddress,
                lpAddress,
                0,
                (IntPtr)null);

            if (ipThread == (IntPtr)0)
            {
                sError = "Unable to load dll into memory.";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            return true;
        }

        private static byte[] CalcBytes(string sToConvert)
        {
            byte[] bRet = System.Text.Encoding.ASCII.GetBytes(sToConvert);
            return bRet;
        }
    }
}
I've created a sample application using this class.

Here's a screenshot:



Basically, you load the app, browse to your dll, select your application, and click inject.

~~

Here's the code for the Main form:
Code:
using System;
using System.Diagnostics;
using System.ComponentModel;
using System.Windows.Forms;

namespace InjectMe
{
    public partial class MainUI : Form
    {
        public MainUI()
        {
            InitializeComponent();
        }

        public static Process pApplication = null;
        public static string  sApplication = String.Empty;

        private void BtnBrowseDll_Click(object sender, EventArgs e)
        {
            OpenFileDialog ofd = new OpenFileDialog();
            ofd.Filter = "Dynamic Link Library|*.dll";
            ofd.FileOk += new CancelEventHandler(dll_FileOk);
            ofd.ShowDialog();           
        }

        private void dll_FileOk(object sender, CancelEventArgs e)
        {
            OpenFileDialog ofd = (OpenFileDialog)sender;
            TxtDllPath.Text = ofd.FileName;

            //now dispose of the object

            ofd.Dispose();           
        }

        private void BtnBrowseApp_Click(object sender, EventArgs e)
        {
            ProcFrm pf = new ProcFrm();
            pf.ShowDialog(this);
            TxtApp.Text = sApplication; //It will wait for pf to close, and before pf
            //closes, it will have set sApplication
        }

        private void BtnInject_Click(object sender, EventArgs e)
        {
            string sError = String.Empty;
            if (!Inject.DoInject(pApplication, TxtDllPath.Text, out sError))
                MessageBox.Show("The following error occured while injecting the \n" +
                    "dll into the application: \n" +
                    sError);
        }
    }
}
Here's the code to the Process Form:
Code:
using System;
using System.Diagnostics;
using System.Windows.Forms;

//This class is used to select the process to inject the dll into

namespace InjectMe
{
    public partial class ProcFrm : Form
    {
        public ProcFrm()
        {
            InitializeComponent();
        }

        private void ProcFrm_Load(object sender, EventArgs e)
        {
            //populate the list box with all the running processes

            string sLstItem = String.Empty;

            foreach (Process p in Process.GetProcesses())
            {
                sLstItem = p.Id.ToString();
                sLstItem = sLstItem.PadLeft(8, '0');
                sLstItem = sLstItem + " " + p.ProcessName;
                LstProcs.Items.Add(sLstItem);
            }
           
            //now sort

            LstProcs.Sorted = true; //Some event handler somewhere sorts
            //the list box when this is changed to true
        }

        private void LstProcs_DoubleClick(object sender, EventArgs e)
        {
            BtnSelect_Click(null, null); //=D
        }

        private void BtnSelect_Click(object sender, EventArgs e)
        {
            if (LstProcs.SelectedIndex == -1)
                return;

            string sPID = String.Empty;
            string[] saData = ((string)LstProcs.Items[LstProcs.SelectedIndex]).Split(' ');
            sPID = saData[0]; //it'll be "xxxxxxxx procname"
            int iPID = int.Parse(sPID);

            MainUI.pApplication = Process.GetProcessById(iPID);

            if (MainUI.pApplication != null)
                MainUI.sApplication = MainUI.pApplication.ProcessName;

            this.Close(); //done with this form
        }
    }
}

CREDITS

Wiccaan:

For creating a post about the Dll stuff on Extalia. Since I'm no good at C++, I had to use his code to make a sample Dll to inject into minesweeper

MSDN:

For helping out with all the API crap. =)


Last edited by Dami on Wed Nov 18, 2009 3:03 am; edited 1 time in total
avatar
Dami
Dragon
Dragon

Posts : 1414
Join date : 2009-08-10
Age : 29
Location : Finland

Back to top Go down

Re: [C#] Static Dll Injector

Post by wafflemaster on Tue Nov 17, 2009 9:42 am

Here's what samurai basically used as his guide: mediafire.com ?yotymnnlmdz
(it's a word file)

wafflemaster
V.I.P
V.I.P

Posts : 123
Join date : 2009-10-27

Back to top Go down

Re: [C#] Static Dll Injector

Post by Ant on Wed Nov 18, 2009 2:16 am

Is it just me, or there's no SS?
avatar
Ant
V.I.P
V.I.P

Posts : 244
Join date : 2009-10-30
Age : 23

Back to top Go down

Re: [C#] Static Dll Injector

Post by Danny1994 on Wed Nov 18, 2009 2:27 am

Theres no SS Razz
avatar
Danny1994
Silver Member
Silver Member

Posts : 376
Join date : 2009-08-16
Age : 24
Location : Germany

Back to top Go down

Re: [C#] Static Dll Injector

Post by Dami on Wed Nov 18, 2009 3:03 am

One of those gay ass links again.
Fixed it
avatar
Dami
Dragon
Dragon

Posts : 1414
Join date : 2009-08-10
Age : 29
Location : Finland

Back to top Go down

Re: [C#] Static Dll Injector

Post by Tom on Sun Nov 29, 2009 4:19 pm

Thanks for posting this, this forum is helping me learn alot.
avatar
Tom
New member
New member

Posts : 63
Join date : 2009-09-17
Age : 22
Location : England, a dump.

http://www.1337.freevar.com

Back to top Go down

Re: [C#] Static Dll Injector

Post by Dami on Mon Nov 30, 2009 1:17 am

TomCarre wrote:Thanks for posting this, this forum is helping me learn alot.

Thats the idea Smile
avatar
Dami
Dragon
Dragon

Posts : 1414
Join date : 2009-08-10
Age : 29
Location : Finland

Back to top Go down

Re: [C#] Static Dll Injector

Post by wafflemaster on Sat Dec 05, 2009 10:38 am

If you're using this in a trainer to inject something into MS, then this can be shortened. Replace YOUR_NAMESPACE with whatever you want.


SEE MY EDIT BEFORE COPYING/PASTING THIS.
Code:
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Threading;

namespace YOUR_NAMESPACE
{
    class Injector
    {
        #region Imports

        //OpenProcess
        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);

        //VirtualAllocEx
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr VirtualAllocEx( IntPtr hProcess, IntPtr lpAddress,IntPtr dwSize, uint flAllocationType, uint flProtect);

        //WriteProcessMemory
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern Int32 WriteProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, string buffer, uint size, out IntPtr lpNumberOfBytesWritten);

        //GetProcAddress
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

        //GetModuleHandle
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        //CreateRemoteThread
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttribute, IntPtr dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        //CloseHandle
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern Int32 CloseHandle(IntPtr hObject);

        //VirtualFreeEx
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        private static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
       
        #endregion

        public static bool DoInject(string ProcessName, string sDllPath, out string sError)
        {
            IntPtr Handle = IntPtr.Zero;
            if (!CRT(ProcessName, sDllPath, out sError, out Handle))
            {
                sError = "Unable to inject DLL. Check to make sure that the memory isn't protected.";
                return false;
            }
            return true;
        }

        private static bool CRT(string ProcessName, string sDllPath, out string sError, out IntPtr Handle)
        {
            sError = String.Empty;

            Handle = IntPtr.Zero;

            try
            {
                uint ProcID = (uint)Process.GetProcessesByName("ProcessName")[0].Id;
                Handle = OpenProcess(0x38, 1, ProcID); //Parameters: dwDesiredAccess = (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE); bInheritHandle = (TRUE)
                //For dwDesiredAccess, You might optionally like to use "(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION)", which is equal to "(0x2 | 0x8 | 0x10 | 0x20 | 0x400)", or in other words, "0x43A"
            }
            catch (Exception)
            {
                sError = "Unable to find process.\n";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            if (Handle == IntPtr.Zero)
            {
                sError = "Unable to attatch to process.\n";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            IntPtr lpAddress = VirtualAllocEx(Handle, (IntPtr)null, (IntPtr)sDllPath.Length, 0x1000, 0x40); //Parameters: flAllocationType = (MEM_COMMIT); flProtect = (PAGE_EXECUTE_READWRITE)
            //For flAllocationType, you might optionally like to use "(MEM_COMMIT | MEM_RESERVE)", which is equal to "(0x1000 | 0x2000)", or in other words, "0x3000"

            if (lpAddress == IntPtr.Zero)
            {
                if (lpAddress == IntPtr.Zero)
                {
                    sError = "Unable to allocate memory to target process.\n";
                    sError += "Error code: " + Marshal.GetLastWin32Error();
                    return false;
                }
            }

            IntPtr ipTmp;
            WriteProcessMemory(Handle, lpAddress, sDllPath, (uint)(sDllPath.Length + 1), out ipTmp);

            IntPtr lpLLAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

            if (lpLLAddress == IntPtr.Zero)
            {
                sError = "Unable to find address of \"LoadLibraryA\".\n";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            if (Marshal.GetLastWin32Error() != 0)
            {
                sError = "Unable to write memory to process.";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }

            IntPtr ipThread = CreateRemoteThread(Handle, (IntPtr)null, IntPtr.Zero, lpLLAddress, lpAddress, 0, (IntPtr)null); //Parameters: lpThreadAttribute = (IntPtr)null; dwStackSize = IntPtr.Zero; dwCreationFlags = 0; lpThreadId = (IntPtr)null
            //lpThreadAttribute is (IntPtr)null because there are no security attributes; dwStackSize is 0 to prevent stack overflow; lpStartAddress is the address of "LoadLibrary"; lpParameter is the address of the allocated memory; dwCreationFlags is 0 so the thread runs immediately after creation; lpThreadId is null because the thread id is irrevelant

            Thread.Sleep(2000);

            if (ipThread == IntPtr.Zero)
            {
                sError = "Unable to load dll into memory.";
                sError += "Error code: " + Marshal.GetLastWin32Error();
                return false;
            }
            VirtualFreeEx(Handle, lpAddress, UIntPtr.Zero, 0x8000);  //Parameters: dwSize = 0; dwFreeType = MEM_RELEASE
            //dwSize is 0 because dwFreeType is MEM_RELEASE

            return true;
        }
    }
}

Posted at: http://wafflemaster.pastebin.com/f265093a0

EDIT: I forgot to remove "Handle" as an out parameter.

Remove:
  • IntPtr Handle = IntPtr.Zero;
Fix:
  • if (!CRT(ProcessName, sDllPath, out sError))
  • private static bool CRT(string ProcessName, string sDllPath, out string sError)

wafflemaster
V.I.P
V.I.P

Posts : 123
Join date : 2009-10-27

Back to top Go down

Re: [C#] Static Dll Injector

Post by Dami on Sat Dec 05, 2009 11:19 pm

Thank you wafflemaster for improving the original script.
It wasnt planned for using for mere MS nor i spend anytime to check the information or so, as i just recovered this post from theoklibrary.

Its also good to post external links which should work even after something would happen to the site.
avatar
Dami
Dragon
Dragon

Posts : 1414
Join date : 2009-08-10
Age : 29
Location : Finland

Back to top Go down

Re: [C#] Static Dll Injector

Post by Sponsored content


Sponsored content


Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum