  1. using System;
  2. using System.Collections.Generic;
  3. using System.Diagnostics;
  4. using System.IO;
  5. using System.Linq;
  6. using System.Runtime.InteropServices;
  7. using System.Text;
  8. using WinAPI.Kernel32;
  9.  
  10. namespace Injector
  11. {
    /// <summary>
    /// Loads a DLL into another process: writes the DLL path into the target's address space,
    /// starts a remote thread at kernel32!LoadLibraryA with that path as its argument, locates
    /// the newly loaded module in the target and then starts a second remote thread at the
    /// module's exported <c>run</c> function.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the OpenProcess → VirtualAllocEx(PAGE_EXECUTE_READWRITE) →
    /// WriteProcessMemory → CreateRemoteThread(LoadLibraryA) sequence in <see cref="InjectTo(int, string)"/>
    /// is the textbook remote-thread DLL-injection pattern and is a common detection signature for
    /// endpoint monitoring; it only succeeds when the caller already holds the requested access
    /// rights on the target process. Every Win32 call is taken from a delegate supplied to the
    /// constructor (delegate types come from WinAPI.Kernel32), presumably so they can be substituted
    /// in tests — none of them is null-checked.
    /// </remarks>
    public class Injector
    {
        // Win32 entry points, supplied by the caller through the constructor.
        private readonly CloseHandleDelegate _closeHandle;
        private readonly CreateRemoteThreadDelegate _createRemoteThread;
        private readonly WaitForSingleObjectDelegate _waitForSingleObject;
        private readonly ImpersonateSelfDelegate _impersonateSelf;
        private readonly RevertToSelfDelegate _revertToSelf;
        private readonly GetModuleHandleDelegate _getModuleHandle;
        private readonly GetProcAddressDelegate _getProcAddress;
        // Enumerates the modules of a remote process (used to find the injected DLL's base address).
        private readonly ExternalModuleLocator _externalModuleLocator;
        private readonly OpenProcessDelegate _openProcess;
        private readonly VirtualAllocExDelegate _virtualAllocEx;
        private readonly WriteProcessMemoryDelegate _writeProcessMemory;


        // Loads the target DLL into *this* process (see InjectTo(int, string)) so the export's
        // offset can be computed locally. The handle it returns is never released with FreeLibrary.
        [DllImport("kernel32.dll")]
        private static extern IntPtr LoadLibrary(string lpModuleName);

        /// <summary>
        /// Stores the supplied Win32 delegates. No argument validation is performed, so a null
        /// delegate only fails later, at the point where it is invoked.
        /// </summary>
        public Injector(ExternalModuleLocator externalModuleLocator, OpenProcessDelegate openProcess,
            CloseHandleDelegate closeHandle,
            GetProcAddressDelegate getProcAddress, GetModuleHandleDelegate getModuleHandle,
            VirtualAllocExDelegate virtualAllocEx, WriteProcessMemoryDelegate writeProcessMemory,
            CreateRemoteThreadDelegate createRemoteThread, WaitForSingleObjectDelegate waitForSingleObject,
            ImpersonateSelfDelegate impersonateSelf, RevertToSelfDelegate revertToSelf)
        {
            _externalModuleLocator = externalModuleLocator;
            _openProcess = openProcess;
            _closeHandle = closeHandle;
            _getProcAddress = getProcAddress;
            _getModuleHandle = getModuleHandle;
            _virtualAllocEx = virtualAllocEx;
            _writeProcessMemory = writeProcessMemory;
            _createRemoteThread = createRemoteThread;
            _waitForSingleObject = waitForSingleObject;
            _impersonateSelf = impersonateSelf;
            _revertToSelf = revertToSelf;
        }

        /// <summary>
        /// Resolves <paramref name="targetProcessName"/> to a process id and delegates to
        /// <see cref="InjectTo(int, string)"/>.
        /// </summary>
        /// <param name="targetProcessName">Process name compared with <c>==</c> against
        /// <see cref="Process.ProcessName"/>, i.e. exact, case-sensitive, without ".exe".</param>
        /// <param name="targetDllFilename">Path of the DLL to load; must exist on disk.</param>
        /// <returns><c>TargetDllNotFound</c> if the file is missing, <c>ProcessNotFound</c> if no
        /// process matches, otherwise the result of the id-based overload.</returns>
        public InjectorResult InjectTo(string targetProcessName, string targetDllFilename)
        {
            if (!File.Exists(targetDllFilename))
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.TargetDllNotFound);
            }

            // First match wins when several processes share the name. The Process objects
            // returned here are IDisposable and are never disposed.
            var procs = Process.GetProcesses();
            var procId = (from t in procs where t.ProcessName == targetProcessName select t.Id).FirstOrDefault();

            // ReSharper disable once ConvertIfStatementToReturnStatement
            if (procId == 0)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.ProcessNotFound);
            }
            return InjectTo(procId, targetDllFilename);
        }

        /// <summary>
        /// Performs the injection into the process with id <paramref name="targetProcessId"/>.
        /// </summary>
        /// <param name="targetProcessId">Id of the target process.</param>
        /// <param name="targetDllFilename">Path of the DLL to load in the target. Unlike the
        /// name-based overload, this overload does not check that the file exists.</param>
        /// <returns>An <see cref="InjectorResult"/> carrying a status code on failure; on success
        /// it carries the local address of LoadLibraryA (not the remote module base).</returns>
        /// <remarks>
        /// NOTE(review): the process handle is closed only on the success path at the very end —
        /// every early return below leaks <c>hndProc</c> — and neither remote thread handle is
        /// ever closed.
        /// </remarks>
        public InjectorResult InjectTo(int targetProcessId, string targetDllFilename)
        {
            // PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
            // PROCESS_QUERY_INFORMATION; the second argument (1) is presumably bInheritHandle.
            var hndProc = _openProcess(0x2 | 0x8 | 0x10 | 0x20 | 0x400, 1, (uint) targetProcessId);

            if (hndProc == IntPtr.Zero)
            {
                // Status name says "thread", but this is the OpenProcess failure.
                return new InjectorResult(InjectorResult.InjectorStatusCode.OpenThreadFailed);
            }

            // Address of LoadLibraryA in *this* process, used as the remote thread's start address.
            // NOTE(review): this assumes kernel32 is mapped at the same base in the target; that
            // does not hold across a 32/64-bit mismatch, which is never checked here.
            var lpLlAddress = _getProcAddress(_getModuleHandle("kernel32.dll"), "LoadLibraryA");

            if (lpLlAddress == IntPtr.Zero)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.RetrieveLoadLibraryFailed);
            }

            // MEM_COMMIT | MEM_RESERVE with PAGE_EXECUTE_READWRITE (0x40) — RWX is broader than the
            // plain string written below needs and is itself a common monitoring trigger. The size
            // is the path's character count; no byte is reserved for the NUL terminator LoadLibraryA
            // expects, and (IntPtr) null is just IntPtr.Zero (let the system pick the address).
            var lpAddress = _virtualAllocEx(hndProc, (IntPtr) null, new IntPtr(targetDllFilename.Length), 0x1000 | 0x2000,
                0x40);

            if (lpAddress == IntPtr.Zero)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.AllocationFailed);
            }

            // ASCII because the remote entry point is LoadLibraryA; characters outside ASCII are
            // replaced by the encoder, so non-ASCII paths cannot load correctly.
            var bytes = Encoding.ASCII.GetBytes(targetDllFilename);

            // Last argument 0 is presumably lpNumberOfBytesWritten (not requested). A 0 return is failure.
            if (_writeProcessMemory(hndProc, lpAddress, bytes, (uint) bytes.Length, 0) == 0)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.WritePayloadFailed);
            }

            // Argument order presumably mirrors Win32 CreateRemoteThread: process, attributes,
            // stack size, start address (LoadLibraryA), parameter (the path), flags, thread id.
            var remoteThread = _createRemoteThread(hndProc, IntPtr.Zero, IntPtr.Zero, lpLlAddress, lpAddress, 0, IntPtr.Zero);
            if (IntPtr.Zero == remoteThread)
            {
                // Single retry under self-impersonation.
                // NOTE(review): if the retry also fails the method returns while still impersonating
                // (RevertToSelf is reached only on success), and a RevertToSelf failure is reported
                // after the remote thread has already been started.
                if (!_impersonateSelf(SecurityImpersonationLevel.SecurityImpersonation))
                {
                    return new InjectorResult(InjectorResult.InjectorStatusCode.ImpersonationFailed);
                }
                remoteThread = _createRemoteThread(hndProc, IntPtr.Zero, IntPtr.Zero, lpLlAddress, lpAddress, 0, IntPtr.Zero);
                if (IntPtr.Zero == remoteThread)
                {
                    return new InjectorResult(InjectorResult.InjectorStatusCode.CreateLoadLibraryThreadFailed);
                }
                if (!_revertToSelf())
                {
                    return new InjectorResult(InjectorResult.InjectorStatusCode.RevertAfterImpersonationFailed);

                }
            }

            // Wait up to 3 s for the LoadLibraryA thread; 0 is WAIT_OBJECT_0, every other result
            // (WAIT_TIMEOUT, WAIT_FAILED, ...) is reported as a timeout. The thread's exit code is not
            // inspected, so a failed load inside the target is only noticed by the module scan below.
            if (_waitForSingleObject(remoteThread, 3000) != 0)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.LoadLibraryTimeoutExceeded);
            }

            // Find the injected module in the target by file name only (FileInfo.Name), using a
            // culture-aware case-insensitive comparison; OrdinalIgnoreCase is the usual choice for
            // file names.
            var libraryName = new FileInfo(targetDllFilename).Name;
            var loadedModule = _externalModuleLocator.EnumProcessModules((uint) targetProcessId)
                .FirstOrDefault(module => string.Equals(module.szModule, libraryName,
                    StringComparison.InvariantCultureIgnoreCase));

            // FirstOrDefault yields default(Moduleentry32) when nothing matched — presumably a struct,
            // hence the comparer rather than a null check (TODO confirm). Reuses the
            // RetrieveLoadLibraryFailed status for a "module not found in target" condition.
            if (EqualityComparer<Moduleentry32>.Default.Equals(loadedModule, default(Moduleentry32)))
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.RetrieveLoadLibraryFailed);
            }

            // Load the DLL into the injector's own process to compute the export's offset.
            // NOTE(review): this runs the DLL's entry point in this process as well, and the
            // handle is never released.
            var targetDllHandle = LoadLibrary(targetDllFilename);
            if (targetDllHandle == IntPtr.Zero)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.CouldNotLoadTargetDll);
            }
            var runMethodOffset = _getProcAddress(targetDllHandle, "run");
            if (IntPtr.Zero == runMethodOffset)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.ExportedRunMethodNotFound);
            }
            // remote base + (local export address − local base). The explicit IntPtr→int casts can
            // throw OverflowException for 64-bit addresses that do not fit in 32 bits.
            var remoteRunMethodAddress = loadedModule.modBaseAddr + (int) runMethodOffset - (int) targetDllHandle;

            // Fire-and-forget: this thread is neither waited on nor is its handle closed.
            remoteThread = _createRemoteThread(hndProc, IntPtr.Zero, IntPtr.Zero, remoteRunMethodAddress, IntPtr.Zero, 0,
                IntPtr.Zero);
            if (IntPtr.Zero == remoteThread)
            {
                return new InjectorResult(InjectorResult.InjectorStatusCode.CreateRemoteRunThreadFailed);
            }

            // Only reached on success; see the remarks about the early-return handle leaks.
            _closeHandle(hndProc);
            // The success result carries the local LoadLibraryA address, not the remote run address.
            return new InjectorResult(lpLlAddress);
        }
    }
  156. }