Advertisement
Guest User

Injector Class [VB.Net]

a guest
Jan 5th, 2013
106
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VB.NET 8.73 KB | None | 0 0
  1. #Region "Injectoc"
  2.  
  3. #Region "Imports"
  4. Imports System.Runtime.InteropServices 'for marshaling unmanaged return types.
  5. #End Region
  6.  
  7. Public Class Injectoc
  8.  
  9. #Region "API Declarations"
  10.  
  11.     Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As Integer
  12.  
  13.     Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
  14.  
  15.     Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal dwFreeType As Integer) As <MarshalAs(UnmanagedType.Bool)> Boolean
  16.  
  17.     Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
  18.  
  19.     Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
  20.  
  21.     Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
  22.  
  23.     Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
  24.  
  25.     Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
  26.  
  27.     Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
  28.  
  29.     Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Integer, <Out()> ByRef lpExitCode As UInt32) As <MarshalAs(UnmanagedType.Bool)> Boolean
  30.  
  31. #End Region
  32.  
  33. #Region "Dispose/Die"
  34.     'Private Function Die(Optional ByVal hProc As Integer = Nothing, Optional ByVal libThread As Integer = Nothing) As Boolean
  35.     '
  36.     ' If Not hProc = Nothing Then CloseHandle(hProc)
  37.     '
  38.     '   If Not libThread = Nothing Then CloseHandle(libThread)
  39.     '
  40.     '   Return False
  41.     '
  42.     'End Function
  43. #End Region
  44.  
  45. #Region "LoadLibraryEx"
  46.     Public Shared Function LoadLibraryEx(ByVal hProcess As Integer, ByVal lpFileName As String) As UInt32
  47.         If Not IO.File.Exists(lpFileName) OrElse IntPtr.Size = 8 Then Return 0 'first thing: Make sure the file exists, and we're compiled in x86
  48.  
  49.         Dim bFileName As Byte() = System.Text.Encoding.ASCII.GetBytes(lpFileName + ControlChars.NullChar) 'convert the string to chars (add a nullbyte)
  50.         Dim lpFileAddress As Integer = VirtualAllocEx(hProcess, 0, bFileName.Length, &H1000, &H4) 'allocate the memory to put our char array in.
  51.         If lpFileAddress = 0 Then Return 0
  52.  
  53.         Dim writeSuccess As Integer = WriteProcessMemory(hProcess, lpFileAddress, bFileName, bFileName.Length, 0) 'write our chars to the process.
  54.         If writeSuccess = 0 Then Return 0
  55.  
  56.         Dim lpLoadLibrary As Integer = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA") 'find where LoadLibrary is located
  57.         If lpLoadLibrary = 0 Then Return 0 'if for some reason we couldn't get it.
  58.  
  59.         Dim libThread As Integer = CreateRemoteThread(hProcess, 0, 0, lpLoadLibrary, lpFileAddress, 0, 0) 'execute loadlibrary in the remote process.
  60.         If libThread = 0 Then Return False
  61.         Dim waitVal As Integer = WaitForSingleObject(libThread, 10000) 'wait up to 10 seconds for the thread to return.
  62.         '(be warned, if the target DLL puts a messagebox in DllMain and the user doesn't click it in 10 seconds, this function will return 0 so edit the wait time if you want.
  63.         If Not waitVal = &H0UI Then Return CloseHandle(libThread) < Int32.MinValue 'simple trick to close the handle and simultaneously return 0.
  64.  
  65.         Dim hModule As UInt32 = 0 'prepare our hModule holder.
  66.         If Not GetExitCodeThread(libThread, hModule) Then Return CloseHandle(libThread) < Int32.MinValue 'try to get the thread return value
  67.         VirtualFreeEx(hProcess, lpFileAddress, 0, &H8000) 'dont bother checking the return value of VF, we've successfully injected and if the memory fails to free there's nothing we can do.
  68.  
  69.         CloseHandle(libThread) 'dispose our thread handle, we're done with it.
  70.         Return hModule
  71.     End Function
  72. #End Region
  73.  
  74. #Region "Inject"
  75.  
  76.     Public Shared Function InjectDll(ByVal dwProcID As Integer, ByVal lpFileName As String) As UInt32
  77.         Dim hProc As Integer = OpenProcess(&H42A, True, dwProcID) 'open the process with a combination of PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION.
  78.         If hProc = 0 Then Return 0 'if unable to obtain a handle, quit.
  79.         Dim hModule As UInt32 = LoadLibraryEx(hProc, lpFileName) 'try and load the library
  80.         CloseHandle(hProc) 'finished our use with the handle, dispose of it.
  81.         Return hModule
  82.     End Function
  83.  
  84.  
  85.     '--------------------------------------------------------------------------------------------------------
  86.  
  87.     ' Private Function InjectDll(ByVal processID As Integer, ByVal dllLocation As String) As Boolean
  88.     '
  89.     'If Not IO.File.Exists(dllLocation) Then Return False 'if the dll doesn't exist, no point in continuing. So we return false.
  90.     '
  91.     'If IntPtr.Size = 8 Then Return False 'If the size of an IntPtr is 8, then is program was compiled as x64. x64 processes can't access x86 processes properly, so we just return false. You need to compile this program as x86.
  92.     '
  93.     'Dim hProcess As Integer = OpenProcess(&H1F0FFF, 1, processID) 'We'll open the process specified by the input process ID. With PROCESS_ALL_ACCESS access, seeing as we only need to write.
  94.     'If hProcess = 0 Then Return Die() 'If we didn't get the handle, we exit and return false. No cleanup so no params for die()
  95.     '
  96.     'Dim dllBytes As Byte() = System.Text.Encoding.ASCII.GetBytes(dllLocation + ControlChars.NullChar) 'As I mentioned earlier, we have to write the dll location as bytes to the process memory, so we take the bytes of the string using the standard encoding, adding a null byte at the end.
  97.     '    Dim pathLocation As Integer = VirtualAllocEx(hProcess, 0, dllBytes.Length, &H1000, &H4) 'Allocate memory the size of the string we need to write to memory. pathLocation now holds the address of where the memory was allocated.
  98.     '       If pathLocation = Nothing Then Return Die(hProcess) 'VirtualAllocEx returns Nothing when it fails, so we check for that and return false if we find it. We've opened a process handle so we have to pass that to Die to clean it up.
  99.     '
  100.     '    Dim wpm As Integer = WriteProcessMemory(hProcess, pathLocation, dllBytes, dllBytes.Length, 0) 'write the contents of dllBytes to the memory allocated at pathLocation.
  101.     '       If wpm = 0 Then Return Die(hProcess) ' WriteProcessMemory returns 0 if it fails.
  102.     '
  103.     '    Dim kernelMod As Integer = GetModuleHandle("kernel32.dll") 'Remember what I was saying about kernel32 being loaded into the same address space for every normal process? This means we don't have to do any fancy crap to find its location in our target process, we can get the location in our own process and safely assume it will be the same for all process. This means we can use GetModuleHandle, which only works internally.
  104.     '   Dim loadLibAddr As Integer = GetProcAddress(kernelMod, "LoadLibraryA") ' GetProcAddress gives us the address of the specified function within the module.
  105.     '      If loadLibAddr = 0 Then Return Die(hProcess) 'If GetProcAddress failed it'll return 0.
  106.     '
  107.     '   Dim procThread As Integer = CreateRemoteThread(hProcess, 0, 0, loadLibAddr, pathLocation, 0, 0) 'Okay, this is the thread creation. We pass our process handle to tell what process to create the thread on. the third param is the handle of the function to call. In this case we choose the LoadLibrary function. The next param is the arguments to pass to the function (omg remember we wrote that to memory? NOW WE PASS THE ADDRESS BACK!)
  108.     '      If procThread = 0 Then Return Die(hProcess) 'unable to create the thread. Return false
  109.     '
  110.     '  Dim waitVal As Integer = WaitForSingleObject(procThread, 5000) 'allow the LoadLibrary function 5 seconds to process.
  111.     '     If Not waitVal = &H0UI Then Return Die(hProcess, procThread) 'Function didn't signal completion. Fuck that shit abort ABORT
  112.     '
  113.     '   CloseHandle(procThread) 'close the handle to the LoadLibrary function
  114.     '
  115.     '   CloseHandle(hProcess) 'close the handle to the process
  116.     '
  117.     '   Return True 'made it, yay.
  118.     '
  119.     'End Function
  120. #End Region
  121.  
  122. End Class
  123.  
  124. #End Region
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement