
cscの作法 その42 dllinject

Last updated at Posted at 2020-10-27

概要

cscの作法、調べてみた。
dllinjectやってみた。
pidを指定するタイプやってみた。対象プロセスにDLLのパス文字列を書き込み、kernel32のLoadLibraryAを開始アドレスにしてリモートスレッドを作る、いわゆるLoadLibrary方式。LoadLibraryAのアドレスは自プロセスで引いたものをそのまま使うので、対象プロセスと同じビット数でビルドする必要がある。

サンプルコード

using System;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;

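class Test {
    // Minimal Win32 interop for a LoadLibrary-based DLL injector.
    // Flow: open the target -> allocate a buffer in it -> write the DLL path ->
    // start a remote thread at kernel32!LoadLibraryA(path) -> wait -> free.
    [Flags]
    enum AllocationType {
        MEM_COMMIT = 0x1000,
        MEM_RESERVE = 0x2000,
    }
    [Flags]
    enum MemoryProtection {
        PAGE_READWRITE = 0x04,
        PAGE_EXECUTE_READWRITE = 0x40,
    }
    [Flags]
    enum FreeType {
        MEM_RELEASE = 0x8000,
    }
    [Flags]
    enum DesiredAccess {
        PROCESS_ALL_ACCESS = 0x1fffff,
        PROCESS_QUERY_INFORMATION = 0x400,
        PROCESS_CREATE_THREAD = 0x2,
        PROCESS_VM_OPERATION = 0x8,
        PROCESS_VM_READ = 0x10,
        PROCESS_VM_WRITE = 0x20,
    }
    // WaitForSingleObject: return value when the object is signaled, and "no timeout".
    const uint WAIT_OBJECT_0 = 0;
    const uint INFINITE = 0xFFFFFFFF;

    // SetLastError = true on every import so Marshal.GetLastWin32Error() is meaningful
    // right after a failed call. CharSet.Ansi is the default, but it is spelled out on
    // the string-taking imports because the remote entry point is LoadLibraryA (ANSI).
    [DllImport("Kernel32.dll", SetLastError = true)]
    extern static IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
    [DllImport("Kernel32.dll", SetLastError = true)]
    extern static bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, FreeType dwFreeType);
    [DllImport("Kernel32.dll", SetLastError = true)]
    extern static IntPtr OpenProcess(DesiredAccess dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("Kernel32.dll", SetLastError = true)]
    extern static bool CloseHandle(IntPtr handle);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    extern static bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, String lpBuffer, uint nSize, IntPtr lpNumberOfBytesWritten);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    extern static IntPtr LoadLibrary(String lpFileName);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    extern static IntPtr GetProcAddress(IntPtr hModule, String lpProcName);
    [DllImport("kernel32.dll", SetLastError = true)]
    extern static IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    extern static uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    // Entry point. args[0] is the target process id (decimal).
    // Injects the hard-coded DLL path below into that process by creating a remote
    // thread whose start address is LoadLibraryA and whose argument is the path.
    // Every Win32 call is checked; on failure the API name and error code go to stderr
    // and all handles / remote memory acquired so far are released.
    static void Main(string[] args) {
        if (args.Length < 1) {
            Console.Error.WriteLine("usage: dllinject <pid>");
            return;
        }
        uint pid;
        if (!uint.TryParse(args[0], out pid)) {
            Console.Error.WriteLine("pid must be a non-negative integer: " + args[0]);
            return;
        }
        String dllpath = "c:\\ore\\c\\spy.dll";
        // LoadLibraryA reads a NUL-terminated string, so the remote buffer is the
        // encoded length plus one. The string is marshaled as ANSI; the UTF-8 count
        // only matches for an ASCII path, which this hard-coded one is.
        uint bufSize = (uint) Encoding.GetEncoding("UTF-8").GetByteCount(dllpath) + 1;

        // Least privilege: request only the rights the calls below need
        // (CreateRemoteThread wants CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION,
        // VM_WRITE and VM_READ) instead of PROCESS_ALL_ACCESS.
        DesiredAccess rights = DesiredAccess.PROCESS_CREATE_THREAD
            | DesiredAccess.PROCESS_QUERY_INFORMATION
            | DesiredAccess.PROCESS_VM_OPERATION
            | DesiredAccess.PROCESS_VM_READ
            | DesiredAccess.PROCESS_VM_WRITE;
        IntPtr hProc = OpenProcess(rights, false, pid);
        if (hProc == IntPtr.Zero) {
            Fail("OpenProcess");
            return;
        }

        IntPtr remoteBuf = IntPtr.Zero;
        IntPtr hThread = IntPtr.Zero;
        try {
            // The buffer only ever holds a path string and is never executed, so
            // PAGE_READWRITE is sufficient; an RWX allocation is neither needed nor wise.
            remoteBuf = VirtualAllocEx(hProc, IntPtr.Zero, bufSize, AllocationType.MEM_COMMIT | AllocationType.MEM_RESERVE, MemoryProtection.PAGE_READWRITE);
            if (remoteBuf == IntPtr.Zero) {
                Fail("VirtualAllocEx");
                return;
            }
            if (!WriteProcessMemory(hProc, remoteBuf, dllpath, bufSize, IntPtr.Zero)) {
                Fail("WriteProcessMemory");
                return;
            }

            // The LoadLibraryA address resolved in this process is reused as the remote
            // start address; this relies on kernel32 being mapped at the same base in the
            // target, i.e. the target must have the same bitness as this injector.
            IntPtr hKernel32 = LoadLibrary("kernel32.dll");
            IntPtr loadLibraryA = hKernel32 == IntPtr.Zero ? IntPtr.Zero : GetProcAddress(hKernel32, "LoadLibraryA");
            if (loadLibraryA == IntPtr.Zero) {
                Fail("GetProcAddress(LoadLibraryA)");
                return;
            }

            hThread = CreateRemoteThread(hProc, IntPtr.Zero, 0, loadLibraryA, remoteBuf, 0, IntPtr.Zero);
            if (hThread == IntPtr.Zero) {
                Fail("CreateRemoteThread");
                return;
            }
            // The remote thread reads remoteBuf asynchronously. Freeing the buffer before
            // the thread has finished (as the original did) hands LoadLibraryA a dangling
            // pointer, so wait for it first.
            if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
                Fail("WaitForSingleObject");
            }
        } finally {
            if (hThread != IntPtr.Zero) {
                CloseHandle(hThread);
            }
            // MEM_RELEASE requires dwSize == 0; passing the buffer length makes the
            // call fail with ERROR_INVALID_PARAMETER and leaks the allocation.
            if (remoteBuf != IntPtr.Zero) {
                VirtualFreeEx(hProc, remoteBuf, 0, FreeType.MEM_RELEASE);
            }
            CloseHandle(hProc);
        }
    }

    // Reports the failing API and the Win32 error of the call that just returned.
    // Must be invoked immediately after the failed P/Invoke, before any other call
    // can overwrite the thread's last-error value.
    static void Fail(String api) {
        Console.Error.WriteLine(api + " failed, Win32 error " + Marshal.GetLastWin32Error());
    }
}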





以上。
