#1
|
|||
|
|||
Loader and Patch Dll file in C#
hi
Loader in C# A project in C# language that you can patch in this program with this DLL file Code:
using System; using System.Collections.Generic; using System.Diagnostics; using System.Globalization; using System.Runtime.InteropServices; using System.Text; using System.Threading; namespace ConsoleApplication1 { class Program { [DllImport("kernel32.dll")] static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId); [DllImport("kernel32.dll")] static extern uint SuspendThread(IntPtr hThread); [DllImport("kernel32.dll")] static extern int ResumeThread(IntPtr hThread); [DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)] static extern bool CloseHandle(IntPtr handle); // [DllImport("kernel32.dll")] static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Boolean bInheritHandle, UInt32 dwProcessId); [DllImport("kernel32.dll")] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, uint lpNumberOfBytesWritten); [DllImport("kernel32.dll")] static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); [DllImport("kernel32.dll", SetLastError = true)] static extern bool WriteProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten); static IntPtr Handle; static IntPtr baseadd; const int MEM_COMMIT = 0x00001000; const int PAGE_READWRITE = 0x04; const int PROCESS_WM_READ = 0x0010; const int PAGE_EXECUTE_READ = 0x20; const int PAGE_READONLY = 0x02; const int PAGE_EXECUTE_READWRITE = 0x40; public enum ThreadAccess : int { TERMINATE = (0x0001), SUSPEND_RESUME = (0x0002), GET_CONTEXT = (0x0008), SET_CONTEXT = (0x0010), SET_INFORMATION = (0x0020), QUERY_INFORMATION = (0x0040), SET_THREAD_TOKEN = (0x0080), IMPERSONATE = (0x0100), DIRECT_IMPERSONATION = (0x0200) } [DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(IntPtr hProcess, Int64 lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead); // private static void SuspendProcess(int pid) { var process = Process.GetProcessById(pid); if (process.ProcessName == string.Empty) return; foreach (ProcessThread pT in process.Threads) { IntPtr pOpenThread = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)pT.Id); if (pOpenThread == IntPtr.Zero) { continue; } SuspendThread(pOpenThread); CloseHandle(pOpenThread); } } // public static void ResumeProcess(int pid) { var process = Process.GetProcessById(pid); if (process.ProcessName == string.Empty) return; foreach (ProcessThread pT in process.Threads) { IntPtr pOpenThread = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)pT.Id); if (pOpenThread == IntPtr.Zero) { continue; } var suspendCount = 0; do { suspendCount = ResumeThread(pOpenThread); } while (suspendCount > 0); CloseHandle(pOpenThread); } } // static Process prc; static bool v; static int b; static void Main(string[] args) { try { // string startupPath = @"C:\Test.exe"; using (Process myProcess = new Process()) { ProcessStartInfo myProcessStartInfo = new ProcessStartInfo(startupPath); myProcess.StartInfo = myProcessStartInfo; myProcess.Start(); main1: Thread.Sleep(1300); //SuspendProcess for Change byte SuspendProcess(myProcess.Id); ProcessModule myProcessModule; // Get all the modules associated with 'myProcess'. ProcessModuleCollection myProcessModuleCollection = myProcess.Modules; for (int i = 0; i < myProcessModuleCollection.Count; i++) { myProcessModule = myProcessModuleCollection[i]; if (myProcessModule.ModuleName == "test.dll") { Console.WriteLine(myProcessModule.ModuleName); } } //time deley //you change b += 20; ResumeProcess(myProcess.Id); Thread.Sleep(b); SuspendProcess(myProcess.Id); int m = 0; goto main1; } //byte orginal string hex_to_find = "2DE1630000"; byte[] hexfbytes = ConvertHexStringToByteArray(hex_to_find); //byte Changed string hex_replacewith = "83E8009090"; // just return true in ilcode byte[] hexreplacebytes = ConvertHexStringToByteArray(hex_replacewith); // // //prc.WaitForInputIdle(); Handle = prc.Handle; pat: foreach (ProcessModule module in prc.Modules) { //dll moduls if (string.Compare(module.ModuleName, "test.dll", true) == 0) { baseadd = module.BaseAddress + 0x1000; IntPtr bytesRead; byte[] buffer = new byte[module.ModuleMemorySize]; ReadProcessMemory((IntPtr)Handle, (Int64)baseadd, buffer, buffer.Length, out bytesRead); // for (int i = 0; i < (int)module.ModuleMemorySize; i++) { if (buffer[i + 0] == hexfbytes[0]) // first time check only one byte! { bool isfinded = true; for (int j = 0; j < hexfbytes.Length; j++) { if ((i + j) >= buffer.Length || buffer[i + j] != hexfbytes[j]) { isfinded = false; break; } } if (isfinded) { // if finded patch the memory: IntPtr lpAddressWhereToPatch = (IntPtr)((long)baseadd + (long)i); IntPtr numberofbyteswritten = IntPtr.Zero; bool is_write_ok = WriteProcessMemory(Handle, lpAddressWhereToPatch, hexreplacebytes, hexreplacebytes.Length, out numberofbyteswritten); v = true; break; } } } } } if (v ==false) { pat1: ResumeProcess(prc.Id); SuspendProcess(prc.Id); goto pat; goto pat1; ResumeProcess(prc.Id); } ResumeProcess(prc.Id); } catch (Exception ex) { ResumeProcess(prc.Id); prc.Close(); } } public static byte[] ConvertHexStringToByteArray(string hexString) { if (hexString.Length % 2 != 0) { throw new ArgumentException(String.Format(CultureInfo.InvariantCulture, "The binary key cannot have an odd number of digits: {0}", hexString)); } byte[] HexAsBytes = new byte[hexString.Length / 2]; for (int index = 0; index < HexAsBytes.Length; index++) { string byteValue = hexString.Substring(index * 2, 2); HexAsBytes[index] = byte.Parse(byteValue, NumberStyles.HexNumber, CultureInfo.InvariantCulture); } return HexAsBytes; } } } |
The Following 5 Users Say Thank You to mcr4ck For This Useful Post: | ||
Mahmoudnia (08-17-2022), niculaita (06-20-2022), NoneForce (06-20-2022), tacromx (11-30-2023) |
Thread Tools | |
Display Modes | |
|
|