RAMvader
1.4
A .NET library which provides access to other processes' memory space.
Implements the logic behind the injection of code caves and variables into a target process' memory space. More...
Inherits RAMvader.NotifyPropertyChangedAdapter.
Public Member Functions | |
Injector () | |
Constructor. The constructor of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> class checks the code caves and variables for consistency, throwing an exception if there is any error found. More... | |
void | SetTargetProcess (Target targetProc) |
Initializes or modifies the reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process. More... | |
Target | GetTargetProcess () |
Retrieves the current reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process. More... | |
void | SetCodeCavesSeparationBytes (params byte[] byteSeq) |
Modifies the sequence of bytes used to separate two consecutive code caves. More... | |
byte [] | GetCodeCavesSeparationBytes () |
Retrieves the sequence of bytes used to separate two consecutive code caves. More... | |
void | SetVariablesSectionSeparationBytes (params byte[] byteSeq) |
Modifies the sequence of bytes used to separate the injected code caves section from the injected variables section. More... | |
byte [] | GetVariablesSectionSeparationBytes () |
Retrieves the sequence of bytes used to separate the injected code caves section from the injected variables section. More... | |
IntPtr | GetBaseInjectionAddress () |
Retrieves the address where the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> has injected its data on the target process. More... | |
int | GetCodeCaveOffset (TCodeCave codeCaveID) |
Retrieves the offset of a given code cave, relative to the base injection address into the target process' memory space. More... | |
AbsoluteMemoryAddress | GetInjectedCodeCaveAddress (TCodeCave codeCaveID) |
Retrieves the address of an injected code cave. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables. More... | |
byte [] | GetInjectedCodeCaveAddressAsBytes (TCodeCave codeCaveID) |
Retrieves the address of an injected code cave, represented as bytes stored in the target process' memory space. More... | |
bool | IsCodeCaveInjected (TCodeCave caveID) |
Verifies if a given code cave has been injected by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> on the target process' memory space. More... | |
int | GetVariableOffset (TVariable varID) |
Retrieves the offset of a given variable, relative to the base injection address into the target process' memory space. More... | |
AbsoluteMemoryAddress | GetInjectedVariableAddress (TVariable varID) |
Retrieves the address of an injected variable. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables. More... | |
byte [] | GetInjectedVariableAddressAsBytes (TVariable varID) |
Retrieves the address of an injected variable, represented as bytes stored in the target process' memory space. More... | |
bool | IsVariableInjected (TVariable varID) |
Verifies if a given variable has been injected by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> on the target process' memory space. More... | |
int | GetVariableSize (TVariable varID) |
Retrieves the size of a given injection variable. More... | |
int | CalculateRequiredBytesCount () |
Calculates the total number of required bytes to inject the code caves and variables into the target process' memory space. This calculation takes into consideration the separation bytes between two consecutive code caves, the separation between the code caves section and the variables section, and the size of each of the injection variables. | |
void | AddMemoryAlteration (TMemoryAlterationSetID memoryAlterationSetID, MemoryAlterationBase memoryAlteration) |
Adds a memory alteration to the set of alterations related to a given identifier. Memory alteration sets are kept as a list, and this method adds a memory alteration to the end of this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier. | |
bool | RemoveMemoryAlteration (TMemoryAlterationSetID memoryAlterationSetID, MemoryAlterationBase memoryAlteration) |
Removes a memory alteration from the set of alterations related to a given identifier. Memory alteration sets are kept as a list, and this method removes a memory alteration from this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier. | |
IEnumerable< MemoryAlterationBase > | GetMemoryAlterations (TMemoryAlterationSetID memoryAlterationSetID) |
Returns an enumerable object containing all memory alterations registered for a given memory alteration set. More... | |
bool | SetMemoryAlterationsActive (TMemoryAlterationSetID memoryAlterationSetID, bool bActivate) |
Activates or deactivates all the memory alterations registered for a given memory alterations set. More... | |
bool | SetAllMemoryAlterationsActive (bool bActivate) |
Activates or deactivates all the memory alterations registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. More... | |
CodeCaveBuilder< TMemoryAlterationSetID, TCodeCave, TVariable > | NewCodeCave () |
Instantiates a CodeCaveBuilder<TMemoryAlterationSetID, TCodeCave, TVariable> to allow for the creation of a new code cave that can be used with this Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. More... | |
void | Inject () |
Allocates memory into the target process' memory space and injects the code caves and variables into that allocated memory. More... | |
void | Inject (MemoryAddress baseInjectionAddress) |
int | GetCurrentInjectionOffset () |
Called during the injection procedure to retrieve the number of bytes already generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs which need to use the current injection position, mainly to generate branching instructions (which need to know their exact address when they need to be generated). More... | |
void | IncreaseCurrentInjectionOffset (int increase) |
Called during the injection procedure to increase the number of bytes already generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs to report changes which should be made to the current injection position, mainly to allow for the generation of branching instructions (which need to know their exact address when they are generated). | |
IntPtr | GetCurrentInjectionAddress () |
void | ResetAllocatedMemoryData () |
Resets the internal data of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> regarding the memory region where it has injected its data. This method should be called whenever the target process is terminated or whenever the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> object needs to deallocate the memory it has allocated on the target process. More... | |
bool | WriteX86BranchInstruction (EX86BranchInstructionType instructionType, MemoryAddress branchPoint, MemoryAddress targetAddress, int instructionSize=X86Constants.INSTRUCTION_SIZE_ANY) |
Writes an x86 branch instruction at a specific point of the target process' memory space to enable the process' execution flow to be branched to another specific address. | |
bool | WriteVariableValue (TVariable variableID, object newValue) |
Updates the value of a given variable into the target process' memory. This method is safe, as it checks the given variable's metadata against the given value's type to see if it matches the variable's type before updating the variable's value. More... | |
bool | ReadVariableValue< T > (TVariable variableID, ref T outDestiny) |
Reads the current value of a given variable from the target process' memory. This method is safe, as it checks the given variable's metadata against the given output variable's type to see if it matches the injected variable's type before reading the output value. More... | |
void | SetCodeCaveDefinition (TCodeCave caveId, CodeCaveDefinition< TMemoryAlterationSetID, TCodeCave, TVariable > definition) |
void | SetVariableDefinition (TVariable varId, VariableDefinition definition) |
CodeCaveDefinition< TMemoryAlterationSetID, TCodeCave, TVariable > | GetCodeCaveDefinition (TCodeCave caveId) |
Retrieves the definition of the given code cave, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any. More... | |
VariableDefinition | GetVariableDefinition (TVariable varId) |
Retrieves the definition of the given injection variable, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any. More... | |
bool | ClearCodeCaveDefinition (TCodeCave caveId) |
bool | ClearVariableDefinition (TVariable varId) |
void | ClearAllCodeCaveDefinitions () |
void | ClearAllVariableDefinitions () |
Static Public Member Functions | |
static byte [] | GetX86BranchInstructionBytes (EX86BranchInstructionType instructionType, MemoryAddress branchInstructionAddress, MemoryAddress targetInstructionAddress, int instructionSize=X86Constants.INSTRUCTION_SIZE_ANY) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to an x86 branch instruction, such as CALL, JMP, or a JCC ("conditional jump") instruction. | |
Properties | |
IntPtr | BaseInjectionAddress [get] |
Keeps the base address of the memory which was allocated for the target process. Backed by the m_baseInjectionAddress field. More... | |
bool | IsInjected [get] |
A flag that is set to true whenever the Inject() (or Inject(MemoryAddress)) method is called and succeeds, and set to false whenever the ResetAllocatedMemoryData method gets called. | |
Target | TargetProcess [get] |
The object used to attach to the target process, so that the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> can perform I/O operations into the target process' memory. Backed by the m_targetProcess field. More... | |
int | RequiredBytesCount [get] |
The total number of required bytes to inject the code caves and variables into the target process' memory space, as calculated by a call to the method CalculateRequiredBytesCount. More... | |
NestedPropertyIndexerCodeCaveOffset | CodeCaveOffset [get] |
Indexer property used to access the code cave offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetCodeCaveOffset(TCodeCave) internally. Backed by the m_codeCaveOffset field. More... | |
NestedPropertyIndexerInjectedCodeCaveAddress | InjectedCodeCaveAddress [get] |
Indexer property used to access the address where a code cave has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedCodeCaveAddress(TCodeCave) internally. Backed by the m_injectedCodeCaveAddress field. More... | |
NestedPropertyIndexerVariableOffset | VariableOffset [get] |
Indexer property used to access variable offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableOffset(TVariable) internally. Backed by the m_variableOffset field. More... | |
NestedPropertyIndexerInjectedVariableAddress | InjectedVariableAddress [get] |
Indexer property used to access the address where a variable has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedVariableAddress(TVariable) internally. Backed by the m_injectedVariableAddress field. More... | |
NestedPropertyIndexerVariableSize | VariableSize [get] |
Indexer property used to retrieve the size of a variable, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableSize(TVariable) internally. Backed by the m_variableSize field. More... | |
Additional Inherited Members | |
Protected Member Functions inherited from RAMvader.NotifyPropertyChangedAdapter | |
void | SendPropertyChangedNotification ([CallerMemberName] string propertyName="") |
This method should be called inside PROPERTY SETTER METHODS to notify listeners of the "property changed" event that the property has been updated. More... | |
Events inherited from RAMvader.NotifyPropertyChangedAdapter | |
PropertyChangedEventHandler | PropertyChanged |
Used for implementing the INotifyPropertyChanged interface. More... | |
Implements the logic behind the injection of code caves and variables into a target process' memory space.
TMemoryAlterationSetID | An enumerated type which specifies the identifiers for Memory Alteration Sets that can be enabled or disabled into the target process' memory space. |
TCodeCave | An enumerated type which specifies the identifiers for code caves. |
TVariable | An enumerated type which specifies the identifiers for variables to be injected at the target process. |
RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.Injector | ( | ) |
Constructor. The constructor of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> class checks the code caves and variables for consistency, throwing an exception if there is any error found.
UnsupportedDataTypeException | Thrown if any of the injection variables (enumerators of the type TVariable ) has a data type that is not supported by the RAMvader library. |
InjectorGenericParametersException | Thrown in cases where there are any errors with the generic types defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. The types TMemoryAlterationSetID , TCodeCave and TVariable MUST be enumerations. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.AddMemoryAlteration | ( | TMemoryAlterationSetID | memoryAlterationSetID, |
MemoryAlterationBase | memoryAlteration | ||
) |
Adds a memory alteration to the set of alterations related to a given identifier. Memory alteration sets are kept as a list, and this method adds a memory alteration to the end of this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
memoryAlteration | An object representing the memory alteration that should be added to the given set. |
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.CalculateRequiredBytesCount | ( | ) |
Calculates the total number of required bytes to inject the code caves and variables into the target process' memory space. This calculation takes into consideration the separation bytes between two consecutive code caves, the separation between the code caves section and the variables section, and the size of each of the injection variables.
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearAllCodeCaveDefinitions | ( | ) |
Clears the definition of all code caves, effectively making all of them "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the code caves from being injected in the target process' memory space - as their definition will be voided - until they get redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearAllVariableDefinitions | ( | ) |
Clears the definition of all injection variables, effectively making all of them "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the injection variables from being injected in the target process' memory space - as their definition will be voided - until they get redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearCodeCaveDefinition | ( | TCodeCave | caveId | ) |
Clears the definition of a specific code cave, effectively making it "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the code cave from being injected in the target process' memory space - as its definition will be voided - until it gets redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
caveId | The code cave whose definition will be cleared. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearVariableDefinition | ( | TVariable | varId | ) |
Clears the definition of a specific injection variable, effectively making it "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the injection variable from being injected in the target process' memory space - as its definition will be voided - until it gets redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
varId | The injection variable whose definition will be cleared. |
IntPtr RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetBaseInjectionAddress | ( | ) |
Retrieves the address where the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> has injected its data on the target process.
CodeCaveDefinition<TMemoryAlterationSetID, TCodeCave, TVariable> RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCodeCaveDefinition | ( | TCodeCave | caveId | ) |
Retrieves the definition of the given code cave, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any.
caveId | The identifier of the code cave whose definition is to be retrieved. |
In case of failure, returns
.
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCodeCaveOffset | ( | TCodeCave | codeCaveID | ) |
Retrieves the offset of a given code cave, relative to the base injection address into the target process' memory space.
codeCaveID | The identifier of the code cave. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCodeCavesSeparationBytes | ( | ) |
Retrieves the sequence of bytes used to separate two consecutive code caves.
IntPtr RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCurrentInjectionAddress | ( | ) |
Called during the injection procedure to retrieve the address right after the last byte generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs which need to use the current injection position, mainly to generate branching instructions.
The return value of this method is effectively the sum of BaseInjectionAddress and the return value of the GetCurrentInjectionOffset method.
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCurrentInjectionOffset | ( | ) |
Called during the injection procedure to retrieve the number of bytes already generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs which need to use the current injection position, mainly to generate branching instructions (which need to know their exact address when they need to be generated).
If the injection procedure hasn't started yet, or the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> finds itself in "not injected" state, the return value is zero.
If this method is called after a successful injection procedure, the return value is the total number of injected bytes (which is effectively the same result as calling CalculateRequiredBytesCount).
If this method is called during the injection procedure (which is usually done when processing CodeCaveArtifact<TMemoryAlterationSetID, TCodeCave, TVariable> objects that compose the code caves to be injected), the return value is the total number of bytes that have been injected so far by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
AbsoluteMemoryAddress RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedCodeCaveAddress | ( | TCodeCave | codeCaveID | ) |
Retrieves the address of an injected code cave. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables.
codeCaveID | The identifier of the target code cave. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedCodeCaveAddressAsBytes | ( | TCodeCave | codeCaveID | ) |
Retrieves the address of an injected code cave, represented as bytes stored in the target process' memory space.
codeCaveID | The identifier of the target code cave. |
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
AbsoluteMemoryAddress RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedVariableAddress | ( | TVariable | varID | ) |
Retrieves the address of an injected variable. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables.
varID | The identifier of the target variable. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedVariableAddressAsBytes | ( | TVariable | varID | ) |
Retrieves the address of an injected variable, represented as bytes stored in the target process' memory space.
varID | The identifier of the target variable. |
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
IEnumerable<MemoryAlterationBase> RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetMemoryAlterations | ( | TMemoryAlterationSetID | memoryAlterationSetID | ) |
Returns an enumerable object containing all memory alterations registered for a given memory alteration set.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
Target RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetTargetProcess | ( | ) |
Retrieves the current reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process.
VariableDefinition RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariableDefinition | ( | TVariable | varId | ) |
Retrieves the definition of the given injection variable, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any.
varId | The identifier of the injection variable whose definition is to be retrieved. |
In case of failure, returns
.
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariableOffset | ( | TVariable | varID | ) |
Retrieves the offset of a given variable, relative to the base injection address into the target process' memory space.
varID | The identifier of the variable whose offset is to be retrieved. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariableSize | ( | TVariable | varID | ) |
Retrieves the size of a given injection variable.
varID | The identifier of the variable whose size is to be retrieved. |
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariablesSectionSeparationBytes | ( | ) |
Retrieves the sequence of bytes used to separate the injected code caves section from the injected variables section.
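static byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetX86BranchInstructionBytes | ( | EX86BranchInstructionType | instructionType, |
MemoryAddress | branchInstructionAddress, | ||
MemoryAddress | targetInstructionAddress, | ||
int | instructionSize = X86Constants.INSTRUCTION_SIZE_ANY | ||
) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to an x86 branch instruction, such as CALL, JMP, or a JCC ("conditional jump") instruction.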
instructionType | The specific type of branch instruction to be generated. |
branchInstructionAddress | The address where the branch instruction is supposed to be placed in the target process' memory space. |
targetInstructionAddress | The address to which the placed branch instruction will direct the target process' execution flow. |
instructionSize | When replacing an instruction in a target process' memory space by a branch instruction, this parameter specifies the size of the instruction to be replaced. If this size is larger than the size of the branch instruction, the remaining bytes are filled with NOP opcodes in the returned bytes sequence, so that the branch instruction might replace other instructions while keeping the consistency of its surrounding instructions when the flow of code returns from the branch (if that ever happens). |
If the size does not matter, X86Constants.INSTRUCTION_SIZE_ANY can be used.
UnsupportedInstructionGenerationException | Thrown when the instruction cannot be generated, because the given instruction type does not exist or has not been implemented. |
IllegalInstructionGenerationException | Thrown when the instruction cannot be generated, because the generated instruction would be illegal somehow. |
InstructionTooLargeException | Thrown when the given instruction size is less than the size required to generate the instruction. |
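The byte layout described above, worked through for the CALL/JMP rel32 case with NOP padding, plus the inverse check that decodes where a branch at a known address lands. This is an added example, not RAMvader's own code: the `Rel32Branch` class, its members, the `is64Bit` flag, the `SizeAny` value and the sample addresses are all assumptions made for illustration, and standard .NET exceptions stand in for the library's exception types.

```csharp
using System;

// Added illustration, not RAMvader source. All type and member names are hypothetical.
public static class Rel32Branch
{
    public const byte OpcodeCall = 0xE8; // CALL rel32
    public const byte OpcodeJmp  = 0xE9; // JMP rel32
    public const byte OpcodeNop  = 0x90; // NOP
    public const int  BranchSize = 5;    // one opcode byte + 32-bit displacement
    public const int  SizeAny    = -1;   // assumed stand-in for X86Constants.INSTRUCTION_SIZE_ANY

    // Builds the bytes of a rel32 branch placed at branchAddress that transfers
    // control to targetAddress, padded with NOPs up to instructionSize.
    public static byte[] Encode(byte opcode, long branchAddress, long targetAddress,
                                bool is64Bit, int instructionSize = SizeAny)
    {
        if (opcode != OpcodeCall && opcode != OpcodeJmp)
            throw new NotSupportedException("Only CALL rel32 and JMP rel32 are handled here.");
        if (instructionSize == SizeAny)
            instructionSize = BranchSize;
        if (instructionSize < BranchSize)
            throw new ArgumentException("The given size is smaller than the branch itself.",
                                        nameof(instructionSize));

        // rel32 is measured from the address of the instruction following the branch.
        long delta = targetAddress - (branchAddress + BranchSize);
        int displacement;
        if (is64Bit)
        {
            // In 64-bit mode the target must lie within a signed 32-bit distance.
            if (delta < int.MinValue || delta > int.MaxValue)
                throw new ArgumentOutOfRangeException(nameof(targetAddress),
                                                      "Target is outside rel32 range.");
            displacement = (int)delta;
        }
        else
        {
            // 32-bit address arithmetic wraps modulo 2^32, so any target is reachable.
            displacement = unchecked((int)(uint)delta);
        }

        byte[] bytes = new byte[instructionSize];
        bytes[0] = opcode;
        for (int i = 0; i < 4; i++) // x86 stores the displacement little-endian
            bytes[1 + i] = unchecked((byte)(displacement >> (8 * i)));
        for (int i = BranchSize; i < bytes.Length; i++)
            bytes[i] = OpcodeNop;   // keeps the following instructions aligned
        return bytes;
    }

    // Inverse operation: given bytes read at branchAddress, reports where a
    // CALL/JMP rel32 found there would transfer control.
    public static bool TryDecodeTarget(byte[] bytes, long branchAddress, bool is64Bit,
                                       out long targetAddress)
    {
        targetAddress = 0;
        if (bytes == null || bytes.Length < BranchSize)
            return false;
        if (bytes[0] != OpcodeCall && bytes[0] != OpcodeJmp)
            return false;

        int displacement = bytes[1] | (bytes[2] << 8) | (bytes[3] << 16) | (bytes[4] << 24);
        long next = branchAddress + BranchSize + displacement;
        targetAddress = is64Bit ? next : (long)unchecked((uint)next);
        return true;
    }

    public static void Main()
    {
        // Constructed addresses, for illustration only.
        long site = 0x00401000; // where a 7-byte instruction is being replaced
        long cave = 0x00A50000; // where execution should continue

        byte[] patch = Encode(OpcodeJmp, site, cave, is64Bit: false, instructionSize: 7);
        Console.WriteLine(BitConverter.ToString(patch));

        if (TryDecodeTarget(patch, site, false, out long landed))
            Console.WriteLine("branch at 0x{0:X8} lands at 0x{1:X8}", site, landed);

        try
        {
            Encode(OpcodeJmp, site, cave, is64Bit: false, instructionSize: 3);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message); // size below the 5-byte minimum
        }

        try
        {
            Encode(OpcodeJmp, 0x7FF600001000, 0x000001A000000000, is64Bit: true);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message); // beyond signed 32-bit reach
        }
    }
}
```

The decode half is the same arithmetic a memory-integrity check uses: read the bytes at a function's entry point, and if they decode to a branch whose target lies outside the module's own mapped range, the code has been redirected.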
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.IncreaseCurrentInjectionOffset | ( | int | increase | ) |
Called during the injection procedure to increase the number of bytes already generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs to report changes which should be made to the current injection position, mainly to allow for the generation of branching instructions (which need to know their exact address when they are generated).
increase | The amount of bytes to increase for the internal count of the injection offset value. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.Inject | ( | ) |
Allocates memory into the target process' memory space and injects the code caves and variables into that allocated memory.
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
InstanceNotAttachedException | Thrown when the Target instance has not been attached to a target process before the method is called. |
VirtualMemoryAllocationException | Thrown when the method cannot allocate virtual memory in the target process' memory space, to inject the data in the target process. Some software might implement security schemes that prevent you from allocating virtual memory in it, which in turn might require you to use manual injection of data (see Inject(MemoryAddress)). |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.Inject | ( | MemoryAddress | baseInjectionAddress | ) |
Injects the code caves and variables into the target process' memory space. This overloaded version of the Inject() method can be used to Inject the code caves into a specific point of the target process' memory space. Notice, though, that for the code caves to work correctly, they need to be injected into a memory region with appropriate permissions. Those are usually READ+WRITE+EXECUTE permissions (READ+WRITE for injected variables and EXECUTE for allowing the target process to execute the code caves). If you need to calculate the total number of bytes required by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to inject the code caves and variables, see CalculateRequiredBytesCount.
Notice that you should not use the InjectedCodeCaveMemoryAddress<TMemoryAlterationSetID, TCodeCave, TVariable> and InjectedVariableMemoryAddress<TMemoryAlterationSetID, TCodeCave, TVariable> classes to specify the injection point for this method, because for these classes to solve the right base address, they would require a previous injection to have happened already.
baseInjectionAddress | The address - into the target process' memory space - where the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> will Inject the code caves and variables. A value of "IntPtr.Zero" will cause the method to exit without any effect on the target process' memory space. |
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
InstanceNotAttachedException | Thrown when the Target instance has not been attached to a target process before the method is called. |
RequiredWriteException | Thrown when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> fails to write the injection data in the target process' memory space. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.IsCodeCaveInjected | ( | TCodeCave | caveID | ) |
Verifies if a given code cave has been injected by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> on the target process' memory space.
caveID | The code cave whose injection needs to be verified. |
NullReferenceException | Thrown when the TargetProcess hasn't been set for this Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.IsVariableInjected | ( | TVariable | varID | ) |
Verifies if a given variable has been injected by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> on the target process' memory space.
varID | The variable whose injection needs to be verified. |
NullReferenceException | Thrown when the TargetProcess hasn't been set for this Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. |
CodeCaveBuilder<TMemoryAlterationSetID,TCodeCave,TVariable> RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.NewCodeCave | ( | ) |
Instantiates a CodeCaveBuilder<TMemoryAlterationSetID, TCodeCave, TVariable> to allow for the creation of a new code cave that can be used with this Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ReadVariableValue< T > | ( | TVariable | variableID, |
ref T | outDestiny | ||
) |
Reads the current value of a given variable from the target process' memory. This method is safe, as it checks the given variable's metadata against the given output variable's type to see if it matches the injected variable's type before reading the output value.
T | The type of the variable to be read, which must match the type of the injected variable. |
variableID | The identifier of the variable whose value is to be read from the target process' memory space. |
outDestiny | The result of the reading will be stored in this variable. The referenced variable's data must be of the same type as declared for the variable defined in parameter variableID. |
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
InstanceNotAttachedException | Thrown when the Target instance has not been attached to a target process before the method is called. |
InjectionArtifactNotFoundException | Thrown when the variable has not been injected in the target process' memory space. This happens when the variable has no definition (VariableDefinition) registered for it with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.RemoveMemoryAlteration | ( | TMemoryAlterationSetID | memoryAlterationSetID, |
MemoryAlterationBase | memoryAlteration | ||
) |
Removes a memory alteration from the set of alterations related to a given identifier. Memory alteration sets are kept in a list, and this method removes a memory alteration from this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
memoryAlteration | The memory alteration to be removed from the given set. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ResetAllocatedMemoryData | ( | ) |
Resets the internal data of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> regarding the memory region where it has injected its data. This method should be called whenever the target process is terminated or whenever the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> object needs to deallocate the memory it has allocated on the target process.
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetAllMemoryAlterationsActive | ( | bool | bActivate | ) |
Activates or deactivates all the memory alterations registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
bActivate | A flag specifying if the alterations should be activated or deactivated. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetCodeCaveDefinition | ( | TCodeCave | caveId, |
CodeCaveDefinition< TMemoryAlterationSetID, TCodeCave, TVariable > | definition | ||
) |
Updates the definition of a given code cave.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
caveId | The identifier of the code cave whose definition is to be updated. |
definition | An object representing the new definition of the given code cave. |
InstanceAlreadyInjectedException | Thrown when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>'s instance is already in "injected" state (this method must be called before that state is entered). |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetCodeCavesSeparationBytes | ( | params byte [] | byteSeq | ) |
Modifies the sequence of bytes used to separate two consecutive code caves.
byteSeq | The new sequence of bytes to use as a separator. This can be an empty array, but should not be null. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetMemoryAlterationsActive | ( | TMemoryAlterationSetID | memoryAlterationSetID, |
bool | bActivate | ||
) |
Activates or deactivates all the memory alterations registered for a given memory alterations set.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
bActivate | A flag specifying if the alterations should be activated or deactivated. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetTargetProcess | ( | Target | targetProc | ) |
Initializes or modifies the reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process.
targetProc | The object used for performing memory I/O operations on the target process. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetVariableDefinition | ( | TVariable | varId, |
VariableDefinition | definition | ||
) |
Updates the definition of a given injection variable.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
varId | The identifier of the injection variable whose definition is to be updated. |
definition | An object representing the new definition of the given injection variable. |
InstanceAlreadyInjectedException | Thrown when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>'s instance is already in "injected" state (this method must be called before that state is entered). |
UnsupportedDataTypeException | Thrown when the type of the |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetVariablesSectionSeparationBytes | ( | params byte [] | byteSeq | ) |
Modifies the sequence of bytes used to separate the injected code caves section from the injected variables section.
byteSeq | The new sequence of bytes to use as a separator. This can be an empty array, but should not be null. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.WriteVariableValue | ( | TVariable | variableID, |
object | newValue | ||
) |
Updates the value of a given variable into the target process' memory. This method is safe, as it checks the given variable's metadata against the given value's type to see if it matches the variable's type before updating the variable's value.
variableID | The identifier of the injected variable whose value is to be updated. |
newValue | The new value for the variable. |
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
InstanceNotAttachedException | Thrown when the Target instance has not been attached to a target process before the method is called. |
UnmatchedDataTypeException | Thrown when "newValue" does not match the injection variable's type. |
InjectionArtifactNotFoundException | Thrown when the variable has not been injected in the target process' memory space. This happens when the variable has no definition (VariableDefinition) registered for it with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.WriteX86BranchInstruction | ( | EX86BranchInstructionType | instructionType, |
MemoryAddress | branchPoint, | ||
MemoryAddress | targetAddress, | ||
int | instructionSize = X86Constants.INSTRUCTION_SIZE_ANY | ||
) |
Writes an x86 branch instruction at a specific point of the target process' memory space to enable the process' execution flow to be branched to another specific address.
instructionType | The specific type of branch instruction to be generated. |
branchPoint | The address of the target process' memory space where the branch instruction will be written. |
targetAddress | The address to where the target process' execution should be diverted. |
instructionSize | The size of the instruction that is going to be replaced by the branch instruction. This is used to fill the remaining bytes of the instruction with NOP opcodes, so that when the execution flows back from the branch instruction (if it ever does), nothing unexpected happens. If the size does not matter, X86Constants.INSTRUCTION_SIZE_ANY can be used. |
NullReferenceException | Thrown when the Target associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A Target instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(Target). |
InstanceNotAttachedException | Thrown when the Target instance has not been attached to a target process before the method is called. |
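The instructionSize behaviour described for WriteX86BranchInstruction leaves a recognisable byte pattern at a patched site: a branch instruction followed by NOP fill. As an added example (not RAMvader code), the Python below decodes such a site from a memory capture and flags branches whose destination lies outside every loaded module; the E9/E8 rel32 encodings, the 32-bit address width, and all sample bytes and addresses are assumptions constructed for illustration.

```python
import struct

NOP = 0x90
# Assumed encodings: 5-byte near relative JMP/CALL (the page does not name them).
BRANCH_OPCODES = {0xE9: "JMP rel32", 0xE8: "CALL rel32"}
BRANCH_LEN = 5


def decode_branch_patch(site_addr, original, current, addr_bits=32):
    """Describe a branch patch at site_addr, or return None if there is none.

    original: instruction bytes from the on-disk image
    current:  the same byte range read from the live process
    """
    if len(original) != len(current):
        raise ValueError("original and current must cover the same byte range")
    if current == original or len(current) < BRANCH_LEN:
        return None
    if current[0] not in BRANCH_OPCODES:
        return None
    # rel32 is signed and relative to the address of the next instruction.
    (rel32,) = struct.unpack_from("<i", current, 1)
    target = (site_addr + BRANCH_LEN + rel32) & ((1 << addr_bits) - 1)
    padding = current[BRANCH_LEN:]
    return {
        "kind": BRANCH_OPCODES[current[0]],
        "target": target,
        "nop_padding": len(padding),
        "padding_is_nop": all(b == NOP for b in padding),
    }


def classify(site_addr, original, current, module_ranges):
    """Label a site; a branch leaving all module images suggests a code cave."""
    patch = decode_branch_patch(site_addr, original, current)
    if patch is None:
        return "clean" if current == original else "modified-unknown"
    inside = any(lo <= patch["target"] < hi for lo, hi in module_ranges)
    return "redirect-inside-module" if inside else "redirect-to-unbacked-memory"


# Constructed sample: a 6-byte instruction at 0x00401000 replaced by a JMP to
# 0x02340000 plus one NOP; the only module image spans 0x00400000-0x00500000.
SITE = 0x00401000
ORIGINAL = bytes.fromhex("8b8e50010000")  # mov ecx, [esi+0x150]
PATCHED = b"\xe9" + struct.pack("<i", 0x02340000 - (SITE + BRANCH_LEN)) + b"\x90"
MODULES = [(0x00400000, 0x00500000)]

if __name__ == "__main__":
    print(decode_branch_patch(SITE, ORIGINAL, PATCHED))
    print(classify(SITE, ORIGINAL, PATCHED, MODULES))
```

Feeding it the on-disk bytes and the live bytes for each executable section offset turns the comparison into a simple integrity check for inline redirects.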
|
get |
Keeps the base address of the memory which was allocated for the target process. Backed by the m_baseInjectionAddress field.
|
get |
Indexer property used to access the code cave offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetCodeCaveOffset(TCodeCave) internally. Backed by the m_codeCaveOffset field.
|
get |
Indexer property used to access the address where a code cave has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedCodeCaveAddress(TCodeCave) internally. Backed by the m_injectedCodeCaveAddress field.
|
get |
Indexer property used to access the address where a variable has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedVariableAddress(TVariable) internally. Backed by the m_injectedVariableAddress field.
|
get |
A flag that is set to true whenever the Inject() (or Inject(MemoryAddress)) method is called and succeeds, and set to false whenever the ResetAllocatedMemoryData method gets called.
|
get |
The total number of required bytes to inject the code caves and variables into the target process' memory space, as calculated by a call to the method CalculateRequiredBytesCount.
|
get |
The object used to attach to the target process, so that the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> can perform I/O operations into the target process' memory. Backed by the m_targetProcess field.
|
get |
Indexer property used to access variable offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableOffset(TVariable) internally. Backed by the m_variableOffset field.
|
get |
Indexer property used to retrieve the size of a variable, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableSize(TVariable) internally. Backed by the m_variableSize field.