Akaion/Bleak: A Windows native DLL injection library written in C# that supports several methods of injection.
2019-07-18 15:21:40 Author: github.com(查看原文) 阅读量:444 收藏

Bleak

Build status

A Windows native DLL injection library written in C# that supports several methods of injection.


Injection Methods

  • CreateThread
  • HijackThread
  • Manual

Injection Extensions

  • EjectDll
  • HideDllFromPeb
  • RandomiseDllHeaders

Features

  • Optional randomise DLL name
  • WOW64 and x64 injection

Installation

  • Download and install Bleak using NuGet

Getting Started

After installing Bleak, you will want to ensure that your project is being compiled under AnyCPU or x64. This will ensure that you are able to inject into both WOW64 and x64 processes from the same project.


Usage

The example below describes a basic implementation of the library.

using Bleak;

var randomiseDllName = true;

using (var injector = new Injector(InjectionMethod.CreateThread, "processName", "dllPath", randomiseDllName))
{
    // Inject the DLL into the process

    var dllBaseAddress = injector.InjectDll();

    // Hide the injected DLL from the PEB

    injector.HideFromPeb();

    // Eject the DLL from the process

    injector.EjectDll();
}

Overloads

The first of these allows you to use a process ID instead of a process name.

var injector = new Injector(InjectionMethod, processId, "dllPath");

The second of these allows you to use a byte array representing a DLL instead of a DLL path.

var injector = new Injector(InjectionMethod, "processName", dllBytes);

Caveats

  • Injecting with a byte array will result in the provided DLL being written to disk in the temporary folder, unless the method of injection is Manual.

  • Injecting into a system process requires the program to be run in Administrator mode.

  • Manual injection only supports structured exception handling. This means that you cannot use vectored exception handling (C++ uses this) if you wish to use this method of injection.

  • x86 Manual injection relies on a PDB being present for ntdll.dll, and so, the first time this method is used with a x86 process, a PDB for ntdll.dll will be downloaded and cached in the temporary folder. Note that anytime your system updates, a new PDB version may need to be downloaded and re-cached in the temporary folder. This process make take a few seconds depending on your connection speed.


Contributing

Pull requests are welcome.

For large changes, please open an issue first to discuss what you would like to add.


文章来源: https://github.com/Akaion/Bleak
如有侵权请联系:admin#unsafe.sh