RAMvader
1.3
A C# library which provides access to other processes' memory space.
Implements the logic behind the injection of code caves and variables into a target process' memory space.
Inherits RAMvader.NotifyPropertyChangedAdapter.
Public Member Functions | |
Injector () | |
Constructor. The constructor of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> class checks the code caves and variables for consistency, throwing an exception if there is any error found.
void | SetTargetProcess (RAMvaderTarget targetProc) |
Initializes or modifies the reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process.
RAMvaderTarget | GetTargetProcess () |
Retrieves the current reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process.
void | SetCodeCavesSeparationBytes (byte[] byteSeq) |
Modifies the sequence of bytes used to separate two consecutive code caves.
byte [] | GetCodeCavesSeparationBytes () |
Retrieves the sequence of bytes used to separate two consecutive code caves.
void | SetVariablesSectionSeparationBytes (byte[] byteSeq) |
Modifies the sequence of bytes used to separate the injected code caves section from the injected variables section.
byte [] | GetVariablesSectionSeparationBytes () |
Retrieves the sequence of bytes used to separate the injected code caves section from the injected variables section.
IntPtr | GetBaseInjectionAddress () |
Retrieves the address where the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> has injected its data on the target process.
int | GetCodeCaveOffset (TCodeCave codeCaveID) |
Retrieves the offset of a given code cave, relative to the base injection address into the target process' memory space.
AbsoluteMemoryAddress | GetInjectedCodeCaveAddress (TCodeCave codeCaveID) |
Retrieves the address of an injected code cave. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables.
byte [] | GetInjectedCodeCaveAddressAsBytes (TCodeCave codeCaveID) |
Retrieves the address of an injected code cave, represented as bytes stored in the target process' memory space.
int | GetVariableOffset (TVariable varID) |
Retrieves the offset of a given variable, relative to the base injection address into the target process' memory space.
AbsoluteMemoryAddress | GetInjectedVariableAddress (TVariable varID) |
Retrieves the address of an injected variable. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables.
byte [] | GetInjectedVariableAddressAsBytes (TVariable varID) |
Retrieves the address of an injected variable, represented as bytes stored in the target process' memory space.
int | GetVariableSize (TVariable varID) |
Retrieves the size of a given injection variable.
int | CalculateRequiredBytesCount () |
Calculates the total number of required bytes to inject the code caves and variables into the target process' memory space. This calculation takes into consideration the separation bytes between two consecutive code caves, the separation between the code caves section and the variables section and the size of each one of the injection variables.
void | AddMemoryAlteration (TMemoryAlterationSetID memoryAlterationSetID, MemoryAlterationBase memoryAlteration) |
Adds a memory alteration to the set of alterations related to a given identifier. Memory alteration sets are kept as a list, and this method adds a memory alteration to the end of this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier.
bool | RemoveMemoryAlteration (TMemoryAlterationSetID memoryAlterationSetID, MemoryAlterationBase memoryAlteration) |
Removes a memory alteration from the set of alterations related to a given identifier. Memory alteration sets are kept as a list, and this method removes a memory alteration from this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier.
IEnumerable< MemoryAlterationBase > | GetMemoryAlterations (TMemoryAlterationSetID memoryAlterationSetID) |
Returns an enumerable object containing all memory alterations registered for a given memory alteration set.
bool | SetMemoryAlterationsActive (TMemoryAlterationSetID memoryAlterationSetID, bool bActivate) |
Activates or deactivates all the memory alterations registered for a given memory alterations set.
bool | SetAllMemoryAlterationsActive (bool bActivate) |
Activates or deactivates all the memory alterations registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
CodeCaveBuilder< TMemoryAlterationSetID, TCodeCave, TVariable > | NewCodeCave () |
Instantiates a CodeCaveBuilder<TMemoryAlterationSetID, TCodeCave, TVariable> to allow for the creation of a new code cave that can be used with this Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
void | Inject () |
Allocates memory into the target process' memory space and injects the code caves and variables into that allocated memory.
void | Inject (MemoryAddress baseInjectionAddress) |
int | GetCurrentInjectionOffset () |
Called during the injection procedure to retrieve the number of bytes already generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs which need to use the current injection position, mainly to generate instructions such as NEAR/FAR JUMPs and CALLs.
IntPtr | GetCurrentInjectionAddress () |
void | ResetAllocatedMemoryData () |
Resets the internal data of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> regarding the memory region where it has injected its data. This method should be called whenever the target process is terminated or whenever the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> object needs to deallocate the memory it has allocated on the target process.
bool | WriteX86CallInstruction (MemoryAddress detourPoint, MemoryAddress targetAddress, int instructionSize) |
Writes an x86 CALL instruction at a specific point of the target process' memory space to enable the process' execution flow to be detoured to a specific address.
bool | WriteX86NearJumpInstruction (EJumpInstructionType jumpInstructionType, MemoryAddress detourPoint, MemoryAddress targetAddress, int instructionSize) |
Writes an x86 NEAR JUMP instruction at a specific point of the target process' memory space to enable the process' execution flow to be detoured to a specific address.
bool | WriteX86FarJumpInstruction (EJumpInstructionType jumpInstructionType, MemoryAddress detourPoint, MemoryAddress targetAddress, int instructionSize) |
Writes an x86 FAR JUMP instruction at a specific point of the target process' memory space to enable the process' execution flow to be detoured to a specific address.
bool | WriteVariableValue (TVariable variableID, object newValue) |
Updates the value of a given variable into the target process' memory. This method is safe, as it checks the given variable's metadata against the given value's type to see if it matches the variable's type before updating the variable's value.
bool | ReadVariableValue< T > (TVariable variableID, ref T outDestiny) |
Reads the current value of a given variable from the target process' memory. This method is safe, as it checks the given variable's metadata against the given output variable's type to see if it matches the injected variable's type before reading the output value.
void | SetCodeCaveDefinition (TCodeCave caveId, CodeCaveDefinition< TMemoryAlterationSetID, TCodeCave, TVariable > definition) |
void | SetVariableDefinition (TVariable varId, VariableDefinition definition) |
CodeCaveDefinition< TMemoryAlterationSetID, TCodeCave, TVariable > | GetCodeCaveDefinition (TCodeCave caveId) |
Retrieves the definition of the given code cave, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any.
VariableDefinition | GetVariableDefinition (TVariable varId) |
Retrieves the definition of the given injection variable, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any.
bool | ClearCodeCaveDefinition (TCodeCave caveId) |
bool | ClearVariableDefinition (TVariable varId) |
void | ClearAllCodeCaveDefinitions () |
void | ClearAllVariableDefinitions () |
Static Public Member Functions | |
static byte [] | GetX86CallOpcode (MemoryAddress callInstructionAddress, MemoryAddress targetCallAddress, int instructionSize=LowLevel.INSTRUCTION_SIZE_x86_CALL, EEndianness endianness=EEndianness.evEndiannessDefault, EPointerSize pointerSize=EPointerSize.evPointerSizeDefault, EDifferentPointerSizeError diffPointerSizeError=EDifferentPointerSizeError.evThrowException) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to a 32-bit CALL instruction. 64-bit CALL instructions are currently not supported by the RAMvader library.
static byte [] | GetX86NearJumpOpcode (EJumpInstructionType jumpInstructionType, MemoryAddress jumpInstructionAddress, MemoryAddress targetJumpAddress, int instructionSize=LowLevel.INSTRUCTION_SIZE_x86_NEAR_JUMP, EPointerSize pointerSize=EPointerSize.evPointerSizeDefault) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to a 32-bit NEAR JUMP instruction. 64-bit JUMP instructions are currently not supported by the RAMvader library.
static byte [] | GetX86FarJumpOpcode (EJumpInstructionType jumpInstructionType, MemoryAddress jumpInstructionAddress, MemoryAddress targetJumpAddress, int instructionSize=LowLevel.INSTRUCTION_SIZE_x86_FAR_JUMP, EEndianness endianness=EEndianness.evEndiannessDefault, EPointerSize pointerSize=EPointerSize.evPointerSizeDefault, EDifferentPointerSizeError diffPointerSizeError=EDifferentPointerSizeError.evThrowException) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to an x86 FAR JUMP instruction. 64-bit JUMP instructions are currently not supported by the RAMvader library.
Properties | |
IntPtr | BaseInjectionAddress [get] |
Keeps the base address of the memory which was allocated for the target process. Backed by the m_baseInjectionAddress field.
bool | IsInjected [get] |
A flag that is set to true whenever the Inject() (or Inject(MemoryAddress)) method is called and succeeds, and set to false whenever the ResetAllocatedMemoryData method gets called.
RAMvaderTarget | TargetProcess [get] |
The object used to attach to the target process, so that the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> can perform I/O operations into the target process' memory. Backed by the m_targetProcess field.
int | RequiredBytesCount [get] |
The total number of required bytes to inject the code caves and variables into the target process' memory space, as calculated by a call to the method CalculateRequiredBytesCount.
NestedPropertyIndexerCodeCaveOffset | CodeCaveOffset [get] |
Indexer property used to access the code cave offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetCodeCaveOffset(TCodeCave) internally. Backed by the m_codeCaveOffset field.
NestedPropertyIndexerInjectedCodeCaveAddress | InjectedCodeCaveAddress [get] |
Indexer property used to access the address where a code cave has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedCodeCaveAddress(TCodeCave) internally. Backed by the m_injectedCodeCaveAddress field.
NestedPropertyIndexerVariableOffset | VariableOffset [get] |
Indexer property used to access variable offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableOffset(TVariable) internally. Backed by the m_variableOffset field.
NestedPropertyIndexerInjectedVariableAddress | InjectedVariableAddress [get] |
Indexer property used to access the address where a variable has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedVariableAddress(TVariable) internally. Backed by the m_injectedVariableAddress field.
NestedPropertyIndexerVariableSize | VariableSize [get] |
Indexer property used to retrieve the size of a variable, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableSize(TVariable) internally. Backed by the m_variableSize field.
Additional Inherited Members | |
void | SendPropertyChangedNotification ([CallerMemberName] string propertyName="") |
This method should be called inside PROPERTY SETTER METHODS to notify listeners of the "property changed" event that the property has been updated.
PropertyChangedEventHandler | PropertyChanged |
Used for implementing the INotifyPropertyChanged interface.
Implements the logic behind the injection of code caves and variables into a target process' memory space.
TMemoryAlterationSetID | An enumerated type which specifies the identifiers for Memory Alteration Sets that can be enabled or disabled into the target process' memory space. |
TCodeCave | An enumerated type which specifies the identifiers for code caves. |
TVariable | An enumerated type which specifies the identifiers for variables to be injected at the target process. |
RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.Injector | ( | ) |
Constructor. The constructor of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> class checks the code caves and variables for consistency, throwing an exception if there is any error found.
UnsupportedDataTypeException | Thrown if any of the injection variables (enumerators of the type TVariable ) has a data type that is not supported by the RAMvader library. |
InjectorGenericParametersException | Thrown in cases where there are any errors with the generic types defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. The types TMemoryAlterationSetID , TCodeCave and TVariable MUST be enumerations. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.AddMemoryAlteration | ( | TMemoryAlterationSetID | memoryAlterationSetID, |
MemoryAlterationBase | memoryAlteration | ||
) |
Adds a memory alteration to the set of alterations related to a given identifier. Memory alteration sets are kept as a list, and this method adds a memory alteration to the end of this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
memoryAlteration | An object representing the memory alteration that should be added to the given set. |
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.CalculateRequiredBytesCount | ( | ) |
Calculates the total number of required bytes to inject the code caves and variables into the target process' memory space. This calculation takes into consideration the separation bytes between two consecutive code caves, the separation between the code caves section and the variables section and the size of each one of the injection variables.
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearAllCodeCaveDefinitions | ( | ) |
Clears the definition of all code caves, effectively making all of them "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the code caves from being injected in the target process' memory space - as their definition will be voided - until they get redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearAllVariableDefinitions | ( | ) |
Clears the definition of all injection variables, effectively making all of them "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the injection variables from being injected in the target process' memory space - as their definition will be voided - until they get redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearCodeCaveDefinition | ( | TCodeCave | caveId | ) |
Clears the definition of a specific code cave, effectively making it "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the code cave from being injected in the target process' memory space - as its definition will be voided - until it gets redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
caveId | The code cave whose definition will be cleared. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ClearVariableDefinition | ( | TVariable | varId | ) |
Clears the definition of a specific injection variable, effectively making it "undefined" for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
Calling this will prevent the injection variable from being injected in the target process' memory space - as its definition will be voided - until it gets redefined/updated.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
varId | The injection variable whose definition will be cleared. |
IntPtr RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetBaseInjectionAddress | ( | ) |
Retrieves the address where the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> has injected its data on the target process.
CodeCaveDefinition<TMemoryAlterationSetID, TCodeCave, TVariable> RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCodeCaveDefinition | ( | TCodeCave | caveId | ) |
Retrieves the definition of the given code cave, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any.
caveId | The identifier of the code cave whose definition is to be retrieved. |
In case of failure, returns
.
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCodeCaveOffset | ( | TCodeCave | codeCaveID | ) |
Retrieves the offset of a given code cave, relative to the base injection address into the target process' memory space.
codeCaveID | The identifier of the code cave. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCodeCavesSeparationBytes | ( | ) |
Retrieves the sequence of bytes used to separate two consecutive code caves.
IntPtr RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCurrentInjectionAddress | ( | ) |
Called during the injection procedure to retrieve the address right after the last byte generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs which need to use the current injection position, mainly to generate instructions such as NEAR/FAR JUMPs and CALLs.
The return value of this method is effectively the sum of BaseInjectionAddress with the return value of the GetCurrentInjectionOffset method.
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetCurrentInjectionOffset | ( | ) |
Called during the injection procedure to retrieve the number of bytes already generated by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> instance. This method is called by lower APIs which need to use the current injection position, mainly to generate instructions such as NEAR/FAR JUMPs and CALLs.
If the injection procedure hasn't started yet, or the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> finds itself in "not injected" state, the return value is zero.
If this method is called after a successful injection procedure, the return value is the total number of injected bytes (which is effectively the same result of calling CalculateRequiredBytesCount).
If this method is called during the injection procedure (which is usually done when processing CodeCaveArtifact<TMemoryAlterationSetID, TCodeCave, TVariable> objects that compose the code caves to be injected), the return value is the total number of bytes that have been injected so far by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
AbsoluteMemoryAddress RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedCodeCaveAddress | ( | TCodeCave | codeCaveID | ) |
Retrieves the address of an injected code cave. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables.
codeCaveID | The identifier of the target code cave. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedCodeCaveAddressAsBytes | ( | TCodeCave | codeCaveID | ) |
Retrieves the address of an injected code cave, represented as bytes stored in the target process' memory space.
codeCaveID | The identifier of the target code cave. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
AbsoluteMemoryAddress RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedVariableAddress | ( | TVariable | varID | ) |
Retrieves the address of an injected variable. This method should only be called after a base injection address has been defined for the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to Inject code caves and variables.
varID | The identifier of the target variable. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetInjectedVariableAddressAsBytes | ( | TVariable | varID | ) |
Retrieves the address of an injected variable, represented as bytes stored in the target process' memory space.
varID | The identifier of the target variable. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
IEnumerable<MemoryAlterationBase> RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetMemoryAlterations | ( | TMemoryAlterationSetID | memoryAlterationSetID | ) |
Returns an enumerable object containing all memory alterations registered for a given memory alteration set.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
RAMvaderTarget RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetTargetProcess | ( | ) |
Retrieves the current reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process.
VariableDefinition RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariableDefinition | ( | TVariable | varId | ) |
Retrieves the definition of the given injection variable, that has been registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>, if any.
varId | The identifier of the injection variable whose definition is to be retrieved. |
In case of failure, returns
.
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariableOffset | ( | TVariable | varID | ) |
Retrieves the offset of a given variable, relative to the base injection address into the target process' memory space.
varID | The identifier of the variable whose offset is to be retrieved. |
InjectionArtifactNotFoundException | Thrown when the artifact (injection variable or code cave) could not be found by the method. |
int RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariableSize | ( | TVariable | varID | ) |
Retrieves the size of a given injection variable.
varID | The identifier of the variable whose size is to be retrieved. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetVariablesSectionSeparationBytes | ( | ) |
Retrieves the sequence of bytes used to separate the injected code caves section from the injected variables section.
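static byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetX86CallOpcode | ( | MemoryAddress callInstructionAddress, MemoryAddress targetCallAddress, int instructionSize=LowLevel.INSTRUCTION_SIZE_x86_CALL, EEndianness endianness=EEndianness.evEndiannessDefault, EPointerSize pointerSize=EPointerSize.evPointerSizeDefault, EDifferentPointerSizeError diffPointerSizeError=EDifferentPointerSizeError.evThrowException | ) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to a 32-bit CALL instruction. 64-bit CALL instructions are currently not supported by the RAMvader library.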
callInstructionAddress | The address of the CALL instruction itself. |
targetCallAddress | The address which should be called by the CALL instruction. |
instructionSize | When replacing an instruction in a target process' memory space by a CALL instruction, this parameter specifies the size of the instruction to be replaced. If this size is larger than the size of a CALL instruction, the remaining bytes are filled with NOP opcodes in the returned bytes sequence, so that the CALL instruction might replace other instructions while keeping the consistency of its surrounding instructions when a RET instruction is used to return from the CALL. |
endianness | The endianness to be used for the offset of the CALL opcode. |
pointerSize | The size of pointer to be used for the offset of the CALL opcode. |
diffPointerSizeError | The policy for handling errors regarding different sizes of pointers between RAMvader process' pointers and the pointers size defined by the "pointerSize" parameter. |
InstructionTooLargeException | Thrown when the given instruction size is less than the size required to generate the instruction. |
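static byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetX86FarJumpOpcode | ( | EJumpInstructionType jumpInstructionType, MemoryAddress jumpInstructionAddress, MemoryAddress targetJumpAddress, int instructionSize=LowLevel.INSTRUCTION_SIZE_x86_FAR_JUMP, EEndianness endianness=EEndianness.evEndiannessDefault, EPointerSize pointerSize=EPointerSize.evPointerSizeDefault, EDifferentPointerSizeError diffPointerSizeError=EDifferentPointerSizeError.evThrowException | ) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to an x86 FAR JUMP instruction. 64-bit JUMP instructions are currently not supported by the RAMvader library.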
jumpInstructionType | The specific type of jump instruction to be generated. |
jumpInstructionAddress | The address of the JUMP instruction itself. |
targetJumpAddress | The address to which the JUMP instruction should jump. |
instructionSize | When replacing an instruction in a target process' memory space by a JUMP instruction, this parameter specifies the size of the instruction to be replaced. If this size is larger than the size of a JUMP instruction, the remaining bytes are filled with NOP opcodes in the returned bytes sequence, so that the JUMP instruction might replace other instructions while keeping the consistency of its surrounding instructions when the flow of code returns from the jump (if that ever happens). |
endianness | The endianness to be used for the offset of the JUMP opcode. |
pointerSize | The size of pointer to be used for the offset of the JUMP opcode. |
diffPointerSizeError | The policy for handling errors regarding different sizes of pointers between RAMvader process' pointers and the pointers size defined by the "pointerSize" parameter. |
IllegalInstructionGenerationException | Thrown when the instruction cannot be generated, because the generated instruction would be illegal. |
InstructionTooLargeException | Thrown when the given instruction size is less than the size required to generate the instruction. |
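static byte [] RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.GetX86NearJumpOpcode | ( | EJumpInstructionType jumpInstructionType, MemoryAddress jumpInstructionAddress, MemoryAddress targetJumpAddress, int instructionSize=LowLevel.INSTRUCTION_SIZE_x86_NEAR_JUMP, EPointerSize pointerSize=EPointerSize.evPointerSizeDefault | ) |
Utility method for retrieving a sequence of bytes which represent the machine-level opcode corresponding to a 32-bit NEAR JUMP instruction. 64-bit JUMP instructions are currently not supported by the RAMvader library.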
jumpInstructionType | The specific type of jump instruction to be generated. |
jumpInstructionAddress | The address of the JUMP instruction itself. |
targetJumpAddress | The address to which the JUMP instruction should jump. |
instructionSize | When replacing an instruction in a target process' memory space by a JUMP instruction, this parameter specifies the size of the instruction to be replaced. If this size is larger than the size of a JUMP instruction, the remaining bytes are filled with NOP opcodes in the returned bytes sequence, so that the JUMP instruction might replace other instructions while keeping the consistency of its surrounding instructions when the flow of code returns from the jump (if that ever happens). |
pointerSize | The size of pointer to be used for the offset of the JUMP opcode. |
IllegalInstructionGenerationException | Thrown when the instruction cannot be generated, because the generated instruction would be illegal. |
InstructionTooLargeException | Thrown when the given instruction size is less than the size required to generate the instruction. |
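Seen from the detection side, the CALL and NEAR JUMP sequences described above leave a recognizable pattern: a 5-byte rel32 transfer, optional NOP fill up to the replaced instruction size, and a target outside the module's own image. The C code below is an added example, not part of RAMvader; it assumes the standard `E8`/`E9` rel32 encodings and `0x90` NOP bytes, and every name, address and sample byte in it is constructed for illustration.

```c
/* Added example (not RAMvader code): spot rel32 CALL/JMP detours in 32-bit x86 code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard x86 encodings; assumed to be what a detour writer emits. */
enum { OP_CALL_REL32 = 0xE8, OP_JMP_REL32 = 0xE9, OP_NOP = 0x90, REL32_INSN_SIZE = 5 };

typedef enum { DETOUR_NONE, DETOUR_CALL, DETOUR_JMP } detour_kind;

typedef struct {
    detour_kind kind;     /* DETOUR_NONE when the bytes are not a rel32 CALL/JMP */
    uint32_t    target;   /* absolute destination of the control transfer */
    size_t      nop_pad;  /* NOP bytes directly after the 5-byte instruction */
    int         external; /* 1 when target is outside [image_base, image_base + image_size) */
} detour_info;

/* Decode the bytes found at `addr` and report where they transfer control. */
detour_info decode_detour(const uint8_t *code, size_t len, uint32_t addr,
                          uint32_t image_base, uint32_t image_size)
{
    detour_info info = { DETOUR_NONE, 0, 0, 0 };

    if (code == NULL || len < REL32_INSN_SIZE)
        return info;                      /* truncated read: nothing to decode */
    if (code[0] == OP_CALL_REL32)
        info.kind = DETOUR_CALL;
    else if (code[0] == OP_JMP_REL32)
        info.kind = DETOUR_JMP;
    else
        return info;

    /* rel32 is little-endian and relative to the address of the NEXT instruction. */
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    info.target = addr + (uint32_t)REL32_INSN_SIZE + rel;  /* wraps mod 2^32 */

    /* NOP fill used when the replaced instructions were longer than 5 bytes. */
    for (size_t i = REL32_INSN_SIZE; i < len && code[i] == OP_NOP; i++)
        info.nop_pad++;

    /* Unsigned subtraction also catches targets below image_base. */
    info.external = (uint32_t)(info.target - image_base) >= image_size;
    return info;
}

/* Integrity check: in-memory bytes differ from the on-disk bytes AND now
 * transfer control out of the module's image. */
int is_patched_detour(const uint8_t *disk, const uint8_t *mem, size_t len,
                      uint32_t addr, uint32_t image_base, uint32_t image_size)
{
    if (disk == NULL || mem == NULL || memcmp(disk, mem, len) == 0)
        return 0;
    detour_info info = decode_detour(mem, len, addr, image_base, image_size);
    return info.kind != DETOUR_NONE && info.external;
}

/* Constructed sample data: one 7-byte site at a made-up address. */
#define SAMPLE_ADDR       0x00401000u
#define SAMPLE_IMAGE_BASE 0x00400000u
#define SAMPLE_IMAGE_SIZE 0x00010000u
/* push ebp; mov ebp,esp; sub esp,0x10; push ebx */
static const uint8_t DISK_BYTES[7]   = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53 };
/* call 0x00A50000 (outside the image) + 2 NOPs */
static const uint8_t MEM_HOOKED[7]   = { 0xE8, 0xFB, 0xEF, 0x64, 0x00, 0x90, 0x90 };
/* jmp 0x00400F00 (inside the image) + 2 NOPs */
static const uint8_t MEM_INTERNAL[7] = { 0xE9, 0xFB, 0xFE, 0xFF, 0xFF, 0x90, 0x90 };

int main(void)
{
    const uint8_t *views[] = { DISK_BYTES, MEM_HOOKED, MEM_INTERNAL };
    const char *names[]    = { "unmodified", "external call", "internal jmp" };

    for (size_t i = 0; i < 3; i++) {
        detour_info d = decode_detour(views[i], 7, SAMPLE_ADDR,
                                      SAMPLE_IMAGE_BASE, SAMPLE_IMAGE_SIZE);
        printf("%-14s kind=%d target=0x%08lX nops=%zu flagged=%d\n",
               names[i], (int)d.kind, (unsigned long)d.target, d.nop_pad,
               is_patched_detour(DISK_BYTES, views[i], 7, SAMPLE_ADDR,
                                 SAMPLE_IMAGE_BASE, SAMPLE_IMAGE_SIZE));
    }
    return 0;
}
```

A site is flagged only when it both differs from the on-disk bytes and leaves the image, so ordinary intra-module calls and jumps are not reported.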
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.Inject | ( | ) |
Allocates memory into the target process' memory space and injects the code caves and variables into that allocated memory.
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
InstanceNotAttachedException | Thrown when the RAMvaderTarget instance has not been attached to a target process before the method is called. |
VirtualMemoryAllocationException | Thrown when the method cannot allocate virtual memory in the target process' memory space, to inject the data in the target process. Some software might implement security schemes that prevent you from allocating virtual memory on them, which in turn might require you to use manual injection of data (see Inject(MemoryAddress)). |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.Inject | ( | MemoryAddress | baseInjectionAddress | ) |
Injects the code caves and variables into the target process' memory space. This overloaded version of the Inject() method can be used to inject the code caves into a specific point of the target process' memory space. Notice, though, that for the code caves to work correctly, they need to be injected into a memory region with appropriate permissions. Those are usually READ+WRITE+EXECUTE permissions (READ+WRITE for injected variables and EXECUTE for allowing the target process to execute the code caves). If you need to calculate the total number of bytes required by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to inject the code caves and variables, see CalculateRequiredBytesCount.
Notice that you should not use the InjectedCodeCaveMemoryAddress<TMemoryAlterationSetID, TCodeCave, TVariable> and InjectedVariableMemoryAddress<TMemoryAlterationSetID, TCodeCave, TVariable> classes to specify the injection point for this method, because for these classes to solve the right base address, they would require a previous injection to have happened already.
baseInjectionAddress | The address - into the target process' memory space - where the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> will inject the code caves and variables. A value of "IntPtr.Zero" will cause the method to exit without any effect on the target process' memory space. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
InstanceNotAttachedException | Thrown when the RAMvaderTarget instance has not been attached to a target process before the method is called. |
RequiredWriteException | Thrown when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> fails to write the injection data in the target process' memory space. |
CodeCaveBuilder<TMemoryAlterationSetID,TCodeCave,TVariable> RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.NewCodeCave | ( | ) |
Instantiates a CodeCaveBuilder<TMemoryAlterationSetID, TCodeCave, TVariable> to allow for the creation of a new code cave that can be used with this Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ReadVariableValue< T > | ( | TVariable | variableID, |
ref T | outDestiny | ||
) |
Reads the current value of a given variable from the target process' memory. This method is safe, as it checks the given variable's metadata against the given output variable's type to see if it matches the injected variable's type before reading the output value.
T | The type of the variable to be read, which must match the type of the injected variable. |
variableID | The identifier of the variable whose value is to be read from the target process' memory space. |
outDestiny | The result of the reading will be stored in this variable. The referenced variable's data must be of the same type as declared for the variable defined in parameter variableID. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
InstanceNotAttachedException | Thrown when the RAMvaderTarget instance has not been attached to a target process before the method is called. |
InjectionArtifactNotFoundException | Thrown when the variable has not been injected in the target process' memory space. This happens when the variable has no definition (VariableDefinition) registered for it with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.RemoveMemoryAlteration | ( | TMemoryAlterationSetID | memoryAlterationSetID, |
MemoryAlterationBase | memoryAlteration | ||
) |
Removes a memory alteration from the set of alterations related to a given identifier. Memory alteration sets are kept in a list, and this method removes a memory alteration from this list. The elements of a set of memory alterations are enabled/disabled in the order they get added to the list. You can then call SetMemoryAlterationsActive(TMemoryAlterationSetID, bool) to enable or disable the whole set of alterations related to an identifier.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
memoryAlteration | The memory alteration to be removed from the given set. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.ResetAllocatedMemoryData | ( | ) |
Resets the internal data of the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> regarding the memory region where it has injected its data. This method should be called whenever the target process is terminated or whenever the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> object needs to deallocate the memory it has allocated on the target process.
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetAllMemoryAlterationsActive | ( | bool | bActivate | ) |
Activates or deactivates all the memory alterations registered with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.
bActivate | A flag specifying if the alterations should be activated or deactivated. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetCodeCaveDefinition | ( | TCodeCave | caveId, |
CodeCaveDefinition< TMemoryAlterationSetID, TCodeCave, TVariable > | definition | ||
) |
Updates the definition of a given code cave.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
caveId | The identifier of the code cave whose definition is to be updated. |
definition | An object representing the new definition of the given code cave. |
InstanceAlreadyInjectedException | Thrown when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>'s instance is already in "injected" state (this method must be called before that state is entered). |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetCodeCavesSeparationBytes | ( | byte [] | byteSeq | ) |
Modifies the sequence of bytes used to separate two consecutive code caves.
byteSeq | The new sequence of bytes to use as a separator. This can be an empty array, but should not be null. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetMemoryAlterationsActive | ( | TMemoryAlterationSetID | memoryAlterationSetID, |
bool | bActivate | ||
) |
Activates or deactivates all the memory alterations registered for a given memory alterations set.
memoryAlterationSetID | The identifier that identifies the set of alterations that can be enabled/disabled all at once. |
bActivate | A flag specifying if the alterations should be activated or deactivated. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetTargetProcess | ( | RAMvaderTarget | targetProc | ) |
Initializes or modifies the reference to the object used by the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> to perform write operations to the target process' memory. The Injector<TMemoryAlterationSetID, TCodeCave, TVariable> also uses this object to know the endianness and pointer size of the target process.
targetProc | The object used for performing memory I/O operations on the target process. |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetVariableDefinition | ( | TVariable | varId, |
VariableDefinition | definition | ||
) |
Updates the definition of a given injection variable.
Currently, the definitions of code caves and injection variables can only be updated when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> is in the "not injected" state.
varId | The identifier of the injection variable whose definition is to be updated. |
definition | An object representing the new definition of the given injection variable. |
InstanceAlreadyInjectedException | Thrown when the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>'s instance is already in "injected" state (this method must be called before that state is entered). |
UnsupportedDataTypeException | Thrown when the type of the |
void RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.SetVariablesSectionSeparationBytes | ( | byte [] | byteSeq | ) |
Modifies the sequence of bytes used to separate the injected code caves section from the injected variables section.
byteSeq | The new sequence of bytes to use as a separator. This can be an empty array, but should not be null. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.WriteVariableValue | ( | TVariable | variableID, |
object | newValue | ||
) |
Updates the value of a given variable into the target process' memory. This method is safe, as it checks the given variable's metadata against the given value's type to see if it matches the variable's type before updating the variable's value.
variableID | The identifier of the injected variable whose value is to be updated. |
newValue | The new value for the variable. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
InstanceNotAttachedException | Thrown when the RAMvaderTarget instance has not been attached to a target process before the method is called. |
UnmatchedDataTypeException | Thrown when "newValue" does not match the injection variable's type. |
InjectionArtifactNotFoundException | Thrown when the variable has not been injected in the target process' memory space. This happens when the variable has no definition (VariableDefinition) registered for it with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable>. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.WriteX86CallInstruction | ( | MemoryAddress | detourPoint, |
MemoryAddress | targetAddress, | ||
int | instructionSize | ||
) |
Writes an x86 CALL instruction at a specific point of the target process' memory space to enable the process' execution flow to be detoured to a specific address.
detourPoint | The address of the target process' memory space where the CALL instruction will be written. |
targetAddress | The address to which the target process' execution should be diverted. |
instructionSize | The size of the instruction that is going to be replaced by the CALL instruction. This is used to fill the remaining bytes of the instruction with NOP opcodes, so that when the execution flows back from the CALL instruction, nothing unexpected happens. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
InstanceNotAttachedException | Thrown when the RAMvaderTarget instance has not been attached to a target process before the method is called. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.WriteX86FarJumpInstruction | ( | EJumpInstructionType | jumpInstructionType, |
MemoryAddress | detourPoint, | ||
MemoryAddress | targetAddress, | ||
int | instructionSize | ||
) |
Writes an x86 FAR JUMP instruction at a specific point of the target process' memory space to enable the process' execution flow to be detoured to a specific address.
jumpInstructionType | The specific type of jump instruction to be written. |
detourPoint | The address of the target process' memory space where the JUMP instruction will be written. |
targetAddress | The address to which the target process' execution should be diverted. |
instructionSize | The size of the instruction that is going to be replaced by the JUMP instruction. This is used to fill the remaining bytes of the instruction with NOP opcodes, to keep the other instructions' balance unaffected by the new jump instruction. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
InstanceNotAttachedException | Thrown when the RAMvaderTarget instance has not been attached to a target process before the method is called. |
bool RAMvader.CodeInjection.Injector< TMemoryAlterationSetID, TCodeCave, TVariable >.WriteX86NearJumpInstruction | ( | EJumpInstructionType | jumpInstructionType, |
MemoryAddress | detourPoint, | ||
MemoryAddress | targetAddress, | ||
int | instructionSize | ||
) |
Writes an x86 NEAR JUMP instruction at a specific point of the target process' memory space to enable the process' execution flow to be detoured to a specific address.
jumpInstructionType | The specific type of jump instruction to be written. |
detourPoint | The address of the target process' memory space where the JUMP instruction will be written. |
targetAddress | The address to which the target process' execution should be diverted. |
instructionSize | The size of the instruction that is going to be replaced by the JUMP instruction. This is used to fill the remaining bytes of the instruction with NOP opcodes, to keep the other instructions' balance unaffected by the new jump instruction. |
NullReferenceException | Thrown when the RAMvaderTarget associated with the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> hasn't been set. A RAMvaderTarget instance can be associated to an Injector<TMemoryAlterationSetID, TCodeCave, TVariable> by calling the method Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.SetTargetProcess(RAMvaderTarget). |
InstanceNotAttachedException | Thrown when the RAMvaderTarget instance has not been attached to a target process before the method is called. |
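The JUMP/CALL generation and Write* methods above leave a recognisable pattern in the target's code: a branch with a 32-bit relative offset followed by NOP fill. The Python example below is added here and is not part of the RAMvader library or its documentation; it compares a trusted copy of a code range with the bytes read from memory and decodes any such patch. The byte strings, addresses and image range are constructed, and the encodings handled (E9, E8, 0F 8x) are the standard 32-bit x86 rel32 forms, an assumption about what the library emits rather than something taken from its source.

```python
import struct

NOP = 0x90

def decode_detour(code: bytes, address: int):
    """Decode a 32-bit rel32 JMP, CALL or Jcc located at `address`.

    Returns (kind, target, length), or None if `code` starts with anything else.
    """
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):
        kind, length, rel_at = ("jmp" if code[0] == 0xE9 else "call"), 5, 1
    elif len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        kind, length, rel_at = "jcc", 6, 2
    else:
        return None
    rel = struct.unpack_from("<i", code, rel_at)[0]  # signed, little-endian
    # rel32 counts from the end of the instruction; wrap to a 32-bit address.
    return kind, (address + length + rel) & 0xFFFFFFFF, length


def find_detours(original: bytes, current: bytes, base: int, image: range):
    """Report every place where `current` differs from `original`.

    `original` is a trusted copy of the code (e.g. from the file on disk),
    `current` the same range read from memory, `image` the module's address range.
    """
    findings, i, n = [], 0, min(len(original), len(current))
    while i < n:
        if original[i] == current[i]:
            i += 1
            continue
        decoded = decode_detour(current[i:n], base + i)
        if decoded is None:  # changed byte that is not a rel32 branch
            findings.append({"address": base + i, "kind": "unknown"})
            i += 1
            continue
        kind, target, length = decoded
        pad = 0  # NOP fill written over the rest of the replaced instruction(s)
        while (i + length + pad < n and current[i + length + pad] == NOP
               and original[i + length + pad] != NOP):
            pad += 1
        findings.append({"address": base + i, "kind": kind, "target": target,
                         "nop_padding": pad, "outside_image": target not in image})
        i += length + pad
    return findings


# Constructed sample: three MOVs and a RET at 0x00401000, then the same bytes
# after the first two instructions (6 bytes) were replaced by JMP rel32 + NOP.
BASE = 0x00401000
IMAGE = range(0x00400000, 0x00420000)
ORIGINAL = bytes.fromhex("8b4508 8945fc 8b4d0c c3")
PATCHED = bytes.fromhex("e9fbef6402 90 8b4d0c c3")

if __name__ == "__main__":
    for f in find_detours(ORIGINAL, PATCHED, BASE, IMAGE):
        print({k: hex(v) if k in ("address", "target") else v for k, v in f.items()})
```

A branch whose target lies outside the module's image, as in the sample, points at separately allocated memory, which is where injected code caves live.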
|
get |
Keeps the base address of the memory which was allocated for the target process. Backed by the m_baseInjectionAddress field.
|
get |
Indexer property used to access the code cave offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetCodeCaveOffset(TCodeCave) internally. Backed by the m_codeCaveOffset field.
|
get |
Indexer property used to access the address where a code cave has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedCodeCaveAddress(TCodeCave) internally. Backed by the m_injectedCodeCaveAddress field.
|
get |
Indexer property used to access the address where a variable has been injected, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetInjectedVariableAddress(TVariable) internally. Backed by the m_injectedVariableAddress field.
|
get |
A flag that is set to true whenever the Inject() (or Inject(MemoryAddress)) method is called and succeeds, and set to false whenever the ResetAllocatedMemoryData method gets called.
|
get |
The total number of required bytes to inject the code caves and variables into the target process' memory space, as calculated by a call to the method CalculateRequiredBytesCount.
|
get |
The object used to attach to the target process, so that the Injector<TMemoryAlterationSetID, TCodeCave, TVariable> can perform I/O operations into the target process' memory. Backed by the m_targetProcess field.
|
get |
Indexer property used to access variable offsets, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableOffset(TVariable) internally. Backed by the m_variableOffset field.
|
get |
Indexer property used to retrieve the size of a variable, usually for WPF Binding purposes. Calls Injector<TMemoryAlterationSetID, TCodeCave, TVariable>.GetVariableSize(TVariable) internally. Backed by the m_variableSize field.