BlackBone
Windows memory hacking library
Inject.c File Reference
#include "Private.h"
#include "Routines.h"
#include "Loader.h"
#include <Ntstrsafe.h>

Macros

#define CODE_OFFSET       0x000
#define STRING_OFFSET     0x200
#define MOD_OFFSET        0x1F0
#define COMPLETE_OFFSET   0x1E0
#define CALL_COMPLETE     0xC0371E7E

Functions

PVOID BBGetWow64Code (IN PVOID LdrLoadDll, IN PUNICODE_STRING pPath)
    Build injection code for a wow64 process. Must be running in target process context.

PVOID BBGetNativeCode (IN PVOID LdrLoadDll, IN PUNICODE_STRING pPath)
    Build injection code for a native x64 process. Must be running in target process context.

NTSTATUS BBApcInject (IN PVOID pUserBuf, IN HANDLE pid, IN ULONG initRVA, IN PCWCHAR InitArg)
    Inject dll using APC. Must be running in target process context.

NTSTATUS BBLookupProcessThread (IN HANDLE pid, OUT PETHREAD *ppThread)
    Find first thread of the target process.

VOID KernelApcPrepareCallback (PKAPC, PKNORMAL_ROUTINE *, PVOID *, PVOID *, PVOID *)

VOID KernelApcInjectCallback (PKAPC, PKNORMAL_ROUTINE *, PVOID *, PVOID *, PVOID *)

VOID ApcWaitThread (IN PVOID pUserBuf)

NTSTATUS BBInjectDll (IN PINJECT_DLL pData)
    Inject dll into process.

NTSTATUS BBExecuteInNewThread (IN PVOID pBaseAddress, IN PVOID pParam, IN ULONG flags, IN BOOLEAN wait, OUT PNTSTATUS pExitStatus)
    Create new thread in the target process. Must be running in target process context.

NTSTATUS BBQueueUserApc (IN PETHREAD pThread, IN PVOID pUserFunc, IN PVOID Arg1)
    Send user-mode APC to the target thread.

Variables

DYNAMIC_DATA dynData
 

Macro Definition Documentation

#define CALL_COMPLETE   0xC0371E7E
#define CODE_OFFSET   0x000
#define COMPLETE_OFFSET   0x1E0
#define MOD_OFFSET   0x1F0
#define STRING_OFFSET   0x200

Function Documentation

VOID ApcWaitThread (IN PVOID pUserBuf)

NTSTATUS BBApcInject (IN PVOID pUserBuf, IN HANDLE pid, IN ULONG initRVA, IN PCWCHAR InitArg)

Inject dll using APC. Must be running in target process context.

Parameters
    pUserBuf - Injection code
    pid      - Target process ID
    initRVA  - Init routine RVA
    InitArg  - Init routine argument
Returns
    Status code
NTSTATUS BBExecuteInNewThread (IN PVOID pBaseAddress, IN PVOID pParam, IN ULONG flags, IN BOOLEAN wait, OUT PNTSTATUS pExitStatus)

Create new thread in the target process. Must be running in target process context.

Parameters
    pBaseAddress - Thread start address
    pParam       - Thread argument
    flags        - Thread creation flags
    wait         - If set to TRUE, wait for thread completion
    pExitStatus  - Thread exit status
Returns
    Status code
PVOID BBGetNativeCode (IN PVOID LdrLoadDll, IN PUNICODE_STRING pPath)

Build injection code for a native x64 process. Must be running in target process context.

Parameters
    LdrLoadDll - LdrLoadDll address
    pPath      - Path to the dll
Returns
    Code pointer. When no longer needed, it should be freed with ZwFreeVirtualMemory.
PVOID BBGetWow64Code (IN PVOID LdrLoadDll, IN PUNICODE_STRING pPath)

Build injection code for a wow64 process. Must be running in target process context.

Parameters
    LdrLoadDll - LdrLoadDll address
    pPath      - Path to the dll
Returns
    Code pointer. When no longer needed, it should be freed with ZwFreeVirtualMemory.
NTSTATUS BBInjectDll (IN PINJECT_DLL pData)

Inject dll into process.

Parameters
    pid   - Target PID
    pPath - Fully-qualified dll path
Returns
    Status code
NTSTATUS BBLookupProcessThread (IN HANDLE pid, OUT PETHREAD *ppThread)

Find first thread of the target process.

Parameters
    pid      - Target PID
    ppThread - Found thread. The thread object's reference count is increased by 1.
Returns
    Status code
NTSTATUS BBQueueUserApc (IN PETHREAD pThread, IN PVOID pUserFunc, IN PVOID Arg1)

Send user-mode APC to the target thread.

Parameters
    pThread   - Target thread
    pUserFunc - APC function
    Arg1      - Argument 1
Returns
    Status code
VOID KernelApcInjectCallback (PKAPC Apc, PKNORMAL_ROUTINE *NormalRoutine, PVOID *NormalContext, PVOID *SystemArgument1, PVOID *SystemArgument2)

VOID KernelApcPrepareCallback (PKAPC Apc, PKNORMAL_ROUTINE *NormalRoutine, PVOID *NormalContext, PVOID *SystemArgument1, PVOID *SystemArgument2)

Variable Documentation

DYNAMIC_DATA dynData