// ignore_for_file: non_constant_identifier_names import 'dart:ffi'; import 'package:win32/win32.dart'; import 'package:ffi/ffi.dart'; final _kernel32 = DynamicLibrary.open('kernel32.dll'); final _CreateRemoteThread = _kernel32.lookupFunction< IntPtr Function( IntPtr hProcess, Pointer lpThreadAttributes, IntPtr dwStackSize, Pointer loadLibraryAddress, Pointer lpParameter, Uint32 dwCreationFlags, Pointer lpThreadId), int Function( int hProcess, Pointer lpThreadAttributes, int dwStackSize, Pointer loadLibraryAddress, Pointer lpParameter, int dwCreationFlags, Pointer lpThreadId)>('CreateRemoteThread'); int CreateRemoteThread( int hProcess, Pointer lpThreadAttributes, int dwStackSize, Pointer loadLibraryAddress, Pointer lpParameter, int dwCreationFlags, Pointer lpThreadId) => _CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, loadLibraryAddress, lpParameter, dwCreationFlags, lpThreadId); Future injectDll(int pid, String dll) async { var process = OpenProcess( 0x43A, 0, pid ); var processAddress = GetProcAddress( GetModuleHandle("KERNEL32".toNativeUtf16()), "LoadLibraryA".toNativeUtf8() ); if (processAddress == nullptr) { throw Exception("Cannot get process address for pid $pid"); } var dllAddress = VirtualAllocEx( process, nullptr, dll.length + 1, 0x3000, 0x4 ); var writeMemoryResult = WriteProcessMemory( process, dllAddress, dll.toNativeUtf8(), dll.length, nullptr ); if (writeMemoryResult != 1) { throw Exception("Memory write failed"); } var createThreadResult = CreateRemoteThread( process, nullptr, 0, processAddress, dllAddress, 0, nullptr ); if (createThreadResult == -1) { throw Exception("Thread creation failed"); } var closeResult = CloseHandle(process); if(closeResult != 1){ throw Exception("Cannot close handle"); } }