[C#][.NET 4.0][DLL INJECTION] CLR Hosting in Native Process
  1. #1
    rlane187

    I am trying to write a support bot for Anarchy Online (I know, I know). I have been devouring everything I can find online about reverse engineering. I am not half bad at finding data offsets with Cheat Engine and mapping structures that I need. The three big things left on my "to learn" list are:
    1) Inject a C++ DLL that will get the .NET 4.0 CLR in the process.
    2) How to find the memory locations and signatures of functions I need (target, cast nano, etc...). I have IDA Pro and OllyDbg and need to figure out how to use them.
    3) How to call those native functions from my managed code (I have found a post using delegates that I think I will need to define, but I am leaving this at the bottom of the list for now).
    This post is an attempt to discern whether or not I have succeeded at number 1.
    I wrote a C++ Bootstrap and a C# Managed DLL:
    [C++] C++ code: #include <Windows.h> #include "MSCorEE.h" #include <metahost.h> // - Pastebin.com


    I take no credit for any of this code. It was cobbled together from several posts and I only had to play with it a little to get it working with .NET 4.0. I use Blackmagic by Shynd to inject the bootstrap into the target program. All of the message boxes (commented out in post) come up, including the one from the managed C# DLL. When I look at the DLLs the program has loaded using Cheat Engine, I can see the Bootstrap and what looks like the CLR:

    [Attached image: dlllist.jpg]

    I do not see the managed DLL (AOInject.dll) that I know was called by the Bootstrap because I saw its message box. So here come the questions:

    1) Did I get the .NET 4.0 CLR loaded into the native function or am I missing something?

    2) Should I still see the managed DLL I called with the Bootstrap? It kind of makes sense that I do not, there is not anything to keep it in memory, but the Bootstrap is still in there. I think the right answer is that I should not. I think the whole reason I did all of this was to get the .NET runtime up and running in there and that is all. What is the answer?

    3) Where do I go from here? Any good reading on how to call in-game functions now that I have the CLR loaded in game?

    4) Will I need to inject another DLL that has the prototypes/signatures of the functions I find?

    I am very new to all of this and have been trying to come up to speed quickly, so please, be merciful.
  2. #2
    Aftiagouras
    If the message box showed up, it worked.

    To call the game's functions you have to declare a delegate with the same signature and use Marshal.GetDelegateForFunctionPointer. Also, since you are injected, you can use unsafe code to read values using pointers (i.e. *(float*)(0xFFFFFF)).

    Check out WhiteMagic ([Release][C#]WhiteMagic - Injected .NET Helper Library) lib by Apoc and CleanLayer.
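
The module-list check from the first post, turned around into a defender's audit, as an added example that is not part of the thread: it flags a process expected to be native whose module list contains .NET Framework 4 CLR runtime DLLs, and lists modules loaded from outside trusted directories. The snapshot, process names, paths and trusted directories are constructed assumptions.

```python
import ntpath

# Runtime DLLs of the .NET Framework 4 CLR (module names only, lower case).
CLR_MODULES = {"mscoree.dll", "mscoreei.dll", "clr.dll", "clrjit.dll"}

# Assumption: directories this defender trusts as module sources.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\games\\exampleapp\\")

# Constructed snapshot (not real data): (pid, image name, loaded module paths).
SNAPSHOT = [
    (4120, "ExampleGame.exe", [
        r"C:\Games\ExampleApp\ExampleGame.exe",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Users\test\Desktop\Bootstrap.dll",
        r"C:\Windows\System32\mscoree.dll",
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll",
    ]),
    (5332, "ExampleGame.exe", [
        r"C:\Games\ExampleApp\ExampleGame.exe",
        r"C:\Windows\System32\kernel32.dll",
    ]),
    (6010, "ManagedTool.exe", [
        r"C:\Tools\ManagedTool.exe",
        r"C:\Windows\System32\mscoree.dll",
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll",
    ]),
]


def audit(snapshot, native_images):
    """Return findings for native processes that have the CLR loaded."""
    findings = []
    for pid, image, modules in snapshot:
        if image.lower() not in native_images:
            continue  # managed programs load the CLR legitimately
        names = {ntpath.basename(m).lower() for m in modules}
        clr = sorted(names & CLR_MODULES)
        if not clr:
            continue
        # Key on the runtime DLLs: in the first post the managed DLL itself
        # was not visible in the module list, but the CLR was.
        untrusted = [m for m in modules
                     if not m.lower().startswith(TRUSTED_DIRS)]
        findings.append({"pid": pid, "clr": clr, "untrusted": untrusted})
    return findings


if __name__ == "__main__":
    for finding in audit(SNAPSHOT, {"examplegame.exe"}):
        print(finding)
```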
