-
Member
C++ ExecuteInDefaultAppDomain from memory?
Hi,
I want to load a .NET Dll into a process. I am using this code which works fine:
Code:
#include <Windows.h>
#include "MSCorEE.h"
#include <metahost.h>
#pragma unmanaged
#pragma comment(lib, "mscoree.lib")

DWORD WINAPI StartDotNet(LPVOID lpParam);

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Start the CLR on its own thread; managed code must not run under the loader lock.
        CreateThread(NULL, 0, StartDotNet, NULL, 0, NULL);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Thread routine with the signature CreateThread expects (no function-pointer cast needed).
DWORD WINAPI StartDotNet(LPVOID lpParam)
{
    HRESULT hr;
    ICLRMetaHost *pMetaHost = NULL;
    ICLRRuntimeInfo *lpRuntimeInfo = NULL;
    ICLRRuntimeHost *lpRuntimeHost = NULL;
    DWORD dwRet = 0;

    // Each step runs only if the previous one succeeded.
    hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost);
    if (SUCCEEDED(hr))
        hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (LPVOID*)&lpRuntimeInfo);
    if (SUCCEEDED(hr))
        hr = lpRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&lpRuntimeHost);
    if (SUCCEEDED(hr))
        hr = lpRuntimeHost->Start();
    if (SUCCEEDED(hr))
        hr = lpRuntimeHost->ExecuteInDefaultAppDomain(
            L"C:\\test\\Test.dll",
            L"Test.Class1", L"EntryPoint", L"it works", &dwRet);

    // Release the COM interfaces in reverse order of acquisition.
    if (lpRuntimeHost) lpRuntimeHost->Release();
    if (lpRuntimeInfo) lpRuntimeInfo->Release();
    if (pMetaHost) pMetaHost->Release();
    return 0;
}
Since I don't know where users extract the hack and the Test.dll, I cannot use a constant path like "C:\\test\\Test.dll". Using a relative path means I have to place the DLL in the game folder, which would work, but I prefer a solution where the hack DLLs stay in their own folder.
Is there any way to load the Test.dll from memory and use it in ExecuteInDefaultAppDomain?
Or are there even better approaches?
Thanks!
-
BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
hDll stores the path to the dll.
Check my blog: https://zzuks.blogspot.com
-
Post Thanks / Like - 2 Thanks
jimjonesOC,
ev0 (2 members gave Thanks to Corthezz for this useful post)
-
Member
-
I'm not exactly sure of your goals, but if you are using C++ only to inject your .NET module, it's not really needed. I wrote this for just this reason - http://www.ownedcore.com/forums/worl...ls-easier.html (Injection Sharp - Inject your .net coded internals easier.). Simply point and click; the only issue is that version is broken for x64 due to the injector I wrote sucking, the DLL works fine in x64.
You can also just make your own version by using this (credits iceflake/scorpia for the class? I forget now):
https://github.com/lolp1/DomainWrapp.../DomainWrapper
In PatchedDomainLoader, you can either hardcode this value to yours:
Code:
internal static string ApplicationToHostName = "WhiteVex";
[MarshalAs(UnmanagedType.LPWStr)]
internal static string ApplicationToHostDirectory = @"C:\Users\lol[1\Documents\Visual Studio 2015\Projects\WhiteVex\WhiteVex\bin\Debug\";
Or you can have it dynamically set and then load the module by calling this export with the desired settings:
Code:
[DllExport("LoadDomainSettings", CallingConvention.Cdecl)]
public static void LoadDomainHostSettings(string loadDirectory, string applicationName)
{
    // Store the directory and assembly name that the domain host will load.
    ApplicationToHostDirectory = loadDirectory;
    ApplicationToHostName = applicationName;
}
I personally have a version built into all of my C# internal stuff to simply auto-inject itself into the selected process, and just skip the whole GUI or hard coding of any kind now. I am really lazy..
-
Post Thanks / Like - 1 Thanks
ev0 (1 members gave Thanks to lolp1 for this useful post)
-
Member
I haven't tested it yet but does it also work for injecting a managed DLL into an unmanaged process?
How can I execute a method of the injected DLL after injection?
-
Originally Posted by
jimjonesOC
I haven't tested it yet but does it also work for injecting a managed DLL into an unmanaged process?
Yes it does. In fact, that is all it works for as that is what it's designed for.
Originally Posted by
jimjonesOC
How can I execute a method of the injected DLL after injection?
If the method is a DLL export, which the above are, you can call them easily with or without third-party tools. I personally wrote TealVex mainly for this reason (calling DLL exports easily) - http://www.ownedcore.com/forums/worl...ted-stuff.html
MemorySharp and ExtremeInjector also do the job.
https://github.com/ZenLulz/MemorySharp
An example of how I do it in InjectionSharp using the MemorySharp lib:
Code:
private void injectButton_Click(object sender, EventArgs e)
{
    try
    {
        SetUpMemorySharpInstance();
        var applicationName = FormattedApplicationName();
        var applicationToHostPath = FormatedApplicationToHostPath();
        var dllName = domainHostDllNameBox.Text;
        var dllPath = FormatedDomainHostDllPath(applicationToHostPath);
        MemorySharp.Modules.Inject(dllPath);
        // Call exported method to set settings.
        MemorySharp[dllName]["LoadDomainSettings"].Execute(CallingConventions.Cdecl, applicationToHostPath,
            applicationName);
        // Host.
        MemorySharp[dllName]["HostDomain"].Execute(CallingConventions.Cdecl);
    }
    catch (Exception exception)
    {
        HandleException(exception);
    }
}
ExtremeInjector supports calling DllExports upon injection:
[Release] Extreme Injector v3.5.2 by master131
If you're x64, I suggest Extreme Injector or writing your own quick solution using the above. If x32, Injection Sharp is as easy as it gets lol.
-
Post Thanks / Like - 2 Thanks
ev0,
jimjonesOC (2 members gave Thanks to lolp1 for this useful post)
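
Seen from the defending side, the loader discussed in this thread leaves a recognisable footprint: a native process starts loading the .NET Framework runtime (clr.dll, clrjit.dll) shortly after a DLL from outside the system directories. The following is an added example, not code from any poster in the thread; it runs over constructed records shaped like Sysmon Event ID 7 (image loaded), and the allowlist, process names and paths are assumptions.

```python
# Added example: flag native processes that start hosting the .NET CLR.
from collections import defaultdict
from ntpath import basename  # Windows path rules on any OS

CLR_MODULES = {"clr.dll", "clrjit.dll"}  # .NET Framework 4.x runtime DLLs
SYSTEM_PREFIX = "c:\\windows\\"
# Assumption: images that your own baseline says legitimately host the CLR.
EXPECTED_MANAGED = {
    "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
}

# Constructed sample records (fields as in Sysmon Event ID 7, image loaded).
EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Apps\Example\native_app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"ProcessId": 4120, "Image": r"C:\Apps\Example\native_app.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\loader.dll"},
    {"ProcessId": 4120, "Image": r"C:\Apps\Example\native_app.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
    {"ProcessId": 4120, "Image": r"C:\Apps\Example\native_app.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"},
    {"ProcessId": 4120, "Image": r"C:\Apps\Example\native_app.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll"},
    {"ProcessId": 900,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]


def find_unexpected_clr_hosts(events, expected=EXPECTED_MANAGED):
    """Map (pid, image) -> CLR modules loaded and non-system DLLs seen first."""
    earlier = defaultdict(list)  # non-system modules per process, in load order
    findings = {}
    for ev in events:
        key = (ev["ProcessId"], ev["Image"].lower())
        loaded = ev["ImageLoaded"].lower()
        if basename(loaded) in CLR_MODULES:
            if key[1] in expected:
                continue  # baseline says this image is a managed host
            hit = findings.setdefault(
                key, {"clr": [], "loaded_before": list(earlier[key])})
            hit["clr"].append(basename(loaded))
        elif not loaded.startswith(SYSTEM_PREFIX) and loaded != key[1]:
            earlier[key].append(loaded)  # candidate bootstrap DLL
    return findings


if __name__ == "__main__":
    for (pid, image), hit in find_unexpected_clr_hosts(EVENTS).items():
        print(pid, image, hit["clr"], "after", hit["loaded_before"])
```

mscoree.dll is deliberately not treated as a signal on its own, since the shim is loaded by some native software; clr.dll and clrjit.dll indicate that a runtime was actually started.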