InjectManagedLibrary
  1. #1 Shynd (Contributor)

    InjectManagedLibrary

    For those of you interested in what Apoc's been obsessed with lately, here's a pretty simple native DLL that injects itself into a program of your choice, starts the .NET runtime, and calls a method from a managed DLL that you specify.

    It's very simple, will have memory leaks if things fail, is more C than C++, and is overall pretty shitty. One of these days I will rewrite it to use the sort of EnsureRelease handles that are featured in Cypher's x64/x86 injector, but not today.

    Anyway, it works, and have fun.

    Source Download

    For those of you who wish to only browse:
    main.h
    main.cpp


    Credits:
    James Devlin,
    Cypher,
    Kynox,
    et al.
    Last edited by Shynd; 06-20-2009 at 04:13 PM. Reason: added browse links
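    As an added, defender-side example that is not code from this thread or from Shynd's injector: a PowerShell check for the footprint the technique described above leaves behind, namely a process whose main executable is native but which nevertheless has the .NET runtime loaded. It assumes Windows PowerShell 3 or later run elevated so that module lists are readable; the module names are the standard CLR runtime images.

```powershell
# Added example, not code from the thread or from Shynd's injector. Hunts for the
# footprint managed-code injection leaves behind: a process whose main executable
# is a native PE but which nevertheless has the CLR loaded.
# Assumes Windows PowerShell 3+ run elevated so module lists are readable.

# Runtime images to look for: the shim, the .NET 2.x engine, the .NET 4 engine
# and .NET Core. An injector that starts the runtime pulls one of these in.
$clrModules = @('mscoree.dll', 'mscorwks.dll', 'clr.dll', 'coreclr.dll')

function Test-ManagedImage {
    param([string]$Path)
    # GetAssemblyName throws BadImageFormatException for a PE without a CLI
    # header, so that exception means "native". Any other failure (file gone,
    # access denied) is treated as managed so we do not flag on uncertainty.
    try { [void][System.Reflection.AssemblyName]::GetAssemblyName($Path); return $true }
    catch [System.BadImageFormatException] { return $false }
    catch { return $true }
}

function Find-NativeClrHosts {
    foreach ($p in Get-Process) {
        try {
            $exe  = $p.MainModule.FileName
            $mods = $p.Modules | ForEach-Object { $_.ModuleName.ToLower() }
        } catch {
            # Protected/system process, or 32-bit PowerShell looking at a 64-bit
            # process: module list not readable, skip it.
            continue
        }
        $loaded = $mods | Where-Object { $clrModules -contains $_ }
        if ($loaded -and -not (Test-ManagedImage $exe)) {
            [pscustomobject]@{
                Pid        = $p.Id
                Name       = $p.ProcessName
                Executable = $exe
                ClrModules = (@($loaded) | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Native processes that host the CLR by design (explorer.exe with managed shell
# extensions, Office with managed add-ins) will appear too; allow-list them per
# estate rather than in code.
Find-NativeClrHosts | Format-Table -AutoSize
```

    Run it against a known-clean baseline first: the output is a candidate list for investigation, not a verdict.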

  2. #2 lanman92 (Active Member)
    Wouldn't it be better to just use easyhook...?

  3. #3 lanman92 (Active Member)
    This wasn't to bash Shynd, just a statement. This is good to inform people that this is possible. It's always nice to see a PoC every once in a while.

  4. #4 Shynd (Contributor)
    Yeah, it'd probably be easier (better?) to use EasyHook, but I always prefer to write my own. Always. You learn more if you understand what's going on.

    Besides, it wouldn't be the hardest thing in the world for a game to flag Dante.dll and ban/disconnect based on it being loaded, which would cause you to have to rewrite from scratch. If you start out writing from scratch, you're ahead of the game. Everything is under your control and you're not dependent on a thing.

    Your definition of better differs from mine.

  5. #5 Cypher (Kynox's Sister's Pimp)
    DEFINITELY more C than C++. On that note... AAAH IT BURNS!

    Seriously though. Nice contribution. I'm gonna have to do something similar for myself soon. If I can avoid using some of my private libraries in it then I might release it. Depends whether I get lazy or not.

  6. #6 lanman92 (Active Member)
    I guess I meant ease :P

  7. #7 jjaa (Contributor)
    Originally Posted by Kynox @ "http://kynox.wordpress.com/2009/05/31/new-blog/"
    I’ll be posting about how to host the CLR for .NET executables so you can run them in the context of another process later on; giving examples in both Managed C++ and Unmanaged C++
    Code:
    #include <Windows.h>
    #using <System.Windows.Forms.dll>   // reference needed for MessageBox; build with /clr

    // Managed entry point. It runs on its own thread, outside the loader lock
    // that DllMain holds, so starting the CLR and touching managed code here is safe.
    #pragma managed
    DWORD WINAPI ThreadStartRoutine(LPVOID lpThreadParameter)
    {
        System::Windows::Forms::MessageBox::Show("Hello");

        return 0;
    }

    // DllMain stays native: calling into managed code while the loader lock is
    // held deadlocks, so it only spawns the thread and returns.
    #pragma unmanaged
    BOOL WINAPI DllMain( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
    {
        if ( dwReason == DLL_PROCESS_ATTACH )
        {
            HANDLE hThread = CreateThread( NULL, 0, ThreadStartRoutine, NULL, 0, NULL );
            if ( hThread )
                CloseHandle( hThread );   // the thread keeps running; only the handle is released
        }

        return TRUE;
    }
    that's your hint

  8. #8 tanis2000 (Active Member)
    Originally Posted by Shynd View Post
    Yeah, it'd probably be easier (better?) to use EasyHook, but I always prefer to write my own. Always. You learn more if you understand what's going on.

    Besides, it wouldn't be the hardest thing in the world for a game to flag Dante.dll and ban/disconnect based on it being loaded, which would cause you to have to rewrite from scratch. If you start out writing from scratch, you're ahead of the game. Everything is under your control and you're not dependent on a thing.
    You're right Shynd. EasyHook is really easy to use and it's good when you want to try things out as fast as possible, but it's got some big drawbacks like the fact that it loads a service upon start and that it doesn't give you much control over how your code gets loaded and injected.

    It's on my todo list to rewrite all the injection stuff once I have this version of BabBot working as it is supposed to be. Relying on other people's code can be a problem sometimes.

    But before doing that I still need to finish the work on the EndScene stuff and see how it works, because right now, with the injected DLL calling the LUA code, I see WoW crashing even more than before.

  9. #9 lanman92 (Active Member)
    Can't you hook EndScene easily with EasyHook? (pun intended)

  10. #10 tanis2000 (Active Member)
    Originally Posted by lanman92 View Post
    Can't you hook EndScene easily with EasyHook? (pun intended)
    Of course you can. The hard part isn't hooking it but finding out the address of EndScene at runtime, which is something that has already been discussed extensively either here or on GD.

  11. #11 Cypher (Kynox's Sister's Pimp)
    Originally Posted by tanis2000 View Post
    Of course you can. The hard part isn't hooking it but finding out the address of EndScene at runtime, which is something that has already been discussed extensively either here or on GD.

    I wouldn't exactly call that the "hard part".
