[C#] Managed Dll Injection menu

User Tag List

Page 2 of 2 FirstFirst 12
Results 16 to 27 of 27
  1. #16
    Xarg0's Avatar Member
    Reputation
    61
    Join Date
    Jan 2008
    Posts
    389
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Btw it's way easier to just create a new thread in DllMain then to call your dlls exports using another remote thread, and it is saving you from using a special injector.
    I don't get who came up with the idea of calling exports of an injected module using remote threads, but doing something like this is completly retarded if you can just setup threads in DllMain, and ofcourse don't wait for the threads to return in DllMain, that would cause yet another deadlock.
    I hacked 127.0.0.1

    [C#] Managed Dll Injection
  2. #17
    Cypher's Avatar Kynox's Sister's Pimp
    Reputation
    1358
    Join Date
    Apr 2006
    Posts
    5,368
    Thanks G/R
    0/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Xarg0 View Post
    Btw it's way easier to just create a new thread in DllMain then to call your dlls exports using another remote thread, and it is saving you from using a special injector.
    I don't get who came up with the idea of calling exports of an injected module using remote threads, but doing something like this is completly retarded if you can just setup threads in DllMain, and ofcourse don't wait for the threads to return in DllMain, that would cause yet another deadlock.
    You seem to be missing the fact that you're not supposed to create threads in DllMain...

    DLL Dynamic Link Library Best Practices

    You should never perform the following tasks from within DllMain:
    Call LoadLibrary or LoadLibraryEx (either directly or indirectly). This can cause a deadlock or a crash.
    Synchronize with other threads. This can cause a deadlock.
    Acquire a synchronization object that is owned by code that is waiting to acquire the loader lock. This can cause a deadlock.
    Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx.
    Call the registry functions. These functions are implemented in Advapi32.dll. If Advapi32.dll is not initialized before your DLL, the DLL can access uninitialized memory and cause the process to crash.
    Call CreateProces. Creating a process can load another DLL.
    Call ExitThread. Exiting a thread during DLL detach can cause the loader lock to be acquired again, causing a deadlock or a crash.
    Call CreateThread. Creating a thread can work if you do not synchronize with other threads, but it is risky.
    Create a named pipe or other named object (Windows 2000 only). In Windows 2000, named objects are provided by the Terminal Services DLL. If this DLL is not initialized, calls to the DLL can cause the process to crash.
    Use the memory management function from the dynamic C Run-Time (CRT). If the CRT DLL is not initialized, calls to these functions can cause the process to crash.
    Call functions in User32.dll or Gdi32.dll. Some functions load another DLL, which may not be initialized.
    Use managed code.
    Yes, most of the time it will work, but it's still dangerous (for obvious reasons -- think: race condition on unmap because of pe loader 'failure').
    Last edited by Cypher; 05-31-2010 at 10:44 AM. Reason: formatting etc

  3. #18
    streppel's Avatar Active Member
    Reputation
    78
    Join Date
    Mar 2007
    Posts
    196
    Thanks G/R
    0/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    thanks again for your answers. now the only problem left would be, that it does not start the "StartUp" method as it it intended to.
    how would i get around this?
    that the dll looks for the managed dll in the application folder makes sense when thinking that it runs as part of the game right after is has been injected, but i'll get some way around this.(The example was good btw,thx again )

    EDIT: did it with the injector mentioned in this thread before. calling an exported function with an argument(the argument here is the path+dll name like Directory.GetCurrentDirectory() + "\\MyHook.dll"; as the c# program knows where it is and in the same folder the other files are,so this is the perfekt solution for me )

    only thing still left now is to make it run the StartUp method
    Last edited by streppel; 05-31-2010 at 12:10 PM. Reason: adding news

  4. #19
    Cypher's Avatar Kynox's Sister's Pimp
    Reputation
    1358
    Join Date
    Apr 2006
    Posts
    5,368
    Thanks G/R
    0/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You need to call your export yourself.

    If your injector does not support calling remote exports then you'll need to add that or use one that does.

    Basically you just need to load the DLL locally (as data, so no code is run), get the address of the export, subtract the base address, take that offset, find the module in the remote process, add the offset, and call the function with a remote thread. May sound complicated but it's actually very easy.

  5. #20
    streppel's Avatar Active Member
    Reputation
    78
    Join Date
    Mar 2007
    Posts
    196
    Thanks G/R
    0/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Cypher View Post
    You need to call your export yourself.

    If your injector does not support calling remote exports then you'll need to add that or use one that does.

    Basically you just need to load the DLL locally (as data, so no code is run), get the address of the export, subtract the base address, take that offset, find the module in the remote process, add the offset, and call the function with a remote thread. May sound complicated but it's actually very easy.
    what you wrote actually doesn't sound too complicated(getting the difference in my own process,using it in the other process,makes sense )

    but now i don't understand what
    Code:
    hr = pClrHost->ExecuteInDefaultAppDomain(L"MyDll.dll",L"Class1.MyHook", L"StartUp", L"param", &dwRet);
    is supposed to do. ofc it loads the dll, but what does it do with the namespace/class/method information then?

  6. #21
    Cypher's Avatar Kynox's Sister's Pimp
    Reputation
    1358
    Join Date
    Apr 2006
    Posts
    5,368
    Thanks G/R
    0/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by streppel View Post
    what you wrote actually doesn't sound too complicated(getting the difference in my own process,using it in the other process,makes sense )

    but now i don't understand what
    Code:
    hr = pClrHost->ExecuteInDefaultAppDomain(L"MyDll.dll",L"Class1.MyHook", L"StartUp", L"param", &dwRet);
    is supposed to do. ofc it loads the dll, but what does it do with the namespace/class/method information then?
    Cool, it actually shouldn't sound complicated at all, but you'd be surprised how much some people struggle to grasp the basics around here.

    And ****, my bad, I thought 'Startup' was the export in your DLL that you were injecting to bootstrap the CLR. Sorry, I was skim-reading the thread because I was leaving to go for a swim.

    I'm about to have lunch, but if nobody has helped you by the time I get back and have some spare time to answer then I'll sort it out.

  7. #22
    Xarg0's Avatar Member
    Reputation
    61
    Join Date
    Jan 2008
    Posts
    389
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    and you're not supposed to inject dlls into a running process, well anyways I still don't understand why calling an exported function by injecting a code stub and creating a remotethread should be more safe to do then to create a thread from within dll main, I mean if DllMain is executed the dll is already loaded, so I don't quite understand what you mean by pe loader failure.
    So could you please elaborate in detail why calling a dlls export from a remote thread is more secure then doing your stuff in a thread created from dllmain?
    I hacked 127.0.0.1

  8. #23
    Cypher's Avatar Kynox's Sister's Pimp
    Reputation
    1358
    Join Date
    Apr 2006
    Posts
    5,368
    Thanks G/R
    0/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Xarg0 View Post
    and you're not supposed to inject dlls into a running process, well anyways I still don't understand why calling an exported function by injecting a code stub and creating a remotethread should be more safe to do then to create a thread from within dll main, I mean if DllMain is executed the dll is already loaded, so I don't quite understand what you mean by pe loader failure.
    So could you please elaborate in detail why calling a dlls export from a remote thread is more secure then doing your stuff in a thread created from dllmain?
    Bzzt. Wrong. DLL injection is required for quite a few legitimate things. The most obvious/common being windows hooks and window subclassing. DLL injection is part of programming for Windows, it is NOT some 'low level hacker tool' or w/e you seem to be implying it is.

    As for why calling an export is safer than using DllMain. First off, it's documented as dangerous, isn't that enough for you? However, to elaborate on my previous point, it's been a while since I've looked at that portion of the PE loader, but last time I checked I'm pretty sure there are some conditions that can cause the DLL to be unloaded by the PE loader after DllMain returns, if this is the case, then you'll have a nasty race condition on your hands. However, as I can't confirm that right now I'll withdraw it.

    The fact that Microsoft say "don't create threads in DLLMain" should be more than enough justification for the use of exports.

    EDIT:

    Heck, there's an entire chapter on DLL injection in the book 'Programming Windows via C/C++'.
    Last edited by Cypher; 05-31-2010 at 04:00 PM.

  9. #24
    adaephon's Avatar Active Member
    Reputation
    76
    Join Date
    May 2009
    Posts
    167
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    @streppel at work ATM and can't check this or your code that well (eww iPhone). But it looks like you might not be using fully qualified class name ie L"Class1.MyHook" should be L"Namespace1.Class1.MyHook".

    Also if you're intending to use .NET 4.0 you are using outdated hosting Apis and will have to update your code to use the new ones

  10. #25
    streppel's Avatar Active Member
    Reputation
    78
    Join Date
    Mar 2007
    Posts
    196
    Thanks G/R
    0/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    i switched back to .NET 3.5 for this reason,so it's not because of this

    i'll try what you said

    edit: i'm doing it the way you said. Class1 is my namespace, MyHook is my class and StartUp is my method
    Last edited by streppel; 05-31-2010 at 11:45 PM.

  11. #26
    caytchen's Avatar Contributor
    Reputation
    138
    Join Date
    Apr 2007
    Posts
    162
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by streppel View Post
    i switched back to .NET 3.5 for this reason,so it's not because of this

    i'll try what you said

    edit: i'm doing it the way you said. Class1 is my namespace, MyHook is my class and StartUp is my method
    Not quite sure what step you're at right now. Is it loading the CLR but not calling StartUp from your assembly?
    Make sure StartUp has the signature given on the MSDN "static int pwzMethodName (String pwzArgument)" and check the HRESULT.

    If you're still looking to call your exported function that is supposed to load the CLR, find the module and GetProcAddress will lead your way from there.

  12. #27
    streppel's Avatar Active Member
    Reputation
    78
    Join Date
    Mar 2007
    Posts
    196
    Thanks G/R
    0/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by caytchen View Post
    Not quite sure what step you're at right now. Is it loading the CLR but not calling StartUp from your assembly?
    Make sure StartUp has the signature given on the MSDN "static int pwzMethodName (String pwzArgument)" and check the HRESULT.

    If you're still looking to call your exported function that is supposed to load the CLR, find the module and GetProcAddress will lead your way from there.
    i love you,it works...i had the function be a void....as an int it works just fine
    you will get the rep as soon as i can give some again

Page 2 of 2 FirstFirst 12

Similar Threads

  1. Help with managed DLL injection
    By wowsc4p3 in forum WoW Memory Editing
    Replies: 3
    Last Post: 11-29-2013, 08:44 AM
  2. Destructor's Tutorial: Managed .NET DLL Injection
    By ugkbunb in forum Programming
    Replies: 1
    Last Post: 07-30-2009, 05:15 PM
  3. [Tutorial] DLL Injection
    By jagged software in forum Programming
    Replies: 22
    Last Post: 04-21-2009, 03:27 AM
  4. DLL injection with windows SP3
    By Therrm in forum World of Warcraft Bots and Programs
    Replies: 3
    Last Post: 12-06-2008, 03:03 PM
  5. What are the risks with DLL injection?
    By object in forum WoW Memory Editing
    Replies: 14
    Last Post: 08-22-2008, 09:23 PM
All times are GMT -5. The time now is 07:49 PM. Powered by vBulletin® Version 4.2.3
Copyright © 2025 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Google Authenticator verification provided by Two-Factor Authentication (Free) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search