Injection - outsider help menu

  1. #1 jonmcc

    Injection - outsider help

    Does anyone have .NET injection that can get cleanly into .NET v4?
    I don't target games so much, but you guys seem to be on the front lines.

    Thanks if you do.

    IF NOT-
    A small second request: I'm injecting .NET with .NET.
    I am currently bootstrapping C++ and unpacking .NET, and would like to inject pure .NET and not have to go C++ DllMain then unpack C# from that.
    So does anyone have "the best" way to do this from .NET to bring my injected .NET DLL to life? -> code


    Sorry to load this down, but a third request:
    I need to hop AppDomains. This is all good in .NET pre v4, and in v4 they changed the objects to do this; anyone have .NET (or C/C++) code to do this?


    My help in return: you can make infected Visual Studio projects that run code on viewing a form in the project.
    This is done by putting code into a user control's constructor, then dropping that on a form; also check what happens if you don't rebuild but you remove the code.
    It is on my list to make a project cleaner to stop/hunt this.

    Anyway, if you help with this I will owe you one.

  2. #2 Cypher
    I have .NET 4.0 CLR hosting code in HadesMem; you could check that out, but from memory it's currently a bit of a mess, so apologies in advance.

    The transition process from 2.0 -> 4.0 isn't all that bad though. The main problem I had when converting was actually my own stupid fault (I forgot to set a flag on my appdomain).

  3. #3 highvoltz
    This is what I'm using atm.

    I run this from my loader.exe, using blackmagic.
    Code:
        // Loader side (runs in loader.exe). "wow" is the BlackMagic instance attached to
        // the target and "Imports" wraps the Win32 calls used below. 32-bit only:
        // addresses are carried in uint.
        static bool Inject(string bootstrapDll, string cSharpDll)
        {
            string path = Application.StartupPath;
            string dllPath = path + "\\" + bootstrapDll;
            string moduleName = "StartTheDotNetRuntime";
            uint args = 0, hModule, farProc;
            IntPtr moduleOffset, injectedDllAddress;
            try
            {
                // Load the bootstrap DLL locally only to compute the RVA of its export
                if ((hModule = (uint)LoadLibrary(bootstrapDll)) == 0)
                {
                    return false;
                }
                if ((farProc = (uint)Imports.GetProcAddress((UIntPtr)hModule, moduleName)) == 0)
                {
                    return false;
                }
                moduleOffset = (IntPtr)(farProc - hModule);
                FreeLibrary((IntPtr)hModule);
                if (!File.Exists(dllPath))
                {
                    MessageBox.Show("Unable to find " + dllPath);
                    return false;
                }
                // Load the bootstrap DLL into the target; returns its base address there
                if ((injectedDllAddress = (IntPtr)wow.InjectDllCreateThread(dllPath)) == IntPtr.Zero)
                {
                    MessageBox.Show("Failed attempt to inject " + bootstrapDll);
                    return false;
                }
                dllPath = path + "\\" + cSharpDll;
                if (!File.Exists(dllPath))
                {
                    MessageBox.Show("Unable to find " + dllPath);
                    return false;
                }
                // The managed DLL path is written as UTF-16: two bytes per char plus the terminator
                if ((args = wow.AllocateMemory((dllPath.Length + 1) * 2)) == 0)
                {
                    MessageBox.Show("memory allocation error");
                    return false;
                }
                if (!wow.WriteUnicodeString(args, dllPath))
                {
                    MessageBox.Show("memory writing error");
                    return false;
                }
                // Call StartTheDotNetRuntime(args) in the target: base address + export RVA.
                // The thread is killed after 5 s whether or not the CLR finished starting.
                IntPtr threadHandle = wow.CreateRemoteThread((uint)injectedDllAddress + (uint)moduleOffset, args);
                Imports.WaitForSingleObject((IntPtr)threadHandle, 5000);
                Imports.TerminateThread(threadHandle, 0);
                Imports.CloseHandle(threadHandle);
                return true;
            }
            catch (Exception e)
            {
                MessageBox.Show(e.ToString());
                return false;
            }
            finally
            {
                // Only free what was actually allocated in the target
                if (args != 0)
                {
                    wow.FreeMemory(args);
                }
            }
        }
    And this is the bootstrap DLL.
    Code:
    #include "stdafx.h"
    #include <string>
    #include <MSCorEE.h>
    #include <MetaHost.h>

    #pragma comment(lib, "mscoree.lib")

    // Exported entry point the loader starts with CreateRemoteThread.
    // dllPath points at the UTF-16 path of the managed assembly written into this process.
    extern "C" __declspec(dllexport) void StartTheDotNetRuntime(wchar_t *dllPath)
    {
    	ICLRMetaHost* MetaHost = NULL;
    	ICLRRuntimeInfo* Info = NULL;
    	ICLRRuntimeHost* Host = NULL;
    	DWORD dwRet = 0;
    	HRESULT hr;

    	hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (PVOID*)&MetaHost);
    	if (FAILED(hr))
    		return;
    	// The runtime version is hardcoded to the .NET 4.0 CLR
    	hr = MetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (PVOID*)&Info);
    	if (SUCCEEDED(hr))
    		hr = Info->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (PVOID*)&Host);
    	if (SUCCEEDED(hr) && Host != NULL)
    	{
    		hr = Host->Start();
    		if (SUCCEEDED(hr))
    		{
    			// Runs Trons.Trons.InitModule(string) from the assembly at dllPath in the
    			// default AppDomain; the managed return value lands in dwRet
    			hr = Host->ExecuteInDefaultAppDomain(dllPath, L"Trons.Trons",
    				L"InitModule", L"", &dwRet);
    		}
    		Host->Release();
    	}
    	if (Info != NULL)
    		Info->Release();
    	MetaHost->Release();
    }
    And InitModule in my C# DLL is defined like this.
    Code:
    // Signature required by ExecuteInDefaultAppDomain: static int (string)
    public static int InitModule(String pwzArgument)
    {
        EndScene.InstallEndSceneHook();
        return 0;
    }

  4. #4 sPeC!
    I think he wants to avoid using a C++ bootstrap, highvoltz.

    Unfortunately I can't be of much help either, because I also use the same method: inject C++ bootstrap -> load environment.

    Btw, if someone wants to use the latest CLR version instead of hardcoding a specific version/build, this code that I found at some point may help:
    Code:
    // DLL_PATH, NAMESPACE_CLASS, FUNCTION_NAME and PARAM1 are expected to be
    // defined by the including code; the snippet as found does not define them.
    extern "C" __declspec( dllexport ) void __cdecl StartInjection()
    {
    	ICLRMetaHost *pMetaHost = NULL;
    	HRESULT hr;
    	hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost,
    		(LPVOID*)&pMetaHost);

    	if (SUCCEEDED(hr))
    	{
    		IEnumUnknown *peunkRuntimes = NULL;
    		hr = pMetaHost->EnumerateInstalledRuntimes(&peunkRuntimes);
    		if (SUCCEEDED(hr))
    		{
    			// *** FINDING LATEST RUNTIME ***
    			IUnknown *punkRuntime;
    			ICLRRuntimeInfo *prtiLatest = NULL;
    			WCHAR szLatestRuntimeVersion[MAX_PATH];
    			while (peunkRuntimes->Next(1, &punkRuntime, NULL) == S_OK) // returns S_FALSE when no more runtimes remaining
    			{
    				ICLRRuntimeInfo *prtiCurrent;
    				hr = punkRuntime->QueryInterface(IID_PPV_ARGS(&prtiCurrent));
    				if (SUCCEEDED(hr))
    				{
    					if (!prtiLatest)
    					{
    						// first runtime seen becomes the provisional latest
    						hr = prtiCurrent->QueryInterface(IID_PPV_ARGS(&prtiLatest));
    						if (SUCCEEDED(hr))
    						{
    							DWORD cch = ARRAYSIZE(szLatestRuntimeVersion);
    							hr = prtiLatest->GetVersionString(szLatestRuntimeVersion, &cch);
    						}
    					}
    					else
    					{
    						WCHAR szCurrentRuntimeVersion[MAX_PATH];
    						DWORD cch = ARRAYSIZE(szCurrentRuntimeVersion);
    						hr = prtiCurrent->GetVersionString(szCurrentRuntimeVersion, &cch);
    						if (SUCCEEDED(hr))
    						{
    							// version strings ("v2.0.50727", "v4.0.30319") compare lexically
    							if (wcsncmp(szLatestRuntimeVersion, szCurrentRuntimeVersion, cch) < 0) // current runtime is new latest runtime
    							{
    								hr = prtiCurrent->GetVersionString(szLatestRuntimeVersion, &cch);
    								if (SUCCEEDED(hr))
    								{
    									prtiLatest->Release();
    									hr = prtiCurrent->QueryInterface(IID_PPV_ARGS(&prtiLatest));
    								}
    							}
    						}
    					}
    					prtiCurrent->Release();
    				}
    				punkRuntime->Release();
    			}
    			peunkRuntimes->Release();

    			// *** STARTING CLR ***
    			// prtiLatest stays NULL when no runtime is installed; don't dereference it then
    			if (SUCCEEDED(hr) && prtiLatest != NULL)
    			{
    				//std::wcout << L"Latest CLR version found: " << szLatestRuntimeVersion << std::endl;

    				ICLRRuntimeHost *prth = NULL;
    				hr = prtiLatest->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&prth);
    				if (SUCCEEDED(hr))
    				{
    					hr = prth->Start();
    					if (SUCCEEDED(hr))
    					{
    						//std::wcout << L"CLR started." << std::endl;

    						DWORD dwRet = 0;
    						hr = prth->ExecuteInDefaultAppDomain(DLL_PATH, NAMESPACE_CLASS, FUNCTION_NAME, PARAM1, &dwRet);
    						if (SUCCEEDED(hr))
    						{
    							//std::wcout << "Executed method, return value = " << dwRet << "." << std::endl;
    						}
    						hr = prth->Stop();
    					}
    					prth->Release();
    				}
    			}
    			if (prtiLatest != NULL)
    				prtiLatest->Release();
    		}
    		pMetaHost->Release();
    	}
    }
    Cheers,

  5. #5 jonmcc
    First off, thanks for the welcome.

    HadesMem is nice, good job playing in the raw world!!! It will take me a while to get a handle on your code.
    You could be the one to ask for help on how to build a function pointer for a C# delegate,
    so I inject C#, then need to build a function pointer (with C# or C/C++) to some function I injected, then I can do a CreateRemoteThread on the function I injected - will this work... inject with C# -> build function pointer in target -> activate with C#
    If you can do it in C/C++ I think I can convert it to C#.
    So if I can inject C# -> use C# to build C# delegate -> C# CreateRemoteThread - full end-to-end C# (.NET) injection.


    On the AppDomain stuff:
    I can inject and end up in the DefaultAppDomain, but I can't break out to my "target's core AppDomain". After I get into the target's running AppDomain (not DefaultAppDomain) I can pwn it;
    after I get in I use .NET to walk my target's object structure and bend it live (replace objects, change values, change event lists).
    I can do this in pre v4 (2.0->3.5)... Anyway, I think I can get this; it will just take me a bunch of time in C/C++ land (I'm a slow C programmer). I have spent two weeks on this and it's killing me!


    Side note to upgrade the code posted:
    Something fun I did is unpacking .NET from a byte array in code, or downloading from the web and injecting "not from a file": load your injection payload from a byte array. This can come in handy if it's a third+ level unpacker...
    So don't touch disk, just load .NET from memory.
    Just something like:
    //include CSafeArrayByteVector stuff (helper wrapping a SAFEARRAY of bytes, not shown here)
    CSafeArrayByteVector RawAssembly;
    RawAssembly.Allocate((ULONG) SIZE);
    memcpy((char *) RawAssembly.GetDataPtr(), data, SIZE);   // data/SIZE: the raw assembly bytes

    // load assembly straight from the byte array via _AppDomain::Load_3
    mscorlib::_Assembly *asmbly = NULL;
    HRESULT st = pCurDomain->Load_3(RawAssembly.GetSafeArray(), &asmbly);

    It is the same process for C# to unpack C# (I can post the C# code as well if anyone wants).
    I'm also looking for a way to do this for C++, to unpack and load C++ from C# (.NET); have not found it yet.



    Anyway, thanks much, it's cool to find skill on the interwebs.
    Chat me up.

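A defender's counterpart to the loader sequence in post #3 (remote thread into the target, bootstrap DLL loaded, CLR started) and the in-memory assembly load in post #5: this added example, not code from the thread, correlates constructed Sysmon-style CreateRemoteThread (Event ID 8) and ImageLoad (Event ID 7) records to flag a process that receives a remote thread and then loads the CLR or an unsigned DLL. The sample events, paths and the 30-second window are constructed assumptions; an assembly loaded from a byte array produces no ImageLoad record, which is why the rule keys on the CLR and bootstrap module loads rather than on the managed payload.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style records (not taken from the thread). Event ID 8 is
# CreateRemoteThread, Event ID 7 is ImageLoad; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2024-01-01 12:00:00.000", "Image": "C:\\Target\\game.exe",
     "ImageLoaded": "C:\\Windows\\System32\\user32.dll", "Signed": "true"},
    {"EventID": 8, "UtcTime": "2024-01-01 12:00:05.000", "SourceImage": "C:\\Tools\\loader.exe",
     "TargetImage": "C:\\Target\\game.exe", "StartModule": "C:\\Windows\\System32\\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
    {"EventID": 7, "UtcTime": "2024-01-01 12:00:05.200", "Image": "C:\\Target\\game.exe",
     "ImageLoaded": "C:\\Tools\\Bootstrap.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2024-01-01 12:00:05.400", "Image": "C:\\Target\\game.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll", "Signed": "true"},
]

# Modules whose appearance means a CLR was started inside the process
CLR_MODULES = {"mscoree.dll", "clr.dll", "mscorwks.dll", "clrjit.dll"}
WINDOW = timedelta(seconds=30)  # assumed correlation window


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def find_clr_injection(events):
    """For every remote thread created into a process, inspect what that process
    loads within WINDOW afterwards. A payload loaded from a byte array (Load_3)
    leaves no ImageLoad record, so the rule keys on the CLR itself and on any
    unsigned module (the native bootstrap) rather than on the managed payload."""
    alerts = []
    for rt in (e for e in events if e["EventID"] == 8):
        t0 = parse_time(rt["UtcTime"])
        loads = [e for e in events if e["EventID"] == 7
                 and e["Image"] == rt["TargetImage"]
                 and t0 <= parse_time(e["UtcTime"]) <= t0 + WINDOW]
        clr = [e["ImageLoaded"] for e in loads if basename(e["ImageLoaded"]) in CLR_MODULES]
        unsigned = [e["ImageLoaded"] for e in loads if e.get("Signed", "false").lower() != "true"]
        if clr or unsigned:
            alerts.append({"source": rt["SourceImage"], "target": rt["TargetImage"],
                           "start": rt.get("StartFunction"), "clr_loaded": clr,
                           "unsigned_loaded": unsigned})
    return alerts


if __name__ == "__main__":
    for alert in find_clr_injection(SAMPLE_EVENTS):
        print(alert)
```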
  6. #6 jonmcc

    long road

    Thanks sPeC!
    I hit that code a while ago and it has the correct calls (I think). I hit a wall; I don't know if it is something I'm doing wrong, but I cannot use the calls in VS 2008, only in VS 2010,
    but in VS 2010 I cannot use DllMain to auto-start....
    I'm getting closer... it just seems to be getting messy.

    What I'm working on looks like:
    C# injects -> C++ under VS 2008 -> loads C++ under VS 2010 -> this loads C#

    So no one has C# injection end-to-end.. OK
