Injection Issues

[Thongs]

I've been learning about injection over the last few days and thought that I was ready to give it a try for myself. Perhaps it's because I'm clueless about C++ (I generally use C#), or maybe my entire understanding of injection is wrong. Either way, I've searched these forums extensively, and used google, but haven't been able to figure it out. Most of my code is just copypasted right now as I'm learning the concepts before writing my own. I inject my C++ Bootstrapper, and it's successfully injected (shown in process explorer), but doesn't do anything.

From what I understand, I need to:
1. Inject a C++ DLL Bootstrapper into the WoW process using a DLL injector (I'm using _Mike's for now while testing http://www.mmowned.com/forums/world-...-injector.html)
2. Have the C++ DLL start the CLR, and then start the C# DLL DomainManager (Thanks to Apoc for his code on that).
3. The C# DomainManager will load up my target executable file, beginning at the entry point. For for testing purposes, all my executable file does when opened is display a "success" messagebox.

cppBootstrap.h

Code:

class MycppBootstrap
{
    public:
        static __declspec(dllexport) void StartTheDotNetRuntime();
}

cppBootstrap.cpp

Code:

void MycppBootstrap::StartTheDotNetRuntime()
	{
	ICLRMetaHost * lpMetaHost = NULL;
    HRESULT hr;
    hr = CLRCreateInstance(
        CLSID_CLRMetaHost,
        IID_ICLRMetaHost,
        (LPVOID *)&lpMetaHost);

	ICLRRuntimeInfo * lpRuntimeInfo = NULL;
    // Get a reference for the ICLRRuntimeInfo
    hr = lpMetaHost->GetRuntime(
        L"v4.0.21006", // 4.0 Beta2
        IID_ICLRRuntimeInfo,
        (LPVOID *)&lpRuntimeInfo);

	ICLRRuntimeHost * lpRuntimeHost = NULL;
    // Load the CLR.
    hr = lpRuntimeInfo->GetInterface(
        CLSID_CLRRuntimeHost,
        IID_ICLRRuntimeHost,
        (LPVOID *)&lpRuntimeHost);

	// Push the big START button shown above
	hr = lpRuntimeHost->Start();

	// Okay, the CLR is up and running in this (previously native) process.
	// Now call a method on our managed C# class library.
	DWORD dwRet = 0;
	hr = lpRuntimeHost->ExecuteInDefaultAppDomain(
		L"c:\\Flawtest\\DomainManager.dll",
		L"DomainManager.EntryPoint", L"Main", L"Flaw.exe", &dwRet);

	// Optionally stop the CLR runtime (we could also leave it running)
	hr = lpRuntimeHost->Stop();

	// Don't forget to clean up.
	lpRuntimeHost->Release();
	}

These two files comprise my C++ dll. Using _Mike's injector, I've tried to inject the C++ Bootstrapper into the WoW process. It gives a failure message when I try to inject the DLL with an external function specified, but a success message when I leave the external function field blank. I've tried using cppBootstrap(Namespace).MycppBootstrap.StartTheDotNetRuntime, and a number of different combinations to no avail. After this, I tried removing cppBootstrap.h, instead adding a DllMain entry point to the DLL which calls StartTheDotNetRuntime() on DLL_PROCESS_ATTACH. I then injected with no external function specified, but still nothing happened.

My domain manager which is called is just copypaste (changing namespace/classes etc) of Apoc's DomainManager on p8 here: http://www.mmowned.com/forums/world-...y-removal.html

I'm not here for somebody to simply spoonfeed me code, but I thought I understood what was going on and may be completely wrong.

Thanks.

[lanman92]

It's pretty simple to write your own C# injector that can call a function from a dll in another process.

1) No code in DLLMain.
2) Load module into injector and get offset of function using Win32/System.Diagnostics
3) Load module into desired process and get address of that module.
4) Add module address to the offset of your function.
5) CreateRemoteThread away.

The .NET loading code I use is stripped straight out of the all-in-one microsoft stuff from codeplex.

[Bananenbrot]

I inject my dll via a windows hook (SetWindowsHookEx Function (Windows)). Little tedious because of thread synchronization, but you don't have to mess around with "No LoadLibrary in DllMain" stuff. Just place your hook and wait for wow's message queue to dispatch and load your dll.

[_Mike]

What error code are you getting?
I'm just guessing here but it might have something to do with c++ name mangling and that you're exporting a class method.
Verify that the export name matches the function you're trying to call (for example using dumpbin /exports).
You might need a Module-Definition (.def) Files

Oh btw, my injector expects an int return value. It still works with void, but you will probably get some unexpected return values from it. Though it should still say the injection was successful..

[caytchen]

Theres nothing "C++" about your bootstrap so obviously just throw that pointless stuff out. You'll still need an extern "C" { ... } to avoid name mangling.
Starting the CLR from DllMain directly will just silently or not so silently (its unspecified behavior really) fail.

[Thongs]

Thanks for the replies everyone. I did what _Mike said and checked out how my DLL was exported using dumpbin, and he was correct that there was some name mangling going on. I removed my header file, added a .def file, and then just injector could successfully call my exported function. I ran into a number of other issues, which I was able to sort out myself (among other things, it took me over an hour to realize that I wasn't adding WoW's base address to the Endscene address, despite having written other bots and completely understanding the concept... fail). I now have Endscene pulsing to a function in my main C# function

Now I just have to get Endscene calling WoW's functions... I think I understand how that works though, and if not I have caytchen's cleanCore for reference. Thanks.