[862] .NET Dll Injection

[Stiju]

.NET Dll Injection.

First of all this is not any bot/cheat program nor a tutorial or anything like that, this is just proof of concept that it is possible to inject managed code into native.

This is an open source project which injects a managed (.net) dll into native code (in this case the Tibia client). The end product consists of 3 compiled files, 2 files written in c++ (it is possible to write them in c#) is for injecting and the last file is the actual .net dll.

The .net dll file while injected can read, write and execute memory just like any native injected dll. This program reads player information from the battlelist and also has a send message function which uses Tibias internal functions.

How it works:
It injects a native dll into Tibia which then from the inside of Tibia setups the .NET runtimehost, loads and executes the managed dll file.
You can read everything about it at http://msdn.microsoft.com/en-us/library/dd409341.aspx.


To get this program to work you must use the latest .NET Framework v4.0.30319.
http://www.microsoft.com/downloads/e...5-b386f32c0992

I hope you guys finds this information useful.


#EDIT 2010-10-08
Added a working textoutput hook, it now prints out "Hello World!" under fps. I also fixed a small memory leak.

[DarkstaR]

Yeah me and Ian have talked about this and I got it working a few days ago. Really awesome, I would be using this method for my new bot if I hadn't already written a huge core in C++.

Nice work.

[Oceansize]

I might not know much, but i can see this is freaking great.

[Jesse]

Nice job! Never knew this method.
I hate the fact that I'm busy as fuck the last couple of months. I really want to experiment with these kind of snippets&projects.

[klusbert]

Nice this will be fun to play with, thanks alot!

To bad you can't inject vb that would verry cool

[muttley]

Holy s**t! Awesome work, I never managed to use C# dll, only C++ managed worked for me (from this tutorial: http://www.maplekillers.com/forum/programming-section/9101-c-making-form-dll.html), but my C++ skills suck

[Ian]

Awesome job Stiju, thanks for doing the hard work and making a good prototype; Dark and I can talk about it all we want, but without anything to show for it, we are just hand-waving.

I believe only the BootLoader could be written in managed code; the booter has to be native. But, it shouldn't change much, so that won't present a problem for managed-only coders.

[Ian]

I modified the Booter code to do the following:
- Uninject when the .NET code exits
- Don't try to start the runtime if it is already started; this allows for reinjection
- Better error handling with FormatMessage

http://pastebin.com/XTKVPVVa

[DarkstaR]

Nice this will be fun to play with, thanks alot!

To bad you can't inject vb that would verry cool

You can, using the .NET marshaling for pointers.

[Ian]

Check this out!

You can also do hooks just like in C++:

[code=c#]
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetModuleHandleA(string lpModuleName);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize,
Protection flNewProtect, out Protection lpflOldProtect);

[Flags]
public enum Protection
{
PAGE_NOACCESS = 0x01,
PAGE_READONLY = 0x02,
PAGE_READWRITE = 0x04,
PAGE_WRITECOPY = 0x08,
PAGE_EXECUTE = 0x10,
PAGE_EXECUTE_READ = 0x20,
PAGE_EXECUTE_READWRITE = 0x40,
PAGE_EXECUTE_WRITECOPY = 0x80,
PAGE_GUARD = 0x100,
PAGE_NOCACHE = 0x200,
PAGE_WRITECOMBINE = 0x400
}

IntPtr OrigRecv;
IntPtr OrigRecvAddress;
IntPtr RecvPtr = new IntPtr(0x5B25E4);
unsafe delegate int RecvDelegate(SOCKET s, byte* buf, int len, int flags);

private unsafe void EnableHooks()
{
OrigRecvAddress = GetProcAddress(GetModuleHandleA("WS2_32.dll"), "recv");
OrigRecv = OrigRecvAddress;
IntPtr funcAddress = Marshal.GetFunctionPointerForDelegate((RecvDelegat e)MyRecv);
Protection oldProtect;
VirtualProtect(RecvPtr, 4, Protection.PAGE_READWRITE, out oldProtect);
Marshal.WriteIntPtr(RecvPtr, funcAddress);
Protection newProtect;
VirtualProtect(RecvPtr, 4, oldProtect, out newProtect);
}

unsafe int MyRecv(SOCKET s, byte* buf, int len, int flags)
{
var recv = Marshal.GetDelegateForFunctionPointer(OrigRecv, typeof(RecvDelegate)) as RecvDelegate;
int bytesCount = recv(s, buf, len, flags);
if (bytesCount > 0)
{
uxInfo.Text = "First byte: ";
for (int i = 0; i < bytesCount; i++)
{
uxInfo.Text += buf[i].ToString("X") + " ";
}
}
return bytesCount;
}

public unsafe struct SOCKET
{
private void* handle;
private SOCKET(int _handle)
{
handle = (void*)_handle;
}
public static bool operator ==(SOCKET s, int i)
{
return ((int)s.handle == i);
}
public static bool operator !=(SOCKET s, int i)
{
return ((int)s.handle != i);
}
public static implicit operator SOCKET(int i)
{
return new SOCKET(i);
}
public static implicit operator uint(SOCKET s)
{
return (uint)s.handle;
}
public override bool Equals(object obj)
{
return (obj is SOCKET) ? (((SOCKET)obj).handle == this.handle) : base.Equals(obj);
}
public override int GetHashCode()
{
return (int)handle;
}
}
[/code]