Thread: [862] .NET Dll Injection

  1. #11

    RE: [862] .NET Dll Injection

    gratz

  2. #12

    Quote Originally Posted by Ian
    Check this out!

    You can also do hooks just like in C++:

    [code=c#]
    using System;
    using System.Runtime.InteropServices;

    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetModuleHandleA(string lpModuleName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize,
        Protection flNewProtect, out Protection lpflOldProtect);

    [Flags]
    public enum Protection
    {
        PAGE_NOACCESS = 0x01,
        PAGE_READONLY = 0x02,
        PAGE_READWRITE = 0x04,
        PAGE_WRITECOPY = 0x08,
        PAGE_EXECUTE = 0x10,
        PAGE_EXECUTE_READ = 0x20,
        PAGE_EXECUTE_READWRITE = 0x40,
        PAGE_EXECUTE_WRITECOPY = 0x80,
        PAGE_GUARD = 0x100,
        PAGE_NOCACHE = 0x200,
        PAGE_WRITECOMBINE = 0x400
    }

    IntPtr OrigRecv;
    IntPtr OrigRecvAddress;
    // Address of the pointer slot the client reads recv's address from (client-specific).
    IntPtr RecvPtr = new IntPtr(0x5B25E4);
    unsafe delegate int RecvDelegate(SOCKET s, byte* buf, int len, int flags);
    // Keeps the marshalled delegate reachable; without a live reference the GC may
    // collect it and the native thunk behind funcAddress becomes dangling.
    RecvDelegate recvHook;

    private unsafe void EnableHooks()
    {
        OrigRecvAddress = GetProcAddress(GetModuleHandleA("WS2_32.dll"), "recv");
        OrigRecv = OrigRecvAddress;
        recvHook = MyRecv;
        IntPtr funcAddress = Marshal.GetFunctionPointerForDelegate(recvHook);
        Protection oldProtect;
        // 4-byte slot: this assumes a 32-bit process.
        VirtualProtect(RecvPtr, 4, Protection.PAGE_READWRITE, out oldProtect);
        Marshal.WriteIntPtr(RecvPtr, funcAddress);
        Protection newProtect;
        VirtualProtect(RecvPtr, 4, oldProtect, out newProtect);
    }

    unsafe int MyRecv(SOCKET s, byte* buf, int len, int flags)
    {
        var recv = (RecvDelegate)Marshal.GetDelegateForFunctionPointer(OrigRecv, typeof(RecvDelegate));
        int bytesCount = recv(s, buf, len, flags);
        if (bytesCount > 0)
        {
            // Note: runs on the socket's thread, so touching uxInfo here is a
            // cross-thread UI access.
            uxInfo.Text = "First byte: ";
            for (int i = 0; i < bytesCount; i++)
            {
                uxInfo.Text += buf[i].ToString("X") + " ";
            }
        }
        return bytesCount;
    }

    // Thin wrapper so the delegate signature matches the native SOCKET handle type.
    public unsafe struct SOCKET
    {
        private void* handle;
        private SOCKET(int _handle)
        {
            handle = (void*)_handle;
        }
        public static bool operator ==(SOCKET s, int i)
        {
            return ((int)s.handle == i);
        }
        public static bool operator !=(SOCKET s, int i)
        {
            return ((int)s.handle != i);
        }
        public static implicit operator SOCKET(int i)
        {
            return new SOCKET(i);
        }
        public static implicit operator uint(SOCKET s)
        {
            return (uint)s.handle;
        }
        public override bool Equals(object obj)
        {
            return (obj is SOCKET) ? (((SOCKET)obj).handle == this.handle) : base.Equals(obj);
        }
        public override int GetHashCode()
        {
            return (int)handle;
        }
    }
    [/code]
    I never had time to actually try hooking functions yesterday, but it's nice that you got it working Ian. Good job!

    Also I do believe it is possible to make the Booter in C#. You will probably just have to hardcode a bit of it to make it load mscoree.dll and the functions you need and then use it the same way packet.dll works.

    Edit: I did a few tests and got a printfps hook working, which crashed after a few minutes. But I'll look into it a little bit more later on.
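    A defender-side counterpart to the pointer-swap hook above, added here as an example and not code from the thread: an in-process integrity check that reads the same kind of pointer slot and reports whether it still holds the address `GetProcAddress` resolves for `recv`. The slot address is a placeholder, and `VirtualQuery` and `MEMORY_BASIC_INFORMATION` are declared here because the thread does not use them.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not code from the thread: detects a redirected recv pointer slot
// of the kind the hook above writes. IntPtr is used for pointer-sized fields so
// the MEMORY_BASIC_INFORMATION layout is right on both 32-bit and 64-bit.
static class RecvSlotCheck
{
    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetModuleHandleA(string lpModuleName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQuery(IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    const uint MEM_IMAGE = 0x1000000;   // region is backed by a mapped PE image

    // Returns null when the slot still holds WS2_32!recv, otherwise a description of
    // where it points now. 'slot' is the address of the client's recv pointer slot
    // (placeholder here; the thread uses a client-specific value).
    public static string CheckRecvSlot(IntPtr slot)
    {
        IntPtr expected = GetProcAddress(GetModuleHandleA("WS2_32.dll"), "recv");
        if (expected == IntPtr.Zero)
            return "WS2_32!recv could not be resolved";

        IntPtr actual = Marshal.ReadIntPtr(slot);
        if (actual == expected)
            return null;

        // A marshalled-delegate thunk lives in runtime-allocated memory, not in any
        // module image, so the region type of the new target is a strong tell.
        MEMORY_BASIC_INFORMATION mbi;
        IntPtr got = VirtualQuery(actual, out mbi,
            (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
        string owner = got == IntPtr.Zero ? "unmapped"
            : mbi.Type == MEM_IMAGE ? "image based at 0x" + mbi.AllocationBase.ToString("X")
            : "non-image memory (runtime thunk or allocated code)";
        return "recv slot redirected to 0x" + actual.ToString("X") + " (" + owner + ")";
    }
}
```

    Run it from the protected process itself (an anti-tamper timer or a test harness); a non-null result after the hook above is installed is the expected detection.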

  3. #13

    How could you possibly start the CLR using managed code? It has to be natively bootstrapped.

  4. #14

    Well sure it has to be native code that boots it up, but what I'm thinking of is to allocate memory inside the client and manually input the needed code from a managed program and then use CreateRemoteThread to execute it.

    The same way packet.dll works but most of it probably has to be hardcoded here.

    Inject code that uses LoadLibrary on mscoree.dll, so you can use GetProcAddress to get the address of the needed functions and execute them.

    It would sure be faster just to use an extra dll made in C++, but this way it is technically possible to use C# all the way.

  5. #15

    Ah gotcha. Yeah, I think it is much cleaner to have the extra dll; you can include it as a resource if necessary to keep a one-binary distribution.

  6. #16

    Code caves are funner, though.
    I may try it out, not sure, been lazy.

  7. #17

    Have any luck with PrintFPS? I tried hooking PrintName, but it crashed:

    [code=c#]
    void PrintName(int nSurface, int nX, int nY, int nFont, int nRed, int nGreen, int nBlue, string lpText, int nAlign)
    {
        PrintText(nSurface, nX, nY, nFont, nRed, nGreen, nBlue, lpText, nAlign);
    }
    [/code]

  8. #18

    Well, I haven't had time to test it out anymore, so I'm still stuck with my half-working and unstable code.

    Would be great if there was some way to make naked functions in C# but I don't think there is any.


    #Edit
    I've now completed and stabilized my printfps hook, it now prints out "Hello World!" under fps. Check first post for source code.

  9. #19

    Great Job Stiju!

  10. #20

    I have a question about it: I tried to implement Drag & Drop on a ListView and got an exception
    Code:
    ************** Exception Text **************
    System.InvalidOperationException: DragDrop registration did not succeed. ---> System.Threading.ThreadStateException: Current thread must be set to single thread apartment (STA) mode before OLE calls can be made. Ensure that your Main function has STAThreadAttribute marked on it.
       at System.Windows.Forms.Control.SetAcceptDrops(Boolean accept)
       --- End of inner exception stack trace ---
       at System.Windows.Forms.Control.SetAcceptDrops(Boolean accept)
       at System.Windows.Forms.Control.OnHandleCreated(EventArgs e)
       at System.Windows.Forms.ListView.OnHandleCreated(EventArgs e)
       at System.Windows.Forms.Control.WmCreate(Message& m)
       at System.Windows.Forms.Control.WndProc(Message& m)
       at System.Windows.Forms.ListView.WndProc(Message& m)
       at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
       at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
       at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
    I tried
    Code:
    [STAThread]
    public static int EntryPoint(string pwzArgument)
    {
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);
        Application.Run(new Main());
        return 0;
    }
    but it didn't work. How to make it work?
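    The `[STAThread]` attribute is honoured only on the process's real entry point; a method reached through the CLR hosting interface (the `EntryPoint(string)` signature above) runs on the thread the native side called from, which the runtime treats as MTA. Added example, not code from the thread: the form is run on a thread whose apartment state is set to STA before it starts; `Main` is assumed to be the poster's form class.

```csharp
using System;
using System.Threading;
using System.Windows.Forms;

// Added example, not from the thread. [STAThread] on EntryPoint has no effect because
// the attribute is only read for the real process entry point; the native caller's
// thread is MTA, so OLE drag-and-drop registration fails there. The fix is to give
// the UI its own thread and set its apartment before it starts.
// 'Main' is assumed to be the poster's form class.
public static class Bootstrap
{
    static Thread uiThread;

    public static int EntryPoint(string pwzArgument)
    {
        uiThread = new Thread(RunUi);
        uiThread.SetApartmentState(ApartmentState.STA);   // must be set before Start()
        uiThread.Start();
        return 0;   // return promptly; the message loop keeps running on uiThread
    }

    static void RunUi()
    {
        // Same three calls as the original, now executed on an STA thread.
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);
        Application.Run(new Main());
    }
}
```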
