How to inject a managed DLL into a remote process using VB/C# without using any C/C++ bootstrap DLL or any code cave written in assembly.
- have you tried: https://support.microsoft.com/en-us/kb/197571 – GreatAndPowerfulOz Oct 23 '15 at 15:34
- Can you show us the relevant code and config you tried so far? – kdbanman Oct 23 '15 at 18:26
- This wasn't a real question then... – 404 Oct 26 '15 at 13:25
- This was not a question like that; I wanted to share my knowledge, so I answered my own question – Nauman Mustafa Oct 26 '15 at 16:11
1 Answer
DllExport is required for exporting a function as native code.
Classical Mechanism:
The following is the procedure for classical DLL injection:
- Create a C/C++ DLL
- Write the DLL path into the remote process
- Create a remote thread at LoadLibraryA with the DLL path as its argument
- The DLL entry point will be invoked at this stage
Reference: CodeProject article
Codecave Method:
With this method you can skip the C/C++ DLL, but it requires basic knowledge of assembly
- Create a code cave at run time as a byte array and write it to the other process, or write an assembly procedure (a C-like function) and compile it to binary code, which will load the .NET assembly
- Write your code to the other process
- Create a remote thread and your .NET assembly can be loaded
Reference: Code with example [the original link seems to have expired, so Google cached version]
Modern Way:
This method is very easy to use and doesn't require knowledge of C/C++ or assembly; the procedure is as follows
- Load your library in the current process and get the address of the procedure you want to call; it works with a procedure that takes one argument
- Call CreateRemoteThread in the target process with LoadLibrary and your managed DLL path as the argument. This will not execute your code; it only loads your library in the target process
- Wait for the thread to exit and then get the return code; this is your library's module handle
- Now create a remote thread at your procedure address in the remote process, and it's done: your procedure will be called.
Example:
Here is your DLL code:
Imports System.Runtime.InteropServices
Imports System.Windows.Forms
Imports RGiesecke.DllExport 'UnmanagedExports package; build the DLL as x86 or x64 (not AnyCPU), matching the target process

Public Module Library
    'Exported as native code. CreateRemoteThread calls it as DWORD ThreadProc(LPVOID),
    'so it takes one pointer-sized argument and returns a 32-bit exit code
    <DllExport>
    Public Function Entry(<MarshalAs(UnmanagedType.LPStr)> Argument As String) As Integer
        MessageBox.Show("Injected With Argument: " + Argument)
        Return 0 'Success
    End Function
End Module
Here is example injection code; it is just a prototype. TODO: implement the native functions and use them for the extension methods used below
Imports System.Diagnostics
Imports System.Runtime.InteropServices
Imports System.Text

Public Module Program
    'kernel32 imports used by the injector itself; the WriteMemory/RemoteCallWait
    'extension methods (VirtualAllocEx/WriteProcessMemory/CreateRemoteThread) are still TODO
    Private Declare Ansi Function GetModuleHandle Lib "kernel32" (ModuleName As String) As IntPtr
    Private Declare Ansi Function GetProcAddress Lib "kernel32" (hModule As IntPtr, ProcName As String) As IntPtr
    Private Declare Ansi Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (FileName As String) As IntPtr

    Public Sub Inject(Proc As Process, dll As String)
        Dim K32 = GetModuleHandle("kernel32")
        Dim LLA_Proc = GetProcAddress(K32, "LoadLibraryA")
        'TODO: extension method of process WriteMemory(Byte())
        'The path must be NUL-terminated, since LoadLibraryA reads a C string
        Dim lns = Proc.WriteMemory(Encoding.ASCII.GetBytes(dll & vbNullChar))
        'TODO: extension method of process RemoteCallWait(IntPtr, Arg)
        Dim z = Proc.RemoteCallWait(LLA_Proc, lns) 'Calls method and waits for exit and returns exit code
        'Z should not be zero, otherwise injection is incomplete
        Dim XPTR = GetPtr(dll, "Entry")
        'TODO: extension method of process WriteMemory(Byte())
        Dim Loc = Proc.WriteMemory(Encoding.Default.GetBytes("hello world" & vbNullChar))
        'TODO: extension method of process RemoteCallWait(IntPtr, Arg)
        z = Proc.RemoteCallWait(XPTR, Loc)
        'Z should be 0 now
    End Sub

    Private Function GetPtr(LibraryName As String, FuncName As String) As IntPtr
        'Address of the export in this process; it is only valid in the target
        'if the DLL is mapped at the same base address there
        Return GetProcAddress(LoadLibrary(LibraryName), FuncName)
    End Function
End Module

Nauman Mustafa