Injecting libraries from C# (or whatever programming language you are familiar with) is nothing new, but injecting a C# library without any COM registration or CLR runtime hosting? How?
Yeah, I'm here to explain step by step how to do it. Before we rush to the "How to apply a hook?" part, I'm going to explain how exporting C# functions works.
2. DLL Exporting
So I could let you all go through the pain of learning how exporting functions works, but Robert Giesecke already did that for you with his Unmanaged Exports project template.
So after you have downloaded his project template and put it into your "Documents\Visual Studio 20xx\Templates\ProjectTemplates" folder, without extracting the archive, you should have something that looks like this:
Code:
internal static class UnmanagedExports
{
    [DllExport("adddays", CallingConvention = System.Runtime.InteropServices.CallingConvention.StdCall)]
    static double AddDays(double dateValue, int days)
    {
        return DateTime.FromOADate(dateValue).AddDays(days).ToOADate();
    }
}
Now let's put the main entry aside for now and concentrate on the hooking.
3. C# WinHook
The process memory class (functions for reading from and writing to the process's memory):
- Create a file named ProcessMemory.cs, or whatever you want to call it.
- Make it a [ public static class ] (or a plain class if you use the singleton template below, since a static class cannot have the instance constructor the singleton needs).
- Follow this singleton template if you want:
using System;
using System.Runtime.InteropServices;

// Not declared static here: a static class cannot have the instance constructor
// this singleton template needs. If you skip the singleton and only use the static
// helpers further down, a plain "public static class" is fine.
public class ProcessMemory
{
    //Variables.
    protected internal static ProcessMemory _this;

    //Constructor.
    internal ProcessMemory() {}

    //Functions
    //- Make them private/protected/internal when using this template (NOT STATIC).

    //Accessors.
    public static ProcessMemory This
    {
        get
        {
            if (_this == null)
                _this = new ProcessMemory();   // was "new Singleton()", a type that does not exist
            return _this;
        }
    }
}
-Followed by a DllImport of VirtualProtect (changes the protection of a range of virtual addresses) and the read/write helpers. The write helper temporarily makes the target bytes writable (0x40 = PAGE_EXECUTE_READWRITE), copies, and restores the old protection:
    // P/Invoke declaration the helpers below depend on (kernel32 VirtualProtect).
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);

    private const uint PAGE_EXECUTE_READWRITE = 0x40;

    public static byte[] ReadProcessMemory(IntPtr address, int length)
    {
        var buffer = new byte[length];
        Marshal.Copy(address, buffer, 0, length);
        return buffer;
    }

    public static void WriteProcessMemory(IntPtr address, byte[] buffer)
    {
        uint oldProtect;
        // Fail loudly instead of writing into a page that is still read-only.
        if (!VirtualProtect(address, (uint)buffer.Length, PAGE_EXECUTE_READWRITE, out oldProtect))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        Marshal.Copy(buffer, 0, address, buffer.Length);
        VirtualProtect(address, (uint)buffer.Length, oldProtect, out oldProtect);
    }
- I suppose you quite understand it by now and are tired of the instructions (that is, if you're actually following the tutorial and not just scrolling to the end because there is no download file). I don't feel like posting them anymore, so now just add an interface named IDetourHook:
Code:
[ComVisible(true)]
[Guid("00000000-0000-0000-0000-000000000001"),
InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IDetourHook
{
    /// <summary>
    /// Whether the hook is currently installed.
    /// </summary>
    bool IsInstalled { get; }

    /// <summary>
    /// Invoke the original (unhooked) function.
    /// </summary>
    /// <param name="args">Arguments forwarded to the original function.</param>
    /// <returns>Object returned by the hooked function.</returns>
    object InvokeOriginal(params object[] args);

    /// <summary>
    /// Install the hook.
    /// </summary>
    /// <returns>True if the hook was installed.</returns>
    bool Install();

    /// <summary>
    /// Remove the hook.
    /// </summary>
    /// <returns>True if the hook was removed.</returns>
    bool Uninstall();
}
-Followed by the DetourHook Class.
Code:
public class DetourHook
    : IDetourHook
{
    #region Variables
    protected readonly IntPtr HookPtr;
    protected readonly byte[] newBytes;
    protected readonly byte[] originalBytes;
    protected readonly IntPtr TargetPtr;
    protected readonly Delegate TargetFunc;
    // Kept alive on purpose: if the hook delegate is garbage collected, the native
    // thunk behind HookPtr is freed and the patched function jumps into garbage.
    protected readonly Delegate HookFunc;

    /// <summary>
    /// Gets a value indicating whether the hook is installed.
    /// </summary>
    public bool IsInstalled { get; private set; }
    #endregion

    #region Constructor
    /// <summary>
    /// Initializes the variables and prepares the 6-byte "push imm32; ret" stub (32-bit only).
    /// </summary>
    /// <param name="TargetFunc">Delegate over the function to be hooked.</param>
    /// <param name="HookFunc">Delegate that runs instead of it.</param>
    public DetourHook(Delegate TargetFunc, Delegate HookFunc)
    {
        this.TargetPtr = Marshal.GetFunctionPointerForDelegate(TargetFunc);
        this.TargetFunc = TargetFunc;
        this.HookFunc = HookFunc;
        this.HookPtr = Marshal.GetFunctionPointerForDelegate(HookFunc);

        // Save the original first 6 bytes so the hook can be removed again.
        originalBytes = new byte[6];
        Marshal.Copy(TargetPtr, originalBytes, 0, 6);

        // 0x68 imm32 = push <HookPtr>, 0xC3 = ret: an absolute "jump" into the hook.
        var hookPointerBytes = BitConverter.GetBytes(HookPtr.ToInt32());
        newBytes = new byte[] { 0x68, hookPointerBytes[0], hookPointerBytes[1], hookPointerBytes[2], hookPointerBytes[3], 0xC3 };
    }
    #endregion

    #region Functions
    //for documentation check the interface.
    public object InvokeOriginal(params object[] args)
    {
        // Not thread-safe: any other thread calling the target between Uninstall()
        // and Install() runs the original, unhooked function.
        Uninstall();
        var returnValue = TargetFunc.DynamicInvoke(args);
        Install();
        return returnValue;
    }

    public bool Install()
    {
        ProcessMemory.WriteProcessMemory(TargetPtr, newBytes);
        IsInstalled = true;
        return true;
    }

    public bool Uninstall()
    {
        ProcessMemory.WriteProcessMemory(TargetPtr, originalBytes);
        IsInstalled = false;
        return true;
    }
    #endregion
}
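The defensive counterpart, added here as an example and not part of the original post: an integrity check that compares captured function-entry bytes against the on-disk prologue and decodes the 6-byte push/ret stub the DetourHook class above writes. It goes slightly beyond the post by also recognising the common 5-byte jmp rel32 variant. The addresses are the ones quoted later in the post; all byte values are constructed.

```python
import struct

# Constructed sample: the first 6 bytes at two function entries as they appear in
# the on-disk image and as captured from the running process. The addresses are
# the ones quoted in the post; the byte values are made up for this example.
ON_DISK = {
    0x6BFD0C: bytes.fromhex("558bec83ec10"),  # push ebp; mov ebp,esp; sub esp,0x10
    0x6C05E8: bytes.fromhex("8bff558bec51"),  # mov edi,edi; push ebp; mov ebp,esp; push ecx
}
IN_MEMORY = {
    0x6BFD0C: bytes.fromhex("6810204000c3"),  # push 0x00402010; ret  (DetourHook-style stub)
    0x6C05E8: bytes.fromhex("8bff558bec51"),  # untouched
}


def decode_push_ret(stub):
    """Target of a 'push imm32; ret' stub (68 xx xx xx xx C3), or None."""
    if len(stub) < 6 or stub[0] != 0x68 or stub[5] != 0xC3:
        return None
    return struct.unpack_from("<I", stub, 1)[0]


def decode_jmp_rel32(stub, at):
    """Target of a 'jmp rel32' stub (E9 xx xx xx xx) located at address `at`, or None."""
    if len(stub) < 5 or stub[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", stub, 1)[0]      # signed, relative to the next instruction
    return (at + 5 + rel) & 0xFFFFFFFF


def scan_entries(on_disk, in_memory):
    """Report every function entry whose live bytes differ from the on-disk image."""
    findings = []
    for addr, expected in on_disk.items():
        live = in_memory.get(addr)
        if live is None or live == expected:
            continue
        target = decode_push_ret(live)
        kind = "push/ret"
        if target is None:
            target = decode_jmp_rel32(live, addr)
            kind = "jmp rel32"
        if target is None:
            kind = "unknown patch"               # modified, but not a stub we recognise
        findings.append({"address": addr, "kind": kind, "target": target})
    return findings
```

Running `scan_entries(ON_DISK, IN_MEMORY)` on the constructed sample flags only 0x6BFD0C, decoded as a push/ret stub pointing at 0x00402010.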
4. Completion and Finalization
-Sample hook class;
Code:
public static class SampleHookClass
{
    public static readonly IntPtr SendPacketAddress = (IntPtr)0x6BFD0C;
    public static readonly IntPtr RecvPacketAddress = (IntPtr)0x6C05E8;

    [UnmanagedFunctionPointer(CallingConvention.ThisCall, SetLastError = true)]
    public delegate int NetworkFunction(IntPtr self, IntPtr pckt, ushort len);//credits to IAmHawtness for correcting me

    public static readonly NetworkFunction originalSendfunc = (NetworkFunction)Marshal.GetDelegateForFunctionPointer(SendPacketAddress, typeof(NetworkFunction));
    public static readonly NetworkFunction originalRecvfunc = (NetworkFunction)Marshal.GetDelegateForFunctionPointer(RecvPacketAddress, typeof(NetworkFunction));

    // WinHookManager (a registry of DetourHook instances looked up by name) is not
    // shown in the original post; InitHook/Install/InvokeOriginal wrap the
    // DetourHook methods above.
    public static void InitHooks()
    {
        var mySendFunc = new NetworkFunction(MySendFunction);
        var myRecvFunc = new NetworkFunction(MyRecvFunction);
        //Add hooks.
        WinHookManager.This.InitHook(originalSendfunc, mySendFunc, "Conquer::SendPacket");
        WinHookManager.This.InitHook(originalRecvfunc, myRecvFunc, "Conquer::RecvPacket");
        //Install hooks.
        WinHookManager.This.Install("Conquer::SendPacket");
        WinHookManager.This.Install("Conquer::RecvPacket");
    }

    private static int MySendFunction(IntPtr self, IntPtr pckt, ushort len)
    {
        //Do something here.
        return (int)WinHookManager.This.InvokeOriginal("Conquer::SendPacket", new object[] { self, pckt, len });
    }

    private static int MyRecvFunction(IntPtr self, IntPtr pckt, ushort len)
    {
        //Do something here.
        return (int)WinHookManager.This.InvokeOriginal("Conquer::RecvPacket", new object[] { self, pckt, len });
    }
}
-Sample main entry:
Code:
internal static class UnmanagedExports
{
    [DllExport("dll_main", CallingConvention = System.Runtime.InteropServices.CallingConvention.StdCall)]
    static void main()
    {
        SampleHookClass.InitHooks();//Initializes&installs all specified hooks.
    }
}
-Injecting the DLL, in case you don't know how (using Syringe.dll):
Code:
Process proc = Process.GetProcessesByName("proc")[0];
//or create the proc yourself.
Injector injector = new Injector(proc);
injector.InjectLibrary("libname.dll");
injector.CallExport("libname.dll", "dll_main");
Console.ReadKey();
injector.EjectLibrary("libname.dll");
injector.Dispose();
Yeah, that's the one I use for my hooking, but that address is in the middle of a function that does something along the lines of:
check if packet was received -> if yes, decrypt packet -> process packet.
You have to find the "ProcessPacket" function instead. I'm not actually sure where it is since I haven't used it in a long time, but it should be somewhere further down after the "test eax, eax" at 0x6C9833.