|
You last visited: Today at 15:17
Advertisement
VB .dll injection
Discussion on VB .dll injection within the .NET Languages forum part of the Coders Den category.
06/17/2014, 22:21
|
#1
|
elite*gold: 0
Join Date: Apr 2010
Posts: 115
Received Thanks: 46
|
VB .dll injection
I've made an ingame hack in VB.NET. However it only works with a bypass.
HShield has a weakness, it doesnt detects .dll injections whe loading.
Does anyone know how to make an injectable dll ?
|
|
|
06/18/2014, 13:38
|
#2
|
elite*gold: 0
Join Date: Feb 2009
Posts: 1,137
Received Thanks: 572
|
im not sure if i talk **** now, if it is so pls correct me, but .net dlls are no "normal" windows dlls. .Net only can be used with other .Net applications, and if the game you wanna inject it to isn't written in a .Net language i guess its pretty impossible to create a injectable dll in VB.Net.
|
|
|
06/18/2014, 17:40
|
#3
|
elite*gold: 61
Join Date: Jun 2014
Posts: 71
Received Thanks: 15
|
Quote:
Originally Posted by warfley
im not sure if i talk **** now, if it is so pls correct me, but .net dlls are no "normal" windows dlls. .Net only can be used with other .Net applications, and if the game you wanna inject it to isn't written in a .Net language i guess its pretty impossible to create a injectable dll in VB.Net.
|
Not exactly.
.NET Dll's are only working on a system which has the NET Framework in the version of your .DLL, it is easy to inject .NET Dlls in other WIN32 (or others) processes.
|
|
|
06/19/2014, 13:35
|
#4
|
elite*gold: 50
Join Date: Sep 2012
Posts: 3,841
Received Thanks: 1,462
|
Quote:
Originally Posted by Queen^
Not exactly.
.NET Dll's are only working on a system which has the NET Framework in the version of your .DLL, it is easy to inject .NET Dlls in other WIN32 (or others) processes.
|
and why you dont tell kiko298 how to do that ?
|
|
|
06/21/2014, 16:20
|
#5
|
elite*gold: 61
Join Date: Jun 2014
Posts: 71
Received Thanks: 15
|
Quote:
Originally Posted by »FlutterShy™
and why you dont tell kiko298 how to do that ?
|
The code for that is public acessable in the internet
|
|
|
06/22/2014, 22:13
|
#6
|
elite*gold: 0
Join Date: Apr 2010
Posts: 115
Received Thanks: 46
|
PLs tell me how
|
|
|
06/22/2014, 23:12
|
#7
|
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,394
|
Found this on the net, modified here and there obvious stuff. DID NOT TESTED IT, also it looks like a vb6 to vb.net conversion but it's not that good TBH.
Code:
Imports System.Runtime.InteropServices
Imports System.Text
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As Integer
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
Public Function injectDLL(ByVal pid As Long, ByVal dllPath As String) As Boolean
Try
Dim procHandle As Integer, memCave As Integer, refVal As UInteger, dllBytes() As Byte, startAddress As Integer, remoteThread As Integer, dllHandle As Integer
procHandle = OpenProcess(&H1F0FFF, 1, pid)
memCave = VirtualAllocEx(procHandle, 0, dllPath.Length, &H1000, &H4)
If memCave <> 0 Then
dllBytes = StrChar(dllPath)
WriteProcessMemory(procHandle, memCave, dllBytes, dllPath.Length, refVal)
dllHandle = GetModuleHandle("kernel32.dll")
startAddress = GetProcAddress(dllHandle, "LoadLibraryA")
remoteThread = CreateRemoteThread(procHandle, 0, 0, startAddress, memCave, 0, 0)
If remoteThread <> 0 Then
WaitForSingleObject(remoteThread, &HFFFF)
CloseHandle(remoteThread)
Return True
Else
Return False
End If
Else
Return False
End If
Return True
Catch ex as Exception
MsgBox("A wild exception has occured!" & vbCrlf & ex.ToString())
End Try
End Function
Private Function StrChar(ByRef str As String) As Byte()
Dim bytTemp() As Byte, i As Short
ReDim bytTemp(0)
For i = 0 To Len(str) - 1
If bytTemp(UBound(bytTemp)) <> 0 Then ReDim Preserve bytTemp(UBound(bytTemp) + 1)
bytTemp(UBound(bytTemp)) = Asc(str.Substring(i, 1))
Next
ReDim Preserve bytTemp(UBound(bytTemp) + 1)
bytTemp(UBound(bytTemp)) = 0
Return bytTemp
End Function
|
|
|
06/23/2014, 11:16
|
#8
|
elite*gold: 100
Join Date: Aug 2005
Posts: 595
Received Thanks: 208
|
Wrong Snipet @ berkay
You need to allocate Memory and write Code to load the .NET VM directly or use a native dll as bootstrap, inject it with any of the normal Injection ways and let it load the .NET VM.
EDIT:
Aside of everything i dont think loading a fullblown .NET VM with known CRC's is a good think when you want to circumvent an anticheat system. You can do it ofcourse, but it will need more work then using a nativ language.
|
|
|
06/23/2014, 14:55
|
#9
|
elite*gold: 0
Join Date: Dec 2012
Posts: 255
Received Thanks: 110
|
Hey, here is the CLR bootstrapper I wrote a while ago. It supports loading & unloading of loaded assemblies. To use it, you'd inject the clrhost once and then call it's exports. Never unload the clrhost.dll from the target process, that would cause undefined behaviour and would probably cause a crash on reattach.
So if you want to load a new .NET assembly into the target process:
- Check if clrhost.dll is already present in the process, if not: inject it
- Call the Load export along with a pointer to a ClrLoadInfo struct (allocate that in the remote process with VirtualAllocEx)
- To unload just do the same thing as above but pass a ClrUnloadInfo struct
- To check if a .NET assembly is already present, use the IsLoded export with a ClrAssemblyIdentifier struct.
Here are the struct definitions:
Code:
struct ClrLoadInfo {
const wchar_t assemblyPath[MAX_PATH]; // folder to assembly
const wchar_t assemblyName[MAX_PATH]; // filename
const wchar_t mainClassName[100]; // namespace which has "DllMain"-class
const void* loadParameter;
};
struct ClrUnloadInfo {
const wchar_t assemblyName[MAX_PATH];
const void* unloadParameter;
};
struct ClrAssemblyIdentifier {
const wchar_t assemblyName[MAX_PATH];
};
Don't forget to free these after the call, or you will leak memory inside the target process
To compile the clrhost you should create a exports definition file (.def), like this:
Code:
LIBRARY
EXPORTS
Load=LoadInternal
Unload=UnloadInternal
IsLoaded=IsLoadedInternal
And here is the code for my CLR-bootstrapper:
Code:
#include "stdafx.h"
#include <string>
#include <unordered_map>
#include "Mutex.h"
#import "asmbase.tlb" no_namespace named_guids raw_interfaces_only
struct ClrLoadInfo {
const wchar_t assemblyPath[MAX_PATH]; // folder to assembly
const wchar_t assemblyName[MAX_PATH]; // filename
const wchar_t mainClassName[100]; // namespace which has "DllMain"-class
const void* loadParameter;
};
struct ClrUnloadInfo {
const wchar_t assemblyName[MAX_PATH];
const void* unloadParameter;
};
struct ClrAssemblyIdentifier {
const wchar_t assemblyName[MAX_PATH];
};
struct AssemblyInfo {
std::wstring assemblyPath;
std::wstring assemblyName;
std::wstring mainClassName;
CComPtr<mscorlib::_AppDomain> appDomain;
CComPtr<IManagedAssembly> mainClassInstance;
};
HMODULE gModuleHandle = NULL;
CComPtr<ICorRuntimeHost> gRuntimeHost = nullptr;
SysUtils::CriticalSection gThreadLock;
std::unordered_map<std::wstring, AssemblyInfo> gLoadedModules;
CComPtr<ICorRuntimeHost> CreateRuntimeHost() {
CComPtr<ICLRMetaHost> metaHost = nullptr;
HRESULT hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, reinterpret_cast<void**>(&metaHost));
if(FAILED(hr))
throw _com_error(hr);
CComPtr<ICLRRuntimeInfo> runtimeInfo = nullptr;
hr = metaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, reinterpret_cast<void**>(&runtimeInfo));
if(FAILED(hr))
throw _com_error(hr);
CComPtr<ICorRuntimeHost> runtimeHost = nullptr;
hr = runtimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, reinterpret_cast<void**>(&runtimeHost));
if(FAILED(hr))
throw _com_error(hr);
hr = runtimeHost->Start();
if (FAILED(hr))
throw _com_error(hr);
return runtimeHost;
}
DWORD WINAPI LoadInternal(LPVOID lpParam) {
if (lpParam != nullptr) try {
if (!gRuntimeHost)
gRuntimeHost = CreateRuntimeHost();
CComPtr<IUnknown> appDomainSetupUnk = nullptr;
HRESULT hr = gRuntimeHost->CreateDomainSetup(&appDomainSetupUnk);
if (FAILED(hr))
throw _com_error(hr);
CComPtr<mscorlib::IAppDomainSetup> appDomainSetup = nullptr;
hr = appDomainSetupUnk->QueryInterface(&appDomainSetup);
if (FAILED(hr))
throw _com_error(hr);
ClrLoadInfo* loadInfo = reinterpret_cast<ClrLoadInfo*>(lpParam);
appDomainSetup->put_ApplicationBase(CComBSTR(loadInfo->assemblyPath));
appDomainSetup->put_ApplicationName(CComBSTR(loadInfo->assemblyName));
appDomainSetup->put_ShadowCopyFiles(CComBSTR("true")); // loads a shadow copy instead (allows us to "unload")
CComPtr<IUnknown> appDomainUnk = nullptr;
hr = gRuntimeHost->CreateDomainEx(loadInfo->assemblyName, appDomainSetup, nullptr, &appDomainUnk);
if (FAILED(hr))
throw _com_error(hr);
CComPtr<mscorlib::_AppDomain> appDomain = nullptr;
hr = appDomainUnk->QueryInterface(&appDomain);
if (FAILED(hr))
throw _com_error(hr);
std::wstring fullAssemblyPath;
fullAssemblyPath += loadInfo->assemblyPath;
fullAssemblyPath += L'\\';
fullAssemblyPath += loadInfo->assemblyName;
CComPtr<mscorlib::_ObjectHandle> objectHandle;
hr = appDomain->CreateInstanceFrom(CComBSTR(fullAssemblyPath.c_str()), CComBSTR(loadInfo->mainClassName), &objectHandle);
if (FAILED(hr))
throw _com_error(hr);
CComVariant mainClassVariant;
hr = objectHandle->Unwrap(&mainClassVariant);
if (FAILED(hr))
throw _com_error(hr);
if (!mainClassVariant.punkVal)
throw std::exception("AppDomain::CreateInstanceFrom failed. Cannot unwrap object!");
CComPtr<IManagedAssembly> mainClassInstance = nullptr;
hr = mainClassVariant.punkVal->QueryInterface(__uuidof(IManagedAssembly), (void**) &mainClassInstance);
if (FAILED(hr))
throw _com_error(hr);
long returnValue = FALSE;
hr = mainClassInstance->Load((long) loadInfo->loadParameter, &returnValue);
if (FAILED(hr))
throw _com_error(hr);
AssemblyInfo assemblyInfo;
assemblyInfo.appDomain = appDomain;
assemblyInfo.mainClassInstance = mainClassInstance;
assemblyInfo.assemblyPath = loadInfo->assemblyPath;
assemblyInfo.assemblyName = loadInfo->assemblyName;
assemblyInfo.mainClassName = loadInfo->mainClassName;
SysUtils::ScopedLock lockGuard(gThreadLock);
gLoadedModules[assemblyInfo.assemblyName] = assemblyInfo;
return returnValue;
}
catch (_com_error &e) {
MessageBox(nullptr, e.ErrorMessage(), e.Description(), MB_OK | MB_ICONERROR);
}
catch (std::exception &e) {
MessageBoxA(nullptr, e.what(), "Error!", MB_OK | MB_ICONERROR);
}
return FALSE;
}
DWORD WINAPI UnloadInternal(LPVOID lpParam) {
if (lpParam != nullptr) try {
SysUtils::ScopedLock lockGuard(gThreadLock);
ClrUnloadInfo* unloadInfo = reinterpret_cast<ClrUnloadInfo*>(lpParam);
auto assemblyInfoItr = gLoadedModules.find(unloadInfo->assemblyName);
if (assemblyInfoItr == gLoadedModules.end())
return FALSE;
AssemblyInfo& assemblyInfo = assemblyInfoItr->second;
if (assemblyInfo.mainClassInstance != nullptr) {
long returnValue = FALSE;
HRESULT hr = assemblyInfo.mainClassInstance->Unload(
reinterpret_cast<long>(unloadInfo->unloadParameter), &returnValue);
if (FAILED(hr))
throw _com_error(hr);
if (!returnValue) // app returned false on unload
return FALSE;
}
HRESULT hr = gRuntimeHost->UnloadDomain(assemblyInfo.appDomain);
if (FAILED(hr))
throw _com_error(hr);
gLoadedModules.erase(assemblyInfoItr);
return TRUE;
}
catch (_com_error &e) {
MessageBox(nullptr, e.ErrorMessage(), e.Description(), MB_OK | MB_ICONERROR);
}
return FALSE;
}
DWORD WINAPI IsLoadedInternal(LPVOID lpParam) {
if (lpParam != nullptr) {
SysUtils::ScopedLock lockGuard(gThreadLock);
ClrAssemblyIdentifier* identifier = reinterpret_cast<ClrAssemblyIdentifier*>(lpParam);
auto assemblyInfoItr = gLoadedModules.find(identifier->assemblyName);
return assemblyInfoItr != gLoadedModules.end();
}
return FALSE;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
gModuleHandle = hModule;
DisableThreadLibraryCalls(hModule);
break;
case DLL_PROCESS_DETACH:
if (gRuntimeHost != nullptr)
gRuntimeHost->Stop();
break;
}
return TRUE;
}
It creates a new AppDomain for every assembly so you won't run into problems. That way you can also unload assemblies (would be impossible if you load them into the default AppDomain).
Greets
|
|
|
06/23/2014, 14:59
|
#10
|
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,394
|
Quote:
Originally Posted by dready
Wrong Snipet @ berkay
You need to allocate Memory and write Code to load the .NET VM directly or use a native dll as bootstrap, inject it with any of the normal Injection ways and let it load the .NET VM.
EDIT:
Aside of everything i dont think loading a fullblown .NET VM with known CRC's is a good think when you want to circumvent an anticheat system. You can do it ofcourse, but it will need more work then using a nativ language.
|
Code:
memCave = VirtualAllocEx(procHandle, 0, dllPath.Length, &H1000, &H4)
dllBytes = StrChar(dllPath)
WriteProcessMemory(procHandle, memCave, dllBytes, dllPath.Length, refVal)
dllHandle = GetModuleHandle("kernel32.dll")
startAddress = GetProcAddress(dllHandle, "LoadLibraryA")
remoteThread = CreateRemoteThread(procHandle, 0, 0, startAddress, memCave, 0, 0)
nope, it is correct. Allocates memory the size of DLL's path length, writes bytes of it to the allocated mem, and creates a remote thread hence executing the DLL inside the process... rest is up to the DLL itself. It does work and it will work, though mostly every AntiCheat out there will catch it.
|
|
|
Similar Threads
|
Dll Injection GUI
07/03/2011 - General Coding - 1 Replies
Does anyone know the basis of where I would learn to create an overlay ui in the existing game window through dll injection?
|
Sql injection
01/19/2010 - Kal Online - 34 Replies
Eine frage woher bekomme ich den Sql Injection + tut würde mich freuen wenn einer mir weiter hilft danke
|
[TIP] SQL Injection
02/11/2009 - RFO Hacks, Bots, Cheats, Exploits & Guides - 6 Replies
This is for someone here that knows the basic use of SQL Injection...
You can edit the website's database and make tweaks on that particular page... i hope you get what I mean ^_^
This is very favorable to private servers. Already done it and hell it rocked the RF World!
Peace out and I know you guys can do what i meant.. ^_^
|
SQL Injection
03/13/2008 - 9Dragons - 5 Replies
Plz can any1 post download link for this tool I was searching it some time now -.- :confused:
|
All times are GMT +2. The time now is 15:17.
|
|