VB .dll injection

kiko298 · 06/17/2014, 22:21

I've made an ingame hack in VB.NET. However it only works with a bypass.
HShield has a weakness, it doesnt detects .dll injections whe loading.
Does anyone know how to make an injectable dll ?

warfley · 06/18/2014, 13:38

im not sure if i talk **** now, if it is so pls correct me, but .net dlls are no "normal" windows dlls. .Net only can be used with other .Net applications, and if the game you wanna inject it to isn't written in a .Net language i guess its pretty impossible to create a injectable dll in VB.Net.

~~Queen^~~ · 06/18/2014, 17:40

Quote:

Originally Posted by warfley

im not sure if i talk **** now, if it is so pls correct me, but .net dlls are no "normal" windows dlls. .Net only can be used with other .Net applications, and if the game you wanna inject it to isn't written in a .Net language i guess its pretty impossible to create a injectable dll in VB.Net.

Not exactly.

.NET Dll's are only working on a system which has the NET Framework in the version of your .DLL, it is easy to inject .NET Dlls in other WIN32 (or others) processes.

YatoDev · 06/19/2014, 13:35

Quote:

Originally Posted by Queen^

Not exactly.

.NET Dll's are only working on a system which has the NET Framework in the version of your .DLL, it is easy to inject .NET Dlls in other WIN32 (or others) processes.

and why you dont tell kiko298 how to do that ?

~~Queen^~~ · 06/21/2014, 16:20

Quote:

Originally Posted by »FlutterShy™

and why you dont tell kiko298 how to do that ?

The code for that is public acessable in the internet

kiko298 · 06/22/2014, 22:13

PLs tell me how

berkay2578 · 06/22/2014, 23:12

Found this on the net, modified here and there obvious stuff. DID NOT TESTED IT, also it looks like a vb6 to vb.net conversion but it's not that good TBH.

Code:

Imports System.Runtime.InteropServices
Imports System.Text

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As Integer
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
Public Function injectDLL(ByVal pid As Long, ByVal dllPath As String) As Boolean
	Try
		Dim procHandle As Integer, memCave As Integer, refVal As UInteger, dllBytes() As Byte, startAddress As Integer, remoteThread As Integer, dllHandle As Integer
		procHandle = OpenProcess(&H1F0FFF, 1, pid)
		memCave = VirtualAllocEx(procHandle, 0, dllPath.Length, &H1000, &H4)
		If memCave <> 0 Then
			dllBytes = StrChar(dllPath)
			WriteProcessMemory(procHandle, memCave, dllBytes, dllPath.Length, refVal)
			dllHandle = GetModuleHandle("kernel32.dll")
			startAddress = GetProcAddress(dllHandle, "LoadLibraryA")
			remoteThread = CreateRemoteThread(procHandle, 0, 0, startAddress, memCave, 0, 0)
			If remoteThread <> 0 Then
				WaitForSingleObject(remoteThread, &HFFFF)
				CloseHandle(remoteThread)
				Return True
			Else
				Return False
			End If
		Else
			Return False
		End If
		Return True
	Catch ex as Exception
		MsgBox("A wild exception has occured!" & vbCrlf & ex.ToString())
	End Try
End Function
Private Function StrChar(ByRef str As String) As Byte()
	Dim bytTemp() As Byte, i As Short
	ReDim bytTemp(0)
	For i = 0 To Len(str) - 1
		If bytTemp(UBound(bytTemp)) <> 0 Then ReDim Preserve bytTemp(UBound(bytTemp) + 1)
		bytTemp(UBound(bytTemp)) = Asc(str.Substring(i, 1))
	Next
	ReDim Preserve bytTemp(UBound(bytTemp) + 1)
	bytTemp(UBound(bytTemp)) = 0
	Return bytTemp	
End Function

dready · 06/23/2014, 11:16

Wrong Snipet @ berkay

You need to allocate Memory and write Code to load the .NET VM directly or use a native dll as bootstrap, inject it with any of the normal Injection ways and let it load the .NET VM.

EDIT:

Aside of everything i dont think loading a fullblown .NET VM with known CRC's is a good think when you want to circumvent an anticheat system. You can do it ofcourse, but it will need more work then using a nativ language.

Master674b · 06/23/2014, 14:55

Hey, here is the CLR bootstrapper I wrote a while ago. It supports loading & unloading of loaded assemblies. To use it, you'd inject the clrhost once and then call it's exports. Never unload the clrhost.dll from the target process, that would cause undefined behaviour and would probably cause a crash on reattach.

So if you want to load a new .NET assembly into the target process:
- Check if clrhost.dll is already present in the process, if not: inject it
- Call the Load export along with a pointer to a ClrLoadInfo struct (allocate that in the remote process with VirtualAllocEx)
- To unload just do the same thing as above but pass a ClrUnloadInfo struct
- To check if a .NET assembly is already present, use the IsLoded export with a ClrAssemblyIdentifier struct.

Here are the struct definitions:

Code:

struct ClrLoadInfo {
	const wchar_t assemblyPath[MAX_PATH]; // folder to assembly
	const wchar_t assemblyName[MAX_PATH]; // filename
	const wchar_t mainClassName[100]; // namespace which has "DllMain"-class
	const void* loadParameter;
};

struct ClrUnloadInfo {
	const wchar_t assemblyName[MAX_PATH];
	const void* unloadParameter;
};

struct ClrAssemblyIdentifier {
	const wchar_t assemblyName[MAX_PATH];
};

Don't forget to free these after the call, or you will leak memory inside the target process

To compile the clrhost you should create a exports definition file (.def), like this:

Code:

LIBRARY
EXPORTS
    Load=LoadInternal
    Unload=UnloadInternal
    IsLoaded=IsLoadedInternal

And here is the code for my CLR-bootstrapper:

Code:

#include "stdafx.h"
#include <string>
#include <unordered_map>
#include "Mutex.h"

#import "asmbase.tlb" no_namespace named_guids raw_interfaces_only

struct ClrLoadInfo {
	const wchar_t assemblyPath[MAX_PATH]; // folder to assembly
	const wchar_t assemblyName[MAX_PATH]; // filename
	const wchar_t mainClassName[100]; // namespace which has "DllMain"-class
	const void* loadParameter;
};

struct ClrUnloadInfo {
	const wchar_t assemblyName[MAX_PATH];
	const void* unloadParameter;
};

struct ClrAssemblyIdentifier {
	const wchar_t assemblyName[MAX_PATH];
};

struct AssemblyInfo {
	std::wstring assemblyPath;
	std::wstring assemblyName;
	std::wstring mainClassName;

	CComPtr<mscorlib::_AppDomain> appDomain;
	CComPtr<IManagedAssembly> mainClassInstance;
};

HMODULE gModuleHandle = NULL;
CComPtr<ICorRuntimeHost> gRuntimeHost = nullptr;

SysUtils::CriticalSection gThreadLock;
std::unordered_map<std::wstring, AssemblyInfo> gLoadedModules;

CComPtr<ICorRuntimeHost> CreateRuntimeHost() {
	CComPtr<ICLRMetaHost> metaHost = nullptr;
	HRESULT hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, reinterpret_cast<void**>(&metaHost));
	if(FAILED(hr))
		throw _com_error(hr);

	CComPtr<ICLRRuntimeInfo> runtimeInfo = nullptr;
	hr = metaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, reinterpret_cast<void**>(&runtimeInfo));
	if(FAILED(hr))
		throw _com_error(hr);

	CComPtr<ICorRuntimeHost> runtimeHost = nullptr;
	hr = runtimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, reinterpret_cast<void**>(&runtimeHost));
	if(FAILED(hr))
		throw _com_error(hr);

	hr = runtimeHost->Start();
	if (FAILED(hr))
		throw _com_error(hr);

	return runtimeHost;
}

DWORD WINAPI LoadInternal(LPVOID lpParam) {
	if (lpParam != nullptr) try {
		if (!gRuntimeHost)
			gRuntimeHost = CreateRuntimeHost();
		
		CComPtr<IUnknown> appDomainSetupUnk = nullptr;
		HRESULT hr = gRuntimeHost->CreateDomainSetup(&appDomainSetupUnk);
		if (FAILED(hr))
			throw _com_error(hr);

		CComPtr<mscorlib::IAppDomainSetup> appDomainSetup = nullptr;
		hr = appDomainSetupUnk->QueryInterface(&appDomainSetup);
		if (FAILED(hr))
			throw _com_error(hr);

		ClrLoadInfo* loadInfo = reinterpret_cast<ClrLoadInfo*>(lpParam);
		appDomainSetup->put_ApplicationBase(CComBSTR(loadInfo->assemblyPath));
		appDomainSetup->put_ApplicationName(CComBSTR(loadInfo->assemblyName));
		appDomainSetup->put_ShadowCopyFiles(CComBSTR("true")); // loads a shadow copy instead (allows us to "unload")

		CComPtr<IUnknown> appDomainUnk = nullptr;
		hr = gRuntimeHost->CreateDomainEx(loadInfo->assemblyName, appDomainSetup, nullptr, &appDomainUnk);
		if (FAILED(hr))
			throw _com_error(hr);

		CComPtr<mscorlib::_AppDomain> appDomain = nullptr;
		hr = appDomainUnk->QueryInterface(&appDomain);
		if (FAILED(hr))
			throw _com_error(hr);

		std::wstring fullAssemblyPath;
		fullAssemblyPath += loadInfo->assemblyPath;
		fullAssemblyPath += L'\\';
		fullAssemblyPath += loadInfo->assemblyName;

		CComPtr<mscorlib::_ObjectHandle> objectHandle;
		hr = appDomain->CreateInstanceFrom(CComBSTR(fullAssemblyPath.c_str()), CComBSTR(loadInfo->mainClassName), &objectHandle);
		if (FAILED(hr))
			throw _com_error(hr);

		CComVariant mainClassVariant;
		hr = objectHandle->Unwrap(&mainClassVariant);
		if (FAILED(hr))
			throw _com_error(hr);

		if (!mainClassVariant.punkVal)
			throw std::exception("AppDomain::CreateInstanceFrom failed. Cannot unwrap object!");

		CComPtr<IManagedAssembly> mainClassInstance = nullptr;
		hr = mainClassVariant.punkVal->QueryInterface(__uuidof(IManagedAssembly), (void**) &mainClassInstance);
		if (FAILED(hr))
			throw _com_error(hr);

		long returnValue = FALSE;
		hr = mainClassInstance->Load((long) loadInfo->loadParameter, &returnValue);
		if (FAILED(hr))
			throw _com_error(hr);

		AssemblyInfo assemblyInfo;
		assemblyInfo.appDomain = appDomain;
		assemblyInfo.mainClassInstance = mainClassInstance;
		assemblyInfo.assemblyPath = loadInfo->assemblyPath;
		assemblyInfo.assemblyName = loadInfo->assemblyName;
		assemblyInfo.mainClassName = loadInfo->mainClassName;

		SysUtils::ScopedLock lockGuard(gThreadLock);
		gLoadedModules[assemblyInfo.assemblyName] = assemblyInfo;
		return returnValue;
	}
	catch (_com_error &e) {
		MessageBox(nullptr, e.ErrorMessage(), e.Description(), MB_OK | MB_ICONERROR);
	}
	catch (std::exception &e) {
		MessageBoxA(nullptr, e.what(), "Error!", MB_OK | MB_ICONERROR);
	}

	return FALSE;
}

DWORD WINAPI UnloadInternal(LPVOID lpParam) {
	if (lpParam != nullptr) try {
		SysUtils::ScopedLock lockGuard(gThreadLock);
		ClrUnloadInfo* unloadInfo = reinterpret_cast<ClrUnloadInfo*>(lpParam);
		auto assemblyInfoItr = gLoadedModules.find(unloadInfo->assemblyName);
		if (assemblyInfoItr == gLoadedModules.end())
			return FALSE;

		AssemblyInfo& assemblyInfo = assemblyInfoItr->second;
		if (assemblyInfo.mainClassInstance != nullptr) {
			long returnValue = FALSE;
			HRESULT hr = assemblyInfo.mainClassInstance->Unload(
				reinterpret_cast<long>(unloadInfo->unloadParameter), &returnValue);
			if (FAILED(hr))
				throw _com_error(hr);

			if (!returnValue) // app returned false on unload
				return FALSE;
		}

		HRESULT hr = gRuntimeHost->UnloadDomain(assemblyInfo.appDomain);
		if (FAILED(hr))
			throw _com_error(hr);

		gLoadedModules.erase(assemblyInfoItr);
		return TRUE;
	}
	catch (_com_error &e) {
		MessageBox(nullptr, e.ErrorMessage(), e.Description(), MB_OK | MB_ICONERROR);
	}

	return FALSE;
}

DWORD WINAPI IsLoadedInternal(LPVOID lpParam) {
	if (lpParam != nullptr) {
		SysUtils::ScopedLock lockGuard(gThreadLock);
		ClrAssemblyIdentifier* identifier = reinterpret_cast<ClrAssemblyIdentifier*>(lpParam);
		auto assemblyInfoItr = gLoadedModules.find(identifier->assemblyName);
		return assemblyInfoItr != gLoadedModules.end();
	}
	return FALSE;
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		gModuleHandle = hModule;
		DisableThreadLibraryCalls(hModule);
		break;

	case DLL_PROCESS_DETACH:
		if (gRuntimeHost != nullptr)
			gRuntimeHost->Stop();
		break;
	}
	return TRUE;
}

It creates a new AppDomain for every assembly so you won't run into problems. That way you can also unload assemblies (would be impossible if you load them into the default AppDomain).

Greets

berkay2578 · 06/23/2014, 14:59

Quote:

Originally Posted by dready

Wrong Snipet @ berkay

You need to allocate Memory and write Code to load the .NET VM directly or use a native dll as bootstrap, inject it with any of the normal Injection ways and let it load the .NET VM.

EDIT:

Aside of everything i dont think loading a fullblown .NET VM with known CRC's is a good think when you want to circumvent an anticheat system. You can do it ofcourse, but it will need more work then using a nativ language.

Code:

memCave = VirtualAllocEx(procHandle, 0, dllPath.Length, &H1000, &H4)
dllBytes = StrChar(dllPath)
WriteProcessMemory(procHandle, memCave, dllBytes, dllPath.Length, refVal)
dllHandle = GetModuleHandle("kernel32.dll")
startAddress = GetProcAddress(dllHandle, "LoadLibraryA")
remoteThread = CreateRemoteThread(procHandle, 0, 0, startAddress, memCave, 0, 0)

nope, it is correct. Allocates memory the size of DLL's path length, writes bytes of it to the allocated mem, and creates a remote thread hence executing the DLL inside the process... rest is up to the DLL itself. It does work and it will work, though mostly every AntiCheat out there will catch it.