Problem injecting a DLL into a C# app

nektra / Deviare-InProc

Deviare In Process Instrumentation Engine

http://nektra.com/products/deviare-api-hook-windows/deviare-in-process/

Other

328 stars 83 forks source link

Problem injecting a DLL into a C# app #4

Closed bbbscarter closed 6 years ago

bbbscarter commented 8 years ago

Hi! I'm having problems injecting a 32bit dll into a 32bit C# app.

Symptoms are as follows:

CreateProcessWithDllW returns success.
My dll fprintfs stuff out to confim it has been injected - this is not triggered.
Other pure C++ apps work fine - only seems to affect dotnet.
Using vanilla CreateProcess and then using InjectDllByHandle works, but then I have other issues (not relevant to this problem).

It looks like it's fairly easy to repro - I just did a test by creating an empty C# console app which sleeps for a few seconds, and my simple test dll fails to start.

Let me know if I'm doing anything stupid, or if you need more information.

Thanks!

Simon

mxmauro commented 8 years ago

Hi Simon,

When you use CreateProcess/InjectDllByHandle, are you using the CREATE_SUSPENDED flag too? (CreateProcess/Inject/ResumeThread)

Regards, Mauro.

bbbscarter commented 8 years ago

When using CreateProcessWithDll I wasn't using CREATE_SUSPENDED, but digging into the code it seems to do that anyway. Happy to give that a go if you think that will change things?

When using normal CreateProcess and then manually calling InjectDll I was using CREATE_SUSPENDED - but then I have no way of knowing if my dll has actually started before I resume it. (Plus, InjectDll does work with .net assemblies). On 03/11/2015 13:14:46, Mauro Leggieri notifications@github.com wrote: Hi Simon, When you use CreateProcess/InjectDllByHandle, are you using the CREATE_SUSPENDED flag? (CreateProcess/Inject/ResumeThread) Regards, Mauro. — Reply to this email directly or view it on GitHub [https://github.com/nektra/Deviare-InProc/issues/4#issuecomment-153348345].

mxmauro commented 8 years ago

CreateProcessWithDll creates the process suspended, injects the code and resumes it. By the time you execute InjectDll, because you used CreateProcess without CREATE_SUSPENDED flag, the process may be initialized and entrypoint changed to .net internals.

I suspect the problem is how .NET processes changes entrypoints and the injector code never executed.

I'll see in depth in these days.

Thank you for reporting the issue.

bbbscarter commented 8 years ago

Thanks!

Just to clarify:

CreateProcessWithDll doesn't work with .net.
CreateProcess(CREATE_SUSPENDED) + InjectDll + ResumeThread() does work (but causes me problems later on). On 03/11/2015 18:29:38, Mauro Leggieri notifications@github.com wrote: CreateProcessWithDll creates the process suspended, injects the code and resumes it. By the time you execute InjectDll, because you used CreateProcess without CREATE_SUSPENDED flag, the process may be initialized and entrypoint changed to .net internals. I suspect the problem is how .NET processes changes entrypoints and the injector code never executed. I'll see in depth in these days. Thank you for reporting the issue. — Reply to this email directly or view it on GitHub [https://github.com/nektra/Deviare-InProc/issues/4#issuecomment-153446607].