Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NuGet #12

Open
Trojaner opened this issue Jul 8, 2018 · 18 comments
Open

NuGet #12

Trojaner opened this issue Jul 8, 2018 · 18 comments
Assignees
@unknownv2

Comments

@Trojaner
Copy link

Trojaner commented Jul 8, 2018

Do you plan to upload this to NuGet?
@unknownv2
Copy link
Owner

I do plan on uploading it to NuGet. Right now there are two more features I would like to add before releasing there:

  • Create process suspended and inject DLL (right now it just starts the process)
  • IPC Helper to notify the launching process when the DLL loading has completed.

@unknownv2 unknownv2 self-assigned this Sep 4, 2018
@unknownv2
Copy link
Owner

unknownv2 commented Nov 18, 2018
edited
Loading

Hi @Trojaner,

I have uploaded the CoreHook project to NuGet and you can find an example that uses the NuGet package here: https://www.nuget.org/packages/CoreHook/ and the example: https://github.com/unknownv2/corehook-plugins

Does that work for what you needed?

@Trojaner
Copy link
Author

Very nice!
I will check this out as soon as possible 👍

@ghost
Copy link

ghost commented Dec 17, 2018

@unknownv2 do you still need help with creating a process suspended and injecting a dll?

@unknownv2
Copy link
Owner

Hi @Akaion,

Yes, I would like help with that.

Currently, the Detours module has an export for creating and injecting a DLL into a suspended process but I'm not sure if there is a C# implementation of that.

When I used the Detours method, I wasn't able to figure out how to bring the Window to the front, as it would be hidden sometimes.

@ghost
Copy link

ghost commented Dec 17, 2018
edited by ghost
Loading

@unknownv2 Just some things I would like to clarify as I'm not sure I quite understand everything.

When you say the detours module has an export to create and inject a DLL , are you saying that you want you want to create (in C#) a method to create a new (suspended) process and then inject a DLL into it?

@unknownv2
Copy link
Owner

@Akaion Yes, an implementation like this:

https://github.com/unknownv2/CoreHook.Hooking/blob/master/src/creatwth.cpp#L791.

I'm not sure if something like DetourUpdateProcessWithDllEx(source:
https://github.com/unknownv2/CoreHook.Hooking/blob/master/src/creatwth.cpp#L584) has been implemented in C# yet.

@ghost
Copy link

ghost commented Dec 17, 2018

@unknownv2 I see - Seems relatively easy to do. Is there a method of injection you're wanting (does it need to be stealth) or is CreateRemoteThread fine?

@unknownv2
Copy link
Owner

@Akaion The stealthier methods would be preferred but CreateRemoteThread is fine as well since that might be easier to implement without any side-effects.

Do you have a method in mind that would be the stealthiest?

@ghost
Copy link

ghost commented Dec 17, 2018
edited by ghost
Loading

@unknownv2 If you utilize my injection library you can hijack a thread or manual map (manual mapping being the stealthiest.)

If you don't want to use my library and integrate the injection method directly into your codebase, it wouldn't really be feasible to do one of the above stealthy methods as they are quite complex (would be tedious to rewrite in your code) so I would probably end up using RtlCreateUserThread or Zw/Nt CreateThreadEx to avoid a call to CreateRemoteThread, however, these are much easier detected than hijacking a thread or manual mapping.

@unknownv2
Copy link
Owner

@Akaion Thank you for the information and suggestions, your library looks great.

I will play around with those methods and I would like to use the manual map method then if it is the stealthiest.

@ghost
Copy link

ghost commented Dec 18, 2018
edited by ghost
Loading

@unknownv2 No problem. I can write a method that does what you want later and then you could play around with it if you want?

@unknownv2
Copy link
Owner

@Akaion, I would appreciate that a lot if you can please!

@ghost
Copy link

ghost commented Dec 18, 2018

@unknownv2 where do you want this done? I can't seem to find where you're starting the process (I swear I'm blind)

@ghost
Copy link

ghost commented Dec 18, 2018

And just another question, why does the process need to be started suspended?

@unknownv2
Copy link
Owner

@Akaion You can find the code that starts the process here: https://github.com/unknownv2/CoreHook/blob/master/src/CoreHook.BinaryInjection/RemoteInjection/RemoteInjector.cs#L85

I definitely need to better document the usage, I'm sorry about that.

I wanted to start the process suspended to inject any DLLs in case the program is monitoring for new DLLs being loaded. I believe this would give us the chance to load the DLL before the program's entry point as described here: https://github.com/Microsoft/Detours/wiki/DetourCreateProcessWithDllEx (correct me if I'm wrong!)

@ghost
Copy link

ghost commented Dec 18, 2018
edited by ghost
Loading

@unknownv2 I don't know of any anti cheat / tamper mechanisms that check for any dll's being loaded into a process as the only trigger (they usually check the headers etc.) as anti viruses also load dll's into processes

Even if this is the case, by manually mapping the dll into the process, the process itself is unaware of any module being loaded (we essentially simulate load library) and can only be detected through very advanced memory scanning

@unknownv2
Copy link
Owner

@Akaion I did not know that! That sounds perfect then. We can continue the discussion for this here if that's alright with you: #113.

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@unknownv2 unknownv2

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Trojaner @unknownv2