DLL injection: injecting a WPF DLL into a process

Introduction

Let's try injecting a WPF application into a running process.

Why injecting the managed DLL directly does not work

It fails for two reasons:

  1. A .NET DLL (also called a managed DLL) cannot be injected into a remote process that has not loaded the .NET runtime (the target process has no .NET environment loaded).
  2. Even if the DLL were mapped into the target, nothing in the target process would call the methods inside the .NET DLL.

1. Write the WPF class library

Contents:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows;

namespace mytestDLL
{
    public class Class1
    {
        // Entry point called from the native host: ExecuteInDefaultAppDomain
        // requires exactly this shape, public static int Method(string).
        public static int TestMethod(string TestParam)
        {
            MessageBox.Show($"我们已经成功打入敌人的内部!{TestParam}");
            return 0;
        }
    }
}

Build it, then take the resulting mytestDLL.dll.

2. Write the C++ class library

We write a C++ DLL that dynamically loads the .NET runtime inside the target process and then calls into the managed assembly.

Code:


#include <Windows.h>
#include <metahost.h>
#pragma comment(lib, "mscoree.lib")

// Thread entry point: host the CLR inside this process and call into the managed DLL.
DWORD WINAPI HostClr(LPVOID)
{
	ICLRMetaHost* metaHost = NULL;       // CLR meta host, starts out NULL
	ICLRRuntimeInfo* runtimeInfo = NULL; // CLR runtime info, starts out NULL
	ICLRRuntimeHost* runtimeHost = NULL; // CLR runtime host, starts out NULL

	if (CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&metaHost) == S_OK) // create the meta host
		if (metaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (LPVOID*)&runtimeInfo) == S_OK) // select the .NET 4 runtime
			if (runtimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&runtimeHost) == S_OK) // get the hosting interface
				if (runtimeHost->Start() == S_OK) // start the CLR
				{
					DWORD pReturnValue; // receives TestMethod's int return value

					// Invoke the managed method: assembly path, type name, method name, string argument
					runtimeHost->ExecuteInDefaultAppDomain(L"D://mytestDLL.dll", L"mytestDLL.Class1", L"TestMethod", L"It works!!", &pReturnValue);

					// OPTIONAL: you can keep the CLR running, depending on your needs
					runtimeInfo->Release();
					metaHost->Release();
					runtimeHost->Release();
				}
	return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		// Do the CLR work on a separate thread: the loader lock is held inside DllMain.
		// Only on PROCESS_ATTACH; handling THREAD_ATTACH here would start a fresh
		// CLR host thread for every thread the process creates.
		HANDLE Thread = CreateThread(0, 0, HostClr, 0, 0, 0);
		if (Thread)
			CloseHandle(Thread);
		else
			return FALSE;
		break;
	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
runtimeHost->ExecuteInDefaultAppDomain(L"D://mytestDLL.dll", L"mytestDLL.Class1", L"TestMethod", L"It works!!", &pReturnValue);

// This line is where the C++ code calls the function in the C# class library; an absolute path to the assembly is used here.

Build the C++ DLL.

3. Inject with a DLL injection tool

Inject the C++ DLL we just built.

The DLL injection tool I used:

Release v3.7.3 · master131/ExtremeInjector (github.com)

You can also write your own DLL injector.

Injecting the C++ DLL is all that is needed.

Note: a 64-bit DLL cannot be injected into a 32-bit application (and vice versa); the bitness of the injected DLL must match the target.
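From the defender's side, the three steps above leave a recognizable trace: a process that never used .NET suddenly loads the native CLR images (mscoree.dll / clr.dll), usually right after a remote thread was created in it and after an unsigned native DLL was mapped from a user-writable path. The script below is an added example, not part of the original post or of ExtremeInjector; it runs that correlation over constructed telemetry records shaped like Sysmon Event 7 (ImageLoad) and Event 8 (CreateRemoteThread). The field names, the allowlist of known .NET hosts, the trusted directories and the 30-second window are assumptions to tune per environment; the process and file names in the sample records are constructed.

```python
"""Detect a process that unexpectedly starts hosting the .NET CLR.

Constructed sample telemetry in the shape of Sysmon Event 7 (ImageLoad)
and Event 8 (CreateRemoteThread); field names are assumptions, not
Sysmon's exact schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Native runtime images whose load means "this process now hosts the CLR".
CLR_IMAGES = {"mscoree.dll", "clr.dll", "clrjit.dll", "coreclr.dll"}
# Processes expected to host the CLR (assumed allowlist; tune per environment).
KNOWN_DOTNET_HOSTS = {"powershell.exe", "devenv.exe", "msbuild.exe"}
# Directories from which module loads are considered routine (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry: one benign .NET host, one injected process,
# and one CLR load with no remote thread to explain it.
SAMPLE_EVENTS = [
    {"event": 7, "time": "2023-01-17T11:59:00", "pid": 1001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll", "signed": True},
    {"event": 8, "time": "2023-01-17T12:00:00",
     "source_image": r"C:\Tools\injector.exe", "target_pid": 4242},
    {"event": 7, "time": "2023-01-17T12:00:01", "pid": 4242,
     "image": r"C:\Program Files\QQ\qq.exe",
     "image_loaded": r"D:\clrhost.dll", "signed": False},
    {"event": 7, "time": "2023-01-17T12:00:02", "pid": 4242,
     "image": r"C:\Program Files\QQ\qq.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll", "signed": True},
    {"event": 7, "time": "2023-01-17T12:10:00", "pid": 5150,
     "image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.dll", "signed": True},
]


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events, window=timedelta(seconds=30)):
    """Return alerts, in time order, for suspicious module loads."""
    remote_threads = defaultdict(list)  # target pid -> [(time, source process)]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        if e["event"] == 8:
            remote_threads[e["target_pid"]].append((ts, basename(e["source_image"])))
            continue
        proc = basename(e["image"])
        loaded = basename(e["image_loaded"])
        if loaded in CLR_IMAGES and proc not in KNOWN_DOTNET_HOSTS:
            # A non-.NET process started the runtime; a recent remote thread
            # into the same pid turns this from "odd" into "likely injected".
            sources = [src for t, src in remote_threads[e["pid"]]
                       if timedelta(0) <= ts - t <= window]
            alerts.append({
                "time": e["time"], "pid": e["pid"], "process": proc,
                "rule": "clr_loaded_in_non_dotnet_process",
                "severity": "high" if sources else "medium",
                "remote_thread_from": sources[0] if sources else None,
            })
        elif not e["image_loaded"].lower().startswith(TRUSTED_DIRS) and not e.get("signed", False):
            # Unsigned module mapped from outside the trusted directories.
            alerts.append({
                "time": e["time"], "pid": e["pid"], "process": proc,
                "rule": "unsigned_module_from_untrusted_path",
                "severity": "low",
                "remote_thread_from": None,
                "module": e["image_loaded"],
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["severity"]:6} pid={a["pid"]} {a["process"]} {a["rule"]}')
```

On the sample data the injected qq.exe process produces a low-severity alert for the unsigned native DLL and then a high-severity alert when clr.dll appears two seconds after the remote thread, while the unexplained CLR load in notepad.exe is only medium; the PowerShell record produces nothing. Real telemetry needs the allowlist tuned, since many legitimate COM-hosted and add-in scenarios load the CLR into processes that are not themselves .NET executables.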

Result

Pick any QQ process and inject into it; see the screenshot.

Posted @ 2023-01-17 12:22 by 王某。。  Views (170)  Comments (0)