
NuGet

Open Trojaner opened this issue 6 years ago • 18 comments

Do you plan to upload this to NuGet?

Trojaner avatar Jul 08 '18 12:07 Trojaner

I do plan on uploading it to NuGet. Right now there are two more features I would like to add before releasing there:

  • Create process suspended and inject DLL (right now it just starts the process)
  • IPC Helper to notify the launching process when the DLL loading has completed.

unknownv2 avatar Jul 08 '18 17:07 unknownv2

Hi @Trojaner,

I have uploaded the CoreHook project to NuGet and you can find an example that uses the NuGet package here: https://www.nuget.org/packages/CoreHook/ and the example: https://github.com/unknownv2/corehook-plugins

Does that work for what you needed?

unknownv2 avatar Nov 18 '18 04:11 unknownv2

Very nice! I will check this out as soon as possible 👍

Trojaner avatar Nov 18 '18 22:11 Trojaner

@unknownv2 do you still need help with creating a process suspended and injecting a dll?

ghost avatar Dec 17 '18 19:12 ghost

Hi @Akaion,

Yes, I would like help with that.

Currently, the Detours module has an export for creating and injecting a DLL into a suspended process but I'm not sure if there is a C# implementation of that.

When I used the Detours method, I wasn't able to figure out how to bring the Window to the front, as it would be hidden sometimes.

unknownv2 avatar Dec 17 '18 20:12 unknownv2

@unknownv2 Just some things I would like to clarify as I'm not sure I quite understand everything.

When you say the Detours module has an export to create and inject a DLL, are you saying that you want to create (in C#) a method to create a new (suspended) process and then inject a DLL into it?

ghost avatar Dec 17 '18 21:12 ghost

@Akaion Yes, an implementation like this:

https://github.com/unknownv2/CoreHook.Hooking/blob/master/src/creatwth.cpp#L791.

I'm not sure if something like DetourUpdateProcessWithDllEx(source: https://github.com/unknownv2/CoreHook.Hooking/blob/master/src/creatwth.cpp#L584) has been implemented in C# yet.

unknownv2 avatar Dec 17 '18 21:12 unknownv2

@unknownv2 I see. Seems relatively easy to do. Is there a method of injection you're wanting (does it need to be stealthy) or is CreateRemoteThread fine?

ghost avatar Dec 17 '18 22:12 ghost

@Akaion The stealthier methods would be preferred but CreateRemoteThread is fine as well since that might be easier to implement without any side-effects.

Do you have a method in mind that would be the stealthiest?

unknownv2 avatar Dec 17 '18 23:12 unknownv2

@unknownv2 If you utilize my injection library you can hijack a thread or manual map (manual mapping being the stealthiest).

If you don't want to use my library and integrate the injection method directly into your codebase, it wouldn't really be feasible to do one of the above stealthy methods as they are quite complex (it would be tedious to rewrite them in your code), so I would probably end up using RtlCreateUserThread or Zw/NtCreateThreadEx to avoid a call to CreateRemoteThread; however, these are much more easily detected than hijacking a thread or manual mapping.

ghost avatar Dec 17 '18 23:12 ghost

@Akaion Thank you for the information and suggestions, your library looks great.

I will play around with those methods and I would like to use the manual map method then if it is the stealthiest.

unknownv2 avatar Dec 18 '18 00:12 unknownv2

@unknownv2 No problem. I can write a method that does what you want later and then you could play around with it if you want?

ghost avatar Dec 18 '18 00:12 ghost

@Akaion, I would appreciate that a lot if you can please!

unknownv2 avatar Dec 18 '18 00:12 unknownv2

@unknownv2 where do you want this done? I can't seem to find where you're starting the process (I swear I'm blind)

ghost avatar Dec 18 '18 05:12 ghost

And just another question, why does the process need to be started suspended?

ghost avatar Dec 18 '18 05:12 ghost

@Akaion You can find the code that starts the process here: https://github.com/unknownv2/CoreHook/blob/master/src/CoreHook.BinaryInjection/RemoteInjection/RemoteInjector.cs#L85

I definitely need to better document the usage, I'm sorry about that.

I wanted to start the process suspended to inject any DLLs in case the program is monitoring for new DLLs being loaded. I believe this would give us the chance to load the DLL before the program's entry point as described here: https://github.com/Microsoft/Detours/wiki/DetourCreateProcessWithDllEx (correct me if I'm wrong!)

unknownv2 avatar Dec 18 '18 05:12 unknownv2

@unknownv2 I don't know of any anti-cheat / tamper mechanisms that check for any DLLs being loaded into a process as the only trigger (they usually check the headers etc.), as antiviruses also load DLLs into processes.

Even if this is the case, by manually mapping the DLL into the process, the process itself is unaware of any module being loaded (we essentially simulate LoadLibrary) and it can only be detected through very advanced memory scanning.

ghost avatar Dec 18 '18 06:12 ghost
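The "memory scanning" the comment above refers to can be illustrated from the defender's side. The following is an added example, not CoreHook's or Akaion's code: it walks a target process with VirtualQueryEx and reports committed executable regions that are not backed by an image section (MEM_IMAGE), which is where a manually mapped module would sit since it never appears in the loader's module list. The class and method names (UnbackedExecScan, Scan) are assumptions for this example.

```csharp
// Added example (not CoreHook's code): flag executable memory that no loaded
// module accounts for. Caveat: JIT engines (including .NET itself) also allocate
// private executable memory, so hits are leads to inspect, not proof of injection.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

static class UnbackedExecScan
{
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint MEM_COMMIT = 0x1000;
    const uint MEM_IMAGE = 0x1000000;
    const uint PAGE_EXECUTE_MASK = 0xF0; // any PAGE_EXECUTE* protection (0x10..0x80)

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr addr,
        out MEMORY_BASIC_INFORMATION mbi, UIntPtr size);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    // Returns every committed executable region whose Type is not MEM_IMAGE.
    public static List<(IntPtr Base, long Size, uint Protect)> Scan(int pid)
    {
        var hits = new List<(IntPtr, long, uint)>();
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (h == IntPtr.Zero)
            throw new InvalidOperationException("OpenProcess failed: " + Marshal.GetLastWin32Error());
        try
        {
            long addr = 0;
            var mbiSize = (UIntPtr)Marshal.SizeOf<MEMORY_BASIC_INFORMATION>();
            // VirtualQueryEx returns 0 once addr passes the end of user address space.
            while (VirtualQueryEx(h, (IntPtr)addr, out var mbi, mbiSize) != UIntPtr.Zero)
            {
                bool exec = (mbi.Protect & PAGE_EXECUTE_MASK) != 0;
                if (mbi.State == MEM_COMMIT && exec && mbi.Type != MEM_IMAGE)
                    hits.Add((mbi.BaseAddress, (long)mbi.RegionSize, mbi.Protect));
                addr = (long)mbi.BaseAddress + (long)mbi.RegionSize; // step to next region
            }
        }
        finally { CloseHandle(h); }
        return hits;
    }
}
```

Comparing each hit's AllocationBase against the module list from EnumProcessModules (or Process.Modules) is the usual next step to separate JIT heaps from regions that look like a mapped PE image.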

@Akaion I did not know that! That sounds perfect then. We can continue the discussion for this here if that's alright with you: https://github.com/unknownv2/CoreHook/issues/113.

Thank you!

unknownv2 avatar Dec 18 '18 06:12 unknownv2