Hi everybody, I'm sorry that I had to register just to post this question (for the moment), but I really have no idea about elsewhere go to ask if not here.. I'm working on a C# application, and I need to run some code directly from memory, and so not from an HDD. I've already faced this kind of problem if I have some .NET executables, simply loading them from native methods, but now I have to fight against non-NET executables: I've already given a depth look at the "KMSLibrary", but it seems that that library is only working for dlls, and not exes. Going around the web I found some "variants" of the famous RunPE, but it seems that non of them is working for both the x64 and x86 executables... So, someone could please post me some snippets which could help me to write this kind of code? Thanks in advance.
You will need to inject the EXE image in one process if it is unmanaged (Not .NET): http://forums.mydigitallife.net/threads/24348-C-Run-non-NET-exe-from-memory
Mr Cell.. This is talk for the pros lol jkjk Anyways you are asking for reflection and it is better for anycpu to be loaded by anycpu or x64 for x64 and viceversa for x86 systems. I can give you tips and tricks for it just PM if you would like to know!
Will not work because the pointers has values to write in x86 areas... You will need to modify these pointers according to this post: http://forums.mydigitallife.net/threads/45192-C-64-Bit-DLL-Mapping?p=758494&viewfull=1#post758494 Anyway the process injection is a bad way because you always will be flagged by the AV while injecting the image. And you can not do reflection in the same process if the image is unmanaged.
That is correct.. You shouldnt mix pointer because it might point to the wrong location in memory and in the end your application will crash Incorrect most all my software has some sort of injection - whether it be a plugin or full on application it will work and i have tested with four different AV engines to confirm this - F-Secure Microsoft Symantec and ClamAV This is incorrect also. If from an unmanaged process you have to look into .NET Runtime hosting within your Win32 applications - Which is a very hard task but I do know how to do the basic hosting and get return values from functions. @OP MSDN is your best friend for this. I will show you some basic Reflection and Injection Methods when I am done writing my HashHelper Shell Ext (Which is almost ready for release)
Your 'injection' is managed. I am talking about unmanaged image injections. I am talking about one managed process being be injected with an unmanaged image (not library). Since unmanaged injections requires a lot of suspicious WinAPI calls, the AV systems is able to flag it as false-positive.
If you know how to call it without all those functions calls. you should only need three of them CreateProcess NTUnMap.. and Resume thread but not the one you list but the good ol' standard one. Plus my point still stands ive tested both way because my project now supports plugins using Win32 based languages lol
That is I have seen: For me, he is looking to inject unmanaged process image into another process (KMSLibrary do it with VBC.EXE). Anyway, this post is the solution. If anyone is able to do the right pointers for a x64 process... http://forums.mydigitallife.net/threads/45192-C-64-Bit-DLL-Mapping?p=758494&viewfull=1#post758494 If you still have issues, send a PM to him, maybe he also is able to do it for the KMSLibrary: http://forums.mydigitallife.net/members/328557-qad
Yeah, I've already given a look at that library, but it seems that it injects a dll, and not an executable: I think that the question is a bit different, no?
Yea, with libraries is really possible because you are re-alocating the memory block inside the process... But is a bit hard do it with all the process image inside the same process... (Inject 100% native image in the managed .NET Process)...
In the way of regular injection here is my favorite and most simple to use http://www.codeproject.com/Articles/20084/A-More-Complete-DLL-Injection-Solution-Using-Creat injects asm bytecode and calls load library and so on lol just have your lib and do some p\invoke to self inject it into the .net process.. im not sure if it works because i havent used it for that
The x64 pointers will be the same even if you will inject a library or the full process image (executable)... You just need to implement it inside your code (if the process is x64, then set x64 pointers)...