从非托管 dll 文件（注入到正在运行的进程中）调用托管 dll

Posted 2023-03-22

【中文标题】从非托管 dll 文件（注入到正在运行的进程中）调用托管 dll

【英文标题】：calling an managed dll from an unmanaged dll file (that is injected into the running process)

【发布时间】：2018-02-10 18:18:10

【问题描述】：

无法弄清楚如何使用非托管 dll 调用托管 dll 文件中的函数。

目前，我能够将非托管 dll 注入正​​在运行的进程并调用托管 dll（主要是我是 c++ 的新手），如下所示。

 #include "stdafx.h"
 #include <Windows.h>
 #include "dllmain.h"

 BOOL APIENTRY DllMain( HMODULE hModule,
                   DWORD  ul_reason_for_call,
                   LPVOID lpReserved  )

switch (ul_reason_for_call)
  
     case DLL_PROCESS_ATTACH:
    
    LoadManagedProject(L"C:\\Users\\nagaganesh.kurcheti\\Desktop\\ExampleProject.dll");
    DisplayPid();
     break;
      
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    break;

return TRUE;


void DisplayPid()

DWORD pid = GetCurrentProcessId();
wchar_t buf[64];
wsprintf(buf, L"Hey, it worked! Pid is %d", pid);
MessageBox(NULL, buf, L"Injected NEW MessageBox", NULL);

我正在从 DLL MAIN 调用一个处理注入过程的函数，如下所示：-

DllExport void LoadManagedProject(const wchar_t * managedDllLocation)
 
HRESULT hr;
ICLRMetaHost* pClrMetaHost = NULL;
ICLRRuntimeInfo* pClrRuntimeInfo = NULL;
ICLRRuntimeHost* pClrRuntimeHost = NULL;
hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pClrMetaHost);
if (hr == S_OK)



    hr = pClrMetaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(&pClrRuntimeInfo));
    if (hr == S_OK)
               
        BOOL fLoadable;
        hr = pClrRuntimeInfo->IsLoadable(&fLoadable);
        if ((hr == S_OK) && fLoadable)
                        
            hr = pClrRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost,
                IID_PPV_ARGS(&pClrRuntimeHost));
            if (hr == S_OK)
            
                hr = pClrRuntimeHost->Start();
                if (hr == S_OK)
                
                    MessageBox(NULL, L"HR=SOK45STTIME", L"Injected MessageBox", NULL);

                    DWORD result;
                    hr = pClrRuntimeHost->ExecuteInDefaultAppDomain(
                        managedDllLocation,
                        L"ExampleProject.Example",
                        L"EntryPoint",
                        L"Argument",
                        &result);
                    if (hr == S_OK)
                    
                        MessageBox(NULL, L"HR=SOK6STTIME", L"Injected MessageBox", NULL);
                    

                
            
        
    

经过多次尝试后，我无法注入此进程。 我能知道我犯了什么错误，或者建议使用注入到正在运行的进程中的非托管 dll 调用托管 dll（c#）的更好方法。提前谢谢你。

更新：

如果无法通过这种方式，您能否建议任何将托管 dll 注入正​​在运行的进程的最佳方法。谢谢

【问题讨论】：

谷歌“dllmain loader lock”找出为什么这永远无法工作。

能否详细说明。我是这种情况的新手。谢谢

【参考方案1】：

您可以通过使用 EasyHook 将托管 dll 注入非托管进程来实现此目的 这是示例代码：

#include <easyhook.h>
#include <string>
#include <iostream>
#include <Windows.h>

DWORD gFreqOffset = 0;
BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration)

    std::cout << "\n    BeepHook: ****All your beeps belong to us!\n\n";
    return Beep(dwFreq + gFreqOffset, dwDuration);


// EasyHook will be looking for this export to support DLL injection. If not found then 
// DLL injection will fail.
extern "C" void __declspec(dllexport) __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);

void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)

    std::cout << "\n\nNativeInjectionEntryPointt(REMOTE_ENTRY_INFO* inRemoteInfo)\n\n" <<
        "IIIII           jjj               tt                dd !!! \n"
        " III  nn nnn          eee    cccc tt      eee       dd !!! \n"
        " III  nnn  nn   jjj ee   e cc     tttt  ee   e  dddddd !!! \n"
        " III  nn   nn   jjj eeeee  cc     tt    eeeee  dd   dd     \n"
        "IIIII nn   nn   jjj  eeeee  ccccc  tttt  eeeee  dddddd !!! \n"
        "              jjjj                                         \n\n";

    std::cout << "Injected by process Id: " << inRemoteInfo->HostPID << "\n";
    std::cout << "Passed in data size: " << inRemoteInfo->UserDataSize << "\n";
    if (inRemoteInfo->UserDataSize == sizeof(DWORD))
    
        gFreqOffset = *reinterpret_cast<DWORD *>(inRemoteInfo->UserData);
        std::cout << "Adjusting Beep frequency by: " << gFreqOffset << "\n";
    

    // Perform hooking
    HOOK_TRACE_INFO hHook =  NULL ; // keep track of our hook

    std::cout << "\n";
    std::cout << "Win32 Beep found at address: " << GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep") << "\n";

    // Install the hook
    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"),
        myBeepHook,
        NULL,
        &hHook);
    if (FAILED(result))
    
        std::wstring s(RtlGetLastErrorString());
        std::wcout << "Failed to install hook: ";
        std::wcout << s;
    
    else 
    
        std::cout << "Hook 'myBeepHook installed successfully.";
    

    // If the threadId in the ACL is set to 0,
    // then internally EasyHook uses GetCurrentThreadId()
    ULONG ACLEntries[1] =  0 ;

    // Disable the hook for the provided threadIds, enable for all others
    LhSetExclusiveACL(ACLEntries, 1, &hHook);

    return;

或者您可以在original source找到更多详细信息