Managed Dll Injection without C/C++ or Assembly


How do I inject a managed DLL into a remote process using VB/C#, without using any C/C++ bootstrap DLL or any code cave written in assembly?


DllExport is required for exporting a function as native code.

Classical Mechanism:

The following is the procedure for classical DLL injection:

  • Create a C/C++ DLL
  • Write the DLL path into the remote process
  • Create a remote thread on LoadLibraryA with the DLL path as its argument
  • The DLL entry point is invoked at this stage

Reference: Code project article

Codecave Method:

With this method you can skip the C/C++ DLL, but it requires basic knowledge of assembly.

  • Create a code cave at run time as a byte array and write it to the other process, or write an assembly procedure (a C-like function) and compile it to binary code, which will load the .NET assembly
  • Write your code into the other process
  • Create a remote thread, and your .NET assembly can be loaded

Reference: Code with example [the original link seems to have expired, so this is the Google cached version]

Modern Way:

This method is very easy to use and doesn't require knowledge of C/C++ or assembly; the procedure is as follows:

  • Load your library in the current process and get the address of the procedure you want to call; this works with a procedure that takes one argument
  • Call CreateRemoteThread in the target process with LoadLibrary and your managed DLL path as the argument. This does not execute your code; it only loads your library in the target process
  • Wait for the thread to exit and then get its return code; this is your library's module handle
  • Now create a remote thread at your procedure address in the remote process, and it's done: your procedure will be called.

Example:

Here is your DLL code:

```vb
Imports System.Windows.Forms
' <DllExport> comes from the DllExport package; its namespace depends on the
' package version you use (e.g. RGiesecke.DllExport).

Public Module Library

    <DllExport>
    Public Function Entry(Argument As String) As Integer
        MessageBox.Show("Injected With Argument: " + Argument)
        Return 0 'Success
    End Function

End Module
```

Here is example injection code; it is just a prototype. TODO: implement the native functions and use them for the extension methods used below.

```vb
Imports System.Diagnostics
Imports System.Text

Public Module Program

    ' kernel32 loader functions used below, declared so the prototype compiles.
    Private Declare Ansi Function GetModuleHandle Lib "kernel32" (ModuleName As String) As IntPtr
    Private Declare Ansi Function GetProcAddress Lib "kernel32" (hModule As IntPtr, ProcName As String) As IntPtr
    Private Declare Ansi Function LoadLibrary Lib "kernel32" (FileName As String) As IntPtr

    Public Sub Inject(Proc As Process, dll As String)
        Dim K32 = GetModuleHandle("kernel32")
        Dim LLA_Proc = GetProcAddress(K32, "LoadLibraryA")
        'TODO: extension method of Process: WriteMemory(Byte())
        Dim lns = Proc.WriteMemory(Encoding.ASCII.GetBytes("C:\FAKE-PATH\Inject.dll"))
        'TODO: extension method of Process: RemoteCallWait(IntPtr, Arg)
        Dim z = Proc.RemoteCallWait(LLA_Proc, lns)  'Calls the method, waits for exit and returns the exit code
        'z should not be zero, otherwise injection is incomplete

        Dim XPTR = GetPtr("C:\FAKE-PATH\Inject.dll", "Entry")
        'TODO: extension method of Process: WriteMemory(Byte())
        Dim Loc = Proc.WriteMemory(Encoding.Default.GetBytes("hello world"))
        'TODO: extension method of Process: RemoteCallWait(IntPtr, Arg)
        z = Proc.RemoteCallWait(XPTR, Loc)
        'z should be 0 now
    End Sub

    ' Resolves the exported procedure in the current process. This relies on the
    ' DLL mapping at the same base address in the target process as it does here.
    Private Function GetPtr(LibraryName As String, FuncName As String) As IntPtr
        Return GetProcAddress(LoadLibrary(LibraryName), FuncName)
    End Function

End Module
```