akaion / bleak
A Windows native DLL injection library that supports several methods of injection.
License: MIT License
manualmap and hijackthread always close the process
get this while debugging (obviously couldn't call dllmain cause it closed the process lol)
https://i.imgur.com/7n9cJdJ.png
Hey,
if you remember, you sent me a pull request regarding my dll injector (FreeLibrary) etc.
Do you plan to support managed injection?
Greetings,
Daniel
I receive the following exception when trying to inject a dll into Anno 1800 game:
Dll Injector failed with unknown error. Bleak.Shared.Exceptions.PInvokeException: Failed to call NtCreateThreadEx with error code 87 at Bleak.RemoteProcess.ManagedProcess.CallFunctionInternal(FunctionCall functionCall)
//edit: just to be clear the game is not protected and injecting using Cheat Engine works fine.
This originally wasn't working because there are a few symbols that appear twice, so when adding to the dictionary, TryParse will need to be used.
This line
Can you add net 3.5 support?
Hi there,
I am currently trying to inject a byte array into csgo.exe but unfortunately it gives me the following error when I try to execute that part of my code. I have no clue why this happens.
System.ComponentModel.Win32Exception: 'Failed to query the remote process for the address of the WOW64 PEB with error code 0'
It might be an issue with the byte array that I try to inject, not sure.
I hope you are able to help me out here.
I have a problem with
GetNtDllAddress (SyscallManager.cs) -
    return Process.GetCurrentProcess().Modules.Cast<ProcessModule>().First(module => module.ModuleName.Equals("ntdll.dll")).BaseAddress;
When I compile as x86, the application has problems because the app gets the address of the x64 ntdll.dll loaded in the application. I need to compile as x64 to fix this issue.
Thanks.
I might have found an issue.
If I try to inject an embedded DLL resource, the program will crash with the exception FileNotFound (System.Runtime).
This is the code I used:
var injector = new Injector(target.Id, Properties.Resources.DLL, InjectionMethod.ManualMap, InjectionFlags.None);
injector.InjectDll();
Also a second issue:
If I create a new Net Framework project and try to add Bleak using NuGet I get this error:
Could not install package 'Bleak 3.0.0'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.7.2', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
Done on an x64 machine
Trying to inject an x64 dll (as a byte array) into an x64 process when compiled with the x86 or AnyCpu configuration causes the following exceptions (depending on the method being used):
ManualMap
NtCreateThreadEx, QueueUserApc, RtlCreateUserThread, SetThreadContext and ZwCreateThreadEx
(when compiled with the x64 configuration everything works fine)
I assume that the ability to inject a dll must only depend on the dll and target process architectures, not the injector's one.
make bleak compatible with old framework for vs2017 please.
This line was throwing an exception for me.
Bleak/Bleak/PortableExecutable/PeImage.cs
Line 187 in 003883f
I fixed it by doing this
    var f = exportedFunctions.Find(exportedFunction => exportedFunction.Ordinal == exportedFunctionOrdinal);
    if (f != null)
    {
        f.Name = exportedFunctionName;
    }
I don't know what the issue with my dll was, but this seemed like an easy fix, and the injection went fine afterwards.
Currently there's a bug when attempting to ManualMap directly after downloading the PDB with the new PDB parsing.
The stacktrace is pretty extensive but the gist of it is
a callback was made on a garbage collected delegate
Simply stopping the program and re running it after this exception (as the file has been downloaded at this point) poses no problem and ManualMapping works as expected after, but this bug really needs to be fixed.
As promised, although a little delayed, I'm creating an issue to track the request for reflected DLL injection.
There is already manual mapping, which does some of the work.
A very nice example in C++, which combines Simon Fewer's original solution with some best practices when it comes to Microsoft/Windows injection:
https://github.com/dismantl/ImprovedReflectiveDLLInjection
The author also has a nice blog post on it:
https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html
Here is also an example of reflected injection in C#:
https://github.com/xorrior/RemoteRecon/blob/master/RemoteReconCore/Injector.cs
Currently this isn't supported.
Essentially to create support for this, the DLL needs to be relinked to all the linked lists in the PEB, the LdrpHashTable as well as the LdrpModuleIndex. Once this has been done, a simple call to LdrUnloadDll (FreeLibrary) will eject the DLL as per normal.
Some dlls have export functions. It would be great to get their memory address after injecting them with bleak using manualmap so we can call them using createremotethread.
//edit: When using manualmap, symbol handlers don't find the symbols like they do when injecting with createthread, so the injector would need to provide this information.
Could you add a method for invoking a remote thread/method and passing a custom parameter?
I would like to pass a dynamically generated name for a named pipe.
Or is there already something like that implemented that I missed? It looks like the needed methods are only internal.
I don't want to use a constant pipe name. That way every injector has his own communication channel. Or do you have any other idea to solve this?
Hey @Akaion, exciting following the project.
Correct me if I'm wrong, but currently Bleak is just allocating memory with RWX permissions, like here, right?
If so, this is typically what EDR solutions look for on endpoints, so I think it would be a nice improvement to first allocate the memory with RW, and after copying over the data, change the permissions to RX.
What do you think?
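From the defender's side of the point raised in this issue, an added example (not part of the original post or of Bleak) of detection logic over memory-operation telemetry that flags both a cross-process RWX allocation and the RW, write, then executable sequence. The event schema, PIDs and addresses are constructed assumptions; the API names and protection constants are the real Win32 ones.

```python
from collections import namedtuple

# Protection constants from winnt.h
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
WRITABLE_EXEC = 0x40 | 0x80   # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
ANY_EXEC = 0xF0               # any PAGE_EXECUTE* value

# Constructed telemetry record; this schema is an assumption, not a real EDR format.
MemEvent = namedtuple("MemEvent", "actor target api base size protect", defaults=[0])

def detect(events):
    """Return (rule, actor_pid, target_pid, region_base) findings in event order."""
    findings, regions = [], {}   # regions: (target, base) -> [size, remotely_written]

    def covering(target, addr):
        # Find the tracked remote allocation that contains addr, if any.
        for (pid, base), state in regions.items():
            if pid == target and base <= addr < base + state[0]:
                return base, state
        return None, None

    for ev in events:
        if ev.actor == ev.target:
            continue   # self-modification (e.g. a JIT) is out of scope here
        if ev.api == "VirtualAllocEx":
            regions[(ev.target, ev.base)] = [ev.size, False]
            if ev.protect & WRITABLE_EXEC:
                findings.append(("remote-rwx-alloc", ev.actor, ev.target, ev.base))
        elif ev.api == "WriteProcessMemory":
            _, state = covering(ev.target, ev.base)
            if state:
                state[1] = True
        elif ev.api == "VirtualProtectEx" and ev.protect & ANY_EXEC:
            base, state = covering(ev.target, ev.base)
            if state and state[1]:   # written remotely, then made executable
                findings.append(("remote-write-then-exec", ev.actor, ev.target, base))
    return findings

# Constructed sample events (PIDs and addresses are made up)
SAMPLE = [
    MemEvent(100, 200, "VirtualAllocEx", 0x10000, 0x3000, PAGE_EXECUTE_READWRITE),
    MemEvent(300, 400, "VirtualAllocEx", 0x20000, 0x2000, PAGE_READWRITE),
    MemEvent(300, 400, "WriteProcessMemory", 0x20800, 0x100),
    MemEvent(300, 400, "VirtualProtectEx", 0x20000, 0x2000, PAGE_EXECUTE_READ),
    MemEvent(500, 500, "VirtualAllocEx", 0x30000, 0x1000, PAGE_EXECUTE_READWRITE),
]
```

Splitting the allocation into RW and RX removes the first finding but not the second, because the remote write and the later protection change still land in the same tracked region.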
There is a known issue where if you inject a DLL with the HideDllFromPeb flag, eject it and then attempt to inject it again, it will not inject. This is probably due to some sort of data structure maintaining a reference to the DLL and so when LoadLibrary is invoked, it thinks the DLL is already in the process.
I have yet to figure out what the problem is though, so if you have any ideas, feel free to let me know.
After blocking the internet connection for bleak as a workaround for #22, the injection seems successful but on deject I received an exception. The message however confuses me because on injection it successfully? has called the entry point. Why does it call the entry point another time on deject and why does it fail?
Exception:
Bleak.Shared.Exceptions.RemoteFunctionCallException
HResult=0x80131500
Message=Failed to call the entry point of the DLL in the remote process
Source=Bleak
StackTrace:
at Bleak.Injection.Extensions.EjectDll.Call(IntPtr remoteDllAddress)
at Bleak.Injection.InjectionManager.EjectDll()
at Bleak.Injector.EjectDll()
Code:
    using (var injector = new Injector("process_uwp", path, InjectionMethod.ManualMap, InjectionFlags.None))
    {
        // Inject the DLL into the remote process
        var dllBaseAddress = injector.InjectDll();
        // Eject the DLL from the process
        injector.EjectDll();
    }
How to reproduce:
diff --git a/Bleak.Tests/InjectionTests.cs b/Bleak.Tests/InjectionTests.cs
index 1c48e61..2768e1a 100644
--- a/Bleak.Tests/InjectionTests.cs
+++ b/Bleak.Tests/InjectionTests.cs
@@ -14,9 +14,9 @@ namespace Bleak.Tests
public InjectionTests()
{
- _dllPath = Path.Combine(Path.GetFullPath(@"..\..\..\Etc\"), "TestDll.dll");
+ _dllPath = Path.Combine(Path.GetFullPath(@"C:\Users\LuK1337\source\repos\Dll1\Debug"), "Dll1.dll");
- _process = new Process {StartInfo = {CreateNoWindow = true, FileName = "notepad.exe", UseShellExecute = true, WindowStyle = ProcessWindowStyle.Hidden}};
+ _process = new Process {StartInfo = {CreateNoWindow = true, FileName = @"C:\Program Files (x86)\Steam\Steam.exe", UseShellExecute = true, WindowStyle = ProcessWindowStyle.Hidden}};
_process.Start();
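Review bot: the two replaced assignments in the `InjectionTests()` constructor hard-code machine-specific absolute paths (`C:\Users\LuK1337\source\repos\Dll1\Debug` and `C:\Program Files (x86)\Steam\Steam.exe`), so the test only runs on the reporter's machine and starts a real Steam client instead of the disposable `notepad.exe`. That is fine as a reproduction, but if it is meant to stay in the suite, read the DLL and target paths from configuration or environment variables and keep the `..\..\..\Etc\TestDll.dll` default. `Path.GetFullPath` on an already absolute path is redundant, and the report should state the bitness of `Dll1.dll` and of the target process, since neither is visible in the hunk.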
Bleak.Tests.InjectionTests.TestManualMap
Source: InjectionTests.cs line: 60
Duration: 185 ms
Message:
Bleak.Shared.Exceptions.PInvokeException : Failed to call VirtualProtectEx with error code 87
Stack Trace:
at MemoryManager.ProtectVirtualMemory(IntPtr baseAddress, Int32 protectionSize, MemoryProtectionType protectionType) in MemoryManager.cs line: 51
at MemoryManager.WriteVirtualMemory[TStructure](IntPtr baseAddress, TStructure structureToWrite) in MemoryManager.cs line: 120
at HijackThread.Call() in HijackThread.cs line: 128
at InjectionManager.InjectDll() in InjectionManager.cs line: 89
at Injector.InjectDll() in Injector.cs line: 118
at ManualMap.BuildImportTable() in ManualMap.cs line: 131
at ManualMap.Call() in ManualMap.cs line: 67
at InjectionManager.InjectDll() in InjectionManager.cs line: 89
at Injector.InjectDll() in Injector.cs line: 118
at InjectionTests.TestManualMap() in InjectionTests.cs line: 64
Only problem with this is that the .Net Process class can't find loaded modules. One option is to leverage some of the many methods to manually retrieve a module list. Another option is to create a method that uses the returned base address of the DLL to verify it was loaded into the remote process for both x86 and x64 which would solve this problem.
I have read your code at https://guidedhacking.com/threads/tls-internals-ldrphandletlsdata-and-friends.14960/
You reversed ntdll ManualHandleTlsData. Many thanks for sharing. But you did not specify which operating system your code fits.
Can your code be used in a win7 x64 32-bit process?
Happy to pay if you can help.
How would I inject using csharp 7.3 and bleak 2.6?
Using the ManualMapping method like this :
injector.ManualMap(p.Id, module);
I am getting AccessViolationException, even when running as administrator.
I receive the following exception on a target process when using either CreateThread or manualmap:
System.ArgumentException: An item with the same key has already been added. Key: -8
exception happens at:
Bleak/Bleak/RemoteProcess/ProcessManager.cs
Line 208 in d891950
OS: Windows 10 1909 18363.476
Dll: Any
Game: Counter-Strike Global Offensive / Discord (for testing)
Manual mapping seems to always fail for me when trying to inject into csgo, when compiled specifically for x32 it fails to read the NtQueryInformationProcess infos and when compiled for any or x64 it fails at ReadProcessMemory with error code 299
CreateThread fails on a UWP process, on all injectors (not bleak's fault), so I've tried manualmap using Bleak. I received the following exception. Please note that it IS possible using CheatEngine to inject the dll which also falls back to manual map the dll (bleak's fault):
System.AggregateException: 'Failed to call SymLoadModuleEx with error code 27.BoolToValueConverter`1[[Syst)'
PInvokeException: Failed to call SymLoadModuleEx with error code 2
StackTrace:
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at Bleak.ProgramDatabase.PdbFile..ctor(ManagedModule module, Boolean isWow64)
at Bleak.RemoteProcess.ManagedProcess.<.ctor>b__7_0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
at System.Lazy`1.get_Value()
at Bleak.Injection.Methods.ManualMap.EnableExceptionHandling()
at Bleak.Injection.Methods.ManualMap.Inject()
at Bleak.Injection.InjectionManager.InjectDll()
at Bleak.Injector.InjectDll()
Code:
    using (var injector = new Injector("process_uwp", path, InjectionMethod.ManualMap, InjectionFlags.None))
    {
        // Inject the DLL into the remote process
        var dllBaseAddress = injector.InjectDll();
        // Eject the DLL from the process
        injector.EjectDll();
    }
We spoke a bit on Discord about Byte Array injection from a remote address.
I was thinking that instead of having the dll stored on the user's hard drive you could use a function like this:
    private static byte[] DownloadFile(string url)
    {
        byte[] result = null;
        using (WebClient webClient = new WebClient())
        {
            result = webClient.DownloadData(url);
        }
        return result;
    }
In order to download the file directly into the program's memory as a Byte Array and then inject using that Array we just downloaded.
So that we in the end could do something like this (or similar):
injector.CreateRemoteThread("processName", DownloadFile("http://127.0.0.1:8080/path/to/thedll.dll"));
Looks like an exception is getting thrown right here
Bleak/Bleak/ProgramDatabase/PdbFile.cs
Line 137 in a246958
http://msdl.microsoft.com/download/symbols/wntdll.pdb/d83d1c3722bdde7415892bd3c509c7ff1/wntdll.pdb
Hi there,
I am currently experiencing the following error as soon as I want to install Bleak by using NuGet into a normal C# (Windows Forms) project.
Could not install package 'Bleak 2.7.1'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.7.2', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
Not really sure how I can fix this issue, also quite new to C# and Visual Studio.
Hope someone could help me out with this.
Thanks.