bleak's Issues

Managed Injection

Hey,

If you remember, you sent me a pull request regarding my DLL injector (FreeLibrary) etc.
Do you plan to support managed injection?

Greetings,
Daniel

Failed to call NtCreateThreadEx with error code 87

I receive the following exception when trying to inject a DLL into the Anno 1800 game:

Dll Injector failed with unknown error. Bleak.Shared.Exceptions.PInvokeException: Failed to call NtCreateThreadEx with error code 87 at Bleak.RemoteProcess.ManagedProcess.CallFunctionInternal(FunctionCall functionCall)

//edit: just to be clear the game is not protected and injecting using Cheat Engine works fine.

'Failed to query the remote process for the address of the WOW64 PEB with error code 0'

Hi there,

I am currently trying to inject a byte array into csgo.exe but unfortunately it gives me the following error when I try to execute that part of my code. I have no clue why this happens.

System.ComponentModel.Win32Exception: 'Failed to query the remote process for the address of the WOW64 PEB with error code 0'

It might be an issue with the byte array that I try to inject, not sure.

I hope you are able to help me out here.

x86 application problem with ntdll.dll

I have a problem with
GetNtDllAddress (SyscallManager.cs) -
return Process.GetCurrentProcess().Modules.Cast<ProcessModule>().First(module => module.ModuleName.Equals("ntdll.dll")).BaseAddress;

When I compile as x86, the application has problems because the app gets the address of the x64 ntdll.dll loaded in the application. I need to compile as x64 to fix this issue.

Thanks.

Exception when injecting an embedded resource.

I might have found an issue.
If I try to inject an embedded DLL resource the program will crash with the exception FileNotFound (System.Runtime).
This is the code I used:

var injector = new Injector(target.Id, Properties.Resources.DLL, InjectionMethod.ManualMap, InjectionFlags.None);
injector.InjectDll();

Also a second issue:
If I create a new Net Framework project and try to add Bleak using NuGet I get this error:

Could not install package 'Bleak 3.0.0'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.7.2', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.

Trying to inject dll causes Win32Exception on AnyCpu or x86 configurations

Done on an x64 machine.
Trying to inject an x64 DLL (as a byte array) into an x64 process when compiled with the x86 or AnyCpu configuration causes the following exceptions (depending on the method being used):
ManualMap

  • System.IO.FileNotFoundException: "No file exists at the provided location"

NtCreateThreadEx, QueueUserApc, RtlCreateUserThread, SetThreadContext and ZwCreateThreadEx

  • System.ComponentModel.Win32Exception: "Failed to find the address of the LoadLibraryW method in kernel32.dll with error code 1008"

(When compiled with the x64 configuration everything works fine.)
I assume that the ability to inject a DLL must only depend on the DLL's and the target process's architectures, not the injector's.

compatibilities

Make Bleak compatible with the old framework for VS2017, please.

ParseExportedFunctions nullpointer exception

This line was throwing an exception for me.

exportedFunctions.Find(exportedFunction => exportedFunction.Ordinal == exportedFunctionOrdinal).Name = exportedFunctionName;

I fixed it by doing this

var f = exportedFunctions.Find(exportedFunction => exportedFunction.Ordinal == exportedFunctionOrdinal);
if ( f != null)
{
    f.Name = exportedFunctionName;
}

I don't know what the issue with my DLL was, but this seemed like an easy fix, and the injection went fine afterwards.

Bug when ManualMapping after downloading PDB

Currently there's a bug when attempting to ManualMap directly after downloading the PDB with the new PDB parsing.

The stack trace is pretty extensive but the gist of it is

a callback was made on a garbage collected delegate

Simply stopping the program and re running it after this exception (as the file has been downloaded at this point) poses no problem and ManualMapping works as expected after, but this bug really needs to be fixed.

Feature request: Reflected injection

As promised, although a little delayed, I'm creating an issue to track the request for reflected DLL injection.

There is already manual mapping, which does some of the work.

A very nice example in C++, which combines Simon Fewer's original solution with some best practices when it comes to Microsoft/Windows injection:
https://github.com/dismantl/ImprovedReflectiveDLLInjection

The author also has a nice blog post on it:
https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html

Here is also an example of reflected injection in C#:
https://github.com/xorrior/RemoteRecon/blob/master/RemoteReconCore/Injector.cs

Request: Get exported functions

Some dlls have export functions. It would be great to get their memory address after injecting them with bleak using manualmap so we can call them using createremotethread.

//edit: Using manualmap, symbol handlers don't find the symbols like they do when injecting with createthread, so the injector would need to provide this information.

pass data to injected dll

Could you add a method for invoking a remote thread/method and passing a custom parameter?
I would like to pass a dynamically generated name for a named pipe.
Or is there already something like that implemented that I missed? It looks like the needed methods are only internal.

I don't want to use a constant pipe name. That way every injector has his own communication channel. Or do you have any other idea to solve this?

Feature request: Stealthier memory permissions

Hey @Akaion, exciting following the project.

Correct me if I'm wrong, but currently Bleak is just allocating memory with RWX permissions, like here, right?

If so, this is typically what EDR solutions look for on endpoints, so I think it would be a nice improvement to first allocate the memory with RW, and after copying over the data, change the permissions to RX.

What do you think?
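From the monitoring side, the signal this request refers to is a committed, private region whose protection is read-write-execute. The scanner below is an added example, not Bleak code and not part of the original issue; the names RwxRegionScanner and Scan are made up for the illustration, and it assumes an x64 build run with the target process id as its only argument.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not Bleak code. Build as x64 so every address fits in IntPtr.
static class RwxRegionScanner
{
    const uint ProcessQueryInformation = 0x0400;
    const uint MemCommit = 0x1000, MemPrivate = 0x20000, PageExecuteReadWrite = 0x40;
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr process, IntPtr address, out MEMORY_BASIC_INFORMATION info, IntPtr length);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    // Returns (base, size) for every committed, private region that is currently RWX.
    public static List<(long Base, long Size)> Scan(int processId)
    {
        var hits = new List<(long Base, long Size)>();
        IntPtr process = OpenProcess(ProcessQueryInformation, false, processId);
        if (process == IntPtr.Zero) throw new Win32Exception(); // wraps the last Win32 error
        try
        {
            long address = 0;
            var length = (IntPtr)Marshal.SizeOf<MEMORY_BASIC_INFORMATION>();
            // VirtualQueryEx returns 0 once the address is past the end of user space.
            while (VirtualQueryEx(process, (IntPtr)address, out var region, length) != IntPtr.Zero)
            {
                if (region.State == MemCommit && region.Type == MemPrivate && (region.Protect & 0xFF) == PageExecuteReadWrite)
                    hits.Add((region.BaseAddress.ToInt64(), region.RegionSize.ToInt64()));
                address = region.BaseAddress.ToInt64() + region.RegionSize.ToInt64();
            }
        }
        finally { CloseHandle(process); }
        return hits;
    }
    static void Main(string[] args)
    {
        foreach (var (start, size) in Scan(int.Parse(args[0]))) // args[0]: process id to inspect
            Console.WriteLine($"private RWX region at 0x{start:X}, {size} bytes");
    }
}
```

JIT-compiling runtimes can legitimately own regions like this, so a hit is a lead to correlate with other telemetry rather than a verdict.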

Inability to re-inject a DLL into a process after ejecting it when it has been injected with the HideDllFromPeb flag

There is a known issue where if you inject a DLL with the HideDllFromPeb flag, eject it and then attempt to inject it again, it will not inject. This is probably due to some sort of data structure maintaining a reference to the DLL and so when LoadLibrary is invoked, it thinks the DLL is already in the process.

I have yet to figure out what the problem is though, so if you have any ideas, feel free to let me know.

Deject -> Failed to call the entry point of the DLL in the remote process

After blocking the internet connection for Bleak as a workaround for #22 the injection seems successful, but on deject I received an exception. The message however confuses me because on injection it successfully? has called the entry point. Why does it call the entry point another time on deject and why does it fail?

Exception:

Bleak.Shared.Exceptions.RemoteFunctionCallException
  HResult=0x80131500
  Message=Failed to call the entry point of the DLL in the remote process
  Source=Bleak
  StackTrace:
   at Bleak.Injection.Extensions.EjectDll.Call(IntPtr remoteDllAddress)
   at Bleak.Injection.InjectionManager.EjectDll()
   at Bleak.Injector.EjectDll()

Code:

using (var injector = new Injector("process_uwp", path, InjectionMethod.ManualMap, InjectionFlags.None))
{
    // Inject the DLL into the remote process

    var dllBaseAddress = injector.InjectDll();

    // Eject the DLL from the process

    injector.EjectDll();
}

Manual map doesn't seem to work on WOW64 processes

How to reproduce:

  1. Compile empty 32-bit DLL with VS
  2. Modify tests like here:
diff --git a/Bleak.Tests/InjectionTests.cs b/Bleak.Tests/InjectionTests.cs
index 1c48e61..2768e1a 100644
--- a/Bleak.Tests/InjectionTests.cs
+++ b/Bleak.Tests/InjectionTests.cs
@@ -14,9 +14,9 @@ namespace Bleak.Tests
 
         public InjectionTests()
         {
-            _dllPath = Path.Combine(Path.GetFullPath(@"..\..\..\Etc\"), "TestDll.dll");
+            _dllPath = Path.Combine(Path.GetFullPath(@"C:\Users\LuK1337\source\repos\Dll1\Debug"), "Dll1.dll");
             
-            _process = new Process {StartInfo = {CreateNoWindow = true, FileName = "notepad.exe", UseShellExecute = true, WindowStyle = ProcessWindowStyle.Hidden}};
+            _process = new Process {StartInfo = {CreateNoWindow = true, FileName = @"C:\Program Files (x86)\Steam\Steam.exe", UseShellExecute = true, WindowStyle = ProcessWindowStyle.Hidden}};
             
             _process.Start();
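Review bot: the two replaced lines in the `InjectionTests()` constructor hard-code machine-specific absolute paths (`C:\Users\LuK1337\source\repos\Dll1\Debug` and `C:\Program Files (x86)\Steam\Steam.exe`), so the test can only run on the reporter's machine, and the existing `notepad.exe` case is replaced rather than kept. Consider keeping the relative `..\..\..\Etc\` lookup with a 32-bit test DLL stored beside `TestDll.dll`, and adding the WOW64 target as a separate test case so both the existing target and the 32-bit one are exercised.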
  3. Now it should fail with the following message:
 Bleak.Tests.InjectionTests.TestManualMap
   Source: InjectionTests.cs line: 60
   Duration: 185 ms

  Message: 
    Bleak.Shared.Exceptions.PInvokeException : Failed to call VirtualProtectEx with error code 87
  Stack Trace: 
    at MemoryManager.ProtectVirtualMemory(IntPtr baseAddress, Int32 protectionSize, MemoryProtectionType protectionType) in MemoryManager.cs line: 51
    at MemoryManager.WriteVirtualMemory[TStructure](IntPtr baseAddress, TStructure structureToWrite) in MemoryManager.cs line: 120
    at HijackThread.Call() in HijackThread.cs line: 128
    at InjectionManager.InjectDll() in InjectionManager.cs line: 89
    at Injector.InjectDll() in Injector.cs line: 118
    at ManualMap.BuildImportTable() in ManualMap.cs line: 131
    at ManualMap.Call() in ManualMap.cs line: 67
    at InjectionManager.InjectDll() in InjectionManager.cs line: 89
    at Injector.InjectDll() in Injector.cs line: 118
    at InjectionTests.TestManualMap() in InjectionTests.cs line: 64

Tests need to be written for x86 (WOW64) processes

Only problem with this is that the .Net Process class can't find loaded modules. One option is to leverage some of the many methods to manually retrieve a module list. Another option is to create a method that uses the returned base address of the DLL to verify it was loaded into the remote process for both x86 and x64 which would solve this problem.

GTA

How would I inject using C# 7.3 and Bleak 2.6?

AccessViolationException

Using the ManualMapping method like this :
injector.ManualMap(p.Id, module);
I am getting AccessViolationException, even when running as administrator.

Manual mapping fails

OS: Windows 10 1909 18363.476
Dll: Any
Game: Counter-Strike Global Offensive / Discord (for testing)

Manual mapping seems to always fail for me when trying to inject into csgo, when compiled specifically for x32 it fails to read the NtQueryInformationProcess infos and when compiled for any or x64 it fails at ReadProcessMemory with error code 299

System.AggregateException: Failed to call SymLoadModuleEx

CreateThread fails on a UWP process, on all injectors (not Bleak's fault), so I've tried manualmap using Bleak. I received the following exception. Please note that it IS possible using CheatEngine to inject the DLL, which also falls back to manual mapping the DLL (Bleak's fault):

System.AggregateException: 'Failed to call SymLoadModuleEx with error code 27.BoolToValueConverter`1[[Syst)'

PInvokeException: Failed to call SymLoadModuleEx with error code 2

  StackTrace:
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at Bleak.ProgramDatabase.PdbFile..ctor(ManagedModule module, Boolean isWow64)
   at Bleak.RemoteProcess.ManagedProcess.<.ctor>b__7_0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at Bleak.Injection.Methods.ManualMap.EnableExceptionHandling()
   at Bleak.Injection.Methods.ManualMap.Inject()
   at Bleak.Injection.InjectionManager.InjectDll()
   at Bleak.Injector.InjectDll()

Code:

using (var injector = new Injector("process_uwp", path, InjectionMethod.ManualMap, InjectionFlags.None))
{
    // Inject the DLL into the remote process

    var dllBaseAddress = injector.InjectDll();

    // Eject the DLL from the process

    injector.EjectDll();
}

Add support for Byte Array injection from remote address!

We spoke a bit on Discord about Byte Array injection from a remote address.
I was thinking that instead of having the DLL stored on the user's hard drive you could use a function like this:

    private static byte[] DownloadFile(string url)
    {
        byte[] result = null;

        using (WebClient webClient = new WebClient())
        {
            result = webClient.DownloadData(url);
        }

        return result;
    }

In order to download the file directly into the program's memory as a Byte Array and then inject using that Array we just downloaded.

So that we in the end could do something like this (or similar):

injector.CreateRemoteThread("processName", DownloadFile("http://127.0.0.1:8080/path/to/thedll.dll"));

NuGet Installation fails

Hi there,

I am currently experiencing the following error as soon as I want to install Bleak by using NuGet into a normal C# (Windows Forms) project.

Could not install package 'Bleak 2.7.1'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.7.2', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.

Not really sure how I can fix this issue, also quite new to C# and Visual Studio.
Hope someone could help me out with this.

Thanks.
