NuGet #12

Open
Trojaner opened this issue Jul 8, 2018 · 18 comments
Comments

@Trojaner

Trojaner commented Jul 8, 2018

Do you plan to upload this to NuGet?

@unknownv2
Owner

I do plan on uploading it to NuGet. Right now there are two more features I would like to add before releasing there:

  • Create process suspended and inject DLL (right now it just starts the process)
  • IPC Helper to notify the launching process when the DLL loading has completed.

unknownv2 self-assigned this Sep 4, 2018
@unknownv2
Owner

unknownv2 commented Nov 18, 2018

Hi @Trojaner,

I have uploaded the CoreHook project to NuGet and you can find an example that uses the NuGet package here: https://www.nuget.org/packages/CoreHook/ and the example: https://github.com/unknownv2/corehook-plugins

Does that work for what you needed?

@Trojaner
Author

Very nice!
I will check this out as soon as possible 👍

@ghost

ghost commented Dec 17, 2018

@unknownv2 do you still need help with creating a process suspended and injecting a dll?

@unknownv2
Owner

Hi @Akaion,

Yes, I would like help with that.

Currently, the Detours module has an export for creating and injecting a DLL into a suspended process but I'm not sure if there is a C# implementation of that.

When I used the Detours method, I wasn't able to figure out how to bring the Window to the front, as it would be hidden sometimes.

@ghost

ghost commented Dec 17, 2018

@unknownv2 Just some things I would like to clarify as I'm not sure I quite understand everything.

When you say the Detours module has an export to create and inject a DLL, are you saying that you want to create (in C#) a method to create a new (suspended) process and then inject a DLL into it?

@unknownv2
Owner

@Akaion Yes, an implementation like this:

https://github.com/unknownv2/CoreHook.Hooking/blob/master/src/creatwth.cpp#L791.

I'm not sure if something like DetourUpdateProcessWithDllEx (source: https://github.com/unknownv2/CoreHook.Hooking/blob/master/src/creatwth.cpp#L584) has been implemented in C# yet.

@ghost

ghost commented Dec 17, 2018

@unknownv2 I see. Seems relatively easy to do. Is there a method of injection you're wanting (does it need to be stealthy) or is CreateRemoteThread fine?

@unknownv2
Owner

@Akaion The stealthier methods would be preferred but CreateRemoteThread is fine as well since that might be easier to implement without any side-effects.

Do you have a method in mind that would be the stealthiest?

@ghost

ghost commented Dec 17, 2018

@unknownv2 If you utilize my injection library you can hijack a thread or manual map (manual mapping being the stealthiest).

If you don't want to use my library and want to integrate the injection method directly into your codebase, it wouldn't really be feasible to do one of the above stealthy methods as they are quite complex (it would be tedious to rewrite them in your code), so I would probably end up using RtlCreateUserThread or Zw/NtCreateThreadEx to avoid a call to CreateRemoteThread. However, these are much more easily detected than hijacking a thread or manual mapping.

@unknownv2
Owner

@Akaion Thank you for the information and suggestions, your library looks great.

I will play around with those methods and I would like to use the manual map method then if it is the stealthiest.

@ghost

ghost commented Dec 18, 2018

@unknownv2 No problem. I can write a method that does what you want later and then you could play around with it if you want?

@unknownv2
Owner

@Akaion, I would appreciate that a lot if you can please!

@ghost

ghost commented Dec 18, 2018

@unknownv2 Where do you want this done? I can't seem to find where you're starting the process (I swear I'm blind).

@ghost

ghost commented Dec 18, 2018

And just another question, why does the process need to be started suspended?

@unknownv2
Owner

@Akaion You can find the code that starts the process here: https://github.com/unknownv2/CoreHook/blob/master/src/CoreHook.BinaryInjection/RemoteInjection/RemoteInjector.cs#L85

I definitely need to better document the usage, I'm sorry about that.

I wanted to start the process suspended to inject any DLLs in case the program is monitoring for new DLLs being loaded. I believe this would give us the chance to load the DLL before the program's entry point as described here: https://github.com/Microsoft/Detours/wiki/DetourCreateProcessWithDllEx (correct me if I'm wrong!)

@ghost

ghost commented Dec 18, 2018

@unknownv2 I don't know of any anti-cheat / anti-tamper mechanisms that check for DLLs being loaded into a process as the only trigger (they usually check the headers etc.), as antiviruses also load DLLs into processes.

Even if this is the case, by manually mapping the DLL into the process, the process itself is unaware of any module being loaded (we essentially simulate LoadLibrary) and it can only be detected through very advanced memory scanning.

@unknownv2
Owner

@Akaion I did not know that! That sounds perfect then. We can continue the discussion for this here if that's alright with you: #113.

Thank you!
