-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error when injecting into CREATE_SUSPENDED process #13
Comments
Hi, This is unfortunately a limitation of the design of this library; it can't be used on a process that has started suspended. It is also the reason why I haven't really been updating this library ever since I released it; as I myself don't actively use it. I originally wrote this library for use with Reloaded-II around 3 years ago but had to go back to the drawing board because I unfortunately ran across this exact same issue. The exact specific reason comes down to What I wound up doing is creating a much, much more basic DLL Injector that spawns an x86 process to pass its address of Kernel32 to the main code using a memory mapped file process, injector, and reuse that in the DLL injection operation. Technically speaking, I could have done the same with this library; albeit the idea of using shellcode and PE parsing used here was pretty cool; and novel; so I kept it around. Unpacking and running a binary would also raise a lot of red flags from AV software. |
I appreciate the detailed description. I'll take a look at your other solution. I assume I can still use Reloaded.Hooks once injected? |
Yeah that'll work perfectly fine. |
I was thinking about this a bit when writing the spec for Reloaded3. I just gotta get rid of some bloat (namely remove the need for PeNet, and parse the PE header in memory of target process directly. Most of the code for that already exists actually; I just need to move it out to a separate NuGet package. |
Let me know when you do, then I can try and test it with my project. |
@Sewer56, hello, how are you? :) Do you have the time and motivation to finish this task? |
I started working on 2.X, but decided to abandon it mid way through. On the Reloaded-II had to switch over to using this fork/branch due to Defender suddenly disliking the old DLL Injection code, and me receiving around 200 user reports in the span of 2 days. That API is here and a prebuilt package is here. But do note, they were made over a weekend in an emergency and are not final. Main thing that's left to do with that code is some cleanup. I've been stripping dependencies etc. to decrease the DLL size, hope to get to around 1/5th of what the original Rust library was. I wouldn't get to work on this for some months though. I need to finish the Reloaded3 spec first, and then |
I try to use your syringe method, maybe i did something wrong: Is possible have minimal example to inject simple dll with hook in not c# process (i using easyhook_vs_reloadedhooks as template with .net 9, as you know not work with suspended process). Thanks a lot for your project. `using System; using dll_syringe.Net.Sys; using Reloaded.Injector; using static Vanara.PInvoke.Kernel32; class Program
}` |
Can't comment at the current time, I still never fully finalized the work there. That said, if you want some example usage, see the Reloaded-II repository. |
I get the following exception when I create an
Injector
for a suspended process:This is the code I use to create the process and inject.
If I create the process without the CREATE_SUSPENDED flag, it launches without any errors.
For context, I'm coming from EasyHook and was looking for a more updated alternative and found Reloaded.Injector/Reloaded.Hooks.
In EasyHook, injecting into a suspended thread works as expected, where I then resume the thread from inside when I'm ready.
The text was updated successfully, but these errors were encountered: