bananabr/CLRInjector
Disclaimer

This tool is provided for educational purposes only. Any actions and activities related to the material contained within this repository are solely your responsibility. Misusing this tool can result in criminal charges against the persons in question. The author will not be held responsible if any criminal charges are brought against any individuals misusing the provided tool to break the law.

What is this?

A proof-of-concept process injection tool that combines ideas from Adam Chester's (@XPN) "Weird Ways to Run Unmanaged Code in .NET" and Ceri Coburn's (@EthicalChaos) "Needles Without The Thread: Threadless Process Injection".

How does it work?

  • List target processes
      CLRInjector.exe --ps
  • Dump the GC heap (similar to SOS.dll !dumpheap)
      CLRInjector.exe <pid|process_name> --dump-obj
  • Dump a method table (similar to SOS.dll !dumpmt)
      CLRInjector.exe <pid|process_name> --dump-mt 0x1122334455667788
  • Dump a method descriptor (similar to SOS.dll !dumpmd)
      CLRInjector.exe <pid|process_name> --dump-md 0x1122334455667788
  • Dump trampolines (the injection targets)
      CLRInjector.exe <pid|process_name> --dump-trampolines
  • Hook a JIT-compiled method and load the shellcode into a pre-existing RWX segment
      CLRInjector.exe <pid|process_name> --inject <payload path> <method_desc>

Usage example

Known issues

  • To reserve space for the shellcode, the tool updates the JIT manager's loader code heap allocation pointer, m_pAllocPtr, so that future JIT allocations do not overwrite the payload. This introduces a possible race condition: if the JIT manager updates m_pAllocPtr after the tool has read it but before the tool has patched it, the reservation is lost.
  • For now, the shellcode must support being called as a function and returning; otherwise it may crash the target process. A generic stub that runs the shellcode on its own thread would most likely solve this.

References

Todo

PRs are always welcome!

  • Support for x86 targets
  • Generic shellcode support
  • Migrate P/Invoke calls to D/Invoke
  • Clean up the code
  • Support real slots in the MethodTable

About

A PoC .NET-specific process injection tool
