Adding native code to .Net-file

Hello.

I was screwing around a bit with the exe-files produced by .Net
compilers and trying to understand how they work... so I ended up at the
6-byte stub, which calls the _CorExeMain in mscoree.dll... so I thought
"Hey, that's how it tells the Framework that it shall load it as a .Net
program...". So I built some native code into it which should have been
executed before the .Net program itself gets loaded. Trying that on an
XP machine, I realized that it did not work quite the way I expected it
to. So after some research I found out that it would possibly work on
any other system than XP, because of the executable-loader, which was
designed with .Net in mind. So the XP executable-loader does realize by
itself that the program is designed for .Net and it becomes loaded
immediately, without the native code in it being executed. Also I read
that the loader knows that by reading the 14th directory in the
PE-Header, and thinks it is .Net when the 14th directory exists and is
not 0. So I tried to replace both the offset and size in the 14th dir.
with 0 and my native code got loaded... but then the .Net part of the
program did not get loaded, so I was pretty much staring at my screen
and not knowing what to do then. So I finally ended up here and ask the
question: Is there actually a way to bury my native code in a .Net
program and have both of the code loaded (.Net AND native)?

Thanks in advance,
Daniel
Jan 14 '06 #1
"Daniel Dünker" <dd******@uni-koblenz.de> wrote in message
news:dq**********@cache.uni-koblenz.de...
> So I finally ended up here and ask the question: Is there actually a way to
> bury my native code in a .Net program and have both of the code loaded
> (.Net AND native)?

Both Managed C++ (VS2003) and C++/CLI (VS2005) allow you to mix native and
managed code in the same executable. In fact you can mix modes in the same
module.

As far as I know, there is no other .Net language of MS that allows you to
do that.

Regards,
Will
Jan 14 '06 #2
On Sat, 14 Jan 2006 01:17:05 +0100, Daniel Dünker
<dd******@uni-koblenz.de> wrote:
> So I finally ended up here and ask the
> question: Is there actually a way to bury my native code in a .Net
> program and have both of the code loaded (.Net AND native)?

William has given a very good answer. For a more hacker-type answer
just put something on the end of your native code to start off the
.NET code.

rossum

--

The ultimate truth is that there is no ultimate truth
Jan 14 '06 #3
William DePalo [MVP VC++] wrote:
> "Daniel Dünker" <dd******@uni-koblenz.de> wrote in message
> news:dq**********@cache.uni-koblenz.de...
> > So I finally ended up here and ask the question: Is there actually a way to
> > bury my native code in a .Net program and have both of the code loaded
> > (.Net AND native)?
>
> Both Managed C++ (VS2003) and C++/CLI (VS2005) allow you to mix native and
> managed code in the same executable. In fact you can mix modes in the same
> module.
>
> As far as I know, there is no other .Net language of MS that allows you to
> do that.
>
> Regards,
> Will

My intention was to alter the executable after compilation, because
the compiler leaves some space in which I could bury lots of native
code after the 6-byte stub which loads the mscoree.dll

-Daniel
Jan 16 '06 #4
"Daniel Dünker" <dd******@uni-koblenz.de> wrote in message
news:dq**********@cache.uni-koblenz.de...
> My intention was to alter the executable after compilation, because the
> compiler leaves some space in which I could bury lots of native code
> after the 6-byte stub which loads the mscoree.dll

Why do you feel the need to resort to hackery?

Regards,
Will
Jan 16 '06 #5
Daniel Dünker wrote:
> Hello.
>
> the executable-loader, which was designed with .Net in mind. So the
> XP executable-loader does realize by itself that the program is
> designed for .Net and it becomes loaded immediately, without the
> native code in it being executed. Also I read that the loader knows
> that by reading the 14th directory in the PE-Header, and thinks it is
> .Net when the 14th directory exists and is not 0. So I tried to

Yup, location 14 is the 'COM Descriptor Directory', which actually means
that the file is managed; you get the table pointed to by this directory
with dumpbin /clrheader.

> replace both the offset and size in the 14th dir. with 0 and my native
> code got loaded... but then the .Net part of the program did not
> get loaded, so I was pretty much staring at my screen and not knowing
> what to do then.

Naughty. You have become a virus by injecting your own code into the
process. It is for this very reason that on XP and later the unmanaged
entry point is not used. When a managed file is loaded there is no way
that native code will be run outside of .NET security.

> So I finally ended up here and ask the question: Is
> there actually a way to bury my native code in a .Net program and
> have both of the code loaded (.Net AND native)?

Not really. You could write your own host, but that will mean that your
users will have to run your host process instead of the process you are
trying to hijack. If the assembly calls native code through managed C++
IJW it is possible for you to change the address held in metadata to
point to your code, but any code that runs IJW must have code access
security full trust.

If an assembly has a strong name then as a side effect the hash of the
assembly is checked against the strong name and this will detect any
alterations you have done to the metadata (however on 1.0 and 1.1 it is
possible to further alter an assembly to prevent this check).

Richard
--
Fusion Tutorial: http://www.grimes.demon.co.uk/workshops/fusionWS.htm
Security Tutorial:
http://www.grimes.demon.co.uk/workshops/securityWS.htm
Jan 17 '06 #6
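
An added example, not from any of the posters: a Python check for the two things this reply describes, reading data directory 14 to decide whether a PE32 image is managed, and confirming that the native entry point is still the 6-byte `jmp [_CorExeMain]` stub (opcode `FF 25`). The function names, the sample image and its RVAs are constructed for illustration, and only classic PE32 (x86) .NET Framework executables are assumed.

```python
import struct
# Added illustration: function names and all sample values are made up.
CLR_DIR = 14  # data directory index; the "COM Descriptor Directory"

def inspect_pe(data):
    """Report whether a PE32 image is managed and whether its native entry
    point still holds the 6-byte import jump (FF 25 <addr>)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    optsize = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_rva = clr_size = 0
    if ndirs > CLR_DIR:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + 96 + 8 * CLR_DIR)
    stub = b""  # bytes at the entry point, found through the section table
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + optsize + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            off = rptr + entry_rva - vaddr
            stub = data[off:off + 6]
    return {"managed": clr_rva != 0 and clr_size != 0,
            "clr_dir": (clr_rva, clr_size),
            "entry_is_clr_stub": len(stub) == 6 and stub[:2] == b"\xff\x25"}

def build_sample(clr_dir=(0x2008, 0x48), stub=b"\xff\x25\x00\x20\x40\x00"):
    """Constructed, non-runnable PE32 skeleton: headers plus one .text section."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)           # i386, one section
    struct.pack_into("<H", img, 0x80 + 20, 0xE0)           # SizeOfOptionalHeader
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2050)          # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * CLR_DIR, *clr_dir)
    sec = opt + 0xE0
    img[sec:sec + 5] = b".text"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x2000, 0x200, 0x200)
    img[0x250:0x256] = stub                                # file offset of RVA 0x2050
    return bytes(img)
```

A managed image whose entry point no longer starts with `FF 25`, or an image with a zeroed directory 14 that still carries the stub, is the kind of post-build alteration discussed in this thread and worth a closer look.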
William DePalo [MVP VC++] wrote:
> "Daniel Dünker" <dd******@uni-koblenz.de> wrote in message
> news:dq**********@cache.uni-koblenz.de...
> > My intention was to alter the executable after compilation, because the
> > compiler leaves some space in which I could bury lots of native code
> > after the 6-byte stub which loads the mscoree.dll
>
> Why do you feel the need to resort to hackery?
>
> Regards,
> Will

Well, I saw all the free space in it, and wondered if it could be of
any use :)

-Daniel
Jan 18 '06 #7
Richard Grimes wrote:
> Daniel Dünker wrote:
> > Hello.
> >
> > the executable-loader, which was designed with .Net in mind. So the
> > XP executable-loader does realize by itself that the program is
> > designed for .Net and it becomes loaded immediately, without the
> > native code in it being executed. Also I read that the loader knows
> > that by reading the 14th directory in the PE-Header, and thinks it is
> > .Net when the 14th directory exists and is not 0. So I tried to
>
> Yup, location 14 is the 'COM Descriptor Directory', which actually means
> that the file is managed; you get the table pointed to by this directory
> with dumpbin /clrheader.
>
> > replace both the offset and size in the 14th dir. with 0 and my native
> > code got loaded... but then the .Net part of the program did not
> > get loaded, so I was pretty much staring at my screen and not knowing
> > what to do then.
>
> Naughty. You have become a virus by injecting your own code into the
> process. It is for this very reason that on XP and later the unmanaged
> entry point is not used. When a managed file is loaded there is no way
> that native code will be run outside of .NET security.
>
> > So I finally ended up here and ask the question: Is
> > there actually a way to bury my native code in a .Net program and
> > have both of the code loaded (.Net AND native)?
>
> Not really. You could write your own host, but that will mean that your
> users will have to run your host process instead of the process you are
> trying to hijack. If the assembly calls native code through managed C++
> IJW it is possible for you to change the address held in metadata to
> point to your code, but any code that runs IJW must have code access
> security full trust.
>
> If an assembly has a strong name then as a side effect the hash of the
> assembly is checked against the strong name and this will detect any
> alterations you have done to the metadata (however on 1.0 and 1.1 it is
> possible to further alter an assembly to prevent this check).
>
> Richard

Wow, that's quite a satisfying answer. Thanks for the work you had with
this one. Sad that all this space seems to be wasted. Also it seems
that because of the things you mentioned the usual executable packers
are not able to get rid of this waste...

Thank you very much for your answer
-Daniel
Jan 18 '06 #8
