.NET程序集注入非托管进程技术详解<\/h1>

1. 概述<\/h2>
本文详细介绍了如何将.NET程序集注入到非托管进程中执行的技术。主要内容包括：<\/p>
在非托管进程中启动.NET CLR(公共语言运行时)<\/li>
加载自定义.NET程序集<\/li>
在非托管进程中执行托管代码<\/li>
跨架构(32位\/64位)注入技术<\/li> <\/ul>
2. 核心目标<\/h2>
不考虑架构在任意进程中启动.NET CLR<\/li>
在任意进程中加载自定义.NET程序<\/li>
在任意进程中执行托管代码<\/li> <\/ol>
3. 技术实现步骤<\/h2>

3.1 加载CLR(初级)<\/h3>
在非托管进程中启动.NET Framework的基本方法：<\/p>
#include<\/span> <metahost.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "mscoree.lib")
<\/span><\/span><\/span>#import "mscorlib.tlb" raw_interfaces_only \
<\/span><\/span><\/span>    high_property_prefixes("_get","_put","_putref") \
<\/span><\/span><\/span>    rename("ReportEvent", "InteropServices_ReportEvent")
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> wmain<\/span>(int<\/span> argc, wchar_t<\/span>*<\/span> argv[])
<\/span><\/span>{
<\/span><\/span>    HRESULT hr;
<\/span><\/span>    ICLRMetaHost *<\/span>pMetaHost =<\/span> NULL;
<\/span><\/span>    ICLRRuntimeInfo *<\/span>pRuntimeInfo =<\/span> NULL;
<\/span><\/span>    ICLRRuntimeHost *<\/span>pClrRuntimeHost =<\/span> NULL;
<\/span><\/span>    
<\/span><\/span>    \/\/ 构建运行时
<\/span><\/span><\/span><\/span>    hr =<\/span> CLRCreateInstance(CLSID_CLRMetaHost, IID_PPV_ARGS(&<\/span>pMetaHost));
<\/span><\/span>    hr =<\/span> pMetaHost-><\/span>GetRuntime(L<\/span>"v4.0.30319"<\/span>, IID_PPV_ARGS(&<\/span>pRuntimeInfo));
<\/span><\/span>    hr =<\/span> pRuntimeInfo-><\/span>GetInterface(CLSID_CLRRuntimeHost, IID_PPV_ARGS(&<\/span>pClrRuntimeHost));
<\/span><\/span>    
<\/span><\/span>    \/\/ 启动运行时
<\/span><\/span><\/span><\/span>    hr =<\/span> pClrRuntimeHost-><\/span>Start();
<\/span><\/span>    
<\/span><\/span>    \/\/ 释放资源
<\/span><\/span><\/span><\/span>    pMetaHost-><\/span>Release();
<\/span><\/span>    pRuntimeInfo-><\/span>Release();
<\/span><\/span>    pClrRuntimeHost-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键API说明：<\/p>

CLRCreateInstance<\/code>: 获取ICLRMetaHost<\/code>接口指针<\/li>
ICLRMetaHost::GetRuntime<\/code>: 获取特定.NET运行时的ICLRRunTimeInfo<\/code>指针<\/li>
ICLRRunTimeInfo::GetInterface<\/code>: 将CLR加载到当前进程并获取ICLRRuntimeHost<\/code>指针<\/li>
ICLRRuntimeHost::Start<\/code>: 显式启动CLR<\/li>
<\/ul>
3.2 加载CLR(高级)<\/h3>
加载自定义.NET程序集并调用方法：<\/p>
\/\/ 执行托管程序集
<\/span><\/span><\/span><\/span>DWORD pReturnValue;
<\/span><\/span>hr =<\/span> pClrRuntimeHost-><\/span>ExecuteInDefaultAppDomain(
<\/span><\/span>    L<\/span>"T:<\/span>\\<\/span>FrameworkInjection<\/span>\\<\/span>_build<\/span>\\<\/span>debug<\/span>\\<\/span>anycpu<\/span>\\<\/span>InjectExample.exe"<\/span>,
<\/span><\/span>    L<\/span>"InjectExample.Program"<\/span>,
<\/span><\/span>    L<\/span>"EntryPoint"<\/span>,
<\/span><\/span>    L<\/span>"hello .net runtime"<\/span>,
<\/span><\/span>    &<\/span>pReturnValue);
<\/span><\/span><\/code><\/pre>ExecuteInDefaultAppDomain<\/code>参数说明：<\/p>

pwzAssemblyPath<\/code>: .NET程序(exe\/dll)的完整路径<\/li>
pwzTypeName<\/code>: 要调用的方法的完整类名<\/li>
pwzMethodName<\/code>: 要调用的方法名<\/li>
pwzArgument<\/code>: 传递给方法的可选参数<\/li>
pReturnValue<\/code>: 方法返回值<\/li>
<\/ol>
可调用的方法必须具有签名：static int MethodName(String argument)<\/code><\/p>
示例.NET程序：<\/p>
using<\/span> System;
<\/span><\/span>using<\/span> System.Windows.Forms;
<\/span><\/span>
<\/span><\/span>namespace<\/span> InjectExample
<\/span><\/span>{
<\/span><\/span>    public<\/span> class<\/span> Program<\/span>
<\/span><\/span>    {
<\/span><\/span>        static<\/span> int<\/span> EntryPoint(String pwzArgument)
<\/span><\/span>        {
<\/span><\/span>            System.Media.SystemSounds.Beep.Play();
<\/span><\/span>            MessageBox.Show(
<\/span><\/span>                "I am a managed app.\n\n"<\/span> +
<\/span><\/span>                "I am running inside: ["<\/span> +
<\/span><\/span>                System.Diagnostics.Process.GetCurrentProcess().ProcessName + "]\n\n"<\/span> +
<\/span><\/span>                (String.IsNullOrEmpty(pwzArgument) ? 
<\/span><\/span>                    "I was not given an argument"<\/span> : 
<\/span><\/span>                    "I was given this argument: ["<\/span> + pwzArgument + "]"<\/span>));
<\/span><\/span>            return<\/span> 0<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 DLL注入(基础)<\/h3>
基本DLL注入技术：<\/p>
#define WIN32_LEAN_AND_MEAN
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>BOOL APIENTRY DllMain<\/span>(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
<\/span><\/span>{
<\/span><\/span>    switch<\/span> (ul_reason_for_call)
<\/span><\/span>    {
<\/span><\/span>        case<\/span> DLL_PROCESS_ATTACH:
<\/span><\/span>        case<\/span> DLL_THREAD_ATTACH:
<\/span><\/span>        case<\/span> DLL_THREAD_DETACH:
<\/span><\/span>        case<\/span> DLL_PROCESS_DETACH:
<\/span><\/span>            break<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> TRUE;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注入函数实现：<\/p>
DWORD_PTR Inject<\/span>(const<\/span> HANDLE hProcess, const<\/span> LPVOID function, const<\/span> wstring&<\/span> argument)
<\/span><\/span>{
<\/span><\/span>    \/\/ 在远程进程中分配内存
<\/span><\/span><\/span><\/span>    LPVOID baseAddress =<\/span> VirtualAllocEx(hProcess, NULL, GetStringAllocSize(argument), 
<\/span><\/span>                                       MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span>    
<\/span><\/span>    \/\/ 将参数写入远程进程
<\/span><\/span><\/span><\/span>    WriteProcessMemory(hProcess, baseAddress, argument.c_str(), 
<\/span><\/span>                       GetStringAllocSize(argument), NULL);
<\/span><\/span>    
<\/span><\/span>    \/\/ 在远程进程中调用函数
<\/span><\/span><\/span><\/span>    HANDLE hThread =<\/span> CreateRemoteThread(hProcess, NULL, 0<\/span>, 
<\/span><\/span>                                       (LPTHREAD_START_ROUTINE)function, 
<\/span><\/span>                                       baseAddress, NULL, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 等待线程退出
<\/span><\/span><\/span><\/span>    WaitForSingleObject(hThread, INFINITE);
<\/span><\/span>    
<\/span><\/span>    \/\/ 释放远程进程中的内存
<\/span><\/span><\/span><\/span>    VirtualFreeEx(hProcess, baseAddress, 0<\/span>, MEM_RELEASE);
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取线程退出代码
<\/span><\/span><\/span><\/span>    DWORD exitCode =<\/span> 0<\/span>;
<\/span><\/span>    GetExitCodeThread(hThread, &<\/span>exitCode);
<\/span><\/span>    
<\/span><\/span>    \/\/ 关闭线程句柄
<\/span><\/span><\/span><\/span>    CloseHandle(hThread);
<\/span><\/span>    
<\/span><\/span>    return<\/span> exitCode;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.4 DLL注入(高级)<\/h3>
获取远程模块句柄：<\/p>
DWORD_PTR GetRemoteModuleHandle<\/span>(const<\/span> int<\/span> processId, const<\/span> wchar_t<\/span>*<\/span> moduleName)
<\/span><\/span>{
<\/span><\/span>    MODULEENTRY32 me32;
<\/span><\/span>    HANDLE hSnapshot =<\/span> INVALID_HANDLE_VALUE;
<\/span><\/span>    
<\/span><\/span>    me32.dwSize =<\/span> sizeof<\/span>(MODULEENTRY32);
<\/span><\/span>    hSnapshot =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processId);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (!<\/span>Module32First(hSnapshot, &<\/span>me32))
<\/span><\/span>    {
<\/span><\/span>        CloseHandle(hSnapshot);
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    while<\/span> (wcscmp(me32.szModule, moduleName) !=<\/span> 0<\/span> &&<\/span> Module32Next(hSnapshot, &<\/span>me32));
<\/span><\/span>    
<\/span><\/span>    CloseHandle(hSnapshot);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (wcscmp(me32.szModule, moduleName) ==<\/span> 0<\/span>)
<\/span><\/span>        return<\/span> (DWORD_PTR)me32.modBaseAddr;
<\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>计算函数偏移量：<\/p>
DWORD_PTR GetFunctionOffset<\/span>(const<\/span> wstring&<\/span> library, const<\/span> char<\/span>*<\/span> functionName)
<\/span><\/span>{
<\/span><\/span>    \/\/ 在当前进程加载库
<\/span><\/span><\/span><\/span>    HMODULE hLoaded =<\/span> LoadLibrary(library.c_str());
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取函数地址
<\/span><\/span><\/span><\/span>    void<\/span>*<\/span> lpInject =<\/span> GetProcAddress(hLoaded, functionName);
<\/span><\/span>    
<\/span><\/span>    \/\/ 计算基地址和函数地址之间的偏移量
<\/span><\/span><\/span><\/span>    DWORD_PTR offset =<\/span> (DWORD_PTR)lpInject -<\/span> (DWORD_PTR)hLoaded;
<\/span><\/span>    
<\/span><\/span>    \/\/ 卸载库
<\/span><\/span><\/span><\/span>    FreeLibrary(hLoaded);
<\/span><\/span>    
<\/span><\/span>    return<\/span> offset;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.5 综合利用<\/h3>
完整注入流程：<\/p>

注入Bootstrap.dll到远程进程<\/li>
计算ImplantDotNetAssembly函数在远程进程中的地址<\/li>
调用该函数加载CLR和执行.NET程序集<\/li>
卸载Bootstrap.dll<\/li>
<\/ol>
int<\/span> wmain<\/span>(int<\/span> argc, wchar_t<\/span>*<\/span> argv[])
<\/span><\/span>{
<\/span><\/span>    \/\/ 解析参数 (-m -i -l -a -n)
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>ParseArgs(argc, argv)) {
<\/span><\/span>        PrintUsage();
<\/span><\/span>        return<\/span> -<\/span>1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 启用调试权限
<\/span><\/span><\/span><\/span>    EnablePrivilege(SE_DEBUG_NAME, TRUE);
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取远程进程句柄
<\/span><\/span><\/span><\/span>    HANDLE hProcess =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, g_processId);
<\/span><\/span>    
<\/span><\/span>    \/\/ 注入bootstrap.dll到远程进程
<\/span><\/span><\/span><\/span>    FARPROC fnLoadLibrary =<\/span> GetProcAddress(GetModuleHandle(L<\/span>"Kernel32"<\/span>), "LoadLibraryW"<\/span>);
<\/span><\/span>    Inject(hProcess, fnLoadLibrary, GetBootstrapPath());
<\/span><\/span>    
<\/span><\/span>    \/\/ 计算远程进程中函数的地址
<\/span><\/span><\/span><\/span>    DWORD_PTR hBootstrap =<\/span> GetRemoteModuleHandle(g_processId, BOOTSTRAP_DLL);
<\/span><\/span>    DWORD_PTR offset =<\/span> GetFunctionOffset(GetBootstrapPath(), "ImplantDotNetAssembly"<\/span>);
<\/span><\/span>    DWORD_PTR fnImplant =<\/span> hBootstrap +<\/span> offset;
<\/span><\/span>    
<\/span><\/span>    \/\/ 构建参数
<\/span><\/span><\/span><\/span>    wstring argument =<\/span> g_moduleName +<\/span> DELIM +<\/span> g_typeName +<\/span> DELIM +<\/span> 
<\/span><\/span>                       g_methodName +<\/span> DELIM +<\/span> g_Argument;
<\/span><\/span>    
<\/span><\/span>    \/\/ 注入托管程序集到远程进程
<\/span><\/span><\/span><\/span>    Inject(hProcess, (LPVOID)fnImplant, argument);
<\/span><\/span>    
<\/span><\/span>    \/\/ 从远程进程中卸载bootstrap.dll
<\/span><\/span><\/span><\/span>    FARPROC fnFreeLibrary =<\/span> GetProcAddress(GetModuleHandle(L<\/span>"Kernel32"<\/span>), "FreeLibrary"<\/span>);
<\/span><\/span>    CreateRemoteThread(hProcess, NULL, 0<\/span>, (LPTHREAD_START_ROUTINE)fnFreeLibrary, 
<\/span><\/span>                      (LPVOID)hBootstrap, NULL, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 关闭进程句柄
<\/span><\/span><\/span><\/span>    CloseHandle(hProcess);
<\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 关键注意事项<\/h2>


架构兼容性<\/strong>：<\/p>

x86架构的Inject.exe和Bootstrap.dll用于注入x86进程<\/li>
x64架构用于注入x64进程<\/li>
AnyCPU目标平台可以注入到x86或x64进程中<\/li>
<\/ul>
<\/li>

CLR初始化限制<\/strong>：<\/p>

避免在DllMain中启动CLR，会导致Windows加载器锁死<\/li>
参考MSDN文档：

loaderLock MDA<\/a><\/li>
Initialization of Mixed Assemblies<\/a><\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

方法签名要求<\/strong>：<\/p>

通过ExecuteInDefaultAppDomain<\/code>调用的方法必须为：

static int MethodName(String argument)<\/code><\/li>
<\/ul>
<\/li>

版本兼容性<\/strong>：<\/p>

ICLRMetaHost::GetRuntime<\/code>支持的版本：

V1.0.3705<\/li>
V1.1.4322<\/li>
V2.0.50727<\/li>
V4.0.30319<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
5. 实用工具扩展<\/h2>
使用.NET反射API扫描程序集获取可注入方法：<\/p>
\/\/ 查找匹配签名的方法：static int MethodName(String argument)<\/span>
<\/span><\/span>private<\/span> void<\/span> ExtractInjectableMethods()
<\/span><\/span>{
<\/span><\/span>    Assembly asm = Assembly.LoadFile(ManagedFilename);
<\/span><\/span>    
<\/span><\/span>    InjectableMethods = (from<\/span> c in<\/span> asm.GetTypes()
<\/span><\/span>                        from<\/span> m in<\/span> c.GetMethods(BindingFlags.Static | 
<\/span><\/span>                                             BindingFlags.Public | 
<\/span><\/span>                                             BindingFlags.NonPublic)
<\/span><\/span>                        where<\/span> m.ReturnType == typeof<\/span>(int<\/span>) && 
<\/span><\/span>                              m.GetParameters().Length == 1<\/span> && 
<\/span><\/span>                              m.GetParameters().First().ParameterType == typeof<\/span>(string<\/span>)
<\/span><\/span>                        select<\/span> new<\/span> MethodItem {
<\/span><\/span>                            Name = m.Name,
<\/span><\/span>                            ParameterName = m.GetParameters().First().Name,
<\/span><\/span>                            TypeName = m.ReflectedType.FullName
<\/span><\/span>                        }).ToList();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 编译环境要求<\/h2>


开发环境<\/strong>：<\/p>

Visual Studio 2012 Express+<\/li>
Visual Studio 2012 Express Update 1+<\/li>
<\/ul>
<\/li>

运行环境<\/strong>：<\/p>

.NET Framework 4.0+<\/li>
Visual C++ Redistributable for Visual Studio 2012 Update 1+<\/li>
Windows XP SP3+<\/li>
<\/ul>
<\/li>
<\/ul>
7. 命令行参数<\/h2>
Inject应用程序支持以下参数：<\/p>



参数<\/th>
描述<\/th>
示例<\/th>
<\/tr>
<\/thead>


-m<\/td>
要执行的托管方法名<\/td>
EntryPoint<\/td>
<\/tr>

-i<\/td>
托管程序的完整路径<\/td>
C:\InjectExample.exe<\/td>
<\/tr>

-l<\/td>
程序集的完整类名<\/td>
InjectExample.Program<\/td>
<\/tr>

-a<\/td>
传递给方法的参数<\/td>
"hello inject"<\/td>
<\/tr>

-n<\/td>
进程ID或名称<\/td>
1500 或 notepad.exe<\/td>
<\/tr>
<\/tbody>
<\/table>
示例命令：<\/p>
Inject.exe -m EntryPoint -i "C:\InjectExample.exe" -l InjectExample.Program -a "hello inject" -n "notepad.exe"
<\/code><\/pre>
8. 总结<\/h2>
本文详细介绍了将.NET程序集注入非托管进程的完整技术方案，包括：<\/p>

在非托管进程中启动CLR<\/li>
加载和执行自定义.NET程序集<\/li>
跨进程DLL注入技术<\/li>
跨架构兼容性处理<\/li>
实用工具扩展<\/li>
<\/ol>
通过结合非托管代码的灵活性和.NET的强大功能，可以实现强大的进程注入能力，适用于各种特殊场景的需求。<\/p>
参数<\/th>	描述<\/th>	示例<\/th> <\/tr> <\/thead>
-m<\/td>	要执行的托管方法名<\/td>	EntryPoint<\/td> <\/tr>
-i<\/td>	托管程序的完整路径<\/td>	C:\InjectExample.exe<\/td> <\/tr>
-l<\/td>	程序集的完整类名<\/td>	InjectExample.Program<\/td> <\/tr>
-a<\/td>	传递给方法的参数<\/td>	"hello inject"<\/td> <\/tr>
-n<\/td>	进程ID或名称<\/td>	1500 或 notepad.exe<\/td> <\/tr> <\/tbody> <\/table> 示例命令：<\/p> Inject.exe -m EntryPoint -i "C:\InjectExample.exe" -l InjectExample.Program -a "hello inject" -n "notepad.exe" <\/code><\/pre> 8. 总结<\/h2> 本文详细介绍了将.NET程序集注入非托管进程的完整技术方案，包括：<\/p> 在非托管进程中启动CLR<\/li> 加载和执行自定义.NET程序集<\/li> 跨进程DLL注入技术<\/li> 跨架构兼容性处理<\/li> 实用工具扩展<\/li> <\/ol> 通过结合非托管代码的灵活性和.NET的强大功能，可以实现强大的进程注入能力，适用于各种特殊场景的需求。<\/p>