📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









How to hook managed processes?

Topic created on: March 13, 2011 11:36 CDT by Usman.

Hello,

I need to hook managed (C#, C++/CLI) processes. I need to find and send information about how many windows it has (its associated controls and their properties) to the target application, which is written in C# managed code.

For that, what do I need to do?
Do I need to explore the IAT (Import Address Table) and EAT (Export Address Table) of that managed process?
Do I need to write an injector DLL in C++?
What else, apart from changing the IAT and EAT, do I need?

Regards
Usman



  cod     March 17, 2011 04:59.54 CDT
Read the "Managed Code Rootkits" book. It contains useful information about this topic.

A managed process normally uses references to runtime classes, not the native API of the OS.

  Usman     March 18, 2011 10:12.08 CDT
Actually I need to attach to a running managed C# process.

After attaching to the process I need to get the properties of all the controls associated with that process's windows.

One by one I will iterate the windows of that attached process, will enumerate all the controls associated with that window (will get the control's id, name, color, position, size etc.), and will send this whole info to the other app, or the app which attached the other apps (actually that app, as host, again needs to redraw the same controls using that information. Don't ask why I need to do this :-))

  omeg     March 19, 2011 07:57.36 CDT
Read about unmanaged CLR hosting APIs.
1. Create managed DLL (assembly) containing your code that will run in the target (managed) process. Use reflection/IPC or other techniques to get information you want and send it to your other process.
2. Create unmanaged DLL that uses ICLRRuntimeHost to load second-stage managed assembly from step 1.
3. Use any DLL injection technique to inject unmanaged "proxy" from step 2 into target process.
4. ???
5. Profit!

Basically you load your managed type from step 1 assembly into target process using ICLRRuntimeHost->ExecuteInDefaultAppDomain(). This executes some method from your assembly in the target process. Once there you can use reflection to get type/object information, enumerate GUI controls as you like, or even invoke their methods (just be aware of threading issues).
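
A sketch of the managed stage from step 1, added here as an example and not code posted in the thread. It assumes the target is a Windows Forms application; the names `InspectorStage`, `Entry`, `Run` and the output-file argument are hypothetical, and a file stands in for whatever IPC you use. It shows the one method signature `ExecuteInDefaultAppDomain` accepts and how to deal with the threading issue mentioned above.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Windows.Forms;

namespace InspectorStage // hypothetical assembly/namespace name
{
    public static class Entry
    {
        // ExecuteInDefaultAppDomain can only call a method of this shape:
        // static int Name(string argument). The int comes back to the caller.
        public static int Run(string outputPath) // argument use is an assumption
        {
            // Snapshot the list first: forms may open or close while we work.
            var forms = new List<Form>();
            foreach (Form f in Application.OpenForms) forms.Add(f);

            var report = new StringBuilder();
            int dumped = 0;
            foreach (Form form in forms)
            {
                if (form.IsDisposed || !form.IsHandleCreated) continue;
                try
                {
                    // This code runs on the thread the host call was made from,
                    // not the UI thread. Control state must be read on the thread
                    // that owns the window, so marshal the walk with Invoke.
                    form.Invoke((MethodInvoker)(() => Dump(form, 0, report)));
                    dumped++;
                }
                catch (ObjectDisposedException) { }   // form closed in between
                catch (InvalidOperationException) { } // handle destroyed in between
            }
            File.WriteAllText(outputPath, report.ToString());
            return dumped; // number of top-level forms described
        }

        // Recursively describe a control and its children, indented by depth.
        static void Dump(Control c, int depth, StringBuilder sb)
        {
            sb.Append(' ', depth * 2)
              .AppendFormat("{0} Name={1} Bounds={2} BackColor={3} Text={4}",
                            c.GetType().FullName, c.Name, c.Bounds, c.BackColor, c.Text)
              .AppendLine();
            foreach (Control child in c.Controls) Dump(child, depth + 1, sb);
        }
    }
}
```

`Invoke` blocks until the UI thread processes the call, so a target whose UI thread is stuck in a long operation will stall `Run` as well.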
