Calling a function in a C# .exe from an unmanaged C++ .dll

Posted on 2024-11-09 02:32:43

So, I have an executable file that was made with C#. I don't have its source code, but I have disassembled it with IDA, and it gave me a lot of object-oriented assembly.

I've made an .exe file that injects a .dll into another .exe, and I've injected this new C++ DLL into the C# .exe with no problems; the DllMain is called and so on...

But when I inject this DLL into a normal .exe file made with C++, I can call a function in the .exe with its memory address, which I can take from IDA.

The problem is that object-oriented assembly doesn't have addresses for its functions, even with the function names being disassembled.

So, is there any way I can call this function with my injected DLL in the C# .exe file?

If possible, is there a way I can use the namespace declared in the C# .exe file and all its functions and variables, even the private ones?

Sample disassembled code:

.namespace MyCSharpApp
{
.class public auto ansi Test extends [mscorlib]System.Object
{
  .field public value class [Microsoft.Xna.Framework]Microsoft.Xna.Framework.Vector2 pos

  .field public int32 foo
....


普罗旺斯的薰衣草 2024-11-16 02:32:43

You are trying to do something tricky and I'm not perfectly clear on what it is. From your description you have at least four things:

  • Managed EXE
  • Managed DLL
  • Unmanaged EXE
  • Unmanaged DLL

some of which you have control over (i.e. source code for), and some of which you don't.

You want to use a process you call "injecting" to change a module you don't have control over to call a module you do have control over. In order to do this you are using a tool that requires you to have an unmanaged entry point in the address space of the process.

If you are getting what you want with unmanaged modules, then all you need to do is write a new mixed-mode module (over which you obviously have control) to call the managed DLL that you don't control. Now you effectively have an unmanaged DLL (for export purposes) and the problem of it being managed has gone away.

To call managed code from your new unmanaged wrapper module, you can use the techniques described in this introductory article:

Basically you need a C++/CLI project that references your black-box managed DLL and calls it and exports an unmanaged entry point that you can "take the address of" for your injection. Searching will find you a whole lot more ideas.

Finally, can you call private methods in the managed DLL (over which you have no control) using this method? No, not directly. However, it's a managed DLL, so it must have some public entry points to have ever been useful to anybody, and you can call those. If that's not enough, you can use reflection from C++/CLI to call private methods and access private members.

旧话新听 2024-11-16 02:32:43

You'll need to use the unmanaged hosting/debugging APIs. If you could inject a managed DLL, this would be much easier, you could just use Reflection.
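Both answers above point at the same two ingredients: a mixed-mode (C++/CLI) module that exports an unmanaged entry point, and .NET reflection to reach members that are not public. The following is an added example, not code from the question or from either answer, showing what such a bridge looks like. The assembly name "MyCSharpApp", the type "MyCSharpApp.Test" (taken from the IL sample in the question), the private method "Reset", the private field "counter" and the export name "Bridge_Run" are all placeholders for this illustration, not names from the real program.

```cpp-cli
// Added example (not from the question or either answer): a C++/CLI
// mixed-mode DLL with one unmanaged-callable export that hands control to
// managed code, where reflection locates a type in the already-loaded target
// assembly and reaches its non-public members.
// Placeholders, not taken from the page: assembly "MyCSharpApp",
// type "MyCSharpApp.Test", private method "Reset", private field "counter".
// Build: cl /clr /LD bridge.cpp

#include <windows.h>
#using <mscorlib.dll>

using namespace System;
using namespace System::Reflection;

// The host process has its own EXE assembly loaded in the default AppDomain,
// so look there instead of loading a second copy from disk with LoadFrom.
static Assembly^ FindLoadedAssembly(String^ simpleName)
{
    for each (Assembly^ a in AppDomain::CurrentDomain->GetAssemblies())
        if (String::Equals(a->GetName()->Name, simpleName,
                           StringComparison::OrdinalIgnoreCase))
            return a;
    return nullptr;
}

// Reflection over a private instance method and a private field.
// BindingFlags::NonPublic is what makes private members visible here.
static bool CallPrivateMembers(String^ assemblyName, String^ typeName,
                               String^ methodName, String^ fieldName,
                               int newValue)
{
    Assembly^ assemblyRef = FindLoadedAssembly(assemblyName);
    if (assemblyRef == nullptr) return false;

    Type^ t = assemblyRef->GetType(typeName, false);
    if (t == nullptr) return false;

    BindingFlags anyInstance = BindingFlags::Instance
                             | BindingFlags::Public
                             | BindingFlags::NonPublic;
    MethodInfo^ m = t->GetMethod(methodName, anyInstance);
    FieldInfo^  f = t->GetField(fieldName, anyInstance);
    if (m == nullptr || f == nullptr) return false;

    // A fresh instance keeps the example self-contained; a real bridge would
    // usually obtain an existing object through a static member instead.
    Object^ instance = Activator::CreateInstance(t, true); // true: non-public ctor allowed
    m->Invoke(instance, nullptr);                          // call the private method
    f->SetValue(instance, newValue);                       // write the private field
    return safe_cast<int>(f->GetValue(instance)) == newValue;
}

// Unmanaged-callable export. Under /clr the linker emits a native thunk for a
// dllexport'ed function, so GetProcAddress(hModule, "Bridge_Run") resolves it
// and native code can call it directly.
extern "C" __declspec(dllexport) int __stdcall Bridge_Run()
{
    try
    {
        return CallPrivateMembers("MyCSharpApp", "MyCSharpApp.Test",
                                  "Reset", "counter", 42) ? 1 : 0;
    }
    catch (Exception^ e)
    {
        Console::Error->WriteLine("Bridge_Run failed: {0}", e->Message);
        return 0;
    }
}

// DllMain stays native and does nothing: running managed code while the OS
// loader lock is held (i.e. inside DllMain of a mixed-mode DLL) deadlocks or
// crashes, which is why the work above lives behind a separate export.
#pragma managed(push, off)
BOOL APIENTRY DllMain(HMODULE, DWORD, LPVOID)
{
    return TRUE;
}
#pragma managed(pop)
```

Two points the answers touch on are worth checking before relying on this: the managed work must run from the exported function and never from DllMain (loader-lock rule for mixed-mode DLLs), and the bridge has to be built for the same CLR version and bitness as the target process, otherwise `FindLoadedAssembly` sees an empty or foreign AppDomain. From a defender's side, the same reflection calls (`GetMethod`/`GetField` with `BindingFlags::NonPublic` on a type you did not write) are a useful thing to look for when reviewing a module that has been loaded into a .NET process unexpectedly.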
