Skip to content

StackOverflowExcept1on/net-core-injector

Repository files navigation

net-core-injector

Build Status

In the following GIF, you can see how the code on the right intercepts the static void F(int i) function. After injecting, the original program starts outputting 1337 to the console instead of the default behavior.

banner

CLI tool that can replace C# methods in .NET Core applications

Requirements

Building

Open command line and run this script

  • _build.sh on Linux
  • _build.bat on Windows

It will build

Running

This script should produce output like the GIF above

  • _run.sh on Linux

    Note: If you want to attach to an existing process on Linux, this requires root privileges. In this case, use _run.sh -a (attach).

  • _run.bat on Windows

Internal documentation

It's mostly based on Microsoft documentation: Write a custom .NET host to control the .NET runtime from your native code

TL;DR: each process that runs on .NET Core uses hostfxr.dll or libhostfxr.so. This library is loaded in its memory.

To load a custom C# assembly (also known as a DLL), you need to manipulate with hostfxr first. I did it in Bootstrapper/src/library.cpp.

net-core-injector/src/main.ts injects Bootstrapper.dll into C# process and loads custom assembly

The following command runs DemoApplication.exe on another thread and injects code.

start DemoApplication\dist\DemoApplication.exe

npm start -- inject ^
DemoApplication.exe ^
Bootstrapper\build\Release\Bootstrapper.dll ^
RuntimePatcher\dist\RuntimePatcher.runtimeconfig.json ^
RuntimePatcher\dist\RuntimePatcher.dll ^
"RuntimePatcher.Main, RuntimePatcher" "InitializePatches"

Then the execution happens in this order:

  1. get into DemoApplication.exe process memory via DLL-injection of Bootstrapper.dll
  2. call native C++ code
    bootstrapper_load_assembly(
        /*runtime_config_path = */"RuntimePatcher\\dist\\RuntimePatcher.runtimeconfig.json",
        /*assembly_path = */"RuntimePatcher\\dist\\RuntimePatcher.dll",
        /*type_name = */"RuntimePatcher.Main, RuntimePatcher",
        /*method_name = */"InitializePatches"
    )
  3. RuntimePatcher/Lib.cs attaches to code of DemoApplication.exe

Application in real world

I injected my DLL into the GitHub Actions security system and received money and a t-shirt from HackerOne

Also see: https://github.com/StackOverflowExcept1on/how-to-hack-github-actions

You can use this to mod games written in C# or to patch any software

TODO

  • I don't have macOS device so it's supported for now. External contributors are welcome.