injection into managed target kills process

Nov 30, 2009 at 1:45 PM

I have been using EasyHook for a few months and have successfully injected into native processes on Windows 7 (x64).

I am now trying to inject into managed targets. The injection succeeds and the Main() and Run() functions of the hook are executed without issue. However, I find that the managed process then dies without any warning or message.

When I look in the event viewer, there is a single error entry stating

".NET Runtime version 2.0.50727.4927 - Fatal Execution Engine Error (000007FEFBDEFA42) (80131506)"

I am at my wits end with this one. Any ideas on how to try and debug it? Thank you.

Dec 15, 2009 at 3:00 PM
Edited Dec 15, 2009 at 3:30 PM

I have exactly the same problem, it appears that injecting an already loaded process (so with segments relocation, ect... already done & more the CLR mscoree .net kernel initialized) works but  on process created in suspend mode :(

This is due by mscoree (.net kernel loader) constraints to make this language "safer" (from what I read).

 

I did lot of tests but also of research in google : http://www.google.fr/search?hl=fr&q=injection+STATUS_INVALID_IMAGE_FORMAT&meta=

& That's also really a concern for me. If you drill a little bit in details, you will see that some developes proposes to modifty the PE header in the file & to save it as a new executable :(

Help is also welcome. Here is my FileMon project modified to isolate the issue... if you debug it & set a breakpoint in RemoteHooking.InjectEx(), you will see that when giving the PID of an already running .net prog : it retuns 0, so status ok...

using System;
using System.Collections.Generic;
using System.Runtime.Remoting;
using System.Text;
using System.IO;
using EasyHook;
using System.Windows.Forms;

namespace FileMon
{
    public class FileMonInterface : MarshalByRefObject
    {
        public void IsInstalled(Int32 InClientPID)
        {
            Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
        }

        public void OnCreateFile(Int32 InClientPID, String[] InFileNames)
        {
            for (int i = 0; i < InFileNames.Length; i++)
            {
                Console.WriteLine(InFileNames[i]);
            }
        }

        public void ReportException(Exception InInfo)
        {
            Console.WriteLine("The target process has reported an error:\r\n" + InInfo.ToString());
        }

        public void Ping()
        {
        }
    }

    class Program
    {
        static String ChannelName = null;

        static void Main(string[] args)
        {
            Int32 TargetPID = 0;

            try
            {
                Config.Register(
                    "A FileMon like demo application.",
                    "FileMon.exe",
                    "FileMonInject.dll");
            }
            catch (ApplicationException)
            {
                MessageBox.Show("This is an administrative task!", "Permission denied...", MessageBoxButtons.OK);

                System.Diagnostics.Process.GetCurrentProcess().Kill();
            }

            RemoteHooking.IpcCreateServer<FileMonInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);

            if ((args.Length != 1))
            {
                Console.WriteLine();
                Console.WriteLine("Usage: FileMon %PID%");
                Console.WriteLine();

                return;
            }

            try
            {
                if(!Int32.TryParse(args[0], out TargetPID))
                {
                    RemoteHooking.CreateAndInject(
                        args[0],
                        "",
                        0,
                        "FileMonInject.dll",
                        "FileMonInject.dll",
                        out TargetPID,
                        ChannelName);
                }
                else
                {
                    RemoteHooking.Inject(
                        TargetPID,
                        "FileMonInject.dll",
                        "FileMonInject.dll",
                        ChannelName);
                }
                
                Console.ReadLine();
            }
            catch (Exception ExtInfo)
            {
                Console.WriteLine("There was an error while connecting to target:\r\n{0}", ExtInfo.ToString());
            }
        }
    }
}


From my side, it runs on a Windows Server 2003 R2, so in the InjectEx, it is the CreateRemoteThread() which is called instead of NtCreateThreadEx()
but apparently, looking to the first post above, this issue exists also in Windows 7. Like above, having this issue when trying to inject a x64 .net prog.

help or workaround is welcome (please but not by modifying the .net pe header in the program file... prefere doing this dynamically with something similar to createremotethread, ect....)
thx in advance
regards
louis