
從非托管dll文件中調用托管dll(已注入到正在運行的進程中)

[英]calling an managed dll from an unmanaged dll file (that is injected into the running process)

我無法弄清楚如何從一個非托管dll中調用托管dll文件裡的函數。

目前,我能夠用如下所示的方法把非托管dll注入正在運行的進程,並在其中調用托管dll(順帶一提,我是C++新手)。

#include "stdafx.h"
#include <Windows.h>
#include <cstdio>
#include "dllmain.h"

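 namespace {

// Runs the real injection work outside DllMain.
//
// Starting the CLR (LoadManagedProject) and showing a MessageBox while the
// loader lock is held inside DllMain is unsupported and is a classic way to
// deadlock the host process.  A thread created from DLL_PROCESS_ATTACH cannot
// start running until DllMain has returned and the loader lock is released,
// so the hosting calls below execute in a supported context.
DWORD WINAPI InjectionWorker(LPVOID /*unused*/)
{
    // SECURITY: the managed assembly runs with the full privileges of the host
    // process.  This path lives under a user's Desktop, which that user (and any
    // code running as them) can overwrite, so in anything but a local experiment
    // point it at a location no less-trusted principal can write to.
    LoadManagedProject(L"C:\\Users\\nagaganesh.kurcheti\\Desktop\\ExampleProject.dll");
    DisplayPid();
    return 0;
}

} // namespace

// DLL entry point.  On process attach it only spawns the worker thread; all
// other notifications are ignored.
//
// Returns FALSE (so the loader unloads the DLL) when the worker thread cannot
// be created, since nothing would run in that case; TRUE otherwise.
BOOL APIENTRY DllMain( HMODULE hModule,
                   DWORD  ul_reason_for_call,
                   LPVOID lpReserved  )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        HANDLE worker = CreateThread(NULL, 0, InjectionWorker, NULL, 0, NULL);
        if (worker == NULL)
        {
            return FALSE;
        }
        // We never join the worker; close our handle so it does not leak.
        CloseHandle(worker);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}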

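// Shows a message box with the current process id, as proof that the DLL is
// executing inside the target process.
//
// wsprintf is an unbounded formatter; swprintf_s is bounded by the array size
// so the buffer can never be overrun.  A DWORD is unsigned, so it is formatted
// with %lu rather than %d.
void DisplayPid()
{
    const DWORD pid = GetCurrentProcessId();
    wchar_t buf[64];
    swprintf_s(buf, L"Hey, it worked! Pid is %lu", pid);
    MessageBox(NULL, buf, L"Injected NEW MessageBox", MB_OK);
}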

在該DLL中,負責處理注入邏輯的函數如下所示,由上面的DllMain調用:

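namespace {

// Minimal RAII holder for a COM interface pointer.  Every early-return path in
// LoadManagedProject releases the hosting interfaces automatically; the
// original nested-if version never called Release() on any of them.
template <typename T>
struct ComPtrGuard
{
    T* p = NULL;

    ComPtrGuard() {}
    ~ComPtrGuard() { if (p != NULL) p->Release(); }
    ComPtrGuard(const ComPtrGuard&) = delete;
    ComPtrGuard& operator=(const ComPtrGuard&) = delete;

    T* operator->() const { return p; }
    // Address of the raw pointer, for out-parameters such as IID_PPV_ARGS.
    T** put() { return &p; }
};

// Surfaces the failing hosting step and its HRESULT.  Without this every
// failure was silent, which makes it impossible to tell where injection
// went wrong.
void ReportHostingFailure(const wchar_t* step, HRESULT hr)
{
    wchar_t msg[160];
    swprintf_s(msg, L"%ls failed, HRESULT=0x%08X", step, static_cast<unsigned>(hr));
    MessageBox(NULL, msg, L"Injected MessageBox", MB_OK | MB_ICONERROR);
}

} // namespace

// Starts the v4.0 CLR in this process and runs
// ExampleProject.Example.EntryPoint("Argument") from the assembly at
// managedDllLocation.
//
// Per the hosting API contract, ExecuteInDefaultAppDomain only works for a
// method of the form `public static int EntryPoint(string arg)`; a different
// signature fails at the ExecuteInDefaultAppDomain step.
//
// Must NOT be called from DllMain: starting the CLR while the loader lock is
// held can deadlock the host.  Run it from a worker thread instead.
//
// SECURITY: the assembly at managedDllLocation executes with the full rights
// of the host process.  Only pass paths that untrusted principals cannot
// write to, or anyone who can replace that file owns the process.
//
// managedDllLocation: absolute path of the managed assembly; NULL or empty
//                     is rejected.
// Each failure is reported through a message box naming the failing step.
DllExport void LoadManagedProject(const wchar_t * managedDllLocation)
{
    if (managedDllLocation == NULL || managedDllLocation[0] == L'\0')
    {
        ReportHostingFailure(L"LoadManagedProject (empty assembly path)", E_INVALIDARG);
        return;
    }

    // SUCCEEDED/FAILED are used instead of `== S_OK`, so a non-S_OK success
    // code is no longer treated as a silent abort.
    ComPtrGuard<ICLRMetaHost> metaHost;
    HRESULT hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost,
                                   reinterpret_cast<LPVOID*>(metaHost.put()));
    if (FAILED(hr))
    {
        ReportHostingFailure(L"CLRCreateInstance", hr);
        return;
    }

    ComPtrGuard<ICLRRuntimeInfo> runtimeInfo;
    hr = metaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(runtimeInfo.put()));
    if (FAILED(hr))
    {
        ReportHostingFailure(L"ICLRMetaHost::GetRuntime(v4.0.30319)", hr);
        return;
    }

    BOOL loadable = FALSE;
    hr = runtimeInfo->IsLoadable(&loadable);
    if (FAILED(hr) || !loadable)
    {
        ReportHostingFailure(L"ICLRRuntimeInfo::IsLoadable", FAILED(hr) ? hr : E_FAIL);
        return;
    }

    ComPtrGuard<ICLRRuntimeHost> runtimeHost;
    hr = runtimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_PPV_ARGS(runtimeHost.put()));
    if (FAILED(hr))
    {
        ReportHostingFailure(L"ICLRRuntimeInfo::GetInterface(CLRRuntimeHost)", hr);
        return;
    }

    hr = runtimeHost->Start();
    if (FAILED(hr))
    {
        ReportHostingFailure(L"ICLRRuntimeHost::Start", hr);
        return;
    }
    MessageBox(NULL, L"HR=SOK45STTIME", L"Injected MessageBox", MB_OK);

    DWORD result = 0;
    hr = runtimeHost->ExecuteInDefaultAppDomain(
        managedDllLocation,
        L"ExampleProject.Example",
        L"EntryPoint",
        L"Argument",
        &result);
    if (FAILED(hr))
    {
        ReportHostingFailure(L"ICLRRuntimeHost::ExecuteInDefaultAppDomain", hr);
        return;
    }
    MessageBox(NULL, L"HR=SOK6STTIME", L"Injected MessageBox", MB_OK);
}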

經過多次嘗試,我仍然無法注入該進程。能否指出我犯的錯誤,或者建議一種更好的方法,讓已注入正在運行的進程中的非托管dll去調用托管dll(C#)?先謝謝了。

更新:

如果這種方式行不通,能否建議把托管dll注入正在運行的進程的其他最佳方法?謝謝。

您可以使用EasyHook把dll注入非托管進程來達到這個目的。下面的示例本身是非托管的C++代碼:它導出EasyHook在注入時查找的NativeInjectionEntryPoint入口點,並在其中安裝一個對kernel32!Beep的掛鉤。

#include <easyhook.h>
#include <string>
#include <iostream>
#include <Windows.h>

// Offset added to the frequency of every hooked Beep call.  Set once from the
// injector-supplied UserData in NativeInjectionEntryPoint, read in myBeepHook.
DWORD gFreqOffset{ 0 };
// Replacement for kernel32!Beep installed by NativeInjectionEntryPoint.
// Announces the interception on stdout, then forwards to Beep with the
// injector-supplied frequency offset applied; returns whatever Beep returns.
BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration)
{
    std::cout << "\n    BeepHook: ****All your beeps belong to us!\n\n";
    const DWORD adjustedFreq = dwFreq + gFreqOffset;
    return Beep(adjustedFreq, dwDuration);
}

// EasyHook will be looking for this export to support DLL injection. If not found then 
// DLL injection will fail.
extern "C" void __declspec(dllexport) __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);

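// Entry point EasyHook calls inside the target process after injecting this
// DLL.  Reads the optional frequency offset from UserData, then hooks
// kernel32!Beep with myBeepHook and enables the hook for every thread except
// the current one.
//
// EasyHook invokes this on a thread of its own, so (unlike DllMain) there is
// no loader lock concern here.
//
// inRemoteInfo: injection context supplied by EasyHook; HostPID is the
//               injecting process, UserData/UserDataSize the caller's blob.
// The hook handle is not uninstalled here; it stays active for the life of
// the process.
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
    if (inRemoteInfo == NULL)
    {
        std::cout << "NativeInjectionEntryPoint: no REMOTE_ENTRY_INFO supplied\n";
        return;
    }

    std::cout << "\n\nNativeInjectionEntryPointt(REMOTE_ENTRY_INFO* inRemoteInfo)\n\n" <<
        "IIIII           jjj               tt                dd !!! \n"
        " III  nn nnn          eee    cccc tt      eee       dd !!! \n"
        " III  nnn  nn   jjj ee   e cc     tttt  ee   e  dddddd !!! \n"
        " III  nn   nn   jjj eeeee  cc     tt    eeeee  dd   dd     \n"
        "IIIII nn   nn   jjj  eeeee  ccccc  tttt  eeeee  dddddd !!! \n"
        "              jjjj                                         \n\n";

    std::cout << "Injected by process Id: " << inRemoteInfo->HostPID << "\n";
    std::cout << "Passed in data size: " << inRemoteInfo->UserDataSize << "\n";

    // UserData comes from the injecting process, so treat it as untrusted:
    // only read it when the size matches exactly.  Copy with CopyMemory rather
    // than dereferencing a reinterpret_cast, since nothing guarantees the
    // buffer is DWORD-aligned.
    if (inRemoteInfo->UserDataSize == sizeof(DWORD))
    {
        CopyMemory(&gFreqOffset, inRemoteInfo->UserData, sizeof(DWORD));
        std::cout << "Adjusting Beep frequency by: " << gFreqOffset << "\n";
    }

    // Resolve the target once.  Fail cleanly if it cannot be found instead of
    // handing a NULL target to LhInstallHook.
    const HMODULE kernel32 = GetModuleHandle(TEXT("kernel32"));
    const FARPROC beepAddr = (kernel32 != NULL) ? GetProcAddress(kernel32, "Beep") : NULL;

    std::cout << "\n";
    // Streaming a function pointer prints "1" (bool conversion); cast to void*
    // to print the actual address.
    std::cout << "Win32 Beep found at address: " << reinterpret_cast<void*>(beepAddr) << "\n";
    if (beepAddr == NULL)
    {
        std::cout << "Failed to locate kernel32!Beep; nothing hooked.\n";
        return;
    }

    // Perform hooking
    HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

    // Install the hook
    NTSTATUS result = LhInstallHook(
        beepAddr,
        myBeepHook,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        std::wstring s(RtlGetLastErrorString());
        std::wcout << "Failed to install hook: ";
        std::wcout << s;
        // hHook is not a valid hook on failure, so there is nothing to enable.
        return;
    }
    std::cout << "Hook 'myBeepHook installed successfully.";

    // If the threadId in the ACL is set to 0,
    // then internally EasyHook uses GetCurrentThreadId()
    ULONG ACLEntries[1] = { 0 };

    // Disable the hook for the provided threadIds, enable for all others
    LhSetExclusiveACL(ACLEntries, 1, &hHook);
}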

或者,您可以在原始出處找到更多詳細信息。


