ChadSki/SharpNeedle

SharpNeedle does not support 64-bit (CallExport: Could not find module in remote process)

Opened this issue · 17 comments

I am running Windows 10 x64. I have built the solution using VS 2015. I have ensured I am using elevated permissions for VS 2015/command prompt. I am unable to get the demo app to be injected.

I get the following error: 'CallExport: Could not find module in remote process'.

Would be willing to provide any more info if I could get some help debugging this.

This has to do with a mismatch between 32-bit and 64-bit, right?

I believe that SharpNeedle's bitness needs to match the bitness of the target process in order to work. 32-bit cannot target 64-bit and vice-versa.

I just figured this out and was going to come back and ask about it! I've successfully got it working with 32-bit processes, but haven't been able to get it to work with any 64-bit ones.

I understand there are three moving parts here: the bootstrap dll, launcher exe and example project dll. When you say SharpNeedle's bitness, which are you talking about - all of those or just some?

I understand for the C# the platform target is defaulted to Any CPU - is this good?
I don't have as much experience with C++ projects. I've tried fiddling with the configuration manager but am unsure if I've switched to x64 appropriately. How do I switch those two to be x64?

If you're targeting a 64-bit process, both Launcher.exe and Bootstrapper.dll must be 64-bit. ExampleProject.dll can remain Any CPU. In Visual Studio you can change this via Build > Configuration Manager.

I just tried it out for myself and there is a handful of warnings such as 'type cast': conversion from 'DWORD' to 'LPVOID' of greater size that will need to be dealt with.

Ok I'm seeing the same now, will investigate.

@jasteph, @ChadSki, what is the progress with a 64-bit solution?
Nice solution!

I'm also landing at "CallExport: Could not find module in remote process.". The bootstrap.dll doesn't seem to be part of the process snapshot! I tried to inject it into Dependency Walker x86 .exe. In VS2017 I set it to 'Debug' and 'Win32', I also checked PE Header of the bootstrap.dll, it is x86! Do you have any idea or a quick working poc?

@asim1337 are you able to inject into other 32-bit processes?

Hello @ChadSki
I was trying to inject putty.exe, which is a 32-bit process; however, my Windows OS is 64-bit. It shows me the following output.
image

I have tried with notepad++ (which is also 32-bit) but got the same output. Please advise..!

That does appear to be a 32-bit process, and Launcher.exe is able to enumerate the loaded dlls. My guess is that Bootstrapper.dll is missing because it was not successfully injected. It's hard to say why that would happen.

You might have to try step-through debugging of InjectAndRunThenUnload to see where the injection is going wrong.

Thanks for your reply @ChadSki

I have tried to debug the code, but when I execute the CallExport function at line 79 it generates the above output and the rest of the code is also executed normally. Let me give you the values of the function parameters. I may be making some doltish mistake.

  •   ProcessId	13964	unsigned long
  •   DllName	0x0040f9a4 "C:\\Users\\dodtech\\Downloads\\SharpNeedle-master\\SharpNeedle-master\\src\\Launcher\\Bootstrapper.dll"	const char *
  •   ExportName	{...}	const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &
  •   ExportArgument	0x0040f794 L"C:\\Users\\dodtech\\Downloads\\SharpNeedle-master\\SharpNeedle-master\\src\\Launcher\\ExampleProject.dll"	const wchar_t *
  •   FreeThread	{m_t=216 }	Hades::EnsureCleanup<void *,&CloseHandle,0>

Thanks again

Bootstrapper.dll is also available in the System32 folder. I checked it. putty.exe, and even notepad++.exe too, show as 32-bit processes in my Task Manager. Please help..!

I'm still having trouble reproducing the problem on my end. What version of Windows are you using? (You can get the OS version and build number from winver.exe)

I am using Windows 7 Professional; however, checking from the command line, it shows Version 6.1.7601.

Ah, okay. I had initially developed this project on Windows 8 and never tested it on Windows 7. Bootstrapper tries to load .NET 4.0, which isn't included in Win7 out of the box. Check inside C:\Windows\Microsoft.NET\Framework\. Do you see a v4.0.30319 subfolder?

For debugging purposes, uncomment Bootstrapper/dllmain.cpp#L14. That will make Bootstrapper.dll try to launch a native MessageBox as it loads. If we don't see it, then we know for sure that the dll was never loaded.

If the dll still isn't loading... One assumption this project makes is that kernel32.dll will be loaded into the same location in all processes. On line 41 it reads the address of the local kernel32, and on lines 67 and 83 it uses that address on the remote process. If your OS has some sort of ASLR enabled then that assumption won't hold.

If you LoadLibraryA("Bootstrapper.dll"); from within Launcher.exe, does that work?

Hello @ChadSki
Thanks for your reply..!
Yes, the v4.0.30319 subfolder is available inside Framework. Further, I tried to insert LoadLibraryA("Bootstrapper.dll"); in Launcher.cpp and it is showing the Injected MessageBox with a different pid every time I execute. But again the output on Launcher.exe is the same.

Well, we've narrowed things down considerably. Everything is 32-bit, it compiles correctly, and Launcher is even able to load Bootstrap. It really seems as though either creating the remote string or the remote call to LoadLibraryA is what's failing here.

One thing I've just noticed is that I get the CallExport error when step-through debugging from Visual Studio, but injection works fine if I run Launcher.exe from the command-line.

Hey @ChadSki

I just restarted my system and see a different output. lol
image

By the way, thank you very much..!

closed
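
The bitness rule given in the thread (Launcher.exe and Bootstrapper.dll must match the target process, ExampleProject.dll can stay Any CPU) can be checked directly from the PE headers of the built files. The script below is an added example, not part of the thread or of SharpNeedle's code; the function names and the sample header bytes are constructed for illustration.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}

def pe_bitness(data):
    """Return (machine, optional-header format) for a PE image given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)   # COFF header
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)    # optional header
    return MACHINES.get(machine, hex(machine)), FORMATS.get(magic, hex(magic))

def mismatched(native_images, target_machine):
    """Names of native components whose Machine differs from the target process.

    Pass only the native parts (Launcher.exe, Bootstrapper.dll). An Any CPU
    managed assembly such as ExampleProject.dll carries the x86 Machine value
    regardless of where it runs, so it is left out of this check.
    """
    return sorted(name for name, data in native_images.items()
                  if pe_bitness(data)[0] != target_machine)

def fake_pe(machine, magic):
    """Constructed sample: just enough header bytes to exercise pe_bitness()."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x2022)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        # Usage: python pe_bitness.py Launcher.exe Bootstrapper.dll
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, *pe_bitness(f.read(4096)))
    else:
        build = {"Launcher.exe": fake_pe(0x8664, 0x20B),      # constructed x64
                 "Bootstrapper.dll": fake_pe(0x014C, 0x10B)}  # constructed x86
        print("mismatch against x64 target:", mismatched(build, "x64"))
```
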