Trying to add clrjit.dll into my C# #20

Open
modz2014 opened this issue Jul 12, 2022 · 8 comments
Labels
bug Something isn't working

Comments

@modz2014

Hi, I'm trying to add clrjit.dll into my C# to run in memory, but it doesn't seem to work properly.

@trungnt2910
Owner

The library probably uses TLS memory.

The Windows TLS memory model is currently NOT supported by MemoryModule.NET, as well as the original MemoryModule project (although binaries compiled using MinGW that use the POSIX thread model may work on MemoryModule.NET).

Why do you want to run a clrjit.dll on top of .NET anyway? Isn't it easier to directly load a managed assembly?

@modz2014
Author

Well, it uses it to execute, but if the user doesn't have the .NET Framework installed it should still run in memory, right? Or isn't that possible?

@trungnt2910
Owner

You should try using a .NET self-contained application instead.

Or, look at some forks of the original MemoryModule (the C library) that actually support Windows TLS. These forks use really dirty tricks that I don't understand myself, and make your code really unstable.

Because, if you don't have a .NET runtime to load MemoryModule.NET.dll in the first place, then how would you even use my library?

@modz2014
Author

So it's not possible then

@modz2014
Author

I'm trying to run this without installing .NET Framework stuff: https://github.com/cg10036/Themida-Unpacker-for-.NET

@Invoke-Mimikatz

I have an unmanaged application packaged as a DLL that loads the CLR.

Below is the WinDbg output of the application crash. This happens during the process of the unmanaged DLL application trying to load the CLR.

ModLoad: 00007ffc`0f520000 00007ffc`0f54c000   C:\WINDOWS\SYSTEM32\wldp.dll
ModLoad: 00007ffb`f9590000 00007ffb`f95a9000   C:\WINDOWS\SYSTEM32\amsi.dll
ModLoad: 00007ffc`0f9b0000 00007ffc`0f9de000   C:\WINDOWS\SYSTEM32\USERENV.dll
ModLoad: 00007ffc`0f9f0000 00007ffc`0fa0f000   C:\WINDOWS\SYSTEM32\profapi.dll
ModLoad: 00007ffb`f9510000 00007ffb`f9589000   C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\MpOav.dll
ModLoad: 00007ffc`01320000 00007ffc`0141c000   C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\MPCLIENT.DLL
ModLoad: 00007ffc`0e390000 00007ffc`0e3b3000   C:\WINDOWS\SYSTEM32\gpapi.dll
(1838.1dd4): C++ EH exception - code e06d7363 (first chance)
(1838.1dd4): C++ EH exception - code e06d7363 (first chance)
(1838.1dd4): C++ EH exception - code e06d7363 (first chance)
(1838.1dd4): C++ EH exception - code e06d7363 (first chance)
(1838.1dd4): C++ EH exception - code e06d7363 (first chance)
(1838.1dd4): CLR exception - code e0434352 (first chance)
(1838.1dd4): CLR exception - code e0434352 (first chance)
(1838.1dd4): Unknown exception - code c0000028 (first chance)
(1838.1dd4): Unknown exception - code c0000028 (!!! second chance !!!)
ntdll!RtlRaiseStatus+0x36:
00007ffc`12472406 65488b0c2560000000 mov   rcx,qword ptr gs:[60h] gs:00000000`00000060=????????????????

When NOT using this library, my application succeeds and gets past this point to load clrjit.dll, which is what I believe is causing this kind of crash:

ModLoad: 00007ffc`0e390000 00007ffc`0e3b3000   C:\WINDOWS\SYSTEM32\gpapi.dll
(2818.564): C++ EH exception - code e06d7363 (first chance)
(2818.564): C++ EH exception - code e06d7363 (first chance)
(2818.564): C++ EH exception - code e06d7363 (first chance)
(2818.564): C++ EH exception - code e06d7363 (first chance)
(2818.564): C++ EH exception - code e06d7363 (first chance)
(2818.564): CLR exception - code e0434352 (first chance)
(2818.564): CLR exception - code e0434352 (first chance)
ModLoad: 00007ffb`ca320000 00007ffb`ca46f000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll

This is a little weird since using this library to load a DLL that loads the CLR seems unintuitive, but I'm wondering if there's any way to make this work.

@trungnt2910
Owner

00007ffc`12472406 65488b0c2560000000 mov   rcx,qword ptr gs:[60h] gs:00000000`00000060=????????????????

The problem is displayed clearly in this line.
MemoryModule.NET has a limitation of not being able to handle Windows TLS slots properly. The same thing applies to the original MemoryModule.

As the TLS index is not initialized properly, any attempts to access thread-local storage will result in a segmentation fault.

The CLR is a complex application so I'm not surprised if it uses thread-local variables somewhere.
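
Added example, not part of the thread or of MemoryModule.NET: a static check for whether a DLL declares a Windows TLS directory, the feature the owner describes as unsupported, so the limitation can be read from the file's headers rather than from a crash dump. The names `tls_directory` and `_sample_pe64` and the header-only sample image are constructed for illustration.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the PE data directory


def tls_directory(pe: bytes):
    """Return (rva, size) of the TLS data directory, or None if none is declared."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (size_opt,) = struct.unpack_from("<H", pe, e_lfanew + 4 + 16)
    opt = e_lfanew + 4 + 20                  # signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                       # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", pe, opt + count_off)
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS
    # The directory may be truncated: fewer than 10 entries means no TLS slot.
    if count <= IMAGE_DIRECTORY_ENTRY_TLS or entry + 8 > size_opt:
        return None
    rva, size = struct.unpack_from("<II", pe, opt + entry)
    return (rva, size) if rva and size else None


def _sample_pe64(tls_rva: int, tls_size: int) -> bytes:
    """Constructed header-only PE32+ image for the demo (not a loadable DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                     # 112 fixed bytes + 16 directory entries
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, tls_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, image in (("with TLS", _sample_pe64(0x3000, 0x28)),
                         ("without TLS", _sample_pe64(0, 0))):
        print(label, "->", tls_directory(image))
```

A `None` result only rules out static TLS declared in the PE header; it says nothing about the other possible blockers the owner mentions.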

@trungnt2910
Owner

Related: #34

I'm keeping this open as there might be other blockers in the future other than TLS.

@trungnt2910 added the bug (Something isn't working) label Feb 18, 2023