RemoteNET 1.0.4.1
See the version list below for details.
dotnet add package RemoteNET --version 1.0.4.1
NuGet\Install-Package RemoteNET -Version 1.0.4.1
<PackageReference Include="RemoteNET" Version="1.0.4.1" />
paket add RemoteNET --version 1.0.4.1
#r "nuget: RemoteNET, 1.0.4.1"
// Install RemoteNET as a Cake Addin
#addin nuget:?package=RemoteNET&version=1.0.4.1
// Install RemoteNET as a Cake Tool
#tool nuget:?package=RemoteNET&version=1.0.4.1
RemoteNET
This library lets you examine, create and interact with remote objects in other .NET processes.
The target app doesn't need to be explicitly compiled (or consent) to support it.
Basically this library lets you mess with objects of any other .NET app without asking for permissions 😃
👉 Try It Now: Download the RemoteNET Spy app to see this lib in action! 👈
Supported Targets
✅ .NET 5/6/7/8
✅ .NET Core 3.0/3.1
✅ .NET Framework 4.5/4.6/4.7/4.8 (incl. subversions)
✅ MSVC-compiled C++ (experimental)
Including the library in your project
There are 2 ways to get the library:
- Get it from NuGet
-or-
- Clone this repo, compile, then reference RemoteNET.dll and ScubaDiver.API.dll in your project.
Compiling
- Clone
- Initialize git modules (for detours.net)
- Launch "x64 Native Tools Command Prompt for VS 2022"
- cd <<your RemoteNET repo path>>\src
- mkdir detours_build
- cd detours_build
- cmake ..\detours.net
- msbuild ALL_BUILD.vcxproj
- Open RemoteNET.sln in Visual Studio
- Compile the RemoteNET project
Minimal Working Example
To get the essence of how easy and useful this library can be, see below a re-implementation of denandz/KeeFarce.
This example interacts with an open KeePass process and makes it export all credentials to a CSV file.
// Gain foothold within the target process
RemoteApp remoteApp = RemoteAppFactory.Connect("KeePass.exe", RuntimeType.Managed);
RemoteActivator rActivator = remoteApp.Activator;
// Get a remote DocumentManagerEx object
IEnumerable<CandidateObject> candidates = remoteApp.QueryInstances("KeePass.UI.DocumentManagerEx");
RemoteObject remoteDocumentManagerEx = remoteApp.GetRemoteObject(candidates.Single());
dynamic dynamicDocumentManagerEx = remoteDocumentManagerEx.Dynamify();
// Get sensitive properties to dump
dynamic activeDb = dynamicDocumentManagerEx.ActiveDatabase;
dynamic rootGroup = activeDb.RootGroup;
// Create remote PwExportInfo object (Call Ctor)
RemoteObject pwExportInfo = rActivator.CreateInstance("KeePass.DataExchange.PwExportInfo", rootGroup, activeDb, true);
// Create remote KeePassCsv1x (Call Ctor)
RemoteObject keePassCsv1x = rActivator.CreateInstance("KeePass.DataExchange.Formats.KeePassCsv1x");
dynamic dynamicCsvFormatter = keePassCsv1x.Dynamify();
// Creating a remote FileStream object
string tempOutputFile = Path.ChangeExtension(Path.GetTempFileName(), "csv");
RemoteObject exportFileStream = rActivator.CreateInstance(typeof(FileStream), tempOutputFile, FileMode.Create);
// Calling Export method of exporter
dynamicCsvFormatter.Export(pwExportInfo, exportFileStream, null);
// Showing results in default CSV editor.
Console.WriteLine($"Output written to: {tempOutputFile}");
Process.Start(tempOutputFile);
How To Use
This section documents most parts of the library's API which you'll likely need.
✳️ Setup
To start playing with a remote process you need to create a RemoteApp object like so:
// For .NET targets
RemoteApp remoteApp = RemoteAppFactory.Connect("MyDotNetTarget.exe", RuntimeType.Managed);
// For MSVC C++ target
RemoteApp remoteApp = RemoteAppFactory.Connect("MyNativeTarget.exe", RuntimeType.Unmanaged);
If you have multiple processes running with the same name, you can use the overload Connect(System.Diagnostics.Process p, RuntimeType r).
✳️ Getting Existing Remote Objects
First and foremost RemoteNET allows you to find existing objects in the remote app.
To do so you'll need to search the remote heap.
Use RemoteApp.QueryInstances() to find possible candidates for the desired object and RemoteApp.GetRemoteObject() to get a handle of a candidate.
IEnumerable<CandidateObject> candidates = remoteApp.QueryInstances("MyApp.PasswordContainer");
RemoteObject passwordContainer = remoteApp.GetRemoteObject(candidates.Single());
✳️ Creating New Remote Objects
Sometimes the existing objects in the remote app are not enough to do what you want.
For this reason you can also create new objects remotely.
Use the Activator-lookalike for that purpose:
// Creating a remote StringBuilder with default constructor
RemoteObject remoteSb1 = remoteApp.Activator.CreateInstance(typeof(StringBuilder));
// Creating a remote StringBuilder with the "StringBuilder(string, int)" ctor
RemoteObject remoteSb2 = remoteApp.Activator.CreateInstance(typeof(StringBuilder), "Hello", 100);
Note how we used constructor arguments in the second CreateInstance call. Those could also be other RemoteObjects:
// Constructing a new StringBuilder
RemoteObject remoteStringBuilder = remoteApp.Activator.CreateInstance(typeof(StringBuilder));
// Constructing a new StringWriter using the "StringWriter(StringBuilder sb)" ctor
RemoteObject remoteStringWriter = remoteApp.Activator.CreateInstance(typeof(StringWriter), remoteStringBuilder);
✳️ Reading Remote Fields/Properties
To allow a smooth coding experience, RemoteNET uses a special dynamic object which any RemoteObject can turn into.
This object can be used to access fields/properties just as if they were fields/properties of a local object:
// Reading the 'Capacity' property of a newly created StringBuilder
RemoteObject remoteStringBuilder = remoteApp.Activator.CreateInstance(typeof(StringBuilder));
dynamic dynamicStringBuilder = remoteStringBuilder.Dynamify();
Console.WriteLine("Remote StringBuilder's Capacity: " + dynamicStringBuilder.Capacity);
A more interesting example would be retrieving the ConnectionStrings of every SqlConnection instance:
var sqlConCandidates = remoteApp.QueryInstances(typeof(SqlConnection));
foreach (CandidateObject candidate in sqlConCandidates)
{
    RemoteObject remoteSqlConnection = remoteApp.GetRemoteObject(candidate);
    dynamic dynamicSqlConnection = remoteSqlConnection.Dynamify();
    Console.WriteLine("ConnectionString: " + dynamicSqlConnection.ConnectionString);
}
✳️ Invoking Remote Methods
Just like accessing fields, invoking methods can be done on the dynamic objects.
This fun example dumps all private RSA keys (which are stored in RSACryptoServiceProviders) found in the target's memory:
Func<byte[], string> ToHex = ba => BitConverter.ToString(ba).Replace("-", "");
// Finding every RSACryptoServiceProvider instance
var rsaProviderCandidates = remoteApp.QueryInstances(typeof(RSACryptoServiceProvider));
foreach (CandidateObject candidateRsa in rsaProviderCandidates)
{
    RemoteObject rsaProv = remoteApp.GetRemoteObject(candidateRsa);
    dynamic dynamicRsaProv = rsaProv.Dynamify();
    // Calling remote `ExportParameters`.
    // First parameter (true) indicates we want the private key.
    Console.WriteLine(" * Key found:");
    dynamic parameters = dynamicRsaProv.ExportParameters(true);
    Console.WriteLine("Modulus: " + ToHex(parameters.Modulus));
    Console.WriteLine("Exponent: " + ToHex(parameters.Exponent));
    Console.WriteLine("D: " + ToHex(parameters.D));
    Console.WriteLine("P: " + ToHex(parameters.P));
    Console.WriteLine("Q: " + ToHex(parameters.Q));
    Console.WriteLine("DP: " + ToHex(parameters.DP));
    Console.WriteLine("DQ: " + ToHex(parameters.DQ));
    Console.WriteLine("InverseQ: " + ToHex(parameters.InverseQ));
}
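A defensive counterpart to the dump above, as an added example that is not part of RemoteNET or its README: on a Windows host, a key created with CspProviderFlags.UseNonExportableKey makes the same ExportParameters(true) call throw while signing keeps working. The class name, helper names and the container name are made up for this demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not RemoteNET code. Windows-only (CAPI-backed provider).
static class NonExportableKeyDemo
{
    // Creates a 2048-bit key in a uniquely named container (name constructed
    // for this demo) so no existing container's key is silently reused.
    static RSACryptoServiceProvider CreateKey(bool exportable)
    {
        var csp = new CspParameters
        {
            KeyContainerName = "demo-" + Guid.NewGuid(),
            Flags = exportable ? CspProviderFlags.NoFlags
                               : CspProviderFlags.UseNonExportableKey
        };
        var rsa = new RSACryptoServiceProvider(2048, csp);
        rsa.PersistKeyInCsp = false; // remove the demo container on Dispose
        return rsa;
    }

    // Same call the README snippet makes remotely: ExportParameters(true).
    static bool PrivateKeyExports(RSACryptoServiceProvider rsa)
    {
        try { rsa.ExportParameters(true); return true; }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        using (var plain = CreateKey(exportable: true))
        using (var locked = CreateKey(exportable: false))
        {
            Console.WriteLine("default key exports private part: " + PrivateKeyExports(plain));
            Console.WriteLine("non-exportable key exports private part: " + PrivateKeyExports(locked));

            // The application itself is unaffected: signing still works.
            byte[] data = Encoding.UTF8.GetBytes("constructed sample message");
            byte[] sig = locked.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine("signature verifies: " +
                locked.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
        }
    }
}
```

This only covers keys the application creates itself through CspParameters; it limits reading out the private parameters, not use of the key by code running in the same process.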
✳️ Remote Events
You can also subscribe to/unsubscribe from remote events. The syntax is similar to "normal C#" although not exact:
CandidateObject cand = remoteApp.QueryInstances("System.IO.FileSystemWatcher").Single();
RemoteObject remoteFileSysWatcher = remoteApp.GetRemoteObject(cand);
dynamic dynFileSysWatcher = remoteFileSysWatcher.Dynamify();
Action<dynamic, dynamic> callback = (dynamic o, dynamic e) => Console.WriteLine("Event Invoked!");
dynFileSysWatcher.Changed += callback;
/* ... Somewhere further ... */
dynFileSysWatcher.Changed -= callback;
The limitations:
- The parameters for the callback must be dynamics
- The callback must define the exact number of parameters for that event
- Lambda expressions are not allowed. The callback must be cast to an Action<...>.
TODOs
- Static members
- Document "Reflection API" (RemoteType, RemoteMethodInfo, ... )
- Support other .NET framework CLR versions (Before .NET 4). Currently supports v4.0.30319
- Document Harmony (prefix/postfix/finalizer hooks)
- Support more Harmony features
Thanks
denandz for his interesting project KeeFarce which was a major inspiration for this project.
Also, multiple parts of this project are directly taken from KeeFarce (DLL Injection, Bootstrap, IntPtr-to-Object converter).
icons8 for the "Puppet" icon
Raymond Chen for stating this project shouldn't be done in this blog post from 2010.
I really like this quote from the post:
If you could obtain all instances of a type, the fundamental logic behind computer programming breaks down. It effectively becomes impossible to reason about code because anything could happen to your objects at any time.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net7.0 is compatible. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
net7.0
- InjectableDotNetHost.Injector (>= 1.0.12)
- Microsoft.CSharp (>= 4.7.0)
- Microsoft.Diagnostics.Runtime (>= 2.0.222201)
- NETStandard.Library (>= 2.0.3)
- Newtonsoft.Json (>= 13.0.1)
- System.IO.FileSystem.AccessControl (>= 5.0.0)
- System.Security.AccessControl (>= 6.0.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
1.0.4.17 | 93 | 11/2/2024 |
1.0.4.8 | 78 | 11/2/2024 |
1.0.4.7 | 76 | 11/2/2024 |
1.0.4.6 | 165 | 9/14/2024 |
1.0.4.2 | 129 | 6/8/2024 |
1.0.4.1 | 117 | 6/7/2024 |
1.0.3.1 | 175 | 2/17/2024 |
1.0.2.27 | 149 | 2/10/2024 |
1.0.2.15 | 139 | 1/29/2024 |
1.0.2.14 | 272 | 12/1/2023 |
1.0.2.4 | 215 | 9/1/2023 |
1.0.2.3 | 190 | 8/31/2023 |
1.0.2.2 | 237 | 8/4/2023 |
1.0.2 | 206 | 5/26/2023 |
1.0.1.28 | 238 | 4/12/2023 |
1.0.1.27 | 229 | 4/12/2023 |
1.0.1.26 | 305 | 2/3/2023 |
1.0.1.25 | 326 | 12/29/2022 |
1.0.1.24 | 308 | 12/24/2022 |
1.0.1.23 | 354 | 12/9/2022 |
1.0.1.22 | 335 | 11/18/2022 |
1.0.1.21 | 375 | 11/12/2022 |
1.0.1.20 | 335 | 11/9/2022 |
1.0.1.19 | 392 | 11/5/2022 |
1.0.1.18 | 375 | 11/5/2022 |
1.0.1.17 | 375 | 11/1/2022 |
1.0.1.16 | 374 | 11/1/2022 |
1.0.1.15 | 401 | 10/9/2022 |
1.0.1.14 | 389 | 10/5/2022 |
1.0.1.13 | 447 | 9/27/2022 |
1.0.1.11 | 477 | 3/5/2022 |
1.0.1.10 | 423 | 3/5/2022 |
1.0.1.9 | 456 | 2/21/2022 |
1.0.1.8 | 437 | 2/20/2022 |
1.0.1.7 | 444 | 2/20/2022 |
1.0.1.6 | 457 | 2/11/2022 |
1.0.1.5 | 452 | 1/24/2022 |
1.0.1.4 | 317 | 12/31/2021 |