Bleak
A Windows native DLL injection library written in C# that supports several methods of injection.
Injection Methods
- CreateThread
- HijackThread
- Manual
Injection Extensions
- EjectDll
- HideDllFromPeb
- RandomiseDllHeaders
Features
- Optional randomisation of the DLL name
- WOW64 and x64 injection
Installation
- Download and install Bleak using NuGet
Getting Started
After installing Bleak, you will want to ensure that your project is being compiled under AnyCPU or x64. This will ensure that you are able to inject into both WOW64 and x64 processes from the same project.
Usage
The example below describes a basic implementation of the library.
using Bleak;

var randomiseDllName = true;

using (var injector = new Injector(InjectionMethod.CreateThread, "processName", "dllPath", randomiseDllName))
{
    // Inject the DLL into the process
    var dllBaseAddress = injector.InjectDll();

    // Hide the injected DLL from the PEB
    injector.HideFromPeb();

    // Eject the DLL from the process
    injector.EjectDll();
}
Overloads
The first of these allows you to use a process ID instead of a process name.
var injector = new Injector(InjectionMethod, processId, "dllPath");
The second of these allows you to use a byte array representing a DLL instead of a DLL path.
var injector = new Injector(InjectionMethod, "processName", dllBytes);
Caveats
- Injecting with a byte array will result in the provided DLL being written to disk in the temporary folder, unless the method of injection is Manual.
- Injecting into a system process requires the program to be run in Administrator mode.
- Manual injection only supports structured exception handling. This means that you cannot use vectored exception handling (C++ uses this) if you wish to use this method of injection.
- x86 Manual injection relies on a PDB being present for ntdll.dll, and so, the first time this method is used with an x86 process, a PDB for ntdll.dll will be downloaded and cached in the temporary folder. Note that any time your system updates, a new PDB version may need to be downloaded and re-cached in the temporary folder. This process may take a few seconds depending on your connection speed.
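A defender's check for the first caveat, as an added example that is not part of Bleak: it lists modules that running processes have loaded from the temporary folder. It assumes that folder is the one Path.GetTempPath() returns for the current user; TempModuleAudit and its methods are hypothetical names.

```csharp
// Added defensive example; not part of the Bleak library.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;

static class TempModuleAudit
{
    // True when modulePath lies under tempRoot (case-insensitive, as on NTFS).
    public static bool IsUnderTemp(string modulePath, string tempRoot)
    {
        var root = Path.GetFullPath(tempRoot).TrimEnd(Path.DirectorySeparatorChar)
                   + Path.DirectorySeparatorChar;
        return modulePath.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }

    // Returns one "name (pid): path" entry per module loaded from tempRoot.
    // Module enumeration reads the loader list in the target's PEB, so a DLL
    // unlinked from it (the HideDllFromPeb extension) will not appear here.
    public static List<string> Scan(Process process, string tempRoot)
    {
        var hits = new List<string>();
        try
        {
            foreach (ProcessModule module in process.Modules)
                if (module.FileName != null && IsUnderTemp(module.FileName, tempRoot))
                    hits.Add($"{process.ProcessName} ({process.Id}): {module.FileName}");
        }
        catch (Exception e) when (e is Win32Exception || e is InvalidOperationException)
        {
            // Access denied (protected or system process) or the process exited mid-scan.
        }
        return hits;
    }

    static void Main()
    {
        // Assumption: the current user's temp folder is the one the DLL was written to.
        var temp = Path.GetTempPath();
        foreach (var process in Process.GetProcesses())
            using (process)
                foreach (var hit in Scan(process, temp))
                    Console.WriteLine(hit);
    }
}
```

Installers and self-extracting applications also load DLLs from the temporary folder, so each hit is a lead to examine rather than a verdict. Run the check elevated to cover processes owned by other users.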
Contributing
Pull requests are welcome.
For large changes, please open an issue first to discuss what you would like to add.