#include <windows.h> #include <tchar.h> #include <MSCoree.h> #include <Metahost.h> #pragma comment(lib, "mscoree.lib") int APIENTRY _tWinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPTSTR lpCmdLine, _In_ int nCmdShow) { ICLRMetaHost *pMetaHost = nullptr; ICLRMetaHostPolicy *pMetaHostPolicy = nullptr; ICLRRuntimeHost *pRuntimeHost = nullptr; ICLRRuntimeInfo *pRuntimeInfo = nullptr; HRESULT hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost); hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(&pRuntimeInfo)); if(FAILED(hr)) { MessageBox(0,L"启动出错",L"Error",MB_OK|MB_ICONERROR); goto cleanup; } hr = pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_PPV_ARGS(&pRuntimeHost)); hr = pRuntimeHost->Start(); DWORD dwRet = 0; hr = pRuntimeHost->ExecuteInDefaultAppDomain(L"EXE或DLL全路径", //不会产生新的进程 L"类的全名", L"函数名", L"参数", &dwRet); hr = pRuntimeHost->Stop(); cleanup: if(pRuntimeInfo != nullptr) { pRuntimeInfo->Release(); pRuntimeInfo = nullptr; } if(pRuntimeHost != nullptr) { pRuntimeHost->Release(); pRuntimeHost = nullptr; } if(pMetaHost != nullptr) { pMetaHost->Release(); pMetaHost = nullptr; } return TRUE; }
被调用的程序集必须具备以下签名: static int pwzMethodName (String pwzArgument) 参考地址:http://technet.microsoft.com/zh-cn/subscriptions/ms164411(v=vs.80) 但是通过PEID可以看出我们调用了.NET的某个核心的DLL中的函数(CLRCreateInstance): 真正程序集隐藏某个地方(如'在运行时把程序还原成文件并存储到某个目录下,并且锁定目录阻止其它程序读写。用完再删除')。这样就更好了! 1 //定义函数指针类型 2 typedef HRESULT (WINAPI *MyCLRCreateInstance)(REFCLSID clsid, REFIID riid, LPVOID *ppInterface); 3 4 //将此行改为以下三行内容:CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost); 5 HMODULE clrmd=LoadLibrary(L"mscoree.dll"); 6 MyCLRCreateInstance func=(MyCLRCreateInstance)(GetProcAddress(clrmd,"CLRCreateInstance")); 7 HRESULT hr = func(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost); 8 9 //略... 10 11 //最后FreeLibrary 12 FreeLibrary(clrmd); |
