我目前正在尝试构建我的应用程序,该应用程序使用 EasyHook 库挂钩其他进程的系统调用。我通过 NuGet 包管理器安装了最新版本,并制作了一个由 dll 和注入器组成的简单 C# 解决方案。
注入器代码取自 FileMon 示例,dll 也在很大程度上基于该示例。
我删除了除 createFile 之外的所有钩子,并为 ws2_32.dll 的 GetAddrInfoW 函数添加了我自己的钩子。
两个钩子一起运行时都可以正常工作。但当我注释掉 createFile 钩子时,目标应用程序会静默崩溃。
我的钩子、导入和委托代码:
// P/Invoke binding to the real ws2_32!GetAddrInfoW export; the hook forwards to this after logging.
// NOTE(review): `hints` is marshalled as a non-nullable ref struct, so a caller that passes a NULL
// hints pointer cannot be represented by this signature — confirm whether IntPtr is needed here.
[DllImport("ws2_32.dll", EntryPoint = "GetAddrInfoW", CallingConvention = CallingConvention.StdCall)]
static extern int GetAddrInfoW([In] [MarshalAs(UnmanagedType.LPWStr)] string nodename,[In] [MarshalAs(UnmanagedType.LPWStr)] string servicename,[In] ref AddressInfoW hints,out IntPtr ptrResults);
// Managed delegate matching the native GetAddrInfoW signature; EasyHook uses it both to install
// GetAddrInfoW_Hooked as the replacement and to describe how arguments are marshalled into it.
// Must stay in sync with the DllImport declaration above (same calling convention and parameters).
[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
delegate int GetAddrInfoW_Delegate([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults);
/// <summary>
/// Replacement for ws2_32!GetAddrInfoW installed via EasyHook: records the host name being
/// resolved in the shared message queue, then forwards the call to the original export.
/// </summary>
/// <param name="nodename">Host name being resolved; appended to the queued message.</param>
/// <param name="servicename">Service name or port; forwarded unchanged.</param>
/// <param name="hints">Address-info hints; forwarded unchanged.</param>
/// <param name="ptrResults">Receives the result pointer produced by the original call.</param>
/// <returns>The return value of the original GetAddrInfoW.</returns>
static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
{
    const int MaxQueuedMessages = 1000;
    try
    {
        string message = "DNS Request:" + nodename;
        // The queue is drained by the pump thread in Run; the cap keeps a chatty process from
        // growing it without bound between drains.
        lock (_messageQueue)
        {
            bool hasRoom = _messageQueue.Count < MaxQueuedMessages;
            if (hasRoom)
            {
                _messageQueue.Enqueue(message);
            }
        }
    }
    catch
    {
        // Logging is best-effort: an exception must never escape into the native caller.
    }

    return GetAddrInfoW(nodename, servicename, ref hints, out ptrResults);
}
我在 Run 方法中设置钩子的代码:
// Install both hooks first, then activate them, then let the (suspended) target continue.
LocalHook createFile_Hook = LocalHook.Create(
    LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
    new CreateFile_Delegate(CreateFile_Hook),
    this);
LocalHook GetAddrInfoW_Hook = LocalHook.Create(
    LocalHook.GetProcAddress("ws2_32.dll", "GetAddrInfoW"),
    new GetAddrInfoW_Delegate(GetAddrInfoW_Hooked),
    this);

// Thread ACL taken from the EasyHook FileMon sample; confirm the exact meaning of the {0}
// entry against the EasyHook documentation for SetExclusiveACL before relying on it.
createFile_Hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
GetAddrInfoW_Hook.ThreadACL.SetExclusiveACL(new int[] { 0 });

RemoteHooking.WakeUpProcess();
更新:注释掉 createFile 部分后我的代码:
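/// <summary>
/// EasyHook entry point executed inside the target process: installs the GetAddrInfoW hook,
/// wakes the target, then pumps queued DNS messages to the host until the IPC channel fails.
/// </summary>
/// <param name="context">Injection context supplied by EasyHook (not used here).</param>
/// <param name="channelName">IPC channel name supplied by EasyHook (not used here; the
/// <c>_payload</c> proxy is presumably connected in the constructor — confirm).</param>
public void Run(EasyHook.RemoteHooking.IContext context, string channelName)
{
    _payload.IsInstalled(RemoteHooking.GetCurrentProcessId());

    LocalHook GetAddrInfoW_Hook = null;
    try
    {
        GetAddrInfoW_Hook = LocalHook.Create(
            LocalHook.GetProcAddress("WS2_32.dll", "GetAddrInfoW"),
            new GetAddrInfoW_Delegate(GetAddrInfoW_Hooked),
            this);
        // ACL taken from the EasyHook FileMon sample; verify the semantics of the {0} entry
        // against the EasyHook documentation for SetExclusiveACL.
        GetAddrInfoW_Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
    }
    catch (Exception ExtInfo)
    {
        // Report to the host instead of failing silently; GetAddrInfoW_Hook stays null here.
        _payload.HandleError(ExtInfo);
    }
    _payload.ReceivedMessage("Hooks installed!");
    // Resumes the target if the injector started it suspended; must run after hooks are in place.
    RemoteHooking.WakeUpProcess();

    try
    {
        // Pump loop: forward whatever the hook queued, or ping so the host knows we are alive.
        // The only exit is an exception from the channel (host gone), which is the expected
        // shutdown signal and is therefore swallowed below.
        while (true)
        {
            System.Threading.Thread.Sleep(10);
            string[] queued;
            lock (_messageQueue)
            {
                queued = _messageQueue.ToArray();
                _messageQueue.Clear();
            }
            if (queued.Length > 0)
            {
                _payload.ReceivedMessages(RemoteHooking.GetCurrentProcessId(), queued);
            }
            else
            {
                _payload.Ping();
            }
        }
    }
    catch
    {
        // Channel failure is the normal exit path; fall through to cleanup.
    }
    finally
    {
        // Bug fix: Dispose was unconditional, so a failed LocalHook.Create above ended in a
        // NullReferenceException here instead of a clean unload. Cleanup now runs on every path.
        if (GetAddrInfoW_Hook != null)
        {
            GetAddrInfoW_Hook.Dispose();
        }
        LocalHook.Release();
    }
}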
#region GetAddrInfoW Hook
// Managed delegate matching the native GetAddrInfoW signature; EasyHook uses it to install
// GetAddrInfoW_Hooked as the replacement. Must stay in sync with the DllImport below.
[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
[return: MarshalAs(UnmanagedType.I4)]
delegate int GetAddrInfoW_Delegate([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults);
// P/Invoke binding to the real ws2_32!GetAddrInfoW export. This is what the hook must forward
// to — not GetAddrInfoW_Hooked itself — so the original resolution actually happens.
// NOTE(review): `hints` as a non-nullable ref struct cannot represent a NULL hints pointer
// from the native caller — confirm whether an IntPtr parameter is needed.
[DllImport("ws2_32.dll", EntryPoint = "GetAddrInfoW", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall)]
[return: MarshalAs(UnmanagedType.I4)]
static extern int GetAddrInfoW([In] [MarshalAs(UnmanagedType.LPWStr)] string nodename,
[In] [MarshalAs(UnmanagedType.LPWStr)] string servicename,
[In] ref AddressInfoW hints,
out IntPtr ptrResults);
//static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
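/// <summary>
/// Replacement for ws2_32!GetAddrInfoW installed via EasyHook: records the host name being
/// resolved in the shared message queue, then forwards the call to the original export.
/// </summary>
/// <param name="nodename">Host name being resolved; appended to the queued message.</param>
/// <param name="servicename">Service name or port; forwarded unchanged.</param>
/// <param name="hints">Address-info hints; forwarded unchanged.</param>
/// <param name="ptrResults">Receives the result pointer produced by the original call.</param>
/// <returns>The return value of the original GetAddrInfoW.</returns>
static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
{
    try
    {
        // Drained by the pump loop in Run; the cap keeps the queue bounded between drains.
        lock (_messageQueue)
        {
            if (_messageQueue.Count < 1000)
            {
                _messageQueue.Enqueue("DNS Request:" + nodename);
            }
        }
    }
    catch
    {
        // Logging is best-effort: an exception must never escape into the native caller.
    }

    // Bug fix: the previous version returned GetAddrInfoW_Hooked(...) — calling itself — so every
    // DNS lookup recursed until the stack overflowed, which is very likely the silent crash
    // observed once the CreateFile hook was removed. Forward to the P/Invoke binding instead.
    return GetAddrInfoW(nodename, servicename, ref hints, out ptrResults);
}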
#endregion