TechQA.

C# Easyhook Weird behaviour

340 views Asked by At

Im curently trying to build my application that hook system calls of other process using EasyHook library. I'v instlaled latest version via nuget packet manager, and made simple C# souliton that consists of dll and injector.

Injector code is taken from FileMon example. And dll is heavily based on exaple too.

I removed all hooks except createFile one and adden my own hook for ws2_32.dll GetAddrInfoW function.

When i run em together both works just fine. But when i comment the createFile target application crashesh silently.

My hook&imports&delegate code:

    [DllImport("ws2_32.dll", EntryPoint = "GetAddrInfoW", CallingConvention = CallingConvention.StdCall)]
    static extern int GetAddrInfoW([In] [MarshalAs(UnmanagedType.LPWStr)] string nodename,[In] [MarshalAs(UnmanagedType.LPWStr)] string servicename,[In] ref AddressInfoW hints,out IntPtr ptrResults);

    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate int GetAddrInfoW_Delegate([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults);

    static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
    {

        try
        {
            lock (_messageQueue)
            {
                if (_messageQueue.Count < 1000)
                    _messageQueue.Enqueue("DNS Request:" + nodename);
            }               
        }
        catch { }


        return GetAddrInfoW(nodename, servicename, ref hints, out ptrResults); ;
    }

My code for setting hooks inside run method:

         var createFile_Hook   = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),    new CreateFile_Delegate(CreateFile_Hook),      this);
         var GetAddrInfoW_Hook = LocalHook.Create(LocalHook.GetProcAddress("ws2_32.dll", "GetAddrInfoW"), new GetAddrInfoW_Delegate(GetAddrInfoW_Hooked), this);

         createFile_Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
         GetAddrInfoW_Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

        RemoteHooking.WakeUpProcess();

Update: My code when i comment createfile part:

 public void Run(EasyHook.RemoteHooking.IContext context, string channelName)
    {

        _payload.IsInstalled(RemoteHooking.GetCurrentProcessId());
        LocalHook GetAddrInfoW_Hook = null;

         try
         {
            GetAddrInfoW_Hook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "GetAddrInfoW"),  new GetAddrInfoW_Delegate(GetAddrInfoW_Hooked), this);
            GetAddrInfoW_Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

         } catch (Exception ExtInfo)
         {
             _payload.HandleError(ExtInfo);
         }

        _payload.ReceivedMessage("Hooks installed!");

        RemoteHooking.WakeUpProcess();

        try
        {
            while (true)
            {
                System.Threading.Thread.Sleep(10);

                string[] queued = null;
                lock (_messageQueue)
                {
                    queued = _messageQueue.ToArray();
                    _messageQueue.Clear();
                }

                // Send newly monitored file accesses to FileMonitor
                if (queued != null && queued.Length > 0)
                {
                    _payload.ReceivedMessages(RemoteHooking.GetCurrentProcessId(), queued);
                }
                else
                {
                    _payload.Ping();
                }
            }
        }
        catch
        {

        }

        GetAddrInfoW_Hook.Dispose();
        LocalHook.Release();
    }



    #region GetAddrInfoW Hook
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.I4)]
    delegate int GetAddrInfoW_Delegate([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults);

    [DllImport("ws2_32.dll", EntryPoint = "GetAddrInfoW", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall)]
    [return: MarshalAs(UnmanagedType.I4)]
    static extern int GetAddrInfoW([In] [MarshalAs(UnmanagedType.LPWStr)] string nodename,
                                   [In] [MarshalAs(UnmanagedType.LPWStr)] string servicename,
                                   [In] ref AddressInfoW hints,
                                        out IntPtr ptrResults);





    //static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
    static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
    {

        //int result = GetAddrInfoW(nodename, servicename, ref hints, out ptrResults);
        try
        {
            lock (_messageQueue)
            {
                if (_messageQueue.Count < 1000)
                    _messageQueue.Enqueue("DNS Request:" + nodename);
            }
        }
        catch { }


        return GetAddrInfoW_Hooked(nodename, servicename, ref hints, out ptrResults);
        //  return Marshal.GetDelegateForFunctionPointer<GetAddrInfoW_Delegate>(origAddr)(nodename,servicename,ref hints,out ptrResults) ;
    }
    #endregion
c# hook managed easyhook
Original Q&A
0

There are 0 answers

Related Questions in C#

Related Questions in HOOK

Related Questions in MANAGED

Related Questions in EASYHOOK

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions