时间戳

首页 > 解决方案 > C# Easyhook 奇怪的行为

c# - C# Easyhook 奇怪的行为

问题描述

我目前正在尝试构建我的应用程序,该应用程序使用 EasyHook 库挂钩其他进程的系统调用。我通过 nuget 数据包管理器安装了最新版本,并制作了由 dll 和注入器组成的简单 C#souliton。

注入器代码取自 FileMon 示例。并且 dll 也很大程度上基于 exaple。

我删除了除 createFile 之一之外的所有钩子,并为 ws2_32.dll GetAddrInfoW 函数添加了我自己的钩子。

当我一起运行它们时,两者都可以正常工作。但是当我评论 createFile 目标应用程序时,它会默默地崩溃。

我的钩子&导入&委托代码:

    [DllImport("ws2_32.dll", EntryPoint = "GetAddrInfoW", CallingConvention = CallingConvention.StdCall)]
    static extern int GetAddrInfoW([In] [MarshalAs(UnmanagedType.LPWStr)] string nodename,[In] [MarshalAs(UnmanagedType.LPWStr)] string servicename,[In] ref AddressInfoW hints,out IntPtr ptrResults);

    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate int GetAddrInfoW_Delegate([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults);

    static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
    {

        try
        {
            lock (_messageQueue)
            {
                if (_messageQueue.Count < 1000)
                    _messageQueue.Enqueue("DNS Request:" + nodename);
            }               
        }
        catch { }


        return GetAddrInfoW(nodename, servicename, ref hints, out ptrResults); ;
    }

我在运行方法中设置挂钩的代码:

         var createFile_Hook   = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),    new CreateFile_Delegate(CreateFile_Hook),      this);
         var GetAddrInfoW_Hook = LocalHook.Create(LocalHook.GetProcAddress("ws2_32.dll", "GetAddrInfoW"), new GetAddrInfoW_Delegate(GetAddrInfoW_Hooked), this);

         createFile_Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
         GetAddrInfoW_Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

        RemoteHooking.WakeUpProcess();

更新:当我评论 createfile 部分时我的代码:

 public void Run(EasyHook.RemoteHooking.IContext context, string channelName)
    {

        _payload.IsInstalled(RemoteHooking.GetCurrentProcessId());
        LocalHook GetAddrInfoW_Hook = null;

         try
         {
            GetAddrInfoW_Hook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "GetAddrInfoW"),  new GetAddrInfoW_Delegate(GetAddrInfoW_Hooked), this);
            GetAddrInfoW_Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

         } catch (Exception ExtInfo)
         {
             _payload.HandleError(ExtInfo);
         }

        _payload.ReceivedMessage("Hooks installed!");

        RemoteHooking.WakeUpProcess();

        try
        {
            while (true)
            {
                System.Threading.Thread.Sleep(10);

                string[] queued = null;
                lock (_messageQueue)
                {
                    queued = _messageQueue.ToArray();
                    _messageQueue.Clear();
                }

                // Send newly monitored file accesses to FileMonitor
                if (queued != null && queued.Length > 0)
                {
                    _payload.ReceivedMessages(RemoteHooking.GetCurrentProcessId(), queued);
                }
                else
                {
                    _payload.Ping();
                }
            }
        }
        catch
        {

        }

        GetAddrInfoW_Hook.Dispose();
        LocalHook.Release();
    }



    #region GetAddrInfoW Hook
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.I4)]
    delegate int GetAddrInfoW_Delegate([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults);

    [DllImport("ws2_32.dll", EntryPoint = "GetAddrInfoW", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall)]
    [return: MarshalAs(UnmanagedType.I4)]
    static extern int GetAddrInfoW([In] [MarshalAs(UnmanagedType.LPWStr)] string nodename,
                                   [In] [MarshalAs(UnmanagedType.LPWStr)] string servicename,
                                   [In] ref AddressInfoW hints,
                                        out IntPtr ptrResults);





    //static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
    static int GetAddrInfoW_Hooked([In] string nodename, [In] string servicename, [In] ref AddressInfoW hints, [Out] out IntPtr ptrResults)
    {

        //int result = GetAddrInfoW(nodename, servicename, ref hints, out ptrResults);
        try
        {
            lock (_messageQueue)
            {
                if (_messageQueue.Count < 1000)
                    _messageQueue.Enqueue("DNS Request:" + nodename);
            }
        }
        catch { }


        return GetAddrInfoW_Hooked(nodename, servicename, ref hints, out ptrResults);
        //  return Marshal.GetDelegateForFunctionPointer<GetAddrInfoW_Delegate>(origAddr)(nodename,servicename,ref hints,out ptrResults) ;
    }
    #endregion

标签: c#hookmanagedeasyhook

解决方案

推荐阅读