Hooking an application from C++/C# (winsock)

Posted 2024-10-02 21:02:45, 3554 characters, 10 views, 0 comments


I have an (old) application that calls the Winsock function:

struct hostent* FAR gethostbyname(
  __in  const char *name
);

It currently imports it as ws32_dll.#52 instead of by the normal name.

My intention is just to be able to do something like opening a message box when a host lookup happens (which should be at app start).

I tried to create a C++ DLL with the pragma comments pointing to #52 and put it in the app directory (including "exe.local" and "exe.manifest" files to try to redirect it), but it loaded the one from c:\windows\system32 instead.

After that, I created a C# project launching the process itself (hence getting the PID from the Process object), adding the EasyHook DLL to it.

I checked the example at: http://www.codeproject.com/KB/DLL/EasyHook64.aspx

Changing the calls to:

    // using directives, namespace and class header as in the EasyHook FileMon sample
    using System;
    using System.Collections.Generic;
    using System.Runtime.InteropServices;
    using System.Threading;
    using System.Windows.Forms;
    using EasyHook;

namespace FileMonInject
{
public class Main : EasyHook.IEntryPoint
{
    FileMon.FileMonInterface Interface;
    LocalHook CreateFileHook;
    Stack<String> Queue = new Stack<String>();

    public Main(
        RemoteHooking.IContext InContext,
        String InChannelName)
    {
        // connect to host...

        Interface = 
          RemoteHooking.IpcConnectClient<FileMon.FileMonInterface>(InChannelName);
    }

    public void Run(
        RemoteHooking.IContext InContext,
        String InChannelName)
    {
        // install hook...
        try
        {
            // the delegate type must be the gethostbyname one declared below, not DCreateFile
            CreateFileHook = LocalHook.Create(
                LocalHook.GetProcAddress("ws2_32.dll", "gethostbyname"),
                new DGetHostByName(GetHostByName_Hooked),
                this);

            CreateFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
        }
        catch (Exception ExtInfo)
        {
            Interface.ReportException(ExtInfo);

            return;
        }

        Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());

        // wait for host process termination...
        try
        {
            while (true)
            {
                Thread.Sleep(500);

                // transmit newly monitored host lookups...
                if (Queue.Count > 0)
                {
                    String[] Package = null;

                    lock (Queue)
                    {
                        Package = Queue.ToArray();

                        Queue.Clear();
                    }

                    Interface.OnCreateFile(RemoteHooking.GetCurrentProcessId(), Package);
                }
                else
                    Interface.Ping();
            }
        }
        catch
        {
            // NET Remoting will raise an exception if host is unreachable
        }
    }


    // gethostbyname takes a const char*, so the string must be marshalled as ANSI
    // (CharSet.Auto would read the argument as UTF-16 and hand the original a wrong pointer)
    [UnmanagedFunctionPointer(CallingConvention.StdCall,
        CharSet = CharSet.Ansi,
        SetLastError = true)]
    delegate IntPtr DGetHostByName(
        String name);

    // just use a P-Invoke implementation to get native API access
    // from C# (this step is not necessary for C++.NET)
    [DllImport("ws2_32.dll",
        CharSet = CharSet.Ansi,
        SetLastError = true,
        CallingConvention = CallingConvention.StdCall)]
    static extern IntPtr gethostbyname(
        String name);

    // this is where we are intercepting all gethostbyname calls!
    static IntPtr GetHostByName_Hooked(
        String name)
    {
        try
        {
            Main This = (Main)HookRuntimeInfo.Callback;
            MessageBox.Show("hi!");

            // queue the looked-up name so the Run() loop can report it to the host
            lock (This.Queue)
            {
                This.Queue.Push(name);
            }
        }
        catch
        {
        }

        // call original API (the P/Invoke name declared above, not GetHostByName)...
        return gethostbyname(
            name);
    }
}

}

(I may have made typos writing it here, but the project compiled successfully at home).

The thing is that I don't know what I need to do to hook this method <-> the application itself.

I mean.. what is left to do the hooking with C# EasyHook (assuming the app is "foo.exe")?
Do I need to create a custom DLL for EasyHook? (In that case, what content do I need to define inside it?)

I found it a bit... "complex" for a hello-world hook, hehe.

Thanks in advance ;)
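Added example, not code from the question or from the EasyHook project: the two pieces that are still missing from the post above. EasyHook wants the hook code in a separate class library that contains a public class implementing EasyHook.IEntryPoint (constructor and Run() with the signatures shown), and a host program that opens the IPC server and starts foo.exe with that library injected. An inline hook patches the code of the export itself, so it does not matter that the application imports gethostbyname by ordinal; the exe.local redirection failed because the loader does not honour DLL redirection for DLLs on its KnownDLLs list, which includes ws2_32.dll. Assumptions: EasyHook 2.7 (RemoteHooking.CreateAndInject with InjectionOptions.DoNotRequireStrongName and RemoteHooking.WakeUpProcess), the target name foo.exe, and the project and type names HostLookupInject, HostLookupHost, HookInterface and EntryPoint, which are mine.

```csharp
// ---- HostLookupInject.dll (class library referenced by the host; hypothetical name) ----
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Runtime.Remoting;
using System.Threading;
using EasyHook;

namespace HostLookupInject
{
    // Lives in the host process; the injected code calls it over EasyHook's .NET Remoting IPC channel.
    public class HookInterface : MarshalByRefObject
    {
        public void IsInstalled(int pid) { Console.WriteLine("hook installed in PID " + pid); }
        public void OnHostLookup(int pid, string[] names)
        {
            foreach (string n in names) Console.WriteLine("[" + pid + "] gethostbyname(\"" + n + "\")");
        }
        public void ReportException(Exception e) { Console.WriteLine("hook failed: " + e); }
        public void Ping() { }
    }

    // EasyHook creates this inside foo.exe: the constructor runs first, then Run() on its own thread.
    public class EntryPoint : IEntryPoint
    {
        HookInterface _iface;
        LocalHook _hook;
        readonly Stack<string> _queue = new Stack<string>();

        public EntryPoint(RemoteHooking.IContext ctx, string channelName)
        {
            _iface = RemoteHooking.IpcConnectClient<HookInterface>(channelName);
        }

        public void Run(RemoteHooking.IContext ctx, string channelName)
        {
            try
            {
                // Inline hook on the export's code: it fires whether the caller imported
                // gethostbyname by name or by ordinal (#52 in ws2_32.dll).
                _hook = LocalHook.Create(
                    LocalHook.GetProcAddress("ws2_32.dll", "gethostbyname"),
                    new DGetHostByName(GetHostByName_Hooked),
                    this);
                _hook.ThreadACL.SetExclusiveACL(new int[] { 0 });   // same ACL as the EasyHook sample
            }
            catch (Exception e) { _iface.ReportException(e); return; }
            _iface.IsInstalled(RemoteHooking.GetCurrentProcessId());

            // CreateAndInject created foo.exe suspended; release it only now, so the hook
            // is in place before the lookup the application does at startup.
            RemoteHooking.WakeUpProcess();

            // Report from this thread, not from inside the hook handler.
            try
            {
                while (true)
                {
                    Thread.Sleep(500);
                    string[] batch;
                    lock (_queue) { batch = _queue.ToArray(); _queue.Clear(); }
                    if (batch.Length > 0) _iface.OnHostLookup(RemoteHooking.GetCurrentProcessId(), batch);
                    else _iface.Ping();   // throws once the host is gone, which ends the loop
                }
            }
            catch { }
        }

        // gethostbyname takes a const char*, so marshal as ANSI; CharSet.Auto would read UTF-16.
        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi, SetLastError = true)]
        delegate IntPtr DGetHostByName(string name);

        [DllImport("ws2_32.dll", CharSet = CharSet.Ansi, SetLastError = true,
                   CallingConvention = CallingConvention.StdCall)]
        static extern IntPtr gethostbyname(string name);

        static IntPtr GetHostByName_Hooked(string name)
        {
            try
            {
                EntryPoint self = (EntryPoint)HookRuntimeInfo.Callback;
                lock (self._queue) self._queue.Push(name);
            }
            catch { }
            // Calling the original from within the handler is not re-intercepted by EasyHook.
            return gethostbyname(name);
        }
    }
}

// ---- HostLookupHost.exe (console app referencing HostLookupInject.dll; hypothetical name) ----
namespace HostLookupHost
{
    using HostLookupInject;

    class Program
    {
        static void Main(string[] args)
        {
            string exe = args.Length > 0 ? args[0] : "foo.exe";   // assumed target
            string channel = null;
            RemoteHooking.IpcCreateServer<HookInterface>(ref channel, WellKnownObjectMode.Singleton);
            string lib = typeof(EntryPoint).Assembly.Location;   // the DLL to inject (x86 and x64 path)
            int pid;
            RemoteHooking.CreateAndInject(exe, "", 0, InjectionOptions.DoNotRequireStrongName,
                                          lib, lib, out pid, channel);
            Console.WriteLine("foo.exe started as PID " + pid + "; press Enter to quit");
            Console.ReadLine();
        }
    }
}
```

Both projects reference EasyHook.dll, and the host's output directory must also contain EasyHook's native helper DLLs (EasyHook32.dll/EasyHook64.dll and the EasyLoad/EasyHook32Svc files shipped with the release) for the injection to succeed. The hook handler only queues the name; doing remoting calls or UI from inside the handler works for a quick test but runs on the application's own thread while it is in the middle of a Winsock call, which is why the report is deferred to the Run() thread.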


Comments (1)

⒈起吃苦の倖褔 2024-10-09 21:02:45


In the end, using the "Gray Hat Python" book taught me how to do all this with fewer lines, and just the same as I wanted.

No exe yet but... that's it.

Using pydbg + hooks.
