        /// <summary>
        /// The main entry point for our logic once injected within the target process.
        /// This is where the hooks will be created, and a loop will be entered until host process exits.
        /// EasyHook requires a matching Run method for the constructor
        /// </summary>
        /// <param name="context">The RemoteHooking context</param>
        /// <param name="channelName">The name of the IPC channel</param>
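        public void Run(
            EasyHook.RemoteHooking.IContext context,
            string channelName)
        {
            // Injection is now complete and the server interface is connected
            _server.IsInstalled(EasyHook.RemoteHooking.GetCurrentProcessId());

            // Every hook that was actually created, in install order. A hook that fails
            // to install (GetProcAddress throws when the module or export is missing)
            // must not leave the ones created before it patched into the target with
            // nobody left to remove them, so teardown runs from this list in a finally.
            var installed = new System.Collections.Generic.List<EasyHook.LocalHook>();

            try
            {
                // Install hooks. Each callback runs inside the target process on the
                // target's own threads; the calling thread is excluded by the ACL so
                // the IPC loop below is never intercepted by its own hooks.
                installed.Add(InstallHook("user32.dll", "SetWindowTextW",
                    new SetWindowTextDelegate(SetWindowTextHook)));
                installed.Add(InstallHook("kernel32.dll", "GetLocalTime",
                    new GetLocalTimeDelegate(GetLocalTimeHook)));
                // NOTE(review): GetSystemTimeAsFileTime is the primitive behind most
                // clock reads in a Windows process (presumably including the CRT and
                // .NET DateTime inside the target), so whatever the hook returns is
                // seen process-wide, not only by UI code - confirm that is intended.
                installed.Add(InstallHook("kernel32.dll", "GetSystemTimeAsFileTime",
                    new GetSystemTimeAsFileTimeDelegate(GetSystemTimeAsFileTimeHook)));
                installed.Add(InstallHook("imm32.dll", "ImmSetOpenStatus",
                    new ImmSetOpenStatusDelegate(ImmSetOpenStatusHook)));
                installed.Add(InstallHook("imm32.dll", "ImmAssociateContext",
                    new ImmAssociateContextDelegate(ImmAssociateContextHook)));

                // Tell the host what is really in place (the earlier text claimed
                // CreateFile/ReadFile/WriteFile, none of which are installed here).
                _server.ReportMessage(
                    "SetWindowTextW, GetLocalTime, GetSystemTimeAsFileTime, ImmSetOpenStatus and ImmAssociateContext hooks installed");

                // Wake up the process (required if using RemoteHooking.CreateAndInject).
                // Deliberately left after installation: a failure above propagates out
                // of Run before the target is resumed, exactly as before.
                EasyHook.RemoteHooking.WakeUpProcess();

                PumpMessagesUntilHostGone();
            }
            finally
            {
                // Remove hooks, most recently installed first, then let EasyHook
                // finalise cleanup. Runs on the normal (host gone) exit and on an
                // exception thrown during installation alike.
                for (int i = installed.Count - 1; i >= 0; i--)
                {
                    installed[i].Dispose();
                }
                EasyHook.LocalHook.Release();
            }
        }

        /// <summary>
        /// Creates a hook for <paramref name="export"/> in <paramref name="module"/> and
        /// activates it on every thread except the calling one.
        /// </summary>
        /// <param name="module">DLL that exports the target function, e.g. "kernel32.dll".</param>
        /// <param name="export">Name of the exported function to hook.</param>
        /// <param name="handler">Delegate with the target's signature that replaces it.</param>
        /// <returns>The installed hook; the caller owns it and must Dispose it.</returns>
        private EasyHook.LocalHook InstallHook(string module, string export, Delegate handler)
        {
            var hook = EasyHook.LocalHook.Create(
                EasyHook.LocalHook.GetProcAddress(module, export),
                handler,
                this);
            // Thread id 0 stands for the current thread in EasyHook's ACL: activate the
            // hook on all threads except this one.
            hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            return hook;
        }

        /// <summary>
        /// Forwards queued hook messages to the host every 500 ms (or pings it when
        /// there is nothing to send) until the IPC channel fails, which is how the
        /// host's exit is detected.
        /// </summary>
        private void PumpMessagesUntilHostGone()
        {
            try
            {
                while (true)
                {
                    System.Threading.Thread.Sleep(500);

                    // Drain under the lock, send outside it, so hook callbacks adding
                    // messages are never blocked on the IPC round-trip.
                    string[] queued;
                    lock (_messageQueue)
                    {
                        queued = _messageQueue.ToArray();
                        _messageQueue.Clear();
                    }

                    if (queued.Length > 0)
                    {
                        _server.ReportMessages(queued);
                    }
                    else
                    {
                        _server.Ping();
                    }
                }
            }
            catch
            {
                // Ping() or ReportMessages() raise when the host is unreachable; that is
                // the expected shutdown signal, so swallowing here is deliberate.
            }
        }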
        /// <summary>
        /// The main entry point for our logic once injected within the target process.
        /// This is where the hooks will be created, and a loop will be entered until host process exits.
        /// EasyHook requires a matching Run method for the constructor
        /// </summary>
        /// <param name="context">The RemoteHooking context</param>
        /// <param name="channelName">The name of the IPC channel</param>
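        public void Run(
            EasyHook.RemoteHooking.IContext context,
            string channelName)
        {
            // Injection is now complete and the server interface is connected
            _server.IsInstalled(EasyHook.RemoteHooking.GetCurrentProcessId());

            // Every hook that was actually created, in install order. Teardown runs from
            // this list in a finally so the hooks come out on every exit path: host gone,
            // cancel flag, or a hook that failed to install. Previously the Dispose calls
            // were only reached on the happy path - once the host had vanished the
            // "hooks Removed" report threw first, the outer catch threw again while
            // reporting, and the hooks stayed in the target.
            var installed = new System.Collections.Generic.List<EasyHook.LocalHook>();

            try
            {
                // Install hooks. GetProcAddress throws if the export is missing, which
                // stops installation at that point and is reported below.
                installed.Add(InstallHook("kernel32.dll", "CreateFileW",
                    new CreateFile_Delegate(CreateFile_Hook)));
                installed.Add(InstallHook("kernel32.dll", "GetFileAttributesA",
                    new DGetFileAttrsA(GetFileAttributesA_Hook)));
                installed.Add(InstallHook("kernel32.dll", "GetFileAttributesW",
                    new DGetFileAttrsW(GetFileAttributesW_Hook)));
                installed.Add(InstallHook("kernel32.dll", "MoveFileW",
                    new DMoveFileW(MoveFileW_Hook)));
                installed.Add(InstallHook("kernel32.dll", "MoveFileA",
                    new DMoveFileA(MoveFileA_Hook)));

                // Name everything that is really hooked (the old text only said MoveFileW).
                _server.ReportMessage("CreateFileW, GetFileAttributesA/W and MoveFileA/W hooks installed on thread "
                    + Thread.CurrentThread.ManagedThreadId);

                // Wake up the process (required if using RemoteHooking.CreateAndInject)
                EasyHook.RemoteHooking.WakeUpProcess();

                PumpMessagesUntilStopped();
            }
            catch (Exception ex)
            {
                // Installation (or the install report) failed. The host may itself be the
                // reason, so this report must not be allowed to throw out of Run.
                TryReport("MoveHook failed:" + ex.Message);
            }
            finally
            {
                // Remove hooks, most recently installed first, then finalise cleanup.
                for (int i = installed.Count - 1; i >= 0; i--)
                {
                    installed[i].Dispose();
                }
                EasyHook.LocalHook.Release();
                TryReport("MoveFileW hooks Removed");
            }
        }

        /// <summary>
        /// Creates a hook for <paramref name="export"/> in <paramref name="module"/> and
        /// activates it on every thread except the calling one.
        /// </summary>
        /// <param name="module">DLL that exports the target function, e.g. "kernel32.dll".</param>
        /// <param name="export">Name of the exported function to hook.</param>
        /// <param name="handler">Delegate with the target's signature that replaces it.</param>
        /// <returns>The installed hook; the caller owns it and must Dispose it.</returns>
        private EasyHook.LocalHook InstallHook(string module, string export, Delegate handler)
        {
            var hook = EasyHook.LocalHook.Create(
                EasyHook.LocalHook.GetProcAddress(module, export),
                handler,
                this);
            // Thread id 0 stands for the current thread in EasyHook's ACL: activate the
            // hook on all threads except this one, so the IPC loop is never intercepted.
            hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            return hook;
        }

        /// <summary>
        /// Forwards queued hook messages to the host every 500 ms (or pings it when idle)
        /// until the host clears its running flag or the IPC channel fails.
        /// </summary>
        private void PumpMessagesUntilStopped()
        {
            try
            {
                while (true)
                {
                    // Co-operative stop requested by the host.
                    if (_server.running == false)
                    {
                        _server.ReportMessages(new string[] { "Inject cancel." });
                        break;
                    }

                    System.Threading.Thread.Sleep(500);

                    // Drain under the lock, send outside it, so hook callbacks adding
                    // messages are never blocked on the IPC round-trip.
                    string[] queued;
                    lock (_messageQueue)
                    {
                        queued = _messageQueue.ToArray();
                        _messageQueue.Clear();
                    }

                    if (queued.Length > 0)
                    {
                        _server.ReportMessages(queued);
                    }
                    else
                    {
                        _server.Ping();
                    }
                }
            }
            catch
            {
                // Ping() or ReportMessages() raise when the host is unreachable; that is
                // the expected shutdown signal, so swallowing here is deliberate.
            }
        }

        /// <summary>
        /// Sends a status line to the host, ignoring failures. Used on teardown paths
        /// where the host may already be gone and a throw would abort hook removal.
        /// </summary>
        /// <param name="message">Text to forward to the host.</param>
        private void TryReport(string message)
        {
            try
            {
                _server.ReportMessage(message);
            }
            catch
            {
                // Best-effort only; the hooks still have to come out.
            }
        }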