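        /// <summary>
        /// Enumerates running processes, and for every one whose image name equals
        /// <paramref name="proccessName"/> (case-insensitive) and whose bitness does not exceed
        /// this process's own, installs a pre-call hook on <c>mshtml.dll</c> at offset <c>_RVA</c>.
        /// </summary>
        /// <param name="proccessName">Process image name to look for.</param>
        /// <returns>
        /// <c>true</c> when at least one hook was installed; <c>_process</c> then refers to the
        /// last process hooked. <c>false</c> when nothing was hooked; <c>_process</c> is reset to
        /// <c>null</c> in that case. (The original always returned <c>false</c> and always cleared
        /// <c>_process</c>, even after installing a hook.)
        /// </returns>
        private bool HookProcess(string proccessName)
        {
            bool hooked = false;

            NktProcessesEnum enumProcess = _spyMgr.Processes();
            NktProcess tempProcess = enumProcess.First();

            while (tempProcess != null)
            {
                bool nameMatches = tempProcess.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase);
                // Skip targets whose pointer width is larger than ours (IntPtr.Size * 8 bits).
                bool bitsSupported = tempProcess.PlatformBits > 0 && tempProcess.PlatformBits <= IntPtr.Size * 8;

                if (nameMatches && bitsSupported)
                {
                    NktModule module = tempProcess.ModuleByName("mshtml.dll");

                    // mshtml.dll may not be loaded in this instance; nothing to hook then.
                    if (module != null)
                    {
                        _process = tempProcess;

                        // 64-bit arithmetic: ToInt32() throws OverflowException for base addresses above 2 GiB.
                        IntPtr EA = new IntPtr(module.BaseAddress.ToInt64() + _RVA.ToInt64());

                        NktHook hook = _spyMgr.CreateHookForAddress(EA, "mshtml.dll!CStyleSheet::Notify", (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable | eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));

                        hook.Attach(_process, true);
                        hook.Hook(true);

                        // NOTE: the NktHook handle is local only, so the hook cannot be removed from here later.
                        hooked = true;
                    }
                }
                tempProcess = enumProcess.Next();
            }

            if (!hooked)
            {
                _process = null;
            }
            return hooked;
        }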
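        /// <summary>
        /// Installs a pre-call hook on every entry of the virtual table currently selected in
        /// <c>listBoxVTBL</c>, then resumes the target if it was started suspended.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void btnHook_Click(object sender, EventArgs e)
        {
            int selected = listBoxVTBL.SelectedIndex;

            // No selection yields -1, and ElementAt(-1) throws ArgumentOutOfRangeException.
            if (selected < 0)
            {
                return;
            }

            VTBL vtbl = VTableList.ElementAt(selected);

            foreach (var entry in vtbl.ValuesList)
            {
                // Hook handles are not retained, so these hooks cannot be removed from here later.
                NktHook hook = _spyMgr.CreateHookForAddress(_process, (IntPtr)entry, "",
                                                            (int)
                                                            (eNktHookFlags.flgOnlyPreCall |
                                                             eNktHookFlags.flgDontCheckAddress));
                hook.Hook(true);
            }

            if (checkSuspended.Checked)
            {
                _spyMgr.ResumeProcess(_process, ContinueEvent);
            }
        }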
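        /// <summary>
        /// Installs a pre-call hook on <c>CSQLSource::Execute</c> inside the SQL Server process
        /// (base of <c>sqllang.dll</c> plus <c>_RVA_SQLSource_Execute</c>) and registers the
        /// native custom-handler plugin on it.
        /// </summary>
        /// <exception cref="HookException">
        /// Thrown when <c>sqllang.dll</c> is not loaded in the target or the hook could not be created.
        /// </exception>
        public void Hook()
        {
            var sqlLang = _sqlServerProcess.ModuleByName("sqllang.dll");
            if (sqlLang == null)
            {
                // Previously this was an unguarded dereference (NullReferenceException).
                throw new HookException();
            }

            IntPtr EA = new IntPtr(sqlLang.BaseAddress.ToInt64() + _RVA_SQLSource_Execute.ToInt64());

            _functionHook = _spyMgr.CreateHookForAddress(EA, "CSQLSource_Execute", (int)eNktHookFlags.flgOnlyPreCall);

            // Check before use: the original called AddCustomHandler before testing for null.
            if (_functionHook == null)
            {
                throw new HookException();
            }

            // Plugin is resolved relative to the application's own directory, not from user input.
            string dllFileSpec = System.IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "NativePlugin.dll");

            // Third argument is the handler's init string; "1" when _blockQuery is set, "" otherwise
            // (presumably block vs. observe only — confirm against NativePlugin).
            _functionHook.AddCustomHandler(dllFileSpec, 0, _blockQuery ? "1" : "");
            _functionHook.OnStateChanged += _functionHook_OnStateChanged;

            Console.WriteLine("--- Registering custom handler DLL: {0}", dllFileSpec);

            _functionHook.Attach(_sqlServerProcess, true);
            _functionHook.Hook(true);
        }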
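        /// <summary>
        /// Post-call handler for <c>DllGetClassObject</c>. When the call succeeded and produced the
        /// ShellFolderView class factory, lazily installs post-call hooks on the factory's
        /// <c>CreateInstance</c> / <c>CreateInstanceLic</c> entries, whose addresses are read from
        /// the returned object's vtable in the target process.
        /// </summary>
        /// <param name="hook">The DllGetClassObject hook that fired (unused).</param>
        /// <param name="proc">Process in which the call happened; its memory is read for the vtable.</param>
        /// <param name="callInfo">Parameters and result of the intercepted call.</param>
        static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            //HRESULT failure bit set: nothing was created
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
            {
                return;
            }

            //if the call succeeded, check if we are creating a class factory that belongs
            //to the CLSID we need, in our example, "ShellFolderView coclass"
            NktParamsEnum pms = callInfo.Params();
            if (pms.GetAt(0).GuidString != "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
            {
                return;
            }

            string iid = pms.GetAt(1).GuidString;

            if (iid == "{00000001-0000-0000-C000-000000000046}")
            {
                //we have ShellFolderView's IClassFactory object
                if (hookIClassFactory_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory_CreateInstance == null)
                        {
                            //CreateInstance is the fourth vtable entry (index 3; the first three are IUnknown's)
                            IntPtr addr = ReadVTableEntry(proc, pms.GetAt(2).Evaluate().PointerVal, 3);
                            NktHook hk = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
                            //subscribe before activating so no early call is missed; publish the field last
                            hk.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
                            hk.Attach(proc.Id, true);
                            hk.Hook(true);
                            hookIClassFactory_CreateInstance = hk;
                        }
                    }
                }
            }

            if (iid == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
            {
                //we have ShellFolderView's IClassFactory2 object
                //(check both hooks so a missing CreateInstanceLic hook can still be installed)
                if (hookIClassFactory2_CreateInstance == null || hookIClassFactory2_CreateInstanceLic == null)
                {
                    lock (hookLock)
                    {
                        //address of the newly created object
                        IntPtr objAddr = pms.GetAt(2).Evaluate().PointerVal;

                        if (hookIClassFactory2_CreateInstance == null)
                        {
                            //CreateInstance is the fourth vtable entry (index 3)
                            IntPtr addr = ReadVTableEntry(proc, objAddr, 3);
                            NktHook hk = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
                            hk.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
                            hk.Attach(proc.Id, true);
                            hk.Hook(true);
                            hookIClassFactory2_CreateInstance = hk;
                        }

                        if (hookIClassFactory2_CreateInstanceLic == null)
                        {
                            //CreateInstanceLic is the eighth vtable entry (index 7)
                            IntPtr addr = ReadVTableEntry(proc, objAddr, 7);
                            NktHook hk = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
                            hk.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
                            hk.Attach(proc.Id, true);
                            hk.Hook(true);
                            hookIClassFactory2_CreateInstanceLic = hk;
                        }
                    }
                }
            }
        }

        /// <summary>
        /// Reads the method pointer at <paramref name="methodIndex"/> from the vtable of the COM
        /// object located at <paramref name="objectAddr"/> inside <paramref name="proc"/>.
        /// </summary>
        /// <param name="proc">Process whose memory is read.</param>
        /// <param name="objectAddr">Address of the COM object (its first pointer-sized field is the vtable pointer).</param>
        /// <param name="methodIndex">Zero-based slot in the vtable.</param>
        /// <returns>The entry point stored in that vtable slot.</returns>
        private static IntPtr ReadVTableEntry(NktProcess proc, IntPtr objectAddr, int methodIndex)
        {
            //get object's vtable address by inspecting the first pointer
            IntPtr vtable = proc.Memory().get_SSizeTVal(objectAddr);
            //then read the requested slot
            IntPtr slot = (IntPtr)(vtable.ToInt64() + methodIndex * IntPtr.Size);
            return proc.Memory().get_SSizeTVal(slot);
        }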
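        /// <summary>
        /// Loads the IEPrintWatermarkHelper DLL (matching the target's bitness) into
        /// <paramref name="proc"/>, calls its <c>GetXpsAddresses</c> export to obtain an address,
        /// unloads the helper, and — if an address came back — installs a pre-call hook there
        /// with the managed custom handler attached.
        /// </summary>
        /// <param name="proc">Target process; its <c>PlatformBits</c> selects the helper DLL and the pointer width.</param>
        private static void HookXpsInterfaces(NktProcess proc)
        {
            NktProcessMemory procMem;
            string           dllName;
            int    pointerSize, retVal;
            object callParams;
            IntPtr remoteBuffer, ptrVal;

            System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (a)");
            //helper is resolved from the application's own directory: IEPrintWatermarkHelper[64].dll
            dllName = GetAppPath() + "IEPrintWatermarkHelper";
            if (proc.PlatformBits == 64)
            {
                dllName += "64";
            }
            dllName += ".dll";

            pointerSize  = 0;
            procMem      = null;
            remoteBuffer = IntPtr.Zero;
            ptrVal       = IntPtr.Zero;
            try
            {
                System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (b)");
                //allocate one pointer-sized slot in the target for the helper's result
                pointerSize = proc.PlatformBits / 8;
                procMem     = proc.Memory();
                System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (c)");
                remoteBuffer = procMem.AllocMem(new IntPtr(pointerSize), false);
                System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (d)");
                //load helper dll and retrieve the pointer we need
                spyMgr.LoadCustomDll(proc, dllName, true, true);
                System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: LoadCustomDll 0x" + LastCallError().ToString("X"));
                //pass the buffer address in the target's own pointer width
                //(the original had a stray ';' between the if and else blocks, which does not compile)
                if (pointerSize == 4)
                {
                    callParams = new int[1] {
                        remoteBuffer.ToInt32()
                    };
                }
                else
                {
                    callParams = new long[1] {
                        remoteBuffer.ToInt64()
                    };
                }
                retVal = spyMgr.CallCustomApi(proc, dllName, "GetXpsAddresses", ref callParams, true);
                System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: CallCustomApi 0x" + LastCallError().ToString("X"));
                spyMgr.UnloadCustomDll(proc, dllName, true);
            }
            catch (System.Exception ex)
            {
                //record the failure instead of swallowing it silently; retVal < 0 skips the read below
                System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: " + ex.ToString());
                retVal = -1;
            }
            System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: retVal 0x" + retVal.ToString("X"));
            //read the address the helper wrote into the buffer
            if (retVal >= 0)
            {
                try
                {
                    if (pointerSize == 4)
                    {
                        ptrVal = new IntPtr(Convert.ToInt32(procMem.Read(remoteBuffer, eNktDboFundamentalType.ftSignedDoubleWord)));
                    }
                    else
                    {
                        ptrVal = new IntPtr(Convert.ToInt64(procMem.Read(remoteBuffer, eNktDboFundamentalType.ftSignedQuadWord)));
                    }
                }
                catch (System.Exception ex)
                {
                    System.Diagnostics.Trace.WriteLine("IEPrintWatermark [X]: " + ex.ToString());
                    ptrVal = IntPtr.Zero;
                }
            }
            //free memory (best effort: a failure here is not actionable)
            try
            {
                if (procMem != null && remoteBuffer != IntPtr.Zero)
                {
                    procMem.FreeMem(remoteBuffer);
                }
            }
            catch (System.Exception)
            { }
            //ToInt64: ToInt32() throws OverflowException for 64-bit addresses above 2 GiB
            System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: ptrVal 0x" + ptrVal.ToInt64().ToString("X"));

            //if we have an address, create a hook for it
            if (ptrVal != IntPtr.Zero)
            {
                NktHook hk;

                hk = spyMgr.CreateHookForAddress(ptrVal, "XpsServices.dll!IXpsOMPageReference::SetPage", (int)eNktHookFlags.flgOnlyPreCall);
                hk.AddCustomHandler(GetAppPath() + "IEPrintWatermarkHelperCS.dll", (int)eNktHookCustomHandlerFlags.flgChDontCallIfLoaderLocked, "");
                //NOTE(review): Hook is called before Attach here, the reverse of the other samples — confirm the order is intended
                hk.Hook(true);
                hk.Attach(proc, true);
            }
        }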