private bool HookProcess(string proccessName)
{
NktProcessesEnum enumProcess = _spyMgr.Processes();
NktProcess tempProcess = enumProcess.First();
while (tempProcess != null)
{
if (tempProcess.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase) && tempProcess.PlatformBits > 0 && tempProcess.PlatformBits <= IntPtr.Size * 8)
{
_process = tempProcess;
NktModule module = _process.ModuleByName("mshtml.dll");
if (module != null)
{
IntPtr EA = (IntPtr) new IntPtr(module.BaseAddress.ToInt32() + _RVA.ToInt32());
NktHook hook = _spyMgr.CreateHookForAddress(EA, "mshtml.dll!CStyleSheet::Notify", (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable | eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));
hook.Attach(_process, true);
hook.Hook(true);
}
}
tempProcess = enumProcess.Next();
}
_process = null;
return(false);
}
private void btnHook_Click(object sender, EventArgs e)
{
VTBL vtbl = VTableList.ElementAt(listBoxVTBL.SelectedIndex);
for (int a = 0; a < vtbl.ValuesList.Count; a++)
{
NktHook hook = _spyMgr.CreateHookForAddress(_process, (IntPtr)vtbl.ValuesList.ElementAt(a), "",
(int)
(eNktHookFlags.flgOnlyPreCall |
eNktHookFlags.flgDontCheckAddress));
hook.Hook(true);
}
if (checkSuspended.Checked)
{
_spyMgr.ResumeProcess(_process, ContinueEvent);
}
}
public void Hook()
{
IntPtr EA = (IntPtr) new IntPtr(_sqlServerProcess.ModuleByName("sqllang.dll").BaseAddress.ToInt64() + _RVA_SQLSource_Execute.ToInt64());
_functionHook = _spyMgr.CreateHookForAddress(EA, "CSQLSource_Execute", (int)eNktHookFlags.flgOnlyPreCall);
string dllFileSpec = AppDomain.CurrentDomain.BaseDirectory + "NativePlugin.dll";
_functionHook.AddCustomHandler(dllFileSpec, 0, _blockQuery ? "1" : "");
_functionHook.OnStateChanged += _functionHook_OnStateChanged;
Console.WriteLine("--- Registering custom handler DLL: {0}", dllFileSpec);
if (_functionHook != null)
{
_functionHook.Attach(_sqlServerProcess, true);
_functionHook.Hook(true);
}
else
{
throw new HookException();
}
}
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a class factory that belongs
//to the CLSID we need, in our example, "ShellFolderView coclass"
pms = callInfo.Params();
if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
{
s = pms.GetAt(1).GuidString;
if (s == "{00000001-0000-0000-C000-000000000046}")
{
//we have ShellFolderView's IClassFactory object
if (hookIClassFactory_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
hookIClassFactory_CreateInstance.Attach(proc.Id, true);
hookIClassFactory_CreateInstance.Hook(true);
hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
}
}
}
}
if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
{
//we have ShellFolderView's IClassFactory2 object
if (hookIClassFactory2_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory2_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
hookIClassFactory2_CreateInstance.Hook(true);
hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
}
if (hookIClassFactory2_CreateInstanceLic == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstanceLic method is the eighth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
hookIClassFactory2_CreateInstanceLic.Hook(true);
hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
}
}
}
}
}
}
return;
}
private static void HookXpsInterfaces(NktProcess proc)
{
NktProcessMemory procMem;
string dllName;
int pointerSize, retVal;
object callParams;
IntPtr remoteBuffer, ptrVal;
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (a)");
dllName = GetAppPath() + "IEPrintWatermarkHelper";
if (proc.PlatformBits == 64)
{
dllName += "64";
}
dllName += ".dll";
pointerSize = 0;
procMem = null;
remoteBuffer = IntPtr.Zero;
ptrVal = IntPtr.Zero;
try
{
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (b)");
//allocate memory for retrieving results
pointerSize = proc.PlatformBits / 8;
procMem = proc.Memory();
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (c)");
remoteBuffer = procMem.AllocMem(new IntPtr(pointerSize), false);
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (d)");
//load helper dll and retrieve the pointer we need
spyMgr.LoadCustomDll(proc, dllName, true, true);
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: LoadCustomDll 0x" + LastCallError().ToString("X"));
if (pointerSize == 4)
{
callParams = new int[1] {
remoteBuffer.ToInt32()
}
}
;
else
{
callParams = new long[1] {
remoteBuffer.ToInt64()
}
};
retVal = spyMgr.CallCustomApi(proc, dllName, "GetXpsAddresses", ref callParams, true);
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: CallCustomApi 0x" + LastCallError().ToString("X"));
spyMgr.UnloadCustomDll(proc, dllName, true);
}
catch (System.Exception)
{
retVal = -1;
}
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: retVal 0x" + retVal.ToString("X"));
//get IXpsOMPageReference::CollectPartResources's address
if (retVal >= 0)
{
try
{
if (pointerSize == 4)
{
ptrVal = new IntPtr(Convert.ToInt32(procMem.Read(remoteBuffer, eNktDboFundamentalType.ftSignedDoubleWord)));
}
else
{
ptrVal = new IntPtr(Convert.ToInt64(procMem.Read(remoteBuffer, eNktDboFundamentalType.ftSignedQuadWord)));
}
}
catch (System.Exception ex)
{
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [X]: " + ex.ToString());
ptrVal = IntPtr.Zero;
}
}
//free memory
try
{
if (procMem != null && remoteBuffer != IntPtr.Zero)
{
procMem.FreeMem(remoteBuffer);
}
}
catch (System.Exception)
{ }
System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: ptrVal 0x" + ptrVal.ToInt32().ToString("X"));
//if we have an address, create a hook for it
if (ptrVal != IntPtr.Zero)
{
NktHook hk;
hk = spyMgr.CreateHookForAddress(ptrVal, "XpsServices.dll!IXpsOMPageReference::SetPage", (int)eNktHookFlags.flgOnlyPreCall);
hk.AddCustomHandler(GetAppPath() + "IEPrintWatermarkHelperCS.dll", (int)eNktHookCustomHandlerFlags.flgChDontCallIfLoaderLocked, "");
hk.Hook(true);
hk.Attach(proc, true);
}
}
