public Main(RemoteHooking.IContext InContext, ProcessDto procDto, SystemState state, string InChannelName) { try { _functions = new List<FunctionInjected>(); switch (state) { case SystemState.Scanning: _behaviorWrapper = RemoteHooking.IpcConnectClient<BehaviorsWrapper<FunctionBehaviorForXml>>(InChannelName); break; case SystemState.Locking: _behaviorWrapper = RemoteHooking.IpcConnectClient<BehaviorsWrapper<FunctionBehaviorForNLog>>(InChannelName); break; } foreach (var functionBehavior in _behaviorWrapper.Functions) { _functions.Add(functionBehavior.CreateAttachedTypeOfFunctionInjected(procDto)); } } catch (Exception ex) { Logger.Error(ex.Message, procDto.ProcName); } }
private void Intersept(ProcessDto processDto, SystemState state) { try { switch (state) { case SystemState.Scanning: RemoteHooking.IpcCreateServer<BehaviorsWrapper<FunctionBehaviorForXml>>(ref ChannelName, WellKnownObjectMode.SingleCall, WellKnownSidType.WorldSid); break; case SystemState.Locking: RemoteHooking.IpcCreateServer<BehaviorsWrapper<FunctionBehaviorForNLog>>(ref ChannelName, WellKnownObjectMode.SingleCall, WellKnownSidType.WorldSid); break; } var str = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "LibraryInjected.dll"); RemoteHooking.Inject(processDto.ProcId, str, str, (object)processDto, (object)state, (object)ChannelName); Logger.Info($"Injected to process {processDto.ProcId}", processDto.ProcName); } catch (Exception ex) { Logger.Error($"There was an error while connecting to target:\r\n{(object) ex.ToString()}", processDto.ProcName); } }
public InterseptDll(SystemState state, ProcessDto processDto) { if (processDto.ProcId == -1) { Logger.Error("No process exists with that name!", processDto.ProcName); return; } Intersept(processDto, state); }
public DeleteFileFunctionInjected(FunctionBehavior behavior, ProcessDto processDto) { _behavior = behavior; _processDto = processDto; _hook = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "DeleteFileW"), new DDeleteFile(DeleteFile_Hooked), this); _hook.ThreadACL.SetExclusiveACL(new int[0]); }
public static void CreateNewInjectProcess(SystemState state, ProcessDto processDto) { if (ChildDomains.ContainsKey(processDto.ProcName)) { AppDomain.Unload(ChildDomains[processDto.ProcName]); ChildDomains.Remove(processDto.ProcName); } ChildDomains.Add(processDto.ProcName, AppDomain.CreateDomain(processDto.ProcName)); ChildDomains[processDto.ProcName].CreateInstanceFromAndUnwrap(AppDomain.CurrentDomain.BaseDirectory + "InterceptedModule.dll", "InterceptedModule.InterseptDll", false, BindingFlags.CreateInstance, null, new[] {(object) state, (object) processDto}, CultureInfo.InvariantCulture, null); }
public static FunctionInjected CreateAttachedTypeOfFunctionInjected(this FunctionBehavior functionBehavior, ProcessDto processDto) { FunctionInjected result = null; var attributes = functionBehavior.GetType().GetCustomAttributes<AttachedTypeAttribute>(false).ToArray(); if (attributes.Any(x => x.TypeMustCreate.IsSubclassOf(typeof (FunctionInjected)))) { result = (FunctionInjected)Activator.CreateInstance(attributes.First().TypeMustCreate, functionBehavior, processDto); } return result; }
public void Run(RemoteHooking.IContext InContext, ProcessDto procDto, SystemState state, string InChannelName) { try { RemoteHooking.WakeUpProcess(); while (true) { } } catch (Exception ex) { Logger.Error(ex.Message, procDto.ProcName); } }