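/// <summary>
/// The main entry point for our logic once injected within the target process.
/// This is where the hooks will be created, and a loop will be entered until the host process exits.
/// EasyHook requires a matching Run method for the constructor.
/// Installs the SetWindowTextW, GetLocalTime, GetSystemTimeAsFileTime, ImmSetOpenStatus and
/// ImmAssociateContext hooks, pumps queued messages to the host until the IPC channel fails,
/// and then removes every hook that was installed. Unlike the earlier version, a hook that was
/// created before a later LocalHook.Create call threw is now disposed as well.
/// </summary>
/// <param name="context">The RemoteHooking context. Not read here; EasyHook passes it to Run.</param>
/// <param name="channelName">The name of the IPC channel. Not read here; presumably consumed by the
/// constructor that connects _server — confirm against the enclosing class.</param>
public void Run(
    EasyHook.RemoteHooking.IContext context,
    string channelName)
{
    // Injection is now complete and the server interface is connected
    _server.IsInstalled(EasyHook.RemoteHooking.GetCurrentProcessId());

    // Hooks in installation order; disposed in reverse in the finally block below so that a
    // failure part-way through installation does not leave the earlier hooks in place.
    var installedHooks = new System.Collections.Generic.List<EasyHook.LocalHook>();

    try
    {
        // Install hooks. The CreateFile/ReadFile/WriteFile hooks of the original file-monitor
        // sample are deliberately not installed in this build.
        InstallHook(installedHooks, "user32.dll", "SetWindowTextW",
            new SetWindowTextDelegate(SetWindowTextHook));
        InstallHook(installedHooks, "kernel32.dll", "GetLocalTime",
            new GetLocalTimeDelegate(GetLocalTimeHook));
        InstallHook(installedHooks, "kernel32.dll", "GetSystemTimeAsFileTime",
            new GetSystemTimeAsFileTimeDelegate(GetSystemTimeAsFileTimeHook));
        InstallHook(installedHooks, "imm32.dll", "ImmSetOpenStatus",
            new ImmSetOpenStatusDelegate(ImmSetOpenStatusHook));
        InstallHook(installedHooks, "imm32.dll", "ImmAssociateContext",
            new ImmAssociateContextDelegate(ImmAssociateContextHook));

        // The status message names the hooks that are actually installed; the previous text
        // still referred to the CreateFile/ReadFile/WriteFile hooks, which are not.
        _server.ReportMessage(
            "SetWindowTextW, GetLocalTime, GetSystemTimeAsFileTime, ImmSetOpenStatus and ImmAssociateContext hooks installed");

        // Wake up the process (required if using RemoteHooking.CreateAndInject)
        EasyHook.RemoteHooking.WakeUpProcess();

        PumpMessagesUntilHostGone();
    }
    finally
    {
        // Remove hooks in reverse installation order, whether the loop ended or installation threw.
        for (int i = installedHooks.Count - 1; i >= 0; i--)
        {
            installedHooks[i].Dispose();
        }

        // Finalise cleanup of hooks
        EasyHook.LocalHook.Release();
    }
}

/// <summary>
/// Creates a hook on <paramref name="export"/> of <paramref name="module"/>, records it in
/// <paramref name="installed"/> so it is disposed later, and activates it on all threads except
/// the current thread.
/// </summary>
/// <param name="installed">Receives the created hook, in installation order.</param>
/// <param name="module">Module that exports the function to hook, e.g. "kernel32.dll".</param>
/// <param name="export">Exported function name to hook.</param>
/// <param name="handler">Delegate instance EasyHook will invoke in place of the export.</param>
private void InstallHook(
    System.Collections.Generic.List<EasyHook.LocalHook> installed,
    string module,
    string export,
    System.Delegate handler)
{
    var hook = EasyHook.LocalHook.Create(
        EasyHook.LocalHook.GetProcAddress(module, export),
        handler,
        this);

    // Record before activating so a failure in SetExclusiveACL still leads to disposal.
    installed.Add(hook);

    // Activate hooks on all threads except the current thread
    hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
}

/// <summary>
/// Drains _messageQueue to the host every 500 ms, pinging when there is nothing to send.
/// Returns when Ping() or ReportMessages() throws, which is how an unreachable host is detected.
/// </summary>
private void PumpMessagesUntilHostGone()
{
    try
    {
        // Loop until FileMonitor closes (i.e. IPC fails)
        while (true)
        {
            System.Threading.Thread.Sleep(500);

            string[] queued;
            lock (_messageQueue)
            {
                queued = _messageQueue.ToArray();
                _messageQueue.Clear();
            }

            // Send newly queued messages to the host; otherwise keep the channel alive
            if (queued.Length > 0)
            {
                _server.ReportMessages(queued);
            }
            else
            {
                _server.Ping();
            }
        }
    }
    catch
    {
        // Ping() or ReportMessages() will raise an exception if host is unreachable;
        // that is the expected exit signal, so nothing is rethrown.
    }
}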
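/// <summary>
/// The main entry point for our logic once injected within the target process.
/// This is where the hooks will be created, and a loop will be entered until the host process exits.
/// EasyHook requires a matching Run method for the constructor.
/// Installs the CreateFileW, GetFileAttributesA/W and MoveFileA/W hooks, pumps queued messages to
/// the host until the host clears _server.running or the IPC channel fails, and then removes every
/// hook that was installed. Hook removal now runs in a finally block, so it also happens when
/// installation throws part-way through or when the host is already unreachable.
/// </summary>
/// <param name="context">The RemoteHooking context. Not read here; EasyHook passes it to Run.</param>
/// <param name="channelName">The name of the IPC channel. Not read here; presumably consumed by the
/// constructor that connects _server — confirm against the enclosing class.</param>
public void Run(
    EasyHook.RemoteHooking.IContext context,
    string channelName)
{
    // Injection is now complete and the server interface is connected
    _server.IsInstalled(EasyHook.RemoteHooking.GetCurrentProcessId());

    // Hooks in installation order; disposed in reverse in the finally block below.
    var installedHooks = new System.Collections.Generic.List<LocalHook>();

    try
    {
        // Install hooks
        // CreateFile https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
        InstallHook(installedHooks, "kernel32.dll", "CreateFileW",
            new CreateFile_Delegate(CreateFile_Hook));
        InstallHook(installedHooks, "kernel32.dll", "GetFileAttributesA",
            new DGetFileAttrsA(GetFileAttributesA_Hook));
        InstallHook(installedHooks, "kernel32.dll", "GetFileAttributesW",
            new DGetFileAttrsW(GetFileAttributesW_Hook));
        // The ReadFile/WriteFile hooks of the original sample are deliberately not installed here.
        InstallHook(installedHooks, "kernel32.dll", "MoveFileW",
            new DMoveFileW(MoveFileW_Hook));
        InstallHook(installedHooks, "kernel32.dll", "MoveFileA",
            new DMoveFileA(MoveFileA_Hook));

        // The status message names every hook actually installed; the previous text only mentioned MoveFileW.
        _server.ReportMessage(
            "CreateFileW, GetFileAttributesA/W and MoveFileA/W hooks installed on thread "
            + System.Threading.Thread.CurrentThread.ManagedThreadId);

        // Wake up the process (required if using RemoteHooking.CreateAndInject)
        EasyHook.RemoteHooking.WakeUpProcess();

        PumpMessagesUntilStopped();
    }
    catch (Exception ex)
    {
        // Installation (or the status report) failed; tell the host if it is still reachable.
        // Previously this report itself could throw and skip hook cleanup entirely.
        ReportBestEffort("MoveHook failed:" + ex.Message);
    }
    finally
    {
        // Remove hooks in reverse installation order
        for (int i = installedHooks.Count - 1; i >= 0; i--)
        {
            installedHooks[i].Dispose();
        }

        // Finalise cleanup of hooks
        EasyHook.LocalHook.Release();

        ReportBestEffort("Hooks removed");
    }
}

/// <summary>
/// Creates a hook on <paramref name="export"/> of <paramref name="module"/>, records it in
/// <paramref name="installed"/> so it is disposed later, and activates it on all threads except
/// the current thread.
/// </summary>
/// <param name="installed">Receives the created hook, in installation order.</param>
/// <param name="module">Module that exports the function to hook, e.g. "kernel32.dll".</param>
/// <param name="export">Exported function name to hook.</param>
/// <param name="handler">Delegate instance EasyHook will invoke in place of the export.</param>
private void InstallHook(
    System.Collections.Generic.List<LocalHook> installed,
    string module,
    string export,
    System.Delegate handler)
{
    var hook = EasyHook.LocalHook.Create(
        EasyHook.LocalHook.GetProcAddress(module, export),
        handler,
        this);

    // Record before activating so a failure in SetExclusiveACL still leads to disposal.
    installed.Add(hook);

    // Activate hooks on all threads except the current thread
    hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
}

/// <summary>
/// Drains _messageQueue to the host every 500 ms, pinging when there is nothing to send.
/// Returns when the host has cleared _server.running (after reporting "Inject cancel.") or when
/// Ping()/ReportMessages() throws, which is how an unreachable host is detected.
/// </summary>
private void PumpMessagesUntilStopped()
{
    try
    {
        // Loop until FileMonitor closes (i.e. IPC fails) or asks us to stop
        while (true)
        {
            if (_server.running == false)
            {
                _server.ReportMessages(new string[] { "Inject cancel." });
                break;
            }

            System.Threading.Thread.Sleep(500);

            string[] queued;
            lock (_messageQueue)
            {
                queued = _messageQueue.ToArray();
                _messageQueue.Clear();
            }

            // Send newly monitored file accesses to FileMonitor; otherwise keep the channel alive
            if (queued.Length > 0)
            {
                _server.ReportMessages(queued);
            }
            else
            {
                _server.Ping();
            }
        }
    }
    catch
    {
        // Ping() or ReportMessages() will raise an exception if host is unreachable;
        // that is the expected exit signal, so nothing is rethrown.
    }
}

/// <summary>
/// Sends one status message to the host, ignoring IPC failures. By the time this is used the
/// host may already have gone away, and a failed status report must not prevent hook removal.
/// </summary>
/// <param name="message">Text to report.</param>
private void ReportBestEffort(string message)
{
    try
    {
        _server.ReportMessage(message);
    }
    catch
    {
        // Host unreachable; there is nothing left to report to.
    }
}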