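/// <summary>
/// Entry point of the sample: connects to a remote hook session, installs a hook at an
/// address typed by the operator, and then blocks so the subscribed event handlers keep running.
/// </summary>
/// <param name="args">Exactly two values: the host IP address and the TCP port.</param>
static void Main(string[] args)
{
    if (args.Length != 2)
    {
        Console.WriteLine("Usage: Sample.exe host port");
        return;
    }

    // Validate the endpoint before touching the network, so a typo gives a clear message
    // instead of an unhandled FormatException/ArgumentOutOfRangeException.
    IPAddress host;
    if (!IPAddress.TryParse(args[0], out host))
    {
        Console.WriteLine("Invalid host IP address: " + args[0]);
        return;
    }

    int port;
    if (!int.TryParse(args[1], out port) || port < IPEndPoint.MinPort || port > IPEndPoint.MaxPort)
    {
        Console.WriteLine("Invalid port: " + args[1]);
        return;
    }

    Console.WriteLine("Connecting to remote thread...");
    _hookSession = new HookSession(new AsmResolverParametersDetector());
    _hookSession.MessageReceived += HookSessionOnMessageReceived;
    _hookSession.MessageSent += HookSessionOnMessageSent;
    _hookSession.HookTriggered += HookSessionOnHookTriggered;
    _hookSession.Connect(new IPEndPoint(host, port));

    Console.Write("Enter address to hook: ");
    string input = Console.ReadLine();

    // ReadLine returns null when standard input is closed or exhausted.
    if (input == null)
    {
        Console.WriteLine("No address supplied.");
        return;
    }

    // NumberStyles.HexNumber does not accept a "0x" prefix, so strip it when present.
    input = input.Trim();
    if (input.StartsWith("0x", StringComparison.OrdinalIgnoreCase))
    {
        input = input.Substring(2);
    }

    // The value is used as a code address in the hooked process: refuse anything that is
    // not a well-formed, non-zero hexadecimal number rather than passing it on.
    long rawAddress;
    if (!long.TryParse(input, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out rawAddress)
        || rawAddress == 0)
    {
        Console.WriteLine("Invalid hexadecimal address: " + input);
        return;
    }

    IntPtr address;
    try
    {
        // new IntPtr(long) throws OverflowException in a 32-bit process for values above 32 bits.
        address = new IntPtr(rawAddress);
    }
    catch (OverflowException)
    {
        Console.WriteLine("Address does not fit in a pointer on this platform: " + input);
        return;
    }

    _hookSession.Set(address);
    Console.WriteLine("Hook set!");

    // Keeps the main thread blocked so the process stays alive after the hook is set.
    Process.GetCurrentProcess().WaitForExit();
}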
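/// <summary>
/// Entry point of the MessageBoxHook sample: connects to a remote hook session, resolves
/// <c>MessageBoxA</c> in <c>user32.dll</c> through the session, and installs a hook on it.
/// </summary>
/// <param name="args">Exactly two values: the host IP address and the TCP port.</param>
public static void Main(string[] args)
{
    if (args.Length != 2)
    {
        Console.WriteLine("Usage: MessageBoxHook.exe host port");
        return;
    }

    // Validate the endpoint before touching the network, so a typo gives a clear message
    // instead of an unhandled FormatException/ArgumentOutOfRangeException.
    IPAddress host;
    if (!IPAddress.TryParse(args[0], out host))
    {
        Console.WriteLine("Invalid host IP address: " + args[0]);
        return;
    }

    int port;
    if (!int.TryParse(args[1], out port) || port < IPEndPoint.MinPort || port > IPEndPoint.MaxPort)
    {
        Console.WriteLine("Invalid port: " + args[1]);
        return;
    }

    Console.WriteLine("Connecting to remote thread...");
    _hookSession = new HookSession(new AsmResolverParametersDetector());
    _hookSession.HookTriggered += HookSessionOnHookTriggered;
    _hookSession.Connect(new IPEndPoint(host, port));

    Console.WriteLine("Hooking MessageBoxA...");
    var address = _hookSession.GetProcAddress("user32.dll", "MessageBoxA");

    // NOTE(review): whether HookSession.GetProcAddress reports failure by returning
    // IntPtr.Zero or by throwing is not visible here. The check guards the former case,
    // so a failed lookup never results in a hook being written at address zero.
    if (address == IntPtr.Zero)
    {
        Console.WriteLine("Could not resolve MessageBoxA in user32.dll.");
        return;
    }

    _hookSession.Set(address);
    Console.WriteLine("Hook set!");

    // Keeps the main thread blocked so the process stays alive after the hook is set.
    Process.GetCurrentProcess().WaitForExit();
}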
/// <summary>
/// Disassembles the code at <paramref name="address"/> until whole instructions covering at
/// least five bytes have been consumed, and reports the consumed byte count together with a
/// fixup offset for every instruction whose first opcode byte matches
/// <c>X86OpCodes.Jmp_Rel1632</c> or <c>X86OpCodes.Call_Rel1632</c>.
/// </summary>
/// <param name="session">Session used to read the memory that is disassembled.</param>
/// <param name="address">Address of the first instruction to inspect.</param>
/// <returns>
/// A <see cref="HookParameters"/> built from the reader position after the last decoded
/// instruction and the collected fixup offsets.
/// </returns>
public HookParameters Detect(HookSession session, IntPtr address)
{
    // A call needs at least 5 bytes. The longest possible x86 instruction is 15 bytes, so in
    // the worst case an instruction starting at byte 4 runs to byte 4 + 15.
    const int RequiredBytes = 5;
    const int LongestInstruction = 15;

    long baseAddress = address.ToInt64();
    var fixupOffsets = new List<ushort>();

    var codeReader = new MemoryStreamReader(
        session.ReadMemory(address, (RequiredBytes - 1) + LongestInstruction));
    var decoder = new X86Disassembler(codeReader, baseAddress);

    while (codeReader.Position - codeReader.StartPosition < RequiredBytes)
    {
        var instruction = decoder.ReadNextInstruction();
        var leadingByte = instruction.OpCode.Op1;

        bool isRelativeBranch = leadingByte == X86OpCodes.Jmp_Rel1632.Op1
                                || leadingByte == X86OpCodes.Call_Rel1632.Op1;
        if (!isRelativeBranch)
        {
            continue;
        }

        // The reader now sits just past the instruction; stepping back 4 bytes gives the
        // position of its trailing 4-byte operand.
        // NOTE(review): the loop bound and the return value treat codeReader.Position as a
        // buffer position, while this expression subtracts the absolute target address.
        // Confirm which coordinate space Position uses; the casts to int and ushort would
        // silently truncate a mismatched value.
        int operandOffset = (int)(codeReader.Position - baseAddress - 4);
        fixupOffsets.Add((ushort)operandOffset);
    }

    return new HookParameters((int)codeReader.Position, fixupOffsets);
}