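        /// <summary>
        /// Installs in-process detours on the kernel32 exports CreateFileW, ReadFile
        /// and WriteFile and activates them (thread ACL semantics in the remarks).
        /// </summary>
        /// <remarks>
        /// Order matters: the call-through delegate <c>ReadFileFunc</c> is resolved
        /// before any hook is activated, so a ReadFile call intercepted on another
        /// thread can never observe it unset (ReadFile_Hooked presumably calls the
        /// real ReadFile through it — confirm). All three hooks are created first and
        /// activated afterwards; EasyHook leaves a freshly created hook inactive
        /// until its thread ACL is set.
        /// The ACL <c>{ 0 }</c> follows EasyHook's convention (0 = the calling thread;
        /// an exclusive ACL lists the threads that are NOT intercepted), i.e. every
        /// other thread in the process is intercepted — confirm against the EasyHook
        /// version in use.
        /// NOTE(review): only calls that reach these three exports are observed;
        /// ANSI/Ex variants and direct ntdll calls presumably bypass them, so the
        /// resulting record is not a complete picture of the process's file I/O.
        /// </remarks>
        public override void InstallHook()
        {
            // Resolve the call-through delegate before anything is activated.
            ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>("kernel32.dll", "ReadFile");

            // Resolve one kernel32 export and bind it to the given managed detour;
            // this.Injector is handed to EasyHook as the per-hook callback object.
            Func<string, Delegate, LocalHook> hookExport = (export, detour) =>
                LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", export),
                    detour,
                    this.Injector);

            CreateFileHook = hookExport("CreateFileW", new DCreateFile(CreateFile_Hooked));
            ReadFileHook = hookExport("ReadFile", new DReadFile(ReadFile_Hooked));
            WriteFileHook = hookExport("WriteFile", new DWriteFile(WriteFile_Hooked));

            // Activate only once all three exist, so no detour runs mid-setup.
            foreach (LocalHook hook in new[] { CreateFileHook, WriteFileHook, ReadFileHook })
            {
                hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
        }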
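        /// <summary>
        /// Installs in-process detours on the kernel32 exports CreateFileW, ReadFile
        /// and WriteFile and activates them (thread ACL semantics in the remarks).
        /// </summary>
        /// <remarks>
        /// <c>ReadFileFunc</c> is resolved first so that no intercepted ReadFile call
        /// can run before the call-through delegate exists (ReadFile_Hooked presumably
        /// forwards through it — confirm). Hooks are created, then activated: EasyHook
        /// leaves a new hook inactive until its thread ACL is set.
        /// The ACL <c>{ 0 }</c> uses EasyHook's convention (0 = calling thread; an
        /// exclusive ACL names the threads that are NOT intercepted), so all other
        /// threads are intercepted — confirm for the EasyHook version in use.
        /// NOTE(review): coverage is limited to calls reaching these three exports;
        /// ANSI/Ex variants and direct ntdll calls presumably bypass them.
        /// </remarks>
        public override void InstallHook()
        {
            // Call-through delegate to the unhooked ReadFile; must exist before the
            // ReadFile hook goes live.
            ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>("kernel32.dll", "ReadFile");

            // The callback object EasyHook associates with each hook.
            object callback = this.Injector;

            CreateFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
                    new DCreateFile(CreateFile_Hooked),
                    callback);
            ReadFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "ReadFile"),
                    new DReadFile(ReadFile_Hooked),
                    callback);
            WriteFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "WriteFile"),
                    new DWriteFile(WriteFile_Hooked),
                    callback);

            // Activate each hook with a fresh ACL array (the native side may
            // rewrite the 0 entry to the real thread id — don't share one array).
            Action<LocalHook> activate = hook => hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            activate(CreateFileHook);
            activate(WriteFileHook);
            activate(ReadFileHook);
        }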
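        /// <summary>
        /// EasyHook entry point inside the target process: installs the kernel32
        /// detours, tells the host over IPC that they are in place, resumes the
        /// target, and then keeps pinging the host until it becomes unreachable.
        /// </summary>
        /// <param name="InContext">Injection context supplied by EasyHook (not used here).</param>
        /// <param name="InChannelName">Name of the host IPC channel (not used here;
        /// presumably consumed by the constructor that sets up <c>Interface</c> — confirm).</param>
        /// <remarks>
        /// Hooked here: WriteFile, ReadFile, CreateProcessW, ReplaceFileW. CreateFileW
        /// is not hooked in this variant. The call-through delegate <c>ReadFileFunc</c>
        /// is resolved before any hook goes live so an intercepted ReadFile call can
        /// never find it unset, and a lookup failure is reported like any other
        /// install error instead of escaping this entry point.
        /// The ACL <c>{ 0 }</c> follows EasyHook's convention (0 = calling thread; an
        /// exclusive ACL lists the threads that are NOT intercepted), so every thread
        /// except this injection thread is intercepted — confirm for the EasyHook
        /// version in use.
        /// NOTE(review): this variant forwards nothing to the host — the loop below
        /// only pings. Also, only calls reaching these exact exports are observed
        /// (ANSI/Ex variants and direct ntdll calls presumably bypass them), and the
        /// collector runs inside the monitored process, so a hostile process can
        /// unhook or tamper with it; the host must not treat this channel as a
        /// trustworthy or complete record.
        /// </remarks>
        public void Run(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // install hooks...
            try
            {
                // Resolve the call-through delegate before any hook is activated.
                ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>("kernel32.dll", "ReadFile");

                WriteFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "WriteFile"),
                    new DWriteFile(WriteFile_Hooked),
                    this);
                WriteFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

                ReadFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "ReadFile"),
                    new DReadFile(ReadFile_Hooked),
                    this);
                ReadFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

                CreateProcessHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"),
                    new DCreateProcess(CreateProcess_Hooked),
                    this);
                CreateProcessHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

                ReplaceFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "ReplaceFileW"),
                    new DReplaceFile(ReplaceFile_Hooked),
                    this);
                ReplaceFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
            catch (Exception installError)
            {
                // NOTE(review): returning here never reaches WakeUpProcess(), so a
                // target that was started suspended presumably stays suspended.
                // That fails closed (no unmonitored run); confirm it is intended.
                Interface.ReportException(installError);
                return;
            }

            // Report readiness, then let the target's main thread run. If
            // IsInstalled() throws, WakeUpProcess() is likewise never reached.
            Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
            RemoteHooking.WakeUpProcess();

            // Keep-alive loop; ends when the host is unreachable or the process exits.
            try
            {
                while (true)
                {
                    Thread.Sleep(500);
                    // Ping() raises if the host is unreachable; that ends the loop.
                    Interface.Ping();
                }
            }
            catch (Exception pingError)
            {
                Interface.ReportException(pingError);
            }
        }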
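        /// <summary>
        /// EasyHook entry point inside the target process: installs the kernel32
        /// detours, reports readiness to the host over IPC, resumes the target, then
        /// periodically ships the strings the detours collect in <c>Queue</c> to the
        /// host (pinging when there is nothing to send) until the host is unreachable.
        /// </summary>
        /// <param name="InContext">Injection context supplied by EasyHook (not used here).</param>
        /// <param name="InChannelName">Name of the host IPC channel (not used here;
        /// presumably consumed by the constructor that sets up <c>Interface</c> — confirm).</param>
        /// <remarks>
        /// Hooked here: WriteFile, ReadFile, CreateProcessW. CreateFileW is not hooked
        /// in this variant. The call-through delegate <c>ReadFileFunc</c> is resolved
        /// before any hook goes live so an intercepted ReadFile call can never find it
        /// unset, and a lookup failure is reported like any other install error
        /// instead of escaping this entry point.
        /// The ACL <c>{ 0 }</c> follows EasyHook's convention (0 = calling thread; an
        /// exclusive ACL lists the threads that are NOT intercepted), so every thread
        /// except this injection thread is intercepted — confirm for the EasyHook
        /// version in use.
        /// NOTE(review): whatever CreateProcess_Hooked captures is not forwarded by
        /// this loop; the host only receives <c>Queue</c> via OnWriteFile(). Only
        /// calls reaching these exact exports are observed (ANSI/Ex variants and
        /// direct ntdll calls presumably bypass them), and the collector runs inside
        /// the monitored process, so a hostile process can unhook or tamper with it;
        /// the host must not treat this channel as a trustworthy or complete record.
        /// </remarks>
        public void Run(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // install hooks...
            try
            {
                // Resolve the call-through delegate before any hook is activated.
                ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>("kernel32.dll", "ReadFile");

                WriteFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "WriteFile"),
                    new DWriteFile(WriteFile_Hooked),
                    this);
                WriteFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

                ReadFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "ReadFile"),
                    new DReadFile(ReadFile_Hooked),
                    this);
                ReadFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

                CreateProcessHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"),
                    new DCreateProcess(CreateProcess_Hooked),
                    this);
                CreateProcessHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
            catch (Exception installError)
            {
                // NOTE(review): returning here never reaches WakeUpProcess(), so a
                // target that was started suspended presumably stays suspended.
                // That fails closed (no unmonitored run); confirm it is intended.
                Interface.ReportException(installError);
                return;
            }

            var pid = RemoteHooking.GetCurrentProcessId();

            // Report readiness, then let the target's main thread run. If
            // IsInstalled() throws, WakeUpProcess() is likewise never reached.
            Interface.IsInstalled(pid);
            RemoteHooking.WakeUpProcess();

            // Drain loop: every 500 ms send what the detours queued, or ping.
            // Both OnWriteFile() and Ping() raise if the host is unreachable,
            // which ends the loop and this entry point.
            try
            {
                while (true)
                {
                    Thread.Sleep(500);

                    // Snapshot under the lock, including the emptiness check, so
                    // Count is never read while a detour thread is appending.
                    String[] package = null;
                    lock (Queue)
                    {
                        if (Queue.Count > 0)
                        {
                            package = Queue.ToArray();
                            Queue.Clear();
                        }
                    }

                    if (package != null)
                    {
                        Interface.OnWriteFile(pid, package);
                    }
                    else
                    {
                        Interface.Ping();
                    }
                }
            }
            catch (Exception ipcError)
            {
                Interface.ReportException(ipcError);
            }
        }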