/// <summary>
/// Installs the kernel32 file-API hooks (CreateFileW, ReadFile, WriteFile) in the
/// current process and applies a thread ACL that excludes only the calling thread.
/// </summary>
/// <remarks>
/// The three hooks are created before any ACL is applied, so a handler cannot run
/// while a sibling hook field is still null. A thread id of 0 in an exclusive ACL
/// is the EasyHook notation for "the current thread" — presumably kept unhooked so
/// the hook library's own reporting traffic is not intercepted; confirm against the
/// host side. <c>ReadFileFunc</c> is bound to kernel32's ReadFile export last.
/// </remarks>
public override void InstallHook()
{
    const string Kernel32 = "kernel32.dll";

    var createFileAddr = LocalHook.GetProcAddress(Kernel32, "CreateFileW");
    CreateFileHook = LocalHook.Create(createFileAddr, new DCreateFile(CreateFile_Hooked), this.Injector);

    var readFileAddr = LocalHook.GetProcAddress(Kernel32, "ReadFile");
    ReadFileHook = LocalHook.Create(readFileAddr, new DReadFile(ReadFile_Hooked), this.Injector);

    var writeFileAddr = LocalHook.GetProcAddress(Kernel32, "WriteFile");
    WriteFileHook = LocalHook.Create(writeFileAddr, new DWriteFile(WriteFile_Hooked), this.Injector);

    // Exclude only the current thread (id 0); every other thread is intercepted.
    // Order kept as in the original: CreateFile, WriteFile, ReadFile.
    CreateFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    WriteFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    ReadFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

    // Delegate bound to the kernel32 ReadFile export, for use by the hook handler.
    ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>(Kernel32, "ReadFile");
}
/// <summary>
/// Installs hooks on kernel32 CreateFileW, ReadFile and WriteFile, then applies an
/// exclusive thread ACL to each so that all threads except the calling one are
/// intercepted.
/// </summary>
/// <remarks>
/// Thread id 0 in the ACL list stands for the calling thread (EasyHook convention);
/// keeping that thread unhooked is presumably what lets the reporting/IPC side run
/// without re-entering the hooks — verify against the host. EasyHook hooks start
/// with an empty ACL (nothing intercepted) until one is set; confirm for the
/// EasyHook version in use.
/// </remarks>
public override void InstallHook()
{
    // Create all three hooks before applying any ACL.
    CreateFileHook = LocalHook.Create(
        LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
        new DCreateFile(CreateFile_Hooked),
        this.Injector);
    ReadFileHook = LocalHook.Create(
        LocalHook.GetProcAddress("kernel32.dll", "ReadFile"),
        new DReadFile(ReadFile_Hooked),
        this.Injector);
    WriteFileHook = LocalHook.Create(
        LocalHook.GetProcAddress("kernel32.dll", "WriteFile"),
        new DWriteFile(WriteFile_Hooked),
        this.Injector);

    // Apply ACLs in the same order as before: CreateFile, WriteFile, ReadFile.
    foreach (var hook in new[] { CreateFileHook, WriteFileHook, ReadFileHook })
    {
        hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    }

    // Delegate bound to the kernel32 ReadFile export, used by the hook handler.
    ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>("kernel32.dll", "ReadFile");
}
/// <summary>
/// EasyHook entry point executed inside the target process: installs the
/// WriteFile / ReadFile / CreateProcessW / ReplaceFileW hooks, tells the host the
/// hooks are in place, wakes the process and then keeps this thread alive by
/// pinging the host every 500 ms until the host becomes unreachable.
/// </summary>
/// <param name="InContext">Injection context handed over by EasyHook; not read here.</param>
/// <param name="InChannelName">IPC channel name handed over by EasyHook; not read here.</param>
/// <remarks>
/// CreateFileW hooking is not installed in this variant (it was left commented out
/// in the original). The batched transmission of queued file accesses is likewise
/// disabled here; each loop iteration only calls <c>Interface.Ping()</c>.
/// NOTE(review): if <c>Ping()</c> fails because the host is gone, the
/// <c>ReportException()</c> in the catch block — presumably also a remote call —
/// may throw as well and escape this method; confirm the host-side expectation.
/// </remarks>
public void Run(RemoteHooking.IContext InContext, String InChannelName)
{
    const string Kernel32 = "kernel32.dll";
    const int PollIntervalMs = 500;

    try
    {
        WriteFileHook = LocalHook.Create(
            LocalHook.GetProcAddress(Kernel32, "WriteFile"),
            new DWriteFile(WriteFile_Hooked),
            this);
        // Thread id 0 = this thread (EasyHook convention); it stays unhooked.
        WriteFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

        ReadFileHook = LocalHook.Create(
            LocalHook.GetProcAddress(Kernel32, "ReadFile"),
            new DReadFile(ReadFile_Hooked),
            this);
        ReadFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

        CreateProcessHook = LocalHook.Create(
            LocalHook.GetProcAddress(Kernel32, "CreateProcessW"),
            new DCreateProcess(CreateProcess_Hooked),
            this);
        CreateProcessHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

        ReplaceFileHook = LocalHook.Create(
            LocalHook.GetProcAddress(Kernel32, "ReplaceFileW"),
            new DReplaceFile(ReplaceFile_Hooked),
            this);
        ReplaceFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    }
    catch (Exception installError)
    {
        // Installation failed: report to the host and bail out.
        Interface.ReportException(installError);
        return;
    }

    // Delegate bound to the kernel32 ReadFile export, used by the hook handler.
    ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>(Kernel32, "ReadFile");

    Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
    RemoteHooking.WakeUpProcess();

    // Keep-alive loop; Ping() throws once the host is unreachable, which ends it.
    try
    {
        for (;;)
        {
            Thread.Sleep(PollIntervalMs);
            Interface.Ping();
        }
    }
    catch (Exception loopError)
    {
        Interface.ReportException(loopError);
    }
}
/// <summary>
/// EasyHook entry point executed inside the target process: installs the
/// WriteFile / ReadFile / CreateProcessW hooks, tells the host they are in place,
/// wakes the process and then loops every 500 ms, forwarding any queued write-file
/// records to the host (or pinging it when the queue is empty) until the host
/// becomes unreachable.
/// </summary>
/// <param name="InContext">Injection context handed over by EasyHook; not read here.</param>
/// <param name="InChannelName">IPC channel name handed over by EasyHook; not read here.</param>
/// <remarks>
/// No CreateFileW hook is created in this variant (it was left commented out in the
/// original). A CreateProcessW hook is installed, but the loop only forwards the
/// write-file queue; the create-process reporting code was commented out and is
/// omitted here. <c>Queue.Count</c> is read without holding the lock, as in the
/// original; only the snapshot-and-clear runs under <c>lock (Queue)</c>.
/// NOTE(review): if <c>Ping()</c> or <c>OnWriteFile()</c> fails because the host is
/// gone, the <c>ReportException()</c> in the catch block — presumably also a remote
/// call — may throw as well and escape this method; confirm the host-side expectation.
/// </remarks>
public void Run(RemoteHooking.IContext InContext, String InChannelName)
{
    const string Kernel32 = "kernel32.dll";
    const int PollIntervalMs = 500;

    try
    {
        WriteFileHook = LocalHook.Create(
            LocalHook.GetProcAddress(Kernel32, "WriteFile"),
            new DWriteFile(WriteFile_Hooked),
            this);
        // Thread id 0 = this thread (EasyHook convention); it stays unhooked.
        WriteFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

        ReadFileHook = LocalHook.Create(
            LocalHook.GetProcAddress(Kernel32, "ReadFile"),
            new DReadFile(ReadFile_Hooked),
            this);
        ReadFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

        CreateProcessHook = LocalHook.Create(
            LocalHook.GetProcAddress(Kernel32, "CreateProcessW"),
            new DCreateProcess(CreateProcess_Hooked),
            this);
        CreateProcessHook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    }
    catch (Exception installError)
    {
        // Installation failed: report to the host and bail out.
        Interface.ReportException(installError);
        return;
    }

    // Delegate bound to the kernel32 ReadFile export, used by the hook handler.
    ReadFileFunc = LocalHook.GetProcDelegate<DReadFile>(Kernel32, "ReadFile");

    Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
    RemoteHooking.WakeUpProcess();

    // Reporting loop; a remote-call failure (host gone) throws and ends it.
    try
    {
        for (;;)
        {
            Thread.Sleep(PollIntervalMs);

            if (Queue.Count > 0)
            {
                // Snapshot and drain the queue atomically, then report outside the lock.
                string[] batch;
                lock (Queue)
                {
                    batch = Queue.ToArray();
                    Queue.Clear();
                }
                Interface.OnWriteFile(RemoteHooking.GetCurrentProcessId(), batch);
            }
            else
            {
                Interface.Ping();
            }
        }
    }
    catch (Exception loopError)
    {
        Interface.ReportException(loopError);
    }
}