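/// <summary>
/// Walks the running processes, and for every one whose image name matches
/// <paramref name="proccessName"/> and whose bitness this host can hook, installs a
/// pre-call hook on <c>mshtml.dll!CStyleSheet::Notify</c> at base + <c>_RVA</c>.
/// </summary>
/// <param name="proccessName">Image name to match (invariant-culture, case-insensitive).</param>
/// <returns>
/// true when at least one hook was installed (<c>_process</c> then refers to the last process
/// hooked); false when nothing was hooked (<c>_process</c> is reset to null). The original
/// unconditionally returned false and cleared <c>_process</c> even after a successful hook.
/// </returns>
private bool HookProcess(string proccessName)
{
    bool hooked = false;
    NktProcessesEnum processes = _spyMgr.Processes();

    for (NktProcess candidate = processes.First(); candidate != null; candidate = processes.Next())
    {
        bool nameMatches = candidate.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase);
        // A target wider than this host (64-bit target from a 32-bit spy) cannot be hooked.
        bool bitnessOk = candidate.PlatformBits > 0 && candidate.PlatformBits <= IntPtr.Size * 8;
        if (!nameMatches || !bitnessOk)
        {
            continue;
        }

        NktModule mshtml = candidate.ModuleByName("mshtml.dll");
        if (mshtml == null)
        {
            continue;
        }

        // Entry address = module base + RVA. ToInt64 is used because the bitness check above
        // admits 64-bit targets on a 64-bit host, where ToInt32 on the base would overflow.
        IntPtr entryAddress = new IntPtr(mshtml.BaseAddress.ToInt64() + _RVA.ToInt64());

        // NOTE(review): _RVA is an offset into one specific mshtml.dll build, and
        // flgDontCheckAddress disables the engine's own check of the target address, so a
        // different mshtml version would be patched at the wrong place and likely crash the
        // target. Verify the RVA against the loaded module's version before relying on this.
        NktHook hook = _spyMgr.CreateHookForAddress(
            entryAddress,
            "mshtml.dll!CStyleSheet::Notify",
            (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable
                  | eNktHookFlags.flgOnlyPreCall
                  | eNktHookFlags.flgDontCheckAddress));
        hook.Attach(candidate, true);
        hook.Hook(true);

        _process = candidate;
        hooked = true;
    }

    if (!hooked)
    {
        // Nothing was hooked: do not leave a stale process reference behind.
        _process = null;
    }
    return hooked;
}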
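/// <summary>
/// Click handler for the "Hook" button: installs a pre-call hook on every method slot of the
/// virtual table currently selected in <c>listBoxVTBL</c>, inside <c>_process</c>, and then
/// resumes the process when <c>checkSuspended</c> says it was started suspended.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btnHook_Click(object sender, EventArgs e)
{
    int selectedIndex = listBoxVTBL.SelectedIndex;
    // With no selection SelectedIndex is -1 and ElementAt would throw; there is nothing to hook.
    if (selectedIndex < 0 || selectedIndex >= VTableList.Count())
    {
        return;
    }
    // Without a target process there is nothing to attach the hooks to.
    if (_process == null)
    {
        return;
    }

    VTBL vtbl = VTableList.ElementAt(selectedIndex);

    // NOTE(review): each slot value is hooked as if it were a function entry point, and
    // flgDontCheckAddress switches off the engine's own validation of that address, so a slot
    // that is not really a method pointer (padding, data, a forwarder) is hooked blindly.
    foreach (var slotValue in vtbl.ValuesList)
    {
        NktHook hook = _spyMgr.CreateHookForAddress(
            _process,
            (IntPtr)slotValue,
            "",
            (int)(eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));
        hook.Hook(true);
    }

    if (checkSuspended.Checked)
    {
        _spyMgr.ResumeProcess(_process, ContinueEvent);
    }
}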
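/// <summary>
/// Installs a pre-call hook on <c>CSQLSource::Execute</c> (sqllang.dll base +
/// <c>_RVA_SQLSource_Execute</c>) inside the attached SQL Server process and registers
/// <c>NativePlugin.dll</c>, located next to this assembly, as the in-process custom handler.
/// The handler is given "1" when <c>_blockQuery</c> is set, otherwise an empty string.
/// </summary>
/// <exception cref="HookException">
/// Thrown when sqllang.dll is not loaded in the target, when the plugin DLL is not present on
/// disk, or when the engine returns no hook object.
/// </exception>
public void Hook()
{
    NktModule sqllang = _sqlServerProcess.ModuleByName("sqllang.dll");
    if (sqllang == null)
    {
        // ModuleByName returns null when the module is absent; the original dereferenced it.
        throw new HookException();
    }

    IntPtr entryAddress = new IntPtr(sqllang.BaseAddress.ToInt64() + _RVA_SQLSource_Execute.ToInt64());
    _functionHook = _spyMgr.CreateHookForAddress(entryAddress, "CSQLSource_Execute", (int)eNktHookFlags.flgOnlyPreCall);

    // The null check must come before any use of the hook; the original tested it only after
    // AddCustomHandler and the event subscription had already dereferenced it.
    if (_functionHook == null)
    {
        throw new HookException();
    }

    // The handler DLL is loaded into the SQL Server process and runs with its privileges.
    // Refuse to inject a path that does not exist instead of letting the engine fail later.
    string dllFileSpec = System.IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "NativePlugin.dll");
    if (!System.IO.File.Exists(dllFileSpec))
    {
        throw new HookException();
    }

    Console.WriteLine("--- Registering custom handler DLL: {0}", dllFileSpec);
    _functionHook.AddCustomHandler(dllFileSpec, 0, _blockQuery ? "1" : "");
    _functionHook.OnStateChanged += _functionHook_OnStateChanged;

    _functionHook.Attach(_sqlServerProcess, true);
    _functionHook.Hook(true);
}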
// Post-call handler for DllGetClassObject. When the call succeeded and the requested CLSID
// is the ShellFolderView coclass, this inspects the class-factory object returned in the
// target process and lazily installs post-call hooks on its IClassFactory::CreateInstance
// (or IClassFactory2::CreateInstance / CreateInstanceLic) so later object creation can be
// observed. The hook objects are module-level fields; hookLock guards their one-time creation.
//
// NOTE(review): the object pointer and both vtable-derived addresses are read straight out
// of the target process (proc.Memory().get_SSizeTVal) and nothing validates them, so a
// compromised target or a non-standard factory layout steers the hook to an arbitrary
// address. The IClassFactory path additionally passes flgDontCheckAddress while the two
// IClassFactory2 paths do not — confirm that asymmetry is intended.
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    // Bit 31 of an HRESULT is the severity bit; clear means the call succeeded.
    if ((callInfo.Result().ULongVal & 0x80000000) == 0)
    {
        NktParamsEnum pms;
        IntPtr addr;
        string s;
        // The call succeeded: check whether the class factory being created belongs to the
        // CLSID we need — in this example, the "ShellFolderView" coclass.
        pms = callInfo.Params();
        if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
        {
            // Second parameter is the interface IID the caller asked for.
            s = pms.GetAt(1).GuidString;
            if (s == "{00000001-0000-0000-C000-000000000046}")
            {
                // IID_IClassFactory: we have ShellFolderView's IClassFactory object.
                // Double-checked locking so the hook is created at most once.
                if (hookIClassFactory_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory_CreateInstance == null)
                        {
                            // Third parameter (ppv): address of the newly created object.
                            addr = pms.GetAt(2).Evaluate().PointerVal;
                            // A COM object's first pointer-sized field is its vtable.
                            addr = proc.Memory().get_SSizeTVal(addr);
                            // CreateInstance is the fourth vtable slot (after the three
                            // IUnknown methods); read the method entry point from that slot.
                            addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
                            addr = proc.Memory().get_SSizeTVal(addr);
                            hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
                            hookIClassFactory_CreateInstance.Attach(proc.Id, true);
                            hookIClassFactory_CreateInstance.Hook(true);
                            hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
                        }
                    }
                }
            }
            if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
            {
                // IID_IClassFactory2: we have ShellFolderView's IClassFactory2 object.
                // Note that the CreateInstanceLic hook below is only attempted on the pass
                // that finds the CreateInstance hook unset; both are normally set together.
                if (hookIClassFactory2_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory2_CreateInstance == null)
                        {
                            // Address of the newly created object, then its vtable.
                            addr = pms.GetAt(2).Evaluate().PointerVal;
                            addr = proc.Memory().get_SSizeTVal(addr);
                            // CreateInstance is the fourth slot of IClassFactory2 as well
                            // (it extends IClassFactory); read its entry point.
                            addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
                            addr = proc.Memory().get_SSizeTVal(addr);
                            hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
                            hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
                            hookIClassFactory2_CreateInstance.Hook(true);
                            hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
                        }
                        if (hookIClassFactory2_CreateInstanceLic == null)
                        {
                            // Same object and vtable as above, re-read from the parameter.
                            addr = pms.GetAt(2).Evaluate().PointerVal;
                            addr = proc.Memory().get_SSizeTVal(addr);
                            // CreateInstanceLic is the eighth slot; read its entry point.
                            addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size);
                            addr = proc.Memory().get_SSizeTVal(addr);
                            hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
                            hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
                            hookIClassFactory2_CreateInstanceLic.Hook(true);
                            hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
                        }
                    }
                }
            }
        }
    }
    return;
}
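/// <summary>
/// Locates an IXpsOMPageReference method inside <paramref name="proc"/> by injecting the
/// IEPrintWatermarkHelper DLL (32- or 64-bit variant chosen by the target's bitness), calling
/// its <c>GetXpsAddresses</c> export with a remote pointer-sized buffer, and reading the
/// address back out of that buffer. If an address was obtained, a pre-call hook is installed
/// on it with <c>IEPrintWatermarkHelperCS.dll</c> as the custom handler.
/// Every failure is traced; the process is simply left unhooked.
/// </summary>
/// <param name="proc">Target process; its PlatformBits selects the helper DLL and pointer width.</param>
private static void HookXpsInterfaces(NktProcess proc)
{
    System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (a)");

    string dllName = GetAppPath() + "IEPrintWatermarkHelper";
    if (proc.PlatformBits == 64)
    {
        dllName += "64";
    }
    dllName += ".dll";

    int pointerSize = 0;
    NktProcessMemory procMem = null;
    IntPtr remoteBuffer = IntPtr.Zero;
    IntPtr ptrVal = IntPtr.Zero;
    bool helperLoaded = false;
    int retVal;

    try
    {
        System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (b)");
        // One pointer-sized slot in the target for the helper to write the address into.
        pointerSize = proc.PlatformBits / 8;
        procMem = proc.Memory();
        System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (c)");
        remoteBuffer = procMem.AllocMem(new IntPtr(pointerSize), false);
        System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: Start (d)");

        // Inject the helper DLL into the target and ask it for the address we need.
        spyMgr.LoadCustomDll(proc, dllName, true, true);
        helperLoaded = true;
        System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: LoadCustomDll 0x" + LastCallError().ToString("X"));

        // The remote buffer address is passed as a single int or long matching the target's
        // pointer width. (The original had a stray ';' between the if and else here.)
        object callParams;
        if (pointerSize == 4)
        {
            callParams = new int[1] { remoteBuffer.ToInt32() };
        }
        else
        {
            callParams = new long[1] { remoteBuffer.ToInt64() };
        }
        retVal = spyMgr.CallCustomApi(proc, dllName, "GetXpsAddresses", ref callParams, true);
        System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: CallCustomApi 0x" + LastCallError().ToString("X"));
    }
    catch (System.Exception ex)
    {
        // The original swallowed this silently; trace it so a failed injection is diagnosable.
        System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: " + ex.ToString());
        retVal = -1;
    }
    finally
    {
        // Unload the helper even when CallCustomApi threw, so the DLL is not left inside the
        // target; the original only unloaded on the success path.
        if (helperLoaded)
        {
            try
            {
                spyMgr.UnloadCustomDll(proc, dllName, true);
            }
            catch (System.Exception ex)
            {
                System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: UnloadCustomDll " + ex.ToString());
            }
        }
    }

    System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: retVal 0x" + retVal.ToString("X"));

    // Read back the method address the helper wrote into the remote buffer.
    if (retVal >= 0)
    {
        try
        {
            if (pointerSize == 4)
            {
                ptrVal = new IntPtr(Convert.ToInt32(procMem.Read(remoteBuffer, eNktDboFundamentalType.ftSignedDoubleWord)));
            }
            else
            {
                ptrVal = new IntPtr(Convert.ToInt64(procMem.Read(remoteBuffer, eNktDboFundamentalType.ftSignedQuadWord)));
            }
        }
        catch (System.Exception ex)
        {
            System.Diagnostics.Trace.WriteLine("IEPrintWatermark [X]: " + ex.ToString());
            ptrVal = IntPtr.Zero;
        }
    }

    // Release the remote buffer; this is best-effort and a failure is only traced.
    try
    {
        if (procMem != null && remoteBuffer != IntPtr.Zero)
        {
            procMem.FreeMem(remoteBuffer);
        }
    }
    catch (System.Exception ex)
    {
        System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: FreeMem " + ex.ToString());
    }

    // ToInt64: ToInt32 throws OverflowException for addresses above 2 GB in a 64-bit target.
    System.Diagnostics.Trace.WriteLine("IEPrintWatermark [HookXpsInterfaces]: ptrVal 0x" + ptrVal.ToInt64().ToString("X"));

    if (ptrVal != IntPtr.Zero)
    {
        // NOTE(review): this address comes from code we injected, not from the target's own
        // export table, so its correctness rests on the helper DLL matching the installed
        // XpsServices.dll; the engine cannot verify that for us.
        NktHook hk = spyMgr.CreateHookForAddress(ptrVal, "XpsServices.dll!IXpsOMPageReference::SetPage", (int)eNktHookFlags.flgOnlyPreCall);
        hk.AddCustomHandler(GetAppPath() + "IEPrintWatermarkHelperCS.dll", (int)eNktHookCustomHandlerFlags.flgChDontCallIfLoaderLocked, "");
        // Attach before Hook, matching the order used by every other hook setup in this
        // corpus; the original activated the hook before attaching it to proc.
        hk.Attach(proc, true);
        hk.Hook(true);
    }
}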