I got an (old) application that calls to the winsocket function:
struct hostent* FAR gethostbyname(
__in const char *name
);
It currently imports it as ws32_dll.#52 instead the normal name calling.
My intention is just to be able to do something like opening a messagebox when a host search happens (which should be at app start).
I tried to create a c++ dll with the pragma comments pointing to #52 and putting it on the app dir (including a "exe.local" and "exe.manifest" files to try to redirect it) but it loaded the c:\windows\system32 instead.
After that, i created a c# project launching the process itself(hence getting the PID from the Process object), adding the easyhook dll to it.
I checked the example at: http://www.codeproject.com/KB/DLL/EasyHook64.aspx
Changing the calls to:
FileMon.FileMonInterface Interface;
LocalHook CreateFileHook;
Stack<String> Queue = new Stack<String>();
public Main(
RemoteHooking.IContext InContext,
String InChannelName)
{
// connect to host...
Interface =
RemoteHooking.IpcConnectClient<FileMon.FileMonInterface>(InChannelName);
}
public void Run(
RemoteHooking.IContext InContext,
String InChannelName)
{
// install hook...
try
{
开发者_JAVA技巧 CreateFileHook = LocalHook.Create(
LocalHook.GetProcAddress("ws2_32.dll", "gethostbyname"),
new DCreateFile(GetHostByName_Hooked),
this);
CreateFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
}
catch (Exception ExtInfo)
{
Interface.ReportException(ExtInfo);
return;
}
Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
// wait for host process termination...
try
{
while (true)
{
Thread.Sleep(500);
// transmit newly monitored file accesses...
if (Queue.Count > 0)
{
String[] Package = null;
lock (Queue)
{
Package = Queue.ToArray();
Queue.Clear();
}
Interface.OnCreateFile(RemoteHooking.GetCurrentProcessId(), Package);
}
else
Interface.Ping();
}
}
catch
{
// NET Remoting will raise an exception if host is unreachable
}
}
[UnmanagedFunctionPointer(CallingConvention.StdCall,
CharSet = CharSet.Auto,
SetLastError = true)]
delegate IntPtr DGetHostByName(
String name);
// just use a P-Invoke implementation to get native API access
// from C# (this step is not necessary for C++.NET)
[DllImport("ws2_32.dll",
CharSet = CharSet.Auto,
SetLastError = true,
CallingConvention = CallingConvention.StdCall)]
static extern IntPtr gethostbyname(
String name);
// this is where we are intercepting all file accesses!
static IntPtr GetHostByName_Hooked(
String name)
{
try
{
Main This = (Main)HookRuntimeInfo.Callback;
MessageBox.Show("hi!");
}
catch
{
}
// call original API...
return GetHostByName(
name);
}
}
}
(may have made typos writing it here, but project compiled succesfully @ home).
The thing is that i dunno what I need to do the hooking this methods<-> the application itself.
I mean.. what lefts to just do the hooking with c# easyhook (assuming the app is "foo.exe")? Do i need to create a custom dll for easyhook?(in that case, what content do i need to define inside?)
I found it a bit... "complex" for a helloworld hook,hehe.
Thanks in advance ;)
In the end, using the "Gray hack python" book taugh me how to make all this with fewer lines, and just the same i wanted.
No exe yet but... that's it.
Using pydbg + hooks.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论