C#: API hooking with the EasyHook library

Posted by 逐浪少年


Editor's note: this article was compiled by the editors of the Xiaochangshi site (cha138.com). It mainly introduces C# API hooking with the EasyHook library; we hope it is of some reference value to you.

 

  •  Goal: make every number entered into calc be incremented by 1 automatically

 (So whoever else uses it never gets the right result, haha)

  • Writing the injector program

     

—————————————————————————————————
Methods of class Program: inject the DLL into the target process
—————————————————————————————————
using System;
using System.IO;
using System.Runtime.Remoting;   // WellKnownObjectMode
using EasyHook;

class Program
{
    static String ChannelName = null;
    static Int32 TargetPID = 0;  // the original fragment used this field without declaring it

    static void Main(string[] args)
    {
        if (args.Length < 1 || !Int32.TryParse(args[0], out TargetPID))
        {
            Console.WriteLine("Usage: Injector <target PID>");
            return;
        }

        // Start the IPC server that the injected DLL will call back into.
        RemoteHooking.IpcCreateServer<FileMonInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);

        // Inject.dll is expected next to the injector; the same path is given for x86 and x64.
        string injectionLibrary = Path.Combine(
            Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location),
            "Inject.dll");

        RemoteHooking.Inject(
            TargetPID,
            injectionLibrary,   // 32-bit library path
            injectionLibrary,   // 64-bit library path
            ChannelName);       // pass-through argument, received by the DLL's entry point

        Console.WriteLine("Injected to process {0}", TargetPID);
        Console.WriteLine("<Press any key to exit>");
        Console.ReadKey();
    }
}
__________________________________________________
Implementation of MarshalByRefObject, called by the DLL to confirm that it is running
__________________________________________________
public class FileMonInterface : MarshalByRefObject
{
    public void IsInstalled(Int32 InClientPID)
    {
        Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
    }
}

 

 

  • Writing the DLL used for injection

—————————————————————————————————
After a successful injection, Run is called: it hooks the SetWindowTextW API and redirects it to the DSetWindowText delegate
(the fragments below are all members of one class; the class shell and constructor are added here because the original omitted them)
—————————————————————————————————
using System;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;

// EasyHook looks for a public class implementing IEntryPoint whose constructor and Run
// method both take the pass-through arguments that were given to RemoteHooking.Inject.
public class Main : EasyHook.IEntryPoint
{
    FileMonInterface Interface = null;
    LocalHook Hook = null;

    public Main(RemoteHooking.IContext InContext, String InChannelName)
    {
        // Connect to the injector's IPC server so the DLL can report back.
        Interface = RemoteHooking.IpcConnectClient<FileMonInterface>(InChannelName);
    }

    public void Run(
        RemoteHooking.IContext InContext,
        String InChannelName)
    {
        // install hook...
        Hook = LocalHook.Create(
            LocalHook.GetProcAddress("user32.dll", "SetWindowTextW"),
            new DSetWindowText(SetWindowText_Hooked),
            this);

        // An exclusive ACL containing only thread id 0 means "hook all threads".
        Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
        Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
        RemoteHooking.WakeUpProcess();

        // Keep this thread alive so the hook stays installed.
        while (true)
        {
            Thread.Sleep(500);
        }
    }
—————————————————————————————————
Delegate
—————————————————————————————————
    // SetWindowTextW receives a UTF-16 string, so the delegate must marshal as Unicode;
    // the original fragment used CharSet.Ansi, which reads the wide string as a single byte.
    [UnmanagedFunctionPointer(CallingConvention.StdCall,
        CharSet = CharSet.Unicode,
        SetLastError = true)]
    delegate bool DSetWindowText(
        IntPtr hWnd, // IntPtr is used for handles
        string text
    );
—————————————————————————————————
API
—————————————————————————————————
    [DllImport("user32.dll",
        EntryPoint = "SetWindowTextW",
        CharSet = CharSet.Unicode,
        SetLastError = true,
        CallingConvention = CallingConvention.StdCall)]
    static extern bool SetWindowText(
        IntPtr hWnd, string text
    );
—————————————————————————————————
Puppet API (the hook handler)
—————————————————————————————————
    static bool SetWindowText_Hooked(
        IntPtr hWnd,
        string text)
    {
        // Modify the data to be displayed: strip the last two characters as the original did,
        // add 1, and pass any text that is not a number through unchanged instead of throwing.
        int value;
        if (text != null && text.Length > 2 && int.TryParse(text.Remove(text.Length - 2), out value))
        {
            text = (value + 1).ToString();
        }
        return SetWindowText(hWnd, text); // call the real API
    }
}
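The other side of the same technique is noticing it. An inline hooking engine such as EasyHook redirects a function by overwriting its first bytes with a jump to a trampoline, so a process can read the entry of an export it cares about and see whether it still begins with ordinary code. The check below is an added example, not code from the original post or from EasyHook: it loads user32.dll, reads the first 16 bytes of SetWindowTextW in the current process and flags the jump-stub encodings that hooks commonly leave there. It is a heuristic, since any in-memory patch looks the same and a hook placed past the first instructions is not seen.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not from the original post): report whether an export's entry
// point in this process starts with a control-flow diversion stub.
static class HookCheck
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr LoadLibrary(string lpFileName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

    // Entry encodings commonly written over a function start:
    //   E9 rel32              jmp rel32            (the usual 5-byte inline patch)
    //   FF 25 disp32          jmp [disp32]
    //   68 imm32 C3           push imm32 ; ret
    //   48 B8 imm64 FF E0     mov rax, imm64 ; jmp rax   (x64)
    public static bool LooksLikeJumpStub(byte[] b)
    {
        if (b == null || b.Length < 12) return false;
        if (b[0] == 0xE9) return true;
        if (b[0] == 0xFF && b[1] == 0x25) return true;
        if (b[0] == 0x68 && b[5] == 0xC3) return true;
        if (b[0] == 0x48 && b[1] == 0xB8 && b[10] == 0xFF && b[11] == 0xE0) return true;
        return false;
    }

    // Returns a one-line report of the entry bytes and sets looksHooked for the export.
    public static string Inspect(string module, string export, out bool looksHooked)
    {
        IntPtr hMod = LoadLibrary(module);
        if (hMod == IntPtr.Zero)
            throw new InvalidOperationException("cannot load " + module);
        IntPtr fn = GetProcAddress(hMod, export);
        if (fn == IntPtr.Zero)
            throw new InvalidOperationException(export + " not found in " + module);

        byte[] head = new byte[16];
        Marshal.Copy(fn, head, 0, head.Length);   // code pages are readable, no VirtualProtect needed
        looksHooked = LooksLikeJumpStub(head);
        return string.Format("{0}!{1} @ 0x{2:X}: {3}",
            module, export, fn.ToInt64(), BitConverter.ToString(head));
    }

    static void Main()
    {
        bool hooked;
        Console.WriteLine(Inspect("user32.dll", "SetWindowTextW", out hooked));
        Console.WriteLine(hooked
            ? "entry starts with a jump stub (possible inline hook)"
            : "entry does not start with a jump stub");
    }
}
```

Run it in a clean process and the entry shows the function's normal prologue; run the same check from inside a process that carries the hook above (for instance from a second injected DLL, or by calling Inspect in the hook DLL itself before and after LocalHook.Create) and the first byte reads E9. Endpoint agents do the same comparison at scale, checking in-memory export entries against the bytes of the module on disk rather than against a fixed list of stub patterns.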

 

  • Screenshot of the result

 
