  • easyHOOK socket send recv

    代码比较简单,就不做注释了。  包含一个sockethookinject.DLL 和sockethook.exe

    有一点不清楚,

    SetExclusiveACL 可以为当前线程添加 hook,但是 EasyHook 如何 detach DLL 并且释放 hook 呢?知道的大神麻烦告知一下。
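        /// <summary>
        /// Remoting object hosted by the monitoring process. The injected library obtains a
        /// proxy to it over the EasyHook IPC channel and calls it to report each buffer seen
        /// by the hooked send/recv functions.
        /// </summary>
        /// <remarks>
        /// The buffers are raw socket payloads of the hooked process and may contain
        /// credentials or session tokens. They are handed to every subscriber of the static
        /// <see cref="logEvent"/>, so treat subscribers and any output they produce as sensitive.
        /// </remarks>
        public class SocketInterFace : MarshalByRefObject
        {
            /// <summary>Signature of a subscriber that receives one captured buffer.</summary>
            public delegate void LogArgsHander(BufferStruct argsbuffer);

            /// <summary>Raised once per captured buffer; static, so shared by all instances.</summary>
            public static event LogArgsHander logEvent;

            /// <summary>Called by the injected library once its hooks are in place.</summary>
            /// <param name="InClientPID">Process id reported by the injected library.</param>
            public void IsInstalled(Int32 InClientPID)
            {
                // The page rendering had turned the trailing escape into a real line break inside
                // the literal, which does not compile. Restored as \r\n; the exact escape the
                // author used cannot be recovered from the page.
                Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
            }

            /// <summary>Reports a buffer captured by the recv hook.</summary>
            /// <param name="RecvBuffer">Bytes that were received.</param>
            /// <param name="LoginIndex">Not used by this method.</param>
            /// <param name="LoginIndexEx">Not used by this method.</param>
            public void OnRecv(byte[] RecvBuffer, int LoginIndex, int LoginIndexEx)
            {
                Publish(RecvBuffer, "recv");
            }

            /// <summary>Reports a buffer captured by the send hook.</summary>
            /// <param name="RecvBuffer">Bytes that were sent (the parameter name is historical).</param>
            /// <param name="LoginIndex">Not used by this method.</param>
            /// <param name="LoginIndexEx">Not used by this method.</param>
            public void OnSend(byte[] RecvBuffer, int LoginIndex, int LoginIndexEx)
            {
                Publish(RecvBuffer, "send");
            }

            /// <summary>Writes a plain text message to the console.</summary>
            public void OnLog(string BufferArgs) { Console.WriteLine(BufferArgs); }

            /// <summary>Forwards a captured buffer to the subscribers of <see cref="logEvent"/>.</summary>
            public void OnLog(BufferStruct buf)
            {
                // Copy the delegate first: a subscriber removed between the null check and the
                // call would otherwise cause a NullReferenceException.
                LogArgsHander handler = logEvent;
                if (handler != null)
                {
                    handler(buf);
                }
            }

            // Wraps a captured buffer and its direction tag, then raises the event.
            private void Publish(byte[] data, string direction)
            {
                BufferStruct captured = new BufferStruct();
                captured.Buffer = data;
                captured.BufferSize = data.Length;
                captured.ObjectType = direction;
                OnLog(captured);
            }

            /// <summary>One captured buffer together with its metadata.</summary>
            public struct BufferStruct
            {
                /// <summary>
                /// Socket handle. Not assigned anywhere in this class.
                /// </summary>
                public IntPtr sockHander;
                /// <summary>
                /// Packet data.
                /// </summary>
                public byte[] Buffer;
                /// <summary>
                /// Packet size in bytes.
                /// </summary>
                public int BufferSize;
                /// <summary>
                /// Dynamic packet sequence. Not assigned anywhere in this class.
                /// </summary>
                public int[] LoginIdent;
                /// <summary>
                /// Direction tag: "send" or "recv".
                /// </summary>
                public string ObjectType;
            }
        }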
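        /// <summary>
        /// Main window of the monitoring host. It registers the EasyHook components, creates
        /// the IPC server for <see cref="SocketInterFace"/>, injects sockethookinject.dll into
        /// the target process and prints every reported buffer as hex.
        /// </summary>
        public partial class Form1 : Form
        {
            /// <summary>Subscribes to captured buffers and warns when not running elevated.</summary>
            public Form1()
            {
                InitializeComponent();
                SocketInterFace.logEvent += new SocketInterFace.LogArgsHander(MainSend);
                if (!EasyHook.RemoteHooking.IsAdministrator)
                {
                    MessageBox.Show("请用管理员方式启动");
                }
            }

            /// <summary>Prints length, direction and hex content of one captured buffer.</summary>
            /// <remarks>
            /// The hex dump is the raw socket payload of the hooked process and may contain
            /// credentials or session tokens; keep the console output out of shared logs.
            /// </remarks>
            public void MainSend(socketHook.SocketInterFace.BufferStruct buff)
            {
                // The page rendering had turned the escape inside the format string into a real
                // line break, which does not compile. Restored as \r\n; the exact escape the
                // author used cannot be recovered from the page.
                Console.WriteLine(string.Format("长度:{0} 类型:{2}\r\n 内容:{1}", buff.BufferSize, byteToHexStr(buff.Buffer, buff.BufferSize), buff.ObjectType));
            }

            /// <summary>Formats the first <paramref name="byteLen"/> bytes as upper-case hex.</summary>
            /// <param name="bytes">Source bytes; null yields an empty string.</param>
            /// <param name="byteLen">Number of bytes to format; clamped to the array length.</param>
            /// <returns>Two hex digits per byte with no separator.</returns>
            public static string byteToHexStr(byte[] bytes, int byteLen)
            {
                if (bytes == null || byteLen <= 0)
                {
                    return "";
                }

                // Clamp so a length larger than the array cannot index past its end.
                int count = Math.Min(byteLen, bytes.Length);

                // StringBuilder avoids the quadratic cost of repeated string concatenation.
                var hex = new System.Text.StringBuilder(count * 2);
                for (int i = 0; i < count; i++)
                {
                    hex.Append(bytes[i].ToString("X2"));
                }
                return hex.ToString();
            }

            // Passed by reference to IpcCreateServer. It is null on the first click and keeps its
            // value afterwards.
            // NOTE(review): confirm how IpcCreateServer treats a non-null name on a second click,
            // and which client identities may connect when no allowed SIDs are listed.
            string ChannelName = null;

            /// <summary>Registers EasyHook, locates the target process and injects the hook library.</summary>
            private void button1_Click(object sender, EventArgs e)
            {
                try
                {
                    EasyHook.Config.Register(".net远程注入组建", "socketHook.exe", "sockethookinject.dll");
                }
                catch (Exception ex)
                {
                    // Registration stays best-effort, but the failure is no longer invisible.
                    Console.WriteLine("EasyHook.Config.Register failed: " + ex.Message);
                }

                // The target is chosen by image name alone; if several processes carry that name
                // the first one returned is used. The original called First(), which throws when
                // no process matches, so its "not running" branch could never be reached.
                int id = 0;
                foreach (Process candidate in Process.GetProcessesByName("SupARC"))
                {
                    if (id == 0)
                    {
                        id = candidate.Id;
                    }
                    candidate.Dispose();
                }

                if (id == 0)
                {
                    MessageBox.Show("ARC没有启动");
                    return;
                }

                EasyHook.RemoteHooking.IpcCreateServer<SocketInterFace>(ref ChannelName, System.Runtime.Remoting.WellKnownObjectMode.SingleCall);
                EasyHook.RemoteHooking.Inject(id, "sockethookinject.dll", "sockethookinject.dll", ChannelName);
            }

            /// <summary>Click handler with no behaviour yet.</summary>
            private void button2_Click(object sender, EventArgs e)
            {
            }
        }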
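    /// <summary>
    /// Entry point of the injected library. It connects back to the monitoring host, hooks
    /// recv and send in WS2_32.dll and forwards a copy of every transferred buffer to the host.
    /// </summary>
    /// <remarks>
    /// The forwarded bytes are the raw socket payload of the hooked process and leave that
    /// process over the IPC channel, so the channel and the host must be treated as holding
    /// sensitive data.
    /// </remarks>
    public class Main : IEntryPoint
    {
        SocketInterFace Interface;
        LocalHook RecvHook;
        LocalHook SendHook;

        // Set once a call to the host fails. It stops further forwarding and ends the
        // keep-alive loop in Run so the hooks are released.
        volatile bool hostUnreachable;

        /// <summary>Connects to the host's IPC channel and reports that initialisation succeeded.</summary>
        public Main(RemoteHooking.IContext InContext, string InChannelName)
        {
            Interface = RemoteHooking.IpcConnectClient<SocketInterFace>(InChannelName);
            Interface.OnLog("初始化HOOK成功");
        }

        /// <summary>Replacement for recv: calls the real function, then reports the bytes received.</summary>
        int MyRecv(IntPtr socket, IntPtr buffer, int length, int flags)
        {
            int bytesCount = recv(socket, buffer, length, flags);
            Forward(buffer, bytesCount, false);
            return bytesCount;
        }

        /// <summary>Replacement for send: calls the real function, then reports the bytes sent.</summary>
        int MySend(IntPtr socket, IntPtr buffer, int length, int flags)
        {
            int bytesCount = send(socket, buffer, length, flags);
            Forward(buffer, bytesCount, true);
            return bytesCount;
        }

        // Copies bytesCount bytes out of the native buffer and reports them to the host.
        // Does nothing for failed or empty transfers, or once the host is unreachable.
        void Forward(IntPtr buffer, int bytesCount, bool outgoing)
        {
            if (bytesCount <= 0 || hostUnreachable)
            {
                return;
            }

            try
            {
                byte[] copy = new byte[bytesCount];
                Marshal.Copy(buffer, copy, 0, copy.Length);
                if (outgoing)
                {
                    Interface.OnSend(copy, 0, 0);
                }
                else
                {
                    Interface.OnRecv(copy, 0, 0);
                }
            }
            catch (Exception)
            {
                // An exception escaping a hook handler would unwind into the hooked process's
                // own networking call. Record the failure instead and let Run shut down.
                hostUnreachable = true;
            }
        }

        /// <summary>
        /// Installs both hooks, announces the installation to the host and keeps the hooks
        /// alive until a call to the host fails; the hooks are disposed on the way out.
        /// </summary>
        public void Run(RemoteHooking.IContext InContext, string InChannelName)
        {
            try
            {
                RecvHook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "recv"), new DRecv(MyRecv), this);
                SendHook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "send"), new DSend(MySend), this);

                // In EasyHook's ACL model thread id 0 stands for the calling thread; an exclusive
                // ACL intercepts every thread except the listed ones, so this thread's own
                // send/recv calls are not hooked.
                SendHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
                RecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

                Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());

                // NOTE(review): this handle is stored in a uint although handles are
                // pointer-sized, requests PROCESS_ALL_ACCESS although nothing in this class uses
                // it, and is never closed. The call is kept only because OpenProcess and
                // dwProHwnd are public; prefer removing it, or use IntPtr, the narrowest access
                // mask that is needed, and CloseHandle.
                dwProHwnd = OpenProcess(PROCESS_ALL_ACCESS, 0, RemoteHooking.GetCurrentProcessId());

                // A lost host is noticed only when a hooked call next tries to report to it.
                while (!hostUnreachable)
                {
                    Thread.Sleep(500);
                }
            }
            finally
            {
                // Release the hooks instead of leaving them installed with nobody listening.
                if (SendHook != null)
                {
                    SendHook.Dispose();
                }
                if (RecvHook != null)
                {
                    RecvHook.Dispose();
                }
            }
        }

        [DllImport("kernel32.dll", EntryPoint = "OpenProcess")]
        public static extern uint OpenProcess(uint dwDesiredAccess, int bInheritHandle, int dwProcessId);
        public const uint PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF);
        public const uint SYNCHRONIZE = 0x00100000;
        public const uint STANDARD_RIGHTS_REQUIRED = 0x000F0000;
        public uint dwProHwnd = 0;

        // Delegate type matching the native recv signature, used for the hook handler.
        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
        delegate int DRecv(IntPtr socket, IntPtr buffer, int length, int flags);

        [DllImport("WS2_32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        static extern int recv(IntPtr socket, IntPtr buffer, int length, int flags);

        // Delegate type matching the native send signature, used for the hook handler.
        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
        delegate int DSend(IntPtr socket, IntPtr buffer, int length, int flags);

        [DllImport("WS2_32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        static extern int send(IntPtr socket, IntPtr buffer, int length, int flags);
    }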
  • 原文地址:https://www.cnblogs.com/yueyue184/p/5461062.html