99bobster99
@99bobster99
                    // start and inject into a new process
                    EasyHook.RemoteHooking.CreateAndInject(
                        targetExe, // executable to run
                        targetArg, // command line arguments for target
                        0, // additional process creation flags to pass to CreateProcess
                        EasyHook.InjectionOptions.DoNotRequireStrongName, // allow injectionLibrary to be unsigned
                        injectionRegLibrary, // 32-bit library to inject (if target is 32-bit)
                        injectionRegLibrary, // 64-bit library to inject (if target is 64-bit)
                        out targetPID, // retrieve the newly created process ID
                        regChannelName // the parameters to pass into injected library
                                       // ...
                    );
99bobster99
@99bobster99
Never mind, I got it to work out for me! I am a newbie at this and I just learned a great deal about "Set-ExecutionPolicy Unrestricted -Scope Process -Force" and "Update-Package -Reinstall"! Thank you for helping me out on my adventure. :)
Patricio Ferraggi
@Raagh
Is there a way to change the place where you drop the libraries? Unless I have them all in the root of my client application
it just fails on injection
even if I pass the address as a parameter
rgutherz
@rgutherz

Hi,

I'm using the latest EasyHook dll (32 and 64, v2.7.6789.0) and I'm hooking the WriteConsoleW API successfully on Windows 7. I'm using the same 64-bit dll on Windows 10 and my dll is injected successfully, but my hooked function is never called when running on Windows 10.
LhInstallHook returned successfully when hooking WriteConsoleW from kernel32.dll.
The process that I'm trying to hook is cmd.exe on Windows 10.
I debugged the process after my dll was injected and saw that the WindowsConsoleW entry does not contain the trampoline code to point to my WriteConsoleW function.

What can be the problem?
How can I debug it?

Any input on this would be appreciated!

Thanks,
Rony.

I'm using unmanaged code in c++
tostercx
@tostercx
Hey, I just read the tutorials, but I'm a bit confused. The ServerInterface stuff is compiled in the injectable dll but then it seems to be running in the host for the message output? Am I getting this right?
How would I go about getting the data back to the main process that did the injection?
I guess I could make a static list and poll it for data or?
tostercx
@tostercx
I must be missing something here...
tostercx
@tostercx
Wait.. so the interface can be made host-side?
https://github.com/EasyHook/EasyHook/blob/master/Examples/FileMon/Program.cs#L11
And then... the dll depends on the exe for it? O___O
What sorcery is this...
Ok, I think I found what I wanted
Justin Stenning
@spazzarama
The dll that is injected is connecting to the IPC channel that is created in the host. The example filemon is more confusing as it doesn’t have the interface separated into another assembly and then the injected code is referencing the exe as if it is an assembly (which in .net it is but still confusing :)
@tostercx above
direct3dhook project on GitHub provides a clearer example if you want to check another one - also it uses a bi-directional IPC setup
tostercx
@tostercx
Thanks, will do :)
Justin Stenning
@spazzarama
@Raagh there is a path setting in Config, but I can’t remember if that is something that can be changed by you or needs a recompile.
nyxojaele
@nyxojaele
I wrote an application that's designed to hook another at startup, and attempt to properly unhook when the app window is closed. Using Process Explorer, I can see a variety of DLLs (including my payload DLL) get loaded into the target process as expected, however when closing the app window, I see a lot, but not ALL, of those DLLs get unloaded. I still see EasyHook32.dll, and EasyLoad32.dll (twice for some reason), listed as loaded into the target process. Am I not disconnecting/unloading correctly, or is this a limitation of EasyHook?
BiatuAutMiahn
@BiatuAutMiahn
I'm having trouble installing multiple hooks in C++. CreateFile works, but none of the registry functions seem to work
Franco Miceli
@fmiceli24
Hi. I am having an issue where the NativeInjectionEntryPoint is being called after many DLLs are loaded by the program. Is there a way to inject my hooks before any other DLL gets loaded? I have already tested this with CreateProcess(CREATE_SUSPENDED) -> RhInjectLibrary() -> ResumeThread() and also with RhCreateAndInject() -> RhWakeUpProcess(). But the other DLLs get loaded before and cannot intervene them. Is there a way I can hook the process by being the first DLL loaded/injected? Thanks!
Franco Miceli
@fmiceli24
I have checked this behavior both with APIMonitor and ProcessMonitor
Justin Stenning
@spazzarama
@fmiceli24 I’ve replied to your issue, basically that is what RhCreateAndInject is for. When and where do you call RhWakeUpProcess?
Franco Miceli
@fmiceli24
I call RhWakeUpProcess right after all hooks are installed within NativeInjectionEntryPoint.
Icesythe7
@Icesythe7
doesn't look like anyone uses this but I'm trying to inject a C++ dll using C#, however I keep getting badimageformat
the dll injects and works fine with any public injector btw, even my own coded in C++
Justin Stenning
@spazzarama
@Icesythe7 you will need to use the native exports directly instead of the managed helper, otherwise it will assume a managed assembly
E.g
Ie RhInstallLibrary/Ex in NativeAPI namespace - check docs
@fmiceli24 and are you using RhCreateAndInject?
Icesythe7
@Icesythe7
@spazzarama I looked at them, yes, but the way it is set up it is hard to find stuff as it is just function names and no descriptions... I'm assuming ex from here http://easyhook.github.io/api/html/M_EasyHook_NativeAPI_RhInjectLibraryEx.htm stands for external? Also, what do the params expect? Since I don't need x86, can it be null? What's inpassthrubuffer? Can I load it as a byte array? I'm not sure what In wakeuptid is either
Justin Stenning
@spazzarama
@Icesythe7 take a look at the native remote hooking tutorial, yes just use null for 32-bit if not needed
Icesythe7
@Icesythe7
@spazzarama ah thank you, is there currently a way (in C# using EasyHook) to inject a dll as a byte array? Trying to store the dll as a byte array and just read a url and inject it
this way the user doesn't have to download a physical dll and have it in the correct folder, plus it will be simple to push updates etc
Icesythe7
@Icesythe7
ok clearly I'm too dumb to figure this out, can someone just post a C# example of how to simply inject a C++ dll because I can't figure it out
        NativeAPI.RhInjectLibraryEx(proc.Id, 0, 0, null, "path to dll", IntPtr.Zero, 0);
0 errors just does nothing
Franco Miceli
@fmiceli24
@spazzarama Hi. I tried both RhCreateAndInject, and CreateProcess(CREATE_SUSPENDED) -> RhInjectLibrary() -> ResumeThread() and also with RhCreateAndInject() -> RhWakeUpProcess(). None worked. I ended up changing the behavior of the program via alteration to the environment variables and registry keys at the moment of creation. Reverting back as soon as the alteration was successful.
@spazzarama Something that is happening now is that on Windows server 2019, some programs that were correctly injected on Windows 8 give the error 5 on RhInjectLibrary(). Any ideas what this error means?
Justin Stenning
@spazzarama
@Icesythe7 that code looks correct, do you have an EasyHook entrypoint defined in your native dll?
@fmiceli24 code 5 is usually access denied
@fmiceli24 someone posted recently in a github issue how they used WaitForIdle and then injected/resumed, perhaps that can help in your situation.
Icesythe7
@Icesythe7
@spazzarama idk what that is, I can use any injector like extreme injector and it works fine, I just wanna use C# to call load library basically
the dll is C++ and just creates a thread on process attach, I don't need the injector to call any functions, the dll handles itself, just literally simply need to inject it
Franco Miceli
@fmiceli24
@spazzarama I am not familiar with WaitForIdle in C++. I will investigate and check it out.
@spazzarama What does the access denied error code mean? Is it related to the user's permissions or to not being able to access the injection DLL?
Justin Stenning
@spazzarama
@fmiceli24 usually the access denied is from trying to allocate memory in the target process (some processes run in a limited security context etc).
Justin Stenning
@spazzarama
@Icesythe7 EasyHook is designed to run the exported entry point; it does try to free the library once the EasyHook entry point returns. If you don't provide it then it cannot block the freeing logic (i.e. you add a while loop with whatever exit logic you need). The remote native hooking example shows you an example. It sounds like you might be better served with one of the other libraries you mentioned that are specifically for injection (just create your own managed wrapper to call the native methods if you want to use it from .NET).
Franco Miceli
@fmiceli24
@spazzarama, I understand. The same process does not present this problem if run on Windows 8.1. It only happens on Windows 10 or Server 2019. Is there a way to specify the security context for a process at the moment of Creating it?