Justin Stenning
@spazzarama
@SasMaster1980_twitter worked fine for me with 10.0.15063.0, can you try that version (I don't have 10.0.16299.0 SDK installed yet)

@SasMaster1980_twitter I assume your native entry point looks something like:

extern "C" void __declspec(dllexport) __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo) {...

Michael IV
@SasMaster1980_twitter
Hmm, will try that version. Yeah, the hook entry point in my app looks like that.
Michael IV
@SasMaster1980_twitter
Well, weird stuff. Today I tried it again with 10.0.16299.0 and with 10.0.15063.0, and it worked OK. No idea what was wrong. I was messing with this issue yesterday for, like, 2 hours...
Shit
MechanicalPen
@MechanicalPen
I'm trying to use EasyHook .NET to hook a DLL. It works great except the function I am hooking takes a c++ std::string. I can't figure out how to even pass it back into the original function without it crashing. I tried void*, IntPtr. Any ideas?
MechanicalPen
@MechanicalPen
The original function is bool sf::SoundBuffer::loadFromFile ( const std::string & filename )
Justin Stenning
@spazzarama
@MechanicalPen what does your handler signature look like?
32-/64-bit?
MechanicalPen
@MechanicalPen

[UnmanagedFunctionPointer(CallingConvention.ThisCall, SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.Bool)]
unsafe delegate bool SmflAudio2_SoundBuffer_loadFromFile(void* filename);

32 bit.

MechanicalPen
@MechanicalPen
Here's the rest of the relevant code, in case it helps.

audioOpenFromFileAddress = LocalHook.GetProcAddress("sfml-audio-2.dll", "?openFromFile@InputSoundFile@sf@@QAE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z");
smfl_loadFromFile = Marshal.GetDelegateForFunctionPointer<SmflAudio2_SoundBuffer_loadFromFile>(audioOpenFromFileAddress);

unsafe bool SoundGetFromFileHook(void* filename) { return smfl_loadFromFile(filename); }
Justin Stenning
@spazzarama
@MechanicalPen try adding first param as IntPtr self as well (to store the this object). Filename can just be IntPtr also and no need for unsafe (unless you need it for another reason)
i.e.

[UnmanagedFunctionPointer(CallingConvention.ThisCall, SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.Bool)]
delegate bool SmflAudio2_SoundBuffer_loadFromFile(IntPtr self, IntPtr filename);
MechanicalPen
@MechanicalPen
@spazzarama Hey, that worked! So we need to store a pointer to the object when we hook a c++ object's method. (self points at the SoundBuffer in this case, correct?)
Justin Stenning
@spazzarama
@MechanicalPen correct
Jan Martin
@catmanjan
I'm having an issue hooking into the DoDragDrop event. If I return my own function it works in Firefox and IE, but for some reason I have to drag and drop twice to get Chromium-based browsers to accept my files - any ideas, anyone?
Justin Stenning
@spazzarama
Is it hitting your hook each time?
@catmanjan If you have a very simple hook handler with just a call to the original does it still display the same behaviour?
Jan Martin
@catmanjan
@spazzarama yeah, definitely. I believe the first drop is the original behavior - the issue is the original behavior of dropping from Outlook to Chrome is to reject the file, so it's hard to tell
it works fully in IE so I suspect a Chromium issue, but I can't prove it
simon dimitriadis
@simonides
Hi can anyone help me with a hooked VirtualAlloc issue? I described it in more detail on stackoverflow. https://stackoverflow.com/questions/47844170/hooked-virtualalloc-returns-nullptr-when-called-by-system-dlls
simon dimitriadis
@simonides
Hi, is there an easy way through easyhook to call a function in an already injected dll, from the injector's process?
Justin Stenning
@spazzarama
@simonides EasyHook doesn't provide an IPC framework itself. If managed, .NET provides a number of IPC mechanisms for you (remoting etc). If unmanaged, just google to research the various IPC approaches available to you.
simon dimitriadis
@simonides
Already using pipes, thought there could be an easy way in the lib :) Thank you.
Ari Seyhun
@Acidic9
Hello! Is EasyHook suited for memory hacking on Windows?
Justin Stenning
@spazzarama
@Acidic9 EasyHook does not provide any memory pattern search / patching tools. It does provide the ability to inject into a target.
simon dimitriadis
@simonides
Hi, I know how to hook VirtualAlloc but how would I hook operator new? Usual overwriting is not really an option.
Mateus Pimentel
@PimentelMateusw_twitter
Does anyone know if it's possible to hook native functions from a program? (not DLL functions)
I want to hook this function:
image.png
but this did not work yet:
image.png
Already disabled ASLR btw
image.png
Mateus Pimentel
@PimentelMateusw_twitter
@spazzarama
Mateus Pimentel
@PimentelMateusw_twitter
nvm it worked now
image.png
MechanicalPen
@MechanicalPen
Does anyone have any tips or tricks for accessing a C++ std::string from the C# EasyHook? I'm hooking a method that takes a filename as an argument.
Justin Stenning
@spazzarama
@MechanicalPen what do you need to do with the string? Just read?
@MechanicalPen I THINK in the past I have written a helper structure for dealing with std::string (can't seem to find the code at the moment), but basically you should be able to analyse the memory structure and grab the std::string IntPtr and read into your structure with the help of Marshal.PtrToStringAnsi
MechanicalPen
@MechanicalPen
Yep, I just need to read the string to figure out which file it's trying to load.
putertubbie
@putertubbie
Question: Will having one hooked function calling another hooked function (NtQueryVirtualMemory seems to be calling NtClose internally and I have hooked both) lead to the deadlock I'm seeing? If so, is this due to the "Thread Deadlock Barrier" and, if so, is there anything I can do to work around this? Thanks!
Justin Stenning
@spazzarama
@putertubbie not sure that it would cause a deadlock, you can add individual threadId's to the exclusion list at any time if you would like to exclude a specific hook. You can also call the original function bypassing the hook: see LocalHookTest.cs - e.g. (BeepDelegate)Marshal.GetDelegateForFunctionPointer(lh.HookBypassAddress, typeof(BeepDelegate));
putertubbie
@putertubbie
@spazzarama Thanks for the reply! In this case the function NtQueryVirtualMemory seems to be calling NtClose through the process IAT, ending up in the NtClose hook. I'm wondering if this could cause the TDB to deadlock?
ArunPrasad777
@ArunPrasad777

Facing the following error, when trying to hook a dll.

Exception thrown at 0x0015ED74 in Target.exe: 0xC0000005: Access Violation executing location 0x0015ED74.
If there is a handler for this exception, the program may be safely continued.

What could be the possible reasons for this Access Violation error?

pheber
@pheber
Hi, I'm having an issue with hooking some 64 bit apis which apparently have an unsupported far jump at the beginning. Is there any way around this limitation? Could EasyHook be extended (by whomever :)) to support this or is there some theoretical reason why supporting it would be infeasible?
pheber
@pheber
Completely unrelated I have another question: I have a function in ole32.dll (OleIsCurrentClipboard) which in turn calls another function (GetClipboardOwner) in user32.dll. I want to hook GetClipboardOwner and want the hook to also be called when OleIsCurrentClipboard calls it. API Monitor can hook and modify the underlying call, but when I create a LocalHook in EasyHook, it doesn't get called for the nested call to GetClipboardOwner from OleIsCurrentClipboard. Is there any way to achieve this with the current version of EasyHook?
qwdongecnu
@qwdongecnu
Hi, everyone. I have a C# WinForms program; I use a WebBrowser to load a webpage which in turn loads a SWF. I hook the recv/send functions in ws2_32.dll so that I can get the traffic from the Flash, but when the WebBrowser is refreshed, sometimes the hooked function doesn't work. This only occurs randomly on different machines. Does anyone know how to fix it? Many thanks.
Tennn
@stonedreamforest
@qwdongecnu because a webpage a process