Justin Stenning
@spazzarama
@catmanjan If you have a very simple hook handler with just a call to the original does it still display the same behaviour?
Jan Martin
@catmanjan
@spazzarama yeah definitely, I believe the first drop is the original behavior - the issue is the original behavior of dropping from Outlook to Chrome is to reject the file so it's hard to tell
it works fully in IE so I suspect a Chromium issue, but I can't prove it
simon dimitriadis
@simonides
Hi can anyone help me with a hooked VirtualAlloc issue? I described it in more detail on stackoverflow. https://stackoverflow.com/questions/47844170/hooked-virtualalloc-returns-nullptr-when-called-by-system-dlls
simon dimitriadis
@simonides
Hi, is there an easy way through easyhook to call a function in an already injected dll, from the injector's process?
Justin Stenning
@spazzarama
@simonides EasyHook doesn't provide an IPC framework itself. If managed, .NET provides a number of IPC mechanisms for you (remoting etc). If unmanaged, just google to research the various IPC approaches available to you.
simon dimitriadis
@simonides
Already using pipes, thought there could be an easy way in the lib :) Thank you.
Ari Seyhun
@Acidic9
Hello! Is EasyHook suited for memory hacking on Windows?
Justin Stenning
@spazzarama
@Acidic9 EasyHook does not provide any memory pattern search / patching tools. It does provide the ability to inject into a target.
simon dimitriadis
@simonides
Hi, I know how to hook VirtualAlloc but how would I hook operator new? Usual overwriting is not really an option.
Mateus Pimentel
@PimentelMateusw_twitter
Does anyone know if it's possible to hook native functions from a program? (not DLL functions)
I want to hook this function:
image.png
but this did not work yet:
image.png
Already disabled ASLR btw
image.png
Mateus Pimentel
@PimentelMateusw_twitter
@spazzarama
Mateus Pimentel
@PimentelMateusw_twitter
nvm it worked now
image.png
MechanicalPen
@MechanicalPen
Does anyone have any tips or tricks for accessing a C++ std::string from the C# EasyHook? I'm hooking a method that takes a filename as an argument.
Justin Stenning
@spazzarama
@MechanicalPen what do you need to do with the string? Just read?
@MechanicalPen I THINK in the past I have written a helper structure for dealing with std::string (can't seem to find the code at the moment), but basically you should be able to analyse the memory structure and grab the std::string IntPtr and read into your structure with the help of Marshal.PtrToStringAnsi
MechanicalPen
@MechanicalPen
Yep, I just need to read the string to figure out which file it's trying to load.
putertubbie
@putertubbie
Question: Will having one hooked function calling another hooked function (NtQueryVirtualMemory seems to be calling NtClose internally and I have hooked both) lead to the deadlock I'm seeing? If so, is this due to the "Thread Deadlock Barrier" and, if so, is there anything I can do to work around this? Thanks!
Justin Stenning
@spazzarama
@putertubbie not sure that it would cause a deadlock, you can add individual threadId's to the exclusion list at any time if you would like to exclude a specific hook. You can also call the original function bypassing the hook: see LocalHookTest.cs - e.g. (BeepDelegate)Marshal.GetDelegateForFunctionPointer(lh.HookBypassAddress, typeof(BeepDelegate));
putertubbie
@putertubbie
@spazzarama Thanks for the reply! In this case the function NtQueryVirtualMemory seems to be calling NtClose through the process IAT, ending up in the NtClose hook. I'm wondering if this could cause the TDB to deadlock?
ArunPrasad777
@ArunPrasad777

Facing the following error, when trying to hook a dll.

Exception thrown at 0x0015ED74 in Target.exe: 0xC0000005: Access Violation executing location 0x0015ED74.
If there is a handler for this exception, the program may be safely continued.

What could be the possible reasons for this Access Violation error?

pheber
@pheber
Hi, I'm having an issue with hooking some 64 bit apis which apparently have an unsupported far jump at the beginning. Is there any way around this limitation? Could EasyHook be extended (by whomever :)) to support this or is there some theoretical reason why supporting it would be infeasible?
pheber
@pheber
Completely unrelated I have another question: I have a function in ole32.dll (OleIsCurrentClipboard) which in turn calls another function (GetClipboardOwner) in user32.dll. I want to hook GetClipboardOwner and want the hook to also be called when OleIsCurrentClipboard calls it. API Monitor can hook and modify the underlying call, but when I create a LocalHook in EasyHook, it doesn't get called for the nested call to GetClipboardOwner from OleIsCurrentClipboard. Is there any way to achieve this with the current version of EasyHook?
qwdongecnu
@qwdongecnu
Hi, everyone. I have a C# WinForms program, I use WebBrowser to load a webpage which in turn loads a SWF. I hook the recv/send functions in ws2_32.dll so that I can get the traffic by the Flash, but when the WebBrowser is refreshed, sometimes the hooked function doesn't work. This only occurs randomly on different machines. Does anyone know how to fix it? Many thanks.
Tennn
@stonedreamforest
@qwdongecnu because a webpage is a process
Justin Stenning
@spazzarama

> What could be the possible reasons for this Access Violation error?

@ArunPrasad777 the most common cause is an incorrect method signature or calling convention for your hook handler / delegate.

> Hi, I'm having an issue with hooking some 64 bit apis which apparently have an unsupported far jump at the beginning. Is there any way around this limitation? Could EasyHook be extended (by whomever :)) to support this or is there some theoretical reason why supporting it would be infeasible?

@pheber yes it should be possible to extend EasyHook to support this, feel free to raise a feature request.

> Completely unrelated I have another question: I have a function in ole32.dll (OleIsCurrentClipboard) which in turn calls another function (GetClipboardOwner) in user32.dll. I want to hook GetClipboardOwner and want the hook to also be called when OleIsCurrentClipboard calls it. API Monitor can hook and modify the underlying call, but when I create a LocalHook in EasyHook, it doesn't get called for the nested call to GetClipboardOwner from OleIsCurrentClipboard. Is there any way to achieve this with the current version of EasyHook?

@pheber what thread ACL do you have setup? I don't see any reason why your scenario wouldn't be supported by EasyHook.

devellysian
@devellysian
hi all, would it be possible to call easyhook from rust?
Justin Stenning
@spazzarama
@devellysian Rust the game? Do you mean would it be possible to use EasyHook to inject and hook into Rust? I haven't tried, injection would depend on whether there are any memory injection protections in place that prevent it. Once injected it should all work correctly.
Philip Heber
@pheber16_twitter

> @pheber what thread ACL do you have setup? I don't see any reason why your scenario wouldn't be supported by EasyHook.

We have an inclusive ACL for the current thread (SetInclusiveACL(new[] {0})) as API Monitor tells me the nested call is happening on the same thread. Is there anything else that might be wrong with my configuration or could API Monitor be wrong?

Patricio Ferraggi
@Raagh
Is it possible to use easyhook on .net standard library?
Patricio Ferraggi
@Raagh
Second question. Can I pass an object to the class that we use as interface between the dll and the app? I want to make communication be hidden behind an interface so it can't be used from different clients
which lets me keep a common instance for 2 sides communication and also pass a different interface from each client so that the communication is done differently if it's from a console, web service or WPF app.
Michael Wegge
@Firedragonweb
Hey there :) Just a quick question: Would it be possible to publish a new nuget version anytime soon-ish, that contains #247 ? We need that functionality and we would rather not switch to our own fork temporarily if possible :)
Justin Stenning
@spazzarama
@Raagh thanks for sharing - might be worth incorporating that into the EasyHook release to make that a bit easier
Justin Stenning
@spazzarama
@Firedragonweb I've merged into develop branch. I am busy until next week - will look at doing a build then.
Nikolaj Mariager
@TinkerWorX
What's the best way to debug an "Unknown error in injected assembler code."? It keeps giving random error codes. I wonder if there's some protection going on: 200209739, 161730857, 100720827
Justin Stenning
@spazzarama
@TinkerWorX does this happen during injection only?
@Raagh I'm looking at that stackoverflow question+answer and I don't see how that differs from just specifying the channelName and allowed client SIDs while passing in the ipcInterface instance.
Justin Stenning
@spazzarama
@Firedragonweb I'm testing the far jump changes for #247 at the moment. Although the changes work in this scenario, I'm not convinced yet that this is a "safe" default behaviour. I'm having a think about enabling an "allow all jumps" flag that allows you to deliberately ignore these conditions under known circumstances.
Justin Stenning
@spazzarama
Since it won't impact existing hooks I'll release the change as-is.