Mateus Pimentel
@PimentelMateusw_twitter
Already disabled ASLR btw
Mateus Pimentel
@PimentelMateusw_twitter
@spazzarama
Mateus Pimentel
@PimentelMateusw_twitter
nvm it worked now
MechanicalPen
@MechanicalPen
Does anyone have any tips or tricks for accessing a C++ std::string from the C# EasyHook? I'm hooking a method that takes a filename as an argument.
Justin Stenning
@spazzarama
@MechanicalPen what do you need to do with the string? Just read?
@MechanicalPen I THINK in the past I have written a helper structure for dealing with std::string (can't seem to find the code at the moment), but basically you should be able to analyse the memory structure and grab the std::string IntPtr and read into your structure with the help of Marshal.PtrToStringAnsi
MechanicalPen
@MechanicalPen
Yep, I just need to read the string to figure out which file it's trying to load.
putertubbie
@putertubbie
Question: Will having one hooked function calling another hooked function (NtQueryVirtualMemory seems to be calling NtClose internally and I have hooked both) lead to the deadlock I'm seeing? If so, is this due to the "Thread Deadlock Barrier" and, if so, is there anything I can do to work around this? Thanks!
Justin Stenning
@spazzarama
@putertubbie not sure that it would cause a deadlock, you can add individual threadId's to the exclusion list at any time if you would like to exclude a specific hook. You can also call the original function bypassing the hook: see LocalHookTest.cs - e.g. (BeepDelegate)Marshal.GetDelegateForFunctionPointer(lh.HookBypassAddress, typeof(BeepDelegate));
putertubbie
@putertubbie
@spazzarama Thanks for the reply! In this case the function NtQueryVirtualMemory seems to be calling NtClose through the process IAT, ending up in the NtClose hook. I'm wondering if this could cause the TDB to deadlock?
ArunPrasad777
@ArunPrasad777

Facing the following error, when trying to hook a dll.

Exception thrown at 0x0015ED74 in Target.exe: 0xC0000005: Access Violation executing location 0x0015ED74.
If there is a handler for this exception, the program may be safely continued.

What could be the possible reasons for this Access Violation error?

pheber
@pheber
Hi, I'm having an issue with hooking some 64-bit APIs which apparently have an unsupported far jump at the beginning. Is there any way around this limitation? Could EasyHook be extended (by whomever :)) to support this or is there some theoretical reason why supporting it would be infeasible?
pheber
@pheber
Completely unrelated I have another question: I have a function in ole32.dll (OleIsCurrentClipboard) which in turn calls another function (GetClipboardOwner) in user32.dll. I want to hook GetClipboardOwner and want the hook to also be called when OleIsCurrentClipboard calls it. API Monitor can hook and modify the underlying call, but when I create a LocalHook in EasyHook, it doesn't get called for the nested call to GetClipboardOwner from OleIsCurrentClipboard. Is there any way to achieve this with the current version of EasyHook?
qwdongecnu
@qwdongecnu
Hi, everyone. I have a C# WinForms program; I use a WebBrowser to load a webpage which in turn loads a SWF. I hook the recv/send functions in ws2_32.dll so that I can get the traffic from the Flash, but when the WebBrowser is refreshed, sometimes the hooked function doesn't work. This only occurs randomly on different machines. Does anyone know how to fix it? Many thanks.
Tennn
@stonedreamforest
@qwdongecnu because a webpage is a process
Justin Stenning
@spazzarama

> What could be the possible reasons for this Access Violation error?

@ArunPrasad777 the most common cause is an incorrect method signature or calling convention for your hook handler / delegate.

> Hi, I'm having an issue with hooking some 64-bit APIs which apparently have an unsupported far jump at the beginning. Is there any way around this limitation? Could EasyHook be extended (by whomever :)) to support this or is there some theoretical reason why supporting it would be infeasible?

@pheber yes it should be possible to extend EasyHook to support this, feel free to raise a feature request.

> Completely unrelated I have another question: I have a function in ole32.dll (OleIsCurrentClipboard) which in turn calls another function (GetClipboardOwner) in user32.dll. I want to hook GetClipboardOwner and want the hook to also be called when OleIsCurrentClipboard calls it. API Monitor can hook and modify the underlying call, but when I create a LocalHook in EasyHook, it doesn't get called for the nested call to GetClipboardOwner from OleIsCurrentClipboard. Is there any way to achieve this with the current version of EasyHook?

@pheber what thread ACL do you have setup? I don't see any reason why your scenario wouldn't be supported by EasyHook.

devellysian
@devellysian
hi all, would it be possible to call easyhook from rust?
Justin Stenning
@spazzarama
@devellysian Rust the game? Do you mean would it be possible to use EasyHook to inject and hook into Rust? I haven't tried, injection would depend on whether there are any memory injection protections in place that prevent it. Once injected it should all work correctly.
Philip Heber
@pheber16_twitter

> @pheber what thread ACL do you have setup? I don't see any reason why your scenario wouldn't be supported by EasyHook.

We have an inclusive ACL for the current thread (SetInclusiveACL(new[] {0})) as API Monitor tells me the nested call is happening on the same thread. Is there anything else that might be wrong with my configuration or could API Monitor be wrong?

Patricio Ferraggi
@Raagh
Is it possible to use EasyHook on a .NET Standard library?
Patricio Ferraggi
@Raagh
Second question: can I pass an object to the class that we use as the interface between the DLL and the app? I want to make communication be hidden behind an interface so it can't be used from different clients,
which lets me keep a common instance for two-sided communication and also pass a different interface from each client so that the communication is done differently if it's from a console, web service or WPF app.
Michael Wegge
@Firedragonweb
Hey there :) Just a quick question: Would it be possible to publish a new NuGet version anytime soon-ish that contains #247? We need that functionality and we would rather not switch to our own fork temporarily if possible :)
Justin Stenning
@spazzarama
@Raagh thanks for sharing - might be worth incorporating that into the EasyHook release to make that a bit easier
Justin Stenning
@spazzarama
@Firedragonweb I've merged into develop branch. I am busy until next week - will look at doing a build then.
Nikolaj Mariager
@TinkerWorX
What's the best way to debug an "Unknown error in injected assembler code."? It keeps giving random error codes. I wonder if there's some protection going on: 200209739, 161730857, 100720827
Justin Stenning
@spazzarama
@TinkerWorX does this happen during injection only?
@Raagh I'm looking at that stackoverflow question+answer and I don't see how that differs from just specifying the channelName and allowed client SIDs while passing in the ipcInterface instance.
Justin Stenning
@spazzarama
@Firedragonweb I'm testing the far jump changes for #247 at the moment. Although the changes work in this scenario, I'm not convinced yet that this is a "safe" default behaviour. I'm having a think about enabling an "allow all jumps" flag that allows you to deliberately ignore these conditions under known circumstances.
Justin Stenning
@spazzarama
Since it won't impact existing hooks I'll release the change as-is.
Justin Stenning
@spazzarama
@Firedragonweb that's been released on NuGet
Nikolaj Mariager
@TinkerWorX
@spazzarama Yeah, during injection. I have the simplest code to test it to avoid any other factors.
Justin Stenning
@spazzarama
@TinkerWorX unknown error in assembler code usually refers to something not working with the code that is injected into the target process. This is a real pain to step through with the debugger; basically you have the target debugged and the host. The starting point is in the host at thread.c line 1292 WriteProcessMemory(hProc, RemoteInjectCode, GetInjectionPtr(), ...). The location is "RemoteInjectCode", so find that location within the target process and open the disassembler and add a break point. That code will be executed by a later call to NtCreateThreadEx.
The remote thread probably is failing to be created...
The ASM that is injected is returned by GetInjectionPtr() - returning either Injection_ASM_x64 or Injection_ASM_x86.
Justin Stenning
@spazzarama
@TinkerWorX take a look at this ASM code in HookSpecific_x64/x86.asm. If it is getting as far as running this code then one of the calls in here is probably failing (in the target process - so you will have to have the disassembler window open, and pointing to the correct address from RemoteInjectCode with a break point).
Nikolaj Mariager
@TinkerWorX
@spazzarama Thanks, I'll see if I can figure it out. Do you think my suspicion of some protection happening could be true?
Justin Stenning
@spazzarama
@TinkerWorX yeah it could be - usually protection will take the form of either allocating memory in the target failing, or LoadLibrary within the ASM code failing.
suncodeer
@suncodeer
Hi everyone, I am new to EasyHook
suncodeer
@suncodeer
anybody online?
suncodeer
@suncodeer
anybody online?
Justin Stenning
@spazzarama
Welcome @suncodeer
Just ask questions here if you need to. End of day for me so goodnight
suncodeer
@suncodeer
anybody online?
suncodeer
@suncodeer
Could you please help me with the problem in the issue "after hook com & Iexplorer.exe crash"