Acidical
@Acidical

I am attempting to hook a 32-bit test process with a 32-bit DLL and injector, just like in the native C++ beep tutorial, but I am getting the error code -1073741582 with the error "Unable to find the required native entry point in the given 32-bit library."

I have followed the tutorial exactly and clearly have the entry point defined in the DLL:

extern "C" void __declspec(dllexport) __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO * inRemoteInfo);

void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO *inRemoteInfo)
{
    ...etc
}

If I compile everything to 64-bit instead, and move the DLL path to the 64-bit library path argument in RhInjectLibrary, it is capable of injecting into a 64-bit process.
I don't see the reason why it is unable to find the entry point in the 32-bit version since I followed the tutorial exactly, and the exact same code works for 64-bit.
joedemax
@joedemax
Hi
With EasyHook, can I hook keys on a specific keyboard?
I'm using C#.
Ron Sigal
@ronsig_gitlab

Hi, I modified the BeepHook sample to hook CreateFileW & CreateFileA (as well as ReadFile & ReadFileEx). The call to RhInjectLibrary succeeds, but the new hooks never get called when the sample process opens & reads files.

Any idea why? (tried both 32 and 64 bit).

Justin Stenning
@spazzarama
@Acidical are you using the latest NuGet? The issue is probably related to what the export name ends up being in 32-bit, e.g. _NativeInjectionEntryPoint@4. Check the export name using one of the many DLL export tools out there.
Justin Stenning
@spazzarama
@joedemax no, you can simply use the SetWindowsHookEx Win32 API function for that (plenty of C# examples out there).
@ronsig_gitlab are you certain that the code you have written in Target.cpp actually results in calling those underlying APIs?
Justin Stenning
@spazzarama
@ronsig_gitlab I don't see anything obviously wrong with the code you sent through. One thing I would try is calling the API method CreateFileW directly and seeing if that gets intercepted. From there I would try it all within the same process to see if that works.
@ronsig_gitlab have you attempted debugging and setting break points in the hook handler?
Justin Stenning
@spazzarama
@Acidical to clarify, in 32-bit mode the native export is assumed to be _NativeInjectionEntryPoint@4 . I'm adding support for this to be changed in a .def EXPORTS section to NativeInjectionEntryPoint just in case.
Acidical
@Acidical
I have checked the 32-bit DLL's exports and it seems to be correct.
And I am using a version I built myself from the GitHub develop branch; I'll try rebuilding with your new commit and see if it fixes the issue.
Just read your commit and it does seem that would fix it, I'll build it now.
Justin Stenning
@spazzarama
@Acidical yeah, the develop branch had a bug that would have broken it.
Acidical
@Acidical
Confirmed working, thanks for the help.
Ron Sigal
@ronsig_gitlab
@spazzarama calling directly does get intercepted! Now to figure out what to hook in order to intercept such actions as ifstream "open" and "getline" commands. In general, how do I hook std methods?
Justin Stenning
@spazzarama
@ronsig_gitlab not sure sorry. My approach to dealing with needing to have reliable notification or IO is to write a file system filter driver. You could try hooking if you can get the address and know the calling convention, otherwise you could look at using something like API monitor to see if there is another API being used there somewhere that is suitable.
Ron Sigal
@ronsig_gitlab
@spazzarama Thanks! You've given me valuable info on how to proceed. Cheers!
Jana Mohn
@Qibbi
@spazzarama how long do you think a netcore3/netstandard2.1 version will take? Not being able to use unmanaged for generics is getting annoying :P
Justin Stenning
@spazzarama
@Qibbi The only incompatibility that I have identified so far is no .NET remoting. My plan is to remove any inbuilt IPC (use MMF or named pipes if something is still required internally), and provide examples using other IPC solutions. Removing reliance on .NET remoting actually won't be that hard. I just have to find the time :)
Habi Haris
@habi498
Hi, I want to hook the recv function of Winsock.
Is it possible?
Cristian Eriomenco
@cristian-eriomenco
@habi498 Check this post, but it's in Russian: https://habr.com/ru/post/259459/
jackwolail
@jackwolail
why
anyone here?
Joel Van Eenwyk
@joelvaneenwyk
Hm, the link works fine for me.
Sometimes there is downtime, so maybe in your region? https://www.githubstatus.com/
Joel Van Eenwyk
@joelvaneenwyk
@spazzarama, FYI, I'm back to the grind and re-looking at formatting C#/C++ and this issue: EasyHook/EasyHook#275
Justin Stenning
@spazzarama
@joelvaneenwyk welcome back!
michael7845
@michael7845
Appreciate the work you guys are doing on this library.
Impressive to see one 5 years old still getting updates.
Justin Stenning
@spazzarama
Cheers @michael7845, not as often as I would like tho :) Oh, and this was on CodePlex first; Christoph started it around 2005? and I started working on it in 2008.
michael7845
@michael7845
Wow, that's really old, gj for keeping it up dude.
Rasta Mouse
@rasta-mouse
Hi all. At the risk of sounding really dumb, is there any more literature or examples for using the EasyHook driver? I'm looking for something that can register a callback for PsSetCreateProcessNotifyRoutine and then load EasyHook's DLL.
Justin Stenning
@spazzarama
@rasta-mouse not really sorry, the driver is intended for kernel mode hooking, so probably not quite what you are after in that instance. People have certainly got it working but I don't support it as it is a fairly advanced topic within an already advanced topic. If you need a driver for the create process notify I would look at how to create a file system filter driver - this should give you the low level access you are after.
Rasta Mouse
@rasta-mouse
Cheers @spazzarama 👍
spacehamster
@spacehamster
Is it possible to get line numbers to show up in stack traces with C# remote hooks?
Justin Stenning
@spazzarama
@spacehamster there might be a pull request for that I think, from axios?? Can't remember exactly. I just have never got around to checking it out.
@spacehamster no pull request, this is the related issue: EasyHook/EasyHook#8
WENTION
@wention
Hi, I'm using SetWindowsHookEx to inject my DLL, and EasyHook to hook APIs. But sometimes it fails on LhInstallHook and shows me a dbgheap error.
Is it my fault?
Call Stack:
 EasyHook32.dll!542a3be6()    未知
 [下面的框架可能不正确和/或缺失,没有为 EasyHook32.dll 加载符号]    
 EasyHook32.dll!542a440d()    未知
 EasyHook32.dll!542a43aa()    未知
 EasyHook32.dll!542a6299()    未知
 EasyHook32.dll!5429e567()    未知
 EasyHook32.dll!5428dea9()    未知
 EasyHook32.dll!54290d32()    未知
 EasyHook32.dll!54291451()    未知
 KPHookDll.dll!doHook() 行 49    C++
 KPHookDll.dll!DllMain(HINSTANCE__ * hModule=0x544e0000, unsigned long ul_reason_for_call=1, void * lpReserved=0x00000000) 行 21    C++