代码比较简单,就不做注释了。 包含一个sockethookinject.DLL 和sockethook.exe
有一点不清楚,
SetExclusiveACL可以添加当前线程的hook, 但是easyhook如何 detach dll 并且释放hook呢? 知道的大神麻烦告知一下。
public class SocketInterFace : MarshalByRefObject
{
public delegate void LogArgsHander(BufferStruct argsbuffer);
public static event LogArgsHander logEvent;
public void IsInstalled(Int32 InClientPID)
{
Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
}
public void OnRecv(byte[] RecvBuffer, int LoginIndex, int LoginIndexEx)
{
BufferStruct BufferArgs = new BufferStruct();
BufferArgs.Buffer = RecvBuffer;
BufferArgs.BufferSize = RecvBuffer.Length;
BufferArgs.ObjectType = "recv";
OnLog(BufferArgs);
}
public void OnSend(byte[] RecvBuffer, int LoginIndex, int LoginIndexEx)
{
BufferStruct BufferArgs = new BufferStruct();
BufferArgs.Buffer = RecvBuffer;
BufferArgs.BufferSize = RecvBuffer.Length;
BufferArgs.ObjectType = "send";
OnLog(BufferArgs);
}
public void OnLog(string BufferArgs) { Console.WriteLine(BufferArgs); }
public void OnLog(BufferStruct buf)
{
if (logEvent!=null)
{
logEvent(buf);
}
}
public struct BufferStruct
{
/// <summary>
/// Socket指针
/// </summary>
public IntPtr sockHander;
/// <summary>
/// 封包数据
/// </summary>
public byte[] Buffer;
/// <summary>
/// 封包大小
/// </summary>
public int BufferSize;
/// <summary>
/// 封包动态序列
/// </summary>
public int[] LoginIdent;
/// <summary>
/// send recv
/// </summary>
public string ObjectType;
}
}
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
SocketInterFace.logEvent += new SocketInterFace.LogArgsHander(MainSend);
if (!EasyHook.RemoteHooking.IsAdministrator)
MessageBox.Show("请用管理员方式启动");
}
public void MainSend(socketHook.SocketInterFace.BufferStruct buff)
{
Console.WriteLine(string.Format("长度:{0} 类型:{2}\r\n 内容:{1}", buff.BufferSize, byteToHexStr(buff.Buffer, buff.BufferSize),buff.ObjectType));
}
public static string byteToHexStr(byte[] bytes, int byteLen)
{
string returnStr = "";
if (bytes != null)
{
for (int i = 0; i < byteLen; i++)
{
returnStr += bytes[i].ToString("X2");
}
}
return returnStr;
}
string ChannelName = null;
private void button1_Click(object sender, EventArgs e)
{
try
{
EasyHook.Config.Register(".net远程注入组建", "socketHook.exe", "sockethookinject.dll");
}
catch (Exception ex)
{
}
int id=Process.GetProcessesByName("SupARC").First().Id;
if (id != 0) {
EasyHook.RemoteHooking.IpcCreateServer<SocketInterFace>(ref ChannelName, System.Runtime.Remoting.WellKnownObjectMode.SingleCall);
EasyHook.RemoteHooking.Inject(id, "sockethookinject.dll", "sockethookinject.dll", ChannelName);
}
else
{
MessageBox.Show("ARC没有启动");
}
}
private void button2_Click(object sender, EventArgs e)
{
}
}
public class Main : IEntryPoint
{
SocketInterFace Interface;
Stack<String> Queue = new Stack<String>();
public Main(RemoteHooking.IContext InContext,string InChannelName)
{
Interface = RemoteHooking.IpcConnectClient<SocketInterFace>(InChannelName);
Interface.OnLog("初始化HOOK成功");
}
LocalHook RecvHook;
LocalHook SendHook;
int MyRecv(IntPtr socket, IntPtr buffer, int length, int flags)
{
int bytesCount = recv(socket, buffer, length, flags);
if (bytesCount>0)
{
byte[] RecvBuffer = new byte[bytesCount];
Marshal.Copy(buffer, RecvBuffer, 0, RecvBuffer.Length);
Interface.OnRecv(RecvBuffer, 0, 0);
}
return bytesCount;
}
int MySend(IntPtr socket, IntPtr buffer, int length, int flags)
{
int bytesCount = send(socket, buffer, length, flags);
if (bytesCount > 0)
{
byte[] RecvBuffer = new byte[bytesCount];
Marshal.Copy(buffer, RecvBuffer, 0, RecvBuffer.Length);
Interface.OnSend(RecvBuffer, 0, 0);
}
return bytesCount;
}
public void Run(RemoteHooking.IContext InContext,string InChannelName)
{
RecvHook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "recv"), new DRecv(MyRecv), this);
SendHook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "send"), new DSend(MySend), this);
SendHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
RecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
dwProHwnd = OpenProcess(PROCESS_ALL_ACCESS, 0, RemoteHooking.GetCurrentProcessId());
//EasyHook.RemoteHooking.WakeUpProcess();
while (true) { Thread.Sleep(500); }
}
[DllImport("kernel32.dll", EntryPoint = "OpenProcess")]
public static extern uint OpenProcess(uint dwDesiredAccess, int bInheritHandle, int dwProcessId);
public const uint PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF);
public const uint SYNCHRONIZE = 0x00100000;
public const uint STANDARD_RIGHTS_REQUIRED = 0x000F0000;
public uint dwProHwnd = 0;
[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
delegate int DRecv(IntPtr socket, IntPtr buffer, int length, int flags);
[DllImport("WS2_32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
static extern int recv(IntPtr socket, IntPtr buffer, int length, int flags);
[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
delegate int DSend(IntPtr socket, IntPtr buffer, int length, int flags);
[DllImport("WS2_32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
static extern int send(IntPtr socket, IntPtr buffer, int length, int flags);
}
时间: 2024-08-02 04:27:30