#1
WIN32 API hooking for .NET applications?
I have a .NET application that calls some native APIs via DllImport (including APIs in system DLLs like user32.dll). I do not have the ability to recompile (or modify) this .NET application. Is there a way I can hook these native APIs somehow? (i.e., intercept the user32 calls, do some stuff and then call the original user32 function)
Some of the calls I want to intercept are being made by the application itself (and DLLs that are alongside it) and some are being made by .NET runtime components.
#2
I did that for a .NET app several months ago.
There may be some mature .NET hooking lib which can do this. Here is my way of loading-and-doing-native-hooking for a .NET app. I call it the debugger way. Use the Win32 debug API to launch the .NET exe and monitor for the following events:
1. DLL loading event for mscoree.dll. When hit, patch the mscoree.dll entrypoint with "int 3" (sure, you can use a hardware breakpoint instead).
2. Breakpoint event for the above addr. When hit, do remote injection (allocate remote memory, prepare some position-independent shellcode and write it to the allocated remote memory, use SetThreadContext to change EIP/RIP to the shellcode). The shellcode has the info (prepared by the debugger process) to restore the "int 3" of mscoree.dll and jump to the entrypoint of mscoree.dll after loading your own DLL (for your hooking).
The main difference between "native hooking of a .NET app" and "hooking of a native app" is that the entrypoint of a .NET exe is never executed on newer Windows OS versions. It's just a fake entrypoint. The actual entrypoint is in mscoree.dll.
__________________
AKA Solomon/blowfish.
#3
As it happens, my target loads a native code DLL file in the app before it makes the API calls I am interested in. So what I have been able to do is to make a DLL that has the same exports as the real native DLL it's loading, but forwarded to the real DLL, and then modify a copy of my target to load that DLL instead of the real one.
Now I can add whatever code to the DllMain of my fake DLL that I want (hooking via some off-the-shelf hooking library included).
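Both approaches in this thread start from the same PE header data: the debugger way in post #2 needs the AddressOfEntryPoint of mscoree.dll (added to the load base that LOAD_DLL_DEBUG_EVENT reports) to know where to write the int 3, and the proxy DLL in post #3 needs the export table of the real DLL to produce one forwarding export per function. The script below is an added example, not code from either poster: it parses the few PE structures involved with nothing but the standard library, lists exports including forwarders, emits the MSVC `/export:name=module.name,@ordinal` linker directives for the stand-in DLL, and computes the breakpoint address. The PE image it parses is constructed inline (a minimal PE32+ with a fake export directory, names `Alpha`, `Beta`, `Gamma`, `fake.dll`, and module name `fake_real` are all made-up test data); point `list_exports` at the bytes of a real DLL to use it for real.

```python
import struct
from collections import namedtuple

Export = namedtuple("Export", "name ordinal rva forwarder")

# --- constructed test data: a minimal PE32+ image with one section and an export table ---
SAMPLE_EXPORTS = [("Alpha", 0x1500), ("Beta", 0x1600), ("Gamma", "NTDLL.RealGamma")]

def build_sample_pe(dll_name, exports, entry_rva):
    """Not a real DLL: just enough header for the parser below to work on."""
    sec_rva, sec_raw, n = 0x1000, 0x400, len(exports)
    off_funcs, off_names, off_ords, off_str = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings = bytearray()

    def add_str(s):                                   # append a C string, return its RVA
        rva = sec_rva + off_str + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name_rva = add_str(dll_name)
    name_rvas = [add_str(name) for name, _ in exports]
    # A forwarder is an export whose RVA points at a "MODULE.func" string that lives
    # inside the export directory itself; a normal export points at code elsewhere.
    func_rvas = [add_str(t) if isinstance(t, str) else t for _, t in exports]
    exp_size = off_str + len(strings)
    section = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                                    sec_rva + off_funcs, sec_rva + off_names, sec_rva + off_ords))
    section += struct.pack("<%dI" % n, *func_rvas)
    section += struct.pack("<%dI" % n, *name_rvas)
    section += struct.pack("<%dH" % n, *range(n))
    section += strings

    opt = bytearray(240)                              # PE32+ optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)      # ImageBase
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, exp_size)   # DataDirectory[0] = export
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", 0x1000, sec_rva, len(section), sec_raw,
                       0, 0, 0, 0, 0x40000040)
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    image = dos + b"PE\0\0" + coff + opt + sect
    return bytes(image.ljust(sec_raw, b"\0") + section)

def sample_image():
    return build_sample_pe("fake.dll", SAMPLE_EXPORTS, entry_rva=0x1500)

# --- the parsing a debugger / proxy generator actually needs ---
def parse_pe(data):
    """Entry point RVA, export data directory and section table (for RVA -> file offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dd = opt + (112 if magic == 0x20B else 96)         # DataDirectory offset differs PE32/PE32+
    export_dir = struct.unpack_from("<II", data, dd)
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), raw))
    return {"entry_rva": entry_rva, "export_dir": export_dir, "sections": sections}

def rva_to_off(sections, rva):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def list_exports(data):
    """Walk the export directory of a DLL on disk (what the proxy DLL must re-export)."""
    pe = parse_pe(data)
    exp_rva, exp_size = pe["export_dir"]
    if exp_rva == 0:
        return []
    secs = pe["sections"]
    base, nfunc, nname, af, an, ao = struct.unpack_from("<IIIIII", data, rva_to_off(secs, exp_rva) + 16)
    funcs = struct.unpack_from("<%dI" % nfunc, data, rva_to_off(secs, af))
    names = struct.unpack_from("<%dI" % nname, data, rva_to_off(secs, an))
    ords = struct.unpack_from("<%dH" % nname, data, rva_to_off(secs, ao))
    out = []
    for name_rva, idx in zip(names, ords):
        frva = funcs[idx]
        fwd = cstr(data, rva_to_off(secs, frva)) if exp_rva <= frva < exp_rva + exp_size else None
        out.append(Export(cstr(data, rva_to_off(secs, name_rva)), base + idx, frva, fwd))
    return out

def proxy_directives(exports, real_module):
    """MSVC linker directives for the stand-in DLL: every export forwarded, by name and
    ordinal, to the real DLL (renamed to real_module so both can coexist). Exports the
    real DLL itself forwards still resolve, since the loader follows the chain."""
    return ['#pragma comment(linker, "/export:%s=%s.%s,@%d")' % (e.name, real_module, e.name, e.ordinal)
            for e in exports]

def entry_breakpoint_address(data, load_base):
    """Where the debugger writes 0xCC once LOAD_DLL_DEBUG_EVENT reports the DLL at load_base."""
    return load_base + parse_pe(data)["entry_rva"]

if __name__ == "__main__":
    img = sample_image()
    for e in list_exports(img):
        print(e)
    print("\n".join(proxy_directives(list_exports(img), "fake_real")))
    print(hex(entry_breakpoint_address(img, 0x7FF800000000)))
```

Two practical caveats the parser surfaces: ordinal-only exports (NumberOfFunctions larger than NumberOfNames) are skipped here and would need a `,@ordinal,NONAME` directive, and a forwarder's RVA lands inside the export directory rather than in code, so a generator that blindly treats every RVA as a function address will miss them.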