Exetools > General Discussion
#1  07-06-2020, 10:41  jonwil (VIP)
WIN32 API hooking for .NET applications?

I have a .NET application that calls some native APIs via DllImport (including APIs in system DLLs like user32.dll). I do not have the ability to recompile (or modify) this .NET application. Is there a way I can hook these native APIs somehow? (i.e. intercept the user32 calls, do some stuff and then call the original user32 function)
Some of the calls I want to intercept are being made by the application itself (and dlls that are alongside it) and some are being made by .NET runtime components.
#2  07-06-2020, 16:10  WhoCares
I did that for a .NET app several months ago.

There may be some mature .NET hooking lib which can do this.

Here is my way of loading and doing native hooking for a .NET app. I call it the debugger way.

Use the Win32 debug API to launch the .NET exe and monitor for the following events:

1. DLL loading event for mscoree.dll.

When hit, patch the mscoree.dll entry point with "int 3" (sure, you can use a hardware breakpoint instead).

2. Breakpoint event for the above address.

When hit, do remote injection (allocate remote memory, prepare some position-independent shellcode and write it to the allocated remote memory, use SetThreadContext to change EIP/RIP to the shellcode).
The shellcode has the info (prepared by the debugger process) to restore the "int 3" of mscoree.dll and jump to the entry point of mscoree.dll after loading your own DLL (for your hooking).

The main difference between "native hooking of a .NET app" and "hooking of a native app" is that the entry point of a .NET exe is never executed on newer Windows OSes. It's just a fake entry point. The actual entry point is in mscoree.dll.
__________________
AKA Solomon/blowfish.
#3  07-06-2020, 18:28  jonwil (VIP)
As it happens, my target loads a native code DLL file in the app before it makes the API calls I am interested in. So what I have been able to do is to make a DLL that has the same exports as the real native DLL it's loading, but forwarded to the real DLL, and then modify a copy of my target to load that DLL instead of the real one.

Now I can add whatever code I want to the DllMain of my fake DLL (hooking via some off-the-shelf hooking library included).
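Both approaches in this thread leave a footprint at a function entry point: the "int 3" written over the mscoree.dll entry point in #2, and the inline detour an off-the-shelf hooking library installs from the DllMain in #3. The following is an added example, not code from either poster, of the check a defender or a build/test pipeline would run to notice such patches: it compares the first bytes of each exported function as seen in a live process against the same bytes from the on-disk image and recognises the common trampoline and breakpoint patterns. Every export name, address and byte snapshot below is constructed for the example (they are not the real user32/mscoree prologues); in real use the live bytes would come from ReadProcessMemory and the reference bytes from the export table of the file on disk.

```python
"""Heuristic scan for patched function entry points (added example).

Given a snapshot of the first bytes of each exported function as seen in a
live process and the same bytes from the on-disk image, flag entries that
start with an inline-hook trampoline, a software breakpoint, or that simply
do not match the file. All sample data below is constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 16  # bytes compared per export (assumption: long enough to cover a trampoline)


@dataclass
class Finding:
    name: str              # export name
    kind: str              # int3 | jmp_rel32 | jmp_indirect | mov_jmp_rax | push_ret | mismatch
    target: Optional[int]  # resolved branch target where one can be computed
    note: str


def classify_prologue(code: bytes, addr: int) -> Optional[Tuple[str, Optional[int], str]]:
    """Return (kind, target, note) if `code`, located at virtual address `addr`,
    begins with a known trampoline or breakpoint pattern; otherwise None."""
    mask64 = (1 << 64) - 1
    if code[:1] == b"\xCC":                               # int 3 written over the first byte
        return ("int3", None, "software breakpoint at entry point")
    if code[:1] == b"\xE9" and len(code) >= 5:            # jmp rel32 (classic 5-byte detour)
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", (addr + 5 + rel) & mask64, "near jump to trampoline")
    if code[:2] == b"\xFF\x25" and len(code) >= 6:        # jmp [rip+disp32] on x64, jmp [abs32] on x86
        disp = struct.unpack_from("<i", code, 2)[0]
        return ("jmp_indirect", None, f"indirect jump through pointer at disp {disp:#x}")
    if code[:2] == b"\x48\xB8" and len(code) >= 12 and code[10:12] == b"\xFF\xE0":
        target = struct.unpack_from("<Q", code, 2)[0]     # mov rax, imm64 ; jmp rax
        return ("mov_jmp_rax", target, "absolute jump via rax")
    if code[:1] == b"\x68" and len(code) >= 6 and code[5:6] == b"\xC3":
        target = struct.unpack_from("<I", code, 1)[0]     # push imm32 ; ret
        return ("push_ret", target, "push/ret trampoline")
    return None


def scan_exports(live: Dict[str, Tuple[int, bytes]], ondisk: Dict[str, bytes]) -> List[Finding]:
    """Compare live entry bytes against the on-disk copy for every export.
    `live` maps name -> (virtual address, first bytes in memory);
    `ondisk` maps name -> first bytes of the same function in the file."""
    findings: List[Finding] = []
    for name, (addr, code) in live.items():
        hit = classify_prologue(code[:PROLOGUE_LEN], addr)
        if hit is not None:
            findings.append(Finding(name, hit[0], hit[1], hit[2]))
            continue
        ref = ondisk.get(name)
        if ref is None:
            continue                                      # nothing to compare against
        n = min(len(ref), len(code), PROLOGUE_LEN)
        if code[:n] != ref[:n]:
            findings.append(Finding(name, "mismatch", None, "entry bytes differ from on-disk image"))
    return findings


# ---- constructed sample data (not real prologues or addresses) ----------------
BASE = 0x7FF8_1234_0000  # pretend load address of the sampled module

ONDISK_SAMPLE: Dict[str, bytes] = {
    "MessageBoxW":       bytes.fromhex("4883ec384533db4c8d0d"),
    "GetWindowTextW":    bytes.fromhex("40534883ec20488bd9"),
    "_CorExeMain":       bytes.fromhex("4883ec28e8"),
    "SetWindowsHookExW": bytes.fromhex("4c8bdc49895b08"),
    "PeekMessageW":      bytes.fromhex("4883ec28"),
}

LIVE_SAMPLE: Dict[str, Tuple[int, bytes]] = {
    # detour library wrote a 5-byte near jmp over the prologue
    "MessageBoxW":       (BASE + 0x5000, b"\xE9" + struct.pack("<i", 0x1000) + b"\x90" * 11),
    # untouched function: identical to disk
    "GetWindowTextW":    (BASE + 0x6000, ONDISK_SAMPLE["GetWindowTextW"]),
    # debugger-style int 3 dropped on the runtime entry point
    "_CorExeMain":       (BASE + 0x100000, b"\xCC" + ONDISK_SAMPLE["_CorExeMain"][1:]),
    # indirect jump through an injected pointer slot
    "SetWindowsHookExW": (BASE + 0x7000, b"\xFF\x25" + struct.pack("<i", 0x0FF8) + b"\x90" * 10),
    # no recognised pattern, but bytes still differ from the file
    "PeekMessageW":      (BASE + 0x8000, b"\x90\x90" + ONDISK_SAMPLE["PeekMessageW"]),
}


if __name__ == "__main__":
    for f in scan_exports(LIVE_SAMPLE, ONDISK_SAMPLE):
        tgt = f"{f.target:#x}" if f.target is not None else "-"
        print(f"{f.name:<20} {f.kind:<13} target={tgt:<16} {f.note}")
```

The scan is deliberately conservative: a recognised pattern is reported with its kind and, where the encoding allows, the resolved target, while anything else that merely differs from the file is reported as a plain mismatch so that relocations, hot-patch padding or legitimate runtime fixups can be triaged separately rather than silently ignored.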