RemoteHooking Class

Provides all things related to library injection, inter-process-communication (IPC) and helper routines for common remote tasks.
Inheritance Hierarchy
System.Object
  EasyHook.RemoteHooking

Namespace:  EasyHook
Assembly:  EasyHook (in EasyHook.dll) Version: 2.7.6684.0 (2.7.6684.0)
Syntax
public class RemoteHooking

The RemoteHooking type exposes the following members.

Properties
Name / Description
IsAdministrator (public, static)
  true if we are running with administrative privileges, false otherwise.
IsX64System (public, static)
  Returns true if the operating system is 64-Bit Windows, false otherwise.
Methods
Name / Description
CreateAndInject(String, String, Int32, String, String, Int32, Object) (public, static)
  Creates a new process which is started suspended until you call WakeUpProcess from within your injected library Run() method. This allows you to hook the target BEFORE any of its usual code is executed. In situations where a target has debugging and hook preventions, you will get a chance to block those mechanisms for example...
CreateAndInject(String, String, Int32, InjectionOptions, String, String, Int32, Object) (public, static)
  Creates a new process which is started suspended until you call WakeUpProcess from within your injected library Run() method. This allows you to hook the target BEFORE any of its usual code is executed. In situations where a target has debugging and hook preventions, you will get a chance to block those mechanisms for example...
Equals (public)
  Determines whether the specified Object is equal to the current Object. (Inherited from Object.)
ExecuteAsService<TClass> (public, static; has code example)
  Will execute the given static method under system privileges.
Finalize (protected)
  Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
GetCurrentProcessId (public, static)
  Returns the current native system process ID.
GetCurrentThreadId (public, static)
  Returns the current native system thread ID.
GetHashCode (public)
  Serves as a hash function for a particular type. (Inherited from Object.)
GetProcessIdentity (public, static)
  Returns the WindowsIdentity of the user the target process belongs to. You need PROCESS_QUERY_INFORMATION access to the target.
GetType (public)
  Gets the Type of the current instance. (Inherited from Object.)
Inject(Int32, String, String, Object) (public, static)
Inject(Int32, InjectionOptions, String, String, Object) (public, static)
  Injects the given user library into the target process. No memory leaks are left in the target, even if injection fails for unknown reasons.
InstallDriver (public, static)
  Loads the given driver into the kernel and immediately marks it for deletion. The installed driver will be registered with the service control manager under the InDriverName you specify. Please note that you should use IsX64System to find out which driver to load. Even if your process is running as 32-bit, this does not mean that the OS kernel is 32-bit!
InstallSupportDriver (public, static)
  Installs the EasyHook support driver. After this step you may use InstallDriver(String, String) to install your kernel mode hooking component.
IpcConnectClient<TRemoteObject> (public, static)
  Connects to a globally reachable, managed IPC port.
IpcCreateServer<TRemoteObject>(String, WellKnownObjectMode, WellKnownSidType) (public, static)
  Creates a globally reachable, managed IPC-Port.
IpcCreateServer<TRemoteObject>(String, WellKnownObjectMode, TRemoteObject, WellKnownSidType) (public, static)
  Creates a globally reachable, managed IPC-Port.
IsX64Process (public, static)
  Determines if the target process is 64-bit or not. This will work only if the current process has PROCESS_QUERY_INFORMATION access to the target.
MemberwiseClone (protected)
  Creates a shallow copy of the current Object. (Inherited from Object.)
ToString (public)
  Returns a string that represents the current object. (Inherited from Object.)
WakeUpProcess (public, static)
Remarks
The following demonstrates how to use RemoteHooking and Config:
using System;
using System.Collections.Generic;
using System.Runtime.Remoting;
using System.Text;
using System.IO;
using EasyHook;

namespace FileMon
{
    public class FileMonInterface : MarshalByRefObject
    {
        public void IsInstalled(Int32 InClientPID)
        {
            Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
        }

        public void OnCreateFile(Int32 InClientPID, String[] InFileNames)
        {
            for (int i = 0; i < InFileNames.Length; i++)
            {
                Console.WriteLine(InFileNames[i]);
            }
        }

        public void ReportException(Exception InInfo)
        {
            Console.WriteLine("The target process has reported an error:\r\n" + InInfo.ToString());
        }

        public void Ping()
        {
        }
    }

    class Program
    {
        static String ChannelName = null;

        static void Main(string[] args)
        {
            try
            {
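                // Register the host executable and the library to inject with EasyHook.
                Config.Register(
                    "A FileMon like demo application.",
                    "FileMon.exe",
                    "FileMonInject.dll");

                // Create the IPC server the injected library reports back to.
                // ChannelName is passed by reference and holds the channel name afterwards.
                RemoteHooking.IpcCreateServer<FileMonInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);

                // Inject into the process whose ID was given on the command line.
                // The library path is given twice (32-bit and 64-bit build);
                // ChannelName is handed through to the injected library.
                RemoteHooking.Inject(
                    Int32.Parse(args[0]),
                    "FileMonInject.dll",
                    "FileMonInject.dll",
                    ChannelName);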

                Console.ReadLine();
            }
            catch (Exception ExtInfo)
            {
                Console.WriteLine("There was an error while connecting to target:\r\n{0}", ExtInfo.ToString());
            }
        }
    }
}