EasyHook - Downloads

The reinvention of Windows API Hooking


EasyHook 2.7 Releases

EasyHook 2.7 brings support for .NET 4.0, Visual Studio 2013/2015 and no longer requires assemblies to be registered into the Global Assembly Cache (GAC) for remote injection (although GAC registration is still supported).

The EasyHook.IEntryPoint interface supports method overloads for the constructor and the Run() injection entry point. A matching constructor and Run() method pair must be defined for each overloaded set of parameters.

COM interfaces are now easier to hook with the EasyHook.COMClassInfo class that simplifies retrieval of method addresses from COM interfaces.

Please report any bugs in the issue tracker.

Note: before extracting the ZIP file you may need to "Unblock" it if downloaded using Internet Explorer. See http://stackoverflow.com/a/8268636/323899

NuGet Packages

EasyHook is available on NuGet for .NET projects and native unmanaged projects.

v2.7.6789.0 (August 03, 2018):

  • Allow far jumps to be modified in trampoline for x64 #243

v2.7.6684.0 (April 20, 2018):

  • x64 trampoline: ensure stack is 16 bytes aligned #214 and #234

v2.7.6682.0 (April 18, 2018):

  • Quoted the service path to avoid the path-with-spaces vulnerability (outlined in CVE-2005-1185, CVE-2005-2938 and CVE-2000-1128)
  • Rename CLIENT_ID struct to DBG_CLIENT_ID (fix build error on Windows SDK 10.0.16299.0) #225
  • NuGet support for VS2017 (v141) native C/C++ package #181
  • Allow EasyLoad library path to be specified within Config.HelperLibraryPath - only impacts managed remote hook #220

v2.7.6270.0 (March 02, 2017):

  • CreateAndInject now supports long command lines #84 / #170
  • RhCreateStealthRemoteThread now works for 64-bit targets #91 / #159
  • Added LhGetHookBypassAddress / LocalHook.HookBypassAddress to allow bypassing the hook and calling the original directly without having to be within the hook handler #155

v2.7.6035.0 (July 10, 2016):

  • MAX_HOOK_COUNT increased from 128 to 1024 - #105
  • CreateAndInject fixed to support injection across user sessions (provided appropriate privileges are present)
  • RhCreateStealthRemoteThread fixed for 32-bit (still fairly experimental) - #91
  • 64-bit driver now preserves RAX register for trampoline - #78

v2.7.5870.0 (January 27, 2016):

  • License changed to the MIT License
  • Loader reverts to using default AppDomain if a new AppDomain cannot be created. This works around an issue in the .NET Framework where if an executable uses a stack commit size larger than 0x3E000 bytes, creating a new app domain fails with an OutOfMemoryException resulting in an EasyHook code 15 error message. - #66
  • COMClassInfo now queries the correct interface when a Guid is specified - #46
  • Added missing X64_DRIVER define to 64bit driver project

v2.7.5726.0 (September 05, 2015):

  • Fixed bug where local Hook variable was not initialized correctly under certain circumstances - #38
  • Addressed all significant compiler warnings - #39
  • Fixed COMClassInfo XML documentation example and moved to EasyHook namespace
  • EasyHook driver projects now compile under Visual Studio 2013 with WDK 8.1 - #22

v2.7.5719.0 (August 27, 2015):

New: COM interfaces are now easier to hook with the EasyHook.COMClassInfo class that simplifies retrieval of method addresses from COM interfaces.

  • Fixed bug with CreateAndInject due to GetRemoteFuncAddress - #9, #7
  • Implemented COM hooking helper, to retrieve COM class method addresses - #10, see EasyHook.COMClassInfo
  • Fix potential infinite loop in LhInstallHook - #17
  • Post build now copies EasyHook32/64.lib correctly - #4
  • Exceptions during remote assembly loading are now included in exception message - #5
  • LhWaitForPendingRemovals can now timeout - #37

v2.7.5558.0 (March 21, 2015):

  • Fixed support for multiple injections in same target - NativeAPI.RhInjectLibrary hangs on injection of multiple libraries
  • Fixed CreateAndInject command line options.
  • Now builds in Visual Studio 2013.
  • The injected AppDomain will now remain until all assembly EntryPoints have exited.
  • Improved robustness of user assembly checking during injection
  • Unhandled .NET exceptions are now caught within CompleteManagedInjection for remote hooks

v2.7.5292.0 (June 28, 2014):

  • EasyHook crashing targets, RhInjectLibrary on Win7 64bit, 32bit process, 32bit injection dll + launcher application = problem - now determines the address of GetProcAddress etc by reading the remote process’ PE image
  • EasyHook was not unloaded when host is closed, Allow RemoteHook unloading - managed EasyHook.dll and user assemblies are now loaded into a new AppDomain which is then unloaded when the custom IEntryPoint Run method returns. A new assembly - EasyLoad32/64.dll - that makes use of managed DllExports provides a more stable .NET framework initialisation.
  • FileMon example updated to no longer require the GAC

v2.7.5159.0 (February 15, 2014):

  • Hooking of CreateFile fails on Win 8.1 x64, Compatibility With Windows Server 2012 And 8, Crashed Notepad in Win 8 64-bit, 2.7 FileMon crashes 64-bit processes, Do not work on Windows8 x64., relative mov in EntryPoint not handled - correctly relocates RIP addresses (64-bit). Windows 8/8.1 kernel32 APIs now all use RIP addressing when passing through to kernelbase.
  • Command-line arguments problem in RtlCreateSuspendedProcess - command line correctly passed through
  • Bug in RtlGetLastErrorString, RtlGetLastErrorString() returns empty string for invalidate parameter - fixed marshalling bug with RtlGetLastErrorString across managed boundary
  • Severe bug: LhWaitForPendingRemovals hangs forever - LhWaitForPendingRemovals endless loop under certain circumstances
  • Compiling 2.7 on VS 2012 fails with some issues - support for VS2012
  • Host process crashes when unloading hooks - fixed crashes when unloading 64-bit hooks. This also fixes the crash within the ProcessMonitor sample.

v2.7.4761.0 (January 13, 2013):

  • .Net 4.0 / Visual Studio 2010 - Implemented support for injection without using GAC registration or administrator privileges and added support for .NET 4.0 GAC interaction using managed GAC wrapper for InstallAssemblies/UninstallAssemblies
  • Eliminate GAC usage requirement - registration in the GAC is no longer a requirement to support injection
  • Memory leaks - fixed minor memory leak
  • Some programs hang during exit when hooked/EasyHook freezes terminating application - fixed target freezing when closing
  • Relocating entry point - added support for short unconditional jumps
  • Implement LhGetInstructionLength stub - implemented a new instruction length decoder (supports larger opcode set)
  • No GAC - passing complex object as inject parameter - support passing complex objects as parameters to EasyHook.IEntryPoint (even if not using GAC)
  • Support method overload in IEntryPoint - allows more flexibility when implementing EasyHook.IEntryPoint classes
  • Added build configurations for .NET 3.5 and .NET 4.0 allowing targeted builds for either framework version.
  • Added MSBuild script to build all configurations and prepare release packages
  • Build output path has been changed to ".\Build\Configuration\Platform\". E.g. ".\Build\netfx4-Debug\x64\"

Bug reports or questions

Reporting bugs is the only way to get them fixed and help other users of the library!

Please report issues and ask questions at: https://github.com/EasyHook/EasyHook/issues

Donations

Donations are greatly appreciated. If you find EasyHook useful, or are feeling generous and would like to make a donation to this project, we accept donations via PayPal :)