
easyHOOK socket send recv

时间:2018-09-08 13:29:21


easyHOOK socket send recv

代码比较简单,就不做注释了。 包含一个sockethookinject.DLL 和sockethook.exe

有一点不清楚,

SetExclusiveACL可以添加当前线程的hook, 但是easyhook如何 detach dll 并且释放hook呢? 知道的大神麻烦告知一下。

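/// <summary>
/// Remoting object exposed by the monitoring host over the EasyHook IPC channel.
/// The injected library calls these methods to report hook installation and to
/// forward a copy of every buffer that went through the hooked send/recv.
/// </summary>
/// <remarks>
/// The host registers this type in SingleCall mode, so a new instance is created
/// for each remote call; that is why the log event is static.
/// Nothing in this class validates who is calling or what the buffers contain:
/// the payloads are raw socket data copied out of another process and should be
/// handled as untrusted and potentially sensitive (credentials, session tokens).
/// </remarks>
public class SocketInterFace : MarshalByRefObject
{
    /// <summary>Signature of the subscribers that receive captured buffers.</summary>
    public delegate void LogArgsHander(BufferStruct argsbuffer);

    /// <summary>Raised once for every buffer reported through OnRecv or OnSend.</summary>
    public static event LogArgsHander logEvent;

    /// <summary>Called by the injected library once its hooks are in place.</summary>
    /// <param name="InClientPID">Process id reported by the injected library.</param>
    public void IsInstalled(Int32 InClientPID)
    {
        Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
    }

    /// <summary>Reports a buffer returned by the hooked recv.</summary>
    /// <param name="RecvBuffer">Copy of the received bytes; null is reported as an empty buffer.</param>
    /// <param name="LoginIndex">Not used by this implementation.</param>
    /// <param name="LoginIndexEx">Not used by this implementation.</param>
    public void OnRecv(byte[] RecvBuffer, int LoginIndex, int LoginIndexEx)
    {
        Publish(RecvBuffer, "recv");
    }

    /// <summary>Reports a buffer passed to the hooked send.</summary>
    /// <param name="RecvBuffer">Copy of the sent bytes; null is reported as an empty buffer.</param>
    /// <param name="LoginIndex">Not used by this implementation.</param>
    /// <param name="LoginIndexEx">Not used by this implementation.</param>
    public void OnSend(byte[] RecvBuffer, int LoginIndex, int LoginIndexEx)
    {
        Publish(RecvBuffer, "send");
    }

    /// <summary>Writes a plain text message from the injected library to the console.</summary>
    public void OnLog(string BufferArgs) { Console.WriteLine(BufferArgs); }

    /// <summary>Forwards a captured buffer to every subscriber of <see cref="logEvent"/>.</summary>
    public void OnLog(BufferStruct buf)
    {
        // Remote calls can arrive on several threads at once. Reading the delegate
        // into a local first closes the window in which the last subscriber could
        // detach between the null check and the invocation.
        LogArgsHander subscribers = logEvent;
        if (subscribers != null)
        {
            subscribers(buf);
        }
    }

    // Shared body of OnRecv/OnSend: wraps the payload and raises the event.
    private void Publish(byte[] payload, string direction)
    {
        // A null payload used to throw NullReferenceException here, and that
        // exception would travel back over the channel into the hook handler.
        byte[] data = payload ?? new byte[0];

        BufferStruct packet = new BufferStruct();
        packet.Buffer = data;
        packet.BufferSize = data.Length;
        packet.ObjectType = direction;
        OnLog(packet);
    }

    /// <summary>One captured buffer together with its direction.</summary>
    public struct BufferStruct
    {
        /// <summary>
        /// Socket handle (never assigned by the code in this class).
        /// </summary>
        public IntPtr sockHander;
        /// <summary>
        /// Packet data.
        /// </summary>
        public byte[] Buffer;
        /// <summary>
        /// Packet size in bytes.
        /// </summary>
        public int BufferSize;
        /// <summary>
        /// Dynamic packet sequence (never assigned by the code in this class).
        /// </summary>
        public int[] LoginIdent;
        /// <summary>
        /// Direction of the packet: "send" or "recv".
        /// </summary>
        public string ObjectType;
    }
}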

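/// <summary>
/// Host window of the monitor: subscribes to the captured-buffer event, and on
/// button1 creates the IPC server and injects sockethookinject.dll into the
/// process named "SupARC".
/// </summary>
public partial class Form1 : Form
{
    /// <summary>
    /// Wires the log event to <see cref="MainSend"/> and tells the user when the
    /// program is not running elevated.
    /// </summary>
    public Form1()
    {
        InitializeComponent();
        SocketInterFace.logEvent += new SocketInterFace.LogArgsHander(MainSend);
        if (!EasyHook.RemoteHooking.IsAdministrator)
        {
            MessageBox.Show("请用管理员方式启动");
        }
    }

    /// <summary>Prints length, direction and a hex dump of one captured buffer.</summary>
    /// <remarks>
    /// The dump is the complete payload in clear text. Anything the target sends
    /// or receives unencrypted (credentials, tokens) ends up in this console
    /// output, so wherever it is redirected or stored needs the same protection
    /// as the traffic itself.
    /// </remarks>
    public void MainSend(socketHook.SocketInterFace.BufferStruct buff)
    {
        Console.WriteLine(string.Format("长度:{0} 类型:{2}\r\n 内容:{1}", buff.BufferSize, byteToHexStr(buff.Buffer, buff.BufferSize), buff.ObjectType));
    }

    /// <summary>Formats the first <paramref name="byteLen"/> bytes as upper-case hex without separators.</summary>
    /// <param name="bytes">Source bytes; null yields an empty string.</param>
    /// <param name="byteLen">Number of bytes to format; values beyond the array length are clamped.</param>
    /// <returns>Two hex digits per byte, or an empty string when there is nothing to format.</returns>
    public static string byteToHexStr(byte[] bytes, int byteLen)
    {
        if (bytes == null)
        {
            return "";
        }

        // The length comes from a separate field of the reported struct; clamping
        // keeps a mismatched value from indexing past the end of the array.
        int count = Math.Min(byteLen, bytes.Length);
        if (count <= 0)
        {
            return "";
        }

        // Single pass instead of repeated string concatenation; BitConverter emits
        // "AA-BB-CC", so dropping the dashes gives the same text as "X2" per byte.
        return BitConverter.ToString(bytes, 0, count).Replace("-", "");
    }

    // Name of the IPC channel; passed by ref to IpcCreateServer, then handed to the injected library.
    string ChannelName = null;

    /// <summary>Registers the assemblies with EasyHook, then injects into the first "SupARC" process.</summary>
    private void button1_Click(object sender, EventArgs e)
    {
        try
        {
            EasyHook.Config.Register(".net远程注入组建", "socketHook.exe", "sockethookinject.dll");
        }
        catch (Exception ex)
        {
            // Registration stays best-effort as before, but the failure is now
            // visible instead of being discarded.
            Console.WriteLine(ex);
        }

        Process[] candidates = Process.GetProcessesByName("SupARC");
        try
        {
            // First() threw InvalidOperationException when the target was not
            // running, so the "not started" message below could never be shown.
            Process target = candidates.FirstOrDefault();
            if (target == null)
            {
                MessageBox.Show("ARC没有启动");
                return;
            }

            EasyHook.RemoteHooking.IpcCreateServer<SocketInterFace>(ref ChannelName, System.Runtime.Remoting.WellKnownObjectMode.SingleCall);
            EasyHook.RemoteHooking.Inject(target.Id, "sockethookinject.dll", "sockethookinject.dll", ChannelName);
        }
        finally
        {
            // Process objects hold OS handles; release them once the id has been used.
            foreach (Process candidate in candidates)
            {
                candidate.Dispose();
            }
        }
    }

    // No behaviour attached yet.
    private void button2_Click(object sender, EventArgs e)
    {
    }
}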

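/// <summary>
/// Entry point that EasyHook instantiates inside the target process. It hooks
/// WS2_32!recv and WS2_32!send and forwards a copy of every successfully
/// transferred buffer to the host over the IPC channel.
/// </summary>
public class Main : IEntryPoint
{
    // Proxy to the host-side remoting object.
    SocketInterFace Interface;
    // Not used by any code in this class.
    Stack<String> Queue = new Stack<String>();
    // Set by a hook handler when reporting to the host fails; polled by Run.
    volatile bool hostUnreachable;

    /// <summary>Connects to the host's IPC channel and reports that initialisation succeeded.</summary>
    public Main(RemoteHooking.IContext InContext, string InChannelName)
    {
        Interface = RemoteHooking.IpcConnectClient<SocketInterFace>(InChannelName);
        Interface.OnLog("初始化HOOK成功");
    }

    LocalHook RecvHook;
    LocalHook SendHook;

    /// <summary>Replacement for recv: calls the real function, then reports what was received.</summary>
    int MyRecv(IntPtr socket, IntPtr buffer, int length, int flags)
    {
        int bytesCount = recv(socket, buffer, length, flags);
        if (bytesCount > 0)
        {
            Report(buffer, bytesCount, true);
        }
        return bytesCount;
    }

    /// <summary>Replacement for send: calls the real function, then reports what was sent.</summary>
    int MySend(IntPtr socket, IntPtr buffer, int length, int flags)
    {
        int bytesCount = send(socket, buffer, length, flags);
        if (bytesCount > 0)
        {
            Report(buffer, bytesCount, false);
        }
        return bytesCount;
    }

    // Copies count bytes out of the caller's buffer and hands them to the host.
    void Report(IntPtr buffer, int count, bool inbound)
    {
        try
        {
            byte[] copy = new byte[count];
            Marshal.Copy(buffer, copy, 0, copy.Length);
            if (inbound)
            {
                Interface.OnRecv(copy, 0, 0);
            }
            else
            {
                Interface.OnSend(copy, 0, 0);
            }
        }
        catch (Exception)
        {
            // This runs on the target's own threads, underneath its native call to
            // send/recv. An exception escaping from here (for example because the
            // host has exited and the channel is gone) would unwind into code that
            // does not expect it. There is nowhere left to log to, so only raise
            // the flag and let Run remove the hooks.
            hostUnreachable = true;
        }
    }

    /// <summary>
    /// Installs both hooks, keeps the thread alive while the host is reachable,
    /// and removes the hooks again before returning.
    /// </summary>
    public void Run(RemoteHooking.IContext InContext, string InChannelName)
    {
        try
        {
            RecvHook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "recv"), new DRecv(MyRecv), this);
            SendHook = LocalHook.Create(LocalHook.GetProcAddress("WS2_32.dll", "send"), new DSend(MySend), this);

            // Thread id 0 stands for the calling thread, and an exclusive ACL lists
            // the threads that are NOT intercepted: every thread except this one is
            // hooked.
            SendHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            RecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

            Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());

            // NOTE(review): this handle is never used or closed in the visible code,
            // the uint return type cannot hold a full handle on 64-bit, and the access
            // mask asks for every right on the process. Signature and field are left
            // as they are because both are public.
            dwProHwnd = OpenProcess(PROCESS_ALL_ACCESS, 0, RemoteHooking.GetCurrentProcessId());

            // Only relevant when the target was started suspended by EasyHook.
            //EasyHook.RemoteHooking.WakeUpProcess();

            // Previously an endless loop, which left the hooks installed for the
            // rest of the process lifetime.
            while (!hostUnreachable)
            {
                Thread.Sleep(500);
            }
        }
        finally
        {
            // Disposing a LocalHook removes that hook; Release() then frees what
            // EasyHook still holds for removed hooks. Presumably the injected
            // assembly itself stays loaded after Run returns - confirm against the
            // EasyHook documentation.
            if (SendHook != null)
            {
                SendHook.Dispose();
            }
            if (RecvHook != null)
            {
                RecvHook.Dispose();
            }
            LocalHook.Release();
        }
    }

    [DllImport("kernel32.dll", EntryPoint = "OpenProcess")]
    public static extern uint OpenProcess(uint dwDesiredAccess, int bInheritHandle, int dwProcessId);

    public const uint PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF);
    public const uint SYNCHRONIZE = 0x00100000;
    public const uint STANDARD_RIGHTS_REQUIRED = 0x000F0000;

    // Value returned by OpenProcess in Run.
    public uint dwProHwnd = 0;

    // Managed signature of WS2_32!recv used for the hook handler.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate int DRecv(IntPtr socket, IntPtr buffer, int length, int flags);

    // The original recv, called from inside the handler.
    [DllImport("WS2_32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
    static extern int recv(IntPtr socket, IntPtr buffer, int length, int flags);

    // Managed signature of WS2_32!send used for the hook handler.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate int DSend(IntPtr socket, IntPtr buffer, int length, int flags);

    // The original send, called from inside the handler.
    [DllImport("WS2_32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
    static extern int send(IntPtr socket, IntPtr buffer, int length, int flags);
}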
