EasyHook 没有拦截任何 recv 调用
EasyHook is not intercepting any recv calls
我一直在尝试使用 EasyHook 挂钩从 Chrome 和 Firefox 对 'recv' 的调用。但是,这不起作用 - 它不会因任何错误而失败,但也不会捕获任何数据包。我已经用 'CreateFile' 钩子尝试了示例程序,并且工作得很好......
由于几乎没有关于此的文档,因此我无法解决此问题。这是我的代码:
// the injected library
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using EasyHook;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;
namespace SocketMon
{
public class Injection : EasyHook.IEntryPoint
{
SocketMonInterface Interface;
LocalHook CreateFileHook;
Stack<String> Queue = new Stack<String>();
public Injection(RemoteHooking.IContext InContext, String InChannelName)
{
// connect to host...
Interface =
RemoteHooking.IpcConnectClient<SocketMonInterface>(InChannelName);
// validate connection...
Interface.Ping();
}
public void Run(RemoteHooking.IContext InContext, String InChannelName)
{
// install hook...
try
{
CreateFileHook = LocalHook.Create(
LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
new Drecv(recv_Hooked),
this);
CreateFileHook.ThreadACL.SetInclusiveACL(new Int32[] { 0 });
}
catch (Exception ExtInfo)
{
Interface.ReportException(ExtInfo);
return;
}
Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
// wait for host process termination...
try
{
while (true)
{
Thread.Sleep(500);
if (Queue.Count > 0)
{
String[] Package = null;
MessageBox.Show(Queue.Count.ToString());
lock (Queue)
{
Package = Queue.ToArray();
Queue.Clear();
}
Interface.OnRecvData(RemoteHooking.GetCurrentProcessId(), Package);
}
else
Interface.Ping();
}
}
catch
{
// NET Remoting will raise an exception if host is unreachable
}
}
[UnmanagedFunctionPointer(CallingConvention.StdCall,
CharSet = CharSet.Unicode,
SetLastError = true)]
delegate int Drecv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
// just use a P-Invoke implementation to get native API access
// from C# (this step is not necessary for C++.NET)
[DllImport("Ws2_32.dll")]
static extern int recv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
public int recv_Hooked(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
)
{
int len = recv(socketHandle, buf, count, socketFlags);
Queue.Push(String.Format("Received {0} bytes of data on socket {1}", socketHandle, count));
return len;
}
}
}
*
//the ipc interface
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SocketMon
{
public class SocketMonInterface : MarshalByRefObject
{
public void IsInstalled(Int32 InClientPID)
{
Console.WriteLine("SocketMon has been installed in target {0}.\r\n", InClientPID);
}
public void OnRecvData(Int32 InClientPID, String[] InSocketData)
{
for (int i = 0; i < InSocketData.Length; i++)
{
Console.WriteLine(InSocketData[i]);
}
}
public void ReportException(Exception InInfo)
{
Console.WriteLine("The target process has reported" +
" an error:\r\n" + InInfo.ToString());
}
public void Ping()
{
Console.WriteLine("Got pinged");
}
}
}
我已经尝试将 SetExclusiveACL 更改为 SetInclusiveACL,但没有帮助...
我意识到我的代码确实有效...
使用 P/Invoke 手动调用 'recv' 有效...
问题是 Chrome 和 Firefox 没有使用 'recv' - 当我使用 SpyStudio 挂钩它们时,它们实际上调用了 'wininet.dll,' 中的其他方法,而不是使用 winsocks
我一直在尝试使用 EasyHook 挂钩从 Chrome 和 Firefox 对 'recv' 的调用。但是,这不起作用 - 它不会因任何错误而失败,但也不会捕获任何数据包。我已经用 'CreateFile' 钩子尝试了示例程序,并且工作得很好...... 由于几乎没有关于此的文档,因此我无法解决此问题。这是我的代码:
// the injected library
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using EasyHook;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;
namespace SocketMon
{
public class Injection : EasyHook.IEntryPoint
{
SocketMonInterface Interface;
LocalHook CreateFileHook;
Stack<String> Queue = new Stack<String>();
public Injection(RemoteHooking.IContext InContext, String InChannelName)
{
// connect to host...
Interface =
RemoteHooking.IpcConnectClient<SocketMonInterface>(InChannelName);
// validate connection...
Interface.Ping();
}
public void Run(RemoteHooking.IContext InContext, String InChannelName)
{
// install hook...
try
{
CreateFileHook = LocalHook.Create(
LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
new Drecv(recv_Hooked),
this);
CreateFileHook.ThreadACL.SetInclusiveACL(new Int32[] { 0 });
}
catch (Exception ExtInfo)
{
Interface.ReportException(ExtInfo);
return;
}
Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
// wait for host process termination...
try
{
while (true)
{
Thread.Sleep(500);
if (Queue.Count > 0)
{
String[] Package = null;
MessageBox.Show(Queue.Count.ToString());
lock (Queue)
{
Package = Queue.ToArray();
Queue.Clear();
}
Interface.OnRecvData(RemoteHooking.GetCurrentProcessId(), Package);
}
else
Interface.Ping();
}
}
catch
{
// NET Remoting will raise an exception if host is unreachable
}
}
[UnmanagedFunctionPointer(CallingConvention.StdCall,
CharSet = CharSet.Unicode,
SetLastError = true)]
delegate int Drecv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
// just use a P-Invoke implementation to get native API access
// from C# (this step is not necessary for C++.NET)
[DllImport("Ws2_32.dll")]
static extern int recv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
public int recv_Hooked(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
)
{
int len = recv(socketHandle, buf, count, socketFlags);
Queue.Push(String.Format("Received {0} bytes of data on socket {1}", socketHandle, count));
return len;
}
}
}
*
//the ipc interface
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SocketMon
{
public class SocketMonInterface : MarshalByRefObject
{
public void IsInstalled(Int32 InClientPID)
{
Console.WriteLine("SocketMon has been installed in target {0}.\r\n", InClientPID);
}
public void OnRecvData(Int32 InClientPID, String[] InSocketData)
{
for (int i = 0; i < InSocketData.Length; i++)
{
Console.WriteLine(InSocketData[i]);
}
}
public void ReportException(Exception InInfo)
{
Console.WriteLine("The target process has reported" +
" an error:\r\n" + InInfo.ToString());
}
public void Ping()
{
Console.WriteLine("Got pinged");
}
}
}
我已经尝试将 SetExclusiveACL 更改为 SetInclusiveACL,但没有帮助...
我意识到我的代码确实有效...
使用 P/Invoke 手动调用 'recv' 有效...
问题是 Chrome 和 Firefox 没有使用 'recv' - 当我使用 SpyStudio 挂钩它们时,它们实际上调用了 'wininet.dll,' 中的其他方法,而不是使用 winsocks