完整代码,原创无藏私,绝对实用。Windows 10 x64 下调试通过,对 w3wp.exe、sqlserver.exe、notepad.exe、iexplore.exe 注入后,长时间运行稳定,未见异常。
要注入的全局dll(需强命名):
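using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Windows.Forms;
using EasyHook;

namespace ClassLibrary1
{
    /// <summary>
    /// Payload the injector hands to the injected assembly. Marked
    /// <see cref="SerializableAttribute"/> because EasyHook carries the
    /// pass-through arguments across the process boundary.
    /// </summary>
    [Serializable]
    public class HookParameter
    {
        /// <summary>Text the injected constructor displays in its MessageBox.</summary>
        public string Msg { get; set; }

        /// <summary>Process id of the injecting (host) process.</summary>
        public int HostProcessId { get; set; }
    }

    /// <summary>
    /// EasyHook entry point executed inside the target process. It redirects
    /// user32!MessageBoxW and user32!MessageBoxA to the <c>*_Hooked</c> handlers
    /// below, which prefix text and caption before forwarding to the real export.
    /// </summary>
    public class Main : EasyHook.IEntryPoint
    {
        public LocalHook MessageBoxWHook = null;
        public LocalHook MessageBoxAHook = null;

        /// <summary>
        /// Runs once when the assembly is loaded into the target. The modal
        /// MessageBox blocks the injection thread until it is dismissed, which is
        /// acceptable for a demo but not for an unattended process.
        /// </summary>
        public Main(RemoteHooking.IContext context, String channelName, HookParameter parameter)
        {
            MessageBox.Show(parameter.Msg, "Hooked");
        }

        /// <summary>
        /// Installs both hooks and then parks the thread; the hooks are only
        /// meant to stay active while this method is running.
        /// </summary>
        public void Run(RemoteHooking.IContext context, String channelName, HookParameter parameter)
        {
            try
            {
                MessageBoxWHook = InstallUser32Hook("MessageBoxW", new DMessageBoxW(MessageBoxW_Hooked));
                // Fixed: the original wrapped MessageBoxA_Hooked in DMessageBoxW, whose
                // CharSet.Unicode marshaling reads MessageBoxA's ANSI string arguments
                // as UTF-16 and garbles text and caption. DMessageBoxA was declared but unused.
                MessageBoxAHook = InstallUser32Hook("MessageBoxA", new DMessageBoxA(MessageBoxA_Hooked));
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
                return;
            }

            try
            {
                // Keep this thread alive so the hooks remain installed. The bare catch
                // keeps an abort/interruption of the thread from surfacing as an
                // unhandled exception inside the host process.
                while (true)
                {
                    Thread.Sleep(10);
                }
            }
            catch
            {
            }
        }

        /// <summary>
        /// Hooks the named user32.dll export with <paramref name="handler"/>.
        /// The exclusive ACL { 0 } activates the hook for every thread except the
        /// calling one (EasyHook treats thread id 0 as the current thread).
        /// </summary>
        private LocalHook InstallUser32Hook(string exportName, Delegate handler)
        {
            var hook = LocalHook.Create(
                LocalHook.GetProcAddress("user32.dll", exportName),
                handler,
                this);
            hook.ThreadACL.SetExclusiveACL(new Int32[1]);
            return hook;
        }

        #region MessageBoxW
        // hWnd is kept as int as in the original. HWND is pointer-sized on x64, but
        // USER handles are documented as 32-bit significant, so the value survives;
        // IntPtr would be the precise marshaling type.
        [DllImport("user32.dll", EntryPoint = "MessageBoxW", CharSet = CharSet.Unicode)]
        public static extern IntPtr MessageBoxW(int hWnd, string text, string caption, uint type);

        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
        delegate IntPtr DMessageBoxW(int hWnd, string text, string caption, uint type);

        // Replacement for MessageBoxW: prefixes text and caption and forwards to the
        // real export. A null text/caption from the caller becomes just "Hooked - ".
        // The re-entrant P/Invoke is presumably not intercepted again thanks to
        // EasyHook's per-thread barrier — confirm against the EasyHook version in use.
        static IntPtr MessageBoxW_Hooked(int hWnd, string text, string caption, uint type)
        {
            return MessageBoxW(hWnd, "Hooked - " + text, "Hooked - " + caption, type);
        }
        #endregion

        #region MessageBoxA
        [DllImport("user32.dll", EntryPoint = "MessageBoxA", CharSet = CharSet.Ansi)]
        public static extern IntPtr MessageBoxA(int hWnd, string text, string caption, uint type);

        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi)]
        delegate IntPtr DMessageBoxA(int hWnd, string text, string caption, uint type);

        // ANSI counterpart of MessageBoxW_Hooked; same prefixing, same forwarding.
        static IntPtr MessageBoxA_Hooked(int hWnd, string text, string caption, uint type)
        {
            return MessageBoxA(hWnd, "Hooked - " + text, "Hooked - " + caption, type);
        }
        #endregion
    }
}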
注入主程序:
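using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Windows.Forms;
using ClassLibrary1;
using EasyHook;

namespace WindowsFormsApplication8
{
    /// <summary>
    /// Injector form: reads a target process id from <c>textBox1</c>, refuses a
    /// bitness mismatch, makes sure EasyHook.dll and the hook assembly are in the
    /// GAC, then injects ClassLibrary1 through EasyHook. Both the GAC writes and
    /// the injection outlive this program: nothing here removes the assemblies
    /// from the GAC or unloads the hook from the target.
    /// </summary>
    public partial class Form1 : Form
    {
        [DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.Winapi)]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static extern bool IsWow64Process([In] IntPtr process, [Out] out bool wow64Process);

        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Ensures EasyHook.dll and ClassLibrary1.dll (both strong-named) are in the
        /// machine-wide GAC, presumably so the target process can resolve them.
        /// </summary>
        /// <returns>
        /// Always <c>true</c>. <see cref="System.EnterpriseServices.Internal.Publish"/>
        /// is not known to throw on failure (e.g. when this process is not elevated),
        /// so a failed install is not detected here and only shows up later as a
        /// failed injection.
        /// </returns>
        private bool RegGACAssembly()
        {
            var publisher = new System.EnterpriseServices.Internal.Publish();
            var baseDir = AppDomain.CurrentDomain.BaseDirectory;

            var easyHookPath = Path.Combine(baseDir, "EasyHook.dll");
            if (!RuntimeEnvironment.FromGlobalAccessCache(Assembly.LoadFrom(easyHookPath)))
            {
                publisher.GacInstall(easyHookPath);
                Thread.Sleep(100); // delay kept from the original, apparently to let the install settle
            }

            // The hook DLL is always removed first so a rebuilt copy replaces the cached one.
            var hookDllPath = Path.Combine(baseDir, "ClassLibrary1.dll");
            publisher.GacRemove(hookDllPath);
            if (!RuntimeEnvironment.FromGlobalAccessCache(Assembly.LoadFrom(hookDllPath)))
            {
                publisher.GacInstall(hookDllPath);
                Thread.Sleep(100);
            }
            return true;
        }

        /// <summary>
        /// Injects ClassLibrary1 into <paramref name="processId"/> via EasyHook.
        /// The same assembly path is passed for both the x86 and x64 slots, which is
        /// only valid because the caller has already checked that the target's
        /// bitness matches this process. The trailing arguments become the
        /// constructor/Run parameters of <c>ClassLibrary1.Main</c>: string.Empty fills
        /// channelName (no IPC channel is used) and <c>parameter</c> is the payload.
        /// </summary>
        /// <returns><c>false</c> when Inject throws; details go to Debug.Print only.</returns>
        private static bool InstallHookInternal(int processId)
        {
            try
            {
                var parameter = new HookParameter
                {
                    Msg = "已经成功注入目标进程",
                    HostProcessId = RemoteHooking.GetCurrentProcessId()
                };
                var hookAssemblyPath = typeof(HookParameter).Assembly.Location;
                RemoteHooking.Inject(
                    processId,
                    InjectionOptions.Default,
                    hookAssemblyPath,
                    hookAssemblyPath,
                    string.Empty,
                    parameter);
            }
            catch (Exception ex)
            {
                Debug.Print(ex.ToString());
                return false;
            }
            return true;
        }

        /// <summary>
        /// Returns <c>true</c> when the process is NOT running under WOW64, i.e. it is
        /// native for the OS (a 64-bit process on 64-bit Windows). Despite the name,
        /// this is the value both sides of the bitness comparison in button1_Click use.
        /// </summary>
        /// <exception cref="ArgumentException">No process with that id is running.
        /// Process.GetProcessById never returns null, so the original null check was dead.</exception>
        /// <exception cref="Win32Exception">The process handle could not be opened or
        /// IsWow64Process failed. The original treated a failed query as "not WOW64"
        /// (reported as 64-bit), which would let a mismatched injection through.</exception>
        private static bool IsWin64Emulator(int processId)
        {
            using (var process = Process.GetProcessById(processId))
            {
                var os = Environment.OSVersion.Version;
                // kernel32 only exports IsWow64Process from the XP/2003 generation (5.1) on.
                if (os.Major > 5 || (os.Major == 5 && os.Minor >= 1))
                {
                    bool isWow64;
                    if (!IsWow64Process(process.Handle, out isWow64))
                    {
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    }
                    return !isWow64;
                }
                return false; // no WOW64 emulator on this OS generation
            }
        }

        /// <summary>
        /// Click handler: validates the process id, refuses a bitness mismatch,
        /// registers the assemblies in the GAC and injects. A failed injection is
        /// only reported through Debug.Print (InstallHookInternal's result is ignored).
        /// </summary>
        private void button1_Click(object sender, EventArgs e)
        {
            // int.Parse threw FormatException on bad input and GetProcessById throws
            // ArgumentException for a missing process — neither returns null — so the
            // original "process does not exist" message was unreachable and the form
            // crashed instead. Both cases now fall into the same message.
            int pid;
            Process target = null;
            if (int.TryParse(textBox1.Text, out pid))
            {
                try
                {
                    target = Process.GetProcessById(pid);
                }
                catch (ArgumentException)
                {
                    target = null;
                }
            }
            if (target == null)
            {
                MessageBox.Show("指定的进程不存在!");
                return;
            }

            using (target)
            {
                bool targetIs64;
                bool currentIs64;
                try
                {
                    targetIs64 = IsWin64Emulator(target.Id);
                    using (var current = Process.GetCurrentProcess())
                    {
                        currentIs64 = IsWin64Emulator(current.Id);
                    }
                }
                catch (Win32Exception ex)
                {
                    // e.g. the target's handle could not be opened.
                    MessageBox.Show(ex.Message);
                    return;
                }

                if (targetIs64 != currentIs64)
                {
                    var currentPlat = currentIs64 ? 64 : 32;
                    var targetPlat = targetIs64 ? 64 : 32;
                    MessageBox.Show(string.Format("当前程序是{0}位程序,目标进程是{1}位程序,请调整编译选项重新编译后重试!", currentPlat, targetPlat));
                    return;
                }

                RegGACAssembly();
                InstallHookInternal(target.Id);
            }
        }

        private void Form1_Load(object sender, EventArgs e)
        {
        }
    }
}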
完整代码下载地址:http://download.csdn.net/download/nanfei01055/9999598
C# EasyHook MessageBox 示例(极简而全)
原文地址:http://www.cnblogs.com/nanfei/p/7787645.html