Click here to Skip to main content
Click here to Skip to main content

Hook Unmanaged Processes Using VB.NET DLLs

, 24 Jan 2013 CPOL
Rate this:
Please Sign up or sign in to vote.
Hooking unmanaged processes using VB.NET.

Introduction  

In this article we will introduce a technique of hooking unmanaged processes  using VB.NET DLLs.

Background  

The main idea of the project is to code a VB.NET DLL that applies a hook on MessageBoxA API using delegate unmanaged pointer and the VB.NET DLL is injected by another C++ Dll used as a bridge for the injection operation which is injected by standard DLL injector.

Using the code 

The hook base of the VB.NET DLL will look like this:

Private Shared Function InjectHook(ByVal arg As String) As Integer
    Try
        Dim pAddr As Integer = GetProcAddress(GetModuleHandle("user32"), "MessageBoxA")
        Dim functionPointerForDelegate As Integer = _
              CInt(Marshal.GetFunctionPointerForDelegate(New MBAH(AddressOf clsHook.hook)))
        Dim lpflOldProtect As UInt32 = 0
        clsHook.VirtualProtect(pAddr, 6, &H40, lpflOldProtect)
        Dim num3 As Integer = ((functionPointerForDelegate - pAddr) - 5)
        Dim bytes As Byte() = BitConverter.GetBytes(num3)
        Dim source As Byte() = New Byte() {&HE9, bytes(0), bytes(1), bytes(2), bytes(3)}
        Marshal.Copy(source, 0, pAddr, 5)
        Return 1
    Catch ex As Exception
        Return 0
    End Try
End Function

Public Shared Function hook(ByVal hWnd As Integer, ByVal [Text] As String, _
       ByVal Caption As String, ByVal uType As Integer) As Integer
    Return clsHook.MessageBoxW(hWnd, ([Text] & " - VB.NET Hook"), "Hook", uType)
End Function

As The "InjectHook" Function will be the hook installer

if hook installation procedure completed successfully all calls to MessageBoxA API will be detoured to the function "hook".

And The C++ Bridge DLL will play the .NET Runtime start part and after that will start The "InjectHook" function in the target native process 

void netclr()
{
    LPWSTR Buffer=new TCHAR[BUFSIZE];
    ICLRRuntimeHost* pCLR = NULL;
    DWORD result;

    GetCurrentDirectory(BUFSIZE, Buffer);
    lstrcatW(Buffer,L"\\vhook.dll");

   // start the .NET Runtime in the current native process
   CorBindToRuntimeEx(NULL, L"wks", NULL, CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&pCLR);

   pCLR->Start();

   //Fourth Param is dummy and also the fifth
   pCLR->ExecuteInDefaultAppDomain(Buffer, L"VHook.HookTest.clsHook", 
     L"InjectHook", L"Simon-Benyo", &result);
}

If whole process completed successfully the hook should be active and all MessageBoxA from the target process should be redirected to MessageBoxW after adding " - VB.NET Hook" Sentence to its second param and replacing its caption with the word "hook".

And the result in our testsample after applying the hook was successful as we see:

Points of Interest    

So the whole point of this article is to show how to create a hook using VB.NET DLLs using delegates mainly and inject the hook library using a c++ Dll and all what we need is to write the hook and start .net runtime in target process and Execute Hook Installer Function.

History

First release.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Simon-Benyo
Student
Syrian Arab Republic Syrian Arab Republic
No Biography provided

Comments and Discussions

 
GeneralMy vote of 5 [modified] Pinmembersafrot25-Jan-13 23:15 
GeneralRe: My vote of 5 PinmemberSimon-Benyo27-Jan-13 6:48 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.141030.1 | Last Updated 24 Jan 2013
Article Copyright 2013 by Simon-Benyo
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid