Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (5)

Hook Unmanaged Processes Using VB.NET DLLs

By , 24 Jan 2013
 

Introduction  

In this article we will introduce a technique of hooking unmanaged processes  using VB.NET DLLs.

Background  

The main idea of the project is to code a VB.NET DLL that applies a hook on MessageBoxA API using delegate unmanaged pointer and the VB.NET DLL is injected by another C++ Dll used as a bridge for the injection operation which is injected by standard DLL injector.

Using the code 

The hook base of the VB.NET DLL will look like this:

Private Shared Function InjectHook(ByVal arg As String) As Integer
    Try
        Dim pAddr As Integer = GetProcAddress(GetModuleHandle("user32"), "MessageBoxA")
        Dim functionPointerForDelegate As Integer = _
              CInt(Marshal.GetFunctionPointerForDelegate(New MBAH(AddressOf clsHook.hook)))
        Dim lpflOldProtect As UInt32 = 0
        clsHook.VirtualProtect(pAddr, 6, &H40, lpflOldProtect)
        Dim num3 As Integer = ((functionPointerForDelegate - pAddr) - 5)
        Dim bytes As Byte() = BitConverter.GetBytes(num3)
        Dim source As Byte() = New Byte() {&HE9, bytes(0), bytes(1), bytes(2), bytes(3)}
        Marshal.Copy(source, 0, pAddr, 5)
        Return 1
    Catch ex As Exception
        Return 0
    End Try
End Function

Public Shared Function hook(ByVal hWnd As Integer, ByVal [Text] As String, _
       ByVal Caption As String, ByVal uType As Integer) As Integer
    Return clsHook.MessageBoxW(hWnd, ([Text] & " - VB.NET Hook"), "Hook", uType)
End Function

As The "InjectHook" Function will be the hook installer

if hook installation procedure completed successfully all calls to MessageBoxA API will be detoured to the function "hook".

And The C++ Bridge DLL will play the .NET Runtime start part and after that will start The "InjectHook" function in the target native process 

void netclr()
{
    LPWSTR Buffer=new TCHAR[BUFSIZE];
    ICLRRuntimeHost* pCLR = NULL;
    DWORD result;

    GetCurrentDirectory(BUFSIZE, Buffer);
    lstrcatW(Buffer,L"\\vhook.dll");

   // start the .NET Runtime in the current native process
   CorBindToRuntimeEx(NULL, L"wks", NULL, CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&pCLR);

   pCLR->Start();

   //Fourth Param is dummy and also the fifth
   pCLR->ExecuteInDefaultAppDomain(Buffer, L"VHook.HookTest.clsHook", 
     L"InjectHook", L"Simon-Benyo", &result);
}

If whole process completed successfully the hook should be active and all MessageBoxA from the target process should be redirected to MessageBoxW after adding " - VB.NET Hook" Sentence to its second param and replacing its caption with the word "hook".

And the result in our testsample after applying the hook was successful as we see:

Points of Interest    

So the whole point of this article is to show how to create a hook using VB.NET DLLs using delegates mainly and inject the hook library using a c++ Dll and all what we need is to write the hook and start .net runtime in target process and Execute Hook Installer Function.

History

First release.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 Simon-Benyo
Student
Syrian Arab Republic Syrian Arab Republic
Member
No Biography provided

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
View All ThreadsFirst Prev Next
GeneralMy vote of 5 [modified]membersafrot25 Jan '13 - 23:15 
the code shows how to get this done very clearly.. Thanks Alot.
 
just one thing:
 
LPWSTR Buffer=new TCHAR[BUFSIZE];
GetCurrentDirectory(BUFSIZE, Buffer);
 
you'r calling GetCurrentDirectoryA and passing LPWSTR ,,
we should call GetCurrentDirectoryW instead,
 
_Native Call

modified 26 Jan '13 - 5:48.
Sign In·Permalink
GeneralRe: My vote of 5 PinmemberSimon-Benyo27 Jan '13 - 6:48 
youre welcome safrot and about GetCurrentDirectoryW i am calling GetCurrentDirectory which is at unicode set as default in VisualStudio 2012 so in MSVC++6 you have to add W at end of it but in VS2012 calling GetCurrentDirectory with LPWSTR is fine Smile | :)
Sign In·Permalink
Last Visit: 31 Dec '99 - 18:00     Last Update: 25 May '13 - 14:14Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
Hooking unmanaged processes using VB.NET.
Type Tip/Trick
Licence CPOL
First Posted 24 Jan 2013
Views 4,331
Downloads 178
Bookmarked 3 times

, +
Top News

Old Japanese Man Creates Amazing Art Using Excel (Wait, Excel?)

Get the Insider News free each morning.
Related Videos
Building Websites With WordPress - 0102 The Workflow Process
Making AJAX Requests
Using Window Messages to Implement Global System Hooks in C#
Global System Hooks in .NET
Easy way to set up global API hooks
Load DLL From Embedded Resource
EasyHook - The reinvention of Windows API hooking
Global Windows Hooks
API hooking revealed
Mouse and KeyBoard Hooking utility with VC++
Push and Run .NET Code on Remote Machine
Processing Global Mouse and Keyboard Hooks in C#
APIHijack - A Library for easy DLL function hooking.
Unmanaged to Managed Calls
HookImportFunctionByName v1.0
X-Window Manager like dragging and resizing of windows
Cross Process Subclassing
Lock Windows Desktop
Hooking in Microsoft .NET
Hooks and DLLs
System Wide Hooking for the WM_CHAR Message
PasswordSpy - Retrieving lost passwords using Windows hooks
Permalink | Advertise | Privacy | Mobile
Web03 | 2.6.130523.1 | Last Updated 24 Jan 2013
Article Copyright 2013 by Simon-Benyo
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid