
Hook Unmanaged Processes Using VB.NET DLLs

24 Jan 2013, CPOL, 1 min read
Hooking unmanaged processes using VB.NET.

Introduction  

This article introduces a technique for hooking unmanaged processes using VB.NET DLLs.

Background  

The main idea of the project is to write a VB.NET DLL that hooks the MessageBoxA API using an unmanaged function pointer obtained from a delegate. The VB.NET DLL is loaded by a C++ DLL that acts as a bridge for the injection, and the C++ DLL is itself injected by a standard DLL injector.

Using the code 

The hook base of the VB.NET DLL will look like this:

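VB.NET
' Requires: Imports System.Runtime.InteropServices (for Marshal)
' Holds the delegate for the lifetime of the hook; without a live reference the
' garbage collector can free the thunk that the patched MessageBoxA jumps to
Private Shared hookDelegate As MBAH

Private Shared Function InjectHook(ByVal arg As String) As Integer
    Try
        ' Entry point of MessageBoxA in this process. Pointers are kept in Integer
        ' and the jump is a rel32, so this code is for 32-bit processes only
        Dim pAddr As Integer = GetProcAddress(GetModuleHandle("user32"), "MessageBoxA")
        hookDelegate = New MBAH(AddressOf clsHook.hook)
        Dim functionPointerForDelegate As Integer = _
              CInt(Marshal.GetFunctionPointerForDelegate(hookDelegate))
        Dim lpflOldProtect As UInt32 = 0
        ' &H40 = PAGE_EXECUTE_READWRITE, so the entry point can be overwritten
        clsHook.VirtualProtect(pAddr, 6, &H40, lpflOldProtect)
        ' Offset for JMP rel32, measured from the end of the 5-byte instruction
        Dim num3 As Integer = ((functionPointerForDelegate - pAddr) - 5)
        Dim bytes As Byte() = BitConverter.GetBytes(num3)
        ' &HE9 = JMP rel32 opcode, followed by the little-endian offset
        Dim source As Byte() = New Byte() {&HE9, bytes(0), bytes(1), bytes(2), bytes(3)}
        Marshal.Copy(source, 0, New IntPtr(pAddr), 5)
        Return 1
    Catch ex As Exception
        Return 0
    End Try
End Function

' Replacement for MessageBoxA: forwards to MessageBoxW with modified text and caption
Public Shared Function hook(ByVal hWnd As Integer, ByVal [Text] As String, _
       ByVal Caption As String, ByVal uType As Integer) As Integer
    Return clsHook.MessageBoxW(hWnd, ([Text] & " - VB.NET Hook"), "Hook", uType)
End Function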

The "InjectHook" function is the hook installer.

If the hook installation procedure completes successfully, all calls to the MessageBoxA API are detoured to the function "hook".

The C++ bridge DLL starts the .NET runtime in the target native process and then calls the "InjectHook" function:

C++
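#include <windows.h>
#include <mscoree.h>   // ICLRRuntimeHost, CorBindToRuntimeEx (link with mscoree.lib)

void netclr()
{
    WCHAR Buffer[BUFSIZE];   // BUFSIZE is defined elsewhere in the project
    ICLRRuntimeHost* pCLR = NULL;
    DWORD result = 0;

    // Build the path to vhook.dll in the current directory; call the W API
    // explicitly because Buffer is a wide-character buffer
    DWORD len = GetCurrentDirectoryW(BUFSIZE, Buffer);
    if (len == 0 || len + lstrlenW(L"\\vhook.dll") >= BUFSIZE)
        return;
    lstrcatW(Buffer, L"\\vhook.dll");

    // start the .NET Runtime in the current native process
    if (FAILED(CorBindToRuntimeEx(NULL, L"wks", NULL, CLSID_CLRRuntimeHost,
                                  IID_ICLRRuntimeHost, (LPVOID*)&pCLR)))
        return;

    if (FAILED(pCLR->Start()))
        return;

    // Fourth param is a dummy and so is the fifth
    pCLR->ExecuteInDefaultAppDomain(Buffer, L"VHook.HookTest.clsHook",
        L"InjectHook", L"Simon-Benyo", &result);
}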

If the whole process completes successfully, the hook is active and every MessageBoxA call from the target process is redirected to MessageBoxW, with " - VB.NET Hook" appended to its second parameter and its caption replaced with the word "Hook".

In our test sample, the hook was applied successfully.
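Seen from the detection side, the patch that InjectHook writes is a 5-byte JMP rel32 at the entry point of MessageBoxA whose destination lies outside user32. The following is an added example, not part of the original article: check_prologue, HookVerdict and the sample addresses are constructed for illustration, and reading the entry-point bytes and the module range from a live 32-bit process is assumed to be done by the caller.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Verdict for the first bytes of an exported function's entry point.
enum HookVerdict { NO_JMP_REL32, JMP_INSIDE_MODULE, JMP_OUTSIDE_MODULE, TOO_SHORT };

// Read a little-endian 32-bit value regardless of host byte order.
static uint32_t read_le32(const uint8_t* p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// bytes/len        first bytes read from the function's entry point in memory
// funcAddr         32-bit virtual address of that entry point
// modBase/modSize  address range of the module that exports the function
// target           receives the decoded destination when a JMP rel32 is found
HookVerdict check_prologue(const uint8_t* bytes, size_t len, uint32_t funcAddr,
                           uint32_t modBase, uint32_t modSize, uint32_t* target)
{
    if (len < 5) return TOO_SHORT;
    if (bytes[0] != 0xE9) return NO_JMP_REL32;   // entry point is not a JMP rel32

    // Inverse of the article's offset = (dest - pAddr) - 5. Unsigned math
    // wraps modulo 2^32, so backward jumps decode correctly.
    uint32_t dest = funcAddr + 5u + read_le32(bytes + 1);
    if (target) *target = dest;

    // dest - modBase wraps for addresses below the base, so a single
    // comparison covers both ends of the module range.
    return (dest - modBase < modSize) ? JMP_INSIDE_MODULE : JMP_OUTSIDE_MODULE;
}

int main()
{
    // Constructed sample values, not taken from a real process.
    const uint32_t func = 0x7680FD1Eu, base = 0x767D0000u, size = 0x000D0000u;
    const uint8_t clean[5]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};  // mov edi,edi; push ebp; mov ebp,esp
    const uint8_t hooked[5] = {0xE9, 0xDD, 0x02, 0xCA, 0x89};  // jmp 0x004B0000
    uint32_t dest = 0;
    HookVerdict v1 = check_prologue(clean, 5, func, base, size, &dest);
    HookVerdict v2 = check_prologue(hooked, 5, func, base, size, &dest);
    printf("clean: %d  hooked: %d  target: 0x%08X\n", (int)v1, (int)v2, (unsigned)dest);
    return 0;
}
```

The check covers only the JMP rel32 form used in this article; a result of NO_JMP_REL32 does not rule out other kinds of hook.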

Points of Interest    

The point of this article is to show how to create a hook in a VB.NET DLL, mainly using delegates, and how to inject the hook library using a C++ DLL. All we need is to write the hook, start the .NET runtime in the target process, and execute the hook installer function.

History

First release.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Student
Sweden

Comments and Discussions

 
My vote of 5
safrot, 25-Jan-13 23:15

The code shows how to get this done very clearly. Thanks a lot.

Just one thing:

LPWSTR Buffer=new TCHAR[BUFSIZE];
GetCurrentDirectory(BUFSIZE, Buffer);

You're calling GetCurrentDirectoryA and passing LPWSTR;
we should call GetCurrentDirectoryW instead.

_Native Call

modified 26-Jan-13 5:48am.
