nektra / deviare-inproc
Deviare In Process Instrumentation Engine
Home Page: http://nektra.com/products/deviare-api-hook-windows/deviare-in-process/
License: Other
It will return local time.
I had hooked kernel32.dll GetLocalTime, but it had no effect.
When I step into the source of the 'Now' method, I found it invokes DateTime.GetSystemTimeAsFileTime().
So I hook DateTime.GetSystemTimeAsFileTime() and get the right result.
It is not a stylish method; how can I hook it directly?
In short: how to hook a C# struct's property?
Another nice feature would be to be able to create a new process with an injected DLL which has already been read from the disk or downloaded from the internet.
So, e.g., if I downloaded a DLL from the XY website, but I don't want to write it to disk before injecting, then I could just call this API and inject it from a buffer.
I'm not sure how your DLL injection works (could you explain quickly? LoadLibrary, LdrLoadDll, manual mapping, etc.), but I'm sure it would require some kind of manual mapping method. It would be great to see such a feature :)
(I'm not yet familiar with GitHub, so I'm not sure if I'm writing to the wrong place; actually I couldn't find any better place. Did I miss anything?)
I inject into the process using NKTHOOKLIB_DisallowReentrancy and hook the following functions:
NtClose
NtOpenFile
NtCreateSection
NtQueryAttributesFile
STATUS_STACK_BUFFER_OVERRUN was raised.
But without using NKTHOOKLIB_DisallowReentrancy everything works fine.
Below is the dmp file
Test platform: Windows 11 x64 22H2
Computer: Alienware x17 R2
CrashDump_2a50_2022-10-07_21-48-57-595_3248.zip
The problem might be
http://forum.madshi.net/viewtopic.php?f=7&t=28896
After testing: with Visual Studio (2019-2022) and /CETCOMPAT enabled the problem reproduces;
the hardware must support CET.
Here's the problem: when we call Hook(), the function calls RemoteHook(), which then builds the trampoline, suspends the threads and does the actual hooking. Once hooked, all the threads are resumed, and one of the threads which calls the hooked function will crash if the detoured function tries to call the lpOriginal function too, before Hook() actually returns and provides the proper lpOriginal address.
Let me illustrate a bit:
Thread 1 -------------------------- Thread 2
Hook(&lpOriginal) -----------------
RemoteHook() ----------------------
SuspendThreads() ------------------ Suspended
ActualHooking ---------------------
ResumeThreads() ------------------- Running
----------------------------------- Call hooked function
----------------------------------- Call original function (lpOriginal)
----------------------------------- crash due to lpOriginal not set yet
RemoteHook() return ---------------
Hook() return with lpOriginal set -
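Added example (not code from the issue above or from the Deviare-InProc sources): the race in the diagram, modelled in a single thread so the interleaving is deterministic. "Patching" is simulated by swapping a function pointer in a dispatch slot, and "Thread 2" is a call made in the window between the two steps of Hook(). It shows the two mitigations a practitioner wants: the engine publishes lpOriginal before redirecting the entry point, and the detour checks the pointer rather than trusting it. All names are hypothetical.

```c
#include <stdatomic.h>
#include <stdio.h>

typedef int (*target_fn)(int);

/* Hypothetical function being hooked (stands in for the lpProcToHook target). */
static int original_fn(int x) { return x + 1; }

/* The detour's "lpOriginal": written by Hook(), read by the detour. */
static _Atomic(target_fn) lp_original = (target_fn)0;

/* Dispatch slot that stands in for the patched function entry point. */
static _Atomic(target_fn) entry_point = original_fn;

#define DETOUR_NOT_READY (-1)

/* Detour: must tolerate lp_original not being published yet. */
static int detour_fn(int x) {
    target_fn orig = atomic_load_explicit(&lp_original, memory_order_acquire);
    if (orig == (target_fn)0)
        return DETOUR_NOT_READY;   /* a detour without this check dereferences NULL here */
    return orig(x) * 10;
}

/* Simulates Thread 2 calling the hooked function at this exact moment. */
static int racing_call(int x) {
    target_fn f = atomic_load_explicit(&entry_point, memory_order_acquire);
    return f(x);
}

static void reset_state(void) {
    atomic_store_explicit(&lp_original, (target_fn)0, memory_order_relaxed);
    atomic_store_explicit(&entry_point, original_fn, memory_order_relaxed);
}

/* Order from the diagram: ActualHooking first, lpOriginal set only when Hook() returns. */
static int hook_patch_then_publish(int racing_arg) {
    reset_state();
    atomic_store_explicit(&entry_point, detour_fn, memory_order_release);      /* ActualHooking */
    int seen = racing_call(racing_arg);                                        /* Thread 2 runs */
    atomic_store_explicit(&lp_original, original_fn, memory_order_release);   /* Hook() returns */
    return seen;
}

/* Safe order: publish lpOriginal (release) before the entry point is redirected. */
static int hook_publish_then_patch(int racing_arg) {
    reset_state();
    atomic_store_explicit(&lp_original, original_fn, memory_order_release);
    atomic_store_explicit(&entry_point, detour_fn, memory_order_release);
    return racing_call(racing_arg);
}

int main(void) {
    printf("patch-then-publish: %d\n", hook_patch_then_publish(4)); /* -1: detour saw no lpOriginal */
    printf("publish-then-patch: %d\n", hook_publish_then_patch(4)); /* 50: forwarded to original */
    return 0;
}
```

The acquire/release pairing is what makes the second order correct on a real second thread as well: a thread that observes the redirected entry point is guaranteed to also observe the published lpOriginal.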
Hi, I would like to hook certain methods in a .NET executable while it is running. I found this sample code:
object o = cHook.Hook(typeof(SampleClass), "Call", new Type[] { typeof(string), typeof(string) }, typeof(MySampleClass), "Call", new Type[] { typeof(string), typeof(string) });
But this of course only works inside the current executable. Is it possible to achieve the same thing in a remote process using Deviare In-Proc? I know it can also inject DLLs, but as far as I can see, that will only work with a native DLL, and I'd first just like to know if I can do this with C# instead.
I am trying to download and compile the source code of WinDbg. NktHookLib is required, but the Lib file cannot be generated normally after I compile Deviare-InProc. The error is as follows:
Custom build of "..\Lib\Asm\Helpers_x64.asm;..\Lib\Asm\RelocatableCode_x64.asm;..\Lib\Asm\RelocatableCode_x86.asm" exited with code 1.
The build error of WinDbg is as follows:
LNK1181 Unable to open input file: D:\下载\浏览器下载\WingDbg-master\Deviare-InProc\Libs\2015\NktHookLib64_Debug.lib WingDbg D:\下载\浏览器下载\WingDbg-master\WingDbg\LINK 1
My development environment is Visual Studio 2019, with Windows SDK version 10.0.
Thank you for your reply.
Hi,
I saw the samples, and they show how to hook a .NET method when running within the same process.
How to do it on another DLL that is loaded in another .NET process? Is it possible?
Thank you
Hello Mauro,
Do you know of any Deviare-InProc example code that also writes the "NktProcessMemory" parameters?
I am trying to intercept process calls and then redirect file and registry requests to another drive location (on a network).
Is this possible to do with Deviare-InProc?
Hi, while doing a test with .NET I got "Error type: System.ArgumentNullException".
The test case is the following:
public class TestClass
{
    public String Name;
    public Object Value
    {
        get
        {
            return "the value";
        }
        set
        {
            Name = (String)value;
        }
    }
}

public class ClassDetours
{
    public String Name_detour;
    public Object Value_detour
    {
        get
        {
            return "answer_detour";
        }
        set
        {
            Name_detour = (String)value;
        }
    }
}

object o = cHook.Hook(typeof(TestClass), "Value", new Type[] { },
                      typeof(ClassDetours), "Value_detour", new Type[] { });
Regards.
Hello guys,
I encountered a problem with unhooking in the following scenario.
There is a simple native x64 application:
#include <iostream>
#include <Windows.h>
#include <process.h>
#include "NktHookLib.h"

typedef int (*TheFunctionFunc)(void*);

CNktHookLib::HOOK_INFO g_hook;

int TheFunctionHook(void* p1) {
    std::cout << "Hook" << std::endl;
    if (g_hook.lpCallOriginal) {
        return ((TheFunctionFunc)(g_hook.lpCallOriginal))(p1);
    }
    return 0;
}

TheFunctionFunc TheFunction;

void init() {
    HMODULE hModule = LoadLibrary(L"module.dll");
    if (!hModule)
        return;
    TheFunction = (TheFunctionFunc)GetProcAddress(hModule, "TheFunction");
}

CNktHookLib g_lib;

void install_hooks() {
    g_lib.SetEnableDebugOutput(TRUE);
    g_hook.lpProcToHook = TheFunction;
    g_hook.lpNewProcAddr = TheFunctionHook;
    g_lib.Hook(&g_hook, 1);
}

void uninstall_hooks() {
    g_lib.Unhook(&g_hook, 1);
}

unsigned __stdcall run(void*) {
    while (true) {
        TheFunction(nullptr);
    }
    return 0;
}

int main() {
    init();
    TheFunction(nullptr);
    HANDLE hThread = (HANDLE)_beginthreadex(nullptr, 2048, run, nullptr, 0, 0);
    while (true) {
        install_hooks();
        //WaitForSingleObject(hThread, 61000);
        uninstall_hooks();
        //WaitForSingleObject(hThread, 1000);
    }
    CloseHandle(hThread);
}
This code leads to a crash of the application during uninstallation of the hook in the _beginthreadex thread.
Analyzing the disassembly and NktHookLib.cpp revealed the following.
*p++ = 0x48; *p++ = 0xF7; *p++ = 0x02; //test QWORD PTR [rdx], 00000101h
*((ULONG NKT_UNALIGNED*)p) = 0x00000101;
p += sizeof(ULONG);
//----
*p++ = 0x75; //jne CALL_ORIGINAL
*p++ = ((lpHookEntry->dwFlags & NKTHOOKLIB_DisallowReentrancy) != 0) ? 0x7A : 0x06;
//check for reentrancy
Which, as I understood, leads to this code:
000007FEBA6A0022 75 06 jne 000007FEBA6A002A
000007FEBA6A0024 5A pop rdx
000007FEBA6A0025 FF 25 00 00 00 00 jmp qword ptr [7FEBA6A002Bh]
000007FEBA6A002B 4B 10 FC adc r12b,dil
000007FEBA6A002E ?? db 3fh
000007FEBA6A002F 01 00 add dword ptr [rax],eax
000007FEBA6A0031 00 00 add byte ptr [rax],al
000007FEBA6A0033 5A pop rdx
000007FEBA6A0034 4C 89 4C 24 20 mov qword ptr [rsp+20h],r9
000007FEBA6A0039 FF 25 00 00 00 00 jmp qword ptr [7FEBA6A003Fh]
but jump 000007FEBA6A002A is not correct in case of unloading. The correct address I suppose is 000007FEBA6A0033 thus offset 0x06 should be replaced with 0x0F. Doing this fixed the problem on my side.
So, if you have a chance to review this place that would be great.
Thanks,
Mikalaj
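Added example (not code from the issue above or from NktHookLib): the root cause Mikalaj describes is a rel8 displacement hard-coded as 0x06 or 0x7A, which goes stale whenever the sequence it skips changes length. The snippet below is a minimal byte emitter with labels and a fix-up pass, applied to the same reentrancy-check sequence quoted in the issue (test qword ptr [rdx],101h; jne; pop rdx; jmp qword ptr [rip]; 8-byte address; pop rdx; ...). The computed rel8 comes out as 0x0F, the value the issue arrives at by hand, and the range check refuses to encode a jump that no longer fits in rel8. Addresses passed in are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE   256
#define MAX_FIXUPS 8
#define MAX_LABELS 8

typedef struct {
    uint8_t code[MAX_CODE];
    size_t  len;
    struct { size_t rel8_at; int label; } fixups[MAX_FIXUPS];
    size_t  nfixups;
    size_t  labels[MAX_LABELS];   /* bound offset per label; SIZE_MAX = unbound */
} emitter;

static void em_init(emitter *e) {
    memset(e, 0, sizeof *e);
    for (int i = 0; i < MAX_LABELS; i++) e->labels[i] = SIZE_MAX;
}

static void em_bytes(emitter *e, const uint8_t *b, size_t n) {
    memcpy(e->code + e->len, b, n);
    e->len += n;
}

/* Little-endian host assumed for the immediates. */
static void em_u32(emitter *e, uint32_t v) { em_bytes(e, (const uint8_t *)&v, 4); }
static void em_u64(emitter *e, uint64_t v) { em_bytes(e, (const uint8_t *)&v, 8); }

/* jcc rel8: displacement left as 0 and recorded for the fix-up pass. */
static void em_jcc_rel8(emitter *e, uint8_t opcode, int label) {
    uint8_t ins[2] = { opcode, 0x00 };
    e->fixups[e->nfixups].rel8_at = e->len + 1;
    e->fixups[e->nfixups].label   = label;
    e->nfixups++;
    em_bytes(e, ins, 2);
}

static void em_bind(emitter *e, int label) { e->labels[label] = e->len; }

/* Resolve every rel8 fix-up; -1 if a label is unbound or a jump is out of rel8 range. */
static int em_resolve(emitter *e) {
    for (size_t i = 0; i < e->nfixups; i++) {
        size_t at = e->fixups[i].rel8_at;
        size_t target = e->labels[e->fixups[i].label];
        if (target == SIZE_MAX) return -1;
        ptrdiff_t rel = (ptrdiff_t)target - (ptrdiff_t)(at + 1); /* relative to the byte after the jcc */
        if (rel < -128 || rel > 127) return -1;                   /* would need the 0F 8x rel32 form */
        e->code[at] = (uint8_t)(int8_t)rel;
    }
    return 0;
}

/*
 * Emits the reentrancy-check sequence from the issue and returns the rel8 the jne
 * received, or -1 if it could not be encoded. pad_nops extra bytes are inserted before
 * the CALL_ORIGINAL label to show the range check rejecting an overlong skip.
 */
static int build_reentrancy_stub(uint64_t call_original_addr, uint64_t continue_addr, size_t pad_nops) {
    enum { L_CALL_ORIGINAL = 0 };
    static const uint8_t test_rdx[3] = { 0x48, 0xF7, 0x02 };       /* test qword ptr [rdx], imm32 */
    static const uint8_t pop_rdx[1]  = { 0x5A };
    static const uint8_t jmp_rip[6]  = { 0xFF, 0x25, 0, 0, 0, 0 }; /* jmp qword ptr [rip+0] */
    static const uint8_t nop         = 0x90;
    emitter e;
    em_init(&e);
    em_bytes(&e, test_rdx, 3);
    em_u32(&e, 0x00000101);
    em_jcc_rel8(&e, 0x75, L_CALL_ORIGINAL);  /* jne CALL_ORIGINAL: rel8 computed, not hard-coded */
    em_bytes(&e, pop_rdx, 1);
    em_bytes(&e, jmp_rip, 6);
    em_u64(&e, continue_addr);               /* 8-byte absolute address read by the jmp above */
    for (size_t i = 0; i < pad_nops; i++) em_bytes(&e, &nop, 1);
    em_bind(&e, L_CALL_ORIGINAL);
    em_bytes(&e, pop_rdx, 1);
    em_bytes(&e, jmp_rip, 6);
    em_u64(&e, call_original_addr);
    if (em_resolve(&e) != 0) return -1;
    return e.code[8];                        /* the jne's rel8 follows the 7-byte test */
}

int main(void) {
    printf("rel8 = 0x%02X\n", build_reentrancy_stub(0x1000, 0x2000, 0));   /* 0x0F, as in the issue */
    printf("padded: %d\n", build_reentrancy_stub(0x1000, 0x2000, 120));   /* -1: exceeds rel8 */
    return 0;
}
```

With no padding the skipped sequence is pop rdx (1) + jmp [rip] (6) + address (8) = 15 bytes, so the jne gets 0x0F; a resolver like this would have produced the right value for the DisallowReentrancy variant too, instead of a second hand-maintained constant.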
Build.bat doesn't include rules for building vs 2017.
Suppose the target exe looks like this:
using System;
using System.Threading;

namespace Target {
    class Target {
        static void Main(string[] args) {
            while (true) {
                Console.WriteLine("NOT HOOKED");
                Thread.Sleep(1000);
            }
        }
    }
}
What I want to do is to hook the Console.WriteLine method right before the target has any chance to run its Main method, so I tried to open the process with the HookLib.ProcessCreationFlags.CREATE_SUSPENDED flag:
HookLib.ProcessInfo pi = cHook.CreateProcess(targetPath, "", null, null, false, HookLib.ProcessCreationFlags.CREATE_SUSPENDED, null, null, si);
Then I injected my C++ DLL which would load my C# DLL:
cHook.InjectDll(pi.procId, injecteePath, "ImplantDotNetAssembly", 0);
HRESULT __stdcall ImplantDotNetAssembly() {
    //...
    CLRCreateInstance(CLSID_CLRMetaHost, IID_PPV_ARGS(&metaHost));
    metaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(&runtimeInfo));
    runtimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_PPV_ARGS(&runtimeHost));
    runtimeHost->Start();
    runtimeHost->ExecuteInDefaultAppDomain(
        L"Managed DLL.dll", // my C# DLL
        L"MyCode.Program",
        L"AddHandler",
        L"No need",
        &returnValue);
    return S_OK;
}
In my C# DLL, the code looks like this:
using System;

namespace MyCode {
    public class Program {
        public static int AddHandler(string arg) {
            HookLib cHook = new HookLib();
            Console.WriteLine("Hook WriteLine");
            // The detour method Hooked_WriteLine is declared in this class.
            var o = cHook.Hook(typeof(Console), "WriteLine", new Type[] { typeof(string) },
                               typeof(Program), "Hooked_WriteLine", new Type[] { typeof(string) });
            return 1;
        }
        public static void Hooked_WriteLine(string value) {
            Console.WriteLine("HOOKED!");
        }
    }
}
But every time I run it, when I resume the target process, it just crashes with an error: "CLR error: 80004005. The program will now terminate."
So is there a way to suspend it at its Main method?
Folder empty here:
NktHookLib\src\libudis86\source
About to check the development branch now. Development branch is very old
The BuildNtSysCalls function does not work on Windows 10 (14393): HRESULT_FROM_WIN32(NktHookLibHelpers::BuildNtSysCalls(...)) returns "31 - HRESULT_FROM_WIN32(ERROR_GEN_FAILURE) : A device attached to the system is not functioning".
Hi! I'm having problems injecting a 32-bit DLL into a 32-bit C# app.
Symptoms are as follows:
It looks like it's fairly easy to repro: I just did a test by creating an empty C# console app which sleeps for a few seconds, and my simple test DLL fails to start.
Let me know if I'm doing anything stupid, or if you need more information.
Thanks!
Simon
1>..\Lib\libudis86\amalgamation.c(33): fatal error C1083: Cannot open include file: 'source\libudis86\decode.h': No such file or directory
Using VS2010.
Can you give some examples?
If I do a git clone of the repository, the project structure does not seem to match the code.
Looking just at NktHookLib to be built, I get:
1>..\Lib\libudis86\amalgamation.c(33): fatal error C1083: Cannot open include file: 'source\libudis86\decode.h': No such file or directory
amalgamation.c has includes of:
#include "stdint.h"
#include "source\libudis86\decode.h"
#include "source\libudis86\extern.h"
And the path source\libudis86\ does not exist.
Here is how the hierarchy looks:
Decode.h is under tables, not source, and in any case is under `libudis86`, not above it.
Visual Studio 2013.
I'm sure I can get it building, I just figured you might want to know.
Sorry for my English; I cannot clearly understand the difference between
Deviare2 and Deviare-InProc.
I am a C# developer and want to hook managed and unmanaged DLLs. Which one should I use, or can they both do it?
Hi all,
I just downloaded the ZIP, unpacked it into an empty dir, loaded Src\Vs2012\NktHookLib.sln into the IDE, and started compilation. The file amalgamation.c contains the following includes, which are all not included in the ZIP (neither in the given paths, nor anywhere else):
I also tried the build.bat in the src directory, which gave the same result:
d:\Programme\ExtC\DeviareInProc\Src>build /MSVCVERSION 2012
Microsoft (R) Microsoft Visual Studio 2012 Version 11.0.60610.1.
Copyright (C) Microsoft Corp. All rights reserved.
1>------ Rebuild All started: Project: NktHookLib, Configuration: Debug Win32 ------
1> Compiling assembler code...
1> Assembling: d:\Programme\ExtC\DeviareInProc\Src\Lib\Asm\Helpers_x86.asm
1> Compiling assembler code...
1> Assembling: d:\Programme\ExtC\DeviareInProc\Src\Lib\Asm\RelocatableCode_x86.asm
1> Done!
1> WaitableObjects.cpp
1> ThreadSuspend.cpp
1> ProcessInjection.cpp
1> ProcessEntry.cpp
1> NtSysCallGen.cpp
1> NktHookLibHelpers.cpp
1> NktHookLib.cpp
1> HookEntry.cpp
1> DynamicNtApi.cpp
1> DynamicApiFinder.cpp
1> Generating Code...
1> amalgamation.c
1>d:\programme\extc\deviareinproc\src\lib\libudis86\tables\decode.h(1): fatal error C1083: Cannot open include file: '../source/libudis86/decode.h': No such file or directory
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========
Errors detected while compiling project
Looks like I'm missing something, but I have no idea what to do about these missing files. Any help is highly appreciated.
Please see:
bo3b/3Dmigoto#87
In this specific case, the JNE instruction is moved into the stub, and is not fixed there, which means it's a relative jne to nowhere.
Tested in top-of-tree, and bug still exists.
Hi, I have compiled the latest source code from Git.
I have tested the new updates for injection. I use Visual Studio 2015.
In release mode it works fine. This error is for the NktHookLibHelpers::CreateProcessWithDllW API.
I have compiled the sample code in debug mode for x32. When trying to do the injection I got the following error:
Debug Assertion Failed!
Program: C:\InjectDll.exe
File: minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp
Line: 888
Expression: _CrtIsValidHeapPointer(block)
For information on how your program can cause an assertion
failure, see the Visual C++ documentation on asserts.
(Press Retry to debug the application)
Regards.
I'm getting a crash while hooking the nvapi function. It looks to me like In-Proc is not updating the relative addressing for the 'test' opcode using the RIP register.
I'm using the latest version of the In-Proc code, cloned and built successfully.
Here is the original nvapi_QueryInterface function from nvapi64.dll.
00007FFD6C855E00 sub rsp,28h
00007FFD6C855E04 test byte ptr [7FFD6CC52488h],4
00007FFD6C855E0B mov r9d,ecx
00007FFD6C855E0E jne 00007FFD6C855E20
00007FFD6C855E10 cmp ecx,33C7358Ch
...
After hooking, we get the debug output from In-Proc:
NktHookLib: Disassembly 0x7FFD6C855E00 -> sub rsp, 0x28
NktHookLib: Disassembly 0x7FFD6C855E04 -> test byte [rip+0x3fc67d], 0x4
NktHookLib: Hook installed. Proc @ 0x7FFD6C855E00 -> 0x7FFD53D19C50 (Stub @ 0x7FFD2C850000)
The test byte ptr [7FFD6CC52488h],4 is using relative addressing off the RIP register. This is shown in the In-Proc disassembly, although the syntax is slightly different in the VS disassembly.
The function address then looks like (disassembly slightly off after jmp):
00007FFD6C855E00 jmp 00007FFD2C850000
00007FFD6C855E05 add eax,3FC67Dh
00007FFD6C855E0A add al,44h
00007FFD6C855E0C mov ecx,ecx
00007FFD6C855E0E jne 00007FFD6C855E20
00007FFD6C855E10 cmp ecx,33C7358Ch
00007FFD6C855E16 je 00007FFD6C855E7E
The trampoline function:
00007FFD2C850000 nop
00007FFD2C850001 nop
00007FFD2C850002 nop
00007FFD2C850003 nop
00007FFD2C850004 nop
00007FFD2C850005 nop
00007FFD2C850006 nop
00007FFD2C850007 nop
00007FFD2C850008 push rdx
00007FFD2C850009 mov rdx,7FFD2C860000h
00007FFD2C850013 test qword ptr [rdx],101h
00007FFD2C85001A jne 00007FFD2C85002B
00007FFD2C85001C pop rdx
00007FFD2C85001D jmp qword ptr [7FFD2C850023h]
00007FFD2C850023 push rax
00007FFD2C850024 pushfq
00007FFD2C850025 rcl dword ptr [rbx-3],1
00007FFD2C850028 jg 00007FFD2C85002A
00007FFD2C85002A add byte ptr [rax],al
00007FFD2C85002C sub rsp,28h <---- original function start
00007FFD2C850030 test byte ptr [7FFD2CC4C6B4h],4 <----- Bad instruction ** crash
00007FFD2C850037 jmp qword ptr [7FFD2C85003Dh]
00007FFD2C85003D or ebx,dword ptr [rsi-7Bh]
00007FFD2C850040 ins byte ptr [rdi],dx
00007FFD2C850041 std
00007FFD2C850042 jg 00007FFD2C850044
00007FFD2C850044 add byte ptr [rax],al
00007FFD2C850046 add byte ptr [rax],al
The newly hooked destination function:
void* __cdecl Hooked_nvapi_QueryInterface(
UINT32 offset)
{
00007FFD48E59BB0 mov dword ptr [rsp+8],ecx
00007FFD48E59BB4 push rdi
00007FFD48E59BB5 sub rsp,30h
00007FFD48E59BB9 mov rdi,rsp
00007FFD48E59BBC mov ecx,0Ch
00007FFD48E59BC1 mov eax,0CCCCCCCCh
00007FFD48E59BC6 rep stos dword ptr [rdi]
00007FFD48E59BC8 mov ecx,dword ptr [offset]
00007FFD48E59BCC lea rcx,[__40B02ED0_inproc_dx11@cpp (07FFD48EA8071h)]
00007FFD48E59BD3 call __CheckForDebuggerJustMyCode (07FFD48E6C9C0h)
void* ptr = pOrignvapi_QueryInterface(offset);
00007FFD48E59BD8 mov ecx,dword ptr [offset]
00007FFD48E59BDC call qword ptr [pOrignvapi_QueryInterface (07FFD48E9E000h)]
00007FFD48E59BE2 mov qword ptr [ptr],rax
return ptr;
00007FFD48E59BE7 mov rax,qword ptr [ptr]
}
00007FFD48E59BEC add rsp,30h
00007FFD48E59BF0 pop rdi
00007FFD48E59BF1 ret
Minimized Cpp code implementing hook:
#include <Windows.h>
#include "NktHookLib.h"

CNktHookLib nktInProc;   // hook engine instance used below

void* (__cdecl *pOrignvapi_QueryInterface)(
    UINT32 offset
) = nullptr;

void* __cdecl Hooked_nvapi_QueryInterface(
    UINT32 offset)
{
    void* ptr = pOrignvapi_QueryInterface(offset);
    return ptr;
}

void HookNvapiQueryInterface()
{
    HMODULE hNvapi = LoadLibrary(L"nvapi64.dll");
    FARPROC pQueryInterface = GetProcAddress(hNvapi, "nvapi_QueryInterface");
    nktInProc.SetEnableDebugOutput(TRUE);
    SIZE_T hook_id;
    DWORD dwOsErr = nktInProc.Hook(&hook_id, (void**)&pOrignvapi_QueryInterface,
                                   pQueryInterface, Hooked_nvapi_QueryInterface, 0);
}
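Added example (not code from this issue, the 3Dmigoto report above, or NktHookLib), serving both reports: the jne moved into the stub without being fixed up, and the RIP-relative test copied into the trampoline with its disp32 untouched. Both are the same defect, a displacement that is relative to the instruction's own address and therefore has to be recomputed when the instruction is moved. The snippet below does that recomputation and applies it to the bytes quoted in this issue (F6 05 7D C6 3F 00 04, i.e. test byte ptr [rip+3FC67Dh],4 at 0x7FFD6C855E04, copied to 0x7FFD2C850030). It also shows the failure mode for a rel8 jcc: when the move is more than 127 bytes the displacement cannot be fixed in place and the instruction must be widened to the rel32 form. The jne addresses in the second case are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t bytes[15];
    size_t  len;        /* total instruction length */
    size_t  disp_off;   /* offset of the displacement field inside bytes[] */
    size_t  disp_size;  /* 1 for rel8, 4 for disp32/rel32 */
} reloc_insn;

/* Little-endian host assumed. */
static int64_t read_disp(const reloc_insn *in) {
    if (in->disp_size == 1) return (int8_t)in->bytes[in->disp_off];
    int32_t d;
    memcpy(&d, in->bytes + in->disp_off, 4);
    return d;
}

/* Absolute address the displacement refers to when the instruction sits at `at`. */
static uint64_t rip_target(const reloc_insn *in, uint64_t at) {
    return at + in->len + (uint64_t)read_disp(in);
}

/*
 * Rewrites the displacement so the instruction still refers to the same absolute
 * address after being copied to new_addr. Returns 0 on success, -1 when the new
 * displacement does not fit the field: a rel8 jcc that must be widened to rel32,
 * or, for disp32, a trampoline farther than +/-2 GiB from the operand.
 */
static int relocate_rip_relative(reloc_insn *in, uint64_t old_addr, uint64_t new_addr) {
    uint64_t target   = rip_target(in, old_addr);
    int64_t  new_disp = (int64_t)(target - (new_addr + in->len));
    if (in->disp_size == 1) {
        if (new_disp < -128 || new_disp > 127) return -1;
        in->bytes[in->disp_off] = (uint8_t)(int8_t)new_disp;
        return 0;
    }
    if (new_disp < INT32_MIN || new_disp > INT32_MAX) return -1;
    int32_t d = (int32_t)new_disp;
    memcpy(in->bytes + in->disp_off, &d, 4);
    return 0;
}

/* The issue's test instruction, copied to the trampoline address; returns the new disp32. */
static uint32_t relocated_test_disp32(void) {
    reloc_insn in = { { 0xF6, 0x05, 0x7D, 0xC6, 0x3F, 0x00, 0x04 }, 7, 2, 4 };
    const uint64_t old_addr = 0x7FFD6C855E04ULL;  /* nvapi_QueryInterface+4 in the issue */
    const uint64_t new_addr = 0x7FFD2C850030ULL;  /* where the stub placed the copy */
    if (relocate_rip_relative(&in, old_addr, new_addr) != 0) return 0;
    if (rip_target(&in, new_addr) != 0x7FFD6CC52488ULL) return 0; /* operand must be unchanged */
    return (uint32_t)read_disp(&in);
}

/* A two-byte "jne +6" (75 06) moved from old_addr to new_addr; -1 if rel8 cannot hold it. */
static int relocated_jne_rel8(uint64_t old_addr, uint64_t new_addr) {
    reloc_insn in = { { 0x75, 0x06 }, 2, 1, 1 };
    if (relocate_rip_relative(&in, old_addr, new_addr) != 0) return -1;
    return (int8_t)in.bytes[1];
}

int main(void) {
    printf("test byte [rip+disp32],4 -> disp32 = 0x%08X\n", relocated_test_disp32());    /* 0x40402451 */
    printf("jne moved +3 bytes -> rel8 = %d\n", relocated_jne_rel8(0x1000, 0x1003));       /* 3 */
    printf("jne moved 4 KiB -> %d (needs rel32)\n", relocated_jne_rel8(0x1000, 0x2000));   /* -1 */
    return 0;
}
```

Leaving the displacement as copied is exactly what produced the bad operand in the trampoline above: 0x7FFD2C850037 + 0x3FC67D = 0x7FFD2CC4C6B4, the address shown at the crashing instruction, instead of the flag byte at 0x7FFD6CC52488. A relocating copier has to decode the ModRM (mod=00, rm=101 selects RIP-relative on x64) for every instruction it moves, and fall back to a rel32 or an absolute form when the fixed-up displacement does not fit.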
Hi folks,
After trying deviare-inproc, I find it does not work when I use LPHOOK_INFO aHookInfo[] instead of HOOK_INFO aHookInfo[].
And I guess the issue is because of the following line: in CNktHookLib::EnableHook, we should call EnableHookCommon with INTERNALFLAG_HookInfoArrayIsPtr instead of INTERNALFLAG_CallToOriginalIsPtr2Ptr.
Deviare-InProc/NktHookLib/Src/NktHookLib.cpp
Lines 377 to 382 in e88b91a
Thanks