detours.net

detours.net uses the CLR as its hooking engine. It is based on the Detours project from Microsoft and on the CLR's ability to generate a transition stub so that a managed function can be called from unmanaged code.

detours.net is as simple to use as the DllImport attribute.

How to build it?

git clone https://github.com/citronneur/detours.net
mkdir build
cd build
cmake -G "Visual Studio 15 2017 Win64" ..\detours.net

Build the solution with Visual Studio. This produces four main binaries:

  • DetoursNetRuntime.exe, the launcher
  • DetoursNetCLR.dll, the loader
  • DetoursNet.dll, the interface
  • DetoursDll.dll, the hooker

How to hook a native function from managed code?

In this example, we want to log the GUIDs of all COM objects used by an application, using the powerful .NET API from a console application. To do so, we create a C# DLL project in Visual Studio named myplugin, linked against the DetoursNet.dll assembly.

Then you have to tell detours.net where the original method is and how to call it. Declare a delegate that matches the signature of your target method, then declare the associated hook like this:

using System;
using System.Reflection;
using DetoursNet; // namespace of the DetoursNet.dll assembly

namespace myplugin
{
    public static class Logger
    {
        // Declare a delegate matching the native signature of CoCreateInstance
        public delegate int CoCreateInstanceDelegate(
            Guid rclsid, IntPtr pUnkOuter,
            int dwClsContext, Guid riid, ref IntPtr ppv
        );

        // And now declare your hook: the module that exports the function, and the delegate type
        [Detours("ole32.dll", typeof(CoCreateInstanceDelegate))]
        public static int CoCreateInstance(
            Guid rclsid, IntPtr pUnkOuter,
            int dwClsContext, Guid riid, ref IntPtr ppv
        )
        {
            // Call the real function through the pointer the runtime saved before hooking
            int result = ((CoCreateInstanceDelegate)DelegateStore.GetReal(MethodInfo.GetCurrentMethod()))(
                rclsid, pUnkOuter, dwClsContext, riid, ref ppv);

            // Log the CLSID, the IID and the HRESULT in hex
            Console.WriteLine(" {" + rclsid.ToString() + "} {" + riid.ToString() + "} " + result.ToString("x"));

            return result;
        }
    }
}

That's all. Build your assembly myplugin.dll and run it with DetoursNetRuntime.exe:

.\DetoursNetRuntime myplugin.dll c:\windows\notepad.exe
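A second hook written in the same style, added here as an example and not code taken from the detours.net repository: it logs every CreateFileW call that requests write access, the kind of visibility the procmon plugin listed later aims at. It uses only the API shown above (the Detours attribute and DelegateStore.GetReal). The `using DetoursNet` line assumes that is the namespace of the DetoursNet.dll assembly; the class name FileLogger, the caching of the real pointer and the write-only filter are this example's own choices; kernel32.dll and CreateFileW are the real Win32 module and function.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using DetoursNet; // namespace of the DetoursNet.dll assembly (assumed)

namespace myplugin
{
    public static class FileLogger
    {
        // Native signature of kernel32!CreateFileW. SetLastError = true makes
        // Marshal.GetLastWin32Error() valid right after the call returns.
        [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
        public delegate IntPtr CreateFileWDelegate(
            [MarshalAs(UnmanagedType.LPWStr)] string lpFileName,
            uint dwDesiredAccess,
            uint dwShareMode,
            IntPtr lpSecurityAttributes,
            uint dwCreationDisposition,
            uint dwFlagsAndAttributes,
            IntPtr hTemplateFile
        );

        // Real function pointer, resolved on first use and cached: GetReal is a
        // lookup keyed on the hook's MethodInfo, and CreateFileW is called very often.
        private static CreateFileWDelegate _real;

        private const uint GENERIC_WRITE = 0x40000000;
        private static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

        [Detours("kernel32.dll", typeof(CreateFileWDelegate))]
        public static IntPtr CreateFileW(
            string lpFileName, uint dwDesiredAccess, uint dwShareMode,
            IntPtr lpSecurityAttributes, uint dwCreationDisposition,
            uint dwFlagsAndAttributes, IntPtr hTemplateFile)
        {
            if (_real == null)
            {
                _real = (CreateFileWDelegate)DelegateStore.GetReal(MethodInfo.GetCurrentMethod());
            }

            // Always forward to the real function first so the target's behaviour is unchanged.
            IntPtr handle = _real(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                                  dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);

            // Read the error code before any other call can overwrite it.
            int lastError = handle == INVALID_HANDLE_VALUE ? Marshal.GetLastWin32Error() : 0;

            // Only write accesses are logged; reads of DLLs and resources are mostly noise.
            if ((dwDesiredAccess & GENERIC_WRITE) != 0)
            {
                string outcome = handle == INVALID_HANDLE_VALUE
                    ? "failed, error=" + lastError
                    : "handle=0x" + handle.ToInt64().ToString("x");

                // Safe to call from inside the hook: the runtime hands the CLR's own P/Invokes
                // the real function pointers, so the console's native calls do not re-enter this hook.
                Console.WriteLine("CreateFileW(write) " + (lpFileName ?? "<null>") + " -> " + outcome);
            }

            return handle;
        }
    }
}
```

Build it into myplugin.dll and launch it exactly as above. Forwarding to the real function before logging keeps the target's semantics intact, and reading the error code immediately after the call is what makes the failure line trustworthy.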

How does it work?

detours.net is split into three parts:

DetoursNetRuntime.exe

detours.net is based on the Detours project from Microsoft, which is mostly used for API hooking. It creates the target process in suspended mode, then rewrites the Import Address Table (IAT) so that a new module is inserted in first place. This implies that the DllMain of this module is executed before any other code in your application. This is done by DetoursNetRuntime.exe, which can be seen as a launcher for your targeted program that injects a special DLL called DetoursNetCLR.dll, described in the next chapter.

DetoursNetCLR.dll

DetoursNetCLR.dll is in charge of loading the CLR (Common Language Runtime) and the DetoursNet.dll assembly into the current process. To do that we use CLR hosting through COM. As seen in the last chapter, the DllMain function of DetoursNetCLR.dll is the first code to run in your target process. But it is forbidden to initialize the CLR from DllMain because of the loader lock, a special lock held by the loader to protect the module list while the process is loading. To work around this issue, we use the original Detours library to hook the entry point of the target process and load the CLR from the new main function.

To sandbox the CLR and avoid infinite loops when a hook itself ends up calling a hooked function, we use IAT (un)hooking on the clr.dll module. First of all, we cache the real function pointers; then we hook the GetProcAddress function. In most cases the CLR uses P/Invoke to call native APIs, mostly from mscorlib, and P/Invoke internally uses GetProcAddress to resolve the API. When the CLR calls GetProcAddress to retrieve a native API, we check whether it is a hooked function and, if so, we return the real pointer. Without this, a hook that writes to the console would re-enter itself as soon as the console's own native calls reached a hooked function.

DetoursNet.dll

DetoursNet.dll has two main roles. On one side it is used by the plugin developer, firstly to mark hook functions with attributes and secondly to retrieve the real address of a hooked method. On the other side it is used by the runtime to load the plugin assembly and find all methods to hook, thanks to the attributes provided by the plugin developer.

Plugins

Plugins are hooking DLLs written for a particular purpose and provided by the community. All plugins are available under the plugin directory:

  • procmon logs a large number of Windows native APIs
  • proxysocks makes any Windows application using sockets pass through a SOCKS proxy
