#2
I did that for a .NET app several months ago.

There may be some mature .NET hooking lib which can do this. Here is my way of loading-and-doing-native-hooking for a .NET app. I call it the debugger-way. Use the Win32 debug API to launch the .NET exe and monitor for the following events:

1. DLL loading event for mscoree.dll. When hit, patch the mscoree.dll entrypoint with "int 3" (sure, you can use a hardware breakpoint instead).
2. Breakpoint event for the above address. When hit, do remote injection (allocating remote memory, prepare some place-independent shellcode and write it to the allocated remote memory, use SetThreadContext to change EIP/RIP to the shellcode). The shellcode has the info (prepared by the debugger process) to restore the "int 3" of mscoree.dll and jump to the entrypoint of mscoree.dll after loading your own DLL (for your hooking).

The main difference between "native hooking of a .NET app" and "hooking of a native app" is that the entrypoint of a .NET exe is never executed on new Windows OSes. It's just a fake entrypoint. The actual entrypoint is in mscoree.dll.
__________________
AKA Solomon/blowfish.
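An added illustration, not part of the post above: a managed image can be recognised from its PE headers by a non-empty CLR runtime header entry (data directory index 14), which tells you in advance that `AddressOfEntryPoint` is the stub the post calls a fake entrypoint. The names `inspect_pe` and `build_sample` are hypothetical, and the sample headers are constructed for the demo rather than taken from a real executable.

```python
import struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)

def inspect_pe(data: bytes) -> dict:
    """Return the entry-point RVA and CLR header directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    dirs = opt + (96 if magic == 0x10B else 112) # start of the data directory array
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if count > CLR_DIR_INDEX:                    # truncated directory arrays have no CLR slot
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR_INDEX)
    return {"pe32_plus": magic == 0x20B, "entry_rva": entry_rva,
            "clr_rva": clr_rva, "clr_size": clr_size,
            "managed": clr_rva != 0 and clr_size != 0}

def build_sample(magic: int, entry_rva: int, clr=(0, 0), ndirs=16) -> bytes:
    """Constructed header-only image for the demo (not a loadable executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    fixed = 96 if magic == 0x10B else 112
    opt = bytearray(fixed + 8 * ndirs)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, fixed - 4, ndirs)
    if ndirs > CLR_DIR_INDEX:
        struct.pack_into("<II", opt, fixed + 8 * CLR_DIR_INDEX, *clr)
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(inspect_pe(build_sample(0x10B, 0x2A5E, clr=(0x2008, 0x48))))  # constructed managed header
    print(inspect_pe(build_sample(0x20B, 0x1000)))                      # constructed native header
```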