The Hack o blog

Reinventing the wheel

EasyHook – The reinvention of Windows API Hooking

http://easyhook.codeplex.com/

Project Description
EasyHook starts where Microsoft Detours ends.
This project supports extending (hooking) unmanaged code (APIs) with pure managed ones, from within a fully managed environment like C#, using Windows 2000 SP4 and later, including Windows XP x64, Windows Vista x64 and Windows Server 2008 x64. 32- and 64-bit kernel mode hooking is supported as well, as is an unmanaged user-mode API which allows you to hook targets without requiring a .NET Framework on the customer's PC. An experimental stealth injection hides hooking from most of the current AV software.

The following is an incomplete list of features:

  • A so-called “Thread Deadlock Barrier” will get rid of many core problems when hooking unknown APIs; this technology is unique to EasyHook
  • You can write managed hook handlers for unmanaged APIs
  • You can use all the convenience managed code provides, like .NET Remoting, WPF and WCF for example
  • A documented, pure unmanaged hooking API
  • Support for 32- and 64-bit kernel mode hooking (also check out my PatchGuard 3 bypass driver which can be found in the release list)
  • No resource or memory leaks are left in the target
  • Experimental stealth injection mechanism that won’t raise attention of any current AV Software
  • EasyHook32.dll and EasyHook64.dll are pure unmanaged modules and can be used without any .NET Framework installed!
  • All hooks are installed and automatically removed in a stable manner
  • Support for Windows Vista SP1 x64 and Windows Server 2008 SP1 x64 by utilizing totally undocumented APIs, to still allow hooking into any terminal session.
  • Managed/Unmanaged module stack trace inside a hook handler
  • Get calling managed/unmanaged module inside a hook handler
  • Create custom stack traces inside a hook handler
  • You will be able to write injection libraries and host processes compiled for AnyCPU, which will allow you to inject your code into 32- and 64-Bit processes from 64- and 32-Bit processes by using the very same assembly in all cases.
  • EasyHook supports RIP-relative addressing relocation for 64-Bit targets.
  • No unpacking/installation necessary.
  • The Visual Studio Redistributable is not required.

The library is now about to enter its stable state.
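To show what the "managed hook handler for an unmanaged API" feature looks like in practice, here is an added example in C# that is not part of the EasyHook project's own code: it hooks kernel32!CreateFileW inside the current process and logs each path opened, the in-process cousin of the ProcessMonitor demo. It assumes the managed EasyHook.dll is referenced, and the calls used (LocalHook.Create, LocalHook.GetProcAddress, ThreadACL.SetInclusiveACL, LocalHook.Release) are written from memory of the EasyHook 2.x API and should be checked against the version you build with.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using EasyHook;

// Logs every CreateFileW call made by the current thread, the way the
// ProcessMonitor demo does for a remote process. Assumes EasyHook.dll is referenced.
class CreateFileMonitor
{
    // Delegate signature of kernel32!CreateFileW. Calling convention and character
    // set must match the native API exactly, or the stack is corrupted on return.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate IntPtr CreateFileWDelegate(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    // The real import, used to forward the call. Calling a hooked API from inside
    // its own handler is passed straight through (the "Thread Deadlock Barrier").
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateFileW(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    // Managed hook handler; runs on the thread that called CreateFileW.
    static IntPtr CreateFileWHook(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile)
    {
        Console.WriteLine("CreateFileW(\"{0}\", access=0x{1:X})", fileName, desiredAccess);
        return CreateFileW(fileName, desiredAccess, shareMode, securityAttributes,
            creationDisposition, flagsAndAttributes, templateFile);
    }

    static void Main()
    {
        LocalHook hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
            new CreateFileWDelegate(CreateFileWHook),
            null);
        // Assumption: a new hook intercepts no thread until an ACL is set, and
        // thread id 0 means "the current thread", so only this thread is logged.
        hook.ThreadACL.SetInclusiveACL(new int[] { 0 });

        // Managed file I/O on this thread ends up in kernel32!CreateFileW.
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "hello");
        File.Delete(path);

        // Uninstall cleanly; the library promises no leftovers in the target.
        hook.Dispose();
        LocalHook.Release();
    }
}
```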

The following is a screenshot of the ProcessMonitor-Demo:

[Screenshot: ProcessMonitor-Demo]
