Reinventing the wheel
EasyHook – The reinvention of Windows API Hooking
EasyHook starts where Microsoft Detours ends.
This project supports extending (hooking) unmanaged code (APIs) with pure managed handlers, from within a fully managed environment like C#, on Windows 2000 SP4 and later, including Windows XP x64, Windows Vista x64 and Windows Server 2008 x64. 32- and 64-bit kernel-mode hooking is also supported, as is an unmanaged user-mode API that lets you hook targets without requiring a .NET Framework on the customer's PC. An experimental stealth injection hides hooking from most of the current AV software.
The following is an incomplete list of features:
- A so-called “Thread Deadlock Barrier” removes many core problems when hooking unknown APIs; this technology is unique to EasyHook
- You can write managed hook handlers for unmanaged APIs
- You can use all the convenience managed code provides, such as .NET Remoting, WPF and WCF
- A documented, pure unmanaged hooking API
- Support for 32- and 64-bit kernel mode hooking (also check out my PatchGuard 3 bypass driver which can be found in the release list)
- No resource or memory leaks are left in the target
- Experimental stealth injection mechanism that won’t raise attention of any current AV Software
- EasyHook32.dll and EasyHook64.dll are pure unmanaged modules and can be used without any .NET Framework installed!
- All hooks are installed and automatically removed in a stable manner
- Support for Windows Vista SP1 x64 and Windows Server 2008 SP1 x64 by utilizing totally undocumented APIs, to still allow hooking into any terminal session.
- Managed/Unmanaged module stack trace inside a hook handler
- Get calling managed/unmanaged module inside a hook handler
- Create custom stack traces inside a hook handler
- You will be able to write injection libraries and host processes compiled for AnyCPU, which allows you to inject your code into 32- and 64-bit processes from 64- and 32-bit processes using the very same assembly in all cases.
- EasyHook supports RIP-relative addressing relocation for 64-bit targets.
- No unpacking/installation necessary.
- The Visual Studio Redistributable is not required.
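The managed-handler and deadlock-barrier features above, as an added example that is not code from the EasyHook project or from this page: a self-contained C# console program hooks kernel32!CreateFileW in its own process and records every file it opens, in the style of a file monitor. It assumes the EasyHook managed assembly is referenced and uses its `LocalHook`, `LocalHook.GetProcAddress` and `ThreadACL.SetInclusiveACL` API names.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.InteropServices;
using EasyHook;

// Added example (not part of the EasyHook page or its demos): hook kernel32!CreateFileW
// inside the current process with a managed handler and log every file opened.
class CreateFileLogger
{
    // Delegate matching CreateFileW so EasyHook can call back into managed code.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate IntPtr DCreateFile(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    // P/Invoke to the hooked API. While a thread is inside a handler, EasyHook's deadlock
    // barrier routes this call to the original function, so the handler does not recurse.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateFileW(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    static readonly List<string> opened = new List<string>();

    static IntPtr CreateFileHandler(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile)
    {
        lock (opened) opened.Add(fileName);          // observe only; arguments are passed through unchanged
        return CreateFileW(fileName, desiredAccess, shareMode,
            securityAttributes, creationDisposition, flagsAndAttributes, templateFile);
    }

    static void Main()
    {
        string probe = Path.GetTempFileName();       // constructed sample input
        // Install the hook; LocalHook keeps the delegate alive for the hook's lifetime.
        using (LocalHook hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
            new DCreateFile(CreateFileHandler), null))
        {
            // Inclusive ACL: only the listed threads are intercepted; 0 means the current thread.
            hook.ThreadACL.SetInclusiveACL(new int[] { 0 });
            File.ReadAllText(probe);                 // this open goes through CreateFileW and is logged
        }
        // Disposing the LocalHook removes the patch, so this open is no longer logged.
        File.ReadAllText(probe);
        File.Delete(probe);
        foreach (string f in opened) Console.WriteLine("CreateFileW: " + f);
    }
}
```

Because the ACL restricts interception to the calling thread, file opens made by other runtime threads during the hooked region are not recorded; widen the ACL only if that is what you want to observe.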
The library is now about to enter its stable state.
The following is a screenshot of the ProcessMonitor-Demo: