C# DLL Injecting/Hooking ?

[phize]

Quote:

Originally Posted by Fehmt

Sorry for bumping the topic, but I cant find "WinHookManager" class. Even google can't find it

If you had looked through the code you would notice that it's just a class he uses for storing/managing hooks. Just write your own.

[perfect0]

how to find SendPacket and RecvPacketAddress

[Thexunknown]

can you upload the entire project :/ ? i didn't quite understand

[Forced1988]

Bit late to the party,
But im trying to get this semi working for some packet inspecting.

PHP Code:

Address   Hex dump          Command                                  Comments
007633EA  /$ /56            PUSH ESI                                 ; Conquer.007633EA(guessed void)
007633EB  |. |8BF1          MOV ESI,ECX
007633ED  |. |E8 7B5ED6FF   CALL 004C926D                            ; [Conquer.004C926D
007633F2  |. |68 4C040000   PUSH 44C                                 ; /Arg1 = 44C
007633F7  |. |8BC8          MOV ECX,EAX                              ; |
007633F9  |. |E8 E8FAE6FF   CALL 005D2EE6                            ; \Conquer.005D2EE6
007633FE  |. |84C0          TEST AL,AL
00763400  |. |75 34         JNZ SHORT 00763436
00763402  |. |E8 2C21E2FF   CALL 00585533                            ; [Conquer.00585533
00763407  |. |0FB74E 06     MOVZX ECX,WORD PTR DS:[ESI+6]
0076340B  |. |51            PUSH ECX                                 ; /Arg1
0076340C  |. |8BC8          MOV ECX,EAX                              ; |
0076340E  |. |E8 D0AFF0FF   CALL 0066E3E3                            ; \Conquer.0066E3E3
00763413  |. |E8 1E25EBFF   CALL 00615936
00763418  |. |0FB74E 06     MOVZX ECX,WORD PTR DS:[ESI+6]
0076341C  |. |51            PUSH ECX                                 ; /Arg1
0076341D  |. |8BC8          MOV ECX,EAX                              ; |
0076341F  |. |E8 4857F5FF   CALL 006B8B6C                            ; \Conquer.006B8B6C
00763424  |. |8D46 04       LEA EAX,[ESI+4]
00763427  |. |0FB708        MOVZX ECX,WORD PTR DS:[EAX]
0076342A  |. |51            PUSH ECX                                 ; /Arg2
0076342B  |. |50            PUSH EAX                                 ; |Arg1
0076342C  |. |B9 386BA500   MOV ECX,OFFSET 00A56B38                  ; |PTR to ASCII "$.v"
00763431  |. |E8 2DFFFFFF   CALL 00763363                            ; \Conquer.00763363
00763436  |> |5E            POP ESI
00763437  \. |C3            RETN 


Using OllyDbg i found this function.

Now "Correct me if im wrong" the function we are trying to detour is the call @ 00763431.

Then why does the detour init replace it with 0x68 (Push ???) and a pointer to the C# function and returns after it (0xC3)

PHP Code:

public DetourHook(Delegate targetFunc, Delegate hookFunc)
        {
            this.TargetPtr = Marshal.GetFunctionPointerForDelegate(targetFunc);
            this.TargetFunc = targetFunc;
            this.HookPtr = Marshal.GetFunctionPointerForDelegate(hookFunc);

            originalBytes = new byte[6];
            Marshal.Copy(TargetPtr, originalBytes, 0, 6);

            var hookPointerBytes = BitConverter.GetBytes(HookPtr.ToInt32());
            //newBytes = new byte[] { 0x68, hookPointerBytes[0], hookPointerBytes[1], hookPointerBytes[2], hookPointerBytes[3], 0xC3 };
            newBytes = new byte[] { 0x68, hookPointerBytes[0], hookPointerBytes[1], hookPointerBytes[2], hookPointerBytes[3], 0xC3 };
        } 


[KraHen]

Quote:

Originally Posted by Forced1988

Bit late to the party,
...
Then why does the detour init replace it with 0x68 (Push ???) and a pointer to the C# function and returns after it (0xC3)
...

JMP replaces the call itself, since we do not want to return to the original call (hence why we use JMP). RETN on the other hand is needed to return from the outer function (2 lines before the call). Make sure to be aware of what happens with the stack/stackframe, since this RETN won't clean it up afterwards.