Chinese translation - EasyHook: The reinvention of Windows API hooking

2026/4/24 20:00:05

2.1 Global Assembly Cache

Currently EasyHook expects every injected assembly, including all of its dependencies, to be in the Global Assembly Cache (GAC). This is because the CLR only searches for assemblies in directories relative to the current application base directory and in the GAC, so a target process normally has no access to EasyHook or to your injected library. EasyHook uses a reference counter so that multiple registrations of the same assemblies from different applications can be managed. The following registers all EasyHook components and the two user assemblies required for injection in the GAC. The first parameter is an uninterpreted string that should describe what your service does. All further parameters are relative or absolute file paths referring to the assemblies that should be temporarily registered in the GAC. Please note that only strongly named assemblies are accepted. (The two path arguments of the original call were lost in extraction and are shown as placeholders.)

    Config.Register(
        "A FileMon like demo application.",   // description, not interpreted by EasyHook
        /* path to your host executable */,
        /* path to your injected library */);

It is guaranteed that your libraries will be removed from the GAC when the injecting process terminates, in all common cases. Of course there are rare exceptions, for example if you shut down your PC by pulling the power cable. In such a case the assemblies remain in the GAC forever, which is not a problem in end-user scenarios but certainly is during development. You can use the Gacutil.exe that ships with Visual Studio to remove all temporary GAC assemblies.

Open the "Visual Studio Command Prompt" as administrator.

1. Run the command: gacutil /uf EasyHook

2. Run additional commands for each of your assemblies that should be removed from the GAC (gacutil /uf followed by the assembly name; /uf is the forced uninstall, which ignores the references EasyHook left behind).

2.2 Windows Defender

Injection will sometimes make Windows Defender complain. This does not only apply to EasyHook but to every library that uses remote thread creation for injection:

Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow. For more information please see the following:

    Not Applicable
    Scan ID: {44726E79-4262-454E-AFED-51A30D34BF67}
    User: Lynn-PC\Lynn
    Name: Unknown
    ID:
    Severity ID:
    Category ID:
    Path Found: process:pid:864;service:EasyHook64Svc;file:D:\Projects\EasyHook 2.0.0.0\Debug\x64\EasyHook64Svc.exe
    Alert Type: Unclassified software
    Detection Type:

Such warnings are immediately followed by information pointing out that Windows Defender has prevented a malicious attempt. I think this will vanish if all executable binaries of EasyHook are signed with Authenticode. Such blocking only occurs when injecting into essential system services.

2.3 Injection - A burden made easy

In general, library injection is one of the most complicated parts of any hooking library. But EasyHook goes further. It provides three layers of injection abstraction, and your library is the fourth. The first layer is pure, relocatable assembler code. It launches the second layer, an unmanaged C++ method. The assembler code itself is very stable: it provides extensive error information and is able to unload itself without leaving any resource leaks in the target. The C++ layer starts the managed injection loader and adjusts the target's PATH variable by adding the injecting process's application base directory as the first entry. This way you have access to any file you would also have access to from your injecting process. Because that directory is now on the target's search path, make sure it is writable only by trusted accounts; anything dropped there becomes loadable by the hooked process. The managed injection loader uses .NET Reflection and .NET Remoting to provide extensive error reports in case of failure and to find a proper entry point in your injection library. It also takes care of graceful hook removal and resource cleanup. Loading the same library multiple times into the same target is supported!

Another complex part runs on the host side. Injecting libraries into other terminal sessions, into system services and even across WOW64 boundaries is supported. To you, all cases look the same: EasyHook automatically selects the right injection procedure. If EasyHook reports successful injection, you can be 99% sure that your library has been loaded and executed. If it fails, you can be 99% sure that no resource leaks are left in the target and that it remains in a stable, hookable state! Nearly all possible failures are caught, and seeing a target crash because of library injection would be like winning the lottery!

Please note that Windows Vista has advanced security for its subsystem services. They run in a protected environment like the "Protected Media Path". It is not possible to hook such services with EasyHook or any other user-mode library. The following shows the API method we are talking about (the two library arguments were lost in extraction and are shown as placeholders):

    RemoteHooking.Inject(
        Int32.Parse(args[0]),                   // target process ID
        /* path or name of the library */,      // 32-Bit version
        /* path or name of the library */,      // 64-Bit version
        ChannelName);

The first four parameters are required. If you only want to hook either 32- or 64-bit targets, you can set the unused path to null. You may specify either a file path, which EasyHook automatically translates to a fully qualified assembly name, or a partial assembly name like "FileMonInject, PublicKeyToken = 3287453648abcdef". Currently there is only one injection option, which prevents EasyHook from attaching a debugger to the target; you should only set it if the target does not tolerate an attached debugger. EasyHook detaches the debugger before injection is completed, so in general there is nothing to worry about, and it increases injection stability by orders of magnitude by using the target's symbol addresses instead of assuming that the local ones remain valid in the target!

You can pass as many additional parameters as you like, but be aware that you may only pass types that are accessible through the GAC; otherwise the injected library is not able to deserialize the parameter list. In such a case the exception is redirected to the host process, and you can catch it with a try-catch statement around RemoteHooking.Inject. That is one of the great advantages!

The injected library automatically gets access to all additional parameters you specify after the fourth one. This way you can easily pass channel names to the target so that your injected library is able to connect to your host.

Attention: Keep in mind that the CLR unloads your library only when the target terminates. Even if EasyHook releases all associated resources much earlier, you will not be able to replace the injected DLL, which implies that the corresponding GAC library cannot be updated until the target is terminated. So if you need to change your injected library very frequently (during development), always terminate the target after each debugging session. This ensures that no application depends on the library and that it can be removed from the GAC.

2.3.1 Creating an already hooked process

Sometimes it is necessary to hook a process from the very beginning. This is no big deal: just call RemoteHooking.CreateAndInject instead of Inject. This executes your library's main method before any other instruction of the target. You can resume the newly created process by calling RemoteHooking.WakeUpProcess from your injected library's Run method. This only makes sense in conjunction with CreateAndInject; otherwise it does nothing.
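The host side of the procedure described in 2.1 and 2.3 above, as an added example and not EasyHook's own sample code: it registers the assemblies in the GAC, creates the IPC channel whose name is passed through to the target, and either injects into a running process by PID or starts a new process already hooked. The names HookHostInterface, HookHost.exe and HookLibrary.dll are assumptions, and the overloads used follow the EasyHook 2.0 API as this page describes it; check the exact signatures against the EasyHook release you build against.

```csharp
// Added example, not part of the EasyHook distribution. Host-side injection.
using System;
using System.Runtime.Remoting;
using EasyHook;

// IPC contract the injected library calls back into (assumed name). In a real
// project this type lives in one shared, strongly named assembly referenced by
// both the host and the injected library.
public class HookHostInterface : MarshalByRefObject
{
    public void IsInstalled(int clientPid)
    {
        Console.WriteLine("Library installed in process {0}", clientPid);
    }

    public void ReportException(Exception e)
    {
        Console.WriteLine("Injected library failed: {0}", e);
    }
}

class Program
{
    static void Main(string[] args)
    {
        string channelName = null;

        // 2.1: every injected assembly must be strongly named and (temporarily) in the GAC.
        // First argument is an uninterpreted description; the rest are assembly paths (assumed).
        Config.Register(
            "Injection host demo.",
            "HookHost.exe",
            "HookLibrary.dll");

        // Create the remoting server; EasyHook fills channelName with a random name
        // that we hand to the target as a pass-through argument.
        RemoteHooking.IpcCreateServer<HookHostInterface>(ref channelName, WellKnownObjectMode.Singleton);

        try
        {
            if (args.Length == 1 && args[0].EndsWith(".exe", StringComparison.OrdinalIgnoreCase))
            {
                // 2.3.1: start the target suspended, load the library before its first
                // instruction; the library resumes it with RemoteHooking.WakeUpProcess().
                int pid;
                RemoteHooking.CreateAndInject(
                    args[0],            // executable to start
                    "",                 // command line
                    0,                  // process creation flags
                    "HookLibrary.dll",  // 32-bit library (assumed path)
                    "HookLibrary.dll",  // 64-bit library (assumed path)
                    out pid,
                    channelName);       // pass-through argument, received by the library's ctor and Run()
                Console.WriteLine("Created and injected into PID {0}", pid);
            }
            else
            {
                // 2.3: inject into an already running process given by PID.
                int targetPid = Int32.Parse(args[0]);
                RemoteHooking.Inject(
                    targetPid,
                    "HookLibrary.dll",  // 32-bit library (assumed path)
                    "HookLibrary.dll",  // 64-bit library (assumed path)
                    channelName);       // everything after the required parameters is passed through
                Console.WriteLine("Injected into PID {0}", targetPid);
            }
        }
        catch (Exception e)
        {
            // Failures inside the target, including a pass-through argument whose type
            // the target cannot deserialize, are redirected to the host and land here.
            Console.WriteLine("Injection failed: {0}", e.Message);
        }

        Console.WriteLine("Press enter to exit (terminate the target first if you want to update the library).");
        Console.ReadLine();
    }
}
```

Run it as HookHost.exe <pid> to attach to a running process, or HookHost.exe <path-to-exe> to create the target already hooked. Only pass-through argument types that are resolvable from the GAC (here a plain string) survive the trip into the target.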

2.4 The injected library entry point

All injected libraries have to export at least one public class implementing the EasyHook.IEntryPoint interface. The interface itself is empty but identifies your class as an entry point. A class marked as entry point this way is expected to export an instance constructor and a Run instance method with the signatures ".ctor(IContext, %ArgumentList%)" and "void Run(IContext, %ArgumentList%)". Please note that "%ArgumentList%" is a placeholder for additional parameters
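The injected side matching the signatures above, as an added example and not EasyHook's own FileMon sample: an entry point class whose constructor connects back to the host over the channel name passed through Inject, whose Run method installs a hook on kernel32!CreateFileW and then resumes the target for the CreateAndInject case. The class name Main, the HookHostInterface type and the choice of hooked API are assumptions; the interface must be the same shared, strongly named type the host exposes, and is written out here only so the block stands alone.

```csharp
// Added example, not part of the EasyHook distribution. Injected library entry point.
using System;
using System.Runtime.InteropServices;
using EasyHook;

// Must be the very same type the host registered with IpcCreateServer (assumed name).
public class HookHostInterface : MarshalByRefObject
{
    public void IsInstalled(int clientPid) { }
    public void ReportException(Exception e) { }
}

public class Main : EasyHook.IEntryPoint
{
    HookHostInterface host;
    LocalHook createFileHook;

    // Delegate with the unmanaged signature of kernel32!CreateFileW.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate IntPtr DCreateFile(
        string fileName, uint desiredAccess, uint shareMode, IntPtr securityAttributes,
        uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
    static extern IntPtr CreateFileW(
        string fileName, uint desiredAccess, uint shareMode, IntPtr securityAttributes,
        uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    // .ctor(IContext, %ArgumentList%): the argument list is whatever the host passed
    // after the required Inject/CreateAndInject parameters, here a single channel name.
    public Main(RemoteHooking.IContext context, string channelName)
    {
        host = RemoteHooking.IpcConnectClient<HookHostInterface>(channelName);
    }

    // void Run(IContext, %ArgumentList%): install hooks, then keep the library alive.
    public void Run(RemoteHooking.IContext context, string channelName)
    {
        try
        {
            createFileHook = LocalHook.Create(
                LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
                new DCreateFile(CreateFile_Hooked),
                this);
            // Hooks are inactive until a thread ACL is set. An exclusive ACL intercepts
            // every thread except the listed ones; 0 stands for the calling thread.
            createFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
        }
        catch (Exception e)
        {
            // Report to the host instead of throwing; the host decides what to do.
            host.ReportException(e);
            return;
        }

        host.IsInstalled(RemoteHooking.GetCurrentProcessId());

        // Only meaningful after CreateAndInject: resume the suspended target now that
        // the hook is in place. After a plain Inject this call does nothing.
        RemoteHooking.WakeUpProcess();

        // Returning from Run releases the hooks, so block for the target's lifetime.
        // The library stays loaded (and its GAC entry locked) until the target exits.
        while (true)
        {
            System.Threading.Thread.Sleep(500);
        }
    }

    static IntPtr CreateFile_Hooked(
        string fileName, uint desiredAccess, uint shareMode, IntPtr securityAttributes,
        uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile)
    {
        // Inspect or filter here, then forward to the original API. EasyHook bypasses
        // the hook for the calling thread while the handler runs, so this does not recurse.
        return CreateFileW(fileName, desiredAccess, shareMode, securityAttributes,
            creationDisposition, flagsAndAttributes, templateFile);
    }
}
```

The constructor is the right place to fail early: if the channel cannot be reached, EasyHook reports the exception to the injecting process and no hook is ever installed. Anything that depends on the hook being live belongs in Run, after the thread ACL has been set.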

