Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / desktop / Win32

Hook Unmanaged Processes Using VB.NET DLLs

4.78/5 (7 votes)
24 Jan 2013CPOL1 min read 25.8K   1.4K  
Hooking unmanaged processes using VB.NET.

Introduction  

In this article we will introduce a technique of hooking unmanaged processes  using VB.NET DLLs.

Background  

The main idea of the project is to code a VB.NET DLL that applies a hook on MessageBoxA API using delegate unmanaged pointer and the VB.NET DLL is injected by another C++ Dll used as a bridge for the injection operation which is injected by standard DLL injector.

Using the code 

The hook base of the VB.NET DLL will look like this:

C++
Private Shared Function InjectHook(ByVal arg As String) As Integer
    Try
        Dim pAddr As Integer = GetProcAddress(GetModuleHandle("user32"), "MessageBoxA")
        Dim functionPointerForDelegate As Integer = _
              CInt(Marshal.GetFunctionPointerForDelegate(New MBAH(AddressOf clsHook.hook)))
        Dim lpflOldProtect As UInt32 = 0
        clsHook.VirtualProtect(pAddr, 6, &H40, lpflOldProtect)
        Dim num3 As Integer = ((functionPointerForDelegate - pAddr) - 5)
        Dim bytes As Byte() = BitConverter.GetBytes(num3)
        Dim source As Byte() = New Byte() {&HE9, bytes(0), bytes(1), bytes(2), bytes(3)}
        Marshal.Copy(source, 0, pAddr, 5)
        Return 1
    Catch ex As Exception
        Return 0
    End Try
End Function

Public Shared Function hook(ByVal hWnd As Integer, ByVal [Text] As String, _
       ByVal Caption As String, ByVal uType As Integer) As Integer
    Return clsHook.MessageBoxW(hWnd, ([Text] & " - VB.NET Hook"), "Hook", uType)
End Function

As The "InjectHook" Function will be the hook installer

if hook installation procedure completed successfully all calls to MessageBoxA API will be detoured to the function "hook".

And The C++ Bridge DLL will play the .NET Runtime start part and after that will start The "InjectHook" function in the target native process 

C++
void netclr()
{
    LPWSTR Buffer=new TCHAR[BUFSIZE];
    ICLRRuntimeHost* pCLR = NULL;
    DWORD result;

    GetCurrentDirectory(BUFSIZE, Buffer);
    lstrcatW(Buffer,L"\\vhook.dll");

   // start the .NET Runtime in the current native process
   CorBindToRuntimeEx(NULL, L"wks", NULL, CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&pCLR);

   pCLR->Start();

   //Fourth Param is dummy and also the fifth
   pCLR->ExecuteInDefaultAppDomain(Buffer, L"VHook.HookTest.clsHook", 
     L"InjectHook", L"Simon-Benyo", &result);
}

If whole process completed successfully the hook should be active and all MessageBoxA from the target process should be redirected to MessageBoxW after adding " - VB.NET Hook" Sentence to its second param and replacing its caption with the word "hook".

And the result in our testsample after applying the hook was successful as we see:

Points of Interest    

So the whole point of this article is to show how to create a hook using VB.NET DLLs using delegates mainly and inject the hook library using a c++ Dll and all what we need is to write the hook and start .net runtime in target process and Execute Hook Installer Function.

History

First release.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)