Created
June 17, 2021 19:07
-
-
Save Meigs2/34b903d63567aad0572ee99101f84ab1 to your computer and use it in GitHub Desktop.
Callback is called,, but breaks. Commenting out p.SetupHook(); works.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
using System.Text; | |
namespace TestLauncherApp | |
{ | |
class Program | |
{ | |
[StructLayout(LayoutKind.Sequential)] | |
public class SecurityAttributes | |
{ | |
public Int32 Length = 0; | |
public IntPtr lpSecurityDescriptor = IntPtr.Zero; | |
public bool bInheritHandle = false; | |
public SecurityAttributes() | |
{ | |
this.Length = Marshal.SizeOf(this); | |
} | |
} | |
[StructLayout(LayoutKind.Sequential)] | |
public class StartupInfo | |
{ | |
public Int32 cb = 0; | |
public IntPtr lpReserved = IntPtr.Zero; | |
public IntPtr lpDesktop = IntPtr.Zero; // MUST be Zero | |
public IntPtr lpTitle = IntPtr.Zero; | |
public Int32 dwX = 0; | |
public Int32 dwY = 0; | |
public Int32 dwXSize = 0; | |
public Int32 dwYSize = 0; | |
public Int32 dwXCountChars = 0; | |
public Int32 dwYCountChars = 0; | |
public Int32 dwFillAttribute = 0; | |
public Int32 dwFlags = 0; | |
public Int16 wShowWindow = 0; | |
public Int16 cbReserved2 = 0; | |
public IntPtr lpReserved2 = IntPtr.Zero; | |
public IntPtr hStdInput = IntPtr.Zero; | |
public IntPtr hStdOutput = IntPtr.Zero; | |
public IntPtr hStdError = IntPtr.Zero; | |
public StartupInfo() | |
{ | |
this.cb = Marshal.SizeOf(this); | |
} | |
} | |
[StructLayout(LayoutKind.Sequential)] | |
public struct ProcessInformation | |
{ | |
public IntPtr hProcess; | |
public IntPtr hThread; | |
public Int32 dwProcessId; | |
public Int32 dwThreadId; | |
} | |
[Flags] | |
public enum CreateProcessFlags : uint | |
{ | |
DEBUG_PROCESS = 0x00000001, | |
DEBUG_ONLY_THIS_PROCESS = 0x00000002, | |
CREATE_SUSPENDED = 0x00000004, | |
DETACHED_PROCESS = 0x00000008, | |
CREATE_NEW_CONSOLE = 0x00000010, | |
NORMAL_PRIORITY_CLASS = 0x00000020, | |
IDLE_PRIORITY_CLASS = 0x00000040, | |
HIGH_PRIORITY_CLASS = 0x00000080, | |
REALTIME_PRIORITY_CLASS = 0x00000100, | |
CREATE_NEW_PROCESS_GROUP = 0x00000200, | |
CREATE_UNICODE_ENVIRONMENT = 0x00000400, | |
CREATE_SEPARATE_WOW_VDM = 0x00000800, | |
CREATE_SHARED_WOW_VDM = 0x00001000, | |
CREATE_FORCEDOS = 0x00002000, | |
BELOW_NORMAL_PRIORITY_CLASS = 0x00004000, | |
ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000, | |
INHERIT_PARENT_AFFINITY = 0x00010000, | |
INHERIT_CALLER_PRIORITY = 0x00020000, | |
CREATE_PROTECTED_PROCESS = 0x00040000, | |
EXTENDED_STARTUPINFO_PRESENT = 0x00080000, | |
PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000, | |
PROCESS_MODE_BACKGROUND_END = 0x00200000, | |
CREATE_BREAKAWAY_FROM_JOB = 0x01000000, | |
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000, | |
CREATE_DEFAULT_ERROR_MODE = 0x04000000, | |
CREATE_NO_WINDOW = 0x08000000, | |
PROFILE_USER = 0x10000000, | |
PROFILE_KERNEL = 0x20000000, | |
PROFILE_SERVER = 0x40000000, | |
CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000, | |
} | |
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] | |
public static extern bool CreateProcess | |
( | |
String lpApplicationName, | |
String lpCommandLine, | |
SecurityAttributes lpProcessAttributes, | |
SecurityAttributes lpThreadAttributes, | |
Boolean bInheritHandles, | |
CreateProcessFlags dwCreationFlags, | |
IntPtr lpEnvironment, | |
String lpCurrentDirectory, | |
[In] StartupInfo lpStartupInfo, | |
out ProcessInformation lpProcessInformation | |
); | |
[UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)] | |
delegate bool CreateProcess_Delegate(String lpApplicationName, | |
String lpCommandLine, | |
SecurityAttributes lpProcessAttributes, | |
SecurityAttributes lpThreadAttributes, | |
Boolean bInheritHandles, | |
CreateProcessFlags dwCreationFlags, | |
IntPtr lpEnvironment, | |
String lpCurrentDirectory, | |
[In] StartupInfo lpStartupInfo, | |
out ProcessInformation lpProcessInformation); | |
bool CreateProcess_Hook(String lpApplicationName, | |
String lpCommandLine, | |
SecurityAttributes lpProcessAttributes, | |
SecurityAttributes lpThreadAttributes, | |
Boolean bInheritHandles, | |
CreateProcessFlags dwCreationFlags, | |
IntPtr lpEnvironment, | |
String lpCurrentDirectory, | |
[In] StartupInfo lpStartupInfo, | |
out ProcessInformation lpProcessInformation) | |
{ | |
bool result = false; | |
result = CreateProcess(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, | |
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, out lpProcessInformation); | |
try | |
{ | |
// Add message to send to FileMonitor | |
Console.WriteLine("IT WOKRED!!!!!!"); | |
} | |
catch | |
{ | |
// swallow exceptions so that any issues caused by this code do not crash target process | |
} | |
return result; | |
} | |
static void Main(string[] args) | |
{ | |
var p = new Program(); | |
p.SetupHook(); | |
Process.Start("notepad.exe"); | |
Console.ReadKey(); | |
Console.WriteLine(Marshal.GetLastWin32Error()); | |
} | |
private void SetupHook() | |
{ | |
var createProcessHook = EasyHook.LocalHook.Create( | |
EasyHook.LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"), | |
new CreateProcess_Delegate(CreateProcess_Hook), | |
this); | |
createProcessHook.ThreadACL.SetExclusiveACL(new Int32[] { }); | |
Console.WriteLine("Hook Installed"); | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment