Thread: Hook remote process.

  1. #1
    Kurapica (Blacklist Hunter)

    Hook remote process.

    Is there a way to suspend a remote process from my local process when the remote process calls some API?

    I must find a way to start a new process and make it break on "_CorExeMain" or "_CorDllMain", which represent the entry points for any .NET PE file.

    I've been doing much research on API hooking and code injection, but I want to see what you guys know about it.

    Thanks
    Life can only be understood backwards but It must be read forwards

    http://board.b-at-s.info
    http://portal.b-at-s.info/news.php

  2. #2
    BanMe
    Not unless you can maintain code inside some area of a newly created process through injection, or with it, can the idea you are trying to accomplish be realized. .NET isn't really my thing, but I bet taking the same approach that I am with Sin32, in a more targeted .NET-apps way, could accomplish this task.

    Other ideas include creating a process suspended, writing an int3 to those locations you mentioned, and registering a JIT debugger that handles the other tasks that need to be accomplished.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  3. #3
    Kurapica (Blacklist Hunter)
    Thanks for the tip...

    I already tried what you suggested, and it seems .NET modules have a problem with INT3.

    Anyway, breaking on startup seems useless now, and I will be satisfied with DLL injection after the injectee is fully loaded.

    Here is a snippet of how I coded the injection.

    Code:
            'DLL to load into the target process
            Dim DllName As String = "D:\My Documents\Delphi\DLL\Project1.dll"
    
            'Allocate memory for the DLL name in the remote process (VirtualAllocEx).
            'Pinfo is the PROCESS_INFORMATION filled in by CreateProcess (declared elsewhere).
            '&H1000 = MEM_COMMIT; &H40 = PAGE_EXECUTE_READWRITE (PAGE_READWRITE, &H4, is enough for a string buffer).
            'An Int32 return value only holds a valid address in a 32-bit process; use IntPtr for x64 builds.
            Dim Ret As Int32 = VirtualAllocEx(Pinfo.hProcess, 0, DllName.Length + 1, &H1000, &H40)
    
            'Write the DLL name, including full path, to the allocated memory (WriteProcessMemory).
            'Marshal.StringToHGlobalAnsi (System.Runtime.InteropServices) returns an unmanaged copy that must be freed.
            Dim Length As Int32
            Dim NamePtr As IntPtr = Marshal.StringToHGlobalAnsi(DllName)
            WriteProcessMemory(Pinfo.hProcess, Ret, NamePtr, DllName.Length + 1, Length)
            Marshal.FreeHGlobal(NamePtr)
    
            'Map the DLL into the remote process via CreateRemoteThread & LoadLibrary.
            'The thread start address is kernel32!LoadLibraryA and its argument is the remote buffer holding the path.
            hThread = CreateRemoteThread(Pinfo.hProcess, IntPtr.Zero, 0, GetProcAddress(LoadLibrary("kernel32.dll"), "LoadLibraryA"), Ret, 0, 0)

    All I have to do is finish the DLL now.
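The CreateRemoteThread-into-LoadLibraryA pattern in the snippet above is exactly what host telemetry such as Sysmon Event ID 8 (CreateRemoteThread) records, with the start module and start function resolved for each remote thread. As an added example, not code from this thread, here is a small Python detector run over constructed Sysmon-style lines (the field names follow the real event; the paths and the flat key=value layout are assumptions):

```python
import re

# Constructed Sysmon-style Event ID 8 (CreateRemoteThread) lines for offline
# testing; field names mirror the real event, the paths are made up.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Tools\\Injector.exe TargetImage=C:\\Apps\\Target.exe "
    "StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryA",
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Apps\\Target.exe "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
    "EventID=8 SourceImage=C:\\Tools\\Injector.exe TargetImage=C:\\Apps\\Target.exe "
    "StartModule= StartFunction=",
    "EventID=1 Image=C:\\Apps\\Target.exe CommandLine=Target.exe",
]

# A remote thread whose start address is a LoadLibrary* export is the
# classic CreateRemoteThread + LoadLibraryA injection pattern.
LOADLIB_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Turn one key=value line into a dict (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return a finding for a suspicious Event ID 8 record, else None."""
    if event.get("EventID") != "8":
        return None
    func = event.get("StartFunction", "")
    module = event.get("StartModule", "")
    if func in LOADLIB_EXPORTS:
        return "remote LoadLibrary thread (DLL injection)"
    if module == "":
        # No backing module: the thread starts in memory that is not a mapped image.
        return "remote thread starting outside any loaded module"
    return None


def detect(lines):
    """Return (source image, target image, finding) for each suspicious line."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append((ev.get("SourceImage"), ev.get("TargetImage"), reason))
    return findings


if __name__ == "__main__":
    for src, tgt, why in detect(SAMPLE_EVENTS):
        print(f"{src} -> {tgt}: {why}")
```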
