Hooking managed process

Oct 5, 2010 at 9:45 AM
Edited Oct 5, 2010 at 9:58 AM

Can EasyHook hook a managed process? If so, how? How can I use LocalHook.Create, and what params should I pass, if this should be used?

The process I'm trying to hook is a managed Windows service which is always running and cannot be restarted.

I'm trying to hook a simple method call and not a Win32 API.

Oct 5, 2010 at 5:52 PM
Edited Oct 5, 2010 at 6:18 PM

EasyHook is for hooking unmanaged code only.

To hook managed code, check out the profiler API. I am interested in stuff like that as well, but I never had the time to investigate it further.

http://www.codeproject.com/KB/cs/IL_Rewriting.aspx

http://www.blong.com/Conferences/DCon2003/Internals/Profiling.htm

http://blogs.msdn.com/b/davbr/archive/2007/03/06/creating-an-il-rewriting-profiler.aspx

Oct 6, 2010 at 6:26 AM

Thanks for the quick response.

I've looked a bit on the internet trying to find a solution that will help me hook managed code. From the little research I've done, I understand I have 2 options: IL rewriting, which is bad if the DLL is signed, or hooking a function pre-JIT, which is also bad for me because I can't control when the functions are being JITted or not.

Do you have anything else in mind?

Thanks anyway!!

Oct 6, 2010 at 7:03 PM
Edited Oct 6, 2010 at 7:09 PM

If the function is already jitted, then you cannot change it (that is what I understand from the third link), because they disabled the "SetFunctionReJIT" function. So attaching to a running process seems impossible, at least with "official" methods. You need to actually be there in the beginning and intercept all jit-calls.

:( Looks like you need to hack the engine in order to get the pointer to the function's IL code. Maybe a good starting point is the interception of the JIT process, and then have a look at where that information is actually stored (it must be stored in some kind of table), and then hijack that table.

I don't think it will interfere with signed DLLs because we would patch it in memory. As soon as DLLs are loaded into memory, all signing stuff is useless.

Oct 7, 2010 at 2:42 PM
Edited Oct 7, 2010 at 2:42 PM

Again, I thank you for your quick response.

I noted it is signed when referring to IL rewriting.

I have a lot of work ahead of me then... :-) Thanks!