Questions

Oct 7, 2008 at 1:17 AM

I ran across Easyhook while researching API hooking solutions and was impressed with the features and documentation
you have developed. I downloaded the 2.5 beta source and binary projects plus documentation. After reading through the documentation
and trying the FileMon example, I ran into a couple of issues. I am sure you are busy, but wondered if you could briefly answer a couple of questions:

I tried running the FileMon.exe example against my System process (PID: 4) and got this error:
"Status_Access_Denied: Unable to create a remote thread. (Code: 6)."  I was running as admin, and
wondered if this would work by using RemoteHooking.ExecuteAsService(), but wasn't sure how to use this
with the existing steps...  Can this be done, or will this require an unmanaged injection library, or
a kernel-mode driver?

I want to be able to hook CreateFile() (via System process) and get the underlying thread impersonation token to identify the user for each
file access.  I don't see any way to do this in a managed fashion. Is this possible with EasyHook?

Thanks,
Mark

Oct 11, 2008 at 6:17 PM

> I tried running the FileMon.exe example against my System process (PID: 4)

This won't work at all... And I also don't see the need for hooking this process. I am not sure whether you can get this working even with pure unmanaged injection and DLLs...

> RemoteHooking.ExecuteAsService(),

The managed API will try this automatically.

> Can this be done, or will this require an unmanaged injection library, or  a kernel-mode driver?

If you want to hook the whole system, a kernel mode driver is the only stable way of doing so...

> I want to be able to hook CreateFile() (via System process) and get the underlying thread impersonation token to identify the user for each file access

You want to hook system wide?

The impersonation token might be indirectly accessible through "WindowsIdentity" or something like that. Just look it up in MSDN. To access the native token you probably need a C++.NET DLL which exports the required unmanaged code to managed classes...

> I don't see any way to do this in a managed fashion. Is this possible with EasyHook?

System wide is only possible with the easyhook kernel driver...

Managed injection is truly no option for doing anything system wide. Even unmanaged injection is also no real option, even if it might be more successful...

regards
chris
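As an added illustration of the "WindowsIdentity" route Chris mentions (this is my example, not EasyHook's FileMon sample and not code from this thread), the hook below audits CreateFileW calls made inside the current process and records which Windows account each call is performed as. It stays strictly in-process, which is what user-mode hooking with EasyHook can do; it does not inject into PID 4 or anywhere else. The EasyHook calls (`LocalHook.Create`, `LocalHook.GetProcAddress`, `ThreadACL.SetExclusiveACL`) are the 2.5 managed API as used by its sample and are an assumption about your build; `WindowsIdentity.GetCurrent(true)` is the .NET Framework 2.0+ overload that returns `null` when the calling thread is not impersonating.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using EasyHook; // assumption: EasyHook 2.5 managed assembly is referenced

// In-process audit hook for kernel32!CreateFileW (added example, not the FileMon sample).
// Records the effective user for each call: the thread's impersonation token when one
// is active (that is the identity the file system will check), else the process token.
public class CreateFileAudit : IDisposable
{
    // Delegate matching the native CreateFileW signature.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate IntPtr DCreateFile(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    // Original function, used to pass the call straight through.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
    static extern IntPtr CreateFile(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    // Keep a reference so the hook is not garbage collected while installed.
    readonly LocalHook hook;

    // Re-entrancy guard: if the logging path itself ends up calling CreateFileW,
    // the nested call must pass through unlogged instead of recursing forever.
    [ThreadStatic] static bool inHook;

    public CreateFileAudit()
    {
        // EasyHook 2.5 API as used by its sample (assumption about your build).
        hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
            new DCreateFile(CreateFile_Hooked),
            this);
        // Hook activation copied from the EasyHook sample; confirm the ThreadACL
        // semantics against the documentation of the EasyHook version you use.
        hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    }

    // Runs on the thread that called CreateFileW, so thread-token queries apply to the caller.
    static IntPtr CreateFile_Hooked(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile)
    {
        if (!inHook)
        {
            inHook = true;
            try
            {
                bool impersonating;
                string user = EffectiveUser(out impersonating);
                Console.WriteLine("{0}{1} -> {2}", user, impersonating ? " (impersonating)" : "", fileName);
            }
            catch
            {
                // A logging failure must never change the outcome of the hooked call.
            }
            finally { inHook = false; }
        }

        // Pass through unchanged: an audit hook observes, it does not alter results.
        return CreateFile(fileName, desiredAccess, shareMode, securityAttributes,
                          creationDisposition, flagsAndAttributes, templateFile);
    }

    // Effective identity of the current thread: impersonation token first, process token otherwise.
    public static string EffectiveUser(out bool impersonating)
    {
        // GetCurrent(true) returns null unless the thread currently holds an impersonation token.
        WindowsIdentity imp = WindowsIdentity.GetCurrent(true);
        if (imp != null)
        {
            impersonating = true;
            return imp.Name;
        }
        impersonating = false;
        return WindowsIdentity.GetCurrent().Name;
    }

    public void Dispose()
    {
        hook.Dispose();
    }
}
```

Install it once (`using (new CreateFileAudit()) { ... }`) in the process whose file accesses you want to audit; the name lookup behind `WindowsIdentity.Name` goes through LSA, so for high-volume auditing you would log the SID (`WindowsIdentity.User`) and resolve names offline instead.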
Oct 19, 2008 at 1:17 AM

Thank you for your reply.

You mentioned that system-wide hooking is only possible with the easyhook kernel driver. Does this then require unmanaged code to access and use?
You also indicated that even unmanaged injection is not a real option for system-wide hooking? Can you elaborate?

If I want to go this direction, can you point me to some examples or resources?

Thanks,

Mark

Oct 19, 2008 at 10:13 AM

Kernel mode drivers are more unmanaged than anything else. But if you don't know this you shouldn't write one ;-). Kernel mode drivers are far away from being easy to write and if you have no experience with kernel drivers you won't be able to write a hooking solution based on them.

Unmanaged hooking is not necessarily kernel mode hooking... Unmanaged hooking refers to user-mode hooking and this is of course never a good option for system wide hooking. That's why user mode exists at all: it was designed to PREVENT it!

If you really want to safely hook the whole system you need to go for kernel mode or on 64-Bit the Windows Vista API or PatchGuard API...

regards
chris