about some questions

May 7, 2009 at 1:05 PM
Why does an error message box pop up when I run FileMon xxxx.. on winserver2003 x64?
The error message box says that EasyhookSvc encountered a problem and must close..
But when I close the error message box, FileMon runs well, and it can monitor the createfile API..
Who can tell me why?
Thanks!
Coordinator
May 8, 2009 at 1:12 PM

Well, EasyHookSvc is not essential for EasyHook to work.

Is there anything stated in the application event logs?!

I suppose that this has something to do with security settings on your machine.

May 11, 2009 at 1:24 AM

Hi! Thanks for your response!

In the "FileMon" demo, why can't I step into the "createfile_hooked()" function when I do single-step debugging?

And if I add a print statement in the "createfile_hooked()" function, for example Console.WriteLine("the createfile is hooked!!");, the console does not print that statement. Why?

May 11, 2009 at 12:20 PM

fangxing,

Single-step debugging works fine for me. Are you sure you attached a debugger to the filemon *target*, not the filemon process? Same for the Console.WriteLine: does the target have a console at all? In createfile_hooked() a Console.WriteLine will not write to the filemon console; the code executes in the target process.

Ben Schwehn

May 12, 2009 at 3:28 AM

Hi bschwehn! Thanks for your response!

I want to know: when I write a statement like MessageBox.Show("hooked creatfile!", "hehe...", MessageBoxButtons.OK); in the createfile_hooked() function, the message box does not pop up. Why?

Coordinator
May 12, 2009 at 4:06 PM

Use a pure .NET thread in combination with the hook queue shown in the filemon demo and display the message from plain .NET code, not from within a hooked method...

Single-Step might not work at all, because it should be impossible for the debugger to trace the internals of the hook handler. You can try to enable "Native code debugging" in your C# project properties. But I doubt that this will work. Just set a breakpoint in the hooked method...
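
The queue-plus-thread pattern recommended in the reply above, as an added stand-alone sketch that is not code from the thread or from EasyHook. It uses no EasyHook types; `CreateFileHookedStandIn`, `Pending` and `ReporterLoop` are hypothetical names, and the file names are constructed sample input.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;

// Stand-alone sketch: CreateFileHookedStandIn is a hypothetical placeholder
// for the hook handler that runs inside the target process.
static class HookQueueSketch
{
    static readonly Queue<string> Pending = new Queue<string>();
    static volatile bool running = true;

    // Hook-handler side: record the event and return immediately.
    // No UI, no console output, no blocking calls in here.
    static void CreateFileHookedStandIn(string fileName)
    {
        lock (Pending) { Pending.Enqueue(fileName); }
    }

    static int PendingCount() { lock (Pending) { return Pending.Count; } }

    // Plain .NET thread: drains the queue and does the reporting.
    static void ReporterLoop()
    {
        while (running || PendingCount() > 0)
        {
            string[] batch;
            lock (Pending) { batch = Pending.ToArray(); Pending.Clear(); }
            foreach (string name in batch)
                Console.WriteLine("CreateFile observed: " + name); // UI call would go here
            Thread.Sleep(100);
        }
    }

    static void Main()
    {
        Thread reporter = new Thread(ReporterLoop);
        reporter.IsBackground = true;
        reporter.Start();

        // Constructed sample events standing in for intercepted calls.
        CreateFileHookedStandIn(@"C:\temp\a.txt");
        CreateFileHookedStandIn(@"C:\temp\b.log");

        running = false;   // reporter drains what is left, then exits
        reporter.Join();
    }
}
```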

May 13, 2009 at 3:10 AM

Hi! Thanks for your quick reply.

Now I want to know the role of EasyHookSvc.

Another question: when I inject a 32-bit app on a 64-bit OS, there is an error:

There was an error while connecting to target:
System.ComponentModel.Win32Exception: 系统找不到指定的文件。
   在 System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
   在 EasyHook.WOW64Bypass.Install()
   在 EasyHook.WOW64Bypass.Inject(Int32 InHostPID, Int32 InTargetPID, Int32 InWakeUpTID, Int32 InNativeOptions, String InLibraryPath_x86, String InLibraryPath_x64, Object[] InPassThruArgs)
   在 EasyHook.RemoteHooking.InjectEx(Int32 InHostPID, Int32 InTargetPID, Int32 InWakeUpTID, Int32 InNativeOptions, String InLibraryPath_x86, String InLibraryPath_x64, Boolean InCanBypassWOW64, Boolean InCanCreateService, Object[] InPassThruArgs)
   在 EasyHook.RemoteHooking.Inject(Int32 InTargetPID, String InLibraryPath_x86, String InLibraryPath_x64, Object[] InPassThruArgs)
   在 FileMon.Program.Main(String[] args) 位置 C:\Documents and Settings\Administrator\Desktop\EasyHook 2.6 _fangxing_fx_0513\Examples\FileMon\Program.cs:行号 73

Why? Thanks.

May 14, 2009 at 6:54 AM

Hi, ChristophHusse!

When I run the filemon demo on the XP x64 OS, all of the questions are solved; like you said, it may be some security settings on my machine.

Thanks!