How to Simulate .net exception in hooked function

Nov 11, 2009 at 9:11 AM

I am trying to simulate the .net exception and throw it to the hooked process. For example , the following code       

static IntPtr CreateFile_Hooked(
            String InFileName,
            UInt32 InDesiredAccess,
            UInt32 InShareMode,
            IntPtr InSecurityAttributes,
            UInt32 InCreationDisposition,
            UInt32 InFlagsAndAttributes,
            IntPtr InTemplateFile)
        {
           
            try
            {
                Main This = (Main)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    This.Queue.Push("[" + RemoteHooking.GetCurrentProcessId() + ":" +
                        RemoteHooking.GetCurrentThreadId() +  "]: \"" + InFileName + "\"");
                }
            }
            catch
            {
            }

            throw new System.IO.DriveNotFoundException("c: not found");


            // call original API...
            return CreateFile(
                InFileName,
                InDesiredAccess,
                InShareMode,
                InSecurityAttributes,
                InCreationDisposition,
                InFlagsAndAttributes,
                InTemplateFile);
        }

 

For some hooked application such as a simple .net application I wrote which only do save a File

            try
            {
                Console.ReadLine();
                System.IO.File.Create("c:\\testtest");
            }

            catch (Exception ex)
            {
                Console.WriteLine("error:" + ex.Message);
            }

it works fine. But for some complicated Application such as a web service which I attached to w3wp.exe

looks like it does not work.

Anyone knows if this is the right way to throw an exception in the injection dll to the hooked application?

 

Thanks

Roger

 

Nov 11, 2009 at 10:15 PM

You should never throw exceptions in hook handlers, in stead you can return the correct error code.
For  a DriveNotFoundException this would be the integer value "3" (ERROR_PATH_NOT_FOUND)

Take a look at the following links for more information:
- http://www.pinvoke.net/default.aspx/Constants/WINERROR.html
- http://msdn.microsoft.com/en-us/library/9ztbc5s1.aspx

Nov 12, 2009 at 4:35 AM

thanks SMa

it is awesome, working but have one issue. I replace the code above using error code. But even I use different codes

return (IntPtr)Microsoft.Win32.Interop.ResultWin32.ERROR_SUCCESS;

return (IntPtr)Microsoft.Win32.Interop.ResultWin32.ERROR_DISK_FULL;

in the unmanaged application such as Notepad, it will always show the same error message

"You don't have the permission to modify the files in network location

Contact administrator per permission to modify files in this network location" 

in the managed application I share the above, it will have different error message but not exactly match the code i use. For example, ERROR_DISK_FULL, the exception I catch is

FileStream was asked to open a device that was not a file. For support for
 devices like 'com1:' or 'lpt1:', call CreateFile, then use the FileStream constructors that take an OS handle as an IntPtr.

It is not DISK FULL error.

Any idea?

 

Thanks

Roger