I've downloaded EasyHook's source, compiled it and run it. I figured that to run Filemon.exe you'd need at minimum the following file set:
We're building a corporate audit tool and we cannot have separate DLLs (especially with names so easily identifiable), so I tried to merge them:
ilmerge /target:winexe /out:FileMonMerged.exe FileMon.exe FileMonInject.dll EasyHook.dll EasyHook32.dll
(Put all of the above assemblies, as well as ILMerge.exe, in the same folder first.)
ILMerge is a merge tool that combines multiple assemblies; it can be downloaded from here:
PROBLEM #1: I don't think I should/can merge EasyHook32Svc.exe
PROBLEM #2: The above ilmerge command failed to merge "EasyHook32.dll"
C:\...\EasyHook\bin>ilmerge /target:winexe /out:FileMonMerged.exe FileMon.exe FileMonInject.dll EasyHook.dll EasyHook32.dll
An exception occurred during merging:
ILMerge.Merge: Could not load assembly from the location '...syHook\bin\EasyHook32.dll'. Skipping and processing rest of arguments.
at ILMerging.ILMerge.Main(String args)
Q#1 - Is there any way we can merge all assemblies into one (instead of separate ones)?
(Obfuscation is a separate discussion entirely, of course.)
Q#2 - What's the purpose of "EasyHook32Svc.exe"?
Q#3 - Why separate "EasyHook32.dll" and "EasyHook.dll"?
- EasyHook32Svc.exe is a service that runs in a very different context from the provided DLLs.
- EasyHook32.dll and its sibling EasyHook64.dll are unmanaged code DLLs and can't be merged with managed code.
- EasyHook.dll is the managed code DLL.
Each piece is there because of the need to work across managed and unmanaged layers and to address challenges such as WOW64.
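The ILMerge error in the question is what you get when one of the inputs is not a managed assembly at all: ILMerge can only load files that carry a CLR runtime header. A quick way to check that before running ILMerge, and to see the 32/64-bit split the answer mentions, is to read two things out of the PE headers: the COFF Machine field (x86 vs x64, which is the WOW64 concern) and data directory 14, the CLR runtime header, which is non-zero only in managed images. The script below is an added example written for this thread, not code from EasyHook or ILMerge; it builds its own minimal PE images (constructed test data, not real EasyHook binaries) so it runs offline, and the `partition_for_ilmerge` helper and its naming are mine.

```python
"""Classify PE files as managed (.NET) or native and by CPU architecture,
using only the COFF header and the CLR runtime header data directory.
Added example for this thread; not part of EasyHook or ILMerge."""
import struct
import sys

IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def inspect_pe(data: bytes) -> dict:
    """Return {'machine': str, 'pe32plus': bool, 'managed': bool} for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        pe32plus, ndirs_off, dirs_off = False, 92, 96
    elif magic == PE32PLUS_MAGIC:
        pe32plus, ndirs_off, dirs_off = True, 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    managed = False
    clr_entry = opt + dirs_off + 8 * CLR_DIRECTORY_INDEX
    # The CLR header entry exists only if the directory table is long enough
    # and the optional header actually covers it.
    if ndirs > CLR_DIRECTORY_INDEX and clr_entry + 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", data, clr_entry)
        managed = rva != 0 and size != 0
    return {"machine": IMAGE_FILE_MACHINE.get(machine, f"0x{machine:04x}"),
            "pe32plus": pe32plus, "managed": managed}


def partition_for_ilmerge(images: dict) -> tuple:
    """Split {name: bytes} into (managed names ILMerge can take, native names it cannot)."""
    managed, native = [], []
    for name, data in images.items():
        (managed if inspect_pe(data)["managed"] else native).append(name)
    return managed, native


def build_minimal_pe(managed: bool, pe32plus: bool = False, machine: int = 0x014C) -> bytes:
    """Constructed test image: headers only, just enough for inspect_pe() to read."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    ndirs = 16
    opt_fixed = 112 if pe32plus else 96          # bytes before the data directories
    ndirs_off = 108 if pe32plus else 92          # offset of NumberOfRvaAndSizes
    opt_size = opt_fixed + 8 * ndirs
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_fixed)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, ndirs_off, ndirs)
    dirs = bytearray(8 * ndirs)
    if managed:  # any non-zero RVA/size marks the image as managed
        struct.pack_into("<II", dirs, 8 * CLR_DIRECTORY_INDEX, 0x2000, 72)
    return dos + b"PE\0\0" + coff + bytes(opt) + bytes(dirs)


if __name__ == "__main__":
    # Usage: python pe_inspect.py FileMon.exe FileMonInject.dll EasyHook.dll EasyHook32.dll
    files = {p: open(p, "rb").read() for p in sys.argv[1:]}
    if not files:  # no arguments: demonstrate on constructed images
        files = {"managed-x86.dll": build_minimal_pe(True),
                 "native-x64.dll": build_minimal_pe(False, pe32plus=True, machine=0x8664)}
    for name, data in files.items():
        print(name, inspect_pe(data))
    ok, skip = partition_for_ilmerge(files)
    print("pass to ilmerge:", ok)
    print("leave out (native):", skip)
```

Run over the real file set, the native EasyHook32.dll/EasyHook64.dll land in the "leave out" list and the managed EasyHook.dll in the ILMerge list; the Machine field also tells you which of the two native DLLs a given target process (32-bit under WOW64 or 64-bit) actually needs.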
Thanks, but I suppose this means that EasyHook is not very stealthy.