ILMerge to combine FileMon.exe with various DLLs into one exe?

Aug 15, 2010 at 4:33 AM

I've downloaded EasyHook's source, compiled it and run it. I figured that to run FileMon.exe you'd need at minimum the following file set:
    FileMon.exe
    FileMonInject.dll
    EasyHook.dll
    EasyHook32.dll
    EasyHook32Svc.exe

We're building a corporate audit tool and we cannot have separate DLLs (especially with names so easily identifiable) - as a result, I tried to merge:
    ilmerge /target:winexe /out:FileMonMerged.exe FileMon.exe FileMonInject.dll EasyHook.dll EasyHook32.dll
(Put all of the above assemblies as well as ILMerge.exe in the same folder first.)

ILMerge is a merge tool for combining multiple assemblies - it can be downloaded from here:
    http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=22914587-b4ad-4eae-87cf-b14ae6a939b0&displayLang=en

PROBLEM #1: I don't think I should/can merge EasyHook32Svc.exe
PROBLEM #2: The above ilmerge command failed to merge "EasyHook32.dll"
    C:\...\EasyHook\bin>ilmerge /target:winexe /out:FileMonMerged.exe FileMon.exe FileMonInject.dll EasyHook.dll EasyHook32.dll
    An exception occurred during merging:
    ILMerge.Merge: Could not load assembly from the location '...'
    syHook\bin\EasyHook32.dll'. Skipping and processing rest of arguments.
       at ILMerging.ILMerge.Merge()
       at ILMerging.ILMerge.Main(String[] args)

Q#1 - Is there any way we can merge all assemblies into one (instead of separate files)?
           (Obfuscation is a separate discussion entirely, of course)
Q#2 - What's the purpose of "EasyHook32Svc.exe"?
Q#3 - Why are "EasyHook32.dll" and "EasyHook.dll" separate?

Thank you

Aug 21, 2010 at 7:28 PM
  1. EasyHook32Svc.exe is a service that runs in a very different context from the provided DLLs.
  2. EasyHook32.dll and its sibling EasyHook64.dll are unmanaged code DLLs and can't be merged with managed code.
  3. EasyHook.dll is the managed code DLL.

Each piece is there because of the need to work across managed and unmanaged layers and to address challenges such as WOW64. 
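The "Could not load assembly" error in the first post is exactly what the reply describes: ILMerge only consumes managed assemblies, and a native DLL such as EasyHook32.dll carries no CLR header. The following script, added here as an illustration and not part of the thread or of EasyHook, reads the PE headers and reports for each file whether it is managed (data directory 14, the CLR/COM descriptor, is present) and which machine it targets, so you can tell before running ILMerge which inputs it will accept. The PE images it is run on are constructed in memory for the demonstration; the file names are taken from the thread, the header layout is the documented PE32/PE32+ format.

```python
import struct
import sys

# Index of the CLR header (IMAGE_COR20_HEADER) in the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14

MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64"}


def describe_pe(data: bytes) -> dict:
    """Return {'machine': str, 'managed': bool} for a PE image held in memory.

    A file is a managed (.NET) assembly when data directory 14 has a non-zero
    RVA and size; native DLLs such as EasyHook32.dll have that entry zeroed.
    Raises ValueError for anything that is not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes sits at offset 92
        nrva_off = opt_off + 92
    elif magic == 0x20B:      # PE32+: 8-byte ImageBase and stack/heap fields shift it to 108
        nrva_off = opt_off + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if nrva_off + 4 > opt_off + opt_size:
        raise ValueError("optional header too short")
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    managed = False
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        dir_off = nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        if dir_off + 8 > len(data):
            raise ValueError("truncated data directories")
        rva, size = struct.unpack_from("<II", data, dir_off)
        managed = rva != 0 and size != 0
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "managed": managed}


def ilmerge_candidates(files: dict) -> tuple:
    """Split {name: bytes} into (managed, native) name lists; only the first list can go to ILMerge."""
    mergeable, native = [], []
    for name, data in files.items():
        (mergeable if describe_pe(data)["managed"] else native).append(name)
    return mergeable, native


def build_pe(pe32plus: bool, machine: int, clr_rva: int, clr_size: int) -> bytes:
    """Construct a minimal synthetic PE (headers only, no sections) for the demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature at 0x40
    n_dirs = 16
    opt_size = (112 if pe32plus else 96) + 8 * n_dirs
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, n_dirs)
    struct.pack_into("<II", opt, nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real files from the command line, e.g. the EasyHook bin folder.
        samples = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:
        # Constructed stand-ins shaped like the thread's file set (not the real binaries).
        samples = {
            "FileMon.exe": build_pe(False, 0x014C, 0x2008, 72),
            "EasyHook.dll": build_pe(False, 0x014C, 0x2008, 72),
            "EasyHook32.dll": build_pe(False, 0x014C, 0, 0),
            "EasyHook64.dll": build_pe(True, 0x8664, 0, 0),
        }
    for name, blob in samples.items():
        print("%-16s %s" % (name, describe_pe(blob)))
    ok, skip = ilmerge_candidates(samples)
    print("ILMerge inputs:", ok)
    print("native, leave beside the exe:", skip)
```

Run with no arguments to see the constructed set classified; pass real paths to check actual files. Note that the managed AnyCPU assemblies are still PE32 images with machine i386, so the machine field alone does not separate managed from native; the CLR directory entry does.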

Aug 22, 2010 at 2:49 AM

Thanks, but I suppose this means that EasyHook is not very stealthy.