tandasat/DotNetHooking tandasat/DotNetHooking

  • Stars
    star
    202
  • Rank 187,527 (Top 4 %)
  • Language
    C#
  • License
    MIT License
  • Created over 6 years ago
  • Updated over 6 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
tandasat/DotNetHooking
github

tandasat

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Sample use cases of the .NET native code hooking technique

DotNetHooking

Introduction

This project demonstrates how to use the .NET native code hooking technique. For more details of the technique, see the attached presentation slides.

Source Navigation

The high level flow of this code is:

  1. This assembly is loaded via a mechanism of AppDomainManager
  2. The HookScanContent class is instantiated registering an assembly load event handler
  3. When System.Management.Automation, which contains implementation of our target method "ScanContent", is loaded, this assembly locates its native code address and installs a hook on it to redirect to the ScanContentHookHandler method
  4. When PowerShell content is executed and the ScanContent is called, our ScanContentHookHandler is executed instead of original ScanContent

Hints

Few things worth noting:

  1. This project targets .NET 2.0. This lets this assembly be loadable on practically any platforms since .NET Framework 2.0 is installed by default since Windows 7, and such an assembly can be loaded into a process using a newer version of .NET Framework. Therefore, such an assembly can be loaded into through PowerShell v2 to v5 universally.
  2. This assembly is signed and compiled as a strongly named assembly. This allows this assembly to be registered with Global Assembly Cache (GAC). Registering with GAC is required to load this assembly into any process because CLR cannot find this assembly when this assembly is registered as an AppDomainManager but not located in the folder where an EXE file of the process exists or GAC either. Registering this assembly with GAC allows CLR to find it regardless of where the EXE file exists.
  3. Code in this project intentionally emits error checks or exception handling. One using this code should add error handling as necessary.

Installation

As noted above, this assembly must be registered with GAC or located in the same folder as a target executable file (powershell.exe, in our case). While registering with GAC will be required in the real use cases, skipping registration is more convenient for debugging and testing. The below is the instructions for both ways:

No GAC Installation (+ testing with locally copied powershell.exe)

  1. Build the solution with Visual Studio 2017

  2. Launch the command prompt and navigate to an output folder

    > cd <Folder where the DLL was built>

  3. Copy powershell.exe to the current folder for testing

    > copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . /y

  4. Set environment variable to specify a custom AppDomainManager

    > set APPDOMAIN_MANAGER_ASM=HookingAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=c8b8e7ea5047757d, processorArchitecture=MSIL
> set APPDOMAIN_MANAGER_TYPE=HookingAssembly.CustomeAppDomainManager1

  5. Start the copied powershell.exe

    > powershell.exe
[*] AssemblyLoad event handler registered.
[*] Loading assembly System
[*] Loading assembly Microsoft.PowerShell.ConsoleHost
[*] Loading assembly System.Management.Automation
[*] The ScanContent method has been hooked.
Windows PowerShell
Copyright (C) Microsoft Corporation.All rights reserved.

GAC Installation (+ powershell.exe)

  1. Build the solution with Visual Studio 2017

  2. Launch the elevated command prompt for Visual Studio 2017 and navigate to an output folder

    > cd <Folder where the DLL was built>

  3. Install the assembly to GAC

    > gacutil /i HookingAssembly.dll
Microsoft (R) .NET Global Assembly Cache Utility.Version 4.0.30319.0
Copyright (c) Microsoft Corporation.All rights reserved.

Assembly successfully added to the cache

  4. Set environment variable to specify a custom AppDomainManager

    > set APPDOMAIN_MANAGER_ASM=HookingAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=c8b8e7ea5047757d, processorArchitecture=MSIL
> set APPDOMAIN_MANAGER_TYPE=HookingAssembly.CustomeAppDomainManager1

  5. Add the current folder to %PATH%, so that the hooking DLLs can be found

    > set PATH=%PATH%;%~dp0

  6. Start powershell.exe

    > powershell

To uninstall the assembly from GAC:

> gacutil /u HookingAssembly

Simulate Detection by AMSI

On the hooked PowerShell session, run this command:

PS> 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

 At line:1 char:1
 + 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 This script contains malicious content and has been blocked by your antivirus software.
     + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
     + FullyQualifiedErrorId : ScriptContainedMaliciousContent

More Repositories

1

HyperPlatform

Intel VT-x based hypervisor aiming to provide a thin VM-exit filtering platform on Windows.
C++
1,438
star
2

DdiMon

Monitoring and controlling kernel API calls with stealth hook using EPT
C++
1,086
star
3

Hypervisor-101-in-Rust

The materials of "Hypervisor 101 in Rust", a one-day long course, to quickly learn hardware-assisted virtualization technology and its application for high-performance fuzzing on Intel/AMD processors.
Rust
935
star
4

MiniVisorPkg

The research UEFI hypervisor that supports booting an operating system.
C
478
star
5

SimpleSvmHook

SimpleSvmHook is a research purpose hypervisor for Windows on AMD processors.
C++
313
star
6

PgResarch

PatchGuard Research
C++
282
star
7

SimpleSvm

A minimalistic educational hypervisor for Windows on AMD processors.
C++
262
star
8

ExploitCapcom

This is a standalone exploit for a vulnerable feature in Capcom.sys
C++
258
star
9

MemoryMon

Detecting execution of kernel memory where is not backed by any image file
C++
239
star
10

scripts_for_RE

Python scripts for reverse engineering.
Python
173
star
11

GuardMon

Hypervisor based tool for monitoring system register accesses.
C++
141
star
12

UefiVarMonitor

The runtime DXE driver monitoring access to the UEFI variables by hooking the runtime service table.
C
132
star
13

SmmExploit

The report and the exploit of CVE-2021-26943, the kernel-to-SMM local privilege escalation vulnerability in ASUS UX360CA BIOS version 303.
122
star
14

EopMon

Elevation of privilege detector based on HyperPlatform
C++
119
star
15

Sushi

a Japanese food keeps you sane
C++
115
star
16

findpg

Windbg extension to find PatchGuard pages
C++
113
star
17

UEFI-BIOS-Security

Security Camp 2021 & GCC 2022
107
star
18

hvext

The Windbg extension that implements commands helpful to study Hyper-V on Intel processors.
JavaScript
105
star
19

WinIoCtlDecoder

IDA Plugin which decodes Windows Device I/O control code into DeviceType, FunctionCode, AccessType and MethodType.
Python
102
star
20

HelloSmm

This is an instruction to run your own SMM code.
C
95
star
21

DebugLogger

A software driver that lets you log kernel-mode debug output into a file on Windows.
C++
95
star
22

WPBT-Builder

The simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell.
C
91
star
23

FU_Hypervisor

A hypervisor hiding user-mode memory using EPT
C
90
star
24

CVE-2023-36427

Report and exploit of CVE-2023-36427
C++
89
star
25

kraft_dinner

Tool to dump UEFI runtime drivers implementing runtime services for Windows
C
85
star
26

HelloAmdHvPkg

HelloAmdHvPkg is a type-1 research hypervisor for AMD processors.
C
83
star
27

Hello-VT-rp

A simple hypervisor demonstrating the use of the Intel VT-rp (redirect protection) technology.
Rust
80
star
28

RemoteWriteMonitor

A tool to help malware analysts tell that the sample is injecting code into other process.
C++
73
star
29

Scavenger

A minifilter driver preserves all modified and deleted files.
C
71
star
30

meow

nyā
C++
70
star
31

HelloIommuPkg

The sample DXE runtime driver demonstrating how to program DMA remapping.
C
57
star
32

DumpVTable

Generates a Python script to give public interface names in an ActiveX file to an IDB file.
C++
45
star
33

DrvLoader

A command line tool to load and unload a device driver.
C++
42
star
34

CVE-2022-25949

A years-old exploit of a local EoP vulnerability in Kingsoft Antivirus KWatch Driver version 2009.3.17.77.
C++
35
star
35

cs_driver

A sample project for using Capstone from a driver in Visual Studio 2015
C
34
star
36

CVE-2014-0816

CVE-2014-0816
C++
24
star
37

CVE-2024-21305

Report and exploit of CVE-2024-21305.
C++
24
star
38

hyperplatform_log_parser

User-mode program parsing logs created by HyperPlatform
C++
18
star
39

tandasat.github.io

HTML
17
star
40

ProjectLoadTimeMonitor

The Visual Studio extension that measures load time of each project when a solution file is opened.
C#
16
star
41

CheckSDL

A tool evaluates security configurations of a given PE based on SDL without source code
C++
12
star
42

ListWorkItems

Lists work items being queued currently.
C++
12
star
43

DeviceOpener

A command line tool to check if a specified device is accessible.
C++
10
star
44

windbg_init

Windbg Init Script
9
star
45

win32_debugout

Shows debug strings on DebubView from an attached process by win32_remote.exe.
C++
8
star
46

ping_vmm

A user-mode program knocking at HyperPlatform's "backdoor"
C++
7
star
47

List-UEFI-Configuration-Tables

List UEFI Configuration Tables
Rust
7
star
48

ScopedResource

Scoped Resource - Generic RAII Wrapper for the Standard Library by Peter Sommerlad and Andrew L. Sandoval
C++
6
star
49

SecRuntimeSample

A sample usege of SecRuntime.dll on Windows Phone
C++
4
star
50

blog

Ruby
4
star
51

CopyFiles

Copy files onto the IsolatedStorage so that you can download them using IsoStoreSpy.
C#
3
star
52

mylight

Using LED of Samsung Galaxy Ace S5830
Java
2
star
53

tandasat

2
star
54

shared

Manages files that are shared with multiple boxes.
Vim Script
1
star