I am trying to use EasyHook to detect native LoadLibrary calls.
It does detect the loading of libraries; however, the process freezes. This is because the LoadLibrary_Hook method below cannot load the DLL or library, since it returns a zero IntPtr (probably it can't find the library).
I even tried setting the events to a "void" type, but then the process simply crashes. This is probably because EasyHook expects me to return a value to overwrite the function.
Is there a way for me to return exactly the library that needs to be loaded, or simply get the name of the library being loaded, without having to load the library manually?
(There are also names like this being loaded in the process: 瑮汤汤l邐邐讐嗿謘ౕ㍓四襗ﱝ嶉觬嶉觰嶉㯨࿓トă謀ࡅ쌻萏Ͽ䶋㬔瓋㤉ᡝ萏ϯ팻Ѵ᪉ᢉ疋㬐ă㬀瓋謇ᡅᦉᢉ綋㬜 which is kind of odd...)
```csharp
using System;
using System.Runtime.InteropServices;
using EasyHook;

public class TestHook
{
    private static LocalHook hook;

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);

    // With CharSet.Unicode this P/Invoke resolves to LoadLibraryW.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibrary(string lpFileName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr handle, string varormethodname);

    // Declared Unicode, although the export hooked below (LoadLibraryA) receives an ANSI string.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    public delegate IntPtr LoadLibraryDelegate(string lpFileName);

    public TestHook()
    {
        IntPtr kernel32 = GetModuleHandle("kernel32.dll");
        Logger.Log("Kernel: " + kernel32);          // Logger is the poster's own logging helper
        IntPtr address = GetProcAddress(kernel32, "LoadLibraryA");
        Logger.Log("Address: " + address);
        hook = LocalHook.Create(address,
            new LoadLibraryDelegate(LoadLibrary_Hook),
            null);
        hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
        //RemoteHooking.WakeUpProcess();
    }

    public IntPtr LoadLibrary_Hook(string lpFileName)
    {
        Logger.Log("File load: " + lpFileName);
        return LoadLibrary(lpFileName);   // pass-through via the P/Invoke stub; returns zero as described above
    }
}
```
The solution was to call the original method using the original function address:
```csharp
// Requires "using System.Runtime.InteropServices;" for Marshal.

// Assumed: holds the LoadLibraryA address obtained from GetProcAddress in the
// constructor (the "address" variable above), assigned before the hook is installed.
private static IntPtr LoadLibraryAddress;

public IntPtr LoadLibrary_Hook(string lpFileName)
{
    Logger.Log("File load: " + lpFileName);
    // Call the real function through its original entry point rather than the P/Invoke stub.
    LoadLibraryDelegate origMethod =
        (LoadLibraryDelegate)Marshal.GetDelegateForFunctionPointer(LoadLibraryAddress, typeof(LoadLibraryDelegate));
    return origMethod(lpFileName);
}
```
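Below is a complete version of the same idea, written for this page as an added example; it is not the question's code or an EasyHook sample. It assumes EasyHook's LocalHook API (LocalHook.GetProcAddress, LocalHook.Create, ThreadACL.SetExclusiveACL, Dispose) and uses a hypothetical class name, LoadLibraryMonitor. Beyond the fix above, it declares the delegate with CharSet.Ansi to match the LoadLibraryA export (a Unicode delegate reads the ANSI bytes as UTF-16, which is how names like the garbled one in the question arise), builds the call-through delegate once instead of on every call, preserves the Win32 error code for the native caller, and hooks every thread so that a load issued from the installing thread is also observed. The library name in Main is just a sample input.

```csharp
using System;
using System.Runtime.InteropServices;
using EasyHook;

// Added example (not from the question): an in-process monitor that logs every
// LoadLibraryA call and forwards it unchanged to the real function.
public sealed class LoadLibraryMonitor : IDisposable
{
    // LoadLibraryA receives an ANSI (char*) string, so the delegate EasyHook invokes
    // must be CharSet.Ansi. A Unicode delegate would marshal the same bytes as UTF-16.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi, SetLastError = true)]
    private delegate IntPtr LoadLibraryADelegate(string lpFileName);

    [DllImport("kernel32.dll")]
    private static extern void SetLastError(uint dwErrCode);

    private readonly LoadLibraryADelegate _original; // calls the real LoadLibraryA
    private readonly LoadLibraryADelegate _detour;   // field reference keeps the delegate alive
    private readonly LocalHook _hook;

    public LoadLibraryMonitor()
    {
        // Resolve the export once; equivalent to GetModuleHandle + GetProcAddress.
        IntPtr target = LocalHook.GetProcAddress("kernel32.dll", "LoadLibraryA");

        // Build the call-through delegate once rather than on every hook invocation.
        _original = (LoadLibraryADelegate)Marshal.GetDelegateForFunctionPointer(
            target, typeof(LoadLibraryADelegate));

        _detour = OnLoadLibraryA;
        _hook = LocalHook.Create(target, _detour, this);

        // Hooks start inactive. An empty exclusive ACL excludes no thread,
        // so every thread, including this one, is intercepted.
        _hook.ThreadACL.SetExclusiveACL(new int[0]);
    }

    private IntPtr OnLoadLibraryA(string lpFileName)
    {
        // Keep the detour minimal: record the request, then forward it.
        Console.WriteLine("LoadLibraryA(\"" + lpFileName + "\")");

        // The target now starts with EasyHook's jump, but EasyHook does not re-enter a
        // handler that is already active on this thread, so this runs the real function.
        IntPtr handle = _original(lpFileName);

        // Capture the error code right after the call and restore it before returning,
        // so the native caller's GetLastError still reflects the real LoadLibraryA.
        int error = Marshal.GetLastWin32Error();
        if (handle == IntPtr.Zero)
            Console.WriteLine("  failed, GetLastError=" + error);
        SetLastError((uint)error);
        return handle;
    }

    public void Dispose()
    {
        _hook.Dispose();   // removes the hook and frees the trampoline
    }

    // Stand-alone demonstration: install, trigger one load from this thread, remove.
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    private static extern IntPtr LoadLibraryA(string lpFileName);

    public static void Main()
    {
        using (new LoadLibraryMonitor())
        {
            // Goes through kernel32!LoadLibraryA, so the detour above sees it.
            // "winhttp.dll" is a sample input for the demonstration.
            IntPtr h = LoadLibraryA("winhttp.dll");
            Console.WriteLine("handle=" + h);
        }
    }
}
```

Compile against EasyHook.dll and run the process with the bitness matching the EasyHook build. Because the detour only records and forwards, the caller keeps LoadLibrary's normal semantics (module handle, reference counting, error code), which is what you want when the purpose is to watch for unexpected or side-loaded DLLs in a process you own rather than to change its behaviour.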