Hook API with pure managed code

Question

I was thinking how can I hook an API with C# or VB.Net, without using a C++ Library like EasyHook or similar libs. The purpose why I like to learn this is not for anything malicous, its just to get more experience and find the limits of whats possible with .net. Lets say I like to hook the MessageBoxA API. I first import it by Importing System.Runtime.InterropServices and then add the PInvoke Signiature for The MessageBoxA API Call in user32.dll

<DllImport("user32.dll", EntryPoint:="MessageBoxW", 
           SetLastError:=True, Charset:=Charset.Unicode)> 
Public Function MessageBox(
     hwnd As IntPtr, 
     <MarshalAs(UnmanagedType.LPTSTR)>ByVal lpText As String, 
     <MarshalAs(UnmanagedType.LPTSTR)>ByVal lpCaption As String, 
     <MarshalAs(UnmanagedType.U4)>ByVal uType As MessageBoxOptions
) As <MarshalAs(UnmanagedType.U4)>MessageBoxResult
End Function

I basically like now to hook every process, which calls the MessageBoxA API get the normal text, but with the hook I like to append "hooked" at the end of the messageBox text. A friend who is very experienced with .net, but unfortunately to busy to help me with this, told me its definitly possible to do that. The steps would be, first I need the actual hooking function in a dll (library) which I will later inject in a process, then I need to determine if its a native or a managed process. If its a managed then there is no problem, but if it is a native process I need a loader. A native process doesn't have .net loaded so i need to load it manually first and then injectz the dll.

Then I need to get the Pointer to the .net method as a pointer so I know the adress where my hook should be directed to and then I can use GetProcessAdress and LoadLibraryA to get the Pointer to the API. The JMP I like to write at the beginning of the API can be realized by using WriteProcessMemory. Can someone show me how this can be realized on a simple example as mentioned above by hooking hte messagebox api and apending some text to it before it is called.

=)

Answer 1

I'm not sure if this is what you are looking for, but this is how I Hook into the mouse. Maybe it can help you figure out other hooks.

Public Class MouseDetector
    Public Event MouseLeftButtonClick(ByVal sender As Object, ByVal e As MouseEventArgs)
    Public Event MouseRightButtonClick(ByVal sender As Object, ByVal e As MouseEventArgs)
    Private Delegate Function MouseHookCallback(ByVal nCode As Integer, ByVal wParam As Integer, ByVal lParam As IntPtr) As Integer
    Private MouseHookCallbackDelegate As MouseHookCallback
    Private MouseHookID As Integer

    Public Sub New()
        If MouseHookID = 0 Then
            MouseHookCallbackDelegate = AddressOf MouseHookProc
            MouseHookID = SetWindowsHookEx(CInt(14), MouseHookCallbackDelegate, Marshal.GetHINSTANCE(Assembly.GetExecutingAssembly.GetModules()(0)), 0)
            If MouseHookID = 0 Then
                'error
            End If
        End If
    End Sub

    Public Sub Dispose()
        If Not MouseHookID = -1 Then
            UnhookWindowsHookEx(MouseHookID)
            MouseHookCallbackDelegate = Nothing
        End If
        MouseHookID = -1
    End Sub

    Private Enum MouseMessages
        WM_LeftButtonDown = 513
        WM_LeftButtonUp = 514
        WM_LeftDblClick = 515
        WM_RightButtonDown = 516
        WM_RightButtonUp = 517
        WM_RightDblClick = 518
    End Enum

    <StructLayout(LayoutKind.Sequential)> Private Structure Point
        Public x As Integer
        Public y As Integer
    End Structure

    <StructLayout(LayoutKind.Sequential)> Private Structure MouseHookStruct
        Public pt As Point
        Public hwnd As Integer
        Public wHitTestCode As Integer
        Public dwExtraInfo As Integer
    End Structure

    <DllImport("user32.dll", CharSet:=CharSet.Auto, CallingConvention:=CallingConvention.StdCall)> _
    Private Shared Function CallNextHookEx(ByVal idHook As Integer, ByVal nCode As Integer, ByVal wParam As IntPtr, ByVal lParam As IntPtr) As Integer
    End Function

    <DllImport("User32.dll", CharSet:=CharSet.Auto, CallingConvention:=CallingConvention.StdCall, SetLastError:=True)> _
    Private Shared Function SetWindowsHookEx(ByVal idHook As Integer, ByVal HookProc As MouseHookCallback, ByVal hInstance As IntPtr, ByVal wParam As Integer) As Integer
    End Function

    <DllImport("user32.dll", CharSet:=CharSet.Auto, CallingConvention:=CallingConvention.StdCall, SetLastError:=True)> _
    Private Shared Function UnhookWindowsHookEx(ByVal idHook As Integer) As Integer
    End Function

    Private Function MouseHookProc(ByVal nCode As Integer, ByVal wParam As Integer, ByVal lParam As IntPtr) As Integer
        If nCode < 0 Then
            Return CallNextHookEx(MouseHookID, nCode, wParam, lParam)
        End If
        Dim MouseData As MouseHookStruct = Marshal.PtrToStructure(lParam, GetType(MouseHookStruct))
        Select Case wParam
            Case MouseMessages.WM_LeftButtonUp
                RaiseEvent MouseLeftButtonClick(Nothing, New MouseEventArgs(MouseButtons.Left, 1, MouseData.pt.x, MouseData.pt.y, 0))
            Case MouseMessages.WM_RightButtonUp
                RaiseEvent MouseRightButtonClick(Nothing, New MouseEventArgs(MouseButtons.Right, 1, MouseData.pt.x, MouseData.pt.y, 0))
        End Select
        Return CallNextHookEx(MouseHookID, nCode, wParam, lParam)
    End Function
End Class

Private Sub MouseDetector_MouseLeftButtonClick(ByVal sender As Object, ByVal e As System.Windows.Forms.MouseEventArgs) Handles MouseDetector.MouseLeftButtonClick
        'MessageBox.Show("left")
End Sub