### LocalHook Usage Example

Source: https://easyhook.github.io/api/html/T_EasyHook_LocalHook.htm

Demonstrates implementing an entry point and installing a hook using LocalHook.Create.

```C#
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
using System.Runtime.InteropServices;
using EasyHook;

namespace FileMonInject
{
    public class Main : EasyHook.IEntryPoint
    {
        FileMon.FileMonInterface Interface;
        LocalHook CreateFileHook;
        Stack<String> Queue = new Stack<String>();

        public Main(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // connect to host...
            Interface = RemoteHooking.IpcConnectClient<FileMon.FileMonInterface>(InChannelName);

            // validate connection...
            Interface.Ping();
        }

        public void Run(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // install hook...
            try
            {
                CreateFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
                    new DCreateFile(CreateFile_Hooked),
                    this);
```

--------------------------------

### ExecuteAsService Usage Example

Source: https://easyhook.github.io/api/html/M_EasyHook_RemoteHooking_ExecuteAsService__1.htm

Example demonstrating how to use ExecuteAsService to enumerate processes with administrative privileges.

```C#
private static void OnProcessUpdate(Object InCallback)
{
    // pause the timer while the list is being refreshed
    ProcessTimer.Change(Timeout.Infinite, Timeout.Infinite);

    try
    {
        ProcessInfo[] Array = (ProcessInfo[])RemoteHooking.ExecuteAsService("EnumProcesses");
        SortedDictionary<String, ProcessInfo> Result = new SortedDictionary<String, ProcessInfo>();

        // sort by name...
        lock (ProcessList)
        {
            ActivePIDList.Clear();

            for (int i = 0; i < Array.Length; i++)
            {
                Result.Add(System.IO.Path.GetFileName(Array[i].FileName) + "____" + i, Array[i]);

                ActivePIDList.Add(Array[i].Id);
            }

            Result.Values.CopyTo(Array, 0);

            ProcessList.Clear();

            ProcessList.AddRange(Array);
        }
    }
    catch (AccessViolationException)
    {
        MessageBox.Show("This is an administrative task!", "Permission denied...", MessageBoxButtons.OK);

        Process.GetCurrentProcess().Kill();
    }
    finally
    {
        // resume periodic refresh every five seconds
        ProcessTimer.Change(5000, 5000);
    }
}

[Serializable]
public class ProcessInfo
{
    public String FileName;
    public Int32 Id;
    public Boolean Is64Bit;
    public String User;
}

public static ProcessInfo[] EnumProcesses()
{
    List<ProcessInfo> Result = new List<ProcessInfo>();
    Process[] ProcList = Process.GetProcesses();

    for (int i = 0; i < ProcList.Length; i++)
    {
        Process Proc = ProcList[i];

        try
        {
            ProcessInfo Info = new ProcessInfo();

            Info.FileName = Proc.MainModule.FileName;
            Info.Id = Proc.Id;
            Info.Is64Bit = RemoteHooking.IsX64Process(Proc.Id);
            Info.User = RemoteHooking.GetProcessIdentity(Proc.Id).Name;

            Result.Add(Info);
        }
        catch
        {
            // processes that cannot be queried are skipped
        }
    }

    return Result.ToArray();
}
```

--------------------------------

### Install Assemblies to GAC (VB.NET)

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_GacInstallAssemblies.htm

This VB.NET method allows for the installation of assemblies into the Global Assembly Cache. Specify the assembly paths, a descriptive string, and a unique ID for the installation.

```vbnet
Public Shared Sub GacInstallAssemblies (
    InAssemblyPaths As String(),
    InDescription As String,
    InUniqueID As String
)
```

--------------------------------

### Full C++ EasyHook Example

Source: https://easyhook.github.io/tutorials/nativehook.html

This C++ code demonstrates a complete hook installation and uninstallation process using EasyHook. It hooks the Windows Beep function to intercept and modify its behavior, including error handling and thread activation.

```cpp
#include <tchar.h>      // _tmain, _TCHAR
#include <string>
#include <iostream>
#include <Windows.h>
#include <easyhook.h>

using namespace std;

BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration);

BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration)
{
    cout << "\n****All your beeps belong to us!\n\n";
    return Beep(dwFreq + 800, dwDuration);
}

int _tmain(int argc, _TCHAR* argv[])
{
    HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

    cout << "\n";
    cout << GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep");

    // Install the hook
    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"),
        myBeepHook,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        wstring s(RtlGetLastErrorString());
        wcout << "Failed to install hook: ";
        wcout << s;
        cout << "\n\nPress any key to exit.";
        cin.get();
        return -1;
    }

    cout << "Beep after hook installed but not enabled.\n";
    Beep(500, 500);

    cout << "Activating hook for current thread only.\n";
    // If the threadId in the ACL is set to 0,
    // then internally EasyHook uses GetCurrentThreadId()
    ULONG ACLEntries[1] = { 0 };
    LhSetInclusiveACL(ACLEntries, 1, &hHook);

    cout << "Beep after hook enabled.\n";
    Beep(500, 500);

    cout << "Uninstall hook\n";
    LhUninstallHook(&hHook);

    cout << "Beep after hook uninstalled\n";
    Beep(500, 500);

    cout << "\n\nRestore ALL entry points of pending removals issued by LhUninstallHook()\n";
    LhWaitForPendingRemovals();

    cout << "Press any key to exit.";
    cin.get();

    return 0;
}
```

--------------------------------

### RemoteHooking.WakeUpProcess Method

Source: https://easyhook.github.io/api/html/M_EasyHook_RemoteHooking_WakeUpProcess.htm

If the library was injected with CreateAndInject(String, String, Int32, InjectionOptions, String, String, Int32, Object[]), this will finally start the current process. You should call this method in the library Run() method after all hooks have been installed.

```APIDOC
## WakeUpProcess Method

### Description
If the library was injected with CreateAndInject(String, String, Int32, InjectionOptions, String, String, Int32, Object[]), this will finally start the current process. You should call this method in the library Run() method after all hooks have been installed.

### Method
static void

### Endpoint
N/A (This is a class method, not an API endpoint)

### Parameters
None

### Request Example
None

### Response
#### Success Response (void)
This method does not return a value.

#### Response Example
None
```

--------------------------------

### Install Assemblies to GAC (C#)

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_GacInstallAssemblies.htm

Use this C# method to install one or more assemblies into the Global Assembly Cache. Provide the paths to the assemblies, a description, and a unique identifier.

```csharp
public static void GacInstallAssemblies(
    string[] InAssemblyPaths,
    string InDescription,
    string InUniqueID
)
```

--------------------------------

### NativeAPI.RtlInstallService Method

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_RtlInstallService.htm

Installs a new EasyHook service. This method is used to register a service that can be managed by the system.

````APIDOC
## POST /NativeAPI/RtlInstallService

### Description
Installs a new EasyHook service.

### Method
POST

### Endpoint
/NativeAPI/RtlInstallService

### Parameters
#### Request Body
- **InServiceName** (string) - Required - The name of the service to install.
- **InExePath** (string) - Required - The full path to the executable file for the service.
- **InChannelName** (string) - Required - The name of the communication channel for the service.

### Request Example
```json
{
  "InServiceName": "MyEasyHookService",
  "InExePath": "C:\\Path\\To\\MyService.exe",
  "InChannelName": "MyServiceChannel"
}
```

### Response
#### Success Response (200)
- **Success** (boolean) - Indicates if the service installation was successful.

#### Response Example
```json
{
  "Success": true
}
```
````

--------------------------------

### Accessing the GuidScheme Property

Source: https://easyhook.github.io/api/html/P_System_GACManagedAccess_InstallReference_GuidScheme.htm

Retrieves the GUID representing the scheme of the installation reference.

```C#
public Guid GuidScheme { get; }
```

```VB
Public ReadOnly Property GuidScheme As Guid
    Get
```

```C++
public:
property Guid GuidScheme {
    Guid get ();
}
```

```F#
member GuidScheme : Guid with get
```

--------------------------------

### OsInstallGuid Constant

Source: https://easyhook.github.io/api/html/T_System_GACManagedAccess_InstallReferenceGuid.htm

Represents the OS Install GUID. This GUID cannot be used for installing into GAC. It is typically associated with operating system installations.

```csharp
public const string OsInstallGuid = "{00000000-0000-0000-0000-000000000003}";
```

--------------------------------

### COMClassInfo Constructor (Guid, Guid, Int32[])

Source: https://easyhook.github.io/api/html/M_EasyHook_COMClassInfo__ctor.htm

Creates a new COMClassInfo instance using the COM class and interface Guids, indexing to retrieve addresses based on the order of methods in the COM interface.

```APIDOC
## COMClassInfo Constructor (Guid, Guid, Int32[])

### Description
Creates a new COMClassInfo instance using the COM class and interface Guids. The vTable indexes select which method addresses are retrieved, as defined by the order of the methods in the COM interface.

### Parameters
#### Path Parameters
- **clsid** (System.Guid) - Required - The class id (CLSID) of the COM object
- **iid** (System.Guid) - Required - The interface id (IID) of the COM interface. This interface MUST inherit from IUnknown.
- **vTableIndexes** (System.Int32[]) - Required - One or more method indexes to retrieve the address for. Index 0 == QueryInterface, 1 == AddRef, 2 == Release, 3 == first method and so on, i.e. the order that the methods appear in the interface's C++ header file.
```

--------------------------------

### Implement RemoteHooking and Config

Source: https://easyhook.github.io/api/html/T_EasyHook_Config.htm

Example demonstrating the use of Config.Register and RemoteHooking to inject a DLL into a target process.

```C#
using System;
using System.Collections.Generic;
using System.Runtime.Remoting;
using System.Text;
using System.IO;
using EasyHook;

namespace FileMon
{
    public class FileMonInterface : MarshalByRefObject
    {
        public void IsInstalled(Int32 InClientPID)
        {
            Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
        }

        public void OnCreateFile(Int32 InClientPID, String[] InFileNames)
        {
            for (int i = 0; i < InFileNames.Length; i++)
            {
                Console.WriteLine(InFileNames[i]);
            }
        }

        public void ReportException(Exception InInfo)
        {
            Console.WriteLine("The target process has reported an error:\r\n" + InInfo.ToString());
        }

        public void Ping()
        {
        }
    }

    class Program
    {
        static String ChannelName = null;

        static void Main(string[] args)
        {
            try
            {
                // requires administrator privileges (installs into the GAC)
                Config.Register(
                    "A FileMon like demo application.",
                    "FileMon.exe",
                    "FileMonInject.dll");

                RemoteHooking.IpcCreateServer<FileMonInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);

                // args[0] is the target process id
                RemoteHooking.Inject(
                    Int32.Parse(args[0]),
                    "FileMonInject.dll",
                    "FileMonInject.dll",
                    ChannelName);

                Console.ReadLine();
            }
            catch (Exception ExtInfo)
            {
                Console.WriteLine("There was an error while connecting to target:\r\n{0}", ExtInfo.ToString());
            }
        }
    }
}
```

--------------------------------

### Initialize and Query COMClassInfo

Source: https://easyhook.github.io/api/html/T_EasyHook_COMClassInfo.htm

Demonstrates initializing COMClassInfo using types or GUIDs and querying function pointers.

```C#
// 1. Use imported Class and Interface Types
COMClassInfo cci1 = new COMClassInfo(typeof(CLSID_DirectInputDevice8), typeof(IID_IDirectInputDevice8W), "GetCapabilities");
// 2. Use Guid from class and interface types
COMClassInfo cci2 = new COMClassInfo(typeof(CLSID_DirectInputDevice8).GUID, typeof(IID_IDirectInputDevice8W).GUID, 3);
// 3. Use class and interface Guids directly (no need to have class and interface types defined)
COMClassInfo cci3 = new COMClassInfo(new Guid("25E609E5-B259-11CF-BFC7-444553540000"), new Guid("54D41081-DC15-4833-A41B-748F73A38179"), 3);

// Will output False if dinput8.dll is not already loaded
Console.WriteLine(cci1.IsModuleLoaded());
cci1.Query();
cci2.Query();
cci3.Query();
// Will output True as dinput8.dll will be loaded by .Query() if not already
Console.WriteLine(cci1.IsModuleLoaded());

// Output the function pointers we queried
Console.WriteLine(cci1.FunctionPointers[0]);
Console.WriteLine(cci2.FunctionPointers[0]);
Console.WriteLine(cci3.FunctionPointers[0]);

// ...

[ComVisible(true)]
[Guid("25E609E5-B259-11CF-BFC7-444553540000")]
public class CLSID_DirectInputDevice8
{
}

[ComVisible(true)]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
[Guid("54D41081-DC15-4833-A41B-748F73A38179")]
public interface IID_IDirectInputDevice8W
{
    /*** IDirectInputDevice8W methods ***/
    int GetCapabilities(IntPtr deviceCaps); // fourth method due to IUnknown methods QueryInterface, AddRef and Release
    // other methods...
}
```

--------------------------------

### NativeAPI.RhInstallDriver Method

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_RhInstallDriver.htm

Installs a driver into the system using the specified path and driver name.

```APIDOC
## RhInstallDriver Method

### Description
Installs the EasyHook support driver into the system.

### Parameters
#### Path Parameters
- **InDriverPath** (String) - Required - The file system path to the driver file.
- **InDriverName** (String) - Required - The name to assign to the installed driver.

### Request Example
RhInstallDriver("C:\\Drivers\\EasyHook.sys", "EasyHookDriver")
```

--------------------------------

### Config.Register Method

Source: https://easyhook.github.io/api/html/M_EasyHook_Config_Register.htm

The Register method installs EasyHook and specified user assemblies into the GAC. It requires administrator privileges and ensures cleanup of references when the installing application shuts down. This method works transactionally, meaning if an error occurs, the GAC state remains unchanged.

````APIDOC
## Config.Register Method

### Description
Installs EasyHook and user-provided .NET assemblies into the Global Assembly Cache (GAC). It manages references and ensures cleanup upon application shutdown. Requires administrator privileges.

### Method
`static void Register(string InDescription, params string[] InUserAssemblies)`

### Endpoint
N/A (This is a library method, not an API endpoint)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
```csharp
// Example usage:
EasyHook.Config.Register("My Application Assemblies", "./MyAssembly.dll", "./Another.dll");
```

### Response
#### Success Response (void)
This method does not return a value upon success.

#### Response Example
N/A

### Exceptions
- **FileNotFoundException**: If at least one of the specified files cannot be found.
- **BadImageFormatException**: If unable to load at least one of the given files for reflection.
- **ArgumentException**: If at least one of the given files does not have a strong name.
````

--------------------------------

### AssemblyCache.InstallAssembly Method

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_AssemblyCache_InstallAssembly.htm

Installs an assembly into the Global Assembly Cache (GAC).

```APIDOC
## AssemblyCache.InstallAssembly Method

### Description
Installs an assembly into the Global Assembly Cache (GAC).

### Method
Static method

### Endpoint
N/A (This is a library method, not a web endpoint)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
None

### Response
#### Success Response (void)
This method does not return a value upon successful execution.

#### Response Example
None
```

--------------------------------

### RtlInstallService Method Signatures

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_RtlInstallService.htm

Method signatures for installing a service across different .NET languages.

```C#
public static void RtlInstallService(
    string InServiceName,
    string InExePath,
    string InChannelName
)
```

```VB
Public Shared Sub RtlInstallService (
    InServiceName As String,
    InExePath As String,
    InChannelName As String
)
```

```C++
public:
static void RtlInstallService(
    String^ InServiceName,
    String^ InExePath,
    String^ InChannelName
)
```

```F#
static member RtlInstallService :
        InServiceName : string *
        InExePath : string *
        InChannelName : string -> unit
```

--------------------------------

### Config.Register Method

Source: https://easyhook.github.io/api/html/T_EasyHook_Config.htm

Installs EasyHook and specified user .NET assemblies into the GAC. This method requires administrative privileges.

```APIDOC
## Config.Register

### Description
Installs EasyHook and all given user .NET assemblies into the GAC and ensures that all references are cleaned up if the installing application shuts down.

### Parameters
#### Request Body
- **description** (String) - Required - A description for the registration.
- **exePath** (String) - Required - The path to the executable.
- **assemblyPath** (String) - Required - The path to the assembly to register.

### Notes
- REQUIRES ADMIN PRIVILEGES.
```

--------------------------------

### COMClassInfo Constructor (Guid, Guid, Int32[])

Source: https://easyhook.github.io/api/html/M_EasyHook_COMClassInfo__ctor.htm

Initializes a new instance of the COMClassInfo class using the specified class ID, interface ID, and vTable indexes.

```C#
public COMClassInfo(
    Guid clsid,
    Guid iid,
    params int[] vTableIndexes
)
```

```VB
Public Sub New (
    clsid As Guid,
    iid As Guid,
    ParamArray vTableIndexes As Integer()
)
```

```C++
public:
COMClassInfo(
    Guid clsid,
    Guid iid,
    ... array<int>^ vTableIndexes
)
```

```F#
new :
        clsid : Guid *
        iid : Guid *
        vTableIndexes : int[] -> COMClassInfo
```

--------------------------------

### Install Assemblies to GAC (F#)

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_GacInstallAssemblies.htm

The F# signature for installing assemblies into the Global Assembly Cache. This function takes an array of assembly paths, a description, and a unique identifier as input.

```fsharp
static member GacInstallAssemblies :
        InAssemblyPaths : string[] *
        InDescription : string *
        InUniqueID : string -> unit
```

--------------------------------

### InjectionEntryPoint with IPC and Hooks

Source: https://easyhook.github.io/tutorials/remotefilemonitor.html

This class implements EasyHook.IEntryPoint to establish an IPC connection to a server and install hooks for file operations. The constructor connects to the server and pings it, while the Run method installs hooks for CreateFileW, ReadFile, and WriteFile.

```csharp
///
/// EasyHook will look for a class implementing EasyHook.IEntryPoint during injection. This
/// becomes the entry point within the target process after injection is complete.
///
public class InjectionEntryPoint: EasyHook.IEntryPoint
{
    ///
    /// Reference to the server interface within FileMonitor
    ///
    ServerInterface _server = null;

    ///
    /// Message queue of all files accessed
    ///
    Queue<string> _messageQueue = new Queue<string>();

    ///
    /// EasyHook requires a constructor that matches and any additional parameters as provided
    /// in the original call to .
    ///
    /// Multiple constructors can exist on the same , providing that each one has a corresponding Run method (e.g. ).
    ///
    /// The RemoteHooking context
    /// The name of the IPC channel
    public InjectionEntryPoint(
        EasyHook.RemoteHooking.IContext context,
        string channelName)
    {
        // Connect to server object using provided channel name
        _server = EasyHook.RemoteHooking.IpcConnectClient<ServerInterface>(channelName);

        // If Ping fails then the Run method will not be called
        _server.Ping();
    }

    ///
    /// The main entry point for our logic once injected within the target process.
    /// This is where the hooks will be created, and a loop will be entered until host process exits.
    /// EasyHook requires a matching Run method for the constructor
    ///
    /// The RemoteHooking context
    /// The name of the IPC channel
    public void Run(
        EasyHook.RemoteHooking.IContext context,
        string channelName)
    {
        // Injection is now complete and the server interface is connected
        _server.IsInstalled(EasyHook.RemoteHooking.GetCurrentProcessId());

        // Install hooks

        // CreateFile https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
        var createFileHook = EasyHook.LocalHook.Create(
            EasyHook.LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
            new CreateFile_Delegate(CreateFile_Hook),
            this);

        // ReadFile https://msdn.microsoft.com/en-us/library/windows/desktop/aa365467(v=vs.85).aspx
        var readFileHook = EasyHook.LocalHook.Create(
            EasyHook.LocalHook.GetProcAddress("kernel32.dll", "ReadFile"),
            new ReadFile_Delegate(ReadFile_Hook),
            this);

        // WriteFile https://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
        var writeFileHook = EasyHook.LocalHook.Create(
```

--------------------------------

### RemoteHooking.InstallSupportDriver Method

Source: https://easyhook.github.io/api/html/M_EasyHook_RemoteHooking_InstallSupportDriver.htm

Installs the EasyHook support driver. After this step, you may use InstallDriver(String, String) to install your kernel mode hooking component.

````APIDOC
## RemoteHooking.InstallSupportDriver Method

### Description
Installs the EasyHook support driver. After this step you may use InstallDriver(String, String) to install your kernel mode hooking component.

### Method
`static void`

### Endpoint
N/A (This is a library method, not an API endpoint)

### Parameters
None

### Request Example
```csharp
EasyHook.RemoteHooking.InstallSupportDriver();
```

### Response
#### Success Response (void)
This method does not return a value upon successful execution.

#### Response Example
N/A
````

--------------------------------

### NativeAPI.LhInstallHook Method

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_LhInstallHook.htm

Installs a hook on a specified entry point. This method is part of the EasyHook library for runtime hooking.

```APIDOC
## NativeAPI.LhInstallHook Method

### Description
Installs a hook on a specified entry point. This method is part of the EasyHook library for runtime hooking.

### Method
`static void LhInstallHook(IntPtr InEntryPoint, IntPtr InHookProc, IntPtr InCallback, IntPtr OutHandle)`

### Endpoint
N/A (This is a native method, not a web API endpoint)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
None

### Response
#### Success Response (void)
This method does not return a value.

#### Response Example
None

### Reference
- NativeAPI Class
- EasyHook Namespace
```

--------------------------------

### InstallReference Properties

Source: https://easyhook.github.io/api/html/Properties_T_System_GACManagedAccess_InstallReference.htm

The InstallReference class provides properties to describe an assembly reference, including its description, GUID scheme, and a unique identifier.

```APIDOC
## InstallReference Properties

### Description
The InstallReference type exposes the following members:

| Name | Description |
|---|---|
| Description | A string that is only understood by the entity that adds the reference. The GAC only stores this string. |
| GuidScheme | The entity that adds the reference. |
| Identifier | A unique string that identifies the application that installed the assembly. |

### Class
InstallReference Class

### Namespace
System.GACManagedAccess
```

--------------------------------

### InstallReference Class

Source: https://easyhook.github.io/api/html/T_System_GACManagedAccess_InstallReference.htm

Documentation for the InstallReference class, which represents a FUSION_INSTALL_REFERENCE structure for GAC assembly installations.

```APIDOC
## InstallReference Class

### Description
The InstallReference class represents a reference that is made when an application has installed an assembly in the GAC. It maps to the FUSION_INSTALL_REFERENCE structure.

### Namespace
System.GACManagedAccess

### Properties
- **Description** (string) - A string that is only understood by the entity that adds the reference. The GAC only stores this string.
- **GuidScheme** (string) - The entity that adds the reference.
- **Identifier** (string) - A unique string that identifies the application that installed the assembly.

### Methods
- **InstallReference()** - Constructor to create a new InstallReference instance.
- **Equals(Object)** - Determines whether the specified Object is equal to the current Object.
- **GetHashCode()** - Serves as a hash function for a particular type.
- **ToString()** - Returns a string that represents the current object.
```

--------------------------------

### Install Assemblies to GAC (C++/CLI)

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_GacInstallAssemblies.htm

This C++/CLI method is used to add assemblies to the Global Assembly Cache. It requires an array of assembly paths, a description, and a unique identifier for the assemblies being installed.

```cpp
public:
static void GacInstallAssemblies(
    array<String^>^ InAssemblyPaths,
    String^ InDescription,
    String^ InUniqueID
)
```

--------------------------------

### InstallReference.Identifier Property

Source: https://easyhook.github.io/api/html/P_System_GACManagedAccess_InstallReference_Identifier.htm

Retrieves the unique string identifier for the application that installed the assembly.

```APIDOC
## Property: InstallReference.Identifier

### Description
A unique string that identifies the application that installed the assembly.

### Namespace
System.GACManagedAccess

### Assembly
EasyHook (in EasyHook.dll) Version: 2.7.6684.0

### Property Value
- **Type**: String

### Syntax
- **C#**: public string Identifier { get; }
- **VB**: Public ReadOnly Property Identifier As String
- **C++**: property String^ Identifier { String^ get (); }
- **F#**: member Identifier : string with get
```

--------------------------------

### InstallSupportDriver Method Signatures

Source: https://easyhook.github.io/api/html/M_EasyHook_RemoteHooking_InstallSupportDriver.htm

Provides the method signature for installing the EasyHook support driver across multiple .NET languages.

```C#
public static void InstallSupportDriver()
```

```VB
Public Shared Sub InstallSupportDriver
```

```C++
public:
static void InstallSupportDriver()
```

```F#
static member InstallSupportDriver : unit -> unit
```

--------------------------------

### Method: InstallAssemblies

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_AssemblyCache_InstallAssemblies.htm

Installs a collection of assemblies into the Global Assembly Cache (GAC) using the specified reference and commit flags.

```APIDOC
## InstallAssemblies

### Description
Installs the provided assemblies to the Global Assembly Cache (GAC).

### Parameters
- **assemblyPaths** (String[]) - Required - An array of file paths to the assemblies to be installed.
- **reference** (InstallReference) - Required - The reference information for the installation.
- **flags** (AssemblyCommitFlags) - Required - Flags specifying how the assembly should be committed to the GAC.

### Request Example
{
  "assemblyPaths": ["C:\\path\\to\\assembly1.dll", "C:\\path\\to\\assembly2.dll"],
  "reference": "InstallReference object",
  "flags": "AssemblyCommitFlags enum value"
}
```

--------------------------------

### InstallReferenceGuid.IsValidGuidScheme Method

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_InstallReferenceGuid_IsValidGuidScheme.htm

Ensures that the provided Guid is one of the valid reference guids defined in InstallReferenceGuid (excluding MsiGuid and OsInstallGuid).

````APIDOC
## InstallReferenceGuid.IsValidGuidScheme Method

### Description
Ensures that the provided Guid is one of the valid reference guids defined in InstallReferenceGuid (excluding MsiGuid and OsInstallGuid).

### Method
static bool

### Endpoint
N/A (This is a static method, not an API endpoint)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
None

### Response
#### Success Response (200)
Type: Boolean
Description: True if the Guid is UninstallSubkeyGuid, FilePathGuid, OpaqueGuid or Empty.

#### Response Example
```json
{
  "example": "true"
}
```

### Reference
- InstallReferenceGuid Class
- System.GACManagedAccess Namespace
- Assembly: EasyHook (in EasyHook.dll) Version: 2.7.6684.0 (2.7.6684.0)
````

--------------------------------

### GetNextReference Method Signatures

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_AssemblyCacheInstallReferenceEnum_GetNextReference.htm

Method signatures for retrieving the next installation reference across multiple .NET languages.

```C#
public InstallReference GetNextReference()
```

```VB
Public Function GetNextReference As InstallReference
```

```C++
public:
InstallReference^ GetNextReference()
```

```F#
member GetNextReference : unit -> InstallReference
```

--------------------------------

### Install and Uninstall EasyHook Hook

Source: https://easyhook.github.io/tutorials/nativehook.html

Use LhInstallHook to install the hook handler and LhUninstallHook to remove it. LhSetInclusiveACL is used to specify which threads should be intercepted. LhWaitForPendingRemovals ensures all hooks are cleaned up.

```cpp
HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

NTSTATUS result = LhInstallHook(
    GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"),
    myBeepHook,
    NULL,
    &hHook);
if (FAILED(result))
{
    // Hook could not be installed, see RtlGetLastErrorString() for details
    return;
}

// If the threadId in the ACL is set to 0,
// then internally EasyHook uses GetCurrentThreadId()
ULONG ACLEntries[1] = { 0 };
// Enable the hook for the provided threadIds
LhSetInclusiveACL(ACLEntries, 1, &hHook);

// ...

// Remove the hook handler
LhUninstallHook(&hHook);

// This will restore all functions that have any
// uninstalled hooks back to their original state.
LhWaitForPendingRemovals();
```

--------------------------------

### NativeAPI.GacInstallAssemblies Method

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_GacInstallAssemblies.htm

Installs assemblies into the Global Assembly Cache (GAC).

```APIDOC
## NativeAPI.GacInstallAssemblies Method

### Description
Installs assemblies into the Global Assembly Cache (GAC).

### Method
static void

### Endpoint
N/A (This is a library method, not a web endpoint)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
None

### Response
#### Success Response (200)
None (void return type)

#### Response Example
None

### Parameters
- **InAssemblyPaths** (System.String[]) - Required - An array of strings representing the paths to the assemblies to be installed.
- **InDescription** (System.String) - Required - A description for the assemblies being installed.
- **InUniqueID** (System.String) - Required - A unique identifier for the installation.
```

--------------------------------

### COMClassInfo Constructor

Source: https://easyhook.github.io/api/html/Overload_EasyHook_COMClassInfo__ctor.htm

Initializes a new instance of the COMClassInfo class using GUIDs or Types.

```APIDOC
## COMClassInfo Constructor

### Description
Creates a new COMClassInfo instance to facilitate COM hooking.

### Parameters
#### Overload 1: COMClassInfo(Guid, Guid, Int32[])
- **classGuid** (Guid) - Required - The COM class Guid.
- **interfaceGuid** (Guid) - Required - The interface Guid.
- **methodIndexes** (Int32[]) - Required - Indexes to retrieve the addresses as defined by the order of the methods in the COM interface.

#### Overload 2: COMClassInfo(Type, Type, String[])
- **classType** (Type) - Required - The COM class type.
- **interfaceType** (Type) - Required - The interface type.
- **methodNames** (String[]) - Required - The function names to retrieve the addresses for.
```

--------------------------------

### Implement RemoteHooking Interface

Source: https://easyhook.github.io/api/html/T_EasyHook_RemoteHooking.htm

Example implementation of a class using RemoteHooking and Config for IPC communication.

```C#
using System;
using System.Collections.Generic;
using System.Runtime.Remoting;
using System.Text;
using System.IO;
using EasyHook;

namespace FileMon
{
    public class FileMonInterface : MarshalByRefObject
    {
        public void IsInstalled(Int32 InClientPID)
        {
            Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
        }
```

--------------------------------

### LhInstallHook Method Signatures

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_LhInstallHook.htm

Method signatures for installing hooks across multiple .NET languages.

```C#
public static void LhInstallHook(
    IntPtr InEntryPoint,
    IntPtr InHookProc,
    IntPtr InCallback,
    IntPtr OutHandle
)
```

```VB
Public Shared Sub LhInstallHook (
    InEntryPoint As IntPtr,
    InHookProc As IntPtr,
    InCallback As IntPtr,
    OutHandle As IntPtr
)
```

```C++
public:
static void LhInstallHook(
    IntPtr InEntryPoint,
    IntPtr InHookProc,
    IntPtr InCallback,
    IntPtr OutHandle
)
```

```F#
static member LhInstallHook :
        InEntryPoint : IntPtr *
        InHookProc : IntPtr *
        InCallback : IntPtr *
        OutHandle : IntPtr -> unit
```

--------------------------------

### RhInstallDriver Method Signatures

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_RhInstallDriver.htm

Method signatures for installing an EasyHook driver across multiple .NET languages.

```C#
public static void RhInstallDriver(
    string InDriverPath,
    string InDriverName
)
```

```VB
Public Shared Sub RhInstallDriver (
    InDriverPath As String,
    InDriverName As String
)
```

```C++
public:
static void RhInstallDriver(
    String^ InDriverPath,
    String^ InDriverName
)
```

```F#
static member RhInstallDriver :
        InDriverPath : string *
        InDriverName : string -> unit
```

--------------------------------

### WakeUpProcess Method Signatures

Source: https://easyhook.github.io/api/html/M_EasyHook_RemoteHooking_WakeUpProcess.htm

Method signatures for starting an injected process across supported .NET languages.

```C#
public static void WakeUpProcess()
```

```VB
Public Shared Sub WakeUpProcess
```

```C++
public:
static void WakeUpProcess()
```

```F#
static member WakeUpProcess : unit -> unit
```

--------------------------------

### InstallAssembly Method Signatures

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_AssemblyCache_InstallAssembly.htm

Provides the method signature for installing an assembly into the GAC across multiple .NET languages.

```C#
public static void InstallAssembly(
    string assemblyPath,
    InstallReference reference,
    AssemblyCommitFlags flags
)
```

```VB
Public Shared Sub InstallAssembly (
    assemblyPath As String,
    reference As InstallReference,
    flags As AssemblyCommitFlags
)
```

```C++
public:
static void InstallAssembly(
    String^ assemblyPath,
    InstallReference^ reference,
    AssemblyCommitFlags flags
)
```

```F#
static member InstallAssembly :
        assemblyPath : string *
        reference : InstallReference *
        flags : AssemblyCommitFlags -> unit
```

--------------------------------

### InstallReferenceGuid Fields

Source: https://easyhook.github.io/api/html/Fields_T_System_GACManagedAccess_InstallReferenceGuid.htm

Details the available GUID fields used to identify assembly references in the GAC.

```APIDOC
## InstallReferenceGuid Fields

### Description
The InstallReferenceGuid class provides static GUID fields used to specify how an assembly is referenced within the Global Assembly Cache (GAC).

### Fields
- **FilePathGuid**: FUSION_REFCOUNT_FILEPATH_GUID - The assembly is referenced by an application represented by a file path.
- **MsiGuid**: FUSION_REFCOUNT_MSI_GUID - The assembly is referenced by an application installed via Windows Installer. Note: This GUID cannot be used for manual installation into GAC.
- **OpaqueGuid**: FUSION_REFCOUNT_OPAQUE_STRING_GUID - The assembly is referenced by an opaque string. The GAC does not perform existence checking for these references.
- **OsInstallGuid**: Reserved for OS installation.
Note: This GUID cannot be used for installing into GAC.
- **UninstallSubkeyGuid**: FUSION_REFCOUNT_UNINSTALL_SUBKEY_GUID - The assembly is referenced by an application registered in Add/Remove Programs.
```

--------------------------------

### InstallAssemblies Method Signatures

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_AssemblyCache_InstallAssemblies.htm

Provides the method signature for installing assemblies into the GAC across multiple .NET languages.

```C#
public static void InstallAssemblies(
    string[] assemblyPaths,
    InstallReference reference,
    AssemblyCommitFlags flags
)
```

```VB
Public Shared Sub InstallAssemblies (
    assemblyPaths As String(),
    reference As InstallReference,
    flags As AssemblyCommitFlags
)
```

```C++
public:
static void InstallAssemblies(
    array<String^>^ assemblyPaths,
    InstallReference^ reference,
    AssemblyCommitFlags flags
)
```

```F#
static member InstallAssemblies :
        assemblyPaths : string[] *
        reference : InstallReference *
        flags : AssemblyCommitFlags -> unit
```

--------------------------------

### InstallReferenceGuid Constructor

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_InstallReferenceGuid__ctor.htm

Initializes a new instance of the InstallReferenceGuid class.

```APIDOC
## InstallReferenceGuid Constructor

### Description
Initializes a new instance of the InstallReferenceGuid class.

### Namespace
System.GACManagedAccess

### Assembly
EasyHook (in EasyHook.dll) Version: 2.7.6684.0

### Syntax
- **C#**: public InstallReferenceGuid()
- **VB**: Public Sub New
- **C++**: public: InstallReferenceGuid()
- **F#**: new : unit -> InstallReferenceGuid
```

--------------------------------

### MsiGuid Constant

Source: https://easyhook.github.io/api/html/T_System_GACManagedAccess_InstallReferenceGuid.htm

Represents the FUSION_REFCOUNT_MSI_GUID. This GUID cannot be used for installing into GAC. It signifies that the assembly is referenced by an application installed via Windows Installer.
This scheme should only be used by Windows Installer itself.

```csharp
public static readonly Guid MsiGuid
```

--------------------------------

### InstallReferenceGuid Constructor

Source: https://easyhook.github.io/api/html/M_System_GACManagedAccess_InstallReferenceGuid__ctor.htm

Initializes a new instance of the InstallReferenceGuid class. This is the default constructor.

```C#
public InstallReferenceGuid()
```

```VB
Public Sub New
```

```C++
public:
InstallReferenceGuid()
```

```F#
new : unit -> InstallReferenceGuid
```

--------------------------------

### Initialize Config Class Instance

Source: https://easyhook.github.io/api/html/M_EasyHook_Config__ctor.htm

Use this constructor to create a new instance of the Config class. No specific setup is required beyond having the EasyHook library available.

```csharp
public Config()
```

```vb
Public Sub New
```

```cpp
public:
Config()
```

```fsharp
new : unit -> Config
```

--------------------------------

### Get Current Process ID - VB

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_GetCurrentProcessId.htm

This method retrieves the current process identifier. It is part of the NativeAPI class and requires no additional setup.

```vb
Public Shared Function GetCurrentProcessId As Integer
```

--------------------------------

### Get Last Error Code in C#

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_RtlGetLastError.htm

Use this method to retrieve the last error code from the NativeAPI. No specific setup or imports are required beyond the EasyHook library.

```csharp
public static int RtlGetLastError()
```

--------------------------------

### InstallReference Class Methods

Source: https://easyhook.github.io/api/html/Methods_T_System_GACManagedAccess_InstallReference.htm

This section lists the methods available for the InstallReference class, including inherited methods from the Object class.
```APIDOC
## InstallReference Methods

### Description
This section lists the methods available for the InstallReference class.

### Methods
- **Equals** (Inherited from Object) - Determines whether the specified Object is equal to the current Object.
- **Finalize** (Inherited from Object) - Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection.
- **GetHashCode** (Inherited from Object) - Serves as a hash function for a particular type.
- **GetType** (Inherited from Object) - Gets the Type of the current instance.
- **MemberwiseClone** (Inherited from Object) - Creates a shallow copy of the current Object.
- **ToString** (Inherited from Object) - Returns a string that represents the current object.
```

--------------------------------

### Get Current Process ID - C#

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_GetCurrentProcessId.htm

Use this method to obtain the unique identifier for the currently executing process. No specific setup or imports are required beyond the EasyHook library.

```csharp
public static int GetCurrentProcessId()
```

--------------------------------

### LocalHook.CreateUnmanaged Method

Source: https://easyhook.github.io/api/html/M_EasyHook_LocalHook_CreateUnmanaged.htm

Installs an unmanaged hook. After calling this, the hook must be activated by setting a proper ThreadACL.

```APIDOC
## LocalHook.CreateUnmanaged

### Description
Installs an unmanaged hook. After this you'll have to activate it by setting a proper ThreadACL. HookRuntimeInfo is not supported; refer to the native "LhBarrierXxx" APIs to access unmanaged hook runtime information.

### Method
Static Method

### Parameters
- **InTargetProc** (IntPtr) - Required - A target entry point that should be hooked.
- **InNewProc** (IntPtr) - Required - A handler with the same signature as the original entry point that will be invoked for every call.
- **InCallback** (IntPtr) - Required - An uninterpreted callback that will later be available through LhBarrierGetCallback().

### Return Value
- **LocalHook** - A handle to the newly created hook.

### Exceptions
- **OutOfMemoryException** - Not enough memory available to complete the operation.
- **ArgumentException** - The given function pointer does not map to executable memory or null was passed as a delegate.
- **NotSupportedException** - The given entry point contains machine code that cannot be hooked.
- **InsufficientMemoryException** - The maximum number of hooks (1024) has been installed.
```

--------------------------------

### NativeAPI.RhInstallSupportDriver Method

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_RhInstallSupportDriver.htm

Installs the EasyHook support driver. This method is part of the NativeAPI class and is used for driver-level operations.

```APIDOC
## NativeAPI.RhInstallSupportDriver Method

### Description
Installs the EasyHook support driver. This method is part of the NativeAPI class and is used for driver-level operations.

### Method
`static void` (C#), `Shared Sub` (VB), `static void` (C++), `unit -> unit` (F#)

### Endpoint
N/A (This is a library method, not a web endpoint)

### Parameters
None

### Request Example
    EasyHook.NativeAPI.RhInstallSupportDriver();

### Response
This method does not return a value. Success is indicated by the absence of exceptions.
```

--------------------------------

### NativeAPI.LhUninstallHook Method

Source: https://easyhook.github.io/api/html/M_EasyHook_NativeAPI_LhUninstallHook.htm

The LhUninstallHook method is used to remove a previously installed hook. It requires a handle to the hook to be uninstalled.

```APIDOC
## LhUninstallHook Method

### Description
Uninstalls a previously installed hook.

### Method
`static void LhUninstallHook(IntPtr RefHandle)`

### Endpoint
N/A (This is a library method, not a web endpoint)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
None

### Response
#### Success Response (200)
None (void return type)

#### Response Example
None
```

--------------------------------

### Call HelperServiceInterface.Ping Method

Source: https://easyhook.github.io/api/html/M_EasyHook_HelperServiceInterface_Ping.htm

Use this method to check if the service is responsive. No setup or imports are required beyond having an instance of HelperServiceInterface.

```csharp
public void Ping()
```

```vb
Public Sub Ping
```

```cpp
public:
void Ping()
```

```fsharp
member Ping : unit -> unit
```

--------------------------------

### Accessing the Identifier Property

Source: https://easyhook.github.io/api/html/P_System_GACManagedAccess_InstallReference_Identifier.htm

Retrieves the unique identifier string for the installation reference across multiple .NET languages.

```C#
public string Identifier { get; }
```

```VB
Public ReadOnly Property Identifier As String
    Get
```

```C++
public:
property String^ Identifier {
    String^ get ();
}
```

```F#
member Identifier : string with get
```

--------------------------------

### Validate Guid Scheme - IsValidGuidScheme

Source: https://easyhook.github.io/api/html/T_System_GACManagedAccess_InstallReferenceGuid.htm

Ensures that the provided Guid is one of the valid reference guids defined in InstallReferenceGuid, excluding MsiGuid and OsInstallGuid. This method is useful for validating GUID inputs before they are used.

```csharp
public bool IsValidGuidScheme()
```

--------------------------------

### InstallDriver Method Signature (C#)

Source: https://easyhook.github.io/api/html/M_EasyHook_RemoteHooking_InstallDriver.htm

Use this method to load a driver into the kernel. Ensure you use IsX64System to determine the correct driver for your system architecture.
```csharp
public static void InstallDriver(
    string InDriverPath,
    string InDriverName
)
```

```vb
Public Shared Sub InstallDriver (
    InDriverPath As String,
    InDriverName As String
)
```

```cpp
public:
static void InstallDriver(
    String^ InDriverPath,
    String^ InDriverName
)
```

```fsharp
static member InstallDriver :
        InDriverPath : string *
        InDriverName : string -> unit
```

--------------------------------

### LocalHook.Create Method

Source: https://easyhook.github.io/api/html/M_EasyHook_LocalHook_Create.htm

Installs a managed hook on a specified target procedure. After creation, the hook must be activated using ThreadACL.

```APIDOC
## LocalHook.Create

### Description
Installs a managed hook. After this you'll have to activate it by setting a proper ThreadACL.

### Method
Static Method

### Parameters
- **InTargetProc** (IntPtr) - Required - A target entry point that should be hooked.
- **InNewProc** (Delegate) - Required - A handler with the same signature as the original entry point that will be invoked for every call.
- **InCallback** (Object) - Required - An uninterpreted callback that will later be available through Callback.

### Return Value
- **LocalHook** - A handle to the newly created hook.

### Exceptions
- **OutOfMemoryException** - Not enough memory available to complete the operation.
- **ArgumentException** - The given function pointer does not map to executable memory or null was passed as a delegate.
- **NotSupportedException** - The given entry point contains machine code that cannot be hooked.
- **InsufficientMemoryException** - The maximum number of hooks (1024) has been installed.
```

--------------------------------

### InstallReferenceGuid.MsiGuid Field

Source: https://easyhook.github.io/api/html/F_System_GACManagedAccess_InstallReferenceGuid_MsiGuid.htm

Represents the FUSION_REFCOUNT_MSI_GUID used when an assembly is referenced by an application installed via Windows Installer.
```APIDOC
## InstallReferenceGuid.MsiGuid Field

### Description
This GUID represents the FUSION_REFCOUNT_MSI_GUID. It indicates that the assembly is referenced by an application installed using Windows Installer. This scheme is reserved for use by Windows Installer itself and cannot be used for manual installation into the GAC.

### Namespace
System.GACManagedAccess

### Assembly
EasyHook (in EasyHook.dll) Version: 2.7.6684.0

### Field Value
Type: Guid

### Implementation
- C#: public static readonly Guid MsiGuid
- VB: Public Shared ReadOnly MsiGuid As Guid
- C++: public: static initonly Guid MsiGuid
- F#: static val MsiGuid: Guid
```