In this tutorial we will create a remote file monitor using EasyHook. We will cover how to:
- Inject a managed assembly into an existing target process, given its process Id
- Inject a managed assembly into a newly created (and suspended) process, given the path to its executable
- Create local hooks inside the remote process to monitor three file operations (CreateFile, ReadFile and WriteFile)
- Report file accesses back to the main console application using .NET inter-process communication (IPC)
For this tutorial we will be creating a solution with two projects:
- FileMonitor: a C# console application; and
- FileMonitorHook: a C# class library that contains the hook logic and the IPC interface. This assembly is our injection payload.
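The following is an added illustration of how those pieces fit together, not the tutorial's own code (the tutorial builds them up project by project in the sections that follow). Both projects are condensed into one file here: the injector plus the IPC contract, and a payload that hooks only CreateFileW (ReadFile and WriteFile follow the same pattern). It assumes the EasyHook NuGet package (EasyHook.dll) is referenced; the payload file name "FileMonitorHook.dll", the `FileMonitorInterface` method names and the `args[0]` convention (a PID or an executable path) are assumptions of this example.

```csharp
// Added illustration, not the tutorial's code. Assumes EasyHook.dll is referenced
// and that the payload assembly is built as "FileMonitorHook.dll" next to the injector.
using System;
using System.Runtime.InteropServices;
using System.Runtime.Remoting;
using EasyHook;

// IPC contract shared by both projects. The object lives in the console app; the
// payload reaches it through the .NET Remoting IPC channel EasyHook creates.
public class FileMonitorInterface : MarshalByRefObject
{
    public void ReportAccess(int clientPid, string operation, string path)
    {
        Console.WriteLine("[{0}] {1} {2}", clientPid, operation, path);
    }
    public void ReportException(Exception e) { Console.WriteLine("Hook error: " + e); }
}

// ---- FileMonitor (console application) ----
public static class Injector
{
    public static void Main(string[] args)
    {
        string channelName = null;
        // EasyHook fills channelName with a random name; it is handed to the payload
        // as a pass-through argument so only this injection can find the server.
        RemoteHooking.IpcCreateServer<FileMonitorInterface>(ref channelName, WellKnownObjectMode.Singleton);

        // Same path for x86 and x64 because the payload is compiled AnyCPU.
        string payload = System.IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "FileMonitorHook.dll");

        int pid;
        if (int.TryParse(args[0], out pid))
        {
            // Mode 1: inject into an already running process by Id.
            RemoteHooking.Inject(pid, payload, payload, channelName);
        }
        else
        {
            // Mode 2: create the process suspended and inject before its first instruction runs.
            RemoteHooking.CreateAndInject(args[0], "", 0, InjectionOptions.DoNotRequireStrongName,
                payload, payload, out pid, channelName);
        }
        Console.WriteLine("Injected into PID {0}; press Enter to exit.", pid);
        Console.ReadLine();
    }
}

// ---- FileMonitorHook (class library, the injection payload) ----
// EasyHook instantiates the IEntryPoint inside the target and calls Run(); the extra
// parameters of both are the pass-through arguments given at injection time.
public class EntryPoint : IEntryPoint
{
    readonly FileMonitorInterface _server;

    public EntryPoint(RemoteHooking.IContext context, string channelName)
    {
        _server = RemoteHooking.IpcConnectClient<FileMonitorInterface>(channelName);
    }

    public void Run(RemoteHooking.IContext context, string channelName)
    {
        try
        {
            var hook = LocalHook.Create(
                LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
                new CreateFileW_Delegate(CreateFileW_Hook), this);
            // Exclusive ACL: intercept every thread except those listed; 0 is this thread.
            hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
        }
        catch (Exception e) { _server.ReportException(e); return; }

        // Only needed after CreateAndInject: resume the suspended main thread.
        RemoteHooking.WakeUpProcess();
        // Returning from Run() unloads the payload, so keep it alive while monitoring.
        while (true) System.Threading.Thread.Sleep(500);
    }

    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
    delegate IntPtr CreateFileW_Delegate(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
    static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    IntPtr CreateFileW_Hook(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile)
    {
        // Report first, swallowing IPC failures so a dead console never breaks the target,
        // then call the real function so the target's behaviour is unchanged.
        try { _server.ReportAccess(RemoteHooking.GetCurrentProcessId(), "CreateFile", lpFileName); } catch { }
        return CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
            dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
    }
}
```

Two practical checks before running this: `RemoteHooking.Inject` needs the right to open the target process, so run the console app as the same user as the target (or elevated), and the payload assembly must be loadable by the target, which is why `InjectionOptions.DoNotRequireStrongName` is passed instead of installing it into the GAC. Note also that the detour runs on the target's own threads with the target's privileges, so the hook must never throw and should do as little as possible beyond reporting.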