C# EasyHook 2.5 Chinese translation


I found a bilingual (Chinese/English) tutorial online (though in many places the Chinese was poorly translated), and since I need to learn this now, and reading the English material is sometimes more reliable, I will keep helping with the translation as I learn. My ability is limited, so if there are problems with the translation please point them out promptly so that others whose English is not so good can benefit. Thanks.
Part of the translation is taken from: http://blog.cuile.com/blog/archives/98
Original: http://code.google.com/p/easyhook-continuing-detours/wiki/Introduction

Continuing Detours: the reinvention of Windows API Hooking

Microsoft® Detours' latest release was in December 2006. Times have changed since then, and the .NET Framework has become more and more popular. Besides the well-known unmanaged code hooking, EasyHook provides a way to hook unmanaged code from a managed environment. This brings several advantages:

No resource or memory leaks are left in the target.

You can write pure managed hook handlers for unmanaged APIs.

All hooks are installed and automatically removed in a stable manner.

You can use all the conveniences managed code provides, like .NET Remoting, WCF and WPF.

You can write injection libraries and host processes compiled for AnyCPU, which lets you inject your code into 32- and 64-bit processes from 64- and 32-bit processes using the very same assembly in all cases.

This way hooking has become a simple task, and you can write hooking applications like FileMon or RegMon with a few lines of code.

Further, EasyHook 2.5 provides additional features like:

Experimental stealth injection for unmanaged code that does not raise the attention of any current AV. (Translator's note: this looks like an attempt to win over virus writers.)

32- and 64-bit kernel mode hooking support, since Windows XP.

A pure unmanaged hooking core, which improves performance, stability and compatibility.

A solid unmanaged API for writing hooking apps and libraries without the .NET Framework.

The unmanaged core does not require CRT bindings and thus reduces the deployment size by some megabytes. Also, Windows 2000 SP4 and Windows Server 2008 SP1 can now be targeted with the same EasyHook binary.

Minimal software requirements for end users to execute applications using EasyHook:
Windows 2000 SP4 or later
Microsoft .NET Framework 2.0 Redistributable

Table of Contents
1 Continuing Detours: the reinvention of Windows API Hooking
1.1 Security Advisor
1.2 A simple FileMon derivate
2 A deep look under the hook
2.1 Global Assembly Cache
2.2 Windows Defender
2.3 Injection – A burden made easy
2.3.1 Creating an already hooked process
2.4 The injected library entry point
2.4.1 The library constructor
2.4.2 The library Run-Method
2.5 Injection helper routines
2.6 How to install a hook
2.7 How to write a hook handler
2.8 Using Thread ACLs
2.9 Using handler utilities
2.10 The IPC helper API
2.11 Guidelines for stable hooking
2.12 A look into the future

ATTENTION

This Guide will cover the managed part of EasyHook only. Most things also apply to the unmanaged API. Refer to the “Unmanaged API Reference” for more information. The “Managed API Reference” also contains much additional information to the stuff covered here.

LICENSE CHANGE

EasyHook is now released under the Lesser GPL instead of the MIT License.

ProcessMonitor Screenshot

The following is a screenshot of my ProcessMonitor demo, shipping with the source code and the binary package:

It allows you to intercept CreateFile calls of any process currently running in your system.

1.1 Security Advisor

Unlike what some (commercial) hooking libraries out there advertise to boost sales, user-mode hooking can NEVER be a safe way to apply additional security checks. If you only want to “sandbox” a dedicated process that you know well, and the process in fact doesn’t know about EasyHook, this might succeed! But don’t ever attempt to write any security software based on user-mode hooking. It won’t work, I promise you… This is also why EasyHook does not support so-called “system-wide” injection, which is in fact just an illusion, because, as I said, with user-mode hooks this will always be impossible. But if you want to keep this illusion you may stick with the other (commercial) libraries attempting to do so…
Since EasyHook 2.5, you are able to easily hook 32-bit kernels. Even if EasyHook allowed hooking 64-bit kernels, I wouldn’t recommend it, because you would get into trouble with PatchGuard. Bypassing PatchGuard is possible, at least these days, but the chance of BSODing your customers’ PCs is too big. You should consider purchasing the PatchGuard API, which will allow you to write security apps based on kernel-mode interceptions. Kernel-mode hooking (or the PatchGuard API) is the only option to apply additional security checks. Since Windows Vista, the Windows Filtering Platform and other Vista-specific APIs will also be helpful for writing security software!

So what is user-mode hooking for? In general, user-mode hooking is intended for API monitoring, like Mark Russinovich’s ProcessMonitor (alias FileMon/RegMon), resource leak detection, various malware which doesn’t need to care about security issues, extending applications and libraries you don’t have the source code for (also cracks may fall in this category), adding a compatibility layer for existing applications to run on newer OSes, etc.

If anyone uses the word “security” in the context of user-mode hooks, your alarm bells should ring!

1.2 A simple FileMon derivative

To prove that EasyHook really makes hooking simple, look at the following demo application, which logs all file accesses of a given process. We need a host process which injects the library and displays the file accesses. It is possible to combine the injection library and the host process in one file, as both are just treated as valid .NET assemblies, but I think separating them is a more consistent approach. This demo will be used throughout the whole guide:

using System;
using System.Collections.Generic;
using System.Runtime.Remoting;
using System.Text;
using EasyHook;

namespace FileMon
{
    // Remoted object the injected library talks to. With WellKnownObjectMode.SingleCall
    // a fresh instance serves every call, so it must not keep state between calls.
    public class FileMonInterface : MarshalByRefObject
    {
        public void IsInstalled(Int32 InClientPID)
        {
            Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
        }

        public void OnCreateFile(Int32 InClientPID, String[] InFileNames)
        {
            for (int i = 0; i < InFileNames.Length; i++)
            {
                Console.WriteLine(InFileNames[i]);
            }
        }

        public void ReportException(Exception InInfo)
        {
            Console.WriteLine("The target process has reported an error:\r\n" + InInfo.ToString());
        }

        // Keep-alive: the library calls this periodically, so a dead host shows up
        // in the target as a remoting failure and the library can unload itself.
        public void Ping()
        {
        }
    }

    class Program
    {
        static String ChannelName = null;

        static void Main(string[] args)
        {
            try
            {
                // Install EasyHook into the GAC and register our two assemblies there,
                // so the target process is able to locate and load them.
                Config.Install(typeof(Config).Assembly.Location);
                Config.Register(
                    "A FileMon like demo application.",
                    "FileMon.exe",
                    "FileMonInject.dll");

                // Start the IPC server; EasyHook fills ChannelName with a generated channel name.
                RemoteHooking.IpcCreateServer<FileMonInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);

                // Inject into the PID given on the command line. The same AnyCPU library is
                // passed for the 32-bit and the 64-bit case; ChannelName is forwarded to the
                // library's constructor and Run method.
                RemoteHooking.Inject(
                    Int32.Parse(args[0]),
                    InjectionOptions.None,
                    "FileMonInject.dll",
                    "FileMonInject.dll",
                    ChannelName);

                Console.ReadLine();
            }
            catch (Exception ExtInfo)
            {
                Console.WriteLine("There was an error while connecting to target:\r\n{0}", ExtInfo.ToString());
            }
        }
    }
}


The most complex part is the injected library, which has to fulfill various requirements. We hook the CreateFile API and redirect all requests to our host process. The library is unloaded when the host process terminates:

using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
using System.Runtime.InteropServices;
using EasyHook;

namespace FileMonInject
{
    public class Main : EasyHook.IEntryPoint
    {
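The listing above breaks off at the class header. The following is an added example of what the injected library side of this demo looks like; it is written here against the EasyHook 2.5 managed API and is neither the page's own listing nor the EasyHook project's sample code. It assumes the library project references the host assembly (FileMon.exe) so that FileMonInterface from the host listing is available, and it relies on LocalHook.Create, LocalHook.GetProcAddress, HookRuntimeInfo.Callback, RemoteHooking.IpcConnectClient and RemoteHooking.WakeUpProcess as documented for that release. The Stack-based queue and the 500 ms pump interval are design choices of this example, not requirements of EasyHook.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;
using FileMon;   // assumption: the library references FileMon.exe for FileMonInterface

namespace FileMonInject
{
    // EasyHook instantiates the IEntryPoint class with a constructor and then calls Run;
    // the parameters after IContext mirror the pass-through arguments given to
    // RemoteHooking.Inject in the host, here the IPC channel name.
    public class Main : EasyHook.IEntryPoint
    {
        FileMonInterface Interface;                 // proxy to the host's remoted object
        LocalHook CreateFileHook;
        Stack<String> Queue = new Stack<String>();  // names captured by the hook, drained by Run

        public Main(RemoteHooking.IContext InContext, String InChannelName)
        {
            // If the host cannot be reached this throws and the injection fails cleanly.
            Interface = RemoteHooking.IpcConnectClient<FileMonInterface>(InChannelName);
            Interface.Ping();
        }

        public void Run(RemoteHooking.IContext InContext, String InChannelName)
        {
            try
            {
                CreateFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
                    new DCreateFile(CreateFile_Hooked),
                    this);
                // Exclusive ACL with thread id 0 (= the current thread): every thread of the
                // target is intercepted except the one running this loop, so the IPC traffic
                // we generate ourselves is not logged.
                CreateFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
            catch (Exception ExtInfo)
            {
                Interface.ReportException(ExtInfo);
                return;
            }

            Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
            RemoteHooking.WakeUpProcess();   // resumes a target that was created suspended

            // Pump captured names to the host. Once the host is gone, the remoting call
            // throws, Run returns, and EasyHook removes the hook and unloads the library.
            try
            {
                while (true)
                {
                    Thread.Sleep(500);
                    String[] Package = null;
                    lock (Queue)
                    {
                        if (Queue.Count > 0)
                        {
                            Package = Queue.ToArray();
                            Queue.Clear();
                        }
                    }
                    if (Package != null)
                        Interface.OnCreateFile(RemoteHooking.GetCurrentProcessId(), Package);
                    else
                        Interface.Ping();
                }
            }
            catch
            {
                // host terminated: fall through and let EasyHook clean up
            }
        }

        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
        delegate IntPtr DCreateFile(
            String InFileName, UInt32 InDesiredAccess, UInt32 InShareMode, IntPtr InSecurityAttributes,
            UInt32 InCreationDisposition, UInt32 InFlagsAndAttributes, IntPtr InTemplateFile);

        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        static extern IntPtr CreateFileW(
            String InFileName, UInt32 InDesiredAccess, UInt32 InShareMode, IntPtr InSecurityAttributes,
            UInt32 InCreationDisposition, UInt32 InFlagsAndAttributes, IntPtr InTemplateFile);

        // Hook handler: record the name, then call the original. It must never let an
        // exception escape into the target, and it must do as little as possible.
        static IntPtr CreateFile_Hooked(
            String InFileName, UInt32 InDesiredAccess, UInt32 InShareMode, IntPtr InSecurityAttributes,
            UInt32 InCreationDisposition, UInt32 InFlagsAndAttributes, IntPtr InTemplateFile)
        {
            try
            {
                Main This = (Main)HookRuntimeInfo.Callback;   // the object passed to LocalHook.Create
                lock (This.Queue)
                {
                    This.Queue.Push(InFileName);
                }
            }
            catch
            {
                // logging must never break the hooked call
            }
            // EasyHook recognises calls made from within a handler and passes them
            // straight to the original, so calling CreateFileW here does not recurse.
            return CreateFileW(InFileName, InDesiredAccess, InShareMode, InSecurityAttributes,
                InCreationDisposition, InFlagsAndAttributes, InTemplateFile);
        }
    }
}
```

Build both assemblies as AnyCPU, let the host's Config.Register put them into the GAC, and run the host as FileMon.exe <pid>. Two points matter for stability: the handler only queues the file name and returns the original result, so a failure in the monitoring code can never change the target's behaviour, and the Run loop is the single place that talks to the host, which keeps the hook's own IPC out of the captured data and gives EasyHook a clean exit path when the host disappears.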
  