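        /// <summary>
        /// Deviare hook callback: records one caller → callee cross-reference per
        /// intercepted call. The callee is the instruction pointer at hook time; the
        /// caller is reconstructed by reading the bytes that precede the frame-0 return
        /// address out of the target process and letting <c>GetInstrSize</c> size the
        /// call instruction. Both addresses are rebased against <c>SecStartAddress</c>
        /// before being added to <c>CrossRefSet</c>.
        /// </summary>
        /// <param name="hook">The hook that fired (not used by this handler).</param>
        /// <param name="process">The process the hook fired in (see note on memory below).</param>
        /// <param name="hookCallInfo">Call context: registers and stack trace.</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            // Size of the byte window read from just before the return address;
            // GetInstrSize is expected to locate the call instruction inside it.
            const UInt32 StackOpcodeSize = 50;

            NktStackTrace stack = hookCallInfo.StackTrace();

            // NOTE(review): memory is read from the process this object was created for
            // (_process), not from the 'process' argument the hook delivered. If this
            // hook is ever attached to more than one process the bytes come from the
            // wrong address space — confirm the two PIDs are always identical.
            NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);

            // Frame 0 is the return address into the caller. Queried once instead of
            // once per byte, and guarded: a return address smaller than the window
            // (e.g. 0 when no frame is available) would otherwise wrap the subtraction
            // below to an address near the top of the address space.
            UInt64 returnAddr = (UInt64)stack.Address(0);
            if (returnAddr < StackOpcodeSize)
            {
                return;
            }

            UInt64 windowStart = returnAddr - StackOpcodeSize;
            byte[] stackOpcode = new byte[StackOpcodeSize];

            for (UInt32 n = 0; n < StackOpcodeSize; n++)
            {
                // Bytes come from another process's address space: treat them as
                // untrusted input to the instruction decoder, nothing more.
                stackOpcode[n] = (byte)memory.Read((IntPtr)(windowStart + n), eNktDboFundamentalType.ftUnsignedByte);
            }

            // Callee: instruction pointer at the moment the hook fired.
            // NOTE(review): asmRegEip is the 32-bit register name; confirm Deviare maps it
            // to RIP on 64-bit targets, otherwise the callee address is truncated.
            UInt64 actualAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);

            // Caller: step back from the return address by the size of the call instruction.
            UInt64 nInstrSize = (UInt64)GetInstrSize(stackOpcode, StackOpcodeSize);
            UInt64 callingAddr = returnAddr - nInstrSize;

            Output("From: 0x" + callingAddr.ToString("x") + "    To: 0x" + actualAddr.ToString("x") + "\n", false);

            // Rebase both addresses to section-relative offsets.
            // NOTE(review): there is no range check here — a caller or callee outside the
            // section underflows and is stored as a very large offset. Filter on the
            // caller's module first if only in-section references are wanted.
            actualAddr -= SecStartAddress;
            callingAddr -= SecStartAddress;

            CROSSREF crossref = new CROSSREF();
            crossref.From = callingAddr;
            crossref.To = actualAddr;
            CrossRefSet.Add(crossref);
        }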
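        /// <summary>
        /// Builds an <c>APIUnit</c> report for an intercepted call, or returns
        /// <c>null</c> when the immediate caller (stack frame 0) has no resolvable
        /// module or that module's upper-cased name is not in the <c>Modules</c> set.
        /// </summary>
        /// <param name="type">API type recorded on the report.</param>
        /// <param name="cat">API category recorded on the report.</param>
        /// <param name="id">API identifier recorded on the report.</param>
        /// <param name="hook">The hook that fired; supplies the function name.</param>
        /// <param name="process">The process the hook fired in; supplies the PID.</param>
        /// <param name="callInfo">Call context used to resolve the caller's module.</param>
        /// <returns>A populated report, or <c>null</c> when the caller is filtered out.</returns>
        static APIUnit Base(APIType type, APICategory cat, APIID id, NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            // Resolve the caller's module once; the original re-queried the stack
            // trace and frame 0 for every access.
            var callerModule = callInfo.StackTrace().Module(0);
            if (callerModule == null)
            {
                return null;
            }

            // Invariant upper-casing: the original used culture-sensitive ToUpper(), which
            // under e.g. a Turkish UI culture maps 'i' to 'İ' and silently fails the
            // Modules lookup for any name containing an 'i'. Module names are file names,
            // not linguistic text, so the comparison must not depend on the culture.
            string module = callerModule.Name.ToUpperInvariant();

            // NOTE(review): this is a name-based filter, not a trust boundary — a module's
            // name is whatever its file was called, so code in an arbitrarily named DLL
            // can pass or fail it at will. Do not rely on it to attribute calls securely.
            if (!Modules.Contains(module))
            {
                return null;
            }

            APIUnit report = new APIUnit(process.Id, hook.FunctionName, type, cat, id);
            report.Module = module;
            return report;
        }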
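        /// <summary>
        /// Deviare hook callback: records one caller → callee cross-reference per
        /// intercepted call. The callee is the instruction pointer at hook time; the
        /// caller is reconstructed by reading the bytes that precede the frame-0 return
        /// address out of the target process and letting <c>GetInstrSize</c> size the
        /// call instruction. Both addresses are rebased against <c>SecStartAddress</c>
        /// before being added to <c>CrossRefSet</c>.
        /// </summary>
        /// <param name="hook">The hook that fired (not used by this handler).</param>
        /// <param name="process">The process the hook fired in (see note on memory below).</param>
        /// <param name="hookCallInfo">Call context: registers and stack trace.</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            // Size of the byte window read from just before the return address;
            // GetInstrSize is expected to locate the call instruction inside it.
            const UInt32 StackOpcodeSize = 50;

            NktStackTrace stack = hookCallInfo.StackTrace();

            // NOTE(review): memory is read from the process this object was created for
            // (_process), not from the 'process' argument the hook delivered. If this
            // hook is ever attached to more than one process the bytes come from the
            // wrong address space — confirm the two PIDs are always identical.
            NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);

            // Frame 0 is the return address into the caller. Queried once instead of
            // once per byte, and guarded: a return address smaller than the window
            // (e.g. 0 when no frame is available) would otherwise wrap the subtraction
            // below to an address near the top of the address space.
            UInt64 returnAddr = (UInt64)stack.Address(0);
            if (returnAddr < StackOpcodeSize)
            {
                return;
            }

            UInt64 windowStart = returnAddr - StackOpcodeSize;
            byte[] stackOpcode = new byte[StackOpcodeSize];

            for (UInt32 n = 0; n < StackOpcodeSize; n++)
            {
                // Bytes come from another process's address space: treat them as
                // untrusted input to the instruction decoder, nothing more.
                stackOpcode[n] = (byte)memory.Read((IntPtr)(windowStart + n), eNktDboFundamentalType.ftUnsignedByte);
            }

            // Callee: instruction pointer at the moment the hook fired.
            // NOTE(review): asmRegEip is the 32-bit register name; confirm Deviare maps it
            // to RIP on 64-bit targets, otherwise the callee address is truncated.
            UInt64 actualAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);

            // Caller: step back from the return address by the size of the call instruction.
            UInt64 nInstrSize = (UInt64)GetInstrSize(stackOpcode, StackOpcodeSize);
            UInt64 callingAddr = returnAddr - nInstrSize;

            Output("From: 0x" + callingAddr.ToString("x") + "    To: 0x" + actualAddr.ToString("x") + "\n", false);

            // Rebase both addresses to section-relative offsets.
            // NOTE(review): there is no range check here — a caller or callee outside the
            // section underflows and is stored as a very large offset. Filter on the
            // caller's module first if only in-section references are wanted.
            actualAddr -= SecStartAddress;
            callingAddr -= SecStartAddress;

            CROSSREF crossref = new CROSSREF();
            crossref.From = callingAddr;
            crossref.To = actualAddr;
            CrossRefSet.Add(crossref);
        }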