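    /// <summary>
    /// Copies the memory that a hooked call's pointer parameter points to into a managed buffer.
    /// </summary>
    /// <param name="pid">Id of the hooked process whose memory is read.</param>
    /// <param name="paramData">Parameter holding the pointer to the data to copy.</param>
    /// <param name="paramSize">Parameter holding the byte count, directly or behind a pointer.</param>
    /// <param name="sizeAndTypeArePtr">True when <paramref name="paramSize"/> must be dereferenced to obtain the size.</param>
    /// <returns>
    /// A buffer of <c>valueSize</c> bytes, or <c>null</c> when <paramref name="paramData"/> is a null pointer.
    /// Bytes beyond what <c>ReadMem</c> actually copied stay zero.
    /// </returns>
    byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr)
    {
        // The size originates in the hooked process and is not trusted: it is allocated verbatim
        // (up to uint.MaxValue bytes), so a hostile or corrupted parameter can exhaust memory.
        // TODO(review): clamp to an upper bound the callers agree on.
        uint valueSize;
        if (sizeAndTypeArePtr)
        {
            valueSize = paramSize.IsNullPointer ? 0u : paramSize.Evaluate().ULongVal;
        }
        else
        {
            valueSize = paramSize.ULongVal;
        }

        if (paramData.IsNullPointer || paramData.PointerVal == IntPtr.Zero)
        {
            return null;
        }

        INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid);
        byte[] buffer = new byte[valueSize];

        // Pin the managed array so the remote read can target its address. The handle must be
        // released even when ReadMem throws; otherwise the array stays pinned for the process lifetime.
        GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            IntPtr pDest = pinnedBuffer.AddrOfPinnedObject();
            long bytesRead = procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize).ToInt64();
            // NOTE(review): bytesRead is not compared with valueSize; a short or failed read leaves the tail
            // of the buffer zero-filled and indistinguishable from real zeros. Confirm ReadMem's failure
            // contract before callers rely on the buffer length.
        }
        finally
        {
            pinnedBuffer.Free();
        }

        return buffer;
    }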
        /// <summary>
        /// Hook callback: reads the string held in the first field of the structure that the
        /// third parameter points to and reports it through <c>Output</c>.
        /// </summary>
        /// <param name="hook">Hook that fired (unused).</param>
        /// <param name="process">Process in which the call happened (unused).</param>
        /// <param name="hookCallInfo">Call details; its parameter list is walked positionally.</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            INktParamsEnum callParams = hookCallInfo.Params();

            // The first two parameters are skipped; the third is the pointer of interest.
            // NOTE(review): Next() is not null-checked — confirm the hooked function always has three parameters.
            callParams.First();
            callParams.Next();
            INktParam thirdParam = callParams.Next();

            string report = "Document: ";
            if (thirdParam.PointerVal != IntPtr.Zero)
            {
                // The first field of the pointed-to structure is read as a string.
                INktParam firstField = thirdParam.Evaluate().Fields().First();
                report += firstField.ReadString() + "\n";
            }

            Output(report);
        }
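        /// <summary>
        /// WriteFile hook callback: logs the buffer being written and forwards the raw
        /// buffer and length parameters to <c>ReadBuffer</c>.
        /// </summary>
        /// <param name="hook">Hook that fired (unused).</param>
        /// <param name="process">Process in which WriteFile was called (unused).</param>
        /// <param name="hookCallInfo">Call details; parameters are read positionally as hFile, lpBuffer, nNumberOfBytesToWrite.</param>
        private void OnWriteFileCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            INktParamsEnum paramsEnum = hookCallInfo.Params();

            // WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, ...): the names are only right
            // when the hook is installed on that signature.
            INktParam hFile = paramsEnum.First();
            INktParam lpBuffer = paramsEnum.Next();
            INktParam nNumberOfBytesToWrite = paramsEnum.Next();

            string strDocument = "Document: ";

            // Only read through lpBuffer when it is non-null; previously ReadString ran before the check.
            // The buffer is read once — every ReadString is a cross-process memory read — and the
            // dead hFile.Evaluate().Fields() block copied from the vendor sample is dropped.
            if (lpBuffer.PointerVal != IntPtr.Zero)
            {
                string written = lpBuffer.ReadString();
                Console.Out.WriteLine(written);
                strDocument += written;
                strDocument += "\n";
            }

            Console.Out.WriteLine(lpBuffer.Address);

            Output(strDocument);

            // The return value was never used; the call is kept for whatever side effects
            // QueryFileHandle (defined elsewhere) has.
            // NOTE(review): .Address looks like the parameter's location rather than its value —
            // confirm QueryFileHandle and ReadBuffer expect that and not PointerVal/ULongVal.
            QueryFileHandle(hFile.Address);

            ReadBuffer(lpBuffer.Address, nNumberOfBytesToWrite.Address);
        }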
    // Called when a hooked function is called.
    /// <summary>
    /// Plugin callback invoked for every hooked call: traces the hook and records each
    /// HKEY-typed parameter (direct or behind a pointer) on the call info.
    /// </summary>
    /// <param name="hookInfo">Hook that fired; its function name and address are traced.</param>
    /// <param name="chainIndex">Position of this plugin in the hook's plugin chain.</param>
    /// <param name="callInfo">Call details; receives the sample name and the HKEY values.</param>
    /// <returns>Always 0.</returns>
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        System.Diagnostics.Trace.WriteLine(
            $"MyRegistryPlugin::OnFunctionCall called [Hook: {hookInfo.FunctionName} @ 0x{hookInfo.Address.ToString("X")} / Chain:{chainIndex}]");

        callInfo.AddString("sample name", "HKEY extractor sample");

        INktParamsEnum parameters = callInfo.Params();
        for (int index = 0; index < parameters.Count; index++)
        {
            INktParam current = parameters.GetAt(index);

            // Dereference pointer parameters so the pointed-to value is what gets type-checked.
            if (current.IsPointer)
            {
                current = current.Evaluate();
            }

            if (current is null || current.TypeName != "HKEY")
            {
                continue;
            }

            callInfo.AddSizeT($"param#{index}", current.SizeTVal);
        }

        return 0;
    }
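    /// <summary>
    /// Copies the memory that a hooked call's pointer parameter points to into a managed buffer.
    /// </summary>
    /// <param name="pid">Id of the hooked process whose memory is read.</param>
    /// <param name="paramData">Parameter holding the pointer to the data to copy.</param>
    /// <param name="paramSize">Parameter holding the byte count, directly or behind a pointer.</param>
    /// <param name="sizeAndTypeArePtr">True when <paramref name="paramSize"/> must be dereferenced to obtain the size.</param>
    /// <returns>
    /// A buffer of <c>valueSize</c> bytes, or <c>null</c> when <paramref name="paramData"/> is a null pointer.
    /// Bytes beyond what <c>ReadMem</c> actually copied stay zero.
    /// </returns>
    byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr)
    {
        // The size originates in the hooked process and is not trusted: it is allocated verbatim
        // (up to uint.MaxValue bytes), so a hostile or corrupted parameter can exhaust memory.
        // TODO(review): clamp to an upper bound the callers agree on.
        uint valueSize;
        if (sizeAndTypeArePtr)
        {
            valueSize = paramSize.IsNullPointer ? 0u : paramSize.Evaluate().ULongVal;
        }
        else
        {
            valueSize = paramSize.ULongVal;
        }

        if (paramData.IsNullPointer || paramData.PointerVal == IntPtr.Zero)
        {
            return null;
        }

        INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid);
        byte[] buffer = new byte[valueSize];

        // Pin the managed array so the remote read can target its address. The handle must be
        // released even when ReadMem throws; otherwise the array stays pinned for the process lifetime.
        GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            IntPtr pDest = pinnedBuffer.AddrOfPinnedObject();
            long bytesRead = procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize).ToInt64();
            // NOTE(review): bytesRead is not compared with valueSize; a short or failed read leaves the tail
            // of the buffer zero-filled and indistinguishable from real zeros. Confirm ReadMem's failure
            // contract before callers rely on the buffer length.
        }
        finally
        {
            pinnedBuffer.Free();
        }

        return buffer;
    }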