Example #1
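 /// <summary>
 /// Post-call handler for CreateFileW: records the name of each successfully opened file
 /// against the handle CreateFileW returned, so the WriteFile/CloseHandle hooks can
 /// annotate later events with the path.
 /// </summary>
 /// <param name="hookInfo">Hook descriptor; function name and address are only traced.</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain; only traced.</param>
 /// <param name="callInfo">Call context; the return value and lpFileName (parameter 0) are read from it.</param>
 /// <returns>Always 0; the call is never altered.</returns>
 public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
     try
     {
         // The handle only exists once the real CreateFileW has run; nothing to do on the pre-call pass.
         if (callInfo.IsPreCall)
         {
             return 0;
         }

         IntPtr fileHandle = callInfo.Result().SizeTVal;
         System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileHandle.ToString());

         // INVALID_HANDLE_VALUE (-1) means the open failed; NULL is never a valid file handle.
         if (fileHandle == (IntPtr)(-1) || fileHandle == IntPtr.Zero)
         {
             return 0;
         }

         // lpFileName (parameter 0). ReadString() may yield null when the pointer cannot be read;
         // the original then threw NullReferenceException on .Length and only logged it.
         string fileName = callInfo.Params().GetAt(0).ReadString();
         System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileName);
         if (!string.IsNullOrEmpty(fileName))
         {
             // Last writer wins: a handle value reused by the OS after CloseHandle overwrites the
             // stale entry. Handles obtained via DuplicateHandle or inheritance are not tracked here.
             lock (handleMap)
             {
                 handleMap[fileHandle] = fileName;
             }
         }
     }
     catch (System.Exception ex)
     {
         // Never let an exception escape into the hooked process; log and carry on.
         System.Diagnostics.Trace.WriteLine(ex.ToString());
     }
     return 0;
 }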
Example #2
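    /// <summary>
    /// Pre-call handler for WriteFile: if the target handle was recorded by the CreateFileW hook,
    /// attaches the file name to the event as the "WriteFile" string.
    /// </summary>
    /// <param name="hookInfo">Hook descriptor; function name and address are only traced.</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain; only traced.</param>
    /// <param name="callInfo">Call context; hFile (parameter 0) is read from it.</param>
    /// <returns>Always 0; the write is never altered.</returns>
    public int OnWriteFile(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnWriteFile called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
        try
        {
            // Tag on the pre-call pass so the annotation is present even if WriteFile itself fails.
            if (callInfo.IsPreCall)
            {
                IntPtr fileHandle = callInfo.Params().GetAt(0).SizeTVal;
                string fileName;
                bool known;

                // Hold the lock only for the dictionary lookup; the original called back into the
                // hook engine (AddString) while still holding it, which is unnecessary.
                lock (handleMap)
                {
                    known = handleMap.TryGetValue(fileHandle, out fileName);
                }

                if (known)
                {
                    callInfo.AddString("WriteFile", fileName);
                }
                // Writes through handles this plugin never saw (opened before hooking, inherited,
                // or duplicated) are left un-annotated.
            }
        }
        catch (System.Exception ex)
        {
            // Never let an exception escape into the hooked process; log and carry on.
            System.Diagnostics.Trace.WriteLine(ex.ToString());
        }
        return 0;
    }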
    /// <summary>
    /// Dispatches hook callbacks to the per-function handler. Only MapViewOfFile is handled;
    /// every other hooked function passes through untouched.
    /// </summary>
    /// <param name="hookInfo">Hook descriptor; FunctionName selects the handler.</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain (unused).</param>
    /// <param name="callInfo">Call context handed to the selected handler.</param>
    /// <returns>Always 0.</returns>
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        switch (hookInfo.FunctionName)
        {
            case "MapViewOfFile":
                // NOTE(review): nothing here distinguishes the pre-call from the post-call pass;
                // confirm the handler checks callInfo.IsPreCall before reading Result().
                MapViewOfFileHook(hookInfo, callInfo);
                break;
        }

        return 0;
    }
Example #4
    /// <summary>
    /// Dispatches hook callbacks to the per-function handler. Only MapViewOfFile is handled;
    /// every other hooked function passes through untouched.
    /// </summary>
    /// <param name="hookInfo">Hook descriptor; FunctionName selects the handler.</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain (unused).</param>
    /// <param name="callInfo">Call context handed to the selected handler.</param>
    /// <returns>Always 0.</returns>
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        switch (hookInfo.FunctionName)
        {
            case "MapViewOfFile":
                // NOTE(review): nothing here distinguishes the pre-call from the post-call pass;
                // confirm the handler checks callInfo.IsPreCall before reading Result().
                MapViewOfFileHook(hookInfo, callInfo);
                break;
        }

        return 0;
    }
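    /// <summary>
    /// Post-call handler for MapViewOfFile: reads the first byte of the new view and traces it
    /// as UTF-8 text. A minimal "peek into the mapping" sample.
    /// </summary>
    /// <param name="hookInfo">Hook descriptor (unused).</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain (unused).</param>
    /// <param name="callInfo">Call context; the return value (view base address) is read from it.</param>
    /// <returns>Always 0; the call result is not modified.</returns>
    public int MapViewOfFileHook(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        // The view only exists after the real MapViewOfFile has run (the same check the
        // CreateFileW sample makes before touching Result()).
        if (callInfo.IsPreCall)
        {
            return 0;
        }

        IntPtr address = callInfo.Result().PointerVal;

        // A NULL result means the mapping failed: nothing to read, and Marshal.Copy would throw.
        if (address == IntPtr.Zero)
        {
            return 0;
        }

        try
        {
            // Read a single byte of caller-controlled (untrusted) file content.
            byte[] buffer = new byte[1];
            Marshal.Copy(address, buffer, 0, 1);

            // The original passed the char[] to Trace.Write(object), which prints
            // "System.Char[]" rather than the decoded text.
            string text = System.Text.Encoding.UTF8.GetString(buffer);
            Trace.Write(text);
        }
        catch (Exception ex)
        {
            // An exception escaping a hook callback surfaces inside the hooked process;
            // log instead, as the other handlers in these samples do.
            Trace.WriteLine(ex.ToString());
        }

        return 0;
    }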
Example #6
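    /// <summary>
    /// Post-call handler for MapViewOfFile: reads the first byte of the new view and traces it
    /// as UTF-8 text. A minimal "peek into the mapping" sample.
    /// </summary>
    /// <param name="hookInfo">Hook descriptor (unused).</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain (unused).</param>
    /// <param name="callInfo">Call context; the return value (view base address) is read from it.</param>
    /// <returns>Always 0; the call result is not modified.</returns>
    public int MapViewOfFileHook(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        // The view only exists after the real MapViewOfFile has run (the same check the
        // CreateFileW sample makes before touching Result()).
        if (callInfo.IsPreCall)
        {
            return 0;
        }

        IntPtr address = callInfo.Result().PointerVal;

        // A NULL result means the mapping failed: nothing to read, and Marshal.Copy would throw.
        if (address == IntPtr.Zero)
        {
            return 0;
        }

        try
        {
            // Read a single byte of caller-controlled (untrusted) file content.
            byte[] buffer = new byte[1];
            Marshal.Copy(address, buffer, 0, 1);

            // The original passed the char[] to Trace.Write(object), which prints
            // "System.Char[]" rather than the decoded text.
            string text = System.Text.Encoding.UTF8.GetString(buffer);
            Trace.Write(text);
        }
        catch (Exception ex)
        {
            // An exception escaping a hook callback surfaces inside the hooked process;
            // log instead, as the other handlers in these samples do.
            Trace.WriteLine(ex.ToString());
        }

        return 0;
    }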
Example #7
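    /// <summary>
    /// MapViewOfFile handler: scans the mapped view for malware and, on a hit, fails the call
    /// from the caller's point of view (NULL result, last error 2 = ERROR_FILE_NOT_FOUND).
    /// The verdict is attached to the event as the "has_malware" byte.
    /// </summary>
    /// <param name="hookInfo">Hook descriptor (unused).</param>
    /// <param name="callInfo">Call context; the result pointer and parameter 4 (dwNumberOfBytesToMap) are read.</param>
    private void MapViewOfFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
    {
        IntPtr map = callInfo.Result().PointerVal;
        // Parameter 4 of MapViewOfFile is dwNumberOfBytesToMap, a SIZE_T, so PointerVal is
        // pointer-sized (64-bit on x64). ToInt64() keeps the cast valid on every runtime; the
        // old comment about a 2^32-1 ceiling only ever applied to 32-bit processes.
        IntPtr length = callInfo.Params().GetAt(4).PointerVal;

        // NOTE(review): Result() is only meaningful after the real call has run, while SkipCall()
        // only takes effect before it. Nothing here checks callInfo.IsPreCall; confirm which pass
        // this runs in and that the view is actually readable at that point.
        // NOTE(review): per the Win32 contract, dwNumberOfBytesToMap == 0 maps to the end of the
        // section, so a zero length means "whole view", not "nothing"; if LookForMalware treats 0
        // as an empty range a caller can evade the scan by passing 0 — verify.

        // A NULL view (mapping failed, or no result yet) cannot be scanned; leave the call and the
        // event untouched instead of handing a null pointer to the scanner. No "has_malware" byte
        // is added in this case, so consumers can tell "not scanned" from "clean".
        if (map == IntPtr.Zero)
        {
            return;
        }

        ulong mapLength = unchecked((ulong)length.ToInt64());
        bool isMalware = LookForMalware(map, mapLength);

        if (isMalware)
        {
            callInfo.AddByte("has_malware", 1);
            // Make the call fail for the caller: NULL view and ERROR_FILE_NOT_FOUND.
            callInfo.Result().PointerVal = IntPtr.Zero;
            callInfo.LastError = 2;
            callInfo.SkipCall();
        }
        else
        {
            callInfo.AddByte("has_malware", 0);
        }
    }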
Example #8
    /// <summary>
    /// Called for every hooked function. Tags the event with a sample name and, for each
    /// parameter whose (resolved) type is HKEY, records its value as "param#N".
    /// </summary>
    /// <param name="hookInfo">Hook descriptor; function name and address are only traced.</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain; only traced.</param>
    /// <param name="callInfo">Call context; its parameter list is walked and annotations are added to it.</param>
    /// <returns>Always 0; the call proceeds unchanged.</returns>
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        System.Diagnostics.Trace.WriteLine("MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");

        callInfo.AddString("sample name", "HKEY extractor sample");

        // NOTE(review): nothing distinguishes the pre-call from the post-call pass; if the engine
        // invokes this on both, the annotations are added twice per call — confirm.
        INktParamsEnum parameters = callInfo.Params();
        for (int index = 0; index < parameters.Count; index++)
        {
            // Pointer parameters are resolved through Evaluate() (presumably to the pointee,
            // e.g. a PHKEY out-parameter) so the pointee's type is what gets tested.
            INktParam param = parameters.GetAt(index);
            INktParam target = param.IsPointer ? param.Evaluate() : param;
            if (target == null || target.TypeName != "HKEY")
            {
                continue;
            }
            callInfo.AddSizeT("param#" + index.ToString(), target.SizeTVal);
        }

        return 0;
    }
Example #9
    /// <summary>
    /// Called for every hooked function. Tags the event with a sample name and, for each
    /// parameter whose (resolved) type is HKEY, records its value as "param#N".
    /// </summary>
    /// <param name="hookInfo">Hook descriptor; function name and address are only traced.</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain; only traced.</param>
    /// <param name="callInfo">Call context; its parameter list is walked and annotations are added to it.</param>
    /// <returns>Always 0; the call proceeds unchanged.</returns>
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        System.Diagnostics.Trace.WriteLine("MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");

        callInfo.AddString("sample name", "HKEY extractor sample");

        // NOTE(review): nothing distinguishes the pre-call from the post-call pass; if the engine
        // invokes this on both, the annotations are added twice per call — confirm.
        INktParamsEnum parameters = callInfo.Params();
        for (int index = 0; index < parameters.Count; index++)
        {
            // Pointer parameters are resolved through Evaluate() (presumably to the pointee,
            // e.g. a PHKEY out-parameter) so the pointee's type is what gets tested.
            INktParam param = parameters.GetAt(index);
            INktParam target = param.IsPointer ? param.Evaluate() : param;
            if (target == null || target.TypeName != "HKEY")
            {
                continue;
            }
            callInfo.AddSizeT("param#" + index.ToString(), target.SizeTVal);
        }

        return 0;
    }
Example #10
 /// <summary>
 /// Pre-call handler for CloseHandle: forgets the file name recorded for the handle, so a
 /// handle value later reused by the OS does not inherit a stale name.
 /// </summary>
 /// <param name="hookInfo">Hook descriptor; function name and address are only traced.</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain; only traced.</param>
 /// <param name="callInfo">Call context; hObject (parameter 0) is read from it.</param>
 /// <returns>Always 0; the close is never blocked.</returns>
 public int OnCloseHandle(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCloseHandle called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
     try
     {
         // Only the pre-call pass does work; the post-call pass has nothing new for us.
         if (!callInfo.IsPreCall)
         {
             return 0;
         }

         IntPtr handle = callInfo.Params().GetAt(0).SizeTVal;

         // Dictionary.Remove is a no-op for unknown handles (non-file handles, or files opened
         // before hooking started).
         // NOTE(review): the entry is dropped before CloseHandle actually runs, so a close that
         // fails (e.g. invalid handle) also forgets the name; acceptable for a tracing sample.
         lock (handleMap)
         {
             handleMap.Remove(handle);
         }
     }
     catch (System.Exception ex)
     {
         // Never let an exception escape into the hooked process; log and carry on.
         System.Diagnostics.Trace.WriteLine(ex.ToString());
     }
     return 0;
 }
Example #11
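 /// <summary>
 /// Post-call handler for CreateFileW: records the name of each successfully opened file
 /// against the handle CreateFileW returned, so the WriteFile/CloseHandle hooks can
 /// annotate later events with the path.
 /// </summary>
 /// <param name="hookInfo">Hook descriptor; function name and address are only traced.</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain; only traced.</param>
 /// <param name="callInfo">Call context; the return value and lpFileName (parameter 0) are read from it.</param>
 /// <returns>Always 0; the call is never altered.</returns>
 public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
     try
     {
         // The handle only exists once the real CreateFileW has run; nothing to do on the pre-call pass.
         if (callInfo.IsPreCall)
         {
             return 0;
         }

         IntPtr fileHandle = callInfo.Result().SizeTVal;
         System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileHandle.ToString());

         // INVALID_HANDLE_VALUE (-1) means the open failed; NULL is never a valid file handle.
         if (fileHandle == (IntPtr)(-1) || fileHandle == IntPtr.Zero)
         {
             return 0;
         }

         // lpFileName (parameter 0). ReadString() may yield null when the pointer cannot be read;
         // the original then threw NullReferenceException on .Length and only logged it.
         string fileName = callInfo.Params().GetAt(0).ReadString();
         System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileName);
         if (!string.IsNullOrEmpty(fileName))
         {
             // Last writer wins: a handle value reused by the OS after CloseHandle overwrites the
             // stale entry. Handles obtained via DuplicateHandle or inheritance are not tracked here.
             lock (handleMap)
             {
                 handleMap[fileHandle] = fileName;
             }
         }
     }
     catch (System.Exception ex)
     {
         // Never let an exception escape into the hooked process; log and carry on.
         System.Diagnostics.Trace.WriteLine(ex.ToString());
     }
     return 0;
 }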
Example #12
 /// <summary>
 /// Generic callback for every hooked function: traces which hook fired and where in the
 /// chain this plugin sits. The call itself is neither inspected nor altered.
 /// </summary>
 /// <param name="hookInfo">Hook descriptor; function name and address are traced.</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain; traced.</param>
 /// <param name="callInfo">Call context (unused).</param>
 /// <returns>Always 0.</returns>
 public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     string location = hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X");
     System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall called [Hook: " + location + " / Chain:" + chainIndex.ToString() + "]");
     return 0;
 }
Example #13
 /// <summary>
 /// Generic callback for every hooked function. This plugin does nothing in the generic
 /// path, so every call passes through untouched.
 /// </summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 /// <returns>Always 0.</returns>
 public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally a no-op.
     return 0;
 }
Example #14
 /// <summary>Handler stub for OpenFileMappingW; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void OpenFileMappingWHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }
Example #15
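    /// <summary>
    /// Hook on IXpsOMPageReference::SetPage. When the top stack frame of the caller lies in
    /// d2d1.dll or mshtml.dll, fetches the IXpsOMPage argument, stamps a watermark on it, and
    /// suppresses the SpyMgr event for this call.
    /// </summary>
    /// <param name="lpHookInfo">Hook descriptor (unused).</param>
    /// <param name="dwChainIndex">Position of this plugin in the hook chain (unused).</param>
    /// <param name="lpHookCallInfoPlugin">Call context: stack trace, registers and event filtering.</param>
    /// <returns>Always 0; the call proceeds unchanged.</returns>
    public int OnIXpsOMPageReferenceSetPage(INktHookInfo lpHookInfo, int dwChainIndex, INktHookCallInfoPlugin lpHookCallInfoPlugin)
    {
        System.Diagnostics.Trace.WriteLine("IEPrintWaterMarkhelperCS: OnIXpsOMPageReferenceSetPage");

        try
        {
            var callerModule = lpHookCallInfoPlugin.StackTrace().Module(0);
            string moduleName = callerModule.Name;

            // NOTE(review): gating on the caller's module *name* is a convenience filter, not a
            // trust boundary — any module loaded under that name passes it.
            if (moduleName.EndsWith("d2d1.dll", StringComparison.OrdinalIgnoreCase) ||
                moduleName.EndsWith("mshtml.dll", StringComparison.OrdinalIgnoreCase))
            {
                System.Diagnostics.Trace.WriteLine(string.Format("calling module: {0}", moduleName.ToLower()));

                // SetPage(this, IXpsOMPage* page): on x86 (stdcall) the page pointer is the second
                // stack slot above the return address, [esp+8]; on x64 it is the second integer
                // argument register, RDX.
                IntPtr pagePtr;
                if (IntPtr.Size == 4)
                {
                    IntPtr esp = lpHookCallInfoPlugin.get_Register(eNktRegister.asmRegEsp);
                    pagePtr = Marshal.ReadIntPtr(esp, 8);
                }
                else
                {
                    pagePtr = lpHookCallInfoPlugin.get_Register(eNktRegister.asmRegRdx);
                }

                System.Diagnostics.Trace.WriteLine(string.Format("lpPage=0x{0:x}", pagePtr));

                // A NULL page pointer would make GetObjectForIUnknown throw; nothing to watermark.
                if (pagePtr != IntPtr.Zero)
                {
                    MSXPS.IXpsOMPage page = (MSXPS.IXpsOMPage)Marshal.GetObjectForIUnknown(pagePtr);
                    AddWatermark(page);
                }
            }

            lpHookCallInfoPlugin.FilterSpyMgrEvent();
        }
        catch (Exception e)
        {
            // The original built string.Format("EXCEPTION: {0}") with no argument, which itself
            // throws FormatException from inside the catch block.
            System.Diagnostics.Trace.WriteLine("EXCEPTION: " + e.ToString());
        }
        return 0;
    }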
Example #16
 /// <summary>Handler stub for CloseHandle; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void CloseHandleHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }
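    /// <summary>
    /// MapViewOfFile handler: scans the mapped view for malware and, on a hit, fails the call
    /// from the caller's point of view (NULL result, last error 2 = ERROR_FILE_NOT_FOUND).
    /// The verdict is attached to the event as the "has_malware" byte.
    /// </summary>
    /// <param name="hookInfo">Hook descriptor (unused).</param>
    /// <param name="callInfo">Call context; the result pointer and parameter 4 (dwNumberOfBytesToMap) are read.</param>
    private void MapViewOfFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
    {
        IntPtr map = callInfo.Result().PointerVal;
        // Parameter 4 of MapViewOfFile is dwNumberOfBytesToMap, a SIZE_T, so PointerVal is
        // pointer-sized (64-bit on x64). ToInt64() keeps the cast valid on every runtime; the
        // old comment about a 2^32-1 ceiling only ever applied to 32-bit processes.
        IntPtr length = callInfo.Params().GetAt(4).PointerVal;

        // NOTE(review): Result() is only meaningful after the real call has run, while SkipCall()
        // only takes effect before it. Nothing here checks callInfo.IsPreCall; confirm which pass
        // this runs in and that the view is actually readable at that point.
        // NOTE(review): per the Win32 contract, dwNumberOfBytesToMap == 0 maps to the end of the
        // section, so a zero length means "whole view", not "nothing"; if LookForMalware treats 0
        // as an empty range a caller can evade the scan by passing 0 — verify.

        // A NULL view (mapping failed, or no result yet) cannot be scanned; leave the call and the
        // event untouched instead of handing a null pointer to the scanner. No "has_malware" byte
        // is added in this case, so consumers can tell "not scanned" from "clean".
        if (map == IntPtr.Zero)
        {
            return;
        }

        ulong mapLength = unchecked((ulong)length.ToInt64());
        bool isMalware = LookForMalware(map, mapLength);

        if (isMalware)
        {
            callInfo.AddByte("has_malware", 1);
            // Make the call fail for the caller: NULL view and ERROR_FILE_NOT_FOUND.
            callInfo.Result().PointerVal = IntPtr.Zero;
            callInfo.LastError = 2;
            callInfo.SkipCall();
        }
        else
        {
            callInfo.AddByte("has_malware", 0);
        }
    }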
Example #18
 /// <summary>Handler stub for CreateFileW; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void CreateFileWHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }
Example #19
 /// <summary>Handler stub for ReadFile; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void ReadFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }
 /// <summary>Handler stub for OpenFileMappingW; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void OpenFileMappingWHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }
Example #21
 /// <summary>
 /// Generic callback for every hooked function: traces which hook fired and where in the
 /// chain this plugin sits. The call itself is neither inspected nor altered.
 /// </summary>
 /// <param name="hookInfo">Hook descriptor; function name and address are traced.</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain; traced.</param>
 /// <param name="callInfo">Call context (unused).</param>
 /// <returns>Always 0.</returns>
 public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     string location = hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X");
     System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall called [Hook: " + location + " / Chain:" + chainIndex.ToString() + "]");
     return 0;
 }
 /// <summary>Handler stub for CreateFileW; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void CreateFileWHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }
 /// <summary>Handler stub for CloseHandle; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void CloseHandleHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }
 /// <summary>Handler stub for ReadFile; intentionally does nothing in this sample.</summary>
 /// <param name="hookInfo">Hook descriptor (unused).</param>
 /// <param name="callInfo">Call context (unused).</param>
 private void ReadFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
 {
     // Intentionally empty.
 }