private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { string strOnFunctionCalled = hook.FunctionName + "\n"; if (hook.FunctionName.CompareTo("D3D9.DLL!CreateDevice") == 0) { INktParamsEnum paramsEnum = hookCallInfo.Params(); INktParam param = paramsEnum.First(); INktParam tempParam = null; while (param != null) { tempParam = param; param = paramsEnum.Next(); } strOnFunctionCalled += " " + tempParam.PointerVal.ToString() + "\n"; } Output(strOnFunctionCalled); }
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { NktStackTrace stack = hookCallInfo.StackTrace(); NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id); UInt32 StackOpcodeSize = 50; byte[] StackOpcode = new byte[StackOpcodeSize]; for (UInt32 n = 0; n < StackOpcodeSize; n++) { StackOpcode[n] = (byte)memory.Read((IntPtr)((UInt64)stack.Address(0) - StackOpcodeSize + n), eNktDboFundamentalType.ftUnsignedByte); } UInt64 actualAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip); UInt64 nInstrSize = (UInt64)GetInstrSize(StackOpcode, StackOpcodeSize); UInt64 callingAddr = (UInt64)stack.Address(0) - nInstrSize; string str = "From: 0x" + callingAddr.ToString("x") + " To: 0x" + actualAddr.ToString("x") + "\n"; Output(str, false); actualAddr -= SecStartAddress; callingAddr -= SecStartAddress; CROSSREF crossref = new CROSSREF(); crossref.From = callingAddr; crossref.To = actualAddr; CrossRefSet.Add(crossref); }
static void OnShellExecute(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.ShellExecute, hook, process, callInfo); if (report == null) { return; } report.ID = APIID.ShellExecute; var param = new ShellExecuteParameter(); if (hook.FunctionName.Contains("teEx")) { INktParam p = callInfo.Params().GetAt(0).Evaluate(); param.Name = p.Fields().GetAt(4).IsNullPointer ? "" : p.Fields().GetAt(4).ReadString(); param.Parameters = p.Fields().GetAt(5).IsNullPointer ? "" : p.Fields().GetAt(5).ReadString(); param.Directory = p.Fields().GetAt(6).IsNullPointer ? "" : p.Fields().GetAt(6).ReadString(); } else { param.Name = callInfo.Params().GetAt(2).IsNullPointer ? "" : callInfo.Params().GetAt(2).ReadString(); param.Parameters = callInfo.Params().GetAt(3).IsNullPointer ? "" : callInfo.Params().GetAt(3).ReadString(); param.Directory = callInfo.Params().GetAt(4).IsNullPointer ? "" : callInfo.Params().GetAt(4).ReadString(); } report.Parameter = param; Reports.Enqueue(report); }
static void OnSocket(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo); if (report == null) { return; } var param = new ConnectionParameter(); int len = callInfo.Params().GetAt(2).LongVal; byte[] buf = new byte[len]; GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned); IntPtr p = h.AddrOfPinnedObject(); var add = callInfo.Params().GetAt(1); INktProcessMemory mem = add.Memory(); mem.ReadMem(p, add.PointerVal, (IntPtr)len); h.Free(); report.ID = hook.FunctionName.Contains("bind") ? APIID.SocketBind : APIID.SocketConnect; param.Port = (ushort)(buf[2] * 256 + buf[3]); param.IP = String.Format("{0}.{1}.{2}.{3}", buf[4].ToString("D3"), buf[5].ToString("D3"), buf[6].ToString("D3"), buf[7].ToString("D3")); param.Server = hook.FunctionName.Contains("bind") ? true : false; report.ID = param.Server ? APIID.SocketBind : APIID.SocketConnect; report.Parameter = param; Reports.Enqueue(report); }
static void OnCreateProcess(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleCreation, APICategory.Process, APIID.CreateProcess, hook, process, callInfo); if (report == null) { return; } var param = new CreateProcessParameter(); param.ProcessName = callInfo.Params().GetAt(0).IsNullPointer ? "" : callInfo.Params().GetAt(1).ReadString(); param.Parameters = callInfo.Params().GetAt(1).IsNullPointer ? "" : callInfo.Params().GetAt(1).ReadString(); param.Handle = callInfo.Params().GetAt(9).Evaluate().Fields().GetAt(0).SizeTVal; param.ID = callInfo.Params().GetAt(9).Evaluate().Fields().GetAt(2).ULongVal; try { if (param.ProcessName == "") { var pro = System.Diagnostics.Process.GetProcessById((int)param.ID); param.ProcessName = pro.ProcessName; } } catch { } report.Parameter = param; Reports.Enqueue(report); }
public static void OnConnectCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { /* * struct sockaddr { * ushort sa_family; * char sa_data[14]; * }; */ INktParamsEnum pms = hookCallInfo.Params(); INktParam p; p = pms.GetAt(1); //get the second param (const struct sockaddr *name) if (p.IsNullPointer == false) { INktParam pC; ushort sa_family; //if not null, analyze it p = p.Evaluate(); //now p becomes the struct itself not anymore a pointer to pC = p.Field(0); sa_family = pC.get_UShortValAt(0); try { pC = p.Field(1); byte[] bytes_port = new byte[] { pC.get_ByteValAt(0), pC.get_ByteValAt(1) }; ushort port = PortToUShort(bytes_port); Console.WriteLine("Port: {0}", port); byte[] ip = new byte[] { pC.get_ByteValAt(2), pC.get_ByteValAt(3), pC.get_ByteValAt(4), pC.get_ByteValAt(5) }; string detected_ip = IPtoString(ip); Console.WriteLine("IP: {0}", detected_ip); if (bind_ip == "0.0.0.0" || bind_ip == "*" || IPtoString(ip) == bind_ip) // Match rule IP { if (bind_port == 0 || bind_port == port) // Match rule Port { byte[] target_ip = StringtoIP(forward_ip); pC.set_ByteValAt(2, target_ip[0]); pC.set_ByteValAt(3, target_ip[1]); pC.set_ByteValAt(4, target_ip[2]); pC.set_ByteValAt(5, target_ip[3]); if (forward_port != 0) { byte[] forward_port_change = UShorttoPort(forward_port); pC.set_ByteValAt(0, forward_port_change[0]); pC.set_ByteValAt(1, forward_port_change[1]); } Console.WriteLine("Redirect From {0}:{1} to {1}", detected_ip, (bind_port == 0)?'*':bind_port, forward_ip, (forward_port == 0)?'*':forward_port); } } } catch (Exception e) { Console.WriteLine("Error {0}", e); throw e; } } }
public FunctionWrapper(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo) { this.Hook = Hook; this.proc = proc; this.callInfo = callInfo; status = Status.Waiting; }
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { Output("Xploit CVE-2010-3971"); MessageBox.Show("Xploit CVE-2010-3971"); Thread.Sleep(System.Threading.Timeout.Infinite); }
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { nTime++; if (nSpeed==-2) hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal - (int)(nTime * 0.2); else if(nSpeed==2) hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + (int)(nTime * 3); }
private void MapViewOfFileCustomHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo) { if (callInfo.CustomParams().Count == 1) { byte has_malware = callInfo.CustomParams().GetAt(0).ByteVal; Debug.WriteLine(String.Format("MapViewOfFileCustomHook:: with has_malware = {0}", has_malware)); } }
public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { string function = hook.FunctionName.ToLower(); Console.WriteLine("Called function {0}", function); if (function == "WS2_32.dll!connect".ToLower()) { OnConnectCalled(hook, process, hookCallInfo); } }
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { nTime++; if (nSpeed == -2) { hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal - (int)(nTime * 0.2); } else if (nSpeed == 2) { hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + (int)(nTime * 3); } }
void _spyMgr_OnFunctionCalled(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo) { if (Hook.FunctionName == "kernel32.dll!MapViewOfFile") { if (this._use_deviare_custom_hook_plugin) { MapViewOfFileCustomHook(Hook, proc, callInfo); } else { MapViewOfFileHook(Hook, proc, callInfo); } } }
static void OnWriteProcessMemory(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleConsuming, APICategory.Process, APIID.WriteProcessMemory, hook, process, callInfo); if (report == null) { return; } var param = new WriteProcessMemoryParameter(); param.Handle = callInfo.Params().GetAt(0).SizeTVal; report.Parameter = param; Reports.Enqueue(report); }
static void OnFindFirstFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.FindFirstFile, hook, process, callInfo); if (report == null) { return; } var param = new FindFirstFileParameter(); param.FileName = callInfo.Params().GetAt(0).ReadString(); report.Parameter = param; Reports.Enqueue(report); }
static void OnSetWindowsHook(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SetWindowsHook, hook, process, callInfo); if (report == null) { return; } report.ID = APIID.SetWindowsHook; var param = new SetWindowsHookParameter(); param.HookType = callInfo.Params().GetAt(0).LongVal; report.Parameter = param; Reports.Enqueue(report); }
static void OnProcess32First(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleConsuming, APICategory.ToolHelp, APIID.Process32First, hook, process, callInfo); if (report == null) { return; } report.ID = APIID.Process32First; var param = new Process32FirstParameter(); param.Handle = callInfo.Params().GetAt(0).SizeTVal; report.Parameter = param; Reports.Enqueue(report); }
static void OnGetProcAddress(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleConsuming, APICategory.LibraryLoading, APIID.GetProcAddress, hook, process, callInfo); if (report == null) { return; } var param = new GetProcAddressParameter(); param.Handle = callInfo.Params().GetAt(0).SizeTVal; param.Proc = callInfo.Params().GetAt(1).ReadString(); report.Parameter = param; Reports.Enqueue(report); }
static void OnUrlDownloadToFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo); if (report == null) { return; } var param = new UrlDownloadToFileParameter(); param.Url = callInfo.Params().GetAt(1).ReadString(); param.FilePath = callInfo.Params().GetAt(2).ReadString(); report.ID = APIID.UrlDownloadToFile; report.Parameter = param; Reports.Enqueue(report); }
static void OnCreateService(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.CreateService, hook, process, callInfo); if (report == null) { return; } var param = new CreateServiceParameter(); param.Name = callInfo.Params().GetAt(1).IsNullPointer?"N/A":callInfo.Params().GetAt(1).ReadString(); param.Path = callInfo.Params().GetAt(7).IsNullPointer?"N/A":callInfo.Params().GetAt(7).ReadString(); param.Mode = callInfo.Params().GetAt(5).ULongVal; report.Parameter = param; Reports.Enqueue(report); }
static void OnRegOpenKey(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleCreation, APICategory.Registry, APIID.RegOpenKey, hook, process, callInfo); if (report == null) { return; } var param = new RegOpenKeyParameter(); param.HKey = callInfo.Params().GetAt(0).SizeTVal; param.SubKey = callInfo.Params().GetAt(1).ReadString(); param.Handle = hook.FunctionName.ToUpper().Contains("EX") ? callInfo.Params().GetAt(4).Evaluate().SizeTVal : callInfo.Params().GetAt(2).Evaluate().SizeTVal; report.Parameter = param; Reports.Enqueue(report); }
static void OnCreateToolhelp32Snapshot(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleCreation, APICategory.ToolHelp, APIID.CreateToolhelp, hook, process, callInfo); if (report == null) { return; } report.ID = APIID.CreateToolhelp; var param = new CreateToolhelp32Snapshot(); param.Flags = callInfo.Params().GetAt(0).ULongVal; param.Handle = callInfo.Result().SizeTVal; report.Parameter = param; Reports.Enqueue(report); }
static void OnCreateFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleCreation, APICategory.Files, APIID.CreateFile, hook, process, callInfo); if (report == null) { return; } var param = new CreateFileParameter(); param.Path = callInfo.Params().GetAt(0).ReadString(); param.Access = callInfo.Params().GetAt(1).ULongVal; param.Mode = callInfo.Params().GetAt(4).ULongVal; param.Handle = callInfo.Result().SizeTVal; report.Parameter = param; Reports.Enqueue(report); }
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { string strDocument = "Document: "; INktParamsEnum paramsEnum = hookCallInfo.Params(); INktParam param = paramsEnum.First(); param = paramsEnum.Next(); param = paramsEnum.Next(); if (param.PointerVal != IntPtr.Zero) { INktParamsEnum paramsEnumStruct = param.Evaluate().Fields(); INktParam paramStruct = paramsEnumStruct.First(); strDocument += paramStruct.ReadString(); strDocument += "\n"; } Output(strDocument); }
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { Output(hook.FunctionName + "( "); bool first = true; foreach (INktParam param in hookCallInfo.Params()) { if (first) { first = false; } else { Output(", "); } Output(param.Name + " = " + param.Value.ToString()); } Output(" )" + Environment.NewLine); }
/// <summary> /// WriteFile调用事件处理函数 /// </summary> /// <param name="hook"></param> /// <param name="process"></param> /// <param name="hookCallInfo"></param> private void OnWriteFileCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { string strDocument = "Document: "; INktParamsEnum paramsEnum = hookCallInfo.Params(); INktParam hFile = paramsEnum.First(); //paramsEnum.Next(); //paramsEnum.Next(); //paramsEnum.Next(); //paramsEnum.Next(); INktParam lpBuffer = paramsEnum.Next(); INktParam nNumberOfBytesToWrite = paramsEnum.Next(); #region 着官方示例写的 毛用没有 if (hFile.PointerVal != IntPtr.Zero) { INktParamsEnum hFileEnumStruct = hFile.Evaluate().Fields(); INktParam hFileStruct = hFileEnumStruct.First(); } Console.Out.WriteLine(lpBuffer.ReadString()); Console.Out.WriteLine(lpBuffer.Address); if (lpBuffer.PointerVal != IntPtr.Zero) { strDocument += lpBuffer.ReadString(); strDocument += "\n"; } Output(strDocument); #endregion var h_file = QueryFileHandle(hFile.Address); ReadBuffer(lpBuffer.Address, nNumberOfBytesToWrite.Address); }
static void OnLoadLibrary(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleCreation, APICategory.LibraryLoading, APIID.LoadLibrary, hook, process, callInfo); if (report == null) { return; } var param = new LoadLibraryParameter(); if (callInfo.Params().GetAt(0).IsNullPointer) { param.LibraryName = "N/A"; } else { param.LibraryName = callInfo.Params().GetAt(0).ReadString(); } param.Handle = callInfo.Result().SizeTVal; report.Parameter = param; Reports.Enqueue(report); }
private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo) { bool is_malware = false; IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal; IntPtr address = callInfo.Result().PointerVal; IntPtr length = callInfo.Params().GetAt(4).PointerVal; Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length)); IntPtr process_handle = callInfo.Process().Handle(0x1FFFF); is_malware = LookForMalware(process_handle, (IntPtr)maphandle, (uint)length); // assuming that length is int in this example. So, mapped files greater than 2^32 - 1 will not work. Also Marshal.ReadByte is limited to int. if (is_malware) { callInfo.Result().PointerVal = IntPtr.Zero; callInfo.LastError = 2; callInfo.SkipCall(); } }
public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo) { string function = hook.FunctionName.ToLower(); wrappers.FunctionWrapper functionWr = new wrappers.FunctionWrapper(hook, process, hookCallInfo); stackFunctions.Push(functionWr); while (functionWr.status == wrappers.FunctionWrapper.Status.Waiting) { System.Threading.Thread.Sleep(0); } if (functionWr.status == wrappers.FunctionWrapper.Status.Droped) { hookCallInfo.SkipCall(); Program.data.AceptingNewFunctions = true; return; } Program.data.AceptingNewFunctions = true; }
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo) { if ((callInfo.Result().ULongVal & 0x80000000) == 0) { NktParamsEnum pms; IntPtr addr; string s; //if the call succeeded, check if we are creating a class factory that belongs //to the CLSID we need, in our example, "ShellFolderView coclass" pms = callInfo.Params(); if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}") { s = pms.GetAt(1).GuidString; if (s == "{00000001-0000-0000-C000-000000000046}") { //we have ShellFolderView's IClassFactory object if (hookIClassFactory_CreateInstance == null) { lock (hookLock) { if (hookIClassFactory_CreateInstance == null) { //get the address of the newly created object addr = pms.GetAt(2).Evaluate().PointerVal; //get object's vtable address by inspecting the first pointer addr = proc.Memory().get_SSizeTVal(addr); //because the CreateInstance method is the fourth one, //get the method entrypoint by reading memory addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size); addr = proc.Memory().get_SSizeTVal(addr); hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress); hookIClassFactory_CreateInstance.Attach(proc.Id, true); hookIClassFactory_CreateInstance.Hook(true); hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled; } } } } if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}") { //we have ShellFolderView's IClassFactory2 object if (hookIClassFactory2_CreateInstance == null) { lock (hookLock) { if (hookIClassFactory2_CreateInstance == null) { //get the address of the newly created object addr = pms.GetAt(2).Evaluate().PointerVal; //get object's vtable address by inspecting the first pointer addr = proc.Memory().get_SSizeTVal(addr); //because the CreateInstance method is the fourth one, //get the method entrypoint by reading memory addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size); addr = proc.Memory().get_SSizeTVal(addr); hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall); hookIClassFactory2_CreateInstance.Attach(proc.Id, true); hookIClassFactory2_CreateInstance.Hook(true); hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled; } if (hookIClassFactory2_CreateInstanceLic == null) { //get the address of the newly created object addr = pms.GetAt(2).Evaluate().PointerVal; //get object's vtable address by inspecting the first pointer addr = proc.Memory().get_SSizeTVal(addr); //because the CreateInstanceLic method is the eighth one, //get the method entrypoint by reading memory addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size); addr = proc.Memory().get_SSizeTVal(addr); hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall); hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true); hookIClassFactory2_CreateInstanceLic.Hook(true); hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled; } } } } } } return; }
static void OnIClassFactory2CreateInstanceLicCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo) { //because interface instances can be created by IClassFactory2 too, may you have //to define a similar code than above }
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo) { if ((callInfo.Result().ULongVal & 0x80000000) == 0) { NktParamsEnum pms; IntPtr addr; string s; //if the call succeeded, check if we are creating a instance that belongs //to the IID we need, in our example, "IShellFolderViewDual" pms = callInfo.Params(); //remember that the first parameter is the interface pointer itself s = pms.GetAt(2).GuidString; if (s == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}" || s == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}" || s == "{88A05C00-F000-11CE-8350-444553540000}") { //at this point we have to apply a similar code than we used to hook //IClassFactory::CreateInstance above and the other methods addr = pms.GetAt(3).Evaluate().PointerVal; //get object's vtable address by inspecting the first pointer addr = proc.Memory().get_SSizeTVal(addr); //because the CreateInstance method is the fourth one, //get the method entrypoint by reading memory addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size); addr = proc.Memory().get_SSizeTVal(addr); /* * . * . * . */ } } }
private void HandleFuncionCall(NktHook aHook, NktProcess aProcess, NktHookCallInfo hookCallInfo) { FunctionCalledHandler(CreateConsoleHookFrom(aHook), CreateConsoleProcessFrom(aProcess), hookCallInfo); }
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo) { if ((callInfo.Result().ULongVal & 0x80000000) == 0) { NktParamsEnum pms; IntPtr addr; string s; //if the call succeeded, check if we are creating a instance that belongs //to the IID we need, in our example, "IShellFolderViewDual" pms = callInfo.Params(); //remember that the first parameter is the interface pointer itself s = pms.GetAt(2).GuidString; if (s == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}" || s == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}" || s == "{88A05C00-F000-11CE-8350-444553540000}") { //at this point we have to apply a similar code than we used to hook //IClassFactory::CreateInstance above and the other methods addr = pms.GetAt(3).Evaluate().PointerVal; //get object's vtable address by inspecting the first pointer addr = proc.Memory().get_SSizeTVal(addr); //because the CreateInstance method is the fourth one, //get the method entrypoint by reading memory addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size); addr = proc.Memory().get_SSizeTVal(addr); /* . . . */ } } }
void _spyMgr_OnFunctionCalled(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo) { if (Hook.FunctionName == "kernel32.dll!MapViewOfFile") { if (this._use_deviare_custom_hook_plugin) MapViewOfFileCustomHook(Hook, proc, callInfo); else MapViewOfFileHook(Hook, proc, callInfo); } }
private void FunctionCalledHandler(Hook hook, IProcess aProcess, NktHookCallInfo hookCallInfo) { var aFunctionCallInfo = new FunctionCallInfo(hook, aProcess, hookCallInfo); _functionCallHandler.Handle(aFunctionCallInfo); }
public FunctionCallInfo(Hook aHook, IProcess aProcess, NktHookCallInfo hookCallInfo) { Hook = aHook; Process = aProcess; HookCallInfo = hookCallInfo; }