// this is where we are intercepting all file accesses! public IntPtr CreateNamedPipe_Hooked(string lpName, Kernel32Support.PipeOpenModeFlags dwOpenMode, Kernel32Support.PipeModeFlags dwPipeMode, Int32 nMaxInstances, Int32 nOutBufferSize, Int32 nInBufferSize, Int32 nDefaultTimeOut, IntPtr lpSecurityAttributes) { preprocessHook(); Console.Write("Creating pipe " + lpName); // call original API... IntPtr result = Kernel32Support.CreateNamedPipe(lpName, dwOpenMode, dwPipeMode, nMaxInstances, nOutBufferSize, nInBufferSize, nDefaultTimeOut, lpSecurityAttributes); if (result.ToInt32() != Kernel32Support.INVALID_HANDLE_VALUE) { TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.PipeName] = lpName; transfer_unit[Color.PipeHandle] = result.ToInt32(); makeCallBack(transfer_unit); Console.WriteLine("\tSUCCESS "); } else { Console.WriteLine("\tFAILURE "); } return(result); }
private UInt32 ZwCreateSection_Hooked(IntPtr ptr_SectionHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr MaximumSize, Int32 SectionPageProtection, Int32 AllocationAttributes, IntPtr FileHandle) { preprocessHook(); UInt32 result = NtDllSupport.ZwCreateSection(ptr_SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle); if (result == NtDllSupport.STATUS_SUCCESS) { string object_name = string.Empty; //object_name = "YOOOO" + random.Next(); int section_handle = -1; unsafe { section_handle = *(int *)ptr_SectionHandle.ToPointer(); NtDllSupport.OBJECT_ATTRIBUTES *lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES *)ObjectAttributes.ToPointer(); if (lpobj_attr != null) { NtDllSupport.UNICODE_STRING *pstrng = lpobj_attr->ObjectName; object_name = pstrng->ToString(); } } TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.ObjectName] = object_name; transfer_unit[Color.SectionHandle] = section_handle; transfer_unit[Color.FileHandle] = FileHandle.ToInt32(); makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public int send_Hooked(IntPtr socket_handle, IntPtr lpBuffer, int buflen, int flags) { preprocessHook(); //String z = extractBufferAsString(lpBuffer, buflen < BUFFER_SAMPLE_LENGTH ? buflen : BUFFER_SAMPLE_LENGTH); String z = extractBufferAsString(lpBuffer, buflen); z.Replace("\r\n", " "); //Console.WriteLine(z); Console.WriteLine("ws2_32.send intercepted"); Func <int, string, string> gen = null; gen = (num, symb) => num == 0?"":gen(num - 1, symb) + symb; //Console.WriteLine(gen(10,"<")+gen(10,">")); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.Handle] = socket_handle.ToInt32(); transfer_unit[Color.Buffer] = z; int result = WS2_32Support.send(socket_handle, lpBuffer, buflen, flags); if (result != WS2_32Support.SOCKET_ERROR) { makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! private UInt32 ZwOpenFile_Hooked(IntPtr ptr_to_FileHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, Int32 ShareAccess, NtDllSupport.FileCreationFlags OpenOptions) { preprocessHook(); UInt32 result = NtDllSupport.ZwOpenFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions); if (result == NtDllSupport.STATUS_SUCCESS) { string object_name = string.Empty; //object_name = "YOOOO" + random.Next(); int file_handle = -1; unsafe { int *pfile_handle = (int *)ptr_to_FileHandle.ToPointer(); file_handle = *pfile_handle; NtDllSupport.OBJECT_ATTRIBUTES *lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES *)ObjectAttributes.ToPointer(); NtDllSupport.UNICODE_STRING * pstrng = lpobj_attr->ObjectName; object_name = pstrng->ToString(); } TransferUnit transfer_unit = createTransferUnit(); transfer_unit["ObjectName"] = object_name; transfer_unit["FileHandle"] = file_handle; makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public int connect_Hooked(IntPtr socket, IntPtr lpSockAddr, int namelen) { preprocessHook(); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.Handle] = socket.ToInt32(); // call original API... int result = WS2_32Support.connect(socket, lpSockAddr, namelen); transfer_unit[Color.Result] = result; //Discovered in opera. Connect returns -1. But opera sends data anyway through this socket. //So we disable error checking here //if (result != WS2_32Support.SOCKET_ERROR) makeCallBack(transfer_unit); //else { // int error = WS2_32Support.WSAGetLastError(); // WS2_32Support.WSASetLastError(error); //} return(result); }
// this is where we are intercepting all file accesses! private UInt32 ZwCreateFile_Hooked(IntPtr ptr_to_FileHandle, NtDllSupport.AccessRightsFlags DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, Int32 AllocationSize, Int32 FileAttributes, NtDllSupport.ShareAccessFlags ShareAccess, Int32 CreateDisposition, NtDllSupport.FileCreationFlags CreateOptions, IntPtr EaBuffer, Int32 EaLength) { preprocessHook(); UInt32 result = NtDllSupport.ZwCreateFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); if (result == NtDllSupport.STATUS_SUCCESS) { string object_name = string.Empty; //object_name = "YOOOO"+random.Next(); int file_handle = -1; unsafe { int *pfile_handle = (int *)ptr_to_FileHandle.ToPointer(); file_handle = *pfile_handle; NtDllSupport.OBJECT_ATTRIBUTES *lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES *)ObjectAttributes.ToPointer(); NtDllSupport.UNICODE_STRING * pstrng = lpobj_attr->ObjectName; object_name = pstrng->ToString(); } TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.ObjectName] = object_name; transfer_unit[Color.FileHandle] = file_handle; transfer_unit[Color.DesiredAccess] = DesiredAccess; transfer_unit[Color.ShareAccess] = ShareAccess; transfer_unit[Color.FileCreationFlags] = CreateOptions; makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! private UInt32 ZwReadFile_Hooked(IntPtr FileHandle, IntPtr Event, IntPtr ApcRoutine, IntPtr ApcContext, IntPtr IoStatusBlock, IntPtr Buffer, Int32 Length, IntPtr ByteOffset, IntPtr Key) { preprocessHook(); UInt32 result = NtDllSupport.ZwReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key); if (result == NtDllSupport.STATUS_SUCCESS) { int bytes_read = 0; unsafe { NtDllSupport.IO_STATUS_BLOCK *io_status_block = (NtDllSupport.IO_STATUS_BLOCK *)IoStatusBlock.ToPointer(); bytes_read = io_status_block->Information; } string buffer = AbstractHookDescription.extractBufferAsString(Buffer, bytes_read > BUFFER_LIMIT ? BUFFER_LIMIT : bytes_read); TransferUnit transfer_unit = createTransferUnit(); transfer_unit["FileHandle"] = FileHandle.ToInt32(); transfer_unit["buffer"] = buffer; transfer_unit["BytesRead"] = bytes_read; makeCallBack(transfer_unit); } return(result); }
public void dataHasBeenIntercepted(TransferUnit tu) { ////Console.WriteLine("Making callback for "+tu.apiCallName); //try { tu_sender.sendTransferUnit(tu); //} catch { // Console.WriteLine("Zabivaem na oshibku"); //} }
/// <summary> /// This method accepts transfer unti and dispatches it through ApiDispatcher /// which transfers it to appropriate places in CPNet /// </summary> /// <param name="tu"></param> private void receiveTransferUnit(TransferUnit tu) { try { ApiDispatcher.dispatchToken(new Token(tu)); } catch (Exception e) { Console.WriteLine(e); } }
/// <summary> /// Create new TransferUnit and fill out process Id and thread Id fields /// </summary> /// <returns>new transfer unit</returns> protected TransferUnit createTransferUnit() { TransferUnit t = new TransferUnit(); t.PID = RemoteHooking.GetCurrentProcessId(); t.TID = RemoteHooking.GetCurrentThreadId(); t.apiCallName = api_full_name; lock (hook_sequence_number_sync) { t.Hook_sequence_number = hook_sequence_number++; } return(t); }
/// <summary> /// This method should be called from the hook handlers. It routes transfer unit to the place of futher processing. /// </summary> /// <param name="tu"></param> protected void makeCallBack(TransferUnit tu) { try { callback_interface.dataHasBeenIntercepted(tu); } catch (Exception) { Console.WriteLine("Error in callback. Disposing hook <" + this.api_full_name.library_name + "." + this.api_full_name.api_name + ">"); //Console.WriteLine("-----------------------------------------------------------------------"); //Console.WriteLine(e); //Console.WriteLine("-----------------------------------------------------------------------"); hook.Dispose(); } }
/// <summary> /// Converts the bandwidth to specific unit. /// </summary> /// <param name="bandwidth"> /// The bandwidth. /// </param> /// <param name="transferUnit"> /// The transfer unit. /// </param> /// <returns> /// Conversion result. /// </returns> public static double To(this Bandwidth bandwidth, TransferUnit transferUnit) { if (TransferUnit.Kilobytes == transferUnit) { return(bandwidth.Kilobytes); } if (TransferUnit.Megabytes == transferUnit) { return(bandwidth.Megabytes); } return(bandwidth.Gigabytes); }
public UInt32 ZwClose_Hooked(IntPtr handle) { preprocessHook(); // call original API... UInt32 result = NtDllSupport.ZwClose(handle); //Console.Write("."); //if (result == NtDllSupport.STATUS_SUCCESS) { TransferUnit transfer_unit = createTransferUnit(); transfer_unit["handle"] = handle.ToInt32(); transfer_unit["ntStatus"] = result; makeCallBack(transfer_unit); //} return(result); }
// this is where we are intercepting all file accesses! public int listen_Hooked(IntPtr socket, int backlog) { preprocessHook(); // call original API... int result = WS2_32Support.listen(socket, backlog); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.Handle] = socket.ToInt32(); if (result != WS2_32Support.SOCKET_ERROR) { makeCallBack(transfer_unit); } return(result); }
private UInt32 ZwMapViewOfSection_Hooked(IntPtr SectionHandle, IntPtr ProcessHandle, IntPtr BaseAddress, Int32 ZeroBits, Int32 CommitSize, IntPtr SectionOffset, IntPtr ViewSize, NtDllSupport.SECTION_INHERIT InheritDisposition, Int32 AllocationType, Int32 Win32Protect) { preprocessHook(); UInt32 result = NtDllSupport.ZwMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect); if (result == NtDllSupport.STATUS_SUCCESS) { TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.BaseAddress] = BaseAddress.ToInt32(); transfer_unit[Color.SectionHandle] = SectionHandle.ToInt32(); transfer_unit[Color.ProcessHandle] = ProcessHandle.ToInt32(); makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public IntPtr accept_Hooked(IntPtr socket, IntPtr lpSockAddr, IntPtr int_addrlen) { preprocessHook(); // call original API... IntPtr result = WS2_32Support.accept(socket, lpSockAddr, int_addrlen); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.ListeningSocketHandle] = socket.ToInt32(); transfer_unit[Color.Handle] = result.ToInt32(); if (result.ToInt32() != WS2_32Support.INVALID_SOCKET) { makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public int bind_Hooked(IntPtr socket, IntPtr lpSockAddr, int namelen) { preprocessHook(); // call original API... int result = WS2_32Support.bind(socket, lpSockAddr, namelen); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.Handle] = socket.ToInt32(); if (result != WS2_32Support.SOCKET_ERROR) { makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public int ConnectNamedPipe_Hooked(IntPtr hNamedPipe, IntPtr lpOverlapped) { preprocessHook(); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.PipeHandle] = hNamedPipe.ToInt32(); // call original API... int result = Kernel32Support.ConnectNamedPipe(hNamedPipe, lpOverlapped); if (result != Kernel32Support.FALSE) { makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public int WSAConnect_Hooked(IntPtr socket, IntPtr lpSockAddr, int namelen, IntPtr lpCallerData, IntPtr lpCalleeData, IntPtr lpSQOS, IntPtr lpGQOS) { preprocessHook(); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.Handle] = socket.ToInt32(); // call original API... int result = WS2_32Support.WSAConnect(socket, lpSockAddr, namelen, lpCallerData, lpCalleeData, lpSQOS, lpGQOS); transfer_unit[Color.Result] = result; if (result != WS2_32Support.SOCKET_ERROR) { makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public int WSASend_Hooked(IntPtr socket_handle, IntPtr lpBuffers, Int32 dwBufferCount, ref Int32 lpNumberOfBytesSent, int flags, IntPtr lpOverlapped, IntPtr lpCompletionRoutine) { preprocessHook(); WS2_32Support.WSABUF[] buffers = new WS2_32Support.WSABUF[dwBufferCount]; unsafe { WS2_32Support.WSABUF *lpbuffer = (WS2_32Support.WSABUF *)lpBuffers.ToPointer(); for (int i = 0; i < dwBufferCount; i++) { buffers[i] = lpbuffer[i]; } } string z = ""; for (int i = 0; i < dwBufferCount; i++) { z += AbstractHookDescription.extractBufferAsString(buffers[i].buf, (int)(buffers[i].len < BUFFER_SAMPLE_LENGTH ? buffers[i].len : buffers[i].len)); } z.Replace("\r\n", " "); //Console.WriteLine(z); Console.WriteLine("ws2_32.WSASend intercepted"); Func <int, string, string> gen = null; gen = (num, symb) => num == 0 ? "" : gen(num - 1, symb) + symb; //Console.WriteLine(gen(10, "<") + gen(10, ">")); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.Handle] = socket_handle.ToInt32(); transfer_unit[Color.Buffer] = z; //call original API int result = WS2_32Support.WSASend(socket_handle, lpBuffers, dwBufferCount, ref lpNumberOfBytesSent, flags, lpOverlapped, lpCompletionRoutine); if (result != WS2_32Support.SOCKET_ERROR) { makeCallBack(transfer_unit); } return(result); }
// this is where we are intercepting all file accesses! public IntPtr WSASocket_Hooked(WS2_32Support.ADDRESS_FAMILIES af, WS2_32Support.SOCKET_TYPE socket_type, WS2_32Support.PROTOCOL protocol, IntPtr lpProtocolInfo, Int32 group, WS2_32Support.OPTION_FLAGS_PER_SOCKET dwFlags) { preprocessHook(); // call original API... IntPtr socket_handle = WS2_32Support.WSASocketW(af, socket_type, protocol, lpProtocolInfo, group, dwFlags); TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.AddressFamily] = af; transfer_unit[Color.SocketType] = socket_type; transfer_unit[Color.Protocol] = protocol; transfer_unit[Color.Flags] = dwFlags; transfer_unit[Color.Handle] = socket_handle.ToInt32(); if (socket_handle.ToInt32() != Kernel32Support.INVALID_HANDLE_VALUE) { makeCallBack(transfer_unit); } return(socket_handle); }
public UInt32 ZwTerminateProcess_Hooked(IntPtr ProcessHandle, UInt32 ExitStatus) { preprocessHook(); // call original API... TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.ProcessHandle] = ProcessHandle.ToInt32(); transfer_unit[Color.ExitStatus] = ExitStatus; //transfer_unit[Color.Result] = result; makeCallBack(transfer_unit); Console.WriteLine("Delay ZwTerminateProcess"); const int DELAY = 10; for (int i = 0; i < DELAY; i++) { Console.Write(" " + (DELAY - i)); } UInt32 result = NtDllSupport.ZwTerminateProcess(ProcessHandle, ExitStatus); return(result); }
// this is where we are intercepting all file accesses! private IntPtr OpenProcess_Hooked(Kernel32Support.ProcessAccessFlags dwDesiredAccess, bool bInheritHandle, uint dwProcessId) { preprocessHook(); TransferUnit transfer_unit = createTransferUnit(); transfer_unit["dwDesiredAccess"] = dwDesiredAccess; transfer_unit["bInheritHandle"] = bInheritHandle; transfer_unit["dwProcessId"] = dwProcessId; // call original API through our Kernel32Support class IntPtr handle = Kernel32Support.OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId); transfer_unit["handle"] = handle.ToInt32(); if (handle.ToInt32() != Kernel32Support.NULL) { makeCallBack(transfer_unit); } return(handle); }
public void ExitProcess_Hooked(uint uExitCode) { preprocessHook(); TransferUnit transfer_unit = createTransferUnit(); transfer_unit["uExitCode"] = uExitCode; makeCallBack(transfer_unit); Console.WriteLine("Delay ExitProcess"); const int DELAY = 10; for (int i = 0; i < DELAY; i++) { Console.Write(" " + (DELAY - i)); } // call original API... Kernel32Support.ExitProcess(uExitCode); //Console.Write("."); //if (result == Kernel32Support.STATUS_SUCCESS) { //} }
// this is where we are intercepting all file accesses! private uint LdrLoadDll_Hooked(IntPtr PathToFile, NtDllSupport.LoadLibraryFlags dwFlags, ref NtDllSupport.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle) { lock (sync_object) { Console.WriteLine("Begin ---------------------LdrLoadDll(\"" + ModuleFileName + "\")"); preprocessHook(); TransferUnit transfer_unit = createTransferUnit(); transfer_unit["PathToFile"] = PathToFile; transfer_unit["ModuleFileName"] = ModuleFileName.ToString(); transfer_unit["dwFlags"] = dwFlags; // call original API through our Kernel32Support class uint result = NtDllSupport.LdrLoadDll(PathToFile, dwFlags, ref ModuleFileName, ref ModuleHandle); transfer_unit["ModuleHandle"] = ModuleHandle; HookRegistry.checkHooksToInstall(); makeCallBack(transfer_unit); Console.WriteLine("End -----------------------LdrLoadDll(\"" + ModuleFileName + "\")="); return(result); } }
/// <summary> /// Changes the transfer unit. /// </summary> /// <param name="transferUnit"> /// The transfer unit. /// </param> public void ChangeTransferUnit(TransferUnit transferUnit) { this.Download = this.bandwidth.Download.To(transferUnit); this.Upload = this.bandwidth.Upload.To(transferUnit); }
public Token(TransferUnit tu) : base(tu) { }
private int CreateProcessInternalW_Hooked(Int32 unknown1, string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, Kernel32Support.ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, IntPtr lpStartupInfo, IntPtr lpProcessInformation, Int32 unknown2) { preprocessHook(); IntPtr he, ho, hi, h_process, h_thread; Int32 dwProcessId, dwThreadId; // call original API through our Kernel32Support class if (Configuration.FOLLOW_PROCESS_TREE) { dwCreationFlags |= Kernel32Support.ProcessCreationFlags.CREATE_SUSPENDED; } int result = Kernel32Support.FALSE; try { result = Kernel32Support.CreateProcessInternalW(unknown1, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, unknown2); } catch { Console.WriteLine("Failed to launch subprocess"); } unsafe { Kernel32Support.STARTUPINFO *lp_stratup_info = (Kernel32Support.STARTUPINFO *)lpStartupInfo.ToPointer(); he = lp_stratup_info->hStdError; ho = lp_stratup_info->hStdOutput; hi = lp_stratup_info->hStdInput; Kernel32Support.PROCESS_INFORMATION *lp_process_info = (Kernel32Support.PROCESS_INFORMATION *)lpProcessInformation.ToPointer(); h_process = lp_process_info->hProcess; h_thread = lp_process_info->hThread; dwProcessId = lp_process_info->dwProcessId; dwThreadId = lp_process_info->dwThreadId; } TransferUnit transfer_unit = createTransferUnit(); transfer_unit[Color.StdErrHandle] = he.ToInt32(); transfer_unit[Color.StdOutHandle] = ho.ToInt32(); transfer_unit[Color.StdInHandle] = hi.ToInt32(); if ((lpApplicationName == null) && (lpCommandLine != null)) { string[] command_lines = APIMonLib.Hooks.shell32.dll.Shell32DllSupport.CommandLineToArgs(lpCommandLine); if (command_lines.Length > 0) { lpApplicationName = System.IO.Path.GetFileName(command_lines[0]); } else { throw new Exception("Hook_CreateProcessInternalW Can not infer application name"); } } transfer_unit[Color.ApplicationName] = lpApplicationName; transfer_unit[Color.CommandLine] = lpCommandLine; transfer_unit[Color.ProcessHandle] = h_process.ToInt32(); transfer_unit[Color.FirstThreadHandle] = h_thread.ToInt32(); transfer_unit[Color.ProcessId] = dwProcessId; transfer_unit[Color.FirstThreadId] = dwThreadId; transfer_unit[Color.ProcessCreationFlags] = dwCreationFlags; //if (result!=Kernel32Support.FALSE) makeCallBack(transfer_unit); return(result); }