/// <summary>
/// Reports whether <paramref name="aCallInfo"/> is the outermost hooked call on its thread.
/// </summary>
/// <param name="aCallInfo">Call being dispatched.</param>
/// <returns><c>true</c> when exactly one nested call is recorded for the call's thread.</returns>
private bool IsRootCall(INktHookCallInfo aCallInfo)
{
    // A depth of exactly one means no other call is in flight on this thread,
    // so this call is the root of its call tree.
    const int rootDepth = 1;
    return NestedFunctionCallCountOf(aCallInfo) == rootDepth;
}
/// <summary>Builds the <see cref="FunctionCall"/> model for a hook callback.</summary>
/// <param name="aCallInfo">Call to convert.</param>
/// <returns>A <see cref="FunctionCall"/> carrying the order previously stored for this call.</returns>
private FunctionCall FunctionCallFrom(INktHookCallInfo aCallInfo)
{
    // The order was stored when the call was first seen; look it up rather than recompute it.
    var storedOrder = _functionCallsOrder.Value(aCallInfo);
    return FunctionCall.From(aCallInfo, storedOrder);
}
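/// <summary>
/// Hook callback for the start of a print job: resets the page counter and launches the
/// interactive login window, waiting (bounded) for it to exit.
/// </summary>
/// <param name="hhook">Hook that fired (unused).</param>
/// <param name="proc">Hooked process (unused).</param>
/// <param name="callInfo">Call details from the hook engine (unused).</param>
private void OnFunctionCalledPrinterStart(INktHook hhook, INktProcess proc, INktHookCallInfo callInfo)
{
    // Re-entrancy guard: the flag flips on every second callback so the launcher below
    // runs only once per pair of events.
    if (IsWorkedPrintStart)
    {
        IsWorkedPrintStart = false;
        return;
    }

    TypressService.eventLog1.WriteEntry("Printer Request Event!");
    PageCnt = 0;

    if (TypressService.packet.IsLogin == false)
    {
        // "Showing LoginForm"
        TypressService.eventLog1.WriteEntry("LoginForm 띄움");
    }

    // SECURITY/CONFIG: hard-coded, user-specific path to a Debug build. A service should read
    // this from configuration and verify the target is not writable by the interactive user,
    // since StartProcessAndBypassUAC presumably launches it with a privileged token — confirm.
    string applicationName = "C:\\Users\\jklh0\\source\\github\\Typress\\InterruptLogin\\InterruptLoginView\\InterruptLoginView\\bin\\x64\\Debug\\InterruptLoginView.exe";

    ApplicationLoader.PROCESS_INFORMATION procInfo;
    ApplicationLoader.StartProcessAndBypassUAC(applicationName, out procInfo);

    // Take ownership of the returned process handle so it is closed even if the wait or the
    // exit-code query throws; previously it was never closed.
    using (var processHandle = new Microsoft.Win32.SafeHandles.SafeProcessHandle(procInfo.hProcess, true))
    {
        int exitcode = 0;
        // Bounded wait so a stuck login window cannot block the hook callback forever.
        WaitForSingleObject(procInfo.hProcess, 100000);
        GetExitCodeProcess(procInfo.hProcess, ref exitcode);
        // NOTE(review): exitcode is queried but never acted on; the original comment asked
        // "did the IsLogin variable change?" — if the login window reports success through its
        // exit code, check it here.
    }
    // NOTE(review): PROCESS_INFORMATION normally also carries a thread handle; confirm whether
    // ApplicationLoader closes it, otherwise it leaks too.

    IsWorkedPrintStart = true;
}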
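/// <summary>
/// Hook handler for WriteFile: resolves the target path from the file handle and, for paths
/// outside AppData and the registry, measures the entropy of the data being written.
/// High-entropy writes are reported as a possible encryption indicator.
/// </summary>
/// <param name="callInfo">Hook call details; parameter 0 is the file handle, 1 the buffer, 2 the byte count.</param>
private void writeFileH(INktHookCallInfo callInfo)
{
    // Get written path from file handle.
    NktTools tool = new NktTools();
    string path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process());
    if (path == null)
    {
        // NOTE(review): NktTools.GetFileNameFromHandle is not visible here; guard in case an
        // unresolvable handle is reported as null rather than by throwing.
        return;
    }

    // AppData and registry hives are skipped as routine application housekeeping.
    // NOTE(review): the registry check is case-sensitive while the AppData one is not — confirm intended.
    if (path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase) || path.Contains("\\REGISTRY\\"))
    {
        return;
    }

    INktParam pBuf = callInfo.Params().GetAt(1);   // data to write
    INktParam pBytes = callInfo.Params().GetAt(2); // length of data
    uint bytesToWrite = pBytes.ULongVal;
    double entropy = 0;

    if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0)
    {
        INktProcessMemory procMem = process.Memory();
        // bytesToWrite comes from the monitored (untrusted) process; a huge value allocates an
        // equally huge buffer in this process. TODO(review): cap the number of bytes sampled.
        byte[] buffer = new byte[bytesToWrite];
        GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            procMem.ReadMem(pinnedBuffer.AddrOfPinnedObject(), pBuf.PointerVal, (IntPtr)bytesToWrite);
        }
        finally
        {
            // Always unpin; a failed ReadMem previously leaked the pinned object.
            pinnedBuffer.Free();
        }

        // Get per-byte entropy (the unused UTF-8 decode of the buffer was dropped).
        entropy = getEntropy(buffer);
    }

    if (entropy > 6)
    {
        intelligence.writeFileS();
    }
}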
/// <summary>Builds a fully inspected <see cref="FunctionCall"/> for a post-call event.</summary>
/// <param name="aCallInfo">Post-call details.</param>
/// <param name="order">Global order assigned to the call.</param>
/// <returns>The call model with inspected parameters, inspected result and a summary.</returns>
private static FunctionCall FromPostCall(INktHookCallInfo aCallInfo, int order)
{
    var parameters = InspectParametersFrom(aCallInfo);
    var result = InspectResultFrom(aCallInfo);
    // The summary is derived from the parameters only, not from the result.
    var summary = CreateSummaryFrom(parameters);
    return From(aCallInfo, order, result, parameters, summary);
}
/// <summary>Builds a fully inspected <see cref="FunctionCall"/> for a post-call event.</summary>
/// <param name="aCallInfo">Post-call details.</param>
/// <param name="order">Global order assigned to the call.</param>
/// <returns>The call model with inspected parameters, inspected result and a summary.</returns>
private static FunctionCall FromPostCall(INktHookCallInfo aCallInfo, int order)
{
    var inspectedParams = InspectParametersFrom(aCallInfo);
    var inspectedReturn = InspectResultFrom(aCallInfo);
    // Summary is built from the parameters alone.
    return From(aCallInfo, order, inspectedReturn, inspectedParams, CreateSummaryFrom(inspectedParams));
}
/// <summary>
/// Handles a pre-call event: assigns the call its order, bumps the thread's nesting depth,
/// and dispatches the resulting <see cref="FunctionCall"/>.
/// </summary>
/// <param name="preCallInfo">Pre-call details.</param>
private void ProcessPreCall(INktHookCallInfo preCallInfo)
{
    // Order must be stored before the model is built, because FunctionCallFrom reads it back.
    AssignFunctionCallOrderTo(preCallInfo);
    // Depth is bumped before dispatch so IsRootCall counts this call.
    IncrementNestedFunctionsCalledByThreadOf(preCallInfo);
    Dispatch(preCallInfo, FunctionCallFrom(preCallInfo));
}
/// <summary>Creates a parameter inspector for the hooked function behind <paramref name="callInfo"/>.</summary>
/// <param name="callInfo">Call whose hook supplies the function name.</param>
/// <returns>An inspector limited to the configured maximum inspection depth.</returns>
private static ParameterInspectorVisitor CreateParameterInspectorFor(INktHookCallInfo callInfo)
{
    var inspector = new ParameterInspectorVisitor(callInfo.Hook().FunctionName);
    // The depth limit is read from settings on every call rather than cached.
    inspector.Depth = new ApplicationSettings().MaximumParameterInspectionDepth;
    return inspector;
}
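/// <summary>
/// Hook handler for RegCreateKeyEx: reports a persistence attempt when the key being created
/// lives under a Windows autorun (Run / RunOnce) location.
/// </summary>
/// <param name="callInfo">Hook call details; parameter 1 is the sub-key name.</param>
private void regCreateKeyExH(INktHookCallInfo callInfo)
{
    string path = callInfo.Params().GetAt(1).ReadString();
    if (path == null)
    {
        // An unreadable sub-key cannot be matched; previously this dereferenced null.
        return;
    }

    // Registry paths are case-insensitive, so a case-sensitive Contains let variants such as
    // "windows\currentversion\run" go unreported. "...\\Run" also matches "...\\RunOnce".
    if (path.Contains("Windows\\CurrentVersion\\Run", StringComparison.OrdinalIgnoreCase))
    {
        intelligence.foundStartup();
    }
}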
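/// <summary>
/// Hook handler for CryptAcquireContext: reports when the caller requests the
/// Microsoft Enhanced RSA and AES provider.
/// </summary>
/// <param name="callInfo">Hook call details; parameter 2 is the provider name.</param>
private void cryptAcquireContextH(INktHookCallInfo callInfo)
{
    // pszProvider may be NULL (default provider), so a string is not guaranteed.
    string csp = callInfo.Params().GetAt(2).Value as string;
    if (csp != null && csp.Contains("Microsoft Enhanced RSA and AES Cryptographic Provider"))
    {
        intelligence.cryptAcquireContextS();
    }
}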
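/// <summary>Hook handler for DeleteFile: reports deletions of files outside AppData.</summary>
/// <param name="callInfo">Hook call details; parameter 0 is the file path.</param>
private void deleteFileH(INktHookCallInfo callInfo)
{
    string path = callInfo.Params().GetAt(0).Value as string;
    if (path == null)
    {
        // No path to classify; previously this dereferenced null.
        return;
    }
    // Deletions inside AppData are treated as routine application housekeeping.
    if (!path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase))
    {
        intelligence.deleteFileS();
    }
}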
/// <summary>
/// Handles a pre-call event: stores the call's order, increments the thread's nesting
/// depth, then dispatches the call model.
/// </summary>
/// <param name="preCallInfo">Pre-call details.</param>
private void ProcessPreCall(INktHookCallInfo preCallInfo)
{
    AssignFunctionCallOrderTo(preCallInfo);
    IncrementNestedFunctionsCalledByThreadOf(preCallInfo);
    // Built only after the order and depth are recorded, since both are read back here.
    var model = FunctionCallFrom(preCallInfo);
    Dispatch(preCallInfo, model);
}
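/// <summary>
/// Hook handler for WinExec: reports when the command line invokes vssadmin or bcdedit,
/// tools commonly abused to remove shadow copies or disable recovery.
/// </summary>
/// <param name="callInfo">Hook call details; parameter 0 is the command line.</param>
private void winExecH(INktHookCallInfo callInfo)
{
    string cmdLine = callInfo.Params().GetAt(0).Value as string;
    if (cmdLine == null)
    {
        // Nothing to inspect; previously this dereferenced null.
        return;
    }
    bool isRecoveryTool = cmdLine.Contains("vssadmin", StringComparison.OrdinalIgnoreCase)
        || cmdLine.Contains("bcdedit", StringComparison.OrdinalIgnoreCase);
    if (isRecoveryTool)
    {
        intelligence.createProcessS();
    }
}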
/// <summary>Routes a call to the root-call or child-call dispatcher based on its nesting depth.</summary>
/// <param name="aCallInfo">Call details used to decide root vs. child.</param>
/// <param name="aFunctionCall">Model handed to the chosen dispatcher.</param>
private void Dispatch(INktHookCallInfo aCallInfo, FunctionCall aFunctionCall)
{
    if (IsRootCall(aCallInfo))
    {
        _dispatchDispatchRootCall(aFunctionCall);
    }
    else
    {
        _dispatchDispatchChildCall(aFunctionCall);
    }
}
/// <summary>
/// Hook callback for the end of a print job: logs the final page count and an end-of-job
/// marker, once per pair of callbacks.
/// </summary>
/// <param name="hhook">Hook that fired (unused).</param>
/// <param name="proc">Hooked process (unused).</param>
/// <param name="callInfo">Call details (unused).</param>
private void OnFunctionCalledPrinterEnd(INktHook hhook, INktProcess proc, INktHookCallInfo callInfo)
{
    // The flag toggles on each callback so only every other invocation logs.
    if (IsWorkedPrintEnd)
    {
        IsWorkedPrintEnd = false;
        return;
    }

    var log = TypressService.eventLog1;
    log.WriteEntry("최종출력물 갯수 : ");   // "final output count:"
    log.WriteEntry(PageCnt.ToString());
    log.WriteEntry("인쇄작업 종료!");        // "print job finished!"
    IsWorkedPrintEnd = true;
}
/// <summary>
/// Entry point for hook callbacks: serialises all pre/post-call processing on
/// <c>_dataLock</c> and forwards to the matching handler.
/// </summary>
/// <param name="aCallInfo">Call details from the hook engine.</param>
public void Dispatch(INktHookCallInfo aCallInfo)
{
    lock (_dataLock)
    {
        if (aCallInfo.IsPreCall)
        {
            ProcessPreCall(aCallInfo);
        }
        else
        {
            ProcessPostCall(aCallInfo);
        }
    }
}
/// <summary>Inspects a call's return value; a pre-call has none yet and yields an empty parameter.</summary>
/// <param name="aCallInfo">Call whose result is inspected.</param>
/// <returns>The inspected result, or <see cref="InspectedParameter.Empty"/> for a pre-call.</returns>
private static InspectedParameter InspectResultFrom(INktHookCallInfo aCallInfo)
{
    if (aCallInfo.IsPreCall)
    {
        return InspectedParameter.Empty();
    }

    var returnValue = aCallInfo.Result();
    var inspector = CreateParameterInspectorFor(aCallInfo);
    inspector.Inspect(new[] { returnValue });
    // Exactly one value was inspected, so the first entry is the result.
    return inspector.InspectedParameters.First();
}
/// <summary>
/// Hook callback for the printer: logs the event and, unless <c>num</c> already reads "100",
/// shows a login prompt. Logged strings are user-facing Korean messages.
/// </summary>
/// <param name="hhook">Hook that fired (unused).</param>
/// <param name="proc">Hooked process (unused).</param>
/// <param name="callInfo">Call details (unused).</param>
private void OnFunctionCalledPrinter(INktHook hhook, INktProcess proc, INktHookCallInfo callInfo)
{
    const string Done = "100";
    MyNewService.eventLog1.WriteEntry("Event.");
    if (num == Done)
    {
        MyNewService.eventLog1.WriteEntry("출력됩니당.");   // "printing."
        num = "0";
        return;
    }

    // NOTE(review): a modal MessageBox from a service callback blocks the hook thread and is not
    // visible from a non-interactive session — confirm this runs in a user session.
    MessageBox.Show("로그인");   // "login"
    if (num == Done)
    {
        // Only reachable if num was changed elsewhere while the prompt was open.
        // (Unhooking at this point was left commented out in the original.)
        MyNewService.eventLog1.WriteEntry("에엥?");   // "huh?"
    }
}
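/// <summary>Inspects every parameter of a post-call; a pre-call yields an empty list.</summary>
/// <param name="callInfo">Call to inspect.</param>
/// <returns>The inspector's collected parameters (empty for a pre-call).</returns>
private static List<InspectedParameter> InspectParametersFrom(INktHookCallInfo callInfo)
{
    if (callInfo.IsPreCall)
    {
        return new List<InspectedParameter>();
    }

    var parameters = callInfo.Params().CollectAll();
    var inspector = CreateParameterInspectorFor(callInfo);
    inspector.Inspect(parameters);
    // The unused local that re-read Hook().FunctionName was dropped; the inspector already
    // receives the function name from CreateParameterInspectorFor.
    return inspector.InspectedParameters;
}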
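/// <summary>
/// Hook handler for FindFirstFile: reports directory enumeration outside AppData,
/// distinguishing a wildcard scan of all files from a per-extension (*.txt) scan.
/// </summary>
/// <param name="callInfo">Hook call details; parameter 0 is the search pattern.</param>
private void findFirstFileH(INktHookCallInfo callInfo)
{
    string pattern = callInfo.Params().GetAt(0).Value as string;
    if (pattern == null)
    {
        // Nothing to classify; previously this dereferenced null.
        return;
    }
    // Enumeration inside AppData is ordinary application behaviour and is ignored.
    if (pattern.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    // 1: search for all files, filter later.
    if (pattern.EndsWith("*"))
    {
        intelligence.findFirstFileS();
    }
    // 2: search for each extension separately.
    if (pattern.EndsWith("*.txt"))
    {
        intelligence.findFirstFileTxtS();
    }
}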
/// <summary>
/// Hook callback for NtWriteFile: resolves the written file's name from its handle and
/// records it once in the shared <c>fileNames</c> collection.
/// </summary>
/// <param name="hook">Hook that fired (unused).</param>
/// <param name="proc">Hooked process; its handle is used to resolve the file name.</param>
/// <param name="callInfo">Call details; parameter 0 is the file handle.</param>
private void OnNtWriteFile(INktHook hook, INktProcess proc, INktHookCallInfo callInfo)
{
    var handle = callInfo.Params().GetAt(0).SizeTVal;
    var name = ReadFileInfo(proc.Handle(WinEnum.PROCESS_WM_READ), handle);
    if (name == null)
    {
        return;
    }
    // The collection is presumably shared between hook threads; lookup and add stay under one lock.
    lock (fileNames)
    {
        if (fileNames.Contains(name))
        {
            return;
        }
        fileNames.Add(name);
    }
}
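/// <summary>
/// Hook callback shared by every hooked function: derives a handler name from the function
/// name (the part right of '!', first letter lower-cased, suffixed with 'H') and invokes that
/// non-public handler on the <see cref="HookManager"/> of the calling process via reflection.
/// </summary>
/// <param name="hook">Hook that fired; supplies the function name.</param>
/// <param name="proc">Hooked process; selects the HookManager.</param>
/// <param name="callInfo">Call details forwarded to the handler.</param>
private void OnFunctionCalled(NktHook hook, INktProcess proc, INktHookCallInfo callInfo)
{
    // 1: split function name to the right of '!' and add the handler tag; 2: lower-case first letter.
    string fullName = hook.FunctionName;
    string mn = fullName.Substring(fullName.LastIndexOf('!') + 1) + 'H';
    mn = Char.ToLowerInvariant(mn[0]) + mn.Substring(1);

    // 3.1: get the HookManager for this process.
    HookManager h = hManagers[proc.Id];
    // 3.2: look up its handler. A missing handler is expected for hooked-but-unmodelled
    // functions, so test for null instead of catching NullReferenceException.
    MethodInfo mi = h.GetType().GetMethod(mn, BindingFlags.Instance | BindingFlags.NonPublic);
    if (mi == null)
    {
        Debug.WriteLine(mn + " has no handler");
        return;
    }

    try
    {
        mi.Invoke(h, new object[] { callInfo });
    }
    catch (TargetInvocationException ex)
    {
        // Invoke wraps handler exceptions, so the original catch (NullReferenceException) never
        // saw them and they escaped the hook callback. Log the real cause and keep going.
        Debug.WriteLine(mn + " handler failed: " + ex.InnerException);
    }
}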
/// <summary>Hook handler for CreateRemoteThreadEx; treated exactly like CreateRemoteThread.</summary>
/// <param name="callInfo">Hook call details.</param>
private void createRemoteThreadExH(INktHookCallInfo callInfo) => createRemoteThreadH(callInfo);
/// <summary>Hook handler for SuspendThread: every call is reported, no filtering.</summary>
/// <param name="callInfo">Hook call details (unused).</param>
private void suspendThreadH(INktHookCallInfo callInfo) => intelligence.suspendThreadS();
/// <summary>Hook handler for CreateRemoteThread: every call is reported, no filtering.</summary>
/// <param name="callInfo">Hook call details (unused).</param>
private void createRemoteThreadH(INktHookCallInfo callInfo) => intelligence.createRemoteThreadS();
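/// <summary>Inspects every parameter of a post-call; a pre-call yields an empty list.</summary>
/// <param name="callInfo">Call to inspect.</param>
/// <returns>The inspector's collected parameters (empty for a pre-call).</returns>
private static List<InspectedParameter> InspectParametersFrom(INktHookCallInfo callInfo)
{
    if (callInfo.IsPreCall)
    {
        return new List<InspectedParameter>();
    }

    var inspector = CreateParameterInspectorFor(callInfo);
    inspector.Inspect(callInfo.Params().CollectAll());
    // Dropped the unused local that re-read Hook().FunctionName.
    return inspector.InspectedParameters;
}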
/// <summary>Hook handler for GetComputerName: every call is reported.</summary>
/// <param name="callInfo">Hook call details (unused).</param>
private void getComputerNameH(INktHookCallInfo callInfo) => intelligence.getComputerNameS();
/// <summary>
/// Reports whether <paramref name="aCallInfo"/> is the only hooked call currently
/// in flight on its thread.
/// </summary>
/// <param name="aCallInfo">Call being dispatched.</param>
/// <returns><c>true</c> when the thread's nesting depth is exactly one.</returns>
private bool IsRootCall(INktHookCallInfo aCallInfo)
{
    var depth = NestedFunctionCallCountOf(aCallInfo);
    // Depth one: no enclosing call on this thread, so this is the root.
    return depth == 1;
}
/// <summary>Hook handler for DeleteFileW; delegates to the ANSI/shared handler.</summary>
/// <param name="callInfo">Hook call details.</param>
private void deleteFileWH(INktHookCallInfo callInfo) => deleteFileH(callInfo);
/// <summary>Builds the <see cref="FunctionCall"/> model for a hook callback.</summary>
/// <param name="aCallInfo">Call to convert.</param>
/// <returns>The model built with the order previously stored for this call.</returns>
private FunctionCall FunctionCallFrom(INktHookCallInfo aCallInfo)
{
    // Reuse the order recorded earlier instead of allocating a new one.
    return FunctionCall.From(aCallInfo, _functionCallsOrder.Value(aCallInfo));
}
/// <summary>Assigns the next global sequence number to a pre-call so it can be retrieved later.</summary>
/// <param name="preCallInfo">Pre-call receiving the order.</param>
private void AssignFunctionCallOrderTo(INktHookCallInfo preCallInfo)
{
    // Interlocked keeps the counter consistent if callbacks arrive concurrently.
    var nextOrder = Interlocked.Increment(ref _functionCallsCount);
    // The previous value is ignored; the order is simply overwritten.
    _functionCallsOrder.Update(preCallInfo, _ => nextOrder);
}
/// <summary>Builds the model for a pre-call: no inspected parameters, no result, empty summary.</summary>
/// <param name="aPreCallInfo">Pre-call details.</param>
/// <param name="order">Global order assigned to the call.</param>
/// <returns>A <see cref="FunctionCall"/> with empty inspection data.</returns>
public static FunctionCall FromPreCall(INktHookCallInfo aPreCallInfo, int order)
{
    var noResult = InspectedParameter.Empty();
    var noParameters = new List<InspectedParameter>();
    return From(aPreCallInfo, order, noResult, noParameters, string.Empty);
}
/// <summary>Assembles a <see cref="FunctionCall"/> from the call info and already-inspected data.</summary>
/// <param name="aCallInfo">Call details (thread id, hook, and hash code).</param>
/// <param name="order">Global order assigned to the call.</param>
/// <param name="inspectedResult">Inspected return value.</param>
/// <param name="inspectedParameters">Inspected parameters.</param>
/// <param name="summary">Human-readable summary of the call.</param>
/// <returns>The assembled model.</returns>
private static FunctionCall From(INktHookCallInfo aCallInfo, int order, InspectedParameter inspectedResult, List<InspectedParameter> inspectedParameters, string summary)
{
    // The call info's hash code is passed as the first argument — presumably the call's id;
    // confirm against FunctionCall's constructor.
    var callId = aCallInfo.GetHashCode();
    var hook = aCallInfo.Hook();
    return new FunctionCall(
        callId,
        aCallInfo.ThreadId,
        order,
        hook.ModuleName(),
        hook.FunctionNameWithoutModule(),
        summary,
        inspectedParameters,
        inspectedResult);
}
/// <summary>Handles a post-call: refreshes the stored call model, then unwinds the thread's nesting depth.</summary>
/// <param name="postCallInfo">Post-call details.</param>
private void ProcessPostCall(INktHookCallInfo postCallInfo)
{
    // Update before decrementing so the depth still reflects this call while it is refreshed.
    UpdateFunctionCall(postCallInfo);
    DecrementNestedFunctionsCalledByThreadOf(postCallInfo);
}
/// <summary>Increments the nested-call depth tracked for the thread of <paramref name="aCallInfo"/>.</summary>
/// <param name="aCallInfo">Call whose thread's depth is bumped.</param>
private void IncrementNestedFunctionsCalledByThreadOf(INktHookCallInfo aCallInfo)
{
    _functionCallCountByThread.Update(aCallInfo, depth => depth + 1);
}
/// <summary>Hook handler for CreateFileW; delegates to the shared CreateFile handler.</summary>
/// <param name="callInfo">Hook call details.</param>
private void createFileWH(INktHookCallInfo callInfo) => createFileH(callInfo);
/// <summary>Inspects a call's return value; a pre-call has none yet and yields an empty parameter.</summary>
/// <param name="aCallInfo">Call whose result is inspected.</param>
/// <returns>The inspected result, or <see cref="InspectedParameter.Empty"/> for a pre-call.</returns>
private static InspectedParameter InspectResultFrom(INktHookCallInfo aCallInfo)
{
    if (aCallInfo.IsPreCall)
    {
        return InspectedParameter.Empty();
    }

    var single = new[] { aCallInfo.Result() };
    var visitor = CreateParameterInspectorFor(aCallInfo);
    visitor.Inspect(single);
    // One value in, one inspected parameter out.
    return visitor.InspectedParameters.First();
}
/// <summary>Hook handler for FindFirstFileExW; delegates to the shared FindFirstFile handler.</summary>
/// <param name="callInfo">Hook call details.</param>
private void findFirstFileExWH(INktHookCallInfo callInfo) => findFirstFileH(callInfo);
/// <summary>Hook handler for CryptDestroyKey: every call is reported, no filtering.</summary>
/// <param name="callInfo">Hook call details (unused).</param>
private void cryptDestroyKeyH(INktHookCallInfo callInfo) => intelligence.cryptDestroyKeyS();
/// <summary>Creates a parameter inspector for the hooked function behind <paramref name="callInfo"/>.</summary>
/// <param name="callInfo">Call whose hook supplies the function name.</param>
/// <returns>An inspector limited to the configured maximum inspection depth.</returns>
private static ParameterInspectorVisitor CreateParameterInspectorFor(INktHookCallInfo callInfo)
{
    var visitor = new ParameterInspectorVisitor(callInfo.Hook().FunctionName);
    // Settings are instantiated per call; the depth limit is not cached.
    visitor.Depth = new ApplicationSettings().MaximumParameterInspectionDepth;
    return visitor;
}
/// <summary>Hook handler for GetComputerNameExW; delegates to the shared GetComputerName handler.</summary>
/// <param name="callInfo">Hook call details.</param>
private void getComputerNameExWH(INktHookCallInfo callInfo) => getComputerNameH(callInfo);
/// <summary>Builds the model for a call, choosing the pre- or post-call shape from <c>IsPreCall</c>.</summary>
/// <param name="aCallInfo">Call details.</param>
/// <param name="order">Global order assigned to the call.</param>
/// <returns>The pre-call model (empty inspection data) or the fully inspected post-call model.</returns>
public static FunctionCall From(INktHookCallInfo aCallInfo, int order)
{
    if (aCallInfo.IsPreCall)
    {
        return FromPreCall(aCallInfo, order);
    }
    return FromPostCall(aCallInfo, order);
}
/// <summary>
/// Current nested-call depth for the thread of <paramref name="aCallInfo"/>; per the helper's
/// name, a missing entry is initialised rather than treated as an error.
/// </summary>
/// <param name="aCallInfo">Call whose thread's depth is read.</param>
/// <returns>The depth recorded for that thread.</returns>
private int NestedFunctionCallCountOf(INktHookCallInfo aCallInfo) => _functionCallCountByThread.ValueOrInitialize(aCallInfo);
/// <summary>Hook handler for CreateProcessW; delegates to the shared CreateProcess handler.</summary>
/// <param name="callInfo">Hook call details.</param>
private void createProcessWH(INktHookCallInfo callInfo) => createProcessH(callInfo);
/// <summary>Rebuilds the call model from post-call data and pushes it through the root-call update callback.</summary>
/// <param name="postCallInfo">Post-call details.</param>
private void UpdateFunctionCall(INktHookCallInfo postCallInfo)
{
    _dispatchRootCallUpdate(FunctionCallFrom(postCallInfo));
}