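/// <summary>
/// Callback for the CreateFileW hook. On the post-call pass it records the handle that the real
/// CreateFileW returned together with the lpFileName argument in <c>handleMap</c>, so that the
/// WriteFile/CloseHandle callbacks can resolve a handle back to the path it was opened with.
/// </summary>
/// <param name="hookInfo">Hook descriptor; only FunctionName and Address are read, for tracing.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <param name="callInfo">Call context; Result() and Params() are read, nothing on it is modified.</param>
/// <returns>Always 0.</returns>
public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
    try
    {
        // The handle only exists once the real CreateFileW has run, so the pre-call pass is ignored.
        if (callInfo.IsPreCall == false)
        {
            IntPtr fileHandle = callInfo.Result().SizeTVal;
            System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileHandle.ToString());
            // (IntPtr)(-1) is INVALID_HANDLE_VALUE, CreateFileW's failure value; zero is rejected as well.
            if (fileHandle != (IntPtr)(-1) && fileHandle != IntPtr.Zero)
            {
                // Parameter 0 of CreateFileW is lpFileName; ReadString() is the engine's accessor for it.
                string fileName = callInfo.Params().GetAt(0).ReadString();
                System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileName);
                // IsNullOrEmpty rather than fileName.Length > 0: a null from ReadString() would
                // otherwise throw here and be swallowed by the catch below, losing the mapping silently.
                if (!string.IsNullOrEmpty(fileName))
                {
                    lock (handleMap)
                    {
                        handleMap[fileHandle] = fileName;
                    }
                }
            }
        }
    }
    catch (System.Exception ex)
    {
        // Log and swallow so the callback always returns normally to the hook engine.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}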
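/// <summary>
/// Callback for the WriteFile hook. On the pre-call pass it looks the hFile argument up in
/// <c>handleMap</c> and, when the handle was recorded by OnCreateFileW, attaches the path to the
/// call as a custom "WriteFile" string.
/// </summary>
/// <param name="hookInfo">Hook descriptor; only FunctionName and Address are read, for tracing.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <param name="callInfo">Call context; Params() is read and AddString() is called on it.</param>
/// <returns>Always 0.</returns>
public int OnWriteFile(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnWriteFile called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
    try
    {
        if (callInfo.IsPreCall)
        {
            // Parameter 0 of WriteFile is hFile.
            IntPtr fileHandle = callInfo.Params().GetAt(0).SizeTVal;
            string fileName;
            bool isKnownHandle;
            lock (handleMap)
            {
                isKnownHandle = handleMap.TryGetValue(fileHandle, out fileName);
            }
            // Call back into the hook engine outside the lock: the lookup result is a local copy,
            // so there is no reason to hold handleMap while AddString runs.
            if (isKnownHandle)
            {
                callInfo.AddString("WriteFile", fileName);
            }
        }
    }
    catch (System.Exception ex)
    {
        // Log and swallow so the callback always returns normally to the hook engine.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}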
/// <summary>
/// Tells the hook engine which method of this plugin handles a given hook. Only the
/// XpsServices.dll!IXpsOMPageReference::SetPage hook is routed (to OnIXpsOMPageReferenceSetPage);
/// every other hook gets an empty name.
/// </summary>
/// <param name="hookInfo">Hook descriptor; its FunctionName is compared case-insensitively.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <returns>The callback method name, or "" when this plugin has no handler for the hook.</returns>
public string GetFunctionCallbackName(INktHookInfo hookInfo, int chainIndex)
{
    const string setPageHook = "XpsServices.dll!IXpsOMPageReference::SetPage";
    bool isSetPage = hookInfo.FunctionName.Equals(setPageHook, StringComparison.OrdinalIgnoreCase);
    return isSetPage ? "OnIXpsOMPageReferenceSetPage" : "";
}
/// <summary>
/// Generic hook dispatcher: forwards MapViewOfFile calls to MapViewOfFileHook and ignores
/// everything else.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName is compared exactly (ordinal, case-sensitive).</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <param name="callInfo">Call context handed through to MapViewOfFileHook.</param>
/// <returns>Always 0.</returns>
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    // NOTE(review): the compare is against the bare name "MapViewOfFile"; other samples on this
    // page switch on module-qualified names such as "KERNEL32.DLL!CREATEFILEW" — confirm which
    // form the engine reports here, otherwise this branch never fires.
    bool isMapViewOfFile = string.Equals(hookInfo.FunctionName, "MapViewOfFile");
    if (isMapViewOfFile)
    {
        MapViewOfFileHook(hookInfo, callInfo);
    }
    return 0;
}
/// <summary>
/// Generic hook dispatcher: only MapViewOfFile is handled, via MapViewOfFileHook; any other
/// hooked function is a no-op.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName is compared exactly (ordinal, case-sensitive).</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <param name="callInfo">Call context handed through to MapViewOfFileHook.</param>
/// <returns>Always 0.</returns>
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    if (hookInfo.FunctionName != "MapViewOfFile")
    {
        return 0;
    }
    // NOTE(review): bare name compare; confirm the engine does not report "KERNEL32.DLL!..."-style
    // names here, as other samples on this page expect.
    MapViewOfFileHook(hookInfo, callInfo);
    return 0;
}
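/// <summary>
/// Post-call handler for MapViewOfFile: reads the first byte of the returned view, decodes it as
/// UTF-8 and writes it to the trace output.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <param name="callInfo">Call context; Result().PointerVal is the view base address.</param>
/// <returns>Always 0.</returns>
public int MapViewOfFileHook(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    IntPtr address = callInfo.Result().PointerVal;
    // MapViewOfFile returns NULL on failure; Marshal.Copy rejects IntPtr.Zero with an
    // ArgumentNullException, so bail out before touching memory.
    if (address == IntPtr.Zero)
    {
        return 0;
    }
    byte[] buffer = new byte[1];
    Marshal.Copy(address, buffer, 0, 1);
    // Write the decoded string itself. The original passed a char[] to Trace.Write, which binds to
    // the object overload and prints "System.Char[]" instead of the character.
    // (A single byte >= 0x80 is not valid UTF-8 on its own and decodes to the replacement char.)
    string text = System.Text.Encoding.UTF8.GetString(buffer);
    Trace.Write(text);
    return 0;
}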
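/// <summary>
/// Maps the four kernel32 file hooks (CreateFileW, ReadFile, WriteFile, CloseHandle) to the
/// plugin methods that handle them. Unknown hooks get an empty name.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName is matched case-insensitively.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <returns>The callback method name, or "" when this plugin has no handler for the hook.</returns>
public string GetFunctionCallbackName(INktHookInfo hookInfo, int chainIndex)
{
    string functionName = hookInfo.FunctionName;
    if (functionName == null)
    {
        return "";
    }
    // ToUpperInvariant, not ToUpper: the latter uses the thread's culture, and e.g. under a Turkish
    // locale "createfilew" does not upper-case to "CREATEFILEW", so the switch would silently miss.
    switch (functionName.ToUpperInvariant())
    {
        case "KERNEL32.DLL!CREATEFILEW":
            return "OnCreateFileW";
        case "KERNEL32.DLL!READFILE":
            return "OnReadFile";
        case "KERNEL32.DLL!WRITEFILE":
            return "OnWriteFile";
        case "KERNEL32.DLL!CLOSEHANDLE":
            return "OnCloseHandle";
        default:
            return "";
    }
}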
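/// <summary>
/// Post-call handler for MapViewOfFile: peeks at the first byte of the mapped view and traces it
/// as UTF-8 text.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <param name="callInfo">Call context; Result().PointerVal is the view base address.</param>
/// <returns>Always 0.</returns>
public int MapViewOfFileHook(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    IntPtr viewBase = callInfo.Result().PointerVal;
    // A NULL result means the mapping failed; Marshal.Copy would throw ArgumentNullException on it.
    if (viewBase != IntPtr.Zero)
    {
        byte[] firstByte = new byte[1];
        Marshal.Copy(viewBase, firstByte, 0, 1);
        // Trace the decoded string, not the char[]: Trace.Write(char[]) resolves to Trace.Write(object)
        // and emits "System.Char[]" rather than the character.
        Trace.Write(System.Text.Encoding.UTF8.GetString(firstByte));
    }
    return 0;
}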
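/// <summary>
/// Resolves a hooked kernel32 file function to the plugin method that handles it:
/// CreateFileW, ReadFile, WriteFile and CloseHandle. Anything else yields an empty name.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName is matched case-insensitively.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <returns>The callback method name, or "" when this plugin has no handler for the hook.</returns>
public string GetFunctionCallbackName(INktHookInfo hookInfo, int chainIndex)
{
    // Ordinal, case-insensitive compares replace the original ToUpper() switch, which was
    // culture-sensitive (a Turkish-locale ToUpper() would never produce "CREATEFILEW").
    // string.Equals also tolerates a null FunctionName instead of throwing.
    string name = hookInfo.FunctionName;
    if (string.Equals(name, "kernel32.dll!CreateFileW", StringComparison.OrdinalIgnoreCase))
    {
        return "OnCreateFileW";
    }
    if (string.Equals(name, "kernel32.dll!ReadFile", StringComparison.OrdinalIgnoreCase))
    {
        return "OnReadFile";
    }
    if (string.Equals(name, "kernel32.dll!WriteFile", StringComparison.OrdinalIgnoreCase))
    {
        return "OnWriteFile";
    }
    if (string.Equals(name, "kernel32.dll!CloseHandle", StringComparison.OrdinalIgnoreCase))
    {
        return "OnCloseHandle";
    }
    return "";
}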
/// <summary>
/// Scans a freshly mapped view with LookForMalware and, when it is flagged, hides the mapping
/// from the caller: the result becomes NULL, LastError is set to 2 (ERROR_FILE_NOT_FOUND) and the
/// call is skipped. A "has_malware" byte (1 or 0) is attached to the call either way.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="callInfo">Call context; Result() and parameter 4 are read, Result/LastError may be overwritten.</param>
private void MapViewOfFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
{
    IntPtr viewBase = callInfo.Result().PointerVal;
    // Parameter 4 of MapViewOfFile is dwNumberOfBytesToMap (SIZE_T), read as a pointer-sized value
    // and widened to ulong. Original note: the scanner treats the length as int, so views larger
    // than 2^32 - 1 bytes are not handled, and native array indices are int-limited anyway.
    IntPtr viewLength = callInfo.Params().GetAt(4).PointerVal;
    bool flagged = LookForMalware(viewBase, (ulong)viewLength);
    if (!flagged)
    {
        callInfo.AddByte("has_malware", 0);
        return;
    }
    // NOTE(review): Result() (post-call data) is read above, yet SkipCall() is also issued; whether
    // the engine honours a skip at that point is not visible here — confirm against the plugin API.
    callInfo.AddByte("has_malware", 1);
    callInfo.Result().PointerVal = IntPtr.Zero;
    callInfo.LastError = 2;
    callInfo.SkipCall();
}
//called when a hooked function is called
/// <summary>
/// Walks the parameters of the hooked call and attaches every HKEY-typed one (after dereferencing
/// pointer parameters) to the call as "param#N", plus a fixed "sample name" tag.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <param name="callInfo">Call context; Params() is read, AddString/AddSizeT are called on it.</param>
/// <returns>Always 0.</returns>
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine("MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
    callInfo.AddString("sample name", "HKEY extractor sample");
    INktParamsEnum parameters = callInfo.Params();
    for (int index = 0; index < parameters.Count; index++)
    {
        INktParam param = parameters.GetAt(index);
        // Evaluate() presumably dereferences a pointer parameter; a null result is tolerated below.
        if (param.IsPointer)
        {
            param = param.Evaluate();
        }
        bool isRegistryKey = param != null && param.TypeName == "HKEY";
        if (!isRegistryKey)
        {
            continue;
        }
        callInfo.AddSizeT("param#" + index.ToString(), param.SizeTVal);
    }
    return 0;
}
//called when a hooked function is called
/// <summary>
/// HKEY extractor: tags the call with "sample name" and then records the value of each parameter
/// whose (dereferenced) type is HKEY as "param#N" on the call.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <param name="callInfo">Call context; Params() is read, AddString/AddSizeT are called on it.</param>
/// <returns>Always 0.</returns>
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string banner = "MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(banner);
    callInfo.AddString("sample name", "HKEY extractor sample");
    INktParamsEnum parameters = callInfo.Params();
    int position = 0;
    while (position < parameters.Count)
    {
        INktParam current = parameters.GetAt(position);
        // Pointer parameters are evaluated first; Evaluate() may yield null, which is skipped.
        INktParam resolved = current.IsPointer ? current.Evaluate() : current;
        if (resolved != null && resolved.TypeName == "HKEY")
        {
            callInfo.AddSizeT("param#" + position.ToString(), resolved.SizeTVal);
        }
        position++;
    }
    return 0;
}
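/// <summary>
/// Callback for the IXpsOMPageReference::SetPage hook. When the immediate caller is d2d1.dll or
/// mshtml.dll, it recovers the IXpsOMPage* argument from the registers/stack, wraps it as a COM
/// object and hands it to AddWatermark. The event is then filtered from the spy manager.
/// </summary>
/// <param name="lpHookInfo">Hook descriptor; not used.</param>
/// <param name="dwChainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <param name="lpHookCallInfoPlugin">Call context; stack trace and registers are read from it.</param>
/// <returns>Always 0.</returns>
public int OnIXpsOMPageReferenceSetPage(INktHookInfo lpHookInfo, int dwChainIndex, INktHookCallInfoPlugin lpHookCallInfoPlugin)
{
    System.Diagnostics.Trace.WriteLine("IEPrintWaterMarkhelperCS: OnIXpsOMPageReferenceSetPage");
    try
    {
        // Module(0) of the call stack is the module that called SetPage. Ordinal, case-insensitive
        // suffix compares replace the original ToLower()+EndsWith, which was culture-sensitive.
        var callerModule = lpHookCallInfoPlugin.StackTrace().Module(0);
        string callerName = callerModule.Name;
        bool fromD2d1 = callerName.EndsWith("d2d1.dll", StringComparison.OrdinalIgnoreCase);
        bool fromMshtml = callerName.EndsWith("mshtml.dll", StringComparison.OrdinalIgnoreCase);
        if (fromD2d1 || fromMshtml)
        {
            System.Diagnostics.Trace.WriteLine(string.Format("calling module: {0}", callerName.ToLowerInvariant()));
            // Locate the `page` argument of SetPage(IXpsOMPage* page). This reads the raw register
            // state, so it assumes the callback runs pre-call, at function entry (no IsPreCall check
            // here — confirm):
            //   x86 (stdcall COM): [esp] = return address, [esp+4] = this, [esp+8] = page.
            //   x64: this in RCX, first argument (page) in RDX.
            IntPtr pagePtr;
            if (IntPtr.Size == 4)
            {
                pagePtr = lpHookCallInfoPlugin.get_Register(eNktRegister.asmRegEsp);
                pagePtr = new IntPtr(pagePtr.ToInt32() + 8);
                pagePtr = (IntPtr)Marshal.PtrToStructure(pagePtr, typeof(IntPtr));
            }
            else
            {
                pagePtr = lpHookCallInfoPlugin.get_Register(eNktRegister.asmRegRdx);
            }
            // ToInt64() so the {0:x} format is actually honoured; on older runtimes IntPtr is not
            // IFormattable and string.Format would print it in decimal despite the "0x" prefix.
            System.Diagnostics.Trace.WriteLine(string.Format("lpPage=0x{0:x}", pagePtr.ToInt64()));
            MSXPS.IXpsOMPage page = (MSXPS.IXpsOMPage)Marshal.GetObjectForIUnknown(pagePtr);
            AddWatermark(page);
        }
        lpHookCallInfoPlugin.FilterSpyMgrEvent();
    }
    catch (Exception e)
    {
        // Bug fix: the original wrote string.Format("EXCEPTION: {0}") + e.Message — a "{0}" with no
        // argument throws FormatException inside the handler, so the real exception was never logged.
        System.Diagnostics.Trace.WriteLine(string.Format("EXCEPTION: {0}", e));
    }
    return 0;
}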
/// <summary>
/// Handler slot for the OpenFileMappingW hook. Currently a no-op: nothing is read from or
/// written to <paramref name="callInfo"/>.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="callInfo">Call context; not used.</param>
private void OpenFileMappingWHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
{
    // No-op stub; no handling is implemented for OpenFileMappingW.
}
/// <summary>
/// Handler slot for the CloseHandle hook. Currently a no-op: nothing is read from or written to
/// <paramref name="callInfo"/>.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="callInfo">Call context; not used.</param>
private void CloseHandleHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
{
    // No-op stub; no handling is implemented for CloseHandle.
}
/// <summary>
/// Handler slot for the ReadFile hook. Currently a no-op: nothing is read from or written to
/// <paramref name="callInfo"/>.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="callInfo">Call context; not used.</param>
private void ReadFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
{
    // No-op stub; no handling is implemented for ReadFile.
}
/// <summary>
/// Handler slot for the CreateFileW hook. Currently a no-op: nothing is read from or written to
/// <paramref name="callInfo"/>.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="callInfo">Call context; not used.</param>
private void CreateFileWHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
{
    // No-op stub; no handling is implemented for CreateFileW.
}
//called when a hooked function is called
/// <summary>
/// Generic per-call entry point required by the plugin interface. This plugin routes its hooks
/// through named callbacks instead, so the generic entry point does nothing.
/// </summary>
/// <param name="hookInfo">Hook descriptor; not used.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; not used.</param>
/// <param name="callInfo">Call context; not used.</param>
/// <returns>Always 0.</returns>
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    // Unused: intentionally no per-call processing here.
    return 0;
}
/// <summary>
/// Callback for the CloseHandle hook. On the pre-call pass it forgets the hObject argument in
/// <c>handleMap</c>, presumably so a later reuse of the same handle value cannot resolve to the
/// old path.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <param name="callInfo">Call context; only Params() is read.</param>
/// <returns>Always 0.</returns>
public int OnCloseHandle(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string banner = "MyFilePlugin::OnCloseHandle called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(banner);
    try
    {
        bool beforeCall = callInfo.IsPreCall;
        if (beforeCall)
        {
            // Parameter 0 of CloseHandle is hObject.
            IntPtr closingHandle = callInfo.Params().GetAt(0).SizeTVal;
            lock (handleMap)
            {
                handleMap.Remove(closingHandle);
            }
        }
    }
    catch (System.Exception ex)
    {
        // Log and swallow so the callback always returns normally to the hook engine.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}
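//called when a hook is detached from this plugin
/// <summary>
/// Hook-detached notification. Only traces the event; no state is touched.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <returns>Always 0.</returns>
public int OnHookRemoved(INktHookInfo hookInfo, int chainIndex)
{
    // Bug fix: the message used to say "OnHookAdded called", a copy-paste leftover that made the
    // trace log report a detach as an attach.
    System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnHookRemoved called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
    return 0;
}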
//called when a hooked function is called
/// <summary>
/// Generic per-call entry point. This plugin only traces the call here; the real work happens in
/// the named callbacks.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <param name="callInfo">Call context; not used.</param>
/// <returns>Always 0.</returns>
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string banner = "MyFilePlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(banner);
    return 0;
}
//called when a hook is detached from this plugin
/// <summary>
/// Hook-detached notification for the IEPrintWatermarkHelperCS plugin. Traces the event only.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <returns>Always 0.</returns>
public int OnHookRemoved(INktHookInfo hookInfo, int chainIndex)
{
    string banner = "IEPrintWatermarkHelperCS OnHookRemoved called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(banner);
    return 0;
}
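//called when a hook is detached from this plugin
/// <summary>
/// Hook-detached notification for the registry plugin. Traces the event; no state is touched.
/// </summary>
/// <param name="hookInfo">Hook descriptor; FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <returns>Always 0.</returns>
public int OnHookRemoved(INktHookInfo hookInfo, int chainIndex)
{
    // Bug fix: the trace text said "OnHookAdded called" inside OnHookRemoved (copy-paste leftover),
    // so detach events were logged as attach events.
    string banner = "MyRegistryPlugin::OnHookRemoved called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(banner);
    return 0;
}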
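/// <summary>
/// Callback for the CreateFileW hook. After the real call has returned, it associates the new
/// handle with the lpFileName argument in <c>handleMap</c> so the WriteFile/CloseHandle callbacks
/// can map a handle back to its path.
/// </summary>
/// <param name="hookInfo">Hook descriptor; only FunctionName and Address are read, for tracing.</param>
/// <param name="chainIndex">Position of this plugin in the hook's plugin chain; traced only.</param>
/// <param name="callInfo">Call context; Result() and Params() are read, nothing on it is modified.</param>
/// <returns>Always 0.</returns>
public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string banner = "MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(banner);
    try
    {
        // Nothing to record on the pre-call pass: the handle does not exist yet.
        if (callInfo.IsPreCall)
        {
            return 0;
        }
        IntPtr newHandle = callInfo.Result().SizeTVal;
        System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + newHandle.ToString());
        // INVALID_HANDLE_VALUE ((IntPtr)(-1)) is CreateFileW's failure value; zero is rejected too.
        bool usableHandle = newHandle != (IntPtr)(-1) && newHandle != IntPtr.Zero;
        if (!usableHandle)
        {
            return 0;
        }
        // Parameter 0 of CreateFileW is lpFileName; ReadString() is the engine's accessor for it.
        string path = callInfo.Params().GetAt(0).ReadString();
        System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + path);
        // IsNullOrEmpty instead of path.Length > 0: a null from ReadString() would otherwise throw
        // here and be swallowed by the catch below, silently dropping the mapping.
        if (!string.IsNullOrEmpty(path))
        {
            lock (handleMap)
            {
                handleMap[newHandle] = path;
            }
        }
    }
    catch (System.Exception ex)
    {
        // Log and swallow so the callback always returns normally to the hook engine.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}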