//Checks entropy of buffer, and that path is not REG or appdata private void writeFileH(INktHookCallInfo callInfo) { //Get written path from file handle NktTools tool = new NktTools(); string path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process()); //If path is relevant check entropy if (!path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase) && !path.Contains("\\REGISTRY\\")) { INktParam pBuf = callInfo.Params().GetAt(1); //Data to write INktParam pBytes = callInfo.Params().GetAt(2); //Length of data uint bytesToWrite = pBytes.ULongVal; double entropy = 0; if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0) { INktProcessMemory procMem = process.Memory(); byte[] buffer = new byte[bytesToWrite]; GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned); IntPtr pDest = pinnedBuffer.AddrOfPinnedObject(); procMem.ReadMem(pDest, pBuf.PointerVal, (IntPtr)bytesToWrite); pinnedBuffer.Free(); var str = System.Text.Encoding.UTF8.GetString(buffer); //Get per-byte entropy entropy = getEntropy(buffer); } if (entropy > 6) { intelligence.writeFileS(); } } }
static void OnSocket(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo); if (report == null) { return; } var param = new ConnectionParameter(); int len = callInfo.Params().GetAt(2).LongVal; byte[] buf = new byte[len]; GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned); IntPtr p = h.AddrOfPinnedObject(); var add = callInfo.Params().GetAt(1); INktProcessMemory mem = add.Memory(); mem.ReadMem(p, add.PointerVal, (IntPtr)len); h.Free(); report.ID = hook.FunctionName.Contains("bind") ? APIID.SocketBind : APIID.SocketConnect; param.Port = (ushort)(buf[2] * 256 + buf[3]); param.IP = String.Format("{0}.{1}.{2}.{3}", buf[4].ToString("D3"), buf[5].ToString("D3"), buf[6].ToString("D3"), buf[7].ToString("D3")); param.Server = hook.FunctionName.Contains("bind") ? true : false; report.ID = param.Server ? APIID.SocketBind : APIID.SocketConnect; report.Parameter = param; Reports.Enqueue(report); }
byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr) { byte[] buffer = null; uint valueSize; if (sizeAndTypeArePtr) { if (paramSize.IsNullPointer == false) { valueSize = paramSize.Evaluate().ULongVal; } else { valueSize = 0; } } else { valueSize = paramSize.ULongVal; } if (paramData.IsNullPointer == false) { //if (paramData.PointerVal != IntPtr.Zero) if (!paramData.PointerVal.Equals(IntPtr.Zero)) { INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid); //var buffer = new byte[valueSize]; buffer = new byte[valueSize]; GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned); IntPtr pDest = pinnedBuffer.AddrOfPinnedObject(); //Int64 bytesReaded = procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize).ToInt64(); //Int64 bytesReaded = procMem.ReadMem((int) pDest, (int)paramData.PointerVal, (int) valueSize).ToInt64(); Int64 bytesReaded = procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize).ToInt64(); pinnedBuffer.Free(); /* valueData = ""; * for (int i = 0; i < bytesReaded; i++) * { * if (i != 0) * valueData += " "; * valueData += Convert.ToByte(buffer[i]).ToString("X2"); * }*/ } } return(buffer); }
static void OnRegSetValue(NktHook hook, NktProcess process, NktHookCallInfo callInfo) { var report = Base(APIType.HandleConsuming, APICategory.Registry, APIID.RegSetValue, hook, process, callInfo); if (report == null) { return; } var param = new RegSetValueParameter(); param.Handle = callInfo.Params().GetAt(0).SizeTVal; param.Value = callInfo.Params().GetAt(1).IsNullPointer ? "Default" : callInfo.Params().GetAt(1).ReadString(); string data = ""; uint type, len; INktParam pData; if (hook.FunctionName.Contains("Ex")) { type = callInfo.Params().GetAt(3).ULongVal; len = callInfo.Params().GetAt(5).ULongVal; pData = callInfo.Params().GetAt(4); } else { type = callInfo.Params().GetAt(2).ULongVal; len = callInfo.Params().GetAt(4).ULongVal; pData = callInfo.Params().GetAt(3); } if (!pData.IsNullPointer) { switch (type) { case 1: case 2: case 7: byte[] buf = new byte[len]; GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned); IntPtr p = h.AddrOfPinnedObject(); INktProcessMemory mem = pData.Memory(); mem.ReadMem(p, pData.PointerVal, (IntPtr)len); h.Free(); if (hook.FunctionName.Contains("W")) { data = Encoding.Unicode.GetString(buf, 0, (int)len); } else { data = Encoding.ASCII.GetString(buf, 0, (int)len); } break; case 3: case 4: data = pData.Evaluate().ULongVal.ToString(); break; } } data = data.Replace('\0', ' '); data = data.Trim(); param.Type = type; param.Data = data; report.Parameter = param; Reports.Enqueue(report); }