// this is where we are intercepting all named pipe creations!
        /// <summary>
        /// Hook for CreateNamedPipe: forwards the call to the real API and, when it
        /// returns a valid handle, reports the pipe name and handle through the
        /// monitoring callback. A short status trace is written to the console.
        /// </summary>
        /// <param name="lpName">Pipe name as supplied by the hooked process.</param>
        /// <param name="dwOpenMode">Open-mode flags, forwarded unchanged.</param>
        /// <param name="dwPipeMode">Pipe-mode flags, forwarded unchanged.</param>
        /// <param name="nMaxInstances">Forwarded unchanged.</param>
        /// <param name="nOutBufferSize">Forwarded unchanged.</param>
        /// <param name="nInBufferSize">Forwarded unchanged.</param>
        /// <param name="nDefaultTimeOut">Forwarded unchanged.</param>
        /// <param name="lpSecurityAttributes">Forwarded unchanged.</param>
        /// <returns>The handle returned by the real CreateNamedPipe (INVALID_HANDLE_VALUE on failure).</returns>
        public IntPtr CreateNamedPipe_Hooked(string lpName,
                                             Kernel32Support.PipeOpenModeFlags dwOpenMode,
                                             Kernel32Support.PipeModeFlags dwPipeMode,
                                             Int32 nMaxInstances, Int32 nOutBufferSize,
                                             Int32 nInBufferSize, Int32 nDefaultTimeOut,
                                             IntPtr lpSecurityAttributes)
        {
            preprocessHook();

            Console.Write("Creating pipe " + lpName);
            // call original API...
            IntPtr pipe = Kernel32Support.CreateNamedPipe(lpName, dwOpenMode, dwPipeMode, nMaxInstances, nOutBufferSize, nInBufferSize, nDefaultTimeOut, lpSecurityAttributes);

            // Failed creations are traced but never reported to the callback.
            int pipe_value = pipe.ToInt32();
            if (pipe_value == Kernel32Support.INVALID_HANDLE_VALUE)
            {
                Console.WriteLine("\tFAILURE ");
                return(pipe);
            }

            TransferUnit unit = createTransferUnit();
            unit[Color.PipeName]   = lpName;
            unit[Color.PipeHandle] = pipe_value;
            makeCallBack(unit);
            Console.WriteLine("\tSUCCESS ");

            return(pipe);
        }
        // this is where we are intercepting all named pipe connections!
        /// <summary>
        /// Hook for ConnectNamedPipe: records the server-side pipe handle, forwards the
        /// call to the real API and reports the connection through the monitoring
        /// callback when the API returned anything other than FALSE.
        /// </summary>
        /// <param name="hNamedPipe">Server-side pipe handle, forwarded unchanged.</param>
        /// <param name="lpOverlapped">OVERLAPPED pointer, forwarded unchanged.</param>
        /// <returns>The BOOL result of the real ConnectNamedPipe.</returns>
        public int ConnectNamedPipe_Hooked(IntPtr hNamedPipe, IntPtr lpOverlapped)
        {
            preprocessHook();

            // The unit is prepared before the native call so it is captured as soon as
            // the hook fires; it is only dispatched when the call did not return FALSE.
            TransferUnit unit = createTransferUnit();
            unit[Color.PipeHandle] = hNamedPipe.ToInt32();

            // call original API...
            int status = Kernel32Support.ConnectNamedPipe(hNamedPipe, lpOverlapped);

            // NOTE(review): for overlapped calls the API documents FALSE together with
            // ERROR_IO_PENDING / ERROR_PIPE_CONNECTED as non-failure outcomes; such
            // connections are not reported here — confirm whether that matters.
            if (status == Kernel32Support.FALSE)
            {
                return(status);
            }

            makeCallBack(unit);
            return(status);
        }
        // this is where we are intercepting all process handle opens!
        /// <summary>
        /// Hook for OpenProcess: captures the requested access mask, the inherit flag
        /// and the target process id, forwards the call to the real API and, when the
        /// returned handle is not NULL, reports the call (including the handle) through
        /// the monitoring callback.
        /// </summary>
        /// <param name="dwDesiredAccess">Access mask requested by the hooked process, forwarded unchanged.</param>
        /// <param name="bInheritHandle">Inherit flag, forwarded unchanged.</param>
        /// <param name="dwProcessId">Target process id, forwarded unchanged.</param>
        /// <returns>The handle returned by the real OpenProcess (NULL on failure).</returns>
        private IntPtr OpenProcess_Hooked(Kernel32Support.ProcessAccessFlags dwDesiredAccess, bool bInheritHandle, uint dwProcessId)
        {
            preprocessHook();

            TransferUnit unit = createTransferUnit();
            unit["dwDesiredAccess"] = dwDesiredAccess;
            unit["bInheritHandle"]  = bInheritHandle;
            unit["dwProcessId"]     = dwProcessId;

            // call original API through our Kernel32Support class
            IntPtr opened = Kernel32Support.OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);

            // The handle value is always recorded; only successful opens are reported.
            int opened_value = opened.ToInt32();
            unit["handle"] = opened_value;

            bool succeeded = opened_value != Kernel32Support.NULL;
            if (succeeded)
            {
                makeCallBack(unit);
            }

            return(opened);
        }
        /// <summary>
        /// Hook for ExitProcess: reports the requested exit code through the monitoring
        /// callback, prints a countdown to the console and then hands over to the real
        /// ExitProcess, which is expected to terminate the process so control normally
        /// does not come back here.
        /// </summary>
        /// <param name="uExitCode">Exit code requested by the hooked process, forwarded unchanged.</param>
        public void ExitProcess_Hooked(uint uExitCode)
        {
            preprocessHook();

            TransferUnit unit = createTransferUnit();
            unit["uExitCode"] = uExitCode;
            makeCallBack(unit);

            // NOTE(review): despite the message, this loop only prints "10 .. 1"; there is
            // no actual wait before the process exits. Confirm whether the callback needs
            // time to be delivered before ExitProcess runs.
            Console.WriteLine("Delay ExitProcess");
            const int DELAY = 10;
            for (int remaining = DELAY; remaining > 0; remaining--)
            {
                Console.Write(" " + remaining);
            }

            // call original API...
            Kernel32Support.ExitProcess(uExitCode);
        }
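        /// <summary>
        /// Hook for CreateProcessInternalW: forwards the call to the real API (adding
        /// CREATE_SUSPENDED first when the process tree is being followed) and reports
        /// the launch — std handles, application name, command line, process/thread
        /// handles and ids, creation flags — through the monitoring callback. The
        /// report is sent whether or not the native call succeeded; the returned
        /// value tells the consumer which.
        /// </summary>
        /// <param name="unknown1">Leading undocumented parameter, forwarded unchanged (presumably a token handle — confirm against the native prototype).</param>
        /// <param name="lpApplicationName">Application name as supplied; when null it is inferred from the command line for reporting only.</param>
        /// <param name="lpCommandLine">Command line, forwarded unchanged.</param>
        /// <param name="lpProcessAttributes">Forwarded unchanged.</param>
        /// <param name="lpThreadAttributes">Forwarded unchanged.</param>
        /// <param name="bInheritHandles">Forwarded unchanged.</param>
        /// <param name="dwCreationFlags">Creation flags; CREATE_SUSPENDED is OR-ed in when Configuration.FOLLOW_PROCESS_TREE is set.</param>
        /// <param name="lpEnvironment">Forwarded unchanged.</param>
        /// <param name="lpCurrentDirectory">Forwarded unchanged.</param>
        /// <param name="lpStartupInfo">Pointer to the caller's STARTUPINFO; read back for the std handles when non-null.</param>
        /// <param name="lpProcessInformation">Pointer to the caller's PROCESS_INFORMATION; read back for handles and ids when non-null.</param>
        /// <param name="unknown2">Trailing undocumented parameter, forwarded unchanged (presumably a token handle — confirm against the native prototype).</param>
        /// <returns>The BOOL result of the real CreateProcessInternalW; FALSE when the native call threw.</returns>
        private int CreateProcessInternalW_Hooked(Int32 unknown1, string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, Kernel32Support.ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, IntPtr lpStartupInfo, IntPtr lpProcessInformation, Int32 unknown2)
        {
            preprocessHook();

            // Start the child suspended so the monitor can attach before it runs its
            // first instruction. The child is not resumed in this method.
            if (Configuration.FOLLOW_PROCESS_TREE)
            {
                dwCreationFlags |= Kernel32Support.ProcessCreationFlags.CREATE_SUSPENDED;
            }

            // call original API through our Kernel32Support class
            int result = Kernel32Support.FALSE;
            try
            {
                result = Kernel32Support.CreateProcessInternalW(unknown1, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, unknown2);
            }
            catch (Exception ex)
            {
                // Keep the hooked process alive; record what went wrong instead of
                // letting the exception escape through the hook.
                Console.WriteLine("Failed to launch subprocess");
                Console.WriteLine(ex);
            }

            // The caller-owned structures are only read back when the pointers are
            // non-null: dereferencing a NULL pointer here would crash the hooked process.
            IntPtr he = IntPtr.Zero, ho = IntPtr.Zero, hi = IntPtr.Zero;
            IntPtr h_process = IntPtr.Zero, h_thread = IntPtr.Zero;
            Int32 dwProcessId = 0, dwThreadId = 0;

            unsafe
            {
                if (lpStartupInfo != IntPtr.Zero)
                {
                    Kernel32Support.STARTUPINFO *startup_info = (Kernel32Support.STARTUPINFO *)lpStartupInfo.ToPointer();
                    he = startup_info->hStdError;
                    ho = startup_info->hStdOutput;
                    hi = startup_info->hStdInput;
                }
                if (lpProcessInformation != IntPtr.Zero)
                {
                    Kernel32Support.PROCESS_INFORMATION *process_info = (Kernel32Support.PROCESS_INFORMATION *)lpProcessInformation.ToPointer();
                    h_process   = process_info->hProcess;
                    h_thread    = process_info->hThread;
                    dwProcessId = process_info->dwProcessId;
                    dwThreadId  = process_info->dwThreadId;
                }
            }

            TransferUnit transfer_unit = createTransferUnit();

            // NOTE(review): std handles are reported as found in STARTUPINFO; whether the
            // child actually uses them depends on the caller's STARTF flags — confirm on
            // the consumer side if this matters.
            transfer_unit[Color.StdErrHandle] = he.ToInt32();
            transfer_unit[Color.StdOutHandle] = ho.ToInt32();
            transfer_unit[Color.StdInHandle]  = hi.ToInt32();

            // Fall back to the first command-line token when no explicit application
            // name was given. Failing to infer one is logged rather than thrown: an
            // exception escaping a hook would take down the monitored process and leave
            // an already-created (possibly suspended) child behind.
            if ((lpApplicationName == null) && (lpCommandLine != null))
            {
                lpApplicationName = inferApplicationName(lpCommandLine);
                if (lpApplicationName == null)
                {
                    Console.WriteLine("Hook_CreateProcessInternalW Can not infer application name");
                }
            }

            transfer_unit[Color.ApplicationName]      = lpApplicationName;
            transfer_unit[Color.CommandLine]          = lpCommandLine;
            transfer_unit[Color.ProcessHandle]        = h_process.ToInt32();
            transfer_unit[Color.FirstThreadHandle]    = h_thread.ToInt32();
            transfer_unit[Color.ProcessId]            = dwProcessId;
            transfer_unit[Color.FirstThreadId]        = dwThreadId;
            // Reported flags include the CREATE_SUSPENDED injected above, not only what the caller asked for.
            transfer_unit[Color.ProcessCreationFlags] = dwCreationFlags;

            // Sent even when result == FALSE so that refused launches are visible too.
            makeCallBack(transfer_unit);

            return(result);
        }

        /// <summary>
        /// Returns the file name of the first command-line token, or null when the
        /// command line yields no tokens.
        /// </summary>
        /// <param name="lpCommandLine">Raw command line to split.</param>
        /// <returns>File name of the first token, or null.</returns>
        private static string inferApplicationName(string lpCommandLine)
        {
            string[] command_lines = APIMonLib.Hooks.shell32.dll.Shell32DllSupport.CommandLineToArgs(lpCommandLine);
            if (command_lines == null || command_lines.Length == 0)
            {
                return null;
            }
            return System.IO.Path.GetFileName(command_lines[0]);
        }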