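/// <summary>
/// Hook callback shared by the connect()/bind() hooks: copies the sockaddr the
/// hooked process passed as its second argument, decodes port and IPv4 address
/// into a <see cref="ConnectionParameter"/> and enqueues the report.
/// Parameters are read as (socket, name, namelen).
/// </summary>
/// <param name="hook">The hook that fired; a FunctionName containing "bind" marks the call as a server-side bind.</param>
/// <param name="process">The hooked process.</param>
/// <param name="callInfo">Call context giving access to the call parameters and the target's memory.</param>
static void OnSocket(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    // namelen is supplied by the monitored process and must be treated as
    // untrusted: a negative or short value would otherwise throw on the
    // allocation or on the buf[2..7] reads below, and an absurdly large one
    // would allocate whatever the caller asked for. Only the first 8 bytes are
    // decoded, so the copy is capped at the size of a sockaddr_storage.
    const int MinSockAddrLen = 8;
    const int MaxSockAddrLen = 128;
    int len = callInfo.Params().GetAt(2).LongVal;
    if (len < MinSockAddrLen)
    {
        return;
    }
    if (len > MaxSockAddrLen)
    {
        len = MaxSockAddrLen;
    }

    var address = callInfo.Params().GetAt(1);
    if (address.IsNullPointer)
    {
        return;
    }

    byte[] buf = new byte[len];
    GCHandle pinned = GCHandle.Alloc(buf, GCHandleType.Pinned);
    try
    {
        // Read straight into the pinned managed buffer from the target process.
        INktProcessMemory mem = address.Memory();
        mem.ReadMem(pinned.AddrOfPinnedObject(), address.PointerVal, (IntPtr)len);
    }
    finally
    {
        // Always unpin, even if the cross-process read throws.
        pinned.Free();
    }

    // Decoded as sockaddr_in: bytes 2-3 hold the port in network (big-endian)
    // byte order, bytes 4-7 the IPv4 address. The family field (bytes 0-1) is
    // not inspected, so an AF_INET6 sockaddr would be mis-decoded — TODO confirm
    // whether IPv6 connections need to be reported.
    bool isBind = hook.FunctionName.Contains("bind");
    var param = new ConnectionParameter();
    param.Port = (ushort)(buf[2] * 256 + buf[3]);
    // Octets are zero-padded to three digits (e.g. 010.000.000.001); kept as the
    // established report format.
    param.IP = String.Format("{0}.{1}.{2}.{3}", buf[4].ToString("D3"), buf[5].ToString("D3"), buf[6].ToString("D3"), buf[7].ToString("D3"));
    param.Server = isBind;

    report.ID = isBind ? APIID.SocketBind : APIID.SocketConnect;
    report.Parameter = param;
    Reports.Enqueue(report);
}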
/// <summary>
/// Hook callback for ShellExecute and ShellExecuteEx: captures the file,
/// parameters and working directory of the launched item and enqueues a
/// <see cref="ShellExecuteParameter"/> report.
/// </summary>
/// <param name="hook">The hook that fired; a FunctionName containing "teEx" selects the ShellExecuteEx layout.</param>
/// <param name="process">The hooked process.</param>
/// <param name="callInfo">Call context giving access to the call parameters.</param>
static void OnShellExecute(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.ShellExecute, hook, process, callInfo);
    if (report == null)
    {
        return;
    }
    report.ID = APIID.ShellExecute;

    var param = new ShellExecuteParameter();
    bool isExVariant = hook.FunctionName.Contains("teEx");
    if (isExVariant)
    {
        // ShellExecuteEx takes a single SHELLEXECUTEINFO*; fields 4, 5 and 6 of
        // the dereferenced struct are read as file, parameters and directory.
        INktParam info = callInfo.Params().GetAt(0).Evaluate();
        var fields = info.Fields();
        var fileField = fields.GetAt(4);
        var paramsField = fields.GetAt(5);
        var dirField = fields.GetAt(6);

        // Null pointers are reported as empty strings rather than dereferenced.
        param.Name = fileField.IsNullPointer ? "" : fileField.ReadString();
        param.Parameters = paramsField.IsNullPointer ? "" : paramsField.ReadString();
        param.Directory = dirField.IsNullPointer ? "" : dirField.ReadString();
    }
    else
    {
        // Plain ShellExecute: arguments 2, 3 and 4 are read as file, parameters
        // and directory.
        var args = callInfo.Params();
        var fileArg = args.GetAt(2);
        var paramsArg = args.GetAt(3);
        var dirArg = args.GetAt(4);

        param.Name = fileArg.IsNullPointer ? "" : fileArg.ReadString();
        param.Parameters = paramsArg.IsNullPointer ? "" : paramsArg.ReadString();
        param.Directory = dirArg.IsNullPointer ? "" : dirArg.ReadString();
    }

    report.Parameter = param;
    Reports.Enqueue(report);
}
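/// <summary>
/// Hook callback for FindFirstFile: records the search pattern (first argument)
/// in a <see cref="FindFirstFileParameter"/> report and enqueues it.
/// </summary>
/// <param name="hook">The hook that fired.</param>
/// <param name="process">The hooked process.</param>
/// <param name="callInfo">Call context giving access to the call parameters.</param>
static void OnFindFirstFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.FindFirstFile, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    // The hooked process may pass a NULL file name; report it as an empty
    // string instead of attempting to read through the null pointer.
    var fileNameArg = callInfo.Params().GetAt(0);
    var param = new FindFirstFileParameter();
    param.FileName = fileNameArg.IsNullPointer ? "" : fileNameArg.ReadString();

    report.Parameter = param;
    Reports.Enqueue(report);
}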
/// <summary>
/// Hook callback for SetWindowsHook(Ex): records the requested hook type
/// (first argument, presumably idHook — verify against the hooked signature)
/// in a <see cref="SetWindowsHookParameter"/> report and enqueues it.
/// </summary>
/// <param name="hook">The hook that fired.</param>
/// <param name="process">The hooked process.</param>
/// <param name="callInfo">Call context giving access to the call parameters.</param>
static void OnSetWindowsHook(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SetWindowsHook, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    int hookType = callInfo.Params().GetAt(0).LongVal;
    var param = new SetWindowsHookParameter();
    param.HookType = hookType;

    report.ID = APIID.SetWindowsHook;
    report.Parameter = param;
    Reports.Enqueue(report);
}
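/// <summary>
/// Hook callback for URLDownloadToFile: records the source URL (second
/// argument) and destination path (third argument) in a
/// <see cref="UrlDownloadToFileParameter"/> report and enqueues it.
/// </summary>
/// <param name="hook">The hook that fired.</param>
/// <param name="process">The hooked process.</param>
/// <param name="callInfo">Call context giving access to the call parameters.</param>
static void OnUrlDownloadToFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    // Pass the correct id to Base so the report is created with it directly
    // instead of being built as a SocketConnect and patched afterwards.
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.UrlDownloadToFile, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    // Both string arguments come from the monitored process; a NULL pointer is
    // reported as an empty string rather than read.
    var args = callInfo.Params();
    var urlArg = args.GetAt(1);
    var pathArg = args.GetAt(2);

    var param = new UrlDownloadToFileParameter();
    param.Url = urlArg.IsNullPointer ? "" : urlArg.ReadString();
    param.FilePath = pathArg.IsNullPointer ? "" : pathArg.ReadString();

    report.ID = APIID.UrlDownloadToFile;
    report.Parameter = param;
    Reports.Enqueue(report);
}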
/// <summary>
/// Hook callback for CreateService: records the service name (argument 1),
/// start mode (argument 5) and binary path (argument 7) in a
/// <see cref="CreateServiceParameter"/> report and enqueues it. The indices
/// presumably correspond to lpServiceName, dwStartType and lpBinaryPathName —
/// verify against the hooked signature.
/// </summary>
/// <param name="hook">The hook that fired.</param>
/// <param name="process">The hooked process.</param>
/// <param name="callInfo">Call context giving access to the call parameters.</param>
static void OnCreateService(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.CreateService, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    var args = callInfo.Params();
    var nameArg = args.GetAt(1);
    var pathArg = args.GetAt(7);

    // Null string pointers are reported as "N/A" rather than dereferenced.
    var param = new CreateServiceParameter();
    param.Name = nameArg.IsNullPointer ? "N/A" : nameArg.ReadString();
    param.Path = pathArg.IsNullPointer ? "N/A" : pathArg.ReadString();
    param.Mode = args.GetAt(5).ULongVal;

    report.Parameter = param;
    Reports.Enqueue(report);
}
/// <summary>
/// Builds the common <see cref="APIUnit"/> for a hook callback, or returns null
/// when the call should not be reported.
/// </summary>
/// <param name="type">Report type stored on the unit.</param>
/// <param name="cat">Report category stored on the unit.</param>
/// <param name="id">API identifier stored on the unit.</param>
/// <param name="hook">The hook that fired; its FunctionName is recorded.</param>
/// <param name="process">The hooked process; its Id is recorded.</param>
/// <param name="callInfo">Call context used to inspect the caller's stack.</param>
/// <returns>
/// A report tagged with the upper-cased name of the module at the top of the
/// caller's stack, or null when that module cannot be resolved or is not
/// listed in <c>Modules</c>.
/// </returns>
static APIUnit Base(APIType type, APICategory cat, APIID id, NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    // Resolve the topmost stack-trace module once.
    var callerModule = callInfo.StackTrace().Module(0);
    if (callerModule == null)
    {
        return null;
    }

    // NOTE(review): ToUpper() is culture-sensitive; this only matches reliably
    // if Modules is populated with the same conversion — confirm how Modules is
    // built before switching either side to ToUpperInvariant().
    string moduleName = callerModule.Name.ToUpper();
    if (!Modules.Contains(moduleName))
    {
        return null;
    }

    var report = new APIUnit(process.Id, hook.FunctionName, type, cat, id);
    report.Module = moduleName;
    return report;
}