public static Int32 CopyFileExA( IntPtr lpExistingFileName, IntPtr lpNewFileName, IntPtr lpProgressRoutine, IntPtr lpData, IntPtr pbCancel, UInt32 dwCopyFlags) { if (DetourBlock.IsDetouring) { return OriginalFn(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags); } using (var block = new DetourBlock()) { Int32 copyResult = OriginalFn(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags); if (copyResult > 0) { Remoting.Scribe.DocumentFileCopy(Process.GetCurrentProcess().Id, Marshal.PtrToStringAnsi(lpExistingFileName), Marshal.PtrToStringAnsi(lpNewFileName)); } return copyResult; } }
public static UInt32 NtReadFile( IntPtr FileHandle, IntPtr Event, IntPtr ApcRoutine, IntPtr ApcContext, IntPtr IoStatusBlock, UInt32 Buffer, UInt32 Length, UInt32 ByteOffset, UInt32 Key) { if (DetourBlock.IsDetouring) { return OriginalFn(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key); } using (var block = new DetourBlock()) { var result = OriginalFn(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key); if (result == 0 /* STATUS_SUCCESS */) { Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle); } return result; } }
public static bool CreateProcessW( IntPtr lpApplicationName, IntPtr lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, Int32 bInheritHandles, UInt32 dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory, IntPtr lpStartupInfo, IntPtr lpProcessInformation) { // // TODO: This can be removed by specifying the original CreateProcessX function // via DetourCreateProcessWithDll's last param. // if (DetourBlock.IsDetouring) { return OriginalFn(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation); } using (var block = new DetourBlock()) { var local_applicationName = Marshal.PtrToStringUni(lpApplicationName); var local_commandLine = Marshal.PtrToStringUni(lpCommandLine); var targetExecutable = ((!string.IsNullOrEmpty(local_applicationName)) ? local_applicationName : Helpers.ExtractTargetPath(local_commandLine)).Trim('"'); // skip EXEs which we know like to stick around... if (ExeBlackList.Any(blacklisted => targetExecutable.EndsWith(blacklisted,StringComparison.CurrentCultureIgnoreCase))) { return OriginalFn(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation); } string detours = Constants.DetoursDllName; bool bounced; var result = Detours.DetourCreateProcessWithDllW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, detours, Constants.CoAppTraceHost, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, local_applicationName, local_commandLine, out bounced); PROCESS_INFORMATION pi = (PROCESS_INFORMATION) Marshal.PtrToStructure(lpProcessInformation, typeof (PROCESS_INFORMATION)); if (pi.dwProcessId > 0 && !bounced) { Debug.Assert(Process.GetCurrentProcess().Id != 0); Remoting.Scribe.DocumentNewProcess(Process.GetCurrentProcess().Id, (int)pi.dwProcessId, local_commandLine, targetExecutable, Environment.CurrentDirectory); } return result; } }
public static UInt32 NtCreateFile( IntPtr FileHandle, IntPtr DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, IntPtr AllocationSize, UInt32 FileAttributes, UInt32 ShareAccess, UInt32 CreateDisposition, UInt32 CreateOptions, IntPtr EaBuffer, UInt32 EaLength) { if (DetourBlock.IsDetouring) { return OriginalFn(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); } using (var block = new DetourBlock()) { var result = OriginalFn(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); var oa = (OBJECT_ATTRIBUTES) Marshal.PtrToStructure(ObjectAttributes, typeof (OBJECT_ATTRIBUTES)); var on = (UNICODE_STRING) Marshal.PtrToStructure(oa.ObjectName, typeof (UNICODE_STRING)); var us = Marshal.PtrToStringUni(on.Buffer, on.Length/2); var created = false; switch( CreateDisposition ) { case 0x00000000: // FILE_SUPERCEDE case 0x00000002: // FILE_CREATE case 0x00000004: // FILE_OVERWRITE case 0x00000005: // FILE_OVERWRITE_IF created = true; break; } if (result == 0 /* STATUS_SUCCESS */) { Remoting.Scribe.DocumentFileOpen(Process.GetCurrentProcess().Id, us, Marshal.ReadIntPtr(FileHandle), Environment.CurrentDirectory, created); } if ((CreateOptions & 0x00001000) == 0x00001000) { Remoting.Scribe.DocumentFileDelete(Process.GetCurrentProcess().Id, us, Environment.CurrentDirectory); } return result; } }
public static bool CreateProcessW( IntPtr lpApplicationName, IntPtr lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, Int32 bInheritHandles, UInt32 dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory, IntPtr lpStartupInfo, IntPtr lpProcessInformation) { // // TODO: This can be removed by specifying the original CreateProcessX function // via DetourCreateProcessWithDll's last param. // if (DetourBlock.IsDetouring) { return OriginalFn(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation); } using (var block = new DetourBlock()) { string local_applicationName = Marshal.PtrToStringUni(lpApplicationName); string local_commandLine = Marshal.PtrToStringUni(lpCommandLine); string detours = Constants.DetoursDllName; string detoured = Path.Combine(Path.GetDirectoryName(detours), Constants.DetouredDllName); bool bounced; var result = Detours.DetourCreateProcessWithDll(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, detours, detoured, Constants.CoAppTraceHost, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, out bounced); PROCESS_INFORMATION pi = (PROCESS_INFORMATION) Marshal.PtrToStructure(lpProcessInformation, typeof (PROCESS_INFORMATION)); if (pi.dwProcessId > 0 && !bounced) { Debug.Assert(Process.GetCurrentProcess().Id != 0); Remoting.Scribe.DocumentNewProcess(Process.GetCurrentProcess().Id, (int)pi.dwProcessId, local_commandLine, (!string.IsNullOrEmpty(local_applicationName)) ? local_applicationName : Helpers.ExtractTargetPath(local_commandLine), Environment.CurrentDirectory); } return result; } }
public static UInt32 GetFileAttributesA(IntPtr lpFileName) { if (DetourBlock.IsDetouring) { return OriginalFn(lpFileName); } using (var block = new DetourBlock()) { UInt32 probeResult = OriginalFn(lpFileName); if (probeResult != unchecked((UInt32)(-1)) /* INVALID_FILE_ATTRIBUTES */) { Remoting.Scribe.DocumentFileProbe(Process.GetCurrentProcess().Id, Marshal.PtrToStringAnsi(lpFileName), Environment.CurrentDirectory); } return probeResult; } }
public static bool MoveFileExW(IntPtr lpExistingFileName, IntPtr lpNewFileName, UInt32 dwFlags) { if (DetourBlock.IsDetouring) { return OriginalFn(lpExistingFileName, lpNewFileName, dwFlags); } using (var block = new DetourBlock()) { var moveResult = OriginalFn(lpExistingFileName, lpNewFileName, dwFlags); if (moveResult) { Remoting.Scribe.DocumentFileMove(Process.GetCurrentProcess().Id, Marshal.PtrToStringUni(lpExistingFileName), Marshal.PtrToStringUni(lpNewFileName)); } return moveResult; } }
public static UInt32 GetEnvironmentVariableW( IntPtr lpName, IntPtr lpBuffer, UInt32 nSize) { if (DetourBlock.IsDetouring) { return OriginalFn(lpName, lpBuffer, nSize); } using (var block = new DetourBlock()) { var result = OriginalFn(lpName, lpBuffer, nSize); if (result != 0) { var varname = Marshal.PtrToStringUni(lpName); Remoting.Scribe.DocumentEnvQuery(Process.GetCurrentProcess().Id, varname); } return result; } }
public static UInt32 GetModuleHandleA(IntPtr lpFileName) { if (DetourBlock.IsDetouring || success) { return OriginalFn(lpFileName); } using (var block = new DetourBlock()) { var mh = Kernel32.GetModuleHandle("msys-1.0.dll"); if( mh.IsInvalid ) { var argc = Kernel32.GetProcAddress(mh, "__argc"); if( argc != IntPtr.Zero) { var argv = Kernel32.GetProcAddress(mh, "__argv"); if( argv != IntPtr.Zero ) { var argc_int= (Int32)Marshal.PtrToStructure(argc, typeof(Int32)); // gets the location of the char** var argv_IntPtr= (IntPtr)Marshal.PtrToStructure(argv, typeof(IntPtr)); if(argv_IntPtr != IntPtr.Zero ) { var args = new List<string>(); if (argc_int > 0) { for (var i = 0; i < argc_int; i++) { var stringLocation = (IntPtr)Marshal.PtrToStructure(new IntPtr(argv_IntPtr.ToInt32() + IntPtr.Size * i), typeof(IntPtr)); var arg = Marshal.PtrToStringAnsi(stringLocation); args.Add(arg); } if (args.Count > 0) { Remoting.Scribe.DocumentCommandLine(Process.GetCurrentProcess().Id, args.Aggregate(string.Empty, (current, each) => current + " " + QuoteIfNeeded(each)).Trim()); success = true; } } } } } } return OriginalFn(lpFileName); } }
public static UInt32 WriteFileEx( IntPtr FileHandle, IntPtr Buffer, UInt32 BytesToWrite, IntPtr Overlapped, IntPtr OverlappedCompletionRoutine) { if (DetourBlock.IsDetouring) { return OriginalFn(FileHandle, Buffer, BytesToWrite, Overlapped, OverlappedCompletionRoutine); } using (var block = new DetourBlock()) { var result = OriginalFn(FileHandle, Buffer, BytesToWrite, Overlapped, OverlappedCompletionRoutine); //if (result != 0 || Overlapped != IntPtr.Zero ) { Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle); //} return result; } }
public static UInt32 NtDeleteFile(IntPtr ObjectAttributes) { if (DetourBlock.IsDetouring) { return OriginalFn(ObjectAttributes); } using (var block = new DetourBlock()) { var result = OriginalFn(ObjectAttributes); var oa = (OBJECT_ATTRIBUTES) Marshal.PtrToStructure(ObjectAttributes, typeof (OBJECT_ATTRIBUTES)); var on = (UNICODE_STRING) Marshal.PtrToStructure(oa.ObjectName, typeof (UNICODE_STRING)); var us = Marshal.PtrToStringUni(on.Buffer, on.Length/2); // if (result == 0 /* STATUS_SUCCESS */) Remoting.Scribe.DocumentFileDelete(Process.GetCurrentProcess().Id, us, Environment.CurrentDirectory); return result; } }
public static UInt32 CreateFileMappingW( IntPtr FileHandle, IntPtr SecurityAttributes, UInt32 FlagsProtect, UInt32 SizeHigh, UInt32 SizeLow, IntPtr Name) { if (DetourBlock.IsDetouring) { return OriginalFn(FileHandle, SecurityAttributes, FlagsProtect, SizeHigh, SizeLow, Name); } using (var block = new DetourBlock()) { var result = OriginalFn(FileHandle, SecurityAttributes, FlagsProtect, SizeHigh, SizeLow, Name); switch (FlagsProtect) { case 0x02 : // PAGE_READONLY Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64()); break; case 0x04 : // PAGE_READWRITE Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle.ToInt64()); Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64()); break; case 0x08 : // PAGE_WRITECOPY Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle.ToInt64()); break; case 0x20 : // PAGE_EXECUTE_READ Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64()); break; case 0x40 : // PAGE_EXECUTE_READWRITE Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle.ToInt64()); Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64()); break; } return result; } }
public static UInt32 NtQuerySystemEnvironmentValue( IntPtr VariableName, IntPtr Value, UInt32 ValueBufferLength, IntPtr RequiredLength) { if (DetourBlock.IsDetouring) { return OriginalFn(VariableName, Value, ValueBufferLength, RequiredLength); } using (var block = new DetourBlock()) { var result = OriginalFn(VariableName, Value, ValueBufferLength, RequiredLength); if (result == 0 /* STATUS_SUCCESS */) { var us = (UNICODE_STRING) Marshal.PtrToStructure(VariableName, typeof (UNICODE_STRING)); var varname = Marshal.PtrToStringUni(us.Buffer, us.Length/2); Remoting.Scribe.DocumentEnvQuery(Process.GetCurrentProcess().Id, varname); } return result; } }