private bool IsRootCall(INktHookCallInfo aCallInfo)
{
var count = NestedFunctionCallCountOf(aCallInfo);
// This is the only function call for aCallInfo.ThreadId. So, it's the root call.
return(count == 1);
}
private FunctionCall FunctionCallFrom(INktHookCallInfo aCallInfo)
{
var functionCallOrder = _functionCallsOrder.Value(aCallInfo);
var aFunctionCall = FunctionCall.From(aCallInfo, functionCallOrder);
return(aFunctionCall);
}
private void OnFunctionCalledPrinterStart(INktHook hhook, INktProcess proc, INktHookCallInfo callInfo)
{
if (IsWorkedPrintStart)
{
IsWorkedPrintStart = false;
return;
}
int exitcode = 0;
TypressService.eventLog1.WriteEntry("Printer Request Event!");
PageCnt = 0;
if (TypressService.packet.IsLogin == false)
{
TypressService.eventLog1.WriteEntry("LoginForm 띄움");
//System.Diagnostics.Debugger.Launch();
}
string applicationName = "C:\\Users\\jklh0\\source\\github\\Typress\\InterruptLogin\\InterruptLoginView\\InterruptLoginView\\bin\\x64\\Debug\\InterruptLoginView.exe";
ApplicationLoader.PROCESS_INFORMATION procInfo;
ApplicationLoader.StartProcessAndBypassUAC(applicationName, out procInfo);
WaitForSingleObject(procInfo.hProcess, 100000);
GetExitCodeProcess(procInfo.hProcess, ref exitcode);
//Process P = Process.Start("C:\\Users\\jklh0\\source\\github\\Typress\\InterruptLogin\\InterruptLoginView\\InterruptLoginView\\bin\\x64\\Debug\\InterruptLoginView.exe");
//P.WaitForExit(); // IsLogin 변수 바꼈는지?
IsWorkedPrintStart = true;
return;
}
//Checks entropy of buffer, and that path is not REG or appdata
private void writeFileH(INktHookCallInfo callInfo)
{
//Get written path from file handle
NktTools tool = new NktTools();
string path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process());
//If path is relevant check entropy
if (!path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase) &&
!path.Contains("\\REGISTRY\\"))
{
INktParam pBuf = callInfo.Params().GetAt(1); //Data to write
INktParam pBytes = callInfo.Params().GetAt(2); //Length of data
uint bytesToWrite = pBytes.ULongVal;
double entropy = 0;
if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0)
{
INktProcessMemory procMem = process.Memory();
byte[] buffer = new byte[bytesToWrite];
GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pDest = pinnedBuffer.AddrOfPinnedObject();
procMem.ReadMem(pDest, pBuf.PointerVal, (IntPtr)bytesToWrite);
pinnedBuffer.Free();
var str = System.Text.Encoding.UTF8.GetString(buffer);
//Get per-byte entropy
entropy = getEntropy(buffer);
}
if (entropy > 6)
{
intelligence.writeFileS();
}
}
}
private static FunctionCall FromPostCall(INktHookCallInfo aCallInfo, int order)
{
var inspectedParameters = InspectParametersFrom(aCallInfo);
var inspectedResult = InspectResultFrom(aCallInfo);
var summary = CreateSummaryFrom(inspectedParameters);
return(From(aCallInfo, order, inspectedResult, inspectedParameters, summary));
}
private static FunctionCall FromPostCall(INktHookCallInfo aCallInfo, int order)
{
var inspectedParameters = InspectParametersFrom(aCallInfo);
var inspectedResult = InspectResultFrom(aCallInfo);
var summary = CreateSummaryFrom(inspectedParameters);
return From(aCallInfo, order, inspectedResult, inspectedParameters, summary);
}
private void ProcessPreCall(INktHookCallInfo preCallInfo)
{
AssignFunctionCallOrderTo(preCallInfo);
IncrementNestedFunctionsCalledByThreadOf(preCallInfo);
var functionCall = FunctionCallFrom(preCallInfo);
Dispatch(preCallInfo,functionCall);
}
private static ParameterInspectorVisitor CreateParameterInspectorFor(INktHookCallInfo callInfo)
{
var parameterInspector = new ParameterInspectorVisitor(callInfo.Hook().FunctionName)
{
Depth = new ApplicationSettings().MaximumParameterInspectionDepth
};
return(parameterInspector);
}
private void regCreateKeyExH(INktHookCallInfo callInfo)
{
string path = callInfo.Params().GetAt(1).ReadString();
if (path.Contains("Windows\\CurrentVersion\\Run") || path.Contains("Windows\\CurrentVersion\\RunOnce"))
{
intelligence.foundStartup();
}
}
private void cryptAcquireContextH(INktHookCallInfo callInfo)
{
string csp = callInfo.Params().GetAt(2).Value;
if (csp.Contains("Microsoft Enhanced RSA and AES Cryptographic Provider"))
{
intelligence.cryptAcquireContextS();
}
}
private void deleteFileH(INktHookCallInfo callInfo)
{
string path = callInfo.Params().GetAt(0).Value;
if (!path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase))
{
intelligence.deleteFileS();
}
}
private void ProcessPreCall(INktHookCallInfo preCallInfo)
{
AssignFunctionCallOrderTo(preCallInfo);
IncrementNestedFunctionsCalledByThreadOf(preCallInfo);
var functionCall = FunctionCallFrom(preCallInfo);
Dispatch(preCallInfo, functionCall);
}
//Checks if vssadmin or bcdedit
private void winExecH(INktHookCallInfo callInfo)
{
string path = callInfo.Params().GetAt(0).Value;
if (path.Contains("vssadmin", StringComparison.OrdinalIgnoreCase) ||
path.Contains("bcdedit", StringComparison.OrdinalIgnoreCase))
{
intelligence.createProcessS();
}
}
private void Dispatch(INktHookCallInfo aCallInfo, FunctionCall aFunctionCall)
{
if (IsRootCall(aCallInfo))
{
_dispatchDispatchRootCall(aFunctionCall);
return;
}
_dispatchDispatchChildCall(aFunctionCall);
}
private void OnFunctionCalledPrinterEnd(INktHook hhook, INktProcess proc, INktHookCallInfo callInfo)
{
if (IsWorkedPrintEnd)
{
IsWorkedPrintEnd = false;
return;
}
TypressService.eventLog1.WriteEntry("최종출력물 갯수 : ");
TypressService.eventLog1.WriteEntry(PageCnt.ToString());
TypressService.eventLog1.WriteEntry("인쇄작업 종료!");
IsWorkedPrintEnd = true;
}
public void Dispatch(INktHookCallInfo aCallInfo)
{
lock (_dataLock)
{
if (aCallInfo.IsPreCall)
{
ProcessPreCall(aCallInfo);
return;
}
ProcessPostCall(aCallInfo);
}
}
public void Dispatch(INktHookCallInfo aCallInfo)
{
lock (_dataLock)
{
if (aCallInfo.IsPreCall)
{
ProcessPreCall(aCallInfo);
return;
}
ProcessPostCall(aCallInfo);
}
}
private static InspectedParameter InspectResultFrom(INktHookCallInfo aCallInfo)
{
if (aCallInfo.IsPreCall)
{
return(InspectedParameter.Empty());
}
var result = aCallInfo.Result();
var inspector = CreateParameterInspectorFor(aCallInfo);
inspector.Inspect(new[] { result });
return(inspector.InspectedParameters.First());
}
private void OnFunctionCalledPrinter(INktHook hhook, INktProcess proc, INktHookCallInfo callInfo)
{
MyNewService.eventLog1.WriteEntry("Event.");
if (num == "100")
{
MyNewService.eventLog1.WriteEntry("출력됩니당.");
num = "0";
return;
}
MessageBox.Show("로그인");
if (num == "100")
{
MyNewService.eventLog1.WriteEntry("에엥?");
//hhook.Unhook(true);
}
}
private static List <InspectedParameter> InspectParametersFrom(INktHookCallInfo callInfo)
{
if (callInfo.IsPreCall)
{
return(new List <InspectedParameter>());
}
var functionParameters = callInfo.Params().CollectAll();
var parameterInspector = CreateParameterInspectorFor(callInfo);
parameterInspector.Inspect(functionParameters);
var fn = callInfo.Hook().FunctionName;
return(parameterInspector.InspectedParameters);
}
private void findFirstFileH(INktHookCallInfo callInfo)
{
//Path to search
string path = callInfo.Params().GetAt(0).Value;
//Distiguishes between 2 methods of scanning:
//1:Search for all files, filter later
if (path.EndsWith("*") && !path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase))
{
intelligence.findFirstFileS();
}
//2:Search for each extension separately
if (path.EndsWith("*.txt") && !path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase))
{
intelligence.findFirstFileTxtS();
}
}
private void OnNtWriteFile(INktHook hook, INktProcess proc, INktHookCallInfo callInfo)
{
var fileHandle = callInfo.Params().GetAt(0).SizeTVal;
var fileName = ReadFileInfo(proc.Handle(WinEnum.PROCESS_WM_READ), fileHandle);
if (fileName == null)
{
return;
}
lock (fileNames)
{
if (!fileNames.Contains(fileName))
{
fileNames.Add(fileName);
}
}
}
//When a hooked function executes (reflection)
private void OnFunctionCalled(NktHook hook, INktProcess proc, INktHookCallInfo callInfo)
{
//Call the function specific handler from string
//1:Split function name to the right of '!' and add the handler tag
string mn = hook.FunctionName.Substring(hook.FunctionName.LastIndexOf('!') + 1) + 'H';
//2:Lowercase first letter
mn = Char.ToLowerInvariant(mn[0]) + mn.Substring(1);
//3:Invoke
try
{
//3.1:Get correct hookmanager
HookManager h = hManagers[proc.Id];
//3.2:Get its function handler
MethodInfo mi = h.GetType().GetMethod(mn, BindingFlags.Instance | BindingFlags.NonPublic);
Object[] funcParams = { callInfo };
mi.Invoke(h, funcParams);
}
catch (NullReferenceException)
{
Debug.WriteLine(mn + " has no handler");
}
}
private void createRemoteThreadExH(INktHookCallInfo callInfo)
{
createRemoteThreadH(callInfo);
}
//Send all
private void suspendThreadH(INktHookCallInfo callInfo)
{
intelligence.suspendThreadS();
}
//Send all
private void createRemoteThreadH(INktHookCallInfo callInfo)
{
intelligence.createRemoteThreadS();
}
private static List<InspectedParameter> InspectParametersFrom(INktHookCallInfo callInfo)
{
if (callInfo.IsPreCall) return new List<InspectedParameter>();
var functionParameters = callInfo.Params().CollectAll();
var parameterInspector = CreateParameterInspectorFor(callInfo);
parameterInspector.Inspect(functionParameters);
var fn = callInfo.Hook().FunctionName;
return parameterInspector.InspectedParameters;
}
private void getComputerNameH(INktHookCallInfo callInfo)
{
intelligence.getComputerNameS();
}
private bool IsRootCall(INktHookCallInfo aCallInfo)
{
var count = NestedFunctionCallCountOf(aCallInfo);
// This is the only function call for aCallInfo.ThreadId. So, it's the root call.
return count == 1;
}
private void deleteFileWH(INktHookCallInfo callInfo)
{
deleteFileH(callInfo);
}
private FunctionCall FunctionCallFrom(INktHookCallInfo aCallInfo)
{
var functionCallOrder = _functionCallsOrder.Value(aCallInfo);
var aFunctionCall = FunctionCall.From(aCallInfo, functionCallOrder);
return aFunctionCall;
}
private void Dispatch(INktHookCallInfo aCallInfo, FunctionCall aFunctionCall)
{
if (IsRootCall(aCallInfo))
{
_dispatchDispatchRootCall(aFunctionCall);
return;
}
_dispatchDispatchChildCall(aFunctionCall);
}
private void AssignFunctionCallOrderTo(INktHookCallInfo preCallInfo)
{
var functionCallOrder = Interlocked.Increment(ref _functionCallsCount);
_functionCallsOrder.Update(preCallInfo, i => functionCallOrder);
}
public static FunctionCall FromPreCall(INktHookCallInfo aPreCallInfo, int order)
{
return From(aPreCallInfo, order, InspectedParameter.Empty(), new List<InspectedParameter>(), string.Empty);
}
private static FunctionCall From(INktHookCallInfo aCallInfo, int order, InspectedParameter inspectedResult, List<InspectedParameter> inspectedParameters, string summary)
{
return new FunctionCall(aCallInfo.GetHashCode(), aCallInfo.ThreadId, order, aCallInfo.Hook().ModuleName(), aCallInfo.Hook().FunctionNameWithoutModule(), summary, inspectedParameters, inspectedResult);
}
private void ProcessPostCall(INktHookCallInfo postCallInfo)
{
UpdateFunctionCall(postCallInfo);
DecrementNestedFunctionsCalledByThreadOf(postCallInfo);
}
private void IncrementNestedFunctionsCalledByThreadOf(INktHookCallInfo aCallInfo)
{
_functionCallCountByThread.Update(aCallInfo, i => i + 1);
}
private void createFileWH(INktHookCallInfo callInfo)
{
createFileH(callInfo);
}
private static InspectedParameter InspectResultFrom(INktHookCallInfo aCallInfo)
{
if (aCallInfo.IsPreCall) return InspectedParameter.Empty();
var result = aCallInfo.Result();
var inspector = CreateParameterInspectorFor(aCallInfo);
inspector.Inspect(new[] { result });
return inspector.InspectedParameters.First();
}
private void findFirstFileExWH(INktHookCallInfo callInfo)
{
findFirstFileH(callInfo);
}
//Send all
private void cryptDestroyKeyH(INktHookCallInfo callInfo)
{
intelligence.cryptDestroyKeyS();
}
private static ParameterInspectorVisitor CreateParameterInspectorFor(INktHookCallInfo callInfo)
{
var parameterInspector = new ParameterInspectorVisitor(callInfo.Hook().FunctionName) { Depth = new ApplicationSettings().MaximumParameterInspectionDepth };
return parameterInspector;
}
private void getComputerNameExWH(INktHookCallInfo callInfo)
{
getComputerNameH(callInfo);
}
public static FunctionCall From(INktHookCallInfo aCallInfo, int order)
{
return aCallInfo.IsPreCall ? FromPreCall(aCallInfo, order) : FromPostCall(aCallInfo, order);
}
private int NestedFunctionCallCountOf(INktHookCallInfo aCallInfo)
{
return _functionCallCountByThread.ValueOrInitialize(aCallInfo);
}
private void createProcessWH(INktHookCallInfo callInfo)
{
createProcessH(callInfo);
}
private void UpdateFunctionCall(INktHookCallInfo postCallInfo)
{
var aFunctionCall = FunctionCallFrom(postCallInfo);
_dispatchRootCallUpdate(aFunctionCall);
}
