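// Hook handler for WriteFile: reports a write when the data being written looks
// encrypted (high per-byte entropy) and the target path is neither a registry
// path nor under a user's AppData folder.
private void writeFileH(INktHookCallInfo callInfo)
{
    // Resolve the target path from the file handle (parameter 0).
    NktTools tool = new NktTools();
    string path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process());

    // An unresolved handle cannot be classified; skip instead of dereferencing null.
    if (string.IsNullOrEmpty(path))
    {
        return;
    }

    // Both exclusions are case-insensitive: path casing is not guaranteed.
    if (path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase)
        || path.Contains("\\REGISTRY\\", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    INktParam pBuf = callInfo.Params().GetAt(1);   // Data to write
    INktParam pBytes = callInfo.Params().GetAt(2); // Length of data
    uint bytesToWrite = pBytes.ULongVal;

    double entropy = 0;
    if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0)
    {
        // NOTE(review): memory is read through the `process` field while the path
        // lookup above uses callInfo.Process() — confirm both denote the hooked process.
        INktProcessMemory procMem = process.Memory();

        // NOTE(review): bytesToWrite comes straight from the hooked call and sizes
        // the local copy; consider capping the sampled length — TODO confirm.
        byte[] buffer = new byte[bytesToWrite];
        GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            // Copy the caller's buffer out of the hooked process into the pinned array.
            procMem.ReadMem(pinnedBuffer.AddrOfPinnedObject(), pBuf.PointerVal, (IntPtr)bytesToWrite);
        }
        finally
        {
            // Release the pin even if ReadMem throws; a leaked pinned handle keeps the array fixed.
            pinnedBuffer.Free();
        }

        // Per-byte entropy of the written data.
        entropy = getEntropy(buffer);
    }

    // 6 is the author's threshold for "looks encrypted".
    if (entropy > 6)
    {
        intelligence.writeFileS();
    }
}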
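// Hook handler for CreateProcess: reports launches that name vssadmin or bcdedit,
// either in the application path (parameter 0) or in the command line (parameter 1).
private void createProcessH(INktHookCallInfo callInfo)
{
    string path = callInfo.Params().GetAt(0).Value;
    string cmd = callInfo.Params().GetAt(1).Value;

    // Either value may be missing (the hooked API allows the application name to be
    // omitted when a command line is supplied); a missing value simply cannot match.
    bool NamesWatchedTool(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return false;
        }

        return value.Contains("vssadmin", StringComparison.OrdinalIgnoreCase)
            || value.Contains("bcdedit", StringComparison.OrdinalIgnoreCase);
    }

    if (NamesWatchedTool(path) || NamesWatchedTool(cmd))
    {
        intelligence.createProcessS();
    }
}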
// Hook handler for DeleteFile: any deletion whose path (parameter 0) is not under a
// user's AppData folder is reported to the intelligence layer.
private void deleteFileH(INktHookCallInfo callInfo)
{
    string target = callInfo.Params().GetAt(0).Value;

    // Deletions inside AppData are considered routine and are ignored.
    bool underAppData = target.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase);
    if (underAppData)
    {
        return;
    }

    intelligence.deleteFileS();
}
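// Hook handler for CryptAcquireContext: reports use of the Microsoft Enhanced RSA
// and AES provider, read from parameter 2 (the provider name).
private void cryptAcquireContextH(INktHookCallInfo callInfo)
{
    string csp = callInfo.Params().GetAt(2).Value;

    // The provider name is optional in the hooked API (NULL selects the default
    // provider), so a missing value is expected and cannot match.
    if (string.IsNullOrEmpty(csp))
    {
        return;
    }

    // Ordinal on purpose: the provider name is a fixed identifier, not user text.
    if (csp.Contains("Microsoft Enhanced RSA and AES Cryptographic Provider", StringComparison.Ordinal))
    {
        intelligence.cryptAcquireContextS();
    }
}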
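// Hook handler for RegCreateKeyEx: reports a startup-persistence attempt when the
// subkey (parameter 1) points at a Run or RunOnce key.
private void regCreateKeyExH(INktHookCallInfo callInfo)
{
    string path = callInfo.Params().GetAt(1).ReadString();

    // NOTE(review): presumably ReadString yields null/empty for an unreadable pointer;
    // skip rather than throw in that case.
    if (string.IsNullOrEmpty(path))
    {
        return;
    }

    // Registry key names are case-insensitive, so match accordingly. "...\\Run" is a
    // prefix of "...\\RunOnce", so this single check covers both keys.
    if (path.Contains("Windows\\CurrentVersion\\Run", StringComparison.OrdinalIgnoreCase))
    {
        intelligence.foundStartup();
    }
}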
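// Hook handler for FindFirstFile: reports directory enumeration outside AppData,
// distinguishing two scanning styles by the search pattern (parameter 0).
private void findFirstFileH(INktHookCallInfo callInfo)
{
    string path = callInfo.Params().GetAt(0).Value;
    if (string.IsNullOrEmpty(path))
    {
        return;
    }

    // Enumeration inside AppData is ignored for both styles.
    if (path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    // Style 1: enumerate everything ("*") and filter afterwards.
    if (path.EndsWith("*", StringComparison.Ordinal))
    {
        intelligence.findFirstFileS();
    }

    // Style 2: one search per extension. Extensions are case-insensitive on Windows,
    // so "*.TXT" must count as well; ordinal avoids culture-dependent suffix rules.
    if (path.EndsWith("*.txt", StringComparison.OrdinalIgnoreCase))
    {
        intelligence.findFirstFileTxtS();
    }
}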
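/// <summary>
/// Collects the inspected parameters of a hooked call. Only post-call invocations
/// are inspected; a pre-call yields an empty list.
/// </summary>
/// <param name="callInfo">The hook call being processed.</param>
/// <returns>The parameters recorded by the inspector created for this call.</returns>
private static List<InspectedParameter> InspectParametersFrom(INktHookCallInfo callInfo)
{
    if (callInfo.IsPreCall)
    {
        return new List<InspectedParameter>();
    }

    var functionParameters = callInfo.Params().CollectAll();
    var parameterInspector = CreateParameterInspectorFor(callInfo);
    parameterInspector.Inspect(functionParameters);
    // The hook's function name was previously read here but never used.
    return parameterInspector.InspectedParameters;
}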
// Hook handler for NtWriteFile: records the name of every distinct file the
// monitored process writes to.
private void OnNtWriteFile(INktHook hook, INktProcess proc, INktHookCallInfo callInfo)
{
    var handleValue = callInfo.Params().GetAt(0).SizeTVal;

    // NOTE(review): proc.Handle(...) appears to hand out a process handle — confirm
    // whether the callee or this method is responsible for closing it.
    var resolvedName = ReadFileInfo(proc.Handle(WinEnum.PROCESS_WM_READ), handleValue);
    if (resolvedName == null)
    {
        return;
    }

    // fileNames is presumably shared across hook callbacks; the check-and-add is
    // serialised so the same name is not appended twice.
    lock (fileNames)
    {
        bool alreadySeen = fileNames.Contains(resolvedName);
        if (!alreadySeen)
        {
            fileNames.Add(resolvedName);
        }
    }
}
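/// <summary>
/// Returns the inspected parameters of a hooked call; pre-call invocations are not
/// inspected and produce an empty list.
/// </summary>
/// <param name="callInfo">The hook call being processed.</param>
/// <returns>The parameters recorded by the inspector created for this call.</returns>
private static List<InspectedParameter> InspectParametersFrom(INktHookCallInfo callInfo)
{
    if (callInfo.IsPreCall)
    {
        return new List<InspectedParameter>();
    }

    var inspector = CreateParameterInspectorFor(callInfo);
    inspector.Inspect(callInfo.Params().CollectAll());
    // The unused read of the hook's function name has been dropped.
    return inspector.InspectedParameters;
}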