/// <summary>
/// Hook callback that counts calls in <c>nTime</c> and, for the two speed
/// settings -2 and 2, biases the hooked function's return value by an offset
/// that grows with the call count.
/// </summary>
/// <param name="hook">The hook that fired (unused).</param>
/// <param name="process">The hooked process (unused).</param>
/// <param name="hookCallInfo">Call context; its result slot is rewritten in place.</param>
/// <remarks>
/// The counter advances on every call, whatever <c>nSpeed</c> is, and is never
/// reset here, so the applied offset keeps growing for the life of the hook.
/// NOTE(review): <c>nTime</c> and <c>nSpeed</c> are fields declared outside this
/// listing; their types and any reset logic are not visible from here.
/// </remarks>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            nTime++;

            // Only the two extreme speed settings rewrite the result.
            if (nSpeed != -2 && nSpeed != 2)
            {
                return;
            }

            var result = hookCallInfo.Result();
            var current = result.LongVal;

            // -2 slows down (subtracts a fifth of the count, truncated);
            //  2 speeds up (adds three times the count).
            result.LongVal = nSpeed == -2
                ? current - (int)(nTime * 0.2)
                : current + (int)(nTime * 3);
        }
        /// <summary>
        /// Hook callback that counts calls in <c>nTime</c> and, when <c>nSpeed</c>
        /// is -2 or 2, shifts the hooked function's return value by an offset
        /// derived from the call count.
        /// </summary>
        /// <param name="hook">The hook that fired (unused).</param>
        /// <param name="process">The hooked process (unused).</param>
        /// <param name="hookCallInfo">Call context whose result slot is rewritten.</param>
        /// <remarks>
        /// <c>nTime</c> is incremented for every call and never reset in this
        /// method, so the offset grows monotonically.
        /// NOTE(review): <c>nTime</c> and <c>nSpeed</c> are fields defined outside
        /// this listing; their declared types are not visible here.
        /// </remarks>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            nTime++;

            switch (nSpeed)
            {
                case -2:
                {
                    // Slow down: subtract a fifth of the call count (truncated).
                    var slow = hookCallInfo.Result();
                    slow.LongVal = slow.LongVal - (int)(nTime * 0.2);
                    break;
                }
                case 2:
                {
                    // Speed up: add three times the call count.
                    var fast = hookCallInfo.Result();
                    fast.LongVal = fast.LongVal + (int)(nTime * 3);
                    break;
                }
                default:
                    // Any other setting leaves the result untouched.
                    break;
            }
        }
File: Program.cs — Project: zelorun/Deviare2
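        /// <summary>
        /// Post-call handler for the hooked IClassFactory::CreateInstance. When the
        /// call succeeded and the requested IID is one of the three shell-view
        /// interfaces listed below, resolves the new object's fourth vtable slot in
        /// the target so that it can be hooked in turn (the hooking itself is elided
        /// in this example).
        /// </summary>
        /// <param name="hook">The IClassFactory::CreateInstance hook (unused).</param>
        /// <param name="proc">Target process whose memory is read.</param>
        /// <param name="callInfo">Call context: the HRESULT result and the four
        /// CreateInstance parameters (this, pUnkOuter, riid, ppvObject).</param>
        /// <remarks>
        /// Every pointer used here is read from the target process and is not
        /// trusted: a NULL at either level (ppvObject itself, the object it points
        /// to, or the object's vtable pointer) ends the handler instead of being
        /// dereferenced, even though a success HRESULT would normally guarantee a
        /// valid object.
        /// </remarks>
        static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // SUCCEEDED(hr): the HRESULT severity bit (bit 31) is clear.
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
            {
                return;
            }

            NktParamsEnum pms = callInfo.Params();

            // Parameter 0 is the interface pointer ("this"), so riid is parameter 2.
            string requestedIid = pms.GetAt(2).GuidString;
            switch (requestedIid)
            {
                case "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}":
                case "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}":
                case "{88A05C00-F000-11CE-8350-444553540000}":
                    break;
                default:
                    return;
            }

            // ppvObject (parameter 3) is an out pointer; Evaluate() follows it to the
            // interface pointer the factory wrote. Guard both levels before reading.
            if (pms.GetAt(3).IsNullPointer)
            {
                return;
            }
            IntPtr objectPtr = pms.GetAt(3).Evaluate().PointerVal;
            if (objectPtr == IntPtr.Zero)
            {
                return;
            }

            // The first pointer-sized field of a COM object is its vtable pointer.
            IntPtr vtable = proc.Memory().get_SSizeTVal(objectPtr);
            if (vtable == IntPtr.Zero)
            {
                return;
            }

            // CreateInstance is slot 3, after QueryInterface/AddRef/Release.
            // NOTE(review): IntPtr.Size is the host's pointer width; for a target of a
            // different bitness the slot stride would have to follow the target instead.
            IntPtr addr = proc.Memory().get_SSizeTVal((IntPtr)(vtable.ToInt64() + 3 * IntPtr.Size));

            // At this point the same steps used to hook IClassFactory::CreateInstance
            // would be applied to `addr` and to the other methods of interest.
            /*
             * .
             * .
             * .
             */
        }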
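        /// <summary>
        /// Hook handler for MapViewOfFile: hands the file mapping about to be viewed to
        /// <c>LookForMalware</c> and, if it is flagged, fails the call with
        /// ERROR_FILE_NOT_FOUND instead of letting the view be created.
        /// </summary>
        /// <param name="Hook">The MapViewOfFile hook (unused).</param>
        /// <param name="proc">The hooked process as passed by Deviare (unused; the
        /// process is taken from <paramref name="callInfo"/> instead).</param>
        /// <param name="callInfo">Call context: parameter 0 is hFileMappingObject,
        /// parameter 4 is dwNumberOfBytesToMap.</param>
        /// <remarks>
        /// Blocking relies on <c>SkipCall()</c>, which only has effect in a pre-call
        /// notification, so this handler must be registered for the pre-call phase.
        /// Two limits to settle before treating this as a security control:
        /// (1) a dwNumberOfBytesToMap of 0 asks Windows to map up to the end of the
        /// mapping, so the scanner receives a length of 0 for such calls — unless
        /// <c>LookForMalware</c> sizes the mapping itself, passing 0 bypasses the scan;
        /// (2) <c>(uint)length</c> narrows a SIZE_T, and for views of 2 GiB or more it
        /// either throws (the call then proceeds unscanned) or truncates (only part of
        /// the view is scanned), depending on which IntPtr conversion applies.
        /// NOTE(review): both depend on the <c>LookForMalware</c> contract, which is not
        /// visible in this listing.
        /// </remarks>
        private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            NktParamsEnum pms = callInfo.Params();
            IntPtr maphandle = pms.GetAt(0).PointerVal;
            IntPtr length = pms.GetAt(4).PointerVal;

            Debug.WriteLine($"MapViewOfFile:: with maphandle = {maphandle} dwNumberOfBytesToMap = {length}");

            // 0x1FFFF = DELETE (0x10000) plus every process-specific right (0xFFFF).
            // NOTE(review): if LookForMalware only reads, PROCESS_VM_READ |
            // PROCESS_QUERY_INFORMATION would be the least-privilege mask; also confirm
            // whether Deviare expects the caller to close this handle. Neither can be
            // verified from this listing, so the original mask is kept.
            IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);

            // SIZE_T -> uint narrowing; see the remarks for its limits.
            bool is_malware = LookForMalware(process_handle, maphandle, (uint)length);

            if (is_malware)
            {
                // Fail the call the way a missing file would: NULL view + ERROR_FILE_NOT_FOUND.
                callInfo.Result().PointerVal = IntPtr.Zero;
                callInfo.LastError = 2;
                callInfo.SkipCall();
            }
        }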
        /// <summary>
        /// Hook handler for CreateToolhelp32Snapshot: records the snapshot flags and
        /// the returned handle as a HandleCreation/ToolHelp report.
        /// </summary>
        /// <param name="hook">The firing hook, forwarded to <c>Base</c>.</param>
        /// <param name="process">The hooked process, forwarded to <c>Base</c>.</param>
        /// <param name="callInfo">Call context: parameter 0 is dwFlags; the result is the handle.</param>
        /// <remarks>
        /// A null from <c>Base</c> means the call is not to be reported and nothing is
        /// queued. The report ID is assigned again here even though it was already
        /// handed to <c>Base</c>, as in the original listing.
        /// </remarks>
        static void OnCreateToolhelp32Snapshot(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            var report = Base(APIType.HandleCreation, APICategory.ToolHelp, APIID.CreateToolhelp, hook, process, callInfo);
            if (report is null)
            {
                return;
            }

            report.ID = APIID.CreateToolhelp;
            report.Parameter = new CreateToolhelp32Snapshot
            {
                Flags = callInfo.Params().GetAt(0).ULongVal,
                Handle = callInfo.Result().SizeTVal,
            };
            Reports.Enqueue(report);
        }
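        /// <summary>
        /// Hook handler for CreateFile: records the requested path, desired access,
        /// creation disposition and the returned handle as a HandleCreation/Files report.
        /// </summary>
        /// <param name="hook">The firing hook, forwarded to <c>Base</c>.</param>
        /// <param name="process">The hooked process, forwarded to <c>Base</c>.</param>
        /// <param name="callInfo">Call context: parameter 0 is lpFileName, 1 is
        /// dwDesiredAccess, 4 is dwCreationDisposition; the result is the handle.</param>
        /// <remarks>
        /// lpFileName may be NULL (the call fails, but the hook still fires). Such
        /// calls are reported with "N/A" — the convention <c>OnLoadLibrary</c> already
        /// uses — instead of letting <c>ReadString()</c> fault on a null pointer.
        /// NOTE(review): the path is read from target memory when the hook runs; a
        /// racing thread in the target can rewrite that buffer, so the recorded string
        /// is best-effort telemetry rather than exactly what the kernel saw.
        /// </remarks>
        static void OnCreateFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            var report = Base(APIType.HandleCreation, APICategory.Files, APIID.CreateFile, hook, process, callInfo);
            if (report == null)
            {
                return;
            }

            var pms = callInfo.Params();
            var param = new CreateFileParameter();

            // Guard a NULL lpFileName before dereferencing it.
            param.Path       = pms.GetAt(0).IsNullPointer ? "N/A" : pms.GetAt(0).ReadString();
            param.Access     = pms.GetAt(1).ULongVal;   // dwDesiredAccess
            param.Mode       = pms.GetAt(4).ULongVal;   // dwCreationDisposition
            param.Handle     = callInfo.Result().SizeTVal;
            report.Parameter = param;
            Reports.Enqueue(report);
        }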
        /// <summary>
        /// Hook handler for LoadLibrary: records the requested library name and the
        /// returned module handle as a HandleCreation/LibraryLoading report.
        /// </summary>
        /// <param name="hook">The firing hook, forwarded to <c>Base</c>.</param>
        /// <param name="process">The hooked process, forwarded to <c>Base</c>.</param>
        /// <param name="callInfo">Call context: parameter 0 is lpLibFileName; the result is the handle.</param>
        /// <remarks>
        /// A NULL library name is recorded as "N/A". The name is what the caller passed,
        /// not the path the loader resolved it to, so it cannot by itself identify which
        /// file was loaded.
        /// </remarks>
        static void OnLoadLibrary(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            var report = Base(APIType.HandleCreation, APICategory.LibraryLoading, APIID.LoadLibrary, hook, process, callInfo);
            if (report == null)
            {
                return;
            }

            var nameArg = callInfo.Params().GetAt(0);
            var param = new LoadLibraryParameter
            {
                LibraryName = nameArg.IsNullPointer ? "N/A" : nameArg.ReadString(),
                Handle = callInfo.Result().SizeTVal,
            };

            report.Parameter = param;
            Reports.Enqueue(report);
        }
File: Program.cs — Project: zelorun/Deviare2
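        /// <summary>
        /// Post-call handler for DllGetClassObject. When the call succeeded and the
        /// requested CLSID is ShellFolderView, resolves the factory object's
        /// CreateInstance (IClassFactory) or CreateInstance/CreateInstanceLic
        /// (IClassFactory2) vtable entries in the target and installs post-call hooks
        /// on them.
        /// </summary>
        /// <param name="hook">The DllGetClassObject hook (unused).</param>
        /// <param name="proc">Target process; its memory is read and the new hooks are attached to it.</param>
        /// <param name="callInfo">Call context: rclsid (param 0), riid (param 1), ppv (param 2) and the HRESULT result.</param>
        /// <remarks>
        /// Each hook field is created under <c>hookLock</c> with a null check before
        /// and after taking the lock, so concurrent callbacks cannot install two hooks
        /// for one slot. The handler is subscribed before <c>Hook(true)</c> so that a
        /// call landing between activation and subscription is not dropped, and the
        /// field is published only once the hook is fully installed.
        /// The hook fields are static, so only the first process that produces the
        /// factory gets hooked; later processes find the field non-null and are skipped.
        /// Pointers read from the target are not trusted: a NULL object or vtable
        /// pointer means no hook is installed for that slot.
        /// NOTE(review): the IClassFactory hook passes flgDontCheckAddress while the
        /// two IClassFactory2 hooks do not, and the listing gives no reason for the
        /// difference. Since the hooked address is read from target memory, confirm
        /// which behaviour is intended before relying on either.
        /// </remarks>
        static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // SUCCEEDED(hr): the HRESULT severity bit (bit 31) is clear.
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
            {
                return;
            }

            NktParamsEnum pms = callInfo.Params();

            // rclsid (parameter 0): only the ShellFolderView coclass is of interest.
            if (pms.GetAt(0).GuidString != "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
            {
                return;
            }

            // riid (parameter 1) says which factory interface was produced.
            string requestedIid = pms.GetAt(1).GuidString;

            if (requestedIid == "{00000001-0000-0000-C000-000000000046}")
            {
                // IID_IClassFactory: CreateInstance is vtable slot 3 (after IUnknown's three).
                if (hookIClassFactory_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory_CreateInstance == null)
                        {
                            // ppv (parameter 2) is an out pointer; Evaluate() yields the factory object.
                            IntPtr entry = ResolveVtableSlot(proc, pms.GetAt(2).Evaluate().PointerVal, 3);
                            if (entry != IntPtr.Zero)
                            {
                                var h = spyMgr.CreateHookForAddress(entry, "IClassFactory::CreateInstance",
                                    (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
                                h.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
                                h.Attach(proc.Id, true);
                                h.Hook(true);
                                hookIClassFactory_CreateInstance = h;
                            }
                        }
                    }
                }
            }

            if (requestedIid == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
            {
                // IID_IClassFactory2: CreateInstance is slot 3, CreateInstanceLic is slot 7
                // (IUnknown x3, CreateInstance, LockServer, GetLicInfo, RequestLicKey, CreateInstanceLic).
                if (hookIClassFactory2_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory2_CreateInstance == null)
                        {
                            IntPtr entry = ResolveVtableSlot(proc, pms.GetAt(2).Evaluate().PointerVal, 3);
                            if (entry != IntPtr.Zero)
                            {
                                var h = spyMgr.CreateHookForAddress(entry, "IClassFactory2::CreateInstance",
                                    (int)eNktHookFlags.flgOnlyPostCall);
                                h.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
                                h.Attach(proc.Id, true);
                                h.Hook(true);
                                hookIClassFactory2_CreateInstance = h;
                            }
                        }

                        if (hookIClassFactory2_CreateInstanceLic == null)
                        {
                            IntPtr entry = ResolveVtableSlot(proc, pms.GetAt(2).Evaluate().PointerVal, 7);
                            if (entry != IntPtr.Zero)
                            {
                                var h = spyMgr.CreateHookForAddress(entry, "IClassFactory2::CreateInstanceLic",
                                    (int)eNktHookFlags.flgOnlyPostCall);
                                h.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
                                h.Attach(proc.Id, true);
                                h.Hook(true);
                                hookIClassFactory2_CreateInstanceLic = h;
                            }
                        }
                    }
                }
            }
        }

        /// <summary>
        /// Reads the entry at vtable index <paramref name="slot"/> of the COM object
        /// located at <paramref name="objectPtr"/> in <paramref name="proc"/>.
        /// </summary>
        /// <param name="proc">Target process whose memory is read.</param>
        /// <param name="objectPtr">Address of the COM object in the target.</param>
        /// <param name="slot">Zero-based vtable index of the method.</param>
        /// <returns>The method entry point, or <c>IntPtr.Zero</c> when the object
        /// pointer or its vtable pointer is NULL.</returns>
        /// <remarks>
        /// Both pointers come from the target process and are not trusted; a NULL is
        /// reported rather than dereferenced. The stride uses the host pointer size.
        /// NOTE(review): for a target of a different bitness than this spy, the stride
        /// (and the width read by get_SSizeTVal) would have to follow the target; that
        /// cannot be verified from this listing.
        /// </remarks>
        private static IntPtr ResolveVtableSlot(NktProcess proc, IntPtr objectPtr, int slot)
        {
            if (objectPtr == IntPtr.Zero)
            {
                return IntPtr.Zero;
            }

            // The first pointer-sized field of a COM object is its vtable pointer.
            IntPtr vtable = proc.Memory().get_SSizeTVal(objectPtr);
            if (vtable == IntPtr.Zero)
            {
                return IntPtr.Zero;
            }

            IntPtr entryAddress = (IntPtr)(vtable.ToInt64() + slot * IntPtr.Size);
            return proc.Memory().get_SSizeTVal(entryAddress);
        }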
File: Program.cs — Project: subTee/Deviare2
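        /// <summary>
        /// Post-call handler for DllGetClassObject. When the call succeeded and the
        /// requested CLSID is ShellFolderView, resolves the factory object's
        /// CreateInstance (IClassFactory) or CreateInstance/CreateInstanceLic
        /// (IClassFactory2) vtable entries in the target and installs post-call hooks
        /// on them.
        /// </summary>
        /// <param name="hook">The DllGetClassObject hook (unused).</param>
        /// <param name="proc">Target process; its memory is read and the new hooks are attached to it.</param>
        /// <param name="callInfo">Call context: rclsid (param 0), riid (param 1), ppv (param 2) and the HRESULT result.</param>
        /// <remarks>
        /// Each hook field is created under <c>hookLock</c> with a null check before
        /// and after taking the lock, so concurrent callbacks cannot install two hooks
        /// for one slot. The handler is subscribed before <c>Hook(true)</c> so that a
        /// call landing between activation and subscription is not dropped, and the
        /// field is published only once the hook is fully installed.
        /// The hook fields are static, so only the first process that produces the
        /// factory gets hooked; later processes find the field non-null and are skipped.
        /// Pointers read from the target are not trusted: a NULL object or vtable
        /// pointer means no hook is installed for that slot.
        /// NOTE(review): the IClassFactory hook passes flgDontCheckAddress while the
        /// two IClassFactory2 hooks do not, and the listing gives no reason for the
        /// difference. Since the hooked address is read from target memory, confirm
        /// which behaviour is intended before relying on either.
        /// </remarks>
        static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // SUCCEEDED(hr): the HRESULT severity bit (bit 31) is clear.
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
            {
                return;
            }

            NktParamsEnum pms = callInfo.Params();

            // rclsid (parameter 0): only the ShellFolderView coclass is of interest.
            if (pms.GetAt(0).GuidString != "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
            {
                return;
            }

            // riid (parameter 1) says which factory interface was produced.
            string requestedIid = pms.GetAt(1).GuidString;

            if (requestedIid == "{00000001-0000-0000-C000-000000000046}")
            {
                // IID_IClassFactory: CreateInstance is vtable slot 3 (after IUnknown's three).
                if (hookIClassFactory_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory_CreateInstance == null)
                        {
                            // ppv (parameter 2) is an out pointer; Evaluate() yields the factory object.
                            IntPtr entry = ResolveVtableSlot(proc, pms.GetAt(2).Evaluate().PointerVal, 3);
                            if (entry != IntPtr.Zero)
                            {
                                var h = spyMgr.CreateHookForAddress(entry, "IClassFactory::CreateInstance",
                                    (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
                                h.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
                                h.Attach(proc.Id, true);
                                h.Hook(true);
                                hookIClassFactory_CreateInstance = h;
                            }
                        }
                    }
                }
            }

            if (requestedIid == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
            {
                // IID_IClassFactory2: CreateInstance is slot 3, CreateInstanceLic is slot 7
                // (IUnknown x3, CreateInstance, LockServer, GetLicInfo, RequestLicKey, CreateInstanceLic).
                if (hookIClassFactory2_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory2_CreateInstance == null)
                        {
                            IntPtr entry = ResolveVtableSlot(proc, pms.GetAt(2).Evaluate().PointerVal, 3);
                            if (entry != IntPtr.Zero)
                            {
                                var h = spyMgr.CreateHookForAddress(entry, "IClassFactory2::CreateInstance",
                                    (int)eNktHookFlags.flgOnlyPostCall);
                                h.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
                                h.Attach(proc.Id, true);
                                h.Hook(true);
                                hookIClassFactory2_CreateInstance = h;
                            }
                        }

                        if (hookIClassFactory2_CreateInstanceLic == null)
                        {
                            IntPtr entry = ResolveVtableSlot(proc, pms.GetAt(2).Evaluate().PointerVal, 7);
                            if (entry != IntPtr.Zero)
                            {
                                var h = spyMgr.CreateHookForAddress(entry, "IClassFactory2::CreateInstanceLic",
                                    (int)eNktHookFlags.flgOnlyPostCall);
                                h.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
                                h.Attach(proc.Id, true);
                                h.Hook(true);
                                hookIClassFactory2_CreateInstanceLic = h;
                            }
                        }
                    }
                }
            }
        }

        /// <summary>
        /// Reads the entry at vtable index <paramref name="slot"/> of the COM object
        /// located at <paramref name="objectPtr"/> in <paramref name="proc"/>.
        /// </summary>
        /// <param name="proc">Target process whose memory is read.</param>
        /// <param name="objectPtr">Address of the COM object in the target.</param>
        /// <param name="slot">Zero-based vtable index of the method.</param>
        /// <returns>The method entry point, or <c>IntPtr.Zero</c> when the object
        /// pointer or its vtable pointer is NULL.</returns>
        /// <remarks>
        /// Both pointers come from the target process and are not trusted; a NULL is
        /// reported rather than dereferenced. The stride uses the host pointer size.
        /// NOTE(review): for a target of a different bitness than this spy, the stride
        /// (and the width read by get_SSizeTVal) would have to follow the target; that
        /// cannot be verified from this listing.
        /// </remarks>
        private static IntPtr ResolveVtableSlot(NktProcess proc, IntPtr objectPtr, int slot)
        {
            if (objectPtr == IntPtr.Zero)
            {
                return IntPtr.Zero;
            }

            // The first pointer-sized field of a COM object is its vtable pointer.
            IntPtr vtable = proc.Memory().get_SSizeTVal(objectPtr);
            if (vtable == IntPtr.Zero)
            {
                return IntPtr.Zero;
            }

            IntPtr entryAddress = (IntPtr)(vtable.ToInt64() + slot * IntPtr.Size);
            return proc.Memory().get_SSizeTVal(entryAddress);
        }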
File: Program.cs — Project: subTee/Deviare2
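        /// <summary>
        /// Post-call handler for the hooked IClassFactory::CreateInstance. When the
        /// call succeeded and the requested IID is one of the three shell-view
        /// interfaces listed below, resolves the new object's fourth vtable slot in
        /// the target so that it can be hooked in turn (the hooking itself is elided
        /// in this example).
        /// </summary>
        /// <param name="hook">The IClassFactory::CreateInstance hook (unused).</param>
        /// <param name="proc">Target process whose memory is read.</param>
        /// <param name="callInfo">Call context: the HRESULT result and the four
        /// CreateInstance parameters (this, pUnkOuter, riid, ppvObject).</param>
        /// <remarks>
        /// Every pointer used here is read from the target process and is not
        /// trusted: a NULL at either level (ppvObject itself, the object it points
        /// to, or the object's vtable pointer) ends the handler instead of being
        /// dereferenced, even though a success HRESULT would normally guarantee a
        /// valid object.
        /// </remarks>
        static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // SUCCEEDED(hr): the HRESULT severity bit (bit 31) is clear.
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
            {
                return;
            }

            NktParamsEnum pms = callInfo.Params();

            // Parameter 0 is the interface pointer ("this"), so riid is parameter 2.
            string requestedIid = pms.GetAt(2).GuidString;
            switch (requestedIid)
            {
                case "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}":
                case "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}":
                case "{88A05C00-F000-11CE-8350-444553540000}":
                    break;
                default:
                    return;
            }

            // ppvObject (parameter 3) is an out pointer; Evaluate() follows it to the
            // interface pointer the factory wrote. Guard both levels before reading.
            if (pms.GetAt(3).IsNullPointer)
            {
                return;
            }
            IntPtr objectPtr = pms.GetAt(3).Evaluate().PointerVal;
            if (objectPtr == IntPtr.Zero)
            {
                return;
            }

            // The first pointer-sized field of a COM object is its vtable pointer.
            IntPtr vtable = proc.Memory().get_SSizeTVal(objectPtr);
            if (vtable == IntPtr.Zero)
            {
                return;
            }

            // CreateInstance is slot 3, after QueryInterface/AddRef/Release.
            // NOTE(review): IntPtr.Size is the host's pointer width; for a target of a
            // different bitness the slot stride would have to follow the target instead.
            IntPtr addr = proc.Memory().get_SSizeTVal((IntPtr)(vtable.ToInt64() + 3 * IntPtr.Size));

            // At this point the same steps used to hook IClassFactory::CreateInstance
            // would be applied to `addr` and to the other methods of interest.
            /*
            .
            .
            .
            */
        }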
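        /// <summary>
        /// Hook handler for MapViewOfFile: hands the file mapping about to be viewed to
        /// <c>LookForMalware</c> and, if it is flagged, fails the call with
        /// ERROR_FILE_NOT_FOUND instead of letting the view be created.
        /// </summary>
        /// <param name="Hook">The MapViewOfFile hook (unused).</param>
        /// <param name="proc">The hooked process as passed by Deviare (unused; the
        /// process is taken from <paramref name="callInfo"/> instead).</param>
        /// <param name="callInfo">Call context: parameter 0 is hFileMappingObject,
        /// parameter 4 is dwNumberOfBytesToMap.</param>
        /// <remarks>
        /// Blocking relies on <c>SkipCall()</c>, which only has effect in a pre-call
        /// notification, so this handler must be registered for the pre-call phase.
        /// Two limits to settle before treating this as a security control:
        /// (1) a dwNumberOfBytesToMap of 0 asks Windows to map up to the end of the
        /// mapping, so the scanner receives a length of 0 for such calls — unless
        /// <c>LookForMalware</c> sizes the mapping itself, passing 0 bypasses the scan;
        /// (2) <c>(uint)length</c> narrows a SIZE_T, and for views of 2 GiB or more it
        /// either throws (the call then proceeds unscanned) or truncates (only part of
        /// the view is scanned), depending on which IntPtr conversion applies.
        /// NOTE(review): both depend on the <c>LookForMalware</c> contract, which is not
        /// visible in this listing.
        /// </remarks>
        private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            NktParamsEnum pms = callInfo.Params();
            IntPtr maphandle = pms.GetAt(0).PointerVal;
            IntPtr length = pms.GetAt(4).PointerVal;

            Debug.WriteLine($"MapViewOfFile:: with maphandle = {maphandle} dwNumberOfBytesToMap = {length}");

            // 0x1FFFF = DELETE (0x10000) plus every process-specific right (0xFFFF).
            // NOTE(review): if LookForMalware only reads, PROCESS_VM_READ |
            // PROCESS_QUERY_INFORMATION would be the least-privilege mask; also confirm
            // whether Deviare expects the caller to close this handle. Neither can be
            // verified from this listing, so the original mask is kept.
            IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);

            // SIZE_T -> uint narrowing; see the remarks for its limits.
            bool is_malware = LookForMalware(process_handle, maphandle, (uint)length);

            if (is_malware)
            {
                // Fail the call the way a missing file would: NULL view + ERROR_FILE_NOT_FOUND.
                callInfo.Result().PointerVal = IntPtr.Zero;
                callInfo.LastError = 2;
                callInfo.SkipCall();
            }
        }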