コード例 #1
0
ファイル: AgentScanner.cs プロジェクト: kumaraguruv/codeword
        /////////////////////////////////////////////////////
        //                                                 //
        // DoKernelModeHeuristics()                        //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Communicates with kernel-mode driver
        //              to perform advanced heuristic analysis.
        //              (oooo...aaaahhh)
        //
        //Returns:      true if successful
        //////////////////////////////////////////////////////
        private unsafe bool DoKernelModeHeuristics()
        {
            AgentHeuristicMatches.KernelModeMatches = new CwXML.KernelModeHeuristicMatches();

            AgentScanLog.AppendLine("");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("          KERNEL-MODE HEURISTICS             ");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("");

            //----------------------------------------------
            //
            //                  SSDT HOOKS
            //
            //----------------------------------------------
            #region SSDT HOOKS

            if (AgentSettings["KernelHeuristics_SSDT_DetectHooks"] == "True")
            {
                AgentScanLog.AppendLine("------------------------");
                AgentScanLog.AppendLine("    SSDT HOOKS       ");
                AgentScanLog.AppendLine("------------------------");

                CwStructures.HOOKED_SSDT_TABLE HookTable = new CwStructures.HOOKED_SSDT_TABLE();

                try
                {
                    HookTable = HeuristicsKernelModeHelper.GetSSDTHooks();
                }
                catch (Exception ex)
                {
                    AgentScanLog.AppendLine("SCAN:  Error checking for SSDT hooks:  " + ex.Message);
                }

                //save the hook table to return object.
                AgentHeuristicMatches.KernelModeMatches.SSDTHookTable = HookTable;
            }
            else
            {
                AgentHeuristicMatches.KernelModeMatches.SSDTHookTable = new CwStructures.HOOKED_SSDT_TABLE();
            }
            #endregion

            //----------------------------------------------
            //
            //                  SSDT DETOURS
            //
            //----------------------------------------------
            #region SSDT DETOURS

            if (AgentSettings["KernelHeuristics_SSDT_DetectDetours"] == "True")
            {
                AgentScanLog.AppendLine("------------------------");
                AgentScanLog.AppendLine("    SSDT DETOURS       ");
                AgentScanLog.AppendLine("------------------------");

                CwStructures.DETOURED_SSDT_TABLE DetourTable = new CwStructures.DETOURED_SSDT_TABLE();

                try
                {
                    DetourTable = HeuristicsKernelModeHelper.GetSSDTDetours();
                }
                catch (Exception ex)
                {
                    AgentScanLog.AppendLine("SCAN:  Error checking for SSDT detours:  " + ex.Message);
                }

                //save the hook table to return object.
                AgentHeuristicMatches.KernelModeMatches.SSDTDetourTable = DetourTable;
            }
            else
            {
                AgentHeuristicMatches.KernelModeMatches.SSDTDetourTable = new CwStructures.DETOURED_SSDT_TABLE();
            }

            #endregion

            //----------------------------------------------
            //
            //                  WIN32 API DETOURS
            //
            //----------------------------------------------
            //
            //TODO:  this functionality is disabled until fixed.
            //
            #region WIN32 API DETOURS
            /*
            if (AgentSettings["KernelHeuristics_Win32Api_CheckExportsForDetours"] == "True")
            {
                AgentScanLog.AppendLine("------------------------");
                AgentScanLog.AppendLine("    WIN32 API DETOURS   ");
                AgentScanLog.AppendLine("------------------------");

                string[] DirtyDlls = new string[] { "ntdll.dll","kernel32.dll","user32.dll","advapi32.dll",
                                                       "gdi32.dll","comdlg32.dll","comctl32.dll","commctrl.dll",
                                                       "shell.dll","shlwapi.dll","mshtml.dll","urlmon.dll"}; //ntdll.dll??

                //initialize return object to 12 items
                AgentHeuristicMatches.KernelModeMatches.Win32DetourTable = new CwStructures.WIN32API_DETOUR_TABLE[12];

                //loop through DLLs we care about
                for (int i = 0; i < DirtyDlls.Length; i++)
                {
                    CwStructures.WIN32API_DETOUR_TABLE ModuleDetourTable = new CwStructures.WIN32API_DETOUR_TABLE();
                    string thisDLL = DirtyDlls[i];

                    try
                    {
                        ModuleDetourTable = HeuristicsKernelModeHelper.GetModuleDetours(thisDLL);
                    }
                    catch (Exception ex)
                    {
                        AgentScanLog.AppendLine("SCAN:  Error checking for detours in module '" + thisDLL + "':  " + ex.Message);
                        continue;
                    }

                    //save the hook table to return object.
                    AgentHeuristicMatches.KernelModeMatches.Win32DetourTable[i] = ModuleDetourTable;
                }
            }
            else
            {
                AgentHeuristicMatches.KernelModeMatches.Win32DetourTable = new CwStructures.WIN32API_DETOUR_TABLE[0];
            }
            */
            #endregion

            //----------------------------------------------
            //
            //                  IRP HOOKS
            //
            //----------------------------------------------
            #region IRP HOOOKS

            if (AgentSettings["DriversHeuristics_DetectIRPHooks"] == "True" && AgentSettings.ContainsKey("AddDriverListview"))
            {
                //get the list of driver names and objects
                //it is stored in the settings variable "AddDriverListview"
                //as a comma-separated list:
                //      string[]=  {driver1,device1,driver2,device2,..}
                string drivers = AgentSettings["AddDriverListview"];

                if (drivers.IndexOf(",") != -1)
                {
                    //values were stored as comma-separated list
                    string[] items = drivers.Split(new char[] { ',' });
                    //get DRIVER_CHECK_INFO structs from the driver/device pairs
                    ArrayList driversToCheck = DriverHelper.GetDriverInfoStructs(items);

                    //bail completely
                    if (driversToCheck == null)
                    {
                        AgentHeuristicMatches.KernelModeMatches.DriverIrpHooksTable = new CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE[0];
                        return false;
                    }
                    AgentScanLog.AppendLine("------------------------");
                    AgentScanLog.AppendLine("        IRP HOOKS       ");
                    AgentScanLog.AppendLine("------------------------");
                    AgentHeuristicMatches.KernelModeMatches.DriverIrpHooksTable = new CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE[driversToCheck.Count];
                    int count = 0;

                    //loop through all drivers/device name combinations supplied by user and check for IRP hooks
                    foreach (CwStructures.DRIVER_CHECK_INFO thisDriver in (CwStructures.DRIVER_CHECK_INFO[])driversToCheck.ToArray(typeof(CwStructures.DRIVER_CHECK_INFO)))
                    {
                        CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE DriverHookTable = new CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE();

                        try
                        {
                            DriverHookTable = HeuristicsKernelModeHelper.GetHookedDispatchFunctionsInDriver(thisDriver);
                        }
                        catch (Exception ex)
                        {
                            AgentScanLog.AppendLine("SCAN:  Error checking for IRP hooks:  " + ex.Message);
                        }
                        AgentHeuristicMatches.KernelModeMatches.DriverIrpHooksTable[count] = DriverHookTable;
                        count++;
                    }
                }
                else
                {
                    AgentHeuristicMatches.KernelModeMatches.DriverIrpHooksTable = new CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE[0];
                }
            }
            else
            {
                AgentHeuristicMatches.KernelModeMatches.DriverIrpHooksTable = new CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE[0];
            }

            #endregion

            //----------------------------------------------
            //
            //                  IRP DETOURS
            //
            //----------------------------------------------
            #region IRP DETOURS

            if (AgentSettings["DriversHeuristics_CheckDispatchRoutinesForDetours"] == "True" && AgentSettings.ContainsKey("AddDriverListview"))
            {
                //get the list of driver names and objects
                //it is stored in the settings variable "AddDriverListview"
                //as a comma-separated list:
                //      string[]=  {driver1,device1,driver2,device2,..}
                string drivers = AgentSettings["AddDriverListview"];

                if (drivers.IndexOf(",") != -1)
                {
                    //values were stored as comma-separated list
                    string[] items = drivers.Split(new char[] { ',' });
                    //get DRIVER_CHECK_INFO structs from the driver/device pairs
                    ArrayList driversToCheck = DriverHelper.GetDriverInfoStructs(items);

                    //bail completely
                    if (driversToCheck == null)
                    {
                        AgentHeuristicMatches.KernelModeMatches.DriverIrpHooksTable = new CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE[0];
                        return false;
                    }

                    AgentScanLog.AppendLine("------------------------");
                    AgentScanLog.AppendLine("      IRP DETOURS       ");
                    AgentScanLog.AppendLine("------------------------");

                    AgentHeuristicMatches.KernelModeMatches.DriverIrpDetoursTable = new CwStructures.DETOURED_DISPATCH_FUNCTIONS_TABLE[driversToCheck.Count];
                    int count = 0;

                    //loop through all drivers/device name combinations supplied by user and check for IRP hooks
                    foreach (CwStructures.DRIVER_CHECK_INFO thisDriver in (CwStructures.DRIVER_CHECK_INFO[])driversToCheck.ToArray(typeof(CwStructures.DRIVER_CHECK_INFO)))
                    {
                        CwStructures.DETOURED_DISPATCH_FUNCTIONS_TABLE DriverDetoursTable = new CwStructures.DETOURED_DISPATCH_FUNCTIONS_TABLE();

                        try
                        {
                            DriverDetoursTable = HeuristicsKernelModeHelper.GetDetouredDispatchFunctionsInDriver(thisDriver);
                        }
                        catch (Exception ex)
                        {
                            AgentScanLog.AppendLine("SCAN:  Error checking for IRP hooks:  " + ex.Message);
                        }

                        AgentHeuristicMatches.KernelModeMatches.DriverIrpDetoursTable[count] = DriverDetoursTable;
                        count++;
                    }
                }
                else
                {
                    AgentHeuristicMatches.KernelModeMatches.DriverIrpDetoursTable = new CwStructures.DETOURED_DISPATCH_FUNCTIONS_TABLE[0];
                }
            }
            else
            {
                AgentHeuristicMatches.KernelModeMatches.DriverIrpDetoursTable = new CwStructures.DETOURED_DISPATCH_FUNCTIONS_TABLE[0];
            }

            #endregion

            return true;
        }
コード例 #2
0
            /////////////////////////////////////////////////////
            //                                                 //
            // GetHookedDispatchFunctionsInDriver()            //
            //                                                 //
            /////////////////////////////////////////////////////
            //Description:  Attempts to detect any hooked dispatch functions in the
            //              given driver by examining its IRP table.
            //
            //Returns:      a HOOKED_DISPATCH_FUNCTIONS_TABLE structure
            /////////////////////////////////////////////////////
            internal static CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE GetHookedDispatchFunctionsInDriver(CwStructures.DRIVER_CHECK_INFO driverInfoStruct)
            {
                //-----------------------------
                //      SEND COMMAND
                //-----------------------------
                //build the IOCTL to send to driver
                uint ioctl = Win32Helper.GetIOCTL(CwConstants.CW_DRIVER_IRP_HOOK_DETECTION, Win32Helper.METHOD_OUT_DIRECT);

                //build our buffers
                int InBufSize = Marshal.SizeOf(typeof(CwStructures.DRIVER_CHECK_INFO));
                int OutBufSize = Marshal.SizeOf(typeof(CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE));
                IntPtr lpInBuf = Marshal.AllocHGlobal(InBufSize);
                try
                {
                    Marshal.StructureToPtr(driverInfoStruct, lpInBuf, true);
                }
                catch (Exception ex)
                {
                    throw new Exception("SendDriverCommand() failed:  " + ex.Message);
                }

                IntPtr lpOutBuf = Marshal.AllocHGlobal(OutBufSize);
                int bytesReturned = 0;

                //send the IOCTL
                try
                {
                    bytesReturned = DriverHelper.SendDriverCommand(ioctl, lpInBuf, InBufSize, ref lpOutBuf, OutBufSize);
                }
                catch (Exception ex)
                {
                    Marshal.FreeHGlobal(lpInBuf);
                    throw new Exception("SendDriverCommand() failed:  " + ex.Message);
                }

                Marshal.FreeHGlobal(lpInBuf);

                if (bytesReturned == 0)
                    throw new Exception("A 0-length buffer was returned from the driver.");

                //-----------------------------
                //      PROCESS RESULTS
                //-----------------------------
                CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE DriverHookTable = new CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE();

                //try to marshal the ptr
                try
                {
                    DriverHookTable = (CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE)Marshal.PtrToStructure(lpOutBuf, typeof(CwStructures.HOOKED_DISPATCH_FUNCTIONS_TABLE));
                }
                catch (Exception ex)
                {
                    throw new Exception("Failed to marshal lpOutBuf pointer to DriverHookTable structure:  " + ex.Message);
                }

                Marshal.FreeHGlobal(lpOutBuf);

                AgentScanLog.AppendLine("SCAN:  Detected " + DriverHookTable.NumHookedEntries + " IRP hooks.");

                //loop through hooks and print them out in our log
                for (int i = 0; i < DriverHookTable.NumHookedEntries; i++)
                {
                    CwStructures.HOOKED_DISPATCH_FUNCTION_ENTRY de = new CwStructures.HOOKED_DISPATCH_FUNCTION_ENTRY();
                    de = DriverHookTable.HookedEntries[i];
                    AgentScanLog.AppendLine("SCAN:       " + de.DispatchFunctionName + "()'s major function code 0x"+de.IrpMajorFunctionHooked.ToString("x")+" is hooked to function at address 0x" + de.DispatchFunctionAddress.ToString("x"));
                }

                return DriverHookTable;
            }