コード例 #1
0
        //hook function
        /// <summary>
        /// The ReadFile hook function. This will be called instead of the original ReadFile once hooked.
        /// </summary>
        /// <param name="hFile"></param>
        /// <param name="lpBuffer"></param>
        /// <param name="nNumberOfBytesToRead"></param>
        /// <param name="lpNumberOfBytesRead"></param>
        /// <param name="lpOverlapped"></param>
        /// <returns></returns>
        public static bool ReadFile_Hook(
            IntPtr hFile,
            IntPtr lpBuffer,
            uint nNumberOfBytesToRead,
            out uint lpNumberOfBytesRead,
            IntPtr lpOverlapped)
        {
            string typeAfter = "-1";
            bool   result    = ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, out lpNumberOfBytesRead, lpOverlapped);
            double entropy   = -1;

            try
            {
                //get entropy of buffer
                byte[] buffer = new byte[lpNumberOfBytesRead];
                Marshal.Copy(lpBuffer, buffer, 0, (int)lpNumberOfBytesRead);
                entropy = DataEntropy.GetEntropyOfStream(buffer, (int)lpNumberOfBytesRead);

                //// Retrieve filename from the file handle
                StringBuilder filename = new StringBuilder(255);
                GetFinalPathNameByHandle(hFile, filename, 255, 0);
                filename = filename.Replace("\\\\?\\", "");
                if (!filename.ToString().Equals(""))
                {
                    typeAfter = StreamAnalyzer.getFileType(filename.ToString());
                }

                if ((filename != null) || (filename.ToString().Length > 0))
                {
                    reportEvent(ReadFileStr, filename.ToString(), typeAfter, entropy + "", lpNumberOfBytesRead + "");
                }
            }
            catch (Exception e)
            {
                reportEvent(ReadFileStr, "exception! " + e.ToString());
                // swallow exceptions so that any issues caused by this code do not crash target process
            }

            return(result);
        }
コード例 #2
0
        // hook function
        public static bool WriteFile_Hook(
            IntPtr hFile,
            IntPtr lpBuffer,
            uint nNumberOfBytesToWrite,
            out uint lpNumberOfBytesWritten,
            IntPtr lpOverlapped)
        {
            //string hashBeforeFile = "", hashAfterFile = "";
            string typeBefore = "-1", typeAfter = "-1";

            StringBuilder filename = new StringBuilder(255);
            //int currentPid = EasyHook.RemoteHooking.GetCurrentProcessId();
            double entropy = -1;

            try
            {
                //get entropy of buffer
                byte[] buffer = new byte[nNumberOfBytesToWrite];
                Marshal.Copy(lpBuffer, buffer, 0, (int)nNumberOfBytesToWrite);
                entropy = DataEntropy.GetEntropyOfStream(buffer, (int)nNumberOfBytesToWrite);


                // Retrieve filename from the file handle
                GetFinalPathNameByHandle(hFile, filename, 255, 0);
                filename = filename.Replace("\\\\?\\", "");
                if (!filename.ToString().Equals(""))
                {
                    //hashBeforeFile = StreamAnalyzer.createHashToFile(filename.ToString(), "_" + currentPid + "b");
                    typeBefore = StreamAnalyzer.getFileType(filename.ToString());
                }
            }
            catch (Exception e)
            {
                reportEvent(WriteFileStr, "exception1! " + e.ToString());
                // swallow exceptions so that any issues caused by this code do not crash target process
            }

            bool result = false;

            // Call original first so we get lpNumberOfBytesWritten
            result = WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, out lpNumberOfBytesWritten, lpOverlapped);

            try
            {
                //string hashDiffrence = "-1";
                string typeDiffrence = "-1";

                if (!filename.ToString().Equals(""))
                {
                    //    hashAfterFile = StreamAnalyzer.createHashToFile(filename.ToString(), "_" + currentPid + "a");
                    typeAfter = StreamAnalyzer.getFileType(filename.ToString());

                    //    hashDiffrence = StreamAnalyzer.compareHashes(hashBeforeFile, hashAfterFile);
                    typeDiffrence = typeBefore.Equals(typeAfter) ? "1" : "0";

                    //    //deletes temp files
                    //DeleteFileW("-----");
                    //    DeleteFileW(hashAfterFile);
                }

                if ((filename != null) || (filename.ToString().Length > 0))
                {
                    reportEvent(WriteFileStr, filename.ToString(), typeAfter, typeDiffrence, entropy + "", nNumberOfBytesToWrite + "");
                }
            }
            catch (Exception e)
            {
                reportEvent(WriteFileStr, "exception2! " + e.ToString());
                // swallow exceptions so that any issues caused by this code do not crash target process
            }

            return(result);
        }