예제 #1
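 /// <summary>
 /// Post-call hook for CreateFileW: records the file name passed by the caller
 /// against the handle that CreateFileW returned, so later hooks can annotate
 /// operations on that handle.
 /// </summary>
 /// <param name="hookInfo">Hook metadata (function name / address), used only for tracing.</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain, used only for tracing.</param>
 /// <param name="callInfo">Call context: pre/post phase, parameters and result of the hooked call.</param>
 /// <returns>Always 0; failures are logged, never propagated.</returns>
 public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
     try
     {
         // Only the post-call phase has a return value to inspect.
         if (callInfo.IsPreCall == false)
         {
             IntPtr fileHandle = callInfo.Result().SizeTVal;
             System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileHandle.ToString());
             // (IntPtr)(-1) is INVALID_HANDLE_VALUE, CreateFileW's failure result;
             // NULL is never a valid file handle either, so neither is tracked.
             if (fileHandle != (IntPtr)(-1) && fileHandle != IntPtr.Zero)
             {
                 // lpFileName (parameter 0), presumably read back from the hooked
                 // process's memory after the call. It is the caller-supplied string,
                 // not a canonical path (may be relative, contain ".." or a \\?\ prefix),
                 // and it is attacker-controlled: do not base policy decisions on it
                 // without normalising, and note it goes to the trace log verbatim
                 // (embedded newlines could forge log entries).
                 string fileName = callInfo.Params().GetAt(0).ReadString();
                 System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileName);
                 // If ReadString() ever yields null, the former `fileName.Length > 0`
                 // test would throw (and be silently swallowed below); treat null
                 // like the empty string instead.
                 if (!string.IsNullOrEmpty(fileName))
                 {
                     lock (handleMap)
                     {
                         handleMap[fileHandle] = fileName;
                     }
                 }
             }
         }
     }
     catch (System.Exception ex)
     {
         // Presumably so a plugin fault never propagates into the hooked process:
         // log it and return 0 so the original call proceeds untouched.
         System.Diagnostics.Trace.WriteLine(ex.ToString());
     }
     return(0);
 }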
예제 #2
    /// <summary>
    /// Pre-call hook for WriteFile: if the target handle was recorded by the
    /// OnCreateFileW hook, attaches its file name to this call under the key "WriteFile".
    /// Handles that never went through a hooked CreateFileW (the only writer of
    /// handleMap visible here) -- e.g. opened before hooking, via another API, or
    /// duplicated/inherited -- get no annotation, so absence of the string is not
    /// evidence that nothing was written.
    /// </summary>
    /// <param name="hookInfo">Hook metadata, used only for tracing.</param>
    /// <param name="chainIndex">Position in the hook chain, used only for tracing.</param>
    /// <param name="callInfo">Call context: phase, parameters and the annotation sink.</param>
    /// <returns>Always 0; exceptions are logged, never propagated.</returns>
    public int OnWriteFile(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        string banner = "MyFilePlugin::OnWriteFile called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
        System.Diagnostics.Trace.WriteLine(banner);
        try
        {
            if (callInfo.IsPreCall)
            {
                // hFile is WriteFile's first parameter.
                IntPtr targetHandle = callInfo.Params().GetAt(0).SizeTVal;
                string trackedName = null;
                bool known = false;

                // Copy the name out under the lock; the annotation itself does not
                // need the lock since strings are immutable.
                lock (handleMap)
                {
                    known = handleMap.TryGetValue(targetHandle, out trackedName);
                }
                if (known)
                {
                    callInfo.AddString("WriteFile", trackedName);
                }
            }
        }
        catch (System.Exception ex)
        {
            // Log and swallow so a plugin fault does not reach the hooked process.
            System.Diagnostics.Trace.WriteLine(ex.ToString());
        }
        return 0;
    }
예제 #3
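    /// <summary>
    /// MapViewOfFile hook: scans the freshly mapped view with LookForMalware and,
    /// if it is flagged, hides the view from the caller (NULL result,
    /// LastError = ERROR_FILE_NOT_FOUND) and asks Deviare to skip the call.
    /// Always records a "has_malware" byte (0/1) on the call.
    /// </summary>
    /// <param name="hookInfo">Hook metadata; unused here.</param>
    /// <param name="callInfo">Call context: parameters, result and annotation sink.</param>
    private void MapViewOfFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
    {
        // Base address of the new view (the call's return value) and the
        // dwNumberOfBytesToMap argument (parameter index 4 of MapViewOfFile).
        IntPtr map    = callInfo.Result().PointerVal;
        IntPtr length = callInfo.Params().GetAt(4).PointerVal;

        // NOTE(review): unlike OnCreateFileW/OnWriteFile this hook never checks
        // callInfo.IsPreCall, yet it reads Result() (only meaningful after the call)
        // and calls SkipCall() (only meaningful before it). Confirm in which phase
        // Deviare runs this handler; one of the two cannot take effect, and if it
        // runs post-call the view stays mapped even though the caller sees NULL.

        // A failed MapViewOfFile returns NULL: there is no view to scan and
        // LookForMalware must not be handed a null base pointer.
        if (map == IntPtr.Zero)
        {
            callInfo.AddByte("has_malware", 0);
            return;
        }

        // SIZE_T is unsigned. Zero-extend explicitly: the former `(ulong)length`
        // cast went through long, so on 32-bit a length with the top bit set was
        // sign-extended into a huge value.
        ulong scanLength = IntPtr.Size == 4
            ? (uint)length.ToInt32()
            : (ulong)length.ToInt64();

        // NOTE(review): for MapViewOfFile, dwNumberOfBytesToMap == 0 means "map to
        // the end of the section", so a zero length here asks LookForMalware to
        // scan nothing and the view is reported clean -- a trivial bypass unless
        // LookForMalware derives the real size itself. Verify.
        // LookForMalware is assumed to use an int-sized length internally, so views
        // larger than 2^32 - 1 bytes are not scanned correctly (native array
        // indices are limited to int as well).
        bool is_malware = LookForMalware(map, scanLength);

        if (is_malware)
        {
            callInfo.AddByte("has_malware", 1);
            // Make the caller see a failed mapping: NULL result and Win32 error 2
            // (ERROR_FILE_NOT_FOUND).
            callInfo.Result().PointerVal = IntPtr.Zero;
            callInfo.LastError = 2;
            callInfo.SkipCall();
        }
        else
        {
            callInfo.AddByte("has_malware", 0);
        }
    }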
예제 #4
    //called when a hooked function is called
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        System.Diagnostics.Trace.WriteLine("MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
        INktParamsEnum pms;

        callInfo.AddString("sample name", "HKEY extractor sample");
        pms = callInfo.Params();
        for (int i = 0; i < pms.Count; i++)
        {
            INktParam p = pms.GetAt(i);
            if (p.IsPointer)
                p = p.Evaluate();
            if (p != null && p.TypeName == "HKEY")
            {
                callInfo.AddSizeT("param#" + i.ToString(), p.SizeTVal);
            }
        }
        return 0;
    }
예제 #5
    //called when a hooked function is called
    /// <summary>
    /// Invoked on every call of a hooked function. Annotates the call with a
    /// sample name, then walks the parameter list and records each parameter
    /// whose type (after dereferencing pointers) is HKEY as "param#&lt;index&gt;".
    /// No pre/post-call distinction is made, so pointer-to-HKEY out-parameters
    /// carry whatever the caller's buffer held at the time.
    /// </summary>
    /// <param name="hookInfo">Hook metadata, used only for tracing.</param>
    /// <param name="chainIndex">Position in the hook chain, used only for tracing.</param>
    /// <param name="callInfo">Call context: parameters and the annotation sink.</param>
    /// <returns>Always 0.</returns>
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        string banner = "MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
        System.Diagnostics.Trace.WriteLine(banner);
        callInfo.AddString("sample name", "HKEY extractor sample");

        INktParamsEnum args = callInfo.Params();
        int position = 0;
        while (position < args.Count)
        {
            INktParam candidate = args.GetAt(position);
            if (candidate.IsPointer)
            {
                // Look through the pointer at the value it references.
                candidate = candidate.Evaluate();
            }
            bool isRegistryKey = candidate != null && candidate.TypeName == "HKEY";
            if (isRegistryKey)
            {
                callInfo.AddSizeT("param#" + position.ToString(), candidate.SizeTVal);
            }
            position++;
        }
        return(0);
    }
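    /// <summary>
    /// MapViewOfFile hook: scans the mapped view with LookForMalware and, when it
    /// is flagged, hides the view from the caller (NULL result,
    /// LastError = ERROR_FILE_NOT_FOUND) and asks Deviare to skip the call.
    /// Always records a "has_malware" byte (0/1) on the call.
    /// </summary>
    /// <param name="hookInfo">Hook metadata; unused here.</param>
    /// <param name="callInfo">Call context: parameters, result and annotation sink.</param>
    private void MapViewOfFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
    {
        // Base address of the new view (the call's return value) and the
        // dwNumberOfBytesToMap argument (parameter index 4 of MapViewOfFile).
        IntPtr map = callInfo.Result().PointerVal;
        IntPtr length = callInfo.Params().GetAt(4).PointerVal;

        // NOTE(review): this hook never checks callInfo.IsPreCall (the file hooks
        // above do), yet it reads Result() (only meaningful after the call) and
        // calls SkipCall() (only meaningful before it). Confirm in which phase
        // Deviare runs this handler; one of the two cannot take effect, and if it
        // runs post-call the view stays mapped even though the caller sees NULL.

        // A failed MapViewOfFile returns NULL: nothing to scan, and LookForMalware
        // must not be handed a null base pointer.
        if (map == IntPtr.Zero)
        {
            callInfo.AddByte("has_malware", 0);
            return;
        }

        // SIZE_T is unsigned. Zero-extend explicitly: the former `(ulong)length`
        // cast went through long, so on 32-bit a length with the top bit set was
        // sign-extended into a huge value.
        ulong scanLength = IntPtr.Size == 4
            ? (uint)length.ToInt32()
            : (ulong)length.ToInt64();

        // NOTE(review): for MapViewOfFile, dwNumberOfBytesToMap == 0 means "map to
        // the end of the section", so a zero length here asks LookForMalware to
        // scan nothing and the view is reported clean -- a trivial bypass unless
        // LookForMalware derives the real size itself. Verify.
        // LookForMalware is assumed to use an int-sized length internally, so views
        // larger than 2^32 - 1 bytes are not scanned correctly (native array
        // indices are limited to int as well).
        bool is_malware = LookForMalware(map, scanLength);

        if (is_malware)
        {
            callInfo.AddByte("has_malware", 1);
            // Make the caller see a failed mapping: NULL result and Win32 error 2
            // (ERROR_FILE_NOT_FOUND).
            callInfo.Result().PointerVal = IntPtr.Zero;
            callInfo.LastError = 2;
            callInfo.SkipCall();
        }
        else
        {
            callInfo.AddByte("has_malware", 0);
        }
    }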
예제 #7
 /// <summary>
 /// Pre-call hook for CloseHandle: drops the handle's entry from handleMap.
 /// Done before the call, presumably so that a handle value recycled by a later
 /// CreateFileW can never inherit a stale file name. The entry is removed even if
 /// CloseHandle itself goes on to fail.
 /// </summary>
 /// <param name="hookInfo">Hook metadata, used only for tracing.</param>
 /// <param name="chainIndex">Position in the hook chain, used only for tracing.</param>
 /// <param name="callInfo">Call context: phase and parameters.</param>
 /// <returns>Always 0; exceptions are logged, never propagated.</returns>
 public int OnCloseHandle(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     string banner = "MyFilePlugin::OnCloseHandle called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
     System.Diagnostics.Trace.WriteLine(banner);
     try
     {
         if (callInfo.IsPreCall)
         {
             // hObject is CloseHandle's only parameter.
             IntPtr closingHandle = callInfo.Params().GetAt(0).SizeTVal;
             lock (handleMap)
             {
                 handleMap.Remove(closingHandle);
             }
         }
     }
     catch (System.Exception ex)
     {
         // Log and swallow so a plugin fault does not reach the hooked process.
         System.Diagnostics.Trace.WriteLine(ex.ToString());
     }
     return 0;
 }
예제 #8
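 /// <summary>
 /// Post-call hook for CreateFileW: maps the handle CreateFileW returned to the
 /// file name the caller passed, so later hooks on that handle can be annotated.
 /// </summary>
 /// <param name="hookInfo">Hook metadata (function name / address), used only for tracing.</param>
 /// <param name="chainIndex">Position of this plugin in the hook chain, used only for tracing.</param>
 /// <param name="callInfo">Call context: pre/post phase, parameters and result of the hooked call.</param>
 /// <returns>Always 0; failures are logged, never propagated.</returns>
 public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
 {
     System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
     try
     {
         // The return value only exists in the post-call phase.
         if (callInfo.IsPreCall == false)
         {
             IntPtr fileHandle = callInfo.Result().SizeTVal;
             System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileHandle.ToString());
             // (IntPtr)(-1) is INVALID_HANDLE_VALUE, CreateFileW's failure result;
             // NULL is never a valid file handle either, so neither is tracked.
             if (fileHandle != (IntPtr)(-1) && fileHandle != IntPtr.Zero)
             {
                 // lpFileName (parameter 0), presumably read back from the hooked
                 // process's memory after the call. It is the caller-supplied string,
                 // not a canonical path (may be relative, contain ".." or a \\?\ prefix),
                 // and it is attacker-controlled: do not base policy decisions on it
                 // without normalising, and note it goes to the trace log verbatim
                 // (embedded newlines could forge log entries).
                 string fileName = callInfo.Params().GetAt(0).ReadString();
                 System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileName);
                 // If ReadString() ever yields null, the former `fileName.Length > 0`
                 // test would throw (and be silently swallowed below); treat null
                 // like the empty string instead.
                 if (!string.IsNullOrEmpty(fileName))
                 {
                     lock (handleMap)
                     {
                         handleMap[fileHandle] = fileName;
                     }
                 }
             }
         }
     }
     catch (System.Exception ex)
     {
         // Presumably so a plugin fault never propagates into the hooked process:
         // log it and return 0 so the original call proceeds untouched.
         System.Diagnostics.Trace.WriteLine(ex.ToString());
     }
     return 0;
 }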