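// Post-call hook for CreateFileW: remembers which file name a freshly returned
// handle refers to, so that later WriteFile/CloseHandle hooks can attribute
// their activity to a path.
//   hookInfo   - the hook that fired (used for tracing only).
//   chainIndex - this plugin's position in the hook chain (tracing only).
//   callInfo   - parameters and result of the intercepted call.
// Returns 0, the callback convention used by all hooks in these samples.
// Any exception is traced and swallowed so that a faulty plugin never
// propagates into the hooked process.
public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
    try
    {
        // Only the post-call side has a result (the new handle) to inspect.
        if (!callInfo.IsPreCall)
        {
            IntPtr fileHandle = callInfo.Result().SizeTVal;
            System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileHandle.ToString());
            // (IntPtr)(-1) is INVALID_HANDLE_VALUE, CreateFileW's failure result;
            // a zero handle is never a valid file handle either.
            if (fileHandle != (IntPtr)(-1) && fileHandle != IntPtr.Zero)
            {
                // lpFileName (param 0) is read out of the hooked process's memory:
                // untrusted data that is only ever used as a label here.
                string fileName = callInfo.Params().GetAt(0).ReadString();
                System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileName);
                // ReadString may presumably return null for an unreadable pointer
                // (TODO confirm); IsNullOrEmpty covers that as well as an empty name
                // instead of throwing on .Length.
                if (!string.IsNullOrEmpty(fileName))
                {
                    // Handle values are recycled by the OS once closed, so the
                    // indexer (overwrite) is the right operation, not Add.
                    lock (handleMap)
                    {
                        handleMap[fileHandle] = fileName;
                    }
                }
            }
        }
    }
    catch (System.Exception ex)
    {
        // Best-effort: log and keep the hooked call running.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}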
// Pre-call hook for WriteFile: when the target handle was recorded by the
// CreateFileW hook, its file name is attached to the call record under the
// "WriteFile" key so the write can be tied to a path.
//   hookInfo   - the hook that fired (tracing only).
//   chainIndex - this plugin's position in the hook chain (tracing only).
//   callInfo   - parameters of the intercepted call.
// Returns 0; exceptions are traced and swallowed (best-effort plugin).
public int OnWriteFile(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string header = "MyFilePlugin::OnWriteFile called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(header);
    try
    {
        if (callInfo.IsPreCall)
        {
            // hFile is WriteFile's first parameter.
            IntPtr hFile = callInfo.Params().GetAt(0).SizeTVal;
            string knownName;
            lock (handleMap)
            {
                // handleMap is presumably a Dictionary<IntPtr, string> owned by the
                // class and filled by OnCreateFileW; the lookup and the annotation
                // stay under the same lock.
                bool found = handleMap.TryGetValue(hFile, out knownName);
                if (found)
                {
                    callInfo.AddString("WriteFile", knownName);
                }
            }
        }
    }
    catch (System.Exception ex)
    {
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}
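// Post-call hook for MapViewOfFile: scans the freshly mapped view and, when it
// looks malicious, withholds the mapping from the caller.
//   hookInfo - the hook that fired (currently unused, kept for the callback shape).
//   callInfo - parameters and result of the intercepted call; Result().PointerVal
//              is the view base address, param 4 (dwNumberOfBytesToMap) the size
//              the caller asked for.
// Side effects: adds a "has_malware" byte (1/0) to the call record; on a hit,
// the result is zeroed, LastError set, and the call skipped.
// NOTE(review): for MapViewOfFile a length of 0 means "map to end of file", so the
// scan length may be smaller than the real view — confirm LookForMalware copes.
// NOTE(review): nothing here unmaps the view; the caller merely never learns its
// address — confirm whether an explicit UnmapViewOfFile is wanted.
private void MapViewOfFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
{
    // Win32 ERROR_FILE_NOT_FOUND: what the hooked caller sees when the mapping is refused.
    const int ErrorFileNotFound = 2;

    IntPtr map = callInfo.Result().PointerVal;
    IntPtr length = callInfo.Params().GetAt(4).PointerVal;
    // Assumes length fits an int in this example, so mapped files larger than
    // 2^32 - 1 bytes will not work; native array indices are limited to int anyway.
    // Both values originate in the hooked process and are untrusted: the scan
    // must never read past the view.
    bool isMalware = LookForMalware(map, (ulong)length);
    if (isMalware)
    {
        callInfo.AddByte("has_malware", 1);
        // Make the API appear to have failed, then skip delivery of the real call
        // (SkipCall semantics per the Deviare API — verify against its docs).
        callInfo.Result().PointerVal = IntPtr.Zero;
        callInfo.LastError = ErrorFileNotFound;
        callInfo.SkipCall();
    }
    else
    {
        callInfo.AddByte("has_malware", 0);
    }
}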
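// Called when a hooked function is called. Tags the call record with a sample
// name and, for every parameter whose (dereferenced) type is HKEY, records the
// key value under "param#<index>".
//   hookInfo   - the hook that fired (tracing only).
//   chainIndex - this plugin's position in the hook chain (tracing only).
//   callInfo   - parameters of the intercepted call.
// Returns 0 (plugin callback convention).
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine("MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
    callInfo.AddString("sample name", "HKEY extractor sample");
    INktParamsEnum pms = callInfo.Params();
    for (int i = 0; i < pms.Count; i++)
    {
        INktParam p = pms.GetAt(i);
        // Pointer parameters (e.g. PHKEY out-params) are dereferenced so the
        // pointed-to type is inspected; Evaluate() may yield null, hence the check below.
        if (p.IsPointer)
        {
            p = p.Evaluate();
        }
        if (p != null && p.TypeName == "HKEY")
        {
            callInfo.AddSizeT("param#" + i.ToString(), p.SizeTVal);
        }
    }
    return 0;
}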
// Called when a hooked function is called. Annotates the call record with a
// sample name and records the value of each HKEY-typed parameter (pointers are
// dereferenced first) under "param#<index>".
//   hookInfo   - the hook that fired (tracing only).
//   chainIndex - this plugin's position in the hook chain (tracing only).
//   callInfo   - parameters of the intercepted call.
// Returns 0 (plugin callback convention).
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string header = "MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(header);
    callInfo.AddString("sample name", "HKEY extractor sample");
    INktParamsEnum parameters = callInfo.Params();
    for (int index = 0; index < parameters.Count; index++)
    {
        INktParam param = parameters.GetAt(index);
        if (param.IsPointer)
        {
            // Look through the pointer at the pointed-to value; may come back null.
            param = param.Evaluate();
        }
        if (param == null || param.TypeName != "HKEY")
        {
            continue;
        }
        callInfo.AddSizeT("param#" + index.ToString(), param.SizeTVal);
    }
    return 0;
}
// Pre-call hook for CloseHandle: forgets the file name recorded for the handle
// being closed, so a recycled handle value is not mis-attributed later.
//   hookInfo   - the hook that fired (tracing only).
//   chainIndex - this plugin's position in the hook chain (tracing only).
//   callInfo   - parameters of the intercepted call.
// Returns 0; exceptions are traced and swallowed (best-effort plugin).
// The entry is dropped before the call runs, so a CloseHandle that fails still
// loses its name — presumably acceptable for a tracing sample (TODO confirm).
public int OnCloseHandle(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string header = "MyFilePlugin::OnCloseHandle called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(header);
    try
    {
        if (callInfo.IsPreCall)
        {
            // hObject is CloseHandle's only parameter.
            IntPtr hObject = callInfo.Params().GetAt(0).SizeTVal;
            lock (handleMap)
            {
                // Remove is a no-op for handles this plugin never recorded.
                handleMap.Remove(hObject);
            }
        }
    }
    catch (System.Exception ex)
    {
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}
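// Post-call hook for CreateFileW: records the file name behind each handle the
// API hands out, so the WriteFile/CloseHandle hooks can attribute their activity.
//   hookInfo   - the hook that fired (tracing only).
//   chainIndex - this plugin's position in the hook chain (tracing only).
//   callInfo   - parameters and result of the intercepted call.
// Returns 0 (plugin callback convention); exceptions are traced and swallowed
// so a plugin failure never propagates into the hooked process.
public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnCreateFileW called [Hook: " + hookInfo.FunctionName + " @ 0x" + hookInfo.Address.ToString("X") + " / Chain:" + chainIndex.ToString() + "]");
    try
    {
        if (callInfo.IsPreCall)
        {
            // Before the call there is no handle yet; nothing to record.
            return 0;
        }
        IntPtr fileHandle = callInfo.Result().SizeTVal;
        System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileHandle.ToString());
        // (IntPtr)(-1) is INVALID_HANDLE_VALUE, CreateFileW's failure result;
        // zero is never a valid file handle either.
        bool handleIsValid = fileHandle != (IntPtr)(-1) && fileHandle != IntPtr.Zero;
        if (handleIsValid)
        {
            // lpFileName (param 0) comes from the hooked process's memory and is
            // untrusted; it is used purely as a label.
            string fileName = callInfo.Params().GetAt(0).ReadString();
            System.Diagnostics.Trace.WriteLine("MyFilePlugin::OnFunctionCall OnCreateFileW " + fileName);
            // IsNullOrEmpty instead of .Length so a null read (presumably possible
            // for an unreadable pointer — TODO confirm) does not throw.
            if (!string.IsNullOrEmpty(fileName))
            {
                lock (handleMap)
                {
                    // Overwrite: handle values are recycled after CloseHandle.
                    handleMap[fileHandle] = fileName;
                }
            }
        }
    }
    catch (System.Exception ex)
    {
        // Best-effort: log and keep the hooked call running.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}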