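/// <summary>
/// Copies the buffer that <paramref name="paramData"/> points to inside process <paramref name="pid"/>
/// into a managed byte array.
/// </summary>
/// <param name="pid">Id of the hooked process whose memory is read.</param>
/// <param name="paramData">Hooked-call parameter holding the pointer to the source buffer.</param>
/// <param name="paramSize">Hooked-call parameter holding the byte count, or a pointer to it.</param>
/// <param name="sizeAndTypeArePtr">True when <paramref name="paramSize"/> must be dereferenced to obtain the count.</param>
/// <returns>
/// An array of exactly the requested size, or null when <paramref name="paramData"/> is a null pointer.
/// The byte count reported by ReadMem is not applied, so a short read leaves the tail of the array zero-filled.
/// </returns>
byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr)
{
    uint valueSize = 0;
    if (sizeAndTypeArePtr)
    {
        // The size lives behind a pointer; a null pointer means "no data".
        if (paramSize.IsNullPointer == false)
        {
            valueSize = paramSize.Evaluate().ULongVal;
        }
    }
    else
    {
        valueSize = paramSize.ULongVal;
    }

    if (paramData.IsNullPointer || paramData.PointerVal.Equals(IntPtr.Zero))
    {
        return null;
    }

    // Both the size and the address originate in the hooked process and are not validated here;
    // a corrupted or hostile value can request a very large allocation.
    INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid);
    byte[] buffer = new byte[valueSize];
    GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
    try
    {
        IntPtr pDest = pinnedBuffer.AddrOfPinnedObject();
        // The returned byte count is deliberately not used to trim the buffer so the
        // fixed-size contract callers rely on is unchanged.
        procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize);
    }
    finally
    {
        // Must run even when ReadMem throws, otherwise the pinned handle (and buffer) leak.
        pinnedBuffer.Free();
    }
    return buffer;
}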
/// <summary>
/// Hook callback that treats the third parameter of the hooked call as a pointer to a structure,
/// reads the structure's first field as a string and forwards it to <see cref="Output"/>.
/// </summary>
/// <param name="hook">The hook that fired.</param>
/// <param name="process">Process in which the hooked call happened.</param>
/// <param name="hookCallInfo">Call details, including the parameter list.</param>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    var text = "Document: ";
    var args = hookCallInfo.Params();

    // Skip the first two parameters; only the third one is inspected.
    args.First();
    args.Next();
    var third = args.Next();

    if (third.PointerVal != IntPtr.Zero)
    {
        var firstField = third.Evaluate().Fields().First();
        text += firstField.ReadString() + "\n";
    }

    Output(text);
}
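/// <summary>
/// Handler invoked when a hooked WriteFile call fires. Reads the buffer being written
/// (lpBuffer) as a string and forwards it to <see cref="Output"/>.
/// </summary>
/// <param name="hook">The hook that fired.</param>
/// <param name="process">Process in which the hooked call happened.</param>
/// <param name="hookCallInfo">Call details; the parameters are consumed in WriteFile order: hFile, lpBuffer, nNumberOfBytesToWrite.</param>
private void OnWriteFileCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    string strDocument = "Document: ";
    INktParamsEnum paramsEnum = hookCallInfo.Params();
    INktParam hFile = paramsEnum.First();
    INktParam lpBuffer = paramsEnum.Next();
    INktParam nNumberOfBytesToWrite = paramsEnum.Next();

    #region Adapted from the official sample
    // The original sample also evaluated hFile's fields here; the result was never used, so that
    // dead dereference is dropped.
    // NOTE: ReadString() is not bounded by nNumberOfBytesToWrite. The buffer is raw data from the
    // hooked process and need not be text, so the trace below may be truncated or garbled.
    string bufferText = lpBuffer.ReadString();
    Console.Out.WriteLine(bufferText);
    Console.Out.WriteLine(lpBuffer.Address);
    if (lpBuffer.PointerVal != IntPtr.Zero)
    {
        strDocument += bufferText;
        strDocument += "\n";
    }
    Output(strDocument);
    #endregion

    // Return values of these two calls were never used; the calls are kept in case
    // QueryFileHandle / ReadBuffer have side effects elsewhere in the class.
    QueryFileHandle(hFile.Address);
    ReadBuffer(lpBuffer.Address, nNumberOfBytesToWrite.Address);
}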
/// <summary>
/// Plugin callback run when a hooked function is called. Writes a trace line for the hook,
/// tags the call with a sample name and records every HKEY-typed parameter (pointers are
/// dereferenced first) as a size_t value on the call info.
/// </summary>
/// <param name="hookInfo">Describes the hooked function (name and address).</param>
/// <param name="chainIndex">Position of this plugin in the hook chain, used in the trace only.</param>
/// <param name="callInfo">Call details; receives the added string and size_t entries.</param>
/// <returns>Always 0.</returns>
public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    string trace = "MyRegistryPlugin::OnFunctionCall called [Hook: " + hookInfo.FunctionName
        + " @ 0x" + hookInfo.Address.ToString("X")
        + " / Chain:" + chainIndex.ToString() + "]";
    System.Diagnostics.Trace.WriteLine(trace);

    callInfo.AddString("sample name", "HKEY extractor sample");

    INktParamsEnum parameters = callInfo.Params();
    int idx = 0;
    while (idx < parameters.Count)
    {
        INktParam current = parameters.GetAt(idx);
        // Pointer parameters are dereferenced so the pointee's type is the one inspected.
        INktParam value = current.IsPointer ? current.Evaluate() : current;
        if (value != null && string.Equals(value.TypeName, "HKEY", StringComparison.Ordinal))
        {
            callInfo.AddSizeT("param#" + idx.ToString(), value.SizeTVal);
        }
        idx++;
    }

    return 0;
}
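/// <summary>
/// Copies the buffer that <paramref name="paramData"/> points to inside process <paramref name="pid"/>
/// into a managed byte array.
/// </summary>
/// <param name="pid">Id of the hooked process whose memory is read.</param>
/// <param name="paramData">Hooked-call parameter holding the pointer to the source buffer.</param>
/// <param name="paramSize">Hooked-call parameter holding the byte count, or a pointer to it.</param>
/// <param name="sizeAndTypeArePtr">True when <paramref name="paramSize"/> must be dereferenced to obtain the count.</param>
/// <returns>
/// An array of exactly the requested size, or null when <paramref name="paramData"/> is a null pointer.
/// The byte count reported by ReadMem is not applied, so a short read leaves the tail of the array zero-filled.
/// </returns>
byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr)
{
    uint valueSize = 0;
    if (sizeAndTypeArePtr)
    {
        // The size lives behind a pointer; a null pointer means "no data".
        if (paramSize.IsNullPointer == false)
        {
            valueSize = paramSize.Evaluate().ULongVal;
        }
    }
    else
    {
        valueSize = paramSize.ULongVal;
    }

    if (paramData.IsNullPointer || paramData.PointerVal.Equals(IntPtr.Zero))
    {
        return null;
    }

    // Both the size and the address originate in the hooked process and are not validated here;
    // a corrupted or hostile value can request a very large allocation.
    INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid);
    byte[] buffer = new byte[valueSize];
    GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
    try
    {
        IntPtr pDest = pinnedBuffer.AddrOfPinnedObject();
        // The returned byte count is deliberately not used to trim the buffer so the
        // fixed-size contract callers rely on is unchanged.
        procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize);
    }
    finally
    {
        // Must run even when ReadMem throws, otherwise the pinned handle (and buffer) leak.
        pinnedBuffer.Free();
    }
    return buffer;
}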