/// <summary>
/// Detour for CreateNamedPipe. Logs the pipe name, forwards the call to the
/// real API and, when a valid handle comes back, reports the (name, handle)
/// pair to the monitor via makeCallBack.
/// </summary>
/// <remarks>
/// lpSecurityAttributes is forwarded untouched but is not part of the report,
/// so the monitor never sees the DACL a pipe was created with.
/// NOTE(review): createTransferUnit/makeCallBack/Console output run between the
/// native call and the return; if the hooked code reads GetLastError() after a
/// failed CreateNamedPipe, that value may already have been overwritten -- confirm.
/// NOTE(review): ToInt32() on the returned handle throws OverflowException in a
/// 64-bit process; this assumes a 32-bit host -- confirm.
/// </remarks>
public IntPtr CreateNamedPipe_Hooked(string lpName, Kernel32Support.PipeOpenModeFlags dwOpenMode, Kernel32Support.PipeModeFlags dwPipeMode, Int32 nMaxInstances, Int32 nOutBufferSize, Int32 nInBufferSize, Int32 nDefaultTimeOut, IntPtr lpSecurityAttributes)
{
    preprocessHook();
    Console.Write("Creating pipe " + lpName);

    // Forward to the real API.
    IntPtr pipe = Kernel32Support.CreateNamedPipe(lpName, dwOpenMode, dwPipeMode, nMaxInstances, nOutBufferSize, nInBufferSize, nDefaultTimeOut, lpSecurityAttributes);

    bool created = pipe.ToInt32() != Kernel32Support.INVALID_HANDLE_VALUE;
    if (!created)
    {
        Console.WriteLine("\tFAILURE ");
        return pipe;
    }

    TransferUnit report = createTransferUnit();
    report[Color.PipeName] = lpName;
    report[Color.PipeHandle] = pipe.ToInt32();
    makeCallBack(report);
    Console.WriteLine("\tSUCCESS ");
    return pipe;
}
/// <summary>
/// Detour for ConnectNamedPipe. Forwards to the real API and reports the
/// pipe handle to the monitor only when the call returns non-FALSE.
/// </summary>
/// <remarks>
/// The transfer unit is prepared before the native call and carries just the
/// handle; the return value itself is not reported.
/// NOTE(review): ConnectNamedPipe is documented to return FALSE both for an
/// already-connected client (ERROR_PIPE_CONNECTED) and for a pending overlapped
/// connect (ERROR_IO_PENDING); this hook treats every FALSE as a failure and
/// drops the report in those cases -- confirm that is acceptable.
/// </remarks>
public int ConnectNamedPipe_Hooked(IntPtr hNamedPipe, IntPtr lpOverlapped)
{
    preprocessHook();

    TransferUnit report = createTransferUnit();
    report[Color.PipeHandle] = hNamedPipe.ToInt32();

    int rc = Kernel32Support.ConnectNamedPipe(hNamedPipe, lpOverlapped);
    if (rc == Kernel32Support.FALSE)
    {
        return rc;
    }
    makeCallBack(report);
    return rc;
}
/// <summary>
/// Detour for OpenProcess. Records the requested access mask, the inherit
/// flag and the target PID, forwards the call, stores the resulting handle in
/// the report and delivers it to the monitor when the handle is non-NULL.
/// </summary>
/// <remarks>
/// Keys are plain strings ("dwDesiredAccess", "bInheritHandle", "dwProcessId",
/// "handle"), unlike the Color.* keys used by the pipe/process hooks in this
/// file. The raw access mask is reported as-is; flagging sensitive rights
/// (e.g. VM write or thread creation) is left to the consumer.
/// NOTE(review): handle.ToInt32() throws OverflowException in a 64-bit host.
/// </remarks>
private IntPtr OpenProcess_Hooked(Kernel32Support.ProcessAccessFlags dwDesiredAccess, bool bInheritHandle, uint dwProcessId)
{
    preprocessHook();

    TransferUnit report = createTransferUnit();
    report["dwDesiredAccess"] = dwDesiredAccess;
    report["bInheritHandle"] = bInheritHandle;
    report["dwProcessId"] = dwProcessId;

    IntPtr hProcess = Kernel32Support.OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
    report["handle"] = hProcess.ToInt32();

    // A NULL handle (failed open) is recorded but not reported.
    if (hProcess.ToInt32() == Kernel32Support.NULL)
    {
        return hProcess;
    }
    makeCallBack(report);
    return hProcess;
}
/// <summary>
/// Detour for ExitProcess. Reports the exit code to the monitor, prints a
/// countdown from 10 to 1, then forwards to the real ExitProcess.
/// </summary>
/// <remarks>
/// The "delay" is only a printed countdown: the loop contains no sleep or
/// wait, so the report gets no extra time to flush before the process ends.
/// NOTE(review): confirm whether an actual delay was intended here.
/// </remarks>
public void ExitProcess_Hooked(uint uExitCode)
{
    preprocessHook();

    TransferUnit report = createTransferUnit();
    report["uExitCode"] = uExitCode;
    makeCallBack(report);

    Console.WriteLine("Delay ExitProcess");
    const int DELAY = 10;
    int remaining = DELAY;
    while (remaining > 0)
    {
        Console.Write(" " + remaining);
        remaining--;
    }

    // Does not return.
    Kernel32Support.ExitProcess(uExitCode);
}
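/// <summary>
/// Detour for the internal CreateProcessInternalW. Optionally forces
/// CREATE_SUSPENDED (when Configuration.FOLLOW_PROCESS_TREE is set), forwards
/// the call, and reports the caller's std handles, the application name and
/// command line, the new process/thread handles and ids, and the creation
/// flags actually passed to the API.
/// </summary>
/// <param name="unknown1">Leading parameter of the internal API; passed through unchanged.</param>
/// <param name="unknown2">Trailing parameter of the internal API; passed through unchanged.</param>
/// <returns>The real API's return value, or Kernel32Support.FALSE if the call threw.</returns>
/// <remarks>
/// Changes from the previous version of this hook:
/// - PROCESS_INFORMATION is only read when the real call returned non-FALSE.
///   It is an output parameter and is not guaranteed to be initialised on
///   failure; the old code forwarded whatever bytes were there as handles/ids.
/// - A null lpStartupInfo or lpProcessInformation is no longer dereferenced.
/// - A command line that yields no argv[0] no longer throws out of the hook
///   (an exception escaping a detour into a native caller takes the monitored
///   process down); the application name is reported as null instead.
/// - The exception swallowed around the real call is now logged with its message.
/// The report is still delivered on failure, as before (result is not part of it).
/// NOTE(review): when FOLLOW_PROCESS_TREE adds CREATE_SUSPENDED, nothing in this
/// method resumes the child's first thread -- confirm the callback consumer does.
/// NOTE(review): handles/ids are narrowed with ToInt32() as elsewhere in this
/// file, which throws OverflowException in a 64-bit host -- confirm 32-bit only.
/// </remarks>
private int CreateProcessInternalW_Hooked(Int32 unknown1, string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, Kernel32Support.ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, IntPtr lpStartupInfo, IntPtr lpProcessInformation, Int32 unknown2)
{
    preprocessHook();

    // Start the child suspended so it can be instrumented before it runs.
    if (Configuration.FOLLOW_PROCESS_TREE)
    {
        dwCreationFlags |= Kernel32Support.ProcessCreationFlags.CREATE_SUSPENDED;
    }

    int result = Kernel32Support.FALSE;
    try
    {
        result = Kernel32Support.CreateProcessInternalW(unknown1, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, unknown2);
    }
    catch (Exception ex)
    {
        // Best-effort: keep the hook from bringing the host down, but say why.
        Console.WriteLine("Failed to launch subprocess: " + ex.Message);
    }

    IntPtr hStdErr = IntPtr.Zero, hStdOut = IntPtr.Zero, hStdIn = IntPtr.Zero;
    IntPtr hProcess = IntPtr.Zero, hThread = IntPtr.Zero;
    Int32 processId = 0, threadId = 0;
    unsafe
    {
        if (lpStartupInfo != IntPtr.Zero)
        {
            Kernel32Support.STARTUPINFO* si = (Kernel32Support.STARTUPINFO*)lpStartupInfo.ToPointer();
            hStdErr = si->hStdError;
            hStdOut = si->hStdOutput;
            hStdIn = si->hStdInput;
        }
        // Output parameter: only trust its contents after a successful call.
        if (result != Kernel32Support.FALSE && lpProcessInformation != IntPtr.Zero)
        {
            Kernel32Support.PROCESS_INFORMATION* pi = (Kernel32Support.PROCESS_INFORMATION*)lpProcessInformation.ToPointer();
            hProcess = pi->hProcess;
            hThread = pi->hThread;
            processId = pi->dwProcessId;
            threadId = pi->dwThreadId;
        }
    }

    // With no explicit application name, report the file name of argv[0].
    if (lpApplicationName == null && lpCommandLine != null)
    {
        string[] argv = APIMonLib.Hooks.shell32.dll.Shell32DllSupport.CommandLineToArgs(lpCommandLine);
        if (argv != null && argv.Length > 0)
        {
            lpApplicationName = System.IO.Path.GetFileName(argv[0]);
        }
        else
        {
            Console.WriteLine("Hook_CreateProcessInternalW: can not infer application name");
        }
    }

    TransferUnit report = createTransferUnit();
    report[Color.StdErrHandle] = hStdErr.ToInt32();
    report[Color.StdOutHandle] = hStdOut.ToInt32();
    report[Color.StdInHandle] = hStdIn.ToInt32();
    report[Color.ApplicationName] = lpApplicationName;
    report[Color.CommandLine] = lpCommandLine;
    report[Color.ProcessHandle] = hProcess.ToInt32();
    report[Color.FirstThreadHandle] = hThread.ToInt32();
    report[Color.ProcessId] = processId;
    report[Color.FirstThreadId] = threadId;
    report[Color.ProcessCreationFlags] = dwCreationFlags;
    makeCallBack(report);
    return result;
}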