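/// <summary>
/// Hook for ZwCreateFile: forwards the call to the real API and, when it
/// returns STATUS_SUCCESS, reports the new handle, the object name and the
/// access / share / create flags through a <c>TransferUnit</c> callback.
/// </summary>
/// <param name="ptr_to_FileHandle">Pointer to the HANDLE slot the API fills in on success.</param>
/// <param name="DesiredAccess">Requested access rights, recorded as-is.</param>
/// <param name="ObjectAttributes">Pointer to the caller's OBJECT_ATTRIBUTES; may be null and is only dereferenced when it is not.</param>
/// <param name="IoStatusBlock">Passed through to the API untouched.</param>
/// <param name="AllocationSize">Passed through to the API untouched.</param>
/// <param name="FileAttributes">Passed through to the API untouched.</param>
/// <param name="ShareAccess">Requested share mode, recorded as-is.</param>
/// <param name="CreateDisposition">Passed through to the API untouched.</param>
/// <param name="CreateOptions">Create options, recorded as-is.</param>
/// <param name="EaBuffer">Passed through to the API untouched.</param>
/// <param name="EaLength">Passed through to the API untouched.</param>
/// <returns>The NTSTATUS of the original ZwCreateFile, unchanged.</returns>
/// <remarks>
/// All pointers originate in the hooked process and are not trusted: a null
/// OBJECT_ATTRIBUTES or a null ObjectName inside it would otherwise fault the
/// monitor inside the target instead of producing an event, so both are
/// checked before use (same guard as the ZwCreateSection hook).
/// </remarks>
// this is where we are intercepting all file accesses!
private UInt32 ZwCreateFile_Hooked(IntPtr ptr_to_FileHandle, NtDllSupport.AccessRightsFlags DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, Int32 AllocationSize, Int32 FileAttributes, NtDllSupport.ShareAccessFlags ShareAccess, Int32 CreateDisposition, NtDllSupport.FileCreationFlags CreateOptions, IntPtr EaBuffer, Int32 EaLength)
{
    preprocessHook();

    UInt32 result = NtDllSupport.ZwCreateFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
    if (result != NtDllSupport.STATUS_SUCCESS)
    {
        // Failed opens are not reported; only the status is propagated.
        return result;
    }

    string object_name = string.Empty;
    int file_handle = -1;
    unsafe
    {
        if (ptr_to_FileHandle != IntPtr.Zero)
        {
            // A HANDLE is pointer-sized; reading it as a 32-bit int matches the
            // rest of this file and assumes a 32-bit target — TODO confirm for x64.
            file_handle = *(int*)ptr_to_FileHandle.ToPointer();
        }

        NtDllSupport.OBJECT_ATTRIBUTES* lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES*)ObjectAttributes.ToPointer();
        if (lpobj_attr != null && lpobj_attr->ObjectName != null)
        {
            object_name = lpobj_attr->ObjectName->ToString();
        }
    }

    TransferUnit transfer_unit = createTransferUnit();
    transfer_unit[Color.ObjectName] = object_name;
    transfer_unit[Color.FileHandle] = file_handle;
    transfer_unit[Color.DesiredAccess] = DesiredAccess;
    transfer_unit[Color.ShareAccess] = ShareAccess;
    transfer_unit[Color.FileCreationFlags] = CreateOptions;
    makeCallBack(transfer_unit);

    return result;
}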
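/// <summary>
/// Hook for ZwCreateSection: forwards the call to the real API and, on
/// STATUS_SUCCESS, reports the section handle, the backing file handle and
/// the section's object name (empty when the section is unnamed).
/// </summary>
/// <param name="ptr_SectionHandle">Pointer to the HANDLE slot the API fills in on success.</param>
/// <param name="DesiredAccess">Passed through to the API untouched.</param>
/// <param name="ObjectAttributes">Pointer to the caller's OBJECT_ATTRIBUTES, or null; only dereferenced when non-null.</param>
/// <param name="MaximumSize">Passed through to the API untouched.</param>
/// <param name="SectionPageProtection">Passed through to the API untouched.</param>
/// <param name="AllocationAttributes">Passed through to the API untouched.</param>
/// <param name="FileHandle">Handle of the file backing the section, recorded as a 32-bit value.</param>
/// <returns>The NTSTATUS of the original ZwCreateSection, unchanged.</returns>
/// <remarks>
/// The original code checked OBJECT_ATTRIBUTES for null but dereferenced
/// its ObjectName unconditionally; an OBJECT_ATTRIBUTES with a null
/// ObjectName (an unnamed section) therefore faulted inside the hook. Both
/// pointers are now checked, and <c>object_name</c> stays empty in that case.
/// </remarks>
private UInt32 ZwCreateSection_Hooked(IntPtr ptr_SectionHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr MaximumSize, Int32 SectionPageProtection, Int32 AllocationAttributes, IntPtr FileHandle)
{
    preprocessHook();

    UInt32 result = NtDllSupport.ZwCreateSection(ptr_SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle);
    if (result != NtDllSupport.STATUS_SUCCESS)
    {
        return result;
    }

    string object_name = string.Empty;
    int section_handle = -1;
    unsafe
    {
        if (ptr_SectionHandle != IntPtr.Zero)
        {
            // Pointer-sized HANDLE read as int: consistent with the other hooks,
            // assumes a 32-bit target — TODO confirm for x64.
            section_handle = *(int*)ptr_SectionHandle.ToPointer();
        }

        NtDllSupport.OBJECT_ATTRIBUTES* lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES*)ObjectAttributes.ToPointer();
        if (lpobj_attr != null && lpobj_attr->ObjectName != null)
        {
            object_name = lpobj_attr->ObjectName->ToString();
        }
    }

    TransferUnit transfer_unit = createTransferUnit();
    transfer_unit[Color.ObjectName] = object_name;
    transfer_unit[Color.SectionHandle] = section_handle;
    transfer_unit[Color.FileHandle] = FileHandle.ToInt32();
    makeCallBack(transfer_unit);

    return result;
}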
/// <summary>
/// Hook for ZwReadFile: forwards the call to the real API and, on
/// STATUS_SUCCESS, reports the file handle, the number of bytes transferred
/// (IO_STATUS_BLOCK.Information) and a string snapshot of at most
/// <c>BUFFER_LIMIT</c> bytes of the caller's buffer.
/// </summary>
/// <param name="FileHandle">Handle being read; recorded as a 32-bit value.</param>
/// <param name="Event">Passed through to the API untouched.</param>
/// <param name="ApcRoutine">Passed through to the API untouched.</param>
/// <param name="ApcContext">Passed through to the API untouched.</param>
/// <param name="IoStatusBlock">Pointer to the IO_STATUS_BLOCK the API fills in; read for the byte count.</param>
/// <param name="Buffer">Caller's destination buffer; a bounded prefix is captured.</param>
/// <param name="Length">Passed through to the API untouched.</param>
/// <param name="ByteOffset">Passed through to the API untouched.</param>
/// <param name="Key">Passed through to the API untouched.</param>
/// <returns>The NTSTATUS of the original ZwReadFile, unchanged.</returns>
/// <remarks>
/// Only synchronous completions (STATUS_SUCCESS) are reported; any other
/// status, including a pending asynchronous read, produces no event here.
/// The captured snapshot is clamped to <c>BUFFER_LIMIT</c> so a large read
/// cannot make the monitor copy an unbounded amount of target memory.
/// </remarks>
// this is where we are intercepting all file accesses!
private UInt32 ZwReadFile_Hooked(IntPtr FileHandle, IntPtr Event, IntPtr ApcRoutine, IntPtr ApcContext, IntPtr IoStatusBlock, IntPtr Buffer, Int32 Length, IntPtr ByteOffset, IntPtr Key)
{
    preprocessHook();

    UInt32 status = NtDllSupport.ZwReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
    if (status != NtDllSupport.STATUS_SUCCESS)
    {
        return status;
    }

    int transferred = 0;
    unsafe
    {
        NtDllSupport.IO_STATUS_BLOCK* iosb = (NtDllSupport.IO_STATUS_BLOCK*)IoStatusBlock.ToPointer();
        transferred = iosb->Information;
    }

    // Never copy more than BUFFER_LIMIT bytes out of the target's buffer.
    string captured = AbstractHookDescription.extractBufferAsString(Buffer, Math.Min(transferred, BUFFER_LIMIT));

    TransferUnit unit = createTransferUnit();
    unit["FileHandle"] = FileHandle.ToInt32();
    unit["buffer"] = captured;
    unit["BytesRead"] = transferred;
    makeCallBack(unit);

    return status;
}
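/// <summary>
/// Hook for ZwOpenFile: forwards the call to the real API and, on
/// STATUS_SUCCESS, reports the opened handle and the object name.
/// </summary>
/// <param name="ptr_to_FileHandle">Pointer to the HANDLE slot the API fills in on success.</param>
/// <param name="DesiredAccess">Passed through to the API untouched.</param>
/// <param name="ObjectAttributes">Pointer to the caller's OBJECT_ATTRIBUTES; may be null and is only dereferenced when it is not.</param>
/// <param name="IoStatusBlock">Passed through to the API untouched.</param>
/// <param name="ShareAccess">Passed through to the API untouched.</param>
/// <param name="OpenOptions">Passed through to the API untouched.</param>
/// <returns>The NTSTATUS of the original ZwOpenFile, unchanged.</returns>
/// <remarks>
/// Pointers come from the hooked process and are not trusted; a null
/// OBJECT_ATTRIBUTES or ObjectName is tolerated (empty name) instead of
/// faulting the monitor inside the target, mirroring the ZwCreateSection hook.
/// </remarks>
// this is where we are intercepting all file accesses!
private UInt32 ZwOpenFile_Hooked(IntPtr ptr_to_FileHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, Int32 ShareAccess, NtDllSupport.FileCreationFlags OpenOptions)
{
    preprocessHook();

    UInt32 result = NtDllSupport.ZwOpenFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
    if (result != NtDllSupport.STATUS_SUCCESS)
    {
        return result;
    }

    string object_name = string.Empty;
    int file_handle = -1;
    unsafe
    {
        if (ptr_to_FileHandle != IntPtr.Zero)
        {
            // Pointer-sized HANDLE read as int: consistent with the other hooks,
            // assumes a 32-bit target — TODO confirm for x64.
            file_handle = *(int*)ptr_to_FileHandle.ToPointer();
        }

        NtDllSupport.OBJECT_ATTRIBUTES* lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES*)ObjectAttributes.ToPointer();
        if (lpobj_attr != null && lpobj_attr->ObjectName != null)
        {
            object_name = lpobj_attr->ObjectName->ToString();
        }
    }

    TransferUnit transfer_unit = createTransferUnit();
    transfer_unit["ObjectName"] = object_name;
    transfer_unit["FileHandle"] = file_handle;
    makeCallBack(transfer_unit);

    return result;
}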
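/// <summary>
/// Hook for ZwMapViewOfSection: forwards the call to the real API and, on
/// STATUS_SUCCESS, reports the section handle, the target process handle and
/// the base address of the mapped view.
/// </summary>
/// <param name="SectionHandle">Section being mapped; recorded as a 32-bit value.</param>
/// <param name="ProcessHandle">Process receiving the view; recorded as a 32-bit value.</param>
/// <param name="BaseAddress">Pointer to the in/out PVOID slot that receives the view's base address.</param>
/// <param name="ZeroBits">Passed through to the API untouched.</param>
/// <param name="CommitSize">Passed through to the API untouched.</param>
/// <param name="SectionOffset">Passed through to the API untouched.</param>
/// <param name="ViewSize">Passed through to the API untouched.</param>
/// <param name="InheritDisposition">Passed through to the API untouched.</param>
/// <param name="AllocationType">Passed through to the API untouched.</param>
/// <param name="Win32Protect">Passed through to the API untouched.</param>
/// <returns>The NTSTATUS of the original ZwMapViewOfSection, unchanged.</returns>
/// <remarks>
/// NtMapViewOfSection takes <c>PVOID *BaseAddress</c>: the mapped base is
/// written behind the pointer. The previous code recorded
/// <c>BaseAddress.ToInt32()</c>, i.e. the address of the caller's variable,
/// not the view itself. The slot is now dereferenced (when non-null) so the
/// event carries the real base, which is what a mapping/injection trace needs.
/// </remarks>
private UInt32 ZwMapViewOfSection_Hooked(IntPtr SectionHandle, IntPtr ProcessHandle, IntPtr BaseAddress, Int32 ZeroBits, Int32 CommitSize, IntPtr SectionOffset, IntPtr ViewSize, NtDllSupport.SECTION_INHERIT InheritDisposition, Int32 AllocationType, Int32 Win32Protect)
{
    preprocessHook();

    UInt32 result = NtDllSupport.ZwMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect);
    if (result != NtDllSupport.STATUS_SUCCESS)
    {
        return result;
    }

    int mapped_base = 0;
    unsafe
    {
        if (BaseAddress != IntPtr.Zero)
        {
            // Pointer-sized value read as int: consistent with the other hooks,
            // assumes a 32-bit target — TODO confirm for x64.
            mapped_base = *(int*)BaseAddress.ToPointer();
        }
    }

    TransferUnit transfer_unit = createTransferUnit();
    transfer_unit[Color.BaseAddress] = mapped_base;
    transfer_unit[Color.SectionHandle] = SectionHandle.ToInt32();
    transfer_unit[Color.ProcessHandle] = ProcessHandle.ToInt32();
    makeCallBack(transfer_unit);

    return result;
}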
/// <summary>
/// Hook for ZwClose: forwards the call to the real API and reports every
/// close attempt — successful or not — with the handle value and the
/// NTSTATUS it produced.
/// </summary>
/// <param name="handle">Handle being closed; recorded as a 32-bit value.</param>
/// <returns>The NTSTATUS of the original ZwClose, unchanged.</returns>
/// <remarks>
/// Unlike the open/create hooks this one does not filter on STATUS_SUCCESS:
/// a close that fails (for example on an already-closed or invalid handle)
/// is still reported, with the status available under <c>"ntStatus"</c>.
/// </remarks>
public UInt32 ZwClose_Hooked(IntPtr handle)
{
    preprocessHook();

    // Let the real API run first; the event carries whatever it returned.
    UInt32 status = NtDllSupport.ZwClose(handle);

    TransferUnit unit = createTransferUnit();
    unit["handle"] = handle.ToInt32();
    unit["ntStatus"] = status;
    makeCallBack(unit);

    return status;
}
/// <summary>
/// Hook for LdrShutdownProcess: prints a "Delay LdrShutdownProcess" line and
/// a countdown from 10 to 1 on the console, then forwards to the real API.
/// No event is reported for this call.
/// </summary>
/// <remarks>
/// The countdown loop only writes to the console; it contains no sleep or
/// wait, so it does not actually pause shutdown — TODO confirm whether a real
/// delay was intended here to let pending callbacks flush before the loader
/// tears the process down.
/// </remarks>
public void LdrShutdownProcess_Hooked()
{
    preprocessHook();

    Console.WriteLine("Delay LdrShutdownProcess");
    const int COUNTDOWN_START = 10;
    for (int remaining = COUNTDOWN_START; remaining > 0; remaining--)
    {
        Console.Write(" " + remaining);
    }

    // Hand over to the real loader shutdown; nothing runs after it returns
    // that this hook relies on.
    NtDllSupport.LdrShutdownProcess();
}
/// <summary>
/// Hook for ZwTerminateProcess: reports the target process handle and exit
/// status <em>before</em> forwarding to the real API, then prints a
/// "Delay ZwTerminateProcess" line and a countdown from 10 to 1.
/// </summary>
/// <param name="ProcessHandle">Process being terminated; recorded as a 32-bit value.</param>
/// <param name="ExitStatus">Exit status requested by the caller, recorded as-is.</param>
/// <returns>The NTSTATUS of the original ZwTerminateProcess.</returns>
/// <remarks>
/// The callback runs first because, when the handle refers to the current
/// process, the original call never returns and a post-call event would be
/// lost. The result of the real call is therefore not part of the event.
/// As in the LdrShutdownProcess hook, the countdown only prints; it does not wait.
/// </remarks>
public UInt32 ZwTerminateProcess_Hooked(IntPtr ProcessHandle, UInt32 ExitStatus)
{
    preprocessHook();

    // Report before the real call — see remarks.
    TransferUnit unit = createTransferUnit();
    unit[Color.ProcessHandle] = ProcessHandle.ToInt32();
    unit[Color.ExitStatus] = ExitStatus;
    makeCallBack(unit);

    Console.WriteLine("Delay ZwTerminateProcess");
    const int COUNTDOWN_START = 10;
    for (int remaining = COUNTDOWN_START; remaining > 0; remaining--)
    {
        Console.Write(" " + remaining);
    }

    // Now hand over to the real API.
    return NtDllSupport.ZwTerminateProcess(ProcessHandle, ExitStatus);
}
/// <summary>
/// Hook for LdrLoadDll: under <c>sync_object</c>, records the requested
/// module (path pointer, name, flags), forwards to the real loader, adds the
/// resulting module handle, asks the hook registry to (re)install hooks, and
/// delivers the event. "Begin"/"End" markers are written to the console.
/// </summary>
/// <param name="PathToFile">Search-path pointer from the caller; stored as the raw IntPtr.</param>
/// <param name="dwFlags">Load flags, recorded as-is.</param>
/// <param name="ModuleFileName">Name of the module to load; its string form is recorded. Passed by reference, so the loader may update it.</param>
/// <param name="ModuleHandle">Receives the loaded module's handle, which is recorded after the call.</param>
/// <returns>The NTSTATUS of the original LdrLoadDll, unchanged.</returns>
/// <remarks>
/// The lock is held across the real LdrLoadDll call and the callback, so
/// concurrent loads on other threads serialize behind this one; C#'s
/// <c>lock</c> is re-entrant on the same thread, so a nested load triggered
/// from inside the loader does not self-deadlock. The event is dispatched
/// regardless of the returned status, so failed loads are reported too.
/// </remarks>
// this is where we are intercepting all file accesses!
private uint LdrLoadDll_Hooked(IntPtr PathToFile, NtDllSupport.LoadLibraryFlags dwFlags, ref NtDllSupport.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
    lock (sync_object)
    {
        Console.WriteLine("Begin ---------------------LdrLoadDll(\"" + ModuleFileName + "\")");
        preprocessHook();

        TransferUnit unit = createTransferUnit();
        unit["PathToFile"] = PathToFile;
        unit["ModuleFileName"] = ModuleFileName.ToString();
        unit["dwFlags"] = dwFlags;

        // Forward to the real loader through the NtDllSupport wrapper.
        uint status = NtDllSupport.LdrLoadDll(PathToFile, dwFlags, ref ModuleFileName, ref ModuleHandle);
        unit["ModuleHandle"] = ModuleHandle;

        // Presumably lets the registry hook exports of the module just loaded — confirm.
        HookRegistry.checkHooksToInstall();
        makeCallBack(unit);

        Console.WriteLine("End -----------------------LdrLoadDll(\"" + ModuleFileName + "\")=");
        return status;
    }
}