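        /// <summary>
        /// WriteFile hook handler: reads the data about to be written and checks its
        /// per-byte entropy, unless the target path is under AppData or the registry namespace.
        /// </summary>
        /// <param name="callInfo">Hook call info; param 0 is the file handle, 1 the data pointer, 2 the byte count.</param>
        private void writeFileH(INktHookCallInfo callInfo)
        {
            // Entropy (bits per byte) above which the written data is reported as suspicious.
            const double EntropyThreshold = 6;

            // Resolve the file handle (param 0) to a path in the hooked process.
            NktTools tool = new NktTools();
            string   path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process());

            // No path means nothing to classify (the original would have thrown on Contains()).
            if (string.IsNullOrEmpty(path))
            {
                return;
            }

            // Only writes outside AppData and the registry namespace are of interest.
            if (path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase) ||
                path.Contains("\\REGISTRY\\"))
            {
                return;
            }

            INktParam pBuf   = callInfo.Params().GetAt(1); // Data to write
            INktParam pBytes = callInfo.Params().GetAt(2); // Length of data

            uint   bytesToWrite = pBytes.ULongVal;
            double entropy      = 0;
            if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0)
            {
                // NOTE(review): bytesToWrite comes from the hooked process and sizes this
                // allocation with no upper bound — confirm whether a cap is wanted.
                INktProcessMemory procMem = process.Memory();
                byte[]            buffer  = new byte[bytesToWrite];

                // Pin the managed buffer so the native copy has a stable destination;
                // the finally releases the handle even if ReadMem throws.
                GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
                try
                {
                    procMem.ReadMem(pinnedBuffer.AddrOfPinnedObject(), pBuf.PointerVal, (IntPtr)bytesToWrite);
                }
                finally
                {
                    pinnedBuffer.Free();
                }

                // Per-byte entropy of the copied data
                entropy = getEntropy(buffer);
            }

            if (entropy > EntropyThreshold)
            {
                intelligence.writeFileS();
            }
        }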
        /// <summary>
        /// Hook callback for ShellExecute/ShellExecuteEx: builds a report carrying the
        /// target name, its parameters and the working directory, then queues it.
        /// </summary>
        /// <param name="hook">The hook that fired; its function name selects the parameter layout.</param>
        /// <param name="process">The hooked process.</param>
        /// <param name="callInfo">Call parameters of the intercepted function.</param>
        static void OnShellExecute(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.ShellExecute, hook, process, callInfo);
            if (report is null)
            {
                return;
            }

            // Reads a string parameter, or "" when the pointer is null.
            string ReadOrEmpty(INktParam p) => p.IsNullPointer ? "" : p.ReadString();

            report.ID = APIID.ShellExecute;

            var param = new ShellExecuteParameter();
            if (hook.FunctionName.Contains("teEx"))
            {
                // The Ex variant takes a struct argument (presumably SHELLEXECUTEINFO);
                // the strings are read from its fields 4..6.
                INktParamsEnum fields = callInfo.Params().GetAt(0).Evaluate().Fields();
                param.Name       = ReadOrEmpty(fields.GetAt(4));
                param.Parameters = ReadOrEmpty(fields.GetAt(5));
                param.Directory  = ReadOrEmpty(fields.GetAt(6));
            }
            else
            {
                // The plain variant passes the strings as positional arguments 2..4.
                INktParamsEnum args = callInfo.Params();
                param.Name       = ReadOrEmpty(args.GetAt(2));
                param.Parameters = ReadOrEmpty(args.GetAt(3));
                param.Directory  = ReadOrEmpty(args.GetAt(4));
            }

            report.Parameter = param;
            Reports.Enqueue(report);
        }
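    /// <summary>
    /// Copies a value buffer out of the hooked process.
    /// </summary>
    /// <param name="pid">Process id the parameters belong to.</param>
    /// <param name="paramData">Pointer parameter to the value data.</param>
    /// <param name="paramSize">Size parameter: a direct ULONG, or a pointer to one.</param>
    /// <param name="sizeAndTypeArePtr">True when <paramref name="paramSize"/> must be dereferenced first.</param>
    /// <returns>
    /// The bytes actually read, or null when the data pointer is null. If the read is
    /// short the result is truncated to the bytes read (possibly empty).
    /// </returns>
    byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr)
    {
        // Resolve the size; a null size pointer means "no data".
        uint valueSize;
        if (sizeAndTypeArePtr)
        {
            valueSize = paramSize.IsNullPointer ? 0 : paramSize.Evaluate().ULongVal;
        }
        else
        {
            valueSize = paramSize.ULongVal;
        }

        if (paramData.IsNullPointer || paramData.PointerVal == IntPtr.Zero)
        {
            return null;
        }

        // NOTE(review): valueSize is controlled by the hooked process and sizes this
        // allocation with no upper bound — confirm whether a cap is wanted.
        INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid);
        byte[]            buffer  = new byte[valueSize];

        // Pin so the native copy has a stable destination; the finally releases the
        // handle even if ReadMem throws (the original leaked it in that case).
        GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        long     bytesRead;
        try
        {
            bytesRead = procMem.ReadMem(pinnedBuffer.AddrOfPinnedObject(), paramData.PointerVal, (IntPtr)valueSize).ToInt64();
        }
        finally
        {
            pinnedBuffer.Free();
        }

        // NOTE(review): assumes ReadMem returns the byte count copied (the original's
        // unused `bytesReaded` suggests so) — confirm. A short read previously left a
        // zero-filled tail that callers could not distinguish from real data.
        if (bytesRead >= 0 && bytesRead < valueSize)
        {
            Array.Resize(ref buffer, (int)bytesRead);
        }

        return buffer;
    }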
        /// <summary>
        /// Hook callback: treats the third parameter as a pointer to a struct and
        /// reports the string in that struct's first field as the document name.
        /// </summary>
        /// <param name="hook">The hook that fired (unused).</param>
        /// <param name="process">The hooked process (unused).</param>
        /// <param name="hookCallInfo">Call parameters of the intercepted function.</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            INktParamsEnum args = hookCallInfo.Params();

            // Advance past the first two parameters; the third is the one of interest.
            args.First();
            args.Next();
            INktParam third = args.Next();

            var document = new System.Text.StringBuilder("Document: ");
            if (third.PointerVal != IntPtr.Zero)
            {
                INktParam firstField = third.Evaluate().Fields().First();
                document.Append(firstField.ReadString()).Append('\n');
            }

            Output(document.ToString());
        }
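        /// <summary>
        /// WriteFile call handler: logs the buffer being written and forwards the
        /// handle and buffer parameters to the inspection helpers.
        /// </summary>
        /// <param name="hook">The hook that fired (unused).</param>
        /// <param name="process">The hooked process (unused).</param>
        /// <param name="hookCallInfo">Call info; parameters are hFile, lpBuffer, nNumberOfBytesToWrite in order.</param>
        private void OnWriteFileCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            INktParamsEnum paramsEnum = hookCallInfo.Params();

            // WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, ...) — taken in declaration order.
            INktParam hFile                 = paramsEnum.First();
            INktParam lpBuffer              = paramsEnum.Next();
            INktParam nNumberOfBytesToWrite = paramsEnum.Next();

            string strDocument = "Document: ";

            Console.Out.WriteLine(lpBuffer.Address);

            // Only dereference lpBuffer when it is non-null; the original called ReadString
            // before the check. The buffer is raw data from the hooked process and not
            // necessarily text, so ReadString is a best-effort view of it.
            if (lpBuffer.PointerVal != IntPtr.Zero)
            {
                string content = lpBuffer.ReadString();
                Console.Out.WriteLine(content);
                strDocument += content;
                strDocument += "\n";
            }

            Output(strDocument);

            // Result was unused in the original; the call is kept in case the lookup has side effects.
            QueryFileHandle(hFile.Address);

            ReadBuffer(lpBuffer.Address, nNumberOfBytesToWrite.Address);
        }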
    /// <summary>
    /// Plugin callback invoked for each hooked call: tags the call with the sample
    /// name and records every parameter whose (dereferenced) type is HKEY.
    /// </summary>
    /// <param name="hookInfo">Describes the hook that fired.</param>
    /// <param name="chainIndex">Position of this plugin in the hook chain.</param>
    /// <param name="callInfo">Call parameters plus the key/value sink for recorded data.</param>
    /// <returns>Always 0.</returns>
    public int OnFunctionCall(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
    {
        System.Diagnostics.Trace.WriteLine(
            $"MyRegistryPlugin::OnFunctionCall called [Hook: {hookInfo.FunctionName} @ 0x{hookInfo.Address.ToString("X")} / Chain:{chainIndex}]");

        callInfo.AddString("sample name", "HKEY extractor sample");

        INktParamsEnum args = callInfo.Params();
        for (int index = 0; index < args.Count; index++)
        {
            INktParam current = args.GetAt(index);

            // Pointers are dereferenced so the pointed-to type is what gets inspected.
            if (current.IsPointer)
            {
                current = current.Evaluate();
            }

            if (current is null || current.TypeName != "HKEY")
            {
                continue;
            }

            callInfo.AddSizeT($"param#{index}", current.SizeTVal);
        }

        return 0;
    }
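    /// <summary>
    /// Copies a value buffer out of the hooked process.
    /// </summary>
    /// <param name="pid">Process id the parameters belong to.</param>
    /// <param name="paramData">Pointer parameter to the value data.</param>
    /// <param name="paramSize">Size parameter: a direct ULONG, or a pointer to one.</param>
    /// <param name="sizeAndTypeArePtr">True when <paramref name="paramSize"/> must be dereferenced first.</param>
    /// <returns>
    /// The bytes actually read, or null when the data pointer is null. If the read is
    /// short the result is truncated to the bytes read (possibly empty).
    /// </returns>
    byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr)
    {
        // Resolve the size; a null size pointer means "no data".
        uint valueSize;
        if (sizeAndTypeArePtr)
        {
            valueSize = paramSize.IsNullPointer ? 0 : paramSize.Evaluate().ULongVal;
        }
        else
        {
            valueSize = paramSize.ULongVal;
        }

        if (paramData.IsNullPointer || paramData.PointerVal == IntPtr.Zero)
        {
            return null;
        }

        // NOTE(review): valueSize is controlled by the hooked process and sizes this
        // allocation with no upper bound — confirm whether a cap is wanted.
        INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid);
        byte[]            buffer  = new byte[valueSize];

        // Pin so the native copy has a stable destination; the finally releases the
        // handle even if ReadMem throws (the original leaked it in that case).
        GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        long     bytesRead;
        try
        {
            bytesRead = procMem.ReadMem(pinnedBuffer.AddrOfPinnedObject(), paramData.PointerVal, (IntPtr)valueSize).ToInt64();
        }
        finally
        {
            pinnedBuffer.Free();
        }

        // NOTE(review): assumes ReadMem returns the byte count copied (the original's
        // unused `bytesReaded` suggests so) — confirm. A short read previously left a
        // zero-filled tail that callers could not distinguish from real data.
        if (bytesRead >= 0 && bytesRead < valueSize)
        {
            Array.Resize(ref buffer, (int)bytesRead);
        }

        return buffer;
    }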