//Checks entropy of buffer, and that path is not REG or appdata
private void writeFileH(INktHookCallInfo callInfo)
{
//Get written path from file handle
NktTools tool = new NktTools();
string path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process());
//If path is relevant check entropy
if (!path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase) &&
!path.Contains("\\REGISTRY\\"))
{
INktParam pBuf = callInfo.Params().GetAt(1); //Data to write
INktParam pBytes = callInfo.Params().GetAt(2); //Length of data
uint bytesToWrite = pBytes.ULongVal;
double entropy = 0;
if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0)
{
INktProcessMemory procMem = process.Memory();
byte[] buffer = new byte[bytesToWrite];
GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pDest = pinnedBuffer.AddrOfPinnedObject();
procMem.ReadMem(pDest, pBuf.PointerVal, (IntPtr)bytesToWrite);
pinnedBuffer.Free();
var str = System.Text.Encoding.UTF8.GetString(buffer);
//Get per-byte entropy
entropy = getEntropy(buffer);
}
if (entropy > 6)
{
intelligence.writeFileS();
}
}
}
static void OnSocket(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new ConnectionParameter();
int len = callInfo.Params().GetAt(2).LongVal;
byte[] buf = new byte[len];
GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned);
IntPtr p = h.AddrOfPinnedObject();
var add = callInfo.Params().GetAt(1);
INktProcessMemory mem = add.Memory();
mem.ReadMem(p, add.PointerVal, (IntPtr)len);
h.Free();
report.ID = hook.FunctionName.Contains("bind") ? APIID.SocketBind : APIID.SocketConnect;
param.Port = (ushort)(buf[2] * 256 + buf[3]);
param.IP = String.Format("{0}.{1}.{2}.{3}", buf[4].ToString("D3"), buf[5].ToString("D3"), buf[6].ToString("D3"), buf[7].ToString("D3"));
param.Server = hook.FunctionName.Contains("bind") ? true : false;
report.ID = param.Server ? APIID.SocketBind : APIID.SocketConnect;
report.Parameter = param;
Reports.Enqueue(report);
}
byte[] GetValue(uint pid, INktParam paramData, INktParam paramSize, bool sizeAndTypeArePtr)
{
byte[] buffer = null;
uint valueSize;
if (sizeAndTypeArePtr)
{
if (paramSize.IsNullPointer == false)
{
valueSize = paramSize.Evaluate().ULongVal;
}
else
{
valueSize = 0;
}
}
else
{
valueSize = paramSize.ULongVal;
}
if (paramData.IsNullPointer == false)
{
//if (paramData.PointerVal != IntPtr.Zero)
if (!paramData.PointerVal.Equals(IntPtr.Zero))
{
INktProcessMemory procMem = _spyMgr.ProcessMemoryFromPID((int)pid);
//var buffer = new byte[valueSize];
buffer = new byte[valueSize];
GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IntPtr pDest = pinnedBuffer.AddrOfPinnedObject();
//Int64 bytesReaded = procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize).ToInt64();
//Int64 bytesReaded = procMem.ReadMem((int) pDest, (int)paramData.PointerVal, (int) valueSize).ToInt64();
Int64 bytesReaded = procMem.ReadMem(pDest, paramData.PointerVal, (IntPtr)valueSize).ToInt64();
pinnedBuffer.Free();
/* valueData = "";
* for (int i = 0; i < bytesReaded; i++)
* {
* if (i != 0)
* valueData += " ";
* valueData += Convert.ToByte(buffer[i]).ToString("X2");
* }*/
}
}
return(buffer);
}
static void OnRegSetValue(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleConsuming, APICategory.Registry, APIID.RegSetValue, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new RegSetValueParameter();
param.Handle = callInfo.Params().GetAt(0).SizeTVal;
param.Value = callInfo.Params().GetAt(1).IsNullPointer ? "Default" : callInfo.Params().GetAt(1).ReadString();
string data = "";
uint type, len;
INktParam pData;
if (hook.FunctionName.Contains("Ex"))
{
type = callInfo.Params().GetAt(3).ULongVal;
len = callInfo.Params().GetAt(5).ULongVal;
pData = callInfo.Params().GetAt(4);
}
else
{
type = callInfo.Params().GetAt(2).ULongVal;
len = callInfo.Params().GetAt(4).ULongVal;
pData = callInfo.Params().GetAt(3);
}
if (!pData.IsNullPointer)
{
switch (type)
{
case 1:
case 2:
case 7:
byte[] buf = new byte[len];
GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned);
IntPtr p = h.AddrOfPinnedObject();
INktProcessMemory mem = pData.Memory();
mem.ReadMem(p, pData.PointerVal, (IntPtr)len);
h.Free();
if (hook.FunctionName.Contains("W"))
{
data = Encoding.Unicode.GetString(buf, 0, (int)len);
}
else
{
data = Encoding.ASCII.GetString(buf, 0, (int)len);
}
break;
case 3:
case 4:
data = pData.Evaluate().ULongVal.ToString();
break;
}
}
data = data.Replace('\0', ' ');
data = data.Trim();
param.Type = type;
param.Data = data;
report.Parameter = param;
Reports.Enqueue(report);
}
