private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strOnFunctionCalled = hook.FunctionName + "\n";
if (hook.FunctionName.CompareTo("D3D9.DLL!CreateDevice") == 0)
{
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam param = paramsEnum.First();
INktParam tempParam = null;
while (param != null)
{
tempParam = param;
param = paramsEnum.Next();
}
strOnFunctionCalled += " " + tempParam.PointerVal.ToString() + "\n";
}
Output(strOnFunctionCalled);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
NktStackTrace stack = hookCallInfo.StackTrace();
NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);
UInt32 StackOpcodeSize = 50;
byte[] StackOpcode = new byte[StackOpcodeSize];
for (UInt32 n = 0; n < StackOpcodeSize; n++)
{
StackOpcode[n] = (byte)memory.Read((IntPtr)((UInt64)stack.Address(0) - StackOpcodeSize + n), eNktDboFundamentalType.ftUnsignedByte);
}
UInt64 actualAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);
UInt64 nInstrSize = (UInt64)GetInstrSize(StackOpcode, StackOpcodeSize);
UInt64 callingAddr = (UInt64)stack.Address(0) - nInstrSize;
string str = "From: 0x" + callingAddr.ToString("x") + " To: 0x" + actualAddr.ToString("x") + "\n";
Output(str, false);
actualAddr -= SecStartAddress;
callingAddr -= SecStartAddress;
CROSSREF crossref = new CROSSREF();
crossref.From = callingAddr;
crossref.To = actualAddr;
CrossRefSet.Add(crossref);
}
static void OnShellExecute(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.ShellExecute, hook, process, callInfo);
if (report == null)
{
return;
}
report.ID = APIID.ShellExecute;
var param = new ShellExecuteParameter();
if (hook.FunctionName.Contains("teEx"))
{
INktParam p = callInfo.Params().GetAt(0).Evaluate();
param.Name = p.Fields().GetAt(4).IsNullPointer ? "" : p.Fields().GetAt(4).ReadString();
param.Parameters = p.Fields().GetAt(5).IsNullPointer ? "" : p.Fields().GetAt(5).ReadString();
param.Directory = p.Fields().GetAt(6).IsNullPointer ? "" : p.Fields().GetAt(6).ReadString();
}
else
{
param.Name = callInfo.Params().GetAt(2).IsNullPointer ? "" : callInfo.Params().GetAt(2).ReadString();
param.Parameters = callInfo.Params().GetAt(3).IsNullPointer ? "" : callInfo.Params().GetAt(3).ReadString();
param.Directory = callInfo.Params().GetAt(4).IsNullPointer ? "" : callInfo.Params().GetAt(4).ReadString();
}
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnSocket(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new ConnectionParameter();
int len = callInfo.Params().GetAt(2).LongVal;
byte[] buf = new byte[len];
GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned);
IntPtr p = h.AddrOfPinnedObject();
var add = callInfo.Params().GetAt(1);
INktProcessMemory mem = add.Memory();
mem.ReadMem(p, add.PointerVal, (IntPtr)len);
h.Free();
report.ID = hook.FunctionName.Contains("bind") ? APIID.SocketBind : APIID.SocketConnect;
param.Port = (ushort)(buf[2] * 256 + buf[3]);
param.IP = String.Format("{0}.{1}.{2}.{3}", buf[4].ToString("D3"), buf[5].ToString("D3"), buf[6].ToString("D3"), buf[7].ToString("D3"));
param.Server = hook.FunctionName.Contains("bind") ? true : false;
report.ID = param.Server ? APIID.SocketBind : APIID.SocketConnect;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnCreateProcess(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleCreation, APICategory.Process, APIID.CreateProcess, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new CreateProcessParameter();
param.ProcessName = callInfo.Params().GetAt(0).IsNullPointer ? "" : callInfo.Params().GetAt(1).ReadString();
param.Parameters = callInfo.Params().GetAt(1).IsNullPointer ? "" : callInfo.Params().GetAt(1).ReadString();
param.Handle = callInfo.Params().GetAt(9).Evaluate().Fields().GetAt(0).SizeTVal;
param.ID = callInfo.Params().GetAt(9).Evaluate().Fields().GetAt(2).ULongVal;
try
{
if (param.ProcessName == "")
{
var pro = System.Diagnostics.Process.GetProcessById((int)param.ID);
param.ProcessName = pro.ProcessName;
}
}
catch { }
report.Parameter = param;
Reports.Enqueue(report);
}
public static void OnConnectCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
/*
* struct sockaddr {
* ushort sa_family;
* char sa_data[14];
* };
*/
INktParamsEnum pms = hookCallInfo.Params();
INktParam p;
p = pms.GetAt(1); //get the second param (const struct sockaddr *name)
if (p.IsNullPointer == false)
{
INktParam pC;
ushort sa_family;
//if not null, analyze it
p = p.Evaluate(); //now p becomes the struct itself not anymore a pointer to
pC = p.Field(0);
sa_family = pC.get_UShortValAt(0);
try
{
pC = p.Field(1);
byte[] bytes_port = new byte[] { pC.get_ByteValAt(0), pC.get_ByteValAt(1) };
ushort port = PortToUShort(bytes_port);
Console.WriteLine("Port: {0}", port);
byte[] ip = new byte[] { pC.get_ByteValAt(2), pC.get_ByteValAt(3), pC.get_ByteValAt(4), pC.get_ByteValAt(5) };
string detected_ip = IPtoString(ip);
Console.WriteLine("IP: {0}", detected_ip);
if (bind_ip == "0.0.0.0" || bind_ip == "*" || IPtoString(ip) == bind_ip) // Match rule IP
{
if (bind_port == 0 || bind_port == port) // Match rule Port
{
byte[] target_ip = StringtoIP(forward_ip);
pC.set_ByteValAt(2, target_ip[0]);
pC.set_ByteValAt(3, target_ip[1]);
pC.set_ByteValAt(4, target_ip[2]);
pC.set_ByteValAt(5, target_ip[3]);
if (forward_port != 0)
{
byte[] forward_port_change = UShorttoPort(forward_port);
pC.set_ByteValAt(0, forward_port_change[0]);
pC.set_ByteValAt(1, forward_port_change[1]);
}
Console.WriteLine("Redirect From {0}:{1} to {1}", detected_ip, (bind_port == 0)?'*':bind_port, forward_ip, (forward_port == 0)?'*':forward_port);
}
}
}
catch (Exception e)
{
Console.WriteLine("Error {0}", e);
throw e;
}
}
}
public FunctionWrapper(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
this.Hook = Hook;
this.proc = proc;
this.callInfo = callInfo;
status = Status.Waiting;
}
public FunctionWrapper(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
this.Hook = Hook;
this.proc = proc;
this.callInfo = callInfo;
status = Status.Waiting;
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
Output("Xploit CVE-2010-3971");
MessageBox.Show("Xploit CVE-2010-3971");
Thread.Sleep(System.Threading.Timeout.Infinite);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
nTime++;
if (nSpeed==-2)
hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal - (int)(nTime * 0.2);
else if(nSpeed==2)
hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + (int)(nTime * 3);
}
private void MapViewOfFileCustomHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
if (callInfo.CustomParams().Count == 1)
{
byte has_malware = callInfo.CustomParams().GetAt(0).ByteVal;
Debug.WriteLine(String.Format("MapViewOfFileCustomHook:: with has_malware = {0}", has_malware));
}
}
public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string function = hook.FunctionName.ToLower();
Console.WriteLine("Called function {0}", function);
if (function == "WS2_32.dll!connect".ToLower())
{
OnConnectCalled(hook, process, hookCallInfo);
}
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
nTime++;
if (nSpeed == -2)
{
hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal - (int)(nTime * 0.2);
}
else if (nSpeed == 2)
{
hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + (int)(nTime * 3);
}
}
void _spyMgr_OnFunctionCalled(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
if (Hook.FunctionName == "kernel32.dll!MapViewOfFile")
{
if (this._use_deviare_custom_hook_plugin)
{
MapViewOfFileCustomHook(Hook, proc, callInfo);
}
else
{
MapViewOfFileHook(Hook, proc, callInfo);
}
}
}
static void OnWriteProcessMemory(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleConsuming, APICategory.Process, APIID.WriteProcessMemory, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new WriteProcessMemoryParameter();
param.Handle = callInfo.Params().GetAt(0).SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnFindFirstFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.FindFirstFile, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new FindFirstFileParameter();
param.FileName = callInfo.Params().GetAt(0).ReadString();
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnSetWindowsHook(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SetWindowsHook, hook, process, callInfo);
if (report == null)
{
return;
}
report.ID = APIID.SetWindowsHook;
var param = new SetWindowsHookParameter();
param.HookType = callInfo.Params().GetAt(0).LongVal;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnProcess32First(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleConsuming, APICategory.ToolHelp, APIID.Process32First, hook, process, callInfo);
if (report == null)
{
return;
}
report.ID = APIID.Process32First;
var param = new Process32FirstParameter();
param.Handle = callInfo.Params().GetAt(0).SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnGetProcAddress(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleConsuming, APICategory.LibraryLoading, APIID.GetProcAddress, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new GetProcAddressParameter();
param.Handle = callInfo.Params().GetAt(0).SizeTVal;
param.Proc = callInfo.Params().GetAt(1).ReadString();
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnUrlDownloadToFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new UrlDownloadToFileParameter();
param.Url = callInfo.Params().GetAt(1).ReadString();
param.FilePath = callInfo.Params().GetAt(2).ReadString();
report.ID = APIID.UrlDownloadToFile;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnCreateService(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.CreateService, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new CreateServiceParameter();
param.Name = callInfo.Params().GetAt(1).IsNullPointer?"N/A":callInfo.Params().GetAt(1).ReadString();
param.Path = callInfo.Params().GetAt(7).IsNullPointer?"N/A":callInfo.Params().GetAt(7).ReadString();
param.Mode = callInfo.Params().GetAt(5).ULongVal;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnRegOpenKey(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleCreation, APICategory.Registry, APIID.RegOpenKey, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new RegOpenKeyParameter();
param.HKey = callInfo.Params().GetAt(0).SizeTVal;
param.SubKey = callInfo.Params().GetAt(1).ReadString();
param.Handle = hook.FunctionName.ToUpper().Contains("EX") ? callInfo.Params().GetAt(4).Evaluate().SizeTVal : callInfo.Params().GetAt(2).Evaluate().SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnCreateToolhelp32Snapshot(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleCreation, APICategory.ToolHelp, APIID.CreateToolhelp, hook, process, callInfo);
if (report == null)
{
return;
}
report.ID = APIID.CreateToolhelp;
var param = new CreateToolhelp32Snapshot();
param.Flags = callInfo.Params().GetAt(0).ULongVal;
param.Handle = callInfo.Result().SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnCreateFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleCreation, APICategory.Files, APIID.CreateFile, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new CreateFileParameter();
param.Path = callInfo.Params().GetAt(0).ReadString();
param.Access = callInfo.Params().GetAt(1).ULongVal;
param.Mode = callInfo.Params().GetAt(4).ULongVal;
param.Handle = callInfo.Result().SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strDocument = "Document: ";
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam param = paramsEnum.First();
param = paramsEnum.Next();
param = paramsEnum.Next();
if (param.PointerVal != IntPtr.Zero)
{
INktParamsEnum paramsEnumStruct = param.Evaluate().Fields();
INktParam paramStruct = paramsEnumStruct.First();
strDocument += paramStruct.ReadString();
strDocument += "\n";
}
Output(strDocument);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
Output(hook.FunctionName + "( ");
bool first = true;
foreach (INktParam param in hookCallInfo.Params())
{
if (first)
{
first = false;
}
else
{
Output(", ");
}
Output(param.Name + " = " + param.Value.ToString());
}
Output(" )" + Environment.NewLine);
}
/// <summary>
/// WriteFile调用事件处理函数
/// </summary>
/// <param name="hook"></param>
/// <param name="process"></param>
/// <param name="hookCallInfo"></param>
private void OnWriteFileCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strDocument = "Document: ";
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam hFile = paramsEnum.First();
//paramsEnum.Next();
//paramsEnum.Next();
//paramsEnum.Next();
//paramsEnum.Next();
INktParam lpBuffer = paramsEnum.Next();
INktParam nNumberOfBytesToWrite = paramsEnum.Next();
#region 着官方示例写的 毛用没有
if (hFile.PointerVal != IntPtr.Zero)
{
INktParamsEnum hFileEnumStruct = hFile.Evaluate().Fields();
INktParam hFileStruct = hFileEnumStruct.First();
}
Console.Out.WriteLine(lpBuffer.ReadString());
Console.Out.WriteLine(lpBuffer.Address);
if (lpBuffer.PointerVal != IntPtr.Zero)
{
strDocument += lpBuffer.ReadString();
strDocument += "\n";
}
Output(strDocument);
#endregion
var h_file = QueryFileHandle(hFile.Address);
ReadBuffer(lpBuffer.Address, nNumberOfBytesToWrite.Address);
}
static void OnLoadLibrary(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleCreation, APICategory.LibraryLoading, APIID.LoadLibrary, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new LoadLibraryParameter();
if (callInfo.Params().GetAt(0).IsNullPointer)
{
param.LibraryName = "N/A";
}
else
{
param.LibraryName = callInfo.Params().GetAt(0).ReadString();
}
param.Handle = callInfo.Result().SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strDocument = "Document: ";
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam param = paramsEnum.First();
param = paramsEnum.Next();
param = paramsEnum.Next();
if (param.PointerVal != IntPtr.Zero)
{
INktParamsEnum paramsEnumStruct = param.Evaluate().Fields();
INktParam paramStruct = paramsEnumStruct.First();
strDocument += paramStruct.ReadString();
strDocument += "\n";
}
Output(strDocument);
}
private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
bool is_malware = false;
IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
IntPtr address = callInfo.Result().PointerVal;
IntPtr length = callInfo.Params().GetAt(4).PointerVal;
Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));
IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);
is_malware = LookForMalware(process_handle, (IntPtr)maphandle, (uint)length); // assuming that length is int in this example. So, mapped files greater than 2^32 - 1 will not work. Also Marshal.ReadByte is limited to int.
if (is_malware)
{
callInfo.Result().PointerVal = IntPtr.Zero;
callInfo.LastError = 2;
callInfo.SkipCall();
}
}
public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string function = hook.FunctionName.ToLower();
wrappers.FunctionWrapper functionWr = new wrappers.FunctionWrapper(hook, process, hookCallInfo);
stackFunctions.Push(functionWr);
while (functionWr.status == wrappers.FunctionWrapper.Status.Waiting)
{
System.Threading.Thread.Sleep(0);
}
if (functionWr.status == wrappers.FunctionWrapper.Status.Droped)
{
hookCallInfo.SkipCall();
Program.data.AceptingNewFunctions = true;
return;
}
Program.data.AceptingNewFunctions = true;
}
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a class factory that belongs
//to the CLSID we need, in our example, "ShellFolderView coclass"
pms = callInfo.Params();
if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
{
s = pms.GetAt(1).GuidString;
if (s == "{00000001-0000-0000-C000-000000000046}")
{
//we have ShellFolderView's IClassFactory object
if (hookIClassFactory_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
hookIClassFactory_CreateInstance.Attach(proc.Id, true);
hookIClassFactory_CreateInstance.Hook(true);
hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
}
}
}
}
if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
{
//we have ShellFolderView's IClassFactory2 object
if (hookIClassFactory2_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory2_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
hookIClassFactory2_CreateInstance.Hook(true);
hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
}
if (hookIClassFactory2_CreateInstanceLic == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstanceLic method is the eighth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
hookIClassFactory2_CreateInstanceLic.Hook(true);
hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
}
}
}
}
}
}
return;
}
static void OnIClassFactory2CreateInstanceLicCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
//because interface instances can be created by IClassFactory2 too, may you have
//to define a similar code than above
}
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a instance that belongs
//to the IID we need, in our example, "IShellFolderViewDual"
pms = callInfo.Params();
//remember that the first parameter is the interface pointer itself
s = pms.GetAt(2).GuidString;
if (s == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}" ||
s == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}" ||
s == "{88A05C00-F000-11CE-8350-444553540000}")
{
//at this point we have to apply a similar code than we used to hook
//IClassFactory::CreateInstance above and the other methods
addr = pms.GetAt(3).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
/*
* .
* .
* .
*/
}
}
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
NktStackTrace stack = hookCallInfo.StackTrace();
NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);
UInt32 StackOpcodeSize = 50;
byte[] StackOpcode = new byte[StackOpcodeSize];
for (UInt32 n = 0; n < StackOpcodeSize; n++)
{
StackOpcode[n] = (byte)memory.Read((IntPtr)((UInt64)stack.Address(0) - StackOpcodeSize + n), eNktDboFundamentalType.ftUnsignedByte);
}
UInt64 actualAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);
UInt64 nInstrSize = (UInt64)GetInstrSize(StackOpcode, StackOpcodeSize);
UInt64 callingAddr = (UInt64)stack.Address(0) - nInstrSize;
string str = "From: 0x" + callingAddr.ToString("x") + " To: 0x" + actualAddr.ToString("x") + "\n";
Output(str, false);
actualAddr -= SecStartAddress;
callingAddr -= SecStartAddress;
CROSSREF crossref = new CROSSREF();
crossref.From = callingAddr;
crossref.To = actualAddr;
CrossRefSet.Add(crossref);
}
private void HandleFuncionCall(NktHook aHook, NktProcess aProcess, NktHookCallInfo hookCallInfo)
{
FunctionCalledHandler(CreateConsoleHookFrom(aHook), CreateConsoleProcessFrom(aProcess), hookCallInfo);
}
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a class factory that belongs
//to the CLSID we need, in our example, "ShellFolderView coclass"
pms = callInfo.Params();
if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
{
s = pms.GetAt(1).GuidString;
if (s == "{00000001-0000-0000-C000-000000000046}")
{
//we have ShellFolderView's IClassFactory object
if (hookIClassFactory_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
hookIClassFactory_CreateInstance.Attach(proc.Id, true);
hookIClassFactory_CreateInstance.Hook(true);
hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
}
}
}
}
if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
{
//we have ShellFolderView's IClassFactory2 object
if (hookIClassFactory2_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory2_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
hookIClassFactory2_CreateInstance.Hook(true);
hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
}
if (hookIClassFactory2_CreateInstanceLic == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstanceLic method is the eighth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
hookIClassFactory2_CreateInstanceLic.Hook(true);
hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
}
}
}
}
}
}
return;
}
private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
bool is_malware = false;
IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
IntPtr address = callInfo.Result().PointerVal;
IntPtr length = callInfo.Params().GetAt(4).PointerVal;
Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));
IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);
is_malware = LookForMalware(process_handle, (IntPtr)maphandle, (uint)length); // assuming that length is int in this example. So, mapped files greater than 2^32 - 1 will not work. Also Marshal.ReadByte is limited to int.
if (is_malware)
{
callInfo.Result().PointerVal = IntPtr.Zero;
callInfo.LastError = 2;
callInfo.SkipCall();
}
}
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a instance that belongs
//to the IID we need, in our example, "IShellFolderViewDual"
pms = callInfo.Params();
//remember that the first parameter is the interface pointer itself
s = pms.GetAt(2).GuidString;
if (s == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}" ||
s == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}" ||
s == "{88A05C00-F000-11CE-8350-444553540000}")
{
//at this point we have to apply a similar code than we used to hook
//IClassFactory::CreateInstance above and the other methods
addr = pms.GetAt(3).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
/*
.
.
.
*/
}
}
}
public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string function = hook.FunctionName.ToLower();
wrappers.FunctionWrapper functionWr = new wrappers.FunctionWrapper(hook, process, hookCallInfo);
stackFunctions.Push(functionWr);
while (functionWr.status == wrappers.FunctionWrapper.Status.Waiting)
{
System.Threading.Thread.Sleep(0);
}
if (functionWr.status == wrappers.FunctionWrapper.Status.Droped)
{
hookCallInfo.SkipCall();
Program.data.AceptingNewFunctions = true;
return;
}
Program.data.AceptingNewFunctions = true;
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
Output("Xploit CVE-2010-3971");
MessageBox.Show("Xploit CVE-2010-3971");
Thread.Sleep(System.Threading.Timeout.Infinite);
}
void _spyMgr_OnFunctionCalled(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
if (Hook.FunctionName == "kernel32.dll!MapViewOfFile")
{
if (this._use_deviare_custom_hook_plugin)
MapViewOfFileCustomHook(Hook, proc, callInfo);
else
MapViewOfFileHook(Hook, proc, callInfo);
}
}
private void FunctionCalledHandler(Hook hook, IProcess aProcess, NktHookCallInfo hookCallInfo)
{
var aFunctionCallInfo = new FunctionCallInfo(hook, aProcess, hookCallInfo);
_functionCallHandler.Handle(aFunctionCallInfo);
}
static void OnIClassFactory2CreateInstanceLicCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
//because interface instances can be created by IClassFactory2 too, may you have
//to define a similar code than above
}
public FunctionCallInfo(Hook aHook, IProcess aProcess, NktHookCallInfo hookCallInfo)
{
Hook = aHook;
Process = aProcess;
HookCallInfo = hookCallInfo;
}
private void MapViewOfFileCustomHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
if (callInfo.CustomParams().Count == 1)
{
byte has_malware = callInfo.CustomParams().GetAt(0).ByteVal;
Debug.WriteLine(String.Format("MapViewOfFileCustomHook:: with has_malware = {0}", has_malware));
}
}
