/// <summary>
/// Hook callback that skews the integer return value of the hooked function
/// by an amount that grows with the number of calls seen so far.
/// </summary>
/// <param name="hook">The hook this callback is registered on (unused).</param>
/// <param name="process">The hooked process (unused).</param>
/// <param name="hookCallInfo">Call context; its Result() is rewritten in place.</param>
/// <remarks>
/// nTime is the running call counter and nSpeed the selected mode, both kept
/// outside this method. Only the values -2 and 2 change the result; anything
/// else leaves the original return value untouched. Presumably the hooked
/// function is a tick/time source and this is a speed hack — confirm at the
/// hook creation site.
/// </remarks>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    // Every invocation advances the counter, whatever nSpeed is.
    nTime++;

    var ret = hookCallInfo.Result();
    switch (nSpeed)
    {
        case -2:
            // Slow down: pull the value back by 0.2 per call. The (int) cast
            // truncates toward zero, so the first four calls are not adjusted.
            ret.LongVal = ret.LongVal - (int)(nTime * 0.2);
            break;
        case 2:
            // Speed up: push the value forward by 3 per call.
            ret.LongVal = ret.LongVal + (int)(nTime * 3);
            break;
    }
}
/// <summary>
/// Hook callback that drifts the hooked function's return value in the
/// direction selected by nSpeed, by an amount proportional to the call count.
/// </summary>
/// <param name="hook">The hook this callback is registered on (unused).</param>
/// <param name="process">The hooked process (unused).</param>
/// <param name="hookCallInfo">Call context whose Result().LongVal is adjusted.</param>
/// <remarks>
/// nSpeed == -2 subtracts (int)(nTime * 0.2); nSpeed == 2 adds (int)(nTime * 3);
/// any other value is a no-op apart from incrementing nTime. Whether this is
/// meant for a timer API (GetTickCount or similar) cannot be told from here.
/// </remarks>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    nTime++;

    // Work out the signed adjustment first, then apply it once.
    int delta;
    if (nSpeed == -2)
    {
        delta = -(int)(nTime * 0.2);   // truncates: zero for nTime < 5
    }
    else if (nSpeed == 2)
    {
        delta = (int)(nTime * 3);
    }
    else
    {
        return;   // other modes leave the result alone
    }

    hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + delta;
}
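/// <summary>
/// Post-call handler for the hooked IClassFactory::CreateInstance. When the
/// call succeeded and the requested IID is one of the three shell folder view
/// interfaces, it locates the new object's vtable in the target process and
/// reads vtable slot 3 so that method can be hooked in turn.
/// </summary>
/// <param name="hook">The hook this callback is registered on (unused).</param>
/// <param name="proc">Process whose memory holds the created object.</param>
/// <param name="callInfo">Parameters and HRESULT of the intercepted call.</param>
/// <remarks>
/// The original read the out-pointer and walked memory unconditionally. A
/// success HRESULT with a null *ppvObject (or a null vtable) would then read
/// address 0 of the target; those cases now bail out instead.
/// </remarks>
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    // Severity bit set means failure: nothing was created.
    if ((callInfo.Result().ULongVal & 0x80000000) != 0)
    {
        return;
    }

    NktParamsEnum pms = callInfo.Params();

    // IClassFactory::CreateInstance(this, pUnkOuter, riid, ppvObject):
    // index 0 is the interface pointer itself, so riid is 2 and ppvObject is 3.
    string iid = pms.GetAt(2).GuidString;
    // Per the original comment these are the IShellFolderViewDual family
    // (presumably Dual / Dual2 / Dual3 — confirm against the SDK headers).
    bool wanted = iid == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"
               || iid == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}"
               || iid == "{88A05C00-F000-11CE-8350-444553540000}";
    if (!wanted)
    {
        return;
    }

    // ppvObject is an out-parameter living in the hooked process; Evaluate()
    // reads the pointer value it holds after the call.
    IntPtr obj = pms.GetAt(3).Evaluate().PointerVal;
    if (obj == IntPtr.Zero)
    {
        return;
    }

    // The first pointer-sized word of a COM object is its vtable pointer.
    IntPtr vtable = proc.Memory().get_SSizeTVal(obj);
    if (vtable == IntPtr.Zero)
    {
        return;
    }

    // Slot 3 is the first method after IUnknown's QueryInterface/AddRef/Release.
    // NOTE(review): the original comment called this slot "CreateInstance",
    // copied from the DllGetClassObject handler; on the object created here it
    // is the first method of whichever interface `iid` names, not CreateInstance.
    IntPtr entryPoint = proc.Memory().get_SSizeTVal((IntPtr)(vtable.ToInt64() + 3 * IntPtr.Size));

    // The sample stops here; hooking `entryPoint` follows the same pattern as
    // the IClassFactory hook set up in the DllGetClassObject handler.
}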
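/// <summary>
/// Hook callback for MapViewOfFile. Hands the file-mapping handle to
/// LookForMalware and, when it is flagged, makes the call fail in the hooked
/// process: NULL return value, last error 2 and SkipCall().
/// </summary>
/// <param name="Hook">The hook this callback is registered on (unused).</param>
/// <param name="proc">The hooked process (unused; the handle is taken from callInfo).</param>
/// <param name="callInfo">Parameters and result of the intercepted call.</param>
/// <remarks>
/// NOTE(review): SkipCall() only makes sense before the original function has
/// run, so this is presumably registered as a pre-call hook — confirm at the
/// CreateHook site. The original also read Result().PointerVal into a local it
/// never used; in a pre-call hook that value is not yet meaningful, so the read
/// is gone.
/// </remarks>
private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
    // MapViewOfFile(hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh,
    //               dwFileOffsetLow, dwNumberOfBytesToMap): indices 0 and 4.
    IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
    IntPtr length = callInfo.Params().GetAt(4).PointerVal;

    Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));

    // dwNumberOfBytesToMap is SIZE_T but LookForMalware takes a uint, so on
    // 64-bit a request above uint.MaxValue cannot be passed through. The cast
    // keeps the original truncating (low 32 bits) semantics so scanning
    // behaviour is unchanged, but the truncation is now logged instead of
    // silently scanning a mostly-wrong length. LookForMalware's own
    // Marshal.ReadByte offsets are int-sized, which is the real ceiling.
    long requested = length.ToInt64();
    uint scanLength = unchecked((uint)requested);
    if (IntPtr.Size == 8 && (requested < 0 || requested > uint.MaxValue))
    {
        Debug.WriteLine(String.Format("MapViewOfFile:: dwNumberOfBytesToMap {0} does not fit 32 bits; scanning only {1} bytes", requested, scanLength));
    }

    // Handle to the hooked process for the scanner to read through.
    // NOTE(review): 0x1FFFF looks like the process-specific rights plus DELETE,
    // not PROCESS_ALL_ACCESS (0x1FFFFF on Vista+); the scanner most likely only
    // needs PROCESS_VM_READ | PROCESS_QUERY_INFORMATION — request just those.
    // Also confirm whether NktProcess.Handle() hands back a handle the caller
    // must close; if so one handle leaks per MapViewOfFile call.
    IntPtr processHandle = callInfo.Process().Handle(0x1FFFF);

    bool isMalware = LookForMalware(processHandle, maphandle, scanLength);
    if (isMalware)
    {
        // Fail the call in the target: NULL view, last error 2 (ERROR_FILE_NOT_FOUND).
        // NOTE(review): 5 (ERROR_ACCESS_DENIED) would describe the block more
        // honestly; kept as 2 to preserve observable behaviour.
        callInfo.Result().PointerVal = IntPtr.Zero;
        callInfo.LastError = 2;
        callInfo.SkipCall();
    }
}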
/// <summary>
/// Hook callback for CreateToolhelp32Snapshot(dwFlags, th32ProcessID). Builds a
/// HandleCreation report in the ToolHelp category carrying the snapshot flags
/// and the returned snapshot handle, then queues it on Reports.
/// </summary>
/// <param name="hook">Hook the callback fired on; forwarded to Base.</param>
/// <param name="process">Hooked process; forwarded to Base.</param>
/// <param name="callInfo">Parameters and result of the intercepted call.</param>
static void OnCreateToolhelp32Snapshot(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    var report = Base(APIType.HandleCreation, APICategory.ToolHelp, APIID.CreateToolhelp, hook, process, callInfo);
    // A null report means there is nothing to record for this call.
    if (report == null)
    {
        return;
    }

    // The ID is already passed to Base; re-assigning it is kept for parity
    // with the original (harmless if Base sets it, needed if it does not —
    // cannot tell from here).
    report.ID = APIID.CreateToolhelp;

    var snapshot = new CreateToolhelp32Snapshot
    {
        Flags = callInfo.Params().GetAt(0).ULongVal,   // dwFlags (TH32CS_*)
        Handle = callInfo.Result().SizeTVal,           // returned snapshot handle
    };
    // NOTE(review): th32ProcessID (index 1) is not recorded; for module/heap
    // snapshots it says which process was inspected — worth capturing if the
    // parameter type can hold it.
    report.Parameter = snapshot;
    Reports.Enqueue(report);
}
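/// <summary>
/// Hook callback for CreateFile. Builds a HandleCreation report in the Files
/// category with the requested path, desired access, creation disposition and
/// the returned handle, then queues it on Reports.
/// </summary>
/// <param name="hook">Hook the callback fired on; forwarded to Base.</param>
/// <param name="process">Hooked process; forwarded to Base.</param>
/// <param name="callInfo">Parameters and result of the intercepted call.</param>
/// <remarks>
/// A NULL lpFileName is a caller bug that CreateFile itself rejects, but the
/// hook still runs; the original called ReadString on it regardless. The
/// LoadLibrary handler already guards this with IsNullPointer and records
/// "N/A", and this handler now does the same.
/// </remarks>
static void OnCreateFile(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    var report = Base(APIType.HandleCreation, APICategory.Files, APIID.CreateFile, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    // CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    //            dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
    var param = new CreateFileParameter();
    var pathParam = callInfo.Params().GetAt(0);
    param.Path = pathParam.IsNullPointer ? "N/A" : pathParam.ReadString();
    param.Access = callInfo.Params().GetAt(1).ULongVal;   // dwDesiredAccess
    // "Mode" holds dwCreationDisposition (index 4), not dwShareMode (index 2).
    param.Mode = callInfo.Params().GetAt(4).ULongVal;
    param.Handle = callInfo.Result().SizeTVal;
    report.Parameter = param;
    Reports.Enqueue(report);
}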
/// <summary>
/// Hook callback for LoadLibrary. Builds a HandleCreation report in the
/// LibraryLoading category with the requested library name (or "N/A" when the
/// name pointer is NULL) and the returned module handle, then queues it.
/// </summary>
/// <param name="hook">Hook the callback fired on; forwarded to Base.</param>
/// <param name="process">Hooked process; forwarded to Base.</param>
/// <param name="callInfo">Parameters and result of the intercepted call.</param>
/// <remarks>
/// The recorded name is the string the caller passed, which may be relative;
/// the path the loader actually resolved is not available here.
/// </remarks>
static void OnLoadLibrary(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    var report = Base(APIType.HandleCreation, APICategory.LibraryLoading, APIID.LoadLibrary, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    // lpLibFileName is index 0; guard the NULL case before dereferencing it.
    var nameParam = callInfo.Params().GetAt(0);
    var param = new LoadLibraryParameter
    {
        LibraryName = nameParam.IsNullPointer ? "N/A" : nameParam.ReadString(),
        Handle = callInfo.Result().SizeTVal,
    };
    report.Parameter = param;
    Reports.Enqueue(report);
}
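/// <summary>
/// Post-call handler for the hooked DllGetClassObject(rclsid, riid, ppv). When
/// the call succeeded for the ShellFolderView coclass, it hooks the
/// CreateInstance method of the returned IClassFactory, or the CreateInstance
/// and CreateInstanceLic methods of the returned IClassFactory2, by reading
/// the factory's vtable in the target process. Each hook is created once,
/// guarded by a double-checked lock on hookLock.
/// </summary>
/// <param name="hook">The hook this callback is registered on (unused).</param>
/// <param name="proc">Process whose memory holds the class factory.</param>
/// <param name="callInfo">Parameters and HRESULT of the intercepted call.</param>
/// <remarks>
/// Fixes relative to the original: the OnFunctionCalled handler is now
/// subscribed before the hook is attached and activated (the original did it
/// afterwards, so a CreateInstance call landing in that window went
/// unreported); a null out-pointer or vtable no longer reads target address 0;
/// and the IClassFactory2 CreateInstanceLic hook is set up independently of
/// the CreateInstance one instead of only inside its null check.
/// NOTE(review): only the IClassFactory hook passes flgDontCheckAddress; the
/// IClassFactory2 ones do not. Kept as in the original — confirm whether that
/// asymmetry is intended.
/// </remarks>
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    // Severity bit set means failure: *ppv holds nothing usable.
    if ((callInfo.Result().ULongVal & 0x80000000) != 0)
    {
        return;
    }

    NktParamsEnum pms = callInfo.Params();

    // Only the ShellFolderView coclass (per the original comment) is of interest.
    if (pms.GetAt(0).GuidString != "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
    {
        return;
    }

    string riid = pms.GetAt(1).GuidString;

    if (riid == "{00000001-0000-0000-C000-000000000046}")
    {
        // IID_IClassFactory: CreateInstance is vtable slot 3, right after
        // IUnknown's three methods.
        if (hookIClassFactory_CreateInstance == null)
        {
            lock (hookLock)
            {
                if (hookIClassFactory_CreateInstance == null)
                {
                    IntPtr factory = pms.GetAt(2).Evaluate().PointerVal;
                    hookIClassFactory_CreateInstance = HookVtableSlot(
                        proc, factory, 3, "IClassFactory::CreateInstance",
                        (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress,
                        h => { h.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled; });
                }
            }
        }
    }
    else if (riid == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
    {
        // IID_IClassFactory2: CreateInstance is slot 3, CreateInstanceLic slot 7.
        if (hookIClassFactory2_CreateInstance == null || hookIClassFactory2_CreateInstanceLic == null)
        {
            lock (hookLock)
            {
                IntPtr factory = pms.GetAt(2).Evaluate().PointerVal;
                if (hookIClassFactory2_CreateInstance == null)
                {
                    hookIClassFactory2_CreateInstance = HookVtableSlot(
                        proc, factory, 3, "IClassFactory2::CreateInstance",
                        (int)eNktHookFlags.flgOnlyPostCall,
                        h => { h.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled; });
                }
                if (hookIClassFactory2_CreateInstanceLic == null)
                {
                    hookIClassFactory2_CreateInstanceLic = HookVtableSlot(
                        proc, factory, 7, "IClassFactory2::CreateInstanceLic",
                        (int)eNktHookFlags.flgOnlyPostCall,
                        h => { h.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled; });
                }
            }
        }
    }
}

/// <summary>
/// Reads the vtable of the COM object at <paramref name="obj"/> inside
/// <paramref name="proc"/>, takes the entry point stored in slot
/// <paramref name="slot"/>, and installs a Deviare hook on it.
/// </summary>
/// <param name="proc">Process whose memory holds the object.</param>
/// <param name="obj">Address of the COM object (the value of the out-pointer).</param>
/// <param name="slot">Zero-based vtable index; 0..2 are IUnknown's methods.</param>
/// <param name="name">Display name given to CreateHookForAddress.</param>
/// <param name="flags">eNktHookFlags bit mask given to CreateHookForAddress.</param>
/// <param name="subscribe">Wires the OnFunctionCalled handler; it runs before
/// the hook is attached so no call is missed.</param>
/// <returns>The installed hook, or null when <paramref name="obj"/> or its
/// vtable pointer is null (the caller's field stays null and a later call may
/// retry).</returns>
static NktHook HookVtableSlot(NktProcess proc, IntPtr obj, int slot, string name, int flags, Action<NktHook> subscribe)
{
    if (obj == IntPtr.Zero)
    {
        return null;
    }

    // The first pointer-sized word of a COM object is its vtable pointer.
    IntPtr vtable = proc.Memory().get_SSizeTVal(obj);
    if (vtable == IntPtr.Zero)
    {
        return null;
    }

    // Each slot is one pointer; read the method's code address out of the target.
    IntPtr slotAddress = (IntPtr)(vtable.ToInt64() + slot * IntPtr.Size);
    IntPtr entryPoint = proc.Memory().get_SSizeTVal(slotAddress);

    NktHook vtableHook = spyMgr.CreateHookForAddress(entryPoint, name, flags);
    // Subscribe first, then attach and activate, so the first intercepted
    // call already has a handler.
    subscribe(vtableHook);
    vtableHook.Attach(proc.Id, true);
    vtableHook.Hook(true);
    return vtableHook;
}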
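/// <summary>
/// Post-call handler for the hooked IClassFactory::CreateInstance. When the
/// call succeeded and the requested IID is one of the three shell folder view
/// interfaces, it locates the new object's vtable in the target process and
/// reads vtable slot 3 so that method can be hooked in turn.
/// </summary>
/// <param name="hook">The hook this callback is registered on (unused).</param>
/// <param name="proc">Process whose memory holds the created object.</param>
/// <param name="callInfo">Parameters and HRESULT of the intercepted call.</param>
/// <remarks>
/// The original read the out-pointer and walked memory unconditionally. A
/// success HRESULT with a null *ppvObject (or a null vtable) would then read
/// address 0 of the target; those cases now bail out instead.
/// </remarks>
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    // Severity bit set means failure: nothing was created.
    if ((callInfo.Result().ULongVal & 0x80000000) != 0)
    {
        return;
    }

    NktParamsEnum pms = callInfo.Params();

    // IClassFactory::CreateInstance(this, pUnkOuter, riid, ppvObject):
    // index 0 is the interface pointer itself, so riid is 2 and ppvObject is 3.
    string iid = pms.GetAt(2).GuidString;
    // Per the original comment these are the IShellFolderViewDual family
    // (presumably Dual / Dual2 / Dual3 — confirm against the SDK headers).
    bool wanted = iid == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"
               || iid == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}"
               || iid == "{88A05C00-F000-11CE-8350-444553540000}";
    if (!wanted)
    {
        return;
    }

    // ppvObject is an out-parameter living in the hooked process; Evaluate()
    // reads the pointer value it holds after the call.
    IntPtr obj = pms.GetAt(3).Evaluate().PointerVal;
    if (obj == IntPtr.Zero)
    {
        return;
    }

    // The first pointer-sized word of a COM object is its vtable pointer.
    IntPtr vtable = proc.Memory().get_SSizeTVal(obj);
    if (vtable == IntPtr.Zero)
    {
        return;
    }

    // Slot 3 is the first method after IUnknown's QueryInterface/AddRef/Release.
    // NOTE(review): the original comment called this slot "CreateInstance",
    // copied from the DllGetClassObject handler; on the object created here it
    // is the first method of whichever interface `iid` names, not CreateInstance.
    IntPtr entryPoint = proc.Memory().get_SSizeTVal((IntPtr)(vtable.ToInt64() + 3 * IntPtr.Size));

    // The sample stops here; hooking `entryPoint` follows the same pattern as
    // the IClassFactory hook set up in the DllGetClassObject handler.
}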