Пример #1
0
        public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            string function = hook.FunctionName.ToLower();

            wrappers.FunctionWrapper functionWr = new wrappers.FunctionWrapper(hook, process, hookCallInfo);


            stackFunctions.Push(functionWr);

            while (functionWr.status == wrappers.FunctionWrapper.Status.Waiting)
            {
                System.Threading.Thread.Sleep(0);
            }

            if (functionWr.status == wrappers.FunctionWrapper.Status.Droped)
            {
                hookCallInfo.SkipCall();
                Program.data.AceptingNewFunctions = true;
                return;
            }

            Program.data.AceptingNewFunctions = true;
        }
        private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            bool is_malware = false;

            IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
            IntPtr address   = callInfo.Result().PointerVal;
            IntPtr length    = callInfo.Params().GetAt(4).PointerVal;

            Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));

            IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);

            is_malware = LookForMalware(process_handle, (IntPtr)maphandle, (uint)length); // assuming that length is int in this example. So, mapped files greater than 2^32 - 1 will not work. Also Marshal.ReadByte is limited to int.



            if (is_malware)
            {
                callInfo.Result().PointerVal = IntPtr.Zero;
                callInfo.LastError = 2;
                callInfo.SkipCall();
            }
        }
Пример #3
0
        public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            string function = hook.FunctionName.ToLower();
            wrappers.FunctionWrapper functionWr = new wrappers.FunctionWrapper(hook, process, hookCallInfo);

            
            stackFunctions.Push(functionWr);

            while (functionWr.status == wrappers.FunctionWrapper.Status.Waiting)
            {
                System.Threading.Thread.Sleep(0);
            }

            if (functionWr.status == wrappers.FunctionWrapper.Status.Droped)
            {
                hookCallInfo.SkipCall();
                Program.data.AceptingNewFunctions = true;
                return;
            }

            Program.data.AceptingNewFunctions = true;
        }
        private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            bool is_malware = false;

            IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
            IntPtr address = callInfo.Result().PointerVal;
            IntPtr length = callInfo.Params().GetAt(4).PointerVal;
            Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));

            IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);

            is_malware = LookForMalware(process_handle, (IntPtr)maphandle, (uint)length); // assuming that length is int in this example. So, mapped files greater than 2^32 - 1 will not work. Also Marshal.ReadByte is limited to int.

            if (is_malware)
            {
                callInfo.Result().PointerVal = IntPtr.Zero;
                callInfo.LastError = 2;
                callInfo.SkipCall();
            }
        }