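        /// <summary>
        /// Pre-call hook handler: records a cross-reference from the caller of the
        /// hooked function to the function's entry point.
        /// </summary>
        /// <remarks>
        /// The return address on top of the hooked thread's stack is read once; the
        /// 50 bytes preceding it are copied out of the target process and handed to
        /// <c>GetInstrSize</c>, which recovers the size of the CALL instruction so the
        /// caller address can be computed. Both addresses are rebased on
        /// <c>SecStartAddress</c> before being added to <c>CrossRefSet</c>.
        /// The previous version re-queried <c>stack.Address(0)</c> on every loop
        /// iteration; it is now read once.
        /// </remarks>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            const UInt32 windowSize = 50;

            NktStackTrace    stack      = hookCallInfo.StackTrace();
            NktProcessMemory targetMem  = _spyMgr.ProcessMemoryFromPID(_process.Id);
            UInt64           returnAddr = (UInt64)stack.Address(0);

            // Snapshot the bytes immediately before the return address, one byte at a time.
            byte[] window = new byte[windowSize];
            for (UInt32 i = 0; i < windowSize; i++)
            {
                IntPtr at = (IntPtr)(returnAddr - windowSize + i);
                window[i] = (byte)targetMem.Read(at, eNktDboFundamentalType.ftUnsignedByte);
            }

            UInt64 calleeAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);
            UInt64 callerAddr = returnAddr - (UInt64)GetInstrSize(window, windowSize);

            Output("From: 0x" + callerAddr.ToString("x") + "    To: 0x" + calleeAddr.ToString("x") + "\n", false);

            // Store addresses relative to the start of the monitored section.
            CROSSREF xref = new CROSSREF();
            xref.From = callerAddr - SecStartAddress;
            xref.To   = calleeAddr - SecStartAddress;
            CrossRefSet.Add(xref);
        }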
        /// <summary>
        /// Post-call hook handler for <c>IClassFactory::CreateInstance</c>. On a
        /// successful HRESULT it inspects the requested IID and, for the three
        /// shell-view interfaces of interest, walks to the new object's vtable so its
        /// methods can be hooked in turn (that part is elided in this example).
        /// </summary>
        static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // High bit set means a failed HRESULT: nothing was created.
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
            {
                return;
            }

            NktParamsEnum parameters = callInfo.Params();

            // Parameter 0 is the interface pointer itself; parameter 2 is the REFIID.
            string requestedIid = parameters.GetAt(2).GuidString;
            bool   interesting  = string.Equals(requestedIid, "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}", StringComparison.Ordinal)
                               || string.Equals(requestedIid, "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}", StringComparison.Ordinal)
                               || string.Equals(requestedIid, "{88A05C00-F000-11CE-8350-444553540000}", StringComparison.Ordinal);
            if (!interesting)
            {
                return;
            }

            // Same technique used to hook IClassFactory::CreateInstance itself: the
            // out parameter (index 3) points at the object, whose first pointer is its vtable.
            IntPtr objectPtr = parameters.GetAt(3).Evaluate().PointerVal;
            IntPtr vtable    = proc.Memory().get_SSizeTVal(objectPtr);
            // The method of interest is the fourth vtable slot; read its entry point.
            IntPtr slot      = (IntPtr)(vtable.ToInt64() + 3 * IntPtr.Size);
            IntPtr method    = proc.Memory().get_SSizeTVal(slot);

            /*
             * .
             * .
             * .
             */
        }
        /// <summary>
        /// Process-terminated callback: notifies the registered handler and then drops
        /// every hook bookkept for that process.
        /// </summary>
        private void HandleTerminatedProcess(NktProcess aProcess)
        {
            var terminated = CreateConsoleProcessFrom(aProcess);
            ProcessTerminatedHandler(terminated);
            _hooksByProcesses.RemoveAllHooksOf(terminated);
        }
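        /// <summary>
        /// Hook handler for CreateProcess: builds a <c>CreateProcessParameter</c> from
        /// the call's arguments and enqueues the report.
        /// </summary>
        /// <remarks>
        /// Parameter indices follow the Win32 signature as used here: 0 = application
        /// name, 1 = command line, 9 = the PROCESS_INFORMATION out-structure (process
        /// handle at field 0, process id at field 2). When the application-name
        /// pointer is NULL the name is resolved from the new process id on a
        /// best-effort basis. The previous version null-checked parameter 0 but read
        /// the string from parameter 1.
        /// </remarks>
        static void OnCreateProcess(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            var report = Base(APIType.HandleCreation, APICategory.Process, APIID.CreateProcess, hook, process, callInfo);
            if (report == null)
            {
                return;
            }

            var args     = callInfo.Params();
            var appName  = args.GetAt(0);
            var cmdLine  = args.GetAt(1);
            var procInfo = args.GetAt(9).Evaluate().Fields();

            var param = new CreateProcessParameter();
            // Read each string only from the parameter whose pointer was null-checked.
            param.ProcessName = appName.IsNullPointer ? "" : appName.ReadString();
            param.Parameters  = cmdLine.IsNullPointer ? "" : cmdLine.ReadString();
            param.Handle      = procInfo.GetAt(0).SizeTVal;
            param.ID          = procInfo.GetAt(2).ULongVal;

            if (param.ProcessName == "")
            {
                // Best effort: the child may already have exited or be inaccessible,
                // in which case the name simply stays empty.
                try
                {
                    using (var child = System.Diagnostics.Process.GetProcessById((int)param.ID))
                    {
                        param.ProcessName = child.ProcessName;
                    }
                }
                catch (ArgumentException)
                {
                    // No process with that id (already gone).
                }
                catch (InvalidOperationException)
                {
                    // Process information not available.
                }
                catch (System.ComponentModel.Win32Exception)
                {
                    // Access to the process was denied.
                }
            }

            report.Parameter = param;
            Reports.Enqueue(report);
        }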
        /// <summary>
        /// Hook handler for ShellExecute / ShellExecuteEx: extracts the file name,
        /// parameters and working directory from the call and enqueues a report.
        /// </summary>
        /// <remarks>
        /// The Ex variant is recognised by "teEx" in the hooked function name; its
        /// single structure argument carries the three strings at fields 4, 5 and 6,
        /// while plain ShellExecute passes them as parameters 2, 3 and 4. NULL
        /// string pointers are reported as empty strings.
        /// </remarks>
        static void OnShellExecute(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.ShellExecute, hook, process, callInfo);
            if (report == null)
            {
                return;
            }
            report.ID = APIID.ShellExecute;

            var param = new ShellExecuteParameter();
            if (hook.FunctionName.Contains("teEx"))
            {
                var fields = callInfo.Params().GetAt(0).Evaluate().Fields();

                var file = fields.GetAt(4);
                param.Name = file.IsNullPointer ? "" : file.ReadString();
                var arguments = fields.GetAt(5);
                param.Parameters = arguments.IsNullPointer ? "" : arguments.ReadString();
                var directory = fields.GetAt(6);
                param.Directory = directory.IsNullPointer ? "" : directory.ReadString();
            }
            else
            {
                var args = callInfo.Params();

                var file = args.GetAt(2);
                param.Name = file.IsNullPointer ? "" : file.ReadString();
                var arguments = args.GetAt(3);
                param.Parameters = arguments.IsNullPointer ? "" : arguments.ReadString();
                var directory = args.GetAt(4);
                param.Directory = directory.IsNullPointer ? "" : directory.ReadString();
            }

            report.Parameter = param;
            Reports.Enqueue(report);
        }
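        /// <summary>
        /// Hook handler for connect/bind: decodes the IPv4 endpoint from the sockaddr
        /// argument and enqueues a connection report.
        /// </summary>
        /// <remarks>
        /// Parameter 1 is the <c>sockaddr*</c>, parameter 2 its length as supplied by
        /// the hooked process. That length is not trusted: it is clamped to the size
        /// of SOCKADDR_STORAGE (128) and calls passing fewer than 8 bytes are skipped,
        /// because the port (bytes 2-3) and address (bytes 4-7) would lie outside the
        /// buffer (the previous version threw there). Only the sockaddr_in layout is
        /// decoded; the address family in bytes 0-1 is not checked, as before.
        /// The pinned handle is now released even if the memory read throws.
        /// </remarks>
        static void OnSocket(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            const int MaxSockAddrLength = 128; // sizeof(SOCKADDR_STORAGE)
            const int MinSockAddrLength = 8;   // family + port + IPv4 address

            APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo);
            if (report == null)
            {
                return;
            }

            int len = callInfo.Params().GetAt(2).LongVal;
            if (len < MinSockAddrLength)
            {
                // Too short to hold an IPv4 endpoint; nothing meaningful to report.
                return;
            }
            if (len > MaxSockAddrLength)
            {
                len = MaxSockAddrLength;
            }

            var    addrParam = callInfo.Params().GetAt(1);
            byte[] buf       = new byte[len];
            GCHandle pin     = GCHandle.Alloc(buf, GCHandleType.Pinned);
            try
            {
                addrParam.Memory().ReadMem(pin.AddrOfPinnedObject(), addrParam.PointerVal, (IntPtr)len);
            }
            finally
            {
                pin.Free();
            }

            bool isBind = hook.FunctionName.Contains("bind");

            var param = new ConnectionParameter();
            param.Port   = (ushort)(buf[2] * 256 + buf[3]); // sin_port is stored big-endian
            param.IP     = String.Format("{0}.{1}.{2}.{3}", buf[4].ToString("D3"), buf[5].ToString("D3"), buf[6].ToString("D3"), buf[7].ToString("D3"));
            param.Server = isBind;

            report.ID        = isBind ? APIID.SocketBind : APIID.SocketConnect;
            report.Parameter = param;
            Reports.Enqueue(report);
        }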
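        /// <summary>
        /// Finds every running instance of <paramref name="proccessName"/> whose
        /// bitness this host can hook and installs the <c>CStyleSheet::Notify</c>
        /// hook at <c>mshtml.dll base + _RVA</c> in each of them.
        /// </summary>
        /// <returns>
        /// true when at least one instance was hooked (<c>_process</c> then refers to
        /// the last one hooked); false otherwise, with <c>_process</c> reset to null.
        /// The previous version always returned false and cleared <c>_process</c>
        /// even after hooking.
        /// </returns>
        private bool HookProcess(string proccessName)
        {
            NktProcessesEnum candidates = _spyMgr.Processes();
            bool hooked = false;

            for (NktProcess candidate = candidates.First(); candidate != null; candidate = candidates.Next())
            {
                bool nameMatches = candidate.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase);
                bool canHook     = candidate.PlatformBits > 0 && candidate.PlatformBits <= IntPtr.Size * 8;
                if (!nameMatches || !canHook)
                {
                    continue;
                }

                NktModule module = candidate.ModuleByName("mshtml.dll");
                if (module == null)
                {
                    continue;
                }

                // 64-bit-safe arithmetic: ToInt32 would overflow for a 64-bit target.
                IntPtr target = new IntPtr(module.BaseAddress.ToInt64() + _RVA.ToInt64());
                NktHook hook  = _spyMgr.CreateHookForAddress(target, "mshtml.dll!CStyleSheet::Notify", (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable | eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));

                _process = candidate;
                hook.Attach(_process, true);
                hook.Hook(true);
                hooked = true;
            }

            if (!hooked)
            {
                _process = null;
            }
            return hooked;
        }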
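        /// <summary>
        /// Locates spoolsv.exe and installs pre-call hooks on its private
        /// PrvStartDocPrinterW / PrvStartPagePrinter / PrvEndDocPrinter entry points.
        /// Terminates the program with a non-zero exit code when the spooler is not
        /// running (the previous version exited with status 0 on that failure path).
        /// </summary>
        public void DvStart()
        {
            _process = GetProcess("spoolsv.exe");
            if (_process == null)
            {
                Console.WriteLine("spoolsv.exe가 실행이 안됩니다.");
                Environment.Exit(1);
            }

            hookPrinterStart = _spyMgr.CreateHook("spoolsv.exe!PrvStartDocPrinterW", (int)eNktHookFlags.flgOnlyPreCall);
            hookPrinterStart.OnFunctionCalled += OnFunctionCalledPrinterStart;

            hookPage = _spyMgr.CreateHook("spoolsv.exe!PrvStartPagePrinter", (int)eNktHookFlags.flgOnlyPreCall);
            hookPage.OnFunctionCalled += OnFunctionCalledPrintPage;

            hookPrinterEnd = _spyMgr.CreateHook("spoolsv.exe!PrvEndDocPrinter", (int)eNktHookFlags.flgOnlyPreCall);
            hookPrinterEnd.OnFunctionCalled += OnFunctionCalledPrinterEnd;

            // Activate each hook, then bind it to the spooler process.
            hookPrinterStart.Hook(true);
            hookPrinterStart.Attach(_process, true);
            hookPage.Hook(true);
            hookPage.Attach(_process, true);
            hookPrinterEnd.Hook(true);
            hookPrinterEnd.Attach(_process, true);
        }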
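        /// <summary>
        /// Hook handler that outputs the hooked function's name and, for
        /// <c>D3D9.DLL!CreateDevice</c>, the pointer value of its last parameter.
        /// </summary>
        /// <remarks>
        /// The function name is compared ordinally (the previous version used the
        /// culture-sensitive <c>CompareTo</c>), and an empty parameter list no longer
        /// dereferences a null parameter.
        /// </remarks>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            string message = hook.FunctionName + "\n";

            if (string.Equals(hook.FunctionName, "D3D9.DLL!CreateDevice", StringComparison.Ordinal))
            {
                INktParamsEnum paramsEnum = hookCallInfo.Params();

                // Walk to the last parameter; the enumerator exposes only First/Next here.
                INktParam last = null;
                for (INktParam current = paramsEnum.First(); current != null; current = paramsEnum.Next())
                {
                    last = current;
                }

                if (last != null)
                {
                    message += " " + last.PointerVal.ToString() + "\n";
                }
            }

            Output(message);
        }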
        /// <summary>
        /// Replaces any existing hooks with pre-call hooks on <c>kernel32.dll!CreateFileW</c>
        /// and <c>WS2_32.dll!connect</c> in <paramref name="process"/>.
        /// </summary>
        /// <returns>false as soon as one hook cannot be installed; true once both are in place and the process is remembered.</returns>
        public bool HookProcess(NktProcess process)
        {
            this.UnHook();

            if (!HookFunction(process, "kernel32.dll!CreateFileW", eNktHookFlags.flgOnlyPreCall))
            {
                return false;
            }

            if (!HookFunction(process, "WS2_32.dll!connect", eNktHookFlags.flgOnlyPreCall))
            {
                return false;
            }

            this.process = process;
            return true;
        }
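        /// <summary>
        /// Lets the user pick an executable and launches it under the spy manager,
        /// suspended when the checkbox is set. Does nothing when the dialog is
        /// cancelled (the previous version ignored the dialog result and went on with
        /// an empty file name).
        /// </summary>
        private void btnProcess_Click(object sender, EventArgs e)
        {
            openFileDialog1 = new OpenFileDialog();
            if (openFileDialog1.ShowDialog() != DialogResult.OK)
            {
                return;
            }

            _process = _spyMgr.CreateProcess(openFileDialog1.FileName, checkSuspended.Checked, out ContinueEvent);
        }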
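        /// <summary>
        /// Finds every running instance of <paramref name="proccessName"/> whose
        /// bitness this host can hook and installs the <c>CStyleSheet::Notify</c>
        /// hook at <c>mshtml.dll base + _RVA</c> in each of them.
        /// </summary>
        /// <returns>
        /// true when at least one instance was hooked (<c>_process</c> then refers to
        /// the last one hooked); false otherwise, with <c>_process</c> reset to null.
        /// The previous version always returned false and cleared <c>_process</c>
        /// even after hooking.
        /// </returns>
        private bool HookProcess(string proccessName)
        {
            NktProcessesEnum candidates = _spyMgr.Processes();
            bool hooked = false;

            for (NktProcess candidate = candidates.First(); candidate != null; candidate = candidates.Next())
            {
                bool nameMatches = candidate.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase);
                bool canHook     = candidate.PlatformBits > 0 && candidate.PlatformBits <= IntPtr.Size * 8;
                if (!nameMatches || !canHook)
                {
                    continue;
                }

                NktModule module = candidate.ModuleByName("mshtml.dll");
                if (module == null)
                {
                    continue;
                }

                // 64-bit-safe arithmetic: ToInt32 would overflow for a 64-bit target.
                IntPtr target = new IntPtr(module.BaseAddress.ToInt64() + _RVA.ToInt64());
                NktHook hook  = _spyMgr.CreateHookForAddress(target, "mshtml.dll!CStyleSheet::Notify", (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable | eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));

                _process = candidate;
                hook.Attach(_process, true);
                hook.Hook(true);
                hooked = true;
            }

            if (!hooked)
            {
                _process = null;
            }
            return hooked;
        }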
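        /// <summary>
        /// Creates a post-call hook on <c>WINMM.dll!timeGetTime</c> and attaches it to
        /// every running 32-bit iexplore.exe. When none is found the user is told and
        /// the program exits with a non-zero status (the previous version exited
        /// with 0 on that error path).
        /// </summary>
        private void Form1_Load(object sender, EventArgs e)
        {
            NktHook hook = _spyMgr.CreateHook("WINMM.dll!timeGetTime", (int)(eNktHookFlags.flgOnlyPostCall));
            hook.Hook(true);

            bool attachedAny = false;
            NktProcessesEnum processes = _spyMgr.Processes();
            for (NktProcess candidate = processes.First(); candidate != null; candidate = processes.Next())
            {
                if (candidate.Name.Equals("iexplore.exe", StringComparison.InvariantCultureIgnoreCase) && candidate.PlatformBits == 32)
                {
                    hook.Attach(candidate, true);
                    attachedAny = true;
                }
            }

            if (!attachedAny)
            {
                MessageBox.Show("Please run \"iexplore.exe\" before!", "Error");
                Environment.Exit(1);
            }
        }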
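        /// <summary>
        /// Asks the user to pick a running process, hooks it through
        /// <c>Program.hook</c> and shows/logs the outcome. The selection form is now
        /// disposed after use: modal forms shown with <c>ShowDialog</c> are not
        /// disposed automatically.
        /// </summary>
        private void attachToolStripMenuItem_Click(object sender, EventArgs e)
        {
            NktProcess process;
            using (FormSelectProgram picker = new FormSelectProgram())
            {
                picker.StartPosition = FormStartPosition.CenterParent;
                picker.ShowDialog();
                process = picker.returnedValue;
            }

            if (process == null)
            {
                return;
            }

            bool hooked = Program.hook.HookProcess(process);

            FormInfo info = hooked
                ? new FormInfo("Hook successful", 0, FormInfo.IconType.OK)
                : new FormInfo("Error hooking", 0, FormInfo.IconType.Error);
            info.StartPosition = FormStartPosition.CenterParent;
            info.Show(Program.formMain);

            if (hooked)
            {
                Program.LogThis("Core", "Process " + process.Name + " hooked successfully");
            }
            else
            {
                Program.LogThis("Core", "Error hooking " + process.Name);
            }
        }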
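        /// <summary>
        /// Pre-call hook handler for <c>WS2_32.dll!connect</c>: logs the IPv4
        /// destination and, when it matches the configured rule
        /// (<c>bind_ip</c>/<c>bind_port</c>), rewrites the sockaddr inside the target
        /// process so the connection goes to <c>forward_ip</c>/<c>forward_port</c>.
        /// </summary>
        /// <remarks>
        /// Only <c>AF_INET</c> addresses are touched: the sockaddr_in layout assumed
        /// below (port at sa_data[0..1], address at sa_data[2..5]) does not hold for
        /// other families, and the previous version rewrote them regardless. Also
        /// fixed: the "Redirect" message reused placeholder {1} for the target, its
        /// <c>'*'</c> fallbacks were converted to the numeric 42 by the conditional
        /// operator, and <c>throw e;</c> discarded the stack trace.
        /// </remarks>
        public static void OnConnectCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            /*
             * struct sockaddr {
             *  ushort  sa_family;
             *  char    sa_data[14];
             * };
             */
            const ushort AF_INET = 2;

            INktParamsEnum pms = hookCallInfo.Params();
            INktParam      p   = pms.GetAt(1); //get the second param (const struct sockaddr *name)
            if (p.IsNullPointer)
            {
                return;
            }

            p = p.Evaluate(); //now p becomes the struct itself not anymore a pointer to

            ushort sa_family = p.Field(0).get_UShortValAt(0);
            if (sa_family != AF_INET)
            {
                return;
            }

            try
            {
                INktParam pC = p.Field(1);
                byte[] bytes_port = new byte[] { pC.get_ByteValAt(0), pC.get_ByteValAt(1) };
                ushort port       = PortToUShort(bytes_port);
                Console.WriteLine("Port: {0}", port);

                byte[] ip          = new byte[] { pC.get_ByteValAt(2), pC.get_ByteValAt(3), pC.get_ByteValAt(4), pC.get_ByteValAt(5) };
                string detected_ip = IPtoString(ip);
                Console.WriteLine("IP: {0}", detected_ip);

                bool ipMatches   = bind_ip == "0.0.0.0" || bind_ip == "*" || detected_ip == bind_ip; // Match rule IP
                bool portMatches = bind_port == 0 || bind_port == port;                               // Match rule Port
                if (ipMatches && portMatches)
                {
                    byte[] target_ip = StringtoIP(forward_ip);
                    pC.set_ByteValAt(2, target_ip[0]);
                    pC.set_ByteValAt(3, target_ip[1]);
                    pC.set_ByteValAt(4, target_ip[2]);
                    pC.set_ByteValAt(5, target_ip[3]);
                    if (forward_port != 0)
                    {
                        byte[] forward_port_change = UShorttoPort(forward_port);
                        pC.set_ByteValAt(0, forward_port_change[0]);
                        pC.set_ByteValAt(1, forward_port_change[1]);
                    }

                    string fromPort = bind_port == 0 ? "*" : bind_port.ToString();
                    string toPort   = forward_port == 0 ? "*" : forward_port.ToString();
                    Console.WriteLine("Redirect From {0}:{1} to {2}:{3}", detected_ip, fromPort, forward_ip, toPort);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("Error {0}", e);
                throw; // rethrow without resetting the stack trace
            }
        }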
        /// <summary>
        /// Captures the hook, process and call information of one intercepted call
        /// and starts the wrapper in the <c>Waiting</c> state.
        /// </summary>
        public FunctionWrapper(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            status = Status.Waiting;

            this.callInfo = callInfo;
            this.proc     = proc;
            this.Hook     = Hook;
        }
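 /// <summary>
 /// LoadLibrary callback: traces every loaded DLL and, once xpsservices.dll is
 /// loaded into <paramref name="proc"/>, installs the XPS interface hooks.
 /// </summary>
 /// <remarks>
 /// The suffix test is ordinal and case-insensitive; the previous
 /// <c>ToLower().EndsWith()</c> depended on the current culture.
 /// </remarks>
 static void spyMgr_OnLoadLibraryCall(NktProcess proc, string dllName, object moduleHandle)
 {
     System.Diagnostics.Trace.WriteLine("IEPrintWatermark [LoadLibraryCall]: " + dllName);
     if (dllName.EndsWith("xpsservices.dll", StringComparison.OrdinalIgnoreCase))
     {
         HookXpsInterfaces(proc);
     }
 }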
 /// <summary>
 /// Binds the manager to <paramref name="process"/>: stores the process and its id,
 /// grabs the UI and process-watcher singletons and builds an <c>IntelliMod</c> for it.
 /// </summary>
 public HookManager(NktProcess process)
 {
     this.process = process;
     ID           = process.Id;

     UI = FormInterface.GetInstance();
     pw = ProcessWatcher.GetInstance();

     intelligence = new IntelliMod(process);
 }
        /// <summary>
        /// Hook handler for the function associated with CVE-2010-3971: reports the
        /// event, alerts the user and then sleeps forever. NOTE(review): this blocks
        /// the thread running the handler; whether that also holds the hooked call in
        /// the target depends on how the spy manager dispatches callbacks — confirm.
        /// </summary>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            const string alert = "Xploit CVE-2010-3971";

            Output(alert);
            MessageBox.Show(alert);

            Thread.Sleep(System.Threading.Timeout.Infinite);
        }
        /// <summary>
        /// Captures the hook, process and call information of one intercepted call
        /// and starts the wrapper in the <c>Waiting</c> state.
        /// </summary>
        public FunctionWrapper(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            status = Status.Waiting;

            this.callInfo = callInfo;
            this.proc     = proc;
            this.Hook     = Hook;
        }
 /// <summary>
 /// Process-started callback: a child of an already tracked process is tracked
 /// too, and its (upper-cased) name is added to <c>HookManager.Modules</c>.
 /// </summary>
 void spyMgr_OnProcessStarted(NktProcess proc)
 {
     bool parentTracked = lstIDs.Exists(trackedId => trackedId == proc.ParentId);
     if (!parentTracked)
     {
         return;
     }

     lstIDs.Add(proc.Id);
     HookManager.Modules.Add(proc.Name.ToUpper());
 }
 /// <summary>
 /// Process-terminated callback: stops tracking the process and its module name,
 /// and signals <c>processTerminated</c> once no tracked process remains.
 /// </summary>
 void spyMgr_OnProcessTerminated(NktProcess proc)
 {
     lstIDs.Remove(proc.Id);
     HookManager.Modules.Remove(proc.Name.ToUpper());

     bool lastOneGone = lstIDs.Count == 0;
     if (lastOneGone)
     {
         processTerminated.Set();
     }
 }
        /// <summary>
        /// Post-call hook handler that skews the hooked function's integer result:
        /// with <c>nSpeed == -2</c> it is reduced by 20% of the call count, with
        /// <c>nSpeed == 2</c> it is increased by three times the call count; any
        /// other speed leaves the result untouched. The call counter is always advanced.
        /// </summary>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            nTime++;

            int adjustment;
            if (nSpeed == -2)
            {
                adjustment = -(int)(nTime * 0.2);
            }
            else if (nSpeed == 2)
            {
                adjustment = (int)(nTime * 3);
            }
            else
            {
                return;
            }

            hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + adjustment;
        }
        /// <summary>
        /// Hook-state callback: records the transition in the per-process hook table
        /// and forwards it to the registered handler. Note the handler receives the
        /// states as (previous, current) while the table takes (current, previous).
        /// </summary>
        private void HandleHookStateChanged(NktHook aHook, NktProcess aProcess, eNktHookState currentState, eNktHookState previousState)
        {
            var hookView    = CreateConsoleHookFrom(aHook);
            var processView = CreateConsoleProcessFrom(aProcess);

            _hooksByProcesses.Update(hookView, processView, currentState, previousState);
            HookStateChangedHandler(hookView, processView, previousState, currentState);
        }
        /// <summary>
        /// Hands the process selected in the list box back to the caller through
        /// <c>returnedValue</c> and closes the dialog; does nothing when no item is selected.
        /// </summary>
        private void StartSelectedProcess()
        {
            object selected = lbProcess.SelectedItem;
            if (selected == null)
            {
                return;
            }

            returnedValue = ((wrappers.ProcessWrapper)selected).process;
            Close();
        }
        /// <summary>
        /// Custom-parameter hook for MapViewOfFile: when exactly one custom parameter
        /// is attached to the call, traces its byte value (<c>has_malware</c>).
        /// </summary>
        private void MapViewOfFileCustomHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            if (callInfo.CustomParams().Count != 1)
            {
                return;
            }

            byte hasMalware = callInfo.CustomParams().GetAt(0).ByteVal;
            Debug.WriteLine("MapViewOfFileCustomHook:: with has_malware = " + hasMalware);
        }
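        /// <summary>
        /// CreateProcess callback: when the new child is iexplore.exe, loads the spy
        /// agent into it so its calls can be hooked.
        /// </summary>
        /// <remarks>
        /// The name test is ordinal and case-insensitive; the previous
        /// <c>ToLower().EndsWith()</c> depended on the current culture.
        /// </remarks>
        static void spyMgr_OnCreateProcessCall(NktProcess proc, int childPid, int mainThreadId, bool is64BitProcess, bool canHookNow)
        {
            NktProcess childProc = spyMgr.ProcessFromPID(childPid);
            if (childProc == null)
            {
                return;
            }

            if (childProc.Name.EndsWith("iexplore.exe", StringComparison.OrdinalIgnoreCase))
            {
                spyMgr.LoadAgent(childProc);
            }
        }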
        /// <summary>
        /// Initialises the form, creates and initialises the spy manager, subscribes
        /// to its function-call events and launches the DirectX SkinnedMesh sample
        /// suspended under it.
        /// </summary>
        public Form1()
        {
            InitializeComponent();

            _spyMgr = new NktSpyMgr();
            _spyMgr.Initialize();
            _spyMgr.OnFunctionCalled += OnFunctionCalled;

            const string samplePath = @"C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)\Samples\C++\Direct3D\Bin\x86\SkinnedMesh.exe";
            _process = _spyMgr.CreateProcess(samplePath, true, out continueevent);
        }
        /// <summary>
        /// Hook-state callback: logs the transition and terminates the program once
        /// the hook has been removed.
        /// </summary>
        void _functionHook_OnStateChanged(NktHook Hook, NktProcess proc, eNktHookState newState, eNktHookState oldState)
        {
            string function = Hook.FunctionName;
            Console.WriteLine("--- Hook state changed {0} from {1} to {2}", function, oldState, newState);

            bool removed = newState == eNktHookState.stRemoved;
            if (removed)
            {
                Environment.Exit(0);
            }
        }
        /// <summary>
        /// Initialises the form, creates and initialises the spy manager, subscribes
        /// to its function-call events and launches Chess.exe suspended under it.
        /// </summary>
        public Form1()
        {
            InitializeComponent();

            _spyMgr = new NktSpyMgr();
            _spyMgr.Initialize();
            _spyMgr.OnFunctionCalled += OnFunctionCalled;

            const string chessPath = @"C:\Program Files\Microsoft Games\Chess\Chess.exe";
            _process = _spyMgr.CreateProcess(chessPath, true, out continueevent);
        }
        /// <summary>
        /// Looks up the running sqlservr.exe through the spy manager and stores it in
        /// <c>_sqlServerProcess</c>.
        /// </summary>
        /// <exception cref="SqlServiceNotFoundException">No sqlservr.exe process is running.</exception>
        public void FindSqlService()
        {
            _sqlServerProcess = _spyMgr.Processes().GetByName("sqlservr.exe");
            if (_sqlServerProcess == null)
            {
                throw new SqlServiceNotFoundException();
            }
        }
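        /// <summary>
        /// Dispatching hook handler: logs the called function and routes
        /// <c>WS2_32.dll!connect</c> to <see cref="OnConnectCalled"/>.
        /// </summary>
        /// <remarks>
        /// The match is an ordinal case-insensitive comparison of the original name;
        /// the previous version lower-cased both sides with the current culture.
        /// </remarks>
        public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            string function = hook.FunctionName.ToLowerInvariant();
            Console.WriteLine("Called function {0}", function);

            if (string.Equals(hook.FunctionName, "WS2_32.dll!connect", StringComparison.OrdinalIgnoreCase))
            {
                OnConnectCalled(hook, process, hookCallInfo);
            }
        }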
    private int createProcessC       = 0; //T= C>1  (CreateProcess counter; NOTE(review): the note presumably means the trigger fires once the count exceeds 1 — confirm against decay()/the hook handlers)
    #endregion

    /// <summary>
    /// Builds the behaviour model for <paramref name="process"/>: keeps the spy-manager
    /// process and its System.Diagnostics counterpart, creates a section searcher and
    /// starts the 20-second decay timer.
    /// </summary>
    public IntelliMod(NktProcess process)
    {
        nktProc   = process;
        processID = process.Id;
        winProc   = Process.GetProcessById(processID);
        searcher  = new SectionSearch(process, false);

        // decay() runs every 20 s for as long as the timer stays enabled.
        timer.Interval = 20000;
        timer.Elapsed += decay;
        timer.Enabled  = true;
    }
        /// <summary>
        /// Hands the process selected in the list box back to the caller through
        /// <c>returnedValue</c> and closes the dialog; does nothing when no item is selected.
        /// </summary>
        private void StartSelectedProcess()
        {
            object selected = lbProcess.SelectedItem;
            if (selected == null)
            {
                return;
            }

            returnedValue = ((wrappers.ProcessWrapper)selected).process;
            Close();
        }
        /// <summary>
        /// Looks up the running sqlservr.exe through the spy manager and stores it in
        /// <c>_sqlServerProcess</c>.
        /// </summary>
        /// <exception cref="SqlServiceNotFoundException">No sqlservr.exe process is running.</exception>
        public void FindSqlService()
        {
            _sqlServerProcess = _spyMgr.Processes().GetByName("sqlservr.exe");
            if (_sqlServerProcess == null)
            {
                throw new SqlServiceNotFoundException();
            }
        }
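        /// <summary>
        /// Looks up the process with id <paramref name="pid"/> among the spy manager's
        /// processes and hooks it via <c>HookProcess(NktProcess)</c>.
        /// </summary>
        /// <returns>false when no process with that id is listed; otherwise the result of hooking it.</returns>
        public bool HookProcess(int pid)
        {
            // Enumerate once; the previous version called spyMgr.Processes() in the
            // loop condition and again in every iteration.
            var processes = spyMgr.Processes();
            for (int i = 0; i < processes.Count; i++)
            {
                NktProcess p = (NktProcess)processes.GetAt(i);
                if (p.Id == pid)
                {
                    return HookProcess(p);
                }
            }

            return false;
        }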
        /// <summary>
        /// Post-call hook handler that skews the hooked function's integer result:
        /// with <c>nSpeed == -2</c> it is reduced by 20% of the call count, with
        /// <c>nSpeed == 2</c> it is increased by three times the call count; any
        /// other speed leaves the result untouched. The call counter is always advanced.
        /// </summary>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            nTime++;

            int adjustment;
            if (nSpeed == -2)
            {
                adjustment = -(int)(nTime * 0.2);
            }
            else if (nSpeed == 2)
            {
                adjustment = (int)(nTime * 3);
            }
            else
            {
                return;
            }

            hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + adjustment;
        }
        /// <summary>
        /// Hook handler for WriteProcessMemory: reports the target process handle
        /// (parameter 0) and enqueues the report.
        /// </summary>
        static void OnWriteProcessMemory(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
        {
            var report = Base(APIType.HandleConsuming, APICategory.Process, APIID.WriteProcessMemory, hook, process, callInfo);
            if (report == null)
            {
                return;
            }

            report.Parameter = new WriteProcessMemoryParameter
            {
                Handle = callInfo.Params().GetAt(0).SizeTVal,
            };
            Reports.Enqueue(report);
        }
        /// <summary>
        /// Finds the first running process named <paramref name="proccessName"/>
        /// (case-insensitive) whose bitness this host can handle and stores it in
        /// <c>_process</c>.
        /// </summary>
        /// <returns>true when such a process was found; false otherwise, with <c>_process</c> set to null.</returns>
        private bool GetProcess(string proccessName)
        {
            NktProcessesEnum candidates = _spyMgr.Processes();

            for (NktProcess candidate = candidates.First(); candidate != null; candidate = candidates.Next())
            {
                bool nameMatches = candidate.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase);
                bool canHook     = candidate.PlatformBits > 0 && candidate.PlatformBits <= IntPtr.Size * 8;
                if (nameMatches && canHook)
                {
                    _process = candidate;
                    return true;
                }
            }

            _process = null;
            return false;
        }
 /// <summary>
 /// Creates a hook for <paramref name="function"/> with <paramref name="flag"/>,
 /// activates it and attaches it to <paramref name="process"/>.
 /// </summary>
 /// <returns>false when the hook cannot be created or Hook/Attach throws; true otherwise.</returns>
 private bool HookFunction(NktProcess process, string function, eNktHookFlags flag)
 {
     NktHook hook = spyMgr.CreateHook(function, (int)flag);
     if (hook == null)
     {
         return false;
     }

     try
     {
         hook.Hook(true);
         hook.Attach(process, true);
         return true;
     }
     catch
     {
         // Best effort: any failure is reported to the caller as "not hooked".
         return false;
     }
 }
        /// <summary>
        /// Builds an <c>IRunningProcess</c> snapshot of <paramref name="aProcess"/>: id,
        /// name, icon, path, bitness and, for processes this host can inspect, a map
        /// from the hash of "module name + pid" to the module path.
        /// </summary>
        public static IRunningProcess From(NktProcess aProcess, ISpyManager spyManager)
        {
            var modulePathByNameAndProcess = new Dictionary<int, string>();

            bool inspectable = aProcess.PlatformBits > 0 && aProcess.PlatformBits <= IntPtr.Size * 8;
            if (inspectable)
            {
                var processModules = aProcess.Modules();
                if (processModules != null)
                {
                    foreach (var module in processModules.CollectAll())
                    {
                        // NOTE(review): the key is a string hash, so two distinct modules
                        // whose "name + pid" hash collide share one entry and only the
                        // first one seen is kept.
                        int moduleKey = (module.Name + aProcess.Id).GetHashCode();
                        if (!modulePathByNameAndProcess.ContainsKey(moduleKey))
                        {
                            modulePathByNameAndProcess.Add(moduleKey, module.Path);
                        }
                    }
                }
            }

            return new RunningProcess(aProcess.Id, aProcess.Name, aProcess.Icon(), spyManager, aProcess.Path, aProcess.PlatformBits, modulePathByNameAndProcess);
        }
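        /// <summary>
        /// Hook handler that outputs the document name passed to the hooked call: the
        /// third parameter is a pointer to a structure whose first field is the name
        /// string (presumably a DOC_INFO-style structure — confirm against the hooked API).
        /// </summary>
        /// <remarks>
        /// A call with fewer than three parameters, or whose structure has no fields,
        /// now outputs just the prefix; the previous version walked First/Next/Next
        /// and dereferenced the result unchecked.
        /// </remarks>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            string strDocument = "Document: ";

            INktParamsEnum paramsEnum = hookCallInfo.Params();
            var docInfoPtr = paramsEnum.GetAt(2);

            if (docInfoPtr != null && docInfoPtr.PointerVal != IntPtr.Zero)
            {
                INktParamsEnum fields = docInfoPtr.Evaluate().Fields();
                INktParam nameField = fields.First();
                if (nameField != null)
                {
                    strDocument += nameField.ReadString() + "\n";
                }
            }

            Output(strDocument);
        }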
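 /// <summary>
 /// Lets the user pick an executable and launches it under the spy manager,
 /// suspended when the checkbox is set. Does nothing when the dialog is cancelled
 /// (the previous version ignored the dialog result and went on with an empty file name).
 /// </summary>
 private void btnProcess_Click(object sender, EventArgs e)
 {
     openFileDialog1 = new OpenFileDialog();
     if (openFileDialog1.ShowDialog() != DialogResult.OK)
     {
         return;
     }

     _process = _spyMgr.CreateProcess(openFileDialog1.FileName, checkSuspended.Checked, out ContinueEvent);
 }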
        /// <summary>
        /// Re-hooks <paramref name="process"/> according to the capture configuration:
        /// each enabled Secur32/WS2_32 function gets a pre-call (outbound) or post-call
        /// (inbound) hook, in the fixed order below. Installation stops at the first failure.
        /// </summary>
        /// <returns>
        /// true when every enabled hook was installed and at least one was enabled;
        /// false on the first failure, or when nothing is enabled.
        /// </returns>
        public bool HookProcess(NktProcess process)
        {
            this.UnHook();

            /*
             NOTE: the function must be hooked as 'send', not 'Send'. Otherwise the hook
                   installs fine but the function reports 0 parameters instead of the
                   4 in its definition.
            */
            bool result = false;
            Func<string, eNktHookFlags, bool> install = (function, flags) => result = HookFunction(process, function, flags);
            var cfg = Program.data.configuration;

            if (cfg.encryptmessage && !install("Secur32.dll!EncryptMessage", eNktHookFlags.flgOnlyPreCall))
            {
                return false;
            }

            if (cfg.decryptmessage && !install("Secur32.dll!DecryptMessage", eNktHookFlags.flgOnlyPostCall))
            {
                return false;
            }

            if (cfg.send && !install("WS2_32.dll!send", eNktHookFlags.flgOnlyPreCall))
            {
                return false;
            }

            if (cfg.recv && !install("WS2_32.dll!recv", eNktHookFlags.flgOnlyPostCall))
            {
                return false;
            }

            if (cfg.sendto && !install("WS2_32.dll!sendto", eNktHookFlags.flgOnlyPreCall))
            {
                return false;
            }

            if (cfg.recvfrom && !install("WS2_32.dll!recvfrom", eNktHookFlags.flgOnlyPostCall))
            {
                return false;
            }

            if (cfg.wsasend && !install("WS2_32.dll!WSASend", eNktHookFlags.flgOnlyPreCall))
            {
                return false;
            }

            if (cfg.wsarecv && !install("WS2_32.dll!WSARecv", eNktHookFlags.flgOnlyPostCall))
            {
                return false;
            }

            /*
                These two hooks stay commented out until their handlers are implemented:

                result = HookFunction(process, "WS2_32.dll!WSASendTo", eNktHookFlags.flgOnlyPreCall);
                if (result == false)
                    return result;
                result = HookFunction(process, "WS2_32.dll!WSARecvFrom", eNktHookFlags.flgOnlyPostCall);
                if (result == false)
                    return result;
            */

            // Nothing enabled means nothing was hooked: report failure.
            if (!result)
            {
                return false;
            }

            this.process = process;
            return true;
        }
Пример #45
 /// <summary>
 /// Deviare hook callback: converts the raw hook and process into their
 /// console-side wrappers and forwards the call to <c>FunctionCalledHandler</c>.
 /// </summary>
 /// <param name="aHook">The hook that fired.</param>
 /// <param name="aProcess">The process in which the call was intercepted.</param>
 /// <param name="hookCallInfo">Call details, passed through untouched.</param>
 private void HandleFuncionCall(NktHook aHook, NktProcess aProcess, NktHookCallInfo hookCallInfo)
 {
     var consoleHook = CreateConsoleHookFrom(aHook);
     var consoleProcess = CreateConsoleProcessFrom(aProcess);
     FunctionCalledHandler(consoleHook, consoleProcess, hookCallInfo);
 }
Пример #46
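        /// <summary>
        /// Post-call hook for <c>DllGetClassObject</c>. When the target hands out the
        /// ShellFolderView class factory as IClassFactory or IClassFactory2, this reads
        /// the factory's vtable from the target process and installs post-call hooks on
        /// CreateInstance (and CreateInstanceLic for IClassFactory2) so the objects the
        /// factory creates can be inspected in turn. Each hook is installed at most once
        /// (double-checked under <c>hookLock</c>).
        /// </summary>
        /// <param name="hook">The DllGetClassObject hook that fired.</param>
        /// <param name="proc">The process in which the call happened.</param>
        /// <param name="callInfo">Parameters and result of the intercepted call.</param>
        static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // A failed HRESULT (severity bit set) means no class factory was returned.
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
                return;

            NktParamsEnum pms = callInfo.Params();

            // DllGetClassObject(rclsid, riid, ppv): only the ShellFolderView coclass matters here.
            if (pms.GetAt(0).GuidString != "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
                return;

            string iid = pms.GetAt(1).GuidString;

            if (iid == "{00000001-0000-0000-C000-000000000046}")
            {
                // IID_IClassFactory: CreateInstance is vtable slot 3 (after IUnknown's three).
                if (hookIClassFactory_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory_CreateInstance == null)
                        {
                            IntPtr target = ReadVtableEntry(proc, pms.GetAt(2).Evaluate().PointerVal, 3);
                            if (target != IntPtr.Zero)
                            {
                                // flgDontCheckAddress bypasses Deviare's check that the address lies
                                // in a known module. The address comes straight out of the target's
                                // vtable, so a corrupted or spoofed vtable would be hooked as-is; the
                                // IClassFactory2 hooks below do not set this flag.
                                hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(target, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
                                hookIClassFactory_CreateInstance.Attach(proc.Id, true);
                                hookIClassFactory_CreateInstance.Hook(true);
                                hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
                            }
                        }
                    }
                }
            }

            if (iid == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
            {
                // IID_IClassFactory2: CreateInstance is slot 3, CreateInstanceLic is slot 7
                // (IClassFactory2 extends IClassFactory with GetLicInfo, RequestLicKey, CreateInstanceLic).
                if (hookIClassFactory2_CreateInstance == null || hookIClassFactory2_CreateInstanceLic == null)
                {
                    lock (hookLock)
                    {
                        IntPtr factory = pms.GetAt(2).Evaluate().PointerVal;

                        if (hookIClassFactory2_CreateInstance == null)
                        {
                            IntPtr target = ReadVtableEntry(proc, factory, 3);
                            if (target != IntPtr.Zero)
                            {
                                hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(target, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
                                hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
                                hookIClassFactory2_CreateInstance.Hook(true);
                                hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
                            }
                        }

                        if (hookIClassFactory2_CreateInstanceLic == null)
                        {
                            IntPtr target = ReadVtableEntry(proc, factory, 7);
                            if (target != IntPtr.Zero)
                            {
                                hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(target, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
                                hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
                                hookIClassFactory2_CreateInstanceLic.Hook(true);
                                hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
                            }
                        }
                    }
                }
            }
        }

        /// <summary>
        /// Reads vtable slot <paramref name="methodIndex"/> of the COM object located at
        /// <paramref name="obj"/> inside <paramref name="proc"/>.
        /// </summary>
        /// <param name="proc">Process whose memory is read.</param>
        /// <param name="obj">Address of the COM object (its first pointer-sized field is the vtable).</param>
        /// <param name="methodIndex">Zero-based slot index; 0..2 are IUnknown's methods.</param>
        /// <returns>
        /// The method entry point, or <see cref="IntPtr.Zero"/> when the object pointer or its
        /// vtable pointer is null, so callers never try to hook address 0. Note the value is read
        /// from the target and is only as trustworthy as that process's memory.
        /// </returns>
        static IntPtr ReadVtableEntry(NktProcess proc, IntPtr obj, int methodIndex)
        {
            if (obj == IntPtr.Zero)
                return IntPtr.Zero;

            IntPtr vtable = proc.Memory().get_SSizeTVal(obj);
            if (vtable == IntPtr.Zero)
                return IntPtr.Zero;

            IntPtr slot = (IntPtr)(vtable.ToInt64() + methodIndex * IntPtr.Size);
            return proc.Memory().get_SSizeTVal(slot);
        }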
Пример #47
        /// <summary>
        /// Hook callback for the CVE-2010-3971 demo: reports that the hooked function was
        /// reached (log line plus message box) and then parks the hooked thread forever so
        /// the exploit path in the target never resumes.
        /// </summary>
        /// <param name="hook">The hook that fired.</param>
        /// <param name="process">The process in which the call was intercepted.</param>
        /// <param name="hookCallInfo">Call details (unused here).</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            const string notice = "Xploit CVE-2010-3971";

            Output(notice);
            MessageBox.Show(notice);

            // Deliberate: this callback runs on the target's thread, so sleeping forever
            // freezes that thread (and anything waiting on it) rather than letting it continue.
            Thread.Sleep(System.Threading.Timeout.Infinite);
        }
 /// <summary>
 /// Central Deviare callback: routes <c>kernel32.dll!MapViewOfFile</c> calls to the
 /// custom-plugin handler or the managed handler depending on
 /// <c>_use_deviare_custom_hook_plugin</c>. Any other hook is ignored here.
 /// </summary>
 /// <param name="Hook">The hook that fired; only its <c>FunctionName</c> is inspected.</param>
 /// <param name="proc">The process in which the call was intercepted.</param>
 /// <param name="callInfo">Call details, forwarded to the chosen handler.</param>
 void _spyMgr_OnFunctionCalled(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
 {
     if (Hook.FunctionName != "kernel32.dll!MapViewOfFile")
         return;

     if (this._use_deviare_custom_hook_plugin)
     {
         MapViewOfFileCustomHook(Hook, proc, callInfo);
     }
     else
     {
         MapViewOfFileHook(Hook, proc, callInfo);
     }
 }
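        /// <summary>
        /// Managed handler for <c>MapViewOfFile</c>: asks <c>LookForMalware</c> to scan the
        /// file mapping and, if it is flagged, fails the call (NULL view,
        /// <c>ERROR_FILE_NOT_FOUND</c>) and skips the real MapViewOfFile so the target never
        /// sees the mapped bytes.
        /// </summary>
        /// <param name="Hook">The MapViewOfFile hook that fired.</param>
        /// <param name="proc">The process making the call.</param>
        /// <param name="callInfo">Call parameters; result and last-error are overwritten on a block.</param>
        private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // MapViewOfFile(hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh,
            //               dwFileOffsetLow, dwNumberOfBytesToMap)
            IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
            IntPtr length = callInfo.Params().GetAt(4).PointerVal;

            // dwNumberOfBytesToMap is a SIZE_T. Widen it without sign-extension (a 32-bit
            // value >= 0x80000000 must not become negative) and clamp to what
            // LookForMalware(uint) accepts instead of letting the IntPtr->int cast throw
            // on 64-bit for mappings above 2 GiB. Per MapViewOfFile's contract a length of
            // 0 means "map the whole file"; this scan cannot size that case, so a 0 length
            // scans 0 bytes and the mapping is let through unchecked.
            ulong lengthBytes = IntPtr.Size == 4
                ? unchecked((uint)length.ToInt32())
                : unchecked((ulong)length.ToInt64());
            uint scanLength = lengthBytes > uint.MaxValue ? uint.MaxValue : (uint)lengthBytes;

            Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));

            // 0x1FFFF is a broad access mask, well beyond read/query. If LookForMalware only
            // reads the mapping, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION would be the
            // least-privilege choice; verify against LookForMalware before narrowing.
            IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);

            bool is_malware = LookForMalware(process_handle, maphandle, scanLength);

            if (is_malware)
            {
                // Make the call fail from the target's point of view: NULL view and
                // GetLastError() == ERROR_FILE_NOT_FOUND (2), and don't run the real API.
                // NOTE(review): SkipCall() only takes effect in a pre-call hook — confirm
                // the hook is registered with a pre-call flag.
                callInfo.Result().PointerVal = IntPtr.Zero;
                callInfo.LastError = 2;
                callInfo.SkipCall();
            }
        }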
Пример #50
        /// <summary>
        /// Hook callback that records a call-graph edge from the call site to the hooked
        /// function. It reads the bytes immediately before the return address from the
        /// target, asks <c>GetInstrSize</c> for the length of the calling instruction,
        /// derives the caller's address from that, logs the edge via <c>Output</c> and
        /// stores it in <c>CrossRefSet</c> relative to <c>SecStartAddress</c>.
        /// </summary>
        /// <param name="hook">The hook that fired.</param>
        /// <param name="process">The process in which the call was intercepted.</param>
        /// <param name="hookCallInfo">Call details; the stack trace and EIP are read from it.</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            UInt32 windowSize = 50;

            NktStackTrace trace = hookCallInfo.StackTrace();
            // NOTE(review): memory is read from _process.Id, not from the 'process' this
            // callback was invoked for; the two only coincide while a single process is hooked.
            NktProcessMemory targetMem = _spyMgr.ProcessMemoryFromPID(_process.Id);

            // Frame 0 is the return address; the calling instruction ends right before it.
            UInt64 returnAddr = (UInt64)trace.Address(0);
            UInt64 windowStart = returnAddr - windowSize;

            // Pull the bytes preceding the return address one at a time (no bulk read used here).
            byte[] window = new byte[windowSize];
            for (UInt32 i = 0; i < windowSize; i++)
            {
                window[i] = (byte)targetMem.Read((IntPtr)(windowStart + i), eNktDboFundamentalType.ftUnsignedByte);
            }

            UInt64 callInstrLen = (UInt64)GetInstrSize(window, windowSize);
            UInt64 calleeAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);
            UInt64 callerAddr = returnAddr - callInstrLen;

            Output("From: 0x" + callerAddr.ToString("x") + "    To: 0x" + calleeAddr.ToString("x") + "\n", false);

            // stored as offsets from the section start
            CROSSREF edge = new CROSSREF();
            edge.From = callerAddr - SecStartAddress;
            edge.To = calleeAddr - SecStartAddress;
            CrossRefSet.Add(edge);
        }
Пример #51
 /// <summary>
 /// Called when a hooked process exits: notifies <c>ProcessTerminatedHandler</c>,
 /// then drops every hook that was registered against that process.
 /// </summary>
 /// <param name="aProcess">The Deviare process that terminated.</param>
 private void HandleTerminatedProcess(NktProcess aProcess)
 {
     IRunningProcess terminated = CreateConsoleProcessFrom(aProcess);
     ProcessTerminatedHandler(terminated);
     _hooksByProcesses.RemoveAllHooksOf(terminated);
 }
Пример #52
 /// <summary>
 /// Called when a process of interest starts: wraps it and forwards it to
 /// <c>ProcessStartedHandler</c>.
 /// </summary>
 /// <param name="aProcess">The Deviare process that started.</param>
 private void HandleStartedProcess(NktProcess aProcess)
 {
     IRunningProcess started = CreateConsoleProcessFrom(aProcess);
     ProcessStartedHandler(started);
 }
Пример #53
 /// <summary>
 /// Called when the Deviare agent has been loaded into (or failed to load into) a
 /// process: forwards the wrapped process and the error code to <c>AgentLoadHandler</c>.
 /// </summary>
 /// <param name="aProcess">The process the agent was injected into.</param>
 /// <param name="anErrorCode">Error code reported by Deviare, passed through unchanged.</param>
 private void HandleAgentLoad(NktProcess aProcess, int anErrorCode)
 {
     IRunningProcess target = CreateConsoleProcessFrom(aProcess);
     AgentLoadHandler(target, anErrorCode);
 }
Пример #54
        /// <summary>
        /// Post-call hook for <c>IClassFactory::CreateInstance</c> on the ShellFolderView
        /// factory. If the call succeeded and the requested IID is one of the three
        /// interfaces of interest (IShellFolderViewDual and two related IIDs), it resolves
        /// an entry of the new object's vtable the same way the factory hooks do. The
        /// sample stops there (the elided "..." is where the hook would be installed).
        /// </summary>
        /// <param name="hook">The CreateInstance hook that fired.</param>
        /// <param name="proc">The process in which the call happened.</param>
        /// <param name="callInfo">Parameters and result of the intercepted call.</param>
        static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            // A failed HRESULT means no object was created.
            if ((callInfo.Result().ULongVal & 0x80000000) != 0)
                return;

            NktParamsEnum pms = callInfo.Params();

            // Param 0 is the interface pointer ('this'); CreateInstance(pUnkOuter, riid, ppvObject)
            // follows as params 1..3.
            string riid = pms.GetAt(2).GuidString;
            bool wanted = riid == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"
                       || riid == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}"
                       || riid == "{88A05C00-F000-11CE-8350-444553540000}";
            if (!wanted)
                return;

            // *ppvObject -> object -> vtable -> slot 3. Slot 3 is copied from the
            // IClassFactory::CreateInstance lookup above; which method that is on the
            // requested interface is not established by this sample.
            IntPtr obj = pms.GetAt(3).Evaluate().PointerVal;
            IntPtr vtable = proc.Memory().get_SSizeTVal(obj);
            IntPtr slot = (IntPtr)(vtable.ToInt64() + 3 * IntPtr.Size);
            IntPtr entry = proc.Memory().get_SSizeTVal(slot);
            /*
            .
            .
            .
            */
        }
Пример #55
 /// <summary>
 /// Post-call hook for <c>IClassFactory2::CreateInstanceLic</c>. Intentionally empty in
 /// this sample: instances can be created through this path as well, so a real
 /// implementation would repeat the IID check and vtable lookup done for
 /// <c>IClassFactory::CreateInstance</c>.
 /// </summary>
 static void OnIClassFactory2CreateInstanceLicCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
 {
 }
Пример #56
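        /// <summary>
        /// Hook callback that hands the intercepted call to the UI as a
        /// <c>FunctionWrapper</c>, blocks the hooked thread until another thread changes the
        /// wrapper's status, and skips the real call when the decision was <c>Droped</c>.
        /// <c>Program.data.AceptingNewFunctions</c> is re-enabled before returning, on every
        /// path.
        /// </summary>
        /// <param name="hook">The hook that fired.</param>
        /// <param name="process">The process in which the call was intercepted.</param>
        /// <param name="hookCallInfo">Call details; <c>SkipCall()</c> is invoked on a drop.</param>
        public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            wrappers.FunctionWrapper functionWr = new wrappers.FunctionWrapper(hook, process, hookCallInfo);
            stackFunctions.Push(functionWr);

            try
            {
                // Spin (yielding the time slice) until the status leaves Waiting. This runs
                // on the target's thread, so that thread stays frozen for as long as the
                // decision takes; there is no timeout.
                while (functionWr.status == wrappers.FunctionWrapper.Status.Waiting)
                {
                    System.Threading.Thread.Sleep(0);
                }

                if (functionWr.status == wrappers.FunctionWrapper.Status.Droped)
                {
                    hookCallInfo.SkipCall();
                }
            }
            finally
            {
                // Previously set separately on both branches; done once here so the flag is
                // restored even if SkipCall() throws and the UI is not left refusing new calls.
                Program.data.AceptingNewFunctions = true;
            }
        }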
Пример #57
        /// <summary>
        /// Mirrors a hook state transition into <c>_hooksByProcesses</c> and then notifies
        /// <c>HookStateChangedHandler</c>.
        /// </summary>
        /// <param name="aHook">The hook whose state changed.</param>
        /// <param name="aProcess">The process the hook belongs to.</param>
        /// <param name="currentState">The new state.</param>
        /// <param name="previousState">The state before the transition.</param>
        private void HandleHookStateChanged(NktHook aHook, NktProcess aProcess, eNktHookState currentState, eNktHookState previousState)
        {
            var hookView = CreateConsoleHookFrom(aHook);
            var processView = CreateConsoleProcessFrom(aProcess);

            // NOTE(review): the two callees take the states in opposite order —
            // Update(..., current, previous) vs HookStateChangedHandler(..., previous, current).
            // This reproduces the original ordering; confirm against both signatures.
            _hooksByProcesses.Update(hookView, processView, currentState, previousState);
            HookStateChangedHandler(hookView, processView, previousState, currentState);
        }
Пример #58
 /// <summary>
 /// Wraps a raw Deviare process in the console-facing <see cref="IRunningProcess"/>,
 /// bound to this instance via <c>RunningProcess.From</c>.
 /// </summary>
 /// <param name="aProcess">The Deviare process to wrap.</param>
 /// <returns>The wrapper produced by <c>RunningProcess.From</c>.</returns>
 private IRunningProcess CreateConsoleProcessFrom(NktProcess aProcess)
 {
     IRunningProcess wrapped = RunningProcess.From(aProcess, this);
     return wrapped;
 }
        /// <summary>
        /// Handler used when the Deviare custom hook plugin does the scanning in-process: the
        /// plugin reports its verdict as a single custom byte parameter, which is only logged
        /// here. Unlike <c>MapViewOfFileHook</c>, this path does not fail or skip the mapping
        /// itself — presumably the plugin enforces the block; verify on the plugin side.
        /// </summary>
        /// <param name="Hook">The MapViewOfFile hook that fired.</param>
        /// <param name="proc">The process making the call.</param>
        /// <param name="callInfo">Call details; only <c>CustomParams()</c> is read.</param>
        private void MapViewOfFileCustomHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
        {
            var custom = callInfo.CustomParams();
            if (custom.Count != 1)
                return;

            byte has_malware = custom.GetAt(0).ByteVal;
            Debug.WriteLine(String.Format("MapViewOfFileCustomHook:: with has_malware = {0}", has_malware));
        }
Пример #60
 /// <summary>
 /// Creates a wrapper around a Deviare process, keeping the reference in
 /// <c>this.process</c> for later use.
 /// </summary>
 /// <param name="process">The Deviare process to wrap.</param>
 public ProcessWrapper(NktProcess process)
 {
     this.process = process;
 }