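/// <summary>
/// Hook handler for an intercepted file-write call. Resolves the target path from the file
/// handle (parameter 0) and, unless the path is under AppData or is a registry object path,
/// estimates the per-byte entropy of the buffer about to be written (parameters 1 and 2).
/// A write whose entropy exceeds <c>EntropyThreshold</c> is reported through
/// <c>intelligence.writeFileS()</c>.
/// </summary>
/// <param name="callInfo">Deviare call-info for the intercepted write; parameters are read
/// positionally as (handle, buffer pointer, byte count).</param>
private void writeFileH(INktHookCallInfo callInfo)
{
    // Entropy (bits per byte, max 8) above which the write is reported.
    const double EntropyThreshold = 6.0;
    // Upper bound on how much of the buffer is sampled, so a call announcing a huge length
    // cannot force an equally huge allocation in the monitoring process.
    const uint MaxSampleBytes = 1024 * 1024;

    // Resolve the written path from the file handle (parameter 0).
    NktTools tool = new NktTools();
    string path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process());
    if (path is null)
    {
        // The handle could not be mapped to a name; there is nothing to classify.
        return;
    }

    // AppData and registry-backed writes are out of scope. Both checks are case-insensitive
    // so that casing differences in user paths or NT object paths do not bypass the filter.
    bool excluded = path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase)
                 || path.Contains("\\REGISTRY\\", StringComparison.OrdinalIgnoreCase);
    if (excluded)
    {
        return;
    }

    INktParam pBuf = callInfo.Params().GetAt(1);   // Data to write
    INktParam pBytes = callInfo.Params().GetAt(2); // Length of data
    uint bytesToWrite = pBytes.ULongVal;

    double entropy = 0;
    if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0)
    {
        uint sampleSize = Math.Min(bytesToWrite, MaxSampleBytes);
        // NOTE(review): memory is read through the `process` field while the path lookup used
        // callInfo.Process(); confirm both refer to the same hooked process.
        INktProcessMemory procMem = process.Memory();
        byte[] buffer = new byte[sampleSize];
        GCHandle pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            // Copy the hooked process's buffer into the pinned managed array.
            procMem.ReadMem(pinnedBuffer.AddrOfPinnedObject(), pBuf.PointerVal, (IntPtr)sampleSize);
        }
        finally
        {
            // Always unpin, even if the cross-process read throws.
            pinnedBuffer.Free();
        }
        // Per-byte entropy of the sampled data.
        entropy = getEntropy(buffer);
    }

    if (entropy > EntropyThreshold)
    {
        intelligence.writeFileS();
    }
}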
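/// <summary>
/// Resolves the RVA of <paramref name="symbolName"/> inside <paramref name="modulePath"/> from
/// its PDB and stores it in <c>_RVA</c>. When the symbol cannot be located, <c>_RVA</c> is left
/// untouched and no error is raised.
/// </summary>
/// <param name="modulePath">Module whose PDB is consulted. Defaults to the system mshtml.dll.</param>
/// <param name="symbolName">Function symbol to locate. Defaults to <c>CStyleSheet::Notify</c>.</param>
/// <param name="symbolServer">Symbol server URL. Uses TLS so the downloaded PDB cannot be
/// altered in transit.</param>
/// <param name="symbolCache">Local directory where downloaded PDBs are cached.</param>
private void LoadSymbolTable(
    string modulePath = @"C:\Windows\System32\mshtml.dll",
    string symbolName = "CStyleSheet::Notify",
    string symbolServer = "https://msdl.microsoft.com/download/symbols",
    string symbolCache = @"D:\PDB")
{
    NktTools tools = new NktTools();
    NktPdbFunctionSymbol symbol = tools.LocateFunctionSymbolInPdb(modulePath, symbolName, symbolServer, symbolCache);
    if (symbol is null)
    {
        // NOTE(review): a missing symbol is silently ignored; callers will observe a stale _RVA.
        return;
    }
    _RVA = symbol.AddrOffset;
}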
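/// <summary>
/// Resolves the RVA of <c>CSQLSource::Execute</c> in the sqllang.dll located next to the
/// monitored SQL Server executable and stores it in <c>_RVA_SQLSource_Execute</c>.
/// </summary>
/// <exception cref="SymbolNotFoundException">The module directory cannot be determined or the
/// symbol could not be located in the PDB.</exception>
public void LoadSymbolTable()
{
    // Symbol server is contacted over TLS so the downloaded PDB cannot be altered in transit.
    const string SymbolServer = "https://msdl.microsoft.com/download/symbols";
    const string SymbolCache = @"C:\symbols";
    const string SymbolName = "CSQLSource::Execute";
    const string ModuleFileName = "sqllang.dll";

    string directory = System.IO.Path.GetDirectoryName(_sqlServerProcess.Path);
    if (string.IsNullOrEmpty(directory))
    {
        // Without a directory the module cannot be located; report it as the same failure
        // callers already handle.
        throw new SymbolNotFoundException();
    }

    // Build the path once and use it for both the log line and the lookup so they cannot diverge.
    string dllPath = System.IO.Path.Combine(directory, ModuleFileName);
    Console.WriteLine("--- DLL path: {0}", dllPath);

    NktTools tools = new NktTools();
    NktPdbFunctionSymbol symbol = tools.LocateFunctionSymbolInPdb(dllPath, SymbolName, SymbolServer, SymbolCache);
    if (symbol is null)
    {
        throw new SymbolNotFoundException();
    }

    _RVA_SQLSource_Execute = symbol.AddrOffset;
    Console.WriteLine("--- SQLSource::Execute address offset: {0:x}", _RVA_SQLSource_Execute);
}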