        //Checks entropy of buffer, and that path is not REG or appdata
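        /// <summary>
        /// Hook handler for an intercepted file-write call: resolves the destination path from the
        /// file handle and, unless the path is under AppData or in the registry namespace, measures
        /// the entropy of the data being written. A high-entropy write is reported via
        /// <c>intelligence.writeFileS()</c>.
        /// </summary>
        /// <param name="callInfo">
        /// Deviare call information for the intercepted write. Param 0 is the file handle,
        /// param 1 the pointer to the data, param 2 the number of bytes to write.
        /// </param>
        private void writeFileH(INktHookCallInfo callInfo)
        {
            // Entropy (on getEntropy's scale) above which a write is reported.
            const double highEntropyThreshold = 6;

            // Resolve the written path from the file handle. An unresolvable handle is treated
            // as a relevant write (empty path) instead of faulting inside the hook callback.
            NktTools tool = new NktTools();
            string path = tool.GetFileNameFromHandle(callInfo.Params().GetAt(0).PointerVal, callInfo.Process())
                          ?? string.Empty;

            // Skip AppData and registry-hive writes. Both checks are ordinal and case-insensitive
            // so the NT-namespace "\REGISTRY\" prefix matches regardless of how it is cased.
            bool skipPath = path.Contains("\\appdata\\", StringComparison.OrdinalIgnoreCase)
                         || path.Contains("\\REGISTRY\\", StringComparison.OrdinalIgnoreCase);
            if (skipPath)
            {
                return;
            }

            INktParam pBuf   = callInfo.Params().GetAt(1); // data to write
            INktParam pBytes = callInfo.Params().GetAt(2); // length of data

            uint   bytesToWrite = pBytes.ULongVal;
            double entropy      = 0;
            if (pBuf.PointerVal != IntPtr.Zero && bytesToWrite > 0)
            {
                // Copy the write buffer out of the monitored process. The byte count is taken
                // from the hooked call, so a failed read must not leave the pinned handle behind.
                // NOTE(review): this allocates bytesToWrite bytes per intercepted write; a very
                // large write allocates the same amount here — consider sampling a bounded prefix.
                INktProcessMemory procMem      = process.Memory();
                byte[]            buffer       = new byte[bytesToWrite];
                GCHandle          pinnedBuffer = GCHandle.Alloc(buffer, GCHandleType.Pinned);
                try
                {
                    procMem.ReadMem(pinnedBuffer.AddrOfPinnedObject(), pBuf.PointerVal, (IntPtr)bytesToWrite);
                }
                finally
                {
                    pinnedBuffer.Free();
                }

                // Per-byte entropy of the sampled buffer.
                entropy = getEntropy(buffer);
            }

            if (entropy > highEntropyThreshold)
            {
                intelligence.writeFileS();
            }
        }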
        /// <summary>
        /// Resolves the RVA of <c>CStyleSheet::Notify</c> in mshtml.dll through its PDB and stores
        /// it in <c>_RVA</c>. If the symbol cannot be located, <c>_RVA</c> is left unchanged.
        /// </summary>
        private void LoadSymbolTable()
        {
            // Module, symbol and symbol-store locations are fixed for this build.
            // Note: the symbol server is addressed over plain HTTP.
            const string modulePath   = @"C:\Windows\System32\mshtml.dll";
            const string symbolName   = @"CStyleSheet::Notify";
            const string symbolServer = @"http://msdl.microsoft.com/download/symbols";
            const string symbolCache  = @"D:\PDB";

            var tools = new NktTools();
            NktPdbFunctionSymbol symbol = tools.LocateFunctionSymbolInPdb(modulePath, symbolName, symbolServer, symbolCache);
            if (symbol == null)
            {
                return;
            }

            _RVA = symbol.AddrOffset;
        }
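        /// <summary>
        /// Locates <c>CSQLSource::Execute</c> in the sqllang.dll that sits next to the monitored
        /// SQL Server executable and records its RVA in <c>_RVA_SQLSource_Execute</c>.
        /// </summary>
        /// <exception cref="SymbolNotFoundException">
        /// The process directory cannot be determined, or the symbol is not present in the PDB.
        /// </exception>
        public void LoadSymbolTable()
        {
            const string symbolServer = @"http://msdl.microsoft.com/download/symbols";
            const string symbolCache  = @"C:\symbols";

            // GetDirectoryName returns null for a null or root input; concatenating onto that
            // would yield a bare "\SQLLANG.DLL" and a misleading lookup failure, so fail explicitly.
            string directory = System.IO.Path.GetDirectoryName(_sqlServerProcess.Path);
            if (string.IsNullOrEmpty(directory))
            {
                Console.WriteLine("--- Could not determine SQL Server process directory");
                throw new SymbolNotFoundException();
            }

            // Build the path once so the logged value is exactly what is passed to the lookup.
            string dllPath = System.IO.Path.Combine(directory, "SQLLANG.DLL");
            Console.WriteLine("--- DLL path: {0}", dllPath);

            NktTools nktt = new NktTools();
            NktPdbFunctionSymbol pdbSym_exec = nktt.LocateFunctionSymbolInPdb(dllPath,
                                                                              "CSQLSource::Execute",
                                                                              symbolServer,
                                                                              symbolCache);
            if (pdbSym_exec == null)
            {
                throw new SymbolNotFoundException();
            }

            _RVA_SQLSource_Execute = pdbSym_exec.AddrOffset;
            Console.WriteLine("--- SQLSource::Execute address offset: {0:x}", _RVA_SQLSource_Execute);
        }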
        /// <summary>
        /// Looks up <c>CStyleSheet::Notify</c> in the PDB for mshtml.dll (downloaded from the
        /// Microsoft symbol server into <c>D:\PDB</c>) and assigns its offset to <c>_RVA</c>.
        /// A missing symbol leaves <c>_RVA</c> untouched.
        /// </summary>
        private void LoadSymbolTable()
        {
            NktPdbFunctionSymbol notifySymbol = new NktTools().LocateFunctionSymbolInPdb(
                @"C:\Windows\System32\mshtml.dll",
                @"CStyleSheet::Notify",
                @"http://msdl.microsoft.com/download/symbols", // symbol server, reached over plain HTTP
                @"D:\PDB");

            if (notifySymbol != null)
            {
                _RVA = notifySymbol.AddrOffset;
            }
        }
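        /// <summary>
        /// Resolves the RVA of <c>CSQLSource::Execute</c> from the PDB of the sqllang.dll located in
        /// the monitored SQL Server process directory and stores it in <c>_RVA_SQLSource_Execute</c>.
        /// </summary>
        /// <exception cref="SymbolNotFoundException">
        /// Thrown when the process directory is unavailable or the symbol is not found.
        /// </exception>
        public void LoadSymbolTable()
        {
            // Path.GetDirectoryName yields null for null or root paths; the original string
            // concatenation would then silently produce "\SQLLANG.DLL", so reject that case up front.
            string directory = System.IO.Path.GetDirectoryName(_sqlServerProcess.Path);
            if (string.IsNullOrEmpty(directory))
            {
                Console.WriteLine("--- Could not determine SQL Server process directory");
                throw new SymbolNotFoundException();
            }

            // Path.Combine handles a trailing separator on the directory; log the exact path used.
            string sqlLangPath = System.IO.Path.Combine(directory, "SQLLANG.DLL");
            Console.WriteLine("--- DLL path: {0}", sqlLangPath);

            NktPdbFunctionSymbol executeSymbol = new NktTools().LocateFunctionSymbolInPdb(
                sqlLangPath,
                "CSQLSource::Execute",
                @"http://msdl.microsoft.com/download/symbols",
                @"C:\symbols");

            if (executeSymbol == null)
            {
                throw new SymbolNotFoundException();
            }

            _RVA_SQLSource_Execute = executeSymbol.AddrOffset;
            Console.WriteLine("--- SQLSource::Execute address offset: {0:x}", _RVA_SQLSource_Execute);
        }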