Пример #1
0
        // this is where we are intercepting all file accesses!
        static IntPtr CreateFile_Hooked(
            String InFileName,
            UInt32 InDesiredAccess,
            UInt32 InShareMode,
            IntPtr InSecurityAttributes,
            UInt32 InCreationDisposition,
            UInt32 InFlagsAndAttributes,
            IntPtr InTemplateFile)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "CreateFile", InFileName));
                }
            }
            catch
            {
            }

            // call original API...
            return(CreateFile(
                       InFileName,
                       InDesiredAccess,
                       InShareMode,
                       InSecurityAttributes,
                       InCreationDisposition,
                       InFlagsAndAttributes,
                       InTemplateFile));
        }
Пример #2
0
        static bool WriteFile_Hooked(IntPtr hFile, IntPtr lpBuffer, uint nNumberOfBytesToWrite, IntPtr lpNumberOfBytesWritten, IntPtr lpOverlapped)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "WriteFile", Marshal.PtrToStringAnsi(lpBuffer)));
                }
            }
            catch
            {
            }
            return(WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped));
        }
Пример #3
0
        static int sendto_Hooked(uint s, [MarshalAsAttribute(UnmanagedType.LPStr)] string buf, int len, int flags, ref sockaddr to, int tolen)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "send", buf));
                }
            }
            catch
            {
            }

            return(send(s, buf, len, flags));
        }
Пример #4
0
        static int RegDeleteKeyW_Hooked(IntPtr hKey, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "RgCreateKeyW", ""));
                }
            }
            catch
            {
            }

            return RegDeleteKeyW(hKey, lpSubKey);
        }
Пример #5
0
        static bool TerminateThread_Hooked(IntPtr hThread, uint dwExitCode)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "TerminateThread", "TheadId:"));
                }
            }
            catch
            {
            }

            return(TerminateProcess(hThread, dwExitCode));
        }
Пример #6
0
        static IntPtr CreateThread_Hooked(IntPtr lpThreadAttributes, uint dwStackSize, PTHREAD_START_ROUTINE lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "CreateThread", ""));
                }
            }
            catch
            {
            }

            return(CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId));
        }
Пример #7
0
        static bool ReadFile_Hooked(IntPtr hFile, IntPtr lpBuffer, uint nNumberOfBytesToRead, IntPtr lpNumberOfBytesRead, IntPtr lpOverlapped)
        {
            bool res = false;

            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;
                res = This.FileApis.ReadFileFunc(hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped);

                lock (This.Queue)
                {
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "ReadFile", Marshal.PtrToStringAnsi(lpBuffer)));
                }
            }
            catch
            {
            }
            return(res);
        }
Пример #8
0
        static bool TerminateProcess_Hooked(IntPtr hProcess, uint uExitCode)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "TerminateProcess", ""));
                }
            }
            catch
            {
            }

            // call original API...
            return(TerminateProcess(hProcess, uExitCode));
        }
Пример #9
0
        static void ExitProcess_Hooked(uint uExitCode)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "ExitProcess", ""));
                }
            }
            catch
            {
            }

            // call original API...
            ExitProcess(uExitCode);
        }
Пример #10
0
        static bool CreateProcessW_Hooked([MarshalAsAttribute(UnmanagedType.LPWStr)] string lpApplicationName, IntPtr lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, [MarshalAsAttribute(UnmanagedType.Bool)] bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpCurrentDirectory, ref STARTUPINFOW lpStartupInfo, [OutAttribute()] out PROCESS_INFORMATION lpProcessInformation)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "CreateProcessW", Marshal.PtrToStringUni(lpCommandLine)));
                }
            }
            catch
            {
            }

            // call original API...
            return(CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, ref lpStartupInfo, out lpProcessInformation));
        }
Пример #11
0
        static int recvfrom_Hooked(uint s, IntPtr buf, int len, int flags, ref sockaddr from, ref int fromlen)
        {
            int res = 0;

            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;
                res = This.NetApis.recvfromFunc(s, buf, len, flags, ref from, ref fromlen);

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "recvfrom", Marshal.PtrToStringUni(buf)));
                }
            }
            catch
            {
            }

            return(res);
        }