//hook function
/// <summary>
/// The ReadFile hook function. This will be called instead of the original ReadFile once hooked.
/// </summary>
/// <param name="hFile"></param>
/// <param name="lpBuffer"></param>
/// <param name="nNumberOfBytesToRead"></param>
/// <param name="lpNumberOfBytesRead"></param>
/// <param name="lpOverlapped"></param>
/// <returns></returns>
public static bool ReadFile_Hook(
IntPtr hFile,
IntPtr lpBuffer,
uint nNumberOfBytesToRead,
out uint lpNumberOfBytesRead,
IntPtr lpOverlapped)
{
string typeAfter = "-1";
bool result = ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, out lpNumberOfBytesRead, lpOverlapped);
double entropy = -1;
try
{
//get entropy of buffer
byte[] buffer = new byte[lpNumberOfBytesRead];
Marshal.Copy(lpBuffer, buffer, 0, (int)lpNumberOfBytesRead);
entropy = DataEntropy.GetEntropyOfStream(buffer, (int)lpNumberOfBytesRead);
//// Retrieve filename from the file handle
StringBuilder filename = new StringBuilder(255);
GetFinalPathNameByHandle(hFile, filename, 255, 0);
filename = filename.Replace("\\\\?\\", "");
if (!filename.ToString().Equals(""))
{
typeAfter = StreamAnalyzer.getFileType(filename.ToString());
}
if ((filename != null) || (filename.ToString().Length > 0))
{
reportEvent(ReadFileStr, filename.ToString(), typeAfter, entropy + "", lpNumberOfBytesRead + "");
}
}
catch (Exception e)
{
reportEvent(ReadFileStr, "exception! " + e.ToString());
// swallow exceptions so that any issues caused by this code do not crash target process
}
return(result);
}
// hook function
public static bool WriteFile_Hook(
IntPtr hFile,
IntPtr lpBuffer,
uint nNumberOfBytesToWrite,
out uint lpNumberOfBytesWritten,
IntPtr lpOverlapped)
{
//string hashBeforeFile = "", hashAfterFile = "";
string typeBefore = "-1", typeAfter = "-1";
StringBuilder filename = new StringBuilder(255);
//int currentPid = EasyHook.RemoteHooking.GetCurrentProcessId();
double entropy = -1;
try
{
//get entropy of buffer
byte[] buffer = new byte[nNumberOfBytesToWrite];
Marshal.Copy(lpBuffer, buffer, 0, (int)nNumberOfBytesToWrite);
entropy = DataEntropy.GetEntropyOfStream(buffer, (int)nNumberOfBytesToWrite);
// Retrieve filename from the file handle
GetFinalPathNameByHandle(hFile, filename, 255, 0);
filename = filename.Replace("\\\\?\\", "");
if (!filename.ToString().Equals(""))
{
//hashBeforeFile = StreamAnalyzer.createHashToFile(filename.ToString(), "_" + currentPid + "b");
typeBefore = StreamAnalyzer.getFileType(filename.ToString());
}
}
catch (Exception e)
{
reportEvent(WriteFileStr, "exception1! " + e.ToString());
// swallow exceptions so that any issues caused by this code do not crash target process
}
bool result = false;
// Call original first so we get lpNumberOfBytesWritten
result = WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, out lpNumberOfBytesWritten, lpOverlapped);
try
{
//string hashDiffrence = "-1";
string typeDiffrence = "-1";
if (!filename.ToString().Equals(""))
{
// hashAfterFile = StreamAnalyzer.createHashToFile(filename.ToString(), "_" + currentPid + "a");
typeAfter = StreamAnalyzer.getFileType(filename.ToString());
// hashDiffrence = StreamAnalyzer.compareHashes(hashBeforeFile, hashAfterFile);
typeDiffrence = typeBefore.Equals(typeAfter) ? "1" : "0";
// //deletes temp files
//DeleteFileW("-----");
// DeleteFileW(hashAfterFile);
}
if ((filename != null) || (filename.ToString().Length > 0))
{
reportEvent(WriteFileStr, filename.ToString(), typeAfter, typeDiffrence, entropy + "", nNumberOfBytesToWrite + "");
}
}
catch (Exception e)
{
reportEvent(WriteFileStr, "exception2! " + e.ToString());
// swallow exceptions so that any issues caused by this code do not crash target process
}
return(result);
}
