/// <summary>
/// Post-call hook for CreateFileW: records the file name behind every handle the call
/// successfully returned, so later hooks can resolve handle -> path via <c>handleMap</c>.
/// </summary>
/// <param name="hookInfo">Hook metadata; only FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook chain (traced only).</param>
/// <param name="callInfo">Call context: pre/post flag, return value and parameters.</param>
/// <returns>Always 0. Errors are logged and never propagated out of the callback.</returns>
public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine($"MyFilePlugin::OnCreateFileW called [Hook: {hookInfo.FunctionName} @ 0x{hookInfo.Address.ToString("X")} / Chain:{chainIndex}]");
    try
    {
        // Nothing to record until the call has actually produced a handle.
        if (callInfo.IsPreCall)
        {
            return 0;
        }

        IntPtr handle = callInfo.Result().SizeTVal;
        System.Diagnostics.Trace.WriteLine($"MyFilePlugin::OnFunctionCall OnCreateFileW {handle}");

        // -1 (INVALID_HANDLE_VALUE) is CreateFileW's failure value; NULL is rejected too.
        bool opened = handle != IntPtr.Zero && handle != (IntPtr)(-1);
        if (!opened)
        {
            return 0;
        }

        // Parameter 0 is lpFileName.
        string path = callInfo.Params().GetAt(0).ReadString();
        System.Diagnostics.Trace.WriteLine($"MyFilePlugin::OnFunctionCall OnCreateFileW {path}");
        if (path.Length == 0)
        {
            return 0;
        }

        // NOTE(review): entries are never removed here. Once the process closes the handle
        // and the kernel reuses the value, the map reports the old path unless a
        // CloseHandle hook prunes it — confirm such a hook exists.
        lock (handleMap)
        {
            handleMap[handle] = path;
        }
    }
    catch (System.Exception ex)
    {
        // Log and swallow: an exception escaping a hook callback would presumably surface
        // inside the hooked process rather than here.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}
/// <summary>
/// Post-call hook for MapViewOfFile: hands the freshly mapped view to the scanner and,
/// when it is flagged, rewrites the call to look like a failure (NULL view, last error 2)
/// and skips it. A "has_malware" byte is attached to the call either way.
/// </summary>
/// <param name="hookInfo">Hook metadata (unused here).</param>
/// <param name="callInfo">Call context: result, parameters and the skip/last-error controls.</param>
private void MapViewOfFileHook(INktHookInfo hookInfo, INktHookCallInfoPlugin callInfo)
{
    IntPtr view = callInfo.Result().PointerVal;

    // Parameter 4 is dwNumberOfBytesToMap; it is passed to the scanner unchanged.
    // NOTE(review): for MapViewOfFile a count of 0 means "map through to the end of the
    // section", so passing it straight through scans nothing for exactly those calls —
    // confirm LookForMalware handles 0, otherwise derive the size from the section itself.
    IntPtr requestedBytes = callInfo.Params().GetAt(4).PointerVal;

    // Pointer-sized value reinterpreted as unsigned; on 32-bit targets the scannable range
    // is therefore bounded by 2^32 - 1 (and by int-indexed native arrays inside the scanner).
    ulong byteCount = (ulong)requestedBytes;

    if (!LookForMalware(view, byteCount))
    {
        callInfo.AddByte("has_malware", 0);
        return;
    }

    callInfo.AddByte("has_malware", 1);
    // Make the caller observe a failed mapping: NULL result and last error 2 (ERROR_FILE_NOT_FOUND).
    callInfo.Result().PointerVal = IntPtr.Zero;
    callInfo.LastError = 2;
    // NOTE(review): Result() was read above, so this runs post-call and the view already
    // exists; whether SkipCall() unmaps it here or leaks the mapping depends on the hook
    // engine — verify with a handle/section count on a flagged file.
    callInfo.SkipCall();
}
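/// <summary>
/// Post-call hook for MapViewOfFile: traces the first byte of the returned view, decoded as UTF-8.
/// </summary>
/// <param name="hookInfo">Hook metadata (unused here).</param>
/// <param name="chainIndex">Position of this plugin in the hook chain (unused here).</param>
/// <param name="callInfo">Call context: pre/post flag and the call's return value.</param>
/// <returns>Always 0. A failed read is logged rather than thrown back into the hooked process.</returns>
public int MapViewOfFileHook(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    try
    {
        // Result() is only meaningful after the call (same guard OnCreateFileW uses).
        if (callInfo.IsPreCall)
        {
            return 0;
        }

        IntPtr address = callInfo.Result().PointerVal;
        // MapViewOfFile returns NULL on failure; Marshal.Copy from NULL throws inside the callback.
        if (address == IntPtr.Zero)
        {
            return 0;
        }

        byte[] buffer = new byte[1];
        Marshal.Copy(address, buffer, 0, 1);

        // Decode the single byte; a lone lead byte of a multi-byte sequence shows up as U+FFFD.
        // Passing the string (not a char[]) matters: Trace.Write(object) would print "System.Char[]".
        Trace.Write(System.Text.Encoding.UTF8.GetString(buffer));
    }
    catch (System.Exception ex)
    {
        // Log and swallow so the hooked process never sees an exception from the callback.
        Trace.WriteLine(ex.ToString());
    }
    return 0;
}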
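/// <summary>
/// Post-call hook for MapViewOfFile: traces the first byte of the returned view, decoded as UTF-8.
/// </summary>
/// <param name="hookInfo">Hook metadata (unused here).</param>
/// <param name="chainIndex">Position of this plugin in the hook chain (unused here).</param>
/// <param name="callInfo">Call context: pre/post flag and the call's return value.</param>
/// <returns>Always 0. A failed read is logged rather than thrown back into the hooked process.</returns>
public int MapViewOfFileHook(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    try
    {
        // Result() is only meaningful after the call (same guard OnCreateFileW uses).
        if (callInfo.IsPreCall)
        {
            return 0;
        }

        IntPtr address = callInfo.Result().PointerVal;
        // MapViewOfFile returns NULL on failure; Marshal.Copy from NULL throws inside the callback.
        if (address == IntPtr.Zero)
        {
            return 0;
        }

        byte[] buffer = new byte[1];
        Marshal.Copy(address, buffer, 0, 1);

        // Decode the single byte; a lone lead byte of a multi-byte sequence shows up as U+FFFD.
        // Passing the string (not a char[]) matters: Trace.Write(object) would print "System.Char[]".
        Trace.Write(System.Text.Encoding.UTF8.GetString(buffer));
    }
    catch (System.Exception ex)
    {
        // Log and swallow so the hooked process never sees an exception from the callback.
        Trace.WriteLine(ex.ToString());
    }
    return(0);
}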
/// <summary>
/// Post-call hook for CreateFileW: records the file name behind every handle the call
/// successfully returned, so later hooks can resolve handle -> path via <c>handleMap</c>.
/// </summary>
/// <param name="hookInfo">Hook metadata; only FunctionName and Address are traced.</param>
/// <param name="chainIndex">Position of this plugin in the hook chain (traced only).</param>
/// <param name="callInfo">Call context: pre/post flag, return value and parameters.</param>
/// <returns>Always 0. Errors are logged and never propagated out of the callback.</returns>
public int OnCreateFileW(INktHookInfo hookInfo, int chainIndex, INktHookCallInfoPlugin callInfo)
{
    System.Diagnostics.Trace.WriteLine($"MyFilePlugin::OnCreateFileW called [Hook: {hookInfo.FunctionName} @ 0x{hookInfo.Address.ToString("X")} / Chain:{chainIndex}]");
    try
    {
        // Nothing to record until the call has actually produced a handle.
        if (callInfo.IsPreCall)
        {
            return 0;
        }

        IntPtr handle = callInfo.Result().SizeTVal;
        System.Diagnostics.Trace.WriteLine($"MyFilePlugin::OnFunctionCall OnCreateFileW {handle}");

        // -1 (INVALID_HANDLE_VALUE) is CreateFileW's failure value; NULL is rejected too.
        bool opened = handle != IntPtr.Zero && handle != (IntPtr)(-1);
        if (!opened)
        {
            return 0;
        }

        // Parameter 0 is lpFileName.
        string path = callInfo.Params().GetAt(0).ReadString();
        System.Diagnostics.Trace.WriteLine($"MyFilePlugin::OnFunctionCall OnCreateFileW {path}");
        if (path.Length == 0)
        {
            return 0;
        }

        // NOTE(review): entries are never removed here. Once the process closes the handle
        // and the kernel reuses the value, the map reports the old path unless a
        // CloseHandle hook prunes it — confirm such a hook exists.
        lock (handleMap)
        {
            handleMap[handle] = path;
        }
    }
    catch (System.Exception ex)
    {
        // Log and swallow: an exception escaping a hook callback would presumably surface
        // inside the hooked process rather than here.
        System.Diagnostics.Trace.WriteLine(ex.ToString());
    }
    return 0;
}