private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strOnFunctionCalled = hook.FunctionName + "\n";
if (hook.FunctionName.CompareTo("D3D9.DLL!CreateDevice") == 0)
{
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam param = paramsEnum.First();
INktParam tempParam = null;
while (param != null)
{
tempParam = param;
param = paramsEnum.Next();
}
strOnFunctionCalled += " " + tempParam.PointerVal.ToString() + "\n";
}
Output(strOnFunctionCalled);
}
static void OnProcess32First(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleConsuming, APICategory.ToolHelp, APIID.Process32First, hook, process, callInfo);
if (report == null)
{
return;
}
report.ID = APIID.Process32First;
var param = new Process32FirstParameter();
param.Handle = callInfo.Params().GetAt(0).SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
static void OnCreateToolhelp32Snapshot(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleCreation, APICategory.ToolHelp, APIID.CreateToolhelp, hook, process, callInfo);
if (report == null)
{
return;
}
report.ID = APIID.CreateToolhelp;
var param = new CreateToolhelp32Snapshot();
param.Flags = callInfo.Params().GetAt(0).ULongVal;
param.Handle = callInfo.Result().SizeTVal;
report.Parameter = param;
Reports.Enqueue(report);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strDocument = "Document: ";
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam param = paramsEnum.First();
param = paramsEnum.Next();
param = paramsEnum.Next();
if (param.PointerVal != IntPtr.Zero)
{
INktParamsEnum paramsEnumStruct = param.Evaluate().Fields();
INktParam paramStruct = paramsEnumStruct.First();
strDocument += paramStruct.ReadString();
strDocument += "\n";
}
Output(strDocument);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
Output(hook.FunctionName + "( ");
bool first = true;
foreach (INktParam param in hookCallInfo.Params())
{
if (first)
{
first = false;
}
else
{
Output(", ");
}
Output(param.Name + " = " + param.Value.ToString());
}
Output(" )" + Environment.NewLine);
}
/// <summary>
/// WriteFile调用事件处理函数
/// </summary>
/// <param name="hook"></param>
/// <param name="process"></param>
/// <param name="hookCallInfo"></param>
private void OnWriteFileCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strDocument = "Document: ";
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam hFile = paramsEnum.First();
//paramsEnum.Next();
//paramsEnum.Next();
//paramsEnum.Next();
//paramsEnum.Next();
INktParam lpBuffer = paramsEnum.Next();
INktParam nNumberOfBytesToWrite = paramsEnum.Next();
#region 着官方示例写的 毛用没有
if (hFile.PointerVal != IntPtr.Zero)
{
INktParamsEnum hFileEnumStruct = hFile.Evaluate().Fields();
INktParam hFileStruct = hFileEnumStruct.First();
}
Console.Out.WriteLine(lpBuffer.ReadString());
Console.Out.WriteLine(lpBuffer.Address);
if (lpBuffer.PointerVal != IntPtr.Zero)
{
strDocument += lpBuffer.ReadString();
strDocument += "\n";
}
Output(strDocument);
#endregion
var h_file = QueryFileHandle(hFile.Address);
ReadBuffer(lpBuffer.Address, nNumberOfBytesToWrite.Address);
}
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
string strDocument = "Document: ";
INktParamsEnum paramsEnum = hookCallInfo.Params();
INktParam param = paramsEnum.First();
param = paramsEnum.Next();
param = paramsEnum.Next();
if (param.PointerVal != IntPtr.Zero)
{
INktParamsEnum paramsEnumStruct = param.Evaluate().Fields();
INktParam paramStruct = paramsEnumStruct.First();
strDocument += paramStruct.ReadString();
strDocument += "\n";
}
Output(strDocument);
}
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a class factory that belongs
//to the CLSID we need, in our example, "ShellFolderView coclass"
pms = callInfo.Params();
if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
{
s = pms.GetAt(1).GuidString;
if (s == "{00000001-0000-0000-C000-000000000046}")
{
//we have ShellFolderView's IClassFactory object
if (hookIClassFactory_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
hookIClassFactory_CreateInstance.Attach(proc.Id, true);
hookIClassFactory_CreateInstance.Hook(true);
hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
}
}
}
}
if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
{
//we have ShellFolderView's IClassFactory2 object
if (hookIClassFactory2_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory2_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
hookIClassFactory2_CreateInstance.Hook(true);
hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
}
if (hookIClassFactory2_CreateInstanceLic == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstanceLic method is the eighth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
hookIClassFactory2_CreateInstanceLic.Hook(true);
hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
}
}
}
}
}
}
return;
}
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a class factory that belongs
//to the CLSID we need, in our example, "ShellFolderView coclass"
pms = callInfo.Params();
if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
{
s = pms.GetAt(1).GuidString;
if (s == "{00000001-0000-0000-C000-000000000046}")
{
//we have ShellFolderView's IClassFactory object
if (hookIClassFactory_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
hookIClassFactory_CreateInstance.Attach(proc.Id, true);
hookIClassFactory_CreateInstance.Hook(true);
hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
}
}
}
}
if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
{
//we have ShellFolderView's IClassFactory2 object
if (hookIClassFactory2_CreateInstance == null)
{
lock (hookLock)
{
if (hookIClassFactory2_CreateInstance == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
hookIClassFactory2_CreateInstance.Hook(true);
hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
}
if (hookIClassFactory2_CreateInstanceLic == null)
{
//get the address of the newly created object
addr = pms.GetAt(2).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstanceLic method is the eighth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
hookIClassFactory2_CreateInstanceLic.Hook(true);
hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
}
}
}
}
}
}
return;
}
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
if ((callInfo.Result().ULongVal & 0x80000000) == 0)
{
NktParamsEnum pms;
IntPtr addr;
string s;
//if the call succeeded, check if we are creating a instance that belongs
//to the IID we need, in our example, "IShellFolderViewDual"
pms = callInfo.Params();
//remember that the first parameter is the interface pointer itself
s = pms.GetAt(2).GuidString;
if (s == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}" ||
s == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}" ||
s == "{88A05C00-F000-11CE-8350-444553540000}")
{
//at this point we have to apply a similar code than we used to hook
//IClassFactory::CreateInstance above and the other methods
addr = pms.GetAt(3).Evaluate().PointerVal;
//get object's vtable address by inspecting the first pointer
addr = proc.Memory().get_SSizeTVal(addr);
//because the CreateInstance method is the fourth one,
//get the method entrypoint by reading memory
addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
addr = proc.Memory().get_SSizeTVal(addr);
/*
.
.
.
*/
}
}
}
private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
bool is_malware = false;
IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
IntPtr address = callInfo.Result().PointerVal;
IntPtr length = callInfo.Params().GetAt(4).PointerVal;
Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));
IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);
is_malware = LookForMalware(process_handle, (IntPtr)maphandle, (uint)length); // assuming that length is int in this example. So, mapped files greater than 2^32 - 1 will not work. Also Marshal.ReadByte is limited to int.
if (is_malware)
{
callInfo.Result().PointerVal = IntPtr.Zero;
callInfo.LastError = 2;
callInfo.SkipCall();
}
}
static void OnRegSetValue(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
var report = Base(APIType.HandleConsuming, APICategory.Registry, APIID.RegSetValue, hook, process, callInfo);
if (report == null)
{
return;
}
var param = new RegSetValueParameter();
param.Handle = callInfo.Params().GetAt(0).SizeTVal;
param.Value = callInfo.Params().GetAt(1).IsNullPointer ? "Default" : callInfo.Params().GetAt(1).ReadString();
string data = "";
uint type, len;
INktParam pData;
if (hook.FunctionName.Contains("Ex"))
{
type = callInfo.Params().GetAt(3).ULongVal;
len = callInfo.Params().GetAt(5).ULongVal;
pData = callInfo.Params().GetAt(4);
}
else
{
type = callInfo.Params().GetAt(2).ULongVal;
len = callInfo.Params().GetAt(4).ULongVal;
pData = callInfo.Params().GetAt(3);
}
if (!pData.IsNullPointer)
{
switch (type)
{
case 1:
case 2:
case 7:
byte[] buf = new byte[len];
GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned);
IntPtr p = h.AddrOfPinnedObject();
INktProcessMemory mem = pData.Memory();
mem.ReadMem(p, pData.PointerVal, (IntPtr)len);
h.Free();
if (hook.FunctionName.Contains("W"))
{
data = Encoding.Unicode.GetString(buf, 0, (int)len);
}
else
{
data = Encoding.ASCII.GetString(buf, 0, (int)len);
}
break;
case 3:
case 4:
data = pData.Evaluate().ULongVal.ToString();
break;
}
}
data = data.Replace('\0', ' ');
data = data.Trim();
param.Type = type;
param.Data = data;
report.Parameter = param;
Reports.Enqueue(report);
}