/// <summary>
/// Hook handler that records a caller-to-callee cross-reference. It copies the 50 bytes that
/// precede the first address of the call stack (frame 0, presumably the return address into
/// the caller — TODO confirm against the Deviare docs), asks GetInstrSize for the length of
/// the last instruction in that window, and takes "frame-0 address minus that length" as the
/// calling instruction. The pair is logged and stored in CrossRefSet relative to SecStartAddress.
/// </summary>
/// <param name="hook">Hook that fired (not used here).</param>
/// <param name="process">Process the hook fired in (not used; memory is read via _process.Id).</param>
/// <param name="hookCallInfo">Call context; supplies the stack trace and the EIP register.</param>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    const UInt32 WindowSize = 50;
    NktStackTrace stackTrace = hookCallInfo.StackTrace();
    NktProcessMemory targetMemory = _spyMgr.ProcessMemoryFromPID(_process.Id);

    // Read the window one byte at a time into a local buffer.
    UInt64 frameZero = (UInt64)stackTrace.Address(0);
    UInt64 windowStart = frameZero - WindowSize;
    byte[] window = new byte[WindowSize];
    for (UInt32 offset = 0; offset < WindowSize; offset++)
    {
        window[offset] = (byte)targetMemory.Read((IntPtr)(windowStart + offset), eNktDboFundamentalType.ftUnsignedByte);
    }

    UInt64 calleeAddress = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);
    UInt64 lastInstrSize = (UInt64)GetInstrSize(window, WindowSize);
    UInt64 callerAddress = frameZero - lastInstrSize;

    Output("From: 0x" + callerAddress.ToString("x") + " To: 0x" + calleeAddress.ToString("x") + "\n", false);

    // Stored relative to the section start so the set does not depend on the load address.
    CROSSREF crossref = new CROSSREF();
    crossref.From = callerAddress - SecStartAddress;
    crossref.To = calleeAddress - SecStartAddress;
    CrossRefSet.Add(crossref);
}
/// <summary>
/// Post-call handler for IClassFactory::CreateInstance. When the call succeeded and the
/// requested IID is one of the three interfaces of interest, it follows the returned object
/// pointer to its vtable and reads the fourth slot. The sample stops there; the original left
/// the hook installation as "...".
/// </summary>
/// <param name="hook">Hook that fired (not used).</param>
/// <param name="proc">Process the call happened in; its memory is read for the vtable walk.</param>
/// <param name="callInfo">Call context: param 0 is 'this', param 2 riid, param 3 ppvObject.</param>
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    // An HRESULT with the high bit set is a failure: nothing was created.
    bool succeeded = (callInfo.Result().ULongVal & 0x80000000) == 0;
    if (!succeeded)
    {
        return;
    }

    NktParamsEnum parameters = callInfo.Params();
    string requestedIid = parameters.GetAt(2).GuidString;
    bool interesting = requestedIid == "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"
        || requestedIid == "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}"
        || requestedIid == "{88A05C00-F000-11CE-8350-444553540000}";
    if (!interesting)
    {
        return;
    }

    // ppvObject -> object -> vtable -> 4th slot (CreateInstance) -> method entry point.
    IntPtr objectPtr = parameters.GetAt(3).Evaluate().PointerVal;
    IntPtr vtable = proc.Memory().get_SSizeTVal(objectPtr);
    IntPtr slot = (IntPtr)(vtable.ToInt64() + 3 * IntPtr.Size);
    IntPtr methodEntry = proc.Memory().get_SSizeTVal(slot);
    // The sample ends here; a hook on methodEntry would be created like the ones in
    // the DllGetClassObject handler.
}
/// <summary>
/// Spy-manager callback for a terminated process: notifies the registered handler and then
/// forgets every hook that was bound to that process.
/// </summary>
/// <param name="aProcess">The Deviare process that terminated.</param>
private void HandleTerminatedProcess(NktProcess aProcess)
{
    var terminated = CreateConsoleProcessFrom(aProcess);
    ProcessTerminatedHandler(terminated);
    // The process is gone, so its hooks can no longer be updated or removed individually.
    _hooksByProcesses.RemoveAllHooksOf(terminated);
}
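/// <summary>
/// Hook handler for CreateProcess: records the new process's name, command line, handle and id
/// in a <see cref="CreateProcessParameter"/> and enqueues the report. When lpApplicationName was
/// null the name is resolved through System.Diagnostics.Process on a best-effort basis.
/// </summary>
/// <param name="hook">Hook that fired (passed through to Base).</param>
/// <param name="process">Process the call happened in (passed through to Base).</param>
/// <param name="callInfo">Call context; param 0 lpApplicationName, param 1 lpCommandLine, param 9 the PROCESS_INFORMATION out-struct.</param>
static void OnCreateProcess(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    var report = Base(APIType.HandleCreation, APICategory.Process, APIID.CreateProcess, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    var args = callInfo.Params();
    var applicationName = args.GetAt(0);
    var commandLine = args.GetAt(1);
    // PROCESS_INFORMATION { hProcess, hThread, dwProcessId, dwThreadId }: fields 0 and 2 are used.
    var processInfo = args.GetAt(9).Evaluate().Fields();

    var param = new CreateProcessParameter();
    // The original tested param 0 for null but then read param 1 (the command line) as the
    // process name; read the parameter that was actually checked.
    param.ProcessName = applicationName.IsNullPointer ? "" : applicationName.ReadString();
    param.Parameters = commandLine.IsNullPointer ? "" : commandLine.ReadString();
    param.Handle = processInfo.GetAt(0).SizeTVal;
    param.ID = processInfo.GetAt(2).ULongVal;

    if (param.ProcessName == "")
    {
        // Best-effort fallback: the child may already be gone, in which case GetProcessById /
        // ProcessName throw and the name simply stays empty.
        try
        {
            var child = System.Diagnostics.Process.GetProcessById((int)param.ID);
            param.ProcessName = child.ProcessName;
        }
        catch (ArgumentException)
        {
        }
        catch (InvalidOperationException)
        {
        }
        catch (System.ComponentModel.Win32Exception)
        {
        }
    }

    report.Parameter = param;
    Reports.Enqueue(report);
}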
/// <summary>
/// Hook handler for ShellExecute / ShellExecuteEx. Fills a <see cref="ShellExecuteParameter"/>
/// with the file, arguments and working directory of the launch and enqueues the report.
/// </summary>
/// <param name="hook">Hook that fired; a FunctionName containing "teEx" selects the Ex layout.</param>
/// <param name="process">Process the call happened in (passed through to Base).</param>
/// <param name="callInfo">Call context with the raw parameters.</param>
static void OnShellExecute(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.ShellExecute, hook, process, callInfo);
    if (report == null)
    {
        return;
    }
    report.ID = APIID.ShellExecute;

    INktParam file;
    INktParam args;
    INktParam dir;
    bool isExVariant = hook.FunctionName.Contains("teEx");
    if (isExVariant)
    {
        // ShellExecuteEx takes one SHELLEXECUTEINFO*; fields 4/5/6 are lpFile, lpParameters, lpDirectory.
        INktParam info = callInfo.Params().GetAt(0).Evaluate();
        file = info.Fields().GetAt(4);
        args = info.Fields().GetAt(5);
        dir = info.Fields().GetAt(6);
    }
    else
    {
        // ShellExecute(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd): params 2/3/4.
        INktParamsEnum parameters = callInfo.Params();
        file = parameters.GetAt(2);
        args = parameters.GetAt(3);
        dir = parameters.GetAt(4);
    }

    var param = new ShellExecuteParameter();
    param.Name = file.IsNullPointer ? "" : file.ReadString();
    param.Parameters = args.IsNullPointer ? "" : args.ReadString();
    param.Directory = dir.IsNullPointer ? "" : dir.ReadString();

    report.Parameter = param;
    Reports.Enqueue(report);
}
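/// <summary>
/// Hook handler for the WinSock bind/connect pair. Copies the sockaddr the caller passed, decodes
/// it with the sockaddr_in layout (big-endian port at bytes 2-3, IPv4 address at bytes 4-7) and
/// enqueues a <see cref="ConnectionParameter"/> report.
/// </summary>
/// <param name="hook">Hook that fired; a FunctionName containing "bind" marks a server-side socket.</param>
/// <param name="process">Process the call happened in (passed through to Base).</param>
/// <param name="callInfo">Call context; param 1 is the sockaddr pointer, param 2 its length.</param>
static void OnSocket(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    APIUnit report = Base(APIType.Simple, APICategory.Simple, APIID.SocketConnect, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    // The length is supplied by the hooked process and is untrusted: it may be negative,
    // shorter than the 8 bytes decoded below, or huge. Skip the report rather than throw
    // inside the hook callback, and never read more than a SOCKADDR_STORAGE (128 bytes).
    const int MinSockAddrLength = 8;
    const int MaxSockAddrLength = 128;
    int len = callInfo.Params().GetAt(2).LongVal;
    if (len < MinSockAddrLength)
    {
        return;
    }
    int bytesToRead = Math.Min(len, MaxSockAddrLength);

    byte[] buf = new byte[bytesToRead];
    GCHandle pinned = GCHandle.Alloc(buf, GCHandleType.Pinned);
    try
    {
        var sockAddrParam = callInfo.Params().GetAt(1);
        INktProcessMemory mem = sockAddrParam.Memory();
        mem.ReadMem(pinned.AddrOfPinnedObject(), sockAddrParam.PointerVal, (IntPtr)bytesToRead);
    }
    finally
    {
        // Unpin even when the remote read fails; the original leaked the handle on an exception.
        pinned.Free();
    }

    var param = new ConnectionParameter();
    param.Server = hook.FunctionName.Contains("bind");
    // sin_port is in network byte order.
    param.Port = (ushort)(buf[2] * 256 + buf[3]);
    param.IP = String.Format("{0}.{1}.{2}.{3}", buf[4].ToString("D3"), buf[5].ToString("D3"), buf[6].ToString("D3"), buf[7].ToString("D3"));
    // NOTE(review): sa_family (bytes 0-1) is not checked, so an AF_INET6 sockaddr is decoded as if it were IPv4.
    report.ID = param.Server ? APIID.SocketBind : APIID.SocketConnect;
    report.Parameter = param;
    Reports.Enqueue(report);
}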
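/// <summary>
/// Finds every running process named <paramref name="proccessName"/> whose bitness this agent can
/// hook and installs a pre-call hook on mshtml.dll!CStyleSheet::Notify at module base + _RVA.
/// The last process that was hooked is kept in <c>_process</c>.
/// </summary>
/// <param name="proccessName">Executable name to match (case-insensitive).</param>
/// <returns>true if at least one hook was installed; false otherwise (then _process is null).</returns>
private bool HookProcess(string proccessName)
{
    NktProcess hookedProcess = null;
    NktProcessesEnum processes = _spyMgr.Processes();
    for (NktProcess candidate = processes.First(); candidate != null; candidate = processes.Next())
    {
        // Only processes of our own bitness or smaller can be hooked from this agent.
        if (!(candidate.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase)
              && candidate.PlatformBits > 0
              && candidate.PlatformBits <= IntPtr.Size * 8))
        {
            continue;
        }

        NktModule module = candidate.ModuleByName("mshtml.dll");
        if (module == null)
        {
            continue;
        }

        // 64-bit arithmetic: IntPtr.ToInt32() throws OverflowException for addresses that do not
        // fit in an int, which is routine for a 64-bit target.
        IntPtr entryAddress = new IntPtr(module.BaseAddress.ToInt64() + _RVA.ToInt64());
        NktHook hook = _spyMgr.CreateHookForAddress(entryAddress, "mshtml.dll!CStyleSheet::Notify", (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable | eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));
        hook.Attach(candidate, true);
        hook.Hook(true);
        hookedProcess = candidate;
    }

    // The original always cleared _process and returned false even after hooking; report success.
    _process = hookedProcess;
    return hookedProcess != null;
}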
/// <summary>
/// Locates spoolsv.exe and installs pre-call hooks on its PrvStartDocPrinterW,
/// PrvStartPagePrinter and PrvEndDocPrinter entry points. If the spooler is not running
/// a message is printed and the program exits.
/// </summary>
public void DvStart()
{
    _process = GetProcess("spoolsv.exe");
    if (_process == null)
    {
        Console.WriteLine("spoolsv.exe가 실행이 안됩니다.");
        Environment.Exit(0);
    }

    int preCallOnly = (int)eNktHookFlags.flgOnlyPreCall;
    hookPrinterStart = _spyMgr.CreateHook("spoolsv.exe!PrvStartDocPrinterW", preCallOnly);
    hookPrinterStart.OnFunctionCalled += OnFunctionCalledPrinterStart;
    hookPage = _spyMgr.CreateHook("spoolsv.exe!PrvStartPagePrinter", preCallOnly);
    hookPage.OnFunctionCalled += OnFunctionCalledPrintPage;
    hookPrinterEnd = _spyMgr.CreateHook("spoolsv.exe!PrvEndDocPrinter", preCallOnly);
    hookPrinterEnd.OnFunctionCalled += OnFunctionCalledPrinterEnd;

    // Activate each hook and then attach it to the spooler, in the same order as created.
    foreach (NktHook hook in new[] { hookPrinterStart, hookPage, hookPrinterEnd })
    {
        hook.Hook(true);
        hook.Attach(_process, true);
    }
}
/// <summary>
/// Logs the name of every hooked call. For D3D9.DLL!CreateDevice it also appends the pointer
/// value of the last parameter, found by walking the parameter enumeration to its end.
/// </summary>
/// <param name="hook">Hook that fired; its FunctionName is logged.</param>
/// <param name="process">Process the call happened in (not used).</param>
/// <param name="hookCallInfo">Call context; supplies the parameter enumeration.</param>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    string line = hook.FunctionName + "\n";
    bool isCreateDevice = string.Compare(hook.FunctionName, "D3D9.DLL!CreateDevice") == 0;
    if (isCreateDevice)
    {
        INktParamsEnum parameters = hookCallInfo.Params();
        INktParam last = null;
        for (INktParam current = parameters.First(); current != null; current = parameters.Next())
        {
            last = current;
        }
        // NOTE(review): with an empty parameter list 'last' is null and this throws, as the original did.
        line += " " + last.PointerVal.ToString() + "\n";
    }
    Output(line);
}
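/// <summary>
/// Re-hooks <paramref name="process"/>: removes any existing hooks, then installs pre-call hooks
/// on kernel32.dll!CreateFileW and WS2_32.dll!connect, stopping at the first failure.
/// </summary>
/// <param name="process">Target process for the hooks.</param>
/// <returns>true if both hooks were installed (and <c>this.process</c> updated); false otherwise.</returns>
public bool HookProcess(NktProcess process)
{
    this.UnHook();

    if (!HookFunction(process, "kernel32.dll!CreateFileW", eNktHookFlags.flgOnlyPreCall))
    {
        return false;
    }
    // The original tested the same result twice after this call; one check is enough.
    if (!HookFunction(process, "WS2_32.dll!connect", eNktHookFlags.flgOnlyPreCall))
    {
        return false;
    }

    this.process = process;
    return true;
}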
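/// <summary>
/// Lets the user pick an executable and launches it under the spy manager (suspended when the
/// checkbox is set). Does nothing when the dialog is cancelled; the original passed the empty
/// file name on to CreateProcess in that case.
/// </summary>
private void btnProcess_Click(object sender, EventArgs e)
{
    openFileDialog1 = new OpenFileDialog();
    if (openFileDialog1.ShowDialog() != DialogResult.OK)
    {
        return;
    }
    _process = _spyMgr.CreateProcess(openFileDialog1.FileName, checkSuspended.Checked, out ContinueEvent);
}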
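/// <summary>
/// Walks the running processes, and for every one named <paramref name="proccessName"/> with a
/// bitness this agent can hook, installs a pre-call hook on mshtml.dll!CStyleSheet::Notify
/// at module base + _RVA. <c>_process</c> ends up pointing at the last process hooked.
/// </summary>
/// <param name="proccessName">Executable name to match (case-insensitive).</param>
/// <returns>true when at least one hook was installed; false otherwise (with _process null).</returns>
private bool HookProcess(string proccessName)
{
    int hookedCount = 0;
    NktProcess lastHooked = null;
    NktProcessesEnum processes = _spyMgr.Processes();
    NktProcess current = processes.First();
    while (current != null)
    {
        bool matches = current.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase)
            && current.PlatformBits > 0
            && current.PlatformBits <= IntPtr.Size * 8;
        if (matches)
        {
            NktModule mshtml = current.ModuleByName("mshtml.dll");
            if (mshtml != null)
            {
                // ToInt64 instead of ToInt32: the latter throws OverflowException on 64-bit addresses.
                long target = mshtml.BaseAddress.ToInt64() + _RVA.ToInt64();
                NktHook notifyHook = _spyMgr.CreateHookForAddress(new IntPtr(target), "mshtml.dll!CStyleSheet::Notify", (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable | eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));
                notifyHook.Attach(current, true);
                notifyHook.Hook(true);
                lastHooked = current;
                hookedCount++;
            }
        }
        current = processes.Next();
    }

    // The original unconditionally nulled _process and returned false; report what happened.
    _process = lastHooked;
    return hookedCount > 0;
}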
/// <summary>
/// Creates a post-call hook on WINMM.dll!timeGetTime and attaches it to every running 32-bit
/// iexplore.exe. When none is running the user is asked to start it and the program exits.
/// </summary>
private void Form1_Load(object sender, EventArgs e)
{
    NktHook timeHook = _spyMgr.CreateHook("WINMM.dll!timeGetTime", (int)(eNktHookFlags.flgOnlyPostCall));
    timeHook.Hook(true);

    bool attachedToAny = false;
    NktProcessesEnum running = _spyMgr.Processes();
    for (NktProcess candidate = running.First(); candidate != null; candidate = running.Next())
    {
        bool isIe32 = candidate.Name.Equals("iexplore.exe", StringComparison.InvariantCultureIgnoreCase)
            && candidate.PlatformBits == 32;
        if (isIe32)
        {
            timeHook.Attach(candidate, true);
            attachedToAny = true;
        }
    }

    if (!attachedToAny)
    {
        MessageBox.Show("Please run \"iexplore.exe\" before!", "Error");
        Environment.Exit(0);
    }
}
/// <summary>
/// Menu handler: shows the process picker and, if the user chose a process, hooks it through
/// Program.hook. The outcome is shown in a FormInfo popup and written to the "Core" log.
/// </summary>
private void attachToolStripMenuItem_Click(object sender, EventArgs e)
{
    FormSelectProgram picker = new FormSelectProgram();
    picker.StartPosition = FormStartPosition.CenterParent;
    picker.ShowDialog();

    NktProcess chosen = picker.returnedValue;
    if (chosen == null)
    {
        return;
    }

    bool hooked = Program.hook.HookProcess(chosen);
    string title = hooked ? "Hook successful" : "Error hooking";
    FormInfo.IconType icon = hooked ? FormInfo.IconType.OK : FormInfo.IconType.Error;
    FormInfo popup = new FormInfo(title, 0, icon);
    popup.StartPosition = FormStartPosition.CenterParent;
    popup.Show(Program.formMain);

    string logLine = hooked
        ? "Process " + chosen.Name + " hooked successfully"
        : "Error hooking " + chosen.Name;
    Program.LogThis("Core", logLine);
}
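/// <summary>
/// Pre-call handler for WS2_32.dll!connect. Decodes the sockaddr the caller passed using the
/// IPv4 layout (port in sa_data[0..1], address in sa_data[2..5]); when it matches the
/// bind_ip / bind_port rule, the destination is rewritten in place to forward_ip / forward_port
/// before the real connect runs. Non-IPv4 families are left untouched.
/// </summary>
/// <param name="hook">Hook that fired (not used).</param>
/// <param name="process">Process the call happened in (not used).</param>
/// <param name="hookCallInfo">Call context; param 1 is <c>const struct sockaddr *name</c>.</param>
public static void OnConnectCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    /*
     * struct sockaddr {
     *     ushort sa_family;
     *     char   sa_data[14];
     * };
     */
    const ushort AF_INET = 2;

    INktParamsEnum pms = hookCallInfo.Params();
    INktParam p = pms.GetAt(1); // second param: const struct sockaddr *name
    if (p.IsNullPointer)
    {
        return;
    }

    p = p.Evaluate(); // p is now the struct itself, no longer a pointer to it
    INktParam pC = p.Field(0);
    ushort sa_family = pC.get_UShortValAt(0);
    // Only the IPv4 layout is decoded below; rewriting bytes 2..5 of an AF_INET6 sockaddr
    // would corrupt its flow-info/address, not redirect it. The original never checked this.
    if (sa_family != AF_INET)
    {
        return;
    }

    try
    {
        pC = p.Field(1);
        byte[] bytes_port = new byte[] { pC.get_ByteValAt(0), pC.get_ByteValAt(1) };
        ushort port = PortToUShort(bytes_port);
        Console.WriteLine("Port: {0}", port);

        byte[] ip = new byte[] { pC.get_ByteValAt(2), pC.get_ByteValAt(3), pC.get_ByteValAt(4), pC.get_ByteValAt(5) };
        string detected_ip = IPtoString(ip);
        Console.WriteLine("IP: {0}", detected_ip);

        bool ipMatches = bind_ip == "0.0.0.0" || bind_ip == "*" || detected_ip == bind_ip;
        bool portMatches = bind_port == 0 || bind_port == port;
        if (ipMatches && portMatches)
        {
            byte[] target_ip = StringtoIP(forward_ip);
            pC.set_ByteValAt(2, target_ip[0]);
            pC.set_ByteValAt(3, target_ip[1]);
            pC.set_ByteValAt(4, target_ip[2]);
            pC.set_ByteValAt(5, target_ip[3]);
            if (forward_port != 0)
            {
                byte[] forward_port_change = UShorttoPort(forward_port);
                pC.set_ByteValAt(0, forward_port_change[0]);
                pC.set_ByteValAt(1, forward_port_change[1]);
            }
            // The original format string had placeholders {0}/{1}/{1} for four arguments and
            // passed '*' through a numeric conditional (so it printed 42); format all four.
            string rulePort = bind_port == 0 ? "*" : bind_port.ToString();
            string targetPort = forward_port == 0 ? "*" : forward_port.ToString();
            Console.WriteLine("Redirect From {0}:{1} to {2}:{3}", detected_ip, rulePort, forward_ip, targetPort);
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("Error {0}", e);
        throw; // 'throw e;' would discard the original stack trace
    }
}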
/// <summary>
/// Captures one intercepted call (hook, process and call info) and starts it in the
/// Waiting state, i.e. no verdict has been given yet.
/// </summary>
public FunctionWrapper(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
    status = Status.Waiting;
    this.callInfo = callInfo;
    this.proc = proc;
    this.Hook = Hook;
}
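/// <summary>
/// Spy-manager callback for a DLL load in the watched process. Traces the module name and,
/// when it is xpsservices.dll, installs the XPS interface hooks.
/// </summary>
/// <param name="proc">Process that loaded the library.</param>
/// <param name="dllName">Name or path of the loaded module, as reported by Deviare.</param>
/// <param name="moduleHandle">Module handle (not used).</param>
static void spyMgr_OnLoadLibraryCall(NktProcess proc, string dllName, object moduleHandle)
{
    System.Diagnostics.Trace.WriteLine("IEPrintWatermark [LoadLibraryCall]: " + dllName);
    // Ordinal, case-insensitive suffix test instead of ToLower()+EndsWith(): module names are not
    // linguistic text and the culture-sensitive form can misfire under some locales.
    if (dllName != null && dllName.EndsWith("xpsservices.dll", StringComparison.OrdinalIgnoreCase))
    {
        HookXpsInterfaces(proc);
    }
}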
/// <summary>
/// Binds this manager to <paramref name="process"/>, grabs the FormInterface and
/// ProcessWatcher singletons and creates the IntelliMod for the process.
/// </summary>
public HookManager(NktProcess process)
{
    this.process = process;
    ID = process.Id;
    UI = FormInterface.GetInstance();
    pw = ProcessWatcher.GetInstance();
    intelligence = new IntelliMod(process);
}
/// <summary>
/// Hook callback for the CVE-2010-3971 sample: reports the hit through Output and a message
/// box, then parks the hooked thread forever so the hooked call never continues.
/// </summary>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    const string Alert = "Xploit CVE-2010-3971";
    Output(Alert);
    MessageBox.Show(Alert);
    // Blocks this thread indefinitely; the hooked function is not allowed to proceed.
    Thread.Sleep(Timeout.Infinite);
}
/// <summary>
/// Spy-manager callback for a new process. If its parent is already tracked in lstIDs, the
/// child is tracked too and its upper-cased name is added to HookManager.Modules.
/// </summary>
void spyMgr_OnProcessStarted(NktProcess proc)
{
    bool parentIsTracked = lstIDs.Contains(proc.ParentId);
    if (!parentIsTracked)
    {
        return;
    }
    lstIDs.Add(proc.Id);
    HookManager.Modules.Add(proc.Name.ToUpper());
}
/// <summary>
/// Spy-manager callback for a terminated process: drops it from lstIDs and HookManager.Modules
/// and signals processTerminated once no tracked process is left.
/// </summary>
void spyMgr_OnProcessTerminated(NktProcess proc)
{
    lstIDs.Remove(proc.Id);
    HookManager.Modules.Remove(proc.Name.ToUpper());
    bool nothingLeft = lstIDs.Count == 0;
    if (nothingLeft)
    {
        // Last tracked process is gone: release whoever is waiting on processTerminated.
        processTerminated.Set();
    }
}
/// <summary>
/// Post-call hook that skews the hooked function's return value: every call bumps nTime,
/// and depending on nSpeed the result is pulled back by 0.2 per call (-2) or pushed
/// forward by 3 per call (2). Other nSpeed values leave the result alone.
/// </summary>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    nTime++;
    if (nSpeed == -2)
    {
        int slowdown = (int)(nTime * 0.2);
        hookCallInfo.Result().LongVal -= slowdown;
    }
    else if (nSpeed == 2)
    {
        int speedup = (int)(nTime * 3);
        hookCallInfo.Result().LongVal += speedup;
    }
}
/// <summary>
/// Spy-manager callback for a hook state transition: wraps the hook and process in their
/// console counterparts, updates the hooks-by-process registry and forwards the event to the
/// registered handler (note the handler takes previous state before current state).
/// </summary>
private void HandleHookStateChanged(NktHook aHook, NktProcess aProcess, eNktHookState currentState, eNktHookState previousState)
{
    var hook = CreateConsoleHookFrom(aHook);
    var owner = CreateConsoleProcessFrom(aProcess);
    _hooksByProcesses.Update(hook, owner, currentState, previousState);
    HookStateChangedHandler(hook, owner, previousState, currentState);
}
/// <summary>
/// Hands the process selected in lbProcess back to the caller through returnedValue and
/// closes the dialog. Does nothing when no item is selected.
/// </summary>
private void StartSelectedProcess()
{
    object selected = lbProcess.SelectedItem;
    if (selected == null)
    {
        return;
    }
    returnedValue = ((wrappers.ProcessWrapper)selected).process;
    Close();
}
/// <summary>
/// Handler for the custom-hook-plugin variant of the MapViewOfFile hook. When the plugin
/// supplied exactly one custom parameter, its byte value (has_malware) is written to the debug output.
/// </summary>
private void MapViewOfFileCustomHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
    var custom = callInfo.CustomParams();
    if (custom.Count != 1)
    {
        return;
    }
    byte has_malware = custom.GetAt(0).ByteVal;
    Debug.WriteLine(String.Format("MapViewOfFileCustomHook:: with has_malware = {0}", has_malware));
}
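/// <summary>
/// Spy-manager callback for a CreateProcess made by a watched process. Looks the child up by
/// pid and, when it is iexplore.exe, loads the Deviare agent into it.
/// </summary>
/// <param name="proc">Parent process that made the call.</param>
/// <param name="childPid">Pid of the new process.</param>
/// <param name="mainThreadId">Main thread id of the new process (not used).</param>
/// <param name="is64BitProcess">Bitness of the new process (not used).</param>
/// <param name="canHookNow">Whether Deviare allows hooking immediately (not used).</param>
static void spyMgr_OnCreateProcessCall(NktProcess proc, int childPid, int mainThreadId, bool is64BitProcess, bool canHookNow)
{
    NktProcess childProc = spyMgr.ProcessFromPID(childPid);
    if (childProc == null || childProc.Name == null)
    {
        return;
    }
    // Ordinal, case-insensitive suffix test replaces ToLower()+EndsWith(): executable names are
    // not linguistic text, and this form does not depend on the current culture.
    if (childProc.Name.EndsWith("iexplore.exe", StringComparison.OrdinalIgnoreCase))
    {
        spyMgr.LoadAgent(childProc);
    }
}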
/// <summary>
/// Initializes the form, creates and initializes the spy manager, subscribes OnFunctionCalled
/// and starts the DirectX SDK SkinnedMesh sample through the spy manager. The boolean argument
/// and the out event are passed exactly as in the original (presumably create-suspended plus
/// a continue event — confirm against the Deviare CreateProcess docs).
/// </summary>
public Form1()
{
    InitializeComponent();

    _spyMgr = new NktSpyMgr();
    _spyMgr.Initialize();
    _spyMgr.OnFunctionCalled += OnFunctionCalled;

    const string SkinnedMeshPath = @"C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)\Samples\C++\Direct3D\Bin\x86\SkinnedMesh.exe";
    _process = _spyMgr.CreateProcess(SkinnedMeshPath, true, out continueevent);
}
/// <summary>
/// Logs every hook state transition to the console and terminates the program once the
/// hook reports stRemoved.
/// </summary>
void _functionHook_OnStateChanged(NktHook Hook, NktProcess proc, eNktHookState newState, eNktHookState oldState)
{
    Console.WriteLine("--- Hook state changed {0} from {1} to {2}", Hook.FunctionName, oldState, newState);
    bool removed = newState == eNktHookState.stRemoved;
    if (removed)
    {
        Environment.Exit(0);
    }
}
/// <summary>
/// Initializes the form, brings up the spy manager with OnFunctionCalled subscribed, and
/// launches Chess.exe through it. The boolean and out-event arguments are passed as in the
/// original (presumably create-suspended plus a continue event — confirm against Deviare docs).
/// </summary>
public Form1()
{
    InitializeComponent();

    _spyMgr = new NktSpyMgr();
    _spyMgr.Initialize();
    _spyMgr.OnFunctionCalled += OnFunctionCalled;

    _process = _spyMgr.CreateProcess(
        @"C:\Program Files\Microsoft Games\Chess\Chess.exe",
        true,
        out continueevent);
}
/// <summary>
/// Resolves the running sqlservr.exe through the spy manager into <c>_sqlServerProcess</c>.
/// </summary>
/// <exception cref="SqlServiceNotFoundException">No process named sqlservr.exe is running.</exception>
public void FindSqlService()
{
    _sqlServerProcess = _spyMgr.Processes().GetByName("sqlservr.exe");
    bool found = _sqlServerProcess != null;
    if (!found)
    {
        throw new SqlServiceNotFoundException();
    }
}
/// <summary>
/// Dispatcher for hooked calls: logs the (lower-cased) function name and routes
/// WS2_32.dll!connect to OnConnectCalled. Other functions are only logged.
/// </summary>
public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    string function = hook.FunctionName.ToLower();
    Console.WriteLine("Called function {0}", function);
    bool isConnect = function == "ws2_32.dll!connect";
    if (isConnect)
    {
        OnConnectCalled(hook, process, hookCallInfo);
    }
}
private int createProcessC = 0; //T= C>1
#endregion

/// <summary>
/// Builds the IntelliMod for <paramref name="process"/>: keeps both the Deviare process and the
/// matching System.Diagnostics.Process, creates a SectionSearch over it and starts the timer
/// that calls decay() every 20 seconds.
/// </summary>
public IntelliMod(NktProcess process)
{
    nktProc = process;
    processID = process.Id;
    winProc = Process.GetProcessById(processID);
    searcher = new SectionSearch(process, false);

    // decay() fires every 20 s for as long as the timer stays enabled.
    timer.Interval = 20000;
    timer.Elapsed += decay;
    timer.Enabled = true;
}
/// <summary>
/// Returns the process behind the selected lbProcess item via returnedValue and closes the
/// dialog; a missing selection is ignored.
/// </summary>
private void StartSelectedProcess()
{
    if (lbProcess.SelectedItem == null)
    {
        return;
    }
    wrappers.ProcessWrapper selectedWrapper = (wrappers.ProcessWrapper)lbProcess.SelectedItem;
    returnedValue = selectedWrapper.process;
    this.Close();
}
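/// <summary>
/// Looks the running process with id <paramref name="pid"/> up in the spy manager and hooks it.
/// </summary>
/// <param name="pid">Process id to find.</param>
/// <returns>The result of HookProcess(NktProcess) for the match, or false if no process has that id.</returns>
public bool HookProcess(int pid)
{
    // Enumerate once: the original re-queried spyMgr.Processes() on every iteration (for Count
    // and for GetAt), which is slow and can observe different snapshots of the process list.
    NktProcessesEnum processes = spyMgr.Processes();
    int count = processes.Count;
    for (int i = 0; i < count; i++)
    {
        NktProcess candidate = (NktProcess)processes.GetAt(i);
        if (candidate.Id == pid)
        {
            return HookProcess(candidate);
        }
    }
    return false;
}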
/// <summary>
/// Post-call hook that skews the hooked function's return value. nTime counts calls; with
/// nSpeed == -2 the result loses 0.2 per call, with nSpeed == 2 it gains 3 per call, and any
/// other nSpeed leaves it untouched.
/// </summary>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    nTime++;
    if (nSpeed != -2 && nSpeed != 2)
    {
        return;
    }
    int delta = nSpeed == -2 ? -(int)(nTime * 0.2) : (int)(nTime * 3);
    hookCallInfo.Result().LongVal = hookCallInfo.Result().LongVal + delta;
}
/// <summary>
/// Hook handler for WriteProcessMemory: records the target process handle (param 0) in a
/// <see cref="WriteProcessMemoryParameter"/> and enqueues the report.
/// </summary>
static void OnWriteProcessMemory(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    var report = Base(APIType.HandleConsuming, APICategory.Process, APIID.WriteProcessMemory, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    var targetHandle = callInfo.Params().GetAt(0).SizeTVal;
    report.Parameter = new WriteProcessMemoryParameter { Handle = targetHandle };
    Reports.Enqueue(report);
}
/// <summary>
/// Finds the first running process named <paramref name="proccessName"/> whose bitness this
/// agent can handle and stores it in <c>_process</c>.
/// </summary>
/// <param name="proccessName">Executable name to match (case-insensitive).</param>
/// <returns>true if a process was found; false otherwise (then _process is null).</returns>
private bool GetProcess(string proccessName)
{
    NktProcessesEnum processes = _spyMgr.Processes();
    for (NktProcess candidate = processes.First(); candidate != null; candidate = processes.Next())
    {
        bool nameMatches = candidate.Name.Equals(proccessName, StringComparison.InvariantCultureIgnoreCase);
        if (!nameMatches)
        {
            continue;
        }
        // Only processes of our own bitness or smaller are usable.
        if (candidate.PlatformBits > 0 && candidate.PlatformBits <= IntPtr.Size * 8)
        {
            _process = candidate;
            return true;
        }
    }
    _process = null;
    return false;
}
/// <summary>
/// Creates a hook on <paramref name="function"/> with <paramref name="flag"/>, activates it and
/// attaches it to <paramref name="process"/>.
/// </summary>
/// <returns>false if the hook could not be created or Hook/Attach threw; true otherwise.</returns>
private bool HookFunction(NktProcess process, string function, eNktHookFlags flag)
{
    NktHook hook = spyMgr.CreateHook(function, (int)flag);
    if (hook == null)
    {
        return false;
    }
    try
    {
        hook.Hook(true);
        hook.Attach(process, true);
        return true;
    }
    catch
    {
        // Best-effort: any failure while installing is reported to the caller as false.
        return false;
    }
}
/// <summary>
/// Builds a RunningProcess snapshot from a Deviare process: id, name, icon, path, bitness and,
/// for processes whose bitness we can inspect, a map of module paths keyed by the hash of
/// (module name + process id).
/// </summary>
/// <param name="aProcess">Source process.</param>
/// <param name="spyManager">Spy manager handed to the snapshot.</param>
public static IRunningProcess From(NktProcess aProcess, ISpyManager spyManager)
{
    var modulePathByNameAndProcess = new Dictionary<int, string>();
    bool inspectable = aProcess.PlatformBits > 0 && aProcess.PlatformBits <= IntPtr.Size * 8;
    if (inspectable)
    {
        var modules = aProcess.Modules();
        if (modules != null)
        {
            foreach (var module in modules.CollectAll())
            {
                // NOTE(review): the key is a string hash, so two modules whose (name + pid) strings
                // collide share a slot and the second is silently dropped.
                int key = (module.Name + aProcess.Id).GetHashCode();
                if (!modulePathByNameAndProcess.ContainsKey(key))
                {
                    modulePathByNameAndProcess.Add(key, module.Path);
                }
            }
        }
    }
    return new RunningProcess(aProcess.Id, aProcess.Name, aProcess.Icon(), spyManager, aProcess.Path, aProcess.PlatformBits, modulePathByNameAndProcess);
}
/// <summary>
/// Hook handler that logs a document name: takes the third parameter of the hooked call and,
/// if it is a non-null pointer, reads the first field of the structure it points to as a string.
/// </summary>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    INktParamsEnum parameters = hookCallInfo.Params();
    parameters.First();
    parameters.Next();
    INktParam third = parameters.Next();

    string message = "Document: ";
    if (third.PointerVal != IntPtr.Zero)
    {
        INktParam firstField = third.Evaluate().Fields().First();
        message += firstField.ReadString() + "\n";
    }
    Output(message);
}
/// <summary>
/// Re-hooks <paramref name="process"/> according to Program.data.configuration: clears the
/// existing hooks, then installs each enabled hook (Secur32 EncryptMessage/DecryptMessage,
/// WS2_32 send/recv/sendto/recvfrom/WSASend/WSARecv) and stops at the first failure.
/// </summary>
/// <returns>true if every enabled hook was installed and at least one was enabled; false otherwise.</returns>
public bool HookProcess(NktProcess process)
{
    this.UnHook();

    // NOTE: the function must be hooked as 'send', not 'Send'. With the wrong casing the hook
    // installs fine but the call reports 0 parameters instead of the 4 in its definition.
    var cfg = Program.data.configuration;
    bool result = false;

    if (cfg.encryptmessage)
    {
        result = HookFunction(process, "Secur32.dll!EncryptMessage", eNktHookFlags.flgOnlyPreCall);
        if (!result) { return false; }
    }
    if (cfg.decryptmessage)
    {
        result = HookFunction(process, "Secur32.dll!DecryptMessage", eNktHookFlags.flgOnlyPostCall);
        if (!result) { return false; }
    }
    if (cfg.send)
    {
        result = HookFunction(process, "WS2_32.dll!send", eNktHookFlags.flgOnlyPreCall);
        if (!result) { return false; }
    }
    if (cfg.recv)
    {
        result = HookFunction(process, "WS2_32.dll!recv", eNktHookFlags.flgOnlyPostCall);
        if (!result) { return false; }
    }
    if (cfg.sendto)
    {
        result = HookFunction(process, "WS2_32.dll!sendto", eNktHookFlags.flgOnlyPreCall);
        if (!result) { return false; }
    }
    if (cfg.recvfrom)
    {
        result = HookFunction(process, "WS2_32.dll!recvfrom", eNktHookFlags.flgOnlyPostCall);
        if (!result) { return false; }
    }
    if (cfg.wsasend)
    {
        result = HookFunction(process, "WS2_32.dll!WSASend", eNktHookFlags.flgOnlyPreCall);
        if (!result) { return false; }
    }
    if (cfg.wsarecv)
    {
        result = HookFunction(process, "WS2_32.dll!WSARecv", eNktHookFlags.flgOnlyPostCall);
        if (!result) { return false; }
    }
    // WS2_32.dll!WSASendTo and WS2_32.dll!WSARecvFrom are deliberately not hooked until their
    // handlers are implemented.

    // With nothing enabled, result is still false and that is what gets reported.
    if (!result)
    {
        return false;
    }
    this.process = process;
    return true;
}
/// <summary>
/// Spy-manager callback for an intercepted call: forwards it to the registered handler with
/// the hook and process wrapped in their console counterparts.
/// </summary>
private void HandleFuncionCall(NktHook aHook, NktProcess aProcess, NktHookCallInfo hookCallInfo)
{
    var hook = CreateConsoleHookFrom(aHook);
    var owner = CreateConsoleProcessFrom(aProcess);
    FunctionCalledHandler(hook, owner, hookCallInfo);
}
/// <summary>
/// Post-call handler for DllGetClassObject. When the call succeeded and asked for the
/// ShellFolderView coclass, it inspects which factory interface was requested
/// (IID_IClassFactory or IID_IClassFactory2), walks the returned object's vtable to the
/// CreateInstance / CreateInstanceLic slots and installs post-call hooks on them, once,
/// under hookLock (double-checked on the static hook fields).
/// </summary>
/// <param name="hook">Hook that fired (not used).</param>
/// <param name="proc">Process the call happened in; its memory is read for the vtable walk.</param>
/// <param name="callInfo">Call context: param 0 rclsid, param 1 riid, param 2 ppv.</param>
static void OnDllGetClassObjectCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    // HRESULT with the high bit set means failure; nothing was created then.
    if ((callInfo.Result().ULongVal & 0x80000000) == 0)
    {
        NktParamsEnum pms;
        IntPtr addr;
        string s;
        //if the call succeeded, check if we are creating a class factory that belongs
        //to the CLSID we need, in our example, "ShellFolderView coclass"
        pms = callInfo.Params();
        if (pms.GetAt(0).GuidString == "{62112AA1-EBE4-11CF-A5FB-0020AFE7292D}")
        {
            s = pms.GetAt(1).GuidString;
            if (s == "{00000001-0000-0000-C000-000000000046}")
            {
                //we have ShellFolderView's IClassFactory object
                if (hookIClassFactory_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory_CreateInstance == null)
                        {
                            //get the address of the newly created object
                            addr = pms.GetAt(2).Evaluate().PointerVal;
                            //get object's vtable address by inspecting the first pointer
                            addr = proc.Memory().get_SSizeTVal(addr);
                            //because the CreateInstance method is the fourth one,
                            //get the method entrypoint by reading memory
                            addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
                            addr = proc.Memory().get_SSizeTVal(addr);
                            // NOTE(review): this is the only hook here created with flgDontCheckAddress;
                            // the two IClassFactory2 hooks below omit it — confirm whether that is intended.
                            hookIClassFactory_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall | (int)eNktHookFlags.flgDontCheckAddress);
                            hookIClassFactory_CreateInstance.Attach(proc.Id, true);
                            hookIClassFactory_CreateInstance.Hook(true);
                            hookIClassFactory_CreateInstance.OnFunctionCalled += OnIClassFactoryCreateInstanceCalled;
                        }
                    }
                }
            }
            if (s == "{B196B28F-BAB4-101A-B69C-00AA00341D07}")
            {
                //we have ShellFolderView's IClassFactory2 object
                if (hookIClassFactory2_CreateInstance == null)
                {
                    lock (hookLock)
                    {
                        if (hookIClassFactory2_CreateInstance == null)
                        {
                            //get the address of the newly created object
                            addr = pms.GetAt(2).Evaluate().PointerVal;
                            //get object's vtable address by inspecting the first pointer
                            addr = proc.Memory().get_SSizeTVal(addr);
                            //because the CreateInstance method is the fourth one,
                            //get the method entrypoint by reading memory
                            addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
                            addr = proc.Memory().get_SSizeTVal(addr);
                            hookIClassFactory2_CreateInstance = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstance", (int)eNktHookFlags.flgOnlyPostCall);
                            hookIClassFactory2_CreateInstance.Attach(proc.Id, true);
                            hookIClassFactory2_CreateInstance.Hook(true);
                            hookIClassFactory2_CreateInstance.OnFunctionCalled += OnIClassFactory2CreateInstanceCalled;
                        }
                        // The CreateInstanceLic hook is guarded by its own null-check but only reached
                        // while CreateInstance was still unhooked on entry (outer check above).
                        if (hookIClassFactory2_CreateInstanceLic == null)
                        {
                            //get the address of the newly created object
                            addr = pms.GetAt(2).Evaluate().PointerVal;
                            //get object's vtable address by inspecting the first pointer
                            addr = proc.Memory().get_SSizeTVal(addr);
                            //because the CreateInstanceLic method is the eighth one,
                            //get the method entrypoint by reading memory
                            addr = (IntPtr)(addr.ToInt64() + 7 * IntPtr.Size);
                            addr = proc.Memory().get_SSizeTVal(addr);
                            hookIClassFactory2_CreateInstanceLic = spyMgr.CreateHookForAddress(addr, "IClassFactory2::CreateInstanceLic", (int)eNktHookFlags.flgOnlyPostCall);
                            hookIClassFactory2_CreateInstanceLic.Attach(proc.Id, true);
                            hookIClassFactory2_CreateInstanceLic.Hook(true);
                            hookIClassFactory2_CreateInstanceLic.OnFunctionCalled += OnIClassFactory2CreateInstanceLicCalled;
                        }
                    }
                }
            }
        }
    }
    return;
}
/// <summary>
/// Spy-manager dispatcher: for kernel32.dll!MapViewOfFile, routes the call to the custom-hook
/// plugin handler or the in-process handler depending on _use_deviare_custom_hook_plugin.
/// Calls to any other function are ignored.
/// </summary>
void _spyMgr_OnFunctionCalled(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
    bool isMapViewOfFile = Hook.FunctionName == "kernel32.dll!MapViewOfFile";
    if (!isMapViewOfFile)
    {
        return;
    }
    if (this._use_deviare_custom_hook_plugin)
    {
        MapViewOfFileCustomHook(Hook, proc, callInfo);
    }
    else
    {
        MapViewOfFileHook(Hook, proc, callInfo);
    }
}
/// <summary>
/// Hook handler for kernel32.dll!MapViewOfFile. Scans the mapping through LookForMalware and,
/// on a hit, makes the call fail: the result becomes NULL, LastError is set to 2
/// (ERROR_FILE_NOT_FOUND) and the original call is skipped.
/// </summary>
/// <param name="Hook">Hook that fired (not used).</param>
/// <param name="proc">Process the call happened in (not used; callInfo.Process() is used instead).</param>
/// <param name="callInfo">Call context; param 0 hFileMappingObject, param 4 dwNumberOfBytesToMap.</param>
private void MapViewOfFileHook(NktHook Hook, NktProcess proc, NktHookCallInfo callInfo)
{
    IntPtr maphandle = callInfo.Params().GetAt(0).PointerVal;
    IntPtr address = callInfo.Result().PointerVal; // read as in the original; not used below
    IntPtr length = callInfo.Params().GetAt(4).PointerVal;
    Debug.WriteLine(String.Format("MapViewOfFile:: with maphandle = {0} dwNumberOfBytesToMap = {1}", maphandle, length));

    // Process handle with the access mask the original used (0x1FFFF). Whether this handle
    // must be closed by the caller is not visible here — TODO confirm against the Deviare API.
    IntPtr process_handle = callInfo.Process().Handle(0x1FFFF);
    // (uint)length: mappings larger than 2^32 - 1 bytes are not handled, and Marshal.ReadByte is
    // int-limited as well (same limitation as the original).
    bool is_malware = LookForMalware(process_handle, maphandle, (uint)length);
    if (!is_malware)
    {
        return;
    }

    callInfo.Result().PointerVal = IntPtr.Zero;
    callInfo.LastError = 2;
    callInfo.SkipCall();
}
/// <summary>
/// Spy-manager callback for a started process: forwards its console wrapper to the handler.
/// </summary>
private void HandleStartedProcess(NktProcess aProcess)
{
    var started = CreateConsoleProcessFrom(aProcess);
    ProcessStartedHandler(started);
}
/// <summary>
/// Spy-manager callback for an agent load: forwards the process's console wrapper together
/// with the reported error code to the handler.
/// </summary>
private void HandleAgentLoad(NktProcess aProcess, int anErrorCode)
{
    var target = CreateConsoleProcessFrom(aProcess);
    AgentLoadHandler(target, anErrorCode);
}
/// <summary>
/// Post-call handler for IClassFactory::CreateInstance. On a successful call whose riid is
/// one of the three IIDs of interest, follows ppvObject to the object, then to its vtable
/// and reads the fourth slot. The sample ends there; the original left the rest as "...".
/// </summary>
/// <param name="hook">Hook that fired (not used).</param>
/// <param name="proc">Process the call happened in; its memory is read for the vtable walk.</param>
/// <param name="callInfo">Call context: param 0 is 'this', param 2 riid, param 3 ppvObject.</param>
static void OnIClassFactoryCreateInstanceCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    var hresult = callInfo.Result().ULongVal;
    if ((hresult & 0x80000000) != 0)
    {
        return; // failed HRESULT: nothing was created
    }

    NktParamsEnum pms = callInfo.Params();
    string iid = pms.GetAt(2).GuidString;
    switch (iid)
    {
        case "{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}":
        case "{31C147B6-0ADE-4A3C-B514-DDF932EF6D17}":
        case "{88A05C00-F000-11CE-8350-444553540000}":
            break;
        default:
            return;
    }

    // Same walk as in the DllGetClassObject handler: object -> vtable -> 4th slot.
    IntPtr addr = pms.GetAt(3).Evaluate().PointerVal;
    addr = proc.Memory().get_SSizeTVal(addr);
    addr = (IntPtr)(addr.ToInt64() + 3 * IntPtr.Size);
    addr = proc.Memory().get_SSizeTVal(addr);
    // The sample stops here; addr now holds the method entry point a hook would target.
}
/// <summary>
/// Placeholder post-call handler for IClassFactory2::CreateInstanceLic. Intentionally empty in
/// this sample: interface instances can also be created through IClassFactory2, so a real
/// implementation would mirror the IClassFactory::CreateInstance handler above.
/// </summary>
/// <param name="hook">Hook that fired (not used).</param>
/// <param name="proc">Process the call happened in (not used).</param>
/// <param name="callInfo">Call context (not used).</param>
static void OnIClassFactory2CreateInstanceLicCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
{
    //because interface instances can be created by IClassFactory2 too, may you have
    //to define a similar code than above
}
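/// <summary>
/// Hook callback that hands every intercepted call to the UI as a FunctionWrapper and blocks
/// the hooked thread until the wrapper's status leaves Waiting. A Droped verdict skips the
/// original call; any other verdict lets it proceed. AceptingNewFunctions is reset to true
/// on both paths.
/// </summary>
/// <param name="hook">Hook that fired.</param>
/// <param name="process">Process the call happened in.</param>
/// <param name="hookCallInfo">Call context; SkipCall() is invoked on it when the call is dropped.</param>
public void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    // The original also computed hook.FunctionName.ToLower() into a local it never used.
    wrappers.FunctionWrapper pending = new wrappers.FunctionWrapper(hook, process, hookCallInfo);
    stackFunctions.Push(pending);

    // Busy-wait (Thread.Sleep(0) only yields the time slice) until another thread sets a
    // verdict. This pins a core while the user decides; a wait handle would be the proper fix
    // but needs FunctionWrapper to expose one.
    while (pending.status == wrappers.FunctionWrapper.Status.Waiting)
    {
        System.Threading.Thread.Sleep(0);
    }

    if (pending.status == wrappers.FunctionWrapper.Status.Droped)
    {
        hookCallInfo.SkipCall();
    }
    Program.data.AceptingNewFunctions = true;
}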
/// <summary>
/// Wraps a Deviare process in the console-side <see cref="IRunningProcess"/>, passing this
/// object as the spy manager.
/// </summary>
private IRunningProcess CreateConsoleProcessFrom(NktProcess aProcess)
{
    IRunningProcess wrapped = RunningProcess.From(aProcess, this);
    return wrapped;
}
/// <summary>Wraps a Deviare process so it can be shown in a list control.</summary>
/// <param name="process">The process to wrap; exposed through the <c>process</c> member.</param>
public ProcessWrapper(NktProcess process)
{
    this.process = process;
}