// this is where we are intercepting all file accesses!
private UInt32 ZwCreateFile_Hooked(IntPtr ptr_to_FileHandle,
NtDllSupport.AccessRightsFlags DesiredAccess,
IntPtr ObjectAttributes,
IntPtr IoStatusBlock,
Int32 AllocationSize, Int32 FileAttributes, NtDllSupport.ShareAccessFlags ShareAccess, Int32 CreateDisposition, NtDllSupport.FileCreationFlags CreateOptions, IntPtr EaBuffer, Int32 EaLength)
{
preprocessHook();
UInt32 result = NtDllSupport.ZwCreateFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
if (result == NtDllSupport.STATUS_SUCCESS)
{
string object_name = string.Empty;
//object_name = "YOOOO"+random.Next();
int file_handle = -1;
unsafe {
int *pfile_handle = (int *)ptr_to_FileHandle.ToPointer();
file_handle = *pfile_handle;
NtDllSupport.OBJECT_ATTRIBUTES *lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES *)ObjectAttributes.ToPointer();
NtDllSupport.UNICODE_STRING * pstrng = lpobj_attr->ObjectName;
object_name = pstrng->ToString();
}
TransferUnit transfer_unit = createTransferUnit();
transfer_unit[Color.ObjectName] = object_name;
transfer_unit[Color.FileHandle] = file_handle;
transfer_unit[Color.DesiredAccess] = DesiredAccess;
transfer_unit[Color.ShareAccess] = ShareAccess;
transfer_unit[Color.FileCreationFlags] = CreateOptions;
makeCallBack(transfer_unit);
}
return(result);
}
private UInt32 ZwCreateSection_Hooked(IntPtr ptr_SectionHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr MaximumSize, Int32 SectionPageProtection, Int32 AllocationAttributes, IntPtr FileHandle)
{
preprocessHook();
UInt32 result = NtDllSupport.ZwCreateSection(ptr_SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle);
if (result == NtDllSupport.STATUS_SUCCESS)
{
string object_name = string.Empty;
//object_name = "YOOOO" + random.Next();
int section_handle = -1;
unsafe {
section_handle = *(int *)ptr_SectionHandle.ToPointer();
NtDllSupport.OBJECT_ATTRIBUTES *lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES *)ObjectAttributes.ToPointer();
if (lpobj_attr != null)
{
NtDllSupport.UNICODE_STRING *pstrng = lpobj_attr->ObjectName;
object_name = pstrng->ToString();
}
}
TransferUnit transfer_unit = createTransferUnit();
transfer_unit[Color.ObjectName] = object_name;
transfer_unit[Color.SectionHandle] = section_handle;
transfer_unit[Color.FileHandle] = FileHandle.ToInt32();
makeCallBack(transfer_unit);
}
return(result);
}
// this is where we are intercepting all file accesses!
private UInt32 ZwReadFile_Hooked(IntPtr FileHandle, IntPtr Event, IntPtr ApcRoutine, IntPtr ApcContext, IntPtr IoStatusBlock, IntPtr Buffer, Int32 Length, IntPtr ByteOffset, IntPtr Key)
{
preprocessHook();
UInt32 result = NtDllSupport.ZwReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
if (result == NtDllSupport.STATUS_SUCCESS)
{
int bytes_read = 0;
unsafe {
NtDllSupport.IO_STATUS_BLOCK *io_status_block = (NtDllSupport.IO_STATUS_BLOCK *)IoStatusBlock.ToPointer();
bytes_read = io_status_block->Information;
}
string buffer = AbstractHookDescription.extractBufferAsString(Buffer, bytes_read > BUFFER_LIMIT ? BUFFER_LIMIT : bytes_read);
TransferUnit transfer_unit = createTransferUnit();
transfer_unit["FileHandle"] = FileHandle.ToInt32();
transfer_unit["buffer"] = buffer;
transfer_unit["BytesRead"] = bytes_read;
makeCallBack(transfer_unit);
}
return(result);
}
// this is where we are intercepting all file accesses!
private UInt32 ZwOpenFile_Hooked(IntPtr ptr_to_FileHandle, Int32 DesiredAccess, IntPtr ObjectAttributes, IntPtr IoStatusBlock, Int32 ShareAccess, NtDllSupport.FileCreationFlags OpenOptions)
{
preprocessHook();
UInt32 result = NtDllSupport.ZwOpenFile(ptr_to_FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
if (result == NtDllSupport.STATUS_SUCCESS)
{
string object_name = string.Empty;
//object_name = "YOOOO" + random.Next();
int file_handle = -1;
unsafe {
int *pfile_handle = (int *)ptr_to_FileHandle.ToPointer();
file_handle = *pfile_handle;
NtDllSupport.OBJECT_ATTRIBUTES *lpobj_attr = (NtDllSupport.OBJECT_ATTRIBUTES *)ObjectAttributes.ToPointer();
NtDllSupport.UNICODE_STRING * pstrng = lpobj_attr->ObjectName;
object_name = pstrng->ToString();
}
TransferUnit transfer_unit = createTransferUnit();
transfer_unit["ObjectName"] = object_name;
transfer_unit["FileHandle"] = file_handle;
makeCallBack(transfer_unit);
}
return(result);
}
private UInt32 ZwMapViewOfSection_Hooked(IntPtr SectionHandle, IntPtr ProcessHandle, IntPtr BaseAddress, Int32 ZeroBits, Int32 CommitSize, IntPtr SectionOffset, IntPtr ViewSize, NtDllSupport.SECTION_INHERIT InheritDisposition, Int32 AllocationType, Int32 Win32Protect)
{
preprocessHook();
UInt32 result = NtDllSupport.ZwMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect);
if (result == NtDllSupport.STATUS_SUCCESS)
{
TransferUnit transfer_unit = createTransferUnit();
transfer_unit[Color.BaseAddress] = BaseAddress.ToInt32();
transfer_unit[Color.SectionHandle] = SectionHandle.ToInt32();
transfer_unit[Color.ProcessHandle] = ProcessHandle.ToInt32();
makeCallBack(transfer_unit);
}
return(result);
}
public UInt32 ZwClose_Hooked(IntPtr handle)
{
preprocessHook();
// call original API...
UInt32 result = NtDllSupport.ZwClose(handle);
//Console.Write(".");
//if (result == NtDllSupport.STATUS_SUCCESS) {
TransferUnit transfer_unit = createTransferUnit();
transfer_unit["handle"] = handle.ToInt32();
transfer_unit["ntStatus"] = result;
makeCallBack(transfer_unit);
//}
return(result);
}
public void LdrShutdownProcess_Hooked()
{
preprocessHook();
Console.WriteLine("Delay LdrShutdownProcess");
const int DELAY = 10;
for (int i = 0; i < DELAY; i++)
{
Console.Write(" " + (DELAY - i));
}
// call original API...
NtDllSupport.LdrShutdownProcess();
//Console.Write(".");
//if (result == NtDllSupport.STATUS_SUCCESS) {
//TransferUnit transfer_unit = createTransferUnit();
//makeCallBack(transfer_unit);
}
public UInt32 ZwTerminateProcess_Hooked(IntPtr ProcessHandle, UInt32 ExitStatus)
{
preprocessHook();
// call original API...
TransferUnit transfer_unit = createTransferUnit();
transfer_unit[Color.ProcessHandle] = ProcessHandle.ToInt32();
transfer_unit[Color.ExitStatus] = ExitStatus;
//transfer_unit[Color.Result] = result;
makeCallBack(transfer_unit);
Console.WriteLine("Delay ZwTerminateProcess");
const int DELAY = 10;
for (int i = 0; i < DELAY; i++)
{
Console.Write(" " + (DELAY - i));
}
UInt32 result = NtDllSupport.ZwTerminateProcess(ProcessHandle, ExitStatus);
return(result);
}
// this is where we are intercepting all file accesses!
private uint LdrLoadDll_Hooked(IntPtr PathToFile, NtDllSupport.LoadLibraryFlags dwFlags, ref NtDllSupport.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
lock (sync_object) {
Console.WriteLine("Begin ---------------------LdrLoadDll(\"" + ModuleFileName + "\")");
preprocessHook();
TransferUnit transfer_unit = createTransferUnit();
transfer_unit["PathToFile"] = PathToFile;
transfer_unit["ModuleFileName"] = ModuleFileName.ToString();
transfer_unit["dwFlags"] = dwFlags;
// call original API through our Kernel32Support class
uint result = NtDllSupport.LdrLoadDll(PathToFile, dwFlags, ref ModuleFileName, ref ModuleHandle);
transfer_unit["ModuleHandle"] = ModuleHandle;
HookRegistry.checkHooksToInstall();
makeCallBack(transfer_unit);
Console.WriteLine("End -----------------------LdrLoadDll(\"" + ModuleFileName + "\")=");
return(result);
}
}
