// Every file open/create in the hooked process is routed through here.
/// <summary>
/// Hook for CreateFile: records the requested path on the shared activity queue and
/// then forwards the call, arguments untouched, to the real CreateFile.
/// </summary>
/// <param name="InFileName">Path passed by the hooked process; recorded verbatim.</param>
/// <returns>Whatever the real CreateFile returns (the hook never alters the result).</returns>
/// <remarks>
/// Logging is best-effort: any exception raised while resolving the hook context or
/// pushing the entry is swallowed so the hooked process never observes the monitor.
/// </remarks>
static IntPtr CreateFile_Hooked(
    String InFileName,
    UInt32 InDesiredAccess,
    UInt32 InShareMode,
    IntPtr InSecurityAttributes,
    UInt32 InCreationDisposition,
    UInt32 InFlagsAndAttributes,
    IntPtr InTemplateFile)
{
    try
    {
        var hookOwner = (MalMonInject)HookRuntimeInfo.Callback;
        lock (hookOwner.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            hookOwner.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "CreateFile", InFileName));
        }
    }
    catch
    {
        // Monitoring failures must not break the intercepted call.
    }

    // Hand the call to the real API.
    return CreateFile(InFileName, InDesiredAccess, InShareMode, InSecurityAttributes,
                      InCreationDisposition, InFlagsAndAttributes, InTemplateFile);
}
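/// <summary>
/// Hook for WriteFile: records the bytes about to be written, then forwards the call to
/// the real WriteFile.
/// </summary>
/// <param name="lpBuffer">Caller's data buffer; arbitrary bytes, not a NUL-terminated string.</param>
/// <param name="nNumberOfBytesToWrite">Number of valid bytes in <paramref name="lpBuffer"/>.</param>
/// <returns>Whatever the real WriteFile returns.</returns>
/// <remarks>
/// The capture is bounded by <paramref name="nNumberOfBytesToWrite"/>. The previous
/// unbounded <c>PtrToStringAnsi(lpBuffer)</c> scanned until the first zero byte, which for a
/// binary buffer can run past the caller's allocation.
/// </remarks>
static bool WriteFile_Hooked(IntPtr hFile, IntPtr lpBuffer, uint nNumberOfBytesToWrite, IntPtr lpNumberOfBytesWritten, IntPtr lpOverlapped)
{
    try
    {
        MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

        string content = string.Empty;
        if (lpBuffer != IntPtr.Zero && nNumberOfBytesToWrite > 0)
        {
            // Copy exactly the bytes the caller declared; clamp the DWORD to the int the marshaller takes.
            int count = nNumberOfBytesToWrite > int.MaxValue ? int.MaxValue : (int)nNumberOfBytesToWrite;
            content = Marshal.PtrToStringAnsi(lpBuffer, count);
        }

        lock (This.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "WriteFile", content));
        }
    }
    catch
    {
        // Best-effort logging: never disturb the intercepted call.
    }

    return WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped);
}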
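/// <summary>
/// Hook for sendto: records the outgoing payload, then forwards the call to the real sendto.
/// </summary>
/// <param name="buf">Payload marshalled as an ANSI string. NOTE(review): this truncates at the
/// first zero byte and re-encodes bytes above 0x7F, so <paramref name="len"/> may no longer match
/// the marshalled data for binary datagrams; the delegate signature is kept as-is here.</param>
/// <returns>Whatever the real sendto returns (bytes sent, or SOCKET_ERROR).</returns>
/// <remarks>
/// The original forwarded to <c>send()</c>, dropping <paramref name="to"/>/<paramref name="tolen"/>;
/// on an unconnected datagram socket that fails instead of delivering to the destination.
/// The forward now goes to <c>sendto</c>, whose P/Invoke declaration must sit next to <c>send</c>'s.
/// </remarks>
static int sendto_Hooked(uint s, [MarshalAsAttribute(UnmanagedType.LPStr)] string buf, int len, int flags, ref sockaddr to, int tolen)
{
    try
    {
        MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;
        lock (This.Queue)
        {
            // Entry layout: time, pid, tid, api name, content. Label matches the hooked export.
            This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "sendto", buf));
        }
    }
    catch
    {
        // Best-effort logging: never disturb the intercepted call.
    }

    // Honour the destination address the caller supplied.
    return sendto(s, buf, len, flags, ref to, tolen);
}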
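/// <summary>
/// Hook for RegDeleteKeyW: records the subkey being deleted, then forwards the call.
/// </summary>
/// <param name="lpSubKey">Subkey name relative to <paramref name="hKey"/>; recorded in the entry.</param>
/// <returns>Whatever the real RegDeleteKeyW returns.</returns>
/// <remarks>
/// The previous entry was labelled "RgCreateKeyW" with empty content (a copy/paste slip), so
/// deletions were indistinguishable from creations and the key name was lost.
/// </remarks>
static int RegDeleteKeyW_Hooked(IntPtr hKey, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey)
{
    try
    {
        MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;
        lock (This.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "RegDeleteKeyW", lpSubKey ?? string.Empty));
        }
    }
    catch
    {
        // Best-effort logging: never disturb the intercepted call.
    }

    return RegDeleteKeyW(hKey, lpSubKey);
}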
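/// <summary>
/// Hook for TerminateThread: records the target thread handle, then forwards the call to the
/// real TerminateThread.
/// </summary>
/// <param name="hThread">Handle of the thread the hooked process wants to terminate.</param>
/// <returns>Whatever the real TerminateThread returns.</returns>
/// <remarks>
/// The original forwarded to <c>TerminateProcess(hThread, ...)</c>, i.e. the wrong API with a
/// thread handle, so the intercepted call did not do what the caller asked. The forward now
/// goes to <c>TerminateThread</c>, whose P/Invoke declaration must exist alongside the others.
/// </remarks>
static bool TerminateThread_Hooked(IntPtr hThread, uint dwExitCode)
{
    try
    {
        MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;
        lock (This.Queue)
        {
            // Entry layout: time, pid, tid, api name, content. Record the handle value for correlation.
            This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "TerminateThread", "ThreadHandle:0x" + hThread.ToString("X")));
        }
    }
    catch
    {
        // Best-effort logging: never disturb the intercepted call.
    }

    return TerminateThread(hThread, dwExitCode);
}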
/// <summary>
/// Hook for CreateThread: records that a thread was requested, then forwards the call to the
/// real CreateThread.
/// </summary>
/// <returns>Whatever the real CreateThread returns.</returns>
/// <remarks>
/// Only the event itself is recorded; the start routine and parameter are not decoded.
/// Logging is best-effort and any failure is swallowed.
/// </remarks>
static IntPtr CreateThread_Hooked(IntPtr lpThreadAttributes, uint dwStackSize, PTHREAD_START_ROUTINE lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId)
{
    try
    {
        var hookOwner = (MalMonInject)HookRuntimeInfo.Callback;
        lock (hookOwner.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            hookOwner.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "CreateThread", ""));
        }
    }
    catch
    {
        // Monitoring failures must not break the intercepted call.
    }

    return CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId);
}
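/// <summary>
/// Hook for ReadFile: performs the real read first (the buffer only has content afterwards),
/// then records the bytes that were actually read.
/// </summary>
/// <param name="lpBuffer">Caller's destination buffer; arbitrary bytes, not a NUL-terminated string.</param>
/// <param name="lpNumberOfBytesRead">Pointer to the DWORD byte count; only meaningful for a
/// successful synchronous read.</param>
/// <returns>The result of the real ReadFile; <c>false</c> if the hook context could not be resolved.</returns>
/// <remarks>
/// The capture is bounded by the returned byte count. The previous unbounded
/// <c>PtrToStringAnsi(lpBuffer)</c> scanned for a zero byte and could run past the buffer, and
/// it read the buffer even when the call failed or was overlapped (content undefined).
/// </remarks>
static bool ReadFile_Hooked(IntPtr hFile, IntPtr lpBuffer, uint nNumberOfBytesToRead, IntPtr lpNumberOfBytesRead, IntPtr lpOverlapped)
{
    bool res = false;
    try
    {
        MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;
        res = This.FileApis.ReadFileFunc(hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped);

        string content = string.Empty;
        // For overlapped I/O the count is delivered later, so the DWORD is not yet valid.
        if (res && lpBuffer != IntPtr.Zero && lpNumberOfBytesRead != IntPtr.Zero && lpOverlapped == IntPtr.Zero)
        {
            uint bytesRead = (uint)Marshal.ReadInt32(lpNumberOfBytesRead);
            if (bytesRead > 0)
            {
                int count = bytesRead > int.MaxValue ? int.MaxValue : (int)bytesRead;
                content = Marshal.PtrToStringAnsi(lpBuffer, count);
            }
        }

        lock (This.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "ReadFile", content));
        }
    }
    catch
    {
        // Best-effort logging: never disturb the intercepted call.
    }

    return res;
}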
/// <summary>
/// Hook for TerminateProcess: records the event, then forwards the call to the real
/// TerminateProcess.
/// </summary>
/// <returns>Whatever the real TerminateProcess returns.</returns>
/// <remarks>
/// Only the event is recorded (no handle or exit code). Logging is best-effort and any
/// failure is swallowed.
/// </remarks>
static bool TerminateProcess_Hooked(IntPtr hProcess, uint uExitCode)
{
    try
    {
        var hookOwner = (MalMonInject)HookRuntimeInfo.Callback;
        lock (hookOwner.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            hookOwner.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "TerminateProcess", ""));
        }
    }
    catch
    {
        // Monitoring failures must not break the intercepted call.
    }

    // Hand the call to the real API.
    return TerminateProcess(hProcess, uExitCode);
}
/// <summary>
/// Hook for ExitProcess: records the event, then forwards the call to the real ExitProcess.
/// </summary>
/// <param name="uExitCode">Exit code passed straight through; not recorded in the entry.</param>
/// <remarks>
/// The real ExitProcess does not return, so the log entry is pushed before forwarding.
/// Logging is best-effort and any failure is swallowed.
/// </remarks>
static void ExitProcess_Hooked(uint uExitCode)
{
    try
    {
        var hookOwner = (MalMonInject)HookRuntimeInfo.Callback;
        lock (hookOwner.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            hookOwner.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "ExitProcess", ""));
        }
    }
    catch
    {
        // Monitoring failures must not break the intercepted call.
    }

    // Hand the call to the real API.
    ExitProcess(uExitCode);
}
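/// <summary>
/// Hook for CreateProcessW: records what is being launched, then forwards the call to the
/// real CreateProcessW.
/// </summary>
/// <param name="lpApplicationName">Module to run; may be null when the command line carries it.</param>
/// <param name="lpCommandLine">Pointer to the UTF-16 command line; may be NULL when
/// <paramref name="lpApplicationName"/> is given.</param>
/// <returns>Whatever the real CreateProcessW returns.</returns>
/// <remarks>
/// CreateProcessW accepts a NULL command line when the application name is set; the previous
/// entry recorded only the command line, so such launches logged nothing about the target.
/// The entry now falls back to the application name in that case.
/// </remarks>
static bool CreateProcessW_Hooked([MarshalAsAttribute(UnmanagedType.LPWStr)] string lpApplicationName, IntPtr lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, [MarshalAsAttribute(UnmanagedType.Bool)] bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpCurrentDirectory, ref STARTUPINFOW lpStartupInfo, [OutAttribute()] out PROCESS_INFORMATION lpProcessInformation)
{
    try
    {
        MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

        // PtrToStringUni returns null for a NULL pointer; fall back to the application name.
        string content = Marshal.PtrToStringUni(lpCommandLine);
        if (string.IsNullOrEmpty(content))
        {
            content = lpApplicationName ?? string.Empty;
        }

        lock (This.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "CreateProcessW", content));
        }
    }
    catch
    {
        // Best-effort logging: never disturb the intercepted call.
    }

    // Hand the call to the real API; it assigns lpProcessInformation.
    return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, ref lpStartupInfo, out lpProcessInformation);
}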
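/// <summary>
/// Hook for recvfrom: performs the real receive first, then records the bytes that arrived.
/// </summary>
/// <param name="buf">Caller's receive buffer; raw bytes, not a string.</param>
/// <returns>The result of the real recvfrom (byte count, or SOCKET_ERROR); 0 if the hook
/// context could not be resolved.</returns>
/// <remarks>
/// The capture is bounded by the returned byte count and decoded as ANSI, consistent with the
/// ReadFile/WriteFile hooks. The previous <c>PtrToStringUni(buf)</c> treated the payload as a
/// NUL-terminated UTF-16 string, which mis-decodes byte payloads and scans past the datagram.
/// </remarks>
static int recvfrom_Hooked(uint s, IntPtr buf, int len, int flags, ref sockaddr from, ref int fromlen)
{
    int res = 0;
    try
    {
        MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;
        res = This.NetApis.recvfromFunc(s, buf, len, flags, ref from, ref fromlen);

        // res > 0 is the number of bytes placed in buf; anything else means no payload to record.
        string content = string.Empty;
        if (res > 0 && buf != IntPtr.Zero)
        {
            content = Marshal.PtrToStringAnsi(buf, res);
        }

        lock (This.Queue)
        {
            // Entry layout: time, pid, tid, api name, content.
            This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, "recvfrom", content));
        }
    }
    catch
    {
        // Best-effort logging: never disturb the intercepted call.
    }

    return res;
}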