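    def MyCreateFileA(self):
        """
        Monitor the entry of CreateFileA and log its arguments.

        The arguments are read from the debuggee's stack with ``Util.GetData``
        (offset 0x0 holds the return address, 0x4 the first argument, and so
        on). A conditional breakpoint is then placed on the return address so
        that ``windowsFileIO.MyCreateFileAEnd()`` runs once the call returns.

        Prototype being hooked::

            HANDLE WINAPI CreateFile(
            _In_      LPCTSTR lpFileName,
            _In_      DWORD dwDesiredAccess,
            _In_      DWORD dwShareMode,
            _In_opt_  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
            _In_      DWORD dwCreationDisposition,
            _In_      DWORD dwFlagsAndAttributes,
            _In_opt_  HANDLE hTemplateFile
            );

        Returns:
            0 -- presumably consumed as a breakpoint-condition result, so the
            debuggee keeps running after this hook (confirm against the
            caller that registers it).
        """
        # CreateFileA receives Windows paths; ntpath splits on both '\\' and
        # '/', whereas os.path would leave 'C:\\dir\\name' unsplit when IDA
        # itself runs on a POSIX host (e.g. remote debugging).
        import ntpath

        lpFileName = Util.GetData(0x4)
        self.logger.info("MyCreateFileA lpFileName is 0x%x" % lpFileName)

        # The second argument to Util.Read is presumably the character width
        # (1 for the ANSI variant, 2 for CreateFileW) -- verify in Util.
        filePath = "".join(Util.Read(lpFileName, 1))
        self.logger.info("filePath is %s" % filePath)

        dwDesiredAccess = Util.GetData(0x8)
        self.logger.info("dwDesiredAccess is 0x%x" % (dwDesiredAccess))

        dwShareMode = Util.GetData(0xC)
        self.logger.info("dwShareMode value is 0x%x" % (dwShareMode))

        lpSecurityAttributes = Util.GetData(0x10)
        self.logger.info("lpSecurityAttributes value is 0x%x" %
                         (lpSecurityAttributes))

        dwCreationDisposition = Util.GetData(0x14)
        self.logger.info("dwCreationDisposition value is 0x%x" %
                         (dwCreationDisposition))

        # These two were read but never recorded before; flags such as
        # delete-on-close are worth having in the trace.
        dwFlagsAndAttributes = Util.GetData(0x18)
        self.logger.info("dwFlagsAndAttributes value is 0x%x" %
                         (dwFlagsAndAttributes))

        hTemplateFile = Util.GetData(0x1C)
        self.logger.info("hTemplateFile value is 0x%x" % (hTemplateFile))

        # Debuggee-controlled string: only the base name is used downstream.
        fileName = ntpath.basename(filePath)
        self.logger.info("The filename is %s" % fileName)

        # NOTE(review): unlike MyCreateFileW, this hook arms the return
        # breakpoint for every call (no filter check) and leaves BPT_BRK at
        # its default; confirm MyCreateFileAEnd() expects that.
        retAddr = Util.GetData(0x0)
        idc.AddBpt(retAddr)
        idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileAEnd()")

        return 0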
    def My_fopen(self):
        """
        Monitor the entry of glibc's ``_IO_file_fopen`` and log its arguments.

        old - FILE * fopen ( const char * filename, const char * mode );

        FILE * _IO_file_fopen (fp, filename, mode, is32not64)

        The arguments are read from the debuggee's stack with ``Util.GetData``
        (0x4 = fp, 0x8 = filename, 0xC = mode, 0x10 = is32not64). When the
        base name of ``filename`` is found in ``self.filter['file']`` the
        ``fp`` pointer is recorded in ``self.handleSet``.

        Returns:
            0 (always).
        """
        streamPtr = Util.GetData(0x4)
        self.logger.info("fp is 0x%x" % streamPtr)

        namePtr = Util.GetData(0x8)
        # Util.Read's second argument is presumably the character width.
        fullPath = "".join(Util.Read(namePtr, 1))
        self.logger.info("filePath is %s" % fullPath)

        openMode = Util.GetData(0xC)
        self.logger.info("mode is 0x%x" % (openMode))

        wordSizeFlag = Util.GetData(0x10)
        self.logger.info("is32not64 is %d" % (wordSizeFlag))

        # Debuggee-controlled path; only the base name is compared against the filter.
        baseName = os.path.basename(fullPath)
        self.logger.info("The filename is %s" % baseName)

        if baseName not in self.filter['file']:
            self.logger.info("Filter did not match.")
            return 0

        # Remember the FILE* so later I/O hooks can attribute reads/writes to it.
        self.handleSet.add(streamPtr)
        self.logger.info(
            "Filter matched. Add handle to the handle's dictionary to start logging."
        )
        return 0
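    def MyCreateFileW(self):
        """
        Monitor the entry of CreateFileW and log its arguments.

        The arguments are read from the debuggee's stack with ``Util.GetData``
        (offset 0x0 holds the return address, 0x4 the first argument, and so
        on). When the file's base name is in ``self.filter['file']`` a
        non-suspending conditional breakpoint is armed on the return address
        so that ``windowsFileIO.MyCreateFileWEnd()`` runs after the call;
        otherwise any breakpoint left there by an earlier call is removed.

        Prototype being hooked::

            HANDLE WINAPI CreateFileW(
            _In_      LPCTSTR lpFileName,
            _In_      DWORD dwDesiredAccess,
            _In_      DWORD dwShareMode,
            _In_opt_  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
            _In_      DWORD dwCreationDisposition,
            _In_      DWORD dwFlagsAndAttributes,
            _In_opt_  HANDLE hTemplateFile
            );

        Returns:
            0 -- presumably consumed as a breakpoint-condition result, so the
            debuggee keeps running after this hook (confirm against the
            caller that registers it).
        """
        # CreateFileW receives Windows paths; ntpath splits on both '\\' and
        # '/', whereas os.path would leave 'C:\\dir\\name' unsplit when IDA
        # itself runs on a POSIX host (e.g. remote debugging), which would
        # silently defeat the file-name filter below.
        import ntpath

        lpFileName = Util.GetData(0x4)
        self.logger.info("MyCreateFileW lpFileName is 0x%x" % lpFileName)

        # The second argument to Util.Read is presumably the character width
        # (2 for the wide-char variant) -- verify in Util.
        filePath = "".join(Util.Read(lpFileName, 2))
        self.logger.info("filePath is %s" % filePath)

        dwDesiredAccess = Util.GetData(0x8)
        self.logger.info("dwDesiredAccess is 0x%x" % (dwDesiredAccess))

        dwShareMode = Util.GetData(0xC)
        self.logger.info("dwShareMode value is 0x%x" % (dwShareMode))

        lpSecurityAttributes = Util.GetData(0x10)
        self.logger.info("lpSecurityAttributes value is 0x%x" %
                         (lpSecurityAttributes))

        dwCreationDisposition = Util.GetData(0x14)
        self.logger.info("dwCreationDisposition value is 0x%x" %
                         (dwCreationDisposition))

        # These two were read but never recorded before; flags such as
        # delete-on-close are worth having in the trace.
        dwFlagsAndAttributes = Util.GetData(0x18)
        self.logger.info("dwFlagsAndAttributes value is 0x%x" %
                         (dwFlagsAndAttributes))

        hTemplateFile = Util.GetData(0x1C)
        self.logger.info("hTemplateFile value is 0x%x" % (hTemplateFile))

        # Debuggee-controlled string: only the base name is compared.
        fileName = ntpath.basename(filePath)
        self.logger.info("The filename is %s" % fileName)

        retAddr = Util.GetData(0x0)

        # NOTE(review): the comparison is case-sensitive while Windows file
        # names are not, so a differently-cased name bypasses the filter;
        # normalising both sides (e.g. casefold) would need the filter's type
        # to be known -- confirm with the code that builds self.filter.
        if fileName in self.filter['file']:
            idc.AddBpt(retAddr)
            # BPT_BRK = 0: the condition runs but the debuggee is not suspended.
            idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
            idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileWEnd()")
            self.logger.info(
                "Filter matched. Add handle to the handle's dictionary to start logging."
            )
            Print(
                "Filter matched. Add handle to the handle's dictionary to start logging."
            )

        else:
            # CheckBpt() is negative when no breakpoint exists at retAddr;
            # drop a stale one left by an earlier, matching call so the End
            # hook does not fire for this unfiltered file.
            if idc.CheckBpt(retAddr) >= 0:
                Print("Removing un-needed breakpoint.")
                self.logger.info("Removing un-needed breakpoint.")
                idc.DelBpt(retAddr)

            self.logger.info("Filter did not match.")

        return 0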