def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
hooks = [ ("kernel32.dll", "CreateFileW", CreateFileW_handler),
("kernel32.dll", "CreateFileA", CreateFileA_handler),
("kernel32.dll", "CopyFileA", CopyFileA_handler),
("kernel32.dll", "CreateDirectoryA", CreateDirectoryA_handler),
("kernel32.dll", "DeleteFileA", DeleteFileA_handler),
("kernel32.dll", "fclose", fclose_handler),
("kernel32.dll", "fopen", fopen_handler),
("kernel32.dll", "fwrite", fwrite_handler),
("kernel32.dll", "GetSystemDirectoryA", GetSystemDirectoryA_handler),
("kernel32.dll", "GetTempPathA", GetTempPathA_handler),
("kernel32.dll", "_hwrite", hwrite_handler),
("kernel32.dll", "_lclose", lclose_handler),
("kernel32.dll", "_lcreat", lcreat_handler),
("kernel32.dll", "_lwrite", lwrite_handler),
("kernel32.dll", "MoveFileExW", MoveFileExW_handler),
("kernel32.dll", "ReadFile", ReadFile_handler),
("kernel32.dll", "WriteFile", WriteFile_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
LoadLibrary("msvcrt.dll")
hooks = [ ("kernel32.dll", "CloseHandle", CloseHandle_handler),
("kernel32.dll", "CreateProcessA", CreateProcessA_handler),
("kernel32.dll", "CreateProcessW", CreateProcessW_handler),
("kernel32.dll", "CreateRemoteThread", CreateRemoteThread_handler),
("kernel32.dll", "CreateThread", CreateThread_handler),
("kernel32.dll", "ExitProcess", ExitProcess_handler),
("kernel32.dll", "ExitThread", ExitThread_handler),
("msvcrt.dll", "_execv", execv_handler),
("kernel32.dll", "GetTickCount", GetTickCount_handler),
("kernel32.dll", "OpenProcess", OpenProcess_handler),
("kernel32.dll", "SetUnhandledExceptionFilter",\
SetUnhandledExceptionFilter_handler),
("kernel32.dll", "ShellExecuteA", ShellExecuteA_handler),
("kernel32.dll", "ShellExecuteW", ShellExecuteW_handler),
("kernel32.dll", "Sleep", Sleep_handler),
("kernel32.dll", "TerminateProcess", TerminateProcess_handler),
("kernel32.dll", "WaitForSingleObject", \
WaitForSingleObject_handler),
("kernel32.dll", "WinExec", WinExec_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name, func_name, handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
hooks = [
("kernel32.dll", "CreateFileW", CreateFileW_handler),
("kernel32.dll", "CreateFileA", CreateFileA_handler),
("kernel32.dll", "CopyFileA", CopyFileA_handler),
("kernel32.dll", "CreateDirectoryA", CreateDirectoryA_handler),
("kernel32.dll", "DeleteFileA", DeleteFileA_handler),
("kernel32.dll", "fclose", fclose_handler),
("kernel32.dll", "fopen", fopen_handler),
("kernel32.dll", "fwrite", fwrite_handler),
("kernel32.dll", "GetSystemDirectoryA", GetSystemDirectoryA_handler),
("kernel32.dll", "GetTempPathA", GetTempPathA_handler),
("kernel32.dll", "_hwrite", hwrite_handler),
("kernel32.dll", "_lclose", lclose_handler),
("kernel32.dll", "_lcreat", lcreat_handler),
("kernel32.dll", "_lwrite", lwrite_handler),
("kernel32.dll", "MoveFileExW", MoveFileExW_handler),
("kernel32.dll", "ReadFile", ReadFile_handler),
("kernel32.dll", "WriteFile", WriteFile_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name, func_name, handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
GetProcAddress = ctypes.windll.kernel32.GetProcAddress
LoadLibrary("ws2_32.dll")
LoadLibrary("wininet.dll")
t = LoadLibrary("urlmon.dll")
logging.debug("urlmon %x" % GetProcAddress(t, "URLDownloadToFileA"))
hooks = [ ("ws2_32.dll", "accept", accept_handler),
("ws2_32.dll", "bind", bind_handler),
("ws2_32.dll", "closesocket", closesocket_handler),
("ws2_32.dll", "connect", connect_handler),
("wininet.dll", "InternetOpenUrlW", InternetOpenUrlW_handler),
("ws2_32.dll", "listen", listen_handler),
("ws2_32.dll", "recv", recv_handler),
("ws2_32.dll", "recvfrom", recvfrom_handler),
("ws2_32.dll", "send", send_handler),
("ws2_32.dll", "sendto", sendto_handler),
("ws2_32.dll", "socket", socket_handler),
("ws2_32.dll", "WSASocketA", WSASocketA_handler),
("ws2_32.dll", "WSAStartup", WSAStartup_handler),
("urlmon.dll", "URLDownloadToFileA", URLDownloadToFileA_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
""" initializes this module and registers hooks for API functions that
can lead to the creation of new processes and threads
"""
logging.info("remote execution tracking active.")
if not pybox.register_hook("kernel32.dll", "CreateProcessInternalW",
cb_create_process_internal_w):
logging.error("Failed to register hook for CreateProcessInternalW")
if not pybox.register_hook("kernel32.dll", "CreateRemoteThread",
cb_create_r_thread):
logging.error("Failed to register hook for CreateRemoteThread")
if not pybox.register_hook("kernel32.dll", "ResumeThread",
cb_resume_thread):
logging.error("Failed to register hook for CreateRemoteThread")
return
def init():
""" initializes this module and registers hooks for API functions that
can lead to the creation of new processes and threads
"""
logging.info("remote execution tracking active.")
if not pybox.register_hook("kernel32.dll",
"CreateProcessInternalW",
cb_create_process_internal_w):
logging.error("Failed to register hook for CreateProcessInternalW")
if not pybox.register_hook("kernel32.dll",
"CreateRemoteThread",
cb_create_r_thread):
logging.error("Failed to register hook for CreateRemoteThread")
if not pybox.register_hook("kernel32.dll",
"ResumeThread",
cb_resume_thread):
logging.error("Failed to register hook for CreateRemoteThread")
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
hooks = [
("kernel32.dll", "CreateMutexW", CreateMutexW_handler),
("kernel32.dll", "OpenMutexW", OpenMutexW_handler),
("kernel32.dll", "ReleaseMutex", ReleaseMutex_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name, func_name, handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("user32.dll")
hooks = [ ("user32.dll", "FindWindowW", FindWindowW_handler),
("kernel32.dll", "GetVersion", GetVersion_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
hooks = [ ("kernel32.dll", "CreateMutexW", CreateMutexW_handler),
("kernel32.dll", "OpenMutexW", OpenMutexW_handler),
("kernel32.dll", "ReleaseMutex", ReleaseMutex_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("advapi32.dll")
hooks = [
("advapi32.dll", "RegCreateKeyW", RegCreateKeyW_handler),
("advapi32.dll", "RegDeleteKeyW", RegDeleteKeyW_handler),
("advapi32.dll", "RegEnumKeyExW", RegEnumKeyExW_handler),
("advapi32.dll", "RegEnumValueW", RegEnumValueW_handler),
("advapi32.dll", "RegOpenKeyExW", RegOpenKeyExW_handler),
("advapi32.dll", "RegSetValueExW", RegSetValueExW_handler),
("advapi32.dll", "RegSetKeyValueW", RegSetKeyValueW_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name, func_name, handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
hooks = [ ("kernel32.dll", "LoadLibraryA", LoadLibraryA_handler),
("kernel32.dll", "GetProcAddress", GetProcAddress_handler),
("kernel32.dll", "malloc", malloc_handler),
("kernel32.dll", "memset", memset_handler),
("kernel32.dll", "ReadProcessMemory", ReadProcessMemory_handler),
("kernel32.dll", "VirtualAllocEx", VirtualAllocEx_handler),
("kernel32.dll", "WriteProcessMemory", \
WriteProcessMemory_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name, func_name, handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("advapi32.dll")
hooks = [ ("advapi32.dll", "OpenSCManagerW", OpenSCManagerW_handler),
("advapi32.dll", "CreateServiceA", CreateServiceA_handler),
("advapi32.dll", "CreateServiceW", CreateServiceW_handler),
("advapi32.dll", "OpenServiceW", OpenServiceW_handler),
("advapi32.dll", "StartServiceW", StartServiceW_handler),
("advapi32.dll", "ControlService", ControlService_handler),
("advapi32.dll", "DeleteService", DeleteService_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("advapi32.dll")
hooks = [ ("advapi32.dll", "RegCreateKeyW", RegCreateKeyW_handler),
("advapi32.dll", "RegDeleteKeyW", RegDeleteKeyW_handler),
("advapi32.dll", "RegEnumKeyExW", RegEnumKeyExW_handler),
("advapi32.dll", "RegEnumValueW", RegEnumValueW_handler),
("advapi32.dll", "RegOpenKeyExW", RegOpenKeyExW_handler),
("advapi32.dll", "RegSetValueExW", RegSetValueExW_handler),
("advapi32.dll", "RegSetKeyValueW", RegSetKeyValueW_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
hooks = [ ("kernel32.dll", "LoadLibraryA", LoadLibraryA_handler),
("kernel32.dll", "GetProcAddress", GetProcAddress_handler),
("kernel32.dll", "malloc", malloc_handler),
("kernel32.dll", "memset", memset_handler),
("kernel32.dll", "ReadProcessMemory", ReadProcessMemory_handler),
("kernel32.dll", "VirtualAllocEx", VirtualAllocEx_handler),
("kernel32.dll", "WriteProcessMemory", \
WriteProcessMemory_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return
def init():
"""Initialize all hooks/handlers defined in this file"""
# ensure that required libraries are loaded
LoadLibrary = ctypes.windll.kernel32.LoadLibraryA
LoadLibrary("kernel32.dll")
LoadLibrary("msvcrt.dll")
hooks = [ ("kernel32.dll", "CloseHandle", CloseHandle_handler),
("kernel32.dll", "CreateProcessA", CreateProcessA_handler),
("kernel32.dll", "CreateProcessW", CreateProcessW_handler),
("kernel32.dll", "CreateRemoteThread", CreateRemoteThread_handler),
("kernel32.dll", "CreateThread", CreateThread_handler),
("kernel32.dll", "ExitProcess", ExitProcess_handler),
("kernel32.dll", "ExitThread", ExitThread_handler),
("msvcrt.dll", "_execv", execv_handler),
("kernel32.dll", "GetTickCount", GetTickCount_handler),
("kernel32.dll", "OpenProcess", OpenProcess_handler),
("kernel32.dll", "SetUnhandledExceptionFilter",\
SetUnhandledExceptionFilter_handler),
("kernel32.dll", "ShellExecuteA", ShellExecuteA_handler),
("kernel32.dll", "ShellExecuteW", ShellExecuteW_handler),
("kernel32.dll", "Sleep", Sleep_handler),
("kernel32.dll", "TerminateProcess", TerminateProcess_handler),
("kernel32.dll", "WaitForSingleObject", \
WaitForSingleObject_handler),
("kernel32.dll", "WinExec", WinExec_handler),
]
for (dll_name, func_name, handler) in hooks:
if not pybox.register_hook(dll_name,
func_name,
handler):
logging.error("Failed to register hook for %s" % func_name)
return