def cb_create_process_internal_w(exec_ctx):
    """Callback for CreateProcessInternalW.

    Logs the twelve stack arguments of the call and installs a return hook
    (cb_create_process_internal_w_rtn) that is handed the caller's
    LP_PROCESS_INFORMATION pointer, so the child process can be picked up
    once the call has completed.
    """
    # Twelve arguments: 'd' entries are logged as hex words, 'u' entries
    # (presumably the unicode application name, command line and current
    # directory) are logged as strings.
    args = exec_ctx.get_stack_args("duuddddduddd")
    fmt = (
        "kernel32.dll.CreateProcessInternalW(0x%08x, %s, %s, "
        "0x%08x, 0x%08x, 0x%08x, 0x%08x, 0x%08x, %s, 0x%08x, "
        "0x%08x, 0x%08x)"
    )
    # args[2] is the command line (LPTSTR_CMD_LINE), args[10] the
    # LP_PROCESS_INFORMATION output pointer.
    logging.info(fmt, *[args[i] for i in range(12)])

    child_proc_info = args[10]  # LP_PROCESS_INFORMATION, passed to the return hook
    hooked = pybox.register_return_hook(
        "CreateProcessInternalW_return",
        exec_ctx,
        cb_create_process_internal_w_rtn,
        child_proc_info,
    )
    if not hooked:
        logging.error("Cannot install return hook for CreateProcessInternalW_return")
    return
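def cb_create_r_thread(exec_ctx):
    """Callback for CreateRemoteThread.

    Logs the call. When the target process handle is not the current-process
    pseudo-handle (0xFFFFFFFF), resolves the target PID through
    emb.dllGetProcessId and installs a return hook (cb_create_r_thread_rtn)
    carrying ``(pid, lpThreadId address)`` so the remotely created thread can
    be tracked. A thread created in the hooked process itself is only logged.
    """
    args = exec_ctx.get_stack_args("ddddddd")
    logging.info(
        "kernel32.dll.CreateRemoteThread(0x%08x, %d, %d, 0x%08x, "
        "%d, %d, 0x%08x)",
        args[0], args[1], args[2], args[3], args[4], args[5], args[6],
    )

    process_handle = args[0]
    r_threadid_addr = args[6]  # lpThreadId output pointer of the call

    # 0xFFFFFFFF is what GetCurrentProcess() returns on 32-bit Windows. Any
    # other handle means a thread is being started inside another process,
    # which is the injection pattern this hook exists to record.
    # NOTE(review): a real handle to the own process (e.g. obtained via
    # OpenProcess on os.getpid()) is not recognised as "self" here.
    if process_handle == 0xFFFFFFFF:
        logging.info("CreateRemoteThread called on self")
        return

    # Lazy %-args (consistent with the call log above) instead of eager
    # formatting, so a malformed value is reported by logging rather than
    # raising out of the hook.
    logging.info("PROCESS_HANDLE: 0x%08x", process_handle)
    pid = emb.dllGetProcessId(process_handle)
    logging.debug("PID of target host process: 0x%08x", pid)

    hookdata = (pid, r_threadid_addr)
    hooked = pybox.register_return_hook(
        "CreateRemoteThread_return",
        exec_ctx,
        cb_create_r_thread_rtn,
        hookdata,
    )
    if not hooked:
        logging.error("Cannot install return hook for CreateRemoteThread")
    return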
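def LoadLibraryA_handler(exec_ctx):
    """Callback for LoadLibraryA.

    Logs the library name argument and installs a return hook
    (LoadLibraryA_rtn_handler) so the loaded module can be examined once
    LoadLibraryA returns.
    """
    # get_stack_args returns a sequence (OpenProcess_handler wraps it in
    # tuple() for the same reason); converting here guarantees the single
    # string argument is formatted itself rather than as a list repr.
    args = tuple(exec_ctx.get_stack_args("a"))
    logging.info("kernel32.dll.LoadLibraryA(%s)", *args)

    hooked = pybox.register_return_hook(
        "LoadLibraryA_return",
        exec_ctx,
        LoadLibraryA_rtn_handler,
    )
    if not hooked:
        logging.error("Cannot install return hook for LoadLibraryA")
    return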
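def OpenProcess_handler(exec_ctx):
    """Callback for OpenProcessW.

    Logs the ``(dwDesiredAccess, bInheritHandle, dwProcessId)`` arguments,
    emits an extra log line when the requested PID is not the hooked process
    itself, and installs a return hook (OpenProcess_rtn_handler) for the
    resulting handle.
    """
    args = tuple(exec_ctx.get_stack_args("ddd"))

    # args[2] is the target process id. A PID other than our own means the
    # sample is reaching for a foreign process (a common precursor to
    # injection or memory inspection), so it gets its own log line before
    # the generic argument dump.
    if args[2] != os.getpid():
        logging.info("kernel32.dll.OpenProcess accessing external process!")

    # Lazy %-args, matching the other handlers, instead of eager formatting.
    logging.info("kernel32.dll.OpenProcessW(0x%08x, %d, 0x%08x)", *args)

    hooked = pybox.register_return_hook(
        "OpenProcessW_return",
        exec_ctx,
        OpenProcess_rtn_handler,
    )
    if not hooked:
        logging.error("Cannot install return hook for OpenProcessW")
    return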