HubertKromer

cuckoomon-netlog-0.6_hardening.patch

May 19th, 2013
  1. diff -u netlog.orig/cuckoomon.c netlog/cuckoomon.c
  2. --- netlog.orig/cuckoomon.c 2013-05-19 16:12:20.032282296 +0200
  3. +++ netlog/cuckoomon.c  2013-05-19 16:20:29.765159792 +0200
  4. @@ -76,6 +76,9 @@
  5.      HOOK(kernel32, RemoveDirectoryA),
  6.      HOOK(kernel32, RemoveDirectoryW),
  7.  
  8. +    HOOK(kernel32, GetFileAttributesA),
  9. +    HOOK(kernel32, GetFileAttributesExA),
  10. +
  11.      // lowest variant of MoveFile()
  12.      HOOK(kernel32, MoveFileWithProgressW),
  13.  
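Review bot: The hook table gains only the ANSI entries `HOOK(kernel32, GetFileAttributesA)` and `HOOK(kernel32, GetFileAttributesExA)`, while the neighbouring file hooks in this table register both A and W variants (RemoveDirectoryA/RemoveDirectoryW just above); unless the W variants are handled elsewhere, which this hunk does not show, GetFileAttributesW and GetFileAttributesExW bypass the new logic entirely. A short comment next to the new entries stating whether the wide variants are deliberately left out would make that choice visible to the next maintainer.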
  14. Wspólne podkatalogi: netlog.orig/distorm3.2-package i netlog/distorm3.2-package
  15. Wspólne podkatalogi: netlog.orig/.git i netlog/.git
  16. diff -u netlog.orig/hook_file.c netlog/hook_file.c
  17. --- netlog.orig/hook_file.c 2013-05-19 16:12:20.036282246 +0200
  18. +++ netlog/hook_file.c  2013-05-19 16:23:16.373076907 +0200
  19. @@ -20,6 +20,7 @@
  20.  #include <ctype.h>
  21.  #include <windows.h>
  22.  #include <shlwapi.h>
  23. +#include <string.h>
  24.  #include "hooking.h"
  25.  #include "ntapi.h"
  26.  #include "log.h"
  27. @@ -494,3 +495,39 @@
  28.      LOQ("u", "FileName", lpFileName);
  29.      return ret;
  30.  }
  31. +
  32. +/* Hardened */
  33. +HOOKDEF(DWORD, WINAPI, GetFileAttributesA,
  34. +  __in      LPCTSTR lpFileName
  35. +) {
  36. +    BOOL ret;
  37. +    if (strstr(lpFileName, "VBox") != NULL) {
  38. +        ret = INVALID_FILE_ATTRIBUTES;
  39. +        LOQ("s", "Hardening", "Faked GetFileAttributesA return");
  40. +    }
  41. +    else {
  42. +        ret = Old_GetFileAttributesA(lpFileName);
  43. +    }
  44. +    LOQ("s", "GetFileAttributesA", lpFileName);
  45. +    return ret;
  46. +}
  47. +
  48. +/* Hardened */
  49. +HOOKDEF(DWORD, WINAPI, GetFileAttributesExA,
  50. +  __in      LPCTSTR lpFileName,
  51. +  __in      GET_FILEEX_INFO_LEVELS fInfoLevelId,
  52. +  __out     LPVOID lpFileInformation
  53. +) {
  54. +    BOOL ret;
  55. +    if (strstr(lpFileName, "VBox") != NULL) {
  56. +        ret = 0;
  57. +        LOQ("s", "Hardening", "Faked GetFileAttributesExA return");
  58. +    }
  59. +    else {
  60. +        ret = Old_GetFileAttributesExA(lpFileName, fInfoLevelId,
  61. +            lpFileInformation);
  62. +    }
  63. +    LOQ("s", "GetFileAttributesExA", lpFileName);
  64. +    return ret;
  65. +}
  66. +
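Review bot: Both new hooks store their result in `BOOL ret` although the HOOKDEF return type is DWORD; for GetFileAttributesA the faked `INVALID_FILE_ATTRIBUTES` ((DWORD)-1) survives only because BOOL is a 32-bit int, so declare `DWORD ret;` there, and note that the real GetFileAttributesExA returns BOOL, which the DWORD used in this HOOKDEF and in the hooks.h hunk does not match. `strstr(lpFileName, "VBox")` is reached with no NULL check, so a NULL lpFileName faults inside the hook instead of reaching the original function's own error path; guard it as `if (lpFileName != NULL && strstr(lpFileName, "VBox") != NULL)`. The faked failure branches also leave the thread's last-error untouched, unlike the real API, so a caller that inspects GetLastError() after the fake sees a stale value; pair the fake with `SetLastError(ERROR_FILE_NOT_FOUND);`. The match is a case-sensitive substring, so the `/* Hardened */` comment above each hook should say which path spellings it is meant to cover.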
  67. diff -u netlog.orig/hook_reg.c netlog/hook_reg.c
  68. --- netlog.orig/hook_reg.c  2013-05-19 16:12:20.037282233 +0200
  69. +++ netlog/hook_reg.c   2013-05-19 16:26:16.268827900 +0200
  70. @@ -18,12 +18,14 @@
  71.  
  72.  #include <stdio.h>
  73.  #include <windows.h>
  74. +#include <string.h>
  75.  #include "hooking.h"
  76.  #include "ntapi.h"
  77.  #include "log.h"
  78.  
  79.  static IS_SUCCESS_LONGREG();
  80.  
  81. +/* Hardened */
  82.  HOOKDEF(LONG, WINAPI, RegOpenKeyExA,
  83.    __in        HKEY hKey,
  84.    __in_opt    LPCTSTR lpSubKey,
  85. @@ -31,8 +33,19 @@
  86.    __in        REGSAM samDesired,
  87.    __out       PHKEY phkResult
  88.  ) {
  89. -    LONG ret = Old_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired,
  90. -        phkResult);
  91. +    LONG ret;
  92. +    if (strstr(lpSubKey, "VirtualBox") != NULL) {
  93. +        ret = 1;
  94. +        LOQ("s", "Hardening", "Faked RegOpenKeyExA return");
  95. +    }
  96. +    else if (strstr(lpSubKey, "ControlSet") != NULL) {
  97. +        ret = 1;
  98. +        LOQ("s", "Hardening", "Faked RegOpenKeyExA return");
  99. +    }
  100. +    else {
  101. +        ret = Old_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired,
  102. +            phkResult);
  103. +    }
  104.      LOQ("psP", "Registry", hKey, "SubKey", lpSubKey, "Handle", phkResult);
  105.      return ret;
  106.  }
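Review bot: `strstr(lpSubKey, "VirtualBox")` runs before any NULL check although lpSubKey is declared `__in_opt`, and RegOpenKeyExA with a NULL subkey is a legal call (it opens hKey itself), so such callers now fault inside the hook; guard with `if (lpSubKey != NULL && strstr(lpSubKey, "VirtualBox") != NULL)`. `ret = 1` is ERROR_INVALID_FUNCTION, which is not what a missing key returns; `ret = ERROR_FILE_NOT_FOUND;` matches the real API's answer for an absent key. The two faked branches are identical and can be collapsed into one `||` condition with a single LOQ call. Matching the bare substring "ControlSet" rejects every open under HKLM\SYSTEM\CurrentControlSet, which ordinary software in the sandbox also relies on, so the `/* Hardened */` comment should state why such a broad match was chosen and what it is expected to break.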
  107. @@ -241,6 +254,7 @@
  108.      return ret;
  109.  }
  110.  
  111. +/* Hardened */
  112.  HOOKDEF(LONG, WINAPI, RegQueryValueExA,
  113.    __in         HKEY hKey,
  114.    __in_opt     LPCTSTR lpValueName,
  115. @@ -250,8 +264,25 @@
  116.    __inout_opt  LPDWORD lpcbData
  117.  ) {
  118.      ENSURE_DWORD(lpType);
  119. -    LONG ret = Old_RegQueryValueExA(hKey, lpValueName, lpReserved, lpType,
  120. -        lpData, lpcbData);
  121. +    LONG ret;
  122. +    /* HARDWARE\\Description\\System "SystemBiosVersion" */
  123. +    if (strstr(lpValueName, "SystemBiosVersion") != NULL) {
  124. +        ret = ERROR_SUCCESS;
  125. +        LOQ("s", "Hardening", "Faked RegQueryValueExA return");
  126. +    }
  127. +    /* HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 "Identifier" */
  128. +    else if (strstr(lpValueName, "Identifier") != NULL) {
  129. +        ret = ERROR_SUCCESS;
  130. +        LOQ("s", "Hardening", "Faked RegQueryValueExA return");
  131. +    }
  132. +    else if (strstr(lpValueName, "ProductId") != NULL) {
  133. +        ret = ERROR_SUCCESS;
  134. +        LOQ("s", "Hardening", "Faked RegQueryValueExA return");
  135. +    }
  136. +    else {
  137. +        ret = Old_RegQueryValueExA(hKey, lpValueName, lpReserved, lpType,
  138. +            lpData, lpcbData);
  139. +    }
  140.      if(ret == ERROR_SUCCESS && lpType != NULL && lpData != NULL &&
  141.              lpcbData != NULL) {
  142.          LOQ("psr", "Handle", hKey, "ValueName", lpValueName,
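Review bot: The three faked branches return ERROR_SUCCESS without writing lpType, lpData or lpcbData, so a caller sees success with an untouched buffer and, because the log block below checks only `ret == ERROR_SUCCESS`, the hook then logs that uninitialized buffer as real data; either fill the output buffers or return a failure such as `ret = ERROR_FILE_NOT_FOUND;`. lpValueName is `__in_opt` (NULL selects the key's default value) but is passed straight to strstr, which faults on NULL; guard each comparison with `lpValueName != NULL &&`. The three branches differ only in the substring and could share one condition and one LOQ call. The "Identifier" substring also matches unrelated value names, which the comment on that branch should acknowledge. The function body continues past the end of this hunk.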
  143. diff -u netlog.orig/hooks.h netlog/hooks.h
  144. --- netlog.orig/hooks.h 2013-05-19 16:12:20.038282221 +0200
  145. +++ netlog/hooks.h  2013-05-19 16:27:07.082192646 +0200
  146. @@ -212,6 +212,16 @@
  147.      __in  LPWSTR lpFileName
  148.  );
  149.  
  150. +extern HOOKDEF(DWORD, WINAPI, GetFileAttributesA,
  151. +  __in      LPCTSTR lpFileName
  152. +);
  153. +
  154. +extern HOOKDEF(DWORD, WINAPI, GetFileAttributesExA,
  155. +  __in      LPCTSTR lpFileName,
  156. +  __in      GET_FILEEX_INFO_LEVELS fInfoLevelId,
  157. +  __out     LPVOID lpFileInformation
  158. +);
  159. +
  160.  //
  161.  // Registry Hooks
  162.  //
  163. diff -u netlog.orig/Makefile netlog/Makefile
  164. --- netlog.orig/Makefile    2013-05-19 16:12:20.032282296 +0200
  165. +++ netlog/Makefile 2013-05-19 16:18:27.015694372 +0200
  166. @@ -1,5 +1,5 @@
  167.  MAKEFLAGS = -j8
  168. -CC = gcc
  169. +CC = i686-pc-mingw32-gcc
  170.  CFLAGS = -Wall -std=c99 -s -O2
  171.  DLL = -shared
  172.  DIRS = -Idistorm3.2-package/include
  173. Wspólne podkatalogi: netlog.orig/tests i netlog/tests