Beispiel #1
0
BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    if(dwReason == DLL_PROCESS_ATTACH) {
        // make sure advapi32 is loaded
        LoadLibrary("advapi32");

        // there's a small list of processes which we don't want to inject
        if(is_ignored_process()) {
            return TRUE;
        }

        // hide our module from peb
        hide_module_from_peb(hModule);

        // obtain all protected pids
        int pids[MAX_PROTECTED_PIDS], length = sizeof(pids);
        pipe2(pids, &length, "GETPIDS");
        for (int i = 0; i < length / sizeof(pids[0]); i++) {
            add_protected_pid(pids[i]);
        }

        // initialize file stuff
        file_init();

        // read the config settings
        read_config();
        g_pipe_name = g_config.pipe_name;

        // initialize the log file
        log_init(g_config.host_ip, g_config.host_port, 0);

        // initialize the Sleep() skipping stuff
        init_sleep_skip(g_config.first_process);

        // we skip a random given amount of milliseconds each run
        init_startup_time(g_config.startup_time);

        // disable the retaddr check if the user wants so
        if(g_config.retaddr_check == 0) {
            hook_disable_retaddr_check();
        }

        // initialize all hooks
        set_hooks();

        // notify analyzer.py that we've loaded
        char name[64];
        sprintf(name, "CuckooEvent%d", GetCurrentProcessId());
        HANDLE event_handle = OpenEvent(EVENT_ALL_ACCESS, FALSE, name);
        if(event_handle != NULL) {
            SetEvent(event_handle);
            CloseHandle(event_handle);
        }
    }
    else if(dwReason == DLL_PROCESS_DETACH) {
        log_free();
    }

    return TRUE;
}
Beispiel #2
0
BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    (void) hModule; (void) lpReserved;

    if(dwReason == DLL_PROCESS_ATTACH && is_ignored_process() == 0) {
        monitor_init(hModule);
        monitor_hook(NULL);
        pipe("LOADED:%d,%d", get_current_process_id(), g_monitor_track);
    }

    return TRUE;
}