BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
if(dwReason == DLL_PROCESS_ATTACH) {
// make sure advapi32 is loaded
LoadLibrary("advapi32");
// there's a small list of processes which we don't want to inject
if(is_ignored_process()) {
return TRUE;
}
// hide our module from peb
hide_module_from_peb(hModule);
// obtain all protected pids
int pids[MAX_PROTECTED_PIDS], length = sizeof(pids);
pipe2(pids, &length, "GETPIDS");
for (int i = 0; i < length / sizeof(pids[0]); i++) {
add_protected_pid(pids[i]);
}
// initialize file stuff
file_init();
// read the config settings
read_config();
g_pipe_name = g_config.pipe_name;
// initialize the log file
log_init(g_config.host_ip, g_config.host_port, 0);
// initialize the Sleep() skipping stuff
init_sleep_skip(g_config.first_process);
// we skip a random given amount of milliseconds each run
init_startup_time(g_config.startup_time);
// disable the retaddr check if the user wants so
if(g_config.retaddr_check == 0) {
hook_disable_retaddr_check();
}
// initialize all hooks
set_hooks();
// notify analyzer.py that we've loaded
char name[64];
sprintf(name, "CuckooEvent%d", GetCurrentProcessId());
HANDLE event_handle = OpenEvent(EVENT_ALL_ACCESS, FALSE, name);
if(event_handle != NULL) {
SetEvent(event_handle);
CloseHandle(event_handle);
}
}
else if(dwReason == DLL_PROCESS_DETACH) {
log_free();
}
return TRUE;
}
void monitor_init(HMODULE module_handle)
{
// Sends crashes to the process rather than showing error popup boxes etc.
SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOALIGNMENTFAULTEXCEPT |
SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX);
config_t cfg;
config_read(&cfg);
// Required to be initialized before any logging starts.
mem_init();
// Initialize capstone without our custom allocator as it is
// not available yet.
hook_init(module_handle);
pipe_init(cfg.pipe_name);
native_init();
// Re-initialize capstone with our custom allocator which is now
// accessible after native_init().
hook_init2();
misc_init(module_handle, cfg.shutdown_mutex);
misc_set_hook_library(&monitor_hook);
diffing_init(cfg.hashes_path, cfg.diffing_enable);
log_init(cfg.logpipe);
ignore_init();
sleep_init(cfg.first_process, cfg.force_sleep_skip, cfg.startup_time);
unhook_init_detection(cfg.first_process);
hide_module_from_peb(module_handle);
symbol_init(module_handle);
// Should be the last as some of the other initialization routines extract
// the image size, EAT pointers, etc while the PE header is still intact.
destroy_pe_header(module_handle);
misc_set_monitor_options(cfg.track, cfg.mode);
}
