BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
if(dwReason == DLL_PROCESS_ATTACH) {
// make sure advapi32 is loaded
LoadLibrary("advapi32");
// there's a small list of processes which we don't want to inject
if(is_ignored_process()) {
return TRUE;
}
// hide our module from peb
hide_module_from_peb(hModule);
// obtain all protected pids
int pids[MAX_PROTECTED_PIDS], length = sizeof(pids);
pipe2(pids, &length, "GETPIDS");
for (int i = 0; i < length / sizeof(pids[0]); i++) {
add_protected_pid(pids[i]);
}
// initialize file stuff
file_init();
// read the config settings
read_config();
g_pipe_name = g_config.pipe_name;
// initialize the log file
log_init(g_config.host_ip, g_config.host_port, 0);
// initialize the Sleep() skipping stuff
init_sleep_skip(g_config.first_process);
// we skip a random given amount of milliseconds each run
init_startup_time(g_config.startup_time);
// disable the retaddr check if the user wants so
if(g_config.retaddr_check == 0) {
hook_disable_retaddr_check();
}
// initialize all hooks
set_hooks();
// notify analyzer.py that we've loaded
char name[64];
sprintf(name, "CuckooEvent%d", GetCurrentProcessId());
HANDLE event_handle = OpenEvent(EVENT_ALL_ACCESS, FALSE, name);
if(event_handle != NULL) {
SetEvent(event_handle);
CloseHandle(event_handle);
}
}
else if(dwReason == DLL_PROCESS_DETACH) {
log_free();
}
return TRUE;
}
BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
(void) hModule; (void) lpReserved;
if(dwReason == DLL_PROCESS_ATTACH && is_ignored_process() == 0) {
monitor_init(hModule);
monitor_hook(NULL);
pipe("LOADED:%d,%d", get_current_process_id(), g_monitor_track);
}
return TRUE;
}
