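/*
 * DLL entry point for the monitor (original variant).
 *
 * On DLL_PROCESS_ATTACH the process is wired up for monitoring: advapi32 is
 * loaded, the module is hidden from the PEB, the protected-pid list is
 * fetched from the analyzer over the pipe, the configuration is read,
 * logging / sleep skipping / startup time are initialized, the hooks are
 * installed and finally the per-process "CuckooEvent<pid>" event is
 * signalled so analyzer.py knows the DLL is in place.  On DLL_PROCESS_DETACH
 * the log is released.  Thread notifications are ignored.
 *
 * hModule    - this DLL's module handle (handed to hide_module_from_peb)
 * dwReason   - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread notifications
 * lpReserved - unused
 *
 * Always returns TRUE; the loader never sees a failure from this entry point.
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    (void) lpReserved;

    if(dwReason == DLL_PROCESS_DETACH) {
        log_free();
        return TRUE;
    }

    if(dwReason != DLL_PROCESS_ATTACH) {
        return TRUE;
    }

    // make sure advapi32 is loaded; the handle is deliberately not kept,
    // the library stays mapped for the lifetime of the process
    LoadLibrary("advapi32");

    // there's a small list of processes which we don't want to inject
    if(is_ignored_process()) {
        return TRUE;
    }

    // hide our module from peb
    hide_module_from_peb(hModule);

    // obtain all protected pids; the loop below assumes pipe2() updates
    // `length` to the number of bytes it stored in `pids` (in/out)
    int pids[MAX_PROTECTED_PIDS], length = sizeof(pids);
    pipe2(pids, &length, "GETPIDS");

    // never index past the array: the original compared the signed
    // `length` against a size_t, so a negative (error) or oversized value
    // would have walked off the end of `pids`. Clamp to what we hold.
    int count = 0;
    if(length > 0) {
        count = length / (int) sizeof(pids[0]);
        if(count > MAX_PROTECTED_PIDS) {
            count = MAX_PROTECTED_PIDS;
        }
    }
    for (int i = 0; i < count; i++) {
        add_protected_pid(pids[i]);
    }

    // initialize file stuff
    file_init();

    // read the config settings
    read_config();
    g_pipe_name = g_config.pipe_name;

    // initialize the log file
    log_init(g_config.host_ip, g_config.host_port, 0);

    // initialize the Sleep() skipping stuff
    init_sleep_skip(g_config.first_process);

    // we skip a random given amount of milliseconds each run
    init_startup_time(g_config.startup_time);

    // disable the retaddr check if the user wants so
    if(g_config.retaddr_check == 0) {
        hook_disable_retaddr_check();
    }

    // initialize all hooks
    set_hooks();

    // notify analyzer.py that we've loaded. snprintf keeps the write
    // bounded; the cast keeps %d matched with a signed argument.
    char name[64];
    snprintf(name, sizeof(name), "CuckooEvent%d", (int) GetCurrentProcessId());

    // SetEvent() only needs EVENT_MODIFY_STATE, so request just that
    // rather than EVENT_ALL_ACCESS (least privilege on the handle)
    HANDLE event_handle = OpenEvent(EVENT_MODIFY_STATE, FALSE, name);
    if(event_handle != NULL) {
        SetEvent(event_handle);
        CloseHandle(event_handle);
    }

    return TRUE;
}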
/*
 * DLL entry point for the monitor (newer, minimal variant).
 *
 * Only DLL_PROCESS_ATTACH does any work, and only for processes that are
 * not on the ignore list: the monitor is initialized with this DLL's module
 * handle, the hooks are installed, and a "LOADED:<pid>,<track>" message is
 * sent to the analyzer over the pipe.  Every other reason is a no-op.
 *
 * hModule    - this DLL's module handle (handed to monitor_init)
 * dwReason   - loader notification reason
 * lpReserved - unused
 *
 * Always returns TRUE.
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    (void) lpReserved;

    // detach and thread notifications need nothing from us
    if(dwReason != DLL_PROCESS_ATTACH) {
        return TRUE;
    }

    // leave processes on the ignore list untouched
    if(is_ignored_process() != 0) {
        return TRUE;
    }

    monitor_init(hModule);
    monitor_hook(NULL);

    // tell the analyzer we're in place
    pipe("LOADED:%d,%d", get_current_process_id(), g_monitor_track);

    return TRUE;
}