From a354f43711f3b78b899309e2e9ac7edfe89125d0 Mon Sep 17 00:00:00 2001 From: Brad Spengler Date: Wed, 27 Jan 2016 10:03:49 -0500 Subject: [PATCH] Add a few more hooks to eliminate noise --- cuckoomon.c | 5 +++++ hook_crypto.c | 28 +++++++++++++++++++++++++++- hook_misc.c | 9 +++++++++ hooks.h | 24 ++++++++++++++++++++++++ 4 files changed, 65 insertions(+), 1 deletion(-) diff --git a/cuckoomon.c b/cuckoomon.c index fee2161..206039c 100644 --- a/cuckoomon.c +++ b/cuckoomon.c @@ -375,6 +375,7 @@ static hook_t g_hooks[] = { HOOK(imgutil, DecodeImage), HOOK(advapi32, LsaOpenPolicy), HOOK(mpr, WNetGetProviderNameW), + HOOK(rasapi32, RasValidateEntryNameW), // // Network Hooks @@ -520,6 +521,8 @@ static hook_t g_hooks[] = { HOOK(advapi32, CryptExportKey), HOOK(advapi32, CryptGenKey), HOOK(advapi32, CryptCreateHash), + HOOK(advapi32, CryptEnumProvidersA), + HOOK(advapi32, CryptEnumProvidersW), HOOK(wintrust, HTTPSCertificateTrust), HOOK(wintrust, HTTPSFinalProv), @@ -544,6 +547,8 @@ static hook_t g_hooks[] = { HOOK(cryptsp, CryptExportKey), HOOK(cryptsp, CryptGenKey), HOOK(cryptsp, CryptCreateHash), + HOOK(cryptsp, CryptEnumProvidersA), + HOOK(cryptsp, CryptEnumProvidersW), }; void set_hooks_dll(const wchar_t *library) diff --git a/hook_crypto.c b/hook_crypto.c index d7b97ac..f2a13c0 100644 --- a/hook_crypto.c +++ b/hook_crypto.c 
@@ -324,4 +324,30 @@ HOOKDEF(BOOL, WINAPI, CryptImportPublicKeyInfo, BOOL ret = Old_CryptImportPublicKeyInfo(hCryptProv, dwCertEncodingType, pInfo, phKey); LOQ_bool("crypto", "hsb", "CertEncodingType", dwCertEncodingType, "AlgOID", pInfo->Algorithm.pszObjId, "Blob", pInfo->PublicKey.cbData, pInfo->PublicKey.pbData); return ret; -} \ No newline at end of file +} + +HOOKDEF(BOOL, WINAPI, CryptEnumProvidersA, + _In_ DWORD dwIndex, + _In_ DWORD *pdwReserved, + _In_ DWORD dwFlags, + _Out_ DWORD *pdwProvType, + _Out_ LPSTR pszProvName, + _Inout_ DWORD *pcbProvName +) { + BOOL ret = Old_CryptEnumProvidersA(dwIndex, pdwReserved, dwFlags, pdwProvType, pszProvName, pcbProvName); + LOQ_bool("crypto", "is", "Index", dwIndex, "ProviderName", pszProvName); + return ret; +} + +HOOKDEF(BOOL, WINAPI, CryptEnumProvidersW, + _In_ DWORD dwIndex, + _In_ DWORD *pdwReserved, + _In_ DWORD dwFlags, + _Out_ DWORD *pdwProvType, + _Out_ LPWSTR pszProvName, + _Inout_ DWORD *pcbProvName +) { + BOOL ret = Old_CryptEnumProvidersW(dwIndex, pdwReserved, dwFlags, pdwProvType, pszProvName, pcbProvName); + LOQ_bool("crypto", "iu", "Index", dwIndex, "ProviderName", pszProvName); + return ret; +} diff --git a/hook_misc.c b/hook_misc.c index 8d1a03a..bef0014 100644 --- a/hook_misc.c +++ b/hook_misc.c @@ -800,3 +800,12 @@ HOOKDEF(DWORD, WINAPI, WNetGetProviderNameW, return ret; } + +HOOKDEF(DWORD, WINAPI, RasValidateEntryNameW, + _In_ LPCWSTR lpszPhonebook, + _In_ LPCWSTR lpszEntry +) { + DWORD ret = Old_RasValidateEntryNameW(lpszPhonebook, lpszEntry); + LOQ_zero("misc", "uu", "Phonebook", lpszPhonebook, "Entry", lpszEntry); + return ret; +} diff --git a/hooks.h b/hooks.h index e226d70..5cfcad0 100644 --- a/hooks.h +++ b/hooks.h 
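Review bot: In the new CryptEnumProvidersA hook, `pszProvName` is handed to `LOQ_bool` unconditionally, but under the CryptEnumProviders contract the caller may pass a NULL buffer to query the required size in `pcbProvName`, and when `Old_CryptEnumProvidersA` returns FALSE the buffer has not been written at all. The log line therefore formats either a NULL string or whatever the caller left in the buffer; the CryptEnumProvidersW hook right below has the same shape. Unless the logger is known to tolerate a NULL `s`/`u` argument, guarding the value is cheap: `LOQ_bool("crypto", "is", "Index", dwIndex, "ProviderName", (ret && pszProvName) ? pszProvName : "");` (with `L""` in the W variant). Note that a FALSE return with an index one past the last provider is how callers normally end an enumeration loop, so the failure path is reached on every full enumeration, not only on error.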
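Review bot: In the RasValidateEntryNameW hook, `lpszPhonebook` is passed straight to `LOQ_zero` with the `u` format, yet that argument is optional in the RAS API (NULL selects the default phonebook), so a NULL wide string reaches the logger in an ordinary call. The surrounding hooks in hook_misc.c are outside the hunk, so I cannot tell from here whether `u` already special-cases NULL; if it does, a one-line comment would save the next reader the same check, e.g. `// lpszPhonebook may be NULL (default phonebook); the logger tolerates it`. If it does not, substitute `L""` when the pointer is NULL before logging.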
@@ -1170,6 +1170,11 @@ extern HOOKDEF(NTSTATUS, WINAPI, RtlCreateUserThread, // Misc Hooks // +extern HOOKDEF(DWORD, WINAPI, RasValidateEntryNameW, + _In_ LPCWSTR lpszPhonebook, + _In_ LPCWSTR lpszEntry +); + extern HOOKDEF(void, WINAPI, GetSystemInfo, __out LPSYSTEM_INFO lpSystemInfo ); @@ -2287,6 +2292,25 @@ extern HOOKDEF(BOOL, WINAPI, CryptCreateHash, _Out_ HCRYPTHASH *phHash ); +extern HOOKDEF(BOOL, WINAPI, CryptEnumProvidersA, + _In_ DWORD dwIndex, + _In_ DWORD *pdwReserved, + _In_ DWORD dwFlags, + _Out_ DWORD *pdwProvType, + _Out_ LPSTR pszProvName, + _Inout_ DWORD *pcbProvName +); + +extern HOOKDEF(BOOL, WINAPI, CryptEnumProvidersW, + _In_ DWORD dwIndex, + _In_ DWORD *pdwReserved, + _In_ DWORD dwFlags, + _Out_ DWORD *pdwProvType, + _Out_ LPWSTR pszProvName, + _Inout_ DWORD *pcbProvName +); + + extern HOOKDEF(HRESULT, WINAPI, HTTPSCertificateTrust, PVOID data // PCRYPT_PROVIDER_DATA );
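Review bot: The second hunk adds two consecutive blank lines ahead of the `HTTPSCertificateTrust` declaration, which breaks the single-blank-line spacing the rest of this header section uses between prototypes; drop one of them. As a smaller point, `pdwReserved` is annotated `_In_` in both CryptEnumProviders prototypes although it is a reserved parameter that callers must pass as NULL; the SAL annotation for that is `_Reserved_`, and matching it keeps the prototypes consistent with the Windows header they mirror (the same applies to the definitions in hook_crypto.c).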