Add a hook for GetVolumeInformationByHandleW (called by GetVolumeInfo…

…rmation[A/W]) to allow us to fake the serial number used by Milicenso to key itself to a particular machine (via the serial= option)
spender-sandbox · Oct 19, 2015 · df13fa7 · df13fa7
1 parent e27a28b
commit df13fa7
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 4 deletions.
diff --git a/config.c b/config.c
@@ -138,6 +138,9 @@ int read_config(void)
             else if(!strcmp(key, "force-sleepskip")) {
                 g_config.force_sleepskip = value[0] == '1';
             }
+			else if (!strcmp(key, "serial")) {
+				g_config.serial_number = (unsigned int)strtoul(value, NULL, 16);
+			}
 			else if (!strcmp(key, "full-logs")) {
 				g_config.full_logs = value[0] == '1';
 			}

diff --git a/config.h b/config.h
@@ -64,6 +64,9 @@ struct _g_config {
     // how many milliseconds since startup
     unsigned int startup_time;
 
+	// system volume serial number (for reproducing Milicenso)
+	unsigned int serial_number;
+
     // do we force sleep-skipping despite threads?
     int force_sleepskip;
 

diff --git a/cuckoomon.c b/cuckoomon.c
@@ -140,6 +140,7 @@ static hook_t g_hooks[] = {
     HOOK(kernel32, GetDiskFreeSpaceW),
 
 	HOOK(kernel32, GetVolumeNameForVolumeMountPointW),
+	HOOK(kernel32, GetVolumeInformationByHandleW),
 
 	HOOK(shell32, SHGetFolderPathW),
 	HOOK(shell32, SHGetFileInfoW),

diff --git a/cuckoomon.vcxproj b/cuckoomon.vcxproj
@@ -382,7 +382,6 @@
     <ClInclude Include="config.h" />
     <ClInclude Include="distorm3.2-package\include\distorm.h" />
     <ClInclude Include="distorm3.2-package\include\mnemonics.h" />
-    <ClInclude Include="distorm3.2-package\src\config.h" />
     <ClInclude Include="distorm3.2-package\src\decoder.h" />
     <ClInclude Include="distorm3.2-package\src\instructions.h" />
     <ClInclude Include="distorm3.2-package\src\insts.h" />

diff --git a/cuckoomon.vcxproj.filters b/cuckoomon.vcxproj.filters
@@ -257,9 +257,6 @@
     <ClInclude Include="distorm3.2-package\include\mnemonics.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="distorm3.2-package\src\config.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="distorm3.2-package\src\decoder.h">
       <Filter>Header Files</Filter>
     </ClInclude>

diff --git a/hook_file.c b/hook_file.c
@@ -963,6 +963,28 @@ HOOKDEF(BOOL, WINAPI, GetVolumeNameForVolumeMountPointW,
 	return ret;
 }
 
+HOOKDEF(BOOL, WINAPI, GetVolumeInformationByHandleW,
+	_In_      HANDLE  hFile,
+	_Out_opt_ LPWSTR  lpVolumeNameBuffer,
+	_In_      DWORD   nVolumeNameSize,
+	_Out_opt_ LPDWORD lpVolumeSerialNumber,
+	_Out_opt_ LPDWORD
+	lpMaximumComponentLength,
+	_Out_opt_ LPDWORD lpFileSystemFlags,
+	_Out_opt_ LPWSTR  lpFileSystemNameBuffer,
+	_In_      DWORD   nFileSystemNameSize
+) {
+	BOOL ret = Old_GetVolumeInformationByHandleW(hFile, lpVolumeNameBuffer, nVolumeNameSize, lpVolumeSerialNumber,
+		lpMaximumComponentLength, lpFileSystemFlags, lpFileSystemNameBuffer, nFileSystemNameSize);
+
+	if (ret && lpVolumeSerialNumber && g_config.serial_number)
+		*lpVolumeSerialNumber = g_config.serial_number;
+
+	LOQ_bool("filesystem", "uH", "VolumeName", lpVolumeNameBuffer, "VolumeSerial", lpVolumeSerialNumber);
+
+	return ret;
+}
+
 HOOKDEF(HRESULT, WINAPI, SHGetFolderPathW,
 	_In_ HWND hwndOwner,
 	_In_ int nFolder,

diff --git a/hooks.h b/hooks.h
@@ -309,6 +309,18 @@ extern HOOKDEF(HANDLE, WINAPI, FindFirstChangeNotificationW,
 	_In_	DWORD dwNotifyFilter
 );
 
+extern HOOKDEF(BOOL, WINAPI, GetVolumeInformationByHandleW,
+	_In_      HANDLE  hFile,
+	_Out_opt_ LPWSTR  lpVolumeNameBuffer,
+	_In_      DWORD   nVolumeNameSize,
+	_Out_opt_ LPDWORD lpVolumeSerialNumber,
+	_Out_opt_ LPDWORD
+	lpMaximumComponentLength,
+	_Out_opt_ LPDWORD lpFileSystemFlags,
+	_Out_opt_ LPWSTR  lpFileSystemNameBuffer,
+	_In_      DWORD   nFileSystemNameSize
+);
+
 //
 // Registry Hooks
 //