Add option to disable hooking of specific APIs or DLLs:

excluded-apis=apiname1:apiname2:apinamen
exluded-dlls=dllname1:dllname2:dllnamen
Add another rasman API
clean up the config code by adding an ascii to unicode helper

config.c

@@ -60,7 +60,8 @@ int read_config(void)
         // split key=value
         p = strchr(buf, '=');
         if(p != NULL) {
-			const char *key = buf, *value = p + 1;
+			const char *key = buf;
+			char *value = p + 1;
 
 			*p = 0;
 			vallen = (unsigned int)strlen(value);
@@ -84,37 +85,23 @@ int read_config(void)
 					if (value[1] == ':') {
 						// is a file
 						char *tmp = calloc(1, MAX_PATH);
-						wchar_t *utmp = calloc(1, MAX_PATH * sizeof(wchar_t));
-						unsigned int full_len;
 
 						ensure_absolute_ascii_path(tmp, value);
-						full_len = (unsigned int)strlen(tmp);
-						for (i = 0; i < full_len; i++)
-							utmp[i] = (wchar_t)(unsigned short)tmp[i];
+						g_config.file_of_interest = ascii_to_unicode_dup(tmp);
 						free(tmp);
-
-						g_config.file_of_interest = utmp;
 						// if the file of interest is our own executable, then don't do any special handling
-						if (wcsicmp(our_process_path, utmp))
+						if (wcsicmp(our_process_path, g_config.file_of_interest))
 							g_config.suspend_logging = TRUE;
 					}
 					else {
 						// is a URL
-						unsigned int url_len = (unsigned int)strlen(value);
-						wchar_t *utmp = calloc(1, (url_len + 1) * sizeof(wchar_t));
-						for (i = 0; i < url_len; i++)
-							utmp[i] = (wchar_t)(unsigned short)value[i];
-						g_config.url_of_interest = utmp;
+						g_config.url_of_interest = ascii_to_unicode_dup(value);
 						g_config.suspend_logging = TRUE;
 					}
 				}
 			}
 			else if (!strcmp(key, "referrer")) {
-				unsigned int ref_len = (unsigned int)strlen(value);
-				wchar_t *rtmp = calloc(1, (ref_len + 1) * sizeof(wchar_t));
-				for (i = 0; i < ref_len; i++)
-					rtmp[i] = (wchar_t)(unsigned short)value[i];
-				g_config.w_referrer = rtmp;
+				g_config.w_referrer = ascii_to_unicode_dup(value);
 				g_config.referrer = strdup(value);
 			}
 			else if (!strcmp(key, "analyzer")) {
@@ -197,6 +184,36 @@ int read_config(void)
 			else if (!strcmp(key, "large-buffer-max")) {
 				large_buffer_log_max = (unsigned int)strtoul(value, NULL, 10);
 			}
+			else if (!strcmp(key, "exclude-apis")) {
+				unsigned int x = 0;
+				char *p2;
+				p = value;
+				while (p && x < EXCLUSION_MAX) {
+					p2 = strchr(p, ':');
+					if (p2) {
+						*p2 = '\0';
+					}
+					g_config.excluded_apinames[x] = strdup(p);
+					if (p2 == NULL)
+						break;
+					p = p2 + 1;
+				}
+			}
+			else if (!strcmp(key, "exclude-dlls")) {
+				unsigned int x = 0;
+				char *p2;
+				p = value;
+				while (p && x < EXCLUSION_MAX) {
+					p2 = strchr(p, ':');
+					if (p2) {
+						*p2 = '\0';
+					}
+					g_config.excluded_dllnames[x] = ascii_to_unicode_dup(p);
+					if (p2 == NULL)
+						break;
+					p = p2 + 1;
+				}
+			}
 		}
     }
 

config.h

@@ -19,6 +19,8 @@ You should have received a copy of the GNU General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#define EXCLUSION_MAX 128
+
 struct _g_config {
     // name of the pipe to communicate with cuckoo
     wchar_t pipe_name[MAX_PATH];
@@ -99,6 +101,9 @@ struct _g_config {
     //unsigned short host_port;
 
 	BOOLEAN suspend_logging;
+
+	char *excluded_apinames[EXCLUSION_MAX];
+	wchar_t *excluded_dllnames[EXCLUSION_MAX];
 };
 
 extern struct _g_config g_config;

cuckoomon.c

@@ -376,11 +376,11 @@ static hook_t g_hooks[] = {
 	HOOK(advapi32, LsaOpenPolicy),
 	HOOK(mpr, WNetGetProviderNameW),
 	HOOK(rasapi32, RasValidateEntryNameW),
+	HOOK(rasapi32, RasConnectionNotificationW),
 
 	//
     // Network Hooks
     //
-
 
 	HOOK(netapi32, NetUserGetInfo),
 	HOOK(netapi32, NetGetJoinInformation),

hook_misc.c

@@ -809,3 +809,13 @@ HOOKDEF(DWORD, WINAPI, RasValidateEntryNameW,
 	LOQ_zero("misc", "uu", "Phonebook", lpszPhonebook, "Entry", lpszEntry);
 	return ret;
 }
+
+HOOKDEF(DWORD, WINAPI, RasConnectionNotificationW,
+	_In_ PVOID hrasconn,
+	_In_ HANDLE   hEvent,
+	_In_ DWORD    dwFlags
+) {
+	DWORD ret = Old_RasConnectionNotificationW(hrasconn, hEvent, dwFlags);
+	LOQ_zero("misc", "");
+	return ret;
+}

hooking.c

@@ -59,6 +59,26 @@ static int set_caller_info(void *unused, ULONG_PTR addr)
 	return 0;
 }
 
+int hook_is_excluded(hook_t *h)
+{
+	unsigned int i;
+
+	for (i = 0; i < ARRAYSIZE(g_config.excluded_apinames); i++) {
+		if (!g_config.excluded_apinames[i])
+			break;
+		if (!stricmp(h->funcname, g_config.excluded_apinames[i]))
+			return 1;
+	}
+	for (i = 0; i < ARRAYSIZE(g_config.excluded_dllnames); i++) {
+		if (!g_config.excluded_dllnames[i])
+			break;
+		if (!wcsicmp(h->library, g_config.excluded_dllnames[i]))
+			return 1;
+	}
+
+	return 0;
+}
+
 int addr_in_our_dll_range(void *unused, ULONG_PTR addr)
 {
 	if (addr >= g_our_dll_base && addr < (g_our_dll_base + g_our_dll_size))

hooking.h

@@ -207,6 +207,8 @@ static __inline ULONG_PTR get_stack_bottom(void)
 #endif
 }
 
+extern int hook_is_excluded(hook_t *h);
+
 #define HOOKDEF(return_value, calling_convention, apiname, ...) \
     return_value (calling_convention *Old_##apiname)(__VA_ARGS__); \
     return_value calling_convention New_##apiname(__VA_ARGS__)

hooking_32.c

@@ -634,10 +634,13 @@ int hook_api(hook_t *h, int type)
 	};
 
     // is this address already hooked?
-    if(h->is_hooked != 0) {
+    if (h->is_hooked != 0) {
         return 0;
     }
 
+	if (hook_is_excluded(h))
+		return 0;
+
     // resolve the address to hook
     addr = h->addr;
 

hooking_64.c

@@ -859,6 +859,9 @@ int hook_api(hook_t *h, int type)
 		return 0;
 	}
 
+	if (hook_is_excluded(h))
+		return 0;
+
 	// resolve the address to hook
 	addr = h->addr;
 

hooks.h

@@ -1175,6 +1175,14 @@ extern HOOKDEF(DWORD, WINAPI, RasValidateEntryNameW,
 	_In_ LPCWSTR lpszEntry
 );
 
+extern HOOKDEF(DWORD, WINAPI, RasConnectionNotificationW,
+	_In_ PVOID hrasconn,
+	_In_ HANDLE   hEvent,
+	_In_ DWORD    dwFlags
+);
+
+
+
 extern HOOKDEF(void, WINAPI, GetSystemInfo,
 	__out LPSYSTEM_INFO lpSystemInfo
 );

misc.c

@@ -114,6 +114,16 @@ void addr_to_string(const IN_ADDR addr, char *string)
 	num_to_string(string+strlen(string), 4, chunk[3]);
 }
 
+wchar_t *ascii_to_unicode_dup(char *str)
+{
+	unsigned int len = (unsigned int)strlen(str);
+	unsigned int i;
+	wchar_t *rtmp = calloc(1, (len + 1) * sizeof(wchar_t));
+	for (i = 0; i < len; i++)
+		rtmp[i] = (wchar_t)(unsigned short)str[i];
+	return rtmp;
+}
+
 int is_stack_pivoted(void)
 {
 	hook_info_t *hookinfo = hook_info();

misc.h

@@ -184,6 +184,8 @@ PUNICODE_STRING get_basename_of_module(HMODULE module_handle);
 
 void perform_create_time_fakery(FILETIME *createtime);
 
+wchar_t *ascii_to_unicode_dup(char *str);
+
 int is_stack_pivoted(void);
 
 LONG WINAPI cuckoomon_exception_handler(__in struct _EXCEPTION_POINTERS *ExceptionInfo);