kevoreilly / capemon

capemon: CAPE's monitor
GNU General Public License v3.0

CoCreateInstance(Ex) hook improvements #62

Closed heck-gd closed 1 year ago

heck-gd commented 1 year ago

I changed the hooks so that they compare against named IID constants rather than strings where it isn't clear what the specific GUID represents. I've extracted the code into a function so that it isn't duplicated across both hooks.

I also re-enabled TASKSCHED and BITS for x64 as discussed in #60, since I assume any problems with maldocs would have been caused by either INTEROP or WMI.

Finally, I added a missing GUID for an older Task Scheduler interface that some malware families use.

kevoreilly commented 1 year ago

It looks really nice - I am very grateful to see the new constant comparison, much more beautiful. Is there another header file to add which is in the code - initguid.h?

I tested re-enabling all the messages for x64 as discussed in #60 and haven't found any maldoc issues yet, I'll keep testing but in the meantime I'm happy with TASKSCHED and BITS here.

heck-gd commented 1 year ago

> Is there another header file to add which is in the code - initguid.h?

This is typically a standard Windows SDK header. Were you facing any compilation errors? I was only able to test with SDK 10.0.18362 and Toolset v143 since I don't have older versions installed, but I don't think this header was a recent addition to the SDK.
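
The two mechanisms this thread turns on, `initguid.h` turning `DEFINE_GUID` declarations into definitions and a single helper that compares `REFCLSID`/`REFIID` arguments against named constants for both `CoCreateInstance` hooks, as an added example that is not capemon's code. It reproduces the SDK's `DEFINE_GUID` behaviour without `windows.h` so it builds on any platform; the hook function names, the category enum and the lookup table are assumptions made for illustration, and the GUID values are the ones published in the Windows SDK headers (`guiddef.h`, `taskschd.h`, `mstask.h`, `bits.h`).

```c
/* Added example, not capemon's own code: emulates initguid.h / DEFINE_GUID
 * and a shared "compare against named constants" classifier. Hook names,
 * enum and table are hypothetical; GUID values are the Windows SDK ones. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} GUID;

/* guiddef.h expands DEFINE_GUID to an extern declaration unless INITGUID is
 * defined, which is all initguid.h does. Include <initguid.h> from exactly
 * one .c file, before the SDK headers carrying the DEFINE_GUID lines;
 * otherwise the linker reports unresolved or duplicate symbols. */
#define INITGUID   /* stands in for #include <initguid.h> in this example */
#ifdef INITGUID
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
    const GUID name = { l, w1, w2, { b1, b2, b3, b4, b5, b6, b7, b8 } }
#else
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
    extern const GUID name
#endif

DEFINE_GUID(IID_IUnknown, 0x00000000, 0x0000, 0x0000,
            0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46);
/* Task Scheduler 2.0 coclass (taskschd.h) */
DEFINE_GUID(CLSID_TaskScheduler, 0x0f87369f, 0xa4e5, 0x4cfc,
            0xbd, 0x3e, 0x73, 0xe6, 0x15, 0x45, 0x72, 0xdd);
/* Legacy Task Scheduler 1.0 interface (mstask.h) */
DEFINE_GUID(IID_ITaskScheduler, 0x148bd527, 0xa2ab, 0x11ce,
            0xb1, 0x1f, 0x00, 0xaa, 0x00, 0x53, 0x05, 0x03);
/* BITS coclass (bits.h) */
DEFINE_GUID(CLSID_BackgroundCopyManager, 0x4991d34b, 0x80a1, 0x4291,
            0x83, 0xb6, 0x33, 0x28, 0x36, 0x6b, 0x90, 0x97);

int IsEqualGUID(const GUID *a, const GUID *b)
{
    return memcmp(a, b, sizeof(GUID)) == 0;   /* GUID has no padding */
}

/* Parse "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" (braces optional, any case).
 * Returns 1 on success, 0 on malformed input. */
int guid_from_string(const char *s, GUID *out)
{
    unsigned int d1; unsigned short d2, d3; unsigned char b[8];
    if (*s == '{') s++;
    if (sscanf(s, "%8x-%4hx-%4hx-%2hhx%2hhx-%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx",
               &d1, &d2, &d3, &b[0], &b[1], &b[2], &b[3],
               &b[4], &b[5], &b[6], &b[7]) != 11)
        return 0;
    out->Data1 = d1; out->Data2 = d2; out->Data3 = d3;
    memcpy(out->Data4, b, 8);
    return 1;
}

/* 1 if the string form (whatever its case) denotes the same GUID as g. */
int guid_string_matches(const char *s, const GUID *g)
{
    GUID parsed;
    return guid_from_string(s, &parsed) && IsEqualGUID(&parsed, g);
}

void guid_to_string(const GUID *g, char *buf, size_t n)
{
    snprintf(buf, n, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
             (unsigned)g->Data1, (unsigned)g->Data2, (unsigned)g->Data3,
             g->Data4[0], g->Data4[1], g->Data4[2], g->Data4[3],
             g->Data4[4], g->Data4[5], g->Data4[6], g->Data4[7]);
}

typedef enum { COM_OTHER = 0, COM_TASKSCHED, COM_BITS } com_category;

static const struct { const GUID *guid; com_category cat; const char *name; } known[] = {
    { &CLSID_TaskScheduler,         COM_TASKSCHED, "CLSID_TaskScheduler" },
    { &IID_ITaskScheduler,          COM_TASKSCHED, "IID_ITaskScheduler" },
    { &CLSID_BackgroundCopyManager, COM_BITS,      "CLSID_BackgroundCopyManager" },
};

/* The single function both hooks share: binary compare against the named
 * constants, so no string formatting or case-sensitivity surprises. */
com_category classify_com_object(const GUID *rclsid, const char **name)
{
    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (IsEqualGUID(rclsid, known[i].guid)) {
            if (name) *name = known[i].name;
            return known[i].cat;
        }
    if (name) *name = NULL;
    return COM_OTHER;
}

/* Hypothetical hook bodies: both defer to the shared classifier. */
com_category hook_CoCreateInstance(const GUID *rclsid, const GUID *riid)
{
    const char *name; char buf[40];
    com_category cat = classify_com_object(rclsid, &name);
    guid_to_string(rclsid, buf, sizeof buf);
    printf("CoCreateInstance clsid=%s (%s) riid=%s\n", buf, name ? name : "unknown",
           IsEqualGUID(riid, &IID_IUnknown) ? "IID_IUnknown" : "other");
    return cat;
}

com_category hook_CoCreateInstanceEx(const GUID *rclsid)
{
    const char *name; char buf[40];
    com_category cat = classify_com_object(rclsid, &name);
    guid_to_string(rclsid, buf, sizeof buf);
    printf("CoCreateInstanceEx clsid=%s (%s)\n", buf, name ? name : "unknown");
    return cat;
}

int main(void)
{
    GUID g;
    /* constructed input: the Task Scheduler 2.0 CLSID in lowercase string form */
    if (guid_from_string("{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}", &g))
        hook_CoCreateInstance(&g, &IID_IUnknown);
    hook_CoCreateInstanceEx(&IID_ITaskScheduler);
    return 0;
}
```

The `#ifdef INITGUID` split is the whole reason the include order matters in the real build: with the SDK, `initguid.h` must come before the headers that `DEFINE_GUID` the constants you compare against, and in only one translation unit.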

kevoreilly commented 1 year ago

I hadn't tried compiling when I wrote that - I just compiled now without problem.

It was the use of double quotes in the include that threw me. I am used to using angled brackets to designate sdk header files and as far as I can tell this convention has been followed throughout capemon. So if you don't mind I will move this include to the top and switch it to using angled brackets, e.g.:

#include <stdio.h>
#include <initguid.h>
#include "ntapi.h"
#include "hooking.h"
#include "log.h"
#include "pipe.h"
#include "hook_sleep.h"
#include "misc.h"
#include "config.h"
#include "CAPE\CAPE.h"

heck-gd commented 1 year ago

My bad, I wasn't paying attention when I added the header. Changed it.

heck-gd commented 1 year ago

@kevoreilly Any verdict on this? A merge would be much appreciated so I can get rid of my custom locally built DLLs :smile:

kevoreilly commented 1 year ago

Yes sorry for the delay - I have had to do a lot of testing and have been on leave.

Thanks for this contribution, it's very much appreciated.