Hook CreateFile by pydbg

For malware analysis , file access is an important factor to understand what malware do. Therefore in this article, I write a small program that can hook windows createfile API.

TOOL

 I use pydbg to develop this program. pydbg is an subproject of paimei which is a well-known reverse engineering tool.

https://github.com/OpenRCE/pydbg/

https://github.com/OpenRCE/paimei/

It is not easy to install pydbg. During installing pydbg, I have encountered following error, and there are some articles solve those problems.

1.      pydasm not found

        Because pydbg need a decompiler, so we need to install pydasm first. Pydasm source can be found here. https://code.google.com/p/libdasm/. Then remove pydasm.pyd in pydbg source.

2.      unable to find vcvarsall.bat

This is due to lower version of VS compiler. We can solve this problem by install higher version of VS or use mingw instead.

http://sourceforge.net/projects/mingw/

3.  gcc: error: unrecognized command line option '-mno-cygwin'

   Option '-mno-cygwin' has been removed in gcc options.So we just remove '-mno-cygwin' in ‘distutils\cygwinccompiler.py’

http://stackoverflow.com/questions/6034390/compiling-with-cython-and-mingw-produces-gcc-error-unrecognized-command-line-o

http://code.google.com/p/malware-analysis/wiki/Installation

http://netsec.ccert.edu.cn/bobo/2012/06/12/%E5%AE%89%E8%A3%85pydbg-pydasm/

http://www.diybl.com/course/3_program/python/20110829/559096.html

program review

Due to dynamic link of createfile API, we cannot resolve address of createfile at program start. Therefore we need to hook createfile API once kernel32.dll loaded.

We write a call back function load_dll () which is triggered when dll load. And we use dbg.set_callback(LOAD_DLL_DEBUG_EVENT, load_dll) to register callback of DLL loading. In function load_dll (), we should check if kernel32.dll was loaded and hook createfile API(CreateFileW) .

file_hook.py

from pydbg import *

from pydbg.defines import *

import utils

import sys

import os

from ctypes import *

is_hook = 0

def FileCreateHook( dbg, args ):

    buffer  = ""

    offset  = 0

    while 1:

        byte = dbg.read_process_memory( args[0] + offset, 2 )

        if not ( ord(byte[0])==0 and ord(byte[1])==0) :

            buffer  += byte

            offset  += 2

            continue

        else:

            break

    print unicode(buffer,"utf-16")

    return DBG_CONTINUE

########################################################################################################################

def load_dll (pydbg):

    last_dll = pydbg.system_dlls[-1]

    print "loading:%s into:%08x size:%d" % (last_dll.name, last_dll.base, last_dll.size)

    global is_hook

    if is_hook==0 :

        

        global hooks   

        hooks = utils.hook_container()

        hook_address  = pydbg.func_resolve_debuggee("kernel32.dll","CreateFileW")

        print hook_address

        if hook_address:

            res = hooks.add( pydbg, hook_address, 7, FileCreateHook, None)

            is_hook =1

            print res

            print "[*] CreateFileW hooked at: 0x%08x" % hook_address

        else:

            print "[*] Error: Couldn't resolve hook address."

    return DBG_CONTINUE

dbg = pydbg()

dbg.set_callback(LOAD_DLL_DEBUG_EVENT, load_dll)

dbg.load(sys.argv[1])

is_hook =0

hooks=None

dbg.debug_event_loop()

reference

http://hi.baidu.com/fandango/item/f0b88f92a4bcb518934f4140

http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx

http://www.openrce.org/forums/posts/760

http://paimei.googlecode.com/svn-history/r7/prototype_data_flow_tracker.py