Hey, can someone please show me how I can write the output of OnCreateFile to a GUI? I thought the GUI would have to be declared at the bottom in the Main function, so how do I then refer to it from within OnCreateFile?
using System;
using System.Collections.Generic;
using System.Runtime.Remoting;
using System.Text;
using System.Diagnostics;
using System.IO;
using EasyHook;
using System.Drawing;
using System.Windows.Forms;
namespace FileMon
{
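public class FileMonInterface : MarshalByRefObject
{
    // Each entry in InFileNames is "<operation>\t<client pid>\t<hive or path>".
    // NOTE(review): inferred from the indexing the callback performs; confirm against
    // the injected side (FileMonInject.dll), which is not part of this file.
    private const int MinFieldCount = 2;

    public void IsInstalled(Int32 InClientPID)
    {
        //Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
    }

    /// <summary>
    /// IPC callback invoked by an injected process with a batch of intercepted
    /// operations. "ROpen" lines are shown in the GUI, "RQuery" and "RDelete" lines
    /// are written to the console, "FCreate" lines are ignored (as before).
    /// </summary>
    /// <param name="InClientPID">PID of the process that sent the batch.</param>
    /// <param name="InFileNames">Tab-separated entries; see <see cref="MinFieldCount"/>.</param>
    /// <remarks>
    /// The entries come over IPC from a hooked process, so they are treated as
    /// untrusted: field count and the PID field are validated and a malformed entry
    /// is reported and skipped instead of throwing out of the server callback
    /// (the old int.Parse calls would abort the whole batch on the first bad entry,
    /// and the "RDelete" branch parsed s[0] — the operation name — as the PID, so it
    /// always threw).
    /// </remarks>
    public void OnCreateFile(Int32 InClientPID, String[] InFileNames)
    {
        if (InFileNames == null)
        {
            return;
        }

        foreach (String entry in InFileNames)
        {
            if (entry == null)
            {
                continue;
            }

            String[] s = entry.Split('\t');
            int pid;
            if (s.Length < MinFieldCount || !int.TryParse(s[1], out pid))
            {
                // Untrusted input that does not match the expected layout: note it and move on.
                Console.Error.WriteLine("FileMon: ignoring malformed entry from client {0}: {1}", InClientPID, entry);
                continue;
            }

            String hive = s.Length > 2 ? s[2] : "";
            String line = FormatLine(s[0], pid, hive);

            if (s[0].Contains("ROpen"))
            {
                ShowInGui(line);
            }
            else if (s[0].Contains("RQuery") || s[0].Contains("RDelete"))
            {
                Console.WriteLine(line);
            }
            // "FCreate" entries are intentionally not reported (that branch was commented out).
        }
    }

    // Builds one log line: "<h>:<m>:<s>.<ms>\t<op>\t<process name>\t<hive>".
    // DateTime.Now is read once so the four components belong to the same instant.
    // The unpadded time format is kept for compatibility with the existing output;
    // use now.ToString("HH:mm:ss.fff") if zero-padded fields are preferred.
    private String FormatLine(String operation, int pid, String hive)
    {
        DateTime now = DateTime.Now;
        return now.Hour + ":" + now.Minute + ":" + now.Second + "." + now.Millisecond
            + "\t" + operation
            + "\t" + getProcessName(pid)
            + "\t" + getRootHive(hive);
    }

    // Hands a line to the monitor window. This callback does not run on the UI
    // thread (it is an IPC server call), so the call is marshalled with
    // BeginInvoke; if the window does not exist yet or is already closed, the line
    // goes to the console instead so nothing is lost.
    // NOTE(review): assumes Form1 is a System.Windows.Forms form with a method
    // enterText(String), which is how Program.ff is used here — confirm.
    private static void ShowInGui(String line)
    {
        Form1 form = Program.ff;
        if (form == null || form.IsDisposed)
        {
            Console.WriteLine(line);
            return;
        }

        if (form.InvokeRequired)
        {
            form.BeginInvoke(new Action<String>(form.enterText), line);
        }
        else
        {
            form.enterText(line);
        }
    }

    /// <summary>Reports an exception raised inside an injected process.</summary>
    public void ReportException(Exception InInfo)
    {
        Console.WriteLine("The target process has reported an error:\r\n" + InInfo.ToString());
    }

    /// <summary>Liveness probe used by the injected side; intentionally empty.</summary>
    public void Ping()
    {
    }

    /// <summary>
    /// Returns the name of the process with the given ID, or "" if no such process
    /// is running (or it exited before its name could be read).
    /// </summary>
    public String getProcessName(int ID)
    {
        try
        {
            // Process objects hold a handle; dispose the one we open.
            using (Process process = Process.GetProcessById(ID))
            {
                return process.ProcessName;
            }
        }
        catch (ArgumentException)
        {
            // No process with that ID.
            return "";
        }
        catch (InvalidOperationException)
        {
            // Process exited between lookup and reading its name.
            return "";
        }
    }

    /// <summary>
    /// Maps the numeric values of the predefined HKEY_* root handles to their names.
    /// Any other value, including null, is returned unchanged.
    /// </summary>
    public String getRootHive(String hKey)
    {
        switch (hKey)
        {
            case "2147483648": return "HKEY_CLASSES_ROOT";   // 0x80000000
            case "2147483649": return "HKEY_CURRENT_USER";   // 0x80000001
            case "2147483650": return "HKEY_LOCAL_MACHINE";  // 0x80000002
            case "2147483651": return "HKEY_USERS";          // 0x80000003
            case "2147483653": return "HKEY_CURRENT_CONFIG"; // 0x80000005
            default: return hKey;
        }
    }
}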
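class Program : System.Windows.Forms.Form
{
    static String ChannelName = null;

    // The monitor window. FileMonInterface.OnCreateFile writes its lines here from
    // IPC threads, so it must exist before the IPC server is created; previously it
    // was never assigned, so every callback hit a null reference.
    public static Form1 ff;

    Program() // ADD THIS CONSTRUCTOR
    {
        InitializeComponent();
    }

    /// <summary>
    /// Creates the GUI, registers the IPC server, injects the hook library into the
    /// running processes (best effort), then runs the WinForms message loop until
    /// the monitor window is closed.
    /// </summary>
    [STAThread]
    static void Main()
    {
        // Create the window before any callback can arrive.
        // NOTE(review): assumes Form1 has a parameterless (designer) constructor — confirm.
        ff = new Form1();

        try
        {
            Config.Register("A FileMon like demo application.", "FileMon.exe", "FileMonInject.dll");
            RemoteHooking.IpcCreateServer<FileMonInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);

            foreach (Process target in Process.GetProcesses())
            {
                // Each Process holds a handle; release it once we are done with it.
                using (target)
                {
                    try
                    {
                        RemoteHooking.Inject(target.Id, "FileMonInject.dll", "FileMonInject.dll", ChannelName);
                    }
                    catch (Exception e)
                    {
                        // Injection is best effort: protected/system processes are
                        // expected to refuse it. Record the failure instead of dropping
                        // it silently so a missing target can be diagnosed.
                        Console.Error.WriteLine("Could not inject into PID {0}: {1}", target.Id, e.Message);
                    }
                }
            }
        }
        catch (Exception ExtInfo)
        {
            Console.WriteLine("There was an error while connecting to target:\r\n{0}", ExtInfo.ToString());
        }

        // Pump messages on this (STA) thread; the form receives lines via
        // Control.BeginInvoke from the IPC threads. Returns when the form closes.
        Application.Run(ff);
    }
}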
}