📄 regsys.c
字号:
// again.
//
//----------------------------------------------------------------------
VOID RegmonFreeHashEntry( POBJECT object )
{
PHASH_ENTRY hashEntry, prevEntry;
MUTEX_WAIT( HashMutex );
//
// look-up the entry
//
hashEntry = HashTable[ HASHOBJECT( object ) ];
prevEntry = NULL;
while( hashEntry && hashEntry->Object != object ) {
prevEntry = hashEntry;
hashEntry = hashEntry->Next;
}
//
// If we fall off (didn''t find it), just return
//
if( !hashEntry ) {
MUTEX_RELEASE( HashMutex );
return;
}
//
// Remove it from the hash list
//
if( prevEntry )
prevEntry->Next = hashEntry->Next;
else
HashTable[ HASHOBJECT( object )] = hashEntry->Next;
//
// Free the memory associated with it
//
ExFreePool( hashEntry->FullPathName );
hashEntry->Next = FreeHashList;
FreeHashList = hashEntry;
MUTEX_RELEASE( HashMutex );
}
//======================================================================
// R E G I S T R Y P A R A M E T E R S U P P O R T R O U T I N E S
//======================================================================
//----------------------------------------------------------------------
//
// ConverToUpper
//
// Obvious.
//
//----------------------------------------------------------------------
VOID ConvertToUpper( PCHAR Dest, PCHAR Source, ULONG Len )
{
ULONG i;
for( i = 0; i < Len; i++ ) {
if( Source[i] >= 'a' && Source[i] <= 'z' ) {
Dest[i] = Source[i] - 'a' + 'A';
} else {
Dest[i] = Source[i];
}
}
}
//----------------------------------------------------------------------
//
// GetPointer
//
// Translates a handle to an object pointer.
//
//----------------------------------------------------------------------
POBJECT GetPointer( HANDLE handle )
{
POBJECT pKey;
//
// Ignore null handles
//
if( !handle ) return NULL;
//
// Get the pointer the handle refers to
//
if( ObReferenceObjectByHandle( handle, 0, NULL, KernelMode, &pKey, NULL ) !=
STATUS_SUCCESS ) {
DbgPrint(("Error %x getting key pointer\n"));
pKey = NULL;
}
return pKey;
}
//----------------------------------------------------------------------
//
// ReleasePointer
//
// Dereferences the object.
//
//----------------------------------------------------------------------
VOID ReleasePointer( POBJECT object )
{
if( object ) ObDereferenceObject( object );
}
//----------------------------------------------------------------------
//
// AppendKeyInformation
//
// Appends key enumerate and query information to the output buffer.
//
//----------------------------------------------------------------------
VOID AppendKeyInformation( IN KEY_INFORMATION_CLASS KeyInformationClass,
IN PVOID KeyInformation, PCHAR Buffer )
{
PKEY_BASIC_INFORMATION pbasicinfo;
PKEY_FULL_INFORMATION pfullinfo;
PKEY_NODE_INFORMATION pnodeinfo;
UNICODE_STRING ukeyname;
ANSI_STRING akeyname;
switch( KeyInformationClass ) {
case KeyBasicInformation:
pbasicinfo = (PKEY_BASIC_INFORMATION) KeyInformation;
ukeyname.Length = (USHORT) pbasicinfo->NameLength;
ukeyname.MaximumLength = (USHORT) pbasicinfo->NameLength;
ukeyname.Buffer = pbasicinfo->Name;
RtlUnicodeStringToAnsiString( &akeyname, &ukeyname, TRUE );
sprintf( Buffer, "Name: %s", akeyname.Buffer );
RtlFreeAnsiString( &akeyname );
break;
case KeyFullInformation:
pfullinfo = (PKEY_FULL_INFORMATION) KeyInformation;
sprintf( Buffer, "Subkeys = %d", pfullinfo->SubKeys );
break;
case KeyNodeInformation:
pnodeinfo = (PKEY_NODE_INFORMATION) KeyInformation;
ukeyname.Length = (USHORT) pnodeinfo->NameLength;
ukeyname.MaximumLength = (USHORT) pnodeinfo->NameLength;
ukeyname.Buffer = pnodeinfo->Name;
RtlUnicodeStringToAnsiString( &akeyname, &ukeyname, TRUE );
sprintf( Buffer, "Name: %s", akeyname.Buffer );
RtlFreeAnsiString( &akeyname );
break;
default:
sprintf( Buffer, "Unknown Info Class" );
break;
}
}
//----------------------------------------------------------------------
//
// AppendRegValueType
//
// Returns the string form of an registry value type.
//
//----------------------------------------------------------------------
VOID AppendRegValueType( ULONG Type, PCHAR Buffer )
{
CHAR tmp[MAXDATALEN];
switch( Type ) {
case REG_BINARY:
strcat( Buffer, "BINARY" );
break;
case REG_DWORD_LITTLE_ENDIAN:
strcat( Buffer, "DWORD_LITTLE_END" );
break;
case REG_DWORD_BIG_ENDIAN:
strcat( Buffer, "DWORD_BIG_END" );
break;
case REG_EXPAND_SZ:
strcat( Buffer, "EXPAND_SZ" );
break;
case REG_LINK:
strcat( Buffer, "LINK" );
break;
case REG_MULTI_SZ:
strcat( Buffer, "MULTI_SZ" );
break;
case REG_NONE:
strcat( Buffer, "NONE" );
break;
case REG_SZ:
strcat( Buffer, "SZ" );
break;
case REG_RESOURCE_LIST:
strcat( Buffer, "RESOURCE_LIST" );
break;
case REG_RESOURCE_REQUIREMENTS_LIST:
strcat( Buffer, "REQ_LIST" );
break;
case REG_FULL_RESOURCE_DESCRIPTOR:
strcat( Buffer, "DESCRIPTOR" );
break;
default:
sprintf( tmp, "UNKNOWN TYPE: %d", Type );
strcat( Buffer, tmp );
break;
}
}
//----------------------------------------------------------------------
//
// AppendRegValueData
//
// We expand certain registry types to provide more information. In
// all cases, calculate the length of the data being copied so
// we don't overflow the buffer that's passed in. The length of Buffer
// must be MAXVALLEN.
//
//----------------------------------------------------------------------
VOID AppendRegValueData( IN ULONG Type, IN PVOID Data, IN ULONG Length,
IN OUT PCHAR Buffer )
{
PWCHAR pstring;
PULONG pulong;
PUCHAR pbinary;
CHAR tmp[MAXDATALEN];
UNICODE_STRING ukeyname;
ANSI_STRING akeyname;
int len, i;
switch( Type ) {
case REG_SZ:
case REG_EXPAND_SZ:
case REG_MULTI_SZ:
pstring = (PWCHAR) Data;
ukeyname.Length = (USHORT) Length;
ukeyname.MaximumLength = (USHORT) Length;
ukeyname.Buffer = pstring;
RtlUnicodeStringToAnsiString( &akeyname,
&ukeyname, TRUE );
strcat( Buffer, "\"");
strncatZ( Buffer+1, akeyname.Buffer, MAXVALLEN - 6);
if( akeyname.Length > MAXVALLEN - 6 ) strcat( Buffer,"...");
strcat( Buffer, "\"");
RtlFreeAnsiString( &akeyname );
break;
case REG_DWORD:
pulong = (PULONG) Data;
sprintf( tmp, "0x%X", *pulong );
strcat( Buffer, tmp );
break;
case REG_BINARY:
case REG_RESOURCE_LIST:
case REG_FULL_RESOURCE_DESCRIPTOR:
case REG_RESOURCE_REQUIREMENTS_LIST:
pbinary = (PCHAR) Data;
if( Length > 8 ) len = 8;
else len = Length;
for( i = 0; i < len; i++ ) {
sprintf( tmp, "%02X ", (UCHAR) pbinary[i]);
strcat( Buffer, tmp );
}
if( Length > 8) strcat( Buffer, "...");
break;
default:
AppendRegValueType( Type, Buffer );
break;
}
}
//----------------------------------------------------------------------
//
// AppendValueInformation
//
// Appends value enumerate and query information to the output buffer.
//
//----------------------------------------------------------------------
VOID AppendValueInformation( IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
IN PVOID KeyValueInformation, PCHAR Buffer, PCHAR ValueName )
{
PKEY_VALUE_BASIC_INFORMATION pbasicinfo;
PKEY_VALUE_FULL_INFORMATION pfullinfo;
PKEY_VALUE_PARTIAL_INFORMATION ppartinfo;
UNICODE_STRING ukeyname;
ANSI_STRING akeyname;
switch( KeyValueInformationClass ) {
case KeyValueBasicInformation:
pbasicinfo = (PKEY_VALUE_BASIC_INFORMATION)
KeyValueInformation;
sprintf( Buffer, "Type: ");
AppendRegValueType( pbasicinfo->Type, Buffer );
strncatZ( Buffer, " Name: ", MAXVALLEN - 1 - strlen(Buffer) );
ukeyname.Length = (USHORT) pbasicinfo->NameLength;
ukeyname.MaximumLength = (USHORT) pbasicinfo->NameLength;
ukeyname.Buffer = pbasicinfo->Name;
RtlUnicodeStringToAnsiString( &akeyname, &ukeyname, TRUE );
strncatZ( Buffer, akeyname.Buffer, MAXVALLEN - 1 - strlen(Buffer) );
if( ValueName ) strncpy( ValueName, akeyname.Buffer, MAXVALLEN - 1 );
RtlFreeAnsiString( &akeyname );
break;
case KeyValueFullInformation:
pfullinfo = (PKEY_VALUE_FULL_INFORMATION)
KeyValueInformation;
AppendRegValueData( pfullinfo->Type,
(PVOID) ((PCHAR) pfullinfo + pfullinfo->DataOffset),
pfullinfo->DataLength, Buffer );
if( ValueName ) {
ukeyname.Length = (USHORT) pfullinfo->NameLength;
ukeyname.MaximumLength = (USHORT) pfullinfo->NameLength;
ukeyname.Buffer = pfullinfo->Name;
RtlUnicodeStringToAnsiString( &akeyname, &ukeyname, TRUE );
strncpy( ValueName, akeyname.Buffer, MAXVALLEN - 1 );
RtlFreeAnsiString( &akeyname );
}
break;
case KeyValuePartialInformation:
ppartinfo = (PKEY_VALUE_PARTIAL_INFORMATION)
KeyValueInformation;
AppendRegValueData( ppartinfo->Type,
(PVOID) ppartinfo->Data,
ppartinfo->DataLength, Buffer );
break;
default:
sprintf( Buffer, "Unknown Info Class" );
break;
}
}
//----------------------------------------------------------------------
//
// ErrorString
//
// Returns the string form of an error code.
//
//----------------------------------------------------------------------
PCHAR ErrorString( NTSTATUS retval )
{
//
// Before transating, apply error filter
//
if( retval == STATUS_SUCCESS && !FilterDef.logsuccess ) return NULL;
if( retval != STATUS_SUCCESS && !FilterDef.logerror ) return NULL;
//
// Passed filter, so log it
//
switch( retval ) {
case STATUS_BUFFER_TOO_SMALL:
return "BUFTOOSMALL";
case STATUS_SUCCESS:
return "SUCCESS";
case STATUS_KEY_DELETED:
return "KEYDELETED";
case STATUS_REGISTRY_IO_FAILED:
return "IOFAILED";
case STATUS_REGISTRY_CORRUPT:
return "CORRUPT";
case STATUS_NO_MEMORY:
return "OUTOFMEM";
case STATUS_ACCESS_DENIED:
return "ACCDENIED";
case STATUS_NO_MORE_ENTRIES:
return "NOMORE";
case STATUS_OBJECT_NAME_NOT_FOUND:
return "NOTFOUND";
case STATUS_BUFFER_OVERFLOW:
return "BUFOVRFLOW";
case STATUS_OBJECT_PATH_SYNTAX_BAD:
return "SYNTAXERR";
default:
sprintf(errstring, "%x", retval );
return errstring;
}
}
//----------------------------------------------------------------------
//
// RegmonFreeFilters
//
// Fress storage we allocated for filter strings.
//
//----------------------------------------------------------------------
VOID RegmonFreeFilters()
{
ULONG i;
for( i = 0; i < NumProcessFilters; i++ ) {
ExFreePool( ProcessFilters[i] );
}
for( i = 0; i < NumProcessExcludeFilters; i++ ) {
ExFreePool( ProcessExcludeFilters[i] );
}
for( i = 0; i < NumPathIncludeFilters; i++ ) {
ExFreePool( PathIncludeFilters[i] );
}
for( i = 0; i < NumPathExcludeFilters; i++ ) {
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -