📄 regsys.c
字号:
ExFreePool( PathExcludeFilters[i] );
}
NumProcessFilters = 0;
NumProcessExcludeFilters = 0;
NumPathIncludeFilters = 0;
NumPathExcludeFilters = 0;
}
//----------------------------------------------------------------------
//
// MakeFilterArray
//
// Takes a filter string and splits into components (a component
// is seperated with a ';')
//
//----------------------------------------------------------------------
VOID MakeFilterArray( PCHAR FilterString,
PCHAR FilterArray[],
PULONG NumFilters )
{
PCHAR filterStart;
ULONG filterLength;
//
// Scan through the process filters
//
filterStart = FilterString;
while( *filterStart ) {
filterLength = 0;
while( filterStart[filterLength] &&
filterStart[filterLength] != ';' ) {
filterLength++;
}
//
// Ignore zero-length components
//
if( filterLength ) {
FilterArray[ *NumFilters ] =
ExAllocatePool( PagedPool, filterLength + 1 );
strncpy( FilterArray[ *NumFilters ],
filterStart, filterLength );
FilterArray[ *NumFilters ][filterLength] = 0;
(*NumFilters)++;
}
//
// Are we done?
//
if( !filterStart[filterLength] ) break;
//
// Move to the next component (skip over ';')
//
filterStart += filterLength + 1;
}
}
//----------------------------------------------------------------------
//
// RegmonUpdateFilters
//
// Takes a new filter specification and updates the filter
// arrays with them.
//
//----------------------------------------------------------------------
VOID RegmonUpdateFilters()
{
//
// Free old filters (if any)
//
MUTEX_WAIT( FilterMutex );
RegmonFreeFilters();
//
// Create new filter arrays
//
MakeFilterArray( FilterDef.processfilter,
ProcessFilters, &NumProcessFilters );
MakeFilterArray( FilterDef.processexclude,
ProcessExcludeFilters, &NumProcessExcludeFilters );
MakeFilterArray( FilterDef.pathfilter,
PathIncludeFilters, &NumPathIncludeFilters );
MakeFilterArray( FilterDef.excludefilter,
PathExcludeFilters, &NumPathExcludeFilters );
MUTEX_RELEASE( FilterMutex );
}
//----------------------------------------------------------------------
//
// ApplyNameFilter
//
// If the name matches the exclusion mask, we do not log it. Else if
// it doesn't match the inclusion mask we do not log it.
//
//----------------------------------------------------------------------
BOOLEAN ApplyNameFilter( PCHAR fullname )
{
ULONG i;
//
// If it matches the exclusion string, do not log it
//
MUTEX_WAIT( FilterMutex );
for( i = 0; i < NumPathExcludeFilters; i++ ) {
if( MatchWithPattern( PathExcludeFilters[i], fullname ) ) {
MUTEX_RELEASE( FilterMutex );
return FALSE;
}
}
//
// If it matches an include filter then log it
//
for( i = 0; i < NumPathIncludeFilters; i++ ) {
if( MatchWithPattern( PathIncludeFilters[i], fullname )) {
MUTEX_RELEASE( FilterMutex );
return TRUE;
}
}
//
// It didn't match any include filters so don't log
//
MUTEX_RELEASE( FilterMutex );
return FALSE;
}
//----------------------------------------------------------------------
//
// GetFullName
//
// Returns the full pathname of a key, if we can obtain one, else
// returns a handle.
//
//----------------------------------------------------------------------
void GetFullName( HANDLE hKey, PUNICODE_STRING lpszSubKeyVal,
PCHAR fullname )
{
PHASH_ENTRY hashEntry;
POBJECT pKey = NULL;
CHAR tmpkey[16];
ANSI_STRING keyname;
PCHAR tmpname;
CHAR cmpname[MAXROOTLEN];
PCHAR nameptr;
PUNICODE_STRING fullUniName;
ULONG actualLen;
int i;
//
// Allocate a temporary buffer
//
tmpname = ExAllocatePool( PagedPool, MAXPATHLEN );
//
// Translate the hkey into a pointer
//
fullname[0] = 0;
tmpname[0] = 0;
//
// Is it a valid handle?
//
if( pKey = GetPointer( hKey )) {
//
// See if we find the key in the hash table
//
ReleasePointer( pKey );
MUTEX_WAIT( HashMutex );
hashEntry = HashTable[ HASHOBJECT( pKey ) ];
while( hashEntry && hashEntry->Object != pKey )
hashEntry = hashEntry->Next;
MUTEX_RELEASE( HashMutex );
if( hashEntry ) {
strcpy( tmpname, hashEntry->FullPathName );
} else {
//
// We will only get here if key was created before we loaded - ask the Configuration
// Manager what the name of the key is.
//
if( pKey ) {
fullUniName = ExAllocatePool( PagedPool, MAXPATHLEN*2+2*sizeof(ULONG));
fullUniName->MaximumLength = MAXPATHLEN*2;
if( NT_SUCCESS(ObQueryNameString( pKey, fullUniName, MAXPATHLEN, &actualLen ) )) {
RtlUnicodeStringToAnsiString( &keyname, fullUniName, TRUE );
if( keyname.Buffer[0] ) {
strcpy( tmpname, "\\" );
strncatZ( tmpname, keyname.Buffer, MAXPATHLEN -2 );
}
RtlFreeAnsiString( &keyname );
}
ExFreePool( fullUniName );
}
}
}
//
// Append subkey and value, if they are there
//
if( lpszSubKeyVal ) {
RtlUnicodeStringToAnsiString( &keyname, lpszSubKeyVal, TRUE );
if( keyname.Buffer[0] ) {
strcat( tmpname, "\\" );
strncatZ( tmpname, keyname.Buffer, MAXPATHLEN - 1 - strlen(tmpname) );
}
RtlFreeAnsiString( &keyname );
}
//
// See if it matches current user
//
for( i = 0; i < 2; i++ ) {
ConvertToUpper( cmpname, tmpname, CurrentUser[i].RootNameLen );
if( !strncmp( cmpname, CurrentUser[i].RootName,
CurrentUser[i].RootNameLen )) {
DbgPrint(( " CurrentUser(%d) %s ==> %s\n", i,
tmpname, CurrentUser[i].RootName ));
//
// Its current user. Process to next slash
//
nameptr = tmpname + CurrentUser[i].RootNameLen;
while( *nameptr && *nameptr != '\\' ) nameptr++;
strcpy( fullname, CurrentUser[i].RootShort );
strcat( fullname, nameptr );
ExFreePool( tmpname );
return;
}
}
//
// Now, see if we can translate a root key name
//
for( i = 0; i < NUMROOTKEYS; i++ ) {
ConvertToUpper( cmpname, tmpname, RootKey[i].RootNameLen );
if( !strncmp( cmpname, RootKey[i].RootName,
RootKey[i].RootNameLen )) {
nameptr = tmpname + RootKey[i].RootNameLen;
strcpy( fullname, RootKey[i].RootShort );
strcat( fullname, nameptr );
ExFreePool( tmpname );
return;
}
}
//
// No translation
//
strcpy( fullname, tmpname );
ExFreePool( tmpname );
}
//----------------------------------------------------------------------
//
// GetProcessNameOffset
//
// In an effort to remain version-independent, rather than using a
// hard-coded into the KPEB (Kernel Process Environment Block), we
// scan the KPEB looking for the name, which should match that
// of the GUI process
//
//----------------------------------------------------------------------
ULONG GetProcessNameOffset()
{
PEPROCESS curproc;
int i;
curproc = PsGetCurrentProcess();
//
// Scan for 12KB, hopping the KPEB never grows that big!
//
for( i = 0; i < 3*PAGE_SIZE; i++ ) {
if( !strncmp( SYSNAME, (PCHAR) curproc + i, strlen(SYSNAME) )) {
return i;
}
}
//
// Name not found - oh, well
//
return 0;
}
//----------------------------------------------------------------------
//
// GetProcess
//
// Uses undocumented data structure offsets to obtain the name of the
// currently executing process.
//
//----------------------------------------------------------------------
PCHAR GetProcess( PCHAR Name )
{
PEPROCESS curproc;
char *nameptr;
ULONG i;
//
// We only try and get the name if we located the name offset
//
if( ProcessNameOffset ) {
curproc = PsGetCurrentProcess();
nameptr = (PCHAR) curproc + ProcessNameOffset;
strncpy( Name, nameptr, 16 );
} else {
strcpy( Name, "???");
}
//
// Apply process name filters
//
MUTEX_WAIT( FilterMutex );
for( i = 0; i < NumProcessExcludeFilters; i++ ) {
if( MatchWithPattern( ProcessExcludeFilters[i], Name )) {
MUTEX_RELEASE( FilterMutex );
return NULL;
}
}
for( i = 0; i < NumProcessFilters; i++ ) {
if( MatchWithPattern( ProcessFilters[i], Name ) ) {
MUTEX_RELEASE( FilterMutex );
return Name;
}
}
MUTEX_RELEASE( FilterMutex );
return NULL;
}
//======================================================================
// H O O K R O U T I N E S
//======================================================================
//----------------------------------------------------------------------
//
// HookRegOpenKey
//
//----------------------------------------------------------------------
NTSTATUS HookRegOpenKey( IN OUT PHANDLE pHandle, IN ACCESS_MASK ReqAccess,
IN POBJECT_ATTRIBUTES pOpenInfo )
{
NTSTATUS ntstatus;
POBJECT regobj;
CHAR fullname[MAXPATHLEN], data[MAXDATALEN], name[MAXPROCNAMELEN];
GetFullName( pOpenInfo->RootDirectory, pOpenInfo->ObjectName, fullname );
ntstatus = RealRegOpenKey( pHandle, ReqAccess, pOpenInfo );
DbgPrint(("RegOpenKey: %s => %x, %x\n", fullname, *pHandle, ntstatus ));
data[0] = 0;
if( NT_SUCCESS( ntstatus )) {
regobj = GetPointer( *pHandle );
RegmonFreeHashEntry( regobj );
RegmonStoreHash( regobj, fullname );
sprintf(data,"Key: 0x%X", regobj );
ReleasePointer( regobj );
}
if( FilterDef.logreads && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tOpenKey\t%s\t%s\t%s", name,
fullname, ErrorString( ntstatus ), data );
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegCreateKey
//
//----------------------------------------------------------------------
NTSTATUS HookRegCreateKey( OUT PHANDLE pHandle, IN ACCESS_MASK ReqAccess,
IN POBJECT_ATTRIBUTES pOpenInfo, IN ULONG TitleIndex,
IN PUNICODE_STRING Class, IN ULONG CreateOptions, OUT PULONG Disposition )
{
NTSTATUS ntstatus;
POBJECT regobj;
CHAR fullname[MAXPATHLEN], data[MAXDATALEN], name[MAXPROCNAMELEN];
GetFullName( pOpenInfo->RootDirectory, pOpenInfo->ObjectName, fullname );
ntstatus = RealRegCreateKey( pHandle, ReqAccess, pOpenInfo, TitleIndex,
Class, CreateOptions, Disposition );
DbgPrint(("RegCreateKey: %s => %x, %x\n", fullname, *pHandle, ntstatus ));
data[0] = 0;
if( NT_SUCCESS( ntstatus )) {
regobj = GetPointer( *pHandle );
RegmonFreeHashEntry( regobj );
RegmonStoreHash( regobj, fullname );
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -