📄 regsys.c
字号:
sprintf(data,"Key: 0x%X", regobj );
ReleasePointer( regobj );
}
if( ((NT_SUCCESS( ntstatus ) &&
(Disposition && *Disposition == REG_CREATED_NEW_KEY && FilterDef.logwrites)) ||
FilterDef.logreads ) &&
GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tCreateKey\t%s\t%s\t%s", name,
fullname, ErrorString( ntstatus ), data);
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegCloseKey
//
// This is actually a hook for NtClose which is used for closing any
// object. Therefore, we must ensure that we are seeing a close for
// a registry object that we know about.
//
//----------------------------------------------------------------------
NTSTATUS HookRegCloseKey( IN HANDLE Handle )
{
NTSTATUS ntstatus;
POBJECT regobj;
CHAR name[MAXPROCNAMELEN];
PCHAR fullname, data;
ULONG retlen;
BOOLEAN iskey = FALSE;
KEY_BASIC_INFORMATION basicInfo;
//
// Allocate data from pool since this close routine can be called from other
// drivers, where the stack space may already be strained
//
fullname = ExAllocatePool( PagedPool, MAXPATHLEN );
data = ExAllocatePool( PagedPool, MAXVALLEN );
//
// Determine if the object is a key by querying it
//
ntstatus = RealRegQueryKey( Handle, KeyBasicInformation,
&basicInfo, 0, &retlen );
if( ntstatus != STATUS_OBJECT_TYPE_MISMATCH ) {
iskey = TRUE;
GetFullName( Handle, NULL, fullname );
// get the pointer for later
regobj = GetPointer( Handle );
ReleasePointer( regobj );
}
ntstatus = RealRegCloseKey( Handle );
if( iskey ) {
DbgPrint(("RegCloseKey: %s => %x, %x\n", fullname, Handle, ntstatus ));
data[0] = 0;
if( NT_SUCCESS( ntstatus )) {
if( regobj ) RegmonFreeHashEntry( regobj );
sprintf(data,"Key: 0x%X", regobj );
if( FilterDef.logreads && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tCloseKey\t%s\t%s\t%s",
name, fullname, ErrorString( ntstatus ), data );
}
}
}
ExFreePool( fullname );
ExFreePool( data );
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegFlushKey
//
//----------------------------------------------------------------------
NTSTATUS HookRegFlushKey( IN HANDLE Handle )
{
NTSTATUS ntstatus;
CHAR fullname[MAXPATHLEN], name[MAXPROCNAMELEN];
POBJECT regobj;
GetFullName( Handle, NULL, fullname );
ntstatus = RealRegFlushKey( Handle );
DbgPrint(("RegFlushKey: %s => 0x%X\n", fullname, ntstatus ));
regobj = GetPointer( Handle );
ReleasePointer( regobj );
if( FilterDef.logwrites && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tFlushKey\t%s\t%s\tKey: 0x%X",
name, fullname, ErrorString( ntstatus ), regobj);
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegDeleteKey
//
// Once we've deleted a key, we can remove its reference in the hash
// table.
//
//----------------------------------------------------------------------
NTSTATUS HookRegDeleteKey( IN HANDLE Handle )
{
NTSTATUS ntstatus;
POBJECT regobj;
CHAR fullname[MAXPATHLEN], name[MAXPROCNAMELEN];
GetFullName( Handle, NULL, fullname );
regobj = GetPointer( Handle );
ReleasePointer( regobj );
ntstatus = RealRegDeleteKey( Handle );
DbgPrint(("RegDeleteKey: %s => 0x%X\n", fullname, ntstatus ));
if( FilterDef.logwrites && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tDeleteKey\t%s\t%s\tKey: 0x%X",
name, fullname,
ErrorString( ntstatus ), regobj);
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegDeleteValueKey
//
//----------------------------------------------------------------------
NTSTATUS HookRegDeleteValueKey( IN HANDLE Handle, PUNICODE_STRING Name )
{
NTSTATUS ntstatus;
CHAR fullname[MAXPATHLEN], name[MAXPROCNAMELEN];
GetFullName( Handle, Name, fullname );
ntstatus = RealRegDeleteValueKey( Handle, Name );
DbgPrint(("RegDeleteValueKey: %s => %x\n", fullname, ntstatus ));
if( FilterDef.logwrites && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus ) ) {
UpdateStore( "%s\tDeleteValueKey\t%s\t%s\t",
name, fullname, ErrorString( ntstatus ));
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegSetValueKey
//
//----------------------------------------------------------------------
NTSTATUS HookRegSetValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex, IN ULONG Type, IN PVOID Data, IN ULONG DataSize )
{
NTSTATUS ntstatus;
PUNICODE_STRING valueName;
CHAR fullname[MAXPATHLEN], data[MAXVALLEN], name[MAXPROCNAMELEN];
if( !ValueName || !ValueName->Length ) valueName = &DefaultValue;
else valueName = ValueName;
GetFullName( KeyHandle, valueName, fullname );
ntstatus = RealRegSetValueKey( KeyHandle, ValueName, TitleIndex,
Type, Data, DataSize );
data[0] = 0;
if( NT_SUCCESS( ntstatus ))
AppendRegValueData( Type, Data, DataSize, data );
DbgPrint(("SetValue: %s (%s)\n", fullname, data ));
if( FilterDef.logwrites && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tSetValue\t%s\t%s\t%s",
name, fullname, ErrorString( ntstatus ), data );
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegEnumerateKey
//
// This is a documented Zw-class function.
//
//----------------------------------------------------------------------
NTSTATUS HookRegEnumerateKey( IN HANDLE KeyHandle, IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG pResultLength )
{
NTSTATUS ntstatus;
CHAR fullname[MAXPATHLEN], data[MAXVALLEN], name[MAXPROCNAMELEN];
GetFullName( KeyHandle, NULL, fullname );
ntstatus = RealRegEnumerateKey( KeyHandle, Index, KeyInformationClass,
KeyInformation, Length, pResultLength );
data[0] = 0;
if( NT_SUCCESS( ntstatus ))
AppendKeyInformation( KeyInformationClass, KeyInformation, data );
DbgPrint(("EnumerateKey: %s (%s) => %x\n", fullname, data, ntstatus ));
if( FilterDef.logreads && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tEnumerateKey\t%s\t%s\t%s",
name, fullname, ErrorString( ntstatus ), data );
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegQueryKey
//
// This is a documented Zw-class function. This will get called
// from our CloseKey hook routine, because this is the only easy
// way we can determine if a registry key is being closed. Thus, we
// have to watch for those calls and not log any data about them.
//
//----------------------------------------------------------------------
NTSTATUS HookRegQueryKey( IN HANDLE KeyHandle,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation, IN ULONG Length,
OUT PULONG pResultLength )
{
NTSTATUS ntstatus;
CHAR name[MAXPROCNAMELEN];
PCHAR fullname, data;
//
// Allocate data from pool since this routine is called from the HookRegClose routine,
// which is called on non-key object and so is likely to be originating in a driver
// that may already have strained stack space.
//
fullname = ExAllocatePool( PagedPool, MAXPATHLEN );
data = ExAllocatePool( PagedPool, MAXVALLEN );
GetFullName( KeyHandle, NULL, fullname );
ntstatus = RealRegQueryKey( KeyHandle, KeyInformationClass,
KeyInformation, Length, pResultLength );
// print out different stuff depending on type of info asked for
data[0] = 0;
if( NT_SUCCESS( ntstatus ))
AppendKeyInformation( KeyInformationClass, KeyInformation, data );
DbgPrint(("QueryKey: %s (%s) => %x\n", fullname, data, ntstatus ));
if( FilterDef.logreads && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tQueryKey\t%s\t%s\t%s",
name, fullname, ErrorString( ntstatus ), data );
}
ExFreePool( fullname );
ExFreePool( data );
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegEnumerateValueKey
//
// This is a documented Zw-class function.
//
//----------------------------------------------------------------------
NTSTATUS HookRegEnumerateValueKey( IN HANDLE KeyHandle, IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation, IN ULONG Length,
OUT PULONG pResultLength )
{
NTSTATUS ntstatus;
CHAR fullname[MAXPATHLEN], data[MAXVALLEN];
CHAR valuename[MAXVALLEN], name[MAXPROCNAMELEN];
GetFullName( KeyHandle, NULL, fullname );
ntstatus = RealRegEnumerateValueKey( KeyHandle, Index,
KeyValueInformationClass,
KeyValueInformation, Length,
pResultLength );
data[0] = 0;
if( NT_SUCCESS( ntstatus )) {
AppendValueInformation( KeyValueInformationClass,
KeyValueInformation, data, valuename );
strcat( fullname, "\\" );
strncatZ( fullname, valuename, MAXPATHLEN - 1 - strlen(fullname) );
}
DbgPrint(("EnumerateValue: %s (%s) =>%x\n", fullname, data, ntstatus ));
if( FilterDef.logreads && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tEnumerateValue\t%s\t%s\t%s",
name, fullname, ErrorString( ntstatus ), data );
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegQueryValueKey
//
// This is a documented Zw-class function.
//
//----------------------------------------------------------------------
NTSTATUS HookRegQueryValueKey( IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation, IN ULONG Length,
OUT PULONG pResultLength )
{
NTSTATUS ntstatus;
PUNICODE_STRING valueName;
CHAR fullname[MAXPATHLEN], data[MAXVALLEN], name[MAXPROCNAMELEN];
if( !ValueName || !ValueName->Length ) valueName = &DefaultValue;
else valueName = ValueName;
GetFullName( KeyHandle, valueName, fullname );
ntstatus = RealRegQueryValueKey( KeyHandle, ValueName,
KeyValueInformationClass,
KeyValueInformation, Length,
pResultLength );
data[0] = 0;
if( NT_SUCCESS( ntstatus ))
AppendValueInformation( KeyValueInformationClass,
KeyValueInformation, data, FALSE );
DbgPrint(("QueryValue: %s (%s) =>%x\n", fullname, data, ntstatus ));
if( FilterDef.logreads && GetProcess( name ) && ApplyNameFilter(fullname) && ErrorString( ntstatus )) {
UpdateStore( "%s\tQueryValue\t%s\t%s\t%s",
name, fullname, ErrorString( ntstatus ), data );
}
return ntstatus;
}
//----------------------------------------------------------------------
//
// HookRegistry
//
// Replaces entries in the system service table with pointers to
// our own hook routines. We save off the real routine addresses.
//
//----------------------------------------------------------------------
VOID HookRegistry( void )
{
if( !RegHooked ) {
//
// Hook everything
//
RealRegOpenKey = SYSCALL( ZwOpenKey );
SYSCALL( ZwOpenKey ) = (PVOID) HookRegOpenKey;
RealRegQueryKey = SYSCALL( ZwQueryKey );
SYSCALL( ZwQueryKey ) = (PVOID) HookRegQueryKey;
RealRegQueryValueKey = SYSCALL( ZwQueryValueKey );
SYSCALL( ZwQueryValueKey ) = (PVOID) HookRegQueryValueKey;
RealRegEnumerateValueKey = SYSCALL( ZwEnumerateValueKey );
SYSCALL( ZwEnumerateValueKey ) = (PVOID) HookRegEnumerateValueKey;
RealRegEnumerateKey = SYSCALL( ZwEnumerateKey );
SYSCALL( ZwEnumerateKey ) = (PVOID) HookRegEnumerateKey;
RealRegDeleteKey = SYSCALL( ZwDeleteKey );
SYSCALL( ZwDeleteKey ) = (PVOID) HookRegDeleteKey;
RealRegFlushKey = SYSCALL( ZwFlushKey );
SYSCALL( ZwFlushKey ) = (PVOID) HookRegFlushKey;
RealRegSetValueKey = SYSCALL( ZwSetValueKey );
SYSCALL( ZwSetValueKey ) = (PVOID) HookRegSetValueKey;
RealRegCreateKey = SYSCALL( ZwCreateKey );
#if defined(_ALPHA_)
SYSCALL( ZwCreateKey ) = (PVOID) ((ULONG) HookRegCreateKey + ((ULONG) RealRegCreateKey & 0x00000003));
#else
SYSCALL( ZwCreateKey ) = (PVOID) HookRegCreateKey;
#endif
RealRegDeleteValueKey = SYSCALL( ZwDeleteValueKey );
SYSCALL( ZwDeleteValueKey ) = (PVOID) HookRegDeleteValueKey;
RealRegCloseKey = SYSCALL( ZwClose );
SYSCALL( ZwClose ) = (PVOID) HookRegCloseKey;
RegHooked = TRUE;
}
}
//----------------------------------------------------------------------
//
// UnhookRegistry
//
// Unhooks all registry routines by replacing the hook addresses in
// the system service table with the real routine addresses that we
// saved off.
//
//----------------------------------------------------------------------
VOID UnhookRegistry( )
{
if( RegHooked ) {
//
// Unhook everything
//
SYSCALL( ZwOpenKey ) = (PVOID) RealRegOpenKey;
SYSCALL( ZwQueryKey ) = (PVOID) RealRegQueryKey;
SYSCALL( ZwQueryValueKey ) = (PVOID) RealRegQueryValueKey;
SYSCALL( ZwEnumerateValueKey ) = (PVOID) RealRegEnumerateValueKey;
SYSCALL( ZwEnumerateKey ) = (PVOID) RealRegEnumerateKey;
SYSCALL( ZwClose ) = (PVOID) RealRegCloseKey;
SYSCALL( ZwFlushKey ) = (PVOID) RealRegFlushKey;
SYSCALL( ZwDeleteKey ) = (PVOID) RealRegDeleteKey;
SYSCALL( ZwSetValueKey ) = (PVOID) RealRegSetValueKey;
SYSCA⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -