📄 regmon.c
字号:
current = next;
}
//
// Move the output pointer in the buffer that's being kept
// the start of the buffer.
//
Store->Len = 0;
Store->Next = NULL;
}
//----------------------------------------------------------------------
//
// UpdateStore
//
// Add a new string to Store, if it fits.
//
//----------------------------------------------------------------------
void UpdateStore( ULONG seq, const char * format, ... )
{
PENTRY Entry;
ULONG len;
va_list arg_ptr;
static CHAR text[MAXPATHLEN];
//
// If no filtering is desired, don't bother
//
if( !FilterOn ) {
return;
}
//
// Lock the output buffer.
//
Wait_Semaphore( StoreMutex, BLOCK_SVC_INTS );
//
// Vsprintf to determine length of the buffer
//
_asm cld;
va_start( arg_ptr, format );
len = vsprintf( text, format, arg_ptr );
va_end( arg_ptr );
//
// If the current output buffer is near capacity, move to a new
// output buffer
//
if( (ULONG) (Store->Len + len + sizeof(ENTRY) +1) >= MAX_STORE ) {
RegmonNewStore();
}
//
// Extract the sequence number and store it
//
Entry = (void *)(Store->Data+Store->Len);
Entry->seq = seq;
_asm cld;
memcpy( Entry->text, text, len+1 );
//
// Store the length of the string, plus 1 for the terminating
// NULL
//
Store->Len += sizeof(Entry->seq)+len+1;
//
// Release the output buffer lock
//
Signal_Semaphore( StoreMutex );
}
//----------------------------------------------------------------------
// H A S H T A B L E M A N A G E M E N T
//----------------------------------------------------------------------
//----------------------------------------------------------------------
//
// RegmonHashCleanup
//
// Called when we are unloading to free any memory that we have
// in our possession.
//
//----------------------------------------------------------------------
VOID RegmonHashCleanup()
{
PHASH_ENTRY hashEntry, nextEntry;
ULONG i;
//
// First, free the hash table entries
//
for( i = 0; i < NUMHASH; i++ ) {
hashEntry = HashTable[i];
while( hashEntry ) {
nextEntry = hashEntry->Next;
HeapFree( hashEntry->FullName, 0 );
HeapFree( hashEntry, 0 );
hashEntry = nextEntry;
}
}
//
// Now, free structures on our free list
//
while( FreeEntries ) {
nextEntry = FreeEntries->Next;
HeapFree( FreeEntries, 0 );
FreeEntries = nextEntry;
}
}
//----------------------------------------------------------------------
//
// RegmonStoreHash
//
// Stores the key and associated fullpath in the hash table.
//
//----------------------------------------------------------------------
VOID RegmonStoreHash( HKEY hkey, PCHAR fullname )
{
PHASH_ENTRY newEntry;
Wait_Semaphore( HashMutex, BLOCK_SVC_INTS );
//
// Find or allocate an entry to use
//
if( FreeEntries ) {
newEntry = FreeEntries;
FreeEntries = FreeEntries->Next;
} else {
newEntry = HeapAllocate( sizeof(HASH_ENTRY), 0 );
}
//
// Initialize the new entry.
//
newEntry->hkey = hkey;
newEntry->FullName = HeapAllocate( strlen(fullname)+1, 0);
newEntry->Next = HashTable[ HASHOBJECT(hkey) ];
HashTable[ HASHOBJECT(hkey) ] = newEntry;
strcpy( newEntry->FullName, fullname );
Signal_Semaphore( HashMutex );
}
//----------------------------------------------------------------------
//
// RegmonFreeHashEntry
//
// When we see a file close, we can free the string we had associated
// with the fileobject being closed since we know it won't be used
// again.
//
//----------------------------------------------------------------------
VOID RegmonFreeHashEntry( HKEY hkey )
{
PHASH_ENTRY hashEntry, prevEntry;
Wait_Semaphore( HashMutex, BLOCK_SVC_INTS );
//
// Look-up the entry.
//
hashEntry = HashTable[ HASHOBJECT( hkey ) ];
prevEntry = NULL;
while( hashEntry && hashEntry->hkey != hkey ) {
prevEntry = hashEntry;
hashEntry = hashEntry->Next;
}
//
// If we fall of the hash list without finding what we're looking
// for, just return.
//
if( !hashEntry ) {
Signal_Semaphore( HashMutex );
return;
}
//
// Got it! Remove it from the list
//
if( prevEntry ) {
prevEntry->Next = hashEntry->Next;
} else {
HashTable[ HASHOBJECT( hkey )] = hashEntry->Next;
}
//
// Free the memory associated with it
//
HeapFree( hashEntry->FullName, 0 );
//
// Put it on our free list
//
hashEntry->Next = FreeEntries;
FreeEntries = hashEntry;
Signal_Semaphore( HashMutex );
}
//----------------------------------------------------------------------
// P A T H A N D P R O C E S S N A M E R O U T I N E S
//----------------------------------------------------------------------
//----------------------------------------------------------------------
//
// ErrorString
//
// Returns the string form of an error code.
//
//----------------------------------------------------------------------
PCHAR ErrorString( DWORD retval )
{
//
// Before transating, apply error filter
//
if( retval == ERROR_SUCCESS && !FilterDef.logsuccess ) return NULL;
if( retval != ERROR_SUCCESS && !FilterDef.logerror ) return NULL;
//
// Passed filter, so log it
//
switch( retval ) {
case ERROR_SUCCESS:
return "SUCCESS";
case ERROR_KEY_DELETED:
return "KEYDELETED";
case ERROR_BADKEY:
return "BADKEY";
case ERROR_REGISTRY_IO_FAILED:
return "IOFAILED";
case ERROR_REGISTRY_CORRUPT:
return "CORRUPT";
case ERROR_BADDB:
return "BADDB";
case ERROR_OUTOFMEMORY:
return "OUTOFMEM";
case ERROR_ACCESS_DENIED:
return "ACCDENIED";
case ERROR_FILE_NOT_FOUND:
return "NOTFOUND";
case ERROR_NO_MORE_ITEMS:
return "NOMORE";
case ERROR_MORE_DATA:
return "MOREDATA";
default:
sprintf(errstring, "%x\n", retval );
return errstring;
}
}
//----------------------------------------------------------------------
//
// RegmonFreeFilters
//
// Fress storage we allocated for filter strings.
//
//----------------------------------------------------------------------
VOID RegmonFreeFilters()
{
ULONG i;
for( i = 0; i < NumProcessFilters; i++ ) {
HeapFree( ProcessFilters[i], 0 );
}
for( i = 0; i < NumProcessExcludeFilters; i++ ) {
HeapFree( ProcessExcludeFilters[i], 0 );
}
for( i = 0; i < NumPathIncludeFilters; i++ ) {
HeapFree( PathIncludeFilters[i], 0 );
}
for( i = 0; i < NumPathExcludeFilters; i++ ) {
HeapFree( PathExcludeFilters[i], 0 );
}
NumProcessFilters = 0;
NumProcessExcludeFilters = 0;
NumPathIncludeFilters = 0;
NumPathExcludeFilters = 0;
}
//----------------------------------------------------------------------
//
// MakeFilterArray
//
// Takes a filter string and splits into components (a component
// is seperated with a ';')
//
//----------------------------------------------------------------------
VOID MakeFilterArray( PCHAR FilterString,
PCHAR FilterArray[],
PULONG NumFilters )
{
PCHAR filterStart;
ULONG filterLength;
//
// Scan through the process filters
//
filterStart = FilterString;
while( *filterStart ) {
filterLength = 0;
while( filterStart[filterLength] &&
filterStart[filterLength] != ';' ) {
filterLength++;
}
//
// Ignore zero-length components
//
if( filterLength ) {
FilterArray[ *NumFilters ] =
HeapAllocate( filterLength + 1, 0 );
strncpy( FilterArray[ *NumFilters ],
filterStart, filterLength );
FilterArray[ *NumFilters ][filterLength] = 0;
(*NumFilters)++;
}
//
// Are we done?
//
if( !filterStart[filterLength] ) break;
//
// Move to the next component (skip over ';')
//
filterStart += filterLength + 1;
}
}
//----------------------------------------------------------------------
//
// RegmonUpdateFilters
//
// Takes a new filter specification and updates the filter
// arrays with them.
//
//----------------------------------------------------------------------
VOID RegmonUpdateFilters()
{
//
// Free old filters (if any)
//
Wait_Semaphore( FilterMutex, BLOCK_SVC_INTS );
RegmonFreeFilters();
//
// Create new filter arrays
//
MakeFilterArray( FilterDef.processfilter,
ProcessFilters, &NumProcessFilters );
MakeFilterArray( FilterDef.processexclude,
ProcessExcludeFilters, &NumProcessExcludeFilters );
MakeFilterArray( FilterDef.pathfilter,
PathIncludeFilters, &NumPathIncludeFilters );
MakeFilterArray( FilterDef.excludefilter,
PathExcludeFilters, &NumPathExcludeFilters );
Signal_Semaphore( FilterMutex );
}
//----------------------------------------------------------------------
//
// GetProcess
//
// Retrieves the process name.
//
//----------------------------------------------------------------------
PCHAR GetProcess( PCHAR ProcessName )
{
PVOID CurProc;
PVOID ring3proc;
char *name;
ULONG i;
//
// Get the ring0 process pointer.
//
CurProc = VWIN32_GetCurrentProcessHandle();
//
// Now, map the ring3 PCB
//
ring3proc = (PVOID) SelectorMapFlat( Get_Sys_VM_Handle(),
(DWORD) (*(PDWORD) ((char *) CurProc + 0x38)) | 0x7, 0 );
if( ring3proc == (PVOID) -1 ) {
strcpy( ProcessName, "???");
return ProcessName;
}
//
// copy out the process name (max 8 characters)
//
name = ((char *)ring3proc) + 0xF2;
if( name[0] >= 'A' && name[0] < 'z' ) {
strcpy( ProcessName, name );
ProcessName[8] = 0;
} else {
strcpy( ProcessName, "???" );
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -