📄 regmon.c
字号:
//
// Apply process name filters
//
Wait_Semaphore( FilterMutex, BLOCK_SVC_INTS );
for( i = 0; i < NumProcessExcludeFilters; i++ ) {
if( MatchWithPattern( ProcessExcludeFilters[i], ProcessName )) {
Signal_Semaphore( FilterMutex );
return NULL;
}
}
for( i = 0; i < NumProcessFilters; i++ ) {
if( MatchWithPattern( ProcessFilters[i], ProcessName ) ) {
Signal_Semaphore( FilterMutex );
return ProcessName;
}
}
Signal_Semaphore( FilterMutex );
return NULL;
}
//----------------------------------------------------------------------
//
// ApplyNameFilter
//
// If the name matches the exclusion mask, we do not log it. Else if
// it doesn't match the inclusion mask we do not log it.
//
//----------------------------------------------------------------------
BOOLEAN ApplyNameFilter( PCHAR fullname )
{
ULONG i;
//
// If it matches the exclusion string, do not log it
//
Wait_Semaphore( FilterMutex, BLOCK_SVC_INTS );
for( i = 0; i < NumPathExcludeFilters; i++ ) {
if( MatchWithPattern( PathExcludeFilters[i], fullname ) ) {
Signal_Semaphore( FilterMutex );
return FALSE;
}
}
//
// If it matches an include filter then log it
//
for( i = 0; i < NumPathIncludeFilters; i++ ) {
if( MatchWithPattern( PathIncludeFilters[i], fullname )) {
Signal_Semaphore( FilterMutex );
return TRUE;
}
}
//
// It didn't match any include filters so don't log
//
Signal_Semaphore( FilterMutex );
return FALSE;
}
//----------------------------------------------------------------------
//
// GetFullName
//
// Returns the full pathname of a key, if we can obtain one, else
// returns a handle.
//
//----------------------------------------------------------------------
void GetFullName( HKEY hKey, PCHAR lpszSubKey, PCHAR lpszValue,
PCHAR fullname )
{
PHASH_ENTRY hashEntry;
CHAR tmpkey[16];
//
// See if we find the key in the hash table
//
fullname[0] = 0;
Wait_Semaphore( HashMutex, BLOCK_SVC_INTS );
hashEntry = HashTable[ HASHOBJECT( hKey ) ];
while( hashEntry && hashEntry->hkey != hKey ) {
hashEntry = hashEntry->Next;
}
Signal_Semaphore( HashMutex );
if( hashEntry ) {
strcpy( fullname, hashEntry->FullName );
} else {
//
// Okay, make a name
//
switch( hKey ) {
case HKEY_CLASSES_ROOT:
strcat(fullname, "HKCR");
break;
case HKEY_CURRENT_USER:
strcat(fullname, "HKCU");
break;
case HKEY_LOCAL_MACHINE:
strcat(fullname, "HKLM");
break;
case HKEY_USERS:
strcat(fullname, "HKU");
break;
case HKEY_CURRENT_CONFIG:
strcat(fullname, "HKCC");
break;
case HKEY_DYN_DATA:
strcat(fullname, "HKDD");
break;
default:
//
// We will only get here if key was created before we loaded
//
sprintf( tmpkey, "0x%X", hKey );
strcat(fullname, tmpkey );
break;
}
}
//
// Append subkey and value, if they are there
//
if( lpszSubKey ) {
if( lpszSubKey[0] ) {
strcat( fullname, "\\" );
strcat( fullname, lpszSubKey );
}
}
if( lpszValue ) {
if( lpszValue[0] ) {
strcat( fullname, "\\" );
strcat( fullname, lpszValue );
}
}
}
//----------------------------------------------------------------------
// REGISTRY HOOKS
//
// All these hooks do essentially the same thing: dump API-specific
// info into the data buffer, call the original handler, and then
// dump any return information.
//----------------------------------------------------------------------
LONG HookRegOpenKey( HKEY hkey, PCHAR lpszSubKey, PHKEY phkResult) {
LONG retval;
CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, NULL, fullname );
retval = RealRegOpenKey( hkey, lpszSubKey, phkResult );
data[0] = 0;
if( retval == ERROR_SUCCESS ) {
RegmonFreeHashEntry( *phkResult );
RegmonStoreHash( *phkResult, fullname );
sprintf(data,"hKey: 0x%X", *phkResult );
}
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads ) {
UpdateStore( Sequence++, "%s\tOpenKey\t%s\t%s\t%s",
process, fullname, ErrorString( retval ), data);
}
return retval;
}
LONG HookRegCreateKey( HKEY hkey, PCHAR lpszSubKey, PHKEY phkResult) {
LONG retval;
CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, NULL, fullname );
retval = RealRegCreateKey( hkey, lpszSubKey, phkResult );
data[0] = 0;
if( retval == ERROR_SUCCESS ) {
RegmonFreeHashEntry( *phkResult );
RegmonStoreHash( *phkResult, fullname );
sprintf(data,"hKey: 0x%X", *phkResult );
}
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logwrites ) {
UpdateStore( Sequence++, "%s\tCreateKey\t%s\t%s\t%s",
process, fullname, ErrorString( retval ), data);
}
return retval;
}
LONG HookRegDeleteKey( HKEY hkey, PCHAR lpszSubKey ) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, NULL, fullname );
retval = RealRegDeleteKey( hkey, lpszSubKey );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logwrites ) {
UpdateStore( Sequence++, "%s\tDeleteKey\t%s\t%s",
process, fullname, ErrorString( retval ));
}
return retval;
}
LONG HookRegDeleteValue( HKEY hkey, PCHAR lpszSubKey ) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, NULL, fullname );
retval = RealRegDeleteValue( hkey, lpszSubKey );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logwrites ) {
UpdateStore( Sequence++, "%s\tDeleteValue\t%s\t%s",
process, fullname, ErrorString( retval ));
}
return retval;
}
LONG HookRegCloseKey(HKEY hkey) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegCloseKey( hkey );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads ) {
UpdateStore( Sequence++, "%s\tCloseKey\t%s\t%s",
process, fullname, ErrorString( retval ));
}
RegmonFreeHashEntry( hkey );
return retval;
}
LONG HookRegFlushKey( HKEY hkey ) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegFlushKey( hkey );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logwrites ) {
UpdateStore( Sequence++, "%s\tFlushKey\t%s\t%s",
process, fullname, ErrorString( retval ));
}
return retval;
}
LONG HookRegEnumKey(HKEY hkey, DWORD iSubKey, PCHAR lpszName, DWORD cchName) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegEnumKey( hkey, iSubKey, lpszName, cchName );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads ) {
UpdateStore( Sequence++, "%s\tEnumKey\t%s\t%s\t%s",
process, fullname,
ErrorString( retval ),
retval == ERROR_SUCCESS ? lpszName : "");
}
return retval;
}
LONG HookRegEnumValue(HKEY hkey, DWORD iValue, PCHAR lpszValue,
PDWORD lpcchValue, PDWORD lpdwReserved,
PDWORD lpdwType, PBYTE lpbData, PDWORD lpcbData) {
LONG retval;
int i, len;
CHAR fullname[NAMELEN], data[DATASIZE], tmp[2*BINARYLEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegEnumValue( hkey, iValue, lpszValue, lpcchValue,
lpdwReserved, lpdwType, lpbData, lpcbData );
data[0] = 0;
if( retval == ERROR_SUCCESS && lpbData && *lpcbData ) {
strcat( data, lpszValue );
strcat( data, ": ");
if( !lpdwType || *lpdwType == REG_BINARY ) {
if( *lpcbData > BINARYLEN ) len = BINARYLEN;
else len = *lpcbData;
for( i = 0; i < len; i++ ) {
sprintf( tmp, "%X ", lpbData[i]);
strcat( data, tmp );
}
if( *lpcbData > BINARYLEN) strcat( data, "...");
} else if( *lpdwType == REG_SZ ) {
strcat( data, "\"");
strncat( data, lpbData, STRINGLEN );
strcat( data, "\"");
} else if( *lpdwType == REG_DWORD ) {
sprintf( tmp, "0x%X", *(PDWORD) lpbData );
strcat( data, tmp );
}
}
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads ) {
UpdateStore( Sequence++, "%s\tEnumValue\t%s\t%s\t%s",
process, fullname, ErrorString( retval ),
data );
}
return retval;
}
LONG HookRegQueryInfoKey( HKEY hKey, PCHAR lpszClass, PDWORD lpcchClass,
DWORD lpdwReserved, PDWORD lpcSubKeys,
PDWORD lpcchMaxSubKey, PDWORD pcchMaxClass,
PDWORD lpcValues, PDWORD lpcchMaxValueName,
PDWORD lpcbMaxValueData,
PDWORD lpcbSecurityDescriptor,
PFILETIME lpftLastWriteTime) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hKey, NULL, NULL, fullname );
retval = RealRegQueryInfoKey( hKey, lpszClass, lpcchClass, lpdwReserved,
lpcSubKeys, lpcchMaxSubKey, pcchMaxClass,
lpcValues, lpcchMaxValueName,
lpcbMaxValueData,
lpcbSecurityDescriptor,
lpftLastWriteTime );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads ) {
if( retval == ERROR_SUCCESS && lpcSubKeys && lpcValues )
UpdateStore( Sequence++, "%s\tQueryKey\t%s\t%s\tKeys: %d Values: %d",
process, fullname, ErrorString( retval ), *lpcSubKeys, *lpcValues );
else
UpdateStore( Sequence++, "%s\tQueryKey\t%s\t%s",
process, fullname, ErrorString( retval ));
}
return retval;
}
LONG HookRegQueryValue( HKEY hkey, PCHAR lpszSubKey, PCHAR lpszValue,
PLONG pcbValue ) {
LONG retval;
CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, "(Default)", fullname );
retval = RealRegQueryValue( hkey, lpszSubKey, lpszValue, pcbValue );
data[0] = 0;
if( retval == ERROR_SUCCESS && lpszValue && *pcbValue ) {
strcpy( data, "\"");
strncat( data, lpszValue, STRINGLEN );
if( strlen( lpszValue ) > STRINGLEN )
strcat( data, "..." );
strcat( data, "\"");
}
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads ) {
UpdateStore( Sequence++, "%s\tQueryValue\t%s\t%s\t%s",
process, fullname, ErrorString( retval ), data);
}
return retval;
}
LONG HookRegQueryValueEx( HKEY hkey, PCHAR lpszValueName,
PDWORD lpdwReserved, PDWORD lpdwType,
PBYTE lpbData, PDWORD lpcbData ) {
LONG retval;
int i, len;
CHAR fullname[NAMELEN], data[DATASIZE], tmp[2*BINARYLEN], process[PROCESSLEN];
GetFullName( hkey, NULL, lpszValueName, fullname );
retval = RealRegQueryValueEx( hkey, lpszValueName, lpdwReserved,
lpdwType, lpbData, lpcbData );
data[0] = 0;
if( retval == ERROR_SUCCESS && lpbData ) {
if( !lpdwType || *lpdwType == REG_BINARY ) {
if( *lpcbData > BINARYLEN ) len = BINARYLEN;
else len = *lpcbData;
for( i = 0; i < len; i++ ) {
sprintf( tmp, "%X ", lpbData[i]);
strcat( data, tmp );
}
if( *lpcbData > BINARYLEN) strcat( data, "...");
} else if( *lpdwType == REG_SZ ) {
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -