📄 regmon.c
字号:
strcpy( data, "\"");
strncat( data, lpbData, STRINGLEN );
if( strlen( lpbData ) > STRINGLEN )
strcat( data, "..." );
strcat( data, "\"");
} else if( *lpdwType == REG_DWORD ) {
sprintf( data, "0x%X", *(PDWORD) lpbData );
}
}
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads) {
UpdateStore( Sequence++, "%s\tQueryValueEx\t%s\t%s\t%s",
process, fullname, ErrorString( retval ), data);
}
return retval;
}
LONG HookRegSetValue( HKEY hkey, PCHAR lpszSubKey, DWORD fdwType,
PCHAR lpszData, DWORD cbData ) {
LONG retval;
CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, "(Default)", fullname );
retval = RealRegSetValue( hkey, lpszSubKey, fdwType, lpszData, cbData );
data[0] = 0;
if( lpszData ) {
strcpy( data,"\"");
strncat(data, lpszData, STRINGLEN );
if( strlen( lpszData ) > STRINGLEN )
strcat( data, "..." );
strcat( data, "\"");
}
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logwrites) {
UpdateStore( Sequence++, "%s\tSetValue\t%s\t%s\t%s",
process, fullname, ErrorString( retval ), data );
}
return retval;
}
LONG HookRegSetValueEx( HKEY hkey, PCHAR lpszValueName,
DWORD lpdwReserved, DWORD fdwType,
PBYTE lpbData, DWORD lpcbData ) {
LONG retval;
int i, len;
CHAR fullname[NAMELEN], data[DATASIZE], tmp[2*BINARYLEN], process[PROCESSLEN];
GetFullName( hkey, NULL, lpszValueName, fullname );
retval = RealRegSetValueEx( hkey, lpszValueName, lpdwReserved,
fdwType, lpbData, lpcbData );
data[0] = 0;
if( fdwType == REG_SZ ) {
strcpy( data, "\"");
strncat( data, lpbData, STRINGLEN );
if( strlen( lpbData ) > STRINGLEN )
strcat( data, "..." );
strcat( data, "\"");
} else if( fdwType == REG_BINARY ) {
if( lpcbData > BINARYLEN ) len = BINARYLEN;
else len = lpcbData;
for( i = 0; i < len; i++ ) {
sprintf( tmp, "%X ", lpbData[i]);
strcat( data, tmp );
}
if( lpcbData > BINARYLEN) strcat( data, "...");
} else if( fdwType == REG_DWORD ) {
sprintf( data, "0x%X", *(PDWORD) lpbData );
}
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logwrites) {
UpdateStore( Sequence++, "%s\tSetValueEx\t%s\t%s\t%s",
process, fullname, ErrorString( retval ), data );
}
return retval;
}
LONG HookRegRemapPreDefKey( HKEY hkey, HKEY hRootKey ) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegRemapPreDefKey( hkey, hRootKey );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval )) {
UpdateStore( Sequence++, "%s\tRemapPreKey\t%s\t%s\tRoot: %s",
process, fullname, ErrorString( retval ),
hRootKey == HKEY_CURRENT_USER ? "HKCU" : "HKCC" );
}
return retval;
}
LONG HookRegQueryMultipleValues( HKEY hKey, PVALENT pValent,
DWORD dwNumVals, PCHAR pValueBuf,
PDWORD pTotSize ) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hKey, NULL, NULL, fullname );
retval = RealRegQueryMultipleValues( hKey, pValent,
dwNumVals, pValueBuf, pTotSize );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads) {
UpdateStore( Sequence++, "%s\tQueryMultVal\t%s\t%s",
process, fullname, ErrorString( retval ));
}
return retval;
}
LONG HookRegCreateDynKey( PCHAR szName, PVOID KeyContext,
PVOID pInfo, PVOID pValList,
DWORD dwNumVals, PVMMHKEY pKeyHandle ) {
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
sprintf(fullname, "DYNDAT\\%s", szName );
retval = RealRegCreateDynKey( szName, KeyContext, pInfo, pValList,
dwNumVals, pKeyHandle );
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads) {
UpdateStore( Sequence++, "%s\tCreateDynKey\t%s\t%s\thKey: 0x%X",
process, fullname, ErrorString( retval ),
*pKeyHandle );
}
if( retval == ERROR_SUCCESS ) {
RegmonStoreHash( *pKeyHandle, fullname );
}
return retval;
}
LONG __stdcall HookWin32RegQueryInfoKey( volatile PCLIENT_STRUCT pClientRegs, DWORD Dummy2,
HKEY hKey,
PDWORD lpcSubKeys,
PDWORD lpcchMaxSubKey,
PDWORD lpcValues, PDWORD lpcchMaxValueName,
PDWORD lpcbMaxValueData )
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
//
// NOTE: this special hook is needed because Win95 has a bug where
// the Win32 call to RegQueryInfoKey gets routed to VMM's Win32
// service table, but the service table handler does *not* call the
// VMM RegQueryInfoKey entry point. Therefore, we have to hook the
// VMM Win32 service as a special case.
//
GetFullName( hKey, NULL, NULL, fullname );
//
// The return code is stored in the client registers
//
RealWin32RegQueryInfoKey( pClientRegs, Dummy2,
hKey, lpcSubKeys, lpcchMaxSubKey,
lpcValues, lpcchMaxValueName,
lpcbMaxValueData );
retval = pClientRegs->CRS.Client_EAX;
if( GetProcess( process ) && ApplyNameFilter( fullname ) && ErrorString( retval ) &&
FilterDef.logreads) {
if( retval == ERROR_SUCCESS && lpcSubKeys && lpcValues )
UpdateStore( Sequence++, "%s\tQueryKey\t%s\t%s\tKeys: %d Values: %d",
process, fullname, ErrorString( retval ), *lpcSubKeys, *lpcValues );
else
UpdateStore( Sequence++, "%s\tQueryKey\t%s\t%s",
process, fullname, ErrorString( retval ));
}
return retval;
}
//----------------------------------------------------------------------
//
// OnSysDynamicDeviceInit
//
// Dynamic init. Hook all registry related VxD APIs.
//
//----------------------------------------------------------------------
BOOL OnSysDynamicDeviceInit()
{
int i;
PDDB vmmDDB;
//
// Initialize semaphores
//
StoreMutex = Create_Semaphore(1);
HashMutex = Create_Semaphore(1);
FilterMutex = Create_Semaphore(1);
//
// Zero hash table
//
for(i = 0; i < NUMHASH; i++ ) HashTable[i] = NULL;
//
// Allocate first output buffer
//
PageAllocate(STORESIZE, PG_SYS, 0, 0, 0, 0, NULL, PAGELOCKED,
(PMEMHANDLE) &Store, (PVOID) &Store );
Store->Len = 0;
Store->Next = NULL;
NumStore = 1;
//
// Hook all registry routines
//
RealRegOpenKey = Hook_Device_Service_C(___RegOpenKey, HookRegOpenKey,
&ROKThunk );
RealRegCloseKey = Hook_Device_Service_C(___RegCloseKey, HookRegCloseKey,
&RCKThunk );
RealRegCreateKey = Hook_Device_Service_C(___RegCreateKey, HookRegCreateKey,
&RCRKThunk );
RealRegDeleteKey = Hook_Device_Service_C(___RegDeleteKey, HookRegDeleteKey,
&RDKThunk );
RealRegDeleteValue = Hook_Device_Service_C(___RegDeleteValue,
HookRegDeleteValue,
&RDVThunk );
RealRegEnumKey = Hook_Device_Service_C(___RegEnumKey,
HookRegEnumKey,
&REKThunk );
RealRegEnumValue = Hook_Device_Service_C(___RegEnumValue,
HookRegEnumValue,
&REVThunk );
RealRegFlushKey = Hook_Device_Service_C(___RegFlushKey,
HookRegFlushKey,
&RFKThunk );
RealRegQueryInfoKey = Hook_Device_Service_C(___RegQueryInfoKey,
HookRegQueryInfoKey,
&RQIKThunk );
RealRegQueryValue = Hook_Device_Service_C(___RegQueryValue,
HookRegQueryValue,
&RQVThunk );
RealRegQueryValueEx = Hook_Device_Service_C(___RegQueryValueEx,
HookRegQueryValueEx,
&RQVEThunk );
RealRegSetValue = Hook_Device_Service_C(___RegSetValue,
HookRegSetValue,
&RSVThunk );
RealRegSetValueEx = Hook_Device_Service_C(___RegSetValueEx,
HookRegSetValueEx,
&RSVEThunk );
RealRegRemapPreDefKey = Hook_Device_Service_C(___RegRemapPreDefKey,
HookRegRemapPreDefKey,
&RRPDKThunk );
RealRegQueryMultipleValues = Hook_Device_Service_C(___RegQueryMultipleValues,
HookRegQueryMultipleValues,
&RQMVThunk );
RealRegCreateDynKey = Hook_Device_Service_C(___RegCreateDynKey,
HookRegCreateDynKey,
&RCDKThunk );
//
// We have to hook the Win32 service for query info key
// (isn't win95 just great?)
//
vmmDDB = Get_DDB( VMM_DEVICE_ID, "" );
VMMWin32ServiceTable = (PDWORD) vmmDDB->DDB_Win32_Service_Table;
RealWin32RegQueryInfoKey = (PVOID) VMMWin32ServiceTable[ VMMWIN32QUERYINFOKEY ];
VMMWin32ServiceTable[ VMMWIN32QUERYINFOKEY ] = (DWORD) HookWin32RegQueryInfoKey;
return TRUE;
}
//----------------------------------------------------------------------
//
// OnSysDynamicDeviceExit
//
// Dynamic exit. Unhook everything.
//
//----------------------------------------------------------------------
BOOL OnSysDynamicDeviceExit()
{
Unhook_Device_Service_C(___RegOpenKey, &ROKThunk );
Unhook_Device_Service_C(___RegCloseKey, &RCKThunk );
Unhook_Device_Service_C(___RegCreateKey, &RCRKThunk );
Unhook_Device_Service_C(___RegDeleteKey, &RDKThunk );
Unhook_Device_Service_C(___RegDeleteValue, &RDVThunk );
Unhook_Device_Service_C(___RegEnumKey, &REKThunk );
Unhook_Device_Service_C(___RegEnumValue, &REVThunk );
Unhook_Device_Service_C(___RegFlushKey, &RFKThunk );
Unhook_Device_Service_C(___RegQueryInfoKey, &RQIKThunk );
Unhook_Device_Service_C(___RegQueryValue, &RQVThunk );
Unhook_Device_Service_C(___RegQueryValueEx, &RQVEThunk );
Unhook_Device_Service_C(___RegSetValue, &RSVThunk );
Unhook_Device_Service_C(___RegSetValueEx, &RSVEThunk );
Unhook_Device_Service_C(___RegRemapPreDefKey, &RRPDKThunk );
Unhook_Device_Service_C(___RegQueryMultipleValues, &RQMVThunk );
Unhook_Device_Service_C(___RegCreateDynKey, &RCDKThunk );
VMMWin32ServiceTable[ VMMWIN32QUERYINFOKEY ] = (DWORD) RealWin32RegQueryInfoKey;
//
// Free all memory
//
RegmonHashCleanup();
RegmonFreeStore();
RegmonFreeFilters();
return TRUE;
}
//----------------------------------------------------------------------
//
// OnW32Deviceiocontrol
//
// Interface with the GUI.
//
//----------------------------------------------------------------------
DWORD OnW32Deviceiocontrol(PIOCTLPARAMS p)
{
PSTORE_BUF old;
switch( p->dioc_IOCtlCode ) {
case 0:
return 0;
case REGMON_zerostats:
Wait_Semaphore( StoreMutex, BLOCK_SVC_INTS );
while ( Store->Next ) {
//
// Release the next entry.
//
old = Store->Next;
Store->Next = old->Next;
Signal_Semaphore( StoreMutex );
PageFree( (MEMHANDLE) old, 0 );
Wait_Semaphore( StoreMutex, BLOCK_SVC_INTS );
NumStore--;
}
Store->Len = 0;
Signal_Semaphore( StoreMutex );
Sequence = 0;
return 0;
case REGMON_getstats:
//
// Copy buffer into user space.
Wait_Semaphore( StoreMutex, BLOCK_SVC_INTS );
if ( MAX_STORE > p->dioc_cbOutBuf ) {
//
// Buffer is too small. Return error.
//
Signal_Semaphore( StoreMutex );
return 1;
} else if ( Store->Len || Store->Next ) {
//
// Switch to a new buffer.
//
RegmonNewStore();
//
// Fetch the oldest buffer to give to caller.
//
old = RegmonOldestStore();
Signal_Semaphore( StoreMutex );
//
// Copy it into the caller's buffer.
//
memcpy( p->dioc_OutBuf, old->Data, old->Len );
//
// Return length of copied info.
//
*p->dioc_bytesret = old->Len;
//
// Deallocate the buffer.
//
PageFree( (MEMHANDLE) old, 0 );
NumStore--;
} else {
//
// There is no unread data.
//
Signal_Semaphore( StoreMutex );
*p->dioc_bytesret = 0;
}
return 0;
case REGMON_unhook:
FilterOn = FALSE;
return 0;
case REGMON_hook:
FilterOn = TRUE;
return 0;
case REGMON_setfilter:
FilterDef = * (PFILTER) p->dioc_InBuf;
RegmonUpdateFilters();
return 0;
}
return 0;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -