#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <stdio.h>
#include <conio.h>
#include <string.h>
#include <windows.h>
#include <tchar.h>
#ifdef _UNICODE
#undef UNICODE
#endif
#include <tlhelp32.h>
#ifdef _UNICODE
#define UNICODE
#endif
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
#include "WSLog2.h"
/////////////////////////////////////////////////////////
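// EnumPIDs -- collect the PIDs of every process in every session.
//
// Grows a LocalAlloc'd buffer until BuildPIDList() fits all entries: the
// helper reports the count it needs, so whenever that exceeds the capacity
// we offered the buffer is reallocated with that count plus headroom.
//
// pPIDs   receives the LPTR buffer holding the PIDs.  The CALLER owns it and
//         must LocalFree() it when the returned count is > 0.  On every
//         failure path *pPIDs is set to NULL and any buffer allocated so far
//         is released, so no dangling pointer escapes (the original left
//         *pPIDs pointing at a freed buffer when a later allocation failed).
// returns the number of PIDs stored, or 0 when allocation fails, when
//         BuildPIDList() reports PW_MEMERROR, or when it returns <= 0.
//         Negative codes are folded into 0 on purpose: the caller stores the
//         result in a DWORD, where a negative LONG would become a huge bogus
//         count and an out-of-bounds walk over the buffer.
LONG EnumPIDs(DWORD **pPIDs) {
    LONG capacity = 0, needed = 1;
    DWORD *buf = NULL;

    *pPIDs = NULL;
    while (needed > capacity) {
        capacity = needed + 0x100;      // headroom for processes started meanwhile
        if (buf)
            LocalFree(buf);
        buf = (DWORD *)LocalAlloc(LPTR, capacity * sizeof(*buf));
        if (!buf)
            return 0;
        needed = BuildPIDList(buf, capacity, PW_ALLSESSIONS);
        if (needed == PW_MEMERROR || needed <= 0) {
            LocalFree(buf);
            return 0;
        }
    }
    *pPIDs = buf;
    return needed;
}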
/////////////////////////////////////////////////////////
// LCC32_COORD -- lets the console COORD handed to SetConsoleScreenBufferSize()
// be manipulated as two raw WORDs: wsize[0] overlays the first COORD member
// (X) and wsize[1] the second (Y).  _tmain decrements wsize[1] until the
// console accepts the buffer height.
typedef union {
COORD coord;
WORD wsize[2];
} LCC32_COORD;
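// Privilege ordinal handed to RtlAdjustPrivilege(); winnt.h defines
// SE_DEBUG_PRIVILEGE as 20L, the literal the original code used.
#ifndef SE_DEBUG_PRIVILEGE
#define SE_DEBUG_PRIVILEGE (20L)
#endif

// Number of log-file indexes probed before the last name is reused
// (and overwritten).
#define WSLOG_MAX_LOGFILES 100

// EnableDebugPrivilege -- turn SeDebugPrivilege on for this process so the
// hook DLL can be injected into processes of other users / sessions.
//
// Uses the undocumented ntdll export RtlAdjustPrivilege(), resolved at run
// time so the binary still loads where it is absent.  Failure is non-fatal:
// the logger simply cannot reach processes it has no access to.
static void EnableDebugPrivilege(void) {
    typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
    HINSTANCE hntdll = GetModuleHandle(_T("ntdll.dll"));
    if (hntdll == NULL)
        return;
    TRAP RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege");
    if (RAP == NULL)
        return;
    BYTE WasEn = 0;
    RAP(SE_DEBUG_PRIVILEGE, TRUE, 0, &WasEn);   // status deliberately ignored
}

// BuildLogFilePath -- pick the log file name in the directory this exe runs from.
//
// Directory: the exe's own directory, trailing backslash kept; falls back to
//            LogFileDefaultDirectory when GetModuleFileName() fails or
//            truncates (a return of MAX_PATH means truncation, and indexing
//            with it would run off the buffer).
// Name:      LogFileBaseName formatted with a counter; the first index whose
//            file does not exist is used, up to WSLOG_MAX_LOGFILES, after
//            which the last name is reused and overwritten by the caller.
//
// Only the compile-time LogFileBaseName is used as a printf-style format.
// The original concatenated "<dir><base>" and used the whole string as the
// format, so a '%' in the install path corrupted the name or read garbage
// arguments.  Every copy is bounded to MAX_PATH and NUL-terminated explicitly
// because _sntprintf() does not terminate on truncation.
//
// There is still a window between the existence probe and the caller's
// fopen("wb+"); in a directory writable by others that is a classic race.
//
// LogFile  receives the NUL-terminated path (capacity MAX_PATH TCHARs).
static void BuildLogFilePath(TCHAR *LogFile) {
    TCHAR LogDir[MAX_PATH];
    DWORD nchars = GetModuleFileName(NULL, LogDir, MAX_PATH);
    if (nchars != 0 && nchars < MAX_PATH) {
        // strip the file name but keep the trailing '\'
        while (nchars > 0 && LogDir[nchars] != '\\')
            LogDir[nchars--] = '\0';
    } else {
        _tcsncpy(LogDir, LogFileDefaultDirectory, MAX_PATH - 1);
        LogDir[MAX_PATH - 1] = '\0';
    }

    TCHAR Name[MAX_PATH];
    DWORD idx = 0;
    for (;;) {
        _sntprintf(Name, MAX_PATH, LogFileBaseName, idx++);
        Name[MAX_PATH - 1] = '\0';
        _sntprintf(LogFile, MAX_PATH, TEXT("%s%s"), LogDir, Name);
        LogFile[MAX_PATH - 1] = '\0';
        FILE *probe = _tfopen(LogFile, TEXT("rb"));
        if (probe == NULL)
            break;                      // free index found
        fclose(probe);
        if (idx >= WSLOG_MAX_LOGFILES)
            break;                      // give up: reuse the last name
    }
}

// InjectHookDll -- load the hook DLL into the host process and, through it,
// hook every other process on the machine.
//
// The DLL is expected beside this executable with the last three characters
// of the exe's file name replaced by "DLL" (wslog2.exe -> wslog2.DLL), which
// is exactly what the original code did.  The name is only patched when
// GetModuleFileName() returned a sane, untruncated length; the original
// indexed nchars-1 .. nchars-3 unconditionally, i.e. before the buffer start
// when the call failed.
//
// SECURITY NOTE: this DLL is injected into every process while the logger
// holds SeDebugPrivilege.  If the exe's directory is writable by other users,
// whoever can drop a file there gets code in every process on the box.
//
// HostPID  process that hosts the hooks (this process on NT, see _tmain).
// returns  TRUE when EstablishApiHooks() succeeded; per-process LoadAndCall()
//          results are not checked (best effort, as before).
static BOOL InjectHookDll(DWORD HostPID) {
    TCHAR Hooks_DLL[MAX_PATH];
    DWORD nchars = GetModuleFileName(NULL, Hooks_DLL, MAX_PATH);
    if (nchars < 4 || nchars >= MAX_PATH)
        return FALSE;
    Hooks_DLL[nchars - 3] = 'D';
    Hooks_DLL[nchars - 2] = 'L';
    Hooks_DLL[nchars - 1] = 'L';
    if (EstablishApiHooks(NULL, Hooks_DLL, HostPID, 5000) != ErrorAWSuccess)
        return FALSE;

    DWORD *PIDs = NULL;
    LONG nPIDs = EnumPIDs(&PIDs);       // <= 0 means nothing usable was returned
    if (nPIDs <= 0)
        return TRUE;
    for (LONG k = 0; k < nPIDs; k++) {
        if (PIDs[k] == HostPID)
            continue;
        DWORD Params[2] = {PIDs[k], FALSE};
        LoadAndCall(NULL, Hooks_DLL, HostPID, 5000, 0, _T("HookProcess"), 2, Params);
    }
    LocalFree(PIDs);                    // EnumPIDs() hands the buffer to its caller
    return TRUE;
}

// _tmain -- WSLog host: receives text messages from the WSLog hook DLL over a
// mailslot and echoes them to a fresh console and to a log file next to the
// executable, until a key is pressed.
//
// Sequence:
//   1. enable SeDebugPrivilege (needed to inject into other users' processes);
//   2. create the mailslot, the instance mutex and the stop event with a NULL
//      DACL (see the security note below);
//   3. if no other instance's event can be opened ("brand new"), inject the
//      hook DLL into the host process and through it into every other one;
//   4. pump the mailslot into console and log file until kbhit();
//   5. signal the event (presumably tells the hooks to stop -- confirm in
//      WSLog2.h) and release every handle.
//
// Exits early, releasing what was created so far, when the mailslot, mutex
// or event cannot be created.  The original fell through to CloseHandle() on
// two uninitialised handles when the mailslot failed, and leaked the mailslot
// / mutex on the other two error paths.
//
// SECURITY NOTE: a NULL DACL grants every local user full access to the
// mailslot, mutex and event, so any user can feed bogus lines into the log,
// hold the mutex or signal the stop event.  The log file inherits the ACL of
// the exe's directory and holds whatever the hooks captured from other
// sessions.  Run this only where you are authorised to monitor every process
// on the machine.
VOID _tmain(VOID) {
    LCC32_COORD cbsize = {{80, 0x910}};
    HANDLE hMS, hEV = NULL, hMU = NULL, StdOut;
    BYTE sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
    SECURITY_ATTRIBUTES sa = {sizeof(sa), &sd, FALSE}, *psa = NULL;
    TCHAR LogFile[MAX_PATH];
    BYTE Msg[MS_MAX_MSG_SIZE + sizeof(TCHAR)];

    FreeConsole();
    AllocConsole();
    SetConsoleTitle(TEXT("WSLog"));

    EnableDebugPrivilege();

    // NULL DACL: every local user gets full access to the objects created
    // with psa.  Kept for compatibility with hooks running in other sessions.
    if (InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) &&
        SetSecurityDescriptorDacl(&sd, TRUE, (PACL)NULL, FALSE))
        psa = &sa;

    hMS = CreateMailslot(MSName, MS_MAX_MSG_SIZE, 3000, psa);
    if (hMS == INVALID_HANDLE_VALUE) {
        _tprintf(TEXT("Can't create mailslot!"));
        return;
    }

    hMU = CreateMutex(psa, FALSE, MUName);
    if (hMU == NULL)
        hMU = CreateMutex(psa, FALSE, BaseMUName);
    if (hMU == NULL) {
        _tprintf(TEXT("Can't create mutex!"));
        CloseHandle(hMS);
        return;
    }

    // An openable event means another logger is already running, so only a
    // "brand new" instance injects the hook DLL.
    BOOL BrandNew = FALSE;
    hEV = OpenEvent(EVENT_MODIFY_STATE, FALSE, EVName);
    if (hEV == NULL)
        hEV = OpenEvent(EVENT_MODIFY_STATE, FALSE, BaseEVName);
    if (hEV == NULL) {
        BrandNew = TRUE;
        hEV = CreateEvent(psa, TRUE, FALSE, EVName);
        if (hEV == NULL)
            hEV = CreateEvent(psa, TRUE, FALSE, BaseEVName);
        if (hEV == NULL) {
            _tprintf(TEXT("Can't create event!"));
            CloseHandle(hMU);
            CloseHandle(hMS);
            return;
        }
    }
    ResetEvent(hEV);

    BuildLogFilePath(LogFile);

    // Shrink the console buffer height until the console accepts it.  Bounded
    // so a console that rejects every size cannot wrap the WORD and spin forever.
    StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    while (!SetConsoleScreenBufferSize(StdOut, cbsize.coord) && cbsize.wsize[1] > 0x10)
        cbsize.wsize[1] -= 0x10;

    if (BrandNew) {
        DWORD HostPID = IsNT ? GetCurrentProcessId() : ProcessName2PID(_T("KERNEL32.DLL"));
        InjectHookDll(HostPID);         // best effort, as before
    }

    FILE *hFI = _tfopen(LogFile, TEXT("wb+"));

    // Drain the mailslot until a key is pressed.  ReadFile() gives up after
    // the 3000 ms read timeout set on the mailslot, so kbhit() is polled at
    // least that often.  Messages are untrusted (see the DACL note) but are
    // only ever printed through a fixed "%s" format, never as a format.
    do {
        DWORD nread = 0;
        if (ReadFile(hMS, Msg, MS_MAX_MSG_SIZE, &nread, NULL)) {
            // nread <= MS_MAX_MSG_SIZE, and Msg has one extra TCHAR, so the
            // terminator always fits.
            *(TCHAR *)(Msg + nread) = '\0';
            _tprintf(TEXT("%s"), Msg);
            if (hFI != NULL)
                _ftprintf(hFI, TEXT("%s"), Msg);
        }
    } while (!kbhit());

    SetEvent(hEV);
    if (hFI != NULL)
        fclose(hFI);
    CloseHandle(hMU);
    CloseHandle(hEV);
    CloseHandle(hMS);
}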