#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <stdio.h>
#include <conio.h>
#include <windows.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
/////////////////////////////////////////////////////////
int WINAPI Usage(VOID) {
    // Print the command-line synopsis and wait for a key press so the text
    // stays visible when the tool was started from a double-click. The key
    // code is returned; _tmain returns it straight through as the exit code.
    static const TCHAR synopsis[] =
        _T("Usage: XcptLog /n|/o|/u [FileName] \"ProcessName\"\n")
        _T("/n .. log new process\n")
        _T("/o .. log existing process\n")
        _T("/u .. end logging and unload");
    _tprintf(_T("%s"), synopsis);
    return (getch());
}
/////////////////////////////////////////////////////////
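int _tmain(int argc, TCHAR** argv) {
    // XcptLog front end.
    //   /n [FileName] "ProcessName" : create the process suspended, install the
    //                                 hook DLL, hand it the log file, resume it
    //   /o [FileName] "ProcessName" : same for an already running process
    //   /u "ProcessName"            : ask the hook DLL to stop logging and unload
    // Returns 0 on success, the result of LoadAndCall for /u, or the key read
    // by getch() after an error message (Usage() behaves the same way).
    BOOL Unload = FALSE, Existing = FALSE;
    if ((argc < 3) || (argc > 4)) {
        return (Usage());
    }
    if (argv[1][0] != '/') {
        return (Usage());
    }
    // OR-ing with ' ' folds an ASCII letter to lower case. The fall-through is
    // intentional: /u implies an existing process, /o sets Existing only.
    switch (argv[1][1] | ' ') {
    case 'u':
        Unload = TRUE;
        /* fallthrough */
    case 'o':
        Existing = TRUE;
        /* fallthrough */
    case 'n':
        break;
    default:
        return (Usage());
    }

    // The hook DLL is expected to be named like this executable with the last
    // three characters of the path replaced by "WNT" (NT family) or "W9X"
    // (Windows 9x), e.g. XcptLog.exe -> XcptLog.wnt.
    TCHAR Hooks_DLL[MAX_PATH];
    const DWORD HooksCap = sizeof(Hooks_DLL) / sizeof(TCHAR);
    DWORD nc = GetModuleFileName(NULL, Hooks_DLL, HooksCap);
    // GetModuleFileName returns 0 on failure and HooksCap when the path was
    // truncated. nc is unsigned, so indexing nc-1..nc-3 on a short result
    // would wrap around and write outside the buffer; reject those cases.
    if ((nc < 3) || (nc >= HooksCap)) {
        _tprintf(_T("\nXcptLog: Can't determine module path!"));
        return (getch());
    }

    // GetVersion() has the high bit set on Win9x/ME, so as INT it is negative
    // there and positive on NT-family systems.
    BOOL IsNT = ((INT)GetVersion() > 0);
    if (IsNT) {
        // Enable SeDebugPrivilege (LUID 20) in this process via
        // ntdll!RtlAdjustPrivilege so OpenProcess below can reach the target.
        // This only succeeds when the account already holds the privilege; the
        // result is not checked here, OpenProcess reports the failure instead.
        // LoadAndCall is assumed to call the named export inside the given
        // process with the parameter array -- verify against its header.
        DWORD WasEn;
        DWORD Params[4] = {20, TRUE, 0, (DWORD)&WasEn};   // 32-bit only: pointer narrowed to DWORD
        LoadAndCall(NULL, _T("ntdll.dll"), GetCurrentProcessId(), 0, 0, _T("RtlAdjustPrivilege"), 4, Params);
        Hooks_DLL[nc - 1] = 'T';
        Hooks_DLL[nc - 2] = 'N';
    } else {
        Hooks_DLL[nc - 1] = 'X';
        Hooks_DLL[nc - 2] = '9';
    }
    Hooks_DLL[nc - 3] = 'W';

    // ShortHooks_DLL is the file-name part only (used where the DLL is already
    // loaded in the host). If no backslash is found, keep the whole name
    // instead of skipping its first character.
    for (; nc && (Hooks_DLL[nc] != '\\'); nc--) {
    }
    LPTSTR ShortHooks_DLL = (Hooks_DLL[nc] == '\\') ? &Hooks_DLL[nc + 1] : Hooks_DLL;

    HANDLE hProcess = NULL;
    DWORD HostPID = 0, WatchPID = 0;
    if (!IsNT) {
        // On Win9x the hook DLL is loaded into the process called KERNEL32.DLL
        // rather than into the watched process; on NT HostPID becomes
        // WatchPID below.
        HostPID = ProcessName2PID(_T("KERNEL32.DLL"));
    }

    DWORD UnloadPars[1] = {LACThreadBodyAlias};
    if (Unload) {
        if (argc != 3) {
            return (Usage());
        }
        DWORD TargetPID = IsNT ? ProcessName2PID(argv[2]) : HostPID;
        // ProcessName2PID reports failure with values >= PW_SESERROR.
        if (TargetPID >= PW_SESERROR) {
            _tprintf(_T("\nXcptLog: Can't find '%s'!"), argv[2]);
            return (getch());
        }
        return (LoadAndCall(NULL, ShortHooks_DLL, TargetPID, 1, 0, _T("StopLog"), 1, UnloadPars));
    }
    if (argc != 4) {
        return (Usage());
    }

    // Open or create the log file and append to it. FILE_FLAG_WRITE_THROUGH
    // makes each write reach the disk before returning. The handle is later
    // duplicated into the host process, which then owns it.
    HANDLE hLogFile = CreateFile(argv[2], GENERIC_WRITE, FILE_SHARE_READ, NULL,
                                 OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH, NULL);
    if (hLogFile == INVALID_HANDLE_VALUE) {
        _tprintf(_T("\nXcptLog: Can't create LogFile!"));
        return (getch());
    }
    SetFilePointer(hLogFile, 0, NULL, FILE_END);

    // dwProcessId starts as PW_MEMERROR so an untouched pi still fails the
    // PW_SESERROR range check below; CreateProcess is checked explicitly too.
    PROCESS_INFORMATION pi = {NULL, NULL, PW_MEMERROR, 0};
    if (Existing) {
        WatchPID = ProcessName2PID(argv[3]);
        if (IsNT) {
            HostPID = WatchPID;
        }
        // Exactly the access the steps below use: handle duplication, remote
        // memory writes and remote thread creation.
        hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, WatchPID);
        if (!hProcess) {
            CloseHandle(hLogFile);
            _tprintf(_T("\nXcptLog: Can't open '%s'!"), argv[3]);
            return (getch());
        }
    } else {
        STARTUPINFO si = {sizeof(si)};
        // Start suspended; the main thread is resumed only after StartLog ran.
        if (!CreateProcess(NULL, argv[3], NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
            CloseHandle(hLogFile);
            _tprintf(_T("\nXcptLog: Can't find/create '%s'!"), argv[3]);
            return (getch());
        }
        WatchPID = pi.dwProcessId;
        hProcess = pi.hProcess;
        if (IsNT) {
            HostPID = WatchPID;
        }
    }
    if ((WatchPID >= PW_SESERROR) || (HostPID >= PW_SESERROR)) {
        CloseHandle(hLogFile);
        if (!Existing) {
            // The child was created only for logging and is still suspended;
            // do not leave it hanging around.
            TerminateProcess(pi.hProcess, 1);
            CloseHandle(pi.hThread);
        }
        CloseHandle(hProcess);
        _tprintf(_T("\nXcptLog: Can't find/create '%s'!"), argv[3]);
        return (getch());
    }

    if (!IsNT) {
        // Win9x: end any earlier session in the shared host before hooking.
        LoadAndCall(NULL, ShortHooks_DLL, HostPID, 5000, 0, _T("StopLog"), 1, UnloadPars);
    }
    // It is possible to log exceptions in DllMains of statically loaded modules during
    // process startup in NT - use AddProcessInitDLL. Link XcptLog.wnt with NtApiWorks
    // or ApiHooks instead of ClientAW and call EAH in DllMain.
    // if(IsNT)
    // if(hGetProcFlags(hProcess) & RC_PF_NOTINITED)
    // Added = hAddProcessInitDLL(hProcess, Hooks_DLL, 0, NULL, NULL);
    // if(!Added)
    EstablishApiHooks(NULL, Hooks_DLL, HostPID, 5000);

    // StartLog gets the log handle (valid inside the host) and the PID to
    // watch. DUPLICATE_CLOSE_SOURCE closes our hLogFile whether or not the
    // duplication succeeds, so it must not be closed again on either path.
    HANDLE StartLogPars[2] = {INVALID_HANDLE_VALUE, (HANDLE)WatchPID};
    if (!DuplicateHandle(GetCurrentProcess(), hLogFile, hProcess, &StartLogPars[0], 0, FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
        // Without a log handle there is nothing to log; the hooks already
        // installed in the host can be removed with /u.
        if (!Existing) {
            TerminateProcess(pi.hProcess, 1);
            CloseHandle(pi.hThread);
        }
        CloseHandle(hProcess);
        _tprintf(_T("\nXcptLog: Can't pass LogFile to '%s'!"), argv[3]);
        return (getch());
    }
    LoadAndCall(NULL, Hooks_DLL, HostPID, 5000, 0, _T("StartLog"), 2, StartLogPars);
    CloseHandle(hProcess);
    if (!Existing) {
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
    }
    return (0);
}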