// SkMon_HookReg.c
////////////////////////////////////////////////////////////////////////////////
// Hook / Unhook Registry functions.
// and my Registry_Callback function.
////////////////////////////////////////////////////////////////////////////////
// Start by snake, 2000/9/29
// add structure output, 2000/10/16, by snake.
////////////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include <stdio.h>
#include "SkDrv_Misc.h"
#include "SkMon_reg.h"
#include "SkDrv_RegComm.h"
// Local declarations for the Win2K DDK headers this file targets, which do
// not provide them: the KeyNameInformation class value and the layout the
// service returns for it.
enum {
    KeyNameInformation = 3
};
// Result layout for KeyNameInformation: a length-prefixed, variable-length
// name. Name[1] is the pre-C99 idiom for a trailing flexible array; the
// real buffer extends past the struct. NOTE(review): whether NameLength is
// in bytes or characters is not established by this file — verify against
// the code that consumes it.
typedef struct _KEY_NAME_INFORMATION {
    ULONG NameLength;
    WCHAR Name[1]; // Variable length string
} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
// Signature of a single-handle registry service (e.g. the ZwClose/ZwDeleteKey
// originals). SkMon_HookRegKeyParamHandle takes one as its HandleFunc
// argument; its body is not in view, so what it does with it is presumed.
typedef NTSTATUS(*RegKeyParamFunction)(IN HANDLE KeyHandle);
//Reg Function Declare...
// Saved original service-table entry points for the registry services.
// HookSkMonRegistry() fills them in before installing the hooks, the hook
// functions forward to them, and UnHookSkMonRegistry() writes them back.
// They are plain (non-static) globals, so they are visible to, and writable
// from, other translation units.
// None of these pointer types carries an explicit NTAPI/__stdcall qualifier;
// on x86 the service-table targets are stdcall, so correct stack cleanup
// relies on the build's default calling convention — NOTE(review): confirm
// the driver build uses /Gz (stdcall default), or add NTAPI here and on the
// hook functions.
NTSTATUS (*RealRegOpenKey)( IN PHANDLE, IN OUT ACCESS_MASK, IN POBJECT_ATTRIBUTES );
NTSTATUS (*RealRegQueryKey)( IN HANDLE, IN KEY_INFORMATION_CLASS,
                             OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegQueryValueKey)( IN HANDLE, IN PUNICODE_STRING,
                                  IN KEY_VALUE_INFORMATION_CLASS,
                                  OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegEnumerateValueKey)( IN HANDLE, IN ULONG,
                                      IN KEY_VALUE_INFORMATION_CLASS,
                                      OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegEnumerateKey)( IN HANDLE, IN ULONG,
                                 IN KEY_INFORMATION_CLASS,
                                 OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegSetValueKey)( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName,
                                IN ULONG TitleIndex, IN ULONG Type,
                                IN PVOID Data, IN ULONG DataSize );
NTSTATUS (*RealRegCreateKey)( OUT PHANDLE, IN ACCESS_MASK,
                              IN POBJECT_ATTRIBUTES , IN ULONG,
                              IN PUNICODE_STRING, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegDeleteValueKey)( IN HANDLE, IN PUNICODE_STRING );
NTSTATUS (*RealRegCloseKey)( IN HANDLE );
NTSTATUS (*RealRegDeleteKey)( IN HANDLE );
// Declared but never assigned in this file: the ZwFlushKey hook is commented
// out in HookSkMonRegistry()/UnHookSkMonRegistry().
NTSTATUS (*RealRegFlushKey)( IN HANDLE );
// Declared only; no hook for ZwLoadKey/ZwUnloadKey is installed here.
NTSTATUS (*RealRegLoadKey)( IN POBJECT_ATTRIBUTES,
                            IN POBJECT_ATTRIBUTES );
NTSTATUS (*RealRegUnloadKey)( IN POBJECT_ATTRIBUTES );
//Local variables.
// TRUE while our replacements are installed in the service table.
// Read and written without any lock or interlocked operation; see
// HookSkMonRegistry()/UnHookSkMonRegistry().
BOOLEAN RegistryHook=FALSE;
// Resolve the service-table slot for a Zw* stub. The service index is read
// as a ULONG from offset +1 of the stub's code (this assumes the x86 stub
// layout where the first instruction is "mov eax, <index>"). The result is
// an lvalue, so it is used both to read the original entry and to write a
// hook. NOTE(review): this is x86-specific and tied to the exact stub
// prologue; a different prologue yields an arbitrary index and therefore an
// out-of-range table access — there is no bounds check against the table size.
#define GETSYSCALL(_table, _function) _table->ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
//local function declaring...
// Hook entry points installed into the service table by HookSkMonRegistry().
// Like the RealReg* pointers above they carry no explicit NTAPI qualifier —
// NOTE(review): correct x86 stack cleanup relies on the build defaulting to
// __stdcall; confirm. SkMon_HookRegFlushKey is declared but, per the
// commented-out lines in HookSkMonRegistry(), not installed.
NTSTATUS SkMon_HookRegOpenKey( IN OUT PHANDLE pHandle, IN ACCESS_MASK ReqAccess,
                               IN POBJECT_ATTRIBUTES pOpenInfo);
NTSTATUS SkMon_HookRegCreateKey( OUT PHANDLE handle, IN ACCESS_MASK AccessMask,
                                 IN POBJECT_ATTRIBUTES pObjectAttribute, IN ULONG,
                                 IN PUNICODE_STRING, IN ULONG, OUT PULONG);
NTSTATUS SkMon_HookRegQueryKey( IN HANDLE KeyHandle, IN KEY_INFORMATION_CLASS KeyInformationClass,
                                OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG pResultLength);
// NOTE(review): declared with KEY_VALUE_INFORMATION_CLASS although it is
// installed over ZwEnumerateKey, whose class argument is
// KEY_INFORMATION_CLASS (see RealRegEnumerateKey above) — check the body.
NTSTATUS SkMon_HookRegEnumerateKey( IN HANDLE KeyHandle, IN ULONG Index,
                                    IN KEY_VALUE_INFORMATION_CLASS KeyInformationClass,
                                    OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG pResultLength);
NTSTATUS SkMon_HookRegFlushKey( IN HANDLE );
NTSTATUS SkMon_HookRegDeleteKey( IN HANDLE );
NTSTATUS SkMon_HookRegCloseKey( IN HANDLE KeyHandle);
// Shared implementation for the single-handle hooks (close/delete/flush):
// takes the real service to forward to plus a name and action code for the
// log record. Body not in this excerpt.
NTSTATUS SkMon_HookRegKeyParamHandle(IN HANDLE KeyHandle,
                                     char *FunctionName, RegKeyParamFunction HandleFunc, ULONG dwAction);
NTSTATUS SkMon_HookRegDeleteValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING KeyName);
NTSTATUS SkMon_HookRegSetValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName,
                                   IN ULONG TitleIndex, IN ULONG Type,
                                   IN PVOID Data, IN ULONG DataSize );
NTSTATUS SkMon_HookRegEnumerateValueKey( IN HANDLE KeyHandle, IN ULONG longdata1,
                                         IN KEY_VALUE_INFORMATION_CLASS KeyInformationClass,
                                         OUT PVOID KeyInformation,
                                         IN ULONG Length, OUT PULONG pResultLength);
// Helpers used by the hooks (bodies not visible in this excerpt):
// - GetKeyFullName writes the full registry path for hKey (plus the optional
//   lpszSubKeyVal) into fullName. No buffer length is passed; the callers in
//   this file supply MAXPATHLEN-byte buffers, so the bound can only be
//   enforced inside the helper — NOTE(review): verify it is.
// - GetPointer resolves a handle to its object; the callers here
//   ObDereferenceObject a non-NULL result, so it presumably takes a
//   reference — verify.
// - IsTheThreadDisable / CanLogTheThread are the per-process block and log
//   policies. The two take the process name with different types
//   (char * vs LPCTSTR); with a non-Unicode TCHAR these agree, otherwise
//   the calls in this file would be mismatched.
// - AppendKeyInformation / AppendValueInformation / AppendRegValueData /
//   AppendRegValueType render information buffers as text into Buffer;
//   again no output length is passed (callers use MAXDATALEN buffers).
void GetKeyFullName( HANDLE hKey, PUNICODE_STRING lpszSubKeyVal, PCHAR fullName);
PVOID GetPointer( HANDLE handle );
BOOLEAN IsTheThreadDisable(ULONG id, char *name);
BOOLEAN CanLogTheThread(ULONG id, LPCTSTR str);
VOID AppendKeyInformation( IN KEY_INFORMATION_CLASS KeyInformationClass,
                           IN PVOID KeyInformation, PCHAR Buffer );
VOID AppendRegValueData( IN ULONG Type, IN PVOID Data, IN ULONG Length,
                         IN OUT PCHAR Buffer );
VOID AppendRegValueType( ULONG Type, PCHAR Buffer );
void RemoveHandleObjectInHashTable( IN HANDLE KeyHandle);
// Appends one registry log record to the log link (pMang): process id/name,
// the action code, whether the call was allowed (bEnable), the key path, the
// status and two optional free-form strings.
void SkMon_AddRegUnitToLink(IN Sk_LogUnit_Mang *pMang, IN ULONG processID,
                            IN char *szProcessName, IN ULONG dwRegAction,
                            IN BOOLEAN bEnable,
                            IN char *pszKeyName,
                            ULONG status,
                            IN PVOID otherInfo1, IN PVOID otherInfo2);
VOID AppendValueInformation( IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
                             IN PVOID KeyValueInformation, PCHAR Buffer, PCHAR ValueName );
//for special declaring RegAccessing function.
//
// Definition for Registry function prototypes not included in NTDDK.H
// (only the stub address is needed, as input to GETSYSCALL).
//
NTSYSAPI NTSTATUS NTAPI ZwDeleteValueKey( IN HANDLE, IN PUNICODE_STRING );
//NTSYSAPI NTSTATUS NTAPI ZwLoadKey( IN POBJECT_ATTRIBUTES, IN POBJECT_ATTRIBUTES );
//NTSYSAPI NTSTATUS NTAPI ZwUnloadKey( IN POBJECT_ATTRIBUTES );
// Reset the hook state at driver start: nothing is installed yet.
// Does not touch the service table; HookSkMonRegistry() does the installing.
void InitHookSkMonRegistry()
{
    RegistryHook = FALSE;
}
// Driver teardown: restore the original service-table entries (a no-op when
// nothing is installed). UnHookSkMonRegistry is defined further down and is
// not among the local prototypes above, so this call relies on a declaration
// from an included header. NOTE(review): restoring the table does not wait
// for threads that are currently executing inside a hook function; unloading
// the driver right after this can unmap code still in use — confirm the
// caller's unload sequencing.
void DeInitHookSkMonRegistry()
{
    UnHookSkMonRegistry();
}
//----------------------------------------------------------------------
// UnHookSkMonRegistry
// Put the saved original entry points back into the service table and mark
// the registry hook inactive. Safe to call when nothing is installed.
// The flag is cleared before the slots are rewritten, and neither step is
// synchronized against a concurrent HookSkMonRegistry() or against service
// calls that are already running inside a hook function.
//----------------------------------------------------------------------
void UnHookSkMonRegistry()
{
    if (!RegistryHook) {
        return; // nothing installed
    }
    RegistryHook = FALSE;

    // Key lifecycle services.
    GETSYSCALL(ServiceTable, ZwOpenKey)   = RealRegOpenKey;
    GETSYSCALL(ServiceTable, ZwCreateKey) = RealRegCreateKey;
    GETSYSCALL(ServiceTable, ZwClose)     = RealRegCloseKey;
    GETSYSCALL(ServiceTable, ZwDeleteKey) = RealRegDeleteKey;

    // Key/value read services.
    GETSYSCALL(ServiceTable, ZwQueryKey)          = RealRegQueryKey;
    GETSYSCALL(ServiceTable, ZwEnumerateKey)      = RealRegEnumerateKey;
    GETSYSCALL(ServiceTable, ZwEnumerateValueKey) = RealRegEnumerateValueKey;

    // Value write services.
    GETSYSCALL(ServiceTable, ZwSetValueKey)    = RealRegSetValueKey;
    GETSYSCALL(ServiceTable, ZwDeleteValueKey) = RealRegDeleteValueKey;

    // ZwFlushKey is not hooked (see HookSkMonRegistry), so nothing to restore:
    //GETSYSCALL( ServiceTable, ZwFlushKey) = RealRegFlushKey;
}
//----------------------------------------------------------------------
// HookSkMonRegistry
// Install the SkMon_HookReg* replacements into the system service table.
// For every service the original entry point is saved in the matching
// RealReg* pointer before its slot is overwritten, so the hook can forward
// to it and UnHookSkMonRegistry() can restore it. Idempotent: returns at
// once when the hooks are already in place.
// The slot is located by GETSYSCALL, which derives the service index from
// the Zw* stub bytes (x86-specific). Each table write is a plain store: no
// interlock against other writers and no handling of a write-protected
// service table — NOTE(review): confirm that is acceptable for the target OS.
//----------------------------------------------------------------------
void HookSkMonRegistry()
{
    if (RegistryHook) {
        return; // already installed
    }

    // For each service: remember the original, then swap in the hook.
    RealRegOpenKey = GETSYSCALL(ServiceTable, ZwOpenKey);
    GETSYSCALL(ServiceTable, ZwOpenKey) = (PVOID)SkMon_HookRegOpenKey;

    RealRegCreateKey = GETSYSCALL(ServiceTable, ZwCreateKey);
    GETSYSCALL(ServiceTable, ZwCreateKey) = (PVOID)SkMon_HookRegCreateKey;

    RealRegQueryKey = GETSYSCALL(ServiceTable, ZwQueryKey);
    GETSYSCALL(ServiceTable, ZwQueryKey) = (PVOID)SkMon_HookRegQueryKey;

    RealRegEnumerateKey = GETSYSCALL(ServiceTable, ZwEnumerateKey);
    GETSYSCALL(ServiceTable, ZwEnumerateKey) = (PVOID)SkMon_HookRegEnumerateKey;

    RealRegEnumerateValueKey = GETSYSCALL(ServiceTable, ZwEnumerateValueKey);
    GETSYSCALL(ServiceTable, ZwEnumerateValueKey) = (PVOID)SkMon_HookRegEnumerateValueKey;

    RealRegSetValueKey = GETSYSCALL(ServiceTable, ZwSetValueKey);
    GETSYSCALL(ServiceTable, ZwSetValueKey) = (PVOID)SkMon_HookRegSetValueKey;

    RealRegDeleteValueKey = GETSYSCALL(ServiceTable, ZwDeleteValueKey);
    GETSYSCALL(ServiceTable, ZwDeleteValueKey) = (PVOID)SkMon_HookRegDeleteValueKey;

    RealRegCloseKey = GETSYSCALL(ServiceTable, ZwClose);
    GETSYSCALL(ServiceTable, ZwClose) = (PVOID)SkMon_HookRegCloseKey;

    RealRegDeleteKey = GETSYSCALL(ServiceTable, ZwDeleteKey);
    GETSYSCALL(ServiceTable, ZwDeleteKey) = (PVOID)SkMon_HookRegDeleteKey;

    // ZwFlushKey is not hooked yet; SkMon_HookRegFlushKey is only declared.
    //RealRegFlushKey = GETSYSCALL( ServiceTable, ZwFlushKey);
    //GETSYSCALL( ServiceTable, ZwFlushKey) = (PVOID)SkMon_HookRegFlushKey;

    RegistryHook = TRUE;
}
//----------------------------------------------------------------------
// ErrorString
// Returns the error message text for a status code.
// NOTE(review): ErrorString is only referenced from commented-out log lines
// in this file and is not defined here; this header looks stale.
//----------------------------------------------------------------------
// Sizes of the stack buffers the hook functions build their log text in.
// The helpers that fill them (GetKeyFullName, AppendKeyInformation, ...)
// receive no length argument, so they cannot enforce these bounds
// themselves; the limit must be honored inside them (not verifiable here).
#define MAXPATHLEN 512
#define MAXDATALEN 256
// Text logged in place of data when no memory could be obtained for it.
const char szNoMemory[]="<NOT ENOUGH MEMORY>";
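//----------------------------------------------------------------------
// SkMon_HookRegOpenKey
// Replacement for ZwOpenKey installed by HookSkMonRegistry().
// If the calling process is blocked (IsTheThreadDisable) the open is refused
// with STATUS_ACCESS_DENIED without reaching the real service; when logging
// is enabled for it (CanLogTheThread) the refused attempt is recorded with
// bEnable = FALSE and STATUS_SUCCESS as the recorded status (the original
// author's convention for blocked calls). Otherwise the real ZwOpenKey is
// called and, when logging is enabled, the resolved key path, the key
// object pointer (on success) and the status are added to skLogLink.
// On success the key object is also registered in the hash table under its
// full path so later handle-only services (query/enumerate/close) can be
// logged with a path.
//
// pHandle and pOpenInfo are the caller's own pointers. This function runs
// as the system service itself, so for a user-mode caller they are user
// addresses; pOpenInfo->RootDirectory/ObjectName and *pHandle are read here
// directly, with no ProbeForRead/ProbeForWrite or exception handling, and
// the pOpenInfo read happens even when the real service failed —
// NOTE(review): a bad pointer therefore faults in kernel mode before the
// real service would have rejected it; confirm whether the helpers probe,
// otherwise guard these reads.
// Returns the status of the real service, or STATUS_ACCESS_DENIED when refused.
//----------------------------------------------------------------------
NTSTATUS SkMon_HookRegOpenKey( IN OUT PHANDLE pHandle, IN ACCESS_MASK ReqAccess,
                               IN POBJECT_ATTRIBUTES pOpenInfo)
{
    NTSTATUS status;
    PVOID regObject;
    CHAR fullname[MAXPATHLEN], data[MAXDATALEN], name[MAXPROCNAMELEN];
    ULONG dwProcessID;
    BOOLEAN CanLog;

    // The extra-info text is always a valid string, even when the real call
    // fails and no object pointer is rendered into it.
    data[0] = 0;
    GetProcessName( name, &dwProcessID);
    CanLog = CanLogTheThread( dwProcessID, name);

    if( IsTheThreadDisable(dwProcessID, name)){
        if( CanLog ){
            GetKeyFullName( pOpenInfo->RootDirectory, pOpenInfo->ObjectName, fullname);
            SkMon_AddRegUnitToLink(&skLogLink, dwProcessID,
                                   name, REG_ACTION_OPEN,
                                   FALSE,
                                   fullname,
                                   STATUS_SUCCESS,
                                   NULL, NULL);
        }
        status = STATUS_ACCESS_DENIED; // refused without calling the real service
    }
    else{
        status = RealRegOpenKey( pHandle, ReqAccess, pOpenInfo);
        if( CanLog){
            GetKeyFullName( pOpenInfo->RootDirectory, pOpenInfo->ObjectName, fullname);
            if( NT_SUCCESS(status)){
                // Map the new handle to its object and (re)register the
                // object -> full path entry.
                regObject = GetPointer( *pHandle);
                Sk_HashEntry_FreeUnit( regObject);
                Sk_HashEntry_AddUnit( regObject, fullname);
                // Fix: regObject is a pointer, and "%X" expects an unsigned int
                // (format/argument mismatch; truncates on 64-bit builds).
                // The text fits comfortably in MAXDATALEN.
                sprintf( data, "Key: 0x%p", regObject);
                if( regObject) ObDereferenceObject( regObject);
            }
            SkMon_AddRegUnitToLink(&skLogLink, dwProcessID,
                                   name, REG_ACTION_OPEN,
                                   TRUE,
                                   fullname,
                                   status,
                                   data, NULL);
        }
    }
    return status;
}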
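//----------------------------------------------------------------------
// SkMon_HookRegCreateKey
// Replacement for ZwCreateKey installed by HookSkMonRegistry().
// Same policy as SkMon_HookRegOpenKey: a blocked process (IsTheThreadDisable)
// gets STATUS_ACCESS_DENIED without the real service being called, and the
// refusal is logged (bEnable = FALSE, STATUS_SUCCESS recorded) when logging
// is enabled for it. Otherwise the real ZwCreateKey is called and, when
// logging is enabled, the key path, the key object pointer (on success) and
// the status are added to skLogLink; on success the object is registered in
// the hash table under its full path.
//
// handle and pObjectAttribute are the caller's pointers and, for a user-mode
// caller, user addresses; they are dereferenced here without probing or
// exception handling, and pObjectAttribute is read even when the real
// service failed — NOTE(review): see the same remark on
// SkMon_HookRegOpenKey; confirm the helpers probe or guard these reads.
// Returns the status of the real service, or STATUS_ACCESS_DENIED when refused.
//----------------------------------------------------------------------
NTSTATUS SkMon_HookRegCreateKey( OUT PHANDLE handle, IN ACCESS_MASK AccessMask,
                                 IN POBJECT_ATTRIBUTE pObjectAttribute, IN ULONG TitleIndex,
                                 IN PUNICODE_STRING Class, IN ULONG Options, OUT PULONG Disposition)
{
    NTSTATUS status;
    char fullname[MAXPATHLEN], data[MAXDATALEN], name[MAXPROCNAMELEN];
    ULONG dwProcessID;
    BOOLEAN bCanLog;
    PVOID regObject;

    // Fix: data was only written on the success path, so a failed create
    // handed an uninitialized stack buffer to the logger as a string.
    // Start empty, as SkMon_HookRegOpenKey does.
    data[0] = 0;
    GetProcessName( name, &dwProcessID);
    bCanLog = CanLogTheThread( dwProcessID, name);

    if( IsTheThreadDisable(dwProcessID, name)){
        if( bCanLog){
            GetKeyFullName( pObjectAttribute->RootDirectory, pObjectAttribute->ObjectName, fullname);
            SkMon_AddRegUnitToLink(&skLogLink, dwProcessID,
                                   name, REG_ACTION_CREATE,
                                   FALSE,
                                   fullname,
                                   STATUS_SUCCESS,
                                   NULL, NULL);
        }
        status = STATUS_ACCESS_DENIED; // refused without calling the real service
    }
    else{
        status = RealRegCreateKey( handle, AccessMask, pObjectAttribute, TitleIndex, Class, Options, Disposition);
        if( bCanLog){
            GetKeyFullName( pObjectAttribute->RootDirectory, pObjectAttribute->ObjectName, fullname);
            if( NT_SUCCESS(status)){
                // Map the new handle to its object and (re)register the
                // object -> full path entry.
                regObject = GetPointer( *handle);
                Sk_HashEntry_FreeUnit( regObject);
                Sk_HashEntry_AddUnit( regObject, fullname);
                // Fix: regObject is a pointer, and "%X" expects an unsigned int
                // (format/argument mismatch; truncates on 64-bit builds).
                // The text fits comfortably in MAXDATALEN.
                sprintf( data, "Key: 0x%p", regObject);
                if( regObject) ObDereferenceObject( regObject);
            }
            SkMon_AddRegUnitToLink(&skLogLink, dwProcessID,
                                   name, REG_ACTION_CREATE,
                                   TRUE,
                                   fullname,
                                   status,
                                   data, NULL);
        }
    }
    return status;
}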
//----------------------------------------------------------------------
// SkMon_HookRegQueryKey
// Replacement for ZwQueryKey installed by HookSkMonRegistry().
// A blocked process (IsTheThreadDisable) gets STATUS_ACCESS_DENIED without
// the real service being called; otherwise the call is forwarded unchanged.
// When logging is enabled for the process (CanLogTheThread) one record is
// added to skLogLink: the key's full path (resolved from KeyHandle) plus,
// for a successful forwarded call, a text rendering of the returned
// KeyInformation; a refused call is recorded with bEnable = FALSE,
// STATUS_SUCCESS and no data, matching the other hooks in this file.
//
// KeyInformation is the caller's output buffer and AppendKeyInformation()
// reads it back after the real service has filled it — NOTE(review): for a
// user-mode caller that is an unprobed read of user memory, and another
// thread can change the buffer between the fill and the read; only the
// class is passed to the helper, not Length, so confirm it bounds what it
// reads.
// Returns the forwarded status, or STATUS_ACCESS_DENIED when refused.
//----------------------------------------------------------------------
NTSTATUS SkMon_HookRegQueryKey( IN HANDLE KeyHandle, IN KEY_INFORMATION_CLASS KeyInformationClass,
                                OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG pResultLength)
{
    NTSTATUS status;
    char fullname[MAXPATHLEN], data[MAXDATALEN], name[MAXPROCNAMELEN];
    ULONG dwProcessID;
    BOOLEAN bCanLog, bBlocked;

    GetProcessName( name, &dwProcessID);
    bCanLog  = CanLogTheThread( dwProcessID, name);
    bBlocked = IsTheThreadDisable( dwProcessID, name);

    // Decide the outcome first; the log record is built afterwards.
    if( bBlocked){
        status = STATUS_ACCESS_DENIED;
    }
    else{
        status = RealRegQueryKey( KeyHandle, KeyInformationClass, KeyInformation, Length, pResultLength);
    }

    if( bCanLog){
        data[0] = 0;
        if( !bBlocked && NT_SUCCESS(status)){
            AppendKeyInformation( KeyInformationClass, KeyInformation, data);
        }
        GetKeyFullName( KeyHandle, NULL, fullname);
        SkMon_AddRegUnitToLink(&skLogLink, dwProcessID,
                               name, REG_ACTION_QUERY,
                               (BOOLEAN)!bBlocked,
                               fullname,
                               bBlocked ? STATUS_SUCCESS : status,
                               bBlocked ? NULL : data,
                               NULL);
    }
    return status;
}
BOOLEAN bRecordTwice = FALSE;
NTSTATUS SkMon_HookRegEnumerateValueKey( IN HANDLE KeyHandle, IN ULONG longdata1,
IN KEY_VALUE_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG Length, OUT PULONG pResultLength)
{
NTSTATUS status;
char fullname[MAXPATHLEN], data[MAXDATALEN], name[MAXPROCNAMELEN], valuename[100], value[MAXDATALEN];
ULONG dwProcessID;
BOOLEAN bCanLog;
GetProcessName( name, &dwProcessID);
bCanLog = CanLogTheThread( dwProcessID, name);
if( IsTheThreadDisable( dwProcessID, name)){
status = STATUS_ACCESS_DENIED;
if( bCanLog){
GetKeyFullName( KeyHandle, NULL, fullname);
SkMon_AddRegUnitToLink(&skLogLink, dwProcessID,
name, REG_ACTION_ENUMERATE_VALUE,
FALSE,
fullname,