STATUS_SUCCESS,
NULL, NULL);
//Sk_LogUnit_AddStrToLog(&skLogLink,"%d - %s +EnumerateValueKey+ ***DISABLE*** [%s]",
// dwProcessID, name, fullname);
}
}
else{
status = RealRegEnumerateValueKey( KeyHandle, longdata1, KeyInformationClass,
KeyInformation, Length, pResultLength);
if( bCanLog){
/*if( NT_SUCCESS(status)){
if( bRecordTwice)
bRecordTwice = FALSE;
else
bRecordTwice = TRUE;
}
else
bRecordTwice = FALSE;
*/
//if( !bRecordTwice){
data[0] = 0;
if( NT_SUCCESS(status )){
value[0] = 0;
AppendValueInformation( KeyInformationClass,
KeyInformation,
value,
valuename );
if( valuename[0] == 0)
strcpy( valuename,"默认");
sprintf( data,"[%s] - %s", valuename, value);
}
GetKeyFullName( KeyHandle, NULL, fullname);
SkMon_AddRegUnitToLink(&skLogLink, dwProcessID,
name, REG_ACTION_ENUMERATE_VALUE,
TRUE,
fullname,
status,
data,NULL);
//}
}
}
return status;
}
/*
 * Hook for the "enumerate subkey" registry service.
 *
 * Every hook in this file has the same shape: identify the calling process,
 * decide whether the action is blocked for it, then either refuse it with
 * STATUS_ACCESS_DENIED or forward it to the real service, logging the
 * outcome when the thread is eligible for logging.
 *
 * Returns STATUS_ACCESS_DENIED for a blocked thread, otherwise whatever the
 * real service returned. The log entry for a blocked call carries the
 * "allowed" flag FALSE together with STATUS_SUCCESS as its status;
 * presumably the flag, not the status, marks the block -- confirm against
 * the log reader.
 *
 * NOTE(review): KeyInformationClass is declared KEY_VALUE_INFORMATION_CLASS
 * but is forwarded to AppendKeyInformation, which takes
 * KEY_INFORMATION_CLASS. Both are plain enums so this compiles; the
 * declaration should probably match the header prototype -- confirm.
 * NOTE(review): KeyInformation is the service caller's output buffer, i.e.
 * normally user-mode memory, and is read here after the real call without
 * a probe or exception handler; a caller that unmaps or rewrites it
 * concurrently can crash or mislead the logger. Cannot tell from here
 * whether the driver probes it elsewhere.
 */
NTSTATUS SkMon_HookRegEnumerateKey( IN HANDLE KeyHandle, IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG pResultLength)
{
    char keyPath[MAXPATHLEN], detail[MAXPATHLEN], procName[MAXPROCNAMELEN];
    ULONG pid;
    BOOLEAN canLog;
    NTSTATUS rc;

    GetProcessName( procName, &pid);
    canLog = CanLogTheThread( pid, procName);

    if( IsTheThreadDisable( pid, procName)){
        /* Blocked: the real service is never reached. */
        if( canLog){
            GetKeyFullName( KeyHandle, NULL, keyPath);
            SkMon_AddRegUnitToLink( &skLogLink, pid, procName, REG_ACTION_ENUMERATE,
                FALSE, keyPath, STATUS_SUCCESS, NULL, NULL);
        }
        return STATUS_ACCESS_DENIED;
    }

    rc = RealRegEnumerateKey( KeyHandle, Index, KeyInformationClass,
        KeyInformation, Length, pResultLength);
    if( canLog){
        GetKeyFullName( KeyHandle, NULL, keyPath);
        detail[0] = 0;
        /* Only describe the returned record when the service filled it in. */
        if( NT_SUCCESS(rc))
            AppendKeyInformation( KeyInformationClass, KeyInformation, detail);
        SkMon_AddRegUnitToLink( &skLogLink, pid, procName, REG_ACTION_ENUMERATE,
            TRUE, keyPath, rc, detail, NULL);
    }
    return rc;
}
/*
 * Hook for the "set value" registry service.
 *
 * A blocked thread gets STATUS_ACCESS_DENIED without the value being
 * written; otherwise the call is forwarded and, for a loggable thread, the
 * key path, the returned status and a textual rendering of the new data
 * are recorded. Unlike the enumerate hooks, the data is rendered whether or
 * not the real call succeeded (Data is the caller's input, not an output).
 *
 * NOTE(review): Data and DataSize come from the service caller (normally
 * user-mode memory) and are handed to AppendRegValueData after the real
 * call with no probe here; per the original comment, Data holds UTF-16
 * text for the *_SZ types. Whether AppendRegValueData bounds its copy to
 * the MAXPATHLEN detail buffer cannot be verified from this file excerpt.
 */
NTSTATUS SkMon_HookRegSetValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex, IN ULONG Type,
IN PVOID Data, IN ULONG DataSize )
{
    char keyPath[MAXPATHLEN], detail[MAXPATHLEN], procName[MAXPROCNAMELEN];
    ULONG pid;
    BOOLEAN canLog;
    NTSTATUS rc;

    GetProcessName( procName, &pid);
    canLog = CanLogTheThread( pid, procName);

    if( IsTheThreadDisable( pid, procName)){
        if( canLog){
            GetKeyFullName( KeyHandle, NULL, keyPath);
            SkMon_AddRegUnitToLink( &skLogLink, pid, procName, REG_ACTION_SET_VALUE,
                FALSE, keyPath, STATUS_SUCCESS, NULL, NULL);
        }
        return STATUS_ACCESS_DENIED;
    }

    rc = RealRegSetValueKey( KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
    if( canLog){
        GetKeyFullName( KeyHandle, NULL, keyPath);
        detail[0] = 0;
        AppendRegValueData( Type, Data, DataSize, detail);
        SkMon_AddRegUnitToLink( &skLogLink, pid, procName, REG_ACTION_SET_VALUE,
            TRUE, keyPath, rc, detail, NULL);
    }
    return rc;
}
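/*
 * Hook for the "delete value" registry service.
 *
 * KeyName is, despite its name, the value being deleted: it is what the
 * real service receives as its value-name argument. A blocked thread gets
 * STATUS_ACCESS_DENIED; otherwise the call is forwarded and, for a loggable
 * thread, the key path, the status and the value name are recorded.
 *
 * Fix: the "allowed" path used to pass KeyName in the argument slot that
 * every other log call in this file fills with a char detail buffer
 * (data[MAXPATHLEN]) and NULL in the trailing slot that this function's own
 * blocked path uses for KeyName. A PUNICODE_STRING handed over as a char
 * pointer would be read as a C string -- i.e. the struct's Length and
 * MaximumLength bytes -- instead of the name. Both paths now pass the
 * value name in the trailing slot. Confirm against the prototype of
 * SkMon_AddRegUnitToLink, which is not visible in this file excerpt.
 */
NTSTATUS SkMon_HookRegDeleteValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING KeyName)
{
    char keyPath[MAXPATHLEN], procName[MAXPROCNAMELEN];
    ULONG pid;
    BOOLEAN canLog;
    NTSTATUS rc;

    GetProcessName( procName, &pid);
    canLog = CanLogTheThread( pid, procName);

    if( IsTheThreadDisable( pid, procName)){
        if( canLog){
            GetKeyFullName( KeyHandle, NULL, keyPath);
            SkMon_AddRegUnitToLink( &skLogLink, pid, procName, REG_ACTION_DELETE_VALUE,
                FALSE, keyPath, STATUS_SUCCESS, NULL, KeyName);
        }
        return STATUS_ACCESS_DENIED;
    }

    rc = RealRegDeleteValueKey( KeyHandle, KeyName);
    if( canLog){
        GetKeyFullName( KeyHandle, NULL, keyPath);
        /* Value name goes in the same (UNICODE_STRING) slot as on the blocked path. */
        SkMon_AddRegUnitToLink( &skLogLink, pid, procName, REG_ACTION_DELETE_VALUE,
            TRUE, keyPath, rc, NULL, KeyName);
    }
    return rc;
}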
/*
 * Shared hook body for registry services that take only a key handle
 * (delete key, flush key -- see the wrappers below).
 *
 * KeyHandle     the handle the hooked service was called with.
 * FunctionName  human-readable service name; not used by the current
 *               code (only the removed free-text logging referenced it),
 *               kept for the callers.
 * HandleFunc    the real service to forward to.
 * dwAction      REG_ACTION_* code written to the log.
 *
 * Returns STATUS_ACCESS_DENIED for a blocked thread, otherwise the real
 * service's status.
 */
NTSTATUS SkMon_HookRegKeyParamHandle(IN HANDLE KeyHandle,
char *FunctionName, RegKeyParamFunction HandleFunc,
ULONG dwAction)
{
    char keyPath[MAXPATHLEN], procName[MAXPROCNAMELEN];
    ULONG pid;
    BOOLEAN canLog;
    NTSTATUS rc;

    GetProcessName( procName, &pid);
    canLog = CanLogTheThread( pid, procName);

    if( IsTheThreadDisable( pid, procName)){
        if( canLog){
            GetKeyFullName( KeyHandle, NULL, keyPath);
            SkMon_AddRegUnitToLink( &skLogLink, pid, procName, dwAction,
                FALSE, keyPath, STATUS_SUCCESS, NULL, NULL);
        }
        return STATUS_ACCESS_DENIED;
    }

    if( !canLog)
        return HandleFunc( KeyHandle);

    /* Resolve the key's name BEFORE forwarding: after a successful delete
     * the name can no longer be obtained from the handle. */
    GetKeyFullName( KeyHandle, NULL, keyPath);
    rc = HandleFunc( KeyHandle);
    SkMon_AddRegUnitToLink( &skLogLink, pid, procName, dwAction,
        TRUE, keyPath, rc, NULL, NULL);
    return rc;
}
/*
 * Hook for handle close.
 *
 * Closes are not subject to the block/allow decision; the close is always
 * forwarded. It is logged only when the handle's object is found in the
 * monitor's hash table, i.e. when an earlier registry action registered it
 * there; the table entry is then dropped before the real close runs.
 *
 * NOTE(review): the object pointer returned by GetPointer is dereferenced
 * (ObDereferenceObject) immediately and afterwards used only as a lookup
 * key, never touched as an object. Presumably GetPointer takes a reference
 * that is released here -- confirm, since a non-referencing GetPointer would
 * make this an over-release.
 */
NTSTATUS SkMon_HookRegCloseKey( IN HANDLE KeyHandle)
{
    PVOID keyObject = GetPointer( KeyHandle);

    if( keyObject != NULL){
        LogUnit *unit;

        ObDereferenceObject( keyObject);
        unit = Sk_HashEntry_SearchItem( keyObject);
        if( unit != NULL){
            /* Tracked handle: record the close with the key's path. */
            char keyPath[MAXPATHLEN], procName[MAXPROCNAMELEN];
            ULONG pid;

            GetProcessName( procName, &pid);
            GetKeyFullName( KeyHandle, NULL, keyPath);
            SkMon_AddRegUnitToLink( &skLogLink, pid, procName, REG_ACTION_CLOSE,
                TRUE, keyPath, STATUS_SUCCESS, NULL, NULL);
        }
        RemoveHandleObjectInHashTable( KeyHandle);
    }

    return RealRegCloseKey( KeyHandle);
}
/*
 * Hook for the "delete key" service: delegates to SkMon_HookRegKeyParamHandle
 * (which resolves the key name before the delete and logs the outcome), then
 * removes the handle from the tracking table.
 *
 * NOTE(review): the table entry is removed regardless of the returned
 * status, so after a failed delete -- when the handle is still fully open --
 * the eventual close of this handle presumably goes unlogged. Whether that
 * is intended cannot be told from here.
 */
NTSTATUS SkMon_HookRegDeleteKey( IN HANDLE KeyHandle)
{
    NTSTATUS rc = SkMon_HookRegKeyParamHandle( KeyHandle, "DeleteKey",
        RealRegDeleteKey, REG_ACTION_DELETE);
    RemoveHandleObjectInHashTable( KeyHandle);
    return rc;
}
/*
 * Hook for the "flush key" service: delegates to SkMon_HookRegKeyParamHandle
 * and then removes the handle from the tracking table.
 *
 * NOTE(review): a flush leaves the handle fully usable, yet the tracking
 * entry is dropped exactly as in the delete wrapper, so a later close of
 * this handle presumably is no longer logged. This looks like a copy of
 * SkMon_HookRegDeleteKey; confirm that dropping the entry is intended.
 */
NTSTATUS SkMon_HookRegFlushKey( IN HANDLE KeyHandle)
{
    NTSTATUS rc = SkMon_HookRegKeyParamHandle( KeyHandle, "FlushKey",
        RealRegFlushKey, REG_ACTION_FLUSH);
    RemoveHandleObjectInHashTable( KeyHandle);
    return rc;
}
//add key's information into buffer.
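/*
 * Bounded "Name: <key name>" formatter shared by the name-bearing
 * information classes handled in AppendKeyInformation.
 *
 * Buffer      destination; every caller in this file passes a char array of
 *             MAXPATHLEN bytes. Always NUL-terminated on return.
 * Name        UTF-16 key name as stored in the KEY_*_INFORMATION record
 *             (not NUL-terminated).
 * NameLength  its length in bytes, taken straight from the record.
 *
 * The record lives in the hooked service's output buffer, which is not
 * trusted here: NameLength is clamped before it is narrowed into a
 * UNICODE_STRING, the conversion status is checked, and the ANSI name is
 * cut so that the formatted line cannot overrun Buffer. sprintf is the only
 * formatter this file has in scope, so the bound is enforced through the
 * "%.*s" precision argument rather than a sized printf.
 */
static VOID AppendKeyNameBounded( PCHAR Buffer, PWCHAR Name, ULONG NameLength )
{
    UNICODE_STRING uname;
    ANSI_STRING aname;
    NTSTATUS status;
    ULONG nameBytes = NameLength;
    int maxChars;

    /* UNICODE_STRING.Length is a USHORT byte count and must be even. The
     * previous code cast the ULONG straight to USHORT, so an oversized
     * (corrupt or caller-chosen) NameLength silently became a different
     * length; clamp to the largest even USHORT value instead. */
    if( nameBytes > 0xFFFEu)
        nameBytes = 0xFFFEu;
    nameBytes &= ~1u;

    uname.Length = (USHORT) nameBytes;
    uname.MaximumLength = (USHORT) nameBytes;
    uname.Buffer = Name;

    /* AllocateDestination == TRUE: on success aname.Buffer is a freshly
     * allocated, NUL-terminated copy that is released below. The previous
     * code ignored the status and printed aname.Buffer regardless. */
    status = RtlUnicodeStringToAnsiString( &aname, &uname, TRUE );
    if( !NT_SUCCESS(status)){
        sprintf( Buffer, "Name: <conversion failed>" );
        return;
    }

    /* "Name: " is 6 bytes and the terminator 1, so at most MAXPATHLEN - 7
     * name bytes fit. aname.Length is a USHORT and therefore fits an int. */
    maxChars = MAXPATHLEN - 7;
    if( (int) aname.Length < maxChars)
        maxChars = (int) aname.Length;
    sprintf( Buffer, "Name: %.*s", maxChars, aname.Buffer );

    RtlFreeAnsiString( &aname );
}

/*
 * Format a one-line summary of a KEY_*_INFORMATION record into Buffer.
 *
 * KeyInformationClass  selects which structure KeyInformation points to.
 * KeyInformation       the record. For the Basic/Node/Name classes only
 *                      NameLength and Name are read; for KeyFullInformation
 *                      only SubKeys. Other classes yield a fixed
 *                      "Unknown Info Class" line.
 * Buffer               destination char array of MAXPATHLEN bytes (what the
 *                      callers in this file pass); NUL-terminated on return.
 *
 * Fixes relative to the previous version: the key name is no longer copied
 * into Buffer with an unbounded sprintf (a name of up to 64 KiB from the
 * service caller's buffer could overrun the MAXPATHLEN stack buffer of the
 * calling hook), the ULONG->USHORT narrowing of NameLength is clamped, the
 * conversion status is checked, and SubKeys is printed with an unsigned
 * conversion matching its ULONG type. The record pointer itself is still
 * not probed here; see the callers.
 */
VOID AppendKeyInformation( IN KEY_INFORMATION_CLASS KeyInformationClass,
IN PVOID KeyInformation, PCHAR Buffer )
{
    switch( KeyInformationClass ) {
    case KeyBasicInformation: {
        PKEY_BASIC_INFORMATION info = (PKEY_BASIC_INFORMATION) KeyInformation;
        AppendKeyNameBounded( Buffer, info->Name, info->NameLength );
        break;
    }
    case KeyFullInformation: {
        PKEY_FULL_INFORMATION info = (PKEY_FULL_INFORMATION) KeyInformation;
        /* SubKeys is a ULONG; the previous "%d" mis-typed it. */
        sprintf( Buffer, "Subkeys = %lu", (unsigned long) info->SubKeys );
        break;
    }
    case KeyNodeInformation: {
        PKEY_NODE_INFORMATION info = (PKEY_NODE_INFORMATION) KeyInformation;
        AppendKeyNameBounded( Buffer, info->Name, info->NameLength );
        break;
    }
    case KeyNameInformation: {
        /* Introduced with Windows 2000; same name layout as the classes above. */
        PKEY_NAME_INFORMATION info = (PKEY_NAME_INFORMATION) KeyInformation;
        AppendKeyNameBounded( Buffer, info->Name, info->NameLength );
        break;
    }
    default:
        sprintf( Buffer, "Unknown Info Class" );
        break;
    }
}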
//----------------------------------------------------------------------
// AppendRegValueData
// Append the registry value's data to Buffer, formatted according to its type; data longer than the maximum length is truncated.
//----------------------------------------------------------------------
VOID AppendRegValueData( IN ULONG Type, IN PVOID Data, IN ULONG Length,
IN OUT PCHAR Buffer )
{
PWCHAR pstring;
PULONG pulong;