PUCHAR pbinary;
CHAR tmp[MAXDATALEN];
UNICODE_STRING ukeyname;
ANSI_STRING akeyname;
int len, i;
switch( Type ) {
case REG_SZ:
case REG_EXPAND_SZ:
case REG_MULTI_SZ:
pstring = (PWCHAR) Data;
ukeyname.Length = (USHORT) Length;
ukeyname.MaximumLength = (USHORT) Length;
ukeyname.Buffer = pstring;
RtlUnicodeStringToAnsiString( &akeyname,
&ukeyname, TRUE );
strcat( Buffer, "\"");
strncat( Buffer+1, akeyname.Buffer, MAXPATHLEN - 6);
if( akeyname.Length > MAXPATHLEN - 6 ) strcat( Buffer,"...");
strcat( Buffer, "\"");
RtlFreeAnsiString( &akeyname );
break;
case REG_DWORD:
pulong = (PULONG) Data;
sprintf( tmp, "0x%X", *pulong );
strcat( Buffer, tmp );
break;
case REG_BINARY:
case REG_RESOURCE_LIST:
case REG_FULL_RESOURCE_DESCRIPTOR:
case REG_RESOURCE_REQUIREMENTS_LIST:
pbinary = (PCHAR) Data;
if( Length > 8 ) len = 8;
else len = Length;
for( i = 0; i < len; i++ ) {
sprintf( tmp, "%02X ", (UCHAR) pbinary[i]);
strcat( Buffer, tmp );
}
if( Length > 8) strcat( Buffer, "...");
break;
default:
AppendRegValueType( Type, Buffer );
break;
}
}
//Is the calling thread's process on the disable (forbid) list, by ID or by name?
// Returns non-zero when the process is on either disable list.  The ID
// table is consulted first; the name table is only consulted when the ID
// lookup found nothing.
BOOLEAN IsTheThreadDisable(ULONG dwID, char *name)
{
    BOOLEAN found = Sk_dwLink_IsData_InLink(&Disable_ProcessIDTable, dwID);

    // Same short-circuit as before: a hit on the ID table wins outright.
    return found ? found
                 : Sk_dwLink_IsStr_InLink(&Disable_ProcessNameTable, name, TRUE);
}
//----------------------------------------------------------------------
// GetPointer
// Resolve a handle to its object pointer (adds a reference on success).
//----------------------------------------------------------------------
// Resolves handle to the object it refers to.  Returns NULL for a NULL
// handle or when ObReferenceObjectByHandle does not return exactly
// STATUS_SUCCESS; otherwise the returned object carries one extra
// reference that the caller must release with ObDereferenceObject.
PVOID GetPointer( HANDLE handle )
{
    PVOID object = NULL;
    NTSTATUS status;

    if (handle == NULL) {
        return NULL;
    }
    // NOTE(review): AccessMode is KernelMode, so no access check is applied to
    // the handle and kernel-handle values are accepted.  If any caller passes
    // a handle that originated in user mode, ExGetPreviousMode() would be the
    // safer mode to pass here — confirm where callers obtain hKey.
    status = ObReferenceObjectByHandle(handle, 0, NULL, KernelMode, &object, NULL);
    // Only an exact STATUS_SUCCESS counts, matching the original comparison.
    return (status == STATUS_SUCCESS) ? object : NULL;
}
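// Append src to dst without writing past cap bytes (terminator included).
// dst must already be NUL-terminated within cap; overflow truncates silently.
static void AppendBounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 >= cap) {
        return;                       // no room left, not even for one char
    }
    strncat(dst, src, cap - 1 - used);
}

//----------------------------------------------------------------------
// GetKeyFullName
// Builds the full name of a registry key into fullName (at least
// MAXPATHLEN bytes): the object name of hKey — taken from the hash cache
// when present, otherwise from ObQueryNameString — followed by "\" and
// lpszSubKeyVal when one is supplied.  On allocation failure fullName
// receives szNoMemory.  lpszSubKeyVal may be the caller-supplied string of
// the hooked service, so every access to it happens inside try/except and
// a fault yields "*** invalid name ***" instead of a crash.
//----------------------------------------------------------------------
void GetKeyFullName( HANDLE hKey, PUNICODE_STRING lpszSubKeyVal, PCHAR fullName)
{
    char *tempName;
    PVOID pKey;
    HashUnit *pUnit;
    UNICODE_STRING *pUniName;
    ULONG actualLen;
    // Size of the ObQueryNameString scratch buffer: room for a UNICODE_STRING
    // header plus MAXPATHLEN*2 bytes of name.
    ULONG uniBytes = (ULONG)(MAXPATHLEN * 2 + 2 * sizeof(ULONG));

    if (!fullName) return;
    tempName = ExAllocatePool(PagedPool, MAXPATHLEN);
    if (!tempName) {
        strcpy(fullName, szNoMemory);
        return;
    }
    fullName[0] = 0;
    tempName[0] = 0;

    pKey = GetPointer(hKey);
    if (pKey) {
        pUnit = Sk_HashEntry_SearchItem(pKey);
        if (pUnit) {
            // Cached name; bounded so an over-long cache entry cannot spill.
            AppendBounded(tempName, MAXPATHLEN, pUnit->szStr);
        } else {
            pUniName = ExAllocatePool(PagedPool, uniBytes);
            if (!pUniName) {
                ObDereferenceObject(pKey);
                strcpy(fullName, szNoMemory);
                ExFreePool(tempName);
                return;
            }
            pUniName->MaximumLength = MAXPATHLEN * 2;
            // Pass the real allocation size (the old code passed MAXPATHLEN,
            // under-reporting the buffer); the copy below still truncates.
            if (NT_SUCCESS(ObQueryNameString(pKey, pUniName, uniBytes, &actualLen))) {
                ANSI_STRING keyname;
                // The conversion can fail (no pool); only touch Buffer on success.
                if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&keyname, pUniName, TRUE))) {
                    if (keyname.Buffer[0]) {
                        strcpy(tempName, "\\");
                        strncat(tempName, keyname.Buffer, MAXPATHLEN - 2);
                    }
                    RtlFreeAnsiString(&keyname);
                }
            }
            ExFreePool(pUniName);
        }
        // Keep the reference until the object has been queried: the old code
        // released it first and then handed the pointer to ObQueryNameString,
        // which a concurrent close could have turned into a dangling access.
        ObDereferenceObject(pKey);
    }

    // Append the sub-key / value name, if any.
    try {
        if (lpszSubKeyVal) {
            ANSI_STRING keyname;
            if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&keyname, lpszSubKeyVal, TRUE))) {
                if (keyname.Buffer[0]) {
                    // Bounded: when tempName is already full the old strcat("\\")
                    // overflowed by one byte and the following strncat length
                    // wrapped to SIZE_MAX.
                    AppendBounded(tempName, MAXPATHLEN, "\\");
                    AppendBounded(tempName, MAXPATHLEN, keyname.Buffer);
                }
                RtlFreeAnsiString(&keyname);
            }
        }
    } except (EXCEPTION_EXECUTE_HANDLER) {
        // Also bounded: a full tempName plus this marker used to overflow.
        AppendBounded(tempName, MAXPATHLEN, "*** invalid name ***");
    }
    // Current-user and root-key prefix rewriting is intentionally not done here.
    // fullName is assumed to hold MAXPATHLEN bytes, the size of tempName.
    strcpy(fullName, tempName);
    ExFreePool(tempName);
    return;
}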
// Decides whether events from the given process may be logged.  With
// byLogProcessInListOnly cleared everything is logged; otherwise the process
// must be present in the log ID table or the log name table.
BOOLEAN CanLogTheThread(ULONG id, LPCTSTR str)
{
    BOOLEAN listed;

    if (byLogProcessInListOnly == 0) {
        return TRUE;                  // filtering is off
    }
    // Same evaluation order as before: ID table first, then name table.
    listed = Sk_dwLink_IsData_InLink(&Log_ProcessIDTable, id) ||
             Sk_dwLink_IsStr_InLink(&Log_ProcessNameTable, str, TRUE);
    return listed ? TRUE : FALSE;
}
//----------------------------------------------------------------------
// AppendRegValueType
// Get the name of a registry value type and append it to the output string.
//----------------------------------------------------------------------
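// Appends the textual name of registry value type Type to Buffer, or
// "UNKNOWN TYPE: <n>" when the type is not recognised.  Buffer must be
// NUL-terminated and have room for the appended text (the longest name is
// 16 characters; the unknown form is at most 24 characters plus terminator).
VOID AppendRegValueType( ULONG Type, PCHAR Buffer )
{
    // One entry per recognised type; values are distinct so first match is exact.
    static const struct {
        ULONG type;
        const char *name;
    } names[] = {
        { REG_BINARY,                   "BINARY" },
        { REG_DWORD_LITTLE_ENDIAN,      "DWORD_LITTLE_END" },
        { REG_DWORD_BIG_ENDIAN,         "DWORD_BIG_END" },
        { REG_EXPAND_SZ,                "EXPAND_SZ" },
        { REG_LINK,                     "LINK" },
        { REG_MULTI_SZ,                 "MULTI_SZ" },
        { REG_NONE,                     "NONE" },
        { REG_SZ,                       "SZ" },
        { REG_RESOURCE_LIST,            "RESOURCE_LIST" },
        { REG_RESOURCE_REQUIREMENTS_LIST, "REQ_LIST" },
        { REG_FULL_RESOURCE_DESCRIPTOR, "DESCRIPTOR" },
    };
    CHAR tmp[MAXDATALEN];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (names[i].type == Type) {
            strcat(Buffer, names[i].name);
            return;
        }
    }
    // Type is a ULONG: %lu matches it (the old %d was a signed mismatch).
    sprintf(tmp, "UNKNOWN TYPE: %lu", Type);
    strcat(Buffer, tmp);
}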
//Remove the hash-table entry for the object behind this key handle.
// Drops the hash-table unit keyed by the object behind KeyHandle.  The
// object is resolved only to obtain its address; the extra reference taken
// by GetPointer is released immediately.
void RemoveHandleObjectInHashTable( IN HANDLE KeyHandle)
{
    PVOID keyObject = GetPointer(KeyHandle);

    if (keyObject != NULL) {
        ObDereferenceObject(keyObject);
    }
    // Called unconditionally, as before — also when the lookup yielded NULL.
    // NOTE(review): relies on Sk_HashEntry_FreeUnit tolerating NULL; confirm.
    Sk_HashEntry_FreeUnit(keyObject);
}
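// Records one registry action as a log unit on pMang.  The unit holds a
// REG_LOGUNIT header followed, in strOtherInfo, by pszKeyName and then a
// second NUL-terminated string whose meaning depends on dwRegAction:
// the ANSI text in otherInfo1 for open/create/query/enumerate/set, the
// converted UNICODE value name in otherInfo1 for delete-value, and an empty
// string for every other action.  otherInfo2 is accepted but unused.
// Nothing is recorded when pszKeyName or szProcessName is NULL, or when no
// log unit can be obtained.
void SkMon_AddRegUnitToLink(IN Sk_LogUnit_Mang *pMang, IN ULONG processID,
                            IN char *szProcessName, IN ULONG dwRegAction,
                            IN BOOLEAN bEnable,
                            IN char *pszKeyName,
                            IN ULONG status,
                            IN PVOID otherInfo1, IN PVOID otherInfo2)
{
    int iSize, iKeyNameLen, iDataLen;
    char *lpszData = NULL;
    char *pszWriteInfo;
    PUNICODE_STRING pKeyName;
    ANSI_STRING AnsiString;
    REG_LOGUNIT *pRegLogUnit;
    LogUnit *pNewLogUnit;
    BOOLEAN bAllocMemoryForAnsi = FALSE;

    // Both strings are copied unconditionally below; the old code dereferenced
    // them without checking.
    if (!pszKeyName || !szProcessName) {
        return;
    }
    RtlInitAnsiString(&AnsiString, "");

    switch (dwRegAction) {
    case REG_ACTION_OPEN:
    case REG_ACTION_CREATE:
    case REG_ACTION_QUERY:
    case REG_ACTION_ENUMERATE_VALUE:
    case REG_ACTION_ENUMERATE:
    case REG_ACTION_SET_VALUE:
        lpszData = (char *)otherInfo1;          // already ANSI text
        break;
    case REG_ACTION_DELETE_VALUE:
        // otherInfo1 is the UNICODE_STRING of the value being deleted.  The
        // old guard tested pszKeyName (never NULL here) instead of pKeyName,
        // and ignored the conversion status; only use Buffer on success.
        pKeyName = (PUNICODE_STRING)otherInfo1;
        if (pKeyName &&
            NT_SUCCESS(RtlUnicodeStringToAnsiString(&AnsiString, pKeyName, TRUE))) {
            bAllocMemoryForAnsi = TRUE;
            lpszData = AnsiString.Buffer;
        }
        break;
    case REG_ACTION_CLOSE:
    case REG_ACTION_DELETE:
    case REG_ACTION_FLUSH:
        break;                                  // no extra data
    // The next three actions carry no extra data either (not yet defined).
    case REG_ACTION_QUERY_VALUE:
    case REG_ACTION_LOAD:
    case REG_ACTION_UNLOAD:
    default:
        break;
    }

    iKeyNameLen = (int)strlen(pszKeyName);
    iDataLen = lpszData ? (int)strlen(lpszData) : 0;
    // strOtherInfo layout: key name + NUL, then data + NUL.  Both terminators
    // are counted explicitly instead of relying on the declared size of
    // strOtherInfo inside REG_LOGUNIT (one byte more than the old computation).
    iSize = iKeyNameLen + 1 + iDataLen + 1;

    pNewLogUnit = Sk_LogUnit_GetNewUnit_BySize(pMang, iSize + sizeof(REG_LOGUNIT));
    if (pNewLogUnit) {
        pRegLogUnit = (REG_LOGUNIT *)pNewLogUnit->pszStr;
        pRegLogUnit->chEnable = bEnable;
        pRegLogUnit->dwAction = dwRegAction;
        pRegLogUnit->dwProcessID = processID;
        // NOTE(review): the capacity of processName is not visible in this
        // file; szProcessName is assumed to fit — confirm against REG_LOGUNIT.
        strcpy(pRegLogUnit->processName, szProcessName);
        pRegLogUnit->status = status;
        // Key name, then the data string right after its terminator.
        pRegLogUnit->uStrKeySize = iKeyNameLen;
        memcpy(pRegLogUnit->strOtherInfo, pszKeyName, (size_t)iKeyNameLen + 1);
        pszWriteInfo = pRegLogUnit->strOtherInfo + iKeyNameLen + 1;
        if (lpszData) {
            memcpy(pszWriteInfo, lpszData, (size_t)iDataLen + 1);
        } else {
            pszWriteInfo[0] = 0;
        }
        Sk_LogUnit_InsertUnitToLink(pMang, pNewLogUnit, TRUE);
    }

    if (bAllocMemoryForAnsi) {          // AnsiString owns pool memory?
        RtlFreeAnsiString(&AnsiString);
    }
}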
//----------------------------------------------------------------------
// AppendValueInformation
// Append registry value information to Buffer.
//----------------------------------------------------------------------
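// Convert a counted UNICODE value name (nameBytes bytes, no terminator) to
// ANSI.  On success the caller owns *out and must RtlFreeAnsiString it.
static NTSTATUS ValueNameToAnsi(PWCHAR name, ULONG nameBytes, PANSI_STRING out)
{
    UNICODE_STRING uname;

    // NameLength is a ULONG byte count but UNICODE_STRING holds a USHORT;
    // clamp (to an even length) rather than truncating modulo 65536.
    if (nameBytes > 0xFFFE) {
        nameBytes = 0xFFFE;
    }
    uname.Length = (USHORT)nameBytes;
    uname.MaximumLength = (USHORT)nameBytes;
    uname.Buffer = name;
    return RtlUnicodeStringToAnsiString(out, &uname, TRUE);
}

// Copy src into the caller's ValueName buffer, writing at most MAXDATALEN-1
// bytes (the same span the old strncpy touched) and always leaving the
// result NUL-terminated, which strncpy alone does not guarantee.
static void StoreValueName(PCHAR ValueName, const char *src)
{
    strncpy(ValueName, src, MAXDATALEN - 2);
    ValueName[MAXDATALEN - 2] = 0;
}

// Formats the value described by KeyValueInformation (interpreted according
// to KeyValueInformationClass) into Buffer (MAXDATALEN bytes) and, when
// ValueName is non-NULL, stores the ANSI value name there.  Basic
// information yields "Type: <type> Name: <name>"; full and partial
// information yield the value data via AppendRegValueData.
// NOTE(review): KeyValueInformation is the output buffer of the hooked query.
// If that buffer lives in the caller's address space, DataOffset, DataLength
// and NameLength are read here without validation against the buffer's real
// size and can change between the service call and this read — confirm how
// callers obtain it before trusting those fields.
VOID AppendValueInformation( IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
                             IN PVOID KeyValueInformation, PCHAR Buffer, PCHAR ValueName )
{
    PKEY_VALUE_BASIC_INFORMATION pbasicinfo;
    PKEY_VALUE_FULL_INFORMATION pfullinfo;
    PKEY_VALUE_PARTIAL_INFORMATION ppartinfo;
    ANSI_STRING akeyname;

    switch (KeyValueInformationClass) {
    case KeyValueBasicInformation:
        pbasicinfo = (PKEY_VALUE_BASIC_INFORMATION)KeyValueInformation;
        sprintf(Buffer, "Type: ");
        AppendRegValueType(pbasicinfo->Type, Buffer);
        strncat(Buffer, " Name: ", MAXDATALEN - 1 - strlen(Buffer));
        // The conversion can fail (no pool); the old code used Buffer anyway.
        if (NT_SUCCESS(ValueNameToAnsi(pbasicinfo->Name, pbasicinfo->NameLength, &akeyname))) {
            strncat(Buffer, akeyname.Buffer, MAXDATALEN - 1 - strlen(Buffer));
            if (ValueName) {
                StoreValueName(ValueName, akeyname.Buffer);
            }
            RtlFreeAnsiString(&akeyname);
        }
        break;
    case KeyValueFullInformation:
        pfullinfo = (PKEY_VALUE_FULL_INFORMATION)KeyValueInformation;
        AppendRegValueData(pfullinfo->Type,
                           (PVOID)((PCHAR)pfullinfo + pfullinfo->DataOffset),
                           pfullinfo->DataLength, Buffer);
        if (ValueName &&
            NT_SUCCESS(ValueNameToAnsi(pfullinfo->Name, pfullinfo->NameLength, &akeyname))) {
            StoreValueName(ValueName, akeyname.Buffer);
            RtlFreeAnsiString(&akeyname);
        }
        break;
    case KeyValuePartialInformation:
        ppartinfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyValueInformation;
        AppendRegValueData(ppartinfo->Type,
                           (PVOID)ppartinfo->Data,
                           ppartinfo->DataLength, Buffer);
        break;
    default:
        sprintf(Buffer, "Unknown Info Class");
        break;
    }
}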