📄 skmon_init.c

📁 在windows下面通过驱动进行进程的隐藏
//SkMon_Init.c
/////////////////////////////////////////////////////////////////////////////////
// This file contains the driver entry/unload plumbing for the registry-key-access monitor
// (device creation, registry parameter lookup, and initialisation of the hook and log tables).
/////////////////////////////////////////////////////////////////////////////////
// started 2000/9/29, by snake.
/////////////////////////////////////////////////////////////////////////////////

#include <ntddk.h>
#include "SkDrv_Misc.h" //custom function include.
#include "SkMon_reg.h" //snake Monitor registry header.

#define SKMON_DEVICE_NAME L"\\Device\\SnakeMon"
#define SKMON_DOSLINK_NAME L"\\DosDevices\\SNAKEMON"

#define SYSTEM_NAME "System"

#define DEVICE_SKMON_MONITOR 0x8131
#define SKMON_DRIVER_NAME "SNAKEMON"

//local function.
void SkMon_DriverUnload( IN PDRIVER_OBJECT DriverObject);
NTSTATUS SkDriverMisc_AddDevice( IN PDRIVER_OBJECT DriverObject,
                     IN PWSTR pwDeviceName, IN PWSTR pwDosDeviceName);
BOOLEAN ReadRegistry(IN PUNICODE_STRING RegistryPath, IN PWSTR lpwszParam, IN ULONG dwKeyType,
                     IN void *lpDefault, IN int dwDefaultSize,
                     OUT void *buff);
NTSTATUS SkMon_Dispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp);

//
// Definition for system call service table
//
// Pointer to the kernel's system service descriptor table (SSDT), exported by
// ntoskrnl. PSRVTABLE is declared in a project header. NOTE(review): taking this
// pointer is the classic prerequisite for syscall hooking; it is only workable on
// the 32-bit kernels this file was written for (2000-era), later kernels do not
// export it and Kernel Patch Protection rejects SSDT modification.
extern PSRVTABLE KeServiceDescriptorTable; //System Service.
// Driver-local alias of the SSDT pointer; DriverEntry sets it to
// KeServiceDescriptorTable. How it is used is not visible in this file.
PSRVTABLE        ServiceTable; //MyServiceTable.

//variables.
// Linked tables managed by the Sk_LogUnit_* helpers (project header). Each one
// is initialised in DriverEntry and released in SkMon_DriverUnload; their element
// types and the matching rules are not visible here.
Sk_LogUnit_Mang skLogLink;                 // presumably the monitor's log entries -- verify in SkMon_reg.h
Sk_LogUnit_Mang Disable_ProcessIDTable;    // presumably process IDs to exclude from monitoring -- verify
Sk_LogUnit_Mang Disable_ProcessNameTable;  // presumably process names to exclude from monitoring -- verify

Sk_LogUnit_Mang Log_ProcessIDTable;   //the process that should be write into log.
Sk_LogUnit_Mang Log_ProcessNameTable;
// Non-zero: only processes present in the Log_* tables are logged (as the name
// suggests; the consumer of this flag is outside this file).
char byLogProcessInListOnly=0;

//functions.
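// Release the five bookkeeping tables and the hash, in the same order DriverEntry
// initialises them. Used by DriverEntry's failure path.
static void SkMon_FreeTables( void)
{
  Sk_LogUnit_DeInitLink( &skLogLink);
  Sk_LogUnit_DeInitLink( &Disable_ProcessIDTable);
  Sk_LogUnit_DeInitLink( &Disable_ProcessNameTable);
  Sk_LogUnit_DeInitLink( &Log_ProcessIDTable);
  Sk_LogUnit_DeInitLink( &Log_ProcessNameTable);
  Sk_HashEntry_DeInit();
}

// Driver entry point.
//   DriverObject - the driver object supplied by the I/O manager.
//   RegistryPath - the driver's service key; currently unused (the lookup of its
//                  "Start" value via ReadRegistry was disabled by the original
//                  author and stays disabled).
// Returns STATUS_SUCCESS, or the status of the failed device creation, in which
// case everything initialised so far is torn down again.
// Changes from the original: dead locals (i, dwStartType, dwDefaultType) removed;
// the dispatch table is filled in before the device is created; the failure path
// unhooks before freeing the tables, matching the order SkMon_DriverUnload uses.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject,
                     IN PUNICODE_STRING RegistryPath)
{
  NTSTATUS status;

  (void)RegistryPath; // see ReadRegistry: the "Start" lookup is disabled.

  InitGetProcessName( SYSTEM_NAME); //init Get Process Name.
  //tables for storing data.
  Sk_LogUnit_InitLink( &skLogLink);
  Sk_LogUnit_InitLink( &Disable_ProcessIDTable);
  Sk_LogUnit_InitLink( &Disable_ProcessNameTable);
  Sk_LogUnit_InitLink( &Log_ProcessIDTable);
  Sk_LogUnit_InitLink( &Log_ProcessNameTable);

  Sk_HashEntry_Init(); //Init Hash Function.

  // Installs the registry hooks. The routine returns nothing, so a failure to
  // hook cannot be detected here.
  InitHookSkMonRegistry();

  // Fill in the dispatch table before the device (and its \DosDevices link)
  // exists, so a user-mode caller that opens the device as soon as the link
  // appears cannot reach a not-yet-set MajorFunction entry.
  DriverObject->DriverUnload = SkMon_DriverUnload;
  DriverObject->MajorFunction[IRP_MJ_CREATE] = SkMon_Dispatch;
  DriverObject->MajorFunction[IRP_MJ_CLOSE] = SkMon_Dispatch;
  // NOTE(review): IRP_MJ_SHUTDOWN is only delivered to drivers that call
  // IoRegisterShutdownNotification; no such call is visible in this file.
  DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = SkMon_Dispatch;
  DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = SkMon_Dispatch;

  // Keep a driver-local pointer to the SSDT (see the declaration above for the
  // platform caveats of relying on this symbol).
  ServiceTable = KeServiceDescriptorTable;

  status = SkDriverMisc_AddDevice( DriverObject,
    SKMON_DEVICE_NAME, SKMON_DOSLINK_NAME);
  if( !NT_SUCCESS( status)){
    // Unhook first so nothing can reach the tables while they are freed.
    DeInitHookSkMonRegistry();
    SkMon_FreeTables();
    return status;
  }

  return STATUS_SUCCESS;
}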

// Driver unload routine: undoes everything DriverEntry set up.
// Unload callback registered in DriverEntry.
//   DriverObject - the driver object; its single device object carries the
//                  SKMON_DEVICE_EXTENSION set up by SkDriverMisc_AddDevice.
// Order matters: the registry hooks are removed first, then the user-mode entry
// points (symbolic link, device), and only then the tables the hooks fed.
// NOTE(review): nothing in this routine waits for callers that are already
// inside the hooked registry paths; whether DeInitHookSkMonRegistry does is
// not visible in this file -- confirm before relying on unload being safe.
void SkMon_DriverUnload( IN PDRIVER_OBJECT DriverObject)
{
  UNICODE_STRING dosLinkName;
  PSKMON_DEVICE_EXTENSION devExt;
  Sk_LogUnit_Mang *tables[] = {
    &skLogLink,
    &Disable_ProcessIDTable,
    &Disable_ProcessNameTable,
    &Log_ProcessIDTable,
    &Log_ProcessNameTable
  };
  int n;

  // 1. Stop intercepting registry access.
  DeInitHookSkMonRegistry();

  // 2. Remove the \DosDevices link, then the device it pointed at (through the
  //    pointer the extension keeps, which is the same object).
  RtlInitUnicodeString( &dosLinkName, SKMON_DOSLINK_NAME);
  IoDeleteSymbolicLink( &dosLinkName);

  devExt = (PSKMON_DEVICE_EXTENSION)( DriverObject->DeviceObject->DeviceExtension);
  IoDeleteDevice( devExt->pDeviceObject);

  // 3. Release the bookkeeping tables, then the hash.
  for( n = 0; n < (int)( sizeof( tables) / sizeof( tables[0])); n++)
    Sk_LogUnit_DeInitLink( tables[n]);

  Sk_HashEntry_DeInit();
}

//Add Device.
// Create the monitor's control device and its \DosDevices link.
//   DriverObject    - the driver to attach the device to.
//   pwDeviceName    - NT device name (e.g. SKMON_DEVICE_NAME).
//   pwDosDeviceName - user-visible symbolic link name (e.g. SKMON_DOSLINK_NAME).
// Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink
// status; on a link failure the device is deleted again.
// Security notes (review):
//  - The device is created non-exclusive and without an explicit security
//    descriptor, so it generally ends up openable by unprivileged local users
//    through the \DosDevices link. Every IOCTL handled by SkMon_Dispatch
//    (defined elsewhere) must therefore treat its input as untrusted and
//    validate buffer lengths. Restricting access would need a device-level
//    DACL (IoCreateDeviceSecure in later DDKs), which this file does not use.
//  - DO_BUFFERED_IO makes the I/O manager copy user buffers into a kernel
//    buffer; it does not validate sizes on the driver's behalf.
NTSTATUS SkDriverMisc_AddDevice( IN PDRIVER_OBJECT DriverObject,
                     IN PWSTR pwDeviceName,
                     IN PWSTR pwDosDeviceName)
{
  UNICODE_STRING ntName;
  UNICODE_STRING dosName;
  PDEVICE_OBJECT devObj = NULL;
  PSKMON_DEVICE_EXTENSION ext;
  NTSTATUS rc;

  RtlInitUnicodeString( &ntName, pwDeviceName);
  rc = IoCreateDevice( DriverObject,
                       sizeof( SKMON_DEVICE_EXTENSION),
                       &ntName,
                       DEVICE_SKMON_MONITOR,   // custom device type
                       0,                      // no characteristics
                       FALSE,                  // not exclusive
                       &devObj);
  if( NT_SUCCESS( rc)){
    devObj->Flags |= DO_BUFFERED_IO;

    // Record the owning device object and the call type in the extension; the
    // unload routine deletes the device through this pointer.
    ext = (PSKMON_DEVICE_EXTENSION)devObj->DeviceExtension;
    ext->pDeviceObject = devObj;
    ext->Type = BASE_CALLED;

    RtlInitUnicodeString( &dosName, pwDosDeviceName);
    rc = IoCreateSymbolicLink( &dosName, &ntName);
    if( NT_SUCCESS( rc))
      rc = STATUS_SUCCESS;
    else
      IoDeleteDevice( ext->pDeviceObject);
  }
  return rc;
}

//Read Registry.
// Returns TRUE on success, FALSE on failure.
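// Read one value from the driver's service key (or any absolute registry path).
//   RegistryPath  - absolute key path (normally DriverEntry's RegistryPath).
//   lpwszParam    - name of the value to read.
//   dwKeyType     - REG_* type used for the default when the value is absent.
//   lpDefault     - default data written to buff when the value is absent
//                   (may be NULL for "no default").
//   dwDefaultSize - size of lpDefault in bytes; negative is rejected.
//   buff          - destination; must be shaped for the expected type
//                   (a ULONG for REG_DWORD; for string types a UNICODE_STRING
//                   with Buffer/MaximumLength set, per the DDK's
//                   RTL_QUERY_REGISTRY_DIRECT rules -- confirm for the DDK in use).
// Returns TRUE if RtlQueryRegistryValues returned STATUS_SUCCESS, else FALSE.
// Security notes (review):
//  - RTL_QUERY_REGISTRY_DIRECT copies the stored value straight into buff
//    without checking its type against dwKeyType; a value of an unexpected
//    type or size can therefore overrun buff. Later WDKs add
//    RTL_QUERY_REGISTRY_TYPECHECK for this; it is not available to this
//    2000-era code, so callers must only use it on keys they control.
//  - The service key is admin-writable, so the value is trusted to that extent.
// Fix vs. the original: the path copy took RegistryPath->Length + 2 bytes from
// the source buffer, reading one WCHAR past it; it now copies exactly Length
// bytes and supplies the terminator itself. Unused locals were removed.
BOOLEAN ReadRegistry(IN PUNICODE_STRING RegistryPath, IN PWSTR lpwszParam, IN ULONG dwKeyType,
                     IN void *lpDefault, IN int dwDefaultSize,
                     OUT void *buff)
{
  PWSTR pathBuffer;
  ULONG pathBytes;
  NTSTATUS status;
  RTL_QUERY_REGISTRY_TABLE QueryTable[2];

  if( RegistryPath == NULL || RegistryPath->Buffer == NULL ||
      lpwszParam == NULL || buff == NULL || dwDefaultSize < 0)
    return FALSE;

  // RtlQueryRegistryValues wants a NUL-terminated path; a UNICODE_STRING is not
  // guaranteed to carry one, so build a terminated private copy.
  pathBytes = RegistryPath->Length + sizeof( UNICODE_NULL);
  pathBuffer = (PWSTR)ExAllocatePool( PagedPool, pathBytes);
  if( pathBuffer == NULL)
    return FALSE;
  RtlZeroMemory( pathBuffer, pathBytes);
  RtlCopyMemory( pathBuffer, RegistryPath->Buffer, RegistryPath->Length);

  // One query entry; the zeroed second entry terminates the table.
  RtlZeroMemory( QueryTable, sizeof( QueryTable));
  QueryTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
  QueryTable[0].Name = lpwszParam;
  QueryTable[0].EntryContext = buff;          // value (or default) lands here.
  QueryTable[0].DefaultType = dwKeyType;
  QueryTable[0].DefaultData = lpDefault;
  QueryTable[0].DefaultLength = (ULONG)dwDefaultSize;

  status = RtlQueryRegistryValues( RTL_REGISTRY_ABSOLUTE,
    pathBuffer, QueryTable, NULL, NULL);
  ExFreePool( pathBuffer);

  // Only STATUS_SUCCESS counts: the routine reports a missing value without
  // default, or a type/shape problem, through other codes.
  return (status == STATUS_SUCCESS) ? TRUE : FALSE;
}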
