📄 tracereg.cpp
字号:
}
/////////////////////////////////////////////////////////////
// TrampolineWith
//
VOID TrampolineWith(VOID)
{
DetourFunctionWithTrampoline((PBYTE)Real_CopyFileExA,
(PBYTE)Mine_CopyFileExA);
DetourFunctionWithTrampoline((PBYTE)Mine_WaitNamedPipeW,
(PBYTE)Real_WaitNamedPipeW);
DetourFunctionWithTrampoline((PBYTE)Mine_CloseHandle,
(PBYTE)Real_CloseHandle);
DetourFunctionWithTrampoline((PBYTE)Mine_GetSystemTimeAsFileTime,
(PBYTE)Real_GetSystemTimeAsFileTime);
DetourFunctionWithTrampoline((PBYTE)Mine_SetNamedPipeHandleState,
(PBYTE)Real_SetNamedPipeHandleState);
DetourFunctionWithTrampoline((PBYTE)Mine_WriteFile,
(PBYTE)Real_WriteFile);
DetourFunctionWithTrampoline((PBYTE)Mine_CreateProcessW,
(PBYTE)Real_CreateProcessW);
DetourFunctionWithTrampoline((PBYTE)Real_CopyFileExA,
(PBYTE)Mine_CopyFileExA);
DetourFunctionWithTrampoline((PBYTE)Real_CopyFileExW,
(PBYTE)Mine_CopyFileExW);
DetourFunctionWithTrampoline((PBYTE)Real_CreateDirectoryExW,
(PBYTE)Mine_CreateDirectoryExW);
DetourFunctionWithTrampoline((PBYTE)Real_CreateDirectoryW,
(PBYTE)Mine_CreateDirectoryW);
DetourFunctionWithTrampoline((PBYTE)Real_CreateFileW,
(PBYTE)Mine_CreateFileW);
DetourFunctionWithTrampoline((PBYTE)Real_DeleteFileA,
(PBYTE)Mine_DeleteFileA);
DetourFunctionWithTrampoline((PBYTE)Real_DeleteFileW,
(PBYTE)Mine_DeleteFileW);
DetourFunctionWithTrampoline((PBYTE)Real_FindFirstFileExA,
(PBYTE)Mine_FindFirstFileExA);
DetourFunctionWithTrampoline((PBYTE)Real_FindFirstFileExW,
(PBYTE)Mine_FindFirstFileExW);
DetourFunctionWithTrampoline((PBYTE)Real_GetFileAttributesW,
(PBYTE)Mine_GetFileAttributesW);
DetourFunctionWithTrampoline((PBYTE)Real_GetModuleFileNameW,
(PBYTE)Mine_GetModuleFileNameW);
DetourFunctionWithTrampoline((PBYTE)Real_GetProcAddress,
(PBYTE)Mine_GetProcAddress);
DetourFunctionWithTrampoline((PBYTE)Real_LoadLibraryExW,
(PBYTE)Mine_LoadLibraryExW);
DetourFunctionWithTrampoline((PBYTE)Real_MoveFileA,
(PBYTE)Mine_MoveFileA);
DetourFunctionWithTrampoline((PBYTE)Real_MoveFileExA,
(PBYTE)Mine_MoveFileExA);
DetourFunctionWithTrampoline((PBYTE)Real_MoveFileExW,
(PBYTE)Mine_MoveFileExW);
DetourFunctionWithTrampoline((PBYTE)Real_MoveFileW,
(PBYTE)Mine_MoveFileW);
DetourFunctionWithTrampoline((PBYTE)Real_OpenFile,
(PBYTE)Mine_OpenFile);
DetourFunctionWithTrampoline((PBYTE)Real_RegCreateKeyExA,
(PBYTE)Mine_RegCreateKeyExA);
DetourFunctionWithTrampoline((PBYTE)Real_RegCreateKeyExW,
(PBYTE)Mine_RegCreateKeyExW);
DetourFunctionWithTrampoline((PBYTE)Real_RegDeleteKeyA,
(PBYTE)Mine_RegDeleteKeyA);
DetourFunctionWithTrampoline((PBYTE)Real_RegDeleteKeyW,
(PBYTE)Mine_RegDeleteKeyW);
DetourFunctionWithTrampoline((PBYTE)Real_RegDeleteValueA,
(PBYTE)Mine_RegDeleteValueA);
DetourFunctionWithTrampoline((PBYTE)Real_RegDeleteValueW,
(PBYTE)Mine_RegDeleteValueW);
DetourFunctionWithTrampoline((PBYTE)Real_RegEnumKeyExA,
(PBYTE)Mine_RegEnumKeyExA);
DetourFunctionWithTrampoline((PBYTE)Real_RegEnumKeyExW,
(PBYTE)Mine_RegEnumKeyExW);
DetourFunctionWithTrampoline((PBYTE)Real_RegEnumValueA,
(PBYTE)Mine_RegEnumValueA);
DetourFunctionWithTrampoline((PBYTE)Real_RegEnumValueW,
(PBYTE)Mine_RegEnumValueW);
DetourFunctionWithTrampoline((PBYTE)Real_RegOpenKeyExA,
(PBYTE)Mine_RegOpenKeyExA);
DetourFunctionWithTrampoline((PBYTE)Real_RegOpenKeyExW,
(PBYTE)Mine_RegOpenKeyExW);
DetourFunctionWithTrampoline((PBYTE)Real_RegQueryInfoKeyA,
(PBYTE)Mine_RegQueryInfoKeyA);
DetourFunctionWithTrampoline((PBYTE)Real_RegQueryInfoKeyW,
(PBYTE)Mine_RegQueryInfoKeyW);
DetourFunctionWithTrampoline((PBYTE)Real_RegQueryValueExA,
(PBYTE)Mine_RegQueryValueExA);
DetourFunctionWithTrampoline((PBYTE)Real_RegQueryValueExW,
(PBYTE)Mine_RegQueryValueExW);
DetourFunctionWithTrampoline((PBYTE)Real_RegSetValueExA,
(PBYTE)Mine_RegSetValueExA);
DetourFunctionWithTrampoline((PBYTE)Real_RegSetValueExW,
(PBYTE)Mine_RegSetValueExW);
DetourFunctionWithTrampoline((PBYTE)Real__lcreat,
(PBYTE)Mine__lcreat);
DetourFunctionWithTrampoline((PBYTE)Real__lopen,
(PBYTE)Mine__lopen);
}
//
//////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////// Logging System.
//
static BOOL s_bLog = 1;
static LONG s_nTlsIndent = -1;
static LONG s_nTlsThread = -1;
static LONG s_nThreadCnt = 0;
VOID _PrintEnter(const CHAR *psz, ...)
{
DWORD dwErr = GetLastError();
LONG nIndent = 0;
LONG nThread = 0;
if (s_nTlsIndent >= 0) {
nIndent = (LONG)TlsGetValue(s_nTlsIndent);
TlsSetValue(s_nTlsIndent, (PVOID)(nIndent + 1));
}
if (s_nTlsThread >= 0) {
nThread = (LONG)TlsGetValue(s_nTlsThread);
}
if (s_bLog && psz) {
CHAR szBuf[1024];
PCHAR pszBuf = szBuf;
LONG nLen = (nIndent > 0) ? (nIndent < 35 ? nIndent * 2 : 70) : 0;
*pszBuf++ = (CHAR)('0' + ((nThread / 100) % 10));
*pszBuf++ = (CHAR)('0' + ((nThread / 10) % 10));
*pszBuf++ = (CHAR)('0' + ((nThread / 1) % 10));
*pszBuf++ = ' ';
while (nLen-- > 0) {
*pszBuf++ = ' ';
}
va_list args;
va_start(args, psz);
while ((*pszBuf++ = *psz++) != 0) {
// Copy characters.
}
SyelogV(SYELOG_SEVERITY_INFORMATION,
szBuf, args);
va_end(args);
}
SetLastError(dwErr);
}
VOID _PrintExit(const CHAR *psz, ...)
{
DWORD dwErr = GetLastError();
LONG nIndent = 0;
LONG nThread = 0;
if (s_nTlsIndent >= 0) {
nIndent = (LONG)TlsGetValue(s_nTlsIndent) - 1;
ASSERT(nIndent >= 0);
TlsSetValue(s_nTlsIndent, (PVOID)nIndent);
}
if (s_nTlsThread >= 0) {
nThread = (LONG)TlsGetValue(s_nTlsThread);
}
if (s_bLog && psz) {
CHAR szBuf[1024];
PCHAR pszBuf = szBuf;
LONG nLen = (nIndent > 0) ? (nIndent < 35 ? nIndent * 2 : 70) : 0;
*pszBuf++ = (CHAR)('0' + ((nThread / 100) % 10));
*pszBuf++ = (CHAR)('0' + ((nThread / 10) % 10));
*pszBuf++ = (CHAR)('0' + ((nThread / 1) % 10));
*pszBuf++ = ' ';
while (nLen-- > 0) {
*pszBuf++ = ' ';
}
va_list args;
va_start(args, psz);
while ((*pszBuf++ = *psz++) != 0) {
// Copy characters.
}
SyelogV(SYELOG_SEVERITY_INFORMATION,
szBuf, args);
va_end(args);
}
SetLastError(dwErr);
}
VOID _Print(const CHAR *psz, ...)
{
DWORD dwErr = GetLastError();
LONG nIndent = 0;
LONG nThread = 0;
if (s_nTlsIndent >= 0) {
nIndent = (LONG)TlsGetValue(s_nTlsIndent);
}
if (s_nTlsThread >= 0) {
nThread = (LONG)TlsGetValue(s_nTlsThread);
}
if (s_bLog && psz) {
CHAR szBuf[1024];
PCHAR pszBuf = szBuf;
LONG nLen = (nIndent > 0) ? (nIndent < 35 ? nIndent * 2 : 70) : 0;
*pszBuf++ = (CHAR)('0' + ((nThread / 100) % 10));
*pszBuf++ = (CHAR)('0' + ((nThread / 10) % 10));
*pszBuf++ = (CHAR)('0' + ((nThread / 1) % 10));
*pszBuf++ = ' ';
while (nLen-- > 0) {
*pszBuf++ = ' ';
}
va_list args;
va_start(args, psz);
while ((*pszBuf++ = *psz++) != 0) {
// Copy characters.
}
SyelogV(SYELOG_SEVERITY_INFORMATION,
szBuf, args);
va_end(args);
}
SetLastError(dwErr);
}
VOID AssertMessage(CONST PCHAR pszMsg, CONST PCHAR pszFile, ULONG nLine)
{
Syelog(SYELOG_SEVERITY_FATAL,
"ASSERT(%s) failed in %s, line %d.\n", pszMsg, pszFile, nLine);
}
VOID NullExport()
{
}
//////////////////////////////////////////////////////////////////////////////
//
PIMAGE_NT_HEADERS NtHeadersForInstance(HINSTANCE hInst)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hInst;
__try {
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
pDosHeader->e_lfanew);
if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
SetLastError(ERROR_INVALID_EXE_SIGNATURE);
return NULL;
}
if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) {
SetLastError(ERROR_EXE_MARKED_INVALID);
return NULL;
}
return pNtHeader;
} __except(EXCEPTION_EXECUTE_HANDLER) {
}
SetLastError(ERROR_EXE_MARKED_INVALID);
return NULL;
}
BOOL InstanceEnumerate(HINSTANCE hInst)
{
WCHAR wzDllName[MAX_PATH];
PIMAGE_NT_HEADERS pinh = NtHeadersForInstance(hInst);
if (pinh && Real_GetModuleFileNameW(hInst, wzDllName, ARRAYOF(wzDllName))) {
Syelog(SYELOG_SEVERITY_INFORMATION,
"### %08lx: %-43.43ls %08x\n",
hInst, wzDllName, pinh->OptionalHeader.CheckSum);
return TRUE;
}
return FALSE;
}
BOOL ProcessEnumerate()
{
Syelog(SYELOG_SEVERITY_INFORMATION,
"######################################################### Binaries\n");
for (HINSTANCE hInst = NULL; (hInst = DetourEnumerateModules(hInst)) != NULL;) {
InstanceEnumerate(hInst);
}
return TRUE;
}
//////////////////////////////////////////////////////////////////////////////
//
// DLL module information
//
BOOL ThreadAttach(HMODULE hDll)
{
if (s_nTlsIndent >= 0) {
TlsSetValue(s_nTlsIndent, (PVOID)0);
}
if (s_nTlsThread >= 0) {
LONG nThread = InterlockedIncrement(&s_nThreadCnt);
TlsSetValue(s_nTlsThread, (PVOID)nThread);
}
return TRUE;
}
BOOL ThreadDetach(HMODULE hDll)
{
if (s_nTlsIndent >= 0) {
TlsSetValue(s_nTlsIndent, (PVOID)0);
}
if (s_nTlsThread >= 0) {
TlsSetValue(s_nTlsThread, (PVOID)0);
}
return TRUE;
}
BOOL ProcessAttach(HMODULE hDll)
{
s_bLog = FALSE;
s_nTlsIndent = TlsAlloc();
s_nTlsThread = TlsAlloc();
WCHAR wzExeName[MAX_PATH];
s_hInst = hDll;
Real_GetModuleFileNameW(hDll, s_wzDllPath, ARRAYOF(s_wzDllPath));
Real_GetModuleFileNameW(NULL, wzExeName, ARRAYOF(wzExeName));
SyelogOpen("traceapi", SYELOG_FACILITY_APPLICATION);
ProcessEnumerate();
TrampolineWith();
ThreadAttach(hDll);
s_bLog = TRUE;
return TRUE;
}
BOOL ProcessDetach(HMODULE hDll)
{
ThreadDetach(hDll);
s_bLog = FALSE;
SyelogClose();
if (s_nTlsIndent >= 0) {
TlsFree(s_nTlsIndent);
}
if (s_nTlsThread >= 0) {
TlsFree(s_nTlsThread);
}
return TRUE;
}
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, PVOID lpReserved)
{
switch (dwReason) {
case DLL_PROCESS_ATTACH:
return ProcessAttach(hModule);
case DLL_PROCESS_DETACH:
return ProcessDetach(hModule);
case DLL_THREAD_ATTACH:
return ThreadAttach(hModule);
case DLL_THREAD_DETACH:
return ThreadDetach(hModule);
}
return TRUE;
}
//
///////////////////////////////////////////////////////////////// End of File.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -