📄 mspyuser.c
字号:
if (parmIndex >= argc) {
//
// Not enough parameters
//
goto InterpretCommand_Usage;
}
parm = argv[parmIndex];
printf( " Attaching to %s... ", parm );
bufferLength = MultiByteToWideChar( CP_ACP,
MB_ERR_INVALID_CHARS,
parm,
-1,
(LPWSTR)buffer,
BUFFER_SIZE/sizeof( WCHAR ) );
#if (WINVER != 0x0500) // ddksplit
#pragma prefast (suppress: 209, "PREfast noise: We really do want to pass in a byte count for the 4th parameter") // ddksplit
#endif // ddksplit
hResult = FilterAttach( MINISPY_NAME,
(PWSTR)buffer,
NULL, // instance name
sizeof( instanceName ),
instanceName );
if (SUCCEEDED( hResult )) {
printf( " Instance name: %S\n", instanceName );
} else {
printf( "\n Could not attach to device: 0x%08x\n", hResult );
DisplayError( hResult );
returnValue = SUCCESS;
}
break;
case 'd':
case 'D':
//
// Detach to the specified drive letter
//
parmIndex++;
if (parmIndex >= argc) {
//
// Not enough parameters
//
goto InterpretCommand_Usage;
}
parm = argv[parmIndex];
printf( " Detaching from %s\n", parm );
bufferLength = MultiByteToWideChar( CP_ACP,
MB_ERR_INVALID_CHARS,
parm,
-1,
(LPWSTR)buffer,
BUFFER_SIZE/sizeof( WCHAR ) );
//
// Get the next argument to see if it is an InstanceId
//
parmIndex++;
if (parmIndex >= argc) {
instanceString = NULL;
} else {
if (argv[parmIndex][0] == '/') {
//
// This is just the next command, so don't
// internet it as the InstanceId.
//
instanceString = NULL;
parmIndex--;
} else {
parm = argv[parmIndex];
bufferLength = MultiByteToWideChar( CP_ACP,
MB_ERR_INVALID_CHARS,
parm,
-1,
(LPWSTR)instanceName,
sizeof( instanceName )/sizeof( WCHAR ) );
instanceString = instanceName;
}
}
//
// Detach from the volume and instance specified.
//
hResult = FilterDetach( MINISPY_NAME,
(PWSTR)buffer,
instanceString );
if (IS_ERROR( hResult )) {
printf( " Could not detach from device: 0x%08x\n", hResult );
DisplayError( hResult );
returnValue = SUCCESS;
}
break;
case 'l':
case 'L':
//
// List all devices that are currently being monitored
//
ListDevices();
break;
case 's':
case 'S':
//
// Output logging results to screen, save new value to
// instate when command interpreter is exited.
//
if (Context->NextLogToScreen) {
printf( " Turning off logging to screen\n" );
} else {
printf( " Turning on logging to screen\n" );
}
Context->NextLogToScreen = !Context->NextLogToScreen;
break;
case 'f':
case 'F':
//
// Output logging results to file
//
if (Context->LogToFile) {
printf( " Stop logging to file \n" );
Context->LogToFile = FALSE;
assert( Context->OutputFile );
fclose( Context->OutputFile );
Context->OutputFile = NULL;
} else {
parmIndex++;
if (parmIndex >= argc) {
//
// Not enough parameters
//
goto InterpretCommand_Usage;
}
parm = argv[parmIndex];
printf( " Log to file %s\n", parm );
Context->OutputFile = fopen( parm, "w" );
assert( Context->OutputFile );
Context->LogToFile = TRUE;
}
break;
default:
//
// Invalid switch, goto usage
//
goto InterpretCommand_Usage;
}
} else {
//
// Look for "go" or "g" to see if we should exit interpreter
//
if (!_strnicmp( parm,
INTERPRETER_EXIT_COMMAND1,
sizeof( INTERPRETER_EXIT_COMMAND1 ))) {
returnValue = EXIT_INTERPRETER;
goto InterpretCommand_Exit;
}
if (!_strnicmp( parm,
INTERPRETER_EXIT_COMMAND2,
sizeof( INTERPRETER_EXIT_COMMAND2 ))) {
returnValue = EXIT_INTERPRETER;
goto InterpretCommand_Exit;
}
//
// Look for "exit" to see if we should exit program
//
if (!_strnicmp( parm,
PROGRAM_EXIT_COMMAND,
sizeof( PROGRAM_EXIT_COMMAND ))) {
returnValue = EXIT_PROGRAM;
goto InterpretCommand_Exit;
}
//
// Invalid parameter
//
goto InterpretCommand_Usage;
}
}
InterpretCommand_Exit:
return returnValue;
InterpretCommand_Usage:
printf("Valid switches: [/a <drive>] [/d <drive>] [/l] [/s] [/f [<file name>]]\n"
" [/a <drive>] starts monitoring <drive>\n"
" [/d <drive> [<instance id>]] detaches filter <instance id> from <drive>\n"
" [/l] lists all the drives the monitor is currently attached to\n"
" [/s] turns on and off showing logging output on the screen\n"
" [/f [<file name>]] turns on and off logging to the specified file\n"
" If you are in command mode:\n"
" [enter] will enter command mode\n"
" [go|g] will exit command mode\n"
" [exit] will terminate this program\n"
);
returnValue = USAGE_ERROR;
goto InterpretCommand_Exit;
}
ULONG
IsAttachedToVolume(
__in PWCHAR VolumeName
)
/*++
Routine Description:
Determine if our filter is attached to this volume
Arguments:
VolumeName - The volume we are checking
Return Value:
TRUE - we are attached
FALSE - we are not attached (or we couldn't tell)
--*/
{
PWCHAR filtername;
CHAR buffer[1024];
PINSTANCE_FULL_INFORMATION data = (PINSTANCE_FULL_INFORMATION)buffer;
HANDLE volumeIterator = INVALID_HANDLE_VALUE;
ULONG bytesReturned;
ULONG instanceCount = 0;
HRESULT hResult;
//
// Enumerate all instances on this volume
//
hResult = FilterVolumeInstanceFindFirst( VolumeName,
InstanceFullInformation,
data,
sizeof(buffer)-sizeof(WCHAR),
&bytesReturned,
&volumeIterator );
if (IS_ERROR( hResult )) {
return instanceCount;
}
do {
//
// Get the name. Note that we are NULL terminating the buffer
// in place. We can do this because we don't care about the other
// information and we have guaranteed that there is room for a NULL
// at the end of the buffer.
//
filtername = Add2Ptr(data,data->FilterNameBufferOffset);
filtername[data->FilterNameLength/sizeof( WCHAR )] = L'\0';
//
// Bump the instance count when we find a match
//
if (_wcsicmp(filtername,MINISPY_NAME) == 0) {
instanceCount++;
}
} while (SUCCEEDED( FilterVolumeInstanceFindNext( volumeIterator,
InstanceFullInformation,
data,
sizeof(buffer)-sizeof(WCHAR),
&bytesReturned ) ));
//
// Close the handle
//
FilterVolumeInstanceFindClose( volumeIterator );
return instanceCount;
}
void
ListDevices(
VOID
)
/*++
Routine Description:
Display the volumes we are attached to
Arguments:
Return Value:
--*/
{
UCHAR buffer[1024];
PFILTER_VOLUME_BASIC_INFORMATION volumeBuffer = (PFILTER_VOLUME_BASIC_INFORMATION)buffer;
HANDLE volumeIterator = INVALID_HANDLE_VALUE;
ULONG volumeBytesReturned;
HRESULT hResult;
WCHAR driveLetter[15];
ULONG instanceCount;
try {
//
// Find out size of buffer needed
//
hResult = FilterVolumeFindFirst( FilterVolumeBasicInformation,
volumeBuffer,
sizeof(buffer)-sizeof(WCHAR), //save space to null terminate name
&volumeBytesReturned,
&volumeIterator );
if (INVALID_HANDLE_VALUE == volumeIterator) {
leave;
}
//
// Output the header
//
printf( "\n"
"Dos Name Volume Name Status \n"
"-------------- ------------------------------------ --------\n" );
//
// Loop through all of the filters, displaying instance information
//
do {
volumeBuffer->FilterVolumeName[volumeBuffer->FilterVolumeNameLength/sizeof( WCHAR )] = L'\0';
instanceCount = IsAttachedToVolume(volumeBuffer->FilterVolumeName);
printf( "%-14ws %-36ws %s",
(SUCCEEDED( FilterGetDosName(
volumeBuffer->FilterVolumeName,
driveLetter,
sizeof(driveLetter)/sizeof(WCHAR) )) ? driveLetter : L""),
volumeBuffer->FilterVolumeName,
(instanceCount > 0) ? "Attached" : "");
if (instanceCount > 1) {
printf( " (%d)\n", instanceCount );
} else {
printf( "\n" );
}
} while (SUCCEEDED( hResult = FilterVolumeFindNext( volumeIterator,
FilterVolumeBasicInformation,
volumeBuffer,
sizeof(buffer)-sizeof(WCHAR), //save space to null terminate name
&volumeBytesReturned ) ));
if (HRESULT_FROM_WIN32( ERROR_NO_MORE_ITEMS ) == hResult) {
hResult = S_OK;
}
} finally {
if (INVALID_HANDLE_VALUE != volumeIterator) {
FilterVolumeFindClose( volumeIterator );
}
if (IS_ERROR( hResult )) {
if (HRESULT_FROM_WIN32( ERROR_NO_MORE_ITEMS ) == hResult) {
printf( "No volumes found.\n" );
} else {
printf( "Volume listing failed with error: 0x%08x\n",
hResult );
}
}
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -