InterlockedIncrement(&StraceBufCount1);
ExReleaseFastMutex(&StraceBuf1Mutex);
}
else{
ExAcquireFastMutex(&StraceBuf2Mutex);
StraceBuf2[StraceBufCount2].CallNumber = (WORD)CallNumber;
KeQuerySystemTime(&(StraceBuf2[StraceBufCount2].Time));
StraceBuf2[StraceBufCount2].ProcessId = (WORD)ProcessId;
StraceBuf2[StraceBufCount2].ThreadId = (WORD)ThreadId;
StraceBuf2[StraceBufCount2].ParameterTable = ParameterTable;
GetProcessName(StraceBuf2[StraceBufCount2].ProcessName);
if(CallNumber<SERVICEIDUSERFROM)
StraceBuf2[StraceBufCount2].ParameterNumbers=(*(char *)((int)keSDTParameter+CallNumber))/4;
else
StraceBuf2[StraceBufCount2].ParameterNumbers=(*(char *)((int)w32SDTParameter+CallNumber-SERVICEIDUSERFROM))/4;
for(CallNumber=0;CallNumber<StraceBuf2[StraceBufCount2].ParameterNumbers;CallNumber++)
StraceBuf2[StraceBufCount2].Parameter[CallNumber]=*(DWORD *)(ParameterTable+CallNumber*sizeof(DWORD));
InterlockedIncrement(&StraceBufCount2);
ExReleaseFastMutex(&StraceBuf2Mutex);
}
KeLowerIrql(OldIrql);
}
// Trampoline written into the system-service IDT entry by
// StraceSetSystemServiceHook. It is naked, so no compiler prologue/epilogue
// exists: every register the C handler may touch is saved and restored by
// hand, then control is chained to the displaced handler in OldSystemServiceISR
// (a jmp, so this function never returns by itself).
void __declspec(naked) StraceMySystemService()
{
__asm{
pushad                              // save all general-purpose registers (restored by popad, so bx below is free scratch)
pushfd                              // save EFLAGS
push fs
mov bx,0x30                         // 0x30: presumably the kernel PCR selector (KGDT_R0_PCR) — confirm per build
mov fs,bx
push ds
push es
sti                                 // interrupts back on while the C tracer runs
call StraceInterceptSystemCall;
cli                                 // off again before the original handler takes over
pop es
pop ds
pop fs
popfd
popad
jmp OldSystemServiceISR;            // chain to the saved original handler
}
}
// Installs (bHook) or removes (!bHook) the system-service IDT hook on every
// processor. The IDT is per-CPU, so the calling thread is pinned to each CPU
// in turn before that CPU's table is patched.
// NOTE(review): `1<<cpu` and `1<<*KeNumberProcessors` are int shifts, which are
// undefined at 32 or more processors — TODO confirm the supported range. The
// thread's original affinity is not saved; afterwards it is left set to all
// processors. Always returns TRUE; there is no failure path.
BOOL
StraceSetSystemServiceHook(BOOL bHook)
{
PNT_IDT pidtBase = NULL;
for ( char cpu=0; cpu<*KeNumberProcessors; ++cpu )
{
PKTHREAD pThread = KeGetCurrentThread();
KeSetAffinityThread( pThread, 1<<cpu );   // run on this CPU so GetIDTBase() presumably returns its IDT
pidtBase = GetIDTBase();
if ( bHook )
pidtBase[NT_SYSTEM_SERVICE_IDT].Hook( StraceMySystemService, &OldSystemServiceISR);   // second arg presumably receives the displaced handler
else
pidtBase[NT_SYSTEM_SERVICE_IDT].Hook( OldSystemServiceISR );   // put the saved handler back
}
PKTHREAD pThread = KeGetCurrentThread();
KeSetAffinityThread( pThread, (1<<*KeNumberProcessors)-1 );   // all-processor mask, not the affinity the thread had before
return TRUE;
}
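/*
 * Dispatches one IOCTL of the strace control device.
 *
 * InputBuffer / OutbufBuffer: the request buffers as handed over by the I/O
 *   manager (assumed METHOD_BUFFERED, a single system buffer — TODO confirm
 *   against the dispatch routine). Their contents are caller-controlled, so
 *   every read is checked against InputBufferLength and every write against
 *   OutputBufferLength before it happens.
 * pStatusInfo: receives the number of output bytes produced (0 on failure).
 * Returns STATUS_SUCCESS, the wait status for the overflow wait, or
 *   STATUS_BUFFER_TOO_SMALL / STATUS_INVALID_PARAMETER /
 *   STATUS_INSUFFICIENT_RESOURCES / STATUS_ACCESS_VIOLATION on failure;
 *   STATUS_INVALID_PARAMETER for an unknown control code.
 */
NTSTATUS StraceProcessDeviceControl(IN PVOID InputBuffer, IN ULONG InputBufferLength,
OUT PVOID OutbufBuffer, IN ULONG OutputBufferLength, IN ULONG IoControlCode, ULONG* pStatusInfo)
{
    *pStatusInfo = 0;
    switch(IoControlCode)
    {
    case IOCTL_STRACE_GETNTSDT:
    {
        PVOID keSDT;
        PVOID w32SDT;
        DWORD keSDTCount;
        DWORD w32SDTCount;
        LONG keSDTParameterBase;
        LONG w32SDTParameterBase;
        __try{
            // Reads the service descriptor tables reachable from the current
            // thread through the fixed address 0xFFDFF124 and hard-coded field
            // offsets (presumably the PCR's current-thread pointer and the
            // thread's service table). These are OS-build specific — TODO
            // confirm per supported build; the __except below is the only
            // protection if they are wrong.
            __asm{
                mov eax,0xFFDFF124
                mov eax, [eax]
                mov ebx, [eax+0xDC]
                mov ecx,[ebx+0x08]
                mov edx,[ebx]
                mov eax,[ebx+0x0c]
                mov keSDT,edx
                mov keSDTCount,ecx
                mov keSDTParameterBase,eax
                mov ecx,[ebx+0x18]
                mov edx,[ebx+0x10]
                mov eax,[ebx+0x1c]
                mov w32SDT,edx
                mov w32SDTCount,ecx
                mov w32SDTParameterBase,eax
            }
            // Validate before allocating so a rejected request leaks nothing.
            if( OutputBufferLength < sizeof(NTSDT)||keSDTCount>keSDTMaxCount||w32SDTCount>w32SDTMaxCount)
            {
                return STATUS_BUFFER_TOO_SMALL;
            }
            // Snapshot the parameter-size tables into fresh allocations and
            // publish them only once both succeeded, so a failed allocation
            // leaves the tables the intercept path currently reads intact.
            char *keParams = (char* ) ExAllocatePool( NonPagedPool, keSDTCount);
            if( keParams == NULL )
            {
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            memcpy(keParams,(void *)keSDTParameterBase,keSDTCount);
            char *w32Params = (char* ) ExAllocatePool( NonPagedPool, w32SDTCount);
            if( w32Params == NULL )
            {
                ExFreePool(keParams);
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            memcpy(w32Params,(void *)w32SDTParameterBase,w32SDTCount);
            // A previously published table is deliberately not freed: the
            // intercept path reads keSDTParameter/w32SDTParameter without any
            // lock this case holds, so freeing here could race with a reader.
            // The leak is bounded by the number of GETNTSDT requests.
            keSDTParameter = keParams;
            w32SDTParameter = w32Params;
            NTSDT * nt_sdt = (NTSDT * )OutbufBuffer;
            nt_sdt->keSDTCount = (WORD)keSDTCount;
            nt_sdt->w32SDTCount = (WORD)w32SDTCount;
            // Both copies are bounded by the Max-count checks above.
            memcpy(nt_sdt->keSDTAddress,keSDT,keSDTCount*sizeof(DWORD));
            memcpy(nt_sdt->w32SDTAddress,w32SDT,w32SDTCount*sizeof(DWORD));
            *pStatusInfo = sizeof(NTSDT);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            return STATUS_ACCESS_VIOLATION;
        }
        return STATUS_SUCCESS;
    }
    case IOCTL_STRACE_GETBUF:
    {
        STRACE_BUF_FIELD * StraceCurrentBuf;
        LONG StraceBufCount;
        STRACE_RESULT* strace_result;
        // Pick the buffer to drain: a full one first, otherwise the one
        // currently being filled. The counts are sampled without
        // StraceCountMutex, as before; the copy uses the sampled value, and
        // entries appended between the sample and the reset below are dropped.
        if(StraceBufCount1 == StraceBufMaxCount1)
        {
            StraceCurrentBuf = StraceBuf1;
            StraceBufCount = StraceBufCount1;
        }
        else if(StraceBufCount2 == StraceBufMaxCount2){
            StraceCurrentBuf = StraceBuf2;
            StraceBufCount = StraceBufCount2;
        }
        else{
            if(StraceCurrentBufId == STRACE_FIRST_BUF)
            {
                StraceCurrentBuf = StraceBuf1;
                StraceBufCount = StraceBufCount1;
            }
            else{
                StraceCurrentBuf = StraceBuf2;
                StraceBufCount = StraceBufCount2;
            }
        }
        // Output layout: a WORD entry count followed by the entries.
        if( OutputBufferLength < (StraceBufCount * sizeof(STRACE_BUF_FIELD) + sizeof(WORD)) )
        {
#ifdef DBG
            DbgPrint("STATUS_BUFFER_TOO_SMALL:%ld<%ld",OutputBufferLength,(StraceBufCount * sizeof(STRACE_BUF_FIELD) + sizeof(WORD)));
            _asm int 3;
#endif
            return STATUS_BUFFER_TOO_SMALL;
        }
        strace_result = (STRACE_RESULT*)OutbufBuffer;
        strace_result->EntriesCount = (WORD)StraceBufCount;
        memset(strace_result->trace,0,StraceBufCount * sizeof(STRACE_BUF_FIELD));
        // Copy under the mutex of the buffer being drained.
        if(StraceCurrentBuf == StraceBuf1){
            ExAcquireFastMutex(&StraceBuf1Mutex);
            memcpy(strace_result->trace,StraceCurrentBuf,StraceBufCount * sizeof(STRACE_BUF_FIELD));
            *pStatusInfo = (StraceBufCount * sizeof(STRACE_BUF_FIELD)) + sizeof(WORD);
            ExReleaseFastMutex(&StraceBuf1Mutex);
        }
        else{
            ExAcquireFastMutex(&StraceBuf2Mutex);
            memcpy(strace_result->trace,StraceCurrentBuf,StraceBufCount * sizeof(STRACE_BUF_FIELD));
            *pStatusInfo = (StraceBufCount * sizeof(STRACE_BUF_FIELD))+sizeof(WORD);
            ExReleaseFastMutex(&StraceBuf2Mutex);
        }
        // Mark the drained buffer empty.
        ExAcquireFastMutex(&StraceCountMutex);
        if(StraceCurrentBuf == StraceBuf1){
            StraceBufCount1 =0;
        }
        else{
            StraceBufCount2 =0;
        }
        ExReleaseFastMutex(&StraceCountMutex);
        return STATUS_SUCCESS;
    }
    case IOCTL_STRACE_WAITFOR_TRACEOVERFLOW:
    {
        NTSTATUS WaitStatus;
        LARGE_INTEGER Timeout;
        DWORD Timeout_msec;
        // The timeout is read from the caller's buffer; make sure it is there.
        if( InputBufferLength < sizeof(DWORD) )
        {
            return STATUS_BUFFER_TOO_SMALL;
        }
        Timeout_msec = *(DWORD*)InputBuffer;
        // Relative timeout in 100ns units (negative = relative). Computed in
        // 64-bit so large millisecond values do not wrap in 32-bit arithmetic.
        Timeout.QuadPart = -(LONGLONG)Timeout_msec * 10000;
        WaitStatus = KeWaitForSingleObject(
            &StraceBufOverflowEvent,
            UserRequest,
            KernelMode,
            TRUE,
            &Timeout);
        // Reset regardless of the wait outcome (signalled, timed out, alerted).
        KeResetEvent(&StraceBufOverflowEvent);
        return WaitStatus;
    }
    case IOCTL_STRACE_STOPSPY:
    {
        SpyOn=FALSE;
        return STATUS_SUCCESS;
    }
    case IOCTL_STRACE_STARTSPY:
    {
        // The whole filter structure is copied from the caller; reject short input.
        if( InputBufferLength < sizeof(filter) )
        {
            return STATUS_BUFFER_TOO_SMALL;
        }
        strace_filter =(STRACE_FILTER *)&filter;
        memcpy(strace_filter,InputBuffer,sizeof(filter));
        StracePID=strace_filter->StracePID;
        SpyOn=TRUE;
        //Clear log
        ExAcquireFastMutex(&StraceCountMutex);
        StraceBufCount1 =0;
        StraceBufCount2 =0;
        StraceCurrentBufId = STRACE_FIRST_BUF;
        ExReleaseFastMutex(&StraceCountMutex);
        return STATUS_SUCCESS;
    }
    case IOCTL_STRACE_SETPROCESSFILER:
    {
        PROCESS_FILTER* pfilter;
        WORD* newArray;
        ULONG headerBytes = FIELD_OFFSET(PROCESS_FILTER, ProcessIdArray);
        // EntriesCount and the id array both come from the caller: both must
        // lie inside InputBufferLength before they are read, and EntriesCount
        // must not claim more ids than the buffer actually holds.
        if( InputBufferLength < headerBytes
            || InputBufferLength < FIELD_OFFSET(PROCESS_FILTER, EntriesCount) + sizeof(pfilter->EntriesCount) )
        {
            return STATUS_BUFFER_TOO_SMALL;
        }
        pfilter = (PROCESS_FILTER* )InputBuffer;
        if( pfilter->EntriesCount > (InputBufferLength - headerBytes) / sizeof(WORD) )
        {
            return STATUS_INVALID_PARAMETER;
        }
        // Allocate and fill before taking the filter lock, so a failed
        // allocation leaves the current filter untouched.
        newArray = (WORD* ) ExAllocatePool( NonPagedPool, (pfilter->EntriesCount +1)* sizeof(WORD) );
        if( newArray == NULL )
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        memcpy(newArray ,pfilter->ProcessIdArray,pfilter->EntriesCount * sizeof(WORD));
        ExAcquireFastMutex(&StraceFilterMutex);
        if(ProcessFilterIdArray){
            ExFreePool(ProcessFilterIdArray);   // ExFreePool(NULL) is not allowed, hence the guard
        }
        ProcessFilterIdArray = newArray;
        ProcessFilterEntriesCount = pfilter->EntriesCount;
        ExReleaseFastMutex(&StraceFilterMutex);
        return STATUS_SUCCESS;
    }
    case IOCTL_STRACE_CLEARBUF:
    {
        ExAcquireFastMutex(&StraceCountMutex);
        StraceBufCount1 =0;
        StraceBufCount2 =0;
        StraceCurrentBufId = STRACE_FIRST_BUF;
        ExReleaseFastMutex(&StraceCountMutex);
        return STATUS_SUCCESS;
    }
    default:
        break;
    }
    return STATUS_INVALID_PARAMETER;
}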
// Finds the byte offset of the image-file-name string inside the current
// EPROCESS by scanning its first 3*PAGE_SIZE bytes for SYSNAME (the name of
// the calling process is assumed to be SYSNAME when this runs — the original
// comment's "hopping the KPEB never grows that big" caveat still applies).
// Returns 0 when the name is not found.
ULONG GetProcessNameOffset()
{
const char *procBase = (const char *) PsGetCurrentProcess();
size_t nameLen = strlen(SYSNAME);
const ULONG scanLimit = 3*PAGE_SIZE;
for( ULONG offset = 0; offset < scanLimit; ++offset ) {
if( strncmp( SYSNAME, procBase + offset, nameLen ) == 0 ) {
return offset;
}
}
return 0;
}
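// Copies the current process's image name into Name, or "???" when
// ProcessNameOffset is unknown. Exactly 16 bytes are written in the named
// case (as before), and Name is now always NUL-terminated, so Name must have
// room for at least 16 bytes.
void GetProcessName( PCHAR Name )
{
PEPROCESS curproc;
char *nameptr;
if( ProcessNameOffset ) {
curproc = PsGetCurrentProcess();
nameptr = (PCHAR) curproc + ProcessNameOffset;
// strncpy alone leaves Name unterminated when the source fills all 16
// bytes; copy at most 15 characters and terminate explicitly.
strncpy( Name, nameptr, 15 );
Name[15] = '\0';
} else {
strcpy( Name, "???");
}
}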