📄 mspylog.c
字号:
/*++
Copyright (c) 1989-2002 Microsoft Corporation
Module Name:
mspyLog.c
Abstract:
This module contains functions used to retrieve and see the log records
recorded by MiniSpy.sys.
Environment:
User mode
--*/
#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include <winioctl.h>
#include "mspyLog.h"
#define TIME_BUFFER_LENGTH 20
#define TIME_ERROR "time error"
#define POLL_INTERVAL 200 // 200 milliseconds
BOOLEAN
TranslateFileTag(
__in PLOG_RECORD logRecord
)
/*++
Routine Description:
If this is a mount point reparse point, move the given name string to the
correct position in the log record structure so it will be displayed
by the common routines.
Arguments:
logRecord - The log record to update
Return Value:
TRUE - if this is a mount point reparse point
FALSE - otherwise
--*/
{
PFLT_TAG_DATA_BUFFER TagData;
ULONG Length;
//
// The reparse data structure starts in the NAME field, point to it.
//
TagData = (PFLT_TAG_DATA_BUFFER) &logRecord->Name[0];
//
// See if MOUNT POINT tag
//
if (TagData->FileTag == IO_REPARSE_TAG_MOUNT_POINT) {
//
// calculate how much to copy
//
Length = min( MAX_NAME_SPACE - sizeof(UNICODE_NULL), TagData->MountPointReparseBuffer.SubstituteNameLength );
//
// Position the reparse name at the proper position in the buffer.
// Note that we are doing an overlapped copy
//
MoveMemory( &logRecord->Name[0],
TagData->MountPointReparseBuffer.PathBuffer,
Length );
logRecord->Name[Length/sizeof(WCHAR)] = UNICODE_NULL;
return TRUE;
}
return FALSE;
}
DWORD
WINAPI
RetrieveLogRecords(
__in LPVOID lpParameter
)
/*++
Routine Description:
This runs as a separate thread. Its job is to retrieve log records
from the filter and then output them
Arguments:
lpParameter - Contains context structure for synchronizing with the
main program thread.
Return Value:
The thread successfully terminated
--*/
{
PLOG_CONTEXT context = (PLOG_CONTEXT)lpParameter;
DWORD bytesReturned = 0;
DWORD used;
PVOID alignedBuffer[BUFFER_SIZE/sizeof( PVOID )];
PCHAR buffer = (PCHAR) alignedBuffer;
HRESULT hResult;
PLOG_RECORD pLogRecord;
PRECORD_DATA pRecordData;
COMMAND_MESSAGE commandMessage;
//printf("Log: Starting up\n");
while (TRUE) {
//
// Check to see if we should shut down.
//
if (context->CleaningUp) {
break;
}
//
// Request log data from MiniSpy.
//
commandMessage.Command = GetMiniSpyLog;
hResult = FilterSendMessage( context->Port,
&commandMessage,
sizeof( COMMAND_MESSAGE ),
buffer,
sizeof(alignedBuffer),
&bytesReturned );
if (IS_ERROR( hResult )) {
if (HRESULT_FROM_WIN32( ERROR_INVALID_HANDLE ) == hResult) {
printf( "The kernel component of minispy has unloaded. Exiting\n" );
ExitProcess( 0 );
} else {
if (hResult != HRESULT_FROM_WIN32( ERROR_NO_MORE_ITEMS )) {
printf( "UNEXPECTED ERROR received: %x\n", hResult );
}
Sleep( POLL_INTERVAL );
}
continue;
}
//
// Buffer is filled with a series of LOG_RECORD structures, one
// right after another. Each LOG_RECORD says how long it is, so
// we know where the next LOG_RECORD begins.
//
pLogRecord = (PLOG_RECORD) buffer;
used = 0;
//
// Logic to write record to screen and/or file
//
for (;;) {
if (used+FIELD_OFFSET(LOG_RECORD,Name) > bytesReturned) {
break;
}
if (pLogRecord->Length < (sizeof(LOG_RECORD)+sizeof(WCHAR))) {
printf( "UNEXPECTED LOG_RECORD->Length: length=%d expected>=%d\n",
pLogRecord->Length,
(sizeof(LOG_RECORD)+sizeof(WCHAR)));
break;
}
used += pLogRecord->Length;
if (used > bytesReturned) {
printf( "UNEXPECTED LOG_RECORD size: used=%d bytesReturned=%d\n",
used,
bytesReturned);
break;
}
pRecordData = &pLogRecord->Data;
//
// See if a reparse point entry
//
if (FlagOn(pLogRecord->RecordType,RECORD_TYPE_FILETAG)) {
if (!TranslateFileTag( pLogRecord )){
//
// If this is a reparse point that can't be interpreted, move on.
//
pLogRecord = (PLOG_RECORD)Add2Ptr(pLogRecord,pLogRecord->Length);
continue;
}
}
if (context->LogToScreen) {
ScreenDump( pLogRecord->SequenceNumber,
pLogRecord->Name,
pRecordData );
}
if (context->LogToFile) {
FileDump( pLogRecord->SequenceNumber,
pLogRecord->Name,
pRecordData,
context->OutputFile );
}
//
// The RecordType could also designate that we are out of memory
// or hit our program defined memory limit, so check for these
// cases.
//
if (FlagOn(pLogRecord->RecordType,RECORD_TYPE_FLAG_OUT_OF_MEMORY)) {
if (context->LogToScreen) {
printf( "M %08X SYSTEM OUT OF MEMORY\n",
pLogRecord->SequenceNumber );
}
if (context->LogToFile) {
fprintf( context->OutputFile,
"M:\t%u",
pLogRecord->SequenceNumber );
}
} else if (FlagOn(pLogRecord->RecordType,RECORD_TYPE_FLAG_EXCEED_MEMORY_ALLOWANCE)) {
if (context->LogToScreen) {
printf( "M %08X EXCEEDED MEMORY ALLOWANCE\n",
pLogRecord->SequenceNumber );
}
if (context->LogToFile) {
fprintf( context->OutputFile,
"M:\t%u",
pLogRecord->SequenceNumber );
}
}
//
// Move to next LOG_RECORD
//
pLogRecord = (PLOG_RECORD)Add2Ptr(pLogRecord,pLogRecord->Length);
}
//
// If we didn't get any data, pause for 1/2 second
//
if (bytesReturned == 0) {
Sleep( POLL_INTERVAL );
}
}
printf( "Log: Shutting down\n" );
ReleaseSemaphore( context->ShutDown, 1, NULL );
printf( "Log: All done\n" );
return 0;
}
VOID
PrintIrpCode(
__in UCHAR MajorCode,
__in UCHAR MinorCode,
__in_opt FILE *OutputFile,
__in BOOLEAN PrintMajorCode
)
/*++
Routine Description:
Display the operation code
Arguments:
MajorCode - Major function code of operation
MinorCode - Minor function code of operation
OutputFile - If writing to a file (not the screen) the handle for that file
PrintMajorCode - Only used when printing to the display:
TRUE - if we want to display the MAJOR CODE
FALSE - if we want to display the MINOR code
Return Value:
None
--*/
{
CHAR *irpMajorString, *irpMinorString = NULL;
CHAR formatBuf[128];
CHAR errorBuf[128];
switch (MajorCode) {
case IRP_MJ_CREATE:
irpMajorString = IRP_MJ_CREATE_STRING;
break;
case IRP_MJ_CREATE_NAMED_PIPE:
irpMajorString = IRP_MJ_CREATE_NAMED_PIPE_STRING;
break;
case IRP_MJ_CLOSE:
irpMajorString = IRP_MJ_CLOSE_STRING;
break;
case IRP_MJ_READ:
irpMajorString = IRP_MJ_READ_STRING;
switch (MinorCode) {
case IRP_MN_NORMAL:
irpMinorString = IRP_MN_NORMAL_STRING;
break;
case IRP_MN_DPC:
irpMinorString = IRP_MN_DPC_STRING;
break;
case IRP_MN_MDL:
irpMinorString = IRP_MN_MDL_STRING;
break;
case IRP_MN_COMPLETE:
irpMinorString = IRP_MN_COMPLETE_STRING;
break;
case IRP_MN_COMPRESSED:
irpMinorString = IRP_MN_COMPRESSED_STRING;
break;
case IRP_MN_MDL_DPC:
irpMinorString = IRP_MN_MDL_DPC_STRING;
break;
case IRP_MN_COMPLETE_MDL:
irpMinorString = IRP_MN_COMPLETE_MDL_STRING;
break;
case IRP_MN_COMPLETE_MDL_DPC:
irpMinorString = IRP_MN_COMPLETE_MDL_DPC_STRING;
break;
default:
sprintf_s(errorBuf,sizeof(errorBuf),"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_WRITE:
irpMajorString = IRP_MJ_WRITE_STRING;
switch (MinorCode) {
case IRP_MN_NORMAL:
irpMinorString = IRP_MN_NORMAL_STRING;
break;
case IRP_MN_DPC:
irpMinorString = IRP_MN_DPC_STRING;
break;
case IRP_MN_MDL:
irpMinorString = IRP_MN_MDL_STRING;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -