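/* reg.h — shared declarations for the RegMon registry-monitor driver.
 * The header had no include guard; including it twice would redefine the
 * struct tags declared below, which C rejects, so guard it here. */
#pragma once

/* Native (object-manager) name of the control device the driver creates. */
#define NT_DEVICE_NAME L"\\Device\\RegMon"
/* Win32-visible symbolic link, reachable from user mode as \\.\RegMon.
 * NOTE(review): nothing in this header restricts who may open it; access is
 * governed by the security descriptor/SDDL applied when the device is
 * created in the .c file — confirm a non-default DACL is set. */
#define DOS_DEVICE_NAME L"\\DosDevices\\RegMon"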
/////////////////////Structure definitions///////////////////////
/*
 * One entry of the (undocumented) SystemModuleInformation buffer as this
 * driver expects it. Reserved/Size/Flags are plain ULONG, i.e. this is the
 * 32-bit-era layout; it is not valid for an x64 kernel.
 * NOTE(review): undocumented structure — confirm against the target build.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;                 /* presumably the module's load address — verify */
ULONG Size;                 /* presumably the image size in bytes — verify */
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;    /* presumably an index into ImageName where the bare file name starts — verify before using it */
CHAR ImageName[256];        /* fixed 256-byte buffer; nothing here guarantees NUL termination, so bound any copy at 256 */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Header of the module-list buffer: a count followed by ulCount entries.
 * smi[1] is a C89-style variable-length tail, so a real buffer is larger
 * than sizeof(SYSMODULELIST); only index smi[i] for i < ulCount, and only
 * within the byte length the kernel actually returned for the query.
 */
typedef struct _tagSysModuleList {
ULONG ulCount;
SYSTEM_MODULE_INFORMATION smi[1];
} SYSMODULELIST, *PSYSMODULELIST;
/*
 * Base address and image size of the kernel (ntoskrnl), as resolved by the
 * .c file. Both are ULONG, which can only hold a 32-bit address — like the
 * raw offsets further down, this type ties the driver to x86.
 * The pointer typedef's mixed-case name (PNtKERNELINFO) is kept as-is
 * because existing callers may already use it.
 */
typedef struct _tagNTKERNELINFO {
ULONG ntBase;          /* kernel image base (32-bit address) */
ULONG ntImageSize;     /* kernel image size in bytes */
} NTKERNELINFO, *PNtKERNELINFO;
/*
 * Private object-manager structure reached through
 * OBJECT_HEADER.ObjectCreateInfo. It is declared here only so that
 * OBJECT_HEADER below has the correct shape; this driver does not need its
 * fields directly. Version-specific internal layout.
 * NOTE(review): confirm against the target kernel build before relying on
 * any field offset.
 */
typedef struct _OBJECT_CREATE_INFORMATION
{
ULONG Attributes;
HANDLE RootDirectory;
PVOID ParseContext;
KPROCESSOR_MODE ProbeMode;
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
ULONG SecurityDescriptorCharge;
PSECURITY_DESCRIPTOR SecurityDescriptor;
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
/*
 * Object-manager header that immediately precedes every object body.
 * Type is a full POBJECT_TYPE pointer here, which marks this as the older
 * 32-bit layout; newer kernels are known to lay this header out
 * differently. Use it only on the kernel build it was taken from.
 * NOTE(review): verify every field offset against the target build's
 * symbols before dereferencing — a wrong layout here is a kernel crash
 * (or worse, a silent read of the wrong object's fields).
 */
typedef struct _OBJECT_HEADER
{
LONG PointerCount;                    /* reference count */
union
{
LONG HandleCount;                     /* open-handle count while the object is live */
volatile PVOID NextToFree;            /* overlays HandleCount once the object is queued for deletion */
};
POBJECT_TYPE Type;                    /* the object's type object; what GetObjectType reads (presumably via type_Name) */
UCHAR NameInfoOffset;                 /* presumably: byte distance back from this header to the optional name/handle/quota */
UCHAR HandleInfoOffset;               /*   info blocks, 0 when absent — confirm before walking backwards */
UCHAR QuotaInfoOffset;
UCHAR Flags;
union
{
POBJECT_CREATE_INFORMATION ObjectCreateInfo;   /* valid only during creation */
PVOID QuotaBlockCharged;                       /* afterwards the quota block */
};
PSECURITY_DESCRIPTOR SecurityDescriptor;       /* NOTE(review): in the kernel the low bits of this pointer are reused as flags — mask before dereferencing */
QUAD Body;                            /* the object body begins here (8-byte aligned) */
}OBJECT_HEADER, *POBJECT_HEADER;
/* Recover the header from an object pointer by backing up to Body.
 * o must be a real object pointer handed out by the object manager
 * (e.g. from ObReferenceObjectByHandle), never an arbitrary address. */
#define OBJECT_TO_OBJECT_HEADER(o) CONTAINING_RECORD( (o),OBJECT_HEADER,Body )
/*
 * Configuration-manager name-hash entry.
 * Name[1] is a variable-length tail: the string continues past
 * sizeof(CM_NAME_HASH) and nothing in this definition makes it
 * NUL-terminated, so copy NameLength worth of data rather than using
 * wcslen/strlen on it.
 */
typedef struct _CM_NAME_HASH {
ULONG ConvKey;                  /* hash of the name */
struct _CM_NAME_HASH *NextHash; /* next entry in the same hash bucket */
USHORT NameLength;              /* length of Name — presumably in bytes, as in the kernel's CM structures; verify before using it as a WCHAR count */
WCHAR Name[1] ;                 /* start of the name; see note above */
} CM_NAME_HASH, *PCM_NAME_HASH;
/*
 * Name control block referenced from a key control block (see the NameBlock
 * offset below). The anonymous struct inside the union duplicates the
 * CM_NAME_HASH layout field-for-field so the name can be reached either
 * way; note its NextHash is typed as _CM_KEY_HASH* while CM_NAME_HASH uses
 * _CM_NAME_HASH* — same pointer size, so the layout is unaffected, but the
 * inconsistency is there.
 */
typedef struct _CM_NAME_CONTROL_BLOCK
{
BOOLEAN Compressed;             /* presumably: Name holds 8-bit characters instead of WCHARs when TRUE — any reader must honour this or it will misdecode names; confirm */
USHORT RefCount;
union
{
CM_NAME_HASH NameHash;
struct
{
ULONG ConvKey;
struct _CM_KEY_HASH *NextHash;
USHORT NameLength;              /* length of Name (presumably bytes — verify) */
WCHAR Name[1] ;                 /* variable-length, not NUL-terminated by this definition */
};
};
} CM_NAME_CONTROL_BLOCK, *PCM_NAME_CONTROL_BLOCK;
/*
 * Body of a registry Key object (what a key HANDLE resolves to).
 * Type carries the "ky02" signature; check it (and the object type) before
 * treating an arbitrary object as a CM_KEY_BODY, since
 * GetRegNameByKeyObject dereferences KeyControlBlock through raw offsets.
 */
typedef struct _CM_KEY_BODY
{
ULONG Type;                 /* signature "ky02" */
PVOID KeyControlBlock;      /* _CM_KEY_CONTROL_BLOCK, accessed via the ParentKcb/NameBlock offsets below */
PVOID NotifyBlock;
PEPROCESS Process;          /* owning process */
LIST_ENTRY KeyBodyList;     /* other key bodies sharing the same KCB */
} CM_KEY_BODY, *PCM_KEY_BODY;
/*
 * Raw byte offsets used instead of full structure declarations.
 * All three are hard-coded for one particular 32-bit kernel build; they
 * are NOT stable across Windows versions.
 * NOTE(review): confirm each against the target build's symbols, and
 * consider refusing to load on an unrecognised build rather than
 * dereferencing a wrong offset.
 */
#define type_Name 0x40   /* presumably the offset of Name within OBJECT_TYPE — verify */
#define ParentKcb 0x018  /* _CM_KEY_CONTROL_BLOCK.ParentKcb */
#define NameBlock 0x01c  /* _CM_KEY_CONTROL_BLOCK.NameBlock (-> CM_NAME_CONTROL_BLOCK) */
////////////////Kernel export declarations/////////////////////
/*
 * Hand-written prototypes for kernel exports this driver uses.
 * NOTE(review): PsLookupProcessByProcessId's real first parameter is a
 * HANDLE; declaring it as ULONG only works on x86 where both are 32 bits.
 * If the WDK headers in use already declare this function, this conflicting
 * prototype is a compile error — prefer the SDK declaration. The returned
 * EPROCESS is referenced and must be released with ObDereferenceObject
 * (documented contract; not visible in this file).
 */
NTSTATUS
PsLookupProcessByProcessId(
IN ULONG ulProcId,
OUT PEPROCESS *pEProcess
);
/* Process id of an EPROCESS. */
NTKERNELAPI
HANDLE
PsGetProcessId(PEPROCESS Process);
/* Owning process of an ETHREAD. */
NTKERNELAPI
PEPROCESS
PsGetThreadProcess(IN PETHREAD Thread);
/* Undocumented accessor: returns a pointer to the short image-file-name
 * buffer inside the EPROCESS (presumably 15 characters plus NUL). The
 * pointer is only valid while the process is referenced; copy, don't keep. */
NTKERNELAPI
PUCHAR
PsGetProcessImageFileName(IN PEPROCESS Process);
/* Standard ObReferenceObjectByHandle; redeclared here so the hook filters
 * below can mirror its exact parameter list. */
NTKERNELAPI
NTSTATUS
ObReferenceObjectByHandle(
__in HANDLE Handle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PVOID *Object,
__out_opt POBJECT_HANDLE_INFORMATION HandleInformation);
//////////////////////////////////////////////////
//////////////////Driver-defined function declarations///////////////////
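/*
 * Hook plumbing. Check_Parameter and Re_Old_Function take exactly the
 * ObReferenceObjectByHandle parameter list declared above, which indicates
 * that API is what the detour intercepts, even though the installer is
 * named DetourFunctionHook_ObOpenObjectByPointer.
 * NOTE(review): name and target should agree — confirm which export is
 * actually patched. Inline-patching a kernel export also only works on
 * x86 kernels without kernel patch protection, consistent with the ULONG
 * addresses used throughout this header.
 */

/* Detour entry point jumped to from the patched export.
 * Declared (void): an empty () prototype disables argument checking in C. */
BOOLEAN
Proxy_Function(void);

/* Filter run with the intercepted call's arguments; the return value
 * decides whether the original call proceeds (exact meaning is in the .c). */
int
Check_Parameter(
__in HANDLE Handle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PVOID *Object,
__out_opt POBJECT_HANDLE_INFORMATION HandleInformation);

/* Re-executes the original (unhooked) function with the same arguments. */
BOOLEAN
Re_Old_Function(
__in HANDLE Handle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PVOID *Object,
__out_opt POBJECT_HANDLE_INFORMATION HandleInformation);

/* Install / remove the inline hook at FunAddr (a 32-bit code address). */
NTSTATUS
DetourFunctionHook_ObOpenObjectByPointer(IN ULONG FunAddr);
VOID
UnHook_Function(IN ULONG FunAddr);

/* Driver lifecycle. */
VOID
UnloadDriver(IN PDRIVER_OBJECT DriverObject);
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT theDriverObject,IN PUNICODE_STRING theRegistryPath);

/* Resolves a kernel export by name; 0 presumably means not found (verify in the .c).
 * ULONG return: x86-only address width. */
ULONG
GetFunctionAddr(IN PCWSTR FunctionName);

/* Locates the CmpKeyObjectType value used to recognise Key objects. */
NTSTATUS
GetCmpKeyObjectTypeByInstance(void);

/*
 * Name helpers. None of these take a buffer length: TypeName, RegKeyName,
 * Name and outName are written without any bound visible at this interface,
 * so every caller must pass a buffer at least as large as the longest name
 * the implementation can produce, and the implementation must truncate
 * rather than overrun.
 * NOTE(review): registry key paths can be thousands of characters; confirm
 * the .c file bounds these copies.
 */
NTSTATUS
GetObjectType(PVOID Object,PUCHAR TypeName);
NTSTATUS
GetRegNameByKeyObject(PCM_KEY_BODY Object,PCHAR RegKeyName);
/* Walks one level up the KCB chain; returns the parent control block (or
 * presumably NULL at the root — verify) after appending that level's name. */
PVOID
GetNextRegNameByControlBlock(PVOID pControlBlock,char* Name);
/* Copies/normalises inName into outName (exact transformation is in the .c). */
void GetTheOriName(PCHAR inName,PCHAR outName);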
///////////////////////////////////////////////////////