archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/admin/pchealth/client/datacoll/wmiprov/pch_systemhook.cpp

399 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /********************************************************************
  3. Copyright (c) 1999 Microsoft Corporation
  5. Module Name:
  6. PCH_SystemHook.CPP
  8. Abstract:
  9. WBEM provider class implementation for PCH_SystemHook class
  11. Revision History:
  13. Ghim-Sim Chua (gschua) 05/05/99
  14. - Created
  16. Jim Martin (a-jammar) 06/01/99
  17. - Populated data, added Dr. Watson code.
  19. ********************************************************************/
  21. #include "pchealth.h"
  22. #include "PCH_SystemHook.h"
  24. /////////////////////////////////////////////////////////////////////////////
  25. // tracing stuff
  27. #ifdef THIS_FILE
  28. #undef THIS_FILE
  29. #endif
  30. static char __szTraceSourceFile[] = __FILE__;
  31. #define THIS_FILE __szTraceSourceFile
  32. #define TRACE_ID DCID_SYSTEMHOOK
  34. CPCH_SystemHook MyPCH_SystemHookSet (PROVIDER_NAME_PCH_SYSTEMHOOK, PCH_NAMESPACE);
  36. // Property names
  38. const static WCHAR * pTimeStamp = L"TimeStamp";
  39. const static WCHAR * pChange = L"Change";
  40. const static WCHAR * pApplication = L"Application";
  41. const static WCHAR * pApplicationPath = L"ApplicationPath";
  42. const static WCHAR * pDLLPath = L"DLLPath";
  43. const static WCHAR * pFullPath = L"FullPath";
  44. const static WCHAR * pHookedBy = L"HookedBy";
  45. const static WCHAR * pHookType = L"HookType";
  47. //-----------------------------------------------------------------------------
  48. // Here's a simple collection class to hold the hook information.
  49. //-----------------------------------------------------------------------------
  51. class CHookInfo
  52. {
  53. public:
  54. CHookInfo() : m_pList(NULL) {};
  55. ~CHookInfo();
  57. BOOL QueryHooks();
  58. BOOL GetHook(DWORD dwIndex, int * iHook, char ** pszDll, char ** pszExe);
  60. private:
  61. // Functions pulled from the Dr. Watson code.
  63. BOOL NTAPI Hook_PreInit();
  64. void NTAPI Hook_RecordHook(PHOOK16 phk, PHOOKWALKINFO phwi);
  66. // A struct to hold each parsed hook.
  68. struct SHookItem
  69. {
  70. int m_iHook;
  71. char m_szHookDll[MAX_PATH];
  72. char m_szHookExe[MAX_PATH];
  73. SHookItem * m_pNext;
  75. SHookItem(int iHook, const char * szDll, const char * szExe, SHookItem * pNext)
  76. : m_iHook(iHook), m_pNext(pNext)
  77. {
  78. strcpy(m_szHookDll, szDll);
  79. strcpy(m_szHookExe, szExe);
  80. }
  81. };
  83. SHookItem * m_pList;
  84. };
  86. //-----------------------------------------------------------------------------
  87. // The destructor gets rid of the list of hooks.
  88. //-----------------------------------------------------------------------------
  90. CHookInfo::~CHookInfo()
  91. {
  92. TraceFunctEnter("CHookInfo::~CHookInfo");
  93. SHookItem * pNext;
  94. while (m_pList)
  95. {
  96. pNext = m_pList->m_pNext;
  97. delete m_pList;
  98. m_pList = pNext;
  99. }
  100. TraceFunctLeave();
  101. }
  103. //-----------------------------------------------------------------------------
  104. // QueryHooks creates the list of system hooks (by calling the Dr. Watson code).
  105. //-----------------------------------------------------------------------------
  107. extern "C" void ThunkInit(void);
  108. BOOL CHookInfo::QueryHooks()
  109. {
  110. ThunkInit();
  111. return Hook_PreInit();
  112. }
  114. //-----------------------------------------------------------------------------
  115. // GetHook returns information for the hook specified by dwIndex. If there is
  116. // no hook at that index, FALSE is returned. The string pointers are changed
  117. // to point at the appropriate strings in the CHookInfo list. This pointers
  118. // will be invalid when the CHookInfo object is destroyed.
  119. //-----------------------------------------------------------------------------
  121. BOOL CHookInfo::GetHook(DWORD dwIndex, int * iHook, char ** pszDll, char ** pszExe)
  122. {
  123. TraceFunctEnter("CHookInfo::GetHook");
  125. SHookItem * pItem = m_pList;
  126. BOOL fReturn = FALSE;
  128. for (DWORD i = 0; i < dwIndex && pItem; i++)
  129. pItem = pItem->m_pNext;
  131. if (pItem)
  132. {
  133. *iHook = pItem->m_iHook;
  134. *pszDll = pItem->m_szHookDll;
  135. *pszExe = pItem->m_szHookExe;
  136. fReturn = TRUE;
  137. }
  139. TraceFunctLeave();
  140. return fReturn;
  141. }
  143. //-----------------------------------------------------------------------------
  144. // The following table is used for indicating the hook type. It's referenced
  145. // by the iHook value returned from CHookInfo::GetHook. One has to be added
  146. // to the iHook value to reference this table, since it starts from -1.
  147. //-----------------------------------------------------------------------------
  149. LPCTSTR aszHookType[] =
  150. {
  151. _T("Message Filter"),
  152. _T("Journal Record"),
  153. _T("Journal Playback"),
  154. _T("Keyboard"),
  155. _T("GetMessage"),
  156. _T("Window Procedure"),
  157. _T("CBT"),
  158. _T("System MsgFilter"),
  159. _T("Mouse"),
  160. _T("Hardware"),
  161. _T("Debug"),
  162. _T("Shell"),
  163. _T("Foreground Idle"),
  164. _T("Window Procedure Result")
  165. };
  167. //-----------------------------------------------------------------------------
  168. // The EnumeratInstances function is called by WMI to enurate the instances
  169. // of the class. Here we use the CHookInfo class to create a list of system
  170. // hooks which we enumerate, creating a WMI object for each one.
  171. //-----------------------------------------------------------------------------
  173. HRESULT CPCH_SystemHook::EnumerateInstances(MethodContext * pMethodContext, long lFlags)
  174. {
  175. TraceFunctEnter("CPCH_SystemHook::EnumerateInstances");
  176. HRESULT hRes = WBEM_S_NO_ERROR;
  178. // Get the date and time
  180. SYSTEMTIME stUTCTime;
  181. GetSystemTime(&stUTCTime);
  183. CHookInfo hookinfo;
  184. if (hookinfo.QueryHooks())
  185. {
  186. int iHook;
  187. char * szDll;
  188. char * szExe;
  190. for (DWORD dwIndex = 0; hookinfo.GetHook(dwIndex, &iHook, &szDll, &szExe); dwIndex++)
  191. {
  192. CInstancePtr pInstance(CreateNewInstance(pMethodContext), false);
  194. // Set the change and timestamp fields to "Snapshot" and the current time.
  196. if (!pInstance->SetDateTime(pTimeStamp, WBEMTime(stUTCTime)))
  197. ErrorTrace(TRACE_ID, "SetDateTime on Timestamp field failed.");
  199. if (!pInstance->SetCHString(pChange, L"Snapshot"))
  200. ErrorTrace(TRACE_ID, "SetCHString on Change field failed.");
  202. // Set the properties we found for the hook.
  204. if (!pInstance->SetCHString(pDLLPath, szDll))
  205. ErrorTrace(TRACE_ID, "SetCHString on DLL field failed.");
  207. if (!pInstance->SetCHString(pApplicationPath, szExe))
  208. ErrorTrace(TRACE_ID, "SetCHString on application path field failed.");
  210. if (!pInstance->SetCHString(pApplication, PathFindFileName(szExe)))
  211. ErrorTrace(TRACE_ID, "SetCHString on application field failed.");
  213. if (!pInstance->SetCHString(pFullPath, szDll))
  214. ErrorTrace(TRACE_ID, "SetCHString on pFullPath field failed.");
  216. if (!pInstance->SetCHString(pHookedBy, PathFindFileName(szDll)))
  217. ErrorTrace(TRACE_ID, "SetCHString on pHookedBy field failed.");
  219. if (iHook >= -1 && iHook <= 12)
  220. {
  221. if (!pInstance->SetCHString(pHookType, aszHookType[iHook + 1]))
  222. ErrorTrace(TRACE_ID, "SetCHString on pHookType field failed.");
  223. }
  224. else
  225. ErrorTrace(TRACE_ID, "Bad hook type.");
  227. hRes = pInstance->Commit();
  228. if (FAILED(hRes))
  229. ErrorTrace(TRACE_ID, "Commit on Instance failed.");
  230. }
  231. }
  233. TraceFunctLeave();
  234. return hRes;
  235. }
  237. //-----------------------------------------------------------------------------
  238. // Gather the system hook information.
  239. //-----------------------------------------------------------------------------
  241. TCHAR g_tszShell[MAX_PATH];
  242. BOOL NTAPI CHookInfo::Hook_PreInit()
  243. {
  244. TraceFunctEnter("CHookInfo::Hook_PreInit");
  246. BOOL fRc = FALSE;
  248. // Initialize the g_tszShell variable if necessary.
  250. if (!g_tszShell[0])
  251. {
  252. TCHAR tszPath[MAX_PATH];
  253. GetPrivateProfileString(TEXT("boot"), TEXT("shell"), TEXT("explorer.exe"), tszPath, cA(tszPath), TEXT("system.ini"));
  254. lstrcpy(g_tszShell, PathFindFileName(tszPath));
  255. }
  257. if (g_pvWin16Lock)
  258. {
  259. PV pvUser = MapSL((PV)MAKELONG(0, (DWORD)g_hinstUser));
  260. LPWORD pwRghhk;
  261. DWORD dwHhk;
  263. dwHhk = GetUserHookTable();
  265. switch (HIWORD(dwHhk))
  266. {
  267. case 1:
  268. // We "know" the structure of the USER hook chain
  269. // of type 1.
  271. pwRghhk = (LPWORD)pvAddPvCb(pvUser, LOWORD(dwHhk) + 2);
  272. break;
  274. default:
  275. // Unknown hook style. Oh well.
  277. pwRghhk = 0;
  278. break;
  279. }
  281. if (pwRghhk)
  282. {
  283. // Walk the hook list (under the Win16 lock)
  284. // and parse out each installed hook.
  286. int ihk;
  287. HOOKWALKINFO hwi;
  289. EnterSysLevel(g_pvWin16Lock);
  291. for (ihk = WH_MIN; ihk <= WH_MAX; ihk++)
  292. {
  293. WORD hhk = pwRghhk[ihk];
  294. while (hhk)
  295. {
  296. PHOOK16 phk = (PHOOK16)pvAddPvCb(pvUser, hhk);
  297. if (phk->hkMagic != HK_MAGIC || phk->idHook != ihk)
  298. break; // Weird. Stop before we GPF
  299. Hook_RecordHook(phk, &hwi);
  300. hhk = phk->phkNext;
  301. fRc = TRUE;
  302. }
  303. }
  305. LeaveSysLevel(g_pvWin16Lock);
  306. }
  307. }
  309. TraceFunctLeave();
  310. return fRc;
  311. }
  313. //-----------------------------------------------------------------------------
  314. // Record information about a single hook during the hookwalk process.
  315. //-----------------------------------------------------------------------------
  317. void NTAPI CHookInfo::Hook_RecordHook(PHOOK16 phk, PHOOKWALKINFO phwi)
  318. {
  319. TraceFunctEnter("CHookInfo::Hook_RecordHook");
  321. HOOKINFO hi;
  322. PQ16 pq;
  324. ZeroX(hi);
  326. hi.iHook = phk->idHook;
  328. // Get the name of the app that installed the hook.
  329. // We wished we could pass the queue handle to GetModuleFileName,
  330. // but that will just return USER.
  331. //
  332. // It is possible that the queue is null; this means that the
  333. // hook was installed by a device driver (like XMOUSE).
  335. pq = (PQ16)MapSL((PV)MAKELONG(0, phk->hqCreator));
  336. if (pq)
  337. GetModuleFileName16(pq->htask, hi.szHookExe, cA(hi.szHookExe));
  338. else
  339. hi.szHookExe[0] = TEXT('\0');
  341. // Now get the DLL name. This varies depending on whether the
  342. // DLL is 16-bit or 32-bit.
  344. if (phk->uiFlags & HOOK_32BIT)
  345. {
  346. // If a 32-bit hook, then the DLL name is saved in an atom.
  348. GetUserAtomName(phk->atomModule, hi.szHookDll);
  349. PathAdjustCase(hi.szHookDll, 0);
  350. }
  351. else
  352. {
  353. // If a 16-bit hook, then the DLL name is saved as hmodule16.
  355. GetModuleFileName16((HMODULE16)phk->hmodOwner, hi.szHookDll, cA(hi.szHookDll));
  356. PathAdjustCase(hi.szHookDll, 1);
  357. }
  359. // Add the hook to the collection of hooks. Don't add the explorer shell to the
  360. // list.
  362. if (hi.iHook != WH_SHELL || lstrcmpi(PathFindFileName(hi.szHookExe), g_tszShell) != 0)
  363. {
  364. SHookItem * pNew = new SHookItem(hi.iHook, hi.szHookDll, hi.szHookExe, m_pList);
  365. if (pNew)
  366. m_pList = pNew;
  367. else
  368. throw CHeap_Exception(CHeap_Exception::E_ALLOCATION_ERROR);
  369. }
  371. TraceFunctLeave();
  372. }
  374. //-----------------------------------------------------------------------------
  375. // Function pulled in from Dr. Watson.
  376. //
  377. // If f16, then it is a 16-bit thing, and we uppercase it all.
  378. // If !f16, then it is a 32-bit thing, and we uppercase the
  379. // first and downcase the rest.
  380. //
  381. // If the first letter is a DBCS thing, then we don't touch it.
  382. //-----------------------------------------------------------------------------
  384. void NTAPI PathAdjustCase(LPSTR psz, BOOL f16)
  385. {
  386. TraceFunctEnter("PathAdjustCase");
  388. psz = PathFindFileName(psz);
  390. if (f16)
  391. CharUpper(psz);
  392. else if (!IsDBCSLeadByte(*psz))
  393. {
  394. CharUpperBuff(psz, 1);
  395. CharLower(psz+1);
  396. }
  398. TraceFunctLeave();
  399. }