archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/base/ntsetup/tools/dllanalyze4/loggedregintercept.cpp

703 lines
19 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. // LoggedRegIntercept.cpp: implementation of the CLoggedRegIntercept class.
  2. //
  3. //////////////////////////////////////////////////////////////////////
  5. #include "LoggedRegIntercept.h"
  6. #include <winioctl.h>
  7. #include "..\reghandle\reghandle.h"
  9. #include "LogEntry.h"
  10. //////////////////////////////////////////////////////////////////////
  11. // Construction/Destruction
  12. //////////////////////////////////////////////////////////////////////
  14. CLoggedRegIntercept::CLoggedRegIntercept(TCHAR* FileName)
  15. : m_pDllName(NULL)
  16. {
  17. m_LogFile = _tfopen(FileName, L"wt");
  18. }
  20. CLoggedRegIntercept::~CLoggedRegIntercept()
  21. {
  22. fclose(m_LogFile);
  23. }
  25. #define LOG(X) _fputts(X, m_LogFile);
  27. #define LOGN(X) _fputts(X L"\n", m_LogFile);
  29. #define LOGNL() _fputts(L"\n", m_LogFile);
  31. void CLoggedRegIntercept::LOGSTR(LPCTSTR ValueName, LPCTSTR Value)
  32. {
  33. _ftprintf(m_LogFile, TEXT(" (%s: %s)"), ValueName, Value);
  34. }
  38. /*
  39. void CLoggedRegIntercept::LOGKEY(HANDLE key)
  40. {
  41. TCHAR buf[256];
  42. buf[0] = 0;
  44. //* switch ((int)key)
  45. {
  46. case HKEY_LOCAL_MACHINE:
  47. _tcscpy(buf, L"HKEY_LOCAL_MACHINE");
  48. break;
  50. case HKEY_CLASSES_ROOT:
  51. _tcscpy(buf, L"HKEY_CLASSES_ROOT");
  52. break;
  54. case HKEY_CURRENT_CONFIG:
  55. _tcscpy(buf, L"HKEY_CURRENT_CONFIG");
  56. break;
  58. case HKEY_CURRENT_USER:
  59. _tcscpy(buf, L"HKEY_CURRENT_USER");
  60. break;
  62. case HKEY_USERS:
  63. _tcscpy(buf, L"HKEY_USERS");
  64. break;
  66. case HKEY_PERFORMANCE_DATA:
  67. _tcscpy(buf, L"HKEY_PERFORMANCE_DATA");
  68. break;
  69. };
  71. if (buf[0] != 0)
  72. _ftprintf(m_LogFile, L" (Key: %s)", buf);
  73. else
  75. WCHAR mybuf[2048];
  77. mybuf[0]=0;
  78. HANDLE hReg = key;
  79. DWORD nb;
  81. if (DeviceIoControl(m_RegDevice.hDevice,
  82. IOCTL_REGMON_GETOBJECT,
  83. &hReg, sizeof(hReg), mybuf,
  84. sizeof(mybuf), &nb, NULL ))
  85. {
  86. _tprintf(L" (Key: %u)", key);
  87. _tprintf(L"handle returned: %s\n", mybuf);
  90. }
  91. else
  92. {
  93. printf("bad error deviceiocontrol\n");
  95. }
  98. _ftprintf(m_LogFile, TEXT(" (Key: %u)"), key);
  99. }
  100. */
  103. void CLoggedRegIntercept::SetCurrentDll(LPCTSTR DllName)
  104. {
  105. m_pDllName = DllName;
  106. }
  108. void CLoggedRegIntercept::LogError(LPCTSTR msg)
  109. {
  110. _ftprintf(m_LogFile, TEXT("***Error: %s\n"), msg);
  111. }
  112. /*
  113. bool CLoggedRegIntercept::GetTempKeyName(HANDLE key)
  114. {
  115. m_TempKeyName[0] = NULL;
  117. if ((key == 0) || (key == INVALID_HANDLE_VALUE))
  118. return true;
  120. HANDLE hReg = key;
  121. DWORD nb;
  123. if (DeviceIoControl(m_RegDevice.hDevice,
  124. IOCTL_REGMON_GETOBJECT,
  125. &hReg, sizeof(hReg), m_TempKeyName,
  126. sizeof(m_TempKeyName), &nb, NULL ))
  127. {
  128. int len = _tcslen(m_TempKeyName);
  129. if (m_TempKeyName[len-1] != L'\\')
  130. _tcscat(m_TempKeyName, L"\\");
  132. return true;
  133. }
  134. else
  135. {
  136. return false;
  137. }
  139. return CRegIntercept::GetHandleName(key, m_TempKeyName);
  140. }
  142. */
  143. /*
  144. void CLoggedRegIntercept::GetHandleName(HANDLE obj)
  145. {
  146. GetTempKeyName(obj);
  147. }*/
  149. void CLoggedRegIntercept::GetLocation(POBJECT_ATTRIBUTES ObjectAttributes, bool bAppendBackslash)
  150. {
  151. m_TempKeyName[0] = NULL;
  153. if (ObjectAttributes != NULL)
  154. {
  155. if (ObjectAttributes->RootDirectory == 0)
  156. {
  157. _tcscpy(m_TempKeyName, (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  159. if (bAppendBackslash)
  160. AppendBackSlash(m_TempKeyName);
  161. }
  163. else
  164. {
  165. GetHandleName(ObjectAttributes->RootDirectory, m_TempKeyName, true);
  166. //sets m_TempKeyName to the actual name of the root key handle
  168. _tcscat(m_TempKeyName, (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  170. if (bAppendBackslash)
  171. AppendBackSlash(m_TempKeyName);
  172. }
  173. }
  174. }
  176. void CLoggedRegIntercept::NtOpenKey(PHANDLE KeyHandle,
  177. ACCESS_MASK DesiredAccess,
  178. POBJECT_ATTRIBUTES ObjectAttributes)
  179. {
  180. /* LOG(TEXT("NtOpenKey"));
  181. LOGKEY(ObjectAttributes->RootDirectory);
  182. LOGSTR(TEXT("SubKey"), (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  183. LOGKEY(*KeyHandle);
  184. LOGNL();
  185. */
  186. /*
  187. if (ObjectAttributes->RootDirectory == 0)
  188. _tcscpy(m_TempKeyName, (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  189. else
  190. {
  191. GetTempKeyName(ObjectAttributes->RootDirectory);
  192. //sets m_TempKeyName to the actual name of the root key handle
  194. _tcscat(m_TempKeyName, (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  195. }
  196. */
  197. GetLocation(ObjectAttributes);
  199. CLogEntry le(m_pDllName, L"NtOpenKey", m_TempKeyName);
  201. le.WriteToFile(m_LogFile);
  203. }
  206. void CLoggedRegIntercept::NtCreateKey(PHANDLE KeyHandle,
  207. ACCESS_MASK DesiredAccess,
  208. POBJECT_ATTRIBUTES ObjectAttributes,
  209. ULONG TitleIndex,
  210. PUNICODE_STRING Class,
  211. ULONG CreateOptions,
  212. PULONG Disposition)
  213. {
  214. /*
  215. LOG(L"NtCreateKey");
  216. LOGKEY(ObjectAttributes->RootDirectory);
  217. LOGSTR(L"SubKey", (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  218. LOGKEY(*KeyHandle);
  219. LOGNL();
  220. */
  221. /* if (ObjectAttributes->RootDirectory == 0)
  222. _tcscpy(m_TempKeyName, (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  223. else
  224. {
  225. GetTempKeyName(ObjectAttributes->RootDirectory);
  226. //sets m_TempKeyName to the actual name of the root key handle
  228. _tcscat(m_TempKeyName, (LPWSTR)ObjectAttributes->ObjectName->Buffer);
  229. }
  230. */
  231. GetLocation(ObjectAttributes);
  232. CLogEntry le(m_pDllName, L"NtCreateKey", m_TempKeyName);
  233. le.WriteToFile(m_LogFile);
  234. }
  237. void CLoggedRegIntercept::NtDeleteKey(HANDLE KeyHandle)
  238. {
  239. GetHandleName(KeyHandle, m_TempKeyName);
  240. CLogEntry le(m_pDllName, L"NtDeleteKey", m_TempKeyName, NULL);
  241. le.WriteToFile(m_LogFile);
  242. }
  244. void CLoggedRegIntercept::NtDeleteValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName)
  245. {
  246. GetHandleName(KeyHandle, m_TempKeyName);
  247. CLogEntry le(m_pDllName, L"NtDeleteValueKey", m_TempKeyName, ValueName->Buffer);
  248. le.WriteToFile(m_LogFile);
  249. }
  252. void CLoggedRegIntercept::NtEnumerateKey(HANDLE KeyHandle, ULONG Index, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength)
  253. {
  254. GetHandleName(KeyHandle, m_TempKeyName);
  255. CLogEntry le(m_pDllName, L"NtEnumerateKey", m_TempKeyName, NULL);
  256. le.WriteToFile(m_LogFile);
  258. }
  261. void CLoggedRegIntercept::NtEnumerateValueKey(HANDLE KeyHandle, ULONG Index, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength)
  262. {
  263. GetHandleName(KeyHandle, m_TempKeyName);
  264. CLogEntry le(m_pDllName, L"NtEnumerateValueKey", m_TempKeyName, NULL);
  265. le.WriteToFile(m_LogFile);
  266. }
  269. void CLoggedRegIntercept::NtQueryKey(HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength)
  270. {
  271. GetHandleName(KeyHandle, m_TempKeyName);
  272. CLogEntry le(m_pDllName, L"NtQueryKey", m_TempKeyName, NULL);
  273. le.WriteToFile(m_LogFile);
  275. }
  278. void CLoggedRegIntercept::NtQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength)
  279. {
  280. GetHandleName(KeyHandle, m_TempKeyName);
  281. CLogEntry le(m_pDllName, L"NtQueryValueKey", m_TempKeyName, ValueName->Buffer);
  282. le.WriteToFile(m_LogFile);
  283. }
  285. void CLoggedRegIntercept::NtQueryMultipleValueKey(HANDLE KeyHandle, PKEY_VALUE_ENTRY ValueEntries, ULONG EntryCount, PVOID ValueBuffer, PULONG BufferLength, PULONG RequiredBufferLength)
  286. {
  287. GetHandleName(KeyHandle, m_TempKeyName);
  288. CLogEntry le(m_pDllName, L"NtQueryMultipleValueKey", m_TempKeyName, NULL);
  289. le.WriteToFile(m_LogFile);
  290. }
  293. void CLoggedRegIntercept::NtSetValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, ULONG TitleIndex, ULONG Type, PVOID Data, ULONG DataSize)
  294. {
  295. GetHandleName(KeyHandle, m_TempKeyName);
  296. CLogEntry le(m_pDllName, L"NtSetValueKey", m_TempKeyName, ValueName->Buffer);
  297. le.WriteToFile(m_LogFile);
  298. }
  302. //intercepted File System functions
  303. void CLoggedRegIntercept::NtDeleteFile(POBJECT_ATTRIBUTES ObjectAttributes)
  304. {
  305. GetLocation(ObjectAttributes, false);
  306. CLogEntry le(m_pDllName, L"NtDeleteFile", m_TempKeyName);
  307. le.WriteToFile(m_LogFile);
  309. }
  312. void CLoggedRegIntercept::NtQueryAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation)
  313. {
  314. GetLocation(ObjectAttributes, false);
  315. CLogEntry le(m_pDllName, L"NtQueryAttributesFile", m_TempKeyName);
  316. le.WriteToFile(m_LogFile);
  317. }
  320. void CLoggedRegIntercept::NtQueryFullAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_NETWORK_OPEN_INFORMATION FileInformation)
  321. {
  322. GetLocation(ObjectAttributes, false);
  323. CLogEntry le(m_pDllName, L"NtQueryFullAttributesFile", m_TempKeyName);
  324. le.WriteToFile(m_LogFile);
  325. }
  328. void CLoggedRegIntercept::NtCreateFile(
  329. PHANDLE FileHandle,
  330. ACCESS_MASK DesiredAccess,
  331. POBJECT_ATTRIBUTES ObjectAttributes,
  332. PIO_STATUS_BLOCK IoStatusBlock,
  333. PLARGE_INTEGER AllocationSize,
  334. ULONG FileAttributes,
  335. ULONG ShareAccess,
  336. ULONG CreateDisposition,
  337. ULONG CreateOptions,
  338. PVOID EaBuffer,
  339. ULONG EaLength)
  340. {
  341. GetLocation(ObjectAttributes, false);
  342. CLogEntry le(m_pDllName, L"NtCreateFile", m_TempKeyName);
  343. le.WriteToFile(m_LogFile);
  344. }
  347. void CLoggedRegIntercept::NtOpenFile(
  348. PHANDLE FileHandle,
  349. ACCESS_MASK DesiredAccess,
  350. POBJECT_ATTRIBUTES ObjectAttributes,
  351. PIO_STATUS_BLOCK IoStatusBlock,
  352. ULONG ShareAccess,
  353. ULONG OpenOptions)
  354. {
  355. GetLocation(ObjectAttributes, false);
  356. CLogEntry le(m_pDllName, L"NtOpenFile", m_TempKeyName);
  357. le.WriteToFile(m_LogFile);
  359. }
  361. //intercepted Driver functions
  362. void CLoggedRegIntercept::NtLoadDriver(PUNICODE_STRING DriverServiceName)
  363. {
  364. CLogEntry le(m_pDllName, L"NtLoadDriver", DriverServiceName ? DriverServiceName->Buffer: 0);
  365. le.WriteToFile(m_LogFile);
  366. }
  367. /*
  368. void CLoggedRegIntercept::NtDeviceIoControlFile(
  369. HANDLE FileHandle,
  370. HANDLE Event,
  371. PIO_APC_ROUTINE ApcRoutine,
  372. PVOID ApcContext,
  373. PIO_STATUS_BLOCK IoStatusBlock,
  374. ULONG IoControlCode,
  375. PVOID InputBuffer,
  376. ULONG InputBufferLength,
  377. PVOID OutputBuffer,
  378. ULONG OutputBufferLength)
  379. {
  380. GetHandleName(KeyHandle);
  381. CLogEntry le(m_pDllName, L"NtDeviceIoControlFile", m_TempKeyName);
  382. le.WriteToFile(m_LogFile);
  383. }
  386. void CLoggedRegIntercept::NtFsControlFile(
  387. HANDLE FileHandle,
  388. HANDLE Event,
  389. PIO_APC_ROUTINE ApcRoutine,
  390. PVOID ApcContext,
  391. PIO_STATUS_BLOCK IoStatusBlock,
  392. ULONG FsControlCode,
  393. PVOID InputBuffer,
  394. ULONG InputBufferLength,
  395. PVOID OutputBuffer,
  396. ULONG OutputBufferLength)
  397. {
  399. }
  401. */
  406. void CLoggedRegIntercept::NtPlugPlayControl(
  407. IN PLUGPLAY_CONTROL_CLASS PnPControlClass,
  408. IN OUT PVOID PnPControlData,
  409. IN ULONG PnPControlDataLength)
  410. {
  411. CLogEntry le(m_pDllName, L"NtPlugPlayControl");
  412. le.WriteToFile(m_LogFile);
  413. }
  415. void CLoggedRegIntercept::NtCreateSymbolicLinkObject(
  416. OUT PHANDLE LinkHandle,
  417. IN ACCESS_MASK DesiredAccess,
  418. IN POBJECT_ATTRIBUTES ObjectAttributes,
  419. IN PUNICODE_STRING LinkTarget)
  420. {
  421. GetLocation(ObjectAttributes, false);
  422. CLogEntry le(m_pDllName, L"NtCreateSymbolicLinkObject", m_TempKeyName);
  423. le.WriteToFile(m_LogFile);
  424. }
  426. void CLoggedRegIntercept::NtOpenSymbolicLinkObject(
  427. OUT PHANDLE LinkHandle,
  428. IN ACCESS_MASK DesiredAccess,
  429. IN POBJECT_ATTRIBUTES ObjectAttributes)
  430. {
  431. GetLocation(ObjectAttributes, false);
  432. CLogEntry le(m_pDllName, L"NtOpenSymbolicLinkObject", m_TempKeyName);
  433. le.WriteToFile(m_LogFile);
  434. }
  436. void CLoggedRegIntercept::NtCreateDirectoryObject(
  437. OUT PHANDLE DirectoryHandle,
  438. IN ACCESS_MASK DesiredAccess,
  439. IN POBJECT_ATTRIBUTES ObjectAttributes)
  440. {
  441. GetLocation(ObjectAttributes);
  442. CLogEntry le(m_pDllName, L"NtCreateDirectoryObject", m_TempKeyName);
  443. le.WriteToFile(m_LogFile);
  444. }
  446. void CLoggedRegIntercept::NtOpenDirectoryObject(
  447. OUT PHANDLE DirectoryHandle,
  448. IN ACCESS_MASK DesiredAccess,
  449. IN POBJECT_ATTRIBUTES ObjectAttributes)
  450. {
  451. GetLocation(ObjectAttributes);
  452. CLogEntry le(m_pDllName, L"NtOpenDirectoryObject", m_TempKeyName);
  453. le.WriteToFile(m_LogFile);
  454. }
  456. void CLoggedRegIntercept::NtSignalAndWaitForSingleObject(
  457. IN HANDLE SignalHandle,
  458. IN HANDLE WaitHandle,
  459. IN BOOLEAN Alertable,
  460. IN PLARGE_INTEGER Timeout)
  461. {
  462. CLogEntry le(m_pDllName, L"NtSignalAndWaitForSingleObject");
  463. le.WriteToFile(m_LogFile);
  464. }
  466. void CLoggedRegIntercept::NtWaitForSingleObject(
  467. IN HANDLE Handle,
  468. IN BOOLEAN Alertable,
  469. IN PLARGE_INTEGER Timeout)
  470. {
  471. CLogEntry le(m_pDllName, L"NtWaitForSingleObject");
  472. le.WriteToFile(m_LogFile);
  473. }
  476. void CLoggedRegIntercept::NtWaitForMultipleObjects(
  477. IN ULONG Count,
  478. IN HANDLE* Handles,
  479. IN WAIT_TYPE WaitType,
  480. IN BOOLEAN Alertable,
  481. IN PLARGE_INTEGER Timeout)
  482. {
  483. CLogEntry le(m_pDllName, L"NtWaitForMultipleObjects");
  484. le.WriteToFile(m_LogFile);
  485. }
  487. void CLoggedRegIntercept::NtCreatePort(
  488. OUT PHANDLE PortHandle,
  489. IN POBJECT_ATTRIBUTES ObjectAttributes,
  490. IN ULONG MaxConnectionInfoLength,
  491. IN ULONG MaxMessageLength,
  492. IN ULONG MaxPoolUsage)
  493. {
  494. GetLocation(ObjectAttributes, false);
  495. CLogEntry le(m_pDllName, L"NtCreatePort", m_TempKeyName);
  496. le.WriteToFile(m_LogFile);
  497. }
  499. void CLoggedRegIntercept::NtCreateWaitablePort(
  500. OUT PHANDLE PortHandle,
  501. IN POBJECT_ATTRIBUTES ObjectAttributes,
  502. IN ULONG MaxConnectionInfoLength,
  503. IN ULONG MaxMessageLength,
  504. IN ULONG MaxPoolUsage)
  505. {
  506. GetLocation(ObjectAttributes, false);
  507. CLogEntry le(m_pDllName, L"NtCreateWaitablePort", m_TempKeyName);
  508. le.WriteToFile(m_LogFile);
  509. }
  511. void CLoggedRegIntercept::NtCreateThread(
  512. OUT PHANDLE ThreadHandle,
  513. IN ACCESS_MASK DesiredAccess,
  514. IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  515. IN HANDLE ProcessHandle,
  516. OUT PCLIENT_ID ClientId,
  517. IN PCONTEXT ThreadContext,
  518. IN PINITIAL_TEB InitialTeb,
  519. IN BOOLEAN CreateSuspended)
  520. {
  521. CLogEntry le(m_pDllName, L"NtCreateThread");
  522. le.WriteToFile(m_LogFile);
  523. }
  526. void CLoggedRegIntercept::NtOpenThread(
  527. OUT PHANDLE ThreadHandle,
  528. IN ACCESS_MASK DesiredAccess,
  529. IN POBJECT_ATTRIBUTES ObjectAttributes,
  530. IN PCLIENT_ID ClientId)
  531. {
  532. CLogEntry le(m_pDllName, L"NtOpenThread");
  533. le.WriteToFile(m_LogFile);
  534. }
  536. void CLoggedRegIntercept::NtCreateProcess(
  537. OUT PHANDLE ProcessHandle,
  538. IN ACCESS_MASK DesiredAccess,
  539. IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  540. IN HANDLE ParentProcess,
  541. IN BOOLEAN InheritObjectTable,
  542. IN HANDLE SectionHandle OPTIONAL,
  543. IN HANDLE DebugPort OPTIONAL,
  544. IN HANDLE ExceptionPort OPTIONAL)
  545. {
  546. GetLocation(ObjectAttributes, false);
  547. CLogEntry le(m_pDllName, L"NtCreateProcess");
  548. le.WriteToFile(m_LogFile);
  549. }
  552. void CLoggedRegIntercept::NtCreateProcessEx(
  553. OUT PHANDLE ProcessHandle,
  554. IN ACCESS_MASK DesiredAccess,
  555. IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  556. IN HANDLE ParentProcess,
  557. IN ULONG Flags,
  558. IN HANDLE SectionHandle OPTIONAL,
  559. IN HANDLE DebugPort OPTIONAL,
  560. IN HANDLE ExceptionPort OPTIONAL,
  561. IN ULONG JobMemberLevel)
  562. {
  563. GetLocation(ObjectAttributes, false);
  564. CLogEntry le(m_pDllName, L"NtCreateProcessEx", m_TempKeyName);
  565. le.WriteToFile(m_LogFile);
  566. }
  568. void CLoggedRegIntercept::NtOpenProcess(
  569. OUT PHANDLE ProcessHandle,
  570. IN ACCESS_MASK DesiredAccess,
  571. IN POBJECT_ATTRIBUTES ObjectAttributes,
  572. IN PCLIENT_ID ClientId OPTIONAL)
  573. {
  574. GetLocation(ObjectAttributes, false);
  575. CLogEntry le(m_pDllName, L"NtOpenProcess", m_TempKeyName);
  576. le.WriteToFile(m_LogFile);
  577. }
  579. void CLoggedRegIntercept::NtQueryDefaultLocale(
  580. IN BOOLEAN UserProfile,
  581. OUT PLCID DefaultLocaleId)
  582. {
  583. CLogEntry le(m_pDllName, L"NtQueryDefaultLocale");
  584. le.WriteToFile(m_LogFile);
  585. }
  587. void CLoggedRegIntercept::NtSetDefaultLocale(
  588. IN BOOLEAN UserProfile,
  589. IN LCID DefaultLocaleId)
  590. {
  591. CLogEntry le(m_pDllName, L"NtSetDefaultLocale");
  592. le.WriteToFile(m_LogFile);
  593. }
  596. void CLoggedRegIntercept::NtQuerySystemEnvironmentValue(
  597. IN PUNICODE_STRING VariableName,
  598. OUT PWSTR VariableValue,
  599. IN USHORT ValueLength,
  600. OUT PUSHORT ReturnLength OPTIONAL)
  601. {
  602. CLogEntry le(m_pDllName, L"NtQuerySystemEnvironmentValue", VariableName ? VariableName->Buffer : 0);
  603. le.WriteToFile(m_LogFile);
  604. }
  606. void CLoggedRegIntercept::NtSetSystemEnvironmentValue(
  607. IN PUNICODE_STRING VariableName,
  608. IN PUNICODE_STRING VariableValue)
  609. {
  610. CLogEntry le(m_pDllName, L"NtSetSystemEnvironmentValue",VariableName ? VariableName->Buffer : 0);
  611. le.WriteToFile(m_LogFile);
  612. }
  615. void CLoggedRegIntercept::NtQuerySystemEnvironmentValueEx(
  616. IN PUNICODE_STRING VariableName,
  617. IN LPGUID VendorGuid,
  618. OUT PVOID Value,
  619. IN OUT PULONG ValueLength,
  620. OUT PULONG Attributes OPTIONAL)
  621. {
  622. CLogEntry le(m_pDllName, L"NtQuerySystemEnvironmentValueEx",VariableName ? VariableName->Buffer : 0);
  623. le.WriteToFile(m_LogFile);
  624. }
  627. void CLoggedRegIntercept::NtSetSystemEnvironmentValueEx(
  628. IN PUNICODE_STRING VariableName,
  629. IN LPGUID VendorGuid,
  630. IN PVOID Value,
  631. IN ULONG ValueLength,
  632. IN ULONG Attributes)
  633. {
  634. CLogEntry le(m_pDllName, L"NtSetSystemEnvironmentValueEx", VariableName ? VariableName->Buffer : 0);
  635. le.WriteToFile(m_LogFile);
  636. }
  638. void CLoggedRegIntercept::NtEnumerateSystemEnvironmentValuesEx(
  639. IN ULONG InformationClass,
  640. OUT PVOID Buffer,
  641. IN OUT PULONG BufferLength)
  642. {
  643. CLogEntry le(m_pDllName, L"NtEnumerateSystemEnvironmentValuesEx");
  644. le.WriteToFile(m_LogFile);
  645. }
  647. void CLoggedRegIntercept::NtQuerySystemTime(
  648. OUT PLARGE_INTEGER SystemTime)
  649. {
  650. CLogEntry le(m_pDllName, L"NtQuerySystemTime");
  651. le.WriteToFile(m_LogFile);
  652. }
  654. void CLoggedRegIntercept::NtSetSystemTime(
  655. IN PLARGE_INTEGER SystemTime,
  656. OUT PLARGE_INTEGER PreviousTime OPTIONAL)
  657. {
  658. CLogEntry le(m_pDllName, L"NtSetSystemTime");
  659. le.WriteToFile(m_LogFile);
  660. }
  662. void CLoggedRegIntercept::NtQuerySystemInformation(
  663. IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  664. OUT PVOID SystemInformation,
  665. IN ULONG SystemInformationLength,
  666. OUT PULONG ReturnLength OPTIONAL)
  667. {
  668. CLogEntry le(m_pDllName, L"NtQuerySystemInformation");
  669. le.WriteToFile(m_LogFile);
  670. }
  672. void CLoggedRegIntercept::NtSetSystemInformation(
  673. IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  674. IN PVOID SystemInformation,
  675. IN ULONG SystemInformationLength)
  676. {
  677. CLogEntry le(m_pDllName, L"NtSetSystemInformation");
  678. le.WriteToFile(m_LogFile);
  679. }
  681. void CLoggedRegIntercept::NtQueryInformationFile(
  682. IN HANDLE FileHandle,
  683. OUT PIO_STATUS_BLOCK IoStatusBlock,
  684. OUT PVOID FileInformation,
  685. IN ULONG Length,
  686. IN FILE_INFORMATION_CLASS FileInformationClass)
  687. {
  688. GetHandleName(FileHandle, m_TempKeyName, false);
  689. CLogEntry le(m_pDllName, L"NtQueryInformationFile", m_TempKeyName);
  690. le.WriteToFile(m_LogFile);
  691. }
  693. void CLoggedRegIntercept::NtSetInformationFile(
  694. IN HANDLE FileHandle,
  695. OUT PIO_STATUS_BLOCK IoStatusBlock,
  696. IN PVOID FileInformation,
  697. IN ULONG Length,
  698. IN FILE_INFORMATION_CLASS FileInformationClass)
  699. {
  700. GetHandleName(FileHandle, m_TempKeyName, false);
  701. CLogEntry le(m_pDllName, L"NtSetInformationFile", m_TempKeyName);
  702. le.WriteToFile(m_LogFile);
  703. }