You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
298 lines
9.1 KiB
298 lines
9.1 KiB
// LoggedRegIntercept.h: interface for the CLoggedRegIntercept class.
|
|
//
|
|
//////////////////////////////////////////////////////////////////////
|
|
|
|
#if !defined(AFX_LOGGEDREGINTERCEPT_H__856F5C97_794D_40B4_B18A_DEB3C96B086F__INCLUDED_)
|
|
#define AFX_LOGGEDREGINTERCEPT_H__856F5C97_794D_40B4_B18A_DEB3C96B086F__INCLUDED_
|
|
|
|
#if _MSC_VER > 1000
|
|
#pragma once
|
|
#endif // _MSC_VER > 1000
|
|
|
|
#include "RegIntercept.h"
|
|
#include <stdio.h>
|
|
#include <tchar.h>
|
|
|
|
class CLoggedRegIntercept : public CRegIntercept
|
|
{
|
|
public:
|
|
void GetLocation(POBJECT_ATTRIBUTES ObjectAttributes, bool bAppendBackslash = true);
|
|
|
|
|
|
void LogError(LPCTSTR msg);
|
|
void SetCurrentDll(LPCTSTR DllName);
|
|
CLoggedRegIntercept(TCHAR* FileName);
|
|
virtual ~CLoggedRegIntercept();
|
|
|
|
//intercepted registry functions
|
|
|
|
virtual void NtOpenKey( PHANDLE KeyHandle,
|
|
ACCESS_MASK DesiredAccess,
|
|
POBJECT_ATTRIBUTES ObjectAttributes);
|
|
|
|
virtual void NtCreateKey(PHANDLE KeyHandle,
|
|
ACCESS_MASK DesiredAccess,
|
|
POBJECT_ATTRIBUTES ObjectAttributes,
|
|
ULONG TitleIndex,
|
|
PUNICODE_STRING Class,
|
|
ULONG CreateOptions,
|
|
PULONG Disposition);
|
|
|
|
virtual void NtDeleteKey(HANDLE KeyHandle);
|
|
|
|
virtual void NtDeleteValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName);
|
|
|
|
|
|
virtual void NtEnumerateKey(HANDLE KeyHandle, ULONG Index, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength);
|
|
virtual void NtEnumerateValueKey(HANDLE KeyHandle, ULONG Index, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength) ;
|
|
virtual void NtQueryKey(HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength);
|
|
virtual void NtQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);
|
|
virtual void NtQueryMultipleValueKey(HANDLE KeyHandle, PKEY_VALUE_ENTRY ValueEntries, ULONG EntryCount, PVOID ValueBuffer, PULONG BufferLength, PULONG RequiredBufferLength);
|
|
virtual void NtSetValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, ULONG TitleIndex, ULONG Type, PVOID Data, ULONG DataSize);
|
|
|
|
|
|
//intercepted File System functions
|
|
virtual void NtDeleteFile(POBJECT_ATTRIBUTES ObjectAttributes);
|
|
virtual void NtQueryAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation);
|
|
virtual void NtQueryFullAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_NETWORK_OPEN_INFORMATION FileInformation);
|
|
virtual void NtCreateFile(
|
|
PHANDLE FileHandle,
|
|
ACCESS_MASK DesiredAccess,
|
|
POBJECT_ATTRIBUTES ObjectAttributes,
|
|
PIO_STATUS_BLOCK IoStatusBlock,
|
|
PLARGE_INTEGER AllocationSize,
|
|
ULONG FileAttributes,
|
|
ULONG ShareAccess,
|
|
ULONG CreateDisposition,
|
|
ULONG CreateOptions,
|
|
PVOID EaBuffer,
|
|
ULONG EaLength);
|
|
|
|
virtual void NtOpenFile(
|
|
PHANDLE FileHandle,
|
|
ACCESS_MASK DesiredAccess,
|
|
POBJECT_ATTRIBUTES ObjectAttributes,
|
|
PIO_STATUS_BLOCK IoStatusBlock,
|
|
ULONG ShareAccess,
|
|
ULONG OpenOptions);
|
|
|
|
//intercepted Driver functions
|
|
virtual void NtLoadDriver(PUNICODE_STRING DriverServiceName);
|
|
|
|
/* virtual void NtDeviceIoControlFile(
|
|
HANDLE FileHandle,
|
|
HANDLE Event,
|
|
PIO_APC_ROUTINE ApcRoutine,
|
|
PVOID ApcContext,
|
|
PIO_STATUS_BLOCK IoStatusBlock,
|
|
ULONG IoControlCode,
|
|
PVOID InputBuffer,
|
|
ULONG InputBufferLength,
|
|
PVOID OutputBuffer,
|
|
ULONG OutputBufferLength);
|
|
|
|
virtual void NtFsControlFile(
|
|
HANDLE FileHandle,
|
|
HANDLE Event,
|
|
PIO_APC_ROUTINE ApcRoutine,
|
|
PVOID ApcContext,
|
|
PIO_STATUS_BLOCK IoStatusBlock,
|
|
ULONG FsControlCode,
|
|
PVOID InputBuffer,
|
|
ULONG InputBufferLength,
|
|
PVOID OutputBuffer,
|
|
ULONG OutputBufferLength);
|
|
*/
|
|
|
|
|
|
virtual void NtPlugPlayControl(
|
|
IN PLUGPLAY_CONTROL_CLASS PnPControlClass,
|
|
IN OUT PVOID PnPControlData,
|
|
IN ULONG PnPControlDataLength);
|
|
|
|
virtual void NtCreateSymbolicLinkObject(
|
|
OUT PHANDLE LinkHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN PUNICODE_STRING LinkTarget);
|
|
|
|
virtual void NtOpenSymbolicLinkObject(
|
|
OUT PHANDLE LinkHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes);
|
|
|
|
virtual void NtCreateDirectoryObject(
|
|
OUT PHANDLE DirectoryHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes);
|
|
|
|
virtual void NtOpenDirectoryObject(
|
|
OUT PHANDLE DirectoryHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes);
|
|
|
|
virtual void NtSignalAndWaitForSingleObject(
|
|
IN HANDLE SignalHandle,
|
|
IN HANDLE WaitHandle,
|
|
IN BOOLEAN Alertable,
|
|
IN PLARGE_INTEGER Timeout);
|
|
|
|
virtual void NtWaitForSingleObject(
|
|
IN HANDLE Handle,
|
|
IN BOOLEAN Alertable,
|
|
IN PLARGE_INTEGER Timeout);
|
|
|
|
|
|
virtual void NtWaitForMultipleObjects(
|
|
IN ULONG Count,
|
|
IN HANDLE* Handles,
|
|
IN WAIT_TYPE WaitType,
|
|
IN BOOLEAN Alertable,
|
|
IN PLARGE_INTEGER Timeout);
|
|
|
|
virtual void NtCreatePort(
|
|
OUT PHANDLE PortHandle,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN ULONG MaxConnectionInfoLength,
|
|
IN ULONG MaxMessageLength,
|
|
IN ULONG MaxPoolUsage);
|
|
|
|
virtual void NtCreateWaitablePort(
|
|
OUT PHANDLE PortHandle,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN ULONG MaxConnectionInfoLength,
|
|
IN ULONG MaxMessageLength,
|
|
IN ULONG MaxPoolUsage);
|
|
|
|
virtual void NtCreateThread(
|
|
OUT PHANDLE ThreadHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN HANDLE ProcessHandle,
|
|
OUT PCLIENT_ID ClientId,
|
|
IN PCONTEXT ThreadContext,
|
|
IN PINITIAL_TEB InitialTeb,
|
|
IN BOOLEAN CreateSuspended);
|
|
|
|
|
|
virtual void NtOpenThread(
|
|
OUT PHANDLE ThreadHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN PCLIENT_ID ClientId);
|
|
|
|
virtual void NtCreateProcess(
|
|
OUT PHANDLE ProcessHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN HANDLE ParentProcess,
|
|
IN BOOLEAN InheritObjectTable,
|
|
IN HANDLE SectionHandle OPTIONAL,
|
|
IN HANDLE DebugPort OPTIONAL,
|
|
IN HANDLE ExceptionPort OPTIONAL);
|
|
|
|
|
|
virtual void NtCreateProcessEx(
|
|
OUT PHANDLE ProcessHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN HANDLE ParentProcess,
|
|
IN ULONG Flags,
|
|
IN HANDLE SectionHandle OPTIONAL,
|
|
IN HANDLE DebugPort OPTIONAL,
|
|
IN HANDLE ExceptionPort OPTIONAL,
|
|
IN ULONG JobMemberLevel);
|
|
|
|
virtual void NtOpenProcess(
|
|
OUT PHANDLE ProcessHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN PCLIENT_ID ClientId OPTIONAL);
|
|
|
|
virtual void NtQueryDefaultLocale(
|
|
IN BOOLEAN UserProfile,
|
|
OUT PLCID DefaultLocaleId);
|
|
|
|
virtual void NtSetDefaultLocale(
|
|
IN BOOLEAN UserProfile,
|
|
IN LCID DefaultLocaleId);
|
|
|
|
|
|
virtual void NtQuerySystemEnvironmentValue(
|
|
IN PUNICODE_STRING VariableName,
|
|
OUT PWSTR VariableValue,
|
|
IN USHORT ValueLength,
|
|
OUT PUSHORT ReturnLength OPTIONAL);
|
|
|
|
virtual void NtSetSystemEnvironmentValue(
|
|
IN PUNICODE_STRING VariableName,
|
|
IN PUNICODE_STRING VariableValue);
|
|
|
|
|
|
virtual void NtQuerySystemEnvironmentValueEx(
|
|
IN PUNICODE_STRING VariableName,
|
|
IN LPGUID VendorGuid,
|
|
OUT PVOID Value,
|
|
IN OUT PULONG ValueLength,
|
|
OUT PULONG Attributes OPTIONAL);
|
|
|
|
|
|
virtual void NtSetSystemEnvironmentValueEx(
|
|
IN PUNICODE_STRING VariableName,
|
|
IN LPGUID VendorGuid,
|
|
IN PVOID Value,
|
|
IN ULONG ValueLength,
|
|
IN ULONG Attributes);
|
|
|
|
virtual void NtEnumerateSystemEnvironmentValuesEx(
|
|
IN ULONG InformationClass,
|
|
OUT PVOID Buffer,
|
|
IN OUT PULONG BufferLength);
|
|
|
|
virtual void NtQuerySystemTime(
|
|
OUT PLARGE_INTEGER SystemTime);
|
|
|
|
virtual void NtSetSystemTime(
|
|
IN PLARGE_INTEGER SystemTime,
|
|
OUT PLARGE_INTEGER PreviousTime OPTIONAL);
|
|
|
|
virtual void NtQuerySystemInformation(
|
|
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
|
OUT PVOID SystemInformation,
|
|
IN ULONG SystemInformationLength,
|
|
OUT PULONG ReturnLength OPTIONAL);
|
|
|
|
virtual void NtSetSystemInformation(
|
|
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
|
IN PVOID SystemInformation,
|
|
IN ULONG SystemInformationLength);
|
|
|
|
|
|
virtual void NtQueryInformationFile(
|
|
IN HANDLE FileHandle,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
OUT PVOID FileInformation,
|
|
IN ULONG Length,
|
|
IN FILE_INFORMATION_CLASS FileInformationClass);
|
|
|
|
virtual void NtSetInformationFile(
|
|
IN HANDLE FileHandle,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
IN PVOID FileInformation,
|
|
IN ULONG Length,
|
|
IN FILE_INFORMATION_CLASS FileInformationClass);
|
|
|
|
|
|
protected:
|
|
// bool GetTempKeyName(HANDLE key);
|
|
FILE* m_LogFile;
|
|
LPCTSTR m_pDllName;
|
|
TCHAR m_TempKeyName[2048];
|
|
|
|
void LOGSTR(LPCTSTR ValueName, LPCTSTR Value);
|
|
|
|
|
|
|
|
};
|
|
|
|
#endif // !defined(AFX_LOGGEDREGINTERCEPT_H__856F5C97_794D_40B4_B18A_DEB3C96B086F__INCLUDED_)
|