archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/printscan/wia/drivers/util/rwspy/readme.txt

82 lines
3.3 KiB
Raw Normal View History

Add source files
4 years ago
  1. rwspy.dll uses detours (available at
  2. http://www.research.microsoft.com/sn/detours/ or
  3. \\bustard\contrib\galenh\detours) to spy on all file or device
  4. operations for the specified file in the process in which rwpsy.dll
  5. is injected. This is what rwspy.dll output looks like:
  7. Created '\\.\Usbscan0', handle: 1f0
  8. DeviceIoControl Code=80002018, 8 bytes in:
  9. 0000 B0 04 03 01 00 01 00 00 ........
  10. 8 bytes out:
  11. 0000 B0 04 03 01 00 01 00 00 ........
  12. Wrote 8 bytes:
  13. 0000 1B 43 02 00 04 43 FF FF .C...C..
  14. DeviceIoControl Code=8000201c, 4 bytes in:
  15. 0000 01 00 00 00 ....
  16. Read 94 bytes:
  17. 0000 03 00 58 00 10 00 00 00 00 00 00 00 00 00 00 00 ..X.............
  18. 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  19. 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  20. 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  21. 0040 00 00 00 00 00 00 00 00 00 80 CF 03 00 70 1E 03 .............p..
  22. 0050 00 00 00 00 00 00 00 00 00 00 00 00 FF FF ..............
  23. Closed handle 1f0
  26. To build rwspy.dll you need detours.h and detours.lib. Either put
  27. them in this directory or modify 'sources' file.
  29. To use rwpsy.dll you'll also need either somehow inject it into target process.
  30. Detours has three samples for doing just this:
  32. a) setdll.exe /d:rwspy.dll <target binary>
  33. b) withdll.exe /d:rwpsy.dll <target command line>
  34. c) injdll.exe /d:rwspy.dll <target process id>
  36. spyon.cmd helps to use the third form.
  38. There are two registry entries controlling rwspy.dll behavior:
  40. REG_EXPAND_SZ at "HKLM\Software\Microsoft\RWSpy\Log File" specifies
  41. the log file to write. Default is %SystemRoot%\RWSpy.Log.
  43. REG_SZ at "HKLM\Software\Microsoft\RWSpy\FileToSpyOn" specifies the
  44. file to spy on. If this value is not set, RWSpy records all
  45. CreateFile() operations so you could verify if the process indeed
  46. CreateFile() the file or device you are interested in. If this entry
  47. is present (for instance, is set to \\.\UsbScan0), then RWSpy records
  48. all calls to
  50. CreateFile()
  51. ReadFile()
  52. WriteFile()
  53. FileIoControl()
  54. WriteFileEx()
  55. and (partially)
  56. ReadFileEx()
  58. Caveats of the current implementation:
  60. 1. Rwspy.dll has to be on path or in the current directory of the
  61. target process at the moment of injection. Detours can't diagnose the
  62. case when its remote thread can't load rwspy.dll. Please, use
  63. tlist.exe to make sure that rwspy.dll ineed is present in the target
  64. process.
  66. 2. You can only spy on one process at a time. We want to minimize
  67. timing disruptions induced by our spying, so our log file writing is
  68. intentionally thread-unsafe and because of this we open log file in
  69. SHARE_READ mode.
  71. 3. There is no way to stop spying while the target process is
  72. running. So if you spy on something like Explorer.exe, please, use
  73. kill.exe, but wait a few seconds for lazy log writing to flush out.
  75. 4. Since RWSPY.DLL reads as well as writes to HKLM\Software you have
  76. to have sufficient privileges to do so. (Your process have to have
  77. either Admin or SYSTEM privileges). If you have to run under lesser
  78. privileges, please feel free to modify PrepareLogger() function.
  81. If you have any questions or comments, please talk to me (akozlov).