/*****************************************************************************\ Author: Corey Morgan (coreym) Copyright (c) 1998-2000 Microsoft Corporation \*****************************************************************************/ #include #include #include HMODULE ghModule; WCHAR *EVENTTRACE_GUIDSTRING = L"{9a5dd473-d410-11d1-b829-00c04f94c7c3}"; WCHAR *SYSMONLOG_GUIDSTRING = L"{f95e1664-7979-44f2-a040-496e7f500043}"; CLSID CLSID_CIM_EVENTTRACE; CLSID CLSID_CIM_SYSMONLOG; long g_cLock=0; EXTERN_C BOOL LibMain32(HINSTANCE hInstance, ULONG ulReason , LPVOID pvReserved) { if (DLL_PROCESS_ATTACH==ulReason) ghModule = hInstance; return TRUE; } STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, PPVOID ppv) { HRESULT hr; CWbemGlueFactory *pObj; CLSIDFromString(EVENTTRACE_GUIDSTRING, &CLSID_CIM_EVENTTRACE ); CLSIDFromString(SYSMONLOG_GUIDSTRING, &CLSID_CIM_SYSMONLOG ); if( CLSID_CIM_EVENTTRACE != rclsid && CLSID_CIM_SYSMONLOG != rclsid ){ return E_FAIL; } pObj= new CWbemGlueFactory(); if( NULL==pObj ){ return E_OUTOFMEMORY; } hr=pObj->QueryInterface(riid, ppv); if( FAILED(hr) ){ delete pObj; } return hr; } STDAPI DllCanUnloadNow(void) { SCODE sc; if( (0L==g_cLock) && CWbemProviderGlue::FrameworkLogoffDLL(L"EventTraceProv") && CWbemProviderGlue::FrameworkLogoffDLL(L"SmonLogProv")){ sc = S_OK; }else{ sc = S_FALSE; } return sc; } BOOL Is4OrMore(void) { OSVERSIONINFO os; os.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); if(!GetVersionEx(&os)){ return FALSE; } return os.dwMajorVersion >= 4; } STDAPI DllRegisterServer(void) { WCHAR szCLSID[512]; WCHAR szModule[MAX_PATH]; LPWSTR pName; LPWSTR pModel = L"Both"; HKEY hKey1, hKey2; // Compile Mof /* HRESULT hr; hr = CoInitialize(NULL); if( SUCCEEDED(hr) ){ WCHAR drive[_MAX_DRIVE]; WCHAR dir[_MAX_DIR]; WCHAR fname[_MAX_FNAME]; WCHAR ext[_MAX_EXT]; WBEM_COMPILE_STATUS_INFO stat; IMofCompiler *pMof = NULL; hr = CoCreateInstance( CLSID_MofCompiler, NULL, CLSCTX_INPROC_SERVER, IID_IMofCompiler, (void **)&pMof ); GetModuleFileNameW( ghModule, szModule, MAX_PATH); _wsplitpath( szModule, drive, dir, fname, ext ); _wmakepath( szModule, drive, dir, L"evntrprv.mof", L"" ); pMof->CompileFile( szModule, NULL,NULL,NULL,NULL, 0,0,0, &stat ); pMof->Release(); CoUninitialize(); } */ GetModuleFileNameW(ghModule, szModule, MAX_PATH); // Event Trace Provider pName = L"Event Trace Logger Provider"; wcscpy(szCLSID, L"SOFTWARE\\CLASSES\\CLSID\\" ); wcscat(szCLSID, EVENTTRACE_GUIDSTRING ); RegCreateKeyW(HKEY_LOCAL_MACHINE, szCLSID, &hKey1); RegSetValueExW(hKey1, NULL, 0, REG_SZ, (BYTE *)pName, (wcslen(pName)+1)*sizeof(WCHAR)); RegCreateKeyW(hKey1, L"InprocServer32", &hKey2 ); RegSetValueExW(hKey2, NULL, 0, REG_SZ, (BYTE *)szModule, (wcslen(szModule)+1)*sizeof(WCHAR)); RegSetValueExW(hKey2, L"ThreadingModel", 0, REG_SZ, (BYTE *)pModel, (wcslen(pModel)+1)*sizeof(WCHAR)); CloseHandle(hKey1); CloseHandle(hKey2); // Sysmon Log Provider pName = L"System Log Provider"; wcscpy(szCLSID, L"SOFTWARE\\CLASSES\\CLSID\\" ); wcscat(szCLSID, SYSMONLOG_GUIDSTRING ); RegCreateKeyW(HKEY_LOCAL_MACHINE, szCLSID, &hKey1); RegSetValueExW(hKey1, NULL, 0, REG_SZ, (BYTE *)pName, (wcslen(pName)+1)*sizeof(WCHAR)); RegCreateKeyW(hKey1, L"InprocServer32", &hKey2 ); RegSetValueExW(hKey2, NULL, 0, REG_SZ, (BYTE *)szModule, (wcslen(szModule)+1)*sizeof(WCHAR)); RegSetValueExW(hKey2, L"ThreadingModel", 0, REG_SZ, (BYTE *)pModel, (wcslen(pModel)+1)*sizeof(WCHAR)); CloseHandle(hKey1); CloseHandle(hKey2); return NOERROR; } STDAPI DllUnregisterServer(void) { WCHAR wcID[128]; WCHAR szCLSID[128]; HKEY hKey; // Event Trace Provider CLSIDFromString(EVENTTRACE_GUIDSTRING, &CLSID_CIM_EVENTTRACE); StringFromGUID2(CLSID_CIM_EVENTTRACE, wcID, 128); wcscpy( szCLSID, L"SOFTWARE\\CLASSES\\CLSID\\"); wcscpy( szCLSID, wcID); DWORD dwRet = RegOpenKeyW(HKEY_LOCAL_MACHINE, szCLSID, &hKey); if( dwRet == NO_ERROR ){ RegDeleteKeyW(hKey, L"InProcServer32" ); CloseHandle(hKey); } dwRet = RegOpenKeyW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\CLASSES\\CLSID\\", &hKey); if(dwRet == NO_ERROR){ RegDeleteKeyW(hKey,wcID); CloseHandle(hKey); } // System Log Provider CLSIDFromString(SYSMONLOG_GUIDSTRING, &CLSID_CIM_SYSMONLOG); StringFromGUID2(CLSID_CIM_SYSMONLOG, wcID, 128); wcscpy( szCLSID, L"SOFTWARE\\CLASSES\\CLSID\\"); wcscpy( szCLSID, wcID); dwRet = RegOpenKeyW(HKEY_LOCAL_MACHINE, szCLSID, &hKey); if( dwRet == NO_ERROR ){ RegDeleteKeyW(hKey, L"InProcServer32" ); CloseHandle(hKey); } dwRet = RegOpenKeyW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\CLASSES\\CLSID\\", &hKey); if(dwRet == NO_ERROR){ RegDeleteKeyW(hKey,wcID); CloseHandle(hKey); } return NOERROR; } BOOL APIENTRY DllMain ( HINSTANCE hInstDLL, DWORD fdwReason, LPVOID lpReserved ) { BOOL bRet = TRUE; switch( fdwReason ){ case DLL_PROCESS_ATTACH: DisableThreadLibraryCalls(hInstDLL); ghModule = hInstDLL; bRet = CWbemProviderGlue::FrameworkLoginDLL(L"EventTraceProv"); break; case DLL_THREAD_ATTACH: // Do thread-specific initialization. break; case DLL_THREAD_DETACH: // Do thread-specific cleanup. break; case DLL_PROCESS_DETACH: // Perform any necessary cleanup. break; } return bRet; }