mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
384 lines
8.6 KiB
384 lines
8.6 KiB
#include <windows.h>
|
|
#include <stdio.h>
|
|
#include "apimon.h"
|
|
|
|
HANDLE ApiMonMutex;
|
|
PVOID MemPtr;
|
|
PDLL_INFO DllList;
|
|
|
|
LPDWORD ApiCounter;
|
|
LPDWORD ApiTraceEnabled;
|
|
LPDWORD ApiTimingEnabled;
|
|
LPDWORD FastCounterAvail;
|
|
LPDWORD ApiOffset;
|
|
LPDWORD ApiStrings;
|
|
LPDWORD ApiCount;
|
|
LPSTR TraceFileName;
|
|
|
|
|
|
PDLL_INFO
|
|
AddDllToList(
|
|
HANDLE hProcess,
|
|
ULONG DllAddr,
|
|
LPSTR DllName,
|
|
ULONG DllSize
|
|
);
|
|
|
|
ULONG
|
|
AddApisForDll(
|
|
HANDLE hProcess,
|
|
PDLL_INFO DllInfo
|
|
);
|
|
|
|
|
|
|
|
int _cdecl
|
|
main(
|
|
int argc,
|
|
char *argv[]
|
|
)
|
|
{
|
|
HANDLE hMap;
|
|
PDLL_INFO DllInfo;
|
|
|
|
|
|
hMap = CreateFileMapping(
|
|
(HANDLE)0xffffffff,
|
|
NULL,
|
|
PAGE_READWRITE | SEC_COMMIT,
|
|
0,
|
|
MAX_MEM_ALLOC,
|
|
"ApiWatch"
|
|
);
|
|
if (!hMap) {
|
|
return 1;
|
|
}
|
|
|
|
MemPtr = (PUCHAR)MapViewOfFile(
|
|
hMap,
|
|
FILE_MAP_WRITE,
|
|
0,
|
|
0,
|
|
0
|
|
);
|
|
if (!MemPtr) {
|
|
return 1;
|
|
}
|
|
ApiMonMutex = CreateMutex( NULL, FALSE, "ApiMonMutex" );
|
|
if (!ApiMonMutex) {
|
|
return FALSE;
|
|
}
|
|
|
|
ApiCounter = (LPDWORD)MemPtr + 0;
|
|
ApiTraceEnabled = (LPDWORD)MemPtr + 1;
|
|
ApiTimingEnabled = (LPDWORD)MemPtr + 2;
|
|
FastCounterAvail = (LPDWORD)MemPtr + 3;
|
|
ApiOffset = (LPDWORD)MemPtr + 4;
|
|
ApiStrings = (LPDWORD)MemPtr + 5;
|
|
ApiCount = (LPDWORD)MemPtr + 6;
|
|
TraceFileName = (LPSTR)((LPDWORD)MemPtr + 7);
|
|
DllList = (PDLL_INFO)((LPDWORD)MemPtr + 8 + MAX_PATH);
|
|
|
|
*ApiOffset = (MAX_DLLS * sizeof(DLL_INFO)) + ((ULONG)DllList - (ULONG)MemPtr);
|
|
*ApiStrings = (MAX_APIS * sizeof(API_INFO)) + *ApiOffset;
|
|
|
|
|
|
#if 0
|
|
DllInfo = AddDllToList( NULL,
|
|
HANDLE hProcess,
|
|
ULONG DllAddr,
|
|
LPSTR DllName,
|
|
ULONG DllSize
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
LoadLibrary( "apidll.dll" );
|
|
|
|
return 0;
|
|
}
|
|
|
|
BOOL
|
|
ReadMemory(
|
|
HANDLE hProcess,
|
|
PVOID Address,
|
|
PVOID Buffer,
|
|
ULONG Length
|
|
)
|
|
{
|
|
CopyMemory( Buffer, Address, Length );
|
|
return TRUE;
|
|
}
|
|
|
|
PDLL_INFO
|
|
FindDllByAddress(
|
|
ULONG DllAddr
|
|
)
|
|
{
|
|
ULONG i;
|
|
for (i=0; i<MAX_DLLS; i++) {
|
|
if (DllList[i].BaseAddress == DllAddr) {
|
|
return &DllList[i];
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
|
|
PDLL_INFO
|
|
FindDllByName(
|
|
LPSTR DllName
|
|
)
|
|
{
|
|
ULONG i;
|
|
for (i=0; i<MAX_DLLS; i++) {
|
|
if (DllList[i].Name[0] &&
|
|
_stricmp( DllList[i].Name, DllName ) == 0) {
|
|
return &DllList[i];
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
|
|
PDLL_INFO
|
|
FindAvailDll(
|
|
VOID
|
|
)
|
|
{
|
|
ULONG i;
|
|
for (i=0; i<MAX_DLLS; i++) {
|
|
if (!DllList[i].BaseAddress) {
|
|
return &DllList[i];
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
|
|
PDLL_INFO
|
|
AddDllToList(
|
|
HANDLE hProcess,
|
|
ULONG DllAddr,
|
|
LPSTR DllName,
|
|
ULONG DllSize
|
|
)
|
|
{
|
|
IMAGE_DOS_HEADER dh;
|
|
IMAGE_NT_HEADERS nh;
|
|
ULONG i;
|
|
PDLL_INFO DllInfo;
|
|
|
|
|
|
//
|
|
// first look to see if the dll is already in the list
|
|
//
|
|
DllInfo = FindDllByAddress( DllAddr );
|
|
|
|
if (!DllSize) {
|
|
//
|
|
// read the pe image headers to get the image size
|
|
//
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID) DllAddr,
|
|
&dh,
|
|
sizeof(dh)
|
|
)) {
|
|
return NULL;
|
|
}
|
|
|
|
if (dh.e_magic == IMAGE_DOS_SIGNATURE) {
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID)(DllAddr + dh.e_lfanew),
|
|
&nh,
|
|
sizeof(nh)
|
|
)) {
|
|
return NULL;
|
|
}
|
|
DllSize = nh.OptionalHeader.SizeOfImage;
|
|
} else {
|
|
DllSize = 0;
|
|
}
|
|
}
|
|
|
|
DllInfo = FindAvailDll();
|
|
if (!DllInfo) {
|
|
return NULL;
|
|
}
|
|
|
|
DllInfo->Size = DllSize;
|
|
strncat( DllInfo->Name, DllName, MAX_NAME_SZ-1 );
|
|
DllInfo->BaseAddress = DllAddr;
|
|
DllInfo->InList = FALSE;
|
|
DllInfo->Enabled = TRUE;
|
|
|
|
return DllInfo;
|
|
}
|
|
|
|
ULONG
|
|
AddApisForDll(
|
|
HANDLE hProcess,
|
|
PDLL_INFO DllInfo
|
|
)
|
|
{
|
|
IMAGE_DOS_HEADER dh;
|
|
IMAGE_NT_HEADERS nh;
|
|
IMAGE_EXPORT_DIRECTORY expdir;
|
|
PULONG names = NULL;
|
|
PULONG addrs = NULL;
|
|
PUSHORT ordinals = NULL;
|
|
PUSHORT ordidx = NULL;
|
|
PAPI_INFO ApiInfo = NULL;
|
|
ULONG cnt = 0;
|
|
ULONG idx = 0;
|
|
ULONG i;
|
|
ULONG j;
|
|
LPSTR p;
|
|
|
|
|
|
if (*ApiCount == MAX_APIS) {
|
|
goto exit;
|
|
}
|
|
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID)DllInfo->BaseAddress,
|
|
&dh,
|
|
sizeof(dh)
|
|
)) {
|
|
goto exit;
|
|
}
|
|
|
|
if (dh.e_magic != IMAGE_DOS_SIGNATURE) {
|
|
goto exit;
|
|
}
|
|
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID)(DllInfo->BaseAddress + dh.e_lfanew),
|
|
&nh,
|
|
sizeof(nh)
|
|
)) {
|
|
goto exit;
|
|
}
|
|
|
|
if (!nh.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
|
|
goto exit;
|
|
}
|
|
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID)(DllInfo->BaseAddress +
|
|
nh.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress),
|
|
&expdir,
|
|
sizeof(expdir)
|
|
)) {
|
|
goto exit;
|
|
}
|
|
|
|
names = (PULONG) LocalAlloc( LPTR, expdir.NumberOfNames * sizeof(ULONG) );
|
|
addrs = (PULONG) LocalAlloc( LPTR, expdir.NumberOfFunctions * sizeof(ULONG) );
|
|
ordinals = (PUSHORT) LocalAlloc( LPTR, expdir.NumberOfNames * sizeof(USHORT) );
|
|
ordidx = (PUSHORT) LocalAlloc( LPTR, expdir.NumberOfFunctions * sizeof(USHORT) );
|
|
|
|
if ((!names) || (!addrs) || (!ordinals) || (!ordidx)) {
|
|
goto exit;
|
|
}
|
|
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID)(DllInfo->BaseAddress + (ULONG)expdir.AddressOfNames),
|
|
names,
|
|
expdir.NumberOfNames * sizeof(ULONG)
|
|
)) {
|
|
goto exit;
|
|
}
|
|
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID)(DllInfo->BaseAddress + (ULONG)expdir.AddressOfFunctions),
|
|
addrs,
|
|
expdir.NumberOfFunctions * sizeof(ULONG)
|
|
)) {
|
|
goto exit;
|
|
}
|
|
|
|
if (!ReadMemory(
|
|
hProcess,
|
|
(PVOID)(DllInfo->BaseAddress + (ULONG)expdir.AddressOfNameOrdinals),
|
|
ordinals,
|
|
expdir.NumberOfNames * sizeof(USHORT)
|
|
)) {
|
|
goto exit;
|
|
}
|
|
|
|
DllInfo->ApiCount = expdir.NumberOfFunctions;
|
|
DllInfo->ApiOffset = *ApiOffset;
|
|
*ApiOffset += (DllInfo->ApiCount * sizeof(API_INFO));
|
|
ApiInfo = (PAPI_INFO)(DllInfo->ApiOffset + (ULONG)DllList);
|
|
|
|
if (*ApiCount < MAX_APIS) {
|
|
for (i=0; i<expdir.NumberOfNames; i++) {
|
|
idx = ordinals[i];
|
|
ordidx[idx] = TRUE;
|
|
ApiInfo[i].Count = 0;
|
|
ApiInfo[i].ThunkAddress = 0;
|
|
ApiInfo[i].Address = addrs[idx] + DllInfo->BaseAddress;
|
|
j = 0;
|
|
p = (LPSTR)((LPSTR)MemPtr+*ApiStrings);
|
|
do {
|
|
ReadMemory(
|
|
hProcess,
|
|
(PVOID)(DllInfo->BaseAddress + names[i] + j),
|
|
&p[j],
|
|
1
|
|
);
|
|
j += 1;
|
|
} while(p[j-1]);
|
|
ApiInfo[i].Name = *ApiStrings;
|
|
*ApiStrings += (strlen((LPSTR)((LPSTR)MemPtr+*ApiStrings)) + 1);
|
|
*ApiCount += 1;
|
|
if (*ApiCount == MAX_APIS) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (*ApiCount < MAX_APIS) {
|
|
for (i=0,idx=expdir.NumberOfNames; i<expdir.NumberOfFunctions; i++) {
|
|
if (!ordidx[i]) {
|
|
ApiInfo[idx].Count = 0;
|
|
ApiInfo[idx].ThunkAddress = 0;
|
|
ApiInfo[idx].Address = addrs[i] + DllInfo->BaseAddress;
|
|
sprintf(
|
|
(LPSTR)((LPSTR)MemPtr+*ApiStrings),
|
|
"Ordinal%d",
|
|
i
|
|
);
|
|
ApiInfo[idx].Name = *ApiStrings;
|
|
*ApiStrings += (strlen((LPSTR)((LPSTR)MemPtr+*ApiStrings)) + 1);
|
|
*ApiCount += 1;
|
|
if (*ApiCount == MAX_APIS) {
|
|
break;
|
|
}
|
|
idx += 1;
|
|
}
|
|
}
|
|
}
|
|
cnt = DllInfo->ApiCount;
|
|
|
|
exit:
|
|
LocalFree( names );
|
|
LocalFree( addrs );
|
|
LocalFree( ordinals );
|
|
LocalFree( ordidx );
|
|
|
|
return cnt;
|
|
}
|