void CLogger::log(ELogLevel::ELogLevel level, const std::string & message) const
{
if(getEffectiveLevel() <= level)
{
callTargets(LogRecord(domain, level, message));
}
}
void CentralTestMachineClass::UpdateToDatabase(TQuery* query)
{
// write updated record
query -> SQL -> Clear();
query->SQL->Add("Update c_test_machine set "
"machine_test_name = :tname, "
"protocol = :pro, "
"test_order = :to "
" where test_cid = :tid and "
" machine_cid = :mid ");
FormatSQL( query );
LogRecord( "Update: New record: " );
query -> Prepare();
try
{
query -> ExecSQL();
}
catch(Exception& e)
{
if(e.Message != "Error creating cursor handle")
{
AnsiString strError =
"Error updating CentralTestMachine.\n" + e.Message;
Application->MessageBox(
strError.c_str(),
"CentralTestMachineClass Error",MB_OK);
LogMod->LogCentralDb( TLogMod::LOGLOCAL, strError );
}
}
LogMod->LogCentralDb( TLogMod::LOGLOCAL, query );
LogMod->Commit( query );
}
void OnAcceptComplete(CPUX86State *env, uint32_t FileHandle, uint32_t Buffer)
{
PSOCKET_ENTRY pSocketEntry;
uint32_t ip;
uint16_t port;
target_ulong ip_addr, port_addr;
ip_addr = Buffer + 0x0e;
port_addr = Buffer + 0x0c;
if(!qebek_read_ulong(env, ip_addr, &ip))
{
fprintf(stderr, "OnAcceptComplete: failed to read accepted ip: %08x\n", ip_addr);
return;
}
if(!qebek_read_uword(env, port_addr, &port))
{
fprintf(stderr, "OnAcceptComplete: failed to read accepted port: %08x\n", port_addr);
return;
}
if((pSocketEntry = GetSocketEntry(env->cr[3], FileHandle)) == NULL)
return; // not sure
pSocketEntry->dip = ip;
pSocketEntry->dport = port;
pSocketEntry->protocol = IPPROTO_TCP;
LogRecord(env, SYS_ACCEPT, FileHandle, pSocketEntry);
}
void CentralTestMachineClass::DeleteFromDatabase(TQuery* query)
{
// write to audit log
LogRecord( "Deleting: " );
// delete record
query -> Close();
query -> SQL -> Clear();
query -> SQL -> Add("delete from c_test_machine"
" where test_cid = :tid and "
" machine_cid = :mid ");
query -> ParamByName( "tid" )->AsInteger = TestID;
query -> ParamByName( "mid" )->AsInteger = MachineID;
query -> Prepare();
try
{
query -> ExecSQL();
}
catch(Exception& e)
{
if(e.Message != "Error creating cursor handle")
{
AnsiString strError =
"Error deleting CentralTestMachine.\n" + e.Message;
Application->MessageBox(
strError.c_str(),
"CentralTestMachineClass Error",MB_OK);
LogMod->LogCentralDb( TLogMod::LOGLOCAL, strError );
}
}
LogMod->LogCentralDb( TLogMod::LOGLOCAL, query );
LogMod->Commit( query );
}
LONG
HookRegSetValue(
HKEY hkey,
PCHAR lpszSubKey,
DWORD fdwType,
PCHAR lpszData,
DWORD cbData
)
{
LONG retval;
CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, "(Default)", fullname );
retval = RealRegSetValue( hkey, lpszSubKey, fdwType, lpszData, cbData );
data[0] = 0;
if( lpszData ) {
strcpy( data,"\"");
strncat(data, lpszData, STRINGLEN );
if( strlen( lpszData ) > STRINGLEN )
strcat( data, "..." );
strcat( data, "\"");
}
if( ErrorString( retval ) && FilterDef.logwrites) {
LogRecord( "%s\tSetValue\t%s\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ), data );
}
return retval;
}
LONG
HookRegQueryValue(
HKEY hkey,
PCHAR lpszSubKey,
PCHAR lpszValue,
PLONG pcbValue
)
{
LONG retval;
CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, "(Default)", fullname );
retval = RealRegQueryValue( hkey, lpszSubKey, lpszValue, pcbValue );
data[0] = 0;
if( retval == ERROR_SUCCESS && lpszValue && *pcbValue ) {
strcpy( data, "\"");
strncat( data, lpszValue, STRINGLEN );
if( strlen( lpszValue ) > STRINGLEN )
strcat( data, "..." );
strcat( data, "\"");
}
if( ErrorString( retval ) && FilterDef.logreads ) {
LogRecord( "%s\tQueryValue\t%s\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ), data);
}
return retval;
}
static LogRecord createSerializedLogRecord()
{
KaaUserLogRecord logRecord;
logRecord.logdata = testLogData;
return LogRecord(logRecord);
}
LONG
HookRegCreateDynKey(
PCHAR szName,
PVOID KeyContext,
PVOID pInfo,
PVOID pValList,
DWORD dwNumVals,
PVMMHKEY pKeyHandle
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
sprintf(fullname, "DYNDAT\\%s", szName );
retval = RealRegCreateDynKey( szName, KeyContext, pInfo, pValList,
dwNumVals, pKeyHandle );
if( ErrorString( retval ) && FilterDef.logreads) {
LogRecord( "%s\tCreateDynKey\t%s\t%s\thKey: 0x%X",
GetProcess( process ), fullname, ErrorString( retval ),
*pKeyHandle );
}
if( retval == ERROR_SUCCESS ) {
RegmonLogHash( *pKeyHandle, fullname );
}
return retval;
}
LONG
HookRegCreateKey(
HKEY hkey,
PCHAR lpszSubKey,
PHKEY phkResult
)
{
LONG retval;
CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, NULL, fullname );
retval = RealRegCreateKey( hkey, lpszSubKey, phkResult );
data[0] = 0;
if( retval == ERROR_SUCCESS ) {
RegmonFreeHashEntry( *phkResult );
RegmonLogHash( *phkResult, fullname );
sprintf(data,"hKey: 0x%X", *phkResult );
}
if( ErrorString( retval ) && FilterDef.logwrites ) {
LogRecord( "%s\tCreateKey\t%s\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ), data);
}
return retval;
}
LONG
__stdcall HookWin32RegQueryInfoKey(
volatile PCLIENT_STRUCT pClientRegs,
DWORD Dummy2,
HKEY hKey,
PDWORD lpcSubKeys,
PDWORD lpcchMaxSubKey,
PDWORD lpcValues,
PDWORD lpcchMaxValueName,
PDWORD lpcbMaxValueData
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
//
// NOTE: this special hook is needed because Win95 has a bug where
// the Win32 call to RegQueryInfoKey gets routed to VMM's Win32
// service table, but the service table handler does *not* call the
// VMM RegQueryInfoKey entry point. Therefore, we have to hook the
// VMM Win32 service as a special case.
//
GetFullName( hKey, NULL, NULL, fullname );
//
// The return code is Logd in the client registers
//
RealWin32RegQueryInfoKey( pClientRegs, Dummy2,
hKey, lpcSubKeys, lpcchMaxSubKey,
lpcValues, lpcchMaxValueName,
lpcbMaxValueData );
retval = pClientRegs->CRS.Client_EAX;
if( ErrorString( retval ) && FilterDef.logreads) {
if( retval == ERROR_SUCCESS ) {
LogRecord( "%s\tQueryKey\t%s\t%s\tKeys: %d Values: %d",
GetProcess( process ), fullname, ErrorString( retval ),
lpcSubKeys ? *lpcSubKeys : -1,
lpcValues ? *lpcValues : -1 );
} else
LogRecord( "%s\tQueryKey\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ));
}
return retval;
}
LONG
HookRegEnumValue(
HKEY hkey,
DWORD iValue,
PCHAR lpszValue,
PDWORD lpcchValue,
PDWORD lpdwReserved,
PDWORD lpdwType,
PBYTE lpbData,
PDWORD lpcbData
)
{
LONG retval;
int i, len;
CHAR fullname[NAMELEN], data[DATASIZE], tmp[2*BINARYLEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegEnumValue( hkey, iValue, lpszValue, lpcchValue,
lpdwReserved, lpdwType, lpbData, lpcbData );
data[0] = 0;
if( retval == ERROR_SUCCESS && lpbData && *lpcbData ) {
strcat( data, lpszValue );
strcat( data, ": ");
if( !lpdwType || *lpdwType == REG_BINARY ) {
if( *lpcbData > BINARYLEN ) len = BINARYLEN;
else len = *lpcbData;
for( i = 0; i < len; i++ ) {
sprintf( tmp, "%X ", lpbData[i]);
strcat( data, tmp );
}
if( *lpcbData > BINARYLEN) strcat( data, "...");
} else if( *lpdwType == REG_SZ ) {
strcat( data, "\"");
strncat( data, lpbData, STRINGLEN );
strcat( data, "\"");
} else if( *lpdwType == REG_DWORD ) {
sprintf( tmp, "0x%X", *(PDWORD) lpbData );
strcat( data, tmp );
}
}
if( ErrorString( retval ) && FilterDef.logreads ) {
LogRecord( "%s\tEnumValue\t%s\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ),
data );
}
return retval;
}
//----- (08001203) --------------------------------------------------------
NTSTATUS
DMCreateClose(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
)
{
PIO_STACK_LOCATION IrpStack;
NTSTATUS status;
LARGE_INTEGER PerfCount;
LARGE_INTEGER CurrentTime;
ULONG seq;
PDEVICE_ENTRY DevEntry;
IrpStack = IoGetCurrentIrpStackLocation(Irp);
if ( DeviceObject == g_pDeviceObject )
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
g_bGUIActive = (IrpStack->MajorFunction == IRP_MJ_CREATE);
IofCompleteRequest(Irp, 0);
status = STATUS_SUCCESS;
}
else
{
if ( g_bUsePerfCounter )
{
PerfCount = KeQueryPerformanceCounter(NULL);
CurrentTime.QuadPart = 0;
}
else
{
KeQuerySystemTime(&CurrentTime);
PerfCount.QuadPart = 0;
}
seq = InterlockedIncrement(&Sequence);
DevEntry = LookupEntryByDevObj(DeviceObject);
if ( DevEntry )
{
LogRecord(
seq,
&CurrentTime,
DevEntry->DiskNumber,
"%s",
IrpStack->MajorFunction == IRP_MJ_CLOSE ? "IRP_MJ_CLOSE" : "IRP_MJ_CREATE");
}
status = DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount);
}
return status;
}
LONG
HookRegQueryInfoKey(
HKEY hKey,
PCHAR lpszClass,
PDWORD lpcchClass,
DWORD lpdwReserved,
PDWORD lpcSubKeys,
PDWORD lpcchMaxSubKey,
PDWORD pcchMaxClass,
PDWORD lpcValues,
PDWORD lpcchMaxValueName,
PDWORD lpcbMaxValueData,
PDWORD lpcbSecurityDescriptor,
PFILETIME lpftLastWriteTime
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hKey, NULL, NULL, fullname );
retval = RealRegQueryInfoKey( hKey, lpszClass, lpcchClass, lpdwReserved,
lpcSubKeys, lpcchMaxSubKey, pcchMaxClass,
lpcValues, lpcchMaxValueName,
lpcbMaxValueData,
lpcbSecurityDescriptor,
lpftLastWriteTime );
if( ErrorString( retval ) &&
FilterDef.logreads ) {
if( retval == ERROR_SUCCESS ) {
LogRecord( "%s\tQueryKey\t%s\t%s\tKeys: %d Values: %d",
GetProcess( process ), fullname, ErrorString( retval ),
lpcSubKeys ? *lpcSubKeys : -1,
lpcValues ? *lpcValues : -1 );
} else
LogRecord( "%s\tQueryKey\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ));
}
return retval;
}
LONG
HookRegSetValueEx(
HKEY hkey,
PCHAR lpszValueName,
DWORD lpdwReserved,
DWORD fdwType,
PBYTE lpbData,
DWORD lpcbData
)
{
LONG retval;
int i, len;
CHAR fullname[NAMELEN], data[DATASIZE], tmp[2*BINARYLEN], process[PROCESSLEN];
GetFullName( hkey, NULL, lpszValueName, fullname );
retval = RealRegSetValueEx( hkey, lpszValueName, lpdwReserved,
fdwType, lpbData, lpcbData );
data[0] = 0;
if( fdwType == REG_SZ ) {
strcpy( data, "\"");
strncat( data, lpbData, STRINGLEN );
if( strlen( lpbData ) > STRINGLEN )
strcat( data, "..." );
strcat( data, "\"");
} else if( fdwType == REG_BINARY ) {
if( lpcbData > BINARYLEN ) len = BINARYLEN;
else len = lpcbData;
for( i = 0; i < len; i++ ) {
sprintf( tmp, "%X ", lpbData[i]);
strcat( data, tmp );
}
if( lpcbData > BINARYLEN) strcat( data, "...");
} else if( fdwType == REG_DWORD ) {
sprintf( data, "0x%X", *(PDWORD) lpbData );
}
if( ErrorString( retval ) && FilterDef.logwrites) {
LogRecord( "%s\tSetValueEx\t%s\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ), data );
}
return retval;
}
//----- (0800149E) --------------------------------------------------------
NTSTATUS
DMReadWrite(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
)
{
PDEVICE_ENTRY DevEntry;
ULONG SectorNum;
ULONGLONG ByteOffset;
ULONGLONG SectorOffset;
PIO_STACK_LOCATION IrpStack;
NTSTATUS status;
LARGE_INTEGER PerfCount;
LARGE_INTEGER CurrentTime;
ULONG seq;
IrpStack = IoGetCurrentIrpStackLocation(Irp);
if ( g_bUsePerfCounter )
{
PerfCount = KeQueryPerformanceCounter(NULL);
CurrentTime.QuadPart = 0;
}
else
{
KeQuerySystemTime(&CurrentTime);
PerfCount.QuadPart = 0;
}
seq = InterlockedIncrement(&Sequence);
DevEntry = LookupEntryByDevObj(DeviceObject);
if ( DevEntry )
{
SectorNum = IrpStack->Parameters.Read.Length >> 9;
ByteOffset = IrpStack->Parameters.Read.ByteOffset.QuadPart;
SectorOffset = GetSectorOffset(ByteOffset, 512);
LogRecord(
seq,
&CurrentTime,
DevEntry->DiskNumber,
"%s\t%I64d\t%d",
IrpStack->MajorFunction == IRP_MJ_READ ? "IRP_MJ_READ" : "IRP_MJ_WRITE", SectorOffset, SectorNum);
}
return DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount);
}
LONG
HookRegFlushKey(
HKEY hkey
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegFlushKey( hkey );
if( ErrorString( retval ) && FilterDef.logaux ) {
LogRecord( "%s\tFlushKey\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ));
}
return retval;
}
LONG
HookRegDeleteValue(
HKEY hkey,
PCHAR lpszSubKey
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, lpszSubKey, NULL, fullname );
retval = RealRegDeleteValue( hkey, lpszSubKey );
if( ErrorString( retval ) && FilterDef.logwrites ) {
LogRecord( "%s\tDeleteValue\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ));
}
return retval;
}
LONG
HookRegRemapPreDefKey(
HKEY hkey,
HKEY hRootKey
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegRemapPreDefKey( hkey, hRootKey );
if( ErrorString( retval )) {
LogRecord( "%s\tRemapPreKey\t%s\t%s\tRoot: %s",
GetProcess( process ), fullname, ErrorString( retval ),
hRootKey == HKEY_CURRENT_USER ? "HKCU" : "HKCC" );
}
return retval;
}
void LogManager::forceLSNRecord(int index) {
for (int pageNum = 0; pageNum < 4; pageNum++) {
char page[4096] = {};
fm->read(logName, pageNum * 8, 8, page);
for (int i = 0; i < 73; i++) {
char bytes[56] = {};
int start = i * 56;
for (int j = 0; j < 56; j++) { bytes[j] = page[start + j]; }
LogRecord rec = LogRecord(bytes);
if (rec.LSN == 0) {
char* recordBytes = (char*) &log[index];
for (int k = 0; k < 56; k++) { page[start + k] = recordBytes[k]; }
fm->write(logName, pageNum * 8, 8, page);
return;
}
}
}
}
//----- (08002059) --------------------------------------------------------
NTSTATUS
DMShutDownFlushBuffer(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
)
{
ULONG seq;
PIO_STACK_LOCATION IrpStack;
LARGE_INTEGER PerfCount;
LARGE_INTEGER CurrentTime;
PDEVICE_ENTRY DevEntry;
IrpStack = IoGetCurrentIrpStackLocation(Irp);
if ( g_bUsePerfCounter )
{
PerfCount = KeQueryPerformanceCounter(NULL);
CurrentTime.QuadPart = 0;
}
else
{
KeQuerySystemTime(&CurrentTime);
PerfCount.QuadPart = 0;
}
seq = InterlockedIncrement(&Sequence);
DevEntry = LookupEntryByDevObj(DeviceObject);
if ( DevEntry )
{
LogRecord(
seq,
&CurrentTime,
DevEntry->DiskNumber,
"%s",
IrpStack->MajorFunction == IRP_MJ_SHUTDOWN ? "IRP_MJ_SHUTDOWN" : "IRP_MJ_FLUSH_BUFFERS");
}
return DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount);
}
void ProfileClass::UpdateToDatabase(TQuery* query)
{
// write updated record
query -> SQL -> Clear();
query->SQL->Add(
"Update test_profile_description set "
"test_profile_name = :name, "
"test_profile_description = :descr, "
"date_last_modified = :date, ");
if ( !theProject->isBeforeVersion( 2, 1 ) )
{
query->SQL->Add(
"profile_flags = :flag, ");
}
query->SQL->Add(
"note_exists = :note "
"where test_profile_id = :tpid");
FormatSQL( query );
LogRecord( "Update: New record: " );
query -> Prepare();
try
{
query -> ExecSQL();
}
catch(Exception& e)
{
if(e.Message != "Error creating cursor handle")
{
AnsiString strError =
"Error inserting test profile descriptor\n" + e.Message;
Application->MessageBox(
strError.c_str(),
"ProfileClass Error",MB_OK);
LogMod->LogProjectDb( TLogMod::LOGLOCAL, strError );
}
}
LogMod->LogProjectDb( TLogMod::LOGLOCAL, query );
LogMod->Commit( query );
}
void LogManager::start(char* inLogName) {
logName = inLogName;
char page[4096] = {};
for (int pageNum = 0; pageNum < 4; pageNum++) {
fm->read(logName, pageNum * 8, 8, page);
for (int i = 0; i < 73; i++) {
char bytes[56] = {};
int start = i * 56;
for (int j = 0; j < 56; j++) { bytes[j] = page[start + j]; }
LogRecord rec = LogRecord(bytes);
if (rec.LSN == 0) { return; }
else if (rec.LSN != 0) {
log[tail] = rec;
tail++;
}
}
}
}
void OnRecvfromComplete(CPUX86State *env, uint32_t FileHandle, uint32_t Buffer)
{
PSOCKET_ENTRY pSocketEntry;
uint32_t ip, addr_in;
uint16_t port;
target_ulong ip_addr, port_addr, addr_addr;
addr_addr = Buffer + 0x10;
if(!qebek_read_ulong(env, addr_addr, &addr_in))
{
fprintf(stderr, "OnRecvComplete: failed to read recvfrom sockaddr_in: %08x\n", addr_addr);
return;
}
ip_addr = addr_in + 0x04;
port_addr = addr_in + 0x02;
if(!qebek_read_ulong(env, ip_addr, &ip))
{
fprintf(stderr, "OnRecvComplete: failed to read recvfrom ip: %08x\n", ip_addr);
return;
}
if(!qebek_read_uword(env, port_addr, &port))
{
fprintf(stderr, "OnRecvComplete: failed to read recvfrom port: %08x\n", port_addr);
return;
}
if((pSocketEntry = GetSocketEntry(env->cr[3], FileHandle)) == NULL)
return; // not sure
pSocketEntry->dip = ip;
pSocketEntry->dport = port;
pSocketEntry->protocol = IPPROTO_UDP;
LogRecord(env, SYS_RECVFROM, FileHandle, pSocketEntry);
}
LONG
HookRegQueryMultipleValues(
HKEY hKey,
PVALENT pValent,
DWORD dwNumVals,
PCHAR pValueBuf,
PDWORD pTotSize
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hKey, NULL, NULL, fullname );
retval = RealRegQueryMultipleValues( hKey, pValent,
dwNumVals, pValueBuf, pTotSize );
if( ErrorString( retval ) && FilterDef.logreads) {
LogRecord( "%s\tQueryMultVal\t%s\t%s",
GetProcess( process ), fullname, ErrorString( retval ));
}
return retval;
}
LONG
HookRegEnumKey(
HKEY hkey,
DWORD iSubKey,
PCHAR lpszName,
DWORD cchName
)
{
LONG retval;
CHAR fullname[NAMELEN], process[PROCESSLEN];
GetFullName( hkey, NULL, NULL, fullname );
retval = RealRegEnumKey( hkey, iSubKey, lpszName, cchName );
if( ErrorString( retval ) && FilterDef.logreads ) {
LogRecord( "%s\tEnumKey\t%s\t%s\t%s",
GetProcess( process ), fullname,
ErrorString( retval ),
retval == ERROR_SUCCESS ? lpszName : "");
}
return retval;
}
void postNtDeviceIoControlFile(CPUX86State *env, void* user_data)
{
uint32_t FileHandle, IoControlCode, InputBuffer, OutputBuffer, EventHandle, IoStatusBlock;
uint32_t PID, ntStatus, SocketHandle;
PNtDeviceIoControlFileData pControlData;
PSOCKET_ENTRY pSocketEntry, pSocketEntry2;
PNtWaitForSingleObjectData pWaitData;
uint32_t ip, addr_in;
uint16_t port;
target_ulong ip_addr, port_addr, addr_addr, bp_addr, sh_addr;
pControlData = (PNtDeviceIoControlFileData)user_data;
if(pControlData == NULL)
{
//get file handle, control code, input buffer and output buffer
qebek_read_ulong(env, env->regs[R_ESP] - 10 * 4, &FileHandle);
qebek_read_ulong(env, env->regs[R_ESP] - 9 * 4, &EventHandle);
qebek_read_ulong(env, env->regs[R_ESP] - 6 * 4, &IoStatusBlock);
qebek_read_ulong(env, env->regs[R_ESP] - 5 * 4, &IoControlCode);
qebek_read_ulong(env, env->regs[R_ESP] - 4 * 4, &InputBuffer);
qebek_read_ulong(env, env->regs[R_ESP] - 2 * 4, &OutputBuffer);
}
else
{
FileHandle = pControlData->FileHandle;
EventHandle = pControlData->EventHandle;
IoStatusBlock = pControlData->IoStatusBlock;
IoControlCode = pControlData->IoControlCode;
InputBuffer = pControlData->InputBuffer;
OutputBuffer = pControlData->OutputBuffer;
qemu_free(pControlData);
}
//fprintf(stderr, "postNtDeviceIoControlFile: FileHandle %08x, IoControlCode %08x, InputBuffer %08x, OutputBuffer %08x\n",
// FileHandle, IoControlCode, InputBuffer, OutputBuffer);
//if(!qebek_get_current_pid(env, &PID))
// goto remove_bp;
PID = env->cr[3];
ntStatus = env->regs[R_EAX];
if(ntStatus != 0 &&
ntStatus != 0x103 // STATUS_PENDING
)
goto remove_bp;
switch(IoControlCode)
{
case AFD_BIND:
ip_addr = InputBuffer + 0x0e;
port_addr = OutputBuffer + 0x0c;
if(!qebek_read_ulong(env, ip_addr, &ip))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read bind ip: %08x\n", ip_addr);
break;
}
if(!qebek_read_uword(env, port_addr, &port))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read bind port: %08x\n", port_addr);
break;
}
if((pSocketEntry = GetSocketEntry(PID, FileHandle)) == NULL)
{
if((pSocketEntry = InsertSocketHandle(PID, FileHandle)) == NULL)
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to insert socket entry\n");
break;
}
}
pSocketEntry->sip = ip;
pSocketEntry->sport = port;
break;
case AFD_CONNECT:
ip_addr = InputBuffer + 0x16;
port_addr = InputBuffer + 0x14;
if(!qebek_read_ulong(env, ip_addr, &ip))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read connect ip: %08x\n", ip_addr);
break;
}
if(!qebek_read_uword(env, port_addr, &port))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read connect port: %08x\n", port_addr);
break;
}
/*dip = ntohl(ip);
dport = ntohs(port);
fprintf(stderr, "connect to %hu.%hu.%hu.%hu:%hu, using handle %x\n",
(short)((dip >> 24) & 0xff), (short)((dip >> 16) & 0xff), (short)((dip >> 8) & 0xff),
(short)(dip & 0xff), dport, FileHandle);*/
SocketHandle = 0;
sh_addr = InputBuffer + 0x08;
if(!qebek_read_ulong(env, sh_addr, &SocketHandle))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read socket handle: %08x\n", sh_addr);
}
if(SocketHandle == 0)
SocketHandle = FileHandle;
if((pSocketEntry = GetSocketEntry(PID, SocketHandle)) == NULL)
break; // not sure
pSocketEntry->dip = ip;
pSocketEntry->dport = port;
pSocketEntry->protocol = IPPROTO_TCP;
LogRecord(env, SYS_CONNECT, SocketHandle, pSocketEntry);
break;
case AFD_SEND:
if((pSocketEntry = GetSocketEntry(PID, FileHandle)) != NULL)
LogRecord(env, SYS_SENDMSG, FileHandle, pSocketEntry);
else
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to get socket entry for send: %08x\n", FileHandle);
}
break;
case AFD_RECV:
if((pSocketEntry = GetSocketEntry(PID, FileHandle)) != NULL)
LogRecord(env, SYS_RECVMSG, FileHandle, pSocketEntry);
else
{
fprintf(stderr, "postNtDeviceIoControlFIle: failed to get socket entry for recv: %08x\n", FileHandle);
}
break;
case AFD_SEND_DATAGRAM:
addr_addr = InputBuffer + 0x34;
if(!qebek_read_ulong(env, addr_addr, &addr_in))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read sendto sockaddr_in: %08x\n", addr_addr);
break;
}
ip_addr = addr_in + 0x0a;
port_addr = addr_in + 0x08;
if(!qebek_read_ulong(env, ip_addr, &ip))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read sendto ip: %08x\n", ip_addr);
break;
}
if(!qebek_read_uword(env, port_addr, &port))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read sendto port: %08x\n", port_addr);
break;
}
if((pSocketEntry = GetSocketEntry(PID, FileHandle)) == NULL)
break; // not sure
pSocketEntry->dip = ip;
pSocketEntry->dport = port;
pSocketEntry->protocol = IPPROTO_UDP;
LogRecord(env, SYS_SENDTO, FileHandle, pSocketEntry);
break;
case AFD_RECV_DATAGRAM:
if(ntStatus == 0)
{
OnRecvfromComplete(env, FileHandle, InputBuffer);
}
else if(ntStatus == 0x103)
{
pWaitData = (PNtWaitForSingleObjectData)qemu_malloc(sizeof(NtWaitForSingleObjectData));
if(!pWaitData)
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to malloc wait data\n");
break;
}
pWaitData->EventHandle = EventHandle;
pWaitData->FileHandle = FileHandle;
pWaitData->IoControlCode = IoControlCode;
pWaitData->Buffer = InputBuffer;
pWaitData->Status = IoStatusBlock;
if(!qebek_bp_add(NtWaitForSingleObject, env->cr[3], env->regs[R_EBP], preNtWaitForSingleObject, pWaitData))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to add wait bp\n");
qemu_free(pWaitData);
}
}
break;
case AFD_ACCEPT:
if(ntStatus == 0)
{
OnAcceptComplete(env, FileHandle, OutputBuffer);
}
else if(ntStatus == 0x103)
{
pWaitData = (PNtWaitForSingleObjectData)qemu_malloc(sizeof(NtWaitForSingleObjectData));
if(!pWaitData)
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to malloc wait data2\n");
break;
}
pWaitData->EventHandle = EventHandle;
pWaitData->FileHandle = FileHandle;
pWaitData->IoControlCode = IoControlCode;
pWaitData->Buffer = OutputBuffer;
pWaitData->Status = IoStatusBlock;
if(!qebek_bp_add(NtWaitForSingleObject, env->cr[3], env->regs[R_EBP], preNtWaitForSingleObject, pWaitData))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to add wait bp2\n");
qemu_free(pWaitData);
}
}
break;
case AFD_DUPLICATE:
sh_addr = InputBuffer + 0x08;
if(!qebek_read_ulong(env, sh_addr, &SocketHandle))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to read new socket handle: %08x\n", sh_addr);
break;
}
if((pSocketEntry = GetSocketEntry(PID, FileHandle)) == NULL)
{
fprintf(stderr, "psotNtDeviceIoControlFile: failed to get old socket entry: %08x\n", FileHandle);
break;
}
if((pSocketEntry2 = InsertSocketHandle(PID, SocketHandle)) == NULL)
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to insert new socket entry: %08x\n", SocketHandle);
break;
}
memcpy(pSocketEntry2, pSocketEntry, sizeof(SOCKET_ENTRY));
break;
case AFD_SELECT:
//fprintf(stderr, "AFD_SELECT\n");
break;
default:
break;
}
remove_bp:
// remove return address
bp_addr = env->eip;
if(!qebek_bp_remove(bp_addr, env->cr[3], env->regs[R_EBP]))
{
fprintf(stderr, "postNtDeviceIoControlFile: failed to remove postcall interception.\n");
}
}
void LogManager::writeLogRecord(int LSN, int type, int transID, int prevLSN, int pageID, int undoNxtLSN, char* oldData, char* newData) {
log[tail] = LogRecord(LSN, type, transID, prevLSN, pageID, undoNxtLSN, oldData, newData);
tail++;
}
//----- (08001F19) --------------------------------------------------------
NTSTATUS
DMDeviceControl(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
)
{
PIO_STACK_LOCATION IrpStack;
PVOID OutputBuffer;
PVOID InputBuffer;
ULONG InputLength;
ULONG OutputLength;
NTSTATUS status;
PDEVICE_ENTRY DevEntry;
LARGE_INTEGER CurrentTime;
LARGE_INTEGER PerfCount;
ULONG seq;
char IoctlName[64] = "";
PCHAR pIoCtlName;
ULONG IoControlCode;
IrpStack = IoGetCurrentIrpStackLocation(Irp);
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
if ( DeviceObject == g_pDeviceObject )
{
InputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
OutputLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
if ( METHOD_FROM_CTL_CODE(IoControlCode) == METHOD_NEITHER )
{
OutputBuffer = Irp->UserBuffer;
}
status = DMDeviceIoCtl(Irp, InputBuffer, InputLength, OutputBuffer, OutputLength, IoControlCode);
}
else
{
if ( g_bUsePerfCounter )
{
CurrentTime.QuadPart = 0;
PerfCount = KeQueryPerformanceCounter(0);
}
else
{
KeQuerySystemTime(&CurrentTime);
PerfCount.QuadPart = 0;
}
seq = InterlockedIncrement(&Sequence);
DevEntry = LookupEntryByDevObj(DeviceObject);
if ( DevEntry )
{
pIoCtlName = GetIoctlName(IoctlName, IrpStack->Parameters.DeviceIoControl.IoControlCode);
LogRecord(
seq,
&CurrentTime,
DevEntry->DiskNumber,
"%s(%s)",
IrpStack->MajorFunction == IRP_MJ_DEVICE_CONTROL ? "IRP_MJ_DEVICE_CONTROL" : "IRP_MJ_INTERNAL_DEVICE_CONTROL",
IoctlName);
}
status = DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount);
if ( IoControlCode == IOCTL_DISK_FIND_NEW_DEVICES || IoControlCode == IOCTL_DISK_SET_DRIVE_LAYOUT )
{
if ( NT_SUCCESS(status) )
{
HookDispatch(DeviceObject->DriverObject, 0);
}
}
}
return status;
}
LogManager::LogManager() {
head = 0;
tail = 0;
lastForcedLSN = -1;
for (int i = 0; i < 292; i++) { log[i] = LogRecord(); }
}
