void CLogger::log(ELogLevel::ELogLevel level, const std::string & message) const { if(getEffectiveLevel() <= level) { callTargets(LogRecord(domain, level, message)); } }
void CentralTestMachineClass::UpdateToDatabase(TQuery* query) { // write updated record query -> SQL -> Clear(); query->SQL->Add("Update c_test_machine set " "machine_test_name = :tname, " "protocol = :pro, " "test_order = :to " " where test_cid = :tid and " " machine_cid = :mid "); FormatSQL( query ); LogRecord( "Update: New record: " ); query -> Prepare(); try { query -> ExecSQL(); } catch(Exception& e) { if(e.Message != "Error creating cursor handle") { AnsiString strError = "Error updating CentralTestMachine.\n" + e.Message; Application->MessageBox( strError.c_str(), "CentralTestMachineClass Error",MB_OK); LogMod->LogCentralDb( TLogMod::LOGLOCAL, strError ); } } LogMod->LogCentralDb( TLogMod::LOGLOCAL, query ); LogMod->Commit( query ); }
void OnAcceptComplete(CPUX86State *env, uint32_t FileHandle, uint32_t Buffer) { PSOCKET_ENTRY pSocketEntry; uint32_t ip; uint16_t port; target_ulong ip_addr, port_addr; ip_addr = Buffer + 0x0e; port_addr = Buffer + 0x0c; if(!qebek_read_ulong(env, ip_addr, &ip)) { fprintf(stderr, "OnAcceptComplete: failed to read accepted ip: %08x\n", ip_addr); return; } if(!qebek_read_uword(env, port_addr, &port)) { fprintf(stderr, "OnAcceptComplete: failed to read accepted port: %08x\n", port_addr); return; } if((pSocketEntry = GetSocketEntry(env->cr[3], FileHandle)) == NULL) return; // not sure pSocketEntry->dip = ip; pSocketEntry->dport = port; pSocketEntry->protocol = IPPROTO_TCP; LogRecord(env, SYS_ACCEPT, FileHandle, pSocketEntry); }
void CentralTestMachineClass::DeleteFromDatabase(TQuery* query) { // write to audit log LogRecord( "Deleting: " ); // delete record query -> Close(); query -> SQL -> Clear(); query -> SQL -> Add("delete from c_test_machine" " where test_cid = :tid and " " machine_cid = :mid "); query -> ParamByName( "tid" )->AsInteger = TestID; query -> ParamByName( "mid" )->AsInteger = MachineID; query -> Prepare(); try { query -> ExecSQL(); } catch(Exception& e) { if(e.Message != "Error creating cursor handle") { AnsiString strError = "Error deleting CentralTestMachine.\n" + e.Message; Application->MessageBox( strError.c_str(), "CentralTestMachineClass Error",MB_OK); LogMod->LogCentralDb( TLogMod::LOGLOCAL, strError ); } } LogMod->LogCentralDb( TLogMod::LOGLOCAL, query ); LogMod->Commit( query ); }
LONG HookRegSetValue( HKEY hkey, PCHAR lpszSubKey, DWORD fdwType, PCHAR lpszData, DWORD cbData ) { LONG retval; CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN]; GetFullName( hkey, lpszSubKey, "(Default)", fullname ); retval = RealRegSetValue( hkey, lpszSubKey, fdwType, lpszData, cbData ); data[0] = 0; if( lpszData ) { strcpy( data,"\""); strncat(data, lpszData, STRINGLEN ); if( strlen( lpszData ) > STRINGLEN ) strcat( data, "..." ); strcat( data, "\""); } if( ErrorString( retval ) && FilterDef.logwrites) { LogRecord( "%s\tSetValue\t%s\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval ), data ); } return retval; }
LONG HookRegQueryValue( HKEY hkey, PCHAR lpszSubKey, PCHAR lpszValue, PLONG pcbValue ) { LONG retval; CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN]; GetFullName( hkey, lpszSubKey, "(Default)", fullname ); retval = RealRegQueryValue( hkey, lpszSubKey, lpszValue, pcbValue ); data[0] = 0; if( retval == ERROR_SUCCESS && lpszValue && *pcbValue ) { strcpy( data, "\""); strncat( data, lpszValue, STRINGLEN ); if( strlen( lpszValue ) > STRINGLEN ) strcat( data, "..." ); strcat( data, "\""); } if( ErrorString( retval ) && FilterDef.logreads ) { LogRecord( "%s\tQueryValue\t%s\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval ), data); } return retval; }
static LogRecord createSerializedLogRecord() { KaaUserLogRecord logRecord; logRecord.logdata = testLogData; return LogRecord(logRecord); }
LONG HookRegCreateDynKey( PCHAR szName, PVOID KeyContext, PVOID pInfo, PVOID pValList, DWORD dwNumVals, PVMMHKEY pKeyHandle ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; sprintf(fullname, "DYNDAT\\%s", szName ); retval = RealRegCreateDynKey( szName, KeyContext, pInfo, pValList, dwNumVals, pKeyHandle ); if( ErrorString( retval ) && FilterDef.logreads) { LogRecord( "%s\tCreateDynKey\t%s\t%s\thKey: 0x%X", GetProcess( process ), fullname, ErrorString( retval ), *pKeyHandle ); } if( retval == ERROR_SUCCESS ) { RegmonLogHash( *pKeyHandle, fullname ); } return retval; }
LONG HookRegCreateKey( HKEY hkey, PCHAR lpszSubKey, PHKEY phkResult ) { LONG retval; CHAR fullname[NAMELEN], data[DATASIZE], process[PROCESSLEN]; GetFullName( hkey, lpszSubKey, NULL, fullname ); retval = RealRegCreateKey( hkey, lpszSubKey, phkResult ); data[0] = 0; if( retval == ERROR_SUCCESS ) { RegmonFreeHashEntry( *phkResult ); RegmonLogHash( *phkResult, fullname ); sprintf(data,"hKey: 0x%X", *phkResult ); } if( ErrorString( retval ) && FilterDef.logwrites ) { LogRecord( "%s\tCreateKey\t%s\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval ), data); } return retval; }
LONG __stdcall HookWin32RegQueryInfoKey( volatile PCLIENT_STRUCT pClientRegs, DWORD Dummy2, HKEY hKey, PDWORD lpcSubKeys, PDWORD lpcchMaxSubKey, PDWORD lpcValues, PDWORD lpcchMaxValueName, PDWORD lpcbMaxValueData ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; // // NOTE: this special hook is needed because Win95 has a bug where // the Win32 call to RegQueryInfoKey gets routed to VMM's Win32 // service table, but the service table handler does *not* call the // VMM RegQueryInfoKey entry point. Therefore, we have to hook the // VMM Win32 service as a special case. // GetFullName( hKey, NULL, NULL, fullname ); // // The return code is Logd in the client registers // RealWin32RegQueryInfoKey( pClientRegs, Dummy2, hKey, lpcSubKeys, lpcchMaxSubKey, lpcValues, lpcchMaxValueName, lpcbMaxValueData ); retval = pClientRegs->CRS.Client_EAX; if( ErrorString( retval ) && FilterDef.logreads) { if( retval == ERROR_SUCCESS ) { LogRecord( "%s\tQueryKey\t%s\t%s\tKeys: %d Values: %d", GetProcess( process ), fullname, ErrorString( retval ), lpcSubKeys ? *lpcSubKeys : -1, lpcValues ? *lpcValues : -1 ); } else LogRecord( "%s\tQueryKey\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval )); } return retval; }
LONG HookRegEnumValue( HKEY hkey, DWORD iValue, PCHAR lpszValue, PDWORD lpcchValue, PDWORD lpdwReserved, PDWORD lpdwType, PBYTE lpbData, PDWORD lpcbData ) { LONG retval; int i, len; CHAR fullname[NAMELEN], data[DATASIZE], tmp[2*BINARYLEN], process[PROCESSLEN]; GetFullName( hkey, NULL, NULL, fullname ); retval = RealRegEnumValue( hkey, iValue, lpszValue, lpcchValue, lpdwReserved, lpdwType, lpbData, lpcbData ); data[0] = 0; if( retval == ERROR_SUCCESS && lpbData && *lpcbData ) { strcat( data, lpszValue ); strcat( data, ": "); if( !lpdwType || *lpdwType == REG_BINARY ) { if( *lpcbData > BINARYLEN ) len = BINARYLEN; else len = *lpcbData; for( i = 0; i < len; i++ ) { sprintf( tmp, "%X ", lpbData[i]); strcat( data, tmp ); } if( *lpcbData > BINARYLEN) strcat( data, "..."); } else if( *lpdwType == REG_SZ ) { strcat( data, "\""); strncat( data, lpbData, STRINGLEN ); strcat( data, "\""); } else if( *lpdwType == REG_DWORD ) { sprintf( tmp, "0x%X", *(PDWORD) lpbData ); strcat( data, tmp ); } } if( ErrorString( retval ) && FilterDef.logreads ) { LogRecord( "%s\tEnumValue\t%s\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval ), data ); } return retval; }
//----- (08001203) -------------------------------------------------------- NTSTATUS DMCreateClose( PDEVICE_OBJECT DeviceObject, PIRP Irp ) { PIO_STACK_LOCATION IrpStack; NTSTATUS status; LARGE_INTEGER PerfCount; LARGE_INTEGER CurrentTime; ULONG seq; PDEVICE_ENTRY DevEntry; IrpStack = IoGetCurrentIrpStackLocation(Irp); if ( DeviceObject == g_pDeviceObject ) { Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; g_bGUIActive = (IrpStack->MajorFunction == IRP_MJ_CREATE); IofCompleteRequest(Irp, 0); status = STATUS_SUCCESS; } else { if ( g_bUsePerfCounter ) { PerfCount = KeQueryPerformanceCounter(NULL); CurrentTime.QuadPart = 0; } else { KeQuerySystemTime(&CurrentTime); PerfCount.QuadPart = 0; } seq = InterlockedIncrement(&Sequence); DevEntry = LookupEntryByDevObj(DeviceObject); if ( DevEntry ) { LogRecord( seq, &CurrentTime, DevEntry->DiskNumber, "%s", IrpStack->MajorFunction == IRP_MJ_CLOSE ? "IRP_MJ_CLOSE" : "IRP_MJ_CREATE"); } status = DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount); } return status; }
LONG HookRegQueryInfoKey( HKEY hKey, PCHAR lpszClass, PDWORD lpcchClass, DWORD lpdwReserved, PDWORD lpcSubKeys, PDWORD lpcchMaxSubKey, PDWORD pcchMaxClass, PDWORD lpcValues, PDWORD lpcchMaxValueName, PDWORD lpcbMaxValueData, PDWORD lpcbSecurityDescriptor, PFILETIME lpftLastWriteTime ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; GetFullName( hKey, NULL, NULL, fullname ); retval = RealRegQueryInfoKey( hKey, lpszClass, lpcchClass, lpdwReserved, lpcSubKeys, lpcchMaxSubKey, pcchMaxClass, lpcValues, lpcchMaxValueName, lpcbMaxValueData, lpcbSecurityDescriptor, lpftLastWriteTime ); if( ErrorString( retval ) && FilterDef.logreads ) { if( retval == ERROR_SUCCESS ) { LogRecord( "%s\tQueryKey\t%s\t%s\tKeys: %d Values: %d", GetProcess( process ), fullname, ErrorString( retval ), lpcSubKeys ? *lpcSubKeys : -1, lpcValues ? *lpcValues : -1 ); } else LogRecord( "%s\tQueryKey\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval )); } return retval; }
LONG HookRegSetValueEx( HKEY hkey, PCHAR lpszValueName, DWORD lpdwReserved, DWORD fdwType, PBYTE lpbData, DWORD lpcbData ) { LONG retval; int i, len; CHAR fullname[NAMELEN], data[DATASIZE], tmp[2*BINARYLEN], process[PROCESSLEN]; GetFullName( hkey, NULL, lpszValueName, fullname ); retval = RealRegSetValueEx( hkey, lpszValueName, lpdwReserved, fdwType, lpbData, lpcbData ); data[0] = 0; if( fdwType == REG_SZ ) { strcpy( data, "\""); strncat( data, lpbData, STRINGLEN ); if( strlen( lpbData ) > STRINGLEN ) strcat( data, "..." ); strcat( data, "\""); } else if( fdwType == REG_BINARY ) { if( lpcbData > BINARYLEN ) len = BINARYLEN; else len = lpcbData; for( i = 0; i < len; i++ ) { sprintf( tmp, "%X ", lpbData[i]); strcat( data, tmp ); } if( lpcbData > BINARYLEN) strcat( data, "..."); } else if( fdwType == REG_DWORD ) { sprintf( data, "0x%X", *(PDWORD) lpbData ); } if( ErrorString( retval ) && FilterDef.logwrites) { LogRecord( "%s\tSetValueEx\t%s\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval ), data ); } return retval; }
//----- (0800149E) -------------------------------------------------------- NTSTATUS DMReadWrite( PDEVICE_OBJECT DeviceObject, PIRP Irp ) { PDEVICE_ENTRY DevEntry; ULONG SectorNum; ULONGLONG ByteOffset; ULONGLONG SectorOffset; PIO_STACK_LOCATION IrpStack; NTSTATUS status; LARGE_INTEGER PerfCount; LARGE_INTEGER CurrentTime; ULONG seq; IrpStack = IoGetCurrentIrpStackLocation(Irp); if ( g_bUsePerfCounter ) { PerfCount = KeQueryPerformanceCounter(NULL); CurrentTime.QuadPart = 0; } else { KeQuerySystemTime(&CurrentTime); PerfCount.QuadPart = 0; } seq = InterlockedIncrement(&Sequence); DevEntry = LookupEntryByDevObj(DeviceObject); if ( DevEntry ) { SectorNum = IrpStack->Parameters.Read.Length >> 9; ByteOffset = IrpStack->Parameters.Read.ByteOffset.QuadPart; SectorOffset = GetSectorOffset(ByteOffset, 512); LogRecord( seq, &CurrentTime, DevEntry->DiskNumber, "%s\t%I64d\t%d", IrpStack->MajorFunction == IRP_MJ_READ ? "IRP_MJ_READ" : "IRP_MJ_WRITE", SectorOffset, SectorNum); } return DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount); }
LONG HookRegFlushKey( HKEY hkey ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; GetFullName( hkey, NULL, NULL, fullname ); retval = RealRegFlushKey( hkey ); if( ErrorString( retval ) && FilterDef.logaux ) { LogRecord( "%s\tFlushKey\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval )); } return retval; }
LONG HookRegDeleteValue( HKEY hkey, PCHAR lpszSubKey ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; GetFullName( hkey, lpszSubKey, NULL, fullname ); retval = RealRegDeleteValue( hkey, lpszSubKey ); if( ErrorString( retval ) && FilterDef.logwrites ) { LogRecord( "%s\tDeleteValue\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval )); } return retval; }
LONG HookRegRemapPreDefKey( HKEY hkey, HKEY hRootKey ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; GetFullName( hkey, NULL, NULL, fullname ); retval = RealRegRemapPreDefKey( hkey, hRootKey ); if( ErrorString( retval )) { LogRecord( "%s\tRemapPreKey\t%s\t%s\tRoot: %s", GetProcess( process ), fullname, ErrorString( retval ), hRootKey == HKEY_CURRENT_USER ? "HKCU" : "HKCC" ); } return retval; }
void LogManager::forceLSNRecord(int index) { for (int pageNum = 0; pageNum < 4; pageNum++) { char page[4096] = {}; fm->read(logName, pageNum * 8, 8, page); for (int i = 0; i < 73; i++) { char bytes[56] = {}; int start = i * 56; for (int j = 0; j < 56; j++) { bytes[j] = page[start + j]; } LogRecord rec = LogRecord(bytes); if (rec.LSN == 0) { char* recordBytes = (char*) &log[index]; for (int k = 0; k < 56; k++) { page[start + k] = recordBytes[k]; } fm->write(logName, pageNum * 8, 8, page); return; } } } }
//----- (08002059) -------------------------------------------------------- NTSTATUS DMShutDownFlushBuffer( PDEVICE_OBJECT DeviceObject, PIRP Irp ) { ULONG seq; PIO_STACK_LOCATION IrpStack; LARGE_INTEGER PerfCount; LARGE_INTEGER CurrentTime; PDEVICE_ENTRY DevEntry; IrpStack = IoGetCurrentIrpStackLocation(Irp); if ( g_bUsePerfCounter ) { PerfCount = KeQueryPerformanceCounter(NULL); CurrentTime.QuadPart = 0; } else { KeQuerySystemTime(&CurrentTime); PerfCount.QuadPart = 0; } seq = InterlockedIncrement(&Sequence); DevEntry = LookupEntryByDevObj(DeviceObject); if ( DevEntry ) { LogRecord( seq, &CurrentTime, DevEntry->DiskNumber, "%s", IrpStack->MajorFunction == IRP_MJ_SHUTDOWN ? "IRP_MJ_SHUTDOWN" : "IRP_MJ_FLUSH_BUFFERS"); } return DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount); }
void ProfileClass::UpdateToDatabase(TQuery* query) { // write updated record query -> SQL -> Clear(); query->SQL->Add( "Update test_profile_description set " "test_profile_name = :name, " "test_profile_description = :descr, " "date_last_modified = :date, "); if ( !theProject->isBeforeVersion( 2, 1 ) ) { query->SQL->Add( "profile_flags = :flag, "); } query->SQL->Add( "note_exists = :note " "where test_profile_id = :tpid"); FormatSQL( query ); LogRecord( "Update: New record: " ); query -> Prepare(); try { query -> ExecSQL(); } catch(Exception& e) { if(e.Message != "Error creating cursor handle") { AnsiString strError = "Error inserting test profile descriptor\n" + e.Message; Application->MessageBox( strError.c_str(), "ProfileClass Error",MB_OK); LogMod->LogProjectDb( TLogMod::LOGLOCAL, strError ); } } LogMod->LogProjectDb( TLogMod::LOGLOCAL, query ); LogMod->Commit( query ); }
void LogManager::start(char* inLogName) { logName = inLogName; char page[4096] = {}; for (int pageNum = 0; pageNum < 4; pageNum++) { fm->read(logName, pageNum * 8, 8, page); for (int i = 0; i < 73; i++) { char bytes[56] = {}; int start = i * 56; for (int j = 0; j < 56; j++) { bytes[j] = page[start + j]; } LogRecord rec = LogRecord(bytes); if (rec.LSN == 0) { return; } else if (rec.LSN != 0) { log[tail] = rec; tail++; } } } }
void OnRecvfromComplete(CPUX86State *env, uint32_t FileHandle, uint32_t Buffer) { PSOCKET_ENTRY pSocketEntry; uint32_t ip, addr_in; uint16_t port; target_ulong ip_addr, port_addr, addr_addr; addr_addr = Buffer + 0x10; if(!qebek_read_ulong(env, addr_addr, &addr_in)) { fprintf(stderr, "OnRecvComplete: failed to read recvfrom sockaddr_in: %08x\n", addr_addr); return; } ip_addr = addr_in + 0x04; port_addr = addr_in + 0x02; if(!qebek_read_ulong(env, ip_addr, &ip)) { fprintf(stderr, "OnRecvComplete: failed to read recvfrom ip: %08x\n", ip_addr); return; } if(!qebek_read_uword(env, port_addr, &port)) { fprintf(stderr, "OnRecvComplete: failed to read recvfrom port: %08x\n", port_addr); return; } if((pSocketEntry = GetSocketEntry(env->cr[3], FileHandle)) == NULL) return; // not sure pSocketEntry->dip = ip; pSocketEntry->dport = port; pSocketEntry->protocol = IPPROTO_UDP; LogRecord(env, SYS_RECVFROM, FileHandle, pSocketEntry); }
LONG HookRegQueryMultipleValues( HKEY hKey, PVALENT pValent, DWORD dwNumVals, PCHAR pValueBuf, PDWORD pTotSize ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; GetFullName( hKey, NULL, NULL, fullname ); retval = RealRegQueryMultipleValues( hKey, pValent, dwNumVals, pValueBuf, pTotSize ); if( ErrorString( retval ) && FilterDef.logreads) { LogRecord( "%s\tQueryMultVal\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval )); } return retval; }
LONG HookRegEnumKey( HKEY hkey, DWORD iSubKey, PCHAR lpszName, DWORD cchName ) { LONG retval; CHAR fullname[NAMELEN], process[PROCESSLEN]; GetFullName( hkey, NULL, NULL, fullname ); retval = RealRegEnumKey( hkey, iSubKey, lpszName, cchName ); if( ErrorString( retval ) && FilterDef.logreads ) { LogRecord( "%s\tEnumKey\t%s\t%s\t%s", GetProcess( process ), fullname, ErrorString( retval ), retval == ERROR_SUCCESS ? lpszName : ""); } return retval; }
void postNtDeviceIoControlFile(CPUX86State *env, void* user_data) { uint32_t FileHandle, IoControlCode, InputBuffer, OutputBuffer, EventHandle, IoStatusBlock; uint32_t PID, ntStatus, SocketHandle; PNtDeviceIoControlFileData pControlData; PSOCKET_ENTRY pSocketEntry, pSocketEntry2; PNtWaitForSingleObjectData pWaitData; uint32_t ip, addr_in; uint16_t port; target_ulong ip_addr, port_addr, addr_addr, bp_addr, sh_addr; pControlData = (PNtDeviceIoControlFileData)user_data; if(pControlData == NULL) { //get file handle, control code, input buffer and output buffer qebek_read_ulong(env, env->regs[R_ESP] - 10 * 4, &FileHandle); qebek_read_ulong(env, env->regs[R_ESP] - 9 * 4, &EventHandle); qebek_read_ulong(env, env->regs[R_ESP] - 6 * 4, &IoStatusBlock); qebek_read_ulong(env, env->regs[R_ESP] - 5 * 4, &IoControlCode); qebek_read_ulong(env, env->regs[R_ESP] - 4 * 4, &InputBuffer); qebek_read_ulong(env, env->regs[R_ESP] - 2 * 4, &OutputBuffer); } else { FileHandle = pControlData->FileHandle; EventHandle = pControlData->EventHandle; IoStatusBlock = pControlData->IoStatusBlock; IoControlCode = pControlData->IoControlCode; InputBuffer = pControlData->InputBuffer; OutputBuffer = pControlData->OutputBuffer; qemu_free(pControlData); } //fprintf(stderr, "postNtDeviceIoControlFile: FileHandle %08x, IoControlCode %08x, InputBuffer %08x, OutputBuffer %08x\n", // FileHandle, IoControlCode, InputBuffer, OutputBuffer); //if(!qebek_get_current_pid(env, &PID)) // goto remove_bp; PID = env->cr[3]; ntStatus = env->regs[R_EAX]; if(ntStatus != 0 && ntStatus != 0x103 // STATUS_PENDING ) goto remove_bp; switch(IoControlCode) { case AFD_BIND: ip_addr = InputBuffer + 0x0e; port_addr = OutputBuffer + 0x0c; if(!qebek_read_ulong(env, ip_addr, &ip)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read bind ip: %08x\n", ip_addr); break; } if(!qebek_read_uword(env, port_addr, &port)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read bind port: %08x\n", port_addr); break; } if((pSocketEntry = GetSocketEntry(PID, FileHandle)) == NULL) { if((pSocketEntry = InsertSocketHandle(PID, FileHandle)) == NULL) { fprintf(stderr, "postNtDeviceIoControlFile: failed to insert socket entry\n"); break; } } pSocketEntry->sip = ip; pSocketEntry->sport = port; break; case AFD_CONNECT: ip_addr = InputBuffer + 0x16; port_addr = InputBuffer + 0x14; if(!qebek_read_ulong(env, ip_addr, &ip)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read connect ip: %08x\n", ip_addr); break; } if(!qebek_read_uword(env, port_addr, &port)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read connect port: %08x\n", port_addr); break; } /*dip = ntohl(ip); dport = ntohs(port); fprintf(stderr, "connect to %hu.%hu.%hu.%hu:%hu, using handle %x\n", (short)((dip >> 24) & 0xff), (short)((dip >> 16) & 0xff), (short)((dip >> 8) & 0xff), (short)(dip & 0xff), dport, FileHandle);*/ SocketHandle = 0; sh_addr = InputBuffer + 0x08; if(!qebek_read_ulong(env, sh_addr, &SocketHandle)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read socket handle: %08x\n", sh_addr); } if(SocketHandle == 0) SocketHandle = FileHandle; if((pSocketEntry = GetSocketEntry(PID, SocketHandle)) == NULL) break; // not sure pSocketEntry->dip = ip; pSocketEntry->dport = port; pSocketEntry->protocol = IPPROTO_TCP; LogRecord(env, SYS_CONNECT, SocketHandle, pSocketEntry); break; case AFD_SEND: if((pSocketEntry = GetSocketEntry(PID, FileHandle)) != NULL) LogRecord(env, SYS_SENDMSG, FileHandle, pSocketEntry); else { fprintf(stderr, "postNtDeviceIoControlFile: failed to get socket entry for send: %08x\n", FileHandle); } break; case AFD_RECV: if((pSocketEntry = GetSocketEntry(PID, FileHandle)) != NULL) LogRecord(env, SYS_RECVMSG, FileHandle, pSocketEntry); else { fprintf(stderr, "postNtDeviceIoControlFIle: failed to get socket entry for recv: %08x\n", FileHandle); } break; case AFD_SEND_DATAGRAM: addr_addr = InputBuffer + 0x34; if(!qebek_read_ulong(env, addr_addr, &addr_in)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read sendto sockaddr_in: %08x\n", addr_addr); break; } ip_addr = addr_in + 0x0a; port_addr = addr_in + 0x08; if(!qebek_read_ulong(env, ip_addr, &ip)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read sendto ip: %08x\n", ip_addr); break; } if(!qebek_read_uword(env, port_addr, &port)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read sendto port: %08x\n", port_addr); break; } if((pSocketEntry = GetSocketEntry(PID, FileHandle)) == NULL) break; // not sure pSocketEntry->dip = ip; pSocketEntry->dport = port; pSocketEntry->protocol = IPPROTO_UDP; LogRecord(env, SYS_SENDTO, FileHandle, pSocketEntry); break; case AFD_RECV_DATAGRAM: if(ntStatus == 0) { OnRecvfromComplete(env, FileHandle, InputBuffer); } else if(ntStatus == 0x103) { pWaitData = (PNtWaitForSingleObjectData)qemu_malloc(sizeof(NtWaitForSingleObjectData)); if(!pWaitData) { fprintf(stderr, "postNtDeviceIoControlFile: failed to malloc wait data\n"); break; } pWaitData->EventHandle = EventHandle; pWaitData->FileHandle = FileHandle; pWaitData->IoControlCode = IoControlCode; pWaitData->Buffer = InputBuffer; pWaitData->Status = IoStatusBlock; if(!qebek_bp_add(NtWaitForSingleObject, env->cr[3], env->regs[R_EBP], preNtWaitForSingleObject, pWaitData)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to add wait bp\n"); qemu_free(pWaitData); } } break; case AFD_ACCEPT: if(ntStatus == 0) { OnAcceptComplete(env, FileHandle, OutputBuffer); } else if(ntStatus == 0x103) { pWaitData = (PNtWaitForSingleObjectData)qemu_malloc(sizeof(NtWaitForSingleObjectData)); if(!pWaitData) { fprintf(stderr, "postNtDeviceIoControlFile: failed to malloc wait data2\n"); break; } pWaitData->EventHandle = EventHandle; pWaitData->FileHandle = FileHandle; pWaitData->IoControlCode = IoControlCode; pWaitData->Buffer = OutputBuffer; pWaitData->Status = IoStatusBlock; if(!qebek_bp_add(NtWaitForSingleObject, env->cr[3], env->regs[R_EBP], preNtWaitForSingleObject, pWaitData)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to add wait bp2\n"); qemu_free(pWaitData); } } break; case AFD_DUPLICATE: sh_addr = InputBuffer + 0x08; if(!qebek_read_ulong(env, sh_addr, &SocketHandle)) { fprintf(stderr, "postNtDeviceIoControlFile: failed to read new socket handle: %08x\n", sh_addr); break; } if((pSocketEntry = GetSocketEntry(PID, FileHandle)) == NULL) { fprintf(stderr, "psotNtDeviceIoControlFile: failed to get old socket entry: %08x\n", FileHandle); break; } if((pSocketEntry2 = InsertSocketHandle(PID, SocketHandle)) == NULL) { fprintf(stderr, "postNtDeviceIoControlFile: failed to insert new socket entry: %08x\n", SocketHandle); break; } memcpy(pSocketEntry2, pSocketEntry, sizeof(SOCKET_ENTRY)); break; case AFD_SELECT: //fprintf(stderr, "AFD_SELECT\n"); break; default: break; } remove_bp: // remove return address bp_addr = env->eip; if(!qebek_bp_remove(bp_addr, env->cr[3], env->regs[R_EBP])) { fprintf(stderr, "postNtDeviceIoControlFile: failed to remove postcall interception.\n"); } }
void LogManager::writeLogRecord(int LSN, int type, int transID, int prevLSN, int pageID, int undoNxtLSN, char* oldData, char* newData) { log[tail] = LogRecord(LSN, type, transID, prevLSN, pageID, undoNxtLSN, oldData, newData); tail++; }
//----- (08001F19) -------------------------------------------------------- NTSTATUS DMDeviceControl( PDEVICE_OBJECT DeviceObject, PIRP Irp ) { PIO_STACK_LOCATION IrpStack; PVOID OutputBuffer; PVOID InputBuffer; ULONG InputLength; ULONG OutputLength; NTSTATUS status; PDEVICE_ENTRY DevEntry; LARGE_INTEGER CurrentTime; LARGE_INTEGER PerfCount; ULONG seq; char IoctlName[64] = ""; PCHAR pIoCtlName; ULONG IoControlCode; IrpStack = IoGetCurrentIrpStackLocation(Irp); IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode; if ( DeviceObject == g_pDeviceObject ) { InputBuffer = Irp->AssociatedIrp.SystemBuffer; InputLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength; OutputLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength; OutputBuffer = Irp->AssociatedIrp.SystemBuffer; if ( METHOD_FROM_CTL_CODE(IoControlCode) == METHOD_NEITHER ) { OutputBuffer = Irp->UserBuffer; } status = DMDeviceIoCtl(Irp, InputBuffer, InputLength, OutputBuffer, OutputLength, IoControlCode); } else { if ( g_bUsePerfCounter ) { CurrentTime.QuadPart = 0; PerfCount = KeQueryPerformanceCounter(0); } else { KeQuerySystemTime(&CurrentTime); PerfCount.QuadPart = 0; } seq = InterlockedIncrement(&Sequence); DevEntry = LookupEntryByDevObj(DeviceObject); if ( DevEntry ) { pIoCtlName = GetIoctlName(IoctlName, IrpStack->Parameters.DeviceIoControl.IoControlCode); LogRecord( seq, &CurrentTime, DevEntry->DiskNumber, "%s(%s)", IrpStack->MajorFunction == IRP_MJ_DEVICE_CONTROL ? "IRP_MJ_DEVICE_CONTROL" : "IRP_MJ_INTERNAL_DEVICE_CONTROL", IoctlName); } status = DefaultDispatch(DeviceObject, Irp, seq, g_bUsePerfCounter, &PerfCount); if ( IoControlCode == IOCTL_DISK_FIND_NEW_DEVICES || IoControlCode == IOCTL_DISK_SET_DRIVE_LAYOUT ) { if ( NT_SUCCESS(status) ) { HookDispatch(DeviceObject->DriverObject, 0); } } } return status; }
LogManager::LogManager() { head = 0; tail = 0; lastForcedLSN = -1; for (int i = 0; i < 292; i++) { log[i] = LogRecord(); } }