// Entry point of the spawned test worker. It checks that the command line it
// was started with matches the expected worker arguments and that the process
// that launched it is the expected launcher: on Windows by comparing the
// launcher's image file name against kOsqueryTestModuleName, on POSIX by
// comparing the launcher handle against getppid().
// Returns WORKER_SUCCESS_CODE when every check passes, otherwise the ERROR_*
// code of the first check that failed.
int workerMain(int argc, char* argv[]) {
  const bool argsMatch = osquery::compareArguments(
      argv, argc, osquery::kExpectedWorkerArgs, osquery::kExpectedWorkerArgsCount);
  if (!argsMatch) {
    return ERROR_COMPARE_ARGUMENT;
  }

  auto launcher = osquery::PlatformProcess::getLauncherProcess();
  if (!launcher) {
    return ERROR_LAUNCHER_PROCESS;
  }

#ifdef WIN32
  // Resolve the launcher's full image path, then reduce it in place to the
  // bare file name so it can be compared with the expected module name.
  CHAR imagePath[1024] = {0};
  DWORD imagePathSize = sizeof(imagePath);
  if (!QueryFullProcessImageNameA(launcher->nativeHandle(), 0, imagePath, &imagePathSize)) {
    return ERROR_QUERY_PROCESS_IMAGE;
  }
  PathStripPathA(imagePath);

  // Length is compared first so that a prefix match is not mistaken for equality.
  const size_t actualLen = strlen(imagePath);
  const size_t expectedLen = strlen(osquery::kOsqueryTestModuleName);
  if (actualLen != expectedLen) {
    return ERROR_IMAGE_NAME_LENGTH;
  }
  if (strncmp(imagePath, osquery::kOsqueryTestModuleName, actualLen) != 0) {
    return ERROR_LAUNCHER_MISMATCH;
  }
#else
  // On POSIX the launcher handle is compared against the parent pid.
  if (launcher->nativeHandle() != getppid()) {
    return ERROR_LAUNCHER_MISMATCH;
  }
#endif

  return WORKER_SUCCESS_CODE;
}
/*************************************************************************
 * PathStripPath [SHELL32.38]
 *
 * Removes the directory part of a path in place, leaving only the file
 * name. The string is treated as wide or ANSI depending on whether the
 * running OS uses Unicode shell strings, so the caller passes it untyped.
 */
void WINAPI PathStripPathAW(LPVOID lpszPath)
{
    if (!SHELL_OsIsUnicode())
    {
        PathStripPathA(lpszPath);
        return;
    }
    PathStripPathW(lpszPath);
}
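// Returns the final component of `path` (the part after the last directory
// separator), delegating the separator handling to PathStripPathA.
// A private copy is made because PathStripPathA rewrites its buffer in place;
// the copy lives in a std::string so there is no manual new[]/delete[] to leak
// on an early exit. Because PathStripPathA works on a C string, an embedded
// NUL in `path` truncates the result at that point (same as before).
std::string PathRemoveFolder(const std::string& path) {
  std::string buffer(path);          // always NUL-terminated storage of size()+1
  PathStripPathA(&buffer[0]);        // in place; result is no longer than the input
  return std::string(buffer.c_str()); // drop anything past the new terminator
}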
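// IMFGetService::GetService for the media source.
// Services exposed:
//  - MF_RATE_CONTROL_SERVICE: always (Store apps require IMFRateControl to be
//    reachable this way).
//  - MF_METADATA_PROVIDER_SERVICE: always on non-desktop partitions; on the
//    desktop partition always for hosts other than wmp.dll, and for wmp.dll
//    only when _pMetadata is set and GetMFMetadata succeeds.
//  - MFNETSOURCE_STATISTICS_SERVICE: only in network mode.
//  - MF_SCRUBBING_SERVICE: only when the key-frame index can be built.
// Returns E_POINTER for a null ppvObject, the QueryInterface result for a
// supported service, and MF_E_UNSUPPORTED_SERVICE for everything else.
// The previous version also queried and stripped this module's file name
// into a local buffer that nothing read; that dead code is gone.
HRESULT HDMediaSource::GetService(REFGUID guidService, REFIID riid, LPVOID* ppvObject)
{
	if (ppvObject == nullptr)
		return E_POINTER;

	if (guidService == MF_RATE_CONTROL_SERVICE) {
		// Store apps must be able to obtain IMFRateControl through GetService.
		return QueryInterface(riid, ppvObject);
	}

	if (guidService == MF_METADATA_PROVIDER_SERVICE) {
#if !(WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP))
		return QueryInterface(riid, ppvObject);
#else
		// Windows Media Player only gets the provider when metadata can
		// actually be produced; any other host always gets it.
		if (GetModuleHandleA("wmp.dll") == nullptr)
			return QueryInterface(riid, ppvObject);

		if (_pMetadata) {
			ComPtr<IMFMetadata> pMetadata;
			if (SUCCEEDED(GetMFMetadata(_pPresentationDescriptor.Get(), 0, 0, pMetadata.GetAddressOf())))
				return QueryInterface(riid, ppvObject);
		}
		return MF_E_UNSUPPORTED_SERVICE;
#endif
	}

	if (guidService == MFNETSOURCE_STATISTICS_SERVICE) {
		if (_network_mode)
			return QueryInterface(riid, ppvObject);
		return MF_E_UNSUPPORTED_SERVICE;
	}

	if (guidService == MF_SCRUBBING_SERVICE) {
		if (FAILED(MakeKeyFramesIndex()))
			return MF_E_UNSUPPORTED_SERVICE;
		return QueryInterface(riid, ppvObject);
	}

	return MF_E_UNSUPPORTED_SERVICE;
}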
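// Debug-trace helper: formats `ptFormat` with the trailing arguments, appends
// " @ <file basename> <line> <function>" and sends it to OutputDebugString.
// When `rixError` is non-zero a second line "[code]<system message>" follows
// and the thread's last-error value is then reset to 0.
//   rixError : Win32 error code to describe (0 = none)
//   pcFile   : narrow source file name; only its basename is printed
//   rdLine   : source line number
//   pcFunc   : narrow function name
//   ptFormat : printf-style TCHAR format, followed by its arguments
// Every intermediate buffer is MAX_PATH TCHARs; the StringCch* calls truncate
// longer output instead of overflowing.
VOID OutputDebugStringPlus(DWORD rixError, LPSTR pcFile, INT rdLine, LPSTR pcFunc, LPTSTR ptFormat, ...)
{
	TCHAR atBuf[MAX_PATH] = {0};
	TCHAR atOut[MAX_PATH] = {0};
	TCHAR atFiFu[MAX_PATH] = {0};
	TCHAR atErrMsg[MAX_PATH] = {0}; // zeroed so a failed FormatMessage prints "" rather than stack garbage
	CHAR acFile[MAX_PATH] = {0};
	CHAR acFiFu[MAX_PATH] = {0};

	// Build "<basename> <line> <function>" narrow first, because pcFile and
	// pcFunc are narrow regardless of the UNICODE setting, then widen it.
	StringCchCopyA(acFile, MAX_PATH, pcFile);
	PathStripPathA(acFile);
	StringCchPrintfA(acFiFu, MAX_PATH, "%s %d %s", acFile, rdLine, pcFunc);
	// acFiFu is NUL-terminated within MAX_PATH, so its length is < MAX_PATH and
	// the widened copy always keeps a terminator (atFiFu was zero-initialised).
	// Arguments: code page, conversion flags, source string and its byte count,
	// destination wide buffer and its size in characters.
	MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, acFiFu, (int)strlen(acFiFu), atFiFu, MAX_PATH);

	va_list argp;
	va_start(argp, ptFormat);
	StringCchVPrintf(atBuf, MAX_PATH, ptFormat, argp);
	va_end(argp);

	StringCchPrintf(atOut, MAX_PATH, TEXT("%s @ %s\r\n"), atBuf, atFiFu);
	OutputDebugString(atOut);

	if (rixError)
	{
		// FormatMessage can fail (unknown code, no message table); its return
		// value used to be ignored and the uninitialised buffer printed.
		// The system message normally already ends with a line break.
		if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, rixError,
		                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), atErrMsg, MAX_PATH, NULL) == 0)
		{
			StringCchCopy(atErrMsg, MAX_PATH, TEXT("<no system message>\r\n"));
		}
		// rixError is a DWORD (unsigned long): %lu instead of %d so codes at or
		// above 2^31 (HRESULT-style values) are not printed as negative numbers.
		StringCchPrintf(atBuf, MAX_PATH, TEXT("[%lu]%s"), rixError, atErrMsg);
		OutputDebugString(atBuf);
		SetLastError(0);
	}
}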
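// DLL entry point of the frame-grabbing hook library.
//
// DLL_PROCESS_ATTACH: initialises the log (event source named after the host
// executable's file name), creates the IPC context shared with the Prismatik
// process and the run mutex, and installs the d3d9 / dxgi hooks for whichever
// graphics API is loaded in the host. Hook failures are logged, never fatal.
// DLL_PROCESS_DETACH: takes the run mutex, removes the hooks, blanks the
// shared frame, frees the IPC context, then closes the mutex and the log.
// Always returns TRUE so the host process never fails to load or unload us.
// `lpReserved` is unused.
//
// NOTE(review): both branches run under the loader lock. The INFINITE wait on
// g_syncRunMutex in the detach path can deadlock if the thread that holds the
// mutex is itself blocked on the loader lock — confirm the grabber callbacks
// never load or free libraries while holding g_syncRunMutex.
HOOKSDLL_API BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID lpReserved)
{
	if (fdwReason == DLL_PROCESS_ATTACH)
	{
		// Thread attach/detach notifications are not needed; dropping them
		// removes some per-thread overhead from this DLL.
		DisableThreadLibraryCalls(hModule);

		// The event source is named after the host executable's file name.
		HMODULE hProc = GetModuleHandle(NULL);
		GetModuleFileNameA(hProc, executableName, sizeof(executableName));
		// GetModuleFileNameA is not guaranteed to NUL-terminate a truncated
		// path on older systems; force a terminator before PathStripPathA.
		executableName[sizeof(executableName) - 1] = '\0';
		PathStripPathA(executableName);

		WCHAR* wstrEventSource = getEventSourceName(executableName);
		gLog->initLog(wstrEventSource, PRISMATIK_LOG_SEVERITY_INFO);
		gLog->reportLogInfo(L"Library initialization...");
		free(wstrEventSource); // buffer allocated by getEventSourceName

		if (!gIpcContext)
			gIpcContext = new IPCContext(gLog);

		if (gIpcContext->init())
		{
			g_syncRunMutex = CreateMutex(NULL, false, NULL);
			if (g_syncRunMutex == NULL)
			{
				// Previously ignored silently. The grabbers still start; the
				// detach path's wait on a NULL handle then fails and is logged.
				gLog->reportLogError(L"CreateMutex failed 0x%x", GetLastError());
			}

			gLog->setLogLevel(gIpcContext->m_memDesc.logLevel);

			if (!d3d9FrameGrabber)
			{
				d3d9FrameGrabber = D3D9FrameGrabber::getInstance(g_syncRunMutex);
				d3d9FrameGrabber->setIPCContext(gIpcContext);
			}
			if (d3d9FrameGrabber->isGAPILoaded())
			{
				if (!d3d9FrameGrabber->init() || !d3d9FrameGrabber->installHooks())
				{
					DWORD errorcode = GetLastError();
					gLog->reportLogError(L"error occured while hijacking d3d9 0x%x", errorcode);
				}
				else
				{
					gLog->reportLogInfo(L"d3d9 hook has been installed successfully");
				}
			}

			if (!dxgiFrameGrabber)
			{
				dxgiFrameGrabber = DxgiFrameGrabber::getInstance();
				dxgiFrameGrabber->setIPCContext(gIpcContext);
			}
			if (dxgiFrameGrabber->isGAPILoaded())
			{
				if (!dxgiFrameGrabber->init() || !dxgiFrameGrabber->installHooks())
				{
					DWORD errorcode = GetLastError();
					gLog->reportLogError(L"error occured while hijacking dxgi 0x%x", errorcode);
				}
				else
				{
					gLog->reportLogInfo(L"dxgi hook has been installed successfully");
				}
			}
		}
	}
	else if (fdwReason == DLL_PROCESS_DETACH)
	{
		if (gLog != NULL)
		{
			gLog->reportLogInfo(L"detaching dll...");
			if (WAIT_OBJECT_0 == WaitForSingleObject(g_syncRunMutex, INFINITE))
			{
				// The grabbers exist only if attach got past gIpcContext->init();
				// guard every pointer so a partial attach does not crash here.
				if (d3d9FrameGrabber && d3d9FrameGrabber->isHooksInstalled())
				{
					gLog->reportLogInfo(L"removing d3d9hooks");
					d3d9FrameGrabber->removeHooks();
				}
				if (dxgiFrameGrabber && dxgiFrameGrabber->isHooksInstalled())
				{
					gLog->reportLogInfo(L"removing dxgihooks");
					dxgiFrameGrabber->removeHooks();
				}
				if (gIpcContext)
				{
					gLog->reportLogInfo(L"clearing shared memory");
					writeBlankFrame(gIpcContext->m_pMemMap);
					gLog->reportLogInfo(L"clearing IPC context");
					delete gIpcContext;
					gIpcContext = NULL; // the grabbers hold a raw pointer to it; never leave it dangling
				}
				gLog->reportLogInfo(L"releasing syncRunMutex");
				ReleaseMutex(g_syncRunMutex);
			}
			else
			{
				gLog->reportLogError(L"couldn't lock syncRunMutex");
			}

			gLog->reportLogInfo(L"close syncRunMutex");
			if (g_syncRunMutex != NULL)
			{
				CloseHandle(g_syncRunMutex);
				g_syncRunMutex = NULL;
			}

			gLog->reportLogInfo(L"close log");
			gLog->closeLog();
			gLog = NULL;
		}
	}
	return TRUE;
}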