STDMETHODIMP CDebugLog::GetBindLog(DWORD dwDetailLevel, LPWSTR pwzDebugLog,
DWORD *pcbDebugLog)
{
HRESULT hr = S_OK;
LISTNODE pos = NULL;
DWORD dwCharsReqd;
CDebugLogElement *pLogElem = NULL;
if (!pcbDebugLog) {
hr = E_INVALIDARG;
goto Exit;
}
pos = _listDbgMsg.GetHeadPosition();
if (!pos) {
// No entries in debug log!
hr = S_FALSE;
goto Exit;
}
// Calculate total size (entries + new line chars + NULL)
dwCharsReqd = 0;
while (pos) {
pLogElem = _listDbgMsg.GetNext(pos);
ASSERT(pLogElem);
if (pLogElem->_dwDetailLvl <= dwDetailLevel) {
dwCharsReqd += lstrlenW(pLogElem->_pszMsg) * sizeof(WCHAR);
dwCharsReqd += sizeof(L"\r\n");
}
}
dwCharsReqd += 1; // NULL char
if (!pwzDebugLog || *pcbDebugLog < dwCharsReqd) {
*pcbDebugLog = dwCharsReqd;
hr = HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
goto Exit;
}
*pwzDebugLog = L'\0';
pos = _listDbgMsg.GetHeadPosition();
while (pos) {
pLogElem = _listDbgMsg.GetNext(pos);
ASSERT(pLogElem);
if (pLogElem->_dwDetailLvl <= dwDetailLevel) {
StrCatW(pwzDebugLog, pLogElem->_pszMsg);
StrCatW(pwzDebugLog, L"\r\n");
}
}
ASSERT((DWORD)lstrlenW(pwzDebugLog) * sizeof(WCHAR) < dwCharsReqd);
Exit:
return hr;
}
VOID QuerySSDTHook(HWND m_hWnd,ULONG ID,int IntType,CMyList *m_list)
{
DWORD dwReadByte;
int i=0;
SHFILEINFO shfileinfo;
SSDTImg.Create(16,16, ILC_COLOR32, 2, 100);
HIMAGELIST hImageList = NULL;
CMyAProtectApp *imgApp=(CMyAProtectApp*)AfxGetApp();
SetDlgItemTextW(m_hWnd,IDC_DebugStatus,L"正在扫描SSDT,请稍后...");
if (bIsPhysicalCheck){
SaveToFile("\r\n\r\n[---SSDT---]\r\n",PhysicalFile);
}
SSDTInfo = (PSSDTINFO)VirtualAlloc(0, sizeof(SSDTINFO)*810,MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (SSDTInfo)
{
memset(SSDTInfo,0,sizeof(SSDTINFO)*810);
if (IntType == 0)
{
ReadFile((HANDLE)LIST_SSDT,SSDTInfo,sizeof(SSDTINFO)*810,&dwReadByte,0);
}else
ReadFile((HANDLE)LIST_SSDT_ALL,SSDTInfo,sizeof(SSDTINFO)*810,&dwReadByte,0);
for ( i=0;i< (int)SSDTInfo->ulCount;i++)
{
WCHAR lpwzTextOut[100];
memset(lpwzTextOut,0,sizeof(lpwzTextOut));
wsprintfW(lpwzTextOut,L"共有 %d 个数据,正在扫描第 %d 个,请稍后...",SSDTInfo->ulCount,i);
SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
WCHAR lpwzNumber[256] = {0};
WCHAR lpwzHookType[256] = {0};
WCHAR lpwzFunction[256] = {0};
WCHAR lpwzHookModuleImage[256] = {0};
WCHAR lpwzMemoryFunctionBase[256] = {0};
WCHAR lpwzRealFunctionBase[256] = {0};
WCHAR lpwzHookModuleBase[256] = {0};
WCHAR lpwzHookModuleSize[256] = {0};
memset(lpwzNumber,0,sizeof(lpwzNumber));
memset(lpwzHookType,0,sizeof(lpwzHookType));
memset(lpwzFunction,0,sizeof(lpwzFunction));
memset(lpwzHookModuleImage,0,sizeof(lpwzHookModuleImage));
memset(lpwzMemoryFunctionBase,0,sizeof(lpwzMemoryFunctionBase));
memset(lpwzRealFunctionBase,0,sizeof(lpwzRealFunctionBase));
memset(lpwzHookModuleBase,0,sizeof(lpwzHookModuleBase));
memset(lpwzHookModuleSize,0,sizeof(lpwzHookModuleSize));
if (SSDTInfo->SSDT[i].ulNumber == 0xffffffff)
{
StrCatW(lpwzNumber,L"*");
}
else
wsprintfW(lpwzNumber,L"%d",SSDTInfo->SSDT[i].ulNumber);
MultiByteToWideChar(
CP_ACP,
0,
SSDTInfo->SSDT[i].lpszFunction,
-1,
lpwzFunction,
strlen(SSDTInfo->SSDT[i].lpszFunction)
);
MultiByteToWideChar(
CP_ACP,
0,
SSDTInfo->SSDT[i].lpszHookModuleImage,
-1,
lpwzHookModuleImage,
strlen(SSDTInfo->SSDT[i].lpszHookModuleImage)
);
wsprintfW(lpwzMemoryFunctionBase,L"0x%08X",SSDTInfo->SSDT[i].ulMemoryFunctionBase);
wsprintfW(lpwzRealFunctionBase,L"0x%08X",SSDTInfo->SSDT[i].ulRealFunctionBase);
wsprintfW(lpwzHookModuleBase,L"0x%08X",SSDTInfo->SSDT[i].ulHookModuleBase);
wsprintfW(lpwzHookModuleSize,L"%d KB",SSDTInfo->SSDT[i].ulHookModuleSize/1024);
switch (SSDTInfo->SSDT[i].IntHookType)
{
case 0:
StrCatW(lpwzHookType,L"-");
break;
case 1:
StrCatW(lpwzHookType,L"SSDT hook");
break;
case 2:
StrCatW(lpwzHookType,L"SSDT Inline hook");
break;
case 3:
StrCatW(lpwzHookType,L"Inline hook");
break;
}
WCHAR lpwzDosFullPath[256];
WCHAR lpwzWinDir[256];
WCHAR lpwzSysDisk[256];
memset(lpwzWinDir,0,sizeof(lpwzWinDir));
memset(lpwzSysDisk,0,sizeof(lpwzSysDisk));
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
GetWindowsDirectoryW(lpwzWinDir,sizeof(lpwzWinDir));
memcpy(lpwzSysDisk,lpwzWinDir,4);
if (wcsstr(lpwzHookModuleImage,L"\\??\\"))
{
//开始这种路径的处理
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
wcsncpy(lpwzDosFullPath,lpwzHookModuleImage+wcslen(L"\\??\\"),wcslen(lpwzHookModuleImage)-wcslen(L"\\??\\"));
goto Next;
}
if (wcsstr(lpwzHookModuleImage,L"\\WINDOWS\\system32\\"))
{
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
wcscat(lpwzDosFullPath,lpwzSysDisk);
wcscat(lpwzDosFullPath,lpwzHookModuleImage);
//MessageBoxW(lpwzDosFullPath,lpwzFullSysName,0);
goto Next;
}
if (wcsstr(lpwzHookModuleImage,L"\\SystemRoot\\"))
{
WCHAR lpwzTemp[256];
memset(lpwzTemp,0,sizeof(lpwzTemp));
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
wcscat(lpwzTemp,lpwzSysDisk);
wcscat(lpwzTemp,L"\\WINDOWS\\");
wcscat(lpwzDosFullPath,lpwzTemp);
wcsncpy(lpwzDosFullPath+wcslen(lpwzTemp),lpwzHookModuleImage+wcslen(L"\\SystemRoot\\"),wcslen(lpwzHookModuleImage) - wcslen(L"\\SystemRoot\\"));
goto Next;
}
Next:
//这里是一键体检的数据,不需要插入界面了
if (bIsPhysicalCheck){
//如果没有hook,就返回
if (SSDTInfo->SSDT[i].IntHookType == 0){
continue;
}
WCHAR lpwzSaveBuffer[1024] ={0};
CHAR lpszSaveBuffer[2024] ={0};
memset(lpwzSaveBuffer,0,sizeof(lpwzSaveBuffer));
memset(lpszSaveBuffer,0,sizeof(lpszSaveBuffer));
wsprintfW(lpwzSaveBuffer,L" --> 发现Hook:ID:%ws | 当前地址:%ws | 原始地址:%ws | 函数名:%ws | 内核模块:%ws | Hook类型:%ws\r\n",
lpwzNumber,lpwzMemoryFunctionBase,lpwzRealFunctionBase,lpwzFunction,lpwzDosFullPath,lpwzHookType);
m_list->InsertItem(0,L"SSDT",RGB(77,77,77));
m_list->SetItemText(0,1,lpwzSaveBuffer);
WideCharToMultiByte( CP_ACP,
0,
lpwzSaveBuffer,
-1,
lpszSaveBuffer,
wcslen(lpwzSaveBuffer)*2,
NULL,
NULL
);
SaveToFile(lpszSaveBuffer,PhysicalFile);
continue;
}
if (SSDTInfo->SSDT[i].IntHookType == 0)
{
m_list->InsertItem(i,lpwzNumber,RGB(77,77,77));
}else
{
m_list->InsertItem(i,lpwzNumber,RGB(255,20,147));
}
m_list->SetItemText(i,1,lpwzMemoryFunctionBase);
m_list->SetItemText(i,2,lpwzRealFunctionBase);
m_list->SetItemText(i,3,lpwzFunction);
m_list->SetItemText(i,4,lpwzDosFullPath);
m_list->SetItemText(i,5,lpwzHookModuleBase);
m_list->SetItemText(i,6,lpwzHookModuleSize);
m_list->SetItemText(i,7,lpwzHookType);
if(GetFileAttributes(lpwzDosFullPath)!=INVALID_FILE_ATTRIBUTES)
{
hImageList=(HIMAGELIST)::SHGetFileInfo(lpwzDosFullPath,0,&shfileinfo,sizeof(shfileinfo),SHGFI_ICON);
SSDTImg.Add(shfileinfo.hIcon);
}else
SSDTImg.Add(imgApp->LoadIconW(IDI_WHITE));
m_list->SetImageList(&SSDTImg);
m_list->SetItemImageId(i,i);
DestroyIcon(shfileinfo.hIcon);
}
VirtualFree(SSDTInfo,sizeof(SSDTINFO)*810,MEM_RESERVE | MEM_COMMIT);
}
WCHAR lpwzTextOut[100];
memset(lpwzTextOut,0,sizeof(lpwzTextOut));
wsprintfW(lpwzTextOut,L"SSDT扫描完毕,共有 %d 个数据",i);
SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
}
VOID QueryProcessHandle(HWND m_hWnd,ULONG ID,CMyList *m_list)
{
/*argv[1]=L"QQ";
argv[2]=NULL;*/
setlocale(LC_ALL,"chs");
TCHAR privilege[17]=SE_DEBUG_NAME;
HANDLE hprocess,hThread;
hprocess=GetCurrentProcess();
if(!UpPrivilege(hprocess,privilege))
printf("%s","UpPrivilege failed \r\n");
PSYSTEM_HANDLE_INFORMATION pinfo={0};
GET_HANDLE_FILENAME pfn={0};
//TCHAR FileName[MAX_PATH];
ULONG ulSize,NumOfHandle;
LPVOID tmp=NULL;
int i = 0;
char lpszNum[20] = {0};
WideCharToMultiByte (CP_OEMCP,NULL,lpwzNum,-1,lpszNum,wcslen(lpwzNum)*2,NULL,FALSE);
ulPID = atoi(lpszNum);
SetDlgItemTextW(m_hWnd,ID,L"正在扫描进程打开文件句柄,请稍后...");
if(LocateNtdllEntry())
{
HANDLE hFile = CreateFile(_T("NUL"), GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
pinfo=(PSYSTEM_HANDLE_INFORMATION)((ULONG)GetSystemHandleInformation(&NumOfHandle,&ulSize)+4);
UCHAR TypeNumber=GetFileHandleType(hFile,pinfo,NumOfHandle);
for (ULONG r = 0; r < NumOfHandle; r++,pinfo++)
{
WCHAR lpwzTextOut[100];
memset(lpwzTextOut,0,sizeof(lpwzTextOut));
wsprintfW(lpwzTextOut,L"共有 %d 个数据,正在扫描第 %d 个,请稍后...",NumOfHandle,r);
SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
if(pinfo->ObjectTypeNumber==TypeNumber)
{
pfn.FileHandle=DupHandle(pinfo->ProcessId,(HANDLE)pinfo->Handle);
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)GetHandleFileName, &pfn, 0, NULL);
if (WaitForSingleObject(hThread, 100) == WAIT_TIMEOUT)
TerminateThread(hThread, 0);
else
{
DWORD pthread;
GetExitCodeThread(hThread,&pthread);
// if(wcsstr(pfn.FileName,argv[1])>0 && pthread)
//
// WCHAR lpwzDebug[260];
// wsprintfW(lpwzDebug,L"STR KEY: %d PID: %d OPEN PATH: %s OPEN HANDLE: 0x%X OBJECT:0x%08X\r\n",ulPID,pinfo->ProcessId,pfn.FileName,pinfo->Handle,pinfo->Object);
// MessageBoxW(0,lpwzDebug,0,0);
if (ulPID == pinfo->ProcessId)
{
WCHAR lpwzNumber[260] = {0};
WCHAR lpwzType[260] = {0};
WCHAR lpwzPath[260] = {0};
WCHAR lpwzHandle[260] = {0};
WCHAR lpwzObject[260] = {0};
memset(lpwzNumber,0,260);
memset(lpwzType,0,260);
memset(lpwzPath,0,260);
memset(lpwzHandle,0,260);
memset(lpwzObject,0,260);
wsprintfW(lpwzNumber,L"%d",pinfo->ObjectTypeNumber);
switch (pinfo->ObjectTypeNumber)
{
case 28:
StrCatW(lpwzType,L"File");
break;
}
//wsprintfW(lpwzPath,L"%ws",pinfo->ObjectTypeNumber);
// char lpszFile[260] = {0};
//
// memset(lpszFile,0,sizeof(lpszFile));
// wsprintfA(lpszFile,"File --> %s",pfn.FileName);
// WideCharToMultiByte (CP_OEMCP,NULL,lpwzPath,-1,lpszFile,wcslen(lpwzPath)*2,NULL,FALSE);
//
// OutputDebugStringW(pfn.FileName);
// OutputDebugStringA(lpszFile);
// OutputDebugStringW(lpwzPath);
//pfn.FileName
i++;
wsprintfW(lpwzHandle,L"0x%08X",pinfo->Handle);
wsprintfW(lpwzObject,L"0x%08X",pinfo->Object);
m_list->InsertItem(0,lpwzNumber,RGB(77,77,77));
m_list->SetItemText(0,1,lpwzType);
m_list->SetItemText(0,2,pfn.FileName);
m_list->SetItemText(0,3,lpwzHandle);
m_list->SetItemText(0,4,lpwzObject);
}
CloseHandle(hThread);
}
}
}
WCHAR lpwzTextOut[100];
memset(lpwzTextOut,0,sizeof(lpwzTextOut));
wsprintfW(lpwzTextOut,L"进程所打开文件句柄扫描完毕,共有 %d 个数据",i);
SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
}
return;
}
void QueryNsipHook(HWND m_hWnd,ULONG ID,CMyList *m_list)
{
DWORD dwReadByte;
int ItemNum = m_list->GetItemCount();
int i=0;
if (!IsWindows7())
{
SetDlgItemTextW(m_hWnd,ID,L"不支持当前系统Nsiproxy的枚举...");
return;
}
SHFILEINFO shfileinfo;
NsiproxyImg.Create(16,16, ILC_COLOR32, 2, 100);
HIMAGELIST hImageList = NULL;
SetDlgItemTextW(m_hWnd,ID,L"正在扫描Nsiproxy/Dispatch,请稍后...");
if (bIsPhysicalCheck){
SaveToFile("\r\n\r\n[---NSIPROXY.SYS---]\r\n",PhysicalFile);
}
if (NsiproxyDispatchBakUp)
{
VirtualFree(NsiproxyDispatchBakUp,sizeof(NSIPROXYDISPATCHBAKUP)*IRP_MJ_MAXIMUM_FUNCTION*2,MEM_RESERVE | MEM_COMMIT);
NsiproxyDispatchBakUp = 0;
}
NsiproxyDispatchBakUp = (PNSIPROXYDISPATCHBAKUP)VirtualAlloc(0,sizeof(NSIPROXYDISPATCHBAKUP)*IRP_MJ_MAXIMUM_FUNCTION*2,MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (NsiproxyDispatchBakUp)
{
memset(NsiproxyDispatchBakUp,0,sizeof(NSIPROXYDISPATCHBAKUP)*IRP_MJ_MAXIMUM_FUNCTION*2);
ReadFile((HANDLE)LIST_NSIPROXY_HOOK,NsiproxyDispatchBakUp,sizeof(NSIPROXYDISPATCHBAKUP)*IRP_MJ_MAXIMUM_FUNCTION*2,&dwReadByte,0);
for (i=0;i< (int)NsiproxyDispatchBakUp->ulCount;i++)
{
WCHAR lpwzTextOut[100];
memset(lpwzTextOut,0,sizeof(lpwzTextOut));
wsprintfW(lpwzTextOut,L"共有 %d 个数据,正在扫描第 %d 个,请稍后...",NsiproxyDispatchBakUp->ulCount,i);
SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
WCHAR lpwzNumber[256] = {0};
WCHAR lpwzHookType[256] = {0};
WCHAR lpwzFunction[256] = {0};
WCHAR lpwzHookModuleImage[256] = {0};
WCHAR lpwzCurrentNtfsDispatch[256] = {0};
WCHAR lpwsNtfsDispatch[256] = {0};
WCHAR lpwzHookModuleBase[256] = {0};
WCHAR lpwzHookModuleSize[256] = {0};
memset(lpwzNumber,0,sizeof(lpwzNumber));
memset(lpwzHookType,0,sizeof(lpwzHookType));
memset(lpwzFunction,0,sizeof(lpwzFunction));
memset(lpwzHookModuleImage,0,sizeof(lpwzHookModuleImage));
memset(lpwzCurrentNtfsDispatch,0,sizeof(lpwzCurrentNtfsDispatch));
memset(lpwsNtfsDispatch,0,sizeof(lpwsNtfsDispatch));
memset(lpwzHookModuleBase,0,sizeof(lpwzHookModuleBase));
memset(lpwzHookModuleSize,0,sizeof(lpwzHookModuleSize));
switch (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked)
{
case 0:
StrCatW(lpwzHookType,L"-");
break;
case 1:
StrCatW(lpwzHookType,L"nsiprroxy hook");
break;
case 2:
StrCatW(lpwzHookType,L"nsiprroxy Inline hook");
break;
}
wsprintfW(lpwzNumber,L"%d",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulNumber);
//wsprintfW(lpwzHookModuleImage,L"%ws",NtfsDispatchBakUp->NtfsDispatch[i].lpszBaseModule);
MultiByteToWideChar(
CP_ACP,
0,
NsiproxyDispatchBakUp->NsiproxyDispatch[i].lpszBaseModule,
-1,
lpwzHookModuleImage,
strlen(NsiproxyDispatchBakUp->NsiproxyDispatch[i].lpszBaseModule)
);
wsprintfW(lpwzFunction,L"%ws",NsiproxyDispatchBakUp->NsiproxyDispatch[i].lpwzNsiproxyDispatchName);
wsprintfW(lpwzCurrentNtfsDispatch,L"0x%08X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulCurrentNsiproxyDispatch);
wsprintfW(lpwsNtfsDispatch,L"0x%08X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulNsiproxyDispatch);
wsprintfW(lpwzHookModuleBase,L"0x%X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulModuleBase);
wsprintfW(lpwzHookModuleSize,L"0x%X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulModuleSize);
WCHAR lpwzDosFullPath[256];
WCHAR lpwzWinDir[256];
WCHAR lpwzSysDisk[256];
memset(lpwzWinDir,0,sizeof(lpwzWinDir));
memset(lpwzSysDisk,0,sizeof(lpwzSysDisk));
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
GetWindowsDirectoryW(lpwzWinDir,sizeof(lpwzWinDir));
memcpy(lpwzSysDisk,lpwzWinDir,4);
if (wcsstr(lpwzHookModuleImage,L"\\??\\"))
{
//开始这种路径的处理
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
wcsncpy(lpwzDosFullPath,lpwzHookModuleImage+wcslen(L"\\??\\"),wcslen(lpwzHookModuleImage)-wcslen(L"\\??\\"));
goto Next;
}
if (wcsstr(lpwzHookModuleImage,L"\\WINDOWS\\system32\\"))
{
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
wcscat(lpwzDosFullPath,lpwzSysDisk);
wcscat(lpwzDosFullPath,lpwzHookModuleImage);
//MessageBoxW(lpwzDosFullPath,lpwzFullSysName,0);
goto Next;
}
if (wcsstr(lpwzHookModuleImage,L"\\SystemRoot\\"))
{
WCHAR lpwzTemp[256];
memset(lpwzTemp,0,sizeof(lpwzTemp));
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
wcscat(lpwzTemp,lpwzSysDisk);
wcscat(lpwzTemp,L"\\WINDOWS\\");
wcscat(lpwzDosFullPath,lpwzTemp);
wcsncpy(lpwzDosFullPath+wcslen(lpwzTemp),lpwzHookModuleImage+wcslen(L"\\SystemRoot\\"),wcslen(lpwzHookModuleImage) - wcslen(L"\\SystemRoot\\"));
goto Next;
}
//if (wcslen(lpwzHookModuleImage) == wcslen(lpwzHookModuleImage))
//{
memset(lpwzDosFullPath,0,sizeof(lpwzDosFullPath));
wcscat(lpwzDosFullPath,lpwzSysDisk);
wcscat(lpwzDosFullPath,L"\\WINDOWS\\system32\\drivers\\");
wcscat(lpwzDosFullPath,lpwzHookModuleImage);
goto Next;
//}
Next:
//这里是一键体检的数据,不需要插入界面了
if (bIsPhysicalCheck){
//如果没有hook,就返回
if (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked == 0){
continue;
}
WCHAR lpwzSaveBuffer[1024] ={0};
CHAR lpszSaveBuffer[2024] ={0};
memset(lpwzSaveBuffer,0,sizeof(lpwzSaveBuffer));
memset(lpszSaveBuffer,0,sizeof(lpszSaveBuffer));
wsprintfW(lpwzSaveBuffer,L" --> 发现Hook:ID:%ws | 当前地址:%ws | 原始地址:%ws | 函数名:%ws | 内核模块:%ws | Hook类型:%ws\r\n",
lpwzNumber,lpwzCurrentNtfsDispatch,lpwsNtfsDispatch,lpwzFunction,lpwzDosFullPath,lpwzHookType);
m_list->InsertItem(0,L"NSIPROXY.SYS",RGB(77,77,77));
m_list->SetItemText(0,1,lpwzSaveBuffer);
WideCharToMultiByte( CP_ACP,
0,
lpwzSaveBuffer,
-1,
lpszSaveBuffer,
wcslen(lpwzSaveBuffer)*2,
NULL,
NULL
);
SaveToFile(lpszSaveBuffer,PhysicalFile);
continue;
}
if (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked == 0)
{
m_list->InsertItem(i,lpwzNumber,RGB(77,77,77));
}else
{
m_list->InsertItem(i,lpwzNumber,RGB(255,20,147));
}
m_list->SetItemText(i,1,lpwzFunction);
m_list->SetItemText(i,2,lpwzCurrentNtfsDispatch);
m_list->SetItemText(i,3,lpwsNtfsDispatch);
m_list->SetItemText(i,4,lpwzDosFullPath);
m_list->SetItemText(i,5,lpwzHookModuleBase);
m_list->SetItemText(i,6,lpwzHookModuleSize);
m_list->SetItemText(i,7,lpwzHookType);
hImageList=(HIMAGELIST)::SHGetFileInfo(lpwzDosFullPath,0,&shfileinfo,sizeof(shfileinfo),SHGFI_ICON);
NsiproxyImg.Add(shfileinfo.hIcon);
m_list->SetImageList(&NsiproxyImg);
m_list->SetItemImageId(i,i);
DestroyIcon(shfileinfo.hIcon);
}
}
WCHAR lpwzTextOut[100];
memset(lpwzTextOut,0,sizeof(lpwzTextOut));
wsprintfW(lpwzTextOut,L"Nsiproxy/Dispatch 扫描完毕,共有 %d 个数据",i);
SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
}
