void selectionsort()
{
    // Selection sort over slots 25..1 of the external array reached through
    // arrayof(idx) (accessor and swap() are defined elsewhere). Slot 0 is never
    // touched: each pass finds the largest value in slots 1..tail and swaps it
    // into slot tail, shrinking the unsorted region from the top.
    for (int tail = 25; tail > 0; --tail) {
        int best = tail;
        int probe = tail - 1;
        while (probe > 0) {
            if (*arrayof(probe) > *arrayof(best))
                best = probe;
            --probe;
        }
        swap(tail, best);   // also called when best == tail, as in the original
    }
}
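/*
 * Initialise the registry-monitor tables and install the ZwSetValueKey hook.
 * Returns STATUS_SUCCESS unconditionally (the lookaside initialiser and the
 * service-table macros report no failure).
 */
NTSTATUS RegmonEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    int i;

    (void)pDriverObject;
    (void)pRegistryPath;

    /* Everything the hook reads on every call -- root-name lengths, guard-path
       hashes and the name-buffer allocator -- is prepared BEFORE the hook is
       installed: once the service-table entry is swapped, any thread on the
       system can enter RegSetValueKey immediately. The original installed the
       hook first and filled the tables afterwards. */
    for (i = 0; i < arrayof(CurrentUser); i++)
        CurrentUser[i].RootNameLen = wcslen(CurrentUser[i].RootName);
    for (i = 0; i < arrayof(RootKey); i++)
        RootKey[i].RootNameLen = wcslen(RootKey[i].RootName);
    for (i = 0; i < arrayof(RegGuardPath); i++)
        RegGuardPath[i].ulPathHash = GetHashUprPath(RegGuardPath[i].pGuardPath, NULL);

    /* Paged lookaside list backing the per-call key-name buffer used by
       RegSetValueKey: MAXPATHLEN WCHARs plus room for the name header. */
    ExInitializePagedLookasideList(&gRegMonLooaside, NULL, NULL, 0,
                                   MAXPATHLEN * 2 + 2 * sizeof(ULONG), PAGE_DEBUG, 0);

    /* Hook ZwSetValueKey in the system service table: keep the original entry
       so the hook can forward to it, then point the entry at RegSetValueKey.
       NOTE(review): no restore of the original entry is visible in this
       listing -- confirm the unload path reinstates it. */
    ServiceTable = KeServiceDescriptorTable;
    RealRegSetValueKey = (fnRealRegSetValueKey) SYSCALL( ZwSetValueKey );
    SETSYSCALL( ZwSetValueKey, RegSetValueKey );

    return STATUS_SUCCESS;
}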
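/*
 * Replacement for ZwSetValueKey installed by RegmonEntry. Resolves the key's
 * full path, and when the key/value is a guarded one asks the user-mode side
 * (CheckRequestIsAllowed) whether the write may proceed. Allowed requests are
 * forwarded to the saved original service; everything else returns
 * STATUS_ACCESS_DENIED. Failures inside the hook itself (guard not started,
 * allocation or name lookup failing) fall through to the original service.
 *
 * NOTE(review): ValueName and Data are used directly. For a user-mode caller
 * these are user addresses; the real service probes them under exception
 * protection, and nothing visible here does -- confirm how the dispatch into
 * this hook protects against an invalid pointer.
 */
NTSTATUS RegSetValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize)
{
    WCHAR szFullPath[MAXPATHLEN] = {0};
    WCHAR szValueName[256] = {0};
    WCHAR szValue[512] = {0};
    PVOID pKeyObj = NULL;
    ULONG ulRet = 0;
    PUNICODE_STRING fullUniName = NULL;
    NTSTATUS status;
    LONG nSubType = 0;
    ULONG nChars = 0;

    if (FALSE == IsGuardStart())
        goto allowed;

    /* NOTE(review): KernelMode skips the handle checks the real service applies
       for a user-mode caller; the forwarded call still validates the handle,
       so the effect is limited to this name query. A handle that cannot be
       referenced is denied, as in the original. */
    if (STATUS_SUCCESS != ObReferenceObjectByHandle(KeyHandle, 0, NULL, KernelMode, &pKeyObj, NULL))
        return STATUS_ACCESS_DENIED;

    fullUniName = ExAllocateFromPagedLookasideList(&gRegMonLooaside);
    if (NULL == fullUniName) {
        /* the original left the object reference taken above unreleased here */
        ObDereferenceObject(pKeyObj);
        goto allowed;
    }

    fullUniName->MaximumLength = MAXPATHLEN * 2;
    status = ObQueryNameString(pKeyObj, (POBJECT_NAME_INFORMATION)fullUniName, MAXPATHLEN, &ulRet);
    ObDereferenceObject(pKeyObj);
    if (!NT_SUCCESS(status) || NULL == fullUniName->Buffer) {
        /* the original used Buffer without checking the status; on failure the
           lookaside block holds stale data and Buffer is not a valid pointer */
        ExFreeToPagedLookasideList(&gRegMonLooaside, fullUniName);
        goto allowed;
    }

    /* convert the object-manager path into the table's short root form */
    ConvertKeyPath(szFullPath, fullUniName->Buffer, MAXPATHLEN);
    ExFreeToPagedLookasideList(&gRegMonLooaside, fullUniName);

    /* Value name. UNICODE_STRING.Length is in BYTES; the original passed it to
       wcsncpy as a WCHAR count and never bounded it by the 256-WCHAR buffer. */
    if (NULL != ValueName && NULL != ValueName->Buffer) {
        nChars = ValueName->Length / sizeof(WCHAR);
        if (nChars > arrayof(szValueName) - 1)
            nChars = arrayof(szValueName) - 1;
        wcsncpy(szValueName, ValueName->Buffer, nChars);
        szValueName[nChars] = L'\0';
    }

    if (FALSE == IsRegGuardPath(szFullPath, szValueName, &nSubType))
        goto allowed;

    /* REG_SZ payload shown to the user: bounded by DataSize (bytes) and by the
       destination. The original copied 256 WCHARs from Data regardless of
       DataSize, and dereferenced a NULL Data. */
    if (REG_SZ == Type && NULL != Data) {
        nChars = DataSize / sizeof(WCHAR);
        if (nChars > arrayof(szValue) - 1)
            nChars = arrayof(szValue) - 1;
        wcsncpy(szValue, (PCWSTR)Data, nChars);
        szValue[nChars] = L'\0';
    }

    /* hand the request to the user-mode side, which decides */
    if (FALSE != CheckRequestIsAllowed(MAKEGUARDTYPE(MASK_GUARDLITE_REGMON, nSubType),
                                       szFullPath, szValueName, szValue))
        goto allowed;

    return STATUS_ACCESS_DENIED;

allowed:
    return RealRegSetValueKey(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
}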
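void spiral()
{
    // Lay out the values arrayof(1)..arrayof(25) into the grid arrcp as a
    // clockwise spiral starting at row 0, column 0. dir: 0 = column forward,
    // 1 = row forward, 2 = column back, 3 = row back. check(i, j, dir), defined
    // elsewhere, is assumed to say whether one more step in dir is still legal.
    //
    // Clear the 5x5 region cell by cell. The original `arrcp[5][5]={0};` did
    // not clear anything: it assigned 0 to the single element at row 5 /
    // column 5, which is one past the end if arrcp is a 5x5 array.
    for (int r = 0; r < 5; ++r)
        for (int c = 0; c < 5; ++c)
            arrcp[r][c] = 0;

    int i = 0, j = 0, dir = 0;
    arrcp[0][0] = *arrayof(0);   // kept from the original; the first step below overwrites it

    for (int x = 24; x >= 0; --x) {
        if (!check(i, j, dir))
            dir = (dir + 1) % 4;   // turn once; the new direction is not re-checked (as before)
        const int no = *arrayof(25 - x);
        switch (dir) {
        case 0:  arrcp[i][j++] = no; break;
        case 1:  arrcp[i++][j] = no; break;
        case 2:  arrcp[i][j--] = no; break;
        default: arrcp[i--][j] = no; break;
        }
    }
}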
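/*
 * Decide whether pPath lies inside (or, for isDir, is exactly) one of the
 * FileGuardPath entries. Matching is by hash only: ulHashs[k] is assumed to be
 * GetHashUprPath's hash of the first k characters, so a table entry matches
 * when the hash of pPath's first nPathLen characters equals the entry's hash
 * and the next character is a separator. A hash collision would be reported
 * as a match.
 *
 * pSubType, when non-NULL, receives the sub-type of the entry that matched;
 * it is also overwritten for entries that were tried and rejected, so callers
 * should only read it after a TRUE return.
 */
BOOLEAN IsFilemonGuardPath(PWSTR pPath, BOOLEAN isDir, LONG* pSubType)
{
    ULONG ulHashs[MAX_PATH] = {0};
    LONG nCheck = 0;
    WCHAR* pCheck = NULL;
    ULONG ulPathHash = 0;
    LONG i;

    if (NULL == pPath)
        return FALSE;

    /* nCheck = offset of the last separator = length of the parent-directory part */
    pCheck = wcsrchr(pPath, L'\\');
    if (NULL == pCheck)
        return FALSE;
    nCheck = (LONG)(pCheck - pPath);
    if (nCheck <= 0)
        return FALSE;

    /* ulHashs has MAX_PATH slots and is indexed by prefix length below, so a
       longer parent part would read past it (and GetHashUprPath's own bounds
       handling for ulHashs is not visible here). Such paths are treated as not
       guarded, like the other early-outs. NOTE(review): confirm that is the
       intended policy for over-long paths. */
    if (nCheck >= MAX_PATH)
        return FALSE;

    ulPathHash = GetHashUprPath(pPath, ulHashs);

    for (i = 0; i < arrayof(FileGuardPath); i++) {
        if (NULL != pSubType)
            *pSubType = FileGuardPath[i].nSubType;

        /* a directory matches when it IS the guarded path */
        if (FALSE != isDir && ulPathHash == FileGuardPath[i].ulPathHash)
            return TRUE;

        if (FileGuardPath[i].nPathLen >= 0 && FileGuardPath[i].nPathLen <= nCheck) {
            if (ulHashs[FileGuardPath[i].nPathLen] != FileGuardPath[i].ulPathHash)
                continue;
            /* prefix hash matched but the next character is not a separator
               ("...\foo" vs "...\foobar"): this entry is not an ancestor. Keep
               scanning -- the original returned FALSE here, so a later entry
               that does match was never reached. */
            if (pPath[FileGuardPath[i].nPathLen] != L'\\')
                continue;
            return TRUE;
        }

        /* entry longer than the parent part: only an exact hash match counts */
        if (ulPathHash == FileGuardPath[i].ulPathHash)
            return TRUE;
    }
    return FALSE;
}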
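/*
 * Write "<short root name><rest>" into pOut, never storing more than nLen
 * WCHARs and always NUL-terminating. Replaces the original's hard-coded
 * &pOut[4] offset, which assumed every RootShort is exactly four characters,
 * and its wcsncpy(..., nLen-4), which left pOut unterminated when the rest
 * filled the buffer.
 */
static void CopyWithRoot(LPWSTR pOut, PCWSTR pShort, PCWSTR pRest, int nLen)
{
    size_t shortLen = wcslen(pShort);
    size_t restMax;

    if ((size_t)nLen <= shortLen) {
        /* no room for the root plus a terminator: keep what fits */
        wcsncpy(pOut, pShort, (size_t)nLen - 1);
        pOut[nLen - 1] = L'\0';
        return;
    }
    wcscpy(pOut, pShort);
    restMax = (size_t)nLen - shortLen - 1;
    wcsncpy(pOut + shortLen, pRest, restMax);   /* pads with NULs when pRest is shorter */
    pOut[nLen - 1] = L'\0';                     /* terminator when pRest filled the room */
}

/*
 * Rewrite an object-manager registry path (pIn) into the short form used by
 * the guard tables (pOut, capacity nLen WCHARs): a matching CurrentUser root is
 * replaced by its RootShort with the following path component skipped
 * (presumably the user's SID -- not visible here), a matching RootKey root by
 * its RootShort, and anything else is copied through unchanged. The root
 * comparison is case-insensitive via ConvertToUpper.
 */
void ConvertKeyPath(LPWSTR pOut, LPWSTR pIn, int nLen)
{
    int i = 0;
    WCHAR cmpname[MAXROOTLEN] = {0};
    LPWSTR nameptr = NULL;

    if (NULL == pOut || nLen <= 0)
        return;
    if (NULL == pIn) {
        pOut[0] = L'\0';
        return;
    }

    for (i = 0; i < arrayof(CurrentUser); i++) {
        ConvertToUpper(cmpname, pIn, CurrentUser[i].RootNameLen);
        if (!wcsncmp(cmpname, CurrentUser[i].RootName, CurrentUser[i].RootNameLen)) {
            /* skip the component that directly follows the root */
            nameptr = pIn + CurrentUser[i].RootNameLen;
            while (*nameptr && *nameptr != L'\\')
                nameptr++;
            CopyWithRoot(pOut, CurrentUser[i].RootShort, nameptr, nLen);
            return;
        }
    }

    for (i = 0; i < arrayof(RootKey); i++) {
        ConvertToUpper(cmpname, pIn, RootKey[i].RootNameLen);
        if (!wcsncmp(cmpname, RootKey[i].RootName, RootKey[i].RootNameLen)) {
            nameptr = pIn + RootKey[i].RootNameLen;
            CopyWithRoot(pOut, RootKey[i].RootShort, nameptr, nLen);
            return;
        }
    }

    /* no known root: pass the path through, bounded (the original used wcscpy) */
    wcsncpy(pOut, pIn, (size_t)nLen - 1);
    pOut[nLen - 1] = L'\0';
}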
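/*
 * Check whether a registry key path (pPath) and, where the table entry names
 * one, a value name (pSubPath) is one of the monitored RegGuardPath entries.
 * Key paths are compared by hash only -- the string comparison against the
 * table was commented out in the original -- so a hash collision on pPath
 * would be reported as a match. The value name, when the entry has one, is
 * compared case-insensitively.
 *
 * pSubType, when non-NULL, receives the matching entry's sub-type (the
 * original dereferenced it unconditionally, unlike IsFilemonGuardPath).
 */
BOOLEAN IsRegGuardPath(PCWSTR pPath, PCWSTR pSubPath, LONG* pSubType)
{
    ULONG ulHash;
    int i;

    if (NULL == pPath)
        return FALSE;
    ulHash = GetHashUprPath(pPath, NULL);

    for (i = 0; i < arrayof(RegGuardPath); i++) {
        if (ulHash != RegGuardPath[i].ulPathHash)
            continue;
        if (NULL != pSubType)
            *pSubType = RegGuardPath[i].nSubType;
        /* entry guards the whole key */
        if (NULL == RegGuardPath[i].pSubPath)
            return TRUE;
        if (NULL != pSubPath && 0 == _wcsicmp(pSubPath, RegGuardPath[i].pSubPath))
            return TRUE;
        /* same key, different value name: keep scanning -- another entry may
           list this key with this value name (the original returned FALSE here,
           so only the first entry for a key was ever consulted) */
    }
    return FALSE;
}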
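/*
 * Schedule the next log rotation for 00:00:00 local time tomorrow and open
 * today's log file (name built from LOG_FILENAME via strftime). Sets the
 * file-scope log_rotate_time; asserts that the file was opened.
 */
static void rotate_log()
{
    time_t now = time(NULL);
    struct tm *timeinfo = localtime(&now);
    struct tm midnight;
    struct tm next;
    char filename[256];

    assert(timeinfo != NULL);
    /* copy: localtime() returns a shared static buffer */
    midnight = *timeinfo;

    /* today at 00:00:00; mktime() normalises the derived fields as before */
    midnight.tm_hour = midnight.tm_min = midnight.tm_sec = 0;
    (void)mktime(&midnight);

    /* Rotate at the next midnight. Bump the day and let mktime() resolve it
       with tm_isdst = -1 rather than adding 24h: on a DST transition day the
       old "+ 60 * 60 * 24" landed on 23:00 or 01:00. */
    next = midnight;
    next.tm_mday += 1;
    next.tm_isdst = -1;
    log_rotate_time = mktime(&next);

    /* change filename */
    strftime(filename, arrayof(filename), LOG_FILENAME, &midnight);
    logger_file_open(filename);
    assert(log_file != NULL);
}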
void swap(int i, int j)
{
    // Exchange the values held in slots i and j of the external array reached
    // through arrayof(). Both values are read before either slot is written.
    int lhs_value = *arrayof(i);
    int rhs_value = *arrayof(j);
    *arrayof(i) = rhs_value;
    *arrayof(j) = lhs_value;
}
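// Loader entry point: parses leading -p:/-h options, re-assembles the remaining
// arguments into a command line, and starts that program through
// CreateProcessWithDll with _adder.dll (located next to this executable under
// DLLs\) and the optional script path. Returns the child's exit code; 1 for a
// usage error, 2 when the child cannot be started, 3 when its exit code cannot
// be read, 4 when this loader's own directory cannot be determined.
int __cdecl main(int argc, char **argv)
{
    BOOLEAN fNeedHelp = FALSE;
    PCHAR pszScript = NULL;
    char szDllName[MAX_PATH] = "";
    // declared outside the loop: it is read after the loop, which the original
    // only got away with through MSVC's legacy for-scope extension
    int arg = 1;

    for (; arg < argc && (argv[arg][0] == '-' || argv[arg][0] == '/'); arg++) {
        CHAR *argn = argv[arg] + 1;
        CHAR *argp = argn;
        // split "name:value" in place
        while (*argp && *argp != ':')
            argp++;
        if (*argp == ':')
            *argp++ = '\0';

        switch (argn[0]) {
        case 'p': case 'P':
            pszScript = argp;
            puts( pszScript );
            break;
        case 'h': case 'H': case '?':
            fNeedHelp = TRUE;
            break;
        default:
            fNeedHelp = TRUE;
            printf("withdll.exe: Bad argument: %s\n", argv[arg]);
            break;
        }
    }

    if (arg >= argc)
        fNeedHelp = TRUE;   // no program to run
    if (fNeedHelp) {
        PrintUsage();
        return 1;
    }

    //////////////////////////////////////////////////////////////////////////
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);

    // Target program (argv[arg]) and the re-assembled command line. std::string
    // replaces the original fixed 1024/2048-byte strcpy/strcat buffers, which
    // overflowed on a long argument list. Arguments containing a space or tab
    // are wrapped in quotes; as before, embedded quotes are not escaped.
    const std::string exe(argv[arg]);
    std::string command;
    for (; arg < argc; arg++) {
        const bool needsQuotes =
            strchr(argv[arg], ' ') != NULL || strchr(argv[arg], '\t') != NULL;
        if (needsQuotes)
            command += '"';
        command += argv[arg];
        if (needsQuotes)
            command += '"';
        if (arg + 1 < argc)
            command += ' ';
    }

    printf("adderload.exe: Starting: `%s'\n\n", command.c_str());
    fflush(stdout);

    // Resolve the program via the search path; szFullExe stays empty on failure
    // and CreateProcessWithDll is then given NULL for the application name.
    CHAR szFullExe[1024] = "\0";
    PCHAR pszFileExe = NULL;
    SetLastError(0);
    SearchPath(NULL, exe.c_str(), ".exe", arrayof(szFullExe), szFullExe, &pszFileExe);

    // Locate the DLL relative to this loader's own directory. The original
    // called erase(rfind("\\")) unguarded, which throws when no backslash is
    // present.
    GetModuleFileName(NULL, szDllName, MAX_PATH - 1);
    szDllName[MAX_PATH - 1] = '\0';
    std::string dllName(szDllName);
    const std::string::size_type lastSlash = dllName.rfind('\\');
    if (lastSlash == std::string::npos) {
        printf("adderload.exe: cannot determine own directory from `%s'\n", szDllName);
        return 4;
    }
    dllName.erase(lastSlash);
    dllName.append("\\DLLs\\_adder.dll");

    // The command-line parameter is writable (CreateProcess semantics), so the
    // string's own storage is passed rather than c_str().
    if (!CreateProcessWithDll(szFullExe[0] ? szFullExe : NULL, &command[0], NULL, NULL, TRUE,
                              CREATE_DEFAULT_ERROR_MODE, NULL, NULL, &si, &pi,
                              dllName.c_str(), "AdderProcessStartup", pszScript, NULL)) {
        // GetLastError() returns a DWORD (unsigned long): %lu, not %d
        printf("adderload.exe: CreateProcessWithDll failed: %lu\n", GetLastError());
        ExitProcess(2);
    }

    WaitForSingleObject(pi.hProcess, INFINITE);

    DWORD dwResult = 0;
    if (!GetExitCodeProcess(pi.hProcess, &dwResult)) {
        printf("adderload.exe: GetExitCodeProcess failed: %lu\n", GetLastError());
        dwResult = 3;
    }
    // the original never released the child's handles
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return dwResult;
}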