// SkMon_HookReg.c
////////////////////////////////////////////////////////////////////////////////
// Hook / Unhook Registry functions.
// and my Registry_Callback function.
////////////////////////////////////////////////////////////////////////////////
// Start by snake, 2000/9/29
// add structure output, 2000/10/16, by snake.
////////////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include <stdio.h>
#include "SkDrv_Misc.h"
#include "SkMon_reg.h"
#include "SkDrv_RegComm.h"
// Our own declarations, needed for Win2K.
// KEY_INFORMATION_CLASS value for key-name queries. The DDK headers this
// file targets do not provide it, so it is declared locally; 3 is the
// position of KeyNameInformation in the public enum
// (KeyBasicInformation = 0, KeyNodeInformation = 1, KeyFullInformation = 2).
enum {
KeyNameInformation = 3
};
// Buffer layout returned for a KeyNameInformation query. Name[1] is a
// variable-length trailer (pre-C99 "array of one" idiom), so the real
// object is larger than sizeof(KEY_NAME_INFORMATION).
// NOTE(review): in the public definition NameLength is a byte count and
// Name is NOT NUL-terminated — confirm before any consumer treats Name as
// a C string.
typedef struct _KEY_NAME_INFORMATION {
ULONG NameLength;
WCHAR Name[1]; // Variable length string, not NUL-terminated
} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
// Signature of the service routines that take a single key HANDLE
// (ZwClose / ZwDeleteKey / ZwFlushKey); SkMon_HookRegKeyParamHandle()
// receives the original routine through this type as HandleFunc.
typedef NTSTATUS(*RegKeyParamFunction)(IN HANDLE KeyHandle);
// Saved original service routines.
// HookSkMonRegistry() copies the service-table entries into these before
// installing the hook routines, and UnHookSkMonRegistry() writes them back.
// They are plain (non-static) globals, so they are visible to other
// translation units. RealRegFlushKey, RealRegLoadKey and RealRegUnloadKey
// are never assigned in the visible hook/unhook code (the ZwFlushKey line
// is commented out there), so they stay NULL unless set elsewhere.
NTSTATUS (*RealRegOpenKey)( IN PHANDLE, IN OUT ACCESS_MASK, IN POBJECT_ATTRIBUTES );
NTSTATUS (*RealRegQueryKey)( IN HANDLE, IN KEY_INFORMATION_CLASS,
OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegQueryValueKey)( IN HANDLE, IN PUNICODE_STRING,
IN KEY_VALUE_INFORMATION_CLASS,
OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegEnumerateValueKey)( IN HANDLE, IN ULONG,
IN KEY_VALUE_INFORMATION_CLASS,
OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegEnumerateKey)( IN HANDLE, IN ULONG,
IN KEY_INFORMATION_CLASS,
OUT PVOID, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegSetValueKey)( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex, IN ULONG Type,
IN PVOID Data, IN ULONG DataSize );
NTSTATUS (*RealRegCreateKey)( OUT PHANDLE, IN ACCESS_MASK,
IN POBJECT_ATTRIBUTES , IN ULONG,
IN PUNICODE_STRING, IN ULONG, OUT PULONG );
NTSTATUS (*RealRegDeleteValueKey)( IN HANDLE, IN PUNICODE_STRING );
// Saved ZwClose entry: note that ZwClose is the generic handle-close service,
// so the hook installed in its slot sees every handle type, not only keys.
NTSTATUS (*RealRegCloseKey)( IN HANDLE );
NTSTATUS (*RealRegDeleteKey)( IN HANDLE );
NTSTATUS (*RealRegFlushKey)( IN HANDLE );
NTSTATUS (*RealRegLoadKey)( IN POBJECT_ATTRIBUTES,
IN POBJECT_ATTRIBUTES );
NTSTATUS (*RealRegUnloadKey)( IN POBJECT_ATTRIBUTES );
//Local variables.
// TRUE while the hook routines are installed in the service table; guards
// HookSkMonRegistry() / UnHookSkMonRegistry() against a double install or
// a double restore. Plain global with no synchronization and no volatile —
// concurrent hook/unhook callers are not protected.
BOOLEAN RegistryHook=FALSE;
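// Select the service-table slot that belongs to a Zw* stub.
//   _table    - pointer to the descriptor holding the ServiceTable array
//   _function - address of a Zw* stub exported by the kernel
// The stub's system-call index is read as a 4-byte value at offset 1 into
// the stub body (the immediate of the `mov eax, index` instruction the
// 32-bit x86 Zw stubs begin with — verify against the target kernel build).
// The read is unaligned and the layout assumption is x86-32 only, so this
// is not portable. The expansion is an lvalue: it is read to save the
// original entry and assigned to install or restore a hook.
// Every argument and the whole expansion are parenthesized so that an
// expression argument (e.g. a cast) cannot change the operator binding.
#define GETSYSCALL(_table, _function) \
    ((_table)->ServiceTable[ *(PULONG)((PUCHAR)(_function) + 1) ])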
// Local function prototypes.
// Hook routines installed into the service table by HookSkMonRegistry().
// Each must keep exactly the parameter list of the service it replaces,
// because the kernel dispatcher calls it with the caller's raw arguments.
NTSTATUS SkMon_HookRegOpenKey( IN OUT PHANDLE pHandle, IN ACCESS_MASK ReqAccess,
IN POBJECT_ATTRIBUTES pOpenInfo);
NTSTATUS SkMon_HookRegCreateKey( OUT PHANDLE handle, IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES pObjectAttribute, IN ULONG,
IN PUNICODE_STRING, IN ULONG, OUT PULONG);
NTSTATUS SkMon_HookRegQueryKey( IN HANDLE KeyHandle, IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG pResultLength);
// NOTE(review): the third parameter is declared KEY_VALUE_INFORMATION_CLASS
// here, while RealRegEnumerateKey above takes KEY_INFORMATION_CLASS; the two
// enums have the same representation, but the declarations should agree.
NTSTATUS SkMon_HookRegEnumerateKey( IN HANDLE KeyHandle, IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG pResultLength);
NTSTATUS SkMon_HookRegFlushKey( IN HANDLE );
NTSTATUS SkMon_HookRegDeleteKey( IN HANDLE );
// Installed in the ZwClose slot, so it is reached for every handle type.
NTSTATUS SkMon_HookRegCloseKey( IN HANDLE KeyHandle);
// Shared body for the single-HANDLE hooks: HandleFunc is the saved original
// routine, dwAction the log action code, FunctionName the label to log.
NTSTATUS SkMon_HookRegKeyParamHandle(IN HANDLE KeyHandle,
char *FunctionName, RegKeyParamFunction HandleFunc, ULONG dwAction);
NTSTATUS SkMon_HookRegDeleteValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING KeyName);
NTSTATUS SkMon_HookRegSetValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex, IN ULONG Type,
IN PVOID Data, IN ULONG DataSize );
NTSTATUS SkMon_HookRegEnumerateValueKey( IN HANDLE KeyHandle, IN ULONG longdata1,
IN KEY_VALUE_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG Length, OUT PULONG pResultLength);
// Helpers used by the hook routines (bodies not in this part of the file).
// Builds the full key path for hKey (+ optional sub key) into fullName.
// NOTE(review): fullName has no length parameter — confirm the callers'
// buffer size bounds the write.
void GetKeyFullName( HANDLE hKey, PUNICODE_STRING lpszSubKeyVal, PCHAR fullName);
PVOID GetPointer( HANDLE handle );
BOOLEAN IsTheThreadDisable(ULONG id, char *name);
BOOLEAN CanLogTheThread(ULONG id, LPCTSTR str);
// Formatting helpers that append text to Buffer; none takes a buffer size.
VOID AppendKeyInformation( IN KEY_INFORMATION_CLASS KeyInformationClass,
IN PVOID KeyInformation, PCHAR Buffer );
VOID AppendRegValueData( IN ULONG Type, IN PVOID Data, IN ULONG Length,
IN OUT PCHAR Buffer );
VOID AppendRegValueType( ULONG Type, PCHAR Buffer );
void RemoveHandleObjectInHashTable( IN HANDLE KeyHandle);
// Queues one registry-access log record for the user-mode reader.
void SkMon_AddRegUnitToLink(IN Sk_LogUnit_Mang *pMang, IN ULONG processID,
IN char *szProcessName, IN ULONG dwRegAction,
IN BOOLEAN bEnable,
IN char *pszKeyName,
ULONG status,
IN PVOID otherInfo1, IN PVOID otherInfo2);
VOID AppendValueInformation( IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
IN PVOID KeyValueInformation, PCHAR Buffer, PCHAR ValueName );
// Special declarations for registry-access functions.
//
// Definition for Registry function prototypes not included in NTDDK.H
//
// Exported by the kernel but without a prototype in the DDK headers this
// file targets. In the visible code it is only passed to GETSYSCALL so that
// its service-table slot can be saved, replaced and restored.
NTSYSAPI NTSTATUS NTAPI ZwDeleteValueKey( IN HANDLE, IN PUNICODE_STRING );
//NTSYSAPI NTSTATUS NTAPI ZwLoadKey( IN POBJECT_ATTRIBUTES, IN POBJECT_ATTRIBUTES );
//NTSYSAPI NTSTATUS NTAPI ZwUnloadKey( IN POBJECT_ATTRIBUTES );
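// Reset the registry-hook state to "not installed".
// If a previous hook is still installed (RegistryHook == TRUE), the saved
// original entry points are restored first: clearing the flag on its own
// would leave the hook routines in the service table with no way to remove
// them later, because UnHookSkMonRegistry() only acts while the flag is set.
// When nothing is installed, UnHookSkMonRegistry() is a no-op and the
// behaviour is unchanged.
void InitHookSkMonRegistry()
{
    UnHookSkMonRegistry();
    RegistryHook = FALSE;
}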
// Teardown entry point: restores the original service-table entries via
// UnHookSkMonRegistry().
// NOTE(review): restoring the table does not wait for calls that are
// already executing inside the hook routines; if this runs from the
// driver's unload path, confirm that the image stays resident long enough
// for those calls to return.
void DeInitHookSkMonRegistry()
{
UnHookSkMonRegistry();
}
// Restore the original registry service routines saved by HookSkMonRegistry().
// Does nothing when no hook is installed, so it is safe to call repeatedly.
// The restores are plain stores into the shared service table with no
// synchronization; threads currently inside a hook routine are not waited
// for, and the hook routines keep forwarding through the saved pointers,
// which are left intact.
void UnHookSkMonRegistry()
{
    // Guard clause: only undo what HookSkMonRegistry() actually did.
    if (!RegistryHook) {
        return;
    }

    // Clear the flag before touching the table so a second caller
    // (or a concurrent Init/DeInit) sees nothing left to restore.
    RegistryHook = FALSE;

    // Put the saved entry points back, in the order they were replaced.
    GETSYSCALL( ServiceTable, ZwOpenKey)           = RealRegOpenKey;
    GETSYSCALL( ServiceTable, ZwCreateKey)         = RealRegCreateKey;
    GETSYSCALL( ServiceTable, ZwQueryKey)          = RealRegQueryKey;
    GETSYSCALL( ServiceTable, ZwEnumerateKey)      = RealRegEnumerateKey;
    GETSYSCALL( ServiceTable, ZwEnumerateValueKey) = RealRegEnumerateValueKey;
    GETSYSCALL( ServiceTable, ZwSetValueKey)       = RealRegSetValueKey;
    GETSYSCALL( ServiceTable, ZwDeleteValueKey)    = RealRegDeleteValueKey;
    // ZwClose is the generic handle-close service; its slot is restored
    // here because the hook was installed there for all handle types.
    GETSYSCALL( ServiceTable, ZwClose)             = RealRegCloseKey;
    GETSYSCALL( ServiceTable, ZwDeleteKey)         = RealRegDeleteKey;
    // ZwFlushKey is not hooked by HookSkMonRegistry(), so there is nothing
    // to restore for it.
}
void HookSkMonRegistry()
{
if( !RegistryHook){
RealRegOpenKey = GETSYSCALL( ServiceTable, ZwOpenKey);
RealRegCreateKey = GETSYSCALL( ServiceTable, ZwCreateKey);
RealRegQueryKey = GETSYSCALL( ServiceTable, ZwQueryKey);
RealRegEnumerateKey = GETSYSCALL( ServiceTable, ZwEnumerateKey);
RealRegEnumerateValueKey = GETSYSCALL( ServiceTable, ZwEnumerateValueKey);
RealRegSetValueKey = GETSYSCALL( ServiceTable, ZwSetValueKey);
RealRegDeleteValueKey = GETSYSCALL( ServiceTable, ZwDeleteValueKey);
RealRegCloseKey = GETSYSCALL( ServiceTable, ZwClose);
RealRegDeleteKey = GETSYSCALL( ServiceTable, ZwDeleteKey);
//RealRegFlushKey = GETSYSCALL( ServiceTable, ZwFlushKey);
GETSYSCALL( ServiceTable, ZwOpenKey) = (PVOID)SkMon_HookRegOpenKey;
GETSYSCALL( ServiceTable, ZwCreateKey) = (PVOID)SkMon_HookRegCreateKey;
GETSYSCALL( ServiceTable, ZwQueryKey) = (PVOID)SkMon_HookRegQueryKey;
GETSYSCALL( ServiceTable, ZwEnumerateKey) = (PVOID)SkMon_HookRegEnumerateKey;
GETSYSCALL( ServiceTable, ZwEnumerateValueKey) = (PVOID)SkMon_HookRegEnumerateValueKey;
GETSYSCA