├── Sysmon.sys
├── cpplib
│ ├── CString.cpp
│ ├── CPool.cpp
│ ├── CIntNumber.cpp
│ ├── CNPagedLookaside.cpp
│ ├── CListEntry.h
│ ├── CDeviceObject.h
│ ├── CFilterDevice.h
│ ├── CSysmonBase.cpp
│ ├── CAssert.h
│ ├── CDispatchEngine.cpp
│ ├── CDispatchEngine.h
│ ├── CEResource.h
│ ├── CListEntry.cpp
│ ├── CDriverObject.h
│ ├── CDebug.h
│ ├── CEResource.cpp
│ ├── CVersion.h
│ ├── CFileObject.h
│ ├── CDriverDispatch.h
│ ├── CErrorStatus.h
│ ├── CDriverObject.cpp
│ ├── CUnicodeString.h
│ ├── CSysmonBase.h
│ ├── CErrorStatus.cpp
│ ├── CDebug.cpp
│ ├── CIoStackLocation.h
│ ├── CDriverDispatch.cpp
│ ├── CFileObject.cpp
│ ├── CNPagedLookaside.h
│ ├── CAttachDevice.h
│ ├── CString.h
│ ├── CIoStackLocation.cpp
│ ├── CIntNumber.h
│ ├── CVersion.cpp
│ ├── CAttachDevice.cpp
│ ├── CUnicodeString.cpp
│ ├── CIrp.h
│ ├── CPool.h
│ ├── CMiniFltFilter.h
│ ├── CppLib.h
│ ├── CppLib.cpp
│ ├── CDeviceObject.cpp
│ ├── CFilterDevice.cpp
│ ├── CIrp.cpp
│ └── CMiniFltFilter.cpp
├── CSysmonDispatchEngine.cpp
├── Sysmon.sys.vcxproj.user
├── CSysmonControl.h
├── targetver.h
├── stdafx.cpp
├── CDeviceExtension.h
├── CSysmonControl.cpp
├── Sysmon.sys.cpp
├── stdafx.h
├── CReportRecord.h
├── CSysmonIoControl.h
├── CReportRecord.cpp
├── CSysmonMiniFltFilter.h
├── CDeviceExtension.cpp
├── CDriverEntry.h
├── CSysmonDispatchEngine.h
├── ReadMe.txt
├── CSysmonMiniFltFilter.cpp
├── Sysmon.sys.vcxproj.filters
├── CDriverEntry.cpp
└── Sysmon.sys.vcxproj
├── Sysmon.suo
├── Sysmon
├── Sysmon.rc
├── small.ico
├── Sysmon.ico
├── CEventLogger.cpp
├── CSysmonUtil.cpp
├── CSysmonMofData.cpp
├── CSysmonDriverOpt.cpp
├── CDName.h
├── CDName.cpp
├── stdafx.cpp
├── targetver.h
├── CSysmonUtil.h
├── CSysmonDriverOpt.h
├── stdafx.h
├── Sysmon.vcxproj.user
├── Resource.h
├── CEventLogger.h
├── Sysmon.h
├── ReadMe.txt
├── CDigitalSign.cpp
├── CSsymonEtw.h
├── CDigitalSign.h
├── Sysmon.vcxproj.filters
├── undname.h
├── CSysmonMofData.h
├── Sysmon.cpp
├── Sysmon.vcxproj
├── CSsymonEtw.cpp
├── CMofDataParser.h
└── undname.idl
├── README.md
└── Sysmon.sln
/Sysmon.sys/cpplib/CString.cpp:
--------------------------------------------------------------------------------
1 | #include "CString.h"
2 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CPool.cpp:
--------------------------------------------------------------------------------
1 | #include "CPool.h"
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CIntNumber.cpp:
--------------------------------------------------------------------------------
1 | #include "CIntNumber.h"
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CNPagedLookaside.cpp:
--------------------------------------------------------------------------------
1 | #include "CNPagedLookaside.h"
2 |
--------------------------------------------------------------------------------
/Sysmon.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon.suo
--------------------------------------------------------------------------------
/Sysmon/Sysmon.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon/Sysmon.rc
--------------------------------------------------------------------------------
/Sysmon/small.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon/small.ico
--------------------------------------------------------------------------------
/Sysmon/Sysmon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon/Sysmon.ico
--------------------------------------------------------------------------------
/Sysmon/CEventLogger.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon/CEventLogger.cpp
--------------------------------------------------------------------------------
/Sysmon/CSysmonUtil.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon/CSysmonUtil.cpp
--------------------------------------------------------------------------------
/Sysmon/CSysmonMofData.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon/CSysmonMofData.cpp
--------------------------------------------------------------------------------
/Sysmon/CSysmonDriverOpt.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon/CSysmonDriverOpt.cpp
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CListEntry.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon.sys/cpplib/CListEntry.h
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDeviceObject.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon.sys/cpplib/CDeviceObject.h
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CFilterDevice.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon.sys/cpplib/CFilterDevice.h
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CSysmonBase.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon.sys/cpplib/CSysmonBase.cpp
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Sysmon_reverse逆向微软sysmon的源代码,逆向的版本是v8
2 | 原始产品
3 | https://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon
4 |
--------------------------------------------------------------------------------
/Sysmon.sys/CSysmonDispatchEngine.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/basketwill/Sysmon_reverse/HEAD/Sysmon.sys/CSysmonDispatchEngine.cpp
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CAssert.h:
--------------------------------------------------------------------------------
1 | #ifndef _CAssert_h
2 | #define _CAssert_h
3 |
4 | #define CAssert( a )
5 | #define CAssertAddrValid( a , b)
6 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/Sysmon.sys.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDispatchEngine.cpp:
--------------------------------------------------------------------------------
1 | #include "CDispatchEngine.h"
2 |
3 |
4 | CDispatchEngine::CDispatchEngine(void)
5 | {
6 | }
7 |
8 |
9 | CDispatchEngine::~CDispatchEngine(void)
10 | {
11 | }
12 |
--------------------------------------------------------------------------------
/Sysmon.sys/CSysmonControl.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonControl_h
2 | #define _CSysmonControl_h
3 |
4 | class CSysmonControl
5 | {
6 | public:
7 | CSysmonControl(void);
8 | virtual ~CSysmonControl(void);
9 | };
10 |
11 | #endif
--------------------------------------------------------------------------------
/Sysmon/CDName.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDName_H
2 | #define _CDName_H
3 |
4 | class CDName
5 | {
6 | public:
7 | CDName(void);
8 | virtual ~CDName(void);
9 |
10 | static char* _unDName();
11 | };
12 |
13 | #endif
14 |
15 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDispatchEngine.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDispatchEngine_h
2 | #define _CDispatchEngine_h
3 |
4 | class CDispatchEngine
5 | {
6 | public:
7 | CDispatchEngine(void);
8 | virtual ~CDispatchEngine(void);
9 | };
10 |
11 | #endif
--------------------------------------------------------------------------------
/Sysmon/CDName.cpp:
--------------------------------------------------------------------------------
1 | #include "StdAfx.h"
2 | #include "CDName.h"
3 |
4 |
5 | CDName::CDName(void)
6 | {
7 | }
8 |
9 |
10 | CDName::~CDName(void)
11 | {
12 | }
13 |
14 |
15 | char* CDName::_unDName()
16 | {
17 | return NULL;
18 | }
--------------------------------------------------------------------------------
/Sysmon.sys/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 |
9 |
--------------------------------------------------------------------------------
/Sysmon/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // Sysmon.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Sysmon.sys/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // Sysmon.sys.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CEResource.h:
--------------------------------------------------------------------------------
1 | #ifndef _CEResource_h
2 | #define _CEResource_h
3 |
4 | #include "cpplib.h"
5 |
6 | class CEResource
7 | {
8 | public:
9 | CEResource(void);
10 | ~CEResource(void);
11 |
12 | void Lock();
13 | void UnLock();
14 |
15 | private:
16 | ERESOURCE mEResoure;
17 | //volatile LONG mReference;
18 | };
19 |
20 | #endif
--------------------------------------------------------------------------------
/Sysmon/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | #define _CRT_RAND_S
8 | #include
9 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CListEntry.cpp:
--------------------------------------------------------------------------------
1 | #include "CListEntry.h"
2 |
3 | // template< typename T>
4 | // CAfdList::CAfdList()
5 | // {
6 | // InitializeListHead( &mAfdList);
7 | // }
8 | //
9 | // template< typename T>
10 | // CAfdList::~CAfdList()
11 | // {
12 | //
13 | // }
14 |
15 | // template< typename T>
16 | // void CAfdList::InsertHeadList()
17 | // {
18 | //
19 | // }
--------------------------------------------------------------------------------
/Sysmon/CSysmonUtil.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonUtil_h
2 | #define _CSysmonUtil_h
3 |
4 | typedef unsigned __int64 QWORD;
5 |
6 | class CSysmonUtil
7 | {
8 | public:
9 | CSysmonUtil(void);
10 | ~CSysmonUtil(void);
11 |
12 | public:
13 | static
14 | BOOL
15 | SysmonVersionIsSupport();
16 |
17 | static
18 | unsigned __int64 CounterTimes(FILETIME t1,__int64 t2);
19 | };
20 |
21 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/CDeviceExtension.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDeviceExtension_h
2 | #define _CDeviceExtension_h
3 | #include
4 |
5 | class CDeviceExtension
6 | {
7 | public:
8 | CDeviceExtension(void);
9 | virtual ~CDeviceExtension(void);
10 | operator PIO_CSQ();
11 | operator PRKEVENT();
12 |
13 | void Init();
14 | private:
15 | IO_CSQ mCsq;
16 | KEVENT mFileEvent;
17 | };
18 |
19 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/CSysmonControl.cpp:
--------------------------------------------------------------------------------
1 | #include "CSysmonControl.h"
2 |
3 | /**********************************************************************************/
4 | #pragma INITCODE
5 |
6 | CSysmonControl::CSysmonControl(void)
7 | {
8 | }
9 |
10 | /**********************************************************************************/
11 | #pragma LOCKEDCODE
12 |
13 | CSysmonControl::~CSysmonControl(void)
14 | {
15 |
16 | }
17 |
18 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDriverObject.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDriverObject_h
2 | #define _CDriverObject_h
3 | #include "cpplib.h"
4 |
5 | class CDriverObject
6 | {
7 | public:
8 | CDriverObject(void);
9 | CDriverObject(PDRIVER_OBJECT DriverObject);
10 | CDriverObject(const CDriverObject& DriverObject);
11 | ~CDriverObject(void);
12 | public:
13 |
14 | operator const PDRIVER_OBJECT() const;
15 | private:
16 | PDRIVER_OBJECT mDriverObject;
17 | };
18 |
19 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDebug.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDebug_h
2 | #define _CDebug_h
3 | #include "cpplib.h"
4 |
5 | class CDebug
6 | {
7 | public:
8 | typedef enum {kMaxLengthString = 256};
9 | CDebug(void);
10 | ~CDebug(void);
11 |
12 | #ifdef DEBUG
13 |
14 | static
15 | void DebugOut( const CHAR* formatStr, ... );
16 | #else
17 | static
18 | inline
19 | void DebugOut( const CHAR* formatStr, ... )
20 | {
21 |
22 | }
23 |
24 | #endif
25 |
26 | };
27 |
28 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CEResource.cpp:
--------------------------------------------------------------------------------
1 | #include "CEResource.h"
2 |
3 |
4 | CEResource::CEResource(void)
5 | {
6 | //mReference = 0;
7 | ExInitializeResource(&mEResoure);
8 | }
9 |
10 | CEResource::~CEResource(void)
11 | {
12 | ExDeleteResource(&mEResoure);
13 | }
14 |
15 | void
16 | CEResource::Lock()
17 | {
18 | ExAcquireResourceExclusive(&mEResoure,true);
19 | }
20 |
21 | void
22 | CEResource::UnLock()
23 | {
24 | ExReleaseResource(&mEResoure);
25 | }
26 |
--------------------------------------------------------------------------------
/Sysmon.sys/Sysmon.sys.cpp:
--------------------------------------------------------------------------------
1 | // Sysmon.sys.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | /**********************************************************************************/
8 | #pragma INITCODE
9 |
10 | #ifdef __cplusplus
11 | extern "C"
12 | #endif
13 | NTSTATUS
14 | NTAPI
15 | DriverEntry(
16 | IN PDRIVER_OBJECT DriverObject,
17 | IN PUNICODE_STRING RegistryPath)
18 | {
19 | return 0;
20 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CVersion.h:
--------------------------------------------------------------------------------
1 | #ifndef _CVersion_h
2 | #define _CVersion_h
3 | #include
4 |
5 | class CVersion
6 | {
7 | public:
8 | CVersion(void);
9 | ~CVersion(void);
10 |
11 | void GetOsVersion();
12 | void PsGetVersion();
13 |
14 | ULONG GetMajorVersion();
15 | ULONG GetMinorVersion();
16 | ULONG GetBuilderNumber();
17 |
18 | private:
19 | ULONG mMajorVersion;
20 | ULONG mMinorVersion;
21 | ULONG mBuildNumber;
22 | ULONG mCSDVersion;
23 | };
24 |
25 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 |
14 |
15 |
16 | // TODO: reference additional headers your program requires here
17 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CFileObject.h:
--------------------------------------------------------------------------------
1 | #ifndef _CFileObject_h
2 | #define _CFileObject_h
3 |
4 | class CFileObject
5 | {
6 | public:
7 | CFileObject(void);
8 | CFileObject(const CFileObject& File);
9 | CFileObject(const PFILE_OBJECT& File);
10 | ~CFileObject(void);
11 |
12 | operator PFILE_OBJECT();
13 |
14 | PVOID operator !();
15 |
16 | PUNICODE_STRING FileName();
17 |
18 | PFILE_OBJECT& RelatedFileObject();
19 |
20 | private:
21 | PFILE_OBJECT mFileObj;
22 | };
23 |
24 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/CReportRecord.h:
--------------------------------------------------------------------------------
1 | #ifndef _CReportRecord_h
2 | #define _CReportRecord_h
3 |
4 | #include
5 | #include
6 |
7 |
8 | class CSysmonRecord
9 | {
10 | public:
11 | CSysmonRecord();
12 | ~CSysmonRecord();
13 |
14 | private:
15 | USHORT mType;
16 | };
17 |
18 | class CReportSysmonRecord
19 | {
20 | public:
21 | CReportSysmonRecord(void);
22 | ~CReportSysmonRecord(void);
23 |
24 | private:
25 | CListEntry mReportRecord;
26 | };
27 |
28 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDriverDispatch.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDriverDispatch_h
2 | #define _CDriverDispatch_h
3 | #include
4 |
5 | class CDriverDispatch
6 | {
7 | public:
8 | CDriverDispatch(void);
9 | CDriverDispatch(const PDRIVER_DISPATCH* DriverDisptach);
10 | virtual ~CDriverDispatch(void);
11 |
12 |
13 | void operator =(const PDRIVER_DISPATCH* DriverDisptach);
14 | BOOL operator !() const;
15 | PDRIVER_DISPATCH& operator [](int n);
16 | private:
17 | PDRIVER_DISPATCH* mDriverDisptach;
18 | };
19 |
20 | #endif
--------------------------------------------------------------------------------
/Sysmon/CSysmonDriverOpt.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonDriverOpt_h
2 | #define _CSysmonDriverOpt_h
3 |
4 | class CSysmonDriverOpt
5 | {
6 | public:
7 | CSysmonDriverOpt(void);
8 | virtual ~CSysmonDriverOpt(void);
9 | public:
10 | BOOL InstallDriver(
11 | LPCTSTR lpszDriverName,
12 | LPCTSTR lpszDriverPath,
13 | LPCTSTR lpszAltitude);
14 |
15 | BOOL StartDriver(LPCTSTR lpszDriverName);
16 |
17 | BOOL StopDriver(LPCTSTR lpszDriverName);
18 |
19 | BOOL DeleteDriver(LPCTSTR lpszDriverName);
20 | };
21 |
22 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CErrorStatus.h:
--------------------------------------------------------------------------------
1 | #ifndef _CErrorStatus_H
2 | #define _CErrorStatus_H
3 |
4 | #include "cpplib.h"
5 |
6 | class CErrorStatus
7 | {
8 | public:
9 | CErrorStatus(void);
10 | ~CErrorStatus(void);
11 | CErrorStatus( NTSTATUS Status );
12 | CErrorStatus(const CErrorStatus& Error );
13 |
14 | void operator =( NTSTATUS Status );
15 |
16 | operator NTSTATUS()
17 | {
18 | return mNtStatus;
19 | }
20 |
21 | BOOL IsNtSuccess();
22 |
23 | private:
24 | NTSTATUS mNtStatus;
25 | ULONG mSystemError;
26 | };
27 |
28 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDriverObject.cpp:
--------------------------------------------------------------------------------
1 |
2 | #include "CDriverObject.h"
3 |
4 |
5 | CDriverObject::CDriverObject(void)
6 | {
7 | }
8 |
9 | CDriverObject::CDriverObject(PDRIVER_OBJECT DriverObject)
10 | {
11 | mDriverObject = DriverObject;
12 | }
13 |
14 | CDriverObject::CDriverObject(const CDriverObject& DriverObject)
15 | {
16 | mDriverObject = DriverObject.mDriverObject;
17 | }
18 |
19 | CDriverObject::~CDriverObject(void)
20 | {
21 | }
22 |
23 |
24 | CDriverObject::operator const PDRIVER_OBJECT() const
25 | {
26 | return mDriverObject;
27 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CUnicodeString.h:
--------------------------------------------------------------------------------
1 | #ifndef _CUnicodeString_h
2 | #define _CUnicodeString_h
3 |
4 |
5 | #include
6 |
7 |
8 | class CUnicodeString
9 | {
10 | public:
11 | CUnicodeString(void);
12 | CUnicodeString(const CUnicodeString& String);
13 | CUnicodeString(const PUNICODE_STRING& pString);
14 | virtual ~CUnicodeString(void);
15 |
16 | PUNICODE_STRING operator &();
17 |
18 | operator PUNICODE_STRING();
19 |
20 | void operator =(const WCHAR* pString);
21 | void operator =(WCHAR* pString);
22 | private:
23 | UNICODE_STRING mString;
24 | };
25 |
26 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/CSysmonIoControl.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonControl_h
2 | #define _CSysmonControl_h
3 |
4 | typedef enum _Base_Sysmon_FileObj_Type
5 | {
6 | kFileObjErrorType = 0,
7 | kFileObjFilePath = 1,
8 | kFileObjNamedPipe = 2,
9 | }Base_Sysmon_FileObj_Type;
10 |
11 | typedef struct _Sysmon_Flt_CompletionContext
12 | {
13 | union
14 | {
15 | ULONG ContextValue;
16 | PVOID* ReportEvent;
17 | };
18 | }Sysmon_Flt_CompletionContext;
19 |
20 | typedef struct _Sysmon_Flt_Stream_Context
21 | {
22 | PVOID* FsContext2;
23 | }Sysmon_Flt_Stream_Context,*PSysmon_Flt_Stream_Context;
24 |
25 | #endif
26 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CSysmonBase.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonBase_h
2 | #define _CSysmonBase_h
3 |
4 | #include
5 | #include
6 |
7 | class CSysmonBase
8 | {
9 | public:
10 | CSysmonBase(void);
11 | ~CSysmonBase(void);
12 |
13 | public:
14 | static
15 | USHORT
16 | SysmonIsNamedPipe(
17 | PCFLT_RELATED_OBJECTS pFltFileObj
18 | );
19 |
20 | static
21 | BOOL
22 | SysmonFileIsCommonName(
23 | PFLT_CALLBACK_DATA CallbackData
24 | );
25 |
26 | static
27 | bool
28 | SysmonQueryFileFileAttributes(
29 | PFLT_RELATED_OBJECTS pFltObj
30 | );
31 | };
32 |
33 | #endif
--------------------------------------------------------------------------------
/Sysmon/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 |
14 | // C RunTime Header Files
15 | #include
16 | #include
17 | #include
18 | #include
19 |
20 |
21 | // TODO: reference additional headers your program requires here
22 |
--------------------------------------------------------------------------------
/Sysmon/Sysmon.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | -n
5 | WindowsLocalDebugger
6 |
7 |
8 | sysmon.exe -i
9 | WindowsLocalDebugger
10 |
11 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CErrorStatus.cpp:
--------------------------------------------------------------------------------
1 | #include "CErrorStatus.h"
2 |
3 |
4 | CErrorStatus::CErrorStatus(void)
5 | {
6 | mNtStatus = STATUS_UNSUCCESSFUL;
7 | }
8 |
9 | CErrorStatus::~CErrorStatus(void)
10 | {
11 | }
12 |
13 | CErrorStatus::CErrorStatus( NTSTATUS Status )
14 | {
15 | mNtStatus = Status;
16 | }
17 |
18 | CErrorStatus::CErrorStatus(const CErrorStatus& Error )
19 | {
20 | mNtStatus = Error.mNtStatus;
21 | mSystemError = Error.mSystemError;
22 | }
23 |
24 | void
25 | CErrorStatus::operator =( NTSTATUS Status )
26 | {
27 | mNtStatus = Status;
28 | }
29 |
30 | BOOL
31 | CErrorStatus::IsNtSuccess()
32 | {
33 | return NT_SUCCESS(mNtStatus);
34 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDebug.cpp:
--------------------------------------------------------------------------------
1 | #include "cpplib.h"
2 | #include "CDebug.h"
3 | #include
4 | #include
5 |
6 |
7 | CDebug::CDebug(void)
8 | {
9 | }
10 |
11 |
12 | CDebug::~CDebug(void)
13 | {
14 | }
15 |
16 | #ifdef DEBUG
17 |
18 | void
19 | CDebug::DebugOut( const CHAR* formatStr, ... )
20 | {
21 | CHAR StrBuf[kMaxLengthString];
22 | va_list ArgList;
23 | memset( StrBuf , 0 , kMaxLengthString );
24 | va_start(ArgList, formatStr);
25 | _vsnprintf(
26 | StrBuf,
27 | kMaxLengthString,
28 | formatStr,
29 | ArgList);
30 | va_end(ArgList);
31 |
32 | KdPrint(("[AfdFilter]:"));
33 | KdPrint((StrBuf));
34 | KdPrint(("\n"));
35 | }
36 |
37 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CIoStackLocation.h:
--------------------------------------------------------------------------------
1 | #ifndef _CIoStackLocation_h
2 | #define _CIoStackLocation_h
3 |
4 | #include "CFileObject.h"
5 |
6 | class CIoStackLocation
7 | {
8 | public:
9 | CIoStackLocation(void);
10 | CIoStackLocation(const CIoStackLocation& Stack);
11 | CIoStackLocation(const PIO_STACK_LOCATION& Stack);
12 | ~CIoStackLocation(void);
13 |
14 | operator PIO_STACK_LOCATION();
15 |
16 | void operator =(const PIO_STACK_LOCATION Stack);
17 | BOOLEAN operator ==(const PIO_STACK_LOCATION Stack);
18 | BOOLEAN operator !=(const PIO_STACK_LOCATION Stack);
19 | PVOID operator !();
20 |
21 | CFileObject FileObject();
22 | UCHAR& Flags();
23 |
24 | private:
25 | PIO_STACK_LOCATION mStack;
26 | };
27 |
28 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDriverDispatch.cpp:
--------------------------------------------------------------------------------
1 | #include "CDriverDispatch.h"
2 |
3 |
4 | CDriverDispatch::CDriverDispatch(void)
5 | :mDriverDisptach(NULL)
6 | {
7 | }
8 |
9 | CDriverDispatch::CDriverDispatch(const PDRIVER_DISPATCH* DriverDisptach)
10 | {
11 | mDriverDisptach = (PDRIVER_DISPATCH*)DriverDisptach;
12 | }
13 |
14 | CDriverDispatch::~CDriverDispatch(void)
15 | {
16 | }
17 |
18 | void CDriverDispatch::operator =(const PDRIVER_DISPATCH* DriverDisptach)
19 | {
20 | mDriverDisptach = (PDRIVER_DISPATCH*)DriverDisptach;
21 | }
22 |
23 | BOOL CDriverDispatch::operator !() const
24 | {
25 | return mDriverDisptach != NULL;
26 | }
27 |
28 | PDRIVER_DISPATCH& CDriverDispatch::operator [](int n)
29 | {
30 | return mDriverDisptach[n];
31 | }
--------------------------------------------------------------------------------
/Sysmon.sys/CReportRecord.cpp:
--------------------------------------------------------------------------------
1 | #include "CReportRecord.h"
2 |
3 | /**********************************************************************************/
4 | #pragma LOCKEDCODE
5 |
6 | CSysmonRecord::CSysmonRecord()
7 | {
8 |
9 | }
10 |
11 | /**********************************************************************************/
12 | #pragma LOCKEDCODE
13 |
14 | CSysmonRecord::~CSysmonRecord()
15 | {
16 |
17 | }
18 |
19 | /**********************************************************************************/
20 | #pragma LOCKEDCODE
21 |
22 | CReportSysmonRecord::CReportSysmonRecord(void)
23 | {
24 | }
25 |
26 | /**********************************************************************************/
27 | #pragma LOCKEDCODE
28 |
29 | CReportSysmonRecord::~CReportSysmonRecord(void)
30 | {
31 | }
32 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CFileObject.cpp:
--------------------------------------------------------------------------------
1 | #include "cpplib.h"
2 | #include "CFileObject.h"
3 |
4 |
5 | CFileObject::CFileObject(void)
6 | :mFileObj(NULL)
7 | {
8 | }
9 |
10 | CFileObject::CFileObject(const CFileObject& File)
11 | {
12 | mFileObj = mFileObj;
13 | }
14 |
15 | CFileObject::CFileObject(const PFILE_OBJECT& File)
16 | {
17 | mFileObj = File;
18 | }
19 |
20 | CFileObject::~CFileObject(void)
21 | {
22 | }
23 |
24 |
25 | CFileObject::operator PFILE_OBJECT()
26 | {
27 | return mFileObj;
28 | }
29 |
30 | PVOID CFileObject::operator !()
31 | {
32 | return (PVOID)!mFileObj;
33 | }
34 |
35 | PUNICODE_STRING CFileObject::FileName()
36 | {
37 | return &mFileObj->FileName;
38 | }
39 |
40 | PFILE_OBJECT& CFileObject::RelatedFileObject()
41 | {
42 | return mFileObj->RelatedFileObject;
43 | }
--------------------------------------------------------------------------------
/Sysmon/Resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Sysmon.rc
4 | //
5 |
6 | #define IDS_APP_TITLE 103
7 |
8 | #define IDR_MAINFRAME 128
9 | #define IDD_SYSMON_DIALOG 102
10 | #define IDD_ABOUTBOX 103
11 | #define IDM_ABOUT 104
12 | #define IDM_EXIT 105
13 | #define IDI_SYSMON 107
14 | #define IDI_SMALL 108
15 | #define IDC_SYSMON 109
16 | #define IDC_MYICON 2
17 | #ifndef IDC_STATIC
18 | #define IDC_STATIC -1
19 | #endif
20 | // Next default values for new objects
21 | //
22 | #ifdef APSTUDIO_INVOKED
23 | #ifndef APSTUDIO_READONLY_SYMBOLS
24 |
25 | #define _APS_NO_MFC 130
26 | #define _APS_NEXT_RESOURCE_VALUE 129
27 | #define _APS_NEXT_COMMAND_VALUE 32771
28 | #define _APS_NEXT_CONTROL_VALUE 1000
29 | #define _APS_NEXT_SYMED_VALUE 110
30 | #endif
31 | #endif
32 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CNPagedLookaside.h:
--------------------------------------------------------------------------------
1 | #ifndef _CNPagedLookaside_h
2 | #define _CNPagedLookaside_h
3 |
4 | #include "cpplib.h"
5 |
6 | template< typename T, USHORT PoolTag = NPAGE_LIST_POOL_TAG>
7 | class CNPagedLookaside
8 | {
9 | public:
10 | CNPagedLookaside(void)
11 | {
12 | ExInitializeNPagedLookasideList(
13 | &mNPagedLookasside,
14 | 0,
15 | 0,
16 | 0,
17 | sizeof(T),
18 | PoolTag,
19 | 0);
20 | }
21 |
22 | ~CNPagedLookaside(void)
23 | {
24 | ExDeleteNPagedLookasideList(&mNPagedLookasside);
25 | }
26 |
27 | T* Allocate()
28 | {
29 | return static_cast(ExAllocateFromNPagedLookasideList(&mNPagedLookasside));
30 | }
31 |
32 | void Free( T* pT )
33 | {
34 | ExFreeToNPagedLookasideList(&mNPagedLookasside, pT);
35 | }
36 |
37 | private:
38 | NPAGED_LOOKASIDE_LIST mNPagedLookasside;
39 | };
40 |
41 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CAttachDevice.h:
--------------------------------------------------------------------------------
1 | #ifndef _CAfdAttachDevice_H
2 | #define _CAfdAttachDevice_H
3 |
4 | #include "cpplib.h"
5 | #include "CListEntry.h"
6 | #include "CErrorStatus.h"
7 |
8 |
9 | class CAttachDevice
10 | {
11 | public:
12 | CAttachDevice(void);
13 | virtual ~CAttachDevice(void);
14 |
15 | void operator =( PDEVICE_OBJECT DeviceObject)
16 | {
17 | mDeviceObject = DeviceObject;
18 | }
19 |
20 |
21 | PDEVICE_OBJECT Device()
22 | {
23 | return mDeviceObject;
24 | }
25 |
26 | PDEVICE_OBJECT LowDevice()
27 | {
28 | return mLowDeviceObject;
29 | }
30 |
31 | CErrorStatus Init( PDEVICE_OBJECT AttachDevice,
32 | PDEVICE_OBJECT OldDevice );
33 |
34 | CErrorStatus Attach(
35 | PDRIVER_OBJECT Driver,
36 | UNICODE_STRING& DeviceName);
37 | private:
38 | PDEVICE_OBJECT mDeviceObject;
39 | PDEVICE_OBJECT mLowDeviceObject;
40 | UNICODE_STRING mDriverPath;
41 | };
42 |
43 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/CSysmonMiniFltFilter.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonMiniFltFilter_h
2 | #define _CSysmonMiniFltFilter_h
3 |
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | class CSysmonMiniFltFilter :
10 | public CMiniFltFilter
11 | {
12 | public:
13 | CSysmonMiniFltFilter(void);
14 | ~CSysmonMiniFltFilter(void);
15 |
16 | CErrorStatus Init(PDRIVER_OBJECT DriverObj);
17 |
18 | public:
19 | static
20 | NTSTATUS
21 | NTAPI
22 | FilterUnloadCallback(
23 | FLT_FILTER_UNLOAD_FLAGS Flags
24 | );
25 |
26 | static
27 | NTSTATUS
28 | NTAPI
29 | InstanceSetupCallback(
30 | PCFLT_RELATED_OBJECTS FltObjects,
31 | FLT_INSTANCE_SETUP_FLAGS Flags,
32 | DEVICE_TYPE VolumeDeviceType,
33 | FLT_FILESYSTEM_TYPE VolumeFilesystemType
34 | );
35 |
36 | static
37 | NTSTATUS
38 | NTAPI
39 | InstanceQueryTeardownCallback(
40 | PCFLT_RELATED_OBJECTS FltObjects,
41 | FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
42 | );
43 |
44 | private:
45 | // CListEntry mListFile;
46 | };
47 |
48 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/CDeviceExtension.cpp:
--------------------------------------------------------------------------------
1 | #include "CDeviceExtension.h"
2 |
3 | /**********************************************************************************/
4 | #pragma LOCKEDCODE
5 |
6 | CDeviceExtension::CDeviceExtension(void)
7 | {
8 | }
9 |
10 |
11 | /**********************************************************************************/
12 | #pragma LOCKEDCODE
13 |
14 | CDeviceExtension::~CDeviceExtension(void)
15 | {
16 | }
17 |
18 | /**********************************************************************************/
19 | #pragma PAGEDCODE
20 |
21 | CDeviceExtension::operator PIO_CSQ()
22 | {
23 | return &mCsq;
24 | }
25 |
26 | /**********************************************************************************/
27 | #pragma PAGEDCODE
28 |
29 | CDeviceExtension::operator PRKEVENT()
30 | {
31 | return &mFileEvent;
32 | }
33 |
34 |
35 | /**********************************************************************************/
36 | #pragma INITCODE
37 |
38 | void CDeviceExtension::Init()
39 | {
40 | KeInitializeEvent(
41 | &mFileEvent,
42 | SynchronizationEvent,
43 | 0);
44 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CString.h:
--------------------------------------------------------------------------------
1 | #ifndef _CStringT_h
2 | #define _CStringT_h
3 | #include
4 |
5 | template
6 | class CStringT
7 | {
8 | public:
9 | CStringT(void)
10 | {
11 |
12 | }
13 |
14 | virtual ~CStringT(void)
15 | {
16 |
17 | }
18 |
19 | operator T*()
20 | {
21 | return pT;
22 | }
23 |
24 | protected:
25 | T pT[COUNT];
26 | };
27 |
28 |
29 | class CStringW: public CStringT
30 | {
31 | public:
32 | CStringW()
33 | {
34 | memset(this,0,sizeof(*this));
35 | }
36 |
37 | ~CStringW()
38 | {
39 |
40 | }
41 | private:
42 | USHORT mLength;
43 | USHORT mMaxLength;
44 | };
45 |
46 | template
47 | class CStackStringW : public CStringT
48 | {
49 | public:
50 | CStackStringW()
51 | {
52 |
53 | }
54 |
55 | ~CStackStringW()
56 | {
57 |
58 | }
59 |
60 | WCHAR& operator [](int n)
61 | {
62 | return pT[n];
63 | }
64 |
65 | operator WCHAR*()
66 | {
67 | return &pT[0];
68 | }
69 |
70 | WCHAR* operator &()
71 | {
72 | return &pT[0];
73 | }
74 |
75 | };
76 |
77 |
78 |
79 | #endif
80 |
--------------------------------------------------------------------------------
/Sysmon/CEventLogger.h:
--------------------------------------------------------------------------------
1 | #ifndef _CEventLogger_h
2 | #define _CEventLogger_h
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | class CEventLogger
11 | {
12 | public:
13 | CEventLogger(void);
14 | virtual ~CEventLogger(void);
15 |
16 | HRESULT Init(
17 | LPCTSTR lpszLogFile,
18 | LPCTSTR lpszSessionName,
19 | GUID *pguid = NULL);
20 |
21 | HRESULT DeInit();
22 |
23 | void Log(UCHAR nLevel, LPCTSTR lpszFormat,...);
24 |
25 | protected:
26 | static
27 | ULONG
28 | WINAPI ControlCallback(
29 | WMIDPREQUESTCODE nRequestCode,
30 | PVOID pContext,
31 | ULONG* Reserved,
32 | PVOID pBuffer);
33 |
34 | ULONG _ControlCallback(
35 | WMIDPREQUESTCODE nRequestCode,
36 | PWNODE_HEADER pHeader);
37 |
38 | GUID m_provider_guid;
39 | TRACEHANDLE m_hTrace;
40 | TRACEHANDLE m_hSession;
41 | BOOL m_bLoggingEnabled;
42 | UCHAR m_nLoggingLevel;
43 | CAtlArray m_eventdata;
44 | GUID m_session_guid;
45 | CStringW m_strLogFile;
46 | CStringW m_strSessionName;
47 | CAtlArray m_sessiondata;
48 | };
49 |
50 | #endif
51 |
52 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CIoStackLocation.cpp:
--------------------------------------------------------------------------------
1 | #include "cpplib.h"
2 | #include "CIoStackLocation.h"
3 |
4 |
5 | CIoStackLocation::CIoStackLocation(void)
6 | :mStack(NULL)
7 | {
8 | }
9 |
10 | CIoStackLocation::CIoStackLocation(
11 | const CIoStackLocation& Stack)
12 | {
13 | mStack = Stack.mStack;
14 | }
15 |
16 | CIoStackLocation::CIoStackLocation(const PIO_STACK_LOCATION& Stack)
17 | {
18 | mStack = Stack;
19 | }
20 |
21 | CIoStackLocation::~CIoStackLocation(void)
22 | {
23 | }
24 |
25 |
26 | CIoStackLocation::operator PIO_STACK_LOCATION()
27 | {
28 | return mStack;
29 | }
30 |
31 | void
32 | CIoStackLocation::operator =(const PIO_STACK_LOCATION Stack)
33 | {
34 | mStack =Stack;
35 | }
36 |
37 | BOOLEAN
38 | CIoStackLocation::operator ==(const PIO_STACK_LOCATION Stack)
39 | {
40 | return ( mStack == Stack?true:false);
41 | }
42 |
43 | BOOLEAN CIoStackLocation::operator !=(const PIO_STACK_LOCATION Stack)
44 | {
45 | return (mStack != Stack?true:false);
46 | }
47 |
48 | PVOID CIoStackLocation::operator !()
49 | {
50 | return ((PVOID)!mStack);
51 | }
52 |
53 | CFileObject CIoStackLocation::FileObject()
54 | {
55 | return mStack->FileObject;
56 | }
57 |
58 | UCHAR& CIoStackLocation::Flags()
59 | {
60 | return mStack->Flags;
61 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CIntNumber.h:
--------------------------------------------------------------------------------
1 | #ifndef _CIntNumber_h
2 | #define _CIntNumber_h
3 |
4 | #include "cpplib.h"
5 |
6 | template
7 | class CIntNumber
8 | {
9 | public:
10 | CIntNumber(void)
11 | {
12 | mNumber = 0;
13 | }
14 |
15 | CIntNumber(T _X )
16 | {
17 | mNumber = _X;
18 | }
19 |
20 | CIntNumber(CIntNumber& _X )
21 | {
22 | mNumber = (T)_X;
23 | }
24 |
25 | ~CIntNumber(void)
26 | {
27 | mNumber = 0;
28 | }
29 |
30 | operator T() const
31 | {
32 | return mNumber;
33 | }
34 |
35 | void
36 | operator ++()
37 | {
38 | mNumber++;
39 | }
40 |
41 | void
42 | operator =(T& _X)
43 | {
44 | mNumber = _X;
45 | }
46 |
47 | void
48 | operator =(CIntNumber& _X)
49 | {
50 | mNumber = (T)_X;
51 | }
52 |
53 | BOOL
54 | operator ==(T& _X)
55 | {
56 | return (mNumber == _X);
57 | }
58 |
59 | BOOL
60 | operator ==(CIntNumber& _X)
61 | {
62 | return (mNumber == (T)_X);
63 | }
64 |
65 | BOOL
66 | operator <(T& _X)
67 | {
68 | return (BOOL)(mNumber < _X);
69 | }
70 |
71 | BOOL
72 | operator <=(T& _X)
73 | {
74 | return (mNumber <= _X);
75 | }
76 |
77 | BOOL
78 | operator >(T& _X)
79 | {
80 | return (mNumber > _X);
81 | }
82 |
83 | BOOL
84 | operator >=(T& _X)
85 | {
86 | return (mNumber >= _X);
87 | }
88 |
89 | T mNumber;
90 | };
91 |
92 | #endif
--------------------------------------------------------------------------------
/Sysmon/Sysmon.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include "resource.h"
4 |
5 | BOOLEAN
6 | FORCEINLINE
7 | IsListEmpty(
8 | __in const LIST_ENTRY * ListHead
9 | )
10 | {
11 | return (BOOLEAN)(ListHead->Flink == ListHead);
12 | }
13 |
14 | FORCEINLINE
15 | VOID
16 | InitializeListHead(
17 | __out PLIST_ENTRY ListHead
18 | )
19 | {
20 | ListHead->Flink = ListHead->Blink = ListHead;
21 | }
22 |
23 | FORCEINLINE
24 | VOID
25 | InsertTailList(
26 | __inout PLIST_ENTRY ListHead,
27 | __inout __drv_aliasesMem PLIST_ENTRY Entry
28 | )
29 | {
30 | PLIST_ENTRY Blink;
31 |
32 | Blink = ListHead->Blink;
33 | Entry->Flink = ListHead;
34 | Entry->Blink = Blink;
35 | Blink->Flink = Entry;
36 | ListHead->Blink = Entry;
37 | }
38 |
39 | FORCEINLINE
40 | BOOLEAN
41 | RemoveEntryList(
42 | __in PLIST_ENTRY Entry
43 | )
44 | {
45 | PLIST_ENTRY Blink;
46 | PLIST_ENTRY Flink;
47 |
48 | Flink = Entry->Flink;
49 | Blink = Entry->Blink;
50 | Blink->Flink = Flink;
51 | Flink->Blink = Blink;
52 | return (BOOLEAN)(Flink == Blink);
53 | }
54 |
55 | FORCEINLINE
56 | PLIST_ENTRY
57 | RemoveHeadList(
58 | __inout PLIST_ENTRY ListHead
59 | )
60 | {
61 | PLIST_ENTRY Flink;
62 | PLIST_ENTRY Entry;
63 |
64 | Entry = ListHead->Flink;
65 | Flink = Entry->Flink;
66 | ListHead->Flink = Flink;
67 | Flink->Blink = ListHead;
68 | return Entry;
69 | }
70 |
71 | DWORD RunSysmonX64();
72 |
--------------------------------------------------------------------------------
/Sysmon.sys/CDriverEntry.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDriverEntry_h
2 | #define _CDriverEntry_h
3 | #include "CVersion.h"
4 | #include
5 | #include "CReportRecord.h"
6 | #include "CDeviceObject.h"
7 | #include "CSysmonMiniFltFilter.h"
8 |
9 |
10 | #ifdef __cplusplus
11 | extern "C"{
12 | #endif
13 | class CDriverEntry
14 | {
15 | public:
16 | CDriverEntry(void);
17 | ~CDriverEntry(void);
18 |
19 | public:
20 | static
21 | NTSTATUS
22 | NTAPI
23 | Init(
24 | IN PDRIVER_OBJECT DriverObject,
25 | IN PUNICODE_STRING RegistryPath
26 | );
27 | static
28 | CDriverEntry& Instance();
29 |
30 | public:
31 | void PsGetVersion();
32 | BOOL IsSupportFlt();
33 |
34 | CErrorStatus
35 | InitIoDeice(
36 | PDRIVER_OBJECT Driver,
37 | CStackStringW<256>& DeviceName,
38 | CStackStringW<256>& DosDeviceName,
39 | const UINT32 DeviceExtSize
40 | );
41 |
42 | void DeleteDosLink(CStackStringW<256>& SymbolicLink);
43 |
44 | void* Extension();
45 |
46 | CErrorStatus InitMiniFlt(PDRIVER_OBJECT DriverObj);
47 | private:
48 | CVersion mSystemVersion;
49 | BOOL mIsSupportFlt;
50 | CReportSysmonRecord mReportSysmonRecord;
51 |
52 | CDeviceObject mDeviceObject;
53 | CSysmonMiniFltFilter mMiniFltFilter;
54 | private:
55 | static CDriverEntry _Instance;
56 | };
57 |
58 |
59 | #ifdef __cplusplus
60 | };
61 | #endif
62 |
63 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CVersion.cpp:
--------------------------------------------------------------------------------
1 | #include "CVersion.h"
2 |
3 | CVersion::CVersion(void)
4 | :mMajorVersion(0)
5 | ,mMinorVersion(0)
6 | ,mBuildNumber(0)
7 | {
8 | }
9 |
10 |
11 | CVersion::~CVersion(void)
12 | {
13 | }
14 |
15 | /**********************************************************************************/
16 | #pragma LOCKEDCODE
17 |
18 | void CVersion::GetOsVersion()
19 | {
20 | OSVERSIONINFOW VersionInformation;
21 | VersionInformation.dwOSVersionInfoSize = sizeof(OSVERSIONINFOW);
22 | if (NT_SUCCESS(::RtlGetVersion(&VersionInformation)))
23 | {
24 | mMajorVersion = VersionInformation.dwMajorVersion;
25 | mMinorVersion = VersionInformation.dwMinorVersion;
26 | }
27 | }
28 |
29 | /**********************************************************************************/
30 | #pragma LOCKEDCODE
31 |
32 | void CVersion::PsGetVersion()
33 | {
34 | ::PsGetVersion(&mMajorVersion,&mMinorVersion, &mBuildNumber, 0);
35 | }
36 |
37 |
38 | /**********************************************************************************/
39 | #pragma LOCKEDCODE
40 |
41 | ULONG CVersion::GetMajorVersion()
42 | {
43 | return mMajorVersion;
44 | }
45 |
46 |
47 | /**********************************************************************************/
48 | #pragma LOCKEDCODE
49 |
50 | ULONG CVersion::GetMinorVersion()
51 | {
52 | return mMinorVersion;
53 | }
54 |
55 |
56 | /**********************************************************************************/
57 | #pragma LOCKEDCODE
58 |
59 | ULONG CVersion::GetBuilderNumber()
60 | {
61 | return mBuildNumber;
62 | }
--------------------------------------------------------------------------------
/Sysmon.sys/CSysmonDispatchEngine.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonDispatchEngine_h
2 | #define _CSysmonDispatchEngine_h
3 | #include
4 | #include "CDeviceExtension.h"
5 | #include
6 |
7 | class CSysmonDispatchEngine
8 | {
9 | public:
10 | CSysmonDispatchEngine(void);
11 | ~CSysmonDispatchEngine(void);
12 |
13 | public:
14 | static
15 | NTSTATUS
16 | NTAPI
17 | SysmonDispatchIrp(
18 | PDEVICE_OBJECT DeviceObject,
19 | PIRP Irp);
20 |
21 | static
22 | NTSTATUS
23 | NTAPI
24 | SysmonFltPreOperation (
25 | PFLT_CALLBACK_DATA Data,
26 | PFLT_RELATED_OBJECTS FltObjects,
27 | PVOID *CompletionContext
28 | );
29 |
30 | static
31 | NTSTATUS
32 | NTAPI
33 | SysmonFltPostOperation (
34 | PFLT_CALLBACK_DATA Data,
35 | PCFLT_RELATED_OBJECTS FltObjects,
36 | PVOID CompletionContext,
37 | FLT_POST_OPERATION_FLAGS Flags
38 | );
39 |
40 | static
41 | void
42 | NTAPI
43 | SysmonIoCsqInsertIrp(
44 | PIO_CSQ Csq,
45 | PIRP Irp
46 | );
47 |
48 | static
49 | void
50 | NTAPI
51 | SysmonIoCsqRemoveIrp(
52 | PIO_CSQ Csq,
53 | PIRP Irp
54 | );
55 |
56 | static
57 | PIRP
58 | NTAPI
59 | SysmonIoCsqPeekNextIrp(
60 | PIO_CSQ Csq,
61 | PIRP Irp,
62 | PVOID PeekContext
63 | );
64 |
65 | static
66 | void
67 | NTAPI
68 | SysmonIoCsqAcquireLock(
69 | PIO_CSQ Csq,
70 | PKIRQL Irql
71 | );
72 |
73 | static
74 | void
75 | NTAPI
76 | SysmonIoCsqReleaseLock(
77 | PIO_CSQ Csq,
78 | KIRQL Irql
79 | );
80 |
81 | static
82 | void
83 | NTAPI
84 | SysmonIoCsqCompleteCanceledIrp(
85 | PIO_CSQ Csq,
86 | PIRP Irp
87 | );
88 |
89 |
90 | static
91 | void
92 | InitCsq(CDeviceExtension& DevExt);
93 | };
94 |
95 | #endif
--------------------------------------------------------------------------------
/Sysmon.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Sysmon", "Sysmon\Sysmon.vcxproj", "{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Sysmon.sys", "Sysmon.sys\Sysmon.sys.vcxproj", "{E179CA60-36AC-4DCC-8B87-06214F32DD0B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|Win32.Build.0 = Debug|Win32
18 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|x64.ActiveCfg = Debug|x64
19 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|x64.Build.0 = Debug|x64
20 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|Win32.ActiveCfg = Release|Win32
21 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|Win32.Build.0 = Release|Win32
22 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|x64.ActiveCfg = Release|x64
23 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|x64.Build.0 = Release|x64
24 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|Win32.ActiveCfg = Debug|Win32
25 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|Win32.Build.0 = Debug|Win32
26 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|x64.ActiveCfg = Debug|x64
27 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|x64.Build.0 = Debug|x64
28 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|Win32.ActiveCfg = Release|Win32
29 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|Win32.Build.0 = Release|Win32
30 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|x64.ActiveCfg = Release|x64
31 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|x64.Build.0 = Release|x64
32 | EndGlobalSection
33 | GlobalSection(SolutionProperties) = preSolution
34 | HideSolutionNode = FALSE
35 | EndGlobalSection
36 | EndGlobal
37 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CAttachDevice.cpp:
--------------------------------------------------------------------------------
1 | #include "CAttachDevice.h"
2 | #include "CDebug.h"
3 |
4 |
5 | /**********************************************************************************/
6 | #pragma PAGEDCODE
7 |
8 | CAttachDevice::CAttachDevice(void)
9 | :mDeviceObject(NULL),
10 | mLowDeviceObject(NULL)
11 | {
12 | RtlInitUnicodeString(
13 | &mDriverPath,
14 | L"\\Device\\xxx" );
15 | }
16 |
17 | /**********************************************************************************/
18 | #pragma LOCKEDCODE
19 |
20 | CAttachDevice::~CAttachDevice(void)
21 | {
22 | }
23 |
24 |
25 | /**********************************************************************************/
26 | #pragma INITCODE
27 |
28 | CErrorStatus
29 | CAttachDevice::Init( PDEVICE_OBJECT AttachDevice,
30 | PDEVICE_OBJECT OldDevice )
31 | {
32 | CErrorStatus Error;
33 | Error = STATUS_SUCCESS;
34 |
35 | mDeviceObject = AttachDevice;
36 | mLowDeviceObject = OldDevice;
37 |
38 | return Error;
39 | }
40 |
41 |
42 | /**********************************************************************************/
43 | #pragma LOCKEDCODE
44 |
45 | CErrorStatus
46 | CAttachDevice::Attach(
47 | PDRIVER_OBJECT Driver,
48 | UNICODE_STRING& DeviceName)
49 | {
50 | CErrorStatus Error;
51 | PDEVICE_OBJECT AttachDeviceObject;
52 | PDEVICE_OBJECT OldDeviceObject;
53 |
54 | Error = IoCreateDevice(
55 | Driver,
56 | 0,
57 | NULL,
58 | FILE_DEVICE_UNKNOWN,
59 | 0,
60 | TRUE,
61 | &AttachDeviceObject);
62 |
63 | if ( Error.IsNtSuccess())
64 | {
65 | //AttachDeviceObject->Flags |= DO_DIRECT_IO;
66 |
67 | Error = IoAttachDevice(
68 | AttachDeviceObject,
69 | &DeviceName,
70 | &OldDeviceObject);
71 |
72 | if (Error.IsNtSuccess()) {
73 |
74 | CDebug::DebugOut(
75 | "CAfdAttachDevice: IoAttachDevice(%S): 0x%x\n",
76 | DeviceName.Buffer,
77 | Error);
78 |
79 | Init( AttachDeviceObject,
80 | OldDeviceObject);
81 | }
82 |
83 | //KdPrint(("[tdi_fw] DriverEntry: %S fileobj: 0x%x\n", devname, *fltobj));
84 | //return status;
85 | }
86 | else
87 | {
88 | CDebug::DebugOut(
89 | "CAfdAttachDevice: IoCreateDevice(%S): 0x%x\n",
90 | DeviceName.Buffer,
91 | Error);
92 | }
93 |
94 | return Error;
95 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CUnicodeString.cpp:
--------------------------------------------------------------------------------
1 | #include "CUnicodeString.h"
2 |
3 | /**********************************************************************************/
4 | #pragma LOCKEDCODE
5 |
6 | CUnicodeString::CUnicodeString(void)
7 | {
8 | mString.Buffer = NULL;
9 | mString.Length = 0;
10 | mString.MaximumLength = 0;
11 | }
12 |
13 | /**********************************************************************************/
14 | #pragma LOCKEDCODE
15 |
16 | CUnicodeString::CUnicodeString(const CUnicodeString& String)
17 | {
18 | mString.Buffer = String.mString.Buffer;
19 | mString.Length = String.mString.Length;
20 | mString.MaximumLength = String.mString.MaximumLength;
21 | }
22 |
23 | /**********************************************************************************/
24 | #pragma LOCKEDCODE
25 |
26 | CUnicodeString::CUnicodeString(const PUNICODE_STRING& pString)
27 | {
28 |
29 | if (pString)
30 | {
31 | __try
32 | {
33 | mString.Buffer = pString->Buffer;
34 | mString.Length = pString->Length;
35 | mString.MaximumLength = pString->MaximumLength;
36 | }
37 | __except(EXCEPTION_EXECUTE_HANDLER)
38 | {
39 |
40 | }
41 |
42 | }
43 |
44 | }
45 |
46 | /**********************************************************************************/
47 | #pragma LOCKEDCODE
48 |
49 | CUnicodeString::~CUnicodeString(void)
50 | {
51 | }
52 |
53 | /**********************************************************************************/
54 | #pragma LOCKEDCODE
55 |
56 | PUNICODE_STRING CUnicodeString::operator &()
57 | {
58 | return &mString;
59 | }
60 |
61 | /**********************************************************************************/
62 | #pragma LOCKEDCODE
63 |
64 | CUnicodeString::operator PUNICODE_STRING()
65 | {
66 | return &mString;
67 | }
68 |
69 | /**********************************************************************************/
70 | #pragma LOCKEDCODE
71 |
72 | void CUnicodeString::operator =(const WCHAR* pString)
73 | {
74 | if (pString)
75 | {
76 | RtlInitUnicodeString(&mString,pString);
77 | }
78 | }
79 |
80 | /**********************************************************************************/
81 | #pragma LOCKEDCODE
82 |
83 | void CUnicodeString::operator =(WCHAR* pString)
84 | {
85 | if (pString)
86 | {
87 | RtlInitUnicodeString(&mString,pString);
88 | }
89 | }
--------------------------------------------------------------------------------
/Sysmon.sys/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : Sysmon.sys Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this Sysmon.sys DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your Sysmon.sys application.
9 |
10 |
11 | Sysmon.sys.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | Sysmon.sys.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | Sysmon.sys.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
32 | on the General propert page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named Sysmon.sys.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Sysmon/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | WIN32 APPLICATION : Sysmon Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this Sysmon application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your Sysmon application.
9 |
10 |
11 | Sysmon.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | Sysmon.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | Sysmon.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | AppWizard has created the following resources:
29 |
30 | Sysmon.rc
31 | This is a listing of all of the Microsoft Windows resources that the
32 | program uses. It includes the icons, bitmaps, and cursors that are stored
33 | in the RES subdirectory. This file can be directly edited in Microsoft
34 | Visual C++.
35 |
36 | Resource.h
37 | This is the standard header file, which defines new resource IDs.
38 | Microsoft Visual C++ reads and updates this file.
39 |
40 | Sysmon.ico
41 | This is an icon file, which is used as the application's icon (32x32).
42 | This icon is included by the main resource file Sysmon.rc.
43 |
44 | small.ico
45 | This is an icon file, which contains a smaller version (16x16)
46 | of the application's icon. This icon is included by the main resource
47 | file Sysmon.rc.
48 |
49 | /////////////////////////////////////////////////////////////////////////////
50 | Other standard files:
51 |
52 | StdAfx.h, StdAfx.cpp
53 | These files are used to build a precompiled header (PCH) file
54 | named Sysmon.pch and a precompiled types file named StdAfx.obj.
55 |
56 | /////////////////////////////////////////////////////////////////////////////
57 | Other notes:
58 |
59 | AppWizard uses "TODO:" comments to indicate parts of the source code you
60 | should add to or customize.
61 |
62 | /////////////////////////////////////////////////////////////////////////////
63 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CIrp.h:
--------------------------------------------------------------------------------
1 | #ifndef _CIrp_h
2 | #define _CIrp_h
3 |
4 | #include "cpplib.h"
5 | #include "CErrorStatus.h"
6 |
7 | class CIrp
8 | {
9 | public:
10 | enum IrpStackLocation {Current, Next};
11 | CIrp(void);
12 | CIrp(PIRP pIrp);
13 | ~CIrp();
14 |
15 | operator PIRP (){ return mIrp;};
16 | operator IRP&() {return *mIrp;};
17 | operator const IRP&() const {return *mIrp;};
18 | operator const PIRP() const {return mIrp;};
19 | operator ULONG_PTR(){ return (ULONG_PTR)mIrp; };
20 | PIRP operator->() {return mIrp;};
21 | const PIRP operator->() const {return mIrp;};
22 |
23 | PIRP Get() const;
24 |
25 | NTSTATUS& Status() const;
26 | KPROCESSOR_MODE& RequestorMode() const;
27 | ULONG_PTR& Information() const;
28 | PMDL& MdlAddress() const;
29 | PVOID& UserBuffer() const;
30 | PVOID& DriverContext1() const;
31 | PVOID& DriverContext2() const;
32 | PVOID& DriverContext3() const;
33 | PVOID& DriverContext4() const;
34 | UINT8& MajorFunction() const;
35 | UINT8& MinorFunction() const;
36 | UINT8& Flags() const;
37 | UINT8& Control() const;
38 | ULONG& ReadLength() const;
39 | INT64& ReadPos() const;
40 | ULONG& WriteLength() const;
41 | INT64& WritePos() const;
42 | ULONG& IoctlCode() const;
43 | void *& IoctlOutputBuffer() const;
44 | ULONG& IoctlOutputBufferLength() const;
45 | void *& IoctlInputBuffer() const;
46 | ULONG& IoctlInputBufferLength() const;
47 | void *& IoctlType3InputBuffer() const;
48 | PDEVICE_OBJECT& Device() const;
49 | PFILE_OBJECT& FileObject() const;
50 | PIO_STACK_LOCATION StackLocation() const;
51 | void UseCurrentStackLocation() ;
52 | void UseNextStackLocation();
53 | void CopyStackLocationToNext() const;
54 | void SkipStackLocation() const;
55 |
56 | NTSTATUS Complete( NTSTATUS status,
57 | CCHAR boost = IO_NO_INCREMENT);
58 | void SetCancelRoutine(PDRIVER_CANCEL cancelFunc);
59 | void MarkPending();
60 | void UnmarkPending();
61 |
62 | CErrorStatus BuildDeviceIoControlRequest(
63 | UINT32 IoctlCode,
64 | PDEVICE_OBJECT Device,
65 | const void* InBuf,
66 | UINT32 SizeInBuf,
67 | void * OutBuf,
68 | UINT32 SizeOutBuf,
69 | BOOL Internal,
70 | KEVENT& event,
71 | IO_STATUS_BLOCK& IoStatus);
72 |
73 | CErrorStatus BuildSynchronousFsdRequest(
74 | UINT32 IoctlCode,
75 | PDEVICE_OBJECT Device,
76 | const void* InBuf,
77 | UINT32 nBytes,
78 | INT64 pos,
79 | KEVENT& event,
80 | IO_STATUS_BLOCK& IoStatus);
81 |
82 | NTSTATUS SimpleSend(DEVICE_OBJECT *device);
83 | private:
84 | IRP* mIrp;
85 | IrpStackLocation mStackLocation;
86 | };
87 |
88 | #endif
89 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CPool.h:
--------------------------------------------------------------------------------
1 | #ifndef _CPool_h
2 | #define _CPool_h
3 |
4 | #include "cpplib.h"
5 | #include "CIntNumber.h"
6 |
7 | template
11 | class CPool
12 | {
13 | public:
14 | CPool(void)
15 | {
16 | mPool = NULL;
17 | mPoolSize = 0;
18 | mReference = 0;
19 | }
20 |
21 | CPool(const CPool& Pool )
22 | {
23 | mPool = Pool.mPool;
24 | mPoolSize = Pool.mPoolSize;
25 | mReference = Pool.mReference;
26 | }
27 |
28 | ~CPool(void)
29 | {
30 | if ( mPool &&
31 | AutoRelease == true )
32 | {
33 | Free();
34 | }
35 | }
36 |
37 | operator T*() const
38 | {
39 | return (T*)mPool;
40 | }
41 |
42 | BOOL
43 | operator ==( CIntNumber& Pointer )
44 | {
45 | return (mPool == (T*)((INT3264)Pointer));
46 | }
47 |
48 | BOOL
49 | operator !=( CIntNumber& Pointer )
50 | {
51 | return (mPool != (T*) ((INT3264)Pointer));
52 | }
53 |
54 | const
55 | T&
56 | operator []( INT3264 Index) const
57 | {
58 | if ( Index < Size() &&
59 | Index >= 0 )
60 | {
61 | return ((T*)*this)[Index];
62 | }
63 |
64 | return ((T*)*this)[0];
65 | }
66 |
67 | T&
68 | operator []( INT3264 Index )
69 | {
70 | if ( Index >= Size() ||
71 | Index < 0 )
72 | {
73 | return ((T*)*this)[0];
74 | }
75 |
76 | return ((T*)*this)[Index];
77 | }
78 |
79 | // T&
80 | // operator=( T& _E )
81 | // {
82 | // return _E;
83 | // }
84 |
85 | CPool&
86 | operator=( CPool& _X )
87 | {
88 | mPool = (T*)_X;
89 | mPoolSize = _X.Size();
90 | }
91 |
92 | T* Allocate( SIZE_T _S )
93 | {
94 |
95 | if ( mPool == NULL )
96 | {
97 | mPool = static_cast(ExAllocatePoolWithTag(
98 | PoolType,
99 | _S,
100 | PoolTag));
101 |
102 | if ( mPool )
103 | {
104 | mPoolSize = _S;
105 | }
106 | }
107 |
108 | return static_cast(mPool);
109 | }
110 |
111 | T* Allocate()
112 | {
113 |
114 | if ( mPool == NULL )
115 | {
116 | mPool = static_cast(ExAllocatePoolWithTag( PoolType,
117 | sizeof(T),
118 | PoolTag));
119 |
120 | if ( mPool )
121 | {
122 | mPoolSize = sizeof(T);
123 | }
124 | }
125 |
126 | return mPool;
127 | }
128 |
129 | void Free()
130 | {
131 | if ( mPool )
132 | {
133 | ExFreePool(mPool);
134 | mPool = NULL;
135 | mPoolSize = 0;
136 | }
137 | }
138 |
139 | INT3264 Size()
140 | {
141 | return mPoolSize;
142 | }
143 |
144 | private:
145 |
146 | T* mPool;
147 | ULONG_PTR mPoolSize;
148 | ULONG_PTR mReference;
149 |
150 | };
151 |
152 | #endif
--------------------------------------------------------------------------------
/Sysmon/CDigitalSign.cpp:
--------------------------------------------------------------------------------
1 | #include "StdAfx.h"
2 | #include "CDigitalSign.h"
3 |
4 |
5 | CDigitalSign::CDigitalSign(void)
6 | :m_bInit(false)
7 | ,m_WinVerifyTrust(NULL)
8 | ,m_pWTHelperGetProvSignerFromChain(NULL)
9 | ,m_pWTHelperProvDataFromStateData(NULL)
10 | ,m_pCryptCATAdminReleaseContext(NULL)
11 | ,m_pCryptCATAdminReleaseCatalogContext(NULL)
12 | ,m_pCryptCATCatalogInfoFromContext(NULL)
13 | ,m_pCryptCATAdminEnumCatalogFromHash(NULL)
14 | ,m_pCryptCATAdminCalcHashFromFileHandle(NULL)
15 | ,m_pCryptCATAdminAcquireContext(NULL)
16 | ,m_pCryptCATAdminAddCatalog(NULL)
17 | ,m_pCryptCATAdminRemoveCatalog(NULL)
18 | ,m_pIsCatalogFile(NULL)
19 | ,m_pCertNameToStrW(NULL)
20 | {
21 | }
22 |
23 |
24 | CDigitalSign::~CDigitalSign(void)
25 | {
26 | }
27 |
28 |
29 | bool CDigitalSign::Init()
30 | {
31 | if (!m_bInit)
32 | {
33 | m_bInit = true;
34 |
35 | HMODULE hWinTrust = LoadLibraryW(L"Wintrust.dll");
36 |
37 | if ( !hWinTrust )
38 | return false;
39 |
40 | m_WinVerifyTrust = (pWinVerifyTrust)GetProcAddress(hWinTrust, "WinVerifyTrust");
41 | m_pWTHelperGetProvSignerFromChain = (pWTHelperGetProvSignerFromChain)
42 | GetProcAddress(hWinTrust, "WTHelperGetProvSignerFromChain");
43 |
44 | m_pWTHelperProvDataFromStateData = (pWTHelperProvDataFromStateData)
45 | GetProcAddress(hWinTrust, "WTHelperProvDataFromStateData");
46 |
47 | m_pCryptCATAdminReleaseContext = (pCryptCATAdminReleaseContext)
48 | GetProcAddress(hWinTrust, "CryptCATAdminReleaseContext");
49 |
50 | m_pCryptCATAdminReleaseCatalogContext = (pCryptCATAdminReleaseCatalogContext)
51 | GetProcAddress(hWinTrust, "CryptCATAdminReleaseCatalogContext");
52 |
53 | m_pCryptCATCatalogInfoFromContext = (pCryptCATCatalogInfoFromContext)
54 | GetProcAddress(hWinTrust, "CryptCATCatalogInfoFromContext");
55 |
56 | m_pCryptCATAdminEnumCatalogFromHash = (pCryptCATAdminEnumCatalogFromHash)
57 | GetProcAddress(hWinTrust, "CryptCATAdminEnumCatalogFromHash");
58 |
59 | m_pCryptCATAdminCalcHashFromFileHandle = (pCryptCATAdminCalcHashFromFileHandle)
60 | GetProcAddress(hWinTrust,"CryptCATAdminCalcHashFromFileHandle");
61 |
62 | m_pCryptCATAdminAcquireContext = (pCryptCATAdminAcquireContext)
63 | GetProcAddress(hWinTrust,"CryptCATAdminAcquireContext");
64 |
65 | m_pCryptCATAdminAddCatalog = (pCryptCATAdminAddCatalog)
66 | GetProcAddress(hWinTrust, "CryptCATAdminAddCatalog");
67 |
68 | m_pCryptCATAdminRemoveCatalog = (pCryptCATAdminRemoveCatalog)
69 | GetProcAddress(hWinTrust, "CryptCATAdminRemoveCatalog");
70 |
71 | m_pIsCatalogFile = (pIsCatalogFile)GetProcAddress(hWinTrust, "IsCatalogFile");
72 |
73 | hWinTrust = LoadLibraryW(L"crypt32.dll");
74 | m_pCertNameToStrW = (pCertNameToStrW)GetProcAddress(hWinTrust, "CertNameToStrW");
75 | }
76 |
77 | return m_pCryptCATAdminAcquireContext != 0;
78 | }
--------------------------------------------------------------------------------
/Sysmon/CSsymonEtw.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSsymonEtw_h
2 | #define _CSsymonEtw_h
3 |
4 | #include "CMofDataParser.h"
5 | #include "CSysmonMofData.h"
6 | #include
7 | #include
8 |
9 | typedef void* HEVENT;
10 |
11 | #ifdef __cplusplus
12 | extern "C"{
13 | #endif
14 |
15 | typedef
16 | ULONG
17 | (WINAPI
18 | *pStartTrace)(
19 | PTRACEHANDLE SessionHandle,
20 | LPCTSTR SessionName,
21 | PEVENT_TRACE_PROPERTIES Properties
22 | );
23 |
24 | typedef
25 | ULONG
26 | (WINAPI
27 | *pControlTrace)
28 | (
29 | TRACEHANDLE SessionHandle,
30 | LPCTSTR SessionName,
31 | PEVENT_TRACE_PROPERTIES Properties,
32 | ULONG ControlCode
33 | );
34 |
35 | typedef
36 | TRACEHANDLE
37 | (WINAPI
38 | *pOpenTrace)
39 | (
40 | PEVENT_TRACE_LOGFILE Logfile
41 | );
42 |
43 | typedef
44 | ULONG
45 | (WINAPI
46 | *pProcessTrace)(
47 | _In_ PTRACEHANDLE HandleArray,
48 | _In_ ULONG HandleCount,
49 | _In_ LPFILETIME StartTime,
50 | _In_ LPFILETIME EndTime
51 | );
52 |
53 | #ifdef __cplusplus
54 | };
55 | #endif
56 |
57 | typedef struct _Sysomn_Event_Properties
58 | {
59 | EVENT_TRACE_PROPERTIES Properties;
60 | TCHAR LoggerName[MAX_PATH];
61 | TCHAR LoggerFile[MAX_PATH];
62 | ULONG dwMax1;
63 | ULONG dwMax2;
64 | ULONG dwMax3;
65 | ULONG dwMax4;
66 | ULONG dwMax5;
67 | ULONG dwMax6;
68 | ULONG dwMax7;
69 | ULONG dwMax8;
70 | ULONG dwMax9;
71 | ULONG dwMax10;
72 | }Sysomn_Event_Properties;
73 |
74 | class CSsymonEtw
75 | {
76 | public:
77 | CSsymonEtw(void);
78 | virtual ~CSsymonEtw(void);
79 |
80 | public:
81 | HRESULT StartTrace(BOOL bStart);
82 | ULONG InitData();
83 |
84 | void* GetEventClassPropertyListList(PEVENT_TRACE pEventTrace);
85 | void Enter();
86 | void Leave();
87 | public:
88 | pStartTrace m_pStartTrace;
89 | pControlTrace m_pControlTrace;
90 | pOpenTrace m_pOpenTrace;
91 | pProcessTrace m_pProcessTrace;
92 |
93 | BOOL m_bInit;
94 | BOOL m_bStartTrace;
95 | TRACEHANDLE m_SessionHandle;
96 | HANDLE m_hEtwTraceThread;
97 | HEVENT m_hGlobalEvent;
98 |
99 | BOOL m_bInitData;
100 | CRITICAL_SECTION m_csData;
101 | FILETIME m_SystemTime;
102 |
103 | LARGE_INTEGER m_PerformanceCount;
104 | LARGE_INTEGER m_Frequency;
105 |
106 | UINT64 m_EventClassNums;
107 |
108 | CSysmonMofData m_SysmonMofData;
109 |
110 | CMofDataParser m_MofDataParser;
111 | private:
112 | static
113 | UINT
114 | WINAPI
115 | ProcessTraceThread(void* lp);
116 |
117 | static
118 | UINT
119 | WINAPI
120 | ProcessDataThread(void* lp);
121 |
122 | static
123 | ULONG
124 | WINAPI
125 | BufferCallback(
126 | PEVENT_TRACE_LOGFILE Buffer
127 | );
128 |
129 | static
130 | VOID
131 | WINAPI
132 | EventCallback(
133 | PEVENT_TRACE pEvent
134 | );
135 |
136 | public:
137 | static CSsymonEtw* Instance()
138 | {
139 | if (!_Instace)
140 | {
141 | _Instace = new CSsymonEtw();
142 | }
143 |
144 | return _Instace;
145 | }
146 |
147 | static CSsymonEtw* _Instace;
148 | };
149 |
150 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CMiniFltFilter.h:
--------------------------------------------------------------------------------
1 | #ifndef _CMiniFltFilter_h
2 | #define _CMiniFltFilter_h
3 |
4 | #include
5 | #include "CErrorStatus.h"
6 |
7 | #define MAX_FLT_CONTEXT_REGISTRATION 20
8 | #define MAX_FLT_OPERATION_REGISTRATION 50
9 |
10 | typedef enum _Flt_Fn_Callback
11 | {
12 | kFilterUnloadCallback,
13 | kInstanceSetupCallbac,
14 | kInstanceQueryTeardowCallback,
15 | kInstanceTeardownStartCallback,
16 | kInstanceTeardownCompleteCallback,
17 | kGenerateFileNameCallback,
18 | kNormalizeNameComponentCallback,
19 | kNormalizeContextCleanupCallback,
20 | kTransactionNotificationCallback,
21 | kNormalizeNameComponentExCallback,
22 |
23 | }Flt_Fn_Callback;
24 |
25 | class CMiniFltFilter
26 | {
27 | public:
28 | CMiniFltFilter(void);
29 | virtual ~CMiniFltFilter(void);
30 |
31 | void RegisterCallback(int nIndex,void* pFn);
32 | void RegisterOptRegistration(
33 | int nIdex,
34 | USHORT ContextSize,
35 | FLT_OPERATION_REGISTRATION_FLAGS Flags,
36 | PFLT_PRE_OPERATION_CALLBACK PreOperation,
37 | PFLT_POST_OPERATION_CALLBACK PostOperation,
38 | PVOID Reserved1 = NULL
39 | );
40 |
41 | void RegisterContext(
42 | int nIdex,
43 | FLT_CONTEXT_TYPE ContextType,
44 | USHORT ContextSize,
45 | ULONG PoolTag,
46 | PVOID Reserved1 = NULL
47 | );
48 |
49 | CErrorStatus FltRegisterFilter(PDRIVER_OBJECT DriverObj);
50 |
51 | public:
52 | static
53 | NTSTATUS
54 | NTAPI
55 | FilterUnloadCallback(
56 | FLT_FILTER_UNLOAD_FLAGS Flags
57 | );
58 |
59 | static
60 | NTSTATUS
61 | NTAPI
62 | InstanceSetupCallback(
63 | PCFLT_RELATED_OBJECTS FltObjects,
64 | FLT_INSTANCE_SETUP_FLAGS Flags,
65 | DEVICE_TYPE VolumeDeviceType,
66 | FLT_FILESYSTEM_TYPE VolumeFilesystemType
67 | );
68 |
69 | static
70 | NTSTATUS
71 | NTAPI
72 | InstanceQueryTeardownCallback(
73 | PCFLT_RELATED_OBJECTS FltObjects,
74 | FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
75 | );
76 |
77 | private:
78 | PFLT_FILTER mFilter;
79 | FLT_REGISTRATION mFltRegistration;
80 | FLT_CONTEXT_REGISTRATION mContextRegistration[MAX_FLT_CONTEXT_REGISTRATION];
81 | FLT_OPERATION_REGISTRATION mOptRegistration[MAX_FLT_OPERATION_REGISTRATION];
82 |
83 | PFLT_FILTER_UNLOAD_CALLBACK mFilterUnloadCallback;
84 | PFLT_INSTANCE_SETUP_CALLBACK mInstanceSetupCallback;
85 | PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK mInstanceQueryTeardownCallback;
86 | PFLT_INSTANCE_TEARDOWN_CALLBACK mInstanceTeardownStartCallback;
87 | PFLT_INSTANCE_TEARDOWN_CALLBACK mInstanceTeardownCompleteCallback;
88 | PFLT_GENERATE_FILE_NAME mGenerateFileNameCallback;
89 | PFLT_NORMALIZE_NAME_COMPONENT mNormalizeNameComponentCallback;
90 | PFLT_NORMALIZE_CONTEXT_CLEANUP mNormalizeContextCleanupCallback;
91 | PFLT_TRANSACTION_NOTIFICATION_CALLBACK mTransactionNotificationCallback;
92 | PFLT_NORMALIZE_NAME_COMPONENT_EX mNormalizeNameComponentExCallback;
93 |
94 | #if FLT_MGR_WIN8
95 | PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK mSectionNotificationCallback;
96 | #endif // FLT_MGR_WIN8
97 | };
98 |
99 |
100 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/CSysmonMiniFltFilter.cpp:
--------------------------------------------------------------------------------
1 | #include "CSysmonMiniFltFilter.h"
2 | #include "CSysmonDispatchEngine.h"
3 | #include "CSysmonIoControl.h"
4 |
5 |
6 | #define FLTPOST(Fn) (PFLT_POST_OPERATION_CALLBACK)CSysmonDispatchEngine::Fn
7 | #define FLTPRE(Fn) (PFLT_PRE_OPERATION_CALLBACK)CSysmonDispatchEngine::Fn
8 |
9 | CSysmonMiniFltFilter::CSysmonMiniFltFilter(void)
10 | {
11 | }
12 |
13 |
14 | CSysmonMiniFltFilter::~CSysmonMiniFltFilter(void)
15 | {
16 | }
17 |
18 |
19 | /**********************************************************************************/
20 | #pragma INITCODE
21 |
22 | CErrorStatus CSysmonMiniFltFilter::Init(PDRIVER_OBJECT DriverObj)
23 | {
24 | CErrorStatus Status;
25 | RegisterCallback(
26 | kFilterUnloadCallback,
27 | CSysmonMiniFltFilter::FilterUnloadCallback);
28 |
29 | RegisterCallback(
30 | kInstanceSetupCallbac,
31 | CSysmonMiniFltFilter::InstanceSetupCallback);
32 |
33 | RegisterCallback(
34 | kInstanceQueryTeardowCallback,
35 | CSysmonMiniFltFilter::InstanceQueryTeardownCallback);
36 |
37 | RegisterContext(
38 | 0,
39 | FLT_STREAMHANDLE_CONTEXT,
40 | 2,
41 | 'csyS');
42 |
43 | RegisterContext(
44 | 1,
45 | FLT_STREAMHANDLE_CONTEXT,
46 | sizeof(Sysmon_Flt_Stream_Context),
47 | 'xchf');
48 |
49 | RegisterOptRegistration(
50 | 0,
51 | IRP_MJ_CREATE,
52 | 0,
53 | FLTPRE(SysmonFltPreOperation),
54 | FLTPOST(SysmonFltPostOperation)
55 | );
56 |
57 | RegisterOptRegistration(
58 | 1,
59 | IRP_MJ_CLEANUP,
60 | 0,
61 | FLTPRE(SysmonFltPreOperation),
62 | FLTPOST(SysmonFltPostOperation)
63 | );
64 |
65 | RegisterOptRegistration(
66 | 2,
67 | IRP_MJ_SET_INFORMATION,
68 | 0,
69 | FLTPRE(SysmonFltPreOperation),
70 | FLTPOST(SysmonFltPostOperation)
71 | );
72 |
73 | RegisterOptRegistration(
74 | 3,
75 | IRP_MJ_CLOSE,
76 | 0,
77 | FLTPRE(SysmonFltPreOperation),
78 | FLTPOST(SysmonFltPostOperation)
79 | );
80 |
81 | RegisterOptRegistration(
82 | 4,
83 | IRP_MJ_CREATE_NAMED_PIPE,
84 | 0,
85 | FLTPRE(SysmonFltPreOperation),
86 | FLTPOST(SysmonFltPostOperation)
87 | );
88 |
89 | Status = FltRegisterFilter(DriverObj);
90 |
91 | return Status;
92 | }
93 |
94 | /**********************************************************************************/
95 | #pragma LOCKEDCODE
96 |
97 | NTSTATUS
98 | CSysmonMiniFltFilter::FilterUnloadCallback(
99 | FLT_FILTER_UNLOAD_FLAGS Flags
100 | )
101 | {
102 | return STATUS_SUCCESS;
103 | }
104 |
105 |
106 | /**********************************************************************************/
107 | #pragma LOCKEDCODE
108 |
109 | NTSTATUS
110 | CSysmonMiniFltFilter::InstanceSetupCallback(
111 | PCFLT_RELATED_OBJECTS FltObjects,
112 | FLT_INSTANCE_SETUP_FLAGS Flags,
113 | DEVICE_TYPE VolumeDeviceType,
114 | FLT_FILESYSTEM_TYPE VolumeFilesystemType
115 | )
116 | {
117 |
118 | if ( VolumeDeviceType == FILE_DEVICE_DISK_FILE_SYSTEM)
119 | {
120 | return STATUS_SUCCESS;
121 | }
122 |
123 | // if (VolumeFilesystemType != FLT_FSTYPE_NPFS)
124 | // {
125 | // }
126 | }
127 |
128 |
129 | /**********************************************************************************/
130 | #pragma LOCKEDCODE
131 |
132 | NTSTATUS
133 | CSysmonMiniFltFilter::InstanceQueryTeardownCallback(
134 | PCFLT_RELATED_OBJECTS FltObjects,
135 | FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
136 | )
137 | {
138 | return STATUS_SUCCESS;
139 | }
--------------------------------------------------------------------------------
/Sysmon/CDigitalSign.h:
--------------------------------------------------------------------------------
1 | #ifndef _CDigitalSign_h
2 | #define _CDigitalSign_h
3 | #include
4 |
5 | typedef void* HCATINFO;
6 | typedef void* HCATADMIN;
7 |
8 | typedef struct CATALOG_INFO_ {
9 | DWORD cbStruct;
10 | WCHAR wszCatalogFile[MAX_PATH];
11 | } CATALOG_INFO;
12 |
13 | extern "C"
14 | {
15 | typedef
16 | LONG
17 | ( WINAPI *pWinVerifyTrust)(
18 | HWND hwnd,
19 | GUID *pgActionID,
20 | LPVOID pWVTData);
21 |
22 | typedef
23 | CRYPT_PROVIDER_SGNR*
24 | (WINAPI *pWTHelperGetProvSignerFromChain)(
25 | CRYPT_PROVIDER_DATA *pProvData,
26 | DWORD idxSigner,
27 | BOOL fCounterSigner,
28 | DWORD idxCounterSigner);
29 |
30 | typedef
31 | CRYPT_PROVIDER_DATA * (WINAPI *pWTHelperProvDataFromStateData)(
32 | HANDLE hStateData);
33 |
34 | typedef
35 | BOOL
36 | (WINAPI *pCryptCATAdminReleaseContext)(
37 | IN VOID* hCatAdmin,
38 | IN DWORD dwFlags
39 | );
40 |
41 | typedef
42 | BOOL
43 | (WINAPI *pCryptCATAdminReleaseCatalogContext)(
44 | IN VOID* hCatAdmin,
45 | IN VOID* hCatInfo,
46 | IN DWORD dwFlags
47 | );
48 |
49 | typedef
50 | BOOL
51 | (WINAPI *pCryptCATCatalogInfoFromContext)(
52 | _In_ VOID* hCatInfo,
53 | _Inout_ CATALOG_INFO *psCatInfo,
54 | _In_ DWORD dwFlags
55 | );
56 |
57 | typedef
58 | HCATINFO
59 | (WINAPI *pCryptCATAdminEnumCatalogFromHash)(
60 | HCATADMIN hCatAdmin,
61 | BYTE *pbHash,
62 | DWORD cbHash,
63 | DWORD dwFlags,
64 | HCATINFO *phPrevCatInfo
65 | );
66 |
67 | typedef
68 | BOOL
69 | (WINAPI *pCryptCATAdminCalcHashFromFileHandle)(
70 | HANDLE hFile,
71 | DWORD *pcbHash,
72 | BYTE *pbHash,
73 | DWORD dwFlags
74 | );
75 |
76 | typedef
77 | BOOL
78 | (WINAPI *pCryptCATAdminAcquireContext)(
79 | HCATADMIN *phCatAdmin,
80 | const GUID *pgSubsystem,
81 | DWORD dwFlags
82 | );
83 |
84 | typedef
85 | HCATINFO
86 | (WINAPI *pCryptCATAdminAddCatalog)(
87 | HCATADMIN hCatAdmin,
88 | PWSTR pwszCatalogFile,
89 | PWSTR pwszSelectBaseName,
90 | DWORD dwFlags
91 | );
92 |
93 | typedef
94 | BOOL
95 | (WINAPI *pCryptCATAdminRemoveCatalog)(
96 | IN HCATADMIN hCatAdmin,
97 | IN LPCWSTR pwszCatalogFile,
98 | IN DWORD dwFlags
99 | );
100 |
101 | typedef
102 | BOOL
103 | (WINAPI *pIsCatalogFile)(
104 | IN HANDLE hFile,
105 | WCHAR *pwszFileName
106 | );
107 |
108 | typedef
109 | DWORD
110 | (WINAPI *pCertNameToStrW)(
111 | DWORD dwCertEncodingType,
112 | PCERT_NAME_BLOB pName,
113 | DWORD dwStrType,
114 | LPSTR psz,
115 | DWORD csz
116 | );
117 | };
118 |
119 |
120 |
121 | class CDigitalSign
122 | {
123 | public:
124 | CDigitalSign(void);
125 | virtual ~CDigitalSign(void);
126 |
127 | bool Init();
128 | private:
129 | bool m_bInit;
130 | pWinVerifyTrust m_WinVerifyTrust;
131 | pWTHelperGetProvSignerFromChain m_pWTHelperGetProvSignerFromChain;
132 | pWTHelperProvDataFromStateData m_pWTHelperProvDataFromStateData;
133 | pCryptCATAdminReleaseContext m_pCryptCATAdminReleaseContext;
134 | pCryptCATAdminReleaseCatalogContext m_pCryptCATAdminReleaseCatalogContext;
135 | pCryptCATCatalogInfoFromContext m_pCryptCATCatalogInfoFromContext;
136 | pCryptCATAdminEnumCatalogFromHash m_pCryptCATAdminEnumCatalogFromHash;
137 | pCryptCATAdminCalcHashFromFileHandle m_pCryptCATAdminCalcHashFromFileHandle;
138 | pCryptCATAdminAcquireContext m_pCryptCATAdminAcquireContext;
139 | pCryptCATAdminAddCatalog m_pCryptCATAdminAddCatalog;
140 | pCryptCATAdminRemoveCatalog m_pCryptCATAdminRemoveCatalog;
141 | pIsCatalogFile m_pIsCatalogFile;
142 | pCertNameToStrW m_pCertNameToStrW;
143 | };
144 |
145 | #endif
146 |
147 |
--------------------------------------------------------------------------------
/Sysmon/Sysmon.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 | Resource Files
21 |
22 |
23 | Resource Files
24 |
25 |
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files
41 |
42 |
43 | Header Files
44 |
45 |
46 | Header Files
47 |
48 |
49 | Header Files
50 |
51 |
52 | Header Files
53 |
54 |
55 | Header Files
56 |
57 |
58 | Header Files
59 |
60 |
61 | Header Files
62 |
63 |
64 | Header Files
65 |
66 |
67 |
68 |
69 | Source Files
70 |
71 |
72 | Source Files
73 |
74 |
75 | Source Files
76 |
77 |
78 | Source Files
79 |
80 |
81 | Source Files
82 |
83 |
84 | Source Files
85 |
86 |
87 | Source Files
88 |
89 |
90 | Source Files
91 |
92 |
93 | Source Files
94 |
95 |
96 | Source Files
97 |
98 |
99 | Source Files
100 |
101 |
102 |
103 |
104 | Resource Files
105 |
106 |
107 |
108 |
109 | Source Files
110 |
111 |
112 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CppLib.h:
--------------------------------------------------------------------------------
1 | #ifndef _CPP_LIB_h
2 | #define _CPP_LIB_h
3 | #include
4 | #include
5 |
6 | typedef char CHAR;
7 | typedef unsigned char UCHAR;
8 | typedef unsigned char BOOLEAN;
9 | typedef wchar_t WCHAR;
10 | typedef unsigned char boolean;
11 | typedef unsigned __int32 UINT32;
12 | typedef unsigned int ULONG32, *PULONG32;
13 | typedef unsigned int DWORD32, *PDWORD32;
14 | typedef int BOOL;
15 | typedef signed char INT8, *PINT8;
16 | typedef signed short INT16, *PINT16;
17 | typedef signed int INT32, *PINT32;
18 | typedef signed __int64 INT64, *PINT64;
19 | typedef unsigned char UINT8, *PUINT8;
20 | typedef unsigned short UINT16, *PUINT16;
21 | typedef unsigned int UINT32, *PUINT32;
22 | typedef unsigned __int64 UINT64, *PUINT64;
23 |
24 | typedef __int64 INT64;
25 | typedef __int3264 ADDRPOINT;
26 | typedef __int3264 INT3264;
27 | typedef unsigned int UINT;
28 | typedef unsigned char BYTE;
29 | typedef unsigned long ULONG;
30 | typedef short SHORT;
31 | typedef unsigned short USHORT;
32 |
33 |
34 | #define IsNull(a) (a == NULL)
35 |
36 | #define PAGEDCODE code_seg("PAGE")
37 | #define LOCKEDCODE code_seg()
38 | #define INITCODE code_seg("INIT")
39 |
40 |
41 | #ifndef __cplusplus
42 | extern "C"{
43 | #endif
44 |
45 | // Types
46 |
47 | typedef void (_cdecl *PtrVoidFunc)(void);
48 |
49 | struct AtExitEntry
50 | {
51 | PtrVoidFunc func;
52 | AtExitEntry *next;
53 | };
54 |
55 | // Static variables
56 |
57 | int
58 | _cdecl
59 | atexit(PtrVoidFunc func);
60 |
61 | #ifndef __cplusplus
62 | };
63 | #endif
64 |
65 | typedef enum MemoryType
66 | {
67 | kDefaultMemType = NonPagedPool,
68 | };
69 |
70 | void *
71 | NewHelper(
72 | size_t size,
73 | MemoryType memType);
74 |
75 | void
76 | DeleteHelper(void *p);
77 |
78 | inline
79 | void*
80 | _cdecl
81 | operator new(size_t size)
82 | {
83 | return NewHelper(size,kDefaultMemType);
84 | }
85 |
86 | inline
87 | void *
88 | _cdecl
89 | operator new[](size_t size)
90 | {
91 | return NewHelper(size,kDefaultMemType);
92 | }
93 |
94 | inline
95 | void *
96 | _cdecl
97 | operator new(size_t size, MemoryType memType)
98 | {
99 | return NewHelper(size, memType);
100 | }
101 |
102 | inline
103 | void *
104 | _cdecl
105 | operator new[](size_t size, MemoryType memType)
106 | {
107 | return NewHelper(size, memType);
108 | }
109 |
110 | // Placement new.
111 |
112 | inline
113 | void *
114 | _cdecl
115 | operator new(size_t size, void *pMem)
116 | {
117 | (void) size;
118 | return pMem;
119 | }
120 |
121 | inline
122 | void *
123 | _cdecl
124 | operator new[](size_t size, void *pMem)
125 | {
126 | (void) size;
127 | return pMem;
128 | }
129 |
130 |
131 | // Operator delete functions
132 |
133 | inline
134 | void
135 | _cdecl
136 | operator delete(void *p)
137 | {
138 | DeleteHelper(p);
139 | }
140 |
141 | inline
142 | void
143 | _cdecl
144 | operator delete[](void *p)
145 | {
146 | DeleteHelper(p);
147 | }
148 |
149 | inline
150 | void
151 | _cdecl
152 | operator delete(void *p, MemoryType memType)
153 | {
154 | (void) memType;
155 | DeleteHelper(p);
156 | }
157 |
158 | inline
159 | void
160 | _cdecl
161 | operator delete[](void *p, MemoryType memType)
162 | {
163 | (void) memType;
164 | DeleteHelper(p);
165 | }
166 |
167 |
168 | // Placement delete.
169 |
170 | inline
171 | void
172 | _cdecl
173 | operator delete(void *pMem1, void *pMem2)
174 | {
175 | (void) pMem1;
176 | (void) pMem2;
177 |
178 | return;
179 | }
180 |
181 | inline
182 | void
183 | _cdecl
184 | operator delete[](void *pMem1, void *pMem2)
185 | {
186 | (void) pMem1;
187 | (void) pMem2;
188 | return;
189 | }
190 |
191 | void
192 | CallGlobalConstructors();
193 | void
194 | CallGlobalDestructors();
195 |
196 | extern "C"
197 | EXCEPTION_DISPOSITION
198 | CxxFrameHandler3(
199 | __in void* pExcept, // Information for this exception
200 | __in ULONG_PTR RN, // Dynamic information for this frame
201 | __in void* pContext, // Context info
202 | __in void* pDC // More dynamic info for this frame
203 | );
204 |
205 |
206 | class type_info {
207 | public:
208 | type_info();
209 | virtual ~type_info();
210 |
211 | char const * name() const;
212 |
213 | bool operator==(type_info const & right) const;
214 | bool operator!=(type_info const & right) const;
215 | bool before(type_info const & right) const;
216 |
217 | private:
218 | type_info(type_info const & right);
219 | type_info & operator=(type_info const & right);
220 | };
221 |
222 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CppLib.cpp:
--------------------------------------------------------------------------------
1 | #include "CppLib.h"
2 | #include
3 | #include "CAssert.h"
4 | AtExitEntry *AtExitEntryList = NULL;
5 |
6 |
7 | // Exported variables
8 |
9 | #if defined(_IA64_) || defined(_AMD64_)
10 | #pragma section(".CRT$XCA",long,read)
11 | __declspec(allocate(".CRT$XCA")) void(*__ctors_begin__[1])(void) = { 0 };
12 | #pragma section(".CRT$XCZ",long,read)
13 | __declspec(allocate(".CRT$XCZ")) void(*__ctors_end__[1])(void) = { 0 };
14 | #pragma data_seg()
15 | #else
16 | #pragma data_seg(".CRT$XCA")
17 | void(*__ctors_begin__[1])(void) = { 0 };
18 | #pragma data_seg(".CRT$XCZ")
19 | void(*__ctors_end__[1])(void) = { 0 };
20 | #pragma data_seg()
21 | #endif
22 |
23 | #pragma data_seg(".STL$A")
24 | void(*___StlStartInitCalls__[1])(void) = { 0 };
25 | #pragma data_seg(".STL$L")
26 | void(*___StlEndInitCalls__[1])(void) = { 0 };
27 | #pragma data_seg(".STL$M")
28 | void(*___StlStartTerminateCalls__[1])(void) = { 0 };
29 | #pragma data_seg(".STL$Z")
30 | void(*___StlEndTerminateCalls__[1])(void) = { 0 };
31 | #pragma data_seg()
32 |
33 |
34 | #pragma data_seg(".CRT$XCA")
35 | PtrVoidFunc __xc_a[] = {NULL};
36 | #pragma data_seg(".CRT$XCZ")
37 | PtrVoidFunc __xc_z[] = {NULL};
38 | #pragma data_seg()
39 |
40 | // Functions
41 |
42 | EXTERN_C
43 | int
44 | __cdecl _cinit(
45 | __in int
46 | )
47 | {
48 | for (void(**ctor)(void) = __ctors_begin__ + 1;
49 | ctor < __ctors_end__;
50 | ctor++)
51 | {
52 | (*ctor)();
53 | }
54 | return 0;
55 | }
56 |
57 | int
58 | _cdecl
59 | atexit(PtrVoidFunc func)
60 | {
61 | AtExitEntry *newEntry;
62 |
63 | if (!func)
64 | {
65 | return 0;
66 | }
67 |
68 | newEntry = new AtExitEntry;
69 |
70 | if (IsNull(newEntry))
71 | return 0;
72 |
73 | newEntry->func = func;
74 |
75 | newEntry->next = AtExitEntryList;
76 | AtExitEntryList = newEntry;
77 |
78 | return 1;
79 | }
80 |
81 | EXTERN_C
82 | void
83 | __cdecl doexit(
84 | __in int /*code*/,
85 | __in int /*quick*/,
86 | __in int /*retcaller*/
87 | )
88 | {
89 | for (AtExitEntry* entry = AtExitEntryList; entry;)
90 | {
91 | AtExitEntry* next = entry->next;
92 | delete entry;
93 | entry = next;
94 | }
95 | }
96 |
97 | void *
98 | NewHelper(
99 | size_t size,
100 | MemoryType memType)
101 | {
102 | CAssert(size);
103 |
104 | if ( size == 0 )
105 | size = 1; // required by standard!
106 |
107 | //#if PGP_DEBUG
108 | void *pMem = ExAllocatePoolWithTag(
109 | (POOL_TYPE)memType,
110 | size,
111 | 'zpmt');
112 | //#else // !PGPDISK_DEBUG
113 | //void *pMem = ExAllocatePool(NonPagedPool, size);
114 | //#endif // PGPDISK_DEBUG
115 |
116 | // #if PGP_DEBUG
117 | // if (IsntNull(pMem))
118 | // pgpDebugWhackMemory(pMem, size);
119 | // #endif // PGP_DEBUG
120 |
121 | return pMem;
122 | };
123 |
124 | void
125 | DeleteHelper(void *p)
126 | {
127 | if ( IsNull(p) )
128 | ExFreePool(p);
129 | }
130 |
131 | void
132 | CallGlobalConstructors()
133 | {
134 | PtrVoidFunc *pfbegin, *pfend;
135 |
136 | pfbegin = __xc_a;
137 | pfend = __xc_z;
138 |
139 | while (pfbegin < pfend)
140 | {
141 | if (*pfbegin != NULL)
142 | (**pfbegin)();
143 |
144 | ++pfbegin;
145 | }
146 | }
147 |
148 | void
149 | CallGlobalDestructors()
150 | {
151 | AtExitEntry *curEntry, *nextEntry;
152 |
153 | curEntry = AtExitEntryList;
154 |
155 | while (IsNull(curEntry))
156 | {
157 | curEntry->func();
158 | nextEntry = curEntry->next;
159 | delete curEntry;
160 | curEntry = nextEntry;
161 | }
162 | }
163 |
164 |
165 | //except
166 |
167 | EXCEPTION_DISPOSITION
168 | CxxFrameHandler3(
169 | __in void* pExcept, // Information for this exception
170 | __in ULONG_PTR RN, // Dynamic information for this frame
171 | __in void* pContext, // Context info
172 | __in void* pDC // More dynamic info for this frame
173 | )
174 | {
175 | __debugbreak();
176 | return EXCEPTION_DISPOSITION::ExceptionNestedException;
177 | }
178 |
179 | #ifdef _WIN64
180 |
181 | extern "C"
182 | void
183 | _CxxThrowException(
184 | __in void *,
185 | __in _ThrowInfo *
186 | )
187 | {
188 | }
189 |
190 | #else
191 |
192 | extern "C"
193 | void
194 | __stdcall
195 | _CxxThrowException(
196 | __in void *,
197 | __in _ThrowInfo *
198 | )
199 | {
200 | }
201 |
202 |
203 | #endif
204 |
205 | type_info::type_info() {
206 | }
207 |
208 | type_info::~type_info() {
209 | }
210 |
211 | char const *
212 | type_info::name() const {
213 | return "N/A";
214 | }
215 |
216 | bool
217 | type_info::operator==(type_info const & right) const {
218 | return false;
219 | }
220 |
221 | bool
222 | type_info::operator!=(type_info const & right) const {
223 | return false;
224 | }
225 |
226 | bool
227 | type_info::before(type_info const & right) const {
228 | return false;
229 | }
230 |
231 | type_info::type_info(type_info const & right) {
232 | }
233 |
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CDeviceObject.cpp:
--------------------------------------------------------------------------------
1 |
2 | #include "CDeviceObject.h"
3 | #include "CAssert.h"
4 | #include "CDebug.h"
5 |
6 | CDeviceObject::CDeviceObject(void)
7 | :mDeviceObject(NULL)
8 | {
9 | }
10 |
11 | CDeviceObject::CDeviceObject(PDEVICE_OBJECT Device)
12 | {
13 | mDeviceObject = Device;
14 | }
15 |
16 | CDeviceObject::CDeviceObject(const CDeviceObject& Device)
17 | {
18 | mDeviceObject = Device.mDeviceObject;
19 | }
20 |
21 | CDeviceObject::~CDeviceObject(void)
22 | {
23 | mDeviceObject = NULL;
24 | }
25 |
26 |
27 | CDeviceObject::operator const PDEVICE_OBJECT() const
28 | {
29 | return mDeviceObject;
30 | }
31 |
32 | CDeviceObject::operator PDEVICE_OBJECT &()
33 | {
34 | return mDeviceObject;
35 | }
36 |
37 | PDEVICE_OBJECT* CDeviceObject::operator &()
38 | {
39 | return &mDeviceObject;
40 | }
41 |
42 | void CDeviceObject::operator =(PDEVICE_OBJECT Device)
43 | {
44 | mDeviceObject = Device;
45 | }
46 |
47 | bool CDeviceObject::operator !=(PDEVICE_OBJECT DeviceObject)
48 | {
49 | return (mDeviceObject != DeviceObject);
50 | }
51 |
52 | bool CDeviceObject::operator !()
53 | {
54 | return (mDeviceObject == NULL);
55 | }
56 |
57 | ULONG& CDeviceObject::Flags()
58 | {
59 | return mDeviceObject->Flags;
60 | }
61 |
62 | PVOID& CDeviceObject::DeviceExtension()
63 | {
64 | return mDeviceObject->DeviceExtension;
65 | }
66 |
67 | PDRIVER_OBJECT& CDeviceObject::DriverObject()
68 | {
69 | return mDeviceObject->DriverObject;
70 | }
71 |
72 | ULONG& CDeviceObject::DeviceType()
73 | {
74 | return mDeviceObject->DeviceType;
75 | }
76 |
77 | PDEVICE_OBJECT& CDeviceObject::AttachedDevice()
78 | {
79 | return mDeviceObject->AttachedDevice;
80 | }
81 |
82 | PDEVICE_OBJECT& CDeviceObject::NextDevice()
83 | {
84 | return mDeviceObject->NextDevice;
85 | }
86 |
87 | ULONG& CDeviceObject::Characteristics()
88 | {
89 | return mDeviceObject->Characteristics;
90 | }
91 |
92 |
93 | /**********************************************************************************/
94 | #pragma LOCKEDCODE
95 |
96 | CErrorStatus
97 | CDeviceObject::Init(
98 | PDRIVER_OBJECT Driver,
99 | CStackStringW<256>& DeviceName,
100 | CStackStringW<256>& DosDeviceName,
101 | const UINT32 DeviceExtSize
102 | )
103 | {
104 | CErrorStatus Error;
105 | UINT32 Index;
106 | CUnicodeString IoDeviceName;
107 | Index = 0;
108 | IoDeviceName = &DeviceName;
109 | Error = Create(
110 | Driver,
111 | DeviceExtSize,
112 | IoDeviceName,
113 | FILE_DEVICE_UNKNOWN,
114 | 0,
115 | FALSE
116 | );
117 |
118 | if (Error.IsNtSuccess())
119 | {
120 | Error = Link(&DosDeviceName,IoDeviceName);
121 |
122 | if ( !Error.IsNtSuccess() )
123 | {
124 | Delete();
125 | }
126 | else
127 | {
128 | Flags() &= 0xFFFFFF7F;
129 | }
130 | }
131 |
132 | return Error;
133 | }
134 |
135 | /**********************************************************************************/
136 | #pragma LOCKEDCODE
137 |
138 | CErrorStatus
139 | CDeviceObject::Create(
140 | PDRIVER_OBJECT DriverObject,
141 | const UINT32 DeviceExtSize,
142 | CUnicodeString& DeviceName,
143 | DEVICE_TYPE DeviceType,
144 | UINT32 DeviceChars,
145 | BOOL Exclusive
146 | )
147 | {
148 | CErrorStatus Error;
149 | CAssert(!IsAttached());
150 |
151 | Error = ::IoCreateDevice(
152 | DriverObject,
153 | DeviceExtSize,
154 | (PUNICODE_STRING)DeviceName,
155 | DeviceType,
156 | DeviceChars,
157 | Exclusive,
158 | &mDeviceObject);
159 |
160 | if ( Error.IsNtSuccess())
161 | {
162 | // CDebug::DebugOut(
163 | // "CDeviceObject::IoCreateDevice(%S): 0x%x\n",
164 | // DeviceName.Buffer,
165 | // Error);
166 |
167 | }
168 |
169 | return Error;
170 | }
171 |
172 | /**********************************************************************************/
173 | #pragma LOCKEDCODE
174 |
175 | CErrorStatus
176 | CDeviceObject::Link(
177 | const WCHAR* LinkName,
178 | CUnicodeString& DeviceName) const
179 | {
180 | CErrorStatus Error;
181 | CUnicodeString DeviceLinkName;
182 | CAssert(IsAttached());
183 | CAssert(WeCreated());
184 | CAssert(!WeLinked());
185 |
186 | do
187 | {
188 | if (!LinkName)
189 | {
190 | Error = STATUS_INVALID_ADDRESS;
191 | break;
192 | }
193 |
194 | DeviceLinkName = LinkName;
195 | Error = IoCreateSymbolicLink(
196 | DeviceLinkName,
197 | DeviceName
198 | );
199 |
200 | } while (FALSE);
201 |
202 | return Error;
203 | }
204 |
205 | /**********************************************************************************/
206 | #pragma PAGEDCODE
207 |
208 | void CDeviceObject::Delete()
209 | {
210 | if (mDeviceObject)
211 | {
212 | ::IoDeleteDevice(mDeviceObject);
213 | }
214 |
215 | }
216 |
217 | /**********************************************************************************/
218 | #pragma PAGEDCODE
219 |
220 | void CDeviceObject::DeleteSymbolicLink(CStackStringW<256>& SymbolicLink)
221 | {
222 | CUnicodeString SymbolicLinkName;
223 | SymbolicLinkName = SymbolicLink;
224 | ::IoDeleteSymbolicLink(SymbolicLinkName);
225 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CFilterDevice.cpp:
--------------------------------------------------------------------------------
1 | #include "CFilterDevice.h"
2 | #include "CIrp.h"
3 | #include "CppLib.h"
4 | #include "CAssert.h"
5 |
6 | WCHAR* CFilterDevice::sDeviceName = L"\\Device\\XXXXXXX";
7 | WCHAR* CFilterDevice::sLinkName = L"\\DosDevices\\XXXXXXX";
8 |
9 |
10 | CFilterDevice::CFilterDevice(void)
11 | :mDeviceObject(NULL),
12 | mDriverObject(NULL),
13 | mIsAttached(FALSE),
14 | mWeCreated(FALSE),
15 | mWeLinked(NULL),
16 | mFileObjectToUse(NULL),
17 | mDispatchFunc(NULL),
18 | mRefPtr(NULL),
19 | mIsRelease(FALSE)
20 | {
21 | }
22 |
23 |
24 | CFilterDevice::~CFilterDevice(void)
25 | {
26 | }
27 |
28 | CErrorStatus
29 | CFilterDevice::Init( PDRIVER_OBJECT Driver,
30 | PUNICODE_STRING Registry,
31 | const UINT32 DeviceExtSize)
32 | {
33 |
34 | CErrorStatus Error;
35 | UINT32 Index;
36 |
37 | Index = 0;
38 |
39 | Error = Create( Driver,
40 | DeviceExtSize,
41 | sDeviceName,
42 | FILE_DEVICE_UNKNOWN,
43 | 0,
44 | FALSE,
45 | NULL,
46 | NULL );
47 |
48 | if (Error.IsNtSuccess())
49 | {
50 |
51 | // for ( Index = 0; Index < IRP_MJ_MAXIMUM_FUNCTION ; Index++)
52 | // {
53 | // Driver->MajorFunction[Index] = CAfdFilterDispatch::FilterDispatch;
54 | // }
55 | //Error = AfdFastIo.Init(Driver);
56 |
57 | //if (Error.IsNtSuccess())
58 | //{
59 | //Error = CZPMountEngine::Init(this);
60 |
61 | //if ( Error.IsNtSuccess())
62 | //{
63 | Error = Link(sLinkName);
64 |
65 | if ( !Error.IsNtSuccess() )
66 | {
67 | Delete();
68 |
69 | }
70 | else
71 | {
72 | // Error = ToAttachDevice( L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Afd" );
73 | //
74 | // if ( !Error.IsNtSuccess())
75 | // {
76 | // Unlink();
77 | // Delete();
78 | // }
79 | }
80 | //}
81 | //}
82 |
83 | mIsRelease = TRUE;
84 |
85 | }
86 |
87 | return Error;
88 | }
89 |
90 | CErrorStatus
91 | CFilterDevice::Create(
92 | PDRIVER_OBJECT DriverObject,
93 | const UINT32 DeviceExtSize,
94 | const WCHAR* DeviceName,
95 | DEVICE_TYPE DeviceType,
96 | UINT32 DeviceChars,
97 | BOOL Exclusive,
98 | IrpDispatchFunc DispatchFunc,
99 | void *RefPtr)
100 | {
101 | CErrorStatus Error;
102 | CAssert(!IsAttached());
103 | CAssertAddrValid( DispatchFunc, IrpDispatchFunc);
104 |
105 | RtlInitUnicodeString(
106 | &mDeviceName ,
107 | DeviceName );
108 |
109 | Error = IoCreateDevice(
110 | DriverObject,
111 | DeviceExtSize,
112 | &mDeviceName,
113 | DeviceType,
114 | DeviceChars,
115 | Exclusive,
116 | &mDeviceObject);
117 |
118 | if ( Error.IsNtSuccess())
119 | {
120 | mDriverObject = DriverObject;
121 | mDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
122 | mDeviceObject->Flags |= DO_DIRECT_IO;
123 | mDeviceObject->DeviceExtension = this;
124 |
125 | mIsAttached = TRUE;
126 | mWeCreated = TRUE;
127 | mDispatchFunc = DispatchFunc;
128 | mRefPtr = RefPtr;
129 | }
130 |
131 | return Error;
132 | }
133 |
134 | void
135 | CFilterDevice::Delete()
136 | {
137 | CAssert(IsAttached());
138 | CAssert(WeCreated());
139 | CAssert(!WeLinked());
140 |
141 | IoDeleteDevice(mDeviceObject);
142 |
143 | //mDeviceName.Empty();
144 | mIsAttached = FALSE;
145 | mDeviceObject = NULL;
146 | mDispatchFunc = NULL;
147 | mRefPtr = NULL;
148 | }
149 |
150 |
151 | CErrorStatus
152 | CFilterDevice::Link(const WCHAR* LinkName)
153 | {
154 | CErrorStatus Error;
155 | CAssert(IsAttached());
156 | CAssert(WeCreated());
157 | CAssert(!WeLinked());
158 |
159 | RtlInitUnicodeString( &mDeviceLinkName,
160 | LinkName );
161 |
162 | //if ( Error.IsNtSuccess() )
163 | //{
164 | Error = IoCreateSymbolicLink(
165 | &mDeviceLinkName,
166 | &mDeviceName
167 | );
168 | //}
169 |
170 | if ( Error.IsNtSuccess())
171 | {
172 | mWeLinked = TRUE;
173 | }
174 |
175 | return Error;
176 | }
177 |
178 | CErrorStatus
179 | CFilterDevice::Unlink()
180 | {
181 | CErrorStatus Error;
182 | CAssert(IsAttached());
183 | CAssert(WeCreated());
184 | CAssert(WeLinked());
185 |
186 | Error = IoDeleteSymbolicLink(
187 | &mDeviceLinkName
188 | );
189 |
190 |
191 | if ( Error.IsNtSuccess() )
192 | {
193 | mWeLinked = FALSE;
194 | }
195 |
196 | return Error;
197 | }
198 |
199 | CErrorStatus
200 | CFilterDevice::ToAttachDevice( WCHAR* DeviceName )
201 | {
202 | CErrorStatus Error;
203 | UNICODE_STRING AttachDeviceName;
204 | PDEVICE_OBJECT DeviceObject;
205 | FILE_OBJECT* FileObject;
206 |
207 |
208 | RtlInitUnicodeString( &AttachDeviceName , DeviceName);
209 |
210 | Error = ZwLoadDriver(&AttachDeviceName);
211 |
212 | if ( Error.IsNtSuccess() ||
213 | Error == STATUS_IMAGE_ALREADY_LOADED )
214 | {
215 | RtlInitUnicodeString(&AttachDeviceName, L"\\Device\\Afd");
216 | Error = IoGetDeviceObjectPointer(
217 | &AttachDeviceName,
218 | FILE_READ_ATTRIBUTES,
219 | &FileObject,
220 | &DeviceObject);
221 |
222 | if ( Error.IsNtSuccess() )
223 | {
224 | Error = mAttachDevice.Attach( mDriverObject,AttachDeviceName);
225 |
226 | if ( Error.IsNtSuccess() )
227 | {
228 | mIsAttached = TRUE;
229 | }
230 | }
231 | }
232 |
233 | return Error;
234 | }
235 |
236 |
237 | PDEVICE_OBJECT
238 | CFilterDevice::Device()
239 | {
240 | return mDeviceObject;
241 | }
242 |
243 | CAttachDevice&
244 | CFilterDevice::AttachDevice()
245 | {
246 | CAttachDevice AttachDev;
247 | return AttachDev;
248 | }
--------------------------------------------------------------------------------
/Sysmon/undname.h:
--------------------------------------------------------------------------------
1 | //
2 | // Copyright (c) Microsoft Corporation. All rights reserved.
3 | //
4 | //
5 | // This source code is licensed under Microsoft Shared Source License
6 | // Version 1.0 for Windows CE.
7 | // For a copy of the license visit http://go.microsoft.com/fwlink/?LinkId=3223.
8 | //
9 |
10 |
11 | // #if !defined(_M_I86)
12 | // // The 32-bit compiler
13 | // #define __far
14 | // #define __near
15 | // #define __pascal
16 | // #define __loadds
17 | // #endif
18 | // typedef char * pchar_t;
19 | // typedef const char * pcchar_t;
20 | // typedef void * ( __cdecl * Alloc_t )( unsigned int );
21 | // typedef void ( __cdecl * Free_t )( void * );
22 | // typedef char * ( __cdecl * GetParameter_t )( long );
23 | // #ifdef __cplusplus
24 | // extern "C"
25 | // #endif
26 | // _CRTIMP pchar_t __cdecl __unDName (
27 | // pchar_t, // User supplied buffer (or NULL)
28 | // pcchar_t, // Input decorated name
29 | // int, // Maximum length of user buffer
30 | // Alloc_t, // Address of heap allocator
31 | // Free_t, // Address of heap deallocator
32 | // unsigned short // Feature disable flags
33 | // );
34 | // #ifdef __cplusplus
35 | // extern "C"
36 | // #endif
37 | // _CRTIMP pchar_t __cdecl __unDNameEx (
38 | // pchar_t, // User supplied buffer (or NULL)
39 | // pcchar_t, // Input decorated name
40 | // int, // Maximum length of user buffer
41 | // Alloc_t, // Address of heap allocator
42 | // Free_t, // Address of heap deallocator
43 | // GetParameter_t, // Function to get any template parameters
44 | // unsigned long // Feature disable flags
45 | // );
46 | // /*
47 | // * The user may provide a buffer into which the undecorated declaration
48 | // * is to be placed, in which case, the length field must be specified.
49 | // * The length is the maximum number of characters (including the terminating
50 | // * NULL character) which may be written into the user buffer.
51 | // *
52 | // * If the output buffer is NULL, the length field is ignored, and the
53 | // * undecorator will allocate a buffer exactly large enough to hold the
54 | // * resulting declaration. It is the users responsibility to deallocate
55 | // * this buffer.
56 | // *
57 | // * The user may also supply the allocator and deallocator functions if
58 | // * they wish. If they do, then all heap actions performed by the routine
59 | // * will use the provided heap functions.
60 | // *
61 | // * If the allocator address is NULL, then the routine will default to using
62 | // * the standard allocator and deallocator functions, 'malloc' and 'free'.
63 | // *
64 | // * If an error occurs internally, then the routine will return NULL. If
65 | // * it was successful, it will return the buffer address provided by the
66 | // * user, or the address of the buffer allocated on their behalf, if they
67 | // * specified a NULL buffer address.
68 | // *
69 | // * If a given name does not have a valid undecoration, the original name
70 | // * is returned in the output buffer.
71 | // *
72 | // * Fine selection of a number of undecorator attributes is possible, by
73 | // * specifying flags (bit-fields) to disable the production of parts of the
74 | // * complete declaration. The flags may be OR'ed together to select multiple
75 | // * disabling of selected fields. The fields and flags are as follows :-
76 | // */
77 | // #define UNDNAME_COMPLETE (0x0000) // Enable full undecoration
78 | // #define UNDNAME_NO_LEADING_UNDERSCORES (0x0001) // Remove leading underscores from MS extended keywords
79 | // #define UNDNAME_NO_MS_KEYWORDS (0x0002) // Disable expansion of MS extended keywords
80 | // #define UNDNAME_NO_FUNCTION_RETURNS (0x0004) // Disable expansion of return type for primary declaration
81 | // #define UNDNAME_NO_ALLOCATION_MODEL (0x0008) // Disable expansion of the declaration model
82 | // #define UNDNAME_NO_ALLOCATION_LANGUAGE (0x0010) // Disable expansion of the declaration language specifier
83 | // #define UNDNAME_NO_MS_THISTYPE (0x0020) /* NYI */ // Disable expansion of MS keywords on the 'this' type for primary declaration
84 | // #define UNDNAME_NO_CV_THISTYPE (0x0040) /* NYI */ // Disable expansion of CV modifiers on the 'this' type for primary declaration
85 | // #define UNDNAME_NO_THISTYPE (0x0060) // Disable all modifiers on the 'this' type
86 | // #define UNDNAME_NO_ACCESS_SPECIFIERS (0x0080) // Disable expansion of access specifiers for members
87 | // #define UNDNAME_NO_THROW_SIGNATURES (0x0100) // Disable expansion of 'throw-signatures' for functions and pointers to functions
88 | // #define UNDNAME_NO_MEMBER_TYPE (0x0200) // Disable expansion of 'static' or 'virtual'ness of members
89 | // #define UNDNAME_NO_RETURN_UDT_MODEL (0x0400) // Disable expansion of MS model for UDT returns
90 | // #define UNDNAME_32_BIT_DECODE (0x0800) // Undecorate 32-bit decorated names
91 | // #define UNDNAME_NAME_ONLY (0x1000) // Crack only the name for primary declaration;
92 | // // return just [scope::]name. Does expand template params
93 | // #define UNDNAME_TYPE_ONLY (0x2000) // Input is just a type encoding; compose an abstract declarator
94 | // #define UNDNAME_HAVE_PARAMETERS (0x4000) // The real templates parameters are available
95 | // #define UNDNAME_NO_ECSU (0x8000) // Suppress enum/class/struct/union
96 | // #define UNDNAME_NO_IDENT_CHAR_CHECK (0x10000) // Suppress check for IsValidIdentChar
--------------------------------------------------------------------------------
/Sysmon/CSysmonMofData.h:
--------------------------------------------------------------------------------
1 | #ifndef _CSysmonMofData_h
2 | #define _CSysmonMofData_h
3 |
4 | #include "Sysmon.h"
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 |
14 | extern "C"
15 | {
16 | typedef HRESULT (WINAPI * pSafeArrayDestroy)(SAFEARRAY *);
17 | typedef HRESULT (WINAPI * pSafeArrayGetElement)(SAFEARRAY * , LONG *, void *);
18 | };
19 |
20 |
21 | typedef struct _CTcpIpInfo
22 | {
23 | BSTR NetName;
24 | ULONG NetType;
25 | }CTcpIpInfo;
26 |
27 | typedef struct _Sysmon_Net_Report
28 | {
29 | ULONG NrSize;
30 | ULONG NrProcessId;
31 | ULONG NrThreadId;
32 | GUID NrGuid;
33 | LARGE_INTEGER NrSystemTime;
34 | ULONG NrEventType;
35 | ULONG NrUdpOrTcp;
36 | }Sysmon_Net_Report;
37 |
38 | class CSysmonData
39 | {
40 | friend class CSysmonDataEntry;
41 | friend class CSysmonProperty;
42 | friend class CSysmonMofData;
43 | public:
44 | CSysmonData();
45 | ~CSysmonData();
46 |
47 | BOOL Compare(BSTR pString);
48 | BOOL CompareN(BSTR pString,ULONG Size);
49 |
50 | LONG Len()
51 | {
52 | if (m_pData)
53 | {
54 | __try
55 | {
56 | return lstrlen(m_pData);
57 | }
58 | __except(EXCEPTION_EXECUTE_HANDLER)
59 | {
60 |
61 | }
62 |
63 | }
64 | return 0;
65 | }
66 | private:
67 | BSTR m_pData;
68 | void* m_pAlloc;
69 | LONG m_Reference;
70 | };
71 |
72 | class CSysmonEventList
73 | {
74 | friend class CSysmonMofData;
75 | public:
76 | CSysmonEventList();
77 | ~CSysmonEventList();
78 | BOOL IsListEmpty()
79 | {
80 | return ::IsListEmpty(&m_Entry);
81 | }
82 |
83 | CSysmonEventList(LIST_ENTRY* Fink,LIST_ENTRY* Blink);
84 | CSysmonEventList* InsertBack(LIST_ENTRY* Blink,void* pElm);
85 | private:
86 | void* m_pEvent;
87 | public:
88 | LIST_ENTRY m_Entry;
89 | };
90 |
91 | class CSysmonDataEntry
92 | {
93 | friend class CSysmonMofData;
94 | public:
95 | CSysmonDataEntry();
96 | CSysmonDataEntry(GUID* Guid,USHORT Type,USHORT Version,USHORT Level);
97 | ~CSysmonDataEntry();
98 | void operator =(CSysmonDataEntry* pDataEntry);
99 | CSysmonDataEntry* InitData(CSysmonData** pData,BSTR pString);
100 | LONG GetCLassNameLen();
101 |
102 | private:
103 | CSysmonData* m_EventClassName;
104 | CSysmonData* m_EventTypeName;
105 | GUID m_EventGuid;
106 | USHORT m_EventType;
107 | USHORT m_EventVersion;
108 | USHORT m_EventLevel;
109 |
110 | ULONG m_ProperitySize;
111 | CSysmonEventList* m_ProperityList;
112 | };
113 |
114 | class CSysmonProperty
115 | {
116 | friend class CSysmonMofData;
117 | public:
118 | CSysmonProperty()
119 | :m_Data(NULL)
120 | ,m_Len(0),
121 | m_ArraySize(0)
122 | {
123 |
124 | }
125 |
126 | CSysmonProperty(BSTR pName,LONG Len,LONG ArraySize)
127 | :m_Data(NULL)
128 | ,m_Len(0),
129 | m_ArraySize(0)
130 | {
131 |
132 | if (pName)
133 | {
134 | InitData(&m_Data,pName);
135 | }
136 | m_Len = Len;
137 | m_ArraySize = ArraySize;
138 |
139 | }
140 |
141 | ~CSysmonProperty()
142 | {
143 |
144 | }
145 |
146 | void InitData(CSysmonData** pData,BSTR pString)
147 | {
148 | BSTR pOldData = 0;
149 | if (pData && *pData)
150 | {
151 | pOldData = (*pData)->m_pData;
152 | }
153 |
154 | if (!pString || pOldData != pString)
155 | {
156 | if (*pData)
157 | {
158 | if ( !InterlockedDecrement((volatile LONG *)&(*pData)->m_Reference))
159 | {
160 | if ((*pData)->m_pData)
161 | {
162 | SysFreeString((*pData)->m_pData);
163 | (*pData)->m_pData = 0;
164 | }
165 |
166 | if ( (*pData)->m_pAlloc )
167 | {
168 | delete (*pData)->m_pAlloc;
169 | (*pData)->m_pAlloc = 0;
170 | }
171 |
172 | delete (*pData);
173 | }
174 |
175 | (*pData) = NULL;
176 | }
177 | }
178 |
179 | CSysmonData* pNew = new CSysmonData();
180 |
181 | if (pNew)
182 | {
183 | pNew->m_pAlloc = 0;
184 | pNew->m_Reference = 1;
185 | pNew->m_pData = SysAllocString(pString);
186 |
187 | if ( !pNew->m_pData && pString )
188 | {
189 | // LogError(0x8007000E);
190 | }
191 | }
192 | else
193 | {
194 | //LogError(0x8007000E);
195 | }
196 |
197 | *pData = pNew;
198 | }
199 |
200 | private:
201 | CSysmonData* m_Data;
202 | LONG m_Len;
203 | LONG m_ArraySize;
204 | };
205 |
206 | class CSysmonMofData
207 | {
208 | public:
209 | CSysmonMofData(void);
210 | virtual ~CSysmonMofData(void);
211 |
212 | public:
213 | CSysmonDataEntry* GetEventCategoryClass(
214 | GUID* ClassGuid,
215 | USHORT Version,
216 | USHORT Level,
217 | USHORT Type);
218 |
219 | CSysmonDataEntry* GetPropertyList(
220 | IWbemClassObject* pClass,
221 | GUID* ClassGuid,
222 | USHORT Version,
223 | USHORT Level,
224 | USHORT Type);
225 |
226 | void SysmonAddProperityList(
227 | CSysmonEventList* pList,
228 | BSTR ProperityName,
229 | LONG Len,
230 | LONG ArraySize);
231 |
232 | CSysmonDataEntry* Phase_1(
233 | GUID* ClassGuid,
234 | USHORT Version,
235 | USHORT Level,
236 | USHORT Type);
237 |
238 | void Phase_2(
239 | PEVENT_TRACE pEvent,
240 | CSysmonDataEntry* pDataEntry
241 | );
242 |
243 | HRESULT CoCreateInstance();
244 |
245 | LONG GetArraySize(IWbemQualifierSet* pQualifierSet);
246 | LONG GetArrayValue(
247 | CIMTYPE CimType,
248 | IWbemQualifierSet * pQualifierSet);
249 |
250 | void InsertBack(
251 | CSysmonEventList* pEventList,
252 | LONG* Reference,
253 | void* pElm);
254 |
255 |
256 | CSysmonEventList* AddEvent(CSysmonEventList* pEventList);
257 |
258 | private:
259 | IWbemServices* m_pIWbemService;
260 | CSysmonEventList* m_SysmonEventList;
261 | LONG m_EventListNums;
262 | public:
263 | static CTcpIpInfo m_TcpIpEventTypeName[25];
264 | };
265 |
266 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CIrp.cpp:
--------------------------------------------------------------------------------
1 | #include "cpplib.h"
2 | #include "CIrp.h"
3 | #include "CAssert.h"
4 |
5 | CIrp::CIrp(void)
6 | :mIrp(NULL)
7 | {
8 |
9 | }
10 |
11 | CIrp::CIrp(PIRP pIrp)
12 | :mIrp(NULL)
13 | {
14 | mIrp = pIrp;
15 | }
16 |
17 | CIrp::~CIrp()
18 | {
19 | mIrp = NULL;
20 | }
21 |
22 |
23 | PIRP
24 | CIrp::Get() const
25 | {
26 | return mIrp;
27 | }
28 |
29 | NTSTATUS&
30 | CIrp::Status() const
31 | {
32 | return mIrp->IoStatus.Status;
33 | }
34 |
35 | KPROCESSOR_MODE&
36 | CIrp::RequestorMode() const
37 | {
38 | return mIrp->RequestorMode;
39 | }
40 |
41 | ULONG_PTR&
42 | CIrp::Information() const
43 | {
44 | return mIrp->IoStatus.Information;
45 | }
46 |
47 | PMDL&
48 | CIrp::MdlAddress() const
49 | {
50 | return mIrp->MdlAddress;
51 | }
52 |
53 | PVOID&
54 | CIrp::UserBuffer() const
55 | {
56 | return mIrp->UserBuffer;
57 | }
58 |
59 |
60 | PVOID&
61 | CIrp::DriverContext1() const
62 | {
63 | return mIrp->Tail.Overlay.DriverContext[1];
64 | }
65 |
66 | PVOID&
67 | CIrp::DriverContext2() const
68 | {
69 | return mIrp->Tail.Overlay.DriverContext[2];
70 | }
71 |
72 | PVOID&
73 | CIrp::DriverContext3() const
74 | {
75 | return mIrp->Tail.Overlay.DriverContext[3];
76 | }
77 |
78 | PVOID&
79 | CIrp::DriverContext4() const
80 | {
81 | return mIrp->Tail.Overlay.DriverContext[4];
82 | }
83 |
84 | UINT8&
85 | CIrp::MajorFunction() const
86 | {
87 | return StackLocation()->MajorFunction;
88 | }
89 |
90 | UINT8&
91 | CIrp::MinorFunction() const
92 | {
93 | return StackLocation()->MinorFunction;
94 | }
95 |
96 | UINT8&
97 | CIrp::Flags() const
98 | {
99 | return StackLocation()->Flags;
100 | }
101 |
102 | UINT8&
103 | CIrp::Control() const
104 | {
105 | return StackLocation()->Control;
106 | }
107 |
108 | ULONG&
109 | CIrp::ReadLength() const
110 | {
111 | return StackLocation()->Parameters.Read.Length;
112 | }
113 |
114 | INT64&
115 | CIrp::ReadPos() const
116 | {
117 | return StackLocation()->Parameters.Read.ByteOffset.QuadPart;
118 | }
119 |
120 | ULONG&
121 | CIrp::WriteLength() const
122 | {
123 | return StackLocation()->Parameters.Write.Length;
124 | }
125 |
126 | INT64&
127 | CIrp::WritePos() const
128 | {
129 | return StackLocation()->Parameters.Write.ByteOffset.QuadPart;
130 | }
131 |
132 | ULONG&
133 | CIrp::IoctlCode() const
134 | {
135 | return StackLocation()->Parameters.DeviceIoControl.IoControlCode;
136 | }
137 |
138 | void *&
139 | CIrp::IoctlOutputBuffer() const
140 | {
141 | return mIrp->UserBuffer;
142 | }
143 |
144 | ULONG&
145 | CIrp::IoctlOutputBufferLength() const
146 | {
147 | return StackLocation()->Parameters.DeviceIoControl.
148 | OutputBufferLength;
149 | }
150 |
151 | void *&
152 | CIrp::IoctlInputBuffer() const
153 | {
154 | return mIrp->AssociatedIrp.SystemBuffer;
155 | }
156 |
157 | ULONG&
158 | CIrp::IoctlInputBufferLength() const
159 | {
160 | return StackLocation()->Parameters.DeviceIoControl.InputBufferLength;
161 | }
162 |
163 | void *&
164 | CIrp::IoctlType3InputBuffer() const
165 | {
166 | return StackLocation()->Parameters.DeviceIoControl.Type3InputBuffer;
167 | }
168 |
169 | PDEVICE_OBJECT& CIrp::Device() const
170 | {
171 | return StackLocation()->DeviceObject;
172 | }
173 |
174 | PFILE_OBJECT& CIrp::FileObject() const
175 | {
176 | return StackLocation()->FileObject;
177 | }
178 |
179 | PIO_STACK_LOCATION
180 | CIrp::StackLocation() const
181 | {
182 | if (mStackLocation == Current)
183 | return IoGetCurrentIrpStackLocation(mIrp);
184 | else
185 | return IoGetNextIrpStackLocation(mIrp);
186 | }
187 |
188 |
189 | void CIrp::UseCurrentStackLocation()
190 | {
191 | mStackLocation = Current;
192 | }
193 |
194 | void CIrp::UseNextStackLocation()
195 | {
196 | mStackLocation = Next;
197 | }
198 |
199 | void
200 | CIrp::CopyStackLocationToNext() const
201 | {
202 | IoCopyCurrentIrpStackLocationToNext(mIrp);
203 | }
204 |
205 | void
206 | CIrp::SkipStackLocation() const
207 | {
208 | IoSkipCurrentIrpStackLocation(mIrp);
209 | }
210 |
211 | NTSTATUS
212 | CIrp::Complete(NTSTATUS status, CCHAR boost)
213 | {
214 | Status() = status;
215 | IoCompleteRequest(mIrp, boost);
216 |
217 | return status;
218 | }
219 |
220 | NTSTATUS SimpleCompletion(
221 | DEVICE_OBJECT *device,
222 | IRP *irp,
223 | void* context)
224 | {
225 | ASSERT(irp);
226 |
227 | UNREFERENCED_PARAMETER(device);
228 |
229 | if(irp->PendingReturned)
230 | {
231 | ASSERT(context);
232 | KeSetEvent((KEVENT*) context, 0, false);
233 | }
234 |
235 | return STATUS_MORE_PROCESSING_REQUIRED;
236 | }
237 |
238 | NTSTATUS
239 | CIrp::SimpleSend(DEVICE_OBJECT *device)
240 | {
241 | KEVENT Event;
242 | NTSTATUS Status;
243 | KeInitializeEvent(&Event, NotificationEvent, false);
244 |
245 | IoSetCompletionRoutine(
246 | mIrp,
247 | SimpleCompletion,
248 | &Event,
249 | true,
250 | true,
251 | true);
252 |
253 | Status = IoCallDriver(device, mIrp);
254 |
255 | if(STATUS_PENDING == Status)
256 | {
257 | KeWaitForSingleObject(&Event, Executive, KernelMode, false, 0);
258 |
259 | Status = mIrp->IoStatus.Status;
260 | }
261 |
262 | return Status;
263 | }
264 |
265 |
266 | void
267 | CIrp::SetCancelRoutine(PDRIVER_CANCEL cancelFunc)
268 | {
269 | IoSetCancelRoutine(mIrp, cancelFunc);
270 | }
271 |
272 | void
273 | CIrp::MarkPending()
274 | {
275 | IoMarkIrpPending(mIrp);
276 | }
277 |
278 | void
279 | CIrp::UnmarkPending()
280 | {
281 | IoGetCurrentIrpStackLocation(mIrp)->Control &= ~SL_PENDING_RETURNED;
282 | }
283 |
284 |
285 |
286 | CErrorStatus
287 | CIrp::BuildDeviceIoControlRequest(
288 | UINT32 IoctlCode,
289 | PDEVICE_OBJECT Device,
290 | const void* InBuf,
291 | UINT32 SizeInBuf,
292 | void* OutBuf,
293 | UINT32 SizeOutBuf,
294 | BOOL Internal,
295 | KEVENT& Event,
296 | IO_STATUS_BLOCK& IoStatus)
297 | {
298 | CErrorStatus Error;
299 | CAssertAddrValid(pDeviceObject, DEVICE_OBJECT);
300 |
301 | mIrp = IoBuildDeviceIoControlRequest(
302 | IoctlCode,
303 | Device,
304 | const_cast(InBuf),
305 | SizeInBuf,
306 | OutBuf,
307 | SizeOutBuf,
308 | Internal,
309 | &Event,
310 | &IoStatus);
311 |
312 | if ( IsNull(mIrp) )
313 | {
314 | Error = IoStatus.Status;
315 | }
316 |
317 | return Error;
318 | }
319 |
320 | CErrorStatus
321 | CIrp::BuildSynchronousFsdRequest(
322 | UINT32 majorFunc,
323 | PDEVICE_OBJECT pDeviceObject,
324 | const void *buf,
325 | UINT32 nBytes,
326 | INT64 pos,
327 | KEVENT& event,
328 | IO_STATUS_BLOCK& IoStatus)
329 | {
330 | CErrorStatus Error;
331 | CAssertAddrValid(pDeviceObject, DEVICE_OBJECT);
332 |
333 | LARGE_INTEGER liPos;
334 | liPos.QuadPart = pos;
335 | mIrp = IoBuildSynchronousFsdRequest(majorFunc, pDeviceObject,
336 | const_cast(buf), nBytes, &liPos, &event, &IoStatus);
337 |
338 | if (IsNull(mIrp))
339 | {
340 | Error = IoStatus.Status;
341 | }
342 |
343 | return Error;
344 | }
345 |
--------------------------------------------------------------------------------
/Sysmon/Sysmon.cpp:
--------------------------------------------------------------------------------
1 | // Sysmon.cpp : Defines the entry point for the application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "Sysmon.h"
6 | #include
7 | #include "CSysmonDriverOpt.h"
8 | #include "CSsymonEtw.h"
9 | #include
10 | #include
11 | #include
12 | #define MAX_LOADSTRING 100
13 |
14 |
15 | extern "C" typedef BOOL (WINAPI *pIsWow64Process)(
16 | HANDLE hProcess,
17 | PBOOL Wow64Process
18 | );
19 |
20 | int APIENTRY _tWinMain(
21 | HINSTANCE hInstance,
22 | HINSTANCE hPrevInstance,
23 | LPTSTR lpCmdLine,
24 | int nCmdShow)
25 | {
26 | UNREFERENCED_PARAMETER(hPrevInstance);
27 | UNREFERENCED_PARAMETER(lpCmdLine);
28 |
29 | int argc = 0;
30 | char** argv = NULL;
31 | WCHAR** argvW = (WCHAR**)NULL;
32 |
33 | argvW = ::CommandLineToArgvW(::GetCommandLine(), &argc);
34 | // argv = (char**)malloc(argc * sizeof(char*));
35 | // int cb = 0;
36 | // for (int i = 0; i < argc; i++)
37 | // {
38 | // cb = WideCharToMultiByte (CP_ACP, 0, argvW[i], -1, NULL, 0, NULL, NULL);
39 | // argv[i] = (char*)malloc(cb * sizeof(WCHAR) + 1);
40 | // WideCharToMultiByte (CP_ACP, 0, argvW[i], -1, argv[i], cb, NULL, NULL);
41 | // }
42 |
43 | BOOL bIsWow64Process = FALSE;
44 | HMODULE v4 = GetModuleHandleW(L"kernel32.dll");
45 | pIsWow64Process v5 = (pIsWow64Process)GetProcAddress(v4, "IsWow64Process");
46 | if ( v5 )
47 | {
48 | v5(GetCurrentProcess(), &bIsWow64Process);
49 | }
50 |
51 | if (bIsWow64Process)
52 | {
53 | return RunSysmonX64();
54 | }
55 |
56 |
57 | if (argc > 1)
58 | {
59 | if (lstrcmpi(argvW[1],_T("-i")) == 0 )
60 | {
61 |
62 | CSysmonDriverOpt Opt;
63 |
64 | Opt.InstallDriver(
65 | _T("Sysmon"),
66 | _T("Sysmon.sys"),
67 | _T("370030"));
68 |
69 |
70 | if(Opt.StartDriver(_T("Sysmon")))
71 | {
72 | MessageBox(NULL,_T("Success"),_T("Success"),MB_OK);
73 | }
74 | }
75 |
76 | if (lstrcmpi(argvW[1],_T("-n")) == 0 )
77 | {
78 |
79 | CSsymonEtw::Instance()->StartTrace(1);
80 | }
81 | }
82 |
83 |
84 | MSG msg;
85 | while (GetMessage(&msg, NULL, 0, 0))
86 | {
87 |
88 | TranslateMessage(&msg);
89 |
90 | DispatchMessage(&msg);
91 |
92 | }
93 |
94 | return msg.wParam;
95 |
96 |
97 | return TRUE;
98 | }
99 |
100 |
101 | extern "C" typedef void (WINAPI *pGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);
102 |
103 | BOOLEAN __fastcall SysmonTempFileName(wchar_t * FileName, wchar_t* TempName)
104 | {
105 | wchar_t *v2;
106 | int i;
107 | unsigned int v5;
108 | wchar_t Dsta[MAX_PATH] = {0};
109 | WCHAR Buffer[MAX_PATH] = {0};
110 | WCHAR RandName[20] = {0};
111 | v2 = TempName;
112 | wcscpy_s(Dsta, MAX_PATH, FileName);
113 |
114 | if ( !GetTempPathW(MAX_PATH, Buffer) )
115 | return 0;
116 |
117 | i = 0;
118 |
119 | while ( TRUE )
120 | {
121 | do
122 | {
123 | wcscpy_s(v2, 520, Buffer);
124 | if ( RandName[0] )
125 | {
126 | wcscat_s(v2, 520, RandName);
127 | wcscat_s(v2, 520, L"\\");
128 | if ( GetFileAttributesW(v2) != -1 || !CreateDirectoryW(v2, 0) )
129 | break;
130 | }
131 |
132 | wcscat_s(v2, 520, Dsta);
133 | if ( GetFileAttributesW(v2) == -1 )
134 | return 1;
135 | if ( RandName[0] )
136 | {
137 | wcsrchr(v2, '\\')[1] = 0;
138 | RemoveDirectoryW(v2);
139 | }
140 |
141 | } while (FALSE);
142 |
143 | rand_s(&v5);
144 | swprintf_s(RandName, 20, L"SYS%u", v5);
145 | if ( (unsigned int)++i >= 10 )
146 | return 0;
147 | }
148 |
149 | return 1;
150 | }
151 |
152 | wchar_t *__fastcall SysmonFormatMessageW(wchar_t *Dest, int len)
153 | {
154 | int v2;
155 | wchar_t *v3;
156 | DWORD v5;
157 | WCHAR* Buffer;
158 |
159 | Buffer = 0;
160 |
161 | v3 = Dest;
162 |
163 | v5 = FormatMessageW(12544, 0, GetLastError(), 0, (LPWSTR)&Buffer, 0, 0);
164 | if ( v5 && len >= (signed int)(v5 + 14) )
165 | {
166 | Buffer[lstrlenW(Buffer) - 2] = 0;
167 | _swprintf(v3, L"%s", Buffer, GetLastError());
168 | }
169 | else
170 | {
171 | *v3 = 0;
172 | }
173 | if ( Buffer )
174 | LocalFree(*(HLOCAL *)Buffer);
175 | return v3;
176 | }
177 |
178 | BOOLEAN __fastcall SysmonExtractResource(LPCWSTR lpName, wchar_t *Filename)
179 | {
180 | HRSRC hrFile;
181 | HGLOBAL hgFile;
182 | DWORD nFileLength;
183 | const void *ptr;
184 | FILE *hFile;
185 |
186 | hrFile = FindResourceW(0, lpName, L"BINRES");
187 |
188 | if ( !hrFile )
189 | return 0;
190 | hgFile = LoadResource(0, hrFile);
191 | nFileLength = SizeofResource(0, hrFile);
192 | ptr = LockResource(hgFile);
193 | hFile = _wfopen(Filename, L"wb");
194 |
195 | if ( !hFile )
196 | return 0;
197 |
198 | fwrite(ptr, 1, nFileLength, hFile);
199 | fclose(hFile);
200 |
201 | return 1;
202 | }
203 |
204 | DWORD RunSysmonX64()
205 | {
206 | HMODULE v0;
207 | pGetNativeSystemInfo v1;
208 | DWORD result;
209 | wchar_t *v4;
210 |
211 | STARTUPINFOW StartupInfo = {0};
212 | SYSTEM_INFO SystemInfo = {0};
213 | PROCESS_INFORMATION ProcessInformation = {0};
214 | DWORD ExitCode;
215 | wchar_t Dest[256] = {0};
216 | WCHAR Filename[520] = {0};
217 |
218 | ExitCode = 0;
219 | StartupInfo.cb = 68;
220 | StartupInfo.lpReserved = 0;
221 | memset(&StartupInfo.lpDesktop, 0, 0x3Cu);
222 |
223 | __m128i Xmm0 = {0};
224 | _mm_storeu_si128((__m128i *)&ProcessInformation, Xmm0);
225 |
226 | v0 = LoadLibraryW(L"kernel32.dll");
227 | v1 = (pGetNativeSystemInfo)GetProcAddress(v0, "GetNativeSystemInfo");
228 |
229 | if ( v1 )
230 | v1(&SystemInfo);
231 | else
232 | GetSystemInfo(&SystemInfo);
233 |
234 | if ( SystemInfo.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 )
235 | {
236 | wprintf(L"Unsupported processor type: %d\n", SystemInfo.wProcessorArchitecture);
237 | return 1630;
238 | }
239 |
240 | memset(Filename, 0, sizeof(WCHAR)*520);
241 | if ( !GetModuleFileNameW(0, Filename, 520) )
242 | {
243 | ExitCode = GetLastError();
244 | wprintf(L"Failed to get the module filename:\n%s\n\n", SysmonFormatMessageW(Dest, 256));
245 | return ExitCode;
246 | }
247 |
248 | v4 = wcsrchr(Filename, '\\');
249 |
250 | if ( !SysmonTempFileName(v4 + 1,Filename) )
251 | {
252 | ExitCode = GetLastError();
253 |
254 | wprintf(L"Failed to create temporaryfile:\n%s\n\n", SysmonFormatMessageW(Dest, 256));
255 | return ExitCode;
256 | }
257 |
258 | if ( !SysmonExtractResource((LPCWSTR)1001,Filename) && GetFileAttributesW(Filename) == -1 )
259 | {
260 | ExitCode = GetLastError();
261 | wprintf(L"Failed to extract the 64-bit version:\n%s\n\n", SysmonFormatMessageW(Dest, 256));
262 | return ExitCode;
263 | }
264 |
265 | if ( CreateProcessW(
266 | Filename,
267 | GetCommandLineW(),
268 | 0,
269 | 0,
270 | 0,
271 | 0,
272 | 0,
273 | 0,
274 | &StartupInfo,
275 | &ProcessInformation) )
276 | {
277 | WaitForSingleObject(ProcessInformation.hProcess, 0xFFFFFFFF);
278 | GetExitCodeProcess(ProcessInformation.hProcess, &ExitCode);
279 | CloseHandle(ProcessInformation.hProcess);
280 | CloseHandle(ProcessInformation.hThread);
281 | result = ExitCode;
282 | if ( ExitCode == 999 )
283 | return result;
284 | }
285 | else
286 | {
287 | ExitCode = GetLastError();
288 | wprintf(L"Error launching 64-bit version:\n%s\n\n", SysmonFormatMessageW(Dest, 256));
289 | }
290 |
291 | DeleteFileW(Filename);
292 |
293 | return ExitCode;
294 | }
--------------------------------------------------------------------------------
/Sysmon.sys/cpplib/CMiniFltFilter.cpp:
--------------------------------------------------------------------------------
1 | #include "CMiniFltFilter.h"
2 |
3 |
4 | #pragma comment(lib,"FltMgr.lib")
5 |
6 | /**********************************************************************************/
7 | #pragma INITCODE
8 |
9 | CMiniFltFilter::CMiniFltFilter(void)
10 | :mFilter(NULL)
11 | {
12 | memset(
13 | &mFltRegistration,
14 | 0,
15 | sizeof(FLT_REGISTRATION));
16 |
17 | mFltRegistration.Size = sizeof(FLT_REGISTRATION);
18 | mFltRegistration.Version = FLT_REGISTRATION_VERSION;
19 | mFltRegistration.Flags = 0;
20 | mFltRegistration.ContextRegistration = mContextRegistration;
21 | mFltRegistration.OperationRegistration = mOptRegistration;
22 |
23 | for ( int nI = 0; nI < MAX_FLT_OPERATION_REGISTRATION;nI++)
24 | {
25 | mOptRegistration[nI].MajorFunction = IRP_MJ_OPERATION_END;
26 | mOptRegistration[nI].Flags = 0;
27 | mOptRegistration[nI].PostOperation = 0;
28 | mOptRegistration[nI].PreOperation = 0;
29 | mOptRegistration[nI].Reserved1 = 0;
30 | }
31 |
32 | for ( int nI = 0; nI < MAX_FLT_CONTEXT_REGISTRATION; nI++)
33 | {
34 | mContextRegistration[nI].ContextType = FLT_CONTEXT_END;
35 | mContextRegistration[nI].ContextAllocateCallback = 0;
36 | mContextRegistration[nI].ContextCleanupCallback = 0;
37 | mContextRegistration[nI].ContextFreeCallback = 0;
38 | mContextRegistration[nI].Flags = 0;
39 | mContextRegistration[nI].PoolTag = 0;
40 | mContextRegistration[nI].Reserved1 = 0;
41 | mContextRegistration[nI].Size = 0;
42 | }
43 |
44 | mFilterUnloadCallback = 0;
45 | mInstanceSetupCallback = 0;
46 | mInstanceQueryTeardownCallback = 0;
47 | mInstanceTeardownStartCallback = 0;
48 | mInstanceTeardownCompleteCallback = 0;
49 | mGenerateFileNameCallback = 0;
50 | mNormalizeNameComponentCallback = 0;
51 | mNormalizeContextCleanupCallback = 0;
52 | mTransactionNotificationCallback = 0;
53 | mNormalizeNameComponentExCallback = 0;
54 |
55 | #if FLT_MGR_WIN8
56 | mSectionNotificationCallback = 0;
57 | #endif // FLT_MGR_WIN8
58 | }
59 |
60 | /**********************************************************************************/
61 | #pragma LOCKEDCODE
62 |
63 | CMiniFltFilter::~CMiniFltFilter(void)
64 | {
65 | }
66 |
67 |
68 | /**********************************************************************************/
69 | #pragma INITCODE
70 |
71 | void
72 | CMiniFltFilter::RegisterCallback(int nIndex,void* pFn)
73 | {
74 | if (nIndex == 0)
75 | {
76 | mFilterUnloadCallback = (PFLT_FILTER_UNLOAD_CALLBACK)pFn;
77 | mFltRegistration.FilterUnloadCallback = mFilterUnloadCallback;
78 | }
79 |
80 | if (nIndex == 1)
81 | {
82 | mInstanceSetupCallback = (PFLT_INSTANCE_SETUP_CALLBACK)pFn;
83 | mFltRegistration.InstanceSetupCallback = mInstanceSetupCallback;
84 | }
85 |
86 | if (nIndex == 2)
87 | {
88 | mInstanceQueryTeardownCallback = (PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK)pFn;
89 | mFltRegistration.InstanceQueryTeardownCallback = mInstanceQueryTeardownCallback;
90 | }
91 |
92 | if (nIndex == 3)
93 | {
94 | mInstanceTeardownStartCallback = (PFLT_INSTANCE_TEARDOWN_CALLBACK)pFn;
95 | mFltRegistration.InstanceTeardownStartCallback = mInstanceTeardownStartCallback;
96 | }
97 |
98 | if (nIndex == 4)
99 | {
100 | mInstanceTeardownCompleteCallback = (PFLT_INSTANCE_TEARDOWN_CALLBACK)pFn;
101 | mFltRegistration.InstanceTeardownCompleteCallback = mInstanceTeardownCompleteCallback;
102 | }
103 |
104 | if (nIndex == 5)
105 | {
106 | mGenerateFileNameCallback = (PFLT_GENERATE_FILE_NAME)pFn;
107 | mFltRegistration.GenerateFileNameCallback = mGenerateFileNameCallback;
108 | }
109 |
110 | if (nIndex == 6)
111 | {
112 | mNormalizeNameComponentCallback = (PFLT_NORMALIZE_NAME_COMPONENT)pFn;
113 | mFltRegistration.NormalizeNameComponentCallback = mNormalizeNameComponentCallback;
114 | }
115 |
116 | if (nIndex == 7)
117 | {
118 | mNormalizeContextCleanupCallback = (PFLT_NORMALIZE_CONTEXT_CLEANUP)pFn;
119 | mFltRegistration.NormalizeContextCleanupCallback = mNormalizeContextCleanupCallback;
120 | }
121 |
122 | if (nIndex == 8)
123 | {
124 | mTransactionNotificationCallback = (PFLT_TRANSACTION_NOTIFICATION_CALLBACK)pFn;
125 | mFltRegistration.TransactionNotificationCallback = mTransactionNotificationCallback;
126 | }
127 |
128 | if (nIndex == 9)
129 | {
130 | mNormalizeNameComponentExCallback = (PFLT_NORMALIZE_NAME_COMPONENT_EX)pFn;
131 | mFltRegistration.NormalizeNameComponentExCallback = mNormalizeNameComponentExCallback;
132 | }
133 | ;
134 | }
135 |
136 |
137 | /**********************************************************************************/
138 | #pragma INITCODE
139 |
140 | void
141 | CMiniFltFilter::RegisterOptRegistration(
142 | int nIdex,
143 | USHORT MajorFunction,
144 | FLT_OPERATION_REGISTRATION_FLAGS Flags,
145 | PFLT_PRE_OPERATION_CALLBACK PreOperation,
146 | PFLT_POST_OPERATION_CALLBACK PostOperation,
147 | PVOID Reserved1
148 | )
149 | {
150 | mOptRegistration[nIdex].MajorFunction = static_cast(MajorFunction);
151 | mOptRegistration[nIdex].Flags = Flags;
152 | mOptRegistration[nIdex].PreOperation = PreOperation;
153 | mOptRegistration[nIdex].PostOperation = PostOperation;
154 | mOptRegistration[nIdex].Reserved1 = Reserved1;
155 | }
156 |
157 | void CMiniFltFilter::RegisterContext(
158 | int nIdex,
159 | FLT_CONTEXT_TYPE ContextType,
160 | USHORT ContextSize,
161 | ULONG PoolTag,
162 | PVOID Reserved1
163 | )
164 | {
165 | mContextRegistration[nIdex].Reserved1 = Reserved1;
166 | mContextRegistration[nIdex].Size = ContextSize;
167 | mContextRegistration[nIdex].ContextAllocateCallback = 0;
168 | mContextRegistration[nIdex].ContextCleanupCallback = 0;
169 | mContextRegistration[nIdex].ContextFreeCallback = 0;
170 | mContextRegistration[nIdex].ContextType = ContextType;
171 | mContextRegistration[nIdex].Size = ContextSize;
172 | mContextRegistration[nIdex].PoolTag = PoolTag;
173 | }
174 |
175 | /**********************************************************************************/
176 | #pragma INITCODE
177 |
178 | CErrorStatus
179 | CMiniFltFilter::FltRegisterFilter(PDRIVER_OBJECT DriverObj)
180 | {
181 | CErrorStatus Status;
182 |
183 | Status = ::FltRegisterFilter(DriverObj,&mFltRegistration,&mFilter);
184 |
185 | if (Status.IsNtSuccess())
186 | {
187 | ::FltStartFiltering(mFilter);
188 | }
189 |
190 | return Status;
191 | }
192 |
193 | /**********************************************************************************/
194 | #pragma LOCKEDCODE
195 |
196 | NTSTATUS
197 | CMiniFltFilter::FilterUnloadCallback(
198 | FLT_FILTER_UNLOAD_FLAGS Flags
199 | )
200 | {
201 | return STATUS_SUCCESS;
202 | }
203 |
204 |
205 | /**********************************************************************************/
206 | #pragma LOCKEDCODE
207 |
208 | NTSTATUS
209 | CMiniFltFilter::InstanceSetupCallback(
210 | PCFLT_RELATED_OBJECTS FltObjects,
211 | FLT_INSTANCE_SETUP_FLAGS Flags,
212 | DEVICE_TYPE VolumeDeviceType,
213 | FLT_FILESYSTEM_TYPE VolumeFilesystemType
214 | )
215 | {
216 |
217 | if ( VolumeDeviceType == FILE_DEVICE_DISK_FILE_SYSTEM)
218 | {
219 | return STATUS_SUCCESS;
220 | }
221 |
222 | // if (VolumeFilesystemType != FLT_FSTYPE_NPFS)
223 | // {
224 | // }
225 |
226 | return STATUS_UNSUCCESSFUL;
227 | }
228 |
229 |
230 | /**********************************************************************************/
231 | #pragma LOCKEDCODE
232 |
233 | NTSTATUS
234 | CMiniFltFilter::InstanceQueryTeardownCallback(
235 | PCFLT_RELATED_OBJECTS FltObjects,
236 | FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
237 | )
238 | {
239 | return STATUS_SUCCESS;
240 | }
--------------------------------------------------------------------------------
/Sysmon.sys/Sysmon.sys.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {c03ff512-8920-4e38-b76a-ef373713f0ca}
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | cpplib
32 |
33 |
34 | cpplib
35 |
36 |
37 | cpplib
38 |
39 |
40 | cpplib
41 |
42 |
43 | cpplib
44 |
45 |
46 | cpplib
47 |
48 |
49 | cpplib
50 |
51 |
52 | cpplib
53 |
54 |
55 | cpplib
56 |
57 |
58 | cpplib
59 |
60 |
61 | cpplib
62 |
63 |
64 | cpplib
65 |
66 |
67 | cpplib
68 |
69 |
70 | cpplib
71 |
72 |
73 | cpplib
74 |
75 |
76 | cpplib
77 |
78 |
79 | cpplib
80 |
81 |
82 | cpplib
83 |
84 |
85 | Header Files
86 |
87 |
88 | Header Files
89 |
90 |
91 | Header Files
92 |
93 |
94 | cpplib
95 |
96 |
97 | cpplib
98 |
99 |
100 | Header Files
101 |
102 |
103 | cpplib
104 |
105 |
106 | cpplib
107 |
108 |
109 | Header Files
110 |
111 |
112 | Header Files
113 |
114 |
115 | cpplib
116 |
117 |
118 | Header Files
119 |
120 |
121 |
122 |
123 | Source Files
124 |
125 |
126 | Source Files
127 |
128 |
129 | cpplib
130 |
131 |
132 | cpplib
133 |
134 |
135 | cpplib
136 |
137 |
138 | cpplib
139 |
140 |
141 | cpplib
142 |
143 |
144 | cpplib
145 |
146 |
147 | cpplib
148 |
149 |
150 | cpplib
151 |
152 |
153 | cpplib
154 |
155 |
156 | cpplib
157 |
158 |
159 | cpplib
160 |
161 |
162 | cpplib
163 |
164 |
165 | cpplib
166 |
167 |
168 | cpplib
169 |
170 |
171 | cpplib
172 |
173 |
174 | cpplib
175 |
176 |
177 | cpplib
178 |
179 |
180 | Source Files
181 |
182 |
183 | Source Files
184 |
185 |
186 | Source Files
187 |
188 |
189 | cpplib
190 |
191 |
192 | cpplib
193 |
194 |
195 | Source Files
196 |
197 |
198 | cpplib
199 |
200 |
201 | cpplib
202 |
203 |
204 | Source Files
205 |
206 |
207 | Source Files
208 |
209 |
210 | cpplib
211 |
212 |
213 |
--------------------------------------------------------------------------------
/Sysmon.sys/CDriverEntry.cpp:
--------------------------------------------------------------------------------
1 | #include "CDriverEntry.h"
2 | #include
3 | #include "CErrorStatus.h"
4 | #include "CUnicodeString.h"
5 | #include "CString.h"
6 | #include "CDriverDispatch.h"
7 | #include "CSysmonDispatchEngine.h"
8 | #include "CDeviceExtension.h"
9 | #include
10 |
11 |
12 | CDriverEntry CDriverEntry::_Instance;
13 |
14 | /**********************************************************************************/
15 | #pragma LOCKEDCODE
16 |
17 | CDriverEntry::CDriverEntry(void)
18 | :mIsSupportFlt(FALSE)
19 | {
20 | }
21 |
22 | /**********************************************************************************/
23 | #pragma LOCKEDCODE
24 |
25 | CDriverEntry::~CDriverEntry(void)
26 | {
27 | }
28 |
29 | /**********************************************************************************/
30 | #pragma LOCKEDCODE
31 |
32 | CDriverEntry& CDriverEntry::Instance()
33 | {
34 | return _Instance;
35 | }
36 |
37 | /**********************************************************************************/
38 | #pragma LOCKEDCODE
39 |
40 | void CDriverEntry::PsGetVersion()
41 | {
42 | mSystemVersion.PsGetVersion();
43 | }
44 |
45 | /**********************************************************************************/
46 | #pragma LOCKEDCODE
47 |
48 | BOOL CDriverEntry::IsSupportFlt()
49 | {
50 | CVersion OsVersion;
51 | OsVersion.GetOsVersion();
52 |
53 | mIsSupportFlt = ( OsVersion.GetMajorVersion() > 6 ||
54 | ( OsVersion.GetMajorVersion() == 6 && OsVersion.GetMinorVersion() >= 2));
55 |
56 | return mIsSupportFlt;
57 | }
58 |
59 | /**********************************************************************************/
60 | #pragma INITCODE
61 |
62 | NTSTATUS
63 | CDriverEntry::Init(
64 | IN PDRIVER_OBJECT DriverObject,
65 | IN PUNICODE_STRING RegistryPath
66 | )
67 | {
68 | CErrorStatus Status = STATUS_UNSUCCESSFUL;
69 | CallGlobalConstructors();
70 |
71 | CStackStringW<256> DeviceName;
72 | CStackStringW<256> DosDeviceName;
73 | CDriverDispatch DriverDispatch;
74 | CUnicodeString DevicePath = RegistryPath;
75 | BOOL IsSupportFlt = FALSE;
76 | CDriverEntry::Instance().PsGetVersion();
77 |
78 | DeviceName[0] = '\\';
79 | DeviceName[1] = 'D';
80 | DeviceName[2] = 'e';
81 | DeviceName[3] = 'v';
82 | DeviceName[4] = 'i';
83 | DeviceName[5] = 'c';
84 | DeviceName[6] = 'e';
85 | DeviceName[7] = '\\';
86 | DeviceName[8] = '\\';
87 |
88 | DosDeviceName[0] = '\\';
89 | DosDeviceName[1] = 'D';
90 | DosDeviceName[2] = 'o';
91 | DosDeviceName[3] = 's';
92 | DosDeviceName[4] = 'D';
93 | DosDeviceName[5] = 'e';
94 | DosDeviceName[6] = 'v';
95 | DosDeviceName[7] = 'i';
96 | DosDeviceName[8] = 'c';
97 | DosDeviceName[9] = 'e';
98 | DosDeviceName[10] = 's';
99 | DosDeviceName[11] = '\\';
100 | DosDeviceName[12] = '\\';
101 |
102 | PWCHAR pEndPathName = &RegistryPath->Buffer[RegistryPath->Length/2];
103 |
104 | do
105 | {
106 | if (pEndPathName == RegistryPath->Buffer)
107 | {
108 | if (pEndPathName[0] != '\\')
109 | {
110 | break;
111 | }
112 | }
113 | else
114 | {
115 | while (pEndPathName[0] != '\\')
116 | {
117 | pEndPathName--;
118 |
119 | if (pEndPathName == RegistryPath->Buffer)
120 | {
121 | break;
122 | }
123 | }
124 | }
125 |
126 | ++pEndPathName;
127 |
128 | } while (FALSE);
129 |
130 |
131 | ULONG LengthOfName = RegistryPath->Length - (pEndPathName - RegistryPath->Buffer);
132 |
133 | if (LengthOfName > 255)
134 | {
135 | LengthOfName = 255;
136 | }
137 |
138 | memcpy(&DeviceName[8], pEndPathName, LengthOfName);
139 | wcsncpy(&DosDeviceName[12], pEndPathName, LengthOfName);
140 |
141 | IsSupportFlt = CDriverEntry::Instance().IsSupportFlt();
142 |
143 | DriverDispatch = DriverObject->MajorFunction;
144 |
145 | if (!DriverDispatch)
146 | {
147 | DriverDispatch[IRP_MJ_CREATE] = CSysmonDispatchEngine::SysmonDispatchIrp;
148 | DriverDispatch[IRP_MJ_CLOSE] = CSysmonDispatchEngine::SysmonDispatchIrp;
149 | DriverDispatch[IRP_MJ_DEVICE_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;
150 |
151 |
152 | if (!IsSupportFlt)
153 | {
154 | DriverDispatch[IRP_MJ_CREATE] = CSysmonDispatchEngine::SysmonDispatchIrp;
155 | DriverDispatch[IRP_MJ_CREATE_NAMED_PIPE] = CSysmonDispatchEngine::SysmonDispatchIrp;
156 | DriverDispatch[IRP_MJ_CLOSE] = CSysmonDispatchEngine::SysmonDispatchIrp;
157 | DriverDispatch[IRP_MJ_READ] = CSysmonDispatchEngine::SysmonDispatchIrp;
158 | DriverDispatch[IRP_MJ_WRITE] = CSysmonDispatchEngine::SysmonDispatchIrp;
159 | DriverDispatch[IRP_MJ_QUERY_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;
160 | DriverDispatch[IRP_MJ_SET_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;
161 | DriverDispatch[IRP_MJ_QUERY_EA] = CSysmonDispatchEngine::SysmonDispatchIrp;
162 | DriverDispatch[IRP_MJ_SET_EA] = CSysmonDispatchEngine::SysmonDispatchIrp;
163 | DriverDispatch[IRP_MJ_FLUSH_BUFFERS] = CSysmonDispatchEngine::SysmonDispatchIrp;
164 | DriverDispatch[IRP_MJ_QUERY_VOLUME_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;
165 | DriverDispatch[IRP_MJ_SET_VOLUME_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;
166 | DriverDispatch[IRP_MJ_DIRECTORY_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;
167 | DriverDispatch[IRP_MJ_FILE_SYSTEM_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;
168 | DriverDispatch[IRP_MJ_DEVICE_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;
169 | DriverDispatch[IRP_MJ_INTERNAL_DEVICE_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;
170 | DriverDispatch[IRP_MJ_SHUTDOWN] = CSysmonDispatchEngine::SysmonDispatchIrp;
171 | DriverDispatch[IRP_MJ_LOCK_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;
172 | DriverDispatch[IRP_MJ_CLEANUP] = CSysmonDispatchEngine::SysmonDispatchIrp;
173 | DriverDispatch[IRP_MJ_CREATE_MAILSLOT] = CSysmonDispatchEngine::SysmonDispatchIrp;
174 | DriverDispatch[IRP_MJ_QUERY_SECURITY] = CSysmonDispatchEngine::SysmonDispatchIrp;
175 | DriverDispatch[IRP_MJ_SET_SECURITY] = CSysmonDispatchEngine::SysmonDispatchIrp;
176 | DriverDispatch[IRP_MJ_POWER] = CSysmonDispatchEngine::SysmonDispatchIrp;
177 | DriverDispatch[IRP_MJ_SYSTEM_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;
178 | DriverDispatch[IRP_MJ_DEVICE_CHANGE] = CSysmonDispatchEngine::SysmonDispatchIrp;
179 | DriverDispatch[IRP_MJ_QUERY_QUOTA] = CSysmonDispatchEngine::SysmonDispatchIrp;
180 | DriverDispatch[IRP_MJ_SET_QUOTA] = CSysmonDispatchEngine::SysmonDispatchIrp;
181 | }
182 |
183 | }
184 |
185 | do
186 | {
187 | Status = CDriverEntry::Instance().InitIoDeice(
188 | DriverObject,
189 | DeviceName,
190 | DosDeviceName,
191 | sizeof(CDeviceExtension));
192 |
193 | if (Status.IsNtSuccess())
194 | {
195 | __try
196 | {
197 | CDeviceExtension* DeviceExtension = (CDeviceExtension*)CDriverEntry::Instance().Extension();
198 |
199 | if (DeviceExtension)
200 | {
201 | CSysmonDispatchEngine::InitCsq(*DeviceExtension);
202 | DeviceExtension->Init();
203 | }
204 |
205 | Status = CDriverEntry::Instance().InitMiniFlt(DriverObject);
206 |
207 | if (!Status.IsNtSuccess())
208 | {
209 | CDriverEntry::Instance().DeleteDosLink(DosDeviceName);
210 | break;
211 | }
212 | }
213 | __except(EXCEPTION_CONTINUE_EXECUTION)
214 | {
215 |
216 | }
217 | }
218 |
219 | } while (FALSE);
220 |
221 |
222 | return Status;
223 | }
224 |
225 |
226 | /**********************************************************************************/
227 | #pragma INITCODE
228 |
229 | CErrorStatus
230 | CDriverEntry::InitIoDeice(
231 | PDRIVER_OBJECT Driver,
232 | CStackStringW<256>& DeviceName,
233 | CStackStringW<256>& DosDeviceName,
234 | const UINT32 DeviceExtSize
235 | )
236 | {
237 | return mDeviceObject.Init(Driver,DeviceName,DosDeviceName,DeviceExtSize);
238 | }
239 |
240 |
241 | /**********************************************************************************/
242 | #pragma LOCKEDCODE
243 |
244 | void*
245 | CDriverEntry::Extension()
246 | {
247 | return mDeviceObject.DeviceExtension();
248 | }
249 |
250 |
251 | /**********************************************************************************/
252 | #pragma INITCODE
253 |
254 | CErrorStatus
255 | CDriverEntry::InitMiniFlt(PDRIVER_OBJECT DriverObj)
256 | {
257 | return mMiniFltFilter.Init(DriverObj);
258 | }
259 |
260 |
261 | /**********************************************************************************/
262 | #pragma PAGEDCODE
263 |
264 | void
265 | CDriverEntry::DeleteDosLink(CStackStringW<256>& SymbolicLink)
266 | {
267 | mDeviceObject.DeleteSymbolicLink(SymbolicLink);
268 | }
--------------------------------------------------------------------------------
/Sysmon/Sysmon.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}
23 | Win32Proj
24 | Sysmon
25 |
26 |
27 |
28 | Application
29 | true
30 | Unicode
31 | Static
32 |
33 |
34 | Application
35 | true
36 | Unicode
37 |
38 |
39 | Application
40 | false
41 | true
42 | Unicode
43 |
44 |
45 | Application
46 | false
47 | true
48 | Unicode
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 | true
68 |
69 |
70 | true
71 |
72 |
73 | false
74 |
75 |
76 | false
77 | $(ProjectName)64
78 |
79 |
80 |
81 | Use
82 | Level3
83 | Disabled
84 | WIN32;_DEBUG;_WINDOWS;INITGUID;%(PreprocessorDefinitions)
85 | MultiThreadedDebug
86 | Async
87 |
88 |
89 | Windows
90 | true
91 |
92 |
93 |
94 |
95 | Use
96 | Level3
97 | Disabled
98 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)
99 |
100 |
101 | Windows
102 | true
103 |
104 |
105 |
106 |
107 | Level3
108 | Use
109 | MaxSpeed
110 | true
111 | true
112 | WIN32;NDEBUG;_WINDOWS;INITGUID;%(PreprocessorDefinitions)
113 | MultiThreaded
114 |
115 |
116 | Windows
117 | true
118 | true
119 | true
120 |
121 |
122 |
123 |
124 | Level3
125 | Use
126 | MaxSpeed
127 | true
128 | true
129 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)
130 |
131 |
132 | Windows
133 | true
134 | true
135 | true
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 | Create
169 | Create
170 | Create
171 | Create
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
--------------------------------------------------------------------------------
/Sysmon/CSsymonEtw.cpp:
--------------------------------------------------------------------------------
1 | #include "StdAfx.h"
2 | #include "CSsymonEtw.h"
3 | #include "CSysmonUtil.h"
4 | #include
5 | #include
6 | #include
7 |
8 |
9 |
10 | #pragma comment(lib,"Ws2_32.lib")
11 |
12 | #define EVENT_TRACE_SYSTEM_LOGGER_MODE 0x2000000
13 |
14 | CSsymonEtw* CSsymonEtw::_Instace = NULL;
15 |
16 | CSsymonEtw::CSsymonEtw(void)
17 | {
18 | m_pStartTrace = NULL;
19 | m_pControlTrace = NULL;
20 | m_pOpenTrace = NULL;
21 | m_pProcessTrace = NULL;
22 | m_SessionHandle = NULL;
23 | m_hEtwTraceThread =0;
24 | m_bInit = FALSE;
25 | m_hGlobalEvent = CreateEvent(0, TRUE, 0, 0);
26 | m_bStartTrace = FALSE;
27 | m_bInitData = FALSE;
28 | m_EventClassNums = 0;
29 |
30 | GetSystemTimeAsFileTime(&m_SystemTime);
31 | QueryPerformanceCounter(&m_PerformanceCount);
32 | QueryPerformanceFrequency(&m_Frequency);
33 | }
34 |
35 |
36 | CSsymonEtw::~CSsymonEtw(void)
37 | {
38 | }
39 |
40 |
41 | ULONG CSsymonEtw::InitData()
42 | {
43 | FILETIME SystemTimeAsFileTime;
44 |
45 | if ( CSsymonEtw::m_bInitData )
46 | {
47 | //sub_4144E0(1);
48 | }
49 | else
50 | {
51 | InitializeCriticalSection(&m_csData);
52 | CSsymonEtw::m_bInitData = 1;
53 | }
54 |
55 | GetSystemTimeAsFileTime(&SystemTimeAsFileTime);
56 | m_SystemTime = SystemTimeAsFileTime;
57 | return SystemTimeAsFileTime.dwHighDateTime;
58 | }
59 |
60 | void CSsymonEtw::Enter()
61 | {
62 | EnterCriticalSection(&m_csData);
63 | }
64 |
65 | void CSsymonEtw::Leave()
66 | {
67 | LeaveCriticalSection(&m_csData);
68 | }
69 |
70 | HRESULT CSsymonEtw::StartTrace(BOOL bStart)
71 | {
72 | WSAData Wsa = {0};
73 | BOOL IsThanXp = FALSE;
74 | DWORD dwVerison = GetVersion();
75 | DWORD dwMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVerison)));
76 | DWORD dwMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVerison)));
77 | DWORD FileMode = 0;
78 | UINT ThreadId;
79 | HRESULT bFail;
80 |
81 | if (m_bInit == FALSE)
82 | {
83 | HMODULE hAdv = LoadLibraryW(L"advapi32.dll");
84 | m_pStartTrace = (pStartTrace)GetProcAddress(hAdv, "StartTraceW");
85 | m_pControlTrace = (pControlTrace)GetProcAddress(hAdv, "ControlTraceW");
86 | m_pOpenTrace = (pOpenTrace)GetProcAddress(hAdv, "OpenTraceW");
87 | m_pProcessTrace = (pProcessTrace)GetProcAddress(hAdv, "ProcessTrace");
88 | int ret = WSAStartup(
89 | MAKEWORD(2,2),
90 | &Wsa);
91 | if ( ret )
92 | return ret;
93 |
94 | m_bInit = TRUE;
95 | }
96 |
97 | if (!m_pStartTrace)
98 | {
99 | return 1;
100 | }
101 |
102 | if (m_bStartTrace == bStart)
103 | {
104 | return 0;
105 | }
106 |
107 | if (dwMajorVersion >= 6 )
108 | {
109 | if(dwMinorVersion >= 2)
110 | {
111 | IsThanXp = TRUE;
112 | }
113 | }
114 |
115 | Sysomn_Event_Properties SysmonEvent = {0};
116 | SysmonEvent.Properties.Wnode.BufferSize = sizeof(Sysomn_Event_Properties);
117 | SysmonEvent.Properties.Wnode.Flags = WNODE_FLAG_TRACED_GUID ;
118 | SysmonEvent.Properties.Wnode.ClientContext = 1;
119 | SysmonEvent.Properties.FlushTimer = 1;
120 | SysmonEvent.Properties.LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
121 | SysmonEvent.Properties.LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) +
122 | MAX_PATH*sizeof(TCHAR);
123 |
124 |
125 | FileMode = 0;
126 | if (IsThanXp)
127 | {
128 | FileMode = EVENT_TRACE_SYSTEM_LOGGER_MODE;
129 | }
130 |
131 | SysmonEvent.Properties.LogFileMode = FileMode |
132 | EVENT_TRACE_REAL_TIME_MODE;
133 |
134 | if ( dwMajorVersion < 6 || dwMinorVersion < 2)
135 | {
136 | SysmonEvent.Properties.Wnode.Guid = SystemTraceControlGuid;
137 | }
138 |
139 | LPCTSTR pLogName = _T("SYSMON TRACE");
140 |
141 | if (!IsThanXp)
142 | {
143 | pLogName = _T("NT Kernel Logger");
144 | }
145 |
146 |
147 | StringCchCopy(SysmonEvent.LoggerName,MAX_PATH,pLogName );
148 |
149 | if (CSysmonUtil::SysmonVersionIsSupport())
150 | {
151 | SysmonEvent.Properties.EnableFlags = EVENT_TRACE_FLAG_EXTENSION;
152 | SysmonEvent.Properties.EnableFlags |= 0x00FF0000;
153 | SysmonEvent.Properties.EnableFlags |=
154 | (EVENT_TRACE_FLAG_DISK_IO_INIT |
155 | EVENT_TRACE_FLAG_SYSTEMCALL |
156 | EVENT_TRACE_FLAG_PROCESS_COUNTERS);
157 | SysmonEvent.dwMax2 = 0x10009;
158 | SysmonEvent.dwMax1 = 0x1000A;
159 | SysmonEvent.dwMax3 = 0x10000;
160 | }
161 | else
162 | {
163 | SysmonEvent.Properties.EnableFlags |= EVENT_TRACE_FLAG_NETWORK_TCPIP;
164 | }
165 |
166 | if (bStart)
167 | {
168 | InitData();
169 |
170 | ULONG bSuccess = m_pStartTrace(
171 | &m_SessionHandle,
172 | SysmonEvent.LoggerName,
173 | &SysmonEvent.Properties);
174 |
175 | if ( bSuccess && bSuccess != ERROR_ALREADY_EXISTS)
176 | {
177 | //sub_418280(&Text, L"Network trace initialization failed: Error %d", v11);
178 | //MessageBoxW(0, &Text, L"System Monitor", 0x10u);
179 | bFail = bSuccess;
180 | }
181 | else
182 | {
183 | m_hEtwTraceThread = (HANDLE)
184 | _beginthreadex(
185 | 0,
186 | 0,
187 | CSsymonEtw::ProcessTraceThread,
188 | 0,
189 | 0,
190 | &ThreadId);
191 | m_bStartTrace = bStart;
192 | bFail = 0;
193 | }
194 | }
195 | else
196 | {
197 | SetEvent(m_hGlobalEvent);
198 | bFail = m_pControlTrace(
199 | m_SessionHandle,
200 | SysmonEvent.LoggerName,
201 | &SysmonEvent.Properties,
202 | EVENT_TRACE_CONTROL_STOP);
203 |
204 | WaitForSingleObject(m_hEtwTraceThread, INFINITE);
205 | CloseHandle(m_hEtwTraceThread);
206 | m_hEtwTraceThread = 0;
207 | ResetEvent(m_hGlobalEvent);
208 |
209 | if ( !bFail )
210 | {
211 | m_bStartTrace = 0;
212 | //sub_414630();
213 | }
214 | }
215 |
216 | return bFail;
217 | }
218 |
219 | void* CSsymonEtw::GetEventClassPropertyListList(PEVENT_TRACE pEventTrace)
220 | {
221 |
222 | if (!m_EventClassNums)
223 | {
224 | //EventTraceGuid
225 |
226 | m_EventClassNums++;
227 | }
228 |
229 | if (pEventTrace)
230 | {
231 |
232 | }
233 |
234 | return 0;
235 | }
236 |
237 | UINT CSsymonEtw::ProcessTraceThread(void* lp)
238 | {
239 | BOOL IsThanXp = FALSE;
240 | BOOL IsStop = FALSE;
241 | DWORD dwVerison = GetVersion();
242 | DWORD dwMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVerison)));
243 | DWORD dwMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVerison)));
244 |
245 | if (dwMajorVersion >= 6 )
246 | {
247 | if(dwMinorVersion >= 2)
248 | {
249 | IsThanXp = TRUE;
250 | }
251 | }
252 |
253 | EVENT_TRACE_LOGFILE SysmonEvent = {0};
254 | SysmonEvent.LoggerName = NULL;
255 | SysmonEvent.Context = 0;
256 | SysmonEvent.BufferCallback = CSsymonEtw::BufferCallback;
257 | SysmonEvent.BuffersRead = 0;
258 |
259 |
260 | LPCTSTR pLogName = _T("SYSMON TRACE");
261 |
262 | if (!IsThanXp)
263 | {
264 | pLogName = _T("NT Kernel Logger");
265 | }
266 |
267 | SysmonEvent.LoggerName = (LPWSTR)pLogName;
268 | SysmonEvent.CurrentTime = 0;
269 | SysmonEvent.EventCallback = CSsymonEtw::EventCallback;
270 | SysmonEvent.LogFileMode = EVENT_TRACE_REAL_TIME_MODE |
271 | EVENT_TRACE_ADD_HEADER_MODE;
272 |
273 | TRACEHANDLE hOpenTrace = CSsymonEtw::Instance()->m_pOpenTrace(&SysmonEvent);
274 |
275 | if (!hOpenTrace)
276 | {
277 | return -1;
278 | }
279 |
280 | UINT ThreadId = 0;
281 | HANDLE hDataThread = (void *)_beginthreadex(
282 | 0,
283 | 0,
284 | ProcessDataThread,
285 | 0,
286 | 0,
287 | &ThreadId);
288 |
289 | ULONG bSuccess = CSsymonEtw::Instance()->m_pProcessTrace(
290 | &hOpenTrace,
291 | 1,
292 | 0,
293 | 0);
294 |
295 | if ( WaitForSingleObject(
296 | CSsymonEtw::Instance()->m_hGlobalEvent,
297 | 0) == STATUS_TIMEOUT )
298 | {
299 | IsStop = 1;
300 | SetEvent(CSsymonEtw::Instance()->m_hGlobalEvent);
301 | }
302 |
303 | WaitForSingleObject(hDataThread, INFINITE);
304 | CloseHandle(hDataThread);
305 |
306 | if ( IsStop )
307 | {
308 | CloseHandle(CSsymonEtw::Instance()->m_hEtwTraceThread);
309 | CSsymonEtw::Instance()->m_hEtwTraceThread = 0;
310 | ResetEvent(CSsymonEtw::Instance()->m_hGlobalEvent);
311 |
312 | CSsymonEtw::Instance()->m_bStartTrace = 0;
313 |
314 | //sub_414630();
315 |
316 | // if ( sub_407C70() & 1 )
317 | CSsymonEtw::Instance()->StartTrace(1);
318 | }
319 |
320 | return 0;
321 | }
322 |
323 |
324 | ULONG
325 | CSsymonEtw::BufferCallback(
326 | PEVENT_TRACE_LOGFILE Buffer
327 | )
328 | {
329 | return 0;
330 | }
331 |
332 | #include "CMofDataParser.h"
333 | VOID
334 | CSsymonEtw::EventCallback(
335 | PEVENT_TRACE pEvent
336 | )
337 | {
338 | if (pEvent)
339 | {
340 | //CMofParseRes Result;
341 | //CSsymonEtw::Instance()->m_MofDataParser.Parse(pEvent,Result);
342 |
343 | return;
344 |
345 | CSysmonDataEntry* pDataEntry = CSsymonEtw::Instance()->m_SysmonMofData.Phase_1(
346 | &pEvent->Header.Guid,
347 | pEvent->Header.Class.Version,
348 | pEvent->Header.Class.Level,
349 | pEvent->Header.Class.Type);
350 |
351 | if (pDataEntry)
352 | {
353 | CSsymonEtw::Instance()->Enter();
354 | CSsymonEtw::Instance()->m_SysmonMofData.Phase_2(pEvent,pDataEntry);
355 | CSsymonEtw::Instance()->Leave();
356 | }
357 | }
358 |
359 | }
360 |
361 |
362 | UINT
363 | CSsymonEtw::ProcessDataThread(void* lp)
364 | {
365 | LARGE_INTEGER PerformanceCount;
366 |
367 | while ( WaitForSingleObject(
368 | CSsymonEtw::Instance()->m_hGlobalEvent,
369 | 250) == STATUS_TIMEOUT )
370 | {
371 | CSsymonEtw::Instance()->Enter();
372 |
373 | QueryPerformanceCounter(&PerformanceCount);
374 | ULONG LowPart = PerformanceCount.LowPart -
375 | CSsymonEtw::Instance()->m_PerformanceCount.LowPart;
376 |
377 | ULONG HighPart = (PerformanceCount.HighPart -
378 | CSsymonEtw::Instance()->m_PerformanceCount.HighPart);
379 |
380 | ULONGLONG QuadPart = PerformanceCount.QuadPart -
381 | CSsymonEtw::Instance()->m_PerformanceCount.QuadPart;
382 |
383 | ULONGLONG Frequency = 0;
384 | LARGE_INTEGER ft2 = {0};
385 | LARGE_INTEGER lg2 = {0};
386 | LARGE_INTEGER lg3 = {0};
387 |
388 | if ( HighPart >= 0 )
389 | {
390 | lg2.QuadPart = ((10000000 * (QuadPart % CSsymonEtw::Instance()->m_Frequency.QuadPart)) /
391 | CSsymonEtw::Instance()->m_Frequency.QuadPart +
392 | 10000000 * (QuadPart / CSsymonEtw::Instance()->m_Frequency.QuadPart));
393 |
394 | ft2.LowPart = lg2.LowPart;
395 | }
396 | else
397 | {
398 |
399 |
400 | lg2.QuadPart = CSysmonUtil::CounterTimes(
401 | CSsymonEtw::Instance()->m_SystemTime,
402 | -HighPart);
403 |
404 | ft2.LowPart = lg2.LowPart;
405 | }
406 |
407 | ft2.HighPart = CSsymonEtw::Instance()->m_SystemTime.dwHighDateTime;
408 | lg3.LowPart += CSsymonEtw::Instance()->m_SystemTime.dwLowDateTime;
409 | lg2.LowPart = CSsymonEtw::Instance()->m_SystemTime.dwLowDateTime;
410 |
411 | ft2.HighPart = (ft2.QuadPart + lg2.QuadPart) >> 32;
412 |
413 | CSsymonEtw::Instance()->Leave();
414 | }
415 |
416 | return 0;
417 | }
--------------------------------------------------------------------------------
/Sysmon/CMofDataParser.h:
--------------------------------------------------------------------------------
1 | #ifndef _CMofDataParser_h
2 | #define _CMofDataParser_h
3 |
4 | #include "Sysmon.h"
5 |
6 | #define MAX_CHAR_ARRAY_SIZE 20
7 | #define TCHAR_VALUE 0x1
8 | #define UINT32_ARRAY_VALUE 0x2
9 | #define OTHER_VALUE 0x4
10 | #define CHAR_ARRAY_VALUE 0x8
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 | typedef unsigned int uint32;
17 | typedef unsigned long long uint64;
18 |
19 | extern "C"
20 | {
21 | typedef HRESULT (WINAPI * pSafeArrayDestroy)(SAFEARRAY *);
22 | typedef HRESULT (WINAPI * pSafeArrayGetElement)(SAFEARRAY * , LONG *, void *);
23 | };
24 |
25 |
26 | typedef struct _MOF_DATA_HEADER
27 | {
28 | int MofCount;
29 | SYSTEMTIME MofLocal;
30 | BSTR MofClassName;
31 | BSTR MofTypeName;
32 | USHORT MofType;
33 | USHORT MofLevel;
34 | USHORT MofVsersion;
35 | GUID MofGuid;
36 | }MOF_DATA_HEADER;
37 |
38 | typedef struct _MOF_CHAR_ARRAY
39 | {
40 | TCHAR Name[20];
41 | union
42 | {
43 | char* cValue;
44 | WCHAR* wValue;
45 | };
46 |
47 | }MOF_CHAR_ARRAY;
48 |
49 | typedef struct _MOF_ITEM
50 | {
51 | TCHAR Name[50];
52 | ULONG Types;
53 | UINT32 ArraySize;
54 | union
55 | {
56 | TCHAR* cValues;
57 | LARGE_INTEGER liValue;
58 | UINT32* u32ArrayValue;
59 | MOF_CHAR_ARRAY* mofcArray;
60 | };
61 |
62 | }MOF_ITEM,*PMOF_ITEM;
63 |
64 | typedef struct _MOF_PROPERTY
65 | {
66 | LIST_ENTRY Entry;
67 | BSTR Name;
68 | ULONG Types;
69 | UINT32 ArraySize;
70 |
71 | }MOF_PROPERTY;
72 |
73 | class CMofParseRes
74 | {
75 | friend class CMofDataParser;
76 | public:
77 | CMofParseRes()
78 | {
79 | ZeroMemory(
80 | this,
81 | sizeof(*this));
82 |
83 | InitializeListHead(
84 | &m_MofPropertyList
85 | );
86 | }
87 |
88 | ~CMofParseRes()
89 | {
90 | }
91 |
92 | UINT32 GetCount()
93 | {
94 | return m_MofHeader.MofCount;
95 | }
96 |
97 | SYSTEMTIME GetTimeStmp()
98 | {
99 | return m_MofHeader.MofLocal;
100 | }
101 |
102 | public:
103 | LIST_ENTRY m_Entry;
104 | private:
105 | MOF_DATA_HEADER m_MofHeader;
106 | LIST_ENTRY m_MofPropertyList;
107 |
108 | };
109 |
110 | typedef struct _propertyList
111 | {
112 | BSTR Name;
113 | LONG CimType;
114 | IWbemQualifierSet* pQualifiers;
115 |
116 | } PROPERTY_LIST;
117 |
118 | class CMofData
119 | {
120 | public:
121 | CMofData(void)
122 | {
123 | m_Mof = NULL;
124 | memset(
125 | &m_MofHead,
126 | 0,
127 | sizeof(MOF_DATA_HEADER));
128 | }
129 |
130 | CMofData(const CMofData& Mof)
131 | {
132 | m_Mof = Mof.m_Mof;
133 | }
134 |
135 | CMofData(const PMOF_ITEM& Mof)
136 | {
137 | m_Mof = Mof;
138 | }
139 |
140 | ~CMofData(void)
141 | {
142 |
143 | }
144 |
145 |
146 | void operator =(const PMOF_ITEM Mof)
147 | {
148 | m_Mof = Mof;
149 | }
150 |
151 | BOOL operator ==(const TCHAR* Name )
152 | {
153 | if ( m_Mof )
154 | {
155 | if (sizeof(TCHAR) >= 2 )
156 | {
157 | if ( !wcsicmp(Name,m_Mof->Name))
158 | {
159 | return TRUE;
160 | }
161 |
162 | }
163 | else
164 | {
165 | if (!stricmp(
166 | (char*)Name,
167 | (char*)m_Mof->Name))
168 | {
169 | return TRUE;
170 | }
171 | }
172 |
173 | }
174 | return FALSE;
175 | }
176 |
177 | UINT32 getDataInt32( UINT32 DataType ,int Index = 0)
178 | {
179 | if ( m_Mof )
180 | {
181 | if(m_Mof->Types == DataType
182 | )
183 | {
184 |
185 | if (DataType == UINT32_ARRAY_VALUE)
186 | {
187 | if (m_Mof->u32ArrayValue)
188 | {
189 | return m_Mof->u32ArrayValue[Index];
190 | }
191 | }
192 | else if ( DataType == CHAR_ARRAY_VALUE )
193 | {
194 | if ( m_Mof->mofcArray )
195 | {
196 | return (UINT32)&m_Mof->mofcArray[Index];
197 | }
198 | }
199 |
200 |
201 | }
202 |
203 | }
204 |
205 | return 0;
206 | }
207 |
208 | UINT64 getDataInt64( UINT32 DataType ,int Index = 0 )
209 | {
210 | if ( m_Mof )
211 | {
212 | if(m_Mof->Types == DataType
213 | )
214 | {
215 |
216 | if (DataType == OTHER_VALUE)
217 | {
218 | return m_Mof->liValue.QuadPart;
219 | }
220 | }
221 |
222 | }
223 |
224 | return 0;
225 | }
226 |
227 | TCHAR* getWideString( UINT32 DataType ,int Index = 0 )
228 | {
229 | if ( m_Mof )
230 | {
231 | if(m_Mof->Types == DataType
232 | )
233 | {
234 |
235 | if (DataType == CHAR_ARRAY_VALUE )
236 | {
237 | if (m_Mof->mofcArray)
238 | {
239 | return m_Mof->mofcArray[Index].wValue;
240 | }
241 | }
242 | else if ( DataType == TCHAR_VALUE )
243 | {
244 | if ( m_Mof->cValues )
245 | {
246 | return (TCHAR*)m_Mof->cValues;
247 | }
248 | }
249 | }
250 | }
251 |
252 | return NULL;
253 | }
254 |
255 | char* getAnsiString( UINT32 DataType ,int Index = 0 )
256 | {
257 | if ( m_Mof )
258 | {
259 | if(m_Mof->Types == DataType
260 | )
261 | {
262 |
263 | if (DataType == CHAR_ARRAY_VALUE )
264 | {
265 | if (m_Mof->mofcArray)
266 | {
267 | return m_Mof->mofcArray[Index].cValue;
268 | }
269 | }
270 | else if ( DataType == TCHAR_VALUE )
271 | {
272 | if ( m_Mof->cValues )
273 | {
274 | return (char*)m_Mof->cValues;
275 | }
276 | }
277 | }
278 | }
279 |
280 | return NULL;
281 | }
282 |
283 | UINT32 GetProcessId()
284 | {
285 | return getDataInt32( UINT32_ARRAY_VALUE );
286 | }
287 |
288 | UINT64 GetUniqueProcessKey()
289 | {
290 | return getDataInt64( OTHER_VALUE );
291 | }
292 |
293 | char* GetProcessImageFileName()
294 | {
295 | char* ImageFileName = NULL;
296 |
297 | if (! (ImageFileName = getAnsiString( TCHAR_VALUE , 0 )) )
298 | {
299 | ImageFileName = getAnsiString(CHAR_ARRAY_VALUE,0);
300 | }
301 |
302 | return ImageFileName;
303 | }
304 |
305 |
306 | /************************************************************************/
307 | /* FileObject
308 | */
309 | /************************************************************************/
310 |
311 | UINT64 GetFileObject()
312 | {
313 | return getDataInt64(OTHER_VALUE,0);
314 | }
315 |
316 | TCHAR* GetFileOpenPath()
317 | {
318 | TCHAR* OpenPath = NULL;
319 |
320 | if ( !(OpenPath = getWideString(
321 | TCHAR_VALUE,
322 | 0)))
323 | {
324 | OpenPath = getWideString(
325 | CHAR_ARRAY_VALUE,
326 | 0);
327 | }
328 |
329 | return OpenPath;
330 | }
331 |
332 | private:
333 | MOF_DATA_HEADER m_MofHead;
334 | PMOF_ITEM m_Mof;
335 | LIST_ENTRY m_Entry;
336 | };
337 |
338 |
339 |
340 | class CMofDataParser
341 | {
342 | public:
343 | CMofDataParser(void);
344 |
345 |
346 | virtual ~CMofDataParser(void);
347 | private:
348 | HRESULT Connect(
349 | BSTR bstrNamespace
350 | );
351 | public:
352 |
353 | void SetPointSize(ULONG PointSize )
354 | {
355 | m_PointerSize = 8;
356 | }
357 |
358 | BOOL Parse(
359 | PEVENT_TRACE pEvent,
360 | CMofParseRes& Result );
361 |
362 | private:
363 | IWbemServices* m_pServices;
364 | ULONG m_PointerSize;
365 | LIST_ENTRY m_ModDataList;
366 | protected:
367 | void GetPropertyName(
368 | PROPERTY_LIST* pProperty,
369 | TCHAR* PropertyName
370 | );
371 |
372 | PBYTE GetPropertyValue(
373 | PROPERTY_LIST* pProperty,
374 | MOF_ITEM& MofItem,
375 | PBYTE pEventData,
376 | USHORT RemainingBytes);
377 |
378 | IWbemClassObject* GetEventCategoryClass(
379 | BSTR bstrClassGuid,
380 | int Version);
381 |
382 | CMofParseRes* GetEventClassPropertyList(
383 | IWbemClassObject* pEventCategoryClass,
384 | GUID& Guid,
385 | USHORT Version,
386 | USHORT Level,
387 | USHORT EventType);
388 |
389 | void FreePropertyList(
390 | PROPERTY_LIST* pProperties,
391 | DWORD Count);
392 |
393 | BOOL GetPropertyList(
394 | IWbemClassObject* pClass,
395 | PROPERTY_LIST** ppProperties,
396 | DWORD* pPropertyCount,
397 | LONG* PropertyIndex);
398 |
399 | LONG GetArraySize(
400 | IWbemQualifierSet* pQualifierSet);
401 |
402 | LONG GetArrayValue(
403 | CIMTYPE CimType,
404 | IWbemQualifierSet * pQualifierSet);
405 |
406 | void AddProperityList(
407 | LIST_ENTRY* Entry,
408 | BSTR pvData,
409 | LONG ValueLen,
410 | LONG ArraySize);
411 |
412 | void AddGlobalEvent(
413 | LIST_ENTRY* Entry);
414 |
415 | public:
416 | CMofDataParser* Instance();
417 | };
418 |
419 | class FileCreateNameX86
420 | {
421 |
422 | public:
423 | FileCreateNameX86(void)
424 | {
425 |
426 | }
427 |
428 | ~FileCreateNameX86()
429 | {
430 |
431 | }
432 |
433 | UINT32 FileObject;
434 | TCHAR FileName[1];
435 | };
436 |
437 | class CPropertyRes;
438 |
439 |
440 | class CPropertyRes
441 | {
442 | friend class CPropertyData;
443 | public:
444 | CPropertyRes(void)
445 | {
446 | ZeroMemory(this,sizeof(*this));
447 | }
448 |
449 | CPropertyRes(const CPropertyRes& Res)
450 | {
451 | ZeroMemory(this,sizeof(*this));
452 |
453 | if (Res.mData_ && Res.mLen_)
454 | {
455 | mData_ = new BYTE[Res.mLen_ + 1];
456 |
457 | if ( mData_ )
458 | {
459 | CopyMemory(
460 | mData_,
461 | Res.mData_,
462 | Res.mLen_);
463 |
464 | mLen_ = Res.mLen_;
465 | }
466 |
467 | CopyMemory(
468 | mName,
469 | Res.mName,
470 | 50);
471 | }
472 |
473 | }
474 |
475 | ~CPropertyRes(void)
476 | {
477 | if (mData_)
478 | {
479 | delete[] (char*)mData_;
480 | mData_ = NULL;
481 | }
482 |
483 | mLen_ = NULL;
484 |
485 | ZeroMemory(this,sizeof(*this));
486 | }
487 |
488 | void Init()
489 | {
490 | mData_ = NULL;
491 | mLen_ = 0;
492 | }
493 |
494 | TCHAR* GetFileName()
495 | {
496 | return (TCHAR*)mData_;
497 | }
498 |
499 | char* GetProcessName()
500 | {
501 | return (char*)mData_;
502 | }
503 |
504 | TCHAR* GetQueryDomainName()
505 | {
506 | return (TCHAR*)mData_;
507 | }
508 |
509 | TCHAR* GetQueryResult()
510 | {
511 | return (TCHAR*)mData_;
512 | }
513 |
514 | ULONGLONG GetFileObject()
515 | {
516 | if ( mData_ )
517 | {
518 | return *((ULONGLONG*)mData_);
519 | }
520 |
521 | return 0;
522 | }
523 |
524 | ULONG GetProcessId()
525 | {
526 | if ( mData_ )
527 | {
528 | return *((ULONG*)mData_);
529 | }
530 |
531 | return -1;
532 | }
533 |
534 | WORD GetPort()
535 | {
536 | if ( mData_ )
537 | {
538 | return *((WORD*)mData_);
539 | }
540 |
541 | return -1;
542 | }
543 |
544 | ULONG GetQueryStatus()
545 | {
546 | if ( mData_ )
547 | {
548 | return *((ULONG*)mData_);
549 | }
550 |
551 | return -1;
552 | }
553 |
554 | ULONG GetIpAddress()
555 | {
556 | if ( mData_ )
557 | {
558 | return *((ULONG*)mData_);
559 | }
560 |
561 | return -1;
562 | }
563 |
564 | ULONG GetIoSize()
565 | {
566 | if ( mData_ )
567 | {
568 | return *((ULONG*)mData_);
569 | }
570 |
571 | return 0;
572 | }
573 |
574 | BOOL operator == ( TCHAR* StrName)
575 | {
576 | if (!wcsicmp(StrName,mName))
577 | {
578 | return TRUE;
579 | }
580 |
581 | return FALSE;
582 | }
583 |
584 | private:
585 | TCHAR mName[50];
586 | PBYTE mData_;
587 | int mLen_;
588 |
589 | };
590 |
591 | #define PARSE_TYPE_FILE 1
592 | #define PARSE_TYPE_OTHER 2
593 |
594 | static CPropertyRes Res;
595 |
596 | #endif
--------------------------------------------------------------------------------
/Sysmon.sys/Sysmon.sys.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {E179CA60-36AC-4DCC-8B87-06214F32DD0B}
23 | Win32Proj
24 | Sysmonsys
25 |
26 |
27 |
28 | DynamicLibrary
29 | true
30 | Unicode
31 |
32 |
33 | DynamicLibrary
34 | true
35 | Unicode
36 |
37 |
38 | DynamicLibrary
39 | false
40 | true
41 | Unicode
42 |
43 |
44 | DynamicLibrary
45 | false
46 | true
47 | Unicode
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 | false
67 |
68 |
69 | true
70 |
71 |
72 | false
73 | false
74 |
75 |
76 | false
77 | false
78 | Sysmon64
79 | .sys
80 |
81 |
82 |
83 | NotUsing
84 | Level3
85 | Disabled
86 | WIN32;_X86_
87 | $(WDK_PATH_INCLUDE);cpplib\;%(AdditionalIncludeDirectories)
88 | Disabled
89 | false
90 | false
91 | false
92 | Default
93 | MultiThreadedDebug
94 | false
95 | false
96 | false
97 | false
98 | ProgramDatabase
99 | StdCall
100 |
101 |
102 | Native
103 | true
104 | $(WDK_PATH_LIB);FltMgr.lib
105 | true
106 | CDriverEntry::Init
107 | 0x10000
108 |
109 |
110 |
111 |
112 | $(WDK_PATH_LIB_DIR)
113 | $(OutDir)$(TargetName)
114 | /INTEGRITYCHECK %(AdditionalOptions)
115 |
116 |
117 |
118 |
119 |
120 |
121 | NotUsing
122 | Level3
123 | Disabled
124 | WIN64;_WIN64;_AMD64_
125 | $(WDK_PATH_INCLUDE);cpplib\;%(AdditionalIncludeDirectories)
126 | Disabled
127 | false
128 | false
129 | false
130 | Default
131 | MultiThreadedDebug
132 | false
133 | false
134 | false
135 | false
136 | ProgramDatabase
137 | StdCall
138 |
139 |
140 | Native
141 | true
142 | $(WDK_PATH_LIB_64)
143 | true
144 | CDriverEntry::Init
145 | 0x10000
146 |
147 |
148 |
149 |
150 |
151 |
152 | $(OutDir)$(TargetName)
153 | /INTEGRITYCHECK %(AdditionalOptions)
154 |
155 |
156 |
157 |
158 | Level3
159 | NotUsing
160 | Disabled
161 | false
162 | false
163 | WIN32;_X86_
164 | $(WDK_PATH_INCLUDE);cpplib\;%(AdditionalIncludeDirectories)
165 | Disabled
166 | false
167 | false
168 | MultiThreaded
169 | false
170 | StdCall
171 |
172 |
173 |
174 |
175 | None
176 | Default
177 |
178 |
179 | Native
180 | true
181 | true
182 | true
183 | CDriverEntry::Init
184 | 0x10000
185 |
186 |
187 |
188 |
189 | $(OutDir)$(TargetName)
190 | $(WDK_PATH_LIB);FltMgr.lib
191 | true
192 | /INTEGRITYCHECK %(AdditionalOptions)
193 |
194 |
195 |
196 |
197 |
198 |
199 |
200 |
201 |
202 |
203 | $(WDK_PATH_LIB_DIR)
204 |
205 |
206 |
207 |
208 | Level3
209 | NotUsing
210 | Disabled
211 | false
212 | false
213 | WIN64;_WIN64;_AMD64_
214 | $(WDK_PATH_INCLUDE);cpplib\;%(AdditionalIncludeDirectories)
215 | Disabled
216 | false
217 | false
218 | MultiThreaded
219 | false
220 | StdCall
221 |
222 |
223 | Native
224 | true
225 | true
226 | true
227 | CDriverEntry::Init
228 | 0x10000000
229 |
230 |
231 |
232 |
233 | $(OutDir)$(TargetName)$(TargetExt)
234 | $(WDK_PATH_LIB_64)
235 | true
236 | /INTEGRITYCHECK %(AdditionalOptions)
237 |
238 |
239 |
240 |
241 |
242 |
243 |
244 |
245 |
246 |
247 |
248 |
249 |
250 |
251 |
252 |
253 |
254 |
255 |
256 |
257 |
258 |
259 |
260 |
261 |
262 |
263 |
264 |
265 |
266 |
267 |
268 |
269 |
270 |
271 |
272 |
273 |
274 |
275 |
276 |
277 |
278 |
279 |
280 |
281 |
282 |
283 |
284 |
285 |
286 |
287 |
288 |
289 |
290 |
291 |
292 |
293 |
294 |
295 |
296 |
297 |
298 |
299 |
300 |
301 |
302 |
303 |
304 |
305 |
306 |
307 |
308 |
309 |
310 |
311 |
312 |
313 |
314 | Create
315 | Create
316 | Create
317 | Create
318 |
319 |
320 |
321 |
322 |
323 |
324 |
--------------------------------------------------------------------------------
/Sysmon/undname.idl:
--------------------------------------------------------------------------------
1 | import "oaidl.idl";
2 | import "ocidl.idl";
3 |
4 | //
5 | // Copyright (c) Microsoft Corporation. All rights reserved.
6 | //
7 | //
8 | // Use of this source code is subject to the terms of your Microsoft Windows CE
9 | // Source Alliance Program license form. If you did not accept the terms of
10 | // such a license, you are not authorized to use this source code.
11 | //
12 | /*
13 | * This module contains the definitions for the inline functions used by the
14 | * name undecorator. It is intended that this file should be included
15 | * somewhere in the source file for the undecorator to maximise the chance
16 | * that they will be truly inlined.
17 | */
18 | // The following class is a special node class, used in the implementation
19 | // of the internal chaining mechanism of the 'DName's
20 | // class charNode;
21 | // class pcharNode;
22 | // class pDNameNode;
23 | // class DNameStatusNode;
24 | // #if ( NO_VIRTUAL )
25 | // enum NodeType
26 | // {
27 | // charNode_t,
28 | // pcharNode_t,
29 | // pDNameNode_t,
30 | // DNameStatusNode_t
31 | // };
32 | // #endif // NO_VIRTUAL
33 | // class DNameNode
34 | // {
35 | // private:
36 | // #if NO_VIRTUAL
37 | // NodeType typeIndex;
38 | // #endif // NO_VIRTUAL
39 | // DNameNode * next;
40 | // protected:
41 | // #if ( !NO_VIRTUAL )
42 | // __near DNameNode ();
43 | // #else // } elif NO_VIRTUAL {
44 | // __near DNameNode ( NodeType );
45 | // #endif // NO_VIRTUAL
46 | // __near DNameNode ( const DNameNode & );
47 | // public:
48 | // virtual int __near length () const PURE;
49 | // virtual char __near getLastChar () const PURE;
50 | // virtual pchar_t __near getString ( pchar_t, int ) const PURE;
51 | // DNameNode * __near clone ();
52 | // DNameNode * __near nextNode () const;
53 | // DNameNode & __near operator += ( DNameNode * );
54 | // };
55 | // class charNode : public DNameNode
56 | // {
57 | // private:
58 | // char me;
59 | // public:
60 | // __near charNode ( char );
61 | // virtual int __near length () const;
62 | // virtual char __near getLastChar () const;
63 | // virtual pchar_t __near getString ( pchar_t, int ) const;
64 | // };
65 | // class pcharNode : public DNameNode
66 | // {
67 | // private:
68 | // pchar_t me;
69 | // int myLen;
70 | // public:
71 | // __near pcharNode ( pcchar_t, int = 0 );
72 | // virtual int __near length () const;
73 | // virtual char __near getLastChar () const;
74 | // virtual pchar_t __near getString ( pchar_t, int ) const;
75 | // };
76 | // class pDNameNode : public DNameNode
77 | // {
78 | // private:
79 | // DName * me;
80 | // public:
81 | // __near pDNameNode ( DName * );
82 | // virtual int __near length () const;
83 | // virtual char __near getLastChar () const;
84 | // virtual pchar_t __near getString ( pchar_t, int ) const;
85 | // };
86 | // class DNameStatusNode : public DNameNode
87 | // {
88 | // private:
89 | // #define TruncationMessage (" ?? ")
90 | // #define TruncationMessageLength (4)
91 | // DNameStatus me;
92 | // int myLen;
93 | // public:
94 | // __near DNameStatusNode ( DNameStatus );
95 | // virtual int __near length () const;
96 | // virtual char __near getLastChar () const;
97 | // virtual pchar_t __near getString ( pchar_t, int ) const;
98 | // };
99 | // // Memory allocation functions
100 | // inline void __far * __near __pascal operator new ( unsigned int sz, HeapManager &, int noBuffer )
101 | // { return heap.getMemory ( sz, noBuffer ); }
102 | // void __far * __near HeapManager::getMemory ( unsigned int sz, int noBuffer )
103 | // {
104 | // // Align the allocation on an appropriate boundary
105 | // sz = (( sz + PACK_SIZE-1 ) & ~(PACK_SIZE-1) );
106 | // if ( noBuffer )
107 | // return ( *pOpNew )( sz );
108 | // else
109 | // {
110 | // // Handler a potential request for no space
111 | // if ( !sz )
112 | // sz = 1;
113 | // if ( blockLeft < sz )
114 | // {
115 | // // Is the request greater than the largest buffer size ?
116 | // if ( sz > memBlockSize )
117 | // return 0; // If it is, there is nothing we can do
118 | // // Allocate a new block
119 | // Block * pNewBlock = rnew Block;
120 | // // Did the allocation succeed ? If so connect it up
121 | // if ( pNewBlock )
122 | // {
123 | // // Handle the initial state
124 | // if ( tail )
125 | // tail = tail->next = pNewBlock;
126 | // else
127 | // head = tail = pNewBlock;
128 | // // Compute the remaining space
129 | // blockLeft = memBlockSize - sz;
130 | // } // End of IF then
131 | // else
132 | // return 0; // Oh-oh! Memory allocation failure
133 | // } // End of IF then
134 | // else
135 | // blockLeft -= sz; // Deduct the allocated amount
136 | // // And return the buffer address
137 | // return &( tail->memBlock[ blockLeft ]);
138 | // } // End of IF else
139 | // } // End of "HeapManager" FUNCTION "getMemory(unsigned int,int)"
140 | // // Friend functions of 'DName'
141 | // inline DName __near __pascal operator + ( char c, const DName & rd )
142 | // { return DName ( c ) + rd; }
143 | // inline DName __near __pascal operator + ( DNameStatus st, const DName & rd )
144 | // { return DName ( st ) + rd; }
145 | // inline DName __near __pascal operator + ( pcchar_t s, const DName & rd )
146 | // { return DName ( s ) + rd; }
147 | // // The 'DName' constructors
148 | // inline __near DName::DName () { node = 0; stat = DN_valid; isIndir = 0; isAUDC = 0; isAUDTThunk = 0; NoTE = 0; }
149 | // inline __near DName::DName ( DNameNode * pd ) { node = pd; stat = DN_valid; isIndir = 0; isAUDC = 0; isAUDTThunk = 0; NoTE = 0; }
150 | // __near DName::DName ( char c )
151 | // {
152 | // stat = DN_valid;
153 | // isIndir = 0;
154 | // isAUDC = 0;
155 | // isAUDTThunk = 0;
156 | // node = 0;
157 | // NoTE = 0;
158 | // // The NULL character is boring, do not copy
159 | // if ( c )
160 | // doPchar ( &c, 1 );
161 | // } // End of "DName" CONSTRUCTOR '(char)'
162 | // #if 1
163 | // inline __near DName::DName ( const DName & rd )
164 | // {
165 | // stat = rd.stat;
166 | // isIndir = rd.isIndir;
167 | // isAUDC = rd.isAUDC;
168 | // isAUDTThunk = rd.isAUDTThunk;
169 | // node = rd.node;
170 | // NoTE = rd.NoTE;
171 | // } // End of "DName" CONSTRUCTOR '(const DName&)'
172 | // #endif
173 | // __near DName::DName ( DName * pd )
174 | // {
175 | // if ( pd )
176 | // {
177 | // node = gnew pDNameNode ( pd );
178 | // stat = ( node ? DN_valid : DN_error );
179 | // } // End of IF else
180 | // else
181 | // {
182 | // stat = DN_valid;
183 | // node = 0;
184 | // } // End of IF else
185 | // isIndir = 0;
186 | // isAUDC = 0;
187 | // isAUDTThunk = 0;
188 | // NoTE = 0;
189 | // } // End of "DName" CONSTRUCTOR '( DName* )'
190 | // __near DName::DName ( pcchar_t s )
191 | // {
192 | // stat = DN_valid;
193 | // node = 0;
194 | // isIndir = 0;
195 | // isAUDC = 0;
196 | // isAUDTThunk = 0;
197 | // NoTE = 0;
198 | // if ( s )
199 | // doPchar ( s, strlen ( s ));
200 | // } // End of "DName" CONSTRUCTOR '(pcchar_t)'
201 | // __near DName::DName ( pcchar_t & name, char terminator )
202 | // {
203 | // stat = DN_valid;
204 | // isIndir = 0;
205 | // isAUDC = 0;
206 | // isAUDTThunk = 0;
207 | // node = 0;
208 | // NoTE = 0;
209 | // // Is there a string ?
210 | // if ( name )
211 | // if ( *name )
212 | // {
213 | // int len = 0;
214 | // // How long is the string ?
215 | // for ( pcchar_t s = name; *name && ( *name != terminator ); name++ )
216 | // if ( isValidIdentChar ( *name ) || UnDecorator::doNoIdentCharCheck () )
217 | // len++;
218 | // else
219 | // {
220 | // stat = DN_invalid;
221 | // return;
222 | // } // End of IF else
223 | // // Copy the name string fragment
224 | // doPchar ( s, len );
225 | // // Now gobble the terminator if present, handle error conditions
226 | // if ( *name )
227 | // {
228 | // if ( *name++ != terminator )
229 | // {
230 | // stat = DN_error;
231 | // node = 0;
232 | // } // End of IF then
233 | // else
234 | // stat = DN_valid;
235 | // } // End of IF then
236 | // elif ( status () == DN_valid )
237 | // stat = DN_truncated;
238 | // } // End of IF then
239 | // else
240 | // stat = DN_truncated;
241 | // else
242 | // stat = DN_invalid;
243 | // } // End of "DName" CONSTRUCTOR '(pcchar_t&,char)'
244 | // __near DName::DName ( unsigned long num )
245 | // {
246 | // char buf[ 11 ];
247 | // char * pBuf = buf + 10;
248 | // stat = DN_valid;
249 | // node = 0;
250 | // isIndir = 0;
251 | // isAUDC = 0;
252 | // isAUDTThunk = 0;
253 | // NoTE = 0;
254 | // // Essentially, 'ultoa ( num, buf, 10 )' :-
255 | // *pBuf = 0;
256 | // do
257 | // {
258 | // *( --pBuf ) = (char)(( num % 10 ) + '0' );
259 | // num /= 10UL;
260 | // } while ( num );
261 | // doPchar ( pBuf, ( 10 - (int) ( pBuf - buf )));
262 | // } // End of "DName" CONSTRUCTOR '(unsigned long)'
263 | // __near DName::DName ( DNameStatus st )
264 | // {
265 | // stat = ((( st == DN_invalid ) || ( st == DN_error )) ? st : DN_valid );
266 | // node = gnew DNameStatusNode ( st );
267 | // isIndir = 0;
268 | // isAUDC = 0;
269 | // isAUDTThunk = 0;
270 | // NoTE = 0;
271 | // if ( !node )
272 | // stat = DN_error;
273 | // } // End of "DName" CONSTRUCTOR '(DNameStatus)'
274 | // // Now the member functions for 'DName'
275 | // int __near DName::isValid () const { return (( status () == DN_valid ) || ( status () == DN_truncated )); }
276 | // int __near DName::isEmpty () const { return (( node == 0 ) || !isValid ()); }
277 | // inline DNameStatus __near DName::status () const { return (DNameStatus)stat; } // The cast is to keep Glockenspiel quiet
278 | // inline DName & __near DName::setPtrRef () { isIndir = 1; return *this; }
279 | // inline int __near DName::isPtrRef () const { return isIndir; }
280 | // inline int __near DName::isUDC () const { return ( !isEmpty () && isAUDC ); }
281 | // inline void __near DName::setIsUDC () { if ( !isEmpty ()) isAUDC = TRUE; }
282 | // inline int __near DName::isUDTThunk () const { return ( !isEmpty () && isAUDTThunk ); }
283 | // inline void __near DName::setIsUDTThunk () { if ( !isEmpty ()) isAUDTThunk = TRUE; }
284 | // inline int DName::isNoTE () const { return NoTE; }
285 | // inline void DName::setIsNoTE () { NoTE = TRUE; }
286 | // int __near DName::length () const
287 | // {
288 | // int len = 0;
289 | // if ( !isEmpty ())
290 | // for ( DNameNode * pNode = node; pNode; pNode = pNode->nextNode ())
291 | // len += pNode->length ();
292 | // return len;
293 | // } // End of "DName" FUNCTION "length"
294 | // char __near DName::getLastChar () const
295 | // {
296 | // DNameNode * pLast = 0;
297 | // if ( !isEmpty ())
298 | // for ( DNameNode * pNode = node; pNode; pNode = pNode->nextNode ())
299 | // if ( pNode->length () != 0 )
300 | // pLast = pNode;
301 | // return pLast != 0 ? pLast->getLastChar () : '';
302 | // } // End of "DName" FUNCTION "getLastChar"
303 | // pchar_t __near DName::getString ( pchar_t buf, int max ) const
304 | // {
305 | // if ( !isEmpty ())
306 | // {
307 | // // Does the caller want a buffer allocated ?
308 | // if ( !buf )
309 | // {
310 | // max = length () + 1;
311 | // buf = gnew char[ max ]; // Get a buffer big enough
312 | // } // End of IF then
313 | // // If memory allocation failure, then return no buffer
314 | // if ( buf )
315 | // {
316 | // // Now, go through the process of filling the buffer (until max is reached)
317 | // int curLen = max;
318 | // DNameNode * curNode = node;
319 | // pchar_t curBuf = buf;
320 | // while ( curNode && ( curLen > 0 ))
321 | // {
322 | // int fragLen = curNode->length ();
323 | // pchar_t fragBuf = 0;
324 | // // Skip empty nodes
325 | // if ( fragLen )
326 | // {
327 | // // Handle buffer overflow
328 | // if (( curLen - fragLen ) < 0 )
329 | // fragLen = curLen;
330 | // // Now copy 'len' number of bytes of the piece to the buffer
331 | // fragBuf = curNode->getString ( curBuf, fragLen );
332 | // // Should never happen, but handle it anyway
333 | // if ( fragBuf )
334 | // {
335 | // // Update string position
336 | // curLen -= fragLen;
337 | // curBuf += fragLen;
338 | // } // End of IF
339 | // } // End of IF
340 | // // Move on to the next name fragment
341 | // curNode = curNode->nextNode ();
342 | // } // End of WHILE
343 | // *curBuf = 0; // Always NULL terminate the resulting string
344 | // } // End of IF
345 | // } // End of IF then
346 | // elif ( buf )
347 | // *buf = 0;
348 | // // Return the buffer
349 | // return buf;
350 | // } // End of "DName" FUNCTION "getString(pchar_t,int)"
351 | // DName __near DName::operator + ( char ch ) const
352 | // {
353 | // DName local ( *this );
354 | // if ( local.isEmpty ())
355 | // local = ch;
356 | // else
357 | // local += ch;
358 | // // And return the newly formed 'DName'
359 | // return local;
360 | // } // End of "DName" OPERATOR "+(char)"
361 | // DName __near DName::operator + ( pcchar_t str ) const
362 | // {
363 | // DName local ( *this );
364 | // if ( local.isEmpty ())
365 | // local = str;
366 | // else
367 | // local += str;
368 | // // And return the newly formed 'DName'
369 | // return local;
370 | // } // End of "DName" OPERATOR "+(pcchar_t)"
371 | // DName __near DName::operator + ( const DName & rd ) const
372 | // {
373 | // DName local ( *this );
374 | // if ( local.isEmpty ())
375 | // local = rd;
376 | // elif ( rd.isEmpty ())
377 | // local += rd.status ();
378 | // else
379 | // local += rd;
380 | // // And return the newly formed 'DName'
381 | // return local;
382 | // } // End of "DName" OPERATOR "+(const DName&)"
383 | // DName __near DName::operator + ( DName * pd ) const
384 | // {
385 | // DName local ( *this );
386 | // if ( local.isEmpty ())
387 | // local = pd;
388 | // else
389 | // local += pd;
390 | // // And return the newly formed 'DName'
391 | // return local;
392 | // } // End of "DName" OPERATOR "+(DName*)"
393 | // DName __near DName::operator + ( DNameStatus st ) const
394 | // {
395 | // DName local ( *this );
396 | // if ( local.isEmpty ())
397 | // local = st;
398 | // else
399 | // local += st;
400 | // // And return the newly formed 'DName'
401 | // return local;
402 | // } // End of "DName" OPERATOR "+(DNameStatus)"
403 | // DName & __near DName::operator += ( char ch )
404 | // {
405 | // if ( ch )
406 | // if ( isEmpty ())
407 | // *this = ch;
408 | // else
409 | // {
410 | // node = node->clone ();
411 | // if ( node )
412 | // *node += gnew charNode ( ch );
413 | // else
414 | // stat = DN_error;
415 | // } // End of IF
416 | // // And return self
417 | // return *this;
418 | // } // End of "DName" OPERATOR "+=(char)"
419 | // DName & __near DName::operator += ( pcchar_t str )
420 | // {
421 | // if ( str && *str )
422 | // if ( isEmpty ())
423 | // *this = str;
424 | // else
425 | // {
426 | // node = node->clone ();
427 | // if ( node )
428 | // *node += gnew pcharNode ( str );
429 | // else
430 | // stat = DN_error;
431 | // } // End of IF
432 | // // And return self
433 | // return *this;
434 | // } // End of "DName" OPERATOR "+=(pcchar_t)"
435 | // DName & __near DName::operator += ( const DName & rd )
436 | // {
437 | // if ( rd.isEmpty ())
438 | // *this += rd.status ();
439 | // else
440 | // if ( isEmpty ())
441 | // *this = rd;
442 | // else
443 | // {
444 | // node = node->clone ();
445 | // if ( node )
446 | // *node += rd.node;
447 | // else
448 | // stat = DN_error;
449 | // } // End of IF
450 | // // And return self
451 | // return *this;
452 | // } // End of "DName" OPERATOR "+=(const DName&)"
453 | // DName & __near DName::operator += ( DName * pd )
454 | // {
455 | // if ( pd )
456 | // if ( isEmpty ())
457 | // *this = pd;
458 | // elif (( pd->status () == DN_valid ) || ( pd->status () == DN_truncated ))
459 | // {
460 | // DNameNode * pNew = gnew pDNameNode ( pd );
461 | // if ( pNew )
462 | // {
463 | // node = node->clone ();
464 | // if ( node )
465 | // *node += pNew;
466 | // } // End of IF then
467 | // else
468 | // node = 0;
469 | // if ( !node )
470 | // stat = DN_error;
471 | // } // End of IF then
472 | // else
473 | // *this += pd->status ();
474 | // // And return self
475 | // return *this;
476 | // } // End of "DName" OPERATOR "+=(DName*)"
477 | // DName & __near DName::operator += ( DNameStatus st )
478 | // {
479 | // if ( isEmpty () || (( st == DN_invalid ) || ( st == DN_error )))
480 | // *this = st;
481 | // else
482 | // {
483 | // DNameNode * pNew = gnew DNameStatusNode ( st );
484 | // if ( pNew )
485 | // {
486 | // node = node->clone ();
487 | // if ( node )
488 | // *node += pNew;
489 | // } // End of IF then
490 | // else
491 | // node = 0;
492 | // if ( !node )
493 | // stat = DN_error;
494 | // } // End of IF else
495 | // // Return self
496 | // return *this;
497 | // } // End of "DName" OPERATOR "+=(DNameStatus)"
498 | // DName & __near DName::operator |= ( const DName & rd )
499 | // {
500 | // // Attenuate the error status. Always becomes worse. Don't propogate truncation
501 | // if (( status () != DN_error ) && !rd.isValid ())
502 | // stat = rd.status ();
503 | // // And return self
504 | // return *this;
505 | // } // End of "DName" OPERATOR '|=(const DName&)'
506 | // DName & __near DName::operator = ( char ch )
507 | // {
508 | // isIndir = 0;
509 | // isAUDC = 0;
510 | // isAUDTThunk = 0;
511 | // doPchar ( &ch, 1 );
512 | // return *this;
513 | // } // End of "DName" OPERATOR '=(char)'
514 | // DName & __near DName::operator = ( pcchar_t str )
515 | // {
516 | // isIndir = 0;
517 | // isAUDC = 0;
518 | // isAUDTThunk = 0;
519 | // doPchar ( str, strlen ( str ));
520 | // // And return self
521 | // return *this;
522 | // } // End of "DName" OPERATOR '=(pcchar_t)'
523 | // DName & __near DName::operator = ( const DName & rd )
524 | // {
525 | // if (( status () == DN_valid ) || ( status () == DN_truncated ))
526 | // {
527 | // stat = rd.stat;
528 | // isIndir = rd.isIndir;
529 | // isAUDC = rd.isAUDC;
530 | // isAUDTThunk = rd.isAUDTThunk;
531 | // node = rd.node;
532 | // } // End of IF
533 | // // And return self
534 | // return *this;
535 | // } // End of "DName" OPERATOR '=(const DName&)'
536 | // DName & __near DName::operator = ( DName * pd )
537 | // {
538 | // if (( status () == DN_valid ) || ( status () == DN_truncated ))
539 | // if ( pd )
540 | // {
541 | // isIndir = 0;
542 | // isAUDC = 0;
543 | // isAUDTThunk = 0;
544 | // node = gnew pDNameNode ( pd );
545 | // if ( !node )
546 | // stat = DN_error;
547 | // } // End of IF then
548 | // else
549 | // *this = DN_error;
550 | // // And return self
551 | // return *this;
552 | // } // End of "DName" OPERATOR '=(DName*)'
553 | // DName & __near DName::operator = ( DNameStatus st )
554 | // {
555 | // if (( st == DN_invalid ) || ( st == DN_error ))
556 | // {
557 | // node = 0;
558 | // if ( status () != DN_error )
559 | // stat = st;
560 | // } // End of IF then
561 | // elif (( status () == DN_valid ) || ( status () == DN_truncated ))
562 | // {
563 | // isIndir = 0;
564 | // isAUDC = 0;
565 | // isAUDTThunk = 0;
566 | // node = gnew DNameStatusNode ( st );
567 | // if ( !node )
568 | // stat = DN_error;
569 | // } // End of ELIF then
570 | // // And return self
571 | // return *this;
572 | // } // End of "DName" OPERATOR '=(DNameStatus)'
573 | // // Private implementation functions for 'DName'
574 | // void __near DName::doPchar ( pcchar_t str, int len )
575 | // {
576 | // if ( !(( status () == DN_invalid ) || ( status () == DN_error )))
577 | // if ( node )
578 | // *this = DN_error;
579 | // elif ( str && len )
580 | // {
581 | // // Allocate as economically as possible
582 | // switch ( len )
583 | // {
584 | // case 0:
585 | // stat = DN_error;
586 | // break;
587 | // case 1:
588 | // node = gnew charNode ( *str );
589 | // if ( !node )
590 | // stat = DN_error;
591 | // break;
592 | // default:
593 | // node = gnew pcharNode ( str, len );
594 | // if ( !node )
595 | // stat = DN_error;
596 | // break;
597 | // } // End of SWITCH
598 | // } // End of ELIF
599 | // else
600 | // stat = DN_invalid;
601 | // } // End of "DName" FUNCTION "doPchar(pcchar_t,int)"
602 | // // The member functions for the 'Replicator'
603 | // inline int __near Replicator::isFull () const { return ( index == 9 ); }
604 | // inline __near Replicator::Replicator ()
605 | // : ErrorDName ( DN_error ), InvalidDName ( DN_invalid )
606 | // { index = -1; }
607 | // Replicator & __near Replicator::operator += ( const DName & rd )
608 | // {
609 | // if ( !isFull () && !rd.isEmpty ())
610 | // {
611 | // DName * pNew = gnew DName ( rd );
612 | // // Don't update if failed
613 | // if ( pNew )
614 | // dNameBuffer[ ++index ] = pNew;
615 | // } // End of IF
616 | // return *this;
617 | // } // End of "Replicator" OPERATOR '+=(const DName&)'
618 | // const DName & __near Replicator::operator [] ( int x ) const
619 | // {
620 | // if (( x < 0 ) || ( x > 9 ))
621 | // return ErrorDName;
622 | // elif (( index == -1 ) || ( x > index ))
623 | // return InvalidDName;
624 | // else
625 | // return *dNameBuffer[ x ];
626 | // } // End of "Replicator" OPERATOR '[](int)'
627 | // // The member functions for the 'DNameNode' classes
628 | // #if ( !NO_VIRTUAL )
629 | // __near DNameNode::DNameNode ()
630 | // #else // } elif NO_VIRTUAL {
631 | // __near DNameNode::DNameNode ( NodeType ndTy )
632 | // : typeIndex ( ndTy )
633 | // #endif // NO_VIRTUAL
634 | // { next = 0; }
635 | // inline __near DNameNode::DNameNode ( const DNameNode & rd ) { next = (( rd.next ) ? rd.next->clone () : 0 ); }
636 | // inline DNameNode * __near DNameNode::nextNode () const { return next; }
637 | // DNameNode * __near DNameNode::clone ()
638 | // {
639 | // return gnew pDNameNode ( gnew DName ( this ));
640 | // }
641 | // #if ( NO_VIRTUAL )
642 | // int __near DNameNode::length () const
643 | // { // Pure function, should not be called
644 | // switch ( typeIndex )
645 | // {
646 | // case charNode_t:
647 | // return ((charNode*)this )->length ();
648 | // case pcharNode_t:
649 | // return ((pcharNode*)this )->length ();
650 | // case pDNameNode_t:
651 | // return ((pDNameNode*)this )->length ();
652 | // case DNameStatusNode_t:
653 | // return ((DNameStatusNode*)this )->length ();
654 | // } // End of SWITCH
655 | // return 0;
656 | // }
657 | // int __near DNameNode::getLastChar () const
658 | // { // Pure function, should not be called
659 | // switch ( typeIndex )
660 | // {
661 | // case charNode_t:
662 | // return ((charNode*)this )->getLastChar ();
663 | // case pcharNode_t:
664 | // return ((pcharNode*)this )->getLastChar ();
665 | // case pDNameNode_t:
666 | // return ((pDNameNode*)this )->getLastChar ();
667 | // case DNameStatusNode_t:
668 | // return ((DNameStatusNode*)this )->getLastChar ();
669 | // } // End of SWITCH
670 | // return 0;
671 | // }
672 | // pchar_t __near DNameNode::getString ( pchar_t s, int l ) const
673 | // { // Pure function, should not be called
674 | // switch ( typeIndex )
675 | // {
676 | // case charNode_t:
677 | // return ((charNode*)this )->getString ( s, l );
678 | // case pcharNode_t:
679 | // return ((pcharNode*)this )->getString ( s, l );
680 | // case pDNameNode_t:
681 | // return ((pDNameNode*)this )->getString ( s, l );
682 | // case DNameStatusNode_t:
683 | // return ((DNameStatusNode*)this )->getString ( s, l );
684 | // } // End of SWITCH
685 | // return 0;
686 | // }
687 | // #endif // NO_VIRTUAL
688 | // DNameNode & __near DNameNode::operator += ( DNameNode * pNode )
689 | // {
690 | // if ( pNode )
691 | // {
692 | // if ( next )
693 | // {
694 | // // Skip to the end of the chain
695 | // for ( DNameNode* pScan = next; pScan->next; pScan = pScan->next )
696 | // ;
697 | // // And append the new node
698 | // pScan->next = pNode;
699 | // } // End of IF then
700 | // else
701 | // next = pNode;
702 | // } // End of IF
703 | // // And return self
704 | // return *this;
705 | // } // End of "DNameNode" OPERATOR '+=(DNameNode*)'
706 | // // The 'charNode' virtual functions
707 | // __near charNode::charNode ( char ch )
708 | // #if ( NO_VIRTUAL )
709 | // : DNameNode ( charNode_t )
710 | // #endif // NO_VIRTUAL
711 | // { me = ch; }
712 | // inline int __near charNode::length () const { return 1; }
713 | // inline char __near charNode::getLastChar () const { return me; }
714 | // pchar_t __near charNode::getString ( pchar_t buf, int len ) const
715 | // {
716 | // if ( buf && len )
717 | // *buf = me;
718 | // else
719 | // buf = 0;
720 | // // Now return the character
721 | // return buf;
722 | // } // End of "charNode" FUNCTION "getString(pchar_t,int)"
723 | // // The 'pcharNode' virtual functions
724 | // inline int __near pcharNode::length () const { return myLen; }
725 | // inline char __near pcharNode::getLastChar () const { return ( myLen ? me[ myLen - 1 ] : '' ); }
726 | // __near pcharNode::pcharNode ( pcchar_t str, int len )
727 | // #if ( NO_VIRTUAL )
728 | // : DNameNode ( pcharNode_t )
729 | // #endif // NO_VIRTUAL
730 | // {
731 | // // Get length if not supplied
732 | // if ( !len && str )
733 | // len = strlen ( str );
734 | // // Allocate a new string buffer if valid state
735 | // if ( len && str )
736 | // {
737 | // me = gnew char[ len ];
738 | // myLen = len;
739 | // if ( me )
740 | // strncpy ( me, str, len );
741 | // } // End of IF then
742 | // else
743 | // {
744 | // me = 0;
745 | // myLen = 0;
746 | // } // End of IF else
747 | // } // End of "pcharNode" CONSTRUCTOR '(pcchar_t,int)'
748 | // pchar_t __near pcharNode::getString ( pchar_t buf, int len ) const
749 | // {
750 | // // Use the shorter of the two lengths (may not be NULL terminated)
751 | // if ( len > pcharNode::length ())
752 | // len = pcharNode::length ();
753 | // // Do the copy as appropriate
754 | // return (( me && buf && len ) ? strncpy ( buf, me, len ) : 0 );
755 | // } // End of "pcharNode" FUNCTION "getString(pchar_t,int)"
756 | // // The 'pDNameNode' virtual functions
757 | // __near pDNameNode::pDNameNode ( DName * pName )
758 | // #if ( NO_VIRTUAL )
759 | // : DNameNode ( pDNameNode_t )
760 | // #endif // NO_VIRTUAL
761 | // { me = (( pName && (( pName->status () == DN_invalid ) || ( pName->status () == DN_error ))) ? 0 : pName ); }
762 | // inline int __near pDNameNode::length () const { return ( me ? me->length () : 0 ); }
763 | // inline char __near pDNameNode::getLastChar () const { return ( me ? me->getLastChar () : '' ); }
764 | // pchar_t __near pDNameNode::getString ( pchar_t buf, int len ) const
765 | // { return (( me && buf && len ) ? me->getString ( buf, len ) : 0 ); }
766 | // // The 'DNameStatusNode' virtual functions
767 | // __near DNameStatusNode::DNameStatusNode ( DNameStatus stat )
768 | // #if ( NO_VIRTUAL )
769 | // : DNameNode ( DNameStatusNode_t )
770 | // #endif // NO_VIRTUAL
771 | // { me = stat; myLen = (( me == DN_truncated ) ? TruncationMessageLength : 0 ); }
772 | // inline int __near DNameStatusNode::length () const { return myLen; }
773 | // inline char __near DNameStatusNode::getLastChar () const
774 | // { return (( me == DN_truncated ) ? TruncationMessage[ TruncationMessageLength - 1 ] : '' ); }
775 | // pchar_t __near DNameStatusNode::getString ( pchar_t buf, int len ) const
776 | // {
777 | // // Use the shorter of the two lengths (may not be NULL terminated)
778 | // if ( len > DNameStatusNode::length ())
779 | // len = DNameStatusNode::length ();
780 | // // Do the copy as appropriate
781 | // return ((( me == DN_truncated ) && buf && len ) ? strncpy ( buf, TruncationMessage, len ) : 0 );
782 | // } // End of "DNameStatusNode" FUNCTION "getString(pchar_t,int)"
--------------------------------------------------------------------------------