<p>核心 HOOK API 类。做法是把目标函数入口的前 5 个字节改写为一条 JMP，跳到自己的替代函数；需要调用原函数时先还原这 5 个字节、调用完再重新覆盖。理论上可以 HOOK 任何以 __stdcall 声明、且入口前 5 字节可以整体覆盖的 Win32 API。注意几点限制：地址运算使用 DWORD，只适用于 32 位（x86）进程；"还原—调用—再覆盖"不是原子操作，多线程下其他线程在这个窗口内的调用不会被拦截；绕过 ntdll 导出、直接发起系统调用的代码也不会经过这个钩子。</p>
<p>// HookInfo.h: interface for the CHookInfo class.<br/>//<br/>//////////////////////////////////////////////////////////////////////</p>
<p>#if !defined(AFX_HOOKINFO_H__D44F115C_76F1_4CC7_BD61_4C393417DA10__INCLUDED_)<br/>#define AFX_HOOKINFO_H__D44F115C_76F1_4CC7_BD61_4C393417DA10__INCLUDED_</p>
<p>#if _MSC_VER > 1000<br/>#pragma once<br/>#endif // _MSC_VER > 1000</p>
// State for one inline-patched function: where it is, what its first 5 bytes were,
// and the 5-byte JMP that replaces them while the hook is active.
typedef struct _HOOKSTRUCT
{
    FARPROC pfFunAddr; // address of the hooked API entry point (NULL if resolution failed)
    BYTE OldCode[5];   // original first 5 bytes of the function; written back by HookStatus(FALSE)
    BYTE NewCode[5];   // E9 + rel32: JMP to the replacement function (32-bit relative encoding)
}HOOKSTRUCT;
// Inline-patch hook for one exported function. The constructor resolves the export,
// saves its first 5 bytes and overwrites them with a JMP to dwMyFunAddr; the destructor
// puts the original bytes back. A replacement that needs the real function does
// HookStatus(FALSE) / call / HookStatus(TRUE) — that window is not atomic, so calls
// made by other threads in the meantime bypass the replacement.
class CHookInfo
{
public:
    // strDllName / strFunName: module and export to patch.
    // dwMyFunAddr: address of the replacement, as a DWORD — the JMP displacement is
    // computed with 32-bit arithmetic, so this only works in 32-bit processes.
    CHookInfo(char *strDllName, char *strFunName, DWORD dwMyFunAddr);
    virtual ~CHookInfo();          // restores the original bytes
    HOOKSTRUCT *pHook;             // allocated by the constructor; pHook->pfFunAddr is NULL if the export was not found
    void HookStatus(BOOL blnHook); // TRUE: write the JMP over the entry point; FALSE: write the saved bytes back
};
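// Resolves strFunName in strDllName, saves the first 5 bytes of the function and
// patches a JMP to dwMyFunAddr over them. If the module or export cannot be found
// pHook->pfFunAddr stays NULL and nothing is patched (HookStatus then does nothing).
// 32-bit only: the rel32 displacement is computed with DWORD arithmetic.
CHookInfo::CHookInfo(char *strDllName, char *strFunName, DWORD dwMyFunAddr)
{
    pHook = new HOOKSTRUCT;
    memset(pHook, 0, sizeof(HOOKSTRUCT));

    // Prefer the image that is already mapped. Only if it is absent do we load it, and
    // then the reference is kept on purpose: the original did LoadLibrary + FreeLibrary
    // and *then* read and patched the code, which is a use-after-unmap for any module
    // that was not already loaded (harmless only because ntdll can never be unloaded).
    HMODULE hModule = GetModuleHandle(strDllName);
    if (hModule == NULL)
        hModule = LoadLibrary(strDllName);
    if (hModule == NULL)
        return;

    pHook->pfFunAddr = GetProcAddress(hModule, strFunName);
    if (pHook->pfFunAddr == NULL)
        return;

    // Save the bytes we are about to overwrite. The replacement must fit in 5 bytes
    // (one E9 rel32 JMP); the target's first 5 bytes are restored, not executed from
    // a trampoline, so instruction boundaries only matter for threads that are inside
    // the function while the bytes are being swapped.
    memcpy(pHook->OldCode, pHook->pfFunAddr, 5);
    pHook->NewCode[0] = 0xe9;
    DWORD dwJmpAddr = dwMyFunAddr - (DWORD)pHook->pfFunAddr - 5; // rel32 = target - (patch address + 5)
    memcpy(&pHook->NewCode[1], &dwJmpAddr, 4);
    HookStatus(TRUE);
}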
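// Restores the original bytes (if anything was patched) and releases the HOOKSTRUCT,
// which the original destructor leaked.
CHookInfo::~CHookInfo()
{
    if (pHook == NULL)
        return;
    if (pHook->pfFunAddr != NULL)
        HookStatus(FALSE);
    delete pHook;
    pHook = NULL;
}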
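// Switches the patch on (write the JMP) or off (write the saved original bytes).
// No-op if the constructor failed to resolve the target. The 5-byte write is not
// atomic with respect to other threads executing the function; callers that toggle
// the hook around a call-through accept that window.
void CHookInfo::HookStatus(BOOL blnHook)
{
    if (pHook == NULL || pHook->pfFunAddr == NULL)
        return;

    const BYTE *pSrc = blnHook ? pHook->NewCode : pHook->OldCode;

    // WriteProcessMemory on our own process takes care of the page protection.
    // GetCurrentProcess() is the same pseudo-handle the original spelled as (HANDLE)-1.
    // The original ignored the result; a silent failure left the hook state unknown.
    if (!WriteProcessMemory(GetCurrentProcess(), pHook->pfFunAddr, pSrc, 5, NULL))
        return;

    // Code was modified in place: keep the instruction cache coherent with it.
    FlushInstructionCache(GetCurrentProcess(), pHook->pfFunAddr, 5);
}
#endif // !defined(AFX_HOOKINFO_H__D44F115C_76F1_4CC7_BD61_4C393417DA10__INCLUDED_)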
<p>DLL 程序代码。与监控程序之间通过 WM_COPYDATA 消息传递一段自定义格式的字符串（监控程序窗口按标题 FindWindow 找到），监控程序返回 1000 表示放行，其它返回值则让被拦截的调用以 STATUS_ACCESS_DENIED 失败。</p>
<p>// RegistryInfo.cpp : Defines the entry point for the DLL application.<br/>//</p>
<p>#include "stdafx.h"<br/>#include <stdlib.h><br/>#include "HookInfo.h"<br/>#define STATUS_SUCCESS (0)<br/>#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) <br/>#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)<br/>#define ObjectNameInformation (1)<br/>#define BLOCKSIZE (0x1000)<br/>#define CurrentProcessHandle ((HANDLE)(0xFFFFFFFF))<br/>#define STATUS_INFO_LEN_MISMATCH 0xC0000004</p>
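// NTSTATUS is a signed 32-bit value in the SDK (LONG): success and informational codes
// are >= 0, warnings/errors such as STATUS_ACCESS_DENIED (0xC0000022) have the high
// bit set. The original typedef'd it as unsigned long, which made the NT_SUCCESS()
// macro above ("(NTSTATUS)(Status) >= 0") true for every status.
typedef long NTSTATUS;
typedef unsigned long SYSTEM_INFORMATION_CLASS;
typedef unsigned long OBJECT_INFORMATION_CLASS;  // ObjectNameInformation (1) is the only class used here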
// Counted UTF-16 string as passed to the native API. In the SDK definition Length and
// MaximumLength are BYTE counts, not character counts, and Buffer is NOT guaranteed to
// be NUL-terminated — printing it with "%S" (as the callbacks below do) relies on a
// terminator the caller may not have supplied. The SDK declares Buffer as PWSTR;
// USHORT* has the same layout on Windows.
typedef struct
{
    USHORT Length;   // bytes in use
    USHORT MaxLen;   // bytes allocated
    USHORT *Buffer;  // UTF-16 code units
}UNICODE_STRING, *PUNICODE_STRING;
// Result of NtQueryObject(..., ObjectNameInformation, ...): the object's NT namespace
// name (for registry handles something like "\REGISTRY\MACHINE\SOFTWARE\..."). The
// string data follows the header in the same buffer, which is why GetPath() below
// grows the allocation instead of using a fixed-size struct.
typedef struct _OBJECT_NAME_INFORMATION { // Information Class 1
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
// Name of the object being opened/created by NtCreateKey. ObjectName is relative to
// RootDirectory when that handle is non-NULL, otherwise it is an absolute NT path.
// The hook code only reads RootDirectory and ObjectName.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;          // parent key handle, or NULL for an absolute ObjectName
    PUNICODE_STRING ObjectName;    // counted string, see UNICODE_STRING
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// ntdll!NtSetValueKey — writes a value under KeyHandle; type1 is the REG_* type code,
// Data/DataSize the raw value bytes.
typedef NTSTATUS (WINAPI *NTSETVALUEKEY)(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName,IN ULONG TitleIndex,IN ULONG type1,IN PVOID Data,IN ULONG DataSize);
NTSETVALUEKEY NtSetValueKey = NULL; // resolved by LoadNtDll(); NtSetValueKeyCallback calls the real function through it
// ntdll!NtDeleteValueKey — removes one value from KeyHandle.
typedef NTSTATUS (WINAPI *NTDELETEVALUEKEY)(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName);
NTDELETEVALUEKEY NtDeleteValueKey = NULL; // resolved by LoadNtDll(); called through by NtDeleteValueKeyCallback
// ntdll!NtDeleteKey — deletes the key behind KeyHandle.
typedef NTSTATUS (WINAPI *NTDELETEKEY)(IN HANDLE KeyHandle);
NTDELETEKEY NtDeleteKey = NULL; // resolved by LoadNtDll(); called through by NtDeleteKeyCallback
// ntdll!NtCreateKey — opens or creates the key named by ObjectAttributes
// (also what RegOpenKeyEx/RegCreateKeyEx end up calling).
typedef NTSTATUS (WINAPI *NTCREATEKEY)(OUT PHANDLE pKeyHandle,IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,IN ULONG TitleIndex,IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,OUT PULONG Disposition OPTIONAL);
NTCREATEKEY NtCreateKey = NULL; // resolved by LoadNtDll(); called through by NtCreateKeyCallback
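// ntdll!NtQueryObject — used by GetPath() with ObjectNameInformation to turn a key
// handle back into its NT path.
typedef NTSTATUS (WINAPI *NTQUERYOBJECT)(IN HANDLE ObjectHandle,IN OBJECT_INFORMATION_CLASS ObjectInformationClass,OUT PVOID ObjectInformation,IN ULONG ObjectInformationLength,OUT PULONG ReturnLength);
NTQUERYOBJECT NtQueryObject = NULL;

// Replacement functions the ntdll entry points are redirected to. Same signatures as
// the originals, since the patched function is entered with the caller's arguments.
NTSTATUS WINAPI NtSetValueKeyCallback(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName,IN ULONG TitleIndex,IN ULONG type1,IN PVOID Data,IN ULONG DataSize);
NTSTATUS WINAPI NtDeleteValueKeyCallback(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName);
NTSTATUS WINAPI NtDeleteKeyCallback(IN HANDLE KeyHandle);
NTSTATUS WINAPI NtCreateKeyCallback(OUT PHANDLE pKeyHandle,IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,IN ULONG TitleIndex,IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,OUT PULONG Disposition OPTIONAL);

// One patch object per hooked export; created in DllMain for every process except the
// monitor, destroyed (bytes restored) on DLL_PROCESS_DETACH.
CHookInfo *ChookNtSetValueKey;
CHookInfo *ChookNtDeleteKey;
CHookInfo *ChookNtCreateKey;
CHookInfo *ChookNtDeleteValueKey;

HINSTANCE m_hinstDll;   // this DLL; passed to SetWindowsHookEx
HWND m_hWnd;            // monitor window, located by title in DllMain; receives WM_COPYDATA
char *GetSidString(char *strUserName);

// NT-native registry paths that are monitored, all lowercase, matched with strstr()/lstrcmpi()
// against the lowercased path of each operation. The two literals are read-only, hence const
// (the original declared them char*, so a write through them would have faulted).
const char *mstrMachinePath="\\registry\\machine\\software\\microsoft\\windows\\currentversion\\run";
char mstrUserPath[400];   // "\registry\user\<sid>\software\microsoft\windows\currentversion\run", built in DllMain
const char *mstrLogonPath="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\winlogon";
char mstrWinRegPath[260]; // "\registry\user\<sid>\software\microsoft\windows nt\currentversion\windows", built in DllMain

HHOOK m_hHook;          // the WH_GETMESSAGE hook used as the injection vector
DWORD m_ProcessId;      // process id of the monitor (never hooks itself)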
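// Resolves the five ntdll exports the hooks need. ntdll is mapped into every Win32
// process before any DllMain runs, so GetModuleHandle is sufficient and does not touch
// the reference count (the original did LoadLibrary + FreeLibrary, which only worked
// because ntdll cannot actually be unloaded). Any pointer may still be NULL afterwards;
// callers must check before hooking, because the callbacks call through these pointers
// and a NULL call would crash the hooked process.
VOID LoadNtDll()
{
    NtDeleteKey = NULL;
    NtSetValueKey = NULL;
    NtDeleteValueKey = NULL;
    NtCreateKey = NULL;
    NtQueryObject = NULL;

    HMODULE hMod = GetModuleHandle("ntdll.dll");
    if (hMod == NULL)
        return;

    NtDeleteKey = (NTDELETEKEY)GetProcAddress(hMod, "NtDeleteKey");
    NtSetValueKey = (NTSETVALUEKEY)GetProcAddress(hMod, "NtSetValueKey");
    NtDeleteValueKey = (NTDELETEVALUEKEY)GetProcAddress(hMod, "NtDeleteValueKey");
    NtCreateKey = (NTCREATEKEY)GetProcAddress(hMod, "NtCreateKey");
    NtQueryObject = (NTQUERYOBJECT)GetProcAddress(hMod, "NtQueryObject");
}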
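// DLL entry point. On attach: find the monitor window, build the per-user monitored
// paths, resolve ntdll and (in every process except the monitor) patch the four
// registry entry points. On detach: unpatch. Returning FALSE from attach makes the
// loader unload the DLL again, so a process we cannot monitor safely is left alone.
BOOL APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    m_hinstDll = hInstance;
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // The monitor is identified by window title only. NOTE(review): that is not
        // authentication — any process that creates a window with this title becomes
        // the policy decision point for every hooked process (it can approve every
        // autostart write, or deny them all). A verified channel (e.g. a named pipe with
        // an ACL, or checking the window's owning process image) would be needed for
        // this to be a security boundary.
        m_hWnd = FindWindow(NULL, "注册表监视");
        if (!m_hWnd)
            return FALSE;
        GetWindowThreadProcessId(m_hWnd, &m_ProcessId);

        // Per-user paths: "\registry\user\<sid>\" + the two suffixes, all lowercase.
        char strUserName[260];
        DWORD dwSize = sizeof(strUserName);
        if (!GetUserName(strUserName, &dwSize))
            return FALSE;

        char strSID[200];
        strSID[0] = '\0';
        strncat(strSID, GetSidString(strUserName), sizeof(strSID) - 1);
        if (strSID[0] == '\0')
            return FALSE; // SID lookup failed; do not hook with a bogus user path
        strlwr(strSID);

        // Bounded appends: the original used strcpy/strcat into fixed buffers.
        mstrUserPath[0] = '\0';
        strncat(mstrUserPath, "\\registry\\user\\", sizeof(mstrUserPath) - 1);
        strncat(mstrUserPath, strSID, sizeof(mstrUserPath) - 1 - strlen(mstrUserPath));
        strncat(mstrUserPath, "\\", sizeof(mstrUserPath) - 1 - strlen(mstrUserPath));
        mstrWinRegPath[0] = '\0';
        strncat(mstrWinRegPath, mstrUserPath, sizeof(mstrWinRegPath) - 1);
        strncat(mstrUserPath, "software\\microsoft\\windows\\currentversion\\run",
                sizeof(mstrUserPath) - 1 - strlen(mstrUserPath));
        strncat(mstrWinRegPath, "software\\microsoft\\windows nt\\currentversion\\windows",
                sizeof(mstrWinRegPath) - 1 - strlen(mstrWinRegPath));

        LoadNtDll();

        // Hook every process except the monitor itself.
        if (GetCurrentProcessId() != m_ProcessId)
        {
            // The callbacks call through these raw pointers; installing the patches
            // with any of them unresolved would crash the host at its first registry write.
            if (NtSetValueKey == NULL || NtDeleteKey == NULL || NtCreateKey == NULL ||
                NtDeleteValueKey == NULL || NtQueryObject == NULL)
                return FALSE;

            // (DWORD) casts of function addresses: 32-bit code only, like CHookInfo itself.
            ChookNtSetValueKey = new CHookInfo("ntdll.dll", "NtSetValueKey", (DWORD)NtSetValueKeyCallback);
            ChookNtDeleteKey = new CHookInfo("ntdll.dll", "NtDeleteKey", (DWORD)NtDeleteKeyCallback);
            ChookNtCreateKey = new CHookInfo("ntdll.dll", "NtCreateKey", (DWORD)NtCreateKeyCallback);
            ChookNtDeleteValueKey = new CHookInfo("ntdll.dll", "NtDeleteValueKey", (DWORD)NtDeleteValueKeyCallback);
        }
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        if (GetCurrentProcessId() != m_ProcessId)
        {
            // The destructors restore the original bytes. delete on NULL is a no-op,
            // which covers a failed attach (the loader still sends DETACH afterwards).
            delete ChookNtSetValueKey;
            ChookNtSetValueKey = NULL;
            delete ChookNtDeleteKey;
            ChookNtDeleteKey = NULL;
            delete ChookNtCreateKey;
            ChookNtCreateKey = NULL;
            delete ChookNtDeleteValueKey;
            ChookNtDeleteValueKey = NULL;
        }
    }
    return TRUE;
}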
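// Exported: removes the WH_GETMESSAGE hook installed by InstallRegHook.
// Returns FALSE if no hook is installed (the original passed the stale/NULL handle to
// UnhookWindowsHookEx). Removing the hook stops new injections; processes that already
// loaded the DLL may keep it — and the ntdll patches — mapped for some time afterwards.
BOOL WINAPI UninstallRegHook()
{
    if (m_hHook == NULL)
        return FALSE;
    BOOL blnOk = UnhookWindowsHookEx(m_hHook);
    if (blnOk)
        m_hHook = NULL;
    return blnOk;
}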
// Deliberately empty WH_GETMESSAGE procedure. The hook exists only so that
// SetWindowsHookEx maps this DLL into every GUI process — DllMain does the real
// work when the DLL arrives. Every message is passed along untouched.
LRESULT WINAPI Hook(int nCode, WPARAM wParam, LPARAM lParam)
{
    const LRESULT lResult = CallNextHookEx(m_hHook, nCode, wParam, lParam);
    return lResult;
}
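// Exported: installs the system-wide WH_GETMESSAGE hook that gets this DLL injected
// into every process that pumps messages (the injection vector for the ntdll patches).
// strCheck must equal the fixed caller string. NOTE(review): a constant compared with
// strcmpi is not access control — it is visible in the binary with `strings`, and
// anyone who can call this export can install the global hook. Kept as-is for the
// monitor's sake; a NULL argument no longer crashes.
BOOL WINAPI InstallRegHook(LPCTSTR strCheck)
{
    if (strCheck == NULL || strcmpi(strCheck, "http://blog.csdn.net/chenhui530/") != 0)
        return FALSE;

    // Already installed: do not orphan the existing hook handle by overwriting it.
    if (m_hHook != NULL)
        return TRUE;

    m_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)Hook, m_hinstDll, 0);
    if (!m_hHook)
    {
        MessageBoxA(NULL, "安装钩子失败", "失败", MB_OK);
        return FALSE;
    }
    return TRUE;
}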
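// Resolves a registry key handle to its NT object name ("\REGISTRY\MACHINE\...") as an
// ANSI string. strPath receives at most cchPath-1 characters and is always
// NUL-terminated. On any failure (NULL or unnamed handle, NtQueryObject error,
// allocation failure) strPath is "" — callers then treat the operation as unmonitored,
// the same fail-open outcome the original had, minus the "(null)"/garbage it printed.
// cchPath defaults to 512 because every existing caller passes a 512-byte buffer; the
// original wrote with wsprintf (up to 1024 chars) into that buffer.
void GetPath(char *strPath, HANDLE hHandle, size_t cchPath = 512)
{
    if (strPath == NULL || cchPath == 0)
        return;
    strPath[0] = '\0';
    if (hHandle == NULL || NtQueryObject == NULL)
        return;

    HANDLE hHeap = GetProcessHeap();
    DWORD cbBuf = BLOCKSIZE;
    POBJECT_NAME_INFORMATION pName = (POBJECT_NAME_INFORMATION)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, cbBuf);
    if (pName == NULL)
        return;

    DWORD cbNeeded = 0;
    NTSTATUS ns = NtQueryObject(hHandle, ObjectNameInformation, pName, cbBuf, &cbNeeded);

    // Grow to the size the call asked for and re-query with the NEW length. The original
    // re-queried with the old 0x1000 length (and a NULL ReturnLength), so a name longer
    // than one block never stopped mismatching and the loop ran until memory ran out.
    int nRetry = 0;
    while (ns == STATUS_INFO_LEN_MISMATCH && nRetry++ < 8)
    {
        DWORD cbNew = (cbNeeded > cbBuf) ? cbNeeded : cbBuf * 2;
        LPVOID pNew = HeapReAlloc(hHeap, HEAP_ZERO_MEMORY, pName, cbNew);
        if (pNew == NULL)
            break;
        pName = (POBJECT_NAME_INFORMATION)pNew;
        cbBuf = cbNew;
        ns = NtQueryObject(hHandle, ObjectNameInformation, pName, cbBuf, &cbNeeded);
    }

    BOOL blnConverted = FALSE;
    if (ns == STATUS_SUCCESS && pName->Name.Buffer != NULL)
    {
        // Name is a counted UTF-16 buffer, not necessarily NUL-terminated: convert exactly
        // Length/2 code units (this is what the original's "%S" assumed a terminator for).
        // Every code unit yields at least one ANSI byte, so cap the source at cchPath-1;
        // if the multibyte expansion still does not fit, convert fewer characters rather
        // than fail outright.
        size_t cchSrc = pName->Name.Length / sizeof(USHORT);
        if (cchSrc > cchPath - 1)
            cchSrc = cchPath - 1;
        while (cchSrc > 0)
        {
            int n = WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pName->Name.Buffer, (int)cchSrc,
                                        strPath, (int)cchPath - 1, NULL, NULL);
            if (n > 0)
            {
                strPath[n] = '\0';
                blnConverted = TRUE;
                break;
            }
            cchSrc = cchSrc * 3 / 4;
        }
    }
    if (!blnConverted)
        strPath[0] = '\0';

    HeapFree(hHeap, 0, pName);
}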
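// Bounded strcat: dst (capacity cchDst bytes) stays NUL-terminated; input that does
// not fit is dropped.
static void SvkAppend(char *dst, size_t cchDst, const char *src)
{
    size_t used = strlen(dst);
    if (src == NULL || used + 1 >= cchDst)
        return;
    strncat(dst, src, cchDst - used - 1);
}

// Converts up to cchSrc UTF-16 code units from a COUNTED buffer (not assumed to be
// NUL-terminated) to the ANSI code page — what wsprintf's "%S" does, but bounded by
// the destination. If the multibyte expansion does not fit, fewer characters are
// converted instead of failing.
static void SvkWideToAnsi(char *dst, size_t cchDst, const USHORT *src, size_t cchSrc)
{
    dst[0] = '\0';
    if (src == NULL || cchDst < 2)
        return;
    if (cchSrc > cchDst - 1)
        cchSrc = cchDst - 1;            // each code unit yields at least one byte
    while (cchSrc > 0)
    {
        int n = WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, (int)cchSrc, dst, (int)cchDst - 1, NULL, NULL);
        if (n > 0)
        {
            dst[n] = '\0';
            return;
        }
        cchSrc = cchSrc * 3 / 4;        // output did not fit; retry with fewer characters
    }
    dst[0] = '\0';
}

// Replacement for ntdll!NtSetValueKey. Builds "<key path>\<value name>[*value:...]",
// and if it lies under one of the monitored autostart paths asks the monitor
// (WM_COPYDATA, reply 1000 = allow) before calling the real function; otherwise the
// call goes straight through. A refused write fails with STATUS_ACCESS_DENIED.
//
// Robustness fixes vs. the original: Data is only dereferenced when DataSize says it
// is there; string data is read for DataSize bytes, not until a NUL that may not exist;
// all buffers are bounded (the original wsprintf/strcat'd a 512-byte path plus a
// 260-byte module path into a 512-byte message on the stack); itoa of a ULONG needs
// 11 bytes, not 10; and the message buffer is zero-filled because all 512 bytes are sent.
NTSTATUS WINAPI NtSetValueKeyCallback(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName,IN ULONG TitleIndex,IN ULONG type1,IN PVOID Data,IN ULONG DataSize)
{
    char strName[512];
    GetPath(strName, KeyHandle);

    char strValue[512];
    SvkWideToAnsi(strValue, sizeof(strValue),
                  ValueName ? ValueName->Buffer : NULL,
                  ValueName ? ValueName->Length / sizeof(USHORT) : 0);

    char strObjectPath[512];
    strObjectPath[0] = '\0';
    SvkAppend(strObjectPath, sizeof(strObjectPath), strName);
    SvkAppend(strObjectPath, sizeof(strObjectPath), "\\");
    SvkAppend(strObjectPath, sizeof(strObjectPath), strValue);

    if (type1 == 4 || type1 == 5 || type1 == 11)
    {
        // REG_DWORD / REG_DWORD_BIG_ENDIAN / REG_QWORD. The original did *(DWORD*)Data
        // unconditionally, so a NULL or short buffer from the caller crashed the hooked
        // process. Read only when 4 bytes are present (REG_QWORD shows its low 32 bits,
        // as before).
        char strNum[48];
        if (Data != NULL && DataSize >= sizeof(DWORD))
        {
            DWORD dwVal;
            memcpy(&dwVal, Data, sizeof(dwVal));
            wsprintf(strNum, "*value:%d,0x%X", dwVal, dwVal);
        }
        else
        {
            strcpy(strNum, "*value:?");
        }
        SvkAppend(strObjectPath, sizeof(strObjectPath), strNum);
    }
    else if (type1 == 3 || type1 == 8)
    {
        // REG_BINARY / REG_RESOURCE_LIST: no value preview, path and name only.
    }
    else
    {
        // Everything else is treated as UTF-16 text (REG_SZ, REG_EXPAND_SZ; REG_MULTI_SZ
        // shows its first element). The original printed Data with "%S", which assumes a
        // terminator the caller may not have supplied; bound the read by DataSize.
        char strData[512];
        SvkWideToAnsi(strData, sizeof(strData), (const USHORT *)Data, DataSize / sizeof(USHORT));
        SvkAppend(strObjectPath, sizeof(strObjectPath), "*value:");
        SvkAppend(strObjectPath, sizeof(strObjectPath), strData);
    }

    // Matching is done on a lowercase copy; the original casing is what gets reported.
    char strLwr[512];
    strcpy(strLwr, strObjectPath);
    strlwr(strLwr);
    BOOL blnMonitored = strstr(strLwr, mstrMachinePath) != NULL || strstr(strLwr, mstrUserPath) != NULL ||
                        strstr(strLwr, mstrLogonPath) != NULL || strstr(strLwr, mstrWinRegPath) != NULL;

    if (blnMonitored)
    {
        // Message format the monitor parses: "设置值:<path>**<type>^^<module>进程ID<pid>".
        // If the path is very long the trailing fields are truncated away.
        char strMsg[512];
        memset(strMsg, 0, sizeof(strMsg));
        char strInt[16];
        char strPath[260];

        strcpy(strMsg, "设置值:");
        SvkAppend(strMsg, sizeof(strMsg), strObjectPath);
        SvkAppend(strMsg, sizeof(strMsg), "**");
        itoa(type1, strInt, 10);
        SvkAppend(strMsg, sizeof(strMsg), strInt);
        SvkAppend(strMsg, sizeof(strMsg), "^^");
        strPath[0] = '\0';
        GetModuleFileName(NULL, strPath, sizeof(strPath));
        strPath[sizeof(strPath) - 1] = '\0';
        SvkAppend(strMsg, sizeof(strMsg), strPath);
        SvkAppend(strMsg, sizeof(strMsg), "进程ID<");
        itoa(::GetCurrentProcessId(), strInt, 10);
        SvkAppend(strMsg, sizeof(strMsg), strInt);
        SvkAppend(strMsg, sizeof(strMsg), ">");

        COPYDATASTRUCT cds;
        cds.dwData = 0;
        cds.cbData = sizeof(strMsg);
        cds.lpData = strMsg;

        // Synchronous round-trip into the monitor's UI thread; 1000 means "allow".
        // If the monitor is gone or hung (m_hWnd invalid → SendMessage returns 0) the
        // write is denied, so a dead monitor blocks autostart writes system-wide.
        // NOTE(review): m_hWnd was found by window title only; whoever owns that window
        // decides policy for every hooked process.
        LRESULT l = ::SendMessage(m_hWnd, WM_COPYDATA, 0, (LPARAM)&cds);
        if (l != 1000)
            return STATUS_ACCESS_DENIED;
    }

    // Allowed or unmonitored: unpatch, call the real ntdll entry, re-patch. This window
    // is not atomic — a concurrent caller on another thread reaches the unpatched
    // function and is not inspected.
    ChookNtSetValueKey->HookStatus(FALSE);
    NTSTATUS hReturn = NtSetValueKey(KeyHandle, ValueName, TitleIndex, type1, Data, DataSize);
    ChookNtSetValueKey->HookStatus(TRUE);
    return hReturn;
}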
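// Bounded strcat: dst (capacity cchDst bytes) stays NUL-terminated; excess input is dropped.
static void DvkAppend(char *dst, size_t cchDst, const char *src)
{
    size_t used = strlen(dst);
    if (src == NULL || used + 1 >= cchDst)
        return;
    strncat(dst, src, cchDst - used - 1);
}

// Converts up to cchSrc UTF-16 code units of a COUNTED buffer (no NUL terminator
// assumed) to ANSI, bounded by the destination; converts fewer characters if the
// multibyte expansion does not fit.
static void DvkWideToAnsi(char *dst, size_t cchDst, const USHORT *src, size_t cchSrc)
{
    dst[0] = '\0';
    if (src == NULL || cchDst < 2)
        return;
    if (cchSrc > cchDst - 1)
        cchSrc = cchDst - 1;
    while (cchSrc > 0)
    {
        int n = WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, (int)cchSrc, dst, (int)cchDst - 1, NULL, NULL);
        if (n > 0)
        {
            dst[n] = '\0';
            return;
        }
        cchSrc = cchSrc * 3 / 4;
    }
    dst[0] = '\0';
}

// Replacement for ntdll!NtDeleteValueKey. Reports "<key path>\<value name>" to the
// monitor when it lies under a monitored autostart path (reply 1000 = allow, anything
// else → STATUS_ACCESS_DENIED); unmonitored deletions go straight through.
// Fixes vs. the original: the value name is read for Length bytes rather than up to a
// NUL that may not exist, the message buffer cannot overflow (512-byte path + 260-byte
// module path were strcat'd into 512 bytes), and it is zero-filled because cbData sends
// the whole buffer.
NTSTATUS WINAPI NtDeleteValueKeyCallback(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName)
{
    char strName[512];
    GetPath(strName, KeyHandle);

    char strValue[512];
    DvkWideToAnsi(strValue, sizeof(strValue),
                  ValueName ? ValueName->Buffer : NULL,
                  ValueName ? ValueName->Length / sizeof(USHORT) : 0);

    char strObjectPath[512];
    strObjectPath[0] = '\0';
    DvkAppend(strObjectPath, sizeof(strObjectPath), strName);
    DvkAppend(strObjectPath, sizeof(strObjectPath), "\\");
    DvkAppend(strObjectPath, sizeof(strObjectPath), strValue);

    // Match on a lowercase copy; report the original casing.
    char strLwr[512];
    strcpy(strLwr, strObjectPath);
    strlwr(strLwr);
    BOOL blnMonitored = strstr(strLwr, mstrMachinePath) != NULL || strstr(strLwr, mstrUserPath) != NULL ||
                        strstr(strLwr, mstrLogonPath) != NULL || strstr(strLwr, mstrWinRegPath) != NULL;

    if (blnMonitored)
    {
        // Format the monitor parses: "删除值:<path>^^<module>进程ID<pid>".
        char strMsg[512];
        memset(strMsg, 0, sizeof(strMsg));
        char strPath[260];
        char strInt[16];

        strcpy(strMsg, "删除值:");
        DvkAppend(strMsg, sizeof(strMsg), strObjectPath);
        DvkAppend(strMsg, sizeof(strMsg), "^^");
        strPath[0] = '\0';
        GetModuleFileName(NULL, strPath, sizeof(strPath));
        strPath[sizeof(strPath) - 1] = '\0';
        DvkAppend(strMsg, sizeof(strMsg), strPath);
        DvkAppend(strMsg, sizeof(strMsg), "进程ID<");
        itoa(::GetCurrentProcessId(), strInt, 10);
        DvkAppend(strMsg, sizeof(strMsg), strInt);
        DvkAppend(strMsg, sizeof(strMsg), ">");

        COPYDATASTRUCT cds;
        cds.dwData = 0;
        cds.cbData = sizeof(strMsg);
        cds.lpData = strMsg;

        // Blocking round-trip to the monitor (found by window title in DllMain, so not an
        // authenticated peer). A missing or hung monitor returns 0 → the delete is denied.
        LRESULT l = ::SendMessage(m_hWnd, WM_COPYDATA, 0, (LPARAM)&cds);
        if (l != 1000)
            return STATUS_ACCESS_DENIED;
    }

    // Unpatch / call the real function / re-patch. Not atomic: other threads calling
    // NtDeleteValueKey in this window are not inspected.
    ChookNtDeleteValueKey->HookStatus(FALSE);
    NTSTATUS hReturn = NtDeleteValueKey(KeyHandle, ValueName);
    ChookNtDeleteValueKey->HookStatus(TRUE);
    return hReturn;
}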
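// Bounded strcat: dst (capacity cchDst bytes) stays NUL-terminated; excess input is dropped.
static void DkAppend(char *dst, size_t cchDst, const char *src)
{
    size_t used = strlen(dst);
    if (src == NULL || used + 1 >= cchDst)
        return;
    strncat(dst, src, cchDst - used - 1);
}

// Replacement for ntdll!NtDeleteKey. If the key being deleted lies under a monitored
// autostart path the monitor is asked first (reply 1000 = allow, otherwise the call
// fails with STATUS_ACCESS_DENIED); other keys are deleted without notification.
// Fixes vs. the original: the message is built with bounded appends (a 512-byte path
// plus a 260-byte module path were strcat'd into 512 bytes) and is zero-filled because
// the whole buffer is sent; itoa gets an 11+ byte buffer.
NTSTATUS WINAPI NtDeleteKeyCallback(IN HANDLE KeyHandle)
{
    char strObjectPath[512];
    GetPath(strObjectPath, KeyHandle);

    // Match on a lowercase copy; report the original casing.
    char strLwr[512];
    strcpy(strLwr, strObjectPath);
    strlwr(strLwr);
    BOOL blnMonitored = strstr(strLwr, mstrMachinePath) != NULL || strstr(strLwr, mstrUserPath) != NULL ||
                        strstr(strLwr, mstrLogonPath) != NULL || strstr(strLwr, mstrWinRegPath) != NULL;

    if (blnMonitored)
    {
        // Format the monitor parses: "删除项:<path>^^<module>进程ID<pid>".
        char strMsg[512];
        memset(strMsg, 0, sizeof(strMsg));
        char strPath[260];
        char strInt[16];

        strcpy(strMsg, "删除项:");
        DkAppend(strMsg, sizeof(strMsg), strObjectPath);
        DkAppend(strMsg, sizeof(strMsg), "^^");
        strPath[0] = '\0';
        GetModuleFileName(NULL, strPath, sizeof(strPath));
        strPath[sizeof(strPath) - 1] = '\0';
        DkAppend(strMsg, sizeof(strMsg), strPath);
        DkAppend(strMsg, sizeof(strMsg), "进程ID<");
        itoa(::GetCurrentProcessId(), strInt, 10);
        DkAppend(strMsg, sizeof(strMsg), strInt);
        DkAppend(strMsg, sizeof(strMsg), ">");

        COPYDATASTRUCT cds;
        cds.dwData = 0;
        cds.cbData = sizeof(strMsg);
        cds.lpData = strMsg;

        // Blocking round-trip to the monitor (found by window title in DllMain, so not an
        // authenticated peer). A missing or hung monitor returns 0 → the delete is denied.
        LRESULT l = ::SendMessage(m_hWnd, WM_COPYDATA, 0, (LPARAM)&cds);
        if (l != 1000)
            return STATUS_ACCESS_DENIED;
    }

    // Unpatch / call the real function / re-patch. Not atomic: other threads calling
    // NtDeleteKey in this window are not inspected.
    ChookNtDeleteKey->HookStatus(FALSE);
    NTSTATUS hReturn = NtDeleteKey(KeyHandle);
    ChookNtDeleteKey->HookStatus(TRUE);
    return hReturn;
}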
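// Bounded strcat: dst (capacity cchDst bytes) stays NUL-terminated; excess input is dropped.
static void CkAppend(char *dst, size_t cchDst, const char *src)
{
    size_t used = strlen(dst);
    if (src == NULL || used + 1 >= cchDst)
        return;
    strncat(dst, src, cchDst - used - 1);
}

// Converts up to cchSrc UTF-16 code units of a COUNTED buffer (no NUL terminator
// assumed) to ANSI, bounded by the destination; converts fewer characters if the
// multibyte expansion does not fit.
static void CkWideToAnsi(char *dst, size_t cchDst, const USHORT *src, size_t cchSrc)
{
    dst[0] = '\0';
    if (src == NULL || cchDst < 2)
        return;
    if (cchSrc > cchDst - 1)
        cchSrc = cchDst - 1;
    while (cchSrc > 0)
    {
        int n = WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, (int)cchSrc, dst, (int)cchDst - 1, NULL, NULL);
        if (n > 0)
        {
            dst[n] = '\0';
            return;
        }
        cchSrc = cchSrc * 3 / 4;
    }
    dst[0] = '\0';
}

// Replacement for ntdll!NtCreateKey (also reached via RegOpenKeyEx/RegCreateKeyEx).
// The full name is "<RootDirectory path>\<ObjectName>" (or just ObjectName when it is
// absolute). Opening/creating one of the monitored keys *itself* passes through silently
// — that is not an autostart change; creating a child under one is reported to the
// monitor (reply 1000 = allow, otherwise STATUS_ACCESS_DENIED).
//
// Fixes vs. the original: a NULL ObjectAttributes or RootDirectory is no longer
// dereferenced/queried (the original prepended whatever GetPath(NULL) produced); the
// key name is read for Length bytes, not to a NUL that may not exist; the 512-byte path
// is no longer strcpy'd into a 260-byte temporary; the message is bounded and zero-filled.
NTSTATUS WINAPI NtCreateKeyCallback(OUT PHANDLE pKeyHandle,IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,IN ULONG TitleIndex,IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,OUT PULONG Disposition OPTIONAL)
{
    BOOL blnMonitored = FALSE;
    char strObjectPath[512];
    strObjectPath[0] = '\0';

    if (ObjectAttributes != NULL)
    {
        if (ObjectAttributes->RootDirectory != NULL)
        {
            char strName[512];
            GetPath(strName, ObjectAttributes->RootDirectory);
            CkAppend(strObjectPath, sizeof(strObjectPath), strName);
            CkAppend(strObjectPath, sizeof(strObjectPath), "\\");
        }

        char strKeyName[512];
        PUNICODE_STRING pusName = ObjectAttributes->ObjectName;
        CkWideToAnsi(strKeyName, sizeof(strKeyName),
                     pusName ? pusName->Buffer : NULL,
                     pusName ? pusName->Length / sizeof(USHORT) : 0);
        CkAppend(strObjectPath, sizeof(strObjectPath), strKeyName);

        // Exactly one of the monitored keys (case-insensitive): not a change, let it through.
        BOOL blnIsMonitoredKey = lstrcmpi(strObjectPath, mstrMachinePath) == 0 || lstrcmpi(strObjectPath, mstrUserPath) == 0 ||
                                 lstrcmpi(strObjectPath, mstrLogonPath) == 0 || lstrcmpi(strObjectPath, mstrWinRegPath) == 0;
        if (!blnIsMonitoredKey)
        {
            // Otherwise anything underneath a monitored path is reported.
            char strLwr[512];
            strcpy(strLwr, strObjectPath);
            strlwr(strLwr);
            blnMonitored = strstr(strLwr, mstrMachinePath) != NULL || strstr(strLwr, mstrUserPath) != NULL ||
                           strstr(strLwr, mstrLogonPath) != NULL || strstr(strLwr, mstrWinRegPath) != NULL;
        }
    }

    if (blnMonitored)
    {
        // Format the monitor parses: "新增项:<path>^^<module>进程ID<pid>".
        char strMsg[512];
        memset(strMsg, 0, sizeof(strMsg));
        char strPath[260];
        char strInt[16];

        strcpy(strMsg, "新增项:");
        CkAppend(strMsg, sizeof(strMsg), strObjectPath);
        CkAppend(strMsg, sizeof(strMsg), "^^");
        strPath[0] = '\0';
        GetModuleFileName(NULL, strPath, sizeof(strPath));
        strPath[sizeof(strPath) - 1] = '\0';
        CkAppend(strMsg, sizeof(strMsg), strPath);
        CkAppend(strMsg, sizeof(strMsg), "进程ID<");
        itoa(::GetCurrentProcessId(), strInt, 10);
        CkAppend(strMsg, sizeof(strMsg), strInt);
        CkAppend(strMsg, sizeof(strMsg), ">");

        COPYDATASTRUCT cds;
        cds.dwData = 0;
        cds.cbData = sizeof(strMsg);
        cds.lpData = strMsg;

        // Blocking round-trip to the monitor (found by window title in DllMain, so not an
        // authenticated peer). A missing or hung monitor returns 0 → the create is denied.
        LRESULT l = ::SendMessage(m_hWnd, WM_COPYDATA, 0, (LPARAM)&cds);
        if (l != 1000)
            return STATUS_ACCESS_DENIED;
    }

    // Unpatch / call the real function / re-patch. Not atomic: other threads calling
    // NtCreateKey in this window are not inspected. Invalid arguments (e.g. a NULL
    // ObjectAttributes) are left for the real function to reject.
    ChookNtCreateKey->HookStatus(FALSE);
    NTSTATUS hReturn = NtCreateKey(pKeyHandle, DesiredAccess, ObjectAttributes, TitleIndex, Class, CreateOptions, Disposition);
    ChookNtCreateKey->HookStatus(TRUE);
    return hReturn;
}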
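// Returns the SDDL string form ("S-1-5-21-...") of the SID for strUserName, or "" if
// the account cannot be resolved. The buffer is static: the original returned the
// address of a stack array, which was dangling by the time DllMain strcpy'd it.
// Not reentrant — DllMain is the only caller and calls it once per process.
char *GetSidString(char *strUserName)
{
    static char szBuffer[200];
    szBuffer[0] = '\0';
    if (strUserName == NULL)
        return szBuffer;

    BYTE sidBuffer[100];
    PSID pSid = (PSID)sidBuffer;
    DWORD sidBufferSize = sizeof(sidBuffer);
    char domainBuffer[80];
    DWORD domainBufferSize = sizeof(domainBuffer);
    SID_NAME_USE snu;

    // On failure (unknown name, buffer too small) return "" rather than formatting
    // whatever happened to be in the uninitialised buffer, as the original did.
    if (!LookupAccountName(NULL, strUserName, pSid, &sidBufferSize, domainBuffer, &domainBufferSize, &snu) ||
        !IsValidSid(pSid))
        return szBuffer;

    // The identifier authority is a 48-bit big-endian value. SDDL prints it in decimal
    // when it fits in 32 bits and in hex otherwise; the original used only its low byte.
    SID_IDENTIFIER_AUTHORITY *psia = GetSidIdentifierAuthority(pSid);
    if (psia->Value[0] == 0 && psia->Value[1] == 0)
    {
        DWORD dwAuthority = ((DWORD)psia->Value[2] << 24) | ((DWORD)psia->Value[3] << 16) |
                            ((DWORD)psia->Value[4] << 8) | (DWORD)psia->Value[5];
        wsprintf(szBuffer, "S-1-%lu", dwAuthority);
    }
    else
    {
        wsprintf(szBuffer, "S-1-0x%02X%02X%02X%02X%02X%02X",
                 psia->Value[0], psia->Value[1], psia->Value[2],
                 psia->Value[3], psia->Value[4], psia->Value[5]);
    }

    // Up to 15 sub-authorities of up to 10 digits each fit in 200 bytes; append
    // defensively regardless.
    int iSubAuthorityCount = *GetSidSubAuthorityCount(pSid);
    for (int i = 0; i < iSubAuthorityCount; i++)
    {
        char szTemp[16];
        wsprintf(szTemp, "-%lu", *GetSidSubAuthority(pSid, i));
        if (strlen(szBuffer) + strlen(szTemp) + 1 > sizeof(szBuffer))
            break;
        strcat(szBuffer, szTemp);
    }
    return szBuffer;
}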
<p>// 来源: http://blog.csdn.net/chenhui530/archive/2008/02/02/2079118.aspx</p>