/************************************************************
版权所有: 北京赛搏长城信息技术研究所, 2006.4.17
文件名: Memory.c
作者: 李佳伦
描述: HideHKApi.sys过滤辅助功能的实现文件,主要完成以下功能:
申请释放保存规则(文件、进程、注册表)的内存空间
注册表隐藏的辅助函数
***********************************************************/
#include "Cyber02Hide.h"
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
///文件隐藏部分
///
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*************************************************************
Function:     AddFileCtrlInfo(PFILEHIDERULE FileRule)
Purpose:      Append one file-hiding rule to the singly linked
              list rooted at m_FileHideInfo, unless an equivalent
              rule is already present.
Calls:        none
Called by:    DriverIoControl()
Input:        PFILEHIDERULE FileRule - rule to add; only the
              256-byte FileRule->rule text is copied into the node.
Output:       none
Returns:      TRUE on success; FALSE when the rule is already
              present or the node allocation fails.
Side effects: increments m_FileRuleNum; sets m_FileHideInfo when
              the list was empty.
Notes:
 - The duplicate test compares only ansiFileCtrlItemCur.Length
   bytes, so a new rule that merely begins with an existing
   rule's text is also rejected as a duplicate.
 - RtlInitAnsiString measures the rule by scanning for a NUL;
   nothing here guarantees FileRule->rule is terminated within
   its 256 bytes - the IOCTL dispatcher must ensure that.
 - Relies on m_FileRuleNum matching the chain length: with a
   non-zero m_FileHideInfo but m_FileRuleNum == 0 the append path
   dereferences a NULL FileCtrlItemPrev.
 - NOTE(review): no lock is taken here; concurrent IOCTL callers
   would race on the list - confirm the dispatcher serializes.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR AddFileCtrlInfo(PFILEHIDERULE FileRule)
{
UCHAR Result = FALSE;            // TRUE once a matching entry is found
ULONG i = 0;
USHORT len = 0;                  // unused
PFILEHIDERULE FileCtrlItemPrev = NULL, FileCtrlItemCur = NULL, FileCtrlItem = NULL;
NDIS_PHYSICAL_ADDRESS HighAddress = NDIS_PHYSICAL_ADDRESS_CONST(-1, -1); // no upper physical-address limit
/* walk the file rule list, m_FileRuleNum nodes */
FileCtrlItemCur = (PFILEHIDERULE)m_FileHideInfo;
for(i = 0; i < m_FileRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs (Length measured up to the NUL)
ANSI_STRING ansiFileRule,ansiFileCtrlItemCur;
RtlInitAnsiString( &ansiFileRule,FileRule->rule );
RtlInitAnsiString( &ansiFileCtrlItemCur,FileCtrlItemCur->rule );
/* prefix comparison over the existing entry's length (see header) */
if( RtlCompareMemory(ansiFileRule.Buffer,ansiFileCtrlItemCur.Buffer,ansiFileCtrlItemCur.Length ) == ansiFileCtrlItemCur.Length )
{
/* equivalent rule already present */
Result = TRUE;
break;
}
FileCtrlItemPrev = FileCtrlItemCur;   // after a full walk, Prev is the tail node
FileCtrlItemCur = FileCtrlItemCur->_next;
}
/* already present: report failure, nothing allocated */
if(Result == TRUE)
return FALSE;
/* allocate the new node */
NdisAllocateMemory((PVOID)&FileCtrlItem, sizeof(FILEHIDERULE), 0, HighAddress);
if(FileCtrlItem == NULL)
return FALSE;
memset((PUCHAR)FileCtrlItem, 0, sizeof(FILEHIDERULE));
// copy the rule text; every other field stays zero from the memset
RtlCopyMemory( FileCtrlItem->rule,FileRule->rule,256*sizeof(char) );
if(m_FileHideInfo == NULL) // empty list: the new node becomes the head
{
FileCtrlItem->_next = NULL;
m_FileHideInfo = (PUCHAR)FileCtrlItem;
}
else // non-empty list: append after the last node visited
{
FileCtrlItemPrev->_next = FileCtrlItem;
FileCtrlItem->_next = NULL;
}
m_FileRuleNum++;
return TRUE;
}
/*************************************************************
Function:     DelFileCtrlInfo(PFILEHIDERULE FileRule)
Purpose:      Unlink and free the first node of m_FileHideInfo
              whose rule text is a prefix of (or equal to)
              FileRule->rule.
Calls:        none
Called by:    DriverIoControl()
Input:        PFILEHIDERULE FileRule - rule to remove
Output:       none
Returns:      TRUE when a node was removed; FALSE when the list is
              empty or no node matches.
Side effects: decrements m_FileRuleNum; may move m_FileHideInfo.
Notes:
 - Same prefix-style comparison as AddFileCtrlInfo: the stored
   entry's Length decides how many bytes are compared.
 - Walks exactly m_FileRuleNum nodes; a count larger than the
   chain would dereference NULL.
 - NOTE(review): no synchronization visible - confirm the caller
   serializes with concurrent Add/Del calls.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR DelFileCtrlInfo(PFILEHIDERULE FileRule)
{
ULONG i = 0;
UCHAR Result = FALSE;            // TRUE once the node to delete is found
PFILEHIDERULE FileCtrlItem = NULL, FileCtrlItemPrev = NULL;
if(m_FileHideInfo == NULL)
return FALSE;
/* walk the file rule list */
FileCtrlItem = (PFILEHIDERULE)m_FileHideInfo;
FileCtrlItemPrev = FileCtrlItem;     // Prev == Item after the loop means the head matched
for(i = 0; i < m_FileRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs
ANSI_STRING ansiFileRule,ansiFileCtrlItem;
RtlInitAnsiString( &ansiFileRule,FileRule->rule );
RtlInitAnsiString( &ansiFileCtrlItem,FileCtrlItem->rule );
/* prefix comparison over the stored entry's length */
if(RtlCompareMemory(ansiFileRule.Buffer,ansiFileCtrlItem.Buffer,ansiFileCtrlItem.Length ) == ansiFileCtrlItem.Length)
{
/* match found */
Result = TRUE;
DbgPrint("Find the Del File!\n");
break;
}
FileCtrlItemPrev = FileCtrlItem;
FileCtrlItem = FileCtrlItem->_next;
}
/* no match: nothing to delete */
if(Result == FALSE)
return FALSE;
if(FileCtrlItemPrev == FileCtrlItem) // matched node is the head: advance the list head
{
m_FileHideInfo = (PUCHAR)FileCtrlItem->_next;
NdisFreeMemory((PVOID)FileCtrlItem, sizeof(FILEHIDERULE), 0);
}
else // interior or tail node: bypass it
{
FileCtrlItemPrev->_next = FileCtrlItem->_next;
NdisFreeMemory((PVOID)FileCtrlItem, sizeof(FILEHIDERULE), 0);
}
m_FileRuleNum--;
return TRUE;
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
///进程隐藏部分
///
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*************************************************************
Function:     AddProcessCtrlInfo(PPROCESSHIDERULE ProcessRule)
Purpose:      Append one process-hiding rule to the singly linked
              list rooted at m_ProcessHideInfo, unless an
              equivalent rule is already present.
Calls:        none
Called by:    DriverIoControl()
Input:        PPROCESSHIDERULE ProcessRule - rule to add; only the
              256-byte ProcessRule->rule text is copied.
Output:       none
Returns:      TRUE on success; FALSE when the rule is already
              present or the node allocation fails.
Side effects: increments m_ProcessRuleNum; sets m_ProcessHideInfo
              when the list was empty.
Notes:
 - Same structure and caveats as AddFileCtrlInfo: the duplicate
   test is a prefix comparison over the stored entry's Length;
   RtlInitAnsiString needs a NUL inside the 256-byte rule; the
   append path assumes m_ProcessRuleNum matches the chain.
 - NOTE(review): no lock taken; confirm callers are serialized.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR AddProcessCtrlInfo(PPROCESSHIDERULE ProcessRule)
{
UCHAR Result = FALSE;            // TRUE once a matching entry is found
ULONG i = 0;
USHORT len = 0;                  // unused
PPROCESSHIDERULE ProcessCtrlItemPrev = NULL, ProcessCtrlItemCur = NULL, ProcessCtrlItem = NULL;
NDIS_PHYSICAL_ADDRESS HighAddress = NDIS_PHYSICAL_ADDRESS_CONST(-1, -1); // no upper physical-address limit
/* walk the process rule list, m_ProcessRuleNum nodes */
ProcessCtrlItemCur = (PPROCESSHIDERULE)m_ProcessHideInfo;
for(i = 0; i < m_ProcessRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs (Length measured up to the NUL)
ANSI_STRING ansiProcessRule,ansiProcessCtrlItemCur;
RtlInitAnsiString( &ansiProcessRule,ProcessRule->rule );
RtlInitAnsiString( &ansiProcessCtrlItemCur,ProcessCtrlItemCur->rule );
/* prefix comparison over the existing entry's length */
if( RtlCompareMemory(ansiProcessRule.Buffer,ansiProcessCtrlItemCur.Buffer,ansiProcessCtrlItemCur.Length ) == ansiProcessCtrlItemCur.Length )
{
/* equivalent rule already present */
Result = TRUE;
break;
}
ProcessCtrlItemPrev = ProcessCtrlItemCur;   // after a full walk, Prev is the tail node
ProcessCtrlItemCur = ProcessCtrlItemCur->_next;
}
/* already present: report failure, nothing allocated */
if(Result == TRUE)
return FALSE;
/* allocate the new node */
NdisAllocateMemory((PVOID)&ProcessCtrlItem, sizeof(PROCESSHIDERULE), 0, HighAddress);
if(ProcessCtrlItem == NULL)
return FALSE;
memset((PUCHAR)ProcessCtrlItem, 0, sizeof(PROCESSHIDERULE));
// copy the rule text; every other field stays zero from the memset
RtlCopyMemory( ProcessCtrlItem->rule,ProcessRule->rule,256*sizeof(char) );
if(m_ProcessHideInfo == NULL) // empty list: the new node becomes the head
{
ProcessCtrlItem->_next = NULL;
m_ProcessHideInfo = (PUCHAR)ProcessCtrlItem;
}
else // non-empty list: append after the last node visited
{
ProcessCtrlItemPrev->_next = ProcessCtrlItem;
ProcessCtrlItem->_next = NULL;
}
m_ProcessRuleNum++;
return TRUE;
}
/*************************************************************
Function:     DelProcessCtrlInfo(PPROCESSHIDERULE ProcessRule)
Purpose:      Unlink and free the first node of m_ProcessHideInfo
              whose rule text is a prefix of (or equal to)
              ProcessRule->rule.
Calls:        none
Called by:    DriverIoControl()
Input:        PPROCESSHIDERULE ProcessRule - rule to remove
Output:       none
Returns:      TRUE when a node was removed; FALSE when the list is
              empty or no node matches.
Side effects: decrements m_ProcessRuleNum; may move
              m_ProcessHideInfo.
Notes:
 - Mirrors DelFileCtrlInfo; same prefix-style comparison and the
   same reliance on m_ProcessRuleNum matching the chain length.
 - NOTE(review): no synchronization visible - confirm the caller
   serializes with concurrent Add/Del calls.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR DelProcessCtrlInfo(PPROCESSHIDERULE ProcessRule)
{
ULONG i = 0;
UCHAR Result = FALSE;            // TRUE once the node to delete is found
PPROCESSHIDERULE ProcessCtrlItem = NULL, ProcessCtrlItemPrev = NULL;
if(m_ProcessHideInfo == NULL)
return FALSE;
/* walk the process rule list */
ProcessCtrlItem = (PPROCESSHIDERULE)m_ProcessHideInfo;
ProcessCtrlItemPrev = ProcessCtrlItem;     // Prev == Item after the loop means the head matched
for(i = 0; i < m_ProcessRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs
ANSI_STRING ansiProcessRule,ansiProcessCtrlItem;
RtlInitAnsiString( &ansiProcessRule,ProcessRule->rule );
RtlInitAnsiString( &ansiProcessCtrlItem,ProcessCtrlItem->rule );
/* prefix comparison over the stored entry's length */
if(RtlCompareMemory(ansiProcessRule.Buffer,ansiProcessCtrlItem.Buffer,ansiProcessCtrlItem.Length ) == ansiProcessCtrlItem.Length)
{
/* match found */
Result = TRUE;
DbgPrint("Find the Del Process!\n");
break;
}
ProcessCtrlItemPrev = ProcessCtrlItem;
ProcessCtrlItem = ProcessCtrlItem->_next;
}
/* no match: nothing to delete */
if(Result == FALSE)
return FALSE;
if(ProcessCtrlItemPrev == ProcessCtrlItem) // matched node is the head: advance the list head
{
m_ProcessHideInfo = (PUCHAR)ProcessCtrlItem->_next;
NdisFreeMemory((PVOID)ProcessCtrlItem, sizeof(PROCESSHIDERULE), 0);
}
else // interior or tail node: bypass it
{
ProcessCtrlItemPrev->_next = ProcessCtrlItem->_next;
NdisFreeMemory((PVOID)ProcessCtrlItem, sizeof(PROCESSHIDERULE), 0);
}
m_ProcessRuleNum--;
return TRUE;
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
///注册表项隐藏部分
///
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*************************************************************
Function:     AddKeyCtrlInfo(PKEYHIDERULE KeyRule)
Purpose:      Append one registry-key-hiding rule to the singly
              linked list rooted at m_KeyHideInfo, unless an
              equivalent rule is already present.
Calls:        none
Called by:    DriverIoControl()
Input:        PKEYHIDERULE KeyRule - rule to add; only the
              256-byte KeyRule->rule text is copied.
Output:       none
Returns:      TRUE on success; FALSE when the rule is already
              present or the node allocation fails.
Side effects: increments m_KeyRuleNum; sets m_KeyHideInfo when
              the list was empty.
Notes:
 - Same structure and caveats as AddFileCtrlInfo: prefix-style
   duplicate test over the stored entry's Length; RtlInitAnsiString
   needs a NUL inside the 256-byte rule; the append path assumes
   m_KeyRuleNum matches the chain.
 - This is the persistent rule list; the sorted working list
   t_KeyHideInfo is rebuilt from it by InitHideArray().
 - NOTE(review): no lock taken; confirm callers are serialized.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR AddKeyCtrlInfo(PKEYHIDERULE KeyRule)
{
UCHAR Result = FALSE;            // TRUE once a matching entry is found
ULONG i = 0;
USHORT len = 0;                  // unused
PKEYHIDERULE KeyCtrlItemPrev = NULL, KeyCtrlItemCur = NULL, KeyCtrlItem = NULL;
NDIS_PHYSICAL_ADDRESS HighAddress = NDIS_PHYSICAL_ADDRESS_CONST(-1, -1); // no upper physical-address limit
/* walk the key rule list, m_KeyRuleNum nodes */
KeyCtrlItemCur = (PKEYHIDERULE)m_KeyHideInfo;
for(i = 0; i < m_KeyRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs (Length measured up to the NUL)
ANSI_STRING ansiKeyRule,ansiKeyCtrlItemCur;
RtlInitAnsiString( &ansiKeyRule,KeyRule->rule );
RtlInitAnsiString( &ansiKeyCtrlItemCur,KeyCtrlItemCur->rule );
/* prefix comparison over the existing entry's length */
if( RtlCompareMemory(ansiKeyRule.Buffer,ansiKeyCtrlItemCur.Buffer,ansiKeyCtrlItemCur.Length ) == ansiKeyCtrlItemCur.Length )
{
/* equivalent rule already present */
Result = TRUE;
break;
}
KeyCtrlItemPrev = KeyCtrlItemCur;   // after a full walk, Prev is the tail node
KeyCtrlItemCur = KeyCtrlItemCur->_next;
}
/* already present: report failure, nothing allocated */
if(Result == TRUE)
return FALSE;
/* allocate the new node */
NdisAllocateMemory((PVOID)&KeyCtrlItem, sizeof(KEYHIDERULE), 0, HighAddress);
if(KeyCtrlItem == NULL)
return FALSE;
memset((PUCHAR)KeyCtrlItem, 0, sizeof(KEYHIDERULE));
//DbgPrint("Find the Key!=%s\n",KeyRule->rule);
// copy the rule text; every other field stays zero from the memset
RtlCopyMemory( KeyCtrlItem->rule,KeyRule->rule,256*sizeof(char) );
if(m_KeyHideInfo == NULL) // empty list: the new node becomes the head
{
KeyCtrlItem->_next = NULL;
m_KeyHideInfo = (PUCHAR)KeyCtrlItem;
}
else // non-empty list: append after the last node visited
{
KeyCtrlItemPrev->_next = KeyCtrlItem;
KeyCtrlItem->_next = NULL;
}
m_KeyRuleNum++;
return TRUE;
}
/*************************************************************
Function:     DelKeyCtrlInfo(PKEYHIDERULE KeyRule)
Purpose:      Unlink and free the first node of m_KeyHideInfo
              whose rule text is a prefix of (or equal to)
              KeyRule->rule.
Calls:        none
Called by:    DriverIoControl()
Input:        PKEYHIDERULE KeyRule - rule to remove
Output:       none
Returns:      TRUE when a node was removed; FALSE when the list is
              empty or no node matches.
Side effects: decrements m_KeyRuleNum; may move m_KeyHideInfo.
Notes:
 - Mirrors DelFileCtrlInfo; same prefix-style comparison and the
   same reliance on m_KeyRuleNum matching the chain length.
 - Only m_KeyHideInfo is touched; the sorted working list
   t_KeyHideInfo is not updated here.
 - NOTE(review): no synchronization visible - confirm the caller
   serializes with concurrent Add/Del calls.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR DelKeyCtrlInfo(PKEYHIDERULE KeyRule)
{
ULONG i = 0;
UCHAR Result = FALSE;            // TRUE once the node to delete is found
PKEYHIDERULE KeyCtrlItem = NULL, KeyCtrlItemPrev = NULL;
if(m_KeyHideInfo == NULL)
return FALSE;
/* walk the key rule list */
KeyCtrlItem = (PKEYHIDERULE)m_KeyHideInfo;
KeyCtrlItemPrev = KeyCtrlItem;     // Prev == Item after the loop means the head matched
for(i = 0; i < m_KeyRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs
ANSI_STRING ansiKeyRule,ansiKeyCtrlItem;
RtlInitAnsiString( &ansiKeyRule,KeyRule->rule );
RtlInitAnsiString( &ansiKeyCtrlItem,KeyCtrlItem->rule );
/* prefix comparison over the stored entry's length */
if(RtlCompareMemory(ansiKeyRule.Buffer,ansiKeyCtrlItem.Buffer,ansiKeyCtrlItem.Length ) == ansiKeyCtrlItem.Length)
{
/* match found */
Result = TRUE;
//DbgPrint("Find the Del Key!\n");
break;
}
KeyCtrlItemPrev = KeyCtrlItem;
KeyCtrlItem = KeyCtrlItem->_next;
}
/* no match: nothing to delete */
if(Result == FALSE)
return FALSE;
if(KeyCtrlItemPrev == KeyCtrlItem) // matched node is the head: advance the list head
{
m_KeyHideInfo = (PUCHAR)KeyCtrlItem->_next;
NdisFreeMemory((PVOID)KeyCtrlItem, sizeof(KEYHIDERULE), 0);
}
else // interior or tail node: bypass it
{
KeyCtrlItemPrev->_next = KeyCtrlItem->_next;
NdisFreeMemory((PVOID)KeyCtrlItem, sizeof(KEYHIDERULE), 0);
}
m_KeyRuleNum--;
return TRUE;
}
/*************************************************************
Function:     AppendKeyInformation
Purpose:      Extract the key name from a KEY_BASIC_INFORMATION or
              KEY_NODE_INFORMATION record into a UNICODE_STRING.
Calls:        none
Called by:    GetOffset()
Input:        KEY_INFORMATION_CLASS KeyInformationClass - which
              record layout KeyInformation uses
              PVOID KeyInformation - the record (caller-owned)
Output:       PUNICODE_STRING ukeyname - initialised over a copy
              of the name; names longer than 259 WCHARs are cut.
Returns:      TRUE for KeyBasicInformation and KeyNodeInformation;
              FALSE for KeyFullInformation and unknown classes, in
              which case ukeyname is left untouched.
Notes:
 - NOTE(review): the copy lives in the local array tKeyName, and
   RtlInitUnicodeString points ukeyname->Buffer at it instead of
   copying, so the returned string references this function's
   stack frame after it returns. A caller that reads
   ukeyname->Buffer afterwards (GetOffset does) is reading
   released stack memory.
 - NameLength is taken as a byte count (as the WDK defines it);
   the copy is bounded so the final WCHAR of tKeyName always
   stays zero.
 - The Name bytes are read straight from the caller's record;
   that the record really holds NameLength bytes is the caller's
   responsibility.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR AppendKeyInformation( IN KEY_INFORMATION_CLASS KeyInformationClass,
IN PVOID KeyInformation,OUT PUNICODE_STRING ukeyname )
{
PKEY_BASIC_INFORMATION pbasicinfo;
PKEY_FULL_INFORMATION pfullinfo;     // unused
PKEY_NODE_INFORMATION pnodeinfo;
WCHAR tKeyName[260] = {0};           // staging buffer; the last WCHAR is never written
UNICODE_STRING keyname;              // unused
//ANSI_STRING akeyname;
switch( KeyInformationClass ) {
case KeyBasicInformation:
//DbgPrint("KeyBasicInformation\n");
pbasicinfo = (PKEY_BASIC_INFORMATION) KeyInformation;
//DbgPrint("The Key is =%ws,THE length is %d\n",pbasicinfo->Name,pbasicinfo->NameLength);
RtlZeroMemory(tKeyName, sizeof(WCHAR)*260);
// NameLength is in bytes; cap at 518 bytes so a terminating WCHAR remains
if(pbasicinfo->NameLength < sizeof(WCHAR)*260-2)
{
RtlCopyMemory(tKeyName,pbasicinfo->Name, pbasicinfo->NameLength);
}
else
{
RtlCopyMemory(tKeyName,pbasicinfo->Name, sizeof(WCHAR)*260-2);
}
RtlInitUnicodeString(ukeyname,tKeyName);   // points at the local array (see header)
return TRUE;
case KeyFullInformation:
//DbgPrint("KeyFullInformation\n");
return FALSE;                              // no name extraction for this layout; ukeyname untouched
case KeyNodeInformation:
//DbgPrint("KeyNodeInformation\n");
pnodeinfo = (PKEY_NODE_INFORMATION) KeyInformation;
RtlZeroMemory(tKeyName, sizeof(WCHAR)*260);
// same bounded copy as the basic case
if(pnodeinfo->NameLength < sizeof(WCHAR)*260-2)
{
RtlCopyMemory(tKeyName, (WCHAR *)pnodeinfo->Name, pnodeinfo->NameLength);
}
else
{
RtlCopyMemory(tKeyName, (WCHAR *)pnodeinfo->Name, sizeof(WCHAR)*260-2);
}
RtlInitUnicodeString(ukeyname,tKeyName);   // points at the local array (see header)
return TRUE;
default:
//DbgPrint("???????????????????????????\n");
return FALSE;
}
}
/*************************************************************
Function:     ClearTTable
Purpose:      Free every node of the sorted working list
              t_KeyHideInfo and reset it to empty.
Calls:        none
Called by:    (not visible in this file)
Input:        none
Output:       none
Returns:      FALSE when the list was already empty, TRUE otherwise.
Side effects: t_KeyRuleNum = 0, t_KeyHideInfo = NULL.
Notes:
 - Walks exactly t_KeyRuleNum nodes, reading _next before the
   node is freed. If t_KeyRuleNum exceeds the actual chain length
   (AddArray's middle-insert path can cause that) the walk
   dereferences NULL.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR ClearTTable()
{
ULONG i = 0;
PKEYHIDERULE KeyCtrlItem = NULL, KeyCtrlItemPrev = NULL;
if(t_KeyHideInfo == NULL)
return FALSE;
/* walk the working list, freeing each node behind the cursor */
KeyCtrlItem = (PKEYHIDERULE)t_KeyHideInfo;
KeyCtrlItemPrev = KeyCtrlItem;
for(i = 0; i < t_KeyRuleNum; i++)
{
KeyCtrlItemPrev = KeyCtrlItem;
KeyCtrlItem = KeyCtrlItem->_next;      // advance first, then free the node left behind
NdisFreeMemory((PVOID)KeyCtrlItemPrev, sizeof(KEYHIDERULE), 0);
}
t_KeyRuleNum = 0;
t_KeyHideInfo = NULL;
return TRUE;
}
/*************************************************************
Function:     AddArray
Purpose:      Insert a copy of KeyRule into the working list
              t_KeyHideInfo, which is kept in ascending
              case-insensitive Unicode order of the rule text.
              An exactly equal rule is refused.
Calls:        none
Called by:    InitHideArray()
Input:        PKEYHIDERULE KeyRule - rule to copy (256 bytes of
              ->rule)
Output:       t_KeyHideInfo / t_KeyRuleNum
Returns:      TRUE when inserted; FALSE when an equal rule exists;
              0 (also FALSE) when the node allocation fails.
Notes:
 - Both sides of every comparison are converted with
   RtlAnsiStringToUnicodeString (allocates) and released with
   RtlFreeUnicodeString on every path. The conversion status is
   not checked, so an allocation failure would leave an
   uninitialised UNICODE_STRING in use.
 - NOTE(review): the "insert in the middle" branch links the new
   node to KeyCtrlItemCur->_next instead of KeyCtrlItemCur, so
   the node at KeyCtrlItemCur drops out of the chain (and is not
   freed) while t_KeyRuleNum is still incremented; the chain
   ends up one node shorter than the count says. Only the head
   and tail cases keep the chain intact.
 - Relies on t_KeyRuleNum matching the chain length.
Author:       ljl 2006-04-12
*************************************************************/
UCHAR AddArray( PKEYHIDERULE KeyRule)
{
UCHAR Result = FALSE;            // unused
ULONG i = 0;
USHORT len = 0;                  // unused
UNICODE_STRING uniKeyRule;       // Unicode form of KeyRule->rule (allocated below)
ANSI_STRING aniKeyRule;
PKEYHIDERULE KeyCtrlItemPrev = NULL, KeyCtrlItemCur = NULL, KeyCtrlItem = NULL;
NDIS_PHYSICAL_ADDRESS HighAddress = NDIS_PHYSICAL_ADDRESS_CONST(-1, -1); // no upper physical-address limit
/* walk the sorted working list looking for the insertion point */
KeyCtrlItemCur = (PKEYHIDERULE)t_KeyHideInfo;
RtlInitAnsiString( &aniKeyRule,KeyRule->rule);
RtlAnsiStringToUnicodeString( &uniKeyRule,&aniKeyRule,TRUE);   // TRUE = allocate the buffer; status unchecked
for(i = 0; i < t_KeyRuleNum; i++)
{
// convert the current node's rule to Unicode for the comparison
UNICODE_STRING uniKeyCtrlItemCur;
ANSI_STRING aniKeyCtrlItemCur;
LONG rt;
RtlInitAnsiString( &aniKeyCtrlItemCur,KeyCtrlItemCur->rule);
RtlAnsiStringToUnicodeString( &uniKeyCtrlItemCur,&aniKeyCtrlItemCur,TRUE);
/* case-insensitive compare; rt < 0 means the new rule sorts before this node */
rt = RtlCompareUnicodeString( &uniKeyRule,&uniKeyCtrlItemCur,TRUE );
if(rt == 0)
{
// equal rule already present: release both strings and refuse
RtlFreeUnicodeString( &uniKeyCtrlItemCur );
RtlFreeUnicodeString( &uniKeyRule );
return FALSE;
}
else if(rt < 0)
{
// insertion point found: the new node belongs before KeyCtrlItemCur
RtlFreeUnicodeString( &uniKeyCtrlItemCur );
break;
}
else
{
// keep walking
KeyCtrlItemPrev = KeyCtrlItemCur;
KeyCtrlItemCur = KeyCtrlItemCur->_next;
RtlFreeUnicodeString( &uniKeyCtrlItemCur );
}
}
RtlFreeUnicodeString( &uniKeyRule );
/* allocate the new node */
NdisAllocateMemory((PVOID)&KeyCtrlItem, sizeof(KEYHIDERULE), 0, HighAddress);
if(KeyCtrlItem == NULL)
return 0;                        // same value as FALSE
memset((PUCHAR)KeyCtrlItem, 0, sizeof(KEYHIDERULE));
// copy the rule text; every other field stays zero from the memset
RtlCopyMemory( KeyCtrlItem->rule,KeyRule->rule,256*sizeof(char) );
if( KeyCtrlItemPrev == NULL ) // insert at the head (list empty, or new rule sorts first)
{
KeyCtrlItem->_next = KeyCtrlItemCur;
t_KeyHideInfo = (PUCHAR)KeyCtrlItem;
}
else if( KeyCtrlItemCur==NULL) // insert at the tail (walked the whole list)
{
KeyCtrlItemPrev->_next = KeyCtrlItem;
KeyCtrlItem->_next = NULL;
}
else // insert between Prev and Cur - see header note: Cur itself is skipped here
{
KeyCtrlItemPrev->_next = KeyCtrlItem;
KeyCtrlItem->_next = KeyCtrlItemCur->_next;
}
t_KeyRuleNum++;
return TRUE;
}
/*************************************************************
Function:     InitHideArray
Purpose:      Populate the sorted working list t_KeyHideInfo with
              those rules from m_KeyHideInfo that name an existing
              subkey of KeyHandle.
Calls:        AddArray()
Called by:    (not visible in this file)
Input:        HANDLE KeyHandle - key whose subkeys are about to be
              enumerated; used as the RootDirectory for each
              relative open.
Output:       t_KeyHideInfo / t_KeyRuleNum, via AddArray()
Returns:      0 when no key rules are configured, 1 otherwise
              (the other functions in this file use TRUE/FALSE).
Notes:
 - Each rule text is converted to Unicode and opened relative to
   KeyHandle with ZwOpenKey(KEY_ENUMERATE_SUB_KEYS); the rule is
   added to the working list only when that open succeeds, and
   the handle is closed straight away. Open failures are ignored
   by design (the rule simply does not apply under this key).
 - The AddArray() return value is ignored; the conversion status
   from RtlAnsiStringToUnicodeString is not checked either.
 - The working list is not cleared here - NOTE(review):
   presumably the caller runs ClearTTable() first; confirm,
   otherwise entries accumulate across calls (AddArray refuses
   only exact duplicates).
Author:       ljl 2006-04-12
*************************************************************/
UCHAR InitHideArray(HANDLE KeyHandle)
{
PKEYHIDERULE KeyCtrlItemCur=NULL;
ULONG i;
OBJECT_ATTRIBUTES InitializedAttributes;
HANDLE newKeyHandle=NULL;
//NDIS_PHYSICAL_ADDRESS HighAddress = NDIS_PHYSICAL_ADDRESS_CONST(-1, -1);
//NdisAllocateMemory((PVOID)InitializedAttributes, sizeof(OBJECT_ATTRIBUTES), 0, HighAddress);
if(m_KeyHideInfo==NULL)
{
//DbgPrint("m_KeyHideInfo is NULL.\n");
return 0;
}
KeyCtrlItemCur = (PKEYHIDERULE)m_KeyHideInfo;
for(i = 0; i < m_KeyRuleNum; i++)
{
UNICODE_STRING uniKeyName;     // Unicode form of the rule (allocated, freed at loop end)
ANSI_STRING aniKeyName;
NTSTATUS rt;
//DbgPrint("m_KeyRuleNum is %d\n",m_KeyRuleNum);
RtlInitAnsiString( &aniKeyName,KeyCtrlItemCur->rule);
RtlAnsiStringToUnicodeString( &uniKeyName,&aniKeyName,TRUE);
//DbgPrint("uniKeyName is %ws\n",uniKeyName.Buffer);
// open the rule name relative to KeyHandle to test whether such a subkey exists
InitializeObjectAttributes(&InitializedAttributes,&uniKeyName,OBJ_KERNEL_HANDLE,KeyHandle,NULL);
rt = ZwOpenKey(&newKeyHandle,KEY_ENUMERATE_SUB_KEYS,&InitializedAttributes);
//DbgPrint("rt is %d\n",rt);
if (rt == STATUS_SUCCESS)
{
//DbgPrint("NOW to add t array,the rule is %s,\n",KeyCtrlItemCur->rule);
AddArray(KeyCtrlItemCur);      // subkey exists: add it to the sorted working list
ZwClose( newKeyHandle);
}
KeyCtrlItemCur=KeyCtrlItemCur->_next;
RtlFreeUnicodeString(&uniKeyName);
}
return 1;
}
/*************************************************************
Function:     GetOffset
Purpose:      Given one enumerated key record, count how many
              entries of the sorted working list t_KeyHideInfo
              sort at or before that key's name (case-insensitive).
Calls:        AppendKeyInformation()
Called by:    (not visible in this file)
Input:        PVOID KeyInformation - record produced by a key
              enumeration
              KEY_INFORMATION_CLASS KeyInformationClass - its layout
Output:       none
Returns:      number of working-list entries whose rule compares
              less than or equal to the key name; the walk stops
              at the first entry that sorts after it.
Notes:
 - The AppendKeyInformation() return value is not checked: for
   KeyFullInformation or an unknown class, ukeyname is never
   initialised before it is compared.
 - NOTE(review): AppendKeyInformation() points ukeyname at its
   own local buffer, so ukeyname.Buffer refers to a released
   stack frame by the time RtlCompareUnicodeString reads it here.
 - On the `break` path the converted uniKeyCtrlItemCur is not
   released with RtlFreeUnicodeString - one leaked string per
   call that stops early.
 - Buffer, Result, len, KeyCtrlItem and KeyCtrlItemPrev are
   unused (Prev is assigned but never read).
Author:       ljl 2006-04-12
*************************************************************/
ULONG GetOffset( PVOID KeyInformation, KEY_INFORMATION_CLASS KeyInformationClass)
{
CHAR Buffer[256];                // unused
UCHAR Result = FALSE;            // unused
ULONG i = 0;
ULONG j = 0;                     // running count of entries that sort at or before the key name
USHORT len = 0;                  // unused
PKEYHIDERULE KeyCtrlItemPrev = NULL, KeyCtrlItemCur = NULL, KeyCtrlItem = NULL;
UNICODE_STRING ukeyname;         // key name from the record (see header note on its Buffer)
AppendKeyInformation( KeyInformationClass,KeyInformation,&ukeyname);
/* walk the sorted working list */
KeyCtrlItemCur = (PKEYHIDERULE)t_KeyHideInfo;
for(i = 0; i < t_KeyRuleNum; i++)
{
// convert the current node's rule to Unicode for the comparison
UNICODE_STRING uniKeyCtrlItemCur;
ANSI_STRING aniKeyCtrlItemCur;
LONG rt;
RtlInitAnsiString( &aniKeyCtrlItemCur,KeyCtrlItemCur->rule);
RtlAnsiStringToUnicodeString( &uniKeyCtrlItemCur,&aniKeyCtrlItemCur,TRUE);   // status unchecked
/* case-insensitive compare; rt >= 0 means the key name is at or after this entry */
rt = RtlCompareUnicodeString(&ukeyname,&uniKeyCtrlItemCur,TRUE );
KeyCtrlItemPrev = KeyCtrlItemCur;
KeyCtrlItemCur = KeyCtrlItemCur->_next;
if(rt >= 0)
{
j++;
}
else
{
break;                         // uniKeyCtrlItemCur is not freed on this path
}
RtlFreeUnicodeString(&uniKeyCtrlItemCur);
}
return j;
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
///注册表键值隐藏部分
///
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*************************************************************
Function:     AddValueCtrlInfo(PVALUEHIDERULE ValueRule)
Purpose:      Append one registry-value-hiding rule to the singly
              linked list rooted at m_ValueHideInfo, unless an
              equivalent rule is already present.
Calls:        none
Called by:    DriverIoControl()
Input:        PVALUEHIDERULE ValueRule - rule to add; only the
              256-byte ValueRule->rule text is copied.
Output:       none
Returns:      TRUE on success; FALSE when the rule is already
              present or the node allocation fails.
Side effects: increments m_ValueRuleNum; sets m_ValueHideInfo when
              the list was empty; emits the rule text via DbgPrint.
Notes:
 - Same structure and caveats as AddFileCtrlInfo: prefix-style
   duplicate test over the stored entry's Length; RtlInitAnsiString
   needs a NUL inside the 256-byte rule; the append path assumes
   m_ValueRuleNum matches the chain.
 - The DbgPrint uses a literal format and passes the rule as a
   %s argument, so it also depends on the rule being terminated.
 - NOTE(review): no lock taken; confirm callers are serialized.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR AddValueCtrlInfo(PVALUEHIDERULE ValueRule)
{
UCHAR Result = FALSE;            // TRUE once a matching entry is found
ULONG i = 0;
USHORT len = 0;                  // unused
PVALUEHIDERULE ValueCtrlItemPrev = NULL, ValueCtrlItemCur = NULL, ValueCtrlItem = NULL;
NDIS_PHYSICAL_ADDRESS HighAddress = NDIS_PHYSICAL_ADDRESS_CONST(-1, -1); // no upper physical-address limit
/* walk the value rule list, m_ValueRuleNum nodes */
ValueCtrlItemCur = (PVALUEHIDERULE)m_ValueHideInfo;
for(i = 0; i < m_ValueRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs (Length measured up to the NUL)
ANSI_STRING ansiValueRule,ansiValueCtrlItemCur;
RtlInitAnsiString( &ansiValueRule,ValueRule->rule );
RtlInitAnsiString( &ansiValueCtrlItemCur,ValueCtrlItemCur->rule );
/* prefix comparison over the existing entry's length */
if( RtlCompareMemory(ansiValueRule.Buffer,ansiValueCtrlItemCur.Buffer,ansiValueCtrlItemCur.Length ) == ansiValueCtrlItemCur.Length )
{
/* equivalent rule already present */
Result = TRUE;
break;
}
ValueCtrlItemPrev = ValueCtrlItemCur;   // after a full walk, Prev is the tail node
ValueCtrlItemCur = ValueCtrlItemCur->_next;
}
/* already present: report failure, nothing allocated */
if(Result == TRUE)
return FALSE;
/* allocate the new node */
NdisAllocateMemory((PVOID)&ValueCtrlItem, sizeof(VALUEHIDERULE), 0, HighAddress);
if(ValueCtrlItem == NULL)
return FALSE;
memset((PUCHAR)ValueCtrlItem, 0, sizeof(VALUEHIDERULE));
DbgPrint("Find the Value!=%s\n",ValueRule->rule);   // debug trace of the rule being added
// copy the rule text; every other field stays zero from the memset
RtlCopyMemory( ValueCtrlItem->rule,ValueRule->rule,256*sizeof(char) );
if(m_ValueHideInfo == NULL) // empty list: the new node becomes the head
{
ValueCtrlItem->_next = NULL;
m_ValueHideInfo = (PUCHAR)ValueCtrlItem;
}
else // non-empty list: append after the last node visited
{
ValueCtrlItemPrev->_next = ValueCtrlItem;
ValueCtrlItem->_next = NULL;
}
m_ValueRuleNum++;
return TRUE;
}
/*************************************************************
Function:     DelValueCtrlInfo(PVALUEHIDERULE ValueRule)
Purpose:      Unlink and free the first node of m_ValueHideInfo
              whose rule text is a prefix of (or equal to)
              ValueRule->rule.
Calls:        none
Called by:    DriverIoControl()
Input:        PVALUEHIDERULE ValueRule - rule to remove
Output:       none
Returns:      TRUE when a node was removed; FALSE when the list is
              empty or no node matches.
Side effects: decrements m_ValueRuleNum; may move m_ValueHideInfo.
Notes:
 - Mirrors DelFileCtrlInfo; same prefix-style comparison and the
   same reliance on m_ValueRuleNum matching the chain length.
 - NOTE(review): no synchronization visible - confirm the caller
   serializes with concurrent Add/Del calls.
Author:       李佳伦 2006.4.17
*************************************************************/
UCHAR DelValueCtrlInfo(PVALUEHIDERULE ValueRule)
{
ULONG i = 0;
UCHAR Result = FALSE;            // TRUE once the node to delete is found
PVALUEHIDERULE ValueCtrlItem = NULL, ValueCtrlItemPrev = NULL;
if(m_ValueHideInfo == NULL)
return FALSE;
/* walk the value rule list */
ValueCtrlItem = (PVALUEHIDERULE)m_ValueHideInfo;
ValueCtrlItemPrev = ValueCtrlItem;     // Prev == Item after the loop means the head matched
for(i = 0; i < m_ValueRuleNum; i++)
{
// wrap both rule texts as ANSI_STRINGs
ANSI_STRING ansiValueRule,ansiValueCtrlItem;
RtlInitAnsiString( &ansiValueRule,ValueRule->rule );
RtlInitAnsiString( &ansiValueCtrlItem,ValueCtrlItem->rule );
/* prefix comparison over the stored entry's length */
if(RtlCompareMemory(ansiValueRule.Buffer,ansiValueCtrlItem.Buffer,ansiValueCtrlItem.Length ) == ansiValueCtrlItem.Length)
{
/* match found */
Result = TRUE;
DbgPrint("Find the Del Value!\n");
break;
}
ValueCtrlItemPrev = ValueCtrlItem;
ValueCtrlItem = ValueCtrlItem->_next;
}
/* no match: nothing to delete */
if(Result == FALSE)
return FALSE;
if(ValueCtrlItemPrev == ValueCtrlItem) // matched node is the head: advance the list head
{
m_ValueHideInfo = (PUCHAR)ValueCtrlItem->_next;
NdisFreeMemory((PVOID)ValueCtrlItem, sizeof(VALUEHIDERULE), 0);
}
else // interior or tail node: bypass it
{
ValueCtrlItemPrev->_next = ValueCtrlItem->_next;
NdisFreeMemory((PVOID)ValueCtrlItem, sizeof(VALUEHIDERULE), 0);
}
m_ValueRuleNum--;
return TRUE;
}
/*************************************************************
Function:     GetValueOffset( IN HANDLE KeyHandle,
                              IN ULONG IndexA,
                              IN ULONG IndexB,
                              IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
                              PVOID KeyValueInformation,
                              IN ULONG Length,
                              PULONG ResultLength)
Purpose:      Count how many registry values of KeyHandle with
              enumeration index in [IndexA, IndexB] (inclusive;
              the bounds may be given in either order) have a
              name listed in m_ValueHideInfo.
Calls:        RealZwEnumerateValueKey - presumably the saved,
              unhooked ZwEnumerateValueKey (defined elsewhere)
Called by:    HookZwEnumerateValueKey
Input:        HANDLE KeyHandle - key being enumerated
              ULONG IndexA, IndexB - index range to probe
              KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass -
              only KeyValueBasicInformation and
              KeyValueFullInformation are understood
              PVOID KeyValueInformation, ULONG Length,
              PULONG ResultLength - the caller's enumeration
              buffer, reused for every probe
Output:       none
Returns:      number of listed value names in the range; 0 when no
              value rules are configured or the information class
              is unsupported; the count so far when the
              enumeration fails at some index.
Side effects: every successful probe overwrites the caller's
              KeyValueInformation buffer and *ResultLength, so on
              return they describe the last index probed -
              NOTE(review): confirm the hook re-issues its own
              enumeration afterwards.
Notes:
 - Value names longer than 259 WCHARs are cut before comparison;
   NameLength is taken as a byte count (WDK definition).
 - Comparison is case-insensitive (RtlCompareUnicodeString with
   CaseInSensitive = TRUE).
 - RtlAnsiStringToUnicodeString status is not checked.
 - DbgPrint runs once per index and once per rule; the trace
   includes the enumerated value names.
 - With IndexB == 0xFFFFFFFF the `i <= IndexB` loop cannot end
   by itself; only the enumeration-failure return stops it.
Author:       李佳伦 2006.4.27
*************************************************************/
ULONG GetValueOffset( IN HANDLE KeyHandle,IN ULONG IndexA,IN ULONG IndexB,IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
PVOID KeyValueInformation, IN ULONG Length, PULONG ResultLength)
{
PVALUEHIDERULE ValueCtrlItemCur=NULL;
NTSTATUS rc;
ULONG i = 0;
ULONG j = 0;                     // number of listed names found so far
ULONG k = 0;
PKEY_VALUE_BASIC_INFORMATION pbasicinfo;
PKEY_VALUE_FULL_INFORMATION pfullinfo;
WCHAR tValueName[260] = {0};     // staging buffer for the current value name; last WCHAR never written
UNICODE_STRING kvaluename;       // points at tValueName, which outlives its use here
if ( m_ValueHideInfo==NULL )
{
DbgPrint("m_ValueHideInfo==NULL\n");
return(0);
}
if( IndexA > IndexB)
{
// normalise so that IndexA <= IndexB
ULONG IndexT;
IndexT = IndexB;
IndexB = IndexA;
IndexA = IndexT;
}
for( i=IndexA; i<=IndexB; i++ )
{
ULONG find=0;                  // 1 when the current value name is in the rule list
DbgPrint("begin round one\n");
// probe index i with the caller's buffer (overwrites it - see header)
rc = RealZwEnumerateValueKey( KeyHandle,i,KeyValueInformationClass,KeyValueInformation,Length,ResultLength );
if (!NT_SUCCESS(rc))
{
DbgPrint("fail,the offset is %d\n",i);
return(j);                     // partial count
}
// extract the value name from the record as a UNICODE_STRING
if (KeyValueInformationClass==KeyValueBasicInformation)
{
pbasicinfo = (PKEY_VALUE_BASIC_INFORMATION) KeyValueInformation;
RtlZeroMemory(tValueName, sizeof(WCHAR)*260);
// NameLength is in bytes; cap at 518 bytes so a terminating WCHAR remains
if(pbasicinfo->NameLength < sizeof(WCHAR)*260-2)
{
RtlCopyMemory(tValueName,pbasicinfo->Name, pbasicinfo->NameLength);
}
else
{
RtlCopyMemory(tValueName,pbasicinfo->Name, sizeof(WCHAR)*260-2);
}
RtlInitUnicodeString(&kvaluename,tValueName);
DbgPrint("the value entry is %ws\n",kvaluename.Buffer);
}
else if (KeyValueInformationClass==KeyValueFullInformation)
{
pfullinfo = (PKEY_VALUE_FULL_INFORMATION) KeyValueInformation;
RtlZeroMemory(tValueName, sizeof(WCHAR)*260);
// same bounded copy as the basic case
if(pfullinfo->NameLength < sizeof(WCHAR)*260-2)
{
RtlCopyMemory(tValueName,pfullinfo->Name, pfullinfo->NameLength);
}
else
{
RtlCopyMemory(tValueName,pfullinfo->Name, sizeof(WCHAR)*260-2);
}
RtlInitUnicodeString(&kvaluename,tValueName);
DbgPrint("the value entry is %ws\n",kvaluename.Buffer);
}
else
{
return(0);                     // unsupported information class
}
// check whether this value name appears in the rule list
ValueCtrlItemCur = (PVALUEHIDERULE)m_ValueHideInfo;
for(k = 0; k < m_ValueRuleNum; k++)
{
UNICODE_STRING uniValueName;   // Unicode form of the rule (allocated, freed on both paths)
ANSI_STRING aniValueName;
LONG rt;
RtlInitAnsiString( &aniValueName,ValueCtrlItemCur->rule);
RtlAnsiStringToUnicodeString( &uniValueName,&aniValueName,TRUE);   // status unchecked
DbgPrint("uniValueName is %ws\n",uniValueName.Buffer);
/* case-insensitive equality test against the rule */
rt = RtlCompareUnicodeString( &kvaluename,&uniValueName,TRUE );
if(rt == 0)
{
find=1;
RtlFreeUnicodeString(&uniValueName);
break;
}
RtlFreeUnicodeString( &uniValueName );
ValueCtrlItemCur=ValueCtrlItemCur->_next;
}
if(find==1)
{
j++;
DbgPrint("the offset ++++++++++,now=%d\n",j);
}
}
DbgPrint("the offset is %d\n",j);
return j;
}