Ça marche, mais j'ai un petit problème.
Le programme qui suit "trace" les modifications de registre.
On récupère un "keyhandle" et un nom.
Quand keyhandle=0, le nom est complet ; sinon, il est tronqué.
Le nom est visiblement le chemin à partir de la clé définie par keyhandle.
Mais pas moyen d'ouvrir cette clé : erreur "invalid handle".
Les valeurs sont toujours les mêmes. Le système doit, à mon avis, posséder une table de clés de registre prédéfinies plus importante que les quelques usuelles (HKLM,...).
Qui arrive à retrouver le chemin complet de la clé? (Grand jeu concours !!)
Le traceur (squelette)
#process_all_access=$1F0FFF   ; PROCESS_ALL_ACCESS (0x1F0FFF)
Declare privilege(pid)        ; forward declaration; the procedure lives at the end of the file
privilege(GetCurrentProcessId_())   ; adjust the token of this process before the logger is started below
; ___________ Conversions de chaînes _________________________
Procedure.l ansi2bstr(ansi.s)
  ; Build a BSTR (UTF-16) from an ANSI string. The caller owns the result
  ; and releases it with SysFreeString_(). Unused by the tracer itself.
  chars.l=Len(ansi)
  ; First pass with -1 asks for the size including the terminator.
  wide.l=MultiByteToWideChar_(#CP_ACP,0,ansi,-1,0,0)
  ; Local array is zero-filled, so the unfilled tail acts as the NUL terminator.
  Dim buf.w(wide)
  MultiByteToWideChar_(#CP_ACP, 0, ansi, chars, buf(), wide)
  ProcedureReturn SysAllocString_(@buf())
EndProcedure
Procedure.s bstr2string(bstr)
  ; Copy a NUL-terminated UTF-16 buffer into a PureBasic string.
  ; Only the terminator is honoured (the BSTR length prefix is never read),
  ; so any wide-char pointer may be passed; the tracer uses it on raw MOF data.
  out.s=""
  cur=bstr
  Repeat
    code=PeekW(cur)
    If code=0
      Break
    EndIf
    out=out+Chr(code)
    cur=cur+2
  ForEver
  ProcedureReturn out
EndProcedure
;_______________affichage IID_____________________________
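Procedure guid(piid)
  ; Print the GUID pointed to by piid in "{xxxxxxxx-xxxx-...}" form to the debugger.
  ; StringFromGUID2 needs room for 39 WCHARs (38 characters plus the NUL).
  chars=40
  wide=AllocateMemory(chars*2)
  If wide
    ; Fix: the third argument is a count of WCHARs, not bytes. Passing the byte
    ; size (100) told the API the buffer was twice as large as it really was.
    If StringFromGUID2_(piid,wide,chars)
      Debug "GUID="+bstr2string(wide)
    EndIf
    FreeMemory(wide)
  EndIf
EndProcedure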
;___________Structures et constantes__________________________________
; ETW constants (evntrace.h / wmistr.h). Note that several distinct flags share
; the same bit value but belong to different fields:
#WNODE_FLAG_TRACED_GUID=$20000        ; Wnode\flags: the block describes a trace session
#EVENT_TRACE_FILE_MODE_CIRCULAR=2     ; logfilemode (unused here)
#EVENT_TRACE_CONTROL_STOP=1           ; ControlTrace control code (unused in this listing)
#EVENT_TRACE_REAL_TIME_MODE=$100      ; logfilemode: deliver events to a consumer, no log file
#KERNEL_LOGGER_NAME="NT Kernel Logger"
#EVENT_TRACE_FLAG_DISK_IO=256         ; enableflags bit ($100); same value as REAL_TIME_MODE but for enableflags only
#EVENT_TRACE_FLAG_REGISTRY=$20000     ; enableflags bit; same value as WNODE_FLAG_TRACED_GUID but for enableflags only
; SystemTraceControlGuid = 9e814aad-3204-11d2-9a82-006008a86939, the control GUID
; of the NT Kernel Logger; copied into wnode\guid before StartTrace.
SystemTraceControlGuid.GUID
SystemTraceControlGuid\data1=$9e814aad
SystemTraceControlGuid\data2=$3204
SystemTraceControlGuid\data3=$11d2
SystemTraceControlGuid\data4[0]=$9a
SystemTraceControlGuid\data4[1]=$82
SystemTraceControlGuid\data4[2]=$00
SystemTraceControlGuid\data4[3]=$60
SystemTraceControlGuid\data4[4]=$08
SystemTraceControlGuid\data4[5]=$a8
SystemTraceControlGuid\data4[6]=$69
SystemTraceControlGuid\data4[7]=$39
; Mirrors the SDK WNODE_HEADER (wmistr.h). StartTrace reads it as raw memory,
; so field order and sizes must match the 32-bit SDK layout exactly.
Structure WNODE_HEADER
buffersize.l                     ; size of the whole properties block including the name areas
providerid.l
historicalcontext.LARGE_INTEGER
timestamp.LARGE_INTEGER
guid.GUID                        ; session control GUID (SystemTraceControlGuid for the kernel logger)
clientcontext.l
flags.l                          ; WNODE_FLAG_* bits
EndStructure
; Mirrors the SDK EVENT_TRACE_PROPERTIES (evntrace.h) up to loggernameoffset.
; The block must be allocated larger than the structure: the logger and log
; file names live after it, at the offsets stored in the two *offset fields.
Structure EVENT_TRACE_PROPERTIES
wnode.WNODE_HEADER
buffersize.l              ; size of one trace buffer, in KB
minbuffers.l
maxbuffers.l
maxfilesize.l
logfilemode.l             ; EVENT_TRACE_*_MODE bits
flushtimer.l
enableflags.l             ; EVENT_TRACE_FLAG_* bits selecting the kernel event classes
agelimit.l
numberofbuffers.l         ; fields from here to loggerthreadid are filled in by the system
freebuffers.l
eventslost.l
bufferswritten.l
logbufferslost.l
realtimebufferslost.l
loggerthreadid.l
logfilenameoffset.l       ; byte offset of the log file name from the start of the block
loggernameoffset.l        ; byte offset of the session name from the start of the block
loggername.s              ; not part of the SDK struct: PureBasic string fields are pointers and only
logfilename.s             ; enlarge SizeOf(), which the main code uses as the start of the name areas
EndStructure
; Mirrors the SDK EVENT_TRACE_HEADER (evntrace.h); the union fields of the SDK
; struct are flattened to their most useful member.
Structure EVENT_TRACE_HEADER
size.w
fieldtypeflags.w
type.b                    ; event opcode; callback() matches registry events on this byte
level.b
version.w
threadid.l
processid.l               ; process that caused the event
timestamp.LARGE_INTEGER
StructureUnion
guid.GUID                 ; event class GUID
pguid.LARGE_INTEGER
EndStructureUnion
kerneltime.l
usertime.l
EndStructure
; Mirrors the SDK EVENT_TRACE (evntrace.h): what ProcessTrace hands to the
; event callback.
Structure EVENT_TRACE
header.EVENT_TRACE_HEADER
instanceid.l
parentinstanceid.l
parentguid.GUID
mofdata.l                 ; pointer to the event payload; callback() peeks fixed offsets into it
moflength.l               ; byte length of that payload
clientcontext.l
test.l[2]                 ; 8 trailing bytes; presumably the SDK's trailing Flags/BufferContext words — confirm
EndStructure
; Mirrors the SDK TRACE_LOGFILE_HEADER (evntrace.h). Filled in by the system
; inside EVENT_TRACE_LOGFILE; nothing in this listing reads it directly.
Structure TRACE_LOGFILE_HEADER
buffersize.l
version.l
providerversion.l
nbprocessors.l
endtime.LARGE_INTEGER
timerresolution.l
maxfilesize.l
logfilemode.l
bufferswritten.l
loginstanceguid.GUID
loggername.l
logfilename.l
timezone.TIME_ZONE_INFORMATION
boottime.LARGE_INTEGER
perffreq.LARGE_INTEGER
starttime.LARGE_INTEGER
reservedflags.l
bufferslost.l
EndStructure
; Mirrors the SDK EVENT_TRACE_LOGFILE (evntrace.h): the consumer description
; passed to OpenTrace. The main code fills loggername, logfilemode and the two
; callback pointers; the rest is written by the system.
Structure EVENT_TRACE_LOGFILE
logfilename.l             ; pointer to an ANSI log file name, 0 for a real-time session
loggername.l              ; pointer to the ANSI session name
currenttime.LARGE_INTEGER
buffersread.l
logfilemode.l             ; EVENT_TRACE_REAL_TIME_MODE to consume a live session
currentevent.EVENT_TRACE
logfileheader.TRACE_LOGFILE_HEADER
buffercallback.l          ; @buffercallback(), called once per delivered buffer
buffersize.l
filled.l
eventslost.l              ; events dropped by the session; reported by buffercallback()
eventcallback.l           ; @callback(), called once per event
iskerneltrace.l
context.l
EndStructure
;________________Callbacks__________________________
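Procedure buffercallback(*buffer.event_trace_logfile)
  ; Buffer callback handed to ProcessTrace: invoked after each buffer is
  ; delivered. Reports events the session dropped and returns 1 so that
  ; processing continues (returning 0 would make ProcessTrace stop).
  ; The former "count+1" was removed: without a Global declaration, count is a
  ; procedure-local variable here, so the increment was discarded on return.
  lost=*buffer\eventslost
  If lost
    Debug "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    Debug Str(lost)+" events lost"
    Debug "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  EndIf
  ProcedureReturn 1
EndProcedure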
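Procedure callback(*pevent.event_trace)
  ; Event callback handed to ProcessTrace. Only the registry opcodes the post
  ; cares about are decoded: 10 = EVENT_TRACE_TYPE_REGCREATE,
  ; 12 = EVENT_TRACE_TYPE_REGDELETE, 14 = EVENT_TRACE_TYPE_REGSETVALUE.
  ; The payload (mofdata/moflength) is read at fixed offsets:
  ; status @0, key handle @4, elapsed time @8, index @16, key name (UTF-16) @20.
  ; NOTE(review): that layout is OS-version dependent — confirm it on the target.
  ; The former "count+1" was removed: count is procedure-local here (no Global),
  ; so the increment had no effect.
  evtype=*pevent\header\type
  If evtype=14 Or evtype=10 Or evtype=12
    mof=*pevent\mofdata
    fin=mof+*pevent\moflength
    ; Fix: make sure the fixed fields actually fit in the payload before peeking.
    If *pevent\moflength>=20
      hkey=PeekL(mof+4)
      ; NOTE(review): hkey is presumably a kernel-side key object reference, not a
      ; user-mode HKEY, which would explain RegOpenKey failing with "invalid handle".
      Debug "hkey="+Hex(hkey)
      Debug "type="+Str(evtype)
      ; Fix: the name used to be scanned until the first NUL with no upper bound;
      ; the read is now confined to the moflength bytes of the payload.
      nom.s=""
      pos=mof+20
      While pos+1<fin And PeekW(pos)
        nom=nom+Chr(PeekW(pos))
        pos=pos+2
      Wend
      Debug "nom="+nom
      Debug "processid="+Str(*pevent\header\processid)
      Debug "index="+Str(PeekL(mof+16))
      Debug "status="+Str(PeekL(mof))
    EndIf
  EndIf
EndProcedure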
;___________________Lancement du traceur____________
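trace.EVENT_TRACE_PROPERTIES
; The properties block is followed by two 1 KiB areas holding the logger name
; and the log file name; the two *offset fields point into that tail.
size=SizeOf(EVENT_TRACE_PROPERTIES)+2*1024
mem=AllocateMemory(size)
RtlZeroMemory_(mem,size)
trace\loggernameoffset=SizeOf(EVENT_TRACE_PROPERTIES)
trace\logfilenameoffset=SizeOf(EVENT_TRACE_PROPERTIES)+1024
trace\enableflags=#EVENT_TRACE_FLAG_REGISTRY     ; only registry events are wanted
trace\wnode\buffersize=size
; Fix: #EVENT_TRACE_FLAG_DISK_IO is an enableflags bit, not a WNODE flag; it was
; being OR-ed into wnode\flags by mistake.
trace\wnode\flags=#WNODE_FLAG_TRACED_GUID
trace\logfilemode=#EVENT_TRACE_REAL_TIME_MODE    ; live consumer, no log file (was set twice before)
trace\buffersize=40                              ; KB per buffer
trace\maxbuffers=1000
trace\minbuffers=3
trace\agelimit=0
trace\flushtimer=0
trace\maxfilesize=0
CopyMemory(@SystemTraceControlGuid,@trace\wnode\guid,SizeOf(GUID))
CopyMemory(@trace,mem,SizeOf(EVENT_TRACE_PROPERTIES))
logger.s=#KERNEL_LOGGER_NAME
PokeS(mem+trace\loggernameoffset,logger)
OpenLibrary(0,"advapi32.dll")
; Fix: StartTrace writes a 64-bit TRACEHANDLE through its first argument. The
; untyped (32-bit) variable used before was overrun by four bytes.
handle.LARGE_INTEGER
r=CallFunction(0,"StartTraceA",@handle,@logger,mem)
Debug "erreur starttrace="+Str(r)   ; nonzero means the session was not started
FreeMemory(mem)
log.EVENT_TRACE_LOGFILE
RtlZeroMemory_(@log,SizeOf(EVENT_TRACE_LOGFILE))
log\logfilemode=#EVENT_TRACE_REAL_TIME_MODE
log\loggername=@logger
log\logfilename=0
log\buffercallback=@buffercallback()
log\eventcallback=@callback()
a.LARGE_INTEGER
; CallFunction() only returns the low 32 bits of OpenTrace's 64-bit handle;
; a\highpart stays 0. NOTE(review): confirm this is sufficient on the target OS.
a\lowpart=CallFunction(0,"OpenTraceA",@log)
; ProcessTrace blocks in real-time mode until the session is stopped (by the
; separate ControlTrace snippet) or buffercallback() returns 0.
Debug "erreur processtrace="+Str(CallFunction(0,"ProcessTrace",@a,1,0,0))
r=CallFunction(0,"CloseTrace",a\lowpart,a\highpart)
Debug "erreur closetrace="+Str(r)
CloseLibrary(0)   ; release advapi32 (was never closed before)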
DataSection
; RegistryGuid, the event-class GUID of the kernel registry events.
; Not referenced by the code above (events arrive through the kernel logger);
; kept for filtering on currentevent\header\guid if needed.
registryguid:
;ae53722e-c863-11d2-8659-00c04fa321a1
Data.l $ae53722e
Data.w $c863, $11d2
Data.b $86, $59, $00, $c0, $4f, $a3, $21, $a1
EndDataSection
;__________________Privilèges_____________________
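Procedure privilege(pid)
  ; Enable a fixed list of privileges on the token of process pid.
  ; Returns 1 when every AdjustTokenPrivileges call was accepted, 0 if the
  ; process or its token could not be opened or one call failed. A privilege
  ; the account does not hold is not enabled (ERROR_NOT_ALL_ASSIGNED) but does
  ; not make the call fail, so 1 does not mean every privilege is active.
  ; NOTE(review): the list enables far more than a kernel logger needs
  ; (SeDebug, SeTcb, SeLoadDriver, ...). Trimming it to what the tracer really
  ; requires is the least-privilege follow-up; left unchanged to keep the contract.
  ; $400 = PROCESS_QUERY_INFORMATION, all that OpenProcessToken needs; the
  ; previous PROCESS_ALL_ACCESS request was unnecessary.
  ph=OpenProcess_($400,1,pid)
  If ph=0
    ProcedureReturn 0
  EndIf
  ; $20 = TOKEN_ADJUST_PRIVILEGES (no PreviousState is requested below).
  If OpenProcessToken_(ph,$20,@h)=0
    CloseHandle_(ph)
    ProcedureReturn 0
  EndIf
  Dim p.s(29)
  p(0)="SeAssignPrimaryTokenPrivilege"
  p(1)="SeAuditPrivilege"
  p(2)="SeBackupPrivilege"
  p(3)="SeChangeNotifyPrivilege"
  p(4)="SeCreateGlobalPrivilege"
  p(5)="SeCreatePagefilePrivilege"
  p(6)="SeCreatePermanentPrivilege"
  p(7)="SeCreateTokenPrivilege"
  p(8)="SeDebugPrivilege"
  p(9)="SeEnableDelegationPrivilege"
  p(10)="SeImpersonatePrivilege"
  p(11)="SeIncreaseBasePriorityPrivilege"
  p(12)="SeIncreaseQuotaPrivilege"
  p(13)="SeLoadDriverPrivilege"
  p(14)="SeLockMemoryPrivilege"
  p(15)="SeMachineAccountPrivilege"
  p(16)="SeManageVolumePrivilege"
  p(17)="SeProfileSingleProcessPrivilege"
  p(18)="SeRemoteShutdownPrivilege"
  p(19)="SeRestorePrivilege"
  p(20)="SeSecurityPrivilege"
  p(21)="SeShutdownPrivilege"
  p(22)="SeSyncAgentPrivilege"
  ; Fix: was "SeSystemEnvironment", a name LookupPrivilegeValue does not know.
  p(23)="SeSystemEnvironmentPrivilege"
  p(24)="SeSystemProfilePrivilege"
  p(25)="SeSystemtimePrivilege"
  p(26)="SeTakeOwnershipPrivilege"
  p(27)="SeTcbPrivilege"
  p(28)="SeUndockPrivilege"
  p(29)="SeUnsolicitedInputPrivilege"
  ; LUID / LUID_AND_ATTRIBUTES / TOKEN_PRIVILEGES with a single entry.
  Structure LI
    low.l
    high.l
  EndStructure
  Structure luidandattributes
    pluid.LI
    attrib.l
  EndStructure
  Structure privileges
    count.l
    privilege.luidandattributes
  EndStructure
  shut.LI
  result=1
  For i=0 To 29
    ; Fix: a name the system rejects used to leave the previous iteration's LUID
    ; in shut, which was then re-submitted. Unknown names are now reported and skipped.
    If LookupPrivilegeValue_(0,@p(i),@shut)
      newprivilege.privileges
      newprivilege\count=1
      newprivilege\privilege\attrib=2     ; SE_PRIVILEGE_ENABLED
      newprivilege\privilege\pluid\low=shut\low
      newprivilege\privilege\pluid\high=shut\high
      If AdjustTokenPrivileges_(h,0,newprivilege,SizeOf(privileges),0,0)=0
        result=0
      ElseIf GetLastError_()=1300         ; ERROR_NOT_ALL_ASSIGNED: not held by this account
        Debug "privilège non détenu : "+p(i)
      EndIf
    Else
      Debug "privilège inconnu : "+p(i)
    EndIf
  Next i
  ; Handles were leaked before.
  CloseHandle_(h)
  CloseHandle_(ph)
  ProcedureReturn result
EndProcedure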
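; Exercise the tracer: write value "Test" under HKLM itself ten times, 30 ms apart.
For i=1 To 10
  ; #KEY_WRITE is all RegSetValueEx needs; the former #KEY_ALL_ACCESS request
  ; asked for rights (owner, DAC, ...) the loop never uses.
  If RegCreateKeyEx_(#HKEY_LOCAL_MACHINE, "", 0, 0, #REG_OPTION_NON_VOLATILE, #KEY_WRITE, 0, @NewKey, @KeyInfo) = #ERROR_SUCCESS
    StringBuffer.s =Chr(65+i)
    ; Fix: a failed write used to go unnoticed; report it like the tracer reports its errors.
    r=RegSetValueEx_(NewKey, "Test", 0, #REG_SZ,@StringBuffer, Len(StringBuffer)+1)
    If r<>#ERROR_SUCCESS
      Debug "erreur regsetvalueex="+Str(r)
    EndIf
    RegCloseKey_(NewKey)
    Delay(30)
  EndIf
Next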
;E101A248
; Mirrors the SDK WNODE_HEADER (wmistr.h). ControlTrace reads it as raw memory,
; so field order and sizes must match the 32-bit SDK layout exactly.
Structure WNODE_HEADER
buffersize.l                     ; size of the whole properties block including the name areas
providerid.l
historicalcontext.LARGE_INTEGER
timestamp.LARGE_INTEGER
guid.GUID                        ; session control GUID
clientcontext.l
flags.l                          ; WNODE_FLAG_* bits
EndStructure
; Mirrors the SDK EVENT_TRACE_PROPERTIES (evntrace.h) up to loggernameoffset.
; The block is allocated larger than the structure: the logger and log file
; names live after it, at the offsets stored in the two *offset fields.
Structure EVENT_TRACE_PROPERTIES
wnode.WNODE_HEADER
buffersize.l              ; size of one trace buffer, in KB
minbuffers.l
maxbuffers.l
maxfilesize.l
logfilemode.l             ; EVENT_TRACE_*_MODE bits
flushtimer.l
enableflags.l             ; EVENT_TRACE_FLAG_* bits
agelimit.l
numberofbuffers.l         ; fields from here to loggerthreadid are filled in by the system
freebuffers.l
eventslost.l
bufferswritten.l
logbufferslost.l
realtimebufferslost.l
loggerthreadid.l
logfilenameoffset.l       ; byte offset of the log file name from the start of the block
loggernameoffset.l        ; byte offset of the session name from the start of the block
loggername.s              ; not part of the SDK struct: PureBasic string fields are pointers and only
logfilename.s             ; enlarge SizeOf(), which the code below uses as the start of the name areas
EndStructure
; ETW constants (evntrace.h / wmistr.h); same set as in the tracer listing.
#WNODE_FLAG_TRACED_GUID=$20000        ; Wnode\flags: the block describes a trace session
#EVENT_TRACE_FILE_MODE_CIRCULAR=2     ; logfilemode (unused here)
#EVENT_TRACE_CONTROL_STOP=1           ; ControlTrace control code used to stop the kernel logger
#EVENT_TRACE_REAL_TIME_MODE=$100      ; logfilemode: live session, no log file
#KERNEL_LOGGER_NAME="NT Kernel Logger"
#EVENT_TRACE_FLAG_DISK_IO=256         ; enableflags bit (unused here)
#EVENT_TRACE_FLAG_REGISTRY=$20000     ; enableflags bit (unused here)
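; Stop the running NT Kernel Logger session (run from a second process while
; the tracer is blocked in ProcessTrace). The properties block is laid out
; exactly as for StartTrace. NOTE(review): SystemTraceControlGuid is referenced
; below but not defined in this snippet — it must be filled in as in the tracer.
trace.EVENT_TRACE_PROPERTIES
size=SizeOf(EVENT_TRACE_PROPERTIES)+2*1024
mem=AllocateMemory(size)
RtlZeroMemory_(mem,size)
trace\loggernameoffset=SizeOf(EVENT_TRACE_PROPERTIES)
trace\logfilenameoffset=SizeOf(EVENT_TRACE_PROPERTIES)+1024
trace\wnode\buffersize=size
trace\wnode\flags=#WNODE_FLAG_TRACED_GUID
CopyMemory(@SystemTraceControlGuid,@trace\wnode\guid,SizeOf(GUID))
trace\logfilemode=#EVENT_TRACE_REAL_TIME_MODE
CopyMemory(@trace,mem,SizeOf(EVENT_TRACE_PROPERTIES))
PokeS(mem+trace\loggernameoffset,#KERNEL_LOGGER_NAME)
If OpenLibrary(0,"advapi32.dll")
  ; The first two arguments are the low and high halves of a 64-bit TRACEHANDLE
  ; (0 here: the session is addressed by name). The control code was the magic
  ; number 1 and the return value was discarded before.
  r=CallFunction(0,"ControlTraceA",0,0,#KERNEL_LOGGER_NAME,mem,#EVENT_TRACE_CONTROL_STOP)
  Debug "erreur controltrace="+Str(r)
  CloseLibrary(0)
Else
  Debug "advapi32.dll introuvable"
EndIf
FreeMemory(mem)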