Table de registre
Publié : jeu. 12/août/2004 12:48
J'ai essayé les fonctions de traçage (win XP ou 2k).
Ça marche, mais j'ai un petit problème.
Le programme qui suit "trace" les modifications de registre.
On récupère un "keyhandle", et un nom.
Quand keyhandle=0, le nom est complet, sinon, il est tronqué.
Le nom est visiblement le chemin à partir de la clé définie par keyhandle.
Mais pas moyen d'ouvrir cette clé : erreur "invalid handle".
Les valeurs sont toujours les mêmes. Le système doit, à mon avis, posséder une table de clés de registre prédéfinies plus importante que les quelques usuelles (HKLM,...).
Qui arrive à retrouver le chemin complet de la clé? (Grand jeu concours !!)
Le traceur (squelette)
et un programme de test à lancer ensuite : il modifie le registre, puis ferme le traceur :
Ça marche, mais j'ai un petit problème.
Le programme qui suit "trace" les modifications de registre.
On récupère un "keyhandle", et un nom.
Quand keyhandle=0, le nom est complet, sinon, il est tronqué.
Le nom est visiblement le chemin à partir de la clé définie par keyhandle.
Mais pas moyen d'ouvrir cette clé : erreur "invalid handle".
Les valeurs sont toujours les mêmes. Le système doit, à mon avis, posséder une table de clés de registre prédéfinies plus importante que les quelques usuelles (HKLM,...).
Qui arrive à retrouver le chemin complet de la clé? (Grand jeu concours !!)
Le traceur (squelette)
#process_all_access=$1F0FFF ; PROCESS_ALL_ACCESS; privilege() below repeats the same literal instead of using this constant
Declare privilege(pid) ; forward declaration: the body is at the end of the listing
privilege(GetCurrentProcessId_()) ; enables a long list of token privileges on this process before the trace is started; the result is not checked
; ___________ Conversions de chaînes _________________________
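Procedure.l ansi2bstr(ansi.s)
  ; Convert an ANSI string into a freshly allocated BSTR (UTF-16, null-terminated).
  ; ansi : source string in the current ANSI code page (#CP_ACP).
  ; Returns the BSTR pointer; the caller owns it and releases it with SysFreeString_().
  ; Both MultiByteToWideChar_ calls pass -1 (length including the terminator), so the
  ; terminator is converted explicitly instead of relying on the array being zeroed
  ; (the original sized the buffer with -1 but converted only Len(ansi) characters).
  wide.l=MultiByteToWideChar_(#CP_ACP,0,ansi,-1,0,0)
  Dim unicode.w(wide)
  MultiByteToWideChar_(#CP_ACP,0,ansi,-1,unicode(),wide)
  ProcedureReturn SysAllocString_(@unicode())
EndProcedure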
Procedure.s bstr2string(bstr)
  ; Read a null-terminated wide (UTF-16) string at bstr and return it as a
  ; PureBasic string, one 16-bit unit at a time via Chr().
  ; bstr : address of the first wide character; the string must be terminated.
  text.s=""
  cursor=bstr
  Repeat
    code=PeekW(cursor)
    If code=0
      Break
    EndIf
    text=text+Chr(code)
    cursor=cursor+2
  ForEver
  ProcedureReturn text
EndProcedure
;_______________affichage IID_____________________________
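Procedure guid(piid)
  ; Print the textual form of a GUID to the debug output ("GUID={...}").
  ; piid : pointer to a GUID structure.
  ; StringFromGUID2_() takes the buffer capacity in wide characters, so the value
  ; passed must be the byte size divided by two; the original passed the byte count
  ; (100) for a 100-byte buffer, overstating the capacity by a factor of two.
  ; 64 wide characters (128 bytes) is more than the 39 a GUID string needs.
  mem=AllocateMemory(128)
  If mem
    If StringFromGUID2_(piid,mem,64)
      Debug "GUID="+bstr2string(mem)
    EndIf
    FreeMemory(mem)
  EndIf
EndProcedure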
;___________Structures et constantes__________________________________
#WNODE_FLAG_TRACED_GUID=$20000 ; wnode\flags value marking an event tracing session
#EVENT_TRACE_FILE_MODE_CIRCULAR=2 ; not used by this listing
#EVENT_TRACE_CONTROL_STOP=1 ; ControlTrace control code: stop the session
#EVENT_TRACE_REAL_TIME_MODE=$100 ; deliver events to the callbacks in real time (no log file)
#KERNEL_LOGGER_NAME="NT Kernel Logger" ; session name of the kernel logger; the code below repeats the literal instead of using it
#EVENT_TRACE_FLAG_DISK_IO=256 ; = $100; an enableflags value (disk I/O events), not requested in enableflags by this listing
#EVENT_TRACE_FLAG_REGISTRY=$20000 ; enableflags value: registry events
; SystemTraceControlGuid {9e814aad-3204-11d2-9a82-006008a86939}: the kernel logger's
; control GUID, copied into wnode\guid before StartTrace is called.
SystemTraceControlGuid.GUID
SystemTraceControlGuid\data1=$9e814aad
SystemTraceControlGuid\data2=$3204
SystemTraceControlGuid\data3=$11d2
SystemTraceControlGuid\data4[0]=$9a
SystemTraceControlGuid\data4[1]=$82
SystemTraceControlGuid\data4[2]=$00
SystemTraceControlGuid\data4[3]=$60
SystemTraceControlGuid\data4[4]=$08
SystemTraceControlGuid\data4[5]=$a8
SystemTraceControlGuid\data4[6]=$69
SystemTraceControlGuid\data4[7]=$39
; WNODE_HEADER: header that starts every EVENT_TRACE_PROPERTIES block.
; Only buffersize, guid and flags are filled in by this listing.
Structure WNODE_HEADER
buffersize.l ; total size of the properties block including the name buffers that follow it
providerid.l
historicalcontext.LARGE_INTEGER
timestamp.LARGE_INTEGER
guid.GUID ; control GUID of the session (SystemTraceControlGuid for the kernel logger)
clientcontext.l
flags.l ; #WNODE_FLAG_TRACED_GUID
EndStructure
; EVENT_TRACE_PROPERTIES: session configuration passed to StartTrace/ControlTrace.
; The logger name and log file name are not members; they live in a buffer placed
; after the structure, at the byte offsets stored in loggernameoffset/logfilenameoffset.
Structure EVENT_TRACE_PROPERTIES
wnode.WNODE_HEADER
buffersize.l ; size of each trace buffer (the code below sets 40)
minbuffers.l
maxbuffers.l
maxfilesize.l
logfilemode.l ; #EVENT_TRACE_REAL_TIME_MODE in this listing
flushtimer.l
enableflags.l ; kernel event classes to record (#EVENT_TRACE_FLAG_REGISTRY here)
agelimit.l
numberofbuffers.l ; the remaining counters are filled in by the system
freebuffers.l
eventslost.l
bufferswritten.l
logbufferslost.l
realtimebufferslost.l
loggerthreadid.l
logfilenameoffset.l ; byte offset of the log file name from the start of the block
loggernameoffset.l ; byte offset of the session name from the start of the block
; NOTE(review): the two string fields below do not appear in the Win32 layout; they only
; enlarge SizeOf() by 8 bytes. That is harmless here because the name offsets are computed
; from SizeOf() and the names are written past the structure -- keep the offsets that way.
loggername.s
logfilename.s
EndStructure
; EVENT_TRACE_HEADER: fixed header at the start of every event delivered to callback().
Structure EVENT_TRACE_HEADER
size.w
fieldtypeflags.w
type.b ; event type within the class; callback() filters on 10, 12 and 14
level.b
version.w
threadid.l
processid.l ; process that caused the event, printed by callback()
timestamp.LARGE_INTEGER
StructureUnion
guid.GUID ; event class GUID ...
pguid.LARGE_INTEGER ; ... or a pointer to it, depending on fieldtypeflags
EndStructureUnion
kerneltime.l
usertime.l
EndStructure
; EVENT_TRACE: one event as handed to callback(); the variable payload is reached
; through mofdata/moflength, not stored inline.
Structure EVENT_TRACE
header.EVENT_TRACE_HEADER
instanceid.l
parentinstanceid.l
parentguid.GUID
mofdata.l ; pointer to the event payload; callback() reads it at fixed offsets
moflength.l ; length of that payload in bytes (not checked by callback() before reading)
clientcontext.l
; NOTE(review): no documented member here. It appears to be padding so that the members
; of EVENT_TRACE_LOGFILE that follow currentevent land at the Win32 offsets (PureBasic
; does not align the LARGE_INTEGER members the compiler pads) -- confirm before removing.
test.l[2]
EndStructure
; TRACE_LOGFILE_HEADER: description of the session filled in by OpenTrace;
; embedded in EVENT_TRACE_LOGFILE. Nothing in this listing reads its members.
Structure TRACE_LOGFILE_HEADER
buffersize.l
version.l
providerversion.l
nbprocessors.l
endtime.LARGE_INTEGER
timerresolution.l
maxfilesize.l
logfilemode.l
bufferswritten.l
loginstanceguid.GUID
loggername.l ; pointer to the session name
logfilename.l ; pointer to the log file name
timezone.TIME_ZONE_INFORMATION
; NOTE(review): in the Win32 layout the members from boottime on are 8-byte aligned after
; TIME_ZONE_INFORMATION; here they are packed, so their offsets differ from the system's.
; Harmless as long as they stay unread, which is the case in this listing.
boottime.LARGE_INTEGER
perffreq.LARGE_INTEGER
starttime.LARGE_INTEGER
reservedflags.l
bufferslost.l
EndStructure
; EVENT_TRACE_LOGFILE: argument of OpenTrace. The listing fills in logfilemode,
; loggername, logfilename and the two callback pointers; the system fills the rest.
; The offsets of buffercallback and eventcallback must match the Win32 layout, so
; the sizes of the two embedded structures above matter.
Structure EVENT_TRACE_LOGFILE
logfilename.l ; pointer to a log file name, 0 for a real-time session
loggername.l ; pointer to the session name
currenttime.LARGE_INTEGER
buffersread.l
logfilemode.l ; #EVENT_TRACE_REAL_TIME_MODE here
currentevent.EVENT_TRACE
logfileheader.TRACE_LOGFILE_HEADER
buffercallback.l ; address of buffercallback(), called once per delivered buffer
buffersize.l
filled.l
eventslost.l ; read by buffercallback() to report lost events
eventcallback.l ; address of callback(), called once per event
iskerneltrace.l
context.l
EndStructure
;________________Callbacks__________________________
Procedure buffercallback(*buffer.event_trace_logfile)
  ; Invoked by ProcessTrace after each buffer is delivered. Reports the number of
  ; events the session dropped, if any, and returns 1 so processing continues.
  ; *buffer : the EVENT_TRACE_LOGFILE describing the buffer just delivered.
  count+1 ; procedure-local here (no Global), so the counter does not survive the call
  lost=*buffer\eventslost
  If lost<>0
    banner.s="!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    Debug banner
    Debug Str(lost)+" events lost"
    Debug banner
  EndIf
  ProcedureReturn 1
EndProcedure
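Procedure callback(*pevent.event_trace)
  ; Invoked by ProcessTrace for every event of the session. Only header types
  ; 10, 12 and 14 (registry create / delete / set-value) are printed.
  ; The MOF payload is read at fixed offsets: status at +0, key handle at +4,
  ; index at +16 and the key name as a wide string at +20. This is the layout the
  ; author observed on XP/2000 -- confirm against the MOF class before reusing it.
  ; *pevent : the event; its payload is at *pevent\mofdata, *pevent\moflength bytes long.
  count+1
  evtype=*pevent\header\type
  If evtype=14 Or evtype=10 Or evtype=12
    ; The payload length is checked before any fixed-offset read, so a short
    ; event cannot make us read past the end of its data (the original read
    ; the name until a terminator with no bound at all).
    If *pevent\moflength>20
      hkey=PeekL(*pevent\mofdata+4)
      ; NOTE(review): hkey is whatever the kernel logged for the key object, not a
      ; user-mode HKEY; that is consistent with RegOpenKey failing on it ("invalid
      ; handle" in the post), so it should not be passed to registry APIs.
      Debug "hkey="+Hex(hkey)
      Debug "type="+Str(evtype)
      ; Key name: wide string bounded by both its terminator and moflength.
      nom.s=""
      pos=*pevent\mofdata+20
      fin=*pevent\mofdata+*pevent\moflength
      Repeat
        If pos+1>=fin
          Break
        EndIf
        code=PeekW(pos)
        If code=0
          Break
        EndIf
        nom=nom+Chr(code)
        pos=pos+2
      ForEver
      Debug "nom="+nom
      Debug "processid="+Str(*pevent\header\processid)
      Debug "index="+Str(PeekL(*pevent\mofdata+16))
      Debug "status="+Str(PeekL(*pevent\mofdata))
    EndIf
  EndIf
EndProcedure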
;___________________Lancement du traceur____________
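; Start the kernel logger for registry events and pump them through the callbacks.
; ProcessTrace blocks until the session is stopped (by the stop program further down).
trace.EVENT_TRACE_PROPERTIES
; The properties block is followed by two 1 KB buffers for the session name and the
; log file name; their offsets are relative to the start of the block.
size=SizeOf(EVENT_TRACE_PROPERTIES)+2*1024
mem=AllocateMemory(size)
RtlZeroMemory_(mem,size)
trace\loggernameoffset=SizeOf(EVENT_TRACE_PROPERTIES)
trace\logfilenameoffset=SizeOf(EVENT_TRACE_PROPERTIES)+1024
trace\enableflags=#EVENT_TRACE_FLAG_REGISTRY ; only registry events
trace\wnode\buffersize=size
; Only #WNODE_FLAG_TRACED_GUID belongs in wnode\flags. The original also OR-ed in
; #EVENT_TRACE_FLAG_DISK_IO, which is an enableflags value, not a WNODE flag.
trace\wnode\flags=#WNODE_FLAG_TRACED_GUID
trace\logfilemode=#EVENT_TRACE_REAL_TIME_MODE ; events go to the callbacks, no log file
trace\buffersize=40
trace\maxbuffers=1000
trace\minbuffers=3
trace\agelimit=0
trace\flushtimer=0
trace\maxfilesize=0
CopyMemory(@SystemTraceControlGuid,@trace\wnode\guid,SizeOf(GUID))
CopyMemory(@trace,mem,SizeOf(EVENT_TRACE_PROPERTIES))
PokeS(mem+trace\loggernameoffset,#KERNEL_LOGGER_NAME)
OpenLibrary(0,"advapi32.dll")
logger.s=#KERNEL_LOGGER_NAME
; StartTraceA writes a 64-bit TRACEHANDLE through its first argument. The original
; passed the address of an undeclared 4-byte long, which the call overruns by 4 bytes;
; an 8-byte LARGE_INTEGER receives it safely.
handle.LARGE_INTEGER
r=CallFunction(0,"StartTraceA",@handle,@logger,mem)
Debug "erreur starttrace="+Str(r)
FreeMemory(mem)
log.EVENT_TRACE_LOGFILE
RtlZeroMemory_(@log,SizeOf(EVENT_TRACE_LOGFILE))
log\logfilemode=#EVENT_TRACE_REAL_TIME_MODE
log\loggername=@logger
log\logfilename=0
log\buffercallback=@buffercallback()
log\eventcallback=@callback()
; OpenTraceA also returns a 64-bit TRACEHANDLE; CallFunction() only hands back the
; low dword, so a\highpart stays 0. NOTE(review): worked for the author on XP/2000;
; confirm the high dword is really 0 before relying on this elsewhere.
a.LARGE_INTEGER
a\lowpart=CallFunction(0,"OpenTraceA",@log)
Debug "erreur processtrace="+Str(CallFunction(0,"ProcessTrace",@a,1,0,0))
r=CallFunction(0,"CloseTrace",a\lowpart,a\highpart)
Debug "erreur closetrace="+Str(r)
CloseLibrary(0) ; the original never released advapi32.dll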
; Event class GUID of the kernel registry events {ae53722e-c863-11d2-8659-00c04fa321a1},
; laid out as a raw GUID. Nothing in this listing references registryguid: it is
; material for filtering on *pevent\header\guid in callback(), which is not done here.
DataSection
registryguid:
;ae53722e-c863-11d2-8659-00c04fa321a1
Data.l $ae53722e
Data.w $c863, $11d2
Data.b $86, $59, $00, $c0, $4f, $a3, $21, $a1
EndDataSection
;__________________Privilèges_____________________
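Procedure privilege(pid)
  ; Try to enable a fixed list of 30 privileges on the primary token of process pid.
  ; pid : process id (the listing passes GetCurrentProcessId_()).
  ; Returns 1 only if every privilege in the list was looked up and actually enabled,
  ; 0 otherwise. Enabling the whole list is far more than a trace session needs; this
  ; listing does not establish which single privilege StartTrace requires.
  ; Changes from the original: "SeSystemEnvironment" was missing its "Privilege"
  ; suffix; a failed lookup no longer re-enables the previous LUID; the process and
  ; token handles are closed; PROCESS_QUERY_INFORMATION ($400) replaces
  ; PROCESS_ALL_ACCESS, as it is all OpenProcessToken_ needs.
  Dim p.s(29)
  p(0)="SeAssignPrimaryTokenPrivilege"
  p(1)="SeAuditPrivilege"
  p(2)="SeBackupPrivilege"
  p(3)="SeChangeNotifyPrivilege"
  p(4)="SeCreateGlobalPrivilege"
  p(5)="SeCreatePagefilePrivilege"
  p(6)="SeCreatePermanentPrivilege"
  p(7)="SeCreateTokenPrivilege"
  p(8)="SeDebugPrivilege"
  p(9)="SeEnableDelegationPrivilege"
  p(10)="SeImpersonatePrivilege"
  p(11)="SeIncreaseBasePriorityPrivilege"
  p(12)="SeIncreaseQuotaPrivilege"
  p(13)="SeLoadDriverPrivilege"
  p(14)="SeLockMemoryPrivilege"
  p(15)="SeMachineAccountPrivilege"
  p(16)="SeManageVolumePrivilege"
  p(17)="SeProfileSingleProcessPrivilege"
  p(18)="SeRemoteShutdownPrivilege"
  p(19)="SeRestorePrivilege"
  p(20)="SeSecurityPrivilege"
  p(21)="SeShutdownPrivilege"
  p(22)="SeSyncAgentPrivilege"
  p(23)="SeSystemEnvironmentPrivilege"
  p(24)="SeSystemProfilePrivilege"
  p(25)="SeSystemtimePrivilege"
  p(26)="SeTakeOwnershipPrivilege"
  p(27)="SeTcbPrivilege"
  p(28)="SeUndockPrivilege"
  p(29)="SeUnsolicitedInputPrivilege"
  ; Hand-rolled LUID / LUID_AND_ATTRIBUTES / TOKEN_PRIVILEGES with one entry.
  Structure LI
    low.l
    high.l
  EndStructure
  Structure luidandattributes
    pluid.LI
    attrib.l
  EndStructure
  Structure privileges
    count.l
    privilege.luidandattributes
  EndStructure
  ph=OpenProcess_($400,1,pid)
  If ph=0
    ProcedureReturn 0
  EndIf
  h.l=0
  If OpenProcessToken_(ph,$20,@h)=0 ; TOKEN_ADJUST_PRIVILEGES
    CloseHandle_(ph)
    ProcedureReturn 0
  EndIf
  shut.LI
  newprivilege.privileges
  result=1
  For i=0 To 29
    If LookupPrivilegeValue_(0,@p(i),@shut)
      newprivilege\count=1
      newprivilege\privilege\attrib=2 ; SE_PRIVILEGE_ENABLED
      newprivilege\privilege\pluid\low=shut\low
      newprivilege\privilege\pluid\high=shut\high
      ; AdjustTokenPrivileges_ returns success even when the privilege is not held
      ; by the token; that case is reported through GetLastError_() as
      ; ERROR_NOT_ALL_ASSIGNED (1300), so both are checked.
      ok=AdjustTokenPrivileges_(h,0,newprivilege,SizeOf(privileges),0,0)
      If ok=0 Or GetLastError_()=1300
        result=0
      EndIf
    Else
      result=0
    EndIf
  Next i
  CloseHandle_(h)
  CloseHandle_(ph)
  ProcedureReturn result
EndProcedure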
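; Test driver: write the value "Test" ten times, with a short pause, so the tracer
; above has registry events to report.
; NOTE(review): with "" as the sub-key the value lands directly under HKEY_LOCAL_MACHINE
; and is never removed; a dedicated test sub-key, deleted afterwards, would be cleaner.
For i=1 To 10
  ; #KEY_SET_VALUE is the only right RegSetValueEx_ needs; the original asked for
  ; #KEY_ALL_ACCESS, far more than the test uses.
  If RegCreateKeyEx_(#HKEY_LOCAL_MACHINE, "", 0, 0, #REG_OPTION_NON_VOLATILE, #KEY_SET_VALUE, 0, @NewKey, @KeyInfo) = #ERROR_SUCCESS
    StringBuffer.s=Chr(65+i) ; "B".."K", one byte plus terminator
    RegSetValueEx_(NewKey, "Test", 0, #REG_SZ, @StringBuffer, Len(StringBuffer)+1)
    RegCloseKey_(NewKey)
    Delay(30)
  EndIf
Next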
;E101A248
; Stop program: same WNODE_HEADER as in the tracer (this is a separate executable).
Structure WNODE_HEADER
buffersize.l ; total size of the properties block including the name buffers
providerid.l
historicalcontext.LARGE_INTEGER
timestamp.LARGE_INTEGER
guid.GUID ; control GUID of the session to stop
clientcontext.l
flags.l ; #WNODE_FLAG_TRACED_GUID
EndStructure
; Same EVENT_TRACE_PROPERTIES as in the tracer; ControlTrace writes the session's
; current values back into it when stopping.
Structure EVENT_TRACE_PROPERTIES
wnode.WNODE_HEADER
buffersize.l
minbuffers.l
maxbuffers.l
maxfilesize.l
logfilemode.l
flushtimer.l
enableflags.l
agelimit.l
numberofbuffers.l
freebuffers.l
eventslost.l
bufferswritten.l
logbufferslost.l
realtimebufferslost.l
loggerthreadid.l
logfilenameoffset.l ; byte offset of the log file name from the start of the block
loggernameoffset.l ; byte offset of the session name from the start of the block
; NOTE(review): not Win32 members; they only add 8 bytes to SizeOf(), after which the
; name buffers are placed -- harmless while the offsets are computed from SizeOf().
loggername.s
logfilename.s
EndStructure
#WNODE_FLAG_TRACED_GUID=$20000 ; wnode\flags value marking an event tracing session
#EVENT_TRACE_FILE_MODE_CIRCULAR=2 ; unused here
#EVENT_TRACE_CONTROL_STOP=1 ; ControlTrace control code: stop the session (the call below passes a bare 1)
#EVENT_TRACE_REAL_TIME_MODE=$100
#KERNEL_LOGGER_NAME="NT Kernel Logger" ; the call below repeats the literal instead of using it
#EVENT_TRACE_FLAG_DISK_IO=256 ; unused here
#EVENT_TRACE_FLAG_REGISTRY=$20000 ; unused here
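; Stop the "NT Kernel Logger" session started by the tracer; its ProcessTrace call
; returns once the session is stopped.
; SystemTraceControlGuid is not declared anywhere in this listing (PureBasic would
; silently create a 4-byte long for it and CopyMemory would read 12 bytes past it),
; so it is initialised here with the tracer's value, 9e814aad-3204-11d2-9a82-006008a86939.
SystemTraceControlGuid.GUID
SystemTraceControlGuid\data1=$9e814aad
SystemTraceControlGuid\data2=$3204
SystemTraceControlGuid\data3=$11d2
SystemTraceControlGuid\data4[0]=$9a
SystemTraceControlGuid\data4[1]=$82
SystemTraceControlGuid\data4[2]=$00
SystemTraceControlGuid\data4[3]=$60
SystemTraceControlGuid\data4[4]=$08
SystemTraceControlGuid\data4[5]=$a8
SystemTraceControlGuid\data4[6]=$69
SystemTraceControlGuid\data4[7]=$39
trace.EVENT_TRACE_PROPERTIES
size=SizeOf(EVENT_TRACE_PROPERTIES)+2*1024
mem=AllocateMemory(size)
RtlZeroMemory_(mem,size)
trace\loggernameoffset=SizeOf(EVENT_TRACE_PROPERTIES)
trace\logfilenameoffset=SizeOf(EVENT_TRACE_PROPERTIES)+1024
trace\wnode\buffersize=size
trace\wnode\flags=#WNODE_FLAG_TRACED_GUID
CopyMemory(@SystemTraceControlGuid,@trace\wnode\guid,SizeOf(GUID))
trace\logfilemode=#EVENT_TRACE_REAL_TIME_MODE
CopyMemory(@trace,mem,SizeOf(EVENT_TRACE_PROPERTIES))
PokeS(mem+trace\loggernameoffset,#KERNEL_LOGGER_NAME)
OpenLibrary(0,"advapi32.dll")
; ControlTraceA(SessionHandle, InstanceName, Properties, ControlCode): the 64-bit
; session handle is passed as two dwords (0,0) because the session is addressed by
; name; the control code uses the named constant instead of a bare 1, and the
; return code is shown so a failed stop is visible.
r=CallFunction(0,"ControlTraceA",0,0,#KERNEL_LOGGER_NAME,mem,#EVENT_TRACE_CONTROL_STOP)
Debug "erreur controltrace="+Str(r)
FreeMemory(mem)
CloseLibrary(0)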