From ad5977461118256633b356af5a4c645953dd4bc8 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Wed, 3 Jan 2024 15:35:11 +0000
Subject: [PATCH 1/4] Adding hook trace
---
capemon.filters | 3 +
capemon.vcxproj | 1 +
capemon.vcxproj.filters | 3 +
hook_trace.c | 537 ++++++++++++++++++++++++++++++++++++++++
hook_trace.h | 378 ++++++++++++++++++++++++++++
hooks.c | 27 ++
hooks.h | 165 +++++++++++-
7 files changed, 1113 insertions(+), 1 deletion(-)
create mode 100644 hook_trace.c
create mode 100644 hook_trace.h
diff --git a/capemon.filters b/capemon.filters
index 51c15ff6..78e711c3 100644
--- a/capemon.filters
+++ b/capemon.filters
@@ -42,6 +42,9 @@
Source Files
+
+ Source Files
+
Source Files
diff --git a/capemon.vcxproj b/capemon.vcxproj
index 63389542..10f6548a 100644
--- a/capemon.vcxproj
+++ b/capemon.vcxproj
@@ -260,6 +260,7 @@
+
diff --git a/capemon.vcxproj.filters b/capemon.vcxproj.filters
index b0e351fe..eab98311 100644
--- a/capemon.vcxproj.filters
+++ b/capemon.vcxproj.filters
@@ -42,6 +42,9 @@
Source Files
+
+ Source Files
+
Source Files
diff --git a/hook_trace.c b/hook_trace.c
new file mode 100644
index 00000000..74d8df7e
--- /dev/null
+++ b/hook_trace.c
@@ -0,0 +1,537 @@
+#include
+#include
+#include "hooking.h"
+#include "log.h"
+#include "CAPE\CAPE.h"
+#include "hook_trace.h"
+
+#define DEBUG_COMMENTS
+
+#define IMAX_BITS(m) ((m)/((m)%255+1) / 255%255*8 + 7-86/((m)%255+12))
+#define LOG2_10_N 28
+#define LOG2_10_D 93
+#define UNSIGNED_LONG_STRING_SIZE (IMAX_BITS(ULONG_MAX)*LOG2_10_N/LOG2_10_D + 2)
+#define GUID_SIZE 68
+
+#define G32 "%8" SCNx32
+#define G16 "%4" SCNx16
+#define G8 "%2" SCNx8
+
+extern void DebugOutput(_In_ LPCTSTR lpOutputString, ...);
+
+void string_to_sid(PISID pSid,LPWSTR *pstr) {
+ DWORD sz, i;
+ LPWSTR str;
+ WCHAR fmt[] = {
+ 'S','-','%','u','-','%','2','X','%','2','X','%','X','%','X','%','X','%','X',0 };
+ WCHAR subauthfmt[] = { '-','%','u',0 };
+
+ sz = 14 + pSid->SubAuthorityCount * 11;
+ str = malloc(sz*sizeof(WCHAR) );
+ sprintf( str, fmt, pSid->Revision,
+ pSid->IdentifierAuthority.Value[2],
+ pSid->IdentifierAuthority.Value[3],
+ pSid->IdentifierAuthority.Value[0]&0x0f,
+ pSid->IdentifierAuthority.Value[4]&0x0f,
+ pSid->IdentifierAuthority.Value[1]&0x0f,
+ pSid->IdentifierAuthority.Value[5]&0x0f);
+ for( i=0; iSubAuthorityCount; i++ )
+ sprintf( str + strlen(str), subauthfmt, pSid->SubAuthority[i] );
+ *pstr = str;
+ return TRUE;
+}
+
+void string_to_guid(char * s,GUID guid) {
+ snprintf(s,GUID_SIZE + 1,"%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX",
+ guid.Data1, guid.Data2, guid.Data3,
+ guid.Data4[0], guid.Data4[1], guid.Data4[2], guid.Data4[3],
+ guid.Data4[4], guid.Data4[5], guid.Data4[6], guid.Data4[7]);
+}
+
+HOOKDEF(ULONG, WINAPI, CloseTrace,
+ _In_ TRACEHANDLE TraceHandle
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked CloseTrace\n");
+ ULONG ret = Old_CloseTrace(TraceHandle);
+ LOQ_zero("Trace", "i", "TraceHandle", TraceHandle);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, ControlTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties,
+ _In_ ULONG ControlCode
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked ControlTrace\n");
+ char *ControlValues[] = {"FLUSH","QUERY","STOP","UPDATE","INCREMENT_FILE","CONVERT_TO_REALTIME"};
+ char *ControlValue = NULL;
+ ControlValue = malloc(sizeof(char)*UNSIGNED_LONG_STRING_SIZE);
+ ULONG ret = Old_ControlTraceA(TraceHandle,InstanceName,Properties,ControlCode);
+ switch(ControlCode){
+ case EVENT_TRACE_CONTROL_FLUSH:
+ strncpy(ControlValue,ControlValues[0], strlen(ControlValues[0]) + 1);
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_QUERY:
+ strncpy(ControlValue,ControlValues[1], strlen(ControlValues[1]) + 1);
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_STOP:
+ strncpy(ControlValue,ControlValues[2], strlen(ControlValues[2]) + 1);
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_UPDATE:
+ strncpy(ControlValue,ControlValues[3], strlen(ControlValues[3]) + 1);
+ if(Properties->LogFileNameOffset != 0){
+ char *NewLogFileName = NULL;
+ NewLogFileName = malloc(sizeof(char)*1025);
+ strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ LOQ_zero("Trace", "issis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
+ free(NewLogFileName);
+ }
+ else{
+ LOQ_zero("Trace", "issi","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue,"EnableFlags", Properties->EnableFlags);
+ }
+ break;
+ case EVENT_TRACE_CONTROL_INCREMENT_FILE:
+ strncpy(ControlValue,ControlValues[4], strlen(ControlValues[4]) + 1);
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME:
+ strncpy(ControlValue,ControlValues[5], strlen(ControlValues[5]) + 1);
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ default:
+ snprintf(ControlValue,UNSIGNED_LONG_STRING_SIZE,"%lu",ControlCode);
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ }
+ free(ControlValue);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, ControlTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties,
+ _In_ ULONG ControlCode
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked ControlTrace\n");
+ char *ControlValues[] = {"FLUSH","QUERY","STOP","UPDATE","INCREMENT_FILE","CONVERT_TO_REALTIME"};
+ char *ControlValue = NULL;
+ ControlValue = malloc(sizeof(char)*UNSIGNED_LONG_STRING_SIZE);
+ ULONG ret = Old_ControlTraceW(TraceHandle,InstanceName,Properties,ControlCode);
+ switch(ControlCode){
+ case EVENT_TRACE_CONTROL_FLUSH:
+ strncpy(ControlValue,ControlValues[0], strlen(ControlValues[0]) + 1);
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_QUERY:
+ strncpy(ControlValue,ControlValues[1], strlen(ControlValues[1]) + 1);
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_STOP:
+ strncpy(ControlValue,ControlValues[2], strlen(ControlValues[2]) + 1);
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_UPDATE:
+ strncpy(ControlValue,ControlValues[3], strlen(ControlValues[3]) + 1);
+ if(Properties->LogFileNameOffset != 0){
+ char *NewLogFileName = NULL;
+ NewLogFileName = malloc(sizeof(char)*1025);
+ strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ LOQ_zero("Trace", "iusis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
+ free(NewLogFileName);
+ }
+ else{
+ LOQ_zero("Trace", "iusi","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue,"EnableFlags", Properties->EnableFlags);
+ }
+ break;
+ case EVENT_TRACE_CONTROL_INCREMENT_FILE:
+ strncpy(ControlValue,ControlValues[4], strlen(ControlValues[4]) + 1);
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ case EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME:
+ strncpy(ControlValue,ControlValues[5], strlen(ControlValues[5]) + 1);
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ break;
+ default:
+ snprintf(ControlValue,UNSIGNED_LONG_STRING_SIZE,"%lu",ControlCode);
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue );
+ }
+ free(ControlValue);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EnableTrace,
+ _In_ ULONG Enable,
+ _In_ ULONG EnableFlag,
+ _In_ ULONG EnableLevel,
+ _In_ LPCGUID ControlGuid,
+ _In_ TRACEHANDLE SessionHandle
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EnableTrace\n");
+ char *S_ControlGuid = NULL;
+ S_ControlGuid = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_ControlGuid,*ControlGuid);
+ ULONG ret = Old_EnableTrace(Enable,EnableFlag,EnableLevel,ControlGuid,SessionHandle);
+ LOQ_zero("Trace", "iiiis", "Enable", Enable, "EnableFlag", EnableFlag, "EnableLevel", EnableLevel, "TraceHandle", SessionHandle, "ControlGUID", S_ControlGuid);
+ free(S_ControlGuid);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EnableTraceEx,
+ _In_ LPCGUID ProviderId,
+ _In_opt_ LPCGUID SourceId,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ ULONG IsEnabled,
+ _In_ UCHAR Level,
+ _In_ ULONGLONG MatchAnyKeyword,
+ _In_ ULONGLONG MatchAllKeyword,
+ _In_ ULONG EnableProperty,
+ _In_opt_ PEVENT_FILTER_DESCRIPTOR EnableFilterDesc
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EnableTraceEx\n");
+ char *S_ProviderId = NULL;
+ S_ProviderId = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_ProviderId,*ProviderId);
+ char *S_SourceId = NULL;
+ if(SourceId != &GUID_NULL){
+ S_SourceId = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_SourceId,*SourceId);
+ }
+ else {
+ snprintf(S_SourceId, UNSIGNED_LONG_STRING_SIZE, "%s", "NULL");
+ }
+ ULONG ret = Old_EnableTraceEx(ProviderId,SourceId,TraceHandle,IsEnabled,Level,MatchAnyKeyword,MatchAllKeyword,EnableProperty,EnableFilterDesc);
+ LOQ_zero("Trace","ssiiilli", "ProviderId", S_ProviderId, "SourceId", S_SourceId, "TraceHandle", TraceHandle, "Enabled", IsEnabled, "Level", Level,
+ "MatchAnyKeyword", MatchAnyKeyword, "MatchAllKeyword", MatchAllKeyword, "EnableProperty", EnableProperty);
+ free(S_ProviderId);
+ free(S_SourceId);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EnableTraceEx2,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCGUID ProviderId,
+ _In_ ULONG ControlCode,
+ _In_ UCHAR Level,
+ _In_ ULONGLONG MatchAnyKeyword,
+ _In_ ULONGLONG MatchAllKeyword,
+ _In_ ULONG Timeout,
+ _In_opt_ PENABLE_TRACE_PARAMETERS EnableParameters
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EnableTraceEx2\n");
+ char *S_ProviderId = NULL;
+ S_ProviderId = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_ProviderId,*ProviderId);
+ ULONG ret = Old_EnableTraceEx2(TraceHandle,ProviderId,ControlCode,Level,MatchAnyKeyword,MatchAllKeyword,Timeout,EnableParameters);
+ char *ControlValues[] = {"DISABLE","ENABLE","CAPTURE"};
+ char *ControlValue = NULL;
+ ControlValue = malloc(sizeof(char)*UNSIGNED_LONG_STRING_SIZE);
+ switch(ControlCode){
+ case EVENT_CONTROL_CODE_DISABLE_PROVIDER:
+ strncpy(ControlValue,ControlValues[0], strlen(ControlValues[0]) + 1);
+ break;
+ case EVENT_CONTROL_CODE_ENABLE_PROVIDER:
+ strncpy(ControlValue,ControlValues[1], strlen(ControlValues[1]) + 1);
+ break;
+ case EVENT_CONTROL_CODE_CAPTURE_STATE:
+ strncpy(ControlValue,ControlValues[2], strlen(ControlValues[2]) + 1);
+ break;
+ default:
+ snprintf(ControlValue,UNSIGNED_LONG_STRING_SIZE,"%lu",ControlCode);
+ }
+ LOQ_zero("Trace","sisilll", "ProviderId", S_ProviderId, "TraceHandle", TraceHandle, "ControlCode", ControlValue, "Level", Level,
+ "MatchAnyKeyword", MatchAnyKeyword, "MatchAllKeyword", MatchAllKeyword, "Timeout", Timeout);
+ free(ControlValue);
+ return ret;
+}
+
+HOOKDEF(TRACEHANDLE, WINAPI, OpenTraceA,
+ _Inout_ PEVENT_TRACE_LOGFILEA Logfile
+){
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked OpenTrace\n");
+ TRACEHANDLE ret = Old_OpenTraceA(Logfile);
+ LOQ_void("Trace", "ss","LogFileName",Logfile->LogFileName,"LoggerName", Logfile->LoggerName);
+ return ret;
+}
+
+HOOKDEF(TRACEHANDLE, WINAPI, OpenTraceW,
+ _Inout_ PEVENT_TRACE_LOGFILEW Logfile
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked OpenTrace\n");
+ TRACEHANDLE ret = Old_OpenTraceW(Logfile);
+ LOQ_void("Trace", "uu","LogFileName",Logfile->LogFileName,"LoggerName", Logfile->LoggerName);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, QueryAllTracesA,
+ _Out_ PEVENT_TRACE_PROPERTIES* PropertyArray,
+ _In_ ULONG PropertyArrayCount,
+ _Out_ PULONG LoggerCount
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryAllTraces\n");
+ ULONG ret = Old_QueryAllTracesA(PropertyArray,PropertyArrayCount,LoggerCount);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, QueryAllTracesW,
+ _Out_ PEVENT_TRACE_PROPERTIES* PropertyArray,
+ _In_ ULONG PropertyArrayCount,
+ _Out_ PULONG LoggerCount
+){
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryAllTraces\n");
+ ULONG ret = Old_QueryAllTracesW(PropertyArray,PropertyArrayCount,LoggerCount);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, QueryTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryTrace\n");
+ ULONG ret = Old_QueryTraceA(TraceHandle,InstanceName,Properties);
+ LOQ_zero("Trace", "is","TraceHandle", TraceHandle,"InstanceName", InstanceName);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, QueryTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryTrace\n");
+ ULONG ret = Old_QueryTraceW(TraceHandle,InstanceName,Properties);
+ LOQ_zero("Trace", "iu","TraceHandle", TraceHandle,"InstanceName", InstanceName);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, StartTraceA,
+ _Out_ PTRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StartTrace\n");
+ ULONG ret = Old_StartTraceA(TraceHandle,InstanceName,Properties);
+ char *S_GUID = NULL;
+ S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_GUID,Properties->Wnode.Guid);
+ if(ret == ERROR_SUCCESS)
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName, "GUID", S_GUID);
+ else
+ LOQ_zero("Trace", "ss","InstanceName", InstanceName, "GUID", S_GUID);
+ free(S_GUID);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, StartTraceW,
+ _Out_ PTRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StartTrace\n");
+ ULONG ret = Old_StartTraceW(TraceHandle,InstanceName,Properties);
+ char *S_GUID = NULL;
+ S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_GUID,Properties->Wnode.Guid);
+ if(ret == ERROR_SUCCESS)
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName, "GUID", S_GUID);
+ else
+ LOQ_zero("Trace", "us","InstanceName", InstanceName, "GUID", S_GUID);
+ free(S_GUID);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, StopTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Out_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StopTrace\n");
+ ULONG ret = Old_StopTraceA(TraceHandle,InstanceName,Properties);
+ char *S_GUID = NULL;
+ S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_GUID,Properties->Wnode.Guid);
+ if(ret == ERROR_SUCCESS)
+ LOQ_zero("Trace", "iss","TraceHandle", TraceHandle,"InstanceName", InstanceName, "GUID", S_GUID);
+ else
+ LOQ_zero("Trace", "ss","InstanceName", InstanceName, "GUID", S_GUID);
+ free(S_GUID);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, StopTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Out_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StopTrace\n");
+ ULONG ret = Old_StopTraceW(TraceHandle,InstanceName,Properties);
+ char *S_GUID = NULL;
+ S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_GUID,Properties->Wnode.Guid);
+ if(ret == ERROR_SUCCESS)
+ LOQ_zero("Trace", "ius","TraceHandle", TraceHandle,"InstanceName", InstanceName, "GUID", S_GUID);
+ else
+ LOQ_zero("Trace", "us","InstanceName", InstanceName, "GUID", S_GUID);
+ free(S_GUID);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, UpdateTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked UpdateTrace\n");
+ ULONG ret = Old_UpdateTraceA(TraceHandle,InstanceName,Properties);
+ if(Properties->LogFileNameOffset != 0){
+ char *NewLogFileName = NULL;
+ NewLogFileName = malloc(sizeof(char)*1025);
+ strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ LOQ_zero("Trace", "isis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
+ free(NewLogFileName);
+ }
+ else{
+ LOQ_zero("Trace", "isi","TraceHandle", TraceHandle,"InstanceName", InstanceName,"EnableFlags", Properties->EnableFlags);
+ }
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, UpdateTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked UpdateTrace\n");
+ ULONG ret = Old_UpdateTraceW(TraceHandle,InstanceName,Properties);
+ if(Properties->LogFileNameOffset != 0){
+ char *NewLogFileName = NULL;
+ NewLogFileName = malloc(sizeof(char)*1025);
+ strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ LOQ_zero("Trace", "iuis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
+ free(NewLogFileName);
+ }
+ else{
+ LOQ_zero("Trace", "iui","TraceHandle", TraceHandle,"InstanceName", InstanceName,"EnableFlags", Properties->EnableFlags);
+ }
+ return ret;
+}
+
+HOOKDEF(LONG, WINAPI, CveEventWrite,
+ _In_ PCWSTR CveId,
+ _In_opt_ PCWSTR AdditionalDetails
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked CveEventWrite\n");
+ LONG ret = Old_CveEventWrite(CveId,AdditionalDetails);
+ LOQ_zero("Trace", "uu", "CVE", CveId, "AdditionalDetails", AdditionalDetails);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EventAccessControl,
+ _In_ LPGUID Guid,
+ _In_ ULONG Operation,
+ _In_ PSID Sid,
+ _In_ ULONG Rights,
+ _In_ BOOLEAN AllowOrDeny
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventAccessControl\n");
+ ULONG ret = Old_EventAccessControl(Guid,Operation,Sid,Rights,AllowOrDeny);
+ char *S_GUID = NULL;
+ S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_GUID,*Guid);
+ WCHAR *S_SID = NULL;
+ PISID SID_Struct = Sid;
+ S_SID = malloc((14 + SID_Struct->SubAuthorityCount * 11)*sizeof(WCHAR));
+ string_to_sid(Sid,S_SID);
+ LOQ_zero("Trace", "sluli", "GUID", S_GUID, "Operation", Operation, "SID", S_SID, "Rights", Rights, "Allow_OR_Deny", AllowOrDeny);
+ free(S_SID);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EventAccessQuery,
+ _In_ LPGUID Guid,
+ _Inout_ PSECURITY_DESCRIPTOR Buffer,
+ _Inout_ PULONG BufferSize
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventAccessQuery\n");
+ ULONG ret = Old_EventAccessQuery(Guid,Buffer,BufferSize);
+ char *S_GUID = NULL;
+ S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_GUID,*Guid);
+ LOQ_zero("Trace", "s", "GUID", S_GUID);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EventAccessRemove,
+ _In_ LPGUID Guid
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventAccessRemove\n");
+ ULONG ret = Old_EventAccessRemove(Guid);
+ char *S_GUID = NULL;
+ S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_GUID,*Guid);
+ LOQ_zero("Trace", "s", "GUID", S_GUID);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EventRegister,
+ _In_ LPCGUID ProviderId,
+ _In_opt_ PENABLECALLBACK EnableCallback,
+ _In_opt_ PVOID CallbackContext,
+ _Out_ PREGHANDLE RegHandle
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventRegister\n");
+ ULONG ret = Old_EventRegister(ProviderId,EnableCallback,CallbackContext,RegHandle);
+ char *S_ProviderID = NULL;
+ S_ProviderID = malloc(sizeof(char)*(GUID_SIZE+1));
+ string_to_guid(S_ProviderID ,*ProviderId);
+ LOQ_zero("Trace", "s", "ProviderId", S_ProviderID );
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EventSetInformation,
+ _In_ REGHANDLE RegHandle,
+ _In_ EVENT_INFO_CLASS InformationClass,
+ _In_ PVOID EventInformation,
+ _In_ ULONG InformationLength
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventSetInformation\n");
+ ULONG ret = Old_EventSetInformation(RegHandle,InformationClass,EventInformation,InformationLength);
+ char *InformationClasses[] = {"TRACKINFO","RESERVED","SETTRAITS","DESCRIPTORTYPE","INVALID"};
+ char *S_InformationClass = NULL;
+ S_InformationClass = malloc(sizeof(char)*UNSIGNED_LONG_STRING_SIZE);
+ switch(InformationClass){
+ case EventProviderBinaryTrackInfo:
+ strncpy(S_InformationClass,InformationClasses[0], strlen(InformationClasses[0]) + 1);
+ break;
+ case EventProviderSetReserved1:
+ strncpy(S_InformationClass,InformationClasses[1], strlen(InformationClasses[1]) + 1);
+ break;
+ case EventProviderSetTraits:
+ strncpy(S_InformationClass,InformationClasses[2], strlen(InformationClasses[2]) + 1);
+ break;
+ case EventProviderUseDescriptorType:
+ strncpy(S_InformationClass,InformationClasses[3], strlen(InformationClasses[3]) + 1);
+ break;
+ case MaxEventInfo:
+ strncpy(S_InformationClass,InformationClasses[4], strlen(InformationClasses[4]) + 1);
+ break;
+ default:
+ snprintf(S_InformationClass,UNSIGNED_LONG_STRING_SIZE,"%lu",InformationClass);
+ }
+
+ LOQ_zero("Trace", "lsb", "Handle", RegHandle, "Information_Class", InformationClass, "EventInformation", InformationLength, EventInformation);
+ return ret;
+}
+
+HOOKDEF(ULONG, WINAPI, EventUnregister,
+ _In_ REGHANDLE RegHandle
+) {
+ DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventUnregister\n");
+ ULONG ret = Old_EventUnregister(RegHandle);
+ LOQ_zero("Trace", "l", "Handle", RegHandle );
+ return ret;
+}
\ No newline at end of file
diff --git a/hook_trace.h b/hook_trace.h
new file mode 100644
index 00000000..d1cc7ea1
--- /dev/null
+++ b/hook_trace.h
@@ -0,0 +1,378 @@
+#include
+#include
+
+#define EVENT_TRACE_CONTROL_QUERY 0
+#define EVENT_TRACE_CONTROL_STOP 1
+#define EVENT_TRACE_CONTROL_UPDATE 2
+#define EVENT_TRACE_CONTROL_FLUSH 3
+#define EVENT_TRACE_CONTROL_INCREMENT_FILE 4
+#define EVENT_TRACE_CONTROL_CONVERT_TO_REALTIME 5
+
+#define EVENT_CONTROL_CODE_DISABLE_PROVIDER 0
+#define EVENT_CONTROL_CODE_ENABLE_PROVIDER 1
+#define EVENT_CONTROL_CODE_CAPTURE_STATE 2
+
+#ifndef _TRACEHANDLE_DEFINED
+#define _TRACEHANDLE_DEFINED
+typedef ULONG64 TRACEHANDLE, *PTRACEHANDLE;
+#endif
+
+#define PEVENT_TRACE_LOGFILE PEVENT_TRACE_LOGFILEA
+
+typedef struct _EVENT_TRACE_LOGFILEW
+EVENT_TRACE_LOGFILEW, *PEVENT_TRACE_LOGFILEW;
+
+typedef struct _EVENT_TRACE_LOGFILEA
+EVENT_TRACE_LOGFILEA, *PEVENT_TRACE_LOGFILEA;
+
+typedef ULONG(WINAPI * PEVENT_TRACE_BUFFER_CALLBACKW)
+(PEVENT_TRACE_LOGFILEW Logfile);
+
+typedef ULONG(WINAPI * PEVENT_TRACE_BUFFER_CALLBACKA)
+(PEVENT_TRACE_LOGFILEA Logfile);
+
+typedef ULONGLONG REGHANDLE, *PREGHANDLE;
+
+typedef struct _ETW_BUFFER_CONTEXT {
+ union {
+ struct {
+ UCHAR ProcessorNumber;
+ UCHAR Alignment;
+ } DUMMYSTRUCTNAME;
+ USHORT ProcessorIndex;
+ } DUMMYUNIONNAME;
+ USHORT LoggerId;
+} ETW_BUFFER_CONTEXT, *PETW_BUFFER_CONTEXT;
+
+typedef struct _EVENT_DESCRIPTOR {
+
+ USHORT Id;
+ UCHAR Version;
+ UCHAR Channel;
+ UCHAR Level;
+ UCHAR Opcode;
+ USHORT Task;
+ ULONGLONG Keyword;
+
+} EVENT_DESCRIPTOR, *PEVENT_DESCRIPTOR;
+
+typedef struct _EVENT_HEADER {
+
+ USHORT Size; // Event Size
+ USHORT HeaderType; // Header Type
+ USHORT Flags; // Flags
+ USHORT EventProperty; // User given event property
+ ULONG ThreadId; // Thread Id
+ ULONG ProcessId; // Process Id
+ LARGE_INTEGER TimeStamp; // Event Timestamp
+ GUID ProviderId; // Provider Id
+ EVENT_DESCRIPTOR EventDescriptor; // Event Descriptor
+ union {
+ struct {
+ ULONG KernelTime; // Kernel Mode CPU ticks
+ ULONG UserTime; // User mode CPU ticks
+ } DUMMYSTRUCTNAME;
+ ULONG64 ProcessorTime; // Processor Clock
+ // for private session events
+ } DUMMYUNIONNAME;
+ GUID ActivityId; // Activity Id
+
+} EVENT_HEADER, *PEVENT_HEADER;
+
+typedef struct _EVENT_HEADER_EXTENDED_DATA_ITEM {
+
+ USHORT Reserved1; // Reserved for internal use
+ USHORT ExtType; // Extended info type
+ struct {
+ USHORT Linkage : 1; // Indicates additional extended
+ // data item
+ USHORT Reserved2 : 15;
+ };
+ USHORT DataSize; // Size of extended info data
+ ULONGLONG DataPtr; // Pointer to extended info data
+
+} EVENT_HEADER_EXTENDED_DATA_ITEM, *PEVENT_HEADER_EXTENDED_DATA_ITEM;
+
+typedef struct _EVENT_RECORD {
+ EVENT_HEADER EventHeader;
+ ETW_BUFFER_CONTEXT BufferContext;
+ USHORT ExtendedDataCount;
+ USHORT UserDataLength;
+ PEVENT_HEADER_EXTENDED_DATA_ITEM ExtendedData;
+ PVOID UserData;
+ PVOID UserContext;
+} EVENT_RECORD, *PEVENT_RECORD;
+
+typedef struct _EVENT_TRACE_HEADER { // overlays WNODE_HEADER
+ USHORT Size; // Size of entire record
+ union {
+ USHORT FieldTypeFlags; // Indicates valid fields
+ struct {
+ UCHAR HeaderType; // Header type - internal use only
+ UCHAR MarkerFlags; // Marker - internal use only
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+ union {
+ ULONG Version;
+ struct {
+ UCHAR Type; // event type
+ UCHAR Level; // trace instrumentation level
+ USHORT Version; // version of trace record
+ } Class;
+ } DUMMYUNIONNAME2;
+ ULONG ThreadId; // Thread Id
+ ULONG ProcessId; // Process Id
+ LARGE_INTEGER TimeStamp; // time when event happens
+ union {
+ GUID Guid; // Guid that identifies event
+ ULONGLONG GuidPtr; // use with WNODE_FLAG_USE_GUID_PTR
+ } DUMMYUNIONNAME3;
+ union {
+ struct {
+ ULONG KernelTime; // Kernel Mode CPU ticks
+ ULONG UserTime; // User mode CPU ticks
+ } DUMMYSTRUCTNAME;
+ ULONG64 ProcessorTime; // Processor Clock
+ struct {
+ ULONG ClientContext; // Reserved
+ ULONG Flags; // Event Flags
+ } DUMMYSTRUCTNAME2;
+ } DUMMYUNIONNAME4;
+} EVENT_TRACE_HEADER, *PEVENT_TRACE_HEADER;
+
+typedef struct _EVENT_TRACE {
+ EVENT_TRACE_HEADER Header; // Event trace header
+ ULONG InstanceId; // Instance Id of this event
+ ULONG ParentInstanceId; // Parent Instance Id.
+ GUID ParentGuid; // Parent Guid;
+ PVOID MofData; // Pointer to Variable Data
+ ULONG MofLength; // Variable Datablock Length
+ union {
+ ULONG ClientContext;
+ ETW_BUFFER_CONTEXT BufferContext;
+ } DUMMYUNIONNAME;
+} EVENT_TRACE, *PEVENT_TRACE;
+
+typedef VOID(WINAPI *PEVENT_CALLBACK)(PEVENT_TRACE pEvent);
+
+typedef VOID(WINAPI *PEVENT_RECORD_CALLBACK) (PEVENT_RECORD EventRecord);
+
+typedef struct _TRACE_LOGFILE_HEADER {
+ ULONG BufferSize; // Logger buffer size in Kbytes
+ union {
+ ULONG Version; // Logger version
+ struct {
+ UCHAR MajorVersion;
+ UCHAR MinorVersion;
+ UCHAR SubVersion;
+ UCHAR SubMinorVersion;
+ } VersionDetail;
+ } DUMMYUNIONNAME;
+ ULONG ProviderVersion; // defaults to NT version
+ ULONG NumberOfProcessors; // Number of Processors
+ LARGE_INTEGER EndTime; // Time when logger stops
+ ULONG TimerResolution; // assumes timer is constant!!!
+ ULONG MaximumFileSize; // Maximum in Mbytes
+ ULONG LogFileMode; // specify logfile mode
+ ULONG BuffersWritten; // used to file start of Circular File
+ union {
+ GUID LogInstanceGuid; // For RealTime Buffer Delivery
+ struct {
+ ULONG StartBuffers; // Count of buffers written at start.
+ ULONG PointerSize; // Size of pointer type in bits
+ ULONG EventsLost; // Events lost during log session
+ ULONG CpuSpeedInMHz; // Cpu Speed in MHz
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME2;
+#if defined(_WMIKM_)
+ PWCHAR LoggerName;
+ PWCHAR LogFileName;
+ RTL_TIME_ZONE_INFORMATION TimeZone;
+#else
+ LPWSTR LoggerName;
+ LPWSTR LogFileName;
+ TIME_ZONE_INFORMATION TimeZone;
+#endif
+ LARGE_INTEGER BootTime;
+ LARGE_INTEGER PerfFreq; // Reserved
+ LARGE_INTEGER StartTime; // Reserved
+ ULONG ReservedFlags; // ClockType
+ ULONG BuffersLost;
+} TRACE_LOGFILE_HEADER, *PTRACE_LOGFILE_HEADER;
+
+struct _EVENT_TRACE_LOGFILEW {
+ LPWSTR LogFileName; // Logfile Name
+ LPWSTR LoggerName; // LoggerName
+ LONGLONG CurrentTime; // timestamp of last event
+ ULONG BuffersRead; // buffers read to date
+ union {
+ // Mode of the logfile
+ ULONG LogFileMode;
+ // Processing flags used on Vista and above
+ ULONG ProcessTraceMode;
+ } DUMMYUNIONNAME;
+ EVENT_TRACE CurrentEvent; // Current Event from this stream.
+ TRACE_LOGFILE_HEADER LogfileHeader; // logfile header structure
+ PEVENT_TRACE_BUFFER_CALLBACKW // callback before each buffer
+ BufferCallback; // is read
+//
+// following variables are filled for BufferCallback.
+//
+ ULONG BufferSize;
+ ULONG Filled;
+ ULONG EventsLost;
+ //
+ // following needs to be propagated to each buffer
+ //
+ union {
+ // Callback with EVENT_TRACE
+ PEVENT_CALLBACK EventCallback;
+ // Callback with EVENT_RECORD on Vista and above
+ PEVENT_RECORD_CALLBACK EventRecordCallback;
+ } DUMMYUNIONNAME2;
+
+ ULONG IsKernelTrace; // TRUE for kernel logfile
+
+ PVOID Context; // reserved for internal use
+};
+
+struct _EVENT_TRACE_LOGFILEA {
+ LPSTR LogFileName; // Logfile Name
+ LPSTR LoggerName; // LoggerName
+ LONGLONG CurrentTime; // timestamp of last event
+ ULONG BuffersRead; // buffers read to date
+ union {
+ ULONG LogFileMode; // Mode of the logfile
+ ULONG ProcessTraceMode; // Processing flags
+ } DUMMYUNIONNAME;
+ EVENT_TRACE CurrentEvent; // Current Event from this stream
+ TRACE_LOGFILE_HEADER LogfileHeader; // logfile header structure
+ PEVENT_TRACE_BUFFER_CALLBACKA // callback before each buffer
+ BufferCallback; // is read
+
+//
+// following variables are filled for BufferCallback.
+//
+ ULONG BufferSize;
+ ULONG Filled;
+ ULONG EventsLost;
+ //
+ // following needs to be propagated to each buffer
+ //
+ union {
+ PEVENT_CALLBACK EventCallback; // callback for every event
+ PEVENT_RECORD_CALLBACK EventRecordCallback;
+ } DUMMYUNIONNAME2;
+
+
+ ULONG IsKernelTrace; // TRUE for kernel logfile
+
+ PVOID Context; // reserved for internal use
+};
+
+typedef enum _EVENT_INFO_CLASS {
+ EventProviderBinaryTrackInfo, /*
+ Requests that the ETW runtime add the full path to the binary that
+ registered the provider into each trace. The full path is important if
+ if the binary contains the mc.exe-generated decoding resources but is
+ not globally registered. Decoding tools can use the path to locate the
+ binary and extract the decoding resources. */
+ EventProviderSetReserved1, /*
+ Not used. */
+ EventProviderSetTraits, /*
+ Provides the ETW runtime with additional information about the
+ provider, potentially including the provider name and a group GUID.
+ Refer the the MSDN Provider Traits topic for more information about the
+ format of the data to be used with this control code.
+ Setting this trait also configures the ETW runtime to respect the
+ Type field of EVENT_DATA_DESCRIPTOR (by default the Type field is
+ ignored). */
+ EventProviderUseDescriptorType, /*
+ Configures whether the ETW runtime should respect the Type field of the
+ EVENT_DATA_DESCRIPTOR. The data for this control code is a BOOLEAN
+ (1 byte, value FALSE or TRUE). */
+ MaxEventInfo
+} EVENT_INFO_CLASS;
+
+typedef struct _WNODE_HEADER
+{
+ ULONG BufferSize; // Size of entire buffer inclusive of this ULONG
+ ULONG ProviderId; // Provider Id of driver returning this buffer
+ union
+ {
+ ULONG64 HistoricalContext; // Logger use
+ struct
+ {
+ ULONG Version; // Reserved
+ ULONG Linkage; // Linkage field reserved for WMI
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+
+ union
+ {
+ ULONG CountLost; // Reserved
+ HANDLE KernelHandle; // Kernel handle for data block
+ LARGE_INTEGER TimeStamp; // Timestamp as returned in units of 100ns
+ // since 1/1/1601
+ } DUMMYUNIONNAME2;
+ GUID Guid; // Guid for data block returned with results
+ ULONG ClientContext;
+ ULONG Flags; // Flags, see below
+} WNODE_HEADER, *PWNODE_HEADER;
+
+typedef struct _EVENT_FILTER_DESCRIPTOR {
+
+ ULONGLONG Ptr; // Pointer to filter data. Set to (ULONGLONG)(ULONG_PTR)pData.
+ ULONG Size; // Size of filter data in bytes.
+ ULONG Type; // EVENT_FILTER_TYPE value.
+
+} EVENT_FILTER_DESCRIPTOR, *PEVENT_FILTER_DESCRIPTOR;
+
+typedef struct _EVENT_TRACE_PROPERTIES {
+ WNODE_HEADER Wnode;
+ //
+ // data provided by caller
+ ULONG BufferSize; // buffer size for logging (kbytes)
+ ULONG MinimumBuffers; // minimum to preallocate
+ ULONG MaximumBuffers; // maximum buffers allowed
+ ULONG MaximumFileSize; // maximum logfile size (in MBytes)
+ ULONG LogFileMode; // sequential, circular
+ ULONG FlushTimer; // buffer flush timer, in seconds
+ ULONG EnableFlags; // trace enable flags
+ union {
+ LONG AgeLimit; // unused
+ LONG FlushThreshold; // Number of buffers to fill before flushing
+ } DUMMYUNIONNAME;
+
+ // data returned to caller
+ ULONG NumberOfBuffers; // no of buffers in use
+ ULONG FreeBuffers; // no of buffers free
+ ULONG EventsLost; // event records lost
+ ULONG BuffersWritten; // no of buffers written to file
+ ULONG LogBuffersLost; // no of logfile write failures
+ ULONG RealTimeBuffersLost; // no of rt delivery failures
+ HANDLE LoggerThreadId; // thread id of Logger
+ ULONG LogFileNameOffset; // Offset to LogFileName
+ ULONG LoggerNameOffset; // Offset to LoggerName
+} EVENT_TRACE_PROPERTIES, *PEVENT_TRACE_PROPERTIES;
+
+typedef struct _ENABLE_TRACE_PARAMETERS {
+ ULONG Version;
+ ULONG EnableProperty;
+ ULONG ControlFlags;
+ GUID SourceId;
+ PEVENT_FILTER_DESCRIPTOR EnableFilterDesc;
+ ULONG FilterDescCount;
+} ENABLE_TRACE_PARAMETERS, *PENABLE_TRACE_PARAMETERS;
+
+typedef
+VOID
+(NTAPI *PENABLECALLBACK) (
+ _In_ LPCGUID SourceId,
+ _In_ ULONG IsEnabled,
+ _In_ UCHAR Level,
+ _In_ ULONGLONG MatchAnyKeyword,
+ _In_ ULONGLONG MatchAllKeyword,
+ _In_opt_ PEVENT_FILTER_DESCRIPTOR FilterData,
+ _Inout_opt_ PVOID CallbackContext
+ );
\ No newline at end of file
diff --git a/hooks.c b/hooks.c
index 1e2acaf2..1b196e5f 100644
--- a/hooks.c
+++ b/hooks.c
@@ -506,6 +506,33 @@ hook_t full_hooks[] = {
HOOK(advapi32, ControlService),
HOOK(advapi32, DeleteService),
+ // Trace Hooks
+ HOOK(Sechost.dll, CloseTrace),
+ HOOK(Sechost.dll, ControlTraceA),
+ HOOK(Sechost.dll, ControlTraceW),
+ HOOK(Advapi32.dll, EnableTrace),
+ HOOK(Advapi32.dll, EnableTraceEx),
+ HOOK(Sechost.dll, EnableTraceEx2),
+ HOOK(Sechost.dll, OpenTraceA),
+ HOOK(Sechost.dll, OpenTraceW),
+ HOOK(Sechost.dll, QueryAllTracesA),
+ HOOK(Sechost.dll, QueryAllTracesW),
+ HOOK(Advapi32.dll, QueryTraceA),
+ HOOK(Advapi32.dll, QueryTraceW),
+ HOOK(Sechost.dll, StartTraceA),
+ HOOK(Sechost.dll, StartTraceW),
+ HOOK(Sechost.dll, StopTraceA),
+ HOOK(Sechost.dll, StopTraceW),
+ HOOK(Advapi32.dll, UpdateTraceA),
+ HOOK(Advapi32.dll, UpdateTraceW),
+ HOOK(Advapi32.dll, CveEventWrite),
+ HOOK(Sechost.dll, EventAccessControl),
+ HOOK(Advapi32.dll, EventAccessQuery),
+ HOOK(Sechost.dll, EventAccessRemove),
+ HOOK(Advapi32.dll, EventRegister),
+ HOOK(Advapi32.dll, EventSetInformation),
+ HOOK(Advapi32.dll, EventUnregister),
+
// Sleep Hooks
HOOK(ntdll, NtQueryPerformanceCounter),
HOOK(ntdll, NtDelayExecution),
diff --git a/hooks.h b/hooks.h
index 346958ea..ee4931a0 100644
--- a/hooks.h
+++ b/hooks.h
@@ -22,7 +22,7 @@ along with this program. If not, see .
#include "ntapi.h"
#include
#include
-
+#include "hook_trace.h"
//
// File Hooks
//
@@ -3066,6 +3066,169 @@ HOOKDEF(NTSTATUS, WINAPI, BCryptEncrypt,
ULONG dwFlags
);
+//
+// Event Trace Hooks
+//
+
+HOOKDEF(ULONG, WINAPI, CloseTrace,
+ _In_ TRACEHANDLE TraceHandle
+);
+
+HOOKDEF(ULONG, WINAPI, ControlTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties,
+ _In_ ULONG ControlCode
+);
+
+HOOKDEF(ULONG, WINAPI, ControlTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties,
+ _In_ ULONG ControlCode
+);
+
+HOOKDEF(ULONG, WINAPI, EnableTrace,
+ _In_ ULONG Enable,
+ _In_ ULONG EnableFlag,
+ _In_ ULONG EnableLevel,
+ _In_ LPCGUID ControlGuid,
+ _In_ TRACEHANDLE SessionHandle
+);
+
+HOOKDEF(ULONG, WINAPI, EnableTraceEx,
+ _In_ LPCGUID ProviderId,
+ _In_opt_ LPCGUID SourceId,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ ULONG IsEnabled,
+ _In_ UCHAR Level,
+ _In_ ULONGLONG MatchAnyKeyword,
+ _In_ ULONGLONG MatchAllKeyword,
+ _In_ ULONG EnableProperty,
+ _In_opt_ PEVENT_FILTER_DESCRIPTOR EnableFilterDesc
+);
+
+HOOKDEF(ULONG, WINAPI, EnableTraceEx2,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCGUID ProviderId,
+ _In_ ULONG ControlCode,
+ _In_ UCHAR Level,
+ _In_ ULONGLONG MatchAnyKeyword,
+ _In_ ULONGLONG MatchAllKeyword,
+ _In_ ULONG Timeout,
+ _In_opt_ PENABLE_TRACE_PARAMETERS EnableParameters
+);
+
+HOOKDEF(TRACEHANDLE, WINAPI, OpenTraceA,
+ _Inout_ PEVENT_TRACE_LOGFILE Logfile
+);
+
+HOOKDEF(TRACEHANDLE, WINAPI, OpenTraceW,
+ _Inout_ PEVENT_TRACE_LOGFILE Logfile
+);
+
+HOOKDEF(ULONG, WINAPI, QueryAllTracesA,
+ _Out_ PEVENT_TRACE_PROPERTIES* PropertyArray,
+ _In_ ULONG PropertyArrayCount,
+ _Out_ PULONG SessionCount
+);
+
+HOOKDEF(ULONG, WINAPI, QueryAllTracesW,
+ _Out_ PEVENT_TRACE_PROPERTIES* PropertyArray,
+ _In_ ULONG PropertyArrayCount,
+ _Out_ PULONG SessionCount
+);
+
+HOOKDEF(ULONG, WINAPI, QueryTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(ULONG, WINAPI, QueryTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(ULONG, WINAPI, StartTraceA,
+ _Out_ PTRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(ULONG, WINAPI, StartTraceW,
+ _Out_ PTRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(ULONG, WINAPI, StopTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Out_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(ULONG, WINAPI, StopTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Out_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(ULONG, WINAPI, UpdateTraceA,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCTSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(ULONG, WINAPI, UpdateTraceW,
+ _In_ TRACEHANDLE TraceHandle,
+ _In_ LPCWSTR InstanceName,
+ _Inout_ PEVENT_TRACE_PROPERTIES Properties
+);
+
+HOOKDEF(LONG, WINAPI, CveEventWrite,
+ _In_ PCWSTR CveId,
+ _In_opt_ PCWSTR AdditionalDetails
+);
+
+HOOKDEF(ULONG, WINAPI, EventAccessControl,
+ _In_ LPGUID Guid,
+ _In_ ULONG Operation,
+ _In_ PSID Sid,
+ _In_ ULONG Rights,
+ _In_ BOOLEAN AllowOrDeny
+);
+
+HOOKDEF(ULONG, WINAPI, EventAccessQuery,
+ _In_ LPGUID Guid,
+ _Inout_ PSECURITY_DESCRIPTOR Buffer,
+ _Inout_ PULONG BufferSize
+);
+
+HOOKDEF(ULONG, WINAPI, EventAccessRemove,
+ _In_ LPGUID Guid
+);
+
+HOOKDEF(ULONG, WINAPI, EventRegister,
+ _In_ LPCGUID ProviderId,
+ _In_opt_ PENABLECALLBACK EnableCallback,
+ _In_opt_ PVOID CallbackContext,
+ _Out_ PREGHANDLE RegHandle
+);
+
+HOOKDEF(ULONG, WINAPI, EventSetInformation,
+ _In_ REGHANDLE RegHandle,
+ _In_ EVENT_INFO_CLASS InformationClass,
+ _In_ PVOID EventInformation,
+ _In_ ULONG InformationLength
+);
+
+HOOKDEF(ULONG, WINAPI, EventUnregister,
+ _In_ REGHANDLE RegHandle
+);
+
+
//
// Special Hooks
//
From b8588993f272d97a8531f42d881ee35392368d94 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Fri, 15 Mar 2024 16:42:55 +0000
Subject: [PATCH 2/4] Trace hooks: omit extension from hookset
---
hooks.c | 50 +++++++++++++++++++++++++-------------------------
1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/hooks.c b/hooks.c
index e67cc602..a27025b5 100644
--- a/hooks.c
+++ b/hooks.c
@@ -509,31 +509,31 @@ hook_t full_hooks[] = {
HOOK(advapi32, DeleteService),
// Trace Hooks
- HOOK(Sechost.dll, CloseTrace),
- HOOK(Sechost.dll, ControlTraceA),
- HOOK(Sechost.dll, ControlTraceW),
- HOOK(Advapi32.dll, EnableTrace),
- HOOK(Advapi32.dll, EnableTraceEx),
- HOOK(Sechost.dll, EnableTraceEx2),
- HOOK(Sechost.dll, OpenTraceA),
- HOOK(Sechost.dll, OpenTraceW),
- HOOK(Sechost.dll, QueryAllTracesA),
- HOOK(Sechost.dll, QueryAllTracesW),
- HOOK(Advapi32.dll, QueryTraceA),
- HOOK(Advapi32.dll, QueryTraceW),
- HOOK(Sechost.dll, StartTraceA),
- HOOK(Sechost.dll, StartTraceW),
- HOOK(Sechost.dll, StopTraceA),
- HOOK(Sechost.dll, StopTraceW),
- HOOK(Advapi32.dll, UpdateTraceA),
- HOOK(Advapi32.dll, UpdateTraceW),
- HOOK(Advapi32.dll, CveEventWrite),
- HOOK(Sechost.dll, EventAccessControl),
- HOOK(Advapi32.dll, EventAccessQuery),
- HOOK(Sechost.dll, EventAccessRemove),
- HOOK(Advapi32.dll, EventRegister),
- HOOK(Advapi32.dll, EventSetInformation),
- HOOK(Advapi32.dll, EventUnregister),
+ HOOK(sechost, CloseTrace),
+ HOOK(sechost, ControlTraceA),
+ HOOK(sechost, ControlTraceW),
+ HOOK(advapi32, EnableTrace),
+ HOOK(advapi32, EnableTraceEx),
+ HOOK(sechost, EnableTraceEx2),
+ HOOK(sechost, OpenTraceA),
+ HOOK(sechost, OpenTraceW),
+ HOOK(sechost, QueryAllTracesA),
+ HOOK(sechost, QueryAllTracesW),
+ HOOK(advapi32, QueryTraceA),
+ HOOK(advapi32, QueryTraceW),
+ HOOK(sechost, StartTraceA),
+ HOOK(sechost, StartTraceW),
+ HOOK(sechost, StopTraceA),
+ HOOK(sechost, StopTraceW),
+ HOOK(advapi32, UpdateTraceA),
+ HOOK(advapi32, UpdateTraceW),
+ HOOK(advapi32, CveEventWrite),
+ HOOK(sechost, EventAccessControl),
+ HOOK(advapi32, EventAccessQuery),
+ HOOK(sechost, EventAccessRemove),
+ HOOK(advapi32, EventRegister),
+ HOOK(advapi32, EventSetInformation),
+ HOOK(advapi32, EventUnregister),
// Sleep Hooks
HOOK(ntdll, NtQueryPerformanceCounter),
From 3465c3ba60fbbdd54e456be590a11de8f61bb88b Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Thu, 21 Mar 2024 17:12:26 +0000
Subject: [PATCH 3/4] hook_trace.c: remove inappropriate use of DebuggerOutput
from hooks
---
hook_trace.c | 27 +--------------------------
1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/hook_trace.c b/hook_trace.c
index 74d8df7e..32fd091d 100644
--- a/hook_trace.c
+++ b/hook_trace.c
@@ -51,7 +51,6 @@ void string_to_guid(char * s,GUID guid) {
HOOKDEF(ULONG, WINAPI, CloseTrace,
_In_ TRACEHANDLE TraceHandle
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked CloseTrace\n");
ULONG ret = Old_CloseTrace(TraceHandle);
LOQ_zero("Trace", "i", "TraceHandle", TraceHandle);
return ret;
@@ -63,7 +62,6 @@ HOOKDEF(ULONG, WINAPI, ControlTraceA,
_Inout_ PEVENT_TRACE_PROPERTIES Properties,
_In_ ULONG ControlCode
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked ControlTrace\n");
char *ControlValues[] = {"FLUSH","QUERY","STOP","UPDATE","INCREMENT_FILE","CONVERT_TO_REALTIME"};
char *ControlValue = NULL;
ControlValue = malloc(sizeof(char)*UNSIGNED_LONG_STRING_SIZE);
@@ -116,7 +114,6 @@ HOOKDEF(ULONG, WINAPI, ControlTraceW,
_Inout_ PEVENT_TRACE_PROPERTIES Properties,
_In_ ULONG ControlCode
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked ControlTrace\n");
char *ControlValues[] = {"FLUSH","QUERY","STOP","UPDATE","INCREMENT_FILE","CONVERT_TO_REALTIME"};
char *ControlValue = NULL;
ControlValue = malloc(sizeof(char)*UNSIGNED_LONG_STRING_SIZE);
@@ -170,7 +167,6 @@ HOOKDEF(ULONG, WINAPI, EnableTrace,
_In_ LPCGUID ControlGuid,
_In_ TRACEHANDLE SessionHandle
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EnableTrace\n");
char *S_ControlGuid = NULL;
S_ControlGuid = malloc(sizeof(char)*(GUID_SIZE+1));
string_to_guid(S_ControlGuid,*ControlGuid);
@@ -191,7 +187,6 @@ HOOKDEF(ULONG, WINAPI, EnableTraceEx,
_In_ ULONG EnableProperty,
_In_opt_ PEVENT_FILTER_DESCRIPTOR EnableFilterDesc
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EnableTraceEx\n");
char *S_ProviderId = NULL;
S_ProviderId = malloc(sizeof(char)*(GUID_SIZE+1));
string_to_guid(S_ProviderId,*ProviderId);
@@ -221,7 +216,6 @@ HOOKDEF(ULONG, WINAPI, EnableTraceEx2,
_In_ ULONG Timeout,
_In_opt_ PENABLE_TRACE_PARAMETERS EnableParameters
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EnableTraceEx2\n");
char *S_ProviderId = NULL;
S_ProviderId = malloc(sizeof(char)*(GUID_SIZE+1));
string_to_guid(S_ProviderId,*ProviderId);
@@ -251,7 +245,6 @@ HOOKDEF(ULONG, WINAPI, EnableTraceEx2,
HOOKDEF(TRACEHANDLE, WINAPI, OpenTraceA,
_Inout_ PEVENT_TRACE_LOGFILEA Logfile
){
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked OpenTrace\n");
TRACEHANDLE ret = Old_OpenTraceA(Logfile);
LOQ_void("Trace", "ss","LogFileName",Logfile->LogFileName,"LoggerName", Logfile->LoggerName);
return ret;
@@ -260,7 +253,6 @@ HOOKDEF(TRACEHANDLE, WINAPI, OpenTraceA,
HOOKDEF(TRACEHANDLE, WINAPI, OpenTraceW,
_Inout_ PEVENT_TRACE_LOGFILEW Logfile
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked OpenTrace\n");
TRACEHANDLE ret = Old_OpenTraceW(Logfile);
LOQ_void("Trace", "uu","LogFileName",Logfile->LogFileName,"LoggerName", Logfile->LoggerName);
return ret;
@@ -271,7 +263,6 @@ HOOKDEF(ULONG, WINAPI, QueryAllTracesA,
_In_ ULONG PropertyArrayCount,
_Out_ PULONG LoggerCount
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryAllTraces\n");
ULONG ret = Old_QueryAllTracesA(PropertyArray,PropertyArrayCount,LoggerCount);
return ret;
}
@@ -281,7 +272,6 @@ HOOKDEF(ULONG, WINAPI, QueryAllTracesW,
_In_ ULONG PropertyArrayCount,
_Out_ PULONG LoggerCount
){
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryAllTraces\n");
ULONG ret = Old_QueryAllTracesW(PropertyArray,PropertyArrayCount,LoggerCount);
return ret;
}
@@ -291,7 +281,6 @@ HOOKDEF(ULONG, WINAPI, QueryTraceA,
_In_ LPCTSTR InstanceName,
_Inout_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryTrace\n");
ULONG ret = Old_QueryTraceA(TraceHandle,InstanceName,Properties);
LOQ_zero("Trace", "is","TraceHandle", TraceHandle,"InstanceName", InstanceName);
return ret;
@@ -302,7 +291,6 @@ HOOKDEF(ULONG, WINAPI, QueryTraceW,
_In_ LPCWSTR InstanceName,
_Inout_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked QueryTrace\n");
ULONG ret = Old_QueryTraceW(TraceHandle,InstanceName,Properties);
LOQ_zero("Trace", "iu","TraceHandle", TraceHandle,"InstanceName", InstanceName);
return ret;
@@ -313,7 +301,6 @@ HOOKDEF(ULONG, WINAPI, StartTraceA,
_In_ LPCTSTR InstanceName,
_Inout_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StartTrace\n");
ULONG ret = Old_StartTraceA(TraceHandle,InstanceName,Properties);
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -331,7 +318,6 @@ HOOKDEF(ULONG, WINAPI, StartTraceW,
_In_ LPCWSTR InstanceName,
_Inout_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StartTrace\n");
ULONG ret = Old_StartTraceW(TraceHandle,InstanceName,Properties);
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -349,7 +335,6 @@ HOOKDEF(ULONG, WINAPI, StopTraceA,
_In_ LPCTSTR InstanceName,
_Out_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StopTrace\n");
ULONG ret = Old_StopTraceA(TraceHandle,InstanceName,Properties);
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -367,7 +352,6 @@ HOOKDEF(ULONG, WINAPI, StopTraceW,
_In_ LPCWSTR InstanceName,
_Out_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked StopTrace\n");
ULONG ret = Old_StopTraceW(TraceHandle,InstanceName,Properties);
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -385,7 +369,6 @@ HOOKDEF(ULONG, WINAPI, UpdateTraceA,
_In_ LPCTSTR InstanceName,
_Inout_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked UpdateTrace\n");
ULONG ret = Old_UpdateTraceA(TraceHandle,InstanceName,Properties);
if(Properties->LogFileNameOffset != 0){
char *NewLogFileName = NULL;
@@ -405,7 +388,6 @@ HOOKDEF(ULONG, WINAPI, UpdateTraceW,
_In_ LPCWSTR InstanceName,
_Inout_ PEVENT_TRACE_PROPERTIES Properties
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked UpdateTrace\n");
ULONG ret = Old_UpdateTraceW(TraceHandle,InstanceName,Properties);
if(Properties->LogFileNameOffset != 0){
char *NewLogFileName = NULL;
@@ -424,7 +406,6 @@ HOOKDEF(LONG, WINAPI, CveEventWrite,
_In_ PCWSTR CveId,
_In_opt_ PCWSTR AdditionalDetails
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked CveEventWrite\n");
LONG ret = Old_CveEventWrite(CveId,AdditionalDetails);
LOQ_zero("Trace", "uu", "CVE", CveId, "AdditionalDetails", AdditionalDetails);
return ret;
@@ -437,7 +418,6 @@ HOOKDEF(ULONG, WINAPI, EventAccessControl,
_In_ ULONG Rights,
_In_ BOOLEAN AllowOrDeny
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventAccessControl\n");
ULONG ret = Old_EventAccessControl(Guid,Operation,Sid,Rights,AllowOrDeny);
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -456,7 +436,6 @@ HOOKDEF(ULONG, WINAPI, EventAccessQuery,
_Inout_ PSECURITY_DESCRIPTOR Buffer,
_Inout_ PULONG BufferSize
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventAccessQuery\n");
ULONG ret = Old_EventAccessQuery(Guid,Buffer,BufferSize);
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -468,7 +447,6 @@ HOOKDEF(ULONG, WINAPI, EventAccessQuery,
HOOKDEF(ULONG, WINAPI, EventAccessRemove,
_In_ LPGUID Guid
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventAccessRemove\n");
ULONG ret = Old_EventAccessRemove(Guid);
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -483,7 +461,6 @@ HOOKDEF(ULONG, WINAPI, EventRegister,
_In_opt_ PVOID CallbackContext,
_Out_ PREGHANDLE RegHandle
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventRegister\n");
ULONG ret = Old_EventRegister(ProviderId,EnableCallback,CallbackContext,RegHandle);
char *S_ProviderID = NULL;
S_ProviderID = malloc(sizeof(char)*(GUID_SIZE+1));
@@ -498,7 +475,6 @@ HOOKDEF(ULONG, WINAPI, EventSetInformation,
_In_ PVOID EventInformation,
_In_ ULONG InformationLength
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventSetInformation\n");
ULONG ret = Old_EventSetInformation(RegHandle,InformationClass,EventInformation,InformationLength);
char *InformationClasses[] = {"TRACKINFO","RESERVED","SETTRAITS","DESCRIPTORTYPE","INVALID"};
char *S_InformationClass = NULL;
@@ -530,8 +506,7 @@ HOOKDEF(ULONG, WINAPI, EventSetInformation,
HOOKDEF(ULONG, WINAPI, EventUnregister,
_In_ REGHANDLE RegHandle
) {
- DebuggerOutput("[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked EventUnregister\n");
ULONG ret = Old_EventUnregister(RegHandle);
LOQ_zero("Trace", "l", "Handle", RegHandle );
return ret;
-}
\ No newline at end of file
+}
From 4ab562e15a99952f906d443a62fc2737956793bd Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Mon, 27 Jan 2025 19:37:20 +0000
Subject: [PATCH 4/4] Fixing warnings
---
capemon.vcxproj | 2 ++
hook_trace.c | 23 +++++++++++------------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/capemon.vcxproj b/capemon.vcxproj
index 5e00c23b..ec593728 100644
--- a/capemon.vcxproj
+++ b/capemon.vcxproj
@@ -483,6 +483,8 @@
true
false
+ true
+ false
diff --git a/hook_trace.c b/hook_trace.c
index 32fd091d..444f04f8 100644
--- a/hook_trace.c
+++ b/hook_trace.c
@@ -22,13 +22,13 @@ extern void DebugOutput(_In_ LPCTSTR lpOutputString, ...);
void string_to_sid(PISID pSid,LPWSTR *pstr) {
DWORD sz, i;
LPWSTR str;
- WCHAR fmt[] = {
- 'S','-','%','u','-','%','2','X','%','2','X','%','X','%','X','%','X','%','X',0 };
- WCHAR subauthfmt[] = { '-','%','u',0 };
+ //WCHAR fmt[] = {
+ // 'S','-','%','u','-','%','2','X','%','2','X','%','X','%','X','%','X','%','X',0 };
+ //#WCHAR subauthfmt[] = { '-','%','u',0 };
sz = 14 + pSid->SubAuthorityCount * 11;
str = malloc(sz*sizeof(WCHAR) );
- sprintf( str, fmt, pSid->Revision,
+ sprintf((char *)str, "S-%u-%2X%2X%X%X%X%X", pSid->Revision,
pSid->IdentifierAuthority.Value[2],
pSid->IdentifierAuthority.Value[3],
pSid->IdentifierAuthority.Value[0]&0x0f,
@@ -36,9 +36,8 @@ void string_to_sid(PISID pSid,LPWSTR *pstr) {
pSid->IdentifierAuthority.Value[1]&0x0f,
pSid->IdentifierAuthority.Value[5]&0x0f);
for( i=0; iSubAuthorityCount; i++ )
- sprintf( str + strlen(str), subauthfmt, pSid->SubAuthority[i] );
+ sprintf((char *)(str + strlen((const char *)str)), "-%u", pSid->SubAuthority[i] );
*pstr = str;
- return TRUE;
}
void string_to_guid(char * s,GUID guid) {
@@ -84,7 +83,7 @@ HOOKDEF(ULONG, WINAPI, ControlTraceA,
if(Properties->LogFileNameOffset != 0){
char *NewLogFileName = NULL;
NewLogFileName = malloc(sizeof(char)*1025);
- strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ strncpy(NewLogFileName, (void *)(&Properties + Properties->LogFileNameOffset), strlen((const char *)(&Properties + Properties->LogFileNameOffset) + 1));
LOQ_zero("Trace", "issis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
free(NewLogFileName);
}
@@ -136,7 +135,7 @@ HOOKDEF(ULONG, WINAPI, ControlTraceW,
if(Properties->LogFileNameOffset != 0){
char *NewLogFileName = NULL;
NewLogFileName = malloc(sizeof(char)*1025);
- strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ strncpy(NewLogFileName, (void *)(&Properties + Properties->LogFileNameOffset), strlen((const char *)(&Properties + Properties->LogFileNameOffset) + 1));
LOQ_zero("Trace", "iusis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"ControlCode", ControlValue,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
free(NewLogFileName);
}
@@ -373,7 +372,7 @@ HOOKDEF(ULONG, WINAPI, UpdateTraceA,
if(Properties->LogFileNameOffset != 0){
char *NewLogFileName = NULL;
NewLogFileName = malloc(sizeof(char)*1025);
- strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ strncpy(NewLogFileName, (void *)(&Properties + Properties->LogFileNameOffset), strlen((const char *)(&Properties + Properties->LogFileNameOffset) + 1));
LOQ_zero("Trace", "isis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
free(NewLogFileName);
}
@@ -392,7 +391,7 @@ HOOKDEF(ULONG, WINAPI, UpdateTraceW,
if(Properties->LogFileNameOffset != 0){
char *NewLogFileName = NULL;
NewLogFileName = malloc(sizeof(char)*1025);
- strncpy(NewLogFileName, &Properties + Properties->LogFileNameOffset, strlen(&Properties + Properties->LogFileNameOffset) + 1);
+ strncpy(NewLogFileName, (void *)(&Properties + Properties->LogFileNameOffset), strlen((const char *)(&Properties + Properties->LogFileNameOffset) + 1));
LOQ_zero("Trace", "iuis","TraceHandle", TraceHandle,"InstanceName", InstanceName,"EnableFlags", Properties->EnableFlags, "NewLogFileName", NewLogFileName );
free(NewLogFileName);
}
@@ -422,10 +421,10 @@ HOOKDEF(ULONG, WINAPI, EventAccessControl,
char *S_GUID = NULL;
S_GUID = malloc(sizeof(char)*(GUID_SIZE+1));
string_to_guid(S_GUID,*Guid);
- WCHAR *S_SID = NULL;
+ LPWSTR S_SID = NULL;
PISID SID_Struct = Sid;
S_SID = malloc((14 + SID_Struct->SubAuthorityCount * 11)*sizeof(WCHAR));
- string_to_sid(Sid,S_SID);
+ string_to_sid(Sid,&S_SID);
LOQ_zero("Trace", "sluli", "GUID", S_GUID, "Operation", Operation, "SID", S_SID, "Rights", Rights, "Allow_OR_Deny", AllowOrDeny);
free(S_SID);
return ret;