public static Int32 CopyFileExA(
IntPtr lpExistingFileName,
IntPtr lpNewFileName,
IntPtr lpProgressRoutine,
IntPtr lpData,
IntPtr pbCancel,
UInt32 dwCopyFlags)
{
if (DetourBlock.IsDetouring)
{
return OriginalFn(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags);
}
using (var block = new DetourBlock())
{
Int32 copyResult = OriginalFn(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags);
if (copyResult > 0)
{
Remoting.Scribe.DocumentFileCopy(Process.GetCurrentProcess().Id,
Marshal.PtrToStringAnsi(lpExistingFileName), Marshal.PtrToStringAnsi(lpNewFileName));
}
return copyResult;
}
}
public static UInt32 NtReadFile(
IntPtr FileHandle,
IntPtr Event,
IntPtr ApcRoutine,
IntPtr ApcContext,
IntPtr IoStatusBlock,
UInt32 Buffer,
UInt32 Length,
UInt32 ByteOffset,
UInt32 Key)
{
if (DetourBlock.IsDetouring) {
return OriginalFn(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
Buffer, Length, ByteOffset, Key);
}
using (var block = new DetourBlock())
{
var result = OriginalFn(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
Buffer, Length, ByteOffset, Key);
if (result == 0 /* STATUS_SUCCESS */)
{
Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle);
}
return result;
}
}
public static bool CreateProcessW(
IntPtr lpApplicationName,
IntPtr lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
Int32 bInheritHandles,
UInt32 dwCreationFlags,
IntPtr lpEnvironment,
IntPtr lpCurrentDirectory,
IntPtr lpStartupInfo,
IntPtr lpProcessInformation)
{
//
// TODO: This can be removed by specifying the original CreateProcessX function
// via DetourCreateProcessWithDll's last param.
//
if (DetourBlock.IsDetouring)
{
return OriginalFn(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}
using (var block = new DetourBlock())
{
var local_applicationName = Marshal.PtrToStringUni(lpApplicationName);
var local_commandLine = Marshal.PtrToStringUni(lpCommandLine);
var targetExecutable = ((!string.IsNullOrEmpty(local_applicationName)) ? local_applicationName : Helpers.ExtractTargetPath(local_commandLine)).Trim('"');
// skip EXEs which we know like to stick around...
if (ExeBlackList.Any(blacklisted => targetExecutable.EndsWith(blacklisted,StringComparison.CurrentCultureIgnoreCase))) {
return OriginalFn(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}
string detours = Constants.DetoursDllName;
bool bounced;
var result = Detours.DetourCreateProcessWithDllW(lpApplicationName, lpCommandLine,
lpProcessAttributes, lpThreadAttributes, detours, Constants.CoAppTraceHost,
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, local_applicationName, local_commandLine, out bounced);
PROCESS_INFORMATION pi = (PROCESS_INFORMATION) Marshal.PtrToStructure(lpProcessInformation,
typeof (PROCESS_INFORMATION));
if (pi.dwProcessId > 0 && !bounced) {
Debug.Assert(Process.GetCurrentProcess().Id != 0);
Remoting.Scribe.DocumentNewProcess(Process.GetCurrentProcess().Id, (int)pi.dwProcessId, local_commandLine, targetExecutable, Environment.CurrentDirectory);
}
return result;
}
}
public static UInt32 NtCreateFile(
IntPtr FileHandle,
IntPtr DesiredAccess,
IntPtr ObjectAttributes,
IntPtr IoStatusBlock,
IntPtr AllocationSize,
UInt32 FileAttributes,
UInt32 ShareAccess,
UInt32 CreateDisposition,
UInt32 CreateOptions,
IntPtr EaBuffer,
UInt32 EaLength)
{
if (DetourBlock.IsDetouring) {
return OriginalFn(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions,
EaBuffer, EaLength);
}
using (var block = new DetourBlock()) {
var result = OriginalFn(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions,
EaBuffer, EaLength);
var oa = (OBJECT_ATTRIBUTES) Marshal.PtrToStructure(ObjectAttributes, typeof (OBJECT_ATTRIBUTES));
var on = (UNICODE_STRING) Marshal.PtrToStructure(oa.ObjectName, typeof (UNICODE_STRING));
var us = Marshal.PtrToStringUni(on.Buffer, on.Length/2);
var created = false;
switch( CreateDisposition ) {
case 0x00000000: // FILE_SUPERCEDE
case 0x00000002: // FILE_CREATE
case 0x00000004: // FILE_OVERWRITE
case 0x00000005: // FILE_OVERWRITE_IF
created = true;
break;
}
if (result == 0 /* STATUS_SUCCESS */) {
Remoting.Scribe.DocumentFileOpen(Process.GetCurrentProcess().Id, us, Marshal.ReadIntPtr(FileHandle), Environment.CurrentDirectory, created);
}
if ((CreateOptions & 0x00001000) == 0x00001000) {
Remoting.Scribe.DocumentFileDelete(Process.GetCurrentProcess().Id, us, Environment.CurrentDirectory);
}
return result;
}
}
public static bool CreateProcessW(
IntPtr lpApplicationName,
IntPtr lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
Int32 bInheritHandles,
UInt32 dwCreationFlags,
IntPtr lpEnvironment,
IntPtr lpCurrentDirectory,
IntPtr lpStartupInfo,
IntPtr lpProcessInformation)
{
//
// TODO: This can be removed by specifying the original CreateProcessX function
// via DetourCreateProcessWithDll's last param.
//
if (DetourBlock.IsDetouring)
{
return OriginalFn(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}
using (var block = new DetourBlock())
{
string local_applicationName = Marshal.PtrToStringUni(lpApplicationName);
string local_commandLine = Marshal.PtrToStringUni(lpCommandLine);
string detours = Constants.DetoursDllName;
string detoured = Path.Combine(Path.GetDirectoryName(detours), Constants.DetouredDllName);
bool bounced;
var result = Detours.DetourCreateProcessWithDll(lpApplicationName, lpCommandLine,
lpProcessAttributes, lpThreadAttributes, detours, detoured, Constants.CoAppTraceHost,
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, out bounced);
PROCESS_INFORMATION pi = (PROCESS_INFORMATION) Marshal.PtrToStructure(lpProcessInformation,
typeof (PROCESS_INFORMATION));
if (pi.dwProcessId > 0 && !bounced) {
Debug.Assert(Process.GetCurrentProcess().Id != 0);
Remoting.Scribe.DocumentNewProcess(Process.GetCurrentProcess().Id, (int)pi.dwProcessId, local_commandLine, (!string.IsNullOrEmpty(local_applicationName)) ? local_applicationName : Helpers.ExtractTargetPath(local_commandLine), Environment.CurrentDirectory);
}
return result;
}
}
public static UInt32 GetFileAttributesA(IntPtr lpFileName)
{
if (DetourBlock.IsDetouring)
{
return OriginalFn(lpFileName);
}
using (var block = new DetourBlock())
{
UInt32 probeResult = OriginalFn(lpFileName);
if (probeResult != unchecked((UInt32)(-1)) /* INVALID_FILE_ATTRIBUTES */)
{
Remoting.Scribe.DocumentFileProbe(Process.GetCurrentProcess().Id, Marshal.PtrToStringAnsi(lpFileName), Environment.CurrentDirectory);
}
return probeResult;
}
}
public static bool MoveFileExW(IntPtr lpExistingFileName, IntPtr lpNewFileName, UInt32 dwFlags)
{
if (DetourBlock.IsDetouring) {
return OriginalFn(lpExistingFileName, lpNewFileName, dwFlags);
}
using (var block = new DetourBlock())
{
var moveResult = OriginalFn(lpExistingFileName, lpNewFileName, dwFlags);
if (moveResult)
{
Remoting.Scribe.DocumentFileMove(Process.GetCurrentProcess().Id,
Marshal.PtrToStringUni(lpExistingFileName), Marshal.PtrToStringUni(lpNewFileName));
}
return moveResult;
}
}
public static UInt32 GetEnvironmentVariableW(
IntPtr lpName,
IntPtr lpBuffer,
UInt32 nSize)
{
if (DetourBlock.IsDetouring) {
return OriginalFn(lpName, lpBuffer, nSize);
}
using (var block = new DetourBlock()) {
var result = OriginalFn(lpName, lpBuffer, nSize);
if (result != 0) {
var varname = Marshal.PtrToStringUni(lpName);
Remoting.Scribe.DocumentEnvQuery(Process.GetCurrentProcess().Id, varname);
}
return result;
}
}
public static UInt32 GetModuleHandleA(IntPtr lpFileName)
{
if (DetourBlock.IsDetouring || success) {
return OriginalFn(lpFileName);
}
using (var block = new DetourBlock()) {
var mh = Kernel32.GetModuleHandle("msys-1.0.dll");
if( mh.IsInvalid ) {
var argc = Kernel32.GetProcAddress(mh, "__argc");
if( argc != IntPtr.Zero) {
var argv = Kernel32.GetProcAddress(mh, "__argv");
if( argv != IntPtr.Zero ) {
var argc_int= (Int32)Marshal.PtrToStructure(argc, typeof(Int32));
// gets the location of the char**
var argv_IntPtr= (IntPtr)Marshal.PtrToStructure(argv, typeof(IntPtr));
if(argv_IntPtr != IntPtr.Zero ) {
var args = new List<string>();
if (argc_int > 0) {
for (var i = 0; i < argc_int; i++) {
var stringLocation = (IntPtr)Marshal.PtrToStructure(new IntPtr(argv_IntPtr.ToInt32() + IntPtr.Size * i), typeof(IntPtr));
var arg = Marshal.PtrToStringAnsi(stringLocation);
args.Add(arg);
}
if (args.Count > 0) {
Remoting.Scribe.DocumentCommandLine(Process.GetCurrentProcess().Id, args.Aggregate(string.Empty, (current, each) => current + " " + QuoteIfNeeded(each)).Trim());
success = true;
}
}
}
}
}
}
return OriginalFn(lpFileName);
}
}
public static UInt32 WriteFileEx(
IntPtr FileHandle,
IntPtr Buffer,
UInt32 BytesToWrite,
IntPtr Overlapped,
IntPtr OverlappedCompletionRoutine)
{
if (DetourBlock.IsDetouring) {
return OriginalFn(FileHandle, Buffer, BytesToWrite, Overlapped, OverlappedCompletionRoutine);
}
using (var block = new DetourBlock()) {
var result = OriginalFn(FileHandle, Buffer, BytesToWrite, Overlapped, OverlappedCompletionRoutine);
//if (result != 0 || Overlapped != IntPtr.Zero ) {
Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle);
//}
return result;
}
}
public static UInt32 NtDeleteFile(IntPtr ObjectAttributes)
{
if (DetourBlock.IsDetouring)
{
return OriginalFn(ObjectAttributes);
}
using (var block = new DetourBlock())
{
var result = OriginalFn(ObjectAttributes);
var oa = (OBJECT_ATTRIBUTES) Marshal.PtrToStructure(ObjectAttributes, typeof (OBJECT_ATTRIBUTES));
var on = (UNICODE_STRING) Marshal.PtrToStructure(oa.ObjectName, typeof (UNICODE_STRING));
var us = Marshal.PtrToStringUni(on.Buffer, on.Length/2);
// if (result == 0 /* STATUS_SUCCESS */)
Remoting.Scribe.DocumentFileDelete(Process.GetCurrentProcess().Id, us, Environment.CurrentDirectory);
return result;
}
}
public static UInt32 CreateFileMappingW(
IntPtr FileHandle,
IntPtr SecurityAttributes,
UInt32 FlagsProtect,
UInt32 SizeHigh,
UInt32 SizeLow,
IntPtr Name)
{
if (DetourBlock.IsDetouring) {
return OriginalFn(FileHandle, SecurityAttributes, FlagsProtect, SizeHigh, SizeLow, Name);
}
using (var block = new DetourBlock()) {
var result = OriginalFn(FileHandle, SecurityAttributes, FlagsProtect, SizeHigh, SizeLow, Name);
switch (FlagsProtect) {
case 0x02 : // PAGE_READONLY
Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64());
break;
case 0x04 : // PAGE_READWRITE
Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle.ToInt64());
Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64());
break;
case 0x08 : // PAGE_WRITECOPY
Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle.ToInt64());
break;
case 0x20 : // PAGE_EXECUTE_READ
Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64());
break;
case 0x40 : // PAGE_EXECUTE_READWRITE
Remoting.Scribe.DocumentFileWrite(Process.GetCurrentProcess().Id, FileHandle.ToInt64());
Remoting.Scribe.DocumentFileRead(Process.GetCurrentProcess().Id, FileHandle.ToInt64());
break;
}
return result;
}
}
public static UInt32 NtQuerySystemEnvironmentValue(
IntPtr VariableName,
IntPtr Value,
UInt32 ValueBufferLength,
IntPtr RequiredLength)
{
if (DetourBlock.IsDetouring) {
return OriginalFn(VariableName, Value, ValueBufferLength, RequiredLength);
}
using (var block = new DetourBlock()) {
var result = OriginalFn(VariableName, Value, ValueBufferLength, RequiredLength);
if (result == 0 /* STATUS_SUCCESS */) {
var us = (UNICODE_STRING) Marshal.PtrToStructure(VariableName, typeof (UNICODE_STRING));
var varname = Marshal.PtrToStringUni(us.Buffer, us.Length/2);
Remoting.Scribe.DocumentEnvQuery(Process.GetCurrentProcess().Id, varname);
}
return result;
}
}
