注册表的监控 WIN9X

一、WINDOWS9X 部分

        目前有关注册表监控的例子大多依赖 VTOOLSD; 在没有 VTOOLSD 的情况下, 编写此类程序就需要一点汇编知识。
本文没有使用 VTOOLSD (本人也不太喜欢它), 只用 98 DDK 自带的宏和 VMM 服务来完成挂钩。

        监控注册表实际上就是拦截 VMM 导出的如下几个注册表服务 (各服务的具体参数见 DDK 文档):
Begin_Hook_table:
        RegOpenKey
        RegCloseKey
        RegCreateKey
        RegDeleteKey
        RegEnumKey
        RegEnumValue
        RegFlushKey
        RegQueryInfoKey
        RegQueryValue
        RegQueryValueEx
        RegSetValue
        RegSetValueEx
        RegRemapPreDefKey
        RegQueryMultipleValues
        RegCreateDynKey
End_Hook_table:

        微软的 DDK 提供了一套接管 VMM 服务例程的标准宏 (BeginProc/EndProc、Hook_Device_Service 等), 例如接管 RegOpenKey:

1、首先用 BeginProc 的 hook_proc 属性声明接管函数 HookRegOpenKey, 并指定保存原服务地址的变量 RealRegOpenKey:
; HookRegOpenKey -- pass-through hook for the VMM _RegOpenKey service.
; BeginProc attributes:
;   service   -- kept as in the original listing
;   hook_proc -- this is a hook procedure; RealRegOpenKey is the DWORD that
;                holds the previous handler (starthook stores there the value
;                Hook_Device_Service returns in esi)
;   locked    -- code placed in the locked (non-pageable) segment
; Arguments arrive on the stack in C convention: the caller cleans them up,
; so this procedure must not pop them itself.
BeginProc HookRegOpenKey, service, hook_proc, RealRegOpenKey, locked
        ArgVar hkey, DWORD              ; parent key handle
        ArgVar lpszSubKey, DWORD        ; sub-key name
        ArgVar phkResult, DWORD         ; receives the opened key handle

        EnterProc                       ; ebp frame that the ArgVars are addressed from

         ; Forward the call unchanged: push the arguments right-to-left and
         ; call the previous handler; its result comes back in eax.
         ; Monitoring code would go before this call (it must leave eax/flags
         ; and the arguments as they are).
         push dword ptr phkResult ;
         push dword ptr lpszSubKey ;
         push dword ptr hkey  ;= invoke RealRegOpenKey,  hkey, lpszSubKey, phkResult
         call [RealRegOpenKey]  ;
    ;;   add  esp, 12            ; not needed: the three pushed arguments are
                                 ; discarded when LeaveProc tears the frame
                                 ; down (presumably esp is restored from ebp)
  
        LeaveProc
        Return

EndProc HookRegOpenKey

2、用 VMM 服务 Hook_Device_Service 挂接我们的函数 (成功时 esi 返回原来的服务地址, 失败时置进位标志):

        GetVxdServiceOrdinal eax, _RegOpenKey
        mov     esi, OFFSET32 HookRegOpenKey  ; points to the hook procedure to install
        VMMCall Hook_Device_Service
        jc      @F      ;;fail
        mov             RealRegOpenKey, esi     ;for safe
@@:

3、用 VMM 服务 Unhook_Device_Service 卸载我们的函数 (eax、esi 的用法与挂接时相同):
         getvxdserviceordinal eax, _RegOpenKey
         mov     esi, OFFSET32 HookRegOpenKey  ; points to the hook procedure to install
         VMMCall Unhook_Device_Service


一、工程文件 (makefile):
        与标准 VxD 工程没有太多差别, 采用 C 与汇编混合编程; DEF 文件略。

#   Requires:
#       VC++ 5.0 or later
#       Windows 98 DDK
#       VXDWRAPS.CLB (from the Beta-3 DDK or newer) -- only needed when the
#       C code calls wrapper functions such as sprintf.
#
# NMAKE makefile for the RegMon VxD (C + MASM mixed build).  Both compiler
# flag sets carry -DDEBUG and -DDEBLEVEL=1, so this produces a debug VxD;
# remove them for a release build.
#
# NOTE(review): NMAKE inline files ("<<name" ... "<<") each need a closing
# "<<" line.  None is visible after the link response file below (likely
# lost when the page was rendered) -- restore them before building.

DEVICE  = RegMon
OBJS    = devctl.obj regmon.obj hook.obj msg.obj

# C: -Gs no stack probes, -Zp pack structures, -Zl no default-library
# records (the link step uses /NOD), -c compile only.
CVXDFLAGS = -Zdp -Gs -Zp -c -DIS_32 -Zl -DDEBLEVEL=1 -DDEBUG
# MASM: -coff/-DBLD_COFF produce COFF objects for LINK; ML reads extra
# options from the environment variable named by ASMENV (see .asm.obj).
ASM    = ml
AFLAGS = -coff -DBLD_COFF -DIS_32 -nologo -W3 -Zd -c -Cx -DMASM6 -DINITLOG -DDEBLEVEL=1 -DDEBUG
ASMENV = ML

all: $(DEVICE).vxd

# %s is NMAKE's "full name of the first dependent" (regmon.c here).
regmon.obj: regmon.c
        cl $(CVXDFLAGS) %s

# Inference rule for every .asm: pass the flags through the ML variable.
.asm.obj:
    set $(ASMENV)=$(AFLAGS)
    $(ASM) -Fo$*.obj $<

# Debugger symbols, built from the linker map.
$(DEVICE).sym: $(DEVICE).map
    mapsym -s $(DEVICE).map

# The map is a by-product of the link (/MAP below); no command of its own.
$(DEVICE).map: $(DEVICE).vxd

# Link response file and DEF file are given as inline files.
$(DEVICE).vxd: $(OBJS)
    link @<<$(DEVICE).LNK /DEF:<<$(DEVICE).DEF
/VXD /NOD
/OUT:$(DEVICE).vxd
/MAP:$(DEVICE).map
$(OBJS) vxdwraps.clb

二、hook.asm (钩子函数较多, 只列举几个):
;-----------------------------------------------------------------------
; HookRegOpenKey -- pass-through hook for the VMM _RegOpenKey service.
; Stack args (C convention, caller cleans up): hKey, lpszSubKey, phkResult.
; Installed by starthook; RealRegOpenKey holds the previous handler that
; Hook_Device_Service returned in esi.
; Written in the tail-jump form used by HookRegCreateKey: no frame is
; built, the previous handler sees the caller's original stack and returns
; its result in eax straight to the original caller.  Monitoring code would
; be inserted in front of the jmp and must leave the arguments in place.
; locked: the hook lives in the non-pageable code segment.
;-----------------------------------------------------------------------
BeginProc HookRegOpenKey, service, hook_proc, RealRegOpenKey, locked

        jmp     [RealRegOpenKey]        ; chain to the previous handler

EndProc HookRegOpenKey

;-----------------------------------------------------------------------
; HookRegCloseKey -- pass-through hook for the VMM _RegCloseKey service.
; Stack arg (C convention, caller cleans up): hKey.
; Same tail-jump shape as HookRegCreateKey: no frame, the previous handler
; (RealRegCloseKey, saved by starthook) receives the caller's original
; stack and returns its result directly to the caller.
;-----------------------------------------------------------------------
BeginProc HookRegCloseKey, service, hook_proc, RealRegCloseKey, locked

        jmp     [RealRegCloseKey]       ; chain to the previous handler

EndProc HookRegCloseKey

; HookRegCreateKey -- pass-through hook for _RegCreateKey.  Tail-jumps to the
; previous handler saved in RealRegCreateKey (filled in by starthook), so the
; caller's arguments, return address and the service's result are untouched.
; No frame is needed because nothing is inspected here.
BeginProc HookRegCreateKey, service, hook_proc, RealRegCreateKey, locked

        jmp [RealRegCreateKey]          ; chain to the previous handler

EndProc HookRegCreateKey

; HookRegDeleteKey -- pass-through hook for _RegDeleteKey.  Tail-jumps to the
; previous handler saved in RealRegDeleteKey (filled in by starthook); the
; caller's stack and the service's result are left exactly as they are.
BeginProc HookRegDeleteKey, service, hook_proc, RealRegDeleteKey, locked

         jmp [RealRegDeleteKey]         ; chain to the previous handler

EndProc HookRegDeleteKey

 ........
 ........

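;-----------------------------------------------------------------------
; void starthook(void)  -- cdecl, called from regmon.c on CMD_START_HOOK
;
; Installs our hook in front of every registry service in the hook table.
; Per service: eax = service ordinal, esi = our hook procedure, then
; Hook_Device_Service.  On success (CF clear) esi returns the previous
; handler, which is stored in the Real* variable the hook chains to.
; On failure (CF set) the Real* variable is left at 0.
;
; Changes from the listing as published:
;  - USES now lists esi and edi as well.  Under the C calling convention the
;    caller expects ebx, esi, edi (and ebp) to survive, but this procedure
;    writes esi for every hook (the OFFSET32 load and the value returned by
;    Hook_Device_Service), so the original "uses ebx ecx edx" handed a
;    clobbered esi back to the C caller.  ecx/edx stay in the list so any
;    existing asm caller that relied on them is unaffected.
;  - A service is hooked only while its Real* variable is still 0.  Hooking
;    the same procedure a second time would hand back our own hook as the
;    "previous" handler, and the hook would then call itself on the next
;    registry call.  stophook resets the variables to 0 after a successful
;    unhook, so start/stop can be repeated in either order.
; Out: nothing meaningful in eax (the C caller ignores the return value).
;-----------------------------------------------------------------------
starthook proc public C uses ebx esi edi ecx edx
        .if RealRegOpenKey == 0                 ; not yet hooked
                getvxdserviceordinal eax, _RegOpenKey
                mov     esi, OFFSET32 HookRegOpenKey
                VMMCall Hook_Device_Service
                jc      @F                      ; install refused: keep Real* = 0
                mov     RealRegOpenKey, esi     ; previous handler, for the hook to chain to
        .endif
@@:
        .if RealRegCloseKey == 0
                getvxdserviceordinal eax, _RegCloseKey
                mov     esi, OFFSET32 HookRegCloseKey
                VMMCall Hook_Device_Service
                jc      @F
                mov     RealRegCloseKey, esi
        .endif
@@:
        .if RealRegCreateKey == 0
                getvxdserviceordinal eax, _RegCreateKey
                mov     esi, OFFSET32 HookRegCreateKey
                VMMCall Hook_Device_Service
                jc      @F
                mov     RealRegCreateKey, esi
        .endif

 ..............
 ..............

@@:
        .if RealRegCreateDynKey == 0
                getvxdserviceordinal eax, _RegCreateDynKey
                mov     esi, OFFSET32 HookRegCreateDynKey
                VMMCall Hook_Device_Service
                jc      @F
                mov     RealRegCreateDynKey, esi
        .endif
@@:

 ret
starthook endp

;-----------------------------------------------------------------------
; void stophook(void)  -- cdecl, called from regmon.c on CMD_STOP_HOOK and
; from OnSysDynamicDeviceExit before the VxD unloads.
;
; Removes every hook that is currently installed (Real* != 0).  After a
; successful Unhook_Device_Service the Real* variable is cleared, so a
; second stop is a no-op and a later starthook can hook again.  If the
; unhook is refused (CF set) the variable keeps the chain pointer, because
; the hook is still installed and still needs it.
; Unhooking before unload matters: a hook left in the service table after
; the VxD's code is gone would send the next registry call into freed memory.
; USES lists esi/edi for the same reason as in starthook.
; Out: nothing meaningful in eax.
;-----------------------------------------------------------------------
stophook proc public C uses ebx esi edi ecx edx

        .if RealRegOpenKey != 0
                getvxdserviceordinal eax, _RegOpenKey
                mov     esi, OFFSET32 HookRegOpenKey
                VMMCall Unhook_Device_Service
                jc      @F                      ; still hooked: keep the chain pointer
                mov     RealRegOpenKey, 0       ; mark as unhooked
        @@:
        .endif

        .if RealRegCloseKey != 0
                getvxdserviceordinal eax, _RegCloseKey
                mov     esi, OFFSET32 HookRegCloseKey
                VMMCall Unhook_Device_Service
                jc      @F
                mov     RealRegCloseKey, 0
        @@:
        .endif

 ...... 
 ......
       ret

stophook endp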

三、regmon.c (部分):

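/*
 * OnDeviceIoControl -- W32_DEVICEIOCONTROL handler of the VxD.
 *
 * p->dwIoControlCode selects the action:
 *   CMD_GET_VERSION  currently a no-op (nothing is written to the caller's
 *                    output buffer in this excerpt)
 *   CMD_START_HOOK   install the registry service hooks (starthook)
 *   CMD_STOP_HOOK    remove them (stophook)
 * Unknown codes are ignored.
 *
 * Returns 0 for every code.  starthook/stophook report nothing back, so a
 * hook that failed to install is invisible to user mode.
 *
 * NOTE(review): on Windows 9x any process that opens the VxD can issue these
 * codes; there is no caller check here.  This handler does not reject a
 * repeated CMD_START_HOOK either -- any such guard belongs in starthook.
 * The unused local "retc" of the original was dropped.
 */
DWORD OnDeviceIoControl(PDIOCPARAMETERS p)
{
        switch (p->dwIoControlCode)
        {
        case CMD_GET_VERSION:
                /* nothing reported yet */
                break;
        case CMD_START_HOOK:
                starthook();
                break;
        case CMD_STOP_HOOK:
                stophook();
                break;
        default:
                break;
        }
        return 0;
}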

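/*
 * OnSysDynamicDeviceInit -- handler for dynamic load of the VxD
 * (SYS_DYNAMIC_DEVICE_INIT, by the DDK naming convention).
 *
 * No hooks are installed here; they go in only when a client sends
 * CMD_START_HOOK, so merely loading the driver changes nothing.
 * Returns TRUE (presumably "load may proceed" -- confirm against the DDK).
 * Return type made explicit: implicit int is an error in C99 and later.
 */
int OnSysDynamicDeviceInit()
{
        return TRUE;
}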

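/*
 * OnSysDynamicDeviceExit -- handler for dynamic unload of the VxD
 * (SYS_DYNAMIC_DEVICE_EXIT, by the DDK naming convention).
 *
 * Removes every registry hook before the driver's code disappears: a hook
 * still chained into a VMM service after unload would send the next
 * registry call into freed memory.  stophook checks each Real* pointer
 * first, so this is safe whether or not CMD_START_HOOK was ever issued.
 * Returns TRUE (presumably "unload may proceed" -- confirm against the DDK).
 * Return type made explicit: implicit int is an error in C99 and later.
 */
int OnSysDynamicDeviceExit()
{
        stophook();
        return TRUE;
}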

原文地址:https://www.cnblogs.com/MaxWoods/p/1228021.html