|
|
@@ -0,0 +1,117 @@ |
|
|
|
|
|
#include <iostream> |
|
|
#include <Windows.h> |
|
|
#include <Lmcons.h> // UNLEN + GetUserName |
|
|
#include <tlhelp32.h> // CreateToolhelp32Snapshot() |
|
|
#include <strsafe.h> |
|
|
|
|
|
extern "C" __declspec(dllexport) DWORD APIENTRY OpenPerfData(LPWSTR pContext); |
|
|
extern "C" __declspec(dllexport) DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned); |
|
|
extern "C" __declspec(dllexport) DWORD APIENTRY ClosePerfData(); |
|
|
void Log(LPCWSTR pwszCallingFrom); |
|
|
void LogToFile(LPCWSTR pwszFilnema, LPWSTR pwszData); |
|
|
|
|
|
DWORD APIENTRY OpenPerfData(LPWSTR pContext) |
|
|
{ |
|
|
Log(L"OpenPerfData"); |
|
|
return ERROR_SUCCESS; |
|
|
} |
|
|
|
|
|
DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned) |
|
|
{ |
|
|
Log(L"CollectPerfData"); |
|
|
return ERROR_SUCCESS; |
|
|
} |
|
|
|
|
|
DWORD APIENTRY ClosePerfData() |
|
|
{ |
|
|
Log(L"ClosePerfData"); |
|
|
return ERROR_SUCCESS; |
|
|
} |
|
|
|
|
|
void Log(LPCWSTR pwszCallingFrom) |
|
|
{ |
|
|
LPWSTR pwszBuffer, pwszCommandLine; |
|
|
WCHAR wszUsername[UNLEN + 1] = { 0 }; |
|
|
SYSTEMTIME st = { 0 }; |
|
|
HANDLE hToolhelpSnapshot; |
|
|
PROCESSENTRY32 stProcessEntry = { 0 }; |
|
|
DWORD dwPcbBuffer = UNLEN, dwBytesWritten = 0, dwProcessId = 0, dwParentProcessId = 0, dwBufSize = 0; |
|
|
BOOL bResult = FALSE; |
|
|
|
|
|
// Get the command line of the current process |
|
|
pwszCommandLine = GetCommandLine(); |
|
|
|
|
|
// Get the name of the process owner |
|
|
GetUserName(wszUsername, &dwPcbBuffer); |
|
|
|
|
|
// Get the PID of the current process |
|
|
dwProcessId = GetCurrentProcessId(); |
|
|
|
|
|
// Get the PID of the parent process |
|
|
hToolhelpSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); |
|
|
stProcessEntry.dwSize = sizeof(PROCESSENTRY32); |
|
|
if (Process32First(hToolhelpSnapshot, &stProcessEntry)) { |
|
|
do { |
|
|
if (stProcessEntry.th32ProcessID == dwProcessId) { |
|
|
dwParentProcessId = stProcessEntry.th32ParentProcessID; |
|
|
break; |
|
|
} |
|
|
} while (Process32Next(hToolhelpSnapshot, &stProcessEntry)); |
|
|
} |
|
|
CloseHandle(hToolhelpSnapshot); |
|
|
|
|
|
// Get the current date and time |
|
|
GetLocalTime(&st); |
|
|
|
|
|
// Prepare the output string and log the result |
|
|
dwBufSize = 4096 * sizeof(WCHAR); |
|
|
pwszBuffer = (LPWSTR)malloc(dwBufSize); |
|
|
if (pwszBuffer) |
|
|
{ |
|
|
StringCchPrintf(pwszBuffer, dwBufSize, L"[%.2u:%.2u:%.2u] - PID=%d - PPID=%d - USER='%s' - CMD='%s' - METHOD='%s'\r\n", |
|
|
st.wHour, |
|
|
st.wMinute, |
|
|
st.wSecond, |
|
|
dwProcessId, |
|
|
dwParentProcessId, |
|
|
wszUsername, |
|
|
pwszCommandLine, |
|
|
pwszCallingFrom |
|
|
); |
|
|
|
|
|
LogToFile(L"C:\\LOGS\\RpcEptMapperPoc.log", pwszBuffer); |
|
|
|
|
|
free(pwszBuffer); |
|
|
} |
|
|
} |
|
|
|
|
|
void LogToFile(LPCWSTR pwszFilename, LPWSTR pwszData) |
|
|
{ |
|
|
HANDLE hFile; |
|
|
DWORD dwBytesWritten; |
|
|
|
|
|
hFile= CreateFile(pwszFilename, FILE_APPEND_DATA, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); |
|
|
if (hFile != INVALID_HANDLE_VALUE) |
|
|
{ |
|
|
WriteFile(hFile, pwszData, (DWORD)wcslen(pwszData) * sizeof(WCHAR), &dwBytesWritten, NULL); |
|
|
CloseHandle(hFile); |
|
|
} |
|
|
} |
|
|
|
|
|
extern "C" BOOL WINAPI DllMain(HINSTANCE const instance, DWORD const reason, LPVOID const reserved) |
|
|
{ |
|
|
switch (reason) |
|
|
{ |
|
|
case DLL_PROCESS_ATTACH: |
|
|
Log(L"DllMain"); |
|
|
break; |
|
|
case DLL_THREAD_ATTACH: |
|
|
break; |
|
|
case DLL_THREAD_DETACH: |
|
|
break; |
|
|
case DLL_PROCESS_DETACH: |
|
|
break; |
|
|
} |
|
|
return TRUE; |
|
|
} |
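Review bot: The `StringCchPrintf` call in `Log` is given `dwBufSize` as its destination size, but `StringCch*` takes a count of characters while `dwBufSize` was computed as `4096 * sizeof(WCHAR)` bytes, so the call believes the `malloc`'d buffer holds 8192 WCHARs when it holds 4096; a host process whose command line (from `GetCommandLine()`) approaches that length writes past the heap buffer, and this DLL is loaded into the perf-counter consumer process (SYSTEM-level in the scenario the log path implies), so the overflow lands in a privileged process. Use the byte-sized variant, `StringCbPrintf(pwszBuffer, dwBufSize, L"[%.2u:%.2u:%.2u] - PID=%d - PPID=%d - USER='%s' - CMD='%s' - METHOD='%s'\r\n", ...)`, or pass `dwBufSize / sizeof(WCHAR)`; truncation then yields a terminated string that `LogToFile`'s `wcslen` can safely measure. Two smaller items in the same function: `CreateToolhelp32Snapshot` may return `INVALID_HANDLE_VALUE`, which is passed unchecked to `Process32First` and `CloseHandle` (guard with `if (hToolhelpSnapshot != INVALID_HANDLE_VALUE)`), and `GetUserName` is told the buffer holds `UNLEN` characters although it was declared `UNLEN + 1`, so a maximum-length name fails the call and leaves `wszUsername` empty. Note also that `DllMain` invokes all of this (snapshot, heap allocation, file I/O) under the loader lock on `DLL_PROCESS_ATTACH`; for a PoC it works, but a comment warning that the `DllMain` log line is the fragile one would help a reader who reuses it.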