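#include "pch.h"
#include "shlobj.h"
#include <thread>   // std::thread, used by CReporter::Init()
#include <string>

// Slack reserved on top of the size the driver asks for when the read buffer
// has to grow (see CReporter::GetLog()). Parenthesised so it composes safely.
#define MAX_REPORT_SIZE (sizeof(REPORT_DESC) * 100)

// Worker-thread entry point started by CReporter::Init(). Defined before its
// first use so this file does not depend on a forward declaration elsewhere.
static void Run(void* p)
{
    CReporter* reporter = static_cast<CReporter*>(p);
    reporter->Runner();
}

// Formats a FILETIME-style timestamp (as stored in REPORT_DESC::time) as a
// local-time "Y-M-D : H:M:S" string into `out` (`outBytes` = sizeof(out)).
// Fields are intentionally not zero-padded: the existing log format is kept
// byte-for-byte for whatever consumes the callback.
static void FormatLocalTime(LONGLONG fileTime, WCHAR* out, size_t outBytes)
{
    LARGE_INTEGER li;
    FILETIME utc;
    FILETIME local = { 0, 0 };
    SYSTEMTIME st = { 0 };

    li.QuadPart = fileTime;
    utc.dwLowDateTime = li.LowPart;
    utc.dwHighDateTime = li.HighPart;
    FileTimeToLocalFileTime(&utc, &local);
    FileTimeToSystemTime(&local, &st);
    StringCbPrintfW(out, outBytes, L"%d-%d-%d : %d:%d:%d",
                    st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond);
}

// Builds a reporter that hands each formatted log line to `cb` (see ReadParam).
// `path` is the base directory; log_path_ becomes "<path>\logs" (stored only —
// nothing in this file reads it). No OS resource is acquired here: call Init()
// to create the shared event and start the worker thread.
CReporter::CReporter(LPCWSTR path, fpCallBack cb)
{
    // NULL (not INVALID_HANDLE_VALUE) is the "no event" value: CreateEvent
    // reports failure with NULL, and the destructor tests against NULL.
    report_event_ = NULL;
    reports_      = NULL;
    reports_size_ = 0;
    completion_   = NULL;
    log_type_     = 0;
    threadStop_   = FALSE;   // TRUE while the worker may run (name is historical)
    cb_           = cb;

    memset(log_path_, 0, sizeof(log_path_));
    StringCbPrintfW(log_path_, sizeof(log_path_), L"%s\\logs", path);
}

// Stops the worker and releases the read buffer and the shared event.
CReporter::~CReporter()
{
    Cleanup();

    // NOTE(review): Init() detaches the worker and keeps no handle to it, so
    // this destructor cannot join it. Cleanup() clears the run flag and wakes
    // the thread, but if the owner destroys the reporter while the worker is
    // still inside Runner()/GetLog() the buffer and event released below are
    // used after release. The owner must stop the reporter well before
    // destroying it; retaining the thread handle and joining here is the
    // proper fix and needs a new member in the class declaration.
    if (reports_ != NULL) {
        VirtualFree(reports_, 0, MEM_RELEASE);
        reports_ = NULL;
    }
    if (report_event_ != NULL) {
        CloseHandle(report_event_);
        report_event_ = NULL;
    }
}

// Creates every missing component of lpPathName via SHCreateDirectoryEx.
// Returns TRUE only for ERROR_SUCCESS: a directory that already exists yields
// ERROR_ALREADY_EXISTS / ERROR_FILE_EXISTS and therefore FALSE. Callers that
// mean "exists or was created" must treat those codes themselves (kept as-is
// because the callers are not visible in this file).
BOOL RecursiveCreateDirectory(LPCTSTR lpPathName, LPSECURITY_ATTRIBUTES lpsa /* = NULL */)
{
    const int err = SHCreateDirectoryEx(NULL, lpPathName, lpsa);
    return err == ERROR_SUCCESS;
}

// Creates the shared "Global\<LOG_SHARE_EVENT>" manual-reset event and starts
// the detached worker thread. Returns FALSE if the event cannot be created.
BOOL CReporter::Init()
{
    WCHAR name[MAX_PATH] = { 0, };
    CNullSA sa;

    StringCbPrintfW(name, sizeof(name), L"Global\\%s", LOG_SHARE_EVENT);

    // SECURITY: CNullSA presumably supplies a NULL-DACL SECURITY_ATTRIBUTES so
    // the producer (driver / other session) can open the event. A NULL DACL on
    // a Global\ object also lets any local user signal or reset it (forcing
    // spurious GetLog() passes) or create it first and hand us a squatted
    // object. Confirm the DACL actually required, and if no other component is
    // expected to pre-create the event, treat ERROR_ALREADY_EXISTS as a failure
    // rather than the debug message logged below.
    report_event_ = CreateEventW(sa, TRUE, FALSE, name);
    const DWORD createError = GetLastError();   // capture before any other call clobbers it
    if (report_event_ == NULL) {   // CreateEvent fails with NULL, not INVALID_HANDLE_VALUE
        BSONE_DEBUG(L"reportnotiy CreateEvent ge(%d)\n", createError);
        return FALSE;
    }
    if (createError == ERROR_ALREADY_EXISTS) {
        BSONE_DEBUG(L"reportnotiy CreateEvent opened an existing event object\n");
    }

    // The run flag must be TRUE before the worker starts or Runner() exits at once.
    threadStop_ = TRUE;
    std::thread worker(Run, this);
    worker.detach();   // no handle retained; see ~CReporter() for the consequence
    return TRUE;
}

// Asks the worker to stop and wakes it so it observes the cleared flag.
// Does not wait for the thread to exit (no handle is kept; see ~CReporter()).
VOID CReporter::Cleanup()
{
    threadStop_ = FALSE;
    if (report_event_ != NULL) {
        SetEvent(report_event_);   // Runner() re-tests threadStop_ after every wake-up
    }
}

// Textual name of a device-policy state (ENABLE / DISABLE / READONLY).
// "UNKNWON" (sic) is kept byte-for-byte: consumers may match on the token.
// An earlier mapping to KESM_ACTION_CODE_* constants (which also covered
// CREATE/RENAME/DELETE/UPDATE) has been retired.
std::wstring CReporter::GetStateString(ULONG type)
{
    switch (type) {
    case ENABLE:   return L"ENABLE";
    case DISABLE:  return L"DISABLE";
    case READONLY: return L"READONLY";
    default:       return L"UNKNWON";
    }
}

// Textual name of a log record code. "UNKNWON" (sic) kept as emitted today.
std::wstring CReporter::GetCodeString(ULONG code)
{
    switch (code) {
    case LOG_CONNECT:    return L"CONNECT";
    case LOG_DISCONNECT: return L"DISCONNECT";
    case LOG_POLICY:     return L"POLICY";
    case LOG_PROCESS:    return L"LOG_PROCESS";
    default:             return L"UNKNWON";
    }
}

// Textual name of a BDC_* device class; unknown values map to BDC_UNKNOWN_DEV.
std::wstring CReporter::GetDevicePolicyString(ULONG type)
{
    switch (type) {
    case BDC_UNKNOWN_DEV:      return L"BDC_UNKNOWN_DEV";
    case BDC_CDROM:            return L"BDC_CDROM";
    case BDC_FLOOPY:           return L"BDC_FLOOPY";
    case BDC_USB_DISK:         return L"BDC_USB_DISK";
    case BDC_LOCAL_DISK:       return L"BDC_LOCAL_DISK";
    case BDC_NETWORKDRIVEOUT:  return L"BDC_NETWORKDRIVEOUT";
    case BDC_EXTERNALHDD:      return L"BDC_EXTERNALHDD";
    case BDC_NETWORKDRIVEIN:   return L"BDC_NETWORKDRIVEIN";
    case BDC_NETWORKSHAREOUT:  return L"BDC_NETWORKSHAREOUT";
    case BDC_USB:              return L"BDC_USB";
    case BDC_USB_NET:          return L"BDC_USB_NET";
    case BDC_USB_HID:          return L"BDC_USB_HID";
    case BDC_1394:             return L"BDC_1394";
    case BDC_SERIAL:           return L"BDC_SERIAL";
    case BDC_PARALLEL:         return L"BDC_PARALLEL";
    case BDC_PCMCIA:           return L"BDC_PCMCIA";
    case BDC_PCMCIA_NET:       return L"BDC_PCMCIA_NET";
    case BDC_IRDA:             return L"BDC_IRDA";
    case BDC_MODEM:            return L"BDC_MODEM";
    case BDC_BLUETOOTH:        return L"BDC_BLUETOOTH";
    case BDC_BLUETOOTH_FILE:   return L"BDC_BLUETOOTH_FILE";
    case BDC_WIBRO:            return L"BDC_WIBRO";
    case BDC_TLOGIN:           return L"BDC_TLOGIN";
    case BDC_ACTIVE_SYNC:      return L"BDC_ACTIVE_SYNC";
    case BDC_WIRELESS:         return L"BDC_WIRELESS";
    case BDC_LGMODEM:          return L"BDC_LGMODEM";
    case BDC_TETHERING:        return L"BDC_TETHERING";
    case BDC_SDCARD:           return L"BDC_SDCARD";
    case BDC_PORTABLE_STORAGE: return L"BDC_PORTABLE_STORAGE";
    case BDC_WEBCAM:           return L"BDC_WEBCAM";
    case BDC_MTP:              return L"BDC_MTP";
    case BDC_MAX_DEVICE_TYPE:  return L"BDC_MAX_DEVICE_TYPE";
    default:                   return L"BDC_UNKNOWN_DEV";
    }
}

// Formats one log record as a comma-separated line and hands it to cb_.
// LOG_CONNECT records are emitted with the raw NT path (backslashes doubled);
// every other record gets the DOS path when NtNameToDosNameW can produce one,
// else the GetNetworkFilePath() mapping, else the raw NT path. Always returns 0.
// (The LOG_NONE early-out on log_type_ remains disabled, as before.)
ULONG CReporter::ReadParam(PREPORT_DESC desc)
{
    WCHAR time[MAX_PATH] = { 0, };
    WCHAR log[2048] = { 0, };
    std::wstring wpath;

    if (desc->code == LOG_CONNECT) {
        FormatLocalTime(desc->time, time, sizeof(time));
        wpath = desc->path;
        ReplaceAll(wpath, L"\\", L"\\\\");
        StringCbPrintfW(log, sizeof(log), L"%s, %s(%d),%d, %d, %s, %d, %s, %s",
                        time,
                        GetCodeString(desc->code).c_str(),
                        desc->code,
                        desc->a0,
                        desc->a1,
                        desc->ProcessName,
                        desc->pid,
                        desc->renamepath,
                        wpath.c_str());
        if (cb_) {
            cb_((PVOID)log);
        }
        return 0;
    }

    BSONE_DEBUG(L"path(%s)", desc->path);

    WCHAR path[1024] = { 0, };
    // NOTE(review): the buffer size is passed as sizeof(path), i.e. bytes —
    // confirm NtNameToDosNameW expects bytes rather than characters.
    if (!NtNameToDosNameW(path, sizeof(path), desc->path)) {
        wpath = GetNetworkFilePath(std::wstring(desc->path));
        if (wpath.empty()) {
            wpath = desc->path;
        }
    } else {
        wpath = path;
    }

    // Rename records: append "(<new leaf name>)" to the logged path. The
    // previous code formatted this into `path` after `wpath` had already been
    // copied from it (so the suffix never reached the log) and used `path` as
    // both destination and %s argument of StringCbPrintfW, which is undefined.
    const WCHAR* newLeaf = wcsrchr(desc->renamepath, L'\\');
    if (newLeaf != NULL) {
        wpath += L"(";
        wpath += newLeaf + 1;
        wpath += L")";
    }

    FormatLocalTime(desc->time, time, sizeof(time));

    // The line is comma separated but the values (process name, path) are not
    // escaped, so a name containing ',' shifts the columns the consumer sees.
    // The format is kept unchanged because the consumer is not visible here.
    if (desc->code == LOG_POLICY) {
        StringCbPrintfW(log, sizeof(log), L"%s,%s(%d),%s(%d),%s(%d),%s(%d),%s",
                        time,
                        GetCodeString(desc->code).c_str(),
                        desc->code,
                        GetDevicePolicyString(desc->a0).c_str(),
                        desc->a0,
                        GetStateString(desc->a1).c_str(),
                        desc->a1,
                        desc->ProcessName,
                        desc->pid,
                        wpath.c_str());
    } else {
        StringCbPrintfW(log, sizeof(log), L"%s,%s,%d,%d,%s(%d),%s",
                        time,
                        GetCodeString(desc->code).c_str(),
                        desc->a0,
                        desc->a1,
                        desc->ProcessName,
                        desc->pid,
                        wpath.c_str());
    }

    BSONE_DEBUG(L"==== %s", log);
    if (cb_) {
        cb_((PVOID)log);
    }

    // Historical: a disabled block here launched a user-notification process
    // (RunProcess) for READONLY/DISABLE policy events, checked that a CDROM
    // path existed first, and hashed the file; it relied on buffers that were
    // never populated and has been dropped.
    return 0;
}

// Stores the caller's log-type selection. Only stored: nothing in this file
// reads log_type_ at present.
VOID CReporter::SetLogType(DWORD logtype)
{
    log_type_ = logtype;
}

// Drains pending records from interface_ into reports_ and runs ReadParam()
// on each. A failed first read is taken to mean "buffer too small": `ret` is
// treated as the size requested and the buffer is regrown with slack.
// Returns FALSE when nothing could be read, 1 otherwise.
ULONG CReporter::GetLog()
{
    HRESULT result = 0;
    DWORD ret = 0;

    result = interface_->GetLog(reports_, reports_size_, &ret);
    if (IS_ERROR(result)) {
        reports_size_ = 0x1000 + ret + MAX_REPORT_SIZE;
        if (reports_ != NULL) {
            VirtualFree(reports_, 0, MEM_RELEASE);
            reports_ = NULL;
        }
        reports_ = VirtualAlloc(NULL, reports_size_, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (reports_ == NULL) {
            BSONE_DEBUG(L"ReadLog alloc buffer fail\n");
            reports_size_ = 0;
            return FALSE;
        }
        memset(reports_, 0, reports_size_);
        result = interface_->GetLog(reports_, reports_size_, &ret);
        if (IS_ERROR(result)) {
            return FALSE;
        }
    }
    if (reports_ == NULL) {
        // A successful call with no buffer yet (e.g. nothing to read on the
        // very first pass) leaves nothing to parse; dereferencing would crash.
        return FALSE;
    }

    PLOG_NOTIFICATION notiy = (PLOG_NOTIFICATION)reports_;
    PREPORT_DESC pLog = (PREPORT_DESC)&notiy->desc;

    // `count` is read from the producer's data inside the buffer; never trust
    // it beyond what the allocation can physically hold, or a corrupt or
    // malicious header walks ReadParam() off the end of the buffer (the
    // __except below would only hide that). NOTE(review): if `ret` is the byte
    // count actually written on success, bounding by it would be tighter still
    // — confirm its meaning in the interface_ contract.
    const size_t headerBytes = (size_t)((PUCHAR)pLog - (PUCHAR)notiy);
    const size_t capacity = (reports_size_ > headerBytes)
        ? (reports_size_ - headerBytes) / sizeof(REPORT_DESC)
        : 0;
    DWORD count = notiy->count;
    if (count > capacity) {
        BSONE_DEBUG(L"GetLog count(%u) exceeds buffer capacity(%u), truncating\n",
                    count, (DWORD)capacity);
        count = (DWORD)capacity;
    }

    for (DWORD i = 0; i < count; ++i) {
        __try {
            ReadParam(&pLog[i]);
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            // Best effort: one malformed record must not take the worker down.
        }
    }
    return 1;
}

// Worker loop: drain, then sleep on the shared event until the producer
// signals (or Cleanup() wakes us), and repeat while threadStop_ is TRUE.
VOID CReporter::Runner()
{
    // NOTE(review): threadStop_ is a plain BOOL written from another thread;
    // the event wait orders the accesses in practice, but an atomic or
    // Interlocked flag would make that explicit.
    while (threadStop_) {
        GetLog();
        const DWORD status = WaitForSingleObject(report_event_, INFINITE);
        if (status != WAIT_OBJECT_0) {
            BSONE_DEBUG(_T("CReporter::run() Terminate(%x)\n"), status);
            break;
        }
        // Manual-reset event: clear it before the next drain so a signal that
        // arrives during GetLog() is not lost.
        ResetEvent(report_event_);
    }
    BSONE_DEBUG(L"ReplayThread end\n");
}

// Maps an NT device path that NtNameToDosNameW could not translate to a more
// user-readable form: redirector paths become UNC ("\\server\share\..."), and
// the "\??\" prefix is stripped. Returns L"" when a recognised prefix is not
// followed by anything usable (the caller then falls back to the raw path),
// and the input unchanged when no prefix matches.
std::wstring CReporter::GetNetworkFilePath(const std::wstring& orgFilePath)
{
    if (orgFilePath.empty()) {
        return L"";
    }

    struct Pattern {
        const wchar_t* prefix;
        bool skipProviderSegment;   // drop the "\;X:0..." style segment after the prefix
        bool addUNC;                // prepend "\\" to what remains
    };
    // Ordered most-specific first: "\Device\Mup" must come after every
    // "\Device\Mup\;<provider>" entry, otherwise it shadows them (the RdpDr
    // entry was unreachable for exactly that reason before, and its literal
    // length was off by one).
    static const Pattern patterns[] = {
        { L"\\Device\\LanmanRedirector",       true,  true  },
        { L"\\Device\\Mup\\;LanmanRedirector", true,  true  },
        // RDP drive redirection, "\Device\Mup\;RdpDr\;:1\tsclient\C\...", is
        // handled like LanmanRedirector and yields "\\tsclient\C\..." (presumed
        // intent — confirm against a real redirected-drive record).
        { L"\\Device\\Mup\\;RdpDr",            true,  true  },
        { L"\\??\\unc\\",                      false, true  },
        { L"\\??\\",                           false, false },
        { L"\\Device\\Mup",                    false, true  },
    };

    for (const Pattern& pat : patterns) {
        const size_t prefixLen = wcslen(pat.prefix);
        if (_wcsnicmp(orgFilePath.c_str(), pat.prefix, prefixLen) != 0) {
            continue;
        }

        // Drop the prefix and the separator that follows it, if there is one.
        // (The old table skipped prefixLen+1 unconditionally, which for the
        // prefixes that already end in '\' — "\??\" and "\??\unc\" — ate the
        // first real character, e.g. "\??\C:\x" became ":\x".)
        std::wstring rest = orgFilePath.substr(prefixLen);
        if (!rest.empty() && rest[0] == L'\\') {
            rest.erase(0, 1);
        }
        if (pat.skipProviderSegment) {
            const size_t sep = rest.find(L'\\');
            if (sep == std::wstring::npos || sep + 1 >= rest.length()) {
                return L"";
            }
            rest.erase(0, sep + 1);
        }
        if (rest.empty()) {
            return L"";
        }
        return pat.addUNC ? L"\\\\" + rest : rest;
    }

    return orgFilePath;
}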