From 06459edb6961206f4246a8971b6ea4e7a3fc9cf9 Mon Sep 17 00:00:00 2001
From: Jason Hood
Date: Thu, 23 Aug 2018 17:34:34 +1000
Subject: [PATCH] Log CreateFile calls

Since I've hooked CreateFile use log level 32 to log how it's used, providing a simple file monitor.
---
 ANSI.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++------
 ansicon.c | 23 +++++++--------
 readme.txt | 8 ++++--
 3 files changed, 91 insertions(+), 22 deletions(-)

diff --git a/ANSI.c b/ANSI.c
index 29c6589..5be111a 100644
--- a/ANSI.c
+++ b/ANSI.c
@@ -210,9 +210,10 @@ scrolling will use the default attribute for new lines;
 workaround Windows 10 1803 console bug.
- v1.85, 22 August, 2018:
+ v1.85, 22 & 23 August, 2018:
 fix creating the wrap buffer;
- always inject from ansicon.exe, even if it's GUI or excluded.
+ always inject from ansicon.exe, even if it's GUI or excluded;
+ log CreateFile calls.
 */
 #include "ansicon.h"
@@ -3614,6 +3615,55 @@ WINAPI MyFreeLibrary( HMODULE hModule )
 // Add GENERIC_READ access to enable retrieving console info.
 //-----------------------------------------------------------------------------
+static void log_CreateFile( HANDLE h, LPCVOID name, BOOL wide, DWORD access,
+ DWORD dwDesiredAccess, DWORD dwCreationDisposition )
+{
+ DWORD err = GetLastError();
+
+ static char log[] = "CreateFile%s: %*s, %s, %s, %\"s";
+ LPCSTR acc, op;
+ char state[32];
+ int len;
+
+ if (access != dwDesiredAccess)
+ acc = "w->r/w";
+ else if (access == (GENERIC_READ | GENERIC_WRITE) ||
+ (access & (FILE_READ_DATA | FILE_WRITE_DATA)) == (FILE_READ_DATA |
+ FILE_WRITE_DATA))
+ acc = "r/w";
+ else if (access == GENERIC_WRITE ||
+ access & (FILE_WRITE_DATA | FILE_APPEND_DATA))
+ acc = "write";
+ else if (access == GENERIC_READ ||
+ access & FILE_READ_DATA)
+ acc = "read";
+ else
+ acc = "access";
+
+ switch (dwCreationDisposition)
+ {
+ case CREATE_ALWAYS: op = "create"; break;
+ case CREATE_NEW: op = "new"; break;
+ case OPEN_ALWAYS: op = "open"; break;
+ case OPEN_EXISTING: op = "existing"; break;
+ case TRUNCATE_EXISTING: op = "truncate"; break;
+ default: op = "unknown"; break;
+ }
+
+ if (h == INVALID_HANDLE_VALUE)
+ len = ac_sprintf( state, "failed (%u)", err );
+ else
+ {
+ state[0] = 'o';
+ state[1] = 'k';
+ len = 2;
+ }
+ log[sizeof(log) - 2] = wide ? 'S' : 's';
+ DEBUGSTR( 1, log, wide ? "W" : "A", len, state, op, acc, name );
+
+ SetLastError( err );
+}
+
 HANDLE
 WINAPI MyCreateFileA( LPCSTR lpFileName, DWORD dwDesiredAccess,
 DWORD dwShareMode,
@@ -3621,6 +3671,10 @@ WINAPI MyCreateFileA( LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile ) {
+ LPCSTR name = lpFileName;
+ DWORD access = dwDesiredAccess;
+ HANDLE h;
+
 if (dwDesiredAccess == GENERIC_WRITE)
 {
 PDWORD con = (PDWORD)lpFileName;
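Review bot: `log` in log_CreateFile is a static, mutable format string that is patched to `%"s` or `%"S` on every call, so CreateFileA and CreateFileW running concurrently on two threads can race on that byte and one call may format its `name` with the other's width — a wide name read as narrow is merely truncated, but a narrow name read as wide may scan past its terminator. Keep two constant formats and select one at the call instead: `static const char logA[] = "CreateFile%s: %*s, %s, %s, %\"s";`, `static const char logW[] = "CreateFile%s: %*s, %s, %s, %\"S";`, `DEBUGSTR( 1, wide ? logW : logA, wide ? "W" : "A", len, state, op, acc, name );`. That also removes the `log[sizeof(log) - 2]` index arithmetic. Since `name` is the caller-supplied path, a name containing newline or quote characters would break the one-record-per-line log unless the custom `%"s` conversion (presumably in ac_sprintf) escapes them; worth confirming before relying on the log as a file monitor.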
@@ -3631,9 +3685,13 @@ WINAPI MyCreateFileA( LPCSTR lpFileName, DWORD dwDesiredAccess,
 dwDesiredAccess |= GENERIC_READ;
 }
 }
- return CreateFileA( lpFileName, dwDesiredAccess, dwShareMode,
- lpSecurityAttributes, dwCreationDisposition,
- dwFlagsAndAttributes, hTemplateFile );
+ h = CreateFileA( lpFileName, dwDesiredAccess, dwShareMode,
+ lpSecurityAttributes, dwCreationDisposition,
+ dwFlagsAndAttributes, hTemplateFile );
+ if (log_level & 32)
+ log_CreateFile( h, name, FALSE, access,
+ dwDesiredAccess, dwCreationDisposition );
+ return h;
 }
 
 HANDLE
@@ -3643,6 +3701,10 @@ WINAPI MyCreateFileW( LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile ) {
+ LPCWSTR name = lpFileName;
+ DWORD access = dwDesiredAccess;
+ HANDLE h;
+
 if (dwDesiredAccess == GENERIC_WRITE)
 {
 #ifdef _WIN64
@@ -3662,9 +3724,13 @@ WINAPI MyCreateFileW( LPCWSTR lpFileName, DWORD dwDesiredAccess,
 dwDesiredAccess |= GENERIC_READ;
 }
 }
- return CreateFileW( lpFileName, dwDesiredAccess, dwShareMode,
- lpSecurityAttributes, dwCreationDisposition,
- dwFlagsAndAttributes, hTemplateFile );
+ h = CreateFileW( lpFileName, dwDesiredAccess, dwShareMode,
+ lpSecurityAttributes, dwCreationDisposition,
+ dwFlagsAndAttributes, hTemplateFile );
+ if (log_level & 32)
+ log_CreateFile( h, name, TRUE, access,
+ dwDesiredAccess, dwCreationDisposition );
+ return h;
 }
 
 HANDLE
diff --git a/ansicon.c b/ansicon.c
index 92c35b7..b141fbf 100644
--- a/ansicon.c
+++ b/ansicon.c
@@ -93,12 +93,13 @@ v1.84, 7 May, 2018:
 import the DLL.
- v1.85, 22 August, 2018:
+ v1.85, 22 & 23 August, 2018:
 use IsConsoleHandle for my_fputws, to distinguish NUL;
- don't load into the parent if already loaded.
+ don't load into the parent if already loaded;
+ add log level 32 to log CreateFile.
 */
-#define PDATE L"22 August, 2018"
+#define PDATE L"23 August, 2018"
 #include "ansicon.h"
 #include "version.h"
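Review bot: The `name` local that MyCreateFileA passes to log_CreateFile is a redundant alias — as far as the visible lines show, `lpFileName` is never reassigned in the wrapper, so `log_CreateFile( h, lpFileName, FALSE, access, dwDesiredAccess, dwCreationDisposition );` reads the same without the extra variable; the `access` copy, by contrast, is needed because `dwDesiredAccess` is modified before the call. The same applies to the MyCreateFileW hunk below. Both wrappers' bodies begin outside these hunks, so the unseen lines between the prologue and the call should be checked for any write to `lpFileName` before dropping the alias.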
@@ -870,25 +871,25 @@ L"http://ansicon.adoxa.vze.com/\n"
 L"\n"
 L"Process ANSI escape sequences in " WINTYPE L" console programs.\n"
 L"\n"
-L"ansicon [-l] [-i] [-I] [-u] [-U] [-m[]] [-p[u]]\n"
-L" [-e|E string | -t|T [file(s)] | program [args]]\n"
+L"ansicon [-lLEVEL] [-i] [-I] [-u] [-U] [-m[ATTR]] [-p[u]]\n"
+L" [-e|E STRING | -t|T [FILE...] | PROGRAM [ARGS]]\n"
 L"\n"
 L" -l\t\tset the logging level (1=process, 2=module, 3=function,\n"
-L" \t\t +4=output, +8=append) for program (-p is unaffected)\n"
+L" \t\t +4=output, +8=append, +16=imports, +32=files) for PROGRAM\n"
 L" -i\t\tinstall - add ANSICON to CMD's AutoRun entry (also implies -p)\n"
 L" -u\t\tuninstall - remove ANSICON from the AutoRun entry\n"
 L" -I -U\t\tuse local machine instead of current user\n"
-L" -m\t\tuse grey on black (\"monochrome\") or as default color\n"
+L" -m\t\tuse grey on black (\"monochrome\") or ATTR as default color\n"
 L" -p\t\thook into the parent process\n"
 L" -pu\t\tunhook from the parent process\n"
-L" -e\t\techo string\n"
-L" -E\t\techo string, don't append newline\n"
+L" -e\t\techo STRING\n"
+L" -E\t\techo STRING, don't append newline\n"
 L" -t\t\tdisplay files (\"-\" for stdin), combined as a single stream\n"
 L" -T\t\tdisplay files, name first, blank line before and after\n"
-L" program\trun the specified program\n"
+L" PROGRAM\trun the specified program\n"
 L" nothing\trun a new command processor, or display stdin if redirected\n"
 L"\n"
-L" is one or two hexadecimal digits; please use \"COLOR /?\" for details.\n"
+L"ATTR is one or two hexadecimal digits; please use \"COLOR /?\" for details.\n"
 L"It may start with '-' to reverse foreground and background (but not for -p)."
 );
 }
diff --git a/readme.txt b/readme.txt
index 6d17142..9fc131b 100644
--- a/readme.txt
+++ b/readme.txt
@@ -102,6 +102,7 @@ Usage
 4 Log console output (add to any of the above)
 8 Append to the existing file (add to any of the above)
 16 Log all imported modules (add to any of the above)
+ 32 Log CreateFile (add to any of the above)
 The log option will not work with '-p'; set the environment variable ANSICON_LOG (to the number) instead. The variable is only read once when a
@@ -339,11 +340,12 @@ Version History
 Legend: + added, - bug-fixed, * changed.
- 1.85 - 22 August, 2018:
+ 1.85 - 23 August, 2018:
 - fix wrap issues with a buffer bigger than the window;
 - fix -e et al when redirecting to NUL;
 - prevent -p from injecting when already injected;
- - fix running directly via ansicon (hook even if it's GUI or excluded).
+ - fix running directly via ansicon (hook even if it's GUI or excluded);
+ + add log level 32 to monitor CreateFile.
 1.84 - 11 May, 2018:
 - close the flush handles on detach;
@@ -634,4 +636,4 @@ Distribution
 ============================
-Jason Hood, 22 August, 2018.
+Jason Hood, 23 August, 2018.