From df13fa76bb3acd5e56a091b84581e9e02903ad5d Mon Sep 17 00:00:00 2001
From: Brad Spengler
Date: Mon, 19 Oct 2015 17:01:20 -0400
Subject: [PATCH] Add a hook for GetVolumeInformationByHandleW (called by GetVolumeInformation[A/W]) to allow us to fake the serial number used by Milicenso to key itself to a particular machine (via the serial= option)

---
 config.c | 3 +++
 config.h | 3 +++
 cuckoomon.c | 1 +
 cuckoomon.vcxproj | 1 -
 cuckoomon.vcxproj.filters | 3 ---
 hook_file.c | 22 ++++++++++++++++++++++
 hooks.h | 12 ++++++++++++
 7 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/config.c b/config.c
index f3e614b..73461ab 100644
--- a/config.c
+++ b/config.c
@@ -138,6 +138,9 @@ int read_config(void)
 else if(!strcmp(key, "force-sleepskip")) {
 g_config.force_sleepskip = value[0] == '1';
 }
+ else if (!strcmp(key, "serial")) {
+ g_config.serial_number = (unsigned int)strtoul(value, NULL, 16);
+ }
 else if (!strcmp(key, "full-logs")) {
 g_config.full_logs = value[0] == '1';
 }
diff --git a/config.h b/config.h
index c9c175f..98b7c9a 100644
--- a/config.h
+++ b/config.h
@@ -64,6 +64,9 @@ struct _g_config {
 // how many milliseconds since startup
 unsigned int startup_time;
+ // system volume serial number (for reproducing Milicenso)
+ unsigned int serial_number;
+
 // do we force sleep-skipping despite threads?
 int force_sleepskip;
diff --git a/cuckoomon.c b/cuckoomon.c
index 2d106e6..9db4be6 100644
--- a/cuckoomon.c
+++ b/cuckoomon.c
@@ -140,6 +140,7 @@ static hook_t g_hooks[] = {
 HOOK(kernel32, GetDiskFreeSpaceW),
 HOOK(kernel32, GetVolumeNameForVolumeMountPointW),
+ HOOK(kernel32, GetVolumeInformationByHandleW),
 HOOK(shell32, SHGetFolderPathW),
 HOOK(shell32, SHGetFileInfoW),
diff --git a/cuckoomon.vcxproj b/cuckoomon.vcxproj
index 0504824..0f6785a 100644
--- a/cuckoomon.vcxproj
+++ b/cuckoomon.vcxproj
@@ -382,7 +382,6 @@
-
diff --git a/cuckoomon.vcxproj.filters b/cuckoomon.vcxproj.filters
index b6d518f..083e702 100644
--- a/cuckoomon.vcxproj.filters
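Review bot: The `serial` value is parsed with `strtoul(value, NULL, 16)` and no end-pointer check, so a malformed value is accepted silently: the `XXXX-XXXX` form in which Windows displays volume serials parses only up to the dash and yields the wrong serial, and a non-numeric value yields 0, which, because the hook applies the override only when `g_config.serial_number` is non-zero, silently disables the feature. I'd parse into an end pointer and only accept a fully consumed value: `char *end; unsigned long v = strtoul(value, &end, 16); if (*value != '\0' && *end == '\0') g_config.serial_number = (unsigned int)v;`. Using 0 as the "not configured" sentinel also means a genuine serial of 0 can never be injected; a separate "serial set" flag would avoid that. read_config continues outside the hunk.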
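Review bot: The comment on the new `serial_number` field says what it is for but not how it is interpreted: read_config parses the `serial=` option as hexadecimal, and the GetVolumeInformationByHandleW hook substitutes the value only when it is non-zero, so zero means "report the real serial". I'd state that at the field: `// fake volume serial returned by GetVolumeInformationByHandleW (serial= option, parsed as hex); 0 = leave the real serial`. The `_g_config` struct starts and ends outside the hunk.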
+++ b/cuckoomon.vcxproj.filters
@@ -257,9 +257,6 @@ Header Files - - Header Files - Header Files
diff --git a/hook_file.c b/hook_file.c
index 972e931..4948d01 100644
--- a/hook_file.c
+++ b/hook_file.c
@@ -963,6 +963,28 @@ HOOKDEF(BOOL, WINAPI, GetVolumeNameForVolumeMountPointW,
 return ret;
 }
+HOOKDEF(BOOL, WINAPI, GetVolumeInformationByHandleW,
+ _In_ HANDLE hFile,
+ _Out_opt_ LPWSTR lpVolumeNameBuffer,
+ _In_ DWORD nVolumeNameSize,
+ _Out_opt_ LPDWORD lpVolumeSerialNumber,
+ _Out_opt_ LPDWORD lpMaximumComponentLength,
+ _Out_opt_ LPDWORD lpFileSystemFlags,
+ _Out_opt_ LPWSTR lpFileSystemNameBuffer,
+ _In_ DWORD nFileSystemNameSize
+) {
+ BOOL ret = Old_GetVolumeInformationByHandleW(hFile, lpVolumeNameBuffer, nVolumeNameSize, lpVolumeSerialNumber,
+ lpMaximumComponentLength, lpFileSystemFlags, lpFileSystemNameBuffer, nFileSystemNameSize);
+
+ if (ret && lpVolumeSerialNumber && g_config.serial_number)
+ *lpVolumeSerialNumber = g_config.serial_number;
+
+ LOQ_bool("filesystem", "uH", "VolumeName", lpVolumeNameBuffer, "VolumeSerial", lpVolumeSerialNumber);
+
+ return ret;
+}
+
 HOOKDEF(HRESULT, WINAPI, SHGetFolderPathW,
 _In_ HWND hwndOwner,
 _In_ int nFolder,
diff --git a/hooks.h b/hooks.h
index 934947e..eb261b8 100644
--- a/hooks.h
+++ b/hooks.h
@@ -309,6 +309,18 @@ extern HOOKDEF(HANDLE, WINAPI, FindFirstChangeNotificationW,
 _In_ DWORD dwNotifyFilter
 );
+extern HOOKDEF(BOOL, WINAPI, GetVolumeInformationByHandleW,
+ _In_ HANDLE hFile,
+ _Out_opt_ LPWSTR lpVolumeNameBuffer,
+ _In_ DWORD nVolumeNameSize,
+ _Out_opt_ LPDWORD lpVolumeSerialNumber,
+ _Out_opt_ LPDWORD lpMaximumComponentLength,
+ _Out_opt_ LPDWORD lpFileSystemFlags,
+ _Out_opt_ LPWSTR lpFileSystemNameBuffer,
+ _In_ DWORD nFileSystemNameSize
+);
+
 //
 // Registry Hooks
 //
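Review bot: The override in the new hook only covers the Win32 layer: `*lpVolumeSerialNumber` is rewritten after `Old_GetVolumeInformationByHandleW` returns, so a sample that reads the serial through ntdll directly (`NtQueryVolumeInformationFile` with the `FileFsVolumeInformation` class, which is presumably where the kernel32 routine obtains it) still sees the real value, and `GetVolumeInformationA/W` are covered only if their kernel32 implementation on the target OS actually passes through the hooked export, which the commit message asserts but nothing here guarantees (the export itself is Vista+). Since the point of the option is to make a machine-keyed sample run, I'd apply the same substitution in an `NtQueryVolumeInformationFile` hook (adding one if cuckoomon lacks it), patching `((FILE_FS_VOLUME_INFORMATION *)FsInformation)->VolumeSerialNumber` when `FsInformationClass == FileFsVolumeInformation`, or at minimum note the limitation next to the override. Separately, `LOQ_bool` logs `lpVolumeSerialNumber` after it has been overwritten, so the report shows the faked serial rather than the one the guest actually has; capturing the original value before the override and logging both would keep the log useful for telling the two apart.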