-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathhelpers.cpp
More file actions
256 lines (221 loc) · 6.83 KB
/
helpers.cpp
File metadata and controls
256 lines (221 loc) · 6.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
#include "stdafx.h"
// ============================================
// EtwTi-FluctuationMonitor v2.0
// 辅助函数实现
// ============================================
// 内存保护属性转字符串
const char* ProtectionString(DWORD Protection) {
switch (Protection) {
case PAGE_NOACCESS:
return "---";
case PAGE_READONLY:
return "R--";
case PAGE_READWRITE:
return "RW-";
case PAGE_WRITECOPY:
return "RC-";
case PAGE_EXECUTE:
return "--X";
case PAGE_EXECUTE_READ:
return "R-X";
case PAGE_EXECUTE_READWRITE:
return "RWX";
case PAGE_EXECUTE_WRITECOPY:
return "RCX";
case PAGE_GUARD:
return "G--";
case PAGE_NOCACHE:
return "NC-";
case PAGE_WRITECOMBINE:
return "WC-";
}
return "???";
}
// 根据进程ID获取进程名
std::wstring ProcessName(DWORD processId) {
std::wstring buffer;
buffer.resize(32768);
HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processId);
if (hProcess) {
DWORD dwSize = (DWORD)buffer.size();
if (QueryFullProcessImageNameW(hProcess, 0, &buffer[0], &dwSize))
{
buffer = std::filesystem::path(buffer).filename();
}
CloseHandle(hProcess);
}
if (buffer.empty()) {
wsprintf(&buffer[0], L"pid:%d", processId);
}
return buffer;
}
// 获取当前时间戳字符串
std::string GetCurrentTimestamp() {
auto now = std::chrono::system_clock::now();
auto time = std::chrono::system_clock::to_time_t(now);
auto ms = std::chrono::duration_cast<std::chrono::milliseconds>(
now.time_since_epoch()) % 1000;
std::stringstream ss;
struct tm buf;
localtime_s(&buf, &time);
ss << std::put_time(&buf, "%Y-%m-%d %H:%M:%S");
ss << '.' << std::setfill('0') << std::setw(3) << ms.count();
return ss.str();
}
// 根据事件ID获取事件类型
EventType GetEventType(USHORT eventId) {
switch (eventId) {
case EVENT_ALLOCVM_LOCAL:
case EVENT_ALLOCVM_REMOTE:
case EVENT_ALLOCVM_LOCAL_KERNEL:
case EVENT_ALLOCVM_REMOTE_KERNEL:
return EventType::ALLOCVM;
case EVENT_PROTECTVM_LOCAL:
case EVENT_PROTECTVM_REMOTE:
case EVENT_PROTECTVM_LOCAL_KERNEL:
case EVENT_PROTECTVM_REMOTE_KERNEL:
return EventType::PROTECTVM;
case EVENT_MAPVIEW_LOCAL:
case EVENT_MAPVIEW_REMOTE:
case EVENT_MAPVIEW_LOCAL_KERNEL:
case EVENT_MAPVIEW_REMOTE_KERNEL:
return EventType::MAPVIEW;
case EVENT_QUEUEUSERAPC_REMOTE:
case EVENT_QUEUEUSERAPC_REMOTE_KERNEL:
return EventType::QUEUEUSERAPC;
case EVENT_SETTHREADCONTEXT_REMOTE:
case EVENT_SETTHREADCONTEXT_REMOTE_KERNEL:
return EventType::SETTHREADCONTEXT;
case EVENT_READVM_LOCAL:
case EVENT_READVM_REMOTE:
return EventType::READVM;
case EVENT_WRITEVM_LOCAL:
case EVENT_WRITEVM_REMOTE:
return EventType::WRITEVM;
case EVENT_SUSPEND_THREAD:
return EventType::SUSPEND_THREAD;
case EVENT_RESUME_THREAD:
return EventType::RESUME_THREAD;
case EVENT_SUSPEND_PROCESS:
return EventType::SUSPEND_PROCESS;
case EVENT_RESUME_PROCESS:
return EventType::RESUME_PROCESS;
case EVENT_FREEZE_PROCESS:
return EventType::FREEZE_PROCESS;
case EVENT_THAW_PROCESS:
return EventType::THAW_PROCESS;
case EVENT_DRIVER_LOAD:
return EventType::DRIVER_LOAD;
case EVENT_DRIVER_UNLOAD:
return EventType::DRIVER_UNLOAD;
case EVENT_DEVICE_CREATE:
return EventType::DEVICE_CREATE;
case EVENT_DEVICE_CLOSE:
return EventType::DEVICE_CLOSE;
default:
return EventType::UNKNOWN;
}
}
// 根据事件ID判断行为类型(本地/跨进程)
BehaviorType GetBehaviorType(USHORT eventId) {
switch (eventId) {
// 本地行为事件(进程操作自己的内存)
case EVENT_ALLOCVM_LOCAL:
case EVENT_PROTECTVM_LOCAL:
case EVENT_MAPVIEW_LOCAL:
case EVENT_READVM_LOCAL:
case EVENT_WRITEVM_LOCAL:
return BehaviorType::LOCAL;
// 跨进程行为事件(进程操作其他进程的内存)
case EVENT_ALLOCVM_REMOTE:
case EVENT_PROTECTVM_REMOTE:
case EVENT_MAPVIEW_REMOTE:
case EVENT_QUEUEUSERAPC_REMOTE:
case EVENT_SETTHREADCONTEXT_REMOTE:
case EVENT_READVM_REMOTE:
case EVENT_WRITEVM_REMOTE:
return BehaviorType::REMOTE;
// 内核调用本地行为事件
case EVENT_ALLOCVM_LOCAL_KERNEL:
case EVENT_PROTECTVM_LOCAL_KERNEL:
case EVENT_MAPVIEW_LOCAL_KERNEL:
return BehaviorType::LOCAL;
// 内核调用跨进程行为事件
case EVENT_ALLOCVM_REMOTE_KERNEL:
case EVENT_PROTECTVM_REMOTE_KERNEL:
case EVENT_MAPVIEW_REMOTE_KERNEL:
case EVENT_QUEUEUSERAPC_REMOTE_KERNEL:
case EVENT_SETTHREADCONTEXT_REMOTE_KERNEL:
return BehaviorType::REMOTE;
// 线程/进程操作
case EVENT_SUSPEND_THREAD:
case EVENT_RESUME_THREAD:
case EVENT_SUSPEND_PROCESS:
case EVENT_RESUME_PROCESS:
case EVENT_FREEZE_PROCESS:
case EVENT_THAW_PROCESS:
return BehaviorType::LOCAL;
// 驱动/设备事件
case EVENT_DRIVER_LOAD:
case EVENT_DRIVER_UNLOAD:
case EVENT_DEVICE_CREATE:
case EVENT_DEVICE_CLOSE:
return BehaviorType::KERNEL;
default:
return BehaviorType::LOCAL;
}
}
// 事件类型转字符串
std::string EventTypeToString(EventType type) {
switch (type) {
case EventType::ALLOCVM:
return "ALLOCVM";
case EventType::PROTECTVM:
return "PROTECTVM";
case EventType::MAPVIEW:
return "MAPVIEW";
case EventType::QUEUEUSERAPC:
return "QUEUEUSERAPC";
case EventType::SETTHREADCONTEXT:
return "SETTHREADCONTEXT";
case EventType::READVM:
return "READVM";
case EventType::WRITEVM:
return "WRITEVM";
case EventType::SUSPEND_THREAD:
return "SUSPEND_THREAD";
case EventType::RESUME_THREAD:
return "RESUME_THREAD";
case EventType::SUSPEND_PROCESS:
return "SUSPEND_PROCESS";
case EventType::RESUME_PROCESS:
return "RESUME_PROCESS";
case EventType::FREEZE_PROCESS:
return "FREEZE_PROCESS";
case EventType::THAW_PROCESS:
return "THAW_PROCESS";
case EventType::DRIVER_LOAD:
return "DRIVER_LOAD";
case EventType::DRIVER_UNLOAD:
return "DRIVER_UNLOAD";
case EventType::DEVICE_CREATE:
return "DEVICE_CREATE";
case EventType::DEVICE_CLOSE:
return "DEVICE_CLOSE";
default:
return "UNKNOWN";
}
}
// 行为类型转字符串
std::string BehaviorTypeToString(BehaviorType type) {
switch (type) {
case BehaviorType::LOCAL:
return "LOCAL";
case BehaviorType::REMOTE:
return "REMOTE";
case BehaviorType::KERNEL:
return "KERNEL";
default:
return "UNKNOWN";
}
}