[
  {
    "path": "README.md",
    "content": "# Sysmon_reverse逆向微软sysmon的源代码，逆向的版本是v8\n原始产品\nhttps://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon\n"
  },
  {
    "path": "Sysmon/CDName.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CDName.h\"\n\n\nCDName::CDName(void)\n{\n}\n\n\nCDName::~CDName(void)\n{\n}\n\n\nchar* CDName::_unDName()\n{\n\treturn NULL;\n}"
  },
  {
    "path": "Sysmon/CDName.h",
    "content": "#ifndef _CDName_H\n#define _CDName_H\n\nclass CDName\n{\npublic:\n\tCDName(void);\n\tvirtual ~CDName(void);\n\n\tstatic char* _unDName();\n};\n\n#endif\n\n"
  },
  {
    "path": "Sysmon/CDigitalSign.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CDigitalSign.h\"\n\n\nCDigitalSign::CDigitalSign(void)\n\t:m_bInit(false)\n\t,m_WinVerifyTrust(NULL)\n\t,m_pWTHelperGetProvSignerFromChain(NULL)\n\t,m_pWTHelperProvDataFromStateData(NULL)\n\t,m_pCryptCATAdminReleaseContext(NULL)\n\t,m_pCryptCATAdminReleaseCatalogContext(NULL)\n\t,m_pCryptCATCatalogInfoFromContext(NULL)\n\t,m_pCryptCATAdminEnumCatalogFromHash(NULL)\n\t,m_pCryptCATAdminCalcHashFromFileHandle(NULL)\n\t,m_pCryptCATAdminAcquireContext(NULL)\n\t,m_pCryptCATAdminAddCatalog(NULL)\n\t,m_pCryptCATAdminRemoveCatalog(NULL)\n\t,m_pIsCatalogFile(NULL)\n\t,m_pCertNameToStrW(NULL)\n{\n}\n\n\nCDigitalSign::~CDigitalSign(void)\n{\n}\n\n\nbool CDigitalSign::Init()\n{\n\tif (!m_bInit)\n\t{\n\t\tm_bInit = true;\n\n\t\tHMODULE hWinTrust = LoadLibraryW(L\"Wintrust.dll\");\n\n\t\tif ( !hWinTrust )\n\t\t\treturn false;\n\t\t\n\t\tm_WinVerifyTrust = (pWinVerifyTrust)GetProcAddress(hWinTrust, \"WinVerifyTrust\");\n\t\tm_pWTHelperGetProvSignerFromChain = (pWTHelperGetProvSignerFromChain)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"WTHelperGetProvSignerFromChain\");\n\n\t\tm_pWTHelperProvDataFromStateData = (pWTHelperProvDataFromStateData)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"WTHelperProvDataFromStateData\");\n\t\t\n\t\tm_pCryptCATAdminReleaseContext = (pCryptCATAdminReleaseContext)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"CryptCATAdminReleaseContext\");\n\n\t\tm_pCryptCATAdminReleaseCatalogContext = (pCryptCATAdminReleaseCatalogContext)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"CryptCATAdminReleaseCatalogContext\");\n\n\t\tm_pCryptCATCatalogInfoFromContext = (pCryptCATCatalogInfoFromContext)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"CryptCATCatalogInfoFromContext\");\n\n\t\tm_pCryptCATAdminEnumCatalogFromHash = (pCryptCATAdminEnumCatalogFromHash)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"CryptCATAdminEnumCatalogFromHash\");\n\n\t\tm_pCryptCATAdminCalcHashFromFileHandle = 
(pCryptCATAdminCalcHashFromFileHandle)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust,\"CryptCATAdminCalcHashFromFileHandle\");\n\n\t\tm_pCryptCATAdminAcquireContext = (pCryptCATAdminAcquireContext)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust,\"CryptCATAdminAcquireContext\");\n\n\t\tm_pCryptCATAdminAddCatalog = (pCryptCATAdminAddCatalog)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"CryptCATAdminAddCatalog\");\n\n\t\tm_pCryptCATAdminRemoveCatalog = (pCryptCATAdminRemoveCatalog)\n\t\t\t\t\t\t\tGetProcAddress(hWinTrust, \"CryptCATAdminRemoveCatalog\");\n\n\t\tm_pIsCatalogFile = (pIsCatalogFile)GetProcAddress(hWinTrust, \"IsCatalogFile\");\n\n\t\thWinTrust = LoadLibraryW(L\"crypt32.dll\");\n\t\tm_pCertNameToStrW = (pCertNameToStrW)GetProcAddress(hWinTrust, \"CertNameToStrW\");\n\t}\n\t\n\treturn m_pCryptCATAdminAcquireContext != 0;\n}"
  },
  {
    "path": "Sysmon/CDigitalSign.h",
    "content": "#ifndef _CDigitalSign_h\n#define _CDigitalSign_h\n#include <WinTrust.h>\n\ntypedef void* HCATINFO;\ntypedef void* HCATADMIN;\n\ntypedef struct CATALOG_INFO_ {\n\tDWORD cbStruct;\n\tWCHAR wszCatalogFile[MAX_PATH];\n} CATALOG_INFO;\n\nextern \"C\"\n{\n\ttypedef\n\tLONG\n\t( WINAPI *pWinVerifyTrust)(\n\t\t\t\t\t\t\tHWND hwnd,\n\t\t\t\t\t\t\tGUID *pgActionID,\n\t\t\t\t\t\t\tLPVOID pWVTData);\n\n\ttypedef \n\tCRYPT_PROVIDER_SGNR* \n\t(WINAPI *pWTHelperGetProvSignerFromChain)(\n\t\t\t\t\t\t\tCRYPT_PROVIDER_DATA *pProvData,\n\t\t\t\t\t\t\tDWORD idxSigner,\n\t\t\t\t\t\t\tBOOL fCounterSigner,\n\t\t\t\t\t\t\tDWORD idxCounterSigner);\n\n\ttypedef\n\tCRYPT_PROVIDER_DATA * (WINAPI *pWTHelperProvDataFromStateData)(\n\t\t\t\t\t\t\tHANDLE hStateData);\n\n\ttypedef\n\tBOOL \n\t(WINAPI *pCryptCATAdminReleaseContext)(\n\t\tIN VOID* hCatAdmin,\n\t\tIN DWORD     dwFlags\n\t\t);\n\n\ttypedef\n\tBOOL \n\t(WINAPI *pCryptCATAdminReleaseCatalogContext)(\n\t\tIN VOID* hCatAdmin,\n\t\tIN VOID*  hCatInfo,\n\t\tIN DWORD     dwFlags\n\t\t);\n\n\ttypedef\n\tBOOL\n\t(WINAPI *pCryptCATCatalogInfoFromContext)(\n\t\t_In_    VOID*     hCatInfo,\n\t\t_Inout_ CATALOG_INFO *psCatInfo,\n\t\t_In_    DWORD        dwFlags\n\t\t);\n\n\ttypedef\n\tHCATINFO \n\t(WINAPI *pCryptCATAdminEnumCatalogFromHash)(\n\t\tHCATADMIN hCatAdmin,\n\t\tBYTE      *pbHash,\n\t\tDWORD     cbHash,\n\t\tDWORD     dwFlags,\n\t\tHCATINFO  *phPrevCatInfo\n\t\t);\n\n\ttypedef\n\tBOOL\n\t(WINAPI *pCryptCATAdminCalcHashFromFileHandle)(\n\t\tHANDLE hFile,\n\t\tDWORD  *pcbHash,\n\t\tBYTE   *pbHash,\n\t\tDWORD  dwFlags\n\t\t);\n\n\ttypedef\n\tBOOL\n\t(WINAPI *pCryptCATAdminAcquireContext)(\n\t\tHCATADMIN  *phCatAdmin,\n\t\tconst GUID *pgSubsystem,\n\t\tDWORD      dwFlags\n\t\t);\n\n\ttypedef\n\tHCATINFO\n\t(WINAPI *pCryptCATAdminAddCatalog)(\n\t\tHCATADMIN hCatAdmin,\n\t\tPWSTR     pwszCatalogFile,\n\t\tPWSTR     pwszSelectBaseName,\n\t\tDWORD     dwFlags\n\t\t);\n\n\ttypedef\n\tBOOL\n\t(WINAPI 
*pCryptCATAdminRemoveCatalog)(\n\t\tIN HCATADMIN hCatAdmin,\n\t\tIN LPCWSTR   pwszCatalogFile,\n\t\tIN DWORD     dwFlags\n\t\t);\n\n\ttypedef\n\tBOOL \n\t(WINAPI *pIsCatalogFile)(\n\t\tIN HANDLE hFile,\n\t\tWCHAR     *pwszFileName\n\t\t);\n\n\ttypedef\n\tDWORD\n\t(WINAPI *pCertNameToStrW)(\n\t\tDWORD           dwCertEncodingType,\n\t\tPCERT_NAME_BLOB pName,\n\t\tDWORD           dwStrType,\n\t\tLPSTR           psz,\n\t\tDWORD           csz\n\t\t);\n};\n\n\n\nclass CDigitalSign\n{\npublic:\n\tCDigitalSign(void);\n\tvirtual ~CDigitalSign(void);\n\n\tbool Init();\nprivate:\n\tbool m_bInit;\n\tpWinVerifyTrust\t\t\t\t\t\t\tm_WinVerifyTrust;\n\tpWTHelperGetProvSignerFromChain\t\t\tm_pWTHelperGetProvSignerFromChain;\n\tpWTHelperProvDataFromStateData\t\t\tm_pWTHelperProvDataFromStateData;\n\tpCryptCATAdminReleaseContext\t\t\tm_pCryptCATAdminReleaseContext;\n\tpCryptCATAdminReleaseCatalogContext\t\tm_pCryptCATAdminReleaseCatalogContext;\n\tpCryptCATCatalogInfoFromContext\t\t\tm_pCryptCATCatalogInfoFromContext;\n\tpCryptCATAdminEnumCatalogFromHash\t\tm_pCryptCATAdminEnumCatalogFromHash;\n\tpCryptCATAdminCalcHashFromFileHandle\tm_pCryptCATAdminCalcHashFromFileHandle;\n\tpCryptCATAdminAcquireContext\t\t\tm_pCryptCATAdminAcquireContext;\n\tpCryptCATAdminAddCatalog\t\t\t\tm_pCryptCATAdminAddCatalog;\n\tpCryptCATAdminRemoveCatalog\t\t\t\tm_pCryptCATAdminRemoveCatalog;\n\tpIsCatalogFile\t\t\t\t\t\t\tm_pIsCatalogFile;\n\tpCertNameToStrW\t\t\t\t\t\t\tm_pCertNameToStrW;\n};\n\n#endif\n\n"
  },
  {
    "path": "Sysmon/CEventLogger.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CEventLogger.h\"\n\n#include <strsafe.h>\n#pragma comment (lib, \"strsafe.lib\")\n\n\nCEventLogger::CEventLogger(void):\nm_hTrace(0), \n\tm_hSession(0),\n\tm_bLoggingEnabled(FALSE),\n\tm_nLoggingLevel(TRACE_LEVEL_INFORMATION)\n{ \n\tmemset(\n\t\t&m_provider_guid,\n\t\t0, \n\t\tsizeof(m_provider_guid)); \n\tmemset(\n\t\t&m_session_guid,\n\t\t0,\n\t\tsizeof(m_session_guid)); \n}\n\nCEventLogger::~CEventLogger(void) \n{ \n\tDeInit();\n}\n\n/* Initialize the logger lpszLogFile: location of log file, \nmust end with .etl and all folders in path must exists lpszSessionName:\nunique session name, like \"_trace\" */\n\nHRESULT CEventLogger::Init(\n\tLPCTSTR lpszLogFile, \n\tLPCTSTR lpszSessionName, \n\tGUID *pguid) \n{ \n\tHRESULT hr = S_OK; \n\tif(NULL == m_hTrace) \n\t{ \n\t\tm_strLogFile = lpszLogFile;\n\t\tm_strSessionName = lpszSessionName;\n\t\tif(m_strLogFile.GetLength() > 0 && m_strSessionName.GetLength() > 0) \n\t\t{\n\t\t\t// if caller didnt supply a GUID we will create one on the fly \n\t\t\tif(NULL == pguid) \n\t\t\t\thr = CoCreateGuid(&m_provider_guid); \n\t\t\telse \n\t\t\t\tmemcpy_s(\n\t\t\t\t\t&m_provider_guid,\n\t\t\t\t\tsizeof(m_provider_guid),\n\t\t\t\t\tpguid, \n\t\t\t\t\tsizeof(GUID));\n\n\t\t\t// register us as event provider\n\t\t\thr = AtlHresultFromWin32(\n\t\t\t\tRegisterTraceGuids(\n\t\t\t\t\t\t\t&CEventLogger::ControlCallback, \n\t\t\t\t\t\t\tthis,\n\t\t\t\t\t\t\t&m_provider_guid,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t&m_hTrace));\n\n\t\t\tif(SUCCEEDED(hr))\n\t\t\t{\n\t\t\t\tm_hSession = NULL;\n\t\t\t\tm_bLoggingEnabled = FALSE;\n\t\t\t\tm_nLoggingLevel = TRACE_LEVEL_INFORMATION;\n\n\t\t\t\t/**\n\t\t\t\tInitialize the structure that will be used for writing events, the structure looks like this:\n\t\t\t\tstruct{\n\t\t\t\tEVENT_TRACE_HEADER header;\n\t\t\t\tMOF_FIELD mof;\n\t\t\t\t}\n\t\t\t\tWe will use only one MOF_FIELD after the 
EVENT_TRACE_HEADER and the logging text will be put here\n\t\t\t\t*/\n\n\t\t\t\tif(m_eventdata.GetCount() == 0)\n\t\t\t\t\tm_eventdata.SetCount(sizeof(EVENT_TRACE_HEADER) + sizeof(MOF_FIELD));\n\t\t\t\tif(m_eventdata.GetCount() > 0)\n\t\t\t\t{\n\t\t\t\t\tmemset(m_eventdata.GetData(), 0, m_eventdata.GetCount());\n\t\t\t\t\tPEVENT_TRACE_HEADER pEventHeader = (PEVENT_TRACE_HEADER)m_eventdata.GetData();\n\t\t\t\t\tpEventHeader->Size = m_eventdata.GetCount();\n\t\t\t\t\tpEventHeader->Flags = WNODE_FLAG_USE_MOF_PTR;\n\t\t\t\t\tpEventHeader->Class.Type = EVENT_TRACE_TYPE_INFO;\n\t\t\t\t}\n\n\t\t\t\thr = CoCreateGuid(&m_session_guid);\n\t\t\t\tm_sessiondata.SetCount(\n\t\t\t\t\tsizeof(EVENT_TRACE_PROPERTIES) + \n\t\t\t\t\t(m_strLogFile.GetLength() + m_strSessionName.GetLength() + 2) * 2);\n\n\t\t\t\tif(m_sessiondata.GetCount() > 0)\n\t\t\t\t{\n\t\t\t\t\tmemset(\n\t\t\t\t\t\tm_sessiondata.GetData(), \n\t\t\t\t\t\t0, \n\t\t\t\t\t\tm_sessiondata.GetCount());\n\n\t\t\t\t\tPEVENT_TRACE_PROPERTIES pTracePropperties = (PEVENT_TRACE_PROPERTIES)m_sessiondata.GetData();\n\t\t\t\t\tpTracePropperties->Wnode.BufferSize = m_sessiondata.GetCount();\n\t\t\t\t\tpTracePropperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;\n\t\t\t\t\tpTracePropperties->Wnode.ClientContext = 1;\n\t\t\t\t\tmemcpy_s(\n\t\t\t\t\t\t\t&pTracePropperties->Wnode.Guid,\n\t\t\t\t\t\t\tsizeof(pTracePropperties->Wnode.Guid),\n\t\t\t\t\t\t\t&m_session_guid,\n\t\t\t\t\t\t\tsizeof(m_session_guid));\n\n\t\t\t\t\tpTracePropperties->LogFileMode = EVENT_TRACE_FILE_MODE_CIRCULAR | \n\t\t\t\t\t\t\t\t\t\t\t\t\tEVENT_TRACE_USE_PAGED_MEMORY;\n\n\t\t\t\t\tpTracePropperties->MaximumFileSize = 1;\n\t\t\t\t\tpTracePropperties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES);\n\t\t\t\t\tStringCchCopyW(\n\t\t\t\t\t\t\t(LPWSTR)((LPBYTE)pTracePropperties + pTracePropperties->LogFileNameOffset),\n\t\t\t\t\t\t\tm_strLogFile.GetLength() + 1,\n\t\t\t\t\t\t\tm_strLogFile.GetString());\n\n\t\t\t\t\tpTracePropperties->LoggerNameOffset 
=\n\t\t\t\t\t\t\t\t\t\t\tpTracePropperties->LogFileNameOffset + \n\t\t\t\t\t\t\t\t\t\t\t\t\t(m_strLogFile.GetLength() + 1) * 2;\n\n\t\t\t\t\tStringCchCopyW(\n\t\t\t\t\t\t(LPWSTR)((LPBYTE)pTracePropperties + pTracePropperties->LoggerNameOffset), \n\t\t\t\t\t\tm_strSessionName.GetLength() + 1, \n\t\t\t\t\t\tm_strSessionName.GetString());\n\n\t\t\t\t\t// start and enable trace\n\t\t\t\t\thr = AtlHresultFromWin32(\n\t\t\t\t\t\tStartTrace(\n\t\t\t\t\t\t\t&m_hSession, \n\t\t\t\t\t\t\tm_strSessionName,\n\t\t\t\t\t\t\tpTracePropperties));\n\n\t\t\t\t\tif(SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\thr = AtlHresultFromWin32(\n\t\t\t\t\t\t\t\t\t\tEnableTrace(\n\t\t\t\t\t\t\t\t\t\t\t\tTRUE, \n\t\t\t\t\t\t\t\t\t\t\t\t0, \n\t\t\t\t\t\t\t\t\t\t\t\tTRACE_LEVEL_VERBOSE,\n\t\t\t\t\t\t\t\t\t\t\t\t&m_provider_guid,\n\t\t\t\t\t\t\t\t\t\t\t\tm_hSession));\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\thr = E_INVALIDARG;\n\t\t}\n\t}\n\n\treturn hr;\n}\n\n\nHRESULT CEventLogger::DeInit()\n{ \n\tHRESULT hr = S_OK; \n\tif(NULL != m_hSession) \n\t{ \n\t\t// Disable provider \n\t\thr = AtlHresultFromWin32(\n\t\t\t\t\t\tEnableTrace(\n\t\t\t\t\t\t\t\t\tFALSE, \n\t\t\t\t\t\t\t\t\t0, \n\t\t\t\t\t\t\t\t\t0, \n\t\t\t\t\t\t\t\t\t&m_provider_guid,\n\t\t\t\t\t\t\t\t\tm_hSession));\n\n\t\t// Stop trace\n\t\thr = AtlHresultFromWin32(\n\t\t\tControlTrace(\n\t\t\tm_hSession, \n\t\t\tm_strSessionName,\n\t\t\t(PEVENT_TRACE_PROPERTIES)m_sessiondata.GetData(),\n\t\t\tEVENT_TRACE_CONTROL_STOP)\n\t\t\t);\n\t}\n\n\tif(NULL != m_hTrace)\n\t{\n\t\t// Unregister provider\n\t\thr = AtlHresultFromWin32(\n\t\t\t\t\tUnregisterTraceGuids(m_hTrace));\n\n\t\tm_hTrace = NULL;\n\t\tm_hSession = NULL;\n\t}\n\treturn hr;\n}\n\nvoid CEventLogger::Log(\n\tUCHAR nLevel, \n\tLPCTSTR lpszFormat,...)\n{ \n\tif(NULL != m_hSession && nLevel <= m_nLoggingLevel && m_eventdata.GetCount() > 0)\n\t{\n\t\tva_list args;\n\t\tva_start(args, lpszFormat);\n\t\tCString strLog; \n\t\tstrLog.FormatV(lpszFormat, 
args);\n\t\tva_end(args);\n\n\t\tPEVENT_TRACE_HEADER pEventHeader = (PEVENT_TRACE_HEADER)m_eventdata.GetData();\n\t\tPMOF_FIELD pMOF = (PMOF_FIELD)((LPBYTE)pEventHeader + sizeof(EVENT_TRACE_HEADER));\n\n\t\t// Put the string as binary into the first the only MOF structure\n\t\tpEventHeader->Class.Level = nLevel;\n\t\tpMOF->Length = (strLog.GetLength() + 1) * sizeof(TCHAR);\n\t\tpMOF->DataPtr = (ULONG64)strLog.GetString();\n\n\t\t// Write event\n\t\tHRESULT hr = AtlHresultFromWin32(\n\t\t\t\t\t\t\t\tTraceEvent(\n\t\t\t\t\t\t\t\t\t\tm_hSession, \n\t\t\t\t\t\t\t\t\t\tpEventHeader)\n\t\t\t\t\t\t\t\t\t\t);\n\t}\n}\n\nULONG CEventLogger::ControlCallback(\n\tWMIDPREQUESTCODE nRequestCode, \n\tPVOID pContext, \n\tULONG* Reserved, \n\tPVOID pBuffer) \n{ \n\tif(NULL != pContext) \n\t\treturn ((CEventLogger*)pContext)->_ControlCallback(\n\t\tnRequestCode,\n\t\t(PWNODE_HEADER)pBuffer\n\t\t); \n\n\treturn ERROR_SUCCESS; \n}\n\n// Callback function which responses to logging control from ETW \nULONG CEventLogger::_ControlCallback(\n\tWMIDPREQUESTCODE nRequestCode, \n\tPWNODE_HEADER pHeader) \n{ \n\tif(WMI_ENABLE_EVENTS == nRequestCode) \n\t{\n\t\tm_bLoggingEnabled = TRUE; \n\t\tm_hSession = GetTraceLoggerHandle(pHeader);\n\t\tif(NULL != m_hSession)\n\t\t\tm_nLoggingLevel = GetTraceEnableLevel(m_hSession);\n\t} \n\telse if(WMI_DISABLE_EVENTS == nRequestCode)\n\t{\n\t\tm_bLoggingEnabled = FALSE;\n\t\tm_hSession = 0; \n\t} \n\n\treturn ERROR_SUCCESS;\n}"
  },
  {
    "path": "Sysmon/CEventLogger.h",
    "content": "#ifndef _CEventLogger_h\n#define _CEventLogger_h\n#include <CGuid.h>\n#include <atlbase.h>\n#include <atlstr.h> \n#include <atlcoll.h>\n#include <Wmistr.h>\n#include <Evntrace.h>\n\nclass CEventLogger\n{\npublic: \n\tCEventLogger(void);\n\tvirtual ~CEventLogger(void);\n\n\tHRESULT Init(\n\t\t\t\tLPCTSTR lpszLogFile,\n\t\t\t\tLPCTSTR lpszSessionName,\n\t\t\t\tGUID *pguid = NULL);\n\n\tHRESULT DeInit();\n\n\tvoid Log(UCHAR nLevel, LPCTSTR lpszFormat,...);\n\nprotected: \n\tstatic \n\t\tULONG\n\t\tWINAPI ControlCallback(\n\t\tWMIDPREQUESTCODE nRequestCode,\n\t\tPVOID pContext,\n\t\tULONG* Reserved,\n\t\tPVOID pBuffer);\n\n\tULONG _ControlCallback(\n\t\tWMIDPREQUESTCODE nRequestCode, \n\t\tPWNODE_HEADER pHeader);\n\n\tGUID m_provider_guid;\n\tTRACEHANDLE m_hTrace;\n\tTRACEHANDLE m_hSession;\n\tBOOL m_bLoggingEnabled;\n\tUCHAR m_nLoggingLevel;\n\tCAtlArray<BYTE> m_eventdata;\n\tGUID m_session_guid;\n\tCStringW m_strLogFile;\n\tCStringW m_strSessionName;\n\tCAtlArray<BYTE> m_sessiondata;\n};\n\n#endif\n\n"
  },
  {
    "path": "Sysmon/CMofDataParser.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CMofDataParser.h\"\n#include \"Sysmon.h\"\n#include <WinSock2.h>\n#include <in6addr.h>\n\n#define SeLengthSid( Sid ) (8 +(4*((SID*)Sid)->SubAuthorityCount))\n\n#pragma comment (lib,\"Ws2_32.lib\")\nCMofDataParser::CMofDataParser(void)\n\t:m_pServices(NULL)\n{\n\tInitializeListHead(&m_ModDataList);\n}\n\nCMofDataParser::~CMofDataParser(void)\n{\n\t\n}\n\nCMofDataParser* CMofDataParser::Instance()\n{\n\n\n\tif ( !m_pServices)\n\t{\n\t\tif(FAILED(Connect(\n\t\t\tBSTR(_T(\"root\\\\wmi\")))))\n\t\t{\n\t\t\treturn NULL;\n\t\t}\n\t}\n\n\treturn this;\n}\n\nHRESULT CMofDataParser::Connect(\n\tBSTR bstrNamespace\n\t)\n{\n\tHRESULT hr = S_OK;\n\tIWbemLocator* pLocator = NULL;\n\n\thr = CoInitialize(0);\n\n\thr = CoCreateInstance(__uuidof(WbemLocator),\n\t\t0,\n\t\tCLSCTX_INPROC_SERVER,\n\t\t__uuidof(IWbemLocator),\n\t\t(LPVOID*) &pLocator);\n\n\tif (FAILED(hr))\n\t{\n\t\tgoto cleanup;\n\t}\n\n\thr = pLocator->ConnectServer(bstrNamespace,\n\t\tNULL,\n\t\tNULL,\n\t\tNULL,\n\t\t0L,\n\t\tNULL,\n\t\tNULL,\n\t\t&m_pServices);\n\n\tif (FAILED(hr))\n\t{\n\t\tgoto cleanup;\n\t}\n\n\thr = CoSetProxyBlanket(m_pServices,\n\t\tRPC_C_AUTHN_WINNT,\n\t\tRPC_C_AUTHZ_NONE,\n\t\tNULL,\n\t\tRPC_C_AUTHN_LEVEL_PKT, \n\t\tRPC_C_IMP_LEVEL_IMPERSONATE,\n\t\tNULL, \n\t\tEOAC_NONE);\n\n\tif (FAILED(hr))\n\t{\n\t\tm_pServices->Release();\n\t\tm_pServices = NULL;\n\t}\n\ncleanup:\n\n\tif (pLocator)\n\t\tpLocator->Release();\n\n\treturn hr;\n}\n\nBOOL CMofDataParser::Parse( \n\t\t\t\t\t\tPEVENT_TRACE pEvent,\n\t\t\t\t\t\tCMofParseRes& Result )\n{\n\tTCHAR ClassGuid[50] = {0};\n\tSYSTEMTIME st = {0};\n\t\n\tFILETIME ft = {0};\n\tIWbemClassObject* pEventCategoryClass = NULL;\n\tCMofParseRes* pEventRes = NULL;\n\tPROPERTY_LIST* pProperties = NULL;\n\tDWORD PropertyCount = 0;\n\tLONG pPropertyIndex[30] = {0};\n\tPBYTE pEventData = NULL;  \n\tPBYTE pEndOfEventData = NULL;\n\n\tif (!Instance())\n\t{\n\t\treturn 
NULL;\n\t}\n\n\tStringFromGUID2(\n\t\t\t\tpEvent->Header.Guid,\n\t\t\t\tClassGuid, \n\t\t\t\tsizeof(ClassGuid));\n\t\n\tft.dwHighDateTime = pEvent->Header.TimeStamp.HighPart;\n\tft.dwLowDateTime = pEvent->Header.TimeStamp.LowPart;\n\n\tif (pEvent->MofLength <= 0)\n\t{\n\t\treturn FALSE;\n\t}\n\n\n\tfor ( LIST_ENTRY* pEntry = m_ModDataList.Flink;\n\t\tpEntry != &m_ModDataList;\n\t\tpEntry = pEntry->Flink)\n\t{\n\t\tCMofParseRes* pRes = CONTAINING_RECORD(\n\t\t\t\t\t\t\t\t\t\t\tpEntry,\n\t\t\t\t\t\t\t\t\t\t\tCMofParseRes,\n\t\t\t\t\t\t\t\t\t\t\tm_Entry);\n\n\t\tif (pRes)\n\t\t{\n\t\t\tif (pRes)\n\t\t\t{\n\t\t\t\tif (pRes->m_MofHeader.MofVsersion == pEvent->Header.Class.Version &&\n\t\t\t\t\tpRes->m_MofHeader.MofType == pEvent->Header.Class.Type)\n\t\t\t\t{\n\t\t\t\t\tif (pEvent->Header.Guid.Data1 == pRes->m_MofHeader.MofGuid.Data1 &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data2 == pRes->m_MofHeader.MofGuid.Data2 &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data3 == pRes->m_MofHeader.MofGuid.Data3 &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[0] == pRes->m_MofHeader.MofGuid.Data4[0] &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[1] == pRes->m_MofHeader.MofGuid.Data4[1] &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[2] == pRes->m_MofHeader.MofGuid.Data4[2] &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[3] == pRes->m_MofHeader.MofGuid.Data4[3] &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[4] == pRes->m_MofHeader.MofGuid.Data4[4] &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[5] == pRes->m_MofHeader.MofGuid.Data4[5] &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[6] == pRes->m_MofHeader.MofGuid.Data4[6] &&\n\t\t\t\t\t\tpEvent->Header.Guid.Data4[7] == pRes->m_MofHeader.MofGuid.Data4[7])\n\t\t\t\t\t{\n\t\t\t\t\t\tResult = *pRes;\n\t\t\t\t\t\treturn TRUE;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tFileTimeToSystemTime(\n\t\t&ft,\n\t\t&st);\n\tSystemTimeToTzSpecificLocalTime(\n\t\tNULL,\n\t\t&st,\n\t\t&Result.m_MofHeader.MofLocal);\n\n\n\tpEventCategoryClass = 
GetEventCategoryClass(\n\t\t\t\t\t\t\t\t\tBSTR(ClassGuid),\n\t\t\t\t\t\t\t\t\tpEvent->Header.Class.Version);\n\tif (pEventCategoryClass)\n\t{\n\n\t\tpEventRes = GetEventClassPropertyList(\n\t\t\t\t\t\tpEventCategoryClass,\n\t\t\t\t\t\tpEvent->Header.Guid,\n\t\t\t\t\t\tpEvent->Header.Class.Version,\n\t\t\t\t\t\tpEvent->Header.Class.Level,\n\t\t\t\t\t\tpEvent->Header.Class.Type);\n\n\t\tpEventCategoryClass->Release();\n\t\tpEventCategoryClass = NULL;\n\n\t\tif (pEventRes)\n\t\t{\n\t\t\tResult = *pEventRes;\n// \t\t\tif (GetPropertyList(\n// \t\t\t\t\t\tpEventClass,\n// \t\t\t\t\t\t&pProperties,\n// \t\t\t\t\t\t&PropertyCount,\n// \t\t\t\t\t\tpPropertyIndex ))\n// \t\t\t{\n// \t\t\t\t\n// \t\t\t\tpEventData = (PBYTE)(pEvent->MofData);\n// \t\t\t\tpEndOfEventData = ((PBYTE)(pEvent->MofData) + pEvent->MofLength);\n// \n// \t\t\t\tif ( PropertyCount )\n// \t\t\t\t{\n// \t\t\t\t\tResult.m_MofProperty = new MOF_ITEM[PropertyCount];\n// \t\t\t\t\tif (Result.m_MofProperty)\n// \t\t\t\t\t{\n// \t\t\t\t\t\tZeroMemory(\n// \t\t\t\t\t\t\tResult.m_MofProperty,\n// \t\t\t\t\t\t\tsizeof(MOF_ITEM) * \n// \t\t\t\t\t\t\tPropertyCount);\n// \t\t\t\t\t}\n// \t\t\t\t}\n// \n// \t\t\t\tif ( Result.m_MofProperty )\n// \t\t\t\t{\n// \t\t\t\t\tfor (LONG i = 0; (DWORD)i < PropertyCount; i++)\n// \t\t\t\t\t{\n// \n// \t\t\t\t\t\tif ( !(0 <= pPropertyIndex[i] &&\n// \t\t\t\t\t\t\tpPropertyIndex[i] <= PropertyCount ))\n// \t\t\t\t\t\t{\n// \t\t\t\t\t\t\tbreak;\n// \t\t\t\t\t\t}\n// \n// \t\t\t\t\t\tGetPropertyName( \n// \t\t\t\t\t\t\t\t&pProperties[pPropertyIndex[i]],\n// \t\t\t\t\t\t\t\tResult.m_MofProperty[i].Name);\n// \n// \t\t\t\t\t\tpEventData =  GetPropertyValue(\n// \t\t\t\t\t\t\t\t\t\t\t&pProperties[pPropertyIndex[i]], \n// \t\t\t\t\t\t\t\t\t\t\t*(Result.GetItem(i)),\n// \t\t\t\t\t\t\t\t\t\t\tpEventData, \n// \t\t\t\t\t\t\t\t\t\t\t(USHORT)(pEndOfEventData - pEventData));\n// \n// \t\t\t\t\t\tif (NULL == pEventData)\n// \t\t\t\t\t\t{\n// \t\t\t\t\t\t\tbreak;\n// \t\t\t\t\t\t}\n// \n// 
\t\t\t\t\t\tResult.m_MofHeader.MofCount = (i + 1);\n// \t\t\t\t\t}\n// \t\t\t\t}\t\t\t\t\n// \n// \t\t\t\tFreePropertyList(\n// \t\t\t\t\t\t\tpProperties,\n// \t\t\t\t\t\t\tPropertyCount);\n// \t\t\t}\n\n\t\t\treturn TRUE;\n\t\t}\n\t}\n\n\treturn FALSE;\n}\n\n\nIWbemClassObject* \nCMofDataParser::GetEventCategoryClass(\n\t\t\t\t\t\t\t\tBSTR bstrClassGuid,\n\t\t\t\t\t\t\t\tint Version)\n{\n\tHRESULT hr = S_OK;\n\tHRESULT hrQualifier = S_OK;\n\tIEnumWbemClassObject* pClasses = NULL;\n\tIEnumWbemClassObject* pClasses_2 = NULL;\n\tIWbemClassObject* pClass = NULL;\n\tIWbemClassObject* pClass_2 = NULL;\n\tIWbemQualifierSet* pQualifiers = NULL;\n\tULONG cnt = 0;\n\tULONG cnt_2 = 0;\n\tVARIANT varGuid;\n\tVARIANT varVersion; \n\n\tVariantInit(&varGuid);\n\tVariantInit(&varVersion);\n\n\thr = m_pServices->CreateClassEnum(\n\t\t\t\t\t\tBSTR(_T(\"EventTrace\")), \n\t\t\t\t\t\tWBEM_FLAG_DEEP |\n\t\t\t\t\t\tWBEM_FLAG_FORWARD_ONLY |\n\t\t\t\t\t\tWBEM_FLAG_USE_AMENDED_QUALIFIERS,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t&pClasses);\n\n\tif (FAILED(hr))\n\t{\n\t\tgoto cleanup;\n\t}\n\n\t__try\n\t{\n\t\twhile (S_OK == hr)\n\t\t{\n\t\t\tif (pClass)\n\t\t\t{\n\t\t\t\tpClass->Release();\n\t\t\t\tpClass = NULL;\n\t\t\t}\n\n\t\t\thr = pClasses->Next(WBEM_INFINITE, 1, &pClass, &cnt);\n\n\t\t\tif (FAILED(hr) || cnt != 1)\n\t\t\t{\n\t\t\t\tgoto cleanup;\n\t\t\t}\n\n\t\t\tVARIANT varCLassName;\n\t\t\tVariantInit(&varCLassName);\n\t\t\tif (FAILED(pClass->Get(BSTR(_T(\"__CLASS\")),0,&varCLassName,0,0)))\n\t\t\t{\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tm_pServices->CreateClassEnum(\n\t\t\t\tvarCLassName.bstrVal,\n\t\t\t\tWBEM_FLAG_DEEP | \n\t\t\t\tWBEM_FLAG_UPDATE_ONLY | \n\t\t\t\tWBEM_FLAG_USE_AMENDED_QUALIFIERS,\n\t\t\t\t0,\n\t\t\t\t&pClasses_2);\n\n\t\t\tVariantClear(&varCLassName);\n\n\t\t\tcnt_2 = 1;\n\n\t\t\tdo \n\t\t\t{\n\t\t\t\t\n\t\t\t\tif (pClasses_2)\n\t\t\t\t{\n\t\t\t\t\tif ( pClasses_2->Next(5000, 1, &pClass_2, &cnt_2) != S_OK )\n\t\t\t\t\t\tcontinue;\n\n\t\t\t\t\tif ( cnt_2 != 1 
)\n\t\t\t\t\t\tbreak;\t\t\t\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tpClass_2 = pClass;\n\t\t\t\t\tcnt_2 = 1;\n\t\t\t\t}\n\n\t\t\t\tHRESULT hr2 = pClass_2->Get(BSTR(_T(\"__CLASS\")),0,&varCLassName,0,0);\n\t\t\t\tVariantClear(&varCLassName);\n\n\t\t\t\tif (SUCCEEDED(hr2))\n\t\t\t\t{\n\t\t\t\t\tif ( pQualifiers )\n\t\t\t\t\t{\n\t\t\t\t\t\tpQualifiers->Release();\n\t\t\t\t\t\tpQualifiers = 0;\n\t\t\t\t\t}\n\n\t\t\t\t\thrQualifier = pClass_2->GetQualifierSet(&pQualifiers);\n\n\t\t\t\t\tif (pQualifiers)\n\t\t\t\t\t{\n\t\t\t\t\t\thrQualifier = pQualifiers->Get(L\"Guid\", 0, &varGuid, NULL);\n\n\t\t\t\t\t\tif (SUCCEEDED(hrQualifier))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (_wcsicmp(varGuid.bstrVal, bstrClassGuid) == 0)\n\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\thrQualifier = pQualifiers->Get(L\"EventVersion\", 0, &varVersion, NULL);\n\n\t\t\t\t\t\t\t\tif (SUCCEEDED(hrQualifier))\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tVariantChangeType(&varVersion, &varVersion, 0, VT_I2);\n\t\t\t\t\t\t\t\t\tSHORT Ver = varVersion.iVal;\n\t\t\t\t\t\t\t\t\tVariantClear(&varVersion);\n\t\t\t\t\t\t\t\t\tif (Version == Ver)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t__leave; //found class\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tVariantClear(&varVersion);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse if (WBEM_E_NOT_FOUND == hrQualifier) \n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t__leave; //found class\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tVariantClear(&varGuid);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tpQualifiers->Release();\n\t\t\t\t\t\tpQualifiers = NULL;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (pClass_2)\n\t\t\t\t{\n\t\t\t\t\tpClass_2->Release();\n\t\t\t\t\tpClass_2 = NULL;\n\t\t\t\t}\n\n\t\t\t} while (cnt_2 == 1);\n\n\t\t\tif (pClasses_2)\n\t\t\t{\n\t\t\t\tpClasses_2->Release();\n\t\t\t\tpClasses_2 = NULL;\n\t\t\t}\t\t\n\t\t} \n\t}\n\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t{\n\n\t}\n\ncleanup:\n\n\tif (pClasses_2)\n\t{\n\t\tpClasses_2->Release();\n\t\tpClasses_2 = NULL;\n\t}\n\n\tif 
(pClasses)\n\t{\n\t\tpClasses->Release();\n\t\tpClasses = NULL;\n\t}\n\n\tif (pQualifiers)\n\t{\n\t\tpQualifiers->Release();\n\t\tpQualifiers = NULL;\n\t}\n\n\tif (pClass)\n\t{\n\t\tpClass->Release();\n\t\tpClass = NULL;\n\t}\n\n\tVariantClear(&varVersion);\n\tVariantClear(&varGuid);\n\n\treturn pClass_2;\n}\n\nCMofParseRes* \nCMofDataParser::GetEventClassPropertyList(\n\t\t\t\t\t\tIWbemClassObject* pEventCategoryClass,\n\t\t\t\t\t\tGUID& Guid,\n\t\t\t\t\t\tUSHORT Version,\n\t\t\t\t\t\tUSHORT Level,\n\t\t\t\t\t\tUSHORT EventType)\n{\n\tHRESULT hr = S_OK;\n\tHRESULT hrQualifier = S_OK;\n\tIEnumWbemClassObject* pClasses = NULL;\n\tIWbemClassObject* pClass = NULL;\n\tIWbemQualifierSet* pQualifiers = NULL;\n\tBOOL FoundEventClass = FALSE;\n\tCMofParseRes* pMofParseRes = NULL;\n\tOLECHAR szClassName[100] = {0};\n\tULONG cnt = 0;\n\tVARIANT varClassName;\n\tVARIANT varEventType;\n\tVARIANT\tvarDisplayName;\n\t\n\tLIST_ENTRY pList;\n\n\tInitializeListHead(&pList);\n\tVariantInit(&varClassName);\n\tVariantInit(&varEventType);\n\tVariantInit(&varDisplayName);\n\n\thr = pEventCategoryClass->Get(_T(\"__CLASS\"), 0, &varClassName, NULL, NULL);\n\n\tif (FAILED(hr))\n\t{\n\t\tgoto cleanup;\n\t}\n\n\tStringCchCopy(\n\t\t\t\tszClassName,\n\t\t\t\t100,\n\t\t\t\tvarClassName.bstrVal);\n\n\tif (pQualifiers)\n\t{\n\t\tpQualifiers->Release();\n\t\tpQualifiers = NULL;\n\t}\n\n\tpEventCategoryClass->GetQualifierSet(&pQualifiers);\n\n\tif (pQualifiers && !pQualifiers->Get(\n\t\tBSTR(_T(\"DisplayName\")),\n\t\t0,\n\t\t&varDisplayName,\n\t\t0) && varDisplayName.lVal )\n\t{\n\t\tStringCchCopy(\n\t\t\t\tszClassName,\n\t\t\t\tMAX_PATH,\n\t\t\t\tvarDisplayName.bstrVal);\n\t}\n\n\thr = m_pServices->CreateClassEnum(varClassName.bstrVal, \n\t\tWBEM_FLAG_DEEP | \n\t\tWBEM_FLAG_UPDATE_ONLY | \n\t\tWBEM_FLAG_USE_AMENDED_QUALIFIERS,\n\t\tNULL, \n\t\t&pClasses);\n\n\tif (FAILED(hr))\n\t{\t\t\n\t\tgoto cleanup;\n\t}\n\n\twhile (S_OK == hr)\n\t{\n\t\thr = pClasses->Next(WBEM_INFINITE, 1, &pClass, 
&cnt);\n\n\t\tif (hr != S_OK)\n\t\t{\n\t\t\tgoto cleanup;\n\t\t}\n\n\t\tif (cnt != 1)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\tif (pQualifiers)\n\t\t{\n\t\t\tpQualifiers->Release();\n\t\t\tpQualifiers = NULL;\n\t\t}\n\n\t\thrQualifier = pClass->GetQualifierSet(&pQualifiers);\n\n\t\tif (FAILED(hrQualifier))\n\t\t{\t\t\t\n\t\t\tpClass->Release();\n\t\t\tpClass = NULL;\n\t\t\tgoto cleanup;\n\t\t}\n\n\t\thrQualifier = pQualifiers->Get(L\"EventType\", 0, &varEventType, NULL);\n\n\t\tif (FAILED(hrQualifier))\n\t\t{\n\t\t\t\n\t\t\tpClass->Release();\n\t\t\tpClass = NULL;\n\t\t\tgoto cleanup;\n\t\t}\n\n\t\t// If multiple events provide the same data, the EventType qualifier\n\t\t// will contain an array of types. Loop through the array and find a match.\n\n\t\tif (varEventType.vt & VT_ARRAY)\n\t\t{\n\t\t\tHRESULT hrSafe = S_OK;\n\t\t\t\n\t\t\tSAFEARRAY* pEventTypes = varEventType.parray;\n\t\t\tVARIANT vargTypeName;\n\t\t\tVariantInit(&vargTypeName);\n\t\t\tif ( pQualifiers->Get(\n\t\t\t\tBSTR(_T(\"EventTypeName\")),\n\t\t\t\t0,\n\t\t\t\t&vargTypeName, \n\t\t\t\t0) == S_OK &&\n\t\t\t\tvargTypeName.vt & VT_ARRAY )\n\t\t\t{\n\t\t\t\tSAFEARRAY* pEventNames = vargTypeName.parray;\n\t\t\t\tBSTR* ppvData = NULL;\n\t\t\t\t\n\n\t\t\t\tif (pEventNames && pEventTypes &&\n\t\t\t\t\tpEventNames->rgsabound->cElements &&\n\t\t\t\t\tpEventTypes->rgsabound->cElements &&\n\t\t\t\t\tpEventTypes->rgsabound->cElements ==\n\t\t\t\t\tpEventNames->rgsabound->cElements)\n\t\t\t\t{\n\t\t\t\t\tSafeArrayAccessData(\n\t\t\t\t\t\t\t\t\tpEventNames,\n\t\t\t\t\t\t\t\t\t(void**)&ppvData);\n\n\t\t\t\t\tfor (LONG i = 0; (ULONG)i < pEventTypes->rgsabound->cElements; i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tint ClassEventType = 0;\n\t\t\t\t\t\thrSafe = SafeArrayGetElement(pEventTypes, &i, &ClassEventType);\n\n\t\t\t\t\t\tCMofParseRes* pMofParseRes2 = (CMofParseRes*)malloc(sizeof(CMofParseRes));\n\n\t\t\t\t\t\tif 
(pMofParseRes2)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tZeroMemory(pMofParseRes2,sizeof(CMofParseRes));\n\n\t\t\t\t\t\t\tInitializeListHead(&pMofParseRes2->m_MofPropertyList);\n\t\t\t\t\t\t\tpMofParseRes2->m_MofHeader.MofClassName = SysAllocString(szClassName);\n\t\t\t\t\t\t\tmemcpy(\n\t\t\t\t\t\t\t\t&pMofParseRes2->m_MofHeader.MofGuid,\n\t\t\t\t\t\t\t\t&Guid,\t\t\t \n\t\t\t\t\t\t\t\tsizeof(GUID));\n\n\t\t\t\t\t\t\tpMofParseRes2->m_MofHeader.MofType = ClassEventType;\n\t\t\t\t\t\t\tpMofParseRes2->m_MofHeader.MofLevel = Level;\n\t\t\t\t\t\t\tpMofParseRes2->m_MofHeader.MofVsersion = Version;\n\t\t\t\t\t\t\tpMofParseRes2->m_MofHeader.MofTypeName = SysAllocString(ppvData[i]);\n\t\t\t\t\t\t\tInsertTailList(&pList,&pMofParseRes2->m_Entry);\n\n\t\t\t\t\t\t\tif (ClassEventType == EventType)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpMofParseRes = pMofParseRes2;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\t\t\t\t\t\t\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t}\n\n\t\t\tVariantClear(&vargTypeName);\n\t\t}\n\t\telse\n\t\t{\n\t\t\tVARIANT vargTypeName;\n\t\t\tVariantInit(&vargTypeName);\n\t\t\tif ( pQualifiers->Get(\n\t\t\t\tBSTR(_T(\"EventTypeName\")),\n\t\t\t\t0,\n\t\t\t\t&vargTypeName, \n\t\t\t\t0) == S_OK )\n\t\t\t{\n\t\t\t\tVariantChangeType(&varEventType, &varEventType, 0, VT_I2);\n\t\t\t\tUSHORT vType = varEventType.iVal;\n\n\t\t\t\tCMofParseRes* pMofParseRes2 = (CMofParseRes*)malloc(sizeof(CMofParseRes));\n\n\t\t\t\tif (pMofParseRes2)\n\t\t\t\t{\n\t\t\t\t\tZeroMemory(pMofParseRes2,sizeof(CMofParseRes));\n\t\t\t\t\tInitializeListHead(&pMofParseRes2->m_MofPropertyList);\n\t\t\t\t\tpMofParseRes2->m_MofHeader.MofClassName = SysAllocString(szClassName);\n\t\t\t\t\tmemcpy(\n\t\t\t\t\t\t&pMofParseRes2->m_MofHeader.MofGuid,\n\t\t\t\t\t\t&Guid,\t\t\t \n\t\t\t\t\t\tsizeof(GUID));\n\n\t\t\t\t\tpMofParseRes2->m_MofHeader.MofType = vType;\n\t\t\t\t\tpMofParseRes2->m_MofHeader.MofLevel = Level;\n\t\t\t\t\tpMofParseRes2->m_MofHeader.MofVsersion = Version;\n\t\t\t\t\tpMofParseRes2->m_MofHeader.MofTypeName = 
SysAllocString(vargTypeName.bstrVal);\n\n\t\t\t\t\tInsertTailList(&pList,&pMofParseRes2->m_Entry);\n\n\t\t\t\t\tif (vType == EventType)\n\t\t\t\t\t{\n\t\t\t\t\t\t//FoundEventClass = TRUE;\n\t\t\t\t\t\tpMofParseRes = pMofParseRes2;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tVariantClear(&vargTypeName);\n\n\t\t\t\n\t\t}\n\t\tVariantClear(&varEventType);\n\n\t\tSAFEARRAY* pNames = NULL;\n\t\tVARIANT QualifierVal;\n\t\tVariantInit(&QualifierVal);\n\t\tQualifierVal.vt = VT_I4;\n\t\tQualifierVal.lVal = 1;\n\t\tLONG rgIndices = 0;\t\n\n\t\twhile(TRUE)\n\t\t{\n\t\t\thr = pClass->GetNames(\n\t\t\t\t(BSTR)_T(\"WmiDataId\"),\n\t\t\t\tWBEM_FLAG_ONLY_IF_IDENTICAL,\n\t\t\t\t&QualifierVal,\n\t\t\t\t&pNames);\n\n\t\t\tif (hr != S_OK)\n\t\t\t{\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (!pNames->rgsabound->cElements)\n\t\t\t{\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\trgIndices = 0;\n\t\t\tdo \n\t\t\t{\n\t\t\t\tBSTR pvElement = NULL;\n\t\t\t\tCIMTYPE QualifierType = 0;\n\t\t\t\tif ( SafeArrayGetElement(pNames, &rgIndices, &pvElement) ||\n\t\t\t\t\tpClass->Get(pvElement, 0, 0, &QualifierType, 0))\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\n\t\t\t\tif ( pQualifiers )\n\t\t\t\t{\n\t\t\t\t\tpQualifiers->Release();\n\t\t\t\t\tpQualifiers = 0;\n\t\t\t\t}\n\n\t\t\t\tif(pClass->GetPropertyQualifierSet(pvElement,&pQualifiers))\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\n\t\t\t\tLONG dwLen = GetArrayValue(QualifierType,pQualifiers);\n\t\t\t\tLONG ArraySize = QualifierType & VT_ARRAY ? 
GetArraySize(pQualifiers) : 1;\n\n\t\t\t\tAddProperityList(\n\t\t\t\t\t\t\t\t&pList,\n\t\t\t\t\t\t\t\tpvElement,\n\t\t\t\t\t\t\t\tdwLen,\n\t\t\t\t\t\t\t\tArraySize);\n\t\t\t\trgIndices++;\n\n\t\t\t} while(rgIndices < pNames->rgsabound->cElements);\n\n\t\t\tQualifierVal.lVal++;\n\t\t\tSafeArrayDestroy(pNames);\n\t\t\tpNames = 0;\n\t\t}\t\t\n\t\t\n\t\tpClass->Release();\n\t\tpClass = NULL;\n\n\t\tAddGlobalEvent(&pList);\n\t}\n\ncleanup:\n\n\tif (pClass)\n\t{\n\t\tpClass->Release();\n\t\tpClass = NULL;\n\t}\n\n\tif (pClasses)\n\t{\n\t\tpClasses->Release();\n\t\tpClasses = NULL;\n\t}\n\n\tif (pQualifiers)\n\t{\n\t\tpQualifiers->Release();\n\t\tpQualifiers = NULL;\n\t}\n\t\n\tAddGlobalEvent(&pList);\n\n\tVariantClear(&varClassName);\n\tVariantClear(&varEventType);\n\tVariantClear(&varDisplayName);\n\n\treturn pMofParseRes;\n}\n\n\nBOOL CMofDataParser::GetPropertyList(\n\t\t\t\t\t\tIWbemClassObject* pClass, \n\t\t\t\t\t\tPROPERTY_LIST** ppProperties,\n\t\t\t\t\t\tDWORD* pPropertyCount,\n\t\t\t\t\t\tLONG* PropertyIndex)\n{\n\tHRESULT hr = S_OK;\n\tSAFEARRAY* pNames = NULL;\n\tLONG j = 0;\n\tVARIANT var;\n\n\t// Retrieve the property names.\n\n\thr = pClass->GetNames(\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tWBEM_FLAG_LOCAL_ONLY,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t&pNames);\n\tif (pNames)\n\t{\n\t\t*pPropertyCount = pNames->rgsabound->cElements;\n\n\t\t\n\t\t*ppProperties = new PROPERTY_LIST[*pPropertyCount];\t\n\n\t\tif ( NULL == *ppProperties)\n\t\t{\n\t\t\thr = E_OUTOFMEMORY;\n\t\t\tgoto cleanup;\n\t\t}\n\n\t\tZeroMemory(\n\t\t\t*ppProperties,\n\t\t\tsizeof(PROPERTY_LIST) * (*pPropertyCount)\n\t\t\t\t\t);\n\n\t\tfor (LONG i = 0; (ULONG)i < *pPropertyCount; i++)\n\t\t{\n\t\t\tPROPERTY_LIST* pCurProperList = &(*ppProperties)[i];\n\t\t\t\n\t\t\t__try\n\t\t\t{\n\t\t\t\thr = SafeArrayGetElement(\n\t\t\t\t\tpNames, \n\t\t\t\t\t&i,\n\t\t\t\t\t&(pCurProperList->Name));\n\n\t\t\t\tif (FAILED(hr))\n\t\t\t\t{\n\t\t\t\t\tgoto cleanup;\n\t\t\t\t} \n\n\t\t\t\t//Save the qualifiers. 
Used latter to help determine how to read the event data.\n\n\t\t\t\thr = pClass->GetPropertyQualifierSet(\n\t\t\t\t\tpCurProperList->Name,\n\t\t\t\t\t&(pCurProperList->pQualifiers));\n\t\t\t\tif (FAILED(hr))\n\t\t\t\t{\n\t\t\t\t\tgoto cleanup;\n\t\t\t\t} \n\n\t\t\t\thr = pCurProperList->pQualifiers->Get(\n\t\t\t\t\tL\"WmiDataId\",\n\t\t\t\t\t0,\n\t\t\t\t\t&var,\n\t\t\t\t\tNULL);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\tj = var.intVal - 1;\n\t\t\t\t\tVariantClear(&var);\n\t\t\t\t\t*(PropertyIndex + j ) = i;\n\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tgoto cleanup;\n\t\t\t\t}\n\n\t\t\t\thr = pClass->Get(\n\t\t\t\t\tpCurProperList->Name,\n\t\t\t\t\t0,\n\t\t\t\t\tNULL,\n\t\t\t\t\t&(pCurProperList->CimType),\n\t\t\t\t\tNULL);\n\n\t\t\t\tif (FAILED(hr))\n\t\t\t\t{\n\t\t\t\t\tgoto cleanup;\n\t\t\t\t} \n\t\t\t}\n\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t{\n\n\t\t\t}\n\t\t}\n\t}\n\ncleanup:\n\n\tif (pNames)\n\t{\n\t\tSafeArrayDestroy(pNames);\n\t}\n\n\tif (FAILED(hr))\n\t{\n\t\tif (*ppProperties)\n\t\t{\n\t\t\tFreePropertyList(\n\t\t\t\t\t\t*ppProperties,\n\t\t\t\t\t\t*pPropertyCount);\n\t\t}\n\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}\n\n\nvoid CMofDataParser::FreePropertyList(\n\t\t\t\tPROPERTY_LIST* pProperties,\n\t\t\t\tDWORD Count)\n{\n\tif(pProperties)\n\t{\n\t\tfor (DWORD i=0; i < Count; i++)\n\t\t{\n\t\t\tSysFreeString((pProperties+i)->Name);\n\n\t\t\tif ((pProperties+i)->pQualifiers)\n\t\t\t{\n\t\t\t\t(pProperties+i)->pQualifiers->Release();\n\t\t\t\t(pProperties+i)->pQualifiers = NULL;\n\t\t\t}\n\t\t}\n\n\t\tdelete[] pProperties;\n\t\tpProperties = NULL;\n\t}\n\n}\n\nvoid CMofDataParser::GetPropertyName(\n\t\t\t\t\t\tPROPERTY_LIST* pProperty,\n\t\t\t\t\t\tTCHAR* PropertyName)\n{\n\tHRESULT hr;\n\tVARIANT varDisplayName;\n\tVariantInit(&varDisplayName);\n\t__try\n\t{\n\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\tL\"DisplayName\",\n\t\t\t\t\t\t\t\t\t\t0, 
\n\t\t\t\t\t\t\t\t\t\t&varDisplayName,\n\t\t\t\t\t\t\t\t\t\tNULL);\n\n\t}\n\t__except (EXCEPTION_EXECUTE_HANDLER)\n\t{\n\t\thr = -1;\n\t}\n\t\n\n\t\n\tif (SUCCEEDED(hr))\n\t{\n\t\tPropertyName = SysAllocString(varDisplayName.bstrVal);\n\t}\n\telse\n\t{\n\t\tPropertyName = SysAllocString(pProperty->Name);\n\t}\n\t\n\tVariantClear(&varDisplayName);\n}\n\n\nPBYTE CMofDataParser::GetPropertyValue(\n\t\t\t\t\t\t\t\tPROPERTY_LIST*\tpProperty,\n\t\t\t\t\t\t\t\tMOF_ITEM&\t\tMofItem,\n\t\t\t\t\t\t\t\tPBYTE\t\t\tpEventData,\n\t\t\t\t\t\t\t\tUSHORT\t\t\tRemainingBytes)\n{\n\tHRESULT hr;\n\tVARIANT varQualifier;\n\tULONG ArraySize = 1;\n\tBOOL PrintAsChar = FALSE;\n\tBOOL PrintAsHex = FALSE;\n\tBOOL PrintAsIPAddress = FALSE; \n\tBOOL PrintAsPort = FALSE; \n\tBOOL IsWideString = FALSE;\n\tBOOL IsNullTerminated = FALSE;\n\tUSHORT StringLength = 0;\n\tMofItem.ArraySize = 0;\n\tMofItem.cValues = 0;\n\tMofItem.liValue.QuadPart = 0;\n\n\tif (SUCCEEDED(hr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\tL\"Pointer\",\n\t\t\t\t\t\t\t\t\t\t\t\t0, \n\t\t\t\t\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t\t\t\t\tNULL)) ||\n\t\tSUCCEEDED(hr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\tL\"PointerType\",\n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t\t\t\t\tNULL)))\n\t{\n\t\tif (m_PointerSize == 4) \n\t\t{\n\t\t\tULONG temp = 0;\n\n\t\t\tCopyMemory(\n\t\t\t\t\t&temp,\n\t\t\t\t\tpEventData,\n\t\t\t\t\tsizeof(ULONG));\n\n\t\t\tMofItem.Types = OTHER_VALUE;\n\t\t\tMofItem.liValue.LowPart = temp; \n\t\t}\n\t\telse\n\t\t{\n\t\t\tULONGLONG temp = 0;\n\n\t\t\tCopyMemory(\n\t\t\t\t\t&temp,\n\t\t\t\t\tpEventData,\n\t\t\t\t\tsizeof(ULONGLONG));\n\n\t\t\t\n\t\t\tMofItem.Types = OTHER_VALUE;\n\t\t\tMofItem.liValue.QuadPart = temp;\n\t\t}\n\n\t\tpEventData += m_PointerSize;\n\n\t\treturn pEventData;\n\t}\n\telse\n\t{\n\t\t\n\t\tif (pProperty->CimType & CIM_FLAG_ARRAY)\n\t\t{\n\t\t\thr = 
pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\tL\"MAX\",\n\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t&varQualifier,\n\t\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\tif (SUCCEEDED(hr))\n\t\t\t{\n\t\t\t\tArraySize = varQualifier.intVal;\n\t\t\t\tVariantClear(&varQualifier);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t//wprintf(L\"Failed to retrieve the MAX qualifier. Terminating.\\n\");\n\t\t\t\treturn NULL;\n\t\t\t}\n\t\t}\n\n\t\t// The CimType is the data type of the property.\n\n\t\tswitch(pProperty->CimType & (~CIM_FLAG_ARRAY))\n\t\t{\n\t\tcase CIM_SINT32:\n\t\t\t{\n\t\t\t\tLONG temp = 0;\n\t\t\t\tMofItem.u32ArrayValue = new uint32[ArraySize];\n\n\t\t\t\tif ( MofItem.u32ArrayValue)\n\t\t\t\t{\n\t\t\t\t\tfor ( ULONG i = 0 ; i < ArraySize ;  i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t&temp,\n\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\tsizeof(LONG));\n\n\t\t\t\t\t\tMofItem.u32ArrayValue[i] = temp;\n\t\t\t\t\t\t\n\t\t\t\t\t\tpEventData += sizeof(LONG);\n\t\t\t\t\t}\n\n\t\t\t\t\tMofItem.Types = UINT32_ARRAY_VALUE;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\treturn NULL;\n\t\t\t\t}\n\n\t\t\t\t\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_UINT32:\n\t\t\t{\n\t\t\t\tULONG temp = 0;\n\n\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\tL\"Extension\",\n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t&varQualifier,\n\t\t\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\t\n\t\t\t\t\tif (_wcsicmp(L\"IPAddr\", varQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tPrintAsIPAddress = TRUE;\n\t\t\t\t\t}\n\n\t\t\t\t\tVariantClear(&varQualifier);\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\t\tL\"Format\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\tPrintAsHex = TRUE;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tMofItem.u32ArrayValue = new 
uint32[ArraySize];\n\n\t\t\t\tif ( MofItem.u32ArrayValue)\n\t\t\t\t{\n\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tCopyMemory(&temp, pEventData, sizeof(ULONG));\n\n\t\t\t\t\t\tif (PrintAsIPAddress)\n\t\t\t\t\t\t{\n// \t\t\t\t\t\t\twprintf(L\"%03d.%03d.%03d.%03d\\n\", (temp >>  0) & 0xff,\n// \t\t\t\t\t\t\t\t(temp >>  8) & 0xff,\n// \t\t\t\t\t\t\t\t(temp >>  16) & 0xff,\n// \t\t\t\t\t\t\t\t(temp >>  24) & 0xff);\n\n\t\t\t\t\t\t\tMofItem.u32ArrayValue[i] = temp;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse if (PrintAsHex)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t//wprintf(L\"0x%x\\n\", temp);\n\t\t\t\t\t\t\tMofItem.u32ArrayValue[i] = temp;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t//wprintf(L\"%lu\\n\", temp);\n\t\t\t\t\t\t\tMofItem.u32ArrayValue[i] = temp;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tpEventData += sizeof(ULONG);\n\t\t\t\t\t}\n\n\n\t\t\t\t\tMofItem.Types = UINT32_ARRAY_VALUE;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\treturn NULL;\n\t\t\t\t}\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_SINT64:\n\t\t\t{\n\t\t\t\tLONGLONG temp = 0;\n\n\t\t\t\tfor (ULONG i=0; i < ArraySize; i++)\n\t\t\t\t{\n\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t&temp,\n\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\tsizeof(LONGLONG));\n\t\t\t\t\t//wprintf(L\"%I64d\\n\", temp);\n\t\t\t\t\tMofItem.liValue.QuadPart = temp;\n\t\t\t\t\tMofItem.Types = OTHER_VALUE;\n\t\t\t\t\tpEventData += sizeof(LONGLONG);\n\t\t\t\t}\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_UINT64:\n\t\t\t{\n\t\t\t\tULONGLONG temp = 0;\n\n\t\t\t\tfor (ULONG i=0; i < ArraySize; i++)\n\t\t\t\t{\n\t\t\t\t\tCopyMemory(&temp, pEventData, sizeof(ULONGLONG));\n\t\t\t\t\t//wprintf(L\"%I64u\\n\", temp);\n\t\t\t\t\tMofItem.liValue.QuadPart = temp;\n\t\t\t\t\tMofItem.Types = OTHER_VALUE;\n\n\t\t\t\t\tpEventData += sizeof(ULONGLONG);\n\t\t\t\t}\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_STRING:\n\t\t\t{\n\t\t\t\tUSHORT temp = 0;\n\n\t\t\t\tif( 
_wcsicmp(\n\t\t\t\t\t\t_T(\"ApplicationId\"),\n\t\t\t\t\t\tMofItem.Name))\n\t\t\t\t{\n\t\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\tL\"Format\",\n\t\t\t\t\t\t0, \n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tNULL);\n\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\tIsWideString = TRUE;\n\t\t\t\t\t}\n\n\t\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\tL\"StringTermination\",\n\t\t\t\t\t\t0,\n\t\t\t\t\t\t&varQualifier, \n\t\t\t\t\t\tNULL);\n\n\t\t\t\t\tif (FAILED(hr) || (_wcsicmp(\n\t\t\t\t\t\tvarQualifier.bstrVal,\n\t\t\t\t\t\tL\"NullTerminated\") == 0))\n\t\t\t\t\t{\n\t\t\t\t\t\tIsNullTerminated = TRUE;\n\t\t\t\t\t}\n\t\t\t\t\telse if (_wcsicmp(\n\t\t\t\t\t\tvarQualifier.bstrVal,\n\t\t\t\t\t\tL\"Counted\") == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\t// First two bytes of the string contain its length.\n\n\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t&StringLength, \n\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\tsizeof(USHORT));\n\n\t\t\t\t\t\tpEventData += sizeof(USHORT);\n\t\t\t\t\t}\n\t\t\t\t\telse if (_wcsicmp(\n\t\t\t\t\t\tvarQualifier.bstrVal,\n\t\t\t\t\t\tL\"ReverseCounted\") == 0)\n\t\t\t\t\t{\n\n\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t&temp,\n\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\tsizeof(USHORT));\n\n\t\t\t\t\t\tStringLength = MAKEWORD(\n\t\t\t\t\t\t\tHIBYTE(temp), \n\t\t\t\t\t\t\tLOBYTE(temp));\n\n\t\t\t\t\t\tpEventData += sizeof(USHORT);\n\t\t\t\t\t}\n\t\t\t\t\telse if (_wcsicmp(\n\t\t\t\t\t\tvarQualifier.bstrVal,\n\t\t\t\t\t\tL\"NotCounted\") == 0)\n\t\t\t\t\t{\n\n\t\t\t\t\t\tStringLength = RemainingBytes;\n\t\t\t\t\t}\n\n\t\t\t\t\tif ( ArraySize)\n\t\t\t\t\t{\n\t\t\t\t\t\tMofItem.mofcArray = new MOF_CHAR_ARRAY[ArraySize];\n\n\t\t\t\t\t\tif ( MofItem.mofcArray)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tMofItem.Types = CHAR_ARRAY_VALUE;\n\t\t\t\t\t\t\tZeroMemory(\n\t\t\t\t\t\t\t\tMofItem.mofcArray,\n\t\t\t\t\t\t\t\tsizeof(MOF_CHAR_ARRAY)*ArraySize);\n\n\t\t\t\t\t\t\tMofItem.ArraySize = ArraySize;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\treturn 
NULL;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tVariantClear(&varQualifier);\n\n\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tif (IsWideString)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (IsNullTerminated)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tStringLength = (USHORT)(wcslen((WCHAR*)pEventData));\n\t\t\t\t\t\t\t\tStringLength += sizeof(WCHAR);\n\n\t\t\t\t\t\t\t\tif ( StringLength && MofItem.mofcArray )\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].Name[0] = i;\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].wValue = new WCHAR[StringLength];\n\n\t\t\t\t\t\t\t\t\tif (MofItem.mofcArray[i].wValue)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tStringCchCopy(\n\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].wValue,\n\t\t\t\t\t\t\t\t\t\t\tStringLength,\n\t\t\t\t\t\t\t\t\t\t\t(STRSAFE_LPCWSTR)pEventData);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\t\t\t\t\n\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tLONG StringSize = (StringLength) * sizeof(WCHAR); \n\t\t\t\t\t\t\t\t//WCHAR* pwsz = (WCHAR*)malloc(StringSize + sizeof(WCHAR)); // +2 for NULL\n\n\t\t\t\t\t\t\t\tif (MofItem.mofcArray)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].Name[0] = i;\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].wValue = new WCHAR[StringLength+1];\n\n\t\t\t\t\t\t\t\t\tif (MofItem.mofcArray[i].wValue)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].wValue,\n\t\t\t\t\t\t\t\t\t\t\t(WCHAR*)pEventData,\n\t\t\t\t\t\t\t\t\t\t\tStringSize);\n\n\t\t\t\t\t\t\t\t\t\t*(MofItem.mofcArray[i].wValue+StringSize) = '\\0';\n\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tStringLength *= sizeof(WCHAR);\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse  // It is an ANSI string\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (IsNullTerminated)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tStringLength = (USHORT)strlen((char*)pEventData) + 1;\n\t\t\t\t\t\t\t\t//printf(\"%s\\n\", (char*)pEventData);\n\t\t\t\t\t\t\t\tif ( StringLength && 
MofItem.mofcArray )\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].Name[0] = i;\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].cValue = new char[StringLength];\n\n\t\t\t\t\t\t\t\t\tif (MofItem.mofcArray[i].cValue)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tStringCchCopyA(\n\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].cValue,\n\t\t\t\t\t\t\t\t\t\t\tStringLength,\n\t\t\t\t\t\t\t\t\t\t\t(STRSAFE_LPCSTR)pEventData);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t//char* psz = (char*)malloc(StringLength+1);  // +1 for NULL\n\t\t\t\t\t\t\t\tif (MofItem.mofcArray)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].Name[0] = i;\n\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].cValue = new char[StringLength+1];\n\n\t\t\t\t\t\t\t\t\tif (MofItem.mofcArray[i].cValue)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[i].cValue,\n\t\t\t\t\t\t\t\t\t\t\t(char*)pEventData,\n\t\t\t\t\t\t\t\t\t\t\tStringLength);\n\n\t\t\t\t\t\t\t\t\t\t*(MofItem.mofcArray[i].cValue + StringLength) = '\\0';\n\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tpEventData += StringLength;\n\t\t\t\t\t\tStringLength = 0;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tMofItem.Types = OTHER_VALUE;\n\t\t\t\t\tMofItem.liValue.QuadPart = 0;\n\n\t\t\t\t\tCopyMemory( \n\t\t\t\t\t\t\t&MofItem.liValue.LowPart,\n\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\t4);\n\t\t\t\t\t \n\t\t\t\t\t(UCHAR*)pEventData += 4;\n\t\t\t\t}\n\n\t\t\t\t\n\t\t\t\treturn pEventData;\n\t\t\t} \n\n\t\tcase CIM_BOOLEAN:\n\t\t\t{\n\t\t\t\tBOOL temp = FALSE;\n\n\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t{\n\t\t\t\t\tCopyMemory(&temp, pEventData, sizeof(BOOL));\n\t\t\t\t\twprintf(L\"%s\\n\", (temp) ? 
L\"TRUE\" : L\"FALSE\");\n\t\t\t\t\tpEventData += sizeof(BOOL);\n\t\t\t\t}\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_SINT8:\n\t\tcase CIM_UINT8:\n\t\t\t{\n\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\tL\"Extension\",\n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t&varQualifier, \n\t\t\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\t\n\t\t\t\t\tif (_wcsicmp(\n\t\t\t\t\t\t\tL\"Guid\",\n\t\t\t\t\t\t\tvarQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tWCHAR szGuid[50] =  {0};\n\t\t\t\t\t\tGUID Guid;\n\n\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t&Guid,\n\t\t\t\t\t\t\t\t(GUID*)pEventData,\n\t\t\t\t\t\t\t\tsizeof(GUID));\n\n\t\t\t\t\t\tStringFromGUID2(\t\n\t\t\t\t\t\t\t\t\tGuid,\n\t\t\t\t\t\t\t\t\tszGuid,\n\t\t\t\t\t\t\t\t\tsizeof(szGuid)-1);\n\t\t\t\t\t\tMofItem.Types = TCHAR_VALUE;\n\t\t\t\t\t\tMofItem.cValues = new TCHAR[50];\n\n\t\t\t\t\t\tif (MofItem.cValues)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tStringCchCopy(\n\t\t\t\t\t\t\t\t\t\tMofItem.cValues,\n\t\t\t\t\t\t\t\t\t\t50,\n\t\t\t\t\t\t\t\t\t\tszGuid\n\t\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t}\n\t\t\t\t\t\t\n\t\t\t\t\t}\n\n\t\t\t\t\tVariantClear(&varQualifier);\n\t\t\t\t\tpEventData += sizeof(GUID);\n\t\t\t\t}\n\t\t\t\telse \n\t\t\t\t{\n\t\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\t\tL\"Format\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\tPrintAsChar = TRUE;  // ANSI character\n\t\t\t\t\t}\n\n\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tif (PrintAsChar)\n\t\t\t\t\t\t\twprintf(L\"%c\", *((char*)pEventData)); \n\t\t\t\t\t\telse\n\t\t\t\t\t\t\twprintf(L\"%hd\", *((BYTE*)pEventData));\n\n\t\t\t\t\t\tpEventData += sizeof(UINT8);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\twprintf(L\"\\n\");\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_CHAR16:\n\t\t\t{\n\t\t\t\tWCHAR temp;\n\n\t\t\t\tfor (ULONG i = 0; i < 
ArraySize; i++)\n\t\t\t\t{\n\t\t\t\t\tCopyMemory(&temp, pEventData, sizeof(WCHAR));\n\t\t\t\t\twprintf(L\"%c\", temp);\n\t\t\t\t\tpEventData += sizeof(WCHAR);\n\t\t\t\t}\n\n\t\t\t\twprintf(L\"\\n\");\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_SINT16:\n\t\t\t{\n\t\t\t\tSHORT temp = 0;\n\n\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t{\n\t\t\t\t\tCopyMemory(&temp, pEventData, sizeof(SHORT));\n\t\t\t\t\twprintf(L\"%hd\\n\", temp);\n\t\t\t\t\tpEventData += sizeof(SHORT);\n\t\t\t\t}\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_UINT16:\n\t\t\t{\n\t\t\t\tUSHORT temp = 0;\n\n\t\t\t\t// If the data is a port number, call the ntohs Windows Socket 2 function\n\t\t\t\t// to convert the data from TCP/IP network byte order to host byte order.\n\t\t\t\t// This is here to support legacy event classes; the Port extension \n\t\t\t\t// should only be used on properties whose CIM type is object.\n\n\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\tL\"Extension\",\n\t\t\t\t\t\t\t\t\t\t\t\t0, \n\t\t\t\t\t\t\t\t\t\t\t\t&varQualifier,\n\t\t\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\tif (_wcsicmp(\n\t\t\t\t\t\t\t\tL\"Port\",\n\t\t\t\t\t\t\t\tvarQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tPrintAsPort = TRUE;\n\t\t\t\t\t}\n\n\t\t\t\t\tVariantClear(&varQualifier);\n\t\t\t\t}\n\n\t\t\t\tif (ArraySize)\n\t\t\t\t{\n\t\t\t\t\tMofItem.u32ArrayValue = new uint32[ArraySize];\n\t\t\t\t\tif (MofItem.u32ArrayValue)\n\t\t\t\t\t{\n\t\t\t\t\t\tMofItem.Types = UINT32_ARRAY_VALUE;\n\t\t\t\t\t\tZeroMemory(\n\t\t\t\t\t\t\t\t\tMofItem.u32ArrayValue,\n\t\t\t\t\t\t\t\t\tsizeof(uint32)*ArraySize\n\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t{\n\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t&temp,\n\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\tsizeof(USHORT));\n\n\t\t\t\t\tif (MofItem.u32ArrayValue)\n\t\t\t\t\t{\n\t\t\t\t\t\tif 
(PrintAsPort)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tMofItem.u32ArrayValue[i] = ntohs(temp);\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tMofItem.u32ArrayValue[i] = temp;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\t\t\t\t\t\n\n\t\t\t\t\tpEventData += sizeof(USHORT);\n\t\t\t\t}\n\n\t\t\t\treturn pEventData;\n\t\t\t}\n\n\t\tcase CIM_OBJECT:\n\t\t\t{\n\t\t\t\t// An object data type has to include the Extension qualifier.\n\n\t\t\t\thr = pProperty->pQualifiers->Get(\n\t\t\t\t\t\t\t\t\t\t\t\tL\"Extension\",\n\t\t\t\t\t\t\t\t\t\t\t\t0, \n\t\t\t\t\t\t\t\t\t\t\t\t&varQualifier, \n\t\t\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\tif (_wcsicmp(\n\t\t\t\t\t\t\t\tL\"SizeT\",\n\t\t\t\t\t\t\t\tvarQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tVariantClear(&varQualifier);\n\n\t\t\t\t\t\t// You do not need to know the data type of the property, you just \n\t\t\t\t\t\t// retrieve either 4 bytes or 8 bytes depending on the pointer's size.\n\n\t\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (m_PointerSize == 4) \n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tULONG temp = 0;\n\n\t\t\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t\t\t&temp, \n\t\t\t\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\t\t\t\tsizeof(ULONG));\n\t\t\t\t\t\t\t\twprintf(L\"0x%x\\n\", temp);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tULONGLONG temp = 0;\n\n\t\t\t\t\t\t\t\tCopyMemory(&temp, pEventData, sizeof(ULONGLONG));\n\t\t\t\t\t\t\t\twprintf(L\"0x%x\\n\", temp);\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tpEventData += m_PointerSize;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn pEventData;\n\t\t\t\t\t}\n\t\t\t\t\tif (_wcsicmp(\n\t\t\t\t\t\t\t\tL\"Port\", \n\t\t\t\t\t\t\t\tvarQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tUSHORT temp = 0;\n\n\t\t\t\t\t\tVariantClear(&varQualifier);\n\n\t\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t\t&temp,\n\t\t\t\t\t\t\t\t\tpEventData, 
\n\t\t\t\t\t\t\t\t\tsizeof(USHORT));\n\t\t\t\t\t\t\twprintf(L\"%hu\\n\", ntohs(temp));\n\t\t\t\t\t\t\tpEventData += sizeof(USHORT);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn pEventData;\n\t\t\t\t\t}\n\t\t\t\t\telse if (_wcsicmp(L\"IPAddr\", varQualifier.bstrVal) == 0 ||\n\t\t\t\t\t\t_wcsicmp(L\"IPAddrV4\", varQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tULONG temp = 0;\n\n\t\t\t\t\t\tVariantClear(&varQualifier);\n\n\t\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tCopyMemory(&temp, pEventData, sizeof(ULONG));\n\n\t\t\t\t\t\t\twprintf(L\"%d.%d.%d.%d\\n\", (temp >>  0) & 0xff,\n\t\t\t\t\t\t\t\t(temp >>  8) & 0xff,\n\t\t\t\t\t\t\t\t(temp >>  16) & 0xff,\n\t\t\t\t\t\t\t\t(temp >>  24) & 0xff);\n\n\t\t\t\t\t\t\tpEventData += sizeof(ULONG);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn pEventData;\n\t\t\t\t\t}\n\t\t\t\t\telse if (_wcsicmp(\n\t\t\t\t\t\t\t\t\tL\"IPAddrV6\",\n\t\t\t\t\t\t\t\t\tvarQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\ttypedef LPTSTR (WINAPI *PIPV6ADDRTOSTRING)(\n\t\t\t\t\t\t\tconst IN6_ADDR *Addr,\n\t\t\t\t\t\t\tLPTSTR S\n\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\tWCHAR IPv6AddressAsString[46] = {0};\n\t\t\t\t\t\tIN6_ADDR IPv6Address;\n\t\t\t\t\t\tPIPV6ADDRTOSTRING fnRtlIpv6AddressToString;\n\n\t\t\t\t\t\tVariantClear(&varQualifier);\n\n\t\t\t\t\t\tfnRtlIpv6AddressToString = (PIPV6ADDRTOSTRING)\n\t\t\t\t\t\t\t\t\t\t\t\tGetProcAddress(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tGetModuleHandle(L\"ntdll\"),\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"RtlIpv6AddressToStringW\");\n\n\t\t\t\t\t\tif (NULL == fnRtlIpv6AddressToString)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\twprintf(L\"GetProcAddress failed with %lu.\\n\", GetLastError());\n\t\t\t\t\t\t\treturn NULL;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; 
i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t\t&IPv6Address,\n\t\t\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\t\t\tsizeof(IN6_ADDR));\n\n\t\t\t\t\t\t\tfnRtlIpv6AddressToString(\n\t\t\t\t\t\t\t\t\t\t\t\t&IPv6Address,\n\t\t\t\t\t\t\t\t\t\t\t\tIPv6AddressAsString);\n\n\t\t\t\t\t\t\twprintf(L\"%s\\n\", IPv6AddressAsString);\n\n\t\t\t\t\t\t\tpEventData += sizeof(IN6_ADDR);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn pEventData;\n\t\t\t\t\t}\n\t\t\t\t\telse if (_wcsicmp(L\"Guid\", varQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tWCHAR szGuid[50] = {0};\n\t\t\t\t\t\tGUID Guid;\n\n\t\t\t\t\t\tVariantClear(&varQualifier);\n\n\t\t\t\t\t\tfor (ULONG i = 0; i < ArraySize; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tCopyMemory(&Guid, (GUID*)pEventData, sizeof(GUID));\n\n\t\t\t\t\t\t\tStringFromGUID2(Guid, szGuid, sizeof(szGuid)-1);\n\t\t\t\t\t\t\twprintf(L\"%s\\n\", szGuid);\n\n\t\t\t\t\t\t\tpEventData += sizeof(GUID);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn pEventData;\n\t\t\t\t\t}\n\t\t\t\t\telse if (_wcsicmp(L\"Sid\", varQualifier.bstrVal) == 0)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Get the user's security identifier and print the \n\t\t\t\t\t\t// user's name and domain.\n\n\t\t\t\t\t\tSID* psid;\n\t\t\t\t\t\tDWORD cchUserSize = 0;\n\t\t\t\t\t\tDWORD cchDomainSize = 0;\n\t\t\t\t\t\tWCHAR* pUser = NULL;\n\t\t\t\t\t\tWCHAR* pDomain = NULL;\n\t\t\t\t\t\tSID_NAME_USE eNameUse;\n\t\t\t\t\t\tDWORD status = 0;\n\t\t\t\t\t\tULONG temp = 0;\n\t\t\t\t\t\tUSHORT CopyLength = 0;\n\t\t\t\t\t\tBYTE buffer[SECURITY_MAX_SID_SIZE];\n\n\t\t\t\t\t\tVariantClear(&varQualifier);\n\n\t\t\t\t\t\tif ( ArraySize == 1)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tMofItem.mofcArray = new MOF_CHAR_ARRAY[2];\n\t\t\t\t\t\t\tif (MofItem.mofcArray)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tMofItem.Types = CHAR_ARRAY_VALUE;\n\t\t\t\t\t\t\t\tZeroMemory(\n\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray,\n\t\t\t\t\t\t\t\t\t\tsizeof(MOF_CHAR_ARRAY)*2);\n\n\t\t\t\t\t\t\t\tMofItem.ArraySize = 2;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tfor (ULONG 
i = 0; i < ArraySize; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t\t&temp,\n\t\t\t\t\t\t\t\t\tpEventData, \n\t\t\t\t\t\t\t\t\tsizeof(ULONG));\n\n\t\t\t\t\t\t\tif (temp > 0)\n\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\tUSHORT BytesToSid = m_PointerSize * 2;\n\n\t\t\t\t\t\t\t\tpEventData += BytesToSid;\n\n\t\t\t\t\t\t\t\tif (RemainingBytes - BytesToSid > SECURITY_MAX_SID_SIZE)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tCopyLength = SECURITY_MAX_SID_SIZE;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tCopyLength = RemainingBytes - BytesToSid;\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tCopyMemory(\n\t\t\t\t\t\t\t\t\t\t&buffer,\n\t\t\t\t\t\t\t\t\t\tpEventData,\n\t\t\t\t\t\t\t\t\t\tCopyLength);\n\n\t\t\t\t\t\t\t\tpsid = (SID*)&buffer;\n\n\t\t\t\t\t\t\t\tLookupAccountSid(\n\t\t\t\t\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t\t\t\t\tpsid,\n\t\t\t\t\t\t\t\t\t\t\t\tpUser,\n\t\t\t\t\t\t\t\t\t\t\t\t&cchUserSize,\n\t\t\t\t\t\t\t\t\t\t\t\tpDomain, \n\t\t\t\t\t\t\t\t\t\t\t\t&cchDomainSize,\n\t\t\t\t\t\t\t\t\t\t\t\t&eNameUse);\n\n\t\t\t\t\t\t\t\tstatus = GetLastError();\n\t\t\t\t\t\t\t\tif (ERROR_INSUFFICIENT_BUFFER == status)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tpUser = (WCHAR*)malloc(cchUserSize * sizeof(WCHAR));\n\t\t\t\t\t\t\t\t\tpDomain = (WCHAR*)malloc(cchDomainSize * sizeof(WCHAR));\n\n\t\t\t\t\t\t\t\t\tif (pUser && pDomain)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tif (LookupAccountSid(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpsid,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpUser,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t&cchUserSize,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpDomain,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t&cchDomainSize,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t&eNameUse))\n\t\t\t\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\t\t\t\tif ( i == 0)\n\t\t\t\t\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\t\t\t\t\tif ( MofItem.mofcArray )\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[0].wValue = new WCHAR[cchDomainSize];\n\n\t\t\t\t\t\t\t\t\t\t\t\t\tif 
(MofItem.mofcArray[0].wValue)\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringCchCopy(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[0].Name,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t50,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t_T(\"Domain\")\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringCchCopy(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[0].wValue,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tcchDomainSize,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpDomain\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t);\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[1].wValue = new WCHAR[cchUserSize];\n\n\t\t\t\t\t\t\t\t\t\t\t\t\tif (MofItem.mofcArray[1].wValue)\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringCchCopy(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[1].Name,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t50,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t_T(\"User\")\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringCchCopy(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tMofItem.mofcArray[1].wValue,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tcchUserSize,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpUser\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"Second LookupAccountSid failed with, %d\\n\", GetLastError());\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\twprintf(L\"Allocation error.\\n\");\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tif (pUser)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tfree(pUser);\n\t\t\t\t\t\t\t\t\t\tpUser = NULL;\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tif (pDomain)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tfree(pDomain);\n\t\t\t\t\t\t\t\t\t\tpDomain = NULL;\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tcchUserSize = 0;\n\t\t\t\t\t\t\t\t\tcchDomainSize = 0;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse 
if (ERROR_NONE_MAPPED == status)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\twprintf(L\"Unable to locate account for the specified SID\\n\");\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\twprintf(L\"First LookupAccountSid failed with, %d\\n\", status);\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tpEventData += SeLengthSid(psid);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse  // There is no SID\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpEventData += sizeof(ULONG);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn pEventData;\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"Extension, %s, not supported.\\n\", varQualifier.bstrVal);\n\t\t\t\t\t\tVariantClear(&varQualifier);\n\t\t\t\t\t\treturn NULL;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\twprintf(L\"Object data type is missing Extension qualifier.\\n\");\n\t\t\t\t\treturn NULL;\n\t\t\t\t}\n\t\t\t}\n\n\t\tdefault: \n\t\t\t{\n\t\t\t\twprintf(L\"Unknown CIM type\\n\");\n\t\t\t\treturn NULL;\n\t\t\t}\n\n\t\t} // switch\n\t}\n}\n\nLONG CMofDataParser::GetArraySize(\n\t\t\t\t\t\tIWbemQualifierSet* pQualifierSet)\n{\n\tLONG ArraySize = 1;\n\tVARIANT varQualifier;\n\tHRESULT hr;\n\tif ( pQualifierSet )\n\t{\n\t\tBSTR bstrMax = SysAllocString(L\"MAX\");\n\t\tVariantInit(&varQualifier);\n\n\t\thr = pQualifierSet->Get(bstrMax, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrMax);\n\t\tif ( !hr && varQualifier.vt == 3 )\n\t\t\tArraySize = varQualifier.lVal;\n\n\t\tVariantClear(&varQualifier);\n\t}\n\n\treturn ArraySize;\n}\n\nLONG CMofDataParser::GetArrayValue(\n\tCIMTYPE CimType,\n\tIWbemQualifierSet * pQualifierSet)\n{\n\tLONG RetValue = 29;\n\tBSTR bstrQualifier;\n\tVARIANT varQualifier;\n\tHRESULT hr;\n\tBOOL bPointer;\n\tOLECHAR szFormat[11];\n\tOLECHAR szStringTermination[31];\n\tOLECHAR szExtension[31];\n\tbPointer = 0;\n\n\tszFormat[0] = 0;\n\tszStringTermination[0] = 0;\n\tszExtension[0] = 0;\n\n\tif (pQualifierSet)\n\t{\n\t\tbstrQualifier = 
SysAllocString(L\"Format\");\n\t\tVariantInit(&varQualifier);\n\t\thr = pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( !hr && varQualifier.lVal )\n\t\t\tStringCchCopy(szFormat, 10, varQualifier.bstrVal);\n\n\t\tbstrQualifier = SysAllocString(L\"StringTermination\");\n\t\tVariantClear(&varQualifier);\n\n\t\thr = pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( !hr && varQualifier.lVal )\n\t\t\tStringCchCopy(szStringTermination, 30, varQualifier.bstrVal);\n\n\t\tbstrQualifier = SysAllocString(L\"Pointer\");\n\t\tVariantClear(&varQualifier);\n\n\t\thr = pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( hr == S_OK)\n\t\t{\n\t\t\tbPointer = 1;\n\t\t}\n\n\t\tbstrQualifier = SysAllocString(L\"Extension\");\n\t\tVariantClear(&varQualifier);\n\n\t\thr = pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( !hr && varQualifier.lVal )\n\t\t\tStringCchCopy(szExtension, 30, varQualifier.bstrVal);\n\n\t\tVariantClear(&varQualifier);\n\n\t\tswitch ( CimType & (~CIM_FLAG_ARRAY) )\n\t\t{\n\t\tcase CIM_SINT16:\n\t\t\tRetValue = 4;\n\t\t\tbreak;\n\t\tcase CIM_SINT32:\n\t\t\tRetValue = 6;\n\t\t\tbreak;\n\t\tcase CIM_REAL32:\n\t\t\tRetValue = 11;\n\t\t\tbreak;\n\t\tcase CIM_REAL64:\n\t\t\tRetValue = 12;\n\t\t\tbreak;\n\t\tcase CIM_STRING:\n\t\t\t{\n\t\t\t\tif ( _wcsicmp(szStringTermination, L\"NullTerminated\") )\n\t\t\t\t{\n\t\t\t\t\tif ( _wcsicmp(szStringTermination, L\"Counted\") )\n\t\t\t\t\t{\n\t\t\t\t\t\tif ( _wcsicmp(szStringTermination, L\"ReverseCounted\") )\n\t\t\t\t\t\t\tRetValue = _wcsicmp(szStringTermination, L\"NotCounted\") != 0 ? 
13 : 23;\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\tRetValue = 18 - (_wcsicmp(szFormat, L\"w\") != 0);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tRetValue = 16 - (_wcsicmp(szFormat, L\"w\") != 0);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tRetValue = 14 - (_wcsicmp(szFormat, L\"w\") != 0);\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tcase CIM_BOOLEAN:\n\t\t\tRetValue = 26;\n\t\t\tbreak;\n\t\tcase CIM_OBJECT:\n\t\t\tif ( !_wcsicmp(szExtension, L\"Port\") )\n\t\t\t{\n\t\t\t\tRetValue = 21;\n\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tif ( !_wcsicmp(szExtension, L\"IPAddr\") )\n\t\t\t\t{\n\t\t\t\t\tRetValue = 20;\n\t\t\t\t}\n\t\t\t\telse if ( _wcsicmp(szExtension, L\"Sid\") )\n\t\t\t\t{\n\t\t\t\t\tif ( _wcsicmp(szExtension, L\"Guid\") )\n\t\t\t\t\t{\n\t\t\t\t\t\tif ( !_wcsicmp(szExtension, L\"SizeT\") )\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tRetValue = 6;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif ( _wcsicmp(szExtension, L\"IPAddrV6\") )\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif ( _wcsicmp(szExtension, L\"IPAddrV4\") )\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tif ( !_wcsicmp(szExtension, L\"WmiTime\") )\n\t\t\t\t\t\t\t\t\t\tRetValue = 28;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tRetValue = 20;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tRetValue = 27;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tRetValue = 25;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tRetValue = 19;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tcase CIM_SINT8:\n\t\t\tRetValue = 3;\n\t\t\tif ( !_wcsicmp(szFormat, L\"c\") )\n\t\t\t\tRetValue = 0;\n\t\t\tbreak;\n\t\tcase CIM_UINT8:\n\t\t\tRetValue = 2;\n\t\t\tbreak;\n\t\tcase CIM_UINT16:\n\t\t\tRetValue = 5;\n\t\t\tbreak;\n\t\tcase CIM_UINT32:\n\t\t\tRetValue = 7;\n\t\t\tbreak;\n\t\tcase CIM_SINT64:\n\t\t\tRetValue = 9;\n\t\t\tbreak;\n\t\tcase CIM_UINT64:\n\t\t\tRetValue = 10;\n\t\t\tbreak;\n\t\tcase 
CIM_CHAR16:\n\t\t\tRetValue = 1;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (bPointer)\n\t\t{\n\t\t\tRetValue = 24;\n\t\t}\n\n\t}\n\n\treturn RetValue;\n}\n\n\nvoid CMofDataParser::AddProperityList(\n\t\t\t\t\t\t\tLIST_ENTRY* plist,\n\t\t\t\t\t\t\tBSTR pvData,\n\t\t\t\t\t\t\tLONG ValueLen,\n\t\t\t\t\t\t\tLONG ArraySize)\n{\n\tLIST_ENTRY* pEntry = plist->Flink;\n\t\n\twhile(pEntry != plist)\n\t{\t\t\n\t\tCMofParseRes* pRes = CONTAINING_RECORD(\n\t\t\t\t\t\t\t\t\t\t\tpEntry,\n\t\t\t\t\t\t\t\t\t\t\tCMofParseRes,\n\t\t\t\t\t\t\t\t\t\t\tm_Entry);\n\n\t\tif (pRes)\n\t\t{\n\t\t\tMOF_PROPERTY*  pProperty = (MOF_PROPERTY*)\n\t\t\t\t\t\t\t\t\tmalloc(sizeof(MOF_PROPERTY));\n\n\t\t\tif (pProperty)\n\t\t\t{\n\t\t\t\t__try\n\t\t\t\t{\n\t\t\t\t\tZeroMemory(pProperty,sizeof(MOF_PROPERTY));\n\t\t\t\t\tpProperty->Entry.Flink = pProperty->Entry.Blink = 0;\n\t\t\t\t\tint nLen = 0;\n\t\t\t\t\tif (pvData && (nLen = lstrlen(pvData)))\n\t\t\t\t\t{\n\t\t\t\t\t\tpProperty->ArraySize = ArraySize;\n\t\t\t\t\t\tpProperty->Types = ValueLen;\n\n\t\t\t\t\t\tpProperty->Name = (BSTR)malloc((nLen+1)* sizeof(OLECHAR));\n\n\t\t\t\t\t\tif (pProperty->Name)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t__try\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tStringCchCopy(\n\t\t\t\t\t\t\t\t\tpProperty->Name,\n\t\t\t\t\t\t\t\t\tnLen + 1,\n\t\t\t\t\t\t\t\t\tpvData);\n\n\t\t\t\t\t\t\t\tInsertTailList(\n\t\t\t\t\t\t\t\t\t&pRes->m_MofPropertyList,\n\t\t\t\t\t\t\t\t\t&pProperty->Entry);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif (pProperty->Name)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tfree(pProperty->Name);\n\t\t\t\t\t\t\t\t\tpProperty->Name = NULL;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tfree(pProperty);\n\t\t\t\t\t\t\tpProperty = NULL;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\t\t\t\t\t\n\n\n\t\t\t\t}\n\t\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t\t{\n\t\t\t\t\tif 
(pProperty)\n\t\t\t\t\t{\n\t\t\t\t\t\tfree(pProperty);\n\t\t\t\t\t\tpProperty = NULL;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t__try\n\t\t{\n\t\t\tpEntry = pEntry->Flink;\n\t\t}\n\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\t\n\t}\n}\n\nvoid CMofDataParser::AddGlobalEvent(\n\t\t\t\t\t\t\tLIST_ENTRY* plist\n\t\t\t\t\t\t\t)\n{\n\n\twhile(!IsListEmpty(plist))\n\t{\n\t\tLIST_ENTRY* pEntry = plist->Flink;\n\t\t__try\n\t\t{\n\t\t\tCMofParseRes* pRes = CONTAINING_RECORD(\n\t\t\t\tpEntry,\n\t\t\t\tCMofParseRes,\n\t\t\t\tm_Entry);\n\n\t\t\tif (pRes)\n\t\t\t{\n\t\t\t\tRemoveEntryList(&pRes->m_Entry);\n\t\t\t\tInsertTailList(&m_ModDataList,&pRes->m_Entry);\n\t\t\t}\n\t\t}\n\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t{\n\t\t\tbreak;\n\t\t}\t\t\n\t}\n\n\tInitializeListHead(plist);\n}"
  },
  {
    "path": "Sysmon/CMofDataParser.h",
    "content": "#ifndef _CMofDataParser_h\n#define _CMofDataParser_h\n\n#include \"Sysmon.h\"\n\n#define MAX_CHAR_ARRAY_SIZE 20\n#define TCHAR_VALUE 0x1\n#define UINT32_ARRAY_VALUE 0x2\n#define OTHER_VALUE 0x4\n#define CHAR_ARRAY_VALUE 0x8\n#include <WbemCli.h>\n#include <Wmistr.h>\n#include <Evntrace.h>\n#include <strsafe.h>\n\ntypedef unsigned int uint32;\ntypedef unsigned long long uint64;\n\nextern \"C\"\n{\n\ttypedef HRESULT (WINAPI * pSafeArrayDestroy)(SAFEARRAY *);\n\ttypedef HRESULT (WINAPI * pSafeArrayGetElement)(SAFEARRAY * , LONG *, void *);\n};\n\n\ntypedef struct _MOF_DATA_HEADER\n{\n\tint\t\t\tMofCount;\n\tSYSTEMTIME\tMofLocal;\n\tBSTR\t\tMofClassName;\n\tBSTR\t\tMofTypeName;\n\tUSHORT\t\tMofType;\n\tUSHORT\t\tMofLevel;\n\tUSHORT\t\tMofVsersion;\n\tGUID\t\tMofGuid;\n}MOF_DATA_HEADER;\n\ntypedef struct _MOF_CHAR_ARRAY\n{\n\tTCHAR Name[20];\n\tunion\n\t{\n\t\tchar*  cValue;\n\t\tWCHAR* wValue; \n\t};\n\n}MOF_CHAR_ARRAY;\n\ntypedef struct _MOF_ITEM\n{\n\tTCHAR\tName[50];\n\tULONG\tTypes;\n\tUINT32\tArraySize;\n\tunion\n\t{\n\t\tTCHAR*\t\t\tcValues;\n\t\tLARGE_INTEGER\tliValue;\n\t\tUINT32*\t\t\tu32ArrayValue;\n\t\tMOF_CHAR_ARRAY*\tmofcArray;\n\t};\n\t\n}MOF_ITEM,*PMOF_ITEM;\n\ntypedef struct _MOF_PROPERTY\n{\n\tLIST_ENTRY\tEntry;\n\tBSTR\t\tName;\n\tULONG\t\tTypes;\n\tUINT32\t\tArraySize;\n\n}MOF_PROPERTY;\n\nclass CMofParseRes\n{\n\tfriend class  CMofDataParser;\npublic:\n\tCMofParseRes()\n\t{\n\t\tZeroMemory(\n\t\t\t\tthis,\n\t\t\t\tsizeof(*this));\n\n\t\tInitializeListHead(\n\t\t\t\t\t&m_MofPropertyList\n\t\t\t\t\t);\n\t}\n\n\t~CMofParseRes()\n\t{\n\t}\n\n\tUINT32 GetCount()\n\t{\n\t\treturn m_MofHeader.MofCount;\n\t}\n\n\tSYSTEMTIME GetTimeStmp()\n\t{\n\t\treturn m_MofHeader.MofLocal;\n\t}\n\t\npublic:\n\tLIST_ENTRY\t\t\tm_Entry;\nprivate:\n\tMOF_DATA_HEADER\t\tm_MofHeader;\n\tLIST_ENTRY\t\t\tm_MofPropertyList;\n\n};\n\ntypedef struct _propertyList\n{\n\tBSTR Name;     \n\tLONG CimType;\n\tIWbemQualifierSet* pQualifiers;\n\n} PROPERTY_LIST;\n\nclass 
CMofData\n{\npublic:\n\tCMofData(void)\n\t{\n\t\tm_Mof = NULL;\n\t\tmemset(\n\t\t\t&m_MofHead,\n\t\t\t0,\n\t\t\tsizeof(MOF_DATA_HEADER));\n\t}\n\n\tCMofData(const CMofData& Mof)\n\t{\n\t\tm_Mof = Mof.m_Mof;\n\t}\n\n\tCMofData(const PMOF_ITEM& Mof)\n\t{\n\t\tm_Mof = Mof;\n\t}\n\n\t~CMofData(void)\n\t{\n\n\t}\n\n\t\n\tvoid operator =(const PMOF_ITEM Mof)\n\t{\n\t\tm_Mof = Mof;\n\t}\n\n\tBOOL operator ==(const TCHAR* Name )\n\t{\n\t\tif ( m_Mof )\n\t\t{\n\t\t\tif (sizeof(TCHAR) >=  2 )\n\t\t\t{\n\t\t\t\tif ( !wcsicmp(Name,m_Mof->Name))\n\t\t\t\t{\n\t\t\t\t\treturn TRUE;\n\t\t\t\t}\n\t\t\t\t\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tif (!stricmp(\n\t\t\t\t\t\t\t(char*)Name,\n\t\t\t\t\t\t\t(char*)m_Mof->Name))\n\t\t\t\t{\n\t\t\t\t\treturn TRUE;\n\t\t\t\t}\n\t\t\t}\n\t\t\t\n\t\t}\n\t\treturn FALSE;\n\t}\n\n\tUINT32 getDataInt32( UINT32 DataType ,int Index = 0)\n\t{\n\t\tif ( m_Mof )\n\t\t{\n\t\t\tif(m_Mof->Types == DataType\n\t\t\t\t )\n\t\t\t{\n\n\t\t\t\tif (DataType == UINT32_ARRAY_VALUE)\n\t\t\t\t{\n\t\t\t\t\tif (m_Mof->u32ArrayValue)\n\t\t\t\t\t{\n\t\t\t\t\t\treturn m_Mof->u32ArrayValue[Index];\n\t\t\t\t\t}\t\t\n\t\t\t\t}\n\t\t\t\telse if ( DataType == CHAR_ARRAY_VALUE )\n\t\t\t\t{\n\t\t\t\t\tif ( m_Mof->mofcArray )\n\t\t\t\t\t{\n\t\t\t\t\t\treturn (UINT32)&m_Mof->mofcArray[Index];\n\t\t\t\t\t}\t\t\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t}\n\t\t\t\n\t\t}\n\n\t\treturn 0;\n\t}\n\n\tUINT64 getDataInt64( UINT32 DataType ,int Index = 0 )\n\t{\n\t\tif ( m_Mof )\n\t\t{\n\t\t\tif(m_Mof->Types == DataType\n\t\t\t\t)\n\t\t\t{\n\n\t\t\t\tif (DataType == OTHER_VALUE)\n\t\t\t\t{\t\t\t\t\t\n\t\t\t\t\treturn m_Mof->liValue.QuadPart;\t\t\t\t\t\t\n\t\t\t\t}\n\t\t\t}\n\n\t\t}\n\n\t\treturn 0;\n\t}\n\n\tTCHAR* getWideString( UINT32 DataType ,int Index = 0 )\n\t{\n\t\tif ( m_Mof )\n\t\t{\n\t\t\tif(m_Mof->Types == DataType\n\t\t\t\t)\n\t\t\t{\n\n\t\t\t\tif (DataType == CHAR_ARRAY_VALUE )\n\t\t\t\t{\n\t\t\t\t\tif (m_Mof->mofcArray)\n\t\t\t\t\t{\n\t\t\t\t\t\treturn 
m_Mof->mofcArray[Index].wValue;\n\t\t\t\t\t}\t\t\n\t\t\t\t}\n\t\t\t\telse if ( DataType == TCHAR_VALUE )\n\t\t\t\t{\n\t\t\t\t\tif ( m_Mof->cValues )\n\t\t\t\t\t{\n\t\t\t\t\t\treturn (TCHAR*)m_Mof->cValues;\n\t\t\t\t\t}\t\t\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn NULL;\n\t}\n\n\tchar* getAnsiString( UINT32 DataType ,int Index = 0 )\n\t{\n\t\tif ( m_Mof )\n\t\t{\n\t\t\tif(m_Mof->Types == DataType\n\t\t\t\t)\n\t\t\t{\n\n\t\t\t\tif (DataType == CHAR_ARRAY_VALUE )\n\t\t\t\t{\n\t\t\t\t\tif (m_Mof->mofcArray)\n\t\t\t\t\t{\n\t\t\t\t\t\treturn m_Mof->mofcArray[Index].cValue;\n\t\t\t\t\t}\t\t\n\t\t\t\t}\n\t\t\t\telse if ( DataType == TCHAR_VALUE )\n\t\t\t\t{\n\t\t\t\t\tif ( m_Mof->cValues )\n\t\t\t\t\t{\n\t\t\t\t\t\treturn (char*)m_Mof->cValues;\n\t\t\t\t\t}\t\t\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn NULL;\n\t}\n\n\tUINT32 GetProcessId()\n\t{\n\t\treturn getDataInt32( UINT32_ARRAY_VALUE );\n\t}\n\n\tUINT64 GetUniqueProcessKey()\n\t{\n\t\treturn getDataInt64( OTHER_VALUE );\n\t}\n\n\tchar* GetProcessImageFileName()\n\t{\n\t\tchar* ImageFileName = NULL;\n\n\t\tif (! 
(ImageFileName = getAnsiString( TCHAR_VALUE , 0 )) )\n\t\t{\n\t\t\tImageFileName = getAnsiString(CHAR_ARRAY_VALUE,0);\n\t\t}\n\n\t\treturn ImageFileName;\n\t}\n\n\n\t/************************************************************************/\n\t/* FileObject\n\t*/\n\t/************************************************************************/\n\n\tUINT64 GetFileObject()\n\t{\n\t\treturn getDataInt64(OTHER_VALUE,0);\n\t}\n\n\tTCHAR* GetFileOpenPath()\n\t{\n\t\tTCHAR* OpenPath = NULL;\n\n\t\tif ( !(OpenPath = getWideString(\n\t\t\t\t\t\t\t\tTCHAR_VALUE,\n\t\t\t\t\t\t\t\t0)))\n\t\t{\n\t\t\tOpenPath = getWideString(\n\t\t\t\t\t\t\t\tCHAR_ARRAY_VALUE,\n\t\t\t\t\t\t\t\t0);\n\t\t}\n\n\t\treturn OpenPath;\n\t}\n\nprivate:\n\tMOF_DATA_HEADER m_MofHead;\n\tPMOF_ITEM\t\tm_Mof;\n\tLIST_ENTRY\t\tm_Entry;\n};\n\n\n\nclass CMofDataParser\n{\npublic:\n\tCMofDataParser(void);\n\t\n\n\tvirtual ~CMofDataParser(void);\nprivate:\n\tHRESULT Connect(\n\t\tBSTR bstrNamespace\n\t\t);\npublic:\n\t\n\tvoid SetPointSize(ULONG PointSize )\n\t{\n\t\tm_PointerSize = 8;\n\t}\n\n\tBOOL Parse(\n\t\t\tPEVENT_TRACE pEvent,\n\t\t\tCMofParseRes& Result );\n\nprivate:\n\tIWbemServices*\t\t\t\tm_pServices;\n\tULONG\t\t\t\t\t\tm_PointerSize;\n\tLIST_ENTRY\t\t\t\t\tm_ModDataList;\nprotected:\n\tvoid GetPropertyName(\n\t\t\tPROPERTY_LIST* pProperty,\n\t\t\tTCHAR* PropertyName\n\t\t\t);\n\n\tPBYTE GetPropertyValue(\n\t\t\tPROPERTY_LIST*\tpProperty,\n\t\t\tMOF_ITEM&\t\tMofItem,\n\t\t\tPBYTE\t\t\tpEventData,\n\t\t\tUSHORT\t\t\tRemainingBytes);\n\n\tIWbemClassObject* GetEventCategoryClass(\n\t\t\t\t\t\t\t\tBSTR bstrClassGuid,\n\t\t\t\t\t\t\t\tint Version);\n\n\tCMofParseRes* GetEventClassPropertyList(\n\t\t\t\t\t\t\t\tIWbemClassObject* pEventCategoryClass,\n\t\t\t\t\t\t\t\tGUID& Guid,\n\t\t\t\t\t\t\t\tUSHORT Version,\n\t\t\t\t\t\t\t\tUSHORT Level,\n\t\t\t\t\t\t\t\tUSHORT EventType);\n\n\tvoid FreePropertyList(\n\t\t\t\t\tPROPERTY_LIST* pProperties,\n\t\t\t\t\tDWORD Count);\n\n\tBOOL 
GetPropertyList(\n\t\t\t\t\tIWbemClassObject* pClass, \n\t\t\t\t\tPROPERTY_LIST** ppProperties,\n\t\t\t\t\tDWORD* pPropertyCount,\n\t\t\t\t\tLONG* PropertyIndex);\n\n\tLONG GetArraySize(\n\t\t\t\t\t\t\tIWbemQualifierSet* pQualifierSet);\n\n\tLONG GetArrayValue(\n\t\t\t\t\tCIMTYPE CimType,\n\t\t\t\t\tIWbemQualifierSet * pQualifierSet);\n\n\tvoid AddProperityList(\n\t\t\t\t\tLIST_ENTRY* Entry,\n\t\t\t\t\tBSTR pvData,\n\t\t\t\t\tLONG ValueLen,\n\t\t\t\t\tLONG ArraySize);\n\n\tvoid AddGlobalEvent(\n\t\t\t\t\tLIST_ENTRY* Entry);\n\npublic:\n\tCMofDataParser* Instance();\n};\n\nclass FileCreateNameX86\n{\n\npublic:\n\tFileCreateNameX86(void)\n\t{\n\n\t}\n\n\t~FileCreateNameX86()\n\t{\n\n\t}\n\n\tUINT32 FileObject;\n\tTCHAR FileName[1];\n};\n\nclass CPropertyRes;\n\n\nclass CPropertyRes\n{\n\tfriend class CPropertyData;\npublic:\n\tCPropertyRes(void)\n\t{\n\t\tZeroMemory(this,sizeof(*this));\n\t}\n\n\tCPropertyRes(const CPropertyRes& Res)\n\t{\n\t\tZeroMemory(this,sizeof(*this));\n\n\t\tif (Res.mData_ && Res.mLen_)\n\t\t{\n\t\t\tmData_ = new BYTE[Res.mLen_ + 1];\n\n\t\t\tif ( mData_ )\n\t\t\t{\n\t\t\t\tCopyMemory(\n\t\t\t\t\tmData_,\n\t\t\t\t\tRes.mData_,\n\t\t\t\t\tRes.mLen_);\n\n\t\t\t\tmLen_ = Res.mLen_;\n\t\t\t}\n\n\t\t\tCopyMemory(\n\t\t\t\tmName,\n\t\t\t\tRes.mName,\n\t\t\t\t50);\n\t\t}\t\n\t\t\n\t}\n\n\t~CPropertyRes(void)\n\t{\n\t\tif (mData_)\n\t\t{\n\t\t\tdelete[] (char*)mData_;\n\t\t\tmData_ = NULL;\n\t\t}\n\n\t\tmLen_ = NULL;\n\n\t\tZeroMemory(this,sizeof(*this));\n\t}\n\n\tvoid Init()\n\t{\n\t\tmData_ = NULL;\n\t\tmLen_ = 0;\n\t}\n\n\tTCHAR* GetFileName()\n\t{\n\t\treturn (TCHAR*)mData_;\n\t}\n\n\tchar* GetProcessName()\n\t{\n\t\treturn (char*)mData_;\n\t}\n\n\tTCHAR* GetQueryDomainName()\n\t{\n\t\treturn (TCHAR*)mData_;\n\t}\n\n\tTCHAR* GetQueryResult()\n\t{\n\t\treturn (TCHAR*)mData_;\n\t}\n\n\tULONGLONG GetFileObject()\n\t{\n\t\tif ( mData_ )\n\t\t{\n\t\t\treturn *((ULONGLONG*)mData_);\n\t\t}\n\n\t\treturn 0;\n\t}\n\n\tULONG GetProcessId()\n\t{\n\t\tif ( 
mData_ )\n\t\t{\n\t\t\treturn *((ULONG*)mData_);\n\t\t}\n\n\t\treturn -1;\n\t}\n\n\tWORD GetPort()\n\t{\n\t\tif ( mData_ )\n\t\t{\n\t\t\treturn *((WORD*)mData_);\n\t\t}\n\n\t\treturn -1;\n\t}\n\n\tULONG GetQueryStatus()\n\t{\n\t\tif ( mData_ )\n\t\t{\n\t\t\treturn *((ULONG*)mData_);\n\t\t}\n\n\t\treturn -1;\n\t}\n\n\tULONG GetIpAddress()\n\t{\n\t\tif ( mData_ )\n\t\t{\n\t\t\treturn *((ULONG*)mData_);\n\t\t}\n\n\t\treturn -1;\n\t}\n\n\tULONG GetIoSize()\n\t{\n\t\tif ( mData_ )\n\t\t{\n\t\t\treturn *((ULONG*)mData_);\n\t\t}\n\n\t\treturn 0;\n\t}\n\n\tBOOL operator == ( TCHAR* StrName)\n\t{\n\t\tif (!wcsicmp(StrName,mName))\n\t\t{\n\t\t\treturn TRUE;\n\t\t}\n\n\t\treturn FALSE;\n\t}\n\nprivate:\n\tTCHAR mName[50];\n\tPBYTE mData_;\n\tint   mLen_;\n\n};\n\n#define PARSE_TYPE_FILE 1\n#define PARSE_TYPE_OTHER 2\n\nstatic CPropertyRes Res;\n\n#endif"
  },
  {
    "path": "Sysmon/CSsymonEtw.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CSsymonEtw.h\"\n#include \"CSysmonUtil.h\"\n#include <winsock2.h>\n#include <strsafe.h>\n#include <process.h>\n\n\n\n#pragma comment(lib,\"Ws2_32.lib\")\n\n#define EVENT_TRACE_SYSTEM_LOGGER_MODE 0x2000000\n\nCSsymonEtw* CSsymonEtw::_Instace = NULL;\n\nCSsymonEtw::CSsymonEtw(void)\n{\n\tm_pStartTrace = NULL;\n\tm_pControlTrace = NULL;\n\tm_pOpenTrace = NULL;\n\tm_pProcessTrace = NULL;\n\tm_SessionHandle = NULL;\n\tm_hEtwTraceThread =0;\n\tm_bInit = FALSE;\n\tm_hGlobalEvent = CreateEvent(0, TRUE, 0, 0);\n\tm_bStartTrace = FALSE;\n\tm_bInitData = FALSE;\n\tm_EventClassNums = 0;\n\n\tGetSystemTimeAsFileTime(&m_SystemTime);\n\tQueryPerformanceCounter(&m_PerformanceCount);\n\tQueryPerformanceFrequency(&m_Frequency);\n}\n\n\nCSsymonEtw::~CSsymonEtw(void)\n{\n}\n\n\nULONG CSsymonEtw::InitData()\n{\n\tFILETIME SystemTimeAsFileTime;\n\n\tif ( CSsymonEtw::m_bInitData )\n\t{\n\t\t//sub_4144E0(1);\n\t}\n\telse\n\t{\n\t\tInitializeCriticalSection(&m_csData);\n\t\tCSsymonEtw::m_bInitData = 1;\n\t}\n\n\tGetSystemTimeAsFileTime(&SystemTimeAsFileTime);\n\tm_SystemTime = SystemTimeAsFileTime;\n\treturn SystemTimeAsFileTime.dwHighDateTime;\n}\n\nvoid CSsymonEtw::Enter()\n{\n\tEnterCriticalSection(&m_csData);\n}\n\nvoid CSsymonEtw::Leave()\n{\n\tLeaveCriticalSection(&m_csData);\n}\n\nHRESULT CSsymonEtw::StartTrace(BOOL bStart)\n{\n\tWSAData Wsa = {0};\n\tBOOL IsThanXp = FALSE;\n\tDWORD dwVerison = GetVersion();\n\tDWORD dwMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVerison)));\n\tDWORD dwMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVerison)));\n\tDWORD FileMode = 0;\n\tUINT ThreadId;\n\tHRESULT bFail;\n\n\tif (m_bInit == FALSE)\n\t{\n\t\tHMODULE hAdv = LoadLibraryW(L\"advapi32.dll\");\n\t\tm_pStartTrace = (pStartTrace)GetProcAddress(hAdv, \"StartTraceW\");\n\t\tm_pControlTrace = (pControlTrace)GetProcAddress(hAdv, \"ControlTraceW\");\n\t\tm_pOpenTrace = (pOpenTrace)GetProcAddress(hAdv, \"OpenTraceW\");\n\t\tm_pProcessTrace = 
(pProcessTrace)GetProcAddress(hAdv, \"ProcessTrace\");\n\t\tint ret = WSAStartup(\n\t\t\t\t\t\tMAKEWORD(2,2),\n\t\t\t\t\t\t&Wsa);\n\t\tif ( ret )\n\t\t\treturn ret;\n\n\t\tm_bInit = TRUE;\n\t}\n\n\tif (!m_pStartTrace)\n\t{\n\t\treturn 1;\n\t}\n\n\tif (m_bStartTrace == bStart)\n\t{\n\t\treturn 0;\n\t}\n\n\tif (dwMajorVersion >= 6 )\n\t{\n\t\tif(dwMinorVersion >= 2)\n\t\t{\n\t\t\tIsThanXp = TRUE;\n\t\t}\n\t}\n\t\t\n\tSysomn_Event_Properties SysmonEvent = {0};\n\tSysmonEvent.Properties.Wnode.BufferSize = sizeof(Sysomn_Event_Properties);\n\tSysmonEvent.Properties.Wnode.Flags = WNODE_FLAG_TRACED_GUID ;\n\tSysmonEvent.Properties.Wnode.ClientContext = 1;\n\tSysmonEvent.Properties.FlushTimer = 1;\n\tSysmonEvent.Properties.LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);\n\tSysmonEvent.Properties.LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) +\n\t\t\t\t\t\t\t\t\t\t\tMAX_PATH*sizeof(TCHAR);\n\n\n\tFileMode = 0;\n\tif (IsThanXp)\n\t{\n\t\tFileMode = EVENT_TRACE_SYSTEM_LOGGER_MODE;\n\t}\n\n\tSysmonEvent.Properties.LogFileMode = FileMode | \n\t\t\t\t\t\t\t\tEVENT_TRACE_REAL_TIME_MODE;\n\n\tif ( dwMajorVersion < 6 || dwMinorVersion < 2)\n\t{\n\t\tSysmonEvent.Properties.Wnode.Guid = SystemTraceControlGuid;\n\t}\n\n\tLPCTSTR pLogName = _T(\"SYSMON TRACE\");\n\n\tif (!IsThanXp)\n\t{\n\t\tpLogName = _T(\"NT Kernel Logger\");\n\t}\n\n\n\tStringCchCopy(SysmonEvent.LoggerName,MAX_PATH,pLogName );\n\n\tif (CSysmonUtil::SysmonVersionIsSupport())\n\t{\n\t\tSysmonEvent.Properties.EnableFlags = EVENT_TRACE_FLAG_EXTENSION;\n\t\tSysmonEvent.Properties.EnableFlags |= 0x00FF0000;\n\t\tSysmonEvent.Properties.EnableFlags |=\n\t\t\t\t\t\t\t\t(EVENT_TRACE_FLAG_DISK_IO_INIT |\n\t\t\t                      EVENT_TRACE_FLAG_SYSTEMCALL |\n\t\t\t\t\t\t\t\t  EVENT_TRACE_FLAG_PROCESS_COUNTERS);\n \t\tSysmonEvent.dwMax2 = 0x10009;\n \t\tSysmonEvent.dwMax1 = 0x1000A;\n \t\tSysmonEvent.dwMax3 = 0x10000;\n\t}\n\telse\n\t{\n\t\tSysmonEvent.Properties.EnableFlags |= EVENT_TRACE_FLAG_NETWORK_TCPIP; 
\n\t}\n\n\tif (bStart)\n\t{\n\t\tInitData();\n\n\t\tULONG bSuccess = m_pStartTrace(\n\t\t\t\t\t\t\t\t\t\t\t&m_SessionHandle,\n\t\t\t\t\t\t\t\t\t\t\tSysmonEvent.LoggerName,\n\t\t\t\t\t\t\t\t\t\t\t&SysmonEvent.Properties);\n\n\t\tif ( bSuccess && bSuccess != ERROR_ALREADY_EXISTS)\n\t\t{\n\t\t\t//sub_418280(&Text, L\"Network trace initialization failed: Error %d\", v11);\n\t\t\t//MessageBoxW(0, &Text, L\"System Monitor\", 0x10u);\n\t\t\tbFail = bSuccess;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tm_hEtwTraceThread = (HANDLE)\n\t\t\t\t\t\t\t\t\t\t_beginthreadex(\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\tCSsymonEtw::ProcessTraceThread,\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\t&ThreadId);\n\t\t\tm_bStartTrace = bStart;\n\t\t\tbFail = 0;\n\t\t}\n\t}\n\telse\n\t{\n\t\tSetEvent(m_hGlobalEvent);\n\t\tbFail = m_pControlTrace(\n\t\t\t\t\t\t\t\t\tm_SessionHandle,\n\t\t\t\t\t\t\t\t\tSysmonEvent.LoggerName, \n\t\t\t\t\t\t\t\t\t&SysmonEvent.Properties,\n\t\t\t\t\t\t\t\t\tEVENT_TRACE_CONTROL_STOP);\n\n\t\tWaitForSingleObject(m_hEtwTraceThread, INFINITE);\n\t\tCloseHandle(m_hEtwTraceThread);\n\t\tm_hEtwTraceThread = 0;\n\t\tResetEvent(m_hGlobalEvent);\n\n\t\tif ( !bFail )\n\t\t{\n\t\t\tm_bStartTrace = 0;\n\t\t\t//sub_414630();\n\t\t}\n\t}\n\n\treturn bFail;\n}\n\nvoid* CSsymonEtw::GetEventClassPropertyListList(PEVENT_TRACE pEventTrace)\n{\n\n\tif (!m_EventClassNums)\n\t{\n\t\t//EventTraceGuid\n\n\t\tm_EventClassNums++;\n\t}\n\n\tif (pEventTrace)\n\t{\n\n\t}\n\n\treturn 0;\n}\n\nUINT CSsymonEtw::ProcessTraceThread(void* lp)\n{\n\tBOOL IsThanXp = FALSE;\n\tBOOL IsStop = FALSE;\n\tDWORD dwVerison = GetVersion();\n\tDWORD dwMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVerison)));\n\tDWORD dwMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVerison)));\n\n\tif (dwMajorVersion >= 6 )\n\t{\n\t\tif(dwMinorVersion >= 2)\n\t\t{\n\t\t\tIsThanXp = TRUE;\n\t\t}\n\t}\n\n\tEVENT_TRACE_LOGFILE SysmonEvent = {0};\n\tSysmonEvent.LoggerName 
= NULL;\n\tSysmonEvent.Context = 0;\n\tSysmonEvent.BufferCallback = CSsymonEtw::BufferCallback;\n\tSysmonEvent.BuffersRead = 0;\n\t\n\n\tLPCTSTR pLogName = _T(\"SYSMON TRACE\");\n\n\tif (!IsThanXp)\n\t{\n\t\tpLogName = _T(\"NT Kernel Logger\");\n\t}\n\n\tSysmonEvent.LoggerName = (LPWSTR)pLogName;\n\tSysmonEvent.CurrentTime = 0;\n\tSysmonEvent.EventCallback = CSsymonEtw::EventCallback;\n\tSysmonEvent.LogFileMode = EVENT_TRACE_REAL_TIME_MODE |\n\t\t\t\t\t\t\tEVENT_TRACE_ADD_HEADER_MODE;\n\n\tTRACEHANDLE hOpenTrace = CSsymonEtw::Instance()->m_pOpenTrace(&SysmonEvent);\n\n\tif (!hOpenTrace)\n\t{\n\t\treturn -1;\n\t}\n\n\tUINT ThreadId = 0;\n\tHANDLE hDataThread = (void *)_beginthreadex(\n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\tProcessDataThread, \n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t&ThreadId);\n\n\t ULONG bSuccess = CSsymonEtw::Instance()->m_pProcessTrace(\n\t\t\t\t\t\t\t\t\t\t\t\t&hOpenTrace,\n\t\t\t\t\t\t\t\t\t\t\t\t1,\n\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t0);\n\n\t if ( WaitForSingleObject(\n\t\t\t\t\t\tCSsymonEtw::Instance()->m_hGlobalEvent,\n\t\t\t\t\t\t0) == STATUS_TIMEOUT )\n\t {\n\t\t IsStop = 1;\n\t\t SetEvent(CSsymonEtw::Instance()->m_hGlobalEvent);\n\t }\n\n\t WaitForSingleObject(hDataThread, INFINITE);\n\t CloseHandle(hDataThread);\n\n\t if ( IsStop )\n\t {\n\t\t CloseHandle(CSsymonEtw::Instance()->m_hEtwTraceThread);\n\t\t CSsymonEtw::Instance()->m_hEtwTraceThread = 0;\n\t\t ResetEvent(CSsymonEtw::Instance()->m_hGlobalEvent);\n\n\t\t CSsymonEtw::Instance()->m_bStartTrace = 0;\n\n\t\t //sub_414630();\n\n// \t\t if ( sub_407C70() & 1 )\n \t\t\t CSsymonEtw::Instance()->StartTrace(1);\n\t }\n\n\treturn 0;\n}\n\n\nULONG \nCSsymonEtw::BufferCallback(\n\tPEVENT_TRACE_LOGFILE Buffer\n\t)\n{\n\treturn 0;\n}\n\n#include \"CMofDataParser.h\"\nVOID\nCSsymonEtw::EventCallback(\n\tPEVENT_TRACE pEvent\n\t)\n{\n\tif (pEvent)\n\t{\n\t\t//CMofParseRes 
Result;\n\t\t//CSsymonEtw::Instance()->m_MofDataParser.Parse(pEvent,Result);\n\t\t\n\t\treturn;\n\n \t\tCSysmonDataEntry* pDataEntry = CSsymonEtw::Instance()->m_SysmonMofData.Phase_1(\n \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t&pEvent->Header.Guid,\n \t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpEvent->Header.Class.Version,\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n \t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpEvent->Header.Class.Level,\n \t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpEvent->Header.Class.Type);\n \n \t\tif (pDataEntry)\n \t\t{\n \t\t\tCSsymonEtw::Instance()->Enter();\n \t\t\tCSsymonEtw::Instance()->m_SysmonMofData.Phase_2(pEvent,pDataEntry);\n \t\t\tCSsymonEtw::Instance()->Leave();\n \t\t}\n\t}\n\t\n}\n\n\nUINT\nCSsymonEtw::ProcessDataThread(void* lp)\n{\n\tLARGE_INTEGER PerformanceCount;\n\n\twhile ( WaitForSingleObject(\n\t\t\t\t\tCSsymonEtw::Instance()->m_hGlobalEvent, \n\t\t\t\t\t250) == STATUS_TIMEOUT )\n\t{\n\t\tCSsymonEtw::Instance()->Enter();\n\n\t\tQueryPerformanceCounter(&PerformanceCount);\n\t\tULONG LowPart = PerformanceCount.LowPart - \n\t\t\tCSsymonEtw::Instance()->m_PerformanceCount.LowPart;\n\n\t\tULONG HighPart = (PerformanceCount.HighPart -\n\t\t\t\tCSsymonEtw::Instance()->m_PerformanceCount.HighPart);\n\n\t\tULONGLONG QuadPart = PerformanceCount.QuadPart - \n\t\t\tCSsymonEtw::Instance()->m_PerformanceCount.QuadPart;\n\n\t\tULONGLONG Frequency = 0;\n\t\tLARGE_INTEGER ft2 = {0};\n\t\tLARGE_INTEGER lg2 = {0};\n\t\tLARGE_INTEGER lg3 = {0};\n\n\t\tif ( HighPart >= 0 )\n\t\t{\n\t\t\tlg2.QuadPart = ((10000000 * (QuadPart % CSsymonEtw::Instance()->m_Frequency.QuadPart)) / \n\t\t\t\tCSsymonEtw::Instance()->m_Frequency.QuadPart +\n\t\t\t\t\t10000000 * (QuadPart / CSsymonEtw::Instance()->m_Frequency.QuadPart));\n\n\t\t\tft2.LowPart = lg2.LowPart;\n\t\t}\n\t\telse\n\t\t{\n\t\t\t\n\n\t\t\tlg2.QuadPart = CSysmonUtil::CounterTimes(\n\t\t\t\t\t\t\t\t\t\t\t\t\tCSsymonEtw::Instance()->m_SystemTime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t-HighPart);\n\n\t\t\tft2.LowPart = lg2.LowPart;\n\t\t}\n\n\t\tft2.HighPart = 
CSsymonEtw::Instance()->m_SystemTime.dwHighDateTime;\n\t\tlg3.LowPart += CSsymonEtw::Instance()->m_SystemTime.dwLowDateTime;\n\t\tlg2.LowPart = CSsymonEtw::Instance()->m_SystemTime.dwLowDateTime;\n\n\t\tft2.HighPart = (ft2.QuadPart + lg2.QuadPart) >> 32;\n\n\t\tCSsymonEtw::Instance()->Leave();\n\t}\n\n\treturn 0;\n}"
  },
  {
    "path": "Sysmon/CSsymonEtw.h",
    "content": "#ifndef _CSsymonEtw_h\n#define _CSsymonEtw_h\n\n#include \"CMofDataParser.h\"\n#include \"CSysmonMofData.h\"\n#include <wmistr.h>\n#include <Evntrace.h>\n\ntypedef void* HEVENT;\n\n#ifdef __cplusplus\nextern \"C\"{\n#endif\n\ntypedef\nULONG\n(WINAPI\n*pStartTrace)(\n\t PTRACEHANDLE            SessionHandle,\n\t LPCTSTR                 SessionName,\n\t PEVENT_TRACE_PROPERTIES Properties\n\t);\n\ntypedef\nULONG\n(WINAPI\n*pControlTrace)\n(\n\tTRACEHANDLE             SessionHandle,\n\tLPCTSTR                 SessionName,\n\tPEVENT_TRACE_PROPERTIES Properties,\n\tULONG                   ControlCode\n);\n\ntypedef\nTRACEHANDLE\n(WINAPI\n*pOpenTrace)\n(\n\tPEVENT_TRACE_LOGFILE Logfile\n);\n\ntypedef\nULONG\n(WINAPI\n*pProcessTrace)(\n\t_In_ PTRACEHANDLE HandleArray,\n\t_In_ ULONG        HandleCount,\n\t_In_ LPFILETIME   StartTime,\n\t_In_ LPFILETIME   EndTime\n\t);\n\n#ifdef __cplusplus\n};\n#endif\n\ntypedef struct _Sysomn_Event_Properties\n{\n\tEVENT_TRACE_PROPERTIES  Properties;\n\tTCHAR\t\t\t\t    LoggerName[MAX_PATH];\n\tTCHAR\t\t\t\t\tLoggerFile[MAX_PATH];\n\tULONG\t\t\t\t\tdwMax1;\n\tULONG\t\t\t\t\tdwMax2;\n\tULONG\t\t\t\t\tdwMax3;\n\tULONG\t\t\t\t\tdwMax4;\n\tULONG\t\t\t\t\tdwMax5;\n\tULONG\t\t\t\t\tdwMax6;\n\tULONG\t\t\t\t\tdwMax7;\n\tULONG\t\t\t\t\tdwMax8;\n\tULONG\t\t\t\t\tdwMax9;\n\tULONG\t\t\t\t\tdwMax10;\n}Sysomn_Event_Properties;\n\nclass CSsymonEtw\n{\npublic:\n\tCSsymonEtw(void);\n\tvirtual ~CSsymonEtw(void);\n\npublic:\n\tHRESULT StartTrace(BOOL bStart);\n\tULONG   InitData();\n\n\tvoid* GetEventClassPropertyListList(PEVENT_TRACE pEventTrace);\n\tvoid Enter();\n\tvoid Leave();\npublic:\n\tpStartTrace m_pStartTrace;\n\tpControlTrace m_pControlTrace;\n\tpOpenTrace m_pOpenTrace;\n\tpProcessTrace 
m_pProcessTrace;\n\n\tBOOL\t\t\t\tm_bInit;\n\tBOOL\t\t\t\tm_bStartTrace;\n\tTRACEHANDLE\t\t\tm_SessionHandle;\n\tHANDLE\t\t\t\tm_hEtwTraceThread;\n\tHEVENT\t\t\t\tm_hGlobalEvent;\n\n\tBOOL\t\t\t\tm_bInitData;\n\tCRITICAL_SECTION\tm_csData;\n\tFILETIME\t\t\tm_SystemTime;\n\n\tLARGE_INTEGER\t\tm_PerformanceCount;\n\tLARGE_INTEGER\t\tm_Frequency;\n\n\tUINT64\t\t\t\tm_EventClassNums;\n\n\tCSysmonMofData\t\tm_SysmonMofData;\n\t\n\tCMofDataParser\t\tm_MofDataParser;\nprivate:\n\tstatic \n\tUINT\n\tWINAPI\n\tProcessTraceThread(void* lp);\n\n\tstatic\n\tUINT\n\tWINAPI\n\tProcessDataThread(void* lp);\n\n\tstatic\n\tULONG\n\tWINAPI \n\tBufferCallback(\n\t\tPEVENT_TRACE_LOGFILE Buffer\n\t\t);\n\n\tstatic\n\tVOID\n\tWINAPI\n\tEventCallback(\n\t\tPEVENT_TRACE pEvent\n\t\t);\n\npublic:\n\tstatic CSsymonEtw* Instance()\n\t{\n\t\tif (!_Instace)\n\t\t{\n\t\t\t_Instace = new CSsymonEtw();\n\t\t}\n\n\t\treturn _Instace;\n\t}\n\n\tstatic CSsymonEtw* _Instace;\n};\n\n#endif"
  },
  {
    "path": "Sysmon/CSysmonDriverOpt.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CSysmonDriverOpt.h\"\n\n\nCSysmonDriverOpt::CSysmonDriverOpt(void)\n{\n}\n\n\nCSysmonDriverOpt::~CSysmonDriverOpt(void)\n{\n}\n\n\n//======================================== ̬/жsys ======================================\n// SYSļͬĿ¼\n// SYSΪHelloDDK.sys,ôװInstallDriver(\"HelloDDK\",\".\\\\HelloDDK.sys\",\"370030\"/*Altitude*/);\n//  StartDriver(\"HelloDDK\");\n// ֹͣ StopDriver(\"HelloDDK\");\n// жSYSҲƵĵụ̀ DeleteDriver(\"HelloDDK\");\n//====================================================================================================\n\nBOOL CSysmonDriverOpt::InstallDriver(\n\t\t\t\t\t\t\tLPCTSTR lpszDriverName,\n\t\t\t\t\t\t\tLPCTSTR lpszDriverPath,\n\t\t\t\t\t\t\tLPCTSTR lpszAltitude)\n{\n\tTCHAR   szTempStr[MAX_PATH];\n\tHKEY    hKey;\n\tDWORD    dwData;\n\tTCHAR    szDriverImagePath[MAX_PATH];    \n\n\tif( NULL == lpszDriverName || NULL == lpszDriverPath )\n\t{\n\t\treturn FALSE;\n\t}\n\n\t//õ·\n\tGetFullPathName(\n\t\t\tlpszDriverPath,\n\t\t\tMAX_PATH,\n\t\t\tszDriverImagePath,\n\t\t\tNULL);\n\n\tSC_HANDLE hServiceMgr = NULL;\n\tSC_HANDLE hService = NULL;\n\n\t//򿪷ƹ\n\thServiceMgr = OpenSCManager( \n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL, \n\t\t\t\t\t\t\tSC_MANAGER_ALL_ACCESS );\n\n\tif( hServiceMgr == NULL ) \n\t{\n\t\tCloseServiceHandle(hServiceMgr);\n\t\treturn FALSE;        \n\t}\n\n\t//Ӧķ\n\thService = CreateService( hServiceMgr,\n\t\tlpszDriverName,             // עе\n\t\tlpszDriverName,             // עDisplayName ֵ\n\t\tSERVICE_ALL_ACCESS,         // ķȨ\n\t\tSERVICE_FILE_SYSTEM_DRIVER, // ʾصķļϵͳ\n\t\tSERVICE_DEMAND_START,       // עStart ֵ\n\t\tSERVICE_ERROR_IGNORE,       // עErrorControl ֵ\n\t\tszDriverImagePath,          // עImagePath ֵ\n\t\t_T(\"FSFilter Activity Monitor\"),// עGroup ֵ\n\t\tNULL, \n\t\t_T(\"FltMgr\"),                   // עDependOnService ֵ\n\t\tNULL, \n\t\tNULL);\n\n\tif( hService == NULL ) \n\t{        \n\t\tif( GetLastError() == ERROR_SERVICE_EXISTS ) 
\n\t\t{\n\t\t\t//񴴽ʧܣڷѾ\n\t\t\tCloseServiceHandle(hService);       // \n\t\t\tCloseServiceHandle(hServiceMgr);    // SCM\n\t\t\treturn TRUE; \n\t\t}\n\t\telse \n\t\t{\n\t\t\tCloseServiceHandle(hService);       // \n\t\t\tCloseServiceHandle(hServiceMgr);    // SCM\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\tCloseServiceHandle(hService);       // \n\tCloseServiceHandle(hServiceMgr);    // SCM\n\n\t//-------------------------------------------------------------------------------------------------------\n\t// SYSTEM\\\\CurrentControlSet\\\\Services\\\\DriverName\\\\Instancesӽµļֵ \n\t//-------------------------------------------------------------------------------------------------------\n\tlstrcpy(szTempStr,_T(\"SYSTEM\\\\CurrentControlSet\\\\Services\\\\\"));\n\tlstrcat(szTempStr,lpszDriverName);\n\tlstrcat(szTempStr,_T(\"\\\\Instances\"));\n\tif(RegCreateKeyEx(\n\t\t\t\tHKEY_LOCAL_MACHINE,\n\t\t\t\tszTempStr,\n\t\t\t\t0,\n\t\t\t\t_T(\"\"),\n\t\t\t\tTRUE,\n\t\t\t\tKEY_ALL_ACCESS,\n\t\t\t\tNULL,\n\t\t\t\t&hKey,\n\t\t\t\t(LPDWORD)&dwData)!=ERROR_SUCCESS)\n\t{\n\t\treturn FALSE;\n\t}\n\n\t// עDefaultInstance ֵ \n\tlstrcpy(szTempStr,lpszDriverName);\n\tlstrcat(szTempStr,_T(\"Instance\"));\n\tif(RegSetValueEx(\n\t\t\t\t\thKey,\n\t\t\t\t\t_T(\"DefaultInstance\"),\n\t\t\t\t\t0,\n\t\t\t\t\tREG_SZ,\n\t\t\t\t\t(CONST BYTE*)\n\t\t\t\t\tszTempStr,\n\t\t\t\t\t(DWORD)lstrlen(szTempStr)*sizeof(TCHAR))!=ERROR_SUCCESS)\n\t{\n\t\treturn FALSE;\n\t}\n\n\tRegFlushKey(hKey);//ˢע\n\tRegCloseKey(hKey);\n\t//-------------------------------------------------------------------------------------------------------\n\n\t//-------------------------------------------------------------------------------------------------------\n\t// SYSTEM\\\\CurrentControlSet\\\\Services\\\\DriverName\\\\Instances\\\\DriverName Instanceӽµļֵ 
\n\t//-------------------------------------------------------------------------------------------------------\n\tlstrcpy(szTempStr,_T(\"SYSTEM\\\\CurrentControlSet\\\\Services\\\\\"));\n\tlstrcat(szTempStr,lpszDriverName);\n\tlstrcat(szTempStr,_T(\"\\\\Instances\\\\\"));\n\tlstrcat(szTempStr,lpszDriverName);\n\tlstrcat(szTempStr,_T(\"Instance\"));\n\n\tif(RegCreateKeyEx(\n\t\t\tHKEY_LOCAL_MACHINE,\n\t\t\tszTempStr,\n\t\t\t0,\n\t\t\t_T(\"\"),\n\t\t\tTRUE,\n\t\t\tKEY_ALL_ACCESS,\n\t\t\tNULL,\n\t\t\t&hKey,\n\t\t\t(LPDWORD)&dwData)!=ERROR_SUCCESS)\n\t{\n\t\treturn FALSE;\n\t}\n\n\t// עAltitude ֵ\n\tlstrcpy(szTempStr,lpszAltitude);\n\tif(RegSetValueEx(\n\t\t\t\thKey,\n\t\t\t\t_T(\"Altitude\"),\n\t\t\t\t0,\n\t\t\t\tREG_SZ,\n\t\t\t\t(CONST BYTE*)szTempStr,\n\t\t\t\t(DWORD)\n\t\t\t\tlstrlen(szTempStr)*sizeof(TCHAR))!=ERROR_SUCCESS)\n\t{\n\t\treturn FALSE;\n\t}\n\n\t// עFlags ֵ\n\tdwData = 0x0;\n\tif(RegSetValueEx(\n\t\t\t\t\thKey,\n\t\t\t\t\t_T(\"Flags\"),\n\t\t\t\t\t0,\n\t\t\t\t\tREG_DWORD,\n\t\t\t\t\t(CONST BYTE*)&dwData,\n\t\t\t\t\tsizeof(DWORD))!=ERROR_SUCCESS)\n\t{\n\t\treturn FALSE;\n\t}\n\n\tRegFlushKey(hKey);//ˢע\n\tRegCloseKey(hKey);\n\t//-------------------------------------------------------------------------------------------------------\n\n\treturn TRUE;\n}\n\nBOOL CSysmonDriverOpt::StartDriver(LPCTSTR lpszDriverName)\n{\n\tSC_HANDLE        schManager;\n\tSC_HANDLE        schService;\n\tSERVICE_STATUS    svcStatus;\n\n\tif( NULL == lpszDriverName)\n\t{\n\t\treturn FALSE;\n\t}\n\n\tschManager = OpenSCManager(\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tSC_MANAGER_ALL_ACCESS);\n\n\tif(NULL == schManager)\n\t{\n\t\tCloseServiceHandle(schManager);\n\t\treturn FALSE;\n\t}\n\n\tschService = OpenService(\n\t\t\t\t\tschManager,\n\t\t\t\t\tlpszDriverName,\n\t\t\t\t\tSERVICE_ALL_ACCESS);\n\n\tif(NULL == schService)\n\t{\n\t\tCloseServiceHandle(schService);\n\t\tCloseServiceHandle(schManager);\n\t\treturn 
FALSE;\n\t}\n\n\tif(!StartService(\n\t\t\tschService,\n\t\t\t0,\n\t\t\tNULL))\n\t{\n\t\tCloseServiceHandle(schService);\n\t\tCloseServiceHandle(schManager);\n\n\t\tDWORD dwError = GetLastError();\n\t\tif( dwError == ERROR_SERVICE_ALREADY_RUNNING ) \n\t\t{             \n\t\t\treturn TRUE;\n\t\t}\n\n\t\tTCHAR szError[50];\n\t\twsprintf(szError,_T(\"%d\"),dwError);\n\t\tMessageBox(NULL,szError,szError,MB_OK);\n\n\t\treturn FALSE;\n\t}\n\n\tCloseServiceHandle(schService);\n\tCloseServiceHandle(schManager);\n\n\treturn TRUE;\n}\n\nBOOL CSysmonDriverOpt::StopDriver(LPCTSTR lpszDriverName)\n{\n\tSC_HANDLE        schManager;\n\tSC_HANDLE        schService;\n\tSERVICE_STATUS    svcStatus;\n\tbool            bStopped=false;\n\n\tschManager = OpenSCManager(\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tSC_MANAGER_ALL_ACCESS);\n\tif(NULL == schManager)\n\t{\n\t\treturn FALSE;\n\t}\n\n\tschService = OpenService(\n\t\t\t\t\t\tschManager,\n\t\t\t\t\t\tlpszDriverName,\n\t\t\t\t\t\tSERVICE_ALL_ACCESS);\n\tif(NULL == schService)\n\t{\n\t\tCloseServiceHandle(schManager);\n\t\treturn FALSE;\n\t}\n\n\tif(!ControlService(\n\t\t\t\t\tschService,\n\t\t\t\t\tSERVICE_CONTROL_STOP,\n\t\t\t\t\t&svcStatus) &&\n\t\t\t\t\t(svcStatus.dwCurrentState != SERVICE_STOPPED))\n\t{\n\t\tCloseServiceHandle(schService);\n\t\tCloseServiceHandle(schManager);\n\t\treturn FALSE;\n\t}\n\n\tCloseServiceHandle(schService);\n\tCloseServiceHandle(schManager);\n\n\treturn TRUE;\n}\n\nBOOL CSysmonDriverOpt::DeleteDriver(LPCTSTR lpszDriverName)\n{\n\tSC_HANDLE        schManager;\n\tSC_HANDLE        schService;\n\tSERVICE_STATUS    svcStatus;\n\n\tschManager = OpenSCManager(\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tSC_MANAGER_ALL_ACCESS);\n\tif(NULL == schManager)\n\t{\n\t\treturn FALSE;\n\t}\n\n\tschService = OpenService(\n\t\t\t\t\t\tschManager,\n\t\t\t\t\t\tlpszDriverName,\n\t\t\t\t\t\tSERVICE_ALL_ACCESS);\n\n\tif(NULL == schService)\n\t{\n\t\tCloseServiceHandle(schManager);\n\t\treturn 
FALSE;\n\t}\n\n\tControlService(\n\t\t\t\tschService,\n\t\t\t\tSERVICE_CONTROL_STOP,\n\t\t\t\t&svcStatus);\n\n\tif(!DeleteService(schService))\n\t{\n\t\tCloseServiceHandle(schService);\n\t\tCloseServiceHandle(schManager);\n\t\treturn FALSE;\n\t}\n\n\tCloseServiceHandle(schService);\n\tCloseServiceHandle(schManager);\n\n\treturn TRUE;\n}\n"
  },
  {
    "path": "Sysmon/CSysmonDriverOpt.h",
    "content": "#ifndef _CSysmonDriverOpt_h\n#define _CSysmonDriverOpt_h\n\nclass CSysmonDriverOpt\n{\npublic:\n\tCSysmonDriverOpt(void);\n\tvirtual ~CSysmonDriverOpt(void);\npublic:\n\tBOOL InstallDriver(\n\t\t\t\t\tLPCTSTR lpszDriverName,\n\t\t\t\t\tLPCTSTR lpszDriverPath,\n\t\t\t\t\tLPCTSTR lpszAltitude); \n\n\tBOOL StartDriver(LPCTSTR lpszDriverName);\n\n\tBOOL StopDriver(LPCTSTR lpszDriverName);\n\n\tBOOL DeleteDriver(LPCTSTR lpszDriverName);\n};\n\n#endif"
  },
  {
    "path": "Sysmon/CSysmonMofData.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CSysmonMofData.h\"\n#include \"CSsymonEtw.h\"\n#include \"CSysmonUtil.h\"\n#include \"Sysmon.h\"\n\n#define MAX_MOF_DATA_LIST 357913940\n\nCTcpIpInfo CSysmonMofData::m_TcpIpEventTypeName[25]  = {\n\t{_T(\"Send\"),2},\n\t{_T(\"SendIPV4\"),2},\n\t{_T(\"SendIPV6\"),2},\n\t{_T(\"Recv\"),3},\n\t{_T(\"RecvIPV4\"),3},\n\t{_T(\"RecvIPV6\"),3},\n\t{_T(\"Accept\"),4},\n\t{_T(\"AcceptIPV4\"),4},\n\t{_T(\"AcceptIPV6\"),4},\n\t{_T(\"Connect\"),5},\n\t{_T(\"ConnectIPV4\"),5},\n\t{_T(\"ConnectIPV6\"),5},\n\t{_T(\"Disconnect\"),6},\n\t{_T(\"DisconnectIPV4\"),6},\n\t{_T(\"DisconnectIPV6\"),6},\n\t{_T(\"Reconnect\"),7},\n\t{_T(\"ReconnectIPV4\"),7},\n\t{_T(\"ReconnectIPV6\"),7},\n\t{_T(\"Retransmit\"),8},\n\t{_T(\"RetransmitIPV4\"),8},\n\t{_T(\"RetransmitIPV6\"),8},\n\t{_T(\"TCPCopy\"),9},\n\t{_T(\"TCPCopyIPV4\"),9},\n\t{_T(\"TCPCopyIPV6\"),9}\n};\n\nCSysmonMofData::CSysmonMofData(void)\n\t:m_pIWbemService(NULL)\n\t,m_EventListNums(0)\n{\n\tm_SysmonEventList = new CSysmonEventList(0,0);\n}\n\n\nCSysmonMofData::~CSysmonMofData(void)\n{\n\tif (m_SysmonEventList)\n\t{\n\t\tdelete m_SysmonEventList;\n\t\tm_SysmonEventList = NULL;\n\t}\n}\n\nHRESULT CSysmonMofData::CoCreateInstance()\n{\n\tOLECHAR *pwWdmi;\n\tHRESULT hr;\n\tIWbemLocator *pLocator;\n\t\n\tpLocator = 0;\n\tpwWdmi = SysAllocString(L\"root\\\\wmi\");\n\tCoInitializeEx(0, 0);\n\thr = ::CoCreateInstance(\n\t\t\t\t\t\t\t__uuidof(WbemLocator),\n\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\tCLSCTX_INPROC_SERVER,\n\t\t\t\t\t\t\t__uuidof(IWbemLocator),\n\t\t\t\t\t\t\t(LPVOID *)&pLocator);\n\tif ( SUCCEEDED(hr) )\n\t{\n\t\thr = pLocator->ConnectServer(\n\t\t\t\t\t\t\t\tpwWdmi,\n\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\tNULL, \n\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t0L,\n\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t&m_pIWbemService);\n\n\t\tif ( SUCCEEDED(hr) )\n\t\t\thr = CoSetProxyBlanket(\n\t\t\t\t\t\t\t\tm_pIWbemService, 
\n\t\t\t\t\t\t\t\tRPC_C_AUTHN_WINNT,\n\t\t\t\t\t\t\t\tRPC_C_AUTHZ_NONE,\n\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\tRPC_C_AUTHN_LEVEL_PKT,\n\t\t\t\t\t\t\t\tRPC_C_IMP_LEVEL_IMPERSONATE,\n\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\tEOAC_NONE);\n\t}\n\n\tSysFreeString(pwWdmi);\n\tif ( pLocator )\n\t\tpLocator->Release();\n\n\treturn hr;\n}\n\nCSysmonDataEntry* CSysmonMofData::Phase_1(\n\tGUID* ClassGuid,\n\tUSHORT Version,\n\tUSHORT Level,\n\tUSHORT Type)\n{\n\tCSysmonDataEntry* pDataEntry = NULL;\n\tLONG nIndex = 0;\n\tdo \n\t{\n\n\t\tif ( !m_EventListNums )\n\t\t{\n\t\t\tCSysmonDataEntry* pDataEntry_1 = new CSysmonDataEntry(\n\t\t\t\t(GUID*)&EventTraceGuid,\n\t\t\t\t-1,\n\t\t\t\t0,\n\t\t\t\t0);\n\n\t\t\tif ( pDataEntry_1 )\n\t\t\t{\n\t\t\t\tpDataEntry_1->InitData(&pDataEntry_1->m_EventClassName, L\"EventTrace\");\n\t\t\t\tpDataEntry_1->InitData(&pDataEntry_1->m_EventTypeName, L\"Header\");\n\n\t\t\t\tCSysmonEventList* pEventList = m_SysmonEventList->InsertBack(\n\t\t\t\t\tm_SysmonEventList->m_Entry.Blink,\n\t\t\t\t\tpDataEntry_1);\n\n\t\t\t\tif ( (unsigned int)(MAX_MOF_DATA_LIST - m_EventListNums) < 1 )\n\t\t\t\t{\n\t\t\t\t\t//std::_Xlength_error(\"list<T> too long\");\n\t\t\t\t}\n\n\t\t\t\t++m_EventListNums;\n\n\t\t\t\tm_SysmonEventList->m_Entry.Blink = &pEventList->m_Entry;\n\t\t\t\tpEventList->m_Entry.Blink->Flink = &pEventList->m_Entry;\n\t\t\t}\n\t\t}\n\n\t\tif ( !IsListEmpty(&m_SysmonEventList->m_Entry) )\n\t\t{\n\t\t\tLIST_ENTRY* pEntry = m_SysmonEventList->m_Entry.Flink;\n\t\t\tCSysmonDataEntry* pTem_2 = NULL;\n\t\t\tCSysmonDataEntry* pTem_3 = NULL;\n\t\t\twhile(TRUE)\n\t\t\t{\n\t\t\t\tCSysmonEventList* pList = CONTAINING_RECORD(pEntry,CSysmonEventList,m_Entry);\n\t\t\t\tCSysmonDataEntry* pTemp = (CSysmonDataEntry*)pList->m_pEvent;\n\t\t\t\t\n\t\t\t\tint TotleSize = 12;\n\n\t\t\t\tif (pTemp)\n\t\t\t\t{\n\t\t\t\t\tLONG* p1 = (LONG*)&(pTemp->m_EventGuid);\n\t\t\t\t\tLONG* p2 = (LONG*)ClassGuid;\n\n\t\t\t\t\twhile( *p1 == 
*p2)\n\t\t\t\t\t{\n\t\t\t\t\t\tp1++;\n\t\t\t\t\t\tp2++;\n\n\t\t\t\t\t\tBOOL bExit = TotleSize < 4;\t\t\t\t\t\t\n\t\t\t\t\t\tTotleSize -= 4;\n\n\t\t\t\t\t\tif (bExit)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif ( pTemp->m_EventType == Type &&\n\t\t\t\t\t\t\t\tpTemp->m_EventVersion == Version)\n\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\tpDataEntry = pTemp;\n\t\t\t\t\t\t\t\treturn pDataEntry;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tif (pTemp->m_EventType == 0x0FFFF )\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif (!pTem_2)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tpTem_2 = pTemp;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\t\t\t\t\t\t\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tpEntry = pEntry->Flink;\n\n\t\t\t\tif (pEntry != &m_SysmonEventList->m_Entry)\n\t\t\t\t{\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif (!pDataEntry)\n\t\t{\n\t\t\tpDataEntry = GetEventCategoryClass(ClassGuid,Version,Level,Type);\n\n\t\t\tif (!pDataEntry)\n\t\t\t{\n\t\t\t\tpDataEntry = new CSysmonDataEntry(\n\t\t\t\t\t\t\t\t\t\t\tClassGuid,\n\t\t\t\t\t\t\t\t\t\t\tType,\n\t\t\t\t\t\t\t\t\t\t\tVersion,\n\t\t\t\t\t\t\t\t\t\t\tLevel);\n\n\t\t\t\tif ( pDataEntry )\n\t\t\t\t{\n\t\t\t\t\tpDataEntry->m_EventClassName = NULL;\n\t\t\t\t\tpDataEntry->m_EventTypeName = NULL;\n\n\t\t\t\t\tpDataEntry->m_ProperityList = 0;\n\t\t\t\t\tpDataEntry->m_ProperitySize = 0;\n\t\t\t\t\t\t\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t\n\t} while (FALSE);\n\t\n\n\treturn pDataEntry;\n}\n\nvoid \nCSysmonMofData::Phase_2(\n\tPEVENT_TRACE pEvent,\n\tCSysmonDataEntry* pDataEntry\n\t)\n{\n\tLARGE_INTEGER SystemTime;\n\tLARGE_INTEGER SystemTime_2;\n\n\t__try\n\t{\n\t\tif (pEvent && pDataEntry)\n\t\t{\n\t\t\tif (pEvent->MofData && \n\t\t\t\tpEvent->MofLength)\n\t\t\t{\n\t\t\t\tCSysmonData* pEventClass = pDataEntry->m_EventClassName;\n\t\t\t\tULONG dwClassType = 0;\n\n\t\t\t\tif (pEventClass && pEventClass->Compare(_T(\"TcpIp\")))\n\t\t\t\t{\n\t\t\t\t\tdwClassType = 1;\n\t\t\t\t}\n\t\t\t\telse if (pEventClass && 
pEventClass->Compare(_T(\"UdpIp\")))\n\t\t\t\t{\n\t\t\t\t\tdwClassType = 2;\n\t\t\t\t}\n\t\t\t\telse if (pEventClass && pEventClass->Compare(_T(\"MSNT_TcpIpInformation\")))\n\t\t\t\t{\n\t\t\t\t\tdwClassType = 3;\n\t\t\t\t}\n\n\t\t\t\tif ( dwClassType == 1 ||\n\t\t\t\t\tdwClassType == 2 ||\n\t\t\t\t\tdwClassType == 3 )\n\t\t\t\t{\n\t\t\t\t\tBOOL v15 = (pEvent->Header.TimeStamp.HighPart == 0x1000000);\n\t\t\t\t\tBOOL v16 = (pEvent->Header.TimeStamp.HighPart > 0x1000000);\n\n\t\t\t\t\tif (pEvent->Header.TimeStamp.HighPart < 0x1000000 ||\n\t\t\t\t\t\tpEvent->Header.TimeStamp.LowPart < 0 )\n\t\t\t\t\t{\n\t\t\t\t\t\tSystemTime.QuadPart = CSysmonUtil::CounterTimes(\n\t\t\t\t\t\t\tCSsymonEtw::Instance()->m_SystemTime,\n\t\t\t\t\t\t\tpEvent->Header.TimeStamp.QuadPart - \n\t\t\t\t\t\t\tCSsymonEtw::Instance()->m_PerformanceCount.QuadPart\n\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\tSystemTime_2.LowPart = CSsymonEtw::Instance()->m_SystemTime.dwLowDateTime;\n\t\t\t\t\t\tSystemTime_2.HighPart = CSsymonEtw::Instance()->m_SystemTime.dwHighDateTime;\n\t\t\t\t\t\tSystemTime_2.QuadPart += SystemTime.QuadPart;\n\n\t\t\t\t\t\tSystemTime.LowPart = CSsymonEtw::Instance()->m_SystemTime.dwLowDateTime;\n\t\t\t\t\t\tSystemTime.HighPart = CSsymonEtw::Instance()->m_SystemTime.dwHighDateTime;\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tSystemTime_2.HighPart = pEvent->Header.TimeStamp.HighPart;\n\t\t\t\t\t\tSystemTime_2.LowPart = pEvent->Header.TimeStamp.LowPart;\n\n\t\t\t\t\t\tSystemTime.LowPart = CSsymonEtw::Instance()->m_SystemTime.dwLowDateTime;\n\t\t\t\t\t\tSystemTime.HighPart = CSsymonEtw::Instance()->m_SystemTime.dwHighDateTime;\n\t\t\t\t\t}\n\n\n\t\t\t\t\tif (SystemTime_2.QuadPart >= SystemTime.QuadPart)\n\t\t\t\t\t{\n\t\t\t\t\t\tCSysmonData* pEventType = pDataEntry->m_EventTypeName;\n\t\t\t\t\t\tLONG EventType = 0;\n\t\t\t\t\t\tBOOL IsUdp = FALSE;\n\n\t\t\t\t\t\t__try\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIsUdp = 
pEventClass->CompareN(_T(\"Udp\"),3);\n\t\t\t\t\t\t}\n\t\t\t\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIsUdp = FALSE;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t\n\t\t\t\t\t\tif (pEventType && pEventType->Len())\n\t\t\t\t\t\t{\t\t\t\t\t\t\n\t\t\t\t\t\t\tLONG nI = 0;\n\t\t\t\t\t\t\tBOOL NotEque = TRUE;\n\t\t\t\t\t\t\t__try\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twhile(TRUE && nI < 24)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tBSTR pEventTypeName_1 = CSysmonMofData::m_TcpIpEventTypeName[nI].NetName;\n\t\t\t\t\t\t\t\t\tBSTR pEventTypeName_2 = pEventType->m_pData;\n\t\t\t\t\t\t\t\t\twhile(TRUE && pEventTypeName_1 && pEventTypeName_2)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tif (pEventTypeName_1[0] != pEventTypeName_2[0])\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\tif (pEventTypeName_1[0] == 0)\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tNotEque = FALSE;\n\t\t\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\tpEventTypeName_1++;\n\t\t\t\t\t\t\t\t\t\tpEventTypeName_2++;\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tif (NotEque == FALSE)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tnI++;\n\n\t\t\t\t\t\t\t\t\tif (nI > 24)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tEventType = 0;\n\t\t\t\t\t\t\t\t\t\t__leave;\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tEventType = CSysmonMofData::m_TcpIpEventTypeName[nI].NetType;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t}\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tEventType = (pEvent->Header.Class.Type==11)?3:(pEvent->Header.Class.Type==10)+1;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (IsUdp == TRUE || EventType == 4 || EventType == 5)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif ( pDataEntry->m_ProperityList 
&&\n\t\t\t\t\t\t\t\t!pDataEntry->m_ProperityList->IsListEmpty())\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t__try\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tSysmon_Net_Report* NetReport = (Sysmon_Net_Report*)\n\t\t\t\t\t\t\t\t\t\tmalloc(sizeof(Sysmon_Net_Report));\n\n\t\t\t\t\t\t\t\t\tif (NetReport)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tNetReport->NrEventType = 1;\n\t\t\t\t\t\t\t\t\t\tNetReport->NrProcessId = pEvent->Header.ProcessId;\n\t\t\t\t\t\t\t\t\t\tif (pEvent->Header.ThreadId == -1)\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tNetReport->NrThreadId = 0;\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tNetReport->NrThreadId = pEvent->Header.ThreadId;\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t__m128i m128Zero = {0};\n\t\t\t\t\t\t\t\t\t\t_mm_storeu_si128((__m128i *)&NetReport->NrGuid, m128Zero);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\t\t\t\t\n\t\t\t}\n\t\t}\n\t}\n\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t{\n\n\t}\n}\n\nCSysmonDataEntry* \nCSysmonMofData::GetEventCategoryClass(\n\tGUID* ClassGuid,\n\tUSHORT Version,\n\tUSHORT Level,\n\tUSHORT Type)\n{\n\tHRESULT hr = S_OK;\n\tOLECHAR* oleTrace = NULL;\n\tOLECHAR* oleClassName = NULL;\n\tOLECHAR* oleGuid = NULL;\n\tOLECHAR* oleVersion = NULL;\n\tVARIANT varGuid;\n\tVARIANT varVersion;\n\tVARIANT varClassName;\n\tCSysmonDataEntry* pDataEntry;\n\tOLECHAR* oleClassName_2 = NULL;\n\tpDataEntry = NULL;\n\tIEnumWbemClassObject* pClasses = NULL;\n\tIEnumWbemClassObject* pClasses_2 = NULL;\n\tIWbemClassObject* pClass = NULL;\n\tIWbemClassObject* pClass_2 = NULL;\n\tIWbemQualifierSet* pQualifiers = NULL;\n\tULONG CntTrace = 1;\n\tULONG CntClass = 1;\n\tTCHAR EventGuid[5*sizeof(GUID)] = {0};\n\tTCHAR GuidString[5*sizeof(GUID)] = 
{0};\n\n\tVariantInit(&varClassName);\n\tVariantInit(&varGuid);\n\tVariantInit(&varVersion);\n\n\tdo\n\t{\n\t\tif (!m_pIWbemService && CoCreateInstance())\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\tStringCchPrintf(\n\t\t\tEventGuid,\n\t\t\t5*sizeof(GUID),\n\t\t\t_T(\"{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\"),\n\t\t\tClassGuid->Data1,\n\t\t\tClassGuid->Data2,\n\t\t\tClassGuid->Data3,\n\t\t\tClassGuid->Data4[0],\n\t\t\tClassGuid->Data4[1],\n\t\t\tClassGuid->Data4[2],\n\t\t\tClassGuid->Data4[3],\n\t\t\tClassGuid->Data4[4],\n\t\t\tClassGuid->Data4[5],\n\t\t\tClassGuid->Data4[6],\n\t\t\tClassGuid->Data4[7]);\n\n\t\toleTrace\t\t= SysAllocString(_T(\"EventTrace\"));\n\t\toleClassName\t= SysAllocString(_T(\"__CLASS\"));\n\t\toleGuid\t\t\t= SysAllocString(_T(\"Guid\"));\n\t\toleVersion\t= SysAllocString(_T(\"EventVersion\"));\n\n\t\thr = m_pIWbemService->CreateClassEnum(\n\t\t\t\t\t\t\t\t\toleTrace,\n\t\t\t\t\t\t\t\t\tWBEM_FLAG_DEEP | \n\t\t\t\t\t\t\t\t\tWBEM_FLAG_UPDATE_ONLY | \n\t\t\t\t\t\t\t\t\tWBEM_FLAG_USE_AMENDED_QUALIFIERS,\n\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t&pClasses);\n\t\tSysFreeString(oleTrace);\n\n\t\tif (hr != S_OK)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\t__try\n\t\t{\t\t\n\n\t\t\tdo \n\t\t\t{\n\t\t\t\tif (pClass)\n\t\t\t\t{\n\t\t\t\t\tpClass->Release();\n\t\t\t\t\tpClass = NULL;\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\tif( pClasses->Next(5000,1, &pClass, &CntTrace) != S_OK)\n\t\t\t\t{\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\n\t\t\t\tif (CntTrace != 1)\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\n\t\t\t\tif ( pClass->Get(oleClassName, 0, &varClassName, 0, 0) != S_OK )\n\t\t\t\t\tcontinue;\n\n\t\t\t\toleClassName_2 = SysAllocString(varClassName.bstrVal);\n\t\t\t\tm_pIWbemService->CreateClassEnum(\n\t\t\t\t\toleClassName_2,\n\t\t\t\t\tWBEM_FLAG_DEEP | \n\t\t\t\t\tWBEM_FLAG_UPDATE_ONLY | \n\t\t\t\t\tWBEM_FLAG_USE_AMENDED_QUALIFIERS,\n\t\t\t\t\t0,\n\t\t\t\t\t&pClasses_2);\n\n\t\t\t\tSysFreeString(oleClassName_2);\n\t\t\t\tVariantClear(&varClassName);\n\n\t\t\t\tCntClass = 
1;\n\n\t\t\t\tdo \n\t\t\t\t{\n\t\t\t\t\tpClass_2 = NULL;\n\t\t\t\t\tif (pClasses_2)\n\t\t\t\t\t{\n\t\t\t\t\t\tif ( pClasses_2->Next(5000, 1, &pClass_2, &CntClass) != S_OK )\n\t\t\t\t\t\t\tcontinue;\n\n\t\t\t\t\t\tif ( CntClass != 1 )\n\t\t\t\t\t\t\tbreak;\t\t\t\t\t\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tCntClass = 1;\n\t\t\t\t\t\tpClass_2 = pClass;\n\t\t\t\t\t}\n\n\t\t\t\t\tHRESULT hr2 = pClass_2->Get(oleClassName, 0, &varClassName, 0, 0);\n\t\t\t\t\tVariantClear(&varClassName);\n\n\t\t\t\t\tif (hr2 == S_OK)\n\t\t\t\t\t{\n\t\t\t\t\t\tif ( pQualifiers )\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpQualifiers->Release();\n\t\t\t\t\t\t\tpQualifiers = 0;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tHRESULT hrQualifier = pClass_2->GetQualifierSet(&pQualifiers);\n\n\t\t\t\t\t\tif ( FAILED(hrQualifier))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif(pQualifiers->Get(\n\t\t\t\t\t\t\toleGuid,\n\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t&varGuid,\n\t\t\t\t\t\t\t0) == S_OK)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\twcscpy_s(GuidString, 5*sizeof(GUID), varGuid.bstrVal);\n\t\t\t\t\t\t\tVariantClear(&varGuid);\n\n \t\t\t\t\t\t\tif ( !wcsstr(GuidString, L\"{\") )\n \t\t\t\t\t\t\t\tStringCchPrintf(GuidString, 5*sizeof(GUID),_T(\"{%s}\"),GuidString);\n\n\t\t\t\t\t\t\tif ( !_wcsicmp(GuidString, EventGuid) )\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif(pQualifiers->Get(\n\t\t\t\t\t\t\t\t\toleVersion,\n\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t&varVersion,\n\t\t\t\t\t\t\t\t\t0) == S_OK)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tVariantChangeType(&varVersion, &varVersion, 0, VT_I2);\n\t\t\t\t\t\t\t\t\tWORD VersionTmp = varVersion.iVal;\n\t\t\t\t\t\t\t\t\tVariantClear(&varVersion);\n\t\t\t\t\t\t\t\t\tif ( Version != VersionTmp )\n\t\t\t\t\t\t\t\t\t\tcontinue;\n\n\t\t\t\t\t\t\t\t\tpDataEntry = 
GetPropertyList(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpClass_2,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tClassGuid,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tVersion,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tLevel,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tType);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tpDataEntry = GetPropertyList(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tpClass_2,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tClassGuid,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tVersion,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tLevel,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tType);\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t__leave;\n\t\t\t\t\t\t\t}\t\t\t\t\t\t\t\n\t\t\t\t\t\t}\t\t\t\t\t\n\t\t\t\t\t}\n\n\t\t\t\t} while (CntClass == 1);\n\n\t\t\t\tif (pClasses_2)\n\t\t\t\t{\n\t\t\t\t\tpClasses_2->Release();\n\t\t\t\t\tpClasses_2 = NULL;\n\t\t\t\t}\n\n\t\t\t} while (CntTrace == 1);\n\n\t\t}\n\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t{\n\n\t\t}\n\t\t\n\t\tif (pClasses)\n\t\t{\n\t\t\tpClasses->Release();\n\t\t\tpClasses = NULL;\n\t\t}\n\n\t} while (FALSE);\n\t\t\n\tVariantClear(&varGuid);\n\tVariantClear(&varVersion);\n\n\tSysFreeString(oleGuid);\n\tSysFreeString(oleClassName);\n\tSysFreeString(oleVersion);\n\n\tif (pClasses)\n\t{\n\t\tpClasses->Release();\n\t\tpClasses = NULL;\n\t}\n\n\tif (pClasses_2)\n\t{\n\t\tpClasses_2->Release();\n\t\tpClasses_2 = NULL;\n\t}\n\n\tif (pQualifiers)\n\t{\n\t\tpQualifiers->Release();\n\t\tpQualifiers = NULL;\n\t}\n\n\treturn pDataEntry;\n}\n\nvoid CSysmonMofData::InsertBack(\n\t\t\tCSysmonEventList* pEventList,\n\t\t\tLONG* Reference,\n\t\t\tvoid* pElm)\n{\n\tCSysmonEventList* pNewList = pEventList->InsertBack(pEventList->m_Entry.Blink,pElm);\n\t(*Reference)++;\n\t if ( 0x15555554 - *Reference < 1 )\n\t {\n\t\t //std::_Xlength_error(\"list<T> too long\");\n\t }\n\n\t (*Reference)++;\n\t pEventList->m_Entry.Blink = &pNewList->m_Entry;\n\t pNewList->m_Entry.Blink->Flink = &pNewList->m_Entry;\n}\n\nvoid CSysmonDataEntry::operator =(CSysmonDataEntry* pDataEntry)\n{\n\tif (this != 
pDataEntry)\n\t{\n\t\tm_EventClassName = pDataEntry->m_EventClassName;\n\t\tif ( pDataEntry->m_EventClassName )\n\t\t\tInterlockedIncrement((volatile LONG *)&m_EventClassName->m_Reference);\n\t}\n}\n\nvoid CSysmonMofData::SysmonAddProperityList(\n\t\t\t\tCSysmonEventList* pList, \n\t\t\t\tBSTR ProperityName,\n\t\t\t\tLONG Len,\n\t\t\t\tLONG ArraySize)\n{\n\tif ( pList)\n\t{\n\t\tLONG Reference = 0;\n\t\tLIST_ENTRY* pEntry = pList->m_Entry.Flink;\n\t\twhile( pEntry != &pList->m_Entry)\n\t\t{\n\t\t\tCSysmonEventList* pEventList = CONTAINING_RECORD(pEntry,CSysmonEventList,m_Entry);\n\n\t\t\tif (pEventList)\n\t\t\t{\n\t\t\t\tCSysmonDataEntry* pDataEntry = (CSysmonDataEntry*)pEventList->m_pEvent;\n\n\t\t\t\tif (pDataEntry)\n\t\t\t\t{\n\t\t\t\t\tCSysmonProperty* pProperity = new CSysmonProperty(ProperityName,Len,ArraySize);\n\t\t\t\t\tpDataEntry->m_ProperitySize++;\n\n\t\t\t\t\tCSysmonEventList* pNewList = pDataEntry->m_ProperityList->InsertBack(\n\t\t\t\t\t\tpDataEntry->m_ProperityList->m_Entry.Blink,\n\t\t\t\t\t\tpProperity);\n\n\t\t\t\t\tpDataEntry->m_ProperityList->m_Entry.Blink = &pNewList->m_Entry;\n\t\t\t\t\tpNewList->m_Entry.Blink = &pNewList->m_Entry;\n\n\t\t\t\t}\n\t\t\t\t\n\t\t\t}\t\t\n\t\t\t\n\n\t\t\tpEntry = pEntry->Flink;\n\t\t}\n\n\t}\n}\n\nCSysmonDataEntry* CSysmonMofData::GetPropertyList(\n\t\t\t\t\t\t\tIWbemClassObject* pClass,\n\t\t\t\t\t\t\tGUID* ClassGuid,\n\t\t\t\t\t\t\tUSHORT Version,\n\t\t\t\t\t\t\tUSHORT Level,\n\t\t\t\t\t\t\tUSHORT Type)\n{\n\tCSysmonDataEntry* pDataEntry;\n\tCSysmonEventList* pEventList;\n\tCSysmonEventList* pEventList_2;\n\tCSysmonDataEntry* pRetEventv63;\n\tCSysmonDataEntry* pOldDataEntry;\n\tLONG Reference;\n\tBSTR bstrDisplayName;\n\tBSTR bstrClassName;\n\tBSTR bstrEventType;\n\tBSTR bstrEventTypeName;\n\tBSTR bstrWmiDataId;\n\tBSTR bstrVarClassName;\n\tVARIANT varClassName;\n\tVARIANT varDisplayName;\n\tVARIANTARG vargType;\n\tVARIANTARG vargTypeName;\n\tIWbemQualifierSet * pQualifierSet = NULL;\n\tIEnumWbemClassObject* 
pClasses = NULL;\n\tIWbemClassObject*\t  pClass_1 = NULL;\n\tULONG Cnt;\n\tHRESULT hr;\n\tULONG*\t\tppvData;\n\tBSTR*\t\tppvData_2;\n\tOLECHAR szClassName[MAX_PATH] = {0};\n\tOLECHAR szEventName[MAX_PATH] = {0};\n\tpSafeArrayDestroy ApiSafeArrayDestroy = NULL;\n\tpSafeArrayGetElement ApiSafeArrayGetElement = NULL;\n\tpEventList = new CSysmonEventList(0,0);\n\tpDataEntry = NULL;\n\tVariantInit(&varClassName);\n\tVariantInit(&varDisplayName);\n\tVariantInit(&vargType);\n\tVariantInit(&vargTypeName);\n\n\t//VariantInit(&v40);\n\t//VariantInit(&v36);\n\tReference = 1;\n\tpRetEventv63 = NULL;\n\tbstrClassName = SysAllocString(L\"__CLASS\");\n\tbstrWmiDataId = SysAllocString(L\"WmiDataId\");\n\tbstrEventType = SysAllocString(L\"EventType\");\n\tbstrEventTypeName = SysAllocString(L\"EventTypeName\");\n\tbstrDisplayName = SysAllocString(L\"DisplayName\");\n\n\tif ( pClass->Get(\n\t\t\t\t\tbstrClassName,\n\t\t\t\t\t0,\n\t\t\t\t\t&varClassName, \n\t\t\t\t\t0,\n\t\t\t\t\t0) == S_OK )\n\t{\n\t\tStringCchCopy(\n\t\t\t\tszClassName,\n\t\t\t\tMAX_PATH,\n\t\t\t\tvarClassName.bstrVal);\n\n\t\tif (pQualifierSet)\n\t\t{\n\t\t\tpQualifierSet->Release();\n\t\t\tpQualifierSet = NULL;\n\t\t}\n\n\t\tpClass->GetQualifierSet(&pQualifierSet);\n\t\tif ( !pQualifierSet->Get(\n\t\t\t\t\t\t\t\tbstrDisplayName,\n\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t&varDisplayName,\n\t\t\t\t\t\t\t\t0) && varDisplayName.lVal )\n\t\t\t\tStringCchCopy(szClassName, MAX_PATH, varDisplayName.bstrVal);\n\n\t\tpDataEntry = new CSysmonDataEntry(ClassGuid,-1,-1,-1);\n\t\tpRetEventv63 = pDataEntry;\n\t\tpOldDataEntry = pDataEntry;\n\n\t\tif (pDataEntry)\n\t\t{\n\t\t\tpDataEntry->InitData(&pDataEntry->m_EventClassName,szClassName);\n\t\t\tpEventList_2 = pEventList->InsertBack(\n\t\t\t\t\t\t\t\t\t\t\tpEventList->m_Entry.Blink,\n\t\t\t\t\t\t\t\t\t\t\tpDataEntry);\n\n\t\t\tpEventList->m_Entry.Blink = &pEventList_2->m_Entry;\n\t\t\tpEventList_2->m_Entry.Blink->Flink = &pEventList_2->m_Entry;\n\n\t\t\tbstrVarClassName = 
SysAllocString(varClassName.bstrVal);\n\t\t\thr = m_pIWbemService->CreateClassEnum(\n\t\t\t\t\t\t\t\t\t\t\tbstrVarClassName,\n\t\t\t\t\t\t\t\t\t\t\tWBEM_FLAG_DEEP | \n\t\t\t\t\t\t\t\t\t\t\tWBEM_FLAG_UPDATE_ONLY | \n\t\t\t\t\t\t\t\t\t\t\tWBEM_FLAG_USE_AMENDED_QUALIFIERS,\n\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t&pClasses);\n\t\t\tSysFreeString(bstrVarClassName);\n\n\t\t\tif ( hr == S_OK)\n\t\t\t{\n\t\t\t\tApiSafeArrayDestroy = SafeArrayDestroy;\n\t\t\t\tApiSafeArrayGetElement = SafeArrayGetElement;\n\n\t\t\t\tCnt = 1;\n\t\t\t\twhile ( TRUE )\n\t\t\t\t{\n\t\t\t\t\tpClass_1 = 0;\n\t\t\t\t\tif ( pClasses->Next(5000, 1, &pClass_1, &Cnt) != S_OK )\n\t\t\t\t\t{\n\n\t\t\t\t\t\tpClass_1 = pClass;\n\t\t\t\t\t\tpClass_1->AddRef();\n\n\t\t\t\t\t}\n\n\t\t\t\t\tif ( pQualifierSet )\n\t\t\t\t\t{\n\t\t\t\t\t\tpQualifierSet->Release();\n\t\t\t\t\t\tpQualifierSet = 0;\n\t\t\t\t\t}\n\n\t\t\t\t\tpClass_1->GetQualifierSet(&pQualifierSet);\n\t\t\t\t\t VariantClear(&vargType);\n\n\t\t\t\t\t if ( pQualifierSet->Get(\n\t\t\t\t\t\t\t\t\t\t\tbstrEventType,\n\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t&vargType,\n\t\t\t\t\t\t\t\t\t\t\t0) == S_OK )\n\t\t\t\t\t {\n\n\t\t\t\t\t\t if (vargType.vt & VT_ARRAY)\n\t\t\t\t\t\t {\n\t\t\t\t\t\t\t SAFEARRAY* pl1 = vargType.parray;\n\t\t\t\t\t\t\t SAFEARRAY* pl2 = NULL;\n\t\t\t\t\t\t\t LONG plLbound_1 = 0;\n\t\t\t\t\t\t\t LONG plUbound_1 = 0;\n\t\t\t\t\t\t\t LONG plLbound_2 = 0;\n\t\t\t\t\t\t\t LONG plUbound_2 = 0;\n\t\t\t\t\t\t\t VariantClear(&vargTypeName);\n\t\t\t\t\t\t\t if ( pQualifierSet->Get(\n\t\t\t\t\t\t\t\t\t\t\t\t\tbstrEventTypeName,\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\t&vargTypeName, \n\t\t\t\t\t\t\t\t\t\t\t\t\t0) == S_OK && (vargTypeName.vt & VT_ARRAY) )\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t pl2 = vargTypeName.parray;\n\t\t\t\t\t\t\t }\n\n\t\t\t\t\t\t\t if ( !pl1\n\t\t\t\t\t\t\t\t || SafeArrayGetLBound(pl1, 1, &plLbound_1)\n\t\t\t\t\t\t\t\t || SafeArrayGetUBound(pl1, 1, &plUbound_1)\n\t\t\t\t\t\t\t\t || 
plUbound_1 < 0 )\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t pDataEntry = pRetEventv63;\n\t\t\t\t\t\t\t\t break;\n\t\t\t\t\t\t\t }\n\n\t\t\t\t\t\t\t  SafeArrayAccessData(pl1, (void**)&ppvData);\n\n\t\t\t\t\t\t\t  if ( pl2 )\n\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t  if ( SafeArrayGetLBound(pl2, 1, &plLbound_2) ||\n\t\t\t\t\t\t\t\t\t  SafeArrayGetUBound(pl2, 1, &plUbound_2) ||\n\t\t\t\t\t\t\t\t\t  plUbound_2 < 0 )\n\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t  pDataEntry = pRetEventv63;\n\t\t\t\t\t\t\t\t\t  break;\n\t\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t\t  SafeArrayAccessData(pl2, (void**)&ppvData_2);\n\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t  if ( plLbound_1 <= plUbound_1)\n\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t  LONG rgIndices = plLbound_1;\n\n\t\t\t\t\t\t\t\t  while(TRUE)\n\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t  do \n\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t  USHORT uType = (*(USHORT*)&ppvData[rgIndices]);\n\n\t\t\t\t\t\t\t\t\t\t  try\n\t\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t\t  CSysmonDataEntry* pDataEntry__3 = new CSysmonDataEntry(ClassGuid,uType,Version,Level);\n\n\t\t\t\t\t\t\t\t\t\t\t  if (pDataEntry__3)\n\t\t\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t\t\t  InsertBack(pEventList,&Reference,pDataEntry__3);\n\n\t\t\t\t\t\t\t\t\t\t\t\t  if (pOldDataEntry->GetCLassNameLen())\n\t\t\t\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t\t\t\t  *pDataEntry__3 = pOldDataEntry;\n\t\t\t\t\t\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t\t\t\t\t\t  if (Type == uType)\n\t\t\t\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t\t\t\t  pRetEventv63 = pDataEntry__3;\n\t\t\t\t\t\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t\t\t\t\t\t  if ( pl2 )\n\t\t\t\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t\t\t\t  if ( rgIndices < plLbound_2 || rgIndices > plUbound_2 )\n\t\t\t\t\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t  break;\n\t\t\t\t\t\t\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t  pDataEntry__3->InitData(\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t  &pDataEntry__3->m_EventTypeName,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t  
ppvData_2[rgIndices]);\n\t\t\t\t\t\t\t\t\t\t\t\t  }\n\t\t\t\t\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t\t\t\t  }\n\t\t\t\t\t\t\t\t\t\t  catch(...)\n\t\t\t\t\t\t\t\t\t\t  {\n\n\t\t\t\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t\t\t  } while (FALSE);\n\t\t\t\t\t\t\t\t\t  \n\t\t\t\t\t\t\t\t\t  rgIndices++;\n\n\t\t\t\t\t\t\t\t\t  if ( rgIndices > plUbound_1 )\n\t\t\t\t\t\t\t\t\t  {\n\t\t\t\t\t\t\t\t\t\t  pl1 = vargType.parray;\n\t\t\t\t\t\t\t\t\t\t  break;\n\t\t\t\t\t\t\t\t\t  }\n\t\t\t\t\t\t\t\t  }\n\t\t\t\t\t\t\t  }\n\n\t\t\t\t\t\t\t   SafeArrayUnaccessData(pl1);\n\t\t\t\t\t\t\t   ApiSafeArrayDestroy(pl1);\n\t\t\t\t\t\t\t   VariantInit(&vargType);\n\n\t\t\t\t\t\t\t   if ( pl2 )\n\t\t\t\t\t\t\t   {\n\t\t\t\t\t\t\t\t   SafeArrayUnaccessData(pl2);\n\t\t\t\t\t\t\t\t   SafeArrayDestroy(pl2);\n\t\t\t\t\t\t\t\t   VariantInit(&vargTypeName);\n\t\t\t\t\t\t\t   }\n\n\t\t\t\t\t\t }\n\t\t\t\t\t\t else\n\t\t\t\t\t\t {\n\n\t\t\t\t\t\t\t VariantChangeType(&vargType, &vargType, 0, VT_I2);\n\t\t\t\t\t\t\t USHORT vType = vargType.iVal;\n\t\t\t\t\t\t\t VariantClear(&vargTypeName);\n\n\t\t\t\t\t\t\t if ( pQualifierSet->Get(\n\t\t\t\t\t\t\t\t\t\t\t\t\tbstrEventTypeName,\n\t\t\t\t\t\t\t\t\t\t\t\t\t0,\n\t\t\t\t\t\t\t\t\t\t\t\t\t&vargTypeName, \n\t\t\t\t\t\t\t\t\t\t\t\t\t0) )\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t szEventName[0] = 0;\n\t\t\t\t\t\t\t }\n\t\t\t\t\t\t\t else\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t wcscpy_s(\n\t\t\t\t\t\t\t\t\t\tszEventName,\n\t\t\t\t\t\t\t\t\t\tMAX_PATH,\n\t\t\t\t\t\t\t\t\t\tvargTypeName.bstrVal\n\t\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t }\n\n\t\t\t\t\t\t\t CSysmonDataEntry* pDataEntry__3 = new CSysmonDataEntry(ClassGuid,vType,Version,Level);\n\t\t\t\t\t\t\t if (pDataEntry__3)\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t InsertBack(pEventList,&Reference,pDataEntry__3);\n\n\t\t\t\t\t\t\t\t if (pOldDataEntry->GetCLassNameLen())\n\t\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t\t *pDataEntry__3 = pOldDataEntry;\n\t\t\t\t\t\t\t\t }\n\n\t\t\t\t\t\t\t\t if ( Type == vType)\n\t\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t\t 
pRetEventv63 = pDataEntry__3;\n\t\t\t\t\t\t\t\t }\n\n\t\t\t\t\t\t\t\t pDataEntry__3->InitData(\n\t\t\t\t\t\t\t\t\t &pDataEntry__3->m_EventTypeName,\n\t\t\t\t\t\t\t\t\t szEventName);\n\t\t\t\t\t\t\t }\n\n\t\t\t\t\t\t }\n\n\t\t\t\t\t }\n\n\t\t\t\t\t SAFEARRAY* pNames = NULL;\n\t\t\t\t\t LONG plLbound_1 = 0;\n\t\t\t\t\t LONG plUbound_1 = 0;\n\t\t\t\t\t LONG plLbound_2 = 0;\n\t\t\t\t\t LONG plUbound_2 = 0;\n\t\t\t\t\t BSTR pv_1 = NULL;\n\t\t\t\t\t CIMTYPE QualifierType = 0;\n\t\t\t\t\t VariantClear(&varClassName);\n\t\t\t\t\t varClassName.vt = VT_I4;\n\t\t\t\t\t varClassName.lVal = 1;\n\n\t\t\t\t\t //LONG Index = 1;\n\t\t\t\t\t //hr = pClass->GetNames(NULL, WBEM_FLAG_LOCAL_ONLY, NULL, &pNames);\n\t\t\t\t\t hr = pClass_1->GetNames(\n\t\t\t\t\t\t bstrWmiDataId,\n\t\t\t\t\t\t WBEM_FLAG_ONLY_IF_IDENTICAL, \n\t\t\t\t\t\t &varClassName,\n\t\t\t\t\t\t &pNames);\n\n\t\t\t\t\t while( hr == S_OK)\n\t\t\t\t\t {\n\n\t\t\t\t\t\t if ( SafeArrayGetLBound(pNames, 1, &plLbound_1) ||\n\t\t\t\t\t\t\t SafeArrayGetUBound(pNames, 1, &plUbound_1) || plUbound_1 < 0 )\n\t\t\t\t\t\t\t break;\n\n\t\t\t\t\t\t //plUbound_1 = pNames->rgsabound->cElements;\n\n\t\t\t\t\t\t if ( plLbound_1 <= plUbound_1 )\n\t\t\t\t\t\t {\n\t\t\t\t\t\t\t LONG nIndex = plLbound_1;\n\t\t\t\t\t\t\t do\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t if ( ApiSafeArrayGetElement(pNames, &nIndex, &pv_1) || pClass_1->Get(pv_1, 0, 0, &QualifierType, 0) )\n\t\t\t\t\t\t\t\t\t break;\n\n\t\t\t\t\t\t\t\t if ( pQualifierSet )\n\t\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t\t pQualifierSet->Release();\n\t\t\t\t\t\t\t\t\t pQualifierSet = 0;\n\t\t\t\t\t\t\t\t }\n\n\t\t\t\t\t\t\t\t if ( pClass_1->GetPropertyQualifierSet(pv_1, &pQualifierSet) )\n\t\t\t\t\t\t\t\t\t break;\n\n\t\t\t\t\t\t\t\t LONG v30 = GetArrayValue(QualifierType, pQualifierSet);\n\t\t\t\t\t\t\t\t LONG ArraySize = QualifierType & 0x2000 ? 
GetArraySize(pQualifierSet) : 1;\n\n\t\t\t\t\t\t\t\t SysmonAddProperityList(\n\t\t\t\t\t\t\t\t\t\t\t\t\tpEventList,\n\t\t\t\t\t\t\t\t\t\t\t\t\tpv_1,\n\t\t\t\t\t\t\t\t\t\t\t\t\tv30, \n\t\t\t\t\t\t\t\t\t\t\t\t\tArraySize);\n\t\t\t\t\t\t\t\t ++nIndex;\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t }\n\t\t\t\t\t\t\t while ( nIndex <= plUbound_1 );\n\t\t\t\t\t\t }\n\n\t\t\t\t\t\t ApiSafeArrayDestroy(pNames);\n\t\t\t\t\t\t pNames = 0;\n\t\t\t\t\t\t  varClassName.lVal++;// = (Index++);\n\t\t\t\t\t }\n\n\t\t\t\t\t AddEvent(pEventList);\n\n\t\t\t\t\t if ( Cnt != 1 )\n\t\t\t\t\t {\n\t\t\t\t\t\t pDataEntry = pRetEventv63;\n\t\t\t\t\t\t break;\n\t\t\t\t\t }\n\t\t\t\t}//1\n\t\t\t}//0.\n\t\t}\n\t}\n\n\tVariantClear(&varClassName);\n\tVariantClear(&varDisplayName);\n\tVariantClear(&vargTypeName);\n\tSysFreeString(bstrClassName);\n\tSysFreeString(bstrDisplayName);\n\tSysFreeString(bstrEventType);\n\tSysFreeString(bstrEventTypeName);\n\tSysFreeString(bstrWmiDataId);\n\n\tAddEvent(pEventList);\n\n\tLIST_ENTRY* pEntry = pEventList->m_Entry.Flink;\n\n\tInitializeListHead(&pEventList->m_Entry);\n\n\twhile (pEntry != &pEventList->m_Entry)\n\t{\n\t\tCSysmonEventList* pList = CONTAINING_RECORD(\n\t\t\tpEntry,\n\t\t\tCSysmonEventList,m_Entry);\n\n\t\tpEntry = pEntry->Flink;\n\n\t\tif (pList)\n\t\t{\n\t\t\tdelete pList;\n\t\t\tpList = NULL;\n\t\t}\t\t\t\n\t}\n\n\treturn pDataEntry;\n}\n\nCSysmonEventList* CSysmonMofData::AddEvent(\n\t\t\t\t\t\t\t\t\t\tCSysmonEventList* pEventList)\n{\n\tCSysmonEventList* pRetList = pEventList;\n\tif (pEventList)\n\t{\n\t\tLIST_ENTRY* pEntry = pEventList->m_Entry.Flink;\n\n\t\twhile(pEntry != &pEventList->m_Entry )\n\t\t{\t\n\t\t\tCSysmonEventList* pList = CONTAINING_RECORD(pEntry,CSysmonEventList,m_Entry);\n\t\t\tif (pList)\n\t\t\t{\n\t\t\t\tCSysmonDataEntry* pDataEntry = (CSysmonDataEntry*)pList->m_pEvent;\n\t\t\t\tCSysmonEventList* pEvent = 
\n\t\t\t\t\t\t\t\t\tm_SysmonEventList->InsertBack(\n\t\t\t\t\t\t\t\t\t\t\t\tm_SysmonEventList->m_Entry.Blink,\n\t\t\t\t\t\t\t\t\t\t\t\tpDataEntry);\n\n\t\t\t\tm_SysmonEventList->m_Entry.Blink = &pEvent->m_Entry;\n\t\t\t\tpEvent->m_Entry.Blink->Flink = &pEvent->m_Entry;\n\n\t\t\t\tm_EventListNums++;\n\t\t\t}\n\n\t\t\tpEntry = pEntry->Flink;\n\t\t}\n\n\t\tpEntry = pEventList->m_Entry.Flink;\n\n\t\tInitializeListHead(&pEventList->m_Entry);\n\t\t\n\t\twhile (pEntry != &pEventList->m_Entry)\n\t\t{\n\t\t\tCSysmonEventList* pList = CONTAINING_RECORD(\n\t\t\t\t\t\t\t\t\t\t\t\tpEntry,\n\t\t\t\t\t\t\t\t\t\t\t\tCSysmonEventList,m_Entry);\n\n\t\t\tpRetList = pList;\n\t\t\tpEntry = pEntry->Flink;\n\n\t\t\tif (pList)\n\t\t\t{\n\t\t\t\tdelete pList;\n\t\t\t\tpList = NULL;\n\t\t\t}\t\t\t\n\t\t}\n\n\t\treturn pRetList;\n\t}\n\n\treturn NULL;\n}\n\nLONG CSysmonMofData::GetArrayValue(\n\t\t\t\t\t\t\tCIMTYPE CimType,\n\t\t\t\t\t\t\tIWbemQualifierSet * pQualifierSet)\n{\n\tLONG RetValue = 29;\n\tBSTR bstrQualifier;\n\tVARIANT varQualifier;\n\tHRESULT hr;\n\tBOOL bPointer;\n\tOLECHAR szFormat[11];\n\tOLECHAR szStringTermination[31];\n\tOLECHAR szExtension[31];\n\tbPointer = 0;\n\n\tszFormat[0] = 0;\n\tszStringTermination[0] = 0;\n\tszExtension[0] = 0;\n\n\tif (pQualifierSet)\n\t{\n\t\tbstrQualifier = SysAllocString(L\"Format\");\n\t\tVariantInit(&varQualifier);\n\t\thr = pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( !hr && varQualifier.lVal )\n\t\t\tStringCchCopy(szFormat, 10, varQualifier.bstrVal);\n\n\t\tbstrQualifier = SysAllocString(L\"StringTermination\");\n\t\tVariantClear(&varQualifier);\n\n\t\thr = pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( !hr && varQualifier.lVal )\n\t\t\tStringCchCopy(szStringTermination, 30, varQualifier.bstrVal);\n\n\t\tbstrQualifier = SysAllocString(L\"Pointer\");\n\t\tVariantClear(&varQualifier);\n\n\t\thr = 
pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( hr == S_OK)\n\t\t{\n\t\t\tbPointer = 1;\n\t\t}\n\n\t\tbstrQualifier = SysAllocString(L\"Extension\");\n\t\tVariantClear(&varQualifier);\n\n\t\thr = pQualifierSet->Get(bstrQualifier, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrQualifier);\n\n\t\tif ( !hr && varQualifier.lVal )\n\t\t\tStringCchCopy(szExtension, 30, varQualifier.bstrVal);\n\n\t\tVariantClear(&varQualifier);\n\n\t\t switch ( CimType & (~CIM_FLAG_ARRAY) )\n\t\t {\n\t\t case CIM_SINT16:\n\t\t\t RetValue = 4;\n\t\t\t break;\n\t\t case CIM_SINT32:\n\t\t\t RetValue = 6;\n\t\t\t break;\n\t\t case CIM_REAL32:\n\t\t\t RetValue = 11;\n\t\t\t break;\n\t\t case CIM_REAL64:\n\t\t\t RetValue = 12;\n\t\t\t break;\n\t\t case CIM_STRING:\n\t\t\t {\n\t\t\t\t if ( _wcsicmp(szStringTermination, L\"NullTerminated\") )\n\t\t\t\t {\n\t\t\t\t\t if ( _wcsicmp(szStringTermination, L\"Counted\") )\n\t\t\t\t\t {\n\t\t\t\t\t\t if ( _wcsicmp(szStringTermination, L\"ReverseCounted\") )\n\t\t\t\t\t\t\t RetValue = _wcsicmp(szStringTermination, L\"NotCounted\") != 0 ? 
13 : 23;\n\t\t\t\t\t\t else\n\t\t\t\t\t\t\t RetValue = 18 - (_wcsicmp(szFormat, L\"w\") != 0);\n\t\t\t\t\t }\n\t\t\t\t\t else\n\t\t\t\t\t {\n\t\t\t\t\t\t RetValue = 16 - (_wcsicmp(szFormat, L\"w\") != 0);\n\t\t\t\t\t }\n\t\t\t\t }\n\t\t\t\t else\n\t\t\t\t {\n\t\t\t\t\t RetValue = 14 - (_wcsicmp(szFormat, L\"w\") != 0);\n\t\t\t\t }\n\t\t\t }\n\t\t\t break;\n\t\t case CIM_BOOLEAN:\n\t\t\t RetValue = 26;\n\t\t\t break;\n\t\t case CIM_OBJECT:\n\t\t\t if ( !_wcsicmp(szExtension, L\"Port\") )\n\t\t\t {\n\t\t\t\t RetValue = 21;\n\t\t\t\t\n\t\t\t }\n\t\t\t else\n\t\t\t {\n\t\t\t\t if ( !_wcsicmp(szExtension, L\"IPAddr\") )\n\t\t\t\t {\n\t\t\t\t\t RetValue = 20;\n\t\t\t\t }\n\t\t\t\t else if ( _wcsicmp(szExtension, L\"Sid\") )\n\t\t\t\t {\n\t\t\t\t\t if ( _wcsicmp(szExtension, L\"Guid\") )\n\t\t\t\t\t {\n\t\t\t\t\t\t if ( !_wcsicmp(szExtension, L\"SizeT\") )\n\t\t\t\t\t\t {\n\t\t\t\t\t\t\t RetValue = 6;\n\t\t\t\t\t\t }\n\t\t\t\t\t\t else\n\t\t\t\t\t\t {\n\t\t\t\t\t\t\t if ( _wcsicmp(szExtension, L\"IPAddrV6\") )\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t if ( _wcsicmp(szExtension, L\"IPAddrV4\") )\n\t\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t\t if ( !_wcsicmp(szExtension, L\"WmiTime\") )\n\t\t\t\t\t\t\t\t\t\t RetValue = 28;\n\t\t\t\t\t\t\t\t }\n\t\t\t\t\t\t\t\t else\n\t\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t\t RetValue = 20;\n\t\t\t\t\t\t\t\t }\n\t\t\t\t\t\t\t }\n\t\t\t\t\t\t\t else\n\t\t\t\t\t\t\t {\n\t\t\t\t\t\t\t\t RetValue = 27;\n\t\t\t\t\t\t\t }\n\t\t\t\t\t\t }\n\t\t\t\t\t\t\n\t\t\t\t\t }\n\t\t\t\t\t else\n\t\t\t\t\t {\n\t\t\t\t\t\t RetValue = 25;\n\t\t\t\t\t }\n\t\t\t\t }\n\t\t\t\t else\n\t\t\t\t {\n\t\t\t\t\t RetValue = 19;\n\t\t\t\t }\n\t\t\t }\n\t\t\t break;\n\t\t case CIM_SINT8:\n\t\t\t RetValue = 3;\n\t\t\t if ( !_wcsicmp(szFormat, L\"c\") )\n\t\t\t\t RetValue = 0;\n\t\t\t break;\n\t\t case CIM_UINT8:\n\t\t\t RetValue = 2;\n\t\t\t break;\n\t\t case CIM_UINT16:\n\t\t\t RetValue = 5;\n\t\t\t break;\n\t\t case CIM_UINT32:\n\t\t\t RetValue = 7;\n\t\t\t break;\n\t\t case 
CIM_SINT64:\n\t\t\t RetValue = 9;\n\t\t\t break;\n\t\t case CIM_UINT64:\n\t\t\t RetValue = 10;\n\t\t\t break;\n\t\t case CIM_CHAR16:\n\t\t\t RetValue = 1;\n\t\t\t break;\n\t\t }\n\n\t\t if (bPointer)\n\t\t {\n\t\t\t RetValue = 24;\n\t\t }\n\t\t \n\t}\n\n\treturn RetValue;\n}\n\nLONG CSysmonMofData::GetArraySize(\n\t\t\t\t\t\t\tIWbemQualifierSet* pQualifierSet)\n{\n\tLONG ArraySize = 1;\n\tVARIANT varQualifier;\n\tHRESULT hr;\n\tif ( pQualifierSet )\n\t{\n\t\tBSTR bstrMax = SysAllocString(L\"MAX\");\n\t\tVariantInit(&varQualifier);\n\n\t\thr = pQualifierSet->Get(bstrMax, 0, &varQualifier, 0);\n\t\tSysFreeString(bstrMax);\n\t\tif ( !hr && varQualifier.vt == 3 )\n\t\t\tArraySize = varQualifier.lVal;\n\n\t\tVariantClear(&varQualifier);\n\t}\n\n\treturn ArraySize;\n}\n\nCSysmonData::CSysmonData()\n\t:m_pData(NULL)\n\t,m_pAlloc(NULL)\n\t,m_Reference(0) \n{\n\n}\n\nCSysmonData::~CSysmonData()\n{\n\n}\n\nBOOL CSysmonData::Compare(BSTR pString)\n{\n\tif (pString && m_pData)\n\t{\n\t\treturn _wcsicmp(m_pData,pString) == 0;\n\t}\n\treturn FALSE;\n}\n\nBOOL CSysmonData::CompareN(BSTR pString,ULONG Size)\n{\n\tif (pString && m_pData)\n\t{\n\t\treturn _wcsnicmp(m_pData,pString,Size) == 0;\n\t}\n\treturn FALSE;\n}\n\nCSysmonDataEntry::CSysmonDataEntry()\n\t:m_EventClassName(NULL)\n\t,m_EventTypeName(NULL)\n\t,m_ProperitySize(0)\n{\n\n}\n\nCSysmonDataEntry::CSysmonDataEntry(\n\t\t\t\t\t\t\t\tGUID* Guid,\n\t\t\t\t\t\t\t\tUSHORT Type,\n\t\t\t\t\t\t\t\tUSHORT Version,\n\t\t\t\t\t\t\t\tUSHORT Level)\n{\n\tm_EventClassName = NULL;\n\tm_EventTypeName = NULL;\n\n\tm_EventType = Type;\n\tm_EventVersion = Version;\n\tm_EventLevel = Level;\n\tm_ProperitySize = 0;\n\tm_ProperityList = new CSysmonEventList(0,0);\n\t\n\t_mm_storeu_si128(\n\t\t\t\t(__m128i *)&m_EventGuid,\n\t\t\t\t_mm_loadu_si128((const __m128i *)Guid));\n}\n\nCSysmonDataEntry::~CSysmonDataEntry()\n{\n\n}\n\nLONG CSysmonDataEntry::GetCLassNameLen()\n{\n\tif ( m_EventClassName && m_EventClassName->m_pData)\n\t{\n\t\treturn 
SysStringLen(m_EventClassName->m_pData);\n\t}\n\n\treturn 0;\n}\n\nCSysmonDataEntry* CSysmonDataEntry::InitData(CSysmonData** pData,BSTR pString)\n{\n\tBSTR pOldData = 0;\n\tif (pData && *pData)\n\t{\n\t\tpOldData = (*pData)->m_pData;\n\t}\n\n\tif (!pString || pOldData != pString)\n\t{\n\t\tif (*pData)\n\t\t{\n\t\t\tif ( !InterlockedDecrement((volatile LONG *)&(*pData)->m_Reference))\n\t\t\t{\n\t\t\t\tif ((*pData)->m_pData)\n\t\t\t\t{\n\t\t\t\t\tSysFreeString((*pData)->m_pData);\n\t\t\t\t\t(*pData)->m_pData = 0;\n\t\t\t\t}\n\n\t\t\t\tif ( m_EventClassName->m_pAlloc )\n\t\t\t\t{\n\t\t\t\t\tdelete (*pData)->m_pAlloc;\n\t\t\t\t\t(*pData)->m_pAlloc = 0;\n\t\t\t\t}\n\n\t\t\t\tdelete (*pData);\n\t\t\t}\n\n\t\t\t(*pData) = NULL;\n\t\t}\n\t}\n\n\tCSysmonData* pNew = new CSysmonData();\n\n\tif (pNew)\n\t{\n\t\tpNew->m_pAlloc = 0;\n\t\tpNew->m_Reference = 1;\n\t\tpNew->m_pData = SysAllocString(pString);\n\t\t\n\t\tif ( !pNew->m_pData && pString )\n\t\t{\n\t\t//\tLogError(0x8007000E);\n\t\t}\n\t}\n\telse\n\t{\n\t\t//LogError(0x8007000E);\n\t}\n\n\t*pData = pNew;\n\n\treturn this;\n}\n\n\nCSysmonEventList::CSysmonEventList()\n\t:m_pEvent(0)\n{\n\tInitializeListHead(&m_Entry);\n}\n\nCSysmonEventList::CSysmonEventList(\n\t\t\t\t\t\t\tLIST_ENTRY* Fink,\n\t\t\t\t\t\t\tLIST_ENTRY* Blink)\n\t\t\t\t\t\t\t:m_pEvent(0)\n{\n\tLIST_ENTRY* pl1;\n\tLIST_ENTRY* pl2;\n\n\tpl1 = Fink;\n\tm_pEvent = 0;\n\tif (Fink)\n\t{\n\t\tpl2 = Blink;\n\t}\n\telse\n\t{\n\t\tpl1 = &m_Entry;\n\t\tpl2 = &m_Entry;\n\t}\n\n\tm_Entry.Flink = pl1;\n\tm_Entry.Blink = pl2;\n}\n\nCSysmonEventList::~CSysmonEventList()\n{\n\n}\n\nCSysmonEventList* CSysmonEventList::InsertBack(LIST_ENTRY* Blink,void* pElm)\n{\n\tCSysmonEventList* pList = new CSysmonEventList(\n\t\t\t\t\t\t\t\t\t\t\t\t&m_Entry,\n\t\t\t\t\t\t\t\t\t\t\t\tBlink);\n\tif (pList)\n\t{\n\t\tpList->m_pEvent = pElm;\n\t}\n\n\treturn pList;\n}"
  },
  {
    "path": "Sysmon/CSysmonMofData.h",
    "content": "#ifndef _CSysmonMofData_h\n#define _CSysmonMofData_h\n\n#include \"Sysmon.h\"\n#include <wbemidl.h>\n#include <comutil.h>\n#include <wbemidl.h>\n#include <wmistr.h>\n#include <WbemCli.h>\n#include <strsafe.h>\n#include <intrin.h>\n#include <Evntrace.h>\n\nextern \"C\"\n{\n\ttypedef HRESULT (WINAPI * pSafeArrayDestroy)(SAFEARRAY *);\n\ttypedef HRESULT (WINAPI * pSafeArrayGetElement)(SAFEARRAY * , LONG *, void *);\n};\n\n\ntypedef struct _CTcpIpInfo\n{\n\tBSTR NetName;\n\tULONG NetType;\n}CTcpIpInfo;\n\ntypedef struct _Sysmon_Net_Report\n{\n\tULONG\t\t\tNrSize;\n\tULONG\t\t\tNrProcessId;\n\tULONG\t\t\tNrThreadId;\n\tGUID\t\t\tNrGuid;\n\tLARGE_INTEGER\tNrSystemTime;\n\tULONG\t\t\tNrEventType;\n\tULONG\t\t\tNrUdpOrTcp;\n}Sysmon_Net_Report;\n\nclass CSysmonData\n{\n\tfriend class CSysmonDataEntry;\n\tfriend class CSysmonProperty;\n\tfriend class CSysmonMofData;\npublic:\n\tCSysmonData();\n\t~CSysmonData();\n\n\tBOOL Compare(BSTR pString);\n\tBOOL CompareN(BSTR pString,ULONG Size);\n\n\tLONG Len()\n\t{\n\t\tif (m_pData)\n\t\t{\n\t\t\t__try\n\t\t\t{\n\t\t\t\treturn lstrlen(m_pData);\n\t\t\t}\n\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t{\n\n\t\t\t}\n\t\t\t\n\t\t}\n\t\treturn 0;\n\t}\nprivate:\n\tBSTR m_pData;\n\tvoid* m_pAlloc;\n\tLONG  m_Reference; \n};\n\nclass CSysmonEventList\n{\n\tfriend class CSysmonMofData;\npublic:\n\tCSysmonEventList();\n\t~CSysmonEventList();\n\tBOOL IsListEmpty()\n\t{\n\t\treturn ::IsListEmpty(&m_Entry);\n\t}\n\n\tCSysmonEventList(LIST_ENTRY* Fink,LIST_ENTRY* Blink);\n\tCSysmonEventList* InsertBack(LIST_ENTRY* Blink,void* pElm);\nprivate:\n\tvoid*\t\tm_pEvent;\npublic:\n\tLIST_ENTRY\tm_Entry;\n};\n\nclass CSysmonDataEntry\n{\n\tfriend class CSysmonMofData;\npublic:\n\tCSysmonDataEntry();\n\tCSysmonDataEntry(GUID* Guid,USHORT Type,USHORT Version,USHORT Level);\n\t~CSysmonDataEntry();\n\tvoid operator =(CSysmonDataEntry* pDataEntry);\n\tCSysmonDataEntry* InitData(CSysmonData** pData,BSTR pString);\n\tLONG 
GetCLassNameLen();\n\t\nprivate:\n\tCSysmonData*\t\tm_EventClassName;\n\tCSysmonData*\t\tm_EventTypeName;\n\tGUID\t\t\t\tm_EventGuid;\n\tUSHORT\t\t\t\tm_EventType;\n\tUSHORT\t\t\t\tm_EventVersion;\n\tUSHORT\t\t\t\tm_EventLevel;\n\n\tULONG\t\t\t\tm_ProperitySize;\n\tCSysmonEventList*\tm_ProperityList;\n};\n\nclass CSysmonProperty\n{\n\tfriend class CSysmonMofData;\npublic:\n\tCSysmonProperty()\n\t\t:m_Data(NULL)\n\t\t,m_Len(0),\n\t\tm_ArraySize(0)\n\t{\n\n\t}\n\n\tCSysmonProperty(BSTR pName,LONG Len,LONG ArraySize)\n\t\t:m_Data(NULL)\n\t\t,m_Len(0),\n\t\tm_ArraySize(0)\n\t{\n\t\t\n\t\tif (pName)\n\t\t{\n\t\t\tInitData(&m_Data,pName);\n\t\t}\n\t\tm_Len = Len;\n\t\tm_ArraySize = ArraySize;\n\n\t}\n\n\t~CSysmonProperty()\n\t{\n\n\t}\n\n\tvoid InitData(CSysmonData** pData,BSTR pString)\n\t{\n\t\tBSTR pOldData = 0;\n\t\tif (pData && *pData)\n\t\t{\n\t\t\tpOldData = (*pData)->m_pData;\n\t\t}\n\n\t\tif (!pString || pOldData != pString)\n\t\t{\n\t\t\tif (*pData)\n\t\t\t{\n\t\t\t\tif ( !InterlockedDecrement((volatile LONG *)&(*pData)->m_Reference))\n\t\t\t\t{\n\t\t\t\t\tif ((*pData)->m_pData)\n\t\t\t\t\t{\n\t\t\t\t\t\tSysFreeString((*pData)->m_pData);\n\t\t\t\t\t\t(*pData)->m_pData = 0;\n\t\t\t\t\t}\n\n\t\t\t\t\tif ( (*pData)->m_pAlloc )\n\t\t\t\t\t{\n\t\t\t\t\t\tdelete (*pData)->m_pAlloc;\n\t\t\t\t\t\t(*pData)->m_pAlloc = 0;\n\t\t\t\t\t}\n\n\t\t\t\t\tdelete (*pData);\n\t\t\t\t}\n\n\t\t\t\t(*pData) = NULL;\n\t\t\t}\n\t\t}\n\n\t\tCSysmonData* pNew = new CSysmonData();\n\n\t\tif (pNew)\n\t\t{\n\t\t\tpNew->m_pAlloc = 0;\n\t\t\tpNew->m_Reference = 1;\n\t\t\tpNew->m_pData = SysAllocString(pString);\n\n\t\t\tif ( !pNew->m_pData && pString )\n\t\t\t{\n\t\t\t\t//\tLogError(0x8007000E);\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\t//LogError(0x8007000E);\n\t\t}\n\n\t\t*pData = pNew;\n\t}\n\nprivate:\n\tCSysmonData*\tm_Data;\n\tLONG\t\t\tm_Len;\n\tLONG\t\t\tm_ArraySize;\n};\n\nclass CSysmonMofData\n{\npublic:\n\tCSysmonMofData(void);\n\tvirtual 
~CSysmonMofData(void);\n\npublic:\n\tCSysmonDataEntry* GetEventCategoryClass(\n\t\t\t\t\t\t\t\t\t\tGUID* ClassGuid,\n\t\t\t\t\t\t\t\t\t\tUSHORT Version,\n\t\t\t\t\t\t\t\t\t\tUSHORT Level,\n\t\t\t\t\t\t\t\t\t\tUSHORT Type);\n\n\tCSysmonDataEntry* GetPropertyList(\n\t\t\t\t\t\t\tIWbemClassObject* pClass,\n\t\t\t\t\t\t\tGUID* ClassGuid,\n\t\t\t\t\t\t\tUSHORT Version,\n\t\t\t\t\t\t\tUSHORT Level,\n\t\t\t\t\t\t\tUSHORT Type);\n\n\tvoid SysmonAddProperityList(\n\t\t\t\t\t\tCSysmonEventList* pList, \n\t\t\t\t\t\tBSTR ProperityName,\n\t\t\t\t\t\tLONG Len,\n\t\t\t\t\t\tLONG ArraySize);\n\n\tCSysmonDataEntry* Phase_1(\n\t\t\t\t\t\tGUID* ClassGuid,\n\t\t\t\t\t\tUSHORT Version,\n\t\t\t\t\t\tUSHORT Level,\n\t\t\t\t\t\tUSHORT Type);\n\n\tvoid Phase_2(\n\t\t\t\tPEVENT_TRACE pEvent,\n\t\t\t\tCSysmonDataEntry* pDataEntry\n\t\t\t\t\t\t);\n\n\tHRESULT CoCreateInstance();\n\n\tLONG GetArraySize(IWbemQualifierSet* pQualifierSet);\n\tLONG GetArrayValue(\n\t\t\t\tCIMTYPE CimType,\n\t\t\t\tIWbemQualifierSet * pQualifierSet);\n\n\tvoid InsertBack(\n\t\t\t\tCSysmonEventList* pEventList,\n\t\t\t\tLONG* Reference,\n\t\t\t\tvoid* pElm);\n\n\n\tCSysmonEventList* AddEvent(CSysmonEventList* pEventList);\n\nprivate:\n\tIWbemServices*\t\tm_pIWbemService;\n\tCSysmonEventList*\tm_SysmonEventList;\n\tLONG\t\t\t\tm_EventListNums;\npublic:\n\tstatic CTcpIpInfo\tm_TcpIpEventTypeName[25];\n};\n\n#endif"
  },
  {
    "path": "Sysmon/CSysmonUtil.cpp",
    "content": "#include \"StdAfx.h\"\n#include \"CSysmonUtil.h\"\n\n\nCSysmonUtil::CSysmonUtil(void)\n{\n}\n\n\nCSysmonUtil::~CSysmonUtil(void)\n{\n}\n\nBOOL CSysmonUtil::SysmonVersionIsSupport()\n{\n\tBOOL result;\n\tOSVERSIONINFOEX VersionInformation;\n\n\tVersionInformation.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);\n\tVersionInformation.dwMajorVersion = 0;\n\tmemset(\n\t\t&VersionInformation.dwMinorVersion,\n\t\t0,\n\t\tsizeof(OSVERSIONINFOW));\n\n\tGetVersionEx((POSVERSIONINFO)&VersionInformation);\n\n\tif ( VersionInformation.dwMajorVersion >= 6 )\n\t\treturn 1;\n\n\tif ( VersionInformation.dwMajorVersion != 5 || \n\t\t!VersionInformation.dwMinorVersion )\n\t{\n\t\tresult = 0;\n\t}\n\n\tif ( VersionInformation.dwMinorVersion == 1 )\n\t{\n\t\t//= XP2\n\t\treturn VersionInformation.wServicePackMajor >= 2;\n\t}\n\tif ( VersionInformation.dwMinorVersion == 2 )\n\t{\n\t\tresult = (VersionInformation.wProductType == VER_NT_WORKSTATION);\n\t}\n\telse\n\t{\n\t\tresult = 0;\n\t}\n\n\treturn result;\n}\n\nunsigned __int64 CSysmonUtil::CounterTimes(FILETIME t1,__int64 t2)\n{\n\tunsigned __int64 Result = 0;\n\n\tif ( t2 >= 0 )\n\t{\n\t\treturn (unsigned __int64)(10000000 * (t2 % (QWORD)(t1.dwLowDateTime + 16))) / (QWORD)(t1.dwLowDateTime + 16)\n\t\t+ 10000000 * (t2 / (QWORD)(t1.dwLowDateTime + 16));\n\t}\n\telse\n\t{\n\t\tResult = CounterTimes(t1,-t2);\n\t}\n\n\treturn Result;\n}"
  },
  {
    "path": "Sysmon/CSysmonUtil.h",
    "content": "#ifndef _CSysmonUtil_h\n#define _CSysmonUtil_h\n\ntypedef unsigned __int64 QWORD;\n\nclass CSysmonUtil\n{\npublic:\n\tCSysmonUtil(void);\n\t~CSysmonUtil(void);\n\npublic:\n\tstatic\n\tBOOL \n\tSysmonVersionIsSupport();\n\n\tstatic\n\tunsigned __int64 CounterTimes(FILETIME t1,__int64 t2);\n};\n\n#endif"
  },
  {
    "path": "Sysmon/ReadMe.txt",
    "content": "========================================================================\n    WIN32 APPLICATION : Sysmon Project Overview\n========================================================================\n\nAppWizard has created this Sysmon application for you.\n\nThis file contains a summary of what you will find in each of the files that\nmake up your Sysmon application.\n\n\nSysmon.vcxproj\n    This is the main project file for VC++ projects generated using an Application Wizard.\n    It contains information about the version of Visual C++ that generated the file, and\n    information about the platforms, configurations, and project features selected with the\n    Application Wizard.\n\nSysmon.vcxproj.filters\n    This is the filters file for VC++ projects generated using an Application Wizard. \n    It contains information about the association between the files in your project \n    and the filters. This association is used in the IDE to show grouping of files with\n    similar extensions under a specific node (for e.g. \".cpp\" files are associated with the\n    \"Source Files\" filter).\n\nSysmon.cpp\n    This is the main application source file.\n\n/////////////////////////////////////////////////////////////////////////////\nAppWizard has created the following resources:\n\nSysmon.rc\n    This is a listing of all of the Microsoft Windows resources that the\n    program uses.  It includes the icons, bitmaps, and cursors that are stored\n    in the RES subdirectory.  This file can be directly edited in Microsoft\n    Visual C++.\n\nResource.h\n    This is the standard header file, which defines new resource IDs.\n    Microsoft Visual C++ reads and updates this file.\n\nSysmon.ico\n    This is an icon file, which is used as the application's icon (32x32).\n    This icon is included by the main resource file Sysmon.rc.\n\nsmall.ico\n    This is an icon file, which contains a smaller version (16x16)\n    of the application's icon. 
This icon is included by the main resource\n    file Sysmon.rc.\n\n/////////////////////////////////////////////////////////////////////////////\nOther standard files:\n\nStdAfx.h, StdAfx.cpp\n    These files are used to build a precompiled header (PCH) file\n    named Sysmon.pch and a precompiled types file named StdAfx.obj.\n\n/////////////////////////////////////////////////////////////////////////////\nOther notes:\n\nAppWizard uses \"TODO:\" comments to indicate parts of the source code you\nshould add to or customize.\n\n/////////////////////////////////////////////////////////////////////////////\n"
  },
  {
    "path": "Sysmon/Resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by Sysmon.rc\n//\n\n#define IDS_APP_TITLE\t\t\t103\n\n#define IDR_MAINFRAME\t\t\t128\n#define IDD_SYSMON_DIALOG\t102\n#define IDD_ABOUTBOX\t\t\t103\n#define IDM_ABOUT\t\t\t\t104\n#define IDM_EXIT\t\t\t\t105\n#define IDI_SYSMON\t\t\t107\n#define IDI_SMALL\t\t\t\t108\n#define IDC_SYSMON\t\t\t109\n#define IDC_MYICON\t\t\t\t2\n#ifndef IDC_STATIC\n#define IDC_STATIC\t\t\t\t-1\n#endif\n// Next default values for new objects\n//\n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n\n#define _APS_NO_MFC\t\t\t\t\t130\n#define _APS_NEXT_RESOURCE_VALUE\t129\n#define _APS_NEXT_COMMAND_VALUE\t\t32771\n#define _APS_NEXT_CONTROL_VALUE\t\t1000\n#define _APS_NEXT_SYMED_VALUE\t\t110\n#endif\n#endif\n"
  },
  {
    "path": "Sysmon/Sysmon.cpp",
    "content": "// Sysmon.cpp : Defines the entry point for the application.\n//\n\n#include \"stdafx.h\"\n#include \"Sysmon.h\"\n#include <ShellAPI.h>\n#include \"CSysmonDriverOpt.h\"\n#include \"CSsymonEtw.h\"\n#include <wchar.h>\n#include <stdlib.h>\n#include <string.h>\n#define MAX_LOADSTRING 100\n\n\nextern \"C\" typedef BOOL (WINAPI *pIsWow64Process)(\n\tHANDLE hProcess,\n\tPBOOL  Wow64Process\n\t);\n\nint APIENTRY _tWinMain(\n\t\t\t\t\tHINSTANCE hInstance,\n                     HINSTANCE hPrevInstance,\n                     LPTSTR    lpCmdLine,\n                     int       nCmdShow)\n{\n\tUNREFERENCED_PARAMETER(hPrevInstance);\n\tUNREFERENCED_PARAMETER(lpCmdLine);\n\n\tint argc = 0;\n\tchar** argv = NULL;\n\tWCHAR** argvW = (WCHAR**)NULL;\n\t\n\targvW = ::CommandLineToArgvW(::GetCommandLine(), &argc);\n// \targv = (char**)malloc(argc * sizeof(char*));\n// \tint cb = 0;\n// \tfor (int i = 0; i < argc; i++)   \n// \t{\n// \t\tcb = WideCharToMultiByte (CP_ACP, 0, argvW[i],  -1, NULL, 0, NULL, NULL);\n// \t\targv[i] = (char*)malloc(cb * sizeof(WCHAR) + 1);\n// \t\tWideCharToMultiByte (CP_ACP, 0, argvW[i], -1, argv[i], cb, NULL, NULL);\n// \t}\n\n\tBOOL bIsWow64Process = FALSE;\n\tHMODULE v4 = GetModuleHandleW(L\"kernel32.dll\");\n\tpIsWow64Process v5 = (pIsWow64Process)GetProcAddress(v4, \"IsWow64Process\");\n\tif ( v5 )\n\t{\n\t\tv5(GetCurrentProcess(), &bIsWow64Process);\n\t}\n\n\tif (bIsWow64Process)\n\t{\n\t\treturn RunSysmonX64();\n\t}\n\n\n\tif (argc > 1)\n\t{\n\t\tif (lstrcmpi(argvW[1],_T(\"-i\")) == 0 )\n\t\t{\n\t\t\t\n\t\t\tCSysmonDriverOpt Opt;\n\n\t\t\tOpt.InstallDriver(\n\t\t\t\t\t\t\t_T(\"Sysmon\"),\n\t\t\t\t\t\t\t_T(\"Sysmon.sys\"),\n\t\t\t\t\t\t\t_T(\"370030\"));\n\n\t\t\t\n\t\t\tif(Opt.StartDriver(_T(\"Sysmon\")))\n\t\t\t{\n\t\t\t\tMessageBox(NULL,_T(\"Success\"),_T(\"Success\"),MB_OK);\n\t\t\t}\n\t\t}\n\n\t\tif (lstrcmpi(argvW[1],_T(\"-n\")) == 0 )\n\t\t{\n\n\t\t\tCSsymonEtw::Instance()->StartTrace(1);\n\t\t}\n\t}\n\n\n\tMSG msg;\n\twhile 
(GetMessage(&msg, NULL, 0, 0))\n\t{\n\n\t\tTranslateMessage(&msg);\n\n\t\tDispatchMessage(&msg);\n\n\t}\n\n\treturn msg.wParam;\n\n\n \treturn TRUE;\n}\n\n\nextern \"C\" typedef void (WINAPI *pGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);\n\nBOOLEAN __fastcall SysmonTempFileName(wchar_t * FileName, wchar_t* TempName)\n{\n\twchar_t *v2;\n\tint i;\n\tunsigned int v5;\n\twchar_t Dsta[MAX_PATH] = {0};\n\tWCHAR Buffer[MAX_PATH] = {0};\n\tWCHAR RandName[20] = {0};\n\tv2 = TempName;\n\twcscpy_s(Dsta, MAX_PATH, FileName);\n\n\tif ( !GetTempPathW(MAX_PATH, Buffer) )\n\t\treturn 0;\n\n\ti = 0;\n\n\twhile ( TRUE )\n\t{\n\t\tdo \n\t\t{\n\t\t\twcscpy_s(v2, 520, Buffer);\n\t\t\tif ( RandName[0] )\n\t\t\t{\n\t\t\t\twcscat_s(v2, 520, RandName);\n\t\t\t\twcscat_s(v2, 520, L\"\\\\\");\n\t\t\t\tif ( GetFileAttributesW(v2) != -1 || !CreateDirectoryW(v2, 0) )\n\t\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\twcscat_s(v2, 520, Dsta);\n\t\t\tif ( GetFileAttributesW(v2) == -1 )\n\t\t\t\treturn 1;\n\t\t\tif ( RandName[0] )\n\t\t\t{\n\t\t\t\twcsrchr(v2, '\\\\')[1] = 0;\n\t\t\t\tRemoveDirectoryW(v2);\n\t\t\t}\n\n\t\t} while (FALSE);\n\t\t\n\t\trand_s(&v5);\n\t\tswprintf_s(RandName, 20, L\"SYS%u\", v5);\n\t\tif ( (unsigned int)++i >= 10 )\n\t\t\treturn 0;\n\t}\n\n\treturn 1;\n}\n\nwchar_t *__fastcall SysmonFormatMessageW(wchar_t *Dest, int len)\n{\n\tint v2;\n\twchar_t *v3;\n\tDWORD v5;\n\tWCHAR* Buffer;\n\n\tBuffer = 0;\n\n\tv3 = Dest;\n\n\tv5 = FormatMessageW(12544, 0, GetLastError(), 0, (LPWSTR)&Buffer, 0, 0);\n\tif ( v5 && len >= (signed int)(v5 + 14) )\n\t{\n\t\tBuffer[lstrlenW(Buffer) - 2] = 0;\n\t\t_swprintf(v3, L\"%s\", Buffer, GetLastError());\n\t}\n\telse\n\t{\n\t\t*v3 = 0;\n\t}\n\tif ( Buffer )\n\t\tLocalFree(*(HLOCAL *)Buffer);\n\treturn v3;\n}\n\nBOOLEAN __fastcall SysmonExtractResource(LPCWSTR lpName, wchar_t *Filename)\n{\n\tHRSRC hrFile;\n\tHGLOBAL hgFile;\n\tDWORD nFileLength;\n\tconst void *ptr;\n\tFILE *hFile;\n\n\thrFile = FindResourceW(0, lpName, L\"BINRES\");\n\n\tif ( !hrFile 
)\n\t\treturn 0;\n\thgFile = LoadResource(0, hrFile);\n\tnFileLength = SizeofResource(0, hrFile);\n\tptr = LockResource(hgFile);\n\thFile = _wfopen(Filename, L\"wb\");\n\n\tif ( !hFile )\n\t\treturn 0;\n\n\tfwrite(ptr, 1, nFileLength, hFile);\n\tfclose(hFile);\n\n\treturn 1;\n}\n\nDWORD RunSysmonX64()\n{\n\tHMODULE v0;\n\tpGetNativeSystemInfo v1;\n\tDWORD result;\n\twchar_t *v4;\n\n\tSTARTUPINFOW StartupInfo = {0};\n\tSYSTEM_INFO SystemInfo = {0};\n\tPROCESS_INFORMATION ProcessInformation = {0};\n\tDWORD ExitCode;\n\twchar_t Dest[256] = {0};\n\tWCHAR Filename[520] = {0};\n\n\tExitCode = 0;\n\tStartupInfo.cb = 68;\n\tStartupInfo.lpReserved = 0;\n\tmemset(&StartupInfo.lpDesktop, 0, 0x3Cu);\n\n\t__m128i Xmm0 = {0};\n\t_mm_storeu_si128((__m128i *)&ProcessInformation, Xmm0);\n\n\tv0 = LoadLibraryW(L\"kernel32.dll\");\n\tv1 = (pGetNativeSystemInfo)GetProcAddress(v0, \"GetNativeSystemInfo\");\n\n\tif ( v1 )\n\t\tv1(&SystemInfo);\n\telse\n\t\tGetSystemInfo(&SystemInfo);\n\n\tif ( SystemInfo.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 )\n\t{\n\t\twprintf(L\"Unsupported processor type: %d\\n\", SystemInfo.wProcessorArchitecture);\n\t\treturn 1630;\n\t}\n\n\tmemset(Filename, 0, sizeof(WCHAR)*520);\n\tif ( !GetModuleFileNameW(0, Filename, 520) )\n\t{\n\t\tExitCode = GetLastError();\n\t\twprintf(L\"Failed to get the module filename:\\n%s\\n\\n\", SysmonFormatMessageW(Dest, 256));\n\t\treturn ExitCode;\n\t}\n\n\tv4 = wcsrchr(Filename, '\\\\');\n\n\tif ( !SysmonTempFileName(v4 + 1,Filename) )\n\t{\n\t\tExitCode = GetLastError();\n\n\t\twprintf(L\"Failed to create temporaryfile:\\n%s\\n\\n\", SysmonFormatMessageW(Dest, 256));\n\t\treturn ExitCode;\n\t}\n\n\tif ( !SysmonExtractResource((LPCWSTR)1001,Filename) && GetFileAttributesW(Filename) == -1 )\n\t{\n\t\tExitCode = GetLastError();\n\t\twprintf(L\"Failed to extract the 64-bit version:\\n%s\\n\\n\", SysmonFormatMessageW(Dest, 256));\n\t\treturn ExitCode;\n\t}\n\n\tif ( 
CreateProcessW(\n\t\t\t\t\tFilename,\n\t\t\t\t\tGetCommandLineW(),\n\t\t\t\t\t0,\n\t\t\t\t\t0,\n\t\t\t\t\t0,\n\t\t\t\t\t0,\n\t\t\t\t\t0,\n\t\t\t\t\t0,\n\t\t\t\t\t&StartupInfo,\n\t\t\t\t\t&ProcessInformation) )\n\t{\n\t\tWaitForSingleObject(ProcessInformation.hProcess, 0xFFFFFFFF);\n\t\tGetExitCodeProcess(ProcessInformation.hProcess, &ExitCode);\n\t\tCloseHandle(ProcessInformation.hProcess);\n\t\tCloseHandle(ProcessInformation.hThread);\n\t\tresult = ExitCode;\n\t\tif ( ExitCode == 999 )\n\t\t\treturn result;\n\t}\n\telse\n\t{\n\t\tExitCode = GetLastError();\n\t\twprintf(L\"Error launching 64-bit version:\\n%s\\n\\n\", SysmonFormatMessageW(Dest, 256));\n\t}\n\n\tDeleteFileW(Filename);\n\n\treturn ExitCode;\n}"
  },
  {
    "path": "Sysmon/Sysmon.h",
    "content": "#pragma once\n\n#include \"resource.h\"\n\nBOOLEAN\n\tFORCEINLINE\n\tIsListEmpty(\n\t__in const LIST_ENTRY * ListHead\n\t)\n{\n\treturn (BOOLEAN)(ListHead->Flink == ListHead);\n}\n\nFORCEINLINE\n\tVOID\n\tInitializeListHead(\n\t__out PLIST_ENTRY ListHead\n\t)\n{\n\tListHead->Flink = ListHead->Blink = ListHead;\n}\n\nFORCEINLINE\n\tVOID\n\tInsertTailList(\n\t__inout PLIST_ENTRY ListHead,\n\t__inout __drv_aliasesMem PLIST_ENTRY Entry\n\t)\n{\n\tPLIST_ENTRY Blink;\n\n\tBlink = ListHead->Blink;\n\tEntry->Flink = ListHead;\n\tEntry->Blink = Blink;\n\tBlink->Flink = Entry;\n\tListHead->Blink = Entry;\n}\n\nFORCEINLINE\n\tBOOLEAN\n\tRemoveEntryList(\n\t__in PLIST_ENTRY Entry\n\t)\n{\n\tPLIST_ENTRY Blink;\n\tPLIST_ENTRY Flink;\n\n\tFlink = Entry->Flink;\n\tBlink = Entry->Blink;\n\tBlink->Flink = Flink;\n\tFlink->Blink = Blink;\n\treturn (BOOLEAN)(Flink == Blink);\n}\n\nFORCEINLINE\n\tPLIST_ENTRY\n\tRemoveHeadList(\n\t__inout PLIST_ENTRY ListHead\n\t)\n{\n\tPLIST_ENTRY Flink;\n\tPLIST_ENTRY Entry;\n\n\tEntry = ListHead->Flink;\n\tFlink = Entry->Flink;\n\tListHead->Flink = Flink;\n\tFlink->Blink = ListHead;\n\treturn Entry;\n}\n\nDWORD RunSysmonX64();\n"
  },
  {
    "path": "Sysmon/Sysmon.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Sysmon</RootNamespace>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <CharacterSet>Unicode</CharacterSet>\n    <UseOfAtl>Static</UseOfAtl>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    
<WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n  
</PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <TargetName>$(ProjectName)64</TargetName>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;INITGUID;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>\n      <ExceptionHandling>Async</ExceptionHandling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      
<IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;INITGUID;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <None Include=\"ReadMe.txt\" />\n    <None Include=\"small.ico\" />\n    <None Include=\"Sysmon.ico\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"CDigitalSign.h\" />\n    <ClInclude Include=\"CDName.h\" />\n    <ClInclude Include=\"CEventLogger.h\" />\n    <ClInclude Include=\"CMofDataParser.h\" />\n    <ClInclude Include=\"CSsymonEtw.h\" />\n    <ClInclude Include=\"CSysmonDriverOpt.h\" />\n    <ClInclude Include=\"CSysmonMofData.h\" />\n    <ClInclude Include=\"CSysmonUtil.h\" />\n    <ClInclude Include=\"Resource.h\" />\n    <ClInclude Include=\"stdafx.h\" />\n    <ClInclude Include=\"Sysmon.h\" />\n    <ClInclude Include=\"targetver.h\" />\n    <ClInclude Include=\"undname.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    
<ClCompile Include=\"CDigitalSign.cpp\" />\n    <ClCompile Include=\"CDName.cpp\" />\n    <ClCompile Include=\"CEventLogger.cpp\" />\n    <ClCompile Include=\"CMofDataParser.cpp\" />\n    <ClCompile Include=\"CSsymonEtw.cpp\" />\n    <ClCompile Include=\"CSysmonDriverOpt.cpp\" />\n    <ClCompile Include=\"CSysmonMofData.cpp\" />\n    <ClCompile Include=\"CSysmonUtil.cpp\" />\n    <ClCompile Include=\"stdafx.cpp\">\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">Create</PrecompiledHeader>\n    </ClCompile>\n    <ClCompile Include=\"Sysmon.cpp\" />\n    <ClCompile Include=\"undname.cpp\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"Sysmon.rc\" />\n  </ItemGroup>\n  <ItemGroup>\n    <Midl Include=\"undname.idl\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Sysmon/Sysmon.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"ReadMe.txt\" />\n    <None Include=\"small.ico\">\n      <Filter>Resource Files</Filter>\n    </None>\n    <None Include=\"Sysmon.ico\">\n      <Filter>Resource Files</Filter>\n    </None>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"stdafx.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"targetver.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"Resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"Sysmon.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CSysmonDriverOpt.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CSsymonEtw.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CSysmonUtil.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CSysmonMofData.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CMofDataParser.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude 
Include=\"CDigitalSign.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CEventLogger.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CDName.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"undname.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"stdafx.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"Sysmon.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CSysmonDriverOpt.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CSsymonEtw.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CSysmonUtil.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CSysmonMofData.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CMofDataParser.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CDigitalSign.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CEventLogger.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CDName.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"undname.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"Sysmon.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <Midl Include=\"undname.idl\">\n      <Filter>Source Files</Filter>\n    </Midl>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Sysmon/Sysmon.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LocalDebuggerCommandArguments>-n</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LocalDebuggerCommandArguments>sysmon.exe -i</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Sysmon/stdafx.cpp",
    "content": "// stdafx.cpp : source file that includes just the standard includes\n// Sysmon.pch will be the pre-compiled header\n// stdafx.obj will contain the pre-compiled type information\n\n#include \"stdafx.h\"\n\n// TODO: reference any additional headers you need in STDAFX.H\n// and not in this file\n"
  },
  {
    "path": "Sysmon/stdafx.h",
    "content": "// stdafx.h : include file for standard system include files,\n// or project specific include files that are used frequently, but\n// are changed infrequently\n//\n\n#pragma once\n\n#include \"targetver.h\"\n\n#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers\n// Windows Header Files:\n#include <windows.h>\n\n// C RunTime Header Files\n#include <stdlib.h>\n#include <malloc.h>\n#include <memory.h>\n#include <tchar.h>\n\n\n// TODO: reference additional headers your program requires here\n"
  },
  {
    "path": "Sysmon/targetver.h",
    "content": "#pragma once\n\n// Including SDKDDKVer.h defines the highest available Windows platform.\n\n// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and\n// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.\n#define _CRT_RAND_S  \n#include <SDKDDKVer.h>\n"
  },
  {
    "path": "Sysmon/undname.cpp",
    "content": "//\n// Copyright (c) Microsoft Corporation.  All rights reserved.\n//\n//\n// This source code is licensed under Microsoft Shared Source License\n// Version 1.0 for Windows CE.\n// For a copy of the license visit http://go.microsoft.com/fwlink/?LinkId=3223.\n//\n//\tMake sure all dependent defines exist and have a valid value\n#include \"stdafx.h\"\n// #ifndef\tNO_COMPILER_NAMES\n// #define\tNO_COMPILER_NAMES\t0\n// #endif\n// #ifndef VERS_32BIT\n// #define VERS_32BIT\t1\n// #endif\n// #ifndef PACK_SIZE\n// #if !VERS_32BIT\n// #define PACK_SIZE\t2\n// #elif defined(_X86_)\n// #define PACK_SIZE\t4\n// #else\n// #define PACK_SIZE\t8\n// #endif\n// #endif\n// //\tCheck for version inconsistancies, and setup version flags\n// #ifdef\tVERS_BSC\n// #undef\tNO_COMPILER_NAMES\n// #define\tNO_COMPILER_NAMES\t1\n// #pragma\tinline_depth ( 3 )\n// #pragma\tcheck_stack ( off )\n// #else\n// #pragma\tinline_depth ( 3 )\n// #pragma\tcheck_stack ( off )\n// #endif\n// #define\tPURE\t=0\n// // #include\t<stddef.h>\n// #include\t<stdlib.h>\n// #include\t\"undname.h\"\n// #pragma warning(disable:4291)\t// No matching operator delete\n// class\tDName;\n// class\tDNameNode;\n// class\tReplicator;\n// class\tHeapManager;\n// class\tUnDecorator;\n// const\tunsigned int\tmemBlockSize\t= 508;\t// A '512' byte block including the header\n// class\tHeapManager\n// {\n// private:\n// \tAlloc_t\tpOpNew;\n// \tFree_t\tpOpDelete;\n// \tstruct\tBlock\n// \t{\n// \t\tBlock *\tnext;\n// \t\tchar\tmemBlock[ memBlockSize ];\n// \t\t__near\tBlock ()\t{\tnext\t= 0;\t}\n// \t};\n// \tBlock *\thead;\n// \tBlock *\ttail;\n// \tunsigned int\tblockLeft;\n// public:\n// \tvoid\t__near\tConstructor ( Alloc_t pAlloc, Free_t pFree )\n// \t{\tpOpNew\t= pAlloc;\n// \tpOpDelete\t= pFree;\n// \tblockLeft\t= 0;\n// \thead\t= 0;\n// \ttail\t= 0;\n// \t}\n// \tvoid __far *\t__near\tgetMemory ( unsigned int, int );\n// \tvoid\t__near\tDestructor ( void )\n// \t{\tif\t( pOpDelete != 0 )\n// \twhile\t( 
tail = head )\n// \t{\n// \t\thead\t= tail->next;\n// \t\t( *pOpDelete )( tail );\n// \t}\n// \t}\n// #define\tgnew\tnew(heap,0)\n// #define\trnew\tnew(heap,1)\n// };\n// void   *\t__near __pascal\toperator new ( unsigned int, HeapManager &, int = 0 );\n// static\tHeapManager\theap;\n// //\tThe MS Token table\n// enum\tTokens\n// {\n// #if !VERS_32BIT\n// \tTOK_near,\n// \tTOK_nearSp,\n// \tTOK_nearP,\n// \tTOK_far,\n// \tTOK_farSp,\n// \tTOK_farP,\n// \tTOK_huge,\n// \tTOK_hugeSp,\n// \tTOK_hugeP,\n// #endif\n// \tTOK_basedLp,\n// \tTOK_cdecl,\n// \tTOK_pascal,\n// \tTOK_stdcall,\n// \tTOK_thiscall,\n// \tTOK_fastcall,\n// \tTOK_cocall,\n// \tTOK_ptr64,\n// \tTOK_restrict,\n// #if !VERS_32BIT\n// \tTOK_interrupt,\n// \tTOK_saveregs,\n// \tTOK_self,\n// \tTOK_segment,\n// \tTOK_segnameLpQ,\n// #endif\n// \tTOK__last\n// };\n// static\tconst pcchar_t\t__near\ttokenTable[]\t=\n// {\n// #if !VERS_32BIT\n// \t\"__near\",\t// TOK_near\n// \t\"__near \",\t// TOK_nearSp\n// \t\"__near*\",\t// TOK_nearP\n// \t\"__far\",\t// TOK_far\n// \t\"__far \",\t// TOK_farSp\n// \t\"__far*\",\t// TOK_farP\n// \t\"__huge\",\t// TOK_huge\n// \t\"__huge \",\t// TOK_hugeSp\n// \t\"__huge*\",\t// TOK_hugeP\n// #endif\n// \t\"__based(\",\t// TOK_basedLp\n// \t\"__cdecl\",\t// TOK_cdecl\n// \t\"__pascal\",\t// TOK_pascal\n// \t\"__stdcall\",\t// TOK_stdcall\n// \t\"__thiscall\",\t// TOK_thiscall\n// \t\"__fastcall\",\t// TOK_fastcall\n// \t\"__cocall\",\t// TOK_cocall\n// \t\"__ptr64\",\t// TOK_ptr64\n// \t\"__restrict\",\t// TOK_restrict\n// #if !VERS_32BIT\n// \t\"__interrupt\",\t// TOK_interrupt\n// \t\"__saveregs\",\t// TOK_saveregs\n// \t\"__self\",\t// TOK_self\n// \t\"__segment\",\t// TOK_segment\n// \t\"__segname(\"\",\t// TOK_segnameLpQ\n// #endif\n// \t\"\"\n// };\n// //\tThe operator mapping table\n// static\tconst pcchar_t\t__near\tnameTable[]\t=\n// {\n// \t\" new\",\n// \t\" delete\",\n// \t\"=\",\n// \t\">>\",\n// \t\"<<\",\n// \t\"!\",\n// \t\"==\",\n// \t\"!=\",\n// 
\t\"[]\",\n// \t\"operator\",\n// \t\"->\",\n// \t\"*\",\n// \t\"++\",\n// \t\"--\",\n// \t\"-\",\n// \t\"+\",\n// \t\"&\",\n// \t\"->*\",\n// \t\"/\",\n// \t\"%\",\n// \t\"<\",\n// \t\"<=\",\n// \t\">\",\n// \t\">=\",\n// \t\",\",\n// \t\"()\",\n// \t\"~\",\n// \t\"^\",\n// \t\"|\",\n// \t\"&&\",\n// \t\"||\",\n// \t\"*=\",\n// \t\"+=\",\n// \t\"-=\",\n// \t\"/=\",\n// \t\"%=\",\n// \t\">>=\",\n// \t\"<<=\",\n// \t\"&=\",\n// \t\"|=\",\n// \t\"^=\",\n// #if\t( !NO_COMPILER_NAMES )\n// \t\"`vftable'\",\n// \t\"`vbtable'\",\n// \t\"`vcall'\",\n// \t\"`typeof'\",\n// \t\"`local static guard'\",\n// \t\"`string'\",\n// \t\"`vbase destructor'\",\n// \t\"`vector deleting destructor'\",\n// \t\"`default constructor closure'\",\n// \t\"`scalar deleting destructor'\",\n// \t\"`vector constructor iterator'\",\n// \t\"`vector destructor iterator'\",\n// \t\"`vector vbase constructor iterator'\",\n// \t\"`virtual displacement map\",\n// \t\"`eh vector constructor iterator'\",\n// \t\"`eh vector destructor iterator'\",\n// \t\"`eh vector vbase constructor iterator'\",\n// \t\"`copy constructor closure'\",\n// \t\"`udt returning'\",\n// \t\"`EH\", //eh initialized struct\n// \t\"`RTTI\", //rtti initialized struct\n// \t\"`local vftable'\",\n// \t\"`local vftable constructor closure'\",\n// #endif\t// !NO_COMPILER_NAMES\n// \t\" new[]\",\n// \t\" delete[]\",\n// #if ( !NO_COMPILER_NAMES )\n// \t\"`omni callsig'\",\n// \t\"`placement delete closure'\",\n// \t\"`placement delete[] closure'\",\n// #endif\n// \t\"\"\n// };\n// static const pcchar_t __near ehTable[] =\n// {\n// \t\" Ptr to Member Data'\",\n// \t\" Catchable Type'\",\n// \t\" Catchable Type Array'\",\n// \t\" ThrowInfo'\",\n// };\n// static const pcchar_t __near rttiTable[] =\n// {\n// \t\" Type Descriptor'\",\n// \t\" Base Class Descriptor at (\",\n// \t\" Base Class Array'\",\n// \t\" Class Hierarchy Descriptor'\",\n// \t\" Complete Object Locator'\",\n// };\n// //\tThe following 'enum' should really be nested 
inside 'class DName', but to\n// //\tmake the code compile better with Glockenspiel, I have extracted it\n// enum\tDNameStatus\n// {\n// \tDN_valid,\n// \tDN_invalid,\n// \tDN_truncated,\n// \tDN_error\n// };\n// class\tDName\n// {\n// public:\n// \t__near\tDName ();\n// \t__near\tDName ( char );\n// #if\t1\n// \t__near\tDName ( const DName & );\t// Shallow copy\n// #endif\n// \t__near\tDName ( DNameNode * );\n// \t__near\tDName ( pcchar_t );\n// \t__near\tDName ( pcchar_t&, char );\n// \t__near\tDName ( DNameStatus );\n// \t__near\tDName ( DName * );\n// \t__near\tDName ( unsigned long );\n// \tint\t__near\tisValid () const;\n// \tint\t__near\tisEmpty () const;\n// \tDNameStatus\t__near\tstatus () const;\n// \tDName &\t__near\tsetPtrRef ();\n// \tint\t__near\tisPtrRef () const;\n// \tint\t__near\tisUDC () const;\n// \tvoid\t__near\tsetIsUDC ();\n// \tint\t__near\tisUDTThunk () const;\n// \tvoid\t__near\tsetIsUDTThunk ();\n// \tint\tisNoTE () const;\n// \tvoid\tsetIsNoTE ();\n// \tint\t__near\tlength () const;\n// \tchar\t__near\tgetLastChar () const;\n// \tpchar_t\t__near\tgetString ( pchar_t, int ) const;\n// \tDName\t__near\toperator + ( pcchar_t ) const;\n// \tDName\t__near\toperator + ( const DName & ) const;\n// \tDName\t__near\toperator + ( char ) const;\n// \tDName\t__near\toperator + ( DName * ) const;\n// \tDName\t__near\toperator + ( DNameStatus ) const;\n// \tDName &\t__near\toperator += ( char );\n// \tDName &\t__near\toperator += ( pcchar_t );\n// \tDName &\t__near\toperator += ( DName * );\n// \tDName &\t__near\toperator += ( DNameStatus );\n// \tDName &\t__near\toperator += ( const DName & );\n// \tDName &\t__near\toperator |= ( const DName & );\n// \tDName &\t__near\toperator = ( pcchar_t );\n// \tDName &\t__near\toperator = ( const DName & );\n// \tDName &\t__near\toperator = ( char );\n// \tDName &\t__near\toperator = ( DName * );\n// \tDName &\t__near\toperator = ( DNameStatus );\n// \t//\tFriends :\n// \tfriend\tDName\t__near __pascal\toperator 
+ ( char, const DName & );\n// \tfriend\tDName\t__near __pascal\toperator + ( pcchar_t, const DName & );\n// \tfriend\tDName\t__near __pascal\toperator + ( DNameStatus, const DName & );\n// private:\n// \tDNameNode *\tnode;\n// \tDNameStatus\tstat\t: 4;\n// \tunsigned int\tisIndir\t: 1;\n// \tunsigned int\tisAUDC\t: 1;\n// \tunsigned int\tisAUDTThunk\t: 1;\n// \tunsigned int\tNoTE\t: 1;\n// \tvoid\t__near\tdoPchar ( pcchar_t, int );\n// };\n// class\tReplicator\n// {\n// private:\n// \t//\tDeclare, in order to suppress automatic generation\n// \tvoid\toperator = ( const Replicator& );\n// \tint\tindex;\n// \tDName *\tdNameBuffer[ 10 ];\n// \tconst DName\tErrorDName;\n// \tconst DName\tInvalidDName;\n// public:\n// \t__near\tReplicator ();\n// \tint\t__near\tisFull () const;\n// \tReplicator &\t__near\toperator += ( const DName & );\n// \tconst DName &\t__near\toperator [] ( int ) const;\n// };\n// class\tUnDecorator\n// {\n// private:\n// \t//\tDeclare, in order to suppress automatic generation\n// \tvoid\toperator = ( const UnDecorator& );\n// \tReplicator\tArgList;\n// \tstatic\tReplicator *\tpArgList;\n// \tReplicator\tZNameList;\n// \tstatic\tReplicator *\tpZNameList;\n// \tstatic\tReplicator *\tpTemplateArgList;\n// \tstatic\tpcchar_t\tgName;\n// \tstatic\tpcchar_t\tname;\n// \tstatic\tpchar_t\toutputString;\n// \tstatic\tint\tmaxStringLength;\n// \tstatic\tunsigned long\tdisableFlags;\n// \tstatic\tDName\t__near\tgetDecoratedName ( void );\n// \tstatic\tDName\t__near\tgetSymbolName ( void );\n// \tstatic\tDName\t__near\tgetZName ( void );\n// \tstatic\tDName\t__near\tgetOperatorName ( void );\n// \tstatic\tDName\t__near\tgetScope ( void );\n// \tstatic\tDName\tgetScopedName ( void );\n// \tstatic\tDName\t__near\tgetSignedDimension ( void );\n// \tstatic\tDName\t__near\tgetDimension ( void );\n// \tstatic\tint\t__near\tgetNumberOfDimensions ( void );\n// \tstatic\tDName\t__near\tgetTemplateName ( void );\n// \tstatic\tDName\t__near\tgetTemplateArgumentList( 
void );\n// \tstatic\tDName\t__near\tgetTemplateConstant( void );\n// \tstatic\tDName\t__near\tcomposeDeclaration ( const DName & );\n// \tstatic\tint\t__near\tgetTypeEncoding ( void );\n// \tstatic\tDName\t__near\tgetBasedType ( void );\n// \tstatic\tDName\t__near\tgetECSUName ( void );\n// \tstatic\tDName\t__near\tgetEnumType ( void );\n// \tstatic\tDName\t__near\tgetCallingConvention ( void );\n// \tstatic\tDName\t__near\tgetReturnType ( DName * = 0 );\n// \tstatic\tDName\t__near\tgetDataType ( DName * );\n// \tstatic\tDName\t__near\tgetPrimaryDataType ( const DName & );\n// \tstatic\tDName\t__near\tgetDataIndirectType ( const DName &, char, const DName &, int = FALSE );\n// \tstatic\tDName\t__near\tgetDataIndirectType ();\n// \tstatic\tDName\t__near\tgetBasicDataType ( const DName & );\n// \tstatic\tDName\t__near\tgetECSUDataType ( void );\n// \tstatic\tDName\t__near\tgetPtrRefType ( const DName &, const DName &, int );\n// \tstatic\tDName\t__near\tgetPtrRefDataType ( const DName &, int );\n// \tstatic\tDName\t__near\tgetArrayType ( const DName& );\n// \tstatic\tDName\tgetFunctionIndirectType( const DName & superType );\n// \tstatic\tDName\t__near\tgetArgumentTypes ( void );\n// \tstatic\tDName\t__near\tgetArgumentList ( void );\n// \tstatic\tDName\t__near\tgetThrowTypes ( void );\n// \tstatic\tDName\t__near\tgetLexicalFrame ( void );\n// \tstatic\tDName\t__near\tgetStorageConvention ( void );\n// \tstatic\tDName\t__near\tgetThisType ( void );\n// \tstatic\tDName\t__near\tgetPointerType ( const DName &, const DName & );\n// \tstatic\tDName\t__near\tgetReferenceType ( const DName &, const DName & );\n// \tstatic\tDName\t__near\tgetExternalDataType ( const DName & );\n// \tstatic\tDName\t__near\tgetSegmentName ( void );\n// #if\t( !NO_COMPILER_NAMES )\n// \tstatic\tDName\t__near\tgetDisplacement ( void );\n// \tstatic\tDName\t__near\tgetCallIndex ( void );\n// \tstatic\tDName\t__near\tgetGuardNumber ( void );\n// \tstatic\tDName\t__near\tgetVfTableType ( const 
DName & );\n// \tstatic\tDName\t__near\tgetVbTableType ( const DName & );\n// \tstatic\tDName\t__near\tgetVCallThunkType ( void );\n// #endif\t// !NO_COMPILER_NAMES\n// \tstatic\tDName\tgetStringEncoding ( char *prefix, int wantBody );\n// \tstatic GetParameter_t m_pGetParameter;\n// public:\n// \t__near\tUnDecorator ( pchar_t, pcchar_t, int, GetParameter_t, unsigned long );\n// \tstatic\tint\t__near\tdoUnderScore ();\n// \tstatic\tint\t__near\tdoMSKeywords ();\n// \tstatic\tint\t__near\tdoFunctionReturns ();\n// \tstatic\tint\t__near\tdoAllocationModel ();\n// \tstatic\tint\t__near\tdoAllocationLanguage ();\n// #if\t0\n// \tstatic\tint\t__near\tdoMSThisType ();\n// \tstatic\tint\t__near\tdoCVThisType ();\n// #endif\n// \tstatic\tint\t__near\tdoThisTypes ();\n// \tstatic\tint\t__near\tdoAccessSpecifiers ();\n// \tstatic\tint\t__near\tdoThrowTypes ();\n// \tstatic\tint\t__near\tdoMemberTypes ();\n// \tstatic\tint\t__near\tdoReturnUDTModel ();\n// \tstatic\tint\t__near\tdo32BitNear ();\n// \tstatic\tint\t__near\tdoNameOnly ();\n// \tstatic\tint\t__near\tdoTypeOnly ();\n// \tstatic\tint\t__near\thaveTemplateParameters ();\n// \tstatic\tint\t__near\tdoEcsu ();\n// \tstatic\tint\t__near\tdoNoIdentCharCheck ();\n// \tstatic\tpcchar_t\t__near\tUScore ( Tokens );\n// \t__near\toperator pchar_t ();\n// };\n// Replicator *\tUnDecorator::pArgList;\n// Replicator *\tUnDecorator::pZNameList\t= 0;\n// Replicator *\tUnDecorator::pTemplateArgList\t= 0;\n// pcchar_t\tUnDecorator::gName\t= 0;\n// pcchar_t\tUnDecorator::name\t= 0;\n// pchar_t\tUnDecorator::outputString\t= 0;\n// int\tUnDecorator::maxStringLength\t= 0;\n// unsigned long\tUnDecorator::disableFlags\t= 0;\n// GetParameter_t\tUnDecorator::m_pGetParameter\t= 0;\n// // #ifdef _CRTBLD\n// pchar_t\t__far _CRTIMP __loadds\t__unDName (\tpchar_t outputString,\n// \t// #else\n// \t// pchar_t\t__far __cdecl __loadds\tunDName (\tpchar_t outputString,\n// \t// #endif\n// \tpcchar_t name,\n// \tint maxStringLength,\t// Note, COMMA is 
leading following optional arguments\n// \tAlloc_t pAlloc,\n// \tFree_t pFree,\n// \tunsigned short disableFlags\n// \t)\n// \t/*\n// \t*\tThis function will undecorate a name, returning the string corresponding to\n// \t*\tthe C++ declaration needed to produce the name.  Its has a similar interface\n// \t*\tto 'strncpy'.\n// \t*\n// \t*\tIf the target string 'outputString' is specified to be NULL, a string of\n// \t*\tsuitable length will be allocated and its address returned.  If the returned\n// \t*\tstring is allocated by 'unDName', then it is the programmers responsibility\n// \t*\tto deallocate it.  It will have been allocated on the far heap.\n// \t*\n// \t*\tIf the target string is not NULL, then the parameter 'maxStringLength' will\n// \t*\tspecify the maximum number of characters which may be placed in the string.\n// \t*\tIn this case, the returned value is the same as 'outputString'.\n// \t*\n// \t*\tBoth the input parameter 'name' and the returned string are NULL terminated\n// \t*\tstrings of characters.\n// \t*\n// \t*\tIf the returned value is NULL, it indicates that the undecorator ran out of\n// \t*\tmemory, or an internal error occurred, and was unable to complete its task.\n// \t*/\n// {\n// \t//\tMust have an allocator and a deallocator (and we MUST trust them)\n// \tif\t( !( pAlloc ))\n// \t\treturn\t0;\n// \telse\n// \t\theap.Constructor ( pAlloc, pFree );\n// \t//\tCreate the undecorator object, and get the result\n// \tUnDecorator\tunDecorate (\toutputString,\n// \t\tname,\n// \t\tmaxStringLength,\n// \t\t0,\n// \t\tdisableFlags\n// \t\t);\n// \tpchar_t\tunDecoratedName\t= unDecorate;\n// \t// Destruct the heap (would use a destructor, but that causes DLL problems)\n// \theap.Destructor ();\n// \t//\tAnd return the composed name\n// \treturn\tunDecoratedName;\n// }\t// End of FUNCTION \"unDName\"\n// // #ifdef _CRTBLD\n// pchar_t\t__far _CRTIMP __loadds\t__unDNameEx (\tpchar_t outputString,\n// \t// #else\n// \t// pchar_t\t__far __cdecl 
__loadds\tunDNameEx (\tpchar_t outputString,\n// \t// #endif\n// \tpcchar_t name,\n// \tint maxStringLength,\t// Note, COMMA is leading following optional arguments\n// \tAlloc_t pAlloc,\n// \tFree_t pFree,\n// \tGetParameter_t pGetParameter,\n// \tunsigned long disableFlags\n// \t)\n// \t/*\n// \t*\tThis function will undecorate a name, returning the string corresponding to\n// \t*\tthe C++ declaration needed to produce the name.  Its has a similar interface\n// \t*\tto 'strncpy'.\n// \t*\n// \t*\tIf the target string 'outputString' is specified to be NULL, a string of\n// \t*\tsuitable length will be allocated and its address returned.  If the returned\n// \t*\tstring is allocated by 'unDName', then it is the programmers responsibility\n// \t*\tto deallocate it.  It will have been allocated on the far heap.\n// \t*\n// \t*\tIf the target string is not NULL, then the parameter 'maxStringLength' will\n// \t*\tspecify the maximum number of characters which may be placed in the string.\n// \t*\tIn this case, the returned value is the same as 'outputString'.\n// \t*\n// \t*\tBoth the input parameter 'name' and the returned string are NULL terminated\n// \t*\tstrings of characters.\n// \t*\n// \t*\tIf the returned value is NULL, it indicates that the undecorator ran out of\n// \t*\tmemory, or an internal error occurred, and was unable to complete its task.\n// \t*/\n// {\n// \t//\tMust have an allocator and a deallocator (and we MUST trust them)\n// \tif\t( !( pAlloc ))\n// \t\treturn\t0;\n// \telse\n// \t\theap.Constructor ( pAlloc, pFree );\n// \t//\tCreate the undecorator object, and get the result\n// \tUnDecorator\tunDecorate (\toutputString,\n// \t\tname,\n// \t\tmaxStringLength,\n// \t\tpGetParameter,\n// \t\tdisableFlags\n// \t\t);\n// \tpchar_t\tunDecoratedName\t= unDecorate;\n// \t// Destruct the heap (would use a destructor, but that causes DLL problems)\n// \theap.Destructor ();\n// \t//\tAnd return the composed name\n// \treturn\tunDecoratedName;\n// }\t// 
End of FUNCTION \"unDName\"\n// //\tThe 'UnDecorator' member functions\n// inline\t__near\tUnDecorator::UnDecorator\t(\tpchar_t output,\n// \tpcchar_t dName,\n// \tint maxLen,\n// \tGetParameter_t pGetParameter,\n// \tunsigned long disable\n// \t)\n// {\n// \tname\t= dName;\n// \tgName\t= name;\n// \tif\t( output ) {\n// \t\tmaxStringLength\t= maxLen - 1;\t// The algorithm in getString doesn't leave room\n// \t\t// for terminating NULL; be paranoid and leave one\n// \t\t// extra char.\n// \t\t// It's a lot easier to fix this here....\n// \t\toutputString\t= output;\n// \t}\n// \telse {\n// \t\toutputString\t= 0;\n// \t\tmaxStringLength\t= 0;\n// \t}\n// \tpZNameList\t= &ZNameList;\n// \tpArgList\t= &ArgList;\n// \tdisableFlags\t= disable;\n// \tm_pGetParameter\t= pGetParameter;\n// }\t// End of \"UnDecorator\" CONSTRUCTOR '()'\n// inline\t__near\tUnDecorator::operator pchar_t ()\n// {\n// \tDName\tresult;\n// \tDName\tunDName;\n// \t//\tFind out if the name is a decorated name or not.  Could be a reserved\n// \t//\tCodeView variant of a decorated name\n// \tif\t( name )\n// \t{\n// \t\tif\t(( *name == '?' ) && ( name[ 1 ] == '@' ))\n// \t\t{\n// #if\t( !NO_COMPILER_NAMES )\n// \t\t\tgName\t+= 2;\n// \t\t\tresult\t= \"CV: \" + getDecoratedName ();\n// #else\t// } elif NO_COMPILER_NAMES\n// \t\t\tresult\t= DN_invalid;\n// #endif\t// NO_COMPILER_NAMES\n// \t\t}\t// End of IF then\n// \t\telif\t(( *name == '?' 
) && ( name[1] == '$' ))\n// \t\t\tresult\t= getTemplateName ();\n// \t\telse\n// \t\t\tresult\t= getDecoratedName ();\n// \t}\t// End of IF then\n// \t//\tIf the name was not a valid name, then make the name the same as the original\n// \t//\tIt is also invalid if there are any remaining characters in the name (except when\n// \t//\twe're giving the name only)\n// \tif\t( result.status () == DN_error )\n// \t\treturn\t0;\n// \telif\t( (*gName && !doNameOnly ()) || ( result.status () == DN_invalid ))\n// \t\tunDName\t= name;\t// Return the original name\n// \telse\n// \t\tunDName\t= result;\n// \t//\tConstruct the return string\n// \tif\t( !outputString )\n// \t{\n// \t\tmaxStringLength\t= unDName.length () + 1;\n// \t\toutputString \t= rnew char[ maxStringLength ];\n// \t}\t// End of IF\n// \tif\t( outputString )\n// \t\tunDName.getString ( outputString, maxStringLength );\n// \t//\tReturn the result\n// \treturn\toutputString;\n// }\t// End of \"UnDecorator\" OPERATOR 'pchar_t'\n// DName\t__near\tUnDecorator::getDecoratedName ( void )\n// {\n// \t//\tEnsure that it is intended to be a decorated name\n// \tif\t( doTypeOnly() )\n// \t{\n// \t\t// Disable the type-only flag, so that if we get here recursively, eg.\n// \t\t// in a template tag, we do full name undecoration.\n// \t\tdisableFlags &= ~UNDNAME_TYPE_ONLY;\n// \t\t// If we're decoding just a type, process it as the type for an abstract\n// \t\t// declarator, by giving an empty symbol name.\n// \t\tDName\tresult = getDataType ( NULL );\n// \t\tdisableFlags |= UNDNAME_TYPE_ONLY;\n// \t\treturn result;\n// \t}\n// \telif\t( *gName == '?' 
)\n// \t{\n// \t\t//\tExtract the basic symbol name\n// \t\tgName++;\t// Advance the original name pointer\n// \t\tDName\tsymbolName\t= getSymbolName ();\n// \t\tint\tudcSeen\t= symbolName.isUDC ();\n// \t\t//\tAbort if the symbol name is invalid\n// \t\tif\t( !symbolName.isValid ())\n// \t\t\treturn\tsymbolName;\n// \t\t//\tExtract, and prefix the scope qualifiers\n// \t\tif\t( *gName && ( *gName != '@' )) {\n// \t\t\tDName\tscope = getScope ();\n// \t\t\tif\t( !scope.isEmpty() )\n// \t\t\t\tsymbolName\t= scope + \"::\" + symbolName;\n// \t\t}\n// \t\tif\t( udcSeen )\n// \t\t\tsymbolName.setIsUDC ();\n// \t\t//\tNow compose declaration\n// \t\tif\t( symbolName.isEmpty () || symbolName.isNoTE() )\n// \t\t{\n// \t\t\treturn\tsymbolName;\n// \t\t}\n// \t\telif\t( !*gName || ( *gName == '@' ) )\n// \t\t{\n// \t\t\tif\t( *gName )\n// \t\t\t\tgName++;\n// \t\t\tif\t(doNameOnly () && !udcSeen) {\n// \t\t\t\t// Eat the rest of the dname, in case this is a recursive invocation,\n// \t\t\t\t// such as for a template argument.\n// \t\t\t\t(void)composeDeclaration( DName() );\n// \t\t\t\treturn symbolName;\n// \t\t\t}\n// \t\t\telse {\n// \t\t\t\treturn\tcomposeDeclaration ( symbolName );\n// \t\t\t}\n// \t\t}\t// End of ELIF then\n// \t\telse\n// \t\t\treturn\tDN_invalid;\n// \t}\t// End of IF then\n// \telif\t( *gName )\n// \t\treturn\tDN_invalid;\n// \telse\n// \t\treturn\tDN_truncated;\n// }\t// End of \"UnDecorator\" FUNCTION \"getDecoratedName\"\n// inline\tDName\t__near\tUnDecorator::getSymbolName ( void )\n// {\n// \tif\t( *gName == '?' 
)\n// \t{\n// \t\tgName++;\n// \t\treturn\tgetOperatorName ();\n// \t}\t// End of IF then\n// \telse\n// \t\treturn\tgetZName ();\n// }\t// End of \"UnDecorator\" FUNCTION \"getSymbolName\"\n// DName\t__near\tUnDecorator::getZName ( void )\n// {\n// \tint\tzNameIndex\t= *gName - '0';\n// \t//\tHandle 'zname-replicators', otherwise an actual name\n// \tif\t(( zNameIndex >= 0 ) && ( zNameIndex <= 9 ))\n// \t{\n// \t\tgName++;\t// Skip past the replicator\n// \t\t//\tAnd return the indexed name\n// \t\treturn\t( *pZNameList )[ zNameIndex ];\n// \t}\t// End of IF then\n// \telse\n// \t{\n// \t\tDName\tzName;\n// \t\tif\t( *gName == '?' )\n// \t\t{\n// \t\t\tzName\t= getTemplateName ();\n// \t\t\tif\t( *gName++ != '@' )\n// \t\t\t\tzName\t= *--gName ? DN_invalid : DN_truncated;\n// \t\t}\n// \t\telse\n// \t\t\t//\tExtract the 'zname' to the terminator\n// \t\t\tzName\t= DName( gName, '@' );\t// This constructor updates 'name'\n// \t\t//\tAdd it to the current list of 'zname's\n// \t\tif\t( !pZNameList->isFull ())\n// \t\t\t*pZNameList\t+= zName;\n// \t\t//\tAnd return the symbol name\n// \t\treturn\tzName;\n// \t}\t// End of IF else\n// }\t// End of \"UnDecorator\" FUNCTION \"getZName\"\n// inline\tDName\t__near\tUnDecorator::getOperatorName ( void )\n// {\n// \tDName\toperatorName;\n// \tDName\ttmpName;\n// \tint\tudcSeen\t= FALSE;\n// \t//\tSo what type of operator is it ?\n// \tswitch\t( *gName++ )\n// \t{\n// \tcase 0:\n// \t\tgName--;\t// End of string, better back-track\n// \t\treturn\tDN_truncated;\n// \tcase OC_ctor:\n// \tcase OC_dtor:\n// \t\t//\n// \t\t// The constructor and destructor are special:\n// \t\t// Their operator name is the name of their first enclosing scope, which\n// \t\t// will always be a tag, which may be a template specialization!\n// \t\t//\n// \t\t{\n// \t\t\t//\tUse a temporary.  
Don't want to advance the name pointer\n// \t\t\tpcchar_t\tpName\t= gName;\n// \t\t\toperatorName\t= getZName ();\n// \t\t\tgName = pName;\t// Undo our lookahead\n// \t\t\tif\t( !operatorName.isEmpty () && ( gName[ -1 ] == OC_dtor ))\n// \t\t\t\toperatorName\t= '~' + operatorName;\n// \t\t\treturn\toperatorName;\n// \t\t}\t// End of CASE 'OC_ctor,OC_dtor'\n// \t\tbreak;\n// \tcase OC_new:\n// \tcase OC_delete:\n// \tcase OC_assign:\n// \tcase OC_rshift:\n// \tcase OC_lshift:\n// \tcase OC_not:\n// \tcase OC_equal:\n// \tcase OC_unequal:\n// \t\toperatorName\t= nameTable[ gName[ -1 ] - OC_new ];\n// \t\tbreak;\n// \tcase OC_udc:\n// \t\tudcSeen\t= TRUE;\n// \t\t//\tNo break\n// \tcase OC_index:\n// \tcase OC_pointer:\n// \tcase OC_star:\n// \tcase OC_incr:\n// \tcase OC_decr:\n// \tcase OC_minus:\n// \tcase OC_plus:\n// \tcase OC_amper:\n// \tcase OC_ptrmem:\n// \tcase OC_divide:\n// \tcase OC_modulo:\n// \tcase OC_less:\n// \tcase OC_leq:\n// \tcase OC_greater:\n// \tcase OC_geq:\n// \tcase OC_comma:\n// \tcase OC_call:\n// \tcase OC_compl:\n// \tcase OC_xor:\n// \tcase OC_or:\n// \tcase OC_land:\n// \tcase OC_lor:\n// \tcase OC_asmul:\n// \tcase OC_asadd:\n// \tcase OC_assub:\t// Regular operators from the first group\n// \t\toperatorName\t= nameTable[ gName[ -1 ] - OC_index + ( OC_unequal - OC_new + 1 )];\n// \t\tbreak;\n// \tcase '_':\n// \t\tswitch\t( *gName++ )\n// \t\t{\n// \t\tcase 0:\n// \t\t\tgName--;\t// End of string, better back-track\n// \t\t\treturn\tDN_truncated;\n// \t\tcase OC_asdiv:\n// \t\tcase OC_asmod:\n// \t\tcase OC_asrshift:\n// \t\tcase OC_aslshift:\n// \t\tcase OC_asand:\n// \t\tcase OC_asor:\n// \t\tcase OC_asxor:\t// Regular operators from the extended group\n// \t\t\toperatorName\t= nameTable[ gName[ -1 ] - OC_asdiv + ( OC_assub - OC_index + 1 ) + ( OC_unequal - OC_new + 1 )];\n// \t\t\tbreak;\n// #if\t( !NO_COMPILER_NAMES )\n// \t\tcase OC_vftable:\n// \t\tcase OC_vbtable:\n// \t\tcase OC_vcall:\n// \t\t\treturn\tnameTable[ gName[ -1 ] 
- OC_asdiv + ( OC_assub - OC_index + 1 ) + ( OC_unequal - OC_new + 1 )];\n// \t\tcase OC_string:\n// \t\t\t{\n// \t\t\t\tDName result = getStringEncoding( \"`string'\", TRUE );\n// \t\t\t\tresult.setIsNoTE();\n// \t\t\t\treturn result;\n// \t\t\t}\n// \t\tcase OC_metatype:\n// \t\tcase OC_guard:\n// \t\tcase OC_vbdtor:\n// \t\tcase OC_vdeldtor:\n// \t\tcase OC_defctor:\n// \t\tcase OC_sdeldtor:\n// \t\tcase OC_vctor:\n// \t\tcase OC_vdtor:\n// \t\tcase OC_vallctor:\n// \t\tcase OC_ehvctor:\n// \t\tcase OC_ehvdtor:\n// \t\tcase OC_ehvctorvb:\n// \t\tcase OC_copyctorclosure:\n// \t\tcase OC_locvfctorclosure:\n// \t\tcase OC_locvftable:\t// Special purpose names\n// \t\tcase OC_placementDeleteClosure:\n// \t\tcase OC_placementArrayDeleteClosure:\n// \t\t\treturn nameTable[ gName[ -1 ] - OC_metatype + ( OC_vcall - OC_asdiv + 1 ) + ( OC_assub - OC_index + 1 ) + ( OC_unequal - OC_new + 1 )];\n// \t\tcase OC_udtthunk:\n// \t\t\toperatorName = nameTable[ gName[ -1 ] - OC_metatype + ( OC_vcall - OC_asdiv + 1 ) + ( OC_assub - OC_index + 1 ) + ( OC_unequal - OC_new + 1 )];\n// \t\t\ttmpName \t= getOperatorName();\n// \t\t\tif ( !tmpName.isEmpty() && tmpName.isUDTThunk() )\n// \t\t\t\treturn\tDN_invalid;\n// \t\t\treturn operatorName + tmpName;\n// \t\t\tbreak;\n// \t\tcase OC_eh_init:\n// \t\t\tbreak;\n// \t\tcase OC_rtti_init:\n// \t\t\toperatorName = nameTable[ gName[ -1 ] - OC_metatype + ( OC_vcall - OC_asdiv + 1 ) + ( OC_assub - OC_index + 1 ) + ( OC_unequal - OC_new + 1 )];\n// \t\t\ttmpName = rttiTable[ gName[0] - OC_rtti_TD ];\n// \t\t\tswitch\t( *gName++ )\n// \t\t\t{\n// \t\t\tcase OC_rtti_TD:\n// \t\t\t\t{\n// \t\t\t\t\tDName\tresult = getDataType ( NULL );\n// \t\t\t\t\treturn result + ' ' + operatorName + tmpName;\n// \t\t\t\t}\n// \t\t\t\tbreak;\n// \t\t\tcase OC_rtti_BCD:\n// \t\t\t\t{\n// \t\t\t\t\tDName\tresult = operatorName + tmpName;\n// \t\t\t\t\tresult += getSignedDimension() + ',';\n// \t\t\t\t\tresult += getSignedDimension() + ',';\n// \t\t\t\t\tresult 
+= getSignedDimension() + ',';\n// \t\t\t\t\tresult += getDimension() + ')';\n// \t\t\t\t\treturn result + ''';\n// \t\t\t\t}\n// \t\t\t\tbreak;\n// \t\t\tcase OC_rtti_BCA:\n// \t\t\tcase OC_rtti_CHD:\n// \t\t\tcase OC_rtti_COL:\n// \t\t\t\treturn operatorName + tmpName;\n// \t\t\t\tbreak;\n// \t\t\tdefault:\n// \t\t\t\tgName--;\n// \t\t\t\treturn DN_truncated;\n// \t\t\t\tbreak;\n// \t\t\t}\n// \t\t\tbreak;\n// #endif\t// !NO_COMPILER_NAMES\n// \t\tcase OC_arrayNew:\n// \t\tcase OC_arrayDelete:\n// \t\t\toperatorName = nameTable[ gName[ -1 ] - OC_metatype + ( OC_vcall - OC_asdiv + 1 ) + ( OC_assub - OC_index + 1 ) + ( OC_unequal - OC_new + 1 )\n// #if NO_COMPILER_NAMES\n// \t\t\t\t- ( OC_locvfctorclosure - OC_vftable + 1 )\t// discount names not in table\n// #endif\n// \t\t\t];\n// \t\t\tbreak;\n// \t\t\t// Yet another level of nested encodings....\n// \t\tcase '?':\n// \t\t\tswitch( *gName++ ) {\n// \t\t\tcase 0:\n// \t\t\t\tgName--;\t// End of string, better back-track\n// \t\t\t\treturn\tDN_truncated;\n// \t\t\tcase OC_anonymousNamespace:\n// \t\t\t\t//\n// \t\t\t\t// Anonymous namespace (new-style) is a string encoding of the\n// \t\t\t\t// machine name and the translation unit name.  
Since the remainder\n// \t\t\t\t// of the name doesn't really fit the dname grammar, skip it.\n// \t\t\t\t// There are two '@' markers in the name....\n// \t\t\t\t//\n// \t\t\t\t{\n// \t\t\t\t\tDName result = getStringEncoding( \"`anonymous namespace'\", FALSE );\n// \t\t\t\t\tresult.setIsNoTE();\n// \t\t\t\t\treturn result;\n// \t\t\t\t}\n// \t\t\tdefault:\n// \t\t\t\treturn\tDN_invalid;\n// \t\t\t}\n// \t\t\tbreak;\n// \t\tdefault:\n// \t\t\treturn\tDN_invalid;\n// \t\t}\t// End of SWITCH\n// \t\tbreak;\n// \tdefault:\n// \t\treturn\tDN_invalid;\n// \t}\t// End of SWITCH\n// \t//\tThis really is an operator name, so prefix it with 'operator'\n// \tif\t( udcSeen )\n// \t\toperatorName.setIsUDC ();\n// \telif\t( !operatorName.isEmpty ())\n// \t\toperatorName\t= \"operator\" + operatorName;\n// \treturn\toperatorName;\n// }\t// End of \"UnDecorator\" FUNCTION \"getOperatorName\"\n// DName\tUnDecorator::getStringEncoding ( char *prefix, int wantBody )\n// {\n// \tDName result = prefix;\n// \t// First @ comes right after operator code\n// \tif\t( *gName++ != '@' || *gName++ != '_' ) {\n// \t\treturn DN_invalid;\n// \t}\n// \t// Skip the string kind\n// \t*gName++;\n// \t// Get (& discard) the length\n// \tgetDimension();\n// \t// Get (& discart) the checksum\n// \tgetDimension();\n// \twhile ( *gName && *gName != '@' ) {\n// \t\t// For now, we'll just skip it\n// \t\tgName++;\n// \t}\n// \tif\t( !*gName ) {\n// \t\tgName--;\n// \t\treturn DN_truncated;\n// \t}\n// \t// Eat the terminating '@'\n// \tgName++;\n// \treturn result;\n// }\n// DName\t__near\tUnDecorator::getScope ( void )\n// {\n// \tDName\tscope;\n// \tbool\tfNeedBracket = false;\n// \t//\tGet the list of scopes\n// \twhile\t(( scope.status () == DN_valid ) && *gName && ( *gName != '@' ))\n// \t{\t//\tInsert the scope operator if not the first scope\n// \t\tif\t( !scope.isEmpty() ) {\n// \t\t\tscope\t= \"::\" + scope;\n// \t\t\tif (fNeedBracket) {\n// \t\t\t\tscope = '[' + scope;\n// \t\t\t\tfNeedBracket = 
false;\n// \t\t\t}\n// \t\t}\n// \t\t//\tDetermine what kind of scope it is\n// \t\tif\t( *gName == '?' )\n// \t\t\tswitch\t( *++gName )\n// \t\t{\n// \t\t\tcase '?':\n// \t\t\t\tif\t( gName[1] == '_' && gName[2] == '?' ) {\n// \t\t\t\t\t//\n// \t\t\t\t\t// Anonymous namespace name (new style)\n// \t\t\t\t\t//\n// \t\t\t\t\tgName++;\n// \t\t\t\t\tscope = getOperatorName () + scope;\n// \t\t\t\t\t// There should be a zname termination @...\n// \t\t\t\t\tif\t( *gName == '@' ) {\n// \t\t\t\t\t\tgName++;\n// \t\t\t\t\t}\n// \t\t\t\t}\n// \t\t\t\telse if\t( !doNameOnly() )\n// \t\t\t\t\tscope\t= '`' + getDecoratedName () + ''' + scope;\n// \t\t\t\telse\n// \t\t\t\tgetDecoratedName();\t// Skip lexical scope info\n// \t\t\t\tbreak;\n// \t\t\tcase '$':\n// \t\t\t\t// It's a template name, which is a kind of zname; back up\n// \t\t\t\t// and handle like a zname.\n// \t\t\t\tgName--;\n// \t\t\t\tscope\t= getZName () + scope;\n// \t\t\t\tbreak;\n// \t\t\tcase '%':\n// \t\t\t\t//\n// \t\t\t\t// It an anonymous namespace (old-style);\n// \t\t\t\t// skip the (unreadable) name and instead insert\n// \t\t\t\t// an appropriate string\n// \t\t\t\t//\n// \t\t\t\twhile ( *gName != '@' ) {\n// \t\t\t\t\tgName++;\n// \t\t\t\t}\n// \t\t\t\tgName++;\n// \t\t\t\tscope = \"`anonymous namespace'\" + scope;\n// \t\t\t\tbreak;\n// \t\t\tcase 'I':\n// \t\t\t\t//\n// \t\t\t\t// This is the interface whose method the class is\n// \t\t\t\t// implementing\n// \t\t\t\t//\n// \t\t\t\tgName++;\n// \t\t\t\tscope = getZName () + ']' + scope;\n// \t\t\t\tfNeedBracket = true;\n// \t\t\t\tbreak;\n// \t\t\tdefault:\n// \t\t\t\tif\t( !doNameOnly() )\n// \t\t\t\t\tscope\t= getLexicalFrame () + scope;\n// \t\t\t\telse\n// \t\t\t\t\tgetLexicalFrame();\t// Skip lexical scope info\n// \t\t\t\tbreak;\n// \t\t}\t// End of SWITCH\n// \t\telse\n// \t\t\tscope\t= getZName () + scope;\n// \t}\t// End of WHILE\n// \t//\tCatch error conditions\n// \tswitch\t( *gName )\n// \t{\n// \tcase 0:\n// \t\tif\t( scope.isEmpty() 
)\n// \t\t\tscope\t= DN_truncated;\n// \t\telse\n// \t\t\tscope\t= DName ( DN_truncated ) + \"::\" + scope;\n// \t\tbreak;\n// \tcase '@':\t// '@' expected to end the scope list\n// \t\tbreak;\n// \tdefault:\n// \t\tscope\t= DN_invalid;\n// \t\tbreak;\n// \t}\t// End of SWITCH\n// \t//\tReturn the composed scope\n// \treturn\tscope;\n// }\t// End of \"UnDecorator\" FUNCTION \"getScope\"\n// DName\t__near\tUnDecorator::getSignedDimension ( void )\n// {\n// \tif\t( !*gName )\n// \t\treturn\tDN_truncated;\n// \telif\t( *gName == '?' ) {\n// \t\tgName++;\t// skip the '?'\n// \t\treturn\t'-' + getDimension();\n// \t}\n// \telse\n// \t\treturn\tgetDimension();\n// }\t// End of \"Undecorator\" FUNCTION \"getSignedDimension\"\n// DName\t__near\tUnDecorator::getDimension ( void )\n// {\n// \tif\t( !*gName )\n// \t\treturn\tDN_truncated;\n// \telif\t(( *gName >= '0' ) && ( *gName <= '9' ))\n// \t\treturn\tDName ((unsigned long)( *gName++ - '0' + 1 ));\n// \telse\n// \t{\n// \t\tunsigned long\tdim\t= 0L;\n// \t\t//\tDon't bother detecting overflow, it's not worth it\n// \t\twhile\t( *gName != '@' )\n// \t\t{\n// \t\t\tif\t( !*gName )\n// \t\t\t\treturn\tDN_truncated;\n// \t\t\telif\t(( *gName >= 'A' ) && ( *gName <= 'P' ))\n// \t\t\t\tdim\t= ( dim << 4 ) + ( *gName - 'A' );\n// \t\t\telse\n// \t\t\t\treturn\tDN_invalid;\n// \t\t\tgName++;\n// \t\t}\t// End of WHILE\n// \t\t//\tEnsure integrity, and return\n// \t\tif\t( *gName++ != '@' )\n// \t\t\treturn\tDN_invalid;\t// Should never get here\n// \t\treturn\tdim;\n// \t}\t// End of ELIF else\n// }\t// End of \"UnDecorator\" FUNCTION \"getDimension\"\n// int\t__near\tUnDecorator::getNumberOfDimensions ( void )\n// {\n// \tif\t( !*gName )\n// \t\treturn\t0;\n// \telif\t(( *gName >= '0' ) && ( *gName <= '9' ))\n// \t\treturn\t(( *gName++ - '0' ) + 1 );\n// \telse\n// \t{\n// \t\tint\tdim\t= 0;\n// \t\t//\tDon't bother detecting overflow, it's not worth it\n// \t\twhile\t( *gName != '@' )\n// \t\t{\n// \t\t\tif\t( !*gName )\n// 
\t\t\t\treturn\t0;\n// \t\t\telif\t(( *gName >= 'A' ) && ( *gName <= 'P' ))\n// \t\t\t\tdim\t= ( dim << 4 ) + ( *gName - 'A' );\n// \t\t\telse\n// \t\t\t\treturn\t-1;\n// \t\t\tgName++;\n// \t\t}\t// End of WHILE\n// \t\t//\tEnsure integrity, and return\n// \t\tif\t( *gName++ != '@' )\n// \t\t\treturn\t-1;\t// Should never get here\n// \t\treturn\tdim;\n// \t}\t// End of ELIF else\n// }\t// End of \"UnDecorator\" FUNCTION \"getNumberOfDimensions\"\n// DName\t__near\tUnDecorator::getTemplateName ( void )\n// {\n// \t//\n// \t// First make sure we're really looking at a template name\n// \t//\n// \tif\t( gName[0] != '?' || gName[1] != '$' )\n// \t\treturn DN_invalid;\n// \tgName += 2;\t// Skip the marker characters\n// \t//\n// \t// Stack the replicators, since template names are their own replicator scope:\n// \t//\n// \tReplicator * pSaveArgList \t= pArgList;\n// \tReplicator * pSaveZNameList \t= pZNameList;\n// \tReplicator * pSaveTemplateArgList \t= pTemplateArgList;\n// \tReplicator localArgList, localZNameList, localTemplateArgList;\n// \tpArgList \t= &localArgList;\n// \tpZNameList \t= &localZNameList;\n// \tpTemplateArgList \t= &localTemplateArgList;\n// \t//\n// \t// Crack the template name:\n// \t//\n// \tDName\ttemplateName\t= getZName ();\n// \tif\t( !templateName.isEmpty ())\n// \t{\n// \t\ttemplateName\t+= '<' + getTemplateArgumentList ();\n// \t\tif\t( templateName.getLastChar () == '>' )\n// \t\t\ttemplateName += ' ';\n// \t\ttemplateName\t+= '>';\n// \t}\n// \t//\n// \t// Restore the previous replicators:\n// \t//\n// \tpArgList\t= pSaveArgList;\n// \tpZNameList\t= pSaveZNameList;\n// \tpTemplateArgList\t= pSaveTemplateArgList;\n// \t//\tReturn the completed 'template-name'\n// \treturn\ttemplateName;\n// }\t// End of \"UnDecorator\" FUNCTION \"getTemplateName\"\n// DName\t__near\tUnDecorator::getTemplateArgumentList ( void )\n// {\n// \tint\tfirst\t= TRUE;\n// \tDName\taList;\n// \twhile\t(( aList.status () == DN_valid ) && *gName && ( *gName != 
AT_endoflist ))\n// \t{\n// \t\t//\tInsert the argument list separator if not the first argument\n// \t\tif\t( first )\n// \t\t\tfirst\t= FALSE;\n// \t\telse\n// \t\t\taList\t+= ',';\n// \t\t//\tGet the individual argument type\n// \t\tint\targIndex\t= *gName - '0';\n// \t\t//\tHandle 'template-argument-replicators', otherwise a new argument type\n// \t\tif\t(( argIndex >= 0 ) && ( argIndex <= 9 ))\n// \t\t{\n// \t\t\tgName++;\t// Skip past the replicator\n// \t\t\t//\tAppend to the argument list\n// \t\t\taList\t+= ( *pTemplateArgList )[ argIndex ];\n// \t\t}\t// End of IF then\n// \t\telse\n// \t\t{\n// \t\t\tpcchar_t\toldGName\t= gName;\n// \t\t\tDName\targ;\n// \t\t\t//\n// \t\t\t//\tExtract the 'argument' type\n// \t\t\t//\n// \t\t\tif\t( *gName == DT_void ) {\n// \t\t\t\tgName++;\n// \t\t\t\targ = \"void\";\n// \t\t\t} \n// \t\t\telif ( (*gName == '$') && (gName[1] != '$')) {\n// \t\t\t\tgName++;\n// \t\t\t\targ = getTemplateConstant();\n// \t\t\t}\n// \t\t\telif ( *gName == '?' ) {\n// \t\t\t\t//\n// \t\t\t\t// This is a template-parameter, i.e. we have a \"specialization\" of\n// \t\t\t\t// X<T>. 
so get the template-parameter-index and use a \"generic\" name\n// \t\t\t\t// for this parameter\n// \t\t\t\t//\n// \t\t\t\tDName dimension = getSignedDimension();\n// \t\t\t\tif ( haveTemplateParameters()) {\n// \t\t\t\t\tchar buffer[16];\n// \t\t\t\t\tdimension.getString( buffer, 16 );\n// \t\t\t\t\tchar *str = (*m_pGetParameter)(atol(buffer));\n// \t\t\t\t\tif ( str != NULL ) {\n// \t\t\t\t\t\targ = str;\n// \t\t\t\t\t}\n// \t\t\t\t\telse {\n// \t\t\t\t\t\targ = \"`template-parameter\" + dimension + \"'\";\n// \t\t\t\t\t}\n// \t\t\t\t}\n// \t\t\t\telse {\n// \t\t\t\t\targ = \"`template-parameter\" + dimension + \"'\";\n// \t\t\t\t}\n// \t\t\t}\n// \t\t\telse {\n// \t\t\t\targ = getPrimaryDataType ( DName() );\n// \t\t\t}\n// \t\t\t//\tAdd it to the current list of 'template-argument's, if it is bigger than a one byte encoding\n// \t\t\tif\t((( gName - oldGName ) > 1 ) && !pTemplateArgList->isFull ())\n// \t\t\t\t*pTemplateArgList\t+= arg;\n// \t\t\t//\tAppend to the argument list\n// \t\t\taList\t+= arg;\n// \t\t}\t// End of IF else\n// \t}\t// End of WHILE\n// \t//\tReturn the completed template argument list\n// \treturn\taList;\n// }\t// End of \"UnDecorator\" FUNCTION \"getTemplateArgumentList\"\n// DName\t__near\tUnDecorator::getTemplateConstant(void)\n// {\n// \t//\n// \t// template-constant ::=\n// \t//\t'0'\t<template-integral-constant>\n// \t//\t'1' <template-address-constant>\n// \t//\t'2' <template-floating-point-constant>\n// \t//\n// \tswitch ( *gName++ )\n// \t{\n// \t\t//\n// \t\t// template-integral-constant ::=\n// \t\t//\t<signed-dimension>\n// \t\t//\n// \tcase TC_integral:\n// \t\treturn \tgetSignedDimension ();\n// \t\t//\n// \t\t// template-address-constant ::=\n// \t\t//\t'@'\t// Null pointer\n// \t\t//\t<decorated-name>\n// \t\t//\n// \tcase TC_address:\n// \t\tif \t( *gName == TC_nullptr )\n// \t\t{\n// \t\t\tgName++;\n// \t\t\treturn\t\"NULL\";\n// \t\t}\n// \t\telse\n// \t\t\treturn\tDName(\"&\") + getDecoratedName ();\n// \tcase 
TC_name:\n// \t\treturn getDecoratedName ();\n// \t\t//\n// \t\t// template-floating-point-constant ::=\n// \t\t//\t<normalized-mantissa><exponent>\n// \t\t//\n// \tcase TC_fp:\n// \t\t{\n// \t\t\tDName\tmantissa ( getSignedDimension () );\n// \t\t\tDName\texponent ( getSignedDimension () );\n// \t\t\tif\t( mantissa.isValid() && exponent.isValid() )\n// \t\t\t{\n// \t\t\t\t//\n// \t\t\t\t// Get string representation of mantissa\n// \t\t\t\t//\n// \t\t\t\tchar\tbuf[100];\t// Way overkill for a compiler generated fp constant\n// \t\t\t\tif\t( !mantissa.getString( &(buf[1]), 100 ) )\n// \t\t\t\t\treturn\tDN_invalid;\n// \t\t\t\t//\n// \t\t\t\t// Insert decimal point\n// \t\t\t\t//\n// \t\t\t\tbuf[0] = buf[1];\n// \t\t\t\tif\t( buf[0] == '-' )\n// \t\t\t\t{\n// \t\t\t\t\tbuf[1] = buf[2];\n// \t\t\t\t\tbuf[2] = '.';\n// \t\t\t\t}\n// \t\t\t\telse\n// \t\t\t\t\tbuf[1] = '.';\n// \t\t\t\t//\n// \t\t\t\t// String it all together\n// \t\t\t\t//\n// \t\t\t\treturn DName( buf ) + 'e' + exponent;\n// \t\t\t} // End of IF then\n// \t\t\telse\n// \t\t\t\treturn DN_truncated;\n// \t\t}\t// End of BLOCK case TC_fp\n// \tcase TC_dummy:\n// \t\t{\n// \t\t\t//\n// \t\t\t// This is a template-parameter, i.e. we have a \"specialization\" of\n// \t\t\t// X<n>. 
so get the template-parameter-index and use a \"generic\" name\n// \t\t\t// for this parameter\n// \t\t\t//\n// \t\t\tDName dimension = getSignedDimension();\n// \t\t\tif ( haveTemplateParameters()) {\n// \t\t\t\tchar buffer[16];\n// \t\t\t\tdimension.getString( buffer, 16 );\n// \t\t\t\tchar *str = (*m_pGetParameter)(atol(buffer));\n// \t\t\t\tif ( str != NULL ) {\n// \t\t\t\t\treturn str;\n// \t\t\t\t}\n// \t\t\t}\n// \t\t\treturn \"`template-parameter\" + dimension + \"'\";\n// \t\t}\n// \t\tbreak;\n// \tcase '':\n// \t\t--gName;\n// \t\treturn\tDN_truncated;\n// \tdefault:\n// \t\treturn\tDN_invalid;\n// \t}\t// End of SWITCH\n// }\t// End of \"UnDecorator\" FUNCTION \"getTemplateConstant\"\n// inline\tDName\t__near\tUnDecorator::composeDeclaration ( const DName & symbol )\n// {\n// \tDName\tdeclaration;\n// \tunsigned int\ttypeCode\t= getTypeEncoding ();\n// \tint\tsymIsUDC\t= symbol.isUDC ();\n// \t//\tHandle bad typeCode's, or truncation\n// \tif\t( TE_isbadtype ( typeCode ))\n// \t\treturn\tDN_invalid;\n// \telif\t( TE_istruncated ( typeCode ))\n// \t\treturn\t( DN_truncated + symbol );\n// \t//\tThis is a very complex part.  
The type of the declaration must be\n// \t//\tdetermined, and the exact composition must be dictated by this type.\n// \t//\tIs it any type of a function ?\n// \t//\tHowever, for ease of decoding, treat the 'localdtor' thunk as data, since\n// \t//\tits decoration is a function of the variable to which it belongs and not\n// \t//\ta usual function type of decoration.\n// #if\t( NO_COMPILER_NAMES )\n// \tif\t( TE_isthunk ( typeCode ))\n// \t\treturn\tDN_invalid;\n// \tif\t( TE_isfunction ( typeCode ))\n// #else\t// } elif !NO_COMPILER_NAMES {\n// \tif\t( TE_isfunction ( typeCode ) && !(( TE_isthunk ( typeCode ) && TE_islocaldtor ( typeCode )) ||\n// \t\t( TE_isthunk ( typeCode ) && ( TE_istemplatector ( typeCode ) || TE_istemplatedtor ( typeCode )))))\n// #endif\t// !NO_COMPILER_NAMES\n// \t{\n// \t\t//\tIf it is based, then compose the 'based' prefix for the name\n// \t\tif\t( TE_isbased ( typeCode ))\n// \t\t\tif\t( doMSKeywords () && doAllocationModel ())\n// \t\t\t\tdeclaration\t= ' ' + getBasedType ();\n// \t\t\telse\n// \t\t\t\tdeclaration\t|= getBasedType ();\t// Just lose the 'based-type'\n// #if\t( !NO_COMPILER_NAMES )\n// \t\t//\tCheck for some of the specially composed 'thunk's\n// \t\tif\t( TE_isthunk ( typeCode ) && TE_isvcall ( typeCode ))\n// \t\t{\n// \t\t\tdeclaration\t+= symbol + '{' + getCallIndex () + ',';\n// \t\t\tdeclaration\t+= getVCallThunkType () + \"}' \";\n// \t\t\tif ( doMSKeywords () && doAllocationLanguage ())\n// \t\t\t\tdeclaration\t= ' ' + getCallingConvention () + ' ' + declaration;\t// What calling convention ?\n// \t\t\telse\n// \t\t\t\tdeclaration |= getCallingConvention ();\t// Just lose the 'calling-convention'\n// \t\t}\t// End of IF then\n// \t\telse\n// #endif\t// !NO_COMPILER_NAMES\n// \t\t{\n// \t\t\tDName\tvtorDisp;\n// \t\t\tDName\tadjustment;\n// \t\t\tDName\tthisType;\n// #if\t( !NO_COMPILER_NAMES )\n// \t\t\tif\t( TE_isthunk ( typeCode ))\n// \t\t\t{\n// \t\t\t\tif\t( TE_isvtoradj ( typeCode ))\n// 
\t\t\t\t\tvtorDisp\t= getDisplacement ();\n// \t\t\t\tadjustment\t= getDisplacement ();\n// \t\t\t}\t// End of IF else\n// #endif\t// !NO_COMPILER_NAMES\n// \t\t\t//\tGet the 'this-type' for non-static function members\n// \t\t\tif\t( TE_ismember ( typeCode ) && !TE_isstatic ( typeCode ))\n// \t\t\t\tif\t( doThisTypes ())\n// \t\t\t\t\tthisType\t= getThisType ();\n// \t\t\t\telse\n// \t\t\t\t\tthisType\t|= getThisType ();\n// \t\t\tif\t( doMSKeywords ())\n// \t\t\t{\n// \t\t\t\t//\tAttach the calling convention\n// \t\t\t\tif\t( doAllocationLanguage ())\n// \t\t\t\t\tdeclaration\t= getCallingConvention () + declaration;\t// What calling convention ?\n// \t\t\t\telse\n// \t\t\t\t\tdeclaration\t|= getCallingConvention ();\t// Just lose the 'calling-convention'\n// \t\t\t\t//\tAny model specifiers ?\n// #if !VERS_32BIT\n// \t\t\t\tif\t( doAllocationModel ())\n// \t\t\t\t\tif\t( TE_isnear ( typeCode ))\n// \t\t\t\t\t\tdeclaration\t= UScore ( TOK_nearSp ) + declaration;\n// \t\t\t\telif\t( TE_isfar ( typeCode ))\n// \t\t\t\t\tdeclaration\t= UScore ( TOK_farSp ) + declaration;\n// #endif\n// \t\t\t}\t// End of IF\n// \t\t\telse\n// \t\t\t\tdeclaration\t|= getCallingConvention ();\t// Just lose the 'calling-convention'\n// \t\t\t//\tNow put them all together\n// \t\t\tif\t( !symbol.isEmpty ())\n// \t\t\t\tif\t( !declaration.isEmpty () && !doNameOnly() )\t// And the symbol name\n// \t\t\t\t\tdeclaration\t+= ' ' + symbol;\n// \t\t\t\telse\n// \t\t\t\t\tdeclaration\t= symbol;\n// \t\t\t//\tCompose the return type, catching the UDC case\n// \t\t\tDName *\tpDeclarator\t= 0;\n// \t\t\tDName\treturnType;\n// \t\t\tif\t( symIsUDC )\t// Is the symbol a UDC operator ?\n// \t\t\t{\n// \t\t\t\tdeclaration\t+= \" \" + getReturnType ();\n// \t\t\t\tif\t( doNameOnly() )\n// \t\t\t\t\treturn\tdeclaration;\n// \t\t\t}\n// \t\t\telse\n// \t\t\t{\n// \t\t\t\tpDeclarator\t= gnew DName;\n// \t\t\t\treturnType\t= getReturnType ( pDeclarator );\n// \t\t\t}\t// End of IF else\n// #if\t( 
!NO_COMPILER_NAMES )\n// \t\t\t//\tAdd the displacements for virtual function thunks\n// \t\t\tif\t( TE_isthunk ( typeCode ))\n// \t\t\t{\n// \t\t\t\tif\t( TE_isvtoradj ( typeCode ))\n// \t\t\t\t\tdeclaration\t+= \"`vtordisp{\" + vtorDisp + ',';\n// \t\t\t\telse\n// \t\t\t\t\tdeclaration\t+= \"`adjustor{\";\n// \t\t\t\tdeclaration\t+= adjustment + \"}' \";\n// \t\t\t}\t// End of IF\n// #endif\t// !NO_COMPILER_NAMES\n// \t\t\t//\tAdd the function argument prototype\n// \t\t\tdeclaration\t+= '(' + getArgumentTypes () + ')';\n// \t\t\t//\tIf this is a non-static member function, append the 'this' modifiers\n// \t\t\tif\t( TE_ismember ( typeCode ) && !TE_isstatic ( typeCode ))\n// \t\t\t\tdeclaration\t+= thisType;\n// \t\t\t//\tAdd the 'throw' signature\n// \t\t\tif\t( doThrowTypes ())\n// \t\t\t\tdeclaration\t+= getThrowTypes ();\n// \t\t\telse\n// \t\t\t\tdeclaration\t|= getThrowTypes ();\t// Just lose the 'throw-types'\n// \t\t\t//\tIf it has a declarator, then insert it into the declaration,\n// \t\t\t//\tsensitive to the return type composition\n// \t\t\tif\t( doFunctionReturns () && pDeclarator )\n// \t\t\t{\n// \t\t\t\t*pDeclarator\t= declaration;\n// \t\t\t\tdeclaration\t= returnType;\n// \t\t\t}\t// End of IF\n// \t\t}\t// End of IF else\n// \t}\t// End of IF then\n// \telse\n// \t{\n// \t\tdeclaration\t+= symbol;\n// \t\t//\tCatch the special handling cases\n// #if\t( !NO_COMPILER_NAMES )\n// \t\tif\t( TE_isvftable ( typeCode ))\n// \t\t\treturn\tgetVfTableType ( declaration );\n// \t\telif\t( TE_isvbtable ( typeCode ))\n// \t\t\treturn\tgetVbTableType ( declaration );\n// \t\telif\t( TE_isguard ( typeCode ))\n// \t\t\treturn\t( declaration + '{' + getGuardNumber () + \"}'\" );\n// \t\telif\t( TE_isthunk ( typeCode ) && TE_islocaldtor ( typeCode ))\n// \t\t\tdeclaration\t+= \"`local static destructor helper'\";\n// \t\telif\t( TE_isthunk ( typeCode ) && TE_istemplatector ( typeCode ))\n// \t\t\tdeclaration\t+= \"`template static data member constructor 
helper'\";\n// \t\telif\t( TE_isthunk ( typeCode ) && TE_istemplatedtor ( typeCode ))\n// \t\t\tdeclaration\t+= \"`template static data member destructor helper'\";\n// \t\telif\t( TE_ismetaclass ( typeCode ))\n// \t\t\t//\n// \t\t\t// Meta-class information has its information in its operator id\n// \t\t\t//\n// \t\t\treturn declaration;\n// #else\t// } elif NO_COMPILER_NAMES {\n// \t\tif\t( TE_isvftable ( typeCode )\n// \t\t\t|| TE_isvbtable ( typeCode )\n// \t\t\t|| TE_isguard ( typeCode )\n// \t\t\t|| TE_ismetaclass ( typeCode ))\n// \t\t\treturn\tDN_invalid;\n// #endif\t// NO_COMPILER_NAMES\n// \t\tif ( TE_isthunk( typeCode ) && ( TE_istemplatector( typeCode ) || TE_istemplatedtor( typeCode ))) {\n// \t\t\t//\n// \t\t\t// Insert a space before the declaration\n// \t\t\t//\n// \t\t\tdeclaration = \" \" + declaration;\n// \t\t}\n// \t\telse {\n// \t\t\t//\tAll others are decorated as data symbols\n// \t\t\tdeclaration\t= getExternalDataType ( declaration );\n// \t\t}\n// \t}\t// End of IF else\n// \t//\tPrepend the 'virtual' and 'static' attributes for members\n// \tif\t( TE_ismember ( typeCode ))\n// \t{\n// \t\tif\t( doMemberTypes ())\n// \t\t{\n// \t\t\tif\t( TE_isstatic ( typeCode ))\n// \t\t\t\tdeclaration\t= \"static \" + declaration;\n// \t\t\tif\t( TE_isvirtual ( typeCode ) || ( TE_isthunk ( typeCode ) && ( TE_isvtoradj ( typeCode ) || TE_isadjustor ( typeCode ))))\n// \t\t\t\tdeclaration\t= \"virtual \" + declaration;\n// \t\t}\t// End of IF\n// \t\t//\tPrepend the access specifiers\n// \t\tif\t( doAccessSpecifiers ())\n// \t\t\tif\t( TE_isprivate ( typeCode ))\n// \t\t\t\tdeclaration\t= \"private: \" + declaration;\n// \t\telif\t( TE_isprotected ( typeCode ))\n// \t\t\tdeclaration\t= \"protected: \" + declaration;\n// \t\telif\t( TE_ispublic ( typeCode ))\n// \t\t\tdeclaration\t= \"public: \" + declaration;\n// \t}\t// End of IF\n// #if\t( !NO_COMPILER_NAMES )\n// \t//\tIf it is a thunk, mark it appropriately\n// \tif\t( TE_isthunk ( typeCode ))\n// 
\t\tdeclaration\t= \"[thunk]:\" + declaration;\n// #endif\t// !NO_COMPILER_NAMES\n// \t//\tReturn the composed declaration\n// \treturn\tdeclaration;\n// }\t// End of \"UnDecorator\" FUNCTION \"composeDeclaration\"\n// inline\tint\t__near\tUnDecorator::getTypeEncoding ( void )\n// {\n// \tunsigned int\ttypeCode\t= 0u;\n// \t//\tStrip any leading '_' which indicates that it is based\n// \tif\t( *gName == '_' )\n// \t{\n// \t\tTE_setisbased ( typeCode );\n// \t\tgName++;\n// \t}\t// End of IF\n// \t//\tNow handle the code proper :-\n// \tif\t(( *gName >= 'A' ) && ( *gName <= 'Z' ))\t// Is it some sort of function ?\n// \t{\n// \t\tint\tcode\t= *gName++ - 'A';\n// \t\t//\tNow determine the function type\n// \t\tTE_setisfunction ( typeCode );\t// All of them are functions ?\n// \t\t//\tDetermine the calling model\n// \t\tif\t( code & TE_far )\n// \t\t\tTE_setisfar ( typeCode );\n// \t\telse\n// \t\t\tTE_setisnear ( typeCode );\n// \t\t//\tIs it a member function or not ?\n// \t\tif\t( code < TE_external )\n// \t\t{\n// \t\t\t//\tRecord the fact that it is a member\n// \t\t\tTE_setismember ( typeCode );\n// \t\t\t//\tWhat access permissions does it have\n// \t\t\tswitch\t( code & TE_access )\n// \t\t\t{\n// \t\t\tcase TE_private:\n// \t\t\t\tTE_setisprivate ( typeCode );\n// \t\t\t\tbreak;\n// \t\t\tcase TE_protect:\n// \t\t\t\tTE_setisprotected ( typeCode );\n// \t\t\t\tbreak;\n// \t\t\tcase TE_public:\n// \t\t\t\tTE_setispublic ( typeCode );\n// \t\t\t\tbreak;\n// \t\t\tdefault:\n// \t\t\t\tTE_setisbadtype ( typeCode );\n// \t\t\t\treturn\ttypeCode;\n// \t\t\t}\t// End of SWITCH\n// \t\t\t//\tWhat type of a member function is it ?\n// \t\t\tswitch\t( code & TE_adjustor )\n// \t\t\t{\n// \t\t\tcase TE_adjustor:\n// \t\t\t\tTE_setisadjustor ( typeCode );\n// \t\t\t\tbreak;\n// \t\t\tcase TE_virtual:\n// \t\t\t\tTE_setisvirtual ( typeCode );\n// \t\t\t\tbreak;\n// \t\t\tcase TE_static:\n// \t\t\t\tTE_setisstatic ( typeCode );\n// \t\t\t\tbreak;\n// \t\t\tcase 
TE_member:\n// \t\t\t\tbreak;\n// \t\t\tdefault:\n// \t\t\t\tTE_setisbadtype ( typeCode );\n// \t\t\t\treturn\ttypeCode;\n// \t\t\t}\t// End of SWITCH\n// \t\t}\t// End of IF\n// \t}\t// End of IF then\n// \telif\t( *gName == '$' )\t// Extended set ?  Special handling\n// \t{\n// \t\t//\tWhat type of symbol is it ?\n// \t\tswitch\t( *( ++gName ))\n// \t\t{\n// \t\tcase SHF_localdtor:\t// A destructor helper for a local static ?\n// \t\t\tTE_setislocaldtor ( typeCode );\n// \t\t\tbreak;\n// \t\tcase SHF_vcall:\t// A VCall-thunk ?\n// \t\t\tTE_setisvcall ( typeCode );\n// \t\t\tbreak;\n// \t\tcase SHF_templateStaticDataMemberCtor:\t// A constructor helper for template static data members\n// \t\t\tTE_setistemplatector ( typeCode );\n// \t\t\tbreak; \n// \t\tcase SHF_templateStaticDataMemberDtor:\t// A destructor helper for template static data members\n// \t\t\tTE_setistemplatedtor ( typeCode );\n// \t\t\tbreak; \n// \t\tcase 0:\n// \t\t\tTE_setistruncated ( typeCode );\n// \t\t\tbreak;\n// \t\tcase '0':\n// \t\tcase '1':\n// \t\tcase '2':\n// \t\tcase '3':\n// \t\tcase '4':\n// \t\tcase '5':\t// Construction displacement adjustor thunks\n// \t\t\t{\n// \t\t\t\tint\tcode\t= *gName - '0';\n// \t\t\t\t//\tSet up the principal type information\n// \t\t\t\tTE_setisfunction ( typeCode );\n// \t\t\t\tTE_setismember ( typeCode );\n// \t\t\t\tTE_setisvtoradj ( typeCode );\n// \t\t\t\t//\tIs it 'near' or 'far' ?\n// \t\t\t\tif\t( code & TE_far )\n// \t\t\t\t\tTE_setisfar ( typeCode );\n// \t\t\t\telse\n// \t\t\t\t\tTE_setisnear ( typeCode );\n// \t\t\t\t//\tWhat type of access protection ?\n// \t\t\t\tswitch\t( code & TE_access_vadj )\n// \t\t\t\t{\n// \t\t\t\tcase TE_private_vadj:\n// \t\t\t\t\tTE_setisprivate ( typeCode );\n// \t\t\t\t\tbreak;\n// \t\t\t\tcase TE_protect_vadj:\n// \t\t\t\t\tTE_setisprotected ( typeCode );\n// \t\t\t\t\tbreak;\n// \t\t\t\tcase TE_public_vadj:\n// \t\t\t\t\tTE_setispublic ( typeCode );\n// \t\t\t\t\tbreak;\n// \t\t\t\tdefault:\n// 
\t\t\t\t\tTE_setisbadtype ( typeCode );\n// \t\t\t\t\treturn\ttypeCode;\n// \t\t\t\t}\t// End of SWITCH\n// \t\t\t}\t// End of CASE '0,1,2,3,4,5'\n// \t\t\tbreak;\n// \t\tdefault:\n// \t\t\tTE_setisbadtype ( typeCode );\n// \t\t\treturn\ttypeCode;\n// \t\t}\t// End of SWITCH\n// \t\t//\tAdvance past the code character\n// \t\tgName++;\n// \t}\t// End of ELIF then\n// \telif\t(( *gName >= TE_static_d ) && ( *gName <= TE_metatype ))\t// Non function decorations ?\n// \t{\n// \t\tint\tcode\t= *gName++;\n// \t\tTE_setisdata ( typeCode );\n// \t\t//\tWhat type of symbol is it ?\n// \t\tswitch\t( code )\n// \t\t{\n// \t\tcase ( TE_static_d | TE_private_d ):\n// \t\t\tTE_setisstatic ( typeCode );\n// \t\t\tTE_setisprivate ( typeCode );\n// \t\t\tbreak;\n// \t\tcase ( TE_static_d | TE_protect_d ):\n// \t\t\tTE_setisstatic ( typeCode );\n// \t\t\tTE_setisprotected ( typeCode );\n// \t\t\tbreak;\n// \t\tcase ( TE_static_d | TE_public_d ):\n// \t\t\tTE_setisstatic ( typeCode );\n// \t\t\tTE_setispublic ( typeCode );\n// \t\t\tbreak;\n// \t\tcase TE_global:\n// \t\t\tTE_setisglobal ( typeCode );\n// \t\t\tbreak;\n// \t\tcase TE_guard:\n// \t\t\tTE_setisguard ( typeCode );\n// \t\t\tbreak;\n// \t\tcase TE_local:\n// \t\t\tTE_setislocal ( typeCode );\n// \t\t\tbreak;\n// \t\tcase TE_vftable:\n// \t\t\tTE_setisvftable ( typeCode );\n// \t\t\tbreak;\n// \t\tcase TE_vbtable:\n// \t\t\tTE_setisvbtable ( typeCode );\n// \t\t\tbreak;\n// \t\tcase TE_metatype:\n// \t\t\tTE_setismetaclass ( typeCode );\n// \t\t\tbreak;\n// \t\tdefault:\n// \t\t\tTE_setisbadtype ( typeCode );\n// \t\t\treturn\ttypeCode;\n// \t\t}\t// End of SWITCH\n// \t}\t// End of ELIF then\n// \telif\t( *gName )\n// \t\tTE_setisbadtype ( typeCode );\n// \telse\n// \t\tTE_setistruncated ( typeCode );\n// \t//\tReturn the composed type code\n// \treturn\ttypeCode;\n// }\t// End of \"UnDecorator\" FUNCTION \"getTypeEncoding\"\n// DName\t__near\tUnDecorator::getBasedType ( void )\n// {\n// \tDName\tbasedDecl ( UScore ( 
TOK_basedLp ));\n// \t//\tWhat type of 'based' is it ?\n// \tif\t( *gName )\n// \t{\n// \t\tswitch\t( *gName++ )\n// \t\t{\n// #if !VERS_32BIT\n// \t\tcase BT_segname:\n// \t\t\tbasedDecl\t+= UScore ( TOK_segnameLpQ ) + getSegmentName () + \"\")\";\n// \t\t\t\tbreak;\n// \t\tcase BT_segment:\n// \t\t\tbasedDecl\t+= DName ( \"NYI:\" ) + UScore ( TOK_segment );\n// \t\t\tbreak;\n// #endif\n// \t\tcase BT_void:\n// \t\t\tbasedDecl\t+= \"void\";\n// \t\t\tbreak;\n// #if !VERS_32BIT\n// \t\tcase BT_self:\n// \t\t\tbasedDecl\t+= UScore ( TOK_self );\n// \t\t\tbreak;\n// \t\tcase BT_nearptr:\n// \t\t\tbasedDecl\t+= DName ( \"NYI:\" ) + UScore ( TOK_nearP );\n// \t\t\tbreak;\n// \t\tcase BT_farptr:\n// \t\t\tbasedDecl\t+= DName ( \"NYI:\" ) + UScore ( TOK_farP );\n// \t\t\tbreak;\n// \t\tcase BT_hugeptr:\n// \t\t\tbasedDecl\t+= DName ( \"NYI:\" ) + UScore ( TOK_hugeP );\n// \t\t\tbreak;\n// \t\tcase BT_segaddr:\n// \t\t\tbasedDecl\t+= \"NYI:<segment-address-of-variable>\";\n// \t\t\tbreak;\n// #else\n// \t\tcase BT_nearptr:\n// \t\t\tbasedDecl\t+= getScopedName();\n// \t\t\tbreak;\n// #endif\n// \t\tcase BT_basedptr:\n// \t\t\t//\n// \t\t\t// Note: based pointer on based pointer is reserved\n// \t\t\t//\n// \t\t\treturn\tDN_invalid;\n// \t\t}\t// End of SWITCH\n// \t}\t// End of IF else\n// \telse\n// \t\tbasedDecl\t+= DN_truncated;\n// \t//\tClose the based syntax\n// \tbasedDecl\t+= \") \";\n// \t//\tReturn completed based declaration\n// \treturn\tbasedDecl;\n// }\t// End of \"UnDecorator\" FUNCTION \"getBasedType\"\n// DName\t__near\tUnDecorator::getScopedName ( void )\n// {\n// \tDName\tname;\n// \t//\tGet the beginning of the name\n// \tname\t= getZName ();\n// \t//\tNow the scope (if any)\n// \tif\t(( name.status () == DN_valid ) && *gName && ( *gName != '@' ))\n// \t\tname\t= getScope () + \"::\" + name;\n// \t//\tSkip the trailing '@'\n// \tif\t( *gName == '@' )\n// \t\tgName++;\n// \telif\t( *gName )\n// \t\tname\t= DN_invalid;\n// \telif\t( name.isEmpty ())\n// 
\t\tname\t= DN_truncated;\n// \telse\n// \t\tname\t= DName ( DN_truncated ) + \"::\" + name;\n// \t//\tAnd return the complete name\n// \treturn\tname;\n// }\t// End of \"UnDecorator\" FUNCTION \"getECSUName\"\n// inline\tDName\tUnDecorator::getECSUName ( void )\t{ return getScopedName(); }\n// inline\tDName\t__near\tUnDecorator::getEnumType ( void )\n// {\n// \tDName\tecsuName;\n// \tif\t( *gName )\n// \t{\n// \t\t//\tWhat type of an 'enum' is it ?\n// \t\tswitch\t( *gName )\n// \t\t{\n// \t\tcase ET_schar:\n// \t\tcase ET_uchar:\n// \t\t\tecsuName\t= \"char \";\n// \t\t\tbreak;\n// \t\tcase ET_sshort:\n// \t\tcase ET_ushort:\n// \t\t\tecsuName\t= \"short \";\n// \t\t\tbreak;\n// \t\tcase ET_sint:\n// \t\t\tbreak;\n// \t\tcase ET_uint:\n// \t\t\tecsuName\t= \"int \";\n// \t\t\tbreak;\n// \t\tcase ET_slong:\n// \t\tcase ET_ulong:\n// \t\t\tecsuName\t= \"long \";\n// \t\t\tbreak;\n// \t\tdefault:\n// \t\t\treturn\tDN_invalid;\n// \t\t}\t// End of SWITCH\n// \t\t//\tAdd the 'unsigned'ness if appropriate\n// \t\tswitch\t( *gName++ )\n// \t\t{\n// \t\tcase ET_uchar:\n// \t\tcase ET_ushort:\n// \t\tcase ET_uint:\n// \t\tcase ET_ulong:\n// \t\t\tecsuName\t= \"unsigned \" + ecsuName;\n// \t\t\tbreak;\n// \t\t}\t// End of SWITCH\n// \t\t//\tNow return the composed name\n// \t\treturn\tecsuName;\n// \t}\t// End of IF then\n// \telse\n// \t\treturn\tDN_truncated;\n// }\t// End of \"UnDecorator\" FUNCTION \"getEnumType\"\n// DName\t__near\tUnDecorator::getCallingConvention ( void )\n// {\n// \tif\t( *gName )\n// \t{\n// \t\tunsigned int\tcallCode\t= ((unsigned int)*gName++ ) - 'A';\n// \t\t//\tWhat is the primary calling convention\n// #if CC_COR\n// \t\tif\t(( callCode >= CC_cdecl ) && ( callCode <= CC_cocall ))\n// #else\t// CC_COR\n// \t\tif\t(( callCode >= CC_cdecl ) && ( callCode <= CC_interrupt ))\n// #endif\t// CC_COR\n// \t\t{\n// \t\t\tDName\tcallType;\n// \t\t\t//\tNow, what type of 'calling-convention' is it, 'interrupt' is special ?\n// \t\t\tif\t( doMSKeywords 
())\n// #if !VERS_32BIT\n// \t\t\t\tif\t( callCode == CC_interrupt )\n// \t\t\t\t\tcallType\t= UScore ( TOK_interrupt );\n// \t\t\t\telse\n// #endif\n// \t\t\t\t{\n// \t\t\t\t\tswitch\t( callCode & ~CC_saveregs )\n// \t\t\t\t\t{\n// \t\t\t\t\tcase CC_cdecl:\n// \t\t\t\t\t\tcallType\t= UScore ( TOK_cdecl );\n// \t\t\t\t\t\tbreak;\n// \t\t\t\t\tcase CC_pascal:\n// \t\t\t\t\t\tcallType\t= UScore ( TOK_pascal );\n// \t\t\t\t\t\tbreak;\n// \t\t\t\t\tcase CC_thiscall:\n// \t\t\t\t\t\tcallType\t= UScore ( TOK_thiscall );\n// \t\t\t\t\t\tbreak;\n// \t\t\t\t\tcase CC_stdcall:\n// \t\t\t\t\t\tcallType\t= UScore ( TOK_stdcall );\n// \t\t\t\t\t\tbreak;\n// \t\t\t\t\tcase CC_fastcall:\n// \t\t\t\t\t\tcallType\t= UScore ( TOK_fastcall );\n// \t\t\t\t\t\tbreak;\n// \t\t\t\t\tcase CC_cocall:\n// \t\t\t\t\t\tcallType\t= UScore ( TOK_cocall );\n// \t\t\t\t\t\tbreak;\n// \t\t\t\t\t}\t// End of SWITCH\n// \t\t\t\t\t//\tHas it also got 'saveregs' marked ?\n// #if !VERS_32BIT\n// \t\t\t\t\tif\t( callCode & CC_saveregs )\n// \t\t\t\t\t\tcallType\t+= ' ' + UScore ( TOK_saveregs );\n// #endif\n// \t\t\t\t}\t// End of IF else\n// \t\t\t\t//\tAnd return\n// \t\t\t\treturn\tcallType;\n// \t\t}\t// End of IF then\n// \t\telse\n// \t\t\treturn\tDN_invalid;\n// \t}\t// End of IF then\n// \telse\n// \t\treturn\tDN_truncated;\n// }\t// End of \"UnDecorator\" FUNCTION \"getCallingConvention\"\n// DName\t__near\tUnDecorator::getReturnType ( DName * pDeclarator )\n// {\n// \tif\t( *gName == '@' )\t// Return type for constructors and destructors ?\n// \t{\n// \t\tgName++;\n// \t\treturn\tDName ( pDeclarator );\n// \t}\t// End of IF then\n// \telse\n// \t\treturn\tgetDataType ( pDeclarator );\n// }\t// End of \"UnDecorator\" FUNCTION \"getReturnType\"\n// DName\t__near\tUnDecorator::getDataType ( DName * pDeclarator )\n// {\n// \tDName\tsuperType ( pDeclarator );\n// \t//\tWhat type is it ?\n// \tswitch\t( *gName )\n// \t{\n// \tcase 0:\n// \t\treturn\t( DN_truncated + superType );\n// \tcase 
DT_void:\n// \t\tgName++;\n// \t\tif\t( superType.isEmpty ())\n// \t\t\treturn\t\"void\";\n// \t\telse\n// \t\t\treturn\t\"void \" + superType;\n// \tcase '?':\n// \t\t{\n// \t\t\tgName++;\t// Skip the '?'\n// \t\t\tsuperType = getDataIndirectType ( superType, 0, DName (), 0);\n// \t\t\treturn\tgetPrimaryDataType ( superType );\n// \t\t\treturn\tsuperType;\n// \t\t}\t// End of CASE '?'\n// \tdefault:\n// \t\treturn\tgetPrimaryDataType ( superType );\n// \t}\t// End of SWITCH\n// }\t// End of \"UnDecorator\" FUNCTION \"getDataType\"\n// DName\t__near\tUnDecorator::getPrimaryDataType ( const DName & superType )\n// {\n// \tDName\tcvType;\n// \tswitch\t( *gName )\n// \t{\n// \tcase 0:\n// \t\treturn\t( DN_truncated + superType );\n// \tcase PDT_volatileReference:\n// \t\tcvType\t= \"volatile\";\n// \t\tif\t( !superType.isEmpty ())\n// \t\t\tcvType\t+= ' ';\n// \t\t// No break\n// \tcase PDT_reference:\n// \t\t{\n// \t\t\tDName\tcopyOfSuperType ( superType );\n// \t\t\tgName++;\n// \t\t\treturn\tgetReferenceType ( cvType, copyOfSuperType.setPtrRef ());\n// \t\t}\t// End of CASE 'PDT_reference'\n// \tcase PDT_extend:\n// \t\t{\n// \t\t\t//\n// \t\t\t// Extended Primary Data Type (items overlooked in original design):\n// \t\t\t// prefixed by '$$'.\n// \t\t\t//\n// \t\t\tif\t( gName[1] != PDT_extend )\n// \t\t\t\tif\t( gName[1] == '' ) \n// \t\t\t\t\treturn DN_truncated + superType;\n// \t\t\t\telse\n// \t\t\t\t\treturn DN_invalid;\n// \t\t\tgName += 2;\n// \t\t\tswitch\t( *gName )\n// \t\t\t{\n// \t\t\tcase PDT_ex_function:\n// \t\t\t\tgName++;\n// \t\t\t\treturn\tgetFunctionIndirectType( superType );\n// \t\t\tcase PDT_ex_other:\n// \t\t\t\tgName++;\n// \t\t\t\treturn\tgetPtrRefDataType( superType, /* isPtr = */ TRUE );\n// \t\t\tcase PDT_ex_qualified:\n// \t\t\t\tgName++;\n// \t\t\t\treturn(getBasicDataType(getDataIndirectType ( superType, 0, DName (), 0)));\n// \t\t\tcase 0:\n// \t\t\t\treturn\t( DN_truncated + superType );\n// \t\t\tdefault:\n// 
\t\t\t\treturn\tDN_invalid;\n// \t\t\t}\n// \t\t}\n// \tdefault:\n// \t\treturn\tgetBasicDataType ( superType );\n// \t}\t// End of SWITCH\n// }\t// End of \"UnDecorator\" FUNCTION \"getPrimaryDataType\"\n// DName\t__near\tUnDecorator::getArgumentTypes ( void )\n// {\n// \tswitch\t( *gName )\n// \t{\n// \tcase AT_ellipsis:\n// \t\treturn\t( gName++, \"...\" );\n// \tcase AT_void:\n// \t\treturn\t( gName++, \"void\" );\n// \tdefault:\n// \t\t{\n// \t\t\tDName\targuments ( getArgumentList ());\n// \t\t\t//\tNow, is it a varargs function or not ?\n// \t\t\tif\t( arguments.status () == DN_valid )\n// \t\t\t\tswitch\t( *gName )\n// \t\t\t{\n// \t\t\t\tcase 0:\n// \t\t\t\t\treturn\targuments;\n// \t\t\t\tcase AT_ellipsis:\n// \t\t\t\t\treturn\t( gName++, arguments + \",...\" );\n// \t\t\t\tcase AT_endoflist:\n// \t\t\t\t\treturn\t( gName++, arguments );\n// \t\t\t\tdefault:\n// \t\t\t\t\treturn\tDN_invalid;\n// \t\t\t}\t// End of SWITCH\n// \t\t\telse\n// \t\t\t\treturn\targuments;\n// \t\t}\t// End of DEFAULT\n// \t}\t// End of SWITCH\n// }\t// End of \"UnDecorator\" FUNCTION \"getArgumentTypes\"\n// DName\t__near\tUnDecorator::getArgumentList ( void )\n// {\n// \tint\tfirst\t= TRUE;\n// \tDName\taList;\n// \twhile\t(( aList.status () == DN_valid ) && ( *gName != AT_endoflist ) && ( *gName != AT_ellipsis ))\n// \t{\n// \t\t//\tInsert the argument list separator if not the first argument\n// \t\tif\t( first )\n// \t\t\tfirst\t= FALSE;\n// \t\telse\n// \t\t\taList\t+= ',';\n// \t\t//\tGet the individual argument type\n// \t\tif\t( *gName )\n// \t\t{\n// \t\t\tint\targIndex\t= *gName - '0';\n// \t\t\t//\tHandle 'argument-replicators', otherwise a new argument type\n// \t\t\tif\t(( argIndex >= 0 ) && ( argIndex <= 9 ))\n// \t\t\t{\n// \t\t\t\tgName++;\t// Skip past the replicator\n// \t\t\t\t//\tAppend to the argument list\n// \t\t\t\taList\t+= ( *pArgList )[ argIndex ];\n// \t\t\t}\t// End of IF then\n// \t\t\telse\n// \t\t\t{\n// \t\t\t\tpcchar_t\toldGName\t= gName;\n// 
\t\t\t\t//\tExtract the 'argument' type\n// \t\t\t\tDName\targ ( getPrimaryDataType ( DName ()));\n// \t\t\t\t//\tAdd it to the current list of 'argument's, if it is bigger than a one byte encoding\n// \t\t\t\tif\t((( gName - oldGName ) > 1 ) && !pArgList->isFull ())\n// \t\t\t\t\t*pArgList\t+= arg;\n// \t\t\t\t//\tAppend to the argument list\n// \t\t\t\taList\t+= arg;\n// \t\t\t}\t// End of IF else\n// \t\t}\t// End of IF then\n// \t\telse\n// \t\t{\n// \t\t\taList\t+= DN_truncated;\n// \t\t\tbreak;\n// \t\t}\t// End of IF else\n// \t}\t// End of WHILE\n// \t//\tReturn the completed argument list\n// \treturn\taList;\n// }\t// End of \"UnDecorator\" FUNCTION \"getArgumentList\"\n// DName\t__near\tUnDecorator::getThrowTypes ( void )\n// {\n// \tif\t( *gName )\n// \t\tif\t( *gName == AT_ellipsis )\t// Handle ellipsis here to suppress the 'throw' signature\n// \t\t\treturn\t( gName++, DName ());\n// \t\telse\n// \t\t\treturn\t( \" throw(\" + getArgumentTypes () + ')' );\n// \telse\n// \t\treturn\t( DName ( \" throw(\" ) + DN_truncated + ')' );\n// }\t// End of \"UnDecorator\" FUNCTION \"getThrowTypes\"\n// DName\t__near\tUnDecorator::getBasicDataType ( const DName & superType )\n// {\n// \tif\t( *gName )\n// \t{\n// \t\tunsigned char\tbdtCode\t= *gName++;\n// \t\tunsigned char\textended_bdtCode;\n// \t\tint\tpCvCode\t= -1;\n// \t\tDName\tbasicDataType;\n// \t\t//\tExtract the principal type information itself, and validate the codes\n// \t\tswitch\t( bdtCode )\n// \t\t{\n// \t\tcase BDT_schar:\n// \t\tcase BDT_char:\n// \t\tcase ( BDT_char   | BDT_unsigned ):\n// \t\t\tbasicDataType\t= \"char\";\n// \t\t\tbreak;\n// \t\tcase BDT_short:\n// \t\tcase ( BDT_short  | BDT_unsigned ):\n// \t\t\tbasicDataType\t= \"short\";\n// \t\t\tbreak;\n// \t\tcase BDT_int:\n// \t\tcase ( BDT_int    | BDT_unsigned ):\n// \t\t\tbasicDataType\t= \"int\";\n// \t\t\tbreak;\n// \t\tcase BDT_long:\n// \t\tcase ( BDT_long   | BDT_unsigned ):\n// \t\t\tbasicDataType\t= \"long\";\n// 
\t\t\tbreak;\n// #if !VERS_32BIT\n// \t\tcase BDT_segment:\n// \t\t\tbasicDataType\t= UScore ( TOK_segment );\n// \t\t\tbreak;\n// #endif\n// \t\tcase BDT_float:\n// \t\t\tbasicDataType\t= \"float\";\n// \t\t\tbreak;\n// \t\tcase BDT_longdouble:\n// \t\t\tbasicDataType\t= \"long \";\n// \t\t\t// No break\n// \t\tcase BDT_double:\n// \t\t\tbasicDataType\t+= \"double\";\n// \t\t\tbreak;\n// \t\tcase BDT_pointer:\n// \t\tcase ( BDT_pointer | BDT_const ):\n// \t\tcase ( BDT_pointer | BDT_volatile ):\n// \t\tcase ( BDT_pointer | BDT_const | BDT_volatile ):\n// \t\t\tpCvCode\t= ( bdtCode & ( BDT_const | BDT_volatile ));\n// \t\t\tbreak;\n// \t\tcase BDT_extend:\n// \t\t\tswitch(extended_bdtCode = *gName++) {\n// \t\t\tcase BDT_bool:\n// \t\t\t\tbasicDataType\t= \"bool\";\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_int8:\n// \t\t\tcase ( BDT_int8   | BDT_unsigned ):\n// \t\t\t\tbasicDataType\t= \"__int8\";\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_int16:\n// \t\t\tcase ( BDT_int16  | BDT_unsigned ):\n// \t\t\t\tbasicDataType\t= \"__int16\";\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_int32:\n// \t\t\tcase ( BDT_int32  | BDT_unsigned ):\n// \t\t\t\tbasicDataType\t= \"__int32\";\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_int64:\n// \t\t\tcase ( BDT_int64  | BDT_unsigned ):\n// \t\t\t\tbasicDataType\t= \"__int64\";\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_int128:\n// \t\t\tcase ( BDT_int128 | BDT_unsigned ):\n// \t\t\t\tbasicDataType\t= \"__int128\";\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_wchar_t:\n// \t\t\t\tbasicDataType\t= \"wchar_t\";\n// \t\t\t\tbreak;\n// #if CC_COR || CC_COR2\n// \t\t\tcase BDT_coclass:\n// \t\t\tcase BDT_interface:\n// \t\t\t\t{\n// \t\t\t\t\tgName--;\t// Backup, since 'ecsu-data-type' does it's own decoding\n// \t\t\t\t\tbasicDataType = getECSUDataType();\n// \t\t\t\t\tif ( basicDataType.isEmpty()) {\n// \t\t\t\t\t\treturn basicDataType;\n// \t\t\t\t\t}\n// \t\t\t\t}\n// \t\t\t\tbreak;\n// #endif\t// CC_COR || CC_COR2\n// \t\t\tdefault:\n// \t\t\t\tbasicDataType\t= 
\"UNKNOWN\";\n// \t\t\t\tbreak;\n// \t\t\t}\n// \t\t\tbreak;\n// \t\tdefault:\n// \t\t\tgName--;\t// Backup, since 'ecsu-data-type' does it's own decoding\n// \t\t\tbasicDataType\t= getECSUDataType ();\n// \t\t\tif\t( basicDataType.isEmpty ())\n// \t\t\t\treturn\tbasicDataType;\n// \t\t\tbreak;\n// \t\t}\t// End of SWITCH\n// \t\t//\tWhat type of basic data type composition is involved ?\n// \t\tif\t( pCvCode == -1 )\t// Simple ?\n// \t\t{\n// \t\t\t//\tDetermine the 'signed/unsigned'ness\n// \t\t\tswitch\t( bdtCode )\n// \t\t\t{\n// \t\t\tcase ( BDT_char   | BDT_unsigned ):\n// \t\t\tcase ( BDT_short  | BDT_unsigned ):\n// \t\t\tcase ( BDT_int    | BDT_unsigned ):\n// \t\t\tcase ( BDT_long   | BDT_unsigned ):\n// \t\t\t\tbasicDataType\t= \"unsigned \" + basicDataType;\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_schar:\n// \t\t\t\tbasicDataType\t= \"signed \" + basicDataType;\n// \t\t\t\tbreak;\n// \t\t\tcase BDT_extend:\n// \t\t\t\tswitch\t( extended_bdtCode )\n// \t\t\t\t{\n// \t\t\t\tcase ( BDT_int8   | BDT_unsigned ):\n// \t\t\t\tcase ( BDT_int16  | BDT_unsigned ):\n// \t\t\t\tcase ( BDT_int32  | BDT_unsigned ):\n// \t\t\t\tcase ( BDT_int64  | BDT_unsigned ):\n// \t\t\t\tcase ( BDT_int128 | BDT_unsigned ):\n// \t\t\t\t\tbasicDataType\t= \"unsigned \" + basicDataType;\n// \t\t\t\t\tbreak;\n// \t\t\t\t}\t// End of SWITCH\n// \t\t\t\tbreak;\n// \t\t\t}\t// End of SWITCH\n// \t\t\t// \tAdd the indirection type to the type\n// \t\t\tif\t( !superType.isEmpty ())\n// \t\t\t\tbasicDataType\t+= ' ' + superType;\n// \t\t\t//\tAnd return the completed type\n// \t\t\treturn\tbasicDataType;\n// \t\t}\t// End of IF then\n// \t\telse\n// \t\t{\n// \t\t\tDName\tcvType;\n// \t\t\tDName\tcopyOfSuperType ( superType );\n// \t\t\t//\tIs it 'const/volatile' qualified ?\n// \t\t\tif\t( superType . isEmpty() ) \n// \t\t\t{\n// \t\t\t\t//\n// \t\t\t\t// const/volatile are redundantly encoded, except at the start\n// \t\t\t\t// of a \"type only\" context.  
In such a context, the super-type\n// \t\t\t\t// is empty.\n// \t\t\t\t//\n// \t\t\t\tif\t( pCvCode & BDT_const )\n// \t\t\t\t{\n// \t\t\t\t\tcvType\t= \"const\";\n// \t\t\t\t\tif\t( pCvCode & BDT_volatile )\n// \t\t\t\t\t\tcvType\t+= \" volatile\";\n// \t\t\t\t}\t// End of IF then\n// \t\t\t\telif\t( pCvCode & BDT_volatile )\n// \t\t\t\t\tcvType\t= \"volatile\";\n// \t\t\t}\t// End of IF then\n// \t\t\t//\tConstruct the appropriate pointer type declaration\n// \t\t\treturn\tgetPointerType ( cvType, copyOfSuperType );\n// \t\t}\t// End of IF else\n// \t}\t// End of IF then\n// \telse\n// \t\treturn\t( DN_truncated + superType );\n// }\t// End of \"UnDecorator\" FUNCTION \"getBasicDataType\"\n// DName\t__near\tUnDecorator::getECSUDataType ( void )\n// {\n// \t//\tExtract the principal type information itself, and validate the codes\n// \tint fPrefix = doEcsu() && !doNameOnly();\n// \tDName Prefix;\n// \tswitch\t( *gName++ )\n// \t{\n// \tcase 0:\n// \t\tgName--;\t// Backup to permit later error recovery to work safely\n// \t\treturn\t\"`unknown ecsu'\" + DN_truncated;\n// \tcase BDT_union:\n// \t\tPrefix = \"union \";\n// \t\tbreak;\n// \tcase BDT_struct:\n// \t\tPrefix = \"struct \";\n// \t\tbreak;\n// \tcase BDT_class:\n// \t\tPrefix = \"class \";\n// \t\tbreak;\n// #if CC_COR || CC_COR2\n// \tcase BDT_coclass:\n// \t\tPrefix = \"coclass \";\n// \t\tbreak;\n// \tcase BDT_interface:\n// \t\tPrefix = \"interface \";\n// \t\tbreak;\n// #endif\t// CC_COR || CC_COR2\n// \tcase BDT_enum:\n// \t\tfPrefix = doEcsu();\n// \t\tPrefix = \"enum \" + getEnumType ();\n// \t\tbreak;\n// \t\t//\tdefault:\n// \t\t//\treturn\tDN_invalid;\n// \t}\t// End of SWITCH\n// \tDName\tecsuDataType;\n// \tif\t( fPrefix )\n// \t\tecsuDataType\t= Prefix;\n// \t//\tGet the 'class/struct/union' name\n// \tecsuDataType\t+= getECSUName ();\n// \t//\tAnd return the formed 'ecsu-data-type'\n// \treturn\tecsuDataType;\n// }\t// End of \"UnDecorator\" FUNCTION \"getECSUDataType\"\n// //\n// // 
Undecorator::getFunctionIndirectType\n// //\n// //\tNote: this function gets both the function-indirect-type and the function-type.\n// //\n// DName\tUnDecorator::getFunctionIndirectType( const DName & superType )\n// {\n// \tif\t( ! *gName )\n// \t\treturn DN_truncated + superType;\n// \tif\t( ! IT_isfunction( *gName ))\n// \t\treturn DN_invalid;\n// \tint\tfitCode\t= *gName++ - '6';\n// \tif\t( fitCode == ( '_' - '6' ))\n// \t{\n// \t\tif\t( *gName )\n// \t\t{\n// \t\t\tfitCode\t= *gName++ - 'A' + FIT_based;\n// \t\t\tif\t(( fitCode < FIT_based ) || ( fitCode > ( FIT_based | FIT_far | FIT_member )))\n// \t\t\t\tfitCode\t= -1;\n// \t\t}\t// End of IF then\n// \t\telse\n// \t\t\treturn\t( DN_truncated + superType );\n// \t}\t// End of IF then\n// \telif\t(( fitCode < FIT_near ) || ( fitCode > ( FIT_far | FIT_member )))\n// \t\tfitCode\t= -1;\n// \t//\tReturn if invalid name\n// \tif\t( fitCode == -1 )\n// \t\treturn\tDN_invalid;\n// \t//\tOtherwise, what are the function indirect attributes\n// \tDName\tthisType;\n// \tDName\tfitType = superType;\n// \t//\tIs it a pointer to member function ?\n// \tif\t( fitCode & FIT_member )\n// \t{\n// \t\tfitType\t= \"::\" + fitType;\n// \t\tif\t( *gName )\n// \t\t\tfitType\t= ' ' + getScope () + fitType;\n// \t\telse\n// \t\t\tfitType\t= DN_truncated + fitType;\n// \t\tif\t( *gName )\n// \t\t\tif\t( *gName == '@' )\n// \t\t\t\tgName++;\n// \t\t\telse\n// \t\t\t\treturn\tDN_invalid;\n// \t\telse\n// \t\t\treturn\t( DN_truncated + fitType );\n// \t\tif\t( doThisTypes ())\n// \t\t\tthisType\t= getThisType ();\n// \t\telse\n// \t\t\tthisType\t|= getThisType ();\n// \t}\t// End of IF\n// \t//\tIs it a based allocated function ?\n// \tif\t( fitCode & FIT_based )\n// \t\tif\t( doMSKeywords ())\n// \t\t\tfitType\t= ' ' + getBasedType () + fitType;\n// \t\telse\n// \t\t\tfitType\t|= getBasedType ();\t// Just lose the 'based-type'\n// \t//\tGet the 'calling-convention'\n// \tif\t( doMSKeywords ())\n// \t{\n// \t\tfitType\t= 
getCallingConvention () + fitType;\n// \t\t//\tIs it a near or far function pointer\n// #if !VERS_32BIT\n// \t\tfitType\t= UScore ((( fitCode & FIT_far ) ? TOK_farSp : TOK_nearSp )) + fitType;\n// #endif\n// \t}\t// End of IF then\n// \telse\n// \t\tfitType\t|= getCallingConvention ();\t// Just lose the 'calling-convention'\n// \t//\tParenthesise the indirection component, and work on the rest\n// \tif\t( ! superType . isEmpty() ) {\n// \t\tfitType\t= '(' + fitType + ')';\n// \t}\n// \t//\tGet the rest of the 'function-type' pieces\n// \tDName *\tpDeclarator\t= gnew DName;\n// \tDName\treturnType ( getReturnType ( pDeclarator ));\n// \tfitType\t+= '(' + getArgumentTypes () + ')';\n// \tif\t( doThisTypes () && ( fitCode & FIT_member ))\n// \t\tfitType\t+= thisType;\n// \tif\t( doThrowTypes ())\n// \t\tfitType\t+= getThrowTypes ();\n// \telse\n// \t\tfitType\t|= getThrowTypes ();\t// Just lose the 'throw-types'\n// \t//\tNow insert the indirected declarator, catch the allocation failure here\n// \tif\t( pDeclarator )\n// \t\t*pDeclarator\t= fitType;\n// \telse\n// \t\treturn\tDN_error;\n// \t//\tAnd return the composed function type (now in 'returnType' )\n// \treturn\treturnType;\n// }\n// DName\t__near\tUnDecorator::getPtrRefType ( const DName & cvType, const DName & superType, int isPtr )\n// {\n// \t//\tDoubles up as 'pointer-type' and 'reference-type'\n// \tif\t( *gName )\n// \t\tif\t( IT_isfunction ( *gName ))\t// Is it a function or data indirection ?\n// \t\t{\n// \t\t\tDName\tfitType\t= ( isPtr ? '*' : '&' );\n// \t\t\tif\t( !cvType.isEmpty () && ( superType.isEmpty () || !superType.isPtrRef ()))\n// \t\t\t\tfitType\t+= cvType;\n// \t\t\tif\t( !superType.isEmpty ())\n// \t\t\t\tfitType\t+= superType;\n// \t\t\treturn getFunctionIndirectType( fitType );\n// \t\t}\t// End of IF then\n// \t\telse\n// \t\t{\n// \t\t\t//\tOtherwise, it is either a pointer or a reference to some data type\n// \t\t\tDName\tinnerType ( getDataIndirectType ( superType, ( isPtr ? 
'*' : '&' ), cvType ));\n// \t\t\treturn\tgetPtrRefDataType ( innerType, isPtr );\n// \t\t}\t// End of IF else\n// \telse\n// \t{\n// \t\tDName\ttrunk ( DN_truncated );\n// \t\ttrunk\t+= ( isPtr ? '*' : '&' );\n// \t\tif\t( !cvType.isEmpty ())\n// \t\t\ttrunk\t+= cvType;\n// \t\tif\t( !superType.isEmpty ())\n// \t\t{\n// \t\t\tif\t( !cvType.isEmpty ())\n// \t\t\t\ttrunk\t+= ' ';\n// \t\t\ttrunk\t+= superType;\n// \t\t}\t// End of IF\n// \t\treturn\ttrunk;\n// \t}\t// End of IF else\n// }\t// End of \"UnDecorator\" FUNCTION \"getPtrRefType\"\n// DName\t__near\tUnDecorator::getDataIndirectType ( const DName & superType, char prType, const DName & cvType, int thisFlag )\n// {\n// \tif\t( *gName )\n// \t{\n// \t\tunsigned int\tditCode\t= ( *gName - (( *gName >= 'A' ) ? (unsigned int)'A': (unsigned int)( '0' - 26 )));\n// \t\tDName msExtension;\n// \t\tif\t( doMSKeywords ())\n// \t\t{\n// \t\t\tint fContinue = TRUE;\n// \t\t\tdo\n// \t\t\t{\n// \t\t\t\tswitch\t( ditCode & DIT_modelmask )\n// \t\t\t\t{\n// \t\t\t\tcase DIT_ptr64:\n// \t\t\t\t\tif ( !msExtension.isEmpty())\n// \t\t\t\t\t\tmsExtension = msExtension + ' ' + UScore( TOK_ptr64 );\n// \t\t\t\t\telse\n// \t\t\t\t\t\tmsExtension = UScore( TOK_ptr64 );\n// \t\t\t\t\tgName++;\n// \t\t\t\t\tditCode\t= ( *gName - (( *gName >= 'A' ) ? (unsigned int)'A': (unsigned int)( '0' - 26 )));\n// \t\t\t\t\tbreak;\n// \t\t\t\tcase DIT_restrict:\n// \t\t\t\t\tif ( !msExtension.isEmpty())\n// \t\t\t\t\t\tmsExtension = msExtension + ' ' + UScore( TOK_restrict );\n// \t\t\t\t\telse\n// \t\t\t\t\t\tmsExtension = UScore( TOK_restrict );\n// \t\t\t\t\tgName++;\n// \t\t\t\t\tditCode\t= ( *gName - (( *gName >= 'A' ) ? 
(unsigned int)'A': (unsigned int)( '0' - 26 )));\n// \t\t\t\t\tbreak;\n// \t\t\t\tdefault:\n// \t\t\t\t\tfContinue = FALSE;\n// \t\t\t\t\tbreak;\n// \t\t\t\t}\n// \t\t\t} while (fContinue);\n// \t\t}\n// \t\tgName++;\t// Skip to next character in name\n// \t\t//\tIs it a valid 'data-indirection-type' ?\n// \t\tif\t(( ditCode >= DIT_near ) && ( ditCode <= ( DIT_const | DIT_volatile | DIT_modelmask | DIT_member )))\n// \t\t{\n// \t\t\tDName\tditType ( prType );\n// \t\t\tif ( !msExtension.isEmpty()) \n// \t\t\t\tditType = ditType + ' ' + msExtension;\n// \t\t\t//\tIf it is a member, then these attributes immediately precede the indirection token\n// \t\t\tif\t( ditCode & DIT_member )\n// \t\t\t{\n// \t\t\t\t//\tIf it is really 'this-type', then it cannot be any form of pointer to member\n// \t\t\t\tif\t( thisFlag )\n// \t\t\t\t\treturn\tDN_invalid;\n// \t\t\t\t//\tOtherwise, extract the scope for the PM\n// \t\t\t\tif\t( prType != '' )\n// \t\t\t\t{\n// \t\t\t\t\tditType\t= \"::\" + ditType;\n// \t\t\t\t\tif\t( *gName )\n// \t\t\t\t\t\tditType\t= getScope () + ditType;\n// \t\t\t\t\telse\n// \t\t\t\t\t\tditType\t= DN_truncated + ditType;\n// \t\t\t\t}\n// \t\t\t\telif\t( *gName )\n// \t\t\t\t{\n// \t\t\t\t\t//\n// \t\t\t\t\t// The scope is ignored for special uses of data-indirect-type, such\n// \t\t\t\t\t// as storage-convention.  I think it's a \n// \t\t\t\t\t// with Member storage convention, as that is already covered in the\n// \t\t\t\t\t// scope of the name.  
However, we don't want to change the dname scheme,\n// \t\t\t\t\t// so we're stuck with it.\n// \t\t\t\t\t//\n// \t\t\t\t\tditType |= getScope ();\n// \t\t\t\t}\n// \t\t\t\t//\tNow skip the scope terminator\n// \t\t\t\tif\t( !*gName )\n// \t\t\t\t\tditType\t+= DN_truncated;\n// \t\t\t\telif\t( *gName++ != '@' )\n// \t\t\t\t\treturn\tDN_invalid;\n// \t\t\t}\t// End of IF\n// \t\t\t//\tAdd the 'model' attributes (prefixed) as appropriate\n// \t\t\tif\t( doMSKeywords ()) {\n// \t\t\t\tswitch\t( ditCode & DIT_modelmask )\n// \t\t\t\t{\n// #if !VERS_32BIT\n// \t\t\t\tcase DIT_near:\n// \t\t\t\t\tif\t( do32BitNear ())\n// \t\t\t\t\t\tditType\t= UScore ( TOK_near ) + ditType;\n// \t\t\t\t\tbreak;\n// \t\t\t\tcase DIT_far:\n// \t\t\t\t\tditType\t= UScore ( TOK_far ) + ditType;\n// \t\t\t\t\tbreak;\n// \t\t\t\tcase DIT_huge:\n// \t\t\t\t\tditType\t= UScore ( TOK_huge ) + ditType;\n// \t\t\t\t\tbreak;\n// #endif\n// \t\t\t\tcase DIT_based:\n// \t\t\t\t\t//\tThe 'this-type' can never be 'based'\n// \t\t\t\t\tif\t( thisFlag )\n// \t\t\t\t\t\treturn\tDN_invalid;\n// \t\t\t\t\tditType\t= getBasedType () + ditType;\n// \t\t\t\t\tbreak;\n// \t\t\t\t}\t// End of SWITCH\n// \t\t\t}\t// End of IF\n// \t\t\telif\t(( ditCode & DIT_modelmask ) == DIT_based )\n// \t\t\t\tditType\t|= getBasedType ();\t// Just lose the 'based-type'\n// \t\t\t//\tHandle the 'const' and 'volatile' attributes\n// \t\t\tif\t( ditCode & DIT_volatile )\n// \t\t\t\tditType\t= \"volatile \" + ditType;\n// \t\t\tif\t( ditCode & DIT_const )\n// \t\t\t\tditType\t= \"const \" + ditType;\n// \t\t\t//\tAppend the supertype, if not 'this-type'\n// \t\t\tif\t( !thisFlag )\n// \t\t\t\tif\t( !superType.isEmpty ())\n// \t\t\t\t{\n// \t\t\t\t\t//\tIs the super context included 'cv' information, ensure that it is added appropriately\n// \t\t\t\t\tif\t( superType.isPtrRef () || cvType.isEmpty ())\n// \t\t\t\t\t\tditType\t+= ' ' + superType;\n// \t\t\t\t\telse\n// \t\t\t\t\t\tditType\t+= ' ' + cvType + ' ' + superType;\n// 
\t\t\t\t}\t// End of IF then\n// \t\t\t\telif\t( !cvType.isEmpty ())\n// \t\t\t\t\tditType\t+= ' ' + cvType;\n// \t\t\t\t//\tMake sure qualifiers aren't re-applied\n// \t\t\t\tditType.setPtrRef ();\n// \t\t\t\t//\tFinally, return the composed 'data-indirection-type' (with embedded sub-type)\n// \t\t\t\treturn\tditType;\n// \t\t}\t// End of IF then\n// \t\telse\n// \t\t\treturn\tDN_invalid;\n// \t}\t// End of IF then\n// \telif\t( !thisFlag && !superType.isEmpty ())\n// \t{\n// \t\t//\tIs the super context included 'cv' information, ensure that it is added appropriately\n// \t\tif\t( superType.isPtrRef () || cvType.isEmpty ())\n// \t\t\treturn\t( DN_truncated + superType );\n// \t\telse\n// \t\t\treturn\t( DN_truncated + cvType + ' ' + superType );\n// \t}\t// End of ELIF then\n// \telif\t( !thisFlag && !cvType.isEmpty ())\n// \t\treturn\t( DN_truncated + cvType );\n// \telse\n// \t\treturn\tDN_truncated;\n// }\t// End of \"UnDecorator\" FUNCTION \"getDataIndirectType\"\n// inline\tDName\t__near\tUnDecorator::getPtrRefDataType ( const DName & superType, int isPtr )\n// {\n// \t//\tDoubles up as 'pointer-data-type' and 'reference-data-type'\n// \tif\t( *gName )\n// \t{\n// \t\t//\tIs this a 'pointer-data-type' ?\n// \t\tif\t( isPtr && ( *gName == PoDT_void ))\n// \t\t{\n// \t\t\tgName++;\t// Skip this character\n// \t\t\tif\t( superType.isEmpty ())\n// \t\t\t\treturn\t\"void\";\n// \t\t\telse\n// \t\t\t\treturn\t\"void \" + superType;\n// \t\t}\t// End of IF\n// \t\t//\tOtherwise it may be a 'reference-data-type'\n// \t\tif\t( *gName == RDT_array )\t// An array ?\n// \t\t{\n// \t\t\tgName++;\n// \t\t\treturn\tgetArrayType( superType );\n// \t\t}\t// End of IF\n// \t\t//\tOtherwise, it is a 'basic-data-type'\n// \t\treturn\tgetBasicDataType ( superType );\n// \t}\t// End of IF then\n// \telse\n// \t\treturn\t( DN_truncated + superType );\n// }\t// End of \"UnDecorator\" FUNCTION \"getPtrRefDataType\"\n// inline\tDName\t__near\tUnDecorator::getArrayType ( const DName & 
superType )\n// {\n// \tif\t( *gName )\n// \t{\n// \t\tint\tnoDimensions\t= getNumberOfDimensions ();\n// \t\tif ( noDimensions < 0 ) \n// \t\t\tnoDimensions = 0;\n// \t\tif\t( !noDimensions )\n// \t\t\treturn\tgetBasicDataType ( DName ( '[' ) + DN_truncated + ']' );\n// \t\telse\n// \t\t{\n// \t\t\tDName\tarrayType;\n// \t\t\twhile\t( noDimensions-- )\n// \t\t\t\tarrayType\t+= '[' + getDimension () + ']';\n// \t\t\t//\tIf it is indirect, then parenthesise the 'super-type'\n// \t\t\tif\t( !superType.isEmpty ())\n// \t\t\t\tarrayType\t= '(' + superType + ')' + arrayType;\n// \t\t\t//\tReturn the finished array dimension information\n// \t\t\treturn\tgetPrimaryDataType ( arrayType );\n// \t\t}\t// End of IF else\n// \t}\t// End of IF\n// \telif\t( !superType.isEmpty ())\n// \t\treturn\tgetBasicDataType ( '(' + superType + \")[\" + DN_truncated + ']' );\n// \telse\n// \t\treturn\tgetBasicDataType ( DName ( '[' ) + DN_truncated + ']' );\n// }\t// End of \"UnDecorator\" FUNCTION \"getArrayType\"\n// inline\tDName\t__near\tUnDecorator::getLexicalFrame ( void )\t{\treturn\t'`' + getDimension () + ''';\t}\n// \tinline\tDName\t__near\tUnDecorator::getStorageConvention ( void )\t{\treturn\tgetDataIndirectType ();\t}\n// inline\tDName\t__near\tUnDecorator::getDataIndirectType ()\t{\treturn\tgetDataIndirectType ( DName (),  0, DName ());\t}\n// inline\tDName\t__near\tUnDecorator::getThisType ( void )\t{\treturn\tgetDataIndirectType ( DName (), 0, DName (), TRUE );\t}\n// inline\tDName\t__near\tUnDecorator::getPointerType ( const DName & cv, const DName & name )\n// {\treturn\tgetPtrRefType ( cv, name, TRUE );\t}\n// inline\tDName\t__near\tUnDecorator::getReferenceType ( const DName & cv, const DName & name )\n// {\treturn\tgetPtrRefType ( cv, name, FALSE );\t}\n// inline\tDName\t__near\tUnDecorator::getSegmentName ( void )\t{\treturn\tgetZName ();\t}\n// #if\t( !NO_COMPILER_NAMES )\n// inline\tDName\t__near\tUnDecorator::getDisplacement ( void )\t{\treturn\tgetDimension 
();\t}\n// inline\tDName\t__near\tUnDecorator::getCallIndex ( void )\t{\treturn\tgetDimension ();\t}\n// inline\tDName\t__near\tUnDecorator::getGuardNumber ( void )\t{\treturn\tgetDimension ();\t}\n// inline\tDName\t__near\tUnDecorator::getVbTableType ( const DName & superType )\n// {\treturn\tgetVfTableType ( superType );\t}\n// inline\tDName\t__near\tUnDecorator::getVCallThunkType ( void )\n// {\n// #if VERS_32BIT\n// \tswitch (*gName) {\n// \tcase VMT_nTnCnV:\n// \t\t++gName;\n// \t\treturn DName(\"{flat}\");\n// \tcase 0:\n// \t\treturn DN_truncated;\n// \tdefault:\n// \t\treturn DN_invalid;\n// \t}\n// #else\n// \tDName\tvcallType\t= '{';\n// \t//\tGet the 'this' model, and validate all values\n// \tswitch\t( *gName )\n// \t{\n// \tcase VMT_nTnCnV:\n// \tcase VMT_nTfCnV:\n// \tcase VMT_nTnCfV:\n// \tcase VMT_nTfCfV:\n// \tcase VMT_nTnCbV:\n// \tcase VMT_nTfCbV:\n// \t\tvcallType\t+= UScore ( TOK_nearSp );\n// \t\tbreak;\n// \tcase VMT_fTnCnV:\n// \tcase VMT_fTfCnV:\n// \tcase VMT_fTnCfV:\n// \tcase VMT_fTfCfV:\n// \tcase VMT_fTnCbV:\n// \tcase VMT_fTfCbV:\n// \t\tvcallType\t+= UScore ( TOK_farSp );\n// \t\tbreak;\n// \tcase 0:\n// \t\treturn\tDN_truncated;\n// \tdefault:\n// \t\treturn\tDN_invalid;\n// \t}\t// End of SWITCH\n// \t//\tAlways append 'this'\n// \tvcallType\t+= \"this, \";\n// \t//\tGet the 'call' model\n// \tswitch\t( *gName )\n// \t{\n// \tcase VMT_nTnCnV:\n// \tcase VMT_fTnCnV:\n// \tcase VMT_nTnCfV:\n// \tcase VMT_fTnCfV:\n// \tcase VMT_nTnCbV:\n// \tcase VMT_fTnCbV:\n// \t\tvcallType\t+= UScore ( TOK_nearSp );\n// \t\tbreak;\n// \tcase VMT_nTfCnV:\n// \tcase VMT_fTfCnV:\n// \tcase VMT_nTfCfV:\n// \tcase VMT_fTfCfV:\n// \tcase VMT_nTfCbV:\n// \tcase VMT_fTfCbV:\n// \t\tvcallType\t+= UScore ( TOK_farSp );\n// \t\tbreak;\n// \t}\t// End of SWITCH\n// \t//\tAlways append 'call'\n// \tvcallType\t+= \"call, \";\n// \t//\tGet the 'vfptr' model\n// \tswitch\t( *gName++ )\t// Last time, so advance the pointer\n// \t{\n// \tcase VMT_nTnCnV:\n// \tcase 
VMT_nTfCnV:\n// \tcase VMT_fTnCnV:\n// \tcase VMT_fTfCnV:\n// \t\tvcallType\t+= UScore ( TOK_nearSp );\n// \t\tbreak;\n// \tcase VMT_nTnCfV:\n// \tcase VMT_nTfCfV:\n// \tcase VMT_fTnCfV:\n// \tcase VMT_fTfCfV:\n// \t\tvcallType\t+= UScore ( TOK_farSp );\n// \t\tbreak;\n// \tcase VMT_nTfCbV:\n// \tcase VMT_fTnCbV:\n// \tcase VMT_fTfCbV:\n// \tcase VMT_nTnCbV:\n// \t\tvcallType\t+= getBasedType ();\n// \t\tbreak;\n// \t}\t// End of SWITCH\n// \t//\tAlways append 'vfptr'\n// \tvcallType\t+= \"vfptr}\";\n// \t//\tAnd return the resultant 'vcall-model-type'\n// \treturn\tvcallType;\n// #endif\n// }\t// End of \"UnDecorator\" FUNCTION \"getVCallThunk\"\n// \n// inline\tDName __near\tUnDecorator::getVfTableType (const DName & superType )\n// {\n// \tDName\tvxTableName\t= superType;\n// \tif\t( vxTableName.isValid () && *gName )\n// \t{\n// \t\tvxTableName\t= getStorageConvention () + ' ' + vxTableName;\n// \t\tif\t( vxTableName.isValid ())\n// \t\t{\n// \t\t\tif\t( *gName != '@' )\n// \t\t\t{\n// \t\t\t\tvxTableName\t+= \"{for \";\n// \t\t\t\twhile\t( vxTableName.isValid () && *gName && ( *gName != '@' ))\n// \t\t\t\t{\n// \t\t\t\t\tvxTableName\t+= '`' + getScope () + ''';\n// \t\t\t\t\t\t//\tSkip the scope delimiter\n// \t\t\t\t\t\tif\t( *gName == '@' )\n// \t\t\t\t\t\t\tgName++;\n// \t\t\t\t\t//\tClose the current scope, and add a conjunction for the next (if any)\n// \t\t\t\t\tif\t( vxTableName.isValid () && ( *gName != '@' ))\n// \t\t\t\t\t\tvxTableName\t+= \"s \";\n// \t\t\t\t}\t// End of WHILE\n// \t\t\t\tif\t( vxTableName.isValid ())\n// \t\t\t\t{\n// \t\t\t\t\tif\t( !*gName )\n// \t\t\t\t\t\tvxTableName\t+= DN_truncated;\n// \t\t\t\t\tvxTableName\t+= '}';\n// \t\t\t\t}\t// End of IF\n// \t\t\t}\t// End of IF\n// \t\t\t//\tSkip the 'vpath-name' terminator\n// \t\t\tif\t( *gName == '@' )\n// \t\t\t\tgName++;\n// \t\t}\t// End of IF\n// \t}\t// End of IF then\n// \telif\t( vxTableName.isValid ())\n// \t\tvxTableName\t= DN_truncated + vxTableName;\n// 
\treturn\tvxTableName;\n// }\t//\tEnd of \"UnDecorator\" FUNCTION \"getVfTableType\"\n// #endif\t// !NO_COMPILER_NAMES\n// inline\tDName\t__near\tUnDecorator::getExternalDataType ( const DName & superType )\n// {\n// \t//\tCreate an indirect declarator for the the rest\n// \tDName *\tpDeclarator\t= gnew DName ();\n// \tDName\tdeclaration\t= getDataType ( pDeclarator );\n// \t//\tNow insert the declarator into the declaration along with its 'storage-convention'\n// \tif (pDeclarator) {\n// \t\t*pDeclarator\t= getStorageConvention () + ' ' + superType;\n// \t}\n// \treturn\tdeclaration;\n// }\t//\tEnd of \"UnDecorator\" FUNCTION \"getExternalDataType\"\n// inline\tint\t__near\tUnDecorator::doUnderScore ()\t{\treturn\t!( disableFlags & UNDNAME_NO_LEADING_UNDERSCORES );\t}\n// inline\tint\t__near\tUnDecorator::doMSKeywords ()\t{\treturn\t!( disableFlags & UNDNAME_NO_MS_KEYWORDS );\t}\n// inline\tint\t__near\tUnDecorator::doFunctionReturns ()\t{\treturn\t!( disableFlags & UNDNAME_NO_FUNCTION_RETURNS );\t}\n// inline\tint\t__near\tUnDecorator::doAllocationModel ()\t{\treturn\t!( disableFlags & UNDNAME_NO_ALLOCATION_MODEL );\t}\n// inline\tint\t__near\tUnDecorator::doAllocationLanguage ()\t{\treturn\t!( disableFlags & UNDNAME_NO_ALLOCATION_LANGUAGE );\t}\n// #if\t0\n// inline\tint\t__near\tUnDecorator::doMSThisType ()\t{\treturn\t!( disableFlags & UNDNAME_NO_MS_THISTYPE );\t}\n// inline\tint\t__near\tUnDecorator::doCVThisType ()\t{\treturn\t!( disableFlags & UNDNAME_NO_CV_THISTYPE );\t}\n// #endif\n// inline\tint\t__near\tUnDecorator::doThisTypes ()\t{\treturn (( disableFlags & UNDNAME_NO_THISTYPE ) != UNDNAME_NO_THISTYPE );\t}\n// inline\tint\t__near\tUnDecorator::doAccessSpecifiers ()\t{\treturn\t!( disableFlags & UNDNAME_NO_ACCESS_SPECIFIERS );\t}\n// inline\tint\t__near\tUnDecorator::doThrowTypes ()\t{\treturn\t!( disableFlags & UNDNAME_NO_THROW_SIGNATURES );\t}\n// inline\tint\t__near\tUnDecorator::doMemberTypes ()\t{\treturn\t!( disableFlags & UNDNAME_NO_MEMBER_TYPE 
);\t}\n// inline\tint\t__near\tUnDecorator::doReturnUDTModel ()\t{\treturn\t!( disableFlags & UNDNAME_NO_RETURN_UDT_MODEL );\t}\n// inline\tint\t__near\tUnDecorator::do32BitNear ()\t{\treturn\t!( disableFlags & UNDNAME_32_BIT_DECODE );\t}\n// inline\tint\t__near\tUnDecorator::doNameOnly ()\t{\treturn\t( disableFlags & UNDNAME_NAME_ONLY );\t}\n// inline\tint\t__near\tUnDecorator::doTypeOnly ()\t{\treturn\t( disableFlags & UNDNAME_TYPE_ONLY );\t}\n// inline\tint\t__near\tUnDecorator::haveTemplateParameters ()\t{\treturn\t( disableFlags & UNDNAME_HAVE_PARAMETERS);\t}\n// inline\tint \t__near\tUnDecorator::doEcsu ()\t{\treturn\t!( disableFlags & UNDNAME_NO_ECSU );\t}\n// inline\tint \t__near\tUnDecorator::doNoIdentCharCheck ()\t{\treturn\t( disableFlags & UNDNAME_NO_IDENT_CHAR_CHECK );\t}\n// pcchar_t\t__near\tUnDecorator::UScore ( Tokens tok  )\n// {\n// #if !VERS_32BIT\n// \tif\t((( tok == TOK_nearSp ) || ( tok == TOK_nearP )) && !do32BitNear ())\n// \t\treturn\ttokenTable[ tok ] + 6;\t// Skip '__near'\n// #endif\n// \tif\t( doUnderScore ())\n// \t\treturn\ttokenTable[ tok ];\n// \telse\n// \t\treturn\ttokenTable[ tok ] + 2 ;\n// }\t// End of \"UnDecorator\" FUNCTION \"UScore\"\n// //\tInclude the string composition support classes.  Mostly inline stuff, and\n// //\tnot important to the algorithm.\n// #include\t\"undname.inl\""
  },
  {
    "path": "Sysmon/undname.h",
    "content": "//\n// Copyright (c) Microsoft Corporation.  All rights reserved.\n//\n//\n// This source code is licensed under Microsoft Shared Source License\n// Version 1.0 for Windows CE.\n// For a copy of the license visit http://go.microsoft.com/fwlink/?LinkId=3223.\n//\n\n\n// #if !defined(_M_I86)\n//     //  The 32-bit compiler\n//     #define __far\n//     #define __near\n//     #define __pascal\n//     #define __loadds\n// #endif\n// typedef char *        pchar_t;\n// typedef const char *  pcchar_t;\n// typedef void * ( __cdecl * Alloc_t )( unsigned int );\n// typedef void   ( __cdecl * Free_t  )( void * );\n// typedef char * ( __cdecl * GetParameter_t  )( long );\n// #ifdef  __cplusplus\n// extern \"C\"\n// #endif\n// _CRTIMP pchar_t __cdecl __unDName (\n//                             pchar_t,\t// User supplied buffer (or NULL)\n//                             pcchar_t,\t// Input decorated name\n//                             int,\t// Maximum length of user buffer\n//                             Alloc_t,\t// Address of heap allocator\n//                             Free_t,\t// Address of heap deallocator\n//                             unsigned short\t// Feature disable flags\n//                         );\n// #ifdef  __cplusplus\n// extern \"C\"\n// #endif\n// _CRTIMP pchar_t __cdecl __unDNameEx (\n//                             pchar_t,\t// User supplied buffer (or NULL)\n//                             pcchar_t,\t// Input decorated name\n//                             int,\t// Maximum length of user buffer\n//                             Alloc_t,\t// Address of heap allocator\n//                             Free_t,\t// Address of heap deallocator\n// GetParameter_t,\t// Function to get any template parameters\n//                             unsigned long\t// Feature disable flags\n//                         );\n// /*\n//  *  The user may provide a buffer into which the undecorated declaration\n//  *  is to be placed, in which case, the length field 
must be specified.\n//  *  The length is the maximum number of characters (including the terminating\n//  *  NULL character) which may be written into the user buffer.\n//  *\n//  *  If the output buffer is NULL, the length field is ignored, and the\n//  *  undecorator will allocate a buffer exactly large enough to hold the\n//  *  resulting declaration.  It is the users responsibility to deallocate\n//  *  this buffer.\n//  *\n//  *  The user may also supply the allocator and deallocator functions if\n//  *  they wish.  If they do, then all heap actions performed by the routine\n//  *  will use the provided heap functions.\n//  *\n//  *  If the allocator address is NULL, then the routine will default to using\n//  *  the standard allocator and deallocator functions, 'malloc' and 'free'.\n//  *\n//  *  If an error occurs internally, then the routine will return NULL.  If\n//  *  it was successful, it will return the buffer address provided by the\n//  *  user, or the address of the buffer allocated on their behalf, if they\n//  *  specified a NULL buffer address.\n//  *\n//  *  If a given name does not have a valid undecoration, the original name\n//  *  is returned in the output buffer.\n//  *\n//  *  Fine selection of a number of undecorator attributes is possible, by\n//  *  specifying flags (bit-fields) to disable the production of parts of the\n//  *  complete declaration.  The flags may be OR'ed together to select multiple\n//  *  disabling of selected fields.  
The fields and flags are as follows :-\n//  */\n// #define UNDNAME_COMPLETE                (0x0000)    // Enable full undecoration\n// #define UNDNAME_NO_LEADING_UNDERSCORES  (0x0001)    // Remove leading underscores from MS extended keywords\n// #define UNDNAME_NO_MS_KEYWORDS          (0x0002)    // Disable expansion of MS extended keywords\n// #define UNDNAME_NO_FUNCTION_RETURNS     (0x0004)    // Disable expansion of return type for primary declaration\n// #define UNDNAME_NO_ALLOCATION_MODEL     (0x0008)    // Disable expansion of the declaration model\n// #define UNDNAME_NO_ALLOCATION_LANGUAGE  (0x0010)    // Disable expansion of the declaration language specifier\n//   #define   UNDNAME_NO_MS_THISTYPE          (0x0020)    /* NYI */   // Disable expansion of MS keywords on the 'this' type for primary declaration\n//   #define   UNDNAME_NO_CV_THISTYPE          (0x0040)    /* NYI */   // Disable expansion of CV modifiers on the 'this' type for primary declaration\n// #define UNDNAME_NO_THISTYPE             (0x0060)    // Disable all modifiers on the 'this' type\n// #define UNDNAME_NO_ACCESS_SPECIFIERS    (0x0080)    // Disable expansion of access specifiers for members\n// #define UNDNAME_NO_THROW_SIGNATURES     (0x0100)    // Disable expansion of 'throw-signatures' for functions and pointers to functions\n// #define UNDNAME_NO_MEMBER_TYPE          (0x0200)    // Disable expansion of 'static' or 'virtual'ness of members\n// #define UNDNAME_NO_RETURN_UDT_MODEL     (0x0400)    // Disable expansion of MS model for UDT returns\n// #define UNDNAME_32_BIT_DECODE           (0x0800)    // Undecorate 32-bit decorated names\n// #define UNDNAME_NAME_ONLY               (0x1000)    // Crack only the name for primary declaration;\n//                                                     //  return just [scope::]name.  
Does expand template params\n// #define UNDNAME_TYPE_ONLY               (0x2000)    // Input is just a type encoding; compose an abstract declarator\n// #define UNDNAME_HAVE_PARAMETERS         (0x4000)    // The real templates parameters are available\n// #define UNDNAME_NO_ECSU                 (0x8000)    // Suppress enum/class/struct/union\n// #define UNDNAME_NO_IDENT_CHAR_CHECK     (0x10000)   // Suppress check for IsValidIdentChar"
  },
  {
    "path": "Sysmon/undname.idl",
    "content": "import \"oaidl.idl\";\nimport \"ocidl.idl\";\n\n//\n// Copyright (c) Microsoft Corporation.  All rights reserved.\n//\n//\n// Use of this source code is subject to the terms of your Microsoft Windows CE\n// Source Alliance Program license form.  If you did not accept the terms of\n// such a license, you are not authorized to use this source code.\n//\n/*\n *\tThis module contains the definitions for the inline functions used by the\n *\tname undecorator.  It is intended that this file should be included\n *\tsomewhere in the source file for the undecorator to maximise the chance\n *\tthat they will be truly inlined.\n */\n//\tThe following class is a special node class, used in the implementation\n//\tof the internal chaining mechanism of the 'DName's\n// class\tcharNode;\n// class\tpcharNode;\n// class\tpDNameNode;\n// class\tDNameStatusNode;\n// #if\t( NO_VIRTUAL )\n// enum\tNodeType\n// {\n// charNode_t,\n// pcharNode_t,\n// pDNameNode_t,\n// DNameStatusNode_t\n// };\n// #endif\t// NO_VIRTUAL\n// class\tDNameNode\n// {\n// private:\n// #if\tNO_VIRTUAL\n// NodeType\ttypeIndex;\n// #endif\t// NO_VIRTUAL\n// DNameNode *\tnext;\n// protected:\n// #if\t( !NO_VIRTUAL )\n// __near\tDNameNode ();\n// #else\t// } elif NO_VIRTUAL {\n// __near\tDNameNode ( NodeType );\n// #endif\t// NO_VIRTUAL\n// __near\tDNameNode ( const DNameNode & );\n// public:\n// virtual\tint\t__near\tlength () const PURE;\n// virtual\tchar\t__near\tgetLastChar () const PURE;\n// virtual\tpchar_t\t__near\tgetString ( pchar_t, int ) const PURE;\n// DNameNode *\t__near\tclone ();\n// DNameNode *\t__near\tnextNode () const;\n// DNameNode &\t__near\toperator += ( DNameNode * );\n// };\n// class\tcharNode\t: public DNameNode\n// {\n// private:\n// char\tme;\n// public:\n// __near\tcharNode ( char );\n// virtual\tint\t__near\tlength () const;\n// virtual\tchar\t__near\tgetLastChar () const;\n// virtual\tpchar_t\t__near\tgetString ( pchar_t, int ) const;\n// };\n// class\tpcharNode\t: 
public DNameNode\n// {\n// private:\n// pchar_t\tme;\n// int\tmyLen;\n// public:\n// __near\tpcharNode ( pcchar_t, int = 0 );\n// virtual\tint\t__near\tlength () const;\n// virtual\tchar\t__near\tgetLastChar () const;\n// virtual\tpchar_t\t__near\tgetString ( pchar_t, int ) const;\n// };\n// class\tpDNameNode\t: public DNameNode\n// {\n// private:\n// DName *\tme;\n// public:\n// __near\tpDNameNode ( DName * );\n// virtual\tint\t__near\tlength () const;\n// virtual\tchar\t__near\tgetLastChar () const;\n// virtual\tpchar_t\t__near\tgetString ( pchar_t, int ) const;\n// };\n// class\tDNameStatusNode\t: public DNameNode\n// {\n// private:\n// #define\tTruncationMessage\t(\" ?? \")\n// #define\tTruncationMessageLength\t(4)\n// DNameStatus\tme;\n// int\tmyLen;\n// public:\n// __near\tDNameStatusNode ( DNameStatus );\n// virtual\tint\t__near\tlength () const;\n// virtual\tchar\t__near\tgetLastChar () const;\n// virtual\tpchar_t\t__near\tgetString ( pchar_t, int ) const;\n// };\n// //\tMemory allocation functions\n// inline\tvoid __far *\t__near __pascal\toperator new ( unsigned int sz, HeapManager &, int noBuffer )\n// {\treturn\theap.getMemory ( sz, noBuffer );\t}\n// void __far *\t__near\tHeapManager::getMemory ( unsigned int sz, int noBuffer )\n// {\n// //\tAlign the allocation on an appropriate boundary\n// sz\t= (( sz + PACK_SIZE-1 ) & ~(PACK_SIZE-1) );\n// if\t( noBuffer )\n// return\t( *pOpNew )( sz );\n// else\n// {\n// //\tHandler a potential request for no space\n// if\t( !sz )\n// sz\t= 1;\n// if\t( blockLeft < sz )\n// {\n// //\tIs the request greater than the largest buffer size ?\n// if\t( sz > memBlockSize )\n// return\t0;\t// If it is, there is nothing we can do\n// //\tAllocate a new block\n// Block *\tpNewBlock\t= rnew Block;\n// //\tDid the allocation succeed ?  
If so connect it up\n// if\t( pNewBlock )\n// {\n// //\tHandle the initial state\n// if\t( tail )\n// tail\t= tail->next\t= pNewBlock;\n// else\n// head\t= tail\t= pNewBlock;\n// //\tCompute the remaining space\n// blockLeft\t= memBlockSize - sz;\n// }\t// End of IF then\n// else\n// return\t0;\t// Oh-oh!  Memory allocation failure\n// }\t// End of IF then\n// else\n// blockLeft\t-= sz;\t// Deduct the allocated amount\n// //\tAnd return the buffer address\n// return\t&( tail->memBlock[ blockLeft ]);\n// }\t// End of IF else\n// }\t// End of \"HeapManager\" FUNCTION \"getMemory(unsigned int,int)\"\n// //\tFriend functions of 'DName'\n// inline DName\t__near __pascal\toperator + ( char c, const DName & rd )\n// {\treturn\tDName ( c ) + rd;\t}\n// inline DName\t__near __pascal\toperator + ( DNameStatus st, const DName & rd )\n// {\treturn\tDName ( st ) + rd;\t}\n// inline DName\t__near __pascal\toperator + ( pcchar_t s, const DName & rd )\n// {\treturn\tDName ( s ) + rd;\t}\n// //\tThe 'DName' constructors\n// inline\t__near\tDName::DName ()\t{\tnode\t= 0;\tstat\t= DN_valid;\tisIndir\t= 0;\tisAUDC\t= 0; isAUDTThunk = 0;\tNoTE\t= 0; }\n// inline\t__near\tDName::DName ( DNameNode * pd )\t{\tnode\t= pd;\tstat\t= DN_valid;\tisIndir\t= 0;\tisAUDC\t= 0; isAUDTThunk = 0;\tNoTE = 0; }\n// __near\tDName::DName ( char c )\n// {\n// stat\t= DN_valid;\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// node\t= 0;\n// NoTE\t= 0;\n// //\tThe NULL character is boring, do not copy\n// if\t( c )\n// doPchar ( &c, 1 );\n// }\t// End of \"DName\" CONSTRUCTOR '(char)'\n// #if\t1\n// inline __near\tDName::DName ( const DName & rd )\n// {\n// stat\t= rd.stat;\n// isIndir\t= rd.isIndir;\n// isAUDC\t= rd.isAUDC;\n// isAUDTThunk = rd.isAUDTThunk;\n// node\t= rd.node;\n// NoTE\t= rd.NoTE;\n// }\t// End of \"DName\" CONSTRUCTOR '(const DName&)'\n// #endif\n// __near\tDName::DName ( DName * pd )\n// {\n// if\t( pd )\n// {\n// node\t= gnew pDNameNode ( pd );\n// stat\t= ( node ? 
DN_valid : DN_error );\n// }\t// End of IF else\n// else\n// {\n// stat\t= DN_valid;\n// node\t= 0;\n// }\t// End of IF else\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// NoTE\t= 0;\n// }\t// End of \"DName\" CONSTRUCTOR '( DName* )'\n// __near\tDName::DName ( pcchar_t s )\n// {\n// stat\t= DN_valid;\n// node\t= 0;\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// NoTE\t= 0;\n// if\t( s )\n// doPchar ( s, strlen ( s ));\n// }\t// End of \"DName\" CONSTRUCTOR '(pcchar_t)'\n// __near\tDName::DName ( pcchar_t & name, char terminator )\n// {\n// stat\t= DN_valid;\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// node\t= 0;\n// NoTE\t= 0;\n// //\tIs there a string ?\n// if\t( name )\n// if\t( *name )\n// {\n// int\tlen\t= 0;\n// //\tHow long is the string ?\n// for\t( pcchar_t s = name; *name && ( *name != terminator ); name++ )\n// if\t( isValidIdentChar ( *name ) || UnDecorator::doNoIdentCharCheck () )\n// len++;\n// else\n// {\n// stat\t= DN_invalid;\n// return;\n// }\t// End of IF else\n// //\tCopy the name string fragment\n// doPchar ( s, len );\n// //\tNow gobble the terminator if present, handle error conditions\n// if\t( *name )\n// {\n// if\t( *name++ != terminator )\n// {\n// stat\t= DN_error;\n// node\t= 0;\n// }\t// End of IF then\n// else\n// stat\t= DN_valid;\n// }\t// End of IF then\n// elif\t( status () == DN_valid )\n// stat\t= DN_truncated;\n// }\t// End of IF then\n// else\n// stat\t= DN_truncated;\n// else\n// stat\t= DN_invalid;\n// }\t// End of \"DName\" CONSTRUCTOR '(pcchar_t&,char)'\n// __near\tDName::DName ( unsigned long num )\n// {\n// char\tbuf[ 11 ];\n// char *\tpBuf\t= buf + 10;\n// stat\t= DN_valid;\n// node\t= 0;\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// NoTE\t= 0;\n// //\tEssentially, 'ultoa ( num, buf, 10 )' :-\n// *pBuf\t= 0;\n// do\n// {\n// *( --pBuf )\t= (char)(( num % 10 ) + '0' );\n// num\t/= 10UL;\n// }\twhile\t( num );\n// doPchar ( pBuf, ( 10 - (int) ( pBuf - buf )));\n// 
}\t// End of \"DName\" CONSTRUCTOR '(unsigned long)'\n// __near\tDName::DName ( DNameStatus st )\n// {\n// stat\t= ((( st == DN_invalid ) || ( st == DN_error )) ? st : DN_valid );\n// node\t= gnew DNameStatusNode ( st );\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// NoTE\t= 0;\n// if\t( !node )\n// stat\t= DN_error;\n// }\t// End of \"DName\" CONSTRUCTOR '(DNameStatus)'\n// //\tNow the member functions for 'DName'\n// int\t__near\tDName::isValid () const\t{\treturn\t(( status () == DN_valid ) || ( status () == DN_truncated ));\t}\n// int\t__near\tDName::isEmpty () const\t{\treturn\t(( node == 0 ) || !isValid ());\t}\n// inline\tDNameStatus\t__near\tDName::status () const\t{\treturn\t(DNameStatus)stat;\t}\t// The cast is to keep Glockenspiel quiet\n// inline\tDName &\t__near\tDName::setPtrRef ()\t{\tisIndir\t= 1;\treturn\t*this;\t}\n// inline\tint\t__near\tDName::isPtrRef () const\t{\treturn\tisIndir;\t}\n// inline\tint\t__near\tDName::isUDC () const\t{\treturn\t( !isEmpty () && isAUDC );\t}\n// inline\tvoid\t__near\tDName::setIsUDC ()\t{\tif\t( !isEmpty ())\tisAUDC\t= TRUE;\t}\n// inline\tint\t__near\tDName::isUDTThunk () const\t{\treturn\t( !isEmpty () && isAUDTThunk );\t}\n// inline\tvoid\t__near\tDName::setIsUDTThunk ()\t{\tif\t( !isEmpty ())\tisAUDTThunk\t= TRUE;\t}\n// inline\tint\tDName::isNoTE () const\t{\treturn NoTE;\t}\n// inline\tvoid\tDName::setIsNoTE ()\t{\tNoTE = TRUE;\t}\n// int\t__near\tDName::length () const\n// {\n// int\tlen\t= 0;\n// if\t( !isEmpty ())\n// for\t( DNameNode * pNode = node; pNode; pNode = pNode->nextNode ())\n// len\t+= pNode->length ();\n// return\tlen;\n// }\t// End of \"DName\" FUNCTION \"length\"\n// char\t__near\tDName::getLastChar () const\n// {\n// DNameNode * pLast = 0;\n// if ( !isEmpty ())\n// for ( DNameNode * pNode = node; pNode; pNode = pNode->nextNode ())\n// if ( pNode->length () != 0 )\n// pLast = pNode;\n// return\tpLast != 0 ? 
pLast->getLastChar () : '';\n// }\t// End of \"DName\" FUNCTION \"getLastChar\"\n// pchar_t\t__near\tDName::getString ( pchar_t buf, int max ) const\n// {\n// if\t( !isEmpty ())\n// {\n// //\tDoes the caller want a buffer allocated ?\n// if\t( !buf )\n// {\n// max\t= length () + 1;\n// buf\t= gnew char[ max ];\t// Get a buffer big enough\n// }\t// End of IF then\n// //\tIf memory allocation failure, then return no buffer\n// if\t( buf )\n// {\n// //\tNow, go through the process of filling the buffer (until max is reached)\n// int\tcurLen\t= max;\n// DNameNode *\tcurNode\t= node;\n// pchar_t\tcurBuf\t= buf;\n// while\t( curNode && ( curLen > 0 ))\n// {\n// int\tfragLen\t= curNode->length ();\n// pchar_t\tfragBuf\t= 0;\n// //\tSkip empty nodes\n// if\t( fragLen )\n// {\n// //\tHandle buffer overflow\n// if\t(( curLen - fragLen ) < 0 )\n// fragLen\t= curLen;\n// //\tNow copy 'len' number of bytes of the piece to the buffer\n// fragBuf\t= curNode->getString ( curBuf, fragLen );\n// //\tShould never happen, but handle it anyway\n// if\t( fragBuf )\n// {\n// //\tUpdate string position\n// curLen\t-= fragLen;\n// curBuf\t+= fragLen;\n// }\t// End of IF\n// }\t// End of IF\n// //\tMove on to the next name fragment\n// curNode\t= curNode->nextNode ();\n// }\t// End of WHILE\n// *curBuf\t= 0;\t// Always NULL terminate the resulting string\n// }\t// End of IF\n// }\t// End of IF then\n// elif\t( buf )\n// *buf\t= 0;\n// //\tReturn the buffer\n// return\tbuf;\n// }\t// End of \"DName\" FUNCTION \"getString(pchar_t,int)\"\n// DName\t__near\tDName::operator + ( char ch ) const\n// {\n// DName\tlocal ( *this );\n// if\t( local.isEmpty ())\n// local\t= ch;\n// else\n// local\t+= ch;\n// //\tAnd return the newly formed 'DName'\n// return\tlocal;\n// }\t// End of \"DName\" OPERATOR \"+(char)\"\n// DName\t__near\tDName::operator + ( pcchar_t str ) const\n// {\n// DName\tlocal ( *this );\n// if\t( local.isEmpty ())\n// local\t= str;\n// else\n// local\t+= str;\n// //\tAnd return the 
newly formed 'DName'\n// return\tlocal;\n// }\t// End of \"DName\" OPERATOR \"+(pcchar_t)\"\n// DName\t__near\tDName::operator + ( const DName & rd ) const\n// {\n// DName\tlocal ( *this );\n// if\t( local.isEmpty ())\n// local\t= rd;\n// elif\t( rd.isEmpty ())\n// local\t+= rd.status ();\n// else\n// local\t+= rd;\n// //\tAnd return the newly formed 'DName'\n// return\tlocal;\n// }\t// End of \"DName\" OPERATOR \"+(const DName&)\"\n// DName\t__near\tDName::operator + ( DName * pd ) const\n// {\n// DName\tlocal ( *this );\n// if\t( local.isEmpty ())\n// local\t= pd;\n// else\n// local\t+= pd;\n// //\tAnd return the newly formed 'DName'\n// return\tlocal;\n// }\t// End of \"DName\" OPERATOR \"+(DName*)\"\n// DName\t__near\tDName::operator + ( DNameStatus st ) const\n// {\n// DName\tlocal ( *this );\n// if\t( local.isEmpty ())\n// local\t= st;\n// else\n// local\t+= st;\n// //\tAnd return the newly formed 'DName'\n// return\tlocal;\n// }\t// End of \"DName\" OPERATOR \"+(DNameStatus)\"\n// DName &\t__near\tDName::operator += ( char ch )\n// {\n// if\t( ch )\n// if\t( isEmpty ())\n// *this\t= ch;\n// else\n// {\n// node\t= node->clone ();\n// if\t( node )\n// *node\t+= gnew charNode ( ch );\n// else\n// stat\t= DN_error;\n// }\t// End of IF\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR \"+=(char)\"\n// DName &\t__near\tDName::operator += ( pcchar_t str )\n// {\n// if\t( str && *str )\n// if\t( isEmpty ())\n// *this\t= str;\n// else\n// {\n// node\t= node->clone ();\n// if\t( node )\n// *node\t+= gnew pcharNode ( str );\n// else\n// stat\t= DN_error;\n// }\t// End of IF\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR \"+=(pcchar_t)\"\n// DName &\t__near\tDName::operator += ( const DName & rd )\n// {\n// if\t( rd.isEmpty ())\n// *this\t+= rd.status ();\n// else\n// if\t( isEmpty ())\n// *this\t= rd;\n// else\n// {\n// node\t= node->clone ();\n// if\t( node )\n// *node\t+= rd.node;\n// else\n// stat\t= 
DN_error;\n// }\t// End of IF\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR \"+=(const DName&)\"\n// DName &\t__near\tDName::operator += ( DName * pd )\n// {\n// if\t( pd )\n// if\t( isEmpty ())\n// *this\t= pd;\n// elif\t(( pd->status () == DN_valid ) || ( pd->status () == DN_truncated ))\n// {\n// DNameNode *\tpNew\t= gnew pDNameNode ( pd );\n// if\t( pNew )\n// {\n// node\t= node->clone ();\n// if\t( node )\n// *node\t+= pNew;\n// }\t// End of IF then\n// else\n// node\t= 0;\n// if\t( !node )\n// stat\t= DN_error;\n// }\t// End of IF then\n// else\n// *this\t+= pd->status ();\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR \"+=(DName*)\"\n// DName &\t__near\tDName::operator += ( DNameStatus st )\n// {\n// if\t( isEmpty () || (( st == DN_invalid ) || ( st == DN_error )))\n// *this\t= st;\n// else\n// {\n// DNameNode *\tpNew\t= gnew DNameStatusNode ( st );\n// if\t( pNew )\n// {\n// node\t= node->clone ();\n// if\t( node )\n// *node\t+= pNew;\n// }\t// End of IF then\n// else\n// node\t= 0;\n// if\t( !node )\n// stat\t= DN_error;\n// }\t// End of IF else\n// //\tReturn self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR \"+=(DNameStatus)\"\n// DName &\t__near\tDName::operator |= ( const DName & rd )\n// {\n// //\tAttenuate the error status.  Always becomes worse.  
Don't propogate truncation\n// if\t(( status () != DN_error ) && !rd.isValid ())\n// stat\t= rd.status ();\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR '|=(const DName&)'\n// DName &\t__near\tDName::operator = ( char ch )\n// {\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// doPchar ( &ch, 1 );\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR '=(char)'\n// DName &\t__near\tDName::operator = ( pcchar_t str )\n// {\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// doPchar ( str, strlen ( str ));\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR '=(pcchar_t)'\n// DName &\t__near\tDName::operator = ( const DName & rd )\n// {\n// if\t(( status () == DN_valid ) || ( status () == DN_truncated ))\n// {\n// stat\t= rd.stat;\n// isIndir\t= rd.isIndir;\n// isAUDC\t= rd.isAUDC;\n// isAUDTThunk = rd.isAUDTThunk;\n// node\t= rd.node;\n// }\t// End of IF\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR '=(const DName&)'\n// DName &\t__near\tDName::operator = ( DName * pd )\n// {\n// if\t(( status () == DN_valid ) || ( status () == DN_truncated ))\n// if\t( pd )\n// {\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// node\t= gnew pDNameNode ( pd );\n// if\t( !node )\n// stat\t= DN_error;\n// }\t// End of IF then\n// else\n// *this\t= DN_error;\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" OPERATOR '=(DName*)'\n// DName &\t__near\tDName::operator = ( DNameStatus st )\n// {\n// if\t(( st == DN_invalid ) || ( st == DN_error ))\n// {\n// node\t= 0;\n// if\t( status () != DN_error )\n// stat\t= st;\n// }\t// End of IF then\n// elif\t(( status () == DN_valid ) || ( status () == DN_truncated ))\n// {\n// isIndir\t= 0;\n// isAUDC\t= 0;\n// isAUDTThunk = 0;\n// node\t= gnew DNameStatusNode ( st );\n// if\t( !node )\n// stat\t= DN_error;\n// }\t// End of ELIF then\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DName\" 
OPERATOR '=(DNameStatus)'\n// //\tPrivate implementation functions for 'DName'\n// void\t__near\tDName::doPchar ( pcchar_t str, int len )\n// {\n// if\t( !(( status () == DN_invalid ) || ( status () == DN_error )))\n// if\t( node )\n// *this\t= DN_error;\n// elif\t( str && len )\n// {\n// //\tAllocate as economically as possible\n// switch\t( len )\n// {\n// case 0:\n// stat\t= DN_error;\n// break;\n// case 1:\n// node\t= gnew charNode ( *str );\n// if\t( !node )\n// stat\t= DN_error;\n// break;\n// default:\n// node\t= gnew pcharNode ( str, len );\n// if\t( !node )\n// stat\t= DN_error;\n// break;\n// }\t// End of SWITCH\n// }\t// End of ELIF\n// else\n// stat\t= DN_invalid;\n// }\t// End of \"DName\" FUNCTION \"doPchar(pcchar_t,int)\"\n// //\tThe member functions for the 'Replicator'\n// inline\tint\t__near\tReplicator::isFull () const\t{\treturn\t( index == 9 );\t}\n// inline\t__near\tReplicator::Replicator ()\n// :\tErrorDName ( DN_error ), InvalidDName ( DN_invalid )\n// {\tindex\t= -1;\t}\n// Replicator &\t__near\tReplicator::operator += ( const DName & rd )\n// {\n// if\t( !isFull () && !rd.isEmpty ())\n// {\n// DName *\tpNew\t= gnew DName ( rd );\n// //\tDon't update if failed\n// if\t( pNew )\n// dNameBuffer[ ++index ]\t= pNew;\n// }\t// End of IF\n// return\t*this;\n// }\t// End of \"Replicator\" OPERATOR '+=(const DName&)'\n// const DName &\t__near\tReplicator::operator [] ( int x ) const\n// {\n// if\t(( x < 0 ) || ( x > 9 ))\n// return\tErrorDName;\n// elif\t(( index == -1 ) || ( x > index ))\n// return\tInvalidDName;\n// else\n// return\t*dNameBuffer[ x ];\n// }\t// End of \"Replicator\" OPERATOR '[](int)'\n// //\tThe member functions for the 'DNameNode' classes\n// #if\t( !NO_VIRTUAL )\n// __near\tDNameNode::DNameNode ()\n// #else\t// } elif NO_VIRTUAL {\n// __near\tDNameNode::DNameNode ( NodeType ndTy )\n// :\ttypeIndex ( ndTy )\n// #endif\t// NO_VIRTUAL\n// {\tnext\t= 0;\t}\n// inline\t__near\tDNameNode::DNameNode ( const DNameNode & rd 
)\t{\tnext\t= (( rd.next ) ? rd.next->clone () : 0 );\t}\n// inline\tDNameNode *\t__near\tDNameNode::nextNode () const\t{\treturn\tnext;\t}\n// DNameNode *\t__near\tDNameNode::clone ()\n// {\n// return\tgnew pDNameNode ( gnew DName ( this ));\n// }\n// #if\t( NO_VIRTUAL )\n// int\t__near\tDNameNode::length () const\n// {\t//\tPure function, should not be called\n// switch\t( typeIndex )\n// {\n// case charNode_t:\n// return\t((charNode*)this )->length ();\n// case pcharNode_t:\n// return\t((pcharNode*)this )->length ();\n// case pDNameNode_t:\n// return\t((pDNameNode*)this )->length ();\n// case DNameStatusNode_t:\n// return\t((DNameStatusNode*)this )->length ();\n// }\t// End of SWITCH\n// return\t0;\n// }\n// int\t__near\tDNameNode::getLastChar () const\n// {\t//\tPure function, should not be called\n// switch\t( typeIndex )\n// {\n// case charNode_t:\n// return\t((charNode*)this )->getLastChar ();\n// case pcharNode_t:\n// return\t((pcharNode*)this )->getLastChar ();\n// case pDNameNode_t:\n// return\t((pDNameNode*)this )->getLastChar ();\n// case DNameStatusNode_t:\n// return\t((DNameStatusNode*)this )->getLastChar ();\n// }\t// End of SWITCH\n// return\t0;\n// }\n// pchar_t\t__near\tDNameNode::getString ( pchar_t s, int l ) const\n// {\t//\tPure function, should not be called\n// switch\t( typeIndex )\n// {\n// case charNode_t:\n// return\t((charNode*)this )->getString ( s, l );\n// case pcharNode_t:\n// return\t((pcharNode*)this )->getString ( s, l );\n// case pDNameNode_t:\n// return\t((pDNameNode*)this )->getString ( s, l );\n// case DNameStatusNode_t:\n// return\t((DNameStatusNode*)this )->getString ( s, l );\n// }\t// End of SWITCH\n// return\t0;\n// }\n// #endif\t// NO_VIRTUAL\n// DNameNode &\t__near\tDNameNode::operator += ( DNameNode * pNode )\n// {\n// if\t( pNode )\n// {\n// if\t( next )\n// {\n// //\tSkip to the end of the chain\n// for\t( DNameNode* pScan = next; pScan->next; pScan = pScan->next )\n// ;\n// //\tAnd append the new node\n// 
pScan->next\t= pNode;\n// }\t// End of IF then\n// else\n// next\t= pNode;\n// }\t// End of IF\n// //\tAnd return self\n// return\t*this;\n// }\t// End of \"DNameNode\" OPERATOR '+=(DNameNode*)'\n// //\tThe 'charNode' virtual functions\n// __near\tcharNode::charNode ( char ch )\n// #if\t( NO_VIRTUAL )\n// :\tDNameNode ( charNode_t )\n// #endif\t// NO_VIRTUAL\n// {\tme\t= ch;\t}\n// inline\tint\t__near\tcharNode::length () const\t{\treturn\t1;\t}\n// inline\tchar __near\tcharNode::getLastChar () const\t{\treturn\tme;\t}\n// pchar_t\t__near\tcharNode::getString ( pchar_t buf, int len ) const\n// {\n// if\t( buf && len )\n// *buf\t= me;\n// else\n// buf\t= 0;\n// //\tNow return the character\n// return\tbuf;\n// }\t// End of \"charNode\" FUNCTION \"getString(pchar_t,int)\"\n// //\tThe 'pcharNode' virtual functions\n// inline\tint\t__near\tpcharNode::length () const\t{\treturn\tmyLen;\t}\n// inline\tchar __near\tpcharNode::getLastChar () const\t{\treturn\t( myLen ? me[ myLen - 1 ] : '' );\t}\n// __near\tpcharNode::pcharNode ( pcchar_t str, int len )\n// #if ( NO_VIRTUAL )\n// :\tDNameNode ( pcharNode_t )\n// #endif\t// NO_VIRTUAL\n// {\n// //\tGet length if not supplied\n// if\t( !len && str )\n// len\t= strlen ( str );\n// //\tAllocate a new string buffer if valid state\n// if\t( len && str )\n// {\n// me\t= gnew char[ len ];\n// myLen\t= len;\n// if\t( me )\n// strncpy ( me, str, len );\n// }\t// End of IF then\n// else\n// {\n// me\t= 0;\n// myLen\t= 0;\n// }\t// End of IF else\n// }\t// End of \"pcharNode\" CONSTRUCTOR '(pcchar_t,int)'\n// pchar_t\t__near\tpcharNode::getString ( pchar_t buf, int len ) const\n// {\n// //\tUse the shorter of the two lengths (may not be NULL terminated)\n// if\t( len > pcharNode::length ())\n// len\t= pcharNode::length ();\n// //\tDo the copy as appropriate\n// return\t(( me && buf && len ) ? 
strncpy ( buf, me, len ) : 0 );\n// }\t// End of \"pcharNode\" FUNCTION \"getString(pchar_t,int)\"\n// //\tThe 'pDNameNode' virtual functions\n// __near\tpDNameNode::pDNameNode ( DName * pName )\n// #if\t( NO_VIRTUAL )\n// :\tDNameNode ( pDNameNode_t )\n// #endif\t// NO_VIRTUAL\n// {\tme\t= (( pName && (( pName->status () == DN_invalid ) || ( pName->status () == DN_error ))) ? 0 : pName );\t}\n// inline\tint\t__near\tpDNameNode::length () const\t{\treturn\t( me ? me->length () : 0 );\t}\n// inline\tchar __near\tpDNameNode::getLastChar () const\t{\treturn\t( me ? me->getLastChar () : '' ); }\n// pchar_t\t__near\tpDNameNode::getString ( pchar_t buf, int len ) const\n// {\treturn\t(( me && buf && len ) ? me->getString ( buf, len ) : 0 );\t}\n// //\tThe 'DNameStatusNode' virtual functions\n// __near\tDNameStatusNode::DNameStatusNode ( DNameStatus stat )\n// #if\t( NO_VIRTUAL )\n// :\tDNameNode ( DNameStatusNode_t )\n// #endif\t// NO_VIRTUAL\n// {\tme\t= stat;\tmyLen\t= (( me == DN_truncated ) ? TruncationMessageLength : 0 );\t}\n// inline\tint\t__near\tDNameStatusNode::length () const\t{\treturn\tmyLen;\t}\n// inline\tchar __near\tDNameStatusNode::getLastChar () const\n// {\treturn (( me == DN_truncated ) ? TruncationMessage[ TruncationMessageLength - 1 ] : '' );\t}\n// pchar_t\t__near\tDNameStatusNode::getString ( pchar_t buf, int len ) const\n// {\n// //\tUse the shorter of the two lengths (may not be NULL terminated)\n// if\t( len > DNameStatusNode::length ())\n// len\t= DNameStatusNode::length ();\n// //\tDo the copy as appropriate\n// return\t((( me == DN_truncated ) && buf && len ) ? strncpy ( buf, TruncationMessage, len ) : 0 );\n// }\t// End of \"DNameStatusNode\" FUNCTION \"getString(pchar_t,int)\""
  },
  {
    "path": "Sysmon.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 11.00\n# Visual Studio 2010\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Sysmon\", \"Sysmon\\Sysmon.vcxproj\", \"{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Sysmon.sys\", \"Sysmon.sys\\Sysmon.sys.vcxproj\", \"{E179CA60-36AC-4DCC-8B87-06214F32DD0B}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|Win32 = Debug|Win32\n\t\tDebug|x64 = Debug|x64\n\t\tRelease|Win32 = Release|Win32\n\t\tRelease|x64 = Release|x64\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|Win32.ActiveCfg = Debug|Win32\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|Win32.Build.0 = Debug|Win32\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Debug|x64.Build.0 = Debug|x64\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|Win32.ActiveCfg = Release|Win32\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|Win32.Build.0 = Release|Win32\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|x64.ActiveCfg = Release|x64\n\t\t{E64CC626-B5DB-47C9-93DD-D14F2F60B6C6}.Release|x64.Build.0 = Release|x64\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|Win32.ActiveCfg = Debug|Win32\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|Win32.Build.0 = Debug|Win32\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Debug|x64.Build.0 = Debug|x64\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|Win32.ActiveCfg = Release|Win32\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|Win32.Build.0 = Release|Win32\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|x64.ActiveCfg = Release|x64\n\t\t{E179CA60-36AC-4DCC-8B87-06214F32DD0B}.Release|x64.Build.0 = 
Release|x64\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Sysmon.sys/CDeviceExtension.cpp",
    "content": "#include \"CDeviceExtension.h\"\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCDeviceExtension::CDeviceExtension(void)\n{\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCDeviceExtension::~CDeviceExtension(void)\n{\n}\n\n/**********************************************************************************/\n#pragma PAGEDCODE\n\nCDeviceExtension::operator PIO_CSQ()\n{\n\treturn &mCsq;\n}\n\n/**********************************************************************************/\n#pragma PAGEDCODE\n\nCDeviceExtension::operator PRKEVENT()\n{\n\treturn &mFileEvent;\n}\n\n\n/**********************************************************************************/\n#pragma INITCODE\n\nvoid CDeviceExtension::Init()\n{\n\tKeInitializeEvent(\n\t\t\t&mFileEvent,\n\t\t\tSynchronizationEvent,\n\t\t\t0);\n}"
  },
  {
    "path": "Sysmon.sys/CDeviceExtension.h",
    "content": "#ifndef _CDeviceExtension_h\n#define _CDeviceExtension_h\n#include <CppLib.h>\n\nclass CDeviceExtension\n{\npublic:\n\tCDeviceExtension(void);\n\tvirtual ~CDeviceExtension(void);\n\toperator PIO_CSQ();\n\toperator PRKEVENT();\n\n\tvoid Init();\nprivate:\n\tIO_CSQ mCsq;\n\tKEVENT mFileEvent;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/CDriverEntry.cpp",
    "content": "#include \"CDriverEntry.h\"\n#include <CppLib.h>\n#include \"CErrorStatus.h\"\n#include \"CUnicodeString.h\"\n#include \"CString.h\"\n#include \"CDriverDispatch.h\"\n#include \"CSysmonDispatchEngine.h\"\n#include \"CDeviceExtension.h\"\n#include <Fltkernel.h>\n\n\nCDriverEntry CDriverEntry::_Instance;\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCDriverEntry::CDriverEntry(void)\n\t:mIsSupportFlt(FALSE)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCDriverEntry::~CDriverEntry(void)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCDriverEntry& CDriverEntry::Instance()\n{\n\treturn _Instance;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid CDriverEntry::PsGetVersion()\n{\n\tmSystemVersion.PsGetVersion();\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nBOOL CDriverEntry::IsSupportFlt()\n{\n\tCVersion OsVersion;\n\tOsVersion.GetOsVersion();\n\n\tmIsSupportFlt =  ( OsVersion.GetMajorVersion() > 6 || \n\t\t( OsVersion.GetMajorVersion() == 6 && OsVersion.GetMinorVersion() >= 2));\n\n\treturn mIsSupportFlt;\n}\n\n/**********************************************************************************/\n#pragma INITCODE\n\nNTSTATUS \nCDriverEntry::Init(\n\tIN PDRIVER_OBJECT\tDriverObject,\n\tIN PUNICODE_STRING RegistryPath\n\t)\n{\n\tCErrorStatus Status = STATUS_UNSUCCESSFUL;\n    CallGlobalConstructors();\n\n\tCStackStringW<256> DeviceName;\n\tCStackStringW<256> DosDeviceName;\n\tCDriverDispatch DriverDispatch;\n\tCUnicodeString DevicePath = RegistryPath;\n\tBOOL IsSupportFlt = FALSE;\n\tCDriverEntry::Instance().PsGetVersion();\n\n\tDeviceName[0] = '\\\\';\n\tDeviceName[1] = 'D';\n\tDeviceName[2] = 'e';\n\tDeviceName[3] = 
'v';\n\tDeviceName[4] = 'i';\n\tDeviceName[5] = 'c';\n\tDeviceName[6] = 'e';\n\tDeviceName[7] = '\\\\';\n\tDeviceName[8] = '\\\\';\n\n\tDosDeviceName[0] = '\\\\';\n\tDosDeviceName[1] = 'D';\n\tDosDeviceName[2] = 'o';\n\tDosDeviceName[3] = 's';\n\tDosDeviceName[4] = 'D';\n\tDosDeviceName[5] = 'e';\n\tDosDeviceName[6] = 'v';\n\tDosDeviceName[7] = 'i';\n\tDosDeviceName[8] = 'c';\n\tDosDeviceName[9] = 'e';\n\tDosDeviceName[10] = 's';\n\tDosDeviceName[11] = '\\\\';\n\tDosDeviceName[12] = '\\\\';\n\n\tPWCHAR pEndPathName = &RegistryPath->Buffer[RegistryPath->Length/2];\n\n\tdo \n\t{\n\t\tif (pEndPathName == RegistryPath->Buffer)\n\t\t{\n\t\t\tif (pEndPathName[0] != '\\\\')\n\t\t\t{\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\twhile (pEndPathName[0] != '\\\\')\n\t\t\t{\n\t\t\t\tpEndPathName--;\n\n\t\t\t\tif (pEndPathName == RegistryPath->Buffer)\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t++pEndPathName;\n\n\t} while (FALSE);\n\n\t\n\tULONG LengthOfName = RegistryPath->Length - (pEndPathName - RegistryPath->Buffer);\n\n\tif (LengthOfName > 255)\n\t{\n\t\tLengthOfName = 255;\n\t}\n\n\tmemcpy(&DeviceName[8], pEndPathName, LengthOfName);\n\twcsncpy(&DosDeviceName[12], pEndPathName, LengthOfName);\n\n\tIsSupportFlt = CDriverEntry::Instance().IsSupportFlt();\n\t\n\tDriverDispatch = DriverObject->MajorFunction;\n\n\tif (!DriverDispatch)\n\t{\n\t\tDriverDispatch[IRP_MJ_CREATE] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\tDriverDispatch[IRP_MJ_CLOSE] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\tDriverDispatch[IRP_MJ_DEVICE_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\n\n\t\tif (!IsSupportFlt)\n\t\t{\n\t\t\tDriverDispatch[IRP_MJ_CREATE] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_CREATE_NAMED_PIPE] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_CLOSE] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_READ] = 
CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_WRITE] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_QUERY_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_SET_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_QUERY_EA] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_SET_EA] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_FLUSH_BUFFERS] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_QUERY_VOLUME_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_SET_VOLUME_INFORMATION] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_DIRECTORY_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_FILE_SYSTEM_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_DEVICE_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_INTERNAL_DEVICE_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_SHUTDOWN] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_LOCK_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_CLEANUP] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_CREATE_MAILSLOT] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_QUERY_SECURITY] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_SET_SECURITY] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_POWER] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_SYSTEM_CONTROL] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_DEVICE_CHANGE] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_QUERY_QUOTA] = 
CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t\tDriverDispatch[IRP_MJ_SET_QUOTA] = CSysmonDispatchEngine::SysmonDispatchIrp;\n\t\t}\n\t\t\n\t}\n\n\tdo \n\t{\n\t\tStatus = CDriverEntry::Instance().InitIoDeice(\n\t\t\tDriverObject,\n\t\t\tDeviceName,\n\t\t\tDosDeviceName,\n\t\t\tsizeof(CDeviceExtension));\n\n\t\tif (Status.IsNtSuccess())\n\t\t{\n\t\t\t__try\n\t\t\t{\n\t\t\t\tCDeviceExtension* DeviceExtension = (CDeviceExtension*)CDriverEntry::Instance().Extension();\n\n\t\t\t\tif (DeviceExtension)\n\t\t\t\t{\n\t\t\t\t\tCSysmonDispatchEngine::InitCsq(*DeviceExtension);\n\t\t\t\t\tDeviceExtension->Init();\n\t\t\t\t}\n\n\t\t\t\tStatus = CDriverEntry::Instance().InitMiniFlt(DriverObject);\n\n\t\t\t\tif (!Status.IsNtSuccess())\n\t\t\t\t{\n\t\t\t\t\tCDriverEntry::Instance().DeleteDosLink(DosDeviceName);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\t__except(EXCEPTION_CONTINUE_EXECUTION)\n\t\t\t{\n\n\t\t\t}\n\t\t}\n\n\t} while (FALSE);\n\n\t\n\treturn Status;\n}\n\n\n/**********************************************************************************/\n#pragma INITCODE\n\nCErrorStatus \nCDriverEntry::InitIoDeice(\t\n\tPDRIVER_OBJECT\t\t\t\t\tDriver,\n\tCStackStringW<256>&\t\tDeviceName,\n\tCStackStringW<256>&\t\tDosDeviceName,\n\tconst UINT32\t\t\t\t\tDeviceExtSize\n\t)\n{\n\treturn mDeviceObject.Init(Driver,DeviceName,DosDeviceName,DeviceExtSize);\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid* \nCDriverEntry::Extension()\n{\n\treturn mDeviceObject.DeviceExtension();\n}\n\n\n/**********************************************************************************/\n#pragma INITCODE\n\nCErrorStatus\nCDriverEntry::InitMiniFlt(PDRIVER_OBJECT DriverObj)\n{\n\treturn mMiniFltFilter.Init(DriverObj);\n}\n\n\n/**********************************************************************************/\n#pragma PAGEDCODE\n\nvoid \nCDriverEntry::DeleteDosLink(CStackStringW<256>& 
SymbolicLink)\n{\n\tmDeviceObject.DeleteSymbolicLink(SymbolicLink);\n}"
  },
  {
    "path": "Sysmon.sys/CDriverEntry.h",
    "content": "#ifndef _CDriverEntry_h\n#define _CDriverEntry_h\n#include \"CVersion.h\"\n#include <CppLib.h>\n#include \"CReportRecord.h\"\n#include \"CDeviceObject.h\"\n#include \"CSysmonMiniFltFilter.h\"\n\n\n#ifdef __cplusplus\nextern \"C\"{\n#endif\n\tclass CDriverEntry\n\t{\n\tpublic:\n\t\tCDriverEntry(void);\n\t\t~CDriverEntry(void);\n\n\tpublic:\n\t\tstatic\n\t\tNTSTATUS\n\t\tNTAPI\n\t\tInit(\n\t\t\tIN PDRIVER_OBJECT\tDriverObject,\n\t\t\tIN PUNICODE_STRING RegistryPath\n\t\t\t);\n\t\tstatic\n\t\tCDriverEntry& Instance();\n\n\tpublic:\n\t\tvoid PsGetVersion();\n\t\tBOOL IsSupportFlt();\n\n\t\tCErrorStatus \n\t\tInitIoDeice(\t\n\t\t\t\tPDRIVER_OBJECT\t\t\t\t\tDriver,\n\t\t\t\tCStackStringW<256>&\t\tDeviceName,\n\t\t\t\tCStackStringW<256>&\t\tDosDeviceName,\n\t\t\t\tconst UINT32\t\t\t\t\tDeviceExtSize\n\t\t\t\t);\n\n\t\tvoid DeleteDosLink(CStackStringW<256>& SymbolicLink);\n\n\t\tvoid* Extension();\n\n\t\tCErrorStatus InitMiniFlt(PDRIVER_OBJECT DriverObj);\n\tprivate:\n\t\tCVersion\t\t\t\tmSystemVersion;\n\t\tBOOL\t\t\t\t\tmIsSupportFlt;\n\t\tCReportSysmonRecord\t\tmReportSysmonRecord;\n\n\t\tCDeviceObject\t\t\tmDeviceObject;\n\t\tCSysmonMiniFltFilter\tmMiniFltFilter;\n\tprivate:\n\t\tstatic CDriverEntry _Instance;\n\t};\n\n\n#ifdef __cplusplus\n};\n#endif\n\n#endif"
  },
  {
    "path": "Sysmon.sys/CReportRecord.cpp",
    "content": "#include \"CReportRecord.h\"\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCSysmonRecord::CSysmonRecord()\n{\n\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCSysmonRecord::~CSysmonRecord()\n{\n\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCReportSysmonRecord::CReportSysmonRecord(void)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCReportSysmonRecord::~CReportSysmonRecord(void)\n{\n}\n"
  },
  {
    "path": "Sysmon.sys/CReportRecord.h",
    "content": "#ifndef _CReportRecord_h\n#define _CReportRecord_h\n\n#include <cpplib.h>\n#include <CListEntry.h>\n\n\nclass CSysmonRecord\n{\npublic:\n\tCSysmonRecord();\n\t~CSysmonRecord();\n\nprivate:\n\tUSHORT mType;\n};\n\nclass CReportSysmonRecord\n{\npublic:\n\tCReportSysmonRecord(void);\n\t~CReportSysmonRecord(void);\n\nprivate:\n\tCListEntry<CSysmonRecord*> mReportRecord;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/CSysmonControl.cpp",
    "content": "#include \"CSysmonControl.h\"\n\n/**********************************************************************************/\n#pragma INITCODE\n\nCSysmonControl::CSysmonControl(void)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCSysmonControl::~CSysmonControl(void)\n{\n\n}\n\n"
  },
  {
    "path": "Sysmon.sys/CSysmonControl.h",
    "content": "#ifndef _CSysmonControl_h\n#define _CSysmonControl_h\n\nclass CSysmonControl\n{\npublic:\n\tCSysmonControl(void);\n\tvirtual ~CSysmonControl(void);\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/CSysmonDispatchEngine.cpp",
    "content": "#include \"CSysmonDispatchEngine.h\"\n#include <CErrorStatus.h>\n#include <CIoStackLocation.h>\n#include <CIrp.h>\n#include <CSysmonBase.h>\n#include \"CSysmonioControl.h\"\n\n\n#define FLT_CONTEXT(Context) (Sysmon_Flt_CompletionContext*)Context\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCSysmonDispatchEngine::CSysmonDispatchEngine(void)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCSysmonDispatchEngine::~CSysmonDispatchEngine(void)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS \nCSysmonDispatchEngine::SysmonDispatchIrp(\n\tPDEVICE_OBJECT DeviceObject,\n\tPIRP Irp)\n{\n\tCErrorStatus Status = STATUS_SUCCESS;\n\tCIoStackLocation IoStack;\n\tCIrp SysmonIrp(Irp);\n\n\tIoStack = SysmonIrp.StackLocation();\n\tSysmonIrp.Information() = STATUS_SUCCESS;\n\n\tif (SysmonIrp.MajorFunction())\n\t{\n\t\tif (SysmonIrp.MajorFunction() != IRP_MJ_DEVICE_CONTROL)\n\t\t{\n\t\t\tif ( SysmonIrp.MajorFunction() == IRP_MJ_CLEANUP )\n\t\t\t{\n\t\t\t\tCDeviceExtension* Externsion = (CDeviceExtension*)\n\t\t\t\t\t\t\t\t\t\t\tSysmonIrp.FileObject()->DeviceObject->DeviceExtension;\n\n\t\t\t\tif (Externsion)\n\t\t\t\t{\n\t\t\t\t\tCIrp CsqIrp;\n\n\t\t\t\t\tdo \n\t\t\t\t\t{\n\t\t\t\t\t\tif (CsqIrp )\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tCsqIrp.Information() = STATUS_SUCCESS;\n\t\t\t\t\t\t\tCsqIrp.Complete(STATUS_CANCELLED,0);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tCsqIrp =  IoCsqRemoveNextIrp(*Externsion,IoStack.FileObject());\n\n\t\t\t\t\t} while (CsqIrp != NULL);\t\t\t\t\n\t\t\t\t}\n\t\t\t\t\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStatus = STATUS_INVALID_DEVICE_REQUEST;\n\t\t\t}\t\t\t\n\t\t}\n\t\telse\n\t\t{\n\t\t\t//here is  cope IRP_MJ_DEVICE_CONTROL\n\t\t}\n\t}\n\telse\n\t{\n\t\tSECURITY_SUBJECT_CONTEXT SubjectSecurityContext;\n\t\tPRIVILEGE_SET            
RequiredPrivileges;\n\t\tSeCaptureSubjectContext(&SubjectSecurityContext);\n\n\t\tRequiredPrivileges.PrivilegeCount = 1;\n\t\tRequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;\n\t\tRequiredPrivileges.Privilege[0].Luid.LowPart = 20;\n\t\tRequiredPrivileges.Privilege[0].Luid.HighPart = 0;\n\t\tRequiredPrivileges.Privilege[0].Attributes = 0;\n\n\t\tif(SePrivilegeCheck(\n\t\t\t\t\t\t&RequiredPrivileges,\n\t\t\t\t\t\t&SubjectSecurityContext,\n\t\t\t\t\t\tExGetPreviousMode()) != TRUE)\n\t\t{\n\t\t\tStatus = STATUS_ACCESS_DENIED;\n\t\t}\n\n\t\tSeReleaseSubjectContext(&SubjectSecurityContext);\n\t}\n\n\tif ( Status != STATUS_PENDING )\n\t{\n\t\tSysmonIrp.Complete(Status,0);//IofCompleteRequest(v3, 0);\n\t}\n\n\treturn Status;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS\nCSysmonDispatchEngine::SysmonFltPreOperation(\n\tPFLT_CALLBACK_DATA Data,\n\tPFLT_RELATED_OBJECTS FltObjects,\n\tPVOID *CompletionContext\n\t)\n{\n\tCErrorStatus Status = STATUS_WAIT_1;\n\tLARGE_INTEGER FileCreateTime;\n\tSysmon_Flt_CompletionContext* FltCompletionContext = FLT_CONTEXT(CompletionContext);\n\tFltCompletionContext->ContextValue = 0;\n\n\tdo \n\t{\n\t\tUSHORT FileObjType = CSysmonBase::SysmonIsNamedPipe(FltObjects);\n\t\tif (FileObjType == kFileObjFilePath)\n\t\t{\n\t\t\tStatus = STATUS_SUCCESS;\n\t\t\tbreak;\n\t\t}\n\t\telse if (FileObjType == kFileObjNamedPipe )\n\t\t{\n\t\t\tStatus = STATUS_SUCCESS;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!IoGetTopLevelIrp())\n\t\t{\n\t\t\t//ʾûģʽirp\n\t\t\tif (CSysmonBase::SysmonFileIsCommonName(Data))\n\t\t\t{\n\t\t\t\t FltCompletionContext->ContextValue = 4;\n\t\t\t\t Status = STATUS_SUCCESS;\n\t\t\t\tbreak;\n\t\t\t}\n\n\n\t\t\tif ( Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION)\n\t\t\t{\n\t\t\t\t// ļbasicInfo\n\t\t\t\tif ( Data->RequestorMode == UserMode           \n\t\t\t\t\t&& Data->Iopb->Parameters.SetFileInformation.FileInformationClass 
==\n\t\t\t\t\tFileBasicInformation\n\t\t\t\t\t&& \n\t\t\t\t\tData->Iopb->Parameters.SetFileInformation.Length >= \n\t\t\t\t\tsizeof(FILE_BASIC_INFORMATION) )\n\t\t\t\t{\n\t\t\t\t\tFILE_BASIC_INFORMATION* pBaseInfo = (FILE_BASIC_INFORMATION *)\n\t\t\t\t\t\t\t\t\t\tData->Iopb->Parameters.SetFileInformation.InfoBuffer;\n\n\t\t\t\t\tFileCreateTime.QuadPart = pBaseInfo->CreationTime.QuadPart;\n\t\t\t\t\tif ( pBaseInfo )\n\t\t\t\t\t{\n\t\t\t\t\t\t\n\t\t\t\t\t\tif ( pBaseInfo->CreationTime.QuadPart )\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif ( (FileCreateTime.HighPart & FileCreateTime.LowPart) != -1\n\t\t\t\t\t\t\t\t&& (FileCreateTime.LowPart != -2 || FileCreateTime.HighPart != -1)\n\t\t\t\t\t\t\t\t&& CSysmonBase::SysmonQueryFileFileAttributes(FltObjects) )\n\t\t\t\t\t\t\t{\n// \t\t\t\t\t\t\t\tpReportEvent = SysmonCReateSetFileInfoReport(\n// \t\t\t\t\t\t\t\t\tFltObjects,\n// \t\t\t\t\t\t\t\t\tFileCreateTime->LowPart,\n// \t\t\t\t\t\t\t\t\tFileCreateTime->HighPart);\n// \t\t\t\t\t\t\t\tif ( pReportEvent )\n// \t\t\t\t\t\t\t\t{\n// \t\t\t\t\t\t\t\t\t*CompletionContext = pReportEvent;\n// \t\t\t\t\t\t\t\t\tv3 = 0;\n// \t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if ( Data->Iopb->MajorFunction == IRP_MJ_CLEANUP )\n\t\t\t{\n\t\t\t\t//if ( byte_10015C17 )\n\t\t\t\t{\n\t\t\t\t\tPSysmon_Flt_Stream_Context FltContext = 0;\n\t\t\t\t\tif ( NT_SUCCESS(FltGetStreamContext(\n\t\t\t\t\t\t\t\t\t\tFltObjects->Instance,\n\t\t\t\t\t\t\t\t\t\tFltObjects->FileObject,\n\t\t\t\t\t\t\t\t\t\t(PFLT_CONTEXT*)&FltContext)))\n\t\t\t\t\t{\n\t\t\t\t\t\tif ( FltObjects->FileObject->FsContext2 == FltContext->FsContext2 )\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tFltContext->FsContext2 = 0;\n// \t\t\t\t\t\t\tv9 = (struct _Sysmon_Report_Common_Header *)SysmonGetFileReportEventAndIsCalHash(\n// \t\t\t\t\t\t\t\t(PFLT_INSTANCE)FltObjects->Instance,\n// \t\t\t\t\t\t\t\tFltObjects->FileObject,\n// \t\t\t\t\t\t\t\t1);\n// \t\t\t\t\t\t\tif ( v9 )\n// 
\t\t\t\t\t\t\t\tSysmonReportEvent(v9);\n\n\t\t\t\t\t\t\tFltDeleteContext(FltContext);\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t}\n\t\t\t\t\t\tFltReleaseContext(FltContext);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif ( !Data->Iopb->MajorFunction /*&& (byte_10015C2C || byte_10015C17)*/ )\n\t\t\t{\n\t\t\t\t//if ( v3 )\n\t\t\t\t{\n\t\t\t\t\tUCHAR CreateOption = (UCHAR)(((Data->Iopb->Parameters.Create.Options)>>24) & 0xFF);\n\t\t\t\t\t\n\t\t\t\t\tif ( CreateOption == FILE_SUPERSEDE || //½/ļ\n\t\t\t\t\t\tCreateOption == FILE_CREATE ||  //½ļ\n\t\t\t\t\t\tCreateOption == FILE_OVERWRITE || //ļ\n\t\t\t\t\t\tCreateOption == FILE_MAXIMUM_DISPOSITION || //򿪲/ļ\n\t\t\t\t\t\tCreateOption == FILE_OPEN_IF //Ѵļ\n\t\t\t\t\t\t)\n\t\t\t\t\t{\n\t\t\t\t\t\tStatus = STATUS_SUCCESS;\n\t\t\t\t\t\tFltCompletionContext->ContextValue = 5;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t} while (FALSE);\n\t\n\n\treturn Status;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS\nCSysmonDispatchEngine::SysmonFltPostOperation(\n\tPFLT_CALLBACK_DATA Data,\n\tPCFLT_RELATED_OBJECTS FltObjects,\n\tPVOID CompletionContext,\n\tFLT_POST_OPERATION_FLAGS Flags\n\t)\n{\n\tCErrorStatus Status = STATUS_SUCCESS;\n\n\treturn Status;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid\nCSysmonDispatchEngine::SysmonIoCsqInsertIrp(\n\tPIO_CSQ Csq,\n\tPIRP Irp\n\t)\n{\n\tPLIST_ENTRY ListHead = (PLIST_ENTRY)((UCHAR*)Csq \n\t\t\t\t\t\t\t\t\t\t- sizeof(IO_CSQ)\n\t\t\t\t\t\t\t\t\t\t- sizeof(LIST_ENTRY));\n\n\tInsertTailList(ListHead,&Irp->Tail.Overlay.ListEntry);\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid \nCSysmonDispatchEngine::SysmonIoCsqRemoveIrp(\n\tPIO_CSQ Csq,\n\tPIRP 
Irp\n\t)\n{\n\tRemoveEntryList(&Irp->Tail.Overlay.ListEntry);\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nPIRP \nCSysmonDispatchEngine::SysmonIoCsqPeekNextIrp(\n\tPIO_CSQ Csq,\n\tPIRP Irp,\n\tPVOID PeekContext\n\t)\n{\n\tPLIST_ENTRY ListHead = (PLIST_ENTRY)((UCHAR*)Csq \n\t\t- sizeof(IO_CSQ)\n\t\t- sizeof(LIST_ENTRY));\n\n\tLIST_ENTRY* Flink = NULL;\n\tif (Irp)\n\t{\n\t\tFlink = Irp->Tail.Overlay.ListEntry.Flink;\n\t}\n\telse\n\t{\n\t\tFlink = ListHead->Flink;\n\t}\n\n\tif (Flink == ListHead)\n\t{\n\t\treturn 0;\n\t}\n\n\twhile ( PeekContext && Flink[1].Flink[3].Flink != PeekContext )\n\t{\n\t\tFlink = Flink->Flink;\n\t\tif ( Flink == ListHead )\n\t\t\treturn 0;\n\t}\n\n\treturn Irp;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid \nCSysmonDispatchEngine::SysmonIoCsqAcquireLock(\n\tPIO_CSQ Csq,\n\tPKIRQL Irql\n\t)\n{\n\tExAcquireFastMutex((PFAST_MUTEX)&Csq[-1]);\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\t\nvoid\nCSysmonDispatchEngine::SysmonIoCsqReleaseLock(\n\tPIO_CSQ Csq,\n\tKIRQL Irql\n\t)\n{\n\tExReleaseFastMutex((PFAST_MUTEX)&Csq[-1]);\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid\nCSysmonDispatchEngine::SysmonIoCsqCompleteCanceledIrp(\n\tPIO_CSQ Csq,\n\tPIRP Irp\n\t)\n{\n\tIrp->IoStatus.Status = STATUS_CANCELLED;\n\tIrp->IoStatus.Information = 0;\n\tIofCompleteRequest(Irp, 0);\n}\n\n/**********************************************************************************/\n#pragma INITCODE\n\nvoid\nCSysmonDispatchEngine::InitCsq(CDeviceExtension& 
DevExt)\n{\n\t::IoCsqInitialize(\n\t\t\t\t\tDevExt,\n\t\t\t\t\t(PIO_CSQ_INSERT_IRP)SysmonIoCsqInsertIrp,\n\t\t\t\t\t(PIO_CSQ_REMOVE_IRP)SysmonIoCsqRemoveIrp,\n\t\t\t\t\t(PIO_CSQ_PEEK_NEXT_IRP)SysmonIoCsqPeekNextIrp,\n\t\t\t\t\t(PIO_CSQ_ACQUIRE_LOCK)SysmonIoCsqAcquireLock,\n\t\t\t\t\t(PIO_CSQ_RELEASE_LOCK)SysmonIoCsqReleaseLock,\n\t\t\t\t\t(PIO_CSQ_COMPLETE_CANCELED_IRP)SysmonIoCsqCompleteCanceledIrp);\n}"
  },
  {
    "path": "Sysmon.sys/CSysmonDispatchEngine.h",
    "content": "#ifndef _CSysmonDispatchEngine_h\n#define _CSysmonDispatchEngine_h\n#include <CppLib.h>\n#include \"CDeviceExtension.h\"\n#include <fltKernel.h>\n\nclass CSysmonDispatchEngine\n{\npublic:\n\tCSysmonDispatchEngine(void);\n\t~CSysmonDispatchEngine(void);\n\npublic:\n\tstatic\t\n\tNTSTATUS \n\tNTAPI \n\tSysmonDispatchIrp(\n\t\t\t\t\t\tPDEVICE_OBJECT DeviceObject,\n\t\t\t\t\t\tPIRP Irp);\n\n\tstatic\n\tNTSTATUS\n\tNTAPI\n\tSysmonFltPreOperation (\n\t\t PFLT_CALLBACK_DATA Data,\n\t\t PFLT_RELATED_OBJECTS FltObjects,\n\t\tPVOID *CompletionContext\n\t\t);\n\n\tstatic\n\tNTSTATUS\n\tNTAPI\n\tSysmonFltPostOperation (\n\t\t PFLT_CALLBACK_DATA Data,\n\t\t PCFLT_RELATED_OBJECTS FltObjects,\n\t\t PVOID CompletionContext,\n\t\t FLT_POST_OPERATION_FLAGS Flags\n\t\t);\n\n\tstatic\n\tvoid\n\tNTAPI\n\tSysmonIoCsqInsertIrp(\n\t\tPIO_CSQ Csq,\n\t\tPIRP Irp\n\t\t);\n\n\tstatic\n\tvoid \n\tNTAPI\n\tSysmonIoCsqRemoveIrp(\n\t\tPIO_CSQ Csq,\n\t\tPIRP Irp\n\t\t);\n\n\tstatic\n\tPIRP \n\tNTAPI\n\tSysmonIoCsqPeekNextIrp(\n\t\tPIO_CSQ Csq,\n\t\tPIRP Irp,\n\t\tPVOID PeekContext\n\t\t);\n\n\tstatic\n\tvoid \n\tNTAPI\n\tSysmonIoCsqAcquireLock(\n\t\tPIO_CSQ Csq,\n\t\tPKIRQL Irql\n\t\t);\n\n\tstatic\t\n\tvoid\n\tNTAPI\n\tSysmonIoCsqReleaseLock(\n\t\tPIO_CSQ Csq,\n\t\tKIRQL Irql\n\t\t);\n\n\tstatic\n\tvoid\n\tNTAPI\n\tSysmonIoCsqCompleteCanceledIrp(\n\t\tPIO_CSQ Csq,\n\t\tPIRP Irp\n\t\t);\n\n\n\tstatic \n\tvoid\n\tInitCsq(CDeviceExtension& DevExt);\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/CSysmonIoControl.h",
    "content": "#ifndef _CSysmonControl_h\n#define _CSysmonControl_h\n\ntypedef enum _Base_Sysmon_FileObj_Type\n{\n\tkFileObjErrorType = 0,\n\tkFileObjFilePath = 1,\n\tkFileObjNamedPipe = 2,\n}Base_Sysmon_FileObj_Type;\n\ntypedef struct _Sysmon_Flt_CompletionContext\n{\n\tunion\n\t{\n\t\tULONG\t\tContextValue;\n\t\tPVOID*\t\tReportEvent;\n\t};\t\n}Sysmon_Flt_CompletionContext;\n\ntypedef struct _Sysmon_Flt_Stream_Context\n{\n\tPVOID* FsContext2;\n}Sysmon_Flt_Stream_Context,*PSysmon_Flt_Stream_Context;\n\n#endif\n"
  },
  {
    "path": "Sysmon.sys/CSysmonMiniFltFilter.cpp",
    "content": "#include \"CSysmonMiniFltFilter.h\"\n#include \"CSysmonDispatchEngine.h\"\n#include \"CSysmonIoControl.h\"\n\n\n#define FLTPOST(Fn) (PFLT_POST_OPERATION_CALLBACK)CSysmonDispatchEngine::Fn\n#define FLTPRE(Fn) (PFLT_PRE_OPERATION_CALLBACK)CSysmonDispatchEngine::Fn\n\nCSysmonMiniFltFilter::CSysmonMiniFltFilter(void)\n{\n}\n\n\nCSysmonMiniFltFilter::~CSysmonMiniFltFilter(void)\n{\n}\n\n\n/**********************************************************************************/\n#pragma INITCODE\n\nCErrorStatus CSysmonMiniFltFilter::Init(PDRIVER_OBJECT DriverObj)\n{\n\tCErrorStatus Status;\n\tRegisterCallback(\n\t\tkFilterUnloadCallback,\n\t\tCSysmonMiniFltFilter::FilterUnloadCallback);\n\n\tRegisterCallback(\n\t\tkInstanceSetupCallbac,\n\t\tCSysmonMiniFltFilter::InstanceSetupCallback);\n\n\tRegisterCallback(\n\t\tkInstanceQueryTeardowCallback,\n\t\tCSysmonMiniFltFilter::InstanceQueryTeardownCallback);\n\n\tRegisterContext(\n\t\t\t\t0,\n\t\t\t\tFLT_STREAMHANDLE_CONTEXT,\n\t\t\t\t2,\n\t\t\t\t'csyS');\n\n\tRegisterContext(\n\t\t\t\t1,\n\t\t\t\tFLT_STREAMHANDLE_CONTEXT,\n\t\t\t\tsizeof(Sysmon_Flt_Stream_Context),\n\t\t\t\t'xchf');\n\n\tRegisterOptRegistration(\n\t\t0,\n\t\tIRP_MJ_CREATE,\n\t\t0,\n\t\tFLTPRE(SysmonFltPreOperation),\n\t\tFLTPOST(SysmonFltPostOperation)\n\t\t);\n\n\tRegisterOptRegistration(\n\t\t1,\n\t\tIRP_MJ_CLEANUP,\n\t\t0,\n\t\tFLTPRE(SysmonFltPreOperation),\n\t\tFLTPOST(SysmonFltPostOperation)\n\t\t);\n\n\tRegisterOptRegistration(\n\t\t2,\n\t\tIRP_MJ_SET_INFORMATION,\n\t\t0,\n\t\tFLTPRE(SysmonFltPreOperation),\n\t\tFLTPOST(SysmonFltPostOperation)\n\t\t);\n\n\tRegisterOptRegistration(\n\t\t3,\n\t\tIRP_MJ_CLOSE,\n\t\t0,\n\t\tFLTPRE(SysmonFltPreOperation),\n\t\tFLTPOST(SysmonFltPostOperation)\n\t\t);\n\n\tRegisterOptRegistration(\n\t\t4,\n\t\tIRP_MJ_CREATE_NAMED_PIPE,\n\t\t0,\n\t\tFLTPRE(SysmonFltPreOperation),\n\t\tFLTPOST(SysmonFltPostOperation)\n\t\t);\n\n\tStatus = FltRegisterFilter(DriverObj);\n\n\treturn 
Status;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS \nCSysmonMiniFltFilter::FilterUnloadCallback(\n\tFLT_FILTER_UNLOAD_FLAGS Flags\n\t)\n{\n\treturn STATUS_SUCCESS;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS\nCSysmonMiniFltFilter::InstanceSetupCallback(\n\tPCFLT_RELATED_OBJECTS FltObjects,\n\tFLT_INSTANCE_SETUP_FLAGS Flags,\n\tDEVICE_TYPE VolumeDeviceType,\n\tFLT_FILESYSTEM_TYPE VolumeFilesystemType\n\t)\n{\n\n\tif ( VolumeDeviceType == FILE_DEVICE_DISK_FILE_SYSTEM)\n\t{\n\t\treturn STATUS_SUCCESS;\n\t}\n\n// \tif (VolumeFilesystemType != FLT_FSTYPE_NPFS)\n// \t{\n// \t}\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS\nCSysmonMiniFltFilter::InstanceQueryTeardownCallback(\n\tPCFLT_RELATED_OBJECTS FltObjects,\n\tFLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags\n\t)\n{\n\treturn STATUS_SUCCESS;\n}"
  },
  {
    "path": "Sysmon.sys/CSysmonMiniFltFilter.h",
    "content": "#ifndef _CSysmonMiniFltFilter_h\n#define _CSysmonMiniFltFilter_h\n\n#include <cminifltfilter.h>\n#include <CListEntry.h>\n#include <CppLib.h>\n#include <CErrorStatus.h>\n\nclass CSysmonMiniFltFilter :\n\tpublic CMiniFltFilter\n{\npublic:\n\tCSysmonMiniFltFilter(void);\n\t~CSysmonMiniFltFilter(void);\n\n\tCErrorStatus Init(PDRIVER_OBJECT DriverObj);\n\npublic:\n\tstatic\n\t\tNTSTATUS \n\t\tNTAPI\n\t\tFilterUnloadCallback(\n\t\tFLT_FILTER_UNLOAD_FLAGS Flags\n\t\t);\n\n\tstatic\n\t\tNTSTATUS\n\t\tNTAPI\n\t\tInstanceSetupCallback(\n\t\tPCFLT_RELATED_OBJECTS FltObjects,\n\t\tFLT_INSTANCE_SETUP_FLAGS Flags,\n\t\tDEVICE_TYPE VolumeDeviceType,\n\t\tFLT_FILESYSTEM_TYPE VolumeFilesystemType\n\t\t);\n\n\tstatic\n\t\tNTSTATUS\n\t\tNTAPI\n\t\tInstanceQueryTeardownCallback(\n\t\tPCFLT_RELATED_OBJECTS FltObjects,\n\t\tFLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags\n\t\t);\n\nprivate:\n//\tCListEntry\tmListFile;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/ReadMe.txt",
    "content": "========================================================================\n    DYNAMIC LINK LIBRARY : Sysmon.sys Project Overview\n========================================================================\n\nAppWizard has created this Sysmon.sys DLL for you.\n\nThis file contains a summary of what you will find in each of the files that\nmake up your Sysmon.sys application.\n\n\nSysmon.sys.vcxproj\n    This is the main project file for VC++ projects generated using an Application Wizard.\n    It contains information about the version of Visual C++ that generated the file, and\n    information about the platforms, configurations, and project features selected with the\n    Application Wizard.\n\nSysmon.sys.vcxproj.filters\n    This is the filters file for VC++ projects generated using an Application Wizard. \n    It contains information about the association between the files in your project \n    and the filters. This association is used in the IDE to show grouping of files with\n    similar extensions under a specific node (for e.g. \".cpp\" files are associated with the\n    \"Source Files\" filter).\n\nSysmon.sys.cpp\n    This is the main DLL source file.\n\n\tWhen created, this DLL does not export any symbols. As a result, it\n\twill not produce a .lib file when it is built. 
If you wish this project\n\tto be a project dependency of some other project, you will either need to\n\tadd code to export some symbols from the DLL so that an export library\n\twill be produced, or you can set the Ignore Input Library property to Yes\n\ton the General property page of the Linker folder in the project's Property\n\tPages dialog box.\n\n/////////////////////////////////////////////////////////////////////////////\nOther standard files:\n\nStdAfx.h, StdAfx.cpp\n    These files are used to build a precompiled header (PCH) file\n    named Sysmon.sys.pch and a precompiled types file named StdAfx.obj.\n\n/////////////////////////////////////////////////////////////////////////////\nOther notes:\n\nAppWizard uses \"TODO:\" comments to indicate parts of the source code you\nshould add to or customize.\n\n/////////////////////////////////////////////////////////////////////////////\n"
  },
  {
    "path": "Sysmon.sys/Sysmon.sys.cpp",
    "content": "// Sysmon.sys.cpp : Defines the exported functions for the DLL application.\n//\n\n#include \"stdafx.h\"\n#include <CppLib.h>\n\n/**********************************************************************************/\n#pragma INITCODE\n\n#ifdef __cplusplus\nextern \"C\"\n#endif\n\tNTSTATUS\n\tNTAPI \n\tDriverEntry(\n\tIN PDRIVER_OBJECT\tDriverObject,\n\tIN PUNICODE_STRING RegistryPath)\n{\n\treturn 0;\n}"
  },
  {
    "path": "Sysmon.sys/Sysmon.sys.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{E179CA60-36AC-4DCC-8B87-06214F32DD0B}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Sysmonsys</RootNamespace>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    
<CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <GenerateManifest>false</GenerateManifest>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <GenerateManifest>false</GenerateManifest>\n    <TargetName>Sysmon64</TargetName>\n    <TargetExt>.sys</TargetExt>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>NotUsing</PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_X86_</PreprocessorDefinitions>\n      <AdditionalIncludeDirectories>$(WDK_PATH_INCLUDE);cpplib\\;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\n      <InlineFunctionExpansion>Disabled</InlineFunctionExpansion>\n      <StringPooling>false</StringPooling>\n      <MinimalRebuild>false</MinimalRebuild>\n      <ExceptionHandling>false</ExceptionHandling>\n      <BasicRuntimeChecks>Default</BasicRuntimeChecks>\n      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <FunctionLevelLinking>false</FunctionLevelLinking>\n      <FloatingPointExceptions>false</FloatingPointExceptions>\n      <CreateHotpatchableImage>false</CreateHotpatchableImage>\n      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>\n      <CallingConvention>StdCall</CallingConvention>\n    </ClCompile>\n    <Link>\n      <SubSystem>Native</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>$(WDK_PATH_LIB);FltMgr.lib</AdditionalDependencies>\n      
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>\n      <EntryPointSymbol>CDriverEntry::Init</EntryPointSymbol>\n      <BaseAddress>0x10000</BaseAddress>\n      <RandomizedBaseAddress>\n      </RandomizedBaseAddress>\n      <DataExecutionPrevention>\n      </DataExecutionPrevention>\n      <AdditionalLibraryDirectories>$(WDK_PATH_LIB_DIR)</AdditionalLibraryDirectories>\n      <OutputFile>$(OutDir)$(TargetName)</OutputFile>\n      <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>\n      <CLRImageType>\n      </CLRImageType>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>NotUsing</PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN64;_WIN64;_AMD64_</PreprocessorDefinitions>\n      <AdditionalIncludeDirectories>$(WDK_PATH_INCLUDE);cpplib\\;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\n      <InlineFunctionExpansion>Disabled</InlineFunctionExpansion>\n      <StringPooling>false</StringPooling>\n      <MinimalRebuild>false</MinimalRebuild>\n      <ExceptionHandling>false</ExceptionHandling>\n      <BasicRuntimeChecks>Default</BasicRuntimeChecks>\n      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <FunctionLevelLinking>false</FunctionLevelLinking>\n      <FloatingPointExceptions>false</FloatingPointExceptions>\n      <CreateHotpatchableImage>false</CreateHotpatchableImage>\n      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>\n      <CallingConvention>StdCall</CallingConvention>\n    </ClCompile>\n    <Link>\n      <SubSystem>Native</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>$(WDK_PATH_LIB_64)</AdditionalDependencies>\n      
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>\n      <EntryPointSymbol>CDriverEntry::Init</EntryPointSymbol>\n      <BaseAddress>0x10000</BaseAddress>\n      <RandomizedBaseAddress>\n      </RandomizedBaseAddress>\n      <DataExecutionPrevention>\n      </DataExecutionPrevention>\n      <AdditionalLibraryDirectories>\n      </AdditionalLibraryDirectories>\n      <OutputFile>$(OutDir)$(TargetName)</OutputFile>\n      <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <PrecompiledHeader>NotUsing</PrecompiledHeader>\n      <Optimization>Disabled</Optimization>\n      <FunctionLevelLinking>false</FunctionLevelLinking>\n      <IntrinsicFunctions>false</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;_X86_</PreprocessorDefinitions>\n      <AdditionalIncludeDirectories>$(WDK_PATH_INCLUDE);cpplib\\;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\n      <InlineFunctionExpansion>Disabled</InlineFunctionExpansion>\n      <WholeProgramOptimization>false</WholeProgramOptimization>\n      <ExceptionHandling>false</ExceptionHandling>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CallingConvention>StdCall</CallingConvention>\n      <AssemblerListingLocation>\n      </AssemblerListingLocation>\n      <XMLDocumentationFileName>\n      </XMLDocumentationFileName>\n      <ErrorReporting>None</ErrorReporting>\n      <CompileAs>Default</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Native</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>CDriverEntry::Init</EntryPointSymbol>\n      
<BaseAddress>0x10000</BaseAddress>\n      <RandomizedBaseAddress>\n      </RandomizedBaseAddress>\n      <DataExecutionPrevention>\n      </DataExecutionPrevention>\n      <OutputFile>$(OutDir)$(TargetName)</OutputFile>\n      <AdditionalDependencies>$(WDK_PATH_LIB);FltMgr.lib</AdditionalDependencies>\n      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>\n      <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>\n      <ManifestFile>\n      </ManifestFile>\n      <AllowIsolation>\n      </AllowIsolation>\n      <EnableUAC>\n      </EnableUAC>\n      <UACExecutionLevel>\n      </UACExecutionLevel>\n      <UACUIAccess>\n      </UACUIAccess>\n      <AdditionalLibraryDirectories>$(WDK_PATH_LIB_DIR)</AdditionalLibraryDirectories>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <PrecompiledHeader>NotUsing</PrecompiledHeader>\n      <Optimization>Disabled</Optimization>\n      <FunctionLevelLinking>false</FunctionLevelLinking>\n      <IntrinsicFunctions>false</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN64;_WIN64;_AMD64_</PreprocessorDefinitions>\n      <AdditionalIncludeDirectories>$(WDK_PATH_INCLUDE);cpplib\\;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\n      <InlineFunctionExpansion>Disabled</InlineFunctionExpansion>\n      <WholeProgramOptimization>false</WholeProgramOptimization>\n      <ExceptionHandling>false</ExceptionHandling>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CallingConvention>StdCall</CallingConvention>\n    </ClCompile>\n    <Link>\n      <SubSystem>Native</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      
<EntryPointSymbol>CDriverEntry::Init</EntryPointSymbol>\n      <BaseAddress>0x10000000</BaseAddress>\n      <RandomizedBaseAddress>\n      </RandomizedBaseAddress>\n      <DataExecutionPrevention>\n      </DataExecutionPrevention>\n      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>\n      <AdditionalDependencies>$(WDK_PATH_LIB_64)</AdditionalDependencies>\n      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>\n      <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>\n      <AllowIsolation>\n      </AllowIsolation>\n      <EnableUAC>\n      </EnableUAC>\n      <UACExecutionLevel>\n      </UACExecutionLevel>\n      <UACUIAccess>\n      </UACUIAccess>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <None Include=\"ReadMe.txt\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"CDeviceExtension.h\" />\n    <ClInclude Include=\"CDriverEntry.h\" />\n    <ClInclude Include=\"cpplib\\CAttachDevice.h\" />\n    <ClInclude Include=\"cpplib\\CAssert.h\" />\n    <ClInclude Include=\"cpplib\\CDebug.h\" />\n    <ClInclude Include=\"cpplib\\CDeviceObject.h\" />\n    <ClInclude Include=\"cpplib\\CDispatchEngine.h\" />\n    <ClInclude Include=\"cpplib\\CDriverDispatch.h\" />\n    <ClInclude Include=\"cpplib\\CDriverObject.h\" />\n    <ClInclude Include=\"cpplib\\CEResource.h\" />\n    <ClInclude Include=\"cpplib\\CErrorStatus.h\" />\n    <ClInclude Include=\"cpplib\\CFileObject.h\" />\n    <ClInclude Include=\"cpplib\\CFilterDevice.h\" />\n    <ClInclude Include=\"cpplib\\CIntNumber.h\" />\n    <ClInclude Include=\"cpplib\\CIoStackLocation.h\" />\n    <ClInclude Include=\"cpplib\\CIrp.h\" />\n    <ClInclude Include=\"cpplib\\CListEntry.h\" />\n    <ClInclude Include=\"cpplib\\CMiniFltFilter.h\" />\n    <ClInclude Include=\"cpplib\\CNPagedLookaside.h\" />\n    <ClInclude Include=\"cpplib\\CPool.h\" />\n    <ClInclude Include=\"cpplib\\CppLib.h\" />\n    <ClInclude Include=\"cpplib\\CString.h\" />\n    <ClInclude 
Include=\"cpplib\\CSysmonBase.h\" />\n    <ClInclude Include=\"cpplib\\CUnicodeString.h\" />\n    <ClInclude Include=\"cpplib\\CVersion.h\" />\n    <ClInclude Include=\"CReportRecord.h\" />\n    <ClInclude Include=\"CSysmonControl.h\" />\n    <ClInclude Include=\"CSysmonDispatchEngine.h\" />\n    <ClInclude Include=\"CSysmonIoControl.h\" />\n    <ClInclude Include=\"CSysmonMiniFltFilter.h\" />\n    <ClInclude Include=\"stdafx.h\" />\n    <ClInclude Include=\"targetver.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"CDeviceExtension.cpp\" />\n    <ClCompile Include=\"CDriverEntry.cpp\" />\n    <ClCompile Include=\"cpplib\\CAttachDevice.cpp\" />\n    <ClCompile Include=\"cpplib\\CDebug.cpp\" />\n    <ClCompile Include=\"cpplib\\CDeviceObject.cpp\" />\n    <ClCompile Include=\"cpplib\\CDispatchEngine.cpp\" />\n    <ClCompile Include=\"cpplib\\CDriverDispatch.cpp\" />\n    <ClCompile Include=\"cpplib\\CDriverObject.cpp\" />\n    <ClCompile Include=\"cpplib\\CEResource.cpp\" />\n    <ClCompile Include=\"cpplib\\CErrorStatus.cpp\" />\n    <ClCompile Include=\"cpplib\\CFileObject.cpp\" />\n    <ClCompile Include=\"cpplib\\CFilterDevice.cpp\" />\n    <ClCompile Include=\"cpplib\\CIntNumber.cpp\" />\n    <ClCompile Include=\"cpplib\\CIoStackLocation.cpp\" />\n    <ClCompile Include=\"cpplib\\CIrp.cpp\" />\n    <ClCompile Include=\"cpplib\\CListEntry.cpp\" />\n    <ClCompile Include=\"cpplib\\CMiniFltFilter.cpp\" />\n    <ClCompile Include=\"cpplib\\CNPagedLookaside.cpp\" />\n    <ClCompile Include=\"cpplib\\CPool.cpp\" />\n    <ClCompile Include=\"cpplib\\CppLib.cpp\" />\n    <ClCompile Include=\"cpplib\\CString.cpp\" />\n    <ClCompile Include=\"cpplib\\CSysmonBase.cpp\" />\n    <ClCompile Include=\"cpplib\\CUnicodeString.cpp\" />\n    <ClCompile Include=\"cpplib\\CVersion.cpp\" />\n    <ClCompile Include=\"CReportRecord.cpp\" />\n    <ClCompile Include=\"CSysmonControl.cpp\" />\n    <ClCompile Include=\"CSysmonDispatchEngine.cpp\" />\n    <ClCompile 
Include=\"CSysmonMiniFltFilter.cpp\" />\n    <ClCompile Include=\"stdafx.cpp\">\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">Create</PrecompiledHeader>\n    </ClCompile>\n    <ClCompile Include=\"Sysmon.sys.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Sysmon.sys/Sysmon.sys.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"cpplib\">\n      <UniqueIdentifier>{c03ff512-8920-4e38-b76a-ef373713f0ca}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"ReadMe.txt\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"stdafx.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"targetver.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CAssert.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CDebug.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CEResource.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CErrorStatus.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CIntNumber.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CIrp.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CListEntry.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CNPagedLookaside.h\">\n      
<Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CPool.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CppLib.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CDeviceObject.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CDriverObject.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CFileObject.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CIoStackLocation.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CString.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CUnicodeString.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CDriverDispatch.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CVersion.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CDriverEntry.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CSysmonDispatchEngine.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CReportRecord.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CFilterDevice.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CAttachDevice.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CDeviceExtension.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CDispatchEngine.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CMiniFltFilter.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CSysmonMiniFltFilter.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude 
Include=\"CSysmonControl.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cpplib\\CSysmonBase.h\">\n      <Filter>cpplib</Filter>\n    </ClInclude>\n    <ClInclude Include=\"CSysmonIoControl.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"stdafx.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"Sysmon.sys.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CDebug.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CEResource.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CErrorStatus.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CIntNumber.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CIrp.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CListEntry.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CNPagedLookaside.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CPool.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CppLib.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CDeviceObject.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CDriverObject.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CFileObject.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CIoStackLocation.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CString.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CUnicodeString.cpp\">\n      
<Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CDriverDispatch.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CVersion.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CDriverEntry.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CSysmonDispatchEngine.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CReportRecord.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CFilterDevice.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CAttachDevice.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CDeviceExtension.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CDispatchEngine.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CMiniFltFilter.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CSysmonMiniFltFilter.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"CSysmonControl.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cpplib\\CSysmonBase.cpp\">\n      <Filter>cpplib</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Sysmon.sys/Sysmon.sys.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n</Project>"
  },
  {
    "path": "Sysmon.sys/cpplib/CAssert.h",
    "content": "#ifndef _CAssert_h\n#define _CAssert_h\n\n#define CAssert( a )\n#define CAssertAddrValid( a , b)\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CAttachDevice.cpp",
    "content": "#include \"CAttachDevice.h\"\n#include \"CDebug.h\"\n\n\n/**********************************************************************************/\n#pragma PAGEDCODE\n\nCAttachDevice::CAttachDevice(void)\n:mDeviceObject(NULL),\nmLowDeviceObject(NULL)\n{\n\tRtlInitUnicodeString( \n\t\t\t\t&mDriverPath,\n\t\t\t\tL\"\\\\Device\\\\xxx\" );\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCAttachDevice::~CAttachDevice(void)\n{\n}\n\n\n/**********************************************************************************/\n#pragma INITCODE\n\nCErrorStatus\nCAttachDevice::Init( PDEVICE_OBJECT AttachDevice,\n\t\t\t\t\t\tPDEVICE_OBJECT OldDevice )\n{\n\tCErrorStatus Error;\n\tError = STATUS_SUCCESS;\n\n\tmDeviceObject = AttachDevice;\n\tmLowDeviceObject = OldDevice;\n\n\treturn Error;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCErrorStatus\nCAttachDevice::Attach( \n\tPDRIVER_OBJECT Driver,\n\tUNICODE_STRING& DeviceName)\n{\n\tCErrorStatus Error;\n\tPDEVICE_OBJECT\tAttachDeviceObject;\n\tPDEVICE_OBJECT  OldDeviceObject;\n\n\tError = IoCreateDevice(\n\t\t\t\t\t\tDriver,\n\t\t\t\t\t\t0,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tFILE_DEVICE_UNKNOWN,\n\t\t\t\t\t\t0,\n\t\t\t\t\t\tTRUE,\n\t\t\t\t\t\t&AttachDeviceObject);\n\n\tif ( Error.IsNtSuccess()) \n\t{\n\t\t//AttachDeviceObject->Flags |= DO_DIRECT_IO;\n\n\t\tError = IoAttachDevice(\n\t\t\t\t\t\tAttachDeviceObject,\n\t\t\t\t\t\t&DeviceName,\n\t\t\t\t\t\t&OldDeviceObject);\n\n\t\tif (Error.IsNtSuccess()) {\n\n\t\t\tCDebug::DebugOut(\n\t\t\t\t\t\t\"CAfdAttachDevice: IoAttachDevice(%S): 0x%x\\n\",\n\t\t\t\t\t\tDeviceName.Buffer, \n\t\t\t\t\t\tError);\n\t\t\t\n\t\t\tInit(\t\tAttachDeviceObject,\n\t\t\t\t\t\tOldDeviceObject);\n\t\t}\n\n\t\t//KdPrint((\"[tdi_fw] DriverEntry: %S fileobj: 0x%x\\n\", devname, *fltobj));\n\t\t//return 
status;\n\t}\n\telse\n\t{\n\t\tCDebug::DebugOut(\n\t\t\t\t\t\"CAfdAttachDevice: IoCreateDevice(%S): 0x%x\\n\",\n\t\t\t\t\tDeviceName.Buffer,\n\t\t\t\t\tError);\n\t}\n\n\treturn Error;\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CAttachDevice.h",
    "content": "#ifndef _CAfdAttachDevice_H\n#define _CAfdAttachDevice_H\n\n#include \"cpplib.h\"\n#include \"CListEntry.h\"\n#include \"CErrorStatus.h\"\n\n\nclass CAttachDevice\n{\npublic:\n\tCAttachDevice(void);\n\tvirtual ~CAttachDevice(void);\n\n\tvoid operator =( PDEVICE_OBJECT DeviceObject)\n\t{\n\t\tmDeviceObject = DeviceObject;\n\t}\n\n\n\tPDEVICE_OBJECT Device()\n\t{\n\t\treturn mDeviceObject;\n\t}\n\n\tPDEVICE_OBJECT LowDevice()\n\t{\n\t\treturn mLowDeviceObject;\n\t}\n\n\tCErrorStatus Init( PDEVICE_OBJECT AttachDevice,\n\t\t\t\t\t\tPDEVICE_OBJECT OldDevice );\n\n\tCErrorStatus Attach( \n\t\t\t\t\tPDRIVER_OBJECT Driver,\n\t\t\t\t\tUNICODE_STRING& DeviceName);\nprivate:\n\tPDEVICE_OBJECT mDeviceObject;\n\tPDEVICE_OBJECT mLowDeviceObject;\n\tUNICODE_STRING mDriverPath;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CDebug.cpp",
    "content": "#include \"cpplib.h\"\n#include \"CDebug.h\"\n#include <stdarg.h>\n#include <stdio.h>\n\n\nCDebug::CDebug(void)\n{\n}\n\n\nCDebug::~CDebug(void)\n{\n}\n\n#ifdef DEBUG\n\nvoid\nCDebug::DebugOut( const CHAR* formatStr, ... )\n{\n\tCHAR\tStrBuf[kMaxLengthString];\n\tva_list\tArgList;\n\tmemset( StrBuf , 0 , kMaxLengthString );\n\tva_start(ArgList, formatStr);\n\t_vsnprintf(\n\t\t\tStrBuf,\n\t\t\tkMaxLengthString, \n\t\t\tformatStr,\n\t\t\tArgList);\n\tva_end(ArgList);\n\n\tKdPrint((\"[AfdFilter]:\"));\n\tKdPrint((StrBuf));\n\tKdPrint((\"\\n\"));\n}\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CDebug.h",
    "content": "#ifndef _CDebug_h\n#define _CDebug_h\n#include \"cpplib.h\"\n\nclass CDebug\n{\npublic:\n\ttypedef enum {kMaxLengthString = 256};\n\tCDebug(void);\n\t~CDebug(void);\n\n#ifdef DEBUG\n\n\tstatic\n\tvoid DebugOut( const CHAR* formatStr, ... );\n#else\n\tstatic\n\tinline \n\tvoid DebugOut( const CHAR* formatStr, ... )\n\t{\n\n\t}\n\n#endif\n\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CDeviceObject.cpp",
    "content": "\n#include \"CDeviceObject.h\"\n#include \"CAssert.h\"\n#include \"CDebug.h\"\n\nCDeviceObject::CDeviceObject(void)\n\t:mDeviceObject(NULL)\n{\n}\n\nCDeviceObject::CDeviceObject(PDEVICE_OBJECT Device)\n{\n\tmDeviceObject = Device;\n}\n\nCDeviceObject::CDeviceObject(const CDeviceObject& Device)\n{\n\tmDeviceObject = Device.mDeviceObject;\n}\n\nCDeviceObject::~CDeviceObject(void)\n{\n\tmDeviceObject = NULL;\n}\n\n\nCDeviceObject::operator const PDEVICE_OBJECT() const\n{\n\treturn mDeviceObject;\n}\n\nCDeviceObject::operator PDEVICE_OBJECT &()\n{\n\treturn mDeviceObject;\n}\n\nPDEVICE_OBJECT* CDeviceObject::operator &()\n{\n\treturn &mDeviceObject;\n}\n\nvoid CDeviceObject::operator =(PDEVICE_OBJECT Device)\n{\n\tmDeviceObject = Device;\n}\n\nbool CDeviceObject::operator !=(PDEVICE_OBJECT DeviceObject)\n{\n\treturn (mDeviceObject != DeviceObject);\n}\n\nbool CDeviceObject::operator !()\n{\n\treturn (mDeviceObject == NULL);\n}\n\nULONG& CDeviceObject::Flags()\n{\n\treturn mDeviceObject->Flags;\n}\n\nPVOID& CDeviceObject::DeviceExtension()\n{\n\treturn mDeviceObject->DeviceExtension;\n}\n\nPDRIVER_OBJECT& CDeviceObject::DriverObject()\n{\n\treturn mDeviceObject->DriverObject;\n}\n\nULONG& CDeviceObject::DeviceType()\n{\n\treturn mDeviceObject->DeviceType;\n}\n\nPDEVICE_OBJECT& CDeviceObject::AttachedDevice()\n{\n\treturn mDeviceObject->AttachedDevice;\n}\n\nPDEVICE_OBJECT& CDeviceObject::NextDevice()\n{\n\treturn mDeviceObject->NextDevice;\n}\n\nULONG& CDeviceObject::Characteristics()\n{\n\treturn mDeviceObject->Characteristics;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCErrorStatus \nCDeviceObject::Init(\t\n\tPDRIVER_OBJECT\t\t\t\t\tDriver,\n\tCStackStringW<256>&\t\tDeviceName,\n\tCStackStringW<256>&\t\tDosDeviceName,\n\tconst UINT32\t\t\t\t\tDeviceExtSize\n\t)\n{\n\tCErrorStatus Error;\n\tUINT32 Index;\n\tCUnicodeString IoDeviceName;\n\tIndex = 0;\n\tIoDeviceName = 
&DeviceName;\n\tError = Create( \n\t\t\t\tDriver,\n\t\t\t\tDeviceExtSize,\n\t\t\t\tIoDeviceName,\n\t\t\t\tFILE_DEVICE_UNKNOWN,\n\t\t\t\t0,\t\t\t\t\t\n\t\t\t\tFALSE\n\t\t\t\t);\n\n\tif (Error.IsNtSuccess())\n\t{\t\t\n\t\tError = Link(&DosDeviceName,IoDeviceName);\n\n\t\tif ( !Error.IsNtSuccess() )\n\t\t{\n\t\t\tDelete();\n\t\t}\n\t\telse\n\t\t{\n\t\t\tFlags() &= 0xFFFFFF7F;\n\t\t}\n\t}\n\n\treturn Error;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCErrorStatus \nCDeviceObject::Create(\n\tPDRIVER_OBJECT\t\t\tDriverObject,\n\tconst UINT32\t\t\tDeviceExtSize,\n\tCUnicodeString&\tDeviceName, \n\tDEVICE_TYPE\t\t\t\tDeviceType, \n\tUINT32\t\t\t\t\tDeviceChars, \n\tBOOL\t\t\t\t\tExclusive\n\t)\n{\n\tCErrorStatus Error;\n\tCAssert(!IsAttached());\n\t\n\tError = ::IoCreateDevice(\n\t\t\t\t\tDriverObject,\n\t\t\t\t\tDeviceExtSize,\n\t\t\t\t\t(PUNICODE_STRING)DeviceName,\n\t\t\t\t\tDeviceType,\n\t\t\t\t\tDeviceChars,\n\t\t\t\t\tExclusive,\n\t\t\t\t\t&mDeviceObject);\t\n\n\tif ( Error.IsNtSuccess())\n\t{\n//  \t\tCDebug::DebugOut(\n//  \t\t\t\"CDeviceObject::IoCreateDevice(%S): 0x%x\\n\",\n//  \t\t\tDeviceName.Buffer, \n//  \t\t\tError);\n\t\t\n\t}\n\n\treturn Error;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCErrorStatus \nCDeviceObject::Link(\n\t\t\t\t\tconst WCHAR* LinkName,\n\t\t\t\t\tCUnicodeString& DeviceName) const\n{\n\tCErrorStatus Error;\n\tCUnicodeString DeviceLinkName;\n\tCAssert(IsAttached());\n\tCAssert(WeCreated());\n\tCAssert(!WeLinked());\n\n\tdo \n\t{\n\t\tif (!LinkName)\n\t\t{\n\t\t\tError = STATUS_INVALID_ADDRESS;\n\t\t\tbreak;\n\t\t}\n\t\t\n\t\tDeviceLinkName = LinkName;\n\t\tError = IoCreateSymbolicLink(\n\t\t\t\tDeviceLinkName, \n\t\t\t\tDeviceName\n\t\t\t\t);\n\n\t} while (FALSE);\t\n\n\treturn Error;\n}\n\n/**********************************************************************************/\n#pragma 
PAGEDCODE\n\nvoid CDeviceObject::Delete()\n{\n\tif (mDeviceObject)\n\t{\n\t\t::IoDeleteDevice(mDeviceObject);\n\t}\n\t\n}\n\n/**********************************************************************************/\n#pragma PAGEDCODE\n\nvoid CDeviceObject::DeleteSymbolicLink(CStackStringW<256>& SymbolicLink)\n{\n\tCUnicodeString SymbolicLinkName;\n\tSymbolicLinkName = SymbolicLink;\n\t::IoDeleteSymbolicLink(SymbolicLinkName);\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CDeviceObject.h",
    "content": "#ifndef _CDeviceObject_h\n#define _CDeviceObject_h\n#include \"cpplib.h\"\n#include \"CErrorStatus.h\"\n#include \"CString.h\"\n#include \"CUnicodeString.h\"\n\nclass CDeviceObject\n{\npublic:\n\tCDeviceObject(void);\n\tCDeviceObject(PDEVICE_OBJECT Device);\n\tCDeviceObject(const CDeviceObject& Device);\n\t~CDeviceObject(void);\n\npublic:\n\n\toperator const PDEVICE_OBJECT() const;\n\n\toperator PDEVICE_OBJECT&();\n\n\tPDEVICE_OBJECT* operator &();\n\n\tvoid operator =(PDEVICE_OBJECT Device);\n\n\tbool operator !=(PDEVICE_OBJECT DeviceObject);\n\n\tbool operator !();\n\n\tULONG& Flags();\n\n\tULONG& Characteristics();\n\n\tULONG& DeviceType();\n\n\tPVOID& DeviceExtension();\n\n\tPDRIVER_OBJECT& DriverObject();\n\n\tPDEVICE_OBJECT& AttachedDevice();\n\n\tPDEVICE_OBJECT& NextDevice();\n\n\tCErrorStatus ObQueryNameString();\n\n\tCErrorStatus \n\tInit(\t\n\t\tPDRIVER_OBJECT\t\t\t\t\tDriver,\n\t\tCStackStringW<256>&\t\tDeviceName,\n\t\tCStackStringW<256>&\t\tDosDeviceName,\n\t\tconst UINT32\t\t\t\t\tDeviceExtSize\n\t\t);\n\n\tCErrorStatus Create(\n\t\tPDRIVER_OBJECT\t\t\tDriverObject,\n\t\tconst UINT32\t\t\tDeviceExtSize,\n\t\tCUnicodeString&\tDeviceName, \n\t\tDEVICE_TYPE\t\t\t\tDeviceType, \n\t\tUINT32\t\t\t\t\tDeviceChars, \n\t\tBOOL\t\t\t\t\tExclusive\n\t\t);\n\n\tCErrorStatus\tLink( \n\t\t\t\t\t\tconst WCHAR* LinkName,\n\t\t\t\t\t\tCUnicodeString& DeviceName) const;\n\tvoid Delete();\n\n\tvoid DeleteSymbolicLink(CStackStringW<256>& SymbolicLink);\nprivate:\n\t/*\n\t* ...豸...\n\t*/\n\tPDEVICE_OBJECT\tmDeviceObject;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CDispatchEngine.cpp",
    "content": "#include \"CDispatchEngine.h\"\n\n\nCDispatchEngine::CDispatchEngine(void)\n{\n}\n\n\nCDispatchEngine::~CDispatchEngine(void)\n{\n}\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CDispatchEngine.h",
    "content": "#ifndef _CDispatchEngine_h\n#define _CDispatchEngine_h\n\nclass CDispatchEngine\n{\npublic:\n\tCDispatchEngine(void);\n\tvirtual ~CDispatchEngine(void);\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CDriverDispatch.cpp",
    "content": "#include \"CDriverDispatch.h\"\n\n\nCDriverDispatch::CDriverDispatch(void)\n\t:mDriverDisptach(NULL)\n{\n}\n\nCDriverDispatch::CDriverDispatch(const PDRIVER_DISPATCH* DriverDisptach)\n{\n\tmDriverDisptach = (PDRIVER_DISPATCH*)DriverDisptach;\n}\n\nCDriverDispatch::~CDriverDispatch(void)\n{\n}\n\nvoid CDriverDispatch::operator =(const PDRIVER_DISPATCH* DriverDisptach)\n{\n\tmDriverDisptach = (PDRIVER_DISPATCH*)DriverDisptach;\n}\n\nBOOL CDriverDispatch::operator !() const\n{\n\treturn mDriverDisptach != NULL;\n}\n\nPDRIVER_DISPATCH& CDriverDispatch::operator [](int n)\n{\n\treturn mDriverDisptach[n];\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CDriverDispatch.h",
    "content": "#ifndef _CDriverDispatch_h\n#define _CDriverDispatch_h\n#include <cpplib.h>\n\nclass CDriverDispatch\n{\npublic:\n\tCDriverDispatch(void);\n\tCDriverDispatch(const PDRIVER_DISPATCH* DriverDisptach);\n\tvirtual ~CDriverDispatch(void);\n\n\n\tvoid operator =(const PDRIVER_DISPATCH* DriverDisptach);\n\tBOOL operator !() const;\n\tPDRIVER_DISPATCH& operator [](int n);\nprivate:\n\tPDRIVER_DISPATCH* mDriverDisptach;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CDriverObject.cpp",
    "content": "\n#include \"CDriverObject.h\"\n\n\nCDriverObject::CDriverObject(void)\n{\n}\n\nCDriverObject::CDriverObject(PDRIVER_OBJECT DriverObject)\n{\n\tmDriverObject = DriverObject;\n}\n\nCDriverObject::CDriverObject(const CDriverObject& DriverObject)\n{\n\tmDriverObject = DriverObject.mDriverObject;\n}\n\nCDriverObject::~CDriverObject(void)\n{\n}\n\n\nCDriverObject::operator const PDRIVER_OBJECT() const\n{\n\treturn mDriverObject;\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CDriverObject.h",
    "content": "#ifndef _CDriverObject_h\n#define _CDriverObject_h\n#include \"cpplib.h\"\n\nclass CDriverObject\n{\npublic:\n\tCDriverObject(void);\n\tCDriverObject(PDRIVER_OBJECT DriverObject);\n\tCDriverObject(const CDriverObject& DriverObject);\n\t~CDriverObject(void);\npublic:\n\n\toperator const PDRIVER_OBJECT() const;\nprivate:\n\tPDRIVER_OBJECT mDriverObject;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CEResource.cpp",
    "content": "#include \"CEResource.h\"\n\n\nCEResource::CEResource(void)\n{\n\t//mReference = 0;\n\tExInitializeResource(&mEResoure);\n}\n\nCEResource::~CEResource(void)\n{\t\n\tExDeleteResource(&mEResoure);\t\t\n}\n\nvoid \nCEResource::Lock()\n{\t\n\tExAcquireResourceExclusive(&mEResoure,true);\t\t\n}\n\nvoid \nCEResource::UnLock()\n{\t\n\tExReleaseResource(&mEResoure);\t\n}\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CEResource.h",
    "content": "#ifndef _CEResource_h\n#define _CEResource_h\n\n#include \"cpplib.h\"\n\nclass CEResource\n{\npublic:\n\tCEResource(void);\n\t~CEResource(void);\n\n\tvoid Lock();\n\tvoid UnLock();\n\nprivate:\n\tERESOURCE\t\t\tmEResoure;\n\t//volatile\tLONG\tmReference;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CErrorStatus.cpp",
    "content": "#include \"CErrorStatus.h\"\n\n\nCErrorStatus::CErrorStatus(void)\n{\n\tmNtStatus = STATUS_UNSUCCESSFUL;\n}\n\nCErrorStatus::~CErrorStatus(void)\n{\n}\n\nCErrorStatus::CErrorStatus( NTSTATUS Status  )\n{\n\tmNtStatus = Status;\n}\n\nCErrorStatus::CErrorStatus(const CErrorStatus& Error )\n{\n\tmNtStatus = Error.mNtStatus;\n\tmSystemError = Error.mSystemError;\n}\n\nvoid\nCErrorStatus::operator =( NTSTATUS Status )\n{\n\tmNtStatus = Status;\n}\n\nBOOL \nCErrorStatus::IsNtSuccess()\n{\n\treturn NT_SUCCESS(mNtStatus);\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CErrorStatus.h",
    "content": "#ifndef _CErrorStatus_H\n#define _CErrorStatus_H\n\n#include \"cpplib.h\"\n\nclass CErrorStatus\n{\npublic:\n\tCErrorStatus(void);\n\t~CErrorStatus(void);\n\tCErrorStatus( NTSTATUS Status  );\n\tCErrorStatus(const CErrorStatus& Error );\n\n\tvoid operator =( NTSTATUS Status );\n\n\toperator NTSTATUS()\n\t{\n\t\treturn mNtStatus;\n\t}\n\n\tBOOL IsNtSuccess();\n\nprivate:\n\tNTSTATUS mNtStatus;\n\tULONG    mSystemError;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CFileObject.cpp",
    "content": "#include \"cpplib.h\"\n#include \"CFileObject.h\"\n\n\nCFileObject::CFileObject(void)\n\t:mFileObj(NULL)\n{\n}\n\nCFileObject::CFileObject(const CFileObject& File)\n{\n\tmFileObj = mFileObj;\n}\n\nCFileObject::CFileObject(const PFILE_OBJECT& File)\n{\n\tmFileObj = File;\n}\n\nCFileObject::~CFileObject(void)\n{\n}\n\n\nCFileObject::operator PFILE_OBJECT()\n{\n\treturn mFileObj;\n}\n\nPVOID CFileObject::operator !()\n{\n\treturn (PVOID)!mFileObj;\n}\n\nPUNICODE_STRING CFileObject::FileName()\n{\n\treturn &mFileObj->FileName;\n}\n\nPFILE_OBJECT&    CFileObject::RelatedFileObject()\n{\n\treturn mFileObj->RelatedFileObject;\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CFileObject.h",
    "content": "#ifndef _CFileObject_h\n#define _CFileObject_h\n\nclass CFileObject\n{\npublic:\n\tCFileObject(void);\n\tCFileObject(const CFileObject& File);\n\tCFileObject(const PFILE_OBJECT& File);\n\t~CFileObject(void);\n\n\toperator PFILE_OBJECT();\n\n\tPVOID operator !();\n\n\tPUNICODE_STRING FileName();\n\n\tPFILE_OBJECT&    RelatedFileObject();\n\nprivate:\n\tPFILE_OBJECT mFileObj;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CFilterDevice.cpp",
    "content": "#include \"CFilterDevice.h\"\n#include \"CIrp.h\"\n#include \"CppLib.h\"\n#include \"CAssert.h\"\n\nWCHAR* CFilterDevice::sDeviceName = L\"\\\\Device\\\\XXXXXXX\";\nWCHAR* CFilterDevice::sLinkName   = L\"\\\\DosDevices\\\\XXXXXXX\";\n\n\nCFilterDevice::CFilterDevice(void)\n:mDeviceObject(NULL),\nmDriverObject(NULL),\nmIsAttached(FALSE),\nmWeCreated(FALSE),\nmWeLinked(NULL),\nmFileObjectToUse(NULL),\nmDispatchFunc(NULL),\nmRefPtr(NULL),\nmIsRelease(FALSE)\n{\n}\n\n\nCFilterDevice::~CFilterDevice(void)\n{\n}\n\nCErrorStatus \nCFilterDevice::Init(\tPDRIVER_OBJECT\t\t\tDriver,\n\t\t\t\t\t\tPUNICODE_STRING\t\t\tRegistry,\n\t\t\t\t\t\tconst UINT32\t\t\tDeviceExtSize)\n{\n\n\tCErrorStatus Error;\n\tUINT32 Index;\n\n\tIndex = 0;\n\n\tError = Create( Driver,\n\t\t\t\t\tDeviceExtSize,\n\t\t\t\t\tsDeviceName,\n\t\t\t\t\tFILE_DEVICE_UNKNOWN,\n\t\t\t\t\t0,\t\t\t\t\t\n\t\t\t\t\tFALSE,\n\t\t\t\t\tNULL,\n\t\t\t\t\tNULL );\n\n\tif (Error.IsNtSuccess())\n\t{\n\n// \t\tfor ( Index = 0; Index < IRP_MJ_MAXIMUM_FUNCTION ; Index++)\n// \t\t{\n// \t\t\tDriver->MajorFunction[Index] = CAfdFilterDispatch::FilterDispatch;\n// \t\t}\n\t\t//Error = AfdFastIo.Init(Driver);\n\n\t\t//if (Error.IsNtSuccess())\n\t\t//{\n\t\t\t//Error = CZPMountEngine::Init(this);\n\n\t\t\t//if ( Error.IsNtSuccess())\n\t\t\t//{\n\t\tError = Link(sLinkName);\n\n\t\tif ( !Error.IsNtSuccess() )\n\t\t{\n\t\t\tDelete();\n\n\t\t}\n\t\telse\n\t\t{\n// \t\t\tError = ToAttachDevice( L\"\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\\\\Afd\" );\n// \n// \t\t\tif ( !Error.IsNtSuccess())\n// \t\t\t{\n// \t\t\t\tUnlink();\n// \t\t\t\tDelete();\n// \t\t\t}\n\t\t}\t\t\n\t\t\t//}\t\t\t\n\t\t//}\n\n\t\tmIsRelease = TRUE;\n\n\t}\n\n\treturn Error;\n}\n\nCErrorStatus \nCFilterDevice::Create(\n\tPDRIVER_OBJECT\t\t\tDriverObject,\n\tconst UINT32\t\t\tDeviceExtSize,\n\tconst WCHAR*\t\t\tDeviceName, \n\tDEVICE_TYPE\t\t\t\tDeviceType, \n\tUINT32\t\t\t\tDeviceChars, \n\tBOOL\t\t\t\t\tExclusive, 
\n\tIrpDispatchFunc\t\t\tDispatchFunc, \n\tvoid\t\t\t\t\t*RefPtr)\n{\n\tCErrorStatus Error;\n\tCAssert(!IsAttached());\n\tCAssertAddrValid( DispatchFunc, IrpDispatchFunc);\n\n\tRtlInitUnicodeString( \n\t\t&mDeviceName ,\n\t\tDeviceName );\n\n\tError = IoCreateDevice(\n\t\tDriverObject,\n\t\tDeviceExtSize,\n\t\t&mDeviceName,\n\t\tDeviceType,\n\t\tDeviceChars,\n\t\tExclusive,\n\t\t&mDeviceObject);\t\n\n\tif ( Error.IsNtSuccess())\n\t{\n\t\tmDriverObject\t\t\t= DriverObject;\n\t\tmDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;\n\t\tmDeviceObject->Flags |= DO_DIRECT_IO;\n\t\tmDeviceObject->DeviceExtension = this;\n\n\t\tmIsAttached\t\t= TRUE;\n\t\tmWeCreated\t\t= TRUE;\n\t\tmDispatchFunc\t= DispatchFunc;\n\t\tmRefPtr\t\t\t= RefPtr;\n\t}\n\n\treturn Error;\n}\n\nvoid \nCFilterDevice::Delete()\n{\n\tCAssert(IsAttached());\n\tCAssert(WeCreated());\n\tCAssert(!WeLinked());\n\n\tIoDeleteDevice(mDeviceObject);\n\t\n\t//mDeviceName.Empty();\n\tmIsAttached\t\t= FALSE;\n\tmDeviceObject\t= NULL;\n\tmDispatchFunc\t= NULL;\n\tmRefPtr\t\t\t= NULL;\n}\n\n\nCErrorStatus \nCFilterDevice::Link(const WCHAR* LinkName)\n{\n\tCErrorStatus Error;\n\tCAssert(IsAttached());\n\tCAssert(WeCreated());\n\tCAssert(!WeLinked());\n\n\tRtlInitUnicodeString(\t&mDeviceLinkName,\n\t\t\t\t\t\t\tLinkName );\n\n\t//if ( Error.IsNtSuccess() )\n\t//{\n\t\tError = IoCreateSymbolicLink(\n\t\t\t\t\t\t&mDeviceLinkName, \n\t\t\t\t\t\t&mDeviceName\n\t\t\t\t\t\t);\n\t//}\n\n\tif ( Error.IsNtSuccess())\n\t{\n\t\tmWeLinked = TRUE;\n\t}\n\n\treturn Error;\n}\n\nCErrorStatus \nCFilterDevice::Unlink()\n{\n\tCErrorStatus Error;\n\tCAssert(IsAttached());\n\tCAssert(WeCreated());\n\tCAssert(WeLinked());\n\n\tError = IoDeleteSymbolicLink(\n\t\t&mDeviceLinkName\n\t\t);\n\n\n\tif ( Error.IsNtSuccess() )\n\t{\n\t\tmWeLinked = FALSE;\n\t}\n\n\treturn Error;\n}\n\nCErrorStatus \nCFilterDevice::ToAttachDevice( WCHAR* DeviceName )\n{\n\tCErrorStatus Error;\n    UNICODE_STRING 
AttachDeviceName;\n\tPDEVICE_OBJECT\tDeviceObject;\n\tFILE_OBJECT*\tFileObject;\n\t\n\n\tRtlInitUnicodeString( &AttachDeviceName , DeviceName);\n\n\tError = ZwLoadDriver(&AttachDeviceName);\n\n\tif ( Error.IsNtSuccess() || \n\t\tError == STATUS_IMAGE_ALREADY_LOADED )\n\t{\n\t\tRtlInitUnicodeString(&AttachDeviceName, L\"\\\\Device\\\\Afd\");\n\t\tError = IoGetDeviceObjectPointer( \n\t\t\t\t\t\t\t\t\t&AttachDeviceName, \n\t\t\t\t\t\t\t\t\tFILE_READ_ATTRIBUTES,\n\t\t\t\t\t\t\t\t\t&FileObject, \n\t\t\t\t\t\t\t\t\t&DeviceObject);\n\n\t\tif ( Error.IsNtSuccess() )\n\t\t{\n\t\t\tError = mAttachDevice.Attach( mDriverObject,AttachDeviceName);\n\n\t\t\tif ( Error.IsNtSuccess() )\n\t\t\t{\n\t\t\t\tmIsAttached = TRUE;\n\t\t\t}\n\t\t}\n\t}\n\n\treturn Error;\n}\n\n\nPDEVICE_OBJECT\nCFilterDevice::Device()\n{\n\treturn mDeviceObject;\n}\n\nCAttachDevice&\nCFilterDevice::AttachDevice()\n{\t\n\tCAttachDevice AttachDev;\n\treturn AttachDev;\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CFilterDevice.h",
    "content": "#ifndef _CFilterDevice_H\n#define _CFilterDevice_H\n\n#include \"cpplib.h\"\n#include \"CErrorStatus.h\"\n#include \"CAttachDevice.h\"\n\nclass CFilterDevice;\nclass CIrp;\n\ntypedef CErrorStatus ( NTAPI *IrpDispatchFunc)(\n\t\t\t\t\t\t\t\t\tCFilterDevice * FilterDevice,\n\t\t\t\t\t\t\t\t\tCIrp&Irp,\n\t\t\t\t\t\t\t\t\tvoid* RefPtr, \n\t\t\t\t\t\t\t\t\tBOOL& IsIrpCompleted);\n\nclass CFilterDevice\n{\npublic:\n\tCFilterDevice(void);\n\t~CFilterDevice(void);\n\t\npublic:\n\tCErrorStatus Create( PDRIVER_OBJECT Driver );\n\n\tCErrorStatus \n\t\tInit(\tPDRIVER_OBJECT\t\t\tDriver,\n\t\t\t\tPUNICODE_STRING\t\t\tRegistry,\n\t\t\t\tconst UINT32\t\t\tDeviceExtSize\n\t\t\t\t);\n\n\tCErrorStatus Create(\n\t\t\t\t\tPDRIVER_OBJECT\t\t\tDriverObject,\n\t\t\t\t\tconst UINT32\t\t\tDeviceExtSize,\n\t\t\t\t\tconst WCHAR*\t\t\tDeviceName, \n\t\t\t\t\tDEVICE_TYPE\t\t\t\tDeviceType, \n\t\t\t\t\tUINT32\t\t\t\tDeviceChars, \n\t\t\t\t\tBOOL\t\t\t\t\tExclusive, \n\t\t\t\t\tIrpDispatchFunc\t\t\tDispatchFunc, \n\t\t\t\t\tvoid\t\t\t\t\t*RefPtr);\n\n\tCErrorStatus\tLink( const WCHAR* LinkName);\n\tCErrorStatus\tUnlink();\n\tvoid\t\t\tDelete();\n \n\tPDEVICE_OBJECT\n\tDevice();\n\n\n\tstatic \n\tCAttachDevice&  \n\tAttachDevice();\n\n\tPDRIVER_OBJECT  DriverObject() const {return mDriverObject;};\n\n\toperator PDEVICE_OBJECT() {return mDeviceObject;};\n\toperator const PDEVICE_OBJECT() const {return mDeviceObject;};\n\tBOOL\t\t\tIsAttached() const{return mIsAttached;};\n\tBOOL\t\t\tWeCreated() const {return mWeCreated;};\n\tBOOL\t\t\tWeLinked()\tconst {return mWeLinked;};\n\n\tCErrorStatus ToAttachDevice( WCHAR* DeviceName );\n\n\tCErrorStatus\n\t\tDispatchIrp( \n\t\tCIrp& Irp,\n\t\tBOOL& IsIrpCompleted );\n\nprivate:\n\t/*\n\t* ...豸...\n\t*/\n\tDEVICE_OBJECT*\tmDeviceObject;\n\n\t/*\n\t* ......\n\t*/\n\tDRIVER_OBJECT*\tmDriverObject;\n\n\t/*\n\tAttach豸\n\t*/\n\tCAttachDevice mAttachDevice;\n\n\t/*\n\t* ...豸(DeviceName)...\n\t*/\n\tUNICODE_STRING\tmDeviceName;\n\n\t/*\n\t* 
...豸(LinkName)...\n\t*/\n\tUNICODE_STRING\tmDeviceLinkName;\n\n\t/*\n\t* ...豸...\n\t*/\n\tvoid*\t\t\tmRefPtr;\n\n\t/*\n\t* ...豸Ƿ񱻸Attached...\n\t*/\n\tBOOL\t\t\tmIsAttached;\n\n\t/*\n\t* ...豸Ƿ񱻴Created...\n\t*/\n\tBOOL\t\t\tmWeCreated;\n\n\t/*\n\t* ...豸ǷLinked...\n\t*/\n\tBOOL\t\t\tmWeLinked;\n\n\t/*\n\t*\n\t*/\n\tBOOL\t\t\tmIsRelease;\n\n\t/*\n\t* ...豸豸...\n\t*/\n\n\tPFILE_OBJECT\tmFileObjectToUse;\n\tIrpDispatchFunc\tmDispatchFunc;\n\n\tstatic WCHAR* sDeviceName;\n\tstatic WCHAR* sLinkName;\n\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CIntNumber.cpp",
    "content": "#include \"CIntNumber.h\"\n\n\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CIntNumber.h",
    "content": "#ifndef _CIntNumber_h\n#define _CIntNumber_h\n\n#include \"cpplib.h\"\n\ntemplate<typename T>\nclass CIntNumber\n{\npublic:\n\tCIntNumber(void)\n\t{\n\t\tmNumber = 0;\n\t}\n\n\tCIntNumber(T _X )\n\t{\n\t\tmNumber = _X;\n\t}\n\n\tCIntNumber(CIntNumber& _X )\n\t{\n\t\tmNumber = (T)_X;\n\t}\n\n\t~CIntNumber(void)\n\t{\n\t\tmNumber = 0;\n\t}\n\n\toperator T() const\n\t{\n\t\treturn mNumber;\n\t}\n\n\tvoid\n\toperator ++()\n\t{\n\t\tmNumber++;\n\t}\n\n\tvoid\n\toperator =(T& _X)\n\t{\n\t\tmNumber = _X;\n\t}\n\t\n\tvoid\n\toperator =(CIntNumber& _X)\n\t{\n\t\tmNumber = (T)_X;\n\t}\n\n \tBOOL\n \toperator ==(T& _X)\n \t{\n \t\treturn (mNumber == _X);\n \t}\n\n\tBOOL\n\toperator ==(CIntNumber& _X)\n\t{\n\t\treturn (mNumber == (T)_X);\n\t}\n\n\tBOOL\n\toperator <(T& _X)\n\t{\n\t\treturn (BOOL)(mNumber < _X);\n\t}\n\n\tBOOL\n\t\toperator <=(T& _X)\n\t{\n\t\treturn (mNumber <= _X);\n\t}\n\n\tBOOL\n\t\toperator >(T& _X)\n\t{\n\t\treturn (mNumber > _X);\n\t}\n\n\tBOOL\n\t\toperator >=(T& _X)\n\t{\n\t\treturn (mNumber >= _X);\n\t}\n\n\tT mNumber;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CIoStackLocation.cpp",
    "content": "#include \"cpplib.h\"\n#include \"CIoStackLocation.h\"\n\n\nCIoStackLocation::CIoStackLocation(void)\n\t:mStack(NULL)\n{\n}\n\nCIoStackLocation::CIoStackLocation(\n\t\t\t\tconst CIoStackLocation& Stack)\n{\n\tmStack = Stack.mStack;\n}\n\nCIoStackLocation::CIoStackLocation(const PIO_STACK_LOCATION& Stack)\n{\n\tmStack = Stack;\n}\n\nCIoStackLocation::~CIoStackLocation(void)\n{\n}\n\n\nCIoStackLocation::operator PIO_STACK_LOCATION()\n{\n\treturn mStack;\n}\n\nvoid\nCIoStackLocation::operator =(const PIO_STACK_LOCATION Stack)\n{\n\tmStack =Stack;\n}\n\nBOOLEAN \nCIoStackLocation::operator ==(const PIO_STACK_LOCATION Stack)\n{\n\treturn ( mStack == Stack?true:false); \n}\n\nBOOLEAN CIoStackLocation::operator !=(const PIO_STACK_LOCATION Stack)\n{\n\treturn (mStack != Stack?true:false);\n}\n\nPVOID CIoStackLocation::operator !()\n{\n\treturn ((PVOID)!mStack);\n}\n\nCFileObject CIoStackLocation::FileObject()\n{\n\treturn mStack->FileObject;\n}\n\nUCHAR&\tCIoStackLocation::Flags()\n{\n\treturn mStack->Flags;\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CIoStackLocation.h",
    "content": "#ifndef _CIoStackLocation_h\n#define _CIoStackLocation_h\n\n#include \"CFileObject.h\"\n\nclass CIoStackLocation\n{\npublic:\n\tCIoStackLocation(void);\n\tCIoStackLocation(const CIoStackLocation& Stack);\n\tCIoStackLocation(const PIO_STACK_LOCATION& Stack);\n\t~CIoStackLocation(void);\n\n\toperator PIO_STACK_LOCATION();\n\n\tvoid operator =(const PIO_STACK_LOCATION Stack);\n\tBOOLEAN operator ==(const PIO_STACK_LOCATION Stack);\n\tBOOLEAN operator !=(const PIO_STACK_LOCATION Stack);\n\tPVOID operator !();\n\n\tCFileObject FileObject();\n\tUCHAR&\t\tFlags();\n\nprivate:\n\tPIO_STACK_LOCATION mStack;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CIrp.cpp",
    "content": "#include \"cpplib.h\"\n#include \"CIrp.h\"\n#include \"CAssert.h\"\n\nCIrp::CIrp(void)\n:mIrp(NULL)\n{\n\n}\n\nCIrp::CIrp(PIRP pIrp)\n:mIrp(NULL)\n{\n\tmIrp = pIrp;\n}\n\nCIrp::~CIrp()\n{\n\tmIrp = NULL;\n}\n\n\nPIRP\t\t\nCIrp::Get() const\n{\n\treturn mIrp;\n}\n\nNTSTATUS& \t\n\tCIrp::Status() const \n{\n\treturn mIrp->IoStatus.Status;\n}\n\nKPROCESSOR_MODE&\t\t\nCIrp::RequestorMode() const\n{\n\treturn mIrp->RequestorMode;\n}\n\nULONG_PTR&\t\nCIrp::Information() const \n{\n\treturn mIrp->IoStatus.Information;\n}\n\nPMDL&\nCIrp::MdlAddress() const \n{\n\treturn mIrp->MdlAddress;\n}\n\nPVOID&\t\t\nCIrp::UserBuffer() const \n{\n\treturn mIrp->UserBuffer;\n}\n\n\nPVOID&\nCIrp::DriverContext1() const \n{\n\treturn mIrp->Tail.Overlay.DriverContext[1];\n}\n\nPVOID&\nCIrp::DriverContext2() const \n{\n\treturn mIrp->Tail.Overlay.DriverContext[2];\n}\n\nPVOID&\nCIrp::DriverContext3() const \n{\n\treturn mIrp->Tail.Overlay.DriverContext[3];\n}\n\nPVOID&\nCIrp::DriverContext4() const \n{\n\treturn mIrp->Tail.Overlay.DriverContext[4];\n}\n\nUINT8&\nCIrp::MajorFunction() const \n{\n\treturn StackLocation()->MajorFunction;\n}\n\nUINT8&\nCIrp::MinorFunction() const \n{\n\treturn StackLocation()->MinorFunction;\n}\n\nUINT8&\nCIrp::Flags() const \n{\n\treturn StackLocation()->Flags;\n}\n\nUINT8&\t\nCIrp::Control() const \n{\n\treturn StackLocation()->Control;\n}\n\nULONG&\nCIrp::ReadLength() const \n{\n\treturn StackLocation()->Parameters.Read.Length;\n}\n\nINT64&\nCIrp::ReadPos() const \n{\n\treturn StackLocation()->Parameters.Read.ByteOffset.QuadPart;\n}\n\nULONG&\nCIrp::WriteLength() const \n{\n\treturn StackLocation()->Parameters.Write.Length;\n}\n\nINT64&\t\nCIrp::WritePos() const \n{\n\treturn StackLocation()->Parameters.Write.ByteOffset.QuadPart;\n}\n\nULONG&\nCIrp::IoctlCode() const \n{\n\treturn StackLocation()->Parameters.DeviceIoControl.IoControlCode;\n}\n\nvoid *&\nCIrp::IoctlOutputBuffer() const \n{\n\treturn 
mIrp->UserBuffer;\n}\n\nULONG&\nCIrp::IoctlOutputBufferLength() const \n{\n\treturn StackLocation()->Parameters.DeviceIoControl.\n\t\tOutputBufferLength;\n}\n\nvoid *&\nCIrp::IoctlInputBuffer() const \n{\n\treturn mIrp->AssociatedIrp.SystemBuffer;\n}\n\nULONG&\nCIrp::IoctlInputBufferLength() const \n{\n\treturn StackLocation()->Parameters.DeviceIoControl.InputBufferLength;\n}\n\nvoid *&\nCIrp::IoctlType3InputBuffer() const \n{\n\treturn StackLocation()->Parameters.DeviceIoControl.Type3InputBuffer;\n}\n\nPDEVICE_OBJECT&\tCIrp::Device() const  \n{\n\treturn StackLocation()->DeviceObject;\n}\n\nPFILE_OBJECT&\tCIrp::FileObject() const  \n{\n\treturn StackLocation()->FileObject;\n}\n\nPIO_STACK_LOCATION\t\nCIrp::StackLocation() const\n{\n\tif (mStackLocation == Current)\n\t\treturn IoGetCurrentIrpStackLocation(mIrp);\n\telse\n\t\treturn IoGetNextIrpStackLocation(mIrp);\n}\n\n\nvoid\tCIrp::UseCurrentStackLocation() \n{\n\tmStackLocation = Current;\n}\n\nvoid\tCIrp::UseNextStackLocation() \n{\n\tmStackLocation = Next;\n}\n\nvoid \nCIrp::CopyStackLocationToNext() const\n{\n\tIoCopyCurrentIrpStackLocationToNext(mIrp);\n}\n\nvoid \nCIrp::SkipStackLocation() const\n{\n\tIoSkipCurrentIrpStackLocation(mIrp);\n}\n\nNTSTATUS \nCIrp::Complete(NTSTATUS status, CCHAR boost)\n{\n\tStatus() = status;\n\tIoCompleteRequest(mIrp, boost);\n\n\treturn status;\n}\n\nNTSTATUS SimpleCompletion(\n\tDEVICE_OBJECT *device,\n\tIRP *irp, \n\tvoid* context)\n{\n\tASSERT(irp);\n\n\tUNREFERENCED_PARAMETER(device);\n\n\tif(irp->PendingReturned)\n\t{\n\t\tASSERT(context);\n\t\tKeSetEvent((KEVENT*) context, 0, false);\n\t}\n\n\treturn STATUS_MORE_PROCESSING_REQUIRED;\n}\n\nNTSTATUS \nCIrp::SimpleSend(DEVICE_OBJECT *device)\n{\n\tKEVENT Event;\n\tNTSTATUS Status;\n\tKeInitializeEvent(&Event, NotificationEvent, false);\n\t\n\tIoSetCompletionRoutine(\n\t\t\t\t\t\tmIrp, \n\t\t\t\t\t\tSimpleCompletion,\n\t\t\t\t\t\t&Event,\n\t\t\t\t\t\ttrue, \n\t\t\t\t\t\ttrue, \n\t\t\t\t\t\ttrue);\n\n\tStatus = 
IoCallDriver(device, mIrp);\n\n\tif(STATUS_PENDING == Status)\n\t{\n\t\tKeWaitForSingleObject(&Event, Executive, KernelMode, false, 0);\t\n\n\t\tStatus = mIrp->IoStatus.Status;\n\t}\n\n\treturn Status;\n}\n\n\nvoid \nCIrp::SetCancelRoutine(PDRIVER_CANCEL cancelFunc)\n{\n\tIoSetCancelRoutine(mIrp, cancelFunc);\n}\n\nvoid \n\tCIrp::MarkPending()\n{\n\tIoMarkIrpPending(mIrp);\n}\n\nvoid \nCIrp::UnmarkPending()\n{\n\tIoGetCurrentIrpStackLocation(mIrp)->Control &= ~SL_PENDING_RETURNED;\n}\n\n\n\nCErrorStatus \nCIrp::BuildDeviceIoControlRequest(\n\tUINT32\t\t\tIoctlCode, \n\tPDEVICE_OBJECT\t\tDevice, \n\tconst void*\t\t\tInBuf, \n\tUINT32\t\t\tSizeInBuf, \n\tvoid*\t\t\t\tOutBuf, \n\tUINT32\t\t\tSizeOutBuf, \n\tBOOL\t\t\t\tInternal, \n\tKEVENT&\t\t\t\tEvent, \n\tIO_STATUS_BLOCK&\tIoStatus)\n{\n\tCErrorStatus Error;\n\tCAssertAddrValid(pDeviceObject, DEVICE_OBJECT);\n\n\tmIrp = IoBuildDeviceIoControlRequest(\n\t\tIoctlCode,\n\t\tDevice, \n\t\tconst_cast<void *>(InBuf),\n\t\tSizeInBuf,\n\t\tOutBuf,\n\t\tSizeOutBuf,\n\t\tInternal, \n\t\t&Event,\n\t\t&IoStatus);\n\n\tif ( IsNull(mIrp) )\n\t{\n\t\tError = IoStatus.Status;\n\t}\n\n\treturn Error;\n}\n\nCErrorStatus \nCIrp::BuildSynchronousFsdRequest(\n\tUINT32\t\t\tmajorFunc, \n\tPDEVICE_OBJECT\t\tpDeviceObject, \n\tconst void\t\t\t*buf, \n\tUINT32\t\t\tnBytes, \n\tINT64\t\t\tpos, \n\tKEVENT&\t\t\t\tevent, \n\tIO_STATUS_BLOCK&\tIoStatus)\n{\n\tCErrorStatus Error;\n\tCAssertAddrValid(pDeviceObject, DEVICE_OBJECT);\n\n\tLARGE_INTEGER\tliPos;\n\tliPos.QuadPart = pos;\n\tmIrp = IoBuildSynchronousFsdRequest(majorFunc, pDeviceObject, \n\t\tconst_cast<void *>(buf), nBytes, &liPos, &event, &IoStatus);\n\n\tif (IsNull(mIrp))\n\t{\n\t\tError = IoStatus.Status;\n\t}\n\n\treturn Error;\n}\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CIrp.h",
    "content": "#ifndef _CIrp_h\n#define _CIrp_h\n\n#include \"cpplib.h\"\n#include \"CErrorStatus.h\"\n\nclass CIrp\n{\npublic:\n\tenum IrpStackLocation {Current, Next};\n\tCIrp(void);\n\tCIrp(PIRP pIrp);\n\t~CIrp();\n\n\toperator PIRP (){ return mIrp;};\n\toperator IRP&() {return *mIrp;};\n\toperator const IRP&() const {return *mIrp;};\n\toperator const PIRP() const {return mIrp;};\n\toperator ULONG_PTR(){ return (ULONG_PTR)mIrp; };\n\tPIRP\t\toperator->() {return mIrp;};\n\tconst PIRP\toperator->() const {return mIrp;};\n\n\tPIRP Get() const;\n\n\tNTSTATUS& \t\t\tStatus() const;\n\tKPROCESSOR_MODE&\tRequestorMode() const;\n\tULONG_PTR&\t\t\tInformation() const;\t\n\tPMDL&\t\t\t\tMdlAddress() const;\t\n\tPVOID&\t\t\t\tUserBuffer() const;\t\n\tPVOID&\t\t\t\tDriverContext1() const;\t\n\tPVOID&\t\t\t\tDriverContext2() const;\n\tPVOID&\t\t\t\tDriverContext3() const;\n\tPVOID&\t\t\t\tDriverContext4() const;\n\tUINT8&\t\t\tMajorFunction() const;\n\tUINT8&\t\t\tMinorFunction() const;\n\tUINT8&\t\t\tFlags() const;\n\tUINT8&\t\t\tControl() const;\t\n\tULONG&\t\t\tReadLength() const;\n\tINT64&\t\t\tReadPos() const;\n\tULONG&\t\t\tWriteLength() const;\n\tINT64&\t\t\tWritePos() const;\t\n\tULONG&\t\t\tIoctlCode() const;\t\n\tvoid *&\t\t\tIoctlOutputBuffer() const;\t\n\tULONG&\t\t\tIoctlOutputBufferLength() const;\t\n\tvoid *&\t\t\tIoctlInputBuffer() const;\t\n\tULONG&\t\t\tIoctlInputBufferLength() const;\t\n\tvoid *&\t\t\tIoctlType3InputBuffer() const;\t\n\tPDEVICE_OBJECT&\t\tDevice() const; \t\n\tPFILE_OBJECT&\t\tFileObject() const;  \t\n\tPIO_STACK_LOCATION\tStackLocation() const;\n\tvoid\t\t\t\tUseCurrentStackLocation() ;\t\n\tvoid\t\t\t\tUseNextStackLocation();\n\tvoid\t\t\t\tCopyStackLocationToNext() const;\n\tvoid\t\t\t\tSkipStackLocation() const;\n\n\tNTSTATUS\t\t\tComplete(\tNTSTATUS status, \n\t\t\t\t\t\t\t\t\tCCHAR boost = IO_NO_INCREMENT);\n\tvoid\t\t\t\tSetCancelRoutine(PDRIVER_CANCEL 
cancelFunc);\n\tvoid\t\t\t\tMarkPending();\n\tvoid\t\t\t\tUnmarkPending();\n\n\tCErrorStatus\t\t\tBuildDeviceIoControlRequest(\n\t\t\t\t\t\t\t\t\t\tUINT32\t\t\tIoctlCode, \n\t\t\t\t\t\t\t\t\t\tPDEVICE_OBJECT\t\tDevice,\n\t\t\t\t\t\t\t\t\t\tconst void*\t\t\tInBuf, \n\t\t\t\t\t\t\t\t\t\tUINT32\t\t\tSizeInBuf,\n\t\t\t\t\t\t\t\t\t\tvoid *\t\t\t\tOutBuf, \n\t\t\t\t\t\t\t\t\t\tUINT32\t\t\tSizeOutBuf, \n\t\t\t\t\t\t\t\t\t\tBOOL\t\t\t\tInternal,\n\t\t\t\t\t\t\t\t\t\tKEVENT& event,\n\t\t\t\t\t\t\t\t\t\tIO_STATUS_BLOCK& IoStatus);\n\n\tCErrorStatus\t\t\tBuildSynchronousFsdRequest(\n\t\t\t\t\t\t\t\t\t\tUINT32\t\tIoctlCode, \n\t\t\t\t\t\t\t\t\t\tPDEVICE_OBJECT\tDevice,\n\t\t\t\t\t\t\t\t\t\tconst void*\t\tInBuf,\n\t\t\t\t\t\t\t\t\t\tUINT32 nBytes, \n\t\t\t\t\t\t\t\t\t\tINT64 pos, \n\t\t\t\t\t\t\t\t\t\tKEVENT& event, \n\t\t\t\t\t\t\t\t\t\tIO_STATUS_BLOCK& IoStatus);\n\n\tNTSTATUS\t\t\t\tSimpleSend(DEVICE_OBJECT *device);\nprivate:\n\tIRP*\t\t\t\tmIrp;\n\tIrpStackLocation\tmStackLocation;\n};\n\n#endif\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CListEntry.cpp",
    "content": "#include \"CListEntry.h\"\n\n// template< typename T>\n// CAfdList<T>::CAfdList()\n// {\n// \tInitializeListHead( &mAfdList);\n// }\n// \n// template< typename T>\n// CAfdList<T>::~CAfdList()\n// {\n// \n// }\n\n// template< typename T>\n// void CAfdList<T>::InsertHeadList()\n// {\n// \n// }"
  },
  {
    "path": "Sysmon.sys/cpplib/CListEntry.h",
    "content": "#ifndef _CListEntry_H\n#define _CListEntry_H\n\n#include \"cpplib.h\"\n#include \"CEResource.h\"\n\n#define LIST_COMMON_TAG 'Aflt'\n\ntypedef struct _C_LIST_NODE\n{\n\tLIST_ENTRY Entry;\n\tvoid*      Elment;\n\n}C_LIST_NODE;\n\ntemplate<\ttypename T,\n\t\t\tBOOLEAN IsHead = false,\n\t\t\tunsigned long PoolTag = LIST_COMMON_TAG >\n\nclass CListEntry\n{\npublic:\n\n\tclass IteratorType\n\t{\n\t\tfriend class CListEntry;\n\tpublic:\n\t\tIteratorType()\n\t\t{\n\t\t\tmPl = NULL;\n\t\t\tmPt = NULL;\n\t\t}\n\n\t\tIteratorType(const IteratorType& _T )\n\t\t{\n\t\t\tmPt = _T.mPt;\n\t\t\tmPl = _T.mPl;\n\t\t}\n\n\t\t~IteratorType()\n\t\t{\n\t\t}\n\n\tprivate:\n\t\tLIST_ENTRY* mPl;\n\t\tCListEntry* mPt;\n\t};\n\n\tclass Iterator\n\t{\n\t\tfriend class CListEntry;\n\t\tfriend class IteratorType;\n\tpublic:\n\t\tIterator()\n\t\t{\n\t\t\tmT.mPl = NULL;\n\t\t\tmT.mPt = NULL;\n\t\t}\n\n\t\tIterator( const Iterator& _I )\n\t\t{\n\t\t\tmT.mPl = _I.mT.mPl;\n\t\t\tmT.mPt = _I.mT.mPt;\n\t\t}\n\n\t\t~Iterator()\n\t\t{\n\t\t\tmT.mPl = NULL;\n\n\t\t\tif ( mT.mPt )\n\t\t\t{\n\t\t\t\tmT.mPt->UnLock();\n\t\t\t}\n\t\t}\n\n\tpublic:\n\n\t\tvoid\n\t\toperator++()\n\t\t{\n\t\t\tif ( mT.mPl )\n\t\t\t{\n\t\t\t\tmT.mPl = mT.mPl->Flink;\n\t\t\t}\n\t\t}\n\n\t\tvoid operator--()\n\t\t{\n\t\t\tif ( mT.mPl )\n\t\t\t{\n\t\t\t\tmT.mPl->Blink;\n\t\t\t}\n\t\t}\n\n\t\tT&\n\t\toperator *()\n\t\t{\n\t\t\tC_LIST_NODE* Node;\n\t\t\tNode = CONTAINING_RECORD(\n\t\t\t\t\t\t\tmT.mPl,\n\t\t\t\t\t\t\tC_LIST_NODE,\n\t\t\t\t\t\t\tEntry);\t\n\t\t\t\n\t\t\treturn *((T*)Node->Elment);\n\t\t}\n\n\t\tBOOLEAN\n\t\toperator !=(Iterator& _I)\n\t\t{\n\t\t\treturn (this != &_I);\n\t\t}\n\n\t\tBOOLEAN\n\t\toperator !=( LIST_ENTRY* _X )\n\t\t{\n\t\t\treturn (mT.mPl != _X);\n\t\t}\n\n\t\tvoid\n\t\toperator =( IteratorType& _X )\n\t\t{\n\t\t\tmT.mPl = _X.mPl;\n\t\t\tmT.mPt = _X.mPt;\n\t\t}\n\n\tprivate:\n\t\tIteratorType mT;\n\n\t};\n\n\tCListEntry()\n\t{\n\t\tInitializeListHead( &mAfdList);\n\n\t\tmIteratorType.mPl = 
mAfdList.Flink;\n\t\tmIteratorType.mPt = this;\n\n\t\tmMaxSize = -1;\n\t\tmSize = 0;\n\t}\n\n\t~CListEntry()\n\t{\n\n\t}\n\n\tBOOLEAN push_front( T* _X )\n\t{\n\t\tC_LIST_NODE* Entry;\n\n\t\tEntry = (C_LIST_NODE*)\n\t\t\tExAllocatePoolWithTag(\n\t\t\t\t\t\tNonPagedPool,\n\t\t\t\t\t\tsizeof(C_LIST_NODE),\n\t\t\t\t\t\tPoolTag);\n\n\t\tif ( Entry )\n\t\t{\n\t\t\tLock();\n\n\t\t\t__try\n\t\t\t{\n\t\t\t\tEntry->Elment = (void*)_X;\n\t\t\t\t\n\t\t\t\tInsertHeadList(\t&mAfdList,\n\t\t\t\t\t\t&Entry->Entry);\n\n\t\t\t}\n\t\t\t__finally\n\t\t\t{\n\t\t\t\tUnLock();\n\t\t\t}\t\t\t\t\n\n\t\t\treturn true;\n\t\t}\n\n\t\treturn false;\t\t\n\t}\n\n\tBOOLEAN push_back( T* _X )\n\t{\n\t\tC_LIST_NODE* Entry;\n\n\t\tEntry = (C_LIST_NODE*)\n\t\t\tExAllocatePoolWithTag(\n\t\t\t\t\t\tNonPagedPool,\n\t\t\t\t\t\tsizeof(C_LIST_NODE),\n\t\t\t\t\t\tPoolTag);\n\n\t\tif ( Entry )\n\t\t{\n\t\t\tLock();\n\n\t\t\t__try\n\t\t\t{\n\t\t\t\tEntry->Elment = (void*)_X;\n\n\t\t\t\tInsertTailList(\t&mAfdList,\n\t\t\t\t\t\t\t\t&Entry->Entry);\n\n\t\t\t}\n\t\t\t__finally\n\t\t\t{\n\t\t\t\tUnLock();\n\t\t\t}\t\t\t\t\n\n\t\t\treturn true;\n\t\t}\n\n\t\treturn false;\t\t\n\t}\n\n\tBOOLEAN Insert( T* _X )\n\t{\n\t\tif ( IsHead == true )\n\t\t{\n\t\t\treturn push_front(\t_X );\n\t\t}\n\t\telse\n\t\t{\n\t\t\treturn push_back(_X);\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t//ɾָĵ\n\tIteratorType& erase(Iterator& _I )\n\t{\n\t\tIteratorType _T;\n\t\tC_LIST_NODE* Node;\n\n\t\t__try\n\t\t{\n\t\t\t_T.mPt = _I.mT.mPt;\n\n\t\t\tNode = CONTAINING_RECORD( \n\t\t\t\t_I.mT.mPl ,\n\t\t\t\tC_LIST_NODE,\n\t\t\t\tEntry);\n\n\t\t\tif ( Node )\n\t\t\t{\t\t\t\n\t\t\t\tRemoveEntryList(_I.mT.mPl);\n\t\t\t\tExFreePool(Node);\n\t\t\t\tNode = NULL;\n\t\t\t}\n\n\t\t\t_T.mPl = _I.mT.mPl;\n\t\t}\n\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t{\n\n\t\t}\t\t\n\t\n\t\treturn _T;\n\t}\n\n\tBOOLEAN Remove( T* _X )\n\t{\n\t\tLIST_ENTRY* Entry;\n\t\tC_LIST_NODE* Node;\n\t\tT* 
Elment;\n\n\t\tLock();\n\n\t\t__try\n\t\t{\n\t\t\t__try\n\t\t\t{\n\t\t\t\tEntry = &mAfdList;\n\n\t\t\t\tif( !IsListEmpty(Entry))\n\t\t\t\t{\n\t\t\t\t\twhile( Entry->Flink != &mAfdList )\n\t\t\t\t\t{\n\t\t\t\t\t\tNode = CONTAINING_RECORD( \n\t\t\t\t\t\t\t\t\t\t\tEntry ,\n\t\t\t\t\t\t\t\t\t\t\tC_LIST_NODE,\n\t\t\t\t\t\t\t\t\t\t\tEntry);\n\n\t\t\t\t\t\tif ( Node )\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif ( Node->Elment == _X )\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tRemoveEntryList(Entry);\n\n\t\t\t\t\t\t\t\tExFreePool(Node);\n\n\t\t\t\t\t\t\t\tNode = NULL;\n\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tEntry = Entry->Flink;\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t}\n\t\t\t}\n\t\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t\t{\n\t\t\t\treturn false;\n\t\t\t}\n\t\t}\t\t\n\t\t__finally\n\t\t{\n\t\t\tUnLock();\n\t\t}\n\t\t\n\t\treturn true;\n\t}\n\n\tIteratorType& Begin()\n\t{\n\t\tLock();\n\n\t\tmIteratorType.mPl\t\t= mAfdList.Flink;\n\t\tmIteratorType.mPt       = this;\n\n\t\treturn mIteratorType;\n\t}\n\n\tLIST_ENTRY* End()\n\t{\n\t\treturn &mAfdList;\n\t}\n\nprivate:\n\n\tvoid Lock()\n\t{\n\t\tmESourceLock.Lock();\n\t}\n\n\tvoid UnLock()\n\t{\n\t\tmESourceLock.UnLock();\n\t}\n\n\tIteratorType\tmIteratorType;\n\tLIST_ENTRY\t\tmAfdList;\n\tULONG\t\t\tmMaxSize;\n\tULONG\t\t\tmSize;\n\tCEResource\tmESourceLock;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CMiniFltFilter.cpp",
    "content": "#include \"CMiniFltFilter.h\"\n\n\n#pragma comment(lib,\"FltMgr.lib\")\n\n/**********************************************************************************/\n#pragma INITCODE\n\nCMiniFltFilter::CMiniFltFilter(void)\n\t:mFilter(NULL)\n{\n\tmemset(\n\t\t\t&mFltRegistration,\n\t\t\t0,\n\t\t\tsizeof(FLT_REGISTRATION));\n\n\tmFltRegistration.Size = sizeof(FLT_REGISTRATION);\n\tmFltRegistration.Version = FLT_REGISTRATION_VERSION;\n\tmFltRegistration.Flags = 0;\n\tmFltRegistration.ContextRegistration = mContextRegistration;\n\tmFltRegistration.OperationRegistration = mOptRegistration;\n\n\tfor ( int nI = 0; nI < MAX_FLT_OPERATION_REGISTRATION;nI++)\n\t{\n\t\tmOptRegistration[nI].MajorFunction = IRP_MJ_OPERATION_END;\n\t\tmOptRegistration[nI].Flags = 0;\n\t\tmOptRegistration[nI].PostOperation = 0;\n\t\tmOptRegistration[nI].PreOperation = 0;\n\t\tmOptRegistration[nI].Reserved1 = 0;\n\t}\n\n\tfor ( int nI = 0; nI < MAX_FLT_CONTEXT_REGISTRATION; nI++)\n\t{\n\t\tmContextRegistration[nI].ContextType = FLT_CONTEXT_END;\n\t\tmContextRegistration[nI].ContextAllocateCallback = 0;\n\t\tmContextRegistration[nI].ContextCleanupCallback = 0;\n\t\tmContextRegistration[nI].ContextFreeCallback = 0;\n\t\tmContextRegistration[nI].Flags = 0;\n\t\tmContextRegistration[nI].PoolTag = 0;\n\t\tmContextRegistration[nI].Reserved1 = 0;\n\t\tmContextRegistration[nI].Size = 0;\n\t}\n\n\tmFilterUnloadCallback = 0;\n\tmInstanceSetupCallback = 0;\n\tmInstanceQueryTeardownCallback = 0;\n\tmInstanceTeardownStartCallback = 0;\n\tmInstanceTeardownCompleteCallback = 0;\n\tmGenerateFileNameCallback = 0;\n\tmNormalizeNameComponentCallback = 0;\n\tmNormalizeContextCleanupCallback = 0;\n\tmTransactionNotificationCallback = 0;\n\tmNormalizeNameComponentExCallback = 0;\n\n#if FLT_MGR_WIN8\n\tmSectionNotificationCallback = 0;\n#endif // FLT_MGR_WIN8\n}\n\n/**********************************************************************************/\n#pragma 
LOCKEDCODE\n\nCMiniFltFilter::~CMiniFltFilter(void)\n{\n}\n\n\n/**********************************************************************************/\n#pragma INITCODE\n\nvoid \nCMiniFltFilter::RegisterCallback(int nIndex,void* pFn)\n{\n\tif (nIndex == 0)\n\t{\n\t\tmFilterUnloadCallback = (PFLT_FILTER_UNLOAD_CALLBACK)pFn;\n\t\tmFltRegistration.FilterUnloadCallback = mFilterUnloadCallback;\n\t}\n\n\tif (nIndex == 1)\n\t{\n\t\tmInstanceSetupCallback = (PFLT_INSTANCE_SETUP_CALLBACK)pFn;\n\t\tmFltRegistration.InstanceSetupCallback = mInstanceSetupCallback;\n\t}\n\n\tif (nIndex == 2)\n\t{\n\t\tmInstanceQueryTeardownCallback = (PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK)pFn;\n\t\tmFltRegistration.InstanceQueryTeardownCallback = mInstanceQueryTeardownCallback;\n\t}\n\n\tif (nIndex == 3)\n\t{\n\t\tmInstanceTeardownStartCallback = (PFLT_INSTANCE_TEARDOWN_CALLBACK)pFn;\n\t\tmFltRegistration.InstanceTeardownStartCallback = mInstanceTeardownStartCallback;\n\t}\n\n\tif (nIndex == 4)\n\t{\n\t\tmInstanceTeardownCompleteCallback = (PFLT_INSTANCE_TEARDOWN_CALLBACK)pFn;\n\t\tmFltRegistration.InstanceTeardownCompleteCallback = mInstanceTeardownCompleteCallback;\n\t}\n\n\tif (nIndex == 5)\n\t{\n\t\tmGenerateFileNameCallback = (PFLT_GENERATE_FILE_NAME)pFn;\n\t\tmFltRegistration.GenerateFileNameCallback = mGenerateFileNameCallback;\n\t}\n\t\n\tif (nIndex == 6)\n\t{\n\t\tmNormalizeNameComponentCallback = (PFLT_NORMALIZE_NAME_COMPONENT)pFn;\n\t\tmFltRegistration.NormalizeNameComponentCallback = mNormalizeNameComponentCallback;\n\t}\n\t\n\tif (nIndex == 7)\n\t{\n\t\tmNormalizeContextCleanupCallback = (PFLT_NORMALIZE_CONTEXT_CLEANUP)pFn;\n\t\tmFltRegistration.NormalizeContextCleanupCallback = mNormalizeContextCleanupCallback;\n\t}\n\t\t\t\t\n\tif (nIndex == 8)\n\t{\n\t\tmTransactionNotificationCallback = (PFLT_TRANSACTION_NOTIFICATION_CALLBACK)pFn;\n\t\tmFltRegistration.TransactionNotificationCallback = mTransactionNotificationCallback;\n\t}\n\n\tif (nIndex == 
9)\n\t{\n\t\tmNormalizeNameComponentExCallback = (PFLT_NORMALIZE_NAME_COMPONENT_EX)pFn;\n\t\tmFltRegistration.NormalizeNameComponentExCallback = mNormalizeNameComponentExCallback;\n\t}\n\t\t\t;\n}\n\n\n/**********************************************************************************/\n#pragma INITCODE\n\nvoid \nCMiniFltFilter::RegisterOptRegistration(\n\tint nIdex,\n\tUSHORT MajorFunction,\n\tFLT_OPERATION_REGISTRATION_FLAGS Flags,\n\tPFLT_PRE_OPERATION_CALLBACK      PreOperation,\n\tPFLT_POST_OPERATION_CALLBACK     PostOperation,\n\tPVOID                            Reserved1\n\t)\n{\n\tmOptRegistration[nIdex].MajorFunction = static_cast<UCHAR>(MajorFunction);\n\tmOptRegistration[nIdex].Flags = Flags;\n\tmOptRegistration[nIdex].PreOperation = PreOperation;\n\tmOptRegistration[nIdex].PostOperation = PostOperation;\n\tmOptRegistration[nIdex].Reserved1 = Reserved1;\n}\n\nvoid CMiniFltFilter::RegisterContext(\n\t\t\t\t\t\t\tint\t\tnIdex,\n\t\t\t\t\t\t\tFLT_CONTEXT_TYPE\tContextType,\n\t\t\t\t\t\t\tUSHORT\t\t\t\tContextSize,\n\t\t\t\t\t\t\tULONG\t\t\t\tPoolTag,\n\t\t\t\t\t\t\tPVOID               Reserved1\n\t\t\t\t\t\t\t)\n{\n\tmContextRegistration[nIdex].Reserved1 = Reserved1;\n\tmContextRegistration[nIdex].Size = ContextSize;\n\tmContextRegistration[nIdex].ContextAllocateCallback = 0;\n\tmContextRegistration[nIdex].ContextCleanupCallback = 0;\n\tmContextRegistration[nIdex].ContextFreeCallback = 0;\n\tmContextRegistration[nIdex].ContextType = ContextType;\n\tmContextRegistration[nIdex].Size = ContextSize;\n\tmContextRegistration[nIdex].PoolTag = PoolTag;\n}\n\n/**********************************************************************************/\n#pragma INITCODE\n\nCErrorStatus \nCMiniFltFilter::FltRegisterFilter(PDRIVER_OBJECT DriverObj)\n{\n\tCErrorStatus Status;\n\n\tStatus = ::FltRegisterFilter(DriverObj,&mFltRegistration,&mFilter);\n\n\tif (Status.IsNtSuccess())\n\t{\n\t\t::FltStartFiltering(mFilter);\n\t}\n\n\treturn 
Status;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS \nCMiniFltFilter::FilterUnloadCallback(\n\tFLT_FILTER_UNLOAD_FLAGS Flags\n\t)\n{\n\treturn STATUS_SUCCESS;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS\nCMiniFltFilter::InstanceSetupCallback(\n\tPCFLT_RELATED_OBJECTS FltObjects,\n\tFLT_INSTANCE_SETUP_FLAGS Flags,\n\tDEVICE_TYPE VolumeDeviceType,\n\tFLT_FILESYSTEM_TYPE VolumeFilesystemType\n\t)\n{\n\n\tif ( VolumeDeviceType == FILE_DEVICE_DISK_FILE_SYSTEM)\n\t{\n\t\treturn STATUS_SUCCESS;\n\t}\n\n// \tif (VolumeFilesystemType != FLT_FSTYPE_NPFS)\n// \t{\n// \t}\n\n\treturn STATUS_UNSUCCESSFUL;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nNTSTATUS\nCMiniFltFilter::InstanceQueryTeardownCallback(\n\tPCFLT_RELATED_OBJECTS FltObjects,\n\tFLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags\n\t)\n{\n\treturn STATUS_SUCCESS;\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CMiniFltFilter.h",
    "content": "#ifndef _CMiniFltFilter_h\n#define _CMiniFltFilter_h\n\n#include <fltKernel.h>\n#include \"CErrorStatus.h\"\n\n#define MAX_FLT_CONTEXT_REGISTRATION 20\n#define MAX_FLT_OPERATION_REGISTRATION 50\n\ntypedef enum _Flt_Fn_Callback\n{\n\tkFilterUnloadCallback,\n\tkInstanceSetupCallbac,\n\tkInstanceQueryTeardowCallback,\n\tkInstanceTeardownStartCallback,\n\tkInstanceTeardownCompleteCallback,\n\tkGenerateFileNameCallback,\n\tkNormalizeNameComponentCallback,\n\tkNormalizeContextCleanupCallback,\n\tkTransactionNotificationCallback,\n\tkNormalizeNameComponentExCallback,\n\n}Flt_Fn_Callback;\n\nclass CMiniFltFilter\n{\npublic:\n\tCMiniFltFilter(void);\n\tvirtual ~CMiniFltFilter(void);\n\n\tvoid RegisterCallback(int nIndex,void* pFn);\n\tvoid RegisterOptRegistration(\n\t\t\t\t\t\t\tint nIdex,\n\t\t\t\t\t\t\tUSHORT ContextSize,\n\t\t\t\t\t\t\tFLT_OPERATION_REGISTRATION_FLAGS Flags,\n\t\t\t\t\t\t\tPFLT_PRE_OPERATION_CALLBACK      PreOperation,\n\t\t\t\t\t\t\tPFLT_POST_OPERATION_CALLBACK     PostOperation,\n\t\t\t\t\t\t\tPVOID                            Reserved1 = NULL\n\t\t\t\t\t\t\t);\n\n\tvoid RegisterContext(\n\t\t\t\t\tint\t\t\t\t\tnIdex,\n\t\t\t\t\tFLT_CONTEXT_TYPE\tContextType,\n\t\t\t\t\tUSHORT\t\t\t\tContextSize,\n\t\t\t\t\tULONG\t\t\t\tPoolTag,\n\t\t\t\t\tPVOID               Reserved1 = NULL\n\t\t\t\t\t);\n\n\tCErrorStatus FltRegisterFilter(PDRIVER_OBJECT DriverObj);\n\npublic:\n\tstatic\n\tNTSTATUS \n\tNTAPI\n\tFilterUnloadCallback(\n\t\tFLT_FILTER_UNLOAD_FLAGS Flags\n\t\t);\n\n\tstatic\n\tNTSTATUS\n\tNTAPI\n\tInstanceSetupCallback(\n\t\tPCFLT_RELATED_OBJECTS FltObjects,\n\t\tFLT_INSTANCE_SETUP_FLAGS Flags,\n\t\tDEVICE_TYPE VolumeDeviceType,\n\t\tFLT_FILESYSTEM_TYPE VolumeFilesystemType\n\t\t);\n\n\tstatic\n\tNTSTATUS\n\tNTAPI\n\tInstanceQueryTeardownCallback(\n\t\tPCFLT_RELATED_OBJECTS FltObjects,\n\t\tFLT_INSTANCE_QUERY_TEARDOWN_FLAGS 
Flags\n\t\t);\n\nprivate:\n\tPFLT_FILTER\t\t\t\t\t\t\t\tmFilter;\n\tFLT_REGISTRATION\t\t\t\t\t\tmFltRegistration;\n\tFLT_CONTEXT_REGISTRATION\t\t\t\tmContextRegistration[MAX_FLT_CONTEXT_REGISTRATION];\n\tFLT_OPERATION_REGISTRATION\t\t\t\tmOptRegistration[MAX_FLT_OPERATION_REGISTRATION];\n\t\n\tPFLT_FILTER_UNLOAD_CALLBACK\t\t\t\tmFilterUnloadCallback;\n\tPFLT_INSTANCE_SETUP_CALLBACK\t\t\tmInstanceSetupCallback;\n\tPFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK\tmInstanceQueryTeardownCallback;\n\tPFLT_INSTANCE_TEARDOWN_CALLBACK\t\t\tmInstanceTeardownStartCallback;\n\tPFLT_INSTANCE_TEARDOWN_CALLBACK\t\t\tmInstanceTeardownCompleteCallback;\n\tPFLT_GENERATE_FILE_NAME\t\t\t\t\tmGenerateFileNameCallback;\n\tPFLT_NORMALIZE_NAME_COMPONENT\t\t\tmNormalizeNameComponentCallback;\n\tPFLT_NORMALIZE_CONTEXT_CLEANUP\t\t\tmNormalizeContextCleanupCallback;\n\tPFLT_TRANSACTION_NOTIFICATION_CALLBACK\tmTransactionNotificationCallback;\n\tPFLT_NORMALIZE_NAME_COMPONENT_EX\t\tmNormalizeNameComponentExCallback;\n\n#if FLT_MGR_WIN8\n\tPFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK mSectionNotificationCallback;\n#endif // FLT_MGR_WIN8\n};\n\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CNPagedLookaside.cpp",
    "content": "#include \"CNPagedLookaside.h\"\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CNPagedLookaside.h",
    "content": "#ifndef _CNPagedLookaside_h\n#define _CNPagedLookaside_h\n\n#include \"cpplib.h\"\n\ntemplate< typename T, USHORT PoolTag = NPAGE_LIST_POOL_TAG>\nclass CNPagedLookaside\n{\npublic:\n\tCNPagedLookaside(void)\n\t{\n\t\tExInitializeNPagedLookasideList(\n\t\t\t&mNPagedLookasside, \n\t\t\t0,\n\t\t\t0,\n\t\t\t0,\n\t\t\tsizeof(T),\n\t\t\tPoolTag,\n\t\t\t0);\n\t}\n\n\t~CNPagedLookaside(void)\n\t{\n\t\tExDeleteNPagedLookasideList(&mNPagedLookasside);\n\t}\n\n\tT* Allocate()\n\t{\n\t\treturn static_cast<T*>(ExAllocateFromNPagedLookasideList(&mNPagedLookasside));\n\t}\n\n\tvoid Free( T* pT )\n\t{\n\t\tExFreeToNPagedLookasideList(&mNPagedLookasside, pT);\n\t}\n\nprivate:\n\tNPAGED_LOOKASIDE_LIST mNPagedLookasside;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CPool.cpp",
    "content": "#include \"CPool.h\"\n\n\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CPool.h",
    "content": "#ifndef _CPool_h\n#define _CPool_h\n\n#include \"cpplib.h\"\n#include \"CIntNumber.h\"\n\ntemplate<typename T,\n\t\tPOOL_TYPE PoolType = NonPagedPool,\n\t\tUSHORT PoolTag = NON_PAGED_POOL_TAG,\n\t\tBOOLEAN AutoRelease = false>\nclass CPool\n{\npublic:\n\tCPool(void)\n\t{\n\t\tmPool = NULL;\n\t\tmPoolSize = 0;\n\t\tmReference = 0;\n\t}\n\n\tCPool(const CPool& Pool )\n\t{\n\t\tmPool = Pool.mPool;\n\t\tmPoolSize = Pool.mPoolSize;\n\t\tmReference = Pool.mReference;\n\t}\n\n\t~CPool(void)\n\t{\n\t\tif (\tmPool && \n\t\t\t\tAutoRelease == true )\n\t\t{\n\t\t\tFree();\n\t\t}\n\t}\n\n\toperator T*() const\n\t{\n\t\treturn (T*)mPool;\n\t}\n\n\tBOOL\n\toperator ==( CIntNumber<INT3264>& Pointer )\n\t{\n\t\treturn (mPool == (T*)((INT3264)Pointer));\n\t}\n\n\tBOOL\n\toperator !=( CIntNumber<INT3264>& Pointer )\n\t{\n\t\treturn (mPool != (T*) ((INT3264)Pointer));\n\t}\n\n\tconst\n\tT&\n\toperator []( INT3264 Index) const\n\t{\n\t\tif ( Index < Size() &&\n\t\t\tIndex >= 0 )\n\t\t{\n\t\t\treturn ((T*)*this)[Index];\n\t\t}\n\n\t\treturn  ((T*)*this)[0];\n\t}\n\n\tT&\n\toperator []( INT3264 Index )\n\t{\n\t\tif ( Index >= Size() ||\n\t\t\tIndex < 0 )\n\t\t{\n\t\t\treturn ((T*)*this)[0];\n\t\t}\n\t\t\n\t\treturn ((T*)*this)[Index];\n\t}\n\t\n// \tT&\n// \toperator=( T& _E )\n// \t{\n// \t\treturn _E;\n// \t}\n\n\tCPool<T,PoolType,PoolTag,AutoRelease>&\n\toperator=( CPool<T,PoolType,PoolTag,AutoRelease>& _X )\n\t{\n\t\tmPool = (T*)_X;\n\t\tmPoolSize = _X.Size();\n\t}\n\t\n\tT* Allocate( SIZE_T _S )\n\t{\n\n\t\tif ( mPool == NULL )\n\t\t{\n\t\t\tmPool = static_cast<T*>(ExAllocatePoolWithTag(\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tPoolType,\n\t\t\t\t\t\t\t\t\t\t\t\t\t_S,\n\t\t\t\t\t\t\t\t\t\t\t\t\tPoolTag));\n\n\t\t\tif ( mPool )\n\t\t\t{\n\t\t\t\tmPoolSize = _S;\n\t\t\t}\n\t\t}\n\n\t\treturn static_cast<T*>(mPool);\n\t}\n\n\tT* Allocate()\n\t{\n\n\t\tif ( mPool == NULL )\n\t\t{\n\t\t\tmPool = 
static_cast<T*>(ExAllocatePoolWithTag(\t\tPoolType,\n\t\t\t\t\t\t\t\t\t\t\t\tsizeof(T),\n\t\t\t\t\t\t\t\t\t\t\t\tPoolTag));\n\n\t\t\tif ( mPool )\n\t\t\t{\n\t\t\t\tmPoolSize = sizeof(T);\n\t\t\t}\n\t\t}\n\n\t\treturn mPool;\n\t}\n\n\tvoid Free()\n\t{\n\t\tif ( mPool )\n\t\t{\n\t\t\tExFreePool(mPool);\n\t\t\tmPool = NULL;\n\t\t\tmPoolSize = 0;\n\t\t}\n\t}\n\n\tINT3264 Size()\n\t{\n\t\treturn mPoolSize;\n\t}\n\nprivate:\n\n\tT* mPool;\n\tULONG_PTR mPoolSize;\n\tULONG_PTR mReference;\n\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CString.cpp",
    "content": "#include \"CString.h\"\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CString.h",
    "content": "#ifndef _CStringT_h\n#define _CStringT_h\n#include <CppLib.h>\n\ntemplate<typename T, int COUNT>\nclass CStringT\n{\npublic:\n\tCStringT(void)\n\t{\n\n\t}\n\n\tvirtual ~CStringT(void)\n\t{\n\n\t}\n\n\toperator T*()\n\t{\n\t\treturn pT;\n\t}\n\nprotected:\n\tT pT[COUNT];\n};\n\n\nclass CStringW: public CStringT<WCHAR*,1>\n{\npublic:\n\tCStringW()\n\t{\n\t\tmemset(this,0,sizeof(*this));\n\t}\n\n\t~CStringW()\n\t{\n\n\t}\nprivate:\n\tUSHORT mLength;\n\tUSHORT mMaxLength;\n};\n\ntemplate<int COUNT>\nclass CStackStringW : public CStringT<WCHAR,COUNT>\n{\npublic:\n\tCStackStringW()\n\t{\n\n\t}\n\n\t~CStackStringW()\n\t{\n\n\t}\n\n\tWCHAR& operator [](int n)\n\t{\n\t\treturn pT[n];\n\t}\n\n\toperator WCHAR*()\n\t{\n\t\treturn &pT[0];\n\t}\n\n\tWCHAR* operator &()\n\t{\n\t\treturn &pT[0];\n\t}\n\n};\n\n\n\n#endif\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CSysmonBase.cpp",
    "content": "#include \"CSysmonBase.h\"\n#include <CErrorStatus.h>\n#include <cpplib.h>\n\nCSysmonBase::CSysmonBase(void)\n{\n}\n\n\nCSysmonBase::~CSysmonBase(void)\n{\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nUSHORT\nCSysmonBase::SysmonIsNamedPipe(PCFLT_RELATED_OBJECTS pFltFileObj)\n{\n\tCErrorStatus Status;\n\tUSHORT Type;\t\n\tUNICODE_STRING DestinationString;\n\tUNICODE_STRING String2;\n\tUNICODE_STRING String1;\n\tSIZE_T NumberOfBytes;\n\n\tString1.Buffer = 0;\n\tString1.Length = 0;\n\n\tStatus = FltGetVolumeName(\n\t\t\t\t\t\t\tpFltFileObj->Volume,\n\t\t\t\t\t\t\t&String1,\n\t\t\t\t\t\t\t&NumberOfBytes);\n\n\tif ( Status == STATUS_BUFFER_TOO_SMALL )\n\t{\n\t\tif ( NumberOfBytes != 36 && NumberOfBytes != 34 )\n\t\t\treturn 0;\n\n\t\tString1.Buffer = (PWSTR)ExAllocatePoolWithTag(\n\t\t\t\t\t\t\t\t\t\t\t\t\tNonPagedPool,\n\t\t\t\t\t\t\t\t\t\t\t\t\tNumberOfBytes,\n\t\t\t\t\t\t\t\t\t\t\t\t\t'PsyS');\n\t\tif ( !String1.Buffer )\n\t\t\treturn 0;\n\n\t\tString1.Length = NumberOfBytes & 0xFF;\n\t\tString1.MaximumLength = NumberOfBytes & 0xFF;\n\t\tStatus = FltGetVolumeName(\n\t\t\t\t\t\t\tpFltFileObj->Volume, \n\t\t\t\t\t\t\t&String1,\n\t\t\t\t\t\t\t&NumberOfBytes);\n\t}\n\n\tdo \n\t{\n\t\tif ( Status != STATUS_SUCCESS)\n\t\t{\n\t\t\tif ( !String1.Buffer )\n\t\t\t\treturn 0;\n\n\t\t\tExFreePoolWithTag(\n\t\t\t\t\t\t\tString1.Buffer,\n\t\t\t\t\t\t\t'EPIP');\n\t\t\treturn 0;\n\t\t}\n\n\t\tRtlInitUnicodeString(\n\t\t\t&DestinationString,\n\t\t\tL\"\\\\Device\\\\NamedPipe\");\n\t\tRtlInitUnicodeString(\n\t\t\t\t\t\t&String2,\n\t\t\t\t\t\tL\"\\\\\");\n\n\t\t// Check whether the volume name is \\Device\\NamedPipe (NOTE(review): String1.Buffer is allocated above with pool tag 'PsyS' but freed below with 'EPIP'; mismatched pool tags should be reconciled)\n\t\tif ( RtlCompareUnicodeString(\n\t\t\t\t\t\t\t\t\t&String1,\n\t\t\t\t\t\t\t\t\t&DestinationString,\n\t\t\t\t\t\t\t\t\t1) )\n\t\t{\n\t\t\tif ( RtlCompareUnicodeString(\n\t\t\t\t\t\t\t\t\t\t&String1,\n\t\t\t\t\t\t\t\t\t\t&String2, \n\t\t\t\t\t\t\t\t\t\t1) 
)\n\t\t\t{\n\n\t\t\t\tExFreePoolWithTag(\n\t\t\t\t\tString1.Buffer,\n\t\t\t\t\t'EPIP');\n\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\tExFreePoolWithTag(\n\t\t\t\t\t\t\tString1.Buffer, \n\t\t\t\t\t\t\t'EPIP');\n\t\t\tType = 1;// 1 = volume name is a single backslash (0 = any other volume, or the name lookup failed)\n\t\t}\n\t\telse\n\t\t{\n\t\t\tExFreePoolWithTag(\n\t\t\t\t\t\t\tString1.Buffer,\n\t\t\t\t\t\t\t'EPIP');\n\t\t\tType = 2;// 2 = volume is \\Device\\NamedPipe, i.e. a named pipe\n\t\t}\n\n\t} while (FALSE);\t\n\n\treturn Type;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nBOOL \nCSysmonBase::SysmonFileIsCommonName(\n\t\t\t\t\t\t\tPFLT_CALLBACK_DATA CallbackData\n\t\t\t\t\t\t\t)\n{\n\tBOOL IsDirectory;\n\tPFLT_FILE_NAME_INFORMATION FileNameInformation;\n\n\tIsDirectory = 0;\n\tif ( CallbackData )\n\t{\n\t\tif ( !CallbackData->Iopb->MajorFunction )\n\t\t{\n\t\t\tFileNameInformation = 0;\n\n\t\t\t// #define FLT_FILE_NAME_NORMALIZED    0x01\n\t\t\t//     #define FLT_FILE_NAME_OPENED        0x02\n\t\t\t//     #define FLT_FILE_NAME_SHORT         0x03\n\t\t\t//  #define FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP 0x0400\n\t\t\tif ( NT_SUCCESS(FltGetFileNameInformation(\n\t\t\t\t\t\t\t\t\tCallbackData,\n\t\t\t\t\t\t\t\t\tFLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP |\n\t\t\t\t\t\t\t\t\tFLT_FILE_NAME_OPENED,\n\t\t\t\t\t\t\t\t\t&FileNameInformation)) )\n\t\t\t{\n\t\t\t\tif ( NT_SUCCESS(FltParseFileNameInformation(FileNameInformation))\n\t\t\t\t\t&& !FileNameInformation->ParentDir.Length\n\t\t\t\t\t&& !FileNameInformation->Share.Length\n\t\t\t\t\t&& !FileNameInformation->FinalComponent.Length\n\t\t\t\t\t&& !FileNameInformation->Extension.Length\n\t\t\t\t\t&& FileNameInformation->Volume.Length )\n\t\t\t\t{\n\t\t\t\t\tIsDirectory = 1;\n\t\t\t\t}\n\n\t\t\t\tFltReleaseFileNameInformation(FileNameInformation);\n\t\t\t}\n\t\t}\n\t}\n\n\treturn IsDirectory;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nbool 
\nCSysmonBase::SysmonQueryFileFileAttributes(PFLT_RELATED_OBJECTS pFltObj)\n{\n\tFILE_BASIC_INFORMATION FileBaseInfo;\n\n\treturn NT_SUCCESS(FltQueryInformationFile(\n\t\t\t\t\t\t\tpFltObj->Instance,\n\t\t\t\t\t\t\tpFltObj->FileObject,\n\t\t\t\t\t\t\t&FileBaseInfo,\n\t\t\t\t\t\t\tsizeof(FileBaseInfo), \n\t\t\t\t\t\t\tFileBasicInformation, 0))\n\t\t&& !(FileBaseInfo.FileAttributes &\n\t\t(FILE_ATTRIBUTE_DEVICE|\n\t\tFILE_ATTRIBUTE_DIRECTORY));\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CSysmonBase.h",
    "content": "#ifndef _CSysmonBase_h\n#define _CSysmonBase_h\n\n#include <cpplib.h>\n#include <fltKernel.h>\n\nclass CSysmonBase\n{\npublic:\n\tCSysmonBase(void);\n\t~CSysmonBase(void);\n\npublic:\n\tstatic\n\tUSHORT \n\tSysmonIsNamedPipe(\n\t\t\t\t\tPCFLT_RELATED_OBJECTS pFltFileObj\n\t\t\t\t\t);\n\n\tstatic\n\tBOOL \n\tSysmonFileIsCommonName(\n\t\t\t\t\tPFLT_CALLBACK_DATA CallbackData\n\t\t\t\t\t);\n\n\tstatic\n\tbool \n\tSysmonQueryFileFileAttributes(\n\t\t\t\t\tPFLT_RELATED_OBJECTS pFltObj\n\t\t\t\t\t);\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CUnicodeString.cpp",
    "content": "#include \"CUnicodeString.h\"\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCUnicodeString::CUnicodeString(void)\n{\n\tmString.Buffer = NULL;\n\tmString.Length = 0;\n\tmString.MaximumLength = 0;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCUnicodeString::CUnicodeString(const CUnicodeString& String)\n{\n\tmString.Buffer = String.mString.Buffer;\n\tmString.Length = String.mString.Length;\n\tmString.MaximumLength = String.mString.MaximumLength;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCUnicodeString::CUnicodeString(const PUNICODE_STRING& pString)\n{\n\n\tif (pString)\n\t{\n\t\t__try\n\t\t{\n\t\t\tmString.Buffer = pString->Buffer;\n\t\t\tmString.Length = pString->Length;\n\t\t\tmString.MaximumLength = pString->MaximumLength;\n\t\t}\n\t\t__except(EXCEPTION_EXECUTE_HANDLER)\n\t\t{\n\n\t\t}\n\t\t\n\t}\n\t\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCUnicodeString::~CUnicodeString(void)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nPUNICODE_STRING CUnicodeString::operator &()\n{\n\treturn &mString;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nCUnicodeString::operator PUNICODE_STRING()\n{\n\treturn &mString;\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid CUnicodeString::operator =(const WCHAR* pString)\n{\n\tif (pString)\n\t{\n\t\tRtlInitUnicodeString(&mString,pString);\n\t}\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid CUnicodeString::operator =(WCHAR* pString)\n{\n\tif 
(pString)\n\t{\n\t\tRtlInitUnicodeString(&mString,pString);\n\t}\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CUnicodeString.h",
    "content": "#ifndef _CUnicodeString_h\n#define _CUnicodeString_h\n\n\n#include <CppLib.h>\n\n\nclass CUnicodeString\n{\npublic:\n\tCUnicodeString(void);\n\tCUnicodeString(const CUnicodeString& String);\n\tCUnicodeString(const PUNICODE_STRING& pString);\n\tvirtual ~CUnicodeString(void);\n\n\tPUNICODE_STRING operator &();\n\n\toperator PUNICODE_STRING();\n\n\tvoid operator =(const WCHAR* pString);\n\tvoid operator =(WCHAR* pString);\nprivate:\n\tUNICODE_STRING mString;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CVersion.cpp",
    "content": "#include \"CVersion.h\"\n\nCVersion::CVersion(void)\n\t:mMajorVersion(0)\n\t,mMinorVersion(0)\n\t,mBuildNumber(0)\n{\n}\n\n\nCVersion::~CVersion(void)\n{\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid CVersion::GetOsVersion()\n{\n\tOSVERSIONINFOW VersionInformation;\n\tVersionInformation.dwOSVersionInfoSize = sizeof(OSVERSIONINFOW);\n\tif (NT_SUCCESS(::RtlGetVersion(&VersionInformation)))\n\t{\n\t\tmMajorVersion = VersionInformation.dwMajorVersion;\n\t\tmMinorVersion = VersionInformation.dwMinorVersion;\n\t}\n}\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nvoid CVersion::PsGetVersion()\n{\n\t::PsGetVersion(&mMajorVersion,&mMinorVersion, &mBuildNumber, 0);\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nULONG CVersion::GetMajorVersion()\n{\n\treturn mMajorVersion;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nULONG CVersion::GetMinorVersion()\n{\n\treturn mMinorVersion;\n}\n\n\n/**********************************************************************************/\n#pragma LOCKEDCODE\n\nULONG CVersion::GetBuilderNumber()\n{\n\treturn mBuildNumber;\n}"
  },
  {
    "path": "Sysmon.sys/cpplib/CVersion.h",
    "content": "#ifndef _CVersion_h\n#define _CVersion_h\n#include <cpplib.h>\n\nclass CVersion\n{\npublic:\n\tCVersion(void);\n\t~CVersion(void);\n\n\tvoid GetOsVersion();\n\tvoid PsGetVersion();\n\n\tULONG GetMajorVersion();\n\tULONG GetMinorVersion();\n\tULONG GetBuilderNumber();\n\t\nprivate:\n\tULONG mMajorVersion;\n\tULONG mMinorVersion;\n\tULONG mBuildNumber;\n\tULONG mCSDVersion;\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/cpplib/CppLib.cpp",
    "content": "#include \"CppLib.h\"\n#include <excpt.h>\n#include \"CAssert.h\"\nAtExitEntry *AtExitEntryList = NULL;\n\n\n// Exported variables\n\n#if defined(_IA64_) || defined(_AMD64_)\n#pragma section(\".CRT$XCA\",long,read)\n__declspec(allocate(\".CRT$XCA\")) void(*__ctors_begin__[1])(void) = { 0 };\n#pragma section(\".CRT$XCZ\",long,read)\n__declspec(allocate(\".CRT$XCZ\")) void(*__ctors_end__[1])(void) = { 0 };\n#pragma data_seg()\n#else\n#pragma data_seg(\".CRT$XCA\")\nvoid(*__ctors_begin__[1])(void) = { 0 };\n#pragma data_seg(\".CRT$XCZ\")\nvoid(*__ctors_end__[1])(void) = { 0 };\n#pragma data_seg()\n#endif\n\n#pragma data_seg(\".STL$A\")\nvoid(*___StlStartInitCalls__[1])(void) = { 0 };\n#pragma data_seg(\".STL$L\")\nvoid(*___StlEndInitCalls__[1])(void) = { 0 };\n#pragma data_seg(\".STL$M\")\nvoid(*___StlStartTerminateCalls__[1])(void) = { 0 };\n#pragma data_seg(\".STL$Z\")\nvoid(*___StlEndTerminateCalls__[1])(void) = { 0 };\n#pragma data_seg()\n\n\n#pragma data_seg(\".CRT$XCA\")\nPtrVoidFunc __xc_a[] = {NULL};\n#pragma data_seg(\".CRT$XCZ\")\nPtrVoidFunc __xc_z[] = {NULL};\n#pragma data_seg()\n\n// Functions\n\nEXTERN_C\nint\n__cdecl _cinit(\n__in int\n\t)\n{\n\tfor (void(**ctor)(void) = __ctors_begin__ + 1;\n\t\tctor < __ctors_end__;\n\t\tctor++)\n\t{\n\t\t(*ctor)();\n\t}\n\treturn 0;\n}\n\nint \n_cdecl \natexit(PtrVoidFunc func)\n{\n\tAtExitEntry\t*newEntry;\n\n\tif (!func)\n\t{\n\t\treturn 0;\n\t}\n\n\tnewEntry = new AtExitEntry;\n\n\tif (IsNull(newEntry))\n\t\treturn 0;\n\n\tnewEntry->func = func;\n\n\tnewEntry->next = AtExitEntryList;\n\tAtExitEntryList = newEntry;\n\n\treturn 1;\n}\n\nEXTERN_C\nvoid\n__cdecl doexit(\n\t__in int /*code*/,\n\t__in int /*quick*/,\n\t__in int /*retcaller*/\n\t)\n{\n\tfor (AtExitEntry* entry = AtExitEntryList; entry;)\n\t{\n\t\tAtExitEntry* next = entry->next;\n\t\tdelete entry;\n\t\tentry = next;\n\t}\n}\n\nvoid * \nNewHelper(\n\t\tsize_t\t\tsize,\n\t\tMemoryType\tmemType)\n{\n\tCAssert(size);\n\n\tif ( size == 0 
)\n\t\tsize = 1;\t// required by standard!\n\n//#if PGP_DEBUG\n\tvoid\t*pMem\t= ExAllocatePoolWithTag(\n\t\t\t\t\t\t\t\t\t(POOL_TYPE)memType,\n\t\t\t\t\t\t\t\t\tsize, \n\t\t\t\t\t\t\t\t\t'zpmt');\n//#else\t// !PGPDISK_DEBUG\n\t//void\t*pMem\t= ExAllocatePool(NonPagedPool, size);\n//#endif\t// PGPDISK_DEBUG\n\n// #if PGP_DEBUG\n// \tif (IsntNull(pMem))\n// \t\tpgpDebugWhackMemory(pMem, size);\n// #endif\t// PGP_DEBUG\n\n\treturn pMem;\n};\n\nvoid \nDeleteHelper(void *p)\n{\n\tif ( IsNull(p) )\n\t\tExFreePool(p);\n}\n\nvoid  \nCallGlobalConstructors()\n{\n\tPtrVoidFunc\t*pfbegin, *pfend;\n\n\tpfbegin = __xc_a;\n\tpfend = __xc_z;\n\n\twhile (pfbegin < pfend)\n\t{\n\t\tif (*pfbegin != NULL)\n\t\t\t(**pfbegin)();\n\n\t\t++pfbegin;\n\t}\n}\n\nvoid \nCallGlobalDestructors()\n{\n\tAtExitEntry\t*curEntry, *nextEntry;\n\n\tcurEntry = AtExitEntryList;\n\n\twhile (IsNull(curEntry))\n\t{\n\t\tcurEntry->func();\n\t\tnextEntry = curEntry->next;\n\t\tdelete curEntry;\n\t\tcurEntry = nextEntry;\n\t}\n}\n\n\n//except\n\nEXCEPTION_DISPOSITION \nCxxFrameHandler3(\n\t__in void* pExcept, // Information for this exception\n\t__in ULONG_PTR RN, // Dynamic information for this frame\n\t__in void* pContext, // Context info\n\t__in void* pDC // More dynamic info for this frame\n\t)\n{\n\t__debugbreak();\n\treturn EXCEPTION_DISPOSITION::ExceptionNestedException;\n}\n\n#ifdef _WIN64\n\nextern \"C\"\n\tvoid \n\t_CxxThrowException(\n\t__in void *, \n\t__in _ThrowInfo *\n\t)\n{\n}\n\n#else\n\nextern \"C\"\n\tvoid\n\t__stdcall\n\t_CxxThrowException(\n\t__in void *, \n\t__in _ThrowInfo *\n\t)\n{\n}\n\n\n#endif\n\ntype_info::type_info() {\n}\n\ntype_info::~type_info() {\n}\n\nchar const *\ntype_info::name() const {\n\t\treturn \"N/A\";\n}\n\nbool \ntype_info::operator==(type_info const & right) const {\n\t\treturn false;\n}\n\nbool \ntype_info::operator!=(type_info const & right) const {\n\t\treturn false;\n}\n\nbool\ntype_info::before(type_info const & right) const {\n\t\treturn 
false;\n}\n\ntype_info::type_info(type_info const & right) {\n}\n"
  },
  {
    "path": "Sysmon.sys/cpplib/CppLib.h",
    "content": "#ifndef _CPP_LIB_h\n#define _CPP_LIB_h\n#include <ntifs.h>\n#include <strsafe.h>\n\ntypedef char CHAR;\ntypedef unsigned char UCHAR;\ntypedef unsigned char BOOLEAN;\ntypedef wchar_t WCHAR;\ntypedef unsigned char boolean;\ntypedef unsigned __int32 UINT32;\ntypedef unsigned int ULONG32, *PULONG32;\ntypedef unsigned int DWORD32, *PDWORD32;\ntypedef int BOOL;\ntypedef signed char         INT8, *PINT8;\ntypedef signed short        INT16, *PINT16;\ntypedef signed int          INT32, *PINT32;\ntypedef signed __int64      INT64, *PINT64;\ntypedef unsigned char       UINT8, *PUINT8;\ntypedef unsigned short      UINT16, *PUINT16;\ntypedef unsigned int        UINT32, *PUINT32;\ntypedef unsigned __int64    UINT64, *PUINT64;\n\ntypedef __int64  INT64;\ntypedef __int3264 ADDRPOINT;\ntypedef __int3264 INT3264;\ntypedef unsigned int UINT;\ntypedef unsigned char BYTE;\ntypedef unsigned long ULONG;\ntypedef short SHORT;\ntypedef unsigned short USHORT;\n\n\n#define IsNull(a) (a == NULL)\n\n#define PAGEDCODE\tcode_seg(\"PAGE\")\n#define LOCKEDCODE\tcode_seg()\n#define INITCODE\tcode_seg(\"INIT\")\n\n\n#ifndef __cplusplus\nextern \"C\"{\n#endif\n\n\t// Types\n\ntypedef void (_cdecl *PtrVoidFunc)(void);\n\nstruct AtExitEntry\n{\n\tPtrVoidFunc func;\n\tAtExitEntry *next;\n};\n\n// Static variables\n\nint \n_cdecl \natexit(PtrVoidFunc func);\n\n#ifndef __cplusplus\n};\n#endif\n\ntypedef enum MemoryType\n{\n\tkDefaultMemType = NonPagedPool,\n};\n\nvoid * \nNewHelper(\n\tsize_t\t\tsize,\n\tMemoryType\tmemType);\n\nvoid \nDeleteHelper(void *p);\n\ninline \nvoid*\n_cdecl \noperator new(size_t size)\n{\n\treturn NewHelper(size,kDefaultMemType);\n}\n\ninline \nvoid * \n_cdecl \noperator new[](size_t size)\n{\n\treturn NewHelper(size,kDefaultMemType);\n}\n\ninline \nvoid * \n_cdecl \n\toperator new(size_t size, MemoryType memType)\n{\n\treturn NewHelper(size, memType);\n}\n\ninline \n\tvoid * \n\t_cdecl \n\toperator new[](size_t size, MemoryType memType)\n{\n\treturn 
NewHelper(size, memType);\n}\n\n// Placement new.\n\ninline \nvoid * \n_cdecl \noperator new(size_t size, void *pMem)\n{\n\t(void) size;\n\treturn pMem;\n}\n\ninline \n\tvoid * \n\t_cdecl \n\toperator new[](size_t size, void *pMem)\n{\n\t(void) size;\n\treturn pMem;\n}\n\n\n// Operator delete functions\n\ninline \n\tvoid \n\t_cdecl \n\toperator delete(void *p)\n{ \n\tDeleteHelper(p);\n}\n\ninline \n\tvoid \n\t_cdecl \n\toperator delete[](void *p)\n{ \n\tDeleteHelper(p);\n}\n\ninline \n\tvoid \n\t_cdecl \n\toperator delete(void *p, MemoryType memType)\n{ \n\t(void) memType;\n\tDeleteHelper(p);\n}\n\ninline \n\tvoid \n\t_cdecl \n\toperator delete[](void *p, MemoryType memType)\n{ \n\t(void) memType;\n\tDeleteHelper(p);\n}\n\n\n// Placement delete.\n\ninline \nvoid \n_cdecl \noperator delete(void *pMem1, void *pMem2)\n{\n\t(void) pMem1;\n\t(void) pMem2;\n\n\treturn;\n}\n\ninline \nvoid \n_cdecl \noperator delete[](void *pMem1, void *pMem2)\n{\n\t(void) pMem1;\n\t(void) pMem2;\n\treturn;\n}\n\nvoid  \n\tCallGlobalConstructors();\nvoid \n\tCallGlobalDestructors();\n\nextern \"C\"\nEXCEPTION_DISPOSITION \nCxxFrameHandler3(\n\t__in void* pExcept, // Information for this exception\n\t__in ULONG_PTR RN, // Dynamic information for this frame\n\t__in void* pContext, // Context info\n\t__in void* pDC // More dynamic info for this frame\n\t);\n\n\nclass type_info {\npublic:\n\ttype_info();\n\tvirtual ~type_info();\n\n\tchar const * name() const;\n\n\tbool operator==(type_info const & right) const;\n\tbool operator!=(type_info const & right) const;\n\tbool before(type_info const & right) const;\n\nprivate:\n\ttype_info(type_info const & right);\n\ttype_info & operator=(type_info const & right);\n};\n\n#endif"
  },
  {
    "path": "Sysmon.sys/stdafx.cpp",
    "content": "// stdafx.cpp : source file that includes just the standard includes\n// Sysmon.sys.pch will be the pre-compiled header\n// stdafx.obj will contain the pre-compiled type information\n\n#include \"stdafx.h\"\n\n// TODO: reference any additional headers you need in STDAFX.H\n// and not in this file\n"
  },
  {
    "path": "Sysmon.sys/stdafx.h",
    "content": "// stdafx.h : include file for standard system include files,\n// or project specific include files that are used frequently, but\n// are changed infrequently\n//\n\n#pragma once\n\n#include \"targetver.h\"\n\n#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers\n// Windows Header Files:\n#include <CppLib.h>\n\n\n\n// TODO: reference additional headers your program requires here\n"
  },
  {
    "path": "Sysmon.sys/targetver.h",
    "content": "#pragma once\n\n// Including SDKDDKVer.h defines the highest available Windows platform.\n\n// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and\n// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.\n\n\n"
  }
]