RBoxIOCPNotifs.cpp
//
// Created by hx1997 on 2018/3/11.
//
#define BUFSIZE 256
#include <cstdio>
#include <windows.h>
#include "RBoxMessage.h"
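// Builds and issues one "<label>: [<pid>] <image path>" message for a
// per-process job notification.
//
// label        - event description, e.g. "Process run".
// lpOverlapped - the value dequeued from the completion port; the per-process
//                cases below treat it as the process ID, not as a pointer.
//
// The path lookup is best effort: when the process cannot be opened or
// queried, the path is reported as "???". NOTE(review): the lookup is by PID
// after the event was queued, so for exit/crash events the process may already
// be gone, or the PID may have been reused; treat the path as a hint when
// reading these messages as an audit trail.
static void ReportProcessEvent(const char *label, LPOVERLAPPED lpOverlapped) {
    // Go through ULONG_PTR so the pointer-to-DWORD narrowing is explicit and
    // well-formed on 64-bit builds.
    DWORD dwPID = (DWORD)(ULONG_PTR)lpOverlapped;

    // Fresh per event: a failed lookup must not reuse the previous process's
    // path, and dwSize is in/out (the query overwrites it with the length
    // written), so it has to start at the full capacity on every call.
    CHAR szPath[MAX_PATH] = "???";
    DWORD dwSize = MAX_PATH;
    char msg[BUFSIZE];

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPID);
    if (hProcess != NULL) {
        if (!QueryFullProcessImageNameA(hProcess, 0, szPath, &dwSize)) {
            // Do not rely on the buffer being left untouched on failure.
            snprintf(szPath, sizeof szPath, "%s", "???");
        }
        CloseHandle(hProcess);
    }

    // The image path belongs to the sandboxed process and may be up to
    // MAX_PATH (260) characters, which alone exceeds BUFSIZE (256): the write
    // must be bounded, and an over-long path is truncated rather than
    // overflowing msg. %lu matches DWORD (unsigned long).
    snprintf(msg, sizeof msg, "%s: [%lu] %s", label, dwPID, szPath);
    IssueMessage(msg, MSGTYPE_INFO);
}

// Drains job-object notifications from the completion port hIocp and reports
// them through IssueMessage until the special 0xCAFE event is dequeued.
//
// hIocp - completion port handle to poll.
//
// Each wait uses a 100 ms timeout; a failed or timed-out wait is retried.
// NOTE(review): a persistent failure (for example a closed handle) is retried
// in the same way, so this loop only ends on 0xCAFE - confirm the caller
// always posts it before closing the port.
void PollCompletionPort(HANDLE hIocp) {
    DWORD dwEvent;
    ULONG_PTR lpCompKey;
    LPOVERLAPPED lpOverlapped;

    while (true) {
        if (!GetQueuedCompletionStatus(hIocp, &dwEvent, &lpCompKey, &lpOverlapped, 100))
            continue;

        switch (dwEvent) {
            case JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO:
                IssueMessage("All processes have ended in the sandbox!", MSGTYPE_INFO);
                break;
            case JOB_OBJECT_MSG_NEW_PROCESS:
                ReportProcessEvent("Process run", lpOverlapped);
                break;
            case JOB_OBJECT_MSG_EXIT_PROCESS:
                ReportProcessEvent("Process exited", lpOverlapped);
                break;
            case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS:
                ReportProcessEvent("Process crashed", lpOverlapped);
                break;
            case 0xCAFE:
                // A special signal that terminates the thread
                return;
            default:
                break;
        }
    }
}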