📄 nkcrypt.c
字号:
/*****************************************************************
*
* Reversed By yykingking (yykingking@126.com)
* 仅供学习交流使用
*****************************************************************/
#include "header.h"
#include <stdio.h>
__declspec(dllimport) char KeNumberProcessors;
__declspec(dllimport) int KeSetAffinityThread( PKTHREAD pKThread, int Num);
char ASCIITable_92[] =
{
0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,
0x2D, 0x3D, 0x08, 0x09, 0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x5B, 0x5D,
0x0A, 0x00, 0x61, 0x73, 0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x27, 0x60, 0x00, 0x5C,
0x7A, 0x78, 0x63, 0x76, 0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x80,
0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x00, 0x00, 0x92, 0x97, 0x94, 0x2D, 0x96,
0x35, 0x99, 0x2B, 0x93, 0x98, 0x95, 0x90, 0x91, 0x00, 0x00, 0x00, 0x8A, 0x8B, 0x00, 0x00, 0x00
};
char SHIFT_ASCIITable_92[] =
{
0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09,
0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x7B, 0x7D, 0x0A, 0x00, 0x41, 0x53,
0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x5A, 0x58, 0x43, 0x56,
0x42, 0x4E, 0x4D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x80, 0x81, 0x82, 0x83, 0x84,
0x85, 0x86, 0x87, 0x88, 0x89, 0x00, 0x00, 0x92, 0x97, 0x94, 0x2D, 0x96, 0x35, 0x99, 0x2B, 0x93,
0x98, 0x95, 0x90, 0x91, 0x00, 0x00, 0x00, 0x8A, 0x8B, 0x00, 0x00, 0x00
};
char ASCIITable_128[] =
{
0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,
0x2D, 0x5E, 0x08, 0x09, 0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x40, 0x5B,
0x0A, 0x00, 0x61, 0x73, 0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x3A, 0x00, 0x00, 0x5D,
0x7A, 0x78, 0x63, 0x76, 0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x80,
0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x00, 0x00, 0x92, 0x97, 0x94, 0x2D, 0x96,
0x35, 0x99, 0x2B, 0x93, 0x98, 0x95, 0x90, 0x91, 0x00, 0x00, 0x00, 0x8A, 0x8B, 0x00, 0x00, 0x00,
00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 0x5C, 00, 00, 00, 00, 00, 00, 00, 00,
00, 0x5C, 00, 00
};
char SHIFT_ASCIITable_128[] =
{
0x00, 0x1B, 0x21, 0x22,
0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x00, 0x3D, 0x7E, 0x08, 0x09, 0x51, 0x57, 0x45, 0x52,
0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x60, 0x7B, 0x0A, 0x00, 0x41, 0x53, 0x44, 0x46, 0x47, 0x48,
0x4A, 0x4B, 0x4C, 0x2B, 0x2A, 0x00, 0x00, 0x7D, 0x5A, 0x58, 0x43, 0x56, 0x42, 0x4E, 0x4D, 0x3C,
0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88,
0x89, 0x00, 0x00, 0x92, 0x97, 0x94, 0x2D, 0x96, 0x35, 0x99, 0x2B, 0x93, 0x98, 0x95, 0x90, 0x91,
00, 00, 00, 0x8A, 0x8B, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x5F,
00, 00, 00, 00, 00, 00, 00, 00, 00, 0x7C, 00, 00
};
DWORD IndexTable[128] =
{
0,1,2,3,4,5,6,7,8,9,0xA, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x65, 0x6D, 0x64, 0x6E, 0x26, 0x25,
0x43, 0x5B, 0x54, 0x5E, 0x5D, 0x7A, 0x7B, 0x27, 0x73, 0x24, 0x42, 0x6B, 0x77, 0x53, 0x35, 0x36, 0x37,
0x28, 0x6F, 0x23, 0x56, 0x6A, 0x5F, 0x34, 0x79, 0x51, 0x72, 0x29, 0x70, 0x22, 0x57, 0x5A, 0x33, 0x52,
0x2A, 0x48, 0x63, 0x7C, 0x71, 0x21, 0x41, 0x40, 0x31, 0x60, 0x2B, 0x62, 0x74, 0x38, 0x39, 0x20, 0x69,
0x3F, 0x32, 0x61, 0x2C, 0x45, 0x4F, 0x4D, 0x76, 0x55, 0x58, 0x3E, 0x2F, 0x46, 0x2D, 0x50, 0x78, 0x7D,
0x7E, 0x3A, 0x59, 0x3D, 0x30, 0x47, 0x2E, 0x44, 0x4E, 0x5C, 0x66, 0x68, 0x3B, 0x3C, 0x75, 0x49, 0x4A,
0x4B, 0x6C, 0x4C, 0x67, 0x7F
};
char CanBeInputCode[] =
{
0x2,0x82,0x3,0x83,0x4,0x84,0x5,0x85,0x6,0x86,0x7,0x87,0x8,0x88,0x9,0x89,0xA,0x8A,0xB,0x8B,
0x0C, 0x8C, 0x0D, 0x8D, 0x10, 0x90, 0x11, 0x91, 0x12, 0x92, 0x13, 0x93, 0x14, 0x94, 0x15, 0x95,
0x16, 0x96, 0x17, 0x97, 0x18, 0x98, 0x19, 0x99, 0x1A, 0x9A, 0x1B, 0x9B, 0x1E, 0x9E, 0x1F, 0x9F,
0x20, 0xA0, 0x21, 0xA1, 0x22, 0xA2, 0x23, 0xA3, 0x24, 0xA4, 0x25, 0xA5, 0x26, 0xA6, 0x27, 0xA7,
0x28, 0xA8, 0x29, 0xA9, 0x2B, 0xAB, 0x2C, 0xAC, 0x2D, 0xAD, 0x2E, 0xAE, 0x2F, 0xAF, 0x30, 0xB0,
0x31, 0xB1, 0x32, 0xB2, 0x33, 0xB3, 0x34, 0xB4, 0x35, 0xB5, 0x37, 0xB7, 0x4A, 0xCA, 0x4E, 0xCE
};
// ---CanBeInputCode:(100b)
// 2--d (缺0x7d) (1234567890-=)
// LetterScanCode (a-z)
// 多0x29(`)
// 33-35h (,./)
// (缺0x73)
// 37h 4ah 4eh (*-+)
// ---CanBeInputPlusCode:(104b)
// 2--d (1234567890-=)
// 0x7d
// LetterScanCode(a-z)
// 33-35h (,./)
// 73h
// 37h 4ah 4eh (*-+)
// 0x0000
char CanBeInputCodePlus[] =
{
0x2,0x82,0x3,0x83,0x4,0x84,0x5,0x85,0x6,0x86,0x7,0x87,0x8,0x88,0x9,0x89,0xA,0x8A,0xB,0x8B,
0x0C, 0x8C, 0x0D, 0x8D, 0x10, 0x90, 0x11, 0x91, 0x12, 0x92, 0x13, 0x93, 0x14, 0x94, 0x15, 0x95,
0x16, 0x96, 0x17, 0x97, 0x18, 0x98, 0x19, 0x99, 0x1A, 0x9A, 0x1B, 0x9B, 0x1E, 0x9E, 0x1F, 0x9F,
0x20, 0xA0, 0x21, 0xA1, 0x22, 0xA2, 0x23, 0xA3, 0x24, 0xA4, 0x25, 0xA5, 0x26, 0xA6, 0x27, 0xA7,
0x28, 0xA8, 0x2B, 0xAB, 0x2C, 0xAC, 0x2D, 0xAD, 0x2E, 0xAE, 0x2F, 0xAF, 0x30, 0xB0,
0x31, 0xB1, 0x32, 0xB2, 0x33, 0xB3, 0x34, 0xB4, 0x35, 0xB5, 0x37, 0xB7, 0x4A, 0xCA, 0x4E, 0xCE,
0x7D, 0xFD, 0x73, 0xF3, 0x00, 0x00
};
char LetterScanCode[] =
{
0x10, 0x90, 0x11, 0x91, 0x12, 0x92, 0x13, 0x93, 0x14, 0x94, 0x15, 0x95, 0x16, 0x96,
0x17, 0x97, 0x18, 0x98, 0x19, 0x99, 0x1E, 0x9E, 0x1F, 0x9F, 0x20, 0xA0, 0x21, 0xA1,
0x22, 0xA2, 0x23, 0xA3, 0x24, 0xA4, 0x25, 0xA5, 0x26, 0xA6, 0x2C, 0xAC,
0x2D, 0xAD, 0x2E, 0xAE, 0x2F, 0xAF, 0x30, 0xB0, 0x31, 0xB1, 0x32, 0xB2
};
ATTACH_INFO g_AttachInfo;
bool g_IsNT4, g_Is2K, g_IsXp;
PDEVICE_OBJECT g_DeviceObj;
DWORD g_AttachNumber;
PVOID g_pVoidUnknown1;
PSTRUCT_12H g_Buffer12H;
PSTRUCT_17H g_Buffer17H;
int* g_HashTable;
PSTRUCT_THREE g_Buffer8H;
PRKEVENT g_PRKEvent;
DWORD NameOffsetInEproc;
KIRQL g_Kirql;
ULONG g_IntVector,g_IntVector2;
BOOL g_IsMulProcesser=FALSE;
PDRIVER_OBJECT g_DriverObj,g_pDriverObj1;
PUNICODE_STRING g_pUnicodeString;
LOCK_LIST g_LockList1,g_LockList2,g_IDTLockList,g_LockList4;
KSPIN_LOCK g_SpinLock5;
KDPC g_Kdpc;
IDTR g_IDTR,g_IDTR2;
PIDTR g_pIDTR=(&g_IDTR), g_pIDTR2=(&g_IDTR2);
char g_cArrayUnknown1[0x60] = { 0,}; //长度为0x60
bool g_bCanAttach;
int g_intUnknown1;
DWORD g_KBIntEntry; //键盘中断入口处...
bool g_bAlreadyKBEntry=false; //保证KB中断地址只被存一次.....
DWORD g_KBIntEntry1,g_KBIntEntry2;//双核CPU键盘中断入口处...保存用来恢复..
DWORD CanDeleteStruct=0;
bool g_bUnknown1=0,g_bUnknown2=0,g_bUnknown3=0,g_bUnknown4=0;
PDRIVER_ADD_DEVICE AddDeviceFun1;
bool g_bDoSaveAndHook=false;
STRUCT_FOUR g_StructFour;
PDRIVER_DISPATCH DispatchFun1;
DWORD g_DUnKnown1,g_DUnKnown2;
NDIS_TIMER g_NdisTimer;
BYTE g_byteCom1,g_byteCom2;
DWORD g_OldKBEntry;
__declspec (naked) NewIntEntry()
{
__asm
{
sub esp, 4
push ebp
mov ebp, esp
cli
pushfd
pushad
push ds
push es
push gs
push fs
mov bx, 23h
mov ds, bx
mov es, bx
mov gs, bx
mov bx, 30h
mov fs, bx
push eax
call DispatchNewInt
mov g_OldKBEntry, eax
cmp eax, 0
jnz loc_1049B
xor dx, dx
mov dl, 20h
mov al, 20h
out dx, al //; Interrupt controller, 8259A.
pop fs
pop gs
pop es
pop ds
popad
popfd
pop ebp
add esp, 4
iretd
jmp DriverEntry ;
loc_1049B:
pop fs
pop gs
pop es
pop ds
popad
popfd
pop ebp
add esp, 4
jmp cs:g_OldKBEntry
}
}
DWORD GetNameOffsetInEproc()
{
DWORD sys_eproc;
DWORD i;
sys_eproc = (DWORD)IoGetCurrentProcess();
for ( i=0; i<0x3000; i++)
{
if ( strncmp( "System", (const char*)(sys_eproc+i), 6) == 0)
{
return (sys_eproc+i);
}
}
return 0;
}
void GetVersionInfo()
{
UNICODE_STRING CSDVersion;
ULONG MajorVersion;
ULONG MinorVersion;
ULONG BuildNumber;
CSDVersion.MaximumLength = 0x32;
CSDVersion.Length = 0;
PsGetVersion( &MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
if( MajorVersion == 4)
g_IsNT4 = true;
else
g_IsNT4 = false;
if ( MajorVersion == 5 && MinorVersion == 1)
{
g_IsXp = true;
g_Is2K = false;
return;
}
g_IsXp = false;
if ( MajorVersion == 5)
{
g_Is2K = true;
if( MinorVersion == 0)
return;
}
g_Is2K = false;
return;
}
NTSTATUS CreateDevice( PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pUnicodeString)
{
NTSTATUS ret_status;
UNICODE_STRING SymbolicLinkName;
UNICODE_STRING DeviceName;
RtlInitUnicodeString( &DeviceName, L"\\Device\\npkcrypt");
ret_status = IoCreateDevice( pDriverObj, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, 0, &g_DeviceObj);
if ( ret_status != STATUS_SUCCESS )
return ret_status;
RtlInitUnicodeString( &SymbolicLinkName, L"\\DosDevices\\npkcrypt");
ret_status = IoCreateSymbolicLink( &SymbolicLinkName, &DeviceName);
if ( ret_status != STATUS_SUCCESS)
{
IoDeleteDevice( pDriverObj->DeviceObject);
}
pDriverObj->Flags |= 0x14;
return ret_status;
}
NTSTATUS AllocateBuffer()
{
g_Buffer17H = ExAllocatePool( NonPagedPool, 0x17);
if ( g_Buffer17H == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
memset( g_Buffer17H, 0, 0x17);
g_Buffer12H = ExAllocatePool( NonPagedPool, 0x12);
if ( g_Buffer12H == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
memset( g_Buffer12H, 0, 0x12);
g_HashTable = (int*)ExAllocatePool( NonPagedPool, 0x50);
if ( g_HashTable == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
memset( g_HashTable, 0, 0x50);
g_Buffer8H = (PSTRUCT_THREE)ExAllocatePool( NonPagedPool, 0x8);
if ( g_Buffer8H == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
memset( g_Buffer8H, 0, 0x8);
return STATUS_SUCCESS;
}
NTSTATUS AllocateMDL( PVOID VirtualAddress, PVOID* pMapOut,PMDL* ppMdl,ULONG Length)
{
PVOID pMapAddress;
*ppMdl = IoAllocateMdl( *(PVOID*)VirtualAddress, Length, 0, 0, 0);
if ( *ppMdl == NULL)
{
ExFreePool( *(PVOID*)VirtualAddress);
return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool( *ppMdl);
(*ppMdl)->MdlFlags |= 2;
// returns the starting address of the mapped pages
pMapAddress = MmMapLockedPagesSpecifyCache( *ppMdl, 1, 1, 0, 0, 0x10);
(ULONG)pMapAddress |= (*ppMdl)->ByteOffset;
*pMapOut = pMapAddress;
return STATUS_SUCCESS;
}
void FreeBuffer()
{
if ( g_Buffer8H != NULL)
ExFreePool( g_Buffer8H);
if ( g_Buffer12H != NULL)
ExFreePool( g_Buffer12H);
if ( g_Buffer17H != NULL)
ExFreePool( g_Buffer17H);
if ( g_HashTable != NULL)
ExFreePool( g_HashTable);
}
void DeferredRoutine( PKDPC pKdpc, PVOID param1, PVOID param2, PVOID param3)
{
KeSetEvent( g_PRKEvent, 0, 0);
}
NTSTATUS DriverUnload( IN PDRIVER_OBJECT pDriverObj)
{
if ( g_IsMulProcesser)
KeSetAffinityThread( KeGetCurrentThread(), 1);
if ( g_Buffer17H->DoUnhookKBInt && g_Buffer17H->DoDetach)
{
g_AttachInfo.pDeviceObjArray[0]->DriverObject->MajorFunction[IRP_MJ_MAXIMUM_FUNCTION] = DispatchFun1;
g_AttachInfo.pDeviceObjArray[0]->DriverObject->DriverExtension->AddDevice = AddDeviceFun1;
DetachAndDeleteDevice();
ClearLinkDevice();
UnHookKBInt();
g_bDoSaveAndHook = false;
}
else
{
if ( g_Buffer17H->DoUnhookKBInt && (!g_Buffer17H->DoDetach) )
{
UnHookKBInt();
g_bDoSaveAndHook = false;
}
else if ( (!g_Buffer17H->DoUnhookKBInt) && g_Buffer17H->DoDetach )
{
g_AttachInfo.pDeviceObjArray[0]->DriverObject->MajorFunction[IRP_MJ_POWER] = DispatchFun1;
g_AttachInfo.pDeviceObjArray[0]->DriverObject->DriverExtension->AddDevice = AddDeviceFun1;
DetachAndDeleteDevice();
}
ClearLinkDevice();
}
FreeBuffer();
KeRemoveQueueDpc( &g_Kdpc);
return STATUS_SUCCESS;
}
NTSTATUS DispatchIoControl( IN PDEVICE_OBJECT pDeviceObj,IN PIRP pIrp)
{
NTSTATUS Status;
STRUCT_FOUR VarStructFour;
PIO_STACK_LOCATION pIrpStack;
PVOID dPvoid;
PSTRUCT_TWO pStructTwo;
g_StructFour.bFirst = false;
memset( &g_StructFour.bSecond, 0, sizeof(STRUCT_FOUR)-1);
pIrpStack = IoGetCurrentIrpStackLocation( pIrp);
Status = STATUS_SUCCESS;
switch( pIrpStack->Parameters.DeviceIoControl.IoControlCode)
{
case 0x2201e8:
{
g_DUnKnown1 = (DWORD)pIrp->AssociatedIrp.SystemBuffer;
g_Buffer17H->CanReHookKBInt = (bool)g_DUnKnown1;
if ( g_Buffer17H->DoDetach || g_Buffer17H->DoUnhookKBInt)
{
if ( g_DUnKnown1 != 0)
{
HookKBInt();
g_KBIntEntry = GetKeyBoardIntEntry();
g_StructFour.bFirst = 0;
g_StructFour.bSecond = 0;
g_StructFour.Array[0] = 0;
return Status;
}
else
{
UnHookKBInt();
g_KBIntEntry = GetKeyBoardIntEntry();
return Status;
}
}
else
return Status;
}
break;
case 0x22019e:
{
pStructTwo = FindAndCreateStruct(3);
if ( pIrp->MdlAddress->MdlFlags != (MDL_SOURCE_IS_NONPAGED_POOL|MDL_MAPPED_TO_SYSTEM_VA) )
dPvoid = pIrp->MdlAddress->MappedSystemVa;
else
dPvoid = MmMapLockedPagesSpecifyCache( pIrp->MdlAddress, KernelMode, 1, NULL, 0, 0x10);
if ( dPvoid != NULL)
{
memcpy( dPvoid, pStructTwo->StartAddress, pIrpStack->Parameters.DeviceIoControl.OutputBufferLength);
return Status;
}
else
Status = STATUS_INSUFFICIENT_RESOURCES;
}
break;
case 0x220004:
return DoNothing( pDeviceObj, pIrp);
break;
case 0x220008:
return DeleteAllStructByPid( pDeviceObj, pIrp);
break;
case 0x220196:
{
pStructTwo = FindAndCreateStruct(1);
if ( pIrp->MdlAddress->MdlFlags != (MDL_SOURCE_IS_NONPAGED_POOL|MDL_MAPPED_TO_SYSTEM_VA) )
dPvoid = pIrp->MdlAddress->MappedSystemVa;
else
dPvoid = MmMapLockedPagesSpecifyCache( pIrp->MdlAddress, KernelMode, 1, NULL, 0, 0x10);
if ( dPvoid != NULL)
{
memcpy( dPvoid, pStructTwo->StartAddress, pIrpStack->Parameters.DeviceIoControl.OutputBufferLength);
return Status;
}
else
Status = STATUS_INSUFFICIENT_RESOURCES;
}
break;
case 0x22019a:
{
pStructTwo = FindAndCreateStruct(2);
if ( pIrp->MdlAddress->MdlFlags != (MDL_SOURCE_IS_NONPAGED_POOL|MDL_MAPPED_TO_SYSTEM_VA) )
dPvoid = pIrp->MdlAddress->MappedSystemVa;
else
dPvoid = MmMapLockedPagesSpecifyCache( pIrp->MdlAddress, KernelMode, 1, NULL, 0, 0x10);
if ( dPvoid != NULL)
{
memcpy( dPvoid, pStructTwo->StartAddress, pIrpStack->Parameters.DeviceIoControl.OutputBufferLength);
return Status;
}
else
Status = STATUS_INSUFFICIENT_RESOURCES;
}
break;
case 0x2201a2:
{
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -