pStructTwo = FindAndCreateStruct(4);
if ( pIrp->MdlAddress->MdlFlags != (MDL_SOURCE_IS_NONPAGED_POOL|MDL_MAPPED_TO_SYSTEM_VA) )
dPvoid = pIrp->MdlAddress->MappedSystemVa;
else
dPvoid = MmMapLockedPagesSpecifyCache( pIrp->MdlAddress, KernelMode, 1, NULL, 0, 0x10);
if ( dPvoid != NULL)
{
memcpy( dPvoid, pStructTwo->StartAddress, pIrpStack->Parameters.DeviceIoControl.OutputBufferLength);
return Status;
}
else
Status = STATUS_INSUFFICIENT_RESOURCES;
}
break;
case 0x2201a6:
{
if ( g_Buffer17H->DoUnhookKBInt || g_Buffer17H->DoDetach)
CopyStructFour( &VarStructFour);
if ( pIrp->MdlAddress->MdlFlags != (MDL_SOURCE_IS_NONPAGED_POOL|MDL_MAPPED_TO_SYSTEM_VA) )
dPvoid = pIrp->MdlAddress->MappedSystemVa;
else
dPvoid = MmMapLockedPagesSpecifyCache( pIrp->MdlAddress, KernelMode, 1, NULL, 0, 0x10);
if ( dPvoid != NULL)
{
memcpy( dPvoid, &VarStructFour, pIrpStack->Parameters.DeviceIoControl.OutputBufferLength);
return Status;
}
else
Status = STATUS_INSUFFICIENT_RESOURCES;
}
break;
case 0x2201e4:
CanDeleteStruct = *(DWORD*)( pIrp->AssociatedIrp.SystemBuffer);
break;
case 0x2203f4:
CopyDataToCArray( pDeviceObj, pIrp);
break;
case 0x22020c:
g_DUnKnown2 = *(DWORD*)( pIrp->AssociatedIrp.SystemBuffer);
break;
case 0x220324:
Status = OpenEventHandle( pIrp, pIrpStack);
break;
case 0x2203c4:
{
if ( g_Buffer17H->DoUnhookKBInt && g_Buffer17H->DoDetach )
{
if ( g_bDoSaveAndHook)
{
g_StructFour.bFirst = false;
g_StructFour.bSecond = false;
g_StructFour.Array[0] = 0;
}
else
{
HookAndSaveKBInt();
g_KBIntEntry = GetKeyBoardIntEntry();
g_StructFour.bFirst = false;
g_StructFour.bSecond = false;
g_StructFour.Array[0] = 0;
}
}
else if ( g_Buffer17H->DoUnhookKBInt && !g_Buffer17H->DoDetach )
{
if ( g_bDoSaveAndHook)
{
g_StructFour.bFirst = false;
g_StructFour.bSecond = false;
g_StructFour.Array[0] = 0;
}
else
{
HookAndSaveKBInt();
g_KBIntEntry = GetKeyBoardIntEntry();
g_StructFour.bFirst = false;
g_StructFour.bSecond = false;
g_StructFour.Array[0] = 0;
}
return Status;
}
else if( !g_Buffer17H->DoUnhookKBInt && !g_Buffer17H->DoDetach )
return Status;
if ( g_bUnknown2 == false )
{
Status = SetTwoBoolFalse( pDeviceObj, pIrp);
if ( NT_SUCCESS( Status))
{
g_bUnknown2 = false;
}
else
{
if ( g_IsNT4 == false)
{
if ( g_bUnknown1)
{
AddDeviceFun1 = g_AttachInfo.pDeviceObjArray[0]->DriverObject->DriverExtension->AddDevice;
g_AttachInfo.pDeviceObjArray[0]->DriverObject->DriverExtension->AddDevice = AddDevice;
DispatchFun1 = g_AttachInfo.pDeviceObjArray[0]->DriverObject->MajorFunction[IRP_MJ_POWER];
g_AttachInfo.pDeviceObjArray[0]->DriverObject->MajorFunction[IRP_MJ_POWER] = DispatchFun2;
}
}
}
}
}
break;
case 0x2203f2:
{
pDeviceObj = (PDEVICE_OBJECT)0x402;
if ( pIrp->MdlAddress->MdlFlags != (MDL_SOURCE_IS_NONPAGED_POOL|MDL_MAPPED_TO_SYSTEM_VA) )
dPvoid = pIrp->MdlAddress->MappedSystemVa;
else
dPvoid = MmMapLockedPages( pIrp->MdlAddress, KernelMode);
// ???
memcpy( dPvoid, &pDeviceObj, pIrpStack->Parameters.DeviceIoControl.OutputBufferLength);
}
break;
case 0x2203f8:
CopyDataToPVoidUnknown1( pDeviceObj, pIrp);
break;
case 0x2203fe:
DoNothing( pDeviceObj, pIrp);
break;
case 0x220402:
MD5String( pDeviceObj, pIrp);
break;
default:
break;
}
return Status;
}
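/*
 * DriverDispatch - the one dispatch routine DriverEntry installs for every
 * IRP major function.
 *
 * The device object the IRP arrived on selects the behaviour:
 *   1. g_DeviceObj, the driver's own control device: CREATE / CLOSE /
 *      DEVICE_CONTROL / SHUTDOWN / CLEANUP / POWER are handled here and the
 *      IRP is completed.
 *   2. g_AttachInfo.pSourceDeviceObjArray[0]: the IRP is passed down to
 *      g_AttachInfo.pAttachDeviceObjArray[0].
 *   3. g_AttachInfo.pSourceDeviceObjArray[1..g_AttachNumber]: the IRP is
 *      passed down to the pAttachDeviceObjArray entry with the same index.
 * In cases 2 and 3 an IRP_MJ_READ goes through MyIoCallDriver() instead of
 * IofCallDriver(); any other request with no attach target, or a device
 * object that matches nothing, is completed with STATUS_INVALID_DEVICE_REQUEST.
 *
 * @param pDeviceObj  device object the IRP was sent to.
 * @param pIrp        the request; NULL is tolerated and answered with
 *                    STATUS_SUCCESS without completing anything.
 * @return the NTSTATUS handed back to the I/O manager.
 *
 * Changes against the reconstructed original: Status was read uninitialized
 * when the IRP_MJ_SHUTDOWN or IRP_MJ_CLEANUP path completed the IRP (it now
 * defaults to STATUS_SUCCESS); g_pVoidUnknown1 is reset to NULL after it is
 * freed so a second IRP_MJ_CLEANUP cannot free it twice; the hand-expanded
 * "CurrentLocation++ / CurrentStackLocation += 0x24" (the 32-bit x86 layout
 * of IO_STACK_LOCATION) is written as IoSkipCurrentIrpStackLocation().
 */
NTSTATUS DriverDispatch( IN PDEVICE_OBJECT pDeviceObj,IN PIRP pIrp)
{
    /* Default to success: the IRP_MJ_SHUTDOWN and IRP_MJ_CLEANUP cases below
     * never assign Status, yet it is stored into IoStatus after the switch. */
    NTSTATUS Status = STATUS_SUCCESS;
    PIO_STACK_LOCATION pIrpStack;
    DWORD Index=1;
    DWORD dTmp=0;   /* 1-based slot of pDeviceObj in pSourceDeviceObjArray, 0 = no match */

    if ( pIrp == NULL)
        return STATUS_SUCCESS;
    pIrpStack = IoGetCurrentIrpStackLocation( pIrp);

    if ( pDeviceObj == g_DeviceObj)
    {
        /* Case 1: request on our own control device. */
        switch( pIrpStack->MajorFunction)
        {
        case IRP_MJ_CREATE:
            Status = SaveKBIntEntryOnce( pDeviceObj, pIrp);
            break;
        case IRP_MJ_CLOSE:
            Status = DoNothing( pDeviceObj, pIrp);
            break;
        case IRP_MJ_DEVICE_CONTROL:
            Status = DispatchIoControl( pDeviceObj, pIrp);
            break;
        case IRP_MJ_SHUTDOWN:
            /* Put back the AddDevice / IRP_MJ_POWER entries of the first
             * attached driver object (AddDeviceFun1 / DispatchFun1 appear to
             * be the originals saved by IOCTL 0x2203c4) and detach. */
            if ( g_Buffer17H->DoDetach && g_bUnknown1 && !g_IsNT4 && g_bUnknown2)
            {
                g_AttachInfo.pDeviceObjArray[0]->DriverObject->MajorFunction[IRP_MJ_POWER] = DispatchFun1;
                g_AttachInfo.pDeviceObjArray[0]->DriverObject->DriverExtension->AddDevice = AddDeviceFun1;
                DetachAndDeleteDevice();
                g_bUnknown2 = false;
            }
            break;
        case IRP_MJ_CLEANUP:
            /* NOTE(review): CanDeleteStruct is written straight from an IOCTL
             * input buffer (0x2201e4), so this teardown is gated by the caller. */
            if ( g_Buffer17H->DoUnhookKBInt && (!CanDeleteStruct) )
            {
                if( g_pVoidUnknown1 != NULL)
                {
                    ExFreePool( g_pVoidUnknown1);
                    g_pVoidUnknown1 = NULL;     /* no dangling pointer / double free on the next CLEANUP */
                }
                UnHookKBInt();
                DeleteAllStructByPid( pDeviceObj, pIrp);
                g_DUnKnown1 = 0;
            }
            break;
        case IRP_MJ_POWER:
            Status = STATUS_SUCCESS;
            break;
        default:
            Status = STATUS_UNSUCCESSFUL;
            break;
        }

        pIrp->IoStatus.Status = Status;
        if( Status == STATUS_SUCCESS)
        {
            /* NOTE(review): Parameters.DeviceIoControl is read for every major
             * function handled above, including CREATE/CLOSE/SHUTDOWN where
             * that union member is presumably not the one filled in - confirm. */
            pIrp->IoStatus.Information = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
        }
        else
        {
            /* The failure is masked from the requester while Status is still
             * returned to the I/O manager - kept as reconstructed. */
            pIrp->IoStatus.Status = STATUS_SUCCESS;
        }
        IofCompleteRequest( pIrp, 0);
        return Status;
    }

    if ( g_AttachInfo.pSourceDeviceObjArray[0] == pDeviceObj)
    {
        /* Case 2: first attached device. */
        if ( pIrpStack->MajorFunction == IRP_MJ_READ )  /* 0x3 */
            return MyIoCallDriver( g_AttachInfo.pAttachDeviceObjArray[0], pIrp);
        if ( g_AttachInfo.pAttachDeviceObjArray[0] != NULL)
        {
            IoSkipCurrentIrpStackLocation( pIrp);
            Status = IofCallDriver( g_AttachInfo.pAttachDeviceObjArray[0], pIrp);
            if ( g_bUnknown3)
            {
                /* Count forwarded IRPs; arm the NDIS timer once the count
                 * reaches g_AttachNumber*2+2 (note: case 3 compares against
                 * g_AttachNumber*2, as in the original). */
                if ( g_AttachNumber*2+2 == g_intUnknown1)
                {
                    if ( g_IsNT4 == false)
                    {
                        g_bCanAttach = true;
                        NdisInitializeTimer( &g_NdisTimer, TimerFunction, pDeviceObj);
                        NdisSetTimer( &g_NdisTimer, 0x1f4);
                    }
                    g_intUnknown1 = 1;
                    g_bUnknown3 = false;
                }
                else
                {
                    g_intUnknown1++;
                }
            }
            return Status;
        }
        /* no attach target: completed as invalid below */
    }
    else if ( g_AttachNumber >= 1)
    {
        /* Case 3: any other attached device, found by linear scan
         * (last match wins, as in the original). */
        for ( Index=1; Index<= g_AttachNumber; Index++)
        {
            if ( pDeviceObj == g_AttachInfo.pSourceDeviceObjArray[Index])
                dTmp = Index;
        }
        if ( dTmp != 0)
        {
            if ( pIrpStack->MajorFunction == IRP_MJ_READ)  /* 0x3 */
                return MyIoCallDriver( g_AttachInfo.pAttachDeviceObjArray[dTmp], pIrp);
            if ( g_AttachInfo.pAttachDeviceObjArray[dTmp] != NULL)
            {
                IoSkipCurrentIrpStackLocation( pIrp);
                Status = IofCallDriver( g_AttachInfo.pAttachDeviceObjArray[dTmp], pIrp);
                if ( g_bUnknown3)
                {
                    if ( g_intUnknown1 == g_AttachNumber*2)
                    {
                        if ( g_IsNT4 == 0)
                        {
                            g_bCanAttach = true;
                            NdisInitializeTimer( &g_NdisTimer, TimerFunction, pDeviceObj);
                            NdisSetTimer( &g_NdisTimer, 0x1f4);
                        }
                        g_intUnknown1 = 1;
                        g_bUnknown3 = false;
                    }
                    else
                    {
                        g_intUnknown1++;
                    }
                }
                return Status;
            }
            /* no attach target: completed as invalid below */
        }
    }

    pIrp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
    pIrp->IoStatus.Information = 0;
    IofCompleteRequest( pIrp, 0);
    return STATUS_INVALID_DEVICE_REQUEST;
}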
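/*
 * Query the keyboard interrupt vector through the HAL: Isa bus 1 first, then
 * bus 0 if that yields 0, folding a result above 0xff back into 0..0xff after
 * each call exactly as the original sequence did.
 */
static DWORD QueryKeyboardVector( PKIRQL pIrql, PKAFFINITY pAffinity)
{
    /* InterfaceType = Isa (1), BusNumber = 1, BusInterruptLevel = 1, BusInterruptVector = 1 */
    DWORD vector = HalGetInterruptVector( 1,1,1,1, pIrql, pAffinity);
    if ( vector > 0xff)
        vector -= 0x100;
    if ( vector == 0 )
        vector = HalGetInterruptVector( 1,0,1,1, pIrql, pAffinity);
    if ( vector > 0xff)
        vector -= 0x100;
    return vector;
}

/* Initialise the four lock-protected lists, the standalone spin lock and the DPC. */
static void InitGlobalLists(void)
{
    InitializeListHead( &g_LockList1.pList);
    KeInitializeSpinLock( &g_LockList1.Lock);
    InitializeListHead( &g_LockList2.pList);
    KeInitializeSpinLock( &g_LockList2.Lock);
    InitializeListHead( &g_IDTLockList.pList);
    KeInitializeSpinLock( &g_IDTLockList.Lock);
    InitializeListHead( &g_LockList4.pList);
    KeInitializeSpinLock( &g_LockList4.Lock);
    KeInitializeSpinLock( &g_SpinLock5);
    KeInitializeDpc( &g_Kdpc, DeferredRoutine, 0);
}

/*
 * DriverEntry - driver initialisation.
 *
 * Records the EPROCESS name offset and OS version, looks up the keyboard
 * interrupt vector (once per processor on multiprocessor systems, into
 * g_IntVector / g_IntVector2), installs DriverDispatch for the major
 * functions, creates the control device, registers for shutdown
 * notification, allocates the driver's buffer and initialises the global
 * lists, locks and DPC.
 *
 * @param pDriverObj  driver object supplied by the I/O manager.
 * @param pRegPath    registry path supplied by the I/O manager.
 * @return STATUS_SUCCESS, or the first failing status; on any status other
 *         than exactly STATUS_SUCCESS DriverUnload() is run before returning.
 *
 * Fix against the reconstruction: the affinity out-parameter was declared
 * PKAFFINITY (a pointer) and passed by address, so HalGetInterruptVector()
 * wrote a KAFFINITY through a PKAFFINITY*; it is now a KAFFINITY whose
 * address matches the PKAFFINITY parameter. (The decompiler note said the
 * original binary merely pushed ebx here.)
 */
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegPath)
{
    KAFFINITY Affinity = 0;     /* written by HalGetInterruptVector(), never read */
    NTSTATUS ret_status;
    int i;

    /* Offset of the 16-byte image name inside EPROCESS. */
    NameOffsetInEproc = GetNameOffsetInEproc();
    GetVersionInfo();

    if ( KeNumberProcessors > 1)
    {
        g_IsMulProcesser = TRUE;
        /* Force the thread onto processor mask 1 before querying the vector. */
        KeSetAffinityThread( KeGetCurrentThread(), 1);
    }

    g_IntVector = QueryKeyboardVector( &g_Kirql, &Affinity);
    if ( g_IntVector == 0 && g_IsNT4)
        g_IntVector = 0x31;     /* NT4 fallback used by the original */

    if ( g_IsMulProcesser)
    {
        /* NOTE(review): if KeSetAffinityThread() has its documented KAFFINITY
         * (unsigned) return type this comparison is never true and
         * g_IsMulProcesser is never cleared here - confirm. */
        if ( KeSetAffinityThread( KeGetCurrentThread(),2) < 0)
            g_IsMulProcesser = 0;

        g_IntVector2 = QueryKeyboardVector( &g_Kirql, &Affinity);
        if ( g_IsNT4)
            g_IntVector2 = 0x31;    /* unconditional on NT4, unlike g_IntVector above */
        KeSetAffinityThread( KeGetCurrentThread(),2);
    }

    /* Route every major function to DriverDispatch.
     * NOTE(review): `<` leaves MajorFunction[IRP_MJ_MAXIMUM_FUNCTION] at its
     * default; the usual idiom is `<=`. Kept as reconstructed - confirm
     * against the original binary. */
    for( i = 0; i< IRP_MJ_MAXIMUM_FUNCTION; i++)
        pDriverObj->MajorFunction[i] = DriverDispatch;
    pDriverObj->DriverUnload = DriverUnload;

    ret_status = CreateDevice( pDriverObj, pRegPath);
    if ( NT_SUCCESS( ret_status))
    {
        /* Ask for an IRP_MJ_SHUTDOWN IRP when the system is shut down. */
        ret_status = IoRegisterShutdownNotification( g_DeviceObj);
        if ( NT_SUCCESS( ret_status))
        {
            /* (decompiler note: two assignments were missing here)
             * NOTE(review): pRegPath is kept by pointer; the UNICODE_STRING
             * passed to DriverEntry is not guaranteed to outlive this call,
             * so copy it if g_pUnicodeString is read later. */
            g_DriverObj = pDriverObj;
            g_pUnicodeString = pRegPath;
            ret_status = AllocateBuffer();
            if ( NT_SUCCESS( ret_status))
                InitGlobalLists();
        }
    }

    /* Anything but exactly STATUS_SUCCESS (including informational codes that
     * passed NT_SUCCESS above) tears the driver down again. */
    if ( ret_status != STATUS_SUCCESS )
        DriverUnload( pDriverObj);
    return ret_status;
}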
/*
 * GetKeyBoardIntEntry - read the handler address of IDT vector g_IntVector.
 *
 * Stores this processor's IDTR into g_IDTR with `sidt`, indexes the IDT at
 * g_IntVector*8 and reassembles the 32-bit offset from the entry's HiOffset
 * and LowOffset halves. On NT4 the read is done under g_IDTLockList.Lock;
 * on other versions no lock is taken. The original author notes this is
 * single-processor only (the IDTR read is that of whichever CPU runs this).
 *
 * @return the handler address, or 0 if the entry's offset fields are 0.
 */
DWORD GetKeyBoardIntEntry() // returns the entry address of interrupt vector g_IntVector; single-processor only
{
KIRQL NewIrql;  // only assigned/used on NT4, under the same g_IsNT4 guard
DWORD IdtAddr=0; // entry address of interrupt vector g_IntVector
if ( g_IsNT4)
{
NewIrql = KfAcquireSpinLock( &g_IDTLockList.Lock);
}
g_pIDTR = &g_IDTR;
// MSVC inline asm: store the current processor's IDTR into g_IDTR
__asm sidt g_IDTR;
// each IDT entry is 8 bytes; handler offset = HiOffset:LowOffset
IdtAddr = ((PIDTENTRY)( g_pIDTR->IDTBase + g_IntVector*8))->HiOffset;
IdtAddr = IdtAddr<<0x10;
IdtAddr |= ((PIDTENTRY)( g_pIDTR->IDTBase + g_IntVector*8))->LowOffset;
/* Original assembly of the three statements above, kept for reference:
_asm
{
mov eax, g_pIDTR
mov ecx, g_IntVector
mov eax, [eax+2]
movzx esi, word ptr [eax+ecx*8+6]
lea eax, [eax+ecx*8]
shl esi, 10h
movzx eax, word ptr [eax]
or esi, eax
}
*/
if ( g_IsNT4)
{
KfReleaseSpinLock( &g_IDTLockList.Lock, NewIrql);
}
return IdtAddr;
}
/* Refresh the cached keyboard interrupt handler address from the IDT. */
void SaveKBIntEntry()
{
    DWORD entry = GetKeyBoardIntEntry();
    g_KBIntEntry = entry;
}
/*
 * IRP_MJ_CREATE handler: capture the keyboard interrupt entry the first time
 * the device is opened; every later open is a no-op. Always succeeds.
 * pDeviceObj and pIrp are unused.
 */
NTSTATUS SaveKBIntEntryOnce( PDEVICE_OBJECT pDeviceObj, PIRP pIrp)
{
    if ( g_bAlreadyKBEntry)
        return STATUS_SUCCESS;
    SaveKBIntEntry();
    g_bAlreadyKBEntry = true;
    return STATUS_SUCCESS;
}
/*
 * Unmap a locked-page mapping and free its MDL. Nothing is done unless both
 * BaseAddress and Mdl are non-NULL.
 */
void FreeMDL( PVOID BaseAddress,PMDL Mdl)
{
    if ( BaseAddress != NULL && Mdl != NULL)
    {
        MmUnmapLockedPages( BaseAddress, Mdl);
        IoFreeMdl( Mdl);
    }
}
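/*
 * Tear down the control device: delete the \DosDevices\npkcrypt symbolic link
 * and the device object in g_DeviceObj. A no-op when g_DeviceObj is NULL.
 *
 * Fix: g_DeviceObj is cleared after IoDeleteDevice() so the global does not
 * keep a dangling pointer and a repeated call cannot delete the object twice.
 */
void ClearLinkDevice()
{
    UNICODE_STRING SymbolicLinkName;
    if ( g_DeviceObj == NULL)
        return;
    RtlInitUnicodeString( &SymbolicLinkName, L"\\DosDevices\\npkcrypt");
    IoDeleteSymbolicLink( &SymbolicLinkName);
    IoDeleteDevice( g_DeviceObj);
    g_DeviceObj = NULL;
}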
/* True if `code` is one of the first 0x34 entries of LetterScanCode. */
bool IsLetterCode( char code)
{
    const int count = 0x34;
    int idx = 0;
    while ( idx < count)
    {
        if ( code == LetterScanCode[idx])
            return true;
        idx++;
    }
    return false;
}
/* True if `code` is one of the first 0x66 entries of CanBeInputCodePlus. */
bool IsInputPlusCode( char code)
{
    const int count = 0x66;
    int idx = 0;
    while ( idx < count)
    {
        if ( code == CanBeInputCodePlus[idx])
            return true;
        idx++;
    }
    return false;
}
bool IsInputCode( char code)
{
int i;
for ( i=0; i<0x64; i++)
{
if ( CanBeInputCode[i] == code)
return true;