}
return false;
}
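/**
 * Report whether bit 7 of a scan-code byte is clear.
 *
 * The original computed (~code) >> 7: that right-shifts a negative int when
 * bit 7 is clear (implementation-defined result), depends on char being
 * signed, and actually yielded -1 (0xff) rather than the 1 its comment
 * promised. Testing the bit directly gives the documented 0/1 result on every
 * platform; the only caller in this file compares the result with false.
 *
 * @param code  byte to test.
 * @return 0 when bit 7 of code is set, 1 otherwise.
 */
char NotAndSHR7(char code)
{
    /* Promote through unsigned char so the test ignores char signedness. */
    return ((unsigned char)code & 0x80u) ? 0 : 1;
}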
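/**
 * Translate one byte through IndexTable and use the result minus 0x20 as an
 * index into cArray.
 *
 * @param cArray  translation array; every index in [0, 0x5f) is accepted, so
 *                it must hold at least 0x5f entries.
 * @param Index   byte used to index IndexTable.
 * @return the selected cArray entry, or (char)0xff when Index is negative or
 *         the IndexTable value minus 0x20 falls outside [0, 0x5f).
 */
char GetCharByIndex( char* cArray, char Index)
{
    char cTmp;
    /* A negative char (bit 7 set, signed char) would read before the start of
     * IndexTable; answer with the existing "no mapping" sentinel instead.
     * The size of IndexTable is not visible here — TODO confirm that every
     * non-negative Index (0..0x7f) is in range. */
    if ( Index < 0)
        return (char)0xff;
    /* Kept as written: the element is cast to char before the subtraction and
     * the result is truncated to char, so table values with bit 7 set can wrap
     * back into range. Whether that is intended depends on IndexTable's element
     * type — TODO confirm. */
    cTmp = (char)(IndexTable[(int)Index]) - 0x20;
    if ( cTmp >= 0 && cTmp < 0x5f)
        return cArray[(int)cTmp];
    return (char)0xff;
}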
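/**
 * Map an EditCtrl scan code to the driver's internal code.
 *
 * The switch now runs on (unsigned char)code. With the original switch(code)
 * and a signed char, an input of 0xc7 is promoted to -57 and can never match
 * the label 0xc7, so the eleven high-bit cases (0xc7..0xd3) were unreachable
 * and those codes fell through to the default. Codes without an entry are
 * returned unchanged.
 *
 * @param code  scan code to translate.
 * @return the translated code, or code itself when there is no mapping.
 */
char ConvertLetter( char code)
{
    switch ((unsigned char)code)
    {
    case 0xc7: return (char)0x88;
    case 0x48: return 0x9;
    case 0x47: return 0x8;
    case 0x49: return 0xa;
    case 0x4b: return 0x5;
    case 0x4c: return 0x6;
    case 0x4d: return 0x7;
    case 0x4f: return 0x2;
    case 0x50: return 0x3;
    case 0x51: return 0x4;
    case 0x52: return 0xb;
    case 0x53: return 0x34;
    case 0xc8: return (char)0x89;
    case 0xc9: return (char)0x8a;
    case 0xcb: return (char)0x85;
    case 0xcc: return (char)0x86;
    case 0xcd: return (char)0x87;
    case 0xcf: return (char)0x82;
    case 0xd0: return (char)0x83;
    case 0xd1: return (char)0x84;
    case 0xd2: return (char)0x8b;
    case 0xd3: return (char)0xb4;
    default:   return code;
    }
}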
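/**
 * Expand a string of hexadecimal digits into a string of '0'/'1' characters:
 * four output characters per input digit, most significant bit first.
 * Characters that are not hex digits are skipped (neither copied nor counted).
 *
 * @param VirtualAddress  NUL-terminated hex string; upper and lower case a-f
 *                        are both accepted. NULL is treated as "".
 * @param OutAddress      receives the NUL-terminated result. The size is not
 *                        passed, so the caller must provide at least
 *                        4 * strlen(VirtualAddress) + 1 bytes. NULL is ignored.
 *
 * The original copied the input into one NonPagedPool buffer, built the
 * result in a second one, and reused the VirtualAddress pointer as the loop
 * counter — without checking either allocation. Writing straight into
 * OutAddress needs no allocation and produces the same output.
 */
void ChangeHexToBin( IN char* VirtualAddress, OUT char* OutAddress)
{
    int Index = 0;
    int k;
    int nibble;
    char bTmp;
    const char* p;

    if ( OutAddress == NULL)
        return;
    if ( VirtualAddress != NULL)
    {
        for ( p = VirtualAddress; *p != 0; p++)
        {
            bTmp = *p;
            if ( bTmp >= 0x30 && bTmp <= 0x39)          /* '0'..'9' */
                nibble = bTmp - 0x30;
            else if ( bTmp >= 0x61 && bTmp <= 0x66)     /* 'a'..'f' */
                nibble = bTmp - 0x57;
            else if ( bTmp >= 0x41 && bTmp <= 0x46)     /* 'A'..'F' */
                nibble = bTmp - 0x37;
            else
                continue;                               /* not a hex digit: skip */
            /* Emit bit 3 first so the digit reads left to right. */
            for ( k = 3; k >= 0; k--)
                OutAddress[Index++] = ((nibble >> k) & 1) ? 0x31 : 0x30;
        }
    }
    OutAddress[Index] = 0;
}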
/**
 * Dispatch placeholder: returns success without examining or completing the
 * IRP it is handed.
 *
 * @param param1  device object (unused).
 * @param param2  IRP (unused).
 * @return STATUS_SUCCESS (0).
 */
NTSTATUS DoNothing( PDEVICE_OBJECT param1, PIRP param2)
{
    (void)param1;
    (void)param2;
    return STATUS_SUCCESS;
}
/**
 * I/O completion routine installed by MyIoCallDriver on every IRP forwarded to
 * the lower device.
 *
 * When the IRP completed successfully and g_DUnKnown1 is set, the routine walks
 * the records in AssociatedIrp.SystemBuffer (starting 2 bytes in, 12 bytes per
 * record, count = IoStatus.Information / 12). For each record the single-pass
 * do { } while(FALSE) block below tracks the 0xe0 prefix state in
 * g_byteCom1/g_byteCom2, optionally rewrites the code through ConvertLetter,
 * filters it with IsLetterCode/IsInputCode/IsInputPlusCode, looks up an ASCII
 * value, and — when NotAndSHR7 reports bit 7 clear — hands the STRUCT_SIX to
 * DoHash and signals g_PRKEvent. The first two bytes of a processed record are
 * then zeroed. Any early exit from the block skips the rest for that record.
 *
 * @param pDeviceObj  unused.
 * @param pIrp        the completed IRP.
 * @param param       completion context (&g_IntVector, see MyIoCallDriver); unused.
 * @return pIrp->IoStatus.Status.
 *
 * NOTE(review): a completion routine conventionally returns STATUS_SUCCESS or
 * STATUS_MORE_PROCESSING_REQUIRED; the IofCompleteRequest at the end looks like
 * it completes an IRP the lower driver is already completing — confirm how this
 * pairs with MyIoCallDriver.
 */
NTSTATUS CompletionRoutine( PDEVICE_OBJECT pDeviceObj, PIRP pIrp, PVOID param)
{
    bool bTmp=0;
    STRUCT_SIX Var_8;
    /* NOTE(review): Var_C is declared bool but receives bReserved0, is compared
     * with 0xe0, 0x37 and 0xb7 and is passed to ConvertLetter; a bool only ever
     * holds 0/1, so those comparisons cannot match. Presumably it should have
     * the type of bReserved0 — confirm. */
    bool Var_C;
    DWORD Index;
    PSTRUCT_FIVE pStructFive;
    PIO_STACK_LOCATION pIrpStack;
    if ( NT_SUCCESS( pIrp->IoStatus.Status))
    {
        if ( g_DUnKnown1)
        {
            /* Records start 2 bytes into the buffer and are 12 bytes apart; the
             * count is taken from Information as reported by the lower driver.
             * (The +2 and 12-byte stride are consistent with a KEYBOARD_INPUT_DATA
             * array with UnitId skipped — assumption, confirm against STRUCT_FIVE.) */
            pStructFive = (PSTRUCT_FIVE)((DWORD)pIrp->AssociatedIrp.SystemBuffer+2);
            Index = (DWORD)(pIrp->IoStatus.Information) / 12;
            for ( ; Index!=0; Index--)
            {
                /* Only 4 bytes are cleared and DoHash later reads it as an
                 * int* — assumes sizeof(STRUCT_SIX) == 4, TODO confirm. */
                memset( &Var_8, 0, 4);
                Var_C = pStructFive->bReserved0;
                /* do { } while(FALSE): every "break" below abandons this record. */
                do
                {
                    if ( (g_DUnKnown1 != 0 || g_DUnKnown2 != 0)
                        && !g_Buffer12H->Reserved6 && !g_Buffer12H->Reserved7
                        && ( g_Buffer12H->bDoletter != true || g_Buffer12H->Reserved10 != true))
                    {
                        /* Prefix tracking: g_byteCom1/g_byteCom2 remember the
                         * previous code(s) so an 0xe0-prefixed sequence can be
                         * recognised across records. */
                        if ( pStructFive->WReserved2 == 0)
                        {
                            if ( g_byteCom1 != 0xe0 && g_byteCom2 != 0xe0)
                            {
                                if ( g_Buffer12H->ConvertEditCtrl)
                                {
                                    g_byteCom1 = pStructFive->bReserved0;
                                    Var_C = ConvertLetter( Var_C);
                                }
                            }
                            else if ( Var_C == 0xe0)
                            {
                                g_byteCom1 = pStructFive->bReserved0;
                                g_byteCom2 = pStructFive->bReserved0;
                            }
                            else if ( g_byteCom2 == g_byteCom1)
                            {
                                g_byteCom2 = 0xe0;
                                g_byteCom1 = pStructFive->bReserved0;
                            }
                            /* NOTE(review): && binds tighter than ||, so this reads
                             * (g_byteCom1 == 0xe0 && Var_C == 0x37) || Var_C == 0xb7;
                             * parenthesise once the intended grouping is confirmed. */
                            else if ( g_byteCom1 == 0xe0 && Var_C == 0x37 || Var_C == 0xb7)
                            {
                                g_byteCom2 = false;
                                g_byteCom1 = pStructFive->bReserved0;
                                break;
                            }
                            else
                            {
                                g_byteCom2 = false;
                                g_byteCom1 = pStructFive->bReserved0;
                            }
                        }
                        /* Filters: any of these drops the record unprocessed. */
                        if ( IsLetterCode( Var_C) && g_Buffer12H->bDoletter)
                            break;
                        if ( g_DUnKnown2 == 1)
                            break;
                        if ( g_Buffer12H->Reserved11)
                            break;
                        /* Reserved7 selects which code set is accepted; bTmp ends
                         * up true only for a code that passes the selected test.
                         * Note bTmp keeps its previous value if Reserved7 is
                         * neither false nor true. */
                        if ( g_Buffer12H->Reserved7 == false)
                        {
                            if ( IsInputCode(Var_C) == false)
                            {
                                bTmp = false;
                                break;
                            }
                            else
                                bTmp = true;
                        }
                        else if ( g_Buffer12H->Reserved7 == true )
                        {
                            if ( IsInputPlusCode(Var_C) == false)
                                bTmp = true;
                            else
                                bTmp = false;
                        }
                        if ( bTmp != true)
                            break;
                        if ( g_Buffer17H->Reserved7 == false)
                        {
                            Var_8.bReserved1 = pStructFive->bReserved0;
                            Var_8.bReserved0 = (char)LookUpAsciiByIndex2( (int)pStructFive->bReserved0);
                        }
                        /* NOTE(review): identical condition to the branch above, so
                         * this else-if never runs and LookUpAsciiByIndex is dead
                         * here; presumably `== true` was meant. */
                        else if ( g_Buffer17H->Reserved7 == false)
                        {
                            Var_8.bReserved1 = pStructFive->bReserved0;
                            Var_8.bReserved0 = (char)LookUpAsciiByIndex( (int)pStructFive->bReserved0);
                        }
                        /* bReserved2 is 0 when bit 7 of Var_C is set. */
                        Var_8.bReserved2 = NotAndSHR7( Var_C);
                        if ( Var_8.bReserved2 == false && pStructFive->WReserved2 == 0)
                        {
                            DoHash((int*)&Var_8);
                            /* NOTE(review): g_PRKEvent is filled in by OpenEventHandle
                             * from a caller-supplied handle; nothing here checks that
                             * it has been set before it is signalled. */
                            KeSetEvent( g_PRKEvent, 0, 0);
                        }
                        /* Zero the first two bytes of the record that was processed. */
                        pStructFive->bReserved0 = false;
                        pStructFive->bReserved1 = false;
                    }
                }while(FALSE);
                /* With Reserved6 set the record is blanked whether or not it was
                 * processed above. */
                if ( g_Buffer17H->Reserved6 == true)
                {
                    pStructFive->bReserved0 = false;
                    pStructFive->bReserved1 = false;
                }
                pStructFive = (PSTRUCT_FIVE)( (DWORD)pStructFive + 0xc);
            }
        }
    }
    /* Anything other than exactly STATUS_SUCCESS — including success codes
     * other than 0 — clears the current stack location's Control flags;
     * STATUS_SUCCESS completes the IRP (see the NOTE in the header). */
    if ( pIrp->IoStatus.Status != STATUS_SUCCESS)
    {
        pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
        pIrpStack->Control = 0;
    }
    else
    {
        IofCompleteRequest( pIrp, 0);
    }
    return pIrp->IoStatus.Status;
}
/**
 * Pass pIrp down to pDeviceObject with CompletionRoutine attached.
 *
 * The current stack location is copied to the next one, CompletionRoutine is
 * registered for success, error and cancel (all three TRUE) with &g_IntVector
 * as its context, and the IRP is forwarded with IofCallDriver.
 *
 * @param pDeviceObject  device to forward the IRP to.
 * @param pIrp           IRP to forward.
 * @return the value returned by IofCallDriver.
 */
NTSTATUS MyIoCallDriver( PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    NTSTATUS status;

    IoCopyCurrentIrpStackLocationToNext( pIrp);
    /* Context is &g_IntVector; CompletionRoutine does not read its context. */
    IoSetCompletionRoutine( pIrp, CompletionRoutine, &g_IntVector, TRUE, TRUE, TRUE);
    status = IofCallDriver( pDeviceObject, pIrp);
    return status;
}
/**
 * Periodic callback that, while g_bCanAttach is set, creates one filter device
 * named \Device\nPKCryptKbdClass<n> and attaches it on top of the device stack
 * of g_AttachInfo.pDeviceObjArray[0]'s driver. On success the new device, the
 * attach target and the source device are recorded in g_AttachInfo at slot
 * iTmp and g_bCanAttach is cleared.
 *
 * How this routine is registered is not visible here; the four-argument
 * signature is only an assumption about the timer/DPC API used — confirm.
 *
 * @param SystemSpecific1  unused.
 * @param pDeviceObj       device whose DriverObject owns the new device.
 * @param SystemSpecific2  unused.
 * @param SystemSpecific3  unused.
 */
void TimerFunction (
    IN PVOID SystemSpecific1,
    IN PDEVICE_OBJECT pDeviceObj,
    IN PVOID SystemSpecific2,
    IN PVOID SystemSpecific3
    )
{
    PDEVICE_OBJECT pTmpDeviceObj = NULL;
    WCHAR* SourceString;
    UNICODE_STRING DeviceName;
    int iTmp=0,iIndex;
    PDEVICE_OBJECT pTmpDeviceObjAttach;
    PDEVICE_OBJECT pTmpDeviceObj1;
    /* NOTE(review): 0x35 bytes = 26 WCHARs. The format below is 24 characters
     * plus the digits of %d plus the terminator, so a one-digit value just
     * fits (52 bytes) and any iTmp with two or more digits overruns the
     * allocation. The allocation result is also not checked for NULL. */
    SourceString = (WCHAR*)ExAllocatePool( NonPagedPool, 0x35);
    swprintf( SourceString, L"\\Device\\nPKCryptKbdClass%d", 0);
    /* DeviceName.Buffer aliases SourceString from here on; that is what the
     * ExFreePool at the end releases. */
    RtlInitUnicodeString( &DeviceName, SourceString);
    if ( g_bCanAttach)
    {
        /* Assumes slot 0 of pDeviceObjArray is already populated — confirm. */
        pTmpDeviceObj1 = g_AttachInfo.pDeviceObjArray[0]->DriverObject->DeviceObject;
        pTmpDeviceObj = NULL;
        /* Find the first free slot, searching indices 1..g_AttachNumber (the
         * array size is not visible, so iIndex+1 == g_AttachNumber may be past
         * the end). If no slot is free, iTmp stays 0 and slot 0 — including the
         * pDeviceObjArray[0] entry used above — is overwritten below. */
        for ( iIndex=0; iIndex < (int)g_AttachNumber; iIndex++)
        {
            if ( g_AttachInfo.pAttachDeviceObjArray[iIndex+1] == NULL)
            {
                if ( iTmp == 0)
                {
                    iTmp = iIndex+1;
                }
            }
        }
        /* On NT4 the device keeps the "...0" name set above. */
        if ( !g_IsNT4)
        {
            swprintf( SourceString, L"\\Device\\nPKCryptKbdClass%d", iTmp);
            RtlInitUnicodeString( &DeviceName, SourceString);
        }
        /* Exclusive = 1; >= STATUS_SUCCESS accepts every non-error NTSTATUS. */
        if ( IoCreateDevice( pDeviceObj->DriverObject, 0, &DeviceName,
                             pTmpDeviceObj1->DeviceType,
                             pTmpDeviceObj1->Characteristics, 1,
                             &pTmpDeviceObj) >= STATUS_SUCCESS)
        {
            pTmpDeviceObjAttach = IoAttachDeviceToDeviceStack( pTmpDeviceObj, pTmpDeviceObj1);
            if ( pTmpDeviceObjAttach == NULL )
            {
                IoDeleteDevice( pTmpDeviceObj);
            }
            else
            {
                /* NOTE(review): FILE_DEVICE_NETWORK_FILE_SYSTEM is a device-type
                 * constant, not a Flags bit; it looks like the I/O method bits
                 * (DO_BUFFERED_IO / DO_DIRECT_IO) were meant — confirm. Nothing
                 * visible here clears DO_DEVICE_INITIALIZING on the new device,
                 * which a device created outside DriverEntry needs — confirm. */
                pTmpDeviceObj->Flags |= ( pTmpDeviceObj1->Flags & FILE_DEVICE_NETWORK_FILE_SYSTEM);
                g_AttachNumber++;
                g_AttachInfo.pSourceDeviceObjArray[iTmp] = pTmpDeviceObj;
                g_AttachInfo.pAttachDeviceObjArray[iTmp] = pTmpDeviceObjAttach;
                g_AttachInfo.pDeviceObjArray[iTmp] = pTmpDeviceObj1;
                g_AttachInfo.intArray1[iTmp] = 0;
                g_bCanAttach = false;
                g_intUnknown1 = 0;
                /* NOTE(review): both NT4 early returns skip the ExFreePool below,
                 * so SourceString is leaked on NT4 unless it is freed elsewhere. */
                if ( g_IsNT4 )
                    return;
            }
        }
    }
    else if ( g_IsNT4 )
        return;
    if ( DeviceName.Buffer != NULL)
        ExFreePool( DeviceName.Buffer);
    return;
}
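/**
 * IOCTL handler: references the event whose handle the caller supplied and
 * stores the object pointer in g_PRKEvent, which CompletionRoutine signals
 * with KeSetEvent.
 *
 * The input buffer (AssociatedIrp.SystemBuffer) must hold a STRUCT_ONE: an int
 * that must equal 1 followed by the event HANDLE.
 *
 * @param pIrp       the IRP carrying the request.
 * @param pIrpStack  the current stack location of pIrp.
 * @return STATUS_SUCCESS once g_PRKEvent is set; STATUS_BUFFER_TOO_SMALL when
 *         the buffer is missing or shorter than STRUCT_ONE; STATUS_UNSUCCESSFUL
 *         when iIndex != 1; otherwise the ObReferenceObjectByHandle status.
 */
NTSTATUS OpenEventHandle( PIRP pIrp, PIO_STACK_LOCATION pIrpStack)
{
    typedef struct _STRUCT_ONE
    {
        int iIndex;
        HANDLE tmpHandle;
    }STRUCT_ONE;
    STRUCT_ONE tmp;
    NTSTATUS status;
    ULONG inputLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;

    tmp.iIndex = 0;
    tmp.tmpHandle = NULL;
    /* InputBufferLength is caller-controlled. The original memcpy used it
     * unchecked as the byte count into this stack struct, so any larger value
     * overwrote the kernel stack. Copy exactly sizeof tmp and reject inputs
     * that cannot hold a full STRUCT_ONE. */
    if ( pIrp->AssociatedIrp.SystemBuffer == NULL || inputLength < sizeof(tmp))
        return STATUS_BUFFER_TOO_SMALL;
    memcpy( &tmp, pIrp->AssociatedIrp.SystemBuffer, sizeof(tmp));
    if ( tmp.iIndex != 1)
        return STATUS_UNSUCCESSFUL;
    /* Resolve the handle in the requestor's mode so a user-mode caller cannot
     * name a kernel handle, require EVENT_MODIFY_STATE because the object is
     * later passed to KeSetEvent, and insist on an event object so nothing of
     * another type can end up in g_PRKEvent. The original passed access 0,
     * type NULL and mode 1 and ignored the result. */
    status = ObReferenceObjectByHandle( tmp.tmpHandle, EVENT_MODIFY_STATE,
                                        *ExEventObjectType, pIrp->RequestorMode,
                                        (PVOID*)&g_PRKEvent, NULL);
    if ( !NT_SUCCESS( status))
        return status;
    /* NOTE(review): if g_PRKEvent already held a referenced object, that
     * reference is now dropped without ObDereferenceObject; its initial value
     * and other writers are not visible in this file, so it is left as is.
     * Nothing synchronises this store with CompletionRoutine reading it. */
    return STATUS_SUCCESS;
}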
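/**
 * Map a code to an ASCII value through the 128-entry tables, honouring the
 * shift state and the Reserved1 case swap.
 *
 * @param code  index into ASCIITable_128 / SHIFT_ASCIITable_128; bit 7 is
 *              cleared first, so only 0..0x7f is ever used.
 * @return the mapped character as an int, or -1 when code is negative or the
 *         selected table holds 0 at that position.
 */
int LookUpAsciiByIndex( int code)
{
    char cTmp;
    /* The mask below only strips bit 7 from a non-negative value; a negative
     * int passed straight through and indexed before the tables. Use the
     * existing "no mapping" sentinel for it. */
    if ( code < 0)
        return -1;
    if ( code >= 0x80)
        code &= 0x7f;
    /* code is now 0..0x7f, so the original post-mask checks (>= 0x80 and
     * > 0x80 returning -1) could never fire and have been removed. */
    if ( g_Buffer12H->ShiftDown )
    {
        cTmp = SHIFT_ASCIITable_128[code];
        if ( cTmp == 0)
            return -1;
        /* With Reserved1 set, an upper-case letter from the shifted table is
         * replaced by the unshifted entry (looks like caps-lock handling —
         * confirm where Reserved1 is written). */
        if ( g_Buffer12H->Reserved1 != true)
            return (int)cTmp;
        if ( cTmp < 0x41 || cTmp > 0x5a)
            return (int)cTmp;
        return (int)ASCIITable_128[code];
    }
    cTmp = ASCIITable_128[code];
    if ( cTmp == 0)
        return -1;
    /* Mirror of the branch above: a lower-case letter is swapped for the
     * shifted entry. */
    if ( g_Buffer12H->Reserved1 != true)
        return (int)cTmp;
    if ( cTmp < 0x61 || cTmp > 0x7a)
        return (int)cTmp;
    return (int)SHIFT_ASCIITable_128[code];
}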
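/**
 * Map a code to an ASCII value through the _92 tables, honouring the shift
 * state and the Reserved1 case swap. Same structure as LookUpAsciiByIndex.
 *
 * @param code  index into ASCIITable_92 / SHIFT_ASCIITable_92; bit 7 is
 *              cleared first. The shifted table is only consulted for
 *              code <= 0x59.
 * @return the mapped character as an int, or -1 when code is negative, is
 *         above 0x59 with shift down, or the selected table holds 0 there.
 */
int LookUpAsciiByIndex2( int code)
{
    char cTmp;
    /* A negative int would bypass the mask and index before the tables. */
    if ( code < 0)
        return -1;
    if ( code >= 0x80)
        code &= 0x7f;
    if ( g_Buffer12H->ShiftDown )
    {
        if ( code > 0x59)
            return -1;
        cTmp = SHIFT_ASCIITable_92[code];
        if ( cTmp == 0)
            return -1;
        if ( g_Buffer12H->Reserved1 != true)
            return (int)cTmp;
        if ( cTmp < 0x41 || cTmp > 0x5a)
            return (int)cTmp;
        return (int)ASCIITable_92[code];
    }
    /* NOTE(review): the shifted branch limits code to 0x59, but this branch
     * accepts anything up to 0x7f (the original > 0x80 check was dead after
     * the mask). If ASCIITable_92 really has 92 entries, 0x5c..0x7f read past
     * it; its definition is not visible here, so the bound is left as it was —
     * confirm and tighten. */
    cTmp = ASCIITable_92[code];
    if ( cTmp == 0)
        return -1;
    if ( g_Buffer12H->Reserved1 != true)
        return (int)cTmp;
    if ( cTmp < 0x61 || cTmp > 0x7a)
        return (int)cTmp;
    return (int)SHIFT_ASCIITable_92[code];
}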
/**
 * Rewrite a NUL-terminated byte string in place: every byte other than a
 * space (0x20) is replaced by GetCharByIndex( cArray, byte).
 *
 * @param cArray  translation array handed to GetCharByIndex.
 * @param param2  string to rewrite; NULL is accepted and ignored.
 */
void ConvertCharArray( char* cArray, char* param2)
{
    char* cursor = param2;

    if ( cursor == NULL)
        return;
    for ( ; *cursor != 0; cursor++)
    {
        if ( *cursor == 0x20)
            continue;
        *cursor = GetCharByIndex( cArray, *cursor);
    }
}
DWORD HookKBInt() //修改中断向量入口
{
DWORD orgIntEntry;
KIRQL NewIrql;
if ( g_IsMulProcesser)
{
KeSetAffinityThread( KeGetCurrentThread(), 1);
__asm sidt g_IDTR;
__asm cli;
*(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8) = (USHORT)NewIntEntry;
*(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8 + 6) = (USHORT)( (DWORD)NewIntEntry>>0x10);
__asm sti;
if ( KeSetAffinityThread( KeGetCurrentThread(), 2) < 0)
{
g_IsMulProcesser = 0;
return g_KBIntEntry1;