}
__asm sidt g_IDTR2;
orgIntEntry = ( (*(DWORD*)(g_pIDTR2->IDTBase + g_IntVector2*8) ) && 0xffff) | ( (*(DWORD*)(g_pIDTR2->IDTBase + g_IntVector2*8 + 6) ) && 0xffff0000);
__asm cli;
*(USHORT*)( g_pIDTR2->IDTBase + g_IntVector2*8) = (USHORT)NewIntEntry;
*(USHORT*)( g_pIDTR2->IDTBase + g_IntVector2*8 + 6) = (USHORT)( (DWORD)NewIntEntry>>0x10);
__asm sti;
KeSetAffinityThread( KeGetCurrentThread(), 1);
return orgIntEntry;
}
else
{
if ( g_IsNT4)
NewIrql = KfAcquireSpinLock( &g_IDTLockList.Lock);
__asm sidt g_IDTR;
orgIntEntry = ( (*(DWORD*)(g_pIDTR->IDTBase + g_IntVector*8) ) && 0xffff) | ( (*(DWORD*)(g_pIDTR->IDTBase + g_IntVector*8 + 6) ) && 0xffff0000);
__asm cli;
*(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8) = (USHORT)NewIntEntry;
*(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8 + 6) = (USHORT)( (DWORD)NewIntEntry>>0x10);
__asm sti;
if( g_IsNT4)
KfReleaseSpinLock( &g_IDTLockList.Lock, NewIrql);
return orgIntEntry;
}
}
//获取一个结构体的指针.....源代码一定很烂....
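/*
 * Look up the STRUCT_TWO registered for the calling process on list Num.
 *
 * Num:     1 = g_LockList1, 2 = g_LockList2, 3 = g_IDTLockList, 4 = g_LockList4.
 * Returns: the address of the matching STRUCT_TWO (callers cast it to
 *          PSTRUCT_TWO, see FindAndCreateStruct), or 0 when Num is out of
 *          range or no entry carries the current process id.
 *
 * The list threads the pLockList member of STRUCT_TWO, which sits 0x10 bytes
 * into the structure; the entry is recovered by stepping back 0x10 bytes,
 * the same arithmetic DeleteStruct uses before its PSTRUCT_TWO cast.  The
 * first DWORD of that structure is compared as the Pid (STRUCT_TWO.Pid is
 * assumed to be its first member — matches FindAndCreateStruct's layout use).
 */
int FindStruct( int Num)
{
    PLOCK_LIST pListHead;
    PLOCK_LIST pEntry;
    KIRQL OldIrql;
    DWORD Found = 0;

    switch ( Num )
    {
    case 1: pListHead = &g_LockList1;   break;
    case 2: pListHead = &g_LockList2;   break;
    case 3: pListHead = &g_IDTLockList; break;
    case 4: pListHead = &g_LockList4;   break;
    default:
        return 0;
    }

    /* Hold the list lock for the whole walk so a concurrent insert/remove
       cannot unlink the entry we are looking at; an empty list simply
       never enters the loop. */
    OldIrql = KfAcquireSpinLock( &pListHead->Lock);
    for ( pEntry = (PLOCK_LIST)pListHead->pList.Flink;
          (PLIST_ENTRY)pEntry != (PLIST_ENTRY)pListHead;
          pEntry = (PLOCK_LIST)pEntry->pList.Flink )
    {
        /* Owning STRUCT_TWO (prototype: STRUCT_TWO) lies 0x10 bytes before the link. */
        DWORD Candidate = (DWORD)pEntry - 0x10;

        /* BUG FIX: the original dereferenced pAddress (always 0 here), i.e. a
           NULL read, instead of the candidate entry it had just computed. */
        if ( *(DWORD*)Candidate == (DWORD)PsGetCurrentProcessId() )
        {
            Found = Candidate;
            break;
        }
    }
    KfReleaseSpinLock( &pListHead->Lock, OldIrql);
    return Found;
}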
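/*
 * Append pEntry's link to the list headed by pListHead under that list's
 * spinlock.  pEntry's link must already be initialised.
 */
static void LinkStructTwo( PLOCK_LIST pListHead, PSTRUCT_TWO pEntry)
{
    KIRQL OldIrql = KfAcquireSpinLock( &pListHead->Lock);
    InsertTailList( &pListHead->pList, &pEntry->pLockList.pList);
    KfReleaseSpinLock( &pListHead->Lock, OldIrql);
}

/*
 * Return the STRUCT_TWO registered for the calling process on list Num,
 * creating and registering one if none exists yet.
 *
 * Num:     1..4, selecting the list and the shared buffer that AllocateMDL
 *          maps for the entry (sizes 0x50, 0x8, 0x12, 0x17 respectively).
 * Returns: the existing or newly created entry, or NULL when Num is out of
 *          range or the non-paged pool allocation fails.
 *
 * Ownership: the entry stays on its list until DeleteStruct(Num) frees it.
 * AllocateMDL's result is not checked here because its signature/status
 * convention is not visible in this file — TODO confirm it cannot fail silently.
 */
PSTRUCT_TWO FindAndCreateStruct( int Num)
{
    PSTRUCT_TWO pStructTwo;
    PSTRUCT_TWO Buffer;

    /* Reject unknown slots before touching the pool: the original allocated
       first and returned NULL for a bad Num, leaking the allocation. */
    if ( Num < 1 || Num > 4 )
        return NULL;

    pStructTwo = (PSTRUCT_TWO)FindStruct( Num);
    if ( pStructTwo != NULL )
        return pStructTwo;

    Buffer = (PSTRUCT_TWO)ExAllocatePool( NonPagedPool, sizeof(STRUCT_TWO));
    if ( Buffer == NULL )
        return NULL;            /* pool exhausted; the original memset a NULL pointer here */
    memset( Buffer, 0, sizeof(STRUCT_TWO));
    Buffer->Pid = (DWORD)PsGetCurrentProcessId();
    InitializeListHead( &Buffer->pLockList.pList);

    switch ( Num )
    {
    case 1:
        AllocateMDL( &g_HashTable, &Buffer->StartAddress, &Buffer->pMdl, 0x50);
        LinkStructTwo( &g_LockList1, Buffer);
        break;
    case 2:
        AllocateMDL( &g_Buffer8H, &Buffer->StartAddress, &Buffer->pMdl, 0x8);
        LinkStructTwo( &g_LockList2, Buffer);
        break;
    case 3:
        AllocateMDL( &g_Buffer12H, &Buffer->StartAddress, &Buffer->pMdl, 0x12);
        LinkStructTwo( &g_IDTLockList, Buffer);
        break;
    default: /* Num == 4, range-checked above */
        AllocateMDL( &g_Buffer17H, &Buffer->StartAddress, &Buffer->pMdl, 0x17);
        LinkStructTwo( &g_LockList4, Buffer);
        break;
    }
    return Buffer;
}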
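/*
 * Unlink and free the STRUCT_TWO registered for the calling process on list
 * Num (1 = g_LockList1, 2 = g_LockList2, 3 = g_IDTLockList, 4 = g_LockList4).
 *
 * Returns: true when an entry was removed and freed (its MDL mapping via
 *          FreeMDL, the block via ExFreePool), false when Num is out of
 *          range or no entry belongs to the current process.
 *
 * Only the first matching entry is removed per call; DeleteAllStructByPid
 * calls this once per list.
 */
bool DeleteStruct( int Num)
{
    PLOCK_LIST pListHead;
    PLOCK_LIST pEntry;
    PSTRUCT_TWO pVictim = NULL;
    KIRQL OldIrql;
    DWORD Pid;

    switch ( Num )
    {
    case 1: pListHead = &g_LockList1;   break;
    case 2: pListHead = &g_LockList2;   break;
    case 3: pListHead = &g_IDTLockList; break;
    case 4: pListHead = &g_LockList4;   break;
    default:
        return false;
    }

    Pid = (DWORD)PsGetCurrentProcessId();

    /* Keep the lock across the walk and the unlink.  The original dropped it
       right after reading the first link and called RemoveEntryList with no
       lock held, racing FindStruct/FindAndCreateStruct on the same list. */
    OldIrql = KfAcquireSpinLock( &pListHead->Lock);
    for ( pEntry = (PLOCK_LIST)pListHead->pList.Flink;
          pEntry != pListHead;
          pEntry = (PLOCK_LIST)pEntry->pList.Flink )
    {
        /* Byte offset back to the owning STRUCT_TWO, as FindStruct and the
           cast below do.  BUG FIX: the original compared against
           `pChgLockList - 0x10`, which is pointer arithmetic in units of
           LOCK_LIST, not 0x10 bytes. */
        PSTRUCT_TWO pCandidate = (PSTRUCT_TWO)( (DWORD)pEntry - 0x10);

        if ( pCandidate->Pid == Pid && pEntry->pList.Blink != NULL )
        {
            RemoveEntryList( (PLIST_ENTRY)pEntry);
            pVictim = pCandidate;
            break;
        }
    }
    KfReleaseSpinLock( &pListHead->Lock, OldIrql);

    if ( pVictim == NULL )
        return false;

    /* Tear down outside the spinlock; the entry is no longer reachable. */
    FreeMDL( pVictim->StartAddress, pVictim->pMdl);
    ExFreePool( (PVOID)pVictim);
    return true;
}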
/*
 * IOCTL handler: release the calling process's entry on each of the four
 * lists (one DeleteStruct call per list).  Does nothing while
 * CanDeleteStruct is 0.  Both parameters are unused; always STATUS_SUCCESS.
 */
NTSTATUS DeleteAllStructByPid( PDEVICE_OBJECT pDeviceObj, PIRP pIrp)
{
    int Slot;
    (void)pDeviceObj;
    (void)pIrp;

    if ( CanDeleteStruct == 0)
        return STATUS_SUCCESS;

    for ( Slot = 1; Slot <= 4; Slot++)
        DeleteStruct( Slot);

    return STATUS_SUCCESS;
}
/*
 * IOCTL handler: clear the two g_bUnknown1 / g_bUnknown2 flags.
 * Parameters are unused; always returns STATUS_SUCCESS.
 */
NTSTATUS SetTwoBoolFalse( PDEVICE_OBJECT pDriverObj, PIRP pIrp)
{
    (void)pDriverObj;
    (void)pIrp;
    g_bUnknown1 = g_bUnknown2 = 0;
    return STATUS_SUCCESS;
}
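/*
 * IOCTL handler: copy 0x60 bytes of the buffered-I/O input into
 * g_cArrayUnknown1.
 *
 * The input length is caller-controlled.  The original copied 0x60 bytes
 * unconditionally, so a shorter input buffer was read past its end; now the
 * copy is skipped unless at least 0x60 bytes were supplied.  The function is
 * void, so a rejected request is simply not applied.
 */
void CopyDataToCArray( PDEVICE_OBJECT pDeviceObj, PIRP pIrp)
{
    enum { CARRAY_BYTES = 0x60 };
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation( pIrp);
    PVOID pInput = pIrp->AssociatedIrp.SystemBuffer;
    (void)pDeviceObj;

    if ( pInput == NULL ||
         pIrpStack->Parameters.DeviceIoControl.InputBufferLength < CARRAY_BYTES )
        return;

    memcpy( g_cArrayUnknown1, pInput, CARRAY_BYTES);
}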
/*
 * PnP AddDevice entry: mark g_bUnknown3 / g_intUnknown1 as set and hand the
 * actual work to AddDeviceFun1, whose status is returned unchanged.
 */
NTSTATUS AddDevice( IN PDRIVER_OBJECT pDriverObj,IN PDEVICE_OBJECT PhysicalDeviceObject)
{
    g_intUnknown1 = 1;
    g_bUnknown3 = true;
    return AddDeviceFun1( pDriverObj, PhysicalDeviceObject);
}
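/*
 * Push *pNum into the 20-slot ring g_HashTable.
 *
 * g_Buffer8H->Reserved2 is the write position, Reserved1 presumably the read
 * position (the ring is considered full when Reserved2+1 would reach it).
 * Returns *pNum on success, 0 when the ring is full, pNum is NULL, or the
 * write position is out of range.
 *
 * NOTE(review): g_Buffer8H is the block handed to AllocateMDL in
 * FindAndCreateStruct (slot 2), so its fields may be visible outside this
 * driver — the index is bounds-checked rather than trusted.  The slot count
 * matches the 0x50-byte (20 DWORD) mapping requested for g_HashTable.
 */
int DoHash( int* pNum)
{
    enum { HASH_SLOTS = 20 };
    DWORD Tail;

    if ( pNum == NULL )
        return 0;

    Tail = g_Buffer8H->Reserved2;
    if ( Tail >= HASH_SLOTS )
        return 0;               /* corrupted/untrusted index: never write past the table */

    if ( (Tail + 1) % HASH_SLOTS == g_Buffer8H->Reserved1 )
        return 0;               /* ring full */

    g_HashTable[Tail] = *pNum;
    g_Buffer8H->Reserved2 = (Tail + 1) % HASH_SLOTS;
    return *pNum;
}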
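/*
 * IOCTL handler: replace g_pVoidUnknown1 with a zero-terminated non-paged
 * copy of the buffered-I/O input (InputBufferLength bytes plus one zero).
 *
 * Fixes over the original:
 *  - InputBufferLength is caller-controlled; InputBufferLength+1 wrapping to
 *    0 would allocate nothing and then copy 4 GB, so that case is rejected.
 *  - ExAllocatePool can return NULL; the original memset/memcpy'd through it.
 *  - The old copy was freed before the new one was allocated, leaving
 *    g_pVoidUnknown1 dangling on failure; now the swap happens last.
 * The function is void, so a rejected request leaves the old copy in place.
 */
void CopyDataToPVoidUnknown1( PDEVICE_OBJECT pDeviceObj, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation( pIrp);
    DWORD InputLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    PVOID pInput = pIrp->AssociatedIrp.SystemBuffer;
    PVOID pNewCopy;
    (void)pDeviceObj;

    if ( InputLength + 1 < InputLength )
        return;                         /* length + terminator would overflow */
    if ( InputLength != 0 && pInput == NULL )
        return;

    pNewCopy = ExAllocatePool( NonPagedPool, InputLength + 1);
    if ( pNewCopy == NULL )
        return;                         /* keep the previous copy intact */
    memset( pNewCopy, 0, InputLength + 1);
    if ( InputLength != 0 )
        memcpy( pNewCopy, pInput, InputLength);

    /* Publish only a fully built copy. */
    if ( g_pVoidUnknown1 != NULL )
        ExFreePool( g_pVoidUnknown1);
    g_pVoidUnknown1 = pNewCopy;
}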
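/*
 * Classify a keyboard scan code as an editing/control key.
 *
 * Sets g_bUnknown4 to true for the navigation keys (HOME/END/arrows/PgUp/
 * PgDn/INSERT/DELETE), SHIFT and its break code 0xAA, the 0xE0 prefix (sent
 * ahead of Print Screen / Break), and the extended codes 0xC7..0xD3 listed
 * below; false for everything else.  Returns the new value of g_bUnknown4.
 *
 * BUG FIX: scan codes are bytes 0x00..0xFF, but `char` is signed under MSVC,
 * so every code >= 0x80 was negative and the comparisons against 0xC7/0xE0/
 * 0xE1 and the matching `case` labels could never hit.  The code is widened
 * to unsigned before any comparison; the signature is unchanged.
 */
bool IsEditCtrlKey( char code)
{
    unsigned char scan = (unsigned char)code;

    if ( scan > 0xe1 )
    {
        g_bUnknown4 = false;
    }
    else if ( scan >= 0xc7 )            /* 0xc7 .. 0xe0 */
    {
        switch ( scan )
        {
        case 0xc7:
        case 0xc8:
        case 0xc9:
        case 0xcb:
        case 0xcc:
        case 0xcd:
        case 0xcf:
        case 0xd0:
        case 0xd1:
        case 0xd2:
        case 0xd3:
        case 0xe0: /* sent first when Print Screen or Break is pressed */
            g_bUnknown4 = true;
            break;
        default:
            g_bUnknown4 = false;
            break;
        }
    }
    else if ( scan > 0xaa )             /* 0xab .. 0xc6 */
    {
        g_bUnknown4 = false;
    }
    else                                /* 0x00 .. 0xaa */
    {
        switch ( scan )
        {
        case 0xaa:
        case 0x2a: /* SHIFT */
        case 0x47: /* HOME */
        case 0x48: /* UP */
        case 0x49: /* PAGE UP */
        case 0x4b: /* LEFT */
        case 0x4c: /* keypad 5 (?) */
        case 0x4d: /* RIGHT */
        case 0x4f: /* END */
        case 0x50: /* DOWN */
        case 0x51: /* PAGE DOWN */
        case 0x52: /* INSERT */
        case 0x53: /* DELETE */
            g_bUnknown4 = true;
            break;
        default:
            g_bUnknown4 = false;
            break;
        }
    }
    return g_bUnknown4;
}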
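/*
 * Restore the keyboard interrupt gate(s) saved by HookAndSaveKBInt.
 * Supports a second CPU; always returns 0.
 *
 * Multiprocessor: pins the thread to CPU 0, writes g_KBIntEntry1 back into
 * the g_pIDTR/g_IntVector gate, then moves to CPU 1 and writes g_KBIntEntry2
 * back into the g_pIDTR2/g_IntVector2 gate.  If the second pin fails,
 * g_IsMulProcesser is cleared and only CPU 0 is restored.
 * Uniprocessor: same write for CPU 0, under g_IDTLockList.Lock on NT4.
 *
 * BUG FIX: the second-CPU restore originally went through g_pIDTR/g_IntVector,
 * but HookAndSaveKBInt captured g_KBIntEntry2 from g_pIDTR2/g_IntVector2 on
 * that CPU, so the saved value was being written into the wrong gate.  The
 * thread is also re-pinned to CPU 0 afterwards, mirroring HookAndSaveKBInt.
 *
 * Each 16-bit gate write pair is bracketed by cli/sti, which masks interrupts
 * on the current CPU only.
 */
DWORD UnHookKBInt()
{
    KIRQL NewIrql = 0;

    if ( g_IsMulProcesser)
    {
        KeSetAffinityThread( KeGetCurrentThread(), 1);
        __asm cli;
        *(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8) = (USHORT)(g_KBIntEntry1 & 0xffff);
        *(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8 + 6) = (USHORT)( g_KBIntEntry1 >> 0x10 );
        __asm sti;

        if ( KeSetAffinityThread( KeGetCurrentThread(), 2) < 0)
        {
            g_IsMulProcesser = 0;
            return 0;
        }

        /* CPU 1: write back to the gate the value was read from. */
        __asm cli;
        *(USHORT*)( g_pIDTR2->IDTBase + g_IntVector2*8) = (USHORT)(g_KBIntEntry2 & 0xffff);
        *(USHORT*)( g_pIDTR2->IDTBase + g_IntVector2*8 + 6) = (USHORT)( g_KBIntEntry2 >> 0x10 );
        __asm sti;

        KeSetAffinityThread( KeGetCurrentThread(), 1);
        return 0;
    }

    /* Uniprocessor path: NT4 serialises IDT edits with the IDT list lock. */
    if ( g_IsNT4)
        NewIrql = KfAcquireSpinLock( &g_IDTLockList.Lock);
    __asm cli;
    *(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8) = (USHORT)(g_KBIntEntry1 & 0xffff);
    *(USHORT*)( g_pIDTR->IDTBase + g_IntVector*8 + 6) = (USHORT)( g_KBIntEntry1 >> 0x10 );
    __asm sti;
    if ( g_IsNT4)
        KfReleaseSpinLock( &g_IDTLockList.Lock, NewIrql);
    return 0;
}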
//某个结构体没搞定
/*
 * Refresh g_StructFour against the current keyboard interrupt gate and copy
 * it to pDest.
 *
 * If the gate still holds g_KBIntEntry, the flags and Array[0] are cleared.
 * Otherwise, when g_Buffer17H->CanReHookKBInt is set, HookKBInt() is called,
 * g_KBIntEntry is re-read, and — if it now differs from the gate seen on
 * entry — bFirst is raised and the foreign entry is recorded in Array[0] and
 * in g_Buffer17H (Reserved2 / IntEntry).  bSecond is cleared after the copy.
 * (The layout of STRUCT_FOUR beyond these fields is not visible here.)
 */
void CopyStructFour( PSTRUCT_FOUR pDest)
{
    DWORD currentEntry = GetKeyBoardIntEntry();

    if ( g_KBIntEntry == currentEntry )
    {
        g_StructFour.bFirst = false;
        g_StructFour.bSecond = false;
        g_StructFour.Array[0] = 0;
    }
    else if ( g_Buffer17H->CanReHookKBInt )
    {
        HookKBInt();
        g_KBIntEntry = GetKeyBoardIntEntry();
        if ( g_KBIntEntry != currentEntry )
        {
            g_StructFour.bFirst = true;
            g_StructFour.Array[0] = currentEntry;
            g_Buffer17H->Reserved2 = true;
            g_Buffer17H->IntEntry = currentEntry;
        }
    }

    RtlCopyMemory( pDest, &g_StructFour, sizeof(STRUCT_FOUR));
    g_StructFour.bSecond = false;
}
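/*
 * Reset every g_AttachInfo field for slot Index.
 */
static void ClearAttachSlot( DWORD Index)
{
    g_AttachInfo.pSourceDeviceObjArray[Index] = NULL;
    g_AttachInfo.pDeviceObjArray[Index] = NULL;
    g_AttachInfo.intArray1[Index] = 0;
    g_AttachInfo.pAttachDeviceObjArray[Index] = NULL;
}

/*
 * Unload helper: detach slots 1..g_AttachNumber, then detach, dereference
 * and delete slot 0 (which appears to hold the driver's own device — confirm
 * against AddDeviceFun1), clearing every slot afterwards.
 *
 * BUG FIX: IoDeleteDevice(pSourceDeviceObjArray[0]) ran unguarded; every
 * other object here is NULL-checked and IoDeleteDevice(NULL) faults.
 * intArray1[0] is passed to ObfDereferenceObject as a pointer, so it
 * presumably stores an object reference despite its name.
 */
void DetachAndDeleteDevice()
{
    DWORD Index;

    for ( Index=1; Index<=g_AttachNumber; Index++)
    {
        if ( g_AttachInfo.pDeviceObjArray[Index] != NULL )
            IoDetachDevice( g_AttachInfo.pDeviceObjArray[Index]);
        if ( g_AttachInfo.pSourceDeviceObjArray[Index] != NULL )
            IoDetachDevice( g_AttachInfo.pSourceDeviceObjArray[Index]);
        ClearAttachSlot( Index);
    }

    if ( g_AttachInfo.pDeviceObjArray[0] != NULL)
        IoDetachDevice( g_AttachInfo.pDeviceObjArray[0]);
    if ( g_AttachInfo.intArray1[0] != 0)
        ObfDereferenceObject( (PVOID)g_AttachInfo.intArray1[0]);
    if ( g_AttachInfo.pSourceDeviceObjArray[0] != NULL)
        IoDeleteDevice( g_AttachInfo.pSourceDeviceObjArray[0]);
    ClearAttachSlot( 0);
}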
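/*
 * Read the handler offset stored in the 8-byte IDT gate at EntryAddress and
 * replace it with NewHandler.  Returns the previous handler offset.
 *
 * The read goes through IDTENTRY (HiOffset:LowOffset) and the writes use the
 * raw gate offsets 0 and 6, exactly as the original code did; cli/sti mask
 * interrupts on the current CPU for the two 16-bit stores.
 */
static DWORD SwapIdtHandler( DWORD EntryAddress, DWORD NewHandler)
{
    PIDTENTRY pGate = (PIDTENTRY)EntryAddress;
    DWORD OldHandler = pGate->HiOffset;
    OldHandler = OldHandler << 0x10;
    OldHandler |= pGate->LowOffset;

    __asm cli;
    *(USHORT*)( EntryAddress) = (USHORT)NewHandler;
    *(USHORT*)( EntryAddress + 6) = (USHORT)( NewHandler>>0x10);
    __asm sti;
    return OldHandler;
}

/*
 * Save the current keyboard interrupt gate(s), then point them at
 * NewIntEntry.  No lock is taken beforehand (unlike the NT4 path elsewhere).
 *
 * Multiprocessor: on CPU 0, sidt into g_IDTR and swap the g_IntVector gate,
 * saving the old handler in g_KBIntEntry1; then on CPU 1, sidt into g_IDTR2
 * and swap the g_IntVector2 gate, saving into g_KBIntEntry2; the thread is
 * left pinned to CPU 0.  If the move to CPU 1 fails, g_IsMulProcesser is
 * cleared and only CPU 0 is hooked.  Uniprocessor: CPU 0 only.
 * Sets g_bDoSaveAndHook and returns g_KBIntEntry1 in every hooked case.
 *
 * BUG FIX: the second-CPU save used `&&` (logical and) instead of `&`, so
 * g_KBIntEntry2 became 0 or 1 and UnHookKBInt could never restore the real
 * handler on that CPU.  Both CPUs now use the same IDTENTRY-based read.
 *
 * NOTE(review): the calling thread's original affinity is never restored.
 */
DWORD HookAndSaveKBInt()
{
    if( g_IsMulProcesser)
    {
        KeSetAffinityThread( KeGetCurrentThread(), 1);
        __asm sidt g_IDTR;
        g_KBIntEntry1 = SwapIdtHandler( g_pIDTR->IDTBase + g_IntVector*8, (DWORD)NewIntEntry);

        if ( KeSetAffinityThread( KeGetCurrentThread(), 2) < 0)
        {
            g_IsMulProcesser = 0;
            return g_KBIntEntry1;
        }

        __asm sidt g_IDTR2;
        g_KBIntEntry2 = SwapIdtHandler( g_pIDTR2->IDTBase + g_IntVector2*8, (DWORD)NewIntEntry);

        KeSetAffinityThread( KeGetCurrentThread(), 1);
        g_bDoSaveAndHook = 1;
        return g_KBIntEntry1;
    }

    __asm sidt g_IDTR;
    g_KBIntEntry1 = SwapIdtHandler( g_pIDTR->IDTBase + g_IntVector*8, (DWORD)NewIntEntry);
    g_bDoSaveAndHook = 1;
    return g_KBIntEntry1;
}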
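/*
 * PnP dispatch: on IRP_MN_SURPRISE_REMOVAL, find the g_AttachInfo slot whose
 * pDeviceObjArray entry is pDeviceObj, detach it, delete its source device,
 * clear the slot, decrement g_AttachNumber and drop the g_bUnknown3 /
 * g_bCanAttach flags.  Every IRP is then passed on to DispatchFun1.
 *
 * BUG FIX: EqualIndex was left uninitialised when no slot matched, and the
 * IoDeleteDevice / pSourceDeviceObjArray lines used the loop variable Index
 * (g_AttachNumber+1 after the loop) instead of EqualIndex.  The slot is now
 * only processed when a match was actually found.  As in the original, the
 * last matching slot wins if pDeviceObj were present more than once.
 *
 * NOTE(review): g_AttachNumber is decremented without compacting the array,
 * so a cleared slot below the count stays a hole — preserved as-is.
 */
NTSTATUS DispatchFun2( PDEVICE_OBJECT pDeviceObj, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation( pIrp);

    if ( pIrpStack->MinorFunction == IRP_MN_SURPRISE_REMOVAL)
    {
        DWORD Index;
        DWORD EqualIndex = 0;
        int Found = 0;

        for ( Index=0; Index<=g_AttachNumber; Index++)
        {
            if ( g_AttachInfo.pDeviceObjArray[Index] == pDeviceObj)
            {
                EqualIndex = Index;
                Found = 1;
            }
        }

        if ( Found && g_AttachInfo.pSourceDeviceObjArray[EqualIndex] != NULL)
        {
            if ( g_AttachInfo.pDeviceObjArray[EqualIndex] != NULL)
                IoDetachDevice( g_AttachInfo.pDeviceObjArray[EqualIndex]);
            IoDeleteDevice( g_AttachInfo.pSourceDeviceObjArray[EqualIndex]);
            g_AttachNumber--;
            g_AttachInfo.pDeviceObjArray[EqualIndex] = NULL;
            g_AttachInfo.intArray1[EqualIndex] = 0;
            g_AttachInfo.pSourceDeviceObjArray[EqualIndex] = NULL;
            g_AttachInfo.pAttachDeviceObjArray[EqualIndex] = NULL;
            g_bUnknown3 = false;
            g_bCanAttach = false;
        }
    }
    return DispatchFun1( pDeviceObj, pIrp);
}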