📄 spyserver.c
字号:
if( pProc==NULL )
{
TRACE_WARNING (TEXT("Tryed to kill an unknown process\n")) ;
}
else if( nProcessId==GetCurrentProcessId() )
{
TRACE_WARNING (TEXT("Refused to kill my process\n")) ;
bSuccess = FALSE ;
}
else
{
hProcess = OpenProcess (PROCESS_TERMINATE, FALSE, nProcessId) ;
if( ! hProcess )
{
TRACE_WARNING (TEXT("OpenProcess failed (error=%u)\n"), GetLastError()) ;
return FALSE ;
}
bSuccess = TerminateProcess (hProcess, 0) ;
CloseHandle (hProcess) ;
if( ! bSuccess )
TRACE_ERROR (TEXT("TerminateProcess failed (error=%u)\n"), GetLastError()) ;
}
}
else
{
DWORD nBytesReturned ;
bSuccess = DeviceIoControl (g_hDriver, IOCTL_KILL_PROCESS,
&nProcessAddress, sizeof(nProcessAddress),
NULL, 0, &nBytesReturned, NULL) ;
if( ! bSuccess )
TRACE_ERROR (TEXT("DeviceIoControl failed (error=%u)\n"), GetLastError()) ;
}
return bSuccess ;
}
/******************************************************************/
/* Exported function */
/******************************************************************/
BOOL SpySrv_IgnoreProcess (PROCADDR nProcessAddress, BOOL bIgnore)
{
BOOL bSuccess ;
DWORD nBytesReturned ;
SDCIGNOREPROC params ;
PROCSTRUCT *pProc ;
params.nProcessAddress = nProcessAddress ;
params.bIgnore = bIgnore ;
bSuccess = DeviceIoControl (g_hDriver, IOCTL_IGNORE_PROCESS,
¶ms, sizeof(params),
NULL, 0, &nBytesReturned, NULL) ;
if( ! bSuccess )
{
TRACE_ERROR (TEXT("DeviceIoControl failed (error=%u)\n"), GetLastError()) ;
return FALSE ;
}
ProcList_Lock () ;
pProc = ProcList_Get (nProcessAddress) ;
if( pProc )
pProc->nState = bIgnore ? PS_HOOK_DISABLED : PS_HOOKED_WHILE_RUNNING ;
ProcList_Unlock () ;
PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PROCESSCHANGED, nProcessAddress) ;
return TRUE ;
}
/******************************************************************/
/* Internal function */
/******************************************************************/
BOOL _SpySrv_RefreshProcList ()
{
PVOID pBuffer ;
DWORD nBufferSize ;
DWORD nBytesReturned=0 ;
BOOL bSuccess ;
PROCESSLISTENTRY* pEntry ;
nBufferSize = 1024*1024 ;
pBuffer = malloc (nBufferSize) ;
bSuccess = DeviceIoControl (g_hDriver, IOCTL_GET_PROCESSLIST,
NULL, 0,
pBuffer, nBufferSize,
&nBytesReturned, NULL) ;
if( ! bSuccess || nBytesReturned==0 )
{
TRACE_ERROR (TEXT("Failed to get process list (error=%u)\n"),
GetLastError()) ;
free (pBuffer) ;
return FALSE ;
}
ProcList_Lock () ;
ProcList_Clear () ;
pEntry = pBuffer ;
while( 1 )
{
PROCSTRUCT proc ;
TRACE_INFO (TEXT("%d : %ls\n"), pEntry->nProcessId, pEntry->wszFilePath) ;
proc.nProcessAddress = pEntry->nProcessAddress ;
proc.nProcessId = pEntry->nProcessId ;
proc.nState = PS_HOOKED_WHILE_RUNNING ;
wcslcpy (proc.szName, PathFindFileName(pEntry->wszFilePath), 32) ;
wcslcpy (proc.szPath, pEntry->wszFilePath, MAX_PATH) ;
ProcList_Add (&proc) ;
if( pEntry->nNextEntry == 0 ) break ;
pEntry = (PROCESSLISTENTRY*)( (BYTE*)pEntry + pEntry->nNextEntry ) ;
}
ProcList_Unlock () ;
free (pBuffer) ;
return TRUE ;
}
/******************************************************************/
/* Exported function */
/******************************************************************/
BOOL SpySrv_InstallDriver (BOOL bPermanently)
{
SC_HANDLE hManager ;
SC_HANDLE hService ;
BOOL bSuccess ;
TCHAR szDriverPath[MAX_PATH] ;
_SpySrv_GetAbsolutePath (szDriverPath, g_szDriverFileName) ;
if( !PathFileExists(szDriverPath) )
{
TRACE_ERROR (TEXT("File not found : %s\n"), szDriverPath) ;
SetLastError (ERROR_FILE_NOT_FOUND) ;
return FALSE ;
}
TRACE_INFO (TEXT("Driver path = %s\n"), szDriverPath) ;
hManager = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS) ;
if( hManager==NULL )
{
TRACE_ERROR (TEXT("OpenSCManager failed (error=%u)\n"), GetLastError()) ;
return FALSE ;
}
create:
hService = CreateService (hManager,
g_szServiceName,
TEXT("Winpooch kernel spy"),
SERVICE_START|DELETE,
SERVICE_KERNEL_DRIVER,
bPermanently?
SERVICE_SYSTEM_START:SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
szDriverPath,
NULL, NULL,
NULL, NULL, NULL) ;
if( hService==NULL )
{
DWORD dwLastError = GetLastError() ;
if( dwLastError == ERROR_SERVICE_EXISTS )
{
hService = OpenService (hManager, g_szServiceName, SERVICE_STOP|DELETE) ;
if( hService!=NULL )
{
SERVICE_STATUS srvstatus ;
ControlService (hService, SERVICE_CONTROL_STOP, &srvstatus) ;
bSuccess = DeleteService(hService) ;
CloseServiceHandle (hService) ;
if( bSuccess )
{
TRACE_WARNING (TEXT("Service deleted. Try to re-create it\n")) ;
goto create ;
}
}
}
TRACE_ERROR (TEXT("CreateService failed (error=%u)\n"), dwLastError) ;
CloseServiceHandle (hManager) ;
SetLastError (dwLastError) ;
return FALSE ;
}
bSuccess = StartService (hService, 0, NULL) ;
if( ! bSuccess )
{
DWORD dwLastError = GetLastError() ;
TRACE_ERROR (TEXT("StartService failed (error=%u)\n"), dwLastError) ;
DeleteService(hService) ;
CloseServiceHandle (hService) ;
CloseServiceHandle (hManager) ;
SetLastError (dwLastError) ;
return FALSE ;
}
CloseServiceHandle (hService) ;
CloseServiceHandle (hManager) ;
return TRUE ;
}
/******************************************************************/
/* Exported function */
/******************************************************************/
BOOL SpySrv_UninstallDriver ()
{
SC_HANDLE hManager ;
SC_HANDLE hService ;
BOOL bSuccess ;
SERVICE_STATUS srvstatus ;
hManager = OpenSCManager (NULL, NULL, 0) ;
if( hManager==NULL )
{
TRACE_ERROR (TEXT("OpenSCManager failed (error=%u)\n"), GetLastError()) ;
return FALSE ;
}
hService = OpenService (hManager, g_szServiceName, SERVICE_STOP|DELETE) ;
if( hService==NULL )
{
TRACE_ERROR (TEXT("OpenService failed (error=%u)\n"), GetLastError()) ;
return FALSE ;
}
bSuccess = ControlService (hService, SERVICE_CONTROL_STOP, &srvstatus) ;
if( ! bSuccess )
{
TRACE_WARNING (TEXT("ControlService failed (error=%u)\n"), GetLastError()) ;
}
bSuccess = DeleteService(hService) ;
if( ! bSuccess )
{
TRACE_ERROR (TEXT("DeleteService failed (error=%u)\n"), GetLastError()) ;
return FALSE ;
}
CloseServiceHandle (hService) ;
CloseServiceHandle (hManager) ;
return TRUE ;
}
BOOL SpySrv_SetScanFilters (LPCWSTR * pszFilters, UINT nFilters)
{
BYTE *pBuffer ;
UINT nBufferSize ;
BOOL bSuccess ;
DWORD nWaitResult ;
OVERLAPPED ov ;
if( nFilters > 0 )
{
UINT i, n ;
TRACE_INFO (TEXT("Calculating buffer size...\n")) ;
n = 0 ;
for( i=0 ; i<nFilters ; i++ )
n += (wcslen(pszFilters[i])+1)*sizeof(WCHAR) ;
TRACE_INFO (TEXT("Buffer size is %u\n"), n) ;
nBufferSize = n ;
pBuffer = malloc (n) ;
n = 0 ;
for( i=0 ; i<nFilters ; i++ )
{
wcscpy ((LPWSTR)&pBuffer[n], pszFilters[i]) ;
n += (wcslen(pszFilters[i])+1)*sizeof(TCHAR) ;
}
}
else
{
pBuffer = NULL ;
nBufferSize = 0 ;
}
ov.hEvent = CreateEvent (NULL, TRUE, FALSE, NULL) ;
bSuccess = DeviceIoControl (g_hDriver,
IOCTL_SET_SCAN_FILTERS,
pBuffer, nBufferSize,
NULL, 0, NULL, &ov) ;
if( !bSuccess && GetLastError()==ERROR_IO_PENDING )
{
TRACE_WARNING (TEXT("IOCTL_SET_SCAN_FILTERS is running asynchronously\n")) ;
nWaitResult = WaitForSingleObject (ov.hEvent, 10*1000) ;
bSuccess = nWaitResult==WAIT_OBJECT_0 ;
}
CloseHandle (ov.hEvent) ;
free (pBuffer) ;
if( ! bSuccess )
TRACE_ERROR (TEXT("Failed to send scanner path to driver\n")) ;
return bSuccess ;
}
/******************************************************************/
/* Exported function */
/******************************************************************/
BOOL SpySrv_SyncScanCache (VOID * pUserPtr, SYNCCACHECALLBACK pfnCallback, LARGE_INTEGER * pliLastSyncTime,
ULONG * pnFirstIdentifier, ULONG * pnLastIdentifier)
{
PVOID pBuffer ;
DWORD nBufferSize ;
DWORD nBytesReturned=0 ;
DWORD nRemainingSize ;
BOOL bSuccess ;
SCANCACHEENTRY* pEntry ;
SDCSYNCCACHE synccache ;
TRACE_INFO (TEXT("SYNCHRONIZE\n")) ;
if( pnFirstIdentifier ) *pnFirstIdentifier = 0 ;
if( pnLastIdentifier ) *pnLastIdentifier = 0 ;
synccache.liLastSyncTime = *pliLastSyncTime ;
nBufferSize = 1024*1024 ;
pBuffer = MALLOC (nBufferSize) ;
bSuccess = DeviceIoControl (g_hDriver, IOCTL_SYNC_CACHE,
&synccache, sizeof(synccache),
pBuffer, nBufferSize,
&nBytesReturned, NULL) ;
if( ! bSuccess || nBytesReturned==0 )
{
TRACE_ERROR (TEXT("Failed to get process list (error=%u)\n"),
GetLastError()) ;
FREE (pBuffer) ;
return FALSE ;
}
if( pnFirstIdentifier )
*pnFirstIdentifier = ((SCANCACHEHEADER*)pBuffer)->nFirstIdentifier ;
if( pnLastIdentifier )
*pnLastIdentifier = ((SCANCACHEHEADER*)pBuffer)->nLastIdentifier ;
pEntry = (SCANCACHEENTRY*)( (BYTE*)pBuffer + sizeof(SCANCACHEHEADER) ) ;
nRemainingSize = nBytesReturned - sizeof(SCANCACHEHEADER) ;
while( nRemainingSize > sizeof(SCANCACHEENTRY) )
{
TRACE_INFO (TEXT("%d : %ls\n"), pEntry->nIdentifier, pEntry->wszFilePath) ;
if( ! pfnCallback (pUserPtr, pEntry->nIdentifier, pEntry->wszFilePath, pEntry->nScanResult, &pEntry->liScanTime) )
break ;
if( pEntry->nNextEntry == 0 ) break ;
nRemainingSize -= pEntry->nNextEntry ;
pEntry = (SCANCACHEENTRY*)( (BYTE*)pEntry + pEntry->nNextEntry ) ;
}
FREE (pBuffer) ;
return TRUE ;
}
/******************************************************************/
/* Exported function */
/******************************************************************/
BOOL SpySrv_AddFileToCache (LPCWSTR szFilePath, SCANRESULT nResult, LARGE_INTEGER * pliScanTime)
{
SDCADDFILETOCACHE* pAddfile ;
UINT nSize ;
DWORD nBytesReturned ;
BOOL bSuccess ;
nSize = sizeof(SDCADDFILETOCACHE)+sizeof(WCHAR)*(wcslen(szFilePath)+1) ;
pAddfile = MALLOC (nSize) ;
pAddfile->nScanResult = nResult ;
pAddfile->liScanTime = *pliScanTime ;
wcscpy (pAddfile->wszFilePath, szFilePath) ;
bSuccess = DeviceIoControl (g_hDriver, IOCTL_ADD_FILE_TO_CACHE,
pAddfile, nSize,
NULL, 0,
&nBytesReturned, NULL) ;
FREE (pAddfile) ;
if( ! bSuccess )
{
TRACE_ERROR (TEXT("Failed to add file to antivirus cache (error=%u)\n"),
GetLastError()) ;
return FALSE ;
}
return TRUE ;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -