// __________________________________________________________
//
// w2k_spy.c
// SBS Windows 2000 Spy Device V1.00
// 08-27-2000 Sven B. Schreiber
// sbs@orgon.com
// __________________________________________________________
//
// Kernel-mode driver module: this part of the file holds the
// externally resolved kernel variables the driver relies on, its
// module-wide state, the init-time entry points, and the
// system-service name tables that map a service index to a readable
// name for NT 4.0 and Windows 2000.

// _W2K_SPY_SYS_ tells w2k_spy.h that it is being included from the
// driver itself rather than from a user-mode client (assumed from the
// name — confirm against w2k_spy.h).
#define _W2K_SPY_SYS_
#include <ddk\ntddk.h>
#include "w2k_spy.h"

// =================================================================
// DISCLAIMER
// =================================================================

/*

This software is provided "as is" and any express or implied
warranties, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
In no event shall the author Sven B. Schreiber be liable for any
direct, indirect, incidental, special, exemplary, or consequential
damages (including, but not limited to, procurement of substitute
goods or services; loss of use, data, or profits; or business
interruption) however caused and on any theory of liability,
whether in contract, strict liability, or tort (including negligence
or otherwise) arising in any way out of the use of this software,
even if advised of the possibility of such damage.

*/

// =================================================================
// REVISION HISTORY
// =================================================================

/*

08-27-2000 V1.00 Original version (SBS).

*/

// =================================================================
// EXTERNAL VARIABLES
// =================================================================

// Kernel-owned variables, not defined in this module; the linker
// resolves them against the kernel's export table when the driver is
// loaded. The driver only holds pointers here — the objects live in
// kernel memory and may change while the driver runs.

extern PWORD                     NlsAnsiCodePage;
extern PWORD                     NlsOemCodePage;
extern PWORD                     NtBuildNumber;
extern PDWORD                    NtGlobalFlag;
extern PDWORD                    KeI386MachineType;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

// =================================================================
// GLOBAL DATA
// =================================================================

// Device and symbolic-link names, built at compile time from the
// DRV_DEVICE / DRV_LINK macros in w2k_spy.h via PRESET_UNICODE_STRING.
PRESET_UNICODE_STRING (usDeviceName,       CSTRING (DRV_DEVICE));
PRESET_UNICODE_STRING (usSymbolicLinkName, CSTRING (DRV_LINK  ));

// Device object and its context block; both start out NULL and are
// expected to be set up by DriverInitialize (defined later in the file).
PDEVICE_OBJECT  gpDeviceObject  = NULL;
PDEVICE_CONTEXT gpDeviceContext = NULL;

// Module-wide hook state. All three flags start cleared and the thread
// handle starts at 0, i.e. no hook is active at load time. These are
// plain globals with no visible synchronization here — NOTE(review):
// confirm how concurrent readers/writers in the dispatch and hook paths
// are ordered before relying on them.
BOOL   gfSpyHookState  = FALSE;
BOOL   gfSpyHookPause  = FALSE;
BOOL   gfSpyHookFilter = FALSE;
HANDLE ghSpyHookThread = 0;

// Upper-case hexadecimal digit table (index 0..15 -> ASCII digit);
// presumably used by the hex formatting helpers elsewhere in this file.
BYTE abHex [] = "0123456789ABCDEF";

// =================================================================
// DISCARDABLE FUNCTIONS
// =================================================================

// Forward declarations of the two init-time entry points so that the
// alloc_text pragmas below can refer to them.
NTSTATUS DriverInitialize (PDRIVER_OBJECT  pDriverObject,
                           PUNICODE_STRING pusRegistryPath);

NTSTATUS DriverEntry      (PDRIVER_OBJECT  pDriverObject,
                           PUNICODE_STRING pusRegistryPath);

// -----------------------------------------------------------------

// Place both functions in the INIT section, which the kernel discards
// once the driver has finished loading; they must therefore never be
// called again after DriverEntry returns.
#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, DriverInitialize)
#pragma alloc_text (INIT, DriverEntry)
#endif

// =================================================================
// WINDOWS NT 4.0 SYSTEM SERVICE NAMES
// =================================================================

// number of entries must match SDT_SYMBOLS_NT4 in w2k_spy.h
//
// The array is terminated by a NULL entry. The entries are string
// literals: although the element type is the non-const PBYTE, they
// are read-only and must never be written through. Array index
// presumably corresponds to the service number in the NT 4.0 service
// table — confirm against the consumer of SDT_SYMBOLS_NT4.

PBYTE apbSdtSymbolsNT4 [] =
    {
    "NtAcceptConnectPort", "NtAccessCheck", "NtAccessCheckAndAuditAlarm", "NtAddAtom",
    "NtAdjustGroupsToken", "NtAdjustPrivilegesToken", "NtAlertResumeThread", "NtAlertThread",
    "NtAllocateLocallyUniqueId", "NtAllocateUuids", "NtAllocateVirtualMemory", "NtCallbackReturn",
    "NtCancelIoFile", "NtCancelTimer", "NtClearEvent", "NtClose",
    "NtCloseObjectAuditAlarm", "NtCompleteConnectPort", "NtConnectPort", "NtContinue",
    "NtCreateDirectoryObject", "NtCreateEvent", "NtCreateEventPair", "NtCreateFile",
    "NtCreateIoCompletion", "NtCreateKey", "NtCreateMailslotFile", "NtCreateMutant",
    "NtCreateNamedPipeFile", "NtCreatePagingFile", "NtCreatePort", "NtCreateProcess",
    "NtCreateProfile", "NtCreateSection", "NtCreateSemaphore", "NtCreateSymbolicLinkObject",
    "NtCreateThread", "NtCreateTimer", "NtCreateToken", "NtDelayExecution",
    "NtDeleteAtom", "NtDeleteFile", "NtDeleteKey", "NtDeleteObjectAuditAlarm",
    "NtDeleteValueKey", "NtDeviceIoControlFile", "NtDisplayString", "NtDuplicateObject",
    "NtDuplicateToken", "NtEnumerateKey", "NtEnumerateValueKey", "NtExtendSection",
    "NtFindAtom", "NtFlushBuffersFile", "NtFlushInstructionCache", "NtFlushKey",
    "NtFlushVirtualMemory", "NtFlushWriteBuffer", "NtFreeVirtualMemory", "NtFsControlFile",
    "NtGetContextThread", "NtGetPlugPlayEvent", "NtGetTickCount", "NtImpersonateClientOfPort",
    "NtImpersonateThread", "NtInitializeRegistry", "NtListenPort", "NtLoadDriver",
    "NtLoadKey", "NtLoadKey2", "NtLockFile", "NtLockVirtualMemory",
    "NtMakeTemporaryObject", "NtMapViewOfSection", "NtNotifyChangeDirectoryFile", "NtNotifyChangeKey",
    "NtOpenDirectoryObject", "NtOpenEvent", "NtOpenEventPair", "NtOpenFile",
    "NtOpenIoCompletion", "NtOpenKey", "NtOpenMutant", "NtOpenObjectAuditAlarm",
    "NtOpenProcess", "NtOpenProcessToken", "NtOpenSection", "NtOpenSemaphore",
    "NtOpenSymbolicLinkObject", "NtOpenThread", "NtOpenThreadToken", "NtOpenTimer",
    "NtPlugPlayControl", "NtPrivilegeCheck", "NtPrivilegedServiceAuditAlarm", "NtPrivilegeObjectAuditAlarm",
    "NtProtectVirtualMemory", "NtPulseEvent", "NtQueryInformationAtom", "NtQueryAttributesFile",
    "NtQueryDefaultLocale", "NtQueryDirectoryFile", "NtQueryDirectoryObject", "NtQueryEaFile",
    "NtQueryEvent", "NtQueryFullAttributesFile", "NtQueryInformationFile", "NtQueryIoCompletion",
    "NtQueryInformationPort", "NtQueryInformationProcess", "NtQueryInformationThread", "NtQueryInformationToken",
    "NtQueryIntervalProfile", "NtQueryKey", "NtQueryMultipleValueKey", "NtQueryMutant",
    "NtQueryObject", "NtQueryOleDirectoryFile", "NtQueryPerformanceCounter", "NtQuerySection",
    "NtQuerySecurityObject", "NtQuerySemaphore", "NtQuerySymbolicLinkObject", "NtQuerySystemEnvironmentValue",
    "NtQuerySystemInformation", "NtQuerySystemTime", "NtQueryTimer", "NtQueryTimerResolution",
    "NtQueryValueKey", "NtQueryVirtualMemory", "NtQueryVolumeInformationFile", "NtQueueApcThread",
    "NtRaiseException", "NtRaiseHardError", "NtReadFile", "NtReadFileScatter",
    "NtReadRequestData", "NtReadVirtualMemory", "NtRegisterThreadTerminatePort", "NtReleaseMutant",
    "NtReleaseSemaphore", "NtRemoveIoCompletion", "NtReplaceKey", "NtReplyPort",
    "NtReplyWaitReceivePort", "NtReplyWaitReplyPort", "NtRequestPort", "NtRequestWaitReplyPort",
    "NtResetEvent", "NtRestoreKey", "NtResumeThread", "NtSaveKey",
    "NtSetIoCompletion", "NtSetContextThread", "NtSetDefaultHardErrorPort", "NtSetDefaultLocale",
    "NtSetEaFile", "NtSetEvent", "NtSetHighEventPair", "NtSetHighWaitLowEventPair",
    // the two "(INT 2B)"/"(INT 2C)" entries are labels for services
    // reached through dedicated interrupt gates rather than the
    // normal service dispatcher; the suffix is part of the display name
    "NtSetHighWaitLowThread (INT 2B)", "NtSetInformationFile", "NtSetInformationKey", "NtSetInformationObject",
    "NtSetInformationProcess", "NtSetInformationThread", "NtSetInformationToken", "NtSetIntervalProfile",
    "NtSetLdtEntries", "NtSetLowEventPair", "NtSetLowWaitHighEventPair", "NtSetLowWaitHighThread (INT 2C)",
    "NtSetSecurityObject", "NtSetSystemEnvironmentValue", "NtSetSystemInformation", "NtSetSystemPowerState",
    "NtSetSystemTime", "NtSetTimer", "NtSetTimerResolution", "NtSetValueKey",
    "NtSetVolumeInformationFile", "NtShutdownSystem", "NtSignalAndWaitForSingleObject", "NtStartProfile",
    "NtStopProfile", "NtSuspendThread", "NtSystemDebugControl", "NtTerminateProcess",
    "NtTerminateThread", "NtTestAlert", "NtUnloadDriver", "NtUnloadKey",
    "NtUnlockFile", "NtUnlockVirtualMemory", "NtUnmapViewOfSection", "NtVdmControl",
    "NtWaitForMultipleObjects", "NtWaitForSingleObject", "NtWaitHighEventPair", "NtWaitLowEventPair",
    "NtWriteFile", "NtWriteFileGather", "NtWriteRequestData", "NtWriteVirtualMemory",
    "NtCreateChannel", "NtListenChannel", "NtOpenChannel", "NtReplyWaitSendChannel",
    "NtSendWaitReplyChannel", "NtSetContextChannel", "NtYieldExecution",
    NULL   // end-of-table marker
    };

// =================================================================
// WINDOWS 2000 SYSTEM SERVICE NAMES
// =================================================================

// number of entries must match SDT_SYMBOLS_NT5 in w2k_spy.h
//
// Same layout and read-only caveat as apbSdtSymbolsNT4 above; the
// table continues beyond this point.

PBYTE apbSdtSymbolsNT5 [] =
    {
    "NtAcceptConnectPort", "NtAccessCheck", "NtAccessCheckAndAuditAlarm", "NtAccessCheckByType",
    "NtAccessCheckByTypeAndAuditAlarm", "NtAccessCheckByTypeResultList",
"NtAccessCheckByTypeResultListAndAuditAlarm", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "NtAddAtom", "NtAdjustGroupsToken", "NtAdjustPrivilegesToken", "NtAlertResumeThread", "NtAlertThread", "NtAllocateLocallyUniqueId", "NtAllocateUserPhysicalPages", "NtAllocateUuids", "NtAllocateVirtualMemory", "NtAreMappedFilesTheSame", "NtAssignProcessToJobObject", "NtCallbackReturn", "NtCancelIoFile", "NtCancelTimer", "NtCancelDeviceWakeupRequest", "NtClearEvent", "NtClose", "NtCloseObjectAuditAlarm", "NtCompleteConnectPort", "NtConnectPort", "NtContinue", "NtCreateDirectoryObject", "NtCreateEvent", "NtCreateEventPair", "NtCreateFile", "NtCreateIoCompletion", "NtCreateJobObject", "NtCreateKey", "NtCreateMailslotFile", "NtCreateMutant", "NtCreateNamedPipeFile", "NtCreatePagingFile", "NtCreatePort", "NtCreateProcess", "NtCreateProfile", "NtCreateSection", "NtCreateSemaphore", "NtCreateSymbolicLinkObject", "NtCreateThread", "NtCreateTimer", "NtCreateToken", "NtCreateWaitablePort", "NtDelayExecution", "NtDeleteAtom", "NtDeleteFile", "NtDeleteKey", "NtDeleteObjectAuditAlarm", "NtDeleteValueKey", "NtDeviceIoControlFile", "NtDisplayString", "NtDuplicateObject", "NtDuplicateToken", "NtEnumerateKey", "NtEnumerateValueKey", "NtExtendSection", "NtFilterToken", "NtFindAtom", "NtFlushBuffersFile", "NtFlushInstructionCache", "NtFlushKey", "NtFlushVirtualMemory", "NtFlushWriteBuffer", "NtFreeUserPhysicalPages", "NtFreeVirtualMemory", "NtFsControlFile", "NtGetContextThread", "NtGetDevicePowerState", "NtGetPlugPlayEvent", "NtGetTickCount", "NtGetWriteWatch", "NtImpersonateAnonymousToken", "NtImpersonateClientOfPort", "NtImpersonateThread", "NtInitializeRegistry", "NtInitiatePowerAction", "NtIsSystemResumeAutomatic", "NtListenPort", "NtLoadDriver", "NtLoadKey", "NtLoadKey2", "NtLockFile", "NtLockVirtualMemory", "NtMakeTemporaryObject", "NtMapUserPhysicalPages", "NtMapUserPhysicalPagesScatter", "NtMapViewOfSection", "NtNotifyChangeDirectoryFile", "NtNotifyChangeKey", 
"NtNotifyChangeMultipleKeys", "NtOpenDirectoryObject", "NtOpenEvent", "NtOpenEventPair", "NtOpenFile", "NtOpenIoCompletion", "NtOpenJobObject", "NtOpenKey", "NtOpenMutant", "NtOpenObjectAuditAlarm", "NtOpenProcess", "NtOpenProcessToken", "NtOpenSection", "NtOpenSemaphore", "NtOpenSymbolicLinkObject", "NtOpenThread", "NtOpenThreadToken", "NtOpenTimer", "NtPlugPlayControl", "NtPowerInformation", "NtPrivilegeCheck", "NtPrivilegedServiceAuditAlarm", "NtPrivilegeObjectAuditAlarm", "NtProtectVirtualMemory", "NtPulseEvent", "NtQueryInformationAtom", "NtQueryAttributesFile", "NtQueryDefaultLocale", "NtQueryDefaultUILanguage", "NtQueryDirectoryFile", "NtQueryDirectoryObject", "NtQueryEaFile", "NtQueryEvent", "NtQueryFullAttributesFile", "NtQueryInformationFile", "NtQueryInformationJobObject", "NtQueryIoCompletion", "NtQueryInformationPort", "NtQueryInformationProcess", "NtQueryInformationThread", "NtQueryInformationToken", "NtQueryInstallUILanguage", "NtQueryIntervalProfile", "NtQueryKey",