"NtQueryMultipleValueKey", "NtQueryMutant", "NtQueryObject", "NtQueryOpenSubKeys", "NtQueryPerformanceCounter", "NtQueryQuotaInformationFile", "NtQuerySection", "NtQuerySecurityObject", "NtQuerySemaphore", "NtQuerySymbolicLinkObject", "NtQuerySystemEnvironmentValue", "NtQuerySystemInformation", "NtQuerySystemTime", "NtQueryTimer", "NtQueryTimerResolution", "NtQueryValueKey", "NtQueryVirtualMemory", "NtQueryVolumeInformationFile", "NtQueueApcThread", "NtRaiseException", "NtRaiseHardError", "NtReadFile", "NtReadFileScatter", "NtReadRequestData", "NtReadVirtualMemory", "NtRegisterThreadTerminatePort", "NtReleaseMutant", "NtReleaseSemaphore", "NtRemoveIoCompletion", "NtReplaceKey", "NtReplyPort", "NtReplyWaitReceivePort", "NtReplyWaitReceivePortEx", "NtReplyWaitReplyPort", "NtRequestDeviceWakeup", "NtRequestPort", "NtRequestWaitReplyPort", "NtRequestWakeupLatency", "NtResetEvent", "NtResetWriteWatch", "NtRestoreKey", "NtResumeThread", "NtSaveKey", "NtSaveMergedKeys", "NtSecureConnectPort", "NtSetIoCompletion", "NtSetContextThread", "NtSetDefaultHardErrorPort", "NtSetDefaultLocale", "NtSetDefaultUILanguage", "NtSetEaFile", "NtSetEvent", "NtSetHighEventPair", "NtSetHighWaitLowEventPair", "NtSetInformationFile", "NtSetInformationJobObject", "NtSetInformationKey", "NtSetInformationObject", "NtSetInformationProcess", "NtSetInformationThread", "NtSetInformationToken", "NtSetIntervalProfile", "NtSetLdtEntries", "NtSetLowEventPair", "NtSetLowWaitHighEventPair", "NtSetQuotaInformationFile", "NtSetSecurityObject", "NtSetSystemEnvironmentValue", "NtSetSystemInformation", "NtSetSystemPowerState", "NtSetSystemTime", "NtSetThreadExecutionState", "NtSetTimer", "NtSetTimerResolution", "NtSetUuidSeed", "NtSetValueKey", "NtSetVolumeInformationFile", "NtShutdownSystem", "NtSignalAndWaitForSingleObject", "NtStartProfile", "NtStopProfile", "NtSuspendThread", "NtSystemDebugControl", "NtTerminateJobObject", "NtTerminateProcess", "NtTerminateThread", "NtTestAlert", "NtUnloadDriver", 
"NtUnloadKey", "NtUnlockFile", "NtUnlockVirtualMemory", "NtUnmapViewOfSection", "NtVdmControl", "NtWaitForMultipleObjects", "NtWaitForSingleObject", "NtWaitHighEventPair", "NtWaitLowEventPair", "NtWriteFile", "NtWriteFileGather", "NtWriteRequestData", "NtWriteVirtualMemory", "NtCreateChannel", "NtListenChannel", "NtOpenChannel", "NtReplyWaitSendChannel", "NtSendWaitReplyChannel", "NtSetContextChannel", "NtYieldExecution", NULL };// =================================================================// SYSTEM SERVICE HOOK FORMAT STRINGS// =================================================================// each string must contain the exact function namePBYTE apbSdtFormats [] = { "%s=NtCancelIoFile(%!,%i)", "%s=NtClose(%-)", "%s=NtCreateFile(%+,%n,%o,%i,%l,%n,%n,%n,%n,%p,%n)", "%s=NtCreateKey(%+,%n,%o,%n,%u,%n,%d)", "%s=NtDeleteFile(%o)", "%s=NtDeleteKey(%-)", "%s=NtDeleteValueKey(%!,%u)", "%s=NtDeviceIoControlFile(%!,%p,%p,%p,%i,%n,%p,%n,%p,%n)", "%s=NtEnumerateKey(%!,%n,%n,%p,%n,%d)", "%s=NtEnumerateValueKey(%!,%n,%n,%p,%n,%d)", "%s=NtFlushBuffersFile(%!,%i)", "%s=NtFlushKey(%!)", "%s=NtFsControlFile(%!,%p,%p,%p,%i,%n,%p,%n,%p,%n)", "%s=NtLoadKey(%o,%o)", "%s=NtLoadKey2(%o,%o,%n)", "%s=NtNotifyChangeKey(%!,%p,%p,%p,%i,%n,%b,%p,%n,%b)", "%s=NtNotifyChangeMultipleKeys(%!,%n,%o,%p,%p,%p,%i,%n,%b,%p,%n,%b)", "%s=NtOpenFile(%+,%n,%o,%i,%n,%n)", "%s=NtOpenKey(%+,%n,%o)", "%s=NtOpenProcess(%+,%n,%o,%c)", "%s=NtOpenThread(%+,%n,%o,%c)", "%s=NtQueryDirectoryFile(%!,%p,%p,%p,%i,%p,%n,%n,%b,%u,%b)", "%s=NtQueryInformationFile(%!,%i,%p,%n,%n)", "%s=NtQueryInformationProcess(%!,%n,%p,%n,%d)", "%s=NtQueryInformationThread(%!,%n,%p,%n,%d)", "%s=NtQueryKey(%!,%n,%p,%n,%d)", "%s=NtQueryMultipleValueKey(%!,%p,%n,%p,%d,%d)", "%s=NtQueryOpenSubKeys(%o,%d)", "%s=NtQuerySystemInformation(%n,%p,%n,%d)", "%s=NtQuerySystemTime(%l)", "%s=NtQueryValueKey(%!,%u,%n,%p,%n,%d)", "%s=NtQueryVolumeInformationFile(%!,%i,%p,%n,%n)", "%s=NtReadFile(%!,%p,%p,%p,%i,%p,%n,%l,%d)", 
"%s=NtReplaceKey(%o,%!,%o)", "%s=NtSetInformationKey(%!,%n,%p,%n)", "%s=NtSetInformationFile(%!,%i,%p,%n,%n)", "%s=NtSetInformationProcess(%!,%n,%p,%n)", "%s=NtSetInformationThread(%!,%n,%p,%n)", "%s=NtSetSystemInformation(%n,%p,%n)", "%s=NtSetSystemTime(%l,%l)", "%s=NtSetValueKey(%!,%u,%n,%n,%p,%n)", "%s=NtSetVolumeInformationFile(%!,%i,%p,%n,%n)", "%s=NtUnloadKey(%o)", "%s=NtWriteFile(%!,%p,%p,%p,%i,%p,%n,%l,%d)", NULL };// =================================================================// SYSTEM SERVICE HOOK ENTRIES// =================================================================SPY_HOOK_ENTRY aSpyHooks [SDT_SYMBOLS_MAX];// =================================================================// STRING FUNCTIONS// =================================================================PBYTE strcpyn (PBYTE pbBuffer, PBYTE pbData, DWORD dBuffer) { DWORD i; if (dBuffer) { for (i = 0; (i < dBuffer-1) && pbData [i]; i++) { pbBuffer [i] = pbData [i]; } pbBuffer [i] = 0; } return pbBuffer; }// -----------------------------------------------------------------PWORD wcscpyn (PWORD pwBuffer, PWORD pwData, DWORD dBuffer) { DWORD i; if (dBuffer) { for (i = 0; (i < dBuffer-1) && pwData [i]; i++) { pwBuffer [i] = pwData [i]; } pwBuffer [i] = 0; } return pwBuffer; }// =================================================================// MEMORY MANAGEMENT// =================================================================PVOID SpyMemoryCreate (DWORD dSize) { return ExAllocatePoolWithTag (PagedPool, max (dSize, 1), SPY_TAG); }// -----------------------------------------------------------------PVOID SpyMemoryDestroy (PVOID pData) { if (pData != NULL) ExFreePool (pData); return NULL; }// =================================================================// SHIFT/AND SEARCH ENGINE// =================================================================void SpySearchReset (PSPY_SEARCH pss) { pss->qTest = 0; pss->dNext = 0; pss->dHit = MAXDWORD; return; }// 
-----------------------------------------------------------------BOOL SpySearchNew (PSPY_SEARCH pss, PBYTE pbPattern) { DWORD i; QWORD qMask; PQWORD pqFlags = pss->aqFlags; for (i = 0; i < 256; i++) pqFlags [i] = 0; for (i = 0, qMask = 1; pbPattern [i] && qMask; i++, qMask <<= 1) { pqFlags [pbPattern [i]] |= qMask; } pss->qMask = (qMask ? qMask >> 1 : 0x8000000000000000); pss->dBytes = i; SpySearchReset (pss); return (i && (!pbPattern [i])); }// -----------------------------------------------------------------BOOL SpySearchTest (PSPY_SEARCH pss, BYTE bData) { BOOL fOk = FALSE; if (pss->qMask) { pss->qTest <<= 1; pss->qTest |= 1; pss->qTest &= pss->aqFlags [bData]; pss->dNext++; if (pss->qTest & pss->qMask) { pss->qTest = 0; pss->dHit = pss->dNext - pss->dBytes; fOk = TRUE; } } return fOk; }// -----------------------------------------------------------------BOOL SpySearchText (PSPY_SEARCH pss, PBYTE pbText) { DWORD i; BOOL fHit = FALSE; SpySearchReset (pss); for (i = 0; (!fHit) && pbText [i]; i++) { fHit = SpySearchTest (pss, pbText [i]); } return fHit; }// -----------------------------------------------------------------PBYTE SpySearchFormat (PBYTE pbSymbol, PPBYTE ppbFormats) { SPY_SEARCH ss; DWORD i; PBYTE pbFormat = NULL; if (SpySearchNew (&ss, pbSymbol)) { for (i = 0; (pbFormat = ppbFormats [i]) != NULL; i++) { if (SpySearchText (&ss, pbFormat)) break; } } return pbFormat; }// =================================================================// SELECTORS, DESCRIPTORS, GATES, AND SEGMENTS// =================================================================BOOL SpySelector (DWORD dSegment, DWORD dSelector, PX86_SELECTOR pSelector) { X86_SELECTOR Selector = {0, 0}; BOOL fOk = FALSE; if (pSelector != NULL) { fOk = TRUE; switch (dSegment) { case X86_SEGMENT_OTHER: { if (fOk = ((dSelector >> X86_SELECTOR_SHIFT) <= X86_SELECTOR_LIMIT)) { Selector.wValue = (WORD) dSelector; } break; } case X86_SEGMENT_CS: { __asm mov Selector.wValue, cs break; } case X86_SEGMENT_DS: { 
__asm mov Selector.wValue, ds break; } case X86_SEGMENT_ES: { __asm mov Selector.wValue, es break; } case X86_SEGMENT_FS: { __asm mov Selector.wValue, fs break; } case X86_SEGMENT_GS: { __asm mov Selector.wValue, gs break; } case X86_SEGMENT_SS: { __asm mov Selector.wValue, ss break; } case X86_SEGMENT_TSS: { __asm str Selector.wValue break; } default: { fOk = FALSE; break; } } RtlCopyMemory (pSelector, &Selector, X86_SELECTOR_); } return fOk; }// -----------------------------------------------------------------PVOID SpyDescriptorBase (PX86_DESCRIPTOR pDescriptor) { return (PVOID) ((pDescriptor->Base1 ) | (pDescriptor->Base2 << 16) | (pDescriptor->Base3 << 24)); }// -----------------------------------------------------------------DWORD SpyDescriptorLimit (PX86_DESCRIPTOR pDescriptor) { return (pDescriptor->G ? (pDescriptor->Limit1 << 12) | (pDescriptor->Limit2 << 28) | 0xFFF : (pDescriptor->Limit1 ) | (pDescriptor->Limit2 << 16)); }// -----------------------------------------------------------------DWORD SpyDescriptorType (PX86_DESCRIPTOR pDescriptor, PBOOL pfSystem) { if (pfSystem != NULL) *pfSystem = !pDescriptor->S; return pDescriptor->Type; }// -----------------------------------------------------------------BOOL SpyDescriptor (PX86_SELECTOR pSelector, PX86_DESCRIPTOR pDescriptor) { X86_SELECTOR ldt; X86_TABLE gdt; DWORD dType, dLimit; BOOL fSystem; PX86_DESCRIPTOR pDescriptors = NULL; BOOL fOk = FALSE; if (pDescriptor != NULL) { if (pSelector != NULL) { if (pSelector->TI) // ldt descriptor { __asm { sldt ldt.wValue sgdt gdt.wLimit } if ((!ldt.TI) && ldt.Index && ((ldt.wValue & X86_SELECTOR_INDEX) <= gdt.wLimit)) { dType = SpyDescriptorType (gdt.pDescriptors + ldt.Index, &fSystem); dLimit = SpyDescriptorLimit (gdt.pDescriptors + ldt.Index);