w2k_spy.c

一个可以对系统硬件进行访问的驱动程序

                    if (fSystem && (dType == X86_DESCRIPTOR_SYS_LDT)
                        &&
                        ((DWORD) (pSelector->wValue
                                  & X86_SELECTOR_INDEX)
                         <= dLimit))
                        {
                        pDescriptors =
                            SpyDescriptorBase (gdt.pDescriptors +
                                               ldt.Index);
                        }
                    }
                }
            else // gdt descriptor
                {
                if (pSelector->Index)
                    {
                    __asm
                        {
                        sgdt gdt.wLimit
                        }
                    if ((pSelector->wValue & X86_SELECTOR_INDEX)
                        <= gdt.wLimit)
                        {
                        pDescriptors = gdt.pDescriptors;
                        }
                    }
                }
            }
        if (pDescriptors != NULL)
            {
            RtlCopyMemory (pDescriptor,
                           pDescriptors + pSelector->Index,
                           X86_DESCRIPTOR_);
            fOk = TRUE;
            }
        else
            {
            RtlZeroMemory (pDescriptor,
                           X86_DESCRIPTOR_);
            }
        }
    return fOk;
    }

// -----------------------------------------------------------------

PVOID SpyGateOffset (PX86_GATE pGate)
    {
    return (PVOID) (pGate->Offset1 | (pGate->Offset2 << 16));
    }

// -----------------------------------------------------------------

BOOL SpyIdtGate (PX86_SELECTOR pSelector,
                 PX86_GATE     pGate)
    {
    X86_TABLE idt;
    PX86_GATE pGates = NULL;
    BOOL      fOk    = FALSE;

    if (pGate != NULL)
        {
        if (pSelector != NULL)
            {
            __asm
                {
                sidt idt.wLimit
                }
            if ((pSelector->wValue & X86_SELECTOR_INDEX)
                <= idt.wLimit)
                {
                pGates = idt.pGates;
                }
            }
        if (pGates != NULL)
            {
            RtlCopyMemory (pGate,
                           pGates + pSelector->Index,
                           X86_GATE_);
            fOk = TRUE;
            }
        else
            {
            RtlZeroMemory (pGate, X86_GATE_);
            }
        }
    return fOk;
    }

// -----------------------------------------------------------------

BOOL SpySegment (DWORD        dSegment,
                 DWORD        dSelector,
                 PSPY_SEGMENT pSegment)
    {
    BOOL fOk = FALSE;

    if (pSegment != NULL)
        {
        fOk = TRUE;
        
        if (!SpySelector   (dSegment, dSelector,
                            &pSegment->Selector))
            {
            fOk = FALSE;
            }
        if (!SpyDescriptor (&pSegment->Selector,
                            &pSegment->Descriptor))
            {
            fOk = FALSE;
            }
        pSegment->pBase  =
            SpyDescriptorBase  (&pSegment->Descriptor);

        pSegment->dLimit =
            SpyDescriptorLimit (&pSegment->Descriptor);

        pSegment->fOk = fOk;
        }
    return fOk;
    }

// -----------------------------------------------------------------

BOOL SpyInterrupt (DWORD          dInterrupt,
                   PSPY_INTERRUPT pInterrupt)
    {
    BOOL fOk = FALSE;

    if (pInterrupt != NULL)
        {
        if (dInterrupt <= X86_SELECTOR_LIMIT)
            {
            fOk = TRUE;

            if (!SpySelector (X86_SEGMENT_OTHER,
                              dInterrupt << X86_SELECTOR_SHIFT,
                              &pInterrupt->Selector))
                {
                fOk = FALSE;
                }
            if (!SpyIdtGate  (&pInterrupt->Selector,
                              &pInterrupt->Gate))
                {
                fOk = FALSE;
                }
            if (!SpySegment  (X86_SEGMENT_OTHER,
                              pInterrupt->Gate.Selector,
                              &pInterrupt->Segment))
                {
                fOk = FALSE;
                }
            pInterrupt->pOffset = SpyGateOffset (&pInterrupt->Gate);
            }
        else
            {
            RtlZeroMemory (pInterrupt, SPY_INTERRUPT_);
            }
        pInterrupt->fOk = fOk;
        }
    return fOk;
    }

// =================================================================
// MEMORY ACCESS FUNCTIONS
// =================================================================

BOOL SpyMemoryPageEntry (PVOID           pVirtual,
                         PSPY_PAGE_ENTRY pspe)
    {
    SPY_PAGE_ENTRY spe;
    BOOL           fOk = FALSE;

    spe.pe       = X86_PDE_ARRAY [X86_PDI (pVirtual)];
    spe.dSize    = X86_PAGE_4M;
    spe.fPresent = FALSE;

    if (spe.pe.pde4M.P)
        {
        if (spe.pe.pde4M.PS)
            {
            fOk = spe.fPresent = TRUE;
            }
        else
            {
            spe.pe    = X86_PTE_ARRAY [X86_PAGE (pVirtual)];
            spe.dSize = X86_PAGE_4K;

            if (spe.pe.pte4K.P)
                {
                fOk = spe.fPresent = TRUE;
                }
            else
                {
                fOk = (spe.pe.pnpe.PageFile != 0);
                }
            }
        }
    if (pspe != NULL) *pspe = spe;
    return fOk;
    }

// -----------------------------------------------------------------

BOOL SpyMemoryTestAddress (PVOID pVirtual)
    {
    return SpyMemoryPageEntry (pVirtual, NULL);
    }

// -----------------------------------------------------------------

BOOL SpyMemoryTestBlock (PVOID pVirtual,
                         DWORD dBytes)
    {
    PBYTE pbData;
    DWORD dData;
    BOOL  fOk = TRUE;

    if (dBytes)
        {
        pbData = (PBYTE) ((DWORD_PTR) pVirtual & X86_PAGE_MASK);
        dData  = (((dBytes + X86_OFFSET_4K (pVirtual) - 1)
                   / PAGE_SIZE) + 1) * PAGE_SIZE;
        do  {
            fOk = SpyMemoryTestAddress (pbData);

            pbData += PAGE_SIZE;
            dData  -= PAGE_SIZE;
            }
        while (fOk && dData);
        }
    return fOk;
    }

// -----------------------------------------------------------------

DWORD SpyMemoryReadBlock (PSPY_MEMORY_BLOCK psmb,
                          PSPY_MEMORY_DATA  psmd,
                          DWORD             dSize)
    {
    DWORD i;
    DWORD n = SPY_MEMORY_DATA__ (psmb->dBytes);

    if (dSize >= n)
        {
        psmd->smb = *psmb;

        for (i = 0; i < psmb->dBytes; i++)
            {
            psmd->awData [i] =
                (SpyMemoryTestAddress (psmb->pbAddress + i)
                 ? SPY_MEMORY_DATA_VALUE (psmb->pbAddress [i], TRUE)
                 : SPY_MEMORY_DATA_VALUE (0, FALSE));
            }
        }
    else
        {
        if (dSize >= SPY_MEMORY_DATA_)
            {
            psmd->smb.pbAddress = NULL;
            psmd->smb.dBytes    = 0;
            }
        n = 0;
        }
    return n;
    }

// =================================================================
// HANDLE MANAGEMENT
// =================================================================

DWORD SpyHandleSlot (PSPY_PROTOCOL psp,
                     HANDLE        hProcess,
                     HANDLE        hObject)
    {
    DWORD dSlot = 0;

    if (hObject != NULL)
        {
        while ((dSlot < psp->sh.dHandles)
               &&
               ((psp->ahProcesses [dSlot] != hProcess) ||
                (psp->ahObjects   [dSlot] != hObject ))) dSlot++;

        dSlot = (dSlot < psp->sh.dHandles ? dSlot+1 : 0);
        }
    return dSlot;
    }

// -----------------------------------------------------------------

DWORD SpyHandleName (PSPY_PROTOCOL psp,
                     HANDLE        hProcess,
                     HANDLE        hObject,
                     PWORD         pwName,
                     DWORD         dName)
    {
    WORD  w;
    DWORD i;
    DWORD dSlot = SpyHandleSlot (psp, hProcess, hObject);

    if ((pwName != NULL) && dName)
        {
        i = 0;

        if (dSlot)
            {
            while ((i+1 < dName) &&
                   (w = psp->awNames [psp->adNames [dSlot-1] + i]))
                {
                pwName [i++] = w;
                }
            }
        pwName [i] = 0;
        }
    return dSlot;
    }

// -----------------------------------------------------------------

DWORD SpyHandleUnregister (PSPY_PROTOCOL psp,
                           HANDLE        hProcess,
                           HANDLE        hObject,
                           PWORD         pwName,
                           DWORD         dName)
    {
    DWORD i, j;
    DWORD dSlot = SpyHandleName (psp, hProcess, hObject,
                                 pwName, dName);
    if (dSlot)
        {
        if (dSlot == psp->sh.dHandles)
            {
            // remove last name entry
            psp->sh.dName = psp->adNames [dSlot-1];
            }
        else
            {
            i = psp->adNames [dSlot-1];
            j = psp->adNames [dSlot  ];

            // shift left all remaining name entries
            while (j < psp->sh.dName)
                {
                psp->awNames [i++] = psp->awNames [j++];
                }
            j -= (psp->sh.dName = i);

            // shift left all remaining handles and name offsets
            for (i = dSlot; i < psp->sh.dHandles; i++)
                {
                psp->ahProcesses [i-1] = psp->ahProcesses [i];
                psp->ahObjects   [i-1] = psp->ahObjects   [i];
                psp->adNames     [i-1] = psp->adNames     [i] - j;
                }
            }
        psp->sh.dHandles--;
        }
    return dSlot;
    }

// -----------------------------------------------------------------

DWORD SpyHandleRegister (PSPY_PROTOCOL   psp,
                         HANDLE          hProcess,
                         HANDLE          hObject,
                         PUNICODE_STRING puName)
    {
    PWORD pwName;
    DWORD dName;
    DWORD i;
    DWORD dSlot = 0;

    if (hObject != NULL)
        {
        // unregister old handle with same value
        SpyHandleUnregister (psp, hProcess, hObject, NULL, 0);

        if (psp->sh.dHandles == SPY_HANDLES)
            {
            // unregister oldest handle if overflow
            SpyHandleUnregister (psp, psp->ahProcesses [0],
                                 psp->ahObjects [0], NULL, 0);
            }
        pwName = ((puName != NULL) && SpyMemoryTestAddress (puName)
                  ? puName->Buffer
                  : NULL);

        dName  = ((pwName != NULL) && SpyMemoryTestAddress (pwName)
                  ? puName->Length / WORD_
                  : 0);

        if (dName + 1 <= SPY_NAME_BUFFER - psp->sh.dName)
            {
            // append object to end of list
            psp->ahProcesses [psp->sh.dHandles] = hProcess;
            psp->ahObjects   [psp->sh.dHandles] = hObject;
            psp->adNames     [psp->sh.dHandles] = psp->sh.dName;

            for (i = 0; i < dName; i++)
                {
                psp->awNames [psp->sh.dName++] = pwName [i];
                }
            psp->awNames [psp->sh.dName++] = 0;

            psp->sh.dHandles++;
            dSlot = psp->sh.dHandles;
            }
        }
    return dSlot;
    }

// =================================================================
// HOOK PROTOCOL MANAGEMENT (READ)
// =================================================================

DWORD SpyReadData (PSPY_PROTOCOL psp,
                   PBYTE         pbData,
                   DWORD         dData)
    {
    DWORD i = psp->sh.dRead;
    DWORD n = 0;

    while ((n < dData) && (i != psp->sh.dWrite))
        {
        pbData [n++] = psp->abData [i++];
        if (i == SPY_DATA_BUFFER) i = 0;
        }
    psp->sh.dRead = i;
    return n;
    }

// -----------------------------------------------------------------

DWORD SpyReadLine (PSPY_PROTOCOL psp,
                   PBYTE         pbData,
                   DWORD         dData)
    {
    BYTE  b = 0;
    DWORD i = psp->sh.dRead;
    DWORD n = 0;

    while ((b != '\n') && (i != psp->sh.dWrite))
        {
        b = psp->abData [i++];
        if (i == SPY_DATA_BUFFER) i = 0;
        if (n < dData) pbData [n++] = b;
        }
    if (b == '\n')
        {
        // remove current line from buffer
        psp->sh.dRead = i;
        }
    else
        {
        // don't return any data until full line available
        n = 0;
        }