📄 w2k_spy.c
字号:
if (n) { pbData [n-1] = 0; } else { if (dData) pbData [0] = 0; } return n; }// =================================================================// HOOK PROTOCOL MANAGEMENT (WRITE)// =================================================================void SpyWriteReset (PSPY_PROTOCOL psp) { KeQuerySystemTime (&psp->sh.liStart); psp->sh.dRead = 0; psp->sh.dWrite = 0; psp->sh.dCalls = 0; psp->sh.dHandles = 0; psp->sh.dName = 0; return; }// -----------------------------------------------------------------DWORD SpyWriteData (PSPY_PROTOCOL psp, PBYTE pbData, DWORD dData) { BYTE b; DWORD i = psp->sh.dRead; DWORD j = psp->sh.dWrite; DWORD n = 0; while (n < dData) { psp->abData [j++] = pbData [n++]; if (j == SPY_DATA_BUFFER) j = 0; if (j == i) { // remove first line from buffer do { b = psp->abData [i++]; if (i == SPY_DATA_BUFFER) i = 0; } while ((b != '\n') && (i != j)); // remove half line only if single line if ((i == j) && ((i += (SPY_DATA_BUFFER / 2)) >= SPY_DATA_BUFFER)) { i -= SPY_DATA_BUFFER; } } } psp->sh.dRead = i; psp->sh.dWrite = j; return n; }// -----------------------------------------------------------------DWORD SpyWriteChar (PSPY_PROTOCOL psp, BYTE bPrefix, BYTE bData) { DWORD n = 0; if (bPrefix) n += SpyWriteData (psp, &bPrefix, 1); if (bData ) n += SpyWriteData (psp, &bData, 1); return n; }// -----------------------------------------------------------------DWORD SpyWriteAnsi (PSPY_PROTOCOL psp, BYTE bPrefix, PBYTE pbData) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if (pbData != NULL) { n += SpyWriteData (psp, pbData, strlen (pbData)); } return n; }// -----------------------------------------------------------------DWORD SpyWriteBoolean (PSPY_PROTOCOL psp, BYTE bPrefix, BOOLEAN bData) { return SpyWriteAnsi (psp, bPrefix, (bData ? "TRUE" : "FALSE")); }// -----------------------------------------------------------------DWORD SpyWriteNumber (PSPY_PROTOCOL psp, BYTE bPrefix, DWORD dData) { BYTE abNumber [8+1]; DWORD x, i; abNumber [i = 8] = 0; x = dData; do { abNumber [--i] = abHex [x & 0xF]; x >>= 4; } while (x); return SpyWriteAnsi (psp, bPrefix, abNumber+i); }// -----------------------------------------------------------------DWORD SpyWriteWide (PSPY_PROTOCOL psp, BYTE bPrefix, PWORD pwData, DWORD dData) { UNICODE_STRING us; ANSI_STRING as; WORD awChar [] = L"?"; BYTE abChar [] = "?"; DWORD dData1, i; DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((pwData != NULL) && SpyMemoryTestAddress (pwData)) { dData1 = (dData != MAXDWORD ? dData : wcslen (pwData)); RtlInitUnicodeString (&us, awChar); RtlInitAnsiString (&as, abChar); for (i = 0; i < dData1; i++) { if (pwData [i] < 0x100) { abChar [0] = (BYTE) pwData [i]; } else { awChar [0] = pwData [i]; if (RtlUnicodeStringToAnsiString (&as, &us, FALSE) != STATUS_SUCCESS) { abChar [0] = '?'; } } n += SpyWriteChar (psp, 0, abChar [0]); } } return n; }// -----------------------------------------------------------------DWORD SpyWriteString (PSPY_PROTOCOL psp, BYTE bPrefix, PWORD pwData, DWORD dData, BYTE bStart, BYTE bStop) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((pwData != NULL) && SpyMemoryTestAddress (pwData)) { n += SpyWriteChar (psp, 0, bStart); n += SpyWriteWide (psp, 0, pwData, dData); n += SpyWriteChar (psp, 0, bStop); } return n; }// -----------------------------------------------------------------DWORD SpyWriteName (PSPY_PROTOCOL psp, BYTE bPrefix, PWORD pwData, DWORD dData) { return SpyWriteString (psp, bPrefix, pwData, dData, '\"', '\"'); }// -----------------------------------------------------------------DWORD SpyWriteUnicode (PSPY_PROTOCOL psp, BYTE bPrefix, PUNICODE_STRING puData) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((puData != NULL) && SpyMemoryTestAddress (puData)) { n += SpyWriteName (psp, 0, puData->Buffer, puData->Length / WORD_); } return n; }// -----------------------------------------------------------------DWORD SpyWriteObject (PSPY_PROTOCOL psp, BYTE bPrefix, POBJECT_ATTRIBUTES poa) { return SpyWriteUnicode (psp, bPrefix, OBJECT_NAME (poa)); }// -----------------------------------------------------------------DWORD SpyWriteLarge (PSPY_PROTOCOL psp, BYTE bPrefix, PLARGE_INTEGER pliData) { BYTE abNumber [16+1]; DWORDLONG x; DWORD i; DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((pliData != NULL) && SpyMemoryTestAddress (pliData)) { abNumber [i = 16] = 0; x = (pliData->QuadPart); do { abNumber [--i] = abHex [x & 0xF]; x >>= 4; } while (x); n += SpyWriteAnsi (psp, 0, abNumber+i); } return n; }// -----------------------------------------------------------------DWORD SpyWriteStatus (PSPY_PROTOCOL psp, BYTE bPrefix, NTSTATUS NtStatus) { return SpyWriteNumber (psp, bPrefix, NtStatus); }// -----------------------------------------------------------------DWORD SpyWriteIoStatus (PSPY_PROTOCOL psp, BYTE bPrefix, PIO_STATUS_BLOCK pisb) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((pisb != NULL) && SpyMemoryTestAddress (pisb)) { n += SpyWriteNumber (psp, 0, pisb->Status); n += SpyWriteChar (psp, 0, '.'); n += SpyWriteNumber (psp, 0, pisb->Information); } return n; }// -----------------------------------------------------------------DWORD SpyWriteClientId (PSPY_PROTOCOL psp, BYTE bPrefix, PCLIENT_ID pci) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((pci != NULL) && SpyMemoryTestAddress (pci)) { n += SpyWriteNumber (psp, 0, (DWORD) pci->UniqueProcess); n += SpyWriteChar (psp, 0, '.'); n += SpyWriteNumber (psp, 0, (DWORD) pci->UniqueThread); } return n; }// -----------------------------------------------------------------DWORD SpyWriteDword (PSPY_PROTOCOL psp, BYTE bPrefix, PDWORD pdData) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((pdData != NULL) && SpyMemoryTestAddress (pdData)) { n += SpyWriteNumber (psp, 0, *pdData); } return n; }// -----------------------------------------------------------------DWORD SpyWritePointer (PSPY_PROTOCOL psp, BYTE bPrefix, PVOID pData) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if (pData != NULL) { n += SpyWriteNumber (psp, 0, (DWORD) pData); } return n; }// -----------------------------------------------------------------DWORD SpyWriteHandle (PSPY_PROTOCOL psp, BYTE bPrefix, HANDLE hProcess, HANDLE hObject) { DWORD n = SpyWriteChar (psp, 0, bPrefix); n += SpyWriteNumber (psp, 0, (DWORD) hProcess); n += SpyWriteChar (psp, 0, '.'); n += SpyWriteNumber (psp, 0, (DWORD) hObject); return n; }// -----------------------------------------------------------------DWORD SpyWriteNewHandle (PSPY_PROTOCOL psp, BYTE bPrefix, HANDLE hProcess, PHANDLE phObject) { DWORD n = SpyWriteChar (psp, 0, bPrefix); if ((phObject != NULL) && SpyMemoryTestAddress (phObject)) { n += SpyWriteHandle (psp, 0, hProcess, *phObject); } return n; }// -----------------------------------------------------------------DWORD SpyWriteOpenHandle (PSPY_PROTOCOL psp, BYTE bPrefix, HANDLE hProcess, HANDLE hObject) { WORD awName [SPY_NAME]; DWORD n = SpyWriteHandle (psp, bPrefix, hProcess, hObject); if (SpyHandleName (psp, hProcess, hObject, awName, SPY_NAME)) { n += SpyWriteChar (psp, 0, '='); n += SpyWriteName (psp, 0, awName, MAXDWORD); } return n; }// -----------------------------------------------------------------DWORD SpyWriteClosedHandle (PSPY_PROTOCOL psp, BYTE bPrefix, HANDLE hProcess, HANDLE hObject) { WORD awName [SPY_NAME]; DWORD n = SpyWriteHandle (psp, bPrefix, hProcess, hObject); if (SpyHandleUnregister (psp, hProcess, hObject, awName, SPY_NAME)) { n += SpyWriteChar (psp, 0, '='); n += SpyWriteName (psp, 0, awName, MAXDWORD); } return n; }// -----------------------------------------------------------------BOOL SpyWriteFilter (PSPY_PROTOCOL psp, PBYTE pbFormat, PVOID pParameters, DWORD dParameters) { PHANDLE phObject = NULL; HANDLE hObject = NULL; POBJECT_ATTRIBUTES poa = NULL; PDWORD pdNext; DWORD i, j; pdNext = pParameters; i = j = 0; while (pbFormat [i]) { while (pbFormat [i] && (pbFormat [i] != '%')) i++; if (pbFormat [i] && pbFormat [++i]) { j++; switch (pbFormat [i++]) { case 'b': case 'a': case 'w': case 'u': case 'n': case 'l': case 's': case 'i': case 'c': case 'd': case 'p': { break; } case 'o': { if (poa == NULL) { poa = (POBJECT_ATTRIBUTES) *pdNext; } break; } case '+': { if (phObject == NULL) { phObject = (PHANDLE) *pdNext; } break; } case '!': case '-': { if (hObject == NULL) { hObject = (HANDLE) *pdNext; } break; } default: { j--;⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -