// w2k_spy.h
// 08-27-2000 Sven B. Schreiber
// sbs@orgon.com
// =================================================================
// PROGRAM IDENTIFICATION
// =================================================================
// Build number and two-part version; drvinfo.h (included below)
// presumably folds these into the driver's version resource and
// into DRV_VERSION_BINARY, which SPY_VERSION aliases further down.
#define DRV_BUILD 1
#define DRV_VERSION_HIGH 1
#define DRV_VERSION_LOW 0
// -----------------------------------------------------------------
// Build date. NOTE(review): "08" with a leading zero is NOT a valid
// C integer constant (8 is not an octal digit), so DRV_MONTH can only
// ever be stringized (#) by drvinfo.h, never used in arithmetic —
// confirm against drvinfo.h before reusing this macro elsewhere.
#define DRV_DAY 27
#define DRV_MONTH 08
#define DRV_YEAR 2000
// -----------------------------------------------------------------
// Identification items. These are bare tokens (not string literals);
// drvinfo.h presumably stringizes them for the version resource.
#define DRV_MODULE w2k_spy
#define DRV_NAME SBS Windows 2000 Spy Device
#define DRV_COMPANY Sven B. Schreiber
#define DRV_AUTHOR Sven B. Schreiber
#define DRV_EMAIL sbs@orgon.com
#define DRV_PREFIX SBS
// =================================================================
// HEADER FILES
// =================================================================
#include <drvinfo.h> // defines more DRV_* items
#include <w2k_def.h> // undocumented definitions
////////////////////////////////////////////////////////////////////
#ifdef _W2K_SPY_SYS_
////////////////////////////////////////////////////////////////////
// =================================================================
// MACROS
// =================================================================
// Classic min/max macros. Each argument is evaluated twice, so never
// pass an expression with side effects (e.g. i++ or a function call).
#define min(_a,_b) (((_a) < (_b)) ? (_a) : (_b))
#define max(_a,_b) (((_a) > (_b)) ? (_a) : (_b))
// -----------------------------------------------------------------
// Thin wrappers around the kernel mutex API. _mutex is the KMUTEX
// object itself (the macros take its address), not a pointer to it.
// MUTEX_INITIALIZE: Level argument 0.
// MUTEX_WAIT: kernel-mode, non-alertable wait with a NULL timeout,
// i.e. it blocks indefinitely until the mutex is acquired; per the
// KeWaitForMutexObject documentation an indefinite wait must be
// issued at IRQL <= APC_LEVEL.
// MUTEX_RELEASE: Wait = FALSE, so no KeWaitXxx call is expected to
// follow immediately.
#define MUTEX_INITIALIZE(_mutex) \
KeInitializeMutex \
(&(_mutex), 0)
#define MUTEX_WAIT(_mutex) \
KeWaitForMutexObject \
(&(_mutex), Executive, KernelMode, FALSE, NULL)
#define MUTEX_RELEASE(_mutex) \
KeReleaseMutex \
(&(_mutex), FALSE)
// -----------------------------------------------------------------
// NULL-tolerant accessors for UNICODE_STRING / object structures.
// UNICODE_LENGTH: UNICODE_STRING.Length is a byte count; dividing by
// WORD_ (presumably sizeof(WORD), from w2k_def.h) yields the number
// of WCHARs. Returns 0 for a NULL pointer.
// UNICODE_BUFFER: the raw WCHAR buffer, or NULL. Note that a
// UNICODE_STRING buffer is not guaranteed to be NUL-terminated, so
// always pair this with UNICODE_LENGTH rather than wcslen().
// OBJECT_NAME: the ObjectName member (presumably of an
// OBJECT_ATTRIBUTES), or NULL.
#define UNICODE_LENGTH(_u) \
((_u) != NULL ? ((_u)->Length / WORD_) : 0)
#define UNICODE_BUFFER(_u) \
((_u) != NULL ? ((_u)->Buffer) : NULL)
#define OBJECT_NAME(_o) \
((_o) != NULL ? ((_o)->ObjectName) : NULL)
// =================================================================
// CONSTANTS
// =================================================================
// Kernel-build (_W2K_SPY_SYS_) replicas of constants that the
// user-mode Win32 headers normally provide; the values match winnt.h.
#define MAX_PATH 260
#define MAXBYTE 0xFF
#define MAXWORD 0xFFFF
#define MAXDWORD 0xFFFFFFFF
// -----------------------------------------------------------------
// Indices into IMAGE_OPTIONAL_HEADER.DataDirectory[] (defined below).
// An image may declare fewer than IMAGE_NUMBEROF_DIRECTORY_ENTRIES
// entries in NumberOfRvaAndSizes, so check that field before indexing
// when the image comes from outside the driver's control.
// Entry 7 is named ARCHITECTURE in newer SDKs; COPYRIGHT is the
// older alias for the same slot.
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8
#define IMAGE_DIRECTORY_ENTRY_TLS 9
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11
#define IMAGE_DIRECTORY_ENTRY_IAT 12
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
// =================================================================
// WINDOWS 2000 IMAGE STRUCTURES
// =================================================================
// COFF file header that follows the "PE\0\0" signature in a PE image.
// Layout must stay byte-identical to the on-disk format (20 bytes);
// do not reorder or retype fields.
typedef struct _IMAGE_FILE_HEADER
{
WORD Machine; // target architecture id
WORD NumberOfSections; // section headers following the optional header
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader; // bytes in IMAGE_OPTIONAL_HEADER; validate before use
WORD Characteristics;
}
IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
// -----------------------------------------------------------------
// One entry of the optional header's data directory: an RVA plus a
// byte size. Both come from the image and must be range-checked
// against SizeOfImage before being turned into a pointer.
typedef struct _IMAGE_DATA_DIRECTORY
{
DWORD VirtualAddress; // RVA, relative to the image base
DWORD Size;
}
IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
// -----------------------------------------------------------------
// 32-bit (PE32) optional header. The DWORD ImageBase and the presence
// of BaseOfData mark this as the PE32 layout; PE32+ (64-bit) images
// have a different layout and are not described by this struct.
// Layout must stay byte-identical to the on-disk format.
typedef struct _IMAGE_OPTIONAL_HEADER
{
WORD Magic; // PE32 vs. PE32+ discriminator; check before trusting the rest
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint; // RVA
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage; // upper bound for any RVA taken from this image
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes; // valid entries in DataDirectory; may be < 16
IMAGE_DATA_DIRECTORY DataDirectory
[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
}
IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
// -----------------------------------------------------------------
// The PE header block located via the DOS header's e_lfanew field:
// signature ("PE\0\0"), COFF header, then the PE32 optional header.
// RtlImageNtHeader (declared below) returns a pointer to this.
typedef struct _IMAGE_NT_HEADERS
{
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
}
IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
// -----------------------------------------------------------------
// Export directory, located through DataDirectory
// [IMAGE_DIRECTORY_ENTRY_EXPORT]. All AddressOf* members and Name are
// RVAs, and the table counts come from the image itself, so a parser
// walking an arbitrary module must bound every RVA and index against
// SizeOfImage before dereferencing.
typedef struct _IMAGE_EXPORT_DIRECTORY
{
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name; // RVA of the module name string
DWORD Base; // ordinal base
DWORD NumberOfFunctions; // entries in the AddressOfFunctions table
DWORD NumberOfNames; // entries in AddressOfNames / AddressOfNameOrdinals
DWORD AddressOfFunctions; // RVA of DWORD[NumberOfFunctions]
DWORD AddressOfNames; // RVA of DWORD[NumberOfNames] (each an RVA to a name)
DWORD AddressOfNameOrdinals; // RVA of WORD[NumberOfNames]
}
IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
// =================================================================
// WINDOWS 2000 MODULE INFORMATION
// =================================================================
// SYSTEM_INFORMATION_CLASS value passed to ZwQuerySystemInformation
// (declared below) to enumerate loaded kernel modules.
#define SystemModuleInformation 11 // SYSTEMINFOCLASS
// -----------------------------------------------------------------
// One entry of the SystemModuleInformation result. This is an
// undocumented structure; the field names are the author's, and the
// layout is what Windows 2000 returned at the time of writing —
// verify against the target build before relying on it.
typedef struct _MODULE_INFO
{
DWORD dReserved1;
DWORD dReserved2;
PVOID pBase; // module load address
DWORD dSize; // module size in bytes
DWORD dFlags;
WORD wIndex;
WORD wRank;
WORD wLoadCount;
WORD wNameOffset; // presumably the offset of the base name within abPath
BYTE abPath [MAXIMUM_FILENAME_LENGTH]; // ANSI path; treat as possibly unterminated
}
MODULE_INFO, *PMODULE_INFO, **PPMODULE_INFO;
#define MODULE_INFO_ sizeof (MODULE_INFO)
// -----------------------------------------------------------------
// Result buffer of SystemModuleInformation: a count followed by
// dModules variable-length entries (flexible array member).
typedef struct _MODULE_LIST
{
DWORD dModules;
MODULE_INFO aModules [];
}
MODULE_LIST, *PMODULE_LIST, **PPMODULE_LIST;
// sizeof excludes the flexible array, so this is the fixed header
// size only; the full buffer is MODULE_LIST_ + n * MODULE_INFO_.
#define MODULE_LIST_ sizeof (MODULE_LIST)
// =================================================================
// WINDOWS 2000 API PROTOTYPES
// =================================================================
// Returns a pointer to the IMAGE_NT_HEADERS inside the image mapped
// at Base, or NULL if Base does not look like a valid PE image.
PIMAGE_NT_HEADERS NTAPI
RtlImageNtHeader (PVOID Base);
// Undocumented system service. For SystemModuleInformation (11) it
// fills SystemInformation with a MODULE_LIST; if the buffer is too
// small it is expected to fail with STATUS_INFO_LENGTH_MISMATCH and
// report the required size through ReturnLength (may be NULL) —
// callers should loop on that rather than guess a size.
NTSTATUS NTAPI
ZwQuerySystemInformation (DWORD SystemInformationClass,
PVOID SystemInformation,
DWORD SystemInformationLength,
PDWORD ReturnLength);
////////////////////////////////////////////////////////////////////
#else // #ifdef _W2K_SPY_SYS_
////////////////////////////////////////////////////////////////////
// =================================================================
// CONSTANTS
// =================================================================
// User-mode replicas of DDK definitions that the Win32 headers lack.
// PAGE_SHIFT/PTI_SHIFT/PDI_SHIFT describe 4 KB pages with a two-level
// (non-PAE) x86 page table: 10 bits of page-directory index above
// 10 bits of page-table index. They do not apply to PAE kernels.
#define PAGE_SHIFT 12
#define PTI_SHIFT 12
#define PDI_SHIFT 22
#define MAXIMUM_FILENAME_LENGTH 256 // sizes MODULE_INFO.abPath
// -----------------------------------------------------------------
// Same shapes as the DDK typedefs: a 64-bit physical address and the
// 32-bit signed NTSTATUS code.
typedef LARGE_INTEGER
PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS, **PPPHYSICAL_ADDRESS;
typedef LONG
NTSTATUS, *PNTSTATUS, **PPNTSTATUS;
// -----------------------------------------------------------------
// User-mode copy of the DDK's NT_PRODUCT_TYPE; NtProductInvalid is 0
// and the remaining values follow in declaration order.
typedef enum _NT_PRODUCT_TYPE
{
NtProductInvalid,
NtProductWinNt,
NtProductLanManNt,
NtProductServer
}
NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE, **PPNT_PRODUCT_TYPE;
////////////////////////////////////////////////////////////////////
#endif // #ifdef _W2K_SPY_SYS_
////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////
#ifndef _RC_PASS_
////////////////////////////////////////////////////////////////////
// =================================================================
// MACROS
// =================================================================
// Byte-granular pointer arithmetic: _base + _offset via PBYTE.
// _offset is truncated to DWORD, so this is 32-bit-only. There is no
// bounds check; when _offset originates in untrusted data (an RVA
// read from an image, a user-supplied request) validate it against
// the containing buffer's size before calling this.
#define PTR_ADD(_base,_offset) \
((PVOID) ((PBYTE) (_base) + (DWORD) (_offset)))
// =================================================================
// CONSTANTS
// =================================================================
// Protocol constants shared by the driver and its user-mode client.
#define SPY_VERSION DRV_VERSION_BINARY // see drvinfo.h
// Pool tag; multi-character constant, shows as "SPY>" in memory.
#define SPY_TAG '>YPS' // SPY>
#define SPY_CALLS 0x00000100 // max api call nesting level
#define SPY_NAME 0x00000400 // max object name length
#define SPY_HANDLES 0x00001000 // max number of handles
#define SPY_NAME_BUFFER 0x00100000 // object name buffer size
#define SPY_DATA_BUFFER 0x00100000 // protocol data buffer size
// -----------------------------------------------------------------
// Device type and IOCTL function-code base. 0x8000 and 0x800 are the
// starts of the ranges Microsoft reserves for third-party drivers.
#define FILE_DEVICE_SPY 0x8000
#define SPY_IO_BASE 0x0800
// -----------------------------------------------------------------
// Builds a CTL_CODE for this device. METHOD_BUFFERED means the I/O
// manager copies the request into and out of a system buffer. The
// FILE_READ_ACCESS / FILE_WRITE_ACCESS bits only require that the
// caller's handle was opened with that access; they say nothing
// about WHO may open the device — that is decided by the device
// object's security descriptor, which is not visible in this file.
// NOTE(review): several of the codes below expose kernel and physical
// memory to user mode, so confirm the device open is restricted to
// administrators where the device object is created.
#define SPY_IO(_code,_read,_write) \
CTL_CODE ((FILE_DEVICE_SPY), \
((SPY_IO_BASE) + (_code)), \
(METHOD_BUFFERED), \
(((_read) ? (FILE_READ_ACCESS) : 0) | \
((_write) ? (FILE_WRITE_ACCESS) : 0)))
// -----------------------------------------------------------------
// symbol code read write
// Request codes. Every code requires FILE_READ_ACCESS on the handle;
// the ones marked TRUE in the "write" column additionally require
// FILE_WRITE_ACCESS (hook installation/removal, hook writes, and
// the generic call). Judging by their names, PHYSICAL, MEMORY_DATA,
// MEMORY_BLOCK and CALL hand kernel memory or control flow to the
// caller, so the driver-side handlers should validate every length
// and address in the request buffer.
// symbol code read write
#define SPY_IO_VERSION_INFO SPY_IO ( 0, TRUE, FALSE)
#define SPY_IO_OS_INFO SPY_IO ( 1, TRUE, FALSE)
#define SPY_IO_SEGMENT SPY_IO ( 2, TRUE, FALSE)
#define SPY_IO_INTERRUPT SPY_IO ( 3, TRUE, FALSE)
#define SPY_IO_PHYSICAL SPY_IO ( 4, TRUE, FALSE)
#define SPY_IO_CPU_INFO SPY_IO ( 5, TRUE, FALSE)
#define SPY_IO_PDE_ARRAY SPY_IO ( 6, TRUE, FALSE)
#define SPY_IO_PAGE_ENTRY SPY_IO ( 7, TRUE, FALSE)
#define SPY_IO_MEMORY_DATA SPY_IO ( 8, TRUE, FALSE)
#define SPY_IO_MEMORY_BLOCK SPY_IO ( 9, TRUE, FALSE)
#define SPY_IO_HANDLE_INFO SPY_IO (10, TRUE, FALSE)
#define SPY_IO_HOOK_INFO SPY_IO (11, TRUE, FALSE)
#define SPY_IO_HOOK_INSTALL SPY_IO (12, TRUE, TRUE )
#define SPY_IO_HOOK_REMOVE SPY_IO (13, TRUE, TRUE )
#define SPY_IO_HOOK_PAUSE SPY_IO (14, TRUE, TRUE )
#define SPY_IO_HOOK_FILTER SPY_IO (15, TRUE, TRUE )
#define SPY_IO_HOOK_RESET SPY_IO (16, TRUE, TRUE )
#define SPY_IO_HOOK_READ SPY_IO (17, TRUE, FALSE)
#define SPY_IO_HOOK_WRITE SPY_IO (18, TRUE, TRUE )
#define SPY_IO_MODULE_INFO SPY_IO (19, TRUE, FALSE)
#define SPY_IO_PE_HEADER SPY_IO (20, TRUE, FALSE)
#define SPY_IO_PE_EXPORT SPY_IO (21, TRUE, FALSE)
#define SPY_IO_PE_SYMBOL SPY_IO (22, TRUE, FALSE)
#define SPY_IO_CALL SPY_IO (23, TRUE, TRUE )
// -----------------------------------------------------------------
// Number of entries in the native system service table (SDT) for
// NT 4.0 (0xD3 = 211) and Windows 2000 (0xF8 = 248). The count is
// build-specific; code sizing tables with SDT_SYMBOLS_MAX should
// still check the live table's limit rather than assume it.
#define SDT_SYMBOLS_NT4 0xD3
#define SDT_SYMBOLS_NT5 0xF8
#define SDT_SYMBOLS_MAX SDT_SYMBOLS_NT5
// -----------------------------------------------------------------
// Size shorthands for the PE structures, following the file's
// convention of a trailing underscore for sizeof().
#define IMAGE_FILE_HEADER_ sizeof (IMAGE_FILE_HEADER)
#define IMAGE_DATA_DIRECTORY_ sizeof (IMAGE_DATA_DIRECTORY)
#define IMAGE_OPTIONAL_HEADER_ sizeof (IMAGE_OPTIONAL_HEADER)
#define IMAGE_NT_HEADERS_ sizeof (IMAGE_NT_HEADERS)
#define IMAGE_EXPORT_DIRECTORY_ sizeof (IMAGE_EXPORT_DIRECTORY)
// -----------------------------------------------------------------
// Sentinel pointer value (all bits set) meaning "no address".
#define INVALID_ADDRESS ((PVOID) -1)
// =================================================================
// INTEL X86 STRUCTURES, PART 1 OF 3
// =================================================================