// Segment-selector field helpers (IA-32 selector layout).
// Only the TI bit and the index field get names here; the RPL bits (0..1)
// have no macro in this block.
#define X86_SELECTOR_TI 0x0004            // bit 2: table indicator (0 = GDT, 1 = LDT)
#define X86_SELECTOR_INDEX 0xFFF8         // bits 3..15: descriptor index field
#define X86_SELECTOR_SHIFT 3              // shift that turns the INDEX field into a number
// Largest index a selector can carry: 0xFFF8 >> 3 == 0x1FFF (8191).
// Useful as an upper bound when walking a GDT/LDT with a selector-derived index.
#define X86_SELECTOR_LIMIT (X86_SELECTOR_INDEX >> \
X86_SELECTOR_SHIFT)
// -----------------------------------------------------------------
// Type codes of system descriptors (descriptor S bit clear), matching the
// IA-32 encoding: 0x1..0x7 are the 16-bit forms, 0x9..0xF the 32-bit forms.
// 0x0, 0x8, 0xA and 0xD are reserved in the architecture and have no name here.
// The "A"/"B" suffixes on the TSS codes follow the available/busy pair
// (1/3 for 16-bit, 9/B for 32-bit).
#define X86_DESCRIPTOR_SYS_TSS16A 0x1     // 16-bit TSS, available
#define X86_DESCRIPTOR_SYS_LDT 0x2        // LDT
#define X86_DESCRIPTOR_SYS_TSS16B 0x3     // 16-bit TSS, busy
#define X86_DESCRIPTOR_SYS_CALL16 0x4     // 16-bit call gate
#define X86_DESCRIPTOR_SYS_TASK 0x5       // task gate
#define X86_DESCRIPTOR_SYS_INT16 0x6      // 16-bit interrupt gate
#define X86_DESCRIPTOR_SYS_TRAP16 0x7     // 16-bit trap gate
#define X86_DESCRIPTOR_SYS_TSS32A 0x9     // 32-bit TSS, available
#define X86_DESCRIPTOR_SYS_TSS32B 0xB     // 32-bit TSS, busy
#define X86_DESCRIPTOR_SYS_CALL32 0xC     // 32-bit call gate
#define X86_DESCRIPTOR_SYS_INT32 0xE      // 32-bit interrupt gate
#define X86_DESCRIPTOR_SYS_TRAP32 0xF     // 32-bit trap gate
// -----------------------------------------------------------------
// Type-field bits of application (code/data) descriptors.
// Bits 0x2 and 0x4 are deliberately defined twice: their meaning depends on
// the CODE bit (0x8). For a data segment 0x2 = writable and 0x4 = expand-down;
// for a code segment 0x2 = readable and 0x4 = conforming. Test
// X86_DESCRIPTOR_APP_CODE first, then pick the matching name.
#define X86_DESCRIPTOR_APP_ACCESSED 0x1      // set by the CPU on first use
#define X86_DESCRIPTOR_APP_READ_WRITE 0x2    // data segment: writable
#define X86_DESCRIPTOR_APP_EXECUTE_READ 0x2  // code segment: readable
#define X86_DESCRIPTOR_APP_EXPAND_DOWN 0x4   // data segment: expand-down
#define X86_DESCRIPTOR_APP_CONFORMING 0x4    // code segment: conforming
#define X86_DESCRIPTOR_APP_CODE 0x8          // 1 = code segment, 0 = data segment
// =================================================================
// SPY STRUCTURES
// =================================================================
// Driver version record returned to the caller.
// SPY_NAME is defined outside this header; awName is an array of 16-bit
// units (presumably a wide-character name, NUL-terminated by the writer —
// confirm in the driver). The trailing-underscore macro is this file's
// convention for sizeof(<type>).
typedef struct _SPY_VERSION_INFO
{
DWORD dVersion;               // version number
WORD awName [SPY_NAME];       // name buffer, SPY_NAME 16-bit units
}
SPY_VERSION_INFO, *PSPY_VERSION_INFO, **PPSPY_VERSION_INFO;
#define SPY_VERSION_INFO_ sizeof (SPY_VERSION_INFO)
// -----------------------------------------------------------------
// Snapshot of system constants the driver reports about the running OS.
// Field meanings below are taken from the field names only; the routine
// that fills this block is not in this header, so confirm against it before
// relying on any particular value.
typedef struct _SPY_OS_INFO
{
// page-table geometry: sizes, shifts and masks for page / PTE / PDE indices
DWORD dPageSize;
DWORD dPageShift;
DWORD dPtiShift;
DWORD dPdiShift;
DWORD dPageMask;
DWORD dPtiMask;
DWORD dPdiMask;
// base addresses of the PTE and PDE arrays (PX86_PE is declared elsewhere)
PX86_PE PteArray;
PX86_PE PdeArray;
// user / system address-space boundaries and well-known kernel blocks
PVOID pLowestUserAddress;
PVOID pThreadEnvironmentBlock;
PVOID pHighestUserAddress;
PVOID pUserProbeAddress;
PVOID pSystemRangeStart;
PVOID pLowestSystemAddress;
PVOID pSharedUserData;
PVOID pProcessorControlRegion;
PVOID pProcessorControlBlock;
// miscellaneous kernel globals
DWORD dGlobalFlag;
DWORD dI386MachineType;
DWORD dNumberProcessors;
DWORD dProductType;
DWORD dBuildNumber;
DWORD dNtMajorVersion;
DWORD dNtMinorVersion;
WORD awNtSystemRoot [MAX_PATH];   // system root, MAX_PATH 16-bit units
}
SPY_OS_INFO, *PSPY_OS_INFO, **PPSPY_OS_INFO;
#define SPY_OS_INFO_ sizeof (SPY_OS_INFO)
// -----------------------------------------------------------------
// A resolved segment: the selector, the descriptor it names, and the base /
// limit decoded from that descriptor. fOk is the validity flag for the
// decoded fields; readers should check it before trusting pBase / dLimit.
// X86_SELECTOR and X86_DESCRIPTOR are declared elsewhere.
typedef struct _SPY_SEGMENT
{
X86_SELECTOR Selector;        // selector that was looked up
X86_DESCRIPTOR Descriptor;    // descriptor fetched for it
PVOID pBase;                  // decoded segment base
DWORD dLimit;                 // decoded segment limit
BOOL fOk;                     // nonzero when the lookup succeeded
}
SPY_SEGMENT, *PSPY_SEGMENT, **PPSPY_SEGMENT;
#define SPY_SEGMENT_ sizeof (SPY_SEGMENT)
// -----------------------------------------------------------------
// A resolved IDT entry: the gate, the segment its selector refers to and the
// handler offset. fOk here is the flag for this record; the nested
// Segment carries its own fOk, so a fully valid entry has both set.
// X86_GATE is declared elsewhere.
typedef struct _SPY_INTERRUPT
{
X86_SELECTOR Selector;        // selector taken from the gate
X86_GATE Gate;                // the gate descriptor itself
SPY_SEGMENT Segment;          // segment named by Selector
PVOID pOffset;                // handler offset within that segment
BOOL fOk;                     // nonzero when the lookup succeeded
}
SPY_INTERRUPT, *PSPY_INTERRUPT, **PPSPY_INTERRUPT;
#define SPY_INTERRUPT_ sizeof (SPY_INTERRUPT)
// -----------------------------------------------------------------
// Snapshot of the processor state visible to the driver: control registers,
// the six segment registers plus the task register, and the descriptor
// tables. Only the LDT *selector* is recorded, not the LDT itself.
// NOTE(review): the snapshot is per-CPU state; on a multiprocessor it
// describes whichever processor ran the request — confirm in the driver.
// X86_REGISTER and X86_TABLE are declared elsewhere.
typedef struct _SPY_CPU_INFO
{
X86_REGISTER cr0;             // control register 0
X86_REGISTER cr2;             // control register 2 (last page-fault address)
X86_REGISTER cr3;             // control register 3 (page-directory base)
SPY_SEGMENT cs;               // code segment
SPY_SEGMENT ds;               // data segment
SPY_SEGMENT es;
SPY_SEGMENT fs;
SPY_SEGMENT gs;
SPY_SEGMENT ss;               // stack segment
SPY_SEGMENT tss;              // task register / current TSS
X86_TABLE idt;                // interrupt descriptor table (base + limit)
X86_TABLE gdt;                // global descriptor table (base + limit)
X86_SELECTOR ldt;             // LDT selector only
}
SPY_CPU_INFO, *PSPY_CPU_INFO, **PPSPY_CPU_INFO;
#define SPY_CPU_INFO_ sizeof (SPY_CPU_INFO)
// -----------------------------------------------------------------
// A full copy of the page-directory entries, X86_PAGES_4M of them
// (X86_PAGES_4M and X86_PE are defined elsewhere). Returned to the caller as
// one block, so its size is fixed at SPY_PDE_ARRAY_.
typedef struct _SPY_PDE_ARRAY
{
X86_PE apde [X86_PAGES_4M];   // one entry per 4 MB page directory slot
}
SPY_PDE_ARRAY, *PSPY_PDE_ARRAY, **PPSPY_PDE_ARRAY;
#define SPY_PDE_ARRAY_ sizeof (SPY_PDE_ARRAY)
// -----------------------------------------------------------------
// One page-table or page-directory entry together with the size of the
// region it maps and a presence flag. fPresent is the driver's verdict, so
// a reader should consult it rather than re-deriving presence from pe.
typedef struct _SPY_PAGE_ENTRY
{
X86_PE pe;                    // the raw entry
DWORD dSize;                  // bytes covered by this entry
BOOL fPresent;                // nonzero when the mapping is present
}
SPY_PAGE_ENTRY, *PSPY_PAGE_ENTRY, **PPSPY_PAGE_ENTRY;
#define SPY_PAGE_ENTRY_ sizeof (SPY_PAGE_ENTRY)
// -----------------------------------------------------------------
// Address/length pair describing a range of memory. The anonymous union
// lets the same address be used as a byte pointer (pbAddress) or an
// untyped pointer (pAddress) without casts.
// NOTE(review): when this arrives from user mode it names an arbitrary
// range; the consumer must validate the address and dBytes (and handle
// dBytes == 0) before touching it — nothing in the type does that.
typedef struct _SPY_MEMORY_BLOCK
{
union
{
PBYTE pbAddress;              // range start, byte view
PVOID pAddress;               // range start, untyped view
};
DWORD dBytes;                 // range length in bytes
}
SPY_MEMORY_BLOCK, *PSPY_MEMORY_BLOCK, **PPSPY_MEMORY_BLOCK;
#define SPY_MEMORY_BLOCK_ sizeof (SPY_MEMORY_BLOCK)
// -----------------------------------------------------------------
// Variable-length memory dump: a SPY_MEMORY_BLOCK header followed by _n
// 16-bit data units. SPY_MEMORY_DATA_N(_n) declares the struct for a given
// _n; SPY_MEMORY_DATA is the _n == 0 instance used as the generic header
// type. awData[0] is a zero-length array, which is a compiler extension
// rather than standard C (a C99 flexible array member would be awData[]).
// Do not put // comments on the continuation lines below — the backslash
// splice would fold the next line into the comment.
#define SPY_MEMORY_DATA_N(_n) \
struct _SPY_MEMORY_DATA_##_n \
{ \
SPY_MEMORY_BLOCK smb; \
WORD awData [_n]; \
}
typedef SPY_MEMORY_DATA_N (0)
SPY_MEMORY_DATA, *PSPY_MEMORY_DATA, **PPSPY_MEMORY_DATA;
#define SPY_MEMORY_DATA_ sizeof (SPY_MEMORY_DATA)
// Byte count of a dump holding _n units: header size plus _n * WORD_
// (WORD_ is defined elsewhere, presumably sizeof(WORD)). This is the number
// of bytes actually used, not sizeof(SPY_MEMORY_DATA_N(_n)): for odd _n the
// real struct is padded up to its alignment, so size buffers with this macro
// and index awData, rather than taking sizeof on a concrete _N type.
#define SPY_MEMORY_DATA__(_n) (SPY_MEMORY_DATA_ + ((_n) * WORD_))
// Each awData unit packs one byte (low 8 bits) plus a validity bit (0x0100),
// so a reader can tell an unreadable byte from a byte that happens to be 0.
#define SPY_MEMORY_DATA_BYTE 0x00FF       // data byte mask
#define SPY_MEMORY_DATA_VALID 0x0100      // set when the byte could be read
#define SPY_MEMORY_DATA_VALUE(_b,_v) \
((WORD) (((_b) & SPY_MEMORY_DATA_BYTE ) | \
((_v) ? SPY_MEMORY_DATA_VALID : 0)))
// -----------------------------------------------------------------
// Result of resolving a handle: the object body it refers to and the
// handle's attribute bits. A kernel pointer is handed back here, so callers
// that forward it to user mode should be aware of that exposure.
typedef struct _SPY_HANDLE_INFO
{
PVOID pObjectBody;            // kernel object the handle points at
DWORD dHandleAttributes;      // handle attribute flags
}
SPY_HANDLE_INFO, *PSPY_HANDLE_INFO, **PPSPY_HANDLE_INFO;
#define SPY_HANDLE_INFO_ sizeof (SPY_HANDLE_INFO)
// -----------------------------------------------------------------
// One hook slot: the handler routine and a byte string describing its
// arguments. NTPROC is declared elsewhere. pbFormat is presumably a
// format/argument descriptor consumed when a call is logged — confirm in the
// hook dispatcher, which is not in this header.
typedef struct _SPY_HOOK_ENTRY
{
NTPROC Handler;               // routine installed for this service
PBYTE pbFormat;               // argument format descriptor
}
SPY_HOOK_ENTRY, *PSPY_HOOK_ENTRY, **PPSPY_HOOK_ENTRY;
#define SPY_HOOK_ENTRY_ sizeof (SPY_HOOK_ENTRY)
// -----------------------------------------------------------------
// Context of one intercepted call. adParameters holds the result in slot 0
// followed by up to 256 parameters, so dParameters must never exceed 256
// and the parameter i lives at adParameters[1 + i]; whoever fills the
// record has to enforce that bound, the type does not. fInUse marks a live
// slot in DEVICE_CONTEXT.SpyCalls.
typedef struct _SPY_CALL
{
BOOL fInUse; // set if used entry
HANDLE hThread; // id of calling thread
HANDLE processId; // processId
PSPY_HOOK_ENTRY pshe; // associated hook entry
PVOID pCaller; // caller's return address
DWORD dParameters; // number of parameters (<= 256)
DWORD adParameters [1+256]; // [0] = result, [1..dParameters] = parameters
}
SPY_CALL, *PSPY_CALL, **PPSPY_CALL;
#define SPY_CALL_ sizeof (SPY_CALL)
// -----------------------------------------------------------------
// Header of the logging protocol buffer: a start timestamp, read/write
// cursors into the data area, and running counts. dRead and dWrite are
// indices into SPY_PROTOCOL.abData and dName into SPY_PROTOCOL.awNames;
// the producer and consumer must keep them within those arrays.
typedef struct _SPY_HEADER
{
LARGE_INTEGER liStart; // start time
DWORD dRead; // read data index
DWORD dWrite; // write data index
DWORD dCalls; // api usage count
DWORD dHandles; // handle count
DWORD dName; // object name index
}
SPY_HEADER, *PSPY_HEADER, **PPSPY_HEADER;
#define SPY_HEADER_ sizeof (SPY_HEADER)
// -----------------------------------------------------------------
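// Process record: a handle, the process id and a fixed-size name buffer.
// Brought in line with the other records in this header by adding the
// double-pointer typedef and the sizeof() macro the rest of the file uses.
// NOTE(review): processName is a raw BYTE array; nothing guarantees a
// terminating NUL, so the writer must bound the copy to sizeof processName
// and terminate it, and readers must not assume a C string.
typedef struct _PROCESS_INFO
{
HANDLE handle;                // process handle
HANDLE pid;                   // process id (kept as HANDLE, as in SPY_CALL)
BYTE processName[255];        // name bytes, not guaranteed NUL-terminated
}
PROCESS_INFO,*PPROCESS_INFO, **PPPROCESS_INFO;
#define PROCESS_INFO_ sizeof (PROCESS_INFO)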
// The logging protocol block shared between driver and client: a header,
// parallel per-handle arrays (SPY_HANDLES entries each, indexed together),
// a name-string pool and the raw data area. SPY_HANDLES, SPY_NAME_BUFFER and
// SPY_DATA_BUFFER are defined elsewhere. adNames holds offsets into awNames;
// sh.dRead / sh.dWrite index abData — all of these are bounds the code that
// fills and drains the block has to enforce.
typedef struct _SPY_PROTOCOL
{
SPY_HEADER sh; // protocol header
HANDLE ahProcesses [SPY_HANDLES]; // process id array
HANDLE ahObjects [SPY_HANDLES]; // handle array
DWORD adNames [SPY_HANDLES]; // name offsets into awNames
WORD awNames [SPY_NAME_BUFFER]; // name strings, 16-bit units
BYTE abData [SPY_DATA_BUFFER]; // protocol data
}
SPY_PROTOCOL, *PSPY_PROTOCOL, **PPSPY_PROTOCOL;
#define SPY_PROTOCOL_ sizeof (SPY_PROTOCOL)
// -----------------------------------------------------------------
// State of the system-service hooking: pointers to the live call / protocol
// blocks, the kernel's service descriptor table (pointer and a copy), and
// three parallel tables of SDT_SYMBOLS_MAX slots. ServiceLimit is the number
// of services; it must be clamped to SDT_SYMBOLS_MAX before the tables are
// filled or copied, otherwise the copy overruns them.
// PSERVICE_DESCRIPTOR_TABLE / SERVICE_DESCRIPTOR_TABLE / SDT_SYMBOLS_MAX
// are declared elsewhere.
typedef struct _SPY_HOOK_INFO
{
SPY_HEADER sh;                            // protocol header snapshot
PSPY_CALL psc;                            // call-context array
PSPY_PROTOCOL psp;                        // protocol block
PSERVICE_DESCRIPTOR_TABLE psdt;           // kernel SDT address
SERVICE_DESCRIPTOR_TABLE sdt;             // copy of the SDT
DWORD ServiceLimit;                       // number of services (<= SDT_SYMBOLS_MAX)
NTPROC ServiceTable [SDT_SYMBOLS_MAX];    // original service entry points
BYTE ArgumentTable [SDT_SYMBOLS_MAX];     // per-service argument sizes
SPY_HOOK_ENTRY SpyHooks [SDT_SYMBOLS_MAX];// per-service hook entries
}
SPY_HOOK_INFO, *PSPY_HOOK_INFO, **PPSPY_HOOK_INFO;
#define SPY_HOOK_INFO_ sizeof (SPY_HOOK_INFO)
// -----------------------------------------------------------------
// One loaded kernel module: image base and size, flags, load-list index and
// load count, plus the path. dNameOffset is presumably the offset of the
// file-name part within abPath — confirm in the code that fills it.
// MAXIMUM_FILENAME_LENGTH is defined elsewhere; abPath is a byte buffer, so
// NUL termination is the writer's responsibility.
typedef struct _SPY_MODULE_INFO
{
PVOID pBase;                  // image base address
DWORD dSize;                  // image size in bytes
DWORD dFlags;                 // module flags
DWORD dIndex;                 // position in the module list
DWORD dLoadCount;             // load reference count
DWORD dNameOffset;            // offset of the name within abPath
BYTE abPath [MAXIMUM_FILENAME_LENGTH];   // module path bytes
}
SPY_MODULE_INFO, *PSPY_MODULE_INFO, **PPSPY_MODULE_INFO;
#define SPY_MODULE_INFO_ sizeof (SPY_MODULE_INFO)
// -----------------------------------------------------------------
// Request to have the driver invoke a routine: an entry point, a symbol
// name, the argument bytes and a fastcall flag.
// NOTE(review): as an input block this hands the driver an arbitrary
// address and an arbitrary argument blob. Any caller who can open the
// device can therefore run code in kernel mode; the dispatcher (not in
// this header) must restrict who can open the device, probe/capture
// pArguments for dArgumentBytes before use, and validate pEntryPoint /
// pbSymbol — nothing in the type does any of that.
typedef struct _SPY_CALL_INPUT
{
BOOL fFastCall;               // nonzero: use the fastcall convention
DWORD dArgumentBytes;         // size of the block at pArguments
PVOID pArguments;             // argument bytes supplied by the caller
PBYTE pbSymbol;               // symbol name, byte string
PVOID pEntryPoint;            // address to call
}
SPY_CALL_INPUT, *PSPY_CALL_INPUT, **PPSPY_CALL_INPUT;
#define SPY_CALL_INPUT_ sizeof (SPY_CALL_INPUT)
// -----------------------------------------------------------------
// Result of a SPY_CALL_INPUT request: the callee's return value as a
// 64-bit unsigned quantity (wide enough for an EDX:EAX pair).
typedef struct _SPY_CALL_OUTPUT
{
ULARGE_INTEGER uliResult;     // return value of the invoked routine
}
SPY_CALL_OUTPUT, *PSPY_CALL_OUTPUT, **PPSPY_CALL_OUTPUT;
#define SPY_CALL_OUTPUT_ sizeof (SPY_CALL_OUTPUT)
// -----------------------------------------------------------------
// Memory-search state. Presumably a byte-pattern search: one 64-bit flag
// word per possible byte value (256 of them), a mask/test pair compared
// against the accumulated flags, and the current position, last hit and
// byte count. The search routine is not in this header — confirm the exact
// algorithm there before relying on this description. QWORD is declared
// elsewhere.
typedef struct _SPY_SEARCH
{
QWORD aqFlags [256];          // per-byte-value flag words
QWORD qMask;                  // bits that take part in the comparison
QWORD qTest;                  // expected value under qMask
DWORD dNext;                  // next position to examine
DWORD dHit;                   // position of the last match
DWORD dBytes;                 // number of bytes in the search range
}
SPY_SEARCH, *PSPY_SEARCH, **PPSPY_SEARCH;
#define SPY_SEARCH_ sizeof (SPY_SEARCH)
// =================================================================
// DEVICE CONTEXT
// =================================================================
#ifdef _W2K_SPY_SYS_
// Per-device state of the kernel-mode driver (only compiled with
// _W2K_SPY_SYS_). Holds the driver/device objects, two mutexes, counters
// and the pool of SPY_CALLS call contexts plus the protocol block. Which
// fields each mutex guards is decided by the dispatcher, not here; the
// names suggest kmDispatch serialises IOCTL handling and kmProtocol the
// SpyProtocol block — confirm in the driver. SpyCalls slots are claimed via
// SPY_CALL.fInUse; dMisses presumably counts requests that found no free
// slot.
typedef struct _DEVICE_CONTEXT
{
PDRIVER_OBJECT pDriverObject; // driver object ptr
PDEVICE_OBJECT pDeviceObject; // device object ptr
KMUTEX kmDispatch; // ioctl dispatch mutex
KMUTEX kmProtocol; // protocol access mutex
DWORD dLevel; // nesting level
DWORD dMisses; // number of misses
SPY_CALL SpyCalls [SPY_CALLS]; // api call contexts
SPY_PROTOCOL SpyProtocol; // protocol control block
}
DEVICE_CONTEXT, *PDEVICE_CONTEXT, **PPDEVICE_CONTEXT;
#define DEVICE_CONTEXT_ sizeof (DEVICE_CONTEXT)
#endif // #ifdef _W2K_SPY_SYS_
////////////////////////////////////////////////////////////////////
#endif // #ifndef _RC_PASS_
////////////////////////////////////////////////////////////////////
// =================================================================
// END OF FILE
// =================================================================