
// __________________________________________________________
//
//                         w2k_spy.c
//             SBS Windows 2000 Spy Device V1.00
//                08-27-2000 Sven B. Schreiber
//                       sbs@orgon.com
// __________________________________________________________

#define  _W2K_SPY_SYS_
#include <ddk\ntddk.h>
#include "w2k_spy.h"
#define MAXPATHLEN 256
// =================================================================
// DISCLAIMER
// =================================================================

/*

This software is provided "as is" and any express or implied
warranties, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
In no event shall the author Sven B. Schreiber be liable for any
direct, indirect, incidental, special, exemplary, or consequential
damages (including, but not limited to, procurement of substitute
goods or services; loss of use, data, or profits; or business
interruption) however caused and on any theory of liability,
whether in contract, strict liability, or tort (including negligence
or otherwise) arising in any way out of the use of this software,
even if advised of the possibility of such damage.

*/

// =================================================================
// REVISION HISTORY
// =================================================================

/*

08-27-2000 V1.00 Original version (SBS).

*/

// =================================================================
// EXTERNAL VARIABLES
// =================================================================

// Kernel-internal variables resolved at link time against ntoskrnl.exe;
// only their names are known here, the kernel owns the storage.
// PSERVICE_DESCRIPTOR_TABLE is not a DDK type -- it presumably comes from
// w2k_spy.h, included above.
extern PWORD                     NlsAnsiCodePage;
extern PWORD                     NlsOemCodePage;
extern PWORD                     NtBuildNumber;
extern PDWORD                    NtGlobalFlag;
extern PDWORD                    KeI386MachineType;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

// =================================================================
// GLOBAL DATA
// =================================================================

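// Device and symbolic-link names, pre-initialised as UNICODE_STRINGs
// (PRESET_UNICODE_STRING / CSTRING / DRV_* come from w2k_spy.h).
PRESET_UNICODE_STRING (usDeviceName,       CSTRING (DRV_DEVICE));
PRESET_UNICODE_STRING (usSymbolicLinkName, CSTRING (DRV_LINK  ));

// Filled in when the device object is created; NULL until then.
PDEVICE_OBJECT  gpDeviceObject  = NULL;
PDEVICE_CONTEXT gpDeviceContext = NULL;

// Hook state flags and the hook thread handle, all "off" at load time.
BOOL            gfSpyHookState  = FALSE;
BOOL            gfSpyHookPause  = FALSE;
BOOL            gfSpyHookFilter = FALSE;
HANDLE          ghSpyHookThread = 0;

// Shared name buffer. GetFullName() writes up to MAXPATHLEN bytes
// (terminator included, index MAXPATHLEN-1 at most) into the buffer it is
// handed, so this buffer must be MAXPATHLEN long; the former 255-byte size
// was one byte short of that.
char            fullName [MAXPATHLEN];
// File-scope handles; note the function parameters named `pid` below
// shadow the global of the same name.
HANDLE          keyHandle, handle, pid;
// Hex digit lookup for formatting bytes.
BYTE            abHex []        = "0123456789ABCDEF";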

// =================================================================
// DISCARDABLE FUNCTIONS
// =================================================================
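// Resolves the id of the process that owns threadHandle.
//
// Calls NtQueryInformationThread(threadHandle, ThreadBasicInformation,
// &SystemInfo, 28, NULL) and reads THREAD_BASIC_INFORMATION.ClientId
// .UniqueProcess, which sits at offset 8 on 32-bit x86. *pid is written
// only when that call succeeds.
//
// Returns: the NTSTATUS produced by NtQueryInformationThread (the original
// discarded it and always reported STATUS_SUCCESS, so *pid could be garbage).
//
// NOTE(review): the callee is a hard-coded kernel address (804A832Dh) that
// is valid for exactly one ntoskrnl build; on any other build this is a
// wild call into arbitrary kernel memory. Resolving the routine by its
// exported name instead of a fixed address is the real fix and is out of
// scope for this change.
// NOTE(review): calling the Nt* entry directly means the output buffer is
// probed according to the calling thread's previous mode; if this runs in
// the context of a user-mode request the kernel-stack buffer may be
// rejected -- confirm for the call sites.
NTSTATUS GetProcessIdByThreadHandle(HANDLE threadHandle,PHANDLE pid)
{
	NTSTATUS myStatus;                       // return value of the call (eax)
	BYTE     SystemInfo[60];                 // receives THREAD_BASIC_INFORMATION (28 bytes used)
	int      my_NtQueryInformationThread;    // call target, set inside the asm block
	int      infoaddr = (DWORD)&SystemInfo;  // buffer address, pushed as ThreadInformation

	__asm
	{
	mov my_NtQueryInformationThread,804A832Dh
	push 0                                   // ReturnLength = NULL
	push 28                                  // ThreadInformationLength; must equal sizeof(THREAD_BASIC_INFORMATION) = 28 on x86,
	                                         // any other length fails with STATUS_INFO_LENGTH_MISMATCH -- which is why the
	                                         // original author, probing values 10..100 by hand, only saw it work at 28
	push infoaddr                            // ThreadInformation
	push 0                                   // ThreadInformationClass = ThreadBasicInformation
	push threadHandle                        // ThreadHandle
	call my_NtQueryInformationThread         // NtQueryInformationThread(...)
	mov myStatus,eax
	}

	// Do not hand back whatever happens to be in the buffer on failure.
	if( !NT_SUCCESS(myStatus)) return myStatus;

	*pid = *(PHANDLE)(SystemInfo+8);         // ClientId.UniqueProcess
	return STATUS_SUCCESS;
}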
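// Returns the process id (EPROCESS.UniqueProcessId) of the process that
// Handle refers to. *pid is written only on success.
//
// Returns: the ObReferenceObjectByHandle status on failure, else
// STATUS_SUCCESS.
//
// NOTE(review): ObjectType is NULL and AccessMode is KernelMode, so a handle
// to any object type is accepted and no handle access check is performed;
// a non-process handle makes the PEPROCESS cast below read the wrong
// structure. Passing *PsProcessType as the type would reject such handles
// -- verify the symbol is available to this build before relying on it.
NTSTATUS GetProcessIdByHandle(HANDLE Handle,PHANDLE pid)
{
	PVOID     pKey = NULL;
	PEPROCESS peprocess;
	NTSTATUS  ns;

	ns = ObReferenceObjectByHandle( Handle, 0, NULL, KernelMode, &pKey, NULL ) ;
	if( !NT_SUCCESS(ns)) return ns;

	peprocess = (PEPROCESS) pKey;
	*pid = (HANDLE) peprocess->UniqueProcessId;

	// The original never dropped the reference taken above, leaking one
	// object reference on the process per call.
	ObDereferenceObject( pKey );
	return STATUS_SUCCESS;
}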
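// Copies the ANSI file name reached from KeyHandle into fullname, truncated
// to MAXPATHLEN-1 characters plus terminator. fullname must hold at least
// MAXPATHLEN bytes; it is always NUL-terminated on return and is empty
// whenever no name could be obtained.
//
// Returns: the ObReferenceObjectByHandle / RtlUnicodeStringToAnsiString
// status when one of them fails, STATUS_UNSUCCESSFUL when the pointer walk
// faulted (the original reported STATUS_SUCCESS in that case), otherwise
// STATUS_SUCCESS.
NTSTATUS GetFullName(HANDLE KeyHandle,char *fullname)
{
	NTSTATUS    ns;
	PVOID       pKey = NULL, pFile = NULL;
	ANSI_STRING akeyname;
	BOOLEAN     fAnsiAllocated = FALSE;  // akeyname.Buffer owned by us and must be freed
	USHORT      cb;

	fullname[0] = 0x00;

	// NOTE(review): ObjectType is NULL and AccessMode is KernelMode, so any
	// handle type is accepted and handle access rights are not checked.
	ns = ObReferenceObjectByHandle( KeyHandle, 0, NULL, KernelMode, &pKey, NULL ) ;
	if( !NT_SUCCESS(ns)) return ns;

	__try
	{
		// Raw 32-bit structure offsets, kept exactly as in the original.
		// They look like FILE_OBJECT.SectionObjectPointer -> DataSectionObject
		// -> CONTROL_AREA.FilePointer on Windows 2000 x86, i.e. the file
		// object backing a mapped section -- TODO confirm against the target
		// build. A wrong offset is a wild read; the __except below catches it.
		pFile=(PVOID)*(ULONG *)((char *)pKey+20);
		pFile=(PVOID)*(ULONG *)((char *)pFile);
		pFile=(PVOID)*(ULONG *)((char *)pFile+36);

		// The conversion allocates akeyname.Buffer from pool. On failure the
		// string is not initialised, so it must not be freed -- the original
		// called RtlFreeAnsiString regardless of the (unchecked) result.
		ns = RtlUnicodeStringToAnsiString( &akeyname, &((PFILE_OBJECT)pFile)->FileName, TRUE );
		if( !NT_SUCCESS(ns)) __leave;
		fAnsiAllocated = TRUE;

		// Truncate to MAXPATHLEN-1 characters so the terminator lands at
		// fullname[MAXPATHLEN-1] at most; never write past that.
		cb = akeyname.Length;
		if (cb > MAXPATHLEN-1) cb = MAXPATHLEN-1;
		memcpy(fullname, akeyname.Buffer, cb);
		fullname[cb] = 0x00;
	}
	__except(EXCEPTION_EXECUTE_HANDLER)
	{
		// A bad offset or stale pointer faulted part way through: report
		// failure with an empty name rather than success with a partial one.
		fullname[0] = 0x00;
		ns = STATUS_UNSUCCESSFUL;
	}

	if (fAnsiAllocated) RtlFreeAnsiString( &akeyname );
	ObDereferenceObject( pKey );
	return ns;
}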
// Forward declarations so the ALLOC_PRAGMA block below can place both
// routines in the discardable INIT section before their definitions.
NTSTATUS DriverInitialize (PDRIVER_OBJECT  pDriverObject,
                           PUNICODE_STRING pusRegistryPath);

NTSTATUS DriverEntry      (PDRIVER_OBJECT  pDriverObject,
                           PUNICODE_STRING pusRegistryPath);

// -----------------------------------------------------------------

#ifdef ALLOC_PRAGMA

#pragma alloc_text (INIT, DriverInitialize)
#pragma alloc_text (INIT, DriverEntry)

#endif

// =================================================================
// WINDOWS NT 4.0 SYSTEM SERVICE NAMES
// =================================================================
// number of entries must match SDT_SYMBOLS_NT4 in w2k_spy.h

// NT 4.0 system service names: 211 entries followed by a NULL terminator.
// The table is indexed by service number -- presumably matching the NT 4.0
// service descriptor table order; the count must agree with
// SDT_SYMBOLS_NT4 in w2k_spy.h, which nothing here checks at compile time.
// The strings are literals, so the PBYTE entries must never be written to.
PBYTE apbSdtSymbolsNT4 [] =
    {
    "NtAcceptConnectPort",
    "NtAccessCheck",
    "NtAccessCheckAndAuditAlarm",
    "NtAddAtom",
    "NtAdjustGroupsToken",
    "NtAdjustPrivilegesToken",
    "NtAlertResumeThread",
    "NtAlertThread",
    "NtAllocateLocallyUniqueId",
    "NtAllocateUuids",
    "NtAllocateVirtualMemory",
    "NtCallbackReturn",
    "NtCancelIoFile",
    "NtCancelTimer",
    "NtClearEvent",
    "NtClose",
    "NtCloseObjectAuditAlarm",
    "NtCompleteConnectPort",
    "NtConnectPort",
    "NtContinue",
    "NtCreateDirectoryObject",
    "NtCreateEvent",
    "NtCreateEventPair",
    "NtCreateFile",
    "NtCreateIoCompletion",
    "NtCreateKey",
    "NtCreateMailslotFile",
    "NtCreateMutant",
    "NtCreateNamedPipeFile",
    "NtCreatePagingFile",
    "NtCreatePort",
    "NtCreateProcess",
    "NtCreateProfile",
    "NtCreateSection",
    "NtCreateSemaphore",
    "NtCreateSymbolicLinkObject",
    "NtCreateThread",
    "NtCreateTimer",
    "NtCreateToken",
    "NtDelayExecution",
    "NtDeleteAtom",
    "NtDeleteFile",
    "NtDeleteKey",
    "NtDeleteObjectAuditAlarm",
    "NtDeleteValueKey",
    "NtDeviceIoControlFile",
    "NtDisplayString",
    "NtDuplicateObject",
    "NtDuplicateToken",
    "NtEnumerateKey",
    "NtEnumerateValueKey",
    "NtExtendSection",
    "NtFindAtom",
    "NtFlushBuffersFile",
    "NtFlushInstructionCache",
    "NtFlushKey",
    "NtFlushVirtualMemory",
    "NtFlushWriteBuffer",
    "NtFreeVirtualMemory",
    "NtFsControlFile",
    "NtGetContextThread",
    "NtGetPlugPlayEvent",
    "NtGetTickCount",
    "NtImpersonateClientOfPort",
    "NtImpersonateThread",
    "NtInitializeRegistry",
    "NtListenPort",
    "NtLoadDriver",
    "NtLoadKey",
    "NtLoadKey2",
    "NtLockFile",
    "NtLockVirtualMemory",
    "NtMakeTemporaryObject",
    "NtMapViewOfSection",
    "NtNotifyChangeDirectoryFile",
    "NtNotifyChangeKey",
    "NtOpenDirectoryObject",
    "NtOpenEvent",
    "NtOpenEventPair",
    "NtOpenFile",
    "NtOpenIoCompletion",
    "NtOpenKey",
    "NtOpenMutant",
    "NtOpenObjectAuditAlarm",
    "NtOpenProcess",
    "NtOpenProcessToken",
    "NtOpenSection",
    "NtOpenSemaphore",
    "NtOpenSymbolicLinkObject",
    "NtOpenThread",
    "NtOpenThreadToken",
    "NtOpenTimer",
    "NtPlugPlayControl",
    "NtPrivilegeCheck",
    "NtPrivilegedServiceAuditAlarm",
    "NtPrivilegeObjectAuditAlarm",
    "NtProtectVirtualMemory",
    "NtPulseEvent",
    "NtQueryInformationAtom",
    "NtQueryAttributesFile",
    "NtQueryDefaultLocale",
    "NtQueryDirectoryFile",
    "NtQueryDirectoryObject",
    "NtQueryEaFile",
    "NtQueryEvent",
    "NtQueryFullAttributesFile",
    "NtQueryInformationFile",
    "NtQueryIoCompletion",
    "NtQueryInformationPort",
    "NtQueryInformationProcess",
    "NtQueryInformationThread",
    "NtQueryInformationToken",
    "NtQueryIntervalProfile",
    "NtQueryKey",
    "NtQueryMultipleValueKey",
    "NtQueryMutant",
    "NtQueryObject",
    "NtQueryOleDirectoryFile",
    "NtQueryPerformanceCounter",
    "NtQuerySection",
    "NtQuerySecurityObject",
    "NtQuerySemaphore",
    "NtQuerySymbolicLinkObject",
    "NtQuerySystemEnvironmentValue",
    "NtQuerySystemInformation",
    "NtQuerySystemTime",
    "NtQueryTimer",
    "NtQueryTimerResolution",
    "NtQueryValueKey",
    "NtQueryVirtualMemory",
    "NtQueryVolumeInformationFile",
    "NtQueueApcThread",
    "NtRaiseException",
    "NtRaiseHardError",
    "NtReadFile",
    "NtReadFileScatter",
    "NtReadRequestData",
    "NtReadVirtualMemory",
    "NtRegisterThreadTerminatePort",
    "NtReleaseMutant",
    "NtReleaseSemaphore",
    "NtRemoveIoCompletion",
    "NtReplaceKey",
    "NtReplyPort",
    "NtReplyWaitReceivePort",
    "NtReplyWaitReplyPort",
    "NtRequestPort",
    "NtRequestWaitReplyPort",
    "NtResetEvent",
    "NtRestoreKey",
    "NtResumeThread",
    "NtSaveKey",
    "NtSetIoCompletion",
    "NtSetContextThread",
    "NtSetDefaultHardErrorPort",
    "NtSetDefaultLocale",
    "NtSetEaFile",
    "NtSetEvent",
    "NtSetHighEventPair",
    "NtSetHighWaitLowEventPair",
    "NtSetHighWaitLowThread (INT 2B)",
    "NtSetInformationFile",
    "NtSetInformationKey",
    "NtSetInformationObject",
    "NtSetInformationProcess",
    "NtSetInformationThread",
    "NtSetInformationToken",
    "NtSetIntervalProfile",
    "NtSetLdtEntries",
    "NtSetLowEventPair",
    "NtSetLowWaitHighEventPair",
    "NtSetLowWaitHighThread (INT 2C)",
    "NtSetSecurityObject",
    "NtSetSystemEnvironmentValue",
    "NtSetSystemInformation",
    "NtSetSystemPowerState",
    "NtSetSystemTime",
    "NtSetTimer",
    "NtSetTimerResolution",
    "NtSetValueKey",
    "NtSetVolumeInformationFile",
    "NtShutdownSystem",
    "NtSignalAndWaitForSingleObject",
    "NtStartProfile",
    "NtStopProfile",
    "NtSuspendThread",
    "NtSystemDebugControl",
    "NtTerminateProcess",
    "NtTerminateThread",
    "NtTestAlert",
    "NtUnloadDriver",
    "NtUnloadKey",
    "NtUnlockFile",
    "NtUnlockVirtualMemory",
    "NtUnmapViewOfSection",
    "NtVdmControl",
    "NtWaitForMultipleObjects",
    "NtWaitForSingleObject",
    "NtWaitHighEventPair",
    "NtWaitLowEventPair",
    "NtWriteFile",
    "NtWriteFileGather",
    "NtWriteRequestData",
    "NtWriteVirtualMemory",
    "NtCreateChannel",
    "NtListenChannel",
    "NtOpenChannel",
    "NtReplyWaitSendChannel",
    "NtSendWaitReplyChannel",
    "NtSetContextChannel",
    "NtYieldExecution",
    NULL   // terminator, so the table can also be walked without the count
    };

// =================================================================
// WINDOWS 2000 SYSTEM SERVICE NAMES
// =================================================================
// number of entries must match SDT_SYMBOLS_NT5 in w2k_spy.h

PBYTE apbSdtSymbolsNT5 [] =
    {
    "NtAcceptConnectPort",
    "NtAccessCheck",
    "NtAccessCheckAndAuditAlarm",
    "NtAccessCheckByType",
    "NtAccessCheckByTypeAndAuditAlarm",
    "NtAccessCheckByTypeResultList",
    "NtAccessCheckByTypeResultListAndAuditAlarm",
    "NtAccessCheckByTypeResultListAndAuditAlarmByHandle",
    "NtAddAtom",
    "NtAdjustGroupsToken",
    "NtAdjustPrivilegesToken",
    "NtAlertResumeThread",
    "NtAlertThread",
    "NtAllocateLocallyUniqueId",
    "NtAllocateUserPhysicalPages",
    "NtAllocateUuids",
    "NtAllocateVirtualMemory",
    "NtAreMappedFilesTheSame",
    "NtAssignProcessToJobObject",
    "NtCallbackReturn",
    "NtCancelIoFile",
    "NtCancelTimer",
    "NtCancelDeviceWakeupRequest",
    "NtClearEvent",
    "NtClose",
    "NtCloseObjectAuditAlarm",
    "NtCompleteConnectPort",
    "NtConnectPort",
    "NtContinue",
    "NtCreateDirectoryObject",
    "NtCreateEvent",
    "NtCreateEventPair",
    "NtCreateFile",
    "NtCreateIoCompletion",
    "NtCreateJobObject",
    "NtCreateKey",
    "NtCreateMailslotFile",
    "NtCreateMutant",
