"NtCreateNamedPipeFile",
"NtCreatePagingFile",
"NtCreatePort",
"NtCreateProcess",
"NtCreateProfile",
"NtCreateSection",
"NtCreateSemaphore",
"NtCreateSymbolicLinkObject",
"NtCreateThread",
"NtCreateTimer",
"NtCreateToken",
"NtCreateWaitablePort",
"NtDelayExecution",
"NtDeleteAtom",
"NtDeleteFile",
"NtDeleteKey",
"NtDeleteObjectAuditAlarm",
"NtDeleteValueKey",
"NtDeviceIoControlFile",
"NtDisplayString",
"NtDuplicateObject",
"NtDuplicateToken",
"NtEnumerateKey",
"NtEnumerateValueKey",
"NtExtendSection",
"NtFilterToken",
"NtFindAtom",
"NtFlushBuffersFile",
"NtFlushInstructionCache",
"NtFlushKey",
"NtFlushVirtualMemory",
"NtFlushWriteBuffer",
"NtFreeUserPhysicalPages",
"NtFreeVirtualMemory",
"NtFsControlFile",
"NtGetContextThread",
"NtGetDevicePowerState",
"NtGetPlugPlayEvent",
"NtGetTickCount",
"NtGetWriteWatch",
"NtImpersonateAnonymousToken",
"NtImpersonateClientOfPort",
"NtImpersonateThread",
"NtInitializeRegistry",
"NtInitiatePowerAction",
"NtIsSystemResumeAutomatic",
"NtListenPort",
"NtLoadDriver",
"NtLoadKey",
"NtLoadKey2",
"NtLockFile",
"NtLockVirtualMemory",
"NtMakeTemporaryObject",
"NtMapUserPhysicalPages",
"NtMapUserPhysicalPagesScatter",
"NtMapViewOfSection",
"NtNotifyChangeDirectoryFile",
"NtNotifyChangeKey",
"NtNotifyChangeMultipleKeys",
"NtOpenDirectoryObject",
"NtOpenEvent",
"NtOpenEventPair",
"NtOpenFile",
"NtOpenIoCompletion",
"NtOpenJobObject",
"NtOpenKey",
"NtOpenMutant",
"NtOpenObjectAuditAlarm",
"NtOpenProcess",
"NtOpenProcessToken",
"NtOpenSection",
"NtOpenSemaphore",
"NtOpenSymbolicLinkObject",
"NtOpenThread",
"NtOpenThreadToken",
"NtOpenTimer",
"NtPlugPlayControl",
"NtPowerInformation",
"NtPrivilegeCheck",
"NtPrivilegedServiceAuditAlarm",
"NtPrivilegeObjectAuditAlarm",
"NtProtectVirtualMemory",
"NtPulseEvent",
"NtQueryInformationAtom",
"NtQueryAttributesFile",
"NtQueryDefaultLocale",
"NtQueryDefaultUILanguage",
"NtQueryDirectoryFile",
"NtQueryDirectoryObject",
"NtQueryEaFile",
"NtQueryEvent",
"NtQueryFullAttributesFile",
"NtQueryInformationFile",
"NtQueryInformationJobObject",
"NtQueryIoCompletion",
"NtQueryInformationPort",
"NtQueryInformationProcess",
"NtQueryInformationThread",
"NtQueryInformationToken",
"NtQueryInstallUILanguage",
"NtQueryIntervalProfile",
"NtQueryKey",
"NtQueryMultipleValueKey",
"NtQueryMutant",
"NtQueryObject",
"NtQueryOpenSubKeys",
"NtQueryPerformanceCounter",
"NtQueryQuotaInformationFile",
"NtQuerySection",
"NtQuerySecurityObject",
"NtQuerySemaphore",
"NtQuerySymbolicLinkObject",
"NtQuerySystemEnvironmentValue",
"NtQuerySystemInformation",
"NtQuerySystemTime",
"NtQueryTimer",
"NtQueryTimerResolution",
"NtQueryValueKey",
"NtQueryVirtualMemory",
"NtQueryVolumeInformationFile",
"NtQueueApcThread",
"NtRaiseException",
"NtRaiseHardError",
"NtReadFile",
"NtReadFileScatter",
"NtReadRequestData",
"NtReadVirtualMemory",
"NtRegisterThreadTerminatePort",
"NtReleaseMutant",
"NtReleaseSemaphore",
"NtRemoveIoCompletion",
"NtReplaceKey",
"NtReplyPort",
"NtReplyWaitReceivePort",
"NtReplyWaitReceivePortEx",
"NtReplyWaitReplyPort",
"NtRequestDeviceWakeup",
"NtRequestPort",
"NtRequestWaitReplyPort",
"NtRequestWakeupLatency",
"NtResetEvent",
"NtResetWriteWatch",
"NtRestoreKey",
"NtResumeThread",
"NtSaveKey",
"NtSaveMergedKeys",
"NtSecureConnectPort",
"NtSetIoCompletion",
"NtSetContextThread",
"NtSetDefaultHardErrorPort",
"NtSetDefaultLocale",
"NtSetDefaultUILanguage",
"NtSetEaFile",
"NtSetEvent",
"NtSetHighEventPair",
"NtSetHighWaitLowEventPair",
"NtSetInformationFile",
"NtSetInformationJobObject",
"NtSetInformationKey",
"NtSetInformationObject",
"NtSetInformationProcess",
"NtSetInformationThread",
"NtSetInformationToken",
"NtSetIntervalProfile",
"NtSetLdtEntries",
"NtSetLowEventPair",
"NtSetLowWaitHighEventPair",
"NtSetQuotaInformationFile",
"NtSetSecurityObject",
"NtSetSystemEnvironmentValue",
"NtSetSystemInformation",
"NtSetSystemPowerState",
"NtSetSystemTime",
"NtSetThreadExecutionState",
"NtSetTimer",
"NtSetTimerResolution",
"NtSetUuidSeed",
"NtSetValueKey",
"NtSetVolumeInformationFile",
"NtShutdownSystem",
"NtSignalAndWaitForSingleObject",
"NtStartProfile",
"NtStopProfile",
"NtSuspendThread",
"NtSystemDebugControl",
"NtTerminateJobObject",
"NtTerminateProcess",
"NtTerminateThread",
"NtTestAlert",
"NtUnloadDriver",
"NtUnloadKey",
"NtUnlockFile",
"NtUnlockVirtualMemory",
"NtUnmapViewOfSection",
"NtVdmControl",
"NtWaitForMultipleObjects",
"NtWaitForSingleObject",
"NtWaitHighEventPair",
"NtWaitLowEventPair",
"NtWriteFile",
"NtWriteFileGather",
"NtWriteRequestData",
"NtWriteVirtualMemory",
"NtCreateChannel",
"NtListenChannel",
"NtOpenChannel",
"NtReplyWaitSendChannel",
"NtSendWaitReplyChannel",
"NtSetContextChannel",
"NtYieldExecution",
NULL
};
// =================================================================
// SYSTEM SERVICE HOOK FORMAT STRINGS
// =================================================================
// each string must contain the exact function name: SpySearchFormat()
// returns the FIRST entry in which the symbol occurs as a substring (the
// match is not anchored to the "%s=" prefix or the "(" that follows), so
// where one service name is a prefix of another (NtLoadKey / NtLoadKey2)
// the shorter name's entry must be listed first, as it is below.
//"%s=NtResumeThread(%!,%p)",
PBYTE apbSdtFormats [] =
{
// NULL-terminated table of trace formats, one per hooked native service.
// The leading "%s=" takes the caller-supplied prefix; the tokens inside the
// parentheses are argument format codes consumed by the spy's own
// formatter, which is not part of this excerpt (their meaning is not
// documented here). Services without an entry here get no format string.
"%s=NtCreateProcess(%+,%n,%o,%!,%b,%!,%!,%!)",
"%s=NtCancelIoFile(%!,%i)",
"%s=NtClose(%-)",
"%s=NtCreateFile(%+,%n,%o,%i,%l,%n,%n,%n,%n,%p,%n)",
"%s=NtCreateKey(%+,%n,%o,%n,%u,%n,%d)",
"%s=NtDeleteFile(%o)",
"%s=NtDeleteKey(%-)",
"%s=NtDeleteValueKey(%!,%u)",
"%s=NtDeviceIoControlFile(%!,%p,%p,%p,%i,%n,%p,%n,%p,%n)",
"%s=NtEnumerateKey(%!,%n,%n,%p,%n,%d)",
"%s=NtEnumerateValueKey(%!,%n,%n,%p,%n,%d)",
"%s=NtFlushBuffersFile(%!,%i)",
"%s=NtFlushKey(%!)",
"%s=NtFsControlFile(%!,%p,%p,%p,%i,%n,%p,%n,%p,%n)",
// Order matters: the lookup is an unanchored substring search, and
// "NtLoadKey" also occurs inside "NtLoadKey2". Keep NtLoadKey before
// NtLoadKey2 so the shorter symbol resolves to its own entry.
"%s=NtLoadKey(%o,%o)",
"%s=NtLoadKey2(%o,%o,%n)",
"%s=NtNotifyChangeKey(%!,%p,%p,%p,%i,%n,%b,%p,%n,%b)",
"%s=NtNotifyChangeMultipleKeys(%!,%n,%o,%p,%p,%p,%i,%n,%b,%p,%n,%b)",
"%s=NtOpenFile(%+,%n,%o,%i,%n,%n)",
"%s=NtOpenKey(%+,%n,%o)",
"%s=NtOpenProcess(%+,%n,%o,%c)",
"%s=NtOpenThread(%+,%n,%o,%c)",
"%s=NtQueryDirectoryFile(%!,%p,%p,%p,%i,%p,%n,%n,%b,%u,%b)",
"%s=NtQueryInformationFile(%!,%i,%p,%n,%n)",
"%s=NtQueryInformationProcess(%!,%n,%p,%n,%d)",
"%s=NtQueryInformationThread(%!,%n,%p,%n,%d)",
"%s=NtQueryKey(%!,%n,%p,%n,%d)",
"%s=NtQueryMultipleValueKey(%!,%p,%n,%p,%d,%d)",
"%s=NtQueryOpenSubKeys(%o,%d)",
"%s=NtQuerySystemInformation(%n,%p,%n,%d)",
"%s=NtQuerySystemTime(%l)",
"%s=NtQueryValueKey(%!,%u,%n,%p,%n,%d)",
"%s=NtQueryVolumeInformationFile(%!,%i,%p,%n,%n)",
"%s=NtReadFile(%!,%p,%p,%p,%i,%p,%n,%l,%d)",
"%s=NtReplaceKey(%o,%!,%o)",
"%s=NtSetInformationKey(%!,%n,%p,%n)",
"%s=NtSetInformationFile(%!,%i,%p,%n,%n)",
"%s=NtSetInformationProcess(%!,%n,%p,%n)",
"%s=NtSetInformationThread(%!,%n,%p,%n)",
"%s=NtSetSystemInformation(%n,%p,%n)",
"%s=NtSetSystemTime(%l,%l)",
"%s=NtSetValueKey(%!,%u,%n,%n,%p,%n)",
"%s=NtSetVolumeInformationFile(%!,%i,%p,%n,%n)",
"%s=NtUnloadKey(%o)",
"%s=NtWriteFile(%!,%p,%p,%p,%i,%p,%n,%l,%d)",
NULL   // terminator scanned for by SpySearchFormat()
};
// =================================================================
// SYSTEM SERVICE HOOK ENTRIES
// =================================================================
// Per-service hook state, sized by the maximum number of service-table
// symbols. SPY_HOOK_ENTRY and SDT_SYMBOLS_MAX come from a header that is
// not in this excerpt; this is a file-level, mutable, zero-initialised
// array that the hooking code elsewhere fills in.
SPY_HOOK_ENTRY aSpyHooks [SDT_SYMBOLS_MAX];
// =================================================================
// STRING FUNCTIONS
// =================================================================
// Bounded byte-string copy that ALWAYS NUL-terminates when dBuffer > 0
// (unlike strncpy, which may not). At most dBuffer-1 bytes are copied.
// dBuffer is the destination capacity in bytes; when it is 0 nothing is
// written. Neither pointer is checked for NULL, and no probing is done:
// if the source can be a user-mode pointer, the caller must have
// validated it before calling (this routine runs in the driver).
// Returns pbBuffer.
PBYTE strcpyn (PBYTE pbBuffer,
               PBYTE pbData,
               DWORD dBuffer)
{
    DWORD dLimit;
    DWORD n = 0;

    if (dBuffer == 0) return pbBuffer;

    // reserve the last slot for the terminator
    dLimit = dBuffer - 1;
    while ((n < dLimit) && (pbData [n] != 0))
    {
        pbBuffer [n] = pbData [n];
        n++;
    }
    pbBuffer [n] = 0;
    return pbBuffer;
}
// -----------------------------------------------------------------
// 16-bit-unit counterpart of strcpyn: copies at most dBuffer-1 WORDs and
// always writes a terminating 0 WORD when dBuffer > 0. NOTE: dBuffer is a
// count of WORD elements, NOT bytes; passing a byte size would allow a
// two-fold overrun of the destination. No NULL check or user-pointer
// probing is done here.
// Returns pwBuffer.
PWORD wcscpyn (PWORD pwBuffer,
               PWORD pwData,
               DWORD dBuffer)
{
    DWORD dLimit;
    DWORD n = 0;

    if (dBuffer == 0) return pwBuffer;

    // last element is reserved for the terminator
    dLimit = dBuffer - 1;
    while ((n < dLimit) && (pwData [n] != 0))
    {
        pwBuffer [n] = pwData [n];
        n++;
    }
    pwBuffer [n] = 0;
    return pwBuffer;
}
// =================================================================
// MEMORY MANAGEMENT
// =================================================================
// Allocates dSize bytes of tagged PagedPool memory (a zero request is
// rounded up to one byte so the allocator is never asked for 0 bytes).
// Returns NULL if the pool allocation fails -- callers must check.
// The block is NOT zero-filled; if any of it is ever copied back to
// user mode, the caller must initialise it first to avoid leaking stale
// kernel data. NOTE(review): paged pool may only be touched at IRQL
// below DISPATCH_LEVEL -- confirm that holds at every hook call site.
PVOID SpyMemoryCreate (DWORD dSize)
{
    DWORD dBytes = (dSize != 0) ? dSize : 1;
    return ExAllocatePoolWithTag (PagedPool, dBytes, SPY_TAG);
}
// -----------------------------------------------------------------
// Releases a block obtained from SpyMemoryCreate. NULL is accepted and
// ignored. Always returns NULL so callers can write
//   p = SpyMemoryDestroy (p);
// and thereby clear their pointer, preventing a later double free or
// use-after-free of the same block.
PVOID SpyMemoryDestroy (PVOID pData)
{
    if (pData == NULL) return NULL;
    ExFreePool (pData);
    return NULL;
}
// =================================================================
// SHIFT/AND SEARCH ENGINE
// =================================================================
// Rewinds the shift-and matcher so the next SpySearchTest() call starts a
// fresh scan: clears the match-state bits and the byte counter, and marks
// "no hit yet" with dHit = MAXDWORD. The pattern tables set up by
// SpySearchNew() are left untouched.
void SpySearchReset (PSPY_SEARCH pss)
{
    pss->dHit  = MAXDWORD;
    pss->dNext = 0;
    pss->qTest = 0;
}
// -----------------------------------------------------------------
// Prepares a shift-and (bitap) search for the NUL-terminated byte pattern
// pbPattern. For every byte value, aqFlags[b] gets bit i set for each
// position i at which b occurs in the pattern; qMask is the bit of the
// pattern's last position. Because the state lives in one QWORD the
// pattern is limited to 64 bytes: the loop stops when the position bit
// shifts out, and a longer pattern makes the function return FALSE.
// An empty pattern also returns FALSE (and leaves qMask = 0, which
// disables SpySearchTest()). The table is indexed by unsigned bytes, so
// every pattern byte maps inside the 256-entry table.
// Returns TRUE if the whole pattern fitted and was non-empty.
BOOL SpySearchNew (PSPY_SEARCH pss,
                   PBYTE pbPattern)
{
    PQWORD pqFlags = pss->aqFlags;
    QWORD  qBit;
    DWORD  dLen;
    DWORD  i;

    for (i = 0; i < 256; i++) pqFlags [i] = 0;

    // one bit per pattern position, until the text ends or bit 63 is passed
    qBit = 1;
    dLen = 0;
    while (pbPattern [dLen] && qBit)
    {
        pqFlags [pbPattern [dLen]] |= qBit;
        dLen++;
        qBit <<= 1;
    }

    // qBit is now one past the last position; when it wrapped to zero the
    // last position was bit 63
    pss->qMask  = qBit ? (qBit >> 1) : ((QWORD) 1 << 63);
    pss->dBytes = dLen;
    SpySearchReset (pss);

    return (dLen != 0) && (pbPattern [dLen] == 0);
}
// -----------------------------------------------------------------
// Feeds one text byte into the shift-and matcher. Bit i of qTest means
// "the first i+1 pattern bytes match the text ending at this byte"; the
// pattern is found when the bit selected by qMask becomes set. On a hit,
// dHit is set to the offset of the match start (bytes seen so far minus
// pattern length), the state is cleared so scanning may continue, and
// TRUE is returned. Does nothing and returns FALSE when no usable
// pattern was installed (qMask == 0).
BOOL SpySearchTest (PSPY_SEARCH pss,
                    BYTE bData)
{
    if (pss->qMask == 0) return FALSE;

    // shift in a fresh "empty prefix" bit, keep only positions where
    // this byte is allowed
    pss->qTest = ((pss->qTest << 1) | 1) & pss->aqFlags [bData];
    pss->dNext++;

    if ((pss->qTest & pss->qMask) == 0) return FALSE;

    pss->qTest = 0;
    pss->dHit  = pss->dNext - pss->dBytes;
    return TRUE;
}
// -----------------------------------------------------------------
// Scans the NUL-terminated string pbText for the pattern installed by
// SpySearchNew(), restarting the matcher first. Stops at the first
// occurrence (pss->dHit then holds its offset) and returns TRUE; returns
// FALSE if the text ends without a match. This is an unanchored
// substring test -- the pattern may appear anywhere in pbText.
BOOL SpySearchText (PSPY_SEARCH pss,
                    PBYTE pbText)
{
    PBYTE pb = pbText;

    SpySearchReset (pss);
    while (*pb)
    {
        if (SpySearchTest (pss, *pb)) return TRUE;
        pb++;
    }
    return FALSE;
}
// -----------------------------------------------------------------
// Looks up the trace format string for a service name: returns the first
// entry of the NULL-terminated table ppbFormats that contains pbSymbol as
// a substring, or NULL if there is none or if pbSymbol cannot be used as
// a pattern (empty, or longer than 64 bytes -- see SpySearchNew()).
// Because the match is unanchored, a symbol that is a prefix of another
// service name (NtLoadKey vs. NtLoadKey2) would also match the longer
// name's entry; the table must list the shorter name first for this
// lookup to pick the right one.
PBYTE SpySearchFormat (PBYTE pbSymbol,
                       PPBYTE ppbFormats)
{
    SPY_SEARCH ss;
    PBYTE      pbMatch = NULL;
    DWORD      i;

    if (!SpySearchNew (&ss, pbSymbol)) return NULL;

    for (i = 0; ppbFormats [i] != NULL; i++)
    {
        if (SpySearchText (&ss, ppbFormats [i]))
        {
            pbMatch = ppbFormats [i];
            break;
        }
    }
    return pbMatch;
}
// =================================================================
// SELECTORS, DESCRIPTORS, GATES, AND SEGMENTS
// =================================================================
BOOL SpySelector (DWORD dSegment,
DWORD dSelector,
PX86_SELECTOR pSelector)
{
X86_SELECTOR Selector = {0, 0};
BOOL fOk = FALSE;
if (pSelector != NULL)
{
fOk = TRUE;
switch (dSegment)
{
case X86_SEGMENT_OTHER:
{
if (fOk = ((dSelector >> X86_SELECTOR_SHIFT)
<= X86_SELECTOR_LIMIT))
{
Selector.wValue = (WORD) dSelector;
}
break;
}