📄 w2k_spy.c
字号:
case X86_SEGMENT_CS:
{
__asm mov Selector.wValue, cs
break;
}
case X86_SEGMENT_DS:
{
__asm mov Selector.wValue, ds
break;
}
case X86_SEGMENT_ES:
{
__asm mov Selector.wValue, es
break;
}
case X86_SEGMENT_FS:
{
__asm mov Selector.wValue, fs
break;
}
case X86_SEGMENT_GS:
{
__asm mov Selector.wValue, gs
break;
}
case X86_SEGMENT_SS:
{
__asm mov Selector.wValue, ss
break;
}
case X86_SEGMENT_TSS:
{
__asm str Selector.wValue
break;
}
default:
{
fOk = FALSE;
break;
}
}
RtlCopyMemory (pSelector, &Selector, X86_SELECTOR_);
}
return fOk;
}
// -----------------------------------------------------------------
PVOID SpyDescriptorBase (PX86_DESCRIPTOR pDescriptor)
{
return (PVOID) ((pDescriptor->Base1 ) |
(pDescriptor->Base2 << 16) |
(pDescriptor->Base3 << 24));
}
// -----------------------------------------------------------------
DWORD SpyDescriptorLimit (PX86_DESCRIPTOR pDescriptor)
{
return (pDescriptor->G ? (pDescriptor->Limit1 << 12) |
(pDescriptor->Limit2 << 28) | 0xFFF
: (pDescriptor->Limit1 ) |
(pDescriptor->Limit2 << 16));
}
// -----------------------------------------------------------------
DWORD SpyDescriptorType (PX86_DESCRIPTOR pDescriptor,
PBOOL pfSystem)
{
if (pfSystem != NULL) *pfSystem = !pDescriptor->S;
return pDescriptor->Type;
}
// -----------------------------------------------------------------
BOOL SpyDescriptor (PX86_SELECTOR pSelector,
PX86_DESCRIPTOR pDescriptor)
{
X86_SELECTOR ldt;
X86_TABLE gdt;
DWORD dType, dLimit;
BOOL fSystem;
PX86_DESCRIPTOR pDescriptors = NULL;
BOOL fOk = FALSE;
if (pDescriptor != NULL)
{
if (pSelector != NULL)
{
if (pSelector->TI) // ldt descriptor
{
__asm
{
sldt ldt.wValue
sgdt gdt.wLimit
}
if ((!ldt.TI) && ldt.Index &&
((ldt.wValue & X86_SELECTOR_INDEX)
<= gdt.wLimit))
{
dType = SpyDescriptorType (gdt.pDescriptors +
ldt.Index,
&fSystem);
dLimit = SpyDescriptorLimit (gdt.pDescriptors +
ldt.Index);
if (fSystem && (dType == X86_DESCRIPTOR_SYS_LDT)
&&
((DWORD) (pSelector->wValue
& X86_SELECTOR_INDEX)
<= dLimit))
{
pDescriptors =
SpyDescriptorBase (gdt.pDescriptors +
ldt.Index);
}
}
}
else // gdt descriptor
{
if (pSelector->Index)
{
__asm
{
sgdt gdt.wLimit
}
if ((pSelector->wValue & X86_SELECTOR_INDEX)
<= gdt.wLimit)
{
pDescriptors = gdt.pDescriptors;
}
}
}
}
if (pDescriptors != NULL)
{
RtlCopyMemory (pDescriptor,
pDescriptors + pSelector->Index,
X86_DESCRIPTOR_);
fOk = TRUE;
}
else
{
RtlZeroMemory (pDescriptor,
X86_DESCRIPTOR_);
}
}
return fOk;
}
// -----------------------------------------------------------------
PVOID SpyGateOffset (PX86_GATE pGate)
{
return (PVOID) (pGate->Offset1 | (pGate->Offset2 << 16));
}
// -----------------------------------------------------------------
BOOL SpyIdtGate (PX86_SELECTOR pSelector,
PX86_GATE pGate)
{
X86_TABLE idt;
PX86_GATE pGates = NULL;
BOOL fOk = FALSE;
if (pGate != NULL)
{
if (pSelector != NULL)
{
__asm
{
sidt idt.wLimit
}
if ((pSelector->wValue & X86_SELECTOR_INDEX)
<= idt.wLimit)
{
pGates = idt.pGates;
}
}
if (pGates != NULL)
{
RtlCopyMemory (pGate,
pGates + pSelector->Index,
X86_GATE_);
fOk = TRUE;
}
else
{
RtlZeroMemory (pGate, X86_GATE_);
}
}
return fOk;
}
// -----------------------------------------------------------------
BOOL SpySegment (DWORD dSegment,
DWORD dSelector,
PSPY_SEGMENT pSegment)
{
BOOL fOk = FALSE;
if (pSegment != NULL)
{
fOk = TRUE;
if (!SpySelector (dSegment, dSelector,
&pSegment->Selector))
{
fOk = FALSE;
}
if (!SpyDescriptor (&pSegment->Selector,
&pSegment->Descriptor))
{
fOk = FALSE;
}
pSegment->pBase =
SpyDescriptorBase (&pSegment->Descriptor);
pSegment->dLimit =
SpyDescriptorLimit (&pSegment->Descriptor);
pSegment->fOk = fOk;
}
return fOk;
}
// -----------------------------------------------------------------
BOOL SpyInterrupt (DWORD dInterrupt,
PSPY_INTERRUPT pInterrupt)
{
BOOL fOk = FALSE;
if (pInterrupt != NULL)
{
if (dInterrupt <= X86_SELECTOR_LIMIT)
{
fOk = TRUE;
if (!SpySelector (X86_SEGMENT_OTHER,
dInterrupt << X86_SELECTOR_SHIFT,
&pInterrupt->Selector))
{
fOk = FALSE;
}
if (!SpyIdtGate (&pInterrupt->Selector,
&pInterrupt->Gate))
{
fOk = FALSE;
}
if (!SpySegment (X86_SEGMENT_OTHER,
pInterrupt->Gate.Selector,
&pInterrupt->Segment))
{
fOk = FALSE;
}
pInterrupt->pOffset = SpyGateOffset (&pInterrupt->Gate);
}
else
{
RtlZeroMemory (pInterrupt, SPY_INTERRUPT_);
}
pInterrupt->fOk = fOk;
}
return fOk;
}
// =================================================================
// MEMORY ACCESS FUNCTIONS
// =================================================================
BOOL SpyMemoryPageEntry (PVOID pVirtual,
PSPY_PAGE_ENTRY pspe)
{
SPY_PAGE_ENTRY spe;
BOOL fOk = FALSE;
spe.pe = X86_PDE_ARRAY [X86_PDI (pVirtual)];
spe.dSize = X86_PAGE_4M;
spe.fPresent = FALSE;
if (spe.pe.pde4M.P)
{
if (spe.pe.pde4M.PS)
{
fOk = spe.fPresent = TRUE;
}
else
{
spe.pe = X86_PTE_ARRAY [X86_PAGE (pVirtual)];
spe.dSize = X86_PAGE_4K;
if (spe.pe.pte4K.P)
{
fOk = spe.fPresent = TRUE;
}
else
{
fOk = (spe.pe.pnpe.PageFile != 0);
}
}
}
if (pspe != NULL) *pspe = spe;
return fOk;
}
// -----------------------------------------------------------------
BOOL SpyMemoryTestAddress (PVOID pVirtual)
{
return SpyMemoryPageEntry (pVirtual, NULL);
}
// -----------------------------------------------------------------
BOOL SpyMemoryTestBlock (PVOID pVirtual,
DWORD dBytes)
{
PBYTE pbData;
DWORD dData;
BOOL fOk = TRUE;
if (dBytes)
{
pbData = (PBYTE) ((DWORD_PTR) pVirtual & X86_PAGE_MASK);
dData = (((dBytes + X86_OFFSET_4K (pVirtual) - 1)
/ PAGE_SIZE) + 1) * PAGE_SIZE;
do {
fOk = SpyMemoryTestAddress (pbData);
pbData += PAGE_SIZE;
dData -= PAGE_SIZE;
}
while (fOk && dData);
}
return fOk;
}
// -----------------------------------------------------------------
DWORD SpyMemoryReadBlock (PSPY_MEMORY_BLOCK psmb,
PSPY_MEMORY_DATA psmd,
DWORD dSize)
{
DWORD i;
DWORD n = SPY_MEMORY_DATA__ (psmb->dBytes);
if (dSize >= n)
{
psmd->smb = *psmb;
for (i = 0; i < psmb->dBytes; i++)
{
psmd->awData [i] =
(SpyMemoryTestAddress (psmb->pbAddress + i)
? SPY_MEMORY_DATA_VALUE (psmb->pbAddress [i], TRUE)
: SPY_MEMORY_DATA_VALUE (0, FALSE));
}
}
else
{
if (dSize >= SPY_MEMORY_DATA_)
{
psmd->smb.pbAddress = NULL;
psmd->smb.dBytes = 0;
}
n = 0;
}
return n;
}
// =================================================================
// HANDLE MANAGEMENT
// =================================================================
DWORD SpyHandleSlot (PSPY_PROTOCOL psp,
HANDLE hProcess,
HANDLE hObject)
{
DWORD dSlot = 0;
if (hObject != NULL)
{
while ((dSlot < psp->sh.dHandles)
&&
((psp->ahProcesses [dSlot] != hProcess) ||
(psp->ahObjects [dSlot] != hObject ))) dSlot++;
dSlot = (dSlot < psp->sh.dHandles ? dSlot+1 : 0);
}
return dSlot;
}
// -----------------------------------------------------------------
DWORD SpyHandleName (PSPY_PROTOCOL psp,
HANDLE hProcess,
HANDLE hObject,
PWORD pwName,
DWORD dName)
{
WORD w;
DWORD i;
DWORD dSlot = SpyHandleSlot (psp, hProcess, hObject);
if ((pwName != NULL) && dName)
{
i = 0;
if (dSlot)
{
while ((i+1 < dName) &&
(w = psp->awNames [psp->adNames [dSlot-1] + i]))
{
pwName [i++] = w;
}
}
pwName [i] = 0;
}
return dSlot;
}
// -----------------------------------------------------------------
DWORD SpyHandleUnregister (PSPY_PROTOCOL psp,
HANDLE hProcess,
HANDLE hObject,
PWORD pwName,
DWORD dName)
{
DWORD i, j;
DWORD dSlot = SpyHandleName (psp, hProcess, hObject,
pwName, dName);
if (dSlot)
{
if (dSlot == psp->sh.dHandles)
{
// remove last name entry
psp->sh.dName = psp->adNames [dSlot-1];
}
else
{
i = psp->adNames [dSlot-1];
j = psp->adNames [dSlot ];
// shift left all remaining name entries
while (j < psp->sh.dName)
{
psp->awNames [i++] = psp->awNames [j++];
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -