📄 w2k_spy.c
字号:
}
j -= (psp->sh.dName = i);
// shift left all remaining handles and name offsets
for (i = dSlot; i < psp->sh.dHandles; i++)
{
psp->ahProcesses [i-1] = psp->ahProcesses [i];
psp->ahObjects [i-1] = psp->ahObjects [i];
psp->adNames [i-1] = psp->adNames [i] - j;
}
}
psp->sh.dHandles--;
}
return dSlot;
}
// -----------------------------------------------------------------
DWORD SpyHandleRegister (PSPY_PROTOCOL psp,
HANDLE hProcess,
HANDLE hObject,
PUNICODE_STRING puName)
{
PWORD pwName;
DWORD dName;
DWORD i;
DWORD dSlot = 0;
if (hObject != NULL)
{
// unregister old handle with same value
SpyHandleUnregister (psp, hProcess, hObject, NULL, 0);
if (psp->sh.dHandles == SPY_HANDLES)
{
// unregister oldest handle if overflow
SpyHandleUnregister (psp, psp->ahProcesses [0],
psp->ahObjects [0], NULL, 0);
}
pwName = ((puName != NULL) && SpyMemoryTestAddress (puName)
? puName->Buffer
: NULL);
dName = ((pwName != NULL) && SpyMemoryTestAddress (pwName)
? puName->Length / WORD_
: 0);
if (dName + 1 <= SPY_NAME_BUFFER - psp->sh.dName)
{
// append object to end of list
psp->ahProcesses [psp->sh.dHandles] = hProcess;
psp->ahObjects [psp->sh.dHandles] = hObject;
psp->adNames [psp->sh.dHandles] = psp->sh.dName;
for (i = 0; i < dName; i++)
{
psp->awNames [psp->sh.dName++] = pwName [i];
}
psp->awNames [psp->sh.dName++] = 0;
psp->sh.dHandles++;
dSlot = psp->sh.dHandles;
}
}
return dSlot;
}
// =================================================================
// HOOK PROTOCOL MANAGEMENT (READ)
// =================================================================
DWORD SpyReadData (PSPY_PROTOCOL psp,
PBYTE pbData,
DWORD dData)
{
DWORD i = psp->sh.dRead;
DWORD n = 0;
while ((n < dData) && (i != psp->sh.dWrite))
{
pbData [n++] = psp->abData [i++];
if (i == SPY_DATA_BUFFER) i = 0;
}
psp->sh.dRead = i;
return n;
}
// -----------------------------------------------------------------
DWORD SpyReadLine (PSPY_PROTOCOL psp,
PBYTE pbData,
DWORD dData)
{
BYTE b = 0;
DWORD i = psp->sh.dRead;
DWORD n = 0;
while ((b != '\n') && (i != psp->sh.dWrite))
{
b = psp->abData [i++];
if (i == SPY_DATA_BUFFER) i = 0;
if (n < dData) pbData [n++] = b;
}
if (b == '\n')
{
// remove current line from buffer
psp->sh.dRead = i;
}
else
{
// don't return any data until full line available
n = 0;
}
if (n)
{
pbData [n-1] = 0;
}
else
{
if (dData) pbData [0] = 0;
}
return n;
}
// =================================================================
// HOOK PROTOCOL MANAGEMENT (WRITE)
// =================================================================
void SpyWriteReset (PSPY_PROTOCOL psp)
{
KeQuerySystemTime (&psp->sh.liStart);
psp->sh.dRead = 0;
psp->sh.dWrite = 0;
psp->sh.dCalls = 0;
psp->sh.dHandles = 0;
psp->sh.dName = 0;
return;
}
// -----------------------------------------------------------------
DWORD SpyWriteData (PSPY_PROTOCOL psp,
PBYTE pbData,
DWORD dData)
{
BYTE b;
DWORD i = psp->sh.dRead;
DWORD j = psp->sh.dWrite;
DWORD n = 0;
while (n < dData)
{
psp->abData [j++] = pbData [n++];
if (j == SPY_DATA_BUFFER) j = 0;
if (j == i)
{
// remove first line from buffer
do {
b = psp->abData [i++];
if (i == SPY_DATA_BUFFER) i = 0;
}
while ((b != '\n') && (i != j));
// remove half line only if single line
if ((i == j) &&
((i += (SPY_DATA_BUFFER / 2)) >= SPY_DATA_BUFFER))
{
i -= SPY_DATA_BUFFER;
}
}
}
psp->sh.dRead = i;
psp->sh.dWrite = j;
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteChar (PSPY_PROTOCOL psp,
BYTE bPrefix,
BYTE bData)
{
DWORD n = 0;
if (bPrefix) n += SpyWriteData (psp, &bPrefix, 1);
if (bData ) n += SpyWriteData (psp, &bData, 1);
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteAnsi (PSPY_PROTOCOL psp,
BYTE bPrefix,
PBYTE pbData)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if (pbData != NULL)
{
n += SpyWriteData (psp, pbData, strlen (pbData));
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteBoolean (PSPY_PROTOCOL psp,
BYTE bPrefix,
BOOLEAN bData)
{
return SpyWriteAnsi (psp, bPrefix, (bData ? "TRUE" : "FALSE"));
}
// -----------------------------------------------------------------
DWORD SpyWriteNumber (PSPY_PROTOCOL psp,
BYTE bPrefix,
DWORD dData)
{
BYTE abNumber [8+1];
DWORD x, i;
abNumber [i = 8] = 0;
x = dData;
do {
abNumber [--i] = abHex [x & 0xF];
x >>= 4;
}
while (x);
return SpyWriteAnsi (psp, bPrefix, abNumber+i);
}
// -----------------------------------------------------------------
DWORD SpyWriteWide (PSPY_PROTOCOL psp,
BYTE bPrefix,
PWORD pwData,
DWORD dData)
{
UNICODE_STRING us;
ANSI_STRING as;
WORD awChar [] = L"?";
BYTE abChar [] = "?";
DWORD dData1, i;
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((pwData != NULL) && SpyMemoryTestAddress (pwData))
{
dData1 = (dData != MAXDWORD ? dData : wcslen (pwData));
RtlInitUnicodeString (&us, awChar);
RtlInitAnsiString (&as, abChar);
for (i = 0; i < dData1; i++)
{
if (pwData [i] < 0x100)
{
abChar [0] = (BYTE) pwData [i];
}
else
{
awChar [0] = pwData [i];
if (RtlUnicodeStringToAnsiString (&as, &us, FALSE)
!= STATUS_SUCCESS)
{
abChar [0] = '?';
}
}
n += SpyWriteChar (psp, 0, abChar [0]);
}
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteString (PSPY_PROTOCOL psp,
BYTE bPrefix,
PWORD pwData,
DWORD dData,
BYTE bStart,
BYTE bStop)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((pwData != NULL) && SpyMemoryTestAddress (pwData))
{
n += SpyWriteChar (psp, 0, bStart);
n += SpyWriteWide (psp, 0, pwData, dData);
n += SpyWriteChar (psp, 0, bStop);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteName (PSPY_PROTOCOL psp,
BYTE bPrefix,
PWORD pwData,
DWORD dData)
{
return SpyWriteString (psp, bPrefix, pwData, dData, '\"', '\"');
}
// -----------------------------------------------------------------
DWORD SpyWriteUnicode (PSPY_PROTOCOL psp,
BYTE bPrefix,
PUNICODE_STRING puData)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((puData != NULL) && SpyMemoryTestAddress (puData))
{
n += SpyWriteName (psp, 0, puData->Buffer,
puData->Length / WORD_);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteObject (PSPY_PROTOCOL psp,
BYTE bPrefix,
POBJECT_ATTRIBUTES poa)
{
return SpyWriteUnicode (psp, bPrefix, OBJECT_NAME (poa));
}
// -----------------------------------------------------------------
DWORD SpyWriteLarge (PSPY_PROTOCOL psp,
BYTE bPrefix,
PLARGE_INTEGER pliData)
{
BYTE abNumber [16+1];
DWORDLONG x;
DWORD i;
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((pliData != NULL) && SpyMemoryTestAddress (pliData))
{
abNumber [i = 16] = 0;
x = (pliData->QuadPart);
do {
abNumber [--i] = abHex [x & 0xF];
x >>= 4;
}
while (x);
n += SpyWriteAnsi (psp, 0, abNumber+i);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteStatus (PSPY_PROTOCOL psp,
BYTE bPrefix,
NTSTATUS NtStatus)
{
return SpyWriteNumber (psp, bPrefix, NtStatus);
}
// -----------------------------------------------------------------
DWORD SpyWriteIoStatus (PSPY_PROTOCOL psp,
BYTE bPrefix,
PIO_STATUS_BLOCK pisb)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((pisb != NULL) && SpyMemoryTestAddress (pisb))
{
n += SpyWriteNumber (psp, 0, pisb->Status);
n += SpyWriteChar (psp, 0, '.');
n += SpyWriteNumber (psp, 0, pisb->Information);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteClientId (PSPY_PROTOCOL psp,
BYTE bPrefix,
PCLIENT_ID pci)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((pci != NULL) && SpyMemoryTestAddress (pci))
{
n += SpyWriteNumber (psp, 0, (DWORD) pci->UniqueProcess);
n += SpyWriteChar (psp, 0, '.');
n += SpyWriteNumber (psp, 0, (DWORD) pci->UniqueThread);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteDword (PSPY_PROTOCOL psp,
BYTE bPrefix,
PDWORD pdData)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((pdData != NULL) && SpyMemoryTestAddress (pdData))
{
n += SpyWriteNumber (psp, 0, *pdData);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWritePointer (PSPY_PROTOCOL psp,
BYTE bPrefix,
PVOID pData)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if (pData != NULL)
{
n += SpyWriteNumber (psp, 0, (DWORD) pData);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteHandle (PSPY_PROTOCOL psp,
BYTE bPrefix,
HANDLE hProcess,
HANDLE hObject)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
n += SpyWriteNumber (psp, 0, (DWORD) hProcess);
n += SpyWriteChar (psp, 0, '.');
n += SpyWriteNumber (psp, 0, (DWORD) hObject);
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteNewHandle (PSPY_PROTOCOL psp,
BYTE bPrefix,
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -