HANDLE hProcess,
PHANDLE phObject)
{
DWORD n = SpyWriteChar (psp, 0, bPrefix);
if ((phObject != NULL) && SpyMemoryTestAddress (phObject))
{
n += SpyWriteHandle (psp, 0, hProcess, *phObject);
}
return n;
}
// -----------------------------------------------------------------
DWORD SpyWriteOpenHandle (PSPY_PROTOCOL psp,
                          BYTE          bPrefix,
                          HANDLE        hProcess,
                          HANDLE        hObject)
{
    // Logs a handle the hooked call received as input ("%!").
    // Output is "<prefix><handle>", followed by "=<name>" when
    // SpyHandleName() can supply a name for (hProcess, hObject) —
    // which presumably only happens for handles the spy registered
    // earlier via SpyWriteFilter(); confirm against SpyHandleName().
    // Returns the number of characters written to the protocol.
    WORD  awObjectName [SPY_NAME];
    DWORD dWritten;

    dWritten = SpyWriteHandle (psp, bPrefix, hProcess, hObject);

    // unknown handle: the numeric value alone is all we can log
    if (!SpyHandleName (psp, hProcess, hObject, awObjectName, SPY_NAME))
    {
        return dWritten;
    }

    dWritten += SpyWriteChar (psp, 0, '=');
    dWritten += SpyWriteName (psp, 0, awObjectName, MAXDWORD);
    return dWritten;
}
// -----------------------------------------------------------------
DWORD SpyWriteClosedHandle (PSPY_PROTOCOL psp,
                            BYTE          bPrefix,
                            HANDLE        hProcess,
                            HANDLE        hObject)
{
    // Logs a handle the hooked call is closing ("%-").
    // Output is "<prefix><handle>", followed by "=<name>" when
    // SpyHandleUnregister() returns a name for (hProcess, hObject).
    // Judging by its name, SpyHandleUnregister() also drops the handle
    // from the spy's handle table, so this is the last time the name
    // is available — not verifiable from here.
    // Returns the number of characters written to the protocol.
    WORD  awObjectName [SPY_NAME];
    DWORD dWritten;

    dWritten = SpyWriteHandle (psp, bPrefix, hProcess, hObject);

    if (!SpyHandleUnregister (psp, hProcess, hObject, awObjectName, SPY_NAME))
    {
        return dWritten;
    }

    dWritten += SpyWriteChar (psp, 0, '=');
    dWritten += SpyWriteName (psp, 0, awObjectName, MAXDWORD);
    return dWritten;
}
// -----------------------------------------------------------------
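BOOL SpyWriteFilter (PSPY_PROTOCOL psp,
                     PBYTE         pbFormat,
                     PVOID         pParameters,
                     DWORD         dParameters)
{
    // Decides whether the hooked call described by (pbFormat, pParameters)
    // is written to the protocol, and as a side effect registers any new
    // handle the call returned so later "%!" / "%-" references to it can
    // be resolved to a name.
    //
    //   pbFormat     hook format string; each "%x" pair describes one
    //                DWORD slot of pParameters
    //   pParameters  the captured argument list of the hooked call
    //   dParameters  number of arguments the caller says were captured
    //
    // Returns TRUE when the call should be logged: the argument count
    // matches the format string AND (no handles are involved, OR a new
    // handle was registered, OR the handle is already registered, OR the
    // filter is switched off).
    PHANDLE            phObject = NULL;  // first "%+" argument (PHANDLE out)
    HANDLE             hObject  = NULL;  // first "%!" / "%-" argument
    POBJECT_ATTRIBUTES poa      = NULL;  // first "%o" argument
    PDWORD             pdNext   = pParameters;
    DWORD              i        = 0;
    DWORD              j        = 0;     // parameters described by pbFormat

    // Pass over the format string: count conversion specifiers and pick
    // up the argument slots that carry handle information.
    while (pbFormat [i])
    {
        while (pbFormat [i] && (pbFormat [i] != '%')) i++;

        if (pbFormat [i] && pbFormat [++i])
        {
            j++;
            switch (pbFormat [i++])
            {
                case 'b': case 'a': case 'w': case 'u': case 'n':
                case 'l': case 's': case 'i': case 'c': case 'd':
                case 'p':
                    break;  // plain value, no handle bookkeeping

                case 'o':
                    if (poa == NULL) poa = (POBJECT_ATTRIBUTES) *pdNext;
                    break;

                case '+':
                    if (phObject == NULL) phObject = (PHANDLE) *pdNext;
                    break;

                case '!':
                case '-':
                    if (hObject == NULL) hObject = (HANDLE) *pdNext;
                    break;

                default:
                    j--;  // "%%" and unknown escapes are not parameters
                    break;
            }
            // every "%x" pair consumes one DWORD slot, even an escape;
            // SpyWriteFormat() advances its argument pointer the same way
            pdNext++;
        }
    }

    // argument count must agree with the format string
    if (j != dParameters) return FALSE;

    // no handles involved: always log
    if ((phObject == NULL) && (hObject == NULL)) return TRUE;

    // New handle returned through a caller-supplied pointer: register it,
    // naming it from the OBJECT_ATTRIBUTES if the call had any.
    //
    // phObject is a raw pointer lifted from the hooked call's argument
    // list, i.e. normally a user-mode address. SpyWriteNewHandle() probes
    // it with SpyMemoryTestAddress() before dereferencing; the original
    // code here dereferenced *phObject unprobed, so a caller passing a
    // bogus pointer — or one the system service rejected before touching
    // it — would fault the hook in kernel mode instead of the service
    // simply returning an error. The probe is applied here as well.
    // NOTE(review): SpyMemoryTestAddress() is a point-in-time check; the
    // mapping can still change before the read. Confirm it is adequate
    // for the IRQL/context the hooks run in, and check OBJECT_NAME(poa),
    // which also derives from a caller argument, for the same issue.
    if ((phObject != NULL) &&
        SpyMemoryTestAddress (phObject) &&
        SpyHandleRegister (psp, PsGetCurrentProcessId (),
                           *phObject, OBJECT_NAME (poa)))
    {
        return TRUE;
    }

    // handle registered earlier: log
    if (SpyHandleSlot (psp, PsGetCurrentProcessId (), hObject)) return TRUE;

    // filter disabled: log everything
    return (!gfSpyHookFilter);
}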
// -----------------------------------------------------------------
DWORD SpyWriteType (PSPY_PROTOCOL psp,
                    BYTE          bEscape,
                    BYTE          bType,
                    PVOID         pData)
{
    // Renders one conversion specifier of a hook format string.
    //   bEscape  the escape character that introduced the specifier
    //   bType    the specifier letter following it
    //   pData    the DWORD slot of the captured argument list that
    //            belongs to this specifier; each case reinterprets the
    //            slot with the type the specifier implies
    // Returns the number of characters written to the protocol.
    //
    // NOTE(review): the pointer-valued cases ('a', 'w', 'u', 'l', 'i',
    // 'c', 'd', 'o') forward an address lifted from the hooked call's
    // arguments — normally user-mode memory — to the formatter. Whether
    // that address is probed before being read is up to those helpers;
    // only SpyWriteNewHandle() is visible doing so here (via
    // SpyMemoryTestAddress()). 'w' additionally reads with no length
    // cap (MAXDWORD).
    HANDLE hCaller  = PsGetCurrentProcessId ();
    DWORD  dWritten = 0;

    switch (bType)
    {
        case 'b':   // BOOLEAN by value
            dWritten = SpyWriteBoolean (psp, bType, *(BOOLEAN *) pData);
            break;

        case 'a':   // pointer to ANSI string
            dWritten = SpyWriteAnsi (psp, bType, *(PBYTE *) pData);
            break;

        case 'w':   // pointer to wide string, unbounded
            dWritten = SpyWriteWide (psp, bType, *(PWORD *) pData, MAXDWORD);
            break;

        case 'u':   // pointer to UNICODE_STRING
            dWritten = SpyWriteUnicode (psp, bType, *(PUNICODE_STRING *) pData);
            break;

        case 'n':   // DWORD by value
            dWritten = SpyWriteNumber (psp, bType, *(DWORD *) pData);
            break;

        case 'l':   // pointer to LARGE_INTEGER
            dWritten = SpyWriteLarge (psp, bType, *(PLARGE_INTEGER *) pData);
            break;

        case 's':   // NTSTATUS by value
            dWritten = SpyWriteStatus (psp, bType, *(NTSTATUS *) pData);
            break;

        case 'i':   // pointer to IO_STATUS_BLOCK
            dWritten = SpyWriteIoStatus (psp, bType, *(PIO_STATUS_BLOCK *) pData);
            break;

        case 'c':   // pointer to CLIENT_ID
            dWritten = SpyWriteClientId (psp, bType, *(PCLIENT_ID *) pData);
            break;

        case 'd':   // pointer to DWORD
            dWritten = SpyWriteDword (psp, bType, *(PDWORD *) pData);
            break;

        case 'p':   // PVOID by value
            dWritten = SpyWritePointer (psp, bType, *(PVOID *) pData);
            break;

        case 'o':   // pointer to OBJECT_ATTRIBUTES
            dWritten = SpyWriteObject (psp, bType, *(POBJECT_ATTRIBUTES *) pData);
            break;

        case '+':   // PHANDLE receiving a new handle
            dWritten = SpyWriteNewHandle (psp, bType, hCaller, *(PHANDLE *) pData);
            break;

        case '!':   // HANDLE passed in
            dWritten = SpyWriteOpenHandle (psp, bType, hCaller, *(HANDLE *) pData);
            break;

        case '-':   // HANDLE being closed
            dWritten = SpyWriteClosedHandle (psp, bType, hCaller, *(HANDLE *) pData);
            break;

        default:
            // Not a known specifier. A doubled escape ("%%") is emitted
            // as a single character; anything else is emitted with the
            // escape character in front of it.
            if (bEscape == bType)
            {
                dWritten = SpyWriteChar (psp, 0, bType);
            }
            else
            {
                dWritten = SpyWriteChar (psp, bEscape, bType);
            }
            break;
    }
    return dWritten;
}
// -----------------------------------------------------------------
DWORD SpyWriteFormat (PSPY_PROTOCOL psp,
                      PBYTE         pbFormat,
                      PVOID         pParameters)
{
    // Renders pbFormat into the protocol. Literal text is copied through
    // unchanged; every "%x" pair is handed to SpyWriteType() together
    // with the next DWORD slot of pParameters. Returns the number of
    // characters written.
    PBYTE  pbCursor = pbFormat;
    PDWORD pdArg    = pParameters;
    DWORD  dWritten = 0;

    while (*pbCursor)
    {
        // copy the literal run up to the next '%' (or the terminator)
        DWORD dRun = 0;
        while (pbCursor [dRun] && (pbCursor [dRun] != '%')) dRun++;
        dWritten += SpyWriteData (psp, pbCursor, dRun);
        pbCursor += dRun;

        if (*pbCursor == 0) break;

        // *pbCursor is the escape character, pbCursor[1] the type code.
        // One argument slot is consumed per pair, "%%" included — the
        // same rule SpyWriteFilter() uses when it walks the format.
        dWritten += SpyWriteType (psp, *pbCursor, pbCursor [1], pdArg++);

        // Step over the pair. A lone trailing '%' has pbCursor[1] == 0;
        // the second step is skipped so we never run past the terminator
        // (SpyWriteType() then saw bType == 0 and took its default path).
        pbCursor++;
        if (*pbCursor) pbCursor++;
    }
    return dWritten;
}
// =================================================================
// SERVICE DESCRIPTOR TABLE HOOKS
// =================================================================
NTSTATUS SpyHookWait (void)
{
    // Acquires the mutex that serializes access to the protocol buffer
    // in the device context. The wait status is returned unchanged;
    // none of the callers in this file examine it.
    NTSTATUS nsWait;
    nsWait = MUTEX_WAIT (gpDeviceContext->kmProtocol);
    return nsWait;
}
// -----------------------------------------------------------------
LONG SpyHookRelease (void)
{
    // Releases the protocol mutex taken by SpyHookWait() and passes
    // MUTEX_RELEASE's result through.
    LONG lResult;
    lResult = MUTEX_RELEASE (gpDeviceContext->kmProtocol);
    return lResult;
}
// -----------------------------------------------------------------
void SpyHookReset (void)
{
    // Discards the contents of the protocol buffer, holding the
    // protocol mutex for the duration.
    // NOTE(review): the status from SpyHookWait() is ignored. If
    // MUTEX_WAIT can return without ownership (alerted/APC wait), the
    // reset would run unprotected — confirm the macro's wait mode.
    PSPY_PROTOCOL psp = &gpDeviceContext->SpyProtocol;

    SpyHookWait ();
    SpyWriteReset (psp);
    SpyHookRelease ();
}
// -----------------------------------------------------------------
DWORD SpyHookRead (PBYTE pbData,
                   DWORD dData,
                   BOOL  fLine)
{
    // Copies protocol data out to pbData (at most dData bytes) under
    // the protocol mutex. fLine selects SpyReadLine() (one record)
    // over SpyReadData() (raw bytes). Returns whatever the selected
    // reader returns — presumably the byte count.
    // NOTE(review): whether pbData is a kernel or a user buffer, and
    // who validates it, is not visible here; check the IOCTL dispatcher
    // that calls this.
    PSPY_PROTOCOL psp = &gpDeviceContext->SpyProtocol;
    DWORD         dResult;

    SpyHookWait ();
    if (fLine)
    {
        dResult = SpyReadLine (psp, pbData, dData);
    }
    else
    {
        dResult = SpyReadData (psp, pbData, dData);
    }
    SpyHookRelease ();
    return dResult;
}
// -----------------------------------------------------------------
DWORD SpyHookWrite (PBYTE pbData,
                    DWORD dData)
{
    // Appends dData bytes from pbData to the protocol buffer under the
    // protocol mutex and returns SpyWriteData()'s result.
    // NOTE(review): as with SpyHookRead(), the origin of pbData (kernel
    // vs. user memory) and its validation are not visible here.
    PSPY_PROTOCOL psp = &gpDeviceContext->SpyProtocol;
    DWORD         dResult;

    SpyHookWait ();
    dResult = SpyWriteData (psp, pbData, dData);
    SpyHookRelease ();
    return dResult;
}
// -----------------------------------------------------------------
// <#>:<status>=<function>(<arguments>)<time>,<thread>,<handles>
void SpyHookProtocol (PSPY_CALL psc)
{
    // Appends one record for a hooked system service call, laid out as
    //   <#>:<status>=<function>(<arguments>)<time>,<thread>,<handles>
    // The timestamp is sampled before taking the mutex so it reflects
    // when the call was observed, not when the lock became available.
    // NOTE(review): the status of SpyHookWait() is not checked; see
    // the note in SpyHookReset().
    PSPY_PROTOCOL psp      = &gpDeviceContext->SpyProtocol;
    PBYTE         pbFormat = psc->pshe->pbFormat;
    LARGE_INTEGER liNow;

    KeQuerySystemTime (&liNow);
    SpyHookWait ();

    // SpyWriteFilter() is both the gate and a side effect: while
    // deciding whether to log, it registers any new handle the call
    // returned. It therefore runs for every call, logged or not.
    if (SpyWriteFilter (psp, pbFormat, psc->adParameters, psc->dParameters))
    {
        // <#>: — running count, advanced only for records actually written
        SpyWriteNumber (psp, 0, ++(psp->sh.dCalls));
        SpyWriteChar   (psp, 0, ':');

        // <status>=<function>(<arguments>) — produced by the format string
        SpyWriteFormat (psp, pbFormat, psc->adParameters);

        // <time>,<thread>,<handles>
        SpyWriteLarge  (psp, 0, &liNow);
        SpyWriteChar   (psp, 0, ',');
        SpyWriteNumber (psp, 0, (DWORD) psc->hThread);
        SpyWriteChar   (psp, 0, ',');
        SpyWriteNumber (psp, 0, psp->sh.dHandles);
        SpyWriteChar   (psp, 0, '\n');
    }

    SpyHookRelease ();
}
// -----------------------------------------------------------------
BOOL SpyHookPause (BOOL fPause)
{
    // Atomically sets the global pause flag and returns its previous
    // value. Resuming (fPause == FALSE) also clears the protocol buffer
    // through SpyHookReset().
    LONG lPrevious;

    lPrevious = InterlockedExchange ((PLONG) &gfSpyHookPause, (LONG) fPause);
    if (fPause == FALSE)
    {
        SpyHookReset ();
    }
    return (BOOL) lPrevious;
}
// -----------------------------------------------------------------
BOOL SpyHookFilter (BOOL fFilter)
{
    // Atomically sets the global filter flag consulted by
    // SpyWriteFilter() and returns its previous value.
    LONG lPrevious;

    lPrevious = InterlockedExchange ((PLONG) &gfSpyHookFilter, (LONG) fFilter);
    return (BOOL) lPrevious;
}
// -----------------------------------------------------------------
// The SpyHook macro defines a hook entry point in inline assembly
// language. The common entry point SpyHook2 is entered by a call
// instruction, allowing the hook to be identified by its return
// address on the stack. The call is executed through a register to
// remove any degrees of freedom from the encoding of the call.
// Every expansion is therefore the same fixed-size stub (push eax /
// mov eax, imm32 / call eax — 8 bytes on x86, matching the ALIGN 8
// that precedes the entry-point section in SpyHookInitializeEx()),
// which is what lets SpyHook2 turn a return address into a hook index.
// eax is saved on the stack first so SpyHook2 is free to use it;
// presumably SpyHook2 restores it before continuing — not visible here.
#define SpyHook \
__asm push eax \
__asm mov eax, offset SpyHook2 \
__asm call eax
// -----------------------------------------------------------------
// The SpyHookInitializeEx() function initializes the aSpyHooks[]
// array with the hook entry points and format strings. It also
// hosts the hook entry points and the hook dispatcher.
void SpyHookInitializeEx (PPBYTE ppbSymbols,
PPBYTE ppbFormats)
{
DWORD dHooks1, dHooks2, i, j, n;
__asm
{
jmp SpyHook9
ALIGN 8
SpyHook1: ; start of hook entry point section
}
// the number of entry points defined in this section
// must be equal to SDT_SYMBOLS_MAX (i.e. 0xF8)
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //08
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //10
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //18
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //20
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //28
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //30
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //38
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //40
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //48
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //50
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //58
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //60
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //68
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //70
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //78
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //80
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //88
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //90
SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook //98
SpyHook SpyHook SpyHook SpyHook SpyHook