}
// -----------------------------------------------------------------
// Fetch the next protocol record from the spy device.
//
// hDevice  open handle to the spy device
// fLine    handed to the driver as the IOCTL input buffer (BOOL_ bytes)
// pbData   caller's buffer, receives at most dData bytes
// dData    size of pbData in bytes
//
// Returns the byte count reported by the driver, or 0 when the
// DeviceIoControl call fails, so callers can treat 0 as "nothing read".
// NOTE(review): the count is produced by kernel code; callers that index
// pbData by it assume it never exceeds dData — confirm in the driver.
DWORD WINAPI SpyHookRead (HANDLE hDevice,
                          BOOL   fLine,
                          PBYTE  pbData,
                          DWORD  dData)
{
    DWORD dReturned = 0;
    BOOL  fOk = DeviceIoControl (hDevice, SPY_IO_HOOK_READ,
                                 &fLine, BOOL_,
                                 pbData, dData,
                                 &dReturned, NULL);

    return fOk ? dReturned : 0;
}
// -----------------------------------------------------------------
// Send a NUL-terminated ANSI string to the spy device's protocol buffer.
//
// hDevice  open handle to the spy device
// pbData   NUL-terminated text; its length (without the terminator) is
//          passed as the IOCTL input size
//
// Returns the result of SpyIoControl (TRUE on success).
BOOL WINAPI SpyHookWrite (HANDLE hDevice,
                          PBYTE  pbData)
{
    DWORD dLength = (DWORD) lstrlenA ((LPCSTR) pbData);

    return SpyIoControl (hDevice, SPY_IO_HOOK_WRITE,
                         pbData, dLength,
                         NULL, 0);
}
// =================================================================
// SPY DEVICE MANAGEMENT
// =================================================================
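// Append one protocol line plus CRLF to the log file. The device returns
// ANSI text, so the bytes go out unchanged through WriteFile (the handle
// comes from CreateFile and is not a stdio stream). A handle of
// INVALID_HANDLE_VALUE means logging is disabled and nothing is written.
//
// Returns TRUE only if both the line and the CRLF were written in full.
static BOOL LogLine (HANDLE hLogFile,
                     PBYTE  pbData)
{
    static const BYTE abCrLf [2] = { '\r', '\n' };
    DWORD dLength, dWritten;

    if (hLogFile == INVALID_HANDLE_VALUE) return FALSE;

    dLength = (DWORD) lstrlenA ((LPCSTR) pbData);
    if (!WriteFile (hLogFile, pbData, dLength, &dWritten, NULL) ||
        (dWritten != dLength))
    {
        return FALSE;
    }
    return WriteFile (hLogFile, abCrLf, sizeof abCrLf, &dWritten, NULL) &&
           (dWritten == sizeof abCrLf);
}

// Load the spy driver, open its device, install the API hooks and run the
// interactive protocol loop until ESC is pressed. Each protocol line that
// starts with '-' or whose "name=" part matches one of the filter patterns
// is echoed to the console and appended to the log file.
//
// ppwFilters  wide-string patterns handed to PatternMatcher
// dFilters    number of entries in ppwFilters
//
// No return value; every failure is reported on the console and the
// resources acquired so far (device handle, log file, service) are
// released before returning.
void WINAPI Execute (PPWORD ppwFilters,
                     DWORD  dFilters)
{
    // Fixed log location. CREATE_ALWAYS truncates whatever is there, so
    // this should be a path that only the user running the tool can
    // create or redirect.
    static const WORD awLogPath [] = L"C:\\ApiLog.txt";

    SPY_VERSION_INFO svi;
    SPY_HOOK_INFO    shi;
    DWORD            dCount, i, j, k, n;
    BOOL             fPause, fFilter, fRepeat;
    BYTE             abData [HOOK_MAX_DATA];
    WORD             awData [HOOK_MAX_DATA];
    WORD             awPath [MAX_PATH] = L"?";
    SC_HANDLE        hControl = NULL;
    HANDLE           hDevice  = INVALID_HANDLE_VALUE;
    HANDLE           hLogFile = INVALID_HANDLE_VALUE;

    _printf (L"\r\nLoading \"%s\" (%s) ...\r\n",
             awSpyDisplay, awSpyDevice);

    if (w2kFilePath (NULL, awSpyFile, awPath, MAX_PATH))
    {
        _printf (L"Driver: \"%s\"\r\n",
                 awPath);

        hControl = w2kServiceLoad (awSpyDevice, awSpyDisplay,
                                   awPath, TRUE);
    }
    if (hControl != NULL)
    {
        _printf (L"Opening \"%s\" ...\r\n",
                 awSpyPath);

        hDevice = CreateFile (awSpyPath,
                              GENERIC_READ | GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL, OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL, NULL);
    }
    else
    {
        _printf (L"Unable to load the spy device driver.\r\n");
    }
    if (hDevice != INVALID_HANDLE_VALUE)
    {
        if (SpyVersionInfo (hDevice, &svi))
        {
            _printf (L"\r\n"
                     L"%s V%lu.%02lu ready\r\n",
                     svi.awName,
                     svi.dVersion / 100, svi.dVersion % 100);
        }
        if (SpyHookInfo (hDevice, &shi))
        {
            _printf (L"\r\n"
                     L"API hook parameters: 0x%08lX\r\n"
                     L"SPY_PROTOCOL structure: 0x%08lX\r\n"
                     L"SPY_PROTOCOL data buffer: 0x%08lX\r\n"
                     L"KeServiceDescriptorTable: 0x%08lX\r\n"
                     L"KiServiceTable: 0x%08lX\r\n"
                     L"KiArgumentTable: 0x%08lX\r\n"
                     L"Service table size: 0x%lX (%lu)\r\n",
                     shi.psc,
                     shi.psp,
                     shi.psp->abData,
                     shi.psdt,
                     shi.sdt.ntoskrnl.ServiceTable,
                     shi.sdt.ntoskrnl.ArgumentTable,
                     shi.ServiceLimit, shi.ServiceLimit);
        }
        // The driver reports the previous state through the output flag;
        // the flag is then primed with the state the next toggle sets.
        SpyHookPause  (hDevice, TRUE, &fPause ); fPause  = FALSE;
        SpyHookFilter (hDevice, TRUE, &fFilter); fFilter = FALSE;

        if (SpyHookInstall (hDevice, TRUE, &dCount))
        {
            _printf (L"\r\n"
                     L"Installed %lu API hooks\r\n",
                     dCount);
        }
        _printf (L"\r\n"
                 L"Protocol control keys:\r\n"
                 L"\r\n"
                 L"P - pause ON/off\r\n"
                 L"F - filter ON/off\r\n"
                 L"R - reset protocol\r\n"
                 L"ESC - exit\r\n"
                 L"\r\n");

        // Logging is best-effort: if the file cannot be created the loop
        // still runs and only the console output remains.
        hLogFile = CreateFile (awLogPath,
                               GENERIC_WRITE, 0, NULL,
                               CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hLogFile == INVALID_HANDLE_VALUE)
        {
            _printf (L"Unable to create the log file \"%s\".\r\n",
                     awLogPath);
        }

        for (fRepeat = TRUE; fRepeat;)
        {
            n = SpyHookRead (hDevice, TRUE,
                             abData, HOOK_MAX_DATA);
            if (n != 0)
            {
                // Guarantee a terminator inside the buffer so the scans
                // below cannot run past it if the driver filled it fully.
                abData [(n < HOOK_MAX_DATA) ? n : HOOK_MAX_DATA - 1] = 0;

                if (abData [0] == '-')
                {
                    n = 0;
                }
                else
                {
                    // Copy the text between '=' and '(' to awData (widened)
                    // and match it against the filter patterns; n == 0
                    // afterwards means "show this line".
                    i = 0;
                    while (abData [i] && (abData [i++] != '='));
                    j = i;
                    while (abData [j] && (abData [j] != '(')) j++;
                    k = 0;
                    while (i < j) awData [k++] = abData [i++];
                    awData [k] = 0;

                    for (i = 0; i < dFilters; i++)
                    {
                        if (PatternMatcher (ppwFilters [i], awData))
                        {
                            n = 0;
                            break;
                        }
                    }
                }
                if (!n)
                {
                    LogLine (hLogFile, abData);
                    _printf (L"%hs\r\n", abData);
                }
                Sleep (0);
            }
            else
            {
                Sleep (HOOK_IOCTL_DELAY);
            }
            switch (KeyboardData ())
            {
                case 'P':
                {
                    SpyHookPause (hDevice, fPause, &fPause);
                    SpyHookWrite (hDevice, (fPause ? abPauseOff
                                                   : abPauseOn));
                    break;
                }
                case 'F':
                {
                    SpyHookFilter (hDevice, fFilter, &fFilter);
                    SpyHookWrite (hDevice, (fFilter ? abFilterOff
                                                    : abFilterOn));
                    break;
                }
                case 'R':
                {
                    SpyHookReset (hDevice);
                    SpyHookWrite (hDevice, abReset);
                    break;
                }
                case VK_ESCAPE:
                {
                    _printf (L"%hs\r\n", abExit);
                    fRepeat = FALSE;
                    break;
                }
                default:
                {
                    break;
                }
            }
        }
        if (SpyHookRemove (hDevice, FALSE, &dCount))
        {
            _printf (L"\r\n"
                     L"Removed %lu API hooks\r\n",
                     dCount);
        }
        _printf (L"\r\nClosing the spy device ...\r\n");
        CloseHandle (hDevice);

        if (hLogFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle (hLogFile);
            hLogFile = INVALID_HANDLE_VALUE;
        }
    }
    else
    {
        _printf (L"Unable to open the spy device.\r\n");
    }
    if ((hControl != NULL) && gfSpyUnload)
    {
        _printf (L"Unloading the spy device ...\r\n");
        w2kServiceUnload (awSpyDevice, hControl);
    }
    return;
}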
// =================================================================
// MAIN PROGRAM
// =================================================================
// Program entry point: print the banner, then either show the usage text
// (no arguments) or hand the argument list to Execute as filter patterns.
//
// argc  argument count including the program name
// argv  argument vector; argv[1..] are the filter patterns
// argp  environment block, unused here
//
// Always returns 0.
DWORD Main (DWORD argc, PTBYTE *argv, PTBYTE *argp)
{
    _printf (atAbout);

    if (argc >= 2)
    {
        Execute (argv + 1, argc - 1);
        return 0;
    }
    _printf (atUsage, awArguments);
    return 0;
}
// =================================================================
// END OF PROGRAM
// =================================================================