#include <ntddk.h>
#include <string.h>
// #pragma data_seg ("PAGE")
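/* Set once the control device and its symbolic link exist; MyUnload only tears them down when this is set. */
BOOLEAN g_IsCreated;
/* NT namespace name of the control device and its Win32-visible alias (\\??\\ prefix). */
WCHAR * pKrnlDeviceName = L"\\Device\\wndsinfo";
WCHAR * pUserDeviceName = L"\\??\\wndsinfo";
typedef unsigned long DWORD;
/* At most one of these is set by DriverEntry from PsGetVersion (5.0 / 5.1 / 5.2);
   they select which structure offsets the window walkers use. */
DWORD bIsWin2K, bIsWinXP, bIsWin2003;
/* Lowest address treated as kernel space (0x80000000 or 0xc0000000, chosen in DriverEntry);
   windows whose procedure address is at or above it are not reported. */
DWORD OSLowAddr;
/* FILE_ANY_ACCESS: any handle to the device can issue this request. METHOD_IN_DIRECT places the
   input buffer in Irp->AssociatedIrp.SystemBuffer; that buffer holds a caller pointer (see MyDeviceControl). */
#define IOCTL_CODE_GET_WINDOWS_INFO CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
/* Capacity of the handle scratch table used by the walkers. Parenthesised so the macro is safe
   inside larger expressions (it is used as MAX_WND_COUNT-1 and sizeof(DWORD) * MAX_WND_COUNT). */
#define MAX_WND_COUNT (1024 * 256)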
/* One reported window. Every member is a 32-bit value read from the undocumented window block
   of the running OS by get_windows_info_2K / get_windows_info_XP_2003; the block offsets differ
   per version and are not named anywhere in this file.
   NOTE(review): a tag beginning with a double underscore is a reserved identifier in C. */
typedef struct __WINDOW_INFO_CELL
{
DWORD hWnd;     /* first dword of the window block */
DWORD style;    /* block offset 0x20 on all supported versions */
DWORD left;     /* 0x3c..0x48 on 2000, 0x40..0x4c on XP/2003 — presumably a RECT, confirm */
DWORD top;
DWORD right;
DWORD bottom;
DWORD wnd_proc; /* block offset 0x5c (2000) / 0x60 (XP, 2003); only windows with this below OSLowAddr are recorded */
DWORD pid;      /* reached through three pointer hops starting at block offset 8 — assumed to be the owning process id, confirm */
}WINDOW_INFO_CELL;
/* Result buffer supplied by the caller of IOCTL_CODE_GET_WINDOWS_INFO (the IOCTL input is a pointer
   to it). Declared with a one-element array; the caller is expected to allocate room for in_count
   cells. Because the memory is caller-controlled, the driver must treat both counts as untrusted. */
typedef struct __WINDOWS_INFO
{
DWORD in_count;//in: number of wic cells the caller allocated
DWORD out_count;//out: number of cells actually filled
WINDOW_INFO_CELL wic[1];
}WINDOWS_INFO;
void get_all_windows_info(WINDOWS_INFO *pwi);
/* The single control device, created by MyCreateDevice; MyUnload deletes it via DriverObject->DeviceObject. */
PDEVICE_OBJECT Device;
/* Driver entry points; the dispatch routines are installed by DriverEntry. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath);
NTSTATUS MyCreateDevice(IN PDRIVER_OBJECT DriverObject);
VOID MyUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS MyDispatchCreate(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
NTSTATUS MyDispatchClose(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
NTSTATUS MyDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
#ifdef ALLOC_PRAGMA
/* DriverEntry goes to the INIT section (discarded after initialisation).
   NOTE(review): "PAGELock" is not the conventional PAGE section name — confirm it is treated as
   pageable as intended. ScanDWORD and the walkers call PAGED_CODE() but are not listed here. */
#pragma alloc_text (INIT, DriverEntry)
#pragma alloc_text (PAGELock, MyUnload)
#pragma alloc_text (PAGELock, MyDispatchCreate)
#pragma alloc_text (PAGELock, MyDispatchClose)
#pragma alloc_text (PAGELock, MyDeviceControl)
#endif
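/* Linear search for a 32-bit value.
   _StartAddress  address of the first dword to examine (0 is rejected)
   _len           number of dwords to examine (0 is rejected), not bytes
   _ScanContent   value to look for
   Returns the zero-based index of the first match, or 0xffffffff when absent or on bad input;
   callers compare the result with -1 after assigning it to an int.
   The original was an x86 inline-asm repne scasd that ran with interrupts disabled (cli) while
   touching the PagedPool scratch table allocated in get_all_windows_info; a page fault taken with
   interrupts off is fatal in the kernel, and the asm tied the driver to 32-bit builds. A plain
   loop has the same result, is portable, and leaves IRQL/interrupt state alone. */
DWORD ScanDWORD(DWORD _StartAddress, DWORD _len, DWORD _ScanContent)
{
    const DWORD *cursor = (const DWORD *)_StartAddress;
    DWORD index;
    PAGED_CODE();
    if (_StartAddress == 0 || _len == 0)
        return 0xffffffff;
    for (index = 0; index < _len; index++)
    {
        if (cursor[index] == _ScanContent)
            return index;
    }
    return 0xffffffff;
}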
/* Driver initialisation: picks the kernel-space boundary and the OS flavour the walkers will use,
   installs the dispatch routines and creates the control device.
   Returns STATUS_DRIVER_UNABLE_TO_LOAD unless PsGetVersion reports major version 5 (2000/XP/2003),
   otherwise whatever MyCreateDevice returns. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
    DWORD major_version = 0, minor_version = 0;
    DWORD kernel_export = (DWORD)ZwMakeTemporaryObject;
    UNREFERENCED_PARAMETER (RegistryPath);
    g_IsCreated = FALSE;
    /* Locate the user/kernel split from where a kernel export lives: inside the 0x80000000..0xc0000000
       range means the usual 2 GB layout, otherwise the boundary is assumed to be 0xc0000000. */
    OSLowAddr = (kernel_export > 0x80000000 && kernel_export < 0xc0000000) ? 0x80000000 : 0xc0000000;
    PsGetVersion(&major_version, &minor_version, 0, 0);
    bIsWin2K = bIsWinXP = bIsWin2003 = 0;
    if (major_version != 5)
        return STATUS_DRIVER_UNABLE_TO_LOAD;
    /* Minor versions other than 0/1/2 leave all three flags clear; the driver still loads but
       get_all_windows_info then reports nothing. */
    switch (minor_version)
    {
    case 0: bIsWin2K = 1; break;
    case 1: bIsWinXP = 1; break;
    case 2: bIsWin2003 = 1; break;
    default: break;
    }
    DriverObject->DriverUnload = MyUnload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = MyDispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyDispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyDeviceControl;
    return MyCreateDevice(DriverObject);
}
/* Create the control device and its user-visible symbolic link, recording success in g_IsCreated.
   On any failure g_IsCreated is cleared, a half-created device is deleted, and the NTSTATUS is returned.
   NOTE(review): IoCreateDevice is called without a security descriptor and the IOCTL is
   FILE_ANY_ACCESS, so every caller able to open \??\wndsinfo can reach MyDeviceControl. */
NTSTATUS MyCreateDevice(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING krnlName, linkName;
    NTSTATUS status;
    PAGED_CODE();
    RtlInitUnicodeString(&krnlName, pKrnlDeviceName);
    status = IoCreateDevice(DriverObject, 0, &krnlName, FILE_DEVICE_UNKNOWN, 0, FALSE, &Device);
    if (NT_SUCCESS(status))
    {
        RtlInitUnicodeString(&linkName, pUserDeviceName);
        status = IoCreateSymbolicLink(&linkName, &krnlName);
        if (!NT_SUCCESS(status))
            IoDeleteDevice(Device);   /* undo the device so unload has nothing to clean */
    }
    if (!NT_SUCCESS(status))
    {
        g_IsCreated = 0;
        return status;
    }
    DriverObject->DeviceObject = Device;
    /* Direct I/O is selected to match METHOD_IN_DIRECT on the IOCTL. */
    Device->Flags = (Device->Flags & ~DO_DEVICE_INITIALIZING) | DO_DIRECT_IO;
    g_IsCreated = 1;
    return STATUS_SUCCESS;
}
/* Unload routine: removes the symbolic link and the device, but only if MyCreateDevice completed. */
VOID MyUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkName;
    PAGED_CODE();
    if (!g_IsCreated)
        return;
    RtlInitUnicodeString(&linkName, pUserDeviceName);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: every open succeeds with no per-handle state. */
NTSTATUS MyDispatchCreate(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;
    PAGED_CODE();
    UNREFERENCED_PARAMETER( DeviceObject );
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = status;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return status;
}
/* IRP_MJ_CLOSE: nothing to release, complete immediately. */
NTSTATUS MyDispatchClose(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;
    PAGED_CODE();
    UNREFERENCED_PARAMETER( DeviceObject );
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = status;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return status;
}
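/* Validate the caller-supplied WINDOWS_INFO pointer and run the walk under an exception handler.
   pwi comes straight from the IOCTL input buffer, i.e. it is an arbitrary value chosen by the
   caller; the original code dereferenced and wrote through it unchecked, which let any process
   with a handle to the device write into kernel memory.
   Returns STATUS_SUCCESS, or the exception code raised by ProbeForWrite (kernel-mode / misaligned
   address) or by a fault while the buffer is accessed. */
static NTSTATUS MyFillWindowsInfo(WINDOWS_INFO *pwi)
{
    NTSTATUS Status = STATUS_SUCCESS;
    DWORD count;
    PAGED_CODE();
    __try
    {
        /* Probe the fixed header first so in_count can be read, then the range the caller says
           it allocated. ProbeForWrite rejects anything at or above the user/kernel boundary. */
        ProbeForWrite(pwi, FIELD_OFFSET(WINDOWS_INFO, wic), sizeof(DWORD));
        count = pwi->in_count;
        /* The walkers never fill more than MAX_WND_COUNT cells, so probing beyond that is pointless
           and the multiplication below stays far from overflow. */
        if (count > MAX_WND_COUNT)
            count = MAX_WND_COUNT;
        ProbeForWrite(pwi, FIELD_OFFSET(WINDOWS_INFO, wic) + count * sizeof(WINDOW_INFO_CELL), sizeof(DWORD));
        /* The probe is a point-in-time check and the buffer stays writable by the caller, so any
           callee that re-reads in_count from it must treat the value as untrusted (TOCTOU). */
        get_all_windows_info(pwi);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        Status = GetExceptionCode();
    }
    return Status;
}

/* IRP_MJ_DEVICE_CONTROL dispatch. The only request is IOCTL_CODE_GET_WINDOWS_INFO, whose input
   buffer (SystemBuffer, METHOD_IN_DIRECT) holds a pointer to a caller-owned WINDOWS_INFO.
   Completion status: STATUS_NOT_IMPLEMENTED for a missing buffer or unknown code,
   STATUS_BUFFER_TOO_SMALL if the input cannot hold a pointer, otherwise the result of the walk.
   Irp->IoStatus.Information is always 0 — the output travels through the caller's own buffer. */
NTSTATUS MyDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
    PIO_STACK_LOCATION irpSp;
    PULONG inBuf;
    WINDOWS_INFO *pwi;
    NTSTATUS Status;
    PAGED_CODE();
    UNREFERENCED_PARAMETER( DeviceObject );
    irpSp = IoGetCurrentIrpStackLocation( Irp );
    inBuf = (PULONG) Irp->AssociatedIrp.SystemBuffer;
    Irp->IoStatus.Information = 0;
    if (inBuf == 0)
    {
        Irp->IoStatus.Status = STATUS_NOT_IMPLEMENTED;
        IoCompleteRequest (Irp, IO_NO_INCREMENT);
        return STATUS_NOT_IMPLEMENTED;
    }
    switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_CODE_GET_WINDOWS_INFO:
        /* Reading a pointer out of a shorter buffer would read past the I/O manager's copy. */
        if (irpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof(WINDOWS_INFO*))
        {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        pwi = ((WINDOWS_INFO**)inBuf)[0];
        Status = MyFillWindowsInfo(pwi);
        break;
    default:
        Status = STATUS_NOT_IMPLEMENTED;
        break;
    }
    Irp->IoStatus.Status = Status;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return Status;
}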
/* Depth-first walk of one Windows 2000 window block and the blocks it links to, appending every
   window not yet recorded to pwi->wic. The offsets below address the undocumented window object
   of that release and are not named anywhere in this file; treat each "presumably" as unconfirmed.
   sys_wnd_block       address of the block to examine (0 ends this branch)
   sys_wnd_block_addr  value every visited block must carry at offset 0xc (presumably its desktop);
                       blocks that do not match are not followed
   pwi                 caller-supplied result buffer; writing stops once out_count reaches in_count
   tmp_hWnds           scratch table: [0] = handles recorded so far, [1..MAX_WND_COUNT-1] = the handles
   NOTE(review): the recursion runs on the kernel stack, which is small; a very deep link chain could
   exhaust it — an explicit worklist would be safer. */
void get_windows_info_2K(DWORD sys_wnd_block, DWORD sys_wnd_block_addr, WINDOWS_INFO *pwi, DWORD *tmp_hWnds)
{
DWORD dw;
int i;
PAGED_CODE();
dw = tmp_hWnds[0];
/* Scratch table full (slots 1..MAX_WND_COUNT-1 are all used). */
if (dw == MAX_WND_COUNT - 1) return;
/* Caller's buffer full. */
if (pwi->out_count == pwi->in_count) return;
if (sys_wnd_block == 0) return;
/* Only blocks belonging to the same root as the starting point are examined. */
dw = ((DWORD*)(sys_wnd_block+0xc))[0];
if (dw != sys_wnd_block_addr) return;
/* Offset 8 is followed three levels deep below to obtain pid, so it must be non-null here. */
dw = ((DWORD*)(sys_wnd_block+8))[0];
if (dw == 0) return;
/* The first dword serves as the window handle; a block already in the table is skipped,
   which is also what stops cycles in the link structure. */
dw = ((DWORD*)sys_wnd_block)[0];
i = ScanDWORD((DWORD)(tmp_hWnds+1), MAX_WND_COUNT-1, dw);
/* ScanDWORD returns 0xffffffff when absent; the int comparison relies on that wrapping to -1. */
if (i == -1)
{
tmp_hWnds[0] ++;
tmp_hWnds[tmp_hWnds[0]] = dw;
/* Offset 0x5c is reported as wnd_proc; only windows whose procedure lies below the kernel
   boundary are recorded, the block's links are followed either way. */
dw = ((DWORD*)(sys_wnd_block+0x5c))[0];
if (dw < OSLowAddr)
{
i = pwi->out_count;
pwi->wic[i].hWnd = ((DWORD*)sys_wnd_block)[0];
pwi->wic[i].style = ((DWORD*)(sys_wnd_block+0x20))[0];
pwi->wic[i].left = ((DWORD*)(sys_wnd_block+0x3c))[0];
pwi->wic[i].top = ((DWORD*)(sys_wnd_block+0x40))[0];
pwi->wic[i].right = ((DWORD*)(sys_wnd_block+0x44))[0];
pwi->wic[i].bottom = ((DWORD*)(sys_wnd_block+0x48))[0];
pwi->wic[i].wnd_proc = ((DWORD*)(sys_wnd_block+0x5c))[0];
/* pid: block+8 -> *that -> +0x44 -> +0x9c. Only the first hop was null-checked; the
   intermediate pointers are dereferenced unchecked — presumed to end at the owning process id. */
dw = ((DWORD*)(sys_wnd_block+8))[0];
dw = ((DWORD*)dw)[0];
dw = ((DWORD*)(dw+0x44))[0];
dw = ((DWORD*)(dw+0x9c))[0];
pwi->wic[i].pid = dw;
pwi->out_count ++;
}
/* Four links at 0x2c..0x38 are followed in turn (presumably child / next / previous / owner — unconfirmed). */
get_windows_info_2K(((DWORD*)(sys_wnd_block+0x2c))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
get_windows_info_2K(((DWORD*)(sys_wnd_block+0x30))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
get_windows_info_2K(((DWORD*)(sys_wnd_block+0x34))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
get_windows_info_2K(((DWORD*)(sys_wnd_block+0x38))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
}
}
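/* Depth-first walk of one XP / Server 2003 window block and the blocks it links to, appending
   every window not yet recorded to pwi->wic. Same shape as get_windows_info_2K with that release's
   offsets; the offsets address an undocumented structure and each "presumably" is unconfirmed.
   sys_wnd_block       address of the block to examine (0 ends this branch)
   sys_wnd_block_addr  value every visited block must carry at offset 0xc (presumably its desktop)
   pwi                 caller-supplied result buffer; writing stops once out_count reaches in_count
   tmp_hWnds           scratch table: [0] = handles recorded so far, [1..MAX_WND_COUNT-1] = the handles
   Defect fixed: unlike the 2000 variant this walker had neither capacity check, so a desktop with
   more windows than the caller allowed for wrote past pwi->wic (caller-controlled memory) and, at
   MAX_WND_COUNT handles, past the end of tmp_hWnds.
   NOTE(review): the recursion runs on the small kernel stack; an explicit worklist would be safer. */
void get_windows_info_XP_2003(DWORD sys_wnd_block, DWORD sys_wnd_block_addr, WINDOWS_INFO *pwi, DWORD *tmp_hWnds)
{
    DWORD dw;
    int i;
    PAGED_CODE();
    /* Scratch table full (slots 1..MAX_WND_COUNT-1 are all used). */
    if (tmp_hWnds[0] >= MAX_WND_COUNT - 1) return;
    /* Caller's buffer full; >= rather than == so an inconsistent pair of counts cannot run past the end. */
    if (pwi->out_count >= pwi->in_count) return;
    if (sys_wnd_block == 0) return;
    /* Only blocks belonging to the same root as the starting point are examined. */
    dw = ((DWORD*)(sys_wnd_block+0xc))[0];
    if (dw != sys_wnd_block_addr) return;
    /* Offset 8 is followed three levels deep below to obtain pid, so it must be non-null here. */
    dw = ((DWORD*)(sys_wnd_block+8))[0];
    if (dw == 0) return;
    /* The first dword serves as the window handle; a block already in the table is skipped,
       which is also what stops cycles in the link structure. */
    dw = ((DWORD*)sys_wnd_block)[0];
    i = ScanDWORD((DWORD)(tmp_hWnds+1), MAX_WND_COUNT-1, dw);
    /* ScanDWORD returns 0xffffffff when absent; the int comparison relies on that wrapping to -1. */
    if (i == -1)
    {
        tmp_hWnds[0] ++;
        tmp_hWnds[tmp_hWnds[0]] = dw;
        /* Offset 0x60 is reported as wnd_proc; only windows whose procedure lies below the kernel
           boundary are recorded, the block's links are followed either way. */
        dw = ((DWORD*)(sys_wnd_block+0x60))[0];
        if (dw < OSLowAddr)
        {
            i = pwi->out_count;
            pwi->wic[i].hWnd = ((DWORD*)sys_wnd_block)[0];
            pwi->wic[i].style = ((DWORD*)(sys_wnd_block+0x20))[0];
            pwi->wic[i].left = ((DWORD*)(sys_wnd_block+0x40))[0];
            pwi->wic[i].top = ((DWORD*)(sys_wnd_block+0x44))[0];
            pwi->wic[i].right = ((DWORD*)(sys_wnd_block+0x48))[0];
            pwi->wic[i].bottom = ((DWORD*)(sys_wnd_block+0x4c))[0];
            pwi->wic[i].wnd_proc = ((DWORD*)(sys_wnd_block+0x60))[0];
            /* pid: block+8 -> *that -> +0x44 -> +0x84. Only the first hop is null-checked; the
               intermediate pointers are dereferenced unchecked — presumed to end at the owning process id. */
            dw = ((DWORD*)(sys_wnd_block+8))[0];
            dw = ((DWORD*)dw)[0];
            dw = ((DWORD*)(dw+0x44))[0];
            dw = ((DWORD*)(dw+0x84))[0];
            pwi->wic[i].pid = dw;
            pwi->out_count ++;
        }
        /* Four links at 0x2c..0x38 are followed in turn (presumably child / next / previous / owner — unconfirmed). */
        get_windows_info_XP_2003(((DWORD*)(sys_wnd_block+0x2c))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
        get_windows_info_XP_2003(((DWORD*)(sys_wnd_block+0x30))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
        get_windows_info_XP_2003(((DWORD*)(sys_wnd_block+0x34))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
        get_windows_info_XP_2003(((DWORD*)(sys_wnd_block+0x38))[0], sys_wnd_block_addr, pwi, tmp_hWnds);
    }
}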
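/* Windows 2000 entry point of the walk: locates the root window block through the current thread
   and starts get_windows_info_2K from three links inside it (dword indices 12..14).
   fs:[124h] is the current thread on x86; the +124h and +30h hops are version-specific offsets
   into undocumented thread state — confirm against the target build.
   Defect fixed: the pointer loaded at +124h was dereferenced without a null check. It looks like
   the per-thread window state, which a thread that has never touched the window system would not
   have, so a non-GUI caller of the IOCTL could fault the kernel here. The asm now skips the final
   load when that pointer is 0, and the existing dw == 0 check returns. */
void get_all_windows_info_2K(WINDOWS_INFO *pwi, DWORD *tmp_hWnds)
{
    DWORD dw;
    PAGED_CODE();
    _asm
    {
        mov eax, dword ptr fs:[124h]
        mov eax, dword ptr [eax+124h]
        test eax, eax
        jz root_2k_done
        mov eax, dword ptr [eax+30h]
    root_2k_done:
        mov dw, eax
    }
    if (dw == 0) return;
    get_windows_info_2K(((DWORD*)dw)[12], dw, pwi, tmp_hWnds);
    get_windows_info_2K(((DWORD*)dw)[13], dw, pwi, tmp_hWnds);
    get_windows_info_2K(((DWORD*)dw)[14], dw, pwi, tmp_hWnds);
}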
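/* Windows XP entry point of the walk: locates the root window block through the current thread
   and starts get_windows_info_XP_2003 from three links inside it (dword indices 13..15).
   fs:[124h] is the current thread on x86; the +130h and +3ch hops are version-specific offsets
   into undocumented thread state — confirm against the target build.
   Defect fixed: the pointer loaded at +130h was dereferenced without a null check. It looks like
   the per-thread window state, which a thread that has never touched the window system would not
   have, so a non-GUI caller of the IOCTL could fault the kernel here. The asm now skips the final
   load when that pointer is 0, and the existing dw == 0 check returns. */
void get_all_windows_info_XP(WINDOWS_INFO *pwi, DWORD *tmp_hWnds)
{
    DWORD dw;
    PAGED_CODE();
    _asm
    {
        mov eax, dword ptr fs:[124h]
        mov eax, dword ptr [eax+130h]
        test eax, eax
        jz root_xp_done
        mov eax, dword ptr [eax+3ch]
    root_xp_done:
        mov dw, eax
    }
    if (dw == 0) return;
    get_windows_info_XP_2003(((DWORD*)dw)[13], dw, pwi, tmp_hWnds);
    get_windows_info_XP_2003(((DWORD*)dw)[14], dw, pwi, tmp_hWnds);
    get_windows_info_XP_2003(((DWORD*)dw)[15], dw, pwi, tmp_hWnds);
}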
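/* Server 2003 entry point of the walk: locates the root window block through the current thread
   and starts get_windows_info_XP_2003 from three links inside it (dword indices 12..14).
   fs:[124h] is the current thread on x86; the +14ch and +3ch hops are version-specific offsets
   into undocumented thread state — confirm against the target build.
   Defect fixed: the pointer loaded at +14ch was dereferenced without a null check. It looks like
   the per-thread window state, which a thread that has never touched the window system would not
   have, so a non-GUI caller of the IOCTL could fault the kernel here. The asm now skips the final
   load when that pointer is 0, and the existing dw == 0 check returns. */
void get_all_windows_info_2003(WINDOWS_INFO *pwi, DWORD *tmp_hWnds)
{
    DWORD dw;
    PAGED_CODE();
    _asm
    {
        mov eax, dword ptr fs:[124h]
        mov eax, dword ptr [eax+14ch]
        test eax, eax
        jz root_2003_done
        mov eax, dword ptr [eax+3ch]
    root_2003_done:
        mov dw, eax
    }
    if (dw == 0) return;
    get_windows_info_XP_2003(((DWORD*)dw)[12], dw, pwi, tmp_hWnds);
    get_windows_info_XP_2003(((DWORD*)dw)[13], dw, pwi, tmp_hWnds);
    get_windows_info_XP_2003(((DWORD*)dw)[14], dw, pwi, tmp_hWnds);
}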
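/* Fill pwi->wic with up to pwi->in_count windows reachable from the calling thread, using the
   walker for the detected OS, and set pwi->out_count to the number written. out_count stays 0 when
   no OS flag is set, in_count is 0, or an allocation fails.
   pwi is caller-controlled memory (MyDeviceControl takes the pointer from the IOCTL input), so
   in_count is read exactly once, capped, and the walk is done into a kernel-private copy that is
   copied out at the end. Without that, a concurrent writer could raise in_count after validation
   and push the walkers' writes past the range that was checked. */
void get_all_windows_info(WINDOWS_INFO *pwi)
{
    DWORD *tmp_hWnds;
    WINDOWS_INFO *kwi;
    DWORD count, bytes;
    PAGED_CODE();
    pwi->out_count = 0;
    count = pwi->in_count;
    if (count == 0) return;
    /* The walkers never record more than MAX_WND_COUNT-1 handles, so a larger request gains nothing
       and would only inflate the private copy (MAX_WND_COUNT cells is already 8 MB of paged pool on x86). */
    if (count > MAX_WND_COUNT) count = MAX_WND_COUNT;
    bytes = FIELD_OFFSET(WINDOWS_INFO, wic) + count * sizeof(WINDOW_INFO_CELL);
    kwi = (WINDOWS_INFO*)ExAllocatePool(PagedPool, bytes);
    if (kwi == 0) return;
    tmp_hWnds = (DWORD*)ExAllocatePool(PagedPool, sizeof(DWORD) * MAX_WND_COUNT);
    if (tmp_hWnds == 0)
    {
        ExFreePool(kwi);
        return;
    }
    /* tmp_hWnds[0] counts recorded handles; the walkers rely on the remaining slots starting at zero. */
    memset(tmp_hWnds, 0, sizeof(DWORD) * MAX_WND_COUNT);
    memset(kwi, 0, bytes);
    kwi->in_count = count;
    if (bIsWin2K) get_all_windows_info_2K(kwi, tmp_hWnds);
    else if (bIsWinXP) get_all_windows_info_XP(kwi, tmp_hWnds);
    else if (bIsWin2003) get_all_windows_info_2003(kwi, tmp_hWnds);
    /* Clamp defensively before copying out so the copy can never exceed the private buffer. */
    if (kwi->out_count > count) kwi->out_count = count;
    memcpy(pwi->wic, kwi->wic, kwi->out_count * sizeof(WINDOW_INFO_CELL));
    pwi->out_count = kwi->out_count;
    ExFreePool(tmp_hWnds);
    ExFreePool(kwi);
}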