#ifndef _HOOK_FILE_H
#define _HOOK_FILE_H
#include <ntddk.h>
// Win32-style constants and type aliases reproduced here because this header is
// built against the kernel-mode <ntddk.h>, which does not provide them.
#define MAX_PATH 260
// Access-mask bits used when opening thread/process objects (standard Win32 values).
#define THREAD_QUERY_INFORMATION (0x0040)
#define PROCESS_VM_READ (0x0010)
#define PROCESS_QUERY_INFORMATION (0x0400)
// MBR partition-type bytes this module recognises (compare with PARTITION_ENTRY.PartitionType).
#define PARTITION_TYPE_NTFS 0x07
#define PARTITION_TYPE_FAT32 0x0B
#define PARTITION_TYPE_FAT32_LBA 0x0C
// NOTE: BOOL is aliased to the kernel's BOOLEAN (a UCHAR), not the 4-byte Win32 BOOL;
// this affects the packed OS_OFFSET layout below, where bIsInit is the first member.
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * LPDWORD;
typedef DWORD * PDWORD;
// NOTE(review): <ntddk.h> already defines ULONG; this re-typedef is only accepted
// because the type is identical -- confirm it does not warn on the target toolchain.
typedef unsigned long ULONG;
typedef unsigned short WORD;
typedef unsigned char BYTE;
typedef unsigned int UINT;
#pragma pack( push ,1)
// One 16-byte entry of the MBR partition table (see MBR_SECTOR.Partition).
// The contents come straight from disk and are untrusted: callers should
// range-check StartLBA/TotalSector against the device size before using them.
typedef struct _PARTITION_ENTRY
{
UCHAR active; // boot indicator (whether this partition is bootable)
UCHAR StartHead; // starting head of the partition
UCHAR StartSector; // bits 7..6: high 2 bits of the starting cylinder; bits 5..0: starting sector
UCHAR StartCylinder; // low 8 bits of the starting cylinder
UCHAR PartitionType; // partition type byte (e.g. PARTITION_TYPE_NTFS)
UCHAR EndHead; // ending head of the partition
UCHAR EndSector; // bits 7..6: high 2 bits of the ending cylinder; bits 5..0: ending sector
UCHAR EndCylinder; // low 8 bits of the ending cylinder
ULONG StartLBA; // first sector of the partition (LBA)
ULONG TotalSector; // partition size in sectors
} PARTITION_ENTRY, *PPARTITION_ENTRY;
//==============================================================================
// Layout of the 512-byte Master Boot Record: 446 bytes of boot code, four
// 16-byte partition entries and the 2-byte signature (0xAA55 on a valid MBR).
// Read from sector 0 of the disk; treat as untrusted input.
typedef struct _MBR_SECTOR
{
UCHAR BootCode[446]; // boot loader code, opaque to this module
PARTITION_ENTRY Partition[4]; // primary partition table
USHORT Signature; // boot signature, expected to be 0xAA55
} MBR_SECTOR, *PMBR_SECTOR;
//==============================================================================
// Leading 40 bytes (under pack(1)) of a FAT/NTFS boot sector: the jump, the OEM
// name, the BIOS Parameter Block and the first field of the FAT32 extended BPB.
// The struct stops at SectorsPerFAT32; later EBPB fields are not mapped here.
typedef struct _BBR_SECTOR
{
USHORT JmpCode; // 2-byte jump instruction into the boot code
UCHAR NopCode; // 1-byte NOP pad so that the jump occupies 3 bytes in total
UCHAR OEMName[8]; // 8-byte OEM name
// BPB (BIOS Parameter Block) starts here
USHORT BytesPerSector; // bytes per sector (512, 1024, 2048 or 4096)
UCHAR SectorsPerCluster; // sectors per cluster (1, 2, 4, 8, 16, 32, 64, 128); the product with BytesPerSector must not exceed 32K (maximum cluster size)
USHORT ReservedSectors; // reserved sectors counted from the volume's first sector; must not be 0; usually 1 for FAT12/FAT16, typically 32 for FAT32
UCHAR NumberOfFATs; // number of FAT structures on the volume, normally 2 [NTFS does not use this field; must be 0]
USHORT RootEntries; // FAT12/FAT16: number of 32-byte root directory entries; FAT32: must be 0 [not used by NTFS]
USHORT NumberOfSectors16; // total sectors on the volume; may be 0, in which case NumberOfSectors32 must be non-zero; must be 0 for FAT32 [not used by FAT32/NTFS]
UCHAR MediaDescriptor; // media type
USHORT SectorsPerFAT16; // sectors occupied by one FAT (FAT12/FAT16); must be 0 on FAT32 volumes [not used by FAT32/NTFS]
USHORT SectorsPerTrack; // sectors per track, for INT 0x13
USHORT HeadsPerCylinder; // heads per cylinder, for INT 0x13
ULONG HiddenSectors; // hidden sectors preceding the partition that holds this FAT volume
ULONG NumberOfSectors32; // total sectors on the volume; non-zero for FAT32; FAT12/FAT16 use it when the count exceeds 65536 sectors [not used by NTFS]
// EBPB (Extended BIOS Parameter Block) starts here
ULONG SectorsPerFAT32; // FAT32: size of one FAT in sectors; SectorsPerFAT16 must then be 0
} BBR_SECTOR, *PBBR_SECTOR;
// Layout of one system service descriptor table entry (KeServiceDescriptorTable)
// as used here. The pointer-sized members mean this matches 32-bit x86 only;
// NOTE(review): x64 stores the service table as relative offsets -- confirm if ported.
typedef struct SystemServiceDescriptorTable
{
UINT *ServiceTableBase; // array of system-call handler addresses
UINT *ServiceCounterTableBase; // per-service call counters (presumably only populated on checked builds)
UINT NumberOfService; // number of entries in ServiceTableBase
UCHAR *ParameterTableBase; // per-service argument byte counts
}SystemServiceDescriptorTable,*PSystemServiceDescriptorTable;
// Current directory record embedded in RTL_USER_PROCESS_PARAMETERS.
typedef struct _CURDIR
{
UNICODE_STRING DosPath; // DOS-style path of the current directory
PVOID Handle; // handle to the directory object
}CURDIR, *PCURDIR;
// Per-drive-letter current directory record (16 bytes under pack(1)).
typedef struct _RTL_DRIVE_LETTER_CURDIR
{
WORD Flags;
WORD Length;
ULONG TimeStamp;
STRING DosPath; // ANSI path (STRING, not UNICODE_STRING)
}RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
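// Image of the x86 IDTR register as written by the SIDT instruction:
// a 16-bit table limit followed by a 32-bit linear base address.
// The surrounding #pragma pack(1) keeps it at the 6-byte size SIDT stores.
typedef struct _idtr
{
// Size of the IDT in bytes minus one. This is an unsigned 16-bit quantity;
// it was previously declared as a signed short, which reads as a negative
// value for any limit >= 0x8000 and would invert a bounds comparison.
unsigned short IDTLimit;
// Linear base address of the IDT (32-bit x86 layout; x64 uses a 64-bit base).
unsigned int IDTBase;
}IDTR,*PIDTR;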
// One 8-byte x86 gate descriptor as laid out in the Interrupt Descriptor Table.
// NOTE(review): bit-field allocation order within a byte is compiler-defined;
// this layout assumes low-to-high allocation (as MSVC does on x86) -- confirm.
typedef struct _IDTENTRY
{
unsigned short LowOffset; // handler address, bits 15..0
unsigned short selector; // code segment selector loaded on dispatch
unsigned char unused_lo; // reserved byte
unsigned char segment_type:4; //0x0E is an interrupt gate
unsigned char system_segment_flag:1; // 0 for a system (gate) descriptor
unsigned char DPL:2; // descriptor privilege level
unsigned char P:1; /* present */
unsigned short HiOffset; // handler address, bits 31..16
} IDTENTRY,*PIDTENTRY;
// User-mode process parameter block reached from the PEB (see OFFSET_PEB_ProcParam).
// Memory behind these UNICODE_STRINGs lives in the target process; dereference it
// only while attached to that process and validate Length/Buffer before reading.
// NOTE(review): CurrentDirectores is declared as a single record here although
// the public definition is an array; as the last member this does not shift
// any earlier offset, but indexing beyond element 0 is out of bounds of this type.
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID ConsoleHandle;
ULONG ConsoleFlags;
PVOID StandardInput;
PVOID StandardOutput;
PVOID StandardError;
CURDIR CurrentDirectory; // current directory of the process
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName; // full path of the process image
UNICODE_STRING CommandLine; // command line the process was started with
PVOID Environment;
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectores; // single entry only; see note above
}RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// Table of build-specific member offsets into undocumented kernel structures
// (EPROCESS, ETHREAD, KTHREAD, PEB). One instance exists per supported OS build
// (lpOFFSET_* below). Applying a table from the wrong build reads or writes
// unrelated kernel memory, so callers must select the table from the detected
// OS version, check bIsInit, and treat a value of (ULONG)-1 as "member absent".
typedef struct _OS_OFFSET
{
BOOL bIsInit; // TRUE once the table is populated (one byte, see BOOL alias)
// W2K SP4 WXP SP2 2K3 SP0
ULONG OFFSET_EPROCESS_PID; // 0x09C 0x084 0x084
ULONG OFFSET_EPROCESS_ActiveProcessLinks; // 0x0A0 0x088 0x088
ULONG OFFSET_EPROCESS_ParentPID; // 0x1C8 0x14C 0x128
ULONG OFFSET_EPROCESS_ImageFileName; // 0x1FC 0x174 0x154
ULONG OFFSET_EPROCESS_PEB; // 0x1B0 0x1B0 0x190
ULONG OFFSET_EPROCESS_ProcessExiting; // -1 (absent) 0x248 0x248
ULONG OFFSET_EPROCESS_ProcExitMask; // -1 (absent) 0x004 0x004
ULONG OFFSET_EPROCESS_ProcDelMask; // -1 (absent) 0x008 0x008
ULONG OFFSET_EPROCESS_ThreadListHead; // 0x270 0x190 0x170
ULONG OFFSET_ETHREAD_Cid; // 0x1E0 0x1EC 0x1F4
ULONG OFFSET_ETHREAD_StartAddress; // 0x230 0x224 0x22C
ULONG OFFSET_ETHREAD_W32StartAddress; // 0x234 0x228 0x230
ULONG OFFSET_ETHREAD_ThreadProcess; // 0x22C 0x220 0x228
ULONG OFFSET_ETHREAD_ThreadListEntry; // 0x240 0x22C 0x234
ULONG OFFSET_PEB_ProcParam; // 0x010 0x010 0x010
ULONG OFFSET_KTHREAD_WaitListEntry; // see per-build tables below
ULONG OFFSET_EPROCESS_ExitProcessCalled; // only for win2k 0x1aa; (ULONG)-1 elsewhere
// changed by doskey
ULONG CALLBACK_ID_CLIENTLOADLIBRARY; // 0x40 0x42; (ULONG)-1 where not supported
}OS_OFFSET, *POS_OFFSET;
// One loaded-module record as returned by ZwQuerySystemInformation with
// information class 11 (SystemModuleInformation); 32-bit layout.
typedef struct _SYSTEM_MODULE_INFORMATION {//Information Class 11
ULONG Reserved [2];
PVOID Base; // load address of the module
ULONG Size; // size of the mapped image in bytes
ULONG Flags;
USHORT Index; // index of this entry in the list
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset; // presumably the offset of the file-name part within ImageName -- verify
CHAR ImageName [256 ]; // module path; not guaranteed NUL-terminated by the caller's buffer, bound reads to 256
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
// Header of the SystemModuleInformation result buffer: the entry count followed
// by the first SYSTEM_MODULE_INFORMATION record. Further records follow smi
// contiguously; any loop over them must be bounded by both dwNumberOfModules
// and the size of the buffer actually returned.
typedef struct {
ULONG dwNumberOfModules; // number of records in the buffer
SYSTEM_MODULE_INFORMATION smi; // first record
} MODULES, *PMODULES;
#pragma pack(pop)
// Offsets for Windows 2000 SP4 (the _CN suffix presumably denotes the
// Chinese-language build). Positional initializer: the order must match
// OS_OFFSET member for member. (ULONG)-1 marks a member this build lacks.
const static OS_OFFSET lpOFFSET_W2K_SP4_CN =
{
TRUE, // bIsInit
0x09C, // OFFSET_EPROCESS_PID
0x0A0, // OFFSET_EPROCESS_ActiveProcessLinks
0x1C8, // OFFSET_EPROCESS_ParentPID
0x1FC, // OFFSET_EPROCESS_ImageFileName
0x1B0, // OFFSET_EPROCESS_PEB
(ULONG)-1, // OFFSET_EPROCESS_ProcessExiting (absent on W2K)
(ULONG)-1, // OFFSET_EPROCESS_ProcExitMask (absent on W2K)
(ULONG)-1, // OFFSET_EPROCESS_ProcDelMask (absent on W2K)
0x270, // OFFSET_EPROCESS_ThreadListHead
0x1E0, // OFFSET_ETHREAD_Cid
0x230, // OFFSET_ETHREAD_StartAddress
0x234, // OFFSET_ETHREAD_W32StartAddress
0x22C, // OFFSET_ETHREAD_ThreadProcess
0x240, // OFFSET_ETHREAD_ThreadListEntry
0x010, // OFFSET_PEB_ProcParam
0x05C, // OFFSET_KTHREAD_WaitListEntry
0x1aa, // OFFSET_EPROCESS_ExitProcessCalled (W2K only)
0x40, // CALLBACK_ID_CLIENTLOADLIBRARY
};
// Offsets for Windows XP SP1. Positional initializer: the order must match
// OS_OFFSET member for member. (ULONG)-1 marks a member this build lacks.
const static OS_OFFSET lpOFFSET_XP_SP1 =
{
TRUE, // bIsInit
0x084, // OFFSET_EPROCESS_PID
0x088, // OFFSET_EPROCESS_ActiveProcessLinks
0x14C, // OFFSET_EPROCESS_ParentPID
0x174, // OFFSET_EPROCESS_ImageFileName
0x1B0, // OFFSET_EPROCESS_PEB
0x248, // OFFSET_EPROCESS_ProcessExiting
0x004, // OFFSET_EPROCESS_ProcExitMask
0x008, // OFFSET_EPROCESS_ProcDelMask
0x190, // OFFSET_EPROCESS_ThreadListHead
0x1EC, // OFFSET_ETHREAD_Cid
0x224, // OFFSET_ETHREAD_StartAddress
0x228, // OFFSET_ETHREAD_W32StartAddress
0x220, // OFFSET_ETHREAD_ThreadProcess
0x22C, // OFFSET_ETHREAD_ThreadListEntry
0x010, // OFFSET_PEB_ProcParam
0x060, // OFFSET_KTHREAD_WaitListEntry
(ULONG)-1, // OFFSET_EPROCESS_ExitProcessCalled (W2K only)
0x42, // CALLBACK_ID_CLIENTLOADLIBRARY
};
// Offsets for Windows XP SP2. Every value matches lpOFFSET_XP_SP1; the table is
// kept separate so the two service packs can diverge without touching callers.
// Positional initializer: the order must match OS_OFFSET member for member.
const static OS_OFFSET lpOFFSET_XP_SP2 =
{
TRUE, // bIsInit
0x084, // OFFSET_EPROCESS_PID
0x088, // OFFSET_EPROCESS_ActiveProcessLinks
0x14C, // OFFSET_EPROCESS_ParentPID
0x174, // OFFSET_EPROCESS_ImageFileName
0x1B0, // OFFSET_EPROCESS_PEB
0x248, // OFFSET_EPROCESS_ProcessExiting
0x004, // OFFSET_EPROCESS_ProcExitMask
0x008, // OFFSET_EPROCESS_ProcDelMask
0x190, // OFFSET_EPROCESS_ThreadListHead
0x1EC, // OFFSET_ETHREAD_Cid
0x224, // OFFSET_ETHREAD_StartAddress
0x228, // OFFSET_ETHREAD_W32StartAddress
0x220, // OFFSET_ETHREAD_ThreadProcess
0x22C, // OFFSET_ETHREAD_ThreadListEntry
0x010, // OFFSET_PEB_ProcParam
0x060, // OFFSET_KTHREAD_WaitListEntry
(ULONG)-1, // OFFSET_EPROCESS_ExitProcessCalled (W2K only)
0x42, // CALLBACK_ID_CLIENTLOADLIBRARY
};
// Offsets for Windows Server 2003 RTM (no service pack). Positional initializer:
// the order must match OS_OFFSET member for member. (ULONG)-1 marks a member or
// callback id this build lacks; callers must check for it before use.
const static OS_OFFSET lpOFFSET_2K3_NOSP =
{
TRUE, // bIsInit
0x084, // OFFSET_EPROCESS_PID
0x088, // OFFSET_EPROCESS_ActiveProcessLinks
0x128, // OFFSET_EPROCESS_ParentPID
0x154, // OFFSET_EPROCESS_ImageFileName
0x190, // OFFSET_EPROCESS_PEB
0x248, // OFFSET_EPROCESS_ProcessExiting
0x004, // OFFSET_EPROCESS_ProcExitMask
0x008, // OFFSET_EPROCESS_ProcDelMask
0x170, // OFFSET_EPROCESS_ThreadListHead
0x1F4, // OFFSET_ETHREAD_Cid
0x22C, // OFFSET_ETHREAD_StartAddress
0x230, // OFFSET_ETHREAD_W32StartAddress
0x228, // OFFSET_ETHREAD_ThreadProcess
0x234, // OFFSET_ETHREAD_ThreadListEntry
0x010, // OFFSET_PEB_ProcParam
0x060, // OFFSET_KTHREAD_WaitListEntry
(ULONG)-1, // OFFSET_EPROCESS_ExitProcessCalled (W2K only)
(ULONG)-1, // CALLBACK_ID_CLIENTLOADLIBRARY (not provided for this build)
};
// Offsets for Windows Server 2003 SP1. Note that most EPROCESS/ETHREAD offsets
// differ from the RTM table above, so the two builds must be told apart at
// runtime. Positional initializer: the order must match OS_OFFSET member for
// member. (ULONG)-1 marks a member or callback id this build lacks.
const static OS_OFFSET lpOFFSET_2K3_SP1 =
{
TRUE, // bIsInit
0x094, // OFFSET_EPROCESS_PID
0x098, // OFFSET_EPROCESS_ActiveProcessLinks
0x138, // OFFSET_EPROCESS_ParentPID
0x164, // OFFSET_EPROCESS_ImageFileName
0x1A0, // OFFSET_EPROCESS_PEB
0x240, // OFFSET_EPROCESS_ProcessExiting
0x004, // OFFSET_EPROCESS_ProcExitMask
0x008, // OFFSET_EPROCESS_ProcDelMask
0x180, // OFFSET_EPROCESS_ThreadListHead
0x1e4, // OFFSET_ETHREAD_Cid
0x21C, // OFFSET_ETHREAD_StartAddress
0x220, // OFFSET_ETHREAD_W32StartAddress
0x218, // OFFSET_ETHREAD_ThreadProcess
0x224, // OFFSET_ETHREAD_ThreadListEntry
0x010, // OFFSET_PEB_ProcParam
0x060, // OFFSET_KTHREAD_WaitListEntry
(ULONG)-1, // OFFSET_EPROCESS_ExitProcessCalled (W2K only)
(ULONG)-1, // CALLBACK_ID_CLIENTLOADLIBRARY (not provided for this build)
};
const static OS_OFFSET lpOFFSET_VISTA_SP0 =
{
TRUE,
0x09C, // OFFSET_EPROCESS_PID
0x0A0, // OFFSET_EPROCESS_ActiveProcessLinks