diff --git a/ProtectFilex86/FileProtectX86.c b/ProtectFilex86/FileProtectX86.c index 3f2d32a..7d8dcaa 100644 --- a/ProtectFilex86/FileProtectX86.c +++ b/ProtectFilex86/FileProtectX86.c @@ -1,17 +1,13 @@ #ifndef CXX_FILEPROTECTX86_H -# include "FileProtectX86.h" +# include "FileProtectX86.h" #endif - ULONG gC2pKeyCount = 0; PDRIVER_OBJECT gDriverObject = NULL; - - BOOLEAN bOk = FALSE; - ULONG_PTR IndexOffsetOfFunction = 0; ULONG_PTR SSDTDescriptor = 0; KIRQL Irql; 
@@ -22,869 +18,754 @@ pfnNtSetInformationFile Old_NtSetInformationFileWinXP = NULL; pfnNtDeleteFile Old_NtDeleteFileWinXP = NULL; //pfnNtCreateFile Old_NtCreateFileWinXP = NULL; pfnNtWriteFile Old_NtWriteFileWinXP = NULL; -NTSTATUS - DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath) +NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath) { - + ULONG i; + NTSTATUS status; - ULONG i; - NTSTATUS status; + // 填写所有的分发函数的指针 + for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) + { + DriverObject->MajorFunction[i] = c2pDispatchGeneral; + } + // 单独的填写一个Read分发函数。因为要的过滤就是读取来的按键信息 + // 其他的都不重要。这个分发函数单独写。 + DriverObject->MajorFunction[IRP_MJ_READ] = c2pDispatchRead; - // 填写所有的分发函数的指针 - for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) - { - DriverObject->MajorFunction[i] = c2pDispatchGeneral; - } + // 单独的填写一个IRP_MJ_POWER函数。这是因为这类请求中间要调用 + // 一个PoCallDriver和一个PoStartNextPowerIrp,比较特殊。 + DriverObject->MajorFunction [IRP_MJ_POWER] = c2pPower; - // 单独的填写一个Read分发函数。因为要的过滤就是读取来的按键信息 - // 其他的都不重要。这个分发函数单独写。 - DriverObject->MajorFunction[IRP_MJ_READ] = c2pDispatchRead; + // 我们想知道什么时候一个我们绑定过的设备被卸载了(比如从机器上 + // 被拔掉了?)所以专门写一个PNP(即插即用)分发函数 + DriverObject->MajorFunction [IRP_MJ_PNP] = c2pPnP; - // 单独的填写一个IRP_MJ_POWER函数。这是因为这类请求中间要调用 - // 一个PoCallDriver和一个PoStartNextPowerIrp,比较特殊。 - DriverObject->MajorFunction [IRP_MJ_POWER] = c2pPower; + // 卸载函数。 + DriverObject->DriverUnload = c2pUnload; + gDriverObject = DriverObject; + // 绑定所有键盘设备 + status =c2pAttachDevices(DriverObject, RegisterPath); - // 我们想知道什么时候一个我们绑定过的设备被卸载了(比如从机器上 - // 被拔掉了?)所以专门写一个PNP(即插即用)分发函数 - DriverObject->MajorFunction [IRP_MJ_PNP] = c2pPnP; + SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable"); + IndexOffsetOfFunction = 1; - // 卸载函数。 - DriverObject->DriverUnload = c2pUnload; - gDriverObject = DriverObject; - // 绑定所有键盘设备 - status =c2pAttachDevices(DriverObject, RegisterPath); + ulIndex = 
GetSSDTApiFunctionIndexFromNtdll("NtSetInformationFile"); + ulIndex1 = GetSSDTApiFunctionIndexFromNtdll("NtWriteFile"); + ulIndex2 = GetSSDTApiFunctionIndexFromNtdll("NtDeleteFile"); -#ifdef _WIN64 -// SSDTDescriptor = GetKeServiceDescriptorTable64(); //获取SSDT表 -// IndexOffsetOfFunction = 4; - -#else - SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable"); - IndexOffsetOfFunction = 1; -#endif - - ulIndex = GetSSDTApiFunctionIndexFromNtdll("NtSetInformationFile"); - ulIndex1 = GetSSDTApiFunctionIndexFromNtdll("NtWriteFile"); - ulIndex2 = GetSSDTApiFunctionIndexFromNtdll("NtDeleteFile"); - - HookSSDT(ulIndex); - HookWrite(ulIndex1); - HookDelete(ulIndex2); - - - return STATUS_SUCCESS; + HookSSDT(ulIndex); + HookWrite(ulIndex1); + HookDelete(ulIndex2); + return STATUS_SUCCESS; } NTSTATUS - c2pDevExtInit( - IN PC2P_DEV_EXT devExt, - IN PDEVICE_OBJECT pFilterDeviceObject, - IN PDEVICE_OBJECT pTargetDeviceObject, - IN PDEVICE_OBJECT pLowerDeviceObject ) + c2pDevExtInit( + IN PC2P_DEV_EXT devExt, + IN PDEVICE_OBJECT pFilterDeviceObject, + IN PDEVICE_OBJECT pTargetDeviceObject, + IN PDEVICE_OBJECT pLowerDeviceObject ) { - memset(devExt, 0, sizeof(C2P_DEV_EXT)); - devExt->NodeSize = sizeof(C2P_DEV_EXT); - devExt->pFilterDeviceObject = pFilterDeviceObject; - KeInitializeSpinLock(&(devExt->IoRequestsSpinLock)); - KeInitializeEvent(&(devExt->IoInProgressEvent), NotificationEvent, FALSE); - devExt->TargetDeviceObject = pTargetDeviceObject; - devExt->LowerDeviceObject = pLowerDeviceObject; - return( STATUS_SUCCESS ); + memset(devExt, 0, sizeof(C2P_DEV_EXT)); + devExt->NodeSize = sizeof(C2P_DEV_EXT); + devExt->pFilterDeviceObject = pFilterDeviceObject; + KeInitializeSpinLock(&(devExt->IoRequestsSpinLock)); + KeInitializeEvent(&(devExt->IoInProgressEvent), NotificationEvent, FALSE); + devExt->TargetDeviceObject = pTargetDeviceObject; + devExt->LowerDeviceObject = pLowerDeviceObject; + return( STATUS_SUCCESS ); } // 
这个函数经过改造。能打开驱动对象Kbdclass,然后绑定 // 它下面的所有的设备: NTSTATUS - c2pAttachDevices( - IN PDRIVER_OBJECT DriverObject, - IN PUNICODE_STRING RegistryPath - ) + c2pAttachDevices( + IN PDRIVER_OBJECT DriverObject, + IN PUNICODE_STRING RegistryPath + ) { - NTSTATUS status = 0; - UNICODE_STRING uniNtNameString; - PC2P_DEV_EXT devExt; - PDEVICE_OBJECT pFilterDeviceObject = NULL; - PDEVICE_OBJECT pTargetDeviceObject = NULL; - PDEVICE_OBJECT pLowerDeviceObject = NULL; + NTSTATUS status = 0; + UNICODE_STRING uniNtNameString; + PC2P_DEV_EXT devExt; + PDEVICE_OBJECT pFilterDeviceObject = NULL; + PDEVICE_OBJECT pTargetDeviceObject = NULL; + PDEVICE_OBJECT pLowerDeviceObject = NULL; - PDRIVER_OBJECT KbdDriverObject = NULL; + PDRIVER_OBJECT KbdDriverObject = NULL; - KdPrint(("MyAttach\n")); + KdPrint(("MyAttach\n")); - // 初始化一个字符串,就是Kdbclass驱动的名字。 - RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME); - // 请参照前面打开设备对象的例子。只是这里打开的是驱动对象。 - status = ObReferenceObjectByName ( - &uniNtNameString, - OBJ_CASE_INSENSITIVE, - NULL, - 0, - IoDriverObjectType, - KernelMode, - NULL, - &KbdDriverObject - ); - // 如果失败了就直接返回 - if(!NT_SUCCESS(status)) - { - KdPrint(("MyAttach: Couldn't get the MyTest Device Object\n")); - return( status ); - } - else - { - // 这个打开需要解应用。早点解除了免得之后忘记。 - ObDereferenceObject(DriverObject); - } + // 初始化一个字符串,就是Kdbclass驱动的名字。 + RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME); + // 请参照前面打开设备对象的例子。只是这里打开的是驱动对象。 + status = ObReferenceObjectByName ( + &uniNtNameString, + OBJ_CASE_INSENSITIVE, + NULL, + 0, + IoDriverObjectType, + KernelMode, + NULL, + &KbdDriverObject + ); + // 如果失败了就直接返回 + if(!NT_SUCCESS(status)) + { + KdPrint(("MyAttach: Couldn't get the MyTest Device Object\n")); + return( status ); + } + else + { + // 这个打开需要解应用。早点解除了免得之后忘记。 + ObDereferenceObject(DriverObject); + } - // 这是设备链中的第一个设备 - pTargetDeviceObject = KbdDriverObject->DeviceObject; - // 现在开始遍历这个设备链 - while (pTargetDeviceObject) - { - // 生成一个过滤设备,这是前面读者学习过的。这里的IN宏和OUT宏都是 - // 
空宏,只有标志性意义,表明这个参数是一个输入或者输出参数。 - status = IoCreateDevice( - IN DriverObject, - IN sizeof(C2P_DEV_EXT), - IN NULL, - IN pTargetDeviceObject->DeviceType, - IN pTargetDeviceObject->Characteristics, - IN FALSE, - OUT &pFilterDeviceObject - ); + // 这是设备链中的第一个设备 + pTargetDeviceObject = KbdDriverObject->DeviceObject; + // 现在开始遍历这个设备链 + while (pTargetDeviceObject) + { + // 生成一个过滤设备,这是前面读者学习过的。这里的IN宏和OUT宏都是 + // 空宏,只有标志性意义,表明这个参数是一个输入或者输出参数。 + status = IoCreateDevice( + IN DriverObject, + IN sizeof(C2P_DEV_EXT), + IN NULL, + IN pTargetDeviceObject->DeviceType, + IN pTargetDeviceObject->Characteristics, + IN FALSE, + OUT &pFilterDeviceObject + ); - // 如果失败了就直接退出。 - if (!NT_SUCCESS(status)) - { - KdPrint(("MyAttach: Couldn't create the MyFilter Filter Device Object\n")); - return (status); - } + // 如果失败了就直接退出。 + if (!NT_SUCCESS(status)) + { + KdPrint(("MyAttach: Couldn't create the MyFilter Filter Device Object\n")); + return (status); + } - // 绑定。pLowerDeviceObject是绑定之后得到的下一个设备。也就是 - // 前面常常说的所谓真实设备。 - pLowerDeviceObject = - IoAttachDeviceToDeviceStack(pFilterDeviceObject, pTargetDeviceObject); - // 如果绑定失败了,放弃之前的操作,退出。 - if(!pLowerDeviceObject) - { - KdPrint(("MyAttach: Couldn't attach to MyTest Device Object\n")); - IoDeleteDevice(pFilterDeviceObject); - pFilterDeviceObject = NULL; - return( status ); - } + // 绑定。pLowerDeviceObject是绑定之后得到的下一个设备。也就是 + // 前面常常说的所谓真实设备。 + pLowerDeviceObject = + IoAttachDeviceToDeviceStack(pFilterDeviceObject, pTargetDeviceObject); + // 如果绑定失败了,放弃之前的操作,退出。 + if(!pLowerDeviceObject) + { + KdPrint(("MyAttach: Couldn't attach to MyTest Device Object\n")); + IoDeleteDevice(pFilterDeviceObject); + pFilterDeviceObject = NULL; + return( status ); + } - // 设备扩展!下面要详细讲述设备扩展的应用。 - devExt = (PC2P_DEV_EXT)(pFilterDeviceObject->DeviceExtension); - c2pDevExtInit( - devExt, - pFilterDeviceObject, - pTargetDeviceObject, - pLowerDeviceObject ); + // 设备扩展!下面要详细讲述设备扩展的应用。 + devExt = (PC2P_DEV_EXT)(pFilterDeviceObject->DeviceExtension); + c2pDevExtInit( + devExt, + 
pFilterDeviceObject, + pTargetDeviceObject, + pLowerDeviceObject ); - // 下面的操作和前面过滤串口的操作基本一致。这里不再解释了。 - pFilterDeviceObject->DeviceType=pLowerDeviceObject->DeviceType; - pFilterDeviceObject->Characteristics=pLowerDeviceObject->Characteristics; - pFilterDeviceObject->StackSize=pLowerDeviceObject->StackSize+1; - pFilterDeviceObject->Flags |= pLowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE) ; - //next device - pTargetDeviceObject = pTargetDeviceObject->NextDevice; - } - return status; + // 下面的操作和前面过滤串口的操作基本一致。这里不再解释了。 + pFilterDeviceObject->DeviceType=pLowerDeviceObject->DeviceType; + pFilterDeviceObject->Characteristics=pLowerDeviceObject->Characteristics; + pFilterDeviceObject->StackSize=pLowerDeviceObject->StackSize+1; + pFilterDeviceObject->Flags |= pLowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE) ; + //next device + pTargetDeviceObject = pTargetDeviceObject->NextDevice; + } + return status; } VOID - c2pDetach(IN PDEVICE_OBJECT pDeviceObject) + c2pDetach(IN PDEVICE_OBJECT pDeviceObject) { - PC2P_DEV_EXT devExt; - BOOLEAN NoRequestsOutstanding = FALSE; - devExt = (PC2P_DEV_EXT)pDeviceObject->DeviceExtension; - __try - { - __try - { - IoDetachDevice(devExt->TargetDeviceObject); - devExt->TargetDeviceObject = NULL; - IoDeleteDevice(pDeviceObject); - devExt->pFilterDeviceObject = NULL; - DbgPrint(("Detach Finished\n")); - } - __except (EXCEPTION_EXECUTE_HANDLER){} - } - __finally{} - return; + PC2P_DEV_EXT devExt; + BOOLEAN NoRequestsOutstanding = FALSE; + devExt = (PC2P_DEV_EXT)pDeviceObject->DeviceExtension; + __try + { + __try + { + IoDetachDevice(devExt->TargetDeviceObject); + devExt->TargetDeviceObject = NULL; + IoDeleteDevice(pDeviceObject); + devExt->pFilterDeviceObject = NULL; + DbgPrint(("Detach Finished\n")); + } + __except (EXCEPTION_EXECUTE_HANDLER){} + } + __finally{} + return; } VOID - c2pUnload(IN PDRIVER_OBJECT DriverObject) + c2pUnload(IN PDRIVER_OBJECT DriverObject) { - PDEVICE_OBJECT 
DeviceObject; - PDEVICE_OBJECT OldDeviceObject; - PC2P_DEV_EXT devExt; + PDEVICE_OBJECT DeviceObject; + PDEVICE_OBJECT OldDeviceObject; + PC2P_DEV_EXT devExt; - LARGE_INTEGER lDelay; - PRKTHREAD CurrentThread; - //delay some time - lDelay = RtlConvertLongToLargeInteger(100 * DELAY_ONE_MILLISECOND); - CurrentThread = KeGetCurrentThread(); - // 把当前线程设置为低实时模式,以便让它的运行尽量少影响其他程序。 - KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY); + LARGE_INTEGER lDelay; + PRKTHREAD CurrentThread; + //delay some time + lDelay = RtlConvertLongToLargeInteger(100 * DELAY_ONE_MILLISECOND); + CurrentThread = KeGetCurrentThread(); + // 把当前线程设置为低实时模式,以便让它的运行尽量少影响其他程序。 + KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY); - UNREFERENCED_PARAMETER(DriverObject); - KdPrint(("DriverEntry unLoading...\n")); + UNREFERENCED_PARAMETER(DriverObject); + KdPrint(("DriverEntry unLoading...\n")); - // 遍历所有设备并一律解除绑定 - DeviceObject = DriverObject->DeviceObject; - while (DeviceObject) - { - // 解除绑定并删除所有的设备 - c2pDetach(DeviceObject); - DeviceObject = DeviceObject->NextDevice; - } - ASSERT(NULL == DriverObject->DeviceObject); + // 遍历所有设备并一律解除绑定 + DeviceObject = DriverObject->DeviceObject; + while (DeviceObject) + { + // 解除绑定并删除所有的设备 + c2pDetach(DeviceObject); + DeviceObject = DeviceObject->NextDevice; + } + ASSERT(NULL == DriverObject->DeviceObject); - while (gC2pKeyCount) - { - KeDelayExecutionThread(KernelMode, FALSE, &lDelay); - } + while (gC2pKeyCount) + { + KeDelayExecutionThread(KernelMode, FALSE, &lDelay); + } - UnHookSSDT(ulIndex); - UnHookSSDTWrite(ulIndex1); - UnHookSSDTDelete(ulIndex2); - KdPrint(("DriverEntry unLoad OK!\n")); - //return; + UnHookSSDT(ulIndex); + UnHookSSDTWrite(ulIndex1); + UnHookSSDTDelete(ulIndex2); + KdPrint(("DriverEntry unLoad OK!\n")); + //return; } //处理我们不关心的所有IRP NTSTATUS c2pDispatchGeneral( - IN PDEVICE_OBJECT DeviceObject, - IN PIRP Irp - ) + IN PDEVICE_OBJECT DeviceObject, + IN PIRP Irp + ) { - // 其他的分发函数,直接skip然后用IoCallDriver把IRP发送到真实设备 - // 的设备对象。 - 
KdPrint(("Other Diapatch!")); - IoSkipCurrentIrpStackLocation(Irp); - return IoCallDriver(((PC2P_DEV_EXT) - DeviceObject->DeviceExtension)->LowerDeviceObject, Irp); + // 其他的分发函数,直接skip然后用IoCallDriver把IRP发送到真实设备 + // 的设备对象。 + KdPrint(("Other Diapatch!")); + IoSkipCurrentIrpStackLocation(Irp); + return IoCallDriver(((PC2P_DEV_EXT) + DeviceObject->DeviceExtension)->LowerDeviceObject, Irp); } //只处理主功能号为IRP_MJ_POWER的IRP NTSTATUS c2pPower( - IN PDEVICE_OBJECT DeviceObject, - IN PIRP Irp - ) + IN PDEVICE_OBJECT DeviceObject, + IN PIRP Irp + ) { - PC2P_DEV_EXT devExt; - devExt = - (PC2P_DEV_EXT)DeviceObject->DeviceExtension; + PC2P_DEV_EXT devExt; + devExt = + (PC2P_DEV_EXT)DeviceObject->DeviceExtension; - PoStartNextPowerIrp( Irp ); - IoSkipCurrentIrpStackLocation( Irp ); - return PoCallDriver(devExt->LowerDeviceObject, Irp ); + PoStartNextPowerIrp( Irp ); + IoSkipCurrentIrpStackLocation( Irp ); + return PoCallDriver(devExt->LowerDeviceObject, Irp ); } //设备被拔出时,需解除绑定,并删除过滤设备 NTSTATUS c2pPnP( - IN PDEVICE_OBJECT DeviceObject, - IN PIRP Irp - ) + IN PDEVICE_OBJECT DeviceObject, + IN PIRP Irp + ) { - PC2P_DEV_EXT devExt; - PIO_STACK_LOCATION irpStack; - NTSTATUS status = STATUS_SUCCESS; - KIRQL oldIrql; - KEVENT event; + PC2P_DEV_EXT devExt; + PIO_STACK_LOCATION irpStack; + NTSTATUS status = STATUS_SUCCESS; + KIRQL oldIrql; + KEVENT event; - // 获得真实设备。 - devExt = (PC2P_DEV_EXT)(DeviceObject->DeviceExtension); - irpStack = IoGetCurrentIrpStackLocation(Irp); + // 获得真实设备。 + devExt = (PC2P_DEV_EXT)(DeviceObject->DeviceExtension); + irpStack = IoGetCurrentIrpStackLocation(Irp); - switch (irpStack->MinorFunction) - { - case IRP_MN_REMOVE_DEVICE: - KdPrint(("IRP_MN_REMOVE_DEVICE\n")); + switch (irpStack->MinorFunction) + { + case IRP_MN_REMOVE_DEVICE: + KdPrint(("IRP_MN_REMOVE_DEVICE\n")); - // 首先把请求发下去 - IoSkipCurrentIrpStackLocation(Irp); - IoCallDriver(devExt->LowerDeviceObject, Irp); - // 然后解除绑定。 - IoDetachDevice(devExt->LowerDeviceObject); - // 删除我们自己生成的虚拟设备。 - 
IoDeleteDevice(DeviceObject); - status = STATUS_SUCCESS; - break; + // 首先把请求发下去 + IoSkipCurrentIrpStackLocation(Irp); + IoCallDriver(devExt->LowerDeviceObject, Irp); + // 然后解除绑定。 + IoDetachDevice(devExt->LowerDeviceObject); + // 删除我们自己生成的虚拟设备。 + IoDeleteDevice(DeviceObject); + status = STATUS_SUCCESS; + break; - default: - // 对于其他类型的IRP,全部都直接下发即可。 - IoSkipCurrentIrpStackLocation(Irp); - status = IoCallDriver(devExt->LowerDeviceObject, Irp); - } - return status; + default: + // 对于其他类型的IRP,全部都直接下发即可。 + IoSkipCurrentIrpStackLocation(Irp); + status = IoCallDriver(devExt->LowerDeviceObject, Irp); + } + return status; } // 这是一个IRP完成回调函数的原型 NTSTATUS c2pReadComplete( - IN PDEVICE_OBJECT DeviceObject, - IN PIRP Irp, - IN PVOID Context - ) + IN PDEVICE_OBJECT DeviceObject, + IN PIRP Irp, + IN PVOID Context + ) { - POBJECT_NAME_INFORMATION ObjetNameInfor; - ULONG* ulProcessNameLen; - PIO_STACK_LOCATION IrpSp; - ULONG buf_len = 0; - PUCHAR buf = NULL; - size_t i; - ULONG numKeys = 0; - IrpSp = IoGetCurrentIrpStackLocation( Irp ); + POBJECT_NAME_INFORMATION ObjetNameInfor; + ULONG* ulProcessNameLen; + PIO_STACK_LOCATION IrpSp; + ULONG buf_len = 0; + PUCHAR buf = NULL; + size_t i; + ULONG numKeys = 0; + IrpSp = IoGetCurrentIrpStackLocation( Irp ); - // 如果这个请求是成功的。很显然,如果请求失败了,这么获取 - // 进一步的信息是没意义的。 - if( NT_SUCCESS( Irp->IoStatus.Status ) ) - { - PKEYBOARD_INPUT_DATA pKeyData; - // 获得读请求完成后输出的缓冲区 - buf = Irp->AssociatedIrp.SystemBuffer; - pKeyData = Irp->AssociatedIrp.SystemBuffer; + // 如果这个请求是成功的。很显然,如果请求失败了,这么获取 + // 进一步的信息是没意义的。 + if( NT_SUCCESS( Irp->IoStatus.Status ) ) + { + PKEYBOARD_INPUT_DATA pKeyData; + // 获得读请求完成后输出的缓冲区 + buf = Irp->AssociatedIrp.SystemBuffer; + pKeyData = Irp->AssociatedIrp.SystemBuffer; - // 获得这个缓冲区的长度。一般的说返回值有多长都保存在 - // Information中。 + // 获得这个缓冲区的长度。一般的说返回值有多长都保存在 + // Information中。 - - buf_len = Irp->IoStatus.Information; - numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA); - - __try - { + buf_len = Irp->IoStatus.Information; + 
numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA); - - if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)IrpSp->FileObject, &ObjetNameInfor))) - { - if(wcsstr(ObjetNameInfor->Name.Buffer,L"Shine.txt")!=0) - { - DbgPrint("aaaaaaa"); - } - } - } - __except(1) - { - DbgPrint("Exception:%x",GetExceptionCode()); - } - - - //通过EProcess获得进程名称 - - - for(i = 0; i < numKeys; i++) - { - // DbgPrint("%02X %d\n",pKeyData[i].MakeCode,pKeyData[i].Flags); - - if(pKeyData[i].MakeCode == 0x1d&&pKeyData[i].Flags ==KEY_MAKE) - { - //左Ctrl - bOk = TRUE; - } - - if(pKeyData[i].MakeCode == 0x2e&&pKeyData[i].Flags==KEY_MAKE&&bOk==TRUE) //按下 - { - pKeyData[i].MakeCode = 0x20; - bOk = FALSE; - DbgPrint("aaaaaaaaaaaaaa"); - } + __try + { + if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)IrpSp->FileObject, &ObjetNameInfor))) + { + if(wcsstr(ObjetNameInfor->Name.Buffer,L"Shine.txt")!=0) + { + DbgPrint("aaaaaaa"); + } + } + } + __except(1) + { + DbgPrint("Exception:%x",GetExceptionCode()); + } + //通过Process获得进程名称 + for(i = 0; i < numKeys; i++) + { + // DbgPrint("%02X %d\n",pKeyData[i].MakeCode,pKeyData[i].Flags); - } - //… 这里可以做进一步的处理。我这里很简单的打印出所有的扫 - // 描码。 + if(pKeyData[i].MakeCode == 0x1d && pKeyData[i].Flags == KEY_MAKE) + { + //左Ctrl + bOk = TRUE; + } + if(pKeyData[i].MakeCode == 0x2e && pKeyData[i].Flags == KEY_MAKE && bOk == TRUE ) //按下 + { + pKeyData[i].MakeCode = 0x20; + bOk = FALSE; + DbgPrint("aaaaaaaaaaaaaa"); + } + } + //… 这里可以做进一步的处理。我这里很简单的打印出所有的扫 + // 描码。 + // for(i=0;iPendingReturned ) - { - IoMarkIrpPending( Irp ); - } - return Irp->IoStatus.Status; + if( Irp->PendingReturned ) + { + IoMarkIrpPending( Irp ); + } + return Irp->IoStatus.Status; } NTSTATUS c2pDispatchRead( - IN PDEVICE_OBJECT DeviceObject, - IN PIRP Irp ) + IN PDEVICE_OBJECT DeviceObject, + IN PIRP Irp ) { - NTSTATUS status = STATUS_SUCCESS; - PC2P_DEV_EXT devExt; - PIO_STACK_LOCATION currentIrpStack; - KEVENT waitEvent; - KeInitializeEvent( &waitEvent, NotificationEvent, FALSE ); + 
NTSTATUS status = STATUS_SUCCESS; + PC2P_DEV_EXT devExt; + PIO_STACK_LOCATION currentIrpStack; + KEVENT waitEvent; + KeInitializeEvent( &waitEvent, NotificationEvent, FALSE ); - if (Irp->CurrentLocation == 1) - { - ULONG ReturnedInformation = 0; - KdPrint(("Dispatch encountered bogus current location\n")); - status = STATUS_INVALID_DEVICE_REQUEST; - Irp->IoStatus.Status = status; - Irp->IoStatus.Information = ReturnedInformation; - IoCompleteRequest(Irp, IO_NO_INCREMENT); - return(status); - } + if (Irp->CurrentLocation == 1) + { + ULONG ReturnedInformation = 0; + KdPrint(("Dispatch encountered bogus current location\n")); + status = STATUS_INVALID_DEVICE_REQUEST; + Irp->IoStatus.Status = status; + Irp->IoStatus.Information = ReturnedInformation; + IoCompleteRequest(Irp, IO_NO_INCREMENT); + return(status); + } - // 全局变量键计数器加1 - gC2pKeyCount++; + // 全局变量键计数器加1 + gC2pKeyCount++; - // 得到设备扩展。目的是之后为了获得下一个设备的指针。 - devExt = - (PC2P_DEV_EXT)DeviceObject->DeviceExtension; + // 得到设备扩展。目的是之后为了获得下一个设备的指针。 + devExt = + (PC2P_DEV_EXT)DeviceObject->DeviceExtension; - // 设置回调函数并把IRP传递下去。 之后读的处理也就结束了。 - // 剩下的任务是要等待读请求完成。 - currentIrpStack = IoGetCurrentIrpStackLocation(Irp); - IoCopyCurrentIrpStackLocationToNext(Irp); - IoSetCompletionRoutine( Irp, c2pReadComplete, - DeviceObject, TRUE, TRUE, TRUE ); - return IoCallDriver( devExt->LowerDeviceObject, Irp ); + // 设置回调函数并把IRP传递下去。 之后读的处理也就结束了。 + // 剩下的任务是要等待读请求完成。 + currentIrpStack = IoGetCurrentIrpStackLocation(Irp); + IoCopyCurrentIrpStackLocationToNext(Irp); + IoSetCompletionRoutine( Irp, c2pReadComplete, + DeviceObject, TRUE, TRUE, TRUE ); + return IoCallDriver( devExt->LowerDeviceObject, Irp ); } - - - VOID HookSSDT(ULONG_PTR ulIndex) { + PULONG32 ServiceTableBase = NULL; + ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址 + Old_NtSetInformationFileWinXP = (pfnNtSetInformationFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址 - PULONG32 ServiceTableBase = NULL; - - ServiceTableBase = 
(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址 - - Old_NtSetInformationFileWinXP = (pfnNtSetInformationFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址 - - - WPOFF(); - ServiceTableBase[ulIndex] = (ULONG32)Fake_NtSetInformationFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中 - WPON(); - - + WPOFF(); + ServiceTableBase[ulIndex] = (ULONG32)Fake_NtSetInformationFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中 + WPON(); } VOID HookWrite(ULONG_PTR ulIndex) { - PULONG32 ServiceTableBase = NULL; - - ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址 - - Old_NtWriteFileWinXP = (pfnNtWriteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址 - - - WPOFF(); - ServiceTableBase[ulIndex] = (ULONG32)Fake_NtWriteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中 - WPON(); + PULONG32 ServiceTableBase = NULL; + ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址 + Old_NtWriteFileWinXP = (pfnNtWriteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址 + WPOFF(); + ServiceTableBase[ulIndex] = (ULONG32)Fake_NtWriteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中 + WPON(); } VOID HookDelete(ULONG_PTR ulIndex) { - PULONG32 ServiceTableBase = NULL; + PULONG32 ServiceTableBase = NULL; + ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址 + Old_NtDeleteFileWinXP = (pfnNtDeleteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址 - ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址 - - Old_NtDeleteFileWinXP = (pfnNtDeleteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址 - - - WPOFF(); - ServiceTableBase[ulIndex] = (ULONG32)Fake_NtDeleteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中 - WPON(); + WPOFF(); + ServiceTableBase[ulIndex] = (ULONG32)Fake_NtDeleteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中 + WPON(); } - - - VOID - UnHookSSDT(ULONG_PTR ulIndex) + UnHookSSDT(ULONG_PTR ulIndex) { - - PULONG32 ServiceTableBase = NULL; - 
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; - - WPOFF(); - ServiceTableBase[ulIndex] = (ULONG32)Old_NtSetInformationFileWinXP; - WPON(); + PULONG32 ServiceTableBase = NULL; + ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; + WPOFF(); + ServiceTableBase[ulIndex] = (ULONG32)Old_NtSetInformationFileWinXP; + WPON(); } - - VOID - UnHookSSDTWrite(ULONG_PTR ulIndex) + UnHookSSDTWrite(ULONG_PTR ulIndex) { - PULONG32 ServiceTableBase = NULL; - ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; + PULONG32 ServiceTableBase = NULL; + ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; - WPOFF(); - ServiceTableBase[ulIndex] = (ULONG32)Old_NtWriteFileWinXP; - WPON(); + WPOFF(); + ServiceTableBase[ulIndex] = (ULONG32)Old_NtWriteFileWinXP; + WPON(); } - - VOID - UnHookSSDTDelete(ULONG_PTR ulIndex) + UnHookSSDTDelete(ULONG_PTR ulIndex) { + PULONG32 ServiceTableBase = NULL; + ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; - PULONG32 ServiceTableBase = NULL; - ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; - - WPOFF(); - ServiceTableBase[ulIndex] = (ULONG32)Old_NtDeleteFileWinXP; - WPON(); - + WPOFF(); + ServiceTableBase[ulIndex] = (ULONG32)Old_NtDeleteFileWinXP; + WPON(); } - - - NTSTATUS Fake_NtSetInformationFileWinXP( - __in HANDLE FileHandle, - __out PIO_STATUS_BLOCK IoStatusBlock, - __in_bcount(Length) PVOID FileInformation, - __in ULONG Length, - __in FILE_INFORMATION_CLASS FileInformationClass - ) + __in HANDLE FileHandle, + __out PIO_STATUS_BLOCK IoStatusBlock, + __in_bcount(Length) PVOID FileInformation, + __in ULONG Length, + __in FILE_INFORMATION_CLASS FileInformationClass + ) { - NTSTATUS Status; - PFILE_OBJECT hObject; - POBJECT_NAME_INFORMATION ObjetNameInfor; + NTSTATUS Status; + PFILE_OBJECT hObject; + POBJECT_NAME_INFORMATION 
ObjetNameInfor; - Status = ObReferenceObjectByHandle(FileHandle,FILE_READ_DATA,0,KernelMode,&hObject, 0); - //通过进程句柄获取EProcess对象 + Status = ObReferenceObjectByHandle(FileHandle,FILE_READ_DATA,0,KernelMode,&hObject, 0); + //通过进程句柄获取EProcess对象 - if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)hObject, &ObjetNameInfor))) - { - if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt")) - { - if(FileInformationClass==FileRenameInformation) - { - return; - } - } - } + if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)hObject, &ObjetNameInfor))) + { + if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt")) + { + if(FileInformationClass == FileRenameInformation) + { + return STATUS_ACCESS_DENIED; + } + } + } - Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass); + return Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass); } NTSTATUS - Fake_NtWriteFileWinXP ( - __in HANDLE FileHandle, - __in_opt HANDLE Event, - __in_opt PIO_APC_ROUTINE ApcRoutine, - __in_opt PVOID ApcContext, - __out PIO_STATUS_BLOCK IoStatusBlock, - __in_bcount(Length) PVOID Buffer, - __in ULONG Length, - __in_opt PLARGE_INTEGER ByteOffset, - __in_opt PULONG Key - ) + Fake_NtWriteFileWinXP ( + __in HANDLE FileHandle, + __in_opt HANDLE Event, + __in_opt PIO_APC_ROUTINE ApcRoutine, + __in_opt PVOID ApcContext, + __out PIO_STATUS_BLOCK IoStatusBlock, + __in_bcount(Length) PVOID Buffer, + __in ULONG Length, + __in_opt PLARGE_INTEGER ByteOffset, + __in_opt PULONG Key + ) { + NTSTATUS Status; + PFILE_OBJECT hObject; + POBJECT_NAME_INFORMATION ObjetNameInfor; + Status = ObReferenceObjectByHandle(FileHandle,FILE_READ_DATA,0,KernelMode,&hObject, 0); + //通过进程句柄获取EProcess对象 - NTSTATUS Status; - PFILE_OBJECT hObject; - POBJECT_NAME_INFORMATION ObjetNameInfor; + if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)hObject, &ObjetNameInfor))) + { + if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt")) + { 
+ return STATUS_ACCESS_DENIED; + } + } - Status = ObReferenceObjectByHandle(FileHandle,FILE_READ_DATA,0,KernelMode,&hObject, 0); - //通过进程句柄获取EProcess对象 - - if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)hObject, &ObjetNameInfor))) - { - if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt")) - { - return; - } - } - - Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key); + return Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key); } NTSTATUS Fake_NtDeleteFileWinXP( - __in POBJECT_ATTRIBUTES ObjectAttributes - ) + __in POBJECT_ATTRIBUTES ObjectAttributes + ) { - if(wcsstr((ObjectAttributes->ObjectName)->Buffer,L"D:\\Shine.txt")) - { - return; - } - Old_NtDeleteFileWinXP(ObjectAttributes); - + if(wcsstr((ObjectAttributes->ObjectName)->Buffer,L"D:\\Shine.txt")) + { + return STATUS_ACCESS_DENIED; + } + return Old_NtDeleteFileWinXP(ObjectAttributes); } PVOID - GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName) + GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName) { - UNICODE_STRING uniFunctionName; - PVOID FunctionAddress = NULL; + UNICODE_STRING uniFunctionName; + PVOID FunctionAddress = NULL; - if (wzFunctionName && wcslen(wzFunctionName) > 0) - { - RtlInitUnicodeString(&uniFunctionName, wzFunctionName); - FunctionAddress = MmGetSystemRoutineAddress(&uniFunctionName); - } + if (wzFunctionName && wcslen(wzFunctionName) > 0) + { + RtlInitUnicodeString(&uniFunctionName, wzFunctionName); + FunctionAddress = MmGetSystemRoutineAddress(&uniFunctionName); + } - return FunctionAddress; + return FunctionAddress; } - -PVOID GetKeServiceDescriptorTable64() -{ - PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); - PUCHAR EndSearchAddress = StartSearchAddress + 0x500; - PUCHAR i = NULL; - UCHAR b1=0,b2=0,b3=0; - ULONG_PTR ulv1 = 0; - PVOID FunctionAddress = 0; - 
for(i=StartSearchAddress;iOptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){ + ExportTable =(IMAGE_EXPORT_DIRECTORY*)((ULONG_PTR)MapBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + FunctionAddresses = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfFunctions); + FunctionNames = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfNames); + FunctionIndexs = (USHORT*)((ULONG_PTR)MapBase + ExportTable->AddressOfNameOrdinals); + for(i = 0; i < ExportTable->NumberOfNames; i++) + { + szFunctionName = (LPSTR)((ULONG_PTR)MapBase + FunctionNames[i]); + if (_stricmp(szFunctionName, szFindFunctionName) == 0) + { + ulIndex = FunctionIndexs[i]; + ulFunctionAddress = (ULONG_PTR)((ULONG_PTR)MapBase + FunctionAddresses[ulIndex]); + ulIndex=*(ULONG*)(ulFunctionAddress+IndexOffsetOfFunction); + break; + } + } + } + }__except(EXCEPTION_EXECUTE_HANDLER) + { - return STATUS_UNSUCCESSFUL; + } + } - } - else - { - __try{ - NtHeader = RtlImageNtHeader(MapBase); - if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){ - ExportTable =(IMAGE_EXPORT_DIRECTORY*)((ULONG_PTR)MapBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - FunctionAddresses = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfFunctions); - FunctionNames = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfNames); - FunctionIndexs = (USHORT*)((ULONG_PTR)MapBase + ExportTable->AddressOfNameOrdinals); - for(i = 0; i < ExportTable->NumberOfNames; i++) - { - szFunctionName = (LPSTR)((ULONG_PTR)MapBase + FunctionNames[i]); - if (_stricmp(szFunctionName, szFindFunctionName) == 0) - { - ulIndex = FunctionIndexs[i]; - ulFunctionAddress = (ULONG_PTR)((ULONG_PTR)MapBase + FunctionAddresses[ulIndex]); - ulIndex=*(ULONG*)(ulFunctionAddress+IndexOffsetOfFunction); - break; - } - } - } - }__except(EXCEPTION_EXECUTE_HANDLER) - { + if (ulIndex == -1) + { + DbgPrint("%s Get 
Index Error\n", szFindFunctionName); + } - } - } - - if (ulIndex == -1) - { - DbgPrint("%s Get Index Error\n", szFindFunctionName); - } - - ZwUnmapViewOfSection(NtCurrentProcess(), MapBase); - return ulIndex; + ZwUnmapViewOfSection(NtCurrentProcess(), MapBase); + return ulIndex; } - - - - NTSTATUS - MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL, - OUT PVOID *BaseAddress, - OUT PSIZE_T ViewSize OPTIONAL) + MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL, + OUT PVOID *BaseAddress, + OUT PSIZE_T ViewSize OPTIONAL) { - NTSTATUS Status = STATUS_INVALID_PARAMETER; - HANDLE hFile = NULL; - HANDLE hSection = NULL; - OBJECT_ATTRIBUTES oa; - SIZE_T MapViewSize = 0; - IO_STATUS_BLOCK Iosb; - UNICODE_STRING uniFilePath; + NTSTATUS Status = STATUS_INVALID_PARAMETER; + HANDLE hFile = NULL; + HANDLE hSection = NULL; + OBJECT_ATTRIBUTES oa; + SIZE_T MapViewSize = 0; + IO_STATUS_BLOCK Iosb; + UNICODE_STRING uniFilePath; - if (!wzFilePath || !BaseAddress){ - return Status; - } + if (!wzFilePath || !BaseAddress){ + return Status; + } - RtlInitUnicodeString(&uniFilePath, wzFilePath); - InitializeObjectAttributes(&oa, - &uniFilePath, - OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, - NULL, - NULL - ); + RtlInitUnicodeString(&uniFilePath, wzFilePath); + InitializeObjectAttributes(&oa, + &uniFilePath, + OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, + NULL, + NULL + ); - Status = IoCreateFile(&hFile, - GENERIC_READ | SYNCHRONIZE, - &oa, - &Iosb, - NULL, - FILE_ATTRIBUTE_NORMAL, - FILE_SHARE_READ, - FILE_OPEN, - FILE_SYNCHRONOUS_IO_NONALERT, - NULL, - 0, - CreateFileTypeNone, - NULL, - IO_NO_PARAMETER_CHECKING - ); + Status = IoCreateFile(&hFile, + GENERIC_READ | SYNCHRONIZE, + &oa, + &Iosb, + NULL, + FILE_ATTRIBUTE_NORMAL, + FILE_SHARE_READ, + FILE_OPEN, + FILE_SYNCHRONOUS_IO_NONALERT, + NULL, + 0, + CreateFileTypeNone, + NULL, + IO_NO_PARAMETER_CHECKING + ); - if (!NT_SUCCESS(Status)) - { - return Status; - } + if (!NT_SUCCESS(Status)) + { + return Status; + } 
- oa.ObjectName = NULL; - Status = ZwCreateSection(&hSection, - SECTION_QUERY | SECTION_MAP_READ, - &oa, - NULL, - PAGE_WRITECOPY, - SEC_IMAGE, - hFile - ); - ZwClose(hFile); - if (!NT_SUCCESS(Status)) - { - return Status; + oa.ObjectName = NULL; + Status = ZwCreateSection(&hSection, + SECTION_QUERY | SECTION_MAP_READ, + &oa, + NULL, + PAGE_WRITECOPY, + SEC_IMAGE, + hFile + ); + ZwClose(hFile); + if (!NT_SUCCESS(Status)) + { + return Status; + } - } + if (!hProcess){ + hProcess = NtCurrentProcess(); + } - if (!hProcess){ - hProcess = NtCurrentProcess(); - } + Status = ZwMapViewOfSection(hSection, + hProcess, + BaseAddress, + 0, + 0, + 0, + ViewSize ? ViewSize : &MapViewSize, + ViewUnmap, + 0, + PAGE_WRITECOPY + ); + ZwClose(hSection); + if (!NT_SUCCESS(Status)) + { + return Status; + } - Status = ZwMapViewOfSection(hSection, - hProcess, - BaseAddress, - 0, - 0, - 0, - ViewSize ? ViewSize : &MapViewSize, - ViewUnmap, - 0, - PAGE_WRITECOPY - ); - ZwClose(hSection); - if (!NT_SUCCESS(Status)) - { - return Status; - } - - return Status; + return Status; } - - - - ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor) { - ULONG_PTR ServiceTableBase= 0 ; - PSYSTEM_SERVICE_TABLE32 SSDT = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor; + ULONG_PTR ServiceTableBase= 0 ; + PSYSTEM_SERVICE_TABLE32 SSDT = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor; - ServiceTableBase=(ULONG)(SSDT ->ServiceTableBase); + ServiceTableBase=(ULONG)(SSDT ->ServiceTableBase); - return (*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex)); + return (*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex)); } - - -ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor) -{ - LONG ulv1 = 0; - ULONG_PTR ulv2 = 0; - ULONG_PTR ServiceTableBase= 0 ; - PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor; - ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase); - ulv2 = ServiceTableBase + 4 * ulIndex; - ulv1 = *(PLONG)ulv2; - ulv1 = ulv1>>4; - 
return ServiceTableBase + (ULONG_PTR)ulv1; -} - - - VOID WPOFF() { - ULONG_PTR cr0 = 0; - Irql = KeRaiseIrqlToDpcLevel(); - cr0 =__readcr0(); - cr0 &= 0xfffffffffffeffff; - __writecr0(cr0); - // _disable(); //这句话 屏蔽也没有啥 - + ULONG_PTR cr0 = 0; + Irql = KeRaiseIrqlToDpcLevel(); + cr0 =__readcr0(); + cr0 &= 0xfffffffffffeffff; + __writecr0(cr0); + //_disable(); } VOID WPON() { - - ULONG_PTR cr0=__readcr0(); - cr0 |= 0x10000; - // _enable(); //这句话 屏蔽也没有啥 - __writecr0(cr0); - KeLowerIrql(Irql); + ULONG_PTR cr0=__readcr0(); + cr0 |= 0x10000; + //_enable(); + __writecr0(cr0); + KeLowerIrql(Irql); } diff --git a/ProtectFilex86/FileProtectX86.h b/ProtectFilex86/FileProtectX86.h index 2fd5c67..c1ddd82 100644 --- a/ProtectFilex86/FileProtectX86.h +++ b/ProtectFilex86/FileProtectX86.h @@ -7,7 +7,7 @@ #include #include NTSTATUS - DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath); + DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath); #include 
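Review bot: In Fake_NtSetInformationFileWinXP and Fake_NtWriteFileWinXP the result of `ObReferenceObjectByHandle` is stored in `Status` but never checked, so an invalid or non-file handle arriving from user mode (the object-type argument is `0`, i.e. any type) leaves `hObject` indeterminate and it is then dereferenced inside `IoQueryFileDosDeviceName`; on the success path neither the reference on `hObject` nor the pool block returned in `ObjetNameInfor` is released, so every intercepted write or rename leaks both. The commit correctly adds the missing return values (`return STATUS_ACCESS_DENIED;` / `return Old_NtWriteFileWinXP(...)`), but the handle check and the cleanup are still absent; the rewrite below for Fake_NtWriteFileWinXP also passes `*IoFileObjectType` so non-file handles are rejected, and the same shape applies to Fake_NtSetInformationFileWinXP. Two smaller points in the same hunk: `HookSSDT`/`HookWrite`/`HookDelete` store into `ServiceTableBase[ulIndex]` without checking that the index is not the `-1` failure value printed by `GetSSDTApiFunctionIndexFromNtdll` nor that it is below `NumberOfServices`, and `c2pAttachDevices` calls `ObDereferenceObject(DriverObject)` although the object that was referenced is `KbdDriverObject`. `wcsstr` on `Name.Buffer` presumes a NUL-terminated buffer, which a UNICODE_STRING does not guarantee, so bounding the comparison by `Name.Length` would be safer — I have not confirmed what termination IoQueryFileDosDeviceName promises.
```c
NTSTATUS
    Fake_NtWriteFileWinXP (
        __in HANDLE FileHandle,
        /* … unchanged: remaining parameters … */
        __in_opt PULONG Key
        )
{
    NTSTATUS Status;
    PFILE_OBJECT hObject = NULL;
    POBJECT_NAME_INFORMATION ObjetNameInfor = NULL;
    BOOLEAN deny = FALSE;

    // Only accept file objects; a failed lookup must not leave hObject indeterminate.
    Status = ObReferenceObjectByHandle(FileHandle, FILE_READ_DATA, *IoFileObjectType, KernelMode, (PVOID *)&hObject, NULL);
    if (NT_SUCCESS(Status))
    {
        if (NT_SUCCESS(IoQueryFileDosDeviceName(hObject, &ObjetNameInfor)))
        {
            if (ObjetNameInfor->Name.Buffer && wcsstr(ObjetNameInfor->Name.Buffer, L"D:\\Shine.txt"))
            {
                deny = TRUE;
            }
            ExFreePool(ObjetNameInfor);   // the caller owns the block returned by IoQueryFileDosDeviceName
        }
        ObDereferenceObject(hObject);     // balance the reference taken above
    }
    if (deny)
    {
        return STATUS_ACCESS_DENIED;
    }
    return Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
}
```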
@@ -15,109 +15,101 @@ NTSTATUS
 #define SEC_IMAGE 0x01000000
-
-typedef struct _SYSTEM_SERVICE_TABLE64{
- PVOID ServiceTableBase;
- PVOID ServiceCounterTableBase;
- ULONG64 NumberOfServices;
- PVOID ParamTableBase;
-} SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;
-
 typedef struct _SYSTEM_SERVICE_TABLE32 {
- PVOID ServiceTableBase;
- PVOID ServiceCounterTableBase;
- ULONG32 NumberOfServices;
- PVOID ParamTableBase;
+ PVOID ServiceTableBase;
+ PVOID ServiceCounterTableBase;
+ ULONG32 NumberOfServices;
+ PVOID ParamTableBase;
 } SYSTEM_SERVICE_TABLE32, *PSYSTEM_SERVICE_TABLE32;
 typedef NTSTATUS
- (*pfnNtSetInformationFile) (
- __in HANDLE FileHandle,
- __out PIO_STATUS_BLOCK IoStatusBlock,
- __in_bcount(Length) PVOID FileInformation,
- __in ULONG Length,
- __in FILE_INFORMATION_CLASS FileInformationClass
- );
+ (*pfnNtSetInformationFile) (
+ __in HANDLE FileHandle,
+ __out PIO_STATUS_BLOCK IoStatusBlock,
+ __in_bcount(Length) PVOID FileInformation,
+ __in ULONG Length,
+ __in FILE_INFORMATION_CLASS FileInformationClass
+ );
 NTSTATUS Fake_NtSetInformationFileWinXP(
- __in HANDLE FileHandle,
- __out PIO_STATUS_BLOCK IoStatusBlock,
- __in_bcount(Length) PVOID FileInformation,
- __in ULONG Length,
- __in FILE_INFORMATION_CLASS FileInformationClass
- );
+ __in HANDLE FileHandle,
+ __out PIO_STATUS_BLOCK IoStatusBlock,
+ __in_bcount(Length) PVOID FileInformation,
+ __in ULONG Length,
+ __in FILE_INFORMATION_CLASS FileInformationClass
+ );
 typedef
- NTSTATUS
- (*pfnNtDeleteFile) (
- __in POBJECT_ATTRIBUTES ObjectAttributes
- );
+ NTSTATUS
+ (*pfnNtDeleteFile) (
+ __in POBJECT_ATTRIBUTES ObjectAttributes
+ );
 NTSTATUS Fake_NtDeleteFileWinXP(
- __in POBJECT_ATTRIBUTES ObjectAttributes
- );
+ __in POBJECT_ATTRIBUTES ObjectAttributes
+ );
 typedef NTSTATUS
- (*pfnNtWriteFile) (
- __in HANDLE FileHandle,
- __in_opt HANDLE Event,
- __in_opt PIO_APC_ROUTINE ApcRoutine,
- __in_opt PVOID ApcContext,
- __out PIO_STATUS_BLOCK IoStatusBlock,
- __in_bcount(Length) PVOID Buffer,
- __in ULONG Length,
- __in_opt PLARGE_INTEGER ByteOffset,
- __in_opt PULONG Key
- );
+ (*pfnNtWriteFile) (
+ __in HANDLE FileHandle,
+ __in_opt HANDLE Event,
+ __in_opt PIO_APC_ROUTINE ApcRoutine,
+ __in_opt PVOID ApcContext,
+ __out PIO_STATUS_BLOCK IoStatusBlock,
+ __in_bcount(Length) PVOID Buffer,
+ __in ULONG Length,
+ __in_opt PLARGE_INTEGER ByteOffset,
+ __in_opt PULONG Key
+ );
 NTSTATUS
- Fake_NtWriteFileWinXP (
- __in HANDLE FileHandle,
- __in_opt HANDLE Event,
- __in_opt PIO_APC_ROUTINE ApcRoutine,
- __in_opt PVOID ApcContext,
- __out PIO_STATUS_BLOCK IoStatusBlock,
- __in_bcount(Length) PVOID Buffer,
- __in ULONG Length,
- __in_opt PLARGE_INTEGER ByteOffset,
- __in_opt PULONG Key
- );
+ Fake_NtWriteFileWinXP (
+ __in HANDLE FileHandle,
+ __in_opt HANDLE Event,
+ __in_opt PIO_APC_ROUTINE ApcRoutine,
+ __in_opt PVOID ApcContext,
+ __out PIO_STATUS_BLOCK IoStatusBlock,
+ __in_bcount(Length) PVOID Buffer,
+ __in ULONG Length,
+ __in_opt PLARGE_INTEGER ByteOffset,
+ __in_opt PULONG Key
+ );
 typedef NTSTATUS (*pfnNtCreateFile) (
- __out PHANDLE FileHandle,
- __in ACCESS_MASK DesiredAccess,
- __in POBJECT_ATTRIBUTES ObjectAttributes,
- __out PIO_STATUS_BLOCK IoStatusBlock,
- __in_opt PLARGE_INTEGER AllocationSize,
- __in ULONG FileAttributes,
- __in ULONG ShareAccess,
- __in ULONG CreateDisposition,
- __in ULONG CreateOptions,
- __in_bcount_opt(EaLength) PVOID EaBuffer,
- __in ULONG EaLength
- );
+ __out PHANDLE FileHandle,
+ __in ACCESS_MASK DesiredAccess,
+ __in POBJECT_ATTRIBUTES ObjectAttributes,
+ __out PIO_STATUS_BLOCK IoStatusBlock,
+ __in_opt PLARGE_INTEGER AllocationSize,
+ __in ULONG FileAttributes,
+ __in ULONG ShareAccess,
+ __in ULONG CreateDisposition,
+ __in ULONG CreateOptions,
+ __in_bcount_opt(EaLength) PVOID EaBuffer,
+ __in ULONG EaLength
+ );
- NTSTATUS
- Fake_NtCreateFileWinXP (
- __out PHANDLE FileHandle,
- __in ACCESS_MASK DesiredAccess,
- __in POBJECT_ATTRIBUTES ObjectAttributes,
- __out PIO_STATUS_BLOCK IoStatusBlock,
- __in_opt PLARGE_INTEGER AllocationSize,
- __in ULONG FileAttributes,
- __in ULONG ShareAccess,
- __in ULONG CreateDisposition,
- __in ULONG CreateOptions,
- __in_bcount_opt(EaLength) PVOID EaBuffer,
- __in ULONG EaLength
- );
+ NTSTATUS
+ Fake_NtCreateFileWinXP (
+ __out PHANDLE FileHandle,
+ __in ACCESS_MASK DesiredAccess,
+ __in POBJECT_ATTRIBUTES ObjectAttributes,
+ __out PIO_STATUS_BLOCK IoStatusBlock,
+ __in_opt PLARGE_INTEGER AllocationSize,
+ __in ULONG FileAttributes,
+ __in ULONG ShareAccess,
+ __in ULONG CreateDisposition,
+ __in ULONG CreateOptions,
+ __in_bcount_opt(EaLength) PVOID EaBuffer,
+ __in ULONG EaLength
+ );
 VOID HookSSDT(ULONG_PTR ulIndex);
@@ -126,33 +118,30 @@ VOID HookWrite(ULONG_PTR ulIndex);
 VOID
- UnHookSSDTDelete(ULONG_PTR ulIndex);
+ UnHookSSDTDelete(ULONG_PTR ulIndex);
 VOID
- UnHookSSDTWrite(ULONG_PTR ulIndex);
+ UnHookSSDTWrite(ULONG_PTR ulIndex);
 VOID
- UnHookSSDT(ULONG_PTR ulIndex);
+ UnHookSSDT(ULONG_PTR ulIndex);
 VOID WPON();
 VOID WPOFF();
 LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName);
 NTSTATUS
- MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
- OUT PVOID *BaseAddress,
- OUT PSIZE_T ViewSize OPTIONAL);
+ MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
+ OUT PVOID *BaseAddress,
+ OUT PSIZE_T ViewSize OPTIONAL);
 NTSYSAPI
- PIMAGE_NT_HEADERS
- NTAPI
- RtlImageNtHeader(PVOID Base);
+ PIMAGE_NT_HEADERS
+ NTAPI
+ RtlImageNtHeader(PVOID Base);
 PVOID GetFunctionAddressByNameFromSSDT(CHAR* szFunctionName,ULONG_PTR SSDTDescriptor);
-ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
-PVOID GetKeServiceDescriptorTable64();
-
 ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
 PVOID
- GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);
+ GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);
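Review bot: The prototype of GetFunctionAddressByIndexFromSSDT32, which after this hunk drops the 64-bit accessor and GetKeServiceDescriptorTable64 is the only SSDT lookup left declared, states no precondition on ulIndex, and its body earlier in this diff computes `*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex)` without comparing ulIndex against the table's NumberOfServices. GetSSDTApiFunctionIndexFromNtdll is declared here as returning LONG; if it reports a lookup failure with a negative value, that value converted to ULONG_PTR indexes far outside the service table, so the header should at least document the requirement until the implementation checks it, e.g. `// ulIndex must be < NumberOfServices of the SYSTEM_SERVICE_TABLE32 at SSDTDescriptor; not range-checked by the callee`. The definition of GetKeServiceDescriptorTable64 is not visible in this diff; if it still exists in FileProtectX86.c, removing its declaration here leaves it without a prototype.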
@@ -163,18 +152,18 @@ PVOID
 typedef struct _C2P_DEV_EXT {
- // 这个结构的大小
- ULONG NodeSize;
- // 过滤设备对象
- PDEVICE_OBJECT pFilterDeviceObject;
- // 同时调用时的保护锁
- KSPIN_LOCK IoRequestsSpinLock;
- // 进程间同步处理
- KEVENT IoInProgressEvent;
- // 绑定的设备对象
- PDEVICE_OBJECT TargetDeviceObject;
- // 绑定前底层设备对象
- PDEVICE_OBJECT LowerDeviceObject;
+ // 这个结构的大小
+ ULONG NodeSize;
+ // 过滤设备对象
+ PDEVICE_OBJECT pFilterDeviceObject;
+ // 同时调用时的保护锁
+ KSPIN_LOCK IoRequestsSpinLock;
+ // 进程间同步处理
+ KEVENT IoInProgressEvent;
+ // 绑定的设备对象
+ PDEVICE_OBJECT TargetDeviceObject;
+ // 绑定前底层设备对象
+ PDEVICE_OBJECT LowerDeviceObject;
 } C2P_DEV_EXT, *PC2P_DEV_EXT;
 extern POBJECT_TYPE IoDriverObjectType;
@@ -191,65 +180,65 @@ extern POBJECT_TYPE IoDriverObjectType;
 // 这个函数是事实存在的,只是文档中没有公开。声明一下
 // 就可以直接使用了。
 NTSTATUS
- ObReferenceObjectByName(
- PUNICODE_STRING ObjectName,
- ULONG Attributes,
- PACCESS_STATE AccessState,
- ACCESS_MASK DesiredAccess,
- POBJECT_TYPE ObjectType,
- KPROCESSOR_MODE AccessMode,
- PVOID ParseContext,
- PVOID *Object
- );
+ ObReferenceObjectByName(
+ PUNICODE_STRING ObjectName,
+ ULONG Attributes,
+ PACCESS_STATE AccessState,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_TYPE ObjectType,
+ KPROCESSOR_MODE AccessMode,
+ PVOID ParseContext,
+ PVOID *Object
+ );
 NTSTATUS
- c2pDevExtInit(
- IN PC2P_DEV_EXT devExt,
- IN PDEVICE_OBJECT pFilterDeviceObject,
- IN PDEVICE_OBJECT pTargetDeviceObject,
- IN PDEVICE_OBJECT pLowerDeviceObject ) ;
+ c2pDevExtInit(
+ IN PC2P_DEV_EXT devExt,
+ IN PDEVICE_OBJECT pFilterDeviceObject,
+ IN PDEVICE_OBJECT pTargetDeviceObject,
+ IN PDEVICE_OBJECT pLowerDeviceObject ) ;
 NTSTATUS
- c2pAttachDevices(
- IN PDRIVER_OBJECT DriverObject,
- IN PUNICODE_STRING RegistryPath
- ) ;
+ c2pAttachDevices(
+ IN PDRIVER_OBJECT DriverObject,
+ IN PUNICODE_STRING RegistryPath
+ ) ;
 NTSTATUS c2pDispatchRead(
- IN PDEVICE_OBJECT DeviceObject,
- IN PIRP Irp ) ;
+ IN PDEVICE_OBJECT DeviceObject,
+ IN PIRP Irp ) ;
 NTSTATUS c2pReadComplete(
- IN PDEVICE_OBJECT DeviceObject,
- IN PIRP Irp,
- IN PVOID Context
- ) ;
+ IN PDEVICE_OBJECT DeviceObject,
+ IN PIRP Irp,
+ IN PVOID Context
+ ) ;
 NTSTATUS c2pPnP(
- IN PDEVICE_OBJECT DeviceObject,
- IN PIRP Irp
- ) ;
+ IN PDEVICE_OBJECT DeviceObject,
+ IN PIRP Irp
+ ) ;
 NTSTATUS c2pPower(
- IN PDEVICE_OBJECT DeviceObject,
- IN PIRP Irp
- ) ;
+ IN PDEVICE_OBJECT DeviceObject,
+ IN PIRP Irp
+ ) ;
 NTSTATUS c2pDispatchGeneral(
- IN PDEVICE_OBJECT DeviceObject,
- IN PIRP Irp
- ) ;
+ IN PDEVICE_OBJECT DeviceObject,
+ IN PIRP Irp
+ ) ;
 typedef struct _KEYBOARD_INPUT_DATA
 {
- USHORT UnitId;
- USHORT MakeCode;
- USHORT Flags;
- USHORT Reserved;
- ULONG ExtraInformation;
+ USHORT UnitId;
+ USHORT MakeCode;
+ USHORT Flags;
+ USHORT Reserved;
+ ULONG ExtraInformation;
 }KEYBOARD_INPUT_DATA,*PKEYBOARD_INPUT_DATA;
 //Flags可能取值
 #define KEY_MAKE 0
@@ -265,15 +254,15 @@ typedef struct _KEYBOARD_INPUT_DATA
 #define S_NUM 4
 extern
- UCHAR *
- PsGetProcessImageFileName(
- __in PEPROCESS Process
- );
+ UCHAR *
+ PsGetProcessImageFileName(
+ __in PEPROCESS Process
+ );
 VOID
- c2pUnload(IN PDRIVER_OBJECT DriverObject) ;
+ c2pUnload(IN PDRIVER_OBJECT DriverObject) ;
-#endif
+#endif
diff --git a/ProtectFilex86/common.h b/ProtectFilex86/common.h
index 50e7885..fc07f00 100644
--- a/ProtectFilex86/common.h
+++ b/ProtectFilex86/common.h
@@ -4,10 +4,10 @@
 * MODULE : common.h
 *
 * Command:
-* IOCTRL Common Header
+* IOCTRL Common Header
 *
 * Description:
-* Common data for the IoCtrl driver and application
+* Common data for the IoCtrl driver and application
 *
 ****************************************************************************************
 * Copyright (C) 2010 MZ.
diff --git a/ProtectFilex86/struct.h b/ProtectFilex86/struct.h
index 78d907a..0592e10 100644
--- a/ProtectFilex86/struct.h
+++ b/ProtectFilex86/struct.h
@@ -46,12 +46,12 @@ typedef BYTE BOOLEAN;
 #pragma pack(4)
 typedef struct _PEB_LDR_DATA {
- ULONG Length;
- BOOLEAN Initialized;
- PVOID SsHandle;
- LIST_ENTRY InLoadOrderModuleList;
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
+ ULONG Length;
+ BOOLEAN Initialized;
+ PVOID SsHandle;
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
 } PEB_LDR_DATA, *PPEB_LDR_DATA;
 #pragma pack()
@@ -66,106 +66,106 @@ typedef struct _PEB_ORIG {
 typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
 struct _PEB_FREE_BLOCK {
- struct _PEB_FREE_BLOCK *Next;
- ULONG Size;
+ struct _PEB_FREE_BLOCK *Next;
+ ULONG Size;
 };
 typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
 typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;
 typedef struct _RTL_DRIVE_LETTER_CURDIR {
- USHORT Flags;
- USHORT Length;
- ULONG TimeStamp;
- UNICODE_STRING DosPath;
+ USHORT Flags;
+ USHORT Length;
+ ULONG TimeStamp;
+ UNICODE_STRING DosPath;
 } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
 typedef struct _RTL_USER_PROCESS_PARAMETERS {
- ULONG MaximumLength;
- ULONG Length;
- ULONG Flags;
- ULONG DebugFlags;
- PVOID ConsoleHandle;
- ULONG ConsoleFlags;
- HANDLE StdInputHandle;
- HANDLE StdOutputHandle;
- HANDLE StdErrorHandle;
- UNICODE_STRING CurrentDirectoryPath;
- HANDLE CurrentDirectoryHandle;
- UNICODE_STRING DllPath;
- UNICODE_STRING ImagePathName;
- UNICODE_STRING CommandLine;
- PVOID Environment;
- ULONG StartingPositionLeft;
- ULONG StartingPositionTop;
- ULONG Width;
- ULONG Height;
- ULONG CharWidth;
- ULONG CharHeight;
- ULONG ConsoleTextAttributes;
- ULONG WindowFlags;
- ULONG ShowWindowFlags;
- UNICODE_STRING WindowTitle;
- UNICODE_STRING DesktopName;
- UNICODE_STRING ShellInfo;
- UNICODE_STRING RuntimeData;
- RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
+ ULONG MaximumLength;
+ ULONG Length;
+ ULONG Flags;
+ ULONG DebugFlags;
+ PVOID ConsoleHandle;
+ ULONG ConsoleFlags;
+ HANDLE StdInputHandle;
+ HANDLE StdOutputHandle;
+ HANDLE StdErrorHandle;
+ UNICODE_STRING CurrentDirectoryPath;
+ HANDLE CurrentDirectoryHandle;
+ UNICODE_STRING DllPath;
+ UNICODE_STRING ImagePathName;
+ UNICODE_STRING CommandLine;
+ PVOID Environment;
+ ULONG StartingPositionLeft;
+ ULONG StartingPositionTop;
+ ULONG Width;
+ ULONG Height;
+ ULONG CharWidth;
+ ULONG CharHeight;
+ ULONG ConsoleTextAttributes;
+ ULONG WindowFlags;
+ ULONG ShowWindowFlags;
+ UNICODE_STRING WindowTitle;
+ UNICODE_STRING DesktopName;
+ UNICODE_STRING ShellInfo;
+ UNICODE_STRING RuntimeData;
+ RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
 typedef struct _PEB {
- BOOLEAN InheritedAddressSpace;
- BOOLEAN ReadImageFileExecOptions;
- BOOLEAN BeingDebugged;
- BOOLEAN Spare;
- HANDLE Mutant;
- PVOID ImageBaseAddress;
- PPEB_LDR_DATA LoaderData;
- PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
- PVOID SubSystemData;
- PVOID ProcessHeap;
- PVOID FastPebLock;
- PPEBLOCKROUTINE FastPebLockRoutine;
- PPEBLOCKROUTINE FastPebUnlockRoutine;
- ULONG EnvironmentUpdateCount;
- PVOID *KernelCallbackTable;
- PVOID EventLogSection;
- PVOID EventLog;
- PPEB_FREE_BLOCK FreeList;
- ULONG TlsExpansionCounter;
- PVOID TlsBitmap;
- ULONG TlsBitmapBits[0x2];
- PVOID ReadOnlySharedMemoryBase;
- PVOID ReadOnlySharedMemoryHeap;
- PVOID *ReadOnlyStaticServerData;
- PVOID AnsiCodePageData;
- PVOID OemCodePageData;
- PVOID UnicodeCaseTableData;
- ULONG NumberOfProcessors;
- ULONG NtGlobalFlag;
- BYTE Spare2[0x4];
- LARGE_INTEGER CriticalSectionTimeout;
- ULONG HeapSegmentReserve;
- ULONG HeapSegmentCommit;
- ULONG HeapDeCommitTotalFreeThreshold;
- ULONG HeapDeCommitFreeBlockThreshold;
- ULONG NumberOfHeaps;
- ULONG MaximumNumberOfHeaps;
- PVOID **ProcessHeaps;
- PVOID GdiSharedHandleTable;
- PVOID ProcessStarterHelper;
- PVOID GdiDCAttributeList;
- PVOID LoaderLock;
- ULONG OSMajorVersion;
- ULONG OSMinorVersion;
- ULONG OSBuildNumber;
- ULONG OSPlatformId;
- ULONG ImageSubSystem;
- ULONG ImageSubSystemMajorVersion;
- ULONG ImageSubSystemMinorVersion;
- ULONG GdiHandleBuffer[0x22];
- ULONG PostProcessInitRoutine;
- ULONG TlsExpansionBitmap;
- BYTE TlsExpansionBitmapBits[0x80];
- ULONG SessionId;
+ BOOLEAN InheritedAddressSpace;
+ BOOLEAN ReadImageFileExecOptions;
+ BOOLEAN BeingDebugged;
+ BOOLEAN Spare;
+ HANDLE Mutant;
+ PVOID ImageBaseAddress;
+ PPEB_LDR_DATA LoaderData;
+ PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PVOID FastPebLock;
+ PPEBLOCKROUTINE FastPebLockRoutine;
+ PPEBLOCKROUTINE FastPebUnlockRoutine;
+ ULONG EnvironmentUpdateCount;
+ PVOID *KernelCallbackTable;
+ PVOID EventLogSection;
+ PVOID EventLog;
+ PPEB_FREE_BLOCK FreeList;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[0x2];
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID ReadOnlySharedMemoryHeap;
+ PVOID *ReadOnlyStaticServerData;
+ PVOID AnsiCodePageData;
+ PVOID OemCodePageData;
+ PVOID UnicodeCaseTableData;
+ ULONG NumberOfProcessors;
+ ULONG NtGlobalFlag;
+ BYTE Spare2[0x4];
+ LARGE_INTEGER CriticalSectionTimeout;
+ ULONG HeapSegmentReserve;
+ ULONG HeapSegmentCommit;
+ ULONG HeapDeCommitTotalFreeThreshold;
+ ULONG HeapDeCommitFreeBlockThreshold;
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PVOID **ProcessHeaps;
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ PVOID GdiDCAttributeList;
+ PVOID LoaderLock;
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ ULONG OSBuildNumber;
+ ULONG OSPlatformId;
+ ULONG ImageSubSystem;
+ ULONG ImageSubSystemMajorVersion;
+ ULONG ImageSubSystemMinorVersion;
+ ULONG GdiHandleBuffer[0x22];
+ ULONG PostProcessInitRoutine;
+ ULONG TlsExpansionBitmap;
+ BYTE TlsExpansionBitmapBits[0x80];
+ ULONG SessionId;
 } PEB, *PPEB;
 typedef struct _SYSTEM_PROCESS_INFORMATION {
@@ -214,36 +214,36 @@ typedef struct _SYSTEM_THREAD_INFORMATION {
 struct _SYSTEM_THREADS {
- LARGE_INTEGER KernelTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER CreateTime;
- ULONG WaitTime;
- PVOID StartAddress;
- CLIENT_ID ClientIs;
- KPRIORITY Priority;
- KPRIORITY BasePriority;
- ULONG ContextSwitchCount;
- ULONG ThreadState;
- KWAIT_REASON WaitReason;
+ LARGE_INTEGER KernelTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER CreateTime;
+ ULONG WaitTime;
+ PVOID StartAddress;
+ CLIENT_ID ClientIs;
+ KPRIORITY Priority;
+ KPRIORITY BasePriority;
+ ULONG ContextSwitchCount;
+ ULONG ThreadState;
+ KWAIT_REASON WaitReason;
 };
 struct _SYSTEM_PROCESSES {
- ULONG NextEntryDelta;
- ULONG ThreadCount;
- ULONG Reserved[6];
- LARGE_INTEGER CreateTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER KernelTime;
- UNICODE_STRING ProcessName;
- KPRIORITY BasePriority;
- ULONG ProcessId;
- ULONG InheritedFromProcessId;
- ULONG HandleCount;
- ULONG Reserved2[2];
- VM_COUNTERS VmCounters;
- IO_COUNTERS IoCounters; //windows 2000 only
- struct _SYSTEM_THREADS Threads[1];
+ ULONG NextEntryDelta;
+ ULONG ThreadCount;
+ ULONG Reserved[6];
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ProcessName;
+ KPRIORITY BasePriority;
+ ULONG ProcessId;
+ ULONG InheritedFromProcessId;
+ ULONG HandleCount;
+ ULONG Reserved2[2];
+ VM_COUNTERS VmCounters;
+ IO_COUNTERS IoCounters; //windows 2000 only
+ struct _SYSTEM_THREADS Threads[1];
 };
 typedef struct _HANDLE_TABLE_ENTRY_INFO
@@ -294,42 +294,42 @@ typedef struct _HANDLE_TABLE
 } HANDLE_TABLE, *PHANDLE_TABLE;
 typedef struct _OBJECT_TYPE_INITIALIZER {
- USHORT Length;
- BOOLEAN UseDefaultObject;
- BOOLEAN CaseInsensitive;
- ULONG InvalidAttributes;
- GENERIC_MAPPING GenericMapping;
- ULONG ValidAccessMask;
- BOOLEAN SecurityRequired;
- BOOLEAN MaintainHandleCount;
- BOOLEAN MaintainTypeList;
- POOL_TYPE PoolType;
- ULONG DefaultPagedPoolCharge;
- ULONG DefaultNonPagedPoolCharge;
- PVOID DumpProcedure;
- PVOID OpenProcedure;
- PVOID CloseProcedure;
- PVOID DeleteProcedure;
- PVOID ParseProcedure;
- PVOID SecurityProcedure;
- PVOID QueryNameProcedure;
- PVOID OkayToCloseProcedure;
+ USHORT Length;
+ BOOLEAN UseDefaultObject;
+ BOOLEAN CaseInsensitive;
+ ULONG InvalidAttributes;
+ GENERIC_MAPPING GenericMapping;
+ ULONG ValidAccessMask;
+ BOOLEAN SecurityRequired;
+ BOOLEAN MaintainHandleCount;
+ BOOLEAN MaintainTypeList;
+ POOL_TYPE PoolType;
+ ULONG DefaultPagedPoolCharge;
+ ULONG DefaultNonPagedPoolCharge;
+ PVOID DumpProcedure;
+ PVOID OpenProcedure;
+ PVOID CloseProcedure;
+ PVOID DeleteProcedure;
+ PVOID ParseProcedure;
+ PVOID SecurityProcedure;
+ PVOID QueryNameProcedure;
+ PVOID OkayToCloseProcedure;
 } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
 typedef struct _OBJECT_TYPE {
- ERESOURCE Mutex;
- LIST_ENTRY TypeList;
- UNICODE_STRING Name; // Copy from object header for convenience
- PVOID DefaultObject;
- ULONG Index;
- ULONG TotalNumberOfObjects;
- ULONG TotalNumberOfHandles;
- ULONG HighWaterNumberOfObjects;
- ULONG HighWaterNumberOfHandles;
- OBJECT_TYPE_INITIALIZER TypeInfo;
- ULONG Key;
- ERESOURCE ObjectLocks[4];
+ ERESOURCE Mutex;
+ LIST_ENTRY TypeList;
+ UNICODE_STRING Name; // Copy from object header for convenience
+ PVOID DefaultObject;
+ ULONG Index;
+ ULONG TotalNumberOfObjects;
+ ULONG TotalNumberOfHandles;
+ ULONG HighWaterNumberOfObjects;
+ ULONG HighWaterNumberOfHandles;
+ OBJECT_TYPE_INITIALIZER TypeInfo;
+ ULONG Key;
+ ERESOURCE ObjectLocks[4];
 } OBJECT_TYPE, *POBJECT_TYPE;
 typedef struct _OBJECT_DIRECTORY {
@@ -337,8 +337,8 @@ typedef struct _OBJECT_DIRECTORY {
 ULONG Lock;
 PVOID DeviceMap;
 ULONG SessionId;
- USHORT Reserved;
- USHORT SymbolicLinkUsageCount;
+ USHORT Reserved;
+ USHORT SymbolicLinkUsageCount;
 } OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
 /*
@@ -353,8 +353,8 @@ typedef enum _KAPC_ENVIRONMENT {
 typedef enum {
 OriginalApcEnvironment,
- AttachedApcEnvironment,
- CurrentApcEnvironment
+ AttachedApcEnvironment,
+ CurrentApcEnvironment
 } KAPC_ENVIRONMENT;
 //----------------------------------------------------
@@ -362,10 +362,10 @@ typedef enum
 NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
+ IN ULONG SystemInformationClass,
+ IN PVOID SystemInformation,
+ IN ULONG SystemInformationLength,
+ OUT PULONG ReturnLength);