远程桌面 服务端全驱动(通信用NDIS HOOK,屏幕直接读显存)


    监控端代码采用 汇编 + Winsock,源代码如下:

 

  local         nNetTimeout,wsa:WSADATA,hScrDC,hMemDC,hBitmap,ScrnBufPoint
  
  PaketLen      equ 1000
.data
  bi            dd 28h,0,0,200 dup (0)
  Buffer        db PaketLen + 20 dup (0)
.code

  invoke WSAStartup,101h,addr wsa
  invoke socket,AF_INET,SOCK_DGRAM,0
  mov    ScrnSocket,eax
  invoke htons,65533
  mov    ScrnSin.sin_port,ax
  mov    ScrnSin.sin_family,AF_INET
  invoke bind,ScrnSocket,addr ScrnSin,SinSize
  mov    nNetTimeout,100                   ;以毫秒为单位设置recvfrom等待时限
  invoke setsockopt,ScrnSocket,SOL_SOCKET,SO_RCVTIMEO,addr nNetTimeout,sizeof nNetTimeout
  invoke sendto,ScrnSocket,addr Buffer,20,0,addr ScrnSin,SinSize ;把收到指令及参数回复对方
  .while ScreenStop                           ;死循环处理数据程序
         invoke RtlZeroMemory,addr Buffer,sizeof Buffer
         invoke recvfrom,ScrnSocket,addr Buffer,sizeof Buffer,0,addr ScrnSin,addr SinSize
         lea    edi,Buffer
         lea    esi,bi
         .if     eax == SOCKET_ERROR
                 ;invoke sendto,ScrnSocket,addr Buffer,20,0,addr ScrnSin,SinSize ;把收到指令及参数回复对方
                 .continue
         .endif
         .if     byte ptr [edi] == 0               ;设置屏幕参数
                 invoke RtlMoveMemory,addr bi,addr Buffer+1,200
                 invoke GlobalAlloc,GMEM_ZEROINIT,[esi+20]
                 mov    ScrnBufPoint,eax
                 invoke SetWindowPos,hScreen,0,0,0,[esi+04],[esi+08],SWP_SHOWWINDOW;根据大小显示窗口
                 invoke GetDC,hScreen
                 mov    hScrDC,eax
                 invoke CreateCompatibleBitmap,hScrDC,[esi+04],[esi+08]
                 mov    hBitmap,eax
                 invoke CreateCompatibleDC,hScrDC
                 mov    hMemDC,eax
                 mov    byte ptr [edi],1           ;改变指令为屏幕数据开始
         .elseif byte ptr [edi] == 1               ;屏幕数据开始
                 mov    byte ptr [edi],2           ;改变指令为屏幕屏幕数据收发
         .elseif byte ptr [edi] == 2               ;屏幕数据收发
                 mov    ebx,ScrnBufPoint           ;本地缓冲区
                 add    ebx,[edi+1]                ;分段指针
                 invoke RtlMoveMemory,ebx,addr Buffer+10,PaketLen
                 add    dword ptr[edi+1],PaketLen  ;调整到下一个分段
         .elseif byte ptr [edi] == 3               ;屏幕数据结束
                 mov    ebx,ScrnBufPoint           ;本地缓冲区
                 add    ebx,[edi+1]
                 invoke RtlMoveMemory,ebx,addr Buffer+10,dword ptr [edi+5]
                 invoke SetDIBits,hScrDC,hBitmap,0,[esi+08],ScrnBufPoint,addr bi,0
                 invoke SelectObject,hMemDC,hBitmap
                 mov    eax,[esi+08]
                 not    eax                        ;旋转180度 因为直接读显存的数据时,显存的屏幕数据是倒过来的。
                 invoke StretchBlt, hScrDC, 0, [esi+08], [esi+04], eax, hMemDC, 0, 0, [esi+04], [esi+08], SRCCOPY
                 ;invoke BitBlt,hScrDC,0,0,[esi+04],[esi+08],hMemDC,0,0,SRCCOPY
                 mov    byte ptr [edi],1           ;改变指令为屏幕数据开始
         .endif
         invoke sendto,ScrnSocket,addr Buffer,20,0,addr ScrnSin,SinSize ;把收到指令及参数回复对方
  .endw
