📄 jiurll2glayoutsee.cpp
字号:
#include "JiurlL2gLayoutSee.h"
#include "JiurlCommon.h"
void RedLight()
{
printf("[");
printfcolor("\4",0xc);
printf("]");
}
void GreenLight()
{
printf("[");
printfcolor("\4",0xa);
printf("]");
}
void main()
{
int ret;
JiurlAbout();
printf("\n");
///////////////////////////////////////////////
char ServiceFile[256];
GetCurrentDirectory(256,ServiceFile);
sprintf(ServiceFile,"%s\\JiurlDriver.sys",ServiceFile);
SC_HANDLE schSCManager;
schSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
ret=InstallDriver(schSCManager,DRIVER_NAME,ServiceFile);
if(ret==0)
{
RemoveDriver (schSCManager,DRIVER_NAME);
RedLight();
printf(" Press any key to Exit\n");
getch();
return;
}
ret=StartDriver(schSCManager,DRIVER_NAME);
if(ret==0)
{
StopDriver (schSCManager,DRIVER_NAME);
RemoveDriver (schSCManager,DRIVER_NAME);
RedLight();
printf(" Press any key to Exit\n");
getch();
return;
}
GreenLight();
printf(" ServiceFile: %s\n",ServiceFile);
GreenLight();
printf(" CreateService SUCCESS StartService SUCCESS\n");
/////////////////////////////////////////
HANDLE hDevice;
hDevice= CreateFile("\\\\.\\JiurlSymbolicLink",
GENERIC_READ | GENERIC_WRITE,
0, // share mode none
NULL, // no security
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL ); // no template
if (hDevice == INVALID_HANDLE_VALUE)
{
RedLight();
printf(" Open JiurlSymbolicLink handle Error: %d\n",GetLastError() );
}
else
{
GreenLight();
printf(" Open JiurlSymbolicLink handle SUCCESS\n");
}
//getch();
printf("__________________________________________________\n");
/////////////////////////////////////////
HANDLE hOut;
hOut=GetStdHandle(STD_OUTPUT_HANDLE);
COORD dwSize;
dwSize.X=80;
dwSize.Y=3000;
SetConsoleScreenBufferSize(hOut,dwSize);
DWORD pid;
printf("ProcessId(Decimal): ");
scanf("%d",&pid);
JiurlLayoutSee(hDevice,pid);
/////////////////////////////////////////
printf("__________________________________________________\n\n");
ret = CloseHandle(hDevice);
if (ret==0)
{
RedLight();
printf(" CloseHandle Error: %d\n",GetLastError());
}
else
{
GreenLight();
printf(" CloseHandle SUCCESS\n");
}
/////////////////////////////////////////
StopDriver (schSCManager,DRIVER_NAME);
ret=RemoveDriver (schSCManager,DRIVER_NAME);
if(ret==0)
{
RedLight();
printf(" Press any key to Exit\n");
getch();
}
GreenLight();
printf(" DeleteService SUCCESS\n");
CloseServiceHandle (schSCManager);
/////////////////////////////////////////
printf("\n");
printfcolor(
" "" "
"PRESS ANY KEY TO EXIT .."" "
,0x70);
getch();
}
// -----------------------------------------------------------------
BOOL JiurlReadProcessMemory(
HANDLE hDevice,
DWORD pid,
LPVOID lpBaseAddress, // base of memory area
LPVOID lpBuffer, // data buffer
DWORD nSize, // number of bytes to read
LPDWORD lpNumberOfBytesRead // number of bytes read
)
{
MEMORY_INFO MemInfo;
MemInfo.ProcessId=pid;
MemInfo.StartVa=lpBaseAddress;
MemInfo.nBytes=nSize;
int ret;
ret=DeviceIoControl(
hDevice,
JIURL_PROCESS_MEM_OUTPUT,
&MemInfo,
sizeof(MemInfo),
lpBuffer,
nSize,
lpNumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
}
return ret;
}
// -----------------------------------------------------------------
BOOL JiurlGetProcessName(HANDLE hDevice, DWORD pid, LPVOID lpBuffer)
{
int ret;
DWORD NumberOfBytesRead;
ret=DeviceIoControl(
hDevice,
JIURL_PROCESS_NAME_OUTPUT,
&pid,
sizeof(pid),
lpBuffer,
16,
&NumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
}
if(NumberOfBytesRead!=16)
{
//printf("NumberOfBytesRead: %d\n",NumberOfBytesRead);//
ret=0;
}
return ret;
}
// -----------------------------------------------------------------
void JiurlLayoutSee(HANDLE hDevice,DWORD pid)
{
ULONG ret;
char ProcessName[16];
ret=JiurlGetProcessName(hDevice, pid,ProcessName);
if(ret==0)
printf("Get Process Name Error\n");
else
printf("%s:\n\n",ProcessName);
JiurlVadSee(hDevice,pid);
printf("\n");
printf("[");
printfcolor("\4",0xf);
printf("] ");
printf("Layout:\n\n");
JiurlPebSee(hDevice,pid);
JiurlTebSee(hDevice,pid);
}
// -----------------------------------------------------------------
void JiurlVadSee( HANDLE hDevice, DWORD ProcessId )
{
DWORD ret;
DWORD NumberOfBytesRead;
PVAD_HEADER VadRoot;
ret=DeviceIoControl(
hDevice,
JIURL_PROCESS_VADROOT_OUTPUT,
&ProcessId,
sizeof(ProcessId),
&VadRoot,
sizeof(VadRoot),
&NumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
return;
}
if(NumberOfBytesRead!=sizeof(VadRoot))
{
printf("NOT FOUND PROCESS\n");
return;
}
printf("[");
printfcolor("\4",0xf);
printf("] ");
printf("VADs:\n\n");
printf("#define MEM_IMAGE 0x001\n"
"#define MEM_PRIVATE 0x800\n"
"#define PAGE_READONLY 0x010\n"
"#define PAGE_READWRITE 0x040\n"
"#define PAGE_WRITECOPY 0x050\n"
"#define PAGE_EXECUTE 0x020\n"
"#define PAGE_EXECUTE_READ 0x030\n"
"#define PAGE_EXECUTE_READWRITE 0x060\n"
"#define PAGE_EXECUTE_WRITECOPY 0x070\n"
"\n");
JiurlDumpVad(hDevice,ProcessId,VadRoot,0);
}
// -----------------------------------------------------------------
void JiurlDumpVad(HANDLE hDevice, DWORD ProcessId, PVAD_HEADER pVad, DWORD level)
{
DWORD ret;
DWORD NumberOfBytesRead;
MEMORY_INFO MemInfo;
VAD_HEADER Vad;
MemInfo.ProcessId=ProcessId;
MemInfo.StartVa=pVad;
MemInfo.nBytes=sizeof(Vad);
ret=DeviceIoControl(
hDevice,
JIURL_PROCESS_MEM_OUTPUT,
&MemInfo,
sizeof(MemInfo),
&Vad,
sizeof(Vad),
&NumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
return;
}
if(NumberOfBytesRead!=sizeof(Vad))
{
printf("\nADDRESS 0x%08x IS NOT VALID\n",pVad);
return;
}
if(Vad.LeftLink!=NULL)
{
level++;
JiurlDumpVad(hDevice,ProcessId,Vad.LeftLink,level);
level--;
}
printf("0x%08x - 0x%08x ",
(DWORD)Vad.StartVPN*0x1000,(DWORD)Vad.EndVPN*0x1000+0x1000);
printf("Flags= 0x%03x",Vad.Flags);
printf("\n");
if(Vad.RightLink!=NULL)
{
level++;
JiurlDumpVad(hDevice,ProcessId,Vad.RightLink,level);
level--;
}
}
// -----------------------------------------------------------------
void JiurlPebSee(HANDLE hDevice,DWORD pid)
{
DWORD ret;
DWORD NumberOfBytesRead;
PVOID PebBase;
ret=DeviceIoControl(
hDevice,
JIURL_PROCESS_PEB_OUTPUT,
&pid,
sizeof(pid),
&PebBase,
sizeof(PebBase),
&NumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
return;
}
if(NumberOfBytesRead!=sizeof(PebBase))
{
printf("NOT FOUND PROCESS\n");
return;
}
if(PebBase==0)
{
printf("No PEB\n");
return;
}
DWORD Peb[1024];
void* pAddress;
DWORD nBytes;
DWORD BytesReturned;
pAddress=PebBase;
nBytes=4096;
JiurlReadProcessMemory(
hDevice,pid,pAddress,Peb,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
PPEB pPeb;
pPeb=(PPEB)Peb;
JiurlProcessParametersSee(hDevice, pid, pPeb->ProcessParameters);
JiurlProcessHeapsSee(hDevice, pid,(PPVOID)pPeb->ProcessHeaps,
pPeb->MaximumNumberOfHeaps,pPeb->HeapSegmentReserve);
JiurlProcessModulesSee(hDevice, pid, pPeb->LoaderData);
printf("0x%08x - 0x%08x PEB\n\n",pAddress,(char*)pAddress+0x1000);
}
// -----------------------------------------------------------------
void JiurlProcessModulesSee(HANDLE hDevice, DWORD pid,
PPEB_LDR_DATA LoaderDataAddress)
{
PEB_LDR_DATA LoaderData;
void* LdrDataAddress;
DWORD nBytes;
DWORD BytesReturned;
LdrDataAddress= LoaderDataAddress;
nBytes=sizeof(LoaderData);
JiurlReadProcessMemory(
hDevice,pid,LdrDataAddress,&LoaderData,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
}
///////////////////////////////////////
PLIST_ENTRY pModuleListHead , pModuleListEntry;
pModuleListHead=
(PLIST_ENTRY)((char*)LoaderDataAddress+0x14);
pModuleListEntry=
(PLIST_ENTRY)(LoaderData.InMemoryOrderModuleList.Blink);
LDR_MODULE Module;
char* ModuleAddress;
wchar_t NameBuf[256];
do
{
ModuleAddress=(char*)pModuleListEntry-8;
nBytes=sizeof(Module);
JiurlReadProcessMemory(
hDevice,pid,ModuleAddress,&Module,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
pModuleListEntry=Module.InMemoryOrderModuleList.Blink;
JiurlReadProcessMemory(
hDevice,pid,Module.BaseDllName.Buffer,NameBuf,sizeof(NameBuf),
&BytesReturned);
printf("0x%08x - 0x%08x %ws\n",
Module.BaseAddress,
(char*)Module.BaseAddress+Module.SizeOfImage,
NameBuf);
JiurlPeSectionsSee(hDevice,pid,Module.BaseAddress);
printf("\n");
}
while(pModuleListEntry!=pModuleListHead);
}
// -----------------------------------------------------------------
void JiurlProcessParametersSee(HANDLE hDevice, DWORD pid,
PRTL_USER_PROCESS_PARAMETERS ProcessParameters)
{
RTL_USER_PROCESS_PARAMETERS Parameters;
void* ParaAddress;
DWORD nBytes;
DWORD BytesReturned;
ParaAddress= ProcessParameters;
nBytes=sizeof(Parameters);
JiurlReadProcessMemory(
hDevice,pid,ParaAddress,&Parameters,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
}
printf("0x%08x - 0x%08x Environment\n",
Parameters.Environment,
(char*)Parameters.Environment+0x1000);
printf("\n");
printf("0x%08x - 0x%08x ProcessParameters\n",
ParaAddress,(char*)ParaAddress+Parameters.MaximumLength);
printf("\n");
}
// -----------------------------------------------------------------
void JiurlProcessHeapsSee(HANDLE hDevice, DWORD pid,
PPVOID ProcessHeaps,
DWORD MaximumNumberOfHeaps,
DWORD HeapSegmentReserve)
{
void* HeapsAddress;
DWORD nBytes;
DWORD BytesReturned;
DWORD* Heaps=(DWORD*)malloc(sizeof(PVOID)*MaximumNumberOfHeaps);
HeapsAddress= ProcessHeaps;
nBytes=MaximumNumberOfHeaps*sizeof(PVOID);
JiurlReadProcessMemory(
hDevice,pid,HeapsAddress,Heaps,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
}
unsigned int i=0;
while(Heaps[i]!=0)
{
printf("0x%08x - 0x%08x ProcessHeap %d\n",
Heaps[i],Heaps[i]+HeapSegmentReserve,i);
i++;
}
printf("\n");
free(Heaps);
}
// -----------------------------------------------------------------
void JiurlPeSectionsSee(HANDLE hDevice, DWORD pid,PVOID BaseAddress)
{
DWORD nBytes;
DWORD BytesReturned;
char pe[4096];
nBytes=4096;
JiurlReadProcessMemory(
hDevice,pid,BaseAddress,pe,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
PIMAGE_DOS_HEADER pDosHeader;
pDosHeader= (PIMAGE_DOS_HEADER)pe;
if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
{
printf("Not a PE File\n");
return;
}
PIMAGE_NT_HEADERS pNtHeader;
pNtHeader= (PIMAGE_NT_HEADERS)(pe+pDosHeader->e_lfanew);
if ( pNtHeader->Signature != IMAGE_NT_SIGNATURE)
{
printf("Not a PE File\n");
return;
}
PIMAGE_SECTION_HEADER section;
DWORD nSections;
DWORD i;
nSections= pNtHeader->FileHeader.NumberOfSections;
section=IMAGE_FIRST_SECTION(pNtHeader);
char SectionName[9];
memset(SectionName,0,9);
DWORD SectionStart,SectionEnd,SectionSize;
for (i=0; i<nSections; i++)
{
SectionSize=((section->Misc.VirtualSize)/0x1000)*0x1000;
if((section->Misc.VirtualSize)%0x1000)
{
SectionSize+=0x1000;
}
SectionStart= (DWORD)((char*)BaseAddress+section->VirtualAddress);
SectionEnd= SectionStart+SectionSize;
memcpy(SectionName,(char*)section->Name,8);
printf(" ");
printf("0x%08x - 0x%08x %s\n",
SectionStart,SectionEnd,SectionName);
section++;
}
}
// -----------------------------------------------------------------
void JiurlTebSee(HANDLE hDevice,DWORD pid)
{
DWORD ret;
DWORD nBytes;
DWORD BytesReturned;
DWORD NumberOfBytesRead;
PLIST_ENTRY pThreadListHead;
ret=DeviceIoControl(
hDevice,
JIURL_ThreadListHead_OUTPUT,
&pid,
sizeof(pid),
&pThreadListHead,
sizeof(pThreadListHead),
&NumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
return;
}
if(NumberOfBytesRead!=sizeof(pThreadListHead))
{
printf("NOT FOUND PROCESS\n");
return;
}
PLIST_ENTRY pThreadListEntry=NULL;
char* EthreadAddress;
MyETHREAD myEthread;
NT_TIB NtTib;
JiurlReadProcessMemory(
hDevice,pid,pThreadListHead,&pThreadListEntry,
sizeof(pThreadListEntry),&BytesReturned);
if(BytesReturned!=sizeof(pThreadListEntry))
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
do
{
EthreadAddress=(char*)pThreadListEntry-0x1a4;
nBytes=sizeof(myEthread);
JiurlReadProcessMemory(
hDevice,pid,EthreadAddress,&myEthread,
nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
pThreadListEntry=myEthread.ThreadListEntry.Flink;
JiurlReadProcessMemory(
hDevice,pid,myEthread.Teb,&NtTib,
sizeof(NtTib),&BytesReturned);
if(BytesReturned!=sizeof(NtTib))
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
printf("0x%08x - 0x%08x Stack Thread 0x%x\n",
NtTib.StackLimit,NtTib.StackBase,
myEthread.UniqueThread);
printf("0x%08x - 0x%08x TEB Thread 0x%x\n",
myEthread.Teb,(char*)myEthread.Teb+0x1000,
myEthread.UniqueThread);
printf("\n");
}
while(pThreadListEntry!=pThreadListHead);
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -