📄 jiurll2glayoutsee.h
字号:
#include <windows.h>
typedef struct _MEMORY_INFO {
unsigned int ProcessId;
void* StartVa;
unsigned int nBytes;
} MEMORY_INFO, *PMEMORY_INFO;
typedef struct _VAD_HEADER {
/*00*/ PVOID StartVPN;
/*04*/ PVOID EndVPN;
/*08*/ _VAD_HEADER* ParentLink;
/*0C*/ _VAD_HEADER* LeftLink;
/*10*/ _VAD_HEADER* RightLink;
/*14*/ ULONG CommitCharge : 20;
/*14*/ ULONG Flags : 12;
/*18*/ PVOID ControlArea;
/*1C*/ PVOID FirstProtoPte;
/*20*/ PVOID LastPTE;
/*24*/ ULONG Unknown;
/*28*/ LIST_ENTRY Secured;
/*30*/ } VAD_HEADER, *PVAD_HEADER;
// -----------------------------------------------------------------
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)
#define FILE_ANY_ACCESS 0
#define METHOD_BUFFERED 0
#define FILE_DEVICE_JIURL 0x8000
#define JIURL_FUNCTION_BASE 0x0800
// 不用担心你的 IOCTL 的值与别人定义的值相同。
// 不要忘了,我们在应用程序中是要打开某个特定驱动程序的句柄的
// 所以这个值一定会发到你的驱动程序,由你的驱动程序来解释这个值
// -----------------------------------------------------------------
#define JIURL_IO(_code) \
CTL_CODE((FILE_DEVICE_JIURL), \
((JIURL_FUNCTION_BASE)+(_code)), \
(METHOD_BUFFERED), \
(FILE_ANY_ACCESS))
// -----------------------------------------------------------------
#define JIURL_PROCESS_MEM_OUTPUT JIURL_IO(0)
#define JIURL_PROCESS_NAME_OUTPUT JIURL_IO(1)
#define JIURL_PROCESS_VADROOT_OUTPUT JIURL_IO(2)
#define JIURL_PROCESS_PEB_OUTPUT JIURL_IO(3)
#define JIURL_ThreadListHead_OUTPUT JIURL_IO(4)
// -----------------------------------------------------------------
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _PEB_FREE_BLOCK {
_PEB_FREE_BLOCK *Next;
ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
typedef struct _RTL_DRIVE_LETTER_CURDIR {
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StdInputHandle;
HANDLE StdOutputHandle;
HANDLE StdErrorHandle;
UNICODE_STRING CurrentDirectoryPath;
HANDLE CurrentDirectoryHandle;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
PVOID Environment;
ULONG StartingPositionLeft;
ULONG StartingPositionTop;
ULONG Width;
ULONG Height;
ULONG CharWidth;
ULONG CharHeight;
ULONG ConsoleTextAttributes;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopName;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
typedef void **PPVOID;
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN Spare;
HANDLE Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA LoaderData;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PPEBLOCKROUTINE FastPebLockRoutine;
PPEBLOCKROUTINE FastPebUnlockRoutine;
ULONG EnvironmentUpdateCount;
PPVOID KernelCallbackTable;
PVOID EventLogSection;
PVOID EventLog;
PPEB_FREE_BLOCK FreeList;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[0x2];
PVOID ReadOnlySharedMemoryBase;
PVOID ReadOnlySharedMemoryHeap;
PPVOID ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
BYTE Spare2[0x4];
LARGE_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve;
ULONG HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PPVOID *ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
PVOID GdiDCAttributeList;
PVOID LoaderLock;
ULONG OSMajorVersion;
ULONG OSMinorVersion;
ULONG OSBuildNumber;
ULONG OSPlatformId;
ULONG ImageSubSystem;
ULONG ImageSubSystemMajorVersion;
ULONG ImageSubSystemMinorVersion;
ULONG GdiHandleBuffer[0x22];
ULONG PostProcessInitRoutine;
ULONG TlsExpansionBitmap;
BYTE TlsExpansionBitmapBits[0x80];
ULONG SessionId;
} PEB, *PPEB;
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
typedef struct _MyETHREAD {
char block1[0x20];
void *Teb; // +020
char block2[0x180];
struct _LIST_ENTRY ThreadListEntry; // +1a4
char block3[0x38];
DWORD UniqueThread; // +1e4
} MyETHREAD, *PMyETHREAD;
// -----------------------------------------------------------------
BOOL JiurlReadProcessMemory(
HANDLE hDevice,
DWORD pid,
LPVOID lpBaseAddress, // base of memory area
LPVOID lpBuffer, // data buffer
DWORD nSize, // number of bytes to read
LPDWORD lpNumberOfBytesRead // number of bytes read
);
BOOL JiurlGetProcessName(HANDLE hDevice, DWORD pid, LPVOID lpBuffer);
void JiurlLayoutSee(HANDLE hDevice,DWORD pid);
void JiurlVadSee( HANDLE hDevice, DWORD ProcessId );
void JiurlDumpVad(HANDLE hDevice, DWORD ProcessId, PVAD_HEADER pVad, DWORD level);
void JiurlPebSee(HANDLE hDevice,DWORD pid);
void JiurlProcessModulesSee(HANDLE hDevice, DWORD pid,
PPEB_LDR_DATA LoaderDataAddress);
void JiurlProcessParametersSee(HANDLE hDevice, DWORD pid,
PRTL_USER_PROCESS_PARAMETERS ProcessParameters);
void JiurlProcessHeapsSee(HANDLE hDevice, DWORD pid,
PPVOID ProcessHeaps,
DWORD MaximumNumberOfHeaps,
DWORD HeapSegmentReserve);
void JiurlPeSectionsSee(HANDLE hDevice, DWORD pid,PVOID BaseAddress);
void JiurlTebSee(HANDLE hDevice,DWORD pid);
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -