#include "JiurlVadSee.h"
#include "JiurlCommon.h"

#include <string.h>
// Writes a red "[x]" style status marker to stdout. The single "\4" byte
// is drawn by printfcolor with console attribute 0xc (presumably the OEM
// diamond glyph in light red); the brackets are plain text.
void RedLight()
{
    putchar('[');
    printfcolor("\4", 0xc);
    putchar(']');
}
// Writes a green "[x]" style status marker to stdout. Same shape as
// RedLight(), but the "\4" byte is coloured with attribute 0xa (light
// green); the brackets are plain text.
void GreenLight()
{
    putchar('[');
    printfcolor("\4", 0xa);
    putchar(']');
}
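// Prompts for a process id and detail level on stdin and dumps that
// process's VAD tree through the driver. Returns 1 if the walk could not
// be run (input rejected), 0 if it ran; returns 0 either way only when
// the driver was also removed cleanly.
static int PromptAndDumpVad(HANDLE hDevice)
{
    DWORD ProcessId = 0;
    DWORD Type = 0;

    printf("ProcessId(Decimal): ");
    // %lu matches DWORD (unsigned long on Windows); the old "%d" read a
    // signed int into an unsigned long. A rejected read left ProcessId
    // uninitialised, so check it.
    if (scanf("%lu", &ProcessId) != 1)
    {
        RedLight();
        printf(" ProcessId is not a decimal number\n");
        return 1;
    }

    printf("0 - Min Information 1 - Max Information\n");
    printf("Type: ");
    // Anything other than 0 or 1 -- including non-numeric input -- means "Min".
    if (scanf("%lu", &Type) != 1 || (Type != 0 && Type != 1))
    {
        Type = 0;
    }

    // Enlarge the console scroll-back so a big tree isn't lost off the top.
    HANDLE hOut = GetStdHandle(STD_OUTPUT_HANDLE);
    COORD dwSize;
    dwSize.X = 80;
    dwSize.Y = 2000;
    SetConsoleScreenBufferSize(hOut, dwSize);

    JiurlVadSee(hDevice, ProcessId, Type);
    return 0;
}

// Entry point: registers and starts JiurlDriver.sys from the current
// directory, opens its device, walks one process's VAD tree, then stops
// and deletes the service again. Exit code is 0 on full success, 1 if
// any step failed.
int main()
{
    int ret;
    int exitCode = 1;

    JiurlAbout();
    printf("\n");

    ///////////////////////////////////////////////
    // Build "<cwd>\JiurlDriver.sys". The directory and the file name are
    // joined with an explicit length check, instead of sprintf()-ing the
    // buffer into itself (overlapping source/destination is undefined
    // behaviour, and the old fixed 256-byte buffer could overflow on a
    // long path).
    //
    // NOTE(review): the driver image is taken from the *current
    // directory*, so whoever can write to the directory this tool is run
    // from can get their own JiurlDriver.sys loaded into the kernel.
    // Loading from the executable's own directory (GetModuleFileName)
    // would be safer -- confirm how the tool is deployed before changing.
    static const char DriverFileName[] = "\\JiurlDriver.sys";
    char ServiceFile[MAX_PATH];
    DWORD dirLen = GetCurrentDirectory(sizeof(ServiceFile), ServiceFile);
    // GetCurrentDirectory returns 0 on error, or the size it needed
    // (including the NUL) when the buffer was too small; sizeof(DriverFileName)
    // already counts the terminating NUL.
    if (dirLen == 0 || dirLen + sizeof(DriverFileName) > sizeof(ServiceFile))
    {
        RedLight();
        printf(" GetCurrentDirectory failed or path too long: %lu\n", GetLastError());
        printf(" Press any key to Exit\n");
        getch();
        return exitCode;
    }
    strcat(ServiceFile, DriverFileName);

    // NOTE(review): SC_MANAGER_ALL_ACCESS is more than creating, starting,
    // stopping and deleting one service should need (CONNECT |
    // CREATE_SERVICE would normally do); left as is until the Install/
    // Start/Stop/RemoveDriver helpers have been checked for what they use.
    SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (schSCManager == NULL)
    {
        RedLight();
        printf(" OpenSCManager Error: %lu\n", GetLastError());
        printf(" Press any key to Exit\n");
        getch();
        return exitCode;
    }

    // Install*/Start* return 0 on failure. Either failure is handled the
    // same way: undo whatever was registered and leave.
    ret = InstallDriver(schSCManager, DRIVER_NAME, ServiceFile);
    if (ret != 0)
    {
        ret = StartDriver(schSCManager, DRIVER_NAME);
    }
    if (ret == 0)
    {
        StopDriver(schSCManager, DRIVER_NAME);
        RemoveDriver(schSCManager, DRIVER_NAME);
        CloseServiceHandle(schSCManager);
        RedLight();
        printf(" Press any key to Exit\n");
        getch();
        return exitCode;
    }
    GreenLight();
    printf(" ServiceFile: %s\n", ServiceFile);
    GreenLight();
    printf(" CreateService SUCCESS StartService SUCCESS\n");

    /////////////////////////////////////////
    HANDLE hDevice = CreateFile("\\\\.\\JiurlSymbolicLink",
                                GENERIC_READ | GENERIC_WRITE,
                                0,                      // share mode none
                                NULL,                   // default security
                                OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL,
                                NULL);                  // no template
    printf("__________________________________________________\n");
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        // No device to talk to: skip the walk rather than issuing
        // DeviceIoControl on an invalid handle as the old code did.
        RedLight();
        printf(" Open JiurlSymbolicLink handle Error: %lu\n", GetLastError());
    }
    else
    {
        GreenLight();
        printf(" Open JiurlSymbolicLink handle SUCCESS\n");

        /////////////////////////////////////////
        exitCode = PromptAndDumpVad(hDevice);

        /////////////////////////////////////////
        printf("__________________________________________________\n\n");
        ret = CloseHandle(hDevice);
        if (ret == 0)
        {
            RedLight();
            printf(" CloseHandle Error: %lu\n", GetLastError());
            exitCode = 1;
        }
        else
        {
            GreenLight();
            printf(" CloseHandle SUCCESS\n");
        }
    }

    /////////////////////////////////////////
    // Always unload and unregister the driver, whatever happened above.
    StopDriver(schSCManager, DRIVER_NAME);
    ret = RemoveDriver(schSCManager, DRIVER_NAME);
    if (ret == 0)
    {
        // The old code printed the red marker and then fell through to
        // "DeleteService SUCCESS" anyway.
        RedLight();
        printf(" DeleteService FAILED\n");
        exitCode = 1;
    }
    else
    {
        GreenLight();
        printf(" DeleteService SUCCESS\n");
    }
    CloseServiceHandle(schSCManager);

    /////////////////////////////////////////
    printf("\n");
    printfcolor("  PRESS ANY KEY TO EXIT .. ", 0x70);
    getch();
    return exitCode;
}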
// -----------------------------------------------------------------
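// Looks up the VAD root of process `ProcessId` through the driver and
// dumps the tree: Type 0 prints one summary line per node, Type 1 the
// full per-node field dump. Any other Type prints nothing.
//
// The root pointer the driver returns is a kernel-mode address; it is
// handed straight back to the driver by the dump routines, which read
// kernel memory through IOCTL_MEM_OUTPUT.
void JiurlVadSee(HANDLE hDevice, DWORD ProcessId, DWORD Type)
{
    DWORD ret;
    DWORD NumberOfBytesRead = 0;
    PVAD_HEADER VadRoot = NULL;

    ret = DeviceIoControl(hDevice,
                          IOCTL_PROCESS_VADROOT_OUTPUT,
                          &ProcessId, sizeof(ProcessId),
                          &VadRoot, sizeof(VadRoot),
                          &NumberOfBytesRead,
                          NULL);
    if (ret == 0)
    {
        // %lu: GetLastError() is a DWORD.
        printf("DeviceIoControl Error: %lu\n", GetLastError());
        return;
    }
    // The driver signals "no such process" by returning fewer bytes than
    // a pointer (inferred from the original check).
    if (NumberOfBytesRead != sizeof(VadRoot))
    {
        printf("NOT FOUND PROCESS\n");
        return;
    }
    if (VadRoot == NULL)
    {
        // Presumably a process with no VADs; don't hand a NULL kernel
        // pointer to IOCTL_MEM_OUTPUT.
        printf("VAD TREE IS EMPTY\n");
        return;
    }

    if (Type == 0)
    {
        printf("Vad Level StartVPN EndVPN Commit Flags\n");
        JiurlDumpVad(hDevice, VadRoot, 0);
    }
    else if (Type == 1)
    {
        JiurlDumpVad2(hDevice, VadRoot, 0);
    }
}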
// -----------------------------------------------------------------
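// Upper bound on recursion depth while walking the tree. A balanced tree
// of any realistic size is far shallower than this; hitting the limit
// almost certainly means the links read from the kernel are corrupt or
// form a cycle, where the old unbounded recursion would have overflowed
// the stack. (Pre-Vista splay trees can be deep after sequential inserts;
// raise the bound if a genuine tree ever trips it.)
#define JIURL_VAD_MAX_DEPTH 4096

// Reads one VAD_HEADER at kernel address `pVad` into *out through
// IOCTL_MEM_OUTPUT. Returns 1 on success; on failure prints the reason
// (as the original inline code did) and returns 0.
//
// NOTE(review): nothing here validates the address -- the driver is
// trusted to reject what it cannot read, and a short read is reported as
// "NOT VALID". Since IOCTL_MEM_OUTPUT reads kernel memory at a
// caller-chosen address, who may open \\.\JiurlSymbolicLink is decided
// by the device object's security descriptor in the driver (not visible
// here) -- verify it is limited to administrators.
static int ReadVadHeader(HANDLE hDevice, PVAD_HEADER pVad, VAD_HEADER *out)
{
    MEMORY_INFO MemInfo;
    DWORD NumberOfBytesRead = 0;

    MemInfo.StartVa = pVad;
    MemInfo.nBytes = sizeof(*out);
    if (!DeviceIoControl(hDevice,
                         IOCTL_MEM_OUTPUT,
                         &MemInfo, sizeof(MemInfo),
                         out, sizeof(*out),
                         &NumberOfBytesRead,
                         NULL))
    {
        printf("DeviceIoControl Error: %lu\n", GetLastError());
        return 0;
    }
    if (NumberOfBytesRead != sizeof(*out))
    {
        printf("\nADDRESS 0x%08lx IS NOT VALID\n", (unsigned long)(ULONG_PTR)pVad);
        return 0;
    }
    return 1;
}

// Prints the "too deep" diagnostic used by both walkers.
static void ReportVadTooDeep(PVAD_HEADER pVad, ULONG level)
{
    printf("\nVAD TREE DEEPER THAN %d LEVELS AT 0x%08lx - STOPPING (CORRUPT OR CYCLIC LINKS?)\n",
           JIURL_VAD_MAX_DEPTH, (unsigned long)(ULONG_PTR)pVad);
    (void)level;
}

// In-order walk of the VAD tree rooted at `pVad`, printing one summary
// line per node: address, depth, StartVPN, EndVPN, CommitCharge, Flags.
// `level` is the depth of `pVad` (0 for the root).
void JiurlDumpVad(HANDLE hDevice, PVAD_HEADER pVad, ULONG level)
{
    VAD_HEADER Vad;

    if (level > JIURL_VAD_MAX_DEPTH)
    {
        ReportVadTooDeep(pVad, level);
        return;
    }
    if (!ReadVadHeader(hDevice, pVad, &Vad))
    {
        return;
    }

    if (Vad.LeftLink != NULL)
    {
        JiurlDumpVad(hDevice, Vad.LeftLink, level + 1);
    }
    // Pointer-sized fields go through ULONG_PTR so the cast is well-defined
    // whether the struct declares them as PVOID or ULONG.
    printf("0x%08lx [%2lu] 0x%05lx 0x%05lx %7lu %03lx\n",
           (unsigned long)(ULONG_PTR)pVad,
           (unsigned long)level,
           (unsigned long)(ULONG_PTR)Vad.StartVPN,
           (unsigned long)(ULONG_PTR)Vad.EndVPN,
           (unsigned long)Vad.CommitCharge,
           (unsigned long)Vad.Flags);
    if (Vad.RightLink != NULL)
    {
        JiurlDumpVad(hDevice, Vad.RightLink, level + 1);
    }
}
// -----------------------------------------------------------------
// In-order walk of the VAD tree rooted at `pVad`, printing the summary
// line plus every raw field of each node. The byte offsets in the field
// labels (/*00*/../*28*/) are the 32-bit layout the VAD_HEADER struct
// appears to have been reverse-engineered from. `level` is the depth of
// `pVad` (0 for the root).
void JiurlDumpVad2(HANDLE hDevice, PVAD_HEADER pVad, ULONG level)
{
    VAD_HEADER Vad;

    if (level > JIURL_VAD_MAX_DEPTH)
    {
        ReportVadTooDeep(pVad, level);
        return;
    }
    if (!ReadVadHeader(hDevice, pVad, &Vad))
    {
        return;
    }

    if (Vad.LeftLink != NULL)
    {
        JiurlDumpVad2(hDevice, Vad.LeftLink, level + 1);
    }

    // VPN = virtual page number. The range covers 4 KiB pages, so the
    // first byte is StartVPN*0x1000 and the last byte is EndVPN*0x1000+0xFFF;
    // the arithmetic is done in DWORD exactly as the original did.
    DWORD startVa = (DWORD)(ULONG_PTR)Vad.StartVPN * 0x1000;
    DWORD endVa = (DWORD)(ULONG_PTR)Vad.EndVPN * 0x1000 + 0xFFF;

    printf("\n");
    printf("0x%08lx [%2lu] 0x%05lx 0x%05lx %7lu %03lx\n",
           (unsigned long)(ULONG_PTR)pVad,
           (unsigned long)level,
           (unsigned long)(ULONG_PTR)Vad.StartVPN,
           (unsigned long)(ULONG_PTR)Vad.EndVPN,
           (unsigned long)Vad.CommitCharge,
           (unsigned long)Vad.Flags);
    printf("StartVirtualAddress: 0x%08lx EndVirtualAddress: 0x%08lx\n",
           (unsigned long)startVa, (unsigned long)endVa);
    printf("/*00*/ PVOID StartVPN; = 0x%05lx\n", (unsigned long)(ULONG_PTR)Vad.StartVPN);
    printf("/*04*/ PVOID EndVPN; = 0x%05lx\n", (unsigned long)(ULONG_PTR)Vad.EndVPN);
    printf("/*08*/ _VAD_HEADER* ParentLink; = 0x%08lx\n", (unsigned long)(ULONG_PTR)Vad.ParentLink);
    printf("/*0C*/ _VAD_HEADER* LeftLink; = 0x%08lx\n", (unsigned long)(ULONG_PTR)Vad.LeftLink);
    printf("/*10*/ _VAD_HEADER* RightLink; = 0x%08lx\n", (unsigned long)(ULONG_PTR)Vad.RightLink);
    printf("/*14*/ ULONG CommitCharge:20; = 0x%05lx\n", (unsigned long)Vad.CommitCharge);
    printf("/*14*/ ULONG Flags :12; = 0x%03lx\n", (unsigned long)Vad.Flags);
    printf("/*18*/ PVOID ControlArea; = 0x%08lx\n", (unsigned long)(ULONG_PTR)Vad.ControlArea);
    printf("/*1C*/ PVOID FirstProtoPte; = 0x%08lx\n", (unsigned long)(ULONG_PTR)Vad.FirstProtoPte);
    printf("/*20*/ PVOID LastPTE; = 0x%08lx\n", (unsigned long)(ULONG_PTR)Vad.LastPTE);
    printf("/*24*/ ULONG Unknown; = 0x%08lx\n", (unsigned long)Vad.Unknown);
    printf("/*28*/ LIST_ENTRY Secured; = 0x%08lx 0x%08lx\n",
           (unsigned long)(ULONG_PTR)Vad.Secured.Flink,
           (unsigned long)(ULONG_PTR)Vad.Secured.Blink);
    printf("\n");

    if (Vad.RightLink != NULL)
    {
        JiurlDumpVad2(hDevice, Vad.RightLink, level + 1);
    }
}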