📄 jiurlpebsee.cpp
字号:
#include "JiurlPebSee.h"
#include "JiurlCommon.h"
void RedLight()
{
printf("[");
printfcolor("\4",0xc);
printf("]");
}
void GreenLight()
{
printf("[");
printfcolor("\4",0xa);
printf("]");
}
void main()
{
int ret;
JiurlAbout();
printf("\n");
///////////////////////////////////////////////
char ServiceFile[256];
GetCurrentDirectory(256,ServiceFile);
sprintf(ServiceFile,"%s\\JiurlDriver.sys",ServiceFile);
SC_HANDLE schSCManager;
schSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
ret=InstallDriver(schSCManager,DRIVER_NAME,ServiceFile);
if(ret==0)
{
RemoveDriver (schSCManager,DRIVER_NAME);
RedLight();
printf(" Press any key to Exit\n");
getch();
return;
}
ret=StartDriver(schSCManager,DRIVER_NAME);
if(ret==0)
{
StopDriver (schSCManager,DRIVER_NAME);
RemoveDriver (schSCManager,DRIVER_NAME);
RedLight();
printf(" Press any key to Exit\n");
getch();
return;
}
GreenLight();
printf(" ServiceFile: %s\n",ServiceFile);
GreenLight();
printf(" CreateService SUCCESS StartService SUCCESS\n");
/////////////////////////////////////////
HANDLE hDevice;
hDevice= CreateFile("\\\\.\\JiurlSymbolicLink",
GENERIC_READ | GENERIC_WRITE,
0, // share mode none
NULL, // no security
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL ); // no template
if (hDevice == INVALID_HANDLE_VALUE)
{
RedLight();
printf(" Open JiurlSymbolicLink handle Error: %d\n",GetLastError() );
}
else
{
GreenLight();
printf(" Open JiurlSymbolicLink handle SUCCESS\n");
}
//getch();
printf("__________________________________________________\n");
/////////////////////////////////////////
HANDLE hOut;
hOut=GetStdHandle(STD_OUTPUT_HANDLE);
COORD dwSize;
dwSize.X=80;
dwSize.Y=3000;
SetConsoleScreenBufferSize(hOut,dwSize);
//JiurlPageDirectorySee(hDevice);
DWORD pid;
printf("ProcessId(Decimal): ");
scanf("%d",&pid);
JiurlPebSee(hDevice,pid);
/////////////////////////////////////////
printf("__________________________________________________\n\n");
ret = CloseHandle(hDevice);
if (ret==0)
{
RedLight();
printf(" CloseHandle Error: %d\n",GetLastError());
}
else
{
GreenLight();
printf(" CloseHandle SUCCESS\n");
}
/////////////////////////////////////////
StopDriver (schSCManager,DRIVER_NAME);
ret=RemoveDriver (schSCManager,DRIVER_NAME);
if(ret==0)
{
RedLight();
printf(" Press any key to Exit\n");
getch();
}
GreenLight();
printf(" DeleteService SUCCESS\n");
CloseServiceHandle (schSCManager);
/////////////////////////////////////////
printf("\n");
printfcolor(
" "" "
"PRESS ANY KEY TO EXIT .."" "
,0x70);
getch();
}
// -----------------------------------------------------------------
BOOL JiurlReadProcessMemory(
HANDLE hDevice,
DWORD pid,
LPVOID lpBaseAddress, // base of memory area
LPVOID lpBuffer, // data buffer
DWORD nSize, // number of bytes to read
LPDWORD lpNumberOfBytesRead // number of bytes read
)
{
MEMORY_INFO MemInfo;
MemInfo.ProcessId=pid;
MemInfo.StartVa=lpBaseAddress;
MemInfo.nBytes=nSize;
int ret;
ret=DeviceIoControl(
hDevice,
IOCTL_MEM_OUTPUT,
&MemInfo,
sizeof(MemInfo),
lpBuffer,
nSize,
lpNumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
}
return ret;
}
//-------------------------------------------------
void JiurlPebSee(HANDLE hDevice,DWORD pid)
{
DWORD Peb[1024];
#define PEB_BASE 0x7FFDF000
void* pAddress;
DWORD nBytes;
DWORD BytesReturned;
pAddress=(void*)PEB_BASE;
nBytes=4096;
int ret;
char ProcessName[16];
ret=JiurlGetProcessName(hDevice, pid,ProcessName);
if(ret==0)
printf("Get Process Name Error\n");
else
printf("%s:\n\n",ProcessName);
JiurlReadProcessMemory(
hDevice,pid,pAddress,Peb,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
#define LINEDWORD 4
int i;
PPEB pPeb;
pPeb=(PPEB)Peb;
printf("[");
printfcolor("\4",0xf);
printf("] ");
printf("PEB at 0x%08x\n\n",pAddress);
printf("LoaderData: 0x%08x\n",pPeb->LoaderData);
//printf("\n");
printf("ProcessParameters: 0x%08x\n",pPeb->ProcessParameters);
//printf("\n");
printf("ProcessHeap: 0x%08x\n",pPeb->ProcessHeap);
printf("NumberOfHeaps: %d\n",pPeb->NumberOfHeaps);
printf("MaximumNumberOfHeaps: %d\n",pPeb->MaximumNumberOfHeaps);
printf("*ProcessHeaps: 0x%08x\n",pPeb->ProcessHeaps);
printf("\n");
for(i=0;i<1024;i++)
{
if(i%LINEDWORD==0)
printf("%08x:",(unsigned int)PEB_BASE+i*4);
printf(" %08x",Peb[i]);
if((i+1)%LINEDWORD==0)
printf("\n");
}
printf("\n");
JiurlProcessModulesSee(hDevice, pid, pPeb->LoaderData);
JiurlProcessParametersSee(hDevice, pid, pPeb->ProcessParameters);
printf("\n");
JiurlProcessHeapsSee(hDevice, pid,
(PPVOID)pPeb->ProcessHeaps, pPeb->MaximumNumberOfHeaps);
}
// -----------------------------------------------------------------
BOOL JiurlGetProcessName(HANDLE hDevice, DWORD pid, LPVOID lpBuffer)
{
int ret;
DWORD NumberOfBytesRead;
ret=DeviceIoControl(
hDevice,
IOCTL_PROCESS_NAME_OUTPUT,
&pid,
sizeof(pid),
lpBuffer,
16,
&NumberOfBytesRead,
NULL);
if(ret==0)
{
printf("DeviceIoControl Error: %d\n",GetLastError());
}
if(NumberOfBytesRead!=16)
{
//printf("NumberOfBytesRead: %d\n",NumberOfBytesRead);//
ret=0;
}
return ret;
}
// -----------------------------------------------------------------
void JiurlProcessModulesSee(HANDLE hDevice, DWORD pid,
PPEB_LDR_DATA LoaderDataAddress)
{
PEB_LDR_DATA LoaderData;
void* LdrDataAddress;
DWORD nBytes;
DWORD BytesReturned;
LdrDataAddress= LoaderDataAddress;
nBytes=sizeof(LoaderData);
JiurlReadProcessMemory(
hDevice,pid,LdrDataAddress,&LoaderData,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
}
printf("[");
printfcolor("\4",0xf);
printf("] ");
printf("LoaderData at 0x%08x\n",LdrDataAddress);
printf("\n");
printf("Length: %d Bytes\n",
LoaderData.Length);
printf("Initialized: %d\n",
LoaderData.Initialized);
printf("SsHandle: 0x%08x\n",
LoaderData.SsHandle);
printf("InLoadOrderModuleList\n"
"Flink: 0x%08x Blink: 0x%08x\n",
LoaderData.InLoadOrderModuleList.Flink,
LoaderData.InLoadOrderModuleList.Blink);
printf("InMemoryOrderModuleList\n"
"Flink: 0x%08x Blink: 0x%08x\n",
LoaderData.InMemoryOrderModuleList.Flink,
LoaderData.InMemoryOrderModuleList.Blink);
printf("InInitializationOrderModuleList\n"
"Flink: 0x%08x Blink: 0x%08x\n",
LoaderData.InInitializationOrderModuleList.Flink,
LoaderData.InInitializationOrderModuleList.Blink);
printf("\n");
///////////////////////////////////////
PLIST_ENTRY pModuleListHead , pModuleListEntry;
pModuleListHead=
(PLIST_ENTRY)((char*)LoaderDataAddress+0xc);
pModuleListEntry=
(PLIST_ENTRY)(LoaderData.InLoadOrderModuleList.Flink);
LDR_MODULE Module;
char* ModuleAddress;
wchar_t NameBuf[256];
do
{
ModuleAddress=(char*)pModuleListEntry-0;
nBytes=sizeof(Module);
JiurlReadProcessMemory(
hDevice,pid,ModuleAddress,&Module,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
pModuleListEntry=Module.InLoadOrderModuleList.Flink;
printf("Module at 0x%08x\n",ModuleAddress);
JiurlReadProcessMemory(
hDevice,pid,(Module.FullDllName.Buffer),NameBuf,sizeof(NameBuf),
&BytesReturned);
printf("FullDllName: %ws\n",NameBuf);
JiurlReadProcessMemory(
hDevice,pid,Module.BaseDllName.Buffer,NameBuf,sizeof(NameBuf),
&BytesReturned);
printf("BaseDllName: %ws\n",NameBuf);
printf("BaseAddress: 0x%08x\n",Module.BaseAddress);
printf("SizeOfImage: 0x%08x\n",Module.SizeOfImage);
printf("\n");
}
while(pModuleListEntry!=pModuleListHead);
}
// -----------------------------------------------------------------
void JiurlProcessParametersSee(HANDLE hDevice, DWORD pid,
PRTL_USER_PROCESS_PARAMETERS ProcessParameters)
{
RTL_USER_PROCESS_PARAMETERS Parameters;
void* ParaAddress;
DWORD nBytes;
DWORD BytesReturned;
ParaAddress= ProcessParameters;
nBytes=sizeof(Parameters);
JiurlReadProcessMemory(
hDevice,pid,ParaAddress,&Parameters,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
}
printf("[");
printfcolor("\4",0xf);
printf("] ");
printf("ProcessParameters at 0x%08x\n",ParaAddress);
printf("\n");
printf("MaximumLength: 0x%08x\n",Parameters.MaximumLength);
printf("Length: 0x%08x\n",Parameters.Length);
printf("Flags: 0x%08x\n",Parameters.Flags);
printf("DebugFlags: 0x%08x\n",Parameters.DebugFlags);
printf("ConsoleHandle: 0x%08x\n",Parameters.ConsoleHandle);
printf("ConsoleFlags: 0x%08x\n",Parameters.ConsoleFlags);
printf("StdInputHandle: 0x%08x\n",Parameters.StdInputHandle);
printf("StdOutputHandle: 0x%08x\n",Parameters.StdOutputHandle);
printf("StdErrorHandle: 0x%08x\n",Parameters.StdErrorHandle);
printf("CurrentDirectoryPath: %ws\n",
Parameters.CurrentDirectoryPath.Buffer);
printf("CurrentDirectoryHandle: 0x%08x\n",Parameters.CurrentDirectoryHandle);
printf("DllPath: %ws\n",Parameters.DllPath.Buffer);
printf("ImagePathName: %ws\n",Parameters.ImagePathName.Buffer);
printf("CommandLine: %ws\n",Parameters.CommandLine.Buffer);
printf("Environment: 0x%08x\n",Parameters.Environment);
printf("StartingPositionLeft: 0x%08x\n",Parameters.StartingPositionLeft);
printf("StartingPositionTop: 0x%08x\n",Parameters.StartingPositionTop);
printf("Width: 0x%08x\n",Parameters.Width);
printf("Height: 0x%08x\n",Parameters.Height);
printf("CharWidth: 0x%08x\n",Parameters.CharWidth);
printf("CharHeight: 0x%08x\n",Parameters.CharHeight);
printf("ConsoleTextAttributes: 0x%08x\n",Parameters.ConsoleTextAttributes);
printf("WindowFlags: 0x%08x\n",Parameters.WindowFlags);
printf("WindowTitle: %ws\n",Parameters.WindowTitle.Buffer);
printf("DesktopName: %ws\n",Parameters.DesktopName.Buffer);
printf("ShellInfo: %ws\n",Parameters.ShellInfo.Buffer);
printf("RuntimeData: %ws\n",Parameters.RuntimeData.Buffer);
int i;
for(i=0;i<20;i++)
{
printf("DLCurrentDirectory[%d].DosPath: %ws\n",
i,Parameters.DLCurrentDirectory[i].DosPath.Buffer);
}
printf("\n");
printf("[");
printfcolor("\4",0xf);
printf("] ");
printf("Environment at 0x%08x\n",Parameters.Environment);
printf("\n");
DWORD Environment[1024];
JiurlReadProcessMemory(
hDevice,pid,Parameters.Environment,Environment,
sizeof(Environment),&BytesReturned);
if(BytesReturned!=sizeof(Environment))
{
printf("JiurlReadProcessMemory Failed\n");
return;
}
unsigned int j;
char str[32];
#define LINEDWORD 4
for(i=0;i<1024;i++)
{
if(i%LINEDWORD==0)
printf("%08x:",(char*)Parameters.Environment+i*4);
printf(" %08x",Environment[i]);
if((i+1)%LINEDWORD==0)
{
memcpy(str,(char*)(Environment+i-3),16);
printf(" ");
for(j=0;j<16;j++)
{
if(str[j]>=32&&str[j]<=126)
printf("%c",str[j]);
else
printf(".");
}
printf("\n");
}
}
}
// -----------------------------------------------------------------
void JiurlProcessHeapsSee(HANDLE hDevice, DWORD pid,
PPVOID ProcessHeaps, DWORD MaximumNumberOfHeaps)
{
void* HeapsAddress;
DWORD nBytes;
DWORD BytesReturned;
DWORD* Heaps=(DWORD*)malloc(sizeof(PVOID)*MaximumNumberOfHeaps);
HeapsAddress= ProcessHeaps;
nBytes=MaximumNumberOfHeaps*sizeof(PVOID);
JiurlReadProcessMemory(
hDevice,pid,HeapsAddress,Heaps,nBytes,&BytesReturned);
if(BytesReturned!=nBytes)
{
printf("JiurlReadProcessMemory Failed\n");
}
printf("[");
printfcolor("\4",0xf);
printf("] ");
printf("ProcessHeaps at 0x%08x\n",HeapsAddress);
printf("\n");
unsigned int i=0;
while(Heaps[i]!=0)
{
printf("ProcessHeaps[%d]: 0x%08x\n",i,Heaps[i]);
i++;
}
printf("\n");
#define LINEDWORD 4
for(i=0;i<MaximumNumberOfHeaps;i++)
{
if(i%LINEDWORD==0)
printf("%08x:",(unsigned int)HeapsAddress+i*4);
printf(" %08x",Heaps[i]);
if((i+1)%LINEDWORD==0)
printf("\n");
}
free(Heaps);
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -