📄 win32wlk.c

📁 Windows 95 系統程式設計大奧秘书籍源码
//==================================
// WIN32WLK - Matt Pietrek 1995
// FILE: WIN32WLK.C
//==================================
#include <windows.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdarg.h>
#include <malloc.h>
#include <tlhelp32.h>
#pragma hdrstop
#include "mbassert.h"
#include "win32wlk.h"
#include "module32.h"
#include "procdb.h"
#include "threaddb.h"
#include "k32objs.h"

// Forward declarations for this module's functions.

// Dialog procedure and the per-message handlers it is declared alongside.
void Handle_WM_COMMAND(HWND hWndDlg, WPARAM wParam, LPARAM lParam);
void Handle_WM_INITDIALOG(HWND hWndDlg);
void Handle_WM_DELETEITEM(HWND hWndDlg, WPARAM wParam, LPARAM lParam);
BOOL CALLBACK Win32WlkDlgProc(HWND, UINT, WPARAM, LPARAM);

// Attach / read back a (type, value) pair for a listbox line. Callers in
// this file pass an LB_ITEM_* constant as the type and a process ID or a
// kernel structure pointer cast to DWORD as the value.
void RecordListboxLineTypeAndValue(HWND hWnd, DWORD type, DWORD value);
BOOL RetrieveListboxLineTypeAndValue(HWND hWnd, DWORD *type, DWORD *value);

// Refill the main listbox (HWndMainList) with processes, threads or modules.
void UpdateProcessList(void);
void UpdateThreadList(void);
void UpdateModuleList(void);

// Detail views, one per kind of object that can be inspected.
void ShowProcessDetails( DWORD processID );
void ShowHandleTableDetails( PHANDLE_TABLE pHndTbl );
void ShowThreadDetails( DWORD threadID );
void ShowTIBDetails( PTIB ptib );
void ShowModuleDetails( PIMTE pimte );
void ShowPEHeader( PIMAGE_NT_HEADERS pNTHdr );
void ShowMODREFListDetails( PMODREF pModRef );

// printf-style output to a listbox. 'format' is a format string, so text
// built at run time belongs in the arguments ("%s", text), never in
// 'format' itself.
// NOTE(review): ShowProcessDetails passes a buffer it assembled with
// wsprintf as 'format' (the "flags:" line); confirm no '%' can reach it, or
// change that call to lbprintf(hWnd, "%s", szBuffer).
void lbprintf(HWND hWnd, char * format, ...);

// Validators for values that are about to be treated as kernel pointers or
// IDs. ShowProcessDetails calls IsProcessId before it dereferences the
// result of PIDToPDB.
BOOL IsModule(PIMTE pimte);
BOOL IsProcessId( DWORD pid);
BOOL IsThreadId( DWORD tid);
BOOL IsMODREF( PMODREF pModRef );

// Convert a process / thread ID into a pointer to its database structure.
// The returned pointer is dereferenced directly by callers, so the ID
// should be validated first.
PPROCESS_DATABASE PIDToPDB( DWORD pid );
PTHREAD_DATABASE TIDToTDB( DWORD tid );

// Initialise the globals Unobsfucator, PModuleTable and HKernel32Heap
// (presumably; the definitions are not on this page).
void InitUnobsfucator(void);
void InitModuleTableBase(void);
void InitKernel32HeapHandle(void);

// Name lookups. Both write into a caller-supplied buffer and take no buffer
// length, so the caller has to provide a buffer large enough for the
// longest name that can be written.
void GetProcessNameFromHTask( HTASK hTask, PSTR szBuffer );
void GetModuleNameFromIMTEIndex( unsigned short index, PSTR pszBuffer );
PSTR GetKernel32ObjectType( PVOID pObject );
// HWNDs of the commonly used dialog controls
// Listbox refilled by UpdateProcessList / UpdateThreadList / UpdateModuleList.
HWND HWndMainList;
// Listbox that ShowProcessDetails resets and fills with one field per line.
HWND HWndDetails;
// Control that receives the one-line description via WM_SETTEXT.
HWND HWndDetailsDescription;

// Presumably the value PIDToPDB / TIDToTDB combine with an ID to recover the
// kernel pointer, set up by InitUnobsfucator -- neither is visible on this
// page; confirm. Starts at 0.
DWORD Unobsfucator = 0;
// Array of PIMTE entries indexed by MTE index (see PModuleTable[ppdb->MTEIndex]
// in ShowProcessDetails). Starts NULL; UpdateModuleList and ShowProcessDetails
// call InitModuleTableBase before using it because the table can be
// reallocated.
PIMTE *PModuleTable = 0;
// Heap handle passed to HeapSize to work out how many entries PModuleTable has.
HANDLE HKernel32Heap;
// When FALSE, ShowProcessDetails moves its PROCESS_DATABASE pointer back by
// 4 bytes before reading pConsole and the fields that follow it.
BOOL fDebugVersion;

// Program entry point: the whole UI is the modal "Win32WlkDlg" dialog, so
// WinMain only runs that dialog and exits when it is dismissed.
// hPrevInstance, lpszCmdLine and nCmdShow are not used.
int PASCAL WinMain( HANDLE hInstance, HANDLE hPrevInstance,
                    LPSTR lpszCmdLine, int nCmdShow )
{
    DLGPROC pfnDialogProc = (DLGPROC)Win32WlkDlgProc;

    // No owner window (0); DialogBox returns once the dialog has ended.
    DialogBox( hInstance, "Win32WlkDlg", 0, pfnDialogProc );

    return 0;
}

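// Refill the main listbox with one line per process ("<pid> <name>") and
// tag each line with LB_ITEM_PROCESS and the process ID, then select the
// first line and ask the dialog to show its details.
void UpdateProcessList(void)
{
    HANDLE hSnapshot;
    
    SendMessage(HWndMainList, LB_RESETCONTENT, 0, 0);

    // Only the process list is walked here, so a process-only snapshot is
    // sufficient; there is no need to capture heaps, modules and threads.
    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
    // not NULL, so a plain "if ( hSnapshot )" would walk and then close an
    // invalid handle.
    if ( hSnapshot && (hSnapshot != INVALID_HANDLE_VALUE) )
    {
        PROCESSENTRY32 process;
        BOOL fMore;

        process.dwSize = sizeof(process);
        fMore = Process32First( hSnapshot, &process );
        
        while ( fMore )
        {
            // NOTE(review): GetProcessNameFromHTask takes no buffer length;
            // 20 bytes is assumed to be enough for any name it writes --
            // confirm against its definition.
            char szBuffer[20];
            
            szBuffer[0] = 0;

            // The snapshot is a point-in-time copy, so the process may be
            // gone by now. Validate the ID before the pointer derived from
            // it is dereferenced, as ShowProcessDetails does. The process
            // is still listed so that nothing in the snapshot is hidden.
            if ( IsProcessId( process.th32ProcessID ) )
            {
                PPROCESS_DATABASE ppdb;

                ppdb = PIDToPDB( process.th32ProcessID );
                GetProcessNameFromHTask( (HTASK)ppdb->W16TDB, szBuffer );
            }
            else
            {
                lstrcpy( szBuffer, "<invalid PDB>" );
            }
                
            lbprintf(HWndMainList, "%08X %s", process.th32ProcessID, szBuffer);
            RecordListboxLineTypeAndValue( HWndMainList, LB_ITEM_PROCESS, 
                                            process.th32ProcessID );
            
            fMore = Process32Next( hSnapshot, &process );
        }
        
        CloseHandle( hSnapshot );
    }

    // Set selection to first process in list, and show its details
    SendMessage( HWndMainList, LB_SETCURSEL, 0, 0 );
    PostMessage( GetParent(HWndMainList), WM_COMMAND,
                    MAKEWPARAM(IDC_LB_MAIN_LIST, LBN_SELCHANGE),
                    (LPARAM)HWndMainList );
}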

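// Refill the main listbox with one line per thread ("<tid> <owner name>"),
// tag each line with the thread ID, then select the first line and ask the
// dialog to show its details.
void UpdateThreadList(void)
{
    HANDLE hSnapshot;
    
    SendMessage(HWndMainList, LB_RESETCONTENT, 0, 0);

    // Only the thread list is walked here, so a thread-only snapshot is
    // sufficient.
    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );

    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
    // not NULL, so a plain "if ( hSnapshot )" would walk and then close an
    // invalid handle.
    if ( hSnapshot && (hSnapshot != INVALID_HANDLE_VALUE) )
    {
        THREADENTRY32 thread;
        BOOL fMore;
        
        thread.dwSize = sizeof(thread);
        fMore = Thread32First( hSnapshot, &thread );
        
        while ( fMore )
        {
            // NOTE(review): GetProcessNameFromHTask takes no buffer length;
            // 20 bytes is assumed to be enough for any name it writes --
            // confirm against its definition.
            char szBuffer[20];
            
            szBuffer[0] = 0;

            // The owning process may have exited since the snapshot was
            // taken. Validate its ID before the pointer derived from it is
            // dereferenced; the thread is still listed either way.
            if ( IsProcessId( thread.th32OwnerProcessID ) )
            {
                PPROCESS_DATABASE ppdb;

                ppdb = PIDToPDB( thread.th32OwnerProcessID );
                GetProcessNameFromHTask( (HTASK)ppdb->W16TDB, szBuffer );
            }
            else
            {
                lstrcpy( szBuffer, "<invalid PDB>" );
            }
                
            lbprintf( HWndMainList, "%08X %s", thread.th32ThreadID, szBuffer );

            // NOTE(review): the line is tagged LB_ITEM_PROCESS although the
            // stored value is a thread ID. This looks like a copy of the
            // process-list code; confirm whether win32wlk.h defines a
            // thread-specific tag that should be used here, because a
            // consumer that trusts the tag would treat the thread ID as a
            // process ID.
            RecordListboxLineTypeAndValue( HWndMainList, LB_ITEM_PROCESS, 
                                            thread.th32ThreadID );
            
            fMore = Thread32Next( hSnapshot, &thread );
        }
        
        CloseHandle( hSnapshot );
    }

    // Set selection to first thread in list, and show its details
    SendMessage( HWndMainList, LB_SETCURSEL, 0, 0 );
    PostMessage( GetParent(HWndMainList), WM_COMMAND,
                    MAKEWPARAM(IDC_LB_MAIN_LIST, LBN_SELCHANGE),
                    (LPARAM)HWndMainList );
}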

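// Refill the main listbox with the name of every non-NULL entry in the
// module table and tag each line with LB_ITEM_HMODULE and the entry's
// address, then select the first line and ask the dialog to show its
// details.
void UpdateModuleList(void)
{
    unsigned i, cIMTEs = 0;
    
    InitModuleTableBase();      // In case PModuleTableArray got reallocated
    
    SendMessage(HWndMainList, LB_RESETCONTENT, 0, 0);

    // The entry count comes from the size of the heap block holding the
    // table. PModuleTable starts out NULL, and HeapSize returns -1 on
    // failure; without these checks a failed call would yield a count of
    // roughly 2^30 and the loop would read far past the end of the table.
    if ( PModuleTable )
    {
        DWORD cbTable = HeapSize( HKernel32Heap, 0, (PVOID)PModuleTable );

        if ( cbTable != (DWORD)-1 )
            cIMTEs = cbTable / sizeof(PIMTE);
    }
    
    for( i=0; i < cIMTEs; i++ )
    {
        if ( PModuleTable[i] )
        {
            // NOTE(review): the entry and its pszModName are dereferenced
            // without validation; IsModule() is declared in this file and
            // may be the intended check -- confirm against its definition.
            lbprintf( HWndMainList, "%s", PModuleTable[i]->pszModName );
            RecordListboxLineTypeAndValue( HWndMainList, LB_ITEM_HMODULE, 
                                            (DWORD)PModuleTable[i] );
        }
    }
    
    // Set selection to first module in list, and show its details
    SendMessage( HWndMainList, LB_SETCURSEL, 0, 0 );
    PostMessage( GetParent(HWndMainList), WM_COMMAND,
                    MAKEWPARAM(IDC_LB_MAIN_LIST, LBN_SELCHANGE),
                    (LPARAM)HWndMainList );
}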

// Display names for the bits of the PROCESS_DATABASE 'flags' field.
// ShowProcessDetails walks this table and appends the name of every bit
// that is set; bits without an entry here are shown only in the hex value.
DWORD_FLAGS ProcessFlagNames[] =
{
    { 0x00000001, "fDebugSingle" },
    { 0x00000002, "fCreateProcessEvent" },
    { 0x00000004, "fExitProcessEvent" },
    { 0x00000008, "fWin16Process" },
    { 0x00000010, "fDosProcess" },
    { 0x00000020, "fConsoleProcess" },
    { 0x00000040, "fFileApisAreOem" },
    { 0x00000080, "fNukeProcess" },
    { 0x00000100, "fServiceProcess" },
    { 0x00000800, "fLoginScriptHack" },

    { 0x00200000, "fSendDLLNotifications" },
    { 0x00400000, "fDebugEventPending" },
    { 0x00800000, "fNearlyTerminating" },

    { 0x08000000, "fFaulted" },
    { 0x10000000, "fTerminating" },
    { 0x20000000, "fTerminated" },
    { 0x40000000, "fInitError" },
    { 0x80000000, "fSignaled" },
};

void ShowProcessDetails( DWORD pid )
{
    char szBuffer[512];
    char szBuffer2[384];
    PPROCESS_DATABASE ppdb;
    PENVIRONMENT_DATABASE pedb;
    unsigned i;
    
    if ( !IsProcessId(pid) )
    {
        MessageBox( 0, "Not a valid process", 0, MB_OK );
        return;
    }
    
    ppdb = PIDToPDB(pid);
    pedb = ppdb->pEDB;
    MBassert( IsK32HeapHandle(ppdb->pEDB) || !ppdb->pEDB);

    GetProcessNameFromHTask( (HTASK)ppdb->W16TDB, szBuffer2 );

    InitModuleTableBase();      // In case PModuleTableArray got reallocated
    
    wsprintf(szBuffer, "Process: %08X (%08X) %s", pid, ppdb, szBuffer2 );
    SendMessage( HWndDetailsDescription, WM_SETTEXT, 0, (LPARAM)szBuffer );
    SendMessage(HWndDetails, LB_RESETCONTENT, 0, 0);

    SendMessage( HWndDetails, WM_SETREDRAW, FALSE, 0 ); // Turn off redraws

    lbprintf( HWndDetails, "Type: %08X", ppdb->Type );
    lbprintf( HWndDetails, "cReference: %08X", ppdb->cReference );
    MBassert( !ppdb->un1 );

    lbprintf( HWndDetails, "someEvent: %08X", ppdb->someEvent );
    MBassert( IsK32HeapHandle(ppdb->someEvent) || !ppdb->someEvent );

    lbprintf( HWndDetails, "TerminationStatus: %08X", ppdb->TerminationStatus );
    MBassert( !ppdb->un2 );

    lbprintf( HWndDetails, "DefaultHeap: %08X", ppdb->DefaultHeap );
    MBassert( IsHeapStart(ppdb->DefaultHeap) ) ;
    lbprintf( HWndDetails, "MemoryContext: %08X", ppdb->MemoryContext );

    MBassert( IsRing0HeapHandle(ppdb->MemoryContext) );

    wsprintf(szBuffer, "flags: %08X ", ppdb->flags );
    for ( i=0; i < (sizeof(ProcessFlagNames)/sizeof(DWORD_FLAGS)); i++ )
        if ( ppdb->flags & ProcessFlagNames[i].value )
            wsprintf(szBuffer + lstrlen(szBuffer), "%s ",
                     ProcessFlagNames[i].name);
    lbprintf( HWndDetails, szBuffer );

    lbprintf( HWndDetails, "pPSP: %08X", ppdb->pPSP );
    lbprintf( HWndDetails, "PSPSelector: %04X", ppdb->PSPSelector );
    MBassert( IsSelector( ppdb->PSPSelector ) );

    lbprintf( HWndDetails, "+MTE Index: %04X", ppdb->MTEIndex );
    RecordListboxLineTypeAndValue( HWndDetails, LB_ITEM_HMODULE,
                                    (DWORD)PModuleTable[ppdb->MTEIndex] );
    lbprintf( HWndDetails, "cThreads: %04X", ppdb->cThreads );
    MBassert( ppdb->cThreads );

    lbprintf( HWndDetails, "cNotTermThreads: %04X", ppdb->cNotTermThreads );
    MBassert( !ppdb->un3 );

    lbprintf( HWndDetails, "cRing0Threads: %08X", ppdb->cRing0Threads );
    MBassert( ppdb->cRing0Threads >= ppdb->cThreads );

    lbprintf( HWndDetails, "HeapHandle: %08X", ppdb->HeapHandle );
    MBassert( IsHeapStart(ppdb->HeapHandle) ) ;
    lbprintf( HWndDetails, "W16TDB: %08X", ppdb->W16TDB );

    MBassert( Is16BitGlobalHandle(ppdb->W16TDB) );

    lbprintf( HWndDetails, "MemMapFiles: %08X", ppdb->MemMapFiles );
    MBassert( IsK32HeapHandle(ppdb->MemMapFiles) || !ppdb->MemMapFiles );

    lbprintf( HWndDetails, "pEDB: %08X", ppdb->pEDB );
    lbprintf( HWndDetails, "+pHandleTable: %08X", ppdb->pHandleTable );
    RecordListboxLineTypeAndValue( HWndDetails, LB_ITEM_HANDLE_TABLE,
                                    (DWORD)ppdb->pHandleTable );
    MBassert( IsK32HeapHandle(ppdb->pHandleTable) );

    lbprintf( HWndDetails, "+Parent process: %08X", ppdb->ParentPDB );
    RecordListboxLineTypeAndValue( HWndDetails, LB_ITEM_PROCESS,
                                    (DWORD)PIDToPDB((DWORD)ppdb->ParentPDB));
    MBassert( IsK32HeapHandle( ppdb->ParentPDB ) || !ppdb->ParentPDB );

    lbprintf( HWndDetails, "+MODREFlist: %08X", ppdb->MODREFlist );
    RecordListboxLineTypeAndValue( HWndDetails, LB_ITEM_MODREF_LIST,
                                    (DWORD)ppdb->MODREFlist );
    MBassert( IsK32HeapHandle( ppdb->MODREFlist ) );

    lbprintf( HWndDetails, "ThreadList: %08X", ppdb->ThreadList );
    MBassert( IsK32HeapHandle(ppdb->ThreadList) );

    lbprintf( HWndDetails, "DebuggeeCB: %08X", ppdb->DebuggeeCB );
    lbprintf( HWndDetails, "LocalHeapFreeHead: %08X", ppdb->LocalHeapFreeHead );
    MBassert( IsDivisibleBy4(ppdb->LocalHeapFreeHead)
              || !ppdb->LocalHeapFreeHead );

    lbprintf( HWndDetails, "InitialRing0ID: %08X", ppdb->InitialRing0ID );

    MBassert( !ppdb->un4[0] );
    MBassert( !ppdb->un4[1] );
    MBassert( !ppdb->un4[2] );

    if ( !fDebugVersion )
        ppdb = (PPROCESS_DATABASE)( (PBYTE)ppdb - 4 );
            
    lbprintf( HWndDetails, "pConsole: %08X", ppdb->pConsole );
    MBassert( IsK32HeapHandle(ppdb->pConsole) || !ppdb->pConsole );

    lbprintf( HWndDetails, "tlsInUseBits1: %08X", ppdb->tlsInUseBits1 );
    lbprintf( HWndDetails, "tlsInUseBits2: %08X", ppdb->tlsInUseBits2 );
    lbprintf( HWndDetails, "ProcessDWORD: %08X", ppdb->ProcessDWORD );
    lbprintf( HWndDetails, "+ProcessGroup: %08X", ppdb->ProcessGroup );
    RecordListboxLineTypeAndValue( HWndDetails, LB_ITEM_PROCESS,
                                    (DWORD)PIDToPDB((DWORD)ppdb->ProcessGroup));
    MBassert( IsK32HeapHandle( ppdb->ProcessGroup ) || !ppdb->ProcessGroup );

    lbprintf( HWndDetails, "pExeMODREF: %08X", ppdb->pExeMODREF );  
    MBassert( IsK32HeapHandle( ppdb->pExeMODREF ) );

    lbprintf( HWndDetails, "TopExcFilter: %08X", ppdb->TopExcFilter );
    lbprintf( HWndDetails, "BasePriority: %08X", ppdb->BasePriority );
    MBassert( (ppdb->BasePriority <= 31) );

    lbprintf( HWndDetails, "HeapOwnList: %08X", ppdb->HeapOwnList );
    MBassert( IsHeapStart(ppdb->HeapOwnList) );

    lbprintf( HWndDetails, "HeapHandleBlockList: %08X", ppdb->HeapHandleBlockList );
    MBassert( IsDivisibleBy4(ppdb->HeapHandleBlockList)
              || !ppdb->HeapHandleBlockList );

    lbprintf( HWndDetails, "pSomeHeapPtr: %08X", ppdb->pSomeHeapPtr );
    MBassert( IsK32HeapHandle(ppdb->pSomeHeapPtr) || !ppdb->pSomeHeapPtr );

    lbprintf( HWndDetails, "pConsoleProvider: %08X", ppdb->pConsoleProvider );
    MBassert( IsK32HeapHandle(ppdb->pConsoleProvider) ||
              !ppdb->pConsoleProvider );

    lbprintf( HWndDetails, "EnvironSelector: %04X", ppdb->EnvironSelector );
    MBassert( IsSelector( ppdb->EnvironSelector) || !ppdb->EnvironSelector );

    lbprintf( HWndDetails, "ErrorMode: %04X", ppdb->ErrorMode );
    lbprintf( HWndDetails, "pevtLoadFinished: %08X", ppdb->pevtLoadFinished );
    MBassert( IsK32HeapHandle(ppdb->pevtLoadFinished) );

    lbprintf( HWndDetails, "UTState: %04X", ppdb->UTState );

    SendMessage( HWndDetails, WM_SETREDRAW, TRUE, 0 );  // Turn on redraws
        
    if ( IsBadReadPtr(pedb, sizeof(ENVIRONMENT_DATABASE)) )
        lbprintf( HWndDetails, "Environment Database ptr invalid" );
    else
