plbdata = malloc( sizeof(LBITEMDATA) ); // These will be freed in
if ( plbdata ) // out WM_DELETEITEM handler
{ // in the dlg proc
plbdata->type = type;
plbdata->value = value;
}
SendMessage( hWnd, LB_SETITEMDATA, lastIndex, (LPARAM)plbdata );
}
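//
// Copy the (type, value) pair stored as item data on the currently selected
// line of listbox hWnd into *type and *value.
//
// Returns FALSE when the listbox has no selection, the selected item carries
// no item data (NULL), or the listbox reports LB_ERR; *type and *value are
// left untouched in that case, so callers must check the result before
// using them.
//
BOOL RetrieveListboxLineTypeAndValue(HWND hWnd, DWORD *type, DWORD *value)
{
    LRESULT curSel;
    LRESULT itemData;
    PLBITEMDATA plbdata;

    // Bail out early on "no selection" rather than asking for the item data
    // of index -1.
    curSel = SendMessage( hWnd, LB_GETCURSEL, 0, 0 );
    if ( curSel == LB_ERR )
        return FALSE;

    // Test the raw LRESULT for LB_ERR / NULL before turning it into a
    // pointer, so the check doesn't rely on a pointer-to-DWORD cast.
    itemData = SendMessage( hWnd, LB_GETITEMDATA, (WPARAM)curSel, 0 );
    if ( itemData == LB_ERR || itemData == 0 )
        return FALSE;

    plbdata = (PLBITEMDATA)itemData;
    *type = plbdata->type;
    *value = plbdata->value;
    return TRUE;
}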
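//
// Shared plausibility check for a kernel32 object pointer derived from an
// ID.  The object's first DWORD is its type tag (the same tag
// GetKernel32ObjectType decodes), so a candidate is accepted only if it
// lies at or above 0x80000000, is readable for at least one DWORD, and
// carries expectedTag.
//
// NOTE: IsBadReadPtr is only a coarse probe -- it races with anything that
// unmaps the page between the probe and the read, and it can consume
// guard-page faults -- so TRUE means "looks like one", not "is live".
//
static BOOL IsKernel32ObjectOfType( PVOID pObject, DWORD expectedTag )
{
    if ( (DWORD)pObject < 0x80000000 )
        return FALSE;
    if ( IsBadReadPtr(pObject, sizeof(DWORD)) )
        return FALSE;
    // There are additional sanity checks that can be made here
    return *(PDWORD)pObject == expectedTag;
}

//
// Does pid decode (via PIDToPDB) to something that looks like a
// PROCESS_DATABASE?  Tag 5 is the process object type (cf. K32OBJ_PROCESS
// in GetKernel32ObjectType).
//
BOOL IsProcessId(DWORD pid)
{
    return IsKernel32ObjectOfType( (PVOID)PIDToPDB( pid ), 5 );
}

//
// Does tid decode (via TIDToTDB) to something that looks like a
// THREAD_DATABASE?  Tag 6 is the thread object type (cf. K32OBJ_THREAD in
// GetKernel32ObjectType).
//
BOOL IsThreadId(DWORD tid)
{
    return IsKernel32ObjectOfType( (PVOID)TIDToTDB( tid ), 6 );
}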
//
// Plausibility check for an IMTE (module table entry) pointer.  Every field
// access is made under an SEH frame, so an arbitrary or stale pointer is
// reported as FALSE instead of faulting.
//
BOOL IsModule( PIMTE pimte )
{
    BOOL looksValid = FALSE;

    __try
    {
        // The NT header the entry points at must carry the PE signature, and
        // its section count must agree with the count cached in the IMTE.
        BOOL headerOk =
               ( pimte->pNTHdr->Signature == IMAGE_NT_SIGNATURE )
            && ( pimte->pNTHdr->FileHeader.NumberOfSections == pimte->cSections );

        // Both name pointers must be readable, and the module name must not
        // lie before the file name in memory.  Short-circuiting keeps the
        // probes in the same order as before.
        looksValid = headerOk
            && !IsBadReadPtr( pimte->pszFileName, 1 )
            && !IsBadReadPtr( pimte->pszModName, 1 )
            && !( pimte->pszFileName > pimte->pszModName );
    }
    __except( 1 )
    {
        looksValid = FALSE;     // any access violation => not a module
    }

    return looksValid;
}
//
// Plausibility check for a MODREF pointer: the node itself, and its
// pNextModRef link when non-null, must sit at or above 0x80000000 and be
// readable for a full MODREF.  Like the other Is* helpers this relies on
// IsBadReadPtr, which is a point-in-time probe rather than a guarantee.
//
BOOL IsMODREF( PMODREF pModRef )
{
    if ( (DWORD)pModRef < 0x80000000 || IsBadReadPtr( pModRef, sizeof(MODREF) ) )
        return FALSE;

    // End of list: nothing further to probe.
    if ( pModRef->pNextModRef == 0 )
        return TRUE;

    // The link must pass the same two tests as the node itself.
    return ( (DWORD)pModRef->pNextModRef >= 0x80000000 )
        && !IsBadReadPtr( pModRef->pNextModRef, sizeof(MODREF) );
}
//
// Turn a Win9x process ID back into the PROCESS_DATABASE address it was
// derived from.  The ID is the address XORed with a per-boot key, which
// InitUnobsfucator must have stored in Unobsfucator before this is called.
//
PPROCESS_DATABASE PIDToPDB( DWORD pid )
{
    DWORD rawAddress = pid ^ Unobsfucator;
    return (PPROCESS_DATABASE)rawAddress;
}
//
// Turn a Win9x thread ID back into the THREAD_DATABASE address it was
// derived from; same XOR scheme and same Unobsfucator key as PIDToPDB.
//
PTHREAD_DATABASE TIDToTDB( DWORD tid )
{
    DWORD rawAddress = tid ^ Unobsfucator;
    return (PTHREAD_DATABASE)rawAddress;
}
//
// Copy the 8 bytes at offset 0F2h of the segment selected by hTask into
// pszBuffer and NUL-terminate them, so pszBuffer must hold at least 9 bytes.
// pszBuffer[0] is cleared up front, so any fault (bad selector, unreadable
// segment) leaves an empty string behind.
// NOTE(review): presumably 0F2h is the module-name field of the 16-bit Task
// Database -- confirm against the TDB layout before relying on it.
//
void GetProcessNameFromHTask( HTASK hTask, PSTR pszBuffer )
{
    pszBuffer[0] = 0;
    __try
    {
        __asm
        {
            push ds                     ; save caller's DS, restored below
            push ds
            pop es                      ; ES = caller's DS (destination segment)
            mov ds, word ptr [hTask]    ; DS = hTask used as a selector (source segment)
            mov esi, 0F2h               ; source offset within that segment
            mov edi, [pszBuffer]        ; destination = caller's buffer
            mov ecx, 2
            cld
            rep movsd                   ; 2 dwords = 8 bytes copied
            mov byte ptr es:[edi], 0    ; EDI now points past the copy: terminate
            pop ds                      ; restore caller's DS
        }
    }
    __except( 1 ){}                     // swallow any fault; buffer stays ""
}
//
// Compute the XOR key that maps process/thread IDs to their kernel32
// database addresses (see PIDToPDB / TIDToTDB) and store it in Unobsfucator.
// Must run before those helpers are used; WM_INITDIALOG calls it first.
//
void InitUnobsfucator(void)
{
    DWORD tid;
    tid = GetCurrentThreadId();
    __asm {
        mov ax, fs
        mov es, ax              ; ES = FS, the selector the TIB is reached through
        mov eax, 18h
        mov eax, es:[eax]       ; EAX = dword at FS:[18h], the TIB's self pointer
        sub eax, 10h            ; NOTE(review): presumably backs up from the TIB to
                                ; the enclosing THREAD_DATABASE -- confirm the 10h offset
        xor eax,[tid]           ; since tid == TDB ^ key (cf. TIDToTDB), TDB ^ tid == key
        mov [Unobsfucator], eax
    }
}
// No SDK prototype exists for this export, so it is declared here.
void WINAPI GDIReallyCares( HINSTANCE );

//
// Locate kernel32's module table and store its address in PModuleTable.
// Relies on an undocumented side effect: whatever GDIReallyCares leaves in
// ECX when it returns is taken to be the table address.  Nothing in the C
// calling convention preserves ECX across the call, so this only works on
// the specific Windows build it was observed on.
//
void InitModuleTableBase(void)
{
    // Yes, this is really disgusting!
    GDIReallyCares( GetModuleHandle(0) );
    __asm mov [PModuleTable], ecx       // ECX is read immediately, before any C code can clobber it
}
//
// Cache this process's PROCESS_DATABASE.HeapHandle in HKernel32Heap.
// Depends on InitUnobsfucator having run, since PIDToPDB needs the key.
// The PDB pointer is dereferenced without a plausibility check; it is
// our own process, so a bad pointer here means the key itself is wrong.
//
void InitKernel32HeapHandle(void)
{
    DWORD ownPid = GetCurrentProcessId();
    PPROCESS_DATABASE ppdb = PIDToPDB( ownPid );
    HKernel32Heap = ppdb->HeapHandle;
}
//
// Dialog proc for the main dialog
//
BOOL CALLBACK Win32WlkDlgProc(HWND hWndDlg, UINT msg,
                              WPARAM wParam, LPARAM lParam)
{
    // Route the few messages we handle to their helpers; anything else
    // returns FALSE so the default dialog procedure processes it.
    if ( msg == WM_COMMAND )
    {
        Handle_WM_COMMAND(hWndDlg, wParam, lParam);
        return TRUE;
    }
    if ( msg == WM_INITDIALOG )
    {
        Handle_WM_INITDIALOG(hWndDlg);
        return TRUE;
    }
    if ( msg == WM_CLOSE )
    {
        // Returns FALSE even though the message was handled.
        EndDialog(hWndDlg, 0);
        return FALSE;
    }
    if ( msg == WM_DELETEITEM )
    {
        Handle_WM_DELETEITEM( hWndDlg, wParam, lParam );
        return TRUE;
    }
    return FALSE;
}
//
// Handle the dialog's WM_COMMAND messages
//
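//
// Dispatch the dialog's WM_COMMAND messages.
//
// Radio buttons switch the main list between processes, threads and
// modules; a selection change in the main list shows that item's details;
// a double-click (or <enter>) on a details line drills into whatever that
// line refers to.
//
// Two fixes over the earlier version: the result of
// RetrieveListboxLineTypeAndValue is now checked for the main list too
// (previously a failed lookup passed an uninitialized `handle` to the
// Show*Details routines), and the faked <enter> notification is packed
// the Win32 way -- notification code in HIWORD(wParam), control HWND in
// lParam -- which is what the IDC_LB_DETAILS case below actually tests.
//
void Handle_WM_COMMAND(HWND hWndDlg, WPARAM wParam, LPARAM lParam)
{
    //
    // If user hit <enter> see which listbox has the focus, and
    // change wParam and lParam to look as if the user performed
    // the equivalent dbl-click action.
    //
    if ( LOWORD(wParam) == IDOK )
    {
        HWND hWndFocus = GetFocus();
        if ( hWndFocus == HWndDetails )
        {
            wParam = MAKEWPARAM(IDC_LB_DETAILS, LBN_DBLCLK);
            lParam = (LPARAM)HWndDetails;
        }
    }

    switch ( LOWORD(wParam) )
    {
        case IDC_RB_PROCESSES:
            UpdateProcessList();
            break;

        case IDC_RB_THREADS:
            UpdateThreadList();
            break;

        case IDC_RB_MODULES:
            UpdateModuleList();
            break;

        case IDC_LB_MAIN_LIST:
            if ( HIWORD(wParam) == LBN_SELCHANGE )
            {
                DWORD handle = 0, type = 0;

                // No selection / no item data: nothing to show.
                if ( !RetrieveListboxLineTypeAndValue(HWndMainList, &type, &handle) )
                    break;

                // The checked radio button decides what `handle` refers to.
                if ( IsDlgButtonChecked(hWndDlg, IDC_RB_PROCESSES) )
                    ShowProcessDetails( handle );
                else if ( IsDlgButtonChecked(hWndDlg, IDC_RB_THREADS) )
                    ShowThreadDetails( handle );
                else
                    ShowModuleDetails( (HMODULE)handle );
            }
            break;

        case IDC_LB_DETAILS:
            if ( HIWORD(wParam) == LBN_DBLCLK )
            {
                DWORD type = 0, value = 0;

                if ( !RetrieveListboxLineTypeAndValue(HWndDetails, &type, &value) )
                    break;

                // Each detail line that can be drilled into stored the kind
                // of thing it points at alongside the pointer/ID itself.
                switch ( type )
                {
                    case LB_ITEM_HMODULE:
                        ShowModuleDetails( (PIMTE)value ); break;
                    case LB_ITEM_PROCESS:
                        ShowProcessDetails( value ); break;
                    case LB_ITEM_MODREF_LIST:
                        ShowMODREFListDetails( (PMODREF)value ); break;
                    case LB_ITEM_HANDLE_TABLE:
                        ShowHandleTableDetails( (PHANDLE_TABLE)value ); break;
                    case LB_ITEM_TIB:
                        ShowTIBDetails( (PTIB)value ); break;
                    default:
                        break;      // plain text line: nothing to drill into
                }
            }
            break;

        default:
            break;
    }
}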
//
// One-time dialog setup: remember the child control handles, note whether
// this is a debug build of Windows, prime the kernel32 lookup globals, and
// start out on the process view.
//
void Handle_WM_INITDIALOG(HWND hWndDlg)
{
    HWND hMain    = GetDlgItem(hWndDlg, IDC_LB_MAIN_LIST);
    HWND hDetails = GetDlgItem(hWndDlg, IDC_LB_DETAILS);
    HWND hDescr   = GetDlgItem(hWndDlg, IDC_DETAILS_TYPE );

    HWndMainList           = hMain;
    HWndDetails            = hDetails;
    HWndDetailsDescription = hDescr;

    fDebugVersion = (BOOL)GetSystemMetrics( SM_DEBUG );

    // Order matters: InitKernel32HeapHandle goes through PIDToPDB, which
    // needs the key InitUnobsfucator computes.
    InitUnobsfucator();
    InitModuleTableBase();
    InitKernel32HeapHandle();

    // Select the "processes" radio button and, if that took, fill the list.
    CheckDlgButton(hWndDlg, IDC_RB_PROCESSES, 1);
    if ( IsDlgButtonChecked(hWndDlg, IDC_RB_PROCESSES) )
        UpdateProcessList();
}
//
// Release the malloc'd LBITEMDATA attached to a details-listbox line when
// the listbox deletes it.  Only the details list stores heap pointers as
// item data, so items from any other control are ignored.  A NULL itemData
// (allocation failed when the line was added) is harmless to free().
//
void Handle_WM_DELETEITEM(HWND hWndDlg, WPARAM wParam, LPARAM lParam)
{
    LPDELETEITEMSTRUCT pdis;

    if ( wParam != IDC_LB_DETAILS )
        return;

    // Free the pointer stored in the item data
    pdis = (LPDELETEITEMSTRUCT)lParam;
    free( (PVOID)pdis->itemData );
}
//
// Copy the module name of the IMTE at PModuleTable[index] into pszBuffer.
// NOTE(review): the copy is unbounded and `index` is not checked against the
// table size, so the caller must supply a valid index and a buffer large
// enough for the longest module name.
//
void GetModuleNameFromIMTEIndex( unsigned short index, PSTR pszBuffer )
{
    PSTR pszModName = PModuleTable[index]->pszModName;
    lstrcpy( pszBuffer, pszModName );
}
//
// Map the type tag in the first DWORD of a kernel32 object to its name.
// Returns "<???>" if the object isn't readable and "<unknown>" for a tag
// not in the table.  The returned strings are literals: do not free them.
//
PSTR GetKernel32ObjectType( PVOID pObject )
{
    static const struct { DWORD tag; PSTR name; } objectTypes[] =
    {
        { K32OBJ_SEMAPHORE,         "SEMAPHORE" },
        { K32OBJ_EVENT,             "EVENT" },
        { K32OBJ_MUTEX,             "MUTEX" },
        { K32OBJ_CRITICAL_SECTION,  "CRITICAL_SECTION" },
        { K32OBJ_PROCESS,           "PROCESS" },
        { K32OBJ_THREAD,            "THREAD" },
        { K32OBJ_FILE,              "FILE" },
        { K32OBJ_CHANGE,            "CHANGE" },
        { K32OBJ_CONSOLE,           "CONSOLE" },
        { K32OBJ_SCREEN_BUFFER,     "SCREEN_BUFFER" },
        { K32OBJ_MEM_MAPPED_FILE,   "MEM_MAPPED_FILE" },
        { K32OBJ_SERIAL,            "SERIAL" },
        { K32OBJ_DEVICE_IOCTL,      "DEVICE_IOCTL" },
        { K32OBJ_PIPE,              "PIPE" },
        { K32OBJ_MAILSLOT,          "MAILSLOT" },
        { K32OBJ_TOOLHELP_SNAPSHOT, "TOOLHELP_SNAPSHOT" },
        { K32OBJ_SOCKET,            "SOCKET" },
    };
    DWORD tag;
    unsigned i;

    // Probe before dereferencing; the caller may hand us anything.
    if ( IsBadReadPtr(pObject, sizeof(DWORD)) )
        return "<???>";

    tag = *(PDWORD)pObject;
    for ( i = 0; i < sizeof(objectTypes) / sizeof(objectTypes[0]); i++ )
    {
        if ( objectTypes[i].tag == tag )
            return objectTypes[i].name;
    }
    return "<unknown>";
}
// Our own custom assert for GUI programs
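//
// Format "assert: <expr> (<file> line <n>)" and show it in a message box.
// pszExp and pszFile are the stringized expression and file name handed
// over by the assert macro (presumably typed void* to mirror the CRT's own
// _assert signature).
//
// wsprintf takes no buffer size and writes up to its documented maximum of
// 1024 characters, so the buffer is sized to that limit plus a terminator;
// the previous 512-byte buffer could be overrun by a long expression/file
// name pair.
//
void __cdecl _MBassert(void *pszExp, void *pszFile, unsigned lineNum)
{
    char buffer[1024 + 1];
    wsprintf(buffer, "assert: %s (%s line %u)", pszExp, pszFile, lineNum);
    MessageBox( 0, buffer, 0, MB_OK );
}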