unit mainunit;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,debugger,newkernelhandler, ExtCtrls, ComCtrls,tlhelp32;
type
  { Main window of the systemcall retriever. It runs a sequence of debugging
    sessions (Timer1/Timer2 plus a tdebugger instance); each session ends by
    posting wm_user+1, handled by Done. After the last session Done resolves
    the recorded systemcall numbers, lets the user confirm them in
    tresultwindow and writes everything to kerneldata.dat. }
  TForm1 = class(TForm)
    Timer1: TTimer;              // stopped in Done and re-enabled for the next session
    Image1: TImage;
    ProgressBar1: TProgressBar;  // reset to 0 whenever a session ends
    Timer2: TTimer;              // same lifecycle as Timer1
    listbox1: TMemo;             // not referenced in the code visible here
    procedure FormCreate(Sender: TObject);
    procedure Timer1Timer(Sender: TObject);
    procedure Timer2Timer(Sender: TObject);
    procedure FormShow(Sender: TObject);
  private
    { Private declarations }
    // Offsets collected during the sessions (presumably into the kernel
    // process structure - confirm in debugger/newkernelhandler). They are
    // shown in edit5..edit7 of the result window and saved to kerneldata.dat.
    activelinkoffset: dword;
    processnameoffset: dword;
    debugportoffset: dword;      // 0 = not found; on Windows XP Done offers 188 as a default
    debugger: tdebugger;         // created with Create(false) per session; Terminate'd when a session is cancelled
    sdtshadow: dword;            // not referenced in the code visible here
    procedure GetPEProcessData;  // body not visible in this listing
    // End-of-session handler. WParam=1 means the session was cancelled
    // (took too long / possibly crashed) and the debugged process is killed.
    procedure Done(var m:tmessage); message wm_user+1;
  public
    { Public declarations }
  end;
{ Layout of the block referenced by the global sharedmem pointer. Presumably
  a memory mapping shared with another process (sharedmemmapping is a THandle)
  - nothing in this listing reads or writes it; confirm against the other units. }
type tsharedmem=record
  Infunction:boolean;              // NOTE(review): meaning not visible here - looks like a "call in progress" flag
  RetrieverWindowHandle: thandle;  // NOTE(review): presumably Form1's window handle, so the peer can post messages
end;
var
  Form1: TForm1;
  sharedmemmapping: thandle;  // handle backing sharedmem; set up outside this listing
  sharedmem: ^tsharedmem;     // view of the shared block (see tsharedmem)
  paramlist: dword;           // not referenced in the code visible here
  processhandle:thandle;      // not referenced in the code visible here
  // Index of the current debugging session. Done increments it while it is
  // <= 2 and starts another session; otherwise it evaluates callnumbers[0..3].
  // Initial value is assigned outside this listing (presumably 0, giving four sessions).
  phase: integer;
implementation
{$R *.dfm}
uses resultwindowunit;
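function GetSystemType: Integer; //from Stuart Johnson with a little change by me
{ Classifies the running Windows version into one of the cOs* codes below.
  The codes are local constants, so callers compare against the raw integer
  (Done in this unit tests for 6 = Windows XP).
  Returns cOsUnknown when GetVersionEx fails, when the platform id is neither
  NT nor 9x, or when a 9x version is not recognised.
  Fix: every NT kernel newer than XP now yields cOsNewer. The original only
  mapped major version 5 (5.2) to cOsNewer and returned cOsUnknown for any
  later major version, although the constant exists for exactly that case. }
const
  { operating system constants }
  cOsUnknown = -1;
  cOsWin95   = 0;
  cOsWin98   = 1;
  cOsWin98SE = 2;
  cOsWinME   = 3;
  cOsWinNT   = 4;
  cOsWin2000 = 5;
  cOsWinXP   = 6;
  cOsNewer   = 7;
var
  osVerInfo: TOSVersionInfo;
  majorVer, minorVer: Integer;
begin
  { default covers a failed GetVersionEx, unknown platform ids and unmatched 9x versions }
  result := cOsUnknown;
  osVerInfo.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  if not GetVersionEx(osVerInfo) then
    exit;
  majorVer := osVerInfo.dwMajorVersion;
  minorVer := osVerInfo.dwMinorVersion;
  case osVerInfo.dwPlatformId of
    VER_PLATFORM_WIN32_NT: { Windows NT/2000/XP and later }
      if majorVer <= 4 then
        result := cOsWinNT
      else if (majorVer = 5) and (minorVer = 0) then
        result := cOsWin2000
      else if (majorVer = 5) and (minorVer = 1) then
        result := cOsWinXP
      else
        { 5.2 and every major version >= 6 is "newer than XP" }
        result := cOsNewer;
    VER_PLATFORM_WIN32_WINDOWS: { Windows 9x/ME }
      if (majorVer = 4) and (minorVer = 0) then
        result := cOsWin95
      else if (majorVer = 4) and (minorVer = 10) then
      begin
        { szCSDVersion starting with 'A' marks Windows 98 Second Edition }
        if osVerInfo.szCSDVersion[1] = 'A' then
          result := cOsWin98SE
        else
          result := cOsWin98;
      end
      else if (majorVer = 4) and (minorVer = 90) then
        result := cOsWinME;
  end;
end;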
procedure TForm1.Done(var m:tmessage);
var callnumbersfile:tfilestream;
i:integer;
NtUserBuildHwndListCallnumber: DWORD;
NtUserQueryWindowCallnumber:DWORD;
NtUserFindWindowExCallnumber:DWORD;
NtUserGetForegroundWindowCallnumber:DWORD;
PossibleNtUserBuildHwndListCallnumbers:array of dword;
PossibleNtUserQueryWindowCallnumbers:array of dword;
PossibleNtUserFindWindowExCallnumbers:array of dword;
PossibleNtUserGetForegroundWindowCallnumbers:array of dword;
input:string;
question:string;
buf: byte;
temp:dword;
ar:dword;
winversion:_osversioninfoa;
begin
timer1.Enabled:=false;
timer2.Enabled:=false;
progressbar1.Position:=0;
if m.WParam=1 then //it was a cancel, it took too long so it might have been crashed
begin
terminateprocess(debuggedprocesshandle,0);
debugger.Terminate;
//showmessage('First part failed, but let''s hope I managed to get the data I needed');
end;
if phase<=2 then //prepare for next debugging sesion
begin
inc(phase);
debugger:=tdebugger.Create(false);
timer1.Enabled:=true;
timer2.Enabled:=true;
end
else
begin
//this was the last one , now lets check everything
//NtUserBuildHwndListCallnumber
setlength(PossibleNtUserBuildHwndListCallnumbers,0);
for i:=0 to length(callnumbers[0])-1 do
begin
//search the list for a callnumber that takes $1c parameters (if there are more ask)
if callnumbers[0][i].parametercount=$1c then
begin
setlength(PossibleNtUserBuildHwndListCallnumbers,length(PossibleNtUserBuildHwndListCallnumbers)+1);
PossibleNtUserBuildHwndListCallnumbers[length(PossibleNtUserBuildHwndListCallnumbers)-1]:=callnumbers[0][i].callnumber;
end;
end;
if length(PossibleNtUserBuildHwndListCallnumbers)=1 then
begin
NtUserBuildHwndListCallnumber:=PossibleNtUserBuildHwndListCallnumbers[0]
end
else //not 1, not 0, so multiple
begin
input:='0';
question:='Multiple systemcalls where recorded with the same ammount of parameters. Select the right one. (default=0)';
for i:=0 to length(PossibleNtUserBuildHwndListCallnumbers)-1 do
question:=question+#13#10+IntToStr(i)+':'+IntTohex(PossibleNtUserBuildHwndListCallnumbers[i],4);
if inputquery('Systemcall retriever error',question ,input) then
begin
try
i:=StrToInt(input);
if i>=length(PossibleNtUserBuildHwndListCallnumbers) then raise exception.Create('I can''t do that dave');
NtUserBuildHwndListCallnumber:=PossibleNtUserBuildHwndListCallnumbers[i];
except
NtUserBuildHwndListCallnumber:=0;
end;
end
else //choose the first one
NtUserBuildHwndListCallnumber:=PossibleNtUserBuildHwndListCallnumbers[0];
end;
//NtUserqueryWindow
setlength(PossibleNtUserQueryWindowCallnumbers,0);
for i:=0 to length(callnumbers[1])-1 do
begin
//search the list for a callnumber that takes $08 parameters (if there are more ask)
if callnumbers[1][i].parametercount=$08 then
begin
setlength(PossibleNtUserQueryWindowCallnumbers,length(PossibleNtUserQueryWindowCallnumbers)+1);
PossibleNtUserQueryWindowCallnumbers[length(PossibleNtUserQueryWindowCallnumbers)-1]:=callnumbers[1][i].callnumber;
end;
end;
if length(PossibleNtUserQueryWindowCallnumbers)=1 then
begin
NtUserQueryWindowCallnumber:=PossibleNtUserQueryWindowCallnumbers[0]
end
else //not 1, not 0, so multiple
begin
input:='0';
question:='Multiple systemcalls where recorded with the same ammount of parameters. Select the right one. (default=0)';
for i:=0 to length(PossibleNtUserQueryWindowCallnumbers)-1 do
question:=question+#13#10+IntToStr(i)+':'+IntTohex(PossibleNtUserQueryWindowCallnumbers[i],4);
if inputquery('Systemcall retriever error',question ,input) then
begin
try
i:=StrToInt(input);
if i>=length(PossibleNtUserQueryWindowCallnumbers) then raise exception.Create('I can''t do that dave');
NtUserQueryWindowCallnumber:=PossibleNtUserQueryWindowCallnumbers[i];
except
NtUserQueryWindowCallnumber:=0;
end;
end
else //choose the first one
NtUserQueryWindowCallnumber:=PossibleNtUserQueryWindowCallnumbers[0];
end;
//NtUserFindWindowEx
setlength(PossibleNtUserFindWindowExCallnumbers,0);
for i:=0 to length(callnumbers[2])-1 do
begin
//search the list for a callnumber that takes $14 parameters (if there are more ask)
if callnumbers[2][i].parametercount=$14 then
begin
setlength(PossibleNtUserFindWindowExCallnumbers,length(PossibleNtUserFindWindowExCallnumbers)+1);
PossibleNtUserFindWindowExCallnumbers[length(PossibleNtUserFindWindowExCallnumbers)-1]:=callnumbers[2][i].callnumber;
end;
end;
if length(PossibleNtUserFindWindowExCallnumbers)=1 then
begin
NtUserFindWindowExCallnumber:=PossibleNtUserFindWindowExCallnumbers[0]
end
else //not 1, not 0, so multiple
begin
input:='0';
question:='Multiple systemcalls where recorded with the same ammount of parameters. Select the right one. (default=0)';
for i:=0 to length(PossibleNtUserFindWindowExCallnumbers)-1 do
question:=question+#13#10+IntToStr(i)+':'+IntTohex(PossibleNtUserFindWindowExCallnumbers[i],4);
if inputquery('Systemcall retriever error',question ,input) then
begin
try
i:=StrToInt(input);
if i>=length(PossibleNtUserFindWindowExCallnumbers) then raise exception.Create('I can''t do that dave');
NtUserFindWindowExCallnumber:=PossibleNtUserFindWindowExCallnumbers[i];
except
NtUserFindWindowExCallnumber:=0;
end;
end
else //choose the first one
NtUserFindWindowExCallnumber:=PossibleNtUserFindWindowExCallnumbers[0];
end;
//NtUserGetForegroundWindow
setlength(PossibleNtUserGetForegroundWindowCallnumbers,0);
for i:=0 to length(callnumbers[3])-1 do
begin
//search the list for a callnumber that takes 0 parameters (if there are more ask)
if callnumbers[3][i].parametercount=0 then
begin
setlength(PossibleNtUserGetForegroundWindowCallnumbers,length(PossibleNtUserGetForegroundWindowCallnumbers)+1);
PossibleNtUserGetForegroundWindowCallnumbers[length(PossibleNtUserGetForegroundWindowCallnumbers)-1]:=callnumbers[3][i].callnumber;
end;
end;
if length(PossibleNtUserGetForegroundWindowCallnumbers)=1 then
begin
NtUserGetForegroundWindowCallnumber:=PossibleNtUserGetForegroundWindowCallnumbers[0]
end
else //not 1, not 0, so multiple
begin
input:='0';
question:='Multiple systemcalls where recorded with the same ammount of parameters. Select the right one. (default=0)';
for i:=0 to length(PossibleNtUserGetForegroundWindowCallnumbers)-1 do
question:=question+#13#10+IntToStr(i)+':'+IntTohex(PossibleNtUserGetForegroundWindowCallnumbers[i],4);
if inputquery('Systemcall retriever error',question ,input) then
begin
try
i:=StrToInt(input);
if i>=length(PossibleNtUserGetForegroundWindowCallnumbers) then raise exception.Create('I can''t do that dave');
NtUserGetForegroundWindowCallnumber:=PossibleNtUserGetForegroundWindowCallnumbers[i];
except
NtUserGetForegroundWindowCallnumber:=0;
end;
end
else //choose the first one
NtUserGetForegroundWindowCallnumber:=PossibleNtUserGetForegroundWindowCallnumbers[0];
end;
winversion.dwOSVersionInfoSize:=sizeof(winversion);
getversionex(winversion);
if (debugportoffset=0) and (getsystemtype=6) then
begin
if messagedlg('It seems the debugport wasn''t found. But I see windows XP is used. So it should be safe to assume that the debugport offset is 188. Do you want to fill that in?',mtConfirmation,[mbyes,mbno],0)=mryes then
debugportoffset:=188;
end;
with tresultwindow.create(self) do
begin
//fill the window with the collected data
edit1.text:=inttostr(NtUserBuildHwndListCallnumber);
edit2.text:=inttostr(NtUserQueryWindowCallnumber);
edit3.text:=inttostr(NtUserFindWindowExCallnumber);
edit4.text:=inttostr(NtUserGetForegroundWindowCallnumber);
edit5.text:=inttostr(activelinkoffset);
edit6.text:=inttostr(processnameoffset);
edit7.text:=inttostr(debugportoffset);
if showmodal =mrok then
begin
NtUserBuildHwndListCallnumber:=strtoint(edit1.text);
NtUserQueryWindowCallnumber:=strtoint(edit2.text);
NtUserFindWindowExCallnumber:=strtoint(edit3.text);
NtUserGetForegroundWindowCallnumber:=strtoint(edit4.text);
activelinkoffset:=strtoint(edit5.text);
processnameoffset:=strtoint(edit6.text);
debugportoffset:=strtoint(edit7.text);
end;
//fill the data with the data from the window
end;
callnumbersfile:=tfilestream.Create(extractfilepath(application.ExeName)+'kerneldata.dat',fmcreate,fmsharedenynone);
try
callnumbersfile.WriteBuffer(winversion.dwMajorVersion,4);
callnumbersfile.WriteBuffer(winversion.dwMinorVersion,4);
callnumbersfile.WriteBuffer(winversion.dwBuildNumber,4);
callnumbersfile.WriteBuffer(winversion.szCSDVersion,128);
callnumbersfile.WriteBuffer(NtUserBuildHwndListCallnumber,4);
callnumbersfile.WriteBuffer(NtUserQueryWindowCallnumber,4);
callnumbersfile.WriteBuffer(NtUserFindWindowExCallnumber,4);
callnumbersfile.WriteBuffer(NtUserGetForegroundWindowCallnumber,4);
callnumbersfile.WriteBuffer(activelinkoffset,4);
callnumbersfile.WriteBuffer(processnameoffset,4);
callnumbersfile.WriteBuffer(debugportoffset,4);
finally
callnumbersfile.Free;
end;