
📄 w2k_mem.c

📁 Undocumented Windows 2000 Secrets简体中文版.+源码光盘

// __________________________________________________________
//
//                         w2k_mem.c
//             SBS Windows 2000 Memory Spy V1.00
//                08-27-2000 Sven B. Schreiber
//                       sbs@orgon.com
// __________________________________________________________

#include "w2k_mem.h"

// =================================================================
// DISCLAIMER
// =================================================================

/*

This software is provided "as is" and any express or implied
warranties, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
In no event shall the author Sven B. Schreiber be liable for any
direct, indirect, incidental, special, exemplary, or consequential
damages (including, but not limited to, procurement of substitute
goods or services; loss of use, data, or profits; or business
interruption) however caused and on any theory of liability,
whether in contract, strict liability, or tort (including negligence
or otherwise) arising in any way out of the use of this software,
even if advised of the possibility of such damage.

*/

// =================================================================
// REVISION HISTORY
// =================================================================

/*

08-27-2000 V1.00 Original version (SBS).

*/

// =================================================================
// GLOBAL VARIABLES
// =================================================================

// Global flag, initialised to FALSE. Nothing in this part of the file reads
// or writes it. NOTE(review): the name suggests it requests unloading of the
// spy driver when the program exits -- confirm against the code that uses it.
BOOL gfSpyUnload = FALSE;

// =================================================================
// GLOBAL STRINGS
// =================================================================

// Wide-character copies of the driver identification macros. SW() and the
// DRV_* macros are not defined in this file (presumably they come from
// w2k_mem.h or a header it includes -- confirm).
// NOTE(review): awSpyPath presumably names the driver image that is loaded
// into the kernel. If so, anyone who can replace that file controls
// kernel-mode code, so the location should be writable by administrators
// only -- verify how the path is resolved by the loader code.
WORD awSpyFile      [] = SW(DRV_FILENAME);
WORD awSpyDevice    [] = SW(DRV_MODULE);
WORD awSpyDisplay   [] = SW(DRV_NAME);
WORD awSpyPath      [] = SW(DRV_PATH);

// -----------------------------------------------------------------

// Command line syntax summary shown in the usage text. Contains no
// printf-style placeholders.
WORD awArguments    [] =
    L"{ { [+option|-option] [/<path>] } "
    L"[#[[0]x]<size>] [[0]x]<base> }";

// Follow-up usage text. Format string with exactly one %lu placeholder
// (the default block size in bytes).
WORD awMoreInfo     [] =
    L"\r\n"
    L"<path> specifies a module to be loaded into memory.\r\n"
    L"Use the +x/-x switch to enable/disable its startup code.\r\n"
    L"If <size> is missing, the default size is %lu bytes.\r\n";

// Help text listing every +/- switch with its default state (the
// upper-case word in each "on / OFF" pair). Contains no placeholders.
// NOTE(review): per the text below, +x lets the module given by /<path>
// execute its startup code, which would run inside this process with the
// caller's privileges -- only trusted binaries should be named there.
// The parsing code is not in this excerpt; confirm the default really
// is "off".
WORD awOptions      [] =
    L"\r\n"
    L"Display address options (mutually exclusive):\r\n"
    L"\r\n"
    L"   +z -z   zero-based display         on / OFF\r\n"
    L"   +r -r   physical RAM addresses     on / OFF\r\n"
    L"\r\n"
    L"Display mode options (mutually exclusive):\r\n"
    L"\r\n"
    L"   +w -w   WORD  data formatting      on / OFF\r\n"
    L"   +d -d   DWORD data formatting      on / OFF\r\n"
    L"   +q -q   QWORD data formatting      on / OFF\r\n"
    L"\r\n"
    L"Addressing options (mutually exclusive):\r\n"
    L"\r\n"
    L"   +t -t   TEB-relative addressing    on / OFF\r\n"
    L"   +f -f   FS-relative  addressing    on / OFF\r\n"
    L"   +u -u   user-mode   FS:[<base>]    on / OFF\r\n"
    L"   +k -k   kernel-mode FS:[<base>]    on / OFF\r\n"
    L"   +h -h   handle/object resolution   on / OFF\r\n"
    L"   +a -a   add bias  to  last base    on / OFF\r\n"
    L"   +s -s   sub bias from last base    on / OFF\r\n"
    L"   +p -p   pointer  from last block   on / OFF\r\n"
    L"\r\n"
    L"System status options (cumulative):\r\n"
    L"\r\n"
    L"   +o -o   display OS  information    on / OFF\r\n"
    L"   +c -c   display CPU information    on / OFF\r\n"
    L"   +g -g   display GDT information    on / OFF\r\n"
    L"   +i -i   display IDT information    on / OFF\r\n"
    L"   +b -b   display contiguous blocks  on / OFF\r\n"
    L"\r\n"
    L"Other options (cumulative):\r\n"
    L"\r\n"
    L"   +x -x   execute DLL startup code   on / OFF\r\n";

// Worked example for the usage text. The program name is spliced in at
// compile time through SW(MAIN_MODULE); there are no run-time placeholders.
WORD awExamples     [] =
    L"\r\n"
    L"Example: The following command displays the first 64\r\n"
    L"bytes of the current Process Environment Block (PEB)\r\n"
    L"in zero-based DWORD format, assuming that a pointer to\r\n"
    L"the PEB is located at offset 0x30 inside the current\r\n"
    L"Thread Environment Block (TEB):\r\n"
    L"\r\n"
    L"   " SW(MAIN_MODULE) L" +t #0 0 +pzd #64 0x30\r\n"
    L"\r\n"
    L"Note: Specifying #0 after +t causes the TEB to be\r\n"
    L"addressed without displaying its contents.\r\n";

// Closing summary. Arguments in order: %lu, %s, %lu, %s (a count and a
// unit string for the requested and for the received amount).
WORD awSummary           [] = L"\r\n"
                              L"%10lu %s requested\r\n"
                              L"%10lu %s received\r\n";

// Error messages. Each one starts with a %s whose meaning is not visible
// in this excerpt (presumably a line prefix -- confirm at the call sites).
// User-supplied text (argument, option characters, module path) is
// inserted through %s / %c arguments; it must never be concatenated into
// the format string itself.
WORD awInvalidCommand    [] = L"%sYou didn't request any data!\r\n";
WORD awInvalidArgument   [] = L"%sInvalid argument: \"%s\"\r\n";
WORD awInvalidOption     [] = L"%sInvalid option: \"%c%c\"\r\n";
WORD awInvalidModule     [] = L"%sLoad error 0x%08lX: \"%s\"\r\n";

// Success message for a loaded module: %s followed by a 32-bit value
// printed as hex (labelled as the LoadLibrary result).
WORD awLoadLibrary       [] = L"\r\nLoadLibrary (%s) = 0x%08lX\r\n";

// -----------------------------------------------------------------

// Section heading for the OS information output. No placeholders.
WORD awOsInfoCaption     [] =
    L"\r\n"
    L"OS information:\r\n"
    L"---------------\r\n";

// -----------------------------------------------------------------

// Section heading for the CPU information output. No placeholders.
WORD awCpuInfoCaption    [] =
    L"\r\n"
    L"CPU information:\r\n"
    L"----------------\r\n";

// Sub-heading printed before the user-mode segment list.
WORD awCpuInfoUser       [] =
    L"\r\n"
    L"User mode segments:\r\n"
    L"\r\n";

// Sub-heading printed before the kernel-mode segment list.
WORD awCpuInfoKernel     [] =
    L"\r\n"
    L"Kernel mode segments:\r\n"
    L"\r\n";

// Descriptor-table and control-register dump. Eight arguments in order:
// IDT limit, IDT base, GDT limit, GDT base, LDT selector, CR0, CR2, CR3.
// Output built from this format discloses kernel descriptor-table
// addresses and the CR3 value, so captured output should be handled as
// sensitive diagnostic data.
WORD awCpuInfoOther      [] =
    L"\r\n"
    L"IDT : Limit    = %04X, Base = %08lX\r\n"
    L"GDT : Limit    = %04X, Base = %08lX\r\n"
    L"LDT : Selector = %04X\r\n"
    L"\r\n"
    L"CR0 : Contents = %08lX\r\n"
    L"CR2 : Contents = %08lX\r\n"
    L"CR3 : Contents = %08lX\r\n";

// -----------------------------------------------------------------

// Section heading for the GDT listing. No placeholders.
WORD awGdtInfoCaption    [] =
    L"\r\n"
    L"GDT information:\r\n"
    L"----------------\r\n"
    L"\r\n";

// One segment line. Six arguments in order: name (%s), selector (%04X),
// base (%08lX), limit (%08lX), DPL (%u), type string (%s). The type
// string must not be NULL when passed to %s.
WORD awGdtInfoSegment    [] =
    L"%s : Selector = %04X, "
    L"Base = %08lX, Limit = %08lX, DPL%u, Type = %s\r\n";

// -----------------------------------------------------------------

// Section heading for the IDT listing. No placeholders.
WORD awIdtInfoCaption    [] =
    L"\r\n"
    L"IDT information:\r\n"
    L"----------------\r\n"
    L"\r\n";

// IDT entry shown as a far pointer. Six arguments in order: index
// (%02lX), selector (%04X), offset (%08lX), base (%08lX), limit (%08lX),
// type string (%s).
WORD awIdtInfoPointer    [] =
    L"%02lX : Pointer = %04X:%08lX, "
    L"Base = %08lX, Limit = %08lX, Type = %s\r\n";

// IDT entry shown as a TSS reference. Five arguments in order: index
// (%02lX), TSS selector (%04X), base (%08lX), limit (%08lX), type
// string (%s). Column widths are padded to line up with awIdtInfoPointer.
WORD awIdtInfoSegment    [] =
    L"%02lX : TSS     = %04X,          "
    L"Base = %08lX, Limit = %08lX, Type = %s\r\n";

// -----------------------------------------------------------------

// Alias for N_HEX32, which is defined outside this file.
// NOTE(review): presumably the buffer length reserved for a formatted
// segment name -- confirm that every buffer sized with it can hold the
// longest string produced with awSegment plus the terminator.
#define N_SEGMENT N_HEX32

// Format for a numeric segment name (three hex digits), followed by the
// fixed three-character names of the well-known segment registers and
// the TSS. All names are padded to the same width.
WORD awSegment           [] = L"%03lX";
WORD awSegmentCS         [] = L"CS ";
WORD awSegmentDS         [] = L"DS ";
WORD awSegmentES         [] = L"ES ";
WORD awSegmentFS         [] = L"FS ";
WORD awSegmentGS         [] = L"GS ";
WORD awSegmentSS         [] = L"SS ";
WORD awSegmentTSS        [] = L"TSS";

// -----------------------------------------------------------------

// Sixteen display names for code/data descriptor types. Entries 0-7 are
// DATA variants, 8-15 are CODE variants; the three flag columns vary in
// binary order. NOTE(review): the order matches a 4-bit x86 descriptor
// type value used as index -- the lookup code is not in this excerpt, so
// confirm that the index is masked to 0..15 before it is used.
PWORD apwTypeApplication [] =
    {
    L"DATA ---", L"DATA --a", L"DATA -w-", L"DATA -wa",
    L"DATA e--", L"DATA e-a", L"DATA ew-", L"DATA ewa",
    L"CODE ---", L"CODE --a", L"CODE -r-", L"CODE -ra",
    L"CODE c--", L"CODE c-a", L"CODE cr-", L"CODE cra",
    };

// Sixteen display names for system descriptor types. Entries 0, 8, 10
// and 13 are NULL, so a consumer must check for NULL before handing an
// entry to a %s format. NOTE(review): awUndefined ("???") looks like the
// intended substitute -- confirm at the lookup site.
PWORD apwTypeSystem      [] =
    {
    NULL,        L"TSS16 a",  L"LDT",      L"TSS16 b",
    L"CALL16",   L"TASK",     L"INT16",    L"TRAP16",
    NULL,        L"TSS32 a",  NULL,        L"TSS32 b",
    L"CALL32",   NULL,        L"INT32",    L"TRAP32",
    };

// -----------------------------------------------------------------

// Heading of a memory dump table. Four arguments in order: first address
// (%08lX), last address (%08lX), count (%lu), unit string (%s).
WORD awTableCaption [] = L"\r\n%08lX..%08lX: %lu valid %s\r\n";
// Printed instead of a table when nothing could be shown; one %08lX
// argument (the address).
WORD awTableNoData  [] = L"\r\n%08lX: No data\r\n";

// Column title for the address column; padded to the width of an
// 8-digit hex address.
WORD awTableAddress [] = L"Address "; // 8 characters

// Blank fillers of one and two characters.
WORD awTableSpace1  [] = L" ";
WORD awTableSpace2  [] = L"  ";

// Hex formats for one, two and eight digits; each takes one argument
// printed with the lX conversion.
WORD awTableHex1    [] = L"%01lX";
WORD awTableHex2    [] = L"%02lX";
WORD awTableHex8    [] = L"%08lX";

// Small building blocks for messages: unit names, the "not " prefix,
// a marker for unknown values, a line break, a pass-through "%s" format
// and the empty string.
// NOTE(review): awString exists so that variable text can be printed as
// an argument of a constant format rather than as the format itself --
// keep it that way at the call sites.
WORD awByte         [] = L"byte";
WORD awBytes        [] = L"bytes";
WORD awNot          [] = L"not ";
WORD awUndefined    [] = L"???";
WORD awNewLine      [] = L"\r\n";
WORD awString       [] = L"%s";
WORD awNull         [] = L"";

// -----------------------------------------------------------------

// Row formats and matching separator bars for the four display modes.
// Every awTableData* format consumes exactly 33 %s arguments: one for
// the first column, 16 for the middle section and 16 for the right
// section (presumably address, hex cells and character cells -- confirm
// at the call site). Passing fewer arguments, or a NULL pointer, to
// these formats is undefined behaviour, so the argument lists must be
// kept in step with any change made here. The awTableBar* strings
// contain no placeholders.

// BYTE mode: 16 separately spaced cells, 16 adjacent cells on the right.
WORD awTableDataByte  [] =
    L"\r\n%s | "
    L"%s %s %s %s-%s %s %s %s : %s %s %s %s-%s %s %s %s | "
    L"%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s";

WORD awTableBarByte   [] =
    L"\r\n---------|-"
    L"------------------------:-------------------------|-"
    L"----------------";

// WORD mode: cells are grouped in pairs in both sections.
WORD awTableDataWord  [] =
    L"\r\n%s | "
    L"%s%s %s%s-%s%s %s%s : %s%s %s%s-%s%s %s%s | "
    L"%s%s %s%s %s%s %s%s %s%s %s%s %s%s %s%s";

WORD awTableBarWord   [] =
    L"\r\n---------|-"
    L"--------------------:---------------------|-"
    L"-----------------------";

// DWORD mode: cells are grouped in fours in both sections.
WORD awTableDataDword [] =
    L"\r\n%s | "
    L"%s%s%s%s - %s%s%s%s : %s%s%s%s - %s%s%s%s | "
    L"%s%s%s%s %s%s%s%s %s%s%s%s %s%s%s%s";

WORD awTableBarDword  [] =
    L"\r\n---------|-"
    L"--------------------:---------------------|-"
    L"-------------------";

// QWORD mode: the middle section is split as 4-4 : 4-4, the right
// section as two groups of eight.
WORD awTableDataQword [] =
    L"\r\n%s | "
    L"%s%s%s%s-%s%s%s%s : %s%s%s%s-%s%s%s%s | "
    L"%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s";

WORD awTableBarQword  [] =
    L"\r\n---------|-"
    L"------------------:-------------------|-"
    L"-----------------";

// =================================================================
// SPY DEVICE I/O
// =================================================================

// Sends one control request to the spy device and validates the reply
// length.
//
// hDevice  device handle passed to DeviceIoControl
// dCode    I/O control code
// pInput   input buffer, dInput bytes (may be NULL / 0)
// pOutput  output buffer, dOutput bytes
//
// Returns nonzero only if DeviceIoControl succeeds AND the number of
// bytes it reports equals dOutput exactly. A short or oversized reply
// is treated as failure, so callers never interpret a partially filled
// output buffer. No OVERLAPPED structure is passed.
BOOL WINAPI IoControl (HANDLE hDevice,
                       DWORD  dCode,
                       PVOID  pInput,
                       DWORD  dInput,
                       PVOID  pOutput,
                       DWORD  dOutput)
    {
    DWORD dReturned = 0;

    if (!DeviceIoControl (hDevice, dCode,
                          pInput,  dInput,
                          pOutput, dOutput,
                          &dReturned, NULL))
        {
        return FALSE;
        }

    // Accept the reply only when the driver filled the whole buffer.
    return (dReturned == dOutput);
    }

// -----------------------------------------------------------------

// Issues a control request that has no input data and expects exactly
// dOutput bytes in pOutput. Returns the result of IoControl unchanged
// (nonzero on success, zero on failure or on a reply of the wrong size).
BOOL WINAPI ReadBinary (HANDLE hDevice,
                        DWORD  dCode,
                        PVOID  pOutput,
                        DWORD  dOutput)
    {
    BOOL fOk = IoControl (hDevice, dCode,
                          NULL,    0,
                          pOutput, dOutput);

    return fOk;
    }

// -----------------------------------------------------------------

// Requests the CPU information record (SPY_IO_CPU_INFO) from the spy
// device and stores it in *psci. No input data is sent.
// SPY_CPU_INFO_ is defined outside this file; presumably it is the size
// of SPY_CPU_INFO -- confirm, because IoControl rejects any reply whose
// length differs from it.
// Returns nonzero on success, zero otherwise.
BOOL WINAPI ReadCpuInfo (HANDLE        hDevice,
                         PSPY_CPU_INFO psci)
    {
    BOOL fOk = IoControl (hDevice, SPY_IO_CPU_INFO, NULL, 0,
                          psci, SPY_CPU_INFO_);

    return fOk;
    }

// -----------------------------------------------------------------

// Requests the segment record for dSelector (SPY_IO_SEGMENT) from the
// spy device and stores it in *pss. The selector is sent as the input
// buffer of the request.
// DWORD_ and SPY_SEGMENT_ are defined outside this file; presumably
// they are the sizes of DWORD and SPY_SEGMENT -- confirm.
// Returns nonzero on success, zero otherwise.
BOOL WINAPI ReadSegment (HANDLE       hDevice,
                         DWORD        dSelector,
                         PSPY_SEGMENT pss)
    {
    BOOL fOk = IoControl (hDevice, SPY_IO_SEGMENT,
                          &dSelector, DWORD_,
                          pss, SPY_SEGMENT_);

    return fOk;
    }

// -----------------------------------------------------------------

// Asks the spy device (SPY_IO_PHYSICAL) for the physical address that
// belongs to the linear address pLinear and stores it in *ppa.
//
// Returns nonzero only if the request succeeds and the returned address
// is not zero; an all-zero result is reported as failure. *ppa is only
// inspected after a successful request.
// PVOID_ and PHYSICAL_ADDRESS_ are defined outside this file; presumably
// they are the sizes of the corresponding types -- confirm.
BOOL WINAPI ReadPhysical (HANDLE            hDevice,
                          PVOID             pLinear,
                          PPHYSICAL_ADDRESS ppa)
    {
    if (!IoControl (hDevice, SPY_IO_PHYSICAL,
                    &pLinear, PVOID_,
                    ppa, PHYSICAL_ADDRESS_))
        {
        return FALSE;
        }

    // A zero physical address means "no mapping" for the caller.
    if (ppa->LowPart) return TRUE;
    return (ppa->HighPart ? TRUE : FALSE);
    }

// =================================================================
// MEMORY MANAGEMENT
// =================================================================

// Frees a memory data block with LocalFree; a NULL argument is ignored.
// Always returns NULL so that a caller can release and clear its
// pointer in one assignment (p = MemoryRelease (p)), which avoids
// keeping a dangling pointer to the freed block.
PSPY_MEMORY_DATA WINAPI MemoryRelease (PSPY_MEMORY_DATA psmd)
    {
    if (psmd == NULL)
        {
        return NULL;
        }

    LocalFree (psmd);
    return NULL;
    }

// -----------------------------------------------------------------

PSPY_MEMORY_DATA WINAPI MemoryRead (HANDLE hDevice,
                                    PVOID  pAddress,
                                    DWORD  dBytes)
    {
    SPY_MEMORY_BLOCK smb;
    DWORD            dData = SPY_MEMORY_DATA__ (dBytes);
    PSPY_MEMORY_DATA psmd  = NULL;

    if ((psmd = LocalAlloc (LMEM_FIXED, dData)) != NULL)
        {
        smb.pAddress = pAddress;
        smb.dBytes   = dBytes;

        if (!IoControl (hDevice, SPY_IO_MEMORY_DATA,
                        &smb,    SPY_MEMORY_BLOCK_,
                        psmd,    dData))
            {
            psmd = MemoryRelease (psmd);
            }
        }
    return psmd;
