memscan.c

一个用于按键模拟的驱动 利用 port I/O

#include "ntifs.h"
#include <windef.h>
#ifdef CETC
#include "tdiwrapper.h"
#include "kfiles.h"
#endif
#include "memscan.h"
#include "DBKFunc.h"
#include "jumper.h"



BOOLEAN IsAddressSafe(UINT_PTR StartAddress)
{


	//note: Add support for PAE enabled systems
	//return TRUE;
#ifdef AMD64
	return TRUE; //for now
#endif
	MDL x;


	if ((!HiddenDriver) && (StartAddress<0x80000000))
		return TRUE;


    {

		UINT_PTR PTE,PDE;
		struct PTEStruct *x;


	//	PHYSICAL_ADDRESS physical;
	//	physical=MmGetPhysicalAddress((PVOID)StartAddress);
	//	return (physical.QuadPart!=0);


		PTE=(UINT_PTR)StartAddress;
		PTE=PTE/0x1000*PTESize+pagedirstart;

    	//now check if the address in PTE is valid by checking the page table directory at 0xc0300000 (same location as CR3 btw)
	    PDE=PTE/0x1000*PTESize+pagedirstart; //same formula

		x=(PVOID)PDE;
		if ((x->P==0) && (x->A2==0))
		{
			//Not present or paged, and since paging in this area isn't such a smart thing to do just skip it
			//perhaps this is only for the 4 mb pages, but those should never be paged out, so it should be 1
			//bah, I've got no idea what this is used for
			return FALSE;
		}

		if (x->PS==1)
		{
			//This is a 4 MB page (no pte list)
			//so, (startaddress/0x400000*0x400000) till ((startaddress/0x400000*0x400000)+(0x400000-1) ) ) is specified by this page
		}
		else //if it's not a 4 MB page then check the PTE
		{
			//still here so the page table directory agreed that it is a usable page table entry
			x=(PVOID)PTE;
			if ((x->P==0) && (x->A2==0))
				return FALSE; //see for explenation the part of the PDE
		}


		return TRUE;
	}


}

ULONG getPEThread(ULONG threadid)
{
    //UINT_PTR *threadid;
	PETHREAD selectedthread;
	ULONG result=0;


	if (PsLookupThreadByThreadId((PVOID)threadid,&selectedthread)==STATUS_SUCCESS)
	{
		result=(ULONG)selectedthread;
		ObDereferenceObject(selectedthread);
	}

	return result;
}

BOOLEAN WriteProcessMemory(DWORD PID,PEPROCESS PEProcess,PVOID Address,DWORD Size, PVOID Buffer)
{
	NTSTATUS ntStatus=STATUS_SUCCESS;

	PEPROCESS selectedprocess=PEProcess;
	KAPC_STATE apc_state;


	if (selectedprocess==NULL)
	{
		//DbgPrint("WriteProcessMemory:Getting PEPROCESS\n");
        if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)PID,&selectedprocess)))
		   return FALSE; //couldn't get the PID

		//DbgPrint("Retrieved peprocess");
	}

	//selectedprocess now holds a valid peprocess value
	__try
	{
		unsigned int temp=(unsigned int)Address;

		RtlZeroMemory(&apc_state,sizeof(apc_state));

    	KeAttachProcess((PEPROCESS)selectedprocess);

        __try
        {
			char* target;
			char* source;
			unsigned int i;

			//DbgPrint("Checking safety of memory\n");

			if ((!IsAddressSafe((ULONG)Address)) || (!IsAddressSafe((ULONG)Address+Size)))
				return FALSE; //if the first or last byte of this region is not safe then exit; //I know I should also check the regions inbetween, but since my own dll doesn't request more than 512 bytes it wont overlap

    		//still here, then I gues it's safe to read. (But I can't be 100% sure though, it's still the users problem if he accesses memory that doesn't exist)

			//DbgPrint("Copying memory to target\n");
			target=Address;
			source=Buffer;
			for (i=0; i<Size; i++)
			{
               target[i]=source[i];
			}

			ntStatus = STATUS_SUCCESS;
		}
		__finally
		{
			KeDetachProcess();
		}
	}
	__except(1)
	{
		//DbgPrint("Error while writing\n");
		ntStatus = STATUS_UNSUCCESSFUL;
	}

	if (PEProcess==NULL) //no valid peprocess was given so I made a reference, so lets also dereference
		ObDereferenceObject(selectedprocess);



	return NT_SUCCESS(ntStatus);
}


BOOLEAN ReadProcessMemory(DWORD PID,PEPROCESS PEProcess,PVOID Address,DWORD Size, PVOID Buffer)
{
	NTSTATUS ntStatus=STATUS_SUCCESS;

	PEPROCESS selectedprocess=PEProcess;
	KAPC_STATE apc_state;


//	if ((DWORD)PsGetCurrentProcessId() != PID)
		//return FALSE;

	DbgPrint("[M100] %x",(PVOID)PID);
	if (PEProcess==NULL)
	{
		//DbgPrint("ReadProcessMemory:Getting PEPROCESS\n");
		DbgPrint("[M110] %x",(PVOID)PID);
        if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)PID,&selectedprocess)))
		   return FALSE; //couldn't get the PID

		DbgPrint("[M111]");
		//DbgPrint("Retrieved peprocess");
	}

	//selectedprocess now holds a valid peprocess value
	__try
	{
		unsigned int temp=(unsigned int)Address;

		DbgPrint("[M120] %x",temp);

		RtlZeroMemory(&apc_state,sizeof(apc_state));

		RtlZeroMemory(Buffer,Size);
    	KeAttachProcess((PEPROCESS)selectedprocess);

        __try
        {
			char* target;
			char* source;
			unsigned int i;

			//DbgPrint("Checking safety of memory\n");
			DbgPrint("[M130]");

			if ((!IsAddressSafe((ULONG)Address)) || (!IsAddressSafe((ULONG)Address+Size)))
				return FALSE; //if the first or last byte of this region is not safe then exit;

    		//still here, then I gues it's safe to read. (But I can't be 100% sure though, it's still the users problem if he accesses memory that doesn't exist)

			DbgPrint("[M131]");
			//DbgPrint("Copying memory to target\n");
			target=Buffer;
			source=Address;
			for (i=0; i<Size; i++)
			{
               target[i]=source[i];
			}

			ntStatus = STATUS_SUCCESS;
		}
		__finally
		{
			KeDetachProcess();
		}
	}
	__except(1)
	{
		//DbgPrint("Error while reading\n");
		DbgPrint("[M140]");
		ntStatus = STATUS_UNSUCCESSFUL;
	}

	if (PEProcess==NULL) //no valid peprocess was given so I made a reference, so lets also dereference
	{
		ObDereferenceObject(selectedprocess);
	}

	DbgPrint("[M150]");
	return NT_SUCCESS(ntStatus);
}

BOOLEAN GetMemoryRegionData(DWORD PID,PEPROCESS PEProcess, PVOID mempointer,ULONG *regiontype, DWORD *memorysize,DWORD *baseaddress)
{
	NTSTATUS ntStatus=STATUS_SUCCESS;

	UINT_PTR StartAddress;
	KAPC_STATE apc_state;

	struct PTEStruct *PPTE,*PPDE;
	PEPROCESS selectedprocess=PEProcess;

	if (PEProcess==NULL)
	{
		//DbgPrint("GetMemoryRegionData:Getting PEPROCESS\n");
        if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)PID,&selectedprocess)))
		   return FALSE; //couldn't get the PID

		//DbgPrint("Retrieved peprocess");
	}

	StartAddress=(UINT_PTR)mempointer;

	*baseaddress=((StartAddress) /0x1000) *0x1000;

	//switch context to the target process

	RtlZeroMemory(&apc_state,sizeof(apc_state));

	__try
	{
		KeAttachProcess((PEPROCESS)selectedprocess);
		__try
		{
			//do my stuff here

			(UINT_PTR)PPTE=*baseaddress / 0x1000 *PTESize+0xc0000000;
			(UINT_PTR)PPDE=((UINT_PTR)PPTE) / 0x1000 *PTESize+0xc0000000;

			//DbgPrint("PPTE=%p\nPPDE=%p\n",PPTE,PPDE);
			if ((PPDE->P==0) && (PPDE->A2==0))
			{
				//Not paged
    			//thats 4KB of PTE, wich is 1024 PTE's wich is 4096*1024 bytes wich is 4MB non-paged memory(in case of PAE obnlt 512 PTE's wich is 4096*512=2MB)
				UINT_PTR BaseAddressOfPDE;

				BaseAddressOfPDE=(((UINT_PTR)PPDE)-0xc0000000)/PTESize * 0x1000 ; //=address of pte (if it had one)
				BaseAddressOfPDE=((BaseAddressOfPDE)-0xc0000000)/PTESize * 0x1000 ; //=*baseaddress that this PDE points too . (Actually, just looking at the last 3 hex digits and filling the rest with 0's should also have worked)

				*memorysize=PAGE_SIZE_LARGE-(*baseaddress-BaseAddressOfPDE);
				*regiontype=PAGE_NOACCESS;
				(UINT_PTR)PPDE=(UINT_PTR)PPDE+PTESize;  //perhaps PPDE++ also works but at least I'm sure this works
				(UINT_PTR)PPTE=((UINT_PTR)(PPDE)-0xc0000000)/PTESize*0x1000; //point to the first PTE of the new PDE
			}
			else
			if (PPDE->PS) //it's a 4mb page meaning the PTE is invalid
			{
				UINT_PTR BaseAddressOfPDE;

				BaseAddressOfPDE=(((UINT_PTR)PPDE)-0xc0000000)/PTESize * 0x1000 ; //=address of pte (if it had one)
				BaseAddressOfPDE=((BaseAddressOfPDE)-0xc0000000)/PTESize * 0x1000 ; //=*baseaddress that this PDE points too . (Actually, just looking at the last 3 hex digits and filling the rest with 0's should also have worked)
				//find the *baseaddress in this 4 MB page

				*memorysize=PAGE_SIZE_LARGE-(*baseaddress-BaseAddressOfPDE);

				if ((PPDE->P)==0)
				{
					if (PPDE->A2==1)
                        *regiontype=PAGE_EXECUTE_READ;
					else
						*regiontype=PAGE_NOACCESS;
				}
				else
				{
					if (PPDE->RW)
						*regiontype=PAGE_EXECUTE_READWRITE;
					else
		                *regiontype=PAGE_EXECUTE_READ;
				}


                //next PDE
				(UINT_PTR)PPDE=(UINT_PTR)PPDE+PTESize;  //perhaps PPDE++ also works but at least I'm sure this works
				(UINT_PTR)PPTE=((UINT_PTR)(PPDE)-0xc0000000)/PTESize*0x1000; //point to the first PTE of the new PDE
			}
			else
			{
				//4 KB
				*memorysize=0x1000;

				//the PTE is readable
				if ((PPTE->P==0) && (PPTE->A2==0))
					*regiontype=PAGE_NOACCESS;
                else
				{
					if (PPTE->P==1)
					{
						if (PPTE->RW==1)
							*regiontype=PAGE_EXECUTE_READWRITE;
						else
			                *regiontype=PAGE_EXECUTE_READ;
					}
					else
					{
						//not present, but paged
						//and since I don''t know if it's writable or not lets make it readonly
                        *regiontype=PAGE_EXECUTE_READ;
					}
				}

				(UINT_PTR)PPTE=(UINT_PTR)PPTE+PTESize; //next PTE in the list
    			(UINT_PTR)PPDE=((UINT_PTR)PPTE) / 0x1000 *PTESize+0xc0000000;
			}

			//now the location of the PDE and PTE are set as they should and I can scan the rest of the memory
			//DbgPrint("after first check: PPTE=%p\nPPDE=%p\n",PPTE,PPDE);

			while ((UINT_PTR)PPDE<MAX_PDE_POS)
			{
				//DbgPrint("PPTE=%p(%x)\nPPDE=%p(%x)\n",PPTE,(UINT_PTR)PPTE,PPDE,(UINT_PTR)PPDE);
				DbgPrint("Test");

				if (!((PPDE->P==0) && (PPDE->A2==0)))
				{
					//this is a valid PDE
					if (PPDE->PS==1)
					{
                        //it's a 4 MB PDE (so no PTE)
						//now check the protection, if it is the same as *regiontype add 4 MB to the size
						//else break out of the loop
						if (*regiontype==PAGE_EXECUTE_READ)
						{
							if ((PPDE->RW==0) || ((PPDE->P==0) && (PPDE->A2==1)) )  //paged to disk, I gues it's read-only
							{
								// for undetect... start.
								*memorysize+=17;
								*memorysize+=PAGE_SIZE_LARGE;
								*memorysize-=17;
								// for undetect... End.
							}
							else
								break; //not the same protection so let's quit
						}

						if (*regiontype==PAGE_EXECUTE_READWRITE)
						{
							if ((PPDE->RW==1) && (PPDE->P==1) ) //only if it's present in memory.
							{
								// for undetect... start.
								*memorysize+=16;
								*memorysize+=PAGE_SIZE_LARGE;
								*memorysize-=16;
								// for undetect... End.
							}
							else
								break;
						}

						if (*regiontype==PAGE_NOACCESS)
						{
							if ((PPDE->P==0) && (PPDE->A2==0))
							{
								// for undetect... start.
								*memorysize+=15;
								*memorysize+=PAGE_SIZE_LARGE;
								*memorysize-=15;
								// for undetect... End.
							}
							else
								break;
						}


					}
					else
					{
						//the 4MB bit wasn't set
						//this means that we'll have to look through the PTEa PTE follows
						BOOLEAN EverythingOK=TRUE;
						while ((UINT_PTR)PPTE<((((UINT_PTR)(PPDE)+PTESize)-0xc0000000)/PTESize*0x1000)) //while the current PTE isn't in the memorylocation of the next PDE check the memory
						{
							if (*regiontype==PAGE_NOACCESS)
							{
								if ((PPTE->P==0) && (PPTE->A2==0)) //not readable so
								{
    								// for undetect... start.
									*memorysize+=0x300;
									*memorysize-=0x200;
									*memorysize+=0x900;
    								// for undetect... end.
								}
								else
								{
									EverythingOK=FALSE;
									break; //the memory I found IS accessible
								}


							}

							if (*regiontype==PAGE_EXECUTE_READWRITE)
							{
								if ((PPTE->RW==1) || ((PPTE->P==1) || (PPTE->A2==1) ))
								{
    								// for undetect... start.
									*memorysize+=0x300;
									*memorysize-=0x200;
									*memorysize+=0x900;
    								// for undetect... end.
									//*memorysize+=0x1000; //writable or paged
								}
								else
								{
									EverythingOK=FALSE;
									break;
								}


							}