{
memoryregion[0].Size-=CurrentScan.Start-memoryregion[0].BaseAddress;
TotalSize-=CurrentScan.Start-memoryregion[0].BaseAddress;
memoryregion[0].BaseAddress=CurrentScan.Start;
}
if (memoryregion[memoryregionentries-1].BaseAddress+memoryregion[memoryregionentries-1].Size>CurrentScan.Stop)
{
TotalSize-=(memoryregion[memoryregionentries-1].BaseAddress+memoryregion[memoryregionentries-1].Size)-CurrentScan.Stop;
memoryregion[memoryregionentries-1].Size-=(memoryregion[memoryregionentries-1].BaseAddress+memoryregion[memoryregionentries-1].Size)-CurrentScan.Stop;
}
//DbgPrint("After:TotalSize=%x\nMemoryregion[0].BaseAddress=%x\n",TotalSize,memoryregion[0].BaseAddress);
}
/*
//this works:
mempointer=(PVOID)CurrentScan.Start;
if (((PBYTE)mempointer)[0]==12)
return;
*/
//DbgPrint("Checking the TotalSize:%x\n",TotalSize);
if ((TotalSize==0) || (TotalSize>0xf0000000))
{
//I don't accept 0 memory
//and also not if there is more than 0xf0000000 bytes readable memory (more likely a signed underflow or other bug)
//DbgPrint("Error with memory regions\n");
ScanResultCount(SE_NoMemoryFound);
return;
}
//now start the scan
//DbgPrint("Initializing the progressbar. Totalsize=%d (%x)\n",TotalSize,TotalSize);
UpdateProgressBar(TotalSize,0); //max size of progressbar and the current pos (0) (both devided by 2)
BytesRead=0;
if (CurrentScan.Scantype==ST_Exact_value)
{
//DbgPrint("Scantype=Exact value\n");
}
for (i=0; (i<memoryregionentries) && (CurrentScan.scanning);i++)
{
ULONG StopAddress;
//DbgPrint("Region %d\n",i);
mempointer=(PVOID)(memoryregion[i].BaseAddress);
StopAddress=memoryregion[i].BaseAddress+memoryregion[i].Size;
//adjust the stopaddress so you dont scan unreadable memory
StopAddress-=CurrentScan.scanvaluelength-1;
UpdateProgressBar(TotalSize,BytesRead);
#define MemCheckAndHandle(nr,type,varsize,value) if ( /*it's faster to do this in a seperate code segment for each type, but lets try this first (less code)*/ \
((CurrentScan.Scantype==ST_Exact_value) && (*(##type)mempointer==value)) ||\
((CurrentScan.Scantype==ST_SmallerThan) && (*(##type)mempointer<value)) ||\
((CurrentScan.Scantype==ST_BiggerThan) && (*(##type)mempointer>value))\
)\
{\
/*found one*/ \ /*
DbgPrint("Found one!!!\n");\ */
AddressList[found]=(ULONG)mempointer;\
ValueList##nr[found]=*(##type)mempointer;\
found++;\
if (found==AddressListSize)\
{\ /*
DbgPrint("Writing tempfile\n");\ */
\
/*write the addresses and values to disk*/ \
CETC_Write(addressfile,AddressList,found*4,&iosb);\
CETC_Write(valuefile,ValueList##nr,found*varsize,&iosb);\
\
foundsaved+=found;\
found=0;\
}\
}
while ((ULONG)mempointer<StopAddress)
{
__try
{
switch (CurrentScan.Vartype)
{
case 0:
{
MemCheckAndHandle(0,PBYTE,1,bytevalue);
((ULONG)mempointer)++;
break;
}
case 1: //2 byte
{
MemCheckAndHandle(1,PWORD,2,wordvalue);
if (FastScan)
((ULONG)mempointer)+=2;
else
((ULONG)mempointer)++;
break;
}
case 2: //4 byte
{
MemCheckAndHandle(2,PDWORD,4,dwordvalue);
if (FastScan)
((ULONG)mempointer)+=4;
else
((ULONG)mempointer)++;
break;
}
case 3: //float
{
MemCheckAndHandle(3,float*,4,floatvalue)
if (FastScan)
((ULONG)mempointer)+=4;
else
((ULONG)mempointer)++;
break;
}
case 4: //double
{
MemCheckAndHandle(4,double*,8,doublevalue)
if (FastScan)
((ULONG)mempointer)+=8;
else
((ULONG)mempointer)++;
break;
}
case 6: //int64
{
MemCheckAndHandle(6,PINT64,8,int64value)
if (FastScan)
((ULONG)mempointer)+=8;
else
((ULONG)mempointer)++;
break;
}
case 7:
{
if (RtlCompareMemory(mempointer,stringvalue,CurrentScan.scanvaluelength)==CurrentScan.scanvaluelength)
{
found++;
if (found==AddressListSize)
{
//DbgPrint("Writing tempfile\n");
/*write the addresses to disk*/
CETC_Write(addressfile,AddressList,found*4,&iosb);
foundsaved+=found;
found=0;
}
}
break;
}
default:
((ULONG)mempointer)++;
}
}
__except(1)
{
//unreadable
//DbgPrint("unreadable %p\n",mempointer);
((ULONG)mempointer)+=PAGE_SIZE; //try the next page
//align on the base
(ULONG)mempointer=(ULONG)mempointer/0x1000*0x1000; //shouldn't be neccesary, but lets do it anyhow
}
} //while
BytesRead+=memoryregion[i].Size;
}
//now save the results
if (found>0)
{
//DbgPrint("Writing tempfile\n");
ntStatus=CETC_Write(addressfile,AddressList,found*4,&iosb);
switch (CurrentScan.Vartype)
{
case 0:
{
//write the addresses and values to disk
ntStatus=CETC_Write(valuefile,ValueList0,found,&iosb);
break;
}
case 1:
{
//write the addresses and values to disk
ntStatus=CETC_Write(valuefile,ValueList1,found*2,&iosb);
break;
}
case 2:
{
//write the addresses and values to disk
ntStatus=CETC_Write(valuefile,ValueList2,found*4,&iosb);
break;
}
case 3:
{
//write the addresses and values to disk
ntStatus=CETC_Write(valuefile,ValueList3,found*4,&iosb);
break;
}
case 4:
{
//write the addresses and values to disk
ntStatus=CETC_Write(valuefile,ValueList4,found*8,&iosb);
break;
}
case 6:
{
//write the addresses and values to disk
ntStatus=CETC_Write(valuefile,ValueList6,found*8,&iosb);
break;
}
}
foundsaved+=found;
found=0;
}
//and tell the client the results
//DbgPrint("found=%d and foundsaved=%d\n",found,foundsaved);
if ((found+foundsaved)<=MemscanOptions.max)
{
//read the addresses and values and tell them to the client
//first reposition the file pointer to the start
IO_STATUS_BLOCK isb;
FILE_POSITION_INFORMATION fpi;
int j,k;
fpi.CurrentByteOffset.QuadPart=0;
//DbgPrint("Resetting the file position to 0\n");
ntStatus=ZwSetInformationFile(addressfile,&isb,&fpi,sizeof(FILE_POSITION_INFORMATION),FilePositionInformation);
//DbgPrint("ntStatus=%d",ntStatus);
//read the AddressFile
i=0;
while ((i<MemscanOptions.max) && (i<foundsaved))
{
//DbgPrint("Reading addressfile\n");
//DbgPrint("(foundsaved<AddressListSize)? (foundsaved*4):(AddressListSize*4)=%d\n",(foundsaved<AddressListSize)? (foundsaved*4):(AddressListSize*4));
ntStatus=ZwReadFile(addressfile,NULL,NULL,NULL,&isb,AddressList,(foundsaved<AddressListSize)? (foundsaved*4):(AddressListSize*4),NULL,NULL);
//DbgPrint("ntStatus=%x\n",ntStatus);
//DbgPrint("isb.Information=%d\n",isb.Information);
if (isb.Information>4)
{
j=(int)isb.Information/4;
for (k=0; k<j; k++)
{
switch (CurrentScan.Vartype)
{
case 0://byte
ScanResult(AddressList[k],1);
break;
case 1:
ScanResult(AddressList[k],2);
break;
case 2:
case 3:
ScanResult(AddressList[k],4);
break;
case 4:
case 6:
ScanResult(AddressList[k],8);
break;
case 7:
ScanResult(AddressList[k],CurrentScan.scanvaluelength);
break;
}
//AddressList[k]
}
i+=j;
}
else
{
//DbgPrint("Failed to read AddressList\n");
break;
}
}
FlushScanresultBuffer();
}
ScanResultCount(foundsaved);
}
__finally
{
}
}
__finally
{
//DbgPrint("Detaching\n");
KeDetachProcess();
}
//DbgPrint("returning\n");
}
__finally
{
//End of the thread.
//Free all the used memory and close the files
//DbgPrint("Terminating\n");
//DbgPrint("Free memory\n");
if (memoryregion!=NULL) ExFreePool(memoryregion);
if (AddressList!=NULL) ExFreePool(AddressList);
if (ValueList0!=NULL) ExFreePool(ValueList0);
if (ValueList1!=NULL) ExFreePool(ValueList1);
if (ValueList2!=NULL) ExFreePool(ValueList2);
if (ValueList3!=NULL) ExFreePool(ValueList3);
if (ValueList4!=NULL) ExFreePool(ValueList4);
if (ValueList6!=NULL) ExFreePool(ValueList6);
//DbgPrint("Close files\n");
if (addressfile!=0) ZwClose(addressfile);
if (valuefile!=0) ZwClose(valuefile);
CurrentScan.scanning=FALSE;
CurrentScan.ThreadActive=FALSE;
PsTerminateSystemThread(STATUS_SUCCESS);
}
return;
}
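// Record the scan request in CurrentScan and start the kernel thread that does
// the actual work: UnknownInitialValueScan for ST_Advanced_Scan, FirstScanThread
// for every other scan type. The thread handle is closed right away; the
// thread itself clears CurrentScan.scanning / ThreadActive when it ends.
//
// scanvalue is copied into a fresh paged-pool buffer (CurrentScan.scanvalue,
// scanvaluesize bytes) that the scan thread reads; the buffer left over from
// the previous scan is released first.
//
// Returns TRUE when the scan thread was created, FALSE when the pool
// allocation or PsCreateSystemThread failed (or the __try body raised).
BOOLEAN FirstScan(PEPROCESS ActivePEPROCESS, DWORD start,DWORD stop,BYTE vartype,BYTE scantype,BYTE scanvaluesize,char *scanvalue,BYTE ScanOptions)
{
    BOOLEAN status=FALSE;

    CurrentScan.process=ActivePEPROCESS;
    CurrentScan.Start=start;
    CurrentScan.Stop=stop;
    CurrentScan.Vartype=vartype;
    CurrentScan.Scantype=scantype;
    CurrentScan.ScanOptions=ScanOptions;

    // Leftover from the previous scan (the scan thread does not free it).
    // NOTE(review): if that thread is still running (CurrentScan.ThreadActive),
    // freeing here races with its reads of scanvalue - confirm the caller
    // serializes scans before this function is entered.
    if (CurrentScan.scanvalue!=NULL)
    {
        ExFreePool(CurrentScan.scanvalue);
        CurrentScan.scanvalue=NULL;
    }

    CurrentScan.scanvalue=ExAllocatePoolWithTag(PagedPool,scanvaluesize,0);
    if (CurrentScan.scanvalue==NULL)
        return FALSE; //error

    // NOTE(review): scanvalue is not probed here - presumably the IOCTL path
    // already copied it out of user memory; verify against the caller.
    RtlCopyMemory(CurrentScan.scanvalue,scanvalue,scanvaluesize);
    CurrentScan.scanvaluelength=scanvaluesize;

    __try
    {
        OBJECT_ATTRIBUTES oaCreateThread;
        HANDLE th;
        NTSTATUS threadStatus;

        // Must be TRUE before the thread starts: the scan loop stops as soon
        // as it sees FALSE.
        CurrentScan.scanning=TRUE;

        InitializeObjectAttributes(&oaCreateThread, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
        if (scantype==ST_Advanced_Scan)
        {
            //unknown initial value scan
            threadStatus=PsCreateSystemThread(&th,0L,&oaCreateThread,NULL,NULL,UnknownInitialValueScan,NULL);
        }
        else
        {
            //first scan for value
            threadStatus=PsCreateSystemThread(&th,0L,&oaCreateThread,NULL,NULL,FirstScanThread,NULL);
        }

        if (NT_SUCCESS(threadStatus))
        {
            ZwClose(th); //I dont want this handle (useless anyhow except for setting priority)
            status=TRUE;
        }
        else
        {
            // No thread exists to clear the flag; reset it here so a failed
            // start does not look like a scan in progress.
            CurrentScan.scanning=FALSE;
        }
    }
    __except(1)
    {
        //DbgPrint("Error\n");
    }

    return status;
}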
#endif