application.Terminate;
end;
end;
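procedure TForm1.GetPEProcessData;
{ Empirically discovers three EPROCESS field offsets for the running kernel and
  publishes them in the unit globals processnameoffset, activelinkoffset and
  debugportoffset.  Each stage copies the first 512 bytes of an EPROCESS through
  ReadProcessMemory on processhandle (opened in FormCreate) and scans that copy:

    1. Image name: the EPROCESS of the first process in the Toolhelp snapshot
       (pid 0 skipped) is searched for that process's executable name; the
       offset is then confirmed against the next two processes.  Names longer
       than 14 characters are not used for the confirmation.
    2. ActiveProcessLinks: process1's EPROCESS is searched for a dword equal to
       process2peprocess+offset, i.e. a forward link pointing at the same field
       inside process2's EPROCESS.  The dword following it in process2's copy
       (its back link, if this is a LIST_ENTRY) must then point back at process1.
    3. DebugPort: emptyprocess.exe is spawned, its EPROCESS is copied before and
       after DebugActiveProcess, and the first dword that went from 0 to a
       kernel-space value (>$80000000) is taken as the debug port.

  Progress and diagnostics are appended to listbox1.  A stage that fails logs
  why and leaves through exit.  The globals are only written on success, so the
  "=0 means not found" checks below assume they were 0 when this runs (they are
  not reset here).  With 'O' as the first command-line argument the log is saved
  to c:\kernellog.txt, but only when every stage succeeded, because the exit
  paths bypass the save.

  All scans and name compares are clamped to the 512 bytes actually read, so no
  candidate offset can ever refer to memory outside the local buffers. }
const
  EPROCESSREADSIZE = 512;  // bytes of each EPROCESS copied into a local buffer
  MAXIMAGENAMELEN = 14;    // longest name the confirmation step trusts the field to hold
var
  ths: thandle;
  pe32: tagProcessentry32;
  process1name: string;
  process1processid: dword;
  process1peprocess: dword;
  process1buffer: array [0..512] of byte;
  process2name: string;
  process2processid: dword;
  process2peprocess: dword;
  process2buffer: array [0..512] of byte;
  process3name: string;
  process3processid: dword;
  process3peprocess: dword;
  process3buffer: array [0..512] of byte;
  nobr: dword;
  a,b,c: boolean;
  p,p2: ^dword;
  offset: dword;
  temp: dword;
  start,namelen: integer;
  idleprocesspeprocess: dword;
  idleprocessbuffer: array [0..512] of byte;
  idleprocesswithdebuggerbuffer: array [0..512] of byte;
  helperexe: string;
  spawned2: boolean;
  si: _startupinfoa;
  pi: _process_information;
  si2: _startupinfoa;
  pi2: _process_information;

  { True when the bytes of buf starting at index at spell name, compared
    case-insensitively one character at a time.  The caller must guarantee that
    at+length(name) does not run past the bytes that were actually read. }
  function NameAt(const buf: array of byte; at: integer; const name: string): boolean;
  var
    k: integer;
  begin
    result := true;
    for k := 1 to length(name) do
      if uppercase(chr(buf[at+k-1])) <> uppercase(name[k]) then
      begin
        result := false;
        break;
      end;
  end;

begin
  listbox1.lines.Add('Get Processlist');
  ths:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  try
    pe32.dwSize:=sizeof(pe32);
    if process32first(ths,pe32) then
    begin
      // pid 0 (presumably the idle pseudo-process) is skipped so process1 is a real one
      if pe32.th32ProcessID<>0 then
      begin
        process1name:=pe32.szExeFile;
        process1processid:=pe32.th32ProcessID;
        process1peprocess:=getpeprocess(process1processid);
      end
      else
      if process32next(ths,pe32) then
      begin
        process1name:=pe32.szExeFile;
        process1processid:=pe32.th32ProcessID;
        process1peprocess:=getpeprocess(process1processid);
      end else
      begin
        listbox1.Lines.Add('Couldn''t get a valid process list(1). No kerneldata can be gathered');
        exit;
      end;

      if process32next(ths,pe32) then
      begin
        process2name:=pe32.szExeFile;
        process2processid:=pe32.th32ProcessID;
        process2peprocess:=getpeprocess(process2processid);
      end else
      begin
        listbox1.Lines.Add('Couldn''t get a valid process list(2). No kerneldata can be gathered');
        exit;
      end;

      if process32next(ths,pe32) then
      begin
        process3name:=pe32.szExeFile;
        process3processid:=pe32.th32ProcessID;
        process3peprocess:=getpeprocess(process3processid);
      end else
      begin
        listbox1.Lines.Add('Couldn''t get a valid process list(3). No kerneldata can be gathered');
        exit;
      end;

      listbox1.Lines.Add('Reading the PEProcess structures');
      a:=ReadProcessmemory(processhandle,pointer(process1peprocess),@process1buffer[0],EPROCESSREADSIZE,nobr);
      b:=ReadProcessmemory(processhandle,pointer(process2peprocess),@process2buffer[0],EPROCESSREADSIZE,nobr);
      c:=ReadProcessmemory(processhandle,pointer(process3peprocess),@process3buffer[0],EPROCESSREADSIZE,nobr);
      if not (a and b and c) then
      begin
        listbox1.Lines.Add('The PEProcess structures could not be read');
        exit;
      end;

      listbox1.Lines.Add('Finding the offset for the name');
      // Plain substring search: every start position is tried on its own, so a
      // partial match that fails cannot hide a real match beginning inside it,
      // and the last start position keeps the whole name inside the copy.
      namelen:=length(process1name);
      if (namelen>0) and (namelen<=EPROCESSREADSIZE) then
        for start:=0 to EPROCESSREADSIZE-namelen do
          if NameAt(process1buffer,start,process1name) then
          begin
            listbox1.Lines.add('name of the process was found at offset '+IntToHex(start,3));
            processnameoffset:=start;
            break;
          end;
      if processnameoffset=0 then
      begin
        listbox1.Lines.Add('The name of the process couldn''t be found in the peprocess structure...');
        exit;
      end;

      listbox1.Lines.Add('Confirming the offset');
      if length(process2name)>MAXIMAGENAMELEN then
        listbox1.Lines.Add('Skipped compare of process2 because of a too big name')
      else if (integer(processnameoffset)+length(process2name)>EPROCESSREADSIZE)
           or (not NameAt(process2buffer,processnameoffset,process2name)) then
      begin
        // either the name would extend past the bytes read, or the bytes there
        // are not this process's name: the candidate offset is rejected
        processnameoffset:=0;
        listbox1.Lines.Add('The offset doesn''t seem to be correct(1). ');
        exit;
      end
      else
        listbox1.Lines.Add('The offset is correct(1)');

      if length(process3name)>MAXIMAGENAMELEN then
        listbox1.Lines.Add('Skipped compare of process3 because of a too big name')
      else if (integer(processnameoffset)+length(process3name)>EPROCESSREADSIZE)
           or (not NameAt(process3buffer,processnameoffset,process3name)) then
      begin
        processnameoffset:=0;
        listbox1.Lines.Add('The offset doesn''t seem to be correct(2). ');
        exit;
      end
      else
        listbox1.Lines.Add('The offset is correct(2)');

      listbox1.Lines.Add('');
      listbox1.Lines.Add('Finding out the activeprocess offset');
      // Look for a forward link in process1's EPROCESS that points at the same
      // field in process2's EPROCESS.  The scan stops at the last whole dword of
      // the 512 bytes read; going further would compare against unrelated stack
      // memory and could produce a bogus hit.
      p:=@process1buffer[0];
      offset:=0;
      while offset+4<=EPROCESSREADSIZE do
      begin
        if p^=process2peprocess+offset then
        begin
          activelinkoffset:=offset;
          listbox1.Lines.Add('The activeprocess linked list is propably at '+IntToHex(offset,3));
          break;
        end;
        inc(p);
        inc(offset,4);
      end;
      if activelinkoffset=0 then
      begin
        listbox1.Lines.Add('I couldn''t find a activelistprocess structure...');
        exit;
      end;
      // the back link is read from the dword after the forward link; it must
      // still lie within the bytes that were copied
      if activelinkoffset+8>EPROCESSREADSIZE then
      begin
        listbox1.Lines.Add('The activeprocess offset lies too close to the end of the read buffer to be verified');
        activelinkoffset:=0;
        exit;
      end;
      temp:=pdword(@process2buffer[activelinkoffset+4])^-activelinkoffset;
      listbox1.Lines.Add('According to process2 the previous peprocess in the list is '+IntToHex(temp,8));
      listbox1.Lines.Add('PEProcess of process1 is at '+IntToHex(process1peprocess,8));
      if temp=process1peprocess then
        listbox1.Lines.Add('This seems to be alright')
      else
      begin
        listbox1.Lines.Add('This isn''t what I was expecting...');
        activelinkoffset:=0;
        exit;
      end;

      listbox1.Lines.Add('');
      listbox1.Lines.Add('Going to figure out the debugport');
      // The helper is expected next to this executable.  Passing a bare file
      // name to CreateProcess would resolve it against the current directory,
      // which anyone able to pick the working directory could seed with a
      // planted emptyprocess.exe, so the path is made explicit here.
      helperexe:=ExtractFilePath(ParamStr(0))+'emptyprocess.exe';
      zeromemory(@si,sizeof(si));
      zeromemory(@pi,sizeof(pi));
      if CreateProcess(pchar(helperexe),nil,nil,nil,false,0,nil,nil,si,pi) then
      begin
        // a second helper keeps the first one's list/thread links from being
        // mistaken for a valid entry on win2k (rationale carried over from the
        // original author; not independently verified)
        zeromemory(@si2,sizeof(si2));
        zeromemory(@pi2,sizeof(pi2));
        spawned2:=CreateProcess(pchar(helperexe),nil,nil,nil,false,0,nil,nil,si2,pi2);
        if not spawned2 then
          listbox1.Lines.Add('Warning: failed to spawn the second helper process');
        try
          idleprocesspeprocess:=getpeprocess(pi.dwProcessId);
          if not readprocessmemory(processhandle,pointer(idleprocesspeprocess),@idleprocessbuffer[0],EPROCESSREADSIZE,nobr) then
          begin
            listbox1.Lines.Add('The peprocess structure of the idle process couldn''t be read');
            exit;
          end;
          listbox1.Lines.Add('The peprocess structure of the idleprocess has been stored. Now going to attach a debugger');
          if debugactiveprocess(pi.dwProcessId) then
          begin
            // give the kernel a moment to finish wiring up the debug object
            sleep(1000);
            if not readprocessmemory(processhandle,pointer(idleprocesspeprocess),@idleprocesswithdebuggerbuffer[0],EPROCESSREADSIZE,nobr) then
            begin
              listbox1.Lines.Add('Failed to get the peprocess structure of the idle process AFTER the debugger was attached. (What kind of shit is this?)');
              exit;
            end;
            listbox1.Lines.Add('Obtained a copy of the peprocess structure WITH and WITHOUT a debugger. Now going to do a compare and hopefully find the debugport');
            // heuristic: the first dword that was 0 before attaching and is a
            // kernel-space value afterwards is taken to be DebugPort
            offset:=0;
            p:=@idleprocessbuffer[0];
            p2:=@idleprocesswithdebuggerbuffer[0];
            while offset+4<=EPROCESSREADSIZE do
            begin
              if (p^=0) and (p2^>$80000000) then
              begin
                debugportoffset:=offset;
                break;
              end;
              inc(p);
              inc(p2);
              inc(offset,4);
            end;
            if debugportoffset=0 then
            begin
              listbox1.Lines.Add('Failed to find the debugport offset');
              exit;
            end;
            Listbox1.Lines.Add('I believe the debugport offset is at '+IntToHex(debugportoffset,3));
          end
          else
          begin
            listbox1.Lines.Add('Failed to attach the debugger');
            exit;
          end;
        finally
          if spawned2 then
          begin
            terminateprocess(pi2.hProcess,0);
            closehandle(pi2.hThread);
            closehandle(pi2.hProcess);
          end;
          // the first helper is left running: it is now a debuggee of this
          // process and is presumably torn down with it (DebugActiveProcess
          // default) -- only our handles to it are released here
          closehandle(pi.hThread);
          closehandle(pi.hProcess);
        end;
      end
      else listbox1.Lines.Add('Failed to spawn the idle process');
    end else
    begin
      listbox1.Lines.Add('Couldn''t get a process list. No kerneldata can be gathered');
      exit;
    end;
  finally
    closehandle(ths);
  end;

  // optional log dump; only reached when every stage above succeeded
  if (paramcount>0) and (ParamStr(1)='O') then
    listbox1.Lines.SaveToFile('c:\kernellog.txt');
end;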
procedure TForm1.FormCreate(Sender: TObject);
{ One-time setup before the form is shown.  In order:
    - warns that the probing done by this tool may crash the machine and ends
      the process with exit code 1 if the user declines;
    - resets the phase/ok state used by the syscall-number retriever;
    - creates the named, pagefile-backed (hFile = INVALID_HANDLE_VALUE) shared
      memory block 'SystemCallInfo', maps it and publishes this form's window
      handle in it; exit code 2 if no view could be mapped;
    - calls UseDBKOpenProcess/UseDBKReadWriteMemory (presumably routing those
      APIs through the DBK driver) and opens a handle to the current process
      that the rest of the unit reads kernel memory through;
    - asks GetSdtshadow for the shadow SSDT and reads the dword at sdtshadow+12
      into Paramlist, logging when that fails.

  NOTE(review): the mapping is created by name in the default (session-local)
  namespace with no security descriptor.  CreateFileMapping returns an already
  existing object of that name, so a process in the same session that created
  'SystemCallInfo' first would be shared with silently -- make sure the other
  side of this channel is trusted before relying on what it writes there.
  NOTE(review): a failed OpenProcess only shows a message box and execution
  continues; the later reads on a zero processhandle are expected to fail and
  be reported by their own callers. }
var
  bytesread: dword;
  answer: integer;
begin
  answer := Messagedlg('This application will try to find out some information about your current system and may crash if something unexpected happens. It''s best to save your data before going further. Continue?',mtConfirmation,[mbyes,mbno],0);
  if answer = mrno then
    terminateprocess(getcurrentprocess,1);

  listbox1.Lines.Add('Initializing data structures');
  phase := 0;
  ok := false;

  SharedMemMapping := CreateFileMapping($FFFFFFFF,nil,PAGE_READWRITE,0,sizeof(tsharedmem),'SystemCallInfo');
  SharedMem := MapViewOfFile(SharedMemMapping,FILE_MAP_ALL_ACCESS,0,0,0);
  if sharedmem <> nil then
  begin
    sharedmem^.Infunction := false;
    sharedmem^.RetrieverWindowHandle := handle;
  end
  else
  begin
    showmessage('The systemcallnumber retriever failed to initialize');
    terminateprocess(getcurrentprocess,2);
  end;

  Listbox1.Lines.Add('Opening the windows kernel');
  UseDBKOpenProcess;
  UseDBKReadWriteMemory;
  processhandle := OpenProcess(process_all_access,true,getcurrentprocessid);
  if processhandle = 0 then
    showmessage('this process couldn''t be opened');

  sdtshadow := GetSdtshadow;
  if sdtshadow = 0 then
  begin
    listbox1.Lines.Add('No SDTShadow found. So no window stealth possible');
    exit;
  end;
  // the 12 check mirrors a zero sdtshadow; the read overwrites Paramlist in place
  Paramlist := sdtshadow+12;
  if (paramlist = 12) or (not ReadProcessMemory(processhandle,pointer(paramlist),@paramlist,4,bytesread)) then
    listbox1.Lines.Add('The SDTShadow table that was reported to be found isn''t valid. No stealth...');
end;
procedure TForm1.Timer1Timer(Sender: TObject);
{ Periodic kick for the syscall-number retriever: posts WM_USER+1 (wParam 1,
  lParam 0) to the window handle published in the shared memory block.
  FormCreate stores this form's own handle there, so the message normally
  arrives back at this window.  Enabled from FormShow once the kernel
  offsets have been gathered. }
begin
  with sharedmem^ do
    postmessage(RetrieverWindowHandle, WM_USER + 1, 1, 0);
end;
procedure TForm1.Timer2Timer(Sender: TObject);
{ Advances progressbar1 by its configured step on every tick; purely visual
  feedback while the call-number retrieval runs. }
begin
  ProgressBar1.StepIt();
end;
procedure TForm1.FormShow(Sender: TObject);
{ Kicks off the actual work once the window is visible: lets the queued
  window messages run first so the log is on screen, then gathers the
  EPROCESS offsets.  When a shadow SSDT was found in FormCreate the
  call-number retrieval is started as well (a tdebugger thread plus timer1);
  otherwise the user is told the tool is finished. }
begin
  application.ProcessMessages;
  GetPEProcessData;

  if sdtshadow = 0 then
  begin
    listbox1.Lines.Add('Done! You can close this window now');
    exit;
  end;

  listbox1.Lines.Add('Going to retrieve some callnumbers used inside windows.');
  listbox1.Lines.Add('This will take a while and you may see the progressbar at the bottom go completly full 4 times');
  debugger := tdebugger.Create(false);
  timer1.Enabled := true;
end;
end.