Beispiel #1
        //on load
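        /// <summary>
        /// Form load handler: loads the lookup driver, reads the service table and the
        /// interrupt table through it, fills both list fields, then closes the device
        /// and unloads the driver.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="e">Event arguments; not used.</param>
        private void MainForm_Load(object sender, EventArgs e)
        {
            Driver LookupDriver = new Driver();
            bool deviceOpen = false;

            //load driver as a service
            // NOTE(review): the outcome of Load() is not checked here; confirm how Driver reports a failed load.
            LookupDriver.Load();

            try
            {
                //open a device for the service
                deviceOpen = LookupDriver.Open("\\\\.\\Lookup");
                if (!deviceOpen)
                {
                    statusText.Text = "couldn't open lookup device";
                    return;
                }

                //create the kiServiceTable and get it from ring0
                kiServiceTable = LookupDriver.GetKiServiceTable();

                //resolve every service number into its name from ntdll.dll
                LookupDriver.GetKiServiceNames(kiServiceTable);

                //fill the table into the list field
                FillServiceTableList();

                //same for the interrupt table
                interruptTable = LookupDriver.GetInterruptTable();
                FillIntTableList();
            }
            finally
            {
                // Runs on every exit path, including an exception from one of the
                // lookups above, so the driver and its device do not stay loaded
                // longer than this form needs them.
                if (deviceOpen)
                {
                    //close device handle
                    LookupDriver.Close();
                }

                //unload driver, we don't need it anymore
                LookupDriver.Unload();
            }
        }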
Beispiel #2
        //calls the driver and receives the complete IDT
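        /// <summary>
        /// Asks the driver for the interrupt table and converts the reply into an
        /// <see cref="InterruptTable"/>, resolving a module name for every entry.
        /// </summary>
        /// <returns>
        /// The table built from the reply. If an exception is caught while reading,
        /// a message box is shown and the table holds whatever was added before it.
        /// </returns>
        public unsafe InterruptTable GetInterruptTable()
        {
            //new idt, we will return this object later
            InterruptTable interruptTable = new InterruptTable();

            try
            {
                //our in and out buffer
                byte[] inBuffer = new byte[0];
                byte[] outBuffer = new byte[256 * 4];

                //call driver and receive data
                Interact(IOCTL_GET_INT_TABLE(), inBuffer, outBuffer);

                // Reply layout: one count dword, then one dword per entry, so the
                // buffer has room for (length / 4) - 1 entries.
                // NOTE(review): 256 dwords hold the count plus 255 entries; a
                // 256-entry table would need 257 dwords. Confirm against the driver.
                int maxEntries = (outBuffer.Length / sizeof(uint)) - 1;

                fixed (byte* pOut = outBuffer)        //unmanaged data
                {
                    //first dword is cnt
                    int Count = ((int*)pOut)[0];

                    // The count is supplied by the reply, not by this code. The raw
                    // pointer reads below are not bounds-checked, so cap the count at
                    // what the buffer can actually hold. A negative count simply
                    // skips the loop.
                    if (Count > maxEntries)
                    {
                        Count = maxEntries;
                    }

                    //afterwards is the idt
                    for (int cnt = 0; cnt < Count; cnt++)
                    {
                        //get address
                        uint address = ((uint*)pOut)[cnt + 1];

                        //create new entry
                        InterruptTableEntry entry = new InterruptTableEntry(address);
                        //resolve module name for that address
                        entry.Module = GetModuleName(address);
                        //and add into our table for later display
                        interruptTable.Add(entry);
                    }
                }
            }
            catch (Exception e)
            {
                // The stack trace is shown to the user as-is.
                string msg = e.StackTrace + "\n\n" +
                             e.Message + "\n\n" +
                             e.HelpLink + "\n please contact the developer";

                MessageBox.Show(msg);
            }

            return interruptTable;
        }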
Beispiel #3
        //calls the driver and receives the complete IDT
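        /// <summary>
        /// Requests the interrupt table from the driver and builds an
        /// <see cref="InterruptTable"/> from the reply, one entry per reported
        /// address, each tagged with the module name resolved for it.
        /// </summary>
        /// <returns>
        /// The populated table. When an exception is caught the details are shown
        /// in a message box and the entries collected so far are returned.
        /// </returns>
        public unsafe InterruptTable GetInterruptTable()
        {
            //new idt, we will return this object later
            InterruptTable interruptTable = new InterruptTable();

            try
            {
                //our in and out buffer
                byte[] inBuffer  = new byte[0];
                byte[] outBuffer = new byte[256 * 4];

                //call driver and receive data
                Interact(IOCTL_GET_INT_TABLE(), inBuffer, outBuffer);

                // The reply is a count dword followed by one dword per entry.
                // Reading through BitConverter keeps every access bounds-checked;
                // the method keeps its unsafe modifier only so the signature is unchanged.
                // NOTE(review): this buffer fits the count plus 255 entries; confirm
                // the driver never reports more than that.
                int capacity = (outBuffer.Length / sizeof(uint)) - 1;

                //first dword is cnt
                int reported = BitConverter.ToInt32(outBuffer, 0);

                // The count comes from the reply, so cap it at what the buffer holds
                // instead of reading past the end. A negative count yields no entries.
                int usable = Math.Min(reported, capacity);

                //afterwards is the idt
                for (int index = 0; index < usable; index++)
                {
                    //get address
                    uint address = BitConverter.ToUInt32(outBuffer, (index + 1) * sizeof(uint));

                    //create new entry
                    InterruptTableEntry entry = new InterruptTableEntry(address);
                    //resolve module name for that address
                    entry.Module = GetModuleName(address);
                    //and add into our table for later display
                    interruptTable.Add(entry);
                }
            }
            catch (Exception e)
            {
                // The stack trace is shown to the user as-is.
                string msg = e.StackTrace + "\n\n" +
                             e.Message + "\n\n" +
                             e.HelpLink + "\n please contact the developer";

                MessageBox.Show(msg);
            }

            return interruptTable;
        }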