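 /// <summary>
 /// Sends one control message to the driver and shows an error dialog when the send fails.
 /// The message's own <c>Type</c> is used as the control code, as every other caller in this file does.
 /// </summary>
 /// <param name="message">Fully populated message to send.</param>
 private void SendControlMessageThread(B_MESSAGE_FORM message)
 {
     if (SendControlMessage(message.Type, message))
     {
         return;
     }

     // "X4" is the standard hexadecimal format. The original "4X" is a *custom* format string whose
     // characters are copied literally, so the dialog printed "0x4X" instead of the control code.
     MessageBox.Show(String.Format("Failed to send a control message : 0x{0:X4}", message.Type), "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
 }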
        /// <summary>
        /// Asks the driver for a byte stream and allocates <c>dumpedByteStream</c> to receive it.
        /// Only one dump may be in flight: while the previous buffer is still present an error dialog
        /// is shown and nothing is requested.
        /// </summary>
        /// <param name="Type">Request kind: GET_BYTE_STREAM (raw address range) or GET_KERNEL_OBJECT_CONTENTS (named object).</param>
        /// <param name="ObjectName">Kernel object name; only used for GET_KERNEL_OBJECT_CONTENTS.</param>
        /// <param name="StartAddress">Start of the range; only used for GET_BYTE_STREAM and must be non-zero there.</param>
        /// <param name="Size">Length of the range in bytes; only used for GET_BYTE_STREAM and must be non-zero there.</param>
        /// <returns>
        /// True when the request was handed to the driver, false otherwise. The value is only meant for UI
        /// feedback: on failure the receive buffer is released by the communication thread, not here.
        /// </returns>
        private bool GetByteStreamFromKernel(ushort Type, string ObjectName, uint StartAddress, uint Size = 0)
        {
            // NOTE (from original author): a dedicated "dump in progress" flag would be cleaner than
            // overloading the buffer reference for that purpose.
            if (dumpedByteStream != null)
            {
                MessageBox.Show("The last 'dumpedBytestream' Buffer still remains.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
                return false;
            }

            bool requested = false;

            if (Type == GET_BYTE_STREAM)
            {
                // A raw range needs both an address and a length.
                if (StartAddress != 0 && Size != 0)
                {
                    B_MESSAGE_FORM request = new B_MESSAGE_FORM();
                    request.Address = StartAddress;
                    request.Size    = Size;
                    request.Type    = Type;

                    // Allocated up front (Size is used directly as the length) so the
                    // communication thread has somewhere to put the incoming chunks.
                    dumpedByteStream = new byte[request.Size];
                    requested        = SendControlMessage(Type, request);
                }
            }
            else if (Type == GET_KERNEL_OBJECT_CONTENTS)
            {
                if (ObjectName != null)
                {
                    U_MESSAGE_FORM request = new U_MESSAGE_FORM();

                    // The object size comes from the registered layout table; 0 is treated as "nothing to request".
                    request.Size = kernelObjects.GetObjectSize(ObjectName);
                    if (request.Size != 0)
                    {
                        request.uMessage = ObjectName;
                        request.Type     = Type;

                        dumpedByteStream = new byte[request.Size];
                        requested        = SendControlMessage(Type, request);
                    }
                }
            }
            // Any other Type is ignored and reports false.

            return requested;
        }
        /// <summary>
        /// Receive loop of the communication thread. Reads one driver message at a time and dispatches
        /// it by <c>Type</c> until a receive fails; the loop then ends and, unless this side terminated
        /// deliberately, the user is told the driver link is gone.
        /// </summary>
        private void CommunicationRoutine()
        {
            do
            {
                // A fresh message object per receive; the driver fills it in place ([In, Out]).
                B_MESSAGE_FORM incoming = new B_MESSAGE_FORM();

                if (!ReceiveMessage(incoming))
                {
                    // A failed receive ends the loop: the while condition below sees the cleared flag.
                    isCommunicationThreadStarted = false;
                    continue;
                }

                if (incoming.Type == INITIALIZE_COMMUNICATION)
                {
                    isCommunicationThreadStarted = true;
                }
                else if (incoming.Type == URGENT_GET_REQUIRED_OFFSET)
                {
                    // The payload is a raw REQUIRED_OFFSET structure.
                    GetRequiredOffsets((REQUIRED_OFFSET)ByteToStructure(incoming.bMessage, typeof(REQUIRED_OFFSET)));
                }
                else if (incoming.Type == GET_KERNEL_OBJECT_CONTENTS)
                {
                    ShowKernelObjectContents(incoming);
                }
                // Every other message type is ignored.
            }
            while (isCommunicationThreadStarted);

            if (!isOwnTermination)
            {
                // NOTE(review): this assignment is a no-op here (the flag is already false). It may have
                // been meant to reset the flag after a deliberate termination, i.e. in the opposite case — confirm.
                isOwnTermination = false;
                MessageBox.Show("Disconnected with the Driver.\r\nIf you want to continue, You can find the CONNECT Button in the Menu.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }
 // Receives one message from the driver into the caller-supplied object; the [In, Out] marshalling
 // lets the native side fill the fields in place. Returns false when no message could be read,
 // which CommunicationRoutine treats as the driver link being gone. The DllImport attribute for
 // this declaration is expected on the preceding line, outside this excerpt.
 private static extern bool ReceiveMessage([In, Out] B_MESSAGE_FORM message);
 // Sends one control message to the driver. Every caller in this file passes the message's own Type
 // as ctlCode. The object is marshalled [In, Out], so the driver can write back into it; callers read
 // message.Res as a status after a failed send. The DllImport attribute for this declaration is
 // expected on the preceding line, outside this excerpt.
 private static extern bool SendControlMessage(ushort ctlCode, [In, Out] B_MESSAGE_FORM message);
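        /// <summary>
        /// Toggles the target process. While the button reads "Select", the single highlighted row of
        /// <c>lvProcessList</c> is sent to the driver as the target and its _EPROCESS dump is requested;
        /// otherwise the target is released and the list view is restored.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void bSelect_Click(object sender, EventArgs e)
        {
            if (bSelect.Text == "Select")
            {
                SelectHighlightedProcess();
            }
            else
            {
                DeselectTargetProcess();
            }
        }

        /// <summary>
        /// Sends the highlighted list-view row to the driver as the target process and, on success,
        /// requests its _EPROCESS contents and switches the UI into the "selected" state.
        /// Does nothing unless exactly one row is highlighted.
        /// </summary>
        private void SelectHighlightedProcess()
        {
            if (lvProcessList.SelectedItems.Count != 1)
            {
                return;
            }

            var    selected = lvProcessList.SelectedItems[0];
            string name     = selected.SubItems[0].Text.Trim();
            string pidText  = selected.SubItems[1].Text.Trim();

            // The message carries the PID in a 16-bit field although the kernel stores it as 4 bytes
            // (noted by the original author). Convert.ToUInt16 threw an unhandled OverflowException
            // for PIDs above 0xFFFF from inside the click handler; reject them explicitly instead.
            ushort pid;
            if (!ushort.TryParse(pidText, out pid))
            {
                MessageBox.Show(String.Format("The PID '{0}' does not fit the 16-bit message field.", pidText), "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            U_MESSAGE_FORM message = new U_MESSAGE_FORM();
            message.uMessage = name;
            message.Res      = pid;
            message.Type     = SELECT_TARGET_PROCESS;

            if (!SendControlMessage(SELECT_TARGET_PROCESS, message))
            {
                // After a failed send Res carries a status; 0x89 means the driver failed to get the offsets.
                // NOTE (from original author): this dialog appears too late and should be handled per case;
                // the TEST value read from the driver is 0.
                if (message.Res != 0x89)
                {
                    MessageBox.Show("Failed to find this Process.", "Failed", MessageBoxButtons.OK, MessageBoxIcon.Information);
                }
                return;
            }

            // Parse the EPROCESS.
            if (!GetByteStreamFromKernel(GET_KERNEL_OBJECT_CONTENTS, "_EPROCESS", 0))
            {
                // The dump could not be requested: release the target again so driver and UI agree.
                message.Type = DESELECT_TARGET_PROCESS;
                SendControlMessage(DESELECT_TARGET_PROCESS, message);
                return;
            }

            tSelectedProcess.Text = "[" + pidText + "] " + selected.SubItems[0].Text;

            string thirdColumn = selected.SubItems[2].Text;
            if (thirdColumn.Contains(":::"))
            {
                // Show whatever follows the ":::" marker of the third column.
                tSelectedProcess.Text += (" -" + thirdColumn.Remove(0, 3));
            }

            bSelect.Text             = "Deselect";
            bSelect.BackColor        = Color.LightCoral;
            lvProcessList.Visible    = false;
            tSelectedProcess.Enabled = false;
        }

        /// <summary>
        /// Releases the target process in the driver, clears the current dump and the _EPROCESS tree,
        /// and returns the UI to its "Select" state with a refreshed process list.
        /// </summary>
        private void DeselectTargetProcess()
        {
            // TODO (from original author): UI-related resources still need to be cleaned up here.
            B_MESSAGE_FORM message = new B_MESSAGE_FORM();
            message.Type = DESELECT_TARGET_PROCESS;
            SendControlMessage(DESELECT_TARGET_PROCESS, message);   // return value deliberately ignored

            InitializeCurrentDump();

            this.tabProcess.SelectedIndex = 0;
            this.tvEprocess.Nodes.Clear();      // TODO (from original author): clear every tree, not only _EPROCESS.

            bSelect.Text          = "Select";
            bSelect.BackColor     = SystemColors.Control;
            lvProcessList.Visible = true;
            GetProcess();

            tSelectedProcess.Enabled = true;
            tSelectedProcess.Focus();
            tSelectedProcess.SelectAll();
        }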
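        /// <summary>
        /// Handles one GET_KERNEL_OBJECT_CONTENTS chunk from the driver. Chunks must arrive contiguously
        /// (each <c>Address</c> equals the stream start plus the bytes received so far) and fit the buffer
        /// allocated by <c>GetByteStreamFromKernel</c>; any violation, or a non-zero <c>Res</c>, aborts the
        /// dump. When the last byte arrives the object is parsed into the tree of the current tab.
        /// </summary>
        /// <param name="message">Chunk from the driver: Address, Size, Res and the payload in bMessage.</param>
        private void ShowKernelObjectContents(B_MESSAGE_FORM message)
        {
            if (dumpedByteStream == null)
            {
                // No dump is in progress for this chunk.
                // NOTE (from original author): decide together with the error path above whether data
                // received before an error should still be displayed.
                MessageBox.Show("The 'dumpedByteStream' Buffer does not exist.\r\nTHIS MESSAGE IS FOR TEST.", "Error");
                InitializeCurrentDump();
                return;
            }

            // The first chunk of a dump fixes the stream's base address.
            if (receivedByteStreamLength == 0)
            {
                startAddressForThisStream = message.Address;
            }

            if (!IsChunkAcceptable(message))
            {
                // NOTE (from original author): could be changed to display the data received so far instead.
                InitializeCurrentDump();

                // Res 0x89 means the driver failed to get an offset; that case is not reported here.
                if (message.Res != 0x89)
                {
                    MessageBox.Show(String.Format("Error occured while dumping at 0x{0:X8}.", message.Address), "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
                }
                return;
            }

            // Store the chunk at its offset within the stream (the contiguity check above
            // guarantees this offset equals the number of bytes already received).
            long chunkOffset = (long)(message.Address - startAddressForThisStream);
            Array.Copy(message.bMessage, 0L, dumpedByteStream, chunkOffset, (long)message.Size);
            receivedByteStreamLength += message.Size;

            if (receivedByteStreamLength == dumpedByteStream.Length)
            {
                ShowCompletedDump();
            }
        }

        /// <summary>
        /// Validates one chunk against the dump in progress: the driver reported no error, the chunk
        /// continues exactly where the previous one ended, its payload buffer really holds
        /// <c>Size</c> bytes, and it does not run past the end of <c>dumpedByteStream</c>.
        /// </summary>
        /// <param name="message">Chunk to validate.</param>
        /// <returns>True when the chunk may be copied into the dump buffer.</returns>
        private bool IsChunkAcceptable(B_MESSAGE_FORM message)
        {
            if (message.Res != 0)
            {
                return false;
            }

            // Contiguity: the chunk must start where the previous one ended.
            if (startAddressForThisStream + receivedByteStreamLength != message.Address)
            {
                return false;
            }

            // The copy reads Size bytes from bMessage, so that buffer must exist and be large enough
            // (the original loop would have thrown IndexOutOfRangeException on the communication thread).
            if (message.bMessage == null || message.Size > message.bMessage.Length)
            {
                return false;
            }

            // Widen before adding: in the original the uint sum could wrap for a very large Size and
            // slip under the buffer length, defeating the bounds check.
            return (long)receivedByteStreamLength + message.Size <= dumpedByteStream.Length;
        }

        /// <summary>
        /// Called once every byte of the dump has arrived: picks the tree that belongs to the current
        /// tab (only the _EPROCESS tab is wired up) and fills it from the registered object layout.
        /// </summary>
        private void ShowCompletedDump()
        {
            TreeView currentTree       = null;
            string   currentObjectName = null;

            // Tab 0 is _EPROCESS; no other tab has a tree yet.
            if (this.tabProcess.SelectedIndex == 0)
            {
                currentTree       = this.tvEprocess;
                currentObjectName = "_EPROCESS";
            }

            if (currentTree == null)
            {
                return;
            }

            int registeredIndex = KernelObjects.IndexOfThisObject(KernelObjects.Registered, currentObjectName);
            if (registeredIndex == -1)
            {
                return;
            }

            // Parsing start: the first line is treated as the root label, each later line as a
            // '!'-separated field description (see PopulateObjectTree).
            List<string> parsed = KernelObjects.Registered[registeredIndex].ShowFieldsInfo(true);
            if (parsed == null || parsed.Count < 2)
            {
                return;
            }

            PopulateObjectTree(currentTree, parsed);
        }

        /// <summary>
        /// Builds the tree for one parsed object: <paramref name="parsed"/>[0] becomes the root; every
        /// later line is split on '!' — the first piece becomes a child of the root and the remaining
        /// pieces become children of that (last added) node. Lines that split into nothing are skipped.
        /// </summary>
        /// <param name="tree">Tree view to fill.</param>
        /// <param name="parsed">Lines from ShowFieldsInfo; must hold at least two entries.</param>
        private void PopulateObjectTree(TreeView tree, List<string> parsed)
        {
            AppendTree(tree, new TreeNode(parsed[0]));

            for (int i = 1; i < parsed.Count; i++)
            {
                string[] pieces = parsed[i].Split(new char[] { '!' }, StringSplitOptions.RemoveEmptyEntries);
                if (pieces.Length == 0)
                {
                    // An empty or all-'!' line would have indexed pieces[0] out of range in the original.
                    continue;
                }

                AppendTree(tree, new TreeNode(pieces[0]), tree.Nodes[0].Nodes);

                // Remaining pieces hang under the node just added.
                for (int j = 1; j < pieces.Length; j++)
                {
                    AppendTree(tree, new TreeNode(pieces[j]), tree.Nodes[0].LastNode.Nodes);
                }
            }
        }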