Ejemplo n.º 1
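        /// <summary>
        /// Walks the process list and, in every process whose name matches
        /// <paramref name="proccessName"/> and whose bitness this host can handle, installs a
        /// pre-call hook named <c>mshtml.dll!CStyleSheet::Notify</c> at mshtml.dll's base address
        /// plus <c>_RVA</c>. Processes that do not have mshtml.dll loaded are skipped.
        /// </summary>
        /// <param name="proccessName">Executable name to look for (case-insensitive).</param>
        /// <returns>
        /// <c>true</c> when at least one process was hooked; <c>_process</c> then refers to the last
        /// hooked process. <c>false</c> when nothing was hooked; <c>_process</c> is then <c>null</c>.
        /// </returns>
        private bool HookProcess(string proccessName)
        {
            NktProcess       hookedProcess = null;
            NktProcessesEnum candidates    = _spyMgr.Processes();

            for (NktProcess candidate = candidates.First(); candidate != null; candidate = candidates.Next())
            {
                // Process names are identifiers, not linguistic text, so compare ordinally;
                // the static string.Equals also tolerates a null name on either side.
                // The bitness test rejects targets wider than this host process.
                if (!string.Equals(candidate.Name, proccessName, StringComparison.OrdinalIgnoreCase) ||
                    candidate.PlatformBits <= 0 ||
                    candidate.PlatformBits > IntPtr.Size * 8)
                {
                    continue;
                }

                _process = candidate;

                NktModule module = _process.ModuleByName("mshtml.dll");
                if (module == null)
                {
                    // The target has not loaded mshtml.dll: there is nothing to hook in it.
                    continue;
                }

                // IntPtr.Add is pointer-width arithmetic. The previous ToInt32() on the base
                // address throws OverflowException in a 64-bit host as soon as the module is
                // mapped above 2 GB, which the bitness test above explicitly allows.
                IntPtr hookAddress = IntPtr.Add(module.BaseAddress, _RVA.ToInt32());

                // NOTE(review): _RVA is a fixed offset and flgDontCheckAddress presumably makes
                // Deviare skip its own validation of the address (confirm against the Deviare
                // docs). If so, an _RVA taken from a different mshtml.dll build places the hook
                // on unrelated code in the target; verify the module version before hooking.
                NktHook hook = _spyMgr.CreateHookForAddress(
                    hookAddress,
                    "mshtml.dll!CStyleSheet::Notify",
                    (int)(eNktHookFlags.flgRestrictAutoHookToSameExecutable | eNktHookFlags.flgOnlyPreCall | eNktHookFlags.flgDontCheckAddress));

                hook.Attach(_process, true);
                hook.Hook(true);

                hookedProcess = _process;
            }

            // The original fell through to "_process = null; return false" even after a
            // successful hook, so callers could never observe success or use _process.
            _process = hookedProcess;
            return hookedProcess != null;
        }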
Ejemplo n.º 2
        /// <summary>
        /// Populates the module combo box the first time it is dropped down: one entry per module
        /// of <c>_process</c>, with the matching <c>NktModule</c> objects kept in the control's
        /// <c>Tag</c> in the same order as the displayed names.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void comboBoxModules_DropDown(object sender, EventArgs e)
        {
            // Already filled by an earlier drop-down: keep the existing list.
            if (comboBoxModules.Items.Count != 0)
            {
                return;
            }

            // The Tag is set before enumeration starts, so it is non-null from here on
            // even if the process turns out to have no modules.
            List <NktModule> loadedModules = new List <NktModule>();
            comboBoxModules.Tag = loadedModules;

            // NOTE(review): _process is dereferenced without a null check; confirm that the
            // drop-down cannot be opened before a process has been selected.
            NktModulesEnum enumerator = _process.Modules();
            for (NktModule current = enumerator.First(); current != null; current = enumerator.Next())
            {
                comboBoxModules.Items.Add(current.Name);
                loadedModules.Add(current);
            }
        }
Ejemplo n.º 3
 /// <summary>
 /// Builds a <c>RunningModule</c> from a Deviare module descriptor, copying its path, name
 /// and base address and associating it with the given process and spy manager.
 /// </summary>
 /// <param name="module">Deviare module whose Path, Name and BaseAddress are read.</param>
 /// <param name="aProcess">Process passed through to the new <c>RunningModule</c>.</param>
 /// <param name="aSpyManager">Spy manager passed through to the new <c>RunningModule</c>.</param>
 /// <returns>The newly created <c>RunningModule</c>, typed as <c>Module</c>.</returns>
 public static Module From(NktModule module, IRunningProcess aProcess, ISpyManager aSpyManager)
 {
     // NOTE(review): module is dereferenced without a null check.
     var modulePath = module.Path;
     var moduleName = module.Name;
     var moduleBase = module.BaseAddress;

     Module wrapped = new RunningModule(modulePath, moduleName, moduleBase, aProcess, aSpyManager);
     return wrapped;
 }
Ejemplo n.º 4
 /// <summary>
 /// Factory that wraps a Deviare <c>NktModule</c> in a <c>RunningModule</c>, taking the
 /// module's Path, Name and BaseAddress and attaching the supplied process and spy manager.
 /// </summary>
 /// <param name="module">Source Deviare module; must not be null (it is dereferenced directly).</param>
 /// <param name="aProcess">Owning process handed to the <c>RunningModule</c> constructor.</param>
 /// <param name="aSpyManager">Spy manager handed to the <c>RunningModule</c> constructor.</param>
 /// <returns>A new <c>RunningModule</c> instance.</returns>
 public static Module From(NktModule module, IRunningProcess aProcess, ISpyManager aSpyManager)
 {
     Module result = new RunningModule(
         module.Path,
         module.Name,
         module.BaseAddress,
         aProcess,
         aSpyManager);

     return result;
 }
Ejemplo n.º 5
        /// <summary>
        /// Returns the <c>Size</c> that Deviare reports for the named module of <c>_process</c>.
        /// </summary>
        /// <param name="moduleName">Module name handed to <c>ModuleByName</c>.</param>
        /// <returns>The module's <c>Size</c> property, as an <see cref="IntPtr"/>.</returns>
        private IntPtr GetModuleSize(string moduleName)
        {
            // NOTE(review): the lookup result is used without a null check, so if ModuleByName
            // returns null for a module that is not loaded this throws NullReferenceException.
            return _process.ModuleByName(moduleName).Size;
        }
Ejemplo n.º 6
        /// <summary>
        /// Returns the <c>BaseAddress</c> that Deviare reports for the named module of
        /// <c>_process</c>.
        /// </summary>
        /// <param name="moduleName">Module name handed to <c>ModuleByName</c>.</param>
        /// <returns>The module's <c>BaseAddress</c> property.</returns>
        private IntPtr GetModuleBase(string moduleName)
        {
            // NOTE(review): the lookup result is used without a null check, so if ModuleByName
            // returns null for a module that is not loaded this throws NullReferenceException.
            return _process.ModuleByName(moduleName).BaseAddress;
        }
Ejemplo n.º 7
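        /// <summary>
        /// Handles a module selection. Scans the memory range of the module named like the process
        /// (presumably its main executable; confirm) byte by byte for 32-bit values that point into
        /// the selected module's ".text" section. Values whose surrounding bytes pass
        /// <c>isValidPreOpCode</c> and <c>isValidPostOpCode</c> are grouped into candidate tables in
        /// <c>VTableList</c>, and one line per table is added to <c>listBoxVTBL</c>.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void comboBoxModules_SelectedIndexChanged(object sender, EventArgs e)
        {
            int selected = comboBoxModules.SelectedIndex;
            List <NktModule> ModuleList = comboBoxModules.Tag as List <NktModule>;

            // SelectedIndexChanged also fires when the selection is cleared (SelectedIndex == -1),
            // and the Tag is only set once the list has been dropped down. Bail out before
            // touching any UI state instead of throwing on the lookup below.
            if (ModuleList == null || selected < 0 || selected >= ModuleList.Count)
            {
                return;
            }

            // The combo box is not re-enabled in this method.
            comboBoxModules.Enabled = false;

            NktModule module = ModuleList[selected];

            NktStructPESections sections = module.Sections();
            int nSectionCode             = 0;

            // Locate the ".text" section of the selected module.
            // NOTE(review): if no section is named ".text", index 0 is used silently.
            for (int n = 0; n < sections.Count; n++)
            {
                if (sections.get_Name(n) == ".text")
                {
                    nSectionCode = n;
                    break;
                }
            }

            SecStartAddress = (UInt64)sections.get_StartAddress(nSectionCode);
            SecEndAddress   = (UInt64)sections.get_EndAddress(nSectionCode);

            // The scanned range is the module whose name equals the process name, not the
            // module selected in the combo box.
            ModStartAddress = (UInt64)GetModuleBase(_process.Name);
            ModEndAddress   = ModStartAddress + (UInt64)GetModuleSize(_process.Name);

            NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);

            uint  nvtable    = 0;
            ulong tmpAddress = 0;
            VTBL  vtbl;

            vtbl.Address    = 0;
            vtbl.ValuesList = null;

            // Only used for progress reporting. It is non-zero whenever the loop body runs,
            // because the loop condition requires ModStartAddress < ModEndAddress.
            UInt64 scanLength = ModEndAddress - ModStartAddress;

            // NOTE(review): this runs on the UI thread, performs one cross-process read per byte
            // offset, and the 4-byte read at the last offsets extends up to 3 bytes past
            // ModEndAddress.
            for (UInt64 CurAddress = ModStartAddress; CurAddress < ModEndAddress; CurAddress++)
            {
                // Progress is measured relative to the scanned range. The original divided the
                // absolute address by ModEndAddress, which starts near 100% for any module not
                // mapped at a very low address and can overflow UInt64 for high 64-bit addresses.
                progressBar.Value = (int)((CurAddress - ModStartAddress) * 100 / scanLength);

                // Candidate pointers are read as 32-bit values, so as written the scan only
                // recognises pointers in a 32-bit target.
                UInt32 CurValue = (UInt32)memory.Read((IntPtr)CurAddress, eNktDboFundamentalType.ftUnsignedDoubleWord);

                if (CurValue >= SecStartAddress && CurValue <= SecEndAddress)
                {
                    // Grab the 50 bytes immediately before the pointed-to address...
                    UInt32 PreOpcodeSize = 50;
                    byte[] PreOpcode     = new byte[PreOpcodeSize];
                    for (UInt32 n = 0; n < PreOpcodeSize; n++)
                    {
                        PreOpcode[n] =
                            (byte)memory.Read((IntPtr)(CurValue - PreOpcodeSize + n), eNktDboFundamentalType.ftUnsignedByte);
                    }

                    // ...and the 50 bytes starting at it.
                    UInt32 PostOpcodeSize = 50;
                    byte[] PostOpcode     = new byte[PostOpcodeSize];
                    for (UInt32 n = 0; n < PostOpcodeSize; n++)
                    {
                        PostOpcode[n] =
                            (byte)memory.Read((IntPtr)(CurValue + n), eNktDboFundamentalType.ftUnsignedByte);
                    }

                    // isValidPreOpCode / isValidPostOpCode are defined elsewhere; presumably they
                    // decide whether the bytes look like a function boundary (confirm).
                    if (isValidPreOpCode(PreOpcode, PreOpcodeSize) && isValidPostOpCode(PostOpcode, PostOpcodeSize))
                    {
                        // Start a new table on the first hit, or when this hit is more than 500
                        // bytes after the previous one. The threshold can be tuned; strictly, the
                        // test should be (CurAddress - tmpAddress != 4).
                        if ((CurAddress - tmpAddress) > 500 || tmpAddress == 0)
                        {
                            vtbl            = new VTBL();
                            vtbl.Address    = CurAddress;
                            vtbl.ValuesList = new List <UInt64>();
                            VTableList.Add(vtbl);
                            nvtable++;
                        }

                        tmpAddress = CurAddress;

                        // The local vtbl and the entry stored in VTableList share the same
                        // ValuesList instance, so this also extends the stored table.
                        vtbl.ValuesList.Add((UInt64)SkipHook((IntPtr)CurValue, _process.Id));
                    }
                }
            }

            progressBar.Value = 100;

            // One list entry per table: VTBL_<index hex>_<table address hex>_<entry count>.
            for (int n = 0; n < VTableList.Count; n++)
            {
                string vtblname = "VTBL_" + n.ToString("X") + "_" + VTableList.ElementAt(n).Address.ToString("X") + "_" + VTableList.ElementAt(n).ValuesList.Count;

                listBoxVTBL.Items.Add(vtblname);
            }


            btnHook.Enabled  = true;
            btnClear.Enabled = true;
        }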