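/// <summary>
/// Sends one control message to the driver and reports a failure to the user.
/// The message carries its own type code, which is also used as the control code.
/// </summary>
/// <param name="message">The request to send; must not be null.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="message"/> is null.</exception>
private void SendControlMessageThread(B_MESSAGE_FORM message)
{
    if (message == null)
    {
        throw new ArgumentNullException("message");
    }

    if (!SendControlMessage(message.Type, message))
    {
        // "X4" renders the type as four uppercase hex digits. The former "4X" is not a
        // standard numeric format, so the dialog printed the literal text "4X" instead of the code.
        MessageBox.Show(String.Format("Failed to send a control message : 0x{0:X4}", message.Type), "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }
}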
/// <summary>
/// Asks the driver to stream bytes into <c>dumpedByteStream</c>, either a raw range
/// (GET_BYTE_STREAM) or the contents of a named kernel object (GET_KERNEL_OBJECT_CONTENTS).
/// The buffer is allocated here; the communication thread fills and later resets it.
/// </summary>
/// <param name="Type">Request type; anything other than the two handled codes is ignored.</param>
/// <param name="ObjectName">Kernel object name, used only for GET_KERNEL_OBJECT_CONTENTS.</param>
/// <param name="StartAddress">Start of the range, used only for GET_BYTE_STREAM (0 is rejected).</param>
/// <param name="Size">Length of the range, used only for GET_BYTE_STREAM (0 is rejected).</param>
/// <returns><c>true</c> when the request was handed to the driver; <c>false</c> otherwise.</returns>
private bool GetByteStreamFromKernel(ushort Type, string ObjectName, uint StartAddress, uint Size = 0)
{
    // A previous dump is still outstanding: refuse to start another one.
    // TODO (original author): a dedicated flag might be cleaner than probing the buffer.
    if (dumpedByteStream != null)
    {
        MessageBox.Show("The last 'dumpedBytestream' Buffer still remains.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return false;
    }

    bool requestSent = false;

    if (Type == GET_BYTE_STREAM)
    {
        if (StartAddress != 0 && Size != 0)
        {
            B_MESSAGE_FORM request = new B_MESSAGE_FORM();
            request.Address = StartAddress;
            request.Size = Size;
            request.Type = Type;

            dumpedByteStream = new byte[request.Size];
            requestSent = SendControlMessage(Type, request);
        }
    }
    else if (Type == GET_KERNEL_OBJECT_CONTENTS)
    {
        if (ObjectName != null)
        {
            U_MESSAGE_FORM request = new U_MESSAGE_FORM();
            request.Size = kernelObjects.GetObjectSize(ObjectName);

            // An unknown object reports size 0 and is not requested.
            if (request.Size != 0)
            {
                request.uMessage = ObjectName;
                request.Type = Type;

                dumpedByteStream = new byte[request.Size];
                requestSent = SendControlMessage(Type, request);
            }
        }
    }

    // The return value only drives the UI. The buffer is deliberately not reset here on
    // failure; the communication thread owns its lifetime.
    return requestSent;
}
/// <summary>
/// Worker loop that pumps messages from the driver and dispatches them by type.
/// Runs while <c>isCommunicationThreadStarted</c> stays set; a failed receive clears it.
/// Shows a disconnect dialog unless the termination was requested by this side.
/// </summary>
// NOTE(review): GetRequiredOffsets/ShowKernelObjectContents execute on this thread;
// confirm that any control access inside them is marshalled to the UI thread.
private void CommunicationRoutine()
{
    while (true)
    {
        B_MESSAGE_FORM incoming = new B_MESSAGE_FORM();

        if (!ReceiveMessage(incoming))
        {
            isCommunicationThreadStarted = false;
        }
        else if (incoming.Type == INITIALIZE_COMMUNICATION)
        {
            // Handshake from the driver: the channel is up.
            isCommunicationThreadStarted = true;
        }
        else if (incoming.Type == URGENT_GET_REQUIRED_OFFSET)
        {
            // The payload is a REQUIRED_OFFSET structure serialised into bMessage.
            REQUIRED_OFFSET offsets = (REQUIRED_OFFSET)ByteToStructure(incoming.bMessage, typeof(REQUIRED_OFFSET));
            GetRequiredOffsets(offsets);
        }
        else if (incoming.Type == GET_KERNEL_OBJECT_CONTENTS)
        {
            ShowKernelObjectContents(incoming);
        }
        // Every other message type is ignored.

        if (!isCommunicationThreadStarted)
        {
            break;
        }
    }

    if (!isOwnTermination)
    {
        // NOTE(review): this assignment is a no-op (the flag is already false in this branch);
        // it may have been intended to reset the flag on the own-termination path instead.
        isOwnTermination = false;
        MessageBox.Show("Disconnected with the Driver.\r\nIf you want to continue, You can find the CONNECT Button in the Menu.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }
}
/// <summary>
/// Native (P/Invoke) entry point that receives one message from the driver into
/// <paramref name="message"/>, which is marshalled in both directions.
/// </summary>
/// <returns><c>true</c> when a message was filled in; <c>false</c> on failure, which the
/// communication loop treats as a disconnect.</returns>
// NOTE(review): the [DllImport] attribute and calling convention are outside this excerpt.
private static extern bool ReceiveMessage([In, Out] B_MESSAGE_FORM message);
/// <summary>
/// Native (P/Invoke) entry point that sends a control message to the driver.
/// <paramref name="message"/> is marshalled in both directions, so the driver can write
/// back into it (callers read <c>Res</c> after a failed send).
/// </summary>
/// <param name="ctlCode">Control code; callers pass the same value as <c>message.Type</c>.</param>
/// <returns><c>true</c> on success; <c>false</c> otherwise.</returns>
// NOTE(review): the [DllImport] attribute and calling convention are outside this excerpt.
private static extern bool SendControlMessage(ushort ctlCode, [In, Out] B_MESSAGE_FORM message);
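/// <summary>
/// Toggles the target process. "Select" asks the driver to attach to the highlighted list
/// entry and starts an _EPROCESS dump; "Deselect" releases the target and restores the list.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void bSelect_Click(object sender, EventArgs e)
{
    if (bSelect.Text == "Select")
    {
        if (lvProcessList.SelectedItems.Count != 1)
        {
            return;
        }

        ListViewItem selected = lvProcessList.SelectedItems[0];
        string pidText = selected.SubItems[1].Text.Trim();

        // Res is a ushort while the kernel stores the PID in 4 bytes (original author's TODO).
        // A PID above 65535 or a non-numeric cell used to throw out of this handler and
        // crash the UI thread, so parse defensively and report instead.
        ushort pid;
        if (!ushort.TryParse(pidText, out pid))
        {
            MessageBox.Show("The selected PID '" + pidText + "' cannot be sent as a 16-bit value.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            return;
        }

        U_MESSAGE_FORM message = new U_MESSAGE_FORM();
        message.uMessage = selected.SubItems[0].Text.Trim();
        message.Res = pid;
        message.Type = SELECT_TARGET_PROCESS;

        if (!SendControlMessage(SELECT_TARGET_PROCESS, message))
        {
            // The driver writes 0x89 into Res when it failed to get the offsets; that case is
            // not announced here.
            if (message.Res != 0x89)
            {
                MessageBox.Show("Failed to find this Process.", "Failed", MessageBoxButtons.OK, MessageBoxIcon.Information);
            }
            // TODO (original author): this message shows up too late; handle it separately on
            // each side. The TEST value from the driver reads as 0.
            return;
        }

        // Parse the _EPROCESS.
        if (!GetByteStreamFromKernel(GET_KERNEL_OBJECT_CONTENTS, "_EPROCESS", 0))
        {
            // Could not start the dump: release the target so driver state matches the UI.
            message.Type = DESELECT_TARGET_PROCESS;
            SendControlMessage(DESELECT_TARGET_PROCESS, message);
            return;
        }

        tSelectedProcess.Text = "[" + pidText + "] " + selected.SubItems[0].Text;
        string thirdColumn = selected.SubItems[2].Text;
        if (thirdColumn.Contains(":::"))
        {
            // Strip the ":::" marker and append the remainder as a suffix.
            tSelectedProcess.Text += (" -" + thirdColumn.Remove(0, 3));
        }

        bSelect.Text = "Deselect";
        bSelect.BackColor = Color.LightCoral;
        lvProcessList.Visible = false;
        tSelectedProcess.Enabled = false;
    }
    else
    {
        // TODO (original author): UI-related resources still need to be cleaned up here.
        B_MESSAGE_FORM message = new B_MESSAGE_FORM();
        message.Type = DESELECT_TARGET_PROCESS;
        SendControlMessage(DESELECT_TARGET_PROCESS, message);

        InitializeCurrentDump();
        this.tabProcess.SelectedIndex = 0;
        this.tvEprocess.Nodes.Clear(); // TODO (original author): clear every tree, not only _EPROCESS.

        bSelect.Text = "Select";
        bSelect.BackColor = SystemColors.Control;
        lvProcessList.Visible = true;
        GetProcess();
        tSelectedProcess.Enabled = true;
        tSelectedProcess.Focus();
        tSelectedProcess.SelectAll();
    }
}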
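/// <summary>
/// Handles one chunk of a kernel-object dump from the driver: validates it, appends it to
/// <c>dumpedByteStream</c>, and once the buffer is complete renders the object into the
/// tree view of the active tab.
/// </summary>
/// <param name="message">Chunk with <c>Address</c>, <c>Size</c>, <c>Res</c> and the payload in <c>bMessage</c>.</param>
// NOTE(review): called from the communication thread but touches WinForms controls;
// confirm AppendTree/MessageBox are marshalled to the UI thread.
private void ShowKernelObjectContents(B_MESSAGE_FORM message)
{
    if (dumpedByteStream == null)
    {
        // TODO (original author): decide, together with the error path below, whether data
        // received before an error should still be displayed.
        MessageBox.Show("The 'dumpedByteStream' Buffer does not exist.\r\nTHIS MESSAGE IS FOR TEST.", "Error");
        InitializeCurrentDump();
        return;
    }

    // First chunk of this dump: remember where the stream starts.
    if (receivedByteStreamLength == 0)
    {
        startAddressForThisStream = message.Address;
    }

    // Reject chunks the driver flagged as failed, that arrive out of order, that would overrun
    // the destination buffer, or that claim more bytes than the payload actually carries.
    // The last check protects the copy below from a malformed Size; the length sum is done in
    // 64 bits so it cannot wrap.
    bool payloadTooShort = message.Size > 0 && (message.bMessage == null || message.Size > message.bMessage.Length);
    if (message.Res != 0
        || startAddressForThisStream + receivedByteStreamLength != message.Address
        || (long)receivedByteStreamLength + message.Size > dumpedByteStream.Length
        || payloadTooShort)
    {
        InitializeCurrentDump();
        // TODO (original author): could be changed to display the data received before the error.
        if (message.Res != 0x89)
        {
            MessageBox.Show(String.Format("Error occured while dumping at 0x{0:X8}.", message.Address), "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }
        // else: 0x89 means the driver failed to get the offsets; not reported here.
        return;
    }

    // Store the chunk at its offset within the dump (bounds validated above).
    uint currentStartIndex = message.Address - startAddressForThisStream;
    if (message.Size > 0)
    {
        Array.Copy(message.bMessage, 0L, dumpedByteStream, (long)currentStartIndex, (long)message.Size);
    }
    receivedByteStreamLength += message.Size;

    // Not complete yet; wait for the next chunk.
    if (receivedByteStreamLength != dumpedByteStream.Length)
    {
        return;
    }

    // Pick the tree and the object definition for the active tab.
    TreeView currentTree = null;
    string currentObjectName = null;
    switch (this.tabProcess.SelectedIndex)
    {
        case 0: // _EPROCESS
            currentTree = this.tvEprocess;
            currentObjectName = "_EPROCESS";
            break;
        case 1:
            // Not handled yet.
            break;
        default:
            break;
    }

    int registeredIndex = KernelObjects.IndexOfThisObject(KernelObjects.Registered, currentObjectName);
    if (currentTree == null || registeredIndex == -1)
    {
        return;
    }

    PopulateObjectTree(currentTree, KernelObjects.Registered[registeredIndex].ShowFieldsInfo(true));
}

// Fills currentTree from ShowFieldsInfo output: line 0 becomes the root node; every later line
// is '!'-separated, its first token becomes a child of the root and the remaining tokens become
// children of that node. Nothing is added when there is no root or no field lines.
private void PopulateObjectTree(TreeView currentTree, List<string> parsed)
{
    if (parsed == null || parsed.Count <= 1)
    {
        return;
    }

    AppendTree(currentTree, new TreeNode(parsed[0]));
    for (int i = 1; i < parsed.Count; i++)
    {
        string[] splitLine = parsed[i].Split(new char[] { '!' }, StringSplitOptions.RemoveEmptyEntries);
        if (splitLine.Length == 0)
        {
            // A line made only of separators has nothing to show (previously indexed past the end).
            continue;
        }

        AppendTree(currentTree, new TreeNode(splitLine[0]), currentTree.Nodes[0].Nodes);
        for (int j = 1; j < splitLine.Length; j++)
        {
            AppendTree(currentTree, new TreeNode(splitLine[j]), currentTree.Nodes[0].LastNode.Nodes);
        }
    }
}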