mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1260 lines
36 KiB
1260 lines
36 KiB
|
|
|
|
#include <wmiexts.h>
|
|
#include <malloc.h>
|
|
|
|
|
|
void GetTeb(HANDLE hThread,TEB ** ppTeb)
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG Long;
|
|
THREAD_BASIC_INFORMATION TBasicInfo;
|
|
Status = NtQueryInformationThread(hThread,
|
|
ThreadBasicInformation,
|
|
&TBasicInfo,
|
|
sizeof(TBasicInfo),
|
|
&Long);
|
|
|
|
if ( Status == 0 )
|
|
{
|
|
//dprintf(" %p %x.%x\n",TBasicInfo.TebBaseAddress,TBasicInfo.ClientId.UniqueProcess,TBasicInfo.ClientId.UniqueThread);
|
|
if (ppTeb)
|
|
{
|
|
*ppTeb = TBasicInfo.TebBaseAddress;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf(" NtQueryInformationThread %08x\n",Status);
|
|
}
|
|
}
|
|
|
|
void GetCid(HANDLE hThread,CLIENT_ID * pCid)
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG Long;
|
|
THREAD_BASIC_INFORMATION TBasicInfo;
|
|
Status = NtQueryInformationThread(hThread,
|
|
ThreadBasicInformation,
|
|
&TBasicInfo,
|
|
sizeof(TBasicInfo),
|
|
&Long);
|
|
|
|
if ( Status == 0 )
|
|
{
|
|
//dprintf(" %p %x.%x\n",TBasicInfo.TebBaseAddress,TBasicInfo.ClientId.UniqueProcess,TBasicInfo.ClientId.UniqueThread);
|
|
if (pCid)
|
|
{
|
|
memcpy(pCid,&TBasicInfo.ClientId, sizeof(CLIENT_ID));
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf(" NtQueryInformationThread %08x\n",Status);
|
|
}
|
|
}
|
|
|
|
void GetPeb(HANDLE hSourceProcess, PEB ** ppPeb, ULONG_PTR * pId)
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG Long;
|
|
PROCESS_BASIC_INFORMATION PBasicInfo;
|
|
Status = NtQueryInformationProcess(hSourceProcess,
|
|
ProcessBasicInformation,
|
|
&PBasicInfo,
|
|
sizeof(PBasicInfo),
|
|
&Long);
|
|
|
|
if ( Status == 0 )
|
|
{
|
|
if (ppPeb)
|
|
{
|
|
*ppPeb = PBasicInfo.PebBaseAddress;
|
|
}
|
|
if (pId)
|
|
{
|
|
*pId = PBasicInfo.UniqueProcessId;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf(" NTSTATUS %08x\n",Status);
|
|
}
|
|
}
|
|
|
|
//
|
|
void PrintHandleBackTrace(HANDLE hHandle,WCHAR * pFileName)
|
|
{
|
|
WCHAR pPath[MAX_PATH+1];
|
|
GetEnvironmentVariableW(L"windir",pPath,MAX_PATH);
|
|
lstrcatW(pPath,L"\\system32\\");
|
|
lstrcatW(pPath,pFileName);
|
|
|
|
HANDLE hFile = NULL;
|
|
hFile = CreateFileW(pPath,
|
|
GENERIC_READ,
|
|
FILE_SHARE_READ|FILE_SHARE_WRITE,
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
0,NULL);
|
|
|
|
if (INVALID_HANDLE_VALUE != hFile)
|
|
{
|
|
DWORD dwSize = GetFileSize(hFile,NULL);
|
|
HANDLE hFileMap = CreateFileMapping(hFile,
|
|
NULL,
|
|
PAGE_READONLY,
|
|
0,
|
|
dwSize,
|
|
NULL);
|
|
if (hFileMap)
|
|
{
|
|
HANDLE * pHandle = (HANDLE *)MapViewOfFile(hFileMap,
|
|
FILE_MAP_READ,
|
|
0,0,0);
|
|
|
|
if(pHandle)
|
|
{
|
|
//dprintf("hEvent %p dwSize %x\n",hEvent,dwSize);
|
|
DWORD SizeRecord = 8*sizeof(HANDLE);
|
|
DWORD nRecord = dwSize/SizeRecord;
|
|
HANDLE * pThisHandle = NULL;
|
|
DWORD i;
|
|
|
|
if (hHandle)
|
|
{
|
|
for(i=0;i<nRecord;i++)
|
|
{
|
|
if (hHandle == pHandle[(SizeRecord/sizeof(HANDLE))*(nRecord-1-i)])
|
|
{
|
|
pThisHandle = &pHandle[(SizeRecord/sizeof(HANDLE))*(nRecord-1-i)];
|
|
break;
|
|
}
|
|
else
|
|
{
|
|
//dprintf(" %d %p\n",nRecord-1-i,pHandle[(SizeRecord/sizeof(HANDLE))*(nRecord-1-i)]);
|
|
}
|
|
}
|
|
if(pThisHandle)
|
|
{
|
|
dprintf(" found rec %x handle %p\n",nRecord-1-i,*pThisHandle);
|
|
PrintStackTrace((ULONG_PTR)pThisHandle+sizeof(HANDLE),7,FALSE);
|
|
}
|
|
else
|
|
{
|
|
dprintf("handle %x not found\n",hHandle);
|
|
}
|
|
}
|
|
else // print all of them
|
|
{
|
|
dprintf("all records\n");
|
|
for(i=0;i<nRecord;i++)
|
|
{
|
|
pThisHandle = &pHandle[(SizeRecord/sizeof(HANDLE))*(nRecord-1-i)];
|
|
dprintf(" ------ %p\n",*pThisHandle);
|
|
PrintStackTrace((ULONG_PTR)pThisHandle+sizeof(HANDLE),7,FALSE);
|
|
|
|
if (CheckControlC())
|
|
break;
|
|
}
|
|
}
|
|
UnmapViewOfFile(pHandle);
|
|
}
|
|
else
|
|
{
|
|
dprintf("MapViewOfFile %d\n",GetLastError());
|
|
}
|
|
CloseHandle(hFileMap);
|
|
}
|
|
else
|
|
{
|
|
dprintf("CreateFileMapping %d\n",GetLastError());
|
|
};
|
|
|
|
CloseHandle(hFile);
|
|
}
|
|
else
|
|
{
|
|
dprintf("CreateFile %S %d\n",pPath,GetLastError());
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
|
|
DECLARE_API( refcnt )
|
|
{
|
|
INIT_API();
|
|
PrintHandleBackTrace(NULL,L"refcount.dat");
|
|
}
|
|
|
|
//
|
|
|
|
DECLARE_API( evtst )
|
|
{
|
|
INIT_API();
|
|
|
|
ULONG_PTR Addr = GetExpression(args);
|
|
HANDLE hEvent = (HANDLE)Addr;
|
|
|
|
if (hEvent)
|
|
{
|
|
PrintHandleBackTrace(hEvent,L"events.dat");
|
|
}
|
|
}
|
|
|
|
#define INCREMENT_ALLOC (4*1024)
|
|
|
|
char * g_HandleType[] =
|
|
{
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"Event",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"Token",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"", // 15
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"Port",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
""
|
|
};
|
|
|
|
DECLARE_API( handle )
|
|
{
|
|
INIT_API();
|
|
|
|
NTSTATUS Status;
|
|
SYSTEM_HANDLE_INFORMATION * pSysHandleInfo = NULL;
|
|
DWORD dwSize = INCREMENT_ALLOC;
|
|
DWORD nReturned;
|
|
|
|
ULONG_PTR lProcId;
|
|
GetPeb(hCurrentProcess,NULL,&lProcId);
|
|
USHORT ProcId = (USHORT)lProcId;
|
|
|
|
|
|
alloc_again:
|
|
|
|
pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION *)HeapAlloc(GetProcessHeap(),0,dwSize);
|
|
|
|
if (pSysHandleInfo)
|
|
{
|
|
Status = NtQuerySystemInformation(SystemHandleInformation,
|
|
pSysHandleInfo,
|
|
dwSize,
|
|
&nReturned);
|
|
}
|
|
else
|
|
{
|
|
goto leave;
|
|
}
|
|
|
|
if (STATUS_INFO_LENGTH_MISMATCH == Status)
|
|
{
|
|
HeapFree(GetProcessHeap(),0,pSysHandleInfo);
|
|
dwSize += INCREMENT_ALLOC;
|
|
goto alloc_again;
|
|
}
|
|
else if (0 == Status)
|
|
{
|
|
// we have all the handles
|
|
// SYSTEM_HANDLE_TABLE_ENTRY_INFO
|
|
|
|
for (DWORD i=0; i < pSysHandleInfo->NumberOfHandles; i++)
|
|
{
|
|
if (ProcId == pSysHandleInfo->Handles[i].UniqueProcessId)
|
|
{
|
|
//dprintf(" %s - %x\n",
|
|
// g_HandleType[pSysHandleInfo->Handles[i].ObjectTypeIndex],
|
|
// pSysHandleInfo->Handles[i].HandleValue);
|
|
if (4 == pSysHandleInfo->Handles[i].ObjectTypeIndex)
|
|
{
|
|
PrintHandleBackTrace((HANDLE)(pSysHandleInfo->Handles[i].HandleValue),L"events.dat");
|
|
}
|
|
}
|
|
if (CheckControlC())
|
|
break;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf("");
|
|
}
|
|
|
|
leave:
|
|
if (pSysHandleInfo)
|
|
{
|
|
HeapFree(GetProcessHeap(),0,pSysHandleInfo);
|
|
}
|
|
return;
|
|
}
|
|
//
|
|
//
|
|
// Invoke a function in the remote process
|
|
//
|
|
//////////////////////////////////////////
|
|
|
|
DECLARE_API( inv )
|
|
{
|
|
INIT_API();
|
|
|
|
int Len = strlen(args);
|
|
CHAR * pArgs = (CHAR *)_alloca((Len+1));
|
|
lstrcpy(pArgs,(CHAR *)args);
|
|
|
|
ULONG_PTR pFunction = 0;
|
|
ULONG_PTR pArgument = 0;
|
|
|
|
while (isspace(*pArgs))
|
|
{
|
|
pArgs++;
|
|
}
|
|
|
|
CHAR * pSaved = pArgs;
|
|
|
|
while(!isspace(*pArgs)) pArgs++;
|
|
// terminate string, if possible
|
|
if (isspace(*pArgs))
|
|
{
|
|
*pArgs = 0;
|
|
pArgs++;
|
|
}
|
|
else
|
|
{
|
|
pArgs = NULL;
|
|
}
|
|
|
|
pFunction = GetExpression(pSaved);
|
|
|
|
if (pArgs)
|
|
{
|
|
pArgument = GetExpression(pArgs);
|
|
}
|
|
|
|
dprintf("invoking %s(%p) @ %p\n",pSaved,pArgument,pFunction);
|
|
|
|
DWORD dwID;
|
|
HANDLE hThread = CreateRemoteThread(hCurrentProcess,
|
|
NULL,
|
|
0,
|
|
(LPTHREAD_START_ROUTINE )pFunction,
|
|
(LPVOID)pArgument,
|
|
0,
|
|
&dwID);
|
|
if (hThread)
|
|
{
|
|
CLIENT_ID Cid;
|
|
GetCid(hThread,&Cid);
|
|
|
|
DEBUG_EVENT de;
|
|
BOOL bRet = FALSE;
|
|
BOOL StatusRemoteThreadCreated = FALSE;
|
|
|
|
wait_again:
|
|
|
|
bRet = WaitForDebugEvent(&de,INFINITE);
|
|
|
|
if (bRet)
|
|
{
|
|
switch(de.dwDebugEventCode)
|
|
{
|
|
case OUTPUT_DEBUG_STRING_EVENT:
|
|
{
|
|
OUTPUT_DEBUG_STRING_INFO * pDbgStr = &de.u.DebugString;
|
|
WCHAR * pData = new WCHAR[pDbgStr->nDebugStringLength+1];
|
|
if(pDbgStr->fUnicode)
|
|
{
|
|
ReadMemory((ULONG_PTR)pDbgStr->lpDebugStringData,pData,pDbgStr->nDebugStringLength*sizeof(WCHAR),NULL);
|
|
dprintf("%S",pData);
|
|
}
|
|
else
|
|
{
|
|
ReadMemory((ULONG_PTR)pDbgStr->lpDebugStringData,pData,pDbgStr->nDebugStringLength*sizeof(CHAR),NULL);
|
|
dprintf("%s",pData);
|
|
}
|
|
delete [] pData;
|
|
}
|
|
|
|
bRet = ContinueDebugEvent((DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread),DBG_CONTINUE);
|
|
if (bRet)
|
|
{
|
|
goto wait_again;
|
|
}
|
|
break;
|
|
case CREATE_THREAD_DEBUG_EVENT:
|
|
if ((DWORD)((DWORD_PTR)Cid.UniqueProcess) == de.dwProcessId &&
|
|
(DWORD)((DWORD_PTR)Cid.UniqueThread) == de.dwThreadId)
|
|
{
|
|
if (!StatusRemoteThreadCreated)
|
|
{
|
|
StatusRemoteThreadCreated = TRUE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf("%x.%x != %x.%x\n",
|
|
de.dwProcessId,de.dwThreadId,
|
|
(DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread));
|
|
}
|
|
bRet = ContinueDebugEvent((DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread),DBG_CONTINUE);
|
|
if (bRet)
|
|
{
|
|
goto wait_again;
|
|
};
|
|
break;
|
|
case CREATE_PROCESS_DEBUG_EVENT:
|
|
case EXIT_PROCESS_DEBUG_EVENT:
|
|
|
|
//dprintf("DebugEventCode %08x for %x.%x\n",de.dwDebugEventCode,de.dwProcessId,de.dwThreadId);
|
|
bRet = ContinueDebugEvent((DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread),DBG_CONTINUE);
|
|
if (bRet)
|
|
{
|
|
goto wait_again;
|
|
};
|
|
break;
|
|
case EXCEPTION_DEBUG_EVENT:
|
|
{
|
|
EXCEPTION_DEBUG_INFO * pExcDebug = &de.u.Exception;
|
|
dprintf("%08x %08x FIRST? %d\n",
|
|
pExcDebug->ExceptionRecord.ExceptionCode,
|
|
pExcDebug->ExceptionRecord.ExceptionAddress,
|
|
pExcDebug->dwFirstChance);
|
|
bRet = ContinueDebugEvent((DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread),DBG_TERMINATE_THREAD);
|
|
if (bRet)
|
|
{
|
|
goto wait_again;
|
|
}
|
|
}
|
|
break;
|
|
case EXIT_THREAD_DEBUG_EVENT:
|
|
if ((DWORD)((DWORD_PTR)Cid.UniqueProcess) == de.dwProcessId &&
|
|
(DWORD)((DWORD_PTR)Cid.UniqueThread) == de.dwThreadId)
|
|
{
|
|
if (StatusRemoteThreadCreated)
|
|
{
|
|
// ok
|
|
}
|
|
else
|
|
{
|
|
dprintf("EXIT_THREAD_DEBUG_EVENT %x.%x =?= %x.%x\n",
|
|
de.dwProcessId,de.dwThreadId,(DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread));
|
|
}
|
|
//
|
|
// we are done
|
|
//
|
|
}
|
|
else
|
|
{
|
|
bRet = ContinueDebugEvent((DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread),DBG_CONTINUE);
|
|
if (bRet)
|
|
{
|
|
goto wait_again;
|
|
}
|
|
}
|
|
break;
|
|
case LOAD_DLL_DEBUG_EVENT:
|
|
case UNLOAD_DLL_DEBUG_EVENT:
|
|
//dprintf("DebugEventCode %08x for %x.%x CONTINUE\n",de.dwDebugEventCode,de.dwProcessId,de.dwThreadId);
|
|
bRet = ContinueDebugEvent((DWORD)((DWORD_PTR)Cid.UniqueProcess),(DWORD)((DWORD_PTR)Cid.UniqueThread),DBG_CONTINUE);
|
|
if (bRet)
|
|
{
|
|
goto wait_again;
|
|
}
|
|
break;
|
|
default:
|
|
dprintf("DebugEventCode %08x\n ?????",de.dwDebugEventCode);
|
|
//ContinueDebugEvent((DWORD)Cid.UniqueProcess,(DWORD)Cid.UniqueThread,DBG_TERMINATE_THREAD);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf("WaitForDebugEvent err: %d\n",GetLastError());
|
|
}
|
|
|
|
CloseHandle(hThread);
|
|
}
|
|
else
|
|
{
|
|
dprintf("CreateRemoteThread %d\n",GetLastError());
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
//
|
|
//
|
|
// Dumps the thread list with some info on OLE and RPC
|
|
//
|
|
//
|
|
|
|
//
|
|
//
|
|
// rpcrt4!THREAD
|
|
// ole32!SOleTlsData
|
|
//
|
|
|
|
void
|
|
DumpRpcOle(ULONG_PTR pRpc,ULONG_PTR pOle)
|
|
{
|
|
if (pRpc)
|
|
{
|
|
|
|
ULONG OffsetContext;
|
|
ULONG_PTR pRpcLRPC = 0;
|
|
if (0 != GetFieldOffset("rpcrt4!THREAD","Context",&OffsetContext))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetContext = 0x18;
|
|
#else
|
|
OffsetContext = 0x10;
|
|
#endif
|
|
}
|
|
|
|
ReadMemory(pRpc+OffsetContext,&pRpcLRPC,sizeof(ULONG_PTR),0);
|
|
|
|
ULONG_PTR pFirstVoid = 0;
|
|
ReadMemory((ULONG_PTR)pRpcLRPC,&pFirstVoid,sizeof(ULONG_PTR),0);
|
|
|
|
BYTE pString[256];
|
|
pString[0]=0;
|
|
|
|
#ifdef KDEXT_64BIT
|
|
ULONG64 Displ;
|
|
#else
|
|
ULONG Displ;
|
|
#endif
|
|
if (pFirstVoid)
|
|
GetSymbol(pFirstVoid,(PCHAR)pString,&Displ);
|
|
if (lstrlenA((CHAR *)pString))
|
|
{
|
|
dprintf(" %s+%x %p\n",pString,Displ,pRpcLRPC);
|
|
if (strstr((const char *)pString,"LRPC_SCALL"))
|
|
{
|
|
ULONG OffsetCID;
|
|
if (0 != GetFieldOffset("rpcrt4!LRPC_SCALL","ClientId",&OffsetCID))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetCID = 0x100;
|
|
#else
|
|
OffsetCID = 0xa0;
|
|
#endif
|
|
}
|
|
CLIENT_ID CID;
|
|
ReadMemory(pRpcLRPC+OffsetCID,&CID,sizeof(CLIENT_ID),NULL);
|
|
dprintf(" - - - - called from: %x.%x\n",CID.UniqueProcess,CID.UniqueThread);
|
|
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf(" rpcrt4!THREAD.Context %p\n",pRpcLRPC);
|
|
}
|
|
}
|
|
if (pOle)
|
|
{
|
|
ULONG OffsetCallContext;
|
|
ULONG_PTR pCallCtx = 0;
|
|
if (0 != GetFieldOffset("ole32!SOleTlsData","pCallContext",&OffsetCallContext))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetCallContext = 0x88;
|
|
#else
|
|
OffsetCallContext = 0x54;
|
|
#endif
|
|
}
|
|
ReadMemory(pOle+OffsetCallContext,&pCallCtx,sizeof(ULONG_PTR),0);
|
|
|
|
dprintf(" ole32!CServerSecurity %p\n",pCallCtx);
|
|
}
|
|
}
|
|
|
|
//
|
|
//
|
|
// call HeapFree(GetProcessHeap) on the OUT pointers
|
|
//
|
|
//////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
GetThreadArrays(HANDLE hCurrentProcess,
|
|
DWORD * pdwThreads,
|
|
SYSTEM_EXTENDED_THREAD_INFORMATION ** ppExtThreadInfo,
|
|
TEB *** pppTebs)
|
|
{
|
|
|
|
if (!pdwThreads || !ppExtThreadInfo || !pppTebs)
|
|
{
|
|
return ERROR_INVALID_PARAMETER;
|
|
};
|
|
|
|
NTSTATUS Status;
|
|
DWORD dwInc = 8*1024;
|
|
DWORD dwSize = dwInc;
|
|
VOID * pData = NULL;
|
|
DWORD dwReturned;
|
|
|
|
loop_realloc:
|
|
pData = HeapAlloc(GetProcessHeap(),0,dwSize);
|
|
if (!pData)
|
|
{
|
|
return ERROR_OUTOFMEMORY;
|
|
}
|
|
|
|
Status = NtQuerySystemInformation(SystemExtendedProcessInformation,
|
|
pData,
|
|
dwSize,
|
|
&dwReturned);
|
|
|
|
if (STATUS_INFO_LENGTH_MISMATCH == Status)
|
|
{
|
|
HeapFree(GetProcessHeap(),0,pData);
|
|
dwSize += dwInc;
|
|
goto loop_realloc;
|
|
}
|
|
else if (STATUS_SUCCESS == Status)
|
|
{
|
|
// here we have the snapshot:parse it
|
|
SYSTEM_PROCESS_INFORMATION * pProcInfo = (SYSTEM_PROCESS_INFORMATION *)pData;
|
|
SYSTEM_EXTENDED_THREAD_INFORMATION * pThreadInfo;
|
|
|
|
// get the process id;
|
|
|
|
ULONG_PTR IdProc;
|
|
GetPeb(hCurrentProcess,NULL,&IdProc);
|
|
|
|
while (TRUE)
|
|
{
|
|
//dprintf(" process %p curr %p\n",pProcInfo->UniqueProcessId,IdProc);
|
|
if (IdProc == (ULONG_PTR)pProcInfo->UniqueProcessId)
|
|
{
|
|
DWORD Threads = pProcInfo->NumberOfThreads;
|
|
*pdwThreads = Threads;
|
|
DWORD i;
|
|
pThreadInfo = (SYSTEM_EXTENDED_THREAD_INFORMATION *)((ULONG_PTR)pProcInfo+sizeof(SYSTEM_PROCESS_INFORMATION));
|
|
|
|
SYSTEM_EXTENDED_THREAD_INFORMATION * pOutThreadInfo = NULL;
|
|
TEB ** ppOutTebs = NULL;
|
|
|
|
pOutThreadInfo = (SYSTEM_EXTENDED_THREAD_INFORMATION *)HeapAlloc(GetProcessHeap(),0,Threads*sizeof(SYSTEM_EXTENDED_THREAD_INFORMATION));
|
|
if (pOutThreadInfo)
|
|
{
|
|
ppOutTebs = (TEB **)HeapAlloc(GetProcessHeap(),0,Threads*sizeof(TEB *));
|
|
if (!ppOutTebs)
|
|
{
|
|
HeapFree(GetProcessHeap(),0,pOutThreadInfo);
|
|
Status = ERROR_OUTOFMEMORY;
|
|
Threads = 0; // to stop loop
|
|
}
|
|
else
|
|
{
|
|
memcpy(pOutThreadInfo,pThreadInfo,Threads*sizeof(SYSTEM_EXTENDED_THREAD_INFORMATION));
|
|
}
|
|
}
|
|
else
|
|
{
|
|
Status = ERROR_OUTOFMEMORY;
|
|
Threads = 0; // to stop loop
|
|
}
|
|
|
|
for (i=0;i<Threads;i++)
|
|
{
|
|
//dprintf(" %x.%x\n",pThreadInfo->ThreadInfo.ClientId.UniqueProcess,pThreadInfo->ThreadInfo.ClientId.UniqueThread);
|
|
|
|
NTSTATUS StatusThread;
|
|
HANDLE hThread;
|
|
OBJECT_ATTRIBUTES Obja = {sizeof( OBJECT_ATTRIBUTES ), 0, 0, 0 ,0 };
|
|
|
|
StatusThread = NtOpenThread(&hThread,THREAD_QUERY_INFORMATION,&Obja,&(pThreadInfo->ThreadInfo.ClientId));
|
|
if (((NTSTATUS)0L) == StatusThread)
|
|
{
|
|
TEB * pTeb = NULL;
|
|
GetTeb(hThread,&pTeb);
|
|
|
|
ppOutTebs[i] = pTeb;
|
|
|
|
CloseHandle(hThread);
|
|
}
|
|
else
|
|
{
|
|
dprintf("NtOpenThread %d\n",StatusThread);
|
|
}
|
|
|
|
pThreadInfo++;
|
|
}
|
|
// once found our process,
|
|
// don't bother with the others
|
|
*pppTebs = ppOutTebs;
|
|
*ppExtThreadInfo = pOutThreadInfo;
|
|
Status = NO_ERROR;
|
|
break;
|
|
}
|
|
if (0 == pProcInfo->NextEntryOffset)
|
|
{
|
|
break;
|
|
}
|
|
else
|
|
{
|
|
pProcInfo = (SYSTEM_PROCESS_INFORMATION *)((ULONG_PTR)pProcInfo+pProcInfo->NextEntryOffset);
|
|
}
|
|
}
|
|
|
|
}
|
|
else // other cases
|
|
{
|
|
dprintf("NtQuerySystemInformation %08x\n",Status);
|
|
return Status;
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
DECLARE_API(t)
|
|
{
|
|
INIT_API();
|
|
|
|
DWORD dwThreads;
|
|
TEB ** ppTebs;
|
|
SYSTEM_EXTENDED_THREAD_INFORMATION * pSysThreadInfo;
|
|
|
|
// get the offsets only once
|
|
ULONG OffsetRPC;
|
|
ULONG_PTR pRpcThread;
|
|
if (0 != GetFieldOffset("ntdll!TEB","ReservedForNtRpc",&OffsetRPC))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetRPC = 0x1698;
|
|
#else
|
|
OffsetRPC = 0xf1c;
|
|
#endif
|
|
}
|
|
ULONG OffsetOLE;
|
|
ULONG_PTR pOleThread;
|
|
if (0 != GetFieldOffset("ntdll!TEB","ReservedForOle",&OffsetOLE))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetOLE = 0x1758;
|
|
#else
|
|
OffsetOLE = 0xf80;
|
|
#endif
|
|
}
|
|
|
|
if (NO_ERROR == GetThreadArrays(hCurrentProcess,&dwThreads,
|
|
&pSysThreadInfo,&ppTebs))
|
|
{
|
|
for (DWORD i=0;i<dwThreads;i++)
|
|
{
|
|
TEB * pTeb = ppTebs[i];
|
|
SYSTEM_EXTENDED_THREAD_INFORMATION * pThreadInfo = &pSysThreadInfo[i];
|
|
|
|
if (ReadMemory((ULONG_PTR)pTeb+OffsetOLE,&pOleThread,sizeof(ULONG_PTR),0) &&
|
|
ReadMemory((ULONG_PTR)pTeb+OffsetRPC,&pRpcThread,sizeof(ULONG_PTR),0))
|
|
{
|
|
|
|
NT_TIB NtTib;
|
|
ReadMemory((ULONG_PTR)pTeb,&NtTib,sizeof(NT_TIB),NULL);
|
|
|
|
dprintf(" %03d %x.%x Addr: %p TEB: %p FiberData %p\n"
|
|
" limit %p base %p\n"
|
|
" RPC %p OLE %p\n",
|
|
i,
|
|
pThreadInfo->ThreadInfo.ClientId.UniqueProcess,pThreadInfo->ThreadInfo.ClientId.UniqueThread,
|
|
pThreadInfo->Win32StartAddress,
|
|
pTeb,NtTib.FiberData,
|
|
NtTib.StackLimit,NtTib.StackBase,
|
|
pRpcThread,
|
|
pOleThread);
|
|
|
|
#ifdef _WIN64
|
|
|
|
// +0x1788 DeallocationBStore : (null)
|
|
// +0x1790 BStoreLimit : 0x000006fb`faba2000
|
|
|
|
ULONG_PTR lDeAlloc;
|
|
ULONG_PTR lBPLimit;
|
|
ULONG Offset_DeallocationBStore = 0x1788;
|
|
ReadMemory((ULONG_PTR)pTeb+Offset_DeallocationBStore,&lDeAlloc,sizeof(ULONG_PTR),0);
|
|
|
|
ULONG Offset_BStoreLimit = 0x1790;
|
|
ReadMemory((ULONG_PTR)pTeb+Offset_BStoreLimit,&lBPLimit,sizeof(ULONG_PTR),0);
|
|
|
|
dprintf(" DAll %p BStL %p\n",lDeAlloc,lBPLimit);
|
|
#endif
|
|
|
|
DumpRpcOle(pRpcThread,pOleThread);
|
|
}
|
|
else
|
|
{
|
|
dprintf("RM %p %p\n",(ULONG_PTR)pTeb+OffsetOLE,(ULONG_PTR)pTeb+OffsetRPC);
|
|
}
|
|
}
|
|
|
|
HeapFree(GetProcessHeap(),0,ppTebs);
|
|
HeapFree(GetProcessHeap(),0,pSysThreadInfo);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
DECLARE_API(srt)
|
|
{
|
|
INIT_API();
|
|
|
|
DWORD dwThreads;
|
|
TEB ** ppTebs;
|
|
SYSTEM_EXTENDED_THREAD_INFORMATION * pSysThreadInfo;
|
|
|
|
ULONG_PTR Addr = GetExpression(args);
|
|
ULONG_PTR * ThreadMem = NULL;
|
|
ULONG_PTR Size = 0;
|
|
|
|
if (NO_ERROR == GetThreadArrays(hCurrentProcess,&dwThreads,
|
|
&pSysThreadInfo,&ppTebs))
|
|
{
|
|
for (DWORD i=0;i<dwThreads;i++)
|
|
{
|
|
TEB * pTeb = ppTebs[i];
|
|
SYSTEM_EXTENDED_THREAD_INFORMATION * pThreadInfo = &pSysThreadInfo[i];
|
|
|
|
NT_TIB NtTib;
|
|
ReadMemory((ULONG_PTR)pTeb,&NtTib,sizeof(NT_TIB),NULL);
|
|
|
|
ULONG_PTR Base = (ULONG_PTR)NtTib.StackBase;
|
|
ULONG_PTR Limit = (ULONG_PTR)NtTib.StackLimit;
|
|
ULONG_PTR CurrSize = Base-Limit;
|
|
|
|
//dprintf("searching %p between %p and %p\n",Addr,Limit,Base);
|
|
|
|
if (CurrSize > Size)
|
|
{
|
|
Size = CurrSize;
|
|
if (ThreadMem)
|
|
{
|
|
HeapFree(GetProcessHeap(),0,ThreadMem);
|
|
ThreadMem = NULL;
|
|
}
|
|
ThreadMem = (ULONG_PTR *)HeapAlloc(GetProcessHeap(),0,Size);
|
|
|
|
}
|
|
if (ThreadMem)
|
|
{
|
|
if (ReadMemory(Limit,ThreadMem,(ULONG)CurrSize,NULL))
|
|
{
|
|
for(DWORD j=0;j<CurrSize/sizeof(ULONG_PTR);j++)
|
|
{
|
|
if (Addr == ThreadMem[j])
|
|
{
|
|
dprintf(" %x.%x %p\n",
|
|
pThreadInfo->ThreadInfo.ClientId.UniqueProcess,pThreadInfo->ThreadInfo.ClientId.UniqueThread,
|
|
Limit+((ULONG_PTR)&ThreadMem[j]-(ULONG_PTR)ThreadMem));
|
|
}
|
|
}
|
|
}
|
|
};
|
|
}
|
|
|
|
HeapFree(GetProcessHeap(),0,ppTebs);
|
|
HeapFree(GetProcessHeap(),0,pSysThreadInfo);
|
|
|
|
}
|
|
|
|
if (ThreadMem)
|
|
HeapFree(GetProcessHeap(),0,ThreadMem);
|
|
}
|
|
|
|
|
|
#if defined(_X86_)
|
|
#ifndef PAGE_SIZE
|
|
#define PAGE_SIZE 0x1000
|
|
#endif
|
|
#define USER_ALIGNMENT 8
|
|
|
|
#elif defined(_IA64_)
|
|
#ifndef PAGE_SIZE
|
|
#define PAGE_SIZE 0x2000
|
|
#endif
|
|
#define USER_ALIGNMENT 16
|
|
|
|
#elif defined(_AMD64_)
|
|
#ifndef PAGE_SIZE
|
|
#define PAGE_SIZE 0x1000
|
|
#endif
|
|
#define USER_ALIGNMENT 16
|
|
|
|
#else
|
|
#error // platform not defined
|
|
#endif
|
|
|
|
DECLARE_API(ksrt)
|
|
{
|
|
INIT_API();
|
|
|
|
char * pArgs = (char *)args;
|
|
while(isspace(*pArgs)) pArgs++;
|
|
|
|
ULONG_PTR EProcess = GetExpression(pArgs);
|
|
|
|
while(!isspace(*pArgs)) pArgs++;
|
|
|
|
ULONG_PTR SearchFor = GetExpression(pArgs);
|
|
|
|
ULONG OffsetProcessThreadList;
|
|
|
|
if (0 != GetFieldOffset("nt!_KPROCESS","ThreadListHead",&OffsetProcessThreadList))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetProcessThreadList = 0x0; // BUGBUG
|
|
#else
|
|
OffsetProcessThreadList = 0x050;
|
|
#endif
|
|
}
|
|
|
|
ULONG OffsetThreadThreadList;
|
|
if (0 != GetFieldOffset("nt!_KTHREAD","ThreadListEntry",&OffsetThreadThreadList))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetThreadThreadList = 0x0;
|
|
#else
|
|
OffsetThreadThreadList = 0x1b0; // BUGBUG
|
|
#endif
|
|
}
|
|
|
|
ULONG OffsetThreadTEB;
|
|
if (0 != GetFieldOffset("nt!_KTHREAD","Teb",&OffsetThreadTEB))
|
|
{
|
|
#ifdef _WIN64
|
|
OffsetThreadTEB = 0x0;
|
|
#else
|
|
OffsetThreadTEB = 0x020; // BUGBUG
|
|
#endif
|
|
}
|
|
|
|
if (EProcess)
|
|
{
|
|
LIST_ENTRY HeadList;
|
|
LIST_ENTRY * pListEntry = &HeadList;
|
|
EProcess += OffsetProcessThreadList;
|
|
|
|
DWORD SizeToRead = max(OffsetThreadTEB,OffsetThreadThreadList)+sizeof(LIST_ENTRY);
|
|
ULONG_PTR KThreadAddr;
|
|
ULONG_PTR Teb;
|
|
|
|
ULONG_PTR * pKTHREAD = (ULONG_PTR *)_alloca(SizeToRead);
|
|
|
|
if (ReadMemory(EProcess,&HeadList,sizeof(LIST_ENTRY),NULL))
|
|
{
|
|
DWORD i = 0;
|
|
while ((LIST_ENTRY *)EProcess != pListEntry->Flink)
|
|
{
|
|
//dprintf("pListEntry->Flink %p\n",pListEntry->Flink);
|
|
|
|
KThreadAddr = (ULONG_PTR)pListEntry->Flink - (ULONG_PTR)OffsetThreadThreadList;
|
|
if (ReadMemory((ULONG_PTR)KThreadAddr,pKTHREAD,SizeToRead,NULL))
|
|
{
|
|
// do useful work
|
|
Teb = *((ULONG_PTR *)((BYTE *)pKTHREAD+OffsetThreadTEB));
|
|
dprintf(" %d - _KTHREAD %p TEB %p\n",i++,KThreadAddr,Teb);
|
|
|
|
NT_TIB ThreadTib;
|
|
if (ReadMemory(Teb,&ThreadTib,sizeof(NT_TIB),NULL))
|
|
{
|
|
dprintf(" EL %p B %p L %p\n",ThreadTib.ExceptionList,ThreadTib.StackBase,ThreadTib.StackLimit);
|
|
|
|
ULONG_PTR Current = (ULONG_PTR)ThreadTib.StackLimit;
|
|
ULONG_PTR nPages = (ULONG_PTR)ThreadTib.StackBase-(ULONG_PTR)ThreadTib.StackLimit;
|
|
nPages /= PAGE_SIZE;
|
|
ULONG_PTR j;
|
|
for (j=0;j<nPages;j++)
|
|
{
|
|
ULONG_PTR pPage[PAGE_SIZE/sizeof(ULONG_PTR)];
|
|
if (ReadMemory(Current,pPage,sizeof(pPage),NULL))
|
|
{
|
|
for(DWORD k=0;k<(PAGE_SIZE/sizeof(ULONG_PTR));k++)
|
|
{
|
|
if(SearchFor == pPage[k])
|
|
{
|
|
dprintf(" %p\n",Current+k*sizeof(ULONG_PTR));
|
|
}
|
|
if (CheckControlC())
|
|
break;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf(" page @ %p not paged-in\n",Current);
|
|
}
|
|
Current += PAGE_SIZE;
|
|
|
|
if (CheckControlC())
|
|
break;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf(" RM Teb %p\n",Teb);
|
|
}
|
|
|
|
// equivalent of i++
|
|
pListEntry = (LIST_ENTRY *)((BYTE *)pKTHREAD+OffsetThreadThreadList);
|
|
}
|
|
else
|
|
{
|
|
dprintf("RM %p\n",KThreadAddr);
|
|
break;
|
|
}
|
|
if (CheckControlC())
|
|
break;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf("RM %p\n",EProcess);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf("unable to resolve %s\n",args);
|
|
}
|
|
}
|
|
|
|
|
|
#ifdef i386
|
|
#define MAGIC_START (16+2)
|
|
#endif
|
|
|
|
char *
|
|
GetCall(ULONG_PTR Addr)
|
|
{
|
|
static char pBuff[1024];
|
|
|
|
#ifdef KDEXT_64BIT
|
|
ULONG64 ThisAddr = Addr-2;
|
|
#else
|
|
ULONG_PTR ThisAddr = Addr-2;
|
|
#endif
|
|
|
|
Disasm(&ThisAddr,pBuff,FALSE);
|
|
if (strstr(pBuff,"call"))
|
|
{
|
|
dprintf(" %s\n",pBuff);
|
|
return pBuff;
|
|
}
|
|
|
|
ThisAddr = Addr-3;
|
|
Disasm(&ThisAddr,pBuff,FALSE);
|
|
if (strstr(pBuff,"call"))
|
|
{
|
|
dprintf(" %s\n",pBuff);
|
|
return pBuff;
|
|
}
|
|
|
|
ThisAddr = Addr-5;
|
|
Disasm(&ThisAddr,pBuff,FALSE);
|
|
if (strstr(pBuff,"call"))
|
|
{
|
|
dprintf(" %s\n",pBuff);
|
|
return pBuff;
|
|
}
|
|
|
|
ThisAddr = Addr-6;
|
|
Disasm(&ThisAddr,pBuff,FALSE);
|
|
if (strstr(pBuff,"call"))
|
|
{
|
|
dprintf(" %s\n",pBuff);
|
|
return pBuff;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
DECLARE_API(bs)
|
|
{
|
|
|
|
#ifdef i386
|
|
INIT_API();
|
|
|
|
ULONG_PTR pTeb = GetExpression(args);
|
|
if (pTeb)
|
|
{
|
|
NT_TIB Tib;
|
|
ReadMemory(pTeb,&Tib,sizeof(Tib),NULL);
|
|
dprintf(" exception %p base %p limit %p\n",
|
|
Tib.ExceptionList,Tib.StackBase,Tib.StackLimit);
|
|
|
|
ULONG_PTR dwSize = (ULONG_PTR)Tib.StackBase-(ULONG_PTR)Tib.StackLimit;
|
|
BYTE * pStack = new BYTE[dwSize];
|
|
ULONG_PTR OldEBP = 0;
|
|
|
|
if (pStack)
|
|
{
|
|
ULONG_PTR * pBase = (ULONG_PTR *)(pStack+dwSize);
|
|
ULONG_PTR * pLimit = (ULONG_PTR *)pStack;
|
|
|
|
ReadMemory((ULONG_PTR)Tib.StackLimit,pStack,(ULONG_PTR)Tib.StackBase-(ULONG_PTR)Tib.StackLimit,NULL);
|
|
|
|
ULONG_PTR EBP = (ULONG_PTR)(Tib.StackBase)-(MAGIC_START*sizeof(ULONG_PTR));
|
|
ULONG_PTR * pEBP = (ULONG_PTR *)pBase-MAGIC_START;
|
|
BOOL bGoOn = TRUE;
|
|
BOOL bRpcRt4Fix = FALSE;
|
|
|
|
while(bGoOn)
|
|
{
|
|
dprintf("%p %p\n",pEBP[0],pEBP[1]);
|
|
char * pFunction = GetCall(pEBP[1]);
|
|
BOOL bFound = FALSE;
|
|
|
|
if (pFunction)
|
|
{
|
|
if (strstr(pFunction,"ComInvokeWithLockAndIPID"))
|
|
{
|
|
EBP -= 0x70;
|
|
}
|
|
}
|
|
else // try to move back
|
|
{
|
|
pEBP--;
|
|
EBP = OldEBP;
|
|
}
|
|
|
|
//dprintf("looking for %p = cmp %p \n",EBP,pEBP[0]);
|
|
|
|
if (!bRpcRt4Fix)
|
|
{
|
|
if (pEBP[0] < (ULONG_PTR)Tib.StackLimit || pEBP[0] > (ULONG_PTR)Tib.StackBase)
|
|
{
|
|
bRpcRt4Fix = TRUE;
|
|
// rpcrt4 call_stack fix
|
|
EBP = (ULONG_PTR)(Tib.StackBase) - 0x6c;
|
|
}
|
|
}
|
|
//dprintf("looking for %p\n",EBP);
|
|
|
|
while ((ULONG_PTR)pEBP > (ULONG_PTR)pLimit){
|
|
if (*pEBP-- == EBP){
|
|
bFound = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
if (bFound)
|
|
{
|
|
pEBP++;
|
|
OldEBP = EBP;
|
|
EBP = (ULONG_PTR)(Tib.StackBase)-((ULONG_PTR)pBase-(ULONG_PTR)pEBP);
|
|
}
|
|
else
|
|
{
|
|
bGoOn = FALSE;
|
|
}
|
|
}
|
|
|
|
delete [] pStack;
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
dprintf("%s cannot be interpreted\b",args);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
//
|
|
// given the TEB, prints the ExceptionList
|
|
//
|
|
|
|
struct _C9_REGISTRATION_RECORD
|
|
{
|
|
_C9_REGISTRATION_RECORD * prev;
|
|
void * handler;
|
|
void * scopetable;
|
|
void * trylevel;
|
|
void * pSpare0;
|
|
void * pSpare1;
|
|
};
|
|
|
|
DECLARE_API(el)
|
|
{
|
|
INIT_API();
|
|
|
|
#ifndef _X86_
|
|
dprintf("unsupported on this platform\n");
|
|
return;
|
|
#endif
|
|
|
|
ULONG_PTR pTeb = GetExpression(args);
|
|
if (pTeb)
|
|
{
|
|
NT_TIB Tib;
|
|
if (ReadMemory(pTeb,&Tib,sizeof(Tib),NULL))
|
|
{
|
|
//Tib.ExceptionList,Tib.StackBase,Tib.StackLimit);
|
|
_C9_REGISTRATION_RECORD ExRegRec;
|
|
ExRegRec.prev = (_C9_REGISTRATION_RECORD *)Tib.ExceptionList;
|
|
do
|
|
{
|
|
_C9_REGISTRATION_RECORD * pThis = ExRegRec.prev;
|
|
if (ReadMemory((MEMORY_ADDRESS)pThis,&ExRegRec,sizeof(ExRegRec),NULL))
|
|
{
|
|
dprintf(" %p (%p %p %p %p)\n",pThis,ExRegRec.prev,ExRegRec.handler,ExRegRec.scopetable,ExRegRec.trylevel);
|
|
|
|
#ifdef KDEXT_64BIT
|
|
ULONG64 Displ;
|
|
#else
|
|
ULONG Displ;
|
|
#endif
|
|
char pString[256];
|
|
pString[0]=0;
|
|
GetSymbol((ULONG_PTR)ExRegRec.handler,(PCHAR)pString,&Displ);
|
|
if (lstrlenA((CHAR *)pString))
|
|
dprintf(" %s+%x\n",pString,Displ);
|
|
|
|
|
|
if (!GetCall((ULONG_PTR)ExRegRec.pSpare1))
|
|
{
|
|
GetCall((ULONG_PTR)ExRegRec.pSpare0);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf("RM %p\n",Tib.ExceptionList);
|
|
break;
|
|
}
|
|
} while((ULONG_PTR)(-1) != (ULONG_PTR)ExRegRec.prev);
|
|
}
|
|
else
|
|
{
|
|
dprintf("RM %p\n",pTeb);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dprintf("invalid TEB %s\n",args);
|
|
}
|
|
}
|