bool DumpRunner::DumpProcess(Dumper* dumper, DumpLevel level, DWORD processId)
{
bool result = false;
HANDLE process = ::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processId);
if (process != NULL)
{
EnumThread enumThread;
if (enumThread.open() == true)
{
DWORD threadId = enumThread.getFirst(processId);
enumThread.close();
if (threadId != 0)
{
HANDLE thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, threadId);
if (thread != NULL)
{
result = DumpProcess(dumper, level, EXCEPTION_BREAKPOINT, process, processId, thread, threadId);
::CloseHandle(thread);
thread = NULL;
}
}
}
::CloseHandle(process);
process = NULL;
}
return result;
}
bool DumpRunner::DumpProcess(Dumper* dumper, int level, const wchar_t* processName)
{
bool result = false;
EnumProcess enumProcess;
if (enumProcess.open() == true)
{
DWORD processId = 0;
const wchar_t* enumProcessName = enumProcess.getFirst();
while (enumProcessName != NULL)
{
if (::_wcsicmp(processName, enumProcessName) == 0)
{
processId = enumProcess.getProcessID();
break;
}
enumProcessName = enumProcess.getNext();
}
enumProcess.close();
if (processId != 0)
{
result = DumpProcess(dumper, level, processId);
}
}
return result;
}
bool DumpRunner::DumpProcess(Dumper* dumper, DumpLevel level, const char* processName)
{
bool result = false;
EnumProcess enumProcess;
if (enumProcess.open() == true)
{
DWORD processId = 0;
std::string enumProcessName = enumProcess.getFirst();
while (enumProcessName.empty() == false)
{
if (::_stricmp(processName, enumProcessName.c_str()) == 0)
{
processId = enumProcess.getProcessID();
break;
}
enumProcessName = enumProcess.getNext();
}
enumProcess.close();
if (processId != 0)
{
result = DumpProcess(dumper, level, processId);
}
}
return result;
}
static DWORD Process2(LPVOID pData)
{
int i = 0;
for(i = 0;i < 5;i ++)
{
_hx_printf(" I'm process 2.\r\n");
DumpProcess();
Sleep(20);
}
return 0;
}
static void DumpProcessAll(void) {
int i;
Process *proc;
printf("*** process table dump ***\n");
for (i = 0; i < g_list_length(ProcessList); i++) {
proc = g_list_nth_data(ProcessList, i);
DumpProcess(proc);
}
printf("**************************\n");
}
int main()
{
unsigned long ulSize = 0;
void* lpBase = 0;
if (lpBase = DumpProcess(GetCurrentProcess(), GetModuleHandle(0), &ulSize))
{
FILE* hFile = fopen("dump.exe", "wb");
fwrite(lpBase,sizeof(unsigned char), ulSize,hFile);
fclose(hFile);
HeapFree(GetProcessHeap(),0,lpBase);
}
return 0;
}
// main menu click
static int MtakeSnapshot(t_table *pt,wchar_t *name,ulong index,int mode) {
int ret;
switch(mode) {
case MENU_VERIFY:
ret=MENU_NORMAL;
break;
case MENU_EXECUTE:
ret=MENU_NOREDRAW;
if(run.status == STAT_IDLE) {
MessageBox(hwollymain, L"NO TARGET ATTACHED", L"ERROR", MB_OK);
} else {
DumpProcess(process);
}
break;
default:
ret=MENU_ABSENT;
break;
}
return ret;
};
void IH_GetImportTableAddresses() //Retrieve basic import data
{
HINSTANCE kernel32; // Handle to kernel32
unsigned int VirtualProtect_Addr; // VirtualProtect Address
unsigned int OutputDebugStringA_Addr; // OutputDebugStringA Address
unsigned int WriteProcessMemory_Addr; // WriteProcessMemory Address
unsigned int GetEnvironmentVariableA_Addr; // GetEnvironmentVariableA Address
unsigned int SetEnvironmentVariableA_Addr; // SetEnvironmentVariableA Address
unsigned int LoadLibraryA_Addr; // LoadLibraryA Address
unsigned int GetProcAddress_Addr; // GetProcAddress address
DeleteFile("loaded_binary.mem");
DumpProcess(IH_fdProcessInfo->hProcess, (void*)g_fdImageBase, (char*)"loaded_binary.mem", g_fdEntryPoint);
kernel32=GetModuleHandleA("kernel32");
VirtualProtect_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "VirtualProtect"));
OutputDebugStringA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "OutputDebugStringA"));
GetEnvironmentVariableA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "GetEnvironmentVariableA"));
SetEnvironmentVariableA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "SetEnvironmentVariableA"));
LoadLibraryA_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "LoadLibraryA"));
GetProcAddress_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "GetProcAddress"));
WriteProcessMemory_Addr=ImporterGetRemoteAPIAddress(IH_fdProcessInfo->hProcess, (unsigned int)GetProcAddress(kernel32, "WriteProcessMemory"));
HANDLE hFile=CreateFileA("loaded_binary.mem", GENERIC_ALL, 0, 0, OPEN_EXISTING, 0, 0);
DWORD high=0,filesize=GetFileSize(hFile, &high);
BYTE* dump_addr=(BYTE*)VirtualAlloc(VirtualAlloc(0, filesize+0x1000, MEM_RESERVE, PAGE_EXECUTE_READWRITE), filesize+0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
ReadFile(hFile, dump_addr, filesize, &high, 0);
CloseHandle(hFile);
unsigned int result_addr=0;
// Find VirtualProtect address
result_addr=FindDwordInMemory(dump_addr, VirtualProtect_Addr, filesize);
if(result_addr)
VirtualProtect_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
VirtualProtect_Addr=0;
g_PtrTargetData->VirtualProtect_Addr=VirtualProtect_Addr;
// Find OutputDebugStringA address
result_addr=FindDwordInMemory(dump_addr, OutputDebugStringA_Addr, filesize);
if(result_addr)
OutputDebugStringA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
OutputDebugStringA_Addr=0;
g_PtrTargetData->OutputDebugStringA_Addr=OutputDebugStringA_Addr;
// Find GetEnvironmentVariableA address
result_addr=FindDwordInMemory(dump_addr, GetEnvironmentVariableA_Addr, filesize);
if(result_addr)
GetEnvironmentVariableA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
GetEnvironmentVariableA_Addr=0;
g_PtrTargetData->GetEnvironmentVariableA_Addr=GetEnvironmentVariableA_Addr;
// Find SetEnvironmentVariableA address
result_addr=FindDwordInMemory(dump_addr, SetEnvironmentVariableA_Addr, filesize);
if(result_addr)
SetEnvironmentVariableA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
SetEnvironmentVariableA_Addr=0;
g_PtrTargetData->SetEnvironmentVariableA_Addr=SetEnvironmentVariableA_Addr;
// Find LoadLibraryA address
result_addr=FindDwordInMemory(dump_addr, LoadLibraryA_Addr, filesize);
if(result_addr)
LoadLibraryA_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
LoadLibraryA_Addr=0;
g_PtrTargetData->LoadLibraryA_Addr=LoadLibraryA_Addr;
// Find GetProcAddress address
result_addr=FindDwordInMemory(dump_addr, GetProcAddress_Addr, filesize);
if(result_addr)
GetProcAddress_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
GetProcAddress_Addr=0;
g_PtrTargetData->GetProcAddress_Addr=GetProcAddress_Addr;
// Find WriteProcessMemory address
result_addr=FindDwordInMemory(dump_addr, WriteProcessMemory_Addr, filesize);
if(result_addr)
WriteProcessMemory_Addr=(unsigned int)(result_addr+g_fdImageBase);
else
WriteProcessMemory_Addr=0;
g_PtrTargetData->WriteProcessMemory_Addr=WriteProcessMemory_Addr;
// Free the memory and close the handle
VirtualFree(dump_addr, filesize+0x1000, MEM_DECOMMIT);
}
int main(int argc, char* argv[] )
{
uint pid=0;
char* dll= 0;
int rv = 0;
bool handled = false;
if(argc < 2) usage();
if( argv[1][0] == '-') argv[1][0] = '/'; //standardize
EnableSeDebug();
//HANDLE hWatchDog = startWatchDog(); //still getting hangs once in a while..monitor external :-\
setvbuf(stdout, NULL, _IONBF, 0); //autoflush - allows external apps to read cmdline output in realtime..
// /inject decimal_pid dll_path
if(strstr(argv[1],"/inject") > 0 ){
if(argc!=4) usage(3);
pid = atoi( argv[2] );
dll = strdup(argv[3]);
if(!FileExists(dll)){
printf("Error: dll file not found: %s\n\n",dll);
usage();
}
rv = inject(dll,pid);
handled = true;
}
// /loadlib path
if(strstr(argv[1],"/loadlib") > 0 ){
if(argc!=3) usage(2);
dll = strdup(argv[2]);
if(!FileExists(dll)){
printf("Error: dll file not found: %s\n\n",dll);
usage();
}
printf("loadlib=%x\npress any key to continue...", LoadLibrary(dll));
getch();
handled = true;
}
// /dlls decimal_pid
if(strstr(argv[1],"/dlls") > 0 ){
if(argc!=3) usage(2);
pid = atoi( argv[2] );
rv = PrintModules(pid);
handled = true;
}
// /dumpprocess decimal_pid out_file_path
if(strstr(argv[1],"/dumpproc") > 0 ){
if(argc!=4) usage(3);
pid = atoi( argv[2] );
char* dumpFile = strdup(argv[3]);
if(FileExists(dumpFile)){
printf("Error: dump file already exists aborting: %s\n\n", dumpFile);
}
else{
rv = DumpProcess(pid,dumpFile);
}
handled = true;
}
// /dump decimal_pid, hex_string_base, hex_string_size out_file_path
if(!handled && strstr(argv[1],"/dumpmod") > 0 ){
if(argc!=6) usage(5);
pid = atoi( argv[2] );
__int64 base = _strtoi64(argv[3], NULL, 16);
__int64 sz = _strtoi64(argv[4], NULL, 16);
char* dumpFile = strdup(argv[5]);
if(FileExists(dumpFile)){
printf("Error: dump file already exists aborting: %s\n\n", dumpFile);
}
else{
rv = dump(pid,base,sz,dumpFile);
}
handled = true;
}
// /startwdll exe_path dll_path
if(strstr(argv[1],"/startwdll") > 0 ){
if(argc!=4) usage(3);
char* exe = strdup(argv[2]);
dll = strdup(argv[3]);
if(!FileExists(dll)){
printf("Error: dll file not found: %s\n\n",dll);
usage();
}
rv = startwdll(dll,exe);
handled = true;
}
// /memmap decimal_pid out_path
if(strstr(argv[1],"/memmap") > 0 ){
if(argc!=4) usage(3);
pid = atoi( argv[2] );
dll = strdup(argv[3]);
if(FileExists(dll)){
printf("Error: out file already exists: %s\n\n",dll);
usage();
}
rv = memMap(pid,dll);
handled = true;
}
if(handled==false){
printf("Error: Unknown option %s\n\n", argv[1]);
usage();
}
//TerminateThread(hWatchDog,0);
//CloseHandle(hWatchDog);
if( IsDebuggerPresent() ){
printf("press any key to exit...");
getch();
}
return rv;
}
//////////////////////////////////////////////////////////////////////// main.
//
int CDECL main(int argc, char **argv)
{
BOOLEAN fNeedHelp = FALSE;
BOOLEAN fVerbose = FALSE;
PCHAR pszDllPath = NULL;
int arg = 1;
for (; arg < argc && (argv[arg][0] == '-' || argv[arg][0] == '/'); arg++) {
CHAR *argn = argv[arg] + 1;
CHAR *argp = argn;
while (*argp && *argp != ':' && *argp != '=')
argp++;
if (*argp == ':' || *argp == '=')
*argp++ = '\0';
switch (argn[0]) {
case 'd': // Set DLL Name
case 'D':
pszDllPath = argp;
break;
case 'v': // Verbose
case 'V':
fVerbose = TRUE;
break;
case '?': // Help
fNeedHelp = TRUE;
break;
default:
fNeedHelp = TRUE;
printf("withdll.exe: Bad argument: %s\n", argv[arg]);
break;
}
}
if (arg >= argc) {
fNeedHelp = TRUE;
}
if (pszDllPath == NULL) {
fNeedHelp = TRUE;
}
if (fNeedHelp) {
PrintUsage();
return 9001;
}
/////////////////////////////////////////////////////////// Validate DLLs.
//
CHAR szDllPath[1024];
PCHAR pszFilePart = NULL;
if (!GetFullPathName(pszDllPath, ARRAYSIZE(szDllPath), szDllPath, &pszFilePart)) {
printf("withdll.exe: Error: %s is not a valid path name..\n",
pszDllPath);
return 9002;
}
HMODULE hDll = LoadLibraryEx(pszDllPath, NULL, DONT_RESOLVE_DLL_REFERENCES);
if (hDll == NULL) {
printf("withdll.exe: Error: %s failed to load (error %d).\n",
pszDllPath,
GetLastError());
return 9003;
}
ExportContext ec;
ec.fHasOrdinal1 = FALSE;
ec.nExports = 0;
DetourEnumerateExports(hDll, &ec, ExportCallback);
FreeLibrary(hDll);
if (!ec.fHasOrdinal1) {
printf("withdll.exe: Error: %s does not export ordinal #1.\n",
pszDllPath);
printf(" See help entry DetourCreateProcessWithDllEx in Detours.chm.\n");
return 9004;
}
//////////////////////////////////////////////////////////////////////////
STARTUPINFO si;
PROCESS_INFORMATION pi;
CHAR szCommand[2048];
CHAR szExe[1024];
CHAR szFullExe[1024] = "\0";
PCHAR pszFileExe = NULL;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
si.cb = sizeof(si);
szCommand[0] = L'\0';
#ifdef _CRT_INSECURE_DEPRECATE
strcpy_s(szExe, sizeof(szExe), argv[arg]);
#else
strcpy(szExe, argv[arg]);
#endif
for (; arg < argc; arg++) {
if (strchr(argv[arg], ' ') != NULL || strchr(argv[arg], '\t') != NULL) {
#ifdef _CRT_INSECURE_DEPRECATE
strcat_s(szCommand, sizeof(szCommand), "\"");
strcat_s(szCommand, sizeof(szCommand), argv[arg]);
strcat_s(szCommand, sizeof(szCommand), "\"");
#else
strcat(szCommand, "\"");
strcat(szCommand, argv[arg]);
strcat(szCommand, "\"");
#endif
}
else {
#ifdef _CRT_INSECURE_DEPRECATE
strcat_s(szCommand, sizeof(szCommand), argv[arg]);
#else
strcat(szCommand, argv[arg]);
#endif
}
if (arg + 1 < argc) {
#ifdef _CRT_INSECURE_DEPRECATE
strcat_s(szCommand, sizeof(szCommand), " ");
#else
strcat(szCommand, " ");
#endif
}
}
printf("withdll.exe: Starting: `%s'\n", szCommand);
printf("withdll.exe: with `%s'\n", szDllPath);
fflush(stdout);
DWORD dwFlags = CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED;
SetLastError(0);
SearchPath(NULL, szExe, ".exe", ARRAYSIZE(szFullExe), szFullExe, &pszFileExe);
if (!DetourCreateProcessWithDllEx(szFullExe[0] ? szFullExe : NULL, szCommand,
NULL, NULL, TRUE, dwFlags, NULL, NULL,
&si, &pi, szDllPath, NULL)) {
DWORD dwError = GetLastError();
printf("withdll.exe: DetourCreateProcessWithDllEx failed: %d\n", dwError);
if (dwError == ERROR_INVALID_HANDLE) {
#if DETOURS_64BIT
printf("withdll.exe: Can't detour a 32-bit target process from a 64-bit parent process.\n");
#else
printf("withdll.exe: Can't detour a 64-bit target process from a 32-bit parent process.\n");
#endif
}
ExitProcess(9009);
}
if (fVerbose) {
DumpProcess(pi.hProcess);
}
ResumeThread(pi.hThread);
WaitForSingleObject(pi.hProcess, INFINITE);
DWORD dwResult = 0;
if (!GetExitCodeProcess(pi.hProcess, &dwResult)) {
printf("withdll.exe: GetExitCodeProcess failed: %d\n", GetLastError());
return 9010;
}
return dwResult;
}
INT_PTR CALLBACK MainDlgProc(HWND hwndDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
int lbItem=0;
HWND hwndList=0;
DWORD pid=0xFFFFFFFF;
HDC dc = 0;
PAINTSTRUCT ps;
gHWND = hwndDlg;
char szpid[1024] = {0};
switch (message)
{
case WM_INITDIALOG:
// reset progress bar
SetProgressBar(0);
gProcList = new ProcessList(hwndDlg, hInst);
gProcList->FillList();
szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);
if(nArgs > 1) {
wsprintf(szpid, "%S", szArglist[1]);
gProcList->SetSelectionFromPid(atoi(szpid));
if(nArgs >2 ) {
MemorySnapshot *gMemSnap = new MemorySnapshot;
char filename[MAX_PATH];
wsprintf(filename, "%S", szArglist[2]);
bool res = gMemSnap->Dump(atoi(szpid), filename);
SendMessage(hwndDlg, WM_CLOSE, IDC_DUMP, (LPARAM)res);
} else {
DumpProcess(atoi(szpid));
}
}
return TRUE;
case WM_PAINT:
{
BeginPaint(gHWND, &ps);
RECT rc;
GetClientRect(gHWND, &rc);
EndPaint(gHWND, &ps);
}
break;
case WM_CLOSE:
delete gProcList;
gProcList = 0;
EndDialog(gHWND, 0);
ExitProcess((UINT)lParam);
break;
case WM_COMMAND:
switch(LOWORD(wParam))
{
case IDC_DUMP:
pid = gProcList->GetSelectedPid();
gProcList->EnableDisable(FALSE);
DumpProcess(pid);
gProcList->EnableDisable(TRUE);
break;
case IDC_REFRESH:
gProcList->FillList();
break;
case IDC_EXIT:
SendMessage(gHWND, WM_CLOSE, 0, 0);
break;
case IDC_PROCLIST:
if(pid == 0xFFFFFFFF) {
if(gProcList) {
pid = gProcList->GetSelectedPid();
}
if(pid == 0xFFFFFFFF)
EnableWindow(GetDlgItem(gHWND, IDC_DUMP), TRUE);
}
switch (HIWORD(wParam))
{
case LBN_DBLCLK:
SendMessage(gHWND, WM_COMMAND, IDC_DUMP, 0);
break;
default:
break;
}
default:
break;
}
default:
break;
}
// UpdateWindow(gHWND);
return (INT_PTR)FALSE;
}
BOOL CALLBACK DumpDialogFunct(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
BOOL bCheck;
static HWND hEditVA,hEditSize,hSecFix,hPasteOrgIt;
switch(uMsg)
{
case WM_INITDIALOG:
// save some handles
hSecFix = GetDlgItem(hDlg,IDC_FIXSECTIONS);
hEditVA = GetDlgItem(hDlg,IDC_VA);
hEditSize = GetDlgItem(hDlg,IDC_DUMPSIZE);
hPasteOrgIt = GetDlgItem(hDlg,IDC_PASTEORGIT);
hDumpDlg = hDlg;
// set the default
CheckDlgButton(hDlg,IDC_DUMPFULL,BST_CHECKED);
SendMessage(hDlg,WM_COMMAND,MAKEWPARAM(IDC_DUMPFULL,0),NULL);
CheckDlgButton(hDlg,IDC_FIXSECTIONS,BST_CHECKED);
CheckDlgButton(hDlg,IDC_PASTEORGIT,TRUE);
// set max text length
SendDlgItemMessage(hDlg,IDC_VA,EM_LIMITTEXT,8,0);
SendDlgItemMessage(hDlg,IDC_DUMPSIZE,EM_LIMITTEXT,8,0);
// hook edit procs
pOrgDumpEditProc = (WNDPROC)SetWindowLong(
GetDlgItem(hDlg, IDC_VA),
GWL_WNDPROC,
(DWORD)DumpEditProcs);
SetWindowLong(
GetDlgItem(hDlg, IDC_DUMPSIZE),
GWL_WNDPROC,
(LONG)DumpEditProcs);
break;
case WM_COMMAND:;
switch(LOWORD(wParam))
{
case ID_DUMPDLG_DUMP:
// check the entered values
if (!CheckEnteredValues())
{
MessageBox(
hDumpDlg,
"Invalid dump values !",
"ERROR",
MB_ICONERROR);
return TRUE;
}
if (!DumpProcess(dwPID,dwImageBase,dwSizeOfImage))
{
MessageBox(hDumpDlg,"Couldn't dump process :(","ERROR",MB_ICONERROR);
return TRUE;
}
// fix the sections ?
if (IsDlgButtonChecked(hDumpDlg,IDC_DUMPFULL) &&
IsDlgButtonChecked(hDumpDlg,IDC_FIXSECTIONS))
if (!FixSections((CHAR*)&szFilePath))
{
MessageBox(
hDumpDlg,
"Dumping done but there was\nan error while fixing the sections !",
"ERROR",
MB_ICONERROR);
EndDialog(hDumpDlg,0);
return TRUE;
}
// rebuild the import table ?
if (IsDlgButtonChecked(hDumpDlg,IDC_DUMPFULL) &&
IsDlgButtonChecked(hDumpDlg,IDC_PASTEORGIT))
if (!PasteOrgIT((CHAR*)szFname,(CHAR*)&szFilePath))
{
MessageBox(
hDumpDlg,
"Dumping done but there was\nan error while rebuilding the Import Table !",
"ERROR",
MB_ICONERROR);
EndDialog(hDumpDlg,0);
return TRUE;
}
MessageBox(hDumpDlg,"Dumping done.",":)",MB_ICONINFORMATION);
EndDialog(hDumpDlg,0);
return TRUE;
case ID_DUMPDLG_CANCEL:
EndDialog(hDlg,0);
return TRUE;
case IDC_DUMPFULL:
case IDC_DUMPPARTIAL:
bCheck = IsDlgButtonChecked(hDlg,IDC_DUMPFULL);
EnableWindow(hSecFix,bCheck);
EnableWindow(hPasteOrgIt,bCheck);
EnableWindow(hEditVA,!bCheck);
EnableWindow(hEditSize,!bCheck);
return TRUE;
}
break;
case WM_CLOSE:
EndDialog(hDlg,0);
return TRUE;
}
return FALSE;
}