HRESULT STDMETHODCALLTYPE DnCLRDataTarget_ReadVirtual( __in ICLRDataTarget *This, __in CLRDATA_ADDRESS address, __out BYTE *buffer, __in ULONG32 bytesRequested, __out ULONG32 *bytesRead ) { DnCLRDataTarget *this = (DnCLRDataTarget *)This; NTSTATUS status; SIZE_T numberOfBytesRead; if (NT_SUCCESS(status = PhReadVirtualMemory( this->ProcessHandle, (PVOID)address, buffer, bytesRequested, &numberOfBytesRead ))) { *bytesRead = (ULONG32)numberOfBytesRead; return S_OK; } else { ULONG result; result = RtlNtStatusToDosError(status); return HRESULT_FROM_WIN32(result); } }
NTSTATUS PhGetProcessDefaultHeap( __in HANDLE ProcessHandle, __out PPVOID Heap ) { NTSTATUS status; PROCESS_BASIC_INFORMATION basicInfo; if (!NT_SUCCESS(status = PhGetProcessBasicInformation( ProcessHandle, &basicInfo ))) return status; return status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, ProcessHeap)), Heap, sizeof(PVOID), NULL ); }
NTSTATUS PhGetThreadServiceTag( __in HANDLE ThreadHandle, __in_opt HANDLE ProcessHandle, __out PVOID *ServiceTag ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; BOOLEAN openedProcessHandle = FALSE; if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; if (!ProcessHandle) { if (!NT_SUCCESS(status = PhOpenThreadProcess( &ProcessHandle, PROCESS_VM_READ, ThreadHandle ))) return status; openedProcessHandle = TRUE; } status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, FIELD_OFFSET(TEB, SubProcessTag)), ServiceTag, sizeof(PVOID), NULL ); if (openedProcessHandle) NtClose(ProcessHandle); return status; }
INT_PTR CALLBACK PhpMemoryEditorDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PMEMORY_EDITOR_CONTEXT context; if (uMsg != WM_INITDIALOG) { context = GetProp(hwndDlg, PhMakeContextAtom()); } else { context = (PMEMORY_EDITOR_CONTEXT)lParam; SetProp(hwndDlg, PhMakeContextAtom(), (HANDLE)context); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { NTSTATUS status; if (context->Title) { SetWindowText(hwndDlg, context->Title->Buffer); } else { PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(context->ProcessId)) { SetWindowText(hwndDlg, PhaFormatString(L"%s (%u) (0x%Ix - 0x%Ix)", processItem->ProcessName->Buffer, HandleToUlong(context->ProcessId), context->BaseAddress, (ULONG_PTR)context->BaseAddress + context->RegionSize)->Buffer); PhDereferenceObject(processItem); } } PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); if (context->RegionSize > 1024 * 1024 * 1024) // 1 GB { PhShowError(NULL, L"Unable to edit the memory region because it is too large."); return TRUE; } if (!NT_SUCCESS(status = PhOpenProcess( &context->ProcessHandle, PROCESS_VM_READ, context->ProcessId ))) { PhShowStatus(NULL, L"Unable to open the process", status, 0); return TRUE; } context->Buffer = PhAllocatePage(context->RegionSize, NULL); if (!context->Buffer) { PhShowError(NULL, L"Unable to allocate memory for the buffer."); return TRUE; } if (!NT_SUCCESS(status = PhReadVirtualMemory( context->ProcessHandle, context->BaseAddress, context->Buffer, context->RegionSize, NULL ))) { PhShowStatus(PhMainWndHandle, L"Unable to read memory", status, 0); return TRUE; } PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_BYTESPERROW), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_GOTO), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_WRITE), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REREAD), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); if (MinimumSize.left == -1) { RECT rect; rect.left = 0; rect.top = 0; rect.right = 290; rect.bottom = 140; MapDialogRect(hwndDlg, &rect); MinimumSize = rect; MinimumSize.left = 0; } context->HexEditHandle = GetDlgItem(hwndDlg, IDC_MEMORY); PhAddLayoutItem(&context->LayoutManager, context->HexEditHandle, NULL, PH_ANCHOR_ALL); HexEdit_SetBuffer(context->HexEditHandle, context->Buffer, (ULONG)context->RegionSize); { PH_RECTANGLE windowRectangle; windowRectangle.Position = PhGetIntegerPairSetting(L"MemEditPosition"); windowRectangle.Size = PhGetScalableIntegerPairSetting(L"MemEditSize", TRUE).Pair; PhAdjustRectangleToWorkingArea(NULL, &windowRectangle); MoveWindow(hwndDlg, windowRectangle.Left, windowRectangle.Top, windowRectangle.Width, windowRectangle.Height, FALSE); // Implement cascading by saving an offsetted rectangle. windowRectangle.Left += 20; windowRectangle.Top += 20; PhSetIntegerPairSetting(L"MemEditPosition", windowRectangle.Position); PhSetScalableIntegerPairSetting2(L"MemEditSize", windowRectangle.Size); } { PWSTR bytesPerRowStrings[7]; ULONG i; ULONG bytesPerRow; for (i = 0; i < sizeof(bytesPerRowStrings) / sizeof(PWSTR); i++) bytesPerRowStrings[i] = PhaFormatString(L"%u bytes per row", 1 << (2 + i))->Buffer; PhAddComboBoxStrings(GetDlgItem(hwndDlg, IDC_BYTESPERROW), bytesPerRowStrings, sizeof(bytesPerRowStrings) / sizeof(PWSTR)); bytesPerRow = PhGetIntegerSetting(L"MemEditBytesPerRow"); if (bytesPerRow >= 4) { HexEdit_SetBytesPerRow(context->HexEditHandle, bytesPerRow); PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_BYTESPERROW), PhaFormatString(L"%u bytes per row", bytesPerRow)->Buffer, FALSE); } } context->LoadCompleted = TRUE; } break; case WM_DESTROY: { if (context->LoadCompleted) { PhSaveWindowPlacementToSetting(L"MemEditPosition", L"MemEditSize", hwndDlg); PhRemoveElementAvlTree(&PhMemoryEditorSet, &context->Links); PhUnregisterDialog(hwndDlg); } RemoveProp(hwndDlg, PhMakeContextAtom()); PhDeleteLayoutManager(&context->LayoutManager); if (context->Buffer) PhFreePage(context->Buffer); if (context->ProcessHandle) NtClose(context->ProcessHandle); PhClearReference(&context->Title); if ((context->Flags & PH_MEMORY_EDITOR_UNMAP_VIEW_OF_SECTION) && context->ProcessId == NtCurrentProcessId()) NtUnmapViewOfSection(NtCurrentProcess(), context->BaseAddress); PhFree(context); } break; case WM_SHOWWINDOW: { SendMessage(hwndDlg, WM_NEXTDLGCTL, (WPARAM)context->HexEditHandle, TRUE); } break; case WM_COMMAND: { switch (LOWORD(wParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Binary files (*.bin)", L"*.bin" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; PPH_PROCESS_ITEM processItem; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); if (!context->Title && (processItem = PhReferenceProcessItem(context->ProcessId))) { PhSetFileDialogFileName(fileDialog, PhaFormatString(L"%s_0x%Ix-0x%Ix.bin", processItem->ProcessName->Buffer, context->BaseAddress, context->RegionSize)->Buffer); PhDereferenceObject(processItem); } else { PhSetFileDialogFileName(fileDialog, L"Memory.bin"); } if (PhShowFileDialog(hwndDlg, fileDialog)) { NTSTATUS status; PPH_STRING fileName; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { status = PhWriteFileStream(fileStream, context->Buffer, (ULONG)context->RegionSize); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; case IDC_GOTO: { PPH_STRING selectedChoice = NULL; while (PhaChoiceDialog( hwndDlg, L"Go to Offset", L"Enter an offset:", NULL, 0, NULL, PH_CHOICE_DIALOG_USER_CHOICE, &selectedChoice, NULL, L"MemEditGotoChoices" )) { ULONG64 offset; if (selectedChoice->Length == 0) continue; if (PhStringToInteger64(&selectedChoice->sr, 0, &offset)) { if (offset >= context->RegionSize) { PhShowError(hwndDlg, L"The offset is too large."); continue; } SendMessage(hwndDlg, WM_NEXTDLGCTL, (WPARAM)context->HexEditHandle, TRUE); HexEdit_SetSel(context->HexEditHandle, (LONG)offset, (LONG)offset); break; } } } break; case IDC_WRITE: { NTSTATUS status; if (!context->WriteAccess) { HANDLE processHandle; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_VM_READ | PROCESS_VM_WRITE, context->ProcessId ))) { PhShowStatus(hwndDlg, L"Unable to open the process", status, 0); break; } if (context->ProcessHandle) NtClose(context->ProcessHandle); context->ProcessHandle = processHandle; context->WriteAccess = TRUE; } if (!NT_SUCCESS(status = PhWriteVirtualMemory( context->ProcessHandle, context->BaseAddress, context->Buffer, context->RegionSize, NULL ))) { PhShowStatus(hwndDlg, L"Unable to write memory", status, 0); } } break; case IDC_REREAD: { NTSTATUS status; if (!NT_SUCCESS(status = PhReadVirtualMemory( context->ProcessHandle, context->BaseAddress, context->Buffer, context->RegionSize, NULL ))) { PhShowStatus(hwndDlg, L"Unable to read memory", status, 0); } InvalidateRect(context->HexEditHandle, NULL, TRUE); } break; case IDC_BYTESPERROW: if (HIWORD(wParam) == CBN_SELCHANGE) { PPH_STRING bytesPerRowString = PhaGetDlgItemText(hwndDlg, IDC_BYTESPERROW); PH_STRINGREF firstPart; PH_STRINGREF secondPart; ULONG64 bytesPerRow64; if (PhSplitStringRefAtChar(&bytesPerRowString->sr, ' ', &firstPart, &secondPart)) { if (PhStringToInteger64(&firstPart, 10, &bytesPerRow64)) { PhSetIntegerSetting(L"MemEditBytesPerRow", (ULONG)bytesPerRow64); HexEdit_SetBytesPerRow(context->HexEditHandle, (ULONG)bytesPerRow64); SendMessage(hwndDlg, WM_NEXTDLGCTL, (WPARAM)context->HexEditHandle, TRUE); } } } break; } } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_PH_SELECT_OFFSET: { HexEdit_SetEditMode(context->HexEditHandle, EDIT_ASCII); HexEdit_SetSel(context->HexEditHandle, (ULONG)wParam, (ULONG)wParam + (ULONG)lParam); } break; } return FALSE; }
/** * Determines the OS compatibility context of a process. * * \param ProcessHandle A handle to a process. * \param Guid A variable which receives a GUID identifying an * operating system version. */ NTSTATUS PhGetProcessSwitchContext( __in HANDLE ProcessHandle, __out PGUID Guid ) { NTSTATUS status; PROCESS_BASIC_INFORMATION basicInfo; #ifdef _M_X64 PVOID peb32; ULONG contextData32; #endif PVOID contextData; // Reverse-engineered from WdcGetProcessSwitchContext (wdc.dll). #ifdef _M_X64 if (NT_SUCCESS(PhGetProcessPeb32(ProcessHandle, &peb32)) && peb32) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(peb32, FIELD_OFFSET(PEB32, pContextData)), &contextData32, sizeof(ULONG), NULL ))) return status; contextData = UlongToPtr(contextData32); } else { #endif if (!NT_SUCCESS(status = PhGetProcessBasicInformation(ProcessHandle, &basicInfo))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, pContextData)), &contextData, sizeof(PVOID), NULL ))) return status; #ifdef _M_X64 } #endif if (!contextData) return STATUS_UNSUCCESSFUL; // no compatibility context data if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(contextData, 32), // Magic value from WdcGetProcessSwitchContext Guid, sizeof(GUID), NULL ))) return status; return STATUS_SUCCESS; }
BOOLEAN EtpRefreshUnloadedDlls( __in HWND hwndDlg, __in PUNLOADED_DLLS_CONTEXT Context ) { NTSTATUS status; PULONG elementSize; PULONG elementCount; PVOID eventTrace; HANDLE processHandle = NULL; ULONG eventTraceSize; ULONG capturedElementSize; ULONG capturedElementCount; PVOID capturedEventTracePointer; PVOID capturedEventTrace = NULL; ULONG i; PVOID currentEvent; HWND lvHandle; lvHandle = GetDlgItem(hwndDlg, IDC_LIST); ListView_DeleteAllItems(lvHandle); RtlGetUnloadEventTraceEx(&elementSize, &elementCount, &eventTrace); if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_VM_READ, Context->ProcessItem->ProcessId))) goto CleanupExit; // We have the pointers for the unload event trace information. // Since ntdll is loaded at the same base address across all processes, // we can read the information in. if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, elementSize, &capturedElementSize, sizeof(ULONG), NULL ))) goto CleanupExit; if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, elementCount, &capturedElementCount, sizeof(ULONG), NULL ))) goto CleanupExit; if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, eventTrace, &capturedEventTracePointer, sizeof(PVOID), NULL ))) goto CleanupExit; if (!capturedEventTracePointer) goto CleanupExit; // no events if (capturedElementCount > 0x4000) capturedElementCount = 0x4000; eventTraceSize = capturedElementSize * capturedElementCount; capturedEventTrace = PhAllocateSafe(eventTraceSize); if (!capturedEventTrace) { status = STATUS_NO_MEMORY; goto CleanupExit; } if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, capturedEventTracePointer, capturedEventTrace, eventTraceSize, NULL ))) goto CleanupExit; currentEvent = capturedEventTrace; ExtendedListView_SetRedraw(lvHandle, FALSE); for (i = 0; i < capturedElementCount; i++) { PRTL_UNLOAD_EVENT_TRACE rtlEvent = currentEvent; INT lvItemIndex; WCHAR buffer[128]; PPH_STRING string; LARGE_INTEGER time; SYSTEMTIME systemTime; if (!rtlEvent->BaseAddress) break; PhPrintUInt32(buffer, rtlEvent->Sequence); lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, buffer, rtlEvent); // Name if (PhCopyUnicodeStringZ(rtlEvent->ImageName, sizeof(rtlEvent->ImageName) / sizeof(WCHAR), buffer, sizeof(buffer) / sizeof(WCHAR), NULL)) { PhSetListViewSubItem(lvHandle, lvItemIndex, 1, buffer); } // Base Address PhPrintPointer(buffer, rtlEvent->BaseAddress); PhSetListViewSubItem(lvHandle, lvItemIndex, 2, buffer); // Size string = PhFormatSize(rtlEvent->SizeOfImage, -1); PhSetListViewSubItem(lvHandle, lvItemIndex, 3, string->Buffer); PhDereferenceObject(string); // Time Stamp RtlSecondsSince1970ToTime(rtlEvent->TimeDateStamp, &time); PhLargeIntegerToLocalSystemTime(&systemTime, &time); string = PhFormatDateTime(&systemTime); PhSetListViewSubItem(lvHandle, lvItemIndex, 4, string->Buffer); PhDereferenceObject(string); // Checksum PhPrintPointer(buffer, UlongToPtr(rtlEvent->CheckSum)); PhSetListViewSubItem(lvHandle, lvItemIndex, 5, buffer); currentEvent = PTR_ADD_OFFSET(currentEvent, capturedElementSize); } ExtendedListView_SortItems(lvHandle); ExtendedListView_SetRedraw(lvHandle, TRUE); if (Context->CapturedEventTrace) PhFree(Context->CapturedEventTrace); Context->CapturedEventTrace = capturedEventTrace; CleanupExit: if (processHandle) NtClose(processHandle); if (NT_SUCCESS(status)) { return TRUE; } else { PhShowStatus(hwndDlg, L"Unable to retrieve unload event trace information", status, 0); return FALSE; } }