Title: Peasant Toolz [kernel disassembler]
Question: This project contains a disassembler, an object viewer, and other tools.
Everything is provided with full source code except the disassembler and the kernel driver, which ship as binaries only. Note that the driver appears to install a ring-0 call gate (int 60h) reachable from user mode, so load it only on a disposable test machine, never on a box you care about.
(HALF-finished project)
Answer:
Download complete project:
http://web.vip.hr/inga.vip/tpt.zip
unit vfpower;
interface
uses classes,sysutils,windows;
//Const DIFFERENCE = 11
//Const RT_ACCELERATOR = 9&
//Const RT_ANICURSOR = (21)
//Const RT_ANIICON = (22)
//Const RT_BITMAP = 2&
//Const RT_CURSOR = 1&
//Const RT_DIALOG = 5&
//Const RT_DLGINCLUDE = (17)
//Const RT_FONT = 8&
//Const RT_FONTDIR = 7&
//Const RT_ICON = 3&
//Const RT_GROUP_CURSOR = (RT_CURSOR + DIFFERENCE)
//Const RT_GROUP_ICON = (RT_ICON + DIFFERENCE)
//Const RT_HTML = (23)
//Const RT_MENU = 4&
//Const RT_MESSAGETABLE = (11)
//Const RT_PLUGPLAY = (19)
//Const RT_RCDATA = 10&
//Const RT_STRING = 6&
//Const RT_VERSION = (16)
//Const RT_VXD = (20)
// Service-control and I/O-manager constants used by the advapi32 wrappers and
// TServiceManager further down.
const IRP_MJ_MAXIMUM_FUNCTION = $1B;  // highest IRP_MJ_* index; sizes DRIVER_OBJECT.MajorFunction (28 slots)
// NOTE(review): $F003F is the value of the Win32 SC_MANAGER_ALL_ACCESS mask; the
// real SERVICE_ALL_ACCESS is $F01FF.  If this constant is what TServiceManager
// passes to OpenServiceA (implementation not visible here), the handle lacks
// SERVICE_PAUSE_CONTINUE ($40) and SERVICE_INTERROGATE ($80), so pause/continue
// controls would fail with access denied.  Either way, requesting "all access"
// is more than start/stop/delete need -- prefer the minimal rights per call.
const SERVICE_ALL_ACCESS=$f003f;
const SERVICE_ERROR_NORMAL=1;
Const SERVICE_CONTROL_STOP = 1;
Const SERVICE_CONTROL_PAUSE = 2;
Const SERVICE_CONTROL_CONTINUE = 3;
const SERVICE_ACTIVE = 1;
Const SERVICE_INACTIVE = 2;
type
// Enumerations with explicit ordinal values so they can be handed straight to
// CreateServiceA / interpreted from SERVICE_STATUS.dwCurrentState.
SERVICE_TYPES=(SERVICE_KERNEL_DRIVER=1,SERVICE_FILE_SYSTEM_DRIVER=2,SERVICE_WIN32_OWN_PROCESS=$10,SERVICE_WIN32_SHARE_PROCESS=$20,SERVICE_INTERACTIVE_PROCESS=$100);
SERVICE_START=(SERVICE_BOOT_START=0,SERVICE_SYSTEM_START = 1,SERVICE_AUTO_START=2,SERVICE_DEMAND_START =3, SERVICE_DISABLED = 4);
SERVICE_STATE=(SERVICE_STOPPED = 1, SERVICE_START_PENDING=2,SERVICE_STOP_PENDING =3,SERVICE_RUNNING = 4,SERVICE_CONTINUE_PENDING =5 ,SERVICE_PAUSE_PENDING = 6,SERVICE_PAUSED = 7);
// PE structures walked by ImportTable/ResourceTable.  None of these is 'packed';
// they contain only 4-byte fields (or naturally aligned words), so Delphi's
// default alignment still matches the on-disk layout.  RVAs are stored in
// pointer-typed fields: they are offsets from the module base, not addresses.
IMAGE_IMPORT_DIRECTORY=record  // = IMAGE_IMPORT_DESCRIPTOR, 20 bytes
dwRVAFunctionNameList:pointer; // OriginalFirstThunk: RVA of the import name table
TimeDateStamp,
ForwarderChain:Cardinal;
dwRVAModuleName,               // RVA of the DLL name (ASCIIZ)
dwRVAFunctionAddressList:pointer  // FirstThunk: RVA of the IAT
end;
IMAGE_RESOURCE_DIRECTORY_ENTRY=record  // 8 bytes; high bit of each field marks "name string" / "subdirectory"
Name_Id:cardinal;
Data_Directory_RVA:pointer;    // offset relative to the start of the resource section
end;
pIMAGE_RESOURCE_DIRECTORY_ENTRY=^IMAGE_RESOURCE_DIRECTORY_ENTRY;
IMAGE_RESOURCE_DATA_ENTRY=RECORD  // 16 bytes
DataRVA:pointer;
rSize,CodePage,Reserved:cardinal;
end;
pIMAGE_RESOURCE_DATA_ENTRY=^IMAGE_RESOURCE_DATA_ENTRY;
IMAGE_RESOURCE_DIRECTORY=record   // 16 bytes; entries follow immediately (named first, then by id)
Characteristics,TimeDateStamp:cardinal;
MajorVersion,MinorVersion:word;
NumberOfNamedEntries,NumberOfIdEntries:word;
end;
pIMAGE_RESOURCE_DIRECTORY=^IMAGE_RESOURCE_DIRECTORY;
// 40-byte DIB header handed to CreateDIBSection when rendering RT_BITMAP
// resources.  biWidth/biHeight are signed LONG in the Win32 definition (a
// negative biHeight means top-down); declared unsigned here, so check the sign
// bit by hand before using the values as dimensions.
BITMAPINFOHEADER=record
biSize,biWidth,biHeight:cardinal;
biPlanes,biBitCount:word;
biCompression,biSizeImage,
biXPelsPerMeter, biYPelsPerMeter,
biClrUsed,biClrImportant:cardinal;
end;
pBITMAPINFOHEADER=^BITMAPINFOHEADER;
// Output structures of disasm.dll (DisAssemble).  The DLL ships without
// source, so the field meanings below are what its author documented inline;
// nothing in this unit validates them.
RegKind = record
REG_Kind, //' ;1=8 bits \ 2=16 bits \ 3=32 bits \ 4=MMX \ 5=XMM \ 6=Float stack \ 7=Segment \ 8=Debug \ 9=Control \ 10=Test
REG_Ptr_Kind, // ' ;1=Byte PTR \ 2=Word PTR \ 3=Dword PTR \ 4=Qword PTR \ 5=mmword ptr \ 6=xmmword ptr \ 7=FWord PTR \ 8=tbyte ptr \ 9=null ptr (LEA)
REG_Type, //' ;0-7= direct register index \ 16 register=byte && 7 \ 32 register=(byte && 63)/8 \ 64=[32/16 address only] \ 128=[using x86 relatives]
REG_BaseAsReg:byte //' ? ;1=Register only (BASE exposed)!
end;
// One operand: segment, base/index/scale/displacement (ModRM/SIB) plus kind.
Reg=record
SEG_TYPE,
BASE,
INDEX,
SCALE,
DISPLACEMENTS,
DISPLACEMENT_TYPE:cardinal;
REG_KIND:RegKind;
PTR_TYPE:cardinal;
end;
// Immediate operand split in two 32-bit halves (64-bit immediates).
Imm =record
VALUE_LO,VALUE_HI,VALUE_TYPE:cardinal;
end;
// Decoded instruction.  'packed' because the layout must match the DLL's.
// INSTRUCTION_PREFIX/INSTRUCTION are C strings; who owns that memory (the DLL
// or the OutBuffer passed to Dasm) is not visible here -- presumably the DLL.
DisAsm=packed record
INSTRUCTION_PREFIX,
INSTRUCTION:pansichar;
REG1,
REG2:Reg;
REG_REG:cardinal;
IMMEDIATE:Imm;
INSTRUCTION_LENGTH:cardinal;
end;
// Argument block for CopyMem0 (see implementation): {Destination, Source, byte count}.
TCopySMEM=record
Destination,Source:pointer;length:cardinal;
end;
// Selectors for EnumModuleData / ModuleData.
EnumDataType=(eExport,eImport,eResource);
EnumDataTypeExport=(fExp,fImp,fRes);
EnumerateModuleType=set of EnumDataType;
EnumerateModuleTypeExport=set of EnumDataTypeExport;
// ToolHelp snapshot flags for CreateToolhelp32Snapshot (combine with 'or').
Const TH32CS_SNAPHEAPLIST = 1 ;
Const TH32CS_SNAPMODULE = 8 ;
Const TH32CS_SNAPPROCESS = 2 ;
Const TH32CS_SNAPTHREAD = 4 ;
// ToolHelp records (ANSI variants).  Sizes match the Win32 definitions only
// when 'char' is a one-byte AnsiChar, i.e. on pre-Unicode Delphi (the rest of
// the unit assumes the same); dwSize must be set to sizeof() before each call.
type PROCESSENTRY32=record  // 296 bytes
dwSize,
cntUsage,
th32ProcessID,
th32DefaultHeapID,
th32ModuleID,
cntThreads,
th32ParentProcessID,
pcPriClassBase,
dwFlags:cardinal;
szExeFile:array [0..259] of char;  // MAX_PATH, ASCIIZ
end;
pPROCESSENTRY32=^PROCESSENTRY32;
THREADENTRY32=record  // 28 bytes
dwSize,
cntUsage,
th32ThreadID,
th32OwnerProcessID,
tpBasePri,
tpDeltaPri,
dwFlags:cardinal
end;
pTHREADENTRY32=^THREADENTRY32;
MODULEENTRY32=record  // 548 bytes; modBaseAddr/hModule are pointers stored as cardinal
dwSize,
th32ModuleID,
th32ProcessID,
GlblcntUsage,
ProccntUsage,
modBaseAddr,
modBaseSize,
hModule:cardinal;
szModule:array [0..255] of char;
szExePath:array [0..259] of char;
end;
pMODULEENTRY32=^MODULEENTRY32;
// Undocumented NT structures (32-bit layouts).  Offsets are what the code
// below relies on; they are not validated against the running OS version.
PROCESS_BASIC_INFORMATION=record  // 24 bytes, ProcessBasicInformation (class 0)
ExitStatus:cardinal;
PebBaseAddress:pointer;
AffinityMask,BasePriority,
UniqueProcessId,InheritedFromUniqueProcessId:cardinal
end;
// NOTE(review): naming is inverted relative to the SDK -- PUNICODE_STRING here
// is the 8-byte UNICODE_STRING record itself, and pPUNICODE_STRING is the
// pointer to it.  Delphi is case-insensitive, so the 'pUNICODE_STRING' fields
// embedded in the kernel structures below are also the inline 8-byte record,
// which is what their documented offsets require.
Type PUNICODE_STRING =record
StrLen,MaxLen:word;  // byte counts, not character counts
pString:pWideChar ;  // not necessarily NUL-terminated: use StrLen
End;
pPUNICODE_STRING=^PUNICODE_STRING;
LIST_ENTRY=record
FList,BList:pointer;  // Flink / Blink
end;
// PEB.Ldr and the loader module entries it links (InLoadOrderModuleList etc.).
PEB_LDR_DATA=record
Length:cardinal;
Initialized:longbool;
SsHandle:cardinal;
InLoadOrderModuleList,
InMemoryOrderModuleList,
InInitializationOrderModuleList:LIST_ENTRY;
end;
pPEB_LDR_DATA=^PEB_LDR_DATA;
LDR_MODULE =record
InLoadOrderModuleList,InMemoryOrderModuleList,InInitializationOrderModuleList: LIST_ENTRY;
BaseAddress,EntryPoint:pointer;
SizeOfImage:cardinal;
FullDllName,BaseDllName:PUNICODE_STRING;  // inline records; their pString points into the target process
Flags:cardinal;
LoadCount,TlsIndex:word;
HashTableEntry:LIST_ENTRY;
TimeDateStamp:cardinal;
end;
pLDR_MODULE=^LDR_MODULE;
// 24-byte OBJECT_ATTRIBUTES for NtOpenDirectoryObject.  RootDirectory is a
// HANDLE in the SDK; declared as a pointer type here (same size on 32-bit).
OBJECT_ATTRIBUTES = record
Length:integer;
RootDirectory,pObjectName:pPUNICODE_STRING;
Attributes,SecurityDescriptor,SecurityQualityOfService:integer
end;
pOBJECT_ATTRIBUTES=^OBJECT_ATTRIBUTES;
// Per-item records handed to the EnumNotification callback by
// TKernelEnums.EnumModuleData; the pansichar fields point into buffers owned
// by the enumeration and are only valid during the callback.
IMPORT_BY_MODULE=record
BaseAddress,IAT,FunctionAddress:pointer;FunctionName,ModuleName:pansichar
end;
pIMPORT_BY_MODULE=^IMPORT_BY_MODULE;
RESOURCE_BY_MODULE=record
BaseAddress,ResourceAddress:pointer;ResourceLength:cardinal;
rType,rName,rLangId:cardinal;
ObjectHandle:cardinal;  // GDI object created when EnumResourcesCreateObject is set (presumably; creation code not visible)
pData:pointer;
end;
pRESOURCE_BY_MODULE=^RESOURCE_BY_MODULE;
EXPORT_BY_MODULE=record
ModuleName,FunctionName:pansichar;
Ordinal:cardinal;
FuncAddress,BaseAddress:pointer;
end;
pEXPORT_BY_MODULE=^EXPORT_BY_MODULE;
// One entry of SystemModuleInformation (class 11): 284 bytes.  The count of
// entries precedes the array in the buffer (see EnumKernelDrivers).
SYSTEM_MODULE_INFORMATION_ENTRY=record
Unknown1,Unknown2,Base,Size,Flags:cardinal;  // Section, MappedBase, ImageBase, ImageSize, Flags
Index,NameLength,LoadCount,PathLength:word;  // PathLength is the offset of the file name inside ImageName
ImageName:array [0..255] of char;
end;
pSYSTEM_MODULE_INFORMATION_ENTRY=^SYSTEM_MODULE_INFORMATION_ENTRY;
// One entry of SystemHandleInformation (class $10): 16 bytes.  NOTE(review):
// ProcessId spans two 16-bit fields of the native layout (UniqueProcessId in
// the low word, CreatorBackTraceIndex in the high word); mask with $FFFF before
// comparing it against a PID.
SYSTEM_HANDLE_INFORMATION =record
ProcessId:cardinal;
ObjectTypeNumber,Flags:byte;
Handle:word;
ObjectAddress:pointer;  // kernel address of the object -- only meaningful to the driver-side readers
GrantedAccess:cardinal;
end;
pSYSTEM_HANDLE_INFORMATION=^SYSTEM_HANDLE_INFORMATION;
// KTHREAD_STATE values as reported in SYSTEM_THREADS.State.
THREAD_STATE =(StateInitialized,
StateReady,
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown);
VM_COUNTERS=record  // 44 bytes (32-bit SIZE_T fields)
PeakVirtualSize,VirtualSize,PageFaultCount,PeakWorkingSetSize,
WorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,
QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,
PeakPagefileUsage:cardinal;
end;
pVM_COUNTERS=^VM_COUNTERS;
// NOTE(review): the Win32 IO_COUNTERS uses six 64-bit counters (48 bytes);
// this 24-byte declaration halves every field, so the values read through it
// are wrong and SYSTEM_PROCESSES comes out short of the $B8 thread-array
// offset that GetThreadInfo hard-codes.
IO_COUNTERS=record
ReadOperationCount,WriteOperationCount,OtherOperationCount,
ReadTransferCount,WriteTransferCount,OtherTransferCount:cardinal;
end;
pIO_COUNTERS=^IO_COUNTERS;
// DEVICE TYPES::
//FILE_DEVICE_BEEP equ 01
//FILE_DEVICE_CD_ROM equ 02
//FILE_DEVICE_CD_ROM_FILE_SYSTEM equ 03
//FILE_DEVICE_CONTROLLER equ 04
//FILE_DEVICE_DATALINK equ 05
//FILE_DEVICE_DFS equ 06
//FILE_DEVICE_DISK equ 07
//FILE_DEVICE_DISK_FILE_SYSTEM equ 08
//FILE_DEVICE_FILE_SYSTEM equ 09
//FILE_DEVICE_INPORT_PORT equ 0ah
//FILE_DEVICE_KEYBOARD equ 0bh
//FILE_DEVICE_MAILSLOT equ 0ch
//FILE_DEVICE_MIDI_IN equ 0dh
//FILE_DEVICE_MIDI_OUT equ 0eh
//FILE_DEVICE_MOUSE equ 0fh
//FILE_DEVICE_MULTI_UNC_PROVIDER equ 10h
//FILE_DEVICE_NAMED_PIPE equ 11h
//FILE_DEVICE_NETWORK equ 12h
//FILE_DEVICE_NETWORK_BROWSER equ 13h
//FILE_DEVICE_NETWORK_FILE_SYSTEM equ 14h
//FILE_DEVICE_NULL equ 15h
//FILE_DEVICE_PARALLEL_PORT equ 16h
//FILE_DEVICE_PHYSICAL_NETCARD equ 17h
//FILE_DEVICE_PRINTER equ 18h
//FILE_DEVICE_SCANNER equ 19h
//FILE_DEVICE_SERIAL_MOUSE_PORT equ 1ah
//FILE_DEVICE_SERIAL_PORT equ 1bh
//FILE_DEVICE_SCREEN equ 1ch
//FILE_DEVICE_SOUND equ 1dh
//FILE_DEVICE_STREAMS equ 1eh
//FILE_DEVICE_TAPE equ 1fh
//FILE_DEVICE_TAPE_FILE_SYSTEM equ 20h
//FILE_DEVICE_TRANSPORT equ 21h
//FILE_DEVICE_UNKNOWN equ 22h
//FILE_DEVICE_VIDEO equ 23h
//FILE_DEVICE_VIRTUAL_DISK equ 24h
//FILE_DEVICE_WAVE_IN equ 25h
//FILE_DEVICE_WAVE_OUT equ 26h
//FILE_DEVICE_8042_PORT equ 27h
//FILE_DEVICE_NETWORK_REDIRECTOR equ 28h
//FILE_DEVICE_BATTERY equ 29h
//FILE_DEVICE_BUS_EXTENDER equ 2ah
//FILE_DEVICE_MODEM equ 2bh
//FILE_DEVICE_VDM equ 2ch
//FILE_DEVICE_MASS_STORAGE equ 2dh
//FILE_DEVICE_SMB equ 2eh
//FILE_DEVICE_KS equ 2fh
//FILE_DEVICE_CHANGER equ 30h
//FILE_DEVICE_SMARTCARD equ 31h
//FILE_DEVICE_ACPI equ 32h
//FILE_DEVICE_DVD equ 33h
//FILE_DEVICE_FULLSCREEN_VIDEO equ 34h
//FILE_DEVICE_DFS_FILE_SYSTEM equ 35h
//FILE_DEVICE_DFS_VOLUME equ 36h
//FILE_DEVICE_SERENUM equ 37h
//FILE_DEVICE_TERMSRV equ 38h
//FILE_DEVICE_KSEC equ 39h
// Kernel-mode object layouts (NT4/2000-era, 32-bit) transcribed from a MASM
// include; the trailing comments give the original field offsets.  They are
// read out of kernel memory by GetDeviceInfo / GetDeviceInfoFromPtr via the
// driver, so a layout mismatch on a newer OS silently yields garbage rather
// than an error.  Fields named Type/Size/Lock are prefixed with '_' because
// they are Pascal reserved words or clash with other identifiers.
DRIVER_EXTENSION=record // ; sizeof = 14h
// ; Back pointer to Driver Object
DriverObject:pointer;// PVOID ? ; 00h PDRIVER_OBJECT
// ; The AddDevice entry point is called by the Plug & Play manager
// ; to inform the driver when a new device instance arrives that this
// ; driver must control.
AddDevice :pointer;// PVOID ? ; 04h PDRIVER_ADD_DEVICE
// ; The count field is used to count the number of times the driver has
// ; had its registered reinitialization routine invoked.
Count:cardinal;// DWORD ? ; 08h
// ; The service name field is used by the pnp manager to determine
// ; where the driver related info is stored in the registry.
ServiceKeyName:pUNICODE_STRING ;// ; 0Ch   (inline 8-byte UNICODE_STRING, see PUNICODE_STRING)
// ; Note: any new shared fields get added here.
// ; *!!!* The field below is not defined in original ntddk.h file *!!!*
// ; Use it on your own
ClientDriverExtension:pointer ;// PVOID ? ; 0014h PTR IO_CLIENT_EXTENSION
end;
pDRIVER_EXTENSION=^DRIVER_EXTENSION;// ENDS
KDEVICE_QUEUE_ENTRY=record // ; sizeof = 010h
DeviceListEntry:LIST_ENTRY; // ; 0000h
SortKey:cardinal; // DWORD ? ; 0008h
Inserted:byte ;// ? ; 000Ch
Padding:array [0..2] of byte; //db 3 dup(?); padding
end;
pKDEVICE_QUEUE_ENTRY=^KDEVICE_QUEUE_ENTRY;
WAIT_CONTEXT_BLOCK =record // ; sizeof = 028h
WaitQueueEntry:KDEVICE_QUEUE_ENTRY; //; 0000h
DeviceRoutine, //PVOID ? ; 0010h PDRIVER_CONTROL
DeviceContext:pointer; // PVOID ? ; 0014h
NumberOfMapRegisters:cardinal;// DWORD ? ; 0018h
DeviceObject, //PVOID ? ; 001Ch
CurrentIrp, //PVOID ? ; 0020h
BufferChainingDpc:pointer; // PVOID ? ; 0024h PTR KDPC
end;
pWAIT_CONTEXT_BLOCK=^WAIT_CONTEXT_BLOCK;
KDEVICE_QUEUE =record // ; sizeof = 014h
_Type :word; // SWORD ? ; 0000h (original name Type)
_Size:word; // SWORD ? ; 0002h (original name Size)
DeviceListHead:LIST_ENTRY ;// 0004h
slLock:cardinal; // DWORD ? ; 000Ch KSPIN_LOCK (original name Lock)
Busy:byte; // ? ; 0010h BOOLEAN
Padding:array [0..2] of byte; //db 3 dup(?); padding
end;
pKDEVICE_QUEUE=^KDEVICE_QUEUE;
KDPC=Record // ; sizeof = 020h
_Type:word ;// SWORD ? ; 0000h (IO_TYPE_DPC = 13h) (original name Type)
Number, // BYTE ? ; 0002h
Importance:BYTE; // ? ; 0003h
DpcListEntry:LIST_ENTRY; // ; 0004h
DeferredRoutine, //PVOID ? ; 000Ch
DeferredContext, // PVOID ? ; 0010h
SystemArgument1, // PVOID ? ; 0014h
SystemArgument2, // PVOID ? ; 0018h
pLock:pointer; // PVOID ? ; 001Ch (original Lock)
end;
pKDPC=^KDPC;
DISPATCHER_HEADER=record // ; sizeof = 010h
_Type,// BYTE ? ; 0000h DISP_TYPE_* (original name Type)
_Absolute, // BYTE ? ; 0001h
_Size, // BYTE ? ; 0002h (original name Size)
Inserted:byte ;// BYTE ? ; 0003h
SignalState:integer; // SDWORD ? ; 0004h
WaitListHead: LIST_ENTRY ;// ; 0008h
end;
pDISPATCHER_HEADER=^DISPATCHER_HEADER;
KEVENT=record // ; sizeof = 10h
Header:DISPATCHER_HEADER; //
end;
pKEVENT=^KEVENT;
FILE_OBJECT=record // ; sizeof = 070h
_Type, // SWORD ? ; 0000h IO_TYPE_FILE (original field name Type)
_Size:word; // SWORD ? ; 0002h (original name Size)
DeviceObject, // PVOID ? ; 0004h PTR DEVICE_OBJECT
Vpb, // PVOID ? ; 0008h PTR VPB
FsContext, // PVOID ? ; 000Ch
FsContext2, // PVOID ? ; 0010h
SectionObjectPointer,// PVOID ? ; 0014h PTR SECTION_OBJECT_POINTERS
PrivateCacheMap:pointer ;// PVOID ? ; 0018h
FinalStatus :integer ;// SDWORD ? ; 001Ch
RelatedFileObject :pointer; // PVOID ? ; 0020h PTR FILE_OBJECT
LockOperation ,// BYTE ? ; 0024h BOOLEAN
DeletePending ,// BYTE ? ; 0025h BOOLEAN
ReadAccess ,// BYTE ? ; 0026h BOOLEAN
WriteAccess , // BYTE ? ; 0027h BOOLEAN
DeleteAccess , // BYTE ? ; 0028h BOOLEAN
SharedRead , // BYTE ? ; 0029h BOOLEAN
SharedWrite , // BYTE ? ; 002Ah BOOLEAN
SharedDelete :byte;// BYTE ? ; 002Bh BOOLEAN
Flags :cardinal ;// DWORD ? ; 002Ch
FileName :pUNICODE_STRING ;// UNICODE_STRING ; 0030h   (inline 8-byte record)
CurrentByteOffset : LARGE_INTEGER ;// ; 0038h
Waiters,// DWORD ? ; 0040h
Busy :cardinal;// DWORD ? ; 0044h
LastLock :pointer ;// PVOID ? ; 0048h
_Lock,// KEVENT ; 004Ch (org name Lock)
Event: KEVENT ;// ; 005Ch
CompletionContext :pointer ;// PVOID ? ; 006Ch PTR IO_COMPLETION_CONTEXT
end;
pFILE_OBJECT=^FILE_OBJECT;
DEVICE_OBJECT =record //; sizeof = 0B8h
_Type:word ;// SWORD ? ; 0000h (IO_TYPE_DEVICE = 3) (original field name Type)
_Size:word ;// WORD ? ; 0002h (original name Size)
ReferenceCount:integer; // SDWORD ? ; 0004h
DriverObject, //PVOID ? ; 0008h PTR DRIVER_OBJECT
NextDevice, //PVOID ? ; 000Ch PTR DEVICE_OBJECT
AttachedDevice, // PVOID ? ; 0010h PTR DEVICE_OBJECT
CurrentIrp, // PVOID ? ; 0014h PTR IRP
Timer:pointer; // PVOID ? ; 0018h PTR IO_TIMER
Flags, // DWORD ? ; 001Ch DO_*
Characteristics:cardinal; // DWORD ? ; 0020h FILE_*
Vpb, // PVOID ? ; 0024h PTR VPB
DeviceExtension:pointer; // PVOID ? ; 0028h
DeviceType:cardinal; // DWORD ? ; 002Ch DEVICE_TYPE (FILE_DEVICE_* list above)
StackSize:byte; // BYTE ? ; 0030h
Padding:array [0..2] of byte; //db 3 dup(?); padding
Wcb:WAIT_CONTEXT_BLOCK ; //; 0034h
AlignmentRequirement:cardinal; //? ; 005Ch
DeviceQueue:KDEVICE_QUEUE ;// 0060h
Dpc:KDPC ; // ; 0074h
// ; The following field is for exclusive use by the filesystem to keep
// ; track of the number of Fsp threads currently using the device
ActiveThreadCount:cardinal ;//DWORD ? ; 0094h
SecurityDescriptor:pointer; // PVOID ? ; 0098h PSECURITY_DESCRIPTOR -- the ACL that decides who may open the device
DeviceLock:KEVENT ;// ; 009Ch
SectorSize, // ? ; 00ACh
Spare1:WORD ;// ? ; 00AEh
DeviceObjectExtension:pointer; // PVOID ? ; 00B0h PTR DEVOBJ_EXTENSION
Reserved :cardinal;// PVOID ? ; 00B4h
end;
pDEVICE_OBJECT=^DEVICE_OBJECT;
DRIVER_OBJECT=record // ; sizeof= 0A8h
_Type, // SWORD ? ; 0000h (IO_TYPE_DRIVER = 4) (original field name Type)
_Size:word ;// SWORD ? ; 0002h (original name Size; the transcription said 0004h, which is DeviceObject's offset)
// ; The following links all of the devices created by a single driver
// ; together on a list, and the Flags word provides an extensible flag
// ; location for driver objects.
DeviceObject:pointer ;// PVOID ? ; 0004h PTR DEVICE_OBJECT
Flags:cardinal ;//; DWORD ? ; 0008h
// ; The following section describes where the driver is loaded. The count
// ; field is used to count the number of times the driver has had its
// ; registered reinitialization routine invoked.
DriverStart:pointer ;// PVOID ? ; 000Ch
DriverSize:cardinal ;// DWORD ? ; 0010h
DriverSection, // PVOID ? ; 0014h
DriverExtension:pDRIVER_EXTENSION; // PVOID ? ; 0018h PTR DRIVER_EXTENSION
// ; The driver name field is used by the error log thread
// ; determine the name of the driver that an I/O request is/was bound.
DriverName:PUNICODE_STRING; // ; 001Ch   (inline 8-byte record)
// ; The following section is for registry support. Thise is a pointer
// ; to the path to the hardware information in the registry
HardwareDatabase:pPUNICODE_STRING ;// PVOID ? ; 0024h PTR UNICODE_STRING
// ; The following section contains the optional pointer to an array of
// ; alternate entry points to a driver for "fast I/O" support. Fast I/O
// ; is performed by invoking the driver routine directly with separate
// ; parameters, rather than using the standard IRP call mechanism. Note
// ; that these functions may only be used for synchronous I/O, and when
// ; the file is cached.
FastIoDispatch :pointer ; // PVOID ? ; 0028h PTR FAST_IO_DISPATCH
// ; The following section describes the entry points to this particular
// ; driver. Note that the major function dispatch table must be the last
// ; field in the object so that it remains extensible.
DriverInit, // PVOID ? ; 002Ch
DriverStartIo, //PVOID ? ; 0030h
DriverUnload:pointer; // PVOID ? ; 0034h
// Dispatch table indexed by IRP_MJ_*; a pointer outside the driver's own
// image range (DriverStart..DriverStart+DriverSize) is a classic hook indicator.
MajorFunction:array [0..IRP_MJ_MAXIMUM_FUNCTION] of pointer ;// PVOID (IRP_MJ_MAXIMUM_FUNCTION + 1) dup(?) ; 0038h
end;
pDRIVER_OBJECT=^DRIVER_OBJECT;
// SYSTEM_THREAD_INFORMATION as laid out after each SYSTEM_PROCESSES entry
// (64 bytes with 8-byte alignment of the LARGE_INTEGER fields).
SYSTEM_THREADS=record
KernelTime,UserTime,CreateTime: LARGE_INTEGER ;
WaitTime:cardinal;
StartAddress:pointer;
OwnerProcessId:cardinal;  // ClientId.UniqueProcess
ThreadId:Cardinal;        // ClientId.UniqueThread
Priority,BasePriority:cardinal;
ContextSwitchCount:cardinal;
State:cardinal;           // THREAD_STATE ordinal
WaitReason:cardinal;
end;
pSYSTEM_THREADS=^SYSTEM_THREADS;
// SYSTEM_PROCESS_INFORMATION (class 5) entry.  Entries are chained through
// NextEntryDelta (0 terminates); ThreadCount SYSTEM_THREADS records follow at
// offset $B8 (GetThreadInfo hard-codes that offset because this declaration,
// with its 24-byte IO_COUNTERS, is shorter than the native header).
type SYSTEM_PROCESSES=record
NextEntryDelta,ThreadCount:cardinal;
Reserved1:array [0..5] of cardinal;
CreateTime,UserTime,KernelTime:LARGE_INTEGER;
ProcessName:PUNICODE_STRING;  // inline record; pString points into the query buffer
BasePriority,ProcessId,InheritedFromProcessId,HandleCount:cardinal;
Reserved2:array [0..1] of cardinal;
VmCounters:VM_COUNTERS;
IoCounters:IO_COUNTERS;
//SYS THREADS
end;
pSYSTEM_PROCESSES=^SYSTEM_PROCESSES;
// advapi32 service records (SERVICE_STATUS 28 bytes, SERVICE_STATUS_PROCESS
// 36 bytes, ENUM_SERVICE_STATUS_PROCESS 44 bytes, ANSI variant).
SERVICE_STATUS=record
dwServiceType:cardinal;dwCurrentState:cardinal;dwControlsAccepted,
dwWin32ExitCode,dwServiceSpecificExitCode,dwCheckPoint,dwWaitHint:cardinal ;
end;
pSERVICE_STATUS=^SERVICE_STATUS;
SERVICE_STATUS_PROCESS =record
dwServiceType,dwCurrentState,dwControlsAccepted,dwWin32ExitCode,dwServiceSpecificExitCode,dwCheckPoint,dwWaitHint,dwProcessId,dwServiceFlags:cardinal;
end;
pSERVICE_STATUS_PROCESS=^SERVICE_STATUS_PROCESS;
ENUM_SERVICE_STATUS_PROCESS=record //
pServiceName,pDisplayName:pansichar;  // point into the buffer passed to EnumServicesStatusExA
SSP:SERVICE_STATUS_PROCESS ;
end;
pENUM_SERVICE_STATUS_PROCESS=^ENUM_SERVICE_STATUS_PROCESS;
// Section headers of a module, filled by GetPEHeader.
IMAGE_SECTIONS=array of IMAGE_SECTION_HEADER;
// Callback invoked once per enumerated item; the item itself is exposed
// through the matching Enumerated* property of the enumerating object.
eEnumKernel=procedure (var UserData) of object;
eEnumKernelType=(DeviceDrivers,Objects,Processes,Threads,Modules,ProcessObjects,ModuleImports,ModuleExports,ModuleResources);
// Object-manager directories EnumObjects knows how to open; Custom uses EnumCustomObjectType.
eEnumObjects=(Root,Devices,Drivers,BaseNamedObjects,Custom);
// Ring-0 copy stub; meant to be invoked through Ring0Int with the address of a
// TCopySMEM (see implementation).  Never call it directly with untrusted data.
function CopyMem0 (Param:cardinal):cardinal; stdcall;
function CreateDIBSection (hDc:cardinal;BmpINFOHEADER:pointer;p1,p2,p3,p4:cardinal):cardinal;stdcall;external 'gdi32.dll';
// PE walkers.  Callbacks (CExports/CImports) receive UserData/UserData2 untouched.
function ImportTable (MAddress:cardinal;var UserData,UserData2):cardinal;
function ExportTable (MAddress:cardinal;var UserData,UserData2):cardinal;
function ResourceTable (MAddress:Cardinal;var UserData,UserData2):cardinal;
//function ResourceDirectory (MAddress,ResSection:Cardinal;ResLast:cardinal;RDIR:pIMAGE_RESOURCE_DIRECTORY; var UserData,UserData2;var pRES:RESOURCE_BY_MODULE;var CNextData:cardinal):cardinal; stdcall;
function ResourceDirectory (MAddress,ResSection:Cardinal;RDIR:pIMAGE_RESOURCE_DIRECTORY; var UserData,UserData2;var pRES:RESOURCE_BY_MODULE;var CNextData:cardinal):cardinal; stdcall;
function CExports (MName:pansichar;FName:pansichar;Ord,Address:cardinal;var UserData,UserData2):cardinal; stdcall;
function CImports(IAT,FuncAdr:pointer;FunctionNameOrOrdinal:cardinal;ModuleName:pansichar;var UserData,UserData2):cardinal;stdcall;
// Service Control Manager (ANSI).  CreateServiceA takes the account password
// in clear text, as the API does; callers should pass nil unless a specific
// account is really required (a kernel driver service has none).
function OpenSCManagerA(MachineName,DataBaseName:pansichar;Access:cardinal):cardinal;stdcall;external 'advapi32.dll';
function CloseServiceHandle(SCHandle:cardinal):cardinal;stdcall;external 'advapi32.dll';
function OpenServiceA (SCHandle:cardinal;ServiceName:pansichar;Access:cardinal):cardinal;stdcall;external 'advapi32.dll';
function CreateServiceA (SCHandle:cardinal;ServiceName,DisplayName:pansichar;Access,ServiceType,StartType,
ErrorControl:cardinal;BinaryPathName,LoadOrderGroup:pansichar;TagId:cardinal;Dependencies,ServiceStartName,Password:pansichar):cardinal;stdcall;external 'advapi32.dll';
function StartServiceA (SHandle,ArgCount:cardinal;Args:pointer):longbool;stdcall;external 'advapi32.dll';
function DeleteService (SHandle:cardinal):longbool;stdcall;external 'advapi32.dll';
function ControlService (SHandle,Control:cardinal;Var SVR_status:SERVICE_STATUS):longbool;stdcall;external 'advapi32.dll';
function QueryServiceStatus (SHandle:cardinal;var SVR_status:SERVICE_STATUS):longbool;stdcall;external 'advapi32.dll';
function EnumServicesStatusExA (SCHandle,InfoLevel,dServiceType,dServiceState:cardinal;bfrServices:pointer;
bfrLength:cardinal;var BytesNeeded,ServiceReturned,ResumeHandle:cardinal;GroupName:pansichar):longbool;stdcall;external 'advapi32.dll';
// Native API.  Return values are NTSTATUS: 0 is success, $C0000004 means the
// buffer was too small (and the var length then holds the size needed).
function NtQueryInformationProcess(HProcess,ClassInfo:cardinal;Buffer:pointer;BufferLength:cardinal;var requiredLen:cardinal) : cardinal ; stdcall; external 'ntdll.dll';
function NtQuerySystemInformation(ClassInfo:cardinal;Buffer:pointer;BufferLength:cardinal;var requiredLen:cardinal) : cardinal ; stdcall; external 'ntdll.dll';
function NtOpenDirectoryObject(var DirHandle;access_mask:cardinal;pObject:pOBJECT_ATTRIBUTES):cardinal; stdcall;external 'ntdll.dll';
function NtQueryDirectoryObject (DirHandle:cardinal;Buffer:pointer;BufferLength,GetNextIndex,IgnoreInputIndex:cardinal;var ObjectIndex;var Bufferlen):cardinal; stdcall;external 'ntdll.dll';
// ring0provider.dll -- the privileged half of the tool (source not provided).
// Everything below is an arbitrary read of any process' or the kernel's memory
// (CopyKMemory/CCopyMemory/FindPMemory), or arbitrary code at ring 0
// (Ring0Int, presumably through the IDT gate EnableInt60Gate installs).  An
// IDT gate is machine-wide: while it is installed, any process on the box
// that can execute int 60h gets the same primitive, so treat the process
// hosting this unit as root-equivalent and never leave the gate enabled
// longer than needed.  Whether the DLL/driver validates its arguments is not
// visible here -- IsRangeValid/IsAddressValid are offered as separate calls,
// which means the check and the copy are not atomic.
function IsRangeValid(Pid:integer;Address:pointer;size:integer):cardinal;stdcall;external 'ring0provider.dll';
function IsAddressValid (PID,Address:cardinal):cardinal;stdcall;external 'ring0provider.dll' ;
function GetSys:pointer;stdcall;external 'ring0provider.dll';
function CCopyMemory(Destination,Source:Pointer;mLength:cardinal) : cardinal ; stdcall; external 'ring0provider.dll' name 'CopyMemory';
function QueryString(Pid:cardinal;Address:Pointer;nType:cardinal) : cardinal ; stdcall; external 'ring0provider.dll';
function TestModuleData(Pid:cardinal;Address:Pointer) : EnumerateModuleTypeExport ; stdcall; external 'ring0provider.dll';
function FindPMemory (Pid:cardinal;SearchBuffer:pointer;len:integer;StartAddress:pointer):pointer; stdcall;external 'ring0provider.dll' name 'SearchProcessMemory';
function Dasm(Buffer,BaseAddress:cardinal;OutBuffer:pointer;var DisAsmStruct;
DisAsmOption:cardinal) : cardinal ; stdcall; external 'disasm.dll' name 'DisAssemble';
function QueryObj(Pid,Handle,ClassInfo:cardinal;Buffer:pointer;BufferLength:cardinal):cardinal; stdcall ;external 'ring0provider.dll';
function QueryThread(Pid,Tid:cardinal):pointer;stdcall;external 'ring0provider.dll';
//function EnumImports(Pid:cardinal;PHandle,Buffer:pointer;BufferLength:cardinal):cardinal ;stdcall;external 'ring0provider.dll';
function GetDeviceObjectPointer (DeviceName:pansichar;pDevObjs:pointer):longbool;stdcall;external 'ring0provider.dll';
function InitializeDriver:boolean ;stdcall ; external 'ring0provider.dll';
procedure UninitializeDriver ;stdcall ; external 'ring0provider.dll';  // never called from the classes in this unit
function GetSystemStartAddress:cardinal ;stdcall;external 'ring0provider.dll';
function CopyKMemory (Pid:cardinal;sourceBuffer:POINTER;length:cardinal;destination:pointer):cardinal; stdcall;external 'ring0provider.dll' name 'CopyProcessMemory';
function GetEThreadAddress (Tid:cardinal):pointer; stdcall;external 'ring0provider.dll' ;
function GetEProcessAddress (Pid:cardinal):pointer; stdcall;external 'ring0provider.dll' ;
procedure DereferenceEObject (pObj:pointer); stdcall;external 'ring0provider.dll';
procedure EnableInt60Gate(); stdcall; external 'ring0provider.dll' name 'EnableInt60Gate';
function Ring0Int(FAddress:Pointer;Param:cardinal) : cardinal ; stdcall; external 'ring0provider.dll' name 'Ring0Int';
// ToolHelp.  NOTE(review): the record parameters are declared 'const' but the
// API writes into them; it works because Delphi passes large const records by
// reference, but 'var' states the contract honestly.
function CreateToolhelp32Snapshot (dwFlag,th32ProcessID:cardinal):cardinal; stdcall ; external 'kernel32.dll';
function Process32First (hSnapshot:cardinal;const uProcess:PROCESSENTRY32):cardinal;stdcall; external 'kernel32.dll';
function Process32Next (hSnapshot:cardinal;const uProcess:PROCESSENTRY32):cardinal;stdcall; external 'kernel32.dll';
function Thread32First (hSnapshot:cardinal;const uThread:THREADENTRY32):cardinal;stdcall; external 'kernel32.dll';
function Thread32Next (hSnapshot:cardinal;const uThread:THREADENTRY32):cardinal;stdcall; external 'kernel32.dll';
function Module32First (hSnapshot:cardinal;const uThread:MODULEENTRY32):cardinal;stdcall; external 'kernel32.dll';
function Module32Next (hSnapshot:cardinal;const uThread:MODULEENTRY32):cardinal;stdcall; external 'kernel32.dll';
function OpenThread (dwAccess:cardinal;bInheritHandle:longbool;dwThreadId:cardinal):cardinal;stdcall; external 'kernel32.dll';
// Base of every driver-backed class: the constructor loads the ring-0 side
// (InitializeDriver) and, on success, installs the int 60h gate.  There is no
// destructor, so neither UninitializeDriver nor any gate teardown is ever
// invoked from this hierarchy -- the privileged state outlives the objects.
type TBaseDriverLoader=class
IsInit:BOOLEAN;  // default (published/public) visibility: writable by anyone -- should be private
public
constructor Create;
property DriverInitialized:boolean read IsInit;
end;
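// Thin wrapper over the Service Control Manager: open/create/start/stop/delete
// a service (used to install the kernel driver) and enumerate services.
// Method bodies are not in this part of the unit.
type TServiceManager=class
private
hServiceManager,hService:cardinal;   // SCM / service handles; 0 when not open
SvrName:string;
EnPrc:pENUM_SERVICE_STATUS_PROCESS;  // entry currently being reported by EnumServices; valid only inside the callback
kd:eEnumKernel;                      // per-service callback
private
function GetSvc(var SStatus:SERVICE_STATUS):longbool;
public
constructor Create;
// 'override' added: without it TObject.Free/Destroy never reach this
// destructor, so whatever cleanup it performs (closing the two handles,
// presumably) was skipped for every instance released through Free.
destructor Destroy; override;
function OpenService(ServiceName:pansichar):longbool;
function CreateService(ServiceName,FullServicePath:pansichar;ServiceType:SERVICE_TYPES;ServiceStart:SERVICE_START):longbool;
function StartService(Args:pointer;ArgsCount:cardinal):longbool;
function DeleteService:longbool;
property ServiceName:string read SvrName;
property ServiceState[var SStatus:SERVICE_STATUS]:longbool read GetSvc;
function StopService:longbool;
function PauseService:longbool;
function ContinueService:longbool;
function EnumServices(var UserData):longbool;
property EnumNotification:eEnumKernel read kd write kd;
property EnumeratedService:pENUM_SERVICE_STATUS_PROCESS read EnPrc;
end;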
// Kernel-side enumerations (drivers, object directories, processes, handles,
// modules, PE tables) delivered through EnumNotification.  Each Enumerated*
// property points into a buffer the enumeration owns; the visible
// implementations free that buffer when they return, so the pointers are
// valid only for the duration of the callback.
type TKernelEnums=class (TBaseDriverLoader)
private
kd:eEnumKernel;
kdType:eEnumKernelType;  // which enumeration is currently calling back
pCustomName:pWideChar;   // directory path used by EnumObjects(Custom, ...)
pKernelDrv:pSYSTEM_MODULE_INFORMATION_ENTRY;
pKernelObj:pPUNICODE_STRING;
pKernelObjType:pPUNICODE_STRING;
pProcessObj:pSYSTEM_HANDLE_INFORMATION;
pProcess:pSYSTEM_PROCESSES;
pThread:pSYSTEM_THREADS;
pModule:pLDR_MODULE;
pImports:pIMPORT_BY_MODULE;
pExports:pEXPORT_BY_MODULE;
pResources:pRESOURCE_BY_MODULE;
pResObj:longbool;
pExpBase:cardinal;
iBfr:pointer;
protected
// Snapshot of SystemProcessInformation; GetProcessInfo releases the result
// with GlobalFree, so it must be GlobalAlloc'ed (body not visible here).
function QueryProcesses:pointer;
function QueryModule(PID: cardinal;BaseAddress: pointer; Length: cardinal):pointer;
public
property EnumNotification:eEnumKernel read kd write kd;
procedure EnumKernelDrivers(var UserData);
procedure EnumObjects(ObjEnumType:eEnumObjects;var UserData);
procedure EnumProcesses(var UserData);
//procedure EnumThreads(var UserData);virtual; //TOOLHELP removed
procedure EnumModules(PID:cardinal;var UserData);
procedure EnumProcessesObjects(var UserData);
function EnumModuleData(EnumData:EnumerateModuleType;PID:cardinal;BaseAddress:pointer;Length:cardinal;var UserData):cardinal;
function ModuleData(PID: cardinal; BaseAddress: pointer): EnumerateModuleTypeExport; virtual;
property EnumeratedDriver:pSYSTEM_MODULE_INFORMATION_ENTRY read pKernelDrv;
property EnumeratedObject:pPUNICODE_STRING read pKernelObj;
property EnumeratedObjectType:pPUNICODE_STRING read pKernelObjType;
property EnumeratedProcess:pSYSTEM_PROCESSES read pProcess;
property EnumeratedThread:pSYSTEM_THREADS read pThread;
property EnumeratedModule:pLDR_MODULE read pModule;
property EnumeratedProcessObject:pSYSTEM_HANDLE_INFORMATION read pProcessObj;
property EnumeratedImport:pIMPORT_BY_MODULE read pImports;
property EnumeratedExport:pEXPORT_BY_MODULE read pExports;
property EnumeratedResource:pRESOURCE_BY_MODULE read pResources;
property EnumCustomObjectType:pWideChar read pCustomName write pCustomName;
property EnumType:eEnumKernelType read kdType;
property EnumResourcesCreateObject:longbool read pResObj write pResObj;
// Reads the target's PEB/command line through the driver (32-bit offsets).
function GetProcessInfo(Pid:cardinal;var sProcess:SYSTEM_PROCESSES;var ProcessName,StartParam:widestring):longbool;virtual;
function GetThreadInfo (Pid,Tid:cardinal;var sThread:SYSTEM_THREADS):longbool; virtual;
// NOTE(review): these two methods share their names with the ring0provider
// imports declared above; inside their bodies an unqualified call resolves to
// the method, so the implementation must use 'vfpower.GetEProcessAddress' (or
// similar) to reach the DLL without recursing.
function GetEProcessAddress (Pid:cardinal):pointer ;virtual;
function GetEThreadAddress (Tid:cardinal):pointer ;virtual;
function GetObjectInformation(Pid, Handle: cardinal;var ObjectName:widestring;var ObjectType:widestring):boolean;
function GetPEHeader (Pid:cardinal;BaseAddress:cardinal;var _NT_HEAD:IMAGE_NT_HEADERS;var _SEC_HEAD: IMAGE_SECTIONS ):longbool;
// Copies DEVICE_OBJECT/DRIVER_OBJECT/DRIVER_EXTENSION out of kernel memory;
// the layouts are the 32-bit NT4/2000 ones declared above.
function GetDeviceInfo (DeviceName:pansichar;var DevObj:DEVICE_OBJECT;var DrvObj:DRIVER_OBJECT;var DrvExt:DRIVER_EXTENSION;var DrvName,ServiceName:widestring):longbool;
function GetDeviceInfoFromPtr(pDevice: pointer;var DevObj: DEVICE_OBJECT; var DrvObj: DRIVER_OBJECT;var DrvExt: DRIVER_EXTENSION; var DrvName,ServiceName: widestring): longbool;
destructor Destroy; override;
end;
{ TDisassembler }
// Streaming front end over disasm.dll for the memory of process Pid: set
// Address, call DisAssemble, read Analyze; AutoIncrement advances Address by
// the decoded instruction length.  ReadMem is virtual so a subclass can
// substitute the driver-backed reader.  No destructor: holds no resources.
TDisassembler=class
private
PCurAdr:pointer;        // current decode address in the target
Pid:cardinal;
Opt:cardinal;           // DisAsmOption passed through to Dasm
AutoInc:boolean;
pDisasmAnalyze:DisAsm;  // last decoded instruction
public
function ReadMem (FromAdr,Buffer:pointer;bLen:cardinal):cardinal ;virtual;
constructor Create (Pid:cardinal);
property Address:pointer read PCurAdr write PCurAdr ;
property Analyze:DisAsm read pDisasmAnalyze;
property Option:cardinal read Opt write Opt ;
property AutoIncrement:boolean read AutoInc write AutoInc;
function MoveNext (InstructionNumber:cardinal):pointer; // returns the address of the instruction it moved to
function MoveLast (InstructionNumber:cardinal):pointer;
function DisAssemble (Output:pointer;var OutputLength:cardinal) :boolean;
end;
{ TPowerMemory }
// Driver-backed reader/searcher for the address space of one process (Pid),
// kernel space included.  Construction fails if the driver is not up.
type TPowerMemory=class(TBaseDriverLoader)
private
KAddressBegin:cardinal;  // start of system space as reported by GetSystemStartAddress
Pid:cardinal;
public
constructor Create (PID:cardinal); virtual;
destructor Destroy; override;
property FirstSystemAddress:cardinal read KAddressBegin;
// Copies 'length' bytes from SourceAddress in Pid into Destination (caller's
// buffer) after an IsRangeValid probe; returns the driver's result code.
function GetMemory (Destination,SourceAddress:pointer;length:cardinal):cardinal;
// Byte-pattern search in Pid starting at StartAddress; nil when not found (driver semantics).
function SearchForString (StartAddress:pointer;Pattern:string):pointer;
end;
// Unit-level mutable state shared by every instance.  BI in particular is read
// by GetProcessInfo but is filled in elsewhere (not visible here), so it
// reflects whichever process was last queried into it; nothing guards these
// against concurrent use from several threads.
var
cpHandle,bMLen:cardinal;
BI:PROCESS_BASIC_INFORMATION;
implementation
// Raw memory copy intended to be run through the int 60h gate (Ring0Int),
// i.e. presumably at ring 0.  Param is the address of a TCopySMEM
// {Destination, Source, length}.  Nothing is validated here: a bad pointer at
// ring 0 is a bugcheck, and a caller-controlled TCopySMEM makes this an
// arbitrary kernel read/write primitive -- it must only ever be reached
// through the driver's range checks (IsRangeValid) on trusted arguments.
// Returns: whatever EAX holds at the end, i.e. Param itself (Result is never
// assigned explicitly).  Clobbers ECX/EDX; ESI/EDI are preserved.
function CopyMem0 (Param:cardinal):cardinal;
asm
push esi
push edi
mov eax,dword ptr [Param]   // EAX = address of the TCopySMEM
mov edi,dword ptr [eax]     // EDI = Destination
mov esi,dword ptr [eax+4]   // ESI = Source
mov ecx,dword ptr [eax+8]   // ECX = byte count
mov edx,ecx                 // keep the byte count for the tail
shr ecx,2
rep movsd                   // whole dwords first (relies on DF being clear, the usual ABI state)
mov ecx,edx
and ecx,3
rep movsb                   // remaining 0..3 bytes
pop edi
pop esi
end;
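// Loads the ring-0 side and, only if that worked, installs the int 60h gate.
// Sets IsInit (exposed as DriverInitialized) so subclasses can refuse to work
// without the driver.  Adds the conventional 'inherited Create' and drops the
// no-op boolean cast.  NOTE(review): an IDT gate is machine-wide, so while it
// is installed every process that can execute int 60h shares the privilege --
// and nothing in this class ever calls UninitializeDriver to take it down.
constructor TBaseDriverLoader.Create;
begin
  inherited Create;
  IsInit := InitializeDriver;
  if IsInit then
    EnableInt60Gate;
end;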
/////////////////////////////////////////////////
// Binds the reader to process PID.  Raises if the base class could not bring
// the driver up (a reader that cannot read is worse than no reader), then
// caches the start of system space for FirstSystemAddress.
constructor TPowerMemory.Create(PID: cardinal);
begin
  inherited Create;
  if DriverInitialized then
  begin
    Self.Pid := PID;
    KAddressBegin := GetSystemStartAddress;
  end
  else
    raise Exception.Create('Driver not initialized');
end;
// Nothing to release: Pid and KAddressBegin are plain values.  Note that the
// driver/int 60h gate set up by TBaseDriverLoader.Create are not torn down
// here either (no UninitializeDriver call anywhere in this class chain).
destructor TPowerMemory.Destroy;
begin
  inherited Destroy;
end;
////////////////////////////////////////////////////////////
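// Reports every loaded kernel module (SystemModuleInformation, class 11) to
// EnumNotification; EnumeratedDriver points at the current entry during the
// callback and is reset to nil afterwards, since the buffer is freed here.
// Fixes: the NTSTATUS of both queries was ignored (a failed second call --
// e.g. a driver loaded between the size probe and the real query -- walked
// uninitialised memory), the walk was bounded only by the kernel-supplied
// count, not by the buffer, and the '<>' operators were lost from the listing.
procedure TKernelEnums.EnumKernelDrivers(var UserData);
const
  SystemModuleInformation = 11;
  STATUS_INFO_LENGTH_MISMATCH = $C0000004;
  MaxBufLen = 64 * 1024 * 1024;   // sanity cap; the module list is a few hundred KB
var
  Buf: pointer;
  BufLen, ReqLen, Status, Probe: cardinal;
  Count, BufEnd: cardinal;
  Entry: pSYSTEM_MODULE_INFORMATION_ENTRY;
begin
  if not assigned(KD) then Exit;
  Buf := nil;
  BufLen := 0;
  ReqLen := 0;
  try
    // Size probe with a deliberately tiny buffer, then retry until the kernel
    // accepts what we offer (the list may grow between calls).
    Status := NtQuerySystemInformation(SystemModuleInformation, addr(Probe), sizeof(Probe), ReqLen);
    while Status = STATUS_INFO_LENGTH_MISMATCH do
    begin
      if ReqLen <= BufLen then ReqLen := BufLen + 4096;   // no usable hint: grow anyway
      if ReqLen > MaxBufLen then Exit;
      if Buf <> nil then
      begin
        FreeMem(Buf);
        Buf := nil;
      end;
      BufLen := ReqLen;
      GetMem(Buf, BufLen);
      Status := NtQuerySystemInformation(SystemModuleInformation, Buf, BufLen, ReqLen);
    end;
    if (Status <> 0) or (Buf = nil) or (BufLen < sizeof(cardinal)) then Exit;
    if (ReqLen = 0) or (ReqLen > BufLen) then ReqLen := BufLen;   // bytes actually filled
    Count := cardinal(Buf^);                                   // leading ULONG: number of entries
    Entry := pointer(cardinal(Buf) + sizeof(cardinal));
    BufEnd := cardinal(Buf) + ReqLen;
    kdType := DeviceDrivers;
    // Bound by the buffer as well as by Count so a short or inconsistent
    // reply can never make us read past what we own.
    while (Count <> 0) and (cardinal(Entry) + sizeof(SYSTEM_MODULE_INFORMATION_ENTRY) <= BufEnd) do
    begin
      pKernelDrv := Entry;
      KD(UserData);
      Entry := pointer(cardinal(Entry) + sizeof(SYSTEM_MODULE_INFORMATION_ENTRY));
      dec(Count);
    end;
  finally
    pKernelDrv := nil;   // never leave EnumeratedDriver dangling into freed memory
    if Buf <> nil then FreeMem(Buf);
  end;
end;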
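// Reports every handle in the system (SystemHandleInformation, class $10) to
// EnumNotification; EnumeratedProcessObject points at the current 16-byte
// entry during the callback and is nil afterwards.
// Fixes: the "required length" returned by the first probe is only a hint for
// this class (and stale by the time we call again) -- the buffer now grows
// until the call succeeds; the walk is bounded by both the entry count in the
// buffer and the bytes actually returned, not by a bare pointer compare; the
// goto/label cleanup is a try/finally; and the operators the listing lost
// ('<>', '<cMax do begin') are restored.
procedure TKernelEnums.EnumProcessesObjects(var UserData);
const
  SystemHandleInformation = $10;
  STATUS_INFO_LENGTH_MISMATCH = $C0000004;
  MaxBufLen = 64 * 1024 * 1024;
var
  Buf: pointer;
  BufLen, RetLen, Status: cardinal;
  Count, BufEnd: cardinal;
  Entry: pSYSTEM_HANDLE_INFORMATION;
begin
  if not assigned(KD) then Exit;
  kdType := ProcessObjects;
  Buf := nil;
  BufLen := $100;
  RetLen := 0;
  try
    GetMem(Buf, BufLen);
    Status := NtQuerySystemInformation(SystemHandleInformation, Buf, BufLen, RetLen);
    while Status = STATUS_INFO_LENGTH_MISMATCH do
    begin
      if RetLen > BufLen then BufLen := RetLen + 4096 else BufLen := BufLen * 2;
      if BufLen > MaxBufLen then Exit;
      FreeMem(Buf);
      Buf := nil;
      GetMem(Buf, BufLen);
      Status := NtQuerySystemInformation(SystemHandleInformation, Buf, BufLen, RetLen);
    end;
    if (Status <> 0) or (BufLen < sizeof(cardinal)) then Exit;
    if (RetLen = 0) or (RetLen > BufLen) then RetLen := BufLen;
    Count := cardinal(Buf^);                                // leading ULONG: NumberOfHandles
    Entry := pointer(cardinal(Buf) + sizeof(cardinal));
    BufEnd := cardinal(Buf) + RetLen;
    while (Count <> 0) and (cardinal(Entry) + sizeof(SYSTEM_HANDLE_INFORMATION) <= BufEnd) do
    begin
      pProcessObj := Entry;   // note: Entry.ProcessId carries CreatorBackTraceIndex in its high word
      KD(UserData);
      Entry := pointer(cardinal(Entry) + sizeof(SYSTEM_HANDLE_INFORMATION));
      dec(Count);
    end;
  finally
    pProcessObj := nil;
    if Buf <> nil then FreeMem(Buf);
  end;
end;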
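// Enumerates one object-manager directory ('\', '\Device', '\Driver',
// '\BaseNamedObjects' or EnumCustomObjectType) one entry at a time through
// NtQueryDirectoryObject.  During each callback EnumeratedObject /
// EnumeratedObjectType point at the entry's Name / TypeName UNICODE_STRINGs;
// both are nil afterwards.  Access is DIRECTORY_QUERY or READ_CONTROL, so the
// kernel's ACL on the directory decides what can be listed; a failed open
// simply reports nothing.
// Fixes: the NTSTATUS of NtOpenDirectoryObject is now checked rather than
// inferred from the handle value; the name length is computed with lstrlenW
// and rejected if it does not fit the 16-bit UNICODE_STRING fields; the
// attributes/name live on the stack instead of two heap allocations that
// leaked if the callback raised; the buffer and handle are released in a
// try/finally; and the '<>' operators the listing lost are restored.
procedure TKernelEnums.EnumObjects(ObjEnumType: eEnumObjects; var UserData);
const
  OBJ_CASE_INSENSITIVE = $40;
  DIRECTORY_OPEN_ACCESS = $20001;   // READ_CONTROL or DIRECTORY_QUERY (same mask as before)
  QueryBufLen = 32768;
var
  DirAttr: OBJECT_ATTRIBUTES;
  DirName: PUNICODE_STRING;         // the 8-byte record (see the type's note)
  HDir: cardinal;
  Buf: pointer;
  RetLen, Context: cardinal;
  Path: pWideChar;
  NameBytes: cardinal;
begin
  if not assigned(KD) then Exit;
  case ObjEnumType of
    Root:             Path := '\';
    Devices:          Path := '\Device';
    Drivers:          Path := '\Driver';
    BaseNamedObjects: Path := '\BaseNamedObjects';
    Custom:           Path := pCustomName;
  else
    raise Exception.Create('Unknown Enumeration Object Type');
  end;
  kdType := Objects;
  if Path = nil then Exit;                     // Custom without a name set
  NameBytes := cardinal(lstrlenW(Path)) * sizeof(WideChar);
  if (NameBytes = 0) or (NameBytes > $FFFE) then Exit;   // would not fit StrLen/MaxLen (word)
  DirName.StrLen := NameBytes;
  DirName.MaxLen := NameBytes + sizeof(WideChar);
  DirName.pString := Path;
  ZeroMemory(@DirAttr, sizeof(DirAttr));
  DirAttr.Length := sizeof(DirAttr);
  DirAttr.pObjectName := @DirName;
  DirAttr.Attributes := OBJ_CASE_INSENSITIVE;
  HDir := 0;
  if (NtOpenDirectoryObject(HDir, DIRECTORY_OPEN_ACCESS, @DirAttr) <> 0) or (HDir = 0) then Exit;
  GetMem(Buf, QueryBufLen);
  try
    Context := 0;
    // ReturnSingleEntry=1, RestartScan=0: Context is the cursor the kernel
    // advances for us.  Each reply is one OBJECT_DIRECTORY_INFORMATION, i.e.
    // Name followed by TypeName; any status other than success ends the walk
    // (STATUS_NO_MORE_ENTRIES in the normal case).
    while NtQueryDirectoryObject(HDir, Buf, QueryBufLen, 1, 0, Context, RetLen) = 0 do
    begin
      pKernelObj := Buf;
      pKernelObjType := pointer(cardinal(Buf) + sizeof(PUNICODE_STRING));
      KD(UserData);
    end;
  finally
    pKernelObj := nil;
    pKernelObjType := nil;
    FreeMem(Buf);
    CloseHandle(HDir);
  end;
end;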
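function TPowerMemory.GetMemory(Destination, SourceAddress: pointer;
  length: cardinal): cardinal;
{ Copies `length` bytes from SourceAddress in process Pid into Destination
  through the driver's CopyKMemory.  Returns CopyKMemory's result, or 0 when
  the driver's IsRangeValid rejects the source range (previously the result
  was left undefined on that path). }
begin
  result := 0;
  // IsRangeValid gates the kernel-side read; 0 means the range must not be touched.
  if IsRangeValid(self.Pid, SourceAddress, length) = 0 then exit;
  result := CopyKMemory(self.Pid, SourceAddress, length, Destination);
end;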
function TPowerMemory.SearchForString(StartAddress: pointer;
  Pattern: string): pointer;
{ Scans process Pid's memory from StartAddress for the raw bytes of Pattern
  with the driver's FindPMemory and returns the address it reports.  An empty
  Pattern is passed as a nil pointer with length 0, exactly as before. }
var
  needle: pointer;
  needleLen: integer;
begin
  needle := pointer(Pattern);
  needleLen := length(Pattern);
  result := FindPMemory(self.Pid, needle, needleLen, StartAddress);
end;
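function TKernelEnums.GetProcessInfo(Pid: cardinal; var sProcess: SYSTEM_PROCESSES;
  var ProcessName, StartParam: widestring): longbool;
{ Looks Pid up in a fresh SystemProcessInformation snapshot (QueryProcesses).
  On a hit: copies its SYSTEM_PROCESSES record into sProcess, re-points
  sProcess.ProcessName.pString at the ProcessName widestring (the snapshot is
  freed before return), tries to fetch the target's command line into
  StartParam, and returns true.  Returns false when Pid is not found or the
  snapshot could not be allocated.  StartParam is left untouched when the
  command line cannot be read.  The snapshot is released on every path. }
var
  BFR: pointer;
  x: cardinal;
  sPRC: pSYSTEM_PROCESSES;
  PebOuts: cardinal;
  PmLen: cardinal;
begin
  result := false;
  BFR := QueryProcesses;
  if BFR = nil then exit;   // allocation failed; nothing to walk
  try
    x := 0;
    while TRUE do begin
      sPRC := pointer(cardinal(BFR) + x);
      if sPRC.ProcessId = Pid then begin
        ProcessName := widestring(sPRC.ProcessName.pString);
        CopyMemory(addr(sProcess), sPRC, sizeof(SYSTEM_PROCESSES));
        sProcess.ProcessName.pString := pointer(ProcessName);
        // NOTE(review): BI.PebBaseAddress is *this* process's PEB address
        // (read in the unit's initialization) reused as the PEB address of
        // Pid.  That only holds where the PEB is mapped at the same address in
        // every process; confirm for the targeted Windows versions.
        // Offsets used: PEB+$10 = ProcessParameters,
        // RTL_USER_PROCESS_PARAMETERS+$44 = CommandLine.Buffer (x86).
        if IsAddressValid(Pid, cardinal(BI.PebBaseAddress) + 16) <> 0 then begin
          CopyKMemory(Pid, pointer(cardinal(BI.PebBaseAddress) + 16), 4, addr(PebOuts));
          if IsAddressValid(Pid, PebOuts + 68) <> 0 then begin
            CopyKMemory(Pid, pointer(PebOuts + 68), 4, addr(PebOuts));
            // The value QueryString(...,1) returns is treated as a byte count.
            PmLen := QueryString(Pid, pointer(PebOuts), 1);
            if PmLen <> 0 then begin
              setLength(StartParam, PmLen div 2);
              CopyKMemory(Pid, pointer(PebOuts), PmLen, pointer(StartParam));
            end;
          end;
        end;
        result := true;
        break;
      end;
      if sPRC.NextEntryDelta = 0 then break;
      inc(x, sPRC.NextEntryDelta);
    end;
  finally
    GlobalFree(cardinal(BFR));
  end;
end;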
function TKernelEnums.GetThreadInfo(Pid, Tid: cardinal;
var sThread: SYSTEM_THREADS): longbool;
{ Finds thread Tid of process Pid in a fresh SystemProcessInformation snapshot
  (QueryProcesses) and copies its SYSTEM_THREADS record into sThread.
  Returns false when the process or the thread is not found.  The snapshot
  buffer is freed before returning.
  NOTE(review): the inner loop header on the "while y" line lost its
  condition in the extraction of this page; restore it from the original
  source before building. }
label oOut;
var
BFR:pointer;
x,y:cardinal;
sPRC:pSYSTEM_PROCESSES;
sTHR:pSYSTEM_THREADS;
begin
result:=false;
bfr:=QueryProcesses;
x:=0;
while TRUE do begin
sPRC:=pointer(cardinal(bfr)+x);
if sPRC.ProcessId=Pid then begin
// The thread array follows the fixed part of the process entry ($b8 bytes on x86).
sTHR:= pointer(cardinal(pointer(sPRC))+$b8); //set the address
y:=1;
while y if sTHR.ThreadId=Tid then begin
CopyMemory(addr(sThread),sTHR,sizeof (SYSTEM_THREADS));
result:=true;goto oOut;
end;
sTHR:=pointer(cardinal(sTHR)+sizeof(SYSTEM_THREADS));
inc(y);
end;
end;
if sPRC.NextEntryDelta=0 then break;
inc (x,sPRC.NextEntryDelta);
end;
oOut:
GlobalFree(cardinal(bfr));
end;
procedure TKernelEnums.EnumProcesses(var UserData);
{ Walks a fresh SystemProcessInformation snapshot (QueryProcesses): for every
  process fires kd with kdType=Processes and pProcess pointing at its entry,
  then for each of its threads fires kd with kdType=Threads and pThread
  pointing at the SYSTEM_THREADS record.  Both pointers refer into the
  snapshot buffer, which is freed before this returns.  Unlike the other
  Enum* methods, kd is checked per call rather than once up front.
  NOTE(review): the inner loop header on the "while y" line lost its
  condition in the extraction of this page; restore it from the original
  source before building. }
var
BFR:pointer;
x,y:cardinal;
begin
bfr:=QueryProcesses;
x:=0;
while TRUE do begin
pProcess:=pointer(cardinal(bfr)+x);
kdType:=Processes;
if assigned(kd) then kd(UserData);
// The thread array follows the fixed part of the process entry ($b8 bytes on x86).
pThread:= pointer(cardinal(pointer(pProcess))+$b8); //set the address
y:=1;
while y kdType:=Threads;
if assigned(kd) then kd(UserData);
pThread:=pointer(cardinal(pThread)+sizeof(SYSTEM_THREADS));
inc(y);
end;
if pProcess.NextEntryDelta=0 then break;
inc (x,pProcess.NextEntryDelta);
end;
GlobalFree(cardinal(bfr));
end;
//TOOLHELP--- izbacio..
//procedure TKernelEnums.EnumProcesses(var UserData);
//var
//TH:cardinal;
//tRet:cardinal;
//begin
//if not assigned(KD) then exit;
//TH:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
//pProcess.dwSize:=sizeof (PROCESSENTRY32);
//tRet:=Process32First(TH,pProcess);
//while boolean(tRet) do begin
//kdType:=Processes;
//kd(UserData);
//tRet:=Process32Next(TH,pProcess);
//end;
//CloseHandle(TH);
//end;
//TOOLHELP--- izbacio..
//procedure TKernelEnums.EnumThreads(var UserData);
//var
//TH:cardinal;
//tRet:cardinal;
//begin
//if not assigned(KD) then exit;
//TH:=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);
//pThread.dwSize:=sizeof (THREADENTRY32);
//tRet:=Thread32First(TH,pThread);
//while boolean(tRet) do begin
//kdType:=Threads;
//kd(UserData);
//tRet:=Thread32Next(TH,pThread);
//end;
//CloseHandle(TH);
//end;
//procedure TKernelEnums.EnumModules(PID:cardinal;var UserData);
//var
//TH:cardinal;
//tRet:cardinal;
//begin
//if not assigned(KD) then exit;
//TH:=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PID);
//if TH=$ffffffff then exit;
//pModule.dwSize:=sizeof (MODULEENTRY32);
//tRet:=Module32First(TH,pModule);
//while boolean(tRet) do begin
//kdType:=Modules;
//kd(UserData);
//tRet:=Module32Next(TH,pModule);
//end;
//CloseHandle(TH);
//end;
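procedure TKernelEnums.EnumModules(PID: cardinal; var UserData);
{ Walks PID's loader list (PEB.Ldr -> InLoadOrderModuleList) through the
  driver's CopyKMemory and fires KD with kdType=Modules once per LDR_MODULE.
  pModule points at a local copy whose FullDllName/BaseDllName buffers are
  re-pointed at local widestrings, so it is only valid during the callback.
  Exits silently when KD is unassigned (consistent with the other Enum*
  methods; previously an unassigned KD was called) or when the PEB/Ldr
  pointers are not readable. }
var
  PADR: pointer;
  pld: PEB_LDR_DATA;
  LDR: LDR_MODULE;
  sW, sP: widestring;
  pLast: pointer;
begin
  if not assigned(KD) then exit;
  // NOTE(review): BI.PebBaseAddress is this process's PEB (see the unit's
  // initialization) reused as PID's PEB address; only valid where the PEB is
  // mapped at the same address in every process.  PEB+$0C = Ldr (x86).
  if IsAddressValid(PID, cardinal(BI.PebBaseAddress) + 12) = 0 then exit;
  CopyKMemory(PID, pointer(cardinal(BI.PebBaseAddress) + 12), 4, addr(PADR));
  if IsAddressValid(PID, cardinal(PADR)) = 0 then exit;
  CopyKMemory(PID, PADR, sizeof(PEB_LDR_DATA), addr(pld));
  // pLast is the list head's Blink.  The walk ends once the entry just read
  // carries that Blink, i.e. when it has wrapped back to the head.  The list
  // is untrusted data from another process: a corrupted or cyclic list would
  // keep this loop running.
  pLast := pld.InLoadOrderModuleList.BList;
  CopyKMemory(PID, pld.InLoadOrderModuleList.FList, sizeof(LDR_MODULE), addr(LDR));
  while TRUE do begin
    setLength(sW, LDR.FullDllName.StrLen div 2);
    CopyKMemory(PID, LDR.FullDllName.pString, LDR.FullDllName.StrLen, pointer(sW));
    LDR.FullDllName.pString := pointer(sW);
    setLength(sP, LDR.BaseDllName.StrLen div 2);
    CopyKMemory(PID, LDR.BaseDllName.pString, LDR.BaseDllName.StrLen, pointer(sP));
    LDR.BaseDllName.pString := pointer(sP);
    pModule := addr(LDR);
    kdType := Modules;
    KD(UserData);
    CopyKMemory(PID, LDR.InLoadOrderModuleList.FList, sizeof(LDR_MODULE), addr(LDR));
    if cardinal(LDR.InLoadOrderModuleList.BList) = cardinal(pLast) then exit;
  end;
end;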
{ TDisassembler }
constructor TDisassembler.Create(Pid: cardinal);
{ Binds the disassembler to the process whose memory ReadMem will read. }
begin
  inherited Create;
  Self.Pid := Pid;
end;
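function TDisassembler.DisAssemble(Output: pointer;
  var OutputLength: cardinal): boolean;
{ Disassembles the instruction at PCurAdr.  Reads up to 15 bytes through
  ReadMem (ReadMem zero-fills the rest), runs Dasm over them into Output and
  stores Dasm's result in OutputLength; with AutoInc set, PCurAdr advances by
  pDisasmAnalyze.INSTRUCTION_LENGTH.  When nothing could be read, PCurAdr is
  bumped by one byte and OutputLength is 0.  Returns true when bytes were read
  (previously the result was never assigned). }
var
  BFR: array[0..15] of byte;
  cRet: cardinal;
begin
  cRet := ReadMem(pointer(PCurAdr), addr(BFR[0]), 15);
  result := cRet <> 0;
  if result then begin
    OutputLength := Dasm(cardinal(addr(BFR[0])), cardinal(PCurAdr), Output, pDisasmAnalyze, cardinal(opt));
    if AutoInc then PCurAdr := pointer(cardinal(PCurAdr) + pDisasmAnalyze.INSTRUCTION_LENGTH);
  end
  else begin
    // Unreadable byte: step over it so callers iterating a range keep moving.
    PCurAdr := pointer(cardinal(PCurAdr) + 1);
    OutputLength := 0;
  end;
end;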
function TDisassembler.MoveLast(InstructionNumber: cardinal): pointer;
{ Moves pCurAdr backwards by InstructionNumber instructions and returns the
  new address.  x86 code cannot be walked backwards directly, so each step
  starts BaseX (initially 49) bytes before the current address and
  disassembles forward until it reaches it; when the forward walk does not
  land exactly on the current address the start is moved one byte and the
  walk retried (goto Ilp).  s is never assigned, so pointer(s) is nil and the
  text output is discarded, as MoveNext does with pointer(0).
  NOTE(review): the two "if CurAdr" / "else if CurAdr TempX" lines lost their
  comparisons in the extraction of this page; restore them from the original
  source before building.  Labels Fstart, Il and Fout are declared but only
  Ilp is a goto target. }
label Fstart,Ilp,Il,Fout;
var
Cnt,BaseX,TempX,CurAdr,ConC:cardinal;
BFR:array[0..15] of byte;s:String;dback:cardinal;
begin
cnt:=0; ConC:=cardinal(pCurAdr);
repeat
BaseX:=49;TempX:=ConC;
Ilp:
CurAdr:=TempX-BaseX;
Il:
// An unreadable byte counts as a 1-byte step, mirroring MoveNext.
if ReadMem(pointer(CurAdr),addr(BFR [0]),15)0 then begin
Dasm(cardinal(addr(BFR [0])),TempX,pointer(s),pDisasmAnalyze,$ffffffff); dback:=pDisasmAnalyze.INSTRUCTION_LENGTH;
CurAdr:=CurAdr+dback; end
else begin inc(CurAdr);dback:=1;end;
if CurAdr
else if CurAdr TempX then begin
dec (BaseX);
if BaseX=0 then begin Dec (TempX);end
else goto Ilp
end
else
TempX:=TempX-dback;
Fout:
ConC:=TempX;inc(Cnt);
until (InstructionNumber-cnt)= 0 ;
pCurAdr:=pointer(ConC);
result:=pointer(ConC);
end;
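function TDisassembler.MoveNext(InstructionNumber: cardinal): pointer;
{ Advances PCurAdr by InstructionNumber instructions, decoding each with Dasm
  (text output discarded via a nil output pointer) only to learn its length;
  an unreadable address advances by one byte instead.  Returns the new
  PCurAdr; InstructionNumber = 0 returns it unchanged. }
var
  i: cardinal;
  BFR: array[0..15] of byte;
begin
  if InstructionNumber = 0 then begin
    result := PCurAdr;
    exit;
  end;
  for i := 1 to InstructionNumber do begin
    if ReadMem(PCurAdr, addr(BFR[0]), 15) <> 0 then begin
      Dasm(cardinal(addr(BFR[0])), cardinal(PCurAdr), pointer(0), pDisasmAnalyze, $ffffffff);
      PCurAdr := pointer(cardinal(PCurAdr) + pDisasmAnalyze.INSTRUCTION_LENGTH);
    end
    else
      PCurAdr := pointer(cardinal(PCurAdr) + 1);   // unreadable: skip one byte
  end;
  result := PCurAdr;
end;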
function TDisassembler.ReadMem(FromAdr, Buffer: pointer;
bLen: cardinal): cardinal;
{ Copies the readable prefix of [FromAdr, FromAdr+bLen) from process Pid into
  Buffer: probes byte by byte with the driver's IsAddressValid, stops at the
  first unreadable one, zero-fills Buffer (bLen bytes) and copies the curLn
  bytes found with CopyKMemory.  Returns curLn (0 = nothing readable).
  NOTE(review): the "while curLn" loop header lost its condition in the
  extraction of this page; restore it from the original source.
  NOTE(review): maxLn := bLen-1 wraps to $FFFFFFFF for bLen = 0, and for
  bLen = 1 the "if maxLn=0 then exit" line returns before anything is copied
  — both look unintended; confirm against the original. }
var
maxLn,curLn:cardinal;
begin
curLn:=0;
maxLn:=bLen-1;
while curLn if IsAddressValid(Pid,cardinal(FromAdr)+curLn)=0 then break;
inc(curLn);
end;
result:=curLn;
if maxLn=0 then exit;
// if IsRangeValid(Pid,FromAdr,bLen)=0 then begin result:=false;exit;end;
ZeroMemory(Buffer,bLen);
CopyKMemory (pid,FromAdr,curLn,Buffer);
end;
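function TKernelEnums.GetEProcessAddress(Pid: cardinal): pointer;
{ Returns the kernel EPROCESS address for Pid via the driver wrapper and drops
  the reference that lookup took.  The wrapper call must be unit-qualified:
  inside this method an unqualified GetEProcessAddress resolves to the method
  itself, so the previous body recursed until the stack overflowed.
  NOTE(review): assumes the wrapper is a unit-level function of the same
  name, as TServiceManager.DeleteService assumes for vfpower.DeleteService —
  confirm the name in the driver import declarations. }
begin
  result := vfpower.GetEProcessAddress(Pid);
  // Never hand a nil object to the dereference call.
  if result <> nil then DereferenceEObject(result);
end;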
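function TKernelEnums.GetEThreadAddress(Tid: cardinal): pointer;
{ Returns the kernel ETHREAD address for Tid via the driver wrapper and drops
  the reference that lookup took.  The wrapper call must be unit-qualified:
  inside this method an unqualified GetEThreadAddress resolves to the method
  itself, so the previous body recursed until the stack overflowed.
  NOTE(review): assumes the wrapper is a unit-level function of the same
  name, as TServiceManager.DeleteService assumes for vfpower.DeleteService —
  confirm the name in the driver import declarations. }
begin
  result := vfpower.GetEThreadAddress(Tid);
  // Never hand a nil object to the dereference call.
  if result <> nil then DereferenceEObject(result);
end;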
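function TKernelEnums.GetObjectInformation(Pid, Handle: cardinal; var ObjectName: widestring;
  var ObjectType: widestring): boolean;
{ Resolves a handle of process Pid through the driver's QueryObj: info class 2
  fills ObjectType (required), class 1 fills ObjectName (optional; left
  untouched when the reply is empty).  Returns false when the class-2 query
  fails or its reply is malformed.  The 4096-byte scratch buffer is now freed
  on every path — it leaked on the early exit before. }
var
  P: pointer;
  vret: cardinal;
  cP, wLen: cardinal;
begin
  result := false;
  getmem(P, 4096);
  try
    vret := QueryObj(Pid, Handle, 2, P, 4096);
    if vret = 0 then exit;
    // Reply header: the dword at +8 is the string buffer pointer, the word at
    // +4 its byte length; the dword at +0 is subtracted to turn the pointer
    // into an offset inside the reply (presumably the reply's own base as the
    // driver saw it — confirm against the driver).
    cP := cardinal(pointer(cardinal(P) + 8)^) - cardinal(P^);
    wLen := integer(word(pointer(cardinal(P) + 4)^));
    // Offset and length come from the driver reply, not the caller: keep the
    // copy inside the 4096-byte buffer.
    if (cP > 4096) or (wLen > 4096 - cP) then exit;
    setlength(ObjectType, wLen div 2);
    windows.CopyMemory(pointer(ObjectType), pointer(cardinal(P) + cP), wLen);
    vret := QueryObj(Pid, Handle, 1, P, 4096);
    if vret <> 0 then begin
      cP := cardinal(pointer(cardinal(P) + 8)^) - cardinal(P^);
      wLen := integer(word(pointer(cardinal(P) + 4)^));
      if (wLen <> 0) and (cP <= 4096) and (wLen <= 4096 - cP) then begin
        setlength(ObjectName, wLen div 2);
        windows.CopyMemory(pointer(ObjectName), pointer(cardinal(P) + cP), wLen);
      end;
    end;
    result := true;
  finally
    freemem(P);
  end;
end;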
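destructor TKernelEnums.Destroy;
{ Releases the internal buffer iBfr when one was allocated, then the object. }
begin
  if cardinal(iBfr) <> 0 then FreeMem(iBfr);
  inherited;
end;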
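function TKernelEnums.EnumModuleData(EnumData: EnumerateModuleType; PID: cardinal;
  BaseAddress: pointer; Length: cardinal; var UserData): cardinal;
{ Copies Length bytes of PID's image at BaseAddress into a local mapping
  (QueryModule) and walks the export/import/resource tables selected in
  EnumData, firing KD per entry.  pExpBase records the image's base in the
  target so the walkers can rebase RVAs.  Returns the last walker's result, or
  0 when no table was selected or the mapping failed (previously undefined in
  those cases).  The mapping is released even if a walker raises. }
var
  X: pointer;
begin
  result := 0;
  X := QueryModule(PID, BaseAddress, Length);
  if X = nil then exit;
  try
    pExpBase := cardinal(BaseAddress);
    // The walkers parse PE structures copied out of another process — untrusted
    // input — and do little bounds checking of their own.
    if eExport in EnumData then
      result := ExportTable(cardinal(X), self, UserData);
    if eImport in EnumData then
      result := ImportTable(cardinal(X), self, UserData);
    if eResource in EnumData then
      result := ResourceTable(cardinal(X), self, UserData);
  finally
    VirtualFree(X, Length, MEM_DECOMMIT);
    VirtualFree(X, 0, MEM_RELEASE);
  end;
end;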
function TKernelEnums.ModuleData(PID: cardinal; BaseAddress: pointer): EnumerateModuleTypeExport;
{ Thin forwarder: reports which PE tables TestModuleData finds in PID's image at BaseAddress. }
begin
  Result := TestModuleData(PID, BaseAddress);
end;
function CImports(IAT,FuncAdr:pointer;FunctionNameOrOrdinal:cardinal;ModuleName:pansichar;var UserData,UserData2):cardinal;
{ ImportTable callback: packs one import into an IMPORT_BY_MODULE record,
  publishes it through TKernelEnums(UserData).pImports and fires that
  enumerator's kd with kdType=ModuleImports and UserData2.  The record and the
  'Ord:..h' string live on this stack frame, so pImports is only valid during
  the callback.  FunctionNameOrOrdinal is either a pointer to the ASCII name
  or a bare ordinal; the ordinal branch renders it as 'Ord:<hex>h'.  Always
  returns 1.
  NOTE(review): the "if FunctionNameOrOrdinal" line lost its comparison in
  the extraction of this page (it decides name vs. ordinal); restore it from
  the original source before building. }
var
PIMP:IMPORT_BY_MODULE;
tString:string;
begin
PIMP.IAT:=IAT;
if FunctionNameOrOrdinal begin
tstring:='Ord:' + inttohex(FunctionNameOrOrdinal,1) + 'h';
PIMP.FunctionName:=pointer(tString);
end
else
PIMP.FunctionName:=pointer(FunctionNameOrOrdinal);
PIMP.FunctionAddress:=FuncAdr;
PIMP.ModuleName:=ModuleName;
PIMP.BaseAddress:=pointer(TKernelEnums(UserData).pExpBase);
TKernelEnums(UserData).pImports:=addr(PIMP);
if assigned (TKernelEnums(UserData).kd) then begin
with TKernelEnums(UserData) do begin
kdType:=ModuleImports;
kd(UserData2);
end;
end;
result:=1;
end;
function CExports (MName:pansichar;FName:pansichar;Ord,Address:cardinal;var UserData,UserData2):cardinal;
{ ExportTable callback: packs one export into an EXPORT_BY_MODULE record,
  publishes it through TKernelEnums(UserData).pExports and fires that
  enumerator's kd with kdType=ModuleExports and UserData2.  The record lives
  on this stack frame, so pExports is only valid during the callback.  Always
  returns 1. }
var
  entry: EXPORT_BY_MODULE;
  owner: TKernelEnums;
begin
  owner := TKernelEnums(UserData);
  entry.ModuleName := MName;
  entry.FunctionName := FName;
  entry.Ordinal := Ord;
  entry.FuncAddress := pointer(Address);
  entry.BaseAddress := pointer(owner.pExpBase);
  owner.pExports := addr(entry);
  if assigned(owner.kd) then begin
    owner.kdType := ModuleExports;
    owner.kd(UserData2);
  end;
  result := 1;
end;
//IMAGE_IMPORT_DIRECTORY
// dwRVAFunctionNameList:pointer;
// TimeDateStamp,
// ForwarderChain:Cardinal;
// dwRVAModuleName,
// dwRVAFunctionAddressList:pointer
function ImportTable (MAddress:cardinal;var UserData,UserData2):cardinal;
{ Walks the import directory (data directory 1) of the PE image copy at
  MAddress and calls CImports once per imported function with its IAT slot in
  the target (rebased onto TKernelEnums(UserData).pExpBase), the bound
  address found in the local copy, the name pointer (nil for imports by
  ordinal) and the module name.  Returns 1 after the walk, 0 when the image
  has no DOS/PE signature or no import directory.  The headers are untrusted
  data from another process and no RVA is range-checked against the copy.
  NOTE(review): several comparisons were lost in the extraction of this page
  — the two signature checks, the "dwRVAFunctionAddressList ... nil" test and
  the "if cardinal(IIMP.dwRVAFunctionNameList)" line that picks name vs.
  ordinal; restore them from the original source before building. }
var
DOSH:^IMAGE_DOS_HEADER; //we need pointers here
NTH:^IMAGE_NT_HEADERS;
IIMP:^IMAGE_IMPORT_DIRECTORY;
u,nImp:cardinal;
nIAT,nListAddress,nCallAddress:pointer;
mName,fName:pansichar;
tst:pointer;
begin
result:=0;
DOSH:=pointer(MAddress);
if word(pointer(MAddress)^)$5A4D then exit; //not the 'MZ' magic
NTH:=pointer(Maddress+DOSH._lfanew);
if NTH.Signature$4550 then exit; //not 'PE\0\0'
if (NTH.OptionalHeader.DataDirectory[1].VirtualAddress=0) or (NTH.OptionalHeader.DataDirectory[1].Size=0) then exit;
// Number of descriptors; the last one is the all-zero terminator, hence the dec.
nImp:=NTH.OptionalHeader.DataDirectory[1].Size div sizeof(IMAGE_IMPORT_DIRECTORY);
dec(nImp);
IIMP:=pointer(Maddress+NTH.OptionalHeader.DataDirectory[1].VirtualAddress);
u:=0;
while TRUE do begin
//Read...
if (cardinal(IIMP.dwRVAFunctionAddressList)nil) then begin
// nListAddress walks the thunk array in the local copy; nIAT is the same slot in the target.
nListAddress:= pointer(cardinal(IIMP.dwRVAFunctionAddressList)+Maddress);
nIAT:= pointer(cardinal(IIMP.dwRVAFunctionAddressList)+TKernelEnums(UserData).pExpBase);
mName:=pointer(cardinal(IIMP.dwRVAModuleName )+Maddress);
tst:=pointer(cardinal(IIMP.dwRVAFunctionNameList )+Maddress);;
while TRUE do begin
nCallAddress:=pointer(pointer(nListAddress^));
if cardinal(nCallAddress)=0 then break;
// +2 skips the hint word of IMAGE_IMPORT_BY_NAME.
if cardinal(IIMP.dwRVAFunctionNameList) fName:=pointer(cardinal(tst^)+Maddress+2)
else
fName:=nil;
//Event
CImports(nIAT,nCallAddress,cardinal(fName),mName,UserData,UserData2);
nListAddress:=pointer(cardinal(nListAddress)+4);
tst:=pointer(cardinal(tst)+4);
nIAT:=pointer(cardinal(nIAT)+4);
end;
end;
if u=nImp then break;
IIMP:=pointer(cardinal(pointer(IIMP))+sizeof(IMAGE_IMPORT_DIRECTORY));
inc(u)
end;
result:=1;
end;
// IMAGE_EXPORT_DIRECTORY
// Characteristics,
// TimeDateStamp, //+4
// MajorVersion, //+8
// MinorVersion:cardinal; //+10
// Name, //+12
// Base:pointer; //+16
// NumberOfFunctions, //+20
// NumberOfNames:cardinal; //+24
// AddressOfFunctions, //+28
// AddressOfNames, //+32
// AddressOfNameOrdinals:pointer; //+36
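function ExportTable (MAddress:cardinal;var UserData,UserData2):cardinal;
{ Walks the export directory (data directory 0) of the PE image copy at
  MAddress and calls CExports once per exported function with the module
  name, the function name — or 'Export By Ordinal:<n>' when it has none —
  its biased ordinal and the raw AddressOfFunctions value (an RVA, not
  rebased).  Returns the number of exports reported; 0 when the image has no
  DOS/PE signature, no export directory, or the ordinal map cannot be
  allocated.  The headers are untrusted data from another process: the
  name->ordinal table is now range-checked (an out-of-range ordinal used to
  write past the OrdNames allocation); the remaining RVAs are used as-is.
  The OrdNames map is released on every path. }
var
  DOSH: ^IMAGE_DOS_HEADER;
  NTH: ^IMAGE_NT_HEADERS;
  IEXP: ^IMAGE_EXPORT_DIRECTORY;
  SName: pansichar;
  Faddr: pointer;
  FOrd: cardinal;
  FBOrd: cardinal;
  FName: pansichar;
  FNameTemp: string;
  u: integer;
  OrdNames: pointer;
begin
  result := 0;
  DOSH := pointer(MAddress);
  if word(pointer(MAddress)^) <> $5A4D then exit;   // not the 'MZ' magic
  NTH := pointer(MAddress + DOSH._lfanew);
  if NTH.Signature <> $4550 then exit;               // not 'PE\0\0'
  if (NTH.OptionalHeader.DataDirectory[0].VirtualAddress = 0) or (NTH.OptionalHeader.DataDirectory[0].Size = 0) then exit;
  IEXP := pointer(MAddress + NTH.OptionalHeader.DataDirectory[0].VirtualAddress);
  SName := pointer(MAddress + IEXP.Name);
  // OrdNames[i] = name pointer of the function with unbiased ordinal i, 0 if unnamed.
  OrdNames := pointer(GlobalAlloc(GMEM_FIXED or GMEM_ZEROINIT, IEXP.NumberOfFunctions shl 2));
  if OrdNames = nil then exit;
  try
    for u := 0 to IEXP.NumberOfNames - 1 do begin
      FOrd := word(pointer(MAddress + cardinal(IEXP.AddressOfNameOrdinals) + (u shl 1))^);
      FName := pointer(MAddress + cardinal(pointer(MAddress + cardinal(IEXP.AddressOfNames) + (u shl 2))^));
      // A malformed table can carry an ordinal >= NumberOfFunctions; storing it
      // would write outside OrdNames, so such entries are skipped.
      if FOrd < IEXP.NumberOfFunctions then
        cardinal(pointer(cardinal(OrdNames) + FOrd shl 2)^) := cardinal(FName);
    end;
    for u := 0 to IEXP.NumberOfFunctions - 1 do begin
      Faddr := pointer(pointer(MAddress + cardinal(IEXP.AddressOfFunctions) + u shl 2)^);
      if cardinal(Faddr) <> 0 then begin
        FBOrd := u + IEXP.Base;
        if cardinal(pointer(cardinal(OrdNames) + u shl 2)^) <> 0 then
          FName := pointer(cardinal(pointer(cardinal(OrdNames) + u shl 2)^))
        else begin
          FNameTemp := 'Export By Ordinal:' + inttostr(FBOrd);
          FName := pointer(FNameTemp);
        end;
        cExports(SName, FName, FBOrd, cardinal(Faddr), UserData, UserData2);
        inc(result);
      end;
    end;
  finally
    GlobalFree(cardinal(OrdNames));
  end;
end;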
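function ResourceTable (MAddress:Cardinal;var UserData,UserData2):cardinal;
{ Entry point of the resource walk: validates the DOS/PE signatures of the
  image copy at MAddress, locates the resource directory (data directory 2)
  and hands it to ResourceDirectory, which fires KD per leaf resource.
  Returns 1 when the walk ran to completion, 0 otherwise.  The resource tree
  is untrusted data copied from another process and the recursive walker does
  not bound its reads, so the walk is wrapped in try/except: an access
  violation from a malformed tree is swallowed and reported as 0 instead of
  propagating to the caller. }
var
  DOSH: ^IMAGE_DOS_HEADER;
  NTH: ^IMAGE_NT_HEADERS;
  RDIR: pIMAGE_RESOURCE_DIRECTORY;
  PRES: RESOURCE_BY_MODULE;
  cNextRef: cardinal;
begin
  result := 0;
  DOSH := pointer(MAddress);
  if word(pointer(MAddress)^) <> $5A4D then exit;   // not the 'MZ' magic
  NTH := pointer(MAddress + DOSH._lfanew);
  if NTH.Signature <> $4550 then exit;               // not 'PE\0\0'
  if (NTH.OptionalHeader.DataDirectory[2].VirtualAddress = 0) or (NTH.OptionalHeader.DataDirectory[2].Size = 0) then exit;
  RDIR := pointer(NTH.OptionalHeader.DataDirectory[2].VirtualAddress + MAddress);
  cNextRef := 0;   // tree level for ResourceDirectory: 0 = type, 1 = name, 2 = language
  try
    ResourceDirectory(MAddress, cardinal(RDIR), RDIR, UserData, UserData2, PRES, cNextRef);
    result := 1;
  except
    // swallowed by design (see above); the caller sees result = 0
  end;
end;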
//function ResourceDirectory (MAddress,ResSection:Cardinal;ResLast:cardinal;RDIR:pIMAGE_RESOURCE_DIRECTORY; var UserData,UserData2;var pRES:RESOURCE_BY_MODULE;var CNextData:cardinal):cardinal;
function ResourceDirectory (MAddress,ResSection:Cardinal;RDIR:pIMAGE_RESOURCE_DIRECTORY; var UserData,UserData2;var pRES:RESOURCE_BY_MODULE;var CNextData:cardinal):cardinal;
{ Recursive walker over one IMAGE_RESOURCE_DIRECTORY of the image copy at
  MAddress.  ResSection is the address of the resource section root inside
  the copy (all offsets in the tree are relative to it).  CNextData tracks
  the tree level and selects which field of pRES an entry's id/name fills:
  0 -> rType, 1 -> rName, 2 -> rLangId; it is incremented on descent and
  decremented once on exit.  Leaf entries fill the rest of pRES (target
  address rebased onto pExpBase, length, pointer into the local copy) and,
  when pResObj is set, create a GDI object for icons (rType 3), cursors (1)
  and bitmaps (2); nothing here ever frees that ObjectHandle.  Then kd fires
  with kdType=ModuleResources and pResources pointing at pRES.
  Hazards: the tree is untrusted data from another process; no offset is
  range-checked against the copy and recursion depth is unbounded, so a
  malformed tree can fault or overflow the stack.  ResourceTable wraps the
  call in try/except for the former.
  NOTE(review): the two asm blocks in the IsDirectory/leaf branches reuse
  ecx as loaded by the first asm block (the entry's second dword) without
  reloading it, so they depend on the intervening Pascal statements not
  touching ecx — compiler-dependent; confirm with the generated code. }
label
OnEnd;
var
D_ENTRY: pIMAGE_RESOURCE_DIRECTORY_ENTRY;
x:cardinal;
IsDirectory:longbool;
IsNumber:longbool;
rMax:cardinal;
RNEXT:pointer;
rResult:cardinal;
pRES_ENTRY:pIMAGE_RESOURCE_DATA_ENTRY;
cBMP:pBITMAPINFOHEADER;
begin
// if (cardinal(pointer(RDIR))ResLast) or (cardinal(pointer(RDIR))// raise exception.Create('Invalid reference');
// Entries follow the directory header; named entries first, then id entries.
D_ENTRY:=pointer(cardinal(pointer(RDIR))+sizeof (IMAGE_RESOURCE_DIRECTORY));
// if (cardinal(pointer(D_ENTRY))ResLast) or (cardinal(pointer(D_ENTRY))// raise exception.Create('Invalid reference');
x:=1;
rMax:=RDIR.NumberOfNamedEntries+RDIR.NumberOfIdEntries;
if rMax=0 then goto OnEnd;
while TRUE do begin
// Decode the entry: edx = Name_Id, ecx = Data_Directory_RVA.
// High bit of ecx  -> IsDirectory (subdirectory follows).
// High bit of edx  -> the entry is named: rResult = pointer to the name
//                     (offset + ResSection); otherwise IsNumber and rResult = the id.
asm
and dword ptr [IsDirectory],0
and dword ptr [IsNumber],0
mov eax,dword ptr [D_ENTRY]
mov ecx,dword ptr[eax+4]
mov edx,dword ptr[eax]
test ecx,$80000000
je @fwd
or dword ptr [IsDirectory],$FFFFFFFF
@fwd:
test edx,$80000000
jne @fwd2
or dword ptr [IsNumber],$FFFFFFFF
jmp @fwd3
@fwd2:
xor edx,$80000000
add edx,ResSection
@fwd3:
mov dword ptr [rResult],edx
end;
if cNextData=0 then begin
pRES.rType:=rResult;
inc(cNextData);
end
else if cNextData=1 then begin
pRES.rName:=rResult;
inc(cNextData);
end
else if cNextData =2 then begin
pRES.rLangId:=rResult;
end;
//process the entry
if IsDirectory then
//subdirectory: strip the high bit, rebase onto ResSection and recurse
begin
asm
xor ecx,$80000000
add ecx,dword ptr [ResSection]
mov dword ptr [RNEXT],ecx
end;
ResourceDirectory(Maddress,ResSection,RNEXT,UserData,UserData2,pRES,cNextData)
end
else
//leaf: ecx is the offset of the IMAGE_RESOURCE_DATA_ENTRY
begin
asm
add ecx,dword ptr [ResSection]
mov dword ptr [pRES_ENTRY],ecx
end;
pRES.ObjectHandle:=0;
pRES.ResourceAddress :=pointer(cardinal(pRES_ENTRY.DataRVA)+TKernelEnums(UserData).pExpBase);
pRES.ResourceLength:=pRES_ENTRY.rSize;
pRES.BaseAddress:=pointer(TKernelEnums(UserData).pExpBase);
pRES.pData:=pointer(cardinal(pRES_ENTRY.DataRVA)+MAddress);
// $30000 is the icon/cursor resource format version expected by CreateIconFromResource.
if (pRES.rType=3) and TKernelEnums(UserData).pResObj then begin
pRES.ObjectHandle:=CreateIconFromResource(pRES.pData,
pRES_ENTRY.rSize,true,$30000);
end
else if (pRES.rType=1) and TKernelEnums(UserData).pResObj then begin
pRES.ObjectHandle:=CreateIconFromResource(pRES.pData,
pRES_ENTRY.rSize,false,$30000);
end
else if (pRES.rType=2) and TKernelEnums(UserData).pResObj then begin
// Bitmap resources carry a BITMAPINFOHEADER followed by the pixel data.
cBMP:=pRES.pData;
pRes.ObjectHandle:=CreateBitmap(CBMP.biWidth,CBMP.biHeight,CBMP.biPlanes,
CBMP.biBitCount,pointer(cardinal(cBMP)+CBMP.biSize));
end;
//fire the event
if assigned (TKernelEnums(UserData).kd) then begin
with TKernelEnums(UserData) do begin
pResources:=addr(pRES);
kdType:=ModuleResources;
kd(UserData2);
end;
end;
end;
if X=rmax then break;
// if cNextData=0 then asm int 3 end;
D_ENTRY:=pointer(cardinal(pointer( D_ENTRY))+sizeof (IMAGE_RESOURCE_DIRECTORY_ENTRY));
inc (x);
end;
OnEnd:
dec(cNextData);
end;
// push esi
// push edi
// push ebx
// push offset @exceptHandler
// push dword ptr fs:[0]
// mov dword ptr fs:[0],esp
//@OnEnd:
// mov esp,dword ptr fs:[0]
// pop dword ptr fs:[0]
// lea esp,[esp+4]
//@exceptHandler:
// mov eax,dword ptr [esp+12] //FAST HANDLER!
// mov dword ptr [eax+$b8],offset @Onexcept
// xor eax,eax
// ret 16
function TKernelEnums.QueryProcesses: pointer;
{ Takes a SystemProcessInformation (class 5) snapshot into a GlobalAlloc'ed
  buffer, starting at $20000 bytes and growing by $10000 until the reported
  length fits.  The caller owns the buffer and frees it with GlobalFree
  (see GetProcessInfo / GetThreadInfo / EnumProcesses).
  NOTE(review): the "if (h=0) or (cLen" line lost the rest of its condition
  in the extraction of this page; restore it from the original source.
  NOTE(review): the NTSTATUS is ignored and there is no retry cap — a
  failure that keeps h at 0 would loop here allocating ever larger buffers,
  and a nil GlobalAlloc result is passed straight to the kernel call;
  confirm this is acceptable for the callers. }
var
cLen,h:cardinal;
begin
cLen:=$20000;
while TRUE do begin
result:=pointer(globalAlloc(GMEM_FIXED,cLen));
NtQuerySystemInformation(5,result,cLen,h);
if (h=0) or (cLen begin
GlobalFree(cardinal(result));inc (cLen,$10000);
end
else
break;
end ;
end;
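function TKernelEnums.QueryModule(PID: cardinal; BaseAddress: pointer; Length: cardinal): pointer;
{ Copies Length bytes of PID's address space starting at BaseAddress into a
  fresh VirtualAlloc'ed mapping, one 4 KB page at a time; pages the driver's
  IsRangeValid rejects are left zeroed.  VirtualAlloc rounds Length up to a
  page, so the last full-page copy stays inside the mapping.  Returns the
  mapping — free it with VirtualFree MEM_DECOMMIT + MEM_RELEASE as
  EnumModuleData/GetPEHeader do — or nil when VirtualAlloc fails (previously
  a nil result was written through). }
var
  y, yMax: cardinal;
  z: cardinal;
begin
  result := VirtualAlloc(0, Length, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE);
  if result = nil then exit;
  y := cardinal(result);
  yMax := y + Length;
  z := cardinal(BaseAddress);
  // NOTE(review): the loop bound was lost in the extraction of this page and
  // is reconstructed from yMax (computed above and otherwise unused);
  // confirm against the original source.
  while y < yMax do begin
    cardinal(pointer(y)^) := 0;   // validate/touch the page (4 KB granularity) before copying into it
    if IsRangeValid(PID, pointer(z), $1000) <> 0 then
      CopyKMemory(PID, pointer(z), $1000, pointer(y));
    inc(y, $1000);
    inc(z, $1000);
  end;
end;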
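function TKernelEnums.GetPEHeader(Pid, BaseAddress: cardinal;
  var _NT_HEAD: IMAGE_NT_HEADERS;
  var _SEC_HEAD: IMAGE_SECTIONS): longbool;
{ Copies the first page of the image at BaseAddress in process Pid and
  returns its IMAGE_NT_HEADERS in _NT_HEAD plus every section header in
  _SEC_HEAD.  Returns false when the page cannot be mapped, the DOS/PE
  signatures are missing, or the headers do not fit inside the single page
  that was read — e_lfanew and NumberOfSections are untrusted values from
  another process and used to be followed unchecked.  The mapping is released
  on every path; previously the bad-PE-signature path leaked it. }
var
  X: pointer;
  DOSH: ^IMAGE_DOS_HEADER;
  NTH: ^IMAGE_NT_HEADERS;
  PS: ^IMAGE_SECTION_HEADER;
  u: cardinal;
  nSec: cardinal;
begin
  result := false;
  X := QueryModule(Pid, pointer(BaseAddress), $1000);
  if X = nil then exit;
  try
    DOSH := X;
    if word(X^) <> $5A4D then exit;   // not the 'MZ' magic
    // Keep the NT headers inside the one page that was copied.
    if (DOSH._lfanew < 0) or (cardinal(DOSH._lfanew) + sizeof(IMAGE_NT_HEADERS) > $1000) then exit;
    NTH := pointer(cardinal(X) + cardinal(DOSH._lfanew));
    if NTH.Signature <> $4550 then exit;   // not 'PE\0\0'
    nSec := NTH.FileHeader.NumberOfSections;
    // Section headers follow IMAGE_NT_HEADERS; refuse a count that runs off the page.
    if cardinal(DOSH._lfanew) + sizeof(IMAGE_NT_HEADERS) + nSec * sizeof(IMAGE_SECTION_HEADER) > $1000 then exit;
    _NT_HEAD := NTH^;
    setlength(_SEC_HEAD, nSec);
    PS := pointer(cardinal(NTH) + sizeof(IMAGE_NT_HEADERS));
    // u is unsigned: "0 to nSec-1" with nSec = 0 would wrap, hence the guard.
    if nSec > 0 then
      for u := 0 to nSec - 1 do begin
        _SEC_HEAD[u] := PS^;
        PS := pointer(cardinal(pointer(PS)) + sizeof(IMAGE_SECTION_HEADER));
      end;
    result := true;
  finally
    VirtualFree(X, $1000, MEM_DECOMMIT);
    VirtualFree(X, 0, MEM_RELEASE);
  end;
end;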
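function TKernelEnums.GetDeviceInfoFromPtr(pDevice: pointer; var DevObj: DEVICE_OBJECT; var DrvObj: DRIVER_OBJECT;
  var DrvExt: DRIVER_EXTENSION; var DrvName, ServiceName: widestring): longbool;
{ Copies a kernel DEVICE_OBJECT (at pDevice), its DRIVER_OBJECT and, when
  present, the DRIVER_EXTENSION out of kernel memory through CCopyMemory.
  The driver name and service key name are copied into DrvName/ServiceName
  and the UNICODE_STRING buffers in the copies are re-pointed at those
  widestrings; DrvObj.DriverExtension is re-pointed at DrvExt.  Returns
  false when the driver's IsRangeValid rejects pDevice.  On success the
  device object is dereferenced, so the caller must hold a reference to it.
  NOTE(review): only the DEVICE_OBJECT range is validated; the DriverObject
  and DriverExtension pointers read from it are followed unchecked. }
begin
  result := false;
  if not longbool(isRangeValid(GetCurrentProcessId, pDevice, sizeof(DEVICE_OBJECT))) then exit;
  CCopyMemory(addr(DevObj), pDevice, sizeof(DEVICE_OBJECT));
  CCopyMemory(addr(DrvObj), DevObj.DriverObject, sizeof(DRIVER_OBJECT));
  if DrvObj.DriverExtension <> nil then begin
    CCopyMemory(addr(DrvExt), DrvObj.DriverExtension, sizeof(DRIVER_EXTENSION));
    DrvObj.DriverExtension := addr(DrvExt);
    Setlength(ServiceName, DrvObj.DriverExtension.ServiceKeyName.StrLen div 2);
    CCopyMemory(pointer(ServiceName), DrvObj.DriverExtension.ServiceKeyName.pString, DrvObj.DriverExtension.ServiceKeyName.StrLen);
    DrvObj.DriverExtension.ServiceKeyName.pString := pointer(ServiceName);
  end;
  Setlength(DrvName, DrvObj.DriverName.StrLen div 2);
  CCopyMemory(pointer(DrvName), DrvObj.DriverName.pString, DrvObj.DriverName.StrLen);
  DrvObj.DriverName.pString := pointer(DrvName);
  DereferenceEObject(pDevice);
  result := true;
end;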
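function TKernelEnums.GetDeviceInfo(DeviceName: pansichar;
  var DevObj: DEVICE_OBJECT; var DrvObj: DRIVER_OBJECT; var DrvExt: DRIVER_EXTENSION;
  var DrvName, ServiceName: widestring): longbool;
{ Resolves DeviceName through the driver's GetDeviceObjectPointer (which
  fills FOBJS[0] = device object, FOBJS[1] = file object) and copies the
  DEVICE_OBJECT, its DRIVER_OBJECT and, when present, the DRIVER_EXTENSION
  out of kernel memory with CCopyMemory.  Driver name and service key name are
  copied into DrvName/ServiceName and the UNICODE_STRING buffers in the copies
  re-pointed at them; DrvObj.DriverExtension is re-pointed at DrvExt.
  Returns false when the device is not found.  The file object reference
  taken by the lookup is dropped; the device object reference is not.
  NOTE(review): the pointers read out of the kernel copies are followed
  without any range validation. }
var
  FOBJS: array [0..1] of pointer;
begin
  result := false;
  GetDeviceObjectPointer(DeviceName, addr(FOBJS));
  if FOBJS[0] = nil then exit;
  CCopyMemory(addr(DevObj), FOBJS[0], sizeof(DEVICE_OBJECT));
  CCopyMemory(addr(DrvObj), DevObj.DriverObject, sizeof(DRIVER_OBJECT));
  if DrvObj.DriverExtension <> nil then begin
    CCopyMemory(addr(DrvExt), DrvObj.DriverExtension, sizeof(DRIVER_EXTENSION));
    DrvObj.DriverExtension := addr(DrvExt);
    Setlength(ServiceName, DrvObj.DriverExtension.ServiceKeyName.StrLen div 2);
    CCopyMemory(pointer(ServiceName), DrvObj.DriverExtension.ServiceKeyName.pString, DrvObj.DriverExtension.ServiceKeyName.StrLen);
    DrvObj.DriverExtension.ServiceKeyName.pString := pointer(ServiceName);
  end;
  Setlength(DrvName, DrvObj.DriverName.StrLen div 2);
  CCopyMemory(pointer(DrvName), DrvObj.DriverName.pString, DrvObj.DriverName.StrLen);
  DrvObj.DriverName.pString := pointer(DrvName);
  if FOBJS[1] <> nil then begin
    // CCopyMemory(addr(FileObj),FOBJS[1],sizeof (FILE_OBJECT));
    DereferenceEObject(FOBJS[1]);
  end;
  // if DrvObj.HardwareDatabase<>nil then begin
  //   CCopyMemory(addr(pSTR),DrvObj.HardwareDatabase,12);
  //   Setlength(HardwareName,pstr.StrLen div 2);
  //   CCopyMemory(pointer(HardwareName),pstr.pString,pstr.StrLen);
  // end;
  result := true;
end;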
{ TServiceManager }
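constructor TServiceManager.Create;
{ Connects to the local Service Control Manager.  The access mask passed is
  the unit's SERVICE_ALL_ACCESS constant ($F003F), which is the value of
  SC_MANAGER_ALL_ACCESS; the operations this class performs need only
  connect / enumerate / create rights, so a least-privilege caller could
  narrow it.  hServiceManager stays 0 when the connection fails; hService is
  0 until OpenService/CreateService succeeds. }
begin
  inherited Create;
  hServiceManager := OpenSCManagerA(0, 0, SERVICE_ALL_ACCESS);
end;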
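destructor TServiceManager.Destroy;
{ Closes the service handle (if one was opened) and the SCM connection, then
  the object.  Closing the service handle is also what lets the SCM complete a
  pending DeleteService. }
begin
  if hService <> 0 then CloseServiceHandle(hService);
  if hServiceManager <> 0 then CloseServiceHandle(hServiceManager);
  inherited;
end;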
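function TServiceManager.OpenService(ServiceName: pansichar): longbool;
{ Opens the named service and remembers it in hService/SvrName.  Requires an
  SCM connection and no service already open (one service per object).
  $F01FF is SERVICE_ALL_ACCESS; the class only starts, stops, pauses, queries
  and deletes, so a narrower mask would suffice.  Returns true on success. }
begin
  result := false;
  if (hServiceManager <> 0) and (hService = 0) then begin
    hService := OpenServiceA(hServiceManager, ServiceName, $f01ff);
    result := longbool(hService);
    if result then SvrName := string(ServiceName);
  end;
end;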
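function TServiceManager.CreateService(ServiceName, FullServicePath: pansichar; ServiceType: SERVICE_TYPES;
  ServiceStart: SERVICE_START): longbool;
{ Registers a new service (display name = ServiceName, error control
  SERVICE_ERROR_NORMAL, no load-order group, dependencies or account) with the
  given type and start mode and keeps its handle in hService/SvrName.
  Requires an SCM connection and no service already open.  $F01FF is
  SERVICE_ALL_ACCESS.  FullServicePath is passed through unquoted; a Win32
  path containing spaces should be quoted by the caller.  Returns true on
  success. }
begin
  result := false;
  if (hServiceManager <> 0) and (hService = 0) then begin
    hService := CreateServiceA(hServiceManager, ServiceName, ServiceName, $f01ff, cardinal(ServiceType),
      cardinal(ServiceStart), SERVICE_ERROR_NORMAL, FullServicePath, 0, 0, 0, 0, 0);
    result := longbool(hService);
    if result then SvrName := string(ServiceName);
  end;
end;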
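function TServiceManager.StartService(Args: pointer; ArgsCount: cardinal): longbool;
{ Starts the open service with ArgsCount argument strings at Args.  Returns
  false when no service is open or StartServiceA fails. }
begin
  result := false;
  if hService <> 0 then
    result := StartServiceA(hService, ArgsCount, Args);
end;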
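function TServiceManager.DeleteService: longbool;
{ Sends SERVICE_CONTROL_STOP to the open service, yields once, then marks it
  for deletion with the unit-level DeleteService (qualified with the unit name
  so the call does not resolve to this method).  The stop result is ignored.
  The SCM removes the service only after every handle to it is closed, which
  for this object happens in Destroy.  Returns false when no service is open. }
var
  SS: SERVICE_STATUS;
begin
  result := false;
  if hService <> 0 then begin
    ControlService(hService, SERVICE_CONTROL_STOP, SS);
    SleepEx(0, false);   // yield so the stop request can be processed
    result := vfpower.DeleteService(hService);
  end;
end;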
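function TServiceManager.GetSvc (var SStatus: SERVICE_STATUS): longbool;
{ Fills SStatus with the open service's current status.  Returns false when
  no service is open or QueryServiceStatus fails. }
begin
  result := false;
  if hService <> 0 then result := QueryServiceStatus(hService, SStatus);
end;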
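function TServiceManager.StopService: longbool;
{ Sends SERVICE_CONTROL_STOP to the open service.  Returns true only when the
  control was accepted and the reported state is already STOPPED or
  STOP_PENDING; false otherwise or when no service is open. }
var
  SS: SERVICE_STATUS;
begin
  result := false;
  if hService <> 0 then
    if ControlService(hService, SERVICE_CONTROL_STOP, SS) then
      result := (SS.dwCurrentState = ord(SERVICE_STOPPED)) or (SS.dwCurrentState = ord(SERVICE_STOP_PENDING));
end;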
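function TServiceManager.ContinueService: longbool;
{ Sends SERVICE_CONTROL_CONTINUE to the open service.  Returns true only when
  the control was accepted and the reported state is RUNNING or
  CONTINUE_PENDING; false otherwise or when no service is open. }
var
  SS: SERVICE_STATUS;
begin
  result := false;
  if hService <> 0 then
    if ControlService(hService, SERVICE_CONTROL_CONTINUE, SS) then
      result := (SS.dwCurrentState = ord(SERVICE_RUNNING)) or (SS.dwCurrentState = ord(SERVICE_CONTINUE_PENDING));
end;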
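function TServiceManager.PauseService: longbool;
{ Sends SERVICE_CONTROL_PAUSE to the open service.  Returns true only when
  the control was accepted and the reported state is PAUSE_PENDING or PAUSED;
  false otherwise or when no service is open. }
var
  SS: SERVICE_STATUS;
begin
  result := false;
  if hService <> 0 then
    if ControlService(hService, SERVICE_CONTROL_PAUSE, SS) then
      result := (SS.dwCurrentState = ord(SERVICE_PAUSE_PENDING)) or (SS.dwCurrentState = ord(SERVICE_PAUSED));
end;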
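function TServiceManager.EnumServices(var UserData): longbool;
{ Enumerates active and inactive services of type $33 (SERVICE_KERNEL_DRIVER
  or SERVICE_FILE_SYSTEM_DRIVER or SERVICE_WIN32_OWN_PROCESS or
  SERVICE_WIN32_SHARE_PROCESS) through EnumServicesStatusExA and fires kd once
  per ENUM_SERVICE_STATUS_PROCESS entry with EnPrc pointing at it (valid only
  during the callback).  Returns true once every entry has been delivered;
  false when the SCM handle or kd is missing, the size probe reports nothing,
  allocation fails or the enumeration fails (previously the result was left
  undefined on those paths).  The buffer is released on every path. }
var
  BF: cardinal;
  bNeed, sRet, RH: cardinal;
  x: cardinal;
  xp: pointer;
begin
  result := false;
  if (hServiceManager = 0) or (not Assigned(kd)) then exit;
  RH := 0;
  bNeed := 0;
  sRet := 0;
  // Size probe: with a null buffer the call fails and reports the byte count it needs in bNeed.
  EnumServicesStatusExA(hServiceManager, 0, $33, SERVICE_ACTIVE or SERVICE_INACTIVE, pointer(0),
    0, bNeed, sRet, RH, 0);
  if bNeed = 0 then exit;
  BF := GlobalAlloc(GMEM_FIXED or GMEM_ZEROINIT, bNeed);
  if BF = 0 then exit;
  try
    if not EnumServicesStatusExA(hServiceManager, 0, $33, SERVICE_ACTIVE or SERVICE_INACTIVE, pointer(BF),
      bNeed, bNeed, sRet, RH, 0) then exit;
    xp := pointer(BF);
    // x is unsigned: "0 to sRet-1" with sRet = 0 would wrap, hence the guard.
    if sRet > 0 then
      for x := 0 to sRet - 1 do begin
        EnPrc := xp;
        kd(UserData);
        xp := pointer(cardinal(xp) + sizeof(ENUM_SERVICE_STATUS_PROCESS));
      end;
    result := true;
  finally
    GlobalFree(BF);
  end;
end;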
initialization
// Caches PROCESS_BASIC_INFORMATION (info class 0) for *this* process in BI;
// bMLen receives the returned length and the handle is closed right away.
// PROCESS_ALL_ACCESS is more than the query needs — the GetCurrentProcess
// pseudo-handle, or PROCESS_QUERY_INFORMATION, would be the least-privilege
// choice.  NOTE(review): GetProcessInfo and EnumModules later reuse
// BI.PebBaseAddress as the PEB address of *other* processes, which assumes
// the PEB is mapped at the same address everywhere; confirm for the
// targeted Windows versions.
cPHandle:=OpenProcess(PROCESS_ALL_ACCESS,false,GetCurrentProcessId);
NtQueryInformationProcess(cPHandle,0,addr(BI),sizeof (PROCESS_BASIC_INFORMATION),bMLen);
CloseHandle(cPHandle);
finalization
end.