From 70a6948111f824e257ff6f207468a956554d6245 Mon Sep 17 00:00:00 2001
From: khz_df <zhaoanhua6763@dingtalk.com>
Date: Mon, 20 May 2019 19:41:25 +0800
Subject: [PATCH] =?UTF-8?q?[tools-MFC]=20=E8=AF=BB=E5=8F=96=E8=BF=9B?=
 =?UTF-8?q?=E7=A8=8B=E5=86=85=E5=AD=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 course/WinDriver/tools/tools-MFC/Resource.h   |  30 ++--
 .../tools/tools-MFC/tools-MFC.vcxproj         |   5 +-
 .../tools/tools-MFC/tools-MFCDlg.cpp          | 143 ++++++++++++++++++
 .../WinDriver/tools/tools-MFC/tools-MFCDlg.h  |   7 +
 course/WinDriver/tools/tools-MFC/toolsMFC.rc  | Bin 10010 -> 11872 bytes
 5 files changed, 171 insertions(+), 14 deletions(-)

diff --git a/course/WinDriver/tools/tools-MFC/Resource.h b/course/WinDriver/tools/tools-MFC/Resource.h
index 13fd891..42747d8 100644
--- a/course/WinDriver/tools/tools-MFC/Resource.h
+++ b/course/WinDriver/tools/tools-MFC/Resource.h
@@ -1,21 +1,25 @@
 //{{NO_DEPENDENCIES}}
 // Microsoft Visual C++ 生成的包含文件。
-// 由 toolsMFC.rc 使用
+// 供 toolsMFC.rc 使用
 //
-#define IDR_MAINFRAME					128
-#define IDM_ABOUTBOX					0x0010
-#define IDD_ABOUTBOX					100
-#define IDS_ABOUTBOX					101
-#define IDD_TOOLSMFC_DIALOG				102
+#define IDM_ABOUTBOX                    0x0010
+#define IDD_ABOUTBOX                    100
+#define IDS_ABOUTBOX                    101
+#define IDD_TOOLSMFC_DIALOG             102
+#define IDR_MAINFRAME                   128
+#define IDC_EDIT_LENGTH                 1000
+#define IDC_EDIT_ADDRESS                1001
+#define IDC_COMBO_PROCESS               1002
+#define IDC_EDIT_MEM_DATA               1003
+#define IDC_BUTTON_READ                 1004
 
-// 新对象的下一组默认值
-//
+// Next default values for new objects
+// 
 #ifdef APSTUDIO_INVOKED
 #ifndef APSTUDIO_READONLY_SYMBOLS
-
-#define _APS_NEXT_RESOURCE_VALUE	129
-#define _APS_NEXT_CONTROL_VALUE		1000
-#define _APS_NEXT_SYMED_VALUE		101
-#define _APS_NEXT_COMMAND_VALUE		32771
+#define _APS_NEXT_RESOURCE_VALUE        130
+#define _APS_NEXT_COMMAND_VALUE         32771
+#define _APS_NEXT_CONTROL_VALUE         1005
+#define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif
diff --git a/course/WinDriver/tools/tools-MFC/tools-MFC.vcxproj b/course/WinDriver/tools/tools-MFC/tools-MFC.vcxproj
index 33f6978..4a6a565 100644
--- a/course/WinDriver/tools/tools-MFC/tools-MFC.vcxproj
+++ b/course/WinDriver/tools/tools-MFC/tools-MFC.vcxproj
@@ -29,7 +29,7 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v141_xp</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
     <UseOfMfc>Dynamic</UseOfMfc>
   </PropertyGroup>
@@ -93,6 +93,8 @@
       <Optimization>Disabled</Optimization>
       <SDLCheck>true</SDLCheck>
       <PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalOptions>/I"../../../../third/Blackbone/src" %(AdditionalOptions)</AdditionalOptions>
+      <LanguageStandard>stdcpplatest</LanguageStandard>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -115,6 +117,7 @@
       <Optimization>Disabled</Optimization>
       <SDLCheck>true</SDLCheck>
       <PreprocessorDefinitions>_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalOptions>/I"../../../../third/Blackbone/src" %(AdditionalOptions)</AdditionalOptions>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
diff --git a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp
index 0f33806..11d98ea 100644
--- a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp
+++ b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp
@@ -11,6 +11,22 @@
 #define new DEBUG_NEW
 #endif
 
+//////////////////////////////////////////////////////////////////////////
+#include <BlackBone/Config.h>
+#include <BlackBone/Process/Process.h>
+#include <BlackBone/Process/MultPtr.hpp>
+#include <BlackBone/Process/RPC/RemoteFunction.hpp>
+#include <BlackBone/PE/PEImage.h>
+#include <BlackBone/Misc/Utils.h>
+#include <BlackBone/Misc/DynImport.h>
+#include <BlackBone/Syscalls/Syscall.h>
+#include <BlackBone/Patterns/PatternSearch.h>
+#include <BlackBone/Asm/LDasm.h>
+#include <BlackBone/localHook/VTableHook.hpp>
+
+// /I"../../../../third/Blackbone/src"
+#pragma comment(lib, "../../../../third/Blackbone/build/Win32/Debug(XP)/BlackBone.lib")
+//////////////////////////////////////////////////////////////////////////
 
 // 用于应用程序“关于”菜单项的 CAboutDlg 对话框
 
@@ -51,6 +67,8 @@ END_MESSAGE_MAP()
 
 CtoolsMFCDlg::CtoolsMFCDlg(CWnd* pParent /*=nullptr*/)
 	: CDialogEx(IDD_TOOLSMFC_DIALOG, pParent)
+	, m_mem_data(_T(""))
+	, m_mem_length(0)
 {
 	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
 }
@@ -58,12 +76,18 @@ CtoolsMFCDlg::CtoolsMFCDlg(CWnd* pParent /*=nullptr*/)
 void CtoolsMFCDlg::DoDataExchange(CDataExchange* pDX)
 {
 	CDialogEx::DoDataExchange(pDX);
+	DDX_Text(pDX, IDC_EDIT_MEM_DATA, m_mem_data);
+	DDX_Text(pDX, IDC_EDIT_LENGTH, m_mem_length);
+	DDX_Control(pDX, IDC_EDIT_ADDRESS, m_mem_address);
+	DDX_Control(pDX, IDC_COMBO_PROCESS, m_combo_process);
 }
 
 BEGIN_MESSAGE_MAP(CtoolsMFCDlg, CDialogEx)
 	ON_WM_SYSCOMMAND()
 	ON_WM_PAINT()
 	ON_WM_QUERYDRAGICON()
+	ON_BN_CLICKED(IDC_BUTTON_READ, &CtoolsMFCDlg::OnBnClickedButtonRead)
+	ON_CBN_DROPDOWN(IDC_COMBO_PROCESS, &CtoolsMFCDlg::OnCbnDropdownComboProcess)
 END_MESSAGE_MAP()
 
 
@@ -99,6 +123,11 @@ BOOL CtoolsMFCDlg::OnInitDialog()
 	SetIcon(m_hIcon, FALSE);		// 设置小图标
 
 	// TODO: 在此添加额外的初始化代码
+	OnCbnDropdownComboProcess();
+	m_combo_process.SetCurSel(0);
+	m_mem_address.SetWindowText(_T("400000"));
+	m_mem_length = 0x20;
+	UpdateData(FALSE);
 
 	return TRUE;  // 除非将焦点设置到控件，否则返回 TRUE
 }
@@ -152,3 +181,117 @@ HCURSOR CtoolsMFCDlg::OnQueryDragIcon()
 	return static_cast<HCURSOR>(m_hIcon);
 }
 
+std::string ToHex(PBYTE bytes, DWORD length)
+{
+	if (bytes == NULL || length <= 0)
+	{
+		return "";
+	}
+
+	std::string result;
+	for (DWORD i = 0; i < length; ++i)
+	{
+		char hex_byte[4] = { 0 };
+		sprintf_s(hex_byte, 4, "%02X ", bytes[i]);
+		result += hex_byte;
+	}
+
+	return result;
+}
+
+
+std::string ToHexLines(PBYTE bytes, DWORD length)
+{
+	if (bytes == NULL || length <= 0)
+	{
+		return "";
+	}
+	
+	DWORD line = length / 0x10;
+	DWORD left = length % 0x10;
+
+	std::string result;
+	for (DWORD i = 0; i < line; ++i)
+	{
+		result += ToHex(bytes + 0x10 * i, 0x10);
+		result += "\r\n";
+	}
+
+	result += ToHex(bytes + 0x10 * line, left);
+
+	return result;
+}
+
+void CtoolsMFCDlg::OnBnClickedButtonRead()
+{
+	// TODO: 在此添加控件通知处理程序代码
+	UpdateData();
+
+	CString str_address;
+	m_mem_address.GetWindowText(str_address);
+	str_address = _T("0x") + str_address;
+	LONGLONG dw_address = _tcstoull_l(str_address.GetBuffer(), NULL, 16, 0);
+
+	int nIndex = m_combo_process.GetCurSel();
+	DWORD pid = m_combo_process.GetItemData(nIndex);
+
+	blackbone::Process process;
+	process.Attach(pid);
+	if (!process.valid())
+	{
+		AfxMessageBox(_T("打开进程失败。"));
+		return;
+	}
+
+	PBYTE bytes = new BYTE[m_mem_length];
+	if (NULL == bytes)
+	{
+		return;
+	}
+	NTSTATUS status = process.memory().Read(dw_address, m_mem_length, (PVOID)bytes);
+	if (!NT_SUCCESS(status))
+	{
+		AfxMessageBox(_T("读取进程内存失败，请检查内存地址和大小。"));
+		return;
+	}
+// 	m_mem_data.Format(_T("%02X %02X %02X %02X   %02X %02X %02X %02X "), bytes[0], bytes[1], bytes[2], bytes[3]
+// 		, bytes[4], bytes[5], bytes[6], bytes[7]);
+	std::string str_mem_data = ToHexLines(bytes, m_mem_length);
+	m_mem_data = CStringA(str_mem_data.data());
+	UpdateData(FALSE);
+}
+
+
+void CtoolsMFCDlg::OnCbnDropdownComboProcess()
+{
+	// TODO: 在此添加控件通知处理程序代码
+	m_combo_process.ResetContent();
+	blackbone::Process process;
+
+	std::vector<DWORD> vct_pids = blackbone::Process::EnumByName(L"");
+	for (auto pid : vct_pids)
+	{
+		NTSTATUS status = process.Attach(pid);
+		CString msg;
+
+		if (NT_SUCCESS(status))
+		{
+			if (process.modules().GetMainModule())
+			{
+				CString str_64 = process.core().isWow64() ? _T("x86") : _T("x64");
+				msg.Format(_T("[%05d][%s] %s"), process.pid(), str_64.GetBuffer(), process.modules().GetMainModule()->fullPath.data());
+			}
+			else
+			{
+				msg.Format(_T("[%d] %s"), process.pid(), _T("failed_get_path"));
+			}
+		}
+		else
+		{
+			msg.Format(_T("[%d] %s"), pid, _T("failed_Attach"));
+		}
+		m_combo_process.AddString(msg);
+		int nIndex = m_combo_process.GetCount() - 1;
+		m_combo_process.SetItemData(nIndex, pid);
+	}
+}
diff --git a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h
index 39d30c5..9efa990 100644
--- a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h
+++ b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h
@@ -31,4 +31,11 @@ protected:
 	afx_msg void OnPaint();
 	afx_msg HCURSOR OnQueryDragIcon();
 	DECLARE_MESSAGE_MAP()
+public:
+	CString m_mem_data;
+	DWORD m_mem_length;
+	CEdit m_mem_address;
+	CComboBox m_combo_process;
+	afx_msg void OnBnClickedButtonRead();
+	afx_msg void OnCbnDropdownComboProcess();
 };
diff --git a/course/WinDriver/tools/tools-MFC/toolsMFC.rc b/course/WinDriver/tools/tools-MFC/toolsMFC.rc
index 4ba1449e992b310c2951ba4c38547de5d5d22b30..f20f0e5f0607c88b0c02da0d63b43c6f9ff774b1 100644
GIT binary patch
delta 1920
zcmb7FU2Icj7=AlSH}^x=bz9f2=;>r*Bg3_4Wo#jtbY-#=`!m{YokkoLy3x45(8^G7
zTfE`I__Mr73^72a;ffed6E6rCaE&I!7-M2$xKU%G338`k@Oi(}b&4!PPQLGZzw^C6
z&-c9VdC$4nt(V@{_e@cSW-*RYn(|nWkOnzJIhv!_ARUIRVRsmEmgb@J4AoF2bx{|G
z%G`X`TEBAq-qZV`_Mn?dn9R`(%=2`VGMu)$H*2Jmwvu)hKC)c1@Rh37?HcWjozAq=
z^2ubp`u@(?Ut=8)fskXP=AC$iLKLI@G(lk+A_MXuB{4c-k)%-?pp7&paBfhPhM{55
za~OlPkJDTC@VlFSwP<|6*UV?ELq(~7v#oH?demZW3yZdKE9a~3EE%9-4)-h)pw=~6
zgHQ8RqXkeUch+bc`U{HAJaz`{!+ac6PlH?`b{<k%ku1bd!tNNz7Tr87HN|R9B?8(@
zP@PvMS(r$^vI>rd_20nE9L_)|3%EHrGS73^i+f3y1d+>V(3-|0S$@5EI)l~Bvp`OO
z@F=L~Th;x%+*F~)#o7wiYIHv5{j@TxT+GoF6+YZ@$kHJB@T;t>%_k@Tj<>R{rim}s
z+6sDYbs6ui3$o4L#Qk=iFV(g4qTRz^*KOl^r`MGNSuw<pQ%X{Wqz}UBDfT&cS00Sn
z5<ebXIPm#N9(U>+Mr-CzoLAZFXes~xy{b1n_gnb+TDN^SaLMRab1&N+U3PzJZ>k-L
zPf!OH^&Fz3QxJ1-U9)`YgG(<LHCja@NC7p=J$qF>Xn-k?fHr7^)AjBtAu$XRi|-&s
zAWJ2WppH9f7tjczzLFeJk)^sPK>R55;?PXOO9D~^kJQ~mV!is`SRq80B#O6WDT0pM
ztwnykXkj3T;#-UJn?4u53G;5Hw?I6sP=+6fXfoQPDx*(D55tSxP|(F;Wu`lZd!52a
zsk1T6>$m>r$q1Mk@Zwm=8QzGH62NuxqW~6FVMDMDfd+xLi+V731D>n_JVKC}f+$iD
zfv$nsY&#~9M@SI=;oSc0-M7C@w!qsOSpzDif;$Erk{U^p6kM+=D7{z^f&hs4cZZX|
zsQPTn7`|L-5axH!XBzzcWrMdv`k7SJ7)Anw7|OAxTuEih2na#!YxMC@qyGu1^=|Z=
z2w!OIE0<jW@^6i!c9DaykSB<DX_vcne%kevlKps(j#>E5b>6~@?icw7_igmbuRJ%f
zYvXIpt9-=UQ#k8AR93k2<Xh6{FL#8{cE=U#25uVxL}}#GuwQ^IC0=Z$eAf~1{jatF
zu#}i-N}`|1A8Hm&NQ195y@H;WA@1~DM(_5tKGI)i<@(2)gr=W;zdXh-t=s&i{n>KU
o!rxSQ_@`}?9BW<Xo2|WNJqfOC+kxb*3JTjST5g{BcH54>0kkrCjQ{`u

delta 834
zcmYjPUr1AN6h3#GwysVmPM5pa-Mfi8=a!c#rWN99o0@qi{@Db>$^0{+7$qoC;goy`
zDl$(H_#h}@Qa%_LdWw)9gQP&B7pa$CBq}0=5VZ5#jO6nBbI<SlzVn^K`EqGNo%30x
z33GgQGH`z`X`AsRbczXhsDT>%Q7yf=$8)+(70qs2o)2VTAO_bd+77qDX?<CC4ws#_
zhqJ}Fn(bp(oHiQfd4sl}J(_;frj30De5PN-;*&OXm48a@M~;mh<^Xp7yUWl90ZMYV
z6B258c9P+mMqE)ybacfZ=N^1jlh?Pyj|N;5IX4~*995CQ6>W|mPwd_LJmpol!`u+4
zzh^R)FwHKAK?nFrUxg69%WFh2zYd41=Ws>8f*U42`%nM&-O!k3G!HV<qP9@r*5RAN
z`utW1!bSQ*5GHaDN|ts#8OGa|a{O+#<Ell(9g7RaqD=KuMX$K?$XOkZ9%2M&ou-mp
z(c#NYBgs@I&C{V>Ri`-dLxE7LfCn0(p7vT$=<`5Bx*<Wz7QiL_b7s%bI_^o}H=B|r
zlbDPpf>b7xr8Y7agb1xJ=%znrF^$OVm=dfQ7i2x-q=eea2%%!cV@!5t_#sm9LkqpJ
z9(6-I`kjTiDO42w$H%CYAe@6<Xu&<9SBg+BrbR8GJxWSsmts+h)`AaXVu>k28Q7~I
zI-wI&qGZiPd=%>?d^;`1P;tpAXdB`pcUayvxeCqsM!Z^@hYNOl+WtYQ6<<qr^U^Bn
z>=wGd#Bup8r{EdKDVnZj)+WvAT<5fpWm6p5OzXyIf5lCoI(7%gE7x!<*NlT+1ODO~
zu(@h2Gt_qe$Urx{-*dRdi|F=@Vlt-~pLnj&$>RyHqT5yRg4d0cj`SECOlr+2{>*j%
E1qCwRmjD0&

-- 
GitLab