From 9b4611d874f6491e6c649c9bdc6ae2df1aa010fc Mon Sep 17 00:00:00 2001
From: khz_df <zhaoanhua6763@dingtalk.com>
Date: Tue, 21 May 2019 18:51:20 +0800
Subject: [PATCH] =?UTF-8?q?[=E5=86=85=E5=AD=98=E8=AF=BB=E5=8F=96]=20?=
 =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E8=AF=BB=E5=8F=96=E6=96=B9=E5=BC=8F=E9=80=89?=
 =?UTF-8?q?=E9=A1=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 course/WinDriver/tools/tools-MFC/Resource.h   |   4 +-
 .../tools/tools-MFC/tools-MFCDlg.cpp          |  50 ++++++++++++++++--
 .../WinDriver/tools/tools-MFC/tools-MFCDlg.h  |   2 +
 course/WinDriver/tools/tools-MFC/toolsMFC.rc  | Bin 11872 -> 12226 bytes
 third/Blackbone/src/BlackBone/Include/Macro.h |   4 ++
 5 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/course/WinDriver/tools/tools-MFC/Resource.h b/course/WinDriver/tools/tools-MFC/Resource.h
index 42747d8..b0197b7 100644
--- a/course/WinDriver/tools/tools-MFC/Resource.h
+++ b/course/WinDriver/tools/tools-MFC/Resource.h
@@ -12,6 +12,8 @@
 #define IDC_COMBO_PROCESS               1002
 #define IDC_EDIT_MEM_DATA               1003
 #define IDC_BUTTON_READ                 1004
+#define IDC_COMBO1                      1005
+#define IDC_COMBO_READ_TYPE             1005
 
 // Next default values for new objects
 // 
@@ -19,7 +21,7 @@
 #ifndef APSTUDIO_READONLY_SYMBOLS
 #define _APS_NEXT_RESOURCE_VALUE        130
 #define _APS_NEXT_COMMAND_VALUE         32771
-#define _APS_NEXT_CONTROL_VALUE         1005
+#define _APS_NEXT_CONTROL_VALUE         1006
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif
diff --git a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp
index f535837..b3b2376 100644
--- a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp
+++ b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.cpp
@@ -85,6 +85,7 @@ void CtoolsMFCDlg::DoDataExchange(CDataExchange* pDX)
 	DDX_Text(pDX, IDC_EDIT_LENGTH, m_mem_length);
 	DDX_Control(pDX, IDC_EDIT_ADDRESS, m_mem_address);
 	DDX_Control(pDX, IDC_COMBO_PROCESS, m_combo_process);
+	DDX_Control(pDX, IDC_COMBO_READ_TYPE, m_combo_read_type);
 }
 
 BEGIN_MESSAGE_MAP(CtoolsMFCDlg, CDialogEx)
@@ -93,6 +94,7 @@ BEGIN_MESSAGE_MAP(CtoolsMFCDlg, CDialogEx)
 	ON_WM_QUERYDRAGICON()
 	ON_BN_CLICKED(IDC_BUTTON_READ, &CtoolsMFCDlg::OnBnClickedButtonRead)
 	ON_CBN_DROPDOWN(IDC_COMBO_PROCESS, &CtoolsMFCDlg::OnCbnDropdownComboProcess)
+	ON_CBN_SELCHANGE(IDC_COMBO_PROCESS, &CtoolsMFCDlg::OnCbnSelchangeComboProcess)
 END_MESSAGE_MAP()
 
 
@@ -134,6 +136,11 @@ BOOL CtoolsMFCDlg::OnInitDialog()
 	m_mem_length = 0x20;
 	UpdateData(FALSE);
 
+	m_combo_read_type.AddString(_T("ReadProcessMemory"));
+	m_combo_read_type.AddString(_T("BlackBone_R3"));
+	m_combo_read_type.AddString(_T("BlackBone_R0"));
+	m_combo_read_type.SetCurSel(0);
+
 	return TRUE;  // 除非将焦点设置到控件，否则返回 TRUE
 }
 
@@ -229,18 +236,25 @@ std::string ToHexLines(PBYTE bytes, DWORD length)
 
 void CtoolsMFCDlg::OnBnClickedButtonRead()
 {
-	// TODO: 在此添加控件通知处理程序代码
+	// 更新控件数据，清空16进制显示控件内容
 	UpdateData();
 	m_mem_data.SetString(_T(""));
 
+	// 获取目标进程内存地址：ll_address
 	CString str_address;
 	m_mem_address.GetWindowText(str_address);
 	str_address = _T("0x") + str_address;
 	LONGLONG ll_address = _tcstoull_l(str_address.GetBuffer(), NULL, 16, 0);
 
+	// 获取目标进程ID：pid
 	int nIndex = m_combo_process.GetCurSel();
 	DWORD pid = m_combo_process.GetItemData(nIndex);
 
+	// 获取读取方式：str_read_type
+	CString str_read_type;
+	m_combo_read_type.GetWindowText(str_read_type);
+
+	// 打开目标进程
 	blackbone::Process process;
 	process.Attach(pid);
 	if (!process.valid())
@@ -256,7 +270,7 @@ void CtoolsMFCDlg::OnBnClickedButtonRead()
 	}
 
 	// ReadProcessMemory方式
-	if (false)
+	if (str_read_type == _T("ReadProcessMemory"))
 	{
 		SIZE_T byte_read;
 		BOOL result = ReadProcessMemory(process.core().handle(), (LPCVOID)ll_address, (LPVOID)bytes, (SIZE_T)m_mem_length, &byte_read);
@@ -266,8 +280,8 @@ void CtoolsMFCDlg::OnBnClickedButtonRead()
 			return;
 		}
 	}
-	// blackbone方式
-	else if (false)
+	// blackbone方式: NtWow64ReadVirtualMemory64
+	else if (str_read_type == _T("BlackBone_R3"))
 	{
 		NTSTATUS status = process.memory().Read(ll_address, m_mem_length, (PVOID)bytes);
 		if (!NT_SUCCESS(status))
@@ -277,14 +291,16 @@ void CtoolsMFCDlg::OnBnClickedButtonRead()
 		}
 	}
 	// 驱动方式
-	else
+	else if (str_read_type == _T("BlackBone_R0"))
 	{
+		// 加载驱动
 		NTSTATUS status = blackbone::Driver().EnsureLoaded();
 		if (!NT_SUCCESS(status))
 		{
 			AfxMessageBox(_T("加载驱动失败。"));
 			return;
 		}
+		// 驱动内存读取
 		status = blackbone::Driver().ReadMem(pid, ll_address, m_mem_length, (PVOID)bytes);
 		if (!NT_SUCCESS(status))
 		{
@@ -339,3 +355,27 @@ void CtoolsMFCDlg::OnCbnDropdownComboProcess()
 		m_combo_process.SetItemData(nIndex, pid);
 	}
 }
+
+
+void CtoolsMFCDlg::OnCbnSelchangeComboProcess()
+{
+	// TODO: 在此添加控件通知处理程序代码
+	int nIndex = m_combo_process.GetCurSel();
+	DWORD pid = m_combo_process.GetItemData(nIndex);
+
+	blackbone::Process process;
+	process.Attach(pid);
+	if (!process.valid())
+	{
+		return;
+	}
+
+	if (process.modules().GetMainModule() == nullptr)
+	{
+		return;
+	}
+
+	CString str_address;
+	str_address.Format(_T("%llX"), process.modules().GetMainModule()->baseAddress);
+	m_mem_address.SetWindowText(str_address);
+}
diff --git a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h
index 9efa990..40552d6 100644
--- a/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h
+++ b/course/WinDriver/tools/tools-MFC/tools-MFCDlg.h
@@ -38,4 +38,6 @@ public:
 	CComboBox m_combo_process;
 	afx_msg void OnBnClickedButtonRead();
 	afx_msg void OnCbnDropdownComboProcess();
+	afx_msg void OnCbnSelchangeComboProcess();
+	CComboBox m_combo_read_type;
 };
diff --git a/course/WinDriver/tools/tools-MFC/toolsMFC.rc b/course/WinDriver/tools/tools-MFC/toolsMFC.rc
index f20f0e5f0607c88b0c02da0d63b43c6f9ff774b1..8d5a574a26f8346223137dedf4301fc35f4f9261 100644
GIT binary patch
delta 330
zcmaD5b0~hpC1G9*1~Ud71_cHq1_K7e&G&_`GIE=Ng$x-i7z`#Wib+o1C8;#|m#7r4
zF;I~uP%%u#o<%$;qhoS{m<qEAgX!e=V#bqqiFI%rG8hA)4p6blWKZ#MRzn7J2FuB+
z61I~ch&%C{0F4F7839RipbA5YQmB|YPz0pYaPn4(jm+i@Mw2ro%_l#S5SctlQifN7
zp$6#6aE4%pc!sda3ni1qjTuaUCV<QW*#>ePh%}fSD&eRZ#Nf){$lwB08^RFD5CG)q
z09Au*HUaum2j~qGsOsGk(UW<ElsJBOUkl!u${!E(jsmX<*f5Avi^=hdhd1AoTEz);
aljUSaS<%T0RD2jsCeK$8-^`*K!wCR(mPfDv

delta 211
zcmX>U{~%_=C1GA81_K5i1_cHXZLs;i@Kr``0|rZ=kRgLPgXLsJG0Dj{L~Ve|%ovQ3
zMC~UBNGq_K14WD{e-tyFyicrSa)THPvk8OY<UsLoep9e&W3Wj;_GD`b!^yA2otQ!F
zwc@su^Q25BFOU#`ssot=vcX{Teu<6D1`KACizUq`Ul5m?B<00w#9#q5)L%+`@-d}-
gn;m3UaWWeMO}Qv9I+;n$htYU4qmuaMG_@E`0FGia3jhEB

diff --git a/third/Blackbone/src/BlackBone/Include/Macro.h b/third/Blackbone/src/BlackBone/Include/Macro.h
index d8d70b5..a42b838 100644
--- a/third/Blackbone/src/BlackBone/Include/Macro.h
+++ b/third/Blackbone/src/BlackBone/Include/Macro.h
@@ -16,8 +16,12 @@
 #define CALL_64_86(b, f, ...) (b ? f<uint64_t>(__VA_ARGS__) : f<uint32_t>(__VA_ARGS__))
 #define FIELD_PTR_64_86(b, e, t, f) (b ? fieldPtr( e, &t<uint64_t>::f ) : fieldPtr( e, &t<uint32_t>::f ))
 
+#ifndef LODWORD
 #define LODWORD(l) ((uint32_t)(((uint64_t)(l)) & 0xffffffff))
+#endif
+#ifndef HIDWORD
 #define HIDWORD(l) ((uint32_t)((((uint64_t)(l)) >> 32) & 0xffffffff))
+#endif
 
 // Set or reset particular bit
 #define SET_BIT(v, b)   v |= (1ull << b)
-- 
GitLab