Addition of searchVtptr

git-svn-id: file:///home/svn/framework3/trunk@6952 4d416f70-5f16-0410-b530-b9f4589650da
2009-08-12 21:31:45 +00:00 · 2009-08-12 21:31:45 +00:00 · c3011bd07c
parent 5a84e7b47f
commit c3011bd07c
12 changed files with 90 additions and 1 deletions
--- a/external/source/byakugan/bin/XPSP2/byakugan.dll
+++ b/external/source/byakugan/bin/XPSP2/byakugan.dll
--- a/external/source/byakugan/exts.cpp
+++ b/external/source/byakugan/exts.cpp
@ -150,6 +150,16 @@ HRESULT CALLBACK jutsu(PDEBUG_CLIENT4 Client, PCSTR args) {
 			searchOpcodes(instructions);
 			return (S_OK);
 		}
+		if (!_stricmp(command, "searchVtptr")) {
+            char    *instructions, *offsetString;
+			DWORD	offset;
+			
+			offsetString = strtok(NULL, " ");
+			offset = strtoul(offsetString, NULL, 16);
+            instructions = offsetString + strlen(offsetString) + 1;
+            searchVtptr(offset, instructions);
+            return (S_OK);
+        }
 		if (!_stricmp(command, "listen")) {
 			bindPort = strtok(NULL, " ");
 			if (bindPort == NULL)
--- a/external/source/byakugan/i386/byakugan.dll
+++ b/external/source/byakugan/i386/byakugan.dll
--- a/external/source/byakugan/i386/byakugan.exp
+++ b/external/source/byakugan/i386/byakugan.exp
--- a/external/source/byakugan/i386/byakugan.lib
+++ b/external/source/byakugan/i386/byakugan.lib
--- a/external/source/byakugan/i386/byakugan.pdb
+++ b/external/source/byakugan/i386/byakugan.pdb
--- a/external/source/byakugan/injectsu/i386/injectsu.dll
+++ b/external/source/byakugan/injectsu/i386/injectsu.dll
--- a/external/source/byakugan/injectsu/i386/injectsu.exp
+++ b/external/source/byakugan/injectsu/i386/injectsu.exp
--- a/external/source/byakugan/injectsu/i386/injectsu.lib
+++ b/external/source/byakugan/injectsu/i386/injectsu.lib
--- a/external/source/byakugan/injectsu/i386/injectsu.pdb
+++ b/external/source/byakugan/injectsu/i386/injectsu.pdb
--- a/external/source/byakugan/jutsu.cpp
+++ b/external/source/byakugan/jutsu.cpp
@ -857,13 +857,91 @@ void searchOpcodes(char *instructions) {

 	// Search for sequence in executable memory
 	while((ptr = searchMemory(byteSequence, offset, &ptr)) != 0) {
-		if (ptr && checkExecutability(ptr))
+		if (ptr && checkExecutability(ptr)) {
 			dprintf("[J] Executable opcode sequence found at: 0x%08x\n", ptr);
+		}
 		ptr++;
 	}
 	return;
 }

+void searchVtptr(DWORD vtOffset, char *instructions) {
+    char            **instructionList;
+    unsigned char   *byteSequence;
+    DWORD           length, i, j, semiCount = 1, offset = 0;
+    ULONG64         ptr = 0;
+
+    // Split instructions into seperate strings at pipes
+    length = 0;
+    while (instructions[length] != NULL) {
+        if (instructions[length] == '|')
+            semiCount++;
+        length++;
+    }
+
+    // Malloc space for instructionList;
+    instructionList = (char **) malloc((semiCount+1) * sizeof (char *));
+    if (instructionList == NULL) {
+        dprintf("[J] OOM!\n");
+        return;
+    }
+    instructionList[0] = instructions;
+    dprintf("[J] Searching for:\n");
+    i = 0; j = 0;
+    while (i < length) {
+        if (instructions[i] == '|') {
+            instructions[i] = '\x00';
+            dprintf("> %s\n", instructionList[j++]);
+            instructionList[j] = &(instructions[i+1]);
+        }
+        i++;
+    }
+    dprintf("> %s\n", instructionList[j]);
+
+
+    // Allocate space for byteSequence
+    byteSequence = (unsigned char *) malloc(semiCount * 6);
+    if (byteSequence == NULL) {
+        dprintf("[J] OOM!\n");
+        return;
+    }
+
+    // Generate byte sequence and display it
+    for (i = 0; i < semiCount; i++) {
+        unsigned char   tmpbuf[8];
+        offset += getInstructionBytes(instructionList[i], byteSequence+offset);
+    }
+
+    dprintf("[J] Machine Code:\n> ");
+    for (i = 0; i < offset; i++) {
+        dprintf("%02x ", byteSequence[i]);
+        if (i != 0 && !(i % 16))
+            dprintf("\n> ");
+    }
+    dprintf("\n");
+
+    // Search for sequence in executable memory
+    while((ptr = searchMemory(byteSequence, offset, &ptr)) != 0) {
+        if (ptr && checkExecutability(ptr)) {
+            ULONG64 copyPtr = 0, otherPtr = ptr;
+            //dprintf("[J] Executable opcode sequence found at: 0x%08x\n", ptr);
+            while((copyPtr = searchMemory((unsigned char *)&otherPtr, 4, &copyPtr)) != 0) {
+                ULONG64 fptr = 0, vtPtr = copyPtr-vtOffset;
+                //dprintf("\tPtr @ 0x%08x\n", copyPtr);
+                while((fptr = searchMemory((unsigned char *)&vtPtr, 4, &fptr)) != 0) {
+                    //dprintf("\t\tvTable Ptr @ 0x%08x\n", vtPtr);
+                    dprintf("0x%08x -> 0x%08x -> 0x%08x -> sequence\n", 
+                            (ULONG)fptr, (ULONG)vtPtr, (ULONG)otherPtr);
+                    fptr++;
+                }
+                copyPtr++;
+            }
+        }
+        ptr++;
+    }
+    return;
+}
+
 void returnAddressHuntJutsu(){
 	struct trackedBuf *curBuf;
 	int i = 0, bufferIndex = 0;
--- a/external/source/byakugan/jutsu.h
+++ b/external/source/byakugan/jutsu.h
@ -83,6 +83,7 @@ struct corruption {
 void    helpJutsu(void);
 void    bindJutsu(char *);
 void	searchOpcodes(char *);
+void	searchVtptr(DWORD, char *);
 DWORD WINAPI listenJutsu(LPVOID lpvParam);
 void	parseJutsu(char *, ULONG);
 void	identBufJutsu(char *, char *, char *, DWORD);