Add trackVal jutsu

git-svn-id: file:///home/svn/framework3/trunk@6084 4d416f70-5f16-0410-b530-b9f4589650da
2009-01-07 17:50:31 +00:00 · 2009-01-07 17:50:31 +00:00 · fa334604b9
parent a41e16ded3
commit fa334604b9
13 changed files with 125 additions and 3 deletions
--- a/external/source/byakugan/bin/Vista/byakugan.dll
+++ b/external/source/byakugan/bin/Vista/byakugan.dll
--- a/external/source/byakugan/bin/XPSP2/byakugan.dll
+++ b/external/source/byakugan/bin/XPSP2/byakugan.dll
--- a/external/source/byakugan/exts.cpp
+++ b/external/source/byakugan/exts.cpp
@ -105,7 +105,7 @@ HRESULT CALLBACK symport(PDEBUG_CLIENT4 Client, PCSTR args) {
 }

 HRESULT CALLBACK jutsu(PDEBUG_CLIENT4 Client, PCSTR args) {
-    char    *command, *bufName, *bufPatt, *bindPort;
+    char    *command, *bufName, *bufPatt, *bindPort, *bufSize;

    INIT_API();
    
@ -115,6 +115,12 @@ HRESULT CALLBACK jutsu(PDEBUG_CLIENT4 Client, PCSTR args) {
 			helpJutsu();
 			return (S_OK);
 		}
+		if (!_stricmp(command, "trackVal")) {
+			bufName = strtok(NULL, " ");
+			bufSize = strtok(NULL, " ");
+			bufPatt = strtok(NULL, " ");
+			trackValJutsu(bufName, strtoul(bufSize, NULL, 10), strtoul(bufPatt, NULL, 0x10));
+		}
 		if (!_stricmp(command, "searchOpcode")) {
 			char	*instructions;
 			
--- a/external/source/byakugan/i386/byakugan.dll
+++ b/external/source/byakugan/i386/byakugan.dll
--- a/external/source/byakugan/i386/byakugan.exp
+++ b/external/source/byakugan/i386/byakugan.exp
--- a/external/source/byakugan/i386/byakugan.lib
+++ b/external/source/byakugan/i386/byakugan.lib
--- a/external/source/byakugan/i386/byakugan.pdb
+++ b/external/source/byakugan/i386/byakugan.pdb
--- a/external/source/byakugan/injectsu/i386/injectsu.dll
+++ b/external/source/byakugan/injectsu/i386/injectsu.dll
--- a/external/source/byakugan/injectsu/i386/injectsu.exp
+++ b/external/source/byakugan/injectsu/i386/injectsu.exp
--- a/external/source/byakugan/injectsu/i386/injectsu.lib
+++ b/external/source/byakugan/injectsu/i386/injectsu.lib
--- a/external/source/byakugan/injectsu/i386/injectsu.pdb
+++ b/external/source/byakugan/injectsu/i386/injectsu.pdb
--- a/external/source/byakugan/jutsu.cpp
+++ b/external/source/byakugan/jutsu.cpp
@ -6,7 +6,8 @@
 #include "msfpattern.h"

 struct requestQueue	jutsuRequests;
-struct trackedBuf	*trackedBufList;
+struct trackedBuf	*trackedBufList = NULL;
+struct trackedVal	*trackedValList = NULL;

 ULONG64				disassemblyBuffer;
 HANDLE				processHandle = 0;
@ -33,6 +34,78 @@ void helpJutsu(void) {
 	return;
 }

+void trackValJutsu(char *name, DWORD size, DWORD value) {
+    struct trackedVal   *newTrackedVal, *parent = NULL;
+	struct valInstance	*last, *curr;
+	char				findValExpression[18] =  {'\x00'};
+
+	newTrackedVal = trackedValList;
+	while (newTrackedVal != NULL) {
+		if (!_stricmp(newTrackedVal->valName, name))
+			break;
+		newTrackedVal = newTrackedVal->next;
+	}
+
+	// Search the list for the new value, purge old addresses
+	if (newTrackedVal) {
+		dprintf("[J] Narrowing down candidate list for %s from %d candidates.\n", name, newTrackedVal->candidates);
+		curr = newTrackedVal->instances;
+		last = NULL;
+		while (curr != NULL) {
+			StringCchPrintf(findValExpression, sizeof(findValExpression), "poi(0x%08x)", curr->address);
+        	if (value != GetExpression(findValExpression)) {
+				if (last) {
+					last->next = curr->next;
+					free(curr);
+					curr = last->next;
+				} else {
+					newTrackedVal->instances = curr->next;
+					free(curr);
+					curr = newTrackedVal->instances;
+				}
+				newTrackedVal->candidates--;
+				if (newTrackedVal->candidates == 1) {
+					dprintf("[J] Value %s is stored at address 0x%08x\n", 
+							newTrackedVal->valName, newTrackedVal->instances->address);
+					return;
+				}
+			} else {
+				last = curr; curr = curr->next;
+			}
+		}
+		dprintf("[J] Narrowed down address of %s to %d possible candidates.\n", name, newTrackedVal->candidates);
+		return;
+	} 
+	dprintf("[J] Creating new list of candidates for %s.\n", name);
+
+	// Create a new list and search all memory for the value
+    newTrackedVal = (struct trackedVal *) malloc(sizeof (struct trackedVal));
+    if (newTrackedVal == NULL) {
+        dprintf("[J] OOM!");
+        return;
+    }
+    newTrackedVal->next 		= NULL;
+	newTrackedVal->valSize 		= size;
+	newTrackedVal->valName 		= _strdup(name);
+	if(!newTrackedVal->valName) {
+		free(newTrackedVal);
+		dprintf("[J] OOM!\n");
+		return;
+	}
+
+	newTrackedVal->candidates = findAllVals((BYTE*) &value, size, &(newTrackedVal->instances));	
+	dprintf("[J] Discovered %d possible candidate addresses for %s\n", newTrackedVal->candidates, name);
+
+	newTrackedVal->next = trackedValList;
+	trackedValList = newTrackedVal;
+
+	return;
+}
+
+void listTrackedVals() {
+}
+
+
 void bindJutsu(char  *bindPort) {
 	HANDLE					hThread;
 	DWORD					dwThreadId;
@ -468,6 +541,32 @@ ULONG64 searchMemory(unsigned char * byteBuffer, unsigned long length){
 	return (addressHit);
 }

+DWORD	findAllVals(unsigned char *byteBuffer, BYTE size, struct valInstance **instance) {
+	ULONG64 addressHit = 0;
+	DWORD	addressCount = 0;
+	HRESULT memSearch;
+	struct	valInstance	*newValInstance;
+	
+	*instance = NULL;
+
+	while ((memSearch = g_ExtData->SearchVirtual(addressHit+size, (ULONG64)-1, byteBuffer,
+        size, 1, &addressHit)) == S_OK) {
+		
+		if (!*instance) {
+			*instance = (struct valInstance *) malloc(sizeof (struct valInstance));
+			newValInstance = *instance;
+		} else {
+			newValInstance->next = (struct valInstance *) malloc(sizeof (struct valInstance));
+			newValInstance = newValInstance->next;
+		}
+		newValInstance->address = addressHit;
+		newValInstance->next = NULL;
+		addressCount++;
+	}
+
+	return (addressCount);
+}
+
 BOOL checkExecutability(ULONG64 checkAddress){
 	MEMORY_BASIC_INFORMATION protectionInfo;

--- a/external/source/byakugan/jutsu.h
+++ b/external/source/byakugan/jutsu.h
@ -56,6 +56,21 @@ struct bufInstance {
 	struct bufInstance	*next;
 };

+struct trackedVal {
+    char    *valName;
+    BYTE    valSize;
+    ULONG   candidates;
+
+    struct  valInstance *instances;
+    struct  trackedVal  *next;
+};
+
+struct valInstance {
+    ULONG64 address;
+
+    struct valInstance *next;
+};
+

 void    helpJutsu(void);
 void    bindJutsu(char *);
@ -68,8 +83,10 @@ void	listTrackedBufJutsu(void);
 void	showRequestsJutsu(void);
 void	hunterJutsu(void);
 void	returnAddressHuntJutsu(void);
+void	trackValJutsu(char *name, DWORD size, DWORD value);
 ULONG64 allocateMemoryBlock(unsigned long); 
 ULONG64 searchMemory(unsigned char * byteBuffer, unsigned long length);
+DWORD   findAllVals(unsigned char *byteBuffer, BYTE size, struct valInstance **instance);

 // Handlers
 void	executeJutsu(struct request *);