Some stuff since I'm bored...

[Apoc]

Got bored. Created an NtQueryVirtualMemory hook, and VEH wrapper for C#.

Yes. I was THAT bored.

At any rate; here you go, for the leechers!

Code:

using System;
using System.Runtime.InteropServices;

using WhiteMagic;

using Win32InternalHooks.Win32;

namespace Win32InternalHooks
{
    public enum MemoryInformationClass : uint
    {
        MemoryBasicInformation = 0,
        MemoryWorkingSetList = 1,
        MemorySectionName = 2,
        MemoryBasicVlmInformation = 3
    }

    public class QueryVirtualMemory : IDisposable
    {
        #region Delegates

        [UnmanagedFunctionPointer(CallingConvention.Winapi)]
        public delegate int NtQueryVirtualMemoryDelegate(
            IntPtr processHandle, IntPtr baseAddress, MemoryInformationClass memoryInformationClass,
            IntPtr buffer, uint length, IntPtr returnLength);

        #endregion

        private readonly Magic _magic;
        private readonly IntPtr _ntdll;
        private readonly IntPtr _queryVirtualMemory;

        public QueryVirtualMemory()
        {
            _magic = new Magic();

            _ntdll = LibraryImports.GetModuleHandle("ntdll.dll");
            if (_ntdll == IntPtr.Zero)
            {
                Console.WriteLine("Could not find a handle to ntdll, loading the library!");
                _ntdll = LibraryImports.LoadLibrary("ntdll.dll");
            }
            _queryVirtualMemory = LibraryImports.GetProcAddress(_ntdll, "NtQueryVirtualMemory");

            NtQueryVirtualMemory = _magic.RegisterDelegate<NtQueryVirtualMemoryDelegate>(_queryVirtualMemory);
            NtQueryVirtualMemoryHook = NtQueryVirtualMemoryHookHandler;
            _magic.Detours.CreateAndApply(NtQueryVirtualMemory, NtQueryVirtualMemoryHook, "NtQueryVirtualMemory");
        }

        private NtQueryVirtualMemoryDelegate NtQueryVirtualMemory { get; set; }
        private NtQueryVirtualMemoryDelegate NtQueryVirtualMemoryHook { get; set; }

        public IntPtr QueryVirtualMemoryAddress { get { return _queryVirtualMemory; } }

        #region IDisposable Members

        public void Dispose()
        {
            _magic.Detours.RemoveAll();
            GC.SuppressFinalize(this);
        }

        #endregion

        private int NtQueryVirtualMemoryHookHandler(IntPtr processhandle, IntPtr baseaddress,
                                                    MemoryInformationClass memoryinformationclass, IntPtr buffer, uint length,
                                                    IntPtr returnlength)
        {
            string msg = string.Format("ProcessHandle: {0}, BaseAddress: {1}, MIC: {2}, Buffer: {3}, Length: {4}, ReturnLength: {5}",
                                       processhandle.ToString("X"), baseaddress.ToString("X"), memoryinformationclass,
                                       buffer.ToString("X"), length, returnlength);
            Console.WriteLine(msg);

            return
                (int)
                _magic.Detours["NtQueryVirtualMemory"].CallOriginal(processhandle, baseaddress, memoryinformationclass, buffer, length,
                                                                    returnlength);
        }

        ~QueryVirtualMemory()
        {
            Dispose();
        }
    }
}

Code:

using System;
using System.Runtime.InteropServices;

using Win32InternalHooks.Structs;

namespace Win32InternalHooks
{
    public class VectoredExceptionHandler : IDisposable
    {
        #region Delegates

        /// <summary>
        /// A callback handler for a vectored exception.
        /// </summary>
        /// <param name="exceptionPointers">A pointer to a <see cref="ExceptionPointers"/> struct instance.</param>
        /// <returns>-1 if you wish to return control back to where the exception occurred, 0 if you want to continue the handler search. [Typically, return -1]</returns>
        [UnmanagedFunctionPointer(CallingConvention.Winapi)]
        public delegate int VectoredHandler(IntPtr exceptionPointers);

        #endregion

        public VectoredExceptionHandler(VectoredHandler handler)
        {
            IntPtr handle = AddVectoredExceptionHandler(1, Marshal.GetFunctionPointerForDelegate(handler));

            if (handle == IntPtr.Zero)
            {
                throw new Exception("Failed to set the VEH!");
            }

            Handle = handle;
        }

        public IntPtr Handle { get; private set; }

        #region IDisposable Members

        public void Dispose()
        {
            Remove();
            GC.SuppressFinalize(this);
        }

        #endregion

        public ExceptionPointers GetExceptionPointers(IntPtr address)
        {
            return (ExceptionPointers) Marshal.PtrToStructure(address, typeof (ExceptionPointers));
        }

        [DllImport("kernel32.dll")]
        private static extern IntPtr AddVectoredExceptionHandler(uint firstHandler, IntPtr vectoredHandler);

        [DllImport("kernel32.dll")]
        private static extern uint RemoveVectoredExceptionHandler(IntPtr handler);

        public void Remove()
        {
            if (Handle != IntPtr.Zero)
            {
                RemoveVectoredExceptionHandler(Handle);
            }
        }

        ~VectoredExceptionHandler()
        {
            Dispose();
        }
    }
}

Code:

    [StructLayout(LayoutKind.Sequential)]
    public struct ExceptionPointers
    {
        public IntPtr ExceptionRecord;
        public IntPtr ContextRecord;

        public ExceptionRecord GetExceptionRecord()
        {
            return (ExceptionRecord)Marshal.PtrToStructure(ExceptionRecord, typeof(ExceptionRecord));
        }

        public Context GetContextRecord()
        {
            return (Context)Marshal.PtrToStructure(ContextRecord, typeof(Context));
        }
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct Context
    {
        public uint ContextFlags;
        public uint Dr0;
        public uint Dr1;
        public uint Dr2;
        public uint Dr3;
        public uint Dr6;
        public uint Dr7;
        public FloatingSaveArea FloatSave;
        public uint SegGs;
        public uint SegFs;
        public uint SegEs;
        public uint SegDs;
        public uint Edi;
        public uint Esi;
        public uint Ebx;
        public uint Edx;
        public uint Ecx;
        public uint Eax;
        public uint Ebp;
        public uint Eip;
        public uint SegCs;
        public uint EFlags;
        public uint Esp;
        public uint SegSs;

        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512, ArraySubType = UnmanagedType.I1)]
        public byte[] ExtendedRegisters;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct FloatingSaveArea
    {
        public uint ControlWord;
        public uint StatusWord;
        public uint TagWord;
        public uint ErrorOffset;
        public uint ErrorSelector;
        public uint DataOffset;
        public uint DataSelector;

        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80, ArraySubType = UnmanagedType.I1)]
        public byte[] RegisterArea;

        public uint Cr0NpxState;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct MemoryBasicInformation
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public uint RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    [StructLayout(LayoutKind.Explicit)]
    public struct ProcessorInfoUnion
    {
        [FieldOffset(0)]
        internal uint OemId;
        [FieldOffset(0)]
        internal ushort ProcessorArchitecture;
        [FieldOffset(2)]
        internal ushort Reserved;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct SystemInfo
    {
        public ProcessorInfoUnion ProcessorInfoUnion;
        public uint PageSize;
        public uint MinimumApplicationAddress;
        public uint MaximumApplicationAddress;
        public uint ActiveProcessorMask;
        public uint NumberOfProcessors;
        public uint ProcessorType;
        public uint AllocationGranularity;
        public uint ProcessorLevel;
        public uint ProcessorRevision;
    }

Code:

using System;
using System.Runtime.InteropServices;

namespace Win32InternalHooks.Win32
{
    class LibraryImports
    {
        [DllImport("kernel32", SetLastError = true)]
        public static extern IntPtr LoadLibrary(string lpFileName);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool FreeLibrary(IntPtr hModule);
    }
}

Enjoy you leeching ****s!

[Cypher]

Failure.

Why don't you actually implement the NtQueryVirtualMemory hook if you're so bored? Noob.

At least then I'll be able to complain too because you're bound to make mistakes.

[Robske]

Nomnomnmonomnonmonm

Robske uses leech.

It was super effective!

Thanks for C#haring.

[Cypher]

Thanks for C#haring.

Oh god, that was painful to even read. >_>

[flo8464]

I think a thread for code snippets would make sense, imo even more than the Screenshots-thread.

Besides Cypher who makes at least one thread per month with some neat code, there are also other sharing stuff. I also would share some of my stuff, I only don't really want to open a thread for things for which I don't know if someone cares.

The rest of this subforum is kinda degenerated, reversing WoW doesn't offer many secrets anymore so most threads are about general coding/repition of old questions anyway.

[namreeb]

Failure.

Why don't you actually implement the NtQueryVirtualMemory hook if you're so bored? Noob.

At least then I'll be able to complain too because you're bound to make mistakes.

This post is evidence you don't need a reason to complain.

[Cypher]

This post is evidence you don't need a reason to complain.

Who needs evidence? I never claimed otherwise.

[dekz]

I think a thread for code snippets would make sense, imo even more than the Screenshots-thread.

Besides Cypher who makes at least one thread per month with some neat code, there are also other sharing stuff. I also would share some of my stuff, I only don't really want to open a thread for things for which I don't know if someone cares.

The rest of this subforum is kinda degenerated, reversing WoW doesn't offer many secrets anymore so most threads are about general coding/repition of old questions anyway.

Or you could just write a crawler to grab every code tag? Lets not make it easier for leechers?

[wraithZX]

If you're still bored, watch this and try not to laugh:

[ame=http://www.youtube.com/watch?v=8zEQhhaJsU4]YouTube - Steve Ballmer - developers musicvideo[/ame]

[Cypher]

If you're still bored, watch this and try not to laugh:

YouTube - Steve Ballmer - developers musicvideo

Steve Ballmer is my hero.

True story.

[snigelmannen]

How can he get so sweaty and motivated to represent a company that still haven't found a better solution to BSOD?

[Xeranor]

If you're still bored, watch this and try not to laugh:

YouTube - Steve Ballmer - developers musicvideo

its impossible

[lanman92]

Off-topic(somewhat), but is there any chance you'll show us how to hook functions with vararg parameters? Without writing native code to hook it.

[Robske]

Off-topic(somewhat), but is there any chance you'll show us how to hook functions with vararg parameters? Without writing native code to hook it.

I've hooked Framescript_SignalEvents succesfully, but my methods to do so are very alarming. (It screams YOUR DOIN IT WRONG)

Code:

        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        protected delegate int Framescript_SignalEvent(int Event, IntPtr pFormat, SArguments Args);

pFormat points to a string that contains the formatting for the passed arguments, seperated by the % char. (Example: %s%d%d%s%f would indicate 5 arguments: String Int Int String Double)
If it's null, there obviously aren't any arguments to that event.

SArguments is... and brace your self for ugly:

Code:

            [StructLayout(LayoutKind.Sequential)]
            public struct SArguments
            {
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 14)]
                public uint[] Arguments;
            }

Believe me when I say this really was my last resort.

[Cypher]

How can he get so sweaty and motivated to represent a company that still haven't found a better solution to BSOD?

What the **** are you talking about? Most BSODs are caused by poorly written drivers, NOT Microsoft's code.

You can go look up the statistics if you don't believe me.

Besides, I haven't had a single BSOD caused by Windows (only BSODs caused by me ****ing with the kernel in ways I shouldn't be) since upgrading to Vista (and then 7).