Changeset 6084

Timestamp:

01/07/09 09:50:31 (6 months ago)

Author:

pusscat

Message:

Add trackVal jutsu

Location:

framework3/trunk/external/source/byakugan

Files:

• bin/Vista/byakugan.dll (modified) (previous)
• bin/XPSP2/byakugan.dll (modified) (previous)
• exts.cpp (modified) (2 diffs)
• i386/byakugan.dll (modified) (previous)
• i386/byakugan.exp (modified) (previous)
• i386/byakugan.lib (modified) (previous)
• i386/byakugan.pdb (modified) (previous)
• injectsu/i386/injectsu.dll (modified) (previous)
• injectsu/i386/injectsu.exp (modified) (previous)
• injectsu/i386/injectsu.lib (modified) (previous)
• injectsu/i386/injectsu.pdb (modified) (previous)
• jutsu.cpp (modified) (3 diffs)
• jutsu.h (modified) (2 diffs)

framework3/trunk/external/source/byakugan/exts.cpp

@@ -106 +106 @@
 
 HRESULT CALLBACK jutsu(PDEBUG_CLIENT4 Client, PCSTR args) {
-    char    *command, *bufName, *bufPatt, *bindPort;
+    char    *command, *bufName, *bufPatt, *bindPort, *bufSize;
 
     INIT_API();
@@ -115 +115 @@
                         helpJutsu();
                         return (S_OK);
+                }
+                if (!_stricmp(command, "trackVal")) {
+                        bufName = strtok(NULL, " ");
+                        bufSize = strtok(NULL, " ");
+                        bufPatt = strtok(NULL, " ");
+                        trackValJutsu(bufName, strtoul(bufSize, NULL, 10), strtoul(bufPatt, NULL, 0x10));
                 }
                 if (!_stricmp(command, "searchOpcode")) {

framework3/trunk/external/source/byakugan/jutsu.cpp

@@ -7 +7 @@
 
 struct requestQueue     jutsuRequests;
-struct trackedBuf       *trackedBufList;
+struct trackedBuf       *trackedBufList = NULL;
+struct trackedVal       *trackedValList = NULL;
 
 ULONG64                         disassemblyBuffer;
@@ -33 +34 @@
         return;
 }
+
+void trackValJutsu(char *name, DWORD size, DWORD value) {
+    struct trackedVal   *newTrackedVal, *parent = NULL;
+        struct valInstance      *last, *curr;
+        char                            findValExpression[18] =  {'\x00'};
+
+        newTrackedVal = trackedValList;
+        while (newTrackedVal != NULL) {
+                if (!_stricmp(newTrackedVal->valName, name))
+                        break;
+                newTrackedVal = newTrackedVal->next;
+        }
+
+        // Search the list for the new value, purge old addresses
+        if (newTrackedVal) {
+                dprintf("[J] Narrowing down candidate list for %s from %d candidates.\n", name, newTrackedVal->candidates);
+                curr = newTrackedVal->instances;
+                last = NULL;
+                while (curr != NULL) {
+                        StringCchPrintf(findValExpression, sizeof(findValExpression), "poi(0x%08x)", curr->address);
+                if (value != GetExpression(findValExpression)) {
+                                if (last) {
+                                        last->next = curr->next;
+                                        free(curr);
+                                        curr = last->next;
+                                } else {
+                                        newTrackedVal->instances = curr->next;
+                                        free(curr);
+                                        curr = newTrackedVal->instances;
+                                }
+                                newTrackedVal->candidates--;
+                                if (newTrackedVal->candidates == 1) {
+                                        dprintf("[J] Value %s is stored at address 0x%08x\n", 
+                                                        newTrackedVal->valName, newTrackedVal->instances->address);
+                                        return;
+                                }
+                        } else {
+                                last = curr; curr = curr->next;
+                        }
+                }
+                dprintf("[J] Narrowed down address of %s to %d possible candidates.\n", name, newTrackedVal->candidates);
+                return;
+        } 
+        dprintf("[J] Creating new list of candidates for %s.\n", name);
+
+        // Create a new list and search all memory for the value
+    newTrackedVal = (struct trackedVal *) malloc(sizeof (struct trackedVal));
+    if (newTrackedVal == NULL) {
+        dprintf("[J] OOM!");
+        return;
+    }
+    newTrackedVal->next                 = NULL;
+        newTrackedVal->valSize          = size;
+        newTrackedVal->valName          = _strdup(name);
+        if(!newTrackedVal->valName) {
+                free(newTrackedVal);
+                dprintf("[J] OOM!\n");
+                return;
+        }
+
+        newTrackedVal->candidates = findAllVals((BYTE*) &value, size, &(newTrackedVal->instances));     
+        dprintf("[J] Discovered %d possible candidate addresses for %s\n", newTrackedVal->candidates, name);
+
+        newTrackedVal->next = trackedValList;
+        trackedValList = newTrackedVal;
+
+        return;
+}
+
+void listTrackedVals() {
+}
+
 
 void bindJutsu(char  *bindPort) {
@@ -469 +542 @@
 }
 
+DWORD   findAllVals(unsigned char *byteBuffer, BYTE size, struct valInstance **instance) {
+        ULONG64 addressHit = 0;
+        DWORD   addressCount = 0;
+        HRESULT memSearch;
+        struct  valInstance     *newValInstance;
+        
+        *instance = NULL;
+
+        while ((memSearch = g_ExtData->SearchVirtual(addressHit+size, (ULONG64)-1, byteBuffer,
+        size, 1, &addressHit)) == S_OK) {
+                
+                if (!*instance) {
+                        *instance = (struct valInstance *) malloc(sizeof (struct valInstance));
+                        newValInstance = *instance;
+                } else {
+                        newValInstance->next = (struct valInstance *) malloc(sizeof (struct valInstance));
+                        newValInstance = newValInstance->next;
+                }
+                newValInstance->address = addressHit;
+                newValInstance->next = NULL;
+                addressCount++;
+        }
+
+        return (addressCount);
+}
+
 BOOL checkExecutability(ULONG64 checkAddress){
         MEMORY_BASIC_INFORMATION protectionInfo;

framework3/trunk/external/source/byakugan/jutsu.h

@@ -57 +57 @@
 };
 
+struct trackedVal {
+    char    *valName;
+    BYTE    valSize;
+    ULONG   candidates;
+
+    struct  valInstance *instances;
+    struct  trackedVal  *next;
+};
+
+struct valInstance {
+    ULONG64 address;
+
+    struct valInstance *next;
+};
+
 
 void    helpJutsu(void);
@@ -69 +84 @@
 void    hunterJutsu(void);
 void    returnAddressHuntJutsu(void);
-ULONG64         allocateMemoryBlock(unsigned long); 
+void    trackValJutsu(char *name, DWORD size, DWORD value);
+ULONG64 allocateMemoryBlock(unsigned long); 
 ULONG64 searchMemory(unsigned char * byteBuffer, unsigned long length);
+DWORD   findAllVals(unsigned char *byteBuffer, BYTE size, struct valInstance **instance);
 
 // Handlers