# 读内存快捷方式添加

Medusa/Medusa.cpp

@@ -1,4 +1,4 @@
-#include "Medusa.h"
+#include "Medusa.h"
 
 #include "FileCheck.h"
 #include "Hypervisor.h"
@@ -25,6 +25,7 @@ Medusa::Medusa(QWidget *parent)
 	CallBackListUI();
 	SSDTListUI();
 	ShadowSSDTListUI();
+	SSDTRightMenuUI();
 
 
 	ProcessRightMenuUI();
@@ -59,18 +60,18 @@ Medusa::Medusa(QWidget *parent)
 
 void Medusa::Set_SLOTS()
 {
-	connect(ui.tabWidget, SIGNAL(currentChanged(int)), SLOT(ChangeTab()));//序殻
-	connect(ui.tabWidget, SIGNAL(tabBarClicked(int)), SLOT(ChangeTab()));//序殻
+	connect(ui.tabWidget, SIGNAL(currentChanged(int)), SLOT(ChangeTab()));//进程
+	connect(ui.tabWidget, SIGNAL(tabBarClicked(int)), SLOT(ChangeTab()));//进程
 
 
-	connect(&_TableView_Menu_Inject, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
-	connect(&_TableView_Menu_HookCheck, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
-	connect(&_TableView_Menu_Modules, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
-	connect(&_TableView_Menu_Threads, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
-	connect(&_TableView_Menu_KillProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
-	connect(&_TableView_Menu_PDBViewProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
-	connect(&_TableView_Menu_Memory, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
-	connect(&_TableView_Action_HideProcess, SIGNAL(triggered(bool)), SLOT(HideProcess(bool)));//序殻報炎嘔囚暇汽
+	connect(&_TableView_Menu_Inject, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单
+	connect(&_TableView_Menu_HookCheck, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单
+	connect(&_TableView_Menu_Modules, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单
+	connect(&_TableView_Menu_Threads, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单
+	connect(&_TableView_Menu_KillProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单
+	connect(&_TableView_Menu_PDBViewProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单
+	connect(&_TableView_Menu_Memory, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单
+	connect(&_TableView_Action_HideProcess, SIGNAL(triggered(bool)), SLOT(HideProcess(bool)));//进程鼠标右键菜单
 
 
 	connect(&_TableView_Menu_DriverClear, SIGNAL(triggered(QAction*)), SLOT(DriverRightMenu(QAction*)));
@@ -79,6 +80,9 @@ void Medusa::Set_SLOTS()
 	connect(&_TableView_Menu_IOCTLScanner, SIGNAL(triggered(QAction*)), SLOT(DriverRightMenuIOCTLScanner(QAction*)));
 	connect(&_TableView_Action_ViewExportFunc, SIGNAL(triggered(bool)), SLOT(DriverRightMenuViewExportFunc(bool)));
 
+	connect(&_TableView_Action_SSDT_MemoryView, SIGNAL(triggered(bool)), SLOT(SSDTMemoryView(bool)));
+	connect(&_TableView_Action_SSSDT_MemoryView, SIGNAL(triggered(bool)), SLOT(SSSDTMemoryView(bool)));
+
 	connect(ui.menuMenu, SIGNAL(triggered(QAction*)), SLOT(DriverLoadMenu(QAction*)));
 	connect(ui.menuHypervisor, SIGNAL(triggered(QAction*)), SLOT(HypervisorMenu(QAction*)));
 	connect(ui.menuPDB, SIGNAL(triggered(QAction*)), SLOT(PdbMenu(QAction*)));
@@ -104,42 +108,42 @@ void Medusa::HypervisorMenu(QAction* action)
 	if (action->text() == "R3Check")
 	{
 		Hypervisor _Hypervisor;
-		std::string str = u8"～=detected virtua environment\r\n〔=not\r\n";
+		std::string str = u8"×=detected virtua environment\r\n√=not\r\n";
 		str = str + "[Checking for known hypervisor vendors]:  ";
 		if (_Hypervisor.check_for_known_hypervisor())
 		{
-			str = str + u8"～" + "\r\n";
+			str = str + u8"×" + "\r\n";
 		}
 		else
 		{
-			str = str + u8"〔" + "\r\n";
+			str = str + u8"√" + "\r\n";
 		}
 		str = str + "[Checking highest low function leaf]:  ";
 		if (_Hypervisor.check_highest_low_function_leaf())
 		{
-			str = str + u8"～" + "\r\n";
+			str = str + u8"×" + "\r\n";
 		}
 		else
 		{
-			str = str + u8"〔" + "\r\n";
+			str = str + u8"√" + "\r\n";
 		}
 		str = str + "[Checking invalid leaf]:  ";
 		if (_Hypervisor.check_invalid_leaf())
 		{
-			str = str + u8"～" + "\r\n";
+			str = str + u8"×" + "\r\n";
 		}
 		else
 		{
-			str = str + u8"〔" + "\r\n";
+			str = str + u8"√" + "\r\n";
 		}
 		str = str + "[Profiling CPUID against FYL2XP1]:  ";
 		if (_Hypervisor.take_time_cpuid_against_fyl2xp1())
 		{
-			str = str + u8"～" + "\r\n";
+			str = str + u8"×" + "\r\n";
 		}
 		else
 		{
-			str = str + u8"〔" + "\r\n";
+			str = str + u8"√" + "\r\n";
 		}
 		QMessageBox::information(this, "Ret", str.data());
 	}
@@ -222,23 +226,23 @@ void Medusa::PdbMenu(QAction* action)
 		_Setting_SSDT_SSSDT_PDB = !_Setting_SSDT_SSSDT_PDB;
 		if (_Setting_SSDT_SSSDT_PDB)
 		{
-			action->setText(u8"〔 SSDT& SSSDT Use PDB");
+			action->setText(u8"√ SSDT& SSSDT Use PDB");
 		}
 		else
 		{
-			action->setText(u8"～ SSDT& SSSDT Use PDB");
+			action->setText(u8"× SSDT& SSSDT Use PDB");
 		}
 	}
 	if (action->text().toStdString().find("Use microsoft server") != std::string::npos)
 	{
-		action->setText(u8"〔 Use microsoft server");
-		ui.actionUse_order_server->setText(u8"～ Use Order Server");
+		action->setText(u8"√ Use microsoft server");
+		ui.actionUse_order_server->setText(u8"× Use Order Server");
 		_PDBView._PDBInfo._SymbolServer = "https://msdl.microsoft.com/download/symbols/";
 	}
 	if (action->text().toStdString().find("Use Order Server") != std::string::npos)
 	{
-		action->setText(u8"〔 Use Order Server");
-		ui.actionUse_microsoft_server->setText(u8"～ Use microsoft server");
+		action->setText(u8"√ Use Order Server");
+		ui.actionUse_microsoft_server->setText(u8"× Use microsoft server");
 		_PDBView._PDBInfo._SymbolServer = "https://msdl.szdyg.cn/download/symbols/";
 	}
 	if (action->text() == "SendPDBInfo")
@@ -365,7 +369,7 @@ void Medusa::DriverLoad(QAction* action)
 
 
 
-	//紗墮凪麿駁強
+	//加载其他驱动
 	if (action->text() == "Nt")
 	{
 		QFileDialog file_path;
@@ -609,6 +613,8 @@ void Medusa::DriverRightMenuViewExportFunc(bool)
 	addr_str.erase(0, 2);
 	ULONG64 addr = strtoull(addr_str.data(), 0, 16);
 
+	_ModuleExportFunc._PID = 0;
+	_ModuleExportFunc._Previous = true;
 	_ModuleExportFunc.GetExportFunc(addr, file_name);
 	_ModuleExportFunc.show();
 }
@@ -1457,6 +1463,10 @@ void Medusa::GetALLCallBackList()
 
 void Medusa::GetSSDT()
 {
+	if (!_Driver_Loaded)
+	{
+		return;
+	}
 	_Model_SSDT->removeRows(0, _Model_SSDT->rowCount());
 	std::vector<SSDT_STRUCT2> temp_vector = _KernelModules.GetALLSSDT(_Setting_SSDT_SSSDT_PDB);
 	int i = 0;
@@ -1475,6 +1485,10 @@ void Medusa::GetSSDT()
 
 void Medusa::GetShadowSSDT()
 {
+	if (!_Driver_Loaded)
+	{
+		return;
+	}
 	_Model_SSSDT->removeRows(0, _Model_SSSDT->rowCount());
 	std::vector<SSDT_STRUCT2> temp_vector = _KernelModules.GetALLShadowSSDT(_Setting_SSDT_SSSDT_PDB);
 	int i = 0;

Medusa/Medusa.h

@@ -1,4 +1,4 @@
-#pragma once
+#pragma once
 
 #include <QtWidgets/QMainWindow>
 #include <QStandardItemModel>
@@ -54,6 +54,20 @@ public slots:
 	void DriverRightMenuViewExportFunc(bool);
 	void DriverRightMenuIOCTLScanner(QAction*);
 	void ViewKernelMemory(QAction*);
+	void SSDTMemoryView(bool)
+	{
+		_KernelMemory.ui.lineEdit->setText(
+			ui.tableView_SSDT->model()->index(ui.tableView_SSDT->currentIndex().row(), 2).data().toString());
+		_KernelMemory.QueryMemory();
+		_KernelMemory.show();
+	}
+	void SSSDTMemoryView(bool)
+	{
+		_KernelMemory.ui.lineEdit->setText(
+			ui.tableView_SSSDT->model()->index(ui.tableView_SSSDT->currentIndex().row(), 2).data().toString());
+		_KernelMemory.QueryMemory();
+		_KernelMemory.show();
+	}
 public:
 	void GetProcessList();
 	void GetKernelModuleList();
@@ -136,6 +150,9 @@ public slots:
 
 	QMenu _TableView_Menu_IOCTLScanner;
 	QAction _TableView_Action_IOCTLScanner;
+
+	QAction _TableView_Action_SSDT_MemoryView;
+	QAction _TableView_Action_SSSDT_MemoryView;
 public:
 	void ProcessUI()
 	{
@@ -361,15 +378,23 @@ public slots:
 		ui.tableView_Driver->addAction(&_TableView_Action_IOCTLScanner);
 		ui.tableView_Driver->addAction(&_TableView_Action_ViewExportFunc);
 	}
+	void SSDTRightMenuUI()
+	{
+		_TableView_Action_SSDT_MemoryView.setText("MemoryView");
+		_TableView_Action_SSSDT_MemoryView.setText("MemoryView");
+
+		ui.tableView_SSDT->addAction(&_TableView_Action_SSDT_MemoryView);
+		ui.tableView_SSSDT->addAction(&_TableView_Action_SSSDT_MemoryView);
+	}
 public:
 	int Enable_Debug()
 	{
 		BOOL fOK = FALSE;
 		HANDLE hToken;
-		//把一个访问令牌中没有启用该权限但是本身是具有该权限的进程提权
-		if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) //打开进程访问令牌  
+		//把一个访问令牌中没有启用该权限但是本身是具有该权限的进程提权
+		if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) //打开进程访问令牌  
 		{
-			//试图修改“调试”特权  
+			//试图修改“调试”特权  
 			TOKEN_PRIVILEGES tp;
 			tp.PrivilegeCount = 1;
 			LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);

Medusa/Medusa.vcxproj

@@ -212,7 +212,6 @@
     <MASM Include="asm64.asm">
       <FileType>Document</FileType>
     </MASM>
-    <None Include=".editorconfig" />
     <None Include="SysCall.asm" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

Medusa/Medusa.vcxproj.filters

@@ -251,7 +251,6 @@
     <None Include="SysCall.asm">
       <Filter>Source Files</Filter>
     </None>
-    <None Include=".editorconfig" />
   </ItemGroup>
   <ItemGroup>
     <QtUic Include="Medusa.ui">

Medusa/ModuleExportFunc.cc

@@ -16,6 +16,7 @@ ModuleExportFunc::ModuleExportFunc(QWidget* parent)
 	ui.tableView->horizontalHeader()->setSectionsClickable(false);
 	ui.tableView->verticalHeader()->setDefaultSectionSize(25);
 	ui.tableView->setSelectionBehavior(QAbstractItemView::SelectRows);
+	ui.tableView->setContextMenuPolicy(Qt::ActionsContextMenu);
 
 	_Model->setColumnCount(4);
 	_Model->setHeaderData(0, Qt::Horizontal, u8"Index");
@@ -27,6 +28,10 @@ ModuleExportFunc::ModuleExportFunc(QWidget* parent)
 	ui.tableView->setColumnWidth(1, 250);
 	ui.tableView->setColumnWidth(2, 200);
 	ui.tableView->setColumnWidth(3, 200);
+
+	_TableView_Action_MemoryView.setText("MemoryView");
+	ui.tableView->addAction(&_TableView_Action_MemoryView);
+	connect(&_TableView_Action_MemoryView, SIGNAL(triggered(bool)), SLOT(MemoryView(bool)));
 }
 
 
@@ -103,6 +108,12 @@ std::vector<ExportFunc> ModuleExportFunc::GetExportFunc(ULONG64 Addr, std::strin
 	pAddressOfNames = (PULONG)(pExport->AddressOfNames + (ULONG_PTR)pBase);
 	pAddressOfFuncs = (PULONG)(pExport->AddressOfFunctions + (ULONG_PTR)pBase);
 
+	if ((ULONG64)pAddressOfNames == (ULONG_PTR)pBase)
+	{
+		peconv::free_pe_buffer(loaded_pe);
+		return temp_vector;
+	}
+
 	for (int i = 0; i < pExport->NumberOfFunctions; ++i)
 	{
 		//ULONG_PTR funcRVA = pAddressOfFuncs[i];
@@ -123,12 +134,12 @@ std::vector<ExportFunc> ModuleExportFunc::GetExportFunc(ULONG64 Addr, std::strin
 
 		_Model->setVerticalHeaderItem(i, new QStandardItem);
 		_Model->setData(_Model->index(i, 0), i);
-		_Model->setData(_Model->index(i, 1), funcName);
+		_Model->setData(_Model->index(i, 1), temp_ExportFunc.Name.data());
 		std::ostringstream ret2;
 		ret2 << std::hex << "0x" << temp_ExportFunc.Addr;
 		_Model->setData(_Model->index(i, 2), ret2.str().data());
 		std::ostringstream ret;
-		ret << std::hex << "0x" << *funcRVA;
+		ret << std::hex << "0x" << temp_ExportFunc.RVA;
 		_Model->setData(_Model->index(i, 3), ret.str().data());
 
 		temp_vector.push_back(temp_ExportFunc);

Medusa/ModuleExportFunc.h

@@ -18,6 +18,9 @@
 
 #include "ui_ModuleExportFunc.h"
 
+#include "KernelMemory.h"
+#include "UserMemory.h"
+
 struct ExportFunc
 {
 	ULONG64 RVA;
@@ -35,7 +38,30 @@ class ModuleExportFunc : public QMainWindow
 public:
 	std::vector<ExportFunc> GetExportFunc(ULONG64 Addr, std::string Path);
 public:
+	bool _Previous = false;
+	ULONG64 _PID = 0;
+	KernelMemory _KernelMemory;
+	UserMemory _UserMemory;
+	QAction _TableView_Action_MemoryView;
 public slots:
+	void MemoryView(bool)
+	{
+		if (_Previous)
+		{
+			_KernelMemory.ui.lineEdit->setText(
+				ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString());
+			_KernelMemory.QueryMemory();
+			_KernelMemory.show();
+		}
+		else
+		{
+			_UserMemory.PID = _PID;
+			_UserMemory.ui.lineEdit->setText(
+				ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString());
+			_UserMemory.QueryMemory();
+			_UserMemory.show();
+		}
+	}
 public:
 	Ui::Form_ModuleExportFunc ui;
 	QStandardItemModel* _Model;

Medusa/ModuleExportFunc.ui

@@ -22,6 +22,9 @@
      <height>831</height>
     </rect>
    </property>
+   <property name="contextMenuPolicy">
+    <enum>Qt::ActionsContextMenu</enum>
+   </property>
   </widget>
  </widget>
  <resources/>

Medusa/Modules.cc

@@ -122,6 +122,8 @@ void Modules::ViewExportFunc(bool)
 	addr_str.erase(0, 2);
 	ULONG64 addr = strtoull(addr_str.data(), 0, 16);
 
+	_ModuleExportFunc._PID = _PID;
+	_ModuleExportFunc._Previous = false;
 	_ModuleExportFunc.GetExportFunc(addr, file_name);
 	_ModuleExportFunc.show();
 }

Medusa/UserMemoryList.cc

@@ -38,9 +38,9 @@ UserMemoryList::UserMemoryList(QWidget* parent)
 	ui.tableView->setColumnWidth(6, 150);
 
 
-	_TableView_Action_Check.setText("Check");
+	_TableView_Action_Check.setText("MemoryView");
 	ui.tableView->addAction(&_TableView_Action_Check);
-	connect(&_TableView_Action_Check, SIGNAL(triggered(bool)), SLOT(Check(bool)));
+	connect(&_TableView_Action_Check, SIGNAL(triggered(bool)), SLOT(MemoryView(bool)));
 }
 
 std::string ProtectToString(DWORD protect) 
@@ -389,13 +389,14 @@ std::vector<UserMemoryListStruct> UserMemoryList::GetUserMemoryListR3CheckHide(U
 	return temp_vector;
 }
 
-void UserMemoryList::Check(bool)
+void UserMemoryList::MemoryView(bool)
 {
 	_UserMemory->ui.tabWidget->setCurrentIndex(1);
 	_UserMemory->PID = _PID;
 	_UserMemory->ui.label->setText("ProcessID:" + QString::number(_PID) + "    CR3:0x0");
 	_UserMemory->ui.lineEdit->setText(ui.tableView->model()->index(ui.tableView->currentIndex().row(), 1).data().toString());
-	_UserMemory->ui.lineEdit_2->setText(ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString());
+	//_UserMemory->ui.lineEdit_2->setText(ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString());
+	_UserMemory->ui.lineEdit_2->setText("0x1000");
 	if (ui.tableView->model()->index(ui.tableView->currentIndex().row(), 5).data().toString().toStdString().find("MEM_FREE") != std::string::npos)
 	{
 		_UserMemory->ui.lineEdit_2->setText("0x0");

Medusa/UserMemoryList.h

@@ -49,7 +49,7 @@ class UserMemoryList : public QMainWindow
 	std::vector<UserMemoryListStruct> GetUserMemoryListR0(ULONG64 PID);
 public:
 public slots:
-	void Check(bool);
+	void MemoryView(bool);
 public:
 	Ui::Form_UserMemoryList ui;
 	QStandardItemModel* _Model;