diff --git a/Medusa/Medusa.cpp b/Medusa/Medusa.cpp
index f359fc5..23488d7 100644
--- a/Medusa/Medusa.cpp
+++ b/Medusa/Medusa.cpp
@@ -1,4 +1,4 @@
-#include "Medusa.h"
+#include "Medusa.h"
 #include "FileCheck.h"
 #include "Hypervisor.h"
@@ -25,6 +25,7 @@ Medusa::Medusa(QWidget *parent)
 CallBackListUI();
 SSDTListUI();
 ShadowSSDTListUI();
+ SSDTRightMenuUI();
 ProcessRightMenuUI();
@@ -59,18 +60,18 @@ Medusa::Medusa(QWidget *parent) void Medusa::Set_SLOTS() { - connect(ui.tabWidget, SIGNAL(currentChanged(int)), SLOT(ChangeTab()));// - connect(ui.tabWidget, SIGNAL(tabBarClicked(int)), SLOT(ChangeTab()));// + connect(ui.tabWidget, SIGNAL(currentChanged(int)), SLOT(ChangeTab()));//进程 + connect(ui.tabWidget, SIGNAL(tabBarClicked(int)), SLOT(ChangeTab()));//进程 - connect(&_TableView_Menu_Inject, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//Ҽ˵ - connect(&_TableView_Menu_HookCheck, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//Ҽ˵ - connect(&_TableView_Menu_Modules, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//Ҽ˵ - connect(&_TableView_Menu_Threads, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//Ҽ˵ - connect(&_TableView_Menu_KillProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//Ҽ˵ - connect(&_TableView_Menu_PDBViewProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//Ҽ˵ - connect(&_TableView_Menu_Memory, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//Ҽ˵ - connect(&_TableView_Action_HideProcess, SIGNAL(triggered(bool)), SLOT(HideProcess(bool)));//Ҽ˵ + connect(&_TableView_Menu_Inject, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单 + connect(&_TableView_Menu_HookCheck, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单 + connect(&_TableView_Menu_Modules, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单 + connect(&_TableView_Menu_Threads, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单 + connect(&_TableView_Menu_KillProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单 + connect(&_TableView_Menu_PDBViewProcess, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单 + connect(&_TableView_Menu_Memory, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//进程鼠标右键菜单 + 
connect(&_TableView_Action_HideProcess, SIGNAL(triggered(bool)), SLOT(HideProcess(bool)));//进程鼠标右键菜单 connect(&_TableView_Menu_DriverClear, SIGNAL(triggered(QAction*)), SLOT(DriverRightMenu(QAction*))); @@ -79,6 +80,9 @@ void Medusa::Set_SLOTS() connect(&_TableView_Menu_IOCTLScanner, SIGNAL(triggered(QAction*)), SLOT(DriverRightMenuIOCTLScanner(QAction*))); connect(&_TableView_Action_ViewExportFunc, SIGNAL(triggered(bool)), SLOT(DriverRightMenuViewExportFunc(bool))); + connect(&_TableView_Action_SSDT_MemoryView, SIGNAL(triggered(bool)), SLOT(SSDTMemoryView(bool))); + connect(&_TableView_Action_SSSDT_MemoryView, SIGNAL(triggered(bool)), SLOT(SSSDTMemoryView(bool))); + connect(ui.menuMenu, SIGNAL(triggered(QAction*)), SLOT(DriverLoadMenu(QAction*))); connect(ui.menuHypervisor, SIGNAL(triggered(QAction*)), SLOT(HypervisorMenu(QAction*))); connect(ui.menuPDB, SIGNAL(triggered(QAction*)), SLOT(PdbMenu(QAction*))); 
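Review bot: The two new connect() calls use the string-based SIGNAL()/SLOT() macros, so a misspelled or mis-typed slot such as `SSSDTMemoryView(bool)` is only reported as a runtime warning when the window is constructed, never at compile time. If the project builds against Qt 5 or later, the pointer-to-member form `connect(&_TableView_Action_SSDT_MemoryView, &QAction::triggered, this, &Medusa::SSDTMemoryView);` is checked by the compiler; the same applies to the connect added in the ModuleExportFunc constructor. Set_SLOTS continues outside the hunk.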
@@ -104,42 +108,42 @@ void Medusa::HypervisorMenu(QAction* action)
 if (action->text() == "R3Check")
 {
 Hypervisor _Hypervisor;
- std::string str = u8"=detected virtua environment\r\n=not\r\n";
+ std::string str = u8"×=detected virtua environment\r\n√=not\r\n";
 str = str + "[Checking for known hypervisor vendors]: ";
 if (_Hypervisor.check_for_known_hypervisor())
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"×" + "\r\n";
 }
 else
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"√" + "\r\n";
 }
 str = str + "[Checking highest low function leaf]: ";
 if (_Hypervisor.check_highest_low_function_leaf())
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"×" + "\r\n";
 }
 else
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"√" + "\r\n";
 }
 str = str + "[Checking invalid leaf]: ";
 if (_Hypervisor.check_invalid_leaf())
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"×" + "\r\n";
 }
 else
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"√" + "\r\n";
 }
 str = str + "[Profiling CPUID against FYL2XP1]: ";
 if (_Hypervisor.take_time_cpuid_against_fyl2xp1())
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"×" + "\r\n";
 }
 else
 {
- str = str + u8"" + "\r\n";
+ str = str + u8"√" + "\r\n";
 }
 QMessageBox::information(this, "Ret", str.data());
 }
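Review bot: The four detection checks each repeat the same two-branch append of `u8"×"` or `u8"√"` plus `"\r\n"`, and the legend string this hunk rewrites still reads `virtua environment` (typo for `virtual`). A small local lambda that maps a check result to its mark removes the eight duplicated branches and keeps the legend and the marks next to each other; note that correcting the legend is a user-visible string change. The enclosing HypervisorMenu continues outside the hunk.
```cpp
Hypervisor _Hypervisor;
// Maps a check result to its report mark: × = hypervisor indicator found, √ = not found.
const auto mark = [](bool detected) { return std::string(detected ? u8"×" : u8"√") + "\r\n"; };
std::string str = u8"×=detected virtual environment\r\n√=not\r\n";
str += "[Checking for known hypervisor vendors]: " + mark(_Hypervisor.check_for_known_hypervisor());
str += "[Checking highest low function leaf]: " + mark(_Hypervisor.check_highest_low_function_leaf());
str += "[Checking invalid leaf]: " + mark(_Hypervisor.check_invalid_leaf());
str += "[Profiling CPUID against FYL2XP1]: " + mark(_Hypervisor.take_time_cpuid_against_fyl2xp1());
QMessageBox::information(this, "Ret", str.data());
```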
@@ -222,23 +226,23 @@ void Medusa::PdbMenu(QAction* action)
 _Setting_SSDT_SSSDT_PDB = !_Setting_SSDT_SSSDT_PDB;
 if (_Setting_SSDT_SSSDT_PDB)
 {
- action->setText(u8" SSDT& SSSDT Use PDB");
+ action->setText(u8"√ SSDT& SSSDT Use PDB");
 }
 else
 {
- action->setText(u8" SSDT& SSSDT Use PDB");
+ action->setText(u8"× SSDT& SSSDT Use PDB");
 }
 }
 if (action->text().toStdString().find("Use microsoft server") != std::string::npos)
 {
- action->setText(u8" Use microsoft server");
- ui.actionUse_order_server->setText(u8" Use Order Server");
+ action->setText(u8"√ Use microsoft server");
+ ui.actionUse_order_server->setText(u8"× Use Order Server");
 _PDBView._PDBInfo._SymbolServer = "https://msdl.microsoft.com/download/symbols/";
 }
 if (action->text().toStdString().find("Use Order Server") != std::string::npos)
 {
- action->setText(u8" Use Order Server");
- ui.actionUse_microsoft_server->setText(u8" Use microsoft server");
+ action->setText(u8"√ Use Order Server");
+ ui.actionUse_microsoft_server->setText(u8"× Use microsoft server");
 _PDBView._PDBInfo._SymbolServer = "https://msdl.szdyg.cn/download/symbols/";
 }
 if (action->text() == "SendPDBInfo")
@@ -365,7 +369,7 @@ void Medusa::DriverLoad(QAction* action)
- //
+ //加载其他驱动
 if (action->text() == "Nt")
 {
 QFileDialog file_path;
@@ -609,6 +613,8 @@ void Medusa::DriverRightMenuViewExportFunc(bool)
 addr_str.erase(0, 2);
 ULONG64 addr = strtoull(addr_str.data(), 0, 16);
+ _ModuleExportFunc._PID = 0;
+ _ModuleExportFunc._Previous = true;
 _ModuleExportFunc.GetExportFunc(addr, file_name);
 _ModuleExportFunc.show();
 }
@@ -1457,6 +1463,10 @@ void Medusa::GetALLCallBackList()
 void Medusa::GetSSDT()
 {
+ if (!_Driver_Loaded)
+ {
+ return;
+ }
 _Model_SSDT->removeRows(0, _Model_SSDT->rowCount());
 std::vector temp_vector = _KernelModules.GetALLSSDT(_Setting_SSDT_SSSDT_PDB);
 int i = 0;
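Review bot: The new `_Driver_Loaded` guard in GetSSDT returns before `_Model_SSDT->removeRows(...)`, so whatever the table showed earlier stays on screen when the driver is not loaded; if the driver can become unloaded after a successful refresh, that leaves stale entries with nothing marking them as such. Clearing the model inside the guard keeps the view consistent: `if (!_Driver_Loaded) { _Model_SSDT->removeRows(0, _Model_SSDT->rowCount()); return; }`. GetShadowSSDT in the next hunk has the same shape. GetSSDT continues outside the hunk.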
@@ -1475,6 +1485,10 @@ void Medusa::GetSSDT()
 void Medusa::GetShadowSSDT()
 {
+ if (!_Driver_Loaded)
+ {
+ return;
+ }
 _Model_SSSDT->removeRows(0, _Model_SSSDT->rowCount());
 std::vector temp_vector = _KernelModules.GetALLShadowSSDT(_Setting_SSDT_SSSDT_PDB);
 int i = 0;
diff --git a/Medusa/Medusa.h b/Medusa/Medusa.h
index 3fd28f6..939d426 100644
--- a/Medusa/Medusa.h
+++ b/Medusa/Medusa.h
@@ -1,4 +1,4 @@
-#pragma once
+#pragma once
 #include
 #include
@@ -54,6 +54,20 @@ public slots:
 void DriverRightMenuViewExportFunc(bool);
 void DriverRightMenuIOCTLScanner(QAction*);
 void ViewKernelMemory(QAction*);
+ void SSDTMemoryView(bool)
+ {
+ _KernelMemory.ui.lineEdit->setText(
+ ui.tableView_SSDT->model()->index(ui.tableView_SSDT->currentIndex().row(), 2).data().toString());
+ _KernelMemory.QueryMemory();
+ _KernelMemory.show();
+ }
+ void SSSDTMemoryView(bool)
+ {
+ _KernelMemory.ui.lineEdit->setText(
+ ui.tableView_SSSDT->model()->index(ui.tableView_SSSDT->currentIndex().row(), 2).data().toString());
+ _KernelMemory.QueryMemory();
+ _KernelMemory.show();
+ }
 public:
 void GetProcessList();
 void GetKernelModuleList();
@@ -136,6 +150,9 @@ public slots:
 QMenu _TableView_Menu_IOCTLScanner;
 QAction _TableView_Action_IOCTLScanner;
+
+ QAction _TableView_Action_SSDT_MemoryView;
+ QAction _TableView_Action_SSSDT_MemoryView;
 public:
 void ProcessUI()
 {
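Review bot: SSDTMemoryView and SSSDTMemoryView read `currentIndex().row()` without checking that a row is selected; with no selection the index is invalid, `row()` is -1, the model index is invalid and an empty string is handed to `_KernelMemory.QueryMemory()`, so the action should be a no-op unless `currentIndex().isValid()`. The two slots are otherwise identical apart from the view, and ModuleExportFunc::MemoryView in ModuleExportFunc.h has the same missing check, so one helper taking the view keeps the selection guard in a single place. The helper below uses the QAbstractItemView base so it works for whichever view type the `.ui` declares.
```cpp
void SSDTMemoryView(bool) { ShowKernelMemoryForSelection(ui.tableView_SSDT); }
void SSSDTMemoryView(bool) { ShowKernelMemoryForSelection(ui.tableView_SSSDT); }
// Opens the kernel memory viewer at the address in column 2 of the selected row; does nothing without a selection.
void ShowKernelMemoryForSelection(QAbstractItemView* view)
{
    const QModelIndex current = view->currentIndex();
    if (!current.isValid())
    {
        return;
    }
    _KernelMemory.ui.lineEdit->setText(current.sibling(current.row(), 2).data().toString());
    _KernelMemory.QueryMemory();
    _KernelMemory.show();
}
```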
@@ -361,15 +378,23 @@ public slots: ui.tableView_Driver->addAction(&_TableView_Action_IOCTLScanner); ui.tableView_Driver->addAction(&_TableView_Action_ViewExportFunc); } + void SSDTRightMenuUI() + { + _TableView_Action_SSDT_MemoryView.setText("MemoryView"); + _TableView_Action_SSSDT_MemoryView.setText("MemoryView"); + + ui.tableView_SSDT->addAction(&_TableView_Action_SSDT_MemoryView); + ui.tableView_SSSDT->addAction(&_TableView_Action_SSSDT_MemoryView); + } public: int Enable_Debug() { BOOL fOK = FALSE; HANDLE hToken; - //һûøȨ޵DZǾиȨ޵ĽȨ - if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) //򿪽̷ + //把一个访问令牌中没有启用该权限但是本身是具有该权限的进程提权 + if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) //打开进程访问令牌 { - //ͼ޸ġԡȨ + //试图修改“调试”特权 TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1; LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); diff --git a/Medusa/Medusa.vcxproj b/Medusa/Medusa.vcxproj index 48ef6bd..e866b14 100644 --- a/Medusa/Medusa.vcxproj +++ b/Medusa/Medusa.vcxproj @@ -212,7 +212,6 @@ Document - diff --git a/Medusa/Medusa.vcxproj.filters b/Medusa/Medusa.vcxproj.filters index 38a5588..cdd4967 100644 --- a/Medusa/Medusa.vcxproj.filters +++ b/Medusa/Medusa.vcxproj.filters @@ -251,7 +251,6 @@ Source Files - diff --git a/Medusa/ModuleExportFunc.cc b/Medusa/ModuleExportFunc.cc index 47011d2..d8c495c 100644 --- a/Medusa/ModuleExportFunc.cc +++ b/Medusa/ModuleExportFunc.cc @@ -16,6 +16,7 @@ ModuleExportFunc::ModuleExportFunc(QWidget* parent) ui.tableView->horizontalHeader()->setSectionsClickable(false); ui.tableView->verticalHeader()->setDefaultSectionSize(25); ui.tableView->setSelectionBehavior(QAbstractItemView::SelectRows); + ui.tableView->setContextMenuPolicy(Qt::ActionsContextMenu); _Model->setColumnCount(4); _Model->setHeaderData(0, Qt::Horizontal, u8"Index"); 
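Review bot: SSDTRightMenuUI adds the two actions to `tableView_SSDT` and `tableView_SSSDT`, but actions attached with addAction only show up as a right-click menu when the view's context-menu policy is `Qt::ActionsContextMenu`; this commit sets that policy for ModuleExportFunc's table (in both its constructor and its `.ui`), while nothing in the diff shows it for the two SSDT views. Presumably SSDTListUI()/ShadowSSDTListUI() already set it; if not, `ui.tableView_SSDT->setContextMenuPolicy(Qt::ActionsContextMenu);` (and the same for `tableView_SSSDT`) belongs here next to the addAction calls. Both actions also carry the same text `"MemoryView"`, which is fine since they live on different views.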
@@ -27,6 +28,10 @@ ModuleExportFunc::ModuleExportFunc(QWidget* parent)
 ui.tableView->setColumnWidth(1, 250);
 ui.tableView->setColumnWidth(2, 200);
 ui.tableView->setColumnWidth(3, 200);
+
+ _TableView_Action_MemoryView.setText("MemoryView");
+ ui.tableView->addAction(&_TableView_Action_MemoryView);
+ connect(&_TableView_Action_MemoryView, SIGNAL(triggered(bool)), SLOT(MemoryView(bool)));
 }
@@ -103,6 +108,12 @@ std::vector ModuleExportFunc::GetExportFunc(ULONG64 Addr, std::strin
 pAddressOfNames = (PULONG)(pExport->AddressOfNames + (ULONG_PTR)pBase);
 pAddressOfFuncs = (PULONG)(pExport->AddressOfFunctions + (ULONG_PTR)pBase);
+ if ((ULONG64)pAddressOfNames == (ULONG_PTR)pBase)
+ {
+ peconv::free_pe_buffer(loaded_pe);
+ return temp_vector;
+ }
+
 for (int i = 0; i < pExport->NumberOfFunctions; ++i)
 {
 //ULONG_PTR funcRVA = pAddressOfFuncs[i];
@@ -123,12 +134,12 @@ std::vector ModuleExportFunc::GetExportFunc(ULONG64 Addr, std::strin
 _Model->setVerticalHeaderItem(i, new QStandardItem);
 _Model->setData(_Model->index(i, 0), i);
- _Model->setData(_Model->index(i, 1), funcName);
+ _Model->setData(_Model->index(i, 1), temp_ExportFunc.Name.data());
 std::ostringstream ret2;
 ret2 << std::hex << "0x" << temp_ExportFunc.Addr;
 _Model->setData(_Model->index(i, 2), ret2.str().data());
 std::ostringstream ret;
- ret << std::hex << "0x" << *funcRVA;
+ ret << std::hex << "0x" << temp_ExportFunc.RVA;
 _Model->setData(_Model->index(i, 3), ret.str().data());
 temp_vector.push_back(temp_ExportFunc);
diff --git a/Medusa/ModuleExportFunc.h b/Medusa/ModuleExportFunc.h
index e025f4d..722469a 100644
--- a/Medusa/ModuleExportFunc.h
+++ b/Medusa/ModuleExportFunc.h
@@ -18,6 +18,9 @@
 #include "ui_ModuleExportFunc.h"
+#include "KernelMemory.h"
+#include "UserMemory.h"
+
 struct ExportFunc
 {
 ULONG64 RVA;
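Review bot: The guard added in GetExportFunc only catches an `AddressOfNames` RVA of zero, and the cast comparison `(ULONG64)pAddressOfNames == (ULONG_PTR)pBase` is a roundabout way of writing `pExport->AddressOfNames == 0`; any other out-of-range RVA in the export directory of the file being parsed still sends the loop below reading outside the mapped image. The PE on disk is untrusted input to this parser, so `AddressOfNames`, `AddressOfFunctions` and the `NumberOfNames`/`NumberOfFunctions` counts should be validated against the mapped image size before the tables are dereferenced, for example `if (pExport->AddressOfNames == 0 || pExport->AddressOfNames + sizeof(ULONG) * pExport->NumberOfNames > image_size) { peconv::free_pe_buffer(loaded_pe); return temp_vector; }` with `image_size` standing for the size of the buffer the loader returned. The loop also iterates `NumberOfFunctions` entries while the name table has `NumberOfNames` entries; if its body indexes `pAddressOfNames[i]` (not visible here) that is a second over-read to confirm. GetExportFunc continues outside the hunk.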
@@ -35,7 +38,30 @@ class ModuleExportFunc : public QMainWindow public: std::vector GetExportFunc(ULONG64 Addr, std::string Path); public: + bool _Previous = false; + ULONG64 _PID = 0; + KernelMemory _KernelMemory; + UserMemory _UserMemory; + QAction _TableView_Action_MemoryView; public slots: + void MemoryView(bool) + { + if (_Previous) + { + _KernelMemory.ui.lineEdit->setText( + ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString()); + _KernelMemory.QueryMemory(); + _KernelMemory.show(); + } + else + { + _UserMemory.PID = _PID; + _UserMemory.ui.lineEdit->setText( + ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString()); + _UserMemory.QueryMemory(); + _UserMemory.show(); + } + } public: Ui::Form_ModuleExportFunc ui; QStandardItemModel* _Model; diff --git a/Medusa/ModuleExportFunc.ui b/Medusa/ModuleExportFunc.ui index d77446f..e809b19 100644 --- a/Medusa/ModuleExportFunc.ui +++ b/Medusa/ModuleExportFunc.ui @@ -22,6 +22,9 @@ 831 + + Qt::ActionsContextMenu + diff --git a/Medusa/Modules.cc b/Medusa/Modules.cc index aeb8771..2b09034 100644 --- a/Medusa/Modules.cc +++ b/Medusa/Modules.cc @@ -122,6 +122,8 @@ void Modules::ViewExportFunc(bool) addr_str.erase(0, 2); ULONG64 addr = strtoull(addr_str.data(), 0, 16); + _ModuleExportFunc._PID = _PID; + _ModuleExportFunc._Previous = false; _ModuleExportFunc.GetExportFunc(addr, file_name); _ModuleExportFunc.show(); } diff --git a/Medusa/UserMemoryList.cc b/Medusa/UserMemoryList.cc index a33ce7e..5a90a45 100644 --- a/Medusa/UserMemoryList.cc +++ b/Medusa/UserMemoryList.cc 
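Review bot: `_Previous` is a bool that actually selects between the kernel and the user memory viewer (set to true in DriverRightMenuViewExportFunc, false in Modules::ViewExportFunc), and together with `_PID` it is a public field the caller must assign before calling GetExportFunc(), so the contract is invisible at the call site and easy to get out of order. A self-describing name with a setter, `void SetTarget(bool kernel, ULONG64 pid) { _IsKernel = kernel; _PID = pid; }`, or passing both through GetExportFunc, makes the dependency explicit; at minimum the field needs a comment such as `// true: addresses are kernel-mode (opens KernelMemory); false: user-mode addresses of process _PID (opens UserMemory)`. MemoryView also reads `ui.tableView->currentIndex()` without checking it is valid, the same gap as the new SSDT slots in Medusa.h.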
@@ -38,9 +38,9 @@ UserMemoryList::UserMemoryList(QWidget* parent)
 ui.tableView->setColumnWidth(6, 150);
- _TableView_Action_Check.setText("Check");
+ _TableView_Action_Check.setText("MemoryView");
 ui.tableView->addAction(&_TableView_Action_Check);
- connect(&_TableView_Action_Check, SIGNAL(triggered(bool)), SLOT(Check(bool)));
+ connect(&_TableView_Action_Check, SIGNAL(triggered(bool)), SLOT(MemoryView(bool)));
 }
 std::string ProtectToString(DWORD protect)
@@ -389,13 +389,14 @@ std::vector UserMemoryList::GetUserMemoryListR3CheckHide(U
 return temp_vector;
 }
-void UserMemoryList::Check(bool)
+void UserMemoryList::MemoryView(bool)
 {
 _UserMemory->ui.tabWidget->setCurrentIndex(1);
 _UserMemory->PID = _PID;
 _UserMemory->ui.label->setText("ProcessID:" + QString::number(_PID) + " CR3:0x0");
 _UserMemory->ui.lineEdit->setText(ui.tableView->model()->index(ui.tableView->currentIndex().row(), 1).data().toString());
- _UserMemory->ui.lineEdit_2->setText(ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString());
+ //_UserMemory->ui.lineEdit_2->setText(ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString());
+ _UserMemory->ui.lineEdit_2->setText("0x1000");
 if (ui.tableView->model()->index(ui.tableView->currentIndex().row(), 5).data().toString().toStdString().find("MEM_FREE") != std::string::npos)
 {
 _UserMemory->ui.lineEdit_2->setText("0x0");
diff --git a/Medusa/UserMemoryList.h b/Medusa/UserMemoryList.h
index 278b8b7..ec90538 100644
--- a/Medusa/UserMemoryList.h
+++ b/Medusa/UserMemoryList.h
@@ -49,7 +49,7 @@ class UserMemoryList : public QMainWindow
 std::vector GetUserMemoryListR0(ULONG64 PID);
 public:
 public slots:
- void Check(bool);
+ void MemoryView(bool);
 public:
 Ui::Form_UserMemoryList ui;
 QStandardItemModel* _Model;
diff --git a/MedusaKernel/IO_Control.cc b/MedusaKernel/IO_Control.cc
index 4dce15e..a3998cd 100644
--- a/MedusaKernel/IO_Control.cc
+++ b/MedusaKernel/IO_Control.cc
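Review bot: The renamed MemoryView replaces the region size taken from column 2 with a hard-coded `"0x1000"` and leaves the old statement behind as a comment; the commented-out line should be deleted (history keeps it) and the literal named, because `0x1000` reads like a page size but nothing here says why the region's own size was dropped. If the intent is to show a single page from the region start, `constexpr const char* kDefaultViewSize = "0x1000"; // one page; the full region size can be too large to display` documents it at the declaration. The later `MEM_FREE` branch that overrides the size to `"0x0"` is unchanged, and the slot rename matches the header hunk in UserMemoryList.h; MemoryView continues outside the hunk.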
@@ -1,4 +1,4 @@ -#include "IO_Control.h" +#include "IO_Control.h" #include @@ -59,7 +59,7 @@ IO_Control* IO_Control::_This; NTSTATUS IO_Control::Create_IO_Control() { NTSTATUS status = 0; - //豸 + //创建设备对象 RtlInitUnicodeString(&Device_Name, DEVICE_NAME); status = IoCreateDevice(Driver_Object, 0, &Device_Name, FILE_DEVICE_UNKNOWN, 0, FALSE, &Device_Object); if (!NT_SUCCESS(status)) @@ -69,7 +69,7 @@ NTSTATUS IO_Control::Create_IO_Control() } Device_Object->Flags |= DO_BUFFERED_IO; - // + //创建符号连接 RtlInitUnicodeString(&Link_Name, LINK_NAME); status = IoCreateSymbolicLink(&Link_Name, &Device_Name); if (!NT_SUCCESS(status)) diff --git a/MedusaKernel/MedusaKernel.vcxproj b/MedusaKernel/MedusaKernel.vcxproj index ff29106..8982d6a 100644 --- a/MedusaKernel/MedusaKernel.vcxproj +++ b/MedusaKernel/MedusaKernel.vcxproj @@ -163,9 +163,6 @@ - - - diff --git a/MedusaKernel/MedusaKernel.vcxproj.filters b/MedusaKernel/MedusaKernel.vcxproj.filters index 8e86279..36db766 100644 --- a/MedusaKernel/MedusaKernel.vcxproj.filters +++ b/MedusaKernel/MedusaKernel.vcxproj.filters @@ -24,9 +24,6 @@ {611dad42-9171-4066-992f-7022646d44c3} - - - Source Files diff --git a/MedusaKernel/SSDT.h b/MedusaKernel/SSDT.h index aa9df9b..ecada3e 100644 --- a/MedusaKernel/SSDT.h +++ b/MedusaKernel/SSDT.h @@ -23,7 +23,7 @@ class SSDT SSDT() = default; ~SSDT() = default; public: - ULONG64 _KeServiceDescriptorTableShadow; + ULONG64 _KeServiceDescriptorTableShadow = 0; std::vector _SSDTALL; std::vector _SSSDTALL; public: diff --git a/MedusaKernel/packages.config b/MedusaKernel/packages.config deleted file mode 100644 index 7d7b6ea..0000000 --- a/MedusaKernel/packages.config +++ /dev/null @@ -1,5 +0,0 @@ - - - - - \ No newline at end of file diff --git a/Readme.md b/Readme.md index fd68ef9..fa26faa 100644 --- a/Readme.md +++ b/Readme.md 
@@ -4,6 +4,10 @@ ##### 更新日志: +###### 11-27 调整了一些快捷读内存 和BUG修复 + +###### 11-27 新增了查看导出函数的功能 新增了查看SSDT和SSSDT的功能 + ###### 11-5 添加了一个IOCTL只读的菜单 方便使用 添加了右键查看导出表函数 以及查看SSDT和SSSDT ###### 9-12 添加了应用层内存查看和检索列表 类似之前的内核查看 和一些细节优化