系统版本：Win10 64 位 1903（10.0.18362）
先将调试器附加到 explorer.exe 进程，再运行此脚本。
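"use strict";

// The two addresses below were taken from the author's machine (the Win10 1903 /
// 10.0.18362 build named at the top of the post) and are only valid for that boot:
// kernel addresses move with every boot, so they must be resolved again on the
// target before this script is run anywhere else.
const GP_KERNEL_HANDLE_TABLE_ADDR = '0xffffb9bb1a9c5758';
const G_SHARED_INFO_ADDR = '0xffffb9bb1a9c5770';

// Offset of the window-name pointer inside tagWND as used by the author (+0xb8).
// NOTE(review): build-specific; confirm against the symbols of the running target.
const WND_NAME_OFFSET = 0xb8;

// Upper bound of handle indexes scanned (the author's hard-coded limit).
const MAX_HANDLE_INDEX = 0xffff;

// Byte stride between consecutive entries as used in the author's offset formula.
const HANDLE_ENTRY_SIZE = 0x18;

/**
 * JsProvider entry point: declares the host API version this script needs.
 * @returns {object[]} API-version descriptor consumed by the debugger.
 */
function initializeScript() {
  return [new host.apiVersionSupport(1, 6)];
}

/**
 * Writes one line to the debugger output window.
 * @param {*} msg - value to print; coerced to a string.
 */
function logln(msg) {
  host.diagnostics.debugLog(msg + '\n');
}

/**
 * Reads one 64-bit value from target memory.
 *
 * Always yields a host Int64 so callers can chain .add/.compareTo on the result.
 * The previous version returned the plain number 0 on failure, which made the
 * callers' .add()/.compareTo() calls throw a TypeError instead of skipping the entry.
 *
 * @param {Int64} addr - target address to read.
 * @returns {Int64} the value at addr, or Int64(0) when the read fails.
 */
function read_u64(addr) {
  try {
    return host.memory.readMemoryValues(addr, 1, 8)[0];
  } catch (e) {
    // Typical failure seen by the author: "64 bit value loses precision on
    // conversion to number". An unreadable address is treated as "not present",
    // not as fatal, so the caller can continue scanning.
    return host.Int64(0);
  }
}

/**
 * JsProvider entry point for `!scriptrun`: walks the USER handle table from
 * gpKernelHandleTable and prints every tagWND that has a non-zero name pointer.
 * Must be run while attached to explorer.exe (see the note above the script).
 */
function invokeScript() {
  // Both globals are pointers; dereference them once before the scan.
  const gpKernelHandleTable = read_u64(host.parseInt64(GP_KERNEL_HANDLE_TABLE_ADDR, 16));
  const gSharedInfo = read_u64(host.parseInt64(G_SHARED_INFO_ADDR, 16));

  for (let i = 0; i < MAX_HANDLE_INDEX; i++) {
    // Entry offset exactly as the author computed it: ((gSharedInfo * i) >> 5) * 0x18.
    // NOTE(review): kept as written; verify the stride against the target's handle-table layout.
    const entryOffset = gSharedInfo
      .multiply(i)
      .bitwiseShiftRight(5)
      .multiply(HANDLE_ENTRY_SIZE);

    const tagWnd = read_u64(gpKernelHandleTable.add(entryOffset));
    if (tagWnd.compareTo(0) === 0) continue;

    // The window-name string pointer sits at tagWND + 0xb8 on this build.
    const namePtr = read_u64(tagWnd.add(WND_NAME_OFFSET));
    if (namePtr.compareTo(0) === 0) continue;

    try {
      const wndName = host.memory.readWideString(namePtr);
      host.diagnostics.debugLog("index: ", i.toString(16), " tagWnd: ", tagWnd, " 名称:", wndName, "\n");
    } catch (e) {
      // Best-effort: a pointer that is unreadable or not a wide string is skipped.
    }
  }
}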
gpKernelHandleTable 和 gSharedInfo 都是导出符号。