diff --git a/KsDumperClient/Driver/DriverInterface.cs b/KsDumperClient/Driver/DriverInterface.cs
index cc70210..2534b14 100644
--- a/KsDumperClient/Driver/DriverInterface.cs
+++ b/KsDumperClient/Driver/DriverInterface.cs
@@ -7,7 +7,7 @@
namespace KsDumperClient.Driver
{
- public class DriverInterface
+ public class DriverInterface : IDisposable
{
private readonly IntPtr driverHandle;
@@ -106,5 +106,25 @@ public bool CopyVirtualMemory(int targetProcessId, IntPtr targetAddress, IntPtr
}
return false;
}
+
+ public bool UnloadDriver()
+ {
+ if (driverHandle != WinApi.INVALID_HANDLE_VALUE)
+ {
+ return WinApi.DeviceIoControl(driverHandle, IO_UNLOAD_DRIVER, IntPtr.Zero, 0, IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero);
+ }
+ return false;
+ }
+
+ public void Dispose()
+ {
+ WinApi.CloseHandle(driverHandle);
+ }
+
+ ~DriverInterface()
+ {
+ WinApi.CloseHandle(driverHandle);
+ }
+
}
}
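Review bot: `Dispose()` and the finalizer each call `WinApi.CloseHandle(driverHandle)` unconditionally, and `Dispose()` never calls `GC.SuppressFinalize(this)`, so a disposed instance closes the same handle a second time when it is finalized; a double `CloseHandle` raises under a debugger and can otherwise close an unrelated handle that has since reused the value. The `INVALID_HANDLE_VALUE` check that `UnloadDriver()` makes is missing from both, and because `driverHandle` is `readonly` the field cannot be reset after closing, so a `disposed` flag is needed. The usual shape is a shared `Dispose(bool)` guarded by that flag with `GC.SuppressFinalize` in the public `Dispose()`; wrapping the handle in a `SafeFileHandle` at open time would remove the finalizer altogether. The handle is acquired in a constructor outside this hunk, so the invalid-value convention is taken from `UnloadDriver()`'s own check.
```csharp
private bool disposed;

// … unchanged: UnloadDriver …

public void Dispose()
{
    Dispose(true);
    GC.SuppressFinalize(this);
}

~DriverInterface()
{
    Dispose(false);
}

// Shared teardown; runs at most once whether Dispose or the finalizer gets here first.
private void Dispose(bool disposing)
{
    if (disposed)
    {
        return;
    }
    disposed = true;

    // driverHandle is readonly, so the flag above is what prevents a second CloseHandle.
    if (driverHandle != WinApi.INVALID_HANDLE_VALUE)
    {
        WinApi.CloseHandle(driverHandle);
    }
}
```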
diff --git a/KsDumperClient/Driver/Operations.cs b/KsDumperClient/Driver/Operations.cs
index 4047219..a4fe555 100644
--- a/KsDumperClient/Driver/Operations.cs
+++ b/KsDumperClient/Driver/Operations.cs
@@ -10,6 +10,8 @@ public static class Operations
public static readonly uint IO_COPY_MEMORY = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1725, METHOD_BUFFERED, FILE_ANY_ACCESS);
+ public static readonly uint IO_UNLOAD_DRIVER = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1726, METHOD_BUFFERED, FILE_ANY_ACCESS);
+
[StructLayout(LayoutKind.Sequential)]
public struct KERNEL_PROCESS_LIST_OPERATION
{
diff --git a/KsDumperClient/Dumper.Designer.cs b/KsDumperClient/Dumper.Designer.cs
index 29e2f6b..9dc9fa8 100644
--- a/KsDumperClient/Dumper.Designer.cs
+++ b/KsDumperClient/Dumper.Designer.cs
@@ -1,239 +1,250 @@
-namespace KsDumperClient
-{
- partial class Dumper
- {
- ///
- /// Required designer variable.
- ///
- private System.ComponentModel.IContainer components = null;
-
- ///
- /// Clean up any resources being used.
- ///
- /// true if managed resources should be disposed; otherwise, false.
- protected override void Dispose(bool disposing)
- {
- if (disposing && (components != null))
- {
- components.Dispose();
- }
- base.Dispose(disposing);
- }
-
- #region Windows Form Designer generated code
-
- ///
- /// Required method for Designer support - do not modify
- /// the contents of this method with the code editor.
- ///
- private void InitializeComponent()
- {
- this.components = new System.ComponentModel.Container();
- this.toolStrip1 = new System.Windows.Forms.ToolStrip();
- this.refreshMenuBtn = new System.Windows.Forms.ToolStripButton();
- this.hideSystemProcessMenuBtn = new System.Windows.Forms.ToolStripButton();
- this.groupBox1 = new System.Windows.Forms.GroupBox();
- this.logsTextBox = new System.Windows.Forms.RichTextBox();
- this.contextMenuStrip1 = new System.Windows.Forms.ContextMenuStrip(this.components);
- this.dumpMainModuleToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
- this.toolStripSeparator1 = new System.Windows.Forms.ToolStripSeparator();
- this.openInExplorerToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
- this.processList = new KsDumperClient.Utility.ProcessListView();
- this.PIDHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
- this.NameHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
- this.PathHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
- this.BaseAddressHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
- this.EntryPointHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
- this.ImageSizeHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
- this.ImageTypeHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
- this.toolStrip1.SuspendLayout();
- this.groupBox1.SuspendLayout();
- this.contextMenuStrip1.SuspendLayout();
- this.SuspendLayout();
- //
- // toolStrip1
- //
- this.toolStrip1.AllowMerge = false;
- this.toolStrip1.GripStyle = System.Windows.Forms.ToolStripGripStyle.Hidden;
- this.toolStrip1.Items.AddRange(new System.Windows.Forms.ToolStripItem[] {
- this.refreshMenuBtn,
- this.hideSystemProcessMenuBtn});
- this.toolStrip1.Location = new System.Drawing.Point(0, 0);
- this.toolStrip1.Margin = new System.Windows.Forms.Padding(2);
- this.toolStrip1.Name = "toolStrip1";
- this.toolStrip1.Padding = new System.Windows.Forms.Padding(2, 3, 2, 2);
- this.toolStrip1.ShowItemToolTips = false;
- this.toolStrip1.Size = new System.Drawing.Size(1004, 27);
- this.toolStrip1.TabIndex = 4;
- this.toolStrip1.Text = "toolStrip1";
- //
- // refreshMenuBtn
- //
- this.refreshMenuBtn.DisplayStyle = System.Windows.Forms.ToolStripItemDisplayStyle.Text;
- this.refreshMenuBtn.ImageTransparentColor = System.Drawing.Color.Magenta;
- this.refreshMenuBtn.Name = "refreshMenuBtn";
- this.refreshMenuBtn.Size = new System.Drawing.Size(50, 19);
- this.refreshMenuBtn.Text = "Refresh";
- this.refreshMenuBtn.Click += new System.EventHandler(this.refreshMenuBtn_Click);
- //
- // hideSystemProcessMenuBtn
- //
- this.hideSystemProcessMenuBtn.Alignment = System.Windows.Forms.ToolStripItemAlignment.Right;
- this.hideSystemProcessMenuBtn.DisplayStyle = System.Windows.Forms.ToolStripItemDisplayStyle.Text;
- this.hideSystemProcessMenuBtn.ImageTransparentColor = System.Drawing.Color.Magenta;
- this.hideSystemProcessMenuBtn.Name = "hideSystemProcessMenuBtn";
- this.hideSystemProcessMenuBtn.Size = new System.Drawing.Size(135, 19);
- this.hideSystemProcessMenuBtn.Text = "Show System Processes";
- this.hideSystemProcessMenuBtn.Click += new System.EventHandler(this.hideSystemProcessMenuBtn_Click);
- //
- // groupBox1
- //
- this.groupBox1.Controls.Add(this.logsTextBox);
- this.groupBox1.Location = new System.Drawing.Point(5, 525);
- this.groupBox1.Name = "groupBox1";
- this.groupBox1.Size = new System.Drawing.Size(992, 222);
- this.groupBox1.TabIndex = 5;
- this.groupBox1.TabStop = false;
- this.groupBox1.Text = "Logs";
- //
- // logsTextBox
- //
- this.logsTextBox.BackColor = System.Drawing.SystemColors.Control;
- this.logsTextBox.BorderStyle = System.Windows.Forms.BorderStyle.None;
- this.logsTextBox.Location = new System.Drawing.Point(12, 19);
- this.logsTextBox.Name = "logsTextBox";
- this.logsTextBox.ReadOnly = true;
- this.logsTextBox.ScrollBars = System.Windows.Forms.RichTextBoxScrollBars.Vertical;
- this.logsTextBox.Size = new System.Drawing.Size(968, 197);
- this.logsTextBox.TabIndex = 0;
- this.logsTextBox.Text = "";
- this.logsTextBox.TextChanged += new System.EventHandler(this.logsTextBox_TextChanged);
- //
- // contextMenuStrip1
- //
- this.contextMenuStrip1.Items.AddRange(new System.Windows.Forms.ToolStripItem[] {
- this.dumpMainModuleToolStripMenuItem,
- this.toolStripSeparator1,
- this.openInExplorerToolStripMenuItem});
- this.contextMenuStrip1.Name = "contextMenuStrip1";
- this.contextMenuStrip1.Size = new System.Drawing.Size(182, 76);
- this.contextMenuStrip1.Opening += new System.ComponentModel.CancelEventHandler(this.contextMenuStrip1_Opening);
- //
- // dumpMainModuleToolStripMenuItem
- //
- this.dumpMainModuleToolStripMenuItem.Name = "dumpMainModuleToolStripMenuItem";
- this.dumpMainModuleToolStripMenuItem.Size = new System.Drawing.Size(181, 22);
- this.dumpMainModuleToolStripMenuItem.Text = "Dump Main Module";
- this.dumpMainModuleToolStripMenuItem.Click += new System.EventHandler(this.dumpMainModuleToolStripMenuItem_Click);
- //
- // toolStripSeparator1
- //
- this.toolStripSeparator1.Name = "toolStripSeparator1";
- this.toolStripSeparator1.Size = new System.Drawing.Size(178, 6);
- //
- // openInExplorerToolStripMenuItem
- //
- this.openInExplorerToolStripMenuItem.Name = "openInExplorerToolStripMenuItem";
- this.openInExplorerToolStripMenuItem.Size = new System.Drawing.Size(181, 22);
- this.openInExplorerToolStripMenuItem.Text = "Open In Explorer";
- this.openInExplorerToolStripMenuItem.Click += new System.EventHandler(this.openInExplorerToolStripMenuItem_Click);
- //
- // processList
- //
- this.processList.Columns.AddRange(new System.Windows.Forms.ColumnHeader[] {
- this.PIDHeader,
- this.NameHeader,
- this.PathHeader,
- this.BaseAddressHeader,
- this.EntryPointHeader,
- this.ImageSizeHeader,
- this.ImageTypeHeader});
- this.processList.ContextMenuStrip = this.contextMenuStrip1;
- this.processList.FullRowSelect = true;
- this.processList.Location = new System.Drawing.Point(5, 28);
- this.processList.MultiSelect = false;
- this.processList.Name = "processList";
- this.processList.Size = new System.Drawing.Size(992, 491);
- this.processList.TabIndex = 2;
- this.processList.UseCompatibleStateImageBehavior = false;
- this.processList.View = System.Windows.Forms.View.Details;
- //
- // PIDHeader
- //
- this.PIDHeader.Text = "PID";
- this.PIDHeader.Width = 76;
- //
- // NameHeader
- //
- this.NameHeader.Text = "Name";
- this.NameHeader.Width = 143;
- //
- // PathHeader
- //
- this.PathHeader.Text = "Path";
- this.PathHeader.Width = 375;
- //
- // BaseAddressHeader
- //
- this.BaseAddressHeader.Text = "Base Address";
- this.BaseAddressHeader.Width = 106;
- //
- // EntryPointHeader
- //
- this.EntryPointHeader.Text = "Entry Point";
- this.EntryPointHeader.Width = 106;
- //
- // ImageSizeHeader
- //
- this.ImageSizeHeader.Text = "Image Size";
- this.ImageSizeHeader.Width = 88;
- //
- // ImageTypeHeader
- //
- this.ImageTypeHeader.Text = "Image Type";
- this.ImageTypeHeader.Width = 72;
- //
- // Dumper
- //
- this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
- this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
- this.ClientSize = new System.Drawing.Size(1004, 756);
- this.Controls.Add(this.groupBox1);
- this.Controls.Add(this.toolStrip1);
- this.Controls.Add(this.processList);
- this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedSingle;
- this.MaximizeBox = false;
- this.Name = "Dumper";
- this.StartPosition = System.Windows.Forms.FormStartPosition.CenterScreen;
- this.Text = "KsDumper";
- this.Load += new System.EventHandler(this.Dumper_Load);
- this.toolStrip1.ResumeLayout(false);
- this.toolStrip1.PerformLayout();
- this.groupBox1.ResumeLayout(false);
- this.contextMenuStrip1.ResumeLayout(false);
- this.ResumeLayout(false);
- this.PerformLayout();
-
- }
-
- #endregion
- private KsDumperClient.Utility.ProcessListView processList;
- private System.Windows.Forms.ColumnHeader PIDHeader;
- private System.Windows.Forms.ColumnHeader NameHeader;
- private System.Windows.Forms.ColumnHeader PathHeader;
- private System.Windows.Forms.ColumnHeader BaseAddressHeader;
- private System.Windows.Forms.ColumnHeader EntryPointHeader;
- private System.Windows.Forms.ColumnHeader ImageSizeHeader;
- private System.Windows.Forms.ColumnHeader ImageTypeHeader;
- private System.Windows.Forms.ToolStrip toolStrip1;
- private System.Windows.Forms.ToolStripButton refreshMenuBtn;
- private System.Windows.Forms.ToolStripButton hideSystemProcessMenuBtn;
- private System.Windows.Forms.GroupBox groupBox1;
- private System.Windows.Forms.RichTextBox logsTextBox;
- private System.Windows.Forms.ContextMenuStrip contextMenuStrip1;
- private System.Windows.Forms.ToolStripMenuItem dumpMainModuleToolStripMenuItem;
- private System.Windows.Forms.ToolStripSeparator toolStripSeparator1;
- private System.Windows.Forms.ToolStripMenuItem openInExplorerToolStripMenuItem;
- }
-}
-
+namespace KsDumperClient
+{
+ partial class Dumper
+ {
+ ///
+ /// Required designer variable.
+ ///
+ private System.ComponentModel.IContainer components = null;
+
+ ///
+ /// Clean up any resources being used.
+ ///
+ /// true if managed resources should be disposed; otherwise, false.
+ protected override void Dispose(bool disposing)
+ {
+ if (disposing && (components != null))
+ {
+ components.Dispose();
+ }
+ base.Dispose(disposing);
+ }
+
+ #region Windows Form Designer generated code
+
+ ///
+ /// Required method for Designer support - do not modify
+ /// the contents of this method with the code editor.
+ ///
+ private void InitializeComponent()
+ {
+ this.components = new System.ComponentModel.Container();
+ this.toolStrip1 = new System.Windows.Forms.ToolStrip();
+ this.refreshMenuBtn = new System.Windows.Forms.ToolStripButton();
+ this.unloadDriverBtn = new System.Windows.Forms.ToolStripButton();
+ this.hideSystemProcessMenuBtn = new System.Windows.Forms.ToolStripButton();
+ this.groupBox1 = new System.Windows.Forms.GroupBox();
+ this.logsTextBox = new System.Windows.Forms.RichTextBox();
+ this.contextMenuStrip1 = new System.Windows.Forms.ContextMenuStrip(this.components);
+ this.dumpMainModuleToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
+ this.toolStripSeparator1 = new System.Windows.Forms.ToolStripSeparator();
+ this.openInExplorerToolStripMenuItem = new System.Windows.Forms.ToolStripMenuItem();
+ this.processList = new KsDumperClient.Utility.ProcessListView();
+ this.PIDHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
+ this.NameHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
+ this.PathHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
+ this.BaseAddressHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
+ this.EntryPointHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
+ this.ImageSizeHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
+ this.ImageTypeHeader = ((System.Windows.Forms.ColumnHeader)(new System.Windows.Forms.ColumnHeader()));
+ this.toolStrip1.SuspendLayout();
+ this.groupBox1.SuspendLayout();
+ this.contextMenuStrip1.SuspendLayout();
+ this.SuspendLayout();
+ //
+ // toolStrip1
+ //
+ this.toolStrip1.AllowMerge = false;
+ this.toolStrip1.GripStyle = System.Windows.Forms.ToolStripGripStyle.Hidden;
+ this.toolStrip1.Items.AddRange(new System.Windows.Forms.ToolStripItem[] {
+ this.refreshMenuBtn,
+ this.unloadDriverBtn,
+ this.hideSystemProcessMenuBtn});
+ this.toolStrip1.Location = new System.Drawing.Point(0, 0);
+ this.toolStrip1.Margin = new System.Windows.Forms.Padding(2);
+ this.toolStrip1.Name = "toolStrip1";
+ this.toolStrip1.Padding = new System.Windows.Forms.Padding(2, 3, 2, 2);
+ this.toolStrip1.ShowItemToolTips = false;
+ this.toolStrip1.Size = new System.Drawing.Size(1004, 27);
+ this.toolStrip1.TabIndex = 4;
+ this.toolStrip1.Text = "toolStrip1";
+ //
+ // refreshMenuBtn
+ //
+ this.refreshMenuBtn.DisplayStyle = System.Windows.Forms.ToolStripItemDisplayStyle.Text;
+ this.refreshMenuBtn.ImageTransparentColor = System.Drawing.Color.Magenta;
+ this.refreshMenuBtn.Name = "refreshMenuBtn";
+ this.refreshMenuBtn.Size = new System.Drawing.Size(50, 19);
+ this.refreshMenuBtn.Text = "Refresh";
+ this.refreshMenuBtn.Click += new System.EventHandler(this.refreshMenuBtn_Click);
+ //
+ // unloadDriverBtn
+ //
+ this.unloadDriverBtn.DisplayStyle = System.Windows.Forms.ToolStripItemDisplayStyle.Text;
+ this.unloadDriverBtn.ImageTransparentColor = System.Drawing.Color.Magenta;
+ this.unloadDriverBtn.Name = "unloadDriverBtn";
+ this.unloadDriverBtn.Size = new System.Drawing.Size(83, 19);
+ this.unloadDriverBtn.Text = "Unload Driver";
+ this.unloadDriverBtn.Click += new System.EventHandler(this.unloadDriverBtn_Click);
+ //
+ // hideSystemProcessMenuBtn
+ //
+ this.hideSystemProcessMenuBtn.Alignment = System.Windows.Forms.ToolStripItemAlignment.Right;
+ this.hideSystemProcessMenuBtn.DisplayStyle = System.Windows.Forms.ToolStripItemDisplayStyle.Text;
+ this.hideSystemProcessMenuBtn.ImageTransparentColor = System.Drawing.Color.Magenta;
+ this.hideSystemProcessMenuBtn.Name = "hideSystemProcessMenuBtn";
+ this.hideSystemProcessMenuBtn.Size = new System.Drawing.Size(135, 19);
+ this.hideSystemProcessMenuBtn.Text = "Show System Processes";
+ this.hideSystemProcessMenuBtn.Click += new System.EventHandler(this.hideSystemProcessMenuBtn_Click);
+ //
+ // groupBox1
+ //
+ this.groupBox1.Controls.Add(this.logsTextBox);
+ this.groupBox1.Location = new System.Drawing.Point(5, 525);
+ this.groupBox1.Name = "groupBox1";
+ this.groupBox1.Size = new System.Drawing.Size(992, 222);
+ this.groupBox1.TabIndex = 5;
+ this.groupBox1.TabStop = false;
+ this.groupBox1.Text = "Logs";
+ //
+ // logsTextBox
+ //
+ this.logsTextBox.BackColor = System.Drawing.SystemColors.Control;
+ this.logsTextBox.BorderStyle = System.Windows.Forms.BorderStyle.None;
+ this.logsTextBox.Location = new System.Drawing.Point(12, 19);
+ this.logsTextBox.Name = "logsTextBox";
+ this.logsTextBox.ReadOnly = true;
+ this.logsTextBox.ScrollBars = System.Windows.Forms.RichTextBoxScrollBars.Vertical;
+ this.logsTextBox.Size = new System.Drawing.Size(968, 197);
+ this.logsTextBox.TabIndex = 0;
+ this.logsTextBox.Text = "";
+ this.logsTextBox.TextChanged += new System.EventHandler(this.logsTextBox_TextChanged);
+ //
+ // contextMenuStrip1
+ //
+ this.contextMenuStrip1.Items.AddRange(new System.Windows.Forms.ToolStripItem[] {
+ this.dumpMainModuleToolStripMenuItem,
+ this.toolStripSeparator1,
+ this.openInExplorerToolStripMenuItem});
+ this.contextMenuStrip1.Name = "contextMenuStrip1";
+ this.contextMenuStrip1.Size = new System.Drawing.Size(182, 76);
+ this.contextMenuStrip1.Opening += new System.ComponentModel.CancelEventHandler(this.contextMenuStrip1_Opening);
+ //
+ // dumpMainModuleToolStripMenuItem
+ //
+ this.dumpMainModuleToolStripMenuItem.Name = "dumpMainModuleToolStripMenuItem";
+ this.dumpMainModuleToolStripMenuItem.Size = new System.Drawing.Size(181, 22);
+ this.dumpMainModuleToolStripMenuItem.Text = "Dump Main Module";
+ this.dumpMainModuleToolStripMenuItem.Click += new System.EventHandler(this.dumpMainModuleToolStripMenuItem_Click);
+ //
+ // toolStripSeparator1
+ //
+ this.toolStripSeparator1.Name = "toolStripSeparator1";
+ this.toolStripSeparator1.Size = new System.Drawing.Size(178, 6);
+ //
+ // openInExplorerToolStripMenuItem
+ //
+ this.openInExplorerToolStripMenuItem.Name = "openInExplorerToolStripMenuItem";
+ this.openInExplorerToolStripMenuItem.Size = new System.Drawing.Size(181, 22);
+ this.openInExplorerToolStripMenuItem.Text = "Open In Explorer";
+ this.openInExplorerToolStripMenuItem.Click += new System.EventHandler(this.openInExplorerToolStripMenuItem_Click);
+ //
+ // processList
+ //
+ this.processList.Columns.AddRange(new System.Windows.Forms.ColumnHeader[] {
+ this.PIDHeader,
+ this.NameHeader,
+ this.PathHeader,
+ this.BaseAddressHeader,
+ this.EntryPointHeader,
+ this.ImageSizeHeader,
+ this.ImageTypeHeader});
+ this.processList.ContextMenuStrip = this.contextMenuStrip1;
+ this.processList.FullRowSelect = true;
+ this.processList.Location = new System.Drawing.Point(5, 28);
+ this.processList.MultiSelect = false;
+ this.processList.Name = "processList";
+ this.processList.Size = new System.Drawing.Size(992, 491);
+ this.processList.TabIndex = 2;
+ this.processList.UseCompatibleStateImageBehavior = false;
+ this.processList.View = System.Windows.Forms.View.Details;
+ //
+ // PIDHeader
+ //
+ this.PIDHeader.Text = "PID";
+ this.PIDHeader.Width = 76;
+ //
+ // NameHeader
+ //
+ this.NameHeader.Text = "Name";
+ this.NameHeader.Width = 143;
+ //
+ // PathHeader
+ //
+ this.PathHeader.Text = "Path";
+ this.PathHeader.Width = 375;
+ //
+ // BaseAddressHeader
+ //
+ this.BaseAddressHeader.Text = "Base Address";
+ this.BaseAddressHeader.Width = 106;
+ //
+ // EntryPointHeader
+ //
+ this.EntryPointHeader.Text = "Entry Point";
+ this.EntryPointHeader.Width = 106;
+ //
+ // ImageSizeHeader
+ //
+ this.ImageSizeHeader.Text = "Image Size";
+ this.ImageSizeHeader.Width = 88;
+ //
+ // ImageTypeHeader
+ //
+ this.ImageTypeHeader.Text = "Image Type";
+ this.ImageTypeHeader.Width = 72;
+ //
+ // Dumper
+ //
+ this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
+ this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
+ this.ClientSize = new System.Drawing.Size(1004, 756);
+ this.Controls.Add(this.groupBox1);
+ this.Controls.Add(this.toolStrip1);
+ this.Controls.Add(this.processList);
+ this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedSingle;
+ this.MaximizeBox = false;
+ this.Name = "Dumper";
+ this.StartPosition = System.Windows.Forms.FormStartPosition.CenterScreen;
+ this.Text = "KsDumper";
+ this.Load += new System.EventHandler(this.Dumper_Load);
+ this.toolStrip1.ResumeLayout(false);
+ this.toolStrip1.PerformLayout();
+ this.groupBox1.ResumeLayout(false);
+ this.contextMenuStrip1.ResumeLayout(false);
+ this.ResumeLayout(false);
+ this.PerformLayout();
+
+ }
+
+ #endregion
+ private KsDumperClient.Utility.ProcessListView processList;
+ private System.Windows.Forms.ColumnHeader PIDHeader;
+ private System.Windows.Forms.ColumnHeader NameHeader;
+ private System.Windows.Forms.ColumnHeader PathHeader;
+ private System.Windows.Forms.ColumnHeader BaseAddressHeader;
+ private System.Windows.Forms.ColumnHeader EntryPointHeader;
+ private System.Windows.Forms.ColumnHeader ImageSizeHeader;
+ private System.Windows.Forms.ColumnHeader ImageTypeHeader;
+ private System.Windows.Forms.ToolStrip toolStrip1;
+ private System.Windows.Forms.ToolStripButton refreshMenuBtn;
+ private System.Windows.Forms.ToolStripButton unloadDriverBtn;
+ private System.Windows.Forms.ToolStripButton hideSystemProcessMenuBtn;
+ private System.Windows.Forms.GroupBox groupBox1;
+ private System.Windows.Forms.RichTextBox logsTextBox;
+ private System.Windows.Forms.ContextMenuStrip contextMenuStrip1;
+ private System.Windows.Forms.ToolStripMenuItem dumpMainModuleToolStripMenuItem;
+ private System.Windows.Forms.ToolStripSeparator toolStripSeparator1;
+ private System.Windows.Forms.ToolStripMenuItem openInExplorerToolStripMenuItem;
+ }
+}
diff --git a/KsDumperClient/Dumper.cs b/KsDumperClient/Dumper.cs
index 15ce5aa..b296f92 100644
--- a/KsDumperClient/Dumper.cs
+++ b/KsDumperClient/Dumper.cs
@@ -125,6 +125,24 @@ private void openInExplorerToolStripMenuItem_Click(object sender, EventArgs e)
{
ProcessSummary targetProcess = processList.SelectedItems[0].Tag as ProcessSummary;
Process.Start("explorer.exe", Path.GetDirectoryName(targetProcess.MainModuleFileName));
- }
+ }
+
+ private void unloadDriverBtn_Click(object sender, EventArgs e)
+ {
+ var result = MessageBox.Show("Are you sure?", "Driver unload", MessageBoxButtons.YesNo);
+ if (result == DialogResult.Yes)
+ {
+ bool unloadResult = driver.UnloadDriver();
+ if (unloadResult)
+ {
+ MessageBox.Show("Unload good");
+ }
+ else
+ {
+ MessageBox.Show("Unload failed");
+
+ }
+ }
+ }
}
}
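Review bot: On the `DialogResult.Yes` path a successful `driver.UnloadDriver()` leaves the form exactly as it was: `driver` still holds its handle and `unloadDriverBtn`/`refreshMenuBtn` stay enabled, so a later Refresh sends `DeviceIoControl` to a device the driver has already deleted and the user only learns of it then. Once `unloadResult` is true the handler should release the handle through the `IDisposable` the class now implements and retire the button, e.g. `driver.Dispose(); driver = null; unloadDriverBtn.Enabled = false;` — how `driver` is declared is outside this hunk, so the null assignment may need adjusting. The failure branch could include `Marshal.GetLastWin32Error()` in the message if `DeviceIoControl` is imported with `SetLastError = true`, which this diff does not show. The `Dumper` class continues outside the hunk.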
diff --git a/KsDumperClient/Utility/ProcessListView.cs b/KsDumperClient/Utility/ProcessListView.cs
index 3c2e187..1ec5bc5 100644
--- a/KsDumperClient/Utility/ProcessListView.cs
+++ b/KsDumperClient/Utility/ProcessListView.cs
@@ -1,164 +1,170 @@
-using System;
-using System.Collections;
-using System.IO;
-using System.Runtime.InteropServices;
-using System.Windows.Forms;
-
-namespace KsDumperClient.Utility
-{
- public class ProcessListView : ListView
- {
- public bool SystemProcessesHidden { get; private set; } = true;
-
- private int sortColumnIndex = 1;
- private ProcessSummary[] processCache;
-
- public ProcessListView()
- {
- DoubleBuffered = true;
- Sorting = SortOrder.Ascending;
- }
-
- public void LoadProcesses(ProcessSummary[] processSummaries)
- {
- processCache = processSummaries;
- ReloadItems();
- }
-
- public void ShowSystemProcesses()
- {
- SystemProcessesHidden = false;
- ReloadItems();
- }
-
- public void HideSystemProcesses()
- {
- SystemProcessesHidden = true;
- ReloadItems();
- }
-
- private void ReloadItems()
- {
- Items.Clear();
-
- string systemRootFolder = Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower();
-
- foreach (ProcessSummary processSummary in processCache)
- {
- if (SystemProcessesHidden &&
- (processSummary.MainModuleFileName.ToLower().StartsWith(systemRootFolder) ||
- processSummary.MainModuleFileName.StartsWith(@"\")))
- {
- continue;
- }
-
- ListViewItem lvi = new ListViewItem(processSummary.ProcessId.ToString());
- lvi.SubItems.Add(Path.GetFileName(processSummary.MainModuleFileName));
- lvi.SubItems.Add(processSummary.MainModuleFileName);
- lvi.SubItems.Add(string.Format("0x{0:x8}", processSummary.MainModuleBase));
- lvi.SubItems.Add(string.Format("0x{0:x8}", processSummary.MainModuleEntryPoint));
- lvi.SubItems.Add(string.Format("0x{0:x4}", processSummary.MainModuleImageSize));
- lvi.SubItems.Add(processSummary.IsWOW64 ? "x86" : "x64");
- lvi.Tag = processSummary;
-
- Items.Add(lvi);
- }
-
- ListViewItemSorter = new ProcessListViewItemComparer(sortColumnIndex, Sorting);
- Sort();
- }
-
- protected override void OnColumnClick(ColumnClickEventArgs e)
- {
- if (e.Column != sortColumnIndex)
- {
- sortColumnIndex = e.Column;
- Sorting = SortOrder.Ascending;
- }
- else
- {
- if (Sorting == SortOrder.Ascending)
- {
- Sorting = SortOrder.Descending;
- }
- else
- {
- Sorting = SortOrder.Ascending;
- }
- }
-
- ListViewItemSorter = new ProcessListViewItemComparer(e.Column, Sorting);
- Sort();
- }
-
- private class ProcessListViewItemComparer : IComparer
- {
- private readonly int columnIndex;
- private readonly SortOrder sortOrder;
-
- public ProcessListViewItemComparer(int columnIndex, SortOrder sortOrder)
- {
- this.columnIndex = columnIndex;
- this.sortOrder = sortOrder;
- }
-
- public int Compare(object x, object y)
- {
- if ((x is ListViewItem) && (y is ListViewItem))
- {
- ProcessSummary p1 = ((ListViewItem)x).Tag as ProcessSummary;
- ProcessSummary p2 = ((ListViewItem)y).Tag as ProcessSummary;
-
- if (!(p1 == null || p2 == null))
- {
- int result = 0;
-
- switch (columnIndex)
- {
- case 0:
- result = p1.ProcessId.CompareTo(p2.ProcessId);
- break;
- case 1:
- result = p1.ProcessName.CompareTo(p2.ProcessName);
- break;
- case 2:
- result = p1.MainModuleFileName.CompareTo(p2.MainModuleFileName);
- break;
- case 3:
- result = p1.MainModuleBase.CompareTo(p2.MainModuleBase);
- break;
- case 4:
- result = p1.MainModuleEntryPoint.CompareTo(p2.MainModuleEntryPoint);
- break;
- case 5:
- result = p1.MainModuleImageSize.CompareTo(p2.MainModuleImageSize);
- break;
- case 6:
- result = p1.IsWOW64.CompareTo(p2.IsWOW64);
- break;
- }
-
- if (sortOrder == SortOrder.Descending)
- {
- result = -result;
- }
- return result;
- }
- }
- return 0;
- }
- }
-
- protected override void WndProc(ref Message m)
- {
- if (m.Msg == 0x1)
- {
- SetWindowTheme(Handle, "Explorer", null);
- }
- base.WndProc(ref m);
- }
-
- [DllImport("uxtheme.dll", CharSet = CharSet.Unicode)]
- private extern static int SetWindowTheme(IntPtr hWnd, string pszSubAppName, string pszSubIdList);
- }
-}
+using System;
+using System.Collections;
+using System.IO;
+using System.Runtime.InteropServices;
+using System.Windows.Forms;
+
+namespace KsDumperClient.Utility
+{
+ public class ProcessListView : ListView
+ {
+ public bool SystemProcessesHidden { get; private set; } = true;
+
+ private int sortColumnIndex = 1;
+ private ProcessSummary[] processCache;
+
+ public ProcessListView()
+ {
+ DoubleBuffered = true;
+ Sorting = SortOrder.Ascending;
+ }
+
+ public void LoadProcesses(ProcessSummary[] processSummaries)
+ {
+ processCache = processSummaries;
+ ReloadItems();
+ }
+
+ public void ShowSystemProcesses()
+ {
+ SystemProcessesHidden = false;
+ ReloadItems();
+ }
+
+ public void HideSystemProcesses()
+ {
+ SystemProcessesHidden = true;
+ ReloadItems();
+ }
+
+ private void ReloadItems()
+ {
+ Items.Clear();
+
+ string systemRootFolder = Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower();
+
+ if (processCache == null)
+ {
+ MessageBox.Show("Driver not loaded!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
+ return;
+ }
+
+ foreach (ProcessSummary processSummary in processCache)
+ {
+ if (SystemProcessesHidden &&
+ (processSummary.MainModuleFileName.ToLower().StartsWith(systemRootFolder) ||
+ processSummary.MainModuleFileName.StartsWith(@"\")))
+ {
+ continue;
+ }
+
+ ListViewItem lvi = new ListViewItem(processSummary.ProcessId.ToString());
+ lvi.SubItems.Add(Path.GetFileName(processSummary.MainModuleFileName));
+ lvi.SubItems.Add(processSummary.MainModuleFileName);
+ lvi.SubItems.Add(string.Format("0x{0:x8}", processSummary.MainModuleBase));
+ lvi.SubItems.Add(string.Format("0x{0:x8}", processSummary.MainModuleEntryPoint));
+ lvi.SubItems.Add(string.Format("0x{0:x4}", processSummary.MainModuleImageSize));
+ lvi.SubItems.Add(processSummary.IsWOW64 ? "x86" : "x64");
+ lvi.Tag = processSummary;
+
+ Items.Add(lvi);
+ }
+
+ ListViewItemSorter = new ProcessListViewItemComparer(sortColumnIndex, Sorting);
+ Sort();
+ }
+
+ protected override void OnColumnClick(ColumnClickEventArgs e)
+ {
+ if (e.Column != sortColumnIndex)
+ {
+ sortColumnIndex = e.Column;
+ Sorting = SortOrder.Ascending;
+ }
+ else
+ {
+ if (Sorting == SortOrder.Ascending)
+ {
+ Sorting = SortOrder.Descending;
+ }
+ else
+ {
+ Sorting = SortOrder.Ascending;
+ }
+ }
+
+ ListViewItemSorter = new ProcessListViewItemComparer(e.Column, Sorting);
+ Sort();
+ }
+
+ private class ProcessListViewItemComparer : IComparer
+ {
+ private readonly int columnIndex;
+ private readonly SortOrder sortOrder;
+
+ public ProcessListViewItemComparer(int columnIndex, SortOrder sortOrder)
+ {
+ this.columnIndex = columnIndex;
+ this.sortOrder = sortOrder;
+ }
+
+ public int Compare(object x, object y)
+ {
+ if ((x is ListViewItem) && (y is ListViewItem))
+ {
+ ProcessSummary p1 = ((ListViewItem)x).Tag as ProcessSummary;
+ ProcessSummary p2 = ((ListViewItem)y).Tag as ProcessSummary;
+
+ if (!(p1 == null || p2 == null))
+ {
+ int result = 0;
+
+ switch (columnIndex)
+ {
+ case 0:
+ result = p1.ProcessId.CompareTo(p2.ProcessId);
+ break;
+ case 1:
+ result = p1.ProcessName.CompareTo(p2.ProcessName);
+ break;
+ case 2:
+ result = p1.MainModuleFileName.CompareTo(p2.MainModuleFileName);
+ break;
+ case 3:
+ result = p1.MainModuleBase.CompareTo(p2.MainModuleBase);
+ break;
+ case 4:
+ result = p1.MainModuleEntryPoint.CompareTo(p2.MainModuleEntryPoint);
+ break;
+ case 5:
+ result = p1.MainModuleImageSize.CompareTo(p2.MainModuleImageSize);
+ break;
+ case 6:
+ result = p1.IsWOW64.CompareTo(p2.IsWOW64);
+ break;
+ }
+
+ if (sortOrder == SortOrder.Descending)
+ {
+ result = -result;
+ }
+ return result;
+ }
+ }
+ return 0;
+ }
+ }
+
+ protected override void WndProc(ref Message m)
+ {
+ if (m.Msg == 0x1)
+ {
+ SetWindowTheme(Handle, "Explorer", null);
+ }
+ base.WndProc(ref m);
+ }
+
+ [DllImport("uxtheme.dll", CharSet = CharSet.Unicode)]
+ private extern static int SetWindowTheme(IntPtr hWnd, string pszSubAppName, string pszSubIdList);
+ }
+}
diff --git a/KsDumperClient/Utility/WinApi.cs b/KsDumperClient/Utility/WinApi.cs
index 6f6788b..58e60de 100644
--- a/KsDumperClient/Utility/WinApi.cs
+++ b/KsDumperClient/Utility/WinApi.cs
@@ -31,5 +31,8 @@ public static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode,
[DllImport("kernel32.dll")]
public static extern int GetLongPathName(string path, StringBuilder pszPath, int cchPath);
+
+ [DllImport("kernel32.dll")]
+ public static extern int CloseHandle(IntPtr handle);
}
}
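Review bot: `CloseHandle` is declared as returning `int`, but the Win32 function returns `BOOL`, and the import has no `SetLastError`, so a failed close cannot be diagnosed with `Marshal.GetLastWin32Error()`. Declare it as `[DllImport("kernel32.dll", SetLastError = true)]`, `[return: MarshalAs(UnmanagedType.Bool)]`, `public static extern bool CloseHandle(IntPtr hObject);`; the only callers in this diff (`DriverInterface.Dispose` and its finalizer) ignore the result, so the return-type change is source-compatible.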
diff --git a/KsDumperDriver/Driver.c b/KsDumperDriver/Driver.c
index 11afd7f..6a737b0 100644
--- a/KsDumperDriver/Driver.c
+++ b/KsDumperDriver/Driver.c
@@ -8,6 +8,10 @@ DRIVER_INITIALIZE DriverEntry;
UNICODE_STRING deviceName, symLink;
+PDRIVER_OBJECT pDriverObject;
+
+DRIVER_UNLOAD Unload;
+
NTSTATUS CopyVirtualMemory(PEPROCESS targetProcess, PVOID sourceAddress, PVOID targetAddress, SIZE_T size)
{
PSIZE_T readBytes;
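Review bot: The new global `pDriverObject` exists only so the `IO_UNLOAD_DRIVER` branch in `IoControl` can reach the driver object, but every dispatch routine already receives `DeviceObject`, and `DeviceObject->DriverObject` is the same structure, so the global and its assignment in the later `DriverInitialize` hunk can be dropped. If it is kept, it should be `static` so it is not visible outside this translation unit. `CopyVirtualMemory` continues outside this hunk.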
@@ -61,6 +65,12 @@ NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
bytesIO = 0;
}
}
+ else if (controlCode == IO_UNLOAD_DRIVER)
+ {
+ Unload(pDriverObject);
+ bytesIO = 0;
+ status = STATUS_SUCCESS;
+ }
else
{
status = STATUS_INVALID_PARAMETER;
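Review bot: The `IO_UNLOAD_DRIVER` branch calls the `DRIVER_UNLOAD` routine `Unload()` from inside the dispatch routine, while the caller's handle is open and the IRP being serviced has not been completed; `Unload()` deletes the symbolic link and marks the device object for deletion (later hunk), and `IoControl` then completes the IRP on that device, which works only because `IoDeleteDevice` defers the free until the last reference drops. Nothing here unloads the driver image — only the I/O manager's own unload path does that — so `STATUS_SUCCESS` reports "unloaded" while the code stays resident, and if `Unload` is also registered as `DriverObject->DriverUnload` (registration is outside the diff) a later genuine unload deletes the link and device a second time. Limit the IOCTL to what it can safely do: tear down the device interface exactly once through a helper guarded by an interlocked flag, have `Unload()` call the same helper, and use `DeviceObject->DriverObject` rather than the global. The process-list and copy-memory branches above are unchanged.
```c
static LONG interfaceRemoved = 0;

// Deletes the symbolic link and device object exactly once; reachable from both
// the IOCTL path and DriverUnload. Does not unload the driver image.
static void RemoveDeviceInterface(PDRIVER_OBJECT DriverObject)
{
    if (InterlockedCompareExchange(&interfaceRemoved, 1, 0) != 0)
    {
        return;
    }
    IoDeleteSymbolicLink(&symLink);
    IoDeleteDevice(DriverObject->DeviceObject);
}

/* … unchanged: IoControl prologue, process-list and copy-memory branches … */
else if (controlCode == IO_UNLOAD_DRIVER)
{
    RemoveDeviceInterface(DeviceObject->DriverObject);
    bytesIO = 0;
    status = STATUS_SUCCESS;
}
```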
@@ -99,7 +109,7 @@ NTSTATUS CloseDispatch(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
return Irp->IoStatus.Status;
}
-NTSTATUS Unload(IN PDRIVER_OBJECT DriverObject)
+void Unload(PDRIVER_OBJECT DriverObject)
{
IoDeleteSymbolicLink(&symLink);
IoDeleteDevice(DriverObject->DeviceObject);
@@ -115,6 +125,8 @@ NTSTATUS DriverInitialize(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING
RtlInitUnicodeString(&deviceName, L"\\Device\\KsDumper");
RtlInitUnicodeString(&symLink, L"\\DosDevices\\KsDumper");
+ pDriverObject = DriverObject;
+
status = IoCreateDevice(DriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &deviceObject);
if (!NT_SUCCESS(status))
diff --git a/KsDumperDriver/UserModeBridge.h b/KsDumperDriver/UserModeBridge.h
index 88f9349..956f88e 100644
--- a/KsDumperDriver/UserModeBridge.h
+++ b/KsDumperDriver/UserModeBridge.h
@@ -5,6 +5,8 @@
#define IO_COPY_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1725, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define IO_UNLOAD_DRIVER CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1726, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
typedef struct _KERNEL_PROCESS_LIST_OPERATION
{
PVOID bufferAddress;
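Review bot: The new control code is defined with `FILE_SPECIAL_ACCESS`, which the I/O manager treats as `FILE_ANY_ACCESS` (both are 0), so any caller holding a handle to `\DosDevices\KsDumper` can issue the teardown, and the device is created in `DriverInitialize` with `IoCreateDevice` and no security descriptor, so unless the default DACL for `FILE_DEVICE_UNKNOWN` is tighter than usual that includes non-administrator local users. This matches the existing `IO_COPY_MEMORY` code, but a destructive request is the place to start tightening: require `FILE_WRITE_ACCESS` in the `CTL_CODE` so only handles opened for write can send it, and consider `IoCreateDeviceSecure` with an SDDL limiting opens to administrators and SYSTEM. The client's `Operations.cs` defines the same code with `FILE_ANY_ACCESS`; the values are numerically equal today, but if the access bits change here the C# definition must change with them or the codes stop matching.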