Support modify memory r3,r0, section.

src/OpenArk.sln

@@ -15,8 +15,8 @@ Global
 		Release|x86 = Release|x86
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{EB561C56-54CC-4CB1-94F5-A6E3429F6275}.Debug|x64.ActiveCfg = Release|x64
-		{EB561C56-54CC-4CB1-94F5-A6E3429F6275}.Debug|x64.Build.0 = Release|x64
+		{EB561C56-54CC-4CB1-94F5-A6E3429F6275}.Debug|x64.ActiveCfg = Debug|x64
+		{EB561C56-54CC-4CB1-94F5-A6E3429F6275}.Debug|x64.Build.0 = Debug|x64
 		{EB561C56-54CC-4CB1-94F5-A6E3429F6275}.Debug|x86.ActiveCfg = Debug|Win32
 		{EB561C56-54CC-4CB1-94F5-A6E3429F6275}.Debug|x86.Build.0 = Debug|Win32
 		{EB561C56-54CC-4CB1-94F5-A6E3429F6275}.Release|x64.ActiveCfg = Release|x64

src/OpenArk/cmds/cmds.cpp

@@ -17,6 +17,7 @@
 #include "constants/constants.h"
 #include "../common/utils/disassembly/disassembly.h"
 #include <time.h>	
+#include <arkdrv-api/arkdrv-api.h>
 
 struct CommandHelpItem {
 	std::wstring cmd;
@@ -680,7 +681,7 @@ Q_INVOKABLE void Cmds::CmdMemoryEditor(QString cmd, QStringList argv)
 	if (argc == 4) {
 		DWORD pid = VariantInt(argv[1].toStdString(), 10);
 		if (argv[0] == "r") {
-			HANDLE phd = OpenProcessWrapper(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
+			HANDLE phd = ArkDrvApi::Process::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
 			ON_SCOPE_EXIT([&phd] {if (phd) CloseHandle(phd); });
 			if (!phd) return ERR(L"OpenProcess pid:%d err:%d", pid, GetLastError());
 			DWORD64 addr = VariantInt64(argv[2].toStdString());
@@ -697,7 +698,7 @@ Q_INVOKABLE void Cmds::CmdMemoryEditor(QString cmd, QStringList argv)
 			return CmdOutput("%s", hexdump.c_str());
 		}
 		if (argv[0] == "w") {
-			HANDLE phd = OpenProcessWrapper(PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE, FALSE, pid);
+			HANDLE phd = ArkDrvApi::Process::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE, FALSE, pid);
 			ON_SCOPE_EXIT([&phd] {if (phd) CloseHandle(phd); });
 			if (!phd) return ERR(L"OpenProcess pid:%d err:%d", pid, GetLastError());
 			DWORD64 addr = VariantInt64(argv[2].toStdString());

src/OpenArk/common/app/app.cpp

@@ -14,13 +14,8 @@
 **
 ****************************************************************************/
 #include "../common.h"
-#include "../openark/openark.h"
 #include "app.h"
 
-QApplication *app = nullptr;
-QTranslator *app_tr = nullptr;
-OpenArk *openark = nullptr;
-
 void LogOutput(LogOuputLevel lev, const char* func, const wchar_t* format, ...)
 {
 	QString levelstr;

src/OpenArk/common/app/app.h

@@ -14,13 +14,9 @@
 **
 ****************************************************************************/
 #pragma once
-#include "../openark/openark.h"
+#include <unone.h>
 #include <QString>
 
-extern QApplication *app;
-extern QTranslator *app_tr;
-extern OpenArk *openark;
-
 enum LogOuputLevel { LevelInfo, LevelWarn, LevelErr, LevelDbg };
 void LogOutput(LogOuputLevel lev, const char* func, const char* format, ...);
 void LogOutput(LogOuputLevel lev, const char* func, const wchar_t* format, ...);
@@ -39,7 +35,7 @@ void LogOutput(LogOuputLevel lev, const char* func, const wchar_t* format, ...);
 
 inline QString AppFilePath()
 {
-	return WStrToQ(UNONE::PsGetProcessPathW());
+	return QString::fromStdWString(UNONE::PsGetProcessPathW());
 }
 
 inline QString AppVersion()
@@ -49,12 +45,12 @@ inline QString AppVersion()
 	if (!ver.empty()) {
 		ver = ver.substr(0, ver.find_last_of(L"."));
 	}
-	return WStrToQ(ver);
+	return QString::fromStdWString(ver);
 }
 
 inline QString AppBuildTime()
 {
-	QString &&stamp = StrToQ(UNONE::TmFormatUnixTimeA(UNONE::PeGetTimeStamp((CHAR*)GetModuleHandleW(NULL)), "YMDHW"));
+	QString &&stamp = QString::fromStdString(UNONE::TmFormatUnixTimeA(UNONE::PeGetTimeStamp((CHAR*)GetModuleHandleW(NULL)), "YMDHW"));
 	return stamp;
 }
 
@@ -71,13 +67,5 @@ inline QString AppFsUrl(QString url = "")
 		return fsurl;
 	}
 	fsurl = url;
-	return "http://192.168.2.106:50200/openark/files";
 	return fsurl;
-}
-
-// disable logger, exit recover
-#define DISABLE_RECOVER() \
-	UNONE::LogCallback routine;\
-	bool regok = UNONE::InterCurrentLogger(routine);\
-	if (regok) UNONE::InterRegisterLogger([&](const std::wstring &) {});\
-	ON_SCOPE_EXIT([&] {if (regok) UNONE::InterUnregisterLogger(); });
+}

src/OpenArk/common/cache/cache.cpp

@@ -53,7 +53,7 @@ ProcInfo CacheGetProcInfo(unsigned int pid, ProcInfo& info)
 	bool activate = false;
 	auto &&path = UNONE::PsGetProcessPathW(pid);
 	if (path.empty()) {
-		UNONE::InterCreateTlsValue(ArkDrvApi::Process::OpenProcess, UNONE::PROCESS_VID);
+		UNONE::InterCreateTlsValue(ArkDrvApi::Process::OpenProcessR0, UNONE::PROCESS_VID);
 		path = UNONE::PsGetProcessPathW(pid);
 		activate = true;
 	}
@@ -119,7 +119,7 @@ UNONE::PROCESS_BASE_INFOW CacheGetProcessBaseInfo(DWORD pid)
 	bool activate = false;
 	UNONE::PsGetProcessInfoW(pid, info);
 	if (info.ImagePathName.empty()) {
-		UNONE::InterCreateTlsValue(ArkDrvApi::Process::OpenProcess, UNONE::PROCESS_VID);
+		UNONE::InterCreateTlsValue(ArkDrvApi::Process::OpenProcessR0, UNONE::PROCESS_VID);
 		UNONE::PsGetProcessInfoW(pid, info);
 		activate = true;
 	}

src/OpenArk/common/cpp-wrapper/cpp-wrapper.h

@@ -51,4 +51,12 @@ class ScopeGuard
 
 int VariantInt(std::string val, int radix = 16);
 int64_t VariantInt64(std::string val, int radix = 16);
-std::wstring VariantFilePath(std::wstring path);
+std::wstring VariantFilePath(std::wstring path);
+
+
+// disable logger, exit recover
+#define DISABLE_RECOVER() \
+	UNONE::LogCallback routine;\
+	bool regok = UNONE::InterCurrentLogger(routine);\
+	if (regok) UNONE::InterRegisterLogger([&](const std::wstring &) {});\
+	ON_SCOPE_EXIT([&] {if (regok) UNONE::InterUnregisterLogger(); });

src/OpenArk/common/qt-wrapper/qt-wrapper.cpp

@@ -16,6 +16,10 @@
 #include "qt-wrapper.h"
 #include "../common/common.h"
 
+OpenArk *openark = nullptr;
+QTranslator *app_tr = nullptr;
+QApplication *app = nullptr;
+
 QSize OpenArkTabStyle::sizeFromContents(ContentsType type, const QStyleOption *option, const QSize &size, const QWidget *widget) const
 {
 	QSize s = QProxyStyle::sizeFromContents(type, option, size, widget);

src/OpenArk/common/qt-wrapper/qt-wrapper.h

@@ -34,6 +34,12 @@
 #include <QJsonDocument>
 #include <QJsonArray>
 
+#include <openark/openark.h>
+
+extern QTranslator *app_tr;
+extern OpenArk *openark;
+extern QApplication *app;
+
 class OpenArkTabStyle : public QProxyStyle {
 public:
 	QSize sizeFromContents(ContentsType type, const QStyleOption *option, const QSize &size, const QWidget *widget) const;
@@ -103,7 +109,16 @@ inline void MsgBoxError(QString msg)
 {
 	QMessageBox::critical(nullptr, QObject::tr("OpenArk Error"), msg);
 }
-
+inline void LabelSuccess(QLabel* label, QString msg)
+{
+	label->setText(msg);
+	label->setStyleSheet("color:green");
+}
+inline void LabelError(QLabel* label, QString msg)
+{
+	label->setText(msg);
+	label->setStyleSheet("color:red");
+}
 inline QStringList VectorToQList(const std::vector<std::string>& vec)
 {
 	QStringList result;

src/OpenArk/common/win-wrapper/win-wrapper.cpp

@@ -18,6 +18,8 @@
 #include <QString>
 #include <QtCore>
 #include <arkdrv-api/arkdrv-api.h>
+#include <shlwapi.h>
+#pragma comment(lib, "shlwapi.lib")
 
 std::wstring FormatFileTime(FILETIME *file_tm)
 {
@@ -46,7 +48,7 @@ std::wstring CalcFileTime(FILETIME *file_tm)
 
 bool RetrieveThreadTimes(DWORD tid, std::wstring& ct, std::wstring& kt, std::wstring& ut)
 {
-	HANDLE thd = OpenThreadWrapper(THREAD_QUERY_INFORMATION, FALSE, tid);
+	HANDLE thd = ArkDrvApi::Process::OpenThread(THREAD_QUERY_INFORMATION, FALSE, tid);
 	if (!thd) {
 		return false;
 	}
@@ -69,7 +71,7 @@ bool RetrieveThreadTimes(DWORD tid, std::wstring& ct, std::wstring& kt, std::wst
 
 std::wstring ProcessCreateTime(__in DWORD pid)
 {
-	HANDLE Process = OpenProcessWrapper(PROCESS_QUERY_INFORMATION, FALSE, pid);
+	HANDLE Process = ArkDrvApi::Process::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
 	if (!Process) {
 		return L"";
 	}
@@ -88,7 +90,7 @@ std::wstring ProcessCreateTime(__in DWORD pid)
 
 LONGLONG ProcessCreateTimeValue(__in DWORD pid)
 {
-	HANDLE phd = OpenProcessWrapper(PROCESS_QUERY_INFORMATION, FALSE, pid);
+	HANDLE phd = ArkDrvApi::Process::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
 	if (!phd) {
 		return 0;
 	}
@@ -120,7 +122,7 @@ bool CreateDump(DWORD pid, const std::wstring& path, bool mini)
 		dmp_type = (MINIDUMP_TYPE)(MiniDumpWithThreadInfo | MiniDumpWithFullMemoryInfo | MiniDumpWithTokenInformation |
 			MiniDumpWithProcessThreadData | MiniDumpWithDataSegs | MiniDumpWithFullMemory | MiniDumpWithHandleData);
 	}
-	HANDLE phd = OpenProcessWrapper(PROCESS_ALL_ACCESS, FALSE, pid);
+	HANDLE phd = ArkDrvApi::Process::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
 	if (!phd) {
 		return false;
 	}
@@ -201,7 +203,7 @@ SIZE_T GetProcessPrivateWorkingSet(DWORD pid)
 	PROCESS_MEMORY_COUNTERS_EX mm_info;
 	if (!UNONE::MmGetProcessMemoryInfo(pid, mm_info))
 		return 0;
-	HANDLE phd = OpenProcessWrapper(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
+	HANDLE phd = ArkDrvApi::Process::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
 	if (!phd) {
 		return 0;
 	}
@@ -561,23 +563,61 @@ DWORD OsGetExplorerPid()
 	return PsGetPidByWindowW(L"Progman", L"Program Manager");
 }
 
-
-HANDLE OpenProcessWrapper(DWORD access, BOOL inherit, DWORD pid)
+/*++
+Description:
+	load driver registry
+Arguments:
+	file_path - driver file path
+	srv_name - driver service name
+Return:
+	bool
+--*/
+bool ObLoadDriverRegistryW(__in const std::wstring &file_path, __in std::wstring srv_name)
 {
-	HANDLE phd = OpenProcess(access, inherit, pid);
-	if (!phd && GetLastError()==ERROR_ACCESS_DENIED) {
-		phd = ArkDrvApi::Process::OpenProcess(access, inherit, pid);
-		if (!phd) return 0;
-	}
-	return phd;
+	HKEY subkey = NULL;
+	do {
+		std::wstring driver_path = UNONE::FsPathStandardW(L"\\??\\" + file_path);
+		DWORD dispos;
+		std::wstring key_name = L"SYSTEM\\CurrentControlSet\\services\\" + srv_name;
+		LONG result = RegCreateKeyExW(HKEY_LOCAL_MACHINE, key_name.c_str(), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &subkey, &dispos);
+		if (result != ERROR_SUCCESS) {
+			UNONE_ERROR(L"RegCreateKeyExW %s err:%d", key_name.c_str(), result);
+			return false;
+		}
+		DWORD start = SERVICE_DEMAND_START;
+		result = RegSetValueExW(subkey, L"Start", 0, REG_DWORD, (BYTE*)&start, sizeof(start));
+		if (result != ERROR_SUCCESS) {
+			UNONE_ERROR(L"RegSetValueW err:%d", result);
+			break;
+		}
+
+		DWORD type = SERVICE_KERNEL_DRIVER;
+		result = RegSetValueExW(subkey, L"Type", 0, REG_DWORD, (BYTE*)&type, sizeof(type));
+		if (result != ERROR_SUCCESS) {
+			UNONE_ERROR(L"RegSetValueW err:%d", result);
+			break;
+		}
+
+		DWORD errctl = SERVICE_ERROR_NORMAL;
+		result = RegSetValueExW(subkey, L"ErrorControl", 0, REG_DWORD, (BYTE*)&errctl, sizeof(errctl));
+		if (result != ERROR_SUCCESS) {
+			UNONE_ERROR(L"RegSetValueW err:%d", result);
+			break;
+		}
+
+		result = RegSetValueExW(subkey, L"ImagePath", 0, REG_EXPAND_SZ, (BYTE*)driver_path.c_str(), (DWORD)driver_path.size() * 2);
+		if (result != ERROR_SUCCESS) {
+			UNONE_ERROR(L"RegSetValueW err:%d", result);
+			break;
+		}
+	} while (0);
+	if (subkey)	RegCloseKey(subkey);
+	return true;
 }
 
-HANDLE OpenThreadWrapper(DWORD access, BOOL inherit, DWORD tid)
+bool ObUnloadDriverRegistryW(__in const std::wstring &srv_name)
 {
-	HANDLE phd = OpenThread(access, inherit, tid);
-	if (!phd && GetLastError() == ERROR_ACCESS_DENIED) {
-		phd = ArkDrvApi::Process::OpenThread(access, inherit, tid);
-		if (!phd) return 0;
-	}
-	return phd;
-}
+	std::wstring key_name = L"SYSTEM\\CurrentControlSet\\services\\" + srv_name;
+	SHDeleteKeyW(HKEY_LOCAL_MACHINE, key_name.c_str());
+	return true;
+}

src/OpenArk/common/win-wrapper/win-wrapper.h

@@ -47,5 +47,5 @@ bool ReadFileDataW(__in const std::wstring &fpath, __in int64_t offset, __in int
 bool ReadStdout(const std::wstring& cmdline, std::wstring& output, DWORD& exitcode, DWORD timeout = INFINITE);
 DWORD PsGetPidByWindowW(wchar_t *cls, wchar_t *title);
 DWORD OsGetExplorerPid();
-HANDLE OpenProcessWrapper(DWORD access, BOOL inherit, DWORD pid);
-HANDLE OpenThreadWrapper(DWORD access, BOOL inherit, DWORD tid);
+bool ObLoadDriverRegistryW(__in const std::wstring &file_path, __in std::wstring srv_name);
+bool ObUnloadDriverRegistryW(__in const std::wstring &srv_name);

src/OpenArk/kernel/driver/driver.cpp

@@ -140,32 +140,35 @@ void KernelDriver::InitDriverKitView()
 	connect(ui->installUnsignedBtn, SIGNAL(clicked()), this, SLOT(onInstallUnsignedDriver()));
 	connect(ui->installExpiredBtn, SIGNAL(clicked()), this, SLOT(onInstallExpiredDriver()));
 	connect(ui->uninstallBtn, SIGNAL(clicked()), this, SLOT(onUninstallDriver()));
-}
+	connect(ui->writeRegBtn, &QPushButton::clicked, [&] {
+		auto driver = QToWStr(ui->driverFileEdit->text());
+		auto service = QToWStr(ui->serviceEdit->text());
+		ObLoadDriverRegistryW(driver, service) ?
+			LabelSuccess(ui->infoLabel, tr("Write registry ok...")) :
+			LabelError(ui->infoLabel, tr("Write registry failed, open console window to view detail..."));
+	});
+	connect(ui->cleanRegBtn, &QPushButton::clicked, [&] {
+		auto service = QToWStr(ui->serviceEdit->text());
+		ObUnloadDriverRegistryW(service) ?
+			LabelSuccess(ui->infoLabel, tr("Clean registry ok...")) :
+			LabelError(ui->infoLabel, tr("Clean registry failed, open console window to view detail..."));
+	});
 
+}
 
 void KernelDriver::onSignDriver()
 {
 	QString driver = ui->driverFileEdit->text();
-	if (SignExpiredDriver(driver)) {
-		ui->infoLabel->setText(tr("Sign ok..."));
-		ui->infoLabel->setStyleSheet("color:green");
-	}
-	else {
-		ui->infoLabel->setText(tr("Sign failed, open console window to view detail..."));
-		ui->infoLabel->setStyleSheet("color:red");
-	}
+	SignExpiredDriver(driver) ? 
+		LabelSuccess(ui->infoLabel, tr("Sign ok...")) :
+		LabelError(ui->infoLabel, tr("Sign failed, open console window to view detail..."));
 }
 
 void KernelDriver::onInstallNormallyDriver()
 {
-	if (InstallDriver(ui->driverFileEdit->text(), ui->serviceEdit->text())) {
-		ui->infoLabel->setText(tr("Install ok..."));
-		ui->infoLabel->setStyleSheet("color:green");
-	}
-	else {
-		ui->infoLabel->setText(tr("Install failed, open console window to view detail..."));
-		ui->infoLabel->setStyleSheet("color:red");
-	}
+	InstallDriver(ui->driverFileEdit->text(), ui->serviceEdit->text()) ?
+		LabelSuccess(ui->infoLabel, tr("Install ok...")) :
+		LabelError(ui->infoLabel, tr("Install failed, open console window to view detail..."));
 }
 
 void KernelDriver::onInstallUnsignedDriver()
@@ -183,14 +186,9 @@ void KernelDriver::onInstallExpiredDriver()
 
 void KernelDriver::onUninstallDriver()
 {
-	if (UninstallDriver(ui->serviceEdit->text())) {
-		ui->infoLabel->setText(tr("Uninstall ok..."));
-		ui->infoLabel->setStyleSheet("color:green");
-	}
-	else {
-		ui->infoLabel->setText(tr("Uninstall failed, open console window to view detail..."));
-		ui->infoLabel->setStyleSheet("color:red");
-	}
+	UninstallDriver(ui->serviceEdit->text()) ?
+		LabelSuccess(ui->infoLabel, tr("Uninstall ok...")) :
+		LabelError(ui->infoLabel, tr("Uninstall failed, open console window to view detail..."));
 }
 
 bool KernelDriver::InstallDriver(QString driver, QString name)