📄 showla.bat
;@GOTO -)
; See also http://EliCZ.com/Export/ShowGA.zip
.586P
.MODEL FLAT
INCLUDE WINDOWS.inc
UNICODE=0
INCLUDE APIMACRO.mac
INCLUDE APIHOOKS.inc
INCLUDELIB iKERNEL32
INCLUDELIB iUSER32
INCLUDELIB iCRTDLL
INCLUDELIB iPrcWorks
INCLUDELIB iApiHooks
; One collected atom: a numeric id followed by a fixed 256-character name buffer.
; AtomScout fills an array of these records and ShowLA walks the same array,
; stepping 4 bytes for the id and 256 bytes for the name of every entry.
ATOMSTR STRUCT
nAtom DWORD ?                   ; atom id, stored by AtomScout with STOSD
AtomN ACHAR 256 DUP (?)         ; name buffer handed to GetAtomNameA with size 256
ATOMSTR ENDS
; Capacity of the atom table, counted in ATOMSTR entries. AtomScout stops
; collecting once it has stored this many.
MAX_ATOMS = 1024
.DATA?
; Uninitialised buffer ShowLA formats one output line into. SIGN is declared in
; the include files (presumably the character type selected by UNICODE - confirm).
Text SIGN 300 DUP (?)
.CODE
; While AtomScout runs, EBP holds the run-time address of AtomTable.
ASSUME EBP : PTR DWORD
; Text equate: inside AtomScout "GetAtomNameA" means the DWORD slot
; _GetAtomNameA, addressed relative to EBP (the slot lies just before AtomTable).
GetAtomNameA EQU [EBP][_GetAtomNameA - AtomTable]
; Atom ids probed by AtomScout: 0C000h..0FFFFh is the range Windows uses for
; string atoms.
StartnAtom = 0C000H
MaxnAtom = 0FFFFH
ALIGN 4
;-----------------------------------------------------------------------
; AtomScout - position-independent routine that collects string atoms.
; ShowLA copies this routine, together with the _GetAtomNameA slot that
; follows it, into a buffer and passes that buffer to RemoteExecute
; (presumably to run inside the target process - see APIHOOKS.inc). The code
; therefore locates its data relative to its own address.
; Out:   EAX = number of ATOMSTR entries written at AtomTable (<= MAX_ATOMS)
; Regs:  EBX = atom id being probed, ESI = entries stored so far,
;        EDI = write cursor, EBP = run-time address of AtomTable.
;        None of these registers is saved or restored here.
; Stack: RETN 4 removes one DWORD argument that the body never reads.
; NOTE(review): STOSD advances EDI only if the direction flag is clear on
;        entry - confirm that the caller guarantees this.
;-----------------------------------------------------------------------
AtomScout PROC
CALL ASDelta                    ; push the run-time address of ASDelta
ASDelta:
POP EBP                         ; EBP = where ASDelta actually is
ADD EBP, (AtomTable - ASDelta)  ; EBP = run-time address of AtomTable
MOV EBX, StartnAtom             ; first atom id to probe
SUB ESI, ESI                    ; stored-entry count = 0
MOV EDI, EBP                    ; write cursor starts at the table
NextKAtom:
CMP EBX, MaxnAtom
JA CollectDone                  ; all ids up to MaxnAtom probed (unsigned compare)
CMP ESI, MAX_ATOMS
JAE CollectDone                 ; table full
MOV EAX, EBX
STOSD                           ; tentatively store the id; EDI now at the name field
; Call through the _GetAtomNameA slot (see the GetAtomNameA equate): name of
; atom EBX into the 256-byte field at EDI. EAX = 0 means no such atom.
sWin32 GetAtomNameA, EBX, EDI, 256
INC EBX                         ; next id, whatever the outcome
TEST EAX, EAX
JE @F                           ; no name returned: discard the tentative entry
INC ESI                         ; keep the entry
ADD EDI, 256                    ; skip the name field to the next entry
JMP NextKAtom
@@:
SUB EDI, 4                      ; rewind so the next id overwrites this slot
JMP NextKAtom
CollectDone:
MOV EAX, ESI                    ; return value = number of entries stored
RETN 4
AtomScout ENDP
ASSUME EBP : NOTHING
ALIGN 4
; Slot holding the address AtomScout calls to reach GetAtomNameA. It sits
; directly before AtomTable, inside the ASSize0 bytes that ShowLA copies along
; with the routine. PrimaryThread stores this process's GetAtomNameA address
; here before ShowLA runs.
; NOTE(review): the copied routine then calls an address resolved in this
; process - that only works if the function is mapped at the same address in
; the target; confirm this assumption holds for the systems this is run on.
_GetAtomNameA DWORD 0
; Start of the atom table. LABEL reserves no storage in this image (the DUP is
; commented out); the table's space exists only in the ASSize-byte buffers.
AtomTable LABEL ATOMSTR ;MAX_ATOMS DUP (<>)
; Bytes from AtomScout up to here (code plus the pointer slot), rounded up to
; a multiple of 4.
ASSize0 EQU (($-AtomScout+3) AND NOT 3)
; The same span plus room for MAX_ATOMS table entries, rounded up to a
; multiple of 4.
ASSize EQU (($-AtomScout+MAX_ATOMS*ATOMSTR+3) AND NOT 3)
; TEXTA/TEXT are macros from the include files. Judging by the later uses
; (szAtomTempl, sCRLF with LCRLF) they emit prefixed string and length symbols,
; and "/#", "/n", "/0" look like their escapes for '%', newline and NUL -
; confirm against APIMACRO.mac.
; Output line template: atom id in hex, " ~ ", the atom name, newline.
TEXTA zAtomTempl, </#.4X ~ /#s/n/0>
; TEXTA Done, <..done..>
TEXTA CRLF, </n>
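;-----------------------------------------------------------------------
; ShowLA - print the string atoms found by AtomScout for the process named
; by szTargetName.
; In:    szTargetName = process name, passed on to ProcessName2PID
; Out:   EAX = result of the final _lwrite call (the CRLF)
; Flow:  1. allocate ASSize bytes and copy AtomScout plus the _GetAtomNameA
;           slot (ASSize0 bytes) into them;
;        2. hand the buffer to RemoteExecute; on success EAX is taken as the
;           number of table entries AtomScout stored;
;        3. read MAX_ATOMS entries back with ReadProcessMemory and print each
;           one through wsprintfA/_lwrite;
;        4. free the remote block, the local buffer and the process handle.
; The entry count and the table contents come from another process, so both
; are bounded before they are used: the count is checked against MAX_ATOMS
; and every name field gets a forced terminator before it reaches "%s".
; NOTE(review): the results of ProcessName2PID and GetDefaultRCInfo are not
; checked here; failure is only caught through RemoteExecute's return code.
;-----------------------------------------------------------------------
ShowLA PROC USES EBX EBP ESI EDI, szTargetName
iWin32 LocalAlloc, LPTR, ASSize
TEST EAX, EAX
; Nothing was allocated, nothing is on the stack for LocalFree and EBX is not
; an RCINFO pointer yet, so leave through Exit rather than the cleanup calls.
JE Exit
PUSH EAX                        ; keep the buffer address across the copy
oLEA ESI, AtomScout
MOV EDI, EAX
MOV ECX, ASSize0 SHR 2          ; DWORD count of code plus pointer slot
REP MOVSD
POP ESI                         ; ESI = local buffer
iWin32 GetDefaultRCInfo
MOV EBX, EAX                    ; EBX = RCINFO used for the remote call
ASSUME EBX : PTR RCINFO
; NOTE(review): RC_FL_OWNFREE presumably tells the library that this code
; releases the remote block itself (see RtlFreeMem below) - confirm.
MOV [EBX].RCFlags, RC_FL_OWNFREE
iWin32i ProcessName2PID, szTargetName
PUSH ESI                        ; argument for the bare "iWin32 LocalFree" at FreeMem
; 2*60000 is presumably a timeout in milliseconds - confirm in APIHOOKS.inc.
iWin32 RemoteExecute, EBX, EAX, 2*60000, ESI, ASSize, 0
CMP EAX, ErrorAHTimeOut
JE FreeMem                      ; timed out: the remote block is not freed on this path
CMP EAX, ErrorAHMin
JAE FreeFreeMem                 ; library error code
; The count was produced in the other process; refuse anything larger than
; the table so the print loop cannot run past the local buffer.
CMP EAX, MAX_ATOMS
JA FreeFreeMem
MOV EBP, EAX                    ; EBP = entries left to print
MOV ECX, [EBX].ThreadBody
ADD ECX, RCBlockStart + (AtomTable-AtomScout) ; remote address of the table
iWin32 ReadProcessMemory, [EBX].hProcess, ECX, ESI, MAX_ATOMS*ATOMSTR, NULL
TEST EAX, EAX
JE FreeFreeMem
oLEA EDI, Text
@@:
DEC EBP
JL FreeFreeMem                  ; all entries printed
LODSD                           ; EAX = atom id, ESI -> name field
; Force a terminator in the last byte of the 256-byte name field: the data was
; read from another process and the formatted line must fit in Text.
MOV BYTE PTR [ESI+255], 0
icWin32 wsprintfA, EDI, szAtomTempl, EAX, ESI
iWin32 _lwrite, STD_OUTPUT_HANDLE, EDI, EAX
ADD ESI, 256                    ; next entry
JMP @B
FreeFreeMem:
sWin32 [EBX].RtlFreeMem, [EBX].hProcess, [EBX].ThreadBody
FreeMem:
iWin32 LocalFree                ; argument is the buffer address pushed before RemoteExecute
iWin32 CloseHandle, [EBX].hProcess
ASSUME EBX : NOTHING
Exit:
; iWin32 _lwrite, STD_OUTPUT_HANDLE, sDone, LDone
; iWin32 _lread, STD_INPUT_HANDLE, ESP, 4
iWin32 _lwrite, STD_OUTPUT_HANDLE, sCRLF, LCRLF
RET
ShowLA ENDP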
; Names used to look up RtlAdjustPrivilege at run time (symbols szntdll, szRAP).
TEXT zntdll, <ntdll.dll/0>
TEXTA zRAP, <RtlAdjustPrivilege/0>
;-----------------------------------------------------------------------
; PrimaryThread - program entry point (named on the END directive).
; 1. store this process's GetAtomNameA address in the _GetAtomNameA slot;
; 2. try to enable privilege 20 through ntdll's RtlAdjustPrivilege;
; 3. fetch argc/argv with __GetMainArgs and require exactly one argument;
; 4. call ShowLA with argv[1], then ExitProcess with whatever is in EAX.
;-----------------------------------------------------------------------
PrimaryThread:
iMOV EAX, GetAtomNameA
MOV _GetAtomNameA, EAX          ; write into .CODE; the link step marks .text writable
iWin32i GetModuleHandle, szntdll
TEST EAX, EAX
JE @F                           ; ntdll not found: continue without the privilege
iWin32 GetProcAddress, EAX, szRAP
TEST EAX, EAX
JE @F                           ; export not found: continue without the privilege
PUSH ECX                        ; reserve one DWORD for the previous-state output
; RtlAdjustPrivilege(20, TRUE, 0, &slot): 20 is SeDebugPrivilege, TRUE enables
; it, 0 selects the process token rather than the thread token. The returned
; status is not checked, so a refusal goes unnoticed until a later call fails.
sWin32 EAX, 20, TRUE, 0, ESP
POP ECX                         ; drop the output slot
@@:
; Reserve three stack DWORDs (the pushed values are irrelevant) and pass their
; addresses to __GetMainArgs as envp, argv and argc outputs.
PUSH EAX
MOV EDX, ESP                    ; EDX = &envp
PUSH EAX
MOV ECX, ESP                    ; ECX = &argv
PUSH EBX
MOV EAX, ESP                    ; EAX = &argc
icWin32 __GetMainArgs, EAX, ECX, EDX, FALSE
POP ECX                         ; ECX = argc
POP EAX                         ; EAX = argv
POP EDX                         ; EDX = envp (unused)
CMP ECX, 2
JNE PrintUsage                  ; exactly one argument is required
sWin32 ShowLA, [EAX+4]          ; argv[1] = target process name
@@:
iWin32 ExitProcess, EAX
; Usage string placed in the code stream; execution never falls into it because
; ExitProcess does not return.
TEXTA Usage, <Usage: ShowLA /(ProcessName/)>
PrintUsage:
iWin32 _lwrite, STD_OUTPUT_HANDLE, sUsage, LUsage
JMP @B                          ; back to the ExitProcess call above
ALIGN 4
END PrimaryThread
:-)
@ECHO OFF
REM Batch half of the file. The first line of the file (";@GOTO -)") jumps to
REM the ":-)" label above; MASM treats that first line as a comment and stops
REM reading at the END directive, so it never sees these lines.
REM ML flags: /c assemble only, /coff COFF object, /Gz stdcall convention,
REM /Cp preserve identifier case.
ML /c /coff /Gz /Cp /nologo ShowLA.bat
REM /MERGE:.rdata=.text folds read-only data into .text and /SECTION:.text,EWR
REM links that section as executable, writable and readable. The write access
REM is what lets PrimaryThread store into _GetAtomNameA, which lives in .CODE;
REM it also means the program's whole code section is writable at run time.
REM eLINK and its /OPTidata switch are not defined on this page.
eLINK ShowLA /IGNORE:4078 /nologo /SUBSYSTEM:CONSOLE /OPTidata /MERGE:.rdata=.text /SECTION:.text,EWR
DEL ShowLA.obj
PAUSE
CLS