; taskmod.asm -- task and module enumeration for IceDump
;
; Syntax: NASM, bits 32, VxD code (VMM services via the VMMCall macro).
; The routines below walk kernel structures (TaskDB chain, ProcessDB,
; ModRef chain) through selectors and linear pointers taken from kernel
; memory.  Every walk runs inside a VMM exception handler range so that a
; bad pointer or selector yields FALSE (eax = 0) instead of a fault, and
; the failure is traced when ICEDUMP_DEBUG_TASKMOD is set in
; sdata+DebugFlags.
%include "util.mac"
%include "icedump.inc"
%include "vxdn.inc"
%include "wiat.inc"
%include "win32n.inc"
%include "common.inc"
; MAKEDEP builds presumably only need the %include list above
%ifndef MAKEDEP
; exported entry points (stdcall: callee pops its arguments)
global TaskFirst
global TaskNext
global TaskEnd
global ModFirst
global ModNext
global ModEnd
global KillProcess
global GetModuleInfo
global GetBaseAddress
global GetPIDName
global GetNamePID
global GetCurrentProcessID
global GetModuleHandle
extern sdata                            ; module data; DebugFlags is read at sdata+DebugFlags
extern oMTEList
bits 32
segment _LTEXT
;-------------------------------------------------------------------------------
; Before first use the following must have been called (normally done in
; WiniceMainHook):
;   GetAPIs     in winice context, then
;   GetK32Info  in win32 or VxD context
; selKernelVars / headTDB used by TaskFirst are presumably filled in there.
;-------------------------------------------------------------------------------
;BOOL TaskFirst(Offset TaskEntry);
;
; Fill the TASKENTRY struct with the first Win32 task, found by walking the
; TaskDB chain from its head; tasks without the Win32 flag are skipped.
; In:    [ebp+8] = TaskEntry (pointer; trusted -- the te_dwSize store below
;        is outside the exception-protected range)
; Out:   eax = 1 on success, 0 if no Win32 task exists, the handler could
;        not be installed, or a fault occurred during the walk
; Clobb: eax, flags (ebx, esi, gs are saved/restored; anything the VMMCall
;        macros or TaskGetProcName clobber beyond that is not saved here)
; Stack: stdcall, one dword argument (retn 4)
; Note:  TaskDB offsets 0 (next TaskDB) and 0x16 (flags) are hard-coded; a
;        named constant would make the layout assumption explicit.
TaskFirst:
push ebp
mov ebp,esp
push ebx
push esi
push gs                                 ; gs is used as the TaskDB selector below
%define TaskEntry ebp+8
mov esi,EHS_TaskFirst                   ; fault protection for the TaskDB walk
VMMCall Install_Exception_Handler
jnc @F
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskFirst: failed to install exception handler"
debug_end
xor eax,eax                             ; FALSE; nothing was installed, so nothing to remove
jmp short .ret
@@
mov ebx,[TaskEntry]                     ; ebx = TaskEntry for the rest of the function
mov dword [ebx+TASKENTRY.te_dwSize],TASKENTRY_size
.protect_start:
; locate the first TaskDB: [selKernelVars] -> word selector of the kernel
; data segment; [headTDB] -> dword offset in that segment holding the head
mov eax,[selKernelVars]                 ; grab first TaskDB
movzx eax,word [eax]                    ; eax = kernel data segment selector
mov gs,eax                              ; gs -> kernel data segment
mov eax,[headTDB]
mov eax,[eax]                           ; eax = offset of the chain head within gs
movzx eax,word [gs:eax]                 ; eax = first TaskDB selector (0 if none)
@@
; loop invariant: eax = current TaskDB selector, non-zero
mov [ebx+TASKENTRY.te_hTask],eax        ; recorded even for 16-bit tasks; overwritten when skipped
mov gs,eax                              ; gs -> TaskDB (an invalid selector faults into .EH)
test word [gs:0x16],0x10                ; TaskDB flags: Win32 task?
jnz .protect_end                        ; yes -> fetch its name
movzx eax,word [gs:0]                   ; grab next TaskDB; 0 = end of chain
or eax,eax
jnz @B
jmp short .free_eh                      ; eax = 0 here: no Win32 task -> FALSE
.protect_end:
call TaskGetProcName                    ; eax = TaskDB, ebx = TaskEntry -> eax = 1/0; has its own handler
jmp short .free_eh
.EH:
; entered on a fault inside the range registered in EHS_TaskFirst;
; gs:eax are presumably as they were at the fault (that is what is traced)
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskFirst: exception, GS:EAX: #gs:#eax"
debug_end
xor eax,eax                             ; FALSE
.free_eh:
; eax holds the return value from here on; assumes Remove_Exception_Handler
; preserves it -- confirm
mov esi,EHS_TaskFirst
VMMCall Remove_Exception_Handler
jnc .ret
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskFirst: failed to uninstall exception handler"
debug_end
.ret:
pop gs
pop esi
pop ebx
pop ebp
%undef TaskEntry
retn 4
segment _LDATA
align 4
; VMM exception handler descriptor for TaskFirst (passed in esi to
; Install/Remove_Exception_Handler): a fault while executing between
; TaskFirst.protect_start and TaskFirst.protect_end is routed to TaskFirst.EH
EHS_TaskFirst:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd TaskFirst.protect_start
at EHS_End_EIP, dd TaskFirst.protect_end
at EHS_Handler, dd TaskFirst.EH
iend
segment _LTEXT
;BOOL TaskNext(Offset TaskEntry);
;
; Advance to the next Win32 task after the one recorded in te_hTask by a
; previous TaskFirst/TaskNext; tasks without the Win32 flag are skipped.
; In:    [ebp+8] = TaskEntry (pointer; te_hTask must hold a valid TaskDB --
;        a bogus value faults into .EH and yields FALSE)
; Out:   eax = 1 on success, 0 at end of chain, on handler install failure
;        or on a fault
; Clobb: eax, flags (ebx, esi, gs are saved/restored)
; Stack: stdcall, one dword argument (retn 4)
TaskNext:
push ebp
mov ebp,esp
push ebx
push esi
push gs                                 ; gs is used as the TaskDB selector below
%define TaskEntry ebp+8
mov esi,EHS_TaskNext                    ; fault protection for the TaskDB walk
VMMCall Install_Exception_Handler
jnc @F
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskNext: failed to install exception handler"
debug_end
xor eax,eax                             ; FALSE; nothing was installed, so nothing to remove
jmp short .ret
@@
mov ebx,[TaskEntry]                     ; ebx = TaskEntry for the rest of the function
.protect_start:
; loop: step from te_hTask to the next TaskDB until a Win32 task or end of chain
mov eax,[ebx+TASKENTRY.te_hTask]        ; current TaskDB
mov gs,eax                              ; gs -> TaskDB
movzx eax,word [gs:0]                   ; next TaskDB; 0 = end of chain
or eax,eax
jz .free_eh                             ; eax = 0 -> FALSE
mov [ebx+TASKENTRY.te_hTask],eax        ; advance; read back on the next iteration
mov gs,eax                              ; test TaskDB.flags
test word [gs:0x16],0x10                ; win32 task?
jz .protect_start                       ; 16-bit task: keep walking
.protect_end:
call TaskGetProcName                    ; eax = TaskDB, ebx = TaskEntry -> eax = 1/0; has its own handler
jmp short .free_eh
.EH:
; entered on a fault inside the range registered in EHS_TaskNext
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskNext: exception, GS:EAX: #gs:#eax"
debug_end
xor eax,eax                             ; FALSE
.free_eh:
; eax holds the return value from here on; assumes Remove_Exception_Handler
; preserves it -- confirm
mov esi,EHS_TaskNext
VMMCall Remove_Exception_Handler
jnc .ret
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskNext: failed to uninstall exception handler"
debug_end
.ret:
pop gs
pop esi
pop ebx
pop ebp
%undef TaskEntry
retn 4
segment _LDATA
align 4
; VMM exception handler descriptor for TaskNext: a fault while executing
; between TaskNext.protect_start and TaskNext.protect_end is routed to
; TaskNext.EH
EHS_TaskNext:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd TaskNext.protect_start
at EHS_End_EIP, dd TaskNext.protect_end
at EHS_Handler, dd TaskNext.EH
iend
segment _LTEXT
;void TaskEnd(void);
;
; End a TaskFirst/TaskNext enumeration.  The enumeration holds no state
; outside the caller's TASKENTRY, so this is a no-op kept for WIN32
; compatibility API symmetry.  Clobbers nothing.
TaskEnd:
ret
; TaskGetProcName: copy the task's module path into TASKENTRY.te_ProcName
;
; In:    eax = TaskDB selector, ebx = TASKENTRY pointer
; Out:   eax = 1 on success, 0 on error (handler install failure or a fault
;        while reading the TaskDB / module database)
; Clobb: eax, flags (ecx, esi, edi, gs are saved/restored; ecx is saved
;        although nothing visible here uses it)
; Note:  the copy loop has no length bound -- it stops only at the NUL of
;        the source path, so it relies on the path fitting in te_ProcName.
;        TODO confirm the field size against the longest path the module
;        database can hold.
; Note:  offsets 0x1E (TaskDB.hMod), 0x0A (module OFSTRUCT) and 9 are
;        hard-coded; named constants would make the layout explicit.
TaskGetProcName:
push ecx
push esi
push edi
push gs
mov esi,EHS_TaskGetProcName             ; fault protection for the selector/path reads
VMMCall Install_Exception_Handler
jnc .protect_start
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskGetProcName: failed to install exception handler"
debug_end
xor eax,eax                             ; FALSE; nothing to remove
jmp .ret
.protect_start:
mov gs,eax                              ; gs -> TaskDB
movzx eax,word [gs:0x1E]                ; grab TaskDB.hMod
mov gs,eax                              ; gs -> module database
movzx esi,word [gs:0x0A]                ; hMod.OFSTRUCT (offset within the module database)
add esi,byte 9                          ; presumably skips the OFSTRUCT header to the path string -- verify offset
lea edi,[ebx+TASKENTRY.te_ProcName]     ; edi = destination
@@
; copy bytes from gs:esi to [edi] up to and including the terminating NUL
mov al,[gs:esi]
mov [edi],al
inc esi
inc edi
cmp al,0                                ; NUL copied -> done
jnz @B
.protect_end:
mov eax,1                               ; TRUE
jmp short .free_eh
.EH:
; entered on a fault inside the range registered in EHS_TaskGetProcName
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskGetProcName: exception, GS:EAX: #gs:#eax"
debug_end
xor eax,eax                             ; FALSE
.free_eh:
; eax holds the return value from here on; assumes Remove_Exception_Handler
; preserves it -- confirm
mov esi,EHS_TaskGetProcName
VMMCall Remove_Exception_Handler
jnc .ret
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: TaskGetProcName: failed to uninstall exception handler"
debug_end
.ret:
pop gs
pop edi
pop esi
pop ecx
retn
segment _LDATA
align 4
; VMM exception handler descriptor for TaskGetProcName: a fault while
; executing between TaskGetProcName.protect_start and
; TaskGetProcName.protect_end is routed to TaskGetProcName.EH
EHS_TaskGetProcName:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd TaskGetProcName.protect_start
at EHS_End_EIP, dd TaskGetProcName.protect_end
at EHS_Handler, dd TaskGetProcName.EH
iend
segment _LTEXT
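;BOOL ModFirst(Offset ModEntry, PID)
;
; Fill the MODULEENTRY struct with the first module of the process whose
; TaskDB is PID: resolve PID to its ProcessDB and take the head of the
; ProcessDB.ModRefList chain.
; In:    [ebp+8]  = ModEntry (pointer; trusted -- the me_dwSize store below
;        is outside the exception-protected range)
;        [ebp+12] = PID (TaskDB, handed to TaskDB2ProcessDB in eax)
; Out:   eax = result of ModGetData (non-zero on success); 0 if PID has no
;        ProcessDB, the ModRefList is empty, the handler could not be
;        installed, or a fault occurred
; Clobb: eax, flags (ebx, esi, gs are saved/restored; anything
;        TaskDB2ProcessDB / ModGetData clobber beyond that is not saved here)
; Stack: stdcall, two dword arguments (retn 8)
; Note:  0x4C (ProcessDB.ModRefList) is a hard-coded offset; a named
;        constant would make the layout assumption explicit.
ModFirst:
push ebp
mov ebp,esp
push ebx
push esi
push gs
%define PID ebp+12
%define ModEntry ebp+8
mov esi,EHS_ModFirst                    ; fault protection for the ProcessDB read
VMMCall Install_Exception_Handler
jnc @F
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: ModFirst: failed to install exception handler"
debug_end
xor eax,eax                             ; FALSE; nothing was installed, so nothing to remove
jmp short .ret
@@
mov ebx,[ModEntry]                      ; ebx = ModEntry for the rest of the function
mov dword [ebx+MODULEENTRY.me_dwSize],MODULEENTRY_size
.protect_start:
mov eax,[PID]
call TaskDB2ProcessDB                   ; eax = ProcessDB or 0
test eax,eax
jz .free_eh                             ; no ProcessDB for this PID -> FALSE (eax = 0)
mov eax,[eax+0x4C]                      ; grab ProcessDB.ModRefList (head of the chain)
test eax,eax                            ; empty list: return FALSE rather than handing
jz .free_eh                             ;   ModGetData a NULL ModRef (same check as ModNext)
mov [ebx+MODULEENTRY.me_th32ModuleID],eax
.protect_end:
call ModGetData                         ; eax = ModRef, ebx = ModEntry (presumably) -> eax
jmp short .free_eh
.EH:
; entered on a fault inside the range registered in EHS_ModFirst
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: ModFirst: exception, GS:EAX: #gs:#eax"
debug_end
xor eax,eax                             ; FALSE
.free_eh:
; eax holds the return value from here on; assumes Remove_Exception_Handler
; preserves it -- confirm
mov esi,EHS_ModFirst
VMMCall Remove_Exception_Handler
jnc .ret
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: ModFirst: failed to uninstall exception handler"
debug_end
.ret:
pop gs
pop esi
pop ebx
pop ebp
%undef PID
%undef ModEntry
retn 8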
segment _LDATA
align 4
; VMM exception handler descriptor for ModFirst: a fault while executing
; between ModFirst.protect_start and ModFirst.protect_end is routed to
; ModFirst.EH
EHS_ModFirst:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd ModFirst.protect_start
at EHS_End_EIP, dd ModFirst.protect_end
at EHS_Handler, dd ModFirst.EH
iend
segment _LTEXT
;BOOL ModNext(Offset ModEntry);
;
; Advance to the next module in the ModRef chain after the one recorded in
; me_th32ModuleID by a previous ModFirst/ModNext.
; In:    [ebp+8] = ModEntry (pointer; me_th32ModuleID must hold a valid
;        ModRef -- a bad pointer faults into .EH and yields FALSE)
; Out:   eax = result of ModGetData (non-zero on success); 0 at end of
;        chain, on handler install failure or on a fault
; Clobb: eax, flags (ebx, esi are saved/restored).  Unlike ModFirst, gs is
;        not saved here; fine as long as ModGetData leaves it alone -- confirm.
; Stack: stdcall, one dword argument (retn 4)
ModNext:
push ebp
mov ebp,esp
push ebx
push esi
%define ModEntry ebp+8
mov esi,EHS_ModNext                     ; fault protection for the ModRef read
VMMCall Install_Exception_Handler
jnc @F
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: ModNext: failed to install exception handler"
debug_end
xor eax,eax                             ; FALSE; nothing was installed, so nothing to remove
jmp short .ret
@@
mov ebx,[ModEntry]                      ; ebx = ModEntry for the rest of the function
.protect_start:
mov eax,[ebx+MODULEENTRY.me_th32ModuleID] ; current ModRef
mov eax,[eax]                           ; grab ModRef.NextModRef (dword at offset 0); 0 = end of chain
or eax,eax
jz .free_eh                             ; eax = 0 -> FALSE
mov [ebx+MODULEENTRY.me_th32ModuleID],eax ; advance
.protect_end:
call ModGetData                         ; eax = ModRef, ebx = ModEntry (presumably) -> eax
jmp short .free_eh
.EH:
; entered on a fault inside the range registered in EHS_ModNext
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: ModNext: exception, EAX: #eax"
debug_end
xor eax,eax                             ; FALSE
.free_eh:
; eax holds the return value from here on; assumes Remove_Exception_Handler
; preserves it -- confirm
mov esi,EHS_ModNext
VMMCall Remove_Exception_Handler
jnc .ret
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
Trace_Out "ICEDUMP: ModNext: failed to uninstall exception handler"
debug_end
.ret:
pop esi
pop ebx
pop ebp
%undef ModEntry
retn 4
segment _LDATA
align 4
; VMM exception handler descriptor for ModNext: a fault while executing
; between ModNext.protect_start and ModNext.protect_end is routed to
; ModNext.EH
EHS_ModNext:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd ModNext.protect_start
at EHS_End_EIP, dd ModNext.protect_end
at EHS_Handler, dd ModNext.EH
iend
segment _LTEXT
;void ModEnd(void);
;
; End a ModFirst/ModNext enumeration.  The enumeration holds no state
; outside the caller's MODULEENTRY, so this is a no-op kept for WIN32
; compatibility API symmetry.  Clobbers nothing.
ModEnd:
ret
; convert TaskDB to ProcessDB
;
; EAX: TaskDB
;
; EAX: ProcessDB or 0 on error
TaskDB2ProcessDB:
push ebx
push ecx
push esi
push edi
push eax
xor ecx,ecx
VMMCall Begin_Critical_Section
VMMCall Get_Sys_VM_Handle
VMMCall Get_Initial_Thread_Handle