mov ebx,edi
@@
mov esi,[edi+TCB_ClientPtr] ; R0TCB.CRS
test byte [esi+CRS.EFlags+2],2 ; is client in V86 mode?
jnz .next
push dword [esp]
call _TaskDB2ProcessDB
test eax,eax
jnz .ret
.next:
VMMCall Get_Next_Thread_Handle
cmp ebx,edi
jnz @B
xor eax,eax
.ret:
VMMCall End_Critical_Section
pop edi
pop edi
pop esi
pop ecx
pop ebx
retn
; find out if the process owning the thread is the one we want
;
; [esp+4]: TaskDB
; EDI: R0TCB
;
; EAX: ProcessDB or 0 on error
_TaskDB2ProcessDB:
; In:   [esp+4] = TaskDB (only the low word is compared), edi = R0TCB
; Out:  eax = ProcessDB whose TaskDB matches, 0 on any failure
; Preserves ebx, ecx, edx, esi. The two dereferences between .protect_start
; and .protect_end are covered by EHS_TaskDB2ProcessDB, so a fault there is
; delivered to .EH, which reports failure.
        push    ebx
        push    ecx
        push    edx
        push    esi
        mov     esi,EHS_TaskDB2ProcessDB
        VMMCall Install_Exception_Handler
        jnc     .eh_installed
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
        Trace_Out "ICEDUMP: _TaskDB2ProcessDB: failed to install exception handler"
        debug_end
        xor     eax,eax                 ; no handler: refuse to touch ring-3 structures
        jmp     short .ret
.eh_installed:
        mov     ebx,[edi+TCB_VMHandle]
        mov     eax,[edi+TCB_ClientPtr]
        movzx   eax,word [eax+CRS.FS]   ; client FS = selTIB
        VMMCall _SelectorMapFlat, ebx, eax, byte 0
        ; Accept the flat TIB address only inside [0x80000000, 0xC0000000);
        ; an out-of-range value (presumably including the map failure value,
        ; -1 — confirm against the DDK) is treated as "no TIB".
        cmp     eax,0x80000000
        jb      .bad_tib
        cmp     eax,0xC0000000
        jae     .bad_tib
.protect_start:
        mov     eax,[eax+0x30]          ; TIB.ProcessDB
        movzx   ebx,word [eax+0x38]     ; ProcessDB.TaskDB
.protect_end:
        cmp     bx,[esp+20]             ; TaskDB arg: 4 saved regs + return address above it
        jz      .free_eh                ; match: eax still holds ProcessDB
.bad_tib:
        xor     eax,eax
        jmp     short .free_eh
.EH:
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
        Trace_Out "ICEDUMP: _TaskDB2ProcessDB: exception, EAX: #eax"
        debug_end
        xor     eax,eax
.free_eh:
        mov     esi,EHS_TaskDB2ProcessDB
        VMMCall Remove_Exception_Handler
        jnc     .ret
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
        Trace_Out "ICEDUMP: _TaskDB2ProcessDB: failed to uninstall exception handler"
        debug_end
.ret:
        pop     esi
        pop     edx
        pop     ecx
        pop     ebx
        retn    4
segment _LDATA
align 4
; Exception handler record for _TaskDB2ProcessDB: faults raised while
; executing the instructions between .protect_start and .protect_end
; (the TIB and ProcessDB dereferences) are dispatched to .EH.
EHS_TaskDB2ProcessDB:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd _TaskDB2ProcessDB.protect_start ; start of the guarded range
at EHS_End_EIP, dd _TaskDB2ProcessDB.protect_end ; end of the guarded range
at EHS_Handler, dd _TaskDB2ProcessDB.EH ; handler entry inside the function
iend
segment _LTEXT
; fill in module info
;
; EAX: ModRef, EBX: MODULEENTRY to fill in
;
; EAX: 1 on success, 0 on error
ModGetData:
; In:   eax = ModRef, ebx = MODULEENTRY to fill in
; Out:  eax = 1 on success, 0 on error
; Preserves ecx, edx, esi, edi. Everything between .protect_start and
; .protect_end reads MTE/PE structures through pointers taken from the
; module table, so that range is covered by EHS_ModGetData and a fault
; there ends up in .EH.
; Assumes DF is clear for the two rep movsb copies (VxD convention — confirm).
; NOTE(review): the copies use MTE.cbFileName / MTE.cbModName as-is; there is
; no bound against the size of the me_ExePath / me_ModuleName fields.
        push    ecx
        push    edx
        push    esi
        push    edi
        mov     esi,EHS_ModGetData
        VMMCall Install_Exception_Handler
        jnc     .eh_installed
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
        Trace_Out "ICEDUMP: ModGetData: failed to install exception handler"
        debug_end
        xor     eax,eax
        jmp     .ret
.eh_installed:
        mov     edx,[oMTEList]
        mov     edx,[edx]               ; edx = MTEList
        test    edx,edx
        jz      .fail                   ; no module table: report failure
.protect_start:
        movzx   eax,word [eax+0x10]     ; ModRef.MTEIndex
        mov     eax,[edx+4*eax]         ; eax = MTE = MTEList[MTEIndex]
        ; me_ExePath <- MTE.FileName, NUL-terminated
        movzx   ecx,word [eax+0x14]     ; MTE.cbFileName
        mov     esi,[eax+0x0C]          ; MTE.FileName
        lea     edi,[ebx+MODULEENTRY.me_ExePath]
        rep     movsb
        mov     byte [edi],0
        ; me_ModuleName <- MTE.ModName, NUL-terminated
        movzx   ecx,word [eax+0x16]     ; MTE.cbModName
        mov     esi,[eax+0x10]          ; MTE.ModName
        lea     edi,[ebx+MODULEENTRY.me_ModuleName]
        rep     movsb
        mov     byte [edi],0
        ; base address / size straight from the PE optional header
        mov     eax,[eax+0x04]          ; MTE.PEHeaders
        mov     ecx,[eax+0x34]          ; imagebase
        mov     [ebx+MODULEENTRY.me_modBaseAddr],ecx
        mov     [ebx+MODULEENTRY.me_hModule],ecx ; hModule is the image base
        mov     ecx,[eax+0x50]          ; imagesize
        mov     [ebx+MODULEENTRY.me_modBaseSize],ecx
.protect_end:
        mov     eax,1
        jmp     short .free_eh
.EH:
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
        Trace_Out "ICEDUMP: ModGetData: exception, EAX: #eax"
        debug_end
.fail:
        xor     eax,eax
.free_eh:
        mov     esi,EHS_ModGetData
        VMMCall Remove_Exception_Handler
        jnc     .ret
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TASKMOD
        Trace_Out "ICEDUMP: ModGetData: failed to uninstall exception handler"
        debug_end
.ret:
        pop     edi
        pop     esi
        pop     edx
        pop     ecx
        retn
segment _LDATA
align 4
; Exception handler record for ModGetData: faults raised while executing
; the instructions between .protect_start and .protect_end (the MTE / PE
; header reads and the name copies) are dispatched to .EH.
EHS_ModGetData:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd ModGetData.protect_start ; start of the guarded range
at EHS_End_EIP, dd ModGetData.protect_end ; end of the guarded range
at EHS_Handler, dd ModGetData.EH ; handler entry inside the function
iend
segment _LTEXT
;BOOL KillProcess(DWORD PID);
;
; Terminate given PID.
; Return TRUE on success.
;KillProcess:
; push ebp
; mov ebp,esp
;
;%define PID ebp+8
;
;
; pop ebp
;
;%undef PID
;
; retn 4
;DWORD GetModuleInfo(char *FNAME, DWORD PID);
;
; Retrieve size and Base address of module FNAME of given PID.
; Size is in EAX (0 on failure), Base in EBX.
;GetModuleInfo:
; push ebp
; mov ebp,esp
;
;%define FNAME ebp+8
;%define PID ebp+12
;
;
; pop ebp
;
;%undef FNAME
;%undef PID
;
; retn 8
;DWORD GetBaseAddress(PID,Offset Size);
;
; Retrieve Base Address and size of Given PID.
; Base in EAX (0 on failure), Size stored in Size Variable.
;GetBaseAddress:
; push ebp
; mov ebp,esp
;
;%define PID ebp+8
;%define Size ebp+12
;
;
; pop ebp
;
;%undef PID
;%undef Size
;
; retn 8
;==========================================================================
; Get PID of a given Name.
;==========================================================================
;--------------------------------------------------------------------------
;esp+4 : Filename
;
;EAX=PID, 0 if not found
;--------------------------------------------------------------------------
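GetPIDName:
; In:   [ebp+8] = Filename to look for (compared against te_ProcName)
; Out:  eax = te_hTask of the matching task, 0 when no task matches
; Preserves ebx. Walks the task list with TaskFirst/TaskNext using a
; TASKENTRY scratch buffer on the stack.
; NOTE(review): the not-found path returns without calling TaskEnd — confirm
; that TaskFirst/TaskNext need no cleanup once they report 0.
        push    ebp
        mov     ebp, esp
        sub     esp, TASKENTRY_size             ; local TASKENTRY
        push    ebx
        lea     ebx, [ebp-TASKENTRY_size]       ; ebx = &te, live across every call below
        push    ebx
        Call    TaskFirst
.CompareFN:
        test    eax, eax
        jz      .GetPIDEnd                      ; list exhausted: eax is already 0
        push    dword [ebp+08h]
        lea     eax, [ebx+TASKENTRY.te_ProcName]
        push    eax
        Call    strcmp
        test    eax, eax                        ; branch on the return value (0 = equal), as
        jz      .ProcFetched                    ; GetModuleHandle does, not on leftover flags
        push    ebx
        call    TaskNext
        jmp     .CompareFN
.ProcFetched:
        mov     eax, [ebx+TASKENTRY.te_hTask]
        push    eax                             ; keep the PID: TaskEnd is not known to preserve eax
        Call    TaskEnd
        pop     eax
.GetPIDEnd:
        pop     ebx
        add     esp, TASKENTRY_size
        pop     ebp
        retn    04h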
;==========================================================================
; Get Name of a given PID.
;==========================================================================
;--------------------------------------------------------------------------
;ebp+8 : PID
;ebp+0c : Filename buffer
;
;EAX=1 on success, 0 on failure.
;--------------------------------------------------------------------------
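GetNamePID:
; In:   [ebp+8] = PID, [ebp+0Ch] = buffer that receives the process name
; Out:  eax = 1 on success, 0 when TaskGetProcName fails
; Preserves ebx, esi, edi (ebx was previously clobbered without being saved,
; unlike GetPIDName / GetModuleHandle which save it).
; strcopy takes no length: the caller's buffer must be large enough for
; te_ProcName — TODO confirm the expected minimum size.
        push    ebp
        mov     ebp, esp
        sub     esp, TASKENTRY_size             ; local TASKENTRY
        push    ebx
        push    esi
        push    edi
        lea     ebx, [ebp-TASKENTRY_size]       ; ebx = &te, filled by TaskGetProcName
        mov     eax, [ebp+8]                    ; eax = PID
        call    TaskGetProcName
        test    eax, eax
        jz      .GetNameEnd                     ; failure: eax is already 0
        lea     esi, [ebx+TASKENTRY.te_ProcName]
        push    dword [ebp+0Ch]                 ; destination (same order as in GetModuleHandle)
        push    esi                             ; source
        call    strcopy
        mov     eax, 1                          ; success, same form as ModGetData
.GetNameEnd:
        pop     edi
        pop     esi
        pop     ebx
        add     esp, TASKENTRY_size
        pop     ebp
        retn    08h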
;==========================================================================
; Retrieve Current Process ID.
;==========================================================================
;--------------------------------------------------------------------------
;eax=PID, 0 if there is no current process.
;--------------------------------------------------------------------------
GetCurrentProcessID:
; Out: eax = PID (the PDB's 16-bit TDB handle) of the current process,
;      or 0 when VWIN32 returns no process handle.
        VxDCall VWIN32_GetCurrentProcessHandle
        test    eax,eax
        jz      .done                   ; no PDB: eax = 0 is the failure value
        movzx   eax,word [eax+0x38]     ; PDB.W16TDB (same offset _TaskDB2ProcessDB reads)
.done:
        retn
;==========================================================================
; Retrieve ImageBase of given Name (Null for Main Base).
;==========================================================================
;--------------------------------------------------------------------------
;ebp+8 : Name or 0.
;
;eax=ImageBase, 0 if failure.
;--------------------------------------------------------------------------
GetModuleHandle:
; Register roles inside this function:
;   edx = current PID (from GetCurrentProcessID), passed to ModFirst
;   esi = name to look up: the caller's string, or the local copy of our own name
;   ebx = address of the TASKENTRY / MODULEENTRY scratch buffer in use
; Frame below ebp: TASKENTRY, then a MAX_PATH name buffer, then MODULEENTRY.
; Preserves esi, edi, edx, ecx, ebx.
push ebp
mov ebp, esp
sub esp, TASKENTRY_size+MAX_PATH+MODULEENTRY_size
push esi
push edi
push edx
push ecx
push ebx
;--------------------------------------------------------------------------
; Setup registers [Name/Current PID].
;--------------------------------------------------------------------------
Call GetCurrentProcessID
mov edx, eax ; edx = current PID
mov esi, [ebp+08h]
test esi, esi ; SelfBase ?
jnz .ScanThis ; caller supplied a name: skip the self-name lookup
;--------------------------------------------------------------------------
; Retrieve name of current PID.
;--------------------------------------------------------------------------
lea ebx, [ebp-TASKENTRY_size]
push ebx
Call TaskFirst
.CmpTaskDB:
test eax, eax
jz .RetFailure ; list exhausted: eax is already 0
cmp [ebx+TASKENTRY.te_hTask], edx
jz .CopyFN
push ebx
Call TaskNext
jmp .CmpTaskDB
.CopyFN:
;--------------------------------------------------------------------------
; Replicate name.
;--------------------------------------------------------------------------
; NOTE(review): unlike GetPIDName, this path never calls TaskEnd after a hit,
; and the ModFirst/ModNext walk below has no end call either — confirm the
; enumeration helpers need no cleanup (e.g. a held critical section).
lea esi, [ebx+TASKENTRY.te_ProcName]
lea edi, [ebp-(TASKENTRY_size+MAX_PATH)] ; local MAX_PATH name buffer
push edi ; destination
push esi ; source
call strcopy ; no length argument: assumes te_ProcName fits in MAX_PATH — TODO confirm
mov esi, edi
.ScanThis:
push esi
Call CharUpper ; Fool Proof Measure :)  (return value ignored, so conversion is in place: a caller-supplied name is modified and must be writable)
;--------------------------------------------------------------------------
; Retrieve Short name of Target.
;--------------------------------------------------------------------------
push esi
Call ExtractNamePos
add esi, eax ; esi += offset returned by ExtractNamePos -> file-name part only
;--------------------------------------------------------------------------
; Browse Module List.
;--------------------------------------------------------------------------
lea ebx, [ebp-(TASKENTRY_size+MAX_PATH+MODULEENTRY_size)]
push edx ; PID
push ebx ; MODULEENTRY buffer
Call ModFirst
.CmpModShort:
test eax, eax
jz .RetFailure ; list exhausted: eax is already 0
;--------------------------------------------------------------------------
; Found it ?.
;--------------------------------------------------------------------------
lea eax, [ebx+MODULEENTRY.me_ModuleName]
push eax
push esi
call strcmp
test eax, eax ; 0 means equal (as this code assumes)
jz .OkFoundModule
push ebx
Call ModNext
jmp .CmpModShort
.OkFoundModule:
;--------------------------------------------------------------------------
; Return hMod.
;--------------------------------------------------------------------------
mov eax, [ebx+MODULEENTRY.me_hModule]
.RetFailure: ; common exit: eax = hModule on success, 0 on failure
pop ebx
pop ecx
pop edx
pop edi
pop esi
add esp, TASKENTRY_size+MAX_PATH+MODULEENTRY_size
pop ebp
retn 4
%endif