📄 cmd_imports.asm
%include "util.mac"
%include "icedump.inc"
%include "vxdn.inc"
%include "wiat.inc"
%ifndef MAKEDEP
global Parse_Imports
global Service_Imports
extern sdata
extern Parser.error
extern Parser.errorMsg
extern SetCB
extern IsPageCommitted
extern ParseAddress
extern ParseExpression
bits 32
segment _LTEXT
;-------------------------------------------------------------------------------
; IMPORTS <imagebase> <imports-address>
;
; Command-line parser for the IMPORTS command (NASM syntax, 32-bit code).
; Parses the two operands and hands them over through the saved client
; registers:
;   client ESI <- <imagebase>        (result of ParseExpression)
;   client EDI <- <imports-address>  (result of ParseAddress)
;   client EAX <- SERVICE_IMPORTS
; then calls SetCB and updates two internal Winice flags.
;
; Error paths: carry set after ParseExpression/ParseAddress jumps to
; Parser.errorMsg with edi holding the message for that operand; ZF set after
; the whitespace skip, or carry set after SetCB, jumps to Parser.error.
;
; Returns with popad/retn. The matching pushad is not in this file --
; presumably done by the command dispatcher; confirm against the caller.
;
; NOTE(review): both operands come straight from the command line and are not
; range- or mapping-checked here. The only validation visible in this file is
; the per-page IsPageCommitted test in Service_Imports.
;-------------------------------------------------------------------------------
Parse_Imports:
mov edi,.Error_BadBase
call ParseExpression ; parse <imagebase>, value returned in eax
jb near Parser.errorMsg
; dClient_ESI holds a pointer to the saved client ESI slot
mov ebp,[dClient_ESI]
mov [ebp],eax
call [pSkipWhiteSpace]
; ZF set here is treated as an error (presumably: no second operand -- confirm)
jz near Parser.error
mov edi,.Error_BadAddress
call ParseAddress ; parse <address>, value returned in eax
jb near Parser.errorMsg
mov ebp,[dClient_EDI]
mov [ebp],eax
; store the service id into the saved client EAX via push/pop
push byte SERVICE_IMPORTS
mov ebp,[dClient_EAX]
pop dword [ebp]
call SetCB
jc near Parser.error
; eax = 1, ah = 0
xor eax,eax
inc eax
mov ebp,[fPAGEIN_InProgress] ; set internal Winice flag to 1 (dword store)
mov [ebp],eax
mov ebp,[fExecuteMoreCommands] ; set internal Winice flag to 0 (byte store)
mov [ebp],ah
popad
retn
segment _LDATA
; error strings selected through edi before each parse call
.Error_BadBase: db 'invalid imagebase',0
.Error_BadAddress: db 'invalid address',0
segment _LTEXT
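;-------------------------------------------------------------------------------
; Service_Imports
;
; Walks the import descriptor array whose address is in client EDI (image base
; in client ESI). For each descriptor it prints the library name and then, for
; every non-zero slot of the descriptor's address table, follows "jmp rel32"
; and "push imm32 / jmp rel32" stubs and writes the address reached back into
; the slot. Slots whose value has the top bit set are left alone.
;
; In:    ebp = pointer to the client register structure (CRS)
;        stack = saved flags and registers released by popfd/popad below; the
;                matching pushes are not in this file
; Uses:  edi = current descriptor (0x14 bytes each; +0x0C name RVA,
;              +0x10 address-table RVA)
;        ebx = current slot in the address table
;        eax = address under test
;        esi = message for the failure paths (loaded by .checkpage)
;        .SaveAddy/.HopsLeft are static scratch, so the routine is not
;        reentrant.
;
; Everything read through edi, ebx and eax belongs to the inspected image and
; is untrusted data.
;
; Changes against the previous version:
;  * the "address table page not present" path executed "call ebp", i.e. it
;    transferred control into the client register structure; it now prints the
;    message in esi like the other no-page path does.
;  * stub chains are followed for fewer than IMPORTS_MAX_STUB_HOPS hops per
;    slot, so a stub that points back at itself (or a cycle of stubs) can no
;    longer keep the loop running forever. When the limit is hit the slot
;    keeps the last address reached.
;
; NOTE(review): .checkpage validates only the page that contains eax. The
; reads at [eax+1] and [eax+5], the descriptor fields at [edi+0x0C] and
; [edi+0x10], and the slots reached as ebx advances can lie on the following
; page, which is not checked -- consider checking the last byte touched too.
; NOTE(review): the library name is passed to _Trace_Out_Service as the
; message string itself. The Trace_Out call below uses "#edi" inside its
; message, so the service presumably expands such sequences in the name as
; well, and the name is only known to start on a committed page -- confirm
; and consider copying a bounded, filtered name before printing.
;-------------------------------------------------------------------------------
%define IMPORTS_MAX_STUB_HOPS 32

Service_Imports:
        mov     edi,[ebp+CRS.EDI]               ; edi = first import descriptor
        Trace_Out "processing imports at #edi"

.nextimport:
        mov     eax,edi
        call    .checkpage                      ; ZF=1 is treated as "not committed"
        jz      near .abort                     ; esi = .Msg_NoPage

        ; check IAT address
        mov     eax,[edi+0x10]
        or      eax,eax
        jz      near .endofimports              ; zero table RVA terminates the array
        add     eax,[ebp+CRS.ESI]               ; RVA -> address
        call    .checkpage
        jnz     @F

        ; print no-page msg and skip this descriptor
        push    esi
        VMMCall _Trace_Out_Service
        jmp     .gotonext
@@
        mov     ebx,eax                         ; ebx = first slot of the table

        ; check Libname address
        mov     eax,[edi+0x0C]
        test    eax,eax
        jz      .nextthunk
        add     eax,[ebp+CRS.ESI]
        call    .checkpage
        jz      .nextthunk                      ; name page missing: skip the name only

        ; print libname
        push    eax
        VMMCall _Trace_Out_Service
        Trace_Out ""

        ; process all thunks
.nextthunk:
        mov     eax,[ebx]
        or      eax,eax
        jz      near .gotonext                  ; zero slot ends this table
        mov     [.SaveAddy],eax
        mov     dword [.HopsLeft],IMPORTS_MAX_STUB_HOPS

.nextlevel:
        mov     [ebx],eax                       ; record the address reached so far
        test    eax,eax
        js      .gotonextthunk                  ; already a system addr, leave it alone
        call    .checkpage
        jnz     .deref

        ; target page missing: restore prev addr
        mov     eax,[.SaveAddy]
        mov     [ebx],eax

        ; print no-page msg and skip
        push    esi
        VMMCall _Trace_Out_Service
        jmp     short .gotonextthunk

.deref:
        mov     [.SaveAddy],eax                 ; last address known to be mapped
        cmp     byte [eax],0xE9                 ; jmp rel32
        jne     .notJmp

        ; dereference rel32 jump and then try again, within the hop budget
        dec     dword [.HopsLeft]
        jz      .gotonextthunk
        add     eax,[eax+1]
        add     eax,byte 5                      ; rel32 is relative to the next instruction
        jmp     short .nextlevel

.notJmp:
        cmp     byte [eax],0x68                 ; push imm32
        jne     .gotonextthunk
        cmp     byte [eax+5],0xE9               ; jmp rel32
        jne     .gotonextthunk

        ; dereference push+jump: continue at the pushed immediate
        dec     dword [.HopsLeft]
        jz      .gotonextthunk
        mov     eax,[eax+1]
        jmp     short .nextlevel

.gotonextthunk:
        add     ebx,byte 4
        jmp     .nextthunk

.gotonext:
        add     edi,byte 0x14                   ; next descriptor
        jmp     .nextimport

.endofimports:
        mov     esi,.Msg_End
.abort:
        push    esi                             ; .Msg_End or .Msg_NoPage
        VMMCall _Trace_Out_Service
        popfd
        popad
        retn

; .checkpage
; In:   eax = address
; Out:  flags as left by IsPageCommitted (pop and ret do not change them),
;       eax preserved, esi = .Msg_NoPage
.checkpage:
        mov     esi,.Msg_NoPage
        push    eax
        shr     eax,12                          ; address -> page number
        call    IsPageCommitted
        pop     eax
        ret

segment _LDATA
align 4
.SaveAddy: dd 0
.HopsLeft: dd 0
.Msg_NoPage: db 'page is not present or committed',CRLF0
.Msg_End: db 'finished',CRLF0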
%endif