; procedure declarations (MASM, stdcall; every handle/pointer argument is a DWORD)
DlgProcessProc proto :DWORD,:DWORD,:DWORD,:DWORD
_treeview_get_curitemdata proto:DWORD ,:DWORD
_treeview_globalfree proto:DWORD ,:DWORD ,:DWORD
_enumprocess proto:DWORD
_ReadMemory proto:DWORD ,:DWORD ,:DWORD ,:DWORD ,:DWORD
_GetMemoryInfo proto:DWORD ,:DWORD ,:DWORD
_allocmem_for_itemdata proto:DWORD ,:DWORD ,:DWORD
_treeview_gettext proto:DWORD ,:DWORD
;-------------------------------------------------------
; Payload stored in each tree node's lParam (allocated by _allocmem_for_itemdata,
; released by _treeview_globalfree).
tvITEMDATA struct
dwProcessID dd ?        ; owning process id; the only field filled in on a process node
dwAddress dd ?          ; module base address (0 on a process node)
dwSize dd ?             ; module image size in bytes (0 on a process node)
tvITEMDATA ends
.data
; ini key under which the address typed into edit 1002 is saved at WM_CLOSE and
; restored at WM_INITDIALOG (see DlgProcessProc)
szinikey_process db 'addr_in_ram_editor',0
.CODE
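;-------------------------------------------------------
; DlgProcessProc - dialog procedure of the "open process memory" dialog.
; In:   @hDlg,uMsg,wParam,lParam (standard DLGPROC arguments)
; Out:  eax = TRUE when the message was handled, else FALSE
; Controls: 1000 process/module tree, 1001 close button, 1002 address edit,
;           1003 "read at address" check box; IDOK performs the read.
; Handle ownership: the process handle opened on IDOK is consumed and closed
; by _ReadMemory when a read actually happens; on every path that does not
; reach _ReadMemory this procedure closes it itself.
;-------------------------------------------------------
DlgProcessProc proc @hDlg,uMsg,wParam,lParam
local @szBuf[255]:BYTE
.if uMsg==WM_INITDIALOG
    invoke _enumprocess,@hDlg
    invoke _IniSet2Default
    invoke _IniGetStr2Edit,@hDlg,1002,0,addr szinikey_process   ; restore the last address
.elseif uMsg==WM_COMMAND
    mov eax,wParam
    .if ax==IDOK
        invoke _treeview_get_curitemdata,@hDlg,1000
        .if eax
            push esi
            mov esi,eax
            assume esi:ptr tvITEMDATA                   ; esi -> data of the selected node
            ; least privilege: VirtualQueryEx and ReadProcessMemory are the only users of
            ; this handle, so request query+read rights only (PROCESS_ALL_ACCESS is also
            ; refused for many processes that would grant these two rights)
            invoke OpenProcess,PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,FALSE ,[esi].dwProcessID
            .if eax
                mov wParam,eax                          ; wParam is free now: reuse it for the handle
                invoke IsDlgButtonChecked,@hDlg,1003
                .if eax==0;unchecked: read the whole selected module
                    .if [esi].dwSize
                        invoke GlobalAlloc,GPTR ,[esi].dwSize
                        .if eax
                            invoke _ReadMemory,eax,wParam,[esi].dwProcessID,[esi].dwAddress,[esi].dwSize   ; closes wParam
                            jmp _ok_
                        .else
                            call _ShowError
                            invoke CloseHandle,wParam
                        .endif
                    .else
                        invoke CloseHandle,wParam       ; a process node (dwSize 0) has nothing to read
                    .endif
                .else;checked: read the region containing the address typed into 1002
                    invoke _GetInt,@hDlg,1002
                    invoke _GetMemoryInfo,wParam,[esi].dwProcessID,eax
                    .if eax==-1
                        invoke CloseHandle,wParam       ; _ReadMemory was not reached, the handle is still open
                        invoke MessageBox,@hDlg,ctext("无法读取指定的地址"),addr szAppName,30h
                    .else
                        ; eax = offset of the requested address inside the block just read
                        mov dwBlockEnd,eax
                        mov dwBlockStart,eax
                        mov dwCurPos,eax
                        shr eax,4                       ; presumably 16 bytes per display line - confirm against g_TopLine's user
                        mov g_TopLine,eax
_ok_:
                        invoke _treeview_gettext,@hDlg,addr @szBuf
                        invoke _SetWindowTitle,0,eax
                        invoke _Scroll2Visible
                        invoke SendMessage,@hDlg,WM_CLOSE ,0,0
                    .endif
                .endif
            .else
                invoke MessageBox,@hDlg,ctext("无法打开进程"),addr szAppName,30h
            .endif
            assume esi:nothing
            pop esi
        .else
            invoke MessageBox,@hDlg,ctext("请选择一个模块或可读写区域"),addr szAppName,20h
        .endif
    .elseif ax==1001
        invoke SendMessage,@hDlg,WM_CLOSE ,0,0
    .elseif ax==1003
        ; EnableWindow(GetDlgItem(@hDlg,1002), IsDlgButtonChecked(@hDlg,1003)):
        ; the address edit is usable only while the check box is set
        invoke IsDlgButtonChecked,@hDlg,1003
        push eax
        invoke GetDlgItem,@hDlg,1002
        push eax
        call EnableWindow
    .endif
.elseif uMsg==WM_CLOSE
    invoke _IniSetStrFromEdit,@hDlg,1002,0,addr szinikey_process ; remember the address
    invoke SendDlgItemMessage,@hDlg,1000,TVM_GETNEXTITEM ,TVGN_ROOT ,0
    invoke _treeview_globalfree,@hDlg,1000,eax                   ; release every node's tvITEMDATA
    invoke EndDialog,@hDlg,FALSE
.else
    mov eax,FALSE
    ret
.endif
mov eax,TRUE
ret
DlgProcessProc endp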
;=======================================================
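;=======================================================
; _GetMemoryInfo - query the memory region of the target process that holds
; @addr and, if it is committed and accessible, read the whole region.
; In:   wParam = process handle (needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ)
;       @pid   = its process id (passed on to _ReadMemory)
;       @addr  = address inside the target process
; Out:  eax = offset of @addr from the start of the region that was read, or
;       -1 on failure. On success _ReadMemory has been called and the handle is
;       closed; on failure the handle is still open and the caller closes it.
;=======================================================
_GetMemoryInfo proc wParam,@pid,@addr
local @mbi:MEMORY_BASIC_INFORMATION
invoke VirtualQueryEx,wParam,@addr,addr @mbi,sizeof MEMORY_BASIC_INFORMATION
.if eax==0
    ; query failed (e.g. address outside the target's address space): @mbi was
    ; not filled in and must not be consulted
    mov eax,-1
.elseif (@mbi.Protect !=PAGE_NOACCESS) && (@mbi.State==MEM_COMMIT)
    invoke GlobalAlloc,GPTR ,@mbi.RegionSize
    .if eax
        invoke _ReadMemory,eax,wParam,@pid,@mbi.BaseAddress,@mbi.RegionSize   ; closes wParam
        mov eax,@addr
        sub eax,@mbi.BaseAddress
    .else
        ; allocation failed: report it like any other failure instead of
        ; returning the NULL pointer as if it were an offset
        mov eax,-1
    .endif
.else
    mov eax,-1
.endif
ret
_GetMemoryInfo endp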
;-----------------------------------------------
;-----------------------------------------------
; _ReadMemory - copy a block of another process's memory into lpBuf and make
; that buffer the editor's current document (file type FILE_RAM).
; In:   lpBuf  = buffer of at least @size bytes; ownership passes to the
;                global lpMemFile
;       wParam = process handle; it is CLOSED here on every path
;       @pid,@addr,@size = origin of the data, kept in dwRamProcessID /
;                dwRamAddress / dwFileSize for the rest of the editor
; Out:  eax is left as _InitData returned it (callers ignore it)
; NOTE(review): the result of ReadProcessMemory is not checked; after a failed
; or partial read the buffer is presented as if it were the process's memory.
;-----------------------------------------------
_ReadMemory proc lpBuf,wParam,@pid,@addr,@size
push lpBuf                      ; parked on the stack until _Release has run
m2m dwRamProcessID,@pid
m2m dwRamAddress,@addr
m2m dwFileSize,@size
invoke ReadProcessMemory,wParam,dwRamAddress,lpBuf,dwFileSize,0
invoke CloseHandle,wParam       ; the handle is consumed here
call _Release                   ; presumably drops the previously loaded document - confirm
pop lpMemFile                   ; ... then the new buffer becomes the document
mov dwFileType,FILE_RAM
invoke _InitData,NULL
mov [szFileName+1],0;mainly used to disable/enable the "Tools -> Open" menu
ret
_ReadMemory endp
;=======================================================
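;=======================================================
; _enumprocess - fill tree-view 1000 of @hDlg with one root node per process
; (except PID 0 and this process) and one child node per loaded module.
; In:   @hDlg = dialog owning the tree-view
; Out:  nothing; all registers preserved (pushad/popad)
; Each node's lParam receives a tvITEMDATA block from _allocmem_for_itemdata:
; process nodes carry only the pid (address/size 0), module nodes carry the
; module base address and image size as well.
;=======================================================
_enumprocess proc @hDlg
local pe:PROCESSENTRY32,me:MODULEENTRY32
local hSnapProc,hSnapModule
local tvis:TV_INSERTSTRUCT ,hParentItem,dwVer:SDWORD
local @szBuf[300]:BYTE          ; "%s %08X %ukb": szModule may be 255 chars, plus up to 22 more
local curPid
pushad
xor eax,eax
mov tvis.hParent,eax
mov tvis.hInsertAfter,eax
mov tvis.item._mask,TVIF_TEXT or TVIF_PARAM
invoke GetVersion
mov dwVer,eax                   ; high bit set => Win9x family (full path in szExeFile)
invoke GetCurrentProcessId
mov curPid,eax
mov pe.dwSize,sizeof PROCESSENTRY32
mov me.dwSize,sizeof MODULEENTRY32
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
.if eax!=INVALID_HANDLE_VALUE
    mov hSnapProc,eax
    invoke Process32First,hSnapProc,addr pe
    .while eax
        lea edi,pe.szExeFile
        .if dwVer<0;Win9x reports the full path: keep only the part after the last '\'
            invoke lstrlen,edi
            lea ecx,[eax+1]                 ; scan count: the NUL plus all len characters
            add edi,eax                     ; edi -> terminating NUL
            mov al,'\'
            std
            repne scasb                     ; backwards; ZF set when a '\' was found
            cld
            .if ZERO?
                add edi,2                   ; edi stopped one before the '\': step past it
            .else
                lea edi,pe.szExeFile        ; no separator at all: use the whole name
            .endif
        .endif
        mov tvis.item.pszText,edi
        mov edi,pe.th32ProcessID
        .if edi && edi!=curPid              ; skip the idle process and ourselves
            mov tvis.hParent,0
            invoke _allocmem_for_itemdata,0,0,edi   ; process node: only the pid, for "read at address"
            mov tvis.item.lParam,eax
            invoke SendDlgItemMessage,@hDlg,1000, TVM_INSERTITEM ,0,addr tvis
            mov hParentItem,eax
            ;---------------------------- modules ---------------------------------
            invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE,edi
            .if eax!=INVALID_HANDLE_VALUE
                mov hSnapModule,eax
                invoke Module32First,hSnapModule,addr me
                .while eax
                    lea edi,@szBuf
                    mov eax,me.modBaseSize
                    shr eax,10;eax = size in KiB
                    ; eax is the last argument, so invoke pushes it before 'addr' reuses eax
                    invoke wsprintf,edi,ctext("%s %08X %ukb"),addr me.szModule,me.modBaseAddr,eax
                    mov tvis.item.pszText,edi
                    invoke _allocmem_for_itemdata,me.modBaseAddr,me.modBaseSize,pe.th32ProcessID
                    mov tvis.item.lParam,eax
                    m2m tvis.hParent,hParentItem
                    invoke SendDlgItemMessage,@hDlg,1000, TVM_INSERTITEM ,0,addr tvis
                    invoke Module32Next,hSnapModule,addr me
                .endw
                invoke CloseHandle,hSnapModule
            .endif
        .endif
        invoke Process32Next,hSnapProc,addr pe
    .endw
    invoke CloseHandle,hSnapProc
.endif
popad
ret
_enumprocess endp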
;-----------------------------------------------
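;-----------------------------------------------
; _allocmem_for_itemdata - allocate the tvITEMDATA block a tree node keeps in
; its lParam (released later by _treeview_globalfree).
; In:   @addr,@size,@pid = values to store (0,0,pid for a process node)
; Out:  eax = pointer to the filled block, or NULL if GlobalAlloc failed
;       (previously a failed allocation was written through as address 0)
;-----------------------------------------------
_allocmem_for_itemdata proc @addr,@size,@pid
invoke GlobalAlloc,GPTR ,sizeof tvITEMDATA
.if eax
    assume eax:ptr tvITEMDATA
    mov ecx,@addr
    mov [eax].dwAddress,ecx
    mov ecx,@size
    mov [eax].dwSize,ecx
    mov ecx,@pid
    mov [eax].dwProcessID,ecx
    assume eax:nothing
.endif
ret
_allocmem_for_itemdata endp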
;------------------------------------------
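;------------------------------------------
; _treeview_get_curitemdata - lParam (tvITEMDATA pointer) of the selected node.
; In:   @hDlg, nID = tree-view control id
; Out:  eax = the node's lParam, or 0 when nothing is selected or the item
;       cannot be queried (the caller dereferences a non-zero result, so
;       stack garbage must never be returned)
;------------------------------------------
_treeview_get_curitemdata proc @hDlg,nID
local tvi:TVITEM
invoke SendDlgItemMessage,@hDlg,nID,TVM_GETNEXTITEM ,TVGN_CARET,0
.if eax
    mov tvi._mask,TVIF_PARAM or TVIF_HANDLE
    mov tvi.hItem,eax
    mov tvi.lParam,0                ; stays 0 if TVM_GETITEM fails
    invoke SendDlgItemMessage,@hDlg,nID,TVM_GETITEM ,0,addr tvi
    mov eax,tvi.lParam
.endif
ret
_treeview_get_curitemdata endp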
;----------------------------------------
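;----------------------------------------
; _treeview_gettext - build "[<process>]" or "[<process>:<module>]" from the
; selected node of tree-view 1000 into @lpBuf.
; In:   @hDlg, @lpBuf = caller's buffer; at most 162 bytes are written because
;       each item text is truncated to the 80-byte locals
; Out:  eax = @lpBuf
;----------------------------------------
_treeview_gettext proc @hDlg,@lpBuf
local @szBuf[80]:BYTE ,@szBuf2[80]:BYTE
local tvi:TVITEM ,@hItem
; empty strings first, so a failed TVM_GETITEM (no selection) still yields
; well-formed output instead of stack garbage
mov byte ptr @szBuf,0
mov byte ptr @szBuf2,0
lea eax,@szBuf
mov tvi.pszText,eax
mov tvi.cchTextMax,sizeof @szBuf    ; must match the buffer: 255 here overran the 80-byte locals
mov tvi._mask,TVIF_TEXT
invoke SendDlgItemMessage,@hDlg,1000,TVM_GETNEXTITEM ,TVGN_CARET,0
mov @hItem,eax
invoke SendDlgItemMessage,@hDlg,1000,TVM_GETNEXTITEM ,TVGN_PARENT,eax
.if eax==0
    ; the selected node is a process (root) node
    m2m tvi.hItem,@hItem
    invoke SendDlgItemMessage,@hDlg,1000,TVM_GETITEM ,0,addr tvi
    invoke wsprintf,@lpBuf,ctext("[%s]"),addr @szBuf
.else
    ; the selected node is a module: parent text into @szBuf, own text into @szBuf2
    mov tvi.hItem,eax
    invoke SendDlgItemMessage,@hDlg,1000,TVM_GETITEM ,0,addr tvi
    lea eax,@szBuf2
    mov tvi.pszText,eax
    m2m tvi.hItem,@hItem
    invoke SendDlgItemMessage,@hDlg,1000,TVM_GETITEM ,0,addr tvi
    invoke wsprintf,@lpBuf,ctext("[%s:%s]"),addr @szBuf,addr @szBuf2
.endif
mov eax,@lpBuf
ret
_treeview_gettext endp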
;----------------------------------------------
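;----------------------------------------------
; _treeview_globalfree - free the tvITEMDATA (lParam) of hParentItem, of every
; item following it at the same level, and recursively of all their children.
; Pass the tree's root item to free the whole tree; a NULL item is a no-op.
; In:   @hDlg, nID = tree-view control id, hParentItem = first item to free
; Out:  eax undefined
; The items themselves are not removed, only their lParam blocks are released,
; so the tree must be destroyed afterwards (DlgProcessProc ends the dialog).
; Previously the first item itself was skipped, leaking the root node's block,
; and siblings were handled by recursion (one frame per module).
;----------------------------------------------
_treeview_globalfree proc @hDlg,nID,hParentItem
local tvi:TVITEM
mov tvi._mask,TVIF_PARAM or TVIF_HANDLE
.while hParentItem
    ; release this item's block; lParam is cleared first so a failed
    ; TVM_GETITEM cannot hand stale stack contents to GlobalFree
    mov tvi.lParam,0
    mov eax,hParentItem
    mov tvi.hItem,eax
    invoke SendDlgItemMessage,@hDlg,nID,TVM_GETITEM ,0,addr tvi
    .if tvi.lParam
        invoke GlobalFree,tvi.lParam
    .endif
    ; descend into the subtree, then continue with the next sibling
    invoke SendDlgItemMessage,@hDlg,nID,TVM_GETNEXTITEM ,TVGN_CHILD ,hParentItem
    .if eax
        invoke _treeview_globalfree,@hDlg,nID,eax
    .endif
    invoke SendDlgItemMessage,@hDlg,nID,TVM_GETNEXTITEM ,TVGN_NEXT,hParentItem
    mov hParentItem,eax
.endw
ret
_treeview_globalfree endp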