📄 cefuncproc.pas
字号:
FoundValue7:Array of Int64;
FoundValue7switch:Array of Int64;
FoundValue8:array of byte;
FoundValue8switch:array of byte;
FoundAddress: array of dword;
FoundAddressSwitch: array of dword;
foundaddressB: array of bitaddress;
foundaddressBswitch: array of bitaddress;
tempbytearray: array of byte;
tempwordarray: array of word;
tempdwordarray: array of dword;
tempsinglearray: array of single;
tempdoublearray: array of double;
tempint64array: array of int64;
//--------
previousmemory: array of byte;
SearchAddress: array of dword;
searchaddressswitch: array of dword;
SearchAddressB: array of BitAddress;
previousmemory1,previousmemory1switch: array of Byte;
previousmemory2,previousmemory2switch: array of word;
previousmemory3,previousmemory3switch: array of dword;
previousmemory4,previousmemory4switch: array of Single;
previousmemory5,previousmemory5switch: array of Double;
previousmemory6,previousmemory6switch: array of int64; //Byte;
PreviousMemory7,previousmemory7switch: Array of Int64;
PreviousMemory8,previousmemory8switch: array of byte;
//---------
helpstr,helpstr2: string;
bytes: array of integer; //-1=wildcard
bytearray: array of byte;
MemoryRegion: array of TMemoryRegion;
MemoryRegions: Integer;
// Memory: Array of Byte;
Memory: ^Byte;
memory2: ^byte;
advanced: boolean;
//global files, so when an exception happens I can close them
addressfile, memoryfile: File;
newAddressfile,newmemoryfile: File;
buffersize: dword;
overridedebug: boolean;
totalbytes: dword;
currentbyte: dword;
//hide/show windows
windowlist: array of thandle;
lastforeground,lastactive: thandle;
donthidelist: array of string;
onlyfront: boolean;
allwindowsareback:boolean;
HyperscanFileMapping: THandle;
HyperscanView: ^TScanSettings;
hookedin:boolean;
keys: PKeys;
keys2: PKeys2;
keysfilemapping: THandle;
//stealth globals
le: dword;
ownprocesshandle: THandle;
stealthhook: thandle;
//windows version data
iswin2kplus: boolean;
{$ifndef standalonetrainer}
{$ifndef net}
hypermode: thypermode;
useAPCtoInjectDLL: boolean;
{$endif}
{$endif}
implementation
{$ifdef net}
uses disassembler,debugger;
{$endif}
{$ifndef net}
{$ifndef standalonetrainer}
uses disassembler,debugger,symbolhandler,frmProcessWatcherUnit;
{$else}
uses symbolhandler;
{$endif}
{$endif}
procedure TFreememorythread.execute;
begin
setlength(bitscan,0);
setlength(tempbits,0);
setlength(FoundAddress,0);
setlength(FoundValue1,0);
setlength(FoundValue2,0);
setlength(FoundValue3,0);
setlength(FoundValue4,0);
setlength(FoundValue5,0);
setlength(foundValue6,0);
setlength(FoundValue7,0);
setlength(FoundValue8,0);
setlength(FoundValue1switch,0);
setlength(FoundValue2switch,0);
setlength(FoundValue3switch,0);
setlength(FoundValue4switch,0);
setlength(FoundValue5switch,0);
setlength(foundValue6switch,0);
setlength(FoundValue7switch,0);
setlength(FoundValue8switch,0);
//floating point notations
setlength(foundaddressB,0);
setlength(previousmemory,0);
setlength(SearchAddress,0);
setlength(SearchAddressB,0);
setlength(previousmemory1,0);
setlength(previousmemory2,0);
setlength(previousmemory3,0);
setlength(previousmemory4,0);
setlength(previousmemory5,0);
setlength(previousmemory6,0);
setlength(PreviousMemory7,0);
setlength(PreviousMemory8,0);
setlength(previousmemory1switch,0);
setlength(previousmemory2switch,0);
setlength(previousmemory3switch,0);
setlength(previousmemory4switch,0);
setlength(previousmemory5switch,0);
setlength(previousmemory6switch,0);
setlength(PreviousMemory7switch,0);
setlength(PreviousMemory8switch,0);
if not advanced then //if the lastscan was a advanced, better not whipe the memory (yet!)
begin
if memory<>nil then freemem(memory);
memory:=nil;
if memory2<>nil then freemem(memory2);
memory2:=nil;
end;
setlength(bytes,0);
setlength(bytearray,0);
end;
type TSaveDataThread=class(tthread)
public
buffer1: pointer;
buffer2: pointer;
buffersize1: dword;
buffersize2: dword;
file1: ^file;
file2: ^file;
datawritten: tevent;
dataavailable:tevent;
procedure execute; override;
constructor create(suspended:boolean);
destructor destroy; override;
end;
procedure TSaveDataThread.execute;
var ignore: dword;
begin
dataavailable.WaitFor(infinite);
while not terminated do
begin
blockwrite(file1^,buffer1^,buffersize1,ignore);
blockwrite(file2^,buffer2^,buffersize2,ignore);
datawritten.SetEvent; //tell the others that you're ready to write again
dataavailable.WaitFor(infinite); //wait for the 'ready to write' event
end;
end;
destructor TSaveDataThread.destroy;
begin
datawritten.Free;
dataavailable.free;
inherited destroy;
end;
constructor TSaveDataThread.create(suspended:boolean);
begin
datawritten:=tevent.Create(nil,false,true,'');
dataavailable:=tevent.create(nil,false,false,'');
inherited create(suspended);
end;
var FlushThread:TSaveDataThread;
procedure flushbuffer(var file1, file2:file; buffer1:pointer; buffer1size:integer; buffer2:pointer; buffer2size:integer);
begin
flushthread.datawritten.ResetEvent;
flushthread.file1:=@file1;
flushthread.file2:=@file2;
flushthread.buffer1:=buffer1;
flushthread.buffer2:=buffer2;
flushthread.buffersize1:=buffer1size;
flushthread.buffersize2:=buffer2size;
flushthread.dataavailable.SetEvent;
end;
procedure finishflushing;
begin
flushthread.datawritten.WaitFor(infinite);
flushthread.datawritten.SetEvent;
end;
//------------------------------------
type TPrefetchDataThread=class(tthread)
public
buffer1: pointer;
buffer2: pointer;
buffersize1: dword;
buffersize2: dword;
file1: ^file;
file2: ^file;
dataread: tevent;
startreading:tevent;
actualread: dword;
procedure execute; override;
constructor create(suspended:boolean);
destructor destroy; override;
end;
procedure TPrefetchDataThread.execute;
var ignore,tmp: dword;
begin
startreading.WaitFor(infinite);
while not terminated do
begin
self.actualread:=0;
blockread(file1^,buffer1^,buffersize1,tmp);
blockread(file2^,buffer2^,buffersize2,ignore);
self.actualread:=tmp;
dataread.SetEvent; //tell the others that you're ready to read again
startreading.WaitFor(infinite);
end;
end;
destructor TPrefetchDataThread.destroy;
begin
dataread.Free;
startreading.free;
inherited destroy;
end;
constructor TPrefetchDataThread.create(suspended:boolean);
begin
dataread:=tevent.Create(nil,false,true,'');
startreading:=tevent.create(nil,false,false,'');
inherited create(suspended);
end;
var PrefetchThread:TPrefetchDataThread;
procedure prefetchbuffer(var file1, file2:file; buffer1:pointer; buffer1size:integer; buffer2:pointer; buffer2size:integer);
begin
PrefetchThread.dataread.ResetEvent;
PrefetchThread.file1:=@file1;
PrefetchThread.file2:=@file2;
PrefetchThread.buffer1:=buffer1;
PrefetchThread.buffer2:=buffer2;
PrefetchThread.buffersize1:=buffer1size;
PrefetchThread.buffersize2:=buffer2size;
PrefetchThread.startreading.SetEvent;
end;
function finishprefetching:dword;
begin
PrefetchThread.dataread.WaitFor(infinite);//wait for the datread event to be set
result:=prefetchthread.actualread;
end;
procedure errorbeep;
begin
beep;
sleep(100);
beep;
sleep(100);
beep;
sleep(100);
end;
function isreadable(address:dword):boolean;
var mbi: _MEMORY_BASIC_INFORMATION;
begin
VirtualQueryEx(processhandle,pointer(address),mbi,sizeof(mbi));
result:=mbi.State=mem_commit;
end;
function RawToString(const buf: array of byte; vartype: integer;showashex: boolean; bufsize: integer):string;
var x: pchar;
i: integer;
begin
//buffsize has to match the type else error
if bufsize=0 then
begin
result:='???';
exit;
end;
try
case vartype of
0: if bufsize<>1 then result:='???' else if showashex then result:=inttohex(buf[0],2) else result:=inttostr(buf[0]);
1: if bufsize<>2 then result:='???' else if showashex then result:=inttohex(pshortint(@buf[0])^,2) else result:=inttostr(pshortint(@buf[0])^);
2: if bufsize<>4 then result:='???' else if showashex then result:=inttohex(pint(@buf[0])^,4) else result:=inttostr(pint(@buf[0])^);
3: if bufsize<>4 then result:='???' else result:=floattostr(psingle(@buf[0])^);
4: if bufsize<>8 then result:='???' else result:=floattostr(pdouble(@buf[0])^);
6: if bufsize<>4 then result:='???' else if showashex then result:=inttohex(pint64(@buf[0])^,8) else result:=inttostr(pint64(@buf[0])^);
7:
begin
getmem(x,bufsize+1);
x[bufsize]:=#0;
result:=x;
freemem(x);
end;
8: //array of bytes
begin
result:='';
for i:=0 to bufsize-1 do
result:=result+'-'+inttohex(buf[bufsize],2);
end;
else result:='not supported in this version';
end;
except
result:='Not convertable';
end;
end;
function ConvertKeyComboToString(x: tkeycombo):string;
var i: integer;
newstr: string;
begin
result:='';
for i:=0 to 4 do
if x[i]=0 then
break
else
begin
newstr:='';
case x[i] of
vk_lbutton: newstr:='Left MB';
vk_mbutton: newstr:='Middle MB';
vk_rbutton: newstr:='Right MB';
VK_BACK : newstr:='Backspace';
VK_SHIFT: newstr:='Shift';
VK_CONTROL: newstr:='Ctrl';
VK_MENU: newstr:='Alt';
VK_TAB : newstr:='Tab';
VK_CLEAR : newstr:='Clear';
VK_RETURN : newstr:='Enter';
VK_PAUSE : newstr:='Pause';
VK_CAPITAL : newstr:='Caps Lock';
VK_ESCAPE : newstr:='Esc';
VK_SPACE : newstr:='Space bar';
VK_PRIOR : newstr:='Page Up';
VK_NEXT : newstr:='Page Down';
VK_END : newstr:='End';
VK_HOME : newstr:='Home';
VK_LEFT : newstr:='Left Arrow';
VK_UP : newstr:='Up Arrow';
VK_RIGHT : newstr:='Right Arrow';
VK_DOWN : newstr:='Down Arrow';
VK_SELECT : newstr:='Select';
VK_PRINT : newstr:='Print';
VK_EXECUTE : newstr:='Execute';
VK_SNAPSHOT : newstr:='Print Screen';
VK_INSERT : newstr:='Insert';
VK_DELETE : newstr:='Delete';
VK_HELP : newstr:='Help';
VK_LWIN : newstr:='Left Windows key';
VK_RWIN : newstr:='Right Windows key';
VK_APPS : newstr:='Applications key';
VK_NUMPAD0 : newstr:='numeric 0';
VK_NUMPAD1 : newstr:='numeric 1';
VK_NUMPAD2 : newstr:='numeric 2';
VK_NUMPAD3 : newstr:='numeric 3';
VK_NUMPAD4 : newstr:='numeric 4';
VK_NUMPAD5 : newstr:='numeric 5';
VK_NUMPAD6 : newstr:='numeric 6';
VK_NUMPAD7 : newstr:='numeric 7';
VK_NUMPAD8 : newstr:='numeric 8';
VK_NUMPAD9 : newstr:='numeric 9';
VK_MULTIPLY : newstr:='numeric *';
VK_ADD : newstr:='numeric +';
VK_SEPARATOR : newstr:='numeric Separator';
VK_SUBTRACT : newstr:='numeric -';
VK_DECIMAL : newstr:='numeric .';
VK_DIVIDE : newstr:='numeric /';
VK_F1 : newstr:='F1';
VK_F2 : newstr:='F2';
VK_F3 : newstr:='F3';
VK_F4 : newstr:='F4';
VK_F5 : newstr:='F5';
VK_F6 : newstr:='F6';
VK_F7 : newstr:='F7';
VK_F8 : newstr:='F8';
VK_F9 : newstr:='F9';
VK_F10 : newstr:='F10';
VK_F11 : newstr:='F11';
VK_F12 : newstr:='F12';
VK_F13 : newstr:='F13';
VK_F14 : newstr:='F14';
VK_F15 : newstr:='F15';
VK_F16 : newstr:='F16';
VK_F17 : newstr:='F17';
VK_F18 : newstr:='F18';
VK_F19 : newstr:='F19';
VK_F20 : newstr:='F20';
VK_F21 : newstr:='F21';
VK_F22 : newstr:='F22';
VK_F23 : newstr:='F23';
VK_F24 : newstr:='F24';
VK_NUMLOCK : newstr:='Num Lock';
VK_SCROLL : newstr:='Scroll Lock';
48..57 : newstr:=chr(x[i]);
65..90 : newstr:=chr(x[i]);
else newstr:='#'+inttostr(x[i]);
end;
result:=result+newstr+'+';
end;
result:=copy(result,1,length(result)-1);
end;
procedure getexecutablememoryregionsfromregion(start: dword; stop:dword; var memoryregions: tmemoryregions);
var address: dword;
mbi: memory_basic_information;
begin
setlength(memoryregions,0);
address:=start;
while (address<stop) and (VirtualQueryEx(processhandle,pointer(address),mbi,sizeof(mbi))<>0) and ((address+mbi.RegionSize)>address) do
begin
if ((mbi.AllocationProtect and PAGE_EXECUTE)=PAGE_EXECUTE) or
((mbi.AllocationProtect and PAGE_EXECUTE_READ)=PAGE_EXECUTE_READ) or
((mbi.AllocationProtect and PAGE_EXECUTE_READWRITE)=PAGE_EXECUTE_READWRITE) or
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -