.486
.model flat, stdcall
option casemap :none ; case sensitive
include WINDOWS.INC
include kernel32.inc
includelib kernel32.lib
include user32.inc
includelib user32.lib
include SpiderPoker.inc
lstrcmpiW proto :DWORD,:DWORD
; szText Name, Text
; Emits a zero-terminated byte string labelled Name at the point of use and
; jumps over it, so the data sits inline in the instruction stream.
; Name is the label for the string; Text is one or more db operands.
; NOTE(review): when used inside .code the string bytes land in the code
; section, so they are only suitable for read-only text.
szText MACRO Name, Text:VARARG
LOCAL lbl
jmp lbl ;; skip the inline data so it is never executed
Name db Text,0 ;; the string plus its terminating zero
lbl:
ENDM
; _GetOffset _Struct, _Field, _Base
; Stores the byte offset of _Field within _Struct into _Base. The offset is
; obtained by treating address 0 as a _Struct and taking the address of the
; field with lea.
; esi is saved and restored around the computation, so _Base must not be esi
; itself: the final pop would overwrite the result.
; The "assume esi:ptr _Struct" is NOT undone, so it stays in effect for the
; code that follows each use of this macro.
_GetOffset MACRO _Struct,_Field,_Base
push esi ;; preserve the caller's esi
mov esi,0 ;; pretend the structure starts at address 0
assume esi:ptr _Struct
lea esi,[esi]._Field ;; esi = offset of _Field
mov _Base,esi
pop esi
ENDM
.code
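;-----------------------------------------------------------------------
; _GetBitmap2 - copy a named RT_BITMAP resource out of another process.
;
; Walks the PE resource directory of the module mapped at _lpModuleBase in
; the process opened as _hProcHandle, fetching every field with
; ReadProcessMemory. @Level counts down through the three directory levels:
;   @Level = 3 (type)     : the entry whose ID is RT_BITMAP
;   @Level = 2 (name)     : the entry whose UNICODE name equals _lpString
;                           (case-insensitive, lstrcmpiW)
;   @Level = 1 (language) : the first entry, taken unconditionally
;
; ABI:  32-bit stdcall (see ".model flat, stdcall")
; In:   _lpString    -> zero-terminated UNICODE resource name
;       _lpSize      -> DWORD that receives the resource size
;       _hBitmapData -> destination buffer; may be NULL
;       _dwSize      =  capacity of _hBitmapData in bytes
;       _lpModuleBase and _hProcHandle are not parameters; presumably they
;       are declared in SpiderPoker.inc - confirm.
; Out:  eax = 1 when the resource bytes were copied to _hBitmapData.
;       eax = 0 when no matching entry exists, the resource is larger than
;               _dwSize, or _hBitmapData is NULL. In the last two cases
;               *_lpSize has already been written with the resource size.
;       All other registers are preserved by pushad/popad.
;
; Every value read from the target process is untrusted input: counts,
; lengths and offsets come from memory the other process controls.
; Changes in this revision:
;   * the level-2 name length is bounded before it is copied into the
;     MAX_PATH-byte stack buffer (previously up to 128 KB could be written
;     into 260 bytes);
;   * NumberOfNamedEntries / NumberOfIdEntries are read as the WORD fields
;     they are, instead of as DWORDs that overlapped neighbouring data;
;   * an empty directory fails immediately rather than letting the
;     "dec @Count / jne" loop wrap around;
;   * the condition-less .ELSEIF in level 3 is now .ELSE.
; NOTE(review): ReadProcessMemory return values are still not checked, so a
; failed read leaves the previous contents of @Buffer in use. Offsets taken
; from the target are also not validated against the size of the resource
; section. Both deserve explicit checks.
;-----------------------------------------------------------------------
; Longest name, in UNICODE characters, that fits in @szStringBuf together
; with its terminating zero word.
GB2_MAX_NAME_CHARS equ (MAX_PATH / 2) - 1

_GetBitmap2 proc _lpString:DWORD,_lpSize:DWORD,_hBitmapData:DWORD,_dwSize:DWORD
    LOCAL dwResBase :DWORD              ; address of the root resource directory
    LOCAL @Offset :DWORD                ; scratch: field offset from _GetOffset
    LOCAL @Buffer :DWORD                ; scratch: last value read from the target
    LOCAL @szStringBuf[MAX_PATH]: BYTE  ; local copy of a resource name
    LOCAL @Level:DWORD                  ; 3 = type, 2 = name, 1 = language
    LOCAL @ResourceDir:DWORD            ; directory being scanned
    LOCAL @ResourceEntry:DWORD          ; current entry in that directory
    LOCAL @Count:DWORD                  ; entries left to examine
    LOCAL @Length:DWORD                 ; name length in UNICODE characters

    pushad

    ; --- NT headers = module base + IMAGE_DOS_HEADER.e_lfanew ---
    mov     esi,_lpModuleBase
    assume  esi:ptr IMAGE_DOS_HEADER
    _GetOffset IMAGE_DOS_HEADER,e_lfanew,@Offset
    add     esi,@Offset
    invoke  ReadProcessMemory,_hProcHandle,esi,addr @Buffer,sizeof DWORD,NULL
    mov     esi,_lpModuleBase
    add     esi,@Buffer

    ; --- step to OptionalHeader.DataDirectory ---
    assume  esi:ptr IMAGE_NT_HEADERS
    _GetOffset IMAGE_NT_HEADERS,OptionalHeader,@Offset
    add     esi,@Offset
    assume  esi:ptr IMAGE_OPTIONAL_HEADER32
    _GetOffset IMAGE_OPTIONAL_HEADER32,DataDirectory,@Offset
    add     esi,@Offset
    assume  esi:ptr IMAGE_DATA_DIRECTORY

    ; --- DataDirectory[2] describes the resource directory ---
    mov     ebx,esi
    add     ebx,2 * sizeof IMAGE_DATA_DIRECTORY
    _GetOffset IMAGE_DATA_DIRECTORY,VirtualAddress,@Offset
    add     ebx,@Offset
    invoke  ReadProcessMemory,_hProcHandle,ebx,addr @Buffer,sizeof DWORD,NULL
    mov     ebx,@Buffer
    add     ebx,_lpModuleBase           ; RVA -> address in the target
    mov     dwResBase,ebx

    mov     @ResourceDir,ebx            ; start at the root directory
    mov     ecx,3
    mov     @Level,ecx

    .WHILE @Level
        mov     ebx,@ResourceDir
        assume  ebx:ptr IMAGE_RESOURCE_DIRECTORY

        ; @Count = NumberOfIdEntries + NumberOfNamedEntries. Both are WORD
        ; fields, so @Buffer is cleared first and only a WORD is read.
        _GetOffset IMAGE_RESOURCE_DIRECTORY,NumberOfIdEntries,@Offset
        push    ebx
        add     ebx,@Offset
        mov     @Buffer,0
        invoke  ReadProcessMemory,_hProcHandle,ebx,addr @Buffer,sizeof WORD,NULL
        pop     ebx
        mov     eax,@Buffer
        mov     @Count,eax
        _GetOffset IMAGE_RESOURCE_DIRECTORY,NumberOfNamedEntries,@Offset
        push    ebx
        add     ebx,@Offset
        mov     @Buffer,0
        invoke  ReadProcessMemory,_hProcHandle,ebx,addr @Buffer,sizeof WORD,NULL
        pop     ebx
        mov     eax,@Buffer
        add     @Count,eax

        ; The entry array follows the directory header directly.
        mov     ecx,@ResourceDir
        add     ecx,sizeof IMAGE_RESOURCE_DIRECTORY
        mov     @ResourceEntry,ecx

        ; An empty directory has nothing to match; without this guard the
        ; "dec @Count / jne" loops below would wrap past zero.
        .IF @Count == 0
            jmp     fail
        .ENDIF

        .IF @Level == 3                 ; type level
again3:
            mov     ecx,@ResourceEntry
            invoke  ReadProcessMemory,_hProcHandle,ecx,addr @Buffer,sizeof DWORD,NULL
            .IF !(@Buffer & 80000000H)  ; high bit clear: entry is identified by ID
                .IF (@Buffer == RT_BITMAP)
                    ; Found the bitmap type: follow the second DWORD of the
                    ; entry to the next-level directory.
                    mov     ecx,@ResourceEntry
                    add     ecx,4
                    invoke  ReadProcessMemory,_hProcHandle,ecx,addr @Buffer,sizeof DWORD,NULL
                    and     @Buffer,7fffffffH   ; drop the "is directory" bit
                    mov     eax,@Buffer
                    add     eax,dwResBase
                    mov     @ResourceDir,eax
                    dec     @Level
                .ELSE                   ; some other resource type: next entry
                    mov     ecx,@ResourceEntry
                    add     ecx,sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY
                    mov     @ResourceEntry,ecx
                    dec     @Count
                    jne     again3
                    jmp     fail
                .ENDIF
            .ELSE                       ; entry is identified by a name: next entry
                mov     ecx,@ResourceEntry
                add     ecx,sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY
                mov     @ResourceEntry,ecx
                dec     @Count
                jne     again3
                jmp     fail
            .ENDIF

        .ELSEIF @Level == 2             ; name level
again2:
            mov     ecx,@ResourceEntry
            invoke  ReadProcessMemory,_hProcHandle,ecx,addr @Buffer,sizeof DWORD,NULL
            .IF @Buffer & 80000000H     ; high bit set: entry is identified by a name
                and     @Buffer,7fffffffH
                mov     eax,dwResBase
                add     @Buffer,eax     ; address of the IMAGE_RESOURCE_DIR_STRING_U
                mov     ecx,@Buffer
                assume  ecx:ptr IMAGE_RESOURCE_DIR_STRING_U

                ; Name length in characters (a WORD in the target).
                _GetOffset IMAGE_RESOURCE_DIR_STRING_U,Length1,@Offset
                push    ecx
                add     ecx,@Offset
                mov     @Length,0
                invoke  ReadProcessMemory,_hProcHandle,ecx,addr @Length,sizeof WORD,NULL
                pop     ecx

                _GetOffset IMAGE_RESOURCE_DIR_STRING_U,NameString,@Offset
                push    ecx
                add     ecx,@Offset     ; ecx = address of the characters

                ; The length comes from the target process. Copy the name
                ; only when it, plus the terminator, fits in @szStringBuf.
                mov     ebx,@Length
                .IF ebx <= GB2_MAX_NAME_CHARS
                    shl     ebx,01h     ; characters -> bytes
                    invoke  ReadProcessMemory,_hProcHandle,ecx,addr @szStringBuf,ebx,NULL
                    mov     ebx,@Length
                    shl     ebx,01h
                    lea     esi,@szStringBuf
                    mov     WORD PTR [esi+ebx],0    ; names in the PE are not terminated
                    invoke  lstrcmpiW,addr @szStringBuf,_lpString   ; _lpString must be UNICODE
                .ELSE
                    mov     eax,1       ; oversized name: treat as "no match"
                .ENDIF
                pop     ecx

                .IF eax == 0            ; names are equal
                    mov     ecx,@ResourceEntry
                    add     ecx,4
                    invoke  ReadProcessMemory,_hProcHandle,ecx,addr @Buffer,sizeof DWORD,NULL
                    and     @Buffer,7fffffffH   ; drop the "is directory" bit
                    mov     eax,@Buffer
                    add     eax,dwResBase
                    mov     @ResourceDir,eax
                    dec     @Level
                .ELSE
                    mov     ecx,@ResourceEntry
                    add     ecx,sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY
                    mov     @ResourceEntry,ecx
                    dec     @Count
                    jne     again2
                    jmp     fail
                .ENDIF
            .ELSE                       ; entry is identified by ID: next entry
                mov     ecx,@ResourceEntry
                add     ecx,sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY
                mov     @ResourceEntry,ecx
                dec     @Count
                jne     again2
                jmp     fail
            .ENDIF

        .ELSEIF @Level == 1             ; language level: take the first entry
            mov     ecx,@ResourceEntry
            add     ecx,4
            invoke  ReadProcessMemory,_hProcHandle,ecx,addr @Buffer,sizeof DWORD,0

            mov     eax,dwResBase
            add     eax,@Buffer         ; eax = address of the IMAGE_RESOURCE_DATA_ENTRY
            assume  eax:ptr IMAGE_RESOURCE_DATA_ENTRY

            ; Report the resource size to the caller through _lpSize.
            _GetOffset IMAGE_RESOURCE_DATA_ENTRY,Size1,@Offset
            push    eax
            add     eax,@Offset
            invoke  ReadProcessMemory,_hProcHandle,eax,_lpSize,sizeof DWORD,0
            pop     eax
            mov     ecx,_lpSize
            mov     ebx,[ecx]           ; ebx = resource size in bytes

            .IF ebx <= _dwSize          ; unsigned: copy only what the caller's buffer holds
                push    ebx
                _GetOffset IMAGE_RESOURCE_DATA_ENTRY,OffsetToData,@Offset
                push    eax
                add     eax,@Offset
                mov     ecx,eax
                invoke  ReadProcessMemory,_hProcHandle,ecx,addr @Buffer,sizeof DWORD,0
                pop     eax
                mov     eax,@Buffer
                add     eax,_lpModuleBase   ; OffsetToData is an RVA from the module base
                pop     ebx
                .IF _hBitmapData        ; NULL means the caller only wanted the size
                    invoke  ReadProcessMemory,_hProcHandle,eax,_hBitmapData,ebx,0
                .ELSE
                    jmp     fail
                .ENDIF
                popad
                mov     eax,1
                ret
            .ELSE                       ; resource is larger than _dwSize
fail:
                popad
                xor     eax,eax
                ret
            .ENDIF
        .ENDIF
    .ENDW
    ; Not reached in practice: the @Level == 1 pass always returns.
    ret
_GetBitmap2 endp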
END