// Per-byte analysis flags (DEC_xxx); the list starts earlier in this header.
// DEC_PROC, DEC_PBODY and DEC_PEND are positions within a procedure and are
// extracted with DEC_PROCMASK (0x60) rather than tested as independent bits;
// DEC_CHECKED marks a byte that was already analysed. DEC_TEXT and DEC_SIGNED
// are only meaningful in t_result (see type/dtype there).
#define DEC_TEXT 0x10 // For use in t_result only
#define DEC_BYTESW 0x11 // Accessed as byte index to switch
#define DEC_NEXTCODE 0x13 // Subsequent byte of command
#define DEC_COMMAND 0x1D // First byte of command
#define DEC_JMPDEST 0x1E // Jump destination
#define DEC_CALLDEST 0x1F // Call (and maybe jump) destination
#define DEC_PROCMASK 0x60 // Mask extracting procedure analysis (DEC_PROC/PBODY/PEND)
#define DEC_PROC 0x20 // Start of procedure
#define DEC_PBODY 0x40 // Body of procedure
#define DEC_PEND 0x60 // End of procedure
#define DEC_CHECKED 0x80 // Byte was analysed
#define DEC_SIGNED 0x100 // For use in t_result only
// Disassembling modes for Disasm(). The mode occupies the low nibble of the
// disasmmode argument (DISASM_MODE); a highlighting mode may be packed into
// bits 16..19 (DISASM_HILITE) and is recovered by shifting by DISASM_HLSHIFT.
#define DISASM_SIZE 0 // Determine command size only
#define DISASM_DATA 1 // Determine size and analysis data
#define DISASM_TRACE 2 // Trace integer registers
#define DISASM_FILE 3 // Disassembly, no symbols/registers
#define DISASM_CODE 4 // Disassembly, registers undefined
#define DISASM_ALL 5 // Complete disassembly
#define DISASM_RTRACE 6 // Disassemble with run-trace registers
#define DISASM_MODE 0x0000000F // Mask to extract disassembling mode
#define DISASM_HILITE 0x000F0000 // Mask to extract highlighting mode
#define DISASM_HLSHIFT 16 // Shift to extract highlighting mode
// Warnings issued by Disasm(), OR-ed together into t_disasm.warnings.
// DAW_DANGEROUS (0x3000) contains the DAW_DANGER95 bit (0x1000), so a plain
// test for DAW_DANGER95 also matches commands flagged DAW_DANGEROUS; compare
// against the full mask when the distinction matters.
#define DAW_FARADDR 0x0001 // Command is a far jump, call or return
#define DAW_SEGMENT 0x0002 // Command loads segment register
#define DAW_PRIV 0x0004 // Privileged command
#define DAW_IO 0x0008 // I/O command
#define DAW_SHIFT 0x0010 // Shift constant out of range 1..31
#define DAW_PREFIX 0x0020 // Superfluous prefix
#define DAW_LOCK 0x0040 // Command has LOCK prefix
#define DAW_STACK 0x0080 // Unaligned stack operation
#define DAW_DANGER95 0x1000 // May mess up Win95/98 if executed
#define DAW_DANGEROUS 0x3000 // May mess up any OS if executed (includes DAW_DANGER95)
// Status of a traced register or address (RST_xxx), as stored in
// t_disasm.regstatus[], t_disasm.addrstatus and t_disasm.rststatus[].
// NREGSTACK sizes the regstack[]/rststatus[] arrays of t_disasm.
#define RST_INVALID 0 // Register undefined
#define RST_VALUE 1 // Register contains regdata
#define RST_VFIXUP 2 // Reg contains regdata that is fixup
#define RST_INDIRECT 3 // Register contains [regdata]
#define NREGSTACK 32 // Length of stack trace buffer
// Register set of a debuggee thread as exposed to plugins. t_thread embeds two
// copies (reg and oldreg). The index order of r[], s[], base[], limit[] and
// big[] is given in the member comments; f[] and tag[] are indexed relative
// to top. drlin[], dr6 and dr7 mirror the x86 hardware debug registers.
// NOTE(review): which members are written back to the thread when modified
// is set is not visible in this header — confirm before changing them.
typedef struct t_reg { // Excerpt from context
int modified; // Some regs modified, update context
int modifiedbyuser; // Among modified, some modified by user
int singlestep; // Type of single step, SS_xxx
ulong r[8]; // EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI
ulong ip; // Instruction pointer (EIP)
ulong flags; // Flags
int top; // Index of top-of-stack
long double f[8]; // Float registers, f[top] - top of stack
char tag[8]; // Float tags (0x3 - empty register)
ulong fst; // FPU status word
ulong fcw; // FPU control word
ulong s[6]; // Segment registers ES,CS,SS,DS,FS,GS
ulong base[6]; // Segment bases (same index order as s[])
ulong limit[6]; // Segment limits (same index order as s[])
char big[6]; // Default size (0 - 16-bit, 1 - 32-bit), per segment
ulong dr6; // Debug register DR6
ulong threadid; // ID of thread that owns registers
ulong lasterror; // Last thread error or 0xFFFFFFFF
int ssevalid; // Whether SSE registers valid
int ssemodified; // Whether SSE registers modified
char ssereg[8][16]; // SSE registers (8 registers of 16 bytes)
ulong mxcsr; // SSE control and status register
int selected; // Reports selected register to plugin
ulong drlin[4]; // Debug registers DR0..DR3 (linear addresses)
ulong dr7; // Debug register DR7
} t_reg;
// Full description of one operand of a command; t_disasm holds three of these
// in op[]. regscale[] presumably follows the register order of t_reg.r[] —
// confirm against the disassembler before relying on it.
typedef struct t_operand { // Full description of command's operand
char optype; // DEC_xxx (mem) or DECR_xxx (reg,const)
char opsize; // Size of operand
char regscale[8]; // Scales of registers
char seg; // Segment register
ulong opconst; // Constant
} t_operand;
// Results of disassembling one command, filled by Disasm(). The text members
// (dump, result, comment, opinfo) are fixed TEXTLEN buffers; the three
// per-operand arrays and op[] are indexed by operand number. reserved[] keeps
// the structure size stable across plugin versions and must not be reused.
typedef struct t_disasm { // Results of disassembling
ulong ip; // Instruction pointer
char dump[TEXTLEN]; // Hexadecimal dump of the command
char result[TEXTLEN]; // Disassembled command
char comment[TEXTLEN]; // Brief comment
char opinfo[3][TEXTLEN]; // Comments to command's operands
int cmdtype; // One of C_xxx
int memtype; // Type of addressed variable in memory
int nprefix; // Number of prefixes
int indexed; // Address contains register(s)
ulong jmpconst; // Constant jump address
ulong jmptable; // Possible address of switch table
ulong adrconst; // Constant part of address
ulong immconst; // Immediate constant
int zeroconst; // Whether contains zero constant
int fixupoffset; // Possible offset of 32-bit fixups
int fixupsize; // Possible total size of fixups or 0
ulong jmpaddr; // Destination of jump/call/return
int condition; // 0xFF:unconditional, 0:false, 1:true
int error; // Error while disassembling command
int warnings; // Combination of DAW_xxx
int optype[3]; // Type of operand (extended set DEC_xxx)
int opsize[3]; // Size of operand, bytes
int opgood[3]; // Whether address and data valid
ulong opaddr[3]; // Address if memory, index if register
ulong opdata[3]; // Actual value (only integer operands)
t_operand op[3]; // Full description of operand
ulong regdata[8]; // Registers after command is executed (t_reg.r[] order)
int regstatus[8]; // Status of registers, one of RST_xxx
ulong addrdata; // Traced memory address
int addrstatus; // Status of addrdata, one of RST_xxx
ulong regstack[NREGSTACK]; // Stack tracing buffer
int rststatus[NREGSTACK]; // Status of stack items, RST_xxx
int nregstack; // Number of valid items in regstack[]/rststatus[]
ulong reserved[29]; // Reserved for plugin compatibility
} t_disasm;
// Disassembles one command from the srcsize bytes at src, which are taken to
// reside at address srcip; the result is written to *disasm. srcdec may point
// to analysis data for the same bytes (presumably DEC_xxx — confirm).
// disasmmode is a DISASM_xxx mode, optionally combined with highlighting bits
// (see DISASM_MODE/DISASM_HILITE). Pass the real size of the src buffer in
// srcsize, not the expected command length. The ulong return is presumably the
// command length — confirm against the OllyDbg API reference.
extc ulong cdecl Disasm(uchar *src,ulong srcsize,ulong srcip,uchar *srcdec,
t_disasm *disasm,int disasmmode,ulong threadid);
// Walk n commands backward/forward from ip within a block of size bytes that
// is loaded at address base; usedec presumably selects whether analysis data
// is consulted. Return value semantics are not visible here — confirm.
extc ulong cdecl Disassembleback(uchar *block,ulong base,ulong size,
ulong ip,int n,int usedec);
extc ulong cdecl Disassembleforward(uchar *block,ulong base,ulong size,
ulong ip,int n,int usedec);
// Checks the size-byte command cmd at ip with register state preg and writes
// a description to s. The signature carries no length for s; NOTE(review):
// the required buffer size (TEXTLEN?) is not visible here — confirm.
extc int cdecl Issuspicious(char *cmd,ulong size,ulong ip,
ulong threadid,t_reg *preg,char *s);
// Reports whether the size bytes at data (at file/memory offset offset) look
// like alignment filling for the given align; exact criteria not visible here.
extc int cdecl Isfilling(ulong offset,char *data,ulong size,ulong align);
////////////////////////////////////////////////////////////////////////////////
////////////////////////////// ASSEMBLY FUNCTIONS //////////////////////////////
// Assembles the textual command cmd for address ip into *model. attempt and
// constsize presumably select among alternative encodings — confirm. errtext
// receives an error description; NOTE(review): its required size is not in
// the signature (TEXTLEN?) — confirm before passing a smaller buffer.
extc int cdecl Assemble(char *cmd,ulong ip,t_asmmodel *model,int attempt,
int constsize,char *errtext);
// Evaluates condition code against the given flags register value.
extc int cdecl Checkcondition(int code,ulong flags);
////////////////////////////////////////////////////////////////////////////////
///////////////////////////////// EXPRESSIONS //////////////////////////////////
// Result of evaluating an expression with Expression(). The two anonymous
// unions require a compiler that supports them (C11 or the Microsoft
// extension). data[10] is the raw 80-bit form shared with u, l and f; value
// and wvalue share one TEXTLEN-byte buffer (wvalue assumes 2-byte wchar_t).
typedef struct t_result { // Result of expression's evaluation
int type; // Type of expression, DEC(R)_xxx
int dtype; // Type of data, DEC_xxx
union {
uchar data[10]; // Binary form of expression's value
ulong u; // Value as unsigned integer
long l; // Value as signed integer
long double f; }; // Value as 80-bit float
union {
char value[TEXTLEN]; // ASCII form of expression's value
wchar_t wvalue[TEXTLEN/2]; }; // UNICODE form of expression's value
ulong lvaddr; // Address of lvalue or NULL (0)
} t_result;
// Evaluates the text in expression and stores the outcome in *result. data,
// database and datasize presumably describe a block of datasize bytes located
// at address database that the evaluator may consult; threadid selects the
// register context. The meaning of a and b is not visible in this header.
extc int cdecl Expression(t_result *result,char *expression,int a,int b,
uchar *data,ulong database,ulong datasize,ulong threadid);
////////////////////////////////////////////////////////////////////////////////
/////////////////////////////// THREAD FUNCTIONS ///////////////////////////////
// Descriptor of a debuggee thread as tracked by the debugger. HANDLE and
// CONTEXT are the Win32 types. reg/oldreg are only meaningful when the
// matching regvalid/oldregvalid flag is set.
typedef struct t_thread { // Information about active threads
ulong threadid; // Thread identifier
ulong dummy; // Always 1
ulong type; // Service information, TY_xxx
HANDLE thread; // Thread handle
ulong datablock; // Per-thread data block
ulong entry; // Thread entry point
ulong stacktop; // Working variable of Listmemory()
ulong stackbottom; // Working variable of Listmemory()
CONTEXT context; // Actual context of the thread
t_reg reg; // Actual contents of registers
int regvalid; // Whether reg is valid
t_reg oldreg; // Previous contents of registers
int oldregvalid; // Whether oldreg is valid
int suspendcount; // Suspension count (may be negative)
long usertime; // Time in user mode, 1/10th ms, or -1
long systime; // Time in system mode, 1/10th ms, or -1
ulong reserved[16]; // Reserved for future compatibility
} t_thread;
// Thread-window and thread-lookup API.
extc HWND cdecl Createthreadwindow(void);
// Looks up the descriptor of thread threadid; presumably returns NULL when
// the thread is unknown — check the result before dereferencing.
extc t_thread* cdecl Findthread(ulong threadid);
// Writes a textual name for threadid into s according to mode. NOTE(review):
// the required size of s is not carried in the signature — confirm.
extc int cdecl Decodethreadname(char *s,ulong threadid,int mode);
extc ulong cdecl Getcputhreadid(void);
// Runsinglethread()/Restoreallthreads() presumably form a pair (suspend all
// but one thread, then restore) — confirm the exact contract before use.
extc ulong cdecl Runsinglethread(ulong threadid);
extc void cdecl Restoreallthreads(void);
////////////////////////////////////////////////////////////////////////////////
/////////////////////////////// MEMORY FUNCTIONS ///////////////////////////////
// Mode bits recognized by Readmemory() and Writememory(); combine with OR.
// MM_RESILENT is the common combination MM_RESTORE|MM_SILENT.
#define MM_RESTORE 0x01 // Restore or remove INT3 breakpoints
#define MM_SILENT 0x02 // Don't display error message
#define MM_DELANAL 0x04 // Delete analysis from the memory
#define MM_RESILENT (MM_RESTORE|MM_SILENT)
// Descriptor of one memory block of the debuggee, as returned by Findmemory().
// sect is a fixed SHORTLEN buffer; copy is NULL unless a local copy is kept.
typedef struct t_memory { // Memory block descriptor
ulong base; // Base address of memory block
ulong size; // Size of block
ulong type; // Service information, TY_xxx
ulong owner; // Address of owner of the memory
ulong initaccess; // Initial read/write access
ulong access; // Actual status and read/write access
ulong threadid; // Block belongs to this thread or 0
char sect[SHORTLEN]; // Name of module section
uchar *copy; // Copy used in CPU window or NULL
ulong reserved[8]; // Reserved for plugin compatibility
} t_memory;
// Descriptor of one heap block of the debuggee.
typedef struct t_heap { // Heap block descriptor
ulong base; // Base address of heap block
ulong size; // Size of heap block
ulong type; // Service information, TY_xxx
ulong parent; // Handle of heap descriptor block
} t_heap;
// Debuggee memory API.
extc int cdecl Listmemory(void);
// Finds the memory block containing addr; presumably returns NULL when no
// block matches — check before dereferencing.
extc t_memory* cdecl Findmemory(ulong addr);
extc int cdecl Guardmemory(ulong base,ulong size,int guard);
extc void cdecl Havecopyofmemory(uchar *copy,ulong base,ulong size);
// Read/write size bytes of debuggee memory at addr from/to buf; mode is a
// combination of MM_xxx. The ulong return is presumably the number of bytes
// transferred — confirm, and check it rather than assuming the full size.
// Writememory() takes buf as non-const although it is the source.
extc ulong cdecl Readmemory(void *buf,ulong addr,ulong size,int mode);
extc ulong cdecl Writememory(void *buf,ulong addr,ulong size,int mode);
// Copies the bytes of the command at ip into cmd. NOTE(review): the required
// size of cmd is not in the signature (presumably the maximal command size
// constant of this header) — confirm.
extc ulong cdecl Readcommand(ulong ip,char *cmd);
////////////////////////////////////////////////////////////////////////////////
/////////////////////////////// MODULE FUNCTIONS ///////////////////////////////
#define NVERS 32 // Max allowed length of file version string (buffer size)
// Types of recognized jumps (JT_xxx); the list may continue below.
#define JT_JUMP 0 // Unconditional jump
#define JT_COND 1 // Conditional jump