📄 vm.cpp
字号:
}
if (fp_out)
{
fclose(fp_out);
fp_out = NULL;
}
SetRetVal(nRetResult);
return nRetResult;
}
inline int CVM::DoDumpMem()
{
return DumpMemWithMode("wb");
}
inline int CVM::DoDumpMemAppend()
{
return DumpMemWithMode("a+b");
}
int CVM::_DumpAsPE(
/* [in] */ const unsigned long ImageBase,
/* [in] */ const unsigned long ImageSize,
/* [in] */ const HANDLE hProcess,
/* [in] */ const unsigned long CustomEntryPoint,
/* [in] */ const char *szOutputPEFileName
)
{
ASSERT(szOutputPEFileName);
int nRetResult = 0;
int nRetCode;
char *pBuffer = NULL;
FILE *fp = NULL;
unsigned long ulReadSize = 0;
unsigned long ulWriteSize = 0;
unsigned long RealImageSize = 0;
int nBufSizeEnough = 1;
IMAGE_DOS_HEADER DosHeader = { 0 };
IMAGE_NT_HEADERS PeHeader = { 0 };
pBuffer = new char[ImageSize];
OM_PROCESS_ERROR(pBuffer);
nRetCode = ReadProcessMemory(
hProcess,
(void *)ImageBase,
pBuffer,
ImageSize,
&ulReadSize
);
if (!(nRetCode && (ulReadSize == ImageSize)))
{
goto Exit0;
}
// Prevent PeHeader.OptionalHeader.SizeOfImage > MainModuleInfo.SizeOfImage
nRetCode = GetPEHeader(
pBuffer, ImageSize,
&DosHeader, &PeHeader,
&nBufSizeEnough
);
if ((!nRetCode) && (!nBufSizeEnough))
goto Exit0;
RealImageSize = PeHeader.OptionalHeader.SizeOfImage;
if (RealImageSize > ImageSize)
{
if (pBuffer)
{
delete pBuffer;
pBuffer = NULL;
}
pBuffer = new char[RealImageSize];
OM_PROCESS_ERROR(pBuffer);
nRetCode = ReadProcessMemory(
hProcess,
(void *)ImageBase,
pBuffer,
RealImageSize,
&ulReadSize
);
if (!(nRetCode && (ulReadSize == RealImageSize)))
{
goto Exit0;
}
}
else
{
RealImageSize = ImageSize;
}
nRetCode = FixPEHeader(pBuffer, RealImageSize, CustomEntryPoint);
if (!nRetCode)
goto Exit0;
fp = fopen(szOutputPEFileName, "wb");
if (!fp)
goto Exit0;
ulWriteSize = fwrite(pBuffer, 1, RealImageSize, fp);
if (RealImageSize != ulWriteSize)
goto Exit0;
nRetResult = 1;
Exit0:
if (pBuffer)
{
delete pBuffer;
pBuffer = NULL;
}
if (fp)
{
fclose(fp);
fp = NULL;
}
return nRetResult;
}
int CVM::GetPEHeader(
/* [in] */ const char *pBuffer,
/* [in] */ const int nBufferSize,
/* [out] */ IMAGE_DOS_HEADER *pDosHeader,
/* [out] */ IMAGE_NT_HEADERS32 *pPeHeader,
/* [out] */ int *pBufSizeEnough
)
{
ASSERT(pDosHeader);
ASSERT(pPeHeader);
ASSERT(pBufSizeEnough);
int nRetResult = 0;
int nPEHeadSize = 0;
*pBufSizeEnough = 1;
if ((!pBuffer) || (!pDosHeader) || (!pPeHeader))
goto Exit0;
memcpy(pDosHeader , pBuffer, sizeof(IMAGE_DOS_HEADER));
if (pDosHeader->e_lfanew <= 0) //Make sure e_lfanew > 0.
goto Exit0;
if(pDosHeader->e_lfanew > nBufferSize) //Make sure lfanew is valid.
{
pBufSizeEnough = 0;
goto Exit0;
}
memcpy(
pPeHeader,
(pBuffer + (pDosHeader->e_lfanew)),
sizeof(IMAGE_NT_HEADERS32)
);
if (IMAGE_NT_SIGNATURE != pPeHeader->Signature) //not PE Sign.
goto Exit0;
nRetResult = 1;
Exit0:
if (!nRetResult)
{
memset(pDosHeader, 0, sizeof(IMAGE_DOS_HEADER));
memset(pPeHeader, 0, sizeof(IMAGE_NT_HEADERS32));
}
return nRetResult;
}
int CVM::FixPEHeader(
/* [in] */ char *pMainFileBuffer,
/* [in] */ const unsigned int uBufferSize,
/* [in] */ const unsigned long CustomEntryPoint
)
{
ASSERT(pMainFileBuffer);
int nRetResult = 0;
int nRetCode;
int i = 0;
int nBufSizeEnough = 1;
int nCurPos = -1;
IMAGE_DOS_HEADER DosHeader = { 0 };
IMAGE_NT_HEADERS PeHeader = { 0 };
IMAGE_SECTION_HEADER *pSections = NULL;
int nSectionTableSize = 0;
if (!pMainFileBuffer)
goto Exit0;
nRetCode = GetPEHeader(
pMainFileBuffer, uBufferSize,
&DosHeader, &PeHeader,
&nBufSizeEnough
);
if ((!nRetCode) && (!nBufSizeEnough))
goto Exit0;
*(long *)&pMainFileBuffer[DosHeader.e_lfanew + 0x28] = CustomEntryPoint;
// Get Section table.
nSectionTableSize =
(PeHeader.FileHeader.NumberOfSections) * sizeof(IMAGE_SECTION_HEADER);
pSections = new IMAGE_SECTION_HEADER[PeHeader.FileHeader.NumberOfSections];
if (!pSections)
goto Exit0;
memcpy(
pSections,
pMainFileBuffer + DosHeader.e_lfanew + sizeof(IMAGE_NT_HEADERS),
nSectionTableSize
);
// Fix all Raw Infos of each section.
for (i = 0; i < PeHeader.FileHeader.NumberOfSections; i++)
{
pSections[i].SizeOfRawData = pSections[i].Misc.VirtualSize;
pSections[i].PointerToRawData = pSections[i].VirtualAddress;
}
nCurPos = DosHeader.e_lfanew + sizeof(IMAGE_NT_HEADERS);
memcpy(
(pMainFileBuffer + nCurPos),
pSections,
(PeHeader.FileHeader.NumberOfSections) * sizeof(IMAGE_SECTION_HEADER)
);
nRetResult = 1;
Exit0:
if (pSections)
{
delete pSections;
pSections = NULL;
}
return nRetResult;
}
int CVM::DoDumpAsPE()
{
int nRetResult = 0;
int nRetCode;
long lFileNameOffset;
char szPEFileName[MAX_PATH];
long lEip;
t_module *pModule;
nRetCode = Pop(&lFileNameOffset);
OM_PROCESS_ERROR(nRetCode);
nRetCode = CheckDataAddrValid(lFileNameOffset);
if (0 == nRetCode)
{
if (NULL != m_listMallocMemAddr.Find(lFileNameOffset))
{
strcpy(szPEFileName, (char *)lFileNameOffset);
}
else
goto Exit0;
}
else
{
strcpy(szPEFileName, &m_Data[lFileNameOffset]);
}
nRetCode = Pop(&lEip);
OM_PROCESS_ERROR(nRetCode);
strcpy(szPEFileName, &m_Data[lFileNameOffset]);
pModule = Findmodule(Plugingetvalue(VAL_MAINBASE));
OM_PROCESS_ERROR(pModule);
nRetCode = _DumpAsPE(
pModule->base,
pModule->size,
(HANDLE)Plugingetvalue(VAL_HPROCESS),
lEip - pModule->base, // it is a RVA!
szPEFileName
);
OM_PROCESS_ERROR(nRetCode);
nRetResult = 1;
Exit0:
SetRetVal(nRetResult);
return nRetResult;
}
int CVM::DoGetPrevOpAddr()
{
int nRetResult = 0;
int nRetCode;
long lAddr;
long lN;
long lRetAddr;
t_memory *tmem;
nRetCode = Pop(&lAddr);
OM_PROCESS_ERROR(nRetCode);
nRetCode = Pop(&lN);
OM_PROCESS_ERROR(nRetCode);
tmem = Findmemory(lAddr);
OM_PROCESS_ERROR(tmem);
lRetAddr = Disassembleback(0, tmem->base, tmem->size, lAddr, lN, 0);
nRetResult = 1;
Exit0:
if (nRetResult)
SetRetVal(lRetAddr);
else
SetRetVal(-1);
return nRetResult;
}
int CVM::DoGetNextOpAddr()
{
int nRetResult = 0;
int nRetCode;
long lAddr;
long lN;
long lRetAddr;
t_memory *tmem;
nRetCode = Pop(&lAddr);
OM_PROCESS_ERROR(nRetCode);
nRetCode = Pop(&lN);
OM_PROCESS_ERROR(nRetCode);
tmem = Findmemory(lAddr);
OM_PROCESS_ERROR(tmem);
lRetAddr = Disassembleforward(0, tmem->base, tmem->size, lAddr, lN, 0);
nRetResult = 1;
Exit0:
if (nRetResult)
SetRetVal(lRetAddr);
else
SetRetVal(-1);
return nRetResult;
}
int CVM::DoGetProcAddress()
{
int nRetResult = 0;
int nRetCode;
long lFuncNameOffset;
long lDllNameOffset;
char szFuncName[50];
char szDllName[MAX_PATH];
HMODULE hModuleDll = NULL;
FARPROC pFuncAddr;
nRetCode = Pop(&lFuncNameOffset);
OM_PROCESS_ERROR(nRetCode);
nRetCode = CheckDataAddrValid(lFuncNameOffset);
OM_PROCESS_ERROR(nRetCode);
nRetCode = Pop(&lDllNameOffset);
OM_PROCESS_ERROR(nRetCode);
nRetCode = CheckDataAddrValid(lDllNameOffset);
OM_PROCESS_ERROR(nRetCode);
strcpy(szFuncName, &m_Data[lFuncNameOffset]);
strcpy(szDllName, &m_Data[lDllNameOffset]);
hModuleDll = LoadLibrary(szDllName);
OM_PROCESS_ERROR(hModuleDll);
pFuncAddr = GetProcAddress(hModuleDll, szFuncName);
OM_PROCESS_ERROR(pFuncAddr);
nRetResult = 1;
Exit0:
if (nRetResult)
SetRetVal(*(long *)&pFuncAddr);
else
SetRetVal(-1);
if (hModuleDll)
{
FreeLibrary(hModuleDll);
hModuleDll = NULL;
}
return nRetResult;
}
inline void CVM::DoRunToReturn()
{
Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 1, 0, VK_F9);
ReturnToOD();
}
inline void CVM::DoRunToUserCode()
{
Sendshortcut(PM_MAIN, 0, WM_SYSKEYDOWN, 0, 0, VK_F9);
ReturnToOD();
}
inline void CVM::DoRun()
{
Go(Getcputhreadid(), 0, STEP_RUN, 0, 1);
ReturnToOD();
}
inline void CVM::DoAnimateInto()
{
Animate(ANIMATE_IN);
Go(Getcputhreadid(), 0, STEP_IN, 0, 1);
ReturnToOD();
}
inline void CVM::DoAnimateOver()
{
Animate(ANIMATE_OVER);
Go(Getcputhreadid(), 0, STEP_OVER, 0, 1);
ReturnToOD();
}
inline int CVM::DoStepInto()
{
int nRetResult = 0;
int nRetCode;
nRetCode = Go(Getcputhreadid(), 0, STEP_IN, 0, 1);
if (-1 == nRetCode) // fail!
goto Exit0;
ReturnToOD();
nRetResult = 1;
Exit0:
SetRetVal(nRetResult);
return nRetResult;
}
inline int CVM::DoStepOver()
{
int nRetResult = 0;
int nRetCode;
nRetCode = Go(Getcputhreadid(), 0, STEP_OVER, 0, 1);
if (-1 == nRetCode) // fail!
goto Exit0;
ReturnToOD();
nRetResult = 1;
Exit0:
SetRetVal(nRetResult);
return nRetResult;
}
inline int CVM::DoStepIntoS(
/* [out] */ long *lInstLen
)
{
ASSERT(lInstLen);
int nRetResult = 0;
int nRetCode;
static long lTimes;
static long i = 0;
if (0 == i)
{
nRetCode = Pop(&lTimes);
OM_PROCESS_ERROR(nRetCode);
}
if (i < lTimes)
{
nRetCode = DoStepInto();
OM_PROCESS_ERROR(nRetCode);
++i;
*lInstLen = 0;
}
else
{
lTimes = 0;
i = 0;
*lInstLen = m_nMnemonicLen[MC_STEPINTOS];
}
nRetResult = 1;
Exit0:
SetRetVal(nRetResult);
return nRetResult;
}
inline int CVM::DoStepOverS(
/* [out] */ long *lInstLen
)
{
ASSERT(lInstLen);
int nRetResult = 0;
int nRetCode;
static long lTimes;
static long i = 0;
if (0 == i)
{
nRetCode = Pop(&lTimes);
OM_PROCESS_ERROR(nRetCode);
}
if (i < lTimes)
{
nRetCode = DoStepOver();
OM_PROCESS_ERROR(nRetCode);
++i;
*lInstLen = 0;
}
else
{
lTimes = 0;
i = 0;
*lInstLen = m_nMnemonicLen[MC_STEPOVERS];
}
nRetResult = 1;
Exit0:
SetRetVal(nRetResult);
return nRetResult;
}
inline void CVM::DoESTI()
{
Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 0, 1, VK_F7);
ReturnToOD();
}
inline void CVM::DoESTO()
{
Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 0, 1, VK_F9);
ReturnToOD();
}
int CVM::DoGo()
{
int nRetResult = 0;
int nRetCode;
long lAddr;
nRetCode = Pop(&lAddr);
OM_PROCESS_ERROR(nRetCode);
nRetCode = Go(Getcputhreadid(), lAddr, STEP_RUN, 0, 1);
if (-1 == nRetCode) // fail!
goto Exit0;
ReturnToOD();
nRetResult = 1;
Exit0:
SetRetVal(nRetResult);
return nRetResult;
}
int CVM::Tracing(
/* [in] */ const long lAddr,
/* [in] */ char *szCond,
/* [in] */ const int nMode // 0 == trace_into, other == trace_over
)
{
int nRetResult = 0;
int nRetCode;
ulong threadid;
t_thread *pthr;
// If run trace buffer is not active, create it.
// It requires actual registers of current thread.
if (0 == Runtracesize())
{
threadid = Getcputhreadid();
if (0 == threadid)
threadid = Plugingetvalue(VAL_MAINTHREADID);
pthr = Findthread(threadid);
if (NULL != pthr)
{
nRetCode = Startruntrace(&(pthr->reg));
OM_PROCESS_ERROR(0 == nRetCode);
}
}
// If buffer is open, set optional condition and start run trace.
if (Runtracesize() > 0)
{
if (0 == lAddr)
Settracecondition(szCond, 0, 0, 0, 0, 0);
else
Settracecondition(szCond, 0, lAddr, lAddr + 1, 0, 0);
if (0 == nMode)
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -