include head.inc
; Fixed 8-byte label slot. MemTypeIndex (.data) is an array of these and the
; callers of GetMemType address it as index*8; the "%-6.8s" precision in the
; templates bounds the read at 8 bytes, so an entry that used all 8 bytes would
; still print without a terminator. Entries shorter than 8 bytes are zero padded.
MemType struct
db 8 dup (0)
MemType ends
; Fixed 5-byte label slot (4 visible characters + zero padding). ProtectTypeIndex
; (.data) is an array of these, addressed as index*5 by the callers of GetProtect
; and printed with "%-4.4s".
ProtectType struct
db 5 dup (0)
ProtectType ends
; Forward declarations so the procedures below can be invoked in any order.
ModalDlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD ; dialog procedure (hWnd, uMsg, wParam, lParam)
ModuleFind PROTO:DWORD,:DWORD                  ; (region base, MODULEENTRY32*) -> non-zero if a module starts there
GetMemType PROTO:DWORD                         ; (MEMORY_BASIC_INFORMATION*) -> index into MemTypeIndex (0..5)
GetProtect PROTO:DWORD                         ; (PAGE_* protection value) -> index into ProtectTypeIndex (0..7)
ErgodVaildVirtualMem PROTO                     ; walk the address space and fill the list box
ErgodRegionBlk PROTO :DWORD                    ; (MEMORY_BASIC_INFORMATION*) -> region size; sets BlkNum/GuardMark
.const
; Resource identifiers. They must agree with the dialog/menu resource script
; that is linked with this file (not part of this listing).
IDR_MODALDIALOG equ 101   ; main dialog template passed to DialogBoxParam
IDR_MENUDIALOG equ 102    ; menu resource (not referenced in this file; presumably attached in the .rc)
IDC_LIST equ 1001         ; list box control that receives the output lines
IDM_VMD equ 10001         ; menu command: (re)build the virtual memory listing
IDM_EXITDIALOG equ 10002  ; menu command: exit
.data
pe PROCESSENTRY32 <sizeof PROCESSENTRY32>  ; dwSize pre-set, as Process32First requires
me MODULEENTRY32 <sizeof MODULEENTRY32>    ; dwSize pre-set, as Module32First requires
; Labels indexed by GetMemType's return value (0..5):
; free, reserved, image, mapped, private, unknown. Each slot is 8 bytes (MemType).
MemTypeIndex MemType <"空闲">,<"保留">,<"映像">,<"映射">,<"私有">,<"不可知">
; Labels indexed by GetProtect's return value (0..7): R, RW, RWC, E, ER, ERW,
; ERWC, and a blank entry for PAGE_NOACCESS or any unrecognised value.
ProtectTypeIndex ProtectType <"-R--">,<"-RW-">,<"-RWC">,<"E---">,<"ER--">,<"ERW-">,<"ERWC">,<" ">
PageGuard db " G--",0   ; suffix for a block whose Protect carries PAGE_GUARD
PageOther db " ---",0   ; suffix for every other block
ThreadStack db "线程栈",0  ; "thread stack": appended to a region line when GuardMark is TRUE
interval db 5 dup (32),0  ; five-space column separator
; Region line: base address, region size, block count, memory type, protection.
TemplateReg db "%-15.8p%-12lu%-3d%-6.8s%-4.4s",0
; Block line (indented under its region): block address, size, memory type, protection.
TemplateBlk db " %-12.8p%-12lu %-6.8s%-4.4s",0
TitleName db "4GB虚拟内存列表",0  ; "4GB virtual memory list": generic window title
dpl db "SeDebugPrivilege",0  ; privilege name given to LookupPrivilegeValue
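.data?
hListBox HANDLE ?            ; IDC_LIST control, cached in WM_INITDIALOG
hOpenProcess HANDLE ?        ; PROCESS_QUERY_INFORMATION handle to this process
hSnapshot HANDLE ?           ; toolhelp snapshot (TH32CS_SNAPALL) taken once at start
hToken HANDLE ?              ; our own token, only while adjusting privileges
tkp TOKEN_PRIVILEGES <>
vmq MEMORY_BASIC_INFORMATION < >   ; scratch output of VirtualQueryEx
rect RECT <>                       ; scratch for WM_SIZE
CurrentProcessId dd ?
pAllocationBaseAddr dd ?     ; start address of the region currently being listed
; One list-box line. Worst case is the wsprintf output (~45 chars) + `interval`
; + a module path (me.szExePath, MAX_PATH bytes) or a mapped-file name
; + optionally `interval` + ThreadStack. The previous 200 bytes did not hold
; that, and because `lstrcat` is unbounded the excess would have been written
; into BlkNum and GuardMark right below, corrupting the block loop. 512 bytes
; covers the worst case with margin (wsprintf itself never writes more than 1024).
buffer db 512 dup (?)
BlkNum dd ?                  ; number of blocks in the current region (ErgodRegionBlk)
GuardMark BOOL ?             ; TRUE if the current region contains a PAGE_GUARD block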
.code
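start:
    ; Try to enable SeDebugPrivilege on our own token. Nothing in this file needs
    ; it (we only query our own process, see OpenProcess below), so every failure
    ; on this path is non-fatal; it would only matter if hOpenProcess were ever
    ; pointed at another process. AdjustTokenPrivileges returns TRUE even when the
    ; privilege is not held (ERROR_NOT_ALL_ASSIGNED), so its result is not useful here.
    invoke GetCurrentProcess
    invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
    .if eax
        invoke LookupPrivilegeValue,NULL,addr dpl,addr tkp.Privileges.Luid
        .if eax
            mov tkp.PrivilegeCount,1                        ; a single privilege
            mov tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
            invoke AdjustTokenPrivileges,hToken,FALSE,addr tkp,0,NULL,0
        .endif
        invoke CloseHandle,hToken
    .endif

    invoke GetCurrentProcessId
    mov CurrentProcessId,eax
    ; Least privilege: PROCESS_QUERY_INFORMATION is all that VirtualQueryEx and
    ; GetMappedFileName need. A NULL handle would make every query below fail
    ; silently, so bail out instead.
    invoke OpenProcess,PROCESS_QUERY_INFORMATION,FALSE,eax
    .if !eax
        invoke ExitProcess,1
    .endif
    mov hOpenProcess,eax

    ; Snapshot of processes and modules; ModalDlgProc/ModuleFind read it later.
    ; Note CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL.
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPALL,CurrentProcessId
    .if eax==INVALID_HANDLE_VALUE
        invoke CloseHandle,hOpenProcess
        invoke ExitProcess,1
    .endif
    mov hSnapshot,eax

    invoke DialogBoxParam,NULL,IDR_MODALDIALOG,NULL,addr ModalDlgProc,NULL
    push eax                             ; keep the dialog result as exit code
    invoke CloseHandle,hSnapshot
    pop eax
    invoke ExitProcess,eax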
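ReleaseProcessHandle proc
    ; Close hOpenProcess once and clear it. Both WM_CLOSE and IDM_EXITDIALOG
    ; come through here, so the guard below is meaningful: without zeroing the
    ; variable a second call would CloseHandle a value that may since have been
    ; recycled by the system for another object.
    .if hOpenProcess
        invoke CloseHandle,hOpenProcess
        mov hOpenProcess,0
    .endif
    ret
ReleaseProcessHandle endp

ModalDlgProc proc uses edi hWnd:dword,uMsg:dword,wParam:dword,lParam:dword
    ; Dialog procedure for IDR_MODALDIALOG.
    ;   WM_INITDIALOG  title the window with our exe name, found in the toolhelp
    ;                  snapshot by PID; cache the list box handle and focus it.
    ;   WM_SIZE        keep the list box covering the whole client area.
    ;   WM_CLOSE       release the process handle and end the dialog.
    ;   WM_COMMAND     IDM_VMD rebuilds the listing; IDM_EXITDIALOG closes.
    ; Returns TRUE for handled messages, FALSE otherwise. WM_INITDIALOG returns
    ; FALSE on purpose so the dialog manager keeps the focus set by SetFocus.
    local temp:dword
    .if uMsg==WM_INITDIALOG
        mov edi,CurrentProcessId
        invoke Process32First,hSnapshot,addr pe
        mov temp,eax
        .while temp
            .break .if (pe.th32ProcessID==edi)
            invoke Process32Next,hSnapshot,addr pe
            mov temp,eax
        .endw
        .if temp
            invoke SetWindowText,hWnd,addr pe.szExeFile
        .else
            ; PID not found (or the snapshot is unusable): pe.szExeFile is then
            ; empty or describes some other process, so use the generic title.
            invoke SetWindowText,hWnd,addr TitleName
        .endif
        invoke GetDlgItem,hWnd,IDC_LIST
        mov hListBox,eax
        invoke SetFocus,hListBox
        mov eax,FALSE
        ret
    .elseif uMsg==WM_SIZE
        invoke GetClientRect,hWnd,addr rect
        invoke MoveWindow,hListBox,0,0,rect.right,rect.bottom,TRUE
    .elseif uMsg==WM_CLOSE
        invoke ReleaseProcessHandle
        invoke EndDialog,hWnd,NULL
    .elseif uMsg==WM_COMMAND
        mov eax,wParam
        .if !lParam                          ; lParam == 0: command came from the menu
            .if ax==IDM_VMD
                invoke SendMessage,hListBox,LB_RESETCONTENT,0,0
                invoke ErgodVaildVirtualMem
            .elseif ax==IDM_EXITDIALOG
                invoke ReleaseProcessHandle
                invoke EndDialog,hWnd,NULL
            .endif
        .endif
    .else
        mov eax,FALSE
        ret
    .endif
    mov eax,TRUE
    ret
ModalDlgProc endp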
ModuleFind proc uses esi edi pRgnBaseAddr:DWORD,pme:DWORD
    ; Search the module list of hSnapshot for a module loaded at pRgnBaseAddr.
    ; In:  pRgnBaseAddr = region base to look for
    ;      pme          = MODULEENTRY32* used as the enumeration record
    ; Out: eax non-zero and *pme describing the module when one starts at that
    ;      address; eax = 0 when the list is exhausted (the last Module32Next result).
    ; The snapshot is taken once at program start, so modules loaded later are
    ; not visible here.
    mov esi,pme
    mov edi,pRgnBaseAddr
    assume esi:ptr MODULEENTRY32
    invoke Module32First,hSnapshot,esi
    .while eax                               ; eax is the last Module32First/Next result
        .break .if [esi].modBaseAddr==edi
        invoke Module32Next,hSnapshot,esi
    .endw
    assume esi:nothing
    ret
ModuleFind endp
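GetMemType proc uses esi pvmq:DWORD
    ; Classify a MEMORY_BASIC_INFORMATION into an index of MemTypeIndex.
    ; In:  pvmq -> MEMORY_BASIC_INFORMATION
    ; Out: eax = 0 free, 1 reserved, 2 committed image, 3 committed mapped,
    ;            4 committed private, 5 anything else.
    ; The type test now lives inside the MEM_COMMIT branch: the original fell
    ; through to it with edi never assigned when State matched none of the three
    ; values, so an unexpected State would have been classified from a stale
    ; register. Such a State is now reported as 5 (unknown).
    assume esi:ptr MEMORY_BASIC_INFORMATION
    mov esi,pvmq
    mov eax,5
    .if [esi].State==MEM_FREE
        mov eax,0
    .elseif [esi].State==MEM_RESERVE
        mov eax,1
    .elseif [esi].State==MEM_COMMIT
        .if [esi].lType==MEM_IMAGE
            mov eax,2
        .elseif [esi].lType==MEM_MAPPED
            mov eax,3
        .elseif [esi].lType==MEM_PRIVATE
            mov eax,4
        .endif
    .endif
    assume esi:nothing                       ; ASSUME persists past endp; do not leak it
    ret
GetMemType endp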
GetProtect proc AttrProtect:DWORD
    ; Map a PAGE_* protection value to an index of ProtectTypeIndex (0..7).
    ; In:  AttrProtect = Protect or AllocationProtect from VirtualQueryEx
    ; Out: eax = 0 R, 1 RW, 2 RWC, 3 E, 4 ER, 5 ERW, 6 ERWC, 7 otherwise
    ;      (PAGE_NOACCESS and anything unrecognised land on the blank entry).
    ; Modifier bits that do not alter access rights are stripped first, so a
    ; guard, no-cache or write-combine page reports its underlying access;
    ; the caller marks PAGE_GUARD separately.
    mov eax,AttrProtect
    and eax,not (PAGE_GUARD or PAGE_NOCACHE or PAGE_WRITECOMBINE)
    .if eax==PAGE_READONLY
        mov eax,0
    .elseif eax==PAGE_READWRITE
        mov eax,1
    .elseif eax==PAGE_WRITECOPY
        mov eax,2
    .elseif eax==PAGE_EXECUTE
        mov eax,3
    .elseif eax==PAGE_EXECUTE_READ
        mov eax,4
    .elseif eax==PAGE_EXECUTE_READWRITE
        mov eax,5
    .elseif eax==PAGE_EXECUTE_WRITECOPY
        mov eax,6
    .else
        mov eax,7
    .endif
    ret
GetProtect endp
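AppendToBuffer proc uses esi edi pSrc:DWORD
    ; Append the NUL-terminated string at pSrc to the global `buffer` without
    ; ever writing past sizeof buffer. Module paths (me.szExePath) can be far
    ; longer than the fixed-size line buffer; the unbounded lstrcat used before
    ; would have run off its end into the globals declared after it.
    invoke lstrlen,addr buffer
    .if eax < (sizeof buffer - 1)            ; room for at least one char + NUL
        mov edi,sizeof buffer
        sub edi,eax                          ; bytes left, including the NUL
        lea esi,buffer
        add esi,eax                          ; esi -> current terminator
        invoke lstrcpyn,esi,pSrc,edi         ; copies at most edi-1 chars, always terminates
    .endif
    ret
AppendToBuffer endp

ErgodVaildVirtualMem proc uses ebx esi edi
    ; Walk the user address space of hOpenProcess from address 0 upwards and
    ; fill hListBox: one line per region (allocation), followed by one indented
    ; line per block in that region. Stops when VirtualQueryEx fails, which
    ; happens once the walk leaves the user-mode range.
    ; Globals used as scratch: vmq, buffer, BlkNum, GuardMark, pAllocationBaseAddr.
    ; Register roles: ebx -> MemTypeIndex entry of the current region/block;
    ;                 pProtectState -> ProtectTypeIndex entry. Both feed wsprintf.
    local tempbuffer[100]:byte
    local temp:dword
    local pBlock:dword
    local pProtectState:dword
    local RegionSize:dword

    mov pAllocationBaseAddr,0
    invoke VirtualQueryEx,hOpenProcess,pAllocationBaseAddr,addr vmq,sizeof vmq
    mov temp,eax
    .while temp
        ; ---- region line ----
        invoke GetMemType,addr vmq
        .if eax==1
            mov eax,4                        ; a reserved region is shown as private
        .endif
        shl eax,3                            ; index * sizeof MemType (8)
        lea ebx,MemTypeIndex
        add ebx,eax
        invoke GetProtect,vmq.AllocationProtect
        lea eax,[eax+eax*4]                  ; index * sizeof ProtectType (5)
        lea ecx,ProtectTypeIndex
        add ecx,eax
        mov pProtectState,ecx
        ; ErgodRegionBlk returns the region's total size in eax and sets BlkNum
        ; and GuardMark; afterwards vmq describes the *next* region, not this one.
        invoke ErgodRegionBlk,addr vmq
        mov RegionSize,eax
        invoke wsprintf,addr buffer,addr TemplateReg,pAllocationBaseAddr,RegionSize,BlkNum,ebx,pProtectState
        invoke ModuleFind,pAllocationBaseAddr,addr me
        .if eax
            invoke AppendToBuffer,addr interval
            invoke AppendToBuffer,addr me.szExePath
        .else
            ; Not a module from the snapshot: ask the kernel for a backing file name.
            invoke GetMappedFileName,hOpenProcess,pAllocationBaseAddr,addr tempbuffer,sizeof tempbuffer
            .if eax
                invoke AppendToBuffer,addr interval
                invoke AppendToBuffer,addr tempbuffer
            .endif
        .endif
        ; A region containing a PAGE_GUARD block is labelled as a thread stack.
        ; NOTE(review): guard pages are how stacks grow, but any code may set
        ; PAGE_GUARD, so treat this label as a hint rather than a certainty.
        .if GuardMark==TRUE
            invoke AppendToBuffer,addr interval
            invoke AppendToBuffer,addr ThreadStack
        .endif
        invoke SendMessage,hListBox,LB_INSERTSTRING,-1,addr buffer

        ; ---- block lines ----
        push pAllocationBaseAddr
        pop pBlock
        .while BlkNum
            invoke VirtualQueryEx,hOpenProcess,pBlock,addr vmq,sizeof vmq
            .break .if !eax                  ; would otherwise print a stale vmq
            invoke GetMemType,addr vmq
            shl eax,3
            lea ebx,MemTypeIndex
            add ebx,eax
            .if vmq.State==MEM_RESERVE
                invoke GetProtect,vmq.AllocationProtect  ; Protect is meaningless for reserved pages
            .else
                invoke GetProtect,vmq.Protect
            .endif
            lea eax,[eax+eax*4]
            lea ecx,ProtectTypeIndex
            add ecx,eax
            mov pProtectState,ecx
            invoke wsprintf,addr buffer,addr TemplateBlk,pBlock,vmq.RegionSize,ebx,pProtectState
            mov eax,vmq.Protect
            test eax,PAGE_GUARD
            .if !zero?
                invoke AppendToBuffer,addr PageGuard
            .else
                invoke AppendToBuffer,addr PageOther
            .endif
            invoke SendMessage,hListBox,LB_INSERTSTRING,-1,addr buffer
            mov eax,vmq.RegionSize
            add pBlock,eax
            dec BlkNum
        .endw

        ; ---- advance to the next region ----
        mov eax,RegionSize
        add pAllocationBaseAddr,eax
        invoke VirtualQueryEx,hOpenProcess,pAllocationBaseAddr,addr vmq,sizeof vmq
        mov temp,eax
    .endw
    ret
ErgodVaildVirtualMem endp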
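ErgodRegionBlk proc uses ebx esi edi pvmq:DWORD
    ; Count the blocks of the region that starts at pAllocationBaseAddr.
    ; In:  pvmq -> MEMORY_BASIC_INFORMATION already filled by a VirtualQueryEx
    ;      at pAllocationBaseAddr (the region's first block).
    ; Out: eax       = total size of the region (sum of its blocks' RegionSize)
    ;      BlkNum    = number of blocks, 0 for a free region
    ;      GuardMark = TRUE if any block of the region has PAGE_GUARD set
    ; Side effect: the structure at pvmq is overwritten and on return describes
    ; the first block of the *following* region (or is stale if the last query
    ; failed). Callers must not read this region's data from it afterwards.
    ; Fix: the original queried into the global vmq while reading RegionSize
    ; through pvmq, which only worked when pvmq happened to be addr vmq; all
    ; accesses now go through pvmq.
    local temp:dword
    local pBlockAddr:dword
    assume esi:ptr MEMORY_BASIC_INFORMATION
    mov esi,pvmq
    mov edi,pAllocationBaseAddr
    mov pBlockAddr,edi
    mov GuardMark,FALSE
    .if [esi].State==MEM_FREE
        mov BlkNum,0                         ; a free region has no blocks to list
    .else
        mov BlkNum,1                         ; the block already described by *pvmq
    .endif
    mov temp,TRUE
    .while temp
        mov eax,[esi].RegionSize
        add pBlockAddr,eax                   ; address right after the current block
        mov eax,[esi].Protect
        test eax,PAGE_GUARD
        .if !zero?
            mov GuardMark,TRUE
        .endif
        invoke VirtualQueryEx,hOpenProcess,pBlockAddr,esi,sizeof MEMORY_BASIC_INFORMATION
        mov temp,eax
        ; Stop on a failed query, or when the next block belongs to another allocation.
        .break .if (!temp || [esi].AllocationBase!=edi)
        inc BlkNum
    .endw
    assume esi:nothing
    mov eax,pBlockAddr
    sub eax,edi                              ; region size = end of last block - region start
    ret
ErgodRegionBlk endp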
end start