unit MainPD;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls, ComCtrls;
type
TForm1 = class(TForm)
  { Main form of the process/module/section viewer.  Three list views are
    filled by the event handlers below:
      PLV - one row per running process (PID caption, base-module name,
            SizeOfImage / EntryPoint / lpBaseOfDll of its first module);
      MLV - modules of the process selected in PLV;
      SLV - sections of that process's first module.
    The *Lbl labels show IMAGE_NT_HEADERS.OptionalHeader fields read from
    the selected process's memory. }
  Button1: TButton;            // refreshes the process list (Button1Click)
  PLV: TListView;              // processes
  MLV: TListView;              // modules of the selected process
  Button2: TButton;
  Label1: TLabel;
  Label2: TLabel;
  SLV: TListView;              // sections of the selected process's first module
  Label3: TLabel;
  PB: TProgressBar;
  SaveDlg: TSaveDialog;
  Label4: TLabel;
  boclbl: TLabel;              // OptionalHeader.BaseOfCode
  Button3: TButton;
  Label5: TLabel;
  socLbl: TLabel;              // OptionalHeader.SizeOfCode
  Button4: TButton;
  Label6: TLabel;
  bodLbl: TLabel;              // OptionalHeader.BaseOfData
  Label8: TLabel;
  soidLbl: TLabel;             // OptionalHeader.SizeOfInitializedData
  Label10: TLabel;
  soudLbl: TLabel;             // OptionalHeader.SizeOfUninitializedData
  Label7: TLabel;
  soiLbl: TLabel;              // OptionalHeader.SizeOfImage
  Label11: TLabel;
  sohLbl: TLabel;              // OptionalHeader.SizeOfHeaders
  Label9: TLabel;
  itrLbl: TLabel;              // DataDirectory[1] (import) VirtualAddress
  Label13: TLabel;
  itsLbl: TLabel;              // DataDirectory[1] (import) Size
  Label15: TLabel;
  rtrLbl: TLabel;              // DataDirectory[2] (resource) VirtualAddress
  Label17: TLabel;
  rtsLbl: TLabel;              // DataDirectory[2] (resource) Size
  saLbl: TLabel;               // OptionalHeader.SectionAlignment
  Label21: TLabel;
  etrLbl: TLabel;              // DataDirectory[0] (export) VirtualAddress
  Label23: TLabel;
  etsLbl: TLabel;              // DataDirectory[0] (export) Size
  Label12: TLabel;
  ttrLbl: TLabel;              // DataDirectory[9] (TLS) VirtualAddress
  Label16: TLabel;
  ttsLbl: TLabel;              // DataDirectory[9] (TLS) Size
  Button5: TButton;
  Button6: TButton;
  procedure Button1Click(Sender: TObject);
  // Fired when the PLV selection changes; repopulates MLV, SLV and the labels.
  procedure PLVChange(Sender: TObject; Item: TListItem;
    Change: TItemChange);
  procedure Button2Click(Sender: TObject);
  procedure MLVClick(Sender: TObject);
  procedure Button3Click(Sender: TObject);
  procedure Button4Click(Sender: TObject);
  procedure Button5Click(Sender: TObject);
  procedure Button6Click(Sender: TObject);
private
  { Private declarations }
public
  { Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.DFM}
uses DeDeMemDumps, DeDeClasses;
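procedure TForm1.Button1Click(Sender: TObject);
{ Refreshes PLV with one row per running process: the PID as caption, then
  the base name, SizeOfImage, EntryPoint and lpBaseOfDll of the first
  enumerated module (the main image), each as 8-digit hex.  Processes that
  cannot be opened, whose modules cannot be enumerated, or whose base name
  cannot be read are skipped.  Every opened handle is closed. }
const
  MAX_ENTRIES = 256;
var
  ProcessArr, ModuleArr: array of Cardinal;
  cbReturned, cbNeeded, nameLen: Cardinal;
  count, i: Integer;
  hProcess: THandle;
  s: string;
  inst: TListItem;
  mi: MODULEINFO;
begin
  SetLength(ProcessArr, MAX_ENTRIES);
  SetLength(ModuleArr, MAX_ENTRIES);
  // EnumProcesses takes and returns BYTE counts, not element counts: the
  // old code passed 256 (only 64 PIDs) and then looped 0..sz over elements,
  // running past the array.
  cbReturned := 0;
  EnumProcesses(ProcessArr[0], MAX_ENTRIES * SizeOf(Cardinal), cbReturned);
  count := cbReturned div SizeOf(Cardinal);
  if count > MAX_ENTRIES then
    count := MAX_ENTRIES;  // defensive: the API never returns more than cb
  PLV.Items.BeginUpdate;
  try
    PLV.Items.Clear;
    for i := 0 to count - 1 do
    begin
      if ProcessArr[i] = 0 then Continue;
      // Least privilege: enumerating modules and reading their names needs
      // only query + VM-read rights.  PROCESS_ALL_ACCESS is denied for more
      // processes and gains nothing here.
      hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
        False, ProcessArr[i]);
      if hProcess = 0 then Continue;
      try
        cbNeeded := 0;
        if not EnumProcessModules(hProcess, ModuleArr[0],
            MAX_ENTRIES * SizeOf(Cardinal), cbNeeded) then
          Continue;
        SetLength(s, MAX_PATH);
        nameLen := GetModuleBaseNameA(hProcess, ModuleArr[0], @s[1], MAX_PATH);
        SetLength(s, nameLen);
        if s = '' then Continue;
        // cb must be the size of the MODULEINFO record; the old code passed
        // the name length, so the call failed for short names and mi held
        // whatever was on the stack.  Zero first so a failure shows as 0.
        FillChar(mi, SizeOf(mi), 0);
        GetModuleInformation(hProcess, ModuleArr[0], mi, SizeOf(mi));
        inst := PLV.Items.Add;
        inst.Caption := IntToStr(ProcessArr[i]);
        inst.SubItems.Add(s);
        inst.SubItems.Add(IntToHex(mi.SizeOfImage, 8));
        inst.SubItems.Add(IntToHex(LongInt(mi.EntryPoint), 8));
        inst.SubItems.Add(IntToHex(LongInt(mi.lpBaseOfDll), 8));
      finally
        CloseHandle(hProcess);  // also runs on Continue, so no handle leak
      end;
    end;
  finally
    PLV.Items.EndUpdate;
  end;
end;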
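procedure TForm1.PLVChange(Sender: TObject; Item: TListItem;
  Change: TItemChange);
{ Reacts to a new selection in PLV: lists the selected process's modules in
  MLV, the sections of its first module in SLV, and copies selected
  IMAGE_NT_HEADERS.OptionalHeader fields - read from the live process
  image - into the labels.  If the process cannot be opened or read, the
  labels are left untouched.  The process handle is closed on every path
  (the old code leaked it on each early Exit). }
const
  MAX_MODULES = 256;
var
  ModuleArr: array of Cardinal;
  cbNeeded, nameLen, bytesRead, SectionCount: Cardinal;
  count, i: Integer;
  hProcess: THandle;
  s: string;
  inst: TListItem;
  mi: MODULEINFO;
  buff: TSectionArray;
  peHdrOffset: DWORD;
  ntHdr: IMAGE_NT_HEADERS;
begin
  if PLV.Selected = nil then Exit;
  hProcess := 0;
  MLV.Items.BeginUpdate;
  SLV.Items.BeginUpdate;
  try
    try
      MLV.Items.Clear;
      // Least privilege: EnumProcessModules, GetModuleBaseName and
      // ReadProcessMemory need only query + VM-read rights.
      hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
        False, StrToInt(PLV.Selected.Caption));
      if hProcess = 0 then Exit;
      SetLength(ModuleArr, MAX_MODULES);
      // cb and cbNeeded are BYTE counts; cbNeeded may exceed cb when the
      // buffer is too small, so clamp the element count to the array.
      cbNeeded := 0;
      if not EnumProcessModules(hProcess, ModuleArr[0],
          MAX_MODULES * SizeOf(Cardinal), cbNeeded) then
        Exit;
      count := cbNeeded div SizeOf(Cardinal);
      if count > MAX_MODULES then
        count := MAX_MODULES;
      for i := 0 to count - 1 do
      begin
        if ModuleArr[i] = 0 then Continue;
        inst := MLV.Items.Add;
        inst.Caption := IntToHex(ModuleArr[i], 8);
        // cb is the record size; zero first so a failed call shows as 0.
        FillChar(mi, SizeOf(mi), 0);
        GetModuleInformation(hProcess, ModuleArr[i], mi, SizeOf(mi));
        SetLength(s, MAX_PATH);
        nameLen := GetModuleBaseNameA(hProcess, ModuleArr[i], @s[1], MAX_PATH);
        SetLength(s, nameLen);
        inst.SubItems.Add(s);
        inst.SubItems.Add(IntToHex(mi.SizeOfImage, 8));
        inst.SubItems.Add(IntToHex(LongInt(mi.lpBaseOfDll), 8));
        inst.SubItems.Add(IntToHex(LongInt(mi.EntryPoint), 8));
      end;
      // Sections of the first module (the main image).  buff is indexed
      // 1..SectionCount as EnumSections fills it.
      FillChar(mi, SizeOf(mi), 0);
      GetModuleInformation(hProcess, ModuleArr[0], mi, SizeOf(mi));
      EnumSections(hProcess, mi.lpBaseOfDll, buff, SectionCount);
      SLV.Items.Clear;
      for i := 1 to Integer(SectionCount) do
      begin
        inst := SLV.Items.Add;
        inst.Caption := StrPas(@buff[i].Name[0]);
        inst.SubItems.Add(IntToHex(buff[i].VirtualAddress, 8));
        inst.SubItems.Add(IntToHex(buff[i].Misc.VirtualSize, 8));
        inst.SubItems.Add(IntToHex(buff[i].Misc.PhysicalAddress, 8));
        inst.SubItems.Add(IntToHex(buff[i].PointerToRawData, 8));
        inst.SubItems.Add(IntToHex(buff[i].SizeOfRawData, 8));
      end;
    finally
      MLV.Items.EndUpdate;
      SLV.Items.EndUpdate;
    end;
    // e_lfanew: offset of the PE header, read from the remote DOS header.
    if not ReadProcessMemory(hProcess,
        Pointer(LongInt(mi.lpBaseOfDll) + $3C),
        @peHdrOffset, SizeOf(peHdrOffset), bytesRead) then Exit;
    // Read the whole IMAGE_NT_HEADERS at that offset.
    if not ReadProcessMemory(hProcess,
        Pointer(LongInt(mi.lpBaseOfDll) + peHdrOffset),
        @ntHdr, SizeOf(ntHdr), bytesRead) then Exit;
    // Offset and header both come from another process's memory and are
    // untrusted: require the "PE\0\0" signature before showing any field.
    if ntHdr.Signature <> IMAGE_NT_SIGNATURE then Exit;
    boclbl.Caption := IntToHex(ntHdr.OptionalHeader.BaseOfCode, 8);
    soclbl.Caption := IntToHex(ntHdr.OptionalHeader.SizeOfCode, 8);
    bodlbl.Caption := IntToHex(ntHdr.OptionalHeader.BaseOfData, 8);
    soidlbl.Caption := IntToHex(ntHdr.OptionalHeader.SizeOfInitializedData, 8);
    soudlbl.Caption := IntToHex(ntHdr.OptionalHeader.SizeOfUninitializedData, 8);
    soiLbl.Caption := IntToHex(ntHdr.OptionalHeader.SizeOfImage, 8);
    sohlbl.Caption := IntToHex(ntHdr.OptionalHeader.SizeOfHeaders, 8);
    salbl.Caption := IntToHex(ntHdr.OptionalHeader.SectionAlignment, 8);
    // DataDirectory[0]: export table
    etrlbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[0].VirtualAddress, 8);
    etslbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[0].Size, 8);
    // DataDirectory[1]: import table
    itrlbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[1].VirtualAddress, 8);
    itslbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[1].Size, 8);
    // DataDirectory[2]: resource table
    rtrlbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[2].VirtualAddress, 8);
    rtslbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[2].Size, 8);
    // DataDirectory[9]: TLS table (IMAGE_DIRECTORY_ENTRY_TLS).  The old
    // comment said "Fixup Data", but base relocations are index 5.
    ttrlbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[9].VirtualAddress, 8);
    ttslbl.Caption := IntToHex(ntHdr.OptionalHeader.DataDirectory[9].Size, 8);
  finally
    if hProcess <> 0 then
      CloseHandle(hProcess);
  end;
end;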
procedure TForm1.Button2Click(Sender: TObject);
Var MemStr : TMemoryStream;
ProcessArr, ModuleArr : Array of Cardinal;
sz,sz1,sz2,i, iSection, SectionCount, CurrSecPos, CurrSecSize : Cardinal;
hProcess : THandle;
s : String;
inst : TListItem;
mi : MODULEINFO;
buff : TSectionArray;
b : array [0..255] of Byte;
sections : Array of TPEObject;
dw, PE_HED_SIZE, PE_HED_OFFS, FIRST_SECTION : DWORD;
OBJ_NUM : WORD;
ntHdr : IMAGE_NT_HEADERS;
bt : Byte;