;@GOTO TRANSLATE
.586P
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE
INCLUDE WINDOWS.inc
UNICODE = FALSE
INCLUDE APIMACRO.mac
INCLUDE ApiHooks.inc
INCLUDELIB iKERNEL32.lib
INCLUDELIB iCRTDLL.lib
INCLUDELIB iMSVCRT.lib
HFILE_ERROR EQU -1 ;failure value of the _lopen/_lread family used in DumpIt
; Uninitialised data. Under Hard9x it goes into the default .DATA? segment,
; otherwise into a segment explicitly named 'BSS'.
IFDEF Hard9x
.DATA?
ELSE
bss SEGMENT 'BSS'
ENDIF
IFDEF Hard9x
MyPID DWORD ? ;PID of the process that owns the hooks; 0 until DllMain's first ATTACH
ENDIF
Buffer DWORD 4096/4 DUP (?) ;4 KiB scratch area: DumpIt reads the head of the module file into it
ModName ACHAR MAX_PATH+2 DUP (?) ;module path filled by GetModuleFileNameA in DumpIt (ACHAR comes from the includes; UNICODE = FALSE)
IFNDEF Hard9x
bss ENDS
ENDIF
.CODE kernel32
IFDEF Hard9x
;-----------------------------------------------------------------------
; BOOL DllMain(HINSTANCE hInst, DWORD fdwReason, LPVOID lpReserved)
; Hard9x build only. No frame is set up, so the arguments are read
; straight off the stack: [ESP+8] = fdwReason.
; ATTACH: the first attaching process is recorded in MyPID; any later
;         attach (a second process) is refused with FALSE.
; DETACH: if the detaching process is the recorded one, every hooked API
;         is restored from the Unhook* tables via UnhookApi.
; All other cases return TRUE. RET 12 pops the three STDCALL arguments.
;-----------------------------------------------------------------------
DllMain PROC
iWin32 GetCurrentProcessId ;EAX = caller PID; still needed on the DETACH path below
CMP DWORD PTR [ESP+8] ,DLL_PROCESS_ATTACH
JNE @F
CMP MyPID, 0
JE GoOn
MOV EAX, FALSE ;fail if another process tries to load me
RET 12
GoOn:
MOV MyPID, EAX ;first attach: remember the owning PID
JMP Return
@@:
CMP DWORD PTR [ESP+8] ,DLL_PROCESS_DETACH
JNE Return
CMP EAX, MyPID ;only the owning process unhooks
JNE Return
; NOTE(review): MyPID is not reset on detach, so a later attach from a
; different process keeps failing — confirm this is intended.
sWin32 UnhookApi, OFFSET UnhookGetVersion
sWin32 UnhookApi, OFFSET UnhookGetCommandLineA
sWin32 UnhookApi, OFFSET UnhookGetStartupInfoA
sWin32 UnhookApi, OFFSET Unhook__GetMainArgs
sWin32 UnhookApi, OFFSET Unhook_open_osfhandle
sWin32 UnhookApi, OFFSET Unhook__set_app_type
sWin32 UnhookApi, OFFSET UnhookGetStdHandle
sWin32 UnhookApi, OFFSET UnhookExitProcess
sWin32 UnhookApi, OFFSET UnhookLoadLibraryA
sWin32 UnhookApi, OFFSET UnhookVirtualQuery
Return:
MOV EAX, TRUE
RET 12
DllMain ENDP
;-----------------------------------------------------------------------
; void UnhookApi(UNHOOK_API *UnhStruc)      STDCALL; EBX/ESI/EDI preserved
; Walks the entries of UnhStruc->WhereWhat backwards from CurNoAddr-1
; down to 0. For every entry whose ReturnWhere lies at or above 80000000H
; the 4 bytes there are made PAGE_READWRITE, the saved DWORD ReturnWhat is
; written back, and the previous protection is restored. Entries below
; 80000000H, and entries whose VirtualProtect fails, are left untouched.
; No return value.
; NOTE(review): the parameter is typed PTR UNHOOK_API but ESI is ASSUMEd
; as PTR API_UNHOOK — confirm both names exist in ApiHooks.inc.
;-----------------------------------------------------------------------
UnhookApi PROC USES EBX ESI EDI, UnhStruc: PTR UNHOOK_API
MOV ESI, UnhStruc
ASSUME ESI :PTR API_UNHOOK
MOV EBX, [ESI].CurNoAddr ;EBX = entry count; decremented to -1 by the loop
@@:
DEC EBX
JL UnhookFin ;signed: leaves once EBX drops below 0
MOV EDI, [ESI].WhereWhat
MOV EDI, (ADDR_CONTENTS PTR [EDI][EBX*SIZEOF ADDR_CONTENTS]).ReturnWhere ;EDI = patched address (scaled index requires SIZEOF ADDR_CONTENTS to be 1/2/4/8)
CMP EDI, 80000000H ;only kernel space matters
JB @B
PUSH EAX ;stack slot receives the old protection; ESP is passed as lpflOldProtect
iWin32 VirtualProtect, EDI, 4, PAGE_READWRITE, ESP
TEST EAX, EAX
POP EDX ;EDX = old protection (POP leaves flags from TEST intact)
JE UnhookNext ;could not unprotect: skip this entry
MOV EAX, [ESI].WhereWhat
MOV EAX, (ADDR_CONTENTS PTR [EAX][EBX*SIZEOF ADDR_CONTENTS]).ReturnWhat
MOV [EDI], EAX ;write the saved original DWORD back
PUSH EAX ;scratch slot for the (ignored) old protection
iWin32 VirtualProtect, EDI, 4, EDX, ESP ;restore the previous protection
POP EAX
UnhookNext:
JMP @B
UnhookFin:
RET
ASSUME ESI: NOTHING
UnhookApi ENDP
ELSE
DllMain TEXTEQU < >
ENDIF
;------------------------------------------------------------------
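;-----------------------------------------------------------------------
; DWORD NewGetVersion(void)             hook placed in front of GetVersion
; Microsoft C start-up code calls GetVersion, so the return address on the
; stack points into the caller's CRT. The bytes at ReturnAddr+DLLstart are
; compared with DLLbytes and, failing that, the bytes at ReturnAddr+EXEstart
; with EXEbytes; on a match DumpIt is called with a pointer inside the
; matched code. Control always ends in the real GetVersion (iWin32j), so
; EAX and flags are whatever it returns. EBX/ESI/EDI are saved around the
; check. Under Hard9x only the process recorded in MyPID is inspected.
; NOTE(review): the readability check covers Shift bytes from DLLstart
; only; confirm that window also contains EXEstart..EXEstart+LEXEbytes.
;-----------------------------------------------------------------------
NewGetVersion PROC ;for Microsoft C compilers
PUSHp EBX, ESI, EDI ;three pushes: the caller's return address is now at [ESP+12]
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP+12]
MOV EBX, EIP ;EBX = return address into the caller
LEA ESI, [EBX+DLLstart]
iWin32 IsBadReadPtr, ESI, Shift ;EAX != 0 when Shift bytes at ESI are not readable
TEST EAX, EAX ;the result is only in EAX; flags after the call are not defined (harmless if the macro already tests)
JNE Return
;compare DLL bytes
MOV EDI, OFFSET DLLbytes
MOV ECX, LDLLbytes
REPE CMPSB ;DF is clear on Win32 entry, so ESI/EDI advance; ZF=1 when all bytes matched
JE @F
LEA ESI, [EBX+EXEstart]
MOV EDI, OFFSET EXEbytes
MOV ECX, LEXEbytes
REPE CMPSB
JNE Return
@@:
sWin32 DumpIt, ESI ;ESI points just past the matched bytes; DumpIt rounds it down to the page
Return:
POPc EBX, ESI, EDI
iWin32j GetVersion ;tail-jump to the real GetVersion
NewGetVersion ENDP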
;-----------------------------------------------------
;-----------------------------------------------------------------------
; LPSTR NewGetCommandLineA(void)          hook placed in front of GetCommandLineA
; Hands the caller's return address ([ESP]) to DumpIt, then tail-jumps to
; the real GetCommandLineA, whose result reaches the caller unchanged.
; Unlike NewGetVersion no byte signature is checked first; the earlier
; signature-based variant is kept below as commented-out history.
; Under Hard9x only the process recorded in MyPID is dumped.
;-----------------------------------------------------------------------
NewGetCommandLineA PROC ;was for old Microsoft C compilers, is for all
; PUSHp EBX, ESI, EDI
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
; --- former signature check, superseded by the unconditional dump below ---
; EIP EQU [ESP+12]
; MOV EBX, EIP
; LEA ESI, [EBX+DLLstart]
; iWin32 IsBadReadPtr, ESI, Shift
; JNE Return
; LEA ESI, [EBX+EXEstart]
; MOV EDI, OFFSET EXEbytes
; MOV ECX, LEXEbytes
; REPE CMPSB
; JNE Return
EIP EQU [ESP] ;nothing pushed here, so the return address is at [ESP] (EIP is a text equate, redefined per hook)
sWin32 DumpIt, EIP ;ESI
Return:
; POPc EBX, ESI, EDI
iWin32j GetCommandLineA ;tail-jump to the real API
NewGetCommandLineA ENDP
;-----------------------------------------------------
;-----------------------------------------------------------------------
; void NewGetStartupInfoA(LPSTARTUPINFOA) hook placed in front of GetStartupInfoA
; Hands the caller's return address ([ESP]) to DumpIt, then tail-jumps to
; the real GetStartupInfoA with the caller's argument still on the stack.
; Under Hard9x only the process recorded in MyPID is dumped.
;-----------------------------------------------------------------------
NewGetStartupInfoA PROC ;for old Microsoft C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP] ;return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j GetStartupInfoA ;tail-jump to the real API
NewGetStartupInfoA ENDP
;-----------------------------------------------------------------------
; void NewExitProcess(UINT uExitCode)     hook placed in front of ExitProcess
; Last chance to capture the image: the caller's return address ([ESP]) is
; handed to DumpIt, then control tail-jumps to the real ExitProcess.
; Under NTonly a hand-encoded prologue (push ebp / mov ebp,esp / push -1
; as imm8 / push -1 as imm32 twice / push eax) is emitted and immediately
; undone by LEAVE, so ESP, EBP and EAX are as on entry; presumably the raw
; BYTEs are used so the 5-byte PUSH imm32 forms are not shortened.
; Under Hard9x only the process recorded in MyPID is dumped.
;-----------------------------------------------------------------------
NewExitProcess PROC ;always drop something
IFDEF NTonly ;to make one packer happy
BYTE 55H ;push ebp
BYTE 8BH, 0ECH ;mov ebp, esp
BYTE 6AH, 0FFH ;push -1 (imm8)
BYTE 68H, 0FFH,0FFH,0FFH,0FFH ;push 0FFFFFFFFh (imm32)
BYTE 68H, 0FFH,0FFH,0FFH,0FFH ;push 0FFFFFFFFh (imm32)
BYTE 50H ;push eax
LEAVE ;mov esp, ebp / pop ebp: discards the pushes above
ENDIF
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP] ;return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j ExitProcess ;tail-jump to the real API; does not return
NewExitProcess ENDP
;-----------------------------------------------------
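;-----------------------------------------------------------------------
; HMODULE NewLoadLibraryA(LPCSTR lpLibFileName)   hook placed in front of LoadLibraryA
; If the module is already mapped (GetModuleHandleA != 0) the call is
; forwarded to the real LoadLibraryA. Otherwise the real LoadLibraryA is
; called here; on success the new module is passed to DumpIt and its
; handle is returned in EAX, on failure 0 is returned.
; Under Hard9x a call from any process other than MyPID is forwarded to
; the real LoadLibraryA untouched, like the other hooks do. (Previously it
; fell through to RET 4 and returned the caller's PID as the handle.)
; STDCALL: RET 4 pops the single argument on the paths that return here.
;-----------------------------------------------------------------------
NewLoadLibraryA PROC
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE PassThru ;foreign process: still needs a real LoadLibraryA, not RET 4 with EAX = PID
ENDIF
iWin32 GetModuleHandleA, [ESP+4] ;lpLibFileName (assumes the macro pushes this single operand directly)
TEST EAX, EAX
JE @F ;not mapped yet: load it ourselves so the fresh image can be dumped
PassThru:
iWin32j LoadLibraryA ;tail-jump; the real API returns straight to the caller
@@:
iWin32 LoadLibraryA, [ESP+4]
TEST EAX, EAX
JE Return ;load failed: return 0
PUSH EAX ;keep the handle across DumpIt
sWin32 DumpIt, EAX
POP EAX
Return:
RET 4
NewLoadLibraryA ENDP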
;-----------------------------------------------------
DumpIt PROC USES EBX ESI EDI, FromWhere
LOCAL Written : DWORD
MOV ESI, FromWhere
AND ESI, NOT 0FFFH
IFNDEF NTonly
CMP ESI, 80000000H
JAE DRet
ENDIF
MOV EBX, 1000H
MOV EDI, OFFSET ModName
JMP @F
IsHeader:
SUB ESI, EBX
@@:
PUSH EAX
iWin32 VirtualProtect, ESI, EBX, PAGE_READWRITE, ESP
TEST EAX, EAX
POP EDX
JE DRet
PUSH ECX
iWin32 VirtualProtect, ESI, EBX, EDX, ESP
POP EAX
iWin32 GetModuleFileNameA, ESI, EDI, MAX_PATH
TEST EAX, EAX
JE IsHeader
iWin32 _lopen, EDI, OF_READ
CMP EAX, HFILE_ERROR
JE DRet
MOV Written, EAX
iWin32 _lread, EAX, OFFSET Buffer, SIZEOF Buffer
PUSH EAX
iWin32 _lclose, Written
POP EAX
CMP EAX, HFILE_ERROR
JE DRet
MOV EBX, Buffer[3CH]
MOV EBX, Buffer[EBX+50H]
ADD EBX, (1000H -1)
AND EBX, NOT (1000H -1)
ToMem:
MOV ECX, EDI
NChar: