MOV AL, [EDI]
TEST AL, AL
JE @F
INC EDI
CMP AL, "\"
JE ToMem
JMP NChar
@@:
MOV BYTE PTR [EDI-5], '_'
iWin32 CreateFileA, ECX, GENERIC_WRITE, FILE_SHARE_READ,\
NULL, CREATE_NEW, NULL, NULL
CMP EAX, INVALID_HANDLE_VALUE
JE DRet
MOV Written, EAX
@@:
PUSH EAX
iWin32 VirtualProtect, ESI, 1000H, PAGE_READWRITE, ESP
TEST EAX, EAX
POP EDI
JE @F
iWin32 _lwrite, Written, ESI, 1000H
PUSH EAX
PUSH EAX
iWin32 VirtualProtect, ESI, 1000H, EDI, ESP
POP EAX
POP EAX
CMP EAX, HFILE_ERROR
JE @F
ADD ESI, 1000H
SUB EBX, 1000H ;EAX
JG @B
@@:
iWin32 _lclose, Written
DRet:
RET
DumpIt ENDP
;Microsoft (Visual) C code patterns before GetVersion (and GetCommandLineA)
;The byte strings below are the machine code that Microsoft C start-up
;code emits shortly before its first GetVersion / GetCommandLineA call.
;The hooks in this file are entered from that start-up code; DLLstart and
;EXEstart are presumably the (negative) offsets from the hooked call's
;return address back to where each pattern should begin, and DumpIt (whose
;head is above this chunk) is the likely consumer — confirm there.
;DLL start-up pattern decodes to:
;   mov eax,[esp+8] / cmp eax,1 / jne rel32
;   (presumably the fdwReason == DLL_PROCESS_ATTACH test of a DllMain)
DLLstart = -19
DLLbytes BYTE 8BH,44H,24H,08H,83H,0F8H,01H,0FH,85H
LDLLbytes = $-DLLbytes          ; pattern length in bytes (9)
;EXE start-up pattern decodes to:
;   push ebx / push esi / push edi / mov [ebp-18h],esp / call dword ptr [...]
EXEstart = -12
EXEbytes BYTE 53H,56H,57H,89H,65H,0E8H,0FFH,15H
LEXEbytes = $-EXEbytes          ; pattern length in bytes (8)
;Shift: its use is not visible in this chunk; the MkUnhook entries in .DATA
;pass 19 for most APIs, which may be the same quantity — confirm.
Shift = 19
;------------------------------------------------------------------
IFDEF Soft9x
;-----------------------------------------------------------------------
; FARPROC WINAPI NewGetProcAddress(HMODULE hLibrary, LPCSTR lpszProc)
; Replacement for kernel32!GetProcAddress (Soft9x builds only).
; If hLibrary is the KERNEL32, CRTDLL or MSVCRT module handle and lpszProc
; names one of the APIs hooked below, EAX is set to the matching New*
; replacement.  Any other request is forwarded: the frame is unwound by
; hand and control JUMPS to the real GetProcAddress, which then returns
; straight to our caller with the stdcall arguments still on the stack.
; In:    hLibrary, lpszProc (MASM builds the frame; ESI/EDI are USES-saved)
; Out:   EAX = New* address, or whatever the real GetProcAddress returns
; Regs:  ESI = GetModuleHandleA, EDI = lstrcmpA for the sWin32 calls
;        (iMOV presumably loads the import's address — verify the macro)
; Clobb: EAX, ECX, EDX, flags, plus whatever the forwarded API clobbers
; NOTE(review): lpszProc may be an ordinal (HIWORD == 0); it is handed to
; lstrcmpA without that being filtered out — confirm how that behaves.
;-----------------------------------------------------------------------
NewGetProcAddress PROC USES ESI EDI ,hLibrary, lpszProc
IFDEF Hard9x
; System-wide hook: only act inside our own process.  Per the build script
; at the end of the file Soft9x and Hard9x are never defined together, so
; this check is not assembled in any of the three builds.
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
iMOV ESI, GetModuleHandleA
iMOV EDI, lstrcmpA
; CmpApi NAME: lstrcmpA(lpszProc, sNAME); on a match (EAX == 0) return
; New&NAME.  The sNAME strings are the TEXTA entries in .DATA.  Declared
; inside the PROC, but MASM macros are global.
CmpApi MACRO __ApiNomen
sWin32 EDI, lpszProc, s&__ApiNomen
TEST EAX, EAX
JNE @F
MOV EAX, New&__ApiNomen
JMP RetMe                            ; the RET at RetMe carries the full epilogue
@@:
ENDM
sWin32 ESI, sKERNEL32                ; EAX = GetModuleHandleA("KERNEL32.dll")
CMP EAX, hLibrary
JNE CheckCRTDLL
CmpApi GetVersion
CmpApi GetCommandLineA
CmpApi GetStartupInfoA
CmpApi GetStdHandle
CmpApi ExitProcess
CmpApi LoadLibraryA
CmpApi VirtualQuery
CmpApi GetProcAddress                ; a program resolving GetProcAddress dynamically gets this hook too
CheckCRTDLL:
sWin32 ESI, sCRTDLL                  ; EAX = GetModuleHandleA("CRTDLL.dll")
CMP EAX, hLibrary
JNE CheckMSVCRT
CmpApi __GetMainArgs
CmpApi __set_app_type
CheckMSVCRT:
sWin32 ESI, sMSVCRT                  ; EAX = GetModuleHandleA("MSVCRT.dll")
CMP EAX, hLibrary
JNE CheckDone
CmpApi _open_osfhandle
CheckDone:
Return:
; Pass-through.  Because we jump rather than return, MASM's automatic
; epilogue is not emitted here, so restore the USES registers (POPc
; presumably pops in reverse order: EDI, then ESI) and drop the frame by hand.
POPc ESI, EDI
LEAVE
iWin32j GetProcAddress               ; tail jump: real API returns to our caller
RetMe:
RET                                  ; MASM expands this to the USES pops, LEAVE and the stdcall RET
NewGetProcAddress ENDP
ENDIF
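;-----------------------------------------------------------------------
; SIZE_T WINAPI NewVirtualQuery(LPCVOID lpvAddress,
;                               PMEMORY_BASIC_INFORMATION pmbiBuffer,
;                               SIZE_T cbLength)
; Replacement for kernel32!VirtualQuery.  An address that falls inside one
; of this DLL's own code segments (kernel32, crtdll, msvcrt appear to be
; the segment names from the .CODE directives in this file) is replaced by
; the address of a genuine import from the corresponding module before the
; real VirtualQuery is called, so the answer describes that module's region
; rather than this DLL's — presumably so the hook segments do not stand
; out; confirm against the code that relies on it.  Any other address is
; queried unchanged.
; In:    stdcall args (MASM builds the frame)
; Out:   EAX = whatever the real VirtualQuery returns; *pmbiBuffer filled
; Clobb: EAX, ECX, EDX, flags
; Fix:   in Hard9x builds the foreign-process path (JNE Return) used to
;        reach the VirtualQuery call with ECX never assigned, because
;        Return sat after MOV ECX, lpvAddress.  Return now lands on that
;        MOV, so foreign processes query the address they asked for.
;-----------------------------------------------------------------------
NewVirtualQuery PROC lpvAddress, pmbiBuffer, cbLength
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return                         ; not our process: query lpvAddress as given
ENDIF
; Range checks walk upward.  The MOV/iMOV placed between each CMP and its
; JB must not touch flags: MOV does not, and iMOV is assumed to expand to
; a plain MOV of the import's address — verify the macro.
MOV EAX, lpvAddress
CMP EAX, OFFSET kernel32 - 13F0H   ; below the kernel32 segment (the 13F0h margin's origin is not visible here)
MOV ECX, lpvAddress
JB DoQuery
CMP EAX, OFFSET crtdll             ; [kernel32-13F0h, crtdll): answer for the real KERNEL32
iMOV ECX, ExitProcess
JB DoQuery
CMP EAX, OFFSET msvcrt             ; [crtdll, msvcrt): answer for the real CRTDLL
iMOV ECX, __GetMainArgs
JB DoQuery
CMP EAX, OFFSET msvcrt + 1000H     ; [msvcrt, msvcrt+1000h): answer for the real MSVCRT
iMOV ECX, __set_app_type
JB DoQuery
Return:
MOV ECX, lpvAddress                ; above every hook segment, or a foreign process: unchanged
DoQuery:
iWin32 VirtualQuery, ECX, pmbiBuffer, cbLength
RET
NewVirtualQuery ENDP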
;------------------------------------------------------------------
.code crtdll
;-----------------------------------------------------------------------
; New__GetMainArgs: front end for CRTDLL!__GetMainArgs ("newer" C runtimes).
; Placed in the segment named crtdll (the range NewVirtualQuery maps to
; the real CRTDLL).
; No PROC arguments, so MASM emits no prologue: on entry [ESP] is the
; return address into the hooked program's CRT start-up code.  That
; address is passed to DumpIt (head above this chunk; it writes memory
; to a file created with CreateFileA), then control tail-jumps to the real
; __GetMainArgs with the caller's stack untouched, so the program carries
; on as if it had called the API directly.
; Clobb: whatever DumpIt and the forwarded API clobber.
;-----------------------------------------------------------------------
New__GetMainArgs PROC ;for newer C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId          ; system-wide hook: act only in our own process
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                       ; text equate for the return address (same text in every hook)
sWin32 DumpIt, EIP                  ; DumpIt(return address)
Return:
iWin32j __GetMainArgs               ; jump, not call: the real API returns to the original caller
New__GetMainArgs ENDP
;-----------------------------------------------------
;-----------------------------------------------------------------------
; New_open_osfhandle: front end for CRTDLL!_open_osfhandle ("newer" C
; runtimes).  Same shape as New__GetMainArgs: no prologue is generated, so
; [ESP] is the return address into the hooked program's CRT code; it is
; handed to DumpIt (head above this chunk) and the call is then forwarded
; by a tail jump with the caller's stack untouched.
; Clobb: whatever DumpIt and the forwarded API clobber.
;-----------------------------------------------------------------------
New_open_osfhandle PROC ;for newer C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId          ; system-wide hook: act only in our own process
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                       ; return address of the hooked call
sWin32 DumpIt, EIP                  ; DumpIt(return address)
Return:
iWin32j _open_osfhandle             ; jump, not call: the real API returns to the original caller
New_open_osfhandle ENDP
;-----------------------------------------------------
.CODE msvcrt
;-----------------------------------------------------------------------
; New__set_app_type: front end for MSVCRT!__set_app_type ("newer" C
; runtimes).  Placed in the segment named msvcrt (the range
; NewVirtualQuery maps to the real MSVCRT).  No prologue is generated, so
; [ESP] is the return address into the hooked program's CRT code; it is
; handed to DumpIt (head above this chunk) and the call is then forwarded
; by a tail jump with the caller's stack untouched.
; Clobb: whatever DumpIt and the forwarded API clobber.
;-----------------------------------------------------------------------
New__set_app_type PROC ;for newer C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId          ; system-wide hook: act only in our own process
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                       ; return address of the hooked call
sWin32 DumpIt, EIP                  ; DumpIt(return address)
Return:
iWin32j __set_app_type              ; jump, not call: the real API returns to the original caller
New__set_app_type ENDP
.CODE kernel32
;-----------------------------------------------------------------------
; NewGetStdHandle: front end for KERNEL32!GetStdHandle, used as the trigger
; for console applications.  Placed in the segment named kernel32 (the
; range NewVirtualQuery maps to the real KERNEL32).  No prologue is
; generated, so [ESP] is the return address into the hooked program; it is
; handed to DumpIt (head above this chunk) and the call is then forwarded
; by a tail jump with the caller's stack untouched.
; Clobb: whatever DumpIt and the forwarded API clobber.
;-----------------------------------------------------------------------
NewGetStdHandle PROC ;for console applications
IFDEF Hard9x
iWin32 GetCurrentProcessId          ; system-wide hook: act only in our own process
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                       ; return address of the hooked call
sWin32 DumpIt, EIP                  ; DumpIt(return address)
Return:
iWin32j GetStdHandle                ; jump, not call: the real API returns to the original caller
NewGetStdHandle ENDP
;-----------------------------------------------------
.DATA
;-----------------------------------------------------------------------
; Hook table and strings.  HHH is the flag word given to every MkHook
; entry: HOOK_ALL, plus H_H in Hard9x builds (the flag semantics are
; defined by the hooking macros, not visible in this chunk).
;-----------------------------------------------------------------------
IFDEF Hard9x
HHH = HOOK_ALL+H_H
ELSE
HHH = HOOK_ALL
ENDIF
; Hard9x only: one MkUnhook entry per hooked API.  The second argument is
; 19 for most APIs, 21 for ExitProcess and 20 for LoadLibraryA; it matches
; the Shift constant above for the common case, but what it counts is not
; visible here — confirm against the MkUnhook definition.
IFDEF Hard9x
MkUnhook GetVersion, 19
MkUnhook GetCommandLineA,19
MkUnhook GetStartupInfoA,19
MkUnhook __GetMainArgs, 19
MkUnhook _open_osfhandle,19
MkUnhook __set_app_type, 19
MkUnhook GetStdHandle, 19
MkUnhook ExitProcess, 21
MkUnhook LoadLibraryA, 20
MkUnhook VirtualQuery, 19
ENDIF
; MkHook <?>, <module>, <api>, <flags>: the entries between BeginHooks and
; EndHooks are the APIs this DLL replaces with its New* procedures.  A blank
; module presumably means KERNEL32 (CRTDLL and MSVCRT are named explicitly).
; GetProcAddress is hooked only in Soft9x builds, matching the IFDEF around
; NewGetProcAddress.
BeginHooks Cdump
IFDEF Soft9x
MkHook , , GetProcAddress, HHH
ENDIF
MkHook , , GetVersion, HHH
MkHook , , GetCommandLineA, HHH
MkHook , , GetStartupInfoA, HHH
MkHook ,CRTDLL, __GetMainArgs, HHH
MkHook ,CRTDLL, _open_osfhandle, HHH
MkHook ,MSVCRT, __set_app_type, HHH
MkHook , , GetStdHandle, HHH
MkHook , , ExitProcess, HHH
MkHook , , LoadLibraryA, HHH
MkHook , , VirtualQuery, HHH
EndHooks
; TEXTA NAME, <text/0>: zero-terminated ANSI strings.  They are referenced
; as sNAME — sKERNEL32/sCRTDLL/sMSVCRT by the GetModuleHandleA calls and
; s&__ApiNomen by the CmpApi macro in NewGetProcAddress.
TEXTA KERNEL32, <KERNEL32.dll/0>
TEXTA CRTDLL, <CRTDLL.dll/0>
TEXTA MSVCRT, <MSVCRT.dll/0>
IFDEF Soft9x
TEXTA GetProcAddress, <GetProcAddress/0>
ENDIF
TEXTA GetVersion, <GetVersion/0>
TEXTA GetCommandLineA,<GetCommandLineA/0>
TEXTA GetStartupInfoA,<GetStartupInfoA/0>
TEXTA __GetMainArgs, <__GetMainArgs/0>
TEXTA __set_app_type, <__set_app_type/0>
TEXTA _open_osfhandle,<_open_osfhandle/0>
TEXTA GetStdHandle, <GetStdHandle/0>
TEXTA ExitProcess, <ExitProcess/0>
TEXTA LoadLibraryA, <LoadLibraryA/0>
TEXTA VirtualQuery, <VirtualQuery/0>
; END names DllMain (defined outside this chunk) as the entry point.  The
; NT and Soft9x links below pass /NOENTRY, so only the Hard9x DLL actually
; gets it.  MASM stops reading here; the batch commands that follow are
; never assembled.
END DllMain
:TRANSLATE
@ECHO OFF
REM Build script for the three flavours of this DLL.  This file is both the
REM MASM source and the batch file: ML is pointed at Cdump.bat itself, and
REM MASM stops at the END directive above, so these lines are never
REM assembled.  How execution reaches :TRANSLATE is not visible in this
REM chunk, presumably a GOTO near the top of the file.
REM Each flavour is selected by exactly one /D symbol: NTonly, Soft9x or
REM Hard9x.  All three export the DLL's single entry as ordinal 1 with no
REM name, use PESTUB.EXE as the DOS stub, and merge .rdata and .idata into
REM the segment named kernel32 (the segment NewVirtualQuery maps to the
REM real KERNEL32).  The /IGNORE lists silence linker warnings.
REM NT build: no DllMain (/NOENTRY), .data also merged into kernel32,
REM image based at 77770000h.
ML /c /coff /DNTonly /nologo Cdump.bat
LINK3 Cdump /OUT:CdumpNT.dll /MERGE:.data=kernel32 /IGNORE:4078,4060 /STUB:PESTUB.EXE /nologo /DLL /NOENTRY /EXPORT:Cdump,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=kernel32 /MERGE:.idata=kernel32 /BASE:0X77770000
REM Soft9x build: same layout as NT, different output name.
ML /c /coff /DSoft9x /nologo Cdump.bat
LINK3 Cdump /OUT:Cdump9xSoft.dll /MERGE:.data=kernel32 /IGNORE:4078,4060 /STUB:PESTUB.EXE /nologo /DLL /NOENTRY /EXPORT:Cdump,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=kernel32 /MERGE:.idata=kernel32 /BASE:0X77770000
REM Hard9x build: keeps its entry point (DllMain via END above), leaves
REM .data unmerged and marks .data and .bss shared (S) so they are the same
REM pages in every process (presumably how MyPID and the hook state are
REM seen system-wide), image based at BFA50000h.
ML /c /coff /DHard9x /nologo Cdump.bat
LINK3 Cdump /OUT:Cdump9xHard.dll /IGNORE:4078,4060,4086,4092 /STUB:PESTUB.EXE /nologo /DLL /EXPORT:Cdump,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=kernel32 /MERGE:.idata=kernel32 /SECTION:.data,S /SECTION:.bss,S /BASE:0XBFA50000
REM Remove intermediates; only the three DLLs are kept.
DEL Cdump.obj
DEL CdumpNT.exp
DEL CdumpNT.lib
DEL Cdump9xSoft.exp
DEL Cdump9xSoft.lib
DEL Cdump9xHard.exp
DEL Cdump9xHard.lib