;==============================================================================
;
; 作者:一块三毛钱          (author)
; 邮箱:zhongts@163.com      (email)
; 日期:2005.4.30            (date)
;
; 实现各种扩展命令
; Implements the debugger extension commands: zts_help, zts_pestruct and
; zts_string. MASM syntax, 32-bit x86. Every command proc takes the same five
; arguments (hCurrentProcess, hCurrentThread, dwCurrentPc, dwProcessor, args),
; where args points at the command's argument text; the calling convention
; comes from the .model set up in img.inc (not visible in this file).
;
;==============================================================================
include img.inc
include c:\masm32\include\w2k\hal.inc
includelib c:\masm32\lib\w2k\hal.lib
.const
szHelp db 13, 10
db "=============================", 13, 10
db " ZtsICE v0.0.1 by zhongts ", 13, 10
db " Email:zhongts@163.com ", 13, 10
db " Date: 2005.4.30 ", 13, 10
db "=============================", 13, 10, 13, 10
db "zts_help - show this help", 13, 10
db "zts_pestruct - show pe header struct", 13, 10
db " Ex: zts_pestruct 400000", 13, 10
db "zts_string - show all string in some address range", 13, 10
db " Ex: zts_string 402000 403000", 13, 10, 0
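; Size of one entry in szPeStruct: 27 characters (space padded) plus NUL.
; zts_pestruct walks this table with a fixed stride of 28 bytes, consuming
; one entry per printed field, so both the entry size and the entry order
; are part of the contract with that proc. An entry of the wrong size would
; silently shift every label that follows it.
ZTS_PE_LABEL_STRIDE equ 28

; Emit one table entry: the text, space padding up to 27 characters, NUL.
; Text longer than 27 characters makes the DUP count negative and fails
; assembly instead of corrupting the table.
ZTS_PELABEL macro text:REQ
    LOCAL base
base label byte
    db text
    db (ZTS_PE_LABEL_STRIDE - 1 - ($ - base)) dup (' ')
    db 0
endm

szPeStruct label byte
    ; IMAGE_NT_HEADERS.Signature, then the IMAGE_FILE_HEADER heading + fields
    ZTS_PELABEL <"Signature">
    ZTS_PELABEL <"FileHeader Value">
    ZTS_PELABEL <"Machine">
    ZTS_PELABEL <"NumberOfSections">
    ZTS_PELABEL <"TimeDateStamp">
    ZTS_PELABEL <"PointerToSymbolTable">
    ZTS_PELABEL <"NumberOfSymbols">
    ZTS_PELABEL <"SizeOfOptionalHeader">
    ZTS_PELABEL <"Characteristics">
    ; IMAGE_OPTIONAL_HEADER heading + fields
    ZTS_PELABEL <"OptionalHeader Value">
    ZTS_PELABEL <"Magic">
    ZTS_PELABEL <"MajorLinkerVersion">
    ZTS_PELABEL <"MinorLinkerVersion">
    ZTS_PELABEL <"SizeOfCode">
    ZTS_PELABEL <"SizeOfInitializedData">
    ZTS_PELABEL <"SizeOfUninitializedData">
    ZTS_PELABEL <"AddressOfEntryPoint">
    ZTS_PELABEL <"BaseOfCode">
    ZTS_PELABEL <"BaseOfData">
    ZTS_PELABEL <"ImageBase">
    ZTS_PELABEL <"SectionAlignment">
    ZTS_PELABEL <"FileAlignment">
    ; these two are exactly 27 characters: no padding, written out directly
    db "MajorOperatingSystemVersion", 0
    db "MinorOperatingSystemVersion", 0
    ZTS_PELABEL <"MajorImageVersion">
    ZTS_PELABEL <"MinorImageVersion">
    ZTS_PELABEL <"MajorSubsystemVersion">
    ZTS_PELABEL <"MinorSubsystemVersion">
    ZTS_PELABEL <"Win32VersionValue">
    ZTS_PELABEL <"SizeOfImage">
    ZTS_PELABEL <"SizeOfHeaders">
    ZTS_PELABEL <"CheckSum">
    ZTS_PELABEL <"Subsystem">
    ZTS_PELABEL <"DllCharacteristics">
    ZTS_PELABEL <"SizeOfStackReserve">
    ZTS_PELABEL <"SizeOfStackCommit">
    ZTS_PELABEL <"SizeOfHeapReserve">
    ZTS_PELABEL <"SizeOfHeapCommit">
    ZTS_PELABEL <"LoaderFlags">
    ZTS_PELABEL <"NumberOfRvaAndSizes">
    ; DataDirectory heading + the 16 IMAGE_DATA_DIRECTORY slots, in index order
    ZTS_PELABEL <"DataDirectory">
    ZTS_PELABEL <"Export">
    ZTS_PELABEL <"Import">
    ZTS_PELABEL <"Resource">
    ZTS_PELABEL <"Exception">
    ZTS_PELABEL <"Certificates">
    ZTS_PELABEL <"Base Relocation">
    ZTS_PELABEL <"Debug">
    ZTS_PELABEL <"Architecture">
    ZTS_PELABEL <"Special">
    ZTS_PELABEL <"Thread Storage">
    ZTS_PELABEL <"Load Configuration">
    ZTS_PELABEL <"Bound Import">
    ZTS_PELABEL <"Import Address Table">
    ZTS_PELABEL <"Delay Import">
    ZTS_PELABEL <"Reserved">
    ZTS_PELABEL <"Reserved">
    ; 57 fixed-stride entries precede the section-table text; fail the build
    ; if an entry was added, removed or mis-sized.
    .ERRNZ ($ - szPeStruct) - 57 * ZTS_PE_LABEL_STRIDE

    ; Section-table heading plus a column header laid out to match the
    ; "%-8s %08X %08X %08X %08X %08X" row format used by zts_pestruct.
    db "Section Header Value", 13, 10, 13, 10
    db "Name     V.Offset V.Size   R.Offset R.Size   Flags", 13, 10
    db "--------------------------------------------------------------------", 0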
.code
;-----------------------------------------------------------------------
; GetExpressionEx(Expression, pValue, pRemainder)
;   Evaluates the expression text via the IG_GET_EXPRESSION_EX ioctl.
;   In:   Expression  -> expression text
;         pValue      -> DWORD that receives GET_EXPRESSION_EX.Value
;         pRemainder  -> DWORD that receives GET_EXPRESSION_EX.Remainder,
;                        or 0 to skip it
;   Out:  eax = 1 on success, 0 if the ioctl failed (outputs untouched)
;   Uses: ebx (saved/restored by the prologue)
;-----------------------------------------------------------------------
GetExpressionEx proc uses ebx, Expression:DWORD, pValue:DWORD, pRemainder:DWORD
    LOCAL _req : GET_EXPRESSION_EX

    mov     eax, Expression
    mov     _req.Expression, eax
    invoke  Ioctl, IG_GET_EXPRESSION_EX, addr _req, sizeof _req
    test    eax, eax
    jz      ge_fail

    ; success: always report the value, the remainder only when asked for
    mov     ebx, pValue
    mov     eax, _req.Value
    mov     dword ptr [ebx], eax
    mov     ebx, pRemainder
    test    ebx, ebx
    jz      ge_done
    mov     eax, _req.Remainder
    mov     dword ptr [ebx], eax
ge_done:
    mov     eax, 1
    ret

ge_fail:
    xor     eax, eax
    ret
GetExpressionEx endp
;-----------------------------------------------------------------------
; zts_help - print the banner/usage text (szHelp).
;   All five extension arguments are accepted for prototype compatibility
;   and ignored.
;-----------------------------------------------------------------------
zts_help proc hCurrentProcess:DWORD, hCurrentThread:DWORD, dwCurrentPc:DWORD, dwProcessor:DWORD, args:DWORD
    mov     eax, offset szHelp
    invoke  DbgPrint, eax
    ret
zts_help endp
;===================================================================
;
; zts_pestruct 显示 PE 头结构
; zts_pestruct - dump the PE headers (signature, IMAGE_FILE_HEADER,
; IMAGE_OPTIONAL_HEADER, the 16 data directories and the section table)
; of the image whose DOS header is at the given address.
;
; 用法 (usage): !zts_pestruct <dos header address>
; 比如 (example): !zts_pestruct 400000
;
;===================================================================
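; Stride of the entries in szPeStruct (27 characters + NUL). Each print below
; consumes one label and advances edi by this amount, so the print order here
; must stay in lock-step with the table.
ZTS_PE_LABEL_LEN equ 28
; Number of IMAGE_DATA_DIRECTORY slots in IMAGE_OPTIONAL_HEADER.
ZTS_PE_NUM_DIRS  equ 16

; Print one DWORD field of the IMAGE_NT_HEADERS at esi beside the label at
; edi, then step edi to the next label. Clobbers eax (plus whatever DbgPrint
; clobbers).
ZTS_PE_DD macro member:REQ
    mov     eax, [esi].member
    invoke  DbgPrint, $CTA0("\t%8Xh : %s\n"), eax, edi
    add     edi, ZTS_PE_LABEL_LEN
endm

; Same for BYTE/WORD fields: zero-extend into eax first.
ZTS_PE_ZX macro member:REQ
    movzx   eax, [esi].member
    invoke  DbgPrint, $CTA0("\t%8Xh : %s\n"), eax, edi
    add     edi, ZTS_PE_LABEL_LEN
endm

;-----------------------------------------------------------------------
; zts_pestruct - dump the PE headers of the image at <args>.
;   args -> expression giving the DOS header address (e.g. "400000").
;   Prints "... is not a valid pe struct" if the expression evaluates to 0,
;   the "MZ" signature is missing, or the 4-byte "PE\0\0" signature is
;   missing at e_lfanew.
;   Register roles: esi = header cursor, edi = label cursor into szPeStruct,
;   ebx = loop counter. esi/edi/ebx are callee-saved under the Win32 ABI,
;   so they are listed in USES (the original saved ebx/ecx only and left the
;   caller's esi/edi clobbered).
;   NOTE: the header is read by dereferencing the target address directly;
;   e_lfanew and NumberOfSections are taken from the image as-is, so an
;   unmapped address or a corrupt header moves the reads somewhere arbitrary
;   and can fault. TODO: probe the address before dereferencing - confirm
;   what the host debugger offers for that.
;-----------------------------------------------------------------------
zts_pestruct proc uses ebx esi edi, hCurrentProcess:DWORD, hCurrentThread:DWORD, dwCurrentPc:DWORD, dwProcessor:DWORD, args:DWORD
    LOCAL _ntHdr:DWORD              ; address of IMAGE_NT_HEADERS once validated

    ; Resolve the argument to the DOS header address; 0 means "nothing
    ; usable" and must never be dereferenced.
    invoke  GetExpression, args
    test    eax, eax
    jz      bad_header

    ; "MZ" in memory is 4Dh 5Ah = word 5A4Dh (little-endian).
    assume  eax : ptr IMAGE_DOS_HEADER
    cmp     word ptr [eax], 5A4Dh
    jne     bad_header
    add     eax, [eax].e_lfanew
    assume  eax : nothing

    ; Check the full 4-byte "PE\0\0" signature (00004550h), not only "PE".
    cmp     dword ptr [eax], 00004550h
    jne     bad_header
    mov     _ntHdr, eax
    invoke  DbgPrint, $CTA0("\nPE Header Address = %08Xh\n\n"), _ntHdr

    mov     esi, _ntHdr
    mov     edi, offset szPeStruct
    assume  esi : ptr IMAGE_NT_HEADERS

    ; --- Signature + IMAGE_FILE_HEADER ---
    mov     eax, [esi].Signature
    invoke  DbgPrint, $CTA0("%8Xh : %s\n"), eax, edi
    add     edi, ZTS_PE_LABEL_LEN
    invoke  DbgPrint, $CTA0("\n%s\n\n"), edi          ; "FileHeader Value" heading
    add     edi, ZTS_PE_LABEL_LEN
    ZTS_PE_ZX FileHeader.Machine
    ZTS_PE_ZX FileHeader.NumberOfSections
    ZTS_PE_DD FileHeader.TimeDateStamp
    ZTS_PE_DD FileHeader.PointerToSymbolTable
    ZTS_PE_DD FileHeader.NumberOfSymbols
    ZTS_PE_ZX FileHeader.SizeOfOptionalHeader
    ZTS_PE_ZX FileHeader.Characteristics

    ; --- IMAGE_OPTIONAL_HEADER ---
    invoke  DbgPrint, $CTA0("\n%s\n\n"), edi          ; "OptionalHeader Value" heading
    add     edi, ZTS_PE_LABEL_LEN
    ZTS_PE_ZX OptionalHeader.Magic
    ZTS_PE_ZX OptionalHeader.MajorLinkerVersion
    ZTS_PE_ZX OptionalHeader.MinorLinkerVersion
    ZTS_PE_DD OptionalHeader.SizeOfCode
    ZTS_PE_DD OptionalHeader.SizeOfInitializedData
    ZTS_PE_DD OptionalHeader.SizeOfUninitializedData
    ZTS_PE_DD OptionalHeader.AddressOfEntryPoint
    ZTS_PE_DD OptionalHeader.BaseOfCode
    ZTS_PE_DD OptionalHeader.BaseOfData
    ZTS_PE_DD OptionalHeader.ImageBase
    ZTS_PE_DD OptionalHeader.SectionAlignment
    ZTS_PE_DD OptionalHeader.FileAlignment
    ZTS_PE_ZX OptionalHeader.MajorOperatingSystemVersion
    ZTS_PE_ZX OptionalHeader.MinorOperatingSystemVersion
    ZTS_PE_ZX OptionalHeader.MajorImageVersion
    ZTS_PE_ZX OptionalHeader.MinorImageVersion
    ZTS_PE_ZX OptionalHeader.MajorSubsystemVersion
    ZTS_PE_ZX OptionalHeader.MinorSubsystemVersion
    ZTS_PE_DD OptionalHeader.Win32VersionValue
    ZTS_PE_DD OptionalHeader.SizeOfImage
    ZTS_PE_DD OptionalHeader.SizeOfHeaders
    ZTS_PE_DD OptionalHeader.CheckSum
    ZTS_PE_ZX OptionalHeader.Subsystem
    ZTS_PE_ZX OptionalHeader.DllCharacteristics
    ZTS_PE_DD OptionalHeader.SizeOfStackReserve
    ZTS_PE_DD OptionalHeader.SizeOfStackCommit
    ZTS_PE_DD OptionalHeader.SizeOfHeapReserve
    ZTS_PE_DD OptionalHeader.SizeOfHeapCommit
    ZTS_PE_DD OptionalHeader.LoaderFlags
    ZTS_PE_DD OptionalHeader.NumberOfRvaAndSizes

    ; --- DataDirectory[16] ---
    ; All 16 struct slots are dumped as laid out in memory; slots at or past
    ; NumberOfRvaAndSizes are not directories the loader would honour, they
    ; are shown for completeness of the raw structure.
    invoke  DbgPrint, $CTA0("\t%s\n"), edi             ; "DataDirectory" heading
    add     edi, ZTS_PE_LABEL_LEN
    xor     ebx, ebx
    .while ebx < ZTS_PE_NUM_DIRS
        mov     eax, [esi].OptionalHeader.DataDirectory[ebx*sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
        mov     ecx, [esi].OptionalHeader.DataDirectory[ebx*sizeof IMAGE_DATA_DIRECTORY].isize
        invoke  DbgPrint, $CTA0("\t\t%8X - %-8X : %s\n"), eax, ecx, edi
        add     edi, ZTS_PE_LABEL_LEN
        inc     ebx
    .endw

    ; --- Section table ---
    ; It starts right after the optional header; SizeOfOptionalHeader is used
    ; instead of sizeof IMAGE_OPTIONAL_HEADER because the two may differ.
    invoke  DbgPrint, $CTA0("\n%s\n"), edi              ; heading + column header
    movzx   ebx, [esi].FileHeader.NumberOfSections
    movzx   eax, [esi].FileHeader.SizeOfOptionalHeader
    add     eax, sizeof IMAGE_FILE_HEADER + 4           ; + 4-byte Signature
    add     esi, eax
    assume  esi : ptr IMAGE_SECTION_HEADER
    .while ebx
        ; Name is 8 bytes and is NOT NUL-terminated when all 8 are used;
        ; "%-8.8s" bounds the read to the field instead of running on into
        ; VirtualSize (assumes the formatter honours precision, as the
        ; kernel CRT one does).
        invoke  DbgPrint, $CTA0("%-8.8s %08X %08X %08X %08X %08X\n"), esi, [esi].VirtualAddress, \
                [esi].Misc.VirtualSize, [esi].PointerToRawData, [esi].SizeOfRawData, [esi].Characteristics
        add     esi, sizeof IMAGE_SECTION_HEADER
        dec     ebx
    .endw
    assume  esi : nothing
    ret

bad_header:
    ; eax = the address whose signature check failed (DOS header, or the
    ; NT header reached through e_lfanew), or 0 if the expression gave nothing.
    invoke  DbgPrint, $CTA0("%08Xh address is not a valid pe struct\n"), eax
    ret
zts_pestruct endp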
;===================================================================
;
; zts_string 显示指定地址范围内的所有字符串
; zts_string - list the runs of printable alphanumeric text found in
; the address range [start, end).
;
; 用法 (usage): !zts_string <start address> <end address>
; 比如 (examples): !zts_string 401000 402000
;                  !zts_string ebx ebx+1000
;
;===================================================================
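; Minimum run of [0-9A-Za-z] bytes that is reported as a string.
ZTS_MIN_STRING_RUN equ 6

;-----------------------------------------------------------------------
; zts_string - report strings in [start, end).
;   args -> "<start expression> <end expression>"
;   A string is a run of at least ZTS_MIN_STRING_RUN consecutive
;   alphanumeric bytes; once found, it is printed from the start of the run
;   up to the next NUL byte (or the end of the range), then scanning
;   resumes after it. Nothing is printed when end <= start.
;   Prints a usage line on a syntax error or when the end address is 0.
;   Register roles: esi = scan cursor, ebx = length of the alphanumeric run
;   ending at esi. Both are callee-saved under the Win32 ABI and listed in
;   USES (the original saved only ebx and clobbered the caller's esi).
;   NOTE: the range is dereferenced directly; every byte in [start, end)
;   must be mapped or the read faults.
;-----------------------------------------------------------------------
zts_string proc uses ebx esi, hCurrentProcess:DWORD, hCurrentThread:DWORD, dwCurrentPc:DWORD, dwProcessor:DWORD, args:DWORD
    LOCAL _Start:DWORD              ; first byte scanned (inclusive)
    LOCAL _End:DWORD                ; one past the last byte scanned (exclusive)
    LOCAL _Run:DWORD                ; start address of the string being printed

    ; --- argument parsing ---
    ; _si_Expression2Integer (defined elsewhere in the project) is relied on
    ; as: esi -> text, value returned in eax, esi advanced past the
    ; expression, CF set on a syntax error.
    mov     esi, args
    call    _si_Expression2Integer
    jb      syntax_error
    mov     _Start, eax
    cmp     byte ptr [esi], 0       ; a second expression must follow
    jz      syntax_error
    call    _si_Expression2Integer
    jb      syntax_error
    test    eax, eax                ; an end address of 0 is rejected
    jz      syntax_error
    mov     _End, eax
    invoke  DbgPrint, $CTA0("\nStart Address = %08Xh\nEnd Address = %08Xh\n\n"), _Start, _End

    ; --- scan ---
    mov     esi, _Start
    xor     ebx, ebx
    .while esi < _End
        movzx   eax, byte ptr [esi]
        .if (eax >= '0' && eax <= '9') || (eax >= 'a' && eax <= 'z') || (eax >= 'A' && eax <= 'Z')
            inc     ebx
        .else
            xor     ebx, ebx
        .endif
        inc     esi
        .if ebx >= ZTS_MIN_STRING_RUN
            ; run start = esi - ebx; extend to the NUL terminator but stop at
            ; _End so the print never reads outside the requested range
            mov     eax, esi
            sub     eax, ebx
            mov     _Run, eax
            .while esi < _End
                movzx   eax, byte ptr [esi]
                .break .if eax == 0
                inc     esi
            .endw
            mov     eax, esi
            sub     eax, _Run           ; byte count of the string (no NUL)
            ; "%.*s" bounds the read to the bytes just scanned; the original
            ; "%s" read on past _End when no NUL was inside the range
            ; (assumes the formatter honours '*' precision, as the kernel
            ; CRT one does).
            invoke  DbgPrint, $CTA0("%08Xh : %.*s\n"), _Run, eax, _Run
        .endif
    .endw
    ret

syntax_error:
    invoke  DbgPrint, $CTA0("Usage: \:zts_string \[start address\] \[end address\]\n")
    ret
zts_string endp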