📁 MemoryToolz 0.1 example written in assembly using NtSystemDebugControl; very good to study
.data
; wsprintf format for the "basic" block written first into pe_temp.
; Arguments, in order: entry point, SizeOfImage, CheckSum, TimeDateStamp
; (all DWORD, printed in hex) and the subsystem name (%s). The order must
; match the wsprintf call in DumpPeInfo.
fmt_pe_basic	db	"( basic pe information )", 13, 10
				db	"Entrypoint... : 0x%08x", 13, 10
				db	"Sizeofimage.. : 0x%x", 13, 10
				db	"Checksum..... : 0x%x", 13, 10
				db	"Timedatastamp : 0x%08x", 13, 10
				db	"Subsystem.... : %s", 13, 10, 13, 10, 13, 10, 0

; Header for the section listing; %u is FileHeader.NumberOfSections.
; DumpPeInfo appends one ~80-character line per section after it.
fmt_pe_sections	db	"( %u sections header )", 13, 10
				db	":name       :viraddr      :virsize      :rawaddr      :rawsize      :charac", 13, 10, 0

; Header for the data-directory listing; %u is the number of directory
; entries whose VirtualAddress is non-zero (counted in DumpPeInfo).
fmt_pe_dir		db	"( %u directories header )", 13, 10
				db	":name           :viraddr     :size", 13, 10, 0

.data?
; Uninitialised scratch buffer (512 bytes) that DumpPeInfo fills with
; wsprintf/lstrcat before handing it to the edit control. Each section
; line is about 80 characters and the section header about 100, so
; roughly six sections are enough to exceed it unless every append is
; bounded against SIZEOF pe_temp.
pe_temp db 512 dup (?)

.code

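;-----------------------------------------------------------------------
; DumpPeAppend - bounded lstrcat used by DumpPeInfo.
;   Appends the NUL-terminated string lpSrc to lpDest only when the
;   result, terminating NUL included, fits in cbDest bytes.
;   BOOL DumpPeAppend(LPSTR lpDest, DWORD cbDest, LPCSTR lpSrc)  (stdcall)
; In:    lpDest = destination buffer, cbDest = its size in bytes,
;        lpSrc  = string to append
; Out:   eax = 1 if appended, 0 if it did not fit (lpDest is untouched)
; Clobb: eax, ecx, edx  (esi/edi saved by USES)
;-----------------------------------------------------------------------
DumpPeAppend proc uses esi edi lpDest:PTR BYTE, cbDest:DWORD, lpSrc:PTR BYTE
	invoke lstrlen, lpDest
	mov esi, eax                            ; esi = current length of lpDest
	invoke lstrlen, lpSrc
	mov edi, eax                            ; edi = length of lpSrc
	lea eax, [esi + edi + 1]                ; bytes needed, NUL included
	.if (eax <= cbDest)
		invoke lstrcat, lpDest, lpSrc
		mov eax, 1
	.else
		xor eax, eax                        ; caller treats 0 as "output truncated"
	.endif
	ret
DumpPeAppend endp

;-----------------------------------------------------------------------
; DumpPeInfo - dump the PE headers located at ImageBase into the
;   HwndInfo edit control (basic fields, section table, data directories).
;   void DumpPeInfo(DWORD ImageBase)   (stdcall)
; In:    ImageBase = image base to inspect (passed to MiReadVirtualMemory)
; Out:   nothing; HwndInfo text is replaced, "Not available" on failure
; Notes: Only the first PAGE_SIZE bytes at ImageBase are copied, and the
;        headers come from memory this routine does not control, so every
;        field used as an offset or count (e_lfanew, SizeOfOptionalHeader,
;        NumberOfSections) is checked against that copy before it is
;        dereferenced; IsBadReadPtr is not used because it does not bound
;        the read to the copy. PE32 layout (IMAGE_NT_HEADERS with a 32-bit
;        optional header) is assumed. Output into pe_temp is bounded by
;        DumpPeAppend; the listing stops when the buffer is full.
;        ebx/esi/edi are callee-saved in the Win32 stdcall ABI, hence USES.
;-----------------------------------------------------------------------
DumpPeInfo proc uses ebx esi edi ImageBase:DWORD
	LOCAL lpBuffer:PTR BYTE
	LOCAL BufEnd:DWORD                      ; lpBuffer + PAGE_SIZE, one past the copy
	LOCAL NtHeader:PTR IMAGE_NT_HEADERS
	LOCAL EntryPoint:DWORD
	LOCAL SubsysName:PTR BYTE
	LOCAL nSections:DWORD
	LOCAL Temp[128]:BYTE                    ; one formatted line (longest is ~80 chars)

	invoke SendMessage, HwndInfo, WM_SETTEXT, 0, CTXT("Not available")
	invoke MiAllocateMemory, PAGE_SIZE
	.if (eax)
		mov lpBuffer, eax
		add eax, PAGE_SIZE
		mov BufEnd, eax

		invoke MiReadVirtualMemory, ImageBase, lpBuffer, PAGE_SIZE
		.if (eax)
			mov esi, lpBuffer
			.if (word ptr [esi] == 'ZM')
				; e_lfanew is untrusted: the whole IMAGE_NT_HEADERS must lie inside the copy
				; (unsigned compare, so a negative e_lfanew is rejected as well)
				mov eax, IMAGE_DOS_HEADER.e_lfanew[esi]
				.if (eax <= PAGE_SIZE - sizeof IMAGE_NT_HEADERS)
					add esi, eax
					mov NtHeader, esi
					.if (word ptr [esi] == 'EP')
						assume esi:ptr IMAGE_NT_HEADERS

						; ---- basic information ----
						movzx eax, [esi].OptionalHeader.Subsystem   ; WORD: zero-extend, not sign-extend
						.if		(eax == 1)
							mov edx, CTXT("Native")
						.elseif (eax == 2)
							mov edx, CTXT("GUI")
						.elseif (eax == 3)
							mov edx, CTXT("Console")
						.else
							mov edx, CTXT("Unknown subsystem")
						.endif
						mov SubsysName, edx
						mov eax, ImageBase
						add eax, [esi].OptionalHeader.AddressOfEntryPoint
						mov EntryPoint, eax                         ; absolute entry point in the target
						; argument order matches fmt_pe_basic; invoke cleans the C stack for us
						invoke wsprintf, addr pe_temp, addr fmt_pe_basic, EntryPoint,\
							[esi].OptionalHeader.SizeOfImage, [esi].OptionalHeader.CheckSum,\
							[esi].FileHeader.TimeDateStamp, SubsysName

						invoke SendMessage, HwndInfo, WM_SETTEXT, 0, addr pe_temp
						invoke SendMessage, HwndInfo, WM_GETTEXTLENGTH, 0, 0
						invoke SendMessage, HwndInfo, EM_SETSEL, eax, eax  ; caret to end, so EM_REPLACESEL appends

						; ---- section headers ----
						movzx eax, [esi].FileHeader.NumberOfSections
						mov nSections, eax
						invoke wsprintf, addr pe_temp, addr fmt_pe_sections, nSections
						; WORD offset: movsx would turn values >= 8000h into a negative offset
						movzx edi, [esi].FileHeader.SizeOfOptionalHeader
						lea eax, [esi].OptionalHeader
						add edi, eax                                ; edi = first IMAGE_SECTION_HEADER
						assume edi:ptr IMAGE_SECTION_HEADER
						xor ebx, ebx
						.while (ebx < nSections)
							; stop at the first header that is not entirely inside the copy
							lea eax, [edi + sizeof IMAGE_SECTION_HEADER]
							.break .if (eax > BufEnd)
							; Name is 8 bytes with no guaranteed NUL: pad it so %.8s prints it whole
							xor ecx, ecx
							.while (ecx < 8)
								.if (byte ptr [edi + ecx] == 0)
									mov byte ptr [edi + ecx], ' '
								.endif
								inc ecx
							.endw
							invoke wsprintf, addr Temp, CTXT("%.8s    0x%.8x    0x%.8x    0x%.8x    0x%.8x    0x%.8x", 13, 10),\
								addr [edi].Name1, [edi].VirtualAddress, [edi].Misc.VirtualSize, [edi].PointerToRawData,\
								[edi].SizeOfRawData, [edi].Characteristics
							invoke DumpPeAppend, addr pe_temp, sizeof pe_temp, addr Temp
							.break .if (!eax)                       ; pe_temp full: truncate instead of overflowing it
							lea edi, [edi + sizeof IMAGE_SECTION_HEADER]
							inc ebx
						.endw
						assume edi:nothing

						invoke DumpPeAppend, addr pe_temp, sizeof pe_temp, CTXT(13, 10, 13, 10)
						invoke SendMessage, HwndInfo, EM_REPLACESEL, FALSE, addr pe_temp ; sections information
						invoke SendMessage, HwndInfo, WM_GETTEXTLENGTH, 0, 0
						invoke SendMessage, HwndInfo, EM_SETSEL, eax, eax

						; ---- data directories (all inside IMAGE_NT_HEADERS, already bounds-checked) ----
						; first pass: count populated entries for the header line
						lea edi, [esi].OptionalHeader.DataDirectory
						assume edi:ptr IMAGE_DATA_DIRECTORY
						xor ebx, ebx
						xor ecx, ecx
						.while (ebx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
							.if ([edi].VirtualAddress)
								inc ecx
							.endif
							lea edi, [edi + sizeof IMAGE_DATA_DIRECTORY]
							inc ebx
						.endw
						invoke wsprintf, addr pe_temp, addr fmt_pe_dir, ecx

						; second pass: one line per populated entry
						lea edi, [esi].OptionalHeader.DataDirectory
						xor ebx, ebx
						.while (ebx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
							.if ([edi].VirtualAddress)
								.if		(ebx == 0)
									mov edx, CTXT("Export       ")
								.elseif	(ebx == 1)
									mov edx, CTXT("Import       ")
								.elseif	(ebx == 2)
									mov edx, CTXT("Resource     ")
								.elseif	(ebx == 3)
									mov edx, CTXT("Exception    ")
								.elseif	(ebx == 4)
									mov edx, CTXT("Security     ")
								.elseif	(ebx == 5)
									mov edx, CTXT("Relocation   ")
								.elseif	(ebx == 6)
									mov edx, CTXT("Debug        ")
								.elseif	(ebx == 7)
									mov edx, CTXT("Architecture ")
								.elseif	(ebx == 8)
									mov edx, CTXT("GP           ")
								.elseif	(ebx == 9)
									mov edx, CTXT("TLS          ")
								.elseif	(ebx == 10)
									mov edx, CTXT("Configuration")
								.elseif	(ebx == 11)
									mov edx, CTXT("Bound Import ")
								.elseif	(ebx == 12)
									mov edx, CTXT("IAT          ")
								.elseif	(ebx == 13)
									mov edx, CTXT("Delay Import ")
								.elseif	(ebx == 14)
									mov edx, CTXT(".NET MetaData")
								.else
									; entry 15 is reserved; without this branch edx would be
									; whatever the previous iteration left and %s would read it
									mov edx, CTXT("Reserved     ")
								.endif
								invoke wsprintf, addr Temp, CTXT("%s   0x%.8x    0x%.8x", 13, 10), edx, [edi].VirtualAddress, [edi].isize
								invoke DumpPeAppend, addr pe_temp, sizeof pe_temp, addr Temp
								.break .if (!eax)                   ; pe_temp full
							.endif
							lea edi, [edi + sizeof IMAGE_DATA_DIRECTORY]
							inc ebx
						.endw
						assume edi:nothing

						invoke DumpPeAppend, addr pe_temp, sizeof pe_temp, CTXT(13, 10, 13, 10)
						invoke SendMessage, HwndInfo, EM_REPLACESEL, FALSE, addr pe_temp ; directories information
						invoke SendMessage, HwndInfo, WM_GETTEXTLENGTH, 0, 0
						invoke SendMessage, HwndInfo, EM_SETSEL, eax, eax

						assume esi:nothing
					.endif
				.endif
			.endif
		.endif
		invoke MiFreeMemory, lpBuffer
	.endif

	ret
DumpPeInfo endp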
