;++
;
; 2009-01-24
;
; Abstract:
;
; This tool can dump virtual memory from
; kernel space and user space.
; It can also dump information about some NT structures.
;
; Author:
;
; GamingMaster/AT4RE ( main tool body - MiXxx routines)
;
; Environment:
;
; WIN XP x86
;
;--
.386
.model flat, stdcall
option casemap : none
include MemoryToolz.inc
include MiVirtualMemory.asm
include pe.asm
.data?
buffer db 100 dup (?)           ; 100-byte uninitialised scratch area; not referenced by the code in this file (may be used by the included .asm units — confirm)
.code
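;-----------------------------------------------------------------------
; Program entry point (referenced by "end main" at the bottom of the file).
; Initialises the memory-access layer and the common controls, stores the
; module handle for later LoadIcon use, then runs the main dialog modally.
; The process is terminated explicitly once the dialog returns.
; Clobbers: eax, ecx, edx (stdcall volatiles) - nothing to preserve at entry.
;-----------------------------------------------------------------------
main:
    invoke  MiInitVirtualMemory                 ; set up the kernel/user read primitives
    invoke  InitCommonControls
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax                      ; read by DialogProc (LoadIcon)
    invoke  DialogBoxParam, hInstance, IDD_DLG, NULL, addr DialogProc, NULL
    ; Terminate the process explicitly instead of returning into the loader's
    ; thread-start stub: a plain "ret" from the entry point only ends the
    ; calling thread and leaves the exit code to the stub.
    invoke  ExitProcess, 0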
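;-----------------------------------------------------------------------
; INT_PTR CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure of the main window.
; ABI:   stdcall Win32 callback. The window manager requires callbacks to
;        preserve ebx, esi and edi; esi is used as scratch on the IDC_PRINT
;        path, so it is saved/restored via "uses".
; In:    standard dialog-procedure arguments
; Out:   eax = TRUE when the message was handled, FALSE otherwise
; Stack: Temp (32 bytes) receives the edit-control text (at most 12 bytes
;        including the NUL); badptr receives strtoul's end pointer.
;-----------------------------------------------------------------------
DialogProc proc uses esi hwndDlg:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
LOCAL Temp[32]:BYTE             ; text of the address / count edit controls
LOCAL badptr:PTR BYTE           ; strtoul end pointer (== addr Temp when nothing parsed)
    mov     eax, uMsg
    .if (eax == WM_INITDIALOG)
        invoke  SendMessage, hwndDlg, WM_SETTEXT, 0, addr ApplicationName
        ; LoadIcon returns a shared icon resource; DestroyIcon is not required
        ; for it (it returns without freeing). The call is kept as written.
        invoke  LoadIcon, hInstance, addr IconName
        push    eax
        invoke  SendMessage, hwndDlg, WM_SETICON, ICON_SMALL, eax
        pop     eax
        invoke  DestroyIcon, eax
        invoke  GetDlgItem, hwndDlg, IDC_MEMORY
        mov     HwndMemory, eax
        invoke  GetDlgItem, hwndDlg, IDC_INFO
        mov     HwndInfo, eax
        ; Subclass both input controls with the hex-only character filter.
        ; NOTE(review): only the previous procedure of IDC_ADDRESS is kept in
        ; WndPrevProc, and MemoryWindowProc forwards both controls to it. That
        ; is only correct if IDC_ADDRESS and IDC_CB are of the same window
        ; class - confirm against the dialog template.
        invoke  GetDlgItem, hwndDlg, IDC_ADDRESS
        invoke  SetWindowLong, eax, GWL_WNDPROC, addr MemoryWindowProc
        mov     WndPrevProc, eax
        invoke  GetDlgItem, hwndDlg, IDC_CB
        invoke  SetWindowLong, eax, GWL_WNDPROC, addr MemoryWindowProc
    .elseif (eax == WM_COMMAND)
        mov     eax, wParam
        and     eax, 0ffffh                     ; LOWORD(wParam) = control id
        .if (eax == IDC_PRINT)
            ; Address field. strtoul always stores an end pointer, so a
            ; non-NULL badptr proves nothing; a conversion happened only when
            ; the end pointer moved past the start of Temp.
            invoke  crt_memset, addr Temp, 0, sizeof Temp
            invoke  GetDlgItemText, hwndDlg, IDC_ADDRESS, addr Temp, 12
            mov     badptr, 0
            invoke  crt_strtoul, addr Temp, addr badptr, 16
            lea     ecx, Temp                   ; lea keeps eax (the parsed value) intact
            .if (ecx != badptr)
                mov     esi, eax                ; esi = virtual address to dump
                ; Byte-count field, same validation.
                invoke  GetDlgItemText, hwndDlg, IDC_CB, addr Temp, 12
                mov     badptr, 0
                invoke  crt_strtoul, addr Temp, addr badptr, 16
                lea     ecx, Temp
                .if (ecx != badptr)
                    invoke  PrintVirtualMemory, esi, eax
                    invoke  DumpPeInfo, esi
                .endif
            .endif
        .endif
    .elseif (eax == WM_CLOSE)
        invoke  EndDialog, hwndDlg, 0
    .else
        xor     eax, eax                        ; FALSE: not handled, let the dialog manager act
        ret
    .endif
    mov     eax, 1                              ; TRUE: message handled
    ret
DialogProc endp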
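;-----------------------------------------------------------------------
; LRESULT CALLBACK MemoryWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Subclass procedure shared by the hex-input controls. On WM_CHAR only the
; hexadecimal digits, 'x'/'X' (for a "0x" prefix) and Backspace reach the
; original control procedure; every other message is forwarded unchanged.
; ABI:   stdcall Win32 callback; ebx/esi/edi are not touched.
; Out:   eax = result of the forwarded message, or 0 for a swallowed WM_CHAR
;-----------------------------------------------------------------------
MemoryWindowProc proc hwnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    mov     eax, uMsg
    .if (eax == WM_CHAR)
        ; Compare the whole character code. Masking it to 8 bits first would
        ; let through any code whose low byte happens to be a hex digit
        ; (e.g. 130h would pass as '0'), and would forward the masked value
        ; instead of the original wParam.
        mov     eax, wParam
        .if ((eax >= '0' && eax <= '9') || (eax >= 'A' && eax <= 'F') || (eax >= 'a' && eax <= 'f') || eax == 'x' || eax == 'X' || eax == VK_BACK)
            invoke  CallWindowProc, WndPrevProc, hwnd, uMsg, wParam, lParam
        .else
            xor     eax, eax                    ; swallow the character; WM_CHAR result is 0
        .endif
    .else
        invoke  CallWindowProc, WndPrevProc, hwnd, uMsg, wParam, lParam
    .endif
    ret
MemoryWindowProc endp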
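;-----------------------------------------------------------------------
; void PrintVirtualMemory(DWORD VirtualAddress, DWORD nSize)
; Reads nSize bytes (rounded up to a multiple of 16) from VirtualAddress
; via MiReadVirtualMemory and shows them in the IDC_MEMORY control, one
; line per 16 bytes: address, 16 hex bytes, 16 characters, CR LF.
; ABI:   stdcall; ebx/esi/edi preserved via "uses".
; In:    VirtualAddress = first address to dump
;        nSize          = requested byte count; rounded up in place
; Out:   nothing (text goes to HwndMemory); eax undefined on return
; Stack: Temp (50 bytes) holds one wsprintf fragment at a time, so it must
;        cover the longer of the fmt_ulong / fmt_hex outputs - both formats
;        are defined elsewhere; 16 bytes as "%02X " is 48 chars + NUL, confirm.
;        Text is allocated at 6 bytes per input byte (96 per row), which
;        must cover address text + hex column + 16 chars + CR LF + NUL.
;-----------------------------------------------------------------------
PrintVirtualMemory proc uses ebx edi esi VirtualAddress:DWORD, nSize:DWORD
LOCAL lpBuffer:DWORD            ; raw bytes read from the target
LOCAL Text:DWORD                ; formatted dump, nSize*6 bytes
LOCAL counter:DWORD             ; number of 16-byte rows
LOCAL Temp[50]:BYTE             ; scratch for one wsprintf fragment
    invoke  SendMessage, HwndMemory, WM_SETTEXT, 0, NULL   ; clear the previous dump
    ; Round nSize up to whole 16-byte rows. The product is checked for
    ; 32-bit overflow (edx != 0 after mul) and for an empty request, both of
    ; which would otherwise produce an undersized or uninitialised Text buffer.
    mov     eax, nSize
    xor     edx, edx
    mov     ecx, 16
    div     ecx                                 ; eax = nSize/16, edx = nSize%16
    .if (edx)
        inc     eax                             ; partial row -> one more row
    .endif
    mov     counter, eax                        ; rows to print
    mul     ecx                                 ; edx:eax = rows*16
    .if (edx == 0 && eax != 0)
        mov     nSize, eax
        invoke  MiAllocateMemory, nSize
        mov     lpBuffer, eax
        .if (eax)
            invoke  MiReadVirtualMemory, VirtualAddress, lpBuffer, nSize
            .if (eax)
                ; Output buffer: 6 text bytes per input byte; reject overflow.
                mov     eax, nSize
                mov     ecx, 6
                mul     ecx
                .if (edx == 0)
                    invoke  MiAllocateMemory, eax
                    mov     Text, eax
                    .if (eax)
                        mov     byte ptr [eax], 0       ; lstrcat needs a terminated destination
                        xor     ebx, ebx                ; ebx = current row index
                        mov     esi, lpBuffer           ; esi = current 16-byte chunk
                        .while (ebx < counter)
                            ; Address column.
                            mov     edi, ebx
                            shl     edi, 4
                            add     edi, VirtualAddress ; edi = address of this row
                            invoke  wsprintf, addr Temp, addr fmt_ulong, edi
                            invoke  lstrcat, Text, addr Temp
                            ; Hex column. wsprintf is cdecl: push the 16 bytes
                            ; right-to-left (last byte first), then the format and
                            ; the destination, and pop all 18 arguments afterwards.
                            mov     edi, 16
                            .while (edi != 0)
                                dec     edi
                                movzx   eax, byte ptr [esi + edi]
                                push    eax
                            .endw
                            push    offset fmt_hex
                            lea     eax, Temp
                            push    eax
                            call    wsprintf
                            add     esp, 18*4                   ; 16 bytes + format + buffer
                            invoke  lstrcat, Text, addr Temp
                            ; Character column, appended by hand at the end of Text:
                            ; one chardump[] entry per input byte, then CR LF and a
                            ; fresh NUL so the next lstrcat (and the final
                            ; WM_SETTEXT) still see a terminated string.
                            push    esi
                            invoke  lstrlen, Text
                            mov     edx, esi                    ; edx = chunk base
                            mov     esi, Text
                            add     esi, eax                    ; esi = end of Text
                            xor     edi, edi
                            .while (edi < 16)
                                movzx   eax, byte ptr [edx + edi]
                                mov     al, byte ptr [eax + chardump]
                                mov     byte ptr [esi + edi], al
                                inc     edi
                            .endw
                            mov     byte ptr [esi + 16], 13
                            mov     byte ptr [esi + 17], 10
                            mov     byte ptr [esi + 18], 0
                            pop     esi
                            add     esi, 16                     ; next chunk
                            inc     ebx
                        .endw
                        ; Publish the dump text.
                        invoke  SendMessage, HwndMemory, WM_SETTEXT, 0, Text
                        invoke  MiFreeMemory, Text
                    .endif
                .endif
            .endif
            invoke  MiFreeMemory, lpBuffer
        .endif
    .endif
    ret
PrintVirtualMemory endp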
end main