
📄 physmembrowser.bat

📁 这是asm驱动的开发包
;@echo off
;goto make

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;  Physical Memory Browser - Lets you browse physical memory
;
;     Based on Mark Russinovich's Physmem code ( http://www.sysinternals.com )
;
;  Written by Four-F (four-f@mail.ru)
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Assembler setup for the whole file.
.386								; enable the 80386 instruction set (32-bit registers, pushad/popad)
.model flat, stdcall				; flat 32-bit memory model; stdcall is the default calling convention
option casemap:none					; symbol names are case-sensitive

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  I N C L U D E   F I L E S                                        
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include \masm32\include\windows.inc

include \masm32\include\w2k\native.inc

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comctl32.inc
include \masm32\include\gdi32.inc
include \masm32\include\advapi32.inc

include \masm32\include\w2k\ntdll.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comctl32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\advapi32.lib

includelib \masm32\lib\w2k\ntdll.lib

include \masm32\Macros\Strings.mac
;include ReportLastError.asm
include memory.asm
include string.asm
include MaskedEdit.asm
include htodw.asm
include theme.asm

include seh3.inc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                 S T R U C T U R E S                                               
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                         F U N C T I O N S   P R O T O T Y P E S                                   
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Dialog procedure prototype (window handle, message, wParam, lParam).
DlgProc	proto :HWND, :UINT, :WPARAM, :LPARAM

; Each procedure below is declared with proto + externdef. None of them is
; implemented in the part of the file shown here, so the notes on their
; purpose are assumptions to be checked against the implementation.

; NOTE(review): presumably resolves the ntdll entry points the tool calls - confirm.
GetNtdllEntries proto
externdef GetNtdllEntries:proc

; NOTE(review): presumably opens the physical-memory section object, as the
; Physmem code this tool is based on does - confirm. If it opens
; \Device\PhysicalMemory, expect the open to be refused from user mode on
; Windows Server 2003 SP1 and later; report that failure instead of assuming success.
OpenPhysicalMemory proto
externdef OpenPhysicalMemory:proc

; Takes a handle and three DWORD pointers.
; NOTE(review): presumably section handle, physical address, length and resulting
; virtual address (in/out), as in Physmem - confirm.
MapPhysicalMemory proto :HANDLE, :PDWORD, :PDWORD, :PDWORD
externdef MapPhysicalMemory:proc

; NOTE(review): the DWORD is presumably the virtual address returned by the map call - confirm.
UnmapPhysicalMemory proto :DWORD
externdef UnmapPhysicalMemory:proc

; ErrorToStatusBar passes its status argument here and feeds the result to
; FormatMessage as the message id.
NtStatusToDosError proto :DWORD
externdef NtStatusToDosError:proc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                         F U N C T I O N S   P R O T O T Y P E S                                   
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include protos.inc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                        M A C R O S                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; $invoke - function-style form of invoke.
; Emits "invoke <vars>" and then expands to the text "eax", so the return value
; of the call can be used directly as an operand of the enclosing statement.
$invoke MACRO vars:VARARG
     invoke vars
     EXITM <eax>
ENDM

; mrm - copy Sor to Des through eax (usable for memory-to-memory moves).
; Clobbers eax: after the expansion eax holds the value of Sor.
mrm MACRO Des:REQ, Sor:REQ
	mov eax, Sor
	mov Des, eax
ENDM

; $LOWORD - expands to eax holding the low 16 bits of dwVar (upper 16 bits cleared).
; Clobbers eax and the flags (and).
$LOWORD MACRO dwVar:REQ
	IFDIFI <dwVar>, <eax>	;; don't move eax onto itself
		mov eax, dwVar
	ENDIF
	and eax, 0FFFFh			;; keep bits 0..15 only
	EXITM <eax>
ENDM

; $HIWORD - expands to eax holding the high 16 bits of dwVar, shifted down to bits 0..15.
; Clobbers eax and the flags (shr).
$HIWORD MACRO dwVar:REQ
	IFDIFI <dwVar>, <eax>	;; don't move eax onto itself
		mov eax, dwVar
	ENDIF
	shr eax, 16				;; logical shift: bits 16..31 become bits 0..15, upper half is zero
	EXITM <eax>
ENDM

; date - emits the assembly date as db bytes in the form "dd Mon 20yy".
; The text is taken from the assembler's @Date symbol (MASM documents it as
; mm/dd/yy), so characters 1-2 are the month, 4-5 the day and 7-8 the year.
; No terminating zero is emitted; the caller adds its own (see szWrittenBy).
date MACRO
local pos, month

	;; Day
	;; Walk @Date character by character and emit only characters 4 and 5.
	pos = 1
	% FORC chr, @Date
		IF (pos EQ 4) OR (pos EQ 5)
			db "&chr"
		ENDIF
		pos = pos + 1
	ENDM

	;; Month
	;; The loop body does work only on its first pass (pos EQ 1): it takes the
	;; two-digit month from @Date and emits the matching abbreviation, padded
	;; with a space on each side. The remaining passes only advance pos.
	pos = 1
	% FORC chr, @Date
		IF (pos EQ 1)
			month TEXTEQU @SubStr(%@Date, 1 , 2)
			IF month EQ 01
				db " Jan "	
			ELSEIF month EQ 02
				db " Feb "	
			ELSEIF month EQ 03
				db " Mar "	
			ELSEIF month EQ 04
				db " Apr "	
			ELSEIF month EQ 05
				db " May "	
			ELSEIF month EQ 06
				db " Jun "	
			ELSEIF month EQ 07
				db " Jul "	
			ELSEIF month EQ 08
				db " Aug "	
			ELSEIF month EQ 09
				db " Sep "	
			ELSEIF month EQ 10
				db " Oct "	
			ELSEIF month EQ 11
				db " Nov "	
			ELSEIF month EQ 12
				db " Dec "	
			ENDIF
		ENDIF
		pos = pos + 1
	ENDM

	;; Year
	;; The century is hard-coded as "20"; only the two year digits (characters
	;; 7 and 8 of @Date) come from the assembler.
	db "20"
	pos = 1
	% FORC chr, @Date
		IF (pos EQ 7) OR (pos EQ 8)
			db "&chr"
		ENDIF
		pos = pos + 1
	ENDM

ENDM

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       Fix helper macro                                            
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Fix - assembly-time reminder. Prints "Fix: <file>(<line>) - <txt>" to the
; assembler output via ECHO; emits no code or data.
; txt defaults to "Fix this later!!!!".
Fix MACRO txt:=<Fix this later!!!!>
	local pos, spos

	pos = 0
	spos = 0

	;; Find the position of the last path separator in the current file name.
	% FORC chr, @FileCur		;; Don't display full path. Easier to read.
		pos = pos + 1
		IF "&chr" EQ 5Ch		;; 5Ch is the backslash path separator
			spos = pos
		ENDIF
	ENDM

	;; spos+1 is the first character after the last backslash
	;; (1 when the name contains no backslash, i.e. the whole name is shown).
	% ECHO @CatStr(<Fix: >, @SubStr(%@FileCur, spos+1,), <(%@Line) - txt>)
ENDM

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                      E Q U A T E S                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Dialog and control identifiers.
; NOTE(review): these presumably have to match the ids in the resource script,
; which is not part of this page - confirm.
IDD_MAIN					equ	1000
IDE_ADDRESS					equ 1001
IDCB_SIZE					equ 1002
IDB_DUMP					equ 1003
IDE_DUMP					equ 1004
IDB_CLEAR					equ 1005

; Dump format buttons; PrintHexDump queries them with IsDlgButtonChecked to
; choose between byte, word and dword output.
IDR_BYTE					equ 1006
IDR_WORD					equ 1007
IDR_DWORD					equ 1008

IDC_TOTAL_PHYS_PAGES		equ 1009
IDC_LOWEST_PHYS_ADDRESS		equ 1010
IDC_HIGHEST_PHYS_ADDRESS	equ 1011

IDC_LINE					equ 1020

;IDM_CLEAR					equ 2001
;IDM_COPY_CLIPBOARD			equ 2002
IDM_ABOUT					equ	2000

IDI_ICON					equ 3000

; Value compared against status codes to mean success.
STATUS_SUCCESS				equ 0

; Number of bytes PrintHexDump zero-fills at g_pTextBuffer before formatting the
; dump into it.
; NOTE(review): the part of PrintHexDump visible on this page writes into the
; buffer without comparing the write pointer against this size - confirm that
; the largest selectable dump (4096 bytes in FillComboBox) always fits.
TEXT_BUFFER_SIZE			equ 30000

TOP_INDENT					equ 62

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  R E A D O N L Y  D A T A                                         
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.const

; Menu/caption text for the About entry.
szAbout						db "About...", 0
; About text: product name, build date (emitted at assembly time by the date
; macro) and author, as one zero-terminated string.
; NOTE(review): the line breaks are emitted as 0Ah, 0Dh (LF, CR), the reverse of
; the usual CR, LF order - confirm this is intended.
szWrittenBy					db "Physical Memory Browser v1.2", 0Ah, 0Dh
							db "Built on "
							date
							db 0Ah, 0Dh, 0Ah, 0Dh
							db "Written by Four-F <four-f@mail.ru>", 0

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                              U N I N I T I A L I Z E D  D A T A                                   
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.data?

; Module-wide state. Everything here is uninitialized at load time and has to
; be set before it is used.
g_hInstance					HINSTANCE	?
g_hDlg						HWND		?	; dialog queried by PrintHexDump for the format buttons
g_hwndEditAddress			HWND		?
g_hwndComboSize				HWND		?	; dump-size combo box filled by FillComboBox
g_hwndEditDump				HWND		?
g_hwndStatusBar				HWND		?	; status bar written by ErrorToStatusBar

;g_hPopupMenu				HMENU		?

; NOTE(review): presumably the handle obtained from OpenPhysicalMemory - confirm.
g_hPhysMem					HANDLE		?

; NOTE(review): presumably the previous and the replacement font of a control;
; their use is not on this page - confirm.
g_hFontOld					HFONT		?
g_hFontNew					HFONT		?

; Buffer PrintHexDump clears (TEXT_BUFFER_SIZE bytes) and formats the dump into.
; Its allocation is not on this page.
g_pTextBuffer				LPSTR		?

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       C O D E                                                     
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     ErrorToStatusBar                                              
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

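ErrorToStatusBar proc pszError:LPSTR, status:DWORD

; Shows a message in part 0 of the status bar (g_hwndStatusBar).
;
; pszError:
;	Pointer to a zero-terminated message that is shown first
;	NULL	- No message text; only the system description of status is shown
;	-1		- Clear Status Bar
; status:
;	0		- Nothing is appended
;	other	- Converted with NtStatusToDosError and looked up with
;			  FormatMessage; the description (or "Error number not found.")
;			  is appended to the message
;
; Returns nothing. All general-purpose registers and EFLAGS are preserved
; (pushfd/pushad ... popad/popfd), so the routine can be called anywhere.

local acErrorDescription[256]:CHAR
local acBuffer[1024]:CHAR

    pushfd
    pushad

	.if pszError == -1
		; Clear status bar
		invoke SendMessage, g_hwndStatusBar, SB_SETTEXT, 0, NULL
	.else

		; Start from an empty string. With pszError == NULL nothing is copied
		; below, and lstrcat / SB_SETTEXT would otherwise read whatever the
		; stack happened to contain.
		mov byte ptr acBuffer[0], 0

		.if pszError != NULL
			; Bounded copy: cap the message so that the description appended
			; below (at most sizeof acErrorDescription bytes, terminator
			; included) can never run past the end of acBuffer.
			invoke lstrcpyn, addr acBuffer, pszError, sizeof acBuffer - sizeof acErrorDescription
		.endif

		.if status != 0
			invoke NtStatusToDosError, status
			; Keep the code in ecx: invoke uses eax to form the "addr"
			; arguments of the next call.
			mov ecx, eax

			; IGNORE_INSERTS: no argument array is supplied, so insert
			; sequences (%1 ...) in a system message must be left as text
			; instead of being expanded from a NULL argument list.
			invoke FormatMessage, FORMAT_MESSAGE_FROM_SYSTEM or FORMAT_MESSAGE_IGNORE_INSERTS, NULL,\
						 ecx, SUBLANG_DEFAULT SHL 10 + LANG_NEUTRAL, addr acErrorDescription, sizeof acErrorDescription, NULL

			.if eax != 0
				invoke lstrcat, addr acBuffer, addr acErrorDescription
			.else
				invoke lstrcat, addr acBuffer, $CTA0("Error number not found.")
			.endif
		.endif

		; SendMessage returns only after the control has processed the text,
		; so handing it a stack buffer is fine.
		invoke SendMessage, g_hwndStatusBar, SB_SETTEXT, 0, addr acBuffer

	.endif

    popad
    popfd

    ret

ErrorToStatusBar endp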

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                        FillComboBox                                               
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

FillComboBox proc uses esi edi ebx

; Rebuilds the dump-size combo box (g_hwndComboSize): one entry per string in
; aszSizes, each tagged with its numeric size as item data, and selects the
; entry at index 2 ("64").
;
; Register roles inside the loop:
;	ebx = index of the current entry
;	esi = number of entries in aszSizes
;	edi = item data of the current entry (10h, 20h, 40h, ... doubling per entry)

.data
aszSizes	dd $CTA0("16")
			dd $CTA0("32")
			dd $CTA0("64")
			dd $CTA0("128")
			dd $CTA0("256")
			dd $CTA0("512")
			dd $CTA0("1024")
			dd $CTA0("2048")
			dd $CTA0("4096")
cbSizes		equ $-aszSizes
.code

	invoke SendMessage, g_hwndComboSize, CB_RESETCONTENT, 0, 0

	mov esi, cbSizes / sizeof DWORD		; one DWORD string pointer per entry
	mov edi, 10h						; the first entry stands for 16 bytes
	xor ebx, ebx

	.while ebx < esi

		; CB_ADDSTRING returns the index of the new item in eax; that index
		; is used right away to attach the numeric size to the item.
		invoke SendMessage, g_hwndComboSize, CB_ADDSTRING, 0, aszSizes[ebx*4]
		invoke SendMessage, g_hwndComboSize, CB_SETITEMDATA, eax, edi

		shl edi, 1						; next entry is twice as large
		inc ebx
	.endw

	; set size of 64 bytes by default
	invoke SendMessage, g_hwndComboSize, CB_SETCURSEL , 2, 0

	ret

FillComboBox endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                         PrintHexDump                                              
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PrintHexDump proc uses esi edi ebx pVirtAddress:LPVOID, dwPhysAddress:DWORD, dwSize:DWORD

local acBuffer[256]:CHAR
local dwPhysAddressCurrent:DWORD
local dwFmt:DWORD

.data
szFmt1	db "%08X:  %02X %02X %02X %02X %02X %02X %02X %02X-%02X %02X %02X %02X %02X %02X %02X %02X  ", 0
szFmt2	db "%08X:  %04X  %04X  %04X  %04X  %04X  %04X  %04X  %04X   ", 0
szFmt4	db "%08X:  %08X    %08X    %08X    %08X     ", 0

.code

	_try

	mov edi, g_pTextBuffer
	invoke fZeroMemory, edi, TEXT_BUFFER_SIZE
	mov esi, pVirtAddress
	push dwPhysAddress
	pop dwPhysAddressCurrent
	mov ebx, dwSize
	.if ( esi != NULL ) && ( ebx != 0 )

		; wich format: byte, word or dword?
		invoke IsDlgButtonChecked, g_hDlg, IDR_BYTE
		.if eax == BST_CHECKED
			mov dwFmt, IDR_BYTE
		.endif
		invoke IsDlgButtonChecked, g_hDlg, IDR_WORD
		.if eax == BST_CHECKED
			mov dwFmt, IDR_WORD
		.endif
		invoke IsDlgButtonChecked, g_hDlg, IDR_DWORD
		.if eax == BST_CHECKED
			mov dwFmt, IDR_DWORD
		.endif

		shr ebx, 4				; / 16 - number of 16-byte lines to print

		.while ebx
			mov ecx, 16
			xor eax, eax
			.while ecx
				.if dwFmt == IDR_WORD
					dec ecx
					dec ecx
					mov ax, [esi][ecx]
				.elseif dwFmt == IDR_DWORD
					sub ecx, 4
					mov eax, [esi][ecx]
				.else
					dec ecx
					mov al, [esi][ecx]
				.endif
				push eax
			.endw

			push dwPhysAddressCurrent

			.if dwFmt == IDR_WORD
				push offset szFmt2
			.elseif dwFmt == IDR_DWORD
				push offset szFmt4
			.else
				push offset szFmt1
			.endif

			push edi				; current pointer to text buffer
			call wsprintf
			.if dwFmt == IDR_WORD
				add esp, 02Ch
			.elseif dwFmt == IDR_DWORD
				add esp, 01Ch
			.else
				add esp, 04Ch
			.endif

			add edi, eax			; shift current pointer to next free place

			xor ecx, ecx
			.while ecx < 16
				mov al, [esi][ecx]
				.if al < ' '
					mov al, '.'
				.endif
				stosb
