dump.dpr

library dump;

uses
  windows,
  uallTableHook,
  uallUtil,
  uallKernel,
  classes,
  sysutils;

// oldva  : address of the real kernel32!VirtualAlloc, resolved in the
//          initialization block at the bottom of this unit.
// nextva : filled in by uallTableHook.HookAPIJMP (presumably the trampoline
//          to the unhooked code — see uallTableHook); it is never called in
//          this file, so the intercepted allocation is never forwarded.
var nextva, oldva: function (lpvAddress: Pointer; dwSize, flAllocationType, flProtect: DWORD): Pointer; stdcall;
  // addr: lpvAddress of the intercepted VirtualAlloc call, stored by myva
  // and read by dumpmem. Declared as cardinal, so 32-bit only.
  addr: cardinal;

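function pesize(p: pointer): integer;
{ Returns the size in bytes of the on-disk image described by the PE headers
  at p: the largest PointerToRawData + SizeOfRawData over all section
  headers. Returns 0 when p does not start with a valid DOS/NT signature or
  when the image declares no sections (the original read one header *before*
  the table in that case). p must point at readable memory; the header fields
  themselves (_lfanew, NumberOfSections, SizeOfOptionalHeader) are trusted and
  not bounds-checked against any region size. }
var IDH: PImageDosHeader;
    INH: PImageNtHeaders;
    sectionh: PImageSectionHeader;
    i, sectionend: integer;
begin
  result := 0;
  IDH := p;
  if IDH^.e_magic <> IMAGE_DOS_SIGNATURE then
    exit;
  // PAnsiChar arithmetic is byte-granular on every Delphi version; casting
  // the pointer through cardinal truncates on 64-bit targets.
  INH := PImageNtHeaders(PAnsiChar(p) + IDH^._lfanew);
  if INH^.Signature <> IMAGE_NT_SIGNATURE then
    exit;
  // The section table follows the optional header, whose real length is
  // FileHeader.SizeOfOptionalHeader, not necessarily sizeof(TImageOptionalHeader).
  sectionh := PImageSectionHeader(PAnsiChar(@INH^.OptionalHeader)
      + INH^.FileHeader.SizeOfOptionalHeader);
  // Sections need not be stored in file order, so take the maximum end offset
  // instead of trusting the last header alone.
  for i := 0 to integer(INH^.FileHeader.NumberOfSections) - 1 do
  begin
    sectionend := integer(sectionh^.PointerToRawData + sectionh^.SizeOfRawData);
    if sectionend > result then
      result := sectionend;
    inc(sectionh);   // typed Inc advances by sizeof(TImageSectionHeader)
  end;
end;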

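procedure dumpmem;
{ Writes pesize() bytes starting at addr (captured by the VirtualAlloc hook)
  to 'unmorphed_<exe name>' in the executable's directory, reports the result
  in a message box and then terminates the process. Never returns.
  When no valid PE header is found at addr nothing is written, so a zero-byte
  output file is no longer left behind.
  NOTE(review): the byte count comes from the section headers' raw (file)
  sizes while the bytes are read from the mapped image, so the output is only
  a loadable file when the image's file and section alignments coincide —
  confirm for the packers this targets. Reading pesize() bytes from addr also
  assumes the whole range is committed; an unmapped page raises an access
  violation inside the hook. }
var fm: TFilestream;
    s: String;
    size: integer;
begin
  // Build the output path once instead of recomputing it for the message.
  s := uallUtil.GetExeDirectory+'unmorphed_'+
    uallUtil.ExtractFileNameWithExtention(paramstr(0));
  size := pesize(pointer(addr));
  if size > 0 then
  begin
    fm := TFilestream.Create(s,fmcreate);
    try
      fm.Write(pointer(addr)^,size);
    finally
      fm.free;   // release the handle even if Write raises
    end;
    MessageBox(0,pchar('unmorphed file saved to: '+s),'unmorphine',0);
  end
  else
    MessageBox(0,'no PE image found at the hooked address; nothing saved','unmorphine',0);
  ExitProcess(0);
end;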

procedure myva;
{ Replacement for kernel32!VirtualAlloc installed by the initialization block
  below. Copies the first stdcall argument (lpvAddress) into addr and hands
  off to dumpmem, which terminates the process; the original VirtualAlloc
  (nextva) is never invoked, so this routine never returns to its caller and
  the intercepted allocation never happens. x86-32 only: the argument is
  read relative to ebp. }
asm
  mov eax, [ebp+8]   // lpvAddress; assumes the compiler emitted a standard
                     // push ebp / mov ebp,esp prologue — TODO confirm
  mov addr, eax
  call dumpmem       // does not return (ExitProcess)
end;

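begin
  // Library initialization: redirect kernel32!VirtualAlloc to myva.
  // GetProcAddress returns nil on failure; installing the hook in that case
  // would patch address 0, so only hook when the export was resolved.
  @oldva := GetProcAddress(GetModuleHandle('kernel32.dll'),'VirtualAlloc');
  if Assigned(oldva) then
    uallTableHook.HookAPIJMP(@oldva,@myva,@nextva);
end.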
 
