library dump;
uses
windows,
uallTableHook,
uallUtil,
uallKernel,
classes,
sysutils;
{ Function-pointer slots with VirtualAlloc's signature.  oldva is resolved to
  kernel32!VirtualAlloc in the initialisation block and passed to HookAPIJMP;
  nextva is handed to HookAPIJMP as its third argument -- presumably it
  receives the continuation to the original function, but nothing in this
  file ever calls it. }
var nextva, oldva: function (lpvAddress: Pointer; dwSize, flAllocationType, flProtect: DWORD): Pointer; stdcall;
{ lpvAddress captured by the myva hook; dumpmem reads the image from here. }
addr: cardinal;
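{ Size in bytes of the on-disk image described by the PE headers at p: the
  furthest end (PointerToRawData + SizeOfRawData) over all section headers.
  Returns 0 when p is nil, the DOS/NT signatures are missing, or the header
  declares no sections.
  The headers are untrusted data (p is whatever the hooked process handed
  VirtualAlloc); only the header region is dereferenced here, and the caller
  must make sure that region is readable. }
function pesize(p: pointer): integer;
var
  IDH: PImageDosHeader;
  INH: PImageNtHeaders;
  sectionh: PImageSectionHeader;
  i, sectionEnd: integer;
begin
  result := 0;
  IDH := p;
  if (IDH = nil) or (IDH^.e_magic <> IMAGE_DOS_SIGNATURE) then
    exit;
  INH := pointer(cardinal(p) + cardinal(IDH^._lfanew));
  if INH^.Signature <> IMAGE_NT_SIGNATURE then
    exit;
  { The section table starts after Signature + FileHeader + the optional
    header, whose real length is SizeOfOptionalHeader -- it is not
    necessarily sizeof(TImageOptionalHeader). }
  sectionh := pointer(cardinal(INH) + sizeof(DWORD) + sizeof(TImageFileHeader)
    + INH^.FileHeader.SizeOfOptionalHeader);
  { Sections need not be in file order, so take the maximum over all of them
    instead of trusting the last header; a zero-iteration loop also avoids
    indexing at -1 when NumberOfSections is 0. }
  for i := 1 to INH^.FileHeader.NumberOfSections do
  begin
    sectionEnd := integer(sectionh^.PointerToRawData + sectionh^.SizeOfRawData);
    if sectionEnd > result then
      result := sectionEnd;
    inc(sectionh);
  end;
end;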
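{ Write the image at addr to "unmorphed_<exe name>" in the executable's
  directory, report the result with a message box, and terminate the process.
  Runs on the hooked thread inside VirtualAlloc and never returns
  (ExitProcess), so the intercepted allocation is never carried out.
  NOTE(review): pesize yields the on-disk size from the section table, while
  the bytes are copied from the in-memory image at addr -- whether the two
  layouts coincide depends on how the packer mapped the image; confirm. }
procedure dumpmem;
var
  fm: TFileStream;
  outPath: String;
  size: integer;
begin
  outPath := uallUtil.GetExeDirectory + 'unmorphed_' +
    uallUtil.ExtractFileNameWithExtention(paramstr(0));
  size := pesize(pointer(addr));
  if size <= 0 then
  begin
    { No usable PE header at addr: do not leave a misleading empty file
      behind and do not claim success. }
    MessageBox(0, 'no valid PE header at the address passed to VirtualAlloc; nothing was dumped',
      'unmorphine', 0);
    ExitProcess(1);
  end;
  fm := TFileStream.Create(outPath, fmCreate);
  try
    fm.Write(pointer(addr)^, size);
  finally
    fm.Free;
  end;
  MessageBox(0, pchar('unmorphed file saved to: ' + outPath), 'unmorphine', 0);
  ExitProcess(0);
end;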
{ Hook body installed over kernel32!VirtualAlloc by the initialisation block.
  Copies the first stack argument into addr and jumps into dumpmem, which
  terminates the process; nextva is never invoked, so the real allocation
  does not happen.
  NOTE(review): [ebp+8] is VirtualAlloc's lpvAddress only if a standard EBP
  frame exists when this code runs (compiler prologue or a frame set up by
  HookAPIJMP's trampoline) -- confirm against uallTableHook.HookAPIJMP. }
procedure myva;
asm
{ first stack argument under an EBP frame: lpvAddress }
mov eax, [ebp+8]
mov addr, eax
{ does not return -- dumpmem ends in ExitProcess }
call dumpmem
end;
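{ Library initialisation: resolve kernel32!VirtualAlloc and redirect it to
  myva with a JMP hook; HookAPIJMP receives @nextva as its third argument. }
begin
  @oldva := GetProcAddress(GetModuleHandle('kernel32.dll'), 'VirtualAlloc');
  { Patching a nil address would corrupt memory; refuse to install instead. }
  if not Assigned(oldva) then
  begin
    MessageBox(0, 'could not resolve kernel32!VirtualAlloc; hook not installed',
      'unmorphine', 0);
    exit;
  end;
  uallTableHook.HookAPIJMP(@oldva, @myva, @nextva);
end.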