📄 immplugin.pas
字号:
opaddr: array[0..2] of ULONG; // Address if memory, index if register
opdata: array[0..2] of ULONG; // Actual value (only integer operands)
op: array[0..2] of t_operand; // Full description of operand
regdata: array[0..7] of ULONG; // Registers after command is executed
regstatus: array[0..7] of Integer; // Status of registers, one of RST_xxx
addrdata: ULONG; // Traced memory address
addrstatus: Integer; // Status of addrdata, one of RST_xxx
regstack: array[0..NREGSTACK-1] of ULONG; // Stack tracing buffer
rststatus: array[0..NREGSTACK-1] of Integer;// Status of stack items
nregstack: Integer; // Number of items in stack trace buffer
reserved: array[0..28] of ULONG; // Reserved for plugin compatibility
end;
Var
Disasm : function (src: PChar; srcsize: ULONG; srcip: ULONG; srcdec: PChar; disasm: p_disasm; disasmmode: Integer; threadid: ULONG): ULONG; cdecl;
Disassembleback : function (block: PChar; base: ULONG; size: ULONG; ip: ULONG; n: Integer; usedec: Integer): ULONG; cdecl;
Disassembleforward : function (block: PChar; base: ULONG; size: ULONG; ip: ULONG; n: Integer; usedec: Integer): ULONG; cdecl;
Issuspicious : function (cmd: PChar; size: ULONG; ip: ULONG; threadid: ULONG; preg: p_reg; s: PChar): Integer; cdecl;
Isfilling : function (offset: ULONG; data: PChar; size: ULONG; align: ULONG): Integer; cdecl;
Isprefix : function (c: Integer): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
/////////////////////////////// ASSEMBLY FUNCTIONS /////////////////////////////
Assemble : function (cmd: PChar; ip: ULONG; model: p_asmmodel; attempt: Integer; constsize: Integer; errtext: PChar): Integer; cdecl;
Checkcondition : function (code : Integer; flags: ULONG): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////// EXPRESSIONS /////////////////////////////////
type
t_result_union1 = packed record
case Byte of
0: (data: array[0..9] of Char); // Binary form of expression's value
1: (u: ULONG); // Value as unsigned integer
2: (l: LongInt); // Value as signed integer
3: (f: Extended); // Value as 80-bit float
end;
t_result_union2 = packed record
case Byte of
0: (value: array[0..TEXTLEN - 1] of Char); // ASCII form of expression's value
1: (wvalue: array[0..(TEXTLEN div 2) - 1] of WChar); // UNICODE form of expression's value
end;
p_result = ^t_result;
t_result = packed record // Result of expression's evaluation
etype: Integer; // Type of expression, DEC(R)_xxx
dtype: Integer; // Type of data, DEC_xxx
u1: t_result_union1;
u2: t_result_union2;
lvaddr: ULONG; // Address of lvalue or NULL
end;
Var
Expression : function (result: p_result; expression: PChar; a, b: Integer; data: PChar; database, datasize, threadid: ULONG): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
//////////////////////////////// THREAD FUNCTIONS //////////////////////////////
type
p_thread = ^t_thread;
t_thread = packed record // Information about active threads
threadid: ULONG; // Thread identifier
dummy: ULONG; // Always 1
ltype: ULONG; // Service information, TY_xxx
thread: THandle; // Thread handle
datablock: ULONG; // Per-thread data block
entry: ULONG; // Thread entry point
stacktop: ULONG; // Working variable of Listmemory()
stackbottom: ULONG; // Working variable of Listmemory()
context: CONTEXT; // Actual context of the thread
reg: t_reg; // Actual contents of registers
regvalid: Integer; // Whether reg is valid
oldreg: t_reg; // Previous contents of registers
oldregvalid: Integer; // Whether oldreg is valid
suspendcount: Integer; // Suspension count (may be negative)
usertime: LongInt; // Time in user mode, 1/10th ms, or -1
systime: LongInt; // Time in system mode, 1/10th ms, or -1
reserved: array[0..15] of ULONG; // Reserved for future compatibility
end;
Var
Createthreadwindow : function : HWND; cdecl;
Findthread : function (threadid: ULONG): p_thread; cdecl;
Decodethreadname : function (s: PChar; threadid: ULONG; mode: Integer): Integer; cdecl;
Getcputhreadid : function : ULONG; cdecl;
Runsinglethread : function (threadid: ULONG): ULONG; cdecl;
Restoreallthreads : procedure; cdecl;
////////////////////////////////////////////////////////////////////////////////
//////////////////////////////// MEMORY FUNCTIONS //////////////////////////////
// Mode bits recognized by Readmemory() and Writememory().
const
MM_RESTORE = $01; // Restore or remove INT3 breakpoints
MM_SILENT = $02; // Don't display error message
MM_DELANAL = $04; // Delete analysis from the memory
MM_RESILENT = MM_RESTORE or MM_SILENT;
type
p_memory = ^t_memory;
t_memory = packed record // Memory block descriptor
base: ULONG; // Base address of memory block
size: ULONG; // Size of block
ltype: ULONG; // Service information, TY_xxx
owner: ULONG; // Address of owner of the memory
initaccess: ULONG; // Initial read/write access
access: ULONG; // Actual status and read/write access
threadid: ULONG; // Block belongs to this thread or 0
sect: array[0..SHORTLEN-1] of Char; // Name of module section
copy: PChar; // Copy used in CPU window or NULL
reserved: array[0..7] of ULONG; // Reserved for plugin compatibility
end;
p_heap = ^t_heap;
t_heap = packed record // Heap block descriptor
base: ULONG; // Base address of heap block
size: ULONG; // Size of heap block
ltype: ULONG; // Service information, TY_xxx
parent: ULONG; // Handle of heap descriptor block
end;
Var
Listmemory : function : Integer; cdecl;
Findmemory : function (addr: ULONG): p_memory; cdecl;
Guardmemory : function (base: ULONG; size: ULONG; guard: Integer): Integer; cdecl;
Havecopyofmemory : Procedure (copy: PChar; base: ULONG; size: ULONG); cdecl;
Readmemory : function (buf: Pointer; addr: ULONG; size: ULONG; mode: Integer): ULONG; cdecl;
Writememory : function (buf: Pointer; addr: ULONG; size: ULONG; mode: Integer): ULONG; cdecl;
Readcommand : function (ip: ULONG; cmd: PChar): ULONG; cdecl;
////////////////////////////////////////////////////////////////////////////////
//////////////////////////////// MODULE FUNCTIONS //////////////////////////////
const
NVERS = 32; // Max allowed length of file version
// Types of recognized jumps.
JT_JUMP = 0; // Unconditional jump
JT_COND = 1; // Conditional jump
JT_SWITCH = 2; // Jump via switch table
type
p_ahint = ^t_ahint;
t_ahint = packed record // User-supplied hint for analysis
addr: ULONG; // Hint address
size: ULONG; // Hint size
ltype: ULONG; // Hint type, bits from DEC_TYPEMASK
end;
p_stringtable = ^t_stringtable;
t_stringtable = packed record // Pointers to string resources
name: ULONG; // Name of block of strings
language: ULONG; // Language identifier
addr: ULONG; // Address of block in memory
size: ULONG; // Size of block in memory
end;
p_fixup = ^t_fixup;
t_fixup = packed record
base: ULONG; // Address of fixup
size: ULONG; // Size of fixup (usually 2 or 4 bytes)
end;
t_symvar_union1 = packed record
case Byte of
0: (ltype: ULONG); // Type of variable
1: (regs: ULONG); // Registers in optvar
end;
t_symvar_union2 = packed record
case Byte of
1: (addr: ULONG); // Address or description of registers
2: (offset: LongInt); // Offset for EBP-relative data
end;
p_symvar = ^t_symvar;
t_symvar = packed record // Symbolic variable from debug data
next: Integer; // Index of next variable in chain or -1
kind: Word; // Kind of variable
u1: t_symvar_union1;
u2: t_symvar_union2;
size: ULONG; // Size of variable or optvar data
optvar: Integer; // Index of optvar chain or -1
nameaddr: ULONG; // NM_DEBUG address of var's name
end;
p_jdest = ^t_jdest;
t_jdest = packed record // Element of jump data
ctype: Char; // Type of jump, one of JT_xxx
lfrom: ULONG; // Jump source
lto: ULONG; // Jump destination
end;
p_module = ^t_module;
t_module = packed record // Executable module descriptor
base: ULONG; // Base address of module
size: ULONG; // Size occupied by module
ltype: ULONG; // Service information, TY_xxx
codebase: ULONG; // Base address of module code block
codesize: ULONG; // Size of module code block
resbase: ULONG; // Base address of resources
ressize: ULONG; // Size of resources
stringtable: p_stringtable; // Pointers to string resources or NULL
nstringtable: Integer; // Actual number of used stringtable
maxstringtable: Integer; // Actual number of allocated stringtable
entry: ULONG; // Address of <ModuleEntryPoint> or NULL
database: ULONG; // Base address of module data block
idatatable: ULONG; // Base address of import data table
idatabase: ULONG; // Base address of import data block
edatatable: ULONG; // Base address of export data table
edatasize: ULONG; // Size of export data table
reloctable: ULONG; // Base address of relocation table
relocsize: ULONG; // Size of relocation table
name: array[0..SHORTLEN-1] of Char; // Short name of the module
path: array[0..MAX_PATH-1] of Char; // Full name of the module
nsect: Integer; // Number of sections in the module
sect: PImageSectionHeader; // Copy of section headers from file
headersize: ULONG; // Total size of headers in executable
fixupbase: ULONG; // Base of image in executable file
nfixup: Intege⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -