📄 plugin.pas
字号:
DEC_NEXTDATA = $03; // Subsequent byte of data
DEC_DWORD = $04; // Accessed as long
DEC_FLOAT4 = $05; // Accessed as float
DEC_FWORD = $06; // Accessed as descriptor/long pointer
DEC_FLOAT8 = $07; // Accessed as double
DEC_QWORD = $08; // Accessed as 8-byte integer
DEC_FLOAT10 = $09; // Accessed as long double
DEC_TBYTE = $0A; // Accessed as 10-byte integer
DEC_STRING = $0B; // Zero-terminated ASCII string
DEC_UNICODE = $0C; // Zero-terminated UNICODE string
DEC_3DNOW = $0D; // Accessed as 3Dnow operand
DEC_SSE = $0E; // Accessed as SSE operand
DEC_TEXT = $10; // For use in t_result only
DEC_BYTESW = $11; // Accessed as byte index to switch
DEC_NEXTCODE = $13; // Subsequent byte of command
DEC_COMMAND = $1D; // First byte of command
DEC_JMPDEST = $1E; // Jump destination
DEC_CALLDEST = $1F; // Call (and maybe jump) destination
DEC_PROCMASK = $60; // Procedure analysis
DEC_PROC = $20; // Start of procedure
DEC_PBODY = $40; // Body of procedure
DEC_PEND = $60; // End of procedure
DEC_CHECKED = $80; // Byte was analysed
DEC_SIGNED = $100; // For use in t_result only
DISASM_SIZE = 0; // Determine command size only
DISASM_DATA = 1; // Determine size and analysis data
DISASM_TRACE = 2; // Trace integer registers
DISASM_FILE = 3; // Disassembly, no symbols/registers
DISASM_CODE = 4; // Disassembly, registers undefined
DISASM_ALL = 5; // Complete disassembly
DISASM_RTRACE = 6; // Disassemble with run-trace registers
DISASM_MODE = $0000000F; // Mask to extract disassembling mode
DISASM_HILITE = $000F0000; // Mask to extract highlighting mode
DISASM_HLSHIFT = 16; // Shift to extract highlighting mode
// Warnings issued by Disasm():
DAW_FARADDR = $0001; // Command is a far jump, call or return
DAW_SEGMENT = $0002; // Command loads segment register
DAW_PRIV = $0004; // Privileged command
DAW_IO = $0008; // I/O command
DAW_SHIFT = $0010; // Shift constant out of range 1..31
DAW_PREFIX = $0020; // Superfluous prefix
DAW_LOCK = $0040; // Command has LOCK prefix
DAW_STACK = $0080; // Unaligned stack operation
DAW_DANGER95 = $1000; // May mess up Win95/98 if executed
DAW_DANGEROUS = $3000; // May mess up any OS if executed
RST_INVALID = 0; // Register undefined
RST_VALUE = 1; // Register contains regdata
RST_VFIXUP = 2; // Reg contains regdata that is fixup
RST_INDIRECT = 3; // Register contains [regdata]
type
p_reg = ^t_reg;
t_reg = packed record // Excerpt from context
modified: Integer; // Some regs modified, update context
modifiedbyuser: Integer; // Among modified, some modified by user
singlestep: Integer; // Type of single step, SS_xxx
r: array[0..7] of ULONG; // EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI
ip: ULONG; // Instruction pointer (EIP)
flags: ULONG; // Flags
top: Integer; // Index of top-of-stack
f: array[0..7] of Extended; // Float registers, f[top] - top of stack
tag: array[0..7] of Char; // Float tags (0x3 - empty register)
fst: ULONG; // FPU status word
fcw: ULONG; // FPU control word
s: array[0..5] of ULONG; // Segment registers ES,CS,SS,DS,FS,GS
base: array[0..5] of ULONG; // Segment bases
limit: array[0..5] of ULONG; // Segment limits
big: array[0..5] of Char; // Default size (0-16, 1-32 bit)
dr6: ULONG; // Debug register DR6
threadid: ULONG; // ID of thread that owns registers
lasterror: ULONG; // Last thread error or 0xFFFFFFFF
ssevalid: Integer; // Whether SSE registers valid
ssemodified: Integer; // Whether SSE registers modified
ssereg: array[0..7, 0..15] of Char; // SSE registers
mxcsr: ULONG; // SSE control and status register
selected: Integer; // Reports selected register to plugin
dummy: array[0..3] of ULONG; // Reserved for future compatibility
end;
p_operand = ^t_operand;
t_operand = packed record // Full decription of command's operand
optype: Char; // DEC_xxx (mem) or DECR_xxx (reg,const)
opsize: Char; // Size of operand
regscale: array[0..7] of Char; // Scales of registers
seg: Char; // Segment register
opconst: ULONG; // Constant
end;
p_disasm = ^t_disasm;
t_disasm = packed record // Results of disassembling
ip: ULONG; // Instrucion pointer
dump: array[0..TEXTLEN-1] of Char; // Hexadecimal dump of the command
result: array[0..TEXTLEN-1] of Char; // Disassembled command
comment: array[0..TEXTLEN-1] of Char; // Brief comment
opinfo: array[0..2, 0..TEXTLEN-1] of Char; // Comments to command's operands
cmdtype: Integer; // One of C_xxx
memtype: Integer; // Type of addressed variable in memory
nprefix: Integer; // Number of prefixes
indexed: Integer; // Address contains register(s)
jmpconst: ULONG; // Constant jump address
jmptable: ULONG; // Possible address of switch table
adrconst: ULONG; // Constant part of address
immconst: ULONG; // Immediate constant
zeroconst: Integer; // Whether contains zero constant
fixupoffset: Integer; // Possible offset of 32-bit fixups
fixupsize: Integer; // Possible total size of fixups or 0
jmpaddr: ULONG; // Destination of jump/call/return
condition: Integer; // 0xFF:unconditional, 0:false, 1:true
error: Integer; // Error while disassembling command
warnings: Integer; // Combination of DAW_xxx
optype: array[0..2] of Integer; // Type of operand (extended set DEC_xxx)
opsize: array[0..2] of Integer; // Size of operand, bytes
opgood: array[0..2] of Integer; // Whether address and data valid
opaddr: array[0..2] of ULONG; // Address if memory, index if register
opdata: array[0..2] of ULONG; // Actual value (only integer operands)
op: array[0..2] of t_operand; // Full description of operand
regdata: array[0..7] of ULONG; // Registers after command is executed
regstatus: array[0..7] of Integer; // Status of registers, one of RST_xxx
addrdata: ULONG; // Traced memory address
addrstatus: Integer; // Status of addrdata, one of RST_xxx
regstack: array[0..NREGSTACK-1] of ULONG; // Stack tracing buffer
rststatus: array[0..NREGSTACK-1] of Integer;// Status of stack items
nregstack: Integer; // Number of items in stack trace buffer
reserved: array[0..28] of ULONG; // Reserved for plugin compatibility
end;
function Disasm(src: PChar; srcsize: ULONG; srcip: ULONG; srcdec: PChar;
disasm: p_disasm; disasmmode: Integer; threadid: ULONG): ULONG; cdecl;
function Disassembleback(block: PChar; base: ULONG; size: ULONG;
ip: ULONG; n: Integer; usedec: Integer): ULONG; cdecl;
function Disassembleforward(block: PChar; base: ULONG; size: ULONG;
ip: ULONG; n: Integer; usedec: Integer): ULONG; cdecl;
function Issuspicious(cmd: PChar; size: ULONG; ip: ULONG;
threadid: ULONG; preg: p_reg; s: PChar): Integer; cdecl;
function Isfilling(offset: ULONG; data: PChar; size: ULONG; align: ULONG): Integer; cdecl;
function Isprefix(c: Integer): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
/////////////////////////////// ASSEMBLY FUNCTIONS /////////////////////////////
function Assemble(cmd: PChar; ip: ULONG; model: p_asmmodel; attempt: Integer;
constsize: Integer; errtext: PChar): Integer; cdecl;
function Checkcondition(code: Integer; flags: ULONG): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////// EXPRESSIONS /////////////////////////////////
type
t_result_union1 = packed record
case Byte of
0: (data: array[0..9] of Char); // Binary form of expression's value
1: (u: ULONG); // Value as unsigned integer
2: (l: LongInt); // Value as signed integer
3: (f: Extended); // Value as 80-bit float
end;
t_result_union2 = packed record
case Byte of
0: (value: array[0..TEXTLEN - 1] of Char); // ASCII form of expression's value
1: (wvalue: array[0..(TEXTLEN div 2) - 1] of WChar); // UNICODE form of expression's value
end;
p_result = ^t_result;
t_result = packed record // Result of expression's evaluation
etype: Integer; // Type of expression, DEC(R)_xxx
dtype: Integer; // Type of data, DEC_xxx
u1: t_result_union1;
u2: t_result_union2;
lvaddr: ULONG; // Address of lvalue or NULL
end;
function Expression(result: p_result; expression: PChar; a, b: Integer;
data: PChar; database, datasize, threadid: ULONG): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
//////////////////////////////// THREAD FUNCTIONS //////////////////////////////
type
p_thread = ^t_thread;
t_thread = packed record // Information about active threads
threadid: ULONG; // Thread identifier
dummy: ULONG; // Always 1
ltype: ULONG; // Service information, TY_xxx
thread: THandle; // Thread handle
datablock: ULONG; // Per-thread data block
entry: ULONG; // Thread entry point
stacktop: ULONG; // Working variable of Listmemory()
stackbottom: ULONG; // Working variable of Listmemory()
context: CONTEXT; // Actual context of the thread
reg: t_reg; // Actual contents of registers
regvalid: Integer; // Whether reg is valid
oldreg: t_reg; // Previous contents of registers
oldregvalid: Integer; // Whether oldreg is valid
suspendcount: Integer; // Suspension count (may be negative)
usertime: LongInt; // Time in user mode, 1/10th ms, or -1
systime: LongInt; // Time in system mode, 1/10th ms, or -1
reserved: array[0..15] of ULONG; // Reserved for future compatibility
end;
function Createthreadwindow: HWND; cdecl;
function Findthread(threadid: ULONG): p_thread; cdecl;
function Decodethreadname(s: PChar; threadid: ULONG; mode: Integer): Integer; cdecl;
function Getcputhreadid: ULONG; cdecl;
function Runsinglethread(threadid: ULONG): ULONG; cdecl;
procedure Restoreallthreads; cdecl;
////////////////////////////////////////////////////////////////////////////////
//////////////////////////////// MEMORY FUNCTIONS //////////////////////////////
// Mode bits recognized by Readmemory() and Writememory().
const
MM_RESTORE = $01; // Restore or remove INT3 breakpoints
MM_SILENT = $02; // Don't display error message
MM_DELANAL = $04; // Delete analysis from the memory
MM_RESILENT = MM_RESTORE or MM_SILENT;
type
p_memory = ^t_memory;
t_memory = packed record // Memory block descriptor
base: ULONG; // Base address of memory block
size: ULONG; // Size of block
ltype: ULONG; // Service information, TY_xxx
owner: ULONG; // Address of owner of the memory
initaccess: ULONG; // Initial read/write access
access: ULONG; // Actual status and read/write access
threadid: ULONG; // Block belongs to this thread or 0
sect: array[0..SHORTLEN-1] of Char; // Name of module section
copy: PChar; // Copy used in CPU window or NULL
reserved: array[0..7] of ULONG; // Reserved for plugin compatibility
end;
p_heap = ^t_heap;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -