// Heap block descriptor: one entry per heap block the debugger knows about.
// Byte-packed so the layout matches the debugger's C structure; do not add,
// remove or reorder fields. The TY_xxx flag constants are declared elsewhere
// in this unit (not visible here).
t_heap = packed record // Heap block descriptor
base: ULONG; // Base address of heap block
size: ULONG; // Size of heap block, bytes (presumably the block is [base, base+size))
ltype: ULONG; // Service information, TY_xxx flags; named ltype because "type" is reserved in Pascal
parent: ULONG; // Handle of heap descriptor block
end;
// Debuggee-memory access functions exported by the debugger. All use the C
// calling convention (cdecl); their binding to the actual exports lives
// elsewhere in this unit. Buffers are raw byte buffers and sizes are in bytes;
// none of these calls can check the caller's buffer length, so the caller
// must guarantee it.

// Presumably refreshes the debugger's list of memory blocks (the name is the
// only evidence). Returns an Integer status whose meaning is not visible here.
function Listmemory: Integer; cdecl;
// Locate the memory block containing addr. p_memory is declared earlier in
// this unit. The result is presumably nil when addr lies in no known block -
// test before dereferencing.
function Findmemory(addr: ULONG): p_memory; cdecl;
// Set or clear a memory guard on size bytes starting at base; guard is a flag
// whose values are not visible here. Returns an Integer status.
function Guardmemory(base: ULONG; size: ULONG; guard: Integer): Integer; cdecl;
// Hand the debugger a copy of size bytes of the region starting at base.
// copy must point to at least size readable bytes.
procedure Havecopyofmemory(copy: PChar; base: ULONG; size: ULONG); cdecl;
// Read size bytes of debuggee memory at addr into buf; mode is an MM_xxx value
// declared elsewhere. Returns a ULONG - presumably the number of bytes actually
// transferred (confirm against the C header). Callers should compare the
// result with size rather than assume a full read; buf must hold size bytes.
function Readmemory(buf: Pointer; addr: ULONG; size: ULONG; mode: Integer): ULONG; cdecl;
// Write size bytes from buf into debuggee memory at addr; mode is MM_xxx.
// Returns a ULONG like Readmemory (presumably bytes written - confirm).
function Writememory(buf: Pointer; addr: ULONG; size: ULONG; mode: Integer): ULONG; cdecl;
// Read the command (instruction bytes) at ip into cmd. There is no length
// parameter: cmd must be at least as large as the longest command the
// debugger can return (that maximum is not visible here - confirm against the
// C header before sizing the buffer). Returns a ULONG, presumably the length read.
function Readcommand(ip: ULONG; cmd: PChar): ULONG; cdecl;
////////////////////////////////////////////////////////////////////////////////
//////////////////////////////// MODULE FUNCTIONS //////////////////////////////
const
NVERS = 32; // Max allowed length of file version; size of t_module.version
// Types of recognized jumps; stored in t_jdest.ctype.
JT_JUMP = 0; // Unconditional jump
JT_COND = 1; // Conditional jump
JT_SWITCH = 2; // Jump via switch table
type
p_ahint = ^t_ahint;
// User-supplied hint for the analyser: tells it how to treat size bytes at
// addr. Byte-packed to match the C structure. DEC_TYPEMASK is declared
// elsewhere in this unit.
t_ahint = packed record // User-supplied hint for analysis
addr: ULONG; // Hint address
size: ULONG; // Hint size, bytes
ltype: ULONG; // Hint type, bits from DEC_TYPEMASK ("type" is reserved in Pascal)
end;
p_stringtable = ^t_stringtable;
// Descriptor of one block of string resources inside a module. t_module holds
// an array of these (stringtable / nstringtable). Byte-packed to match the C
// structure.
t_stringtable = packed record // Pointers to string resources
name: ULONG; // Name of block of strings
language: ULONG; // Language identifier
addr: ULONG; // Address of block in memory
size: ULONG; // Size of block in memory, bytes
end;
p_fixup = ^t_fixup;
// One relocation (fixup) extracted from the executable file. t_module.fixup
// points to an array of nfixup of these (or is nil). Byte-packed to match the
// C structure.
t_fixup = packed record
base: ULONG; // Address of fixup
size: ULONG; // Size of fixup (usually 2 or 4 bytes)
end;
// First anonymous union of the C t_symvar: the same 4 bytes are read either
// as a type or as a register description. This is a tagless variant record -
// the case labels are just labels, no tag byte is stored. Which member is
// meaningful presumably depends on t_symvar.kind (confirm against the C header).
t_symvar_union1 = packed record
case Byte of
0: (ltype: ULONG); // Type of variable ("type" is reserved in Pascal)
1: (regs: ULONG); // Registers in optvar
end;
// Second anonymous union of the C t_symvar: an absolute address or a signed
// EBP-relative offset sharing the same 4 bytes. Tagless variant record; the
// case labels (1, 2) are arbitrary labels with no stored tag. Which member
// applies presumably depends on t_symvar.kind (confirm against the C header).
t_symvar_union2 = packed record
case Byte of
1: (addr: ULONG); // Address or description of registers
2: (offset: LongInt); // Offset for EBP-relative data (signed)
end;
p_symvar = ^t_symvar;
// Symbolic variable from debug data. Variables live in the t_module.symvar
// array and are chained by index (next, optvar), -1 ending a chain. Any index
// taken from here should be checked against t_module.nsymvar before it is
// used to address the array. Byte-packed: kind is 16 bits and u1 follows it
// immediately at offset 6 with no padding - this only matches the debugger if
// its C header is also byte-aligned (verify).
t_symvar = packed record // Symbolic variable from debug data
next: Integer; // Index of next variable in chain or -1
kind: Word; // Kind of variable (16-bit)
u1: t_symvar_union1; // Type of variable, or registers in optvar
u2: t_symvar_union2; // Address, or signed EBP-relative offset
size: ULONG; // Size of variable or optvar data
optvar: Integer; // Index of optvar chain or -1
nameaddr: ULONG; // NM_DEBUG address of var's name (NM_DEBUG declared elsewhere)
end;
p_jdest = ^t_jdest;
// One recognised jump within a module. t_module.jddata points to an array of
// njddata of these. Byte-packed: the record is 9 bytes, so ctype must be a
// single byte - NOTE(review): this assumes Char is a 1-byte AnsiChar; on a
// Unicode Delphi use AnsiChar here or the layout no longer matches.
t_jdest = packed record // Element of jump data
ctype: Char; // Type of jump, one of JT_xxx ("type" is reserved in Pascal)
lfrom: ULONG; // Jump source address
lto: ULONG; // Jump destination address
end;
p_module = ^t_module;
// Executable module descriptor, as maintained by the debugger. Several fields
// form (pointer, count) pairs: stringtable/nstringtable, sect/nsect,
// fixup/nfixup, symvar/nsymvar, jddata/njddata. Index only below the count
// and test pointer fields for nil first - the field comments say which may be
// NULL. Byte-packed to match the C structure; do not reorder fields.
// NOTE(review): the Char arrays and PChar fields assume 1-byte characters
// (AnsiChar / PAnsiChar). On a Unicode Delphi, Char is 2 bytes and this record
// would no longer match the debugger's layout - verify before use there.
t_module = packed record // Executable module descriptor
base: ULONG; // Base address of module
size: ULONG; // Size occupied by module, bytes
ltype: ULONG; // Service information, TY_xxx ("type" is reserved in Pascal)
codebase: ULONG; // Base address of module code block
codesize: ULONG; // Size of module code block
resbase: ULONG; // Base address of resources
ressize: ULONG; // Size of resources
stringtable: p_stringtable; // Pointers to string resources or nil (NULL)
nstringtable: Integer; // Actual number of used stringtable entries
maxstringtable: Integer; // Number of allocated stringtable entries
entry: ULONG; // Address of <ModuleEntryPoint> or 0 (NULL)
database: ULONG; // Base address of module data block
idatatable: ULONG; // Base address of import data table
idatabase: ULONG; // Base address of import data block
edatatable: ULONG; // Base address of export data table
edatasize: ULONG; // Size of export data table
reloctable: ULONG; // Base address of relocation table
relocsize: ULONG; // Size of relocation table
name: array[0..SHORTLEN-1] of Char; // Short name of the module (C string; SHORTLEN declared elsewhere)
path: array[0..MAX_PATH-1] of Char; // Full name of the module (C string)
nsect: Integer; // Number of sections in the module (entries in sect)
sect: PImageSectionHeader; // Copy of section headers from file (nsect entries)
headersize: ULONG; // Total size of headers in executable
fixupbase: ULONG; // Base of image in executable file
nfixup: Integer; // Number of fixups in executable (entries in fixup)
fixup: p_fixup; // Extracted fixups or nil (NULL)
codedec: PChar; // Decoded code features or nil (NULL)
codecrc: ULONG; // Code CRC for actual decoding
hittrace: PChar; // Hit tracing data or nil (NULL)
hittracecopy: PChar; // Copy of INT3-substituted code (presumably the original bytes replaced by hit-trace INT3s)
datadec: PChar; // Decoded data features or nil (NULL)
namelist: t_table; // List of module names (t_table declared elsewhere)
symvar: p_symvar; // Descriptions of symbolic variables (array of nsymvar)
nsymvar: Integer; // Actual number of elements in symvar
maxsymvar: Integer; // Maximal number of elements in symvar
globaltypes: PChar; // Global types from debug info
mainentry: ULONG; // Address of WinMain() etc. in dbg data
realsfxentry: ULONG; // Entry of packed code or 0 (NULL)
updatenamelist: Integer; // Request to update namelist (nonzero = pending, presumably)
origcodesize: ULONG; // Original size of module code block
sfxbase: ULONG; // Base of memory block with SFX
sfxsize: ULONG; // Size of memory block with SFX
issystemdll: Integer; // Whether system DLL (nonzero = yes, presumably)
processed: Integer; // 0: not processed, 1: good, -1: bad
dbghelpsym: Integer; // 1: symbols loaded by dbghelp.dll
version: array[0..NVERS-1] of Char; // Version of executable file (C string, NVERS chars)
jddata: p_jdest; // Recognized jumps within the module (array of njddata)
njddata: Integer; // Number of recognized jumps
reserved: array[0..14] of ULONG; // Reserved for plugin compatibility - plugins must not use
end;
// Module and analysis functions exported by the debugger (cdecl; bound to the
// actual exports elsewhere in this unit).

// Locate the module containing addr. Presumably returns nil when addr belongs
// to no loaded module - test before dereferencing.
function Findmodule(addr: ULONG): p_module; cdecl;
// Find the fixup at addr within module pmod. Presumably nil when there is none.
function Findfixup(pmod: p_module; addr: ULONG): p_fixup; cdecl;
// Return the decoded-features data for addr (compare t_module.codedec /
// datadec); psize receives a size, presumably the number of decoded bytes
// available from addr (confirm against the C header). Result may be nil.
function Finddecode(addr: ULONG; psize: PULONG): PChar; cdecl;
// Map virtual address addr inside module pmod to an offset in its executable
// file. The failure value is not visible here - confirm before relying on it.
function Findfileoffset(pmod: p_module; addr: ULONG): ULONG; cdecl;
// Decode size bytes starting at addr into the caller's buffer s. The callee
// cannot check the buffer length; s must be sized for size bytes of output
// (presumably one decode byte per code byte - confirm). Returns an Integer status.
function Decoderange(addr: ULONG; size: ULONG; s: PChar): Integer; cdecl;
// Run the code analyser over module pm. Returns an Integer status.
function Analysecode(pm: p_module): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////// DUMP ////////////////////////////////////
const
// Standard dump types. A t_dump.dumptype value is a composite: bits 12..15
// hold the DU_xxx type, bits 4..11 the number of items per line and bits 0..3
// the size of a single item (see the three masks below), plus the two flag
// bits DU_ESCAPABLE and DU_BACKUP.
DU_ESCAPABLE = $20000; // Create escapable dump window
DU_BACKUP = $10000; // Bit indicates that backup is displayed
DU_TYPE = $0F000; // Mask for dump type
DU_COUNT = $00FF0; // Mask for number of items/line
DU_SIZE = $0000F; // Mask for size of single item
DU_UNDEF = $00000; // Undefined dump type
DU_HEXTEXT = $01000; // Hexadecimal dump with ASCII text
DU_TEXT = $02000; // Character dump
DU_UNICODE = $03000; // Unicode dump
DU_INT = $04000; // Integer signed dump
DU_UINT = $05000; // Integer unsigned dump
DU_IHEX = $06000; // Integer hexadecimal dump
DU_FLOAT = $07000; // Floating-point dump
DU_ADDR = $08000; // Address dump
DU_DISASM = $09000; // Disassembly
DU_HEXUNI = $0A000; // Hexadecimal dump with UNICODE text
DU_ADRASC = $0B000; // Address dump with ASCII text
DU_ADRUNI = $0C000; // Address dump with UNICODE text
DU_SPEC = $0D000; // Special decoding, handled by t_dump.specdump
// Standard menu types: bit flags combined into t_dump.menutype to select which
// of the debugger's standard context-menu groups a dump window offers.
MT_BACKUP = $0001; // Backup, Undo
MT_COPY = $0002; // Copy to clipboard
MT_EDIT = $0004; // Edit, Modify, Assemble
MT_SEARCH = $0008; // Search, Next
MT_DHISTORY = $0010; // Previous, Next in history
type
// Callback that decodes items of a DU_SPEC dump (installed in
// t_dump.specdump). The parameter names here are placeholders: pc is
// presumably the output text buffer and pdisam a disassembler work area, but
// the C header's names and the meaning of a, b, c and i are not visible -
// confirm there before implementing one. Must be cdecl to match the debugger.
SPECFUNC = function(pc: PChar; a, b, c: ULONG; pdisam: p_disasm; i: Integer): ULONG; cdecl;
p_dump = ^t_dump;
// Current status of a dump window. Byte-packed to match the C structure; do
// not reorder fields. Addresses are interpreted within [base, base+size);
// selections use a half-open range (sel1 is exclusive). NOTE(review): the
// Char arrays and PChar fields assume 1-byte characters (AnsiChar /
// PAnsiChar); on a Unicode Delphi the layout would no longer match.
t_dump = packed record // Current status of dump window
table: t_table; // Treat dump window as custom table (t_table declared elsewhere)
dimmed: Integer; // Draw in lowcolor if nonzero
threadid: ULONG; // Use decoding and registers if not 0
dumptype: Integer; // Current dump type, DU_xxx + count + size (see DU_TYPE/DU_COUNT/DU_SIZE masks)
specdump: SPECFUNC; // Decoder of DU_SPEC dump types (presumably nil when not DU_SPEC)
menutype: Integer; // Standard menus, MT_xxx flags
itemwidth: Integer; // Length of displayed item, characters
showstackframes: Integer; // Show stack frames in address dump
showstacklocals: Integer; // Show names of locals in stack
commentmode: Integer; // 0: comment, 1: source, 2: profile
filename: array[0..MAX_PATH-1] of Char; // Name of displayed or backup file (C string)
base: ULONG; // Start of memory block or file
size: ULONG; // Size of memory block or file, bytes
addr: ULONG; // Address of first displayed byte
lastaddr: ULONG; // Address of last displayed byte + 1 (exclusive)
sel0: ULONG; // Address of first selected byte
sel1: ULONG; // Last selected byte + 1 (exclusive - not included!)
startsel: ULONG; // Start of last selection
captured: Integer; // Mouse is captured by dump
reladdr: ULONG; // Addresses are shown relative to this
relname: array[0..SHORTLEN-1] of Char; // Symbol for relative zero address base (C string)
filecopy: PChar; // Copy of the file or nil (NULL)
backup: PChar; // Old backup of memory/file or nil (NULL)
runtraceoffset: Integer; // Offset back in run trace
reserved: array[0..7] of ULONG; // Reserved for future extensions - plugins must not use
end;
////////////////////////////////////////////////////////////////////////////////
//////////////////////////////// WINDOW FUNCTIONS //////////////////////////////
const
// Private window messages exchanged between the debugger's windows, numbered
// WM_USER+101 .. WM_USER+122. The wParam/lParam contents of each message are
// not described here - consult the C header before sending or handling one.
WM_USER_MENU = WM_USER + 101; // Activate context-sensitive menu
WM_USER_SCR = WM_USER + 102; // Redraw scroll(s)
WM_USER_SAVE = WM_USER + 103; // Save data to disk
WM_USER_VABS = WM_USER + 104; // Scroll contents of window by lines
WM_USER_VREL = WM_USER + 105; // Scroll contents of window by percent
WM_USER_VBYTE = WM_USER + 106; // Scroll contents of window by bytes
WM_USER_STS = WM_USER + 107; // Start selection in window
WM_USER_CNTS = WM_USER + 108; // Continue selection in window
WM_USER_CHGS = WM_USER + 109; // Move single-line selection
WM_USER_BAR = WM_USER + 110; // Message from bar segment as button
WM_USER_DBLCLK = WM_USER + 111; // Doubleclick in column
WM_USER_SIZE = WM_USER + 112; // Resize children in CPU window
WM_USER_FOCUS = WM_USER + 113; // Set focus to child of CPU window
WM_USER_FILE = WM_USER + 114; // Change state of file dump
WM_USER_HERE = WM_USER + 115; // Query presence list
WM_USER_CHALL = WM_USER + 116; // Redraw (almost) everything
WM_USER_CHMEM = WM_USER + 117; // Range of debuggee's memory changed
WM_USER_CHREG = WM_USER + 118; // Debuggee's register(s) changed
WM_USER_CHNAM = WM_USER + 119; // Redraw name tables
WM_USER_MOUSE = WM_USER + 120; // Check mouse coordinates
WM_USER_KEY = WM_USER + 121; // Emulate WM_KEYDOWN
WM_USER_SYSKEY = WM_USER + 122; // Emulate WM_SYSKEYDOWN
// Constants used for scrolling and selection in user-drawn tables.
MAXTRACK = 16384; // Maximal scroll position of a user-drawn table (scrollbar range)
MOVETOP =