Мой первый pe-дампер (ассемблер)
Весь код вместе с gui частью очень большой, привожу основной код.
Код:
Create_Dump proc
mov dword ptr lpofn.lStructSize,SIZEOF OPENFILENAME
push hInstance
pop lpofn.hInstance
mov dword ptr lpofn.lpstrFilter,offset filter_
mov dword ptr lpofn.Flags,1800h
mov dword ptr lpofn.lpstrFile,offset file_buf
mov dword ptr lpofn.lpstrTitle,offset title__
mov dword ptr lpofn.hwndOwner,0
mov dword ptr lpofn.nMaxFile,100h
invoke GetSaveFileName,offset lpofn
test eax,eax
je exit_
invoke CreateFileA,offset file_buf,GENERIC_ALL,FILE_SHARE_READ or FILE_SHARE_WRITE,0,2,0,0
.if eax!=-1
mov h_cd,eax
.endif
exit_:
ret
Create_Dump endp
dump__ proc par__:dword
local procEntry:PROCESSENTRY32
local buffertool:dword
local bufferfirst:dword
local hProcess:dword
LOCAL pNumberOfBytesRead:dword
local written_:dword
local szModulePath[256]:byte
local lpflOldProtect:dword
local pr_id:dword
local mEntry:MODULEENTRY32
local snap_:dword
local addr_module:dword
local h_dump_file:dword
local s_size:dword
local lpNumberOfBytesRead:dword
local _address_:dword
local size_headers:dword
local lpNumberOfBytesWritten:dword
local opt_size:dword
local first_sect:dword
invoke CreateToolhelp32Snapshot,2,0
mov buffertool, eax
mov procEntry.dwSize,500
invoke Process32First,buffertool, addr procEntry
mov bufferfirst, eax
.if eax!=INVALID_HANDLE_VALUE
xor edi,edi
.while eax!=0
invoke Process32Next,buffertool,addr procEntry
lea esi,procEntry
pushad
invoke lstrcmpiA,addr procEntry.szExeFile,par__
.if eax==0
mov esi,procEntry.th32ProcessID
mov pr_id,esi
invoke OpenProcess,PROCESS_ALL_ACCESS,0,esi
.if eax!=0
mov hProcess,eax
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE,pr_id
mov snap_,eax
mov mEntry.dwSize,SIZEOF mEntry
invoke Module32First,snap_,addr mEntry
mov edi,mEntry.modBaseAddr
mov addr_module,edi
invoke lstrcat,offset module_text,offset ct1
invoke lstrcat,offset module_text,addr mEntry.szModule
invoke lstrcat,offset module_text,addr ct2
invoke MessageBoxA,0,offset module_text,offset title_,0
invoke CreateFile,addr mEntry.szExePath,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0
.if eax!=-1
mov h_dump_file,eax
invoke GetFileSize,h_dump_file,0
mov s_size,eax
.if eax!=0
invoke VirtualAlloc,0,s_size,MEM_COMMIT,PAGE_READWRITE
mov _address_,eax
invoke ReadFile,h_dump_file,_address_,s_size,addr lpNumberOfBytesRead,0
mov edi,lpNumberOfBytesRead
.if edi==s_size
mov eax,_address_
cmp word ptr[eax],IMAGE_DOS_SIGNATURE ; ïðîâåðÿåì èñïîëíÿåìûé ëè ýòî ôàéë
jnz ext
add eax, 03ch
mov esi, dword ptr [eax]
sub esi, 03ch
add eax, esi
cmp dword ptr [eax],IMAGE_NT_SIGNATURE ; åñëè íå PE, òî âûõîäèì
jnz ext
assume eax:ptr IMAGE_NT_HEADERS
mov esi,[eax].OptionalHeader.SizeOfHeaders
mov size_headers,esi
mov esi,[eax].OptionalHeader.SizeOfImage
sub esi, size_headers
xor edx,edx
mov dx,[eax].FileHeader.NumberOfSections
xor ebx,ebx
mov bx,[eax].FileHeader.SizeOfOptionalHeader
mov num_of_sect,edx
mov opt_size,ebx
mov edx,18h
add edx,opt_size
mov first_sect,edx
add first_sect,eax
pushad
call Create_Dump
popad
pushad
invoke WriteFile,h_cd,_address_,size_headers,addr lpNumberOfBytesWritten,0
popad
mov edi,first_sect
looo_:
assume edi:ptr IMAGE_SECTION_HEADER
mov esi,[edi].VirtualAddress
mov edx,addr_module
add edx,esi
pushad
invoke VirtualAlloc,0,dword ptr [edi+8],MEM_COMMIT,PAGE_READWRITE
mov REGION_,eax
popad
pushad
invoke ReadProcessMemory,hProcess,edx,REGION_,dword ptr [edi+8],addr lpNumberOfBytesRead
popad
pushad
invoke WriteFile,h_cd,REGION_,[edi].SizeOfRawData,addr lpNumberOfBytesWritten,0
popad
pushad
invoke VirtualFree,REGION_,dword ptr [edi+8],MEM_DECOMMIT
popad
add first_sect, SIZEOF IMAGE_SECTION_HEADER
mov edi,first_sect
dec num_of_sect
jnz looo_
ext:
invoke VirtualFree,_address_,s_size,MEM_DECOMMIT
invoke CloseHandle,hProcess
invoke CloseHandle,h_cd
jmp ret_
.endif
.endif
.endif
.endif
.endif
popad
.endw
.endif
ret_:
leave
ret
dump__ endp
Сам дампер можно скачать тут
http://slil.ru/24458259
P.S. Дабл клик по процессу чтобы сдампить |
