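/// Store the caller's RunData and, when it carries no start address, derive a
/// default address range from the debuggee's entry point.
///
/// @param pRunData  Run parameters shared with the plugin. The pointer is kept
///                  in m_pRunData for later use. A NULL pointer is rejected
///                  (logged, nothing stored) instead of being dereferenced.
///
/// When pRunData->uStartAddress is 0 the range defaults to the procedure that
/// contains the OEP (Getproclimits). If the OEP cannot be found, or its
/// procedure limits cannot be resolved, a 10-byte window at the image base is
/// used instead so the range is never left empty.
void CSettingDialog::SetUserData(PRunData pRunData)
{
    // Guard the dereferences below; a NULL RunData would otherwise crash the
    // dialog. The previously stored pointer is left untouched in that case.
    if (NULL == pRunData)
    {
        OutputDebugString(_T("CSettingDialog::SetUserData: pRunData is NULL!\r\n")) ;
        return ;
    }

    m_pRunData = pRunData ;

    // The caller already supplied a range: nothing to derive.
    if (0 != pRunData->uStartAddress)
    {
        return ;
    }

    const int nImageBase = Plugingetvalue(VAL_MAINBASE) ;

    // Resolve the OEP; by default the breakpoint range is the OEP's procedure.
    const DWORD dwOEP = GetOEP(nImageBase) ;
    ulong uStart = 0 ;
    ulong uEnd = 0 ;

    // Getproclimits reports failure with -1 (see EnumerateFunctionAddress);
    // previously that left a 0-0 range, which enumerates nothing. Treat it
    // like a missing OEP and fall back to the image-base window.
    if (0 != dwOEP && -1 != Getproclimits(dwOEP, &uStart, &uEnd))
    {
        m_pRunData->uStartAddress = uStart ;
        m_pRunData->uEndAddress = uEnd ;
    }
    else
    {
        m_pRunData->uStartAddress = nImageBase ;
        m_pRunData->uEndAddress = nImageBase + 10 ;
    }

    // NOTE(review): as in the original, the record dialog only receives the
    // RunData when the range was derived here; confirm whether callers that pass
    // a preset range expect m_RecordDialog to be updated as well.
    m_RecordDialog.SetUserData(pRunData) ;
}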
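/*******************************************************************************
 *
 * Function    : EnumerateFunctionAddress
 * Description : Walk the configured address range procedure by procedure and
 *               set a breakpoint on each procedure found.
 * Parameters  : pRunData -- pointer to the RunData holding the scan range
 *               [uStartAddress, uEndAddress) and the bIsForceSetBreakPoint
 *               switch that selects SetCallBreakPoint (real procedure limits)
 *               or ForceSetCallBreakPoint (fixed FUN_SIZE).
 * Notes       : Addresses that Getproclimits cannot attribute to a procedure
 *               are skipped in 5-byte steps; after a procedure the scan resumes
 *               5 bytes past its end. Each procedure's limits are echoed with
 *               OutputDebugStringA. NOTE(review): the first procedure may begin
 *               before uStartAddress (Getproclimits returns the limits of the
 *               procedure *containing* the address) -- confirm that breakpoints
 *               slightly outside the configured range are acceptable.
 * Returns     : TRUE when every procedure was processed; FALSE when pRunData
 *               is NULL (via NULLVALUE_CHECK) or a breakpoint could not be set.
 *
 *******************************************************************************/
BOOL EnumerateFunctionAddress(PRunData pRunData)
{
    NULLVALUE_CHECK(pRunData, EnumerateFunctionAddress) ;

    // Step used both to probe past non-procedure bytes and to resume after a
    // procedure; kept at the original value.
    const ulong uProbeStep = 5 ;
    ulong uStart = 0 ;
    ulong uEnd = 0 ;
    char szBuffer[MAX_PATH] = {0} ;

    for (ulong uCurrent = pRunData->uStartAddress; uCurrent < pRunData->uEndAddress; )
    {
        if (-1 == Getproclimits(uCurrent, &uStart, &uEnd))
        {
            // Not inside a known procedure: probe further ahead.
            uCurrent += uProbeStep ;
            continue ;
        }

        // szBuffer is a narrow char array, so the format string and the debug
        // output call are kept narrow as well (independent of UNICODE builds).
        sprintf_s(szBuffer, sizeof(szBuffer), "%x-%x\r\n", uStart, uEnd) ;
        OutputDebugStringA(szBuffer) ;
        uCurrent = uEnd + uProbeStep ;

        if (FALSE == pRunData->bIsForceSetBreakPoint)
        {
            if (FALSE == SetCallBreakPoint(pRunData, uStart, uEnd))
            {
                OutputDebugString(_T("EnumerateFunctionAddress SetCallBreakPoint failed!\r\n")) ;
                return FALSE ;
            }
        }
        else
        {
            // Forced mode ignores the real procedure size and uses FUN_SIZE.
            if (FALSE == ForceSetCallBreakPoint(pRunData, uStart, FUN_SIZE))
            {
                OutputDebugString(_T("EnumerateFunctionAddress ForceSetCallBreakPoint failed!\r\n")) ;
                return FALSE ;
            }
        }
    }

    return TRUE ;
}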
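/// Print one disassembled instruction to the log and put a breakpoint on it.
///
/// @param tInstruction  Instruction record filled in by XXX (address,
///                      disassembly text, opcode length).
static void ReportAndBreak(const T_X86Instruction& tInstruction)
{
    DbgMsg("0x%08X %d %s ", tInstruction.Addresss, tInstruction.OpCodeLength, tInstruction.Command);
    Setbreakpoint(tInstruction.Addresss, TY_ACTIVE | TY_KEEPCODE, 0);
}

/// Ask the user for a text pattern, then walk every procedure the debuggee
/// exposes (Findnextproc, starting at the disassembler window's base) and set
/// a breakpoint on each instruction whose disassembly contains the pattern.
///
/// @param pItem       t_dump of the disassembler window; its base address
///                    starts the procedure walk (passed as LPVOID by OllyDbg).
/// @param pSubString  Optional second needle; when non-NULL an instruction
///                    must also contain it to receive a breakpoint.
/// @return FALSE when pItem is NULL, the pattern dialog is cancelled, or the
///         pattern is empty; TRUE otherwise.
///
/// Changes versus the original: a NULL pItem and an empty pattern are rejected
/// (an empty strstr() needle matches every instruction, which would place a
/// breakpoint on every instruction of every procedure); a failed Getproclimits
/// no longer iterates over uninitialised bounds; a zero-length Disasm result
/// no longer spins forever; the unused pDasmWnd lookup was dropped.
BOOL XXX(LPVOID pItem, char *pSubString)
{
    if (NULL == pItem)
    {
        return FALSE;
    }
    t_dump *pX86Dasm = (t_dump*)pItem;
    ulong Address = pX86Dasm->base;

    char cPattern[0x100] = {0};
    if (-1 == Gettext("Search for pattern ...", cPattern, 0, 0, Plugingetvalue(VAL_WINDOWFONT)))
    {
        return FALSE;
    }
    if ('\0' == cPattern[0])
    {
        return FALSE;
    }

    T_X86Instruction tX86Instruction;
    unsigned char InstStr[MAXCMDSIZE];
    t_disasm da;

    while ((Address = Findnextproc(Address)) != 0)
    {
        ulong SOffset = 0;
        ulong EOffset = 0;
        if (-1 == Getproclimits(Address, &SOffset, &EOffset))
        {
            continue;
        }

        for (ulong i = SOffset; i < EOffset; )
        {
            if (!Readcommand(i, (char*)InstStr))
            {
                break;
            }
            const ulong InstLength = Disasm(InstStr, MAXCMDSIZE, i, NULL, &da, DISASM_CODE, 0);
            // A zero length would never advance i; treat it as the end of the
            // decodable code in this procedure.
            if (0 == InstLength)
            {
                break;
            }

            tX86Instruction.Addresss = i;
            // NOTE(review): copies a fixed 256 bytes as the original did --
            // assumes both da.result and Command are at least that large; confirm
            // against t_disasm / T_X86Instruction.
            memcpy(tX86Instruction.Command, da.result, 256);
            tX86Instruction.OpCodeLength = InstLength;

            const char *pCommand = (const char*)tX86Instruction.Command;
            const bool bMatch = (NULL != strstr(pCommand, cPattern))
                && (NULL == pSubString || NULL != strstr(pCommand, pSubString));
            if (bMatch)
            {
                ReportAndBreak(tX86Instruction);
            }
            i += InstLength;
        }
    }
    return TRUE;
}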