Beispiel #1
0
static _inline void b64conv(HWND hwnd){
	char B64D[8*10];
	char buf[2][4*4];
	DWORD adrs,s;
	t_memory *pmem;
	BYTE *buff[2];

	GetWindowTextM(IDC_EDT_TOPADDR,buf[0],sizeof(buf[0]));
	GetWindowTextM(IDC_EDT_NUMBER,buf[1],sizeof(buf[1]));
	s=GetWindowTextM(IDC_COMBO1,B64D,sizeof(B64D));
	if(s<64) return;
	adrs = strtoul(buf[0],NULL,16);
	s = strtoul(buf[1],NULL,10);
	if(adrs==0 || s==0) return;
	pmem=Findmemory(adrs);
	if(pmem==NULL) return;

	if ((buff[0] = (BYTE *)malloc(s+4)) == NULL)
		return;
  if(Readmemory(buff[0], pdump->sel0, s, MM_RESTORE | MM_SILENT) == s){
		buff[1]=MS_Base64Encodes(B64D,buff[0],s);
		if(buff[1]){
			SetWindowTextM(IDC_EDIT1,buff[1]);
			free(buff[1]);
		}
		free(buff[0]);
	}
}
int AddBreakpoint(unsigned long addr, unsigned int type) {
t_polymorphicbreakpoint crt_breakpoint;

	if(numberofpatch>=__MAX_PMBP__) {
		olly_add_to_list(0, __ERROR__, "[Error at %x08X] Too many breakpoint are already set.", addr);
		return 0;
	}

	crt_breakpoint.index=numberofpatch;
	crt_breakpoint.addr=addr;
	crt_breakpoint.type=type;
	crt_breakpoint.able=1;	

	if(Readmemory(tpatch[numberofpatch].original, addr, (unsigned long)size[crt_breakpoint.type], MM_RESILENT) == 0) {
		olly_add_to_list(0, __ERROR__, "[Error at %x08X] Can't read the memory.", addr);
		return 0;
	}
	
	if(Writememory(polymorph[crt_breakpoint.type], addr, (unsigned long)size[crt_breakpoint.type], MM_RESILENT) == 0) {
		olly_add_to_list(0, __ERROR__, "[Error at %x08X] Can't write the memory / Set the breakpoint.", addr);
		return 0;
	}

	tpatch[numberofpatch].addr = addr;
	tpatch[numberofpatch].size = size[crt_breakpoint.type];

	olly_add_sorted_data(&(breakpoint.data),&crt_breakpoint);
	olly_add_to_list(0,0,"New breakpoint at 0x%08X", addr);

	numberofpatch++;

	return 1;
}
Beispiel #3
0
//---------------------------------------------------------------------------
BOOL RtlDeleteCriticalSection_Call( LPLOGDATA pLogData, t_reg * pRegisters )
{
	DWORD dwParameter;
	Readmemory( &dwParameter, pRegisters->r[REG_ESP]+4, 4, MM_SILENT );
	snprintf( pLogData->cMessage, BUFFER_SIZE, "RtlDeleteCriticalSection( 0x%.8X )", dwParameter );
	return TRUE;
}
int MalwareExtractor::Initialize()
{
	m_thread = Findthread(Getcputhreadid());
	if (m_thread == NULL) {
		m_error_code = ME_ERROR_NOTHREAD;
		return -1;
	}

	m_module = Findmodule(m_thread->reg.ip);
	m_imagecopy = new uchar[m_module->size];
	if (m_imagecopy == NULL) {
		m_error_code = ME_ERROR_MEMALLOC;
		return -1;
	}

	if (Readmemory(m_imagecopy, m_module->base, m_module->size, MM_RESTORE) == 0) {
		m_error_code = ME_ERROR_MEMREAD;
		return -1;
	}

	this->BackupModuleRanges();

	m_running = 1;
	return 0;
}
bool SaveDump(string fileName, DWORD ep)
{
	strCurEIP = ep;
	//OPENFILENAME ofn;
	HANDLE hHeap, hFile;
	PIMAGE_DOS_HEADER idosh;
	PIMAGE_NT_HEADERS ipeh;
	PIMAGE_SECTION_HEADER isech;
	LPBYTE lpDumpData;
	DWORD dwFrom,dwSize,dwAccBytes;
	unsigned int i;
	dwFrom = PEFileInfo.dwImageBase;
	dwSize = PEFileInfo.dwSizeOfImage;
	hHeap = HeapCreate(HEAP_NO_SERIALIZE,1,0);
	lpDumpData = (LPBYTE)HeapAlloc(hHeap,HEAP_NO_SERIALIZE | HEAP_ZERO_MEMORY,dwSize);
	dwSize = Readmemory(lpDumpData,dwFrom,dwSize,MM_RESTORE);
	idosh = (PIMAGE_DOS_HEADER)lpDumpData;
	if(idosh->e_magic != IMAGE_DOS_SIGNATURE) 
	{
		MessageBox(0, "DUMP: 错误的DOS头(MZ)!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
		HeapFree(hHeap,HEAP_NO_SERIALIZE,lpDumpData);
		return false;
	}
	ipeh = (PIMAGE_NT_HEADERS)(lpDumpData + idosh->e_lfanew);
	if(ipeh->Signature != IMAGE_NT_SIGNATURE) 
	{
		MessageBox(0, "DUMP: 错误的PE标志头!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
		HeapFree(hHeap,HEAP_NO_SERIALIZE,lpDumpData);
		return false;
	}
	ipeh->FileHeader.NumberOfSections        = PEFileInfo.woNumOfSect;
	ipeh->OptionalHeader.ImageBase           = PEFileInfo.dwImageBase;
	ipeh->OptionalHeader.SizeOfImage         = PEFileInfo.dwSizeOfImage;
	ipeh->OptionalHeader.BaseOfCode          = PEFileInfo.dwBaseOfCode;
	ipeh->OptionalHeader.BaseOfData          = PEFileInfo.dwBaseOfData;
	ipeh->OptionalHeader.AddressOfEntryPoint = (strCurEIP - PEFileInfo.dwImageBase) ;
	isech = IMAGE_FIRST_SECTION(ipeh);
	if(FixSect) {
		for(i=0; i<(int)PEFileInfo.woNumOfSect; i++) 
		{
			strcpy((char *)(isech+i)->Name,(char *)(lpSectInfo+i)->byName);
			(isech+i)->Misc.VirtualSize = (lpSectInfo+i)->dwVSize;
			(isech+i)->VirtualAddress   = (lpSectInfo+i)->dwVOffset;
			(isech+i)->SizeOfRawData    = (lpSectInfo+i)->dwVSize;
			(isech+i)->PointerToRawData = (lpSectInfo+i)->dwVOffset;
			(isech+i)->Characteristics  = (lpSectInfo+i)->dwCharacteristics;
		}
	}

	strcpy( szFileName, fileName.c_str() );
	hFile = CreateFile(szFileName, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	if(hFile != INVALID_HANDLE_VALUE) 
	{
		SetFilePointer(hFile, 0, 0, FILE_BEGIN);
		WriteFile(hFile, lpDumpData, dwSize, &dwAccBytes, NULL);
		CloseHandle(hFile);
	}
	HeapFree(hHeap,HEAP_NO_SERIALIZE,lpDumpData);
	return true;
}
Beispiel #6
0
//---------------------------------------------------------------------------
BOOL RtlCreateHeap_Call( LPLOGDATA pLogData, t_reg * pRegisters )
{
	char cFlagsOutput[MAX_PATH];
	DWORD dwParameters[3];
	Readmemory( &dwParameters, pRegisters->r[REG_ESP]+4, 12, MM_SILENT );
	ResolveHeapFlags(  dwParameters[0], (char *)&cFlagsOutput );
	snprintf( pLogData->cMessage, BUFFER_SIZE, "RtlCreateHeap( %s, %d, %d )", cFlagsOutput, dwParameters[1], dwParameters[2] );
	return TRUE;
}
Beispiel #7
0
//---------------------------------------------------------------------------
BOOL RtlDestroyHeap_Call( LPLOGDATA pLogData, t_reg * pRegisters )
{
	DWORD dwParameter;
	Readmemory( &dwParameter, pRegisters->r[REG_ESP]+4, 4, MM_SILENT );
	if( dwProcessHeap != NULL && dwParameter == dwProcessHeap )
		snprintf( pLogData->cMessage, BUFFER_SIZE, "RtlDestroyHeap( GetProcessHeap() )" );
	else
		snprintf( pLogData->cMessage, BUFFER_SIZE, "RtlDestroyHeap( 0x%.8X )", dwParameter );
	pLogData->dwHeap = dwParameter;
	return TRUE;
}
Beispiel #8
0
// Standard function Painttable() makes most of OllyDbg windows redrawing. You
// only need to supply another function that prepares text strings and
// optionally colours them. Case of custom windows is a bit more complicated,
// please read documentation.
int Bookmarkgettext(char *s, char *mask, int *select,
                    t_sortheader *ph, int column)
{
	int n;
	ulong cmdsize, decodesize;
	char cmd[MAXCMDSIZE], *pdecode;
	t_memory *pmem;
	t_disasm da;
	t_bookmark *pb = (t_bookmark *)ph;
	if (column == 0)                     // Name of bookmark
	{
		// Column 0 contains name of bookmark in form "Alt+n", where n is the
		// digit from 0 to 9. Mainly for demonstration purposes, I display prefix
		// "Alt+" in grayed and digit in normal text. Standard table windows do
		// not need to bother about selection.
		n = sprintf(s, "Alt+%i", pb->index);
		*select = DRAW_MASK;
		memset(mask, DRAW_GRAY, 4);
		mask[4] = DRAW_NORMAL;
	}
	else if (column == 1)                // Address of bookmark
		n = sprintf(s, "%08X", pb->addr);
	else if (column == 2)                // Disassembled command
	{
		// Function Disasm() requires that calling routine supplies code to be
		// disassembled. Read this code from memory. First determine possible
		// code size.
		pmem = Findmemory(pb->addr);       // Find memory block containing code
		if (pmem == NULL)
		{
			*select = DRAW_GRAY;
			return sprintf(s, "???");
		};
		cmdsize = pmem->base + pmem->size - pb->addr;
		if (cmdsize > MAXCMDSIZE)
			cmdsize = MAXCMDSIZE;
		if (Readmemory(cmd, pb->addr, cmdsize, MM_RESTORE | MM_SILENT) != cmdsize)
		{
			*select = DRAW_GRAY;
			return sprintf(s, "???");
		};
		pdecode = Finddecode(pb->addr, &decodesize);
		if (decodesize < cmdsize) pdecode = NULL;
		Disasm(cmd, cmdsize, pb->addr, pdecode, &da, DISASM_CODE, 0);
		strcpy(s, da.result);
		n = strlen(s);
	}
	else if (column == 3)                // Comment
		// Only user-defined comments are displayed here.
		n = Findname(pb->addr, NM_COMMENT, s);
	else n = 0;                          // s is not necessarily 0-terminated
	return n;
};
Beispiel #9
0
void ShowOriAddr(HWND hWnd)
{
	DWORD addr,index,data;
	index = SendMessage(hWnd,LB_GETCURSEL,0,0);
	addr = SendMessage(hWnd,LB_GETITEMDATA,index,0);
	addr &= 0x7fffffff;
	Readmemory(&data,addr+1,4,MM_SILENT);
	addr = data+addr+5;
	Setcpu(0,addr,0,0,CPU_ASMFOCUS);
	HWND  phWnd = (HWND)GetWindowLong(hWnd,GWL_HWNDPARENT);
	ShowWindow(phWnd,SW_SHOWMINIMIZED);
	SetFocus(odghwnd);
}
Beispiel #10
0
//---------------------------------------------------------------------------
BOOL RtlAllocateHeap_Call( LPLOGDATA pLogData, t_reg * pRegisters )
{
	char cFlagsOutput[MAX_PATH];
	DWORD dwParameters[3];
	Readmemory( &dwParameters, pRegisters->r[REG_ESP]+4, 12, MM_SILENT );
	ResolveHeapFlags(  dwParameters[1], (char *)&cFlagsOutput );
	if( dwProcessHeap != NULL && dwParameters[0] == dwProcessHeap )
		snprintf( pLogData->cMessage, BUFFER_SIZE, "RtlAllocateHeap( GetProcessHeap(), %s, %d )", cFlagsOutput, dwParameters[2] );
	else
		snprintf( pLogData->cMessage, BUFFER_SIZE, "RtlAllocateHeap( 0x%.8X, %s, %d )", dwParameters[0], cFlagsOutput, dwParameters[2] );
	pLogData->dwHeap = dwParameters[0];
	pLogData->dwHeapBlockSize = dwParameters[2];
	return TRUE;
}
/*******************************************************************************
*
*  函 数 名 : GetOEP
*  功能描述 : 取得程序入口地址
*  参数列表 : dwImageBase       --     程序映像基础
*  说    明 : 函数并没有对程序正确性做检测
*  返回结果 : 如果成功返回程序OEP,否则返回0
*
*******************************************************************************/
DWORD GetOEP(DWORD dwImageBase)
{
    DWORD dwOEP = 0 ;
    char szBuffer[1024] ;
    if(0 == Readmemory(szBuffer, dwImageBase, 1024, 0))
    {
        return dwOEP ;
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)szBuffer ;

    PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(pDosHeader->e_lfanew + szBuffer) ;
    
    dwOEP = pNtHeader->OptionalHeader.AddressOfEntryPoint + dwImageBase ; 
    return dwOEP ;
}
Beispiel #12
0
void FlashListBox(HWND hWnd)
{
	DWORD i,count,addr;
	char data;
	count = SendMessage(hWnd,LB_GETCOUNT,0,0);
	for(i=0;i<count;i++)
	{
		addr = SendMessage(hWnd,LB_GETITEMDATA,i,0);
		Readmemory(&data,addr&0x7fffffff,1,MM_SILENT);
		if(data == 0xcc)
		{
			addr|=0x80000000;
			SendMessage(hWnd,LB_SETITEMDATA,i,addr);
		}
		else
		{
			addr&=0x7fffffff;
			SendMessage(hWnd,LB_SETITEMDATA,i,addr);
		}
	}
}
LRESULT CALLBACK polybp_winproc(HWND hw,UINT msg,WPARAM wp,LPARAM lp) {

HMENU menu;
unsigned int i;
unsigned long retaddr;
t_polymorphicbreakpoint	*slt_breakpoint;
t_thread *pthread;

	switch (msg) {
		case WM_DESTROY:
		case WM_MOUSEMOVE:
		case WM_LBUTTONDOWN:
		case WM_LBUTTONDBLCLK:
		case WM_LBUTTONUP:
		case WM_RBUTTONDOWN:
		case WM_RBUTTONDBLCLK:
		case WM_HSCROLL:
		case WM_VSCROLL:
		case WM_TIMER:
		case WM_SYSKEYDOWN:
		case WM_USER_SCR:
		case WM_USER_VABS:
		case WM_USER_VREL:
		case WM_USER_VBYTE:
		case WM_USER_STS:
		case WM_USER_CNTS:
		case WM_USER_CHGS:
		case WM_WINDOWPOSCHANGED:
			return olly_table_function(&breakpoint,hw,msg,wp,lp);

		case WM_USER_MENU:

			slt_breakpoint=(t_polymorphicbreakpoint *)olly_get_sorted_by_selection(&(breakpoint.data),breakpoint.data.selected);
			menu=olly_create_popup_menu();

			if (menu != 0 && slt_breakpoint != 0) {

				olly_append_menu(menu,MF_STRING,1,"Follow\tEnter");
				olly_append_menu(menu,MF_STRING,2,"Disable\tDel");

				i = olly_table_function(&breakpoint,hw,WM_USER_MENU,0,(LPARAM)menu);

					if (menu != 0) DestroyMenu(menu);

					if(i==1) olly_set_cpu(0,slt_breakpoint->addr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS);

					if(i==2) {
						/* Remove a PolyMorphic Breakpoint */

						if((slt_breakpoint->able == 1) && (ispaused == 1)) {
								
							switch(slt_breakpoint->type) {

							case 0:
								pthread=olly_find_thread(olly_get_cpu_thread_id());
								context = pthread->context;
								
								if((context.Eip >= slt_breakpoint->addr+4) && (context.Eip < slt_breakpoint->addr + 12)) {
									
									// Ajust esp
									context.Esp += 4;
									pthread->reg.r[4] += 4;
									// Restore eip
									context.Eip = slt_breakpoint->addr;
									pthread->reg.ip = slt_breakpoint->addr;
									

								}
									// Delete
									DisableBreakpoint(slt_breakpoint);
							break;
							
							case 1:
								pthread=olly_find_thread(olly_get_cpu_thread_id());
								context = pthread->context;
								
								if((context.Eip >= slt_breakpoint->addr+4) && (context.Eip < slt_breakpoint->addr + 17)) {

									// Ajust esp
									context.Esp += 4;
									pthread->reg.r[4] += 4;
									// Restore eip
									context.Eip = slt_breakpoint->addr;
									pthread->reg.ip = slt_breakpoint->addr;

								}
									// Delete
									DisableBreakpoint(slt_breakpoint);

							break;

							case 2:
								
									// Delete
									DisableBreakpoint(slt_breakpoint);

							break;

							case 3:
								pthread=olly_find_thread(olly_get_cpu_thread_id());
								context = pthread->context;

								if((context.Eip >= slt_breakpoint->addr+4) && (context.Eip < slt_breakpoint->addr + 15)) {

									// Ajust esp
									context.Esp += 4;
									pthread->reg.r[4] += 4;
									// Restore eip
									pthread->reg.ip = slt_breakpoint->addr;
									context.Eip = slt_breakpoint->addr;


								}
								else if(context.Eip == context.Esp) {

									if(Readmemory(&retaddr,pthread->reg.r[4]+2,4,MM_RESILENT) == 0) {
										olly_add_to_list(0, __ERROR__, "[Error at %x08X] Can't read the memory.", pthread->reg.r[4]+2);
										break;
									}
									if(retaddr == slt_breakpoint->addr+5) {

									// Ajust esp
									context.Esp += 6;
									pthread->reg.r[4] += 6;
									// Restore eip
									pthread->reg.ip = slt_breakpoint->addr;
									context.Eip = slt_breakpoint->addr;

									}

								}
									// Delete
									DisableBreakpoint(slt_breakpoint);
							break;

							} // switch(slt_breakpoint->type)
						} // pause

					} // ifremove

				InvalidateRect(hw,NULL,FALSE);

		}
		return 0;

		case WM_USER_DBLCLK:
			slt_breakpoint=(t_polymorphicbreakpoint *)olly_get_sorted_by_selection(
				&(breakpoint.data),breakpoint.data.selected);
				if(slt_breakpoint != 0)
					olly_set_cpu(0,slt_breakpoint->addr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS);
		return 0;

		case WM_KEYDOWN:
			if (wp==VK_RETURN && (GetKeyState(VK_SHIFT) & 0x8000)==0 && (GetKeyState(VK_CONTROL) & 0x8000)==0) {
				slt_breakpoint=(t_polymorphicbreakpoint *)Getsortedbyselection(
						&(breakpoint.data),breakpoint.data.selected);
						if(slt_breakpoint!=NULL)
							olly_set_cpu(0,slt_breakpoint->addr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS);
			}
		return 0;

        case WM_USER_CHALL:
        case WM_USER_CHMEM:
            InvalidateRect(hw, NULL, FALSE);
            return 0;
        case WM_PAINT:
            olly_paint_table(hw, &breakpoint, polybp_get_text);
		return 0;

		default:
		break;
	}

	return DefMDIChildProc(hw,msg,wp,lp);
}
Beispiel #14
0
void SetEditText(HWND hWnd,DWORD type)
{
	DWORD  temp,t1,t2,i;
	char *info;
	wchar_t *winfo;
	if(type == CPUDUMP)
	{
//		__try
		{
			temp = Plugingetvalue(VAL_CPUDDUMP);
			t1=*(DWORD*)(temp+0x385);
			t2=*(DWORD*)(temp+0x389);
			temp=t2-t1;
			info = (char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, temp + 2);
			winfo = (wchar_t *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, (temp + 2) * sizeof(wchar_t));
			Readmemory(info,(DWORD)t1,temp,MM_SILENT);
			for(i=0;i<temp;i++)
			{
				if(info[i]==0)
				{
					if(info[i+1]==0)
					{
					info[i]=0x0d;
					info[++i]=0x0a;
					}
					else
						info[i]=' ';
				}
			}
			MultiByteToWideChar(pagecode,0,info,-1,winfo,temp+2);
			SetWindowTextW(hWnd,winfo);
			HeapFree(hHeap, 0, info);
			HeapFree(hHeap, 0, winfo);
		}
//		__except(EXCEPTION_EXECUTE_HANDLER)
//		{
//			return;
//		}
	}
	else
	{
		temp = Plugingetvalue(VAL_CPUDSTACK	);
		t1 = *(DWORD*)(temp+0x385);
		char tempchar;
//		__try
		{
			Readmemory(&t2,t1,4,MM_SILENT);
/*			char s[128] = {0};
			sprintf(s,"0x%08x 0x%08x",t2,info);
			MessageBox(hWnd,s,s,0);*/
			t1 = t2;
			temp=0;
			do
			{
				Readmemory(&tempchar,t2++,1,MM_SILENT);
				++temp;
			}while( tempchar != 0 );
			if(temp==1)
				return;
			info = (char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, temp);
			Readmemory(info,t1,temp,MM_SILENT);
			winfo = (wchar_t *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, temp * sizeof(wchar_t));
			MultiByteToWideChar(pagecode,0,info,-1,winfo,temp);
			SetWindowTextW(hWnd,winfo);
			HeapFree(hHeap, 0, info);
			HeapFree(hHeap, 0, winfo);
		}
//		__except(EXCEPTION_EXECUTE_HANDLER)
//		{
//			return;
//		}
	}
}
Beispiel #15
0
void GetCallAddress(HWND hWnd)
{
	DWORD addr = Plugingetvalue(VAL_CPUDASM);
	addr = *(int*)(addr+0x385);
	DWORD mask=0xffff0000;
	DWORD base = addr&mask;
	IMAGE_DOS_HEADER dosh;
	char s[64];
	Readmemory(&dosh,base,sizeof(IMAGE_DOS_HEADER),MM_RESTORE | MM_SILENT);
	while(dosh.e_magic!=IMAGE_DOS_SIGNATURE||mask==0)
	{		
		mask<<=1;
		base = addr&mask;
		Readmemory(&dosh,base,sizeof(IMAGE_DOS_HEADER),MM_SILENT);
	}
	if(base==0) return;

	DWORD pebase = base;
	
	base+=dosh.e_lfanew+sizeof(IMAGE_NT_SIGNATURE)+sizeof(IMAGE_FILE_HEADER)+sizeof(IMAGE_OPTIONAL_HEADER);
	IMAGE_SECTION_HEADER sh;
	Readmemory(&sh,base,sizeof(IMAGE_SECTION_HEADER),MM_SILENT);
	while(sh.VirtualAddress!=0)
	{
		if( sh.VirtualAddress+pebase<addr&&sh.VirtualAddress+sh.SizeOfRawData+pebase>addr)
			break;
		base+=sizeof(IMAGE_SECTION_HEADER);
		Readmemory(&sh,base,sizeof(IMAGE_SECTION_HEADER),MM_SILENT);
	}
	if(sh.VirtualAddress==0)return;
	base = pebase+sh.VirtualAddress;
	DWORD size = sh.SizeOfRawData;
	char *data = (char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, size);
	Readmemory(data,base,size,MM_SILENT);
//	wsprintf(s,"0x%08x 0x%08x 0x%08x",base,pebase,addr);
//	MessageBox(hWnd,s,s,0);
	for(size_t i=0,j=0;i<size;i++)
	{
//		if(data[i]==0xe8)
//		{
//			sprintf(s,"0x%08x 0x%08x 0x%08x",*(DWORD*)(data+i+1),pebase,addr);
//				MessageBox(hWnd,s,s,0);
		if(*(DWORD*)(data+i) == (addr-base-i-4))
		{
				
			if(data[i-1]==0xe8||data[i-1]==0xcc)
			{
				DWORD target = base+i-1;
				wsprintf(s,"0x%08x",target);
				if(data[i-1]==0xcc)
					target|=0x80000000;
				
				SendMessage(hWnd,LB_INSERTSTRING,j,(LPARAM)s);
				SendMessage(hWnd,LB_SETITEMDATA,j++,target);
				i+=3;

			}
		}
	}
	wsprintf(s,"调用0x%08x的参考",addr);
	SetWindowText((HWND)GetWindowLong(hWnd,GWL_HWNDPARENT),s);
	HeapFree(hHeap, 0, data);
}
Beispiel #16
0
static int MCompareTrace(t_table *pt,wchar_t *name,ulong index,int mode) {
  wchar_t buffer[100];
  uchar * codeline;
  ulong codelinesize;

  if (mode==MENU_VERIFY)
    return MENU_NORMAL;                // Always available
  else if (mode==MENU_EXECUTE) {
    ulong i,j,length, declength;
    uchar cmd[MAXCMDSIZE],*decode;
	t_disasm da;
    t_reg *reg;
	void * result;
	t_memory *pmem;
    t_hitlist hitlistitem;
    Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF);
	for ( i=0; i<memory.sorted.n; i++) {
      pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i);    // Get next memory block.
	  if ((pmem->type & MEM_GAP)!=0)
        continue;                        // Unallocated memory
      // Check whether it contains executable code.
      if ((pmem->type & (MEM_CODE|MEM_SFX))==0)
        continue;                        // Not a code   	  
	  // iterate through code
      for ( j=pmem->base; j<=pmem->base +pmem->size; j++) {
	    codeline = Finddecode(j,&codelinesize);
		if (codeline)
			if (((*codeline)&DEC_TRACED)==DEC_TRACED){
				result = Findsorteddata(&baselist,j,0);
				//Addtolist(result,DRAW_NORMAL,L"sorted");
				if(!result){
                  length=Readmemory(cmd,j,MAXCMDSIZE,MM_SILENT|MM_PARTIAL);
                  if (length==0) Addtolist(j,DRAW_NORMAL,L"Readmemory returned zero!");
                  decode=Finddecode(j,&declength);
                  if (decode!=NULL && declength<length) 
                     decode=NULL;
                  length=Disasm(cmd,length,j,decode,&da,DA_TEXT|DA_OPCOMM|DA_MEMORY,NULL,NULL);
                  if (length==0) Addtolist(j,DRAW_NORMAL,L"Disasm returned zero!");
                  StrcopyW(hitlistitem.decodedinstruction,TEXTLEN,da.result);
			      hitlistitem.index=j;
                  hitlistitem.size=1;
                  hitlistitem.type=0;
                  Addsorteddata(&(hitlisttable.sorted),&hitlistitem);
				}
			}
		}
	  }
	if (hitlisttable.hw==NULL){
      // Create table window. Third parameter (ncolumn) is the number of
      // visible columns in the newly created window (ignored if appearance is
      // restored from the initialization file). If it's lower than the total
      // number of columns, remaining columns are initially invisible. Fourth
      // parameter is the name of icon - as OllyDbg resource.
      Createtablewindow(&hitlisttable,0,hitlisttable.bar.nbar,NULL, L"ICO_PLUGIN",PLUGINNAME);
	}
    else
      Activatetablewindow(&hitlisttable);
	return MENU_REDRAW;
	}
  return MENU_ABSENT;
};