Ejemplo n.º 1
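// Stores the run-data pointer on the dialog and, when the caller has not yet
// chosen a start address (uStartAddress == 0), seeds the address range from
// the procedure that contains the OEP, falling back to a small window at the
// main module's image base.
//
// pRunData - run-data record shared with the rest of the plugin; ignored
//            when NULL so the dialog never stores or dereferences a null
//            pointer.
void CSettingDialog::SetUserData(PRunData pRunData)
{
    // Reject a null pointer before it is stored or dereferenced.
    if (NULL == pRunData)
    {
        return ;
    }

    m_pRunData = pRunData ;

    // A non-zero start address means a range is already configured; keep it.
    if (0 != pRunData->uStartAddress)
    {
        return ;
    }

    int nImageBase = Plugingetvalue(VAL_MAINBASE) ;

    // Get the OEP address; by default the breakpoint address set by the
    // program is the OEP.
    DWORD dwOEP = GetOEP(nImageBase) ;

    ulong uStart = 0 ;
    ulong uEnd = 0 ;

    // Getproclimits reports failure with -1; its outputs are only trusted on
    // success, otherwise the range would silently become 0..0.
    if (0 != dwOEP && -1 != Getproclimits(dwOEP, &uStart, &uEnd))
    {
        m_pRunData->uStartAddress = uStart ;
        m_pRunData->uEndAddress = uEnd ;
    }
    else
    {
        // No usable OEP procedure: fall back to a 10-byte window at the
        // image base.
        m_pRunData->uStartAddress = nImageBase ;
        m_pRunData->uEndAddress   = nImageBase + 10 ;
    }

    // NOTE(review): the record dialog only receives pRunData on this
    // "range not yet set" path - confirm that is intended.
    m_RecordDialog.SetUserData(pRunData) ;
}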
Ejemplo n.º 2
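/*******************************************************************************
*
*  Function    : EnumerateFunctionAddress
*  Description : Enumerates the function address ranges between
*                pRunData->uStartAddress and pRunData->uEndAddress and sets
*                breakpoints in each of them
*  Parameters  : pRunData       --     pointer to RunData
*  Notes       : Addresses for which Getproclimits fails are skipped in
*                5-byte steps; the walk stops if the cursor would wrap
*                around the address space.
*  Returns     : TRUE when the whole range was walked, FALSE as soon as
*                SetCallBreakPoint or ForceSetCallBreakPoint reports failure
*
*******************************************************************************/
BOOL  EnumerateFunctionAddress(PRunData pRunData)
{
    // NOTE(review): NULLVALUE_CHECK is defined elsewhere; presumably it
    // returns early when pRunData is NULL - confirm.
    NULLVALUE_CHECK(pRunData, EnumerateFunctionAddress) ;

    ulong uStart = 0 ;
    ulong uEnd = 0 ;
    ulong uCurrent = pRunData->uStartAddress ;
    char szBuffer[MAX_PATH] = {0} ;

    while (uCurrent < pRunData->uEndAddress)
    {
        ulong uNext = 0 ;

        if (-1 == Getproclimits(uCurrent, &uStart, &uEnd))
        {
            // No procedure known at this address: probe 5 bytes further on.
            uNext = uCurrent + 5 ;
        }
        else
        {
            // Log the range. szBuffer is a char buffer, so the narrow
            // literal and the ANSI debug-output call are used explicitly,
            // and %lx matches the ulong arguments.
            sprintf_s(szBuffer, sizeof(szBuffer), "%lx-%lx\r\n", uStart, uEnd) ;
            OutputDebugStringA(szBuffer) ;
            uNext = uEnd + 5 ;

            // Check whether breakpoints are to be forced.
            // Not forced: place call breakpoints within [uStart, uEnd].
            if (FALSE == pRunData->bIsForceSetBreakPoint)
            {
                if (FALSE == SetCallBreakPoint(pRunData, uStart, uEnd))
                {
                    OutputDebugStringA("EnumerateFunctionAddress SetCallBreakPoint failed!\r\n") ;
                    return FALSE ;
                }
            }
            // Forced breakpoints.
            // NOTE(review): this path passes the fixed FUN_SIZE rather than
            // uEnd - uStart - confirm that is intended.
            else
            {
                if (FALSE == ForceSetCallBreakPoint(pRunData, uStart, FUN_SIZE))
                {
                    OutputDebugStringA("EnumerateFunctionAddress ForceSetCallBreakPoint failed!\r\n") ;
                    return FALSE ;
                }
            }
        }

        // Guarantee forward progress: if the +5 step wrapped around, or the
        // reported end lies behind the cursor, stop instead of looping
        // forever.
        if (uNext <= uCurrent)
        {
            break ;
        }
        uCurrent = uNext ;
    }
    return TRUE ;
}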
Ejemplo n.º 3
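/*
 * Prompts the user for a text pattern, disassembles every procedure found
 * after the base address of the dump window passed in pItem, and sets a
 * breakpoint on each instruction whose disassembly text contains the pattern
 * (and also pSubString, when one is supplied).
 *
 * pItem      - pointer to the t_dump descriptor of the window to scan.
 * pSubString - optional second substring that must also occur in the
 *              disassembly text; may be NULL.
 *
 * Returns FALSE when pItem is NULL, the prompt is cancelled or the pattern
 * is empty; TRUE once the scan has finished.
 */
BOOL XXX(LPVOID pItem,char *pSubString)
{
    // The descriptor is dereferenced below, so reject a null pointer first.
    if (NULL == pItem)
    {
        return FALSE;
    }

    t_dump *pX86Dasm = (t_dump *)pItem;
    ulong Address = pX86Dasm->base;

    char cPattern[0x100] = {0};
    if (Gettext("Search for pattern ...", cPattern, 0, 0, Plugingetvalue(VAL_WINDOWFONT)) == -1)
    {
        return FALSE;
    }

    // strstr() matches an empty needle everywhere, which would put a
    // breakpoint on every instruction; treat an empty pattern like a cancel.
    if ('\0' == cPattern[0])
    {
        return FALSE;
    }

    unsigned char InstStr[MAXCMDSIZE];
    t_disasm da;

    while ((Address = Findnextproc(Address)) != 0)
    {
        ulong SOffset = 0;
        ulong EOffset = 0;

        // Skip procedures whose limits cannot be determined instead of
        // walking a range built from unset values.
        if (-1 == Getproclimits(Address, &SOffset, &EOffset))
        {
            continue;
        }

        for (ulong i = SOffset; i < EOffset; )
        {
            // Readcommand's return value is used as the number of valid
            // bytes in InstStr, so Disasm never decodes stale bytes left
            // over from a previous iteration.
            const ulong ReadLength = Readcommand(i, (char *)InstStr);
            if (0 == ReadLength)
            {
                break;
            }

            const ulong InstLength = Disasm(InstStr, ReadLength, i, NULL, &da, DISASM_CODE, 0);

            // A zero length would never advance i; stop scanning this
            // procedure rather than spin forever.
            if (0 == InstLength)
            {
                break;
            }

            // da.result is matched directly; this avoids the fixed 256-byte
            // copy into an intermediate structure whose buffer size is not
            // visible in this function.
            const bool bPatternHit = (NULL != strstr(da.result, cPattern));
            const bool bSubStringHit = (NULL == pSubString) || (NULL != strstr(da.result, pSubString));

            if (bPatternHit && bSubStringHit)
            {
                DbgMsg("0x%08X %d %s ",
                    (unsigned int)i,
                    (int)InstLength,
                    da.result);

                Setbreakpoint(i, TY_ACTIVE|TY_KEEPCODE, 0);
            }

            i += InstLength;
        }
    }

    return TRUE;
}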