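// Prepare the extractor for the debugger's current thread: resolve the
// thread, find the module containing its instruction pointer, take a private
// copy of that module's image and record the module ranges.
//
// Returns 0 on success and -1 on failure with m_error_code set. On a failed
// image read the partially filled copy is released (and the pointer cleared)
// so a retry or the destructor does not leak or double-free it.
int MalwareExtractor::Initialize()
{
    m_thread = Findthread(Getcputhreadid());
    if (m_thread == NULL) {
        m_error_code = ME_ERROR_NOTHREAD;
        return -1;
    }

    m_module = Findmodule(m_thread->reg.ip);
    if (m_module == NULL) {
        // IP is outside any module known to the debugger, so there is no
        // image to copy. No dedicated error code is visible here; the read
        // error is reused -- TODO(review): add a distinct code if the enum allows.
        m_error_code = ME_ERROR_MEMREAD;
        return -1;
    }

    // NOTE(review): a plain `new` throws on exhaustion instead of returning
    // NULL, so this check only takes effect with a non-throwing allocator.
    m_imagecopy = new uchar[m_module->size];
    if (m_imagecopy == NULL) {
        m_error_code = ME_ERROR_MEMALLOC;
        return -1;
    }

    // Readmemory reports 0 when nothing could be read.
    if (Readmemory(m_imagecopy, m_module->base, m_module->size, MM_RESTORE) == 0) {
        delete[] m_imagecopy;
        m_imagecopy = NULL;
        m_error_code = ME_ERROR_MEMREAD;
        return -1;
    }

    this->BackupModuleRanges();
    m_running = 1;
    return 0;
}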
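// Arm a 1-byte hardware write breakpoint on the stack slot one dword below
// the current thread's stack pointer, then send F9 (presumably "Run") to the
// debugger's main window so the debuggee resumes until that slot is written.
//
// Returns false if the current thread cannot be resolved (nothing is armed),
// true once the breakpoint is set and the run shortcut has been sent.
bool ESPRun(void)
{
    ulong cpuid = Getcputhreadid();
    t_thread *pt = Findthread(cpuid);
    if (pt == NULL) {
        // No current thread (e.g. nothing loaded): avoid the NULL dereference.
        return false;
    }

    // reg.r[4] is the slot the original code treated as ESP. An earlier
    // single-stepping approach (scan forward to PUSHAD, then compute the
    // watch address from the new ESP) lived here as commented-out code and
    // has been dropped; only the direct ESP-4 watch is used.
    DWORD ESP = pt->reg.r[4] - 0x04;
    Sethardwarebreakpoint(ESP, 1, HB_WRITE);
    Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 0, 1, VK_F9);
    return true;
}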