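/*
 * Fill list box hWnd with every "E8 rel32" (and "CC rel32") sequence in the
 * section containing the address currently selected in the CPU disassembler
 * pane whose rel32 resolves to that address, i.e. the call sites of the
 * selected address.
 *
 * Each list entry shows the instruction address as "0x%08x"; the item data
 * holds the same address with bit 31 set when the opcode byte was 0xCC.
 * The list box's parent window title is updated to name the target.
 * Returns silently when no enclosing PE image or section can be found.
 *
 * Fixes over the original: the header search looped forever once the mask
 * reached 0 (the condition used "|| mask==0"), the opcode comparison used a
 * plain (possibly signed) char so 0xE8 never matched, and the scan read
 * data[-1] and up to three bytes past the end of the section buffer.
 */
void GetCallAddress(HWND hWnd)
{
    DWORD addr = Plugingetvalue(VAL_CPUDASM);
    /* Selected address read at a fixed offset inside t_dump — this depends on
       the OllyDbg struct layout; TODO confirm against the SDK header. */
    addr = *(DWORD *)(addr + 0x385);

    /* Find the image base: try addr rounded down to progressively coarser
       alignments until an "MZ" header is found. mask becoming 0 means none. */
    IMAGE_DOS_HEADER dosh;
    DWORD mask = 0xffff0000;
    DWORD base = addr & mask;
    char s[64];
    if (Readmemory(&dosh, base, sizeof dosh, MM_RESTORE | MM_SILENT) != sizeof dosh) {
        dosh.e_magic = 0;   /* unreadable memory cannot be a header */
    }
    while (dosh.e_magic != IMAGE_DOS_SIGNATURE && mask != 0) {
        mask <<= 1;
        base = addr & mask;
        if (Readmemory(&dosh, base, sizeof dosh, MM_SILENT) != sizeof dosh) {
            dosh.e_magic = 0;
        }
    }
    if (base == 0) {
        return;
    }

    /* First section header follows Signature (sizeof of the constant is 4),
       the file header and a standard-size optional header. */
    DWORD pebase = base;
    base += dosh.e_lfanew + sizeof(IMAGE_NT_SIGNATURE) + sizeof(IMAGE_FILE_HEADER) + sizeof(IMAGE_OPTIONAL_HEADER);

    /* Walk the section table until the one containing addr is found; an
       all-zero VirtualAddress or an unreadable entry ends the table. */
    IMAGE_SECTION_HEADER sh;
    for (;;) {
        if (Readmemory(&sh, base, sizeof sh, MM_SILENT) != sizeof sh) {
            return;
        }
        if (sh.VirtualAddress == 0) {
            return;
        }
        if (sh.VirtualAddress + pebase < addr && sh.VirtualAddress + sh.SizeOfRawData + pebase > addr) {
            break;
        }
        base += sizeof sh;
    }

    base = pebase + sh.VirtualAddress;
    DWORD size = sh.SizeOfRawData;
    unsigned char *data = (unsigned char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, size);
    if (data == NULL) {
        return;
    }
    /* On a failed read the zero-filled buffer simply produces no matches. */
    Readmemory(data, base, size, MM_SILENT);

    /* i indexes the rel32 operand, so the opcode byte is at i-1: start at 1
       and keep four operand bytes inside the buffer. A rel32 at base+i is a
       reference to addr when base+i+4 + rel32 == addr. */
    WPARAM j = 0;
    for (DWORD i = 1; i + 4 <= size; i++) {
        const unsigned char *p = data + i;
        DWORD rel = (DWORD)p[0] | ((DWORD)p[1] << 8) | ((DWORD)p[2] << 16) | ((DWORD)p[3] << 24);
        if (rel != (DWORD)(addr - base - i - 4)) {
            continue;
        }
        unsigned char op = data[i - 1];
        if (op == 0xe8 || op == 0xcc) {
            DWORD target = base + i - 1;
            wsprintf(s, "0x%08x", target);
            if (op == 0xcc) {
                target |= 0x80000000;   /* flag entries whose opcode byte is an int3 */
            }
            SendMessage(hWnd, LB_INSERTSTRING, j, (LPARAM)s);
            SendMessage(hWnd, LB_SETITEMDATA, j++, target);
            i += 3;   /* skip the rest of the operand (loop increment adds the 4th) */
        }
    }

    wsprintf(s, "调用0x%08x的参考", addr);
    SetWindowText((HWND)GetWindowLong(hWnd, GWL_HWNDPARENT), s);
    HeapFree(hHeap, 0, data);
}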
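/*
 * Show debuggee text in edit control hWnd as UTF-16, converting from the
 * global code page `pagecode`.
 *
 * type == CPUDUMP: the dump window's selection is read from the debuggee;
 * a lone NUL becomes a space and a double NUL becomes CR LF so the dump
 * reads as lines.  Any other type: the DWORD at the top of the CPU stack
 * pane is followed as a pointer to a NUL-terminated string.
 *
 * Does nothing when the selection is inverted, the string is empty, the
 * debuggee memory cannot be read, or an allocation fails.  The original
 * scanned for the terminator with an uninitialised char and never checked
 * whether Readmemory succeeded, so an unreadable pointer looped forever.
 */
void SetEditText(HWND hWnd, DWORD type)
{
    DWORD len;
    char *info = NULL;
    wchar_t *winfo = NULL;

    if (type == CPUDUMP) {
        DWORD dump = Plugingetvalue(VAL_CPUDDUMP);
        /* Selection bounds read at fixed offsets inside t_dump — this depends
           on the OllyDbg struct layout; TODO confirm against the SDK header. */
        DWORD start = *(DWORD *)(dump + 0x385);
        DWORD end = *(DWORD *)(dump + 0x389);
        if (end < start) {
            return;   /* an inverted selection would underflow len */
        }
        len = end - start;
        /* +2 slack: the NUL rewrite below peeks at info[i+1], and the text
           must stay NUL-terminated for MultiByteToWideChar(-1). */
        info = (char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, len + 2);
        winfo = (wchar_t *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, (len + 2) * sizeof(wchar_t));
        if (info == NULL || winfo == NULL) {
            goto cleanup;
        }
        Readmemory(info, start, len, MM_SILENT);
        for (DWORD i = 0; i < len; i++) {
            if (info[i] != 0) {
                continue;
            }
            if (info[i + 1] == 0) {
                info[i] = 0x0d;
                info[++i] = 0x0a;
            } else {
                info[i] = ' ';
            }
        }
        MultiByteToWideChar(pagecode, 0, info, -1, winfo, len + 2);
        SetWindowTextW(hWnd, winfo);
    } else {
        DWORD stack = Plugingetvalue(VAL_CPUDSTACK);
        DWORD stacktop = *(DWORD *)(stack + 0x385);   /* same layout caveat as above */
        DWORD ptr;
        if (Readmemory(&ptr, stacktop, sizeof ptr, MM_SILENT) != sizeof ptr) {
            return;
        }
        /* Measure the string one byte at a time; an unreadable byte counts
           as the terminator so the loop always ends. len includes the NUL. */
        char c = 0;
        DWORD cur = ptr;
        len = 0;
        do {
            if (Readmemory(&c, cur++, 1, MM_SILENT) != 1) {
                c = 0;
            }
            ++len;
        } while (c != 0);
        if (len == 1) {
            return;   /* empty string: leave the control untouched */
        }
        info = (char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, len);
        winfo = (wchar_t *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, len * sizeof(wchar_t));
        if (info == NULL || winfo == NULL) {
            goto cleanup;
        }
        Readmemory(info, ptr, len, MM_SILENT);
        MultiByteToWideChar(pagecode, 0, info, -1, winfo, len);
        SetWindowTextW(hWnd, winfo);
    }

cleanup:
    if (info != NULL) {
        HeapFree(hHeap, 0, info);
    }
    if (winfo != NULL) {
        HeapFree(hHeap, 0, winfo);
    }
}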
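/*
 * Describe the module that names/comments will be applied to: base address,
 * file name, and the RVA of each section.  segments[0] is 0 (the headers),
 * followed by one entry per section; nseg counts them all.
 *
 * With g_Config->applytodebuggee the debuggee's main executable is looked
 * up among the process modules by file name; otherwise the module that
 * contains the current disassembler range is used.  The section table is
 * read from the PE file on disk, so the header fields are range-checked
 * against the file size before they are dereferenced.
 *
 * On success *err is MODULE_SUCCESS and the returned module_t (with its
 * segments array) is owned by the caller.  On failure *err holds a MODULE_*
 * code and NULL is returned — the original returned the just-freed pointer.
 */
module_t* module_info(int* err)
{
    HANDLE hFile = INVALID_HANDLE_VALUE, hMapping = NULL, hProcess;
    HMODULE* modules;
    LPVOID pMapping = NULL;
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    PIMAGE_SECTION_HEADER sh;
    ULONG needed, cb, cntr, cbase, csize, fsize, shoff, nsect;
    TCHAR buffer[TEXTLEN];
    t_module* dbg_mod;
    module_t* info = (module_t*)malloc(sizeof *info);

    if (!info) {
        /* no dedicated out-of-memory code exists; report it as a resource failure */
        *err = MODULE_FILE_MAPPING_FAILURE;
        return NULL;
    }
    memset(info, 0, sizeof *info);

    /* --- locate the module: base address and file name --- */
    if (g_Config->applytodebuggee) {
        info->name = (TCHAR*)Plugingetvalue(VAL_EXEFILENAME);
        hProcess = (HANDLE)Plugingetvalue(VAL_HPROCESS);
        needed = 0;
        EnumProcessModules(hProcess, NULL, 0, &needed);
        if (needed > 0) {
            cb = needed;
            modules = malloc(cb);
            if (modules && EnumProcessModules(hProcess, modules, cb, &needed)) {
                if (needed > cb) {
                    needed = cb;   /* modules may have been added since the sizing call */
                }
                for (cntr = 0; cntr < needed / sizeof(HMODULE); cntr++) {
                    /* a failed lookup would leave a stale name in buffer */
                    if (!GetModuleFileNameEx(hProcess, modules[cntr], buffer, TEXTLEN)) {
                        continue;
                    }
                    if (!strcmp(info->name, buffer)) {
                        info->base = (ULONG)modules[cntr];
                        break;
                    }
                }
            }
            free(modules);
        }
        if (!info->base) {
            *err = MODULE_BASE_NOT_FOUND;
            free(info);
            return NULL;
        }
    } else {
        Getdisassemblerrange(&cbase, &csize);
        dbg_mod = Findmodule(cbase);
        if (!dbg_mod) {
            *err = MODULE_OUT_OF_RANGE;
            free(info);
            return NULL;
        }
        info->base = (ULONG)dbg_mod->base;
        info->name = (TCHAR*)&dbg_mod->path;
    }

    /* --- read the section table from the PE file on disk --- */
    *err = MODULE_FILE_SHARING_VIOLATION;
    hFile = CreateFile(info->name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        goto fail;
    }
    /* everything from here on is reported as a mapping failure, as before */
    *err = MODULE_FILE_MAPPING_FAILURE;
    fsize = GetFileSize(hFile, NULL);
    if (fsize == INVALID_FILE_SIZE || fsize < sizeof(IMAGE_NT_HEADERS)) {
        goto fail;
    }
    hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, 0);
    if (!hMapping) {
        goto fail;
    }
    pMapping = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (!pMapping) {
        goto fail;
    }

    /* Header offsets come from the file itself: bound them before use. */
    dos = (PIMAGE_DOS_HEADER)pMapping;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE || dos->e_lfanew < 0 || (ULONG)dos->e_lfanew > fsize - sizeof(IMAGE_NT_HEADERS)) {
        goto fail;
    }
    nt = (PIMAGE_NT_HEADERS)((char*)pMapping + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        goto fail;
    }
    /* IMAGE_FIRST_SECTION uses SizeOfOptionalHeader, itself a file field, so
       check that the whole section table lies inside the mapping. */
    sh = IMAGE_FIRST_SECTION(nt);
    shoff = (ULONG)((char*)sh - (char*)pMapping);
    nsect = nt->FileHeader.NumberOfSections;
    if (shoff > fsize || nsect > (fsize - shoff) / sizeof(IMAGE_SECTION_HEADER)) {
        goto fail;
    }

    info->nseg = nsect + 1;
    info->segments = (PULONG)malloc(info->nseg * sizeof(ULONG));
    if (!info->segments) {
        goto fail;
    }
    info->segments[0] = 0;
    for (cntr = 1; cntr < info->nseg; cntr++) {
        info->segments[cntr] = sh->VirtualAddress;
        sh++;
    }

    UnmapViewOfFile(pMapping);
    CloseHandle(hMapping);
    CloseHandle(hFile);
    *err = MODULE_SUCCESS;
    return info;

fail:
    if (pMapping) {
        UnmapViewOfFile(pMapping);
    }
    if (hMapping) {
        CloseHandle(hMapping);
    }
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    free(info->segments);   /* NULL on every path that reaches here */
    free(info);
    return NULL;
}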
/*
 * Window procedure of the plugin's configuration dialog.
 *
 * WM_CREATE builds the controls (check boxes, radio groups, the mask list
 * box and Apply/Cancel) and loads their state from g_Config; WM_COMMAND
 * handles the buttons and the mask-list editing commands; ID_APPLY writes the
 * dialog state back into g_Config and persists it with config_create.
 * The dialog disables OllyDbg's main window (g_hwndOlly) while it is open
 * and re-enables it on WM_CLOSE.
 *
 * Notes from review:
 *  - LB_GETTEXT copies into a TEXTLEN buffer without first asking
 *    LB_GETTEXTLEN; entries are bounded by fgets/Gettextxy today, so this
 *    holds only as long as every producer stays within TEXTLEN.
 *  - ID_SAVE appends "\n" with strcat to a buffer that may already hold
 *    TEXTLEN-1 characters, and the ID_ADD/ID_INSERT/ID_EDIT error path
 *    copies buffer into errbuf (ERRBUFLEN) and appends "\n\n"; neither is
 *    bounds-checked, so ERRBUFLEN must exceed TEXTLEN + 2.
 *  - The three mask-prompt loops share one block of code that could be a
 *    helper.
 */
LRESULT CALLBACK configwnd_msgproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam)
{
    HWND wnd;
    RECT rect;
    FILE* file;
    TCHAR buffer[TEXTLEN], errbuf[ERRBUFLEN];
    mask_t* msk;
    mask_t msk_tmp;
    int counter, index, height, count, result;
    switch (msg) {
    case WM_ACTIVATE:
        SetFocus(g_hwndMaskList);
        break;
    case WM_COMMAND:
        switch (LOWORD(wparam)) {
        /* HIWORD(wparam) == 1 is the accelerator notification: the check
           boxes are toggled by hand here, the mouse click toggles itself. */
        case ID_COMMENTS:
            if (HIWORD(wparam) == 1) {
                CheckDlgButton(hwnd, ID_COMMENTS, IsDlgButtonChecked(hwnd, ID_COMMENTS) ^ BST_CHECKED);
            }
            break;
        case ID_LABELS:
            if (HIWORD(wparam) == 1) {
                CheckDlgButton(hwnd, ID_LABELS, IsDlgButtonChecked(hwnd, ID_LABELS) ^ BST_CHECKED);
            }
            break;
        case ID_USEMASKS:
            if (HIWORD(wparam) == 1) {
                CheckDlgButton(hwnd, ID_USEMASKS, IsDlgButtonChecked(hwnd, ID_USEMASKS) ^ BST_CHECKED);
            }
            break;
        case ID_DEMANGLE:
            if (HIWORD(wparam) == 1) {
                CheckDlgButton(hwnd, ID_DEMANGLE, IsDlgButtonChecked(hwnd, ID_DEMANGLE) ^ BST_CHECKED);
            }
            break;
        /* radio groups: collisions, apply-to, auto-import */
        case ID_SKIP:
            CheckDlgButton(hwnd, ID_SKIP, BST_CHECKED);
            CheckDlgButton(hwnd, ID_OVERWRITE, BST_UNCHECKED);
            break;
        case ID_OVERWRITE:
            CheckDlgButton(hwnd, ID_SKIP, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_OVERWRITE, BST_CHECKED);
            break;
        case ID_MODULE:
            CheckDlgButton(hwnd, ID_MODULE, BST_CHECKED);
            CheckDlgButton(hwnd, ID_DEBUGGEE, BST_UNCHECKED);
            break;
        case ID_DEBUGGEE:
            CheckDlgButton(hwnd, ID_DEBUGGEE, BST_CHECKED);
            CheckDlgButton(hwnd, ID_MODULE, BST_UNCHECKED);
            break;
        case ID_ASKTOIMPORT:
            CheckDlgButton(hwnd, ID_ASKTOIMPORT, BST_CHECKED);
            CheckDlgButton(hwnd, ID_IMPORTALWAYS, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_DONOTHING, BST_UNCHECKED);
            break;
        case ID_IMPORTALWAYS:
            CheckDlgButton(hwnd, ID_ASKTOIMPORT, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_IMPORTALWAYS, BST_CHECKED);
            CheckDlgButton(hwnd, ID_DONOTHING, BST_UNCHECKED);
            break;
        case ID_DONOTHING:
            CheckDlgButton(hwnd, ID_ASKTOIMPORT, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_IMPORTALWAYS, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_DONOTHING, BST_CHECKED);
            break;
        case ID_CANCEL:
            SendMessage(hwnd, WM_CLOSE, 0, 0);
            break;
        case ID_APPLY:
            /* copy every control into g_Config, then rebuild the mask list */
            if (IsDlgButtonChecked(hwnd, ID_COMMENTS) == BST_CHECKED) { g_Config->comments = TRUE; } else { g_Config->comments = FALSE; }
            if (IsDlgButtonChecked(hwnd, ID_LABELS) == BST_CHECKED) { g_Config->labels = TRUE; } else { g_Config->labels = FALSE; }
            if (IsDlgButtonChecked(hwnd, ID_SKIP) == BST_CHECKED) { g_Config->collisionchecks = TRUE; } else { g_Config->collisionchecks = FALSE; }
            if (IsDlgButtonChecked(hwnd, ID_DEBUGGEE) == BST_CHECKED) { g_Config->applytodebuggee = TRUE; } else { g_Config->applytodebuggee = FALSE; }
            if (IsDlgButtonChecked(hwnd, ID_ASKTOIMPORT) == BST_CHECKED) { g_Config->aimport = AUTOIMPORT_ASK; }
            if (IsDlgButtonChecked(hwnd, ID_IMPORTALWAYS) == BST_CHECKED) { g_Config->aimport = AUTOIMPORT_ALWAYS; }
            if (IsDlgButtonChecked(hwnd, ID_DONOTHING) == BST_CHECKED) { g_Config->aimport = AUTOIMPORT_DISABLED; }
            if (IsDlgButtonChecked(hwnd, ID_USEMASKS) == BST_CHECKED) { g_Config->usemasks = TRUE; } else { g_Config->usemasks = FALSE; }
            if (IsDlgButtonChecked(hwnd, ID_DEMANGLE) == BST_CHECKED) { g_Config->demangle = TRUE; } else { g_Config->demangle = FALSE; }
            list_freemasks(g_Config->masks);
            g_Config->masks = list_create();
            count = SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0);
            for (counter = 0; counter < count; counter++) {
                SendMessage(g_hwndMaskList, LB_GETTEXT, counter, (LPARAM)buffer);
                list_addmask(g_Config->masks, buffer);
            }
            /* buffer is reused as scratch for the config path here */
            config_create(config_locate(buffer), g_Config);
            SendMessage(hwnd, WM_CLOSE, 0, 0);
            break;
        case ID_DELETE:
            /* with no selection index is LB_ERR and both list messages fail harmlessly */
            index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
            SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
            if (SendMessage(g_hwndMaskList, LB_SETCURSEL, index, 0) == LB_ERR) {
                SendMessage(g_hwndMaskList, LB_SETCURSEL, index - 1, 0);
            }
            break;
        /* move the selected mask: insert a copy at the new slot, then delete the old one */
        case ID_INCREASE:
            index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
            if (index > 0) {
                SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
                SendMessage(g_hwndMaskList, LB_INSERTSTRING, index - 1, (LPARAM)buffer);
                SendMessage(g_hwndMaskList, LB_DELETESTRING, index + 1, 0);
                SendMessage(g_hwndMaskList, LB_SETCURSEL, index - 1, 0);
            }
            break;
        case ID_MAXINCREASE:
            index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
            if (index > 0) {
                SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
                SendMessage(g_hwndMaskList, LB_INSERTSTRING, 0, (LPARAM)buffer);
                SendMessage(g_hwndMaskList, LB_DELETESTRING, index + 1, 0);
                SendMessage(g_hwndMaskList, LB_SETCURSEL, 0, 0);
            }
            break;
        case ID_DECREASE:
            index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
            if (index != LB_ERR && index < SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0) - 1) {
                SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
                SendMessage(g_hwndMaskList, LB_INSERTSTRING, index + 2, (LPARAM)buffer);
                SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
                SendMessage(g_hwndMaskList, LB_SETCURSEL, index + 1, 0);
            }
            break;
        case ID_MAXDECREASE:
            index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
            count = SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0);
            if (index != LB_ERR && index < count - 1) {
                SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
                SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)buffer), 0);
                SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
            }
            break;
        case ID_SAVE:
            /* write one mask per line to a file chosen by the user */
            count = SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0);
            if (count > 0) {
                EnableWindow(hwnd, FALSE);
                buffer[0] = '\0';
                if (Browsefilename("Save mask list to:", buffer, ".TXT|*.*", 0x80)) {
                    file = fopen(buffer, "w");
                    if (file) {
                        for (counter = 0; counter < count; counter++) {
                            SendMessage(g_hwndMaskList, LB_GETTEXT, counter, (LPARAM)buffer);
                            /* NOTE(review): unbounded append; overflows if the entry is TEXTLEN-1 long */
                            strcat(buffer, "\n");
                            fputs(buffer, file);
                        }
                        fclose(file);
                    } else {
                        MessageBox(hwnd, "Failed to open the file for writing", 0, MB_ICONERROR);
                    }
                }
                EnableWindow(hwnd, TRUE);
                SetFocus(g_hwndMaskList);
            }
            break;
        case ID_LOAD:
            /* replace the list with the file's lines, keeping only masks that compile */
            EnableWindow(hwnd, FALSE);
            buffer[0] = '\0';
            if (Browsefilename("Load mask list from:", buffer, ".TXT|*.*", 0)) {
                file = fopen(buffer, "r");
                if (file) {
                    while (SendMessage(g_hwndMaskList, LB_DELETESTRING, 0, 0) != LB_ERR) {}
                    while (fgets(buffer, TEXTLEN, file)) {
                        strtok(buffer, "\n");   /* strip the trailing newline in place */
                        if (!mask_compile(&msk_tmp, buffer)) {
                            SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)buffer);
                            pcre_free(msk_tmp.regex);
                            if (msk_tmp.extra) { pcre_free(msk_tmp.extra); }
                        }
                    }
                    SendMessage(g_hwndMaskList, LB_SETCURSEL, 0, 0);
                    fclose(file);
                } else {
                    MessageBox(hwnd, "Failed to open the file", 0, MB_ICONERROR);
                }
            }
            EnableWindow(hwnd, TRUE);
            SetFocus(g_hwndMaskList);
            break;
        case ID_ADD:
            /* prompt until the mask compiles or the user cancels (result <= 0) */
            EnableWindow(hwnd, FALSE);
            buffer[0] = '\0';
            result = TRUE;
            while (result) {
                result = Gettextxy("Add new mask:", buffer, 0, INPUTWND_TYPE, Plugingetvalue(VAL_WINDOWFONT), GetSystemMetrics(SM_CXSCREEN) / 2, GetSystemMetrics(SM_CYSCREEN) / 2);
                if (result > 0) {
                    /* assignment is intended: a non-zero compile error re-runs the prompt */
                    if (result = mask_compile(&msk_tmp, buffer)) {
                        strcpy(errbuf, buffer);
                        strcat(errbuf, "\n\n");
                        mask_error(&msk_tmp, strrchr(errbuf, '\n') + 1);
                        MessageBox(hwnd, errbuf, "Mask syntax error", MB_ICONERROR);
                    } else {
                        SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)buffer), 0);
                        pcre_free(msk_tmp.regex);
                        if (msk_tmp.extra) { pcre_free(msk_tmp.extra); }
                    }
                } else {
                    break;
                }
            }
            EnableWindow(hwnd, TRUE);
            SetFocus(g_hwndMaskList);
            break;
        case ID_INSERT:
            /* as ID_ADD, but the new mask goes in front of the current selection */
            EnableWindow(hwnd, FALSE);
            buffer[0] = '\0';
            result = TRUE;
            while (result) {
                result = Gettextxy("Insert new mask:", buffer, 0, INPUTWND_TYPE, Plugingetvalue(VAL_WINDOWFONT), GetSystemMetrics(SM_CXSCREEN) / 2, GetSystemMetrics(SM_CYSCREEN) / 2);
                if (result > 0) {
                    if (result = mask_compile(&msk_tmp, buffer)) {
                        strcpy(errbuf, buffer);
                        strcat(errbuf, "\n\n");
                        mask_error(&msk_tmp, strrchr(errbuf, '\n') + 1);
                        MessageBox(hwnd, errbuf, "Mask syntax error", MB_ICONERROR);
                    } else {
                        SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_INSERTSTRING, SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0), (LPARAM)buffer), 0);
                        pcre_free(msk_tmp.regex);
                        if (msk_tmp.extra) { pcre_free(msk_tmp.extra); }
                    }
                } else {
                    break;
                }
            }
            EnableWindow(hwnd, TRUE);
            SetFocus(g_hwndMaskList);
            break;
        case ID_EDIT:
            /* as ID_ADD, pre-filled with the selected mask, which is replaced in place */
            index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
            if (index != LB_ERR) {
                EnableWindow(hwnd, FALSE);
                SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
                result = TRUE;
                while (result) {
                    result = Gettextxy("Edit mask:", buffer, 0, INPUTWND_TYPE, Plugingetvalue(VAL_WINDOWFONT), GetSystemMetrics(SM_CXSCREEN) / 2, GetSystemMetrics(SM_CYSCREEN) / 2);
                    if (result > 0) {
                        if (result = mask_compile(&msk_tmp, buffer)) {
                            strcpy(errbuf, buffer);
                            strcat(errbuf, "\n\n");
                            mask_error(&msk_tmp, strrchr(errbuf, '\n') + 1);
                            MessageBox(hwnd, errbuf, "Mask syntax error", MB_ICONERROR);
                        } else {
                            SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
                            SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_INSERTSTRING, (WPARAM)index, (LPARAM)buffer), 0);
                            pcre_free(msk_tmp.regex);
                            if (msk_tmp.extra) { pcre_free(msk_tmp.extra); }
                        }
                    } else {
                        break;
                    }
                }
                EnableWindow(hwnd, TRUE);
                SetFocus(g_hwndMaskList);
            }
            break;
        }
        break;
    case WM_CREATE:
        /* Modal behaviour: OllyDbg's main window stays disabled until WM_CLOSE. */
        EnableWindow(g_hwndOlly, FALSE);
        /* resize so the client area is OPTWND_WINDOW_HEIGHT tall, keeping the frame */
        GetClientRect(hwnd, &rect);
        height = rect.bottom;
        GetWindowRect(hwnd, &rect);
        height = rect.bottom - rect.top - height + OPTWND_WINDOW_HEIGHT;
        SetWindowPos(hwnd, NULL, 0, 0, rect.right - rect.left, height, SWP_NOMOVE | SWP_NOZORDER);
        /* Window styles are given as raw numbers; they appear to decode as
           0x50020007 = WS_CHILD|WS_VISIBLE|WS_GROUP|BS_GROUPBOX,
           0x50010003 = WS_CHILD|WS_VISIBLE|WS_TABSTOP|BS_AUTOCHECKBOX,
           0x50010009 / 0x50000009 = ...|BS_AUTORADIOBUTTON with/without WS_TABSTOP,
           0x50012F00 = ...|WS_TABSTOP|BS_MULTILINE|BS_CENTER|BS_VCENTER push button
           — spelling them out would make that verifiable at a glance. */
        wnd = CreateWindowEx(0, "Button", "Import objects:", 0x50020007, 4, 0, 128, 64, hwnd, (HMENU)ID_IMPORT, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Comments", 0x50010003, 12, 16, 112, 20, hwnd, (HMENU)ID_COMMENTS, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Labels", 0x50010003, 12, 36, 112, 20, hwnd, (HMENU)ID_LABELS, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "Collisions:", 0x50020007, 4, 68, 128, 64, hwnd, (HMENU)ID_COLLISIONS, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Skip if collision", 0x50010009, 12, 86, 116, 16, hwnd, (HMENU)ID_SKIP, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Overwrite", 0x50000009, 12, 106, 116, 16, hwnd, (HMENU)ID_OVERWRITE, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "Apply names to:", 0x50020007, 4, 136, 128, 64, hwnd, (HMENU)ID_APPLYTO, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Viewed module", 0x50010009, 12, 154, 116, 16, hwnd, (HMENU)ID_MODULE, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Debuggee", 0x50010009, 12, 174, 116, 16, hwnd, (HMENU)ID_DEBUGGEE, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "If map file found:", 0x50020007, 4, 204, 128, 80, hwnd, (HMENU)ID_AUTOIMPORT, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Ask to import", 0x50000009, 12, 222, 116, 16, hwnd, (HMENU)ID_ASKTOIMPORT, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "&Import always", 0x50000009, 12, 242, 116, 16, hwnd, (HMENU)ID_IMPORTALWAYS, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        /* NOTE(review): this caption looks like a mangled "Do &nothing" (an
           "&not" entity turned into the ¬ character during extraction) — verify
           against the original source before relying on the accelerator. */
        wnd = CreateWindowEx(0, "Button", "Do ¬hing", 0x50000009, 12, 262, 116, 16, hwnd, (HMENU)ID_DONOTHING, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "Filter:", 0x50020007, 136, 0, 208, 284, hwnd, (HMENU)ID_FILTER, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        g_hwndMaskList = CreateWindowEx(0x200, "ListBox", "", WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL, 144, 16, 192, 230, hwnd, (HMENU)ID_MASKS, g_hInstance, NULL);
        SendMessage(g_hwndMaskList, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        /* subclass the list box; the previous procedure is parked in GWLP_USERDATA */
        SetWindowLongPtr(g_hwndMaskList, GWLP_USERDATA, SetWindowLongPtr(g_hwndMaskList, GWLP_WNDPROC, (LONG)listbox_msgproc));
        SetFocus(g_hwndMaskList);
        wnd = CreateWindowEx(0, "Button", "Use &masks", 0x50010003, 144, 242, 116, 16, hwnd, (HMENU)ID_USEMASKS, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "D&emangle names", 0x50010003, 144, 262, 116, 16, hwnd, (HMENU)ID_DEMANGLE, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "Apply", 0x50012F00, 204, 288, 68, 20, hwnd, (HMENU)ID_APPLY, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        wnd = CreateWindowEx(0, "Button", "Cancel", 0x50012F00, 276, 288, 68, 20, hwnd, (HMENU)ID_CANCEL, g_hInstance, NULL);
        SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
        /* initialise the controls from g_Config (mirror of ID_APPLY) */
        if (g_Config->comments) { CheckDlgButton(hwnd, ID_COMMENTS, BST_CHECKED); } else { CheckDlgButton(hwnd, ID_COMMENTS, BST_UNCHECKED); }
        if (g_Config->labels) { CheckDlgButton(hwnd, ID_LABELS, BST_CHECKED); } else { CheckDlgButton(hwnd, ID_LABELS, BST_UNCHECKED); }
        if (g_Config->collisionchecks) {
            CheckDlgButton(hwnd, ID_SKIP, BST_CHECKED);
            CheckDlgButton(hwnd, ID_OVERWRITE, BST_UNCHECKED);
        } else {
            CheckDlgButton(hwnd, ID_SKIP, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_OVERWRITE, BST_CHECKED);
        }
        if (g_Config->applytodebuggee) {
            CheckDlgButton(hwnd, ID_DEBUGGEE, BST_CHECKED);
            CheckDlgButton(hwnd, ID_MODULE, BST_UNCHECKED);
        } else {
            CheckDlgButton(hwnd, ID_DEBUGGEE, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_MODULE, BST_CHECKED);
        }
        if (g_Config->aimport == AUTOIMPORT_ASK) {
            CheckDlgButton(hwnd, ID_ASKTOIMPORT, BST_CHECKED);
            CheckDlgButton(hwnd, ID_IMPORTALWAYS, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_DONOTHING, BST_UNCHECKED);
        } else if (g_Config->aimport == AUTOIMPORT_ALWAYS) {
            CheckDlgButton(hwnd, ID_IMPORTALWAYS, BST_CHECKED);
            CheckDlgButton(hwnd, ID_ASKTOIMPORT, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_DONOTHING, BST_UNCHECKED);
        } else {
            CheckDlgButton(hwnd, ID_DONOTHING, BST_CHECKED);
            CheckDlgButton(hwnd, ID_ASKTOIMPORT, BST_UNCHECKED);
            CheckDlgButton(hwnd, ID_IMPORTALWAYS, BST_UNCHECKED);
        }
        if (g_Config->usemasks) { CheckDlgButton(hwnd, ID_USEMASKS, BST_CHECKED); } else { CheckDlgButton(hwnd, ID_USEMASKS, BST_UNCHECKED); }
        if (g_Config->demangle) { CheckDlgButton(hwnd, ID_DEMANGLE, BST_CHECKED); } else { CheckDlgButton(hwnd, ID_DEMANGLE, BST_UNCHECKED); }
        msk = (mask_t*)g_Config->masks->first;
        while (msk) {
            SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)msk->buffer);
            msk = msk->next;
        }
        SendMessage(g_hwndMaskList, LB_SETCURSEL, 0, 0);
        break;
    case WM_CLOSE:
        EnableWindow(g_hwndOlly, TRUE);
        SetFocus(g_hwndOlly);
        DestroyWindow(hwnd);
        break;
    case WM_DESTROY:
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hwnd, msg, wparam, lparam);
    }
    return FALSE;
}
/*
 * OllyDbg plugin entry point for menu actions.
 *
 * origin selects the menu (PM_MAIN = plugin menu, PM_DISASM = disassembler
 * context menu) and action the item index.  item is not used.
 *
 * PM_DISASM/0 currently contains an in-progress experiment: it loads a DLL
 * from a hard-coded developer path into the debuggee and then returns, so
 * the `me` (malware extractor) logic below that point is unreachable.
 *
 * Notes from review on the PM_DISASM/0 block:
 *  - VirtualAllocEx, WriteProcessMemory, GetProcAddress and CreateRemoteThread
 *    results are never checked; a NULL from any of them is passed straight on.
 *  - hThread is never closed, leaking a handle per invocation.
 *  - ResumeThread has no effect on a thread not created suspended.
 *  - The DLL path is specific to one workstation and should be configurable.
 */
extc void _export cdecl ODBG_Pluginaction(int origin, int action, void *item)
{
    switch (origin) {
    case PM_MAIN:
        switch (action) {
        case 0: // Malware extractor -> About
            MessageBox(hwmain,
                       "Malicious code extraction plugin v1.0\n(extracts "
                       "malicious code from obfuscated binaries)\n "
                       "Copyright (C) 2009 Tadas Vilkeliskis\n"
                       "Stevens Institute of Technology",
                       "Malicious code extraction plugin",
                       MB_OK|MB_ICONINFORMATION);
            break;
        default:
            break;
        }
        break;
    case PM_DISASM:
        switch (action) {
        case 0: // Malware extractor -> Analyze
        {
            HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
            // hard-coded developer path; see the review notes above
            char dllName[] = "c:\\Documents and Settings\\T\\Desktop\\research\\unpacker\\release\\unpacker.dll";
            HANDLE hProcess = (HANDLE) Plugingetvalue(VAL_HPROCESS);
            // unchecked: NULL on failure and then passed to WriteProcessMemory
            LPVOID addrDll = VirtualAllocEx(hProcess, NULL, sizeof(dllName), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
            WriteProcessMemory(hProcess, addrDll, dllName, sizeof(dllName), NULL);
            // unchecked, and the handle is never closed
            HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"), addrDll, NULL, NULL);
            ResumeThread(hThread);   // no-op: the thread was not created suspended
            //WaitForSingleObject(hThread, INFINITE);
            // Early exit left over from development: everything below is unreachable.
            return;
            if (me.IsRunning()) {
                Error("Malware extractor is already running");
                return;
            }
            if (me.Initialize() == -1) {
                switch (me.GetErrorCode()) {
                case ME_ERROR_NOTHREAD:
                    Error("No threads found.");
                    break;
                case ME_ERROR_MEMALLOC:
                    Error("Failed to allocate memory.");
                    break;
                case ME_ERROR_MEMREAD:
                    Error("Failed to read process memory.");
                    break;
                }
                me.Reset();
                return;
            }
            // Second early exit: the address search below is also unreachable.
            return;
            if (me.FindNextAddress(0) == -1) {
                switch (me.GetErrorCode()) {
                case ME_ERROR_OUTOFBOUNDS:
                    Error("Trying to access illegal address.");
                    break;
                case ME_ERROR_NOTFOUND:
                    Error("Address not found.");
                    break;
                }
                me.Reset();
                return;
            }
            //sprintf (str, "FINAL: %d, %08X, %08X", cmd_size, dasm.jmpaddr, ip - cmd_size);
            //Error (str);
            /*if (Setbreakpointext (ip - cmd_size, TY_ONESHOT, 0, 0) == -1) { ODBG_Pluginreset (); Error ("Cannot set breakpoint on %08X", ip - cmd_size); return; }*/
            //Go (me_ctx.thread->threadid, ip - cmd_size, STEP_SKIP, 1, 1);
            //Error ("%08X", ip - cmd_size);
        }
        break;
        case 1: // Malware extractor -> Stop analysis
            //Suspendprocess (0);
            ODBG_Pluginreset ();
            break;
        }
        break;
    }
}
/*
 * Command callback: asks OllyDbg's CPU window to show the global `address`
 * in its dump pane (Setcpu with the CPU_DUMP* flags) and, when parm is
 * non-zero, switches the dump pane to display type parm.
 * The answer argument is unused.  Always returns 0.
 */
int Dumpcmd(char *answer, ulong parm)
{
    (void)answer;
    Setcpu(0, 0, address, 0, CPU_DUMPHIST | CPU_DUMPFIRST | CPU_DUMPFOCUS);
    if (parm != 0) {
        t_dump *dump = (t_dump *)Plugingetvalue(VAL_CPUDDUMP);
        Setdumptype(dump, parm);
    }
    return 0;
}
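/*
 * Read the PE headers of the debuggee's executable from disk and cache them
 * in the globals: PEFileInfo (image-wide fields), lpSectInfo (one SECTIONINFO
 * per section, caller-visible through the global), szWorkPath / DbgePath /
 * DbgeName (directory, full path, file name) and strCurEIP (set to ep).
 *
 * Returns true on success.  On failure a message box is shown, false is
 * returned and the file buffer is released.  All header offsets come from a
 * file on disk and are range-checked against the file size before use; the
 * original trusted e_lfanew and NumberOfSections, copied the 8-byte section
 * name with strcpy (it need not be NUL-terminated), allocated
 * sizeof(SECTIONINFO)*n+1 bytes instead of n+1 elements, and created a
 * private heap on every call without ever destroying it.
 */
bool GetPEInfo(DWORD ep)
{
    HWND hwmain = hwndOllyDbg();
    HANDLE hFile;
    LPBYTE fbuf = NULL;
    DWORD dwFsiz, dwRsiz, hdrOff, sectOff;
    PIMAGE_DOS_HEADER idosh;
    PIMAGE_NT_HEADERS ipeh;
    PIMAGE_SECTION_HEADER isech;
    unsigned int i;
    bool ok = false;

    strCurEIP = ep;
    DbgePath = (LPTSTR)Plugingetvalue(VAL_EXEFILENAME);
    DbgeName = (LPTSTR)strrchr(DbgePath, '\\');
    if (DbgeName == NULL) {
        /* no directory component: empty work path, the whole path is the name */
        DbgeName = DbgePath;
        szWorkPath[0] = '\0';
    } else {
        size_t dirlen = (size_t)(DbgeName - DbgePath);
        if (dirlen >= sizeof(szWorkPath)) {
            dirlen = sizeof(szWorkPath) - 1;   /* keep the copy inside szWorkPath */
        }
        memcpy(szWorkPath, DbgePath, dirlen);
        szWorkPath[dirlen] = '\0';
        DbgeName++;   /* skip the backslash */
    }

    /* Read the whole file into memory. */
    hFile = CreateFile(DbgePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        MessageBox(hwmain, "DUMP: 不能访问文件", PNAME, MB_OK);
        return false;
    }
    dwFsiz = GetFileSize(hFile, NULL);
    if (dwFsiz == INVALID_FILE_SIZE) {
        MessageBox(hwmain, "DUMP: 不能读文件", PNAME, MB_OK);
        CloseHandle(hFile);
        return false;
    }
    fbuf = (LPBYTE)malloc(dwFsiz);
    if (fbuf == NULL) {
        MessageBox(hwmain, "DUMP: 内存分配失败", PNAME, MB_OK);
        CloseHandle(hFile);
        return false;
    }
    if (ReadFile(hFile, fbuf, dwFsiz, &dwRsiz, NULL) == 0 || dwRsiz != dwFsiz) {
        MessageBox(hwmain, "DUMP: 不能读文件", PNAME, MB_OK);
        CloseHandle(hFile);
        free(fbuf);
        return false;
    }
    CloseHandle(hFile);

    /* Validate the DOS header. */
    idosh = (PIMAGE_DOS_HEADER)fbuf;
    if (dwFsiz < sizeof(IMAGE_DOS_HEADER) || idosh->e_magic != IMAGE_DOS_SIGNATURE) {
        MessageBox(hwmain, "DUMP: 错误的DOS头(MZ)!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
        goto done;
    }
    /* e_lfanew is a signed file field: reject negative or out-of-file values
       before forming the NT header pointer. */
    if (idosh->e_lfanew < 0 || (DWORD)idosh->e_lfanew > dwFsiz || dwFsiz - (DWORD)idosh->e_lfanew < sizeof(IMAGE_NT_HEADERS)) {
        MessageBox(hwmain, "DUMP: 错误的PE标志头!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
        goto done;
    }
    hdrOff = (DWORD)idosh->e_lfanew;
    ipeh = (PIMAGE_NT_HEADERS)(fbuf + hdrOff);
    if (ipeh->Signature != IMAGE_NT_SIGNATURE) {
        MessageBox(hwmain, "DUMP: 错误的PE标志头!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
        goto done;
    }
    /* The section table starts after the optional header, whose size is
       itself a file field (this mirrors IMAGE_FIRST_SECTION); make sure the
       whole table lies inside the buffer. */
    sectOff = hdrOff + (DWORD)FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + ipeh->FileHeader.SizeOfOptionalHeader;
    if (sectOff > dwFsiz || ipeh->FileHeader.NumberOfSections > (dwFsiz - sectOff) / sizeof(IMAGE_SECTION_HEADER)) {
        MessageBox(hwmain, "DUMP: 错误的PE标志头!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
        goto done;
    }

    PEFileInfo.woNumOfSect = ipeh->FileHeader.NumberOfSections;
    PEFileInfo.dwImageBase = ipeh->OptionalHeader.ImageBase;
    PEFileInfo.dwSizeOfImage = ipeh->OptionalHeader.SizeOfImage;
    PEFileInfo.dwBaseOfCode = ipeh->OptionalHeader.BaseOfCode;
    PEFileInfo.dwBaseOfData = ipeh->OptionalHeader.BaseOfData;
    PEFileInfo.dwAddrOfEP = ipeh->OptionalHeader.AddressOfEntryPoint;

    /* NOTE(review): a previous lpSectInfo is not released here (the original
       did not either); who owns it between calls is not visible from this file. */
    lpSectInfo = (LPSECTIONINFO)malloc(sizeof(SECTIONINFO) * (PEFileInfo.woNumOfSect + 1));
    if (lpSectInfo == NULL) {
        MessageBox(hwmain, "DUMP: 内存分配失败", PNAME, MB_OK);
        goto done;
    }
    isech = IMAGE_FIRST_SECTION(ipeh);
    for (i = 0; i < PEFileInfo.woNumOfSect; i++) {
        LPSECTIONINFO si = lpSectInfo + i;
        /* Name is IMAGE_SIZEOF_SHORT_NAME bytes and need not be NUL-terminated,
           so copy it bounded by the destination (byName is assumed to be an
           array — confirm in SECTIONINFO) and terminate when there is room. */
        size_t cap = sizeof si->byName;
        size_t n = IMAGE_SIZEOF_SHORT_NAME < cap ? IMAGE_SIZEOF_SHORT_NAME : cap;
        memcpy(si->byName, isech[i].Name, n);
        if (n < cap) {
            si->byName[n] = '\0';
        }
        si->dwVSize = isech[i].Misc.VirtualSize;
        si->dwVOffset = isech[i].VirtualAddress;
        si->dwRSize = isech[i].SizeOfRawData;
        si->dwROffset = isech[i].PointerToRawData;
        si->dwCharacteristics = isech[i].Characteristics;
    }
    ok = true;

done:
    free(fbuf);
    return ok;
}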
/*
 * Return OllyDbg's main window handle.  It is queried from the plugin API
 * on first use and cached in the global hwmain for later calls.
 */
HWND hwndOllyDbg()
{
    if (hwmain == NULL) {
        hwmain = (HWND)Plugingetvalue(VAL_HWMAIN);
    }
    return hwmain;
}
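/* Log one matching instruction and set an active breakpoint on it. */
static void xxx_mark_match(const T_X86Instruction *ins)
{
    DbgMsg("0x%08X %d %s ", ins->Addresss, ins->OpCodeLength, ins->Command);
    Setbreakpoint(ins->Addresss, TY_ACTIVE | TY_KEEPCODE, 0);
}

/*
 * Prompt for a text pattern, then disassemble every procedure OllyDbg knows
 * starting from the base of the dump window in pItem (a t_dump) and put an
 * active breakpoint on each instruction whose disassembly text contains the
 * pattern.  When pSubString is non-NULL the text must contain it as well.
 *
 * Returns FALSE when the prompt is cancelled, TRUE otherwise.  A procedure
 * is abandoned at the first unreadable or zero-length command; the original
 * did not guard the zero-length case, which would stall the loop.
 */
BOOL XXX(LPVOID pItem, char *pSubString)
{
    t_dump *pX86Dasm = (t_dump *)pItem;
    ulong Address = pX86Dasm->base;
    char cPattern[0x100] = {0};

    if (Gettext("Search for pattern ...", cPattern, 0, 0, Plugingetvalue(VAL_WINDOWFONT)) == -1) {
        return FALSE;
    }

    while ((Address = Findnextproc(Address)) != 0) {
        ulong start, end;
        Getproclimits(Address, &start, &end);
        ulong ip = start;
        while (ip < end) {
            unsigned char InstStr[MAXCMDSIZE];
            t_disasm da;
            T_X86Instruction ins;
            if (!Readcommand(ip, (char *)InstStr)) {
                break;
            }
            ulong len = Disasm((char *)InstStr, MAXCMDSIZE, ip, NULL, &da, DISASM_CODE, 0);
            if (len == 0) {
                break;
            }
            ins.Addresss = ip;
            /* da.result is copied wholesale; 256 is the size the original used,
               presumably TEXTLEN — confirm Command is at least that large */
            memcpy(ins.Command, da.result, 256);
            ins.OpCodeLength = len;
            if (strstr((char *)ins.Command, cPattern) != NULL) {
                if (pSubString == NULL || strstr((char *)ins.Command, pSubString) != NULL) {
                    xxx_mark_match(&ins);
                }
            }
            ip += len;
        }
    }
    return TRUE;
}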