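/*
 * Assemble a little-endian 32-bit value from four bytes at an arbitrary
 * (possibly unaligned) position.  Avoids the DWORD* cast of the old code,
 * which relied on unaligned access and broke strict aliasing.
 */
static DWORD read_le32(const unsigned char *p)
{
	return (DWORD)p[0] | ((DWORD)p[1] << 8) | ((DWORD)p[2] << 16) | ((DWORD)p[3] << 24);
}

/*
 * Fill the list box hWnd with every CALL (opcode E8) or INT3-patched CALL
 * (opcode CC) in the section containing the address currently selected in
 * the CPU disassembler, whose rel32 operand targets that address.
 *
 * Each hit is inserted as "0x%08x" (the instruction address); the item data
 * is that address, with bit 31 set when the opcode byte was CC.  The parent
 * window's title is updated to name the target.  Nothing is listed when no
 * module base or no containing section can be found, or memory is unreadable.
 *
 * Fixes versus the previous revision: the base search looped forever once
 * the alignment mask reached zero ("|| mask == 0" instead of "&& mask != 0"),
 * the operand read ran up to 4 bytes past the section buffer and 1 byte
 * before it (data[i-1] at i == 0), the opcode compare used a possibly signed
 * char against 0xE8/0xCC, and a failed HeapAlloc was passed straight on.
 */
void GetCallAddress(HWND hWnd)
{
	/* t_dump offset 0x385: the disassembler's current selection in the
	 * original code (undocumented offset, kept as found). */
	DWORD addr = Plugingetvalue(VAL_CPUDASM);
	addr = *(int*)(addr+0x385);

	/* Coarsen the alignment one bit at a time until a DOS header appears;
	 * stop as soon as the mask runs out (base is then 0). */
	DWORD mask = 0xffff0000;
	DWORD base = addr & mask;
	IMAGE_DOS_HEADER dosh = {0};
	char s[64];
	Readmemory(&dosh, base, sizeof(IMAGE_DOS_HEADER), MM_RESTORE | MM_SILENT);
	while (dosh.e_magic != IMAGE_DOS_SIGNATURE && mask != 0)
	{
		mask <<= 1;
		base = addr & mask;
		/* Readmemory reports the byte count it copied; treat a short read as
		 * "no header here" instead of re-testing stale data. */
		if (Readmemory(&dosh, base, sizeof(IMAGE_DOS_HEADER), MM_SILENT) != sizeof(IMAGE_DOS_HEADER))
			dosh.e_magic = 0;
	}
	if (base == 0) return;

	DWORD pebase = base;

	/* The file header follows the "PE\0\0" signature; its SizeOfOptionalHeader
	 * gives the distance to the section table, which is more robust than a
	 * fixed sizeof(IMAGE_OPTIONAL_HEADER). */
	IMAGE_FILE_HEADER fh = {0};
	DWORD fhaddr = pebase + dosh.e_lfanew + sizeof(IMAGE_NT_SIGNATURE);
	if (Readmemory(&fh, fhaddr, sizeof(IMAGE_FILE_HEADER), MM_SILENT) != sizeof(IMAGE_FILE_HEADER))
		return;
	base = fhaddr + sizeof(IMAGE_FILE_HEADER) + fh.SizeOfOptionalHeader;

	/* Find the section whose raw data range contains addr; the walk is
	 * bounded by NumberOfSections rather than by a zero VirtualAddress. */
	IMAGE_SECTION_HEADER sh = {0};
	int found = 0;
	for (DWORD n = 0; n < fh.NumberOfSections; n++)
	{
		if (Readmemory(&sh, base, sizeof(IMAGE_SECTION_HEADER), MM_SILENT) != sizeof(IMAGE_SECTION_HEADER))
			return;
		if (sh.VirtualAddress + pebase < addr && sh.VirtualAddress + sh.SizeOfRawData + pebase > addr)
		{
			found = 1;
			break;
		}
		base += sizeof(IMAGE_SECTION_HEADER);
	}
	if (!found) return;

	base = pebase + sh.VirtualAddress;
	DWORD size = sh.SizeOfRawData;
	unsigned char *data = (unsigned char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, size);
	if (data == NULL) return;
	/* Buffer is zero-filled, so an unreadable range simply yields no hits. */
	Readmemory(data, base, size, MM_SILENT);

	/* A hit is a rel32 at offset i whose target is addr, with the opcode at
	 * i-1: rel32 = addr - (base + i - 1 + 5).  i runs from 1 to size-4 so
	 * both the opcode and the whole operand stay inside the buffer. */
	size_t j = 0;
	for (size_t i = 1; i + 4 <= size; i++)
	{
		if (read_le32(data + i) != (DWORD)(addr - base - i - 4))
			continue;
		unsigned char op = data[i - 1];
		if (op == 0xe8 || op == 0xcc)
		{
			DWORD target = base + i - 1;
			wsprintf(s, "0x%08x", target);
			if (op == 0xcc)
				target |= 0x80000000;	/* bit 31 marks a CC-patched call */
			SendMessage(hWnd, LB_INSERTSTRING, j, (LPARAM)s);
			SendMessage(hWnd, LB_SETITEMDATA, j++, target);
			i += 3;	/* skip the rest of the operand; the loop's ++ moves past it */
		}
	}
	wsprintf(s, "调用0x%08x的参考", addr);
	SetWindowText((HWND)GetWindowLong(hWnd, GWL_HWNDPARENT), s);
	HeapFree(hHeap, 0, data);
}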
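/*
 * Copy text from the debuggee into the edit control hWnd.
 *
 * type == CPUDUMP: the byte range shown in the CPU dump window is read
 *   (t_dump offsets 0x385/0x389 are the range start/end in the original
 *   code; undocumented, kept as found).  Embedded NULs are rewritten so the
 *   text displays as lines: a double NUL becomes "\r\n", a single NUL a
 *   space.  The result is converted from code page `pagecode` to UTF-16.
 * otherwise: the DWORD at the stack window's current address is taken as
 *   a pointer to a NUL-terminated string in the debuggee, which is read
 *   (bounded) and shown the same way.
 *
 * Nothing is shown when the debuggee memory is unreadable, the string is
 * empty, or an allocation fails.  Buffers are always NUL-terminated before
 * MultiByteToWideChar() is asked to scan for the terminator.
 */
void SetEditText(HWND hWnd, DWORD type)
{
	/* Upper bound for the stack-string scan; arbitrary cap so a string with
	 * no terminator in readable memory cannot keep the loop running. */
	enum { STACK_STRING_MAX = 4096 };
	DWORD temp, t1, t2, i;
	char *info;
	wchar_t *winfo;
	if (type == CPUDUMP)
	{
		temp = Plugingetvalue(VAL_CPUDDUMP);
		t1 = *(DWORD*)(temp+0x385);
		t2 = *(DWORD*)(temp+0x389);
		if (t2 < t1)
			return;	/* inverted range: the old code allocated ~4 GB here */
		temp = t2 - t1;
		/* +2: the rewrite below may touch info[temp], and the terminator
		 * that MultiByteToWideChar(-1) stops at must be inside the buffer. */
		info = (char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, temp + 2);
		if (info == NULL)
			return;
		winfo = (wchar_t *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, (temp + 2) * sizeof(wchar_t));
		if (winfo == NULL)
		{
			HeapFree(hHeap, 0, info);
			return;
		}
		/* Unreadable memory leaves the zeroed buffer alone → empty text. */
		Readmemory(info, (DWORD)t1, temp, MM_SILENT);
		for (i = 0; i < temp; i++)
		{
			if (info[i] == 0)
			{
				if (info[i+1] == 0)	/* in bounds thanks to the +2 slack */
				{
					info[i] = 0x0d;
					info[++i] = 0x0a;
				}
				else
					info[i] = ' ';
			}
		}
		MultiByteToWideChar(pagecode, 0, info, -1, winfo, temp + 2);
		SetWindowTextW(hWnd, winfo);
		HeapFree(hHeap, 0, info);
		HeapFree(hHeap, 0, winfo);
	}
	else
	{
		temp = Plugingetvalue(VAL_CPUDSTACK);
		t1 = *(DWORD*)(temp+0x385);
		char tempchar = 0;
		if (Readmemory(&t2, t1, 4, MM_SILENT) != 4)
			return;
		t1 = t2;
		/* Measure the string, terminator included.  The scan stops at the
		 * first unreadable byte or at STACK_STRING_MAX; the old loop kept
		 * testing a stale (initially uninitialised) tempchar after a failed
		 * read, which could spin forever. */
		temp = 0;
		do
		{
			if (Readmemory(&tempchar, t2++, 1, MM_SILENT) != 1)
				break;
			++temp;
		} while (tempchar != 0 && temp < STACK_STRING_MAX);
		if (temp == 0 || (temp == 1 && tempchar == 0))
			return;	/* nothing readable, or an empty string */
		/* +1 keeps a NUL after the bytes even when the scan ended without one. */
		info = (char *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, temp + 1);
		if (info == NULL)
			return;
		winfo = (wchar_t *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, (temp + 1) * sizeof(wchar_t));
		if (winfo == NULL)
		{
			HeapFree(hHeap, 0, info);
			return;
		}
		Readmemory(info, t1, temp, MM_SILENT);
		MultiByteToWideChar(pagecode, 0, info, -1, winfo, temp + 1);
		SetWindowTextW(hWnd, winfo);
		HeapFree(hHeap, 0, info);
		HeapFree(hHeap, 0, winfo);
	}
}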
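/*
 * Describe the module whose names are to be imported.
 *
 * With g_Config->applytodebuggee set, the module is the debuggee's main
 * executable, located in the process module list by path; otherwise it is
 * the module currently shown in the disassembler (Findmodule).  The file
 * on disk is then mapped read-only and every section's RVA is recorded in
 * info->segments (slot 0 is RVA 0 for the headers), info->nseg entries.
 *
 * err receives one of the MODULE_* codes.  On MODULE_SUCCESS the caller
 * owns the returned module_t and its segments array (free() both).  On any
 * failure NULL is returned — the previous revision freed the struct and
 * then returned the dangling pointer.  Header fields read from the file
 * (e_lfanew, NumberOfSections) are range-checked against the file size
 * before they are followed, since the file is not under the plugin's
 * control.
 */
module_t* module_info(int* err)
{
	HANDLE hFile = INVALID_HANDLE_VALUE, hMapping = NULL, hProcess;
	HMODULE* modules;
	LPVOID pMapping = NULL;
	PIMAGE_DOS_HEADER dos;
	PIMAGE_NT_HEADERS nt;
	PIMAGE_SECTION_HEADER sh;
	ULONG needed = 0, cb, cntr, cbase, csize, fsize, tabloff;
	TCHAR buffer[TEXTLEN];
	t_module* dbg_mod;
	module_t* info = (module_t*)malloc(sizeof(module_t));
	if (info == NULL)
	{
		/* no dedicated allocation code exists; report the closest one */
		*err = MODULE_FILE_MAPPING_FAILURE;
		return NULL;
	}
	info->segments = NULL;
	info->base = 0;
	if (g_Config->applytodebuggee)
	{
		info->name = (TCHAR*)Plugingetvalue(VAL_EXEFILENAME);
		hProcess = (HANDLE)Plugingetvalue(VAL_HPROCESS);
		/* The first call only sizes the handle array; the old code used
		 * `needed` uninitialised when that call failed. */
		if (EnumProcessModules(hProcess, NULL, 0, &needed) && needed > 0)
		{
			cb = needed;
			modules = malloc(cb);
			if (modules != NULL)
			{
				if (EnumProcessModules(hProcess, modules, cb, &needed))
				{
					/* A module loaded between the two calls makes `needed`
					 * larger than the array; never walk past what was allocated. */
					if (needed > cb)
					{
						needed = cb;
					}
					needed /= sizeof(HMODULE);
					for (cntr = 0; cntr < needed; cntr++)
					{
						if (GetModuleFileNameEx(hProcess, modules[cntr], buffer, TEXTLEN) == 0)
						{
							continue;	/* buffer is undefined on failure */
						}
						if (!strcmp(info->name, buffer))
						{
							info->base = (ULONG)modules[cntr];
							break;
						}
					}
				}
				free(modules);
			}
		}
		if (!info->base)
		{
			*err = MODULE_BASE_NOT_FOUND;
			goto fail;
		}
	}
	else
	{
		Getdisassemblerrange(&cbase, &csize);
		dbg_mod = Findmodule(cbase);
		if (dbg_mod == NULL)
		{
			*err = MODULE_OUT_OF_RANGE;
			goto fail;
		}
		info->base = (ULONG)dbg_mod->base;
		info->name = (TCHAR*)&dbg_mod->path;
	}
	hFile = CreateFile(info->name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		*err = MODULE_FILE_SHARING_VIOLATION;
		goto fail;
	}
	fsize = GetFileSize(hFile, NULL);
	hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, 0);
	if (hMapping == NULL)
	{
		*err = MODULE_FILE_MAPPING_FAILURE;
		goto fail;
	}
	pMapping = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
	if (pMapping == NULL)
	{
		*err = MODULE_FILE_MAPPING_FAILURE;
		goto fail;
	}
	/* Headers come from disk: verify the signatures and keep every header
	 * access inside the mapped size before dereferencing.  A malformed file
	 * is reported as a mapping failure (no closer MODULE_* code exists). */
	dos = (PIMAGE_DOS_HEADER)pMapping;
	if (fsize == INVALID_FILE_SIZE || fsize < sizeof(*dos) || fsize < sizeof(*nt)
		|| dos->e_magic != IMAGE_DOS_SIGNATURE
		|| dos->e_lfanew < 0 || (ULONG)dos->e_lfanew > fsize - sizeof(*nt))
	{
		*err = MODULE_FILE_MAPPING_FAILURE;
		goto fail;
	}
	nt = (PIMAGE_NT_HEADERS)((ULONG)dos + dos->e_lfanew);
	sh = IMAGE_FIRST_SECTION(nt);
	tabloff = (ULONG)sh - (ULONG)dos;
	if (nt->Signature != IMAGE_NT_SIGNATURE || tabloff > fsize
		|| (fsize - tabloff) / sizeof(*sh) < nt->FileHeader.NumberOfSections)
	{
		*err = MODULE_FILE_MAPPING_FAILURE;
		goto fail;
	}
	info->nseg = nt->FileHeader.NumberOfSections + 1;
	info->segments = (PULONG)malloc(info->nseg * sizeof(ULONG));
	if (info->segments == NULL)
	{
		*err = MODULE_FILE_MAPPING_FAILURE;
		goto fail;
	}
	info->segments[0] = 0;
	for (cntr = 1; cntr < info->nseg; cntr++)
	{
		info->segments[cntr] = sh->VirtualAddress;
		sh++;
	}
	UnmapViewOfFile(pMapping);
	CloseHandle(hMapping);
	CloseHandle(hFile);
	*err = MODULE_SUCCESS;
	return info;

fail:
	/* single exit for every failure: release whatever was acquired so far */
	if (pMapping)
	{
		UnmapViewOfFile(pMapping);
	}
	if (hMapping)
	{
		CloseHandle(hMapping);
	}
	if (hFile != INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);
	}
	free(info->segments);
	free(info);
	return NULL;
}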
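/* Set check box `id` of dialog `hwnd` to checked (on != 0) or unchecked. */
static void set_check(HWND hwnd, int id, int on)
{
	CheckDlgButton(hwnd, id, on ? BST_CHECKED : BST_UNCHECKED);
}

/*
 * Make `checked` the selected button of a radio group made of a, b and
 * (when non-zero) c, clearing the others.
 */
static void set_radio(HWND hwnd, int checked, int a, int b, int c)
{
	CheckDlgButton(hwnd, a, a == checked ? BST_CHECKED : BST_UNCHECKED);
	CheckDlgButton(hwnd, b, b == checked ? BST_CHECKED : BST_UNCHECKED);
	if (c)
	{
		CheckDlgButton(hwnd, c, c == checked ? BST_CHECKED : BST_UNCHECKED);
	}
}

/* Release the pcre objects mask_compile() stored in a temporary mask. */
static void release_mask(mask_t* msk)
{
	pcre_free(msk->regex);
	if (msk->extra)
	{
		pcre_free(msk->extra);
	}
}

/*
 * Show the mask text, a blank line, then the compiler's message for it.
 * The mask text is clipped so it cannot overrun errbuf on its own;
 * mask_error() writes after the blank line and must stay within the
 * remaining ERRBUFLEN - (n + 3) bytes — its bound is not visible here.
 */
static void show_mask_error(HWND hwnd, mask_t* msk, const TCHAR* mask)
{
	TCHAR errbuf[ERRBUFLEN];
	size_t n = strlen(mask);
	if (n > sizeof(errbuf) - 3)
	{
		n = sizeof(errbuf) - 3;
	}
	memcpy(errbuf, mask, n);
	memcpy(errbuf + n, "\n\n", 3);
	mask_error(msk, errbuf + n + 2);
	MessageBox(hwnd, errbuf, "Mask syntax error", MB_ICONERROR);
}

/*
 * Prompt for a mask with Gettextxy() until the user cancels or enters a
 * mask that compiles; a syntax error is reported and the prompt re-shown
 * with the text still in `buffer`.  On success *msk holds the compiled
 * mask (caller releases it with release_mask()) and 1 is returned; 0 means
 * the user cancelled and buffer/msk are not to be used.
 */
static int prompt_for_mask(HWND hwnd, char* title, TCHAR* buffer, mask_t* msk)
{
	for (;;)
	{
		if (Gettextxy(title, buffer, 0, INPUTWND_TYPE, Plugingetvalue(VAL_WINDOWFONT),
			GetSystemMetrics(SM_CXSCREEN) / 2, GetSystemMetrics(SM_CYSCREEN) / 2) <= 0)
		{
			return 0;
		}
		if (mask_compile(msk, buffer) == 0)
		{
			return 1;
		}
		show_mask_error(hwnd, msk, buffer);
	}
}

/* Create a child control of `parent` with the dialog font applied. */
static HWND create_control(HWND parent, UINT exstyle, const char* cls, const char* text, UINT style,
	int x, int y, int w, int h, int id)
{
	HWND wnd = CreateWindowEx(exstyle, cls, text, style, x, y, w, h, parent, (HMENU)id, g_hInstance, NULL);
	SendMessage(wnd, WM_SETFONT, (WPARAM)g_hFont, TRUE);
	return wnd;
}

/*
 * Window procedure of the plugin's configuration dialog.
 *
 * WM_CREATE builds the controls, loads the current g_Config into them and
 * fills the mask list; WM_COMMAND handles the check boxes, the radio
 * groups, mask-list editing (add/insert/edit/delete/reorder/load/save)
 * and Apply/Cancel; WM_CLOSE re-enables OllyDbg's main window, which is
 * disabled for the dialog's lifetime, before destroying this one.  Every
 * modal prompt disables and re-enables the dialog around itself.
 *
 * Returns FALSE for handled messages, DefWindowProc's result otherwise.
 *
 * Fixes versus the previous revision: saving appended "\n" with strcat()
 * to a buffer that LB_GETTEXT may already have filled to TEXTLEN; loading
 * stripped only "\n" via strtok(); Delete acted on LB_ERR; the error
 * message buffer was filled with unbounded strcpy()/strcat(); Apply passed
 * an uninitialised buffer to config_locate() when the list was empty.
 */
LRESULT CALLBACK configwnd_msgproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam)
{
	RECT rect;
	FILE* file;
	TCHAR buffer[TEXTLEN];
	mask_t* msk;
	mask_t msk_tmp;
	int counter, index, height, count;
	switch (msg)
	{
		case WM_ACTIVATE:
			SetFocus(g_hwndMaskList);
			break;

		case WM_COMMAND:
			switch (LOWORD(wparam))
			{
				/* Notification code 1 is what a mnemonic/accelerator sends; a
				 * mouse click on an auto check box has already toggled it. */
				case ID_COMMENTS:
				case ID_LABELS:
				case ID_USEMASKS:
				case ID_DEMANGLE:
					if (HIWORD(wparam) == 1)
					{
						CheckDlgButton(hwnd, LOWORD(wparam), IsDlgButtonChecked(hwnd, LOWORD(wparam)) ^ BST_CHECKED);
					}
					break;

				case ID_SKIP:
				case ID_OVERWRITE:
					set_radio(hwnd, LOWORD(wparam), ID_SKIP, ID_OVERWRITE, 0);
					break;

				case ID_MODULE:
				case ID_DEBUGGEE:
					set_radio(hwnd, LOWORD(wparam), ID_MODULE, ID_DEBUGGEE, 0);
					break;

				case ID_ASKTOIMPORT:
				case ID_IMPORTALWAYS:
				case ID_DONOTHING:
					set_radio(hwnd, LOWORD(wparam), ID_ASKTOIMPORT, ID_IMPORTALWAYS, ID_DONOTHING);
					break;

				case ID_CANCEL:
					SendMessage(hwnd, WM_CLOSE, 0, 0);
					break;

				case ID_APPLY:
					/* copy the dialog state into g_Config, then persist it */
					g_Config->comments = IsDlgButtonChecked(hwnd, ID_COMMENTS) == BST_CHECKED;
					g_Config->labels = IsDlgButtonChecked(hwnd, ID_LABELS) == BST_CHECKED;
					g_Config->collisionchecks = IsDlgButtonChecked(hwnd, ID_SKIP) == BST_CHECKED;
					g_Config->applytodebuggee = IsDlgButtonChecked(hwnd, ID_DEBUGGEE) == BST_CHECKED;
					if (IsDlgButtonChecked(hwnd, ID_ASKTOIMPORT) == BST_CHECKED)
					{
						g_Config->aimport = AUTOIMPORT_ASK;
					}
					if (IsDlgButtonChecked(hwnd, ID_IMPORTALWAYS) == BST_CHECKED)
					{
						g_Config->aimport = AUTOIMPORT_ALWAYS;
					}
					if (IsDlgButtonChecked(hwnd, ID_DONOTHING) == BST_CHECKED)
					{
						g_Config->aimport = AUTOIMPORT_DISABLED;
					}
					g_Config->usemasks = IsDlgButtonChecked(hwnd, ID_USEMASKS) == BST_CHECKED;
					g_Config->demangle = IsDlgButtonChecked(hwnd, ID_DEMANGLE) == BST_CHECKED;
					list_freemasks(g_Config->masks);
					g_Config->masks = list_create();
					buffer[0] = '\0';	/* defined contents even when the list is empty */
					count = SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0);
					for (counter = 0; counter < count; counter++)
					{
						SendMessage(g_hwndMaskList, LB_GETTEXT, counter, (LPARAM)buffer);
						list_addmask(g_Config->masks, buffer);
					}
					/* config_locate() is handed the list buffer as before;
					 * presumably it fills it with the config path — confirm. */
					config_create(config_locate(buffer), g_Config);
					SendMessage(hwnd, WM_CLOSE, 0, 0);
					break;

				case ID_DELETE:
					index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
					if (index != LB_ERR)
					{
						SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
						/* keep the selection on the same row, or on the previous
						 * one when the last row was removed */
						if (SendMessage(g_hwndMaskList, LB_SETCURSEL, index, 0) == LB_ERR)
						{
							SendMessage(g_hwndMaskList, LB_SETCURSEL, index - 1, 0);
						}
					}
					break;

				case ID_INCREASE:
					/* move the selected row one up */
					index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
					if (index > 0)
					{
						SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
						SendMessage(g_hwndMaskList, LB_INSERTSTRING, index - 1, (LPARAM)buffer);
						SendMessage(g_hwndMaskList, LB_DELETESTRING, index + 1, 0);
						SendMessage(g_hwndMaskList, LB_SETCURSEL, index - 1, 0);
					}
					break;

				case ID_MAXINCREASE:
					/* move the selected row to the top */
					index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
					if (index > 0)
					{
						SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
						SendMessage(g_hwndMaskList, LB_INSERTSTRING, 0, (LPARAM)buffer);
						SendMessage(g_hwndMaskList, LB_DELETESTRING, index + 1, 0);
						SendMessage(g_hwndMaskList, LB_SETCURSEL, 0, 0);
					}
					break;

				case ID_DECREASE:
					/* move the selected row one down */
					index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
					if (index != LB_ERR && index < SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0) - 1)
					{
						SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
						SendMessage(g_hwndMaskList, LB_INSERTSTRING, index + 2, (LPARAM)buffer);
						SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
						SendMessage(g_hwndMaskList, LB_SETCURSEL, index + 1, 0);
					}
					break;

				case ID_MAXDECREASE:
					/* move the selected row to the bottom */
					index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
					count = SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0);
					if (index != LB_ERR && index < count - 1)
					{
						SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
						SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)buffer), 0);
						SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
					}
					break;

				case ID_SAVE:
					/* write the list, one mask per line, to a user-chosen file */
					count = SendMessage(g_hwndMaskList, LB_GETCOUNT, 0, 0);
					if (count > 0)
					{
						EnableWindow(hwnd, FALSE);
						buffer[0] = '\0';
						if (Browsefilename("Save mask list to:", buffer, ".TXT|*.*", 0x80))
						{
							file = fopen(buffer, "w");
							if (file)
							{
								for (counter = 0; counter < count; counter++)
								{
									SendMessage(g_hwndMaskList, LB_GETTEXT, counter, (LPARAM)buffer);
									/* the separator goes out on its own: strcat()
									 * onto a full TEXTLEN buffer overran it */
									fputs(buffer, file);
									fputc('\n', file);
								}
								fclose(file);
							}
							else
							{
								MessageBox(hwnd, "Failed to open the file for writing", 0, MB_ICONERROR);
							}
						}
						EnableWindow(hwnd, TRUE);
						SetFocus(g_hwndMaskList);
					}
					break;

				case ID_LOAD:
					/* replace the list with the masks read from a file, one per
					 * line; lines that do not compile are skipped silently */
					EnableWindow(hwnd, FALSE);
					buffer[0] = '\0';
					if (Browsefilename("Load mask list from:", buffer, ".TXT|*.*", 0))
					{
						file = fopen(buffer, "r");
						if (file)
						{
							while (SendMessage(g_hwndMaskList, LB_DELETESTRING, 0, 0) != LB_ERR)
							{}
							while (fgets(buffer, TEXTLEN, file))
							{
								/* strip the line terminator, CR LF included; strtok()
								 * left a bare "\n" line untouched */
								buffer[strcspn(buffer, "\r\n")] = '\0';
								if (!mask_compile(&msk_tmp, buffer))
								{
									SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)buffer);
									release_mask(&msk_tmp);
								}
							}
							SendMessage(g_hwndMaskList, LB_SETCURSEL, 0, 0);
							fclose(file);
						}
						else
						{
							MessageBox(hwnd, "Failed to open the file", 0, MB_ICONERROR);
						}
					}
					EnableWindow(hwnd, TRUE);
					SetFocus(g_hwndMaskList);
					break;

				case ID_ADD:
					EnableWindow(hwnd, FALSE);
					buffer[0] = '\0';
					if (prompt_for_mask(hwnd, "Add new mask:", buffer, &msk_tmp))
					{
						SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)buffer), 0);
						release_mask(&msk_tmp);
					}
					EnableWindow(hwnd, TRUE);
					SetFocus(g_hwndMaskList);
					break;

				case ID_INSERT:
					EnableWindow(hwnd, FALSE);
					buffer[0] = '\0';
					if (prompt_for_mask(hwnd, "Insert new mask:", buffer, &msk_tmp))
					{
						SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_INSERTSTRING,
							SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0), (LPARAM)buffer), 0);
						release_mask(&msk_tmp);
					}
					EnableWindow(hwnd, TRUE);
					SetFocus(g_hwndMaskList);
					break;

				case ID_EDIT:
					index = SendMessage(g_hwndMaskList, LB_GETCURSEL, 0, 0);
					if (index != LB_ERR)
					{
						EnableWindow(hwnd, FALSE);
						SendMessage(g_hwndMaskList, LB_GETTEXT, index, (LPARAM)buffer);
						if (prompt_for_mask(hwnd, "Edit mask:", buffer, &msk_tmp))
						{
							SendMessage(g_hwndMaskList, LB_DELETESTRING, index, 0);
							SendMessage(g_hwndMaskList, LB_SETCURSEL, SendMessage(g_hwndMaskList, LB_INSERTSTRING, (WPARAM)index, (LPARAM)buffer), 0);
							release_mask(&msk_tmp);
						}
						EnableWindow(hwnd, TRUE);
						SetFocus(g_hwndMaskList);
					}
					break;
			}
			break;

		case WM_CREATE:
			EnableWindow(g_hwndOlly, FALSE);
			/* resize so the client area is OPTWND_WINDOW_HEIGHT high */
			GetClientRect(hwnd, &rect);
			height = rect.bottom;
			GetWindowRect(hwnd, &rect);
			height = rect.bottom - rect.top - height + OPTWND_WINDOW_HEIGHT;
			SetWindowPos(hwnd, NULL, 0, 0, rect.right - rect.left, height, SWP_NOMOVE | SWP_NOZORDER);

			/* Raw style words kept from the original; they decode to
			 * WS_CHILD|WS_VISIBLE plus: 0x50020007 WS_GROUP|BS_GROUPBOX,
			 * 0x50010003 WS_TABSTOP|BS_AUTOCHECKBOX, 0x50010009 / 0x50000009
			 * BS_AUTORADIOBUTTON with / without WS_TABSTOP, 0x50012F00 a
			 * centred multi-line push button. */
			create_control(hwnd, 0, "Button", "Import objects:", 0x50020007, 4, 0, 128, 64, ID_IMPORT);
			create_control(hwnd, 0, "Button", "&Comments", 0x50010003, 12, 16, 112, 20, ID_COMMENTS);
			create_control(hwnd, 0, "Button", "&Labels", 0x50010003, 12, 36, 112, 20, ID_LABELS);

			create_control(hwnd, 0, "Button", "Collisions:", 0x50020007, 4, 68, 128, 64, ID_COLLISIONS);
			create_control(hwnd, 0, "Button", "&Skip if collision", 0x50010009, 12, 86, 116, 16, ID_SKIP);
			create_control(hwnd, 0, "Button", "&Overwrite", 0x50000009, 12, 106, 116, 16, ID_OVERWRITE);

			create_control(hwnd, 0, "Button", "Apply names to:", 0x50020007, 4, 136, 128, 64, ID_APPLYTO);
			create_control(hwnd, 0, "Button", "&Viewed module", 0x50010009, 12, 154, 116, 16, ID_MODULE);
			create_control(hwnd, 0, "Button", "&Debuggee", 0x50010009, 12, 174, 116, 16, ID_DEBUGGEE);

			create_control(hwnd, 0, "Button", "If map file found:", 0x50020007, 4, 204, 128, 80, ID_AUTOIMPORT);
			create_control(hwnd, 0, "Button", "&Ask to import", 0x50000009, 12, 222, 116, 16, ID_ASKTOIMPORT);
			create_control(hwnd, 0, "Button", "&Import always", 0x50000009, 12, 242, 116, 16, ID_IMPORTALWAYS);
			create_control(hwnd, 0, "Button", "Do &nothing", 0x50000009, 12, 262, 116, 16, ID_DONOTHING);

			create_control(hwnd, 0, "Button", "Filter:", 0x50020007, 136, 0, 208, 284, ID_FILTER);
			g_hwndMaskList = create_control(hwnd, 0x200, "ListBox", "", WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL, 144, 16, 192, 230, ID_MASKS);
			/* subclass the list box; the previous procedure is kept in its user data */
			SetWindowLongPtr(g_hwndMaskList, GWLP_USERDATA, SetWindowLongPtr(g_hwndMaskList, GWLP_WNDPROC, (LONG)listbox_msgproc));
			SetFocus(g_hwndMaskList);

			create_control(hwnd, 0, "Button", "Use &masks", 0x50010003, 144, 242, 116, 16, ID_USEMASKS);
			create_control(hwnd, 0, "Button", "D&emangle names", 0x50010003, 144, 262, 116, 16, ID_DEMANGLE);

			create_control(hwnd, 0, "Button", "Apply", 0x50012F00, 204, 288, 68, 20, ID_APPLY);
			create_control(hwnd, 0, "Button", "Cancel", 0x50012F00, 276, 288, 68, 20, ID_CANCEL);

			/* load the current configuration into the controls */
			set_check(hwnd, ID_COMMENTS, g_Config->comments);
			set_check(hwnd, ID_LABELS, g_Config->labels);
			set_radio(hwnd, g_Config->collisionchecks ? ID_SKIP : ID_OVERWRITE, ID_SKIP, ID_OVERWRITE, 0);
			set_radio(hwnd, g_Config->applytodebuggee ? ID_DEBUGGEE : ID_MODULE, ID_MODULE, ID_DEBUGGEE, 0);
			set_radio(hwnd,
				g_Config->aimport == AUTOIMPORT_ASK ? ID_ASKTOIMPORT
				: g_Config->aimport == AUTOIMPORT_ALWAYS ? ID_IMPORTALWAYS : ID_DONOTHING,
				ID_ASKTOIMPORT, ID_IMPORTALWAYS, ID_DONOTHING);
			set_check(hwnd, ID_USEMASKS, g_Config->usemasks);
			set_check(hwnd, ID_DEMANGLE, g_Config->demangle);
			for (msk = (mask_t*)g_Config->masks->first; msk; msk = msk->next)
			{
				SendMessage(g_hwndMaskList, LB_ADDSTRING, 0, (LPARAM)msk->buffer);
			}
			SendMessage(g_hwndMaskList, LB_SETCURSEL, 0, 0);
			break;

		case WM_CLOSE:
			EnableWindow(g_hwndOlly, TRUE);
			SetFocus(g_hwndOlly);
			DestroyWindow(hwnd);
			break;

		case WM_DESTROY:
			PostQuitMessage(0);
			break;

		default:
			return DefWindowProc(hwnd, msg, wparam, lparam);
	}
	return FALSE;
}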
/*
 * OllyDbg plugin menu dispatcher.
 *
 * origin selects the menu the item came from (PM_MAIN: the plugin menu in
 * the main window; PM_DISASM: the disassembler's context menu), action the
 * zero-based item index.  `item` is unused here.
 *
 * Review notes on the current state of this function:
 *  - PM_DISASM action 0 loads a helper DLL into the debuggee and then
 *    returns unconditionally; everything after the first `return;` (the
 *    `me` analysis path) is unreachable, and the second `return;` makes the
 *    FindNextAddress() block unreachable even if the first one were removed.
 *  - The DLL path is an absolute path on the author's machine; the plugin
 *    cannot work elsewhere until it is made configurable and validated.
 *  - VirtualAllocEx(), WriteProcessMemory(), GetProcAddress() and
 *    CreateRemoteThread() results are not checked; a NULL hThread would be
 *    passed to ResumeThread().
 *  - hThread is never closed (handle leak per invocation), and ResumeThread()
 *    is a no-op because the thread is not created suspended (flags 0).
 */
extc void _export cdecl ODBG_Pluginaction(int origin, int action, void *item)
{
	switch (origin) {
		case PM_MAIN:
			switch (action) {
				case 0:	// Malware extractor -> About
					MessageBox(hwmain,
					"Malicious code extraction plugin v1.0\n(extracts "
					"malicious code from obfuscated binaries)\n "
					"Copyright (C) 2009 Tadas Vilkeliskis\n"
					"Stevens Institute of Technology",
					"Malicious code extraction plugin",
					MB_OK|MB_ICONINFORMATION);
					break;
				default:
					break;
			}
			break;
		case PM_DISASM:
			switch (action) {
				case 0: // Malware extractor -> Analyze
					{
						HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
						// Developer-machine absolute path; see header note.
						char dllName[] = "c:\\Documents and Settings\\T\\Desktop\\research\\unpacker\\release\\unpacker.dll";
						HANDLE hProcess = (HANDLE) Plugingetvalue(VAL_HPROCESS);
						// Result unchecked: a NULL addrDll would be written to and passed on.
						LPVOID addrDll = VirtualAllocEx(hProcess, NULL, sizeof(dllName), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);

						WriteProcessMemory(hProcess, addrDll, dllName, sizeof(dllName), NULL);
						// hThread is never closed; GetProcAddress() may return NULL.
						HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
							(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"),
							addrDll, NULL, NULL);

						// No-op: the thread was not created suspended.
						ResumeThread(hThread);

						//WaitForSingleObject(hThread, INFINITE);

						// Everything below this return is unreachable.
						return;
						if (me.IsRunning()) {
							Error("Malware extractor is already running");
							return;
						}

						if (me.Initialize() == -1) {
							switch (me.GetErrorCode()) {
								case ME_ERROR_NOTHREAD:
									Error("No threads found.");
									break;
								case ME_ERROR_MEMALLOC:
									Error("Failed to allocate memory.");
									break;
								case ME_ERROR_MEMREAD:
									Error("Failed to read process memory.");
									break;
							}
							me.Reset();
							return;
						}
						// Second unconditional return: the address search below never runs.
						return;

						if (me.FindNextAddress(0) == -1) {
							switch (me.GetErrorCode()) {
								case ME_ERROR_OUTOFBOUNDS:
									Error("Trying to access illegal address.");
									break;
								case ME_ERROR_NOTFOUND:
									Error("Address not found.");
									break;
							}
							me.Reset();
							return;
						}

						//sprintf (str, "FINAL: %d, %08X, %08X", cmd_size, dasm.jmpaddr, ip - cmd_size);
						//Error (str);
						/*if (Setbreakpointext (ip - cmd_size, TY_ONESHOT, 0, 0) == -1) {
							ODBG_Pluginreset ();
							Error ("Cannot set breakpoint on %08X", ip - cmd_size);
							return;
						}*/

						//Go (me_ctx.thread->threadid, ip - cmd_size, STEP_SKIP, 1, 1);

						//Error ("%08X", ip - cmd_size);
					}
					break;
				case 1: // Malware extractor -> Stop analysis
					//Suspendprocess (0);
					ODBG_Pluginreset ();
					break;
			}
			break;
	}
}
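/*
 * Command handler: show the file-scope `address` in the CPU dump window
 * (Setcpu with CPU_DUMPHIST | CPU_DUMPFIRST | CPU_DUMPFOCUS, as before) and,
 * when parm is non-zero, switch the dump window to that dump type.
 *
 * answer: unused; present for the command-callback signature.
 * parm:   dump type handed to Setdumptype(), 0 leaves the current one.
 * Returns 0 always.
 *
 * The stray ';' that followed the closing brace of the definition is gone.
 */
int Dumpcmd(char *answer, ulong parm) {
  (void)answer;
  Setcpu(0, 0, address, 0, CPU_DUMPHIST | CPU_DUMPFIRST | CPU_DUMPFOCUS);
  if (parm != 0) {
    Setdumptype((t_dump *)Plugingetvalue(VAL_CPUDDUMP), parm);
  }
  return 0;
}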
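/*
 * Read the PE headers of the debuggee's executable from disk into the
 * file-scope PEFileInfo and lpSectInfo tables; also record ep in strCurEIP,
 * the executable path/name in DbgePath/DbgeName and its directory in
 * szWorkPath.
 *
 * Returns true on success.  On failure a message box is shown and false is
 * returned.  lpSectInfo is malloc()'d here and not freed by this function;
 * a table from an earlier call is leaked unless the caller frees it.
 *
 * Fixes versus the previous revision: the private heap created for the
 * file buffer was never destroyed (one leaked heap per call); a path
 * without '\\' made strrchr() return NULL and the directory length garbage;
 * e_lfanew and NumberOfSections were followed without checking they lie
 * inside the file; the 8-byte section name was copied with strcpy(), which
 * over-reads when all 8 bytes are used; GetFileSize/HeapCreate/HeapAlloc/
 * malloc results were not checked.
 *
 * NOTE(review): byName is assumed to be a char array of at least 9 bytes
 * (the old strcpy needed that too) — confirm against SECTIONINFO.
 */
bool GetPEInfo(DWORD ep)
{
	unsigned int i;
	HANDLE hFile, hHeap = NULL;
	PIMAGE_DOS_HEADER idosh;
	PIMAGE_NT_HEADERS ipeh;
	PIMAGE_SECTION_HEADER isech;
	LPBYTE fbuf = NULL;
	HWND hwmain = hwndOllyDbg();
	DWORD dwFsiz, dwRsiz, dwSects, dwTabOff;
	bool ok = false;
	strCurEIP = ep;

	DbgePath = (LPTSTR)Plugingetvalue(VAL_EXEFILENAME);
	DbgeName = (LPTSTR)strrchr(DbgePath, '\\');
	memset(szWorkPath, 0, sizeof(szWorkPath));
	if (DbgeName == NULL)
	{
		/* no directory part: the work path stays empty, the name is the path */
		DbgeName = DbgePath;
	}
	else
	{
		size_t dirlen = (size_t)(DbgeName - DbgePath);
		if (dirlen > sizeof(szWorkPath) - 1)
		{
			dirlen = sizeof(szWorkPath) - 1;	/* keep the terminator memset() wrote */
		}
		strncpy(szWorkPath, DbgePath, dirlen);
		DbgeName++;
	}

	//Read Debuggee
	hFile = CreateFile(DbgePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		MessageBox(hwmain, "DUMP: 不能访问文件", PNAME, MB_OK);
		return false;
	}
	dwFsiz = GetFileSize(hFile, NULL);
	if (dwFsiz == INVALID_FILE_SIZE || dwFsiz < sizeof(IMAGE_DOS_HEADER))
	{
		MessageBox(hwmain, "DUMP: 不能读文件", PNAME, MB_OK);
		goto done;
	}
	hHeap = HeapCreate(HEAP_NO_SERIALIZE, 1, 0);
	if (hHeap == NULL || (fbuf = (LPBYTE)HeapAlloc(hHeap, 0, dwFsiz)) == NULL)
	{
		MessageBox(hwmain, "DUMP: 不能读文件", PNAME, MB_OK);
		goto done;
	}
	if (ReadFile(hFile, fbuf, dwFsiz, &dwRsiz, NULL) == 0 || dwRsiz != dwFsiz)
	{
		MessageBox(hwmain, "DUMP: 不能读文件", PNAME, MB_OK);
		goto done;
	}
	idosh = (PIMAGE_DOS_HEADER)fbuf;
	if (idosh->e_magic != IMAGE_DOS_SIGNATURE)
	{
		MessageBox(hwmain, "DUMP: 错误的DOS头(MZ)!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
		goto done;
	}
	/* e_lfanew comes from the file: the NT headers must fit inside fbuf
	 * before they are dereferenced */
	if (idosh->e_lfanew < 0 || dwFsiz < sizeof(IMAGE_NT_HEADERS)
		|| (DWORD)idosh->e_lfanew > dwFsiz - sizeof(IMAGE_NT_HEADERS))
	{
		MessageBox(hwmain, "DUMP: 错误的PE标志头!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
		goto done;
	}
	ipeh = (PIMAGE_NT_HEADERS)(fbuf + idosh->e_lfanew);
	if (ipeh->Signature != IMAGE_NT_SIGNATURE)
	{
		MessageBox(hwmain, "DUMP: 错误的PE标志头!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
		goto done;
	}
	/* same bound for the section table */
	dwSects = ipeh->FileHeader.NumberOfSections;
	isech = IMAGE_FIRST_SECTION(ipeh);
	dwTabOff = (DWORD)((LPBYTE)isech - fbuf);
	if (dwTabOff > dwFsiz || (dwFsiz - dwTabOff) / sizeof(IMAGE_SECTION_HEADER) < dwSects)
	{
		MessageBox(hwmain, "DUMP: 错误的PE标志头!!", PNAME, MB_OK | MB_ICONEXCLAMATION);
		goto done;
	}
	PEFileInfo.woNumOfSect   = ipeh->FileHeader.NumberOfSections;
	PEFileInfo.dwImageBase   = ipeh->OptionalHeader.ImageBase;
	PEFileInfo.dwSizeOfImage = ipeh->OptionalHeader.SizeOfImage;
	PEFileInfo.dwBaseOfCode  = ipeh->OptionalHeader.BaseOfCode;
	PEFileInfo.dwBaseOfData  = ipeh->OptionalHeader.BaseOfData;
	PEFileInfo.dwAddrOfEP    = ipeh->OptionalHeader.AddressOfEntryPoint;
	/* one spare entry beyond the section count — what the old size
	 * expression (n * sizeof + 1) appears to have intended */
	lpSectInfo = (LPSECTIONINFO)malloc(sizeof(SECTIONINFO) * (dwSects + 1));
	if (lpSectInfo == NULL)
	{
		MessageBox(hwmain, "DUMP: 不能读文件", PNAME, MB_OK);
		goto done;
	}
	for (i = 0; i < dwSects; i++)
	{
		SECTIONINFO *dst = lpSectInfo + i;
		PIMAGE_SECTION_HEADER src = isech + i;
		size_t k;
		/* Name holds 8 bytes with no terminator when all are used: copy at
		 * most that many, never more than byName holds, and terminate. */
		for (k = 0; k < sizeof(src->Name) && k + 1 < sizeof(dst->byName) && src->Name[k] != 0; k++)
		{
			dst->byName[k] = src->Name[k];
		}
		dst->byName[k] = 0;
		dst->dwVSize           = src->Misc.VirtualSize;
		dst->dwVOffset         = src->VirtualAddress;
		dst->dwRSize           = src->SizeOfRawData;
		dst->dwROffset         = src->PointerToRawData;
		dst->dwCharacteristics = src->Characteristics;
	}
	ok = true;

done:
	/* single exit: the file buffer, its private heap and the handle are
	 * released on every path */
	if (fbuf != NULL)
	{
		HeapFree(hHeap, HEAP_NO_SERIALIZE, fbuf);
	}
	if (hHeap != NULL)
	{
		HeapDestroy(hHeap);
	}
	CloseHandle(hFile);
	return ok;
}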
/*
 * Return OllyDbg's main window handle.  It is fetched from the plugin API
 * on first use and cached in the file-scope `hwmain` for later calls.
 */
HWND hwndOllyDbg() {
	if (hwmain)
		return hwmain;
	hwmain = (HWND)Plugingetvalue(VAL_HWMAIN);
	return hwmain;
}
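/*
 * Walk every procedure OllyDbg knows from the base of the t_dump that
 * pItem describes, disassemble each instruction and, for every instruction
 * whose text contains the pattern typed at the prompt (and pSubString as
 * well, when it is non-NULL), print it with DbgMsg() and set a breakpoint
 * on it.
 *
 * pItem:      t_dump* whose `base` is where the procedure walk starts.
 * pSubString: optional second substring every hit must also contain.
 * Returns FALSE when the user cancels the pattern prompt, TRUE otherwise.
 *
 * Fix versus the previous revision: a Disasm() result of 0 no longer
 * leaves the instruction loop stuck at the same address; the two copies of
 * the report-and-break code are merged, and an unused t_dump l, ookup is gone.
 */
BOOL XXX(LPVOID pItem, char *pSubString)
{
	T_X86Instruction tX86Instruction;
	t_dump *pX86Dasm = (t_dump *)pItem;
	ulong Address = pX86Dasm->base;
	ulong procStart, procEnd;
	ulong i;
	unsigned char InstStr[MAXCMDSIZE];
	ulong InstLength = 0;
	t_disasm da;
	unsigned char *pdecode = NULL;
	char cPattern[0x100] = {0};

	if (Gettext("Search for pattern ...", cPattern, 0, 0, Plugingetvalue(VAL_WINDOWFONT)) == -1)
	{
		return FALSE;
	}

	/* the walk ends when Findnextproc() returns 0, as the original assumed */
	while ((Address = Findnextproc(Address)) != 0)
	{
		Getproclimits(Address, &procStart, &procEnd);
		for (i = procStart; i < procEnd; i += InstLength)
		{
			if (!Readcommand(i, (char *)InstStr))
				break;
			InstLength = Disasm(InstStr, MAXCMDSIZE, i, pdecode, &da, DISASM_CODE, 0);
			if (InstLength == 0)
				break;	/* nothing decoded: advancing by 0 would loop forever */

			tX86Instruction.Addresss = i;
			memcpy(tX86Instruction.Command, da.result, 256);
			tX86Instruction.OpCodeLength = InstLength;

			if (strstr((char *)tX86Instruction.Command, cPattern) == NULL)
				continue;
			if (pSubString != NULL && strstr((char *)tX86Instruction.Command, pSubString) == NULL)
				continue;

			DbgMsg("0x%08X %d %s ",
				tX86Instruction.Addresss,
				tX86Instruction.OpCodeLength,
				tX86Instruction.Command);
			Setbreakpoint(tX86Instruction.Addresss, TY_ACTIVE | TY_KEEPCODE, 0);
		}
	}
	return TRUE;
}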