?? patch2.asm
字號:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Sample code for < Win32ASM Programming >
; by 羅云彬, http://asm.yeah.net
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Patch2.asm
; 使用斷點和單步跟蹤跳過 Test.exe 上的壓縮外殼代碼,再進行內存補丁
; 的例子程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 使用 nmake 或下列命令進行編譯和鏈接:
; ml /c /coff Patch2.asm
; rc Patch2.rc
; Link /subsystem:windows Patch2.obj Patch2.res
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.586
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
BREAK_POINT1 equ 00405120h
BREAK_POINT2 equ 00401000h
PATCH_POSITION equ 00401004h
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 數據段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
align dword
stCT CONTEXT <?>
stDE DEBUG_EVENT <?>
stStartUp STARTUPINFO <>
stProcInfo PROCESS_INFORMATION <>
szBuffer db 1024 dup (?)
.const
dbPatched db 90h,90h
dbInt3 db 0cch
dbOldByte db 60h
szExecFilename db 'Test.exe',0
szErrExec db '無法裝載執行文件!',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代碼段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
Start:
;********************************************************************
; 創建進程
;********************************************************************
invoke GetStartupInfo,addr stStartUp
invoke CreateProcess,offset szExecFilename,NULL,NULL,NULL,NULL,\
DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS,NULL,NULL,\
offset stStartUp,offset stProcInfo
.if !eax
invoke MessageBox,NULL,addr szErrExec,NULL,MB_OK or MB_ICONSTOP
invoke ExitProcess,NULL
.endif
;********************************************************************
; 調試進程
;********************************************************************
.while TRUE
invoke WaitForDebugEvent,addr stDE,INFINITE
.break .if stDE.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
;********************************************************************
; 如果進程開始,則將入口地址處的代碼改為 int 3 斷點中斷
;********************************************************************
.if stDE.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
invoke WriteProcessMemory,stProcInfo.hProcess,\
BREAK_POINT1,addr dbInt3,1,NULL
;********************************************************************
; 如果發生斷點中斷,則恢復斷點處代碼并設置單步中斷
;********************************************************************
.elseif stDE.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
.if stDE.u.Exception.pExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT
mov stCT.ContextFlags,CONTEXT_FULL
invoke GetThreadContext,stProcInfo.hThread,addr stCT
.if stCT.regEip == BREAK_POINT1 + 1
dec stCT.regEip
invoke WriteProcessMemory,stProcInfo.hProcess,\
BREAK_POINT1,addr dbOldByte,1,NULL
or stCT.regFlag,100h
invoke SetThreadContext,stProcInfo.hThread,addr stCT
.endif
;********************************************************************
; 如果單步中斷到了指定位置,則進行內存補丁
;********************************************************************
.elseif stDE.u.Exception.pExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP
mov stCT.ContextFlags,CONTEXT_FULL
invoke GetThreadContext,stProcInfo.hThread,addr stCT
.if stCT.regEip == BREAK_POINT2
invoke WriteProcessMemory,stProcInfo.hProcess,\
PATCH_POSITION,addr dbPatched,sizeof dbPatched,NULL
.else
or stCT.regFlag,100h
invoke SetThreadContext,stProcInfo.hThread,addr stCT
.endif
.endif
.endif
invoke ContinueDebugEvent,stDE.dwProcessId,stDE.dwThreadId,DBG_CONTINUE
.endw
invoke CloseHandle,stProcInfo.hProcess
invoke CloseHandle,stProcInfo.hThread
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end Start
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -