;made by correy
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
;本文用了汇编语言的高级语法及结构,请大家谅解。
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comdlg32.inc
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
;本文用了汇编语言的高级语法及结构,请大家谅解。
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comdlg32.inc
includelib comdlg32.lib
includelib user32.lib
includelib kernel32.lib
includelib user32.lib
includelib kernel32.lib
.data
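correy          db "made by correy",0                ; caption used for every MessageBox
ofn             OPENFILENAME <>                      ; filled in by `start` before GetOpenFileName
FilterString    db "Executable Files",0,"*.exe",0,0  ; filter pairs; the extra 0 ends the list

; wsprintf format strings. Every %-slot must line up 1:1 with the arguments
; pushed at the call site (there is no type checking); the caller's `buffer`
; is 1024 bytes, which is also the most wsprintf will ever write.

szexitprocess   db "程序退出,退出码是:%8x",0         ; "process exited, exit code: %8x"; 1 slot <- dwExitCode

; "process created"; 8 slots <- the 8 CREATE_PROCESS_DEBUG_INFO fields in declaration order.
szcreateprocess db "程序创建",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "hProcess: %lx",0Dh,0Ah
                db "hThread: %lx",0Dh,0Ah
                db "lpBaseOfImage: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0dh,0Ah
                db "nDebugInfoSize: %lx ",0dh,0Ah
                db "lpThreadLocalBase: %lx",0Dh,0Ah
                db "lpStartAddress: %lx",0
; lpImageName / fUnicode are intentionally not part of this format: lpImageName is a
; pointer *into the debuggee's address space* (to a pointer to the name), so it must be
; fetched with ReadProcessMemory before it can be displayed; fUnicode picks the encoding.

; "DLL load info"; 5 slots <- the first 5 LOAD_DLL_DEBUG_INFO fields.
szloaddll       db "dll加载信息",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "lpBaseOfDll: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0Dh,0Ah
                db "nDebugInfoSize: %lx",0Dh,0Ah
                db "lpImageName: %lx",0              ; FIX: was %s - that dereferenced a debuggee-space pointer inside OUR process

szunloaddll     db "unloaddll,the lpBaseOfDll is :%8x",0

; "thread created"; 3 slots <- hThread, lpThreadLocalBase, lpStartAddress.
szcreatethread  db "线程创建:",0Dh,0Ah
                db "hThread:%8x",0Dh,0Ah
                db "lpThreadLocalBase:%8x",0Dh,0Ah
                db "lpStartAddress:%8x",0

szexitthread    db "线程退出,退出码是:%8x",0         ; "thread exited, exit code: %8x"
szoutputstr     db "OUTPUT_DEBUG_STRING_EVENT,the lpDebugStringData is :%8x",0   ; prints the (debuggee-space) address only
szrip           db "RIP_EVENT,the dwError is %8x;the dwType is %8x",0

; 7 slots <- ExceptionCode, ExceptionFlags, pExceptionRecord, ExceptionAddress,
; NumberParameters, ExceptionInformation[0], dwFirstChance - in that order.
; FIX: the original repeated the "ExceptionCode" line and had no line for
; ExceptionInformation, so every value from the 2nd slot on was shown under the
; wrong label.
szexception     db "EXCEPTION_DEBUG_INFO",0Dh,0Ah
                db "the ExceptionCode is %8x",0Dh,0Ah
                db "the ExceptionFlags is %8x",0Dh,0Ah
                db "the pExceptionRecord is %8x",0Dh,0Ah
                db "the ExceptionAddress is %8x",0Dh,0Ah
                db "the NumberParameters is %8x",0Dh,0Ah
                db "the ExceptionInformation[0] is %8x",0Dh,0Ah
                db "the dwFirstChance is %8x",0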
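correy          db "made by correy",0                ; caption used for every MessageBox
ofn             OPENFILENAME <>                      ; filled in by `start` before GetOpenFileName
FilterString    db "Executable Files",0,"*.exe",0,0  ; filter pairs; the extra 0 ends the list

; wsprintf format strings. Every %-slot must line up 1:1 with the arguments
; pushed at the call site (there is no type checking); the caller's `buffer`
; is 1024 bytes, which is also the most wsprintf will ever write.

szexitprocess   db "程序退出,退出码是:%8x",0         ; "process exited, exit code: %8x"; 1 slot <- dwExitCode

; "process created"; 8 slots <- the 8 CREATE_PROCESS_DEBUG_INFO fields in declaration order.
szcreateprocess db "程序创建",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "hProcess: %lx",0Dh,0Ah
                db "hThread: %lx",0Dh,0Ah
                db "lpBaseOfImage: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0dh,0Ah
                db "nDebugInfoSize: %lx ",0dh,0Ah
                db "lpThreadLocalBase: %lx",0Dh,0Ah
                db "lpStartAddress: %lx",0
; lpImageName / fUnicode are intentionally not part of this format: lpImageName is a
; pointer *into the debuggee's address space* (to a pointer to the name), so it must be
; fetched with ReadProcessMemory before it can be displayed; fUnicode picks the encoding.

; "DLL load info"; 5 slots <- the first 5 LOAD_DLL_DEBUG_INFO fields.
szloaddll       db "dll加载信息",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "lpBaseOfDll: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0Dh,0Ah
                db "nDebugInfoSize: %lx",0Dh,0Ah
                db "lpImageName: %lx",0              ; FIX: was %s - that dereferenced a debuggee-space pointer inside OUR process

szunloaddll     db "unloaddll,the lpBaseOfDll is :%8x",0

; "thread created"; 3 slots <- hThread, lpThreadLocalBase, lpStartAddress.
szcreatethread  db "线程创建:",0Dh,0Ah
                db "hThread:%8x",0Dh,0Ah
                db "lpThreadLocalBase:%8x",0Dh,0Ah
                db "lpStartAddress:%8x",0

szexitthread    db "线程退出,退出码是:%8x",0         ; "thread exited, exit code: %8x"
szoutputstr     db "OUTPUT_DEBUG_STRING_EVENT,the lpDebugStringData is :%8x",0   ; prints the (debuggee-space) address only
szrip           db "RIP_EVENT,the dwError is %8x;the dwType is %8x",0

; 7 slots <- ExceptionCode, ExceptionFlags, pExceptionRecord, ExceptionAddress,
; NumberParameters, ExceptionInformation[0], dwFirstChance - in that order.
; FIX: the original repeated the "ExceptionCode" line and had no line for
; ExceptionInformation, so every value from the 2nd slot on was shown under the
; wrong label.
szexception     db "EXCEPTION_DEBUG_INFO",0Dh,0Ah
                db "the ExceptionCode is %8x",0Dh,0Ah
                db "the ExceptionFlags is %8x",0Dh,0Ah
                db "the pExceptionRecord is %8x",0Dh,0Ah
                db "the ExceptionAddress is %8x",0Dh,0Ah
                db "the NumberParameters is %8x",0Dh,0Ah
                db "the ExceptionInformation[0] is %8x",0Dh,0Ah
                db "the dwFirstChance is %8x",0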
.data?
buffer db 1024 dup(?)          ; receives the chosen path (ofn.nMaxFile = 512 chars), then reused as wsprintf scratch
startinfo STARTUPINFO <>       ; filled by GetStartupInfo, handed unchanged to CreateProcess
pi PROCESS_INFORMATION <>      ; debuggee handles/ids from CreateProcess; hProcess/hThread are closed when the loop ends
DBEvent DEBUG_EVENT <>         ; the event most recently returned by WaitForDebugEvent
.code
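start:
    ; ------------------------------------------------------------------
    ; Minimal Win32 debugger loop (32-bit, stdcall, masm32 includes):
    ;   1. let the user pick an .exe      (GetOpenFileName -> `buffer`)
    ;   2. launch it as our debuggee      (CreateProcess, DEBUG_PROCESS)
    ;   3. WaitForDebugEvent / report via MessageBox / ContinueDebugEvent
    ;      until the debuggee exits.
    ; Register use in the loop: ebx = continue status for ContinueDebugEvent.
    ; ebx is callee-saved under stdcall, so it survives the Win32 calls.
    ; ------------------------------------------------------------------
    mov     ofn.lStructSize, sizeof ofn
    mov     ofn.lpstrFilter, offset FilterString
    mov     ofn.lpstrFile, offset buffer
    mov     ofn.nMaxFile, 512                   ; in chars; must stay <= the 1024 bytes reserved for `buffer`
    mov     ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    invoke  GetOpenFileName, addr ofn
    .if eax != 0                                ; documented as "nonzero on success"; do not pin it to TRUE
        invoke  GetStartupInfo, addr startinfo
        ; DEBUG_ONLY_THIS_PROCESS keeps children of the debuggee out of our event stream.
        ; `buffer` holds the path here; it is recycled as wsprintf scratch afterwards.
        invoke  CreateProcess, addr buffer, 0, 0, 0, 0, DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS, 0, 0, addr startinfo, addr pi
        .if eax != 0                            ; FIX: the result was never checked; a failed launch fell into the wait loop
            .while TRUE
                invoke  WaitForDebugEvent, addr DBEvent, INFINITE
                .if eax == 0                    ; FIX: on failure DBEvent is stale - leave instead of re-reporting it forever
                    .break
                .endif
                ; Default reply. Only EXCEPTION_DEBUG_EVENT looks at it; the kernel ignores
                ; the value for every other event code.
                mov     ebx, DBG_EXCEPTION_NOT_HANDLED

                .if DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitprocess, DBEvent.u.ExitProcess.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: the debuggee stays suspended until this final event is answered
                    ; as well; reply before leaving so it can finish tearing down.
                    invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
                    .break

                .elseif DBEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
                    ; 8 arguments <-> 8 %lx slots in szcreateprocess.
                    invoke  wsprintf, addr buffer, addr szcreateprocess, \
                            DBEvent.u.CreateProcessInfo.hFile, \
                            DBEvent.u.CreateProcessInfo.hProcess, \
                            DBEvent.u.CreateProcessInfo.hThread, \
                            DBEvent.u.CreateProcessInfo.lpBaseOfImage, \
                            DBEvent.u.CreateProcessInfo.dwDebugInfoFileOffset, \
                            DBEvent.u.CreateProcessInfo.nDebugInfoSize, \
                            DBEvent.u.CreateProcessInfo.lpThreadLocalBase, \
                            DBEvent.u.CreateProcessInfo.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; lpImageName is NOT a string in our address space: when non-NULL it is a
                    ; debuggee-space pointer to a pointer to the name (encoding per fUnicode).
                    ; Showing it takes two ReadProcessMemory calls on hProcess; handing it to
                    ; MessageBox/wsprintf directly reads the wrong process's memory.
                    ; FIX: hFile is given to the debugger to own - close it or it leaks.
                    .if DBEvent.u.CreateProcessInfo.hFile != 0
                        invoke  CloseHandle, DBEvent.u.CreateProcessInfo.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT
                    ; FIX: the original compared against LOAD_DLL_DEBUG_INFO, which is the
                    ; struct TYPE (MASM evaluates it to the structure's size), not the event
                    ; code - so DLL loads were never reported.
                    ; 5 arguments <-> 5 slots in szloaddll. The last one, lpImageName, is a
                    ; debuggee-space pointer and must only be printed as a number (%lx), never
                    ; with %s.
                    invoke  wsprintf, addr buffer, addr szloaddll, \
                            DBEvent.u.LoadDll.hFile, \
                            DBEvent.u.LoadDll.lpBaseOfDll, \
                            DBEvent.u.LoadDll.dwDebugInfoFileOffset, \
                            DBEvent.u.LoadDll.nDebugInfoSize, \
                            DBEvent.u.LoadDll.lpImageName
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: same ownership rule as for CREATE_PROCESS - the DLL file handle is ours to close.
                    .if DBEvent.u.LoadDll.hFile != 0
                        invoke  CloseHandle, DBEvent.u.LoadDll.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == UNLOAD_DLL_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szunloaddll, DBEvent.u.UnloadDll.lpBaseOfDll
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == CREATE_THREAD_DEBUG_EVENT
                    ; hThread here is closed by the system when the thread exits; do not close it.
                    invoke  wsprintf, addr buffer, addr szcreatethread, \
                            DBEvent.u.CreateThread.hThread, \
                            DBEvent.u.CreateThread.lpThreadLocalBase, \
                            DBEvent.u.CreateThread.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXIT_THREAD_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitthread, DBEvent.u.ExitThread.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                    ; 7 arguments <-> 7 slots in szexception (ExceptionInformation passes element 0).
                    invoke  wsprintf, addr buffer, addr szexception, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionCode, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionFlags, \
                            DBEvent.u.Exception.pExceptionRecord.pExceptionRecord, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionAddress, \
                            DBEvent.u.Exception.pExceptionRecord.NumberParameters, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionInformation, \
                            DBEvent.u.Exception.dwFirstChance
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: the original answered EVERY exception with DBG_CONTINUE. That is
                    ; right for the debugger's own traps (initial breakpoint, single-step),
                    ; but for a real fault it re-executes the faulting instruction and the
                    ; same exception comes back forever. Anything else gets
                    ; DBG_EXCEPTION_NOT_HANDLED so the debuggee's own SEH handlers run
                    ; (a second-chance event follows if none of them handles it).
                    mov     eax, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
                    .if eax == EXCEPTION_BREAKPOINT || eax == EXCEPTION_SINGLE_STEP
                        mov     ebx, DBG_CONTINUE
                    .endif

                .elseif DBEvent.dwDebugEventCode == OUTPUT_DEBUG_STRING_EVENT
                    ; lpDebugStringData is a debuggee-space address (nDebugStringLength bytes,
                    ; fUnicode for the encoding); only the address is shown here. Reading the
                    ; text would need ReadProcessMemory on pi.hProcess.
                    invoke  wsprintf, addr buffer, addr szoutputstr, DBEvent.u.DebugString.lpDebugStringData
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == RIP_EVENT
                    invoke  wsprintf, addr buffer, addr szrip, DBEvent.u.RipInfo.dwError, DBEvent.u.RipInfo.dwType
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                .endif

                ; Every event must be answered or the debuggee stays frozen.
                invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, ebx
            .endw
            invoke  CloseHandle, pi.hProcess
            invoke  CloseHandle, pi.hThread
        .endif
    .endif
    invoke  ExitProcess, 0
end start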
buffer db 1024 dup(?)          ; receives the chosen path (ofn.nMaxFile = 512 chars), then reused as wsprintf scratch
startinfo STARTUPINFO <>       ; filled by GetStartupInfo, handed unchanged to CreateProcess
pi PROCESS_INFORMATION <>      ; debuggee handles/ids from CreateProcess; hProcess/hThread are closed when the loop ends
DBEvent DEBUG_EVENT <>         ; the event most recently returned by WaitForDebugEvent
.code
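start:
    ; ------------------------------------------------------------------
    ; Minimal Win32 debugger loop (32-bit, stdcall, masm32 includes):
    ;   1. let the user pick an .exe      (GetOpenFileName -> `buffer`)
    ;   2. launch it as our debuggee      (CreateProcess, DEBUG_PROCESS)
    ;   3. WaitForDebugEvent / report via MessageBox / ContinueDebugEvent
    ;      until the debuggee exits.
    ; Register use in the loop: ebx = continue status for ContinueDebugEvent.
    ; ebx is callee-saved under stdcall, so it survives the Win32 calls.
    ; ------------------------------------------------------------------
    mov     ofn.lStructSize, sizeof ofn
    mov     ofn.lpstrFilter, offset FilterString
    mov     ofn.lpstrFile, offset buffer
    mov     ofn.nMaxFile, 512                   ; in chars; must stay <= the 1024 bytes reserved for `buffer`
    mov     ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    invoke  GetOpenFileName, addr ofn
    .if eax != 0                                ; documented as "nonzero on success"; do not pin it to TRUE
        invoke  GetStartupInfo, addr startinfo
        ; DEBUG_ONLY_THIS_PROCESS keeps children of the debuggee out of our event stream.
        ; `buffer` holds the path here; it is recycled as wsprintf scratch afterwards.
        invoke  CreateProcess, addr buffer, 0, 0, 0, 0, DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS, 0, 0, addr startinfo, addr pi
        .if eax != 0                            ; FIX: the result was never checked; a failed launch fell into the wait loop
            .while TRUE
                invoke  WaitForDebugEvent, addr DBEvent, INFINITE
                .if eax == 0                    ; FIX: on failure DBEvent is stale - leave instead of re-reporting it forever
                    .break
                .endif
                ; Default reply. Only EXCEPTION_DEBUG_EVENT looks at it; the kernel ignores
                ; the value for every other event code.
                mov     ebx, DBG_EXCEPTION_NOT_HANDLED

                .if DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitprocess, DBEvent.u.ExitProcess.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: the debuggee stays suspended until this final event is answered
                    ; as well; reply before leaving so it can finish tearing down.
                    invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
                    .break

                .elseif DBEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
                    ; 8 arguments <-> 8 %lx slots in szcreateprocess.
                    invoke  wsprintf, addr buffer, addr szcreateprocess, \
                            DBEvent.u.CreateProcessInfo.hFile, \
                            DBEvent.u.CreateProcessInfo.hProcess, \
                            DBEvent.u.CreateProcessInfo.hThread, \
                            DBEvent.u.CreateProcessInfo.lpBaseOfImage, \
                            DBEvent.u.CreateProcessInfo.dwDebugInfoFileOffset, \
                            DBEvent.u.CreateProcessInfo.nDebugInfoSize, \
                            DBEvent.u.CreateProcessInfo.lpThreadLocalBase, \
                            DBEvent.u.CreateProcessInfo.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; lpImageName is NOT a string in our address space: when non-NULL it is a
                    ; debuggee-space pointer to a pointer to the name (encoding per fUnicode).
                    ; Showing it takes two ReadProcessMemory calls on hProcess; handing it to
                    ; MessageBox/wsprintf directly reads the wrong process's memory.
                    ; FIX: hFile is given to the debugger to own - close it or it leaks.
                    .if DBEvent.u.CreateProcessInfo.hFile != 0
                        invoke  CloseHandle, DBEvent.u.CreateProcessInfo.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT
                    ; FIX: the original compared against LOAD_DLL_DEBUG_INFO, which is the
                    ; struct TYPE (MASM evaluates it to the structure's size), not the event
                    ; code - so DLL loads were never reported.
                    ; 5 arguments <-> 5 slots in szloaddll. The last one, lpImageName, is a
                    ; debuggee-space pointer and must only be printed as a number (%lx), never
                    ; with %s.
                    invoke  wsprintf, addr buffer, addr szloaddll, \
                            DBEvent.u.LoadDll.hFile, \
                            DBEvent.u.LoadDll.lpBaseOfDll, \
                            DBEvent.u.LoadDll.dwDebugInfoFileOffset, \
                            DBEvent.u.LoadDll.nDebugInfoSize, \
                            DBEvent.u.LoadDll.lpImageName
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: same ownership rule as for CREATE_PROCESS - the DLL file handle is ours to close.
                    .if DBEvent.u.LoadDll.hFile != 0
                        invoke  CloseHandle, DBEvent.u.LoadDll.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == UNLOAD_DLL_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szunloaddll, DBEvent.u.UnloadDll.lpBaseOfDll
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == CREATE_THREAD_DEBUG_EVENT
                    ; hThread here is closed by the system when the thread exits; do not close it.
                    invoke  wsprintf, addr buffer, addr szcreatethread, \
                            DBEvent.u.CreateThread.hThread, \
                            DBEvent.u.CreateThread.lpThreadLocalBase, \
                            DBEvent.u.CreateThread.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXIT_THREAD_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitthread, DBEvent.u.ExitThread.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                    ; 7 arguments <-> 7 slots in szexception (ExceptionInformation passes element 0).
                    invoke  wsprintf, addr buffer, addr szexception, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionCode, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionFlags, \
                            DBEvent.u.Exception.pExceptionRecord.pExceptionRecord, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionAddress, \
                            DBEvent.u.Exception.pExceptionRecord.NumberParameters, \
                            DBEvent.u.Exception.pExceptionRecord.ExceptionInformation, \
                            DBEvent.u.Exception.dwFirstChance
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: the original answered EVERY exception with DBG_CONTINUE. That is
                    ; right for the debugger's own traps (initial breakpoint, single-step),
                    ; but for a real fault it re-executes the faulting instruction and the
                    ; same exception comes back forever. Anything else gets
                    ; DBG_EXCEPTION_NOT_HANDLED so the debuggee's own SEH handlers run
                    ; (a second-chance event follows if none of them handles it).
                    mov     eax, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
                    .if eax == EXCEPTION_BREAKPOINT || eax == EXCEPTION_SINGLE_STEP
                        mov     ebx, DBG_CONTINUE
                    .endif

                .elseif DBEvent.dwDebugEventCode == OUTPUT_DEBUG_STRING_EVENT
                    ; lpDebugStringData is a debuggee-space address (nDebugStringLength bytes,
                    ; fUnicode for the encoding); only the address is shown here. Reading the
                    ; text would need ReadProcessMemory on pi.hProcess.
                    invoke  wsprintf, addr buffer, addr szoutputstr, DBEvent.u.DebugString.lpDebugStringData
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == RIP_EVENT
                    invoke  wsprintf, addr buffer, addr szrip, DBEvent.u.RipInfo.dwError, DBEvent.u.RipInfo.dwType
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                .endif

                ; Every event must be answered or the debuggee stays frozen.
                invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, ebx
            .endw
            invoke  CloseHandle, pi.hProcess
            invoke  CloseHandle, pi.hThread
        .endif
    .endif
    invoke  ExitProcess, 0
end start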
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;made by correy
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
;跟踪(tracing)
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comdlg32.inc
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
;跟踪(tracing)
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comdlg32.inc
includelib comdlg32.lib
includelib user32.lib
includelib kernel32.lib
includelib user32.lib
includelib kernel32.lib
.data
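correy          db "made by correy",0                ; caption used for most MessageBox calls
ofn             OPENFILENAME <>                      ; filled in by `start` before GetOpenFileName
FilterString    db "Executable Files",0,"*.exe",0,0  ; filter pairs; the extra 0 ends the list

; wsprintf format strings. Every %-slot must line up 1:1 with the arguments
; pushed at the call site (there is no type checking); the caller's buffers
; are 1024 bytes, which is also the most wsprintf will ever write.

szexitprocess   db "程序退出,退出码是:%8x",0         ; "process exited, exit code: %8x"; 1 slot <- dwExitCode

; "process created"; 8 slots <- the 8 CREATE_PROCESS_DEBUG_INFO fields in declaration order.
szcreateprocess db "程序创建",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "hProcess: %lx",0Dh,0Ah
                db "hThread: %lx",0Dh,0Ah
                db "lpBaseOfImage: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0dh,0Ah
                db "nDebugInfoSize: %lx ",0dh,0Ah
                db "lpThreadLocalBase: %lx",0Dh,0Ah
                db "lpStartAddress: %lx",0
; lpImageName / fUnicode are intentionally not part of this format: lpImageName is a
; pointer *into the debuggee's address space* (to a pointer to the name), so it must be
; fetched with ReadProcessMemory before it can be displayed; fUnicode picks the encoding.

; "DLL load info"; 5 slots <- the first 5 LOAD_DLL_DEBUG_INFO fields.
szloaddll       db "dll加载信息",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "lpBaseOfDll: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0Dh,0Ah
                db "nDebugInfoSize: %lx",0Dh,0Ah
                db "lpImageName: %lx",0              ; FIX: was %s - that dereferenced a debuggee-space pointer inside OUR process

szunloaddll     db "unloaddll,the lpBaseOfDll is :%8x",0

; "thread created"; 3 slots <- hThread, lpThreadLocalBase, lpStartAddress.
szcreatethread  db "线程创建:",0Dh,0Ah
                db "hThread:%8x",0Dh,0Ah
                db "lpThreadLocalBase:%8x",0Dh,0Ah
                db "lpStartAddress:%8x",0

szexitthread    db "线程退出,退出码是:%8x",0         ; "thread exited, exit code: %8x"
szoutputstr     db "OUTPUT_DEBUG_STRING_EVENT,the lpDebugStringData is :%8x",0   ; prints the (debuggee-space) address only
szrip           db "RIP_EVENT,the dwError is %8x;the dwType is %8x",0

; 7 slots <- ExceptionCode, ExceptionFlags, pExceptionRecord, ExceptionAddress,
; NumberParameters, ExceptionInformation[0], dwFirstChance - in that order.
; FIX: the original repeated the "ExceptionCode" line and had no line for
; ExceptionInformation, so every value from the 2nd slot on was shown under the
; wrong label. (Kept for reference; the tracer below prints szcpu/szexceptioncode.)
szexception     db "EXCEPTION_DEBUG_INFO",0Dh,0Ah
                db "the ExceptionCode is %8x",0Dh,0Ah
                db "the ExceptionFlags is %8x",0Dh,0Ah
                db "the pExceptionRecord is %8x",0Dh,0Ah
                db "the ExceptionAddress is %8x",0Dh,0Ah
                db "the NumberParameters is %8x",0Dh,0Ah
                db "the ExceptionInformation[0] is %8x",0Dh,0Ah
                db "the dwFirstChance is %8x",0

; Tracer output: 2 slots <- context.regEip, context.regCs (message body).
szcpu           db "eip:%8x;cs:%8x",0
; "an exception occurred, exception code is %8x"; 1 slot <- ExceptionCode (message caption).
szexceptioncode db "发生异常,异常代码是%8x",0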
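correy          db "made by correy",0                ; caption used for most MessageBox calls
ofn             OPENFILENAME <>                      ; filled in by `start` before GetOpenFileName
FilterString    db "Executable Files",0,"*.exe",0,0  ; filter pairs; the extra 0 ends the list

; wsprintf format strings. Every %-slot must line up 1:1 with the arguments
; pushed at the call site (there is no type checking); the caller's buffers
; are 1024 bytes, which is also the most wsprintf will ever write.

szexitprocess   db "程序退出,退出码是:%8x",0         ; "process exited, exit code: %8x"; 1 slot <- dwExitCode

; "process created"; 8 slots <- the 8 CREATE_PROCESS_DEBUG_INFO fields in declaration order.
szcreateprocess db "程序创建",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "hProcess: %lx",0Dh,0Ah
                db "hThread: %lx",0Dh,0Ah
                db "lpBaseOfImage: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0dh,0Ah
                db "nDebugInfoSize: %lx ",0dh,0Ah
                db "lpThreadLocalBase: %lx",0Dh,0Ah
                db "lpStartAddress: %lx",0
; lpImageName / fUnicode are intentionally not part of this format: lpImageName is a
; pointer *into the debuggee's address space* (to a pointer to the name), so it must be
; fetched with ReadProcessMemory before it can be displayed; fUnicode picks the encoding.

; "DLL load info"; 5 slots <- the first 5 LOAD_DLL_DEBUG_INFO fields.
szloaddll       db "dll加载信息",0dh,0Ah
                db "hFile: %lx ",0dh,0Ah
                db "lpBaseOfDll: %lx",0Dh,0Ah
                db "dwDebugInfoFileOffset: %lx",0Dh,0Ah
                db "nDebugInfoSize: %lx",0Dh,0Ah
                db "lpImageName: %lx",0              ; FIX: was %s - that dereferenced a debuggee-space pointer inside OUR process

szunloaddll     db "unloaddll,the lpBaseOfDll is :%8x",0

; "thread created"; 3 slots <- hThread, lpThreadLocalBase, lpStartAddress.
szcreatethread  db "线程创建:",0Dh,0Ah
                db "hThread:%8x",0Dh,0Ah
                db "lpThreadLocalBase:%8x",0Dh,0Ah
                db "lpStartAddress:%8x",0

szexitthread    db "线程退出,退出码是:%8x",0         ; "thread exited, exit code: %8x"
szoutputstr     db "OUTPUT_DEBUG_STRING_EVENT,the lpDebugStringData is :%8x",0   ; prints the (debuggee-space) address only
szrip           db "RIP_EVENT,the dwError is %8x;the dwType is %8x",0

; 7 slots <- ExceptionCode, ExceptionFlags, pExceptionRecord, ExceptionAddress,
; NumberParameters, ExceptionInformation[0], dwFirstChance - in that order.
; FIX: the original repeated the "ExceptionCode" line and had no line for
; ExceptionInformation, so every value from the 2nd slot on was shown under the
; wrong label. (Kept for reference; the tracer below prints szcpu/szexceptioncode.)
szexception     db "EXCEPTION_DEBUG_INFO",0Dh,0Ah
                db "the ExceptionCode is %8x",0Dh,0Ah
                db "the ExceptionFlags is %8x",0Dh,0Ah
                db "the pExceptionRecord is %8x",0Dh,0Ah
                db "the ExceptionAddress is %8x",0Dh,0Ah
                db "the NumberParameters is %8x",0Dh,0Ah
                db "the ExceptionInformation[0] is %8x",0Dh,0Ah
                db "the dwFirstChance is %8x",0

; Tracer output: 2 slots <- context.regEip, context.regCs (message body).
szcpu           db "eip:%8x;cs:%8x",0
; "an exception occurred, exception code is %8x"; 1 slot <- ExceptionCode (message caption).
szexceptioncode db "发生异常,异常代码是%8x",0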
.data?
buffer db 1024 dup(?)          ; receives the chosen path (ofn.nMaxFile = 512 chars), then reused as wsprintf scratch (message body)
startinfo STARTUPINFO <>       ; filled by GetStartupInfo, handed unchanged to CreateProcess
pi PROCESS_INFORMATION <>      ; debuggee handles/ids from CreateProcess; hProcess/hThread are closed when the loop ends
DBEvent DEBUG_EVENT <>         ; the event most recently returned by WaitForDebugEvent
context CONTEXT <>             ; thread context read/written with ContextFlags = CONTEXT_CONTROL to toggle TF (regFlag bit 8)
buffer2 db 1024 dup(?)         ; second wsprintf target (message caption) so body and caption can be formatted independently
buffer db 1024 dup(?)          ; receives the chosen path (ofn.nMaxFile = 512 chars), then reused as wsprintf scratch (message body)
startinfo STARTUPINFO <>       ; filled by GetStartupInfo, handed unchanged to CreateProcess
pi PROCESS_INFORMATION <>      ; debuggee handles/ids from CreateProcess; hProcess/hThread are closed when the loop ends
DBEvent DEBUG_EVENT <>         ; the event most recently returned by WaitForDebugEvent
context CONTEXT <>             ; thread context read/written with ContextFlags = CONTEXT_CONTROL to toggle TF (regFlag bit 8)
buffer2 db 1024 dup(?)         ; second wsprintf target (message caption) so body and caption can be formatted independently
.code
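start:
    ; ------------------------------------------------------------------
    ; Single-step tracer built on the Win32 debug API (32-bit, stdcall,
    ; masm32 includes):
    ;   1. let the user pick an .exe      (GetOpenFileName -> `buffer`)
    ;   2. launch it as our debuggee      (CreateProcess, DEBUG_PROCESS)
    ;   3. on every exception event, set EFLAGS.TF on the faulting thread so
    ;      the next instruction raises EXCEPTION_SINGLE_STEP, show eip/cs,
    ;      and continue; other events are just reported.
    ; Register use in the loop (both callee-saved under stdcall):
    ;   ebx = continue status for ContinueDebugEvent
    ;   esi = handle of the thread that raised the current exception
    ; ------------------------------------------------------------------
    mov     ofn.lStructSize, sizeof ofn
    mov     ofn.lpstrFilter, offset FilterString
    mov     ofn.lpstrFile, offset buffer
    mov     ofn.nMaxFile, 512                   ; in chars; must stay <= the 1024 bytes reserved for `buffer`
    mov     ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    invoke  GetOpenFileName, addr ofn
    .if eax != 0                                ; documented as "nonzero on success"; do not pin it to TRUE
        invoke  GetStartupInfo, addr startinfo
        ; DEBUG_ONLY_THIS_PROCESS keeps children of the debuggee out of our event stream.
        ; `buffer` holds the path here; it is recycled as wsprintf scratch afterwards.
        invoke  CreateProcess, addr buffer, 0, 0, 0, 0, DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS, 0, 0, addr startinfo, addr pi
        .if eax != 0                            ; FIX: the result was never checked; a failed launch fell into the wait loop
            .while TRUE
                invoke  WaitForDebugEvent, addr DBEvent, INFINITE
                .if eax == 0                    ; FIX: on failure DBEvent is stale - leave instead of re-reporting it forever
                    .break
                .endif
                ; Default reply. Only EXCEPTION_DEBUG_EVENT looks at it; the kernel ignores
                ; the value for every other event code.
                mov     ebx, DBG_EXCEPTION_NOT_HANDLED

                .if DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitprocess, DBEvent.u.ExitProcess.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: the debuggee stays suspended until this final event is answered
                    ; as well; reply before leaving so it can finish tearing down.
                    invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
                    .break

                .elseif DBEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
                    ; 8 arguments <-> 8 %lx slots in szcreateprocess.
                    invoke  wsprintf, addr buffer, addr szcreateprocess, \
                            DBEvent.u.CreateProcessInfo.hFile, \
                            DBEvent.u.CreateProcessInfo.hProcess, \
                            DBEvent.u.CreateProcessInfo.hThread, \
                            DBEvent.u.CreateProcessInfo.lpBaseOfImage, \
                            DBEvent.u.CreateProcessInfo.dwDebugInfoFileOffset, \
                            DBEvent.u.CreateProcessInfo.nDebugInfoSize, \
                            DBEvent.u.CreateProcessInfo.lpThreadLocalBase, \
                            DBEvent.u.CreateProcessInfo.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; lpImageName is NOT a string in our address space: when non-NULL it is a
                    ; debuggee-space pointer to a pointer to the name (encoding per fUnicode).
                    ; Showing it takes two ReadProcessMemory calls on hProcess; handing it to
                    ; MessageBox/wsprintf directly reads the wrong process's memory.
                    ; FIX: hFile is given to the debugger to own - close it or it leaks.
                    .if DBEvent.u.CreateProcessInfo.hFile != 0
                        invoke  CloseHandle, DBEvent.u.CreateProcessInfo.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT
                    ; FIX: the original compared against LOAD_DLL_DEBUG_INFO, which is the
                    ; struct TYPE (MASM evaluates it to the structure's size), not the event
                    ; code - so DLL loads were never reported.
                    ; 5 arguments <-> 5 slots in szloaddll. The last one, lpImageName, is a
                    ; debuggee-space pointer and must only be printed as a number (%lx), never
                    ; with %s.
                    invoke  wsprintf, addr buffer, addr szloaddll, \
                            DBEvent.u.LoadDll.hFile, \
                            DBEvent.u.LoadDll.lpBaseOfDll, \
                            DBEvent.u.LoadDll.dwDebugInfoFileOffset, \
                            DBEvent.u.LoadDll.nDebugInfoSize, \
                            DBEvent.u.LoadDll.lpImageName
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: same ownership rule as for CREATE_PROCESS - the DLL file handle is ours to close.
                    .if DBEvent.u.LoadDll.hFile != 0
                        invoke  CloseHandle, DBEvent.u.LoadDll.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == UNLOAD_DLL_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szunloaddll, DBEvent.u.UnloadDll.lpBaseOfDll
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == CREATE_THREAD_DEBUG_EVENT
                    ; hThread here is closed by the system when the thread exits; do not close it.
                    invoke  wsprintf, addr buffer, addr szcreatethread, \
                            DBEvent.u.CreateThread.hThread, \
                            DBEvent.u.CreateThread.lpThreadLocalBase, \
                            DBEvent.u.CreateThread.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXIT_THREAD_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitthread, DBEvent.u.ExitThread.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                    ; Re-arm the trap flag (TF, bit 8 of EFLAGS) on the thread that raised this
                    ; event. The CPU clears TF when it delivers the single-step trap, so it has
                    ; to be set again on every event to keep tracing.
                    ; FIX: the original always used pi.hThread (the initial thread), so an
                    ; exception on any other debuggee thread stepped the wrong thread. Open the
                    ; thread the event actually came from, with just the rights needed.
                    invoke  OpenThread, THREAD_GET_CONTEXT or THREAD_SET_CONTEXT, FALSE, DBEvent.dwThreadId
                    mov     esi, eax                    ; esi = thread handle, 0 on failure
                    .if esi != 0
                        mov     context.ContextFlags, CONTEXT_CONTROL
                        invoke  GetThreadContext, esi, addr context
                        ; FIX: only write the context back if the read succeeded; otherwise
                        ; SetThreadContext would push stale registers from a previous event
                        ; into this thread.
                        .if eax != 0
                            or      context.regFlag, 100h      ; EFLAGS.TF
                            invoke  SetThreadContext, esi, addr context
                        .endif
                        invoke  CloseHandle, esi
                    .endif
                    ; NOTE: if OpenThread/GetThreadContext failed, regEip/regCs below are
                    ; whatever the previous event left in `context`.
                    invoke  wsprintf, addr buffer, addr szcpu, context.regEip, context.regCs
                    invoke  wsprintf, addr buffer2, addr szexceptioncode, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
                    invoke  MessageBox, 0, addr buffer, addr buffer2, 0
                    ; FIX: the original answered EVERY exception with DBG_CONTINUE. That is
                    ; right for the traps the tracer itself causes (initial breakpoint,
                    ; single-step), but for a real fault it re-executes the faulting
                    ; instruction and the same exception comes back forever. Anything else
                    ; gets DBG_EXCEPTION_NOT_HANDLED so the debuggee's own SEH handlers run
                    ; (a second-chance event follows if none of them handles it).
                    mov     eax, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
                    .if eax == EXCEPTION_BREAKPOINT || eax == EXCEPTION_SINGLE_STEP
                        mov     ebx, DBG_CONTINUE
                    .endif

                .elseif DBEvent.dwDebugEventCode == OUTPUT_DEBUG_STRING_EVENT
                    ; lpDebugStringData is a debuggee-space address (nDebugStringLength bytes,
                    ; fUnicode for the encoding); only the address is shown here. Reading the
                    ; text would need ReadProcessMemory on pi.hProcess.
                    invoke  wsprintf, addr buffer, addr szoutputstr, DBEvent.u.DebugString.lpDebugStringData
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == RIP_EVENT
                    invoke  wsprintf, addr buffer, addr szrip, DBEvent.u.RipInfo.dwError, DBEvent.u.RipInfo.dwType
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                .endif

                ; Every event must be answered or the debuggee stays frozen.
                invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, ebx
            .endw
            invoke  CloseHandle, pi.hProcess
            invoke  CloseHandle, pi.hThread
        .endif
    .endif
    invoke  ExitProcess, 0
end start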
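start:
    ; ------------------------------------------------------------------
    ; Single-step tracer built on the Win32 debug API (32-bit, stdcall,
    ; masm32 includes):
    ;   1. let the user pick an .exe      (GetOpenFileName -> `buffer`)
    ;   2. launch it as our debuggee      (CreateProcess, DEBUG_PROCESS)
    ;   3. on every exception event, set EFLAGS.TF on the faulting thread so
    ;      the next instruction raises EXCEPTION_SINGLE_STEP, show eip/cs,
    ;      and continue; other events are just reported.
    ; Register use in the loop (both callee-saved under stdcall):
    ;   ebx = continue status for ContinueDebugEvent
    ;   esi = handle of the thread that raised the current exception
    ; ------------------------------------------------------------------
    mov     ofn.lStructSize, sizeof ofn
    mov     ofn.lpstrFilter, offset FilterString
    mov     ofn.lpstrFile, offset buffer
    mov     ofn.nMaxFile, 512                   ; in chars; must stay <= the 1024 bytes reserved for `buffer`
    mov     ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    invoke  GetOpenFileName, addr ofn
    .if eax != 0                                ; documented as "nonzero on success"; do not pin it to TRUE
        invoke  GetStartupInfo, addr startinfo
        ; DEBUG_ONLY_THIS_PROCESS keeps children of the debuggee out of our event stream.
        ; `buffer` holds the path here; it is recycled as wsprintf scratch afterwards.
        invoke  CreateProcess, addr buffer, 0, 0, 0, 0, DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS, 0, 0, addr startinfo, addr pi
        .if eax != 0                            ; FIX: the result was never checked; a failed launch fell into the wait loop
            .while TRUE
                invoke  WaitForDebugEvent, addr DBEvent, INFINITE
                .if eax == 0                    ; FIX: on failure DBEvent is stale - leave instead of re-reporting it forever
                    .break
                .endif
                ; Default reply. Only EXCEPTION_DEBUG_EVENT looks at it; the kernel ignores
                ; the value for every other event code.
                mov     ebx, DBG_EXCEPTION_NOT_HANDLED

                .if DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitprocess, DBEvent.u.ExitProcess.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: the debuggee stays suspended until this final event is answered
                    ; as well; reply before leaving so it can finish tearing down.
                    invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
                    .break

                .elseif DBEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
                    ; 8 arguments <-> 8 %lx slots in szcreateprocess.
                    invoke  wsprintf, addr buffer, addr szcreateprocess, \
                            DBEvent.u.CreateProcessInfo.hFile, \
                            DBEvent.u.CreateProcessInfo.hProcess, \
                            DBEvent.u.CreateProcessInfo.hThread, \
                            DBEvent.u.CreateProcessInfo.lpBaseOfImage, \
                            DBEvent.u.CreateProcessInfo.dwDebugInfoFileOffset, \
                            DBEvent.u.CreateProcessInfo.nDebugInfoSize, \
                            DBEvent.u.CreateProcessInfo.lpThreadLocalBase, \
                            DBEvent.u.CreateProcessInfo.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; lpImageName is NOT a string in our address space: when non-NULL it is a
                    ; debuggee-space pointer to a pointer to the name (encoding per fUnicode).
                    ; Showing it takes two ReadProcessMemory calls on hProcess; handing it to
                    ; MessageBox/wsprintf directly reads the wrong process's memory.
                    ; FIX: hFile is given to the debugger to own - close it or it leaks.
                    .if DBEvent.u.CreateProcessInfo.hFile != 0
                        invoke  CloseHandle, DBEvent.u.CreateProcessInfo.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT
                    ; FIX: the original compared against LOAD_DLL_DEBUG_INFO, which is the
                    ; struct TYPE (MASM evaluates it to the structure's size), not the event
                    ; code - so DLL loads were never reported.
                    ; 5 arguments <-> 5 slots in szloaddll. The last one, lpImageName, is a
                    ; debuggee-space pointer and must only be printed as a number (%lx), never
                    ; with %s.
                    invoke  wsprintf, addr buffer, addr szloaddll, \
                            DBEvent.u.LoadDll.hFile, \
                            DBEvent.u.LoadDll.lpBaseOfDll, \
                            DBEvent.u.LoadDll.dwDebugInfoFileOffset, \
                            DBEvent.u.LoadDll.nDebugInfoSize, \
                            DBEvent.u.LoadDll.lpImageName
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                    ; FIX: same ownership rule as for CREATE_PROCESS - the DLL file handle is ours to close.
                    .if DBEvent.u.LoadDll.hFile != 0
                        invoke  CloseHandle, DBEvent.u.LoadDll.hFile
                    .endif

                .elseif DBEvent.dwDebugEventCode == UNLOAD_DLL_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szunloaddll, DBEvent.u.UnloadDll.lpBaseOfDll
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == CREATE_THREAD_DEBUG_EVENT
                    ; hThread here is closed by the system when the thread exits; do not close it.
                    invoke  wsprintf, addr buffer, addr szcreatethread, \
                            DBEvent.u.CreateThread.hThread, \
                            DBEvent.u.CreateThread.lpThreadLocalBase, \
                            DBEvent.u.CreateThread.lpStartAddress
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXIT_THREAD_DEBUG_EVENT
                    invoke  wsprintf, addr buffer, addr szexitthread, DBEvent.u.ExitThread.dwExitCode
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                    ; Re-arm the trap flag (TF, bit 8 of EFLAGS) on the thread that raised this
                    ; event. The CPU clears TF when it delivers the single-step trap, so it has
                    ; to be set again on every event to keep tracing.
                    ; FIX: the original always used pi.hThread (the initial thread), so an
                    ; exception on any other debuggee thread stepped the wrong thread. Open the
                    ; thread the event actually came from, with just the rights needed.
                    invoke  OpenThread, THREAD_GET_CONTEXT or THREAD_SET_CONTEXT, FALSE, DBEvent.dwThreadId
                    mov     esi, eax                    ; esi = thread handle, 0 on failure
                    .if esi != 0
                        mov     context.ContextFlags, CONTEXT_CONTROL
                        invoke  GetThreadContext, esi, addr context
                        ; FIX: only write the context back if the read succeeded; otherwise
                        ; SetThreadContext would push stale registers from a previous event
                        ; into this thread.
                        .if eax != 0
                            or      context.regFlag, 100h      ; EFLAGS.TF
                            invoke  SetThreadContext, esi, addr context
                        .endif
                        invoke  CloseHandle, esi
                    .endif
                    ; NOTE: if OpenThread/GetThreadContext failed, regEip/regCs below are
                    ; whatever the previous event left in `context`.
                    invoke  wsprintf, addr buffer, addr szcpu, context.regEip, context.regCs
                    invoke  wsprintf, addr buffer2, addr szexceptioncode, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
                    invoke  MessageBox, 0, addr buffer, addr buffer2, 0
                    ; FIX: the original answered EVERY exception with DBG_CONTINUE. That is
                    ; right for the traps the tracer itself causes (initial breakpoint,
                    ; single-step), but for a real fault it re-executes the faulting
                    ; instruction and the same exception comes back forever. Anything else
                    ; gets DBG_EXCEPTION_NOT_HANDLED so the debuggee's own SEH handlers run
                    ; (a second-chance event follows if none of them handles it).
                    mov     eax, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
                    .if eax == EXCEPTION_BREAKPOINT || eax == EXCEPTION_SINGLE_STEP
                        mov     ebx, DBG_CONTINUE
                    .endif

                .elseif DBEvent.dwDebugEventCode == OUTPUT_DEBUG_STRING_EVENT
                    ; lpDebugStringData is a debuggee-space address (nDebugStringLength bytes,
                    ; fUnicode for the encoding); only the address is shown here. Reading the
                    ; text would need ReadProcessMemory on pi.hProcess.
                    invoke  wsprintf, addr buffer, addr szoutputstr, DBEvent.u.DebugString.lpDebugStringData
                    invoke  MessageBox, 0, addr buffer, addr correy, 0

                .elseif DBEvent.dwDebugEventCode == RIP_EVENT
                    invoke  wsprintf, addr buffer, addr szrip, DBEvent.u.RipInfo.dwError, DBEvent.u.RipInfo.dwType
                    invoke  MessageBox, 0, addr buffer, addr correy, 0
                .endif

                ; Every event must be answered or the debuggee stays frozen.
                invoke  ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, ebx
            .endw
            invoke  CloseHandle, pi.hProcess
            invoke  CloseHandle, pi.hThread
        .endif
    .endif
    invoke  ExitProcess, 0
end start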
 