資源簡介
郁金香OD 2012-網授用
代碼片段和文件信息
//?tELock.cpp?:?Plugin?for?ImpREC?to?find?tELock0.92x?real?API?in?its?wrapped?code
////////////////////////////////////////////////////////////////////////////////////////////
//
//?Very?quick?and?simple?example?to?get?all?values?in?“push?[API];?...?garbage?...?;ret“
//?Note?that?this?example?is?not?a?tracer?but?just?an?opcode?checker.
//
////////////////////////////////////////////////////////////////////////////////////////////
#include?
#define?DLLEXPORT?extern?“C“?__declspec(?dllexport?)
//?Exported?function?to?use?(prototypes)
////////////////////////////////////////////////////////////////////////////////////////////
DLLEXPORT?DWORD?Trace(DWORD?hFileMap?DWORD?dwSizeMap?DWORD?dwTimeOut?DWORD?dwToTrace
??DWORD?dwExactCall);
//?Global?variables
////////////////////////////////////////////////////////////////////////////////////////////
//?None
//?Initialize?all?you?need
BOOL?APIENTRY?DllMain(?HANDLE?hModule?
???????????????????????DWORD??ul_reason_for_call?
???????????????????????LPVOID?lpReserved
?)
{
????return?TRUE;
}
//?Exported?function?to?use
//
//?Parameters:
//?-----------
//?????:?HANDLE?of?the?mapped?file
//????:?Size?of?that?mapped?file
//????:?TimeOut?of?ImpREC?in?Options
//????:?Pointer?to?trace?(in?VA)
//??:?EIP?of?the?exact?call?(in?VA)
//
//?Returned?value:
//?---------------
//?Use?a?value?greater?or?equal?to?200.?It?will?be?shown?by?ImpREC?if?no?output?were?created
DLLEXPORT?DWORD?Trace(DWORD?hFileMap?DWORD?dwSizeMap?DWORD?dwTimeOut?DWORD?dwToTrace
??DWORD?dwExactCall)
{
//?Map?the?view?of?the?file
DWORD*?dwPtrOutput?=?(DWORD*)MapViewOfFile((HANDLE)hFileMap?FILE_MAP_READ?|?FILE_MAP_WRITE?0?0?0);
if?(!dwPtrOutput)
{
//?Can‘t?map?view
return?(201);
}
//?Check?the?size?of?the?map?file
if?(dwSizeMap? {
//?Invalid?map?size
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return?(203);
}
//?Check?if?we?read?a?valid?pointer
if?(IsBadReadPtr((VOID*)dwToTrace?4))
{
//?Bad?pointer!
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return?(205);
}
BYTE?*to_trace?=?(BYTE*)dwToTrace;
//?We?must?have?a?“push?[XXXXXXX]“
if?(to_trace[0]?==?0xFF?&&?to_trace[1]?==?0x35)
{
//?Get?the?pointer?in?the?“push?[XXXXXXX]“
DWORD?address?=?*((DWORD*)(to_trace+2));
//?Check?if?this?pointer?is?valid
if?(IsBadReadPtr((VOID*)address?4))
{
//?Bad?pointer!
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return?(205);
}
//?Get?the?value?in?XXXXXX?and?write?it?to?the?mapped?file
*dwPtrOutput?=?*((DWORD*)address);
}
//?OK
UnmapViewOfFile((LPCVOID)dwPtrOutput);
CloseHandle((HANDLE)hFileMap);
return?(200);
}
評論
共有 條評論
川公網安備 51152502000135號