//////////////////////////////////////////////////////////////////////////////////////////
//
//
//???PESpin?[1.3.04]?API?Tracer?plugin?for?ImportRec
//????
//???Author?:?Nagareshwar?Y?Talekar.
//???Date???:?1st?May?2006.
//
//
//
//////////////////////////////////////////////////////////////////////////////////////////


#include?
#include?

#define?DLLEXPORT?extern?“C“?__declspec（?dllexport?）


DLLEXPORT?DWORD?Trace（DWORD?hFileMap?DWORD?dwSizeMap?DWORD?dwTimeOut?DWORD?dwToTrace??DWORD?dwExactCall）;


//?Initialize?all?you?need
BOOL?APIENTRY?DllMain（?HANDLE?hModule?DWORD??reason?LPVOID?lpReserved?）
{
????return?TRUE;
}

//?Exported?function?to?use
//
//?Parameters:
//?-----------
//?????:?HANDLE?of?the?mapped?file
//????:?Size?of?that?mapped?file
//????:?TimeOut?of?ImpREC?in?Options
//????:?Pointer?to?trace?（in?VA）
//??:?EIP?of?the?exact?call?（in?VA）
//
//?Returned?value:
//?---------------
//?Use?a?value?greater?or?equal?to?200.?It?will?be?shown?by?ImpREC?if?no?output?were?created

DLLEXPORT?DWORD?Trace（DWORD?hFileMap?DWORD?dwSizeMap?DWORD?dwTimeOut?DWORD?dwToTrace?DWORD?dwExactCall）
{
	//FILE?*logFile;
	//char?str[1024];
	DWORD?finalAddress;
	DWORD?jmpAddress;
	DWORD?nextAddress;


	//logFile?=?fopen（“C:\\pespin_log.txt“?“a“）;
	
	//if（?logFile?==?NULL?）
	//	return?201;

	//?Map?the?view?of?the?file
	DWORD*?dwPtrOutput?=?（DWORD*）MapViewOfFile（（HANDLE）hFileMap?FILE_MAP_READ?|?FILE_MAP_WRITE?0?0?0）;
	
	if?（!dwPtrOutput）
	{
		return?（201）;??//?mapping?failed
	}
	
	//?Check?the?size?of?the?map?file
	if?（dwSizeMap?	{
		//?Invalid?map?size
		UnmapViewOfFile（（LPCVOID）dwPtrOutput）;
		CloseHandle（（HANDLE）hFileMap）;
		return?（203）;
	}

	
	if?（IsBadReadPtr（（VOID*）dwToTrace?4））
	{
		//?Bad?pointer!
		UnmapViewOfFile（（LPCVOID）dwPtrOutput）;
		CloseHandle（（HANDLE）hFileMap）;
		return?（205）;
	}
	
	/*
	Steps
??????1）??First?instruction?must?be?EB?01
??????2）??Add?3?to?starting?address?to?skip?the?first?jmp?instruction
	??3）??Next?go?through?each?byte?until?you?encounter?EB?07?instruction
	??????Also?keep?the?count?of?bytes?passed.
??????4）??Next?add?3?to?current?address?to?reach?jmp??instruction
	??5）??api?adresss?=??+?next?instrn?addr?-?count?of?bytes

	*/
	
	BYTE?*taddr?=?（BYTE*）dwToTrace;

	//?First?instruction?must?be?EB?01
	if?（taddr[0]?!=?0xEB?||?taddr[1]?!=?0x01）
	{
		//fputs（“\nThis?is?not?api?redirected?address..returning“?logFile）;
		//fclose（logFile）;
		UnmapViewOfFile（（LPCVOID）dwPtrOutput）;
		CloseHandle（（HANDLE）hFileMap）;

		return?211;		
	}

	taddr?=?taddr?+?3;

	//?Now?go?through?each?byte?until?the?EB?07?instruction?comes
	int?byteCount?=?0;

	while（1）
	{
		if（?taddr[0]?==?0xEB）
		{
			if（?taddr[1]?==?0x07?）
			{
				//fputs（“\nWe?have?got?EB?07“?logFile）;
				break;
			}
			else
			{
				//fputs（“\nGot

?屬性????????????大小?????日期????時間???名稱
-----------?---------??----------?-----??----

?????文件???????1649??2006-05-01?16:39??ImpREC?1.7e\Plugin?Source\PESpin?1.3.04\ReadMe.txt

?????文件??????16966??2003-07-25?02:45??ImpREC?1.7e\Documentation\ReadMe.txt

?????文件??????17909??2010-10-01?23:01??ImpREC?1.7e\History.txt

?????文件????????443??2006-05-29?20:27??ImpREC?1.7e\Plugin\HowTo.txt

?????文件???????3340??2002-04-17?04:51??ImpREC?1.7e\Documentation\Loader.txt

?????文件????????914??2003-07-25?03:08??ImpREC?1.7e\Documentation\News.txt

?????文件????????551??2007-04-15?14:31??ImpREC?1.7e\Plugin\Obsidium?1.3.dll.txt

?????文件????????847??2007-04-15?14:14??ImpREC?1.7e\Plugin\PELock?1.06?（regged）.dll.txt

?????文件???????2145??2002-04-25?06:20??ImpREC?1.7e\Plugin\Plugin.txt

?????文件????????738??2007-04-15?14:15??ImpREC?1.7e\Plugin\PrivateExeProtector?1.8.txt

?????文件???????4237??2002-04-25?14:23??ImpREC?1.7e\Documentation\Tips.txt

?????文件????????422??2008-03-11?14:02??ImpREC?1.7e\ImpREC.ini

?????文件????????197??2007-04-03?09:26??ImpREC?1.7e\Plugin?Source\eXcalibur?1.x\src\BuildDLL.bat

?????文件????????217??2007-03-10?23:06??ImpREC?1.7e\Plugin?Source\tELock?0.92x\Masm\BuildDLL.bat

?????文件????????233??2007-03-10?23:06??ImpREC?1.7e\Plugin?Source\tELock?0.92x\Tasm\BuildDLL.bat

?????文件????????802??2006-05-01?16:39??ImpREC?1.7e\Plugin?Source\PESpin?1.3.04\StdAfx.h

?????文件???????4045??2006-06-17?14:33??ImpREC?1.7e\Plugin?Source\PESpin?1.3.04\PESpinPlugin.cpp

?????文件????????299??2006-05-01?16:39??ImpREC?1.7e\Plugin?Source\PESpin?1.3.04\StdAfx.cpp

?????文件???????2883??2007-03-10?23:06??ImpREC?1.7e\Plugin?Source\tELock?0.92x\VC++\tELock0.92x\tELock.cpp

?????文件???????4153??2007-03-10?23:06??ImpREC?1.7e\Plugin?Source\tELock?0.92x\VC++\tELock0.95\tELock.cpp

?????文件???????3823??2007-04-06?11:32??ImpREC?1.7e\Plugin?Source\eXcalibur?1.x\src\EXC.asm

?????文件???????2353??2006-11-16?22:34??ImpREC?1.7e\Plugin?Source\Morphine?3.3\morphine.Asm

?????文件???????1746??2006-02-12?02:09??ImpREC?1.7e\Plugin?Source\Perplex?1.01\Perplex101.Asm

?????文件???????1946??2006-02-13?00:19??ImpREC?1.7e\Plugin?Source\RLPack?0.7\RLP07.Asm

?????文件???????3821??2007-03-10?23:06??ImpREC?1.7e\Plugin?Source\tELock?0.92x\Tasm\tELock.asm

?????文件???????3866??2007-03-10?23:06??ImpREC?1.7e\Plugin?Source\tELock?0.92x\Masm\tELock.asm

?????文件???????1743??2006-02-13?00:35??ImpREC?1.7e\Plugin?Source\Yoda?1.02\Yoda102.Asm

?????文件?????540160??2010-09-14?19:02??ImpREC?1.7e\ImportREC.exe

?????文件???????3072??2004-06-13?02:20??ImpREC?1.7e\Plugin\ACProtect?#1.dll

?????文件??????14848??2004-05-19?18:31??ImpREC?1.7e\Plugin\ACProtect?#2.dll

............此處省略134個文件信息