Indy
Thx`s.
Thx`s.
; (c) Flint_ta, wasm.ru
; (c) Little mod by Chococream.
; - Writing export of each dll in current directory to "api.txt".
; - Writing parsed export(preg: "callback") of each dll in current directory to "callback.txt".
; *.09.2011
.686
.model flat, stdcall
option casemap :none
; NOTE(review): the Win32 constants used further down (GENERIC_READ, PAGE_READWRITE,
; SEC_IMAGE, MEM_COMMIT, ...) live in \MASM32\INCLUDE\windows.inc, which is not in
; this include list -- confirm it is included ahead of these lines.
include \MASM32\INCLUDE\ntdll.inc
includelib \MASM32\LIB\ntdll.lib
include \MASM32\INCLUDE\kernel32.inc
includelib \MASM32\LIB\kernel32.lib
include \MASM32\INCLUDE\user32.inc
includelib \MASM32\LIB\user32.lib
include \MASM32\INCLUDE\msvcrt.inc
includelib \MASM32\LIB\msvcrt.lib
.data
filter db "*.dll", 0; FindFirstFile pattern: every DLL in the current directory
spisok db "api.txt", 0; every export name found is appended to this file
subj db "callback", 0; the substring searched for (buff is lower-cased before the search)
subj2 db "callback.txt", 0; file receiving the export names that contain subj
perenos db 00dh,00ah, 000h; CR LF written after every name (2 bytes are written)
.data?
; each 4-byte cell below is a DWORD declared as bytes; the code always accesses it with dword ptr
handle db 4 dup (?); FindFirstFile search handle
hfile db 4 dup (?); current DLL (getapi) / callback.txt (findsubj)
hfile2 db 4 dup (?); api.txt: written by getapi, read back by findsubj
sfile db 4 dup (?); size of api.txt (GetFileSize)
hMapping db 4 dup (?); SEC_IMAGE file-mapping object of the current DLL
pamat db 4 dup (?); mapped view of the DLL (getapi) / read buffer of api.txt (findsubj)
prochitali db 4 dup (?); lpNumberOfBytes* out-parameter of ReadFile/WriteFile
PE db 4 dup (?); pointer to the PE header (view base + e_lfanew)
ExportTableaddress db 4 dup (?); DataDirectory[EXPORT].VirtualAddress (PE+78h)
ExportTablesize db 4 dup (?); DataDirectory[EXPORT].Size (PE+7Ch)
ExportDirectoryTable db 4 dup (?); pointer to IMAGE_EXPORT_DIRECTORY
NumofNamePointers db 4 dup (?); IMAGE_EXPORT_DIRECTORY.NumberOfNames (+18h)
NamePointersRVA db 4 dup (?); IMAGE_EXPORT_DIRECTORY.AddressOfNames (+20h), advanced by 4 per name
pos db 4 dup (?); findsubj: start of the line being parsed
buff db 200h dup (?); one line of api.txt; lower-cased in place by poisk_i_zapis
buff2 db 200h dup (?); copy of buff in its original case
WIN32_FIND_DATA2 db WIN32_FIND_DATA dup (?); sizeof(WIN32_FIND_DATA) bytes; cFileName is at +2Ch
.code
writefuncname proc
;-----------------------------------------------------------------------
; Append the NUL-terminated string at eax to hfile2, followed by CR LF.
; In:    eax = pointer to the name (inside the mapped image)
;        hfile2 = open handle of the list file
; Out:   nothing; WriteFile results are not checked
; Regs:  all preserved (pushad/popad)
;-----------------------------------------------------------------------
        pushad
        mov     esi, eax                ; keep the name pointer across lstrlen
        invoke  lstrlen, esi
        invoke  WriteFile, dword ptr [hfile2], esi, eax, offset prochitali, 0
        invoke  WriteFile, dword ptr [hfile2], offset perenos, 2, offset prochitali, 0
        popad
        ret
writefuncname endp
poisk_i_zapis proc
;-----------------------------------------------------------------------
; If the line in buff contains subj (case-insensitive), append the line
; in its original case to hfile, followed by CR LF.
; In:    buff = NUL-terminated line; hfile = open handle of callback.txt
; Out:   nothing. buff is lower-cased in place; buff2 receives a copy of
;        buff in the original case.
; Regs:  all preserved (pushad/popad)
;-----------------------------------------------------------------------
        pushad
        invoke  RtlZeroMemory, offset buff2, 200h
        invoke  lstrlen, offset buff
        mov     esi, offset buff
        mov     edi, offset buff2
        mov     ecx, eax                ; ecx = strlen(buff)
        rep     movsb                   ; buff2 = buff (original case)
        invoke  crt__strlwr, offset buff
        invoke  crt_strstr, offset buff, offset subj
        test    eax, eax
        jz      not_found
        invoke  lstrlen, offset buff2
        invoke  WriteFile, dword ptr [hfile], offset buff2, eax, offset prochitali, 0
        invoke  WriteFile, dword ptr [hfile], offset perenos, 2, offset prochitali, 0
not_found:
        popad
        ret
poisk_i_zapis endp
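getapi proc
;-----------------------------------------------------------------------
; void getapi(void)
; Open the DLL named in WIN32_FIND_DATA2.cFileName (offset 2Ch), map it
; as an image and append every symbol exported by name to hfile2, one
; name per line (via writefuncname).
; In:    WIN32_FIND_DATA2.cFileName = file name from FindFirst/NextFile
;        hfile2 = open handle of the list file
; Out:   nothing. A file that cannot be opened or mapped, is not a PE32
;        image, or has no export-by-name table is skipped silently.
; Regs:  ebx = SizeOfImage (bound for every RVA taken from the file),
;        ecx = names still to write, eax = current name (writefuncname arg).
;        ebx is saved/restored; eax/ecx/edx are clobbered.
; Notes: the DLL is opened and mapped read-only -- nothing is written to
;        it, and a read-only file no longer makes the mapping fail.
;        SEC_IMAGE lays the sections out at their RVAs, so RVA + pamat is
;        a usable pointer. Every RVA read from the file is checked against
;        SizeOfImage before it is dereferenced, because any file in the
;        directory is an input here. Offsets 78h/7Ch are PE32-only, hence
;        the Magic check. e_lfanew itself is trusted: as far as I know the
;        kernel rejects a SEC_IMAGE mapping whose DOS/PE headers are invalid.
;        A mapping that fails leaves [pamat] holding the previous DLL's
;        (already unmapped) view, so that path must not reach UnmapViewOfFile.
;-----------------------------------------------------------------------
        push    ebx
        invoke  CreateFile, offset WIN32_FIND_DATA2+2Ch, GENERIC_READ, FILE_SHARE_READ+FILE_SHARE_WRITE,\
                0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
        cmp     eax, -1                 ; INVALID_HANDLE_VALUE
        jz      done
        mov     dword ptr [hfile], eax
        ; create the "file mapping" object with image layout, read-only
        invoke  CreateFileMappingA, dword ptr [hfile], 0, PAGE_READONLY or SEC_IMAGE, 0, 0, 0
        mov     dword ptr [hMapping], eax
        test    eax, eax
        jz      close_file              ; nothing mapped: do not unmap a stale [pamat]
        ; map the image into our address space
        invoke  MapViewOfFile, dword ptr [hMapping], FILE_MAP_READ, 0, 0, 0
        mov     dword ptr [pamat], eax
        invoke  CloseHandle, dword ptr [hMapping]
        mov     eax, dword ptr [pamat]
        test    eax, eax
        jz      close_file              ; MapViewOfFile failed
        ; DOS header: e_magic must be 'MZ'; e_lfanew (3Ch) -> PE header
        cmp     word ptr [eax], 5A4Dh
        jnz     err
        mov     ecx, dword ptr [eax + 3Ch]
        add     ecx, eax
        mov     dword ptr [PE], ecx
        cmp     dword ptr [ecx], 00004550h      ; 'PE\0\0'
        jnz     err
        cmp     word ptr [ecx + 18h], 10Bh      ; OptionalHeader.Magic: PE32 only
        jnz     err
        mov     ebx, dword ptr [ecx + 50h]      ; ebx = SizeOfImage
        mov     eax, dword ptr [ecx + 78h]      ; DataDirectory[EXPORT].VirtualAddress
        mov     dword ptr [ExportTableaddress], eax
        mov     eax, dword ptr [ecx + 7Ch]      ; DataDirectory[EXPORT].Size
        mov     dword ptr [ExportTablesize], eax
        test    eax, eax
        jz      err                             ; no export directory
        mov     eax, dword ptr [ExportTableaddress]
        test    eax, eax
        jz      err
        ; the 28h-byte IMAGE_EXPORT_DIRECTORY must lie inside the image
        add     eax, 28h
        jc      err
        cmp     eax, ebx
        ja      err
        sub     eax, 28h
        add     eax, dword ptr [pamat]
        mov     dword ptr [ExportDirectoryTable], eax
        mov     ecx, dword ptr [eax + 18h]      ; NumberOfNames
        test    ecx, ecx
        jz      err                             ; nothing exported by name
        mov     dword ptr [NumofNamePointers], ecx
        mov     edx, dword ptr [eax + 20h]      ; AddressOfNames: RVA of the name-pointer table
        mov     dword ptr [NamePointersRVA], edx
        ; the whole table (NumberOfNames * 4 bytes) must lie inside the image
        test    ecx, 0C0000000h
        jnz     err                             ; count so large that *4 would wrap
        mov     eax, ecx
        shl     eax, 2
        add     eax, edx
        jc      err
        cmp     eax, ebx
        ja      err
cicl:
        mov     eax, dword ptr [pamat]
        add     eax, dword ptr [NamePointersRVA]
        add     dword ptr [NamePointersRVA], 4
        mov     eax, dword ptr [eax]            ; eax = RVA of the name string
        cmp     eax, ebx
        jae     next_name                       ; name outside the image: skip it
        add     eax, dword ptr [pamat]          ; eax = pointer to the name
        ; the string is only known to start inside the image; writefuncname's
        ; lstrlen still relies on a NUL before the end of the mapped view
        invoke  writefuncname
next_name:
        dec     ecx
        jnz     cicl
;-------------------------------------
err:
        invoke  UnmapViewOfFile, dword ptr [pamat]
close_file:
        invoke  CloseHandle, dword ptr [hfile]
done:
        pop     ebx
        ret
getapi endp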
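findsubj proc
;-----------------------------------------------------------------------
; void findsubj(void)
; Create callback.txt, read api.txt back into memory and hand it to
; poisk_i_zapis one line at a time; matching lines end up in callback.txt.
; In:    spisok / subj2 = file names; buff = 200h-byte line buffer
; Out:   nothing. A missing or empty api.txt, or an allocation failure,
;        leaves callback.txt empty.
; Regs:  ebx = end of the data read (pamat + bytes read), esi = parse
;        cursor, edi = start of the current line; all three are
;        saved/restored. eax/ecx/edx are clobbered.
; Notes: the read buffer is PAGE_READWRITE -- it only holds text and has
;        no reason to be executable. api.txt is opened read-only. The
;        parser never runs past the bytes actually read (a last line
;        without CR LF is still processed) and a line longer than 1FFh
;        bytes is truncated so buff keeps its terminating NUL.
;-----------------------------------------------------------------------
        push    ebx
        push    esi
        push    edi
        invoke  CreateFile, offset subj2, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ+FILE_SHARE_WRITE,\
                0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
        mov     dword ptr [hfile], eax
        invoke  CreateFile, offset spisok, GENERIC_READ, FILE_SHARE_READ+FILE_SHARE_WRITE,\
                0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
        cmp     eax, -1                 ; INVALID_HANDLE_VALUE
        jz      close_out
        mov     dword ptr [hfile2], eax
        invoke  GetFileSize, dword ptr [hfile2], 0
        mov     dword ptr [sfile], eax
        test    eax, eax
        jz      close_in                ; empty list: nothing to parse
        cmp     eax, -1
        jz      close_in                ; INVALID_FILE_SIZE
        invoke  VirtualAlloc, 0, dword ptr [sfile], MEM_COMMIT+MEM_RESERVE, PAGE_READWRITE
        mov     dword ptr [pamat], eax
        test    eax, eax
        jz      close_in
        mov     dword ptr [prochitali], 0       ; no stale count if ReadFile fails
        invoke  ReadFile, dword ptr [hfile2], dword ptr [pamat], dword ptr [sfile], offset prochitali, 0
        invoke  CloseHandle, dword ptr [hfile2]
        mov     esi, dword ptr [pamat]          ; esi = parse cursor
        mov     ebx, esi
        add     ebx, dword ptr [prochitali]     ; ebx = one past the last byte read
next_line:
        cmp     esi, ebx
        jae     free_buf                        ; everything consumed
        invoke  RtlZeroMemory, offset buff, 200h
        mov     edi, esi                        ; edi = start of this line
scan_cr:
        cmp     esi, ebx
        jae     line_end                        ; last line has no CR
        lodsb
        cmp     al, 00dh
        jnz     scan_cr
        dec     esi                             ; esi -> the CR
line_end:
        mov     ecx, esi
        sub     ecx, edi                        ; ecx = line length without CR
        cmp     ecx, 1FFh
        jbe     copy_line
        mov     ecx, 1FFh                       ; truncate: buff is 200h bytes incl. NUL
copy_line:
        push    esi
        mov     esi, edi
        mov     edi, offset buff
        rep     movsb                           ; buff = line
        pop     esi
        invoke  poisk_i_zapis
        ; step over the terminator; CR and LF may each be missing at end of file
        cmp     esi, ebx
        jae     next_line
        cmp     byte ptr [esi], 00dh
        jnz     skip_lf
        inc     esi
skip_lf:
        cmp     esi, ebx
        jae     next_line
        cmp     byte ptr [esi], 00ah
        jnz     next_line
        inc     esi
        jmp     next_line
free_buf:
        invoke  VirtualFree, dword ptr [pamat], 0, MEM_RELEASE
        jmp     close_out
close_in:
        invoke  CloseHandle, dword ptr [hfile2]
close_out:
        invoke  CloseHandle, dword ptr [hfile]
        pop     edi
        pop     esi
        pop     ebx
        ret
findsubj endp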
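start:
;-----------------------------------------------------------------------
; Entry point. Create api.txt, walk every *.dll in the current directory
; and dump its export names into it (getapi), then derive callback.txt
; from api.txt (findsubj). Never returns: ends in ExitProcess.
; Notes: a directory is recognised by testing the FILE_ATTRIBUTE_DIRECTORY
;        bit of dwFileAttributes; the old "low byte >> 4 == 1" test missed
;        directories that also carry bits >= 20h. FindFirstFile and the
;        CreateFile of api.txt are checked for INVALID_HANDLE_VALUE.
;-----------------------------------------------------------------------
        invoke  CreateFile, offset spisok, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ+FILE_SHARE_WRITE,\
                0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
        cmp     eax, -1                 ; INVALID_HANDLE_VALUE
        jz      quit                    ; cannot create the list file: nothing to do
        mov     dword ptr [hfile2], eax
        invoke  FindFirstFile, offset filter, offset WIN32_FIND_DATA2
        mov     dword ptr [handle], eax
        cmp     eax, -1
        jz      no_dlls                 ; no *.dll here (or FindFirstFile failed)
        jmp     firstfile
cicle:
        invoke  FindNextFile, dword ptr [handle], offset WIN32_FIND_DATA2
        test    eax, eax
        jz      vse
firstfile:
        ; skip directories whose name matches *.dll
        test    dword ptr [WIN32_FIND_DATA2], FILE_ATTRIBUTE_DIRECTORY
        jnz     cicle
        invoke  getapi
        jmp     cicle
vse:
        invoke  FindClose, dword ptr [handle]
no_dlls:
        invoke  CloseHandle, dword ptr [hfile2]
        invoke  findsubj
quit:
        invoke  ExitProcess, 0
end start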