看完第一章实践一下:主要功能就是Dump。科普一下:对于dump来说,它的英文翻译就是“转存”,也就是说把内存中或者其他的输入转存到另一个位置。当然对于我们现在说的dump,就是把内存中运行的PE进程的数据从内存中抓取出来,然后再用文件的形式保存下来。
代码如下:
unit Unit1111;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls, TlHelp32;
type
  { Main form of the dumper: lists the running processes in lst1 and, for the
    selected entry, copies its in-memory image to a file chosen in dlgSave1. }
  TForm1 = class(TForm)
    pnl1: TPanel;
    btn1: TButton;          // refreshes lst1 (btn1Click)
    btn2: TButton;          // dumps the process selected in lst1 (btn2Click)
    lst1: TListBox;         // one item per szExeFile from the toolhelp snapshot
    dlgSave1: TSaveDialog;  // destination of the dump; DumpFile presets it to Dump.exe
    procedure btn1Click(Sender: TObject);
    procedure btn2Click(Sender: TObject);
  private
    { Private declarations }
    mypr32: PROCESSENTRY32;  // scratch entry reused by every snapshot walk
    imagesize: Cardinal;     // byte count to copy; written by CheakPE and getsize
    mprocess: Cardinal;      // handle returned by OpenProcess in CheakPE (never closed)
  public
    { Public declarations }
    function GetProccesList(): Boolean;        // fills lst1 from a process snapshot
    function DumProces(): string;              // text of the lst1 item currently selected
    function DumpFile(Name: string): Boolean;  // writes the image of process Name to a file
    function CheakPE(IsPe: string): THandle;   // finds process IsPe, opens it, stores its SizeOfImage in imagesize; returns the PID
    procedure getsize(isize: Cardinal);        // stores isize, padded by a page unless $1000-aligned, in imagesize
  end;
var
  Form1: TForm1;  // global form instance; not referenced anywhere in this unit
implementation
{$R *.dfm}
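{ Returns the text of the lst1 entry the user selected, i.e. the szExeFile
  name that DumpFile/CheakPE will look for.  Returns '' when nothing is
  selected; the original indexed Items[-1] in that case, which raises a
  list-index error instead of reporting "no selection". }
function TForm1.DumProces(): string;
begin
  if lst1.ItemIndex < 0 then
    Result := ''
  else
    Result := lst1.Items[lst1.ItemIndex];
end;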
{ Looks up the process whose szExeFile equals IsPe, opens it with
  PROCESS_VM_READ and reads three PE header fields at the hard-coded image
  base $00400000: e_magic ('MZ'), e_lfanew, and the 4-byte field at NT-header
  offset $50 (OptionalHeader.SizeOfImage for a PE32 image), which is stored
  in the imagesize field.  Returns the PID that matched, or 0 when no entry
  did; side effects: mprocess (the OpenProcess handle) and imagesize.
  NOTE(review): the snapshot handle (mflag) and mprocess are never closed.
  When no entry matches, OpenProcess is still called with PID 0, so the
  following reads fail and the error code is shown in a message box.
  The two-byte reads fill only the low half of the 4-byte WMax, and
  e_lfanew is itself a 4-byte field; the upper bytes keep whatever the
  uninitialised local held. }
function TForm1.CheakPE(IsPe:string) :THandle;
var
  Process:Cardinal;   // PID of the matched entry, 0 until found
  mread:Cardinal;     // offset from the image base that is read next
  mflag:Cardinal ;    // toolhelp snapshot handle
  WMax: DWord;        // read buffer; partly filled by the 2-byte reads
  NTag: DWord;        // bytes actually read (ignored)
  ImageDosHeader : IMAGE_DOS_HEADER;  // used only for SizeOf
  //ImageNtHeaders : IMAGE_NT_HEADERS;
  //ImageSectionHeader: IMAGE_SECTION_HEADER;
begin
  Process:=0;
  //ImageDosHeader:=
  mflag:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) ;
  // NOTE(review): the documented failure value is INVALID_HANDLE_VALUE;
  // comparing the handle with GetLastError() only fires by coincidence.
  if (mflag = GetLastError()) then
  begin
    ExitProcess(Null);   // terminates the whole program; Null is a Variant used as exit code
  end ;
  mypr32.dwSize:=SizeOf(TPROCESSENTRY32);
  // The entry returned by Process32First is never compared; only the
  // entries produced by Process32Next are.  The comparison is case-sensitive.
  if Process32First(mflag,mypr32) then
  begin
    while Process32Next(mflag,mypr32) do
      if mypr32.szExeFile=IsPe then
      begin
        Process:=mypr32.th32ProcessID;
        //ShowMessage(IntToStr(Process));
        Break;
      end;
  end;
  mprocess:= OpenProcess(PROCESS_VM_READ,False,Process);
  //ShowMessage(IntToStr(mprocess));
  // e_magic: 2 bytes at the assumed image base.  The then-branch is empty.
  if (ReadProcessMemory(mprocess, Pointer($00400000), @WMax, 2, NTag)) then
  //ShowMessage('ok')
  else
    ShowMessage(IntToStr(GetLastError()));
  //ShowMessage(Format('%x',[WMax]));
  // SizeOf(IMAGE_DOS_HEADER) - 4 = $3C, the offset of e_lfanew.
  mread:=SizeOf(ImageDosHeader) ;
  mread:=mread-$4 ;
  // The commented-out lines make the next two 'then's nest: mread becomes
  // e_lfanew only if e_magic was 'MZ' and the read succeeded.
  if (WMax = $5A4D) then
  // ShowMessage(Format('%x',[WMax]));
  if (ReadProcessMemory(mprocess, Pointer($00400000+mread),@WMax, 2, NTag))
  then
  //ShowMessage(Format('%x',[WMax]));
  mread:=WMax;
  // Reads the NT signature; the body of the 'PE' check below is empty,
  // so a mismatch changes nothing.
  if (ReadProcessMemory(mprocess, Pointer($00400000+mread),@WMax, 2, NTag))
  then
  //ShowMessage(Format('%x',[WMax]));
  if (WMax = $4550) then
  begin
  //ShowMessage(Format('%x',[WMax]));
  end;
  // NT header + $50 = OptionalHeader.SizeOfImage (PE32); a full 4-byte read.
  mread:=mread+$50;
  if (ReadProcessMemory(mprocess, Pointer($00400000+mread),@WMax, 4, NTag))
  then
  //ShowMessage(Format('%x',[WMax]));
  imagesize:=WMax;
  Result:=Process ;
end;
{ Writes the memory of the process named Name, from $00400000 for imagesize
  bytes, to the file chosen in dlgSave1 (preset to Dump.exe).  Always returns
  True, even when CheakPE found no process.  Depends on CheakPE having set
  mprocess and imagesize.
  NOTE(review): the bytes that reach the file are not the target's memory.
  GlobalAlloc is given SizeOf(imagesize) = 4 bytes, not imagesize bytes; each
  word read from the target is then written back with WriteProcessMemory into
  the target itself (mbi_thunk.AllocationBase is refilled by VirtualQueryEx on
  every pass, and mprocess only has PROCESS_VM_READ), never into the local
  buffer; and WriteFile receives the variable oldG as its untyped buffer, so
  the file holds the successive values of oldG (the GlobalAlloc result
  counting up by 4) rather than the bytes at that address.
  Resource handling: mprocess is never closed; GlobalFree is reached only on
  cancel and is given the advanced Gall instead of the handle GlobalAlloc
  returned; dlgSave1.Free destroys a form-owned component that the next click
  will use again. }
function TForm1.DumpFile (Name:string):Boolean ;
var
  writeDW,oldG,Gall:Cardinal;          // bytes written; start and running address of the buffer
  SI: TSystemInfo;                     // filled by GetSystemInfo, then unused
  mbi_thunk:TMemoryBasicInformation;   // VirtualQueryEx result for the current address
  WMax,NTag:Cardinal;                  // 4-byte read buffer; byte count (ignored)
  resize:DWord;                        // always 0
  hndl2:Cardinal;                      // output file handle
  adder,adder1:Cardinal;               // target-address cursors of the two loops
begin
  resize:=0;
  // CheakPE returns the PID, so 0 means "no such process" and nothing is done.
  if CheakPE(Name)>0 then
  begin
    GetSystemInfo(SI);
    //ShowMessage(IntToStr(SI.dwAllocationGranularity) );
    // SizeOf(imagesize) is the size of the Cardinal field (4), not its value.
    Gall:=GlobalAlloc(GMEM_FIXED,SizeOf(imagesize));
    oldG:=Gall;
    adder:=$00400000;
    // These fields are overwritten by VirtualQueryEx below unless that call fails.
    mbi_thunk.AllocationBase:=Pointer(Gall) ;
    mbi_thunk.RegionSize:=resize;
    mbi_thunk.BaseAddress:=Pointer($00400000);
    //mbi_thunk.AllocationProtect=PAGE_READWRITE;
    // mbi_thunk.State=MEM_FREE;
    // Walks the image 4 bytes at a time; the VirtualQueryEx result is not checked.
    while ((adder-$00400000)<=imagesize) do
    begin
      VirtualQueryEx(mprocess,Pointer(adder),mbi_thunk,sizeof(TMemoryBasicInformation));
      // A PAGE_READWRITE region terminates the whole program rather than being skipped.
      if mbi_thunk.Protect=PAGE_READWRITE then
        ExitProcess(0)
      else
        ReadProcessMemory(mprocess, Pointer(adder),@WMax, 4, NTag);
      // Targets the other process, not the GlobalAlloc buffer.
      WriteProcessMemory(mprocess, mbi_thunk.AllocationBase,@WMax, 4, NTag);
      adder:=adder+$4;
      Gall:=Gall+$4 ;
      mbi_thunk.AllocationBase:=Pointer(Gall);
    end;
    //ShowMessage('save file');
    dlgSave1.Filter :='*.exe';
    dlgSave1.filename :='Dump.exe';
    adder1:=$00400000;
    if dlgSave1.Execute then
    begin
      hndl2:=CreateFile(pchar(dlgSave1.filename),GENERIC_WRITE or GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,nil,
        CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
      if hndl2 =INVALID_HANDLE_VALUE then
        ExitProcess(0)
      else
      //ShowMessage(IntToStr(GetLastError()));
      // Because the line above is a comment, this loop is the else branch.
      // oldG is passed as the untyped const Buffer, so its own 4-byte value is written.
      while (adder1-$00400000)<= imagesize do
      begin
        //ReadFile(hndl2,oldG,4,writeDW,nil);
        WriteFile(hndl2,oldG,4,writeDW,nil);
        oldG:=oldG+$4;
        adder1:=adder1+$4;
      end;
      CloseHandle(hndl2);
    end
    else
      GlobalFree(Gall);
    dlgSave1.Free;
  end;
  Result:=True;
end;
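{ Fills lst1 with one entry (szExeFile) per process in a fresh toolhelp
  snapshot.  Returns False, leaving lst1 untouched, when the snapshot cannot
  be created; True otherwise.  Side effect: mypr32 holds the last entry
  walked.
  Changes from the original: the failure value of CreateToolhelp32Snapshot
  is INVALID_HANDLE_VALUE (the old code compared the handle with
  GetLastError and called ExitProcess on a match); the entry returned by
  Process32First is listed instead of being skipped; the snapshot handle is
  closed, where it was previously leaked on every refresh. }
function TForm1.GetProccesList(): Boolean;
var
  snap: THandle;
begin
  Result := False;
  snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if snap = INVALID_HANDLE_VALUE then
    Exit;
  try
    mypr32.dwSize := SizeOf(TPROCESSENTRY32);
    // repeat..until so the first entry is listed together with the rest.
    if Process32First(snap, mypr32) then
      repeat
        lst1.Items.Add(mypr32.szExeFile);
      until not Process32Next(snap, mypr32);
    Result := True;
  finally
    CloseHandle(snap);
  end;
end;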
{ Refresh button: discards the current list and repopulates it from a new
  process snapshot.  The Boolean result of GetProccesList is not used. }
procedure TForm1.btn1Click(Sender: TObject);
begin
  lst1.Clear;
  GetProccesList;
end;
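{ Stores isize rounded up to the next multiple of $1000 in imagesize; an
  isize that is already a multiple is stored unchanged.
  The original computed Trunc((isize/sum + 1) * sum) in floating point,
  which adds a whole $1000 instead of rounding up (4097 became 8193, not
  8192); integer arithmetic yields the intended boundary.  Inputs within
  $1000 of High(Cardinal) wrap, as they did before. }
procedure TForm1.getsize(isize: Cardinal);
const
  Granularity = $1000;
begin
  if (isize mod Granularity) = 0 then
    imagesize := isize
  else
    imagesize := (isize div Granularity + 1) * Granularity;
end;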
{ Dump button: takes the selected process name, calls getsize and DumpFile.
  NOTE(review): getsize is applied to the imagesize left over from the
  previous click (0 on the first one), and DumpFile -> CheakPE then
  overwrites imagesize with the raw value read from the target, so the
  rounding never affects the copy loop.  The result of DumpFile is ignored,
  and with nothing selected DumProces indexes Items[-1]. }
procedure TForm1.btn2Click(Sender: TObject);
var
  restr:string;   // szExeFile of the selected entry
begin
  restr:=DumProces();
  //MessageBox(Handle,PAnsiChar(restr),'',0);
  getsize(imagesize);
  DumpFile(restr);
end;
end.
最后说一下,写得比较烂、不太好用,因为懒得调试!最近又在搞别的东西,有空的话再搞一下。