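;===========================================================================
; Syntax: MASM (Intel operand order), target: x86-32 Win32, ABI: stdcall.
; Callee-saved under stdcall: ebx, esi, edi, ebp.  eax/ecx/edx are volatile.
;
; Globals referenced below but defined elsewhere in this file (not visible
; here): hList, hMenu, hwndDlg, HWNDParent, hInstance, hFile, hMapping,
; pMapping, ImageBase, ValidPE, SizeSortOrder, FileNameSortOrder, ofn,
; buffer, Buffer, langage, Heading1/Heading1A/Heading2/Heading3,
; formatChar, formatHexa, nombreHChar, FilterString, CheminFichier,
; AppName, the File*Error strings, ListViewClassName, the SEH struct and
; SEHHandler, RVAToOffset and Hexa2Char.
;
; Security note: everything read through pMapping comes from the file the
; user picked (an untrusted PE).  RVAs and thunk values are used as offsets
; without being checked against the size of the mapping; a fault is only
; caught where a SEH frame is installed (FindIAT's header check and the
; per-thunk loop in ShowTheFunctions).
;===========================================================================

COLUMN_WIDTH        equ 150             ; width of each report-view column, in pixels
LANG_FRENCH_FRANCE  equ 40Ch            ; LANGID fr-FR; selects Heading1 vs Heading1A
PITIT_TAG_OFFSET    equ 0Bh             ; a ".pitit" section carries "Kern" at this offset
PITIT_TAG           equ 06E72654Bh      ; "Kern" read as a little-endian dword
PITIT_TABLE_OFFSET  equ 245h            ; first "DLLD" record inside a .pitit section

;---------------------------------------------------------------------------
; RGB red, green, blue
; Builds a COLORREF in eax: 0x00BBGGRR (blue bits 16-23, green 8-15, red 0-7).
; Clobb: eax, flags
;---------------------------------------------------------------------------
RGB macro red,green,blue
        xor     eax, eax
        mov     ah, blue                        ; eax = blue << 8
        shl     eax, 8                          ; eax = blue << 16
        mov     ah, green                       ; eax |= green << 8
        mov     al, red                         ; eax |= red
endm

;---------------------------------------------------------------------------
; InsertColumn
; Adds the three report-view columns to hList: column 0 (heading localised
; via `langage`, left-aligned), columns 1 and 2 (right-aligned).
; In:    globals hList, Heading1/Heading1A/Heading2/Heading3, langage
; Out:   eax = result of the last LVM_INSERTCOLUMN
; Clobb: eax, ecx, edx, flags
;---------------------------------------------------------------------------
InsertColumn proc
        LOCAL lvc:LV_COLUMN

        ; column 0: function name
        mov     lvc.imask, LVCF_TEXT+LVCF_WIDTH
        mov     lvc.pszText, offset Heading1
        .if langage != LANG_FRENCH_FRANCE
            mov     lvc.pszText, offset Heading1A
        .endif
        mov     lvc.lx, COLUMN_WIDTH
        invoke  SendMessage, hList, LVM_INSERTCOLUMN, 0, addr lvc

        ; column 1: call-site address text, right-aligned
        or      lvc.imask, LVCF_FMT
        mov     lvc.fmt, LVCFMT_RIGHT
        mov     lvc.pszText, offset Heading2
        mov     lvc.lx, COLUMN_WIDTH
        invoke  SendMessage, hList, LVM_INSERTCOLUMN, 1, addr lvc

        ; column 2: DLL name, right-aligned
        or      lvc.imask, LVCF_FMT
        mov     lvc.fmt, LVCFMT_RIGHT
        mov     lvc.pszText, offset Heading3
        mov     lvc.lx, COLUMN_WIDTH
        invoke  SendMessage, hList, LVM_INSERTCOLUMN, 2, addr lvc
        ret
InsertColumn endp

;---------------------------------------------------------------------------
; RemplirListView(row, addrNomFonction, addrCall, addrDLL)
; Inserts one row into hList at index `row` and fills its three columns:
;   0 = function name, 1 = call-site address text, 2 = DLL name.
; The row's lParam is set to `row`; CompareFunc and UpdatelParam rely on
; lParam being the item index.
; In:    row             item index (every caller on this page passes 0)
;        addrNomFonction -> NUL-terminated text for column 0
;        addrCall        -> NUL-terminated text for column 1
;        addrDLL         -> NUL-terminated text for column 2
; Out:   eax = result of the last LVM_SETITEM
; Clobb: eax, ecx, edx, flags (edi preserved via `uses`)
; Fix:   the original issued a second LVM_INSERTITEM with iSubItem = 1 between
;        the two LVM_SETITEMs; the list view rejects inserts with a non-zero
;        iSubItem, so the call was a stray no-op at best and a duplicate row
;        at worst.  One insert, then two sub-item updates.
;---------------------------------------------------------------------------
RemplirListView proc uses edi row:DWORD, addrNomFonction:DWORD, addrCall:DWORD, addrDLL:DWORD
        LOCAL lvi:LV_ITEM

        ; column 0 creates the item itself
        mov     lvi.imask, LVIF_TEXT+LVIF_PARAM
        push    row
        pop     lvi.iItem
        mov     lvi.iSubItem, 0
        mov     eax, addrNomFonction
        mov     lvi.pszText, eax
        push    row
        pop     lvi.lParam
        invoke  SendMessage, hList, LVM_INSERTITEM, 0, addr lvi

        ; column 1: call-site address text
        mov     lvi.imask, LVIF_TEXT
        inc     lvi.iSubItem
        mov     eax, addrCall
        mov     lvi.pszText, eax
        invoke  SendMessage, hList, LVM_SETITEM, 0, addr lvi

        ; column 2: parent DLL name
        inc     lvi.iSubItem
        mov     eax, addrDLL
        mov     lvi.pszText, eax
        invoke  SendMessage, hList, LVM_SETITEM, 0, addr lvi
        ret
RemplirListView endp

;---------------------------------------------------------------------------
; ShowTheFunctions(pNTHdr)
; Walks the import directory of the mapped PE and adds one row per imported
; function: name (or "N°xxh (ordinal)"), the virtual address of its IAT slot
; (FirstThunk + ImageBase + slot offset) and the DLL name.  Then scans the
; section table for a ".pitit" section (bytes "Kern" at PITIT_TAG_OFFSET),
; lists its three fixed entries and hands it to NouvellesFonctions.
; In:    pNTHdr -> IMAGE_NT_HEADERS inside the mapping; globals pMapping, ImageBase
; Out:   nothing meaningful in eax
; Clobb: eax, ecx, edx, flags (ebx/ecx/esi/edi restored via `uses`)
; Fix:   edi is clobbered throughout but was missing from the `uses` list.
; Notes: RVAToOffset results, thunk values and the fixed .pitit offsets are
;        file-controlled and are not checked against the size of the
;        mapping; only the per-thunk loop runs under the SEH frame.
;---------------------------------------------------------------------------
ShowTheFunctions proc uses esi edi ecx ebx pNTHdr:DWORD
        LOCAL seh:SEH
        LOCAL temp[50]:BYTE
        LOCAL temp2[50]:BYTE
        LOCAL FirstThunk:DWORD
        LOCAL addrDLL:DWORD
        LOCAL deplacementFirstThunk:DWORD
        LOCAL debutSection:DWORD

        jmp     data@7                          ; hop over the read-only strings kept in .text
NO          db "N°",0
NORDI       db "h (ordinal)",0
Trai        db "------------------------------------",0
TraiIAT     db "--------------- IAT ---------------",0
TraiLoader  db "------------ LOADER ------------",0
data@7:
        ;invoke SetDlgItemText,hDlg,IDC_EDIT,0
        ;invoke AppendText,hDlg,addr buffer
        mov     edi, pNTHdr
        assume  edi:ptr IMAGE_NT_HEADERS
        mov     eax, [edi].OptionalHeader.ImageBase
        mov     ImageBase, eax
        ; DataDirectory[1] is the import directory
        mov     eax, [edi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
        invoke  RVAToOffset, pMapping, eax
        mov     edi, eax
        add     edi, pMapping
        assume  edi:ptr IMAGE_IMPORT_DESCRIPTOR

        ; the descriptor table ends with an all-zero entry
        .while !([edi].OriginalFirstThunk==0 && [edi].TimeDateStamp==0 && [edi].ForwarderChain==0 && [edi].Name1==0 && [edi].FirstThunk==0)
            invoke  RVAToOffset, pMapping, [edi].Name1
            mov     edx, eax
            add     edx, pMapping
            mov     addrDLL, edx                ; -> DLL name inside the mapping
            ;invoke wsprintf, addr temp, addr IDTemplate,[edi].OriginalFirstThunk,[edi].TimeDateStamp,[edi].ForwarderChain,edx,[edi].FirstThunk

            ; prefer the IAT (FirstThunk); fall back to the INT when it is zero
            .if [edi].FirstThunk != 0
                mov     esi, [edi].FirstThunk
            .else
                mov     esi, [edi].OriginalFirstThunk
            .endif
            mov     FirstThunk, esi
            invoke  RVAToOffset, pMapping, esi
            add     eax, pMapping
            mov     esi, eax                    ; esi -> current thunk entry
            mov     deplacementFirstThunk, 0    ; byte offset of that entry within the thunk array

            .while dword ptr [esi] != 0
                ; SEH frame around the per-thunk work: a fault resumes at
                ; _FinalExit0 with esp/ebp restored by SEHHandler
                assume  fs:nothing
                push    fs:[0]
                pop     seh.PrevLink
                mov     seh.CurrentHandler, offset SEHHandler
                mov     seh.SafeOffset, offset _FinalExit0
                lea     eax, seh
                mov     fs:[0], eax
                mov     seh.PrevEsp, esp
                mov     seh.PrevEbp, ebp

                test    dword ptr [esi], IMAGE_ORDINAL_FLAG32
                jnz     ImportByOrdinal

                ; ---- import by name ----
                invoke  RVAToOffset, pMapping, dword ptr [esi]
                mov     edx, eax
                add     edx, pMapping
                assume  edx:ptr IMAGE_IMPORT_BY_NAME
                ;invoke wsprintf,addr temp,addr NameTemplate,ecx,addr [edx].Name1
                ; NOTE(review): wsprintf is not told sizeof temp (50); an import
                ; name of 50 or more characters overflows this stack buffer.
                ; formatChar is not visible here, so a bounded copy is not
                ; substituted — confirm the format and switch to a length-
                ; limited copy.
                invoke  wsprintf, addr temp, addr formatChar, addr [edx].Name1
                mov     eax, FirstThunk
                add     eax, ImageBase
                add     eax, deplacementFirstThunk  ; eax = VA of this IAT slot
                add     deplacementFirstThunk, 4
                invoke  wsprintf, addr temp2, addr formatHexa, eax
                xor     eax, eax                    ; row 0
                lea     ebx, temp                   ; ebx -> function name
                lea     ecx, temp2                  ; ecx -> "call dword ptr [...]" address text
                invoke  RemplirListView, eax, ebx, ecx, addrDLL
                jmp     ShowTheText

ImportByOrdinal:
                ; ---- import by ordinal: low 16 bits of the thunk ----
                mov     edx, dword ptr [esi]
                and     edx, 0FFFFh
                invoke  lstrcpy, addr temp, addr NO             ; temp = "N°"
                invoke  Hexa2Char, edx
                invoke  lstrcat, addr temp, addr nombreHChar    ; temp = "N°1E"
                invoke  lstrcat, addr temp, addr NORDI          ; temp = "N°1Eh (ordinal)"
                mov     eax, FirstThunk
                add     eax, ImageBase
                add     eax, deplacementFirstThunk  ; eax = VA of this IAT slot
                add     deplacementFirstThunk, 4
                invoke  wsprintf, addr temp2, addr formatHexa, eax
                lea     ecx, temp2                  ; ecx -> address text
                invoke  RemplirListView, 0, addr temp, ecx, addrDLL
                ;invoke wsprintf,addr temp,addr OrdinalTemplate,edx

ShowTheText:
_FinalExit0:                                        ; SEH landing pad: unlink the frame
                push    seh.PrevLink
                pop     fs:[0]
                add     esi, 4
            .endw
            add     edi, sizeof IMAGE_IMPORT_DESCRIPTOR
        .endw

        ;---------------- list the entries of the ".pitit" section ----------------
        mov     edi, pMapping
        assume  edi:ptr IMAGE_DOS_HEADER
        add     edi, [edi].e_lfanew
        assume  edi:ptr IMAGE_NT_HEADERS
        movzx   ebx, [edi].FileHeader.NumberOfSections
        mov     eax, [edi].OptionalHeader.ImageBase
        mov     ImageBase, eax
        add     edi, sizeof IMAGE_NT_HEADERS
        assume  edi:ptr IMAGE_SECTION_HEADER
        invoke  RemplirListView, 0, addr Trai, addr TraiIAT, addr Trai
        .while ebx >= 1
            push    ebx                             ; ebx = sections left; reused as scratch below
            invoke  RVAToOffset, pMapping, [edi].VirtualAddress
            add     eax, pMapping
            mov     debutSection, eax               ; -> raw start of this section
            add     eax, PITIT_TAG_OFFSET
            cmp     dword ptr [eax], PITIT_TAG
            jne     pasdesection_pitit

            ; Three fixed entries follow the tag.  Column 2 shows the text at
            ; the tag itself; names sit at tag+13, section+25h and section+34h,
            ; their VAs at section VA + 45h / 49h / 4Dh.
            mov     addrDLL, eax                    ; -> "Kern..." text, reused as the DLL column
            mov     ebx, eax
            add     ebx, 13
            mov     ecx, [edi].VirtualAddress
            add     ecx, ImageBase
            add     ecx, 45h                        ; ecx = VA of the first slot
            invoke  wsprintf, addr Buffer, addr formatHexa, ecx
            invoke  RemplirListView, 0, ebx, addr Buffer, addrDLL

            mov     ebx, debutSection
            add     ebx, 25h
            mov     ecx, [edi].VirtualAddress
            add     ecx, ImageBase
            add     ecx, 49h                        ; ecx = VA of the second slot
            invoke  wsprintf, addr Buffer, addr formatHexa, ecx
            invoke  RemplirListView, 0, ebx, addr Buffer, addrDLL

            mov     ebx, debutSection
            add     ebx, 34h
            mov     ecx, [edi].VirtualAddress
            add     ecx, ImageBase
            add     ecx, 4Dh                        ; ecx = VA of the third slot
            invoke  wsprintf, addr Buffer, addr formatHexa, ecx
            invoke  RemplirListView, 0, ebx, addr Buffer, addrDLL

            invoke  NouvellesFonctions, debutSection, [edi].VirtualAddress
            invoke  RemplirListView, 0, addr Trai, addr TraiLoader, addr Trai
pasdesection_pitit:
            add     edi, sizeof IMAGE_SECTION_HEADER
            pop     ebx
            dec     ebx
        .endw
        ret
ShowTheFunctions endp

;---------------------------------------------------------------------------
; FindIAT
; Asks the user for a file, maps it read-only, checks the MZ and PE
; signatures under a SEH frame, then calls ShowTheFunctions on the
; IMAGE_NT_HEADERS.  Every failure is reported with MessageBox; the view and
; handles are released in reverse order of acquisition.
; In:    globals ofn, buffer, FilterString, CheminFichier, AppName, error strings
; Out:   sets hFile, hMapping, pMapping, ValidPE
; Clobb: eax, ecx, edx, flags (edi preserved via `uses`)
; Fix:   ValidPE is reset to FALSE before the SEH-protected header check; if a
;        fault (e.g. e_lfanew beyond a truncated mapping) lands on Final_Exit
;        before the check assigns it, the value left over from the previous
;        file was used and ShowTheFunctions could run on a bad edi.
;---------------------------------------------------------------------------
FindIAT proc uses edi
        LOCAL seh:SEH

        jmp     data@6
Zero    dw 0                                    ; empty string
data@6:
        invoke  lstrcpy, addr buffer, addr Zero ; buffer = ""
        mov     ofn.lStructSize, SIZEOF ofn
        mov     ofn.lpstrFilter, OFFSET FilterString
        mov     ofn.lpstrFile, OFFSET buffer
        mov     ofn.nMaxFile, 512               ; assumes buffer holds at least 512 bytes — TODO confirm
        mov     ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
        mov     ofn.lpstrInitialDir, offset CheminFichier
        invoke  GetOpenFileName, ADDR ofn
        .if eax == TRUE
            invoke  CreateFile, addr buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
            .if eax != INVALID_HANDLE_VALUE
                mov     hFile, eax
                invoke  CreateFileMapping, hFile, NULL, PAGE_READONLY, 0, 0, 0
                .if eax != NULL
                    mov     hMapping, eax
                    invoke  MapViewOfFile, hMapping, FILE_MAP_READ, 0, 0, 0
                    .if eax != NULL
                        mov     pMapping, eax

                        ; SEH frame: a fault while reading the headers resumes at Final_Exit
                        assume  fs:nothing
                        push    fs:[0]
                        pop     seh.PrevLink
                        mov     seh.CurrentHandler, offset SEHHandler
                        mov     seh.SafeOffset, offset Final_Exit
                        lea     eax, seh
                        mov     fs:[0], eax
                        mov     seh.PrevEsp, esp
                        mov     seh.PrevEbp, ebp

                        mov     ValidPE, FALSE      ; known state if the check below faults
                        mov     edi, pMapping
                        assume  edi:ptr IMAGE_DOS_HEADER
                        .if [edi].e_magic == IMAGE_DOS_SIGNATURE
                            add     edi, [edi].e_lfanew     ; file-controlled; not range-checked
                            assume  edi:ptr IMAGE_NT_HEADERS
                            .if [edi].Signature == IMAGE_NT_SIGNATURE
                                mov     ValidPE, TRUE
                            .else
                                mov     ValidPE, FALSE
                            .endif
                        .else
                            mov     ValidPE, FALSE
                        .endif
Final_Exit:
                        push    seh.PrevLink
                        pop     fs:[0]
                        .if ValidPE == TRUE
                            invoke  ShowTheFunctions, edi   ; edi -> IMAGE_NT_HEADERS
                        .else
                            invoke  MessageBox, 0, addr FileInValidPE, addr AppName, MB_OK+MB_ICONERROR
                        .endif
                        invoke  UnmapViewOfFile, pMapping
                    .else
                        invoke  MessageBox, 0, addr FileMappingError, addr AppName, MB_OK+MB_ICONERROR
                    .endif
                    invoke  CloseHandle, hMapping
                .else
                    invoke  MessageBox, 0, addr FileOpenMappingError, addr AppName, MB_OK+MB_ICONERROR
                .endif
                invoke  CloseHandle, hFile
            .else
                invoke  MessageBox, 0, addr FileOpenError, addr AppName, MB_OK+MB_ICONERROR
            .endif
        .endif
        ret
FindIAT endp

;---------------------------------------------------------------------------
; String2Dword(String) -> eax
; Converts a NUL-terminated string of decimal digits to a DWORD, Horner
; style: result = result*10 + (c - '0') for each character, modulo 2^32.
; Each "digit" is (c - '0') computed on a byte, exactly as before, so a
; non-digit still contributes a value and no error is reported.  Note that
; the call sites feed it the column-1 text, which formatHexa presumably
; renders in hexadecimal; 'A'..'F' would then be read as 17..22, not
; 10..15 — TODO confirm the format and switch to base 16 if so.
; In:    String -> text
; Out:   eax = value
; Clobb: eax, flags (ecx/edx/edi/esi preserved via `uses`)
;---------------------------------------------------------------------------
String2Dword proc uses ecx edi edx esi String:DWORD
        LOCAL Result:DWORD

        mov     Result, 0
        mov     edi, String
        invoke  lstrlen, String
        mov     ecx, eax                        ; ecx = characters remaining
        .while ecx != 0
            mov     eax, Result
            imul    eax, eax, 10                ; low 32 bits only, as the original mul chain
            xor     edx, edx
            mov     dl, byte ptr [edi]
            sub     dl, "0"                     ; byte arithmetic: wraps within 0..255
            add     eax, edx
            mov     Result, eax
            inc     edi
            dec     ecx
        .endw
        mov     eax, Result
        ret
String2Dword endp

;---------------------------------------------------------------------------
; CompareFunc(lParam1, lParam2, SortType) -> eax   (LVM_SORTITEMS callback)
; lParam1/lParam2 are item indices (kept in sync by UpdatelParam).
;   SortType 1 / 2: column 1 via String2Dword, ascending / descending
;   SortType 3 / 4: column 0 via lstrcmpi, ascending / descending (default)
; Out:   eax = negative / zero / positive ordering value
; Clobb: eax, ecx, edx, flags (edi preserved via `uses`)
;---------------------------------------------------------------------------
CompareFunc proc uses edi lParam1:DWORD, lParam2:DWORD, SortType:DWORD
        LOCAL bufferListView[256]:BYTE
        LOCAL bufferListView1[256]:BYTE
        LOCAL lvi:LV_ITEM

        mov     lvi.imask, LVIF_TEXT
        lea     eax, bufferListView
        mov     lvi.pszText, eax
        mov     lvi.cchTextMax, sizeof bufferListView
        .if SortType == 1
            mov     lvi.iSubItem, 1
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam1, addr lvi
            invoke  String2Dword, addr bufferListView
            mov     edi, eax                    ; edi = value(item1)
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam2, addr lvi
            invoke  String2Dword, addr bufferListView
            sub     edi, eax                    ; value(item1) - value(item2)
            mov     eax, edi
        .elseif SortType == 2
            mov     lvi.iSubItem, 1
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam1, addr lvi
            invoke  String2Dword, addr bufferListView
            mov     edi, eax
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam2, addr lvi
            invoke  String2Dword, addr bufferListView
            sub     eax, edi                    ; value(item2) - value(item1)
        .elseif SortType == 3
            mov     lvi.iSubItem, 0
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam1, addr lvi
            invoke  lstrcpy, addr bufferListView1, addr bufferListView
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam2, addr lvi
            invoke  lstrcmpi, addr bufferListView1, addr bufferListView
        .else
            mov     lvi.iSubItem, 0
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam1, addr lvi
            invoke  lstrcpy, addr bufferListView1, addr bufferListView
            invoke  SendMessage, hList, LVM_GETITEMTEXT, lParam2, addr lvi
            invoke  lstrcmpi, addr bufferListView, addr bufferListView1
        .endif
        ret
CompareFunc endp

;---------------------------------------------------------------------------
; UpdatelParam
; After a sort, renumbers every row's lParam to its current index so the
; next CompareFunc call can use lParam as an item index.
; Clobb: eax, ecx, edx, flags (edi preserved via `uses`)
;---------------------------------------------------------------------------
UpdatelParam proc uses edi
        LOCAL lvi:LV_ITEM

        invoke  SendMessage, hList, LVM_GETITEMCOUNT, 0, 0
        mov     edi, eax                        ; edi = rows left to renumber
        mov     lvi.imask, LVIF_PARAM
        mov     lvi.iSubItem, 0
        mov     lvi.iItem, 0
        .while edi > 0
            push    lvi.iItem
            pop     lvi.lParam                  ; lParam = index
            invoke  SendMessage, hList, LVM_SETITEM, 0, addr lvi
            inc     lvi.iItem
            dec     edi
        .endw
        ret
UpdatelParam endp

;---------------------------------------------------------------------------
; ShowCurrentFocus
; Shows a MessageBox whose text is "Call dword ptr [<column 1>]" and whose
; title is the focused row's column 0 (the function name).
; Clobb: eax, ecx, edx, flags
; Fix:   cchTextMax was 256 for both a 10-byte and a 50-byte stack buffer;
;        double-clicking a separator row (column 1 = "--------------- IAT
;        ---------------") or a long function name overflowed the stack.
;        Each read is now bounded by the size of its buffer.
;---------------------------------------------------------------------------
ShowCurrentFocus proc
        LOCAL lvi:LV_ITEM
        LOCAL bufferAddr[10]:BYTE
        LOCAL bufferListView[256]:BYTE
        LOCAL bufferNomFonc[50]:BYTE

        jmp     data@6
calldwordptr db "Call dword ptr [",0
Fermer       db "]",0
data@6:
        invoke  lstrcpy, addr bufferListView, addr calldwordptr

        ; column 1 of the focused row (the address text)
        invoke  SendMessage, hList, LVM_GETNEXTITEM, -1, LVNI_FOCUSED
        mov     lvi.iItem, eax
        mov     lvi.iSubItem, 1
        mov     lvi.imask, LVIF_TEXT
        lea     eax, bufferAddr
        mov     lvi.pszText, eax
        mov     lvi.cchTextMax, sizeof bufferAddr
        invoke  SendMessage, hList, LVM_GETITEM, 0, addr lvi
        invoke  lstrcat, addr bufferListView, addr bufferAddr
        invoke  lstrcat, addr bufferListView, addr Fermer

        ; column 0 of the same row (the function name); iItem is unchanged
        mov     lvi.iSubItem, 0
        mov     lvi.imask, LVIF_TEXT
        lea     eax, bufferNomFonc
        mov     lvi.pszText, eax
        mov     lvi.cchTextMax, sizeof bufferNomFonc
        invoke  SendMessage, hList, LVM_GETITEM, 0, addr lvi
        invoke  MessageBox, 0, addr bufferListView, addr bufferNomFonc, MB_OK
        ret
ShowCurrentFocus endp

;---------------------------------------------------------------------------
; PlaceUnderParent
; Keeps hwndDlg at its current size and docks it directly below HWNDParent
; (x = parent.left, y = parent.bottom).  Shared by WM_CREATE and WM_MOVE.
; Clobb: eax, ecx, edx, flags (ebx preserved via `uses`)
;---------------------------------------------------------------------------
PlaceUnderParent proc uses ebx
        LOCAL rect:RECT

        invoke  GetWindowRect, hwndDlg, addr rect
        mov     ecx, rect.right
        sub     ecx, rect.left                  ; ecx = width of the list-view window
        push    ecx                             ; ecx is volatile across the next call
        mov     ebx, rect.bottom
        sub     ebx, rect.top                   ; ebx = height of the list-view window
        invoke  GetWindowRect, HWNDParent, addr rect
        pop     ecx
        invoke  MoveWindow, hwndDlg, rect.left, rect.bottom, ecx, ebx, TRUE
        ret
PlaceUnderParent endp

;---------------------------------------------------------------------------
; DlgProc(hWndLV, iMsg, wParam, lParam) -> eax = 0
; Dialog/window procedure: creates the list view and loads a file on
; WM_INITDIALOG, switches the view style from menu commands, sorts on column
; click, shows the focused row on double-click, and tracks size/position.
; Clobb: eax, ecx, edx, flags (ebx/edi preserved via `uses`)
; Fix:   the original clobbered ebx in WM_CREATE/WM_MOVE without saving it;
;        a window procedure is called by the system and must preserve ebx.
;        The manual push/pop of edi in WM_NOTIFY moved into `uses` as well.
;---------------------------------------------------------------------------
DlgProc PROC uses ebx edi hWndLV:HWND, iMsg:DWORD, wParam:WPARAM, lParam:LPARAM
        .if iMsg == WM_INITDIALOG
            invoke  CreateWindowEx, NULL, addr ListViewClassName, NULL, LVS_REPORT+WS_CHILD+WS_VISIBLE, 0, 0, 0, 0, hWndLV, NULL, hInstance, NULL
            mov     hList, eax
            call    InsertColumn
            ;call FillFileInfo
            call    FindIAT
            RGB     255,255,255
            invoke  SendMessage, hList, LVM_SETTEXTCOLOR, 0, eax
            RGB     55,55,100
            invoke  SendMessage, hList, LVM_SETBKCOLOR, 0, eax
            RGB     55,55,100
            invoke  SendMessage, hList, LVM_SETTEXTBKCOLOR, 0, eax
            invoke  GetMenu, hWndLV
            mov     hMenu, eax
            invoke  CheckMenuRadioItem, hMenu, IDM_ICON, IDM_LIST, IDM_REPORT, MF_CHECKED
        .elseif iMsg == WM_CREATE
            call    PlaceUnderParent
        .elseif iMsg == WM_COMMAND
            .if lParam == 0                     ; menu: LOWORD(wParam) is the IDM_* view style
                invoke  GetWindowLong, hList, GWL_STYLE
                and     eax, not LVS_TYPEMASK
                mov     edx, wParam
                and     edx, 0FFFFh
                push    edx
                or      eax, edx
                invoke  SetWindowLong, hList, GWL_STYLE, eax
                pop     edx
                invoke  CheckMenuRadioItem, hMenu, IDM_ICON, IDM_LIST, edx, MF_CHECKED
            .endif
        .elseif iMsg == WM_NOTIFY
            mov     edi, lParam
            assume  edi:ptr NMHDR
            mov     eax, [edi].hwndFrom
            .if eax == hList
                .if [edi].code == LVN_COLUMNCLICK
                    assume  edi:ptr NM_LISTVIEW
                    .if [edi].iSubItem == 1
                        ; column 1: toggle numeric ascending (1) / descending (2)
                        .if SizeSortOrder == 0 || SizeSortOrder == 2
                            invoke  SendMessage, hList, LVM_SORTITEMS, 1, offset CompareFunc
                            invoke  UpdatelParam
                            mov     SizeSortOrder, 1
                        .else
                            invoke  SendMessage, hList, LVM_SORTITEMS, 2, offset CompareFunc
                            invoke  UpdatelParam
                            mov     SizeSortOrder, 2
                        .endif
                    .else
                        ; other columns: toggle text ascending (3) / descending (4)
                        .if FileNameSortOrder == 0 || FileNameSortOrder == 4
                            invoke  SendMessage, hList, LVM_SORTITEMS, 3, offset CompareFunc
                            invoke  UpdatelParam
                            mov     FileNameSortOrder, 3
                        .else
                            invoke  SendMessage, hList, LVM_SORTITEMS, 4, offset CompareFunc
                            invoke  UpdatelParam
                            mov     FileNameSortOrder, 4
                        .endif
                    .endif
                    assume  edi:ptr NMHDR
                .elseif [edi].code == NM_DBLCLK
                    invoke  ShowCurrentFocus
                .endif
            .endif
            assume  edi:nothing
        .elseif iMsg == WM_SIZE
            mov     eax, lParam
            mov     edx, eax
            and     eax, 0ffffh                 ; LOWORD(lParam) = client width
            shr     edx, 16                     ; HIWORD(lParam) = client height
            invoke  MoveWindow, hList, 0, 0, eax, edx, TRUE
        .elseif iMsg == WM_MOVE
            call    PlaceUnderParent
        .elseif iMsg == WM_CLOSE
            invoke  EndDialog, hwndDlg, NULL
            mov     hwndDlg, 0
        .elseif iMsg == WM_DESTROY
            invoke  PostQuitMessage, NULL
        .endif
        xor     eax, eax
        ret
DlgProc endp

;---------------------------------------------------------------------------
; NouvellesFonctions(debutSection, VAddress)
; Walks the record table at debutSection + PITIT_TABLE_OFFSET.  A record
; starting with "DLLD" is a DLL name (4-byte tag, 1 byte, name, NUL) and
; loads that DLL; any other record is a function name (name, NUL, then a
; 4-byte slot).  Each function found with GetProcAddress is listed with the
; VA of its slot (slot - debutSection + VAddress + ImageBase).  The walk
; stops at the first LoadLibrary/GetProcAddress failure; there is no bound
; against the end of the section.
; In:    debutSection -> raw start of the .pitit section in the mapping
;        VAddress      = that section's VirtualAddress
; Clobb: flags only (all general registers restored via `uses`)
; Fixes: - on GetProcAddress failure the saved DLL handle was left on the
;          stack (`push ecx` before the call, `je fin` before `pop ecx`), so
;          the epilogue popped the wrong registers and `ret` used a bad
;          return address.  The stack is now rebalanced before the test.
;        - with no "DLLD" record seen yet, ecx held whatever the caller had;
;          the walk now ends instead of calling GetProcAddress on garbage.
;        - each loaded DLL is released with FreeLibrary (previously leaked).
; NOTE(security): the DLL name is taken from the file being analysed.
;        LoadLibrary runs that module's DllMain and follows the normal DLL
;        search order, so inspecting an untrusted file executes code that
;        file names.  Loading with LoadLibraryEx and
;        DONT_RESOLVE_DLL_REFERENCES (or resolving against a static export
;        table) avoids running it; not changed here because GetProcAddress
;        behaviour for forwarded exports would differ — flagged for review.
;---------------------------------------------------------------------------
NouvellesFonctions proc uses esi edi eax ebx ecx edx debutSection:DWORD, VAddress:DWORD
        LOCAL addrNomDLL:DWORD
        LOCAL addrNomFonction:DWORD
        LOCAL hDLL:DWORD

        mov     hDLL, 0
        xor     ecx, ecx                        ; ecx = handle of the current DLL (0 = none yet)
        mov     ebx, debutSection
        add     ebx, PITIT_TABLE_OFFSET         ; ebx -> first record
debut0:
        mov     eax, ebx
        cmp     dword ptr [eax], "DLLD"
        jne     saute1

        ; ---- "DLLD" record: tag (4) + 1 byte, then the DLL name ----
        add     eax, 5                          ; eax -> DLL name
        mov     addrNomDLL, eax
        mov     ebx, eax
tailleDLL:
        inc     ebx
        cmp     byte ptr [ebx], 0
        jne     tailleDLL
        inc     ebx                             ; ebx -> first function name of this DLL

        .if hDLL != 0                           ; release the previous DLL before loading the next
            push    eax                         ; keep the name pointer across the call
            invoke  FreeLibrary, hDLL
            pop     eax
            mov     hDLL, 0
        .endif
        push    eax                             ; lpLibFileName (file-controlled, see NOTE above)
        call    LoadLibrary
        test    eax, eax
        jz      fin
        mov     ecx, eax                        ; ecx = DLL handle
        mov     hDLL, eax
        jmp     debut0

saute1:
        ; ---- function record: name, NUL, 4-byte slot ----
        test    ecx, ecx
        jz      fin                             ; no DLL loaded yet: nothing to resolve against
        mov     addrNomFonction, ebx
saute2:
        inc     ebx
        cmp     byte ptr [ebx], 0
        jne     saute2
        inc     ebx                             ; ebx -> the slot following the name
        push    ecx                             ; GetProcAddress may clobber ecx
        push    addrNomFonction                 ; lpProcName
        push    ecx                             ; hModule
        call    GetProcAddress
        pop     ecx                             ; rebalance BEFORE testing the result
        test    eax, eax
        jz      fin

        pushad
        sub     ebx, debutSection
        add     ebx, VAddress
        add     ebx, ImageBase                  ; ebx = VA of the slot
        invoke  wsprintf, addr Buffer, addr formatHexa, ebx
        invoke  RemplirListView, 0, addrNomFonction, addr Buffer, addrNomDLL
        popad
        add     ebx, 4                          ; skip the slot
        jmp     debut0

fin:
        .if hDLL != 0
            invoke  FreeLibrary, hDLL
        .endif
        ret
NouvellesFonctions endp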