本来想用SoftSnoop监视CreateFile/OpenFile/ReadFile/SetFilePointer,后来发现太难用了。
于是自己写了个脚本,把程序运行中上面几个API的执行信息记录下来,供自己分析用。
不知有没有人需要,发个玩玩。
=============================================
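// OllyScript: trace the target's file I/O by breaking on four kernel32
// exports (CreateFileA / OpenFile / SetFilePointer / ReadFile) and logging
// their stack arguments each time one is entered.
//
// Assumptions:
//  - the breakpoint fires on the API's first instruction, so with stdcall
//    [esp] is the return address and [esp+4] is the first argument;
//  - `log [esp+N]` prints the raw dword, so pointer arguments (file names,
//    buffers, OFSTRUCT/OVERLAPPED pointers) are logged as addresses, not
//    as the data they point to.
//
// Variables:
//  x1..x4  resolved addresses of the four APIs (also the breakpoint targets)
//  x5      saved copy of the target's eax, restored before resuming
//  x       loop control; never changed, so the trace runs until the script
//          is stopped by the user
var x1,x2,x3,x4,x5
var x

gpa "CreateFileA", "kernel32.dll"
mov x1,$RESULT
bp $RESULT
gpa "OpenFile", "kernel32.dll"
mov x2,$RESULT
bp $RESULT
gpa "SetFilePointer","kernel32.dll"
mov x3,$RESULT
bp $RESULT
gpa "ReadFile","kernel32.dll"
mov x4,$RESULT
bp $RESULT

mov x,0
run

// Entered after every breakpoint hit. eax is borrowed for the eip
// comparisons, so it is saved to x5 first and restored at next_4.
WWWWW:
mov x5,eax

// CreateFileA(lpFileName, dwDesiredAccess, dwShareMode,
//             lpSecurityAttributes, dwCreationDisposition,
//             dwFlagsAndAttributes, hTemplateFile)
mov eax,x1
cmp eip,eax
jne next_1
log "CreateFileA"
log "FileName:"
log [esp+4]
log "Access"
log [esp+8]
log "ShareMode"
log [esp+0c]
log "pSecurity"
log [esp+10]
log "Mode"
log [esp+14]
log "Flags"
log [esp+18]
log "hTemplateFile"
log [esp+1c]

// OpenFile(lpFileName, lpReOpenBuff, uStyle)
next_1:
mov eax,x2
cmp eip,eax
jne next_2
log "OpenFile"
log "FileName:"
log [esp+4]
log "pOfstruct"
log [esp+8]
log "Mode"
log [esp+0c]

// SetFilePointer(hFile, lDistanceToMove, lpDistanceToMoveHigh, dwMoveMethod)
next_2:
mov eax,x3
cmp eip,eax
jne next_3
log "SetFilePointer"
log "hFile:"
log [esp+4]
log "OffsetLo"
log [esp+8]
log "pOffsetHi"
log [esp+0c]
log "Origin"
log [esp+10]

// ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead,
//          lpOverlapped)
next_3:
mov eax,x4
cmp eip,eax
jne next_4
log "ReadFile"
log "hFile:"
log [esp+4]
log "Buffer"
log [esp+8]
log "BytesToRead"
log [esp+0c]
log "pBytesRead"
log [esp+10]
log "pOverlapped"
log [esp+14]

// Restore the target's eax and resume; loop back on the next breakpoint.
next_4:
mov eax,x5
run
cmp x,0
je WWWWW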
================================