部分代码欣赏:
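function TForm1.DumpPE(FileName:String):Bool;
// Dumps the main image of the process selected in the tree view to FileName.
//
// The image is read from the target with ReadProcessMemory, then re-laid-out
// from its in-memory (virtual) layout to its on-disk (raw) layout using the
// section table found in the image's own PE headers.
//
// Every header field used here comes from the memory of another process and
// must be treated as untrusted: a packed or hostile target can declare any
// SizeOfImage, section count, raw offset or raw size. All offsets and lengths
// are therefore range-checked before they are used to index a local buffer.
//
// Returns True only when the whole dump was written to FileName.
const
  PROBE_SIZE    = $400;      // bytes read first, just to find SizeOfImage
  SEC_HDR_SIZE  = $28;       // size of one section-table entry
  NT_HDR_NEEDED = $54;       // bytes of NT headers read below (up to SizeOfImage)
  MAX_DUMP_SIZE = $20000000; // 512 MiB sanity limit on header-declared sizes (arbitrary)
  DOS_MAGIC     = $5A4D;     // 'MZ'
  NT_MAGIC      = $00004550; // 'PE'#0#0
var
  ProcessHandle, hfile: THandle;
  // PAnsiChar keeps pointer arithmetic byte-granular on every compiler version.
  SrcBuf, DscBuf: PAnsiChar;
  nSize, lpNumberOfBytes: DWORD;
  imgBase, imgSize: DWORD;
  pid, i: Integer;
  NtOfs, SecTableOfs, SecOfs: DWORD;
  NumberOfSections, FileAlignment: DWORD;
  RawFileSize, HdrLen, RawOfs, RawSize, VirtOfs, CopyLen: DWORD;

  // True when [Offset, Offset+Len) lies inside a buffer of Limit bytes.
  // Written as a subtraction so a huge Offset/Len cannot wrap around.
  function Fits(Offset, Len, Limit: DWORD): Boolean;
  begin
    Result := (Offset <= Limit) and (Len <= Limit - Offset);
  end;

  function WordAt(Buf: PAnsiChar; Offset: DWORD): DWORD;
  begin
    Result := PWord(Buf + Offset)^;
  end;

  function DWordAt(Buf: PAnsiChar; Offset: DWORD): DWORD;
  begin
    Result := PDWORD(Buf + Offset)^;
  end;

  // Validates the DOS and NT signatures and returns the NT header offset
  // (e_lfanew, a 32-bit field) in Ofs. Fails if the headers do not fit.
  function LocateNtHeaders(Buf: PAnsiChar; BufSize: DWORD; var Ofs: DWORD): Boolean;
  begin
    Result := False;
    if not Fits(0, $40, BufSize) then Exit;
    if WordAt(Buf, 0) <> DOS_MAGIC then Exit;
    Ofs := DWordAt(Buf, $3C);
    if not Fits(Ofs, NT_HDR_NEEDED, BufSize) then Exit;
    Result := DWordAt(Buf, Ofs) = NT_MAGIC;
  end;

  // Tells the user the target could not be read or its headers were rejected.
  procedure ReportBadImage;
  begin
    MessageBox(Handle,'无法读取进程内存或PE头无效。','错误',0);
  end;

begin
  Result := False;
  SrcBuf := nil;
  DscBuf := nil;
  pid := tv.Items.Item[rec].ImageIndex;

  // Only ReadProcessMemory is used on this handle, so request read access
  // only instead of PROCESS_ALL_ACCESS.
  ProcessHandle := OpenProcess(PROCESS_VM_READ, False, pid);
  if ProcessHandle = 0 then
  begin
    ReportBadImage;
    Exit;
  end;

  try
    imgBase := 0;
    imgSize := 0;
    GetProcessBaseSize(pid,@imgBase,@imgSize);
    if imgBase = 0 then
    begin
      ReportBadImage;
      Exit;
    end;

    // First read 1 KiB of headers to learn the size of the image.
    SrcBuf := AllocMem(PROBE_SIZE);
    if (not ReadProcessMemory(ProcessHandle, Pointer(imgBase), SrcBuf, PROBE_SIZE, lpNumberOfBytes))
       or (lpNumberOfBytes < PROBE_SIZE)
       or (not LocateNtHeaders(SrcBuf, PROBE_SIZE, NtOfs)) then
    begin
      ReportBadImage;
      Exit;
    end;
    nSize := DWordAt(SrcBuf, NtOfs + $50); // SizeOfImage
    FreeMem(SrcBuf);
    SrcBuf := nil;

    // SizeOfImage drives the next allocation, so bound it first.
    if (nSize = 0) or (nSize > MAX_DUMP_SIZE) then
    begin
      ReportBadImage;
      Exit;
    end;

    // Read the whole image. The call fails when part of the range is not
    // readable (page protection may need adjusting); the buffer is
    // zero-filled by AllocMem, so a partial copy is tolerated and the headers
    // are validated again below instead of trusting the first probe.
    SrcBuf := AllocMem(nSize);
    ReadProcessMemory(ProcessHandle, Pointer(imgBase), SrcBuf, nSize, lpNumberOfBytes);
    if not LocateNtHeaders(SrcBuf, nSize, NtOfs) then
    begin
      ReportBadImage;
      Exit;
    end;

    FileAlignment    := DWordAt(SrcBuf, NtOfs + $3C);
    NumberOfSections := WordAt(SrcBuf, NtOfs + 6);
    // Section table follows the optional header: NT + $18 + SizeOfOptionalHeader.
    SecTableOfs      := NtOfs + $18 + WordAt(SrcBuf, NtOfs + $14);

    // Zero sections used to wrap the section counters; a table that runs past
    // the buffer used to be read out of bounds.
    if (NumberOfSections = 0)
       or (not Fits(SecTableOfs, NumberOfSections * SEC_HDR_SIZE, nSize)) then
    begin
      ReportBadImage;
      Exit;
    end;

    // Output size = highest raw end over all sections. For an ordinary image
    // this is the last section's end; taking the maximum guarantees that
    // every section's destination range fits in DscBuf even when the table is
    // not in file order.
    RawFileSize := 0;
    for i := 0 to Integer(NumberOfSections) - 1 do
    begin
      SecOfs  := SecTableOfs + DWORD(i) * SEC_HDR_SIZE;
      RawSize := DWordAt(SrcBuf, SecOfs + $10); // SizeOfRawData
      RawOfs  := DWordAt(SrcBuf, SecOfs + $14); // PointerToRawData
      if not Fits(RawOfs, RawSize, MAX_DUMP_SIZE) then
      begin
        ReportBadImage;
        Exit;
      end;
      if RawOfs + RawSize > RawFileSize then
        RawFileSize := RawOfs + RawSize;
    end;
    if RawFileSize = 0 then
    begin
      ReportBadImage;
      Exit;
    end;

    DscBuf := AllocMem(RawFileSize);

    // PE headers: FileAlignment * 2 bytes, clamped to both buffers.
    // NOTE(review): SizeOfHeaders (NT + $54) would give the exact header
    // length; the original heuristic is kept here.
    if FileAlignment > nSize then
      HdrLen := nSize
    else
      HdrLen := FileAlignment * 2;
    if HdrLen > nSize then HdrLen := nSize;
    if HdrLen > RawFileSize then HdrLen := RawFileSize;
    Move(SrcBuf^, DscBuf^, HdrLen);

    // Sections: copy from the virtual offset in the image to the raw offset
    // in the file. The source length is clamped to what was actually read;
    // any remainder stays zero.
    for i := 0 to Integer(NumberOfSections) - 1 do
    begin
      SecOfs  := SecTableOfs + DWORD(i) * SEC_HDR_SIZE;
      VirtOfs := DWordAt(SrcBuf, SecOfs + $0C); // VirtualAddress
      RawSize := DWordAt(SrcBuf, SecOfs + $10); // SizeOfRawData
      RawOfs  := DWordAt(SrcBuf, SecOfs + $14); // PointerToRawData
      if VirtOfs < nSize then
      begin
        CopyLen := nSize - VirtOfs;
        if CopyLen > RawSize then CopyLen := RawSize;
        Move((SrcBuf + VirtOfs)^, (DscBuf + RawOfs)^, CopyLen);
      end;
    end;

    hfile := CreateFile(PChar(FileName),
                        GENERIC_WRITE,
                        FILE_SHARE_WRITE,
                        nil,
                        CREATE_NEW,
                        FILE_ATTRIBUTE_NORMAL,
                        0);
    if hfile = INVALID_HANDLE_VALUE then
    begin
      // Offer to overwrite only when the failure really is "file exists".
      if GetLastError <> ERROR_FILE_EXISTS then
      begin
        MessageBox(Handle,'写文件出错。','错误',0);
        Exit;
      end;
      if MessageBox(Handle,'文件已存在,是否覆盖?','注意',MB_YESNO) <> ID_YES then
        Exit;
      hfile := CreateFile(PChar(FileName),
                          GENERIC_WRITE,
                          FILE_SHARE_WRITE,
                          nil,
                          CREATE_ALWAYS,
                          FILE_ATTRIBUTE_NORMAL,
                          0);
      if hfile = INVALID_HANDLE_VALUE then
      begin
        MessageBox(Handle,'写文件出错。','错误',0);
        Exit;
      end;
    end;

    // A short write counts as a failure, not as a completed dump.
    Result := WriteFile(hfile, DscBuf^, RawFileSize, lpNumberOfBytes, nil)
              and (lpNumberOfBytes = RawFileSize);
    CloseHandle(hfile);
    if Result then
      MessageBox(Handle,'完成转存。','信息',0)
    else
      MessageBox(Handle,'写文件出错。','错误',0);
  finally
    // Runs on every exit path, so neither buffers nor the process handle leak.
    if DscBuf <> nil then FreeMem(DscBuf);
    if SrcBuf <> nil then FreeMem(SrcBuf);
    CloseHandle(ProcessHandle);
  end;
end;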