; Display the memory layout of the current process (32-bit MASM, flat model, stdcall)
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
include macros.asm
include user32.inc
includelib user32.lib
include Psapi.inc
includelib Psapi.lib
; Resource identifiers: IDD_DIALOG is the dialog template passed to
; DialogBoxParam, IDC_LIST is the control that receives the LB_ADDSTRING lines.
IDD_DIALOG equ 104
IDC_LIST equ 1001
; Uninitialised globals.
.data?
; Module handle returned by GetModuleHandle(NULL) at start.
hInstance dd ?
; Not referenced anywhere in the visible code.
hWinMain dd ?
; Pseudo-handle returned by GetCurrentProcess, stored by _ShowMemoryState.
hProcess dd ?
; Read-only strings.
.const
; wsprintf format for one list line, in argument order:
; base address, state name, type name, region size, protection flags.
msg db "%10p %15s %15s %10p %10s",0
; Names returned by _FormatState.
memfree db "MEM_FREE ",0
memcommit db "MEM_COMMIT ",0
memreserve db "MEM_RESERVE",0
; Fallback returned by _FormatState and _FormatType when no constant matches.
unknow db ' ',0
; Names returned by _FormatType.
memimage db "MEM_IMAGE ",0
memmapped db "MEM_MAPPED ",0
memprivate db "MEM_PRIVATE",0
.code
;-----------------------------------------------------------------------
; _FormatState - translate a region state value into its display name.
; In:    wState = state value (the caller passes MEMORY_BASIC_INFORMATION.State)
; Out:   eax    = address of a NUL-terminated constant string:
;                 memcommit, memfree or memreserve; unknow if nothing matches
; Clobb: eax, flags
;-----------------------------------------------------------------------
_FormatState proc wState
        mov     eax,wState
        cmp     eax,MEM_COMMIT
        jne     st_not_commit
        mov     eax,offset memcommit
        ret
st_not_commit:
        cmp     eax,MEM_FREE
        jne     st_not_free
        mov     eax,offset memfree
        ret
st_not_free:
        cmp     eax,MEM_RESERVE
        jne     st_not_reserve
        mov     eax,offset memreserve
        ret
st_not_reserve:
        mov     eax,offset unknow       ; no known state matched
        ret
_FormatState endp
;-----------------------------------------------------------------------
; _FormatType - translate a region type value into its display name.
; In:    wType = type value (the caller passes MEMORY_BASIC_INFORMATION.lType)
; Out:   eax   = address of a NUL-terminated constant string:
;                memimage, memmapped or memprivate; unknow if nothing matches
; Clobb: eax, flags
;-----------------------------------------------------------------------
_FormatType proc wType
        mov     eax,wType
        cmp     eax,MEM_IMAGE
        jne     ty_not_image
        mov     eax,offset memimage
        ret
ty_not_image:
        cmp     eax,MEM_MAPPED
        jne     ty_not_mapped
        mov     eax,offset memmapped
        ret
ty_not_mapped:
        cmp     eax,MEM_PRIVATE
        jne     ty_not_private
        mov     eax,offset memprivate
        ret
ty_not_private:
        mov     eax,offset unknow       ; no known type matched
        ret
_FormatType endp
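;-----------------------------------------------------------------------
; _FormatProtect - render a page-protection value as a 4-character string.
; In:    wProtect = protection value (the caller passes
;                   MEMORY_BASIC_INFORMATION.Protect)
;        szBuffer = destination buffer, at least 5 bytes (4 chars + NUL)
; Out:   szBuffer = one of -R-- -RW- -RWC E--- ER-- ERW- ERWC, or ----
;                   for anything else (PAGE_NOACCESS, 0, unknown values)
;        eax      = wsprintf return value
; Columns read: Execute, Read, Write, Copy-on-write.
;-----------------------------------------------------------------------
_FormatProtect proc wProtect,szBuffer
        mov     eax,wProtect
        ; The base protection lives in the low byte; PAGE_GUARD (100h),
        ; PAGE_NOCACHE (200h) and PAGE_WRITECOMBINE (400h) are OR-ed on top.
        ; Without this mask an exact compare misses any region carrying a
        ; modifier and lists it as "----", which would hide e.g. a
        ; writable+executable page from the reader. The modifiers themselves
        ; are not shown in the 4-character field.
        and     eax,0FFh
        .if eax == PAGE_READONLY
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT('-R--')
        .elseif eax == PAGE_READWRITE
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT("-RW-")
        .elseif eax == PAGE_WRITECOPY
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT("-RWC")
        .elseif eax == PAGE_EXECUTE
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT("E---")
        .elseif eax == PAGE_EXECUTE_READ
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT("ER--")
        .elseif eax == PAGE_EXECUTE_READWRITE
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT("ERW-")
        .elseif eax == PAGE_EXECUTE_WRITECOPY
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT("ERWC")
        .else
            invoke wsprintf,szBuffer,offset CTXT('%s'),CTXT("----")
        .endif
        ret
_FormatProtect endp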
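;-----------------------------------------------------------------------
; _ShowMemoryState - walk the current process's address space with
; VirtualQuery and add one formatted line per region to a list box.
; In:    hwndLB = list-box window handle (receives LB_ADDSTRING)
; Out:   nothing meaningful in eax
; Regs:  ebx = address of the next region to query. ebx is callee-saved
;        under stdcall and this routine is reached from a dialog procedure,
;        so it is listed in USES; ecx stays listed because the original
;        declaration preserved it.
; Side effect: stores the GetCurrentProcess pseudo-handle in hProcess.
;-----------------------------------------------------------------------
_ShowMemoryState proc uses ebx ecx hwndLB
        local @msg[1024]:byte
        local @path[MAX_PATH]:byte
        local @mbi:MEMORY_BASIC_INFORMATION
        local @szState:dword
        local @szType:dword
        local @szProtect[5]:byte        ; 4 flag characters + NUL
        local @pHeapAddress:dword

        ; The default heap handle does not change during the walk; fetch it once.
        invoke GetProcessHeap
        mov     @pHeapAddress,eax

        xor     ebx,ebx                 ; start at address 0
_loopbegin:
        invoke VirtualQuery,ebx,addr @mbi,sizeof @mbi
        ; Stop before touching @mbi when the query fails: a short or zero
        ; return leaves the structure holding the previous region's data.
        cmp     eax,sizeof @mbi
        jne     _loopend

        invoke _FormatState,@mbi.State
        mov     @szState,eax
        invoke _FormatType,@mbi.lType
        mov     @szType,eax
        invoke _FormatProtect,@mbi.Protect,addr @szProtect
        invoke wsprintf,addr @msg,offset msg,@mbi.BaseAddress,@szState,@szType,@mbi.RegionSize,addr @szProtect

        ; Append the backing file name for image and mapped regions.
        ; MEM_IMAGE / MEM_MAPPED are values of the type field, not the
        ; state field, so the test is made on lType.
        mov     eax,@mbi.lType
        .if eax == MEM_IMAGE || eax == MEM_MAPPED
            invoke GetCurrentProcess
            mov     hProcess,eax
            invoke GetMappedFileName,hProcess,ebx,addr @path,MAX_PATH
            .if eax
                ; lstrcat does no bounds checking. The formatted line is
                ; about 64 characters, so adding a separator, at most
                ; MAX_PATH characters of path and the heap marker below
                ; stays inside the 1024-byte @msg.
                invoke lstrcat,addr @msg,CTXT(' ')
                invoke lstrcat,addr @msg,addr @path
            .endif
        .endif

        ; Mark the region that starts at the process heap handle.
        mov     eax,@pHeapAddress
        .if ebx == eax
            invoke lstrcat,addr @msg,CTXT(' ')
            invoke lstrcat,addr @msg,CTXT('Process Heap Address')
        .endif

        invoke SendMessage,hwndLB,LB_ADDSTRING,0,addr @msg

        ; Advance to the next region; leave if the address wraps past 4 GB
        ; rather than restarting the walk from a low address.
        add     ebx,@mbi.RegionSize
        jnc     _loopbegin
_loopend:
        ret
_ShowMemoryState endp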
;-----------------------------------------------------------------------
; _DlgProc - dialog procedure for the memory-map dialog.
; In:    hWnd, wMsg, wParam, lParam = standard dialog-procedure arguments
;        (wParam and lParam are not read)
; Out:   eax = TRUE for WM_INITDIALOG and WM_CLOSE, FALSE for every other
;        message
;-----------------------------------------------------------------------
_DlgProc proc hWnd,wMsg,wParam,lParam
        cmp     wMsg,WM_CLOSE
        je      dlg_close
        cmp     wMsg,WM_INITDIALOG
        je      dlg_init
        mov     eax,FALSE               ; message not handled here
        ret
dlg_close:
        invoke EndDialog,hWnd,0
        jmp     dlg_handled
dlg_init:
        ; Fill the list box once, when the dialog is created.
        invoke GetDlgItem,hWnd,IDC_LIST
        invoke _ShowMemoryState,eax
dlg_handled:
        mov     eax,TRUE
        ret
_DlgProc endp
; Program entry point: record the module handle, run the modal dialog,
; then exit with code 0 (NULL).
start:
        invoke GetModuleHandle,NULL
        mov     hInstance,eax
        ; The last argument is the dialog's init parameter; _DlgProc never
        ; reads lParam, so the WM_INITDIALOG value passed here goes unused.
        invoke DialogBoxParam,eax,IDD_DIALOG,NULL,offset _DlgProc,WM_INITDIALOG
        invoke ExitProcess,NULL
end start