Windows assembler
When writing 32-bit Windows applications that do not use a graphical interface (or using a simple graphical interface), use assembly language to make the program simple and fast, and the executable of such programs is relatively small (generally no more than 10K). Fast execution, you can run without installing. In the Windows environment, the programming method of assembly language is similar to the C language, and the Windows API is to be called. Call the API function in assembly language Use the CALL instruction, and the function's parameters use the PUSH instruction to first into the stack, this step works in the MASM32V6 can be automatically completed by the Invoke Macro. The return value of the function is returned by the EAX register.
For example, the statement of the MessageBox function is as follows:
INT MessageBox (HWND H1, LPCTSTR LP1, LPCTSTR LP2, UINT U1);
Their compilation call is as follows:
Invoke Messagebox, H1, LP1, LP2, U1
The parameters are in the stack, check, etc., automatically complete by the INVOKE macro.
A simple Win 32 program is as follows:
.386
.Model flat, stdcall; 32-bit flat storage mode
Option Casemap: None; Case Case Letters
INCLUDE /MASM32/INCLUDE/Windows.inc
INCLUDE /MASM32/INCLUDE / WANEL32.INC
INCLUDELIB /MASM32/LIB/kernel32.lib
.code
Start:
Invoke EXITPROCESS, 0
End Start
The above program is similar to the assembler under a DOS, where statement "Invoke EXITPROCESS, 0" is equivalent to INT 20H or MOV AH, 04CH / INT 21H under DOS, that is, end the program and returns. This framework program does not complete what specific function, the program is returned immediately after running and does not generate a window during its run.
Implement memory modifier
Adding a statement to the above program, it can make it a virtually available memory modifier. Take the calculator program in the Windows attachment as an example. To modify the value of the calculator program virtual memory address 40b181h is 1234h (before running the modifier program, the calculator should be run first).
First add a data segment for the program. Add the following statement before .code:
.DATA
Processid DD?; Process ID
Windowname DB "Calculator", 0; Window Program Name
WriteAddr DD 40B181H; Write address
WriteDate DD 1234H; written data
Then add the following statement in Start:
Invoke FindWindow, Null, AddR Windowname
Invoke GetWindowThreadProcessid, Eax, Addr
Processid
Invoke openprocess, process_all_access, false, processid
Invoke WriteProcessMemory, EAX, Writeaddr,
Addr WriteDate, 4, 0
Invoke EXITPROCESS, 0
In the above code, first use the FindWindow function to acquire the handle of the target window, where the addr window name is the start address of the target window name (string) in memory, and the string ends in 0. The window handle is returned by EAX. If EAX = 0 indicates that the function is wrong, the other values represent the acquired target window handle. Use the getWindowThreadProcessID function to get the process identifier ProcessID via the window handle EAX. Similarly, if the function returns EAX = 0 indicates that the function is wrong, the other values indicate successfully acquired ProcessID. With the OpenProcess function, get the process handle of the calculator program from the process identifier ProcessId. Where process_all_access indicates that all permissions are fixed, the parameter FALSE is fixed. Similarly, the handle returns by EAX, if EAX = 0 indicates a function error, and the other values indicate the acquisition of the target process handle. Then use the WriteProcessMemory function to modify the memory, the calling method is as follows:
Invoke WriteProcessMemory, Eax, Writeaddr, Addr WriteDate, 4, 0
The meaning of its parameters is as follows:
● EAX: Handle of the target process acquired from the openprocess function;
● WriteAddr: The address that will be modified in the virtual memory of the calculator program;
● Addr WriteDate: The address that will be written to the above address;
● 4: I hope to write the number of bytes of the Addr WriteDate address;
● 0: After the function is executed, the actual number of bytes written to the destination address can be used to confirm the actual implementation of the function, and 0 is filled with 0.
This function returns EAX if EAX = 0 indicates a function error.
Finally, the EXITPROCESS function endpare is called, and the 0 value is returned to the operating system.
After editing the above code storage, use the compilation of the Masm32v6 to generate an execution file. This execution file can be executed in Windows 95/98 / ME and complete memory modification. Since the memory management method of Windows NT is different from Windows 98, this program can be executed in Windows NT, but the memory cannot be modified.
Compile:
ML / C / COFF file name .asm
connection:
LINK / SUBSYSTEM: Windows file name .Obj
Memory modifier improvement
Although the above programs can be implemented, it lacks interactive and versatility, which can be improved from two aspects.
1. There is no problem with any prompts whether or not to modify the memory or have other errors after the improvement procedure is improved. To enhance interactivity, the EAX value returned after each function is executed, if EAX = 0, the dialog prompts the user, and returns the operating system.
In order to generate an error prompt, add the following definition in the data segment:
TEXT1 DB "Tips!", 0; dialog
TEXT2 DB "Target Program is not running!", 0
Text3 DB "You cannot get the target process handle!", 0
Text4 db "cannot open the target process!", 0
Text5 DB "Failed to modify the target memory!", 0
TEXT6 DB "Command Format: Program Name Window Name Want to Modify Address New Value", 0
Use the MessageBox function pop-up dialog to prompt the user:
Invoke FindWindow, Null, Windowname
.IF EAX == 0
Invoke Messagebox, Null, Addr Text2, Addr Text1, MB_OKINVOKE EXITPROCESS, 1
.endif
2. Improve the lack of versatility. The above modifier program To modify the memory of another window program, you need to modify the Windowname, WriteAddr, WriteDate in the source program data segment, re-give the initial value to adapt to another window program, then recompile, and connect to implement . If the memory modifier comes with parameters, you can improve the versatility of the program. The format is as follows:
Execute program name parameter 1 parameter 2 parameter 3
Execute the new value of the address to modify the program name window program name
To get the command line parameters, you can define a variable to store the start address stored in the virtual memory in the data segment. Insert the following statement to get the first site of the command line parameter in the start of the code segment (after the start: identifier).
INVOKE GETCOMMANDLINE
Mov Commandline, EAX
After obtaining the order of the command line parameter, the command line parameters are analyzed, separated by parameters 1, parameter 2, parameter 3, and then send the separated parameters to the corresponding variable of the data segment.
summary
This article simply introduces the method of writing a Windows program with assembly language. A complete memory modifier should include memory search features and as high as possible search efficiency and accuracy. The memory search function can utilize an API function ReadProcessMemory with a read memory function, complete through a loop structure. But improve search efficiency and accuracy requires rich programming experience and skills to be implemented.
