Process Memory Dumper is a memory-dumping tool. It is easy to use; read readme.txt for more information.
.386
.model flat, stdcall
option casemap :none
include masm32includewindows.inc
include masm32includekernel32.inc
include masm32includeuser32.inc
includelib masm32libuser32.lib
includelib masm32libkernel32.lib
WndProc PROTO :HWND,:UINT,:WPARAM,:LPARAM
crlf EQU 13, 10
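.data
; Dialog resource name and caption used by DialogBoxParam / SetWindowText.
theProgram  db "PMD", 0
myApp       db "PMD v1.0 by BoR0", 0

; User-visible status / error messages (all NUL terminated).
myFerr      db "Cannot create dump file.", 0
myPerr      db "Cannot create/open process!", 0
myPress     db "Press OK when process is fully loaded.", 0
myRWerr     db "There was an error due to accessing memory", 13, 10,
               "or writing to dump file!", 13, 10, "Dump file might be trimmed.", 0
noErr       db "Successfully dumped whole section!", 0

; Help text shown by the Help button. The example paths are Windows paths,
; so they carry backslashes; MASM strings have no escape sequences.
Help        db "Process Memory Dumper v1.0 by BoR0", crlf,
               "-----------------------------------------------", crlf,
               "Example (how to dump from Filename):", crlf,
               "We will take Sol.exe (Solitaire) as an example.", crlf
            db "Fill the 'Memory to dump' editbox with 16806000.", crlf,
               "Note that addressing is in decimal", crlf,
               "(0x1007070 = 16806000d)", crlf,
               "Fill the size of dump with 4096 (4kb).", crlf,
               "Check the 'From filename' radiobox.", crlf,
               "In the next editbox, type:", crlf,
               "'C:\Windows\System32\Sol.exe'", crlf,
               "In the next, type C:\PMD.dmp", crlf,
               "If everything goes fine, you should ", crlf,
               "find your dump within the C:\PMD.dmp file."
            db crlf, crlf, "Example (how to dump from Pid):", crlf,
               "We will take Solitaire as an example again.", crlf,
               "Run Sol.exe and then run taskmgr.exe to obtain", crlf,
               "its pid. After this do everything like the first", crlf,
               "example, except check the Radiobox 'From pid',", crlf,
               "and in the next editbox after the radioboxes", crlf,
               "type the pid value. This should work.", crlf, crlf,
               "Greetings fly out to:", crlf,
               "thorpe, upb, Muad'Dib, TDC, Detten", crlf, crlf,
               "This program is coded 29/09/2005 by BoR0", 0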
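.data?
; Uninitialised (zero at load) globals shared between start and WndProc.
ProcessInfo       PROCESS_INFORMATION <>    ; filled by CreateProcess; hProcess is reused for the pid path
StartupInfo       STARTUPINFO <>            ; zero-filled; cb must be set before CreateProcess
lpFileName        db MAX_PATH dup(?)        ; dump file path (written to)
lpApplicationName db MAX_PATH dup(?)        ; executable path (read from)
hInstance         dd ?                      ; module handle
fHandle           dd ?                      ; dump file handle
bytwrit           dd ?                      ; byte count reported by the last Read/Write call
myAddress         dd ?                      ; next remote address to read
mySize            dd ?                      ; number of bytes to dump
frompid           dd ?                      ; IsDlgButtonChecked result of the "From filename"
                                            ; radio; BST_UNCHECKED means pid mode
; One-byte transfer buffer. Declared last so the dword variables above stay
; dword aligned (the structs and both MAX_PATH buffers total a multiple of 4).
mybuffer          db ?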
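.code
;-----------------------------------------------------------------------
; Entry point: run the modal "PMD" dialog and exit with its return value.
; DialogBoxParam returns when the dialog ends or when it cannot be
; created (-1); the ExitProcess keeps control from falling off the end of
; the entry code into WndProc with an unrelated stack.
;-----------------------------------------------------------------------
start:
    invoke GetModuleHandle, NULL
    mov hInstance, eax
    invoke DialogBoxParam, eax, ADDR theProgram, 0, ADDR WndProc, 0
    invoke ExitProcess, eax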
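;-----------------------------------------------------------------------
; BOOL WndProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure of the PMD main dialog (stdcall, Win32).
; Control ids: 1 = start address edit (decimal), 2 = size edit (decimal),
;              3 = executable path / pid edit, 4 = dump file edit,
;              100 = "From filename" radio, 7/8/9 = Dump/Help/Exit buttons.
; Returns TRUE when the message was handled, FALSE otherwise.
; esi/edi are callee-saved under stdcall: "uses esi edi" makes MASM save
; them in the prologue and restore them before every ret, so the copy loop
; may use them freely and no path can leak them.
;-----------------------------------------------------------------------
WndProc proc uses esi edi hWin:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    .if uMsg == WM_INITDIALOG
        invoke LoadIcon, hInstance, 500
        invoke PostMessage, hWin, WM_SETICON, ICON_BIG, eax
        invoke SetWindowText, hWin, ADDR myApp
        invoke CheckDlgButton, hWin, 100, BST_CHECKED     ; default mode: from filename
    .elseif uMsg == WM_COMMAND
        .if wParam == 7
            ; --- read the dump parameters. Nothing is open yet, so every
            ;     failure here only reports and returns. ------------------
            invoke GetDlgItemInt, hWin, 1, 0, 0            ; start address (decimal)
            test eax, eax
            je @ProcError
            mov myAddress, eax
            invoke GetDlgItemInt, hWin, 2, 0, 0            ; byte count (decimal)
            test eax, eax
            je @ProcError
            mov mySize, eax
            invoke GetDlgItemText, hWin, 4, ADDR lpFileName, MAX_PATH
            test eax, eax
            je @ProcError
            invoke CreateFile, ADDR lpFileName, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0
            cmp eax, INVALID_HANDLE_VALUE
            je @FileError
            mov fHandle, eax
            ; --- fHandle is open from here on: process failures must go
            ;     through @ProcErrorFile so the file handle is released. ----
            invoke IsDlgButtonChecked, hWin, 100           ; BST_CHECKED = dump from filename
            mov frompid, eax                                ; holds the "from filename" state
            test eax, eax
            je @Frompid
            invoke GetDlgItemText, hWin, 3, ADDR lpApplicationName, MAX_PATH
            test eax, eax
            je @ProcErrorFile
            ; CreateProcess requires cb; the rest of StartupInfo stays zero (.data?).
            mov StartupInfo.cb, sizeof STARTUPINFO
            ; The path is passed as lpApplicationName rather than as a command
            ; line, so CreateProcess does not re-parse or search for it.
            invoke CreateProcess, ADDR lpApplicationName, 0, 0, 0, 0, 0, 0, 0, ADDR StartupInfo, ADDR ProcessInfo
            test eax, eax
            je @ProcErrorFile
            invoke MessageBox, hWin, ADDR myPress, ADDR myApp, MB_OK+MB_ICONINFORMATION
@here:
            ; ================================================================
            ; Copy loop. esi = bytes copied, edi = bytes requested,
            ; myAddress = next remote address. One byte per iteration so a
            ; failure leaves everything before it already in the file.
            ; ================================================================
            xor esi, esi
            mov edi, mySize
@Loop:
            cmp esi, edi
            jae @end                                        ; unsigned: sizes are byte counts
            invoke ReadProcessMemory, ProcessInfo.hProcess, myAddress, ADDR mybuffer, 1, ADDR bytwrit
            test eax, eax
            je @RWError
            invoke WriteFile, fHandle, ADDR mybuffer, 1, ADDR bytwrit, 0
            test eax, eax
            je @RWError
            inc esi
            inc myAddress
            jmp @Loop
@end:
            invoke MessageBox, hWin, ADDR noErr, ADDR myApp, MB_OK+MB_ICONINFORMATION
@end2:
            ; --- cleanup. A process we launched is terminated and its thread
            ;     handle closed; a process opened by pid is left running. ----
            cmp frompid, BST_UNCHECKED
            je @Ending
            invoke TerminateProcess, ProcessInfo.hProcess, 0
            invoke CloseHandle, ProcessInfo.hThread
@Ending:
            invoke CloseHandle, ProcessInfo.hProcess
            invoke CloseHandle, fHandle
@Justquit:
            ret
@FileError:
            ; The dump file could not be created; no handle is open yet.
            invoke MessageBox, hWin, ADDR myFerr, ADDR myApp, MB_OK+MB_ICONERROR
            jmp @Justquit
@ProcErrorFile:
            ; The dump file exists but no process handle does: release the file.
            invoke CloseHandle, fHandle
@ProcError:
            invoke MessageBox, hWin, ADDR myPerr, ADDR myApp, MB_OK+MB_ICONERROR
            jmp @Justquit
@RWError:
            ; Partial dump: report it, then run the normal cleanup path.
            invoke MessageBox, hWin, ADDR myRWerr, ADDR myApp, MB_OK+MB_ICONERROR
            jmp @end2
@Frompid:
            invoke GetDlgItemInt, hWin, 3, 0, 0            ; pid (decimal)
            ; Least privilege: a pid-opened process is only read with
            ; ReadProcessMemory, which needs PROCESS_VM_READ; it is never
            ; terminated, so PROCESS_ALL_ACCESS is not required.
            invoke OpenProcess, PROCESS_VM_READ, 0, eax
            test eax, eax
            je @ProcErrorFile
            mov ProcessInfo.hProcess, eax
            jmp @here
        .elseif wParam == 8
            invoke MessageBox, hWin, ADDR Help, ADDR myApp, MB_OK+MB_ICONINFORMATION
        .elseif wParam == 9
            invoke ExitProcess, 0
        .endif
    .elseif uMsg == WM_CLOSE
        invoke ExitProcess, 0
    .else
        mov eax, FALSE
        ret
    .endif
    mov eax, TRUE
    ret
WndProc endp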
end start