;=====================================================================================
; x64dbg plugin SDK for Masm - fearless 2016 - www.LetTheLight.in
;
; APIInfo.asm
;
; v1.0.0.2 - Last updated: 01/03/2016
;
; - Added function APIInfoLoadMenuIcon to load png resource image as raw bytes
; - Added menu icon for plugin (uses _plugin_menuseticon)
; - Added menu entry icons for options and gen api (uses _plugin_menuentryseticon)
;
;-------------------------------------------------------------------------------------
; Target: 32-bit x86 (.686 with MMX/XMM mnemonics enabled), flat memory model.
; The default calling convention is stdcall; procedures declared `PROC C` below
; override it for the entry points the debugger calls.
.686
.MMX
.XMM
.model flat,stdcall
; Identifiers are case sensitive.
option casemap:none
; Uncomment the next line to pull in the optional debug-print library.
;DEBUG32 EQU 1
; The debug block uses absolute paths on the author's M: drive, so a DEBUG32 build
; only assembles on a machine with that layout.
; NOTE(review): DEBUGEXE names an executable by fixed path - presumably the viewer the
; debug library starts; keep DEBUG32 undefined for release builds so a shipped plugin
; does not depend on a binary at that location.
IFDEF DEBUG32
PRESERVEXMMREGS equ 1
includelib M:\Masm32\lib\Debug32.lib
DBG32LIB equ 1
DEBUGEXE textequ <'M:\Masm32\DbgWin.exe'>
include M:\Masm32\include\debug32.inc
ENDIF
;**************************************************************************
; MOD Macro
;
; _mod(val1, val2) - unsigned remainder of val1 / val2.
;
; In:    val1 = dividend, val2 = divisor (each loaded with a 32-bit mov)
; Out:   the macro evaluates to <edx>, so it can be used inside an .IF expression
; Clobb: eax (quotient), edx (remainder), flags. ecx is saved and restored.
; Notes: val1 is loaded into eax before val2 is read, so val2 must not be eax.
;        val2 == 0 raises a divide error; the macro has no guard for it.
;**************************************************************************
_mod MACRO val1:REQ, val2:REQ
push ecx
mov eax,val1
mov ecx,val2
; div uses edx:eax as the dividend, so the high half is cleared first
xor edx,edx
div ecx
pop ecx
exitm <edx>
endm
Include x64dbgpluginsdk.inc ; Main x64dbg Plugin SDK for your program, and prototypes for the main exports
Include APIInfo.inc ; plugin's include file
pluginit PROTO C :DWORD ; Required prototype and export for x64dbg plugin SDK
plugstop PROTO C ; Required prototype and export for x64dbg plugin SDK
plugsetup PROTO C :DWORD ; Required prototype and export for x64dbg plugin SDK
;=====================================================================================
.CONST
; Version number written to PLUG_INITSTRUCT.pluginVersion in pluginit
PLUGIN_VERSION EQU 1
.DATA
; Zero-terminated name copied to PLUG_INITSTRUCT.pluginName in pluginit
PLUGIN_NAME DB "APIInfo",0
.DATA?
;-------------------------------------------------------------------------------------
; GLOBAL Plugin SDK variables
;
; pluginHandle is filled in by pluginit; the window and menu handles are filled in
; by plugsetup. All are exported with PUBLIC so other modules can reference them.
;-------------------------------------------------------------------------------------
PUBLIC pluginHandle
PUBLIC hwndDlg
PUBLIC hMenu
PUBLIC hMenuDisasm
PUBLIC hMenuDump
PUBLIC hMenuStack
pluginHandle DD ?
hwndDlg DD ?
hMenu DD ?
hMenuDisasm DD ?
hMenuDump DD ?
hMenuStack DD ?
;-------------------------------------------------------------------------------------
.CODE
;=====================================================================================
; DllEntry - main entry function for a DLL file - required.
;
; Arguments: hInst    - module handle of this DLL
;            reason   - notification code from the loader
;            reserved - not used
; Returns:   eax = TRUE for every notification
;
; Notes: on DLL_PROCESS_ATTACH the module handle is cached in hInstance for the
;        resource and module-path calls made later by the plugin.
;-------------------------------------------------------------------------------------
DllEntry PROC hInst:HINSTANCE, reason:DWORD, reserved:DWORD
    cmp     reason, DLL_PROCESS_ATTACH
    jne     EntryDone                       ; nothing to do for the other notifications
    mov     eax, hInst
    mov     hInstance, eax
EntryDone:
    mov     eax, TRUE
    ret
DllEntry Endp
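;=====================================================================================
; pluginit - Called by debugger when plugin.dp32 is loaded - needs to be EXPORTED
;
; Arguments: initStruct - a pointer to a PLUG_INITSTRUCT structure
; Returns:   eax = TRUE
;
; Notes: you must fill in the pluginVersion, sdkVersion and pluginName members.
;        The pluginHandle is obtained from the same structure - it may be needed in
;        other function calls.
;
;        you can call your own setup routine from within this function to setup
;        menus and commands, and pass the initStruct parameter to this function.
;
;        The .ini path is derived from this module's own file name. If that name
;        cannot be read, was truncated, or is too short to carry a 4-character
;        extension, APIInfoIni is left as an empty string instead of being edited
;        at an address outside the buffer.
;-------------------------------------------------------------------------------------
pluginit PROC C PUBLIC USES EBX initStruct:DWORD
    mov     ebx, initStruct

    ; Fill in required information of initStruct, which is a pointer to a PLUG_INITSTRUCT structure
    mov     eax, PLUGIN_VERSION
    mov     [ebx].PLUG_INITSTRUCT.pluginVersion, eax
    mov     eax, PLUG_SDKVERSION
    mov     [ebx].PLUG_INITSTRUCT.sdkVersion, eax
    Invoke  lstrcpy, Addr [ebx].PLUG_INITSTRUCT.pluginName, Addr PLUGIN_NAME
    mov     ebx, initStruct
    mov     eax, [ebx].PLUG_INITSTRUCT.pluginHandle
    mov     pluginHandle, eax

    ; Do any other initialization here

    ; Construct plugin's .ini file from module filename.
    ; GetModuleFileName returns the number of characters copied: 0 on failure, and the
    ; buffer size when the path did not fit. Only a complete path longer than the
    ; extension is edited; anything else would place ebx before or beyond the buffer.
    Invoke  GetModuleFileName, hInstance, Addr APIInfoIni, SIZEOF APIInfoIni
    .IF eax > 4 && eax < SIZEOF APIInfoIni
        lea     ebx, APIInfoIni
        add     ebx, eax
        sub     ebx, 4                      ; move back past 'dp32' extension
        mov     byte ptr [ebx], 0           ; null so we can use lstrcat
        Invoke  lstrcat, ebx, Addr szIni    ; add 'ini' to end of string instead
    .ELSE
        mov     byte ptr APIInfoIni, 0      ; no usable path: settings fall back to defaults
    .ENDIF

    ; The .api definition files are looked up in the process's current directory.
    ; NOTE(review): the return value of GetCurrentDirectory is not checked; on failure
    ; or when the path needs more than MAX_PATH characters the buffer contents are not
    ; defined and the lstrcat calls below append to them. The sizes of
    ; szCurrentDirectory and szFindApiFiles are declared outside this file section -
    ; confirm they leave room for the appended backslash and search pattern.
    ; NOTE(review): the current directory is chosen by whoever launched the debugger,
    ; not by the plugin's install location - confirm this is the intended place to
    ; read .api files from.
    Invoke  GetCurrentDirectory, MAX_PATH, Addr szCurrentDirectory
    Invoke  lstrcat, Addr szCurrentDirectory, Addr szBackslash
    Invoke  lstrcpy, Addr szFindApiFiles, Addr szCurrentDirectory
    Invoke  lstrcat, Addr szFindApiFiles, Addr szStarApi

    Invoke  LoadIcon, hInstance, ICO_APIINFO
    mov     hIcoAPIInfo, eax

    mov     eax, TRUE
    ret
pluginit endp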
;=====================================================================================
; plugstop - Called by debugger when the plugin.dp32 is unloaded - needs to be EXPORTED
;
; Arguments: none
; Returns:   eax = TRUE
;
; Notes: perform cleanup operations here, clearing menus and other housekeeping.
;        Only hMenu is cleared below, although plugsetup also adds entries to
;        hMenuDisasm.
;        NOTE(review): confirm whether the debugger removes the hMenuDisasm entries
;        itself on unload or whether a second _plugin_menuclear call is needed.
;
;-------------------------------------------------------------------------------------
plugstop PROC C PUBLIC
; remove any menus, unregister any callbacks etc
Invoke _plugin_menuclear, hMenu
Invoke GuiAddLogMessage, Addr szPluginUnloaded
mov eax, TRUE
ret
plugstop endp
;=====================================================================================
; plugsetup - Called by debugger to initialize your plugins setup - needs to be EXPORTED
;
; Arguments: setupStruct - a pointer to a PLUG_SETUPSTRUCT structure
; Returns:   eax = TRUE
;
; Notes: setupStruct contains useful handles for use within x64_dbg, mainly Qt
;        menu handles (which are not supported with win32 api) and the main window
;        handle. With this information you can add your own menus and menu items
;        to an existing menu, or one of the predefined supported right click
;        context menus: hMenuDisasm, hMenuDump & hMenuStack
;
;        plugsetup is called after pluginit.
;-------------------------------------------------------------------------------------
plugsetup PROC C PUBLIC USES EBX setupStruct:DWORD
; hIconData is one stack buffer reused for each of the three icons loaded below.
; NOTE(review): its address is passed to the SDK icon calls; this assumes they copy
; the icon data during the call, because the buffer is gone once plugsetup returns -
; TODO confirm against the SDK.
LOCAL hIconData:ICONDATA
mov ebx, setupStruct
; Extract handles from setupStruct which is a pointer to a PLUG_SETUPSTRUCT structure
mov eax, [ebx].PLUG_SETUPSTRUCT.hwndDlg
mov hwndDlg, eax
mov eax, [ebx].PLUG_SETUPSTRUCT.hMenu
mov hMenu, eax
;PrintText 'APIInfo'
;PrintDec hMenu
mov eax, [ebx].PLUG_SETUPSTRUCT.hMenuDisasm
mov hMenuDisasm, eax
mov eax, [ebx].PLUG_SETUPSTRUCT.hMenuDump
mov hMenuDump, eax
mov eax, [ebx].PLUG_SETUPSTRUCT.hMenuStack
mov hMenuStack, eax
; Do any setup here: add menus, menu items, callback and commands etc
; The same two entries (generate API info, options) are added to the plugin menu and
; to the disassembly context menu, each with its own menu id.
Invoke _plugin_menuaddentry, hMenu, MENU_APIINFOGENAPI1, Addr szMenuAPIInfo
Invoke _plugin_menuaddentry, hMenu, MENU_APIINFOOPTIONS1, Addr szMenuAPIOptions
Invoke _plugin_menuaddentry, hMenuDisasm, MENU_APIINFOGENAPI2, Addr szMenuAPIInfo
Invoke _plugin_menuaddentry, hMenuDisasm, MENU_APIINFOOPTIONS2, Addr szMenuAPIOptions
; Icons are optional: each one is applied only when APIInfoLoadMenuIcon returns TRUE.
Invoke APIInfoLoadMenuIcon, IMG_APIINFO, Addr hIconData
.IF eax == TRUE
Invoke _plugin_menuseticon, hMenu, Addr hIconData
Invoke _plugin_menuseticon, hMenuDisasm, Addr hIconData
.ENDIF
Invoke APIInfoLoadMenuIcon, IMG_APIINFOOPTIONS, Addr hIconData
.IF eax == TRUE
Invoke _plugin_menuentryseticon, pluginHandle, MENU_APIINFOOPTIONS1, Addr hIconData
Invoke _plugin_menuentryseticon, pluginHandle, MENU_APIINFOOPTIONS2, Addr hIconData
.ENDIF
Invoke APIInfoLoadMenuIcon, IMG_APIINFOGENAPI, Addr hIconData
.IF eax == TRUE
Invoke _plugin_menuentryseticon, pluginHandle, MENU_APIINFOGENAPI1, Addr hIconData
Invoke _plugin_menuentryseticon, pluginHandle, MENU_APIINFOGENAPI2, Addr hIconData
.ENDIF
Invoke GuiAddLogMessage, Addr szAPIInfoInfo
; hwndDlg was set from setupStruct above; it is replaced here by the handle that
; GuiGetWindowHandle returns.
Invoke GuiGetWindowHandle
mov hwndDlg, eax
; Read the saved options so GenAPIInfo has them before the options dialog is opened
Invoke APIInfoLoadIniSettings
mov eax, TRUE
ret
plugsetup endp
;=====================================================================================
; CBMENUENTRY - Called by debugger when a menu item is clicked - needs to be EXPORTED
;
; Arguments: cbType
;            cbInfo - a pointer to a PLUG_CB_MENUENTRY structure. The hEntry member
;                     holds the id of the menu item that was clicked
; Returns:   eax = TRUE
;
; Notes: hEntry selects the action. Either "generate API info" id runs GenAPIInfo,
;        but only while a target is being debugged; otherwise a message is written
;        to the status bar and the log. Either "options" id opens the modal options
;        dialog. Any other id is ignored.
;        Needs to be PROC C type procedure call to be compatible with debugger
;-------------------------------------------------------------------------------------
CBMENUENTRY PROC C PUBLIC USES EBX cbType:DWORD, cbInfo:DWORD
    mov     ebx, cbInfo
    mov     eax, [ebx].PLUG_CB_MENUENTRY.hEntry

    cmp     eax, MENU_APIINFOGENAPI1
    je      MenuGenApi
    cmp     eax, MENU_APIINFOGENAPI2
    je      MenuGenApi
    cmp     eax, MENU_APIINFOOPTIONS1
    je      MenuOptions
    cmp     eax, MENU_APIINFOOPTIONS2
    jne     MenuDone                        ; not one of this plugin's entries

MenuOptions:
    Invoke  DialogBoxParam, hInstance, IDD_APIInfoOptionsDlg, hwndDlg, OFFSET APIInfoOptionsDlgProc, NULL
    jmp     MenuDone

MenuGenApi:
    Invoke  DbgIsDebugging
    cmp     eax, FALSE
    jne     MenuRunGenApi
    ; no debuggee loaded: report it in both places the user may be looking
    Invoke  GuiAddStatusBarMessage, Addr szDebuggingRequired
    Invoke  GuiAddLogMessage, Addr szDebuggingRequired
    jmp     MenuDone

MenuRunGenApi:
    Invoke  GenAPIInfo

MenuDone:
    mov     eax, TRUE
    ret
CBMENUENTRY endp
;=====================================================================================
; Plugin Dialog Procedure
;
; APIInfoOptionsDlgProc - dialog procedure for the options dialog opened from
; CBMENUENTRY.
;
; Arguments: hWin, iMsg, wParam, lParam - standard dialog procedure arguments
; Returns:   eax = TRUE when the message was handled, FALSE for any message other
;            than WM_INITDIALOG, WM_CLOSE, WM_COMMAND and WM_NOTIFY
;
; Notes: settings are written back only when Ok is pressed and gOptionsChanged is
;        TRUE. InitDlg is 0 while the dialog is being filled and 1 afterwards, so
;        list-view state changes made during start-up are not counted as edits.
;-------------------------------------------------------------------------------------
APIInfoOptionsDlgProc PROC USES EBX ECX hWin:HWND,iMsg:DWORD,wParam:WPARAM, lParam:LPARAM
LOCAL nItem:DWORD
mov eax, iMsg
.IF eax == WM_INITDIALOG
; Any initialization here
Invoke SendMessage, hWin, WM_SETICON, ICON_SMALL, hIcoAPIInfo
mov InitDlg, 0
mov gOptionsChanged, FALSE
Invoke GetDlgItem, hWin, IDC_LV_APIFILES
mov hLVApiFiles, eax
Invoke InitLVApiFiles, hLVApiFiles
Invoke LoadLVApiFiles, hLVApiFiles
Invoke APIInfoLoadIniSettings
; Select the radio button that matches the saved display option (0..5)
.IF gIniDisplayOptions == 0
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayNothing, BM_SETCHECK, BST_CHECKED, 0
.ELSEIF gIniDisplayOptions == 1
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayModuleOnly, BM_SETCHECK, BST_CHECKED, 0
.ELSEIF gIniDisplayOptions == 2
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayFunctionOnly, BM_SETCHECK, BST_CHECKED, 0
.ELSEIF gIniDisplayOptions == 3
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayModuleAndFunction, BM_SETCHECK, BST_CHECKED, 0
.ELSEIF gIniDisplayOptions == 4
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayFunctionDef, BM_SETCHECK, BST_CHECKED, 0
.ELSEIF gIniDisplayOptions == 5
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayFunctionDefParams, BM_SETCHECK, BST_CHECKED, 0
.ENDIF
; A value outside 0..5 leaves every radio button unchecked
.IF gIniAutoLoadAtEntry == 0
Invoke SendDlgItemMessage, hWin, IDC_ChkAutoLoad, BM_SETCHECK, BST_UNCHECKED, 0
.ELSE
Invoke SendDlgItemMessage, hWin, IDC_ChkAutoLoad, BM_SETCHECK, BST_CHECKED, 0
.ENDIF
.IF gIniPreserveExistingComments == 0
Invoke SendDlgItemMessage, hWin, IDC_ChkPreserveExistingComments, BM_SETCHECK, BST_UNCHECKED, 0
.ELSE
Invoke SendDlgItemMessage, hWin, IDC_ChkPreserveExistingComments, BM_SETCHECK, BST_CHECKED, 0
.ENDIF
; From here on, list-view state changes count as user edits
mov InitDlg, 1
.ELSEIF eax == WM_CLOSE
Invoke EndDialog, hWin, NULL
.ELSEIF eax == WM_COMMAND
; low word of wParam = id of the control that sent the command
mov eax, wParam
and eax, 0FFFFh
.IF eax == IDC_BtnAPIInfoOptionsOk
.IF gOptionsChanged == TRUE
; Read each control back into its gNew* variable, then into the live setting
Invoke SendDlgItemMessage, hWin, IDC_ChkAutoLoad, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniAutoLoadAtEntry, 1
.ELSE
mov gNewIniAutoLoadAtEntry, 0
.ENDIF
mov eax, gNewIniAutoLoadAtEntry
mov gIniAutoLoadAtEntry, eax
Invoke SendDlgItemMessage, hWin, IDC_ChkPreserveExistingComments, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniPreserveExistingComments, 1
.ELSE
mov gNewIniPreserveExistingComments, 0
.ENDIF
mov eax, gNewIniPreserveExistingComments
mov gIniPreserveExistingComments, eax
; Each radio button is queried in turn; if none is checked, gNewIniDisplayOptions
; keeps whatever value it already held.
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayNothing, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniDisplayOptions, 0
.ENDIF
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayModuleOnly, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniDisplayOptions, 1
.ENDIF
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayFunctionOnly, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniDisplayOptions, 2
.ENDIF
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayModuleAndFunction, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniDisplayOptions, 3
.ENDIF
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayFunctionDef, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniDisplayOptions, 4
.ENDIF
Invoke SendDlgItemMessage, hWin, IDC_RbDisplayFunctionDefParams, BM_GETCHECK, 0, 0
.IF eax == BST_CHECKED
mov gNewIniDisplayOptions, 5
.ENDIF
mov eax, gNewIniDisplayOptions
mov gIniDisplayOptions, eax
;PrintDec gNewIniDisplayOptions
;PrintDec gNewIniAutoLoadAtEntry
;PrintDec gIniDisplayOptions
;PrintDec gIniAutoLoadAtEntry
;PrintDec gIniPreserveExistingComments
Invoke APIInfoSaveIniSettings
.ENDIF
Invoke SendMessage, hWin, WM_CLOSE, NULL, NULL
.ELSEIF eax == IDC_BtnAPIInfoOptionsCancel
Invoke SendMessage, hWin, WM_CLOSE, NULL, NULL
; Every option control only marks the dialog as changed; the values themselves are
; read when Ok is pressed.
.ELSEIF eax == IDC_RbDisplayNothing
mov gOptionsChanged, TRUE
;mov gNewIniDisplayOptions, 0
.ELSEIF eax == IDC_RbDisplayModuleOnly
mov gOptionsChanged, TRUE
;mov gNewIniDisplayOptions, 1
.ELSEIF eax == IDC_RbDisplayFunctionOnly
mov gOptionsChanged, TRUE
;mov gNewIniDisplayOptions, 2
.ELSEIF eax == IDC_RbDisplayModuleAndFunction
mov gOptionsChanged, TRUE
;mov gNewIniDisplayOptions, 3
.ELSEIF eax == IDC_RbDisplayFunctionDef
mov gOptionsChanged, TRUE
;mov gNewIniDisplayOptions, 4
.ELSEIF eax == IDC_RbDisplayFunctionDefParams
mov gOptionsChanged, TRUE
;mov gNewIniDisplayOptions, 5
.ELSEIF eax == IDC_ChkAutoLoad
mov gOptionsChanged, TRUE
;Invoke SendDlgItemMessage, hWin, IDC_ChkAutoLoad, BM_GETCHECK, 0, 0
;.IF eax == BST_CHECKED
; mov gNewIniAutoLoadAtEntry, 1
;.ELSE
; mov gNewIniAutoLoadAtEntry, 0
;.ENDIF
.ELSEIF eax == IDC_ChkPreserveExistingComments
mov gOptionsChanged, TRUE
;Invoke SendDlgItemMessage, hWin, IDC_ChkPreserveExistingComments, BM_GETCHECK, 0, 0
;.IF eax == BST_CHECKED
; mov gNewIniPreserveExistingComments, 1
;.ELSE
; mov gNewIniPreserveExistingComments, 0
;.ENDIF
.ENDIF
.ELSEIF eax==WM_NOTIFY
; lParam points at an NMHDR: eax = notification code, ebx = sending window.
; Only notifications from the .api file list view are acted on.
mov ecx, lParam
mov eax, ( [ecx].NMHDR.code)
mov ebx, ( [ecx].NMHDR.hwndFrom)
.IF ebx == hLVApiFiles
.IF eax == NM_DBLCLK
mov gOptionsChanged, TRUE
.ELSEIF eax == NM_CLICK
mov gOptionsChanged, TRUE
.ELSEIF eax == NM_CUSTOMDRAW
; Custom draw: ask for per-item and then per-subitem notifications, and colour the
; background of alternate rows. The reply is stored in DWL_MSGRESULT and the
; procedure returns TRUE, which is how a dialog procedure hands back a result.
mov ecx, lParam
mov eax, (NMLVCUSTOMDRAW ptr[ecx]).nmcd.dwDrawStage
.IF eax == CDDS_PREPAINT
mov eax, CDRF_NOTIFYITEMDRAW
invoke SetWindowLong,hWin,DWL_MSGRESULT,eax
mov eax, TRUE
ret
.ELSEIF eax == CDDS_ITEMPREPAINT
mov eax, CDRF_NOTIFYSUBITEMDRAW
invoke SetWindowLong,hWin,DWL_MSGRESULT,eax
mov eax, TRUE
ret
.ELSEIF eax == CDDS_ITEMPREPAINT or CDDS_SUBITEM
mov ecx, lParam
;mov eax, (NMLVCUSTOMDRAW ptr[ecx]).iSubItem
;mov nSubItem, eax
mov eax, (NMLVCUSTOMDRAW ptr[ecx]).nmcd.dwItemSpec ; item
mov nItem, eax
; _mod clobbers eax and edx but preserves ecx, so ecx still points at the
; NMLVCUSTOMDRAW structure inside the branches below.
.IF _mod(nItem,2) == 1 ; Calc mod of item to see if the background should be applied
mov (NMLVCUSTOMDRAW ptr[ecx]).clrTextBk, 00FFF3F2h ; odd rows: light blue text background
mov (NMLVCUSTOMDRAW ptr[ecx]).clrText,00000000h ; text color = black
.ELSE
mov (NMLVCUSTOMDRAW ptr[ecx]).clrTextBk,0FFFFFFh ;Background text = white
mov (NMLVCUSTOMDRAW ptr[ecx]).clrText,00h ; text color = black
.ENDIF
mov eax, CDRF_NOTIFYSUBITEMDRAW ;CDRF_DODEFAULT
invoke SetWindowLong,hWin,DWL_MSGRESULT,eax
mov eax, TRUE
ret
.ELSE
mov eax, CDRF_DODEFAULT
invoke SetWindowLong,hWin,DWL_MSGRESULT,eax
mov eax, TRUE
ret
.ENDIF
.ELSEIF eax == LVN_ITEMCHANGED ; maybe create a ListViewCompareStates
.IF InitDlg == 1
mov ecx, lParam
mov eax, (NM_LISTVIEW Ptr [ecx]).uChanged
.IF eax == LVIF_STATE
mov eax, (NM_LISTVIEW Ptr [ecx]).uNewState
mov ebx, (NM_LISTVIEW Ptr [ecx]).uOldState
; 8192 = 2 shl 12 and 4096 = 1 shl 12: the two state values LoadLVApiFiles assigns
; for a checked and an unchecked row. Only a flip between them counts as an edit.
.IF (eax == 8192d && ebx == 4096d) || (eax == 4096d && ebx == 8192d)
;PrintText 'Changes'
mov gOptionsChanged, TRUE
.ENDIF
.ENDIF
.ENDIF
.ENDIF
.ENDIF
.ELSE
; not handled here: let the dialog manager do its default processing
mov eax, FALSE
ret
.ENDIF
mov eax, TRUE
ret
APIInfoOptionsDlgProc endp
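;=====================================================================================
; Init Listview
;
; InitLVApiFiles - set the extended styles of the .api file list view and add its
; single column.
;
; Arguments: hListview - handle of the list view control
; Returns:   eax = result of the last SendMessage call (LVM_SETCOLUMNWIDTH)
; Clobbers:  eax, ecx, edx only. The column text pointer is built in eax so that the
;            callee-saved ebx is left untouched, as stdcall requires of a procedure
;            that does not list it in USES.
;-------------------------------------------------------------------------------------
InitLVApiFiles PROC hListview:DWORD
    LOCAL LVC:LV_COLUMN

    ; the same value is passed as mask (wParam) and as style (lParam): set all four
    mov     eax, LVS_EX_CHECKBOXES + LVS_EX_FULLROWSELECT + LVS_EX_GRIDLINES + LVS_EX_DOUBLEBUFFER
    Invoke  SendMessage, hListview, LVM_SETEXTENDEDLISTVIEWSTYLE, eax, eax

    ; only fmt and pszText are marked valid in imask; the rest of LVC is not read
    mov     LVC.imask, LVCF_FMT or LVCF_TEXT ;or LVCF_WIDTH ;or LVCFMT_COL_HAS_IMAGES
    mov     LVC.fmt, LVCFMT_LEFT             ; defaults to LVCFMT_LEFT
    lea     eax, szLVApiFilesColumnText
    mov     LVC.pszText, eax
    ;mov LVC.lx, 150d
    Invoke  SendMessage, hListview, LVM_INSERTCOLUMN, 0, Addr LVC
    Invoke  SendMessage, hListview, LVM_SETCOLUMNWIDTH, 0, LVSCW_AUTOSIZE_USEHEADER
    ret
InitLVApiFiles endp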
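;=====================================================================================
; Load listview with api files
;
; LoadLVApiFiles - add one row per file matching szFindApiFiles and tick the rows
; according to the plugin's .ini file.
;
; Arguments: hListview - handle of the list view control
; Returns:   eax = FALSE if no matching file was found, TRUE once the search has
;            been walked to its end (the caller in this file ignores the value)
;
; Notes: - the entry returned by FindFirstFile is listed as well; the loop body runs
;          before FindNextFile is called, so the first match is not skipped
;        - the search handle is closed with FindClose before returning
;        - the check state is written to LVItem.state before the row is inserted,
;          so the structure passed to LVM_INSERTITEM holds no uninitialised state
;        - the state is applied to the index LVM_INSERTITEM returns, and a failed
;          insert is skipped instead of changing the state of another row
;        - each file name is used as a key in the szAPIFilesToExclude section of
;          APIInfoIni; a key that is missing defaults to 1 (row ticked)
;-------------------------------------------------------------------------------------
LoadLVApiFiles PROC USES EBX hListview:DWORD
    LOCAL LVItem:LV_ITEM
    LOCAL nItemIndex:DWORD
    LOCAL wfd:WIN32_FIND_DATA
    LOCAL hFind:DWORD

    mov     nItemIndex, 0
    mov     LVItem.imask, LVIF_TEXT + LVIF_STATE
    mov     LVItem.iSubItem, 0
    mov     LVItem.stateMask, LVIS_STATEIMAGEMASK

    Invoke  FindFirstFile, Addr szFindApiFiles, Addr wfd
    .IF eax == INVALID_HANDLE_VALUE
        mov     eax, FALSE
        ret
    .ENDIF
    mov     hFind, eax

    .REPEAT
        ; ebx = file name of the current match; it survives the API calls below
        lea     ebx, wfd.cFileName
        Invoke  GetPrivateProfileInt, Addr szAPIFilesToExclude, ebx, 1, Addr APIInfoIni
        .IF eax == 1
            mov     eax, 2                  ; set check
        .ELSE
            mov     eax, 1                  ; set uncheck
        .ENDIF
        shl     eax, 12                     ; move the value into the state-image bits
        mov     LVItem.state, eax

        mov     eax, nItemIndex
        mov     LVItem.iItem, eax
        mov     LVItem.pszText, ebx
        Invoke  SendMessage, hListview, LVM_INSERTITEM, 0, Addr LVItem
        .IF eax != -1
            ; ecx carries the new row index: Invoke uses eax to build Addr LVItem
            mov     ecx, eax
            Invoke  SendMessage, hListview, LVM_SETITEMSTATE, ecx, Addr LVItem
            inc     nItemIndex
        .ENDIF

        Invoke  FindNextFile, hFind, Addr wfd
    .UNTIL eax == 0

    Invoke  FindClose, hFind
    mov     eax, TRUE
    ret
LoadLVApiFiles endp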
;=====================================================================================
; GenAPIInfo Procedure
;
; Walks the disassembly from the entry point to the exit point reported by
; DbgGetEntryExitPoints and writes a comment on every call instruction, in the form
; selected by gIniDisplayOptions:
;   0 = nothing (returns at once)     1 = module name
;   2 = function name                 3 = module:function
;   4 = definition from the .api file 5 = definition plus one comment per parameter
;
; For option 5 the addresses of push instructions seen since the last call are kept
; in the IS array (ISCOUNT entries, capped at INSTRUCTIONSTACK_MAXSIZE) so that the
; parameter comments can be placed on them.
;
; Arguments: none
; Returns:   eax = FALSE when the display option is 0. On the other paths eax is not
;            set explicitly and holds whatever the last API call returned.
;
; NOTE(review): the module, function and label text handled here comes from the
; program being debugged. It is combined with lstrcpy/lstrcat into szAPIComment and
; received into szDisasmText, szAPIFunction and szAPIModuleName, all declared outside
; this file section - confirm each buffer is large enough for the longest text the
; SDK can return.
;-------------------------------------------------------------------------------------
GenAPIInfo PROC USES EBX ECX
LOCAL CurrentAddress:DWORD
LOCAL CallDestination:DWORD
LOCAL JmpDestination:DWORD
LOCAL bii:BASIC_INSTRUCTION_INFO ; basic
LOCAL cbii:BASIC_INSTRUCTION_INFO ; call destination
LOCAL dwEntry:DWORD
LOCAL dwExit:DWORD
LOCAL iscounter:DWORD
LOCAL ParamCount:DWORD
LOCAL CurrentParam:DWORD
LOCAL CurrentISIndex:DWORD
LOCAL ParamAddress:DWORD
Invoke DbgIsDebugging
.IF eax == FALSE
Invoke GuiAddLogMessage, Addr szDebuggingRequired
ret
.ENDIF
.IF gIniDisplayOptions == 0
Invoke GuiAddStatusBarMessage, Addr szSetToDisplayNothing
mov eax, FALSE
ret
.ENDIF
Invoke GuiAddStatusBarMessage, Addr szStartAddAPIInfo
Invoke DbgGetEntryExitPoints, Addr dwEntry, Addr dwExit
; Only auto comments are cleared here, while SetAutoCommentIfCommentIsEmpty writes
; its text with DbgSetCommentAt.
Invoke DbgClearAutoCommentRange, dwEntry, dwExit
;Invoke DbgClearCommentRange, dwEntry, dwExit
Invoke GuiUpdateDisassemblyView
mov eax, dwEntry
mov CurrentAddress, eax
mov ISCOUNT, 0
mov iscounter, 0
; Main scan: eax holds CurrentAddress at the top of every iteration
.WHILE eax < dwExit ;ExitPoint
Invoke DbgDisasmFastAt, CurrentAddress, Addr bii
movzx eax, byte ptr bii.call_
movzx ebx, byte ptr bii.branch
.IF eax == 1 && ebx == 1 ; we have call statement
Invoke GuiGetDisassembly, CurrentAddress, Addr szDisasmText
Invoke Strip_x64dbg_calls, Addr szDisasmText, Addr szAPIFunction ; Addr szDisasmText
.IF eax == TRUE
.IF gIniDisplayOptions == 2 ; just function name
;Invoke DbgSetAutoCommentAt, CurrentAddress, Addr szAPIFunction
Invoke SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szAPIFunction
.ELSE
; Disassemble the call target: if it is itself a branch, the module name is looked
; up from the address that branch leads to.
mov eax, bii.address
mov CallDestination, eax
Invoke DbgDisasmFastAt, CallDestination, Addr cbii
movzx eax, byte ptr cbii.branch
.IF eax == 1 ; jmp
Invoke DbgGetBranchDestination, CallDestination
mov JmpDestination, eax
.IF gIniDisplayOptions == 1
_DbgFunctions ModNameFromAddr, JmpDestination, ADDR szAPIModuleName, TRUE ; show .dll
.ELSE
_DbgFunctions ModNameFromAddr, JmpDestination, ADDR szAPIModuleName, FALSE; for other options we just need the module name without the .dll ext
.ENDIF
;PrintString szAPIModuleName
;PrintString szAPIFunction
.IF gIniDisplayOptions == 1 ; just module name
;Invoke DbgSetAutoCommentAt, CurrentAddress, Addr szAPIModuleName
Invoke SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szAPIModuleName
.ELSEIF gIniDisplayOptions == 3 ; module:function
Invoke lstrcpy, Addr szAPIComment, Addr szAPIModuleName
invoke lstrcat, Addr szAPIComment, Addr szColon
invoke lstrcat, Addr szAPIComment, Addr szAPIFunction
;Invoke DbgSetAutoCommentAt, CurrentAddress, Addr szAPIComment
Invoke SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szAPIComment
.ELSE
; Options 4 and 5: use the definition from the .api file, or fall back to
; module:function when the file has no entry.
Invoke SearchApiFileForDefinition, Addr szAPIModuleName, Addr szAPIFunction, Addr szAPIDefinition
.IF eax == FALSE
Invoke lstrcpy, Addr szAPIComment, Addr szAPIModuleName
invoke lstrcat, Addr szAPIComment, Addr szColon
invoke lstrcat, Addr szAPIComment, Addr szAPIFunction
;Invoke DbgSetAutoCommentAt, CurrentAddress, Addr szAPIComment
Invoke SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szAPIComment
.ELSE
;Invoke DbgSetAutoCommentAt, CurrentAddress, Addr szAPIDefinition
Invoke SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szAPIDefinition
.ENDIF
.IF gIniDisplayOptions == 5 ; do parameters as well as definition
Invoke GetFunctionParamCount, Addr szAPIModuleName, Addr szAPIFunction
mov ParamCount, eax
.IF eax != -1 && eax != 0 ; make sure we are only checked for functions that are succesfully found in api file and have 1 or more parameters
.IF eax <= ISCOUNT ; make sure we have enough in our stack to check for parameters
;PrintString szAPIFunction
;PrintDec ParamCount
;PrintDec CurrentAddress
;PrintDec ISCOUNT
; Walk the recorded pushes from the most recent one backwards; the push nearest the
; call is treated as parameter 1. The loop runs over all ISCOUNT entries, not only
; ParamCount of them, and relies on GetFunctionParam returning something other than
; TRUE for parameter numbers it cannot resolve.
mov eax, ISCOUNT
mov CurrentISIndex, eax
mov CurrentParam, 1
.WHILE eax != 0
;PrintDec CurrentParam
mov ecx, CurrentISIndex
dec ecx ; for 0 based index
lea ebx, IS
mov eax, [ebx+ecx*4] ; eax contains address of last param to get
mov ParamAddress, eax
Invoke GetFunctionParam, Addr szAPIModuleName, Addr szAPIFunction, CurrentParam, Addr szAPIFunctionParameter
.IF eax == TRUE
Invoke SetAutoCommentIfCommentIsEmpty, ParamAddress, Addr szAPIFunctionParameter
.ENDIF
inc CurrentParam
dec CurrentISIndex
mov eax, CurrentISIndex
.ENDW
.ENDIF
.ENDIF
mov ISCOUNT, 0 ; reset instruction stack
.ENDIF
.ENDIF
.ELSE ; internal function call
; Call target is not a branch: comment the call with szDashSpace followed by the
; label the debugger returns for this address.
Invoke lstrcpy, Addr szAPIComment, Addr szDashSpace
Invoke DbgGetLabelAt, CurrentAddress, SEG_DEFAULT, Addr szAPIFunction
Invoke lstrcat, Addr szAPIComment, Addr szAPIFunction
;Invoke DbgSetAutoCommentAt, CurrentAddress, Addr szAPIComment
Invoke SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szAPIComment
mov ISCOUNT, 0 ; reset instruction stack
;PrintText '-----------------------------------'
;PrintString szAPIFunction
;Invoke InternalTest, CurrentAddress, Addr szAPIFunction
.ENDIF
.ENDIF
.ENDIF
.ELSE
.IF gIniDisplayOptions == 5
movzx eax, byte ptr bii.branch
.IF eax != 1 ; jmp instruction
; Match the instruction text as raw dwords. A four-character literal compares
; against the characters in reverse order, so "hsup" is the text "push" at offset 0,
; " hsu" is "ush " at offset 1 and "pbe " is " ebp" at offset 4: the test accepts
; "push <operand>" and rejects "push ebp".
lea ebx, bii.instruction
mov eax, [ebx]
mov ecx, [ebx+4]
mov ebx, [ebx+1]
.IF eax == "hsup" && ebx == " hsu" && ecx != "pbe " ; save to our instruction stack - only push instruction
mov eax, ISCOUNT
; bounds check: never write past the end of the IS array
.IF eax < INSTRUCTIONSTACK_MAXSIZE
lea ebx, IS
mov eax, CurrentAddress
mov ecx, ISCOUNT
mov [ebx+ecx*4] , eax
inc ISCOUNT
;PrintDec CurrentAddress
;lea ebx, bii.instruction
;mov DbgVar, ebx
;PrintStringByAddr DbgVar
.ELSE
IFDEF DEBUG32
PrintText 'Stack too full!'
PrintDec ISCOUNT
PrintDec CurrentAddress
ENDIF
.ENDIF
; eax still holds the first four characters of the instruction text here
.ELSEIF eax == " ter" ;|| eax == " ter"
mov ISCOUNT, 0 ; reset stack
.ENDIF
.ENDIF
.ENDIF
;Invoke SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szSpace ;DbgClearAutoCommentRange, CurrentAddress, CurrentAddress ; SetAutoCommentIfCommentIsEmpty, CurrentAddress, Addr szNull
.ENDIF
; Advance to the next instruction.
; NOTE(review): the return value of DbgDisasmFastAt is not checked and bii is an
; uninitialised local. If a failed disassembly can leave bii.size_ at 0 the loop
; never advances - confirm the SDK always reports a non-zero size.
mov eax, bii.size_
add CurrentAddress, eax
mov eax, CurrentAddress
.ENDW
Invoke GuiAddStatusBarMessage, Addr szFinishAddAPIInfo
Invoke GuiUpdateDisassemblyView
ret
GenAPIInfo endp
;=====================================================================================
; Set a comment only if a comment isn't already set
;
; Arguments: CommentAddress - address in the debuggee to comment
;            CommentString  - pointer to the zero-terminated comment text
; Returns:   eax = FALSE when an existing, non-empty comment was kept,
;            eax = TRUE after DbgSetCommentAt has been called
;
; Notes: the existing comment is only looked at when gIniPreserveExistingComments
;        is 1; otherwise the new text always replaces it.
;        NOTE(review): the check compares the whole of eax with TRUE. If the SDK
;        declares DbgGetCommentAt as returning a C bool, only AL may be defined on
;        return - confirm against the SDK prototype.
;-------------------------------------------------------------------------------------
SetAutoCommentIfCommentIsEmpty PROC CommentAddress:DWORD, CommentString:DWORD
    ;PrintDec gIniPreserveExistingComments
    cmp     gIniPreserveExistingComments, 1
    jne     WriteComment                    ; preservation is off: always write

    ; start from an empty buffer so the length test below never sees old text
    Invoke  RtlZeroMemory, Addr szComment, SIZEOF szComment
    Invoke  DbgGetCommentAt, CommentAddress, Addr szComment
    cmp     eax, TRUE
    jne     WriteComment                    ; no comment at this address
    Invoke  lstrlen, Addr szComment
    test    eax, eax
    jz      WriteComment                    ; a comment exists but it is empty

    mov     eax, FALSE                      ; keep the existing comment
    ret

WriteComment:
    ;Invoke DbgSetAutoCommentAt, CommentAddress, CommentString
    Invoke  DbgSetCommentAt, CommentAddress, CommentString
    mov     eax, TRUE
    ret
SetAutoCommentIfCommentIsEmpty endp
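;-------------------------------------------------------------------------------------
; TEST FUNCTION - NOT IN USE
;
; InternalTest - enumerate debug symbols matching functionName in the module that
; contains the current instruction pointer, with the symbol context set to
; functionAddress. Each match is passed to InternalTestCallback.
;
; Arguments: functionAddress - address used as the stack frame's InstructionOffset
;            functionName    - symbol name mask handed to SymEnumSymbols
; Returns:   eax = FALSE if no process information is available, otherwise the
;            result of SymEnumSymbols
;
; Notes: the IMAGEHLP_STACK_FRAME local is cleared before use and its
;        InstructionOffset is assigned rather than added to, so SymSetContext is
;        never given leftover stack contents.
;-------------------------------------------------------------------------------------
InternalTest PROC USES EDI functionAddress:DWORD, functionName:DWORD
    LOCAL entry:DWORD
    LOCAL base:DWORD
    LOCAL modname[MAX_MODULE_SIZE]:BYTE
    LOCAL hProcess:DWORD
    LOCAL isf:IMAGEHLP_STACK_FRAME

    ;PrintText 'InternalTest'
    ; module base of whatever code the debuggee is currently executing
    Invoke  GetContextData, UE_CIP
    mov     entry, eax
    Invoke  DbgGetModuleAt, entry, Addr modname
    Invoke  DbgModBaseFromName, Addr modname
    mov     base, eax

    Invoke  TitanGetProcessInformation
    .IF eax == NULL
        mov     eax, FALSE                  ; nothing to read the process handle from
        ret
    .ENDIF
    mov     eax, [eax].PROCESS_INFORMATION.hProcess
    mov     hProcess, eax

    ; InstructionOffset is a 64-bit field: low dword = functionAddress, and the high
    ; dword stays 0 from the clear
    Invoke  RtlZeroMemory, Addr isf, SIZEOF IMAGEHLP_STACK_FRAME
    mov     eax, functionAddress
    mov     dword ptr isf.InstructionOffset, eax

    Invoke  SymSetContext, hProcess, Addr isf, NULL
    Invoke  SymEnumSymbols, hProcess, base, 0, functionName, Offset InternalTestCallback, NULL
    ;Invoke SymEnumTypesByName, hProcess, base, 0, Addr modname, Offset InternalTestCallback, NULL
    ;Invoke SymEnumSymbolsForAddr, hProcess, functionAddress, 0, Offset InternalTestCallback, NULL
    ret
InternalTest endp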
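;-------------------------------------------------------------------------------------
; TEST FUNCTION - NOT IN USE
;
; InternalTestCallback - symbol enumeration callback used by InternalTest. Copies
; the symbol name into szSymbolName and, in DEBUG32 builds, prints the name and the
; low dword of the address.
;
; Arguments: pSymInfo    - pointer to a SYMBOL_INFO structure for the current symbol
;            SymbolSize  - not used
;            UserContext - not used
; Returns:   eax = TRUE so that the enumeration continues
;
; Notes: the copy is limited by the size of the destination buffer. The symbol's
;        MaxNameLen describes the source buffer and says nothing about how much
;        room szSymbolName has; symbol names come from the debugged program's
;        symbol data and can be long.
;        SIZEOF szSymbolName assumes the buffer is declared as a single array, as
;        the other buffers used with SIZEOF in this file are - TODO confirm in the
;        include file.
;-------------------------------------------------------------------------------------
InternalTestCallback PROC USES EBX EDX pSymInfo:DWORD, SymbolSize:ULONG, UserContext:PVOID
    LOCAL nAddress:DWORD

    ;PrintText 'InternalTestCallback'
    mov     ebx, pSymInfo
    mov     eax, dword ptr [ebx].SYMBOL_INFO.Address
    mov     nAddress, eax

    ; lstrcpyn copies at most (size - 1) characters and always terminates the result
    lea     eax, [ebx].SYMBOL_INFO.Name_
    Invoke  lstrcpyn, Addr szSymbolName, eax, SIZEOF szSymbolName

    IFDEF DEBUG32
    PrintString szSymbolName
    PrintDec nAddress
    ENDIF

    mov     eax, TRUE
    ret
InternalTestCallback ENDP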
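;=====================================================================================
; Search the .api file (.ini) - based on the module name, for the section that
; describes the api function, and return the definition value
; eg. Module = kernel32, api filename will be 'kernel32.api'
;
; Arguments: lpszApiModule     - module name, without extension
;            lpszApiFunction   - function name; used as the section name
;            lpszApiDefinition - receives the definition text; the read is limited
;                                to MAX_COMMENT_SIZE characters
; Returns:   eax = TRUE if a definition was found, FALSE otherwise. On FALSE the
;            output buffer is set to an empty string.
; Clobbers:  eax, ecx, edx only; the scratch pointer is kept in eax so that the
;            callee-saved ebx is not modified.
;
; Notes: the lookup is refused when EITHER input pointer is NULL. A NULL section
;        name would make GetPrivateProfileString return the list of all section
;        names instead of one definition.
;        NOTE(review): lpszApiModule is appended to szApiFile without a length
;        check, and the module name originates from the debugged program. szApiFile
;        is declared outside this file section - confirm it can hold the directory,
;        the longest module name and the extension.
;-------------------------------------------------------------------------------------
SearchApiFileForDefinition PROC lpszApiModule:DWORD, lpszApiFunction:DWORD, lpszApiDefinition:DWORD
    .IF lpszApiModule == NULL || lpszApiFunction == NULL
        mov     eax, lpszApiDefinition
        mov     byte ptr [eax], 0
        mov     eax, FALSE
        ret
    .ENDIF

    ; szApiFile = <current directory>\<module><szApi>
    Invoke  lstrcpy, Addr szApiFile, Addr szCurrentDirectory
    Invoke  lstrcat, Addr szApiFile, lpszApiModule
    Invoke  lstrcat, Addr szApiFile, Addr szApi
    ;PrintString szApiFile
    ;PrintString szAPIFunction

    ; szColon is the default value, so a one-character result means "no entry"
    Invoke  GetPrivateProfileString, lpszApiFunction, Addr szAt, Addr szColon, lpszApiDefinition, MAX_COMMENT_SIZE, Addr szApiFile
    ;PrintDec eax
    .IF eax == 0 || eax == 1                ; just got nothing or the colon and nothing else
        mov     eax, lpszApiDefinition
        mov     byte ptr [eax], 0
        mov     eax, FALSE
    .ELSE
        ;PrintString szAPIDefinition
        mov     eax, TRUE
    .ENDIF
    ret
SearchApiFileForDefinition endp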
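;=====================================================================================
; Returns the parameter count for a function in the .api file
;
; Arguments: lpszApiModule   - module name, without extension
;            lpszApiFunction - function name; used as the section name
; Returns:   eax = -1 if either argument is NULL, otherwise the integer stored under
;            the szIniParamCount key, or 0 when the file, section or key is missing
;
; Notes: the lookup is refused when EITHER pointer is NULL, so no NULL string is
;        ever appended to the path or used as a section name.
;        NOTE(review): lpszApiModule is appended to szApiFile without a length
;        check; szApiFile is declared outside this file section - confirm its size.
;-------------------------------------------------------------------------------------
GetFunctionParamCount PROC lpszApiModule:DWORD, lpszApiFunction:DWORD
    .IF lpszApiModule == NULL || lpszApiFunction == NULL
        mov     eax, -1
        ret
    .ENDIF

    ; szApiFile = <current directory>\<module><szApi>
    Invoke  lstrcpy, Addr szApiFile, Addr szCurrentDirectory
    Invoke  lstrcat, Addr szApiFile, lpszApiModule
    Invoke  lstrcat, Addr szApiFile, Addr szApi

    Invoke  GetPrivateProfileInt, lpszApiFunction, Addr szIniParamCount, 0, Addr szApiFile
    ret
GetFunctionParamCount endp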
;=====================================================================================
; Returns parameter type and name for a specified parameter of a function in a api file
;-------------------------------------------------------------------------------------
GetFunctionParam PROC lpszApiModule:DWORD, lpszApiFunction:DWORD, dwParamNo:DWORD, lpszApiFunctionParameter:DWORD
.IF lpszApiModule == NULL && lpszApiFunction == NULL
mov ebx, lpszApiFunctionParameter
mov byte ptr [ebx], 0
mov eax, FALSE
ret
.ENDIF
Invoke lstrcpy, Addr szApiFile, Addr szCurrentDirectory
Invoke lstrcat, Addr szApiFile, lpszApiModule