29A Issue 02 03 03
;
; . .: .:.. :.. .. .:.::. :. ..:
; <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===<
; .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:.
; . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:..
; ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::.
; >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->>
; .: .:.. ..:. .: ..:.::. ::.. :.:.
;
; [29A INC files]
; by Jacky Qwerty/29A
;
;
; Here you have the "famous" 29A INC filez, written by me. These INCz surely
; will become almost completely necessary for you at the moment of writing
; your Win32 PE infectorz as they contain lotz of very useful structurez and
; routinez used in such kind of virusez. At the very least you will need the
; INC filez to understand the functioning of the Win32 infectorz written he-
; re by us in 29A, as we all use them in order to make thingz much easier :)
;
; The set is formed by four filez (MZ.INC, PE.INC, USEFUL.INC, WIN32API.INC)
; which work separately, and whose corresponding utility has been described
; below. You might want either to cut them off from this file or just to un-
; zip the file containing them (29A_INCS.ZIP), in the \FILES directory.
;
; Hope they will be useful for you!
;
;
; - -[MZ.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
; . .: .:.. :.. .. .:.::. :. ..:
; <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===<
; .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:.
; . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:..
; ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::.
; >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->>
; .: .:.. ..:. .: ..:.::. ::.. :.:.
;
; [29A INC files]
; DOS EXE MZ executable format
; by Jacky Qwerty/29A
;
; Description
; ÄÄÄÄÄÄÄÄÄÄÄ
; This include file contains all the constantz and structurez needed to work
; with the DOS EXE MZ executable format inside ASM filez. For use with TASM,
; of course (also with TASM32). MASM sucks.. :P
;
; Disclaimer
; ÄÄÄÄÄÄÄÄÄÄ
; This file was built up by Jacky Qwerty from 29A. The author is not respon-
; sible for any problemz caused due to use/misuse of this file.
;
;
; (c) 1997. No rightz reserved. Use without permision >8P.
; ÄÄ´ MZ_magic value ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; DOS "MZ" header: the fixed 64-byte structure at offset 0 of a DOS EXE and of
; every PE image. Field names follow the Win32 e_* members with an MZ_ prefix.
; Every field is read straight from the file, so a parser must treat it as
; untrusted input: compare MZ_magic with IMAGE_DOS_SIGNATURE and range-check
; MZ_lfanew against the file (or mapping) size before following it.
IMAGE_DOS_SIGNATURE EQU 5A4Dh ;'MZ'
IMAGE_DOS_HEADER STRUC
MZ_magic DW ? ; Magic number
MZ_cblp DW ? ; Bytes on last page of file
MZ_cp DW ? ; Pages in file
MZ_crlc DW ? ; Relocations
MZ_cparhdr DW ? ; Size of header in paragraphs
MZ_minalloc DW ? ; Minimum extra paragraphs needed
MZ_maxalloc DW ? ; Maximum extra paragraphs needed
MZ_ss DW ? ; Initial (relative) SS value
MZ_sp DW ? ; Initial SP value
MZ_csum DW ? ; Checksum
MZ_ip DW ? ; Initial IP value
MZ_cs DW ? ; Initial (relative) CS value
MZ_lfarlc DW ? ; File address of relocation table
MZ_ovno DW ? ; Overlay number
MZ_res DW 4 DUP (?) ; Reserved words
MZ_oemid DW ? ; OEM identifier (for e_oeminfo)
MZ_oeminfo DW ? ; OEM information; e_oemid specific
MZ_res2 DW 10 DUP (?) ; Reserved words
MZ_lfanew DD ? ; File address of new exe header
IMAGE_DOS_HEADER ENDS
; Size of the structure above (30 words + 1 dword = 64 bytes).
IMAGE_SIZEOF_DOS_HEADER EQU SIZE IMAGE_DOS_HEADER
; - -[PE.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
; . .: .:.. :.. .. .:.::. :. ..:
; <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===<
; .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:.
; . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:..
; ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::.
; >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->>
; .: .:.. ..:. .: ..:.::. ::.. :.:.
;
; [29A INC files]
; Portable Executable format
; by Jacky Qwerty/29A
;
; Description
; ÄÄÄÄÄÄÄÄÄÄÄ
; This include file contains all the constantz and structurez needed to work
; with the PE (Portable Executable) format from inside ASM filez. For exclu-
; sive use with TASM(32), of course. MASM sucks.. :P
;
; Disclaimer
; ÄÄÄÄÄÄÄÄÄÄ
; This file was built up by Jacky Qwerty from 29A. The author is not respon-
; sible for any problemz caused due to use/misuse of this file.
;
;
; (c) 1997. No rightz reserved. Use without permision >8P.
; ÄÄ´ Based relocation type valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Base relocation types, as stored in the RD_RelocType field of each 16-bit
; relocation entry.
IMAGE_REL_BASED_ABSOLUTE EQU 0
IMAGE_REL_BASED_HIGH EQU 1
IMAGE_REL_BASED_LOW EQU 2
IMAGE_REL_BASED_HIGHLOW EQU 3
IMAGE_REL_BASED_HIGHADJ EQU 4
IMAGE_REL_BASED_MIPS_JMPADDR EQU 5
; One relocation entry: a 4-bit type packed with a 12-bit offset in one word.
IMAGE_RELOCATION_DATA RECORD {
RD_RelocType :4
RD_RelocOffset :12
}
; Header of one relocation block; the entries follow it directly (the array
; member is left commented out because its length varies).
; BR_SizeOfBlock is file-controlled. Code that walks the blocks should check
; that it is at least IMAGE_SIZEOF_BASE_RELOCATION and that the block stays
; inside the relocation directory, otherwise the walk may not advance or may
; read past the mapped data.
IMAGE_BASE_RELOCATION STRUC
BR_VirtualAddress DD ?
BR_SizeOfBlock DD ?
; BR_TypeOffset IMAGE_RELOCATION_DATA 1 DUP (?) ; Array of zero or more relocations (type + RVAs)
IMAGE_BASE_RELOCATION ENDS
IMAGE_SIZEOF_BASE_RELOCATION EQU SIZE IMAGE_BASE_RELOCATION ; 8
; Hint/name entry referenced by an import thunk. IBN_Name is declared with one
; byte only; the real string is variable length and NUL-terminated, so readers
; must bound the scan by the end of the mapped image.
IMAGE_IMPORT_BY_NAME STRUC
IBN_Hint DW ?
IBN_Name DB 1 DUP (?) ; ASCIIZ function name (variable size)
IMAGE_IMPORT_BY_NAME ENDS
; Top bit of a thunk: when set, the low bits hold an ordinal, not a name RVA.
IMAGE_ORDINAL_FLAG EQU 80000000h
; One 32-bit import thunk. The four members are views of the same dword; which
; one applies depends on IMAGE_ORDINAL_FLAG and on whether the image has been
; loaded and bound.
IMAGE_THUNK_DATA STRUC
UNION
TD_AddressOfData DD IMAGE_IMPORT_BY_NAME PTR ? ; Ptr to IMAGE_IMPORT_BY_NAME structure
TD_Ordinal DD ? ; Ordinal ORed with IMAGE_ORDINAL_FLAG
TD_Function DD BYTE PTR ? ; CODE PTR ; Ptr to function (i.e. Function address after program load)
TD_ForwarderString DD BYTE PTR ? ; Ptr to a forwarded API function.
ENDS
IMAGE_THUNK_DATA ENDS
; ÄÄ´ Import format ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; One entry of the import directory (one per imported DLL). The array ends
; with an all-zero descriptor. All dword members except the time stamp and the
; forwarder chain are RVAs taken from the file; translate and range-check them
; before dereferencing.
IMAGE_IMPORT_DESCRIPTOR STRUC
UNION
ID_Characteristics DD ? ; 0 for terminating null import descriptor
ID_OriginalFirstThunk DD IMAGE_THUNK_DATA PTR ? ; RVA to original unbound IAT
ENDS
ID_TimeDateStamp DD ? ; 0 if not bound,
; -1 if bound, and real date/time stamp
; in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
; otherwise date/time stamp of DLL bound to (old BIND)
ID_ForwarderChain DD ? ; -1 if no forwarders
ID_Name DD BYTE PTR ? ; RVA to name of imported DLL
ID_FirstThunk DD IMAGE_THUNK_DATA PTR ? ; RVA to IAT (if bound this IAT has actual addresses)
IMAGE_IMPORT_DESCRIPTOR ENDS
; 5 dwords = 20 bytes.
IMAGE_SIZEOF_IMPORT_DESCRIPTOR EQU SIZE IMAGE_IMPORT_DESCRIPTOR
; ÄÄ´ Export format ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Export directory of a PE image. Each UNION below gives two names for the
; same dword (alias pairs), it does not add storage.
; The "Ptr" members are stored in the file as RVAs. The counts and RVAs are
; file-controlled: a reader should verify that every table lies inside the
; image and that each name ordinal is below ED_NumberOfFunctions before it is
; used as an index.
IMAGE_EXPORT_DIRECTORY STRUC
ED_Characteristics DD ?
ED_TimeDateStamp DD ?
ED_MajorVersion DW ?
ED_MinorVersion DW ?
ED_Name DD BYTE PTR ? ; Ptr to name of exported DLL
UNION
ED_Base DD ?
ED_BaseOrdinal DD ?
ENDS
ED_NumberOfFunctions DD ?
UNION
ED_NumberOfNames DD ?
ED_NumberOfOrdinals DD ?
ENDS
ED_AddressOfFunctions DD DWORD PTR ? ; Ptr to array of function addresses
ED_AddressOfNames DD DWORD PTR ? ; Ptr to array of (function) name addresses
UNION
ED_AddressOfNameOrdinals DD WORD PTR ? ; Ptr to array of ordinals
ED_AddressOfOrdinals DD WORD PTR ? ; Same dword, shorter alias
ENDS
IMAGE_EXPORT_DIRECTORY ENDS
; 40 bytes.
IMAGE_SIZEOF_EXPORT_DIRECTORY EQU SIZE IMAGE_EXPORT_DIRECTORY
; ÄÄ´ SH_Characteristics valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Bit flags for SH_Characteristics in IMAGE_SECTION_HEADER.
; Lines starting with ";MAGE_" are reserved or obsolete names that the author
; disabled by replacing the leading "I" with a comment character.
; The IMAGE_SCN_ALIGN_* values are not independent bits: they are a 4-bit
; field (bits 20-23) holding an alignment code.
; For triage, the three IMAGE_SCN_MEM_READ/WRITE/EXECUTE bits at the end give
; the page protection the loader applies; a section that is both writeable and
; executable is unusual in compiler output and worth a closer look.
;MAGE_SCN_TYPE_REG EQU 00000000h ; Reserved
;MAGE_SCN_TYPE_REGULAR EQU 00000000h ; Reserved
;MAGE_SCN_TYPE_DSECT EQU 00000001h ; Reserved
;MAGE_SCN_TYPE_DUMMY EQU 00000001h ; Reserved
;MAGE_SCN_TYPE_NOLOAD EQU 00000002h ; Reserved
;MAGE_SCN_TYPE_NO_LOAD EQU 00000002h ; Reserved
;MAGE_SCN_TYPE_GROUP EQU 00000004h ; Reserved. Used for 16-bit offset code
;MAGE_SCN_TYPE_GROUPED EQU 00000004h ; Reserved. Used for 16-bit offset code
IMAGE_SCN_TYPE_NO_PAD EQU 00000008h ; Reserved
;MAGE_SCN_TYPE_COPY EQU 00000010h ; Reserved
IMAGE_SCN_CNT_CODE EQU 00000020h ; Section contains code.
IMAGE_SCN_CNT_INITIALIZED_DATA EQU 00000040h ; Section contains initialized data.
IMAGE_SCN_CNT_UNINITIALIZED_DATA EQU 00000080h ; Section contains uninitialized data.
IMAGE_SCN_LNK_OTHER EQU 00000100h ; Reserved.
IMAGE_SCN_LNK_INFO EQU 00000200h ; Section contains comments or some other type of information.
;MAGE_SCN_TYPE_OVER EQU 00000400h ; Reserved. Section contains an overlay.
;MAGE_SCN_LNK_OVERLAY EQU 00000400h ; Reserved. Section contains an overlay.
IMAGE_SCN_LNK_REMOVE EQU 00000800h ; Section contents will not become part of image.
IMAGE_SCN_LNK_COMDAT EQU 00001000h ; Section contents comdat.
; EQU 00002000h ; Reserved.
;MAGE_SCN_MEM_PROTECTED EQU 00004000h ; Obsolete.
IMAGE_SCN_MEM_FARDATA EQU 00008000h
;MAGE_SCN_MEM_SYSHEAP EQU 00010000h ; Obsolete.
; PURGEABLE and 16BIT deliberately share the same bit value.
IMAGE_SCN_MEM_PURGEABLE EQU 00020000h
IMAGE_SCN_MEM_16BIT EQU 00020000h
IMAGE_SCN_MEM_LOCKED EQU 00040000h
IMAGE_SCN_MEM_PRELOAD EQU 00080000h
IMAGE_SCN_ALIGN_1BYTES EQU 00100000h
IMAGE_SCN_ALIGN_2BYTES EQU 00200000h
IMAGE_SCN_ALIGN_4BYTES EQU 00300000h
IMAGE_SCN_ALIGN_8BYTES EQU 00400000h
IMAGE_SCN_ALIGN_16BYTES EQU 00500000h ; Default alignment if no others are specified.
IMAGE_SCN_ALIGN_32BYTES EQU 00600000h
IMAGE_SCN_ALIGN_64BYTES EQU 00700000h
; EQU 00800000h ; Unused.
IMAGE_SCN_LNK_NRELOC_OVFL EQU 01000000h ; Section contains extended relocations.
IMAGE_SCN_MEM_DISCARDABLE EQU 02000000h ; Section can be discarded.
IMAGE_SCN_MEM_NOT_CACHED EQU 04000000h ; Section is not cachable.
IMAGE_SCN_MEM_NOT_PAGED EQU 08000000h ; Section is not pageable.
IMAGE_SCN_MEM_SHARED EQU 10000000h ; Section is shareable.
IMAGE_SCN_MEM_EXECUTE EQU 20000000h ; Section is executable.
IMAGE_SCN_MEM_READ EQU 40000000h ; Section is readable.
IMAGE_SCN_MEM_WRITE EQU 80000000h ; Section is writeable.
; Length of the SH_Name field in IMAGE_SECTION_HEADER.
IMAGE_SIZEOF_SHORT_NAME EQU 8
; ÄÄ´ Section header format ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; One entry of the PE section table (40 bytes).
; SH_Name is a fixed 8-byte field and is not NUL-terminated when the name uses
; all eight bytes, so compare or print it with an explicit length.
; SH_VirtualAddress is an RVA, SH_PointerToRawData a file offset; both sizes
; and both addresses come from the file and must be checked against the file
; and image size before they are used to copy or map data.
IMAGE_SECTION_HEADER STRUC
SH_Name DB IMAGE_SIZEOF_SHORT_NAME DUP (?)
UNION
SH_PhysicalAddress DD BYTE PTR ?
SH_VirtualSize DD ?
ENDS
SH_VirtualAddress DD BYTE PTR ?
SH_SizeOfRawData DD ?
SH_PointerToRawData DD BYTE PTR ?
SH_PointerToRelocations DD BYTE PTR ?
SH_PointerToLinenumbers DD BYTE PTR ?
SH_NumberOfRelocations DW ?
SH_NumberOfLinenumbers DW ?
SH_Characteristics DD ? ; IMAGE_SCN_* flags
IMAGE_SECTION_HEADER ENDS
IMAGE_SIZEOF_SECTION_HEADER EQU SIZE IMAGE_SECTION_HEADER
; ÄÄ´ OH_DataDirectory index valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Indexes into OH_DataDirectory. Only entries 0-12 are named here, while the
; array itself is declared with IMAGE_NUMBEROF_DIRECTORY_ENTRIES (16) slots.
; A reader should also compare the index with OH_NumberOfRvaAndSizes, which
; states how many slots the file actually provides.
IMAGE_DIRECTORY_ENTRY_EXPORT EQU 0 ; Export Directory
IMAGE_DIRECTORY_ENTRY_IMPORT EQU 1 ; Import Directory
IMAGE_DIRECTORY_ENTRY_RESOURCE EQU 2 ; Resource Directory
IMAGE_DIRECTORY_ENTRY_EXCEPTION EQU 3 ; Exception Directory
IMAGE_DIRECTORY_ENTRY_SECURITY EQU 4 ; Security Directory
IMAGE_DIRECTORY_ENTRY_BASERELOC EQU 5 ; Base Relocation Table
IMAGE_DIRECTORY_ENTRY_DEBUG EQU 6 ; Debug Directory
IMAGE_DIRECTORY_ENTRY_COPYRIGHT EQU 7 ; Description String
IMAGE_DIRECTORY_ENTRY_GLOBALPTR EQU 8 ; Machine Value (MIPS GP)
IMAGE_DIRECTORY_ENTRY_TLS EQU 9 ; TLS Directory
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG EQU 10 ; Load Configuration Directory
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT EQU 11 ; Bound Import Directory in headers
IMAGE_DIRECTORY_ENTRY_IAT EQU 12 ; Import Address Table
IMAGE_NUMBEROF_DIRECTORY_ENTRIES EQU 16
; ÄÄ´ OH_DataDirectory format ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; One data-directory slot: location and size of a table inside the image.
; Both values are file-controlled; a zero DD_VirtualAddress means the table is
; absent, and a non-zero one still has to be range-checked together with
; DD_Size before the table is read.
IMAGE_DATA_DIRECTORY STRUC
DD_VirtualAddress DD BYTE PTR ?
DD_Size DD ?
IMAGE_DATA_DIRECTORY ENDS
; Named view of the first 13 data-directory slots, in index order
; (IMAGE_DIRECTORY_ENTRY_EXPORT .. IMAGE_DIRECTORY_ENTRY_IAT).
IMAGE_DIRECTORY_ENTRIES STRUC
DE_Export IMAGE_DATA_DIRECTORY ?
DE_Import IMAGE_DATA_DIRECTORY ?
DE_Resource IMAGE_DATA_DIRECTORY ?
DE_Exception IMAGE_DATA_DIRECTORY ?
DE_Security IMAGE_DATA_DIRECTORY ?
DE_BaseReloc IMAGE_DATA_DIRECTORY ?
DE_Debug IMAGE_DATA_DIRECTORY ?
DE_Copyright IMAGE_DATA_DIRECTORY ?
DE_GlobalPtr IMAGE_DATA_DIRECTORY ?
DE_TLS IMAGE_DATA_DIRECTORY ?
DE_LoadConfig IMAGE_DATA_DIRECTORY ?
DE_BoundImport IMAGE_DATA_DIRECTORY ?
DE_IAT IMAGE_DATA_DIRECTORY ?
IMAGE_DIRECTORY_ENTRIES ENDS
; ÄÄ´ OH_LoaderFlags valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;MAGE_LOADER_FLAGS_BREAK_ON_LOAD EQU 00000001h
;MAGE_LOADER_FLAGS_DEBUG_ON_LOAD EQU 00000002h
; ÄÄ´ OH_DllCharacteristics valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;MAGE_LIBRARY_PROCESS_INIT EQU 1 ; Dll has a process initialization routine
;MAGE_LIBRARY_PROCESS_TERM EQU 2 ; Dll has a process termination routine
;MAGE_LIBRARY_THREAD_INIT EQU 4 ; Dll has a thread initialization routine
;MAGE_LIBRARY_THREAD_TERM EQU 8 ; Dll has a thread termination routine
; ÄÄ´ OH_Subsystem Valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Values of OH_Subsystem: the environment the image expects to run in.
; Values 4 and 6 are not defined in this list.
IMAGE_SUBSYSTEM_UNKNOWN EQU 0 ; Unknown subsystem
IMAGE_SUBSYSTEM_NATIVE EQU 1 ; Image doesn't require a subsystem
IMAGE_SUBSYSTEM_WINDOWS_GUI EQU 2 ; Image runs in the Windows GUI subsystem
IMAGE_SUBSYSTEM_WINDOWS_CUI EQU 3 ; Image runs in the Windows character subsystem
IMAGE_SUBSYSTEM_OS2_CUI EQU 5 ; Image runs in the OS/2 character subsystem
IMAGE_SUBSYSTEM_POSIX_CUI EQU 7 ; Image runs in the Posix character subsystem
; ÄÄ´ OH_Magic value ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Expected OH_Magic of the 32-bit optional header laid out in this file; an
; image with a different magic does not match IMAGE_OPTIONAL_HEADER as defined
; here and should not be parsed with it.
IMAGE_NT_OPTIONAL_HDR_MAGIC EQU 10Bh
; ÄÄ´ Optional header format ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; 32-bit PE optional header: 28 bytes of standard COFF fields followed by the
; NT-specific fields and the data-directory array (224 bytes in total with the
; 16 directory slots declared here).
; The final UNION offers two views of the same storage: OH_DataDirectory as an
; indexable array and OH_DirectoryEntries as named members.
; Everything here is file-controlled. In particular OH_NumberOfRvaAndSizes can
; be smaller than IMAGE_NUMBEROF_DIRECTORY_ENTRIES, and FH_SizeOfOptionalHeader
; (not the SIZE of this structure) decides where the section table starts.
IMAGE_OPTIONAL_HEADER STRUC
; Standard fields:
OH_Magic DW ?
OH_MajorLinkerVersion DB ?
OH_MinorLinkerVersion DB ?
OH_SizeOfCode DD ?
OH_SizeOfInitializedData DD ?
OH_SizeOfUninitializedData DD ?
OH_AddressOfEntryPoint DD BYTE PTR ?
OH_BaseOfCode DD BYTE PTR ?
OH_BaseOfData DD BYTE PTR ?
; NT additional fields:
OH_ImageBase DD BYTE PTR ?
OH_SectionAlignment DD ?
OH_FileAlignment DD ?
OH_MajorOperatingSystemVersion DW ?
OH_MinorOperatingSystemVersion DW ?
OH_MajorImageVersion DW ?
OH_MinorImageVersion DW ?
OH_MajorSubsystemVersion DW ?
OH_MinorSubsystemVersion DW ?
OH_Reserved1 DD ?
OH_SizeOfImage DD ?
OH_SizeOfHeaders DD ?
OH_CheckSum DD ?
OH_Subsystem DW ?
OH_DllCharacteristics DW ?
OH_SizeOfStackReserve DD ?
OH_SizeOfStackCommit DD ?
OH_SizeOfHeapReserve DD ?
OH_SizeOfHeapCommit DD ?
OH_LoaderFlags DD ?
OH_NumberOfRvaAndSizes DD ?
UNION
OH_DataDirectory IMAGE_DATA_DIRECTORY \
IMAGE_NUMBEROF_DIRECTORY_ENTRIES \
DUP (?)
OH_DirectoryEntries IMAGE_DIRECTORY_ENTRIES ?
ENDS
IMAGE_OPTIONAL_HEADER ENDS
; Size of the "Standard fields" part only (OH_Magic .. OH_BaseOfData).
IMAGE_SIZEOF_STD_OPTIONAL_HEADER EQU 28d
; Size of the whole structure as declared above.
IMAGE_SIZEOF_NT_OPTIONAL_HEADER EQU SIZE IMAGE_OPTIONAL_HEADER
; ÄÄ´ FH_Characteristics valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Bit flags for FH_Characteristics in IMAGE_FILE_HEADER.
; Lines starting with ";MAGE_" are reserved names the author commented out.
IMAGE_FILE_RELOCS_STRIPPED EQU 0001h ; Relocation info stripped from file
IMAGE_FILE_EXECUTABLE_IMAGE EQU 0002h ; File is executable (i.e. no unresolved external references)
IMAGE_FILE_LINE_NUMS_STRIPPED EQU 0004h ; Line numbers stripped from file
IMAGE_FILE_LOCAL_SYMS_STRIPPED EQU 0008h ; Local symbols stripped from file
;MAGE_FILE_MINIMAL_OBJECT EQU 0010h ; Reserved
;MAGE_FILE_UPDATE_OBJECT EQU 0020h ; Reserved
;MAGE_FILE_16BIT_MACHINE EQU 0040h ; 16 bit word machine
IMAGE_FILE_BYTES_REVERSED_LO EQU 0080h ; Bytes of machine word are reversed
IMAGE_FILE_32BIT_MACHINE EQU 0100h ; 32 bit word machine
IMAGE_FILE_DEBUG_STRIPPED EQU 0200h ; Debugging info stripped from file in .DBG file
;MAGE_FILE_PATCH EQU 0400h ; Reserved
IMAGE_FILE_SYSTEM EQU 1000h ; System File
IMAGE_FILE_DLL EQU 2000h ; File is a DLL
IMAGE_FILE_BYTES_REVERSED_HI EQU 8000h ; Bytes of machine word are reversed
; ÄÄ´ FH_Machine valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Values of FH_Machine: the CPU architecture the image was built for.
IMAGE_FILE_MACHINE_UNKNOWN EQU 0
IMAGE_FILE_MACHINE_I386 EQU 14Ch ; Intel 386
IMAGE_FILE_MACHINE_R3000 EQU 162h ; MIPS L-endian, 0160h B-endian
IMAGE_FILE_MACHINE_R4000 EQU 166h ; MIPS L-endian
IMAGE_FILE_MACHINE_R10000 EQU 168h ; MIPS L-endian
IMAGE_FILE_MACHINE_ALPHA EQU 184h ; Alpha_AXP
IMAGE_FILE_MACHINE_POWERPC EQU 1F0h ; IBM PowerPC L-Endian
; COFF file header that follows the PE signature (20 bytes).
; FH_NumberOfSections and FH_SizeOfOptionalHeader are file-controlled and
; together determine where the section table lies and how long it is; check
; both against the size of the headers actually read before walking sections.
IMAGE_FILE_HEADER STRUC
FH_Machine DW ? ; IMAGE_FILE_MACHINE_* value
FH_NumberOfSections DW ?
FH_TimeDateStamp DD ?
FH_PointerToSymbolTable DD BYTE PTR ?
FH_NumberOfSymbols DD ?
FH_SizeOfOptionalHeader DW ?
FH_Characteristics DW ? ; IMAGE_FILE_* flags
IMAGE_FILE_HEADER ENDS
IMAGE_SIZEOF_FILE_HEADER EQU SIZE IMAGE_FILE_HEADER
; ÄÄ´ NT_Signature value ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Signature dword expected at the file offset given by MZ_lfanew.
IMAGE_NT_SIGNATURE EQU 00004550h ; 'PE',0,0
; Complete PE header block: signature, COFF file header, optional header.
; A reader should confirm NT_Signature equals IMAGE_NT_SIGNATURE and that the
; whole structure fits in the data it has read before touching any member.
IMAGE_NT_HEADERS STRUC
NT_Signature DD ?
NT_FileHeader IMAGE_FILE_HEADER ?
NT_OptionalHeader IMAGE_OPTIONAL_HEADER ?
IMAGE_NT_HEADERS ENDS
; - -[USEFUL.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
; . .: .:.. :.. .. .:.::. :. ..:
; <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===<
; .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:.
; . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:..
; ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::.
; >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->>
; .: .:.. ..:. .: ..:.::. ::.. :.:.
;
; [29A INC files]
; Basic useful structurez
; by Jacky Qwerty/29A
;
; Description
; ÄÄÄÄÄÄÄÄÄÄÄ
; This include file contains all basic constantz and general common structu-
; rez needed to work with other include and source ASM filez. This file will
; work only with TASM(32), of course. MASM sucks.. :P
;
; Disclaimer
; ÄÄÄÄÄÄÄÄÄÄ
; This file was built up by Jacky Qwerty from 29A. The author is not respon-
; sible for any problemz caused due to use/misuse of this file.
;
;
; (c) 1997. No rightz reserved. Use without permision >8P.
; ASCII line-feed and carriage-return codes. CRLF is a text equate that
; expands to the two byte values 13,10 for use in DB lists.
LF equ 10
CR equ 13
CRLF equ <13,10>
; 4-byte overlay for picking a dword apart: lob/hib are the two bytes of the
; low word, lo_w is that same low word as a unit, hiw is the high word.
lo_hi_byte_word struc
union
struc
lob db ?
hib db ?
ends
lo_w dw ?
ends
hiw dw ?
lo_hi_byte_word ends
; Stack layout left by a 16-bit PUSHA, lowest address first (DI is on top of
; the stack, AX was pushed first). Lets code address saved registers by name.
Pusha_struc struc
Pusha_di dw ?
Pusha_si dw ?
Pusha_bp dw ?
Pusha_sp dw ?
Pusha_bx dw ?
Pusha_dx dw ?
Pusha_cx dw ?
Pusha_ax dw ?
Pusha_struc ends
; Bytes occupied by the saved registers (8 words = 16).
cPusha equ size Pusha_struc
; Stack layout left by a 32-bit PUSHAD, lowest address first (EDI is on top of
; the stack, EAX was pushed first). Lets code address saved registers by name.
Pushad_struc struc
Pushad_edi dd ?
Pushad_esi dd ?
Pushad_ebp dd ?
Pushad_esp dd ?
Pushad_ebx dd ?
Pushad_edx dd ?
Pushad_ecx dd ?
Pushad_eax dd ?
Pushad_struc ends
; Bytes occupied by the saved registers (8 dwords = 32).
cPushad equ size Pushad_struc
; @copysz - copy a NUL-terminated string, terminator included.
; In:    source pointer in (E)SI, destination pointer in (E)DI, as used by
;        LODSB and STOSB; direction flag presumably clear - confirm at call site
; Out:   (E)SI and (E)DI point just past the copied terminator
; Clobb: AL, flags
; The loop has no length limit: the destination must be known to be large
; enough for the source string, otherwise the copy overruns the buffer.
@copysz macro
local nxtchr
nxtchr: lodsb
stosb
or al,al
jnz nxtchr
endm
; @endsz - advance the source pointer past the end of a NUL-terminated string.
; In:    source pointer in (E)SI, as used by LODSB
; Out:   (E)SI points just past the terminating NUL
; Clobb: AL, flags
; The scan is unbounded: it relies on a terminator being present in readable
; memory.
@endsz macro
local nxtchr
nxtchr: lodsb
test al,al
jnz nxtchr
endm
; @pushsz string - leave the address of an inline NUL-terminated string on the
; stack. The CALL skips over the DB and its return address, which is the
; address of the string, stays pushed; execution continues at next_instr.
; The second parameter exists only to detect a surplus argument and stop the
; assembly with an error.
; Note for anyone reading a disassembly: the bytes between the CALL and its
; target are data, not instructions, so a linear sweep decodes them wrongly.
@pushsz macro msg2psh, empty
local next_instr
ifnb <empty>
%out too much arguments in macro '@pushsz'
.err
endif
call next_instr
db msg2psh,0
next_instr:
endm
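; @pushbytes bytes - leave the address of an inline byte sequence on the
; stack. Same mechanism as a CALL over data: the return address pushed by
; CALL is the address of the DB, and execution continues at next_instr.
; Unlike the string variant no terminator is appended.
; The second parameter exists only to detect a surplus argument and stop the
; assembly with an error; the diagnostic names this macro so the message
; matches the invocation that triggered it.
; Note for anyone reading a disassembly: the bytes between the CALL and its
; target are data, not instructions.
@pushbytes macro bts2psh, empty
local next_instr
ifnb <empty>
%out too much arguments in macro '@pushbytes'
.err
endif
call next_instr
db bts2psh
next_instr:
endm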
; 16-bit variant of API_Args, assembled only when @WordSize is 2.
; Overlay for the stack as seen on entry to a called routine: the return
; address first, then up to 16 word-sized arguments. Pshd and Arg1 name the
; same slot; Arg2..Arg16 are generated by the IRP loop.
if @WordSize eq 2 ; 16 bits
API_Args struc
RetAddr dw ?
union
Pshd dw ? ;pushed
Arg1 dw ?
ends
irp Num, <2,3,4,5,6,7,8,9,10,11,12,13,14,15,16>
Arg&Num dw ?
endm
API_Args ends
endif
; 32-bit variant of API_Args, assembled only when @WordSize is 4.
; Overlay for the stack as seen on entry to a called routine: the return
; address first, then up to 16 dword-sized arguments. Pshd and Arg1 name the
; same slot; Arg2..Arg16 are generated by the IRP loop.
if @WordSize eq 4 ; 32 bits
API_Args struc
RetAddr dd ?
union
Pshd dd ? ;pushed
Arg1 dd ?
ends
irp Num, <2,3,4,5,6,7,8,9,10,11,12,13,14,15,16>
Arg&Num dd ?
endm
API_Args ends
endif
; - -[WIN32API.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
; . .: .:.. :.. .. .:.::. :. ..:
; <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===<
; .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:.
; . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:..
; ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::.
; >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->>
; .: .:.. ..:. .: ..:.::. ::.. :.:.
;
; [29A INC files]
; Win32 API definitionz
; by Jacky Qwerty/29A
;
; Description
; ÄÄÄÄÄÄÄÄÄÄÄ
; This include file contains some of the constantz and structurez needed to
; work with typical Win32 API functionz from inside ASM filez. This file can
; work only with TASM(32), of course. MASM sucks.. :P
;
; Disclaimer
; ÄÄÄÄÄÄÄÄÄÄ
; This file was built up by Jacky Qwerty from 29A. The author is not respon-
; sible for any problemz caused due to use/misuse of this file.
;
;
; (c) 1997. No rightz reserved. Use without permision >8P.
; ÄÄ´ Some global constantz ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Basic Win32 constants. INVALID_HANDLE_VALUE (-1) and NULL (0) are two
; different failure values; which one an API returns is stated per function
; in the prototype notes of this file.
NULL EQU 0
FALSE EQU 0
TRUE EQU 1
MAX_PATH EQU 260
INVALID_HANDLE_VALUE EQU -1
STANDARD_RIGHTS_REQUIRED EQU 000F0000h
; ÄÄ´ Desired access valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; dwDesiredAccess bits for CreateFileA; OR them together for read/write.
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
; ÄÄ´ Share mode valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; dwShareMode bits for CreateFileA; 0 (neither bit) opens the file unshared.
FILE_SHARE_READ EQU 00000001h
FILE_SHARE_WRITE EQU 00000002h
; ÄÄ´ Creation disposition valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; dwCreationDisposition values for CreateFileA (an enumeration, not flags).
CREATE_NEW EQU 1
CREATE_ALWAYS EQU 2
OPEN_EXISTING EQU 3
OPEN_ALWAYS EQU 4
TRUNCATE_EXISTING EQU 5
; ÄÄ´ File attributez and flag valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; File attribute bits (low word) and CreateFileA behaviour flags (high byte).
; Both groups are ORed into dwFlagsAndAttributes; the attribute bits are also
; what WFD_dwFileAttributes reports for a found file.
FILE_ATTRIBUTE_READONLY EQU 00000001h
FILE_ATTRIBUTE_HIDDEN EQU 00000002h
FILE_ATTRIBUTE_SYSTEM EQU 00000004h
FILE_ATTRIBUTE_DIRECTORY EQU 00000010h
FILE_ATTRIBUTE_ARCHIVE EQU 00000020h
FILE_ATTRIBUTE_NORMAL EQU 00000080h
FILE_ATTRIBUTE_TEMPORARY EQU 00000100h
FILE_ATTRIBUTE_ATOMIC_WRITE EQU 00000200h
FILE_ATTRIBUTE_XACTION_WRITE EQU 00000400h
FILE_ATTRIBUTE_COMPRESSED EQU 00000800h
FILE_ATTRIBUTE_HAS_EMBEDDING EQU 00001000h
FILE_FLAG_POSIX_SEMANTICS EQU 01000000h
FILE_FLAG_BACKUP_SEMANTICS EQU 02000000h
FILE_FLAG_DELETE_ON_CLOSE EQU 04000000h
FILE_FLAG_SEQUENTIAL_SCAN EQU 08000000h
FILE_FLAG_RANDOM_ACCESS EQU 10000000h
FILE_FLAG_NO_BUFFERING EQU 20000000h
FILE_FLAG_OVERLAPPED EQU 40000000h
FILE_FLAG_WRITE_THROUGH EQU 80000000h
; ÄÄ´ Protection and other valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Constants for file mappings and virtual memory:
;   SECTION_* / FILE_MAP_*  access rights for a mapping object and its views
;   PAGE_*                  page protection values
;   MEM_* / SEC_*           allocation and section type flags
; FILE_MAP_* are plain aliases of the SECTION_* rights defined just above.
; PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY make memory writable and
; executable at once; requests for these protections are a common thing to
; look for when reviewing or monitoring code.
SECTION_QUERY EQU 00000001h
SECTION_MAP_WRITE EQU 00000002h
SECTION_MAP_READ EQU 00000004h
SECTION_MAP_EXECUTE EQU 00000008h
SECTION_EXTEND_SIZE EQU 00000010h
SECTION_ALL_ACCESS EQU STANDARD_RIGHTS_REQUIRED OR \
SECTION_QUERY OR \
SECTION_MAP_WRITE OR \
SECTION_MAP_READ OR \
SECTION_MAP_EXECUTE OR \
SECTION_EXTEND_SIZE
FILE_MAP_COPY EQU SECTION_QUERY
FILE_MAP_WRITE EQU SECTION_MAP_WRITE
FILE_MAP_READ EQU SECTION_MAP_READ
FILE_MAP_ALL_ACCESS EQU SECTION_ALL_ACCESS
PAGE_NOACCESS EQU 00000001h
PAGE_READONLY EQU 00000002h
PAGE_READWRITE EQU 00000004h
PAGE_WRITECOPY EQU 00000008h
PAGE_EXECUTE EQU 00000010h
PAGE_EXECUTE_READ EQU 00000020h
PAGE_EXECUTE_READWRITE EQU 00000040h
PAGE_EXECUTE_WRITECOPY EQU 00000080h
PAGE_GUARD EQU 00000100h
PAGE_NOCACHE EQU 00000200h
MEM_COMMIT EQU 00001000h
MEM_RESERVE EQU 00002000h
MEM_DECOMMIT EQU 00004000h
MEM_RELEASE EQU 00008000h
MEM_FREE EQU 00010000h
MEM_PRIVATE EQU 00020000h
MEM_MAPPED EQU 00040000h
MEM_TOP_DOWN EQU 00100000h
SEC_FILE EQU 00800000h
SEC_IMAGE EQU 01000000h
SEC_RESERVE EQU 04000000h
SEC_COMMIT EQU 08000000h
SEC_NOCACHE EQU 10000000h
MEM_IMAGE EQU SEC_IMAGE
; ÄÄ´ Code Page valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Symbolic code-page identifiers (system default ANSI, OEM and Mac pages).
CP_ACP EQU 0 ; ANSI code page
CP_OEMCP EQU 1 ; OEM code page
CP_MACCP EQU 2 ; MAC code page
; ÄÄ´ Message Box suport valuez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Message-box style values. Each group occupies its own nibble and is selected
; with the matching *MASK: button set (MB_TYPEMASK), icon (MB_ICONMASK),
; default button (MB_DEFMASK), then modality and focus flags.
MB_OK EQU 00000000h
MB_OKCANCEL EQU 00000001h
MB_ABORTRETRYIGNORE EQU 00000002h
MB_YESNOCANCEL EQU 00000003h
MB_YESNO EQU 00000004h
MB_RETRYCANCEL EQU 00000005h
MB_TYPEMASK EQU 0000000Fh
MB_ICONHAND EQU 00000010h
MB_ICONQUESTION EQU 00000020h
MB_ICONEXCLAMATION EQU 00000030h
MB_ICONASTERISK EQU 00000040h
MB_ICONMASK EQU 000000F0h
MB_ICONINFORMATION EQU MB_ICONASTERISK
MB_ICONSTOP EQU MB_ICONHAND
MB_DEFBUTTON1 EQU 00000000h
MB_DEFBUTTON2 EQU 00000100h
MB_DEFBUTTON3 EQU 00000200h
MB_DEFMASK EQU 00000F00h
MB_APPLMODAL EQU 00000000h
MB_SYSTEMMODAL EQU 00001000h
MB_TASKMODAL EQU 00002000h
MB_NOFOCUS EQU 00008000h
; ÄÄ´ Some general Win32 related structurez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; 64-bit Win32 file time split into its low and high dwords.
FILETIME STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
FILETIME ENDS
; Result buffer filled in by FindFirstFileA (ANSI layout, 320 bytes here).
; NOTE(review): the Win32 headers declare the alternate (8.3) name as 14 bytes
; with 2 bytes of tail padding; this file declares 13 + 3. The total size and
; the offsets of all named members are the same either way.
; The caller must supply a buffer of at least SIZEOF_WIN32_FIND_DATA bytes.
WIN32_FIND_DATA STRUC
WFD_dwFileAttributes DD ? ; FILE_ATTRIBUTE_* bits
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD ?
WFD_nFileSizeLow DD ?
WFD_dwReserved0 DD ?
WFD_dwReserved1 DD ?
WFD_szFileName DB MAX_PATH DUP (?)
WFD_szAlternateFileName DB 13 DUP (?)
DB 3 DUP (?) ; dword padding
WIN32_FIND_DATA ENDS
SIZEOF_WIN32_FIND_DATA EQU SIZE WIN32_FIND_DATA
; ÄÄ´ Context related stuff (i386, i486) ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; The following flagz control the contentz of the CONTEXT structure:
; CONTEXT_ContextFlags values. Each flag is the CPU tag CONTEXT_i386 ORed with
; one bit that selects a group of registers inside the CONTEXT structure.
CONTEXT_i386 EQU 00010000h ; This assumes that i386 and i486
CONTEXT_i486 EQU 00010000h ; have identical context recordz.
CONTEXT_CONTROL EQU (CONTEXT_i386 OR 01h) ; SS:SP, CS:IP, FLAGS, BP.
CONTEXT_INTEGER EQU (CONTEXT_i386 OR 02h) ; AX, BX, CX, DX, SI, DI.
CONTEXT_SEGMENTS EQU (CONTEXT_i386 OR 04h) ; DS, ES, FS, GS.
CONTEXT_FLOATING_POINT EQU (CONTEXT_i386 OR 08h) ; 387 state
CONTEXT_DEBUG_REGISTERS EQU (CONTEXT_i386 OR 10h) ; DB 0-3,6,7
; CONTEXT_FULL leaves out the floating-point and debug-register groups.
CONTEXT_FULL EQU (CONTEXT_CONTROL OR CONTEXT_INTEGER OR \
CONTEXT_SEGMENTS)
; Size of the 80387 save area, which is in the context frame:
SIZE_OF_80387_REGISTERS EQU 80
; x87 FPU state as embedded in CONTEXT (CONTEXT_FloatSave): seven dwords of
; control/status information, the 80-byte register area, and Cr0NpxState
; (112 bytes in total).
FLOATING_SAVE_AREA STRUC
ControlWord DD ?
StatusWord DD ?
TagWord DD ?
ErrorOffset DD ?
ErrorSelector DD ?
DataOffset DD ?
DataSelector DD ?
RegisterArea DB SIZE_OF_80387_REGISTERS DUP (?)
Cr0NpxState DD ?
FLOATING_SAVE_AREA ENDS
; Context Frame:
; i386 thread context record (204 bytes), as passed to exception handlers and
; to the thread-context APIs. Which groups of members are valid is selected by
; the CONTEXT_* flags in CONTEXT_ContextFlags.
; An exception handler receives a pointer to this record and the OS resumes
; the thread from whatever it contains, so code that edits CONTEXT_Eip or
; CONTEXT_Esp redirects execution; debuggers and analysts watch for this.
CONTEXT STRUC
; The flags valuez - within the ContextFlags field - control the
; contentz of the CONTEXT structure.
;
; If the context record is used as an input parameter, then
; for each portion of the context record controlled by a flag
; whose value is set, it is assumed that that portion of the
; context record contains valid context. If the context record
; is being used to modify a threadz context, then only that
; portion of the threadz context will be modified.
;
; If the context record is used as an IN OUT parameter to capture
; the context of a thread, then only those portionz of the thread's
; context corresponding to set flags will be returned.
;
; The context record is never used as an OUT only parameter.
CONTEXT_ContextFlags DD ?
; This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
; set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT
; included in CONTEXT_FULL:
CONTEXT_Dr0 DD ?
CONTEXT_Dr1 DD ?
CONTEXT_Dr2 DD ?
CONTEXT_Dr3 DD ?
CONTEXT_Dr6 DD ?
CONTEXT_Dr7 DD ?
; This section is specified/returned if the
; ContextFlags word contains the flag CONTEXT_FLOATING_POINT:
CONTEXT_FloatSave FLOATING_SAVE_AREA ?
; This section is specified/returned if the
; ContextFlags word contains the flag CONTEXT_SEGMENTS:
CONTEXT_SegGs DD ?
CONTEXT_SegFs DD ?
CONTEXT_SegEs DD ?
CONTEXT_SegDs DD ?
; This section is specified/returned if the
; ContextFlags word contains the flag CONTEXT_INTEGER:
CONTEXT_Edi DD ?
CONTEXT_Esi DD ?
CONTEXT_Ebx DD ?
CONTEXT_Edx DD ?
CONTEXT_Ecx DD ?
CONTEXT_Eax DD ?
; This section is specified/returned if the
; ContextFlags word contains the flag CONTEXT_CONTROL:
CONTEXT_Ebp DD ?
CONTEXT_Eip DD ?
CONTEXT_SegCs DD ? ; MUST BE SANITIZED
CONTEXT_EFlags DD ? ; MUST BE SANITIZED
CONTEXT_Esp DD ?
CONTEXT_SegSs DD ?
CONTEXT ENDS
; ÄÄ´ Structured Exception Handling (SEH) related stuff ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; This structure is the one pointed to by FS:[0]:
; One node of the per-thread SEH chain whose head is stored at FS:[0]: a link
; to the previous record followed by the handler address. The records live on
; the thread's stack next to ordinary buffers.
; NOTE(review): this layout dates from Windows 95/NT 4. Later Windows versions
; validate the chain and the handler address (SafeSEH, SEHOP) before a handler
; is called - confirm the behaviour on the target OS.
EXCEPTIONREGISTRATIONRECORD STRUC ; != EXCEPTION_RECORD structure
ERR_prev_structure DD EXCEPTIONREGISTRATIONRECORD PTR ?
ERR_ExceptionHandler DD BYTE PTR ? ; CODE PTR
; These are the minimum fieldz required for proper OS operation
; Other undocumented fieldz exist for Microsoft and Borland compilerz
EXCEPTIONREGISTRATIONRECORD ENDS
; Exception record definition:
; Upper bound for ER_NumberParameters and the length of the array below.
EXCEPTION_MAXIMUM_PARAMETERS EQU 15 ; max # of except paramz
; Description of one exception: what happened (code, flags), where
; (ER_ExceptionAddress), an optional link to a nested record, and up to
; EXCEPTION_MAXIMUM_PARAMETERS code-specific dwords. Only the first
; ER_NumberParameters entries of ER_ExceptionInformation are meaningful.
EXCEPTION_RECORD STRUC
ER_ExceptionCode DD ?
ER_ExceptionFlags DD ?
ER_ExceptionRecord DD EXCEPTION_RECORD PTR ?
ER_ExceptionAddress DD BYTE PTR ? ; CODE PTR
ER_NumberParameters DD ?
ER_ExceptionInformation DD EXCEPTION_MAXIMUM_PARAMETERS DUP (?)
EXCEPTION_RECORD ENDS
; Pair of pointers that ties an exception record to the thread context it
; was raised in.
EXCEPTION_POINTERS STRUC
EP_ExceptionRecord DD EXCEPTION_RECORD PTR ?
EP_ContextRecord DD CONTEXT PTR ?
EXCEPTION_POINTERS ENDS
; Other SEH related constantz and return valuez:
; Exception-filter return values (the three outcomes of a C __except filter):
EXCEPTION_EXECUTE_HANDLER EQU 1
EXCEPTION_CONTINUE_SEARCH EQU 0
EXCEPTION_CONTINUE_EXECUTION EQU -1
; Exception codes as reported in ER_ExceptionCode. The list is not sorted by
; value; codes starting with 0C... are errors, those starting with 08... are
; warnings (guard page, breakpoint, single step, misalignment).
EXCEPTION_ACCESS_VIOLATION EQU 0C0000005h
EXCEPTION_DATATYPE_MISALIGNMENT EQU 080000002h
EXCEPTION_BREAKPOINT EQU 080000003h
EXCEPTION_SINGLE_STEP EQU 080000004h
EXCEPTION_ARRAY_BOUNDS_EXCEEDED EQU 0C000008Ch
EXCEPTION_FLT_DENORMAL_OPERAND EQU 0C000008Dh
EXCEPTION_FLT_DIVIDE_BY_ZERO EQU 0C000008Eh
EXCEPTION_FLT_INEXACT_RESULT EQU 0C000008Fh
EXCEPTION_FLT_INVALID_OPERATION EQU 0C0000090h
EXCEPTION_FLT_OVERFLOW EQU 0C0000091h
EXCEPTION_FLT_STACK_CHECK EQU 0C0000092h
EXCEPTION_FLT_UNDERFLOW EQU 0C0000093h
EXCEPTION_INT_DIVIDE_BY_ZERO EQU 0C0000094h
EXCEPTION_INT_OVERFLOW EQU 0C0000095h
EXCEPTION_PRIV_INSTRUCTION EQU 0C0000096h
EXCEPTION_IN_PAGE_ERROR EQU 0C0000006h
EXCEPTION_ILLEGAL_INSTRUCTION EQU 0C000001Dh
EXCEPTION_NONCONTINUABLE_EXCEPTION EQU 0C0000025h
EXCEPTION_STACK_OVERFLOW EQU 0C00000FDh
EXCEPTION_INVALID_DISPOSITION EQU 0C0000026h
EXCEPTION_GUARD_PAGE EQU 080000001h
; Useful structure to access the "Except_Handler" function argumentz:
; Stack overlay valid on entry to an SEH handler: the return address into the
; OS dispatcher followed by the handler's four arguments, in the order of the
; C prototype _except_handler(ExceptionRecord, EstablisherFrame,
; ContextRecord, DispatcherContext). Use it as [esp.EH_xxx] before anything
; else is pushed.
Except_Handler STRUC
EH_Dummy DD ? ; Ret address
EH_ExceptionRecord DD EXCEPTION_RECORD PTR ?
EH_EstablisherFrame DD BYTE PTR ?
EH_ContextRecord DD CONTEXT PTR ?
EH_DispatcherContext DD BYTE PTR ?
Except_Handler ENDS
; The following macroz "@SEH_SetupFrame" and "@SEH_RemoveFrame" are limited
; assembler versionz of the _try and _except keywordz used in C language.
; They provide fast and powerful "Structured Exception Handling" support
; for Win32 applicationz in a few linez of code. Though Microsoft seems
; intent on hiding the details of OS-level structured exception handling,
; this code relies on documented featurez of the Win32 API implementation
; and as such it works in both Windoze 95 and Windoze NT.
; @SEH_SetupFrame ExceptionHandler - register an inline SEH handler.
; How it works, following the instructions below:
;   1. CALL set_new_eh pushes the address of the next instruction; that
;      address becomes the handler field of the new registration record.
;   2. At set_new_eh the previous chain head from FS:[0] is pushed as the
;      link field and FS:[0] is pointed at ESP, i.e. at the new record.
;   3. When an exception reaches this record, the handler code reloads ESP
;      from its EstablisherFrame argument, which puts ESP back on the record,
;      and then runs the ExceptionHandler text supplied by the caller.
; The handler does not return a disposition to the OS dispatcher; it simply
; continues in the same routine with ESP restored.
; Out:   two dwords (link, handler) left on the stack; they must be removed
;        again with the matching frame-removal macro on every path
; Clobb: EDX, flags
; NOTE(review): registers other than ESP are not restored in the handler
; path, so the ExceptionHandler code cannot rely on their contents.
; NOTE(review): written for Windows 95/NT 4; later SEH validation (SafeSEH,
; SEHOP) may reject a handler registered this way - confirm on the target OS.
@SEH_SetupFrame macro ExceptionHandler
local set_new_eh
call set_new_eh
mov esp,[esp.EH_EstablisherFrame]
ExceptionHandler
set_new_eh: xor edx,edx ; Setup new SEH frame
push dword ptr fs:[edx]
mov fs:[edx],esp
endm
; The ExceptionHandler argument in the @SEH_SetupFrame macro definition
; can be a single instruction or another macro containing several of them.
; @SEH_RemoveFrame - unregister the SEH record that is on top of the stack.
; In:    ESP must point at the record (link dword first, handler second)
; Out:   FS:[0] holds the previous chain head again, both dwords are popped
; Clobb: EDX, flags
; If ESP points anywhere else when this runs, an arbitrary dword is written
; to FS:[0] and the thread's handler chain is corrupted, so every code path
; has to keep the stack balanced between setup and removal.
@SEH_RemoveFrame macro
xor edx,edx ; Remove new SEH frame and set old
pop dword ptr fs:[edx]
pop edx
endm
comment #
// Exception disposition return values.
typedef enum _EXCEPTION_DISPOSITION {
ExceptionContinueExecution,
ExceptionContinueSearch,
ExceptionNestedException,
ExceptionCollidedUnwind
} EXCEPTION_DISPOSITION;
EXCEPTION_DISPOSITION __cdecl _except_handler (
struct _EXCEPTION_RECORD *ExceptionRecord,
void * EstablisherFrame,
struct _CONTEXT *ContextRecord,
void * DispatcherContext
);
#
; ÄÄ´ Some Win32 function prototypez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
comment *
HANDLE CreateFileA
(ptr) lpFileName ; ptr to name of file
dwDesiredAccess ; access (read-write) mode
dwShareMode ; share mode
(ptr) lpSecurityAttributes ; ptr to SECURITY_ATTRIBUTES struc
dwCreationDisposition ; how to create
dwFlagsAndAttributes ; file and flag attributez
(hnd) hTemplateFile ; handle to file with attributez to copy
Returns: opened handle if ok, INVALID_HANDLE_VALUE if error.
; dwDesiredAccess valuez:
GENERIC_READ
GENERIC_WRITE
; dwShareMode valuez:
0 ; not shared
FILE_SHARE_READ
FILE_SHARE_WRITE
; dwCreationDisposition valuez:
CREATE_NEW
CREATE_ALWAYS
OPEN_EXISTING
OPEN_ALWAYS
TRUNCATE_EXISTING
; dwFlagsAndAttributes valuez:
FILE_ATTRIBUTE_READONLY
FILE_ATTRIBUTE_HIDDEN
FILE_ATTRIBUTE_SYSTEM
FILE_ATTRIBUTE_ARCHIVE
FILE_ATTRIBUTE_NORMAL
FILE_ATTRIBUTE_COMPRESSED
FILE_FLAG_WRITE_THROUGH
FILE_FLAG_OVERLAPPED
FILE_FLAG_NO_BUFFERING
FILE_FLAG_RANDOM_ACCESS
FILE_FLAG_SEQUENTIAL_SCAN
FILE_FLAG_DELETE_ON_CLOSE
FILE_FLAG_BACKUP_SEMANTICS
FILE_FLAG_POSIX_SEMANTICS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HANDLE CreateFileMappingA
(hnd) hFile ; file handle to map
(ptr) lpFileMappingAttributes ; ptr to SECURITY_ATTRIBUTES struc
flProtect ; protection for mapping object
dwMaximumSizeHigh ; high-order 32 bitz of object size
dwMaximumSizeLow ; low-order 32 bitz of object size
(ptr) lpName ; name of file-mapping object
Returns: handle to file-mapping object if ok, NULL if error.
; flProtect valuez:
PAGE_READONLY
PAGE_READWRITE
PAGE_WRITECOPY
SEC_COMMIT
SEC_IMAGE
SEC_NOCACHE
SEC_RESERVE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LPVOID MapViewOfFile
(hnd) hFileMappingObject ; mapping object to map into address space
dwDesiredAccess ; access mode
dwFileOffsetHigh ; high-order 32 bitz of file offset
dwFileOffsetLow ; low-order 32 bitz of file offset
dwNumberOfBytesToMap ; number of bytez to map
Returns: starting address of the mapped view if ok, NULL if error.
; dwDesiredAccess:
FILE_MAP_WRITE
FILE_MAP_READ
FILE_MAP_ALL_ACCESS
FILE_MAP_COPY
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HANDLE FindFirstFileA
(ptr) lpFileName ; ptr to name of file to search for
(ptr) lpFindFileData ; ptr to WIN32_FIND_DATA struc
Returns: opened handle if ok, INVALID_HANDLE_VALUE if error.
it also fills structure pointed by lpFindFileData on return.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
*
; ÄÄ´ Some macroz for most common functionz ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; @OpenFile - open an existing file, unshared, with caller-chosen access.
; Pushes the seven CreateFileA arguments last-to-first: hTemplateFile = 0,
; FILE_ATTRIBUTE_NORMAL, OPEN_EXISTING, lpSecurityAttributes = NULL,
; dwShareMode = 0, dwDesiredAccess = ECX, lpFileName = EDX.
; Out:   EAX = file handle, or INVALID_HANDLE_VALUE on failure
; Clobb: EAX, plus whatever CreateFileA itself does not preserve
; The macro does not test the result; the caller has to compare EAX with
; INVALID_HANDLE_VALUE before using the handle. CreateFileA must be declared
; by the including source.
@OpenFile macro ; open file with r/o or r/w access, not shared
; on input: ECX = desired access, EDX = pszFileName
xor eax,eax
push eax ; 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push eax ; NULL
push eax ; 0
push ecx ; desired access
push edx ; pszFileName
call CreateFileA
endm
; @OpenFileR pszFileName - open an existing file read-only, unshared.
; Pushes the seven CreateFileA arguments last-to-first: hTemplateFile = 0,
; FILE_ATTRIBUTE_NORMAL, OPEN_EXISTING, lpSecurityAttributes = NULL,
; dwShareMode = 0, dwDesiredAccess = GENERIC_READ, lpFileName = pszFileName.
; pszFileName is pasted into a PUSH, so it must be an operand PUSH accepts.
; Out:   EAX = file handle, or INVALID_HANDLE_VALUE on failure
; Clobb: EAX, plus whatever CreateFileA itself does not preserve
; The macro does not test the result; the caller has to compare EAX with
; INVALID_HANDLE_VALUE before using the handle.
@OpenFileR macro pszFileName ; Open file for r/o access, not shared
xor eax,eax
push eax ; 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push eax ; NULL
push eax ; 0
push GENERIC_READ
push pszFileName
call CreateFileA
endm
; @OpenFileW pszFileName - open an existing file for read/write, unshared.
; Pushes the seven CreateFileA arguments last-to-first: hTemplateFile = 0,
; FILE_ATTRIBUTE_NORMAL, OPEN_EXISTING, lpSecurityAttributes = NULL,
; dwShareMode = 0, dwDesiredAccess = GENERIC_READ OR GENERIC_WRITE,
; lpFileName = pszFileName.
; pszFileName is pasted into a PUSH, so it must be an operand PUSH accepts.
; Out:   EAX = file handle, or INVALID_HANDLE_VALUE on failure
; Clobb: EAX, plus whatever CreateFileA itself does not preserve
; The macro does not test the result; the caller has to compare EAX with
; INVALID_HANDLE_VALUE before using the handle.
@OpenFileW macro pszFileName ; Open file for r/w access, not shared
xor eax,eax
push eax ; 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push eax ; NULL
push eax ; 0
push GENERIC_READ OR GENERIC_WRITE
push pszFileName
call CreateFileA
endm