; 内存补丁例子一:对 Test.exe 进行内存补丁
.386 .model flat, stdcall option casemap :none
include windows.inc include user32.inc include kernel32.inc includelib user32.lib includelib kernel32.lib
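;-----------------------------------------------------------------------
; Memory-patch example 1: patch Test.exe in memory.
; Target: 32-bit Windows, MASM, flat model, stdcall (see directives above).
; Flow: create the target suspended, read the PATCH_BYTES bytes at
; PATCH_POSITION, compare them with the expected original bytes (dbPatch),
; and only then write dbPatched and resume the main thread. Any failure
; or mismatch terminates the suspended target and reports it, so the
; target is never left suspended and a different build is never patched.
;-----------------------------------------------------------------------
PATCH_POSITION  equ 00401004h           ; linear address of the patch site
                                        ; (assumes Test.exe is mapped at its
                                        ; preferred base; the original-bytes
                                        ; check below guards a mismatch)
PATCH_BYTES     equ 2                   ; number of bytes to verify and patch

.data?
dbOldBytes      db PATCH_BYTES dup (?)  ; read-back buffer for the patch site
stStartUp       STARTUPINFO <?>
stProcInfo      PROCESS_INFORMATION <?>

.const
dbPatch         db 74h,15h              ; expected original bytes (PATCH_BYTES long)
dbPatched       db 90h,90h              ; replacement bytes (PATCH_BYTES long)
szExecFilename  db 'Test.exe',0         ; passed as lpApplicationName, so it is
                                        ; looked up in the current directory only
szErrExec       db '无法装载执行文件!',0
szErrRead       db '无法读取进程内存!',0      ; ReadProcessMemory failed
szErrVersion    db '执行文件的版本不正确,无法修正!',0
szErrWrite      db '无法写入进程内存!',0      ; WriteProcessMemory failed

.code
;-----------------------------------------------------------------------
; Start - program entry point.
; Registers: eax = API return values; ecx/esi/edi = scratch for the byte
;            compare. Exit code is always 0 (ExitProcess,NULL).
;-----------------------------------------------------------------------
Start:
        ; Create the target suspended so it can be modified before any of
        ; its own code runs.
        invoke  GetStartupInfo,addr stStartUp
        invoke  CreateProcess,offset szExecFilename,NULL,NULL,NULL,NULL,\
                NORMAL_PRIORITY_CLASS or CREATE_SUSPENDED,NULL,NULL,\
                offset stStartUp,offset stProcInfo
        .if eax
            ; Read the bytes at the patch site so they can be verified
            ; before anything is written.
            invoke  ReadProcessMemory,stProcInfo.hProcess,PATCH_POSITION,\
                    addr dbOldBytes,PATCH_BYTES,NULL
            .if eax
                ; Compare all PATCH_BYTES bytes (not a fixed word) so the
                ; check stays correct if PATCH_BYTES is changed.
                cld
                mov     ecx,PATCH_BYTES
                lea     esi,dbOldBytes
                lea     edi,dbPatch
                repe    cmpsb
                .if ZERO?
                    invoke  WriteProcessMemory,stProcInfo.hProcess,\
                            PATCH_POSITION,addr dbPatched,PATCH_BYTES,NULL
                    .if eax
                        ; Patched: let the target run.
                        invoke  ResumeThread,stProcInfo.hThread
                    .else
                        ; Write failed: do not run an unpatched target silently.
                        invoke  TerminateProcess,stProcInfo.hProcess,-1
                        invoke  MessageBox,NULL,addr szErrWrite,NULL,MB_OK or MB_ICONSTOP
                    .endif
                .else
                    ; Bytes differ: wrong build of Test.exe, refuse to patch.
                    invoke  TerminateProcess,stProcInfo.hProcess,-1
                    invoke  MessageBox,NULL,addr szErrVersion,NULL,MB_OK or MB_ICONSTOP
                .endif
            .else
                ; Read failed: terminate the still-suspended target instead of
                ; leaving it hanging with its handles closed.
                invoke  TerminateProcess,stProcInfo.hProcess,-1
                invoke  MessageBox,NULL,addr szErrRead,NULL,MB_OK or MB_ICONSTOP
            .endif
            ; Release both handles on every path; a resumed target keeps running.
            invoke  CloseHandle,stProcInfo.hProcess
            invoke  CloseHandle,stProcInfo.hThread
        .else
            invoke  MessageBox,NULL,addr szErrExec,NULL,MB_OK or MB_ICONSTOP
        .endif
        invoke  ExitProcess,NULL
end Start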
