Memory patch Example 1: Use a memory patch for test.exe
                .386
                .model flat, stdcall
                option casemap:none

include         windows.inc
include         user32.inc
include         kernel32.inc
includelib      user32.lib
includelib      kernel32.lib

PATCH_POSITION  equ     00401004h       ; linear address of the patch position
PATCH_BYTES     equ     2               ; number of bytes to patch

                .data?
dbOldBytes      db      PATCH_BYTES dup (?)     ; read buffer
stStartUp       STARTUPINFO <?>
stProcInfo      PROCESS_INFORMATION <?>

                .const
dbPatch         db      74h, 15h        ; original content
dbPatched       db      90h, 90h        ; patch content
szExecFileName  db      'test.exe', 0   ; file name
szErrExec       db      'The execution file cannot be loaded!', 0
szErrVersion    db      'The version of the execution file is incorrect and cannot be corrected!', 0

                .code
start:
; Create the process suspended: it is paused on creation, patched, then resumed
                invoke  GetStartupInfo, addr stStartUp
                invoke  CreateProcess, offset szExecFileName, NULL, NULL, NULL, NULL, \
                        NORMAL_PRIORITY_CLASS or CREATE_SUSPENDED, NULL, NULL, \
                        offset stStartUp, offset stProcInfo
                .if     eax
; Read the process memory and verify that the content is correct
                    invoke  ReadProcessMemory, stProcInfo.hProcess, PATCH_POSITION, \
                            addr dbOldBytes, PATCH_BYTES, NULL
                    .if     eax
                        mov     ax, word ptr dbOldBytes
                        .if     ax == word ptr dbPatch          ; verification
; Expected bytes found: write the patch and let the process run
                            invoke  WriteProcessMemory, stProcInfo.hProcess, \
                                    PATCH_POSITION, addr dbPatched, PATCH_BYTES, NULL
                            invoke  ResumeThread, stProcInfo.hThread
                        .else
; Unexpected bytes: wrong version of the file, do not patch
                            invoke  TerminateProcess, stProcInfo.hProcess, -1
                            invoke  MessageBox, NULL, addr szErrVersion, NULL, MB_OK or MB_ICONSTOP
                        .endif
                    .endif
                    invoke  CloseHandle, stProcInfo.hProcess
                    invoke  CloseHandle, stProcInfo.hThread
                .else
                    invoke  MessageBox, NULL, addr szErrExec, NULL, MB_OK or MB_ICONSTOP
                .endif
                invoke  ExitProcess, NULL
                end     start