
#    This file is part of Metasm, the Ruby assembly manipulation suite
#    Copyright (C) 2006-2009 Yoann GUILLOT
#
#    Licence is LGPL, see LICENCE in the top-level directory


require 'metasm'
Metasm.require 'samples/metasm-shell'

include Metasm

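# Live disassembly of the entrypoint of a running Win32 process.
#
# Usage: ruby win32livedasm.rb <process name or pid>
# When no process matches the argument (or no argument is given), the
# list of visible processes is printed instead so a target can be chosen.

# open target
# reading another process' memory needs the debug privilege; find_process
# turns the command-line argument into a process handle (nil if not found)
WinOS.get_debug_privilege
pr = WinOS.find_process(ARGV.first)
unless pr
	# no usable target: list candidates sorted by pid and stop
	puts WinOS.list_processes.sort_by(&:pid)
	exit
end

# retrieve the pe load address
# NOTE(review): assumes the first module entry is the main executable image - confirm
baseaddr = pr.modules.first.addr

# decode the COFF headers
# read 1MB of the target's image from its load address and parse the PE headers
pe = Metasm::LoadedPE.load pr.memory[baseaddr, 0x100000]
pe.decode_header

# get the entrypoint address
# entrypoint is an RVA in the optional header; rebase it on the actual load address
eip = baseaddr + pe.label_rva(pe.optheader.entrypoint)

# use degraded disasm mode: assume all calls will return
# every opcode carrying :saveip (call-like) loses :stopexec so the linear
# disassembly continues past it; this mutates the shared cpu opcode list
String.cpu.opcode_list.each { |op| op.props.delete :stopexec if op.props[:saveip] }

# disassemble & dump opcodes
# 0x100 bytes starting at the entrypoint; NOTE(review): if the entrypoint lies
# beyond the 1MB read above, encoded[...] could be nil - confirm
puts pe.encoded[pe.optheader.entrypoint, 0x100].data.decode(eip)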
