diff --git a/NewLife.Core/Reflection/AsmX86.cs b/NewLife.Core/Reflection/AsmX86.cs
new file mode 100644
index 0000000..d9ad9c0
--- /dev/null
+++ b/NewLife.Core/Reflection/AsmX86.cs
@@ -0,0 +1,1633 @@
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+using NewLife.Security;
+
+namespace NewLife.Reflection
+{
+ /// <summary>X86内联汇编</summary>
+ public class AsmX86
+ {
+ #region 原生WinApi
+ [DllImport("kernel32.dll", EntryPoint = "CloseHandle")]
+ static extern Int32 CloseHandle(Int32 hObject);
+
+ [DllImport("kernel32.dll")]
+ static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] Byte[] buffer, Int32 size, out IntPtr lpNumberOfBytesWritten);
+
+ [DllImport("kernel32.dll")]
+ static extern Int32 WriteProcessMemory(Int32 hProcess, Int32 lpBaseAddress, Byte[] buffer, Int32 size, Int32 lpNumberOfBytesWritten);
+
+ [DllImport("kernel32", EntryPoint = "CreateRemoteThread")]
+ static extern Int32 CreateRemoteThread(Int32 hProcess, Int32 lpThreadAttributes, Int32 dwStackSize, Int32 lpStartAddress, Int32 lpParameter, Int32 dwCreationFlags, ref Int32 lpThreadId);
+
+ [DllImport("Kernel32.dll")]
+ static extern System.Int32 VirtualAllocEx(IntPtr hProcess, Int32 lpAddress, Int32 dwSize, Int16 flAllocationType, Int16 flProtect);
+
+ [DllImport("Kernel32.dll")]
+ static extern System.Int32 VirtualAllocEx(Int32 hProcess, Int32 lpAddress, Int32 dwSize, Int32 flAllocationType, Int32 flProtect);
+
+ [DllImport("Kernel32.dll")]
+ static extern System.Int32 VirtualFreeEx(Int32 hProcess, Int32 lpAddress, Int32 dwSize, Int32 flAllocationType);
+
+ [DllImport("kernel32.dll", EntryPoint = "OpenProcess")]
+ static extern Int32 OpenProcess(Int32 dwDesiredAccess, Int32 bInheritHandle, Int32 dwProcessId);
+ #endregion
+
+ #region 常量
+ private const Int32 PAGE_EXECUTE_READWRITE = 0x4;
+ private const Int32 MEM_COMMIT = 4096;
+ private const Int32 MEM_RELEASE = 0x8000;
+ private const Int32 MEM_DECOMMIT = 0x4000;
+ private const Int32 PROCESS_ALL_ACCESS = 0x1F0FFF;
+ private const Int32 PROCESS_CREATE_THREAD = 0x2;
+ private const Int32 PROCESS_VM_OPERATION = 0x8;
+ private const Int32 PROCESS_VM_WRITE = 0x20;
+ #endregion
+
+ /// <summary>汇编代码</summary>
+ StringBuilder Builder = new StringBuilder();
+
+ String intTohex(Int32 value, Int32 num)
+ {
+ String str1;
+ String str2 = "";
+ str1 = "0000000" + value.ToString("X");
+ str1 = str1.Substring(str1.Length - num, num);
+ for (Int32 i = 0; i < str1.Length / 2; i++)
+ {
+ str2 = str2 + str1.Substring(str1.Length - 2 - 2 * i, 2);
+ }
+ return str2;
+ }
+
+ /// <summary>Sub ESP</summary>
+ /// <param name="addre"></param>
+ /// <returns></returns>
+ public AsmX86 SUB_ESP(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ {
+ Builder.Append("83EC" + intTohex(addre, 2));
+ }
+ else
+ {
+ Builder.Append("81EC" + intTohex(addre, 8));
+ }
+
+ return this;
+ }
+
+ public AsmX86 Nop()
+ {
+ Builder.Append("90");
+
+ return this;
+ }
+
+ public AsmX86 RetA(Int32 addre)
+ {
+ Builder.Append(intTohex(addre, 4));
+
+ return this;
+ }
+
+ public AsmX86 IN_AL_DX()
+ {
+ Builder.Append("EC");
+
+ return this;
+ }
+
+ public AsmX86 TEST_EAX_EAX()
+ {
+ Builder.Append("85C0");
+
+ return this;
+ }
+
+ public AsmX86 Leave()
+ {
+ Builder.Append("C9");
+
+ return this;
+ }
+
+ public AsmX86 Pushad()
+ {
+ Builder.Append("60");
+
+ return this;
+ }
+
+ public AsmX86 Popad()
+ {
+ Builder.Append("61");
+
+ return this;
+ }
+
+ public AsmX86 Ret()
+ {
+ Builder.Append("C3");
+
+ return this;
+ }
+
+ #region ADD
+ public AsmX86 Add_EAX_EDX()
+ {
+ Builder.Append("03C2");
+
+ return this;
+ }
+
+ public void Add_EBX_EAX()
+ {
+ Builder.Append("03D8");
+ }
+
+ public void Add_EAX_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("0305" + intTohex(addre, 8));
+ }
+
+ public void Add_EBX_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("031D" + intTohex(addre, 8));
+ }
+
+ public void Add_EBP_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("032D" + intTohex(addre, 8));
+ }
+
+ public void Add_EAX(Int32 addre)
+ {
+ Builder.Append("05" + intTohex(addre, 8));
+ }
+
+ public void Add_EBX(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("83C3" + intTohex(addre, 2));
+ else
+ Builder.Append("81C3" + intTohex(addre, 8));
+ }
+
+ public void Add_ECX(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("83C1" + intTohex(addre, 2));
+ else
+ Builder.Append("81C1" + intTohex(addre, 8));
+ }
+
+ public void Add_EDX(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("83C2" + intTohex(addre, 2));
+ else
+ Builder.Append("81C2" + intTohex(addre, 8));
+ }
+
+ public void Add_ESI(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("83C6" + intTohex(addre, 2));
+ else
+ Builder.Append("81C6" + intTohex(addre, 8));
+ }
+
+ public void Add_ESP(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("83C4" + intTohex(addre, 2));
+ else
+ Builder.Append("81C4" + intTohex(addre, 8));
+ }
+ #endregion
+
+ #region mov
+
+ public void Mov_DWORD_Ptr_EAX_ADD(Int32 addre, Int32 addre1)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ {
+ Builder.Append("C740" + intTohex(addre, 2) + intTohex(addre1, 8));
+ }
+ else
+ {
+ Builder.Append("C780" + intTohex(addre, 8) + intTohex(addre1, 8));
+ }
+ }
+
+ public void Mov_DWORD_Ptr_ESP_ADD(Int32 addre, Int32 addre1)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ {
+ Builder.Append("C74424" + intTohex(addre, 2) + intTohex(addre1, 8));
+ }
+ else
+ {
+ Builder.Append("C78424" + intTohex(addre, 8) + intTohex(addre1, 8));
+ }
+ }
+
+ public void Mov_DWORD_Ptr_ESP_ADD_EAX(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ {
+ Builder.Append("894424" + intTohex(addre, 2));
+ }
+ else
+ {
+ Builder.Append("898424" + intTohex(addre, 8));
+ }
+ }
+
+ public void Mov_DWORD_Ptr_ESP(Int32 addre)
+ {
+ Builder.Append("C70424" + intTohex(addre, 8));
+ }
+
+ public void Mov_DWORD_Ptr_EAX(Int32 addre)
+ {
+ Builder.Append("A3" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("8B1D" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("8B0D" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("A1" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("8B15" + intTohex(addre, 8));
+ }
+
+ public void Mov_ESI_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("8B35" + intTohex(addre, 8));
+ }
+
+ public void Mov_ESP_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("8B25" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBP_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("8B2D" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EAX(Int32 addre)
+ {
+ Builder.Append("8B00");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EAX()
+ {
+ Builder.Append("8B00");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EBP()
+ {
+ Builder.Append("8B4500");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EBX()
+ {
+ Builder.Append("8B03");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_ECX()
+ {
+ Builder.Append("8B01");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EDX()
+ {
+ Builder.Append("8B02");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EDI()
+ {
+ Builder.Append("8B07");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_ESP()
+ {
+ Builder.Append("8B0424");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_ESI()
+ {
+ Builder.Append("8B06");
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ {
+ Builder.Append("8B40" + intTohex(addre, 2));
+ }
+ else
+ {
+ Builder.Append("8B80" + intTohex(addre, 8));
+ }
+ }
+
+ public void Mov_EAX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B4424" + intTohex(addre, 2));
+ else
+ Builder.Append("8B8424" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B43" + intTohex(addre, 2));
+ else
+ Builder.Append("8B83" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B41" + intTohex(addre, 2));
+ else
+ Builder.Append("8B81" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B42" + intTohex(addre, 2));
+ else
+ Builder.Append("8B82" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B47" + intTohex(addre, 2));
+ else
+ Builder.Append("8B87" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B45" + intTohex(addre, 2));
+ else
+ Builder.Append("8B85" + intTohex(addre, 8));
+ }
+
+ public void Mov_EAX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B46" + intTohex(addre, 2));
+ else
+ Builder.Append("8B86" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B58" + intTohex(addre, 2));
+ else
+ Builder.Append("8B98" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B5C24" + intTohex(addre, 2));
+ else
+ Builder.Append("8B9C24" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B5B" + intTohex(addre, 2));
+ else
+ Builder.Append("8B9B" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B59" + intTohex(addre, 2));
+ else
+ Builder.Append("8B99" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B5A" + intTohex(addre, 2));
+ else
+ Builder.Append("8B9A" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B5F" + intTohex(addre, 2));
+ else
+ Builder.Append("8B9F" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B5D" + intTohex(addre, 2));
+ else
+ Builder.Append("8B9D" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B5E" + intTohex(addre, 2));
+ else
+ Builder.Append("8B9E" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B48" + intTohex(addre, 2));
+ else
+ Builder.Append("8B88" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B4C24" + intTohex(addre, 2));
+ else
+ Builder.Append("8B8C24" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B4B" + intTohex(addre, 2));
+ else
+ Builder.Append("8B8B" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B49" + intTohex(addre, 2));
+ else
+ Builder.Append("8B89" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B4A" + intTohex(addre, 2));
+ else
+ Builder.Append("8B8A" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B4F" + intTohex(addre, 2));
+ else
+ Builder.Append("8B8F" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B4D" + intTohex(addre, 2));
+ else
+ Builder.Append("8B8D" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B4E" + intTohex(addre, 2));
+ else
+ Builder.Append("8B8E" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B50" + intTohex(addre, 2));
+ else
+ Builder.Append("8B90" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B5424" + intTohex(addre, 2));
+ else
+ Builder.Append("8B9424" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B53" + intTohex(addre, 2));
+ else
+ Builder.Append("8B93" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B51" + intTohex(addre, 2));
+ else
+ Builder.Append("8B91" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B52" + intTohex(addre, 2));
+ else
+ Builder.Append("8B92" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B57" + intTohex(addre, 2));
+ else
+ Builder.Append("8B97" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B55" + intTohex(addre, 2));
+ else
+ Builder.Append("8B95" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8B56" + intTohex(addre, 2));
+ else
+ Builder.Append("8B96" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX_EAX()
+ {
+ Builder.Append("8BC8");
+ }
+
+ public void Mov_EAX(Int32 addre)
+ {
+ Builder.Append("B8" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBX(Int32 addre)
+ {
+ Builder.Append("BB" + intTohex(addre, 8));
+ }
+
+ public void Mov_ECX(Int32 addre)
+ {
+ Builder.Append("B9" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDX(Int32 addre)
+ {
+ Builder.Append("BA" + intTohex(addre, 8));
+ }
+
+ public void Mov_ESI(Int32 addre)
+ {
+ Builder.Append("BE" + intTohex(addre, 8));
+ }
+
+ public void Mov_ESP(Int32 addre)
+ {
+ Builder.Append("BC" + intTohex(addre, 8));
+ }
+
+ public void Mov_EBP(Int32 addre)
+ {
+ Builder.Append("BD" + intTohex(addre, 8));
+ }
+
+ public void Mov_EDI(Int32 addre)
+ {
+ Builder.Append("BF" + intTohex(addre, 8));
+ }
+
+ public void Mov_ESI_DWORD_Ptr_EAX()
+ {
+ Builder.Append("8B7020");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EAX()
+ {
+ Builder.Append("8B18");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EBP()
+ {
+ Builder.Append("8B5D00");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EBX()
+ {
+ Builder.Append("8B1B");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_ECX()
+ {
+ Builder.Append("8B19");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EDX()
+ {
+ Builder.Append("8B1A");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_EDI()
+ {
+ Builder.Append("8B1F");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_ESP()
+ {
+ Builder.Append("8B1C24");
+ }
+
+ public void Mov_EBX_DWORD_Ptr_ESI()
+ {
+ Builder.Append("8B1E");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EAX()
+ {
+ Builder.Append("8B08");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EBP()
+ {
+ Builder.Append("8B4D00");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EBX()
+ {
+ Builder.Append("8B0B");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_ECX()
+ {
+ Builder.Append("8B09");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EDX()
+ {
+ Builder.Append("8B0A");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_EDI()
+ {
+ Builder.Append("8B0F");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_ESP()
+ {
+ Builder.Append("8B0C24");
+ }
+
+ public void Mov_ECX_DWORD_Ptr_ESI()
+ {
+ Builder.Append("8B0E");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EAX()
+ {
+ Builder.Append("8B10");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EBP()
+ {
+ Builder.Append("8B5500");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EBX()
+ {
+ Builder.Append("8B13");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_ECX()
+ {
+ Builder.Append("8B11");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EDX()
+ {
+ Builder.Append("8B12");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_EDI()
+ {
+ Builder.Append("8B17");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_ESI()
+ {
+ Builder.Append("8B16");
+ }
+
+ public void Mov_EDX_DWORD_Ptr_ESP()
+ {
+ Builder.Append("8B1424");
+ }
+
+ public void Mov_EAX_EBP()
+ {
+ Builder.Append("8BC5");
+ }
+
+ public void Mov_EAX_EBX()
+ {
+ Builder.Append("8BC3");
+ }
+
+ public void Mov_EAX_ECX()
+ {
+ Builder.Append("8BC1");
+ }
+
+ public void Mov_EAX_EDI()
+ {
+ Builder.Append("8BC7");
+ }
+
+ public void Mov_EAX_EDX()
+ {
+ Builder.Append("8BC2");
+ }
+
+ public void Mov_EAX_ESI()
+ {
+ Builder.Append("8BC6");
+ }
+
+ public void Mov_EAX_ESP()
+ {
+ Builder.Append("8BC4");
+ }
+
+ public void Mov_EBX_EBP()
+ {
+ Builder.Append("8BDD");
+ }
+
+ public void Mov_EBX_EAX()
+ {
+ Builder.Append("8BD8");
+ }
+
+ public void Mov_EBX_ECX()
+ {
+ Builder.Append("8BD9");
+ }
+
+ public void Mov_EBX_EDI()
+ {
+ Builder.Append("8BDF");
+ }
+
+ public void Mov_EBX_EDX()
+ {
+ Builder.Append("8BDA");
+ }
+
+ public void Mov_EBX_ESI()
+ {
+ Builder.Append("8BDE");
+ }
+
+ public void Mov_EBX_ESP()
+ {
+ Builder.Append("8BDC");
+ }
+
+ public void Mov_ECX_EBP()
+ {
+ Builder.Append("8BCD");
+ }
+
+ /* public void Mov_ECX_EAX()
+ {
+ Builder.Append("8BC8");
+ }*/
+
+ public void Mov_ECX_EBX()
+ {
+ Builder.Append("8BCB");
+ }
+
+ public void Mov_ECX_EDI()
+ {
+ Builder.Append("8BCF");
+ }
+
+ public void Mov_ECX_EDX()
+ {
+ Builder.Append("8BCA");
+ }
+
+ public void Mov_ECX_ESI()
+ {
+ Builder.Append("8BCE");
+ }
+
+ public void Mov_ECX_ESP()
+ {
+ Builder.Append("8BCC");
+ }
+
+ public void Mov_EDX_EBP()
+ {
+ Builder.Append("8BD5");
+ }
+
+ public void Mov_EDX_EBX()
+ {
+ Builder.Append("8BD3");
+ }
+
+ public void Mov_EDX_ECX()
+ {
+ Builder.Append("8BD1");
+ }
+
+ public void Mov_EDX_EDI()
+ {
+ Builder.Append("8BD7");
+ }
+
+ public void Mov_EDX_EAX()
+ {
+ Builder.Append("8BD0");
+ }
+
+ public void Mov_EDX_ESI()
+ {
+ Builder.Append("8BD6");
+ }
+
+ public void Mov_EDX_ESP()
+ {
+ Builder.Append("8BD4");
+ }
+
+ public void Mov_ESI_EBP()
+ {
+ Builder.Append("8BF5");
+ }
+
+ public void Mov_ESI_EBX()
+ {
+ Builder.Append("8BF3");
+ }
+
+ public void Mov_ESI_ECX()
+ {
+ Builder.Append("8BF1");
+ }
+
+ public void Mov_ESI_EDI()
+ {
+ Builder.Append("8BF7");
+ }
+
+ public void Mov_ESI_EAX()
+ {
+ Builder.Append("8BF0");
+ }
+
+ public void Mov_ESI_EDX()
+ {
+ Builder.Append("8BF2");
+ }
+
+ public void Mov_ESI_ESP()
+ {
+ Builder.Append("8BF4");
+ }
+
+ public void Mov_ESP_EBP()
+ {
+ Builder.Append("8BE5");
+ }
+
+ public void Mov_ESP_EBX()
+ {
+ Builder.Append("8BE3");
+ }
+
+ public void Mov_ESP_ECX()
+ {
+ Builder.Append("8BE1");
+ }
+
+ public void Mov_ESP_EDI()
+ {
+ Builder.Append("8BE7");
+ }
+
+ public void Mov_ESP_EAX()
+ {
+ Builder.Append("8BE0");
+ }
+
+ public void Mov_ESP_EDX()
+ {
+ Builder.Append("8BE2");
+ }
+
+ public void Mov_ESP_ESI()
+ {
+ Builder.Append("8BE6");
+ }
+
+ public void Mov_EDI_EBP()
+ {
+ Builder.Append("8BFD");
+ }
+
+ public void Mov_EDI_EAX()
+ {
+ Builder.Append("8BF8");
+ }
+
+ public void Mov_EDI_EBX()
+ {
+ Builder.Append("8BFB");
+ }
+
+ public void Mov_EDI_ECX()
+ {
+ Builder.Append("8BF9");
+ }
+
+ public void Mov_EDI_EDX()
+ {
+ Builder.Append("8BFA");
+ }
+
+ public void Mov_EDI_ESI()
+ {
+ Builder.Append("8BFE");
+ }
+
+ public void Mov_EDI_ESP()
+ {
+ Builder.Append("8BFC");
+ }
+
+ public void Mov_EBP_EDI()
+ {
+ Builder.Append("8BDF");
+ }
+
+ public void Mov_EBP_EAX()
+ {
+ Builder.Append("8BE8");
+ }
+
+ public void Mov_EBP_EBX()
+ {
+ Builder.Append("8BEB");
+ }
+
+ public void Mov_EBP_ECX()
+ {
+ Builder.Append("8BE9");
+ }
+
+ public void Mov_EBP_EDX()
+ {
+ Builder.Append("8BEA");
+ }
+
+ public void Mov_EBP_ESI()
+ {
+ Builder.Append("8BEE");
+ }
+
+ public void Mov_EBP_ESP()
+ {
+ Builder.Append("8BEC");
+ }
+ #endregion
+
+ #region Push
+ public void Push68(Int32 addre)
+ {
+ Builder.Append("68" + intTohex(addre, 8));
+
+ }
+
+ public void Push6A(Int32 addre)
+ {
+ Builder.Append("6A" + intTohex(addre, 2));
+ }
+
+ public void Push_EAX()
+ {
+ Builder.Append("50");
+ }
+
+ public void Push_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("FF35" + intTohex(addre, 8));
+ }
+
+ public void Push_ECX()
+ {
+ Builder.Append("51");
+ }
+
+ public void Push_EDX()
+ {
+ Builder.Append("52");
+ }
+
+ public void Push_EBX()
+ {
+ Builder.Append("53");
+ }
+
+ public void Push_ESP()
+ {
+ Builder.Append("54");
+ }
+
+ public void Push_EBP()
+ {
+ Builder.Append("55");
+ }
+
+ public void Push_ESI()
+ {
+ Builder.Append("56");
+ }
+
+ public void Push_EDI()
+ {
+ Builder.Append("57");
+ }
+ #endregion
+
+ #region Call
+ public void Call_EAX()
+ {
+ Builder.Append("FFD0");
+ }
+
+ public void Call_EBX()
+ {
+ Builder.Append("FFD3");
+ }
+
+ public void Call_ECX()
+ {
+ Builder.Append("FFD1");
+ }
+
+ public void Call_EDX()
+ {
+ Builder.Append("FFD2");
+ }
+
+ public void Call_ESI()
+ {
+ Builder.Append("FFD2");
+ }
+
+ public void Call_ESP()
+ {
+ Builder.Append("FFD4");
+ }
+
+ public void Call_EBP()
+ {
+ Builder.Append("FFD5");
+ }
+
+ public void Call_EDI()
+ {
+ Builder.Append("FFD7");
+ }
+
+ public void Call_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("FF15" + intTohex(addre, 8));
+ }
+
+ public void Call_DWORD_Ptr_EAX()
+ {
+ Builder.Append("FF10");
+ }
+
+ public void Call_DWORD_Ptr_EBX()
+ {
+ Builder.Append("FF13");
+ }
+ #endregion
+
+ #region Lea
+ public void Lea_EAX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D40" + intTohex(addre, 2));
+ else
+ Builder.Append("8D80" + intTohex(addre, 8));
+ }
+
+ public void Lea_EAX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D43" + intTohex(addre, 2));
+ else
+ Builder.Append("8D83" + intTohex(addre, 8));
+ }
+
+ public void Lea_EAX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D41" + intTohex(addre, 2));
+ else
+ Builder.Append("8D81" + intTohex(addre, 8));
+ }
+
+ public void Lea_EAX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D42" + intTohex(addre, 2));
+ else
+ Builder.Append("8D82" + intTohex(addre, 8));
+ }
+
+ public void Lea_EAX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D46" + intTohex(addre, 2));
+ else
+ Builder.Append("8D86" + intTohex(addre, 8));
+ }
+
+ public void Lea_EAX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D40" + intTohex(addre, 2));
+ else
+ Builder.Append("8D80" + intTohex(addre, 8));
+ }
+
+ public void Lea_EAX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D4424" + intTohex(addre, 2));
+ else
+ Builder.Append("8D8424" + intTohex(addre, 8));
+ }
+
+ public void Lea_EAX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D47" + intTohex(addre, 2));
+ else
+ Builder.Append("8D87" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D58" + intTohex(addre, 2));
+ else
+ Builder.Append("8D98" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D5C24" + intTohex(addre, 2));
+ else
+ Builder.Append("8D9C24" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D5B" + intTohex(addre, 2));
+ else
+ Builder.Append("8D9B" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D59" + intTohex(addre, 2));
+ else
+ Builder.Append("8D99" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D5A" + intTohex(addre, 2));
+ else
+ Builder.Append("8D9A" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D5F" + intTohex(addre, 2));
+ else
+ Builder.Append("8D9F" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D5D" + intTohex(addre, 2));
+ else
+ Builder.Append("8D9D" + intTohex(addre, 8));
+ }
+
+ public void Lea_EBX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D5E" + intTohex(addre, 2));
+ else
+ Builder.Append("8D9E" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D48" + intTohex(addre, 2));
+ else
+ Builder.Append("8D88" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D4C24" + intTohex(addre, 2));
+ else
+ Builder.Append("8D8C24" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D4B" + intTohex(addre, 2));
+ else
+ Builder.Append("8D8B" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D49" + intTohex(addre, 2));
+ else
+ Builder.Append("8D89" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D4A" + intTohex(addre, 2));
+ else
+ Builder.Append("8D8A" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D4F" + intTohex(addre, 2));
+ else
+ Builder.Append("8D8F" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D4D" + intTohex(addre, 2));
+ else
+ Builder.Append("8D8D" + intTohex(addre, 8));
+ }
+
+ public void Lea_ECX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D4E" + intTohex(addre, 2));
+ else
+ Builder.Append("8D8E" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_EAX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D50" + intTohex(addre, 2));
+ else
+ Builder.Append("8D90" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_ESP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D5424" + intTohex(addre, 2));
+ else
+ Builder.Append("8D9424" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_EBX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D53" + intTohex(addre, 2));
+ else
+ Builder.Append("8D93" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_ECX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D51" + intTohex(addre, 2));
+ else
+ Builder.Append("8D91" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_EDX_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D52" + intTohex(addre, 2));
+ else
+ Builder.Append("8D92" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_EDI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D57" + intTohex(addre, 2));
+ else
+ Builder.Append("8D97" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_EBP_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D55" + intTohex(addre, 2));
+ else
+ Builder.Append("8D95" + intTohex(addre, 8));
+ }
+
+ public void Lea_EDX_DWORD_Ptr_ESI_Add(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("8D56" + intTohex(addre, 2));
+ else
+ Builder.Append("8D96" + intTohex(addre, 8));
+ }
+ #endregion
+
+ #region POP
+ public void Pop_EAX()
+ {
+ Builder.Append("58");
+ }
+
+ public void Pop_EBX()
+ {
+ Builder.Append("5B");
+ }
+
+ public void Pop_ECX()
+ {
+ Builder.Append("59");
+ }
+
+ public void Pop_EDX()
+ {
+ Builder.Append("5A");
+ }
+
+ public void Pop_ESI()
+ {
+ Builder.Append("5E");
+ }
+
+ public void Pop_ESP()
+ {
+ Builder.Append("5C");
+ }
+
+ public void Pop_EDI()
+ {
+ Builder.Append("5F");
+ }
+
+ public void Pop_EBP()
+ {
+ Builder.Append("5D");
+ }
+ #endregion
+
+ #region CMP
+ public void Cmp_EAX(Int32 addre)
+ {
+ if ((addre <= 127) && (addre >= -128))
+ Builder.Append("83F8" + intTohex(addre, 2));
+ else
+ Builder.Append("3D" + intTohex(addre, 8));
+ }
+
+ public void Cmp_EAX_EDX()
+ {
+ Builder.Append("3BC2");
+ }
+
+ public void Cmp_EAX_DWORD_Ptr(Int32 addre)
+ {
+ Builder.Append("3B05" + intTohex(addre, 8));
+ }
+
+ public void Cmp_DWORD_Ptr_EAX(Int32 addre)
+ {
+ Builder.Append("3905" + intTohex(addre, 8));
+ }
+ #endregion
+
+ #region DEC
+ public void Dec_EAX()
+ {
+ Builder.Append("48");
+ }
+
+ public void Dec_EBX()
+ {
+ Builder.Append("4B");
+ }
+
+ public void Dec_ECX()
+ {
+ Builder.Append("49");
+ }
+
+ public void Dec_EDX()
+ {
+ Builder.Append("4A");
+ }
+ #endregion
+
+ #region idiv
+ public void Idiv_EAX()
+ {
+ Builder.Append("F7F8");
+ }
+
+ public void Idiv_EBX()
+ {
+ Builder.Append("F7FB");
+ }
+
+ public void Idiv_ECX()
+ {
+ Builder.Append("F7F9");
+ }
+
+ public void Idiv_EDX()
+ {
+ Builder.Append("F7FA");
+ }
+ #endregion
+
+ #region Imul
+ public void Imul_EAX_EDX()
+ {
+ Builder.Append("0FAFC2");
+ }
+
+ public void Imul_EAX(Int32 addre)
+ {
+ Builder.Append("6BC0" + intTohex(addre, 2));
+ }
+
+ public void ImulB_EAX(Int32 addre)
+ {
+ Builder.Append("69C0" + intTohex(addre, 8));
+ }
+ #endregion
+
+ #region Inc
+ public void Inc_EAX()
+ {
+ Builder.Append("40");
+ }
+
+ public void Inc_EBX()
+ {
+ Builder.Append("43");
+ }
+
+ public void Inc_ECX()
+ {
+ Builder.Append("41");
+ }
+
+ public void Inc_EDX()
+ {
+ Builder.Append("42");
+ }
+
+ public void Inc_EDI()
+ {
+ Builder.Append("47");
+ }
+
+ public void Inc_ESI()
+ {
+ Builder.Append("46");
+ }
+
+ public void Inc_DWORD_Ptr_EAX()
+ {
+ Builder.Append("FF00");
+ }
+
+ public void Inc_DWORD_Ptr_EBX()
+ {
+ Builder.Append("FF03");
+ }
+
+ public void Inc_DWORD_Ptr_ECX()
+ {
+ Builder.Append("FF01");
+ }
+
+ public void Inc_DWORD_Ptr_EDX()
+ {
+ Builder.Append("FF02");
+ }
+ #endregion
+
+ #region jmp
+ /// <summary>跳转</summary>
+ public void JMP_EAX()
+ {
+ Builder.Append("FFE0");
+ }
+ #endregion
+
+ /// <summary>在目标进程上执行</summary>
+ /// <param name="pid"></param>
+ public void Run(Int32 pid)
+ {
+ var asm = DataHelper.FromHex(Builder.ToString());
+ if (pid != 0)
+ {
+ var hwnd = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_CREATE_THREAD | PROCESS_VM_WRITE, 0, pid);
+ if (hwnd != 0)
+ {
+ var addre = VirtualAllocEx(hwnd, 0, asm.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ WriteProcessMemory(hwnd, addre, asm, asm.Length, 0);
+
+ var threadhwnd = CreateRemoteThread(hwnd, 0, 0, addre, 0, 0, ref pid);
+ VirtualFreeEx(hwnd, addre, asm.Length, MEM_RELEASE);
+ CloseHandle(threadhwnd);
+ CloseHandle(hwnd);
+ }
+ }
+ Builder.Length = 0;
+ }
+ }
+}
\ No newline at end of file