; ; . .: .:.. :.. .. .:.::. :. ..: ; <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===< ; .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:. ; . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:.. ; ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::. ; >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->> ; .: .:.. ..:. .: ..:.::. ::.. :.:. ; ; [29A INC files] ; by Jacky Qwerty/29A ; ; ; Here you have the "famous" 29A INC filez, written by me. These INCz surely ; will become almost completely necessary for you at the moment of writing ; your Win32 PE infectorz as they contain lotz of very useful structurez and ; routinez used in such kind of virusez. At the very least you will need the ; INC filez to understand the functioning of the Win32 infectorz written he- ; re by us in 29A, as we all use them in order to make thingz much easier :) ; ; The set is formed by four filez (MZ.INC, PE.INC, USEFUL.INC, WIN32API.INC) ; which work separately, and whose corresponding utility has been described ; below. You might want either to cut them off from this file or just to un- ; zip the file containing them (29A_INCS.ZIP), in the \FILES directory. ; ; Hope they will be useful for you! ; ; ; - -[MZ.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 ; ; . .: .:.. :.. .. .:.::. :. ..: ; <<-==ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ=ÜÛÛÛÛÛÜ===< ; .:: ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ .:. ; . .:.ÜÜÜÛÛß.ßÛÛÛÛÛÛ.ÛÛÛÛÛÛÛ:.. ; ...ÛÛÛÜÜÜÜ:ÜÜÜÜÛÛÛ:ÛÛÛ ÛÛÛ.::. ; >===ÛÛÛÛÛÛÛ=ÛÛÛÛÛÛß=ÛÛÛ ÛÛÛ=->> ; .: .:.. ..:. .: ..:.::. ::.. :.:. ; ; [29A INC files] ; DOS EXE MZ executable format ; by Jacky Qwerty/29A ; ; Description ; ÄÄÄÄÄÄÄÄÄÄÄ ; This include file contains all the constantz and structurez needed to work ; with the DOS EXE MZ executable format inside ASM filez. For use with TASM, ; of course (also with TASM32). MASM sucks.. :P ; ; Disclaimer ; ÄÄÄÄÄÄÄÄÄÄ ; This file was built up by Jacky Qwerty from 29A. The author is not respon- ; sible for any problemz caused due to use/misuse of this file. ; ; ; (c) 1997. No rightz reserved. Use without permision >8P. 
; ──┤ MZ_magic value ├──────────────────────────────────────────────────────

; Expected content of MZ_magic: the bytes 'M','Z' read as one little-endian
; word.
IMAGE_DOS_SIGNATURE     EQU     5A4Dh   ;'MZ'

; DOS EXE (MZ) header. The fields below add up to 64 bytes
; (30 words + 1 dword).
; NOTE(review): when the header is read from a file you do not control, every
; field is untrusted input. In particular MZ_lfanew is a raw file offset: check
; that MZ_lfanew + SIZE IMAGE_NT_HEADERS lies inside the file/mapping before
; following it, and check MZ_magic against IMAGE_DOS_SIGNATURE first.
IMAGE_DOS_HEADER STRUC
MZ_magic        DW      ?               ; Magic number
MZ_cblp         DW      ?               ; Bytes on last page of file
MZ_cp           DW      ?               ; Pages in file
MZ_crlc         DW      ?               ; Relocations
MZ_cparhdr      DW      ?               ; Size of header in paragraphs
MZ_minalloc     DW      ?               ; Minimum extra paragraphs needed
MZ_maxalloc     DW      ?               ; Maximum extra paragraphs needed
MZ_ss           DW      ?               ; Initial (relative) SS value
MZ_sp           DW      ?               ; Initial SP value
MZ_csum         DW      ?               ; Checksum
MZ_ip           DW      ?               ; Initial IP value
MZ_cs           DW      ?               ; Initial (relative) CS value
MZ_lfarlc       DW      ?               ; File address of relocation table
MZ_ovno         DW      ?               ; Overlay number
MZ_res          DW      4 DUP (?)       ; Reserved words
MZ_oemid        DW      ?               ; OEM identifier (for e_oeminfo)
MZ_oeminfo      DW      ?               ; OEM information; e_oemid specific
MZ_res2         DW      10 DUP (?)      ; Reserved words
MZ_lfanew       DD      ?               ; File address of new exe header
IMAGE_DOS_HEADER ENDS

; Size of the structure above as computed by the assembler.
IMAGE_SIZEOF_DOS_HEADER EQU     SIZE IMAGE_DOS_HEADER

; - -[PE.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
;                       . .: .:.. :.. .. .:.::. :. ..:
;                     <<-==▄█████▄=▄█████▄=▄█████▄===<
;                      .:: ███ ███:███ ███.███ ███ .:.
;                      . .:.▄▄▄██▀.▀██████.███████:..
;                       ...███▄▄▄▄:▄▄▄▄███:███ ███.::.
;                      >===███████=██████▀=███ ███=->>
;                      .: .:.. ..:. .: ..:.::. ::.. :.:.
;
;                              [29A INC files]
;                         Portable Executable format
;                            by Jacky Qwerty/29A
;
; Description
; ───────────
; This include file contains all the constantz and structurez needed to work
; with the PE (Portable Executable) format from inside ASM filez. For exclu-
; sive use with TASM(32), of course. MASM sucks.. :P
;
; Disclaimer
; ──────────
; This file was built up by Jacky Qwerty from 29A. The author is not respon-
; sible for any problemz caused due to use/misuse of this file.
;
;
; (c) 1997. No rightz reserved. Use without permision >8P.
; ──┤ Based relocation type valuez ├────────────────────────────────────────

; Values of the 4-bit RD_RelocType field of a relocation entry.
IMAGE_REL_BASED_ABSOLUTE        EQU     0
IMAGE_REL_BASED_HIGH            EQU     1
IMAGE_REL_BASED_LOW             EQU     2
IMAGE_REL_BASED_HIGHLOW         EQU     3
IMAGE_REL_BASED_HIGHADJ         EQU     4
IMAGE_REL_BASED_MIPS_JMPADDR    EQU     5

; One 16-bit relocation entry: 4 bits of type and 12 bits of offset.
IMAGE_RELOCATION_DATA   RECORD  {
  RD_RelocType          :4
  RD_RelocOffset        :12
}

; Fixed 8-byte head of a relocation block. The entries that follow it are
; variable in number, which is why BR_TypeOffset is left commented out.
; NOTE(review): BR_SizeOfBlock is read from the image; check it is at least
; IMAGE_SIZEOF_BASE_RELOCATION and stays inside the relocation directory
; before walking the entries.
IMAGE_BASE_RELOCATION STRUC
BR_VirtualAddress       DD      ?
BR_SizeOfBlock          DD      ?
; BR_TypeOffset         IMAGE_RELOCATION_DATA 1 DUP (?) ; Array of zero or more relocations (type + RVAs)
IMAGE_BASE_RELOCATION ENDS

IMAGE_SIZEOF_BASE_RELOCATION    EQU     SIZE IMAGE_BASE_RELOCATION ; 8

; Hint/name entry referenced by a thunk. Only the first byte of the name is
; declared; the real name continues up to its NUL terminator.
; NOTE(review): bound the search for that terminator by the end of the mapped
; file, the name is not guaranteed to be terminated in a malformed image.
IMAGE_IMPORT_BY_NAME STRUC
IBN_Hint                DW      ?
IBN_Name                DB      1 DUP (?)       ; ASCIIZ function name (variable size)
IMAGE_IMPORT_BY_NAME ENDS

; Top bit of a thunk: when set, the thunk holds an ordinal (see TD_Ordinal).
IMAGE_ORDINAL_FLAG              EQU     80000000h

; One dword thunk; the four names are alternative views of the same dword.
IMAGE_THUNK_DATA STRUC
                        UNION
TD_AddressOfData        DD      IMAGE_IMPORT_BY_NAME PTR ?      ; Ptr to IMAGE_IMPORT_BY_NAME structure
TD_Ordinal              DD      ?                               ; Ordinal ORed with IMAGE_ORDINAL_FLAG
TD_Function             DD      BYTE PTR ?      ; CODE PTR      ; Ptr to function (i.e. Function address after program load)
TD_ForwarderString      DD      BYTE PTR ?                      ; Ptr to a forwarded API function.
                        ENDS
IMAGE_THUNK_DATA ENDS

; ──┤ Import format ├───────────────────────────────────────────────────────

; One entry of the import directory (five dwords). Per the field comments the
; array is terminated by an entry whose ID_Characteristics is 0.
; NOTE(review): the "PTR" fields are RVAs taken from the image. Translate and
; range-check each one before dereferencing, and cap the number of descriptors
; walked in case the terminating entry is missing.
IMAGE_IMPORT_DESCRIPTOR STRUC
                        UNION
ID_Characteristics      DD      ?                       ; 0 for terminating null import descriptor
ID_OriginalFirstThunk   DD      IMAGE_THUNK_DATA PTR ?  ; RVA to original unbound IAT
                        ENDS
ID_TimeDateStamp        DD      ?       ; 0 if not bound,
                                        ; -1 if bound, and real date\time stamp
                                        ; in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                        ; O.W. date/time stamp of DLL bound to (Old BIND)
ID_ForwarderChain       DD      ?                       ; -1 if no forwarders
ID_Name                 DD      BYTE PTR ?              ; RVA to name of imported DLL
ID_FirstThunk           DD      IMAGE_THUNK_DATA PTR ?  ; RVA to IAT (if bound this IAT has actual addresses)
IMAGE_IMPORT_DESCRIPTOR ENDS

IMAGE_SIZEOF_IMPORT_DESCRIPTOR  EQU     SIZE IMAGE_IMPORT_DESCRIPTOR

; ──┤ Export format ├───────────────────────────────────────────────────────

; Export directory. Each UNION below only gives two names to one dword.
; NOTE(review): ED_NumberOfFunctions, ED_NumberOfNames and the three array
; pointers come from the image. Check counts and RVAs against the image size,
; and check every ordinal read from the ordinal array against
; ED_NumberOfFunctions before using it as an index.
IMAGE_EXPORT_DIRECTORY STRUC
ED_Characteristics      DD      ?
ED_TimeDateStamp        DD      ?
ED_MajorVersion         DW      ?
ED_MinorVersion         DW      ?
ED_Name                 DD      BYTE PTR ?      ; Ptr to name of exported DLL
                        UNION
ED_Base                 DD      ?
ED_BaseOrdinal          DD      ?
                        ENDS
ED_NumberOfFunctions    DD      ?
                        UNION
ED_NumberOfNames        DD      ?
ED_NumberOfOrdinals     DD      ?
                        ENDS
ED_AddressOfFunctions   DD      DWORD PTR ?     ; Ptr to array of function addresses
ED_AddressOfNames       DD      DWORD PTR ?     ; Ptr to array of (function) name addresses
                        UNION
ED_AddressOfNameOrdinals DD     WORD PTR ?      ; Ptr to array of ordinals
ED_AddressOfOrdinals    DD      WORD PTR ?      ;
                        ENDS
IMAGE_EXPORT_DIRECTORY ENDS

IMAGE_SIZEOF_EXPORT_DIRECTORY   EQU     SIZE IMAGE_EXPORT_DIRECTORY

; ──┤ SH_Characteristics valuez ├───────────────────────────────────────────

; Bit flags for SH_Characteristics. Lines starting with ";MAGE_" are the
; author's commented-out (reserved/obsolete) definitions, kept for reference.
;MAGE_SCN_TYPE_REG              EQU     00000000h       ; Reserved
;MAGE_SCN_TYPE_REGULAR          EQU     00000000h       ; Reserved
;MAGE_SCN_TYPE_DSECT            EQU     00000001h       ; Reserved
;MAGE_SCN_TYPE_DUMMY            EQU     00000001h       ; Reserved
;MAGE_SCN_TYPE_NOLOAD           EQU     00000002h       ; Reserved
;MAGE_SCN_TYPE_NO_LOAD          EQU     00000002h       ; Reserved
;MAGE_SCN_TYPE_GROUP            EQU     00000004h       ; Reserved. Used for 16-bit offset code
;MAGE_SCN_TYPE_GROUPED          EQU     00000004h       ; Reserved. Used for 16-bit offset code
IMAGE_SCN_TYPE_NO_PAD           EQU     00000008h       ; Reserved
;MAGE_SCN_TYPE_COPY             EQU     00000010h       ; Reserved

IMAGE_SCN_CNT_CODE              EQU     00000020h       ; Section contains code.
IMAGE_SCN_CNT_INITIALIZED_DATA  EQU     00000040h       ; Section contains initialized data.
IMAGE_SCN_CNT_UNINITIALIZED_DATA EQU    00000080h       ; Section contains uninitialized data.

IMAGE_SCN_LNK_OTHER             EQU     00000100h       ; Reserved.
IMAGE_SCN_LNK_INFO              EQU     00000200h       ; Section contains comments or some other type of information.
;MAGE_SCN_TYPE_OVER             EQU     00000400h       ; Reserved. Section contains an overlay.
;MAGE_SCN_LNK_OVERLAY           EQU     00000400h       ; Reserved. Section contains an overlay.
IMAGE_SCN_LNK_REMOVE            EQU     00000800h       ; Section contents will not become part of image.
IMAGE_SCN_LNK_COMDAT            EQU     00001000h       ; Section contents comdat.
;                               EQU     00002000h       ; Reserved.

;MAGE_SCN_MEM_PROTECTED         EQU     00004000h       ; Obsolete.
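; (SH_Characteristics flag values, continued.)
IMAGE_SCN_MEM_FARDATA           EQU     00008000h
;MAGE_SCN_MEM_SYSHEAP           EQU     00010000h       ; Obsolete.
IMAGE_SCN_MEM_PURGEABLE         EQU     00020000h
IMAGE_SCN_MEM_16BIT             EQU     00020000h       ; same bit as IMAGE_SCN_MEM_PURGEABLE
IMAGE_SCN_MEM_LOCKED            EQU     00040000h
IMAGE_SCN_MEM_PRELOAD           EQU     00080000h

; The alignment values form one 4-bit field (bits 20..23), not independent
; bit flags: compare the masked field, do not TEST for a single value.
IMAGE_SCN_ALIGN_1BYTES          EQU     00100000h
IMAGE_SCN_ALIGN_2BYTES          EQU     00200000h
IMAGE_SCN_ALIGN_4BYTES          EQU     00300000h
IMAGE_SCN_ALIGN_8BYTES          EQU     00400000h
IMAGE_SCN_ALIGN_16BYTES         EQU     00500000h       ; Default alignment if no others are specified.
IMAGE_SCN_ALIGN_32BYTES         EQU     00600000h
IMAGE_SCN_ALIGN_64BYTES         EQU     00700000h
;                               EQU     00800000h       ; Unused.

IMAGE_SCN_LNK_NRELOC_OVFL       EQU     01000000h       ; Section contains extended relocations.
IMAGE_SCN_MEM_DISCARDABLE       EQU     02000000h       ; Section can be discarded.
IMAGE_SCN_MEM_NOT_CACHED        EQU     04000000h       ; Section is not cachable.
IMAGE_SCN_MEM_NOT_PAGED         EQU     08000000h       ; Section is not pageable.
IMAGE_SCN_MEM_SHARED            EQU     10000000h       ; Section is shareable.
; NOTE(review): a section that carries both IMAGE_SCN_MEM_EXECUTE and
; IMAGE_SCN_MEM_WRITE is unusual in compiler/linker output and is worth
; flagging when an image is triaged.
IMAGE_SCN_MEM_EXECUTE           EQU     20000000h       ; Section is executable.
IMAGE_SCN_MEM_READ              EQU     40000000h       ; Section is readable.
IMAGE_SCN_MEM_WRITE             EQU     80000000h       ; Section is writeable.

; Length of SH_Name. The field has no room reserved for a terminator, so an
; 8-character name is not NUL-terminated; never treat SH_Name as ASCIIZ.
IMAGE_SIZEOF_SHORT_NAME         EQU     8

; ──┤ Section header format ├───────────────────────────────────────────────

; One section-table entry; the fields below add up to 40 bytes.
; NOTE(review): SH_PointerToRawData/SH_SizeOfRawData describe a range of the
; file and SH_VirtualAddress/SH_VirtualSize a range of the image. Both pairs
; are untrusted in a file you did not build: check for overflow of the sum
; and that the range lies inside the file (resp. OH_SizeOfImage) before use.
IMAGE_SECTION_HEADER STRUC
SH_Name                 DB      IMAGE_SIZEOF_SHORT_NAME DUP (?)
                        UNION
SH_PhysicalAddress      DD      BYTE PTR ?
SH_VirtualSize          DD      ?
                        ENDS
SH_VirtualAddress       DD      BYTE PTR ?
SH_SizeOfRawData        DD      ?
SH_PointerToRawData     DD      BYTE PTR ?
SH_PointerToRelocations DD      BYTE PTR ?
SH_PointerToLinenumbers DD      BYTE PTR ?
SH_NumberOfRelocations  DW      ?
SH_NumberOfLinenumbers  DW      ?
SH_Characteristics      DD      ?
IMAGE_SECTION_HEADER ENDS

IMAGE_SIZEOF_SECTION_HEADER     EQU     SIZE IMAGE_SECTION_HEADER

; ──┤ OH_DataDirectory index valuez ├───────────────────────────────────────

; Indexes into OH_DataDirectory. Only 0..12 are named here although the array
; is declared with IMAGE_NUMBEROF_DIRECTORY_ENTRIES (16) slots.
IMAGE_DIRECTORY_ENTRY_EXPORT            EQU     0       ; Export Directory
IMAGE_DIRECTORY_ENTRY_IMPORT            EQU     1       ; Import Directory
IMAGE_DIRECTORY_ENTRY_RESOURCE          EQU     2       ; Resource Directory
IMAGE_DIRECTORY_ENTRY_EXCEPTION         EQU     3       ; Exception Directory
IMAGE_DIRECTORY_ENTRY_SECURITY          EQU     4       ; Security Directory
IMAGE_DIRECTORY_ENTRY_BASERELOC         EQU     5       ; Base Relocation Table
IMAGE_DIRECTORY_ENTRY_DEBUG             EQU     6       ; Debug Directory
IMAGE_DIRECTORY_ENTRY_COPYRIGHT         EQU     7       ; Description String
IMAGE_DIRECTORY_ENTRY_GLOBALPTR         EQU     8       ; Machine Value (MIPS GP)
IMAGE_DIRECTORY_ENTRY_TLS               EQU     9       ; TLS Directory
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       EQU     10      ; Load Configuration Directory
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      EQU     11      ; Bound Import Directory in headers
IMAGE_DIRECTORY_ENTRY_IAT               EQU     12      ; Import Address Table

IMAGE_NUMBEROF_DIRECTORY_ENTRIES        EQU     16

; ──┤ OH_DataDirectory format ├─────────────────────────────────────────────

; One data-directory slot: location and size of a table inside the image.
IMAGE_DATA_DIRECTORY STRUC
DD_VirtualAddress       DD      BYTE PTR ?
DD_Size                 DD      ?
IMAGE_DATA_DIRECTORY ENDS

; Named view of the first 13 data-directory slots, in index order. It is
; overlaid on OH_DataDirectory by the UNION at the end of
; IMAGE_OPTIONAL_HEADER and is shorter than the 16-slot array.
IMAGE_DIRECTORY_ENTRIES STRUC
DE_Export               IMAGE_DATA_DIRECTORY    ?
DE_Import               IMAGE_DATA_DIRECTORY    ?
DE_Resource             IMAGE_DATA_DIRECTORY    ?
DE_Exception            IMAGE_DATA_DIRECTORY    ?
DE_Security             IMAGE_DATA_DIRECTORY    ?
DE_BaseReloc            IMAGE_DATA_DIRECTORY    ?
DE_Debug                IMAGE_DATA_DIRECTORY    ?
DE_Copyright            IMAGE_DATA_DIRECTORY    ?
DE_GlobalPtr            IMAGE_DATA_DIRECTORY    ?
DE_TLS                  IMAGE_DATA_DIRECTORY    ?
DE_LoadConfig           IMAGE_DATA_DIRECTORY    ?
DE_BoundImport          IMAGE_DATA_DIRECTORY    ?
DE_IAT                  IMAGE_DATA_DIRECTORY    ?
IMAGE_DIRECTORY_ENTRIES ENDS

; ──┤ OH_LoaderFlags valuez ├───────────────────────────────────────────────

;MAGE_LOADER_FLAGS_BREAK_ON_LOAD        EQU     00000001h
;MAGE_LOADER_FLAGS_DEBUG_ON_LOAD        EQU     00000002h

; ──┤ OH_DllCharacteristics valuez ├────────────────────────────────────────

;MAGE_LIBRARY_PROCESS_INIT      EQU     1       ; Dll has a process initialization routine
;MAGE_LIBRARY_PROCESS_TERM      EQU     2       ; Dll has a process termination routine
;MAGE_LIBRARY_THREAD_INIT       EQU     4       ; Dll has a thread initialization routine
;MAGE_LIBRARY_THREAD_TERM       EQU     8       ; Dll has a thread termination routine

; ──┤ OH_Subsystem Valuez ├─────────────────────────────────────────────────

IMAGE_SUBSYSTEM_UNKNOWN         EQU     0       ; Unknown subsystem
IMAGE_SUBSYSTEM_NATIVE          EQU     1       ; Image doesn't require a subsystem
IMAGE_SUBSYSTEM_WINDOWS_GUI     EQU     2       ; Image runs in the Windows GUI subsystem
IMAGE_SUBSYSTEM_WINDOWS_CUI     EQU     3       ; Image runs in the Windows character subsystem
IMAGE_SUBSYSTEM_OS2_CUI         EQU     5       ; Image runs in the OS/2 character subsystem
IMAGE_SUBSYSTEM_POSIX_CUI       EQU     7       ; Image run in the Posix character subsystem

; ──┤ OH_Magic value ├──────────────────────────────────────────────────────

; Magic of the 32-bit (PE32) optional header, the only layout this file
; describes. NOTE(review): check OH_Magic before applying
; IMAGE_OPTIONAL_HEADER to a file; the 64-bit PE32+ header uses a different
; magic and different field offsets.
IMAGE_NT_OPTIONAL_HDR_MAGIC     EQU     10Bh

; ──┤ Optional header format ├──────────────────────────────────────────────

; PE32 optional header: 28 bytes of standard fields, 68 bytes of NT fields
; and 16 data-directory slots (224 bytes in total, from the field list).
; NOTE(review): FH_SizeOfOptionalHeader and OH_NumberOfRvaAndSizes are read
; from the file. Do not index OH_DataDirectory at or beyond
; OH_NumberOfRvaAndSizes, and locate the section table from
; FH_SizeOfOptionalHeader rather than from SIZE IMAGE_OPTIONAL_HEADER.
IMAGE_OPTIONAL_HEADER STRUC
   ; Standard fields:
OH_Magic                        DW      ?
OH_MajorLinkerVersion           DB      ?
OH_MinorLinkerVersion           DB      ?
OH_SizeOfCode                   DD      ?
OH_SizeOfInitializedData        DD      ?
OH_SizeOfUninitializedData      DD      ?
OH_AddressOfEntryPoint          DD      BYTE PTR ?
OH_BaseOfCode                   DD      BYTE PTR ?
OH_BaseOfData                   DD      BYTE PTR ?
   ; NT additional fields:
OH_ImageBase                    DD      BYTE PTR ?
OH_SectionAlignment             DD      ?
OH_FileAlignment                DD      ?
OH_MajorOperatingSystemVersion  DW      ?
OH_MinorOperatingSystemVersion  DW      ?
OH_MajorImageVersion            DW      ?
OH_MinorImageVersion            DW      ?
OH_MajorSubsystemVersion        DW      ?
OH_MinorSubsystemVersion        DW      ?
OH_Reserved1                    DD      ?
OH_SizeOfImage                  DD      ?
OH_SizeOfHeaders                DD      ?
OH_CheckSum                     DD      ?
OH_Subsystem                    DW      ?
OH_DllCharacteristics           DW      ?
OH_SizeOfStackReserve           DD      ?
OH_SizeOfStackCommit            DD      ?
OH_SizeOfHeapReserve            DD      ?
OH_SizeOfHeapCommit             DD      ?
OH_LoaderFlags                  DD      ?
OH_NumberOfRvaAndSizes          DD      ?
                                UNION
OH_DataDirectory                IMAGE_DATA_DIRECTORY            \
                                IMAGE_NUMBEROF_DIRECTORY_ENTRIES \
                                DUP (?)
OH_DirectoryEntries             IMAGE_DIRECTORY_ENTRIES ?
                                ENDS
IMAGE_OPTIONAL_HEADER ENDS

IMAGE_SIZEOF_STD_OPTIONAL_HEADER EQU    28d     ; OH_Magic .. OH_BaseOfData
IMAGE_SIZEOF_NT_OPTIONAL_HEADER  EQU    SIZE IMAGE_OPTIONAL_HEADER

; ──┤ FH_Characteristics valuez ├───────────────────────────────────────────

IMAGE_FILE_RELOCS_STRIPPED      EQU     0001h   ; Relocation info stripped from file
IMAGE_FILE_EXECUTABLE_IMAGE     EQU     0002h   ; File is executable (i.e. no unresolved external references)
IMAGE_FILE_LINE_NUMS_STRIPPED   EQU     0004h   ; Line numbers stripped from file
IMAGE_FILE_LOCAL_SYMS_STRIPPED  EQU     0008h   ; Local symbols stripped from file
;MAGE_FILE_MINIMAL_OBJECT       EQU     0010h   ; Reserved
;MAGE_FILE_UPDATE_OBJECT        EQU     0020h   ; Reserved
;MAGE_FILE_16BIT_MACHINE        EQU     0040h   ; 16 bit word machine
IMAGE_FILE_BYTES_REVERSED_LO    EQU     0080h   ; Bytes of machine word are reversed
IMAGE_FILE_32BIT_MACHINE        EQU     0100h   ; 32 bit word machine
IMAGE_FILE_DEBUG_STRIPPED       EQU     0200h   ; Debugging info stripped from file in .DBG file
;MAGE_FILE_PATCH                EQU     0400h   ; Reserved
IMAGE_FILE_SYSTEM               EQU     1000h   ; System File
IMAGE_FILE_DLL                  EQU     2000h   ; File is a DLL
IMAGE_FILE_BYTES_REVERSED_HI    EQU     8000h   ; Bytes of machine word are reversed

; ──┤ FH_Machine valuez ├───────────────────────────────────────────────────

IMAGE_FILE_MACHINE_UNKNOWN      EQU     0
IMAGE_FILE_MACHINE_I386         EQU     14Ch    ; Intel 386
IMAGE_FILE_MACHINE_R3000        EQU     162h    ; MIPS L-endian, 0160h B-endian
IMAGE_FILE_MACHINE_R4000        EQU     166h    ; MIPS L-endian
IMAGE_FILE_MACHINE_R10000       EQU     168h    ; MIPS L-endian
IMAGE_FILE_MACHINE_ALPHA        EQU     184h    ; Alpha_AXP
IMAGE_FILE_MACHINE_POWERPC      EQU     1F0h    ; IBM PowerPC L-Endian

; COFF file header; the fields below add up to 20 bytes.
; NOTE(review): FH_NumberOfSections and FH_SizeOfOptionalHeader are untrusted
; when read from a file; check that the section table they imply fits inside
; the file before iterating over it.
IMAGE_FILE_HEADER STRUC
FH_Machine              DW      ?
FH_NumberOfSections     DW      ?
FH_TimeDateStamp        DD      ?
FH_PointerToSymbolTable DD      BYTE PTR ?
FH_NumberOfSymbols      DD      ?
FH_SizeOfOptionalHeader DW      ?
FH_Characteristics      DW      ?
IMAGE_FILE_HEADER ENDS

IMAGE_SIZEOF_FILE_HEADER        EQU     SIZE IMAGE_FILE_HEADER

; ──┤ NT_Signature value ├──────────────────────────────────────────────────

IMAGE_NT_SIGNATURE      EQU     00004550h       ; 'PE',0,0

; Signature + file header + PE32 optional header, as found at file offset
; MZ_lfanew.
IMAGE_NT_HEADERS STRUC
NT_Signature            DD                      ?
NT_FileHeader           IMAGE_FILE_HEADER       ?
NT_OptionalHeader       IMAGE_OPTIONAL_HEADER   ?
IMAGE_NT_HEADERS ENDS

; - -[USEFUL.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
;                       . .: .:.. :.. .. .:.::. :. ..:
;                     <<-==▄█████▄=▄█████▄=▄█████▄===<
;                      .:: ███ ███:███ ███.███ ███ .:.
;                      . .:.▄▄▄██▀.▀██████.███████:..
;                       ...███▄▄▄▄:▄▄▄▄███:███ ███.::.
;                      >===███████=██████▀=███ ███=->>
;                      .: .:.. ..:. .: ..:.::. ::.. :.:.
;
;                              [29A INC files]
;                          Basic useful structurez
;                            by Jacky Qwerty/29A
;
; Description
; ───────────
; This include file contains all basic constantz and general common structu-
; rez needed to work with other include and source ASM filez. This file will
; work only with TASM(32), of course. MASM sucks.. :P
;
; Disclaimer
; ──────────
; This file was built up by Jacky Qwerty from 29A. The author is not respon-
; sible for any problemz caused due to use/misuse of this file.
;
;
; (c) 1997. No rightz reserved. Use without permision >8P.

LF      equ     10
CR      equ     13
CRLF    equ     <13,10>                 ; text equate, for use inside DB lists

; Byte/word views of one dword: lob and hib overlay lo_w, hiw follows it.
lo_hi_byte_word struc
        union
          struc
            lob db ?
            hib db ?
          ends
          lo_w  dw ?
        ends
        hiw     dw ?
lo_hi_byte_word ends

; Registers as they lie in memory after PUSHA, lowest address (DI) first.
Pusha_struc struc
        Pusha_di dw ?
        Pusha_si dw ?
        Pusha_bp dw ?
        Pusha_sp dw ?
        Pusha_bx dw ?
        Pusha_dx dw ?
        Pusha_cx dw ?
        Pusha_ax dw ?
Pusha_struc ends

cPusha  equ     size Pusha_struc

; Same layout for PUSHAD (32-bit registers).
Pushad_struc struc
        Pushad_edi dd ?
        Pushad_esi dd ?
        Pushad_ebp dd ?
        Pushad_esp dd ?
        Pushad_ebx dd ?
        Pushad_edx dd ?
        Pushad_ecx dd ?
        Pushad_eax dd ?
Pushad_struc ends

cPushad equ     size Pushad_struc

;---------------------------------------------------------------------------
; @copysz - copy a NUL-terminated string, terminator included.
; In:    source and destination in the implicit LODSB/STOSB operands
;        (source index register / destination index register).
; Out:   both index registers moved past the terminator, AL = 0.
; Clobb: AL, flags.
; The macro does not issue CLD, so it assumes the direction flag is clear.
; NOTE(review): the copy has no length limit. The caller must guarantee that
; the destination can hold the whole source string including its terminator;
; do not use it on a source whose length is not already known to be bounded.
;---------------------------------------------------------------------------
@copysz macro
        local   nxtchr
nxtchr: lodsb
        stosb
        or      al,al                   ; stop after the NUL has been stored
        jnz     nxtchr
        endm

;---------------------------------------------------------------------------
; @endsz - advance the source index register past the end of a
; NUL-terminated string (one byte beyond the terminator).
; Clobb: AL, flags. Assumes the direction flag is clear.
; NOTE(review): the scan is unbounded; an unterminated buffer is read until a
; zero byte or a fault is met.
;---------------------------------------------------------------------------
@endsz macro
        local   nxtchr
nxtchr: lodsb
        test    al,al
        jnz     nxtchr
        endm

;---------------------------------------------------------------------------
; @pushsz - push the address of an inline NUL-terminated string.
; The CALL pushes the address of the bytes that follow it (the string) and
; continues execution after them; the string is emitted in the code stream.
; Args:  msg2psh = string/byte list. The second parameter "empty" exists only
;        to catch a stray extra argument (e.g. an unquoted comma).
; Fix:   the blank test now names its operand (IFNB <empty>); without it the
;        argument-count check had nothing to test.
;---------------------------------------------------------------------------
@pushsz macro   msg2psh, empty
        local   next_instr
        ifnb    <empty>
        %out    too much arguments in macro '@pushsz'
        .err
        endif
        call    next_instr
        db      msg2psh,0
next_instr:
        endm

;---------------------------------------------------------------------------
; @pushbytes - as @pushsz, but the inline bytes get no NUL terminator.
; Fix:   IFNB <empty> restored, and the diagnostic now names this macro.
;---------------------------------------------------------------------------
@pushbytes macro bts2psh, empty
        local   next_instr
        ifnb    <empty>
        %out    too much arguments in macro '@pushbytes'
        .err
        endif
        call    next_instr
        db      bts2psh
next_instr:
        endm

; API_Args - overlay for the stack at entry to a function: return address
; followed by Arg1..Arg16. Pshd is a second name for Arg1. The element size
; follows the current word size of the assembly.

if @WordSize eq 2                       ; 16 bits
API_Args struc
        RetAddr dw ?
        union
          Pshd  dw ?                    ;pushed
          Arg1  dw ?
        ends
        irp     Num, <2,3,4,5,6,7,8,9,10,11,12,13,14,15,16>
          Arg&Num dw ?
        endm
API_Args ends
endif

if @WordSize eq 4                       ; 32 bits
API_Args struc
        RetAddr dd ?
        union
          Pshd  dd ?                    ;pushed
          Arg1  dd ?
        ends
        irp     Num, <2,3,4,5,6,7,8,9,10,11,12,13,14,15,16>
          Arg&Num dd ?
        endm
API_Args ends
endif

; - -[WIN32API.INC] - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
;                       . .: .:.. :.. .. .:.::. :. ..:
;                     <<-==▄█████▄=▄█████▄=▄█████▄===<
;                      .:: ███ ███:███ ███.███ ███ .:.
;                      . .:.▄▄▄██▀.▀██████.███████:..
;                       ...███▄▄▄▄:▄▄▄▄███:███ ███.::.
;                      >===███████=██████▀=███ ███=->>
;                      .: .:.. ..:. .: ..:.::. ::.. :.:.
;
;                              [29A INC files]
;                           Win32 API definitionz
;                            by Jacky Qwerty/29A
;
; Description
; ───────────
; This include file contains some of the constantz and structurez needed to
; work with typical Win32 API functionz from inside ASM filez. This file can
; work only with TASM(32), of course. MASM sucks.. :P
;
; Disclaimer
; ──────────
; This file was built up by Jacky Qwerty from 29A. The author is not respon-
; sible for any problemz caused due to use/misuse of this file.
;
;
; (c) 1997. No rightz reserved. Use without permision >8P.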
; ──┤ Some global constantz ├───────────────────────────────────────────────

NULL                            EQU     0
FALSE                           EQU     0
TRUE                            EQU     1
MAX_PATH                        EQU     260
; Failure value of the handle-returning calls documented below that say so
; (CreateFileA, FindFirstFileA). It is -1, not NULL: a test against zero does
; not detect their failure.
INVALID_HANDLE_VALUE            EQU     -1
STANDARD_RIGHTS_REQUIRED        EQU     000F0000h

; ──┤ Desired access valuez ├───────────────────────────────────────────────

GENERIC_READ                    EQU     80000000h
GENERIC_WRITE                   EQU     40000000h

; ──┤ Share mode valuez ├───────────────────────────────────────────────────

FILE_SHARE_READ                 EQU     00000001h
FILE_SHARE_WRITE                EQU     00000002h

; ──┤ Creation disposition valuez ├─────────────────────────────────────────

CREATE_NEW                      EQU     1
CREATE_ALWAYS                   EQU     2
OPEN_EXISTING                   EQU     3
OPEN_ALWAYS                     EQU     4
TRUNCATE_EXISTING               EQU     5

; ──┤ File attributez and flag valuez ├─────────────────────────────────────

FILE_ATTRIBUTE_READONLY         EQU     00000001h
FILE_ATTRIBUTE_HIDDEN           EQU     00000002h
FILE_ATTRIBUTE_SYSTEM           EQU     00000004h
FILE_ATTRIBUTE_DIRECTORY        EQU     00000010h
FILE_ATTRIBUTE_ARCHIVE          EQU     00000020h
FILE_ATTRIBUTE_NORMAL           EQU     00000080h
FILE_ATTRIBUTE_TEMPORARY        EQU     00000100h
FILE_ATTRIBUTE_ATOMIC_WRITE     EQU     00000200h
FILE_ATTRIBUTE_XACTION_WRITE    EQU     00000400h
FILE_ATTRIBUTE_COMPRESSED       EQU     00000800h
FILE_ATTRIBUTE_HAS_EMBEDDING    EQU     00001000h
FILE_FLAG_POSIX_SEMANTICS       EQU     01000000h
FILE_FLAG_BACKUP_SEMANTICS      EQU     02000000h
FILE_FLAG_DELETE_ON_CLOSE       EQU     04000000h
FILE_FLAG_SEQUENTIAL_SCAN       EQU     08000000h
FILE_FLAG_RANDOM_ACCESS         EQU     10000000h
FILE_FLAG_NO_BUFFERING          EQU     20000000h
FILE_FLAG_OVERLAPPED            EQU     40000000h
FILE_FLAG_WRITE_THROUGH         EQU     80000000h

; ──┤ Protection and other valuez ├─────────────────────────────────────────

SECTION_QUERY                   EQU     00000001h
SECTION_MAP_WRITE               EQU     00000002h
SECTION_MAP_READ                EQU     00000004h
SECTION_MAP_EXECUTE             EQU     00000008h
SECTION_EXTEND_SIZE             EQU     00000010h
; Union of every right defined above; request only the rights a mapping
; actually needs instead of this mask.
SECTION_ALL_ACCESS              EQU     STANDARD_RIGHTS_REQUIRED OR \
                                        SECTION_QUERY            OR \
                                        SECTION_MAP_WRITE        OR \
                                        SECTION_MAP_READ         OR \
                                        SECTION_MAP_EXECUTE      OR \
                                        SECTION_EXTEND_SIZE

; dwDesiredAccess values for MapViewOfFile, defined as aliases of the
; SECTION_* rights above.
FILE_MAP_COPY                   EQU     SECTION_QUERY
FILE_MAP_WRITE                  EQU     SECTION_MAP_WRITE
FILE_MAP_READ                   EQU     SECTION_MAP_READ
FILE_MAP_ALL_ACCESS             EQU     SECTION_ALL_ACCESS

PAGE_NOACCESS                   EQU     00000001h
PAGE_READONLY                   EQU     00000002h
PAGE_READWRITE                  EQU     00000004h
PAGE_WRITECOPY                  EQU     00000008h
PAGE_EXECUTE                    EQU     00000010h
PAGE_EXECUTE_READ               EQU     00000020h
PAGE_EXECUTE_READWRITE          EQU     00000040h
PAGE_EXECUTE_WRITECOPY          EQU     00000080h
PAGE_GUARD                      EQU     00000100h
PAGE_NOCACHE                    EQU     00000200h

MEM_COMMIT                      EQU     00001000h
MEM_RESERVE                     EQU     00002000h
MEM_DECOMMIT                    EQU     00004000h
MEM_RELEASE                     EQU     00008000h
MEM_FREE                        EQU     00010000h
MEM_PRIVATE                     EQU     00020000h
MEM_MAPPED                      EQU     00040000h
MEM_TOP_DOWN                    EQU     00100000h

SEC_FILE                        EQU     00800000h
SEC_IMAGE                       EQU     01000000h
SEC_RESERVE                     EQU     04000000h
SEC_COMMIT                      EQU     08000000h
SEC_NOCACHE                     EQU     10000000h
MEM_IMAGE                       EQU     SEC_IMAGE

; ──┤ Code Page valuez ├────────────────────────────────────────────────────

CP_ACP                          EQU     0       ; ANSI code page
CP_OEMCP                        EQU     1       ; OEM code page
CP_MACCP                        EQU     2       ; MAC code page

; ──┤ Message Box suport valuez ├───────────────────────────────────────────

; Button set (low nibble, see MB_TYPEMASK).
MB_OK                           EQU     00000000h
MB_OKCANCEL                     EQU     00000001h
MB_ABORTRETRYIGNORE             EQU     00000002h
MB_YESNOCANCEL                  EQU     00000003h
MB_YESNO                        EQU     00000004h
MB_RETRYCANCEL                  EQU     00000005h
MB_TYPEMASK                     EQU     0000000Fh

; Icon (see MB_ICONMASK).
MB_ICONHAND                     EQU     00000010h
MB_ICONQUESTION                 EQU     00000020h
MB_ICONEXCLAMATION              EQU     00000030h
MB_ICONASTERISK                 EQU     00000040h
MB_ICONMASK                     EQU     000000F0h

MB_ICONINFORMATION              EQU     MB_ICONASTERISK
MB_ICONSTOP                     EQU     MB_ICONHAND

; Default button (see MB_DEFMASK).
MB_DEFBUTTON1                   EQU     00000000h
MB_DEFBUTTON2                   EQU     00000100h
MB_DEFBUTTON3                   EQU     00000200h
MB_DEFMASK                      EQU     00000F00h

MB_APPLMODAL                    EQU     00000000h
MB_SYSTEMMODAL                  EQU     00001000h
MB_TASKMODAL                    EQU     00002000h

MB_NOFOCUS                      EQU     00008000h

; ──┤ Some general Win32 related structurez ├───────────────────────────────

; 64-bit time value split into two dwords.
FILETIME STRUC
FT_dwLowDateTime        DD      ?
FT_dwHighDateTime       DD      ?
FILETIME ENDS

; Buffer filled in through the lpFindFileData argument of FindFirstFileA.
; The fields below add up to 320 bytes. The alternate-name field is declared
; with 13 bytes plus 3 bytes of padding.
; NOTE(review): the Win32 headers declare the alternate name as 14 characters;
; the total size is the same, but confirm the field width against the SDK
; before relying on the padding bytes being unused.
WIN32_FIND_DATA STRUC
WFD_dwFileAttributes    DD              ?
WFD_ftCreationTime      FILETIME        ?
WFD_ftLastAccessTime    FILETIME        ?
WFD_ftLastWriteTime     FILETIME        ?
WFD_nFileSizeHigh       DD              ?
WFD_nFileSizeLow        DD              ?
WFD_dwReserved0         DD              ?
WFD_dwReserved1         DD              ?
WFD_szFileName          DB              MAX_PATH DUP (?)
WFD_szAlternateFileName DB              13 DUP (?)
                        DB              3 DUP (?)       ; dword padding
WIN32_FIND_DATA ENDS

SIZEOF_WIN32_FIND_DATA  EQU     SIZE WIN32_FIND_DATA

; ──┤ Context related stuff (i386, i486) ├──────────────────────────────────

; The following flagz control the contentz of the CONTEXT structure:

CONTEXT_i386            EQU     00010000h       ; This assumes that i386 and i486
CONTEXT_i486            EQU     00010000h       ; have identical context recordz.

CONTEXT_CONTROL         EQU     (CONTEXT_i386 OR 01h)   ; SS:SP, CS:IP, FLAGS, BP.
CONTEXT_INTEGER         EQU     (CONTEXT_i386 OR 02h)   ; AX, BX, CX, DX, SI, DI.
CONTEXT_SEGMENTS        EQU     (CONTEXT_i386 OR 04h)   ; DS, ES, FS, GS.
CONTEXT_FLOATING_POINT  EQU     (CONTEXT_i386 OR 08h)   ; 387 state
CONTEXT_DEBUG_REGISTERS EQU     (CONTEXT_i386 OR 10h)   ; DB 0-3,6,7

CONTEXT_FULL            EQU     (CONTEXT_CONTROL OR CONTEXT_INTEGER OR \
                                 CONTEXT_SEGMENTS)

; Size of the 80387 save area, which is in the context frame:

SIZE_OF_80387_REGISTERS EQU     80

; x87 state block embedded in CONTEXT (112 bytes from the field list).
FLOATING_SAVE_AREA STRUC
ControlWord             DD      ?
StatusWord              DD      ?
TagWord                 DD      ?
ErrorOffset             DD      ?
ErrorSelector           DD      ?
DataOffset              DD      ?
DataSelector            DD      ?
RegisterArea            DB      SIZE_OF_80387_REGISTERS DUP (?)
Cr0NpxState             DD      ?
FLOATING_SAVE_AREA ENDS

; Context Frame:
;
; NOTE(review): this layout ends at CONTEXT_SegSs (204 bytes from the field
; list). Later Win32 headers append an extended-register area to the x86
; CONTEXT, so a buffer of this size is too small for any API call that is
; asked to fill that area; confirm the size against the SDK of the target
; system.

CONTEXT STRUC

   ; The flags valuez - within the ContextFlags field - control the
   ; contentz of the CONTEXT structure.
   ;
   ; If the context record is used as an input parameter, then
   ; for each portion of the context record controlled by a flag
   ; whose value is set, it is asumed that that portion of the
   ; context record contains valid context. If the context record
   ; is being used to modify a threadz context, then only that
   ; portion of the threadz context will be modified.
   ;
   ; If the context record is used as an IN OUT parameter to capture
   ; the context of a thread, then only those portionz of the thread's
   ; context corresponding to set flags will be returned.
   ;
   ; The context record is never used as an OUT only parameter.

CONTEXT_ContextFlags    DD      ?

   ; This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
   ; set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT
   ; included in CONTEXT_FULL:

CONTEXT_Dr0             DD      ?
CONTEXT_Dr1             DD      ?
CONTEXT_Dr2             DD      ?
CONTEXT_Dr3             DD      ?
CONTEXT_Dr6             DD      ?
CONTEXT_Dr7             DD      ?

   ; This section is specified/returned if the
   ; ContextFlags word contains the flag CONTEXT_FLOATING_POINT:

CONTEXT_FloatSave       FLOATING_SAVE_AREA ?

   ; This section is specified/returned if the
   ; ContextFlags word contains the flag CONTEXT_SEGMENTS:

CONTEXT_SegGs           DD      ?
CONTEXT_SegFs           DD      ?
CONTEXT_SegEs           DD      ?
CONTEXT_SegDs           DD      ?

   ; This section is specified/returned if the
   ; ContextFlags word contains the flag CONTEXT_INTEGER:

CONTEXT_Edi             DD      ?
CONTEXT_Esi             DD      ?
CONTEXT_Ebx             DD      ?
CONTEXT_Edx             DD      ?
CONTEXT_Ecx             DD      ?
CONTEXT_Eax             DD      ?

   ; This section is specified/returned if the
   ; ContextFlags word contains the flag CONTEXT_CONTROL:

CONTEXT_Ebp             DD      ?
CONTEXT_Eip             DD      ?
CONTEXT_SegCs           DD      ?       ; MUST BE SANITIZED
CONTEXT_EFlags          DD      ?       ; MUST BE SANITIZED
CONTEXT_Esp             DD      ?
CONTEXT_SegSs           DD      ?

CONTEXT ENDS

; ──┤ Structured Exception Handling (SEH) related stuff ├───────────────────

; This structure is the one pointed to by FS:[0]:

EXCEPTIONREGISTRATIONRECORD STRUC       ; != EXCEPTION_RECORD structure
ERR_prev_structure      DD      EXCEPTIONREGISTRATIONRECORD PTR ?
ERR_ExceptionHandler    DD      BYTE PTR ?      ; CODE PTR
; These are the minimun fieldz required for proper OS operation
; Other undocumented fieldz exist for Microsoft and Borland compilerz
EXCEPTIONREGISTRATIONRECORD ENDS

; Exception record definition:

EXCEPTION_MAXIMUM_PARAMETERS    EQU     15      ; max # of except paramz

; NOTE(review): ER_NumberParameters says how many ER_ExceptionInformation
; slots are meaningful; treat a value above EXCEPTION_MAXIMUM_PARAMETERS as
; invalid before indexing the array.
EXCEPTION_RECORD STRUC
ER_ExceptionCode        DD      ?
ER_ExceptionFlags       DD      ?
ER_ExceptionRecord      DD      EXCEPTION_RECORD PTR ?
ER_ExceptionAddress     DD      BYTE PTR ?      ; CODE PTR
ER_NumberParameters     DD      ?
ER_ExceptionInformation DD      EXCEPTION_MAXIMUM_PARAMETERS DUP (?)
EXCEPTION_RECORD ENDS

EXCEPTION_POINTERS STRUC
EP_ExceptionRecord      DD      EXCEPTION_RECORD PTR ?
EP_ContextRecord        DD      CONTEXT PTR ?
EXCEPTION_POINTERS ENDS

; Other SEH related constantz and return valuez:
;
; NOTE(review): the first three values are the results of a C __except filter
; expression. They are not the EXCEPTION_DISPOSITION values (0..3) that a raw
; handler of the _except_handler prototype returns to the dispatcher, so do
; not return them from such a handler.

EXCEPTION_EXECUTE_HANDLER       EQU      1
EXCEPTION_CONTINUE_SEARCH       EQU      0
EXCEPTION_CONTINUE_EXECUTION    EQU     -1

; ER_ExceptionCode values.
EXCEPTION_ACCESS_VIOLATION              EQU     0C0000005h
EXCEPTION_DATATYPE_MISALIGNMENT         EQU     080000002h
EXCEPTION_BREAKPOINT                    EQU     080000003h
EXCEPTION_SINGLE_STEP                   EQU     080000004h
EXCEPTION_ARRAY_BOUNDS_EXCEEDED         EQU     0C000008Ch
EXCEPTION_FLT_DENORMAL_OPERAND          EQU     0C000008Dh
EXCEPTION_FLT_DIVIDE_BY_ZERO            EQU     0C000008Eh
EXCEPTION_FLT_INEXACT_RESULT            EQU     0C000008Fh
EXCEPTION_FLT_INVALID_OPERATION         EQU     0C0000090h
EXCEPTION_FLT_OVERFLOW                  EQU     0C0000091h
EXCEPTION_FLT_STACK_CHECK               EQU     0C0000092h
EXCEPTION_FLT_UNDERFLOW                 EQU     0C0000093h
EXCEPTION_INT_DIVIDE_BY_ZERO            EQU     0C0000094h
EXCEPTION_INT_OVERFLOW                  EQU     0C0000095h
EXCEPTION_PRIV_INSTRUCTION              EQU     0C0000096h
EXCEPTION_IN_PAGE_ERROR                 EQU     0C0000006h
EXCEPTION_ILLEGAL_INSTRUCTION           EQU     0C000001Dh
EXCEPTION_NONCONTINUABLE_EXCEPTION      EQU     0C0000025h
EXCEPTION_STACK_OVERFLOW                EQU     0C00000FDh
EXCEPTION_INVALID_DISPOSITION           EQU     0C0000026h
EXCEPTION_GUARD_PAGE                    EQU     080000001h

; Useful structure to access the "Except_Handler" function argumentz:
; (overlay for the stack at handler entry: return address, then the four
; arguments of the _except_handler prototype)

Except_Handler STRUC
EH_Dummy                DD      ?       ; Ret address
EH_ExceptionRecord      DD      EXCEPTION_RECORD PTR ?
EH_EstablisherFrame     DD      BYTE PTR ?
EH_ContextRecord        DD      CONTEXT PTR ?
EH_DispatcherContext    DD      BYTE PTR ?
Except_Handler ENDS

; The following macroz "@SEH_SetupFrame" and "@SEH_RemoveFrame" are limited
; assembler versionz of the _try and _except keywordz used in C language.
; They provide fast and powerful "Structured Exception Handling" support
; for Win32 applicationz in a few linez of code. Though Microsoft seems
; intent on hiding the details of OS-level structured exception handling,
; this code relies on documented featurez of the Win32 API implementation
; and as such it works in both Windoze 95 and Windoze NT.
;---------------------------------------------------------------------------
; @SEH_SetupFrame - install an exception registration record on the stack.
; The CALL pushes the address of the inline handler; together with the old
; FS:[0] value pushed next it forms an EXCEPTIONREGISTRATIONRECORD
; (ERR_prev_structure at [ESP], ERR_ExceptionHandler at [ESP+4]), which
; FS:[0] is then pointed at.
; Out:   ESP lowered by 8, FS:[0] = ESP. Clobb: EDX (= 0), flags.
; Handler path: reloads ESP from the EstablisherFrame argument, i.e. back to
; the registration record, then runs the caller-supplied ExceptionHandler
; code. It returns no disposition to the dispatcher.
; NOTE(review): the handler prologue shown here does not look at
; ER_ExceptionCode, so every exception raised while the frame is installed
; takes this path unless ExceptionHandler filters it, which can hide real
; faults. No unwind call is made before ESP is replaced. Later Windows
; versions validate SEH registrations and handlers; confirm the dispatch
; behaviour on the target system.
;---------------------------------------------------------------------------
@SEH_SetupFrame macro ExceptionHandler
        local   set_new_eh
        call    set_new_eh              ; push address of the handler below
        mov     esp,[esp.EH_EstablisherFrame]   ; handler entry: ESP -> our record
        ExceptionHandler
set_new_eh:
        xor     edx,edx                 ; Setup new SEH frame
        push    dword ptr fs:[edx]      ; previous record = ERR_prev_structure
        mov     fs:[edx],esp
        endm

; The ExceptionHandler argument in the @SEH_SetupFrame macro definition
; can be a single instruction or another macro containing several of them.

;---------------------------------------------------------------------------
; @SEH_RemoveFrame - undo @SEH_SetupFrame: restore the previous FS:[0] value
; and drop the handler address. ESP must point at the record that
; @SEH_SetupFrame built. Clobb: EDX, flags.
;---------------------------------------------------------------------------
@SEH_RemoveFrame macro
        xor     edx,edx                 ; Remove new SEH frame and set old
        pop     dword ptr fs:[edx]
        pop     edx                     ; discard the handler address
        endm

comment #

// Exception disposition return values.
typedef enum _EXCEPTION_DISPOSITION {
    ExceptionContinueExecution,
    ExceptionContinueSearch,
    ExceptionNestedException,
    ExceptionCollidedUnwind
} EXCEPTION_DISPOSITION;

EXCEPTION_DISPOSITION __cdecl _except_handler (
    struct _EXCEPTION_RECORD *ExceptionRecord,
    void * EstablisherFrame,
    struct _CONTEXT *ContextRecord,
    void * DispatcherContext
    );

#

; ──┤ Some Win32 function prototypez ├──────────────────────────────────────

comment *

HANDLE CreateFileA
  (ptr) lpFileName              ; ptr to name of file
        dwDesiredAccess         ; access (read-write) mode
        dwShareMode             ; share mode
  (ptr) lpSecurityAttributes    ; ptr to SECURITY_ATTRIBUTES struc
        dwCreationDisposition   ; how to create
        dwFlagsAndAttributes    ; file and flag attributez
  (hnd) hTemplateFile           ; handle to file with attributez to copy

Returns: opened handle if ok, INVALID_HANDLE_VALUE if error.

; dwDesiredAccess valuez:
        GENERIC_READ
        GENERIC_WRITE

; dwShareMode valuez:
        0                       ; not shared
        FILE_SHARE_READ
        FILE_SHARE_WRITE

; dwCreationDisposition valuez:
        CREATE_NEW
        CREATE_ALWAYS
        OPEN_EXISTING
        OPEN_ALWAYS
        TRUNCATE_EXISTING

; dwFlagsAndAttributes valuez:
        FILE_ATTRIBUTE_READONLY
        FILE_ATTRIBUTE_HIDDEN
        FILE_ATTRIBUTE_SYSTEM
        FILE_ATTRIBUTE_ARCHIVE
        FILE_ATTRIBUTE_NORMAL
        FILE_ATTRIBUTE_COMPRESSED
        FILE_FLAG_WRITE_THROUGH
        FILE_FLAG_OVERLAPPED
        FILE_FLAG_NO_BUFFERING
        FILE_FLAG_RANDOM_ACCESS
        FILE_FLAG_SEQUENTIAL_SCAN
        FILE_FLAG_DELETE_ON_CLOSE
        FILE_FLAG_BACKUP_SEMANTICS
        FILE_FLAG_POSIX_SEMANTICS

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

HANDLE CreateFileMappingA
  (hnd) hFile                   ; file handle to map
  (ptr) lpFileMappingAttributes ; ptr to SECURITY_ATTRIBUTES struc
        flProtect               ; protection for mapping object
        dwMaximumSizeHigh       ; high-order 32 bitz of object size
        dwMaximumSizeLow        ; low-order 32 bitz of object size
  (ptr) lpName                  ; name of file-mapping object

Returns: handle to file-mapping object if ok, NULL if error.

; flProtect valuez:
        PAGE_READONLY
        PAGE_READWRITE
        PAGE_WRITECOPY
        SEC_COMMIT
        SEC_IMAGE
        SEC_NOCACHE
        SEC_RESERVE

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

LPVOID MapViewOfFile
  (hnd) hFileMappingObject      ; mapping object to map into address space
        dwDesiredAccess         ; access mode
        dwFileOffsetHigh        ; high-order 32 bitz of file offset
        dwFileOffsetLow         ; low-order 32 bitz of file offset
        dwNumberOfBytesToMap    ; number of bytez to map

Returns: starting address of the mapped view if ok, NULL if error.

; dwDesiredAccess:
        FILE_MAP_WRITE
        FILE_MAP_READ
        FILE_MAP_ALL_ACCESS
        FILE_MAP_COPY

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

HANDLE FindFirstFileA
  (ptr) lpFileName              ; ptr to name of file to search for
  (ptr) lpFindFileData          ; ptr to WIN32_FIND_DATA struc

Returns: opened handle if ok, INVALID_HANDLE_VALUE if error.
         it also fills structure pointed by lpFindFileData on return.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

*

; ──┤ Some macroz for most common functionz ├───────────────────────────────

; The three macros below push the seven CreateFileA arguments in reverse
; prototype order (hTemplateFile first, lpFileName last) and call the API; no
; stack adjustment follows the call. They fix dwShareMode = 0,
; lpSecurityAttributes = NULL, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL.
; The result is whatever CreateFileA leaves in EAX.
; NOTE(review): none of them checks the result. The caller must compare EAX
; with INVALID_HANDLE_VALUE (not with 0) before using it as a handle, and
; must close the handle when done. The file name is passed through unchanged.

@OpenFile macro
        ; open file with r/o or r/w access, not shared
        ; on input: ECX = desired access, EDX = pszFileName
        xor     eax,eax
        push    eax                     ; 0
        push    FILE_ATTRIBUTE_NORMAL
        push    OPEN_EXISTING
        push    eax                     ; NULL
        push    eax                     ; 0
        push    ecx                     ; desired access
        push    edx                     ; pszFileName
        call    CreateFileA
        endm

@OpenFileR macro pszFileName
        ; Open file for r/o access, not shared
        xor     eax,eax
        push    eax                     ; 0
        push    FILE_ATTRIBUTE_NORMAL
        push    OPEN_EXISTING
        push    eax                     ; NULL
        push    eax                     ; 0
        push    GENERIC_READ
        push    pszFileName
        call    CreateFileA
        endm

@OpenFileW macro pszFileName
        ; Open file for r/w access, not shared
        xor     eax,eax
        push    eax                     ; 0
        push    FILE_ATTRIBUTE_NORMAL
        push    OPEN_EXISTING
        push    eax                     ; NULL
        push    eax                     ; 0
        push    GENERIC_READ OR GENERIC_WRITE
        push    pszFileName
        call    CreateFileA
        endm