---------------------------------------------------- LordPE Dumper Server - plugin developer's references ---------------------------------------------------- Prolog ------ Since the 'Gathering' version includes LordPE a plugin interface with the name LordPE Dumper Server (in a nutshell: LDS) which provides the following features: - dump process modules and rebuild them - dump process module blocks - task tracer which provides module... - pathes - ImageBase/ImageSize - one can search a PID with an (incomplete) path as input The interface system -------------------- The communication system is relative equal to the one of ProcDump. First one has to receive the window handle of LDS by the 'FindWindow' API ("LDS_WND_NAME"). Afterwards one can interact with LDS by 'SendMessage' calls which have the following prototype: void SendMessage( - no return value ! HWND hWnd, - LDS window Handle UINT Msg, - WM_LDS_CMD_XXX action command WPARAM wParam, - Process ID of the plugin LPARAM lParam - pointer to a LDS_XXX structure ); The LDS SDK supports the following programming languages/compilers through the fitting include files: - C(++) - MASM/TASM/NASM - Delphi - Visual Basic There's a command line parameter for LordPE.exe ("/LDS%modifiers%") which causes that LDS will be lunched directly. Look at 'ReadMe.tXt' or the MASM plugin example for more information. Notes ----- Have a look at the include files or the example plugins (C, Delphi, ASM) for a demo on how to use LDS live. All include files are equal commented with the exception that 'LDS.h' provides the INput and OUTput tags which sign input and output structure elements. All commands/structures should be self explaining. Some things are commented now... (1) Dumped process module images or memory blocks can either be saved by a save dialog of LDS or the output will be saved to a memory buffer being accessible by the client, so the plugin can handle the dumped data itself. This concerns the following 2 structures for dumping operations: typedef struct _LDS_FULL_DUMP { IN DWORD dwStructSize; IN DWORD dwFlags; // LDS_DUMP_XXX/LDS_REB_XXX IN DWORD dwPID; IN HMODULE hModuleBase; // NULL - calling module is dumped OUT BOOL bDumpSuccessfully; OUT DWORD dwSizeOfDumpedImage; OUT BOOL bUserSaved; // LDS_DUMP_SAVEVIAOFN OUT char cSavedTo[MAX_PATH]; // LDS_DUMP_SAVEVIAOFN OUT void* pDumpedImage; // !LDS_DUMP_SAVEVIAOFN // rebuilding structure elements IN DWORD dwRealignType; // 0-normal 1-hardcore 2-nice IN DWORD dwNewImageBase; // format: 0xXXXX0000 } LDS_FULL_DUMP, *PLDS_FULL_DUMP; typedef struct _LDS_PARTIAL_DUMP { IN DWORD dwStructSize; IN DWORD dwPID; IN void* pBlock; IN DWORD dwBlockSize; IN BOOL bSaveViaOfn; OUT BOOL bDumpSuccessfully; OUT BOOL bUserSaved; // bSaveViaOfn OUT char cSavedTo[MAX_PATH]; // bSaveViaOfn OUT void* pDumpedImage; // !bSaveViaOfn } LDS_PARTIAL_DUMP, *PLDS_PARTIAL_DUMP; "STRUCT.bSaveViaOfn" - Indicates whether the output should be saved by the user through a LDS save dialog ("STRUCT.bUserSaved" + "STRUCT.cSavedTo" are valid) or will be saved to a memory buffer ("STRUCT.pDumpedImage" is valid) The buffer is freed automatically either when LDS is closed or a new dump is performed. "STRUCT.bUserSaved" - Indicates whether the user did cancel the save dialog or not. Only if 'bUserSaved' is TRUE, "STRUCT.cSavedTo" is valid. (2) Due to the fact that LDS doesn't respond directly to commands with a success or an error, one has to check the success of the LDS command in a different way. Error checking is not always necessary but can be done in the following way: (...) LDS_FIND_PID.dwPID = -1; SendMessage( LDSWindowHandle, WM_LDS_CMD_FINDPROCESSID, WParam(ClientPid), LParam(address of LDS_FIND_PID)); if (LDS_FIND_PID.dwPID == -1) { // an error occurred (...) } (...) Near the EOF ------------ It would be nice to see some plugins :D If you can say of yourself that you did so, then please send your plugin to LordPE@gmx.net. yoda (23th Feb 2k2)