; Memory-patch example 1: patching Test.exe in memory (the target is started suspended,
; the bytes at the patch address are verified, then overwritten before the process runs)
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
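; --- patch description -------------------------------------------------------
; Target: Win32 (x86, stdcall). The patch replaces the two bytes at PATCH_POSITION
; in the freshly created (still suspended) Test.exe process.
PATCH_POSITION equ 00401004h            ; linear address of the patch inside Test.exe
                                        ; (assumes the image is mapped at its preferred
                                        ; base; if it is relocated the byte check below
                                        ; fails and the patch is refused)
PATCH_BYTES    equ 2                    ; number of bytes read / written

.data?
dbOldBytes  db PATCH_BYTES dup (?)      ; read buffer for the original bytes
stStartUp   STARTUPINFO <?>
stProcInfo  PROCESS_INFORMATION <?>

.const
dbPatch      db 74h,15h                 ; expected original bytes: 74h 15h = JE rel8, disp +15h
dbPatched    db 90h,90h                 ; replacement: two NOPs, so the jump is never taken
szExecFilename db 'Test.exe',0          ; NOTE(review): relative name, resolved against the
                                        ; current directory only (no search path); a full
                                        ; path would pin down which binary gets patched
szErrExec    db '无法装载执行文件!',0
szErrVersion db '执行文件的版本不正确,无法修正!',0
szErrPatch   db '无法读写目标进程内存,补丁失败!',0

.code
Start:
        ; 1. Create the target suspended: its image is mapped but nothing has run yet,
        ;    so the bytes can be changed before the first instruction executes.
        invoke  GetStartupInfo, addr stStartUp
        invoke  CreateProcess, offset szExecFilename, NULL, NULL, NULL, NULL, \
                NORMAL_PRIORITY_CLASS or CREATE_SUSPENDED, NULL, NULL, \
                offset stStartUp, offset stProcInfo
        .if eax
            ; 2. Read the bytes at the patch address and verify they are what we expect.
            invoke  ReadProcessMemory, stProcInfo.hProcess, PATCH_POSITION, \
                    addr dbOldBytes, PATCH_BYTES, NULL
            .if !eax
                ; Read failed: kill the target instead of leaving a suspended process
                ; behind with its handles closed.
                invoke  TerminateProcess, stProcInfo.hProcess, -1
                invoke  MessageBox, NULL, addr szErrPatch, NULL, MB_OK or MB_ICONSTOP
            .else
                mov     ax, word ptr dbOldBytes
                .if ax != word ptr dbPatch
                    ; Unexpected bytes: wrong build (or relocated image) - refuse to patch.
                    invoke  TerminateProcess, stProcInfo.hProcess, -1
                    invoke  MessageBox, NULL, addr szErrVersion, NULL, MB_OK or MB_ICONSTOP
                .else
                    ; 3. Write the patch; only resume the target if the write succeeded,
                    ;    otherwise an unpatched copy would be released.
                    invoke  WriteProcessMemory, stProcInfo.hProcess, \
                            PATCH_POSITION, addr dbPatched, PATCH_BYTES, NULL
                    .if eax
                        invoke  ResumeThread, stProcInfo.hThread
                    .else
                        invoke  TerminateProcess, stProcInfo.hProcess, -1
                        invoke  MessageBox, NULL, addr szErrPatch, NULL, MB_OK or MB_ICONSTOP
                    .endif
                .endif
            .endif
            ; Every path above has either resumed or terminated the target.
            invoke  CloseHandle, stProcInfo.hProcess
            invoke  CloseHandle, stProcInfo.hThread
        .else
            invoke  MessageBox, NULL, addr szErrExec, NULL, MB_OK or MB_ICONSTOP
        .endif
        invoke  ExitProcess, NULL
end Start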