因为本人不会使用C,只会用asm , 所以玩命兄弟的LDisEngine反汇编引擎成了我的最爱。
最近在研究怎么取得函数块,用到了这个反汇编引擎,发现了一个BUG
上图:
004010F4 . /E9 9D000000 JMP GetModeL.00401196
004010F9 . |0F87 97000000 JA GetModeL.00401196
004010FF . |0F82 91000000 JB GetModeL.00401196
00401105 . |7C 16 JL SHORT GetModeL.0040111D
00401107 . |8BC0 MOV EAX,EAX
00401109 . |8BC0 MOV EAX,EAX
0040110B . |EB 10 JMP SHORT GetModeL.0040111D
反汇编引擎 解析的结果为:
0012FF90 : 00 00 00 00 - 00 00 00 00 - E9 00 00 00 - 01 00 00 00
0012FFA0 : 00 00 00 00 - 00 00 00 00 - 9D 00 00 00 - 04 00 00 00
0012FFB0 : 05 00 00 00 - 00 00 00 00 - 00 00 00 00 - 00 00 00 00
00000036 : BYTES TOTAL
0012FF90 : 00 00 00 00 - 00 00 00 00 - 0F 87 00 00 - 02 00 00 00
0012FFA0 : 00 00 00 00 - 00 00 00 00 - 97 00 00 00 - 04 00 00 00
0012FFB0 : 05 00 00 00 - 00 00 00 00 - 00 00 00 00 - 00 00 00 00
00000036 : BYTES TOTAL
0012FF90 : 00 00 00 00 - 00 00 00 00 - 00 00 00 00 - 01 00 00 00
0012FFA0 : 0F 00 00 00 - 00 00 00 00 - 00 00 00 00 - 00 00 00 00
0012FFB0 : 02 00 00 00 - 00 00 00 00 - 00 00 00 00 - 00 00 00 00
00000036 : BYTES TOTAL
0012FF90 : 00 00 00 00 - 00 00 00 00 - 82 00 00 00 - 01 00 00 00
0012FFA0 : 00 00 00 00 - 00 00 00 00 - 00 00 00 00 - 00 00 00 00
0012FFB0 : 01 00 00 00 - 00 00 00 00 - 00 00 00 00 - 00 00 00 00004010F9 . /0F87 97000000 JA GetModeL.00401196 (能完整解析)
004010FF . |0F82 91000000 JB GetModeL.00401196 (不能解析)
我的测试代码:
nop
nop
nop
jmp @F
ja @F
jb @f (这里有问题)
jl @Look
mov eax , eax
mov eax , eax
jmp @Look
mov eax , eax
mov eax , eax
有劳修正一下,不会用C,唯一会用的asm版就是这个了,等米下锅啊~~
另外,关于取得函数长度,有个特例很奇怪:
kd> uf NtUserFindWindowEx
起点在这里
win32k!NtUserFindWindowEx+0x1f:
bf8b11f9 e89203f5ff call win32k!ValidateHwnd (bf801590)
bf8b11fe 8945e4 mov dword ptr [ebp-1Ch],eax
bf8b1201 3bc6 cmp eax,esi
bf8b1203 0f85a9000000 jne win32k!NtUserFindWindowEx+0x3d (bf8b12b2)
.....................................
win32k!NtUserFindWindowEx+0xec:
bf8b124d ff1574ce98bf call dword ptr [win32k!_imp__ExRaiseAccessViolation (bf98ce74)]
bf8b1253 e9fd000000 jmp win32k!NtUserFindWindowEx+0xf2 (bf8b1355)
入口在这里:
win32k!NtUserFindWindowEx:
bf8b128c 6a30 push 30h
bf8b128e 6870db98bf push offset win32k!`string'+0x5d8 (bf98db70)
bf8b1293 e8f0f8f4ff call win32k!_SEH_prolog (bf800b88)
bf8b1298 e83df8f4ff call win32k!EnterCrit (bf800ada)
bf8b129d 8b4d08 mov ecx,dword ptr [ebp+8]
bf8b12a0 83f9fd cmp ecx,0FFFFFFFDh
bf8b12a3 74d8 je win32k!NtUserFindWindowEx+0x35 (bf8b127d)
win32k!NtUserFindWindowEx+0x19:
bf8b12a5 33f6 xor esi,esi
bf8b12a7 3bce cmp ecx,esi
bf8b12a9 0f854affffff jne win32k!NtUserFindWindowEx+0x1f (bf8b11f9)
...................
win32k!NtUserFindWindowEx+0x128:
bf8b136f e892f7f4ff call win32k!LeaveCrit (bf800b06)
bf8b1374 8bc6 mov eax,esi
bf8b1376 e848f8f4ff call win32k!_SEH_epilog (bf800bc3)
bf8b137b c21400 ret 14h
win32k!NtUserFindWindowEx+0x10a:
bf8b137e 33f6 xor esi,esi
bf8b1380 ebed jmp win32k!NtUserFindWindowEx+0x128 (bf8b136f)
函数在这里结束,在ret 后仍然有代码
这种函数如何取得其长度?我这几天正在用判断跳转的方法来处理,不知有没有更简单的方法?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
