下面是一个处理 CallWndProc 钩子消息的回调函数，请教它的返回值是在哪个位置设置的？
; ---------------------------------------------------------------------------
; Hook callback at 100010A0 (OllyDbg listing, Intel syntax, 32-bit Win32).
; C shape:  LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
; ABI:      stdcall -- the final `retn 0C` pops the three dword arguments.
;           Installed as WH_CALLWNDPROC by the routine at 10001140 below.
; In:       on entry [esp+4]=nCode, [esp+8]=wParam, [esp+C]=lParam; after the
;           `sub esp,100` they are read back as [esp+104]/[esp+108]/[esp+10C].
; Out:      eax. It is the value CallNextHookEx returns at 10001129; the only
;           instructions after that call are `add esp,100` and `retn 0C`,
;           neither of which touches eax -- so the function's return value is
;           exactly CallNextHookEx's result. (This answers the question above.)
; Stack:    100h (256) bytes of locals at [esp], used as a string buffer.
; Globals:  [10005370] flag tested first; [10005374] receives the HMODULE from
;           LoadLibraryA; [10005378] this DLL's hModule (annotated 10000000);
;           [10006000] the HHOOK. Roles other than the stores/loads seen here
;           are inferred -- confirm against the rest of the module.
; Pattern:  on the "load" path the callback builds a file name in the local
;           buffer, appends "fance.dll" with an inlined, unbounded strcat
;           (100010E8..100010FB) and hands it to LoadLibraryA. A hook proc that
;           LoadLibrary's a second DLL is the classic SetWindowsHookEx
;           injection shape; for triage, the global hook + LoadLibrary-in-hook
;           pair is the thing to record.
; ---------------------------------------------------------------------------
100010A0 . A1 70530>mov eax,dword ptr ds:[10005370] ; eax = global flag (meaning not visible here)
100010A5 . 81EC 000>sub esp,100 ; reserve 100h-byte local buffer at [esp]
100010AB . 85C0 test eax,eax
100010AD . 74 5C je short Shell.1000110B ; eax is always 0, so for fance.dll to be loaded this must be changed to jnz (author's note) -- as listed, flag==0 skips straight to CallNextHookEx
100010AF . A1 74530>mov eax,dword ptr ds:[10005374] ; eax = value that LoadLibraryA's result is stored into at 10001105
100010B4 . 85C0 test eax,eax
100010B6 EB 53 je short Shell.1000110B ; as written (je) the load path runs only when [10005374] is already non-zero -- sense looks inverted; note the bytes EB 53 encode `jmp short`, not `je` (74 53), so this line appears patched or hand-edited
100010B8 . A1 78530>mov eax,dword ptr ds:[10005378](是10000000) ; eax = own hModule; the parenthetical says "is 10000000"
100010BD . 53 push ebx ; save callee-saved ebx/esi/edi
100010BE . 56 push esi
100010BF . 57 push edi
100010C0 . 8D4C24 0>lea ecx,dword ptr ss:[esp+C] ; ecx = &buffer (3 pushes above, so esp+C is the 100h buffer)
100010C4 . 50 push eax ; arg2 = hModule
100010C5 . 51 push ecx ; arg1 = &buffer
100010C6 . E8 D5000>call Shell.100011A0 ; the result is 'shell.dll' (author's note) -- helper not shown; presumably writes this module's file name into the buffer, confirm
100010CB . BF 3C500>mov edi,Shell.1000503C ; ASCII "fance.dll" ; edi = literal to append
100010D0 . 83C9 FF or ecx,FFFFFFFF ; inlined strlen("fance.dll"): ecx = -1, al = 0
100010D3 . 33C0 xor eax,eax
100010D5 . 83C4 08 add esp,8 ; caller pops the two args of the call above
100010D8 . F2:AE repne scas byte ptr es:[edi] ; scan to the NUL
100010DA . F7D1 not ecx ; ecx = length including the NUL
100010DC . 2BF9 sub edi,ecx ; edi back to the start of "fance.dll"
100010DE . 8D5424 0>lea edx,dword ptr ss:[esp+C] ; edx = &buffer (destination)
100010E2 . 8BF7 mov esi,edi ; esi = source "fance.dll"
100010E4 . 8BD9 mov ebx,ecx ; ebx = byte count to copy (len+1)
100010E6 . 8BFA mov edi,edx ; edi = &buffer
100010E8 . 83C9 FF or ecx,FFFFFFFF ; inlined strcat: find the buffer's NUL (al is still 0)
100010EB . F2:AE repne scas byte ptr es:[edi] ; edi = one past the buffer's NUL
100010ED . 8BCB mov ecx,ebx
100010EF . 4F dec edi ; edi = at the NUL, which gets overwritten
100010F0 . C1E9 02 shr ecx,2 ; copy (len+1)/4 dwords ...
100010F3 . F3:A5 rep movs dword ptr es:[edi],dword >
100010F5 . 8BCB mov ecx,ebx
100010F7 . 52 push edx ; /FileName ; &buffer = lpLibFileName (pushed early; rep movs below does not use the stack)
100010F8 . 83E1 03 and ecx,3 ; | ; ... then the remaining (len+1)&3 bytes, NUL included
100010FB . F3:A4 rep movs byte ptr es:[edi],byte pt>; | ; no check against the 100h-byte buffer: overruns the frame if what 100011A0 wrote plus "fance.dll" exceeds it -- confirm the helper's bound
100010FD . FF15 084>call dword ptr ds:[<&KERNEL32.Load>; \LoadLibraryA ; loads the constructed name into this process
10001103 . 5F pop edi ; restore callee-saved regs
10001104 . 5E pop esi
10001105 . A3 74530>mov dword ptr ds:[10005374],eax ; remember the HMODULE (or 0 on failure)
1000110A . 5B pop ebx
1000110B > 8B8424 0>mov eax,dword ptr ss:[esp+10C] ; common path: eax = lParam
10001112 . 8B8C24 0>mov ecx,dword ptr ss:[esp+108] ; ecx = wParam
10001119 . 8B9424 0>mov edx,dword ptr ss:[esp+104] ; edx = nCode
10001120 . 50 push eax ; /lParam
10001121 . A1 00600>mov eax,dword ptr ds:[10006000] ; | ; eax = HHOOK stored by the installer at 1000115D
10001126 . 51 push ecx ; |wParam
10001127 . 52 push edx ; |HookCode
10001128 . 50 push eax ; |hHook => 013601E3
10001129 . FF15 C04>call dword ptr ds:[<&USER32.CallNe>; \CallNextHookEx ; eax = chain result (stdcall; it pops its own 4 args)
1000112F . 81C4 000>add esp,100 ; free the local buffer; eax untouched
10001135 . C2 0C00 retn 0C ; return eax (= CallNextHookEx's value) and pop the 3 args
下面是安装钩子的函数
; ---------------------------------------------------------------------------
; Hook installer at 10001140 (OllyDbg listing, Intel syntax, 32-bit Win32).
; No arguments are read; no stack frame. Installs the callback at 100010A0 as a
; WH_CALLWNDPROC hook once, caching the HHOOK in [10006000].
; In:   [10006000] = existing HHOOK (0 if not yet installed)
;       [10005378] = this DLL's hModule (annotated 10000000)
; Out:  [10006000] = HHOOK from SetWindowsHookExA (0 on failure); eax = same
;       value, or the pre-existing HHOOK on the early-return path.
; Note: dwThreadId is pushed from eax, and eax is 0 on this path (the jnz above
;       only falls through when it is zero). A zero thread id makes the hook
;       apply to every thread on the desktop, which is what causes this DLL to
;       be mapped into other GUI processes -- the injection primitive the
;       callback above then builds on. The "=> 13601E3" annotation on that
;       push seems to be OllyDbg's live view of eax at capture time rather
;       than the value passed here.
; ---------------------------------------------------------------------------
10001140 Sh>/$ A1 00600>mov eax,dword ptr ds:[10006000] ; eax = cached HHOOK
10001145 |. 85C0 test eax,eax
10001147 |. 75 19 jnz short Shell.10001162 ; already installed -> return with eax = HHOOK
10001149 |. 50 push eax ; /ThreadID => 13601E3 ; eax == 0 here: all threads (global hook)
1000114A |. A1 78530>mov eax,dword ptr ds:[10005378] ; | ; eax = hMod of the DLL that contains the hook proc
1000114F |. 50 push eax ; |hModule => 10000000 (Shell)
10001150 |. 68 A0100>push Shell.100010A0 ; |Hookproc = Shell.100010A0 ; the callback documented above
10001155 |. 6A 04 push 4 ; |HookType = WH_CALLWNDPROC
10001157 |. FF15 BC4>call dword ptr ds:[<&USER32.SetWin>; \SetWindowsHookExA ; stdcall: pops its own 4 args
1000115D |. A3 00600>mov dword ptr ds:[10006000],eax ; cache the HHOOK (0 if the call failed; not checked)
10001162 \> C3 retn ; eax = HHOOK (new or cached)