[求助]RtlLookupFunctionEntry是做什么用的？-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
yvqvan 雪币： 121 活跃值： (121) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 43 粉丝 1 关注私信	yvqvan 2 楼 VS2008带的MSDN，有这个函数的说明 RtlLookupFunctionEntry Function Searches the active function tables for an entry that corresponds to the specified PC value. PVOID WINAPI RtlLookupFunctionEntry( __in ULONGLONG ControlPC, __out PULONGLONG ImageBase, __out PULONGLONG TargetGp ); Parameters ControlPC The virtual address of an instruction bundle within the function. ImageBase The base address of module to which the function belongs. TargetGp The global pointer value of the module. This parameter has a different declaration on x64 systems. For more information, see x64 Definition. Return Value If there is no entry in the function table for the specified PC, the function returns NULL. Otherwise, the function returns the address of the function table entry that corresponds to the specified PC. x64 Definition This function is declared as follows: PRUNTIME_FUNCTION WINAPI RtlLookupFunctionEntry ( IN ULONG64 ControlPc, OUT PULONG64 ImageBase, IN OUT PUNWIND_HISTORY_TABLE HistoryTable OPTIONAL ); #define UNWIND_HISTORY_TABLE_SIZE 12 typedef struct _UNWIND_HISTORY_TABLE_ENTRY { ULONG64 ImageBase; PRUNTIME_FUNCTION FunctionEntry; } UNWIND_HISTORY_TABLE_ENTRY, PUNWIND_HISTORY_TABLE_ENTRY; #define UNWIND_HISTORY_TABLE_NONE 0 #define UNWIND_HISTORY_TABLE_GLOBAL 1 #define UNWIND_HISTORY_TABLE_LOCAL 2 typedef struct _UNWIND_HISTORY_TABLE { ULONG Count; UCHAR Search; ULONG64 LowAddress; ULONG64 HighAddress; UNWIND_HISTORY_TABLE_ENTRY Entry[UNWIND_HISTORY_TABLE_SIZE]; } UNWIND_HISTORY_TABLE, PUNWIND_HISTORY_TABLE; Requirements Client Requires Windows XP 64-Bit Edition Version 2003. Server Requires 64-bit edition of Windows Server 2003. Library Use Kernel32.lib. DLL Requires Kernel32.dll. 2012-3-13 17:30 0
无聊的菜鸟雪币： 622 活跃值： (294) 能力值： ( LV13，RANK：410 ) 在线值：发帖 59 回帖 561 粉丝 5 关注私信	无聊的菜鸟 9 3 楼查找某个指令位置对应在哪一个模块的哪一个函数里面 2012-3-13 19:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)
yvqvan 雪币： 121 活跃值： (121) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 43 粉丝 1 关注私信	yvqvan 2 楼 VS2008带的MSDN，有这个函数的说明 RtlLookupFunctionEntry Function Searches the active function tables for an entry that corresponds to the specified PC value. PVOID WINAPI RtlLookupFunctionEntry( __in ULONGLONG ControlPC, __out PULONGLONG ImageBase, __out PULONGLONG TargetGp ); Parameters ControlPC The virtual address of an instruction bundle within the function. ImageBase The base address of module to which the function belongs. TargetGp The global pointer value of the module. This parameter has a different declaration on x64 systems. For more information, see x64 Definition. Return Value If there is no entry in the function table for the specified PC, the function returns NULL. Otherwise, the function returns the address of the function table entry that corresponds to the specified PC. x64 Definition This function is declared as follows: PRUNTIME_FUNCTION WINAPI RtlLookupFunctionEntry ( IN ULONG64 ControlPc, OUT PULONG64 ImageBase, IN OUT PUNWIND_HISTORY_TABLE HistoryTable OPTIONAL ); #define UNWIND_HISTORY_TABLE_SIZE 12 typedef struct _UNWIND_HISTORY_TABLE_ENTRY { ULONG64 ImageBase; PRUNTIME_FUNCTION FunctionEntry; } UNWIND_HISTORY_TABLE_ENTRY, PUNWIND_HISTORY_TABLE_ENTRY; #define UNWIND_HISTORY_TABLE_NONE 0 #define UNWIND_HISTORY_TABLE_GLOBAL 1 #define UNWIND_HISTORY_TABLE_LOCAL 2 typedef struct _UNWIND_HISTORY_TABLE { ULONG Count; UCHAR Search; ULONG64 LowAddress; ULONG64 HighAddress; UNWIND_HISTORY_TABLE_ENTRY Entry[UNWIND_HISTORY_TABLE_SIZE]; } UNWIND_HISTORY_TABLE, PUNWIND_HISTORY_TABLE; Requirements Client Requires Windows XP 64-Bit Edition Version 2003. Server Requires 64-bit edition of Windows Server 2003. Library Use Kernel32.lib. DLL Requires Kernel32.dll. 2012-3-13 17:30 0
无聊的菜鸟雪币： 622 活跃值： (294) 能力值： ( LV13，RANK：410 ) 在线值：发帖 59 回帖 561 粉丝 5 关注私信	无聊的菜鸟 9 3 楼查找某个指令位置对应在哪一个模块的哪一个函数里面 2012-3-13 19:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复