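/* Signed 8-bit displacement of the two-byte short jump whose opcode byte
 * sits at addr (the rel8 immediately follows the opcode). The read goes
 * through `signed char` explicitly: plain `char` is unsigned on some
 * targets, where the original `(char*)` read would turn every backward
 * jump into a large forward one. */
#define GetShortOffset(addr) (*(signed char*)( (addr) + 1 ))
/* Absolute target of the short jump at addr. rel8 is relative to the end
 * of the two-byte instruction, hence the +2. The whole expansion is
 * parenthesized so the macro is safe inside a larger expression. */
#define GetShortAddr(addr) ((addr) + GetShortOffset(addr) + 2)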
/* x86 opcode values the scanner recognises.
 * One-byte entries are the opcode byte itself. The *_LONG entries are
 * the two-byte 0F 80..0F 8F near conditional jumps written as a
 * little-endian 16-bit word (0x800F is the byte pair 0F 80) — presumably
 * because the consumer fetches a WORD from the instruction stream;
 * verify against the decoder before relying on that.
 * NOTE(review): the tag `_MACHINE_CODE` (leading underscore followed by
 * an uppercase letter) is an identifier reserved for the implementation;
 * it is kept here only because it is part of this file's interface. */
enum _MACHINE_CODE{
    OPCODE_EB = 0xEB,       /* JMP rel8 */
    OPCODE_PUSH = 0x68,     /* PUSH imm32 */
    OPCODE_CALL = 0xE8,     /* CALL rel32 */
    OPCODE_JMP = 0xE9,      /* JMP rel32 */
    /* Jcc rel8, 0x70..0x7F, written out explicitly so the values are
     * visible without counting from OPCODE_JO */
    OPCODE_JO = 0x70,
    OPCODE_JNO = 0x71,
    OPCODE_JB = 0x72,
    OPCODE_JNB = 0x73,
    OPCODE_JE = 0x74,
    OPCODE_JNZ = 0x75,
    OPCODE_JBE = 0x76,
    OPCODE_JA = 0x77,
    OPCODE_JS = 0x78,
    OPCODE_JNS = 0x79,
    OPCODE_JPE = 0x7A,
    OPCODE_JPO = 0x7B,
    OPCODE_JL = 0x7C,
    OPCODE_JGE = 0x7D,
    OPCODE_JLE = 0x7E,
    OPCODE_JG = 0x7F,
    /* Jcc rel32, same condition order as above */
    OPCODE_JO_LONG = 0x800F,
    OPCODE_JNO_LONG = 0x810F,
    OPCODE_JB_LONG = 0x820F,
    OPCODE_JNB_LONG = 0x830F,
    OPCODE_JE_LONG = 0x840F,
    OPCODE_JNZ_LONG = 0x850F,
    OPCODE_JBE_LONG = 0x860F,
    OPCODE_JA_LONG = 0x870F,
    OPCODE_JS_LONG = 0x880F,
    OPCODE_JNS_LONG = 0x890F,
    OPCODE_JPE_LONG = 0x8A0F,
    OPCODE_JPO_LONG = 0x8B0F,
    OPCODE_JL_LONG = 0x8C0F,
    OPCODE_JGE_LONG = 0x8D0F,
    OPCODE_JLE_LONG = 0x8E0F,
    OPCODE_JG_LONG = 0x8F0F
};
/* Case labels for every opcode byte whose rel8 form is a two-byte short
 * jump: JMP rel8 (OPCODE_EB) and the sixteen Jcc rel8 (0x70..0x7F).
 * Intended for a switch on the opcode byte. GetProcSize below writes
 * `CASESHORTADDR; {`; the `;` is an empty statement after the last label
 * and is harmless, but the macro itself ends with a label, so whatever
 * follows it must be a statement. */
#define CASESHORTADDR case OPCODE_EB: \
case OPCODE_JO: \
case OPCODE_JNO: \
case OPCODE_JB: \
case OPCODE_JNB: \
case OPCODE_JE: \
case OPCODE_JNZ: \
case OPCODE_JBE: \
case OPCODE_JA: \
case OPCODE_JS: \
case OPCODE_JNS: \
case OPCODE_JPE: \
case OPCODE_JPO: \
case OPCODE_JL: \
case OPCODE_JGE: \
case OPCODE_JLE: \
case OPCODE_JG:
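/*
 * GetProcSize - estimate the byte length of a function by walking its
 * instruction stream from Opcode.
 *
 * Opcode: first byte of the function to measure.
 *
 * Returns the number of bytes decoded up to and including the first RET
 * (0xC3 / 0xC2) that DetectedEnd() reports as lying past every recorded
 * short-jump target. Returns 0 when the scan gives up: list-node
 * allocation failed, or GetOpCodeSize() reported a zero-length
 * instruction (the existing malloc-failure convention, reused).
 *
 * Only rel8 jumps (CASESHORTADDR) whose target is at or after the
 * function start are tracked; the rel32 forms are not followed, so a
 * function whose only jump over an internal RET is a near jump will be
 * cut short at that RET. Pointer values are folded into 32-bit
 * LONG/ULONG, so this assumes a 32-bit build. The scan has no upper
 * bound: it reads forward until a qualifying RET is found.
 */
ULONG GetProcSize(PUCHAR Opcode){
    ULONG iOffSet = 0;          /* bytes decoded so far; also the result */
    ULONG iOpcodeOfSize = 0;    /* length of the instruction at Opcode + iOffSet */
    ULONG iStart = (ULONG)Opcode;
    LONG addr ;                 /* target of the short jump being examined */
    PSHORT_JUMP_ADDR_LIST ListHead = NULL;
    PSHORT_JUMP_ADDR_LIST pCurrent = NULL;
    BOOL bNext = TRUE;
    InitializeList ( ListHead ,pCurrent,SHORT_JUMP_ADDR_LIST ) ;
    do
    {
        addr = 0;
        iOpcodeOfSize = GetOpCodeSize( Opcode + iOffSet );
        /* No x86 instruction is zero bytes long, so 0 can only mean the
         * decoder could not make sense of the bytes. Without this check
         * iOffSet never advances and the loop spins forever on that
         * byte; fail the same way the allocation path does. */
        if ( iOpcodeOfSize == 0 ){
            iOffSet = 0;
            goto eXit0;
        }
        switch( *(BYTE*)( Opcode + iOffSet ) ){
        CASESHORTADDR; {
            /* the rel8 forms are exactly two bytes; a longer decode
             * sharing the opcode byte is not a short jump */
            if ( iOpcodeOfSize != 2 )
                break;
            addr = GetShortAddr( (LONG)Opcode + iOffSet ) ;
            /* target before the function start: the jump leaves the
             * function backwards, so it says nothing about the end */
            if ( iStart > addr )
                break;
            /* do not record duplicates */
            if ( FindDuplicate( ListHead, addr ) )
                break;
            PSHORT_JUMP_ADDR_LIST p = (PSHORT_JUMP_ADDR_LIST)malloc( sizeof(SHORT_JUMP_ADDR_LIST) );
            if ( !p ){
                iOffSet = 0;    /* 0 signals failure to the caller */
                goto eXit0;
            }
            p->pos = addr ;
            InsertList( p,pCurrent );
            __DEBUG(DebugPrint("[*] Short Address:0x%08x\r\n" , p->pos ));
        }
        break;
        case 0xC3:      /* RET */
        case 0xC2: {    /* RET imm16 */
            /* check the list: if this address is past every recorded
             * jump target the function ends here; an earlier RET is an
             * internal exit that some short jump skips over */
            if ( DetectedEnd( ListHead, (LONG)Opcode + iOffSet ) ){
                bNext = FALSE;
                __DEBUG(DebugPrint("[*] End address:0x%08X\r\n" ,(LONG)Opcode + iOffSet ));
            }
        }
        break;
        default:
            break;
        }
        /* advance past the instruction; when bNext was just cleared this
         * counts the RET itself in the reported size */
        iOffSet += iOpcodeOfSize ;
    }
    while ( bNext );
eXit0:
    ReleaseListResource( ListHead );
    return iOffSet;
}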