In general, if you want a console program's output to be redirectable to a file or a pipe, you can no longer use WriteConsole; you have to use WriteFile. But when I use WriteFile, written in two different call forms, I get two different results:
1. On the command line, ">" redirects the output to a file;
2. On the command line, ">" redirects the output to a file, and although it succeeds, it also pops up an error saying the memory could not be "written".
Source file:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
.data
msg DB "Hello, world."
written DD ?
hStdOut DD ?
.CODE
start:
push STD_OUTPUT_HANDLE
call GetStdHandle
mov hStdOut, eax
push 0
push written
push LENGTHOF msg
push OFFSET msg
push hStdOut
call WriteFile
; with this form, ">" redirects the output to a file; it succeeds, but also pops up the "memory could not be written" error
invoke WriteFile,hStdOut,offset msg,LENGTHOF msg,written,0
; with this form, ">" redirects the output to a file and everything works normally
push hStdOut
call CloseHandle
push 0
call ExitProcess
END start
Afterwards, I disassembled it with OD, which gives the following:
00401010 6A F5 push -0B ;DevType=STD_OUTPUT_HANDLE
00401012 E8 6B000000 call <jmp.&kernel32.GetStdHandle> ;GetStdHandle
00401017 A3 11404000 mov dword ptr ds:[404011],eax
0040101C 6A 00 push 0 ;pOverlapped = NULL
0040101E FF35 0D404000 push dword ptr ds:[40400D] ;pBytesWritten = NULL
00401024 6A 0D push 0D
00401026 68 00404000 push pp.00404000 ;ASCII "Hello, world."
0040102B FF35 11404000 push dword ptr ds:[404011]
00401031 E8 52000000 call <jmp.&kernel32.WriteFile>
00401036 6A 00 push 0 ;pOverlapped = NULL
00401038 FF35 0D404000 push dword ptr ds:[40400D] ;pBytesWritten = NULL
0040103E 6A 0D push 0D
00401040 68 00404000 push pp.00404000 ;ASCII "Hello, world."
00401045 FF35 11404000 push dword ptr ds:[404011]
0040104B E8 38000000 call <jmp.&kernel32.WriteFile>
00401050 FF35 11404000 push dword ptr ds:[404011]
00401056 E8 1B000000 call <jmp.&kernel32.CloseHandle>
0040105B 6A 00 push 0
0040105D E8 1A000000 call <jmp.&kernel32.ExitProcess>
00401062 CC int3
... ....
00401075 CC int3
00401076 FF25 70504000 jmp dword ptr ds:[<&kernel32.CloseHandle>] ;kernel32.CloseHandle
0040107C FF25 64504000 jmp dword ptr ds:[<&kernel32.ExitProcess>] ;kernel32.ExitProcess
00401082 FF25 68504000 jmp dword ptr ds:[<&kernel32.GetStdHandle>] ;kernel32.GetStdHandle
00401088 FF25 6C504000 jmp dword ptr ds:[<&kernel32.WriteFile>] ;kernel32.WriteFile
This shows that the two call forms are in substance exactly the same, so why does the former produce an error while the latter works normally?
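An added example, not part of the original post: the OllyDbg listing above annotates the fourth argument of both WriteFile calls as pBytesWritten = NULL, because both `push written` and `invoke WriteFile,...,written,0` push the contents of the DWORD variable `written` (zero at startup) rather than its address. WriteFile's lpNumberOfBytesWritten parameter is a pointer (LPDWORD) and may only be NULL when lpOverlapped is non-NULL; when the write completes, the API stores the byte count through that pointer, and a NULL pointer means a write to address 0. The listing below is a corrected version of the program that passes the address with OFFSET/ADDR in both call forms and checks the BOOL return value of WriteFile; the data layout and the exit code 1 on failure are my own choices.

```asm
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib

.data
msg      DB "Hello, world.",13,10
hStdOut  DD ?
written  DD ?                       ; receives the number of bytes written

.code
start:
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov hStdOut, eax

    ; Explicit push form. Note OFFSET: "push written" would push the
    ; DWORD stored in written (0 here), i.e. a NULL lpNumberOfBytesWritten.
    push 0                          ; lpOverlapped = NULL
    push OFFSET written             ; lpNumberOfBytesWritten = &written
    push LENGTHOF msg               ; nNumberOfBytesToWrite
    push OFFSET msg                 ; lpBuffer
    push hStdOut                    ; hFile
    call WriteFile
    test eax, eax                   ; WriteFile returns FALSE on failure
    jz   fail

    ; invoke form: the same fix applies, the bare variable name would
    ; pass its value, so use ADDR (or OFFSET) for both buffer and count.
    invoke WriteFile, hStdOut, ADDR msg, LENGTHOF msg, ADDR written, 0
    test eax, eax
    jz   fail

    invoke ExitProcess, 0

fail:
    invoke ExitProcess, 1           ; non-zero exit code signals the failed write
end start
```

With this change, the value of `written` after each call equals LENGTHOF msg, whether standard output is the console, a redirected file (">") or a pipe, because the API now has a valid location to store the count.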