-
-
[求助]BeaEngine的问题
-
发表于:
2015-3-28 13:26
4029
-
用BeaEngine反汇编PE文件,查找所有跳转指令。
查找时用的是递归算法,遇到ret或无效指令时返回,遇到跳转指令的时候打印,并以跳转的目标地址为参数递归调用自己,小文件运行还正常,跳转指令一多就出问题了,程序卡死在Disasm
vector<LONGLONG> disokAddr;
DWORD MaxAddress; /*最大地址*/
DWORD MinAddress; /*最小分析地址 = 载入基址*/
DWORD count1=0;
DWORD WINAPI FindJmpInstructionThread(DWORD EIP)
{
bool bRet=true;
DISASM dis={0};
dis.EIP=EIP;
while (bRet)
{
int len;
len=Disasm(&dis);
if (len!=UNKNOWN_OPCODE)
{
dis.EIP+=len;
if (dis.Instruction.BranchType)
{
if (dis.Instruction.BranchType==RetType)
{
return false;
}
vector<LONGLONG>::iterator iter;
iter=find(disokAddr.begin(),disokAddr.end(),dis.Instruction.AddrValue);
if(iter==disokAddr.end())
{
if (dis.Instruction.AddrValue>=MaxAddress || dis.Instruction.AddrValue<MinAddress)
continue;
printf("发现跳转指令:%s\t指令类型:%x\t跳转地址:%x\n",dis.CompleteInstr,dis.Instruction.BranchType,dis.Instruction.AddrValue);
;
disokAddr.push_back(dis.Instruction.AddrValue);
count1++;
FindJmpInstructionThread(dis.Instruction.AddrValue);
}
}
}else
{
bRet = false;
}
}
return 0;
}
这个是调用代码:
char *a_sb_Named_LiuYi;
PIMAGE_DOS_HEADER pDosHead;
PIMAGE_NT_HEADERS a_lovely_girl_named_moncake;
DISASM disasmInfo={0};
//C:\\Windows\\System32\\user32.dll
a_sb_Named_LiuYi =(char *) LoadPE("C:\\Windows\\explorer.exe");
if (!a_sb_Named_LiuYi)
{
printf("Load PE err!\n");
getchar();
}
pDosHead=(PIMAGE_DOS_HEADER)a_sb_Named_LiuYi;
a_lovely_girl_named_moncake=(PIMAGE_NT_HEADERS)&a_sb_Named_LiuYi[pDosHead->e_lfanew];
disasmInfo.EIP=p_add(a_sb_Named_LiuYi,a_lovely_girl_named_moncake->OptionalHeader.AddressOfEntryPoint);
disasmInfo.VirtualAddr=(DWORD)a_sb_Named_LiuYi;//a_lovely_girl_named_moncake->OptionalHeader.ImageBase;
MinAddress = (DWORD)a_sb_Named_LiuYi;
MaxAddress = p_add(a_sb_Named_LiuYi,a_lovely_girl_named_moncake->OptionalHeader.SizeOfImage);
FindJmpInstructionThread(disasmInfo.EIP);
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
