[Help] A problem encountered while debugging a DLL in OllyDbg
Posted on: 2008-9-17 09:56 5323
I wrote a simple DLL myself, then loaded it in OllyDbg and ran it under the debugger.
The source code is as follows:
// DLL source file (the poster's implementation; it includes mylib.h, shown below)
#include <windows.h>
#define MYLIBAPI extern "C" __declspec(dllexport)
#include "mylib.h"

int g_nResult;

int Add(int nLeft, int nRight)
{
    g_nResult = nLeft + nRight;
    return g_nResult;
}

// mylib.h (shared by the DLL and its clients; the DLL defines MYLIBAPI as dllexport before including it,
// every other translation unit falls through to the dllimport definition here)
#ifdef MYLIBAPI
#else
#define MYLIBAPI extern "C" __declspec(dllimport)
#endif

//define any data structures and symbols here.

//define exported variables here.(NOTE: Avoid exporting variables.)
MYLIBAPI int g_nResult;

//define exported function prototypes here.
MYLIBAPI int Add(int nLeft, int nRight);
First, OllyDbg stops at the DLL's entry point:
[COLOR="Red"]100010E9 >/$ 55            PUSH EBP[/COLOR]
100010EA |. 8BEC          MOV EBP,ESP
100010EC |. 53            PUSH EBX
100010ED |. 8B5D 08       MOV EBX,DWORD PTR SS:[EBP+8]
100010F0 |. 56            PUSH ESI
100010F1 |. 8B75 0C       MOV ESI,DWORD PTR SS:[EBP+C]
100010F4 |. 57            PUSH EDI
100010F5 |. 8B7D 10       MOV EDI,DWORD PTR SS:[EBP+10]
100010F8 |. 85F6          TEST ESI,ESI
100010FA |. 75 09         JNZ SHORT DLLTest2.10001105
100010FC |. 833D 64530010>CMP DWORD PTR DS:[10005364],0
10001103 |. EB 26         JMP SHORT DLLTest2.1000112B
10001105 |> 83FE 01       CMP ESI,1
10001108 |. 74 05         JE SHORT DLLTest2.1000110F
1000110A |. 83FE 02       CMP ESI,2
1000110D |. 75 22         JNZ SHORT DLLTest2.10001131
1000110F |> A1 DC580010   MOV EAX,DWORD PTR DS:[100058DC]
10001114 |. 85C0          TEST EAX,EAX
10001116 |. 74 09         JE SHORT DLLTest2.10001121
10001118 |. 57            PUSH EDI
10001119 |. 56            PUSH ESI
1000111A |. 53            PUSH EBX
1000111B |. FFD0          CALL EAX
1000111D |. 85C0          TEST EAX,EAX
1000111F |. 74 0C         JE SHORT DLLTest2.1000112D
10001121 |> 57            PUSH EDI
10001122 |. 56            PUSH ESI
10001123 |. 53            PUSH EBX
10001124 |. E8 E7FEFFFF   CALL DLLTest2.10001010
10001129 |. 85C0          TEST EAX,EAX
1000112B |> 75 04         JNZ SHORT DLLTest2.10001131
1000112D |> 33C0          XOR EAX,EAX
1000112F |. EB 4E         JMP SHORT DLLTest2.1000117F
10001131 |> 57            PUSH EDI
10001132 |. 56            PUSH ESI
10001133 |. 53            PUSH EBX
10001134 |. E8 BC090000   CALL DLLTest2.10001AF5
10001139 |. 83FE 01       CMP ESI,1
1000113C |. 8945 0C       MOV DWORD PTR SS:[EBP+C],EAX
1000113F |. 75 0C         JNZ SHORT DLLTest2.1000114D
10001141 |. 85C0          TEST EAX,EAX
10001143 |. 75 37         JNZ SHORT DLLTest2.1000117C
10001145 |. 57            PUSH EDI
10001146 |. 50            PUSH EAX
10001147 |. 53            PUSH EBX
10001148 |. E8 C3FEFFFF   CALL DLLTest2.10001010
1000114D |> 85F6          TEST ESI,ESI
1000114F |. 74 05         JE SHORT DLLTest2.10001156
10001151 |. 83FE 03       CMP ESI,3
10001154 |. 75 26         JNZ SHORT DLLTest2.1000117C
10001156 |> 57            PUSH EDI
10001157 |. 56            PUSH ESI
10001158 |. 53            PUSH EBX
10001159 |. E8 B2FEFFFF   CALL DLLTest2.10001010
1000115E |. 85C0          TEST EAX,EAX
10001160 |. 75 03         JNZ SHORT DLLTest2.10001165
10001162 |. 2145 0C       AND DWORD PTR SS:[EBP+C],EAX
10001165 |> 837D 0C 00    CMP DWORD PTR SS:[EBP+C],0
10001169 |. 74 11         JE SHORT DLLTest2.1000117C
1000116B |. A1 DC580010   MOV EAX,DWORD PTR DS:[100058DC]
10001170 |. 85C0          TEST EAX,EAX
10001172 |. 74 08         JE SHORT DLLTest2.1000117C
10001174 |. 57            PUSH EDI
10001175 |. 56            PUSH ESI
10001176 |. 53            PUSH EBX
10001177 |. FFD0          CALL EAX
10001179 |. 8945 0C       MOV DWORD PTR SS:[EBP+C],EAX
1000117C |> 8B45 0C       MOV EAX,DWORD PTR SS:[EBP+C]
1000117F |> 5F            POP EDI
10001180 |. 5E            POP ESI
10001181 |. 5B            POP EBX
10001182 |. 5D            POP EBP
[COLOR="Red"]10001183 \. C2 0C00       RET 0C[/COLOR]
Then I press Ctrl+F9 to run until 10001183, then F8; at that point I find the program has executed into
[COLOR="Red"]60001057  A3 0C300060      MOV DWORD PTR DS:[6000300C],EAX[/COLOR]
6000105C  8B25 10300060    MOV ESP,DWORD PTR DS:[60003010]
60001062  A1 0C300060      MOV EAX,DWORD PTR DS:[6000300C]
60001067  5E               POP ESI
60001068  5D               POP EBP
[COLOR="Red"]60001069  C2 0C00          RET 0C[/COLOR]
I checked the memory window that OllyDbg displays and found that the memory currently being executed does not belong to this DLL's address space,
as shown in the attached image.
Moreover, after 60001069 executes, execution enters the address space of ntdll.dll.
May I ask what causes this execution flow when debugging the DLL? Why does executing 10001183 land in that memory region, and then in ntdll? Thanks.
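The listing the poster stepped through (100010E9 to 10001183) has the shape of the MSVC C runtime's `_DllMainCRTStartup` stub, which the linker places in front of the user's own DllMain. Below, as an added example that is not code from the original post, its control flow is re-expressed in portable C so the branches on ESI (the dwReason argument) can be followed; `crt_init`, `dll_main`, `raw_dll_main` and the `proc_attached` parameter are assumed stand-ins for the calls at 10001010 and 10001AF5, the pointer at 100058DC and the flag at 10005364.

```c
#include <stdio.h>
/* Windows DLL entry reason codes: the values the listing compares ESI against. */
#define DLL_PROCESS_DETACH 0
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
typedef int (*dll_main_fn)(void *hinst, unsigned reason, void *reserved);
/* Assumed stand-ins for the callees: 10001010 (CRT init), 10001AF5 (the user's
 * DllMain) and the pointer at 100058DC (raw DllMain hook, normally NULL).
 * They record how they were called so the dispatch can be checked. */
static unsigned crt_init_calls[8];
static int crt_init_count;
static int crt_init_rc = 1, dll_main_rc = 1;   /* return values the stand-ins hand back */
static dll_main_fn raw_dll_main = NULL;
static int crt_init(void *h, unsigned reason, void *r) {
    (void)h; (void)r;
    if (crt_init_count < 8) crt_init_calls[crt_init_count] = reason;
    crt_init_count++;
    return crt_init_rc;
}
static int dll_main(void *h, unsigned reason, void *r) {
    (void)h; (void)reason; (void)r;
    return dll_main_rc;
}
/* Control flow of the stub at 100010E9..10001183; proc_attached stands for the
 * flag at 10005364 (non-zero once a PROCESS_ATTACH has succeeded). */
int dll_main_crt_startup(void *hinst, unsigned reason, void *reserved, int proc_attached) {
    int retcode = 1;
    if (reason == DLL_PROCESS_DETACH && proc_attached == 0)                  /* 100010FC */
        return 0;
    if (reason == DLL_PROCESS_ATTACH || reason == DLL_THREAD_ATTACH) {
        if (raw_dll_main) retcode = raw_dll_main(hinst, reason, reserved);   /* 1000111B CALL EAX */
        if (retcode) retcode = crt_init(hinst, reason, reserved);             /* 10001124 */
        if (!retcode) return 0;                                               /* 1000112D XOR EAX,EAX */
    }
    retcode = dll_main(hinst, reason, reserved);                              /* 10001134 */
    if (reason == DLL_PROCESS_ATTACH && !retcode)
        crt_init(hinst, DLL_PROCESS_DETACH, reserved);                        /* 10001148, EAX is 0 */
    if (reason == DLL_PROCESS_DETACH || reason == DLL_THREAD_DETACH) {
        if (!crt_init(hinst, reason, reserved)) retcode = 0;                  /* 10001159, 10001162 */
        if (retcode && raw_dll_main) retcode = raw_dll_main(hinst, reason, reserved); /* 10001177 */
    }
    return retcode;  /* 10001183 RET 0C: pops the 3 args and returns to the entry point's caller */
}

int main(void) {
    printf("PROCESS_ATTACH -> %d\n", dll_main_crt_startup(NULL, DLL_PROCESS_ATTACH, NULL, 1));
    return 0;
}
```

The final RET 0C is a stdcall return, so stepping over it always lands in whatever code called the DLL's entry point, which is loader code outside the DLL's image rather than anything the poster compiled.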