-
-
[求助]在ollydbg中调试dll时遇到的问题
-
发表于: 2008-9-17 09:56
-
自己编写了一个简单的dll文件,然后在ollydbg中加载执行调试
源码如下:
首先ollydbg停在了dll的入口处
然后ctrl+F9,执行到10001183处,再F8,此时发现程序执行到
查看了一下ollydbg显示的内存窗口,发现现在所在的内存并不是属于该DLL的内存空间
如附件中图所示
并且60001069执行后,发现又进入到ntdll.dll的内存空间中
请问该dll调试时出现这样的执行流程是什么原因,为什么执行10001183后会进入到那个内存中,之后又进入到ntdll中,谢谢
源码如下:
#include <windows.h>
#define MYLIBAPI extern "C" __declspec(dllexport)
#include "mylib.h"
int g_nResult;
int Add(int nLeft, int nRight)
{
g_nResult = nLeft + nRight;
return g_nResult;
}
#ifdef MYLIBAPI #else #define MYLIBAPI extern "C" __declspec(dllimport) #endif //define any data structures and symbols here. //define exported variables here.(NOTE: Avoid exporting variables.) MYLIBAPI int g_nResult; //define exported function prototypes here. MYLIBAPI int Add(int nLeft, int nRight);
首先ollydbg停在了dll的入口处
[COLOR="Red"]100010E9 >/$ 55 PUSH EBP[/COLOR] 100010EA |. 8BEC MOV EBP,ESP 100010EC |. 53 PUSH EBX 100010ED |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] 100010F0 |. 56 PUSH ESI 100010F1 |. 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] 100010F4 |. 57 PUSH EDI 100010F5 |. 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10] 100010F8 |. 85F6 TEST ESI,ESI 100010FA |. 75 09 JNZ SHORT DLLTest2.10001105 100010FC |. 833D 64530010>CMP DWORD PTR DS:[10005364],0 10001103 |. EB 26 JMP SHORT DLLTest2.1000112B 10001105 |> 83FE 01 CMP ESI,1 10001108 |. 74 05 JE SHORT DLLTest2.1000110F 1000110A |. 83FE 02 CMP ESI,2 1000110D |. 75 22 JNZ SHORT DLLTest2.10001131 1000110F |> A1 DC580010 MOV EAX,DWORD PTR DS:[100058DC] 10001114 |. 85C0 TEST EAX,EAX 10001116 |. 74 09 JE SHORT DLLTest2.10001121 10001118 |. 57 PUSH EDI 10001119 |. 56 PUSH ESI 1000111A |. 53 PUSH EBX 1000111B |. FFD0 CALL EAX 1000111D |. 85C0 TEST EAX,EAX 1000111F |. 74 0C JE SHORT DLLTest2.1000112D 10001121 |> 57 PUSH EDI 10001122 |. 56 PUSH ESI 10001123 |. 53 PUSH EBX 10001124 |. E8 E7FEFFFF CALL DLLTest2.10001010 10001129 |. 85C0 TEST EAX,EAX 1000112B |> 75 04 JNZ SHORT DLLTest2.10001131 1000112D |> 33C0 XOR EAX,EAX 1000112F |. EB 4E JMP SHORT DLLTest2.1000117F 10001131 |> 57 PUSH EDI 10001132 |. 56 PUSH ESI 10001133 |. 53 PUSH EBX 10001134 |. E8 BC090000 CALL DLLTest2.10001AF5 10001139 |. 83FE 01 CMP ESI,1 1000113C |. 8945 0C MOV DWORD PTR SS:[EBP+C],EAX 1000113F |. 75 0C JNZ SHORT DLLTest2.1000114D 10001141 |. 85C0 TEST EAX,EAX 10001143 |. 75 37 JNZ SHORT DLLTest2.1000117C 10001145 |. 57 PUSH EDI 10001146 |. 50 PUSH EAX 10001147 |. 53 PUSH EBX 10001148 |. E8 C3FEFFFF CALL DLLTest2.10001010 1000114D |> 85F6 TEST ESI,ESI 1000114F |. 74 05 JE SHORT DLLTest2.10001156 10001151 |. 83FE 03 CMP ESI,3 10001154 |. 75 26 JNZ SHORT DLLTest2.1000117C 10001156 |> 57 PUSH EDI 10001157 |. 56 PUSH ESI 10001158 |. 53 PUSH EBX 10001159 |. E8 B2FEFFFF CALL DLLTest2.10001010 1000115E |. 85C0 TEST EAX,EAX 10001160 |. 75 03 JNZ SHORT DLLTest2.10001165 10001162 |. 2145 0C AND DWORD PTR SS:[EBP+C],EAX 10001165 |> 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0 10001169 |. 74 11 JE SHORT DLLTest2.1000117C 1000116B |. A1 DC580010 MOV EAX,DWORD PTR DS:[100058DC] 10001170 |. 85C0 TEST EAX,EAX 10001172 |. 74 08 JE SHORT DLLTest2.1000117C 10001174 |. 57 PUSH EDI 10001175 |. 56 PUSH ESI 10001176 |. 53 PUSH EBX 10001177 |. FFD0 CALL EAX 10001179 |. 8945 0C MOV DWORD PTR SS:[EBP+C],EAX 1000117C |> 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] 1000117F |> 5F POP EDI 10001180 |. 5E POP ESI 10001181 |. 5B POP EBX 10001182 |. 5D POP EBP [COLOR="Red"]10001183 \. C2 0C00 RET 0C[/COLOR]
然后ctrl+F9,执行到10001183处,再F8,此时发现程序执行到
[COLOR="Red"]60001057 A3 0C300060 MOV DWORD PTR DS:[6000300C],EAX[/COLOR] 6000105C 8B25 10300060 MOV ESP,DWORD PTR DS:[60003010] 60001062 A1 0C300060 MOV EAX,DWORD PTR DS:[6000300C] 60001067 5E POP ESI 60001068 5D POP EBP [COLOR="Red"]60001069 C2 0C00 RET 0C[/COLOR]
查看了一下ollydbg显示的内存窗口,发现现在所在的内存并不是属于该DLL的内存空间
如附件中图所示
并且60001069执行后,发现又进入到ntdll.dll的内存空间中
请问该dll调试时出现这样的执行流程是什么原因,为什么执行10001183后会进入到那个内存中,之后又进入到ntdll中,谢谢
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
