--- d:\projects\lab\call_type\call_type.cpp ------------------------------------
#include <stdio.h>
int __stdcall add(int a, int b)
{
013D13B0 push ebp
013D13B1 mov ebp,esp
013D13B3 sub esp,0C0h
013D13B9 push ebx
013D13BA push esi
013D13BB push edi
013D13BC lea edi,[ebp-0C0h]
013D13C2 mov ecx,30h
013D13C7 mov eax,0CCCCCCCCh
013D13CC rep stos dword ptr es:[edi]
return a+b;
013D13CE mov eax,dword ptr [a]
013D13D1 add eax,dword ptr [b]
}
013D13D4 pop edi
013D13D5 pop esi
013D13D6 pop ebx
013D13D7 mov esp,ebp
013D13D9 pop ebp
013D13DA ret 8
---------------
--- d:\projects\lab\call_type\call_type.cpp ------------------------------------
int main()
{
013D13F0 push ebp
013D13F1 mov ebp,esp
013D13F3 sub esp,0C0h
013D13F9 push ebx
013D13FA push esi
013D13FB push edi
013D13FC lea edi,[ebp-0C0h]
013D1402 mov ecx,30h
013D1407 mov eax,0CCCCCCCCh
013D140C rep stos dword ptr es:[edi]
printf("%d\n", add(1,2));
013D140E push 2
013D1410 push 1
013D1412 call add (13D1109h)
013D1417 mov esi,esp
013D1419 push eax
013D141A push offset string "%d\n" (13D573Ch)
013D141F call dword ptr [__imp__printf (13D82BCh)]
013D1425 add esp,8
013D1428 cmp esi,esp
013D142A call @ILT+315(__RTC_CheckEsp) (13D1140h)
return 0;
013D142F xor eax,eax
}
013D1431 pop edi
013D1432 pop esi
013D1433 pop ebx
013D1434 add esp,0C0h
013D143A cmp ebp,esp
013D143C call @ILT+315(__RTC_CheckEsp) (13D1140h)
013D1441 mov esp,ebp
013D1443 pop ebp
013D1444 ret
=====================================
--- d:\projects\lab\call_type\call_type.cpp ------------------------------------
#include <stdio.h>
int add(int a, int b)
{
00D513B0 push ebp
00D513B1 mov ebp,esp
00D513B3 sub esp,0C0h
00D513B9 push ebx
00D513BA push esi
00D513BB push edi
00D513BC lea edi,[ebp-0C0h]
00D513C2 mov ecx,30h
00D513C7 mov eax,0CCCCCCCCh
00D513CC rep stos dword ptr es:[edi]
return a+b;
00D513CE mov eax,dword ptr [a]
00D513D1 add eax,dword ptr [b]
}
00D513D4 pop edi
00D513D5 pop esi
00D513D6 pop ebx
00D513D7 mov esp,ebp
00D513D9 pop ebp
00D513DA ret
---------------------
--- d:\projects\lab\call_type\call_type.cpp ------------------------------------
int main()
{
00D513F0 push ebp
00D513F1 mov ebp,esp
00D513F3 sub esp,0C0h
00D513F9 push ebx
00D513FA push esi
00D513FB push edi
00D513FC lea edi,[ebp-0C0h]
00D51402 mov ecx,30h
00D51407 mov eax,0CCCCCCCCh
00D5140C rep stos dword ptr es:[edi]
printf("%d\n", add(1,2));
00D5140E push 2
00D51410 push 1
00D51412 call add (0D51096h)
00D51417 add esp,8
00D5141A mov esi,esp
00D5141C push eax
00D5141D push offset string "%d\n" (0D5573Ch)
00D51422 call dword ptr [__imp__printf (0D582BCh)]
00D51428 add esp,8
00D5142B cmp esi,esp
00D5142D call @ILT+315(__RTC_CheckEsp) (0D51140h)
return 0;
00D51432 xor eax,eax
}
00D51434 pop edi
00D51435 pop esi
00D51436 pop ebx
00D51437 add esp,0C0h
00D5143D cmp ebp,esp
00D5143F call @ILT+315(__RTC_CheckEsp) (0D51140h)
00D51444 mov esp,ebp
00D51446 pop ebp
00D51447 ret
---------------------------------------------------
两组反汇编的差别只在参数清理：第一组的 __stdcall 版 add 以 `ret 8` 由被调用方弹出 8 字节参数；第二组的默认（__cdecl）版 add 以普通 `ret` 返回，由调用方在 call 之后用 `add esp,8` 清理。写 thunk 时末尾的 ret 必须与被替换函数的约定一致，否则栈会失衡。我们的 thunkCode 如下：
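/* Byte offsets of the two 32-bit immediates inside thunkCodeTemplate, and its
 * total size. Whatever copies the template into executable memory must store
 * new_addr / old_addr (little-endian) at these offsets; keeping them next to
 * the template stops them drifting if the byte sequence is ever changed. */
enum {
    THUNK_NEW_ADDR_OFFSET = 4,   /* imm32 of "mov eax, new_addr" */
    THUNK_OLD_ADDR_OFFSET = 9,   /* imm32 of "mov ecx, old_addr" */
    THUNK_SIZE            = 18
};

/*
 * 32-bit x86 thunk: calls the function at new_addr with old_addr as its single
 * stack argument, then returns to whoever called the thunk.
 *
 * B8/B9 are "mov r32, imm32": both addresses are immediates embedded in the
 * code, not memory operands (the bracketed [new_addr]/[old_addr] notation in
 * the original comments was misleading). The copy/patch code is not shown on
 * this page; presumably the template is copied to a freshly allocated page,
 * patched, and only then made executable — confirm that the page is not left
 * writable+executable (W^X / DEP).
 *
 * Calling-convention caveat: the trailing "ret" (C3) pops nothing, so the thunk
 * matches a __cdecl target, whose caller cleans its own arguments ("add esp,8"
 * after the call in the second listing). A __stdcall target cleans its
 * arguments itself ("ret 8" in the first listing); replacing one would need
 * "ret N" (C2 imm16) here, otherwise the caller's stack is corrupted.
 * "leave" resets esp from ebp, so the pushed old_addr is discarded whether or
 * not the function at new_addr popped it. The hooked call's own arguments are
 * not forwarded to new_addr by this thunk; it only passes old_addr.
 */
const unsigned char thunkCodeTemplate[] =
{
    0x55,                         // push ebp
    0x8B, 0xEC,                   // mov ebp, esp
    0xB8, 0x00, 0x00, 0x00, 0x00, // mov eax, imm32  <- new_addr (THUNK_NEW_ADDR_OFFSET)
    0xB9, 0x00, 0x00, 0x00, 0x00, // mov ecx, imm32  <- old_addr (THUNK_OLD_ADDR_OFFSET)
    0x51,                         // push ecx
    0xFF, 0xD0,                   // call eax
    0xC9,                         // leave
    0xC3                          // ret  (no imm16: caller-cleans / __cdecl only)
};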
本文转自 sinojelly 的 51CTO 博客，原文链接：
http://blog.51cto.com/sinojelly/431695
,如需转载请自行联系原作者