Meditations: Stepping Stones (repost)


Rong Yao (荣耀), 2003

  New technologies often use older ones as "stepping stones". The relationship of .NET to COM is one such case.

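  If you have the .NET Framework installed, the system directory (probably C:\Winnt\System32) contains a file named mscoree.dll. This is the Microsoft .NET Runtime Execution Engine. Its importance goes without saying: the "Sharpei" virus determines whether a computer has .NET installed by looking for this very file.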

  Let's take a look at what this DLL actually exports:

  C:\WINNT\system32>dumpbin /exports mscoree.dll

  Dump of file mscoree.dll

  File Type: DLL

  Section contains the following exports for mscoree.dll

  00000000 characteristics
  3C368FBE time date stamp Sat Jan 05 13:31:42 2002
  0.00 version
  17 ordinal base
  100 number of functions
  94 number of names

  ordinal hint RVA name


  36 0 0001161E CallFunctionShim
  21 1 000108E2 CloseCtrs
  37 2 0000B998 ClrCreateManagedInstance
  38 3 00011163 CoEEShutDownCOM
  39 4 0000B7C7 CoInitializeCor
  40 5 00010CA1 CoInitializeEE
  24 6 00011372 CoLogCurrentStack
  41 7 00010D41 CoUninitializeCor
  42 8 00010CF3 CoUninitializeEE
  25 9 000108D8 CollectCtrs
  43 A 0000A8B0 CorBindToCurrentRuntime
  44 B 000118A9 CorBindToRuntime
  45 C 000108FF CorBindToRuntimeByCfg
  46 D 0000FA0E CorBindToRuntimeByPath
  47 E 00011826 CorBindToRuntimeEx
  48 F 0000B9F9 CorBindToRuntimeHost
  49 10 0000B25B CorExitProcess
  50 11 00011320 CorMarkThreadInThreadPool
  51 12 00008C2E CreateConfigStream
  52 13 0000B2AB DllCanUnloadNow
  53 14 00007F2A DllGetClassObject
  54 15 00011678 DllRegisterServer
  55 16 00010BE9 DllUnregisterServer
  26 17 0000FA42 EEDllGetClassObjectFromClass
  56 18 0001156A EEDllRegisterServer
  57 19 000115C0 EEDllUnregisterServer
  58 1A 000023AC GetAssemblyMDImport
  59 1B 0000B2F4 GetCORRequiredVersion
  60 1C 00002290 GetCORSystemDirectory
  61 1D 000092A1 GetCORVersion
  62 1E 0001111A GetCompileInfo
  27 1F 00011513 GetGlobalContextsPerfcounters
  63 20 00010054 GetHashFromAssemblyFile
  64 21 000100BC GetHashFromAssemblyFileW
  65 22 00010246 GetHashFromBlob
  66 23 00010125 GetHashFromFile
  67 24 00010184 GetHashFromFileW
  68 25 000101E5 GetHashFromHandle
  69 26 0000B818 GetHostConfigurationFile
  70 27 00010E6B GetMetaDataInternalInterface
  71 28 00010DFB GetMetaDataInternalInterfaceFromPublic
  72 29 00010D8A GetMetaDataPublicInterfaceFromInternal
  73 2A 000110B0 GetPermissionRequests
  28 2B 000114BA GetPrivateContextsPerfCounters
  74 2C 0001099D GetRealProcAddress
  29 2D 0000B7C1 GetStartupFlags
  75 2E 000122CE GetXMLElement
  76 2F 000122D6 GetXMLElementAttribute
  77 30 00005BE8 GetXMLObject
  78 31 0000B8CC LoadLibraryShim
  79 32 00011848 LoadLibraryWithPolicyShim
  30 33 000113C6 LogHelp_LogAssert
  31 34 0001141A LogHelp_NoGuiOnAssert
  32 35 0001146A LogHelp_TerminateOnAssert
  80 36 00010C44 MetaDataGetDispenser
  81 37 0000FB96 ND_CopyObjDst
  82 38 0000FB6E ND_CopyObjSrc
  83 39 0000B977 ND_RI2
  84 3A 0000B988 ND_RI4
  85 3B 0000FB18 ND_RI8
  86 3C 0000B8A8 ND_RU1
  87 3D 0000FB2C ND_WI2
  88 3E 0000FB41 ND_WI4
  89 3F 0000FB54 ND_WI8
  90 40 0000B8B9 ND_WU1
  33 41 0001077E OpenCtrs
  34 42 0000FA4A ReleaseFusionInterfaces
  91 43 000109DE RunDll32ShimW
  35 44 00011269 RuntimeImageType
  92 45 000112C1 RuntimeOSHandle
  93 46 000111A8 RuntimeOpenImage
  94 47 00011209 RuntimeReleaseHandle
  95 48 0000FF3D StrongNameCompareAssemblies
  96 49 0000B3C0 StrongNameErrorInfo
  97 4A 0000220F StrongNameFreeBuffer
  98 4B 0000FCC8 StrongNameGetPublicKey
  99 4C 0000FFA0 StrongNameHashSize
  100 4D 0000FC75 StrongNameKeyDelete
  101 4E 0000FBBE StrongNameKeyGen
  102 4F 0000FC19 StrongNameKeyInstall
  103 50 0000FD2B StrongNameSignatureGeneration
  104 51 0000FFF7 StrongNameSignatureSize
  105 52 0000B35B StrongNameSignatureVerification
  106 53 0000FE62 StrongNameSignatureVerificationEx
  107 54 0000FECA StrongNameSignatureVerificationFromImage
  108 55 0000FD96 StrongNameTokenFromAssembly
  109 56 0000FDF8 StrongNameTokenFromAssemblyEx
  110 57 00002175 StrongNameTokenFromPublicKey
  111 58 00011041 TranslateSecurityAttributes
  112 59 00002064 _CorDllMain
  114 5A 0000B865 _CorExeMain
  113 5B 000116EE _CorExeMain2
  115 5C 0001077B _CorImageUnloading
  116 5D 00011739 _CorValidateImage
  17 00010ED5 [NONAME]
  18 00010F0C [NONAME]
  19 00010F4E [NONAME]
  20 00010F84 [NONAME]
  22 00010FB6 [NONAME]
  23 00010FFD [NONAME]

  Summary
 
  3000 .data
  2000 .reloc
  1000 .rsrc
  1A000 .text

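  Did you notice the entries in blue (DllCanUnloadNow, DllGetClassObject, DllRegisterServer and DllUnregisterServer)? The .NET Runtime Execution Engine is a COM component.

  Run the command below to confirm this further: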

  regsvr32 C:\WINNT\system32\mscoree.dll
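
  The check made by eye above can be automated when triaging many DLLs. The following is an added example, not part of the original article: it parses `dumpbin /exports` text and reports whether the standard in-process COM server entry points are present. The function names and the SAMPLE excerpt are constructed for illustration.

```python
import re

# Entry points the COM runtime calls on every in-process server DLL.
COM_LOAD = {"DllGetClassObject", "DllCanUnloadNow"}
# Self-registration entry points; regsvr32 calls DllRegisterServer.
COM_SELFREG = {"DllRegisterServer", "DllUnregisterServer"}

# Named export row: ordinal (decimal), hint (hex), RVA (8 hex digits), name.
NAMED = re.compile(r"(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\S+)(?:\s.*)?")
# Ordinal-only export row: ordinal, RVA, literal [NONAME]; there is no hint.
NONAME = re.compile(r"(\d+)\s+([0-9A-Fa-f]{8})\s+\[NONAME\]")

def parse_exports(dump_text):
    """Return [(ordinal, rva, name_or_None)] from `dumpbin /exports` text."""
    exports = []
    for line in dump_text.splitlines():
        line = line.strip()
        m = NAMED.fullmatch(line)
        if m:
            exports.append((int(m.group(1)), int(m.group(3), 16), m.group(4)))
            continue
        m = NONAME.fullmatch(line)
        if m:
            exports.append((int(m.group(1)), int(m.group(2), 16), None))
    return exports

def classify(exports):
    """Flag COM server traits; export names are matched case-sensitively."""
    names = {name for _, _, name in exports if name}
    return {
        "com_inproc_server": COM_LOAD <= names,
        "self_registering": COM_SELFREG <= names,
        "ordinal_only": sorted(o for o, _, name in exports if name is None),
    }

# Constructed excerpt of the listing above (header and summary rows are skipped).
SAMPLE = """\
  ordinal hint RVA name
  52 13 0000B2AB DllCanUnloadNow
  53 14 00007F2A DllGetClassObject
  54 15 00011678 DllRegisterServer
  55 16 00010BE9 DllUnregisterServer
  112 59 00002064 _CorDllMain
  17 00010ED5 [NONAME]
  18 00010F0C [NONAME]
  3000 .data
"""

if __name__ == "__main__":
    print(classify(parse_exports(SAMPLE)))
```

  The ordinal-only list is worth reviewing separately, since exports without names say nothing about their purpose in a listing like this.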

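  If this has piqued your interest, try finding out what some of the other .NET DLLs really are (I am not implying that they are all COM components).

  There is no need to list a big pile of dump output just to make one simple point; I also wanted to illustrate another one along the way: knowledge comes from being careful and attentive.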

  “Be careful”。

-End-


From the "ITPUB Blog", link: http://blog.itpub.net/10748419/viewspace-987362/. If you repost this, please credit the source; otherwise legal action will be pursued.
