Windows AT&T 程序集中的 MessageBoxA
我试图使用 gcc 内联直接在程序集中调用 MessageBoxA() 。然而,我需要通过两种方式来做到这一点:首先是使用动态寻址,使用 LoadLibrary() 和 GetProcAddress() - 我找到了一个关于此的教程,试图遵循它。但我也有兴趣直接调用MessageBoxA的地址,在我的Windows SP3英文中是0x7e4507ea。
我正在尝试执行此代码:
/*
* eax holds return value
* ebx will hold function addresses
* ecx will hold string pointers
* edx will hold NULL
*
*/
int main(int argc, char **argv)
{
asm(" xor %eax, %eax \t\n\
xor %ebx, %ebx \t\n\
xor %ecx, %ecx \t\n\
xor %edx, %edx \t\n\
push $0x0 \t\n\
push $0x44444444 \t\n\
push $0x44444444 \t\n\
pop %ecx \t\n\
mov %dl,0x3(%ecx) \t\n\
mov $0x7e4507ea, %ebx \t\n\
push %edx \t\n\
push %ecx \t\n\
push %ecx \t\n\
push %edx \t\n\
mov $0x8, %ax \t\n\
call *%ebx \t\n\
");
}
我不确定在 Windows 中是否可以执行此操作,直接调用地址,而不指定库(在本例中为 user32.dll)。我知道在 Linux 中调用 write() 系统调用很简单,但在 Windows 中我还不太熟悉......
我希望看到一个带有“DDDDDDDD”的消息框。有人可以帮我吗?感谢任何帮助,还有教程链接!
多谢
I'm trying to call MessageBoxA() directly in assembly, using gcc inline. However I need to do this in 2 ways: first is using dynamic addressing, with LoadLibrary() and GetProcAddress() - I found a tutorial about this, trying to follow it. But I'm also interested in calling directly the address of MessageBoxA, wich is 0x7e4507ea in my Windows SP3 English.
I'm trying to execute this code:
/*
* eax holds return value
* ebx will hold function addresses
* ecx will hold string pointers
* edx will hold NULL
*
*/
int main(int argc, char **argv)
{
asm(" xor %eax, %eax \t\n\
xor %ebx, %ebx \t\n\
xor %ecx, %ecx \t\n\
xor %edx, %edx \t\n\
push $0x0 \t\n\
push $0x44444444 \t\n\
push $0x44444444 \t\n\
pop %ecx \t\n\
mov %dl,0x3(%ecx) \t\n\
mov $0x7e4507ea, %ebx \t\n\
push %edx \t\n\
push %ecx \t\n\
push %ecx \t\n\
push %edx \t\n\
mov $0x8, %ax \t\n\
call *%ebx \t\n\
");
}
I'm not sure if in Windows is even possible to do this, directly call the address, without specifying the library (user32.dll in this case). I know in Linux it's simple to call write() syscall, but in Windows I'm not so familiar yet..
I expect to see a message box with "DDDDDDDD". Could someone help me on that please? Appreciate any help, with tutorial links also!
Thanks a lot
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
首先用 C 编写,编译并查看汇编列表以查看编译器生成的内容。这是最简单的学习方法。
如果您看到不理解的指令,请在英特尔指令集参考 PDF 中查找。
Write it in C first, compile and view the assembly listing to see what the compiler generated. This is the easiest way to learn.
If you see an instruction that you don't understand look for it in the Intel Instruction Set Reference PDFs.
我这样做是这样的:
即使很难,也完全可以对函数的地址进行硬编码,我更喜欢动态加载(尽管我对 kernel32 地址进行硬编码),以便它可以在任何 Windows XP(SP1、2、3)上运行
I did this in this way:
Even tough is perfectly possible to hardcode the addresses of the functions, I preferred to load dynamically (although I'm hardcoding kernel32 address), so that it works on any Windows XP (SP1, 2, 3)
听起来像是一个很大的禁忌。 API调用没有固定地址。这取决于它在内存中的加载位置。虽然我确定 User32.dll 在操作系统启动时加载,但我不指望它会占用相同的空间。
要调用 API 例程,您必须导入它,以便操作系统可以为您提供正确的调用地址。
Sounds like a big no-no. API calls do not have a fixed address. It depends on where in memory it got loaded. Although I'm sure User32.dll is loaded at OS start-up, I wouldn't count on it ever occupying the same space.
To call an API routine, you must import it so the OS can supply you with a correct address to the call.
“直接”调用 MessageBoxA 是不可能的。是的,您可以添加对
0x7e4507ea的调用,但这并不重要。您必须向导入地址表添加一个条目,该条目表明您正在从 user32.dll 以及何处调用MessageBoxA。当 Windows 加载您的可执行文件时,它会发现您正在调用MessageBoxA,为您加载 user32.dll,并修补MessageBoxA结束的实际地址。"Directly" calling MessageBoxA isn't really possible. Yes, you can add a call to
0x7e4507ea, but it doesn't really matter. You must add an entry to your Import Address Table, which says that you're callingMessageBoxAfrom user32.dll, and from where. When Windows loads your executable, it will see that you're callingMessageBoxA, load user32.dll for you, and patch up the actual address whereMessageBoxAended.