为什么没有mov指令显示?
如果你在调试模式下,你需要知道你正在传递一个错误的地址到GetCurrentDate(PVOID),那意味着你是从一个错误的地址读取字节,还有另外一些错误,解决这个问题遵循这些步骤:
首先,从字节生成的代码:
mov eax, x // code bytes: 8B 45 08
mov result, eax // code bytes: 89 45 FC
0x8B和0x89上是你应该看看你的附加组件内(INT,INT)函数的值。
其次,让你添加的第一个字节的地址(INT,INT)功能,我建议使用此功能:
#define ASM_CALL 0x000000E8
#define ASM_JMP 0x000000E9
#define ASM_CALL_SIZE 0x00000001
#define ASM_CALL_FULL_SIZE 0x00000005
DWORD GetFuncAddress(DWORD funcAddress)
{
BYTE calledAddress = *(BYTE*)funcAddress;
while (calledAddress == ASM_CALL || calledAddress == ASM_JMP) {
funcAddress = funcAddress + *(DWORD*)(funcAddress + ASM_CALL_SIZE) + ASM_CALL_FULL_SIZE;
calledAddress = *(BYTE*)funcAddress;
}
return funcAddress; // The address of the first byte of the function.
}
第三,我建议你GetFunctionSize(DOWRD)内部的优化,因为你知道你的附加功能与单符结束:
return result; // code bytes: C3
为什么不循环扔add函数的字节,因此当你发现一个字节equivalente到0xC3,你将最终获得的确切大小你的函数(以字节为单位),这段代码将使事情变得清晰:
#define ASM_RET 0xC3
SIZE_T GetFunctionSize(DWORD functionAddress)
{
SIZE_T funcSize = 0;
// Loop thru func's bytes, and breaks when return byte found.
while (*((PBYTE)functionAddress++) != RET)
funcSize++;
return funcSize;
}
第四,GetCurrentByte(PVOID)函数需要一些维护,所以我建议:
#define ASM_MOV1 0x8B
#define ASM_MOV2 0x89
VOID GetCurrentByte(DWORD functionAddress, UINT &index)
{
BYTE tempByte = *((PBYTE)functionAddress + index);
// search for bytes which contains a mov instruction:
if (tempByte == ASM_MOV1 || tempByte == ASM_MOV2)
cout << "MOV instr found at : " << hex << ((DWORD)functionAddress + index) << endl;
}
最后,完整的代码将是这样的:
#include <iostream>
#include <Windows.h>
#define ASM_RET 0xC3
#define ASM_MOV1 0x8B
#define ASM_MOV2 0x89
#define ASM_CALL 0xE8
#define ASM_JMP 0xE9
#define ASM_CALL_SIZE 0x01
#define ASM_CALL_FULL_SIZE 0x05
using namespace std;
INT add(INT x, INT y)
{
int result;
__asm
{
mov eax, x
add eax, y
mov result, eax
xor eax, eax
}
return result;
}
DWORD GetFuncAddress(DWORD funcAddress)
{
BYTE calledAddress = *(BYTE*)funcAddress;
while (calledAddress == ASM_CALL || calledAddress == ASM_JMP) {
funcAddress = funcAddress + *(DWORD*)(funcAddress + ASM_CALL_SIZE) + ASM_CALL_FULL_SIZE;
calledAddress = *(BYTE*)funcAddress;
}
return funcAddress;
}
SIZE_T GetFunctionSize(DWORD functionAddress)
{
SIZE_T funcSize = 0;
while (*((PBYTE)functionAddress++) != ASM_RET)
{
funcSize++;
}
return funcSize;
}
VOID GetCurrentByte(DWORD functionAddress, UINT &index)
{
BYTE tempByte = *((PBYTE)functionAddress + index);
if (tempByte == ASM_MOV1 || tempByte == ASM_MOV2)
cout << "MOV instr found at : " << hex << ((DWORD)functionAddress + index) << endl;
}
INT main()
{
DWORD funcAddress = GetFuncAddress((DWORD)add); // Get func address.
SIZE_T size = GetFunctionSize(funcAddress); // Get func size (bytes).
for (UINT i = 0; i < size; i++) // loop thru the function memory block.
{
GetCurrentByte(funcAddress, i);
}
system("pause");
return 0;
}
不要如果你在你的函数中发现了很多MOV指令,因为编译器创建了它们,你会感到惊讶。
Amrane Abdelkader。
我还是不明白你要完成什么。我的理解是,函数中的操作码在运行时不会改变,为什么他们需要监视?你是*基准*还是*分析*一些代码? –
我打算在以后增加更多mov的突变。 http://pastebin.com/G8WnSCDY – SamLaren