我正在尝试创建一个编译器,并开始了代码生成部分。基于我使用 fasm 编译的简单可执行文件,我开始使用 Python 进行导入的代码生成。
这是Assembly中测试程序的源代码:
format PE console
entry start
include 'win32a.inc'
macro import_part1 library, [api]
{
common
library#_str: db `library
forward
if rva $ mod 2 = 0
; db 0
end if
; When align is right, one byte from previous import name
; is used as byte for next import's hint.
api#_str = $-1
db 0, `api
common
db 0
}
import_part2_first = 0
macro import_part2 library, [api]
{
common
if import_part2_first = 0
align 4
import_part2_first = 1
else
dd 0
end if
library#_import:
forward
api dd rva api#_str
}
macro import_part3 [library]
{
common
data import
forward
dd 0, 0, 0, rva library#_str, rva library#_import
common
rd 5
end data
}
import_list equ
import_libraries equ
macro import library,[api]
{
common
import_list equ import_list import_#library
import_#library equ library,api
import_libraries equ import_libraries,library
}
macro importend
{
match a, import_list
\{
irps b, a \\{ match c, b \\\{ import_part1 c \\\} \\}
irps b, a \\{ match c, b \\\{ import_part2 c \\\} \\}
\}
match =,a,import_libraries \{ import_part3 a \}
}
start:
push var
call [printf]
push 0
call [ExitProcess]
var db 'Test', 0
;data import
;
;library kernel32, 'kernel32.dll', msvcrt, 'msvcrt.dll'
;
;import kernel32, ExitProcess, 'ExitProcess'
;import msvcrt, printf, 'printf'
;end data
import kernel32.dll, ExitProcess, AttachConsole
import msvcrt.dll, printf, scanf, puts
import user32.dll, MessageBoxA
importend
(OllyDbg)这是我用来生成导入的部分(我无法发布图像):
CPU Disasm
Address Hex dump Command Comments
00401017 . 006B 65 ADD BYTE PTR DS:[EBX+65], CH
0040101A . 72 6E 65 6C 33 32 2E 64 6C 6C 00 ASCII "rnel32.dll",0 ; ASCII "rnel32.dll"
00401025 . 45 78 69 74 50 72 6F 63 65 73 73 00 ASCII "ExitProcess",0 ; ASCII "ExitProcess"
00401031 . 41 74 74 61 63 68 43 6F 6E 73 6F 6C 65 00 ASCII "AttachConsole",0 ; ASCII "AttachConsole"
0040103F . 6D 73 76 63 72 74 2E 64 6C 6C 00 ASCII "msvcrt.dll",0 ; ASCII "msvcrt.dll"
0040104A . 70 72 69 6E 74 66 00 ASCII "printf",0 ; ASCII "printf"
00401051 . 73 63 61 6E 66 00 ASCII "scanf",0 ; ASCII "scanf"
00401057 . 70 75 74 73 00 ASCII "puts",0 ; ASCII "puts"
0040105C . 75 73 65 72 33 32 2E 64 6C 6C 00 ASCII "user32.dll",0 ; ASCII "user32.dll"
00401067 . 4D 65 73 73 61 67 65 42 6F 78 41 00 ASCII "MessageBoxA",0 ; ASCII "MessageBoxA"
00401073 90 NOP
Here is the problem:
00401074 . 647FA577 DD 77A57F64 -> ExitProcess
00401078 . 1878A577 DD 77A57818
0040107C . 00000000 DD 00000000
00401080 . C4D2B777 DD 77B7D2C4
00401084 . BF16C077 DD 77C016BF
00401088 . 9C3BC077 DD 77C03B9C
0040108C . 00000000 DD 00000000
00401090 . 9E278B77 DD 778B279E
00401094 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00401098 . 00000000 DD 00000000
0040109C . 00000000 DD 00000000
004010A0 . 18100000 DD 00001018
004010A4 . 74100000 DD 00001074
004010A8 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
004010AC . 00000000 DD 00000000
004010B0 . 00000000 DD 00000000
004010B4 . 3F100000 DD 0000103F
004010B8 . 80100000 DD 00001080
004010BC . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
004010C0 . 00000000 DD 00000000
004010C4 . 00000000 DD 00000000
004010C8 . 5C100000 DD 0000105C
004010CC . 90100000 DD 00001090
004010D0 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
004010D4 . 00000000 DD 00000000
004010D8 . 00000000 DD 00000000
004010DC . 00000000 DD 00000000
004010E0 . 00000000 DD 00000000
这是我的程序输出:
kernel32.dll , 0
ExitProcess , 0
AttachConsole , 0
msvcrt.dll , 0
printf , 0
scanf , 0
puts , 0
user32.dll , 0
MessageBoxA , 0
90
-------------------
0x77a57f64
0x77a57818
0x0
0x77b7d2c4
0x77c016bf
0x77c03b9c
0x0
0x778b279e
-------------------
0x0
0x0
0x0
0x1018
0x1074
0x0
0x0
0x0
0x103f
0x1080
0x0
0x0
0x0
0x105c
0x1090
0x0
0x0
0x0
0x0
0x0
生成的文件:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 45 78 69 kernel32.dll.Exi
00000010 74 50 72 6F 63 65 73 73 00 41 74 74 61 63 68 43 tProcess.AttachC
00000020 6F 6E 73 6F 6C 65 00 6D 73 76 63 72 74 2E 64 6C onsole.msvcrt.dl
00000030 6C 00 70 72 69 6E 74 66 00 73 63 61 6E 66 00 70 l.printf.scanf.p
00000040 75 74 73 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D uts.user32.dll.M
00000050 65 73 73 61 67 65 42 6F 78 41 00 90 64 7F A5 77 essageBoxA..d.¥w
00000060 18 78 A5 77 00 00 00 00 C4 D2 B7 77 BF 16 C0 77 .x¥w....ÄÒ·w¿.Àw
00000070 9C 3B C0 77 00 00 00 00 9E 27 8B 77 00 00 00 00 œ;Àw....ž'‹w....
00000080 00 00 00 00 00 00 00 00 00 00 00 00 18 10 00 00 ................
00000090 74 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
000000A0 3F 10 00 00 80 10 00 00 00 00 00 00 00 00 00 00 ?...€...........
000000B0 00 00 00 00 5C 10 00 00 90 10 00 00 00 00 00 00 ....\...........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
这是十六进制编辑器中测试程序的导入部分:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000210 6B 65 72 6E 65 6C 33 32 kernel32
00000220 2E 64 6C 6C 00 45 78 69 74 50 72 6F 63 65 73 73 .dll.ExitProcess
00000230 00 41 74 74 61 63 68 43 6F 6E 73 6F 6C 65 00 6D .AttachConsole.m
00000240 73 76 63 72 74 2E 64 6C 6C 00 70 72 69 6E 74 66 svcrt.dll.printf
00000250 00 73 63 61 6E 66 00 70 75 74 73 00 75 73 65 72 .scanf.puts.user
00000260 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 32.dll.MessageBo
00000270 78 41 00 90 23 10 00 00 2F 10 00 00 00 00 00 00 xA..#.../.......
00000280 48 10 00 00 4F 10 00 00 55 10 00 00 00 00 00 00 H...O...U.......
00000290 65 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e...............
000002A0 18 10 00 00 74 10 00 00 00 00 00 00 00 00 00 00 ....t...........
000002B0 00 00 00 00 3F 10 00 00 80 10 00 00 00 00 00 00 ....?...€.......
000002C0 00 00 00 00 00 00 00 00 5C 10 00 00 90 10 00 00 ........\.......
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
我不明白的是为什么 OllyDbg 和十六进制编辑器中的某些字节不同?我还需要做一些计算吗?
最佳答案
Here is the problem:
00401074 . 647FA577 DD 77A57F64 -> ExitProcess
00401078 . 1878A577 DD 77A57818
没问题。
在左列(转储)中,字节按照它们在内存中的顺序排列。所以先低字节。
最后一列(命令)显示与双字相同的 4 个字节,但它没有添加常见的前缀 0x 或后缀 h。
关于c - 十六进制编辑器和 OllyDbg 中的字节,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30018559/