c-->汇编


课程链接
https://www.ichunqiu.com/course/50571

获取函数地址

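#include "windows.h"
#include "stdio.h"

/*
 * Load `dll`, print its module handle, then resolve export `name` and print
 * its address.
 *
 * Uses the explicit ANSI entry point LoadLibraryA so the narrow string
 * literals compile regardless of whether UNICODE is defined, and %p so the
 * full pointer width is printed on 64-bit builds (the original %x truncates).
 *
 * Returns the export address, or NULL after printing the Win32 error code
 * when the module cannot be loaded or the export is not found.
 */
static FARPROC print_export_address(const char *dll, const char *name)
{
    FARPROC fn;
    HMODULE lib = LoadLibraryA(dll);
    if (lib == NULL) {
        printf("LoadLibrary(%s) failed, error %lu\n", dll, GetLastError());
        return NULL;
    }
    printf("%s address = %p\n", dll, (void *)lib);

    fn = GetProcAddress(lib, name);
    if (fn == NULL) {
        /* GetProcAddress on a valid module fails only if the export is missing. */
        printf("GetProcAddress(%s) failed, error %lu\n", name, GetLastError());
        return NULL;
    }
    printf("%s address = %p\n", name, (void *)fn);
    return fn;
}

/*
 * Demo: print the runtime addresses of LoadLibraryA (kernel32.dll) and
 * system (msvcrt.dll) by loading each DLL and looking the export up by name.
 *
 * Returns 0 on success, 1 if either module or export cannot be resolved.
 */
int main(void)
{
    /* LoadLibraryA address */
    if (print_export_address("Kernel32.dll", "LoadLibraryA") == NULL)
        return 1;
    /* system address */
    if (print_export_address("MSVCRT.DLL", "system") == NULL)
        return 1;
    return 0;
}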

编写汇编

编写以下两条语句的汇编
LoadLibrary("msvcrt.dll");
system("start cmd");

#include "windows.h"
#include "stdio.h"

/*
 * Demo: the two C statements below, hand-written as MSVC inline assembly:
 *     LoadLibrary("msvcrt.dll");
 *     system("start cmd");
 * Each string is built byte-by-byte in zeroed stack space (no data section
 * is needed), its address is pushed as the single argument, and the target
 * is called through a register.
 *
 * NOTE(review): the two call targets (0x76074977 and 0x752bb177) are the
 * addresses that the lookup program printed on the author's machine. They
 * are not resolved at run time, so on any other machine or Windows build
 * (and after a reboot where ASLR is active) each `call` lands at an
 * unrelated address and the process most likely crashes.
 *
 * NOTE(review): neither block restores ebp/esp -- the `push ebp` /
 * `mov ebp, esp` and the three scratch pushes are never undone -- so main's
 * frame is left corrupted. This goes unnoticed only because exit(0) below
 * never returns to main's epilogue. exit() is also used without <stdlib.h>.
 */
void main()
{
    //LoadLibrary("msvcrt.dll");  // as assembly
    _asm
    {
        // Set up a frame
        push ebp        // save the caller's frame pointer
        mov ebp, esp    // new frame pointer
        xor eax, eax    // eax = 0; pushed below to reserve zeroed scratch space
        push eax        // each push reserves 4 bytes; "msvcrt.dll" is 10 chars,
        push eax        // so three pushes give 12 zeroed bytes at [ebp-0ch..ebp-1];
        push eax        // the last two bytes stay zero and act as the NUL terminator
        // Store the argument string, one byte at a time
        mov byte ptr[ebp-0ch], 6dh  // 'm' (ASCII)
        mov byte ptr[ebp-0bh], 73h  // 's'
        mov byte ptr[ebp-0ah], 76h  // 'v'
        mov byte ptr[ebp-09h], 63h  // 'c'
        mov byte ptr[ebp-08h], 72h  // 'r'
        mov byte ptr[ebp-07h], 74h  // 't'
        mov byte ptr[ebp-06h], 2eh  // '.'
        mov byte ptr[ebp-05h], 64h  // 'd'
        mov byte ptr[ebp-04h], 6ch  // 'l'
        mov byte ptr[ebp-03h], 6ch  // 'l'
        lea eax, [ebp-0ch]          // eax = address of "msvcrt.dll" on the stack
        push eax                    // push the single argument (the DLL name)
        // Call the function
        mov eax, 0x76074977         // address of LoadLibrary (hard-coded; see header note)
        call eax
    }
    //system("start cmd");
    _asm
    {
        push ebp        // same frame setup as the first block
        mov ebp, esp
        xor edi, edi    // edi = 0
        push edi        // 12 zeroed bytes; "start cmd" is 9 chars, so the
        push edi        // remaining 3 bytes stay zero as the terminator
        push edi
        mov byte ptr[ebp-0ch], 73h  // 's'
        mov byte ptr[ebp-0bh], 74h  // 't'
        mov byte ptr[ebp-0ah], 61h  // 'a'
        mov byte ptr[ebp-09h], 72h  // 'r'
        mov byte ptr[ebp-08h], 74h  // 't'
        mov byte ptr[ebp-07h], 20h  // ' ' (space)
        mov byte ptr[ebp-06h], 63h  // 'c'
        mov byte ptr[ebp-05h], 6dh  // 'm'
        mov byte ptr[ebp-04h], 64h  // 'd'
        lea edi, [ebp-0ch]          // edi = address of "start cmd" on the stack
        push edi                    // push the single argument (the command string)
        mov edx, 0x752bb177         // address of system (hard-coded; see header note)
        call edx
    }
    exit(0);    // terminate here; the frames set up above are never torn down (see header note)
}