关于com接口调用的反汇编

只是为了测试，现在只写一个接口的自定义的两个函数

这是接口的定义

[object,uuid(C320028D-2E57-46FD-8D80-F24315B58543),dual,nonextensible,pointer_default(unique)]interface IDiction : IDispatch{HRESULT  justTest();HRESULT test_3();};只有两个成员函数

很简单吧，只是为了测试哈，现在看看调用COM的客户端的源代码

#include#includeusing namespace std;#import"D:\project\Dic\Debug\Dic.dll" no_namespaceint _tmain(int argc, _TCHAR* argv[]){::CoInitialize(NULL);IDictionPtr test;test.CreateInstance(__uuidof(Diction));test->justTest();test->test_3();test.Release();::CoUninitialize ();return 0;}

接连调用IDiction的两个接口而已，现在看看，起反汇编代码：重头戏来了

.text:00401000 ; int __cdecl wmain(int argc, wchar_t **argv).text:00401000 _wmain          proc near               ; CODE XREF: __tmainCRTStartup+11Dp.text:00401000.text:00401000 test            = _com_ptr_t<_com_IIID > ptr -10h.text:00401000 var_C           = dword ptr -0Ch.text:00401000 var_4           = dword ptr -4.text:00401000 argc            = dword ptr  8.text:00401000 argv            = dword ptr  0Ch.text:00401000.text:00401000                 push    ebp.text:00401001                 mov     ebp, esp.text:00401003                 push    0FFFFFFFFh.text:00401005                 push    offset __ehhandler$_wmain.text:0040100A                 mov     eax, large fs:0.text:00401010                 push    eax.text:00401011                 push    ecx.text:00401012                 push    esi             ; dwClsContext.text:00401013                 push    edi             ; pOuter.text:00401014                 mov     eax, ___security_cookie.text:00401019                 xor     eax, ebp.text:0040101B                 push    eax             ; rclsid.text:0040101C                 lea     eax, [ebp+var_C].text:0040101F                 mov     large fs:0, eax.text:00401025                 push    0               ; pvReserved.text:00401027                 call    ds:CoInitialize(x).text:0040102D                 mov     [ebp+test.m_pInterface], 0.text:00401034                 lea     edi, [ebp+test].text:00401037                 mov     [ebp+var_4], 0.text:0040103E                 call    _com_ptr_t<_com_IIID>::CreateInstance(_GUID const &,IUnknown *,ulong);这是调用的智能接口的CreateInstance.text:00401043                 mov     eax, [ebp+test.m_pInterface].text:00401046                 test    eax, eax;检测调用是否成功，如果不成功，则转到错误处理过程.text:00401048                 jnz     short $LN30.text:0040104A                 push    80004003h       ; hr.text:0040104F                 call    _com_issue_error(long).text:00401054 ; ---------------------------------------------------------------------------.text:00401054.text:00401054 $LN30:                                  ; CODE XREF: _wmain+48j.text:00401054                 mov     ecx, [eax].text:00401056                 mov     edx, [ecx+1Ch];注意这个偏移量，1CH,我想这是justTest的所在，也就是说1CH是，该功能函数在接口中的偏移量.text:00401059                 push    eax.text:0040105A                 mov     esi, eax.text:0040105C                 call    edx;这是调用过程.text:0040105E                 test    eax, eax;同上检测函数执行是否成功.text:00401060                 jns     short loc_40106E.text:00401062                 push    offset __GUID_c320028d_2e57_46fd_8d80_f24315b58543 ; riid这是接口的GUID.text:00401067                 push    esi             ; punk.text:00401068                 push    eax             ; hr.text:00401069                 call    _com_issue_errorex(long,IUnknown *,_GUID const &).text:0040106E ; ---------------------------------------------------------------------------.text:0040106E.text:0040106E loc_40106E:                             ; CODE XREF: _wmain+60j.text:0040106E                 mov     eax, [ebp+test.m_pInterface].text:00401071                 test    eax, eax.text:00401073                 jnz     short $LN31.text:00401075                 push    80004003h       ; hr.text:0040107A                 call    _com_issue_error(long).text:0040107F ; ---------------------------------------------------------------------------.text:0040107F.text:0040107F $LN31:                                  ; CODE XREF: _wmain+73j.text:0040107F                 mov     ecx, [eax].text:00401081                 mov     edx, [ecx+20h];20是test_3的偏移量.text:00401084                 push    eax.text:00401085                 mov     esi, eax.text:00401087                 call    edx;这是调用test_3功能的过程.text:00401089                 test    eax, eax;同上检测是否成功执行.text:0040108B                 jns     short loc_401099.text:0040108D                 push    offset __GUID_c320028d_2e57_46fd_8d80_f24315b58543 ; riid.text:00401092                 push    esi             ; punk.text:00401093                 push    eax             ; hr.text:00401094                 call    _com_issue_errorex(long,IUnknown *,_GUID const &).text:00401099 ; ---------------------------------------------------------------------------.text:00401099.text:00401099 loc_401099:                             ; CODE XREF: _wmain+8Bj.text:00401099                 mov     eax, [ebp+test.m_pInterface].text:0040109C                 test    eax, eax.text:0040109E                 jnz     short $LN32.text:004010A0                 push    80004003h       ; hr.text:004010A5                 call    _com_issue_error(long).text:004010AA ; ---------------------------------------------------------------------------.text:004010AA.text:004010AA $LN32:                                  ; CODE XREF: _wmain+9Ej.text:004010AA                 mov     ecx, [eax].text:004010AC                 mov     edx, [ecx+8];这个就比较特殊了，经笔者测试，8是一个定值，也就是说Release的偏移量永远是8.text:004010AF                 push    eax.text:004010B0                 call    edx.text:004010B2                 mov     [ebp+test.m_pInterface], 0.text:004010B9                 call    ds:CoUninitialize().text:004010BF                 mov     [ebp+var_4], 0FFFFFFFFh.text:004010C6                 mov     eax, [ebp+test.m_pInterface].text:004010C9                 test    eax, eax.text:004010CB                 jz      short loc_4010D5.text:004010CD                 mov     ecx, [eax].text:004010CF                 mov     edx, [ecx+8].text:004010D2                 push    eax.text:004010D3                 call    edx.text:004010D5.text:004010D5 loc_4010D5:                             ; CODE XREF: _wmain+CBj.text:004010D5                 xor     eax, eax.text:004010D7                 mov     ecx, [ebp+var_C].text:004010DA                 mov     large fs:0, ecx.text:004010E1                 pop     ecx.text:004010E2                 pop     edi.text:004010E3                 pop     esi.text:004010E4                 mov     esp, ebp.text:004010E6                 pop     ebp.text:004010E7                 retn.text:004010E7 _wmain          endp

我们看下，这几个偏移量1C,20，24，之间间隔是4，也就是说每个函数地址的间隔是4，也就是说是虚函数表，他们的接口成员都是放在同一个虚函数表当中的，这下证实了书

中的话。好了，今天就到这儿吧，虽然还是没能知道__imp_baabba什么的是怎么实现的