VB6 inline assembly: calling function pointers and using COM without registration
Source: Internet | Published: Shenzhen IT outsourcing company | Editor: 程序博客网 | Time: 2024/05/01 01:13
The usual way to run assembly code from VB6 is CallWindowProc. That method has a fixed parameter list, and internally it goes through several other calls before it reaches the function pointer; when I used it to call the "DllGetClassObject" function of a COM DLL it actually failed, and I could not work out why, so I looked for other ways. Writing a DLL in VC that calls the function pointer works well, but it means shipping an extra DLL file. Later I tried patching the code of a VB module function: get the VB function's address with AddressOf, change the page protection with VirtualProtect, then CopyMemory the assembly code over it, a real switcheroo; from then on calling that VB function runs the assembly directly. But this has no effect in the IDE, it only works in a compiled exe, which makes debugging hard.
Then I came across a neat method online: build a class object by hand and write the addresses of the assembly code into its vtable. The first three methods are those of the IUnknown interface:
HRESULT QueryInterface([in] IID *riid, [in,out] IUnknown **ppvObject);
long AddRef();
long Release();
The remaining methods are up to you. I added 10 methods that call a function address, for calls with 0 to 9 arguments respectively; they make no distinction between the stdcall and cdecl calling conventions, and they work in the IDE as well.
Original post: http://demon.tw/programming/vb6-repick-inline-assembly.html
Originally I only wanted to use COM without registering it; I did not expect to end up with all this. Below is my modified code, you are welcome to test it.
Option Explicit

Private Type CLSID
    d1 As Long
    d2 As Integer
    d3 As Integer
    d4(7) As Byte
End Type

Public Declare Function LoadLibraryW Lib "Kernel32.dll" (ByVal lpFileName As Long) As Long
Public Declare Function GetProcAddress Lib "Kernel32.dll" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long) As Long
Public Declare Function VirtualProtect Lib "kernel32" (ByVal lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Public Declare Function CLSIDFromString Lib "ole32.dll" (ByVal lpsz As Long, pclsid As Long) As Long
Declare Function CallWindowProcA Lib "user32.dll" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long

Private Const PAGE_EXECUTE_READWRITE As Long = &H40

Dim m_cthis As Long          'the fake object: its first dword is the vtable pointer
Dim m_vtab(20) As Long       'vtable: 3 IUnknown slots + 10 call thunks
Dim m_acode(100) As Long     'buffer holding the machine code (404 bytes)
Dim m_ICallFunAddr As ICallFunAddr

'Member index starts at 0: IUnknown has 3 member functions and IDispatch 4,
'so IClassFactory.CreateInstance is at slot 3
Public Function GetClassMemberAddr(ByVal cthis As Long, ByVal member As Long) As Long
    Dim vtab As Long
    Dim fun As Long
    CopyMemory VarPtr(vtab), ByVal cthis, 4              'first dword of the object is the vtable pointer
    CopyMemory VarPtr(fun), ByVal vtab + member * 4, 4   'read slot `member` of the vtable
    GetClassMemberAddr = fun
End Function

Public Function Dll_GetClassObject(dllname As String, sclsid As String, siid As String) As Object
    Dim dll As Long
    Dim hr As Long
    Dim clsid_icf As CLSID
    Dim clsid_cls As CLSID
    Dim clsid_iid As CLSID
    Dim icf As IClassFactory
    Dim funDllGetClassObject As Long
    Dim funCreateInstance As Long
    Dim funRelease As Long
    Dim calladdr As ICallFunAddr
    Set calladdr = MakeCallFunAddrObj
    dll = LoadLibraryW(StrPtr(dllname))
    'compare against 0 rather than > 0: a handle or address above &H7FFFFFFF is negative as a Long
    If dll <> 0 Then
        funDllGetClassObject = GetProcAddress(dll, "DllGetClassObject")
        If funDllGetClassObject <> 0 Then
            'IID_IClassFactory
            hr = CLSIDFromString(StrPtr("{00000001-0000-0000-C000-000000000046}"), clsid_icf.d1)
            hr = CLSIDFromString(StrPtr(sclsid), clsid_cls.d1)
            hr = CLSIDFromString(StrPtr(siid), clsid_iid.d1)
            'hr = CallWindowProcA(funDllGetClassObject, VarPtr(clsid_cls.d1), VarPtr(clsid_icf.d1), VarPtr(icf), 0)
            'DllGetClassObject(rclsid, riid, ppv): three stdcall arguments
            hr = calladdr.arg3(funDllGetClassObject, VarPtr(clsid_cls.d1), VarPtr(clsid_icf.d1), VarPtr(icf))
            hr = icf.CreateInstance(0, VarPtr(clsid_iid.d1), Dll_GetClassObject)
            'funCreateInstance = GetClassMemberAddr(icf, 3)
            'funRelease = GetClassMemberAddr(icf, 2)
            'hr = calladdr.arg4(funCreateInstance, icf, 0, VarPtr(clsid_iid.d1), VarPtr(Dll_GetClassObject))
            'hr = calladdr.arg1(funRelease, icf)
            'MsgBox TypeName(obj)
        End If
        'FreeLibrary dll
    Else
        MsgBox "dll加载失败"
    End If
End Function

'The following is the generated code for the one-argument case:
'00401508 > 55        PUSH EBP
'00401509   8BEC      MOV EBP,ESP
'0040150B   FF75 10   PUSH DWORD PTR SS:[EBP+10]
'0040150E   FF55 0C   CALL DWORD PTR SS:[EBP+C]
'00401511   C9        LEAVE
'00401512   C2 0C00   RETN C
'Works for both stdcall and cdecl targets: LEAVE discards whatever the callee left on the stack.
'Writes the machine code at address pcode; argc is the number of arguments to push; returns the number of bytes written.
'Stack at entry (after push ebp / mov ebp,esp): [ebp+8] = this, [ebp+C] = target address, [ebp+10 + 4*(n-1)] = argument n.
Public Function MakeCallFunAddrCode(ByVal pcode As Long, ByVal argc As Long) As Long
    Dim n As Long
    Dim p As Long
    Dim code As Long
    p = pcode
    'push ebp / mov ebp,esp
    code = &HEC8B55
    CopyMemory p, VarPtr(code), 3
    p = p + 3
    'push the arguments right to left: FF 75 disp8
    For n = argc To 1 Step -1
        code = (n * 4 + 12) * &H10000 + &H75FF
        CopyMemory p, VarPtr(code), 3
        p = p + 3
    Next
    'call dword ptr [ebp+C]
    code = &HC55FF
    CopyMemory p, VarPtr(code), 3
    p = p + 3
    'leave / retn (this + target + args) * 4; the & suffix keeps &HC2C9 from being a negative Integer
    code = (argc * 4 + 8) * &H10000 + &HC2C9&
    CopyMemory p, VarPtr(code), 4
    p = p + 4
    'nop padding
    code = &H90909090
    n = 4 - p Mod 4
    'keep the next thunk 4-byte aligned; nops are added between the thunks
    CopyMemory p, VarPtr(code), n
    MakeCallFunAddrCode = p + n - pcode
End Function

' function QueryInterface(riid:^GUID; out ppvObj:^^void);
' function AddRef: UI4;
' function Release: UI4;
'00401480 > 8B4424 04   MOV EAX,DWORD PTR SS:[ESP+4]
'00401484   8B4C24 0C   MOV ECX,DWORD PTR SS:[ESP+C]
'00401488 > 8901        MOV DWORD PTR DS:[ECX],EAX
'0040148A   33C0        XOR EAX,EAX
'0040148C   C2 0C00     RETN 0C
'0040148F   90          NOP
'00401490   33C0        XOR EAX,EAX
'00401492   40          INC EAX
'00401493   C2 0400     RETN 4
Public Function MakeCallFunAddrObj() As ICallFunAddr
    Dim n As Long
    Dim p As Long
    Dim narg As Long
    Dim nfun As Long
    Dim oldProtect As Long
    If Not m_ICallFunAddr Is Nothing Then
        Set MakeCallFunAddrObj = m_ICallFunAddr
        Exit Function
    End If
    m_cthis = VarPtr(m_vtab(0))
    'Not in the original post: m_acode is an ordinary data buffer, so mark it executable
    'for the case where DEP is enforced on this process (VB6 processes normally run with it off)
    VirtualProtect ByVal VarPtr(m_acode(0)), (UBound(m_acode) + 1) * 4, PAGE_EXECUTE_READWRITE, oldProtect
    'QueryInterface: hands back `this` for any IID and returns S_OK
    m_acode(0) = &H424448B
    m_acode(1) = &HC244C8B
    m_acode(2) = &HC0330189
    m_acode(3) = &H90000CC2
    'AddRef and Release share one stub that returns 1
    m_acode(4) = &HC240C033
    m_acode(5) = &H90900004
    m_vtab(0) = VarPtr(m_acode(0))
    m_vtab(1) = VarPtr(m_acode(4))
    m_vtab(2) = m_vtab(1)
    'slots 3..12: thunks for 0..9 arguments
    p = VarPtr(m_acode(6))
    nfun = 3
    For narg = 0 To 9
        n = MakeCallFunAddrCode(p, narg)
        m_vtab(nfun) = p
        p = p + n
        nfun = nfun + 1
    Next
    'store the address of m_cthis in the interface variable without AddRef/Release bookkeeping
    p = VarPtr(m_cthis)
    CopyMemory VarPtr(m_ICallFunAddr), VarPtr(p), 4
    Set MakeCallFunAddrObj = m_ICallFunAddr
End Function
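As an added example, not code from the original post: a Python model of the thunk bytes that MakeCallFunAddrCode emits, so the byte layout, the VB Long constants for the IUnknown stubs and the m_acode buffer size can be checked offline without executing anything. The constants and the 4-byte padding rule are taken from the VB code above.

```python
IUNKNOWN_STUB_DWORDS = [0x0424448B, 0x0C244C8B, 0xC0330189,
                        0x90000CC2, 0xC240C033, 0x90900004]  # m_acode(0..5) from the post


def dwords_to_code(dwords) -> bytes:
    """VB stores each Long little-endian, which is the byte order CopyMemory sees."""
    return b"".join(d.to_bytes(4, "little") for d in dwords)


def vb_push_word(n: int) -> bytes:
    """The post computes (n*4+12)*&H10000 + &H75FF and copies 3 bytes: FF 75 disp8."""
    return ((n * 4 + 12) * 0x10000 + 0x75FF).to_bytes(4, "little")[:3]


def make_call_thunk(argc: int) -> bytes:
    """Thunk for vtable slot 3+argc.  After its push ebp / mov ebp,esp the stack is
    [ebp+8]=this, [ebp+0C]=target address, [ebp+10+4*(n-1)]=arg n.  `leave` discards
    whatever the callee left on the stack, so the target may be stdcall or cdecl."""
    if not 0 <= argc <= 9:
        raise ValueError("the post only generates thunks for 0..9 arguments")
    code = bytearray(b"\x55\x8b\xec")                     # push ebp; mov ebp, esp
    for n in range(argc, 0, -1):                          # push args right to left
        code += bytes([0xFF, 0x75, n * 4 + 12])           # push dword ptr [ebp+disp8]
        assert code[-3:] == vb_push_word(n)               # same bytes as the VB arithmetic
    code += b"\xff\x55\x0c"                               # call dword ptr [ebp+0C]
    code += b"\xc9"                                       # leave
    code += b"\xc2" + (argc * 4 + 8).to_bytes(2, "little")  # retn: pop this, target, args
    return bytes(code)


def pad_to_dword(code: bytes) -> bytes:
    """The post appends 4 - (len mod 4) NOPs, i.e. 1..4 bytes, so the next thunk
    starts on a 4-byte boundary (it appends 4 NOPs when already aligned)."""
    return code + b"\x90" * (4 - len(code) % 4)


def thunk_table_size() -> int:
    """Bytes used in m_acode: the IUnknown stubs plus the ten padded thunks;
    this must stay below the 404 bytes that m_acode(100) As Long provides."""
    stubs = len(dwords_to_code(IUNKNOWN_STUB_DWORDS))
    return stubs + sum(len(pad_to_dword(make_call_thunk(n))) for n in range(10))


if __name__ == "__main__":
    # matches the OllyDbg listing: 55 8b ec ff 75 10 ff 55 0c c9 c2 0c 00
    print(make_call_thunk(1).hex(" "))
    print(dwords_to_code(IUNKNOWN_STUB_DWORDS).hex(" "))   # QueryInterface/AddRef/Release stubs
    print(thunk_table_size(), "of 404 bytes used")
```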
Below is the test code (form module):
Dim m_ICallFunAddr As ICallFunAddr

Private Sub Test_com()
    Dim obj As Object
    Set obj = Dll_GetClassObject("D:\Administrator\Documents\VB6.0\内联汇编_类成员函数调用\aatest2.dll", "{6D926E71-56E7-467D-B64F-E7571EF1B806}", "{B1F1024A-7CF1-44C8-B34B-B7BE383F4825}")
    MsgBox TypeName(obj)
    obj.testadd 1, 2, "abc"
End Sub

'Call a VB class method directly through its vtable: slot 7 is the first method after IUnknown (3) + IDispatch (4)
Public Sub Test_CallClassMember()
    Dim fun As Long
    Dim c As New Class1
    Dim p As Long
    Dim n As Long
    p = ObjPtr(c)
    fun = GetClassMemberAddr(p, 7)
    n = 3
    m_ICallFunAddr.arg3 fun, p, 1, VarPtr(n)
End Sub

'Breakpoint: the code is CC C3 (int3; ret) followed by two nops
Sub Test_int3()
    Dim code As Long
    code = &H9090C3CC
    m_ICallFunAddr.Arg0 VarPtr(code)
End Sub

Sub Test_CallFunAddr()
    Dim dll As Long
    Dim addr As Long
    Dim buf As String
    Dim n As Long
    Dim s As String
    buf = String(500, "0")
    dll = LoadLibraryW(StrPtr("user32.dll"))
    addr = GetProcAddress(dll, "wsprintfW")
    'cdecl call
    n = m_ICallFunAddr.arg4(addr, StrPtr(buf), StrPtr("字符串:%s,数字%d"), StrPtr("中文12345+"), 1234)
    addr = GetProcAddress(dll, "MessageBoxW")
    'stdcall call
    m_ICallFunAddr.arg4 addr, Me.hWnd, StrPtr(buf), StrPtr("MessageBoxW"), vbOKCancel
    s = Left(buf, n)
    s = "长度:" & n & vbCrLf & s
    MsgBox s
End Sub

Private Sub Form_Load()
    Set m_ICallFunAddr = MakeCallFunAddrObj
    Test_com
    'Test_CallClassMember
    'Test_int3
    'Test_CallFunAddr
End Sub
Type library, generated with VC6's mktyplib:
[
  uuid(2399BACC-768E-4e37-8B98-80EC39BE4772)
]
library tlb_callFunAddr
{
    importlib("stdole2.tlb");

    [
      uuid(316462C8-FDBA-45f7-856B-325C1AD39737),
      odl
    ]
    interface ICallFunAddr : IUnknown
    {
        long Arg0([in] long addr);
        long Arg1([in] long addr, [in] long arg1);
        long Arg2([in] long addr, [in] long arg1, [in] long arg2);
        long Arg3([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3);
        long Arg4([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4);
        long Arg5([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5);
        long Arg6([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6);
        long Arg7([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6, [in] long arg7);
        long Arg8([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6, [in] long arg7, [in] long arg8);
        long Arg9([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6, [in] long arg7, [in] long arg8, [in] long arg9);
    };

    [
      uuid(00000001-0000-0000-C000-000000000046),
      odl
    ]
    interface IClassFactory : IUnknown
    {
        long CreateInstance([in] long pUnkOuter, [in] long riid, [in] IUnknown** ppvObject);
        long LockServer([in] long fLock);
    };
};
I looked up the CLSIDs with eXeScope, quite a handy tool; the assembly was typed in OllyDbg, which I also used for debugging.
The pdb debug file VB6 generates seems to be created fresh each time, and you have to delete the old one by hand; that threw my debugging off and cost me a lot of time.