程序博客网 > 深圳it外包公司

vb6内联汇编,调用函数指针,不注册调用com

来源:互联网 发布:深圳it外包公司 编辑:程序博客网 时间:2024/05/01 01:13

vb6执行汇编代码一般是使用CallWindowProc,这个方法有参数限制,内部还会执行一些其它调用再到函数指针,我用它调用com里面的“DllGetClassObject”函数时居然出错了,不知道怎么回事,于是乎寻求其它办法,用vc写个dll调用函数指针挺好用的,可惜多了个dll文件。后来采取修改vb模块内函数代码,用AddressOf获取vb函数地址后,再用VirtualProtect修改权限,这样就可以用CopyMemory把汇编代码复制过来,可谓偷梁换柱啊,以后执行这个vb函数就直接运行汇编代码了,不过ide下没效果,得生成exe文件才行,这样就不好调试了。

在网上看到了一种神奇的方法,手动构造一个类,将汇编代码的运行地址写进vtable,前三个方法是IUnknown接口的方法:

HRESULT QueryInterface([in] IID *riid, [in,out] IUnknown **ppvObject);
long AddRef();
long Release();

后面的方法就随意了,我添加了10个调用函数地址的方法,分别对应0个参数-9个参数的呼叫,而且不区分stdcall和cdecl调用约定,ide状态下也正常。

原贴地址:http://demon.tw/programming/vb6-repick-inline-assembly.html

最初只是想不注册调用com,没想折腾出这些东西来的,这是我改过的代码,欢迎测试

Option ExplicitPrivate Type CLSID    d1 As Long    d2 As Integer    d3 As Integer    d4(7) As ByteEnd TypePublic Declare Function LoadLibraryW Lib "Kernel32.dll" (ByVal lpFileName As Long) As LongPublic Declare Function GetProcAddress Lib "Kernel32.dll" (ByVal hModule As Long, ByVal lpProcName As String) As LongPublic Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long) As LongPublic Declare Function VirtualProtect Lib "kernel32" (ByVal lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As LongPublic Declare Function CLSIDFromString Lib "ole32.dll" (ByVal lpsz As Long, pclsid As Long) As LongDeclare Function CallWindowProcA Lib "user32.dll" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As LongDim m_cthis As LongDim m_vtab(20) As LongDim m_acode(100) As LongDim m_ICallFunAddr As ICallFunAddr'member索引从0开始,IUnknown3个成员函数,IDispatch4个成员函数,IClassFactory.CreateInstance在3号位置Public Function GetClassMemberAddr(ByVal cthis As Long, ByVal member As Long) As Long    Dim vtab As Long    Dim fun As Long    CopyMemory VarPtr(vtab), ByVal cthis, 4    CopyMemory VarPtr(fun), ByVal vtab + member * 4, 4    GetClassMemberAddr = funEnd FunctionPublic Function Dll_GetClassObject(dllname As String, sclsid As String, siid As String) As ObjectDim dll As LongDim hr As LongDim clsid_icf As CLSIDDim clsid_cls As CLSIDDim clsid_iid As CLSIDDim icf As IClassFactoryDim funDllGetClassObject As LongDim funCreateInstance As LongDim funRelease As LongDim calladdr As ICallFunAddr    Set calladdr = MakeCallFunAddrObj    dll = LoadLibraryW(StrPtr(dllname))    If dll > 0 Then        funDllGetClassObject = GetProcAddress(dll, "DllGetClassObject")        If funDllGetClassObject > 0 Then            hr = CLSIDFromString(StrPtr("{00000001-0000-0000-C000-000000000046}"), clsid_icf.d1)            hr = CLSIDFromString(StrPtr(sclsid), clsid_cls.d1)            hr = CLSIDFromString(StrPtr(siid), clsid_iid.d1)            'hr = CallWindowProcA(funDllGetClassObject, VarPtr(clsid_cls.d1), VarPtr(clsid_icf.d1), VarPtr(icf), 0)            hr = calladdr.arg3(funDllGetClassObject, VarPtr(clsid_cls.d1), VarPtr(clsid_icf.d1), VarPtr(icf))            hr = icf.CreateInstance(0, VarPtr(clsid_iid.d1), Dll_GetClassObject)            'funCreateInstance = GetClassMemberAddr(icf, 3)            'funRelease = GetClassMemberAddr(icf, 2)            'hr = calladdr.arg4(funCreateInstance, icf, 0, VarPtr(clsid_iid.d1), VarPtr(Dll_GetClassObject))            'hr = calladdr.arg1(funRelease, icf)            'MsgBox TypeName(obj)        End If        'FreeLibrary dll    Else        MsgBox "dll加载失败"    End IfEnd Function'以下代码为一个参数的例子'00401508 >    55            PUSH EBP'00401509      8BEC          MOV EBP,ESP'0040150B      FF75 10       PUSH DWORD PTR SS:[EBP+10]'0040150E      FF55 0C       CALL DWORD PTR SS:[EBP+C]'00401511      C9            LEAVE'00401512      C2 0C00       RETN C'call方式stdcall和cdecl都可以'在pcode地址处写入汇编代码,argc压入的参数个数,返回汇编长度Public Function MakeCallFunAddrCode(ByVal pcode As Long, ByVal argc As Long) As Long    Dim n As Long    Dim p As Long    Dim code As Long        p = pcode    'push ebp    code = &HEC8B55    CopyMemory p, VarPtr(code), 3    p = p + 3    'push arg    For n = argc To 1 Step -1        code = (n * 4 + 12) * &H10000 + &H75FF        CopyMemory p, VarPtr(code), 3        p = p + 3    Next    'call    code = &HC55FF    CopyMemory p, VarPtr(code), 3    p = p + 3    'leave retn    code = (argc * 4 + 8) * &H10000 + &HC2C9&    CopyMemory p, VarPtr(code), 4    p = p + 4    'nop    code = &H90909090    n = 4 - p Mod 4 '为以后的代码4字节对齐,代码前后都加入nop    CopyMemory p, VarPtr(code), n    MakeCallFunAddrCode = p + n - pcodeEnd Function'    function QueryInterface(riid:^GUID; out ppvObj:^^void);'    function AddRef: UI4;'    function Release: UI4;'00401480 >    8B4424 04     MOV EAX,DWORD PTR SS:[ESP+4]'00401484      8B4C24 0C     MOV ECX,DWORD PTR SS:[ESP+C]'00401488 >    8901          MOV DWORD PTR DS:[ECX],EAX'0040148A      33C0          XOR EAX,EAX'0040148C      C2 0C00       RETN 0C'0040148F      90            NOP'00401490      33C0          XOR EAX,EAX'00401492      40            INC EAX'00401493      C2 0400       RETN 4Public Function MakeCallFunAddrObj() As ICallFunAddr    Dim n As Long    Dim p As Long    Dim narg As Long    Dim nfun As Long        If Not m_ICallFunAddr Is Nothing Then        Set MakeCallFunAddrObj = m_ICallFunAddr        Exit Function    End If        m_cthis = VarPtr(m_vtab(0))    'QueryInterface    m_acode(0) = &H424448B    m_acode(1) = &HC244C8B    m_acode(2) = &HC0330189    m_acode(3) = &H90000CC2   'AddRef Release共用    m_acode(4) = &HC240C033    m_acode(5) = &H90900004        m_vtab(0) = VarPtr(m_acode(0))    m_vtab(1) = VarPtr(m_acode(4))    m_vtab(2) = m_vtab(1)        p = VarPtr(m_acode(6))    nfun = 3    For narg = 0 To 9        n = MakeCallFunAddrCode(p, narg)        m_vtab(nfun) = p        p = p + n        nfun = nfun + 1    Next        p = VarPtr(m_cthis)    CopyMemory VarPtr(m_ICallFunAddr), VarPtr(p), 4    Set MakeCallFunAddrObj = m_ICallFunAddrEnd Function


以下是调用测试

Dim m_ICallFunAddr As ICallFunAddrPrivate Sub Test_com()Dim obj As Object    Set obj = Dll_GetClassObject("D:\Administrator\Documents\VB6.0\内联汇编_类成员函数调用\aatest2.dll", "{6D926E71-56E7-467D-B64F-E7571EF1B806}", "{B1F1024A-7CF1-44C8-B34B-B7BE383F4825}")    MsgBox TypeName(obj)    obj.testadd 1, 2, "abc"End SubPublic Sub Test_CallClassMember()    Dim fun As Long    Dim c As New Class1    Dim p As Long    Dim n As Long    p = ObjPtr(c)    fun = GetClassMemberAddr(p, 7)    n = 3    m_ICallFunAddr.arg3 fun, p, 1, VarPtr(n)End Sub'中断Sub Test_int3()    Dim code As Long    code = &H9090C3CC    m_ICallFunAddr.Arg0 VarPtr(code)End SubSub Test_CallFunAddr()    Dim dll As Long    Dim addr As Long    Dim buf As String    Dim n As Long    Dim s As String        buf = String(500, "0")    dll = LoadLibraryW(StrPtr("user32.dll"))    addr = GetProcAddress(dll, "wsprintfW")    'cdecl方式    n = m_ICallFunAddr.arg4(addr, StrPtr(buf), StrPtr("字符串:%s,数字%d"), StrPtr("中文12345+"), 1234)    addr = GetProcAddress(dll, "MessageBoxW")    'stdcall方式    m_ICallFunAddr.arg4 addr, Me.hWnd, StrPtr(buf), StrPtr("MessageBoxW"), vbOKCancel    s = Left(buf, n)    s = "长度:" & n & vbCrLf & s    MsgBox sEnd SubPrivate Sub Form_Load()    Set m_ICallFunAddr = MakeCallFunAddrObj    Test_com    'Test_CallClassMember    'Test_int3    'Test_CallFunAddrEnd Sub


类型库,用vc6的mktyplib生成

[    uuid(2399BACC-768E-4e37-8B98-80EC39BE4772)]library tlb_callFunAddr{importlib("stdole2.tlb");[uuid(316462C8-FDBA-45f7-856B-325C1AD39737),odl]interface ICallFunAddr : IUnknown{long Arg0([in] long addr);long Arg1([in] long addr, [in] long arg1);long Arg2([in] long addr, [in] long arg1, [in] long arg2);long Arg3([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3);long Arg4([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4);long Arg5([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5);long Arg6([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6);long Arg7([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6, [in] long arg7);long Arg8([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6, [in] long arg7, [in] long arg8);long Arg9([in] long addr, [in] long arg1, [in] long arg2, [in] long arg3, [in] long arg4, [in] long arg5, [in] long arg6, [in] long arg7, [in] long arg8, [in] long arg9);};[uuid(00000001-0000-0000-C000-000000000046),odl]interface IClassFactory : IUnknown{long CreateInstance([in] long pUnkOuter,[in] long riid,[in] IUnknown** ppvObject);long LockServer([in] long fLock);};};


clsid我是用eXeScope查看的,挺好用的一个软件,汇编是ollydbg里面打的,也用它调试。

vb6生成的pdb调试文件貌似每次生成新的,要手动删除以前的,害我调试错乱,花了好多时间。

1 0
深圳it外包公司 深圳it外包公司
原创粉丝点击
热门IT博客
nagios监控nginxnagios监控nginx
软件打包有哪些软件打包有哪些
动态网页制作软件
淘宝网红店 排名
windows字体库
qq三国js转职任务流程
生态环境被破坏的数据
书法坊米芾体字体 mac
mac怎么创建网页
java 项目
nba07年总决赛数据
编程分几类
腾讯认证域名
哪个软件站好
linux建立文件夹命令
程序员项目经验范文
window10 安装ubuntu
支付宝数据
马自达 知乎
java 加解密
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 卡波济肉瘤 卡波氏肉瘤 卡波 卡波肉瘤 卡波树童装 卡波氏肉瘤早期图片 卡波树童装价格 啊卡波糖片 卡波济氏肉瘤 卡洛 卡洛婚纱摄影 卡焰led灯 数学卡片 卡片制作 国庆节卡片 祝福卡片 宾馆卡片 生日卡片 日本不卡片 酒店卡片 国庆卡片 卡片机 数字卡片 卡片怪兽 卡片升级 重阳节卡片 卡片图片 小卡片 酒店小卡片 读书卡片 魔法卡片 英语卡片 色盲卡片 马卡片 手工卡片 卡片设计 创意卡片 卡片的英文 卡片英文 卡片怎么做 立体卡片

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里