主题:CALL指令的疑问
对汇编接触比较少:
关于CALL指令,
如果我想通过CALL来调用WIN32 API(如:LoadLibraryW),用GetProcAddress得到LoadLibraryW的地址。为什么使用CALL调用的时候不能直接使用这个地址呢(第一个参数已经压入栈了),而是要通过一点点计算?
相关代码链接为:http://www.codeproject.com/w2k/regsvrex.asp
m_pushEAX = 0x50; // push eax
m_pushECX = 0x51; // push ecx
m_pushEDX = 0x52; // push edx
m_push = 0x68;
m_dwAddrLibPath = dwRemoteAddrOfThis;
m_call = 0xE8; // call
DWORD dwAddrLoadLibraryW = PtrToUlong(GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "LoadLibraryW"));
m_dwRelAddrLoadLibraryW = dwAddrLoadLibraryW - (dwRemoteAddrOfThis + ((BYTE*)&m_dwRelAddrLoadLibraryW - (BYTE*)this) + sizeof(DWORD));//这里为什么这样计算,我始终没弄明白.
m_popEDX = 0x5A; // pop edx
m_popECX = 0x59; // pop ecx
m_popEAX = 0x58; // pop eax
m_jmp = 0xE9; // jmp
m_dwRelAddr = dwAddrToJump - (dwRemoteAddrOfThis + sizeof(LoadLibraryCode)) ;
关于CALL指令,
如果我想通过CALL来调用WIN32 API(如:LoadLibraryW),用GetProcAddress得到LoadLibraryW的地址。为什么使用CALL调用的时候不能直接使用这个地址呢(第一个参数已经压入栈了),而是要通过一点点计算?
相关代码链接为:http://www.codeproject.com/w2k/regsvrex.asp
m_pushEAX = 0x50; // push eax
m_pushECX = 0x51; // push ecx
m_pushEDX = 0x52; // push edx
m_push = 0x68;
m_dwAddrLibPath = dwRemoteAddrOfThis;
m_call = 0xE8; // call
DWORD dwAddrLoadLibraryW = PtrToUlong(GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "LoadLibraryW"));
m_dwRelAddrLoadLibraryW = dwAddrLoadLibraryW - (dwRemoteAddrOfThis + ((BYTE*)&m_dwRelAddrLoadLibraryW - (BYTE*)this) + sizeof(DWORD));//这里为什么这样计算,我始终没弄明白.
m_popEDX = 0x5A; // pop edx
m_popECX = 0x59; // pop ecx
m_popEAX = 0x58; // pop eax
m_jmp = 0xE9; // jmp
m_dwRelAddr = dwAddrToJump - (dwRemoteAddrOfThis + sizeof(LoadLibraryCode)) ;