
网络安全攻防_MFC逆向小结

2017-03-08

网络安全攻防_MFC逆向小结。首先看看进入 main 之后、MFC 框架内部真正执行的 AfxWinMain 的 C++ 代码，然后和 mfc42.dll 里的反汇编逐条对照。

AfxWinMain 的 C++ 源码如下（与后面的反汇编对照时注意：反汇编取自 mfc42.dll，其中没有 #ifdef _DEBUG 段对应的代码）：

int AFXAPI AfxWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
    _In_ LPTSTR lpCmdLine, int nCmdShow)
{
    // MFC's process-level entry (presumably reached from the framework's
    // WinMain with the four standard arguments). The order of operations is
    // fixed: framework init (AfxWinInit) -> app-level init
    // (CWinApp::InitApplication) -> thread init (CWinThread::InitInstance)
    // -> message loop (Run) -> AfxWinTerm. A failure before Run leaves
    // nReturnCode at -1 unless ExitInstance supplies one; AfxWinTerm always
    // runs, on every path.
    ASSERT(hPrevInstance == NULL);

    CWinThread* const pThread = AfxGetThread();
    CWinApp* const pApp = AfxGetApp();
    int nReturnCode = -1;

    // Framework-level init must succeed before the app or thread is touched.
    if (AfxWinInit(hInstance, hPrevInstance, lpCmdLine, nCmdShow))
    {
        // App-global init is optional: with no CWinApp there is nothing to call.
        const bool bAppReady = (pApp == NULL) || pApp->InitApplication();
        if (bAppReady)
        {
            if (pThread->InitInstance())
            {
                // Normal path: pump messages until the application quits;
                // Run's result is the process exit code.
                nReturnCode = pThread->Run();
            }
            else
            {
                // InitInstance refused to start: tear down any main window it
                // already created, then let ExitInstance choose the exit code.
                if (pThread->m_pMainWnd != NULL)
                {
                    TRACE(traceAppMsg, 0, "Warning: Destroying non-NULL m_pMainWnd\n");
                    pThread->m_pMainWnd->DestroyWindow();
                }
                nReturnCode = pThread->ExitInstance();
            }
        }
    }

#ifdef _DEBUG
    // Debug-only check that every AfxLockTempMaps was paired with an unlock;
    // a non-zero count is traced. The lock/unlock(-1) pair that follows is
    // MFC's temp-map cleanup (NOTE(review): the meaning of -1 is defined by
    // AfxUnlockTempMaps, not visible here).
    if (AfxGetModuleThreadState()->m_nTempMapLock != 0)
    {
        TRACE(traceAppMsg, 0, "Warning: Temp map lock count non-zero (%ld).\n",
            AfxGetModuleThreadState()->m_nTempMapLock);
    }
    AfxLockTempMaps();
    AfxUnlockTempMaps(-1);
#endif

    AfxWinTerm();
    return nReturnCode;
}
反汇编代码（mfc42.dll 中的 AfxWinMain，其中没有 _DEBUG 段对应的代码；寄存器分工：ebx 保存 nReturnCode，esi = pThread，edi = pApp，分号后为笔者标注）:

; AfxWinMain as shipped in mfc42.dll (x86). Register roles: ebx = nReturnCode,
; esi = pThread, edi = pApp. The vtable slot offsets below (0x58, 0x5C, 0x60,
; 0x70, 0x8C) are specific to this mfc42 build; other MFC versions differ.
73D3C19E > 53 push ebx ; save callee-saved registers; ebx will carry nReturnCode
73D3C19F 56 push esi ; esi will hold pThread
73D3C1A0 57 push edi ; edi will hold pApp
73D3C1A1 83CB FF or ebx,-0x1 ; nReturnCode = -1
73D3C1A4 E8 574EFFFF call mfc42.#AfxGetThread_1175 ; pThread = AfxGetThread()
73D3C1A9 8BF0 mov esi,eax ; esi = pThread (CWinThread*) for the rest of the function
73D3C1AB E8 D71C0800 call mfc42.#AfxGetModuleState_1168 ; AfxGetApp(): pApp is read out of the module state (appears inlined)
73D3C1B0 FF7424 1C push dword ptr ss:[esp+0x1C] ; nCmdShow — the 4 args are forwarded right-to-left to AfxWinInit; esp drops 4 per push, so the same [esp+0x1C] picks the next argument each time
73D3C1B4 8B78 04 mov edi,dword ptr ds:[eax+0x4] ; edi = pApp
73D3C1B7 FF7424 1C push dword ptr ss:[esp+0x1C] ; lpCmdLine
73D3C1BB FF7424 1C push dword ptr ss:[esp+0x1C] ; hPrevInstance
73D3C1BF FF7424 1C push dword ptr ss:[esp+0x1C] ; hInstance
73D3C1C3 E8 4F340800 call mfc42.#AfxWinInit_1575 ; AfxWinInit(hInstance, hPrevInstance, lpCmdLine, nCmdShow)
73D3C1C8 85C0 test eax,eax ; framework init failed?
73D3C1CA 74 3C je short mfc42.73D3C208 ; yes: straight to AfxWinTerm, return -1
73D3C1CC 85FF test edi,edi ; pApp == NULL?
73D3C1CE 74 0E je short mfc42.73D3C1DE ; no CWinApp: skip InitApplication

73D3C1D0 8B07 mov eax,dword ptr ds:[edi] ; eax = pApp's vtable pointer (first DWORD of the object)
73D3C1D2 8BCF mov ecx,edi ; ecx = this (pApp)
73D3C1D4 FF90 8C000000 call dword ptr ds:[eax+0x8C] ; pApp->InitApplication() (slot 0x8C/4 = 35 in this build)
73D3C1DA 85C0 test eax,eax ; InitApplication returned FALSE?
73D3C1DC 74 2A je short mfc42.73D3C208 ; yes: bail out, return -1
73D3C1DE 8B06 mov eax,dword ptr ds:[esi] ; eax = pThread's vtable pointer
73D3C1E0 8BCE mov ecx,esi ; ecx = this (pThread)
73D3C1E2 FF50 58 call dword ptr ds:[eax+0x58] ; pThread->InitInstance() — the virtual the application overrides (original note: user code starts here)
73D3C1E5 85C0 test eax,eax ; InitInstance succeeded?
73D3C1E7 75 16 jnz short mfc42.73D3C1FF ; yes: go run the message loop
73D3C1E9 3946 20 cmp dword ptr ds:[esi+0x20],eax ; eax is 0 on this path: pThread->m_pMainWnd != NULL ?
73D3C1EC 74 08 je short mfc42.73D3C1F6 ; no window: straight to ExitInstance
73D3C1EE 8B4E 20 mov ecx,dword ptr ds:[esi+0x20] ; ecx = m_pMainWnd (this for the next call)
73D3C1F1 8B01 mov eax,dword ptr ds:[ecx] ; its vtable pointer
73D3C1F3 FF50 60 call dword ptr ds:[eax+0x60] ; m_pMainWnd->DestroyWindow(), by the C++ control flow above
73D3C1F6 8B06 mov eax,dword ptr ds:[esi] ; eax = pThread's vtable pointer
73D3C1F8 8BCE mov ecx,esi ; ecx = this (pThread)
73D3C1FA FF50 70 call dword ptr ds:[eax+0x70] ; pThread->ExitInstance(); its result becomes nReturnCode
73D3C1FD EB 07 jmp short mfc42.73D3C206 ; to "nReturnCode = eax"
73D3C1FF 8B06 mov eax,dword ptr ds:[esi] ; eax = pThread's vtable pointer
73D3C201 8BCE mov ecx,esi ; ecx = this (pThread)
73D3C203 FF50 5C call dword ptr ds:[eax+0x5C] ; pThread->Run(): the message pump; returns the exit code
73D3C206 8BD8 mov ebx,eax ; nReturnCode = result of Run() or ExitInstance()
73D3C208 E8 B4BAFFFF call mfc42.#AfxWinTerm_1577 ; reached on every path, including the early failures (no _DEBUG temp-map check in this build)
73D3C20D 5F pop edi ; restore callee-saved registers
73D3C20E 5E pop esi
73D3C20F 8BC3 mov eax,ebx ; return nReturnCode
73D3C211 5B pop ebx
73D3C212 C2 1000 retn 0x10 ; callee pops the four DWORD arguments (stdcall-style cleanup)
CWinApp 由 CWinThread 派生（CWinThread 又派生自 CCmdTarget），是应用程序类，可以说是最主要的类：上面 AfxWinMain 对 pThread 调用的 InitInstance/Run/ExitInstance 都是它的虚函数。下面是 CWinThread 的声明：


// CWinThread: MFC's wrapper around a UI thread. CWinApp (the application
// object) derives from it, so the pThread->InitInstance()/Run()/ExitInstance()
// calls in AfxWinMain dispatch through this class's vtable.
// NOTE(review): this declaration lists members such as DispatchThreadMessageEx
// and the AfxWinMain above carries SAL (_In_) annotations, so it likely comes
// from a newer MFC than mfc42. Vtable slots follow declaration order after the
// CCmdTarget base slots, but do not derive the 0x58/0x5C/0x70 offsets seen in
// the mfc42 disassembly from this header without checking the target build.
class CWinThread : public CCmdTarget
{
DECLARE_DYNAMIC(CWinThread)

friend BOOL AfxInternalPreTranslateMessage(MSG* pMsg);

public:
// Constructors
CWinThread();
BOOL CreateThread(DWORD dwCreateFlags = 0, UINT nStackSize = 0,
LPSECURITY_ATTRIBUTES lpSecurityAttrs = NULL);

// Attributes
CWnd* m_pMainWnd; // main window (usually same AfxGetApp()->m_pMainWnd); AfxWinMain destroys it if InitInstance fails

CWnd* m_pActiveWnd; // active main window (may not be m_pMainWnd)
BOOL m_bAutoDelete; // enables 'delete this' after thread termination

// only valid while running
HANDLE m_hThread; // this thread's HANDLE
operator HANDLE() const;
DWORD m_nThreadID; // this thread's ID

int GetThreadPriority();
BOOL SetThreadPriority(int nPriority);

// Operations
DWORD SuspendThread();
DWORD ResumeThread();
BOOL PostThreadMessage(UINT message, WPARAM wParam, LPARAM lParam);

// Overridables
// thread initialization
virtual BOOL InitInstance(); // called once from AfxWinMain; returning FALSE skips Run() and goes to ExitInstance()

// running and idle processing
virtual int Run(); // the message loop; its return value is the exit code AfxWinMain returns
virtual BOOL PreTranslateMessage(MSG* pMsg);
virtual BOOL PumpMessage(); // low level message pump
virtual BOOL OnIdle(LONG lCount); // return TRUE if more idle processing
virtual BOOL IsIdleMessage(MSG* pMsg); // checks for special messages

// thread termination
virtual int ExitInstance(); // default will 'delete this'; when InitInstance fails its result is the exit code

// Advanced: exception handling
virtual LRESULT ProcessWndProcException(CException* e, const MSG* pMsg);

// Advanced: handling messages sent to message filter hook
virtual BOOL ProcessMessageFilter(int code, LPMSG lpMsg);

// Advanced: virtual access to m_pMainWnd
virtual CWnd* GetMainWnd();

// Implementation
public:
virtual ~CWinThread();
#ifdef _DEBUG
virtual void AssertValid() const;
virtual void Dump(CDumpContext& dc) const;
#endif
void CommonConstruct();
virtual void Delete();
// 'delete this' only if m_bAutoDelete == TRUE

public:
// constructor used by implementation of AfxBeginThread
CWinThread(AFX_THREADPROC pfnThreadProc, LPVOID pParam);

// valid after construction
LPVOID m_pThreadParams; // generic parameters passed to starting function
AFX_THREADPROC m_pfnThreadProc;

// set after OLE is initialized
void (AFXAPI* m_lpfnOleTermOrFreeLib)(BOOL, BOOL);
COleMessageFilter* m_pMessageFilter;

protected:
BOOL DispatchThreadMessageEx(MSG* msg); // helper
void DispatchThreadMessage(MSG* msg); // obsolete
};
AfxGetThread 返回的是 CWinThread*（反汇编里存在 esi）。对象的第一个 DWORD 是虚函数表指针，`mov eax,dword ptr [esi]` 取出它，再用 `call dword ptr [eax+偏移]` 从表中取函数地址间接调用；调用前 `mov ecx,esi` 把 this 放进 ecx（thiscall 约定）。

逐个分析上边的 `call dword ptr [eax+偏移]`：eax 是刚从对象首 DWORD 取出的虚函数表指针，偏移/4 就是虚函数表的槽位序号。把调用顺序和上面 AfxWinMain 的 C++ 源码对照可得：[eax+0x8C] 是 pApp->InitApplication()，[eax+0x58] 是 pThread->InitInstance()（应用程序自己重写的那个，用户代码从这里开始），[eax+0x5C] 是 Run()，[eax+0x70] 是 ExitInstance()，[esi+0x20] 是 m_pMainWnd，其上的 [eax+0x60] 是 DestroyWindow()。注意这些偏移只对这个 mfc42.dll 成立：槽位按声明顺序排在基类 CCmdTarget 的槽位之后，而上面贴出的 CWinThread 声明（含 DispatchThreadMessageEx 等成员）很可能来自更新的 MFC 头文件，不能直接用它推算 mfc42 的偏移，应以目标 DLL 的实际 vtable 为准。