Views: 1818  Replies: 3
Can there be "gaps" in the middle of a function's code?
Q: Can there be "gaps" in the middle of a function's code?
Data definition: "gap" = useless code; useless code = nop | 0 | other. Thanks! (I originally wanted to ask this on kanxue (看雪), but the kanxue forum suddenly looked too ugly to me, so I moved it here.)

0:000> u kernel32!UnhandledExceptionFilter l300
kernel32!UnhandledExceptionFilter:
7c862b8a 6848020000           push    248h
7c862b8f 68e035867c           push    offset kernel32!`string'+0x1c (7c8635e0)
7c862b94 e832f9f9ff           call    kernel32!_SEH_prolog (7c8024cb)
................
................
7c863086 834dfcff             or      dword ptr [ebp-4],0FFFFFFFFh
7c86308a eb4c                 jmp     kernel32!UnhandledExceptionFilter+0x544 (7c8630d8)
7c86308c 90                   nop
7c86308d 90                   nop
7c86308e 90                   nop
7c86308f 90                   nop
7c863090 90                   nop
7c863091 33c0                 xor     eax,eax
7c863093 40                   inc     eax
7c863094 c3                   ret                                  ===>??? ?
7c863095 90                   nop
7c863096 90                   nop
7c863097 90                   nop
7c863098 90                   nop
7c863099 90                   nop
7c86309a 8b65e8               mov     esp,dword ptr [ebp-18h]
7c86309d c785c8feffff01000000 mov     dword ptr [ebp-138h],1
................
................
7c863294 4f                   dec     edi
7c863295 eb45                 jmp     kernel32!UnhandledExceptionFilter+0x73e (7c8632dc)
7c863297 90                   nop
7c863298 90                   nop
7c863299 90                   nop
7c86329a 90                   nop
7c86329b 90                   nop
7c86329c 33c0                 xor     eax,eax
7c86329e 40                   inc     eax
7c86329f c3                   ret                                  ===>???
7c8632a0 90                   nop
7c8632a1 90                   nop
7c8632a2 90                   nop
7c8632a3 90                   nop
7c8632a4 90                   nop
7c8632a5 e9a3000000           jmp     kernel32!UnhandledExceptionFilter+0x7a5 (7c86334d)
7c8632aa 33ff                 xor     edi,edi
................
................
7c863337 898590feffff         mov     dword ptr [ebp-170h],eax
7c86333d eb15                 jmp     kernel32!UnhandledExceptionFilter+0x7ac (7c863354)
7c86333f 90                   nop
7c863340 90                   nop
7c863341 90                   nop
7c863342 90                   nop
7c863343 90                   nop
7c863344 33c0                 xor     eax,eax
7c863346 40                   inc     eax
7c863347 c3                   ret                                  ===>???
7c863348 90                   nop
7c863349 90                   nop
7c86334a 90                   nop
7c86334b 90                   nop
7c86334c 90                   nop
7c86334d 8b65e8               mov     esp,dword ptr [ebp-18h]
7c863350 834dfcff             or      dword ptr [ebp-4],0FFFFFFFFh
................
................
7c863461 e8ab62faff           call    kernel32!__security_check_cookie (7c809711)
7c863466 e8a0f0f9ff           call    kernel32!_SEH_epilog (7c80250b)
7c86346b c20400               ret     4                            ===> this is the real return address

Asking again: how can there be gaps inside a function? Please enlighten me!
Reply #1
Posted: 2009-04-24 16:27
The 5 NOPs left each time are reserved for HOT PATCHing.
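To make the reply concrete, here is an added example (not code from the thread or from any poster) that inspects the standard x86 /hotpatch layout the reply refers to: five 0x90 bytes immediately before a function entry and a 2-byte `mov edi,edi` (8B FF) at the entry. A hot patch overwrites the five-byte pad with a `jmp rel32` (E9 + 4 bytes) and the `mov edi,edi` with a short jump back into the pad (EB F9). The sample byte strings, the offsets and the base address are constructed for illustration; the classification names are my own.

```python
from typing import Optional

# x86 /hotpatch convention (assumed standard layout, not taken from the listing above):
HOTPATCH_PAD = b"\x90" * 5      # five NOPs immediately before the entry point
MOV_EDI_EDI = b"\x8b\xff"       # 2-byte no-op at the entry, large enough for a short jmp
SHORT_JMP_BACK = b"\xeb\xf9"    # jmp -7: from entry+2 back to entry-5 (start of the pad)

def classify_entry(code: bytes, entry: int) -> str:
    """Classify the hot-patch region around `entry` (an offset into `code`)."""
    if entry < 5 or entry + 2 > len(code):
        return "out-of-range"
    pad = code[entry - 5:entry]
    head = code[entry:entry + 2]
    if pad == HOTPATCH_PAD and head == MOV_EDI_EDI:
        return "pristine-hotpatchable"          # pad and entry exactly as the compiler emitted them
    if pad[0] == 0xE9 and head == SHORT_JMP_BACK:
        return "hotpatched"                     # pad holds jmp rel32, entry bounces back into it
    if head == MOV_EDI_EDI:
        return "pad-modified"                   # entry intact but the NOP pad was altered
    return "not-hotpatchable"                   # no mov edi,edi at the entry at all

def detour_target(code: bytes, entry: int, base: int) -> Optional[int]:
    """For a hot-patched entry, return the absolute target of the jmp rel32 in the pad.

    `base` is the virtual address that offset 0 of `code` is loaded at (constructed here).
    """
    if classify_entry(code, entry) != "hotpatched":
        return None
    rel = int.from_bytes(code[entry - 4:entry], "little", signed=True)
    # rel32 is relative to the end of the 5-byte jmp, which is `entry` itself.
    return base + entry + rel

# Constructed samples: a pristine entry and the same entry after a hot patch.
# Both place the entry point at offset 5 (right after the 5-byte pad); the
# function body "push ebp; mov ebp,esp" (55 8B EC) follows.
PRISTINE = HOTPATCH_PAD + MOV_EDI_EDI + b"\x55\x8b\xec"
PATCHED = b"\xe9\xfb\xff\x00\x00" + SHORT_JMP_BACK + b"\x55\x8b\xec"
SAMPLE_BASE = 0x7C860000   # constructed load address for the samples
ENTRY = 5

if __name__ == "__main__":
    for name, blob in (("pristine", PRISTINE), ("patched", PATCHED)):
        print(name, classify_entry(blob, ENTRY), detour_target(blob, ENTRY, SAMPLE_BASE))
```

The useful defensive check is the second branch: a function whose pad has become `E9 ..` and whose entry has become `EB F9` has been redirected, and `detour_target` tells you where to. A pad that is neither all NOPs nor a well-formed jump is worth a closer look as well.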
Reply #2
Posted: 2009-04-24 16:42
wowocock, thanks!
Another question: apart from the 5 NOPs, could there be other "gaps" in the middle of a function's code, used to store data (heh, hard to say) or something else? wowocock, you have seen so much, have you ever come across this?
Reply #3
Posted: 2009-04-24 16:47
For example, if I search inside the function for the encoding of call kernel32!_SEH_prolog, e832f9f9ff, then besides finding the call kernel32!_SEH_prolog instruction itself, is it possible to also find something that is not an instruction but whose bytes in memory also equal e832f9f9ff?
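The question above is exactly the pitfall of searching code for a raw byte string. Here is an added example (not code from the thread or from any poster) showing it: a byte search for E8 32 F9 F9 FF, the encoding at 7c862b94 in the listing, against a constructed byte sequence where the same five bytes also appear spanning two other instructions. The instruction-length decoder is deliberately tiny and handles only the handful of opcodes used in the sample; it is not a general x86 disassembler.

```python
from typing import Dict, List

# The encoding of "call kernel32!_SEH_prolog" at 7c862b94 in the listing above.
PATTERN = bytes.fromhex("e832f9f9ff")

def insn_length(code: bytes, i: int) -> int:
    """Length of the x86 instruction at offset i (restricted opcode set only)."""
    op = code[i]
    if op in (0x90, 0xC3, 0x40, 0x4F):        # nop / ret / inc eax / dec edi
        return 1
    if op in (0x33, 0x8B, 0xFF):               # xor, mov, inc/dec with a ModRM byte
        modrm = code[i + 1]
        if modrm >> 6 == 3:                    # mod=11: register operand, no displacement
            return 2
        raise ValueError(f"memory-operand forms not handled at offset {i}")
    if op in (0xE8, 0xB8, 0x68):               # call rel32 / mov eax,imm32 / push imm32
        return 5
    raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")

def instruction_boundaries(code: bytes, start: int = 0) -> List[int]:
    """Offsets of instruction starts found by a linear sweep from `start`."""
    offsets: List[int] = []
    i = start
    while i < len(code):
        offsets.append(i)
        i += insn_length(code, i)
    return offsets

def find_pattern(code: bytes, pattern: bytes) -> List[int]:
    """Every offset at which the raw bytes occur: what a plain memory search reports."""
    hits: List[int] = []
    i = code.find(pattern)
    while i != -1:
        hits.append(i)
        i = code.find(pattern, i + 1)
    return hits

def classify_hits(code: bytes, pattern: bytes) -> Dict[int, str]:
    """Label each raw hit as a real instruction start or as bytes that straddle or sit inside instructions."""
    boundaries = set(instruction_boundaries(code))
    return {h: ("instruction" if h in boundaries else "straddles/inside")
            for h in find_pattern(code, pattern)}

# Constructed sample (not from the listing): the real call, a 5-byte NOP pad, the
# 3-byte "xor eax,eax; inc eax; ret" funclet, then "mov eax,0F9F932E8h" (B8 E8 32 F9 F9)
# followed by "inc edi" (FF C7). The immediate of the mov plus the first byte of the
# inc edi reproduce E8 32 F9 F9 FF without any call being present there.
SAMPLE = (
    bytes.fromhex("e832f9f9ff")    # call rel32  (real instruction, offset 0)
    + bytes.fromhex("9090909090")  # nop x5
    + bytes.fromhex("33c040c3")    # xor eax,eax ; inc eax ; ret
    + bytes.fromhex("b8e832f9f9")  # mov eax,0F9F932E8h  (offset 14)
    + bytes.fromhex("ffc7")        # inc edi             (offset 19)
    + bytes.fromhex("c3")          # ret
)

if __name__ == "__main__":
    for off, kind in classify_hits(SAMPLE, PATTERN).items():
        print(f"hit at offset {off}: {kind}")
```

The raw search reports two hits, at offsets 0 and 15, but only offset 0 lies on an instruction boundary reached by sweeping from the function start. This is why byte signatures for code should be validated against instruction boundaries (or anchored to a known entry) rather than trusted on a bare `find`.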