在X64的情况下,JMP反汇编出来的 FF 25 后面加的是 00 00 00 00 和导出表函数地址
测试代码如下:
void JmpFunctionAddressOfExportTableInX64Using00() { DWORD OldProtect; ULONG_PTR v1 = (ULONG_PTR)GetProcAddress(LoadLibrary(L"user32.dll"), "MessageBoxA"); ULONG_PTR v2 = 0; printf("%p\r\n", v1); printf("%p\r\n", v2 = Sub_1()); VirtualProtect((PVOID)v2, 0x1000, PAGE_EXECUTE_READWRITE, &OldProtect); memcpy((PVOID)((ULONG_PTR)v2 + 48), (PVOID)&v1, sizeof(ULONG_PTR)); VirtualProtect((PVOID)v2, 0x1000, OldProtect, NULL); Sub_8InX64(); }
Sub_1和 Sub_8InX64同样是汇编
Sub_1 PROC lea rax, Sub_8InX64; inc rax mov ebx, [rax] lea rax, Sub_8InX64 add rax, rbx add rax, 5 ret Sub_1 ENDP Sub_8InX64 PROC sub rsp,28H mov r9, 0 mov r8, 0 mov rdx, 0 mov rcx, 0 call Flag1 add rsp,28H ret Flag0 : db 0FFH db 25H db 00H db 00H db 00H db 00H db 00H db 00H db 00H db 00H db 00H db 00H db 00H db 00H Flag1: jmp Flag0 Sub_8InX64 ENDP
注:在这之前要调用下MessageBoxA函数。
X64下 FF 25 + 00 00 00 00 + 导出表函数地址小测试
原文:http://www.cnblogs.com/a997002636/p/6441369.html