Lesson 6: Prerequisites for Dynamic Debugging
I. API
Windows programs are high-level programs: they have to call the general-purpose low-level system functions, which are packaged in DLLs such as kernel32.dll, user32.dll and gdi32.dll.
The link between the low level and the high level is made through the API.
The API is like Heshen: communication between the emperor and his ministers, and everything passed between superiors and subordinates, had to go through him.
- kernel32.dll: system services, mainly internal system management.
- gdi32.dll: mainly provides graphics services.
- user32.dll: provides user services, such as creating windows and passing messages.
For example, suppose a function is defined as:
    function(param1, param2, param3, param4)
Then the call in assembly language is (parameters are pushed from last to first):
    push param4
    push param3
    push param2
    push param1
    call function
The return value is always kept in eax.
Below is an application written in 32-bit assembly.
When run, it pops up a message box; after the 'OK' button is clicked, the program exits.
Its OllyDbg disassembly shows the following data references:
    00403000=MSGBOX2.00403000 (ASCII "Iczelion's tutorial no.2")    ; message box title
    00403019=MSGBOX2.00403019 (ASCII "Win32 Assembly is Great!")    ; message box body
The API functions it uses are MessageBox and ExitProcess.
Looking them up in the API manual, the MessageBox prototype is as follows:
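The push-order rule above is what lets a debugger user read the arguments of an API call straight off the listing. As an added example (not part of the lesson, and not Iczelion's or OllyDbg's code), the Python script below replays the pushes that precede each call in a constructed OllyDbg-style listing and assigns them to the parameter names from the MessageBox and ExitProcess prototypes quoted later in this lesson. The addresses, the MSGBOX2 module name and the <jmp.&user32.MessageBoxA> import stubs are constructed for the example.

```python
# Added example, not from the lesson, Iczelion's tutorial or OllyDbg:
# recover the arguments of stdcall Win32 API calls from an OllyDbg-style
# listing by replaying the pushes that precede each call.
import re

# Parameter names, left to right, from the prototypes quoted in this lesson.
PROTOTYPES = {
    "MessageBoxA": ["hWnd", "lpText", "lpCaption", "uType"],
    "ExitProcess": ["uExitCode"],
}

# Constructed listing in OllyDbg's "address  instruction ; comment" shape.
# Addresses, the MSGBOX2 module name and the import stubs are illustrative.
LISTING = """\
00401000  push 0                              ; uType = MB_OK
00401002  push MSGBOX2.00403000               ; ASCII "Iczelion's tutorial no.2"
00401007  push MSGBOX2.00403019               ; ASCII "Win32 Assembly is Great!"
0040100C  push 0                              ; hWnd = NULL
0040100E  call <jmp.&user32.MessageBoxA>
00401013  push 0                              ; uExitCode
00401015  call <jmp.&kernel32.ExitProcess>
"""

# "push 0" or "push MODULE.00403000": OllyDbg prints immediates in hex.
PUSH_RE = re.compile(r"^[0-9A-F]+\s+push\s+(?:\w+\.)?([0-9A-Fa-f]+)\b", re.I)
CALL_RE = re.compile(r"^[0-9A-F]+\s+call\s+<jmp\.&\w+\.(\w+)>", re.I)


def recover_calls(listing):
    """Return [(api_name, {param: value})] for each call in the listing.

    stdcall pushes the last parameter first, so the push nearest the call
    is the first parameter: popping the pending-push stack once per
    parameter yields the arguments in left-to-right order.
    """
    pending = []
    calls = []
    for line in listing.splitlines():
        m = PUSH_RE.match(line)
        if m:
            pending.append(int(m.group(1), 16))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        params = PROTOTYPES.get(name)
        if params is None:
            raise ValueError(f"no prototype for {name}")
        if len(pending) < len(params):
            raise ValueError(f"{name}: {len(pending)} pushes for {len(params)} parameters")
        # Nearest push first: pop from the end of the pending stack.
        args = {p: pending.pop() for p in params}
        calls.append((name, args))
        pending.clear()  # stdcall: the callee removes its own arguments
    return calls


if __name__ == "__main__":
    for name, args in recover_calls(LISTING):
        rendered = ", ".join(f"{p}=0x{v:X}" for p, v in args.items())
        print(f"{name}({rendered})")
```

Running the script prints MessageBoxA with hWnd=0, lpText=0x403019 (the body string), lpCaption=0x403000 (the title string) and uType=0, which agrees with the data references in the listing above; the return value of each call would then be read from eax at the instruction after the call.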
×××××××××××××××××××××××××××××××××××××××
Everything below is taken from the API manual.
MessageBox
The MessageBox function creates, displays, and operates a message box. The message box contains an application-defined message and title, plus any combination of predefined icons and push buttons.
int MessageBox(
    HWND hWnd,           // handle of owner window      (parent window handle)
    LPCTSTR lpText,      // address of text in message box   (address of the message body)
    LPCTSTR lpCaption,   // address of title of message box  (address of the message title)
    UINT uType           // style of message box       (type of the message box)
);
Parameters
hWnd
Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.
lpText
Points to a null-terminated string containing the message to be displayed.
lpCaption
Points to a null-terminated string used for the dialog box title. If this parameter is NULL, the default title Error is used.
uType
Specifies a set of bit flags that determine the contents and behavior of the dialog box. This parameter can be a combination of flags from the following groups of flags.
Specify one of the following flags to indicate the buttons contained in the message box:
Flag                    Meaning
MB_ABORTRETRYIGNORE     The message box contains three push buttons: Abort, Retry, and Ignore.
MB_OK                   The message box contains one push button: OK. This is the default.
MB_OKCANCEL             The message box contains two push buttons: OK and Cancel.
MB_RETRYCANCEL          The message box contains two push buttons: Retry and Cancel.
MB_YESNO                The message box contains two push buttons: Yes and No.
MB_YESNOCANCEL          The message box contains three push buttons: Yes, No, and Cancel.
Specify one of the following flags to display an icon in the message box:
Flag                                   Meaning
MB_ICONEXCLAMATION, MB_ICONWARNING     An exclamation-point icon appears in the message box.
MB_ICONINFORMATION, MB_ICONASTERISK    An icon consisting of a lowercase letter i in a circle appears in the message box.
MB_ICONQUESTION                        A question-mark icon appears in the message box.
MB_ICONSTOP, MB_ICONERROR, MB_ICONHAND A stop-sign icon appears in the message box.
Specify one of the following flags to indicate the default button:
Flag             Meaning
MB_DEFBUTTON1    The first button is the default button. MB_DEFBUTTON1 is the default unless MB_DEFBUTTON2, MB_DEFBUTTON3, or MB_DEFBUTTON4 is specified.
MB_DEFBUTTON2    The second button is the default button.
MB_DEFBUTTON3    The third button is the default button.
MB_DEFBUTTON4    The fourth button is the default button.
Specify one of the following flags to indicate the modality of the dialog box:
Flag              Meaning
MB_APPLMODAL      The user must respond to the message box before continuing work in the window identified by the hWnd parameter. However, the user can move to the windows of other applications and work in those windows. Depending on the hierarchy of windows in the application, the user may be able to move to other windows within the application. All child windows of the parent of the message box are automatically disabled, but popup windows are not. MB_APPLMODAL is the default if neither MB_SYSTEMMODAL nor MB_TASKMODAL is specified.
MB_SYSTEMMODAL    Same as MB_APPLMODAL except that the message box has the WS_EX_TOPMOST style. Use system-modal message boxes to notify the user of serious, potentially damaging errors that require immediate attention (for example, running out of memory). This flag has no effect on the user's ability to interact with windows other than those associated with hWnd.
MB_TASKMODAL      Same as MB_APPLMODAL except that all the top-level windows belonging to the current task are disabled if the hWnd parameter is NULL. Use this flag when the calling application or library does not have a window handle available but still needs to prevent input to other windows in the current application without suspending other applications.
In addition, you can specify the following flags:
MB_DEFAULT_DESKTOP_ONLY
The desktop currently receiving input must be a default desktop; otherwise, the function fails. A default desktop is one an application runs on after the user has logged on.
MB_HELP
Adds a Help button to the message box. Choosing the Help button or pressing F1 generates a Help event.
MB_RIGHT
The text is right-justified.
MB_RTLREADING
Displays message and caption text using right-to-left reading order on Hebrew and Arabic systems.
MB_SETFOREGROUND
The message box becomes the foreground window. Internally, Windows calls the SetForegroundWindow function for the message box.
MB_TOPMOST
The message box is created with the WS_EX_TOPMOST window style.
MB_SERVICE_NOTIFICATION
Windows NT only: The caller is a service notifying the user of an event. The function displays a message box on the current active desktop, even if there is no user logged on to the computer.
If this flag is set, the hWnd parameter must be NULL. This is so the message box can appear on a desktop other than the desktop corresponding to the hWnd.
For Windows NT version 4.0, the value of MB_SERVICE_NOTIFICATION has changed. See WINUSER.H for the old and new values. Windows NT 4.0 provides backward compatibility for pre-existing services by mapping the old value to the new value in the implementation of MessageBox and MessageBoxEx. This mapping is only done for executables that have a version number, as set by the linker, less than 4.0.
To build a service that uses MB_SERVICE_NOTIFICATION, and can run on both Windows NT 3.x and Windows NT 4.0, you have two choices.
1. At link-time, specify a version number less than 4.0; or
2. At link-time, specify version 4.0. At run-time, use the GetVersionEx function to check the system version. Then when running on Windows NT 3.x, use MB_SERVICE_NOTIFICATION_NT3X; and on Windows NT 4.0, use MB_SERVICE_NOTIFICATION.
MB_SERVICE_NOTIFICATION_NT3X
Windows NT only: This value corresponds to the value defined for MB_SERVICE_NOTIFICATION for Windows NT version 3.51.
Return Values
The return value is zero if there is not enough memory to create the message box.
If the function succeeds, the return value is one of the following menu-item values returned by the dialog box:
Value       Meaning
IDABORT     Abort button was selected.
IDCANCEL    Cancel button was selected.
IDIGNORE    Ignore button was selected.
IDNO        No button was selected.
IDOK        OK button was selected.
IDRETRY     Retry button was selected.
IDYES       Yes button was selected.
If a message box has a Cancel button, the function returns the IDCANCEL value if either the ESC key is pressed or the Cancel button is selected. If the message box has no Cancel button, pressing ESC has no effect.
Remarks
When you use a system-modal message box to indicate that the system is low on memory, the strings pointed to by the lpText and lpCaption parameters should not be taken from a resource file, because an attempt to load the resource may fail.
When an application calls MessageBox and specifies the MB_ICONHAND and MB_SYSTEMMODAL flags for the uType parameter, Windows displays the resulting message box regardless of available memory. When these flags are specified, Windows limits the length of the message box text to three lines. Windows does not automatically break the lines to fit in the message box, however, so the message string must contain carriage returns to break the lines at the appropriate places.
If you create a message box while a dialog box is present, use the handle of the dialog box as the hWnd parameter. The hWnd parameter should not identify a child window, such as a control in a dialog box.
Windows 95: The system can support a maximum of 16,364 window handles.
×××××××××××××××××××××××××××××××××××××××
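When reading a MessageBox call site in a debugger, the uType argument is a bare number (the value pushed second-to-last before the call) and the result is a bare number in eax. As an added example, not part of the lesson or the API manual, the Python decoder below turns a numeric uType into the flag names from the tables above, lists which ID* values that button layout can leave in eax, and names a return value. The numeric values of the MB_* and ID* constants are taken from winuser.h and do not appear on this page; MB_SERVICE_NOTIFICATION_NT3X (0x40000) is omitted because it shares its bit with MB_TOPMOST, which is why the manual says its value changed in NT 4.0.

```python
# Added example, not from the lesson or the API manual: decode a MessageBox
# uType constant into MB_* flag names and list the ID* values it can return.
# Numeric values are from winuser.h (not on this page).

# Each group occupies its own bit field of uType; the masks used below are
# winuser.h's MB_TYPEMASK (0xF), MB_ICONMASK (0xF0), MB_DEFMASK (0xF00)
# and MB_MODEMASK (0x3000).
BUTTONS = {0x0: "MB_OK", 0x1: "MB_OKCANCEL", 0x2: "MB_ABORTRETRYIGNORE",
           0x3: "MB_YESNOCANCEL", 0x4: "MB_YESNO", 0x5: "MB_RETRYCANCEL"}
# Aliases share a value: MB_ICONSTOP/MB_ICONERROR == MB_ICONHAND,
# MB_ICONWARNING == MB_ICONEXCLAMATION, MB_ICONINFORMATION == MB_ICONASTERISK.
ICONS = {0x00: None, 0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION",
         0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}
DEFBUTTONS = {0x000: "MB_DEFBUTTON1", 0x100: "MB_DEFBUTTON2",
              0x200: "MB_DEFBUTTON3", 0x300: "MB_DEFBUTTON4"}
MODALITY = {0x0000: "MB_APPLMODAL", 0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}
# Single-bit flags that may be OR'd in freely. MB_SERVICE_NOTIFICATION_NT3X
# (0x40000) is omitted: it shares its bit with MB_TOPMOST.
EXTRA = {0x4000: "MB_HELP", 0x10000: "MB_SETFOREGROUND",
         0x20000: "MB_DEFAULT_DESKTOP_ONLY", 0x40000: "MB_TOPMOST",
         0x80000: "MB_RIGHT", 0x100000: "MB_RTLREADING",
         0x200000: "MB_SERVICE_NOTIFICATION"}

RETURN_IDS = {1: "IDOK", 2: "IDCANCEL", 3: "IDABORT", 4: "IDRETRY",
              5: "IDIGNORE", 6: "IDYES", 7: "IDNO"}
# Which return values each button layout can produce (from the manual's
# button table; IDCANCEL is also returned when ESC is pressed).
RETURNS_FOR = {
    "MB_OK": ["IDOK"],
    "MB_OKCANCEL": ["IDOK", "IDCANCEL"],
    "MB_ABORTRETRYIGNORE": ["IDABORT", "IDRETRY", "IDIGNORE"],
    "MB_YESNOCANCEL": ["IDYES", "IDNO", "IDCANCEL"],
    "MB_YESNO": ["IDYES", "IDNO"],
    "MB_RETRYCANCEL": ["IDRETRY", "IDCANCEL"],
}

KNOWN_MASK = 0xF | 0xF0 | 0xF00 | 0x3000 | sum(EXTRA)


def decode_utype(utype):
    """Split a uType value into its flag groups.

    Raises ValueError for a field value the manual does not define, so an
    odd constant at a call site is flagged rather than silently guessed at.
    """
    if utype < 0 or utype > 0xFFFFFFFF:
        raise ValueError("uType must be an unsigned 32-bit value")
    try:
        buttons = BUTTONS[utype & 0xF]
        icon = ICONS[utype & 0xF0]
        default_button = DEFBUTTONS[utype & 0xF00]
        modality = MODALITY[utype & 0x3000]
    except KeyError as e:
        raise ValueError(f"undefined field value {e} in uType 0x{utype:X}") from None
    extra = [name for bit, name in EXTRA.items() if utype & bit]
    return {
        "buttons": buttons,
        "icon": icon,
        "default_button": default_button,
        "modality": modality,
        "extra": extra,
        "unknown_bits": utype & ~KNOWN_MASK,
        "possible_returns": RETURNS_FOR[buttons],
    }


def is_defined_utype(utype):
    """True if every field of utype is a value the manual defines."""
    try:
        decode_utype(utype)
        return True
    except ValueError:
        return False


def name_return(eax):
    """Name the value MessageBox left in eax, per the manual's Return Values."""
    if eax == 0:
        return "0 (not enough memory to create the message box)"
    return RETURN_IDS.get(eax, f"unknown ({eax})")


if __name__ == "__main__":
    for value in (0x0, 0x31, 0x1010, 0x40124):
        print(f"0x{value:X}: {decode_utype(value)}")
    print(name_return(2))
```

For instance, 0x1010 decodes to MB_OK with MB_ICONHAND and MB_SYSTEMMODAL, the combination the Remarks above single out as being displayed regardless of available memory; a value such as 0x6, whose button field is not in the manual's table, is rejected rather than mapped to a guess.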
Looking up the API manual, the ExitProcess prototype is as follows:
×××××××××××××××××××××××××××××××××××××××
ExitProcess
The ExitProcess function ends a process and all its threads. (Purpose of the function: terminate a process.)
VOID ExitProcess(
    UINT uExitCode   // exit code for all threads
);
Parameters
uExitCode
Specifies the exit code for the process, and for all threads that are terminated as a result of this call. Use the GetExitCodeProcess function to retrieve the process's exit value. Use the GetExitCodeThread function to retrieve a thread's exit value. (Specifies an exit code for the process being terminated.)
Return Values
This function does not return a value.
Remarks
ExitProcess is the preferred method of ending a process. This function provides a clean process shutdown. This includes calling the entry-point function of all attached dynamic-link libraries (DLLs) with a value indicating that the process is detaching from the DLL. If a process terminates by calling TerminateProcess, the DLLs that the process is attached to are not notified of the process termination.
After all attached DLLs have executed any process termination value, this function terminates the current process.
Terminating a process causes the following:
1. All of the object handles opened by the process are closed.
2. All of the threads in the process terminate their execution.
3. The state of the process object becomes signaled, satisfying any threads that had been waiting for the process to terminate.
4. The states of all threads of the process become signaled, satisfying any threads that had been waiting for the threads to terminate.
5. The termination status of the process changes from STILL_ACTIVE to the exit value of the process.