First, you need to know that the function has several parameters and then refines the parameter type. The detailed analysis process is as follows: You can know the parameters of the interface function. It is recommended to use W32DSM to analyze, or you can use VC to analyze, it is trouble. Now use W32DSM to specify: 1. First open the DLL you need to analyze, then use menu features - "export to find the function you need to analyze, you can double click. It can be positioned directly to the function. 2. See the entrance to the function, the general function is used as the following code. Push Ebpmov EBP, ESP ... 3. Then find the exit of the function, and the general function exit has the following statement. ... RET XXXX; // where xxxx is all bytes of the function difference, a multiple of 4, XXXX divided by 4 results are the number of parameters. Where parameters are stored: EBP 08 // First parameter EBP 0C // Second parameter EBP 10 // third parameter EBP 14 // fourth parameter EBP 18 // fifth Parameter EBP 1C // Sixth parameters. . . . -------------------------------------------- also has a often seen Calling method: Sub ESP, XXXX / / The content of the beginning of the part // function. . . // The content of the function add ESP, the XXXXRET / / end section of the XXXX / 4 is also the number of parameters. -------------------------------------------------also There is a way of calling: It is relatively simple in this function. There is no parameter, the ESP 04 inside is the first parameter ESP 08 is the second parameter. . . ESP XX is the first XX / 4 parameter you said that the maximum number of XXs that you see is divided by the result of 4, which is the number of parameters transmitted by the function. --------------------------------------------- to the present position, You should be able to see the number of passed parameters. As for the passing, there is still a further analysis. The most convenient way is to find what software is called in calling this function, and then finds the function called by the function by debugging. Generally, the PUSH instruction is generally transmitted by the parameter. At this point, you can look at what something is pressed into the stack. Generally, if the parameter is an integer, you can know, if it is a string, it is relatively simple, as long as you go to the address. Yes. If the structure is transmitted, there is no convenient way to solve it, just read the compilation.
In addition, due to the optimization of the compiler, some parameters may not be as simple as I say before. If in a function of the DLL, the parameters of the API are called, and the parameters calling the API are the parameters of the DLL function. Then you can easily know the parameters of the DLL function. For example: The following assembly code is obtained by W32DSM. Exported fn (): myTestFunction - Ord: 0001h: 10001010 8B442410 mov eax, dword ptr [esp 10]: 10001014 56 push esi: 10001015 8B74240C mov esi, dword ptr [esp 0C]: 10001019 0FAF742410 imul esi, dword ptr [ esp 10]: 1000101E 85C0 test eax, eax: 10001020 7414 je 10001036: 10001022 8B442418 mov eax, dword ptr [esp 18]: 10001026 8B4C2408 mov ecx, dword ptr [esp 08]: 1000102A 6A63 push 00000000: 1000102C 50 PUSH EAX: 1000102D 51 Push ECX: 1000102e 6A00 Push 00000000 * Reference to: user32.Messageboxa, Ord: 01beh |: 10001030 FF15B0400010 Call Dword PTR [100040B0]
* Reference by A (u) Nconditional or (c) ONDITIONAL JUMP ATITY: |: 100020 (C) |: 10001020 (C) |: 10001020 (C) |: 10001020 (C) |: 10001020 (C) |: 10001020 (C) |: 10001020 (C) | ESI: 10001038 5e Pop ESI: 10001039 C3 RET ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ --------------------------------------------, where MyTestFunction is needed The function, its inside calls the user32.MessageBoxa function to calculate the number of parameters, it is not the result of 0x18 / 4, because the second statement of the program entry is Push, Push's ESP 10 is the fourth parameter, which is the statement ESP XX after 0x10 / 4 = 4push, where (XX-4) / 4 corresponds to the first few parameters. ESP 0C == 2nd parameter ESP 10 == third parameter ESP 18 == Fifth parameter ESP 08 == 1st parameter -------------- ------------ The number of copies of the total parameter is 5, pay attention to the Push ESI before PUSH ESI, the value of the ESP is reduced 4, especially necessary attention ! ! ! Then look at the return RET instruction of the function. Since the value is assigned to EAX before seeing RET, you can know that the function must return a value. Everyone knows that the EAX register is 4 bytes. We will use it. Long is replaced, and now the basic interface of the function is already available, long mytestfunction (long p1, long p2, long p3, long p4, long p5); but the specific parameter type is also adjusted, if the function is not used To any one of the parameters. Then, the type of parameters is more than the parameter. It is generally not too encountered. So, how do we get the parameters of this function? Please see the following: Have you seen * Reference to: user32.MessageBoxa, ord: 01beh This statement, this shows, use WinAPI :: messagebox functions in its internal, let's take a look at its definition: int MessageBox (HWND HWND, // Handle Owner Window LPCTSTR LPTEXT, // Address of Text In Message Box LPCTSTSTLLPCAPTION, / / Address of Title of Message Box Uint Utype // Style of Message Box); it has 4 parameters.
Generally, we know that the parameters that call the API function are translated from right left, translate its calling process into pseudo ASM is: Push Utype Push LPCAPTION PUSH LPTEXT PUSH HWND CALL MESSAGEBOX ----------- ---------------------------- We can clearly know about hwnd = null (0) lptext = ECXLPCAPTION = EAXUTYPE = MB_OK (0) --------------------------------- in the top, the original EAX The value is that the content in ESP 18 gets the value in ECX is the content in ESP 08. You can know that LPText = ECX = [ESP 08] == 1st parameter lpcaption = EAX = [ESP 18] == 5th parameters
Now we can further write the DLL function interface: long mytestfunction (lpctstr lptext, long p2, long p3, long p4, lpctstr lpcaption);
As for the third parameter ESP 10, then locate the parameter, IMUL ESI, DWORD PTR [ESP 10] has such an instruction. Because IMUL is a multiplication instruction, we can definitely make the ESP 10 hypothesis LONG will not be wrong. Similarly you can know that the second parameter ESP 0C is definitely not wrong, as for the 4th parameters, it Only play a test role, Mov Eax, DWORD PTR [ESP 10] Test Eax, eaxje 10001036 see this parameter usage? The translation bit C language is: if (p3) {// Do those instructions below JE 1000103} Return; now you can see the third parameter as a pointer! Just return directly if P3 is empty, if you don't have time, do something else.
Ok, now you can list the correct interface: long mytestfunction (lpctstr lptext, long n1, char * pisnull, long n2, lpctstr lpcaption);
// --------------- above from http://www.9cbs.net/expert/topic/636/636873.xml to organize -------- ----------------
This parameter is analyzed using APIHOOK2.0 below, quite convenient. In order to better understand the following programs, it is exemplified by a MessageBox, assuming that I don't know the number of parameters of the function, and parameter type. Prime Minister gets APIHOK2.0 (available on the Internet, you can find it), unpack the mouth, put the system, APIHOOKS.EXE, APIHOOKS.DLL in the system directory, or where you can find in Path. Put APIHOOKS.LIB, APIHOKS.H into your project, you need to build one, such as: MyapiHook, Type Win32 Dynamic-Link Library, (empty), then add myapihook.cpp, the content in this file is as follows: / /------------------------------- MYAPIHOK.CPP file start ------------ ----------------------------- // myapihook.cpp: Defines the entry point for the dll Application.// Function: Put myapiHook .dll Injection into the process of TestDlg.exe, replacing the API // of the DLL called in TestDlg.exe as follows: // c: /> apihook -nq myapihook.dll testdlg.exe // apihook = APIHOK.EXE And APIHOOKS.DLL // -NQ open a program (TestDlg.exe), Q does not pop up information //myapihook.dll = by this file create // testdlg.exe = program that needs to be replaced
#include
#define win32_lean_and_mean #include
INT (WinAPI * PFunction) (long p1, long p2, long p3, long p4); typedef int (WinApi function) (long p1, long p2, long p3, long p4);
INT WINAPI MyMessageboxa (long p1, long p2, long p3, long p4) {const ncountparam = 4; long pp [ncountparam]; pp [0] = p1, pp [1] = p2, pp [2] = P3, PP [3] = P4;
File * fp = fopen ("c: //1.txt", "w"); char szbuf [1024];
Sprintf (SZBUF, "list, it is easy to determine if it is a string, or NULL / N"); FPUTS (SZBUF, FP);
For (long i = 0; i Extern "C" __ decspec (dllexport) API_HOOK APIOKCHAIN [2] = {{"User32.dll", "MessageBoxa", hook_exact, null, null, mymessageboxa}, {hooks_end}}; BOOL APIENTRY DllMain (HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {HMODULE hDLL = LoadLibrary ( "USER32.DLL"); if (hDLL) {pFunction = (Function *) GetProcAddress (hDLL, "MessageBoxA"); FreeLibrary (hDLL) Return True;} // -------------------------------- Myapihook.cpp file end ----- ------------------------------------ The above example analyzes everyone familiar with MessageBox, assume you Do not know the parameters of the function, through the methods mentioned above, you can easily know that the function has 4 parameters, there is a number of returns. So we can define this function as: int WINAPI MessageBox (long p1, long p2, long p3, long p4); then define a function of MyMessageBoxa (this function can easily determine if the parameter is string) int WinAPI MyMessageBoxa (long p1, long p2, long p3, long p4) actual content of the call can be generated by this function, / / ------------ The following is the information obtained on the author ----------- Parameter content, it is easy to determine if it is a string, or NULL [p0] = 0x00000000 (0) [P1] = 0x00416698 (4286104) "Test Dialog Box" [P2] = 0x004166A0 (4286112) "Information" [P3] = 0x00000040 (64) // ---------- ----------------------- According to the above information, you can easily know that the second, 3 parameters are strings. The actual use of this parameter can then be easily known according to the content inside.
