常用x86汇编Thunk

以下指令用于给被调用函数增加一个参数，只对 __stdcall 函数有效，因为 __stdcall 由被调用方负责栈平衡（被调用方会连同新增的参数一起清理）；对 __cdecl 函数使用会导致栈不平衡——调用方只清理自己压入的参数，thunk 多压入的 4 字节会残留在栈上。
例如 Sleep(DWORD) 变为 Sleep(DWORD, DWORD)：thunk 把 this 压在返回地址之后，所以新增的参数是第一个参数。另外 thunk 结构体本身就是机器码，必须放在可执行内存中（如 VirtualAlloc 的 PAGE_EXECUTE_READWRITE 页），否则在开启 DEP 的进程里第一次调用就会触发访问违例。

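#pragma pack(push, 1)
  // x86-only thunk that prepends an extra first argument (`this`) to a
  // __stdcall target.  The struct's bytes ARE the machine code, so an
  // instance must live in executable memory (e.g. VirtualAlloc with
  // PAGE_EXECUTE_READWRITE or a HEAP_CREATE_ENABLE_EXECUTE heap) and must be
  // fully written before any thread can call it; on a non-executable page
  // DEP raises an access violation at the first call.
  //
  // Generated code (12 bytes):
  //   58              pop  eax          ; eax = caller's return address
  //   68 <m_this>     push imm32        ; becomes the new first argument
  //   50              push eax          ; put the return address back
  //   E9 <m_relproc>  jmp  rel32        ; tail-jump to proc
  //
  // Stack on entry to proc: [esp] = return address, [esp+4] = m_this,
  // [esp+8..] = the original arguments.  The extra slot is never popped
  // here, so proc must be __stdcall and declared with one more parameter
  // than the original (Sleep(DWORD) -> Sleep(DWORD, DWORD)); a __cdecl
  // target leaves the stack unbalanced by 4 bytes.  eax is clobbered, which
  // every x86 calling convention permits.
  struct Thunk {
    BYTE m_pop_eax;   // 0x58: pop eax
    BYTE m_push;      // 0x68: push imm32
    DWORD m_this;     // imm32 operand of the push
    BYTE m_push_eax;  // 0x50: push eax
    BYTE m_jmp;       // 0xE9: jmp rel32
    DWORD m_relproc;  // rel32 operand, relative to the end of this struct

    // Writes the thunk bytes into this object.
    //   proc  - address the thunk jumps to; must accept the extra argument.
    //   pThis - value inserted as the new first argument (may be NULL).
    // Returns FALSE only if FlushInstructionCache fails (the original always
    // returned TRUE).  The memory must already be writable and executable.
    BOOL Init(_In_ DWORD_PTR proc, _In_opt_ void* pThis) {
      m_pop_eax = 0x58;
      m_push = 0x68;
      m_this = PtrToUlong(pThis);
      m_push_eax = 0x50;
      m_jmp = 0xe9;
      // rel32 is measured from the end of the jmp instruction, i.e. the end
      // of this struct.  32-bit only: the DWORD truncation is harmless on x86
      // but would silently produce a wrong target on x64.
      m_relproc = DWORD((INT_PTR)proc - ((INT_PTR)this + sizeof(Thunk)));
      // The bytes were written through the data cache; evict any stale
      // instruction-cache lines before the thunk is executed, and report
      // failure instead of discarding it.
      return FlushInstructionCache(GetCurrentProcess(), this, sizeof(Thunk));
    }
  };
  // The struct's bytes are executed as code, so the 1-byte packing must hold.
  typedef char Thunk_size_check[sizeof(Thunk) == 12 ? 1 : -1];
#pragma pack(pop)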

以下汇编代码取自 Chromium 沙箱（sandbox）代码，用于给被 hook 的函数添加一个额外参数；它同样不会自己弹出多出的参数，因此需要配合 ServiceEntry 使用（由拦截函数按 __stdcall 方式连同额外参数一起清理），否则会碰到栈平衡问题。

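#pragma pack(push, 1)

// x86 interceptor thunk in the style of the Chromium sandbox.  The struct's
// bytes are the machine code: instances must be placed in executable memory
// and fully written (including extra_argument and interceptor_function,
// which the constructor only zeroes) before any thread can call them.
//
// Effect: the original return address is preserved, `extra_argument` is
// inserted as the new first argument, and control is transferred to
// `interceptor_function` with a `ret`.  On entry to the interceptor the
// stack is [esp] = original return address, [esp+4] = extra_argument,
// [esp+8..] = the original arguments.  Only esp and eip differ from the
// caller's view (edx is saved and restored; EFLAGS are clobbered by `sub`,
// which no calling convention preserves), so it works with any normal
// calling convention on the caller side.  Because the extra slot is never
// popped here, the interceptor itself must remove it (__stdcall with one
// extra parameter); a __cdecl interceptor leaves the stack unbalanced.
//
// Assembled as (offset, bytes, instruction):
//   00 83ec08             sub  esp, 8                ; two scratch slots
//   03 52                 push edx                   ; save register
//   04 8b54240c           mov  edx, [esp+0Ch]        ; original return address
//   08 89542408           mov  [esp+8], edx          ; keep it one slot below
//   0c c744240c <imm32>   mov  dword ptr [esp+0Ch], extra_argument
//   14 c7442404 <imm32>   mov  dword ptr [esp+4], interceptor_function
//   1c 5a                 pop  edx                   ; restore register
//   1d c3                 ret                        ; jump to interceptor
struct InternalThunk {
  // Fills in the fixed opcode bytes.  The two immediates start at 0 and must
  // be set by the caller before the thunk is used; a `ret` to 0 otherwise.
  InternalThunk()
      : opcodes_1(0x5208ec83),
        opcodes_2(0x0c24548b),
        opcodes_3(0x08245489),
        opcodes_4(0x0c2444c7),
        extra_argument(0),
        opcodes_5(0x042444c7),
        interceptor_function(0),
        opcodes_6(0xc35a) {}

  // Values are little-endian, so the byte order in memory is listed per field.
  ULONG opcodes_1;             // 83 ec 08 52   sub esp,8 / push edx
  ULONG opcodes_2;             // 8b 54 24 0c   mov edx,[esp+0Ch]
  ULONG opcodes_3;             // 89 54 24 08   mov [esp+8],edx
  ULONG opcodes_4;             // c7 44 24 0c   mov dword ptr [esp+0Ch], imm32 ->
  ULONG extra_argument;        //   imm32: value inserted as the first argument
  ULONG opcodes_5;             // c7 44 24 04   mov dword ptr [esp+4], imm32 ->
  ULONG interceptor_function;  //   imm32: address the final `ret` transfers to
  USHORT opcodes_6;            // 5a c3         pop edx / ret
};

// The bytes are executed as code, so the 1-byte packing must actually hold
// (30 bytes, matching the 0x1e-byte listing above).
typedef char InternalThunk_size_check[sizeof(InternalThunk) == 30 ? 1 : -1];

#pragma pack(pop)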
