C++ 将程序集中的寄存器值从一个位置移动到另一个位置的正确方法
我目前有一些无法解释的寄存器问题,我猜我是在不正确地将寄存器从一个寄存器移动到另一个寄存器 我试图将C++ 将程序集中的寄存器值从一个位置移动到另一个位置的正确方法,c++,assembly,struct,mov,eip,C++,Assembly,Struct,Mov,Eip,我目前有一些无法解释的寄存器问题,我猜我是在不正确地将寄存器从一个寄存器移动到另一个寄存器 我试图将EDX的值放入test.myEDX中,它通常会将EDX的错误值放入test.myEDX中,但是EDX值的一部分似乎是正确的,这是非常奇怪的,我假设存在某种高/低位问题。 让我解释一下我想做什么。 首先,我在内存中钩住一个包含一些任意汇编代码的位置。 我通过在该位置放置一个硬件断点来钩住它,然后我可以及时看到该位置的所有寄存器值。 现在,我做了一个简单的程序,每次CPU进入那个断点位置,我把 EDX
EDXtest.myEDXEDXtest.myEDXEDX让我解释一下我想做什么。
首先,我在内存中钩住一个包含一些任意汇编代码的位置。
我通过在该位置放置一个硬件断点来钩住它,然后我可以及时看到该位置的所有寄存器值。
现在,我做了一个简单的程序,每次CPU进入那个断点位置,我把
EDXEDXEDXEAXEAXEDXEAX另一件事是要考虑把任何操作如把代码> EDX <代码>放入结构中,我必须在C++中做当前的代码> EIP<代码>进入我的裸函数,我知道从以前做过这些事情,裸函数根本不修改任何寄存器,它们被简单地用作将当前的EASP代码扩展到更大的ASM代码的方式,而不需要在进入子程序时添加C++的任何垃圾。 我还使用
PUSHADPUSHFDEDXPOPFDPOPADPUSH/POPEAX不管怎样,这仍然没有帮助我,我仍然得到了错误的值。
我想要么是那些选项的
ALBLEDXTESTJEEDXEDXstruct TestStruct {
int myEDX;
int mySetEDX;
} test;
extern bool optionOne = false;
extern bool optionTwo = false;
DWORD gotoDumpBackAddress = 0x40012345;
void __declspec( naked ) dump(void) {
__asm {
PUSHAD
PUSHFD
XOR EAX, EAX //zero EAX, used below as AL (optionOne)
XOR EBX, EBX //zero EBX, used below as BL (optionTwo)
MOV AL, optionOne //optionOne set
MOV BL, optionTwo //optionTwo set
TEST EAX, EAX //Tests if optionOne equals == 0, then je will be equal.
je gotoOptionOne //Jumps if optionOne equals 0.
TEST EBX, EBX //Tests if optionTwo equals == 0, then je will be equal.
je gotoOptionTwo //Jumps if optionTwo equals 0.
gotoOptionOne:
//This the default case (improper value in EDX..., I could just use address at [ESI+0x2] which is old EDX, which is risky since it's delayed (outdated)
MOV DWORD PTR DS:[ESI+0x2], EDX //(normal operation)
MOV test.myEDX, EDX //Stores freshest EDX to test.myEDX (wrong EDX value)
JMP finish //Clear temporary used registers and go back to next asm code
//Special case. (works mostly properly)
//Thing is EDX gets updated very frequently, Causes no side-effect only because
//[ESI+0x2] gets updated in a different location as well a bit later to renew the value.
//So it's not even noticeable, but when I run this at it's peak speeds, you start to see the flickering effect, which isn't normal, if I run peak speeds without hook.
//I eliminated the problem that the hook could cause the flicker effect since after
//I call a empty naked Hook with just return address to same location and disable hook
//Then re-enable hook and repeat step above (no flicker occurs).
gotoOptionTwo:
//MOV DWORD PTR DS:[ESI+0x2], EDX //(normal operation), omitted
MOV EAX, DWORD PTR DS:[ESI+0x2] //Old EDX, but atleast it's correct.
MOV test.myEDX, EAX //Stores old EDX into struct test.myEDX
MOV EAX, test.mySetEDX //Replace old EDX with what I wish it should be.
MOV DWORD PTR DS:[ESI+0x2], EAX //nySetEDX into what EDX should of did.
JMP finish //Clear temporary used registers and go back to next asm code
finish:
POPFD
POPAD
JMP gotoDumpBackAddress //return to starting location before dump + 1.
}
}
但它通过调用另一个与系统驱动程序通信的DLL来工作 但这应该解释我是如何测试它的 在这个DLL注入中,我在不同的线程中运行
void diffThread() {
while(1) {
if(GetAsyncKeyState(VK_NUMPAD0)) {
optionOne != optionOne;
Sleep(1000);
}
if(GetAsyncKeyState(VK_NUMPAD1)) {
optionTwo != optionTwo;
Sleep(1000);
}
Sleep(10);
}
}
bool __stdcall DllMain(HINSTANCE hInst,DWORD uReason,void* lpReserved)
{
if(uReason == DLL_PROCESS_ATTACH)
{
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&diffThread,0 ,NULL,NULL);
}
else if(uReason == DLL_PROCESS_DETACH)
{
ExitThread(0);
}
return true;
}
我在您的代码中注意到一些事情: 首先,我不认为您真的需要执行
pushadpushfdebxeax XOR EAX, EAX //zero EAX, used below as AL (optionOne)
MOV AL, optionOne //optionOne set
TEST EAX, EAX //Tests if optionOne equals == 0, then je will be equal.
je gotoOptionOne //Jumps if optionOne equals 0.
MOV AL, optionTwo //optionTwo set
TEST EAX, EAX //Tests if optionTwo equals == 0, then je will be equal.
je gotoOptionTwo //Jumps if optionTwo equals 0.
MOV EBX, EDX
MOV EAX, EDX //Theory: in order to move EDX a second time into ECX, I must not move EDX directly into ECX.
MOV ECX, EAX
MOV EBX, EDX
MOV ECX, EDX
ESItestMOV test.myEDX, EAX
MOV EAX, test.mySetEDX
但是这个变量甚至没有声明,所以编译器应该从哪里知道它的地址呢?如果要将其用作偏移量,则必须使用寄存器作为基址。好的,老实说,这在很多级别上都是错误的,我指的是代码本身。 您试图做的是强行进入C领域,告诉编译器退出,然后您自己写代码。这有时可能很方便,但你必须记住,你也失去了一些C特性,特别是那些自动为你完成的事情,据我所知,微软的编译软件不喜欢你在内联代码中胡闹(别误会,MASM编译器很棒,但它与C编译器配合不好) 那么回答你的问题, 我认为这里最大的问题是这条线
MOV test.myEDX, EDX
MOV test.myEDX, EAX
MOV EAX, test.mySetEDX
// doing this is not the best since the compiler may
// do some nasty stuff like aligning the struct that
// you have to take watch out for in asm
struct TestStruct {
int myEDX;
int mySetEDX;
} test;
extern bool optionOne = false;
extern bool optionTwo = false;
DWORD gotoDumpBackAddress = 0x40012345; // static memory address? this should fail like instantly, I dont really know what this is supposed to be
void __declspec( naked ) dump(void) {
__asm {
PUSHAD // you shouldn't normally push all registers only the ones you actually used!
PUSHFD
XOR EAX, EAX // this is how you zero out but honestly you can use EAX's low and high parts as 2 16bit regsiters instead of using 2 32bits for 2 bits of data
XOR EBX, EBX
MOV AL, optionOne //optionOne set
MOV BL, optionTwo //optionTwo set
TEST EAX, EAX // This check is meaning less because if gotoOptionTwo is false you move on regardless of gotoOpeionOne's value
je gotoOptionOne
TEST EBX, EBX // This test should always be true isn't it?
je gotoOptionTwo
gotoOptionOne:
// Assuming that ESI is coming from the system as you said that there is a
// breakpoint that invokes this code, do you even have access to that part of the memory?
MOV DWORD PTR DS:[ESI+0x2], EDX
MOV test.myEDX, EDX // this is just a C idom 'struct' this doesnt really exist in ASM
JMP finish
gotoOptionTwo:
MOV EAX, DWORD PTR DS:[ESI+0x2]
MOV test.myEDX, EAX
MOV EAX, test.mySetEDX
MOV DWORD PTR DS:[ESI+0x2], EAX
JMP finish
finish:
POPFD
POPAD
JMP gotoDumpBackAddress //return to starting location before dump + 1.
}
}
MOV test.myEDX, EDX
LEA ecx,test // get the address of test
MOV DWORD PTR[ecx],edx // use that address to move the data into the struct