vb6内联汇编,调用函数指针,不注册调用com

vb6执行汇编代码一般是使用CallWindowProc,这个方法有参数限制,内部还会执行一些其它调用再到函数指针,我用它调用com里面的“DllGetClassObject”函数时居然出错了,不知道怎么回事,于是乎寻求其它办法,用vc写个dll调用函数指针挺好用的,可惜多了个dll文件。后来采取修改vb模块内函数代码,用AddressOf获取vb函数地址后,再用VirtualProtect修改权限,这样就可以用CopyMemory把汇编代码复制过来,可谓偷梁换柱啊,以后执行这个vb函数就直接运行汇编代码了,不过ide下没效果,得生成exe文件才行,这样就不好调试了。

在网上看到了一种神奇的方法,手动构造一个类,将汇编代码的运行地址写进vtable,前三个方法是IUnknown接口的方法:

HRESULT QueryInterface([in] IID *riid,[in,out] IUnknown **ppvObject);
long AddRef();
long Release();

后面的方法就随意了,我添加了10个调用函数地址的方法,分别对应0个参数-9个参数的呼叫,而且不区分stdcall和cdecl调用约定,ide状态下也正常。

原帖地址:http://demon.tw/programming/vb6-repick-inline-assembly.html

最初只是想不注册调用com,没想折腾出这些东西来的,这是我改过的代码,欢迎测试

' every variable must be declared; a mistyped name becomes a compile error instead of a silent Variant
Option Explicit

' 16-byte GUID with the Win32 GUID layout (Data1/Data2/Data3/Data4[8]).
' CLSIDFromString is handed a ByRef reference to d1 and writes all 16 bytes from there.
Private Type CLSID
    d1 As Long      ' Data1
    d2 As Integer   ' Data2
    d3 As Integer   ' Data3
    d4(7) As Byte   ' Data4[8]
End Type

' Win32 / OLE imports. Every pointer and handle is carried as a Long (32-bit VB6).
' Takes a StrPtr to a Unicode path; returns the module handle or 0 on failure.
Public Declare Function LoadLibraryW Lib "Kernel32.dll" (ByVal lpFileName As Long) As Long
' The export name is ANSI; returns the export address or 0.
Public Declare Function GetProcAddress Lib "Kernel32.dll" (ByVal hModule As Long,ByVal lpProcName As String) As Long
' Raw copy between two addresses; used below both to read vtable slots and to write machine code.
Public Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long,ByVal Source As Long,ByVal Length As Long) As Long
' Declared but not called anywhere in this listing (the intro describes using it to make a code region writable).
Public Declare Function VirtualProtect Lib "kernel32" (ByVal lpAddress As Any,ByVal dwSize As Long,ByVal flNewProtect As Long,lpflOldProtect As Long) As Long
' lpsz is a StrPtr to a "{...}" string; pclsid is passed ByRef as the d1 field of a CLSID so the whole 16-byte GUID is written through it.
Public Declare Function CLSIDFromString Lib "ole32.dll" (ByVal lpsz As Long,pclsid As Long) As Long
' Only referenced from a commented-out call; kept for the CallWindowProc approach mentioned in the intro.
Declare Function CallWindowProcA Lib "user32.dll" (ByVal lpPrevWndFunc As Long,ByVal hWnd As Long,ByVal Msg As Long,ByVal wParam As Long,ByVal lParam As Long) As Long

' The fake object's "this": holds a pointer to m_vtab(0). Its own address is what gets stored in m_ICallFunAddr.
Dim m_cthis As Long
' Hand-built vtable: slots 0-2 IUnknown, slots 3-12 Arg0..Arg9 (21 slots declared, 13 used).
Dim m_vtab(20) As Long
' Backing store for the machine code the vtable slots point at (404 bytes of ordinary VB data).
Dim m_acode(100) As Long
' Cached object reference; built once by MakeCallFunAddrObj and reused afterwards.
Dim m_ICallFunAddr As ICallFunAddr

'member索引从0开始,IUnknown3个成员函数,IDispatch4个成员函数,IClassFactory.CreateInstance在3号位置
' Returns the function address stored in vtable slot `member` (0-based) of the
' COM object whose interface pointer is `cthis`. Slots 0-2 are IUnknown and, on
' a dual interface, 3-6 are IDispatch, so a VB class's first user method is at
' slot 7. Nothing is validated: a bad pointer or slot index reads arbitrary memory.
Public Function GetClassMemberAddr(ByVal cthis As Long,ByVal member As Long) As Long
    Dim vtablePtr As Long
    Dim slotAddr As Long
    Dim fnAddr As Long
    ' the first DWORD of a COM object is its vtable pointer
    CopyMemory VarPtr(vtablePtr),ByVal cthis,4
    ' each slot holds one 4-byte function pointer
    slotAddr = vtablePtr + member * 4
    CopyMemory VarPtr(fnAddr),ByVal slotAddr,4
    GetClassMemberAddr = fnAddr
End Function

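' Creates an instance of a COM class straight from an in-process server DLL that
' is not registered: loads the DLL, calls its exported DllGetClassObject through
' the Arg3 thunk to get the IClassFactory, then IClassFactory::CreateInstance for
' the requested interface. Returns Nothing on any failure; only the LoadLibrary
' failure shows a MsgBox, as before.
'   dllname - path of the server DLL, handed to LoadLibraryW unchanged. Pass a
'             full path: a bare file name is resolved through the loader's
'             search order and can pick up a different DLL than intended.
'   sclsid  - CLSID of the coclass in "{...}" string form
'   siid    - IID of the interface to return in "{...}" string form
' The DLL is deliberately never freed: the returned object's code lives in it.
Public Function Dll_GetClassObject(dllname As String,sclsid As String,siid As String) As Object
    Const S_OK As Long = 0
    Dim dll As Long
    Dim hr As Long
    Dim clsid_icf As CLSID
    Dim clsid_cls As CLSID
    Dim clsid_iid As CLSID
    Dim icf As IClassFactory
    Dim funDllGetClassObject As Long
    Dim calladdr As ICallFunAddr

    Set calladdr = MakeCallFunAddrObj
    dll = LoadLibraryW(StrPtr(dllname))
    ' HMODULE is a pointer: test against 0, not > 0, since a base above 2GB
    ' shows up as a negative Long
    If dll = 0 Then
        MsgBox "dll加载失败"
        Exit Function
    End If
    funDllGetClassObject = GetProcAddress(dll,"DllGetClassObject")
    ' no such export: not an in-process COM server
    If funDllGetClassObject = 0 Then Exit Function
    ' IID_IClassFactory; the class and interface IDs come from the caller
    If CLSIDFromString(StrPtr("{00000001-0000-0000-C000-000000000046}"),clsid_icf.d1) <> S_OK Then Exit Function
    If CLSIDFromString(StrPtr(sclsid),clsid_cls.d1) <> S_OK Then Exit Function
    If CLSIDFromString(StrPtr(siid),clsid_iid.d1) <> S_OK Then Exit Function
    ' DllGetClassObject(rclsid, riid, ppv): three pointer arguments, hence Arg3
    hr = calladdr.Arg3(funDllGetClassObject,VarPtr(clsid_cls.d1),VarPtr(clsid_icf.d1),VarPtr(icf))
    If hr <> S_OK Or icf Is Nothing Then Exit Function
    ' CreateInstance(pUnkOuter, riid, ppv); VB releases icf itself when it goes out of scope
    hr = icf.CreateInstance(0,VarPtr(clsid_iid.d1),Dll_GetClassObject)
    If hr <> S_OK Then Set Dll_GetClassObject = Nothing
End Function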

'以下代码为一个参数的例子
'00401508 >    55            PUSH EBP
'00401509      8BEC          MOV EBP,ESP
'0040150B      FF75 10       PUSH DWORD PTR SS:[EBP+10]
'0040150E      FF55 0C       CALL DWORD PTR SS:[EBP+C]
'00401511      C9            LEAVE
'00401512      C2 0C00       RETN C
'call方式stdcall和cdecl都可以
'在pcode地址处写入汇编代码,argc压入的参数个数,返回汇编长度
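' Writes a small x86 thunk at pcode that forwards `argc` DWORD arguments to the
' function pointer received as the first method argument. For the stdcall frame
' the vtable call sets up ([ebp+8] = this, [ebp+0Ch] = addr, args from [ebp+10h]):
'   push ebp / mov ebp,esp
'   push [ebp+0Ch+4*argc] ... push [ebp+10h]   ; arguments, last one first
'   call [ebp+0Ch]                             ; the target address
'   leave / ret (argc+2)*4                     ; drop this, addr and the args
'   nop ...                                    ; pad to 4-byte alignment
' `leave` restores ESP from EBP, so the thunk works for both stdcall and cdecl
' targets. pcode must be writable (and executable where DEP is enforced).
'   pcode - destination address
'   argc  - number of arguments to forward (MakeCallFunAddrObj generates 0-9)
' Returns the number of bytes written, nop padding included.
' Every CopyMemory here needs the three arguments of the Declare above
' (destination, source, length); the source operand is VarPtr(code).
Public Function MakeCallFunAddrCode(ByVal pcode As Long,ByVal argc As Long) As Long
    Dim n As Long
    Dim p As Long
    Dim code As Long

    p = pcode
    ' 55 8B EC            push ebp ; mov ebp,esp
    code = &HEC8B55
    CopyMemory p,VarPtr(code),3
    p = p + 3
    ' FF 75 disp8         push dword ptr [ebp+disp8], last argument first
    For n = argc To 1 Step -1
        code = (n * 4 + 12) * &H10000 + &H75FF
        CopyMemory p,VarPtr(code),3
        p = p + 3
    Next
    ' FF 55 0C            call dword ptr [ebp+0Ch]
    code = &HC55FF
    CopyMemory p,VarPtr(code),3
    p = p + 3
    ' C9 C2 imm16         leave ; ret (argc+2)*4
    code = (argc * 4 + 8) * &H10000 + &HC2C9&
    CopyMemory p,VarPtr(code),4
    p = p + 4
    ' 90 ...              1 to 4 nops so the next thunk starts 4-byte aligned
    code = &H90909090
    n = 4 - p Mod 4
    CopyMemory p,VarPtr(code),n
    MakeCallFunAddrCode = p + n - pcode
End Function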

'    function QueryInterface(riid:^GUID; out ppvObj:^^void);
'    function AddRef: UI4;
'    function Release: UI4;
'00401480 >    8B4424 04     MOV EAX,DWORD PTR SS:[ESP+4]
'00401484      8B4C24 0C     MOV ECX,DWORD PTR SS:[ESP+C]
'00401488 >    8901          MOV DWORD PTR DS:[ECX],EAX
'0040148A      33C0          XOR EAX,EAX
'0040148C      C2 0C00       RETN 0C
'0040148F      90            NOP
'00401490      33C0          XOR EAX,EAX
'00401492      40            INC EAX
'00401493      C2 0400       RETN 4
' Builds, once, the hand-made COM object whose vtable is m_vtab and whose method
' bodies are the machine code in m_acode, and returns it typed as ICallFunAddr.
' Slot layout: 0 QueryInterface, 1 AddRef, 2 Release, 3..12 Arg0..Arg9.
' Release is a no-op and the object is never freed, so it lives as long as the
' module. m_acode is ordinary VB data, not a code page; whether it may be
' executed depends on the process's DEP setting. NOTE(review): VirtualProtect is
' declared in this module but not called here -- confirm on a DEP-enforcing host.
Public Function MakeCallFunAddrObj() As ICallFunAddr
    Dim n As Long
    Dim p As Long
    Dim narg As Long
    Dim nfun As Long
    
    ' singleton: hand back the object built on the first call
    If Not m_ICallFunAddr Is Nothing Then
        Set MakeCallFunAddrObj = m_ICallFunAddr
        Exit Function
    End If
    
    m_cthis = VarPtr(m_vtab(0))
    ' QueryInterface(this, riid, ppv): *ppv = this for any riid, return S_OK
    '   8B 44 24 04  mov eax,[esp+4]
    '   8B 4C 24 0C  mov ecx,[esp+0Ch]
    '   89 01        mov [ecx],eax
    '   33 C0        xor eax,eax
    '   C2 0C 00     ret 0Ch   (90 = nop pad)
    m_acode(0) = &H424448B
    m_acode(1) = &HC244C8B
    m_acode(2) = &HC0330189
    m_acode(3) = &H90000CC2
    ' AddRef and Release share one body: return 1, no real reference count
    '   33 C0 / 40 / C2 04 00   xor eax,eax ; inc eax ; ret 4   (90 90 = nop pad)
    m_acode(4) = &HC240C033
    m_acode(5) = &H90900004
    
    m_vtab(0) = VarPtr(m_acode(0))
    m_vtab(1) = VarPtr(m_acode(4))
    m_vtab(2) = m_vtab(1)
    
    ' one forwarding thunk per argument count, packed back to back from m_acode(6)
    p = VarPtr(m_acode(6))
    nfun = 3
    For narg = 0 To 9
        n = MakeCallFunAddrCode(p,narg)
        m_vtab(nfun) = p
        p = p + n
        nfun = nfun + 1
    Next
    
    ' an interface pointer is the address of a pointer to the vtable, i.e. &m_cthis;
    ' it is written straight into the object variable, so no AddRef happens here
    p = VarPtr(m_cthis)
    CopyMemory VarPtr(m_ICallFunAddr),VarPtr(p),4
    Set MakeCallFunAddrObj = m_ICallFunAddr
End Function


以下是调用测试

' form-level handle to the thunk object; set in Form_Load and used by every test below
Dim m_ICallFunAddr As ICallFunAddr

' Smoke test: instantiate the coclass from an unregistered DLL, show its type
' name, then invoke its late-bound testadd method.
Private Sub Test_com()
    Const DLL_PATH As String = "D:\Administrator\Documents\VB6.0\内联汇编_类成员函数调用\aatest2.dll"
    Const TEST_CLSID As String = "{6D926E71-56E7-467D-B64F-E7571EF1B806}"
    Const TEST_IID As String = "{B1F1024A-7CF1-44C8-B34B-B7BE383F4825}"
    Dim inst As Object
    Set inst = Dll_GetClassObject(DLL_PATH,TEST_CLSID,TEST_IID)
    MsgBox TypeName(inst)
    Call inst.testadd(1,2,"abc")
End Sub

' Calls a method of Class1 through the Arg3 thunk instead of through VB: slot 7
' is the first slot after the 3 IUnknown and 4 IDispatch entries of its dual
' interface. The thunk receives the method address, the object pointer as
' `this`, and two further arguments (the second one by address) -- what Class1
' expects there is not visible in this listing.
Public Sub Test_CallClassMember()
    Dim target As New Class1
    Dim thisPtr As Long
    Dim methodAddr As Long
    Dim outVal As Long
    thisPtr = ObjPtr(target)
    methodAddr = GetClassMemberAddr(thisPtr,7)
    outVal = 3
    Call m_ICallFunAddr.Arg3(methodAddr,thisPtr,1,VarPtr(outVal))
End Sub

'中断
' Executes a software breakpoint: the bytes CC C3 90 90 are int3; ret; nop; nop,
' run from a stack variable through the zero-argument thunk. Under a debugger
' execution stops here; without one the breakpoint exception is unhandled.
Sub Test_int3()
    Dim trap As Long
    trap = &H9090C3CC
    Call m_ICallFunAddr.Arg0(VarPtr(trap))
End Sub

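' Exercises the thunks on real Win32 exports: the cdecl wsprintfW (the caller
' cleans the stack, which the thunk's `leave` covers) and the stdcall MessageBoxW.
' The MessageBoxW line as printed on the page carried only three of the four
' MessageBoxW arguments (hWnd, text, caption, type); the text is supplied here as
' the buffer just formatted, so the dialog shows the wsprintfW result.
' wsprintfW takes no buffer length (its documented output limit is 1024
' characters); the 500-character buffer suits this fixed format only, not
' arbitrary format strings or arguments.
Sub Test_CallFunAddr()
    Dim dll As Long
    Dim addr As Long
    Dim buf As String
    Dim n As Long
    Dim s As String
    
    buf = String(500,"0")
    dll = LoadLibraryW(StrPtr("user32.dll"))
    If dll = 0 Then Exit Sub
    ' cdecl: wsprintfW(buf, fmt, ...) returns the number of characters written
    addr = GetProcAddress(dll,"wsprintfW")
    If addr = 0 Then Exit Sub
    n = m_ICallFunAddr.Arg4(addr,StrPtr(buf),StrPtr("字符串:%s,数字%d"),StrPtr("中文12345+"),1234)
    ' stdcall: MessageBoxW(hWnd, lpText, lpCaption, uType)
    addr = GetProcAddress(dll,"MessageBoxW")
    If addr = 0 Then Exit Sub
    m_ICallFunAddr.Arg4 addr,Me.hWnd,StrPtr(buf),StrPtr("MessageBoxW"),vbOKCancel
    s = Left(buf,n)
    s = "长度:" & n & vbCrLf & s
    MsgBox s
End Sub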

' Builds the thunk object once, then runs the COM smoke test. The remaining
' tests (Test_CallClassMember, Test_int3, Test_CallFunAddr) are not run by
' default; Test_int3 in particular breaks into the debugger.
Private Sub Form_Load()
    Set m_ICallFunAddr = MakeCallFunAddrObj()
    Call Test_com
End Sub


类型库,用vc6的mktyplib生成

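// Type library for the hand-built thunk object (compiled with VC6 mktyplib).
// Every ICallFunAddr slot after IUnknown is ArgN: the target address followed
// by N DWORD arguments. The VB code calls Arg3 with four and Arg4 with five
// arguments and generates one thunk per count 0..9, so each ArgN must list
// addr plus arg1..argN in full.
[
    uuid(2399BACC-768E-4e37-8B98-80EC39BE4772)
]
library tlb_callFunAddr
{
	importlib("stdole2.tlb");

	// vtable slots 3..12 of the object built by MakeCallFunAddrObj
	[uuid(316462C8-FDBA-45f7-856B-325C1AD39737),odl]
	interface ICallFunAddr : IUnknown
	{
		long Arg0([in] long addr);
		long Arg1([in] long addr,[in] long arg1);
		long Arg2([in] long addr,[in] long arg1,[in] long arg2);
		long Arg3([in] long addr,[in] long arg1,[in] long arg2,[in] long arg3);
		long Arg4([in] long addr,[in] long arg1,[in] long arg2,[in] long arg3,[in] long arg4);
		long Arg5([in] long addr,[in] long arg1,[in] long arg2,[in] long arg3,[in] long arg4,[in] long arg5);
		long Arg6([in] long addr,[in] long arg1,[in] long arg2,[in] long arg3,[in] long arg4,[in] long arg5,[in] long arg6);
		long Arg7([in] long addr,[in] long arg1,[in] long arg2,[in] long arg3,[in] long arg4,[in] long arg5,[in] long arg6,[in] long arg7);
		long Arg8([in] long addr,[in] long arg1,[in] long arg2,[in] long arg3,[in] long arg4,[in] long arg5,[in] long arg6,[in] long arg7,[in] long arg8);
		long Arg9([in] long addr,[in] long arg1,[in] long arg2,[in] long arg3,[in] long arg4,[in] long arg5,[in] long arg6,[in] long arg7,[in] long arg8,[in] long arg9);
	};

	// Only the vtable shape matters: CreateInstance is slot 3, LockServer slot 4.
	// ppvObject is declared [in] IUnknown** so the VB caller passes its Object
	// variable by reference and the server writes the new pointer into it.
	[uuid(00000001-0000-0000-C000-000000000046),odl]
	interface IClassFactory : IUnknown
	{
		long CreateInstance([in] long pUnkOuter,[in] long riid,[in] IUnknown** ppvObject);
		long LockServer([in] long fLock);
	};
};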


clsid我是用eXeScope查看的,挺好用的一个软件,汇编是ollydbg里面打的,也用它调试。

vb6生成的pdb调试文件貌似每次生成新的,要手动删除以前的,害我调试错乱,花了好多时间。

