测试CallWindowProc执行汇编
我们在Form1.frm写入如下代码:
Private Sub Command1_Click()
    ' Convert the contents of Text1 to an ANSI byte array, run it through the
    ' machine-code checksum (AsmCrc) with the character count as the Init
    ' value, then show the result in a message box and in Text2.
    Dim ansiBytes() As Byte
    Dim checksum As Long

    ansiBytes = StrConv(Text1.Text, vbFromUnicode)
    ' Note: Len() counts characters, not bytes, so for DBCS text this value
    ' need not equal the array length; AsmCrc only uses it as a seed.
    checksum = AsmCrc(ansiBytes, Len(Text1.Text))

    MsgBox "ueruewrew" & checksum
    Text2.Text = "字符串" & Text1.Text & "fhdsfksdfs:" & checksum
End Sub
在Module1.bas写入如下代码:
Option Explicit
' CallWindowProcA is used here only as a trampoline: the address passed as
' lpPrevWndFunc is invoked like a window procedure with the other four
' arguments on the stack, so the caller can hand it a buffer of machine code
' (see AsmCrc below, which pops exactly those four arguments).
Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, _
ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
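Public Function AsmCrc(bytInput() As Byte, ByVal Init As Long) As Long
    ' Computes a rolling checksum of bytInput by executing a 24-byte x86 stub
    ' through CallWindowProcA.  The six Longs in Asm() decode to:
    '
    '   pop eax            ; return address into CallWindowProcA
    '   pop ecx            ; hwnd   = address of the first input byte
    '   pop edx            ; Msg    = address of the last input byte
    '   pop ebx            ; wParam = address of the AsmCrc return slot
    '   pop esi            ; lParam = Init (initial accumulator value)
    '   push eax           ; put the return address back
    '   xor eax, eax
    ' loop:
    '   mov al, ss:[ecx]   ; esi = ror32(esi + byte, 1) for every byte
    '   add esi, eax
    '   ror esi, 1
    '   inc ecx
    '   cmp ecx, edx
    '   jle loop           ; body runs at least once, stops after the last byte
    '   mov ss:[ebx], esi  ; store the result straight into AsmCrc
    '   ret
    '
    ' Parameters:
    '   bytInput - bytes to checksum (ByRef; the array is only read)
    '   Init     - starting value of the accumulator
    ' Returns: the accumulator after every byte has been folded in; Init
    '          unchanged when the array is empty or not allocated.
    '
    ' Caveats:
    '   * Asm() is an ordinary VB data buffer (the compiled code builds it with
    '     __vbaAryConstruct2), so the transfer only succeeds when DEP is not
    '     enforced for the process; with DEP on, the call faults immediately.
    '   * The stub overwrites ebx and esi without restoring them, although a
    '     window procedure is expected to preserve both.  It relies on
    '     CallWindowProcA not using those registers after the call - confirm
    '     before reusing the stub elsewhere.
    '   * The end-of-buffer test is a signed compare (jle), so the input must
    '     reside below 0x80000000 - true for normal 32-bit user-mode buffers.
    Dim Asm(5) As Long
    Dim firstIdx As Long
    Dim lastIdx As Long

    ' Guard the empty case before touching any element: LBound/UBound raise
    ' error 9 on an unallocated dynamic array, and a zero-length array would
    ' make bytInput(firstIdx) itself out of range before the stub ever runs.
    On Error Resume Next
    Err.Clear
    firstIdx = LBound(bytInput)
    lastIdx = UBound(bytInput)
    If Err.Number <> 0 Or lastIdx < firstIdx Then
        Err.Clear
        On Error GoTo 0
        AsmCrc = Init
        Exit Function
    End If
    On Error GoTo 0

    Asm(0) = &H5B5A5958   ' pop eax / pop ecx / pop edx / pop ebx
    Asm(1) = &HC033505E   ' pop esi / push eax / xor eax, eax
    Asm(2) = &H3018A36    ' mov al, ss:[ecx] / add ...
    Asm(3) = &H41CED1F0   ' ... esi, eax / ror esi, 1 / inc ecx
    Asm(4) = &HF47ECA3B   ' cmp ecx, edx / jle loop
    Asm(5) = &HC3338936   ' mov ss:[ebx], esi / ret

    ' The stub writes the result through VarPtr(AsmCrc); nothing assigns
    ' AsmCrc in VB on this path.
    CallWindowProc VarPtr(Asm(0)), _
                   VarPtr(bytInput(firstIdx)), _
                   VarPtr(bytInput(lastIdx)), _
                   VarPtr(AsmCrc), _
                   Init
End Function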
我们可以在 OD 里看到关键代码:
00402010 .50 push eax
00402011 .8D45 E4 lea eax, dword ptr [ebp-1C]
00402014 .50 push eax
00402015 .E8 16020000 call 00402230 ;AsmCrc(myBAry, Len(Text1.Text))
0040201A .8BF8 mov edi, eax
0040201C .8D4D E0 lea ecx, dword ptr [ebp-20]
0040201F .897D E8 mov dword ptr [ebp-18], edi
00402022 .FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>];msvbvm60.__vbaFreeStr
我们跟进 call 00402230:
00402230 $55 push ebp
00402231 .8BEC mov ebp, esp
00402233 .83EC 08 sub esp, 0x8
00402236 .68 06114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE 处理程序安装
0040223B .64:A1 00000000 mov eax, dword ptr fs:[0]
00402241 .50 push eax
00402242 .64:8925 00000000 mov dword ptr fs:[0], esp
00402249 .83EC 3C sub esp, 0x3C
0040224C .53 push ebx
0040224D .56 push esi
0040224E .57 push edi
0040224F .8965 F8 mov dword ptr [ebp-8], esp
00402252 .C745 FC E8104000 mov dword ptr [ebp-4], 004010E8
00402259 .33C0 xor eax, eax
0040225B .6A 03 push 0x3
0040225D .8945 EC mov dword ptr [ebp-14], eax
00402260 .8945 CC mov dword ptr [ebp-34], eax
00402263 .8945 C8 mov dword ptr [ebp-38], eax
00402266 .8945 C4 mov dword ptr [ebp-3C], eax
00402269 .68 9C1D4000 push 00401D9C
0040226E .8D45 D4 lea eax, dword ptr [ebp-2C]
00402271 .50 push eax
00402272 .FF15 54104000 call dword ptr [<&MSVBVM60.__vbaAryConstru>;msvbvm60.__vbaAryConstruct2
00402278 .8B4D E0 mov ecx, dword ptr [ebp-20]
0040227B .8B3D 88104000 mov edi, dword ptr [<&MSVBVM60.#644>] ;msvbvm60.VarPtr
00402281 .C701 58595A5B mov dword ptr [ecx], 0x5B5A5958
00402287 .8B55 E0 mov edx, dword ptr [ebp-20]
0040228A .C742 04 5E5033C0 mov dword ptr [edx+4], 0xC033505E
00402291 .8B45 E0 mov eax, dword ptr [ebp-20]
00402294 .C740 08 368A0103 mov dword ptr [eax+8], 0x3018A36
0040229B .8B4D E0 mov ecx, dword ptr [ebp-20]
0040229E .C741 0C F0D1CE41 mov dword ptr [ecx+C], 0x41CED1F0
004022A5 .8B55 E0 mov edx, dword ptr [ebp-20]
004022A8 .C742 10 3BCA7EF4 mov dword ptr [edx+10], 0xF47ECA3B
004022AF .8B45 E0 mov eax, dword ptr [ebp-20]
004022B2 .C740 14 368933C3 mov dword ptr [eax+14], 0xC3338936
004022B9 .8B4D E0 mov ecx, dword ptr [ebp-20]
004022BC .51 push ecx
004022BD .FFD7 call edi ;<&MSVBVM60.#644>
004022BF .8B55 08 mov edx, dword ptr [ebp+8]
004022C2 .8B32 mov esi, dword ptr [edx]
004022C4 .8BD8 mov ebx, eax
004022C6 .56 push esi
004022C7 .8D45 CC lea eax, dword ptr [ebp-34]
004022CA .50 push eax
004022CB .FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLock>];msvbvm60.__vbaAryLock
004022D1 .56 push esi
004022D2 .6A 01 push 0x1
004022D4 .FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaLbound>] ;msvbvm60.__vbaLbound
004022DA .8BC8 mov ecx, eax
004022DC .8B45 CC mov eax, dword ptr [ebp-34]
004022DF .8B50 0C mov edx, dword ptr [eax+C]
004022E2 .2B50 14 sub edx, dword ptr [eax+14]
004022E5 .03CA add ecx, edx
004022E7 .51 push ecx
004022E8 .FFD7 call edi
004022EA .8945 C4 mov dword ptr [ebp-3C], eax
004022ED .8D45 CC lea eax, dword ptr [ebp-34]
004022F0 .50 push eax
004022F1 .FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUnlock>>;msvbvm60.__vbaAryUnlock
004022F7 .56 push esi
004022F8 .8D4D C8 lea ecx, dword ptr [ebp-38]
004022FB .51 push ecx
004022FC .FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLock>];msvbvm60.__vbaAryLock
00402302 .56 push esi
00402303 .6A 01 push 0x1
00402305 .FF15 84104000 call dword ptr [<&MSVBVM60.__vbaUbound>] ;msvbvm60.__vbaUbound
0040230B .8BD0 mov edx, eax
0040230D .8B45 C8 mov eax, dword ptr [ebp-38]
00402310 .8B48 0C mov ecx, dword ptr [eax+C]
00402313 .2B48 14 sub ecx, dword ptr [eax+14]
00402316 .03D1 add edx, ecx
00402318 .52 push edx
00402319 .FFD7 call edi
0040231B .8D55 C8 lea edx, dword ptr [ebp-38]
0040231E .52 push edx
0040231F .8BF0 mov esi, eax
00402321 .FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUnlock>>;msvbvm60.__vbaAryUnlock
00402327 .8D45 EC lea eax, dword ptr [ebp-14]
0040232A .50 push eax
0040232B .FFD7 call edi
0040232D .8B4D 0C mov ecx, dword ptr [ebp+C]
00402330 .8B55 C4 mov edx, dword ptr [ebp-3C]
00402333 .51 push ecx
00402334 .50 push eax
00402335 .56 push esi
00402336 .52 push edx
00402337 .53 push ebx
00402338 .E8 FBF8FFFF call <<------user32-CallWindowProcA------>>
0040233D .FF15 28104000 call dword ptr [<&MSVBVM60.__vbaSetSystemE>;msvbvm60.__vbaSetSystemError
00402343 .68 70234000 push 00402370
00402348 .EB 13 jmp short 0040235D
0040234A .8B35 C0104000 mov esi, dword ptr [<&MSVBVM60.__vbaAryUn>;msvbvm60.__vbaAryUnlock
00402350 .8D45 CC lea eax, dword ptr [ebp-34]
00402353 .50 push eax
00402354 .FFD6 call esi ;<&MSVBVM60.__vbaAryUnlock>
00402356 .8D4D C8 lea ecx, dword ptr [ebp-38]
00402359 .51 push ecx
0040235A .FFD6 call esi
0040235C .C3 retn
0040235D >8D45 C4 lea eax, dword ptr [ebp-3C]
00402360 .50 push eax
00402361 .8D55 D4 lea edx, dword ptr [ebp-2C]
00402364 .6A 00 push 0x0
00402366 .8955 C4 mov dword ptr [ebp-3C], edx
00402369 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaAryDestruc>;msvbvm60.__vbaAryDestruct
0040236F .C3 retn
如果我们将所有代码都放入 Form1.frm:
Option Explicit
' CallWindowProcA is used here only as a trampoline: the address passed as
' lpPrevWndFunc is invoked like a window procedure with the other four
' arguments on the stack, so the caller can hand it a buffer of machine code
' (see AsmCrc below, which pops exactly those four arguments).
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, _
ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
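Private Function AsmCrc(bytInput() As Byte, ByVal Init As Long) As Long
    ' Computes a rolling checksum of bytInput by executing a 24-byte x86 stub
    ' through CallWindowProcA.  The six Longs in Asm() decode to:
    '
    '   pop eax            ; return address into CallWindowProcA
    '   pop ecx            ; hwnd   = address of the first input byte
    '   pop edx            ; Msg    = address of the last input byte
    '   pop ebx            ; wParam = address of the AsmCrc return slot
    '   pop esi            ; lParam = Init (initial accumulator value)
    '   push eax           ; put the return address back
    '   xor eax, eax
    ' loop:
    '   mov al, ss:[ecx]   ; esi = ror32(esi + byte, 1) for every byte
    '   add esi, eax
    '   ror esi, 1
    '   inc ecx
    '   cmp ecx, edx
    '   jle loop           ; body runs at least once, stops after the last byte
    '   mov ss:[ebx], esi  ; store the result straight into AsmCrc
    '   ret
    '
    ' Parameters:
    '   bytInput - bytes to checksum (ByRef; the array is only read)
    '   Init     - starting value of the accumulator
    ' Returns: the accumulator after every byte has been folded in; Init
    '          unchanged when the array is empty or not allocated.
    '
    ' Caveats:
    '   * Asm() is an ordinary VB data buffer (the compiled code builds it with
    '     __vbaAryConstruct2), so the transfer only succeeds when DEP is not
    '     enforced for the process; with DEP on, the call faults immediately.
    '   * The stub overwrites ebx and esi without restoring them, although a
    '     window procedure is expected to preserve both.  It relies on
    '     CallWindowProcA not using those registers after the call - confirm
    '     before reusing the stub elsewhere.
    '   * The end-of-buffer test is a signed compare (jle), so the input must
    '     reside below 0x80000000 - true for normal 32-bit user-mode buffers.
    Dim Asm(5) As Long
    Dim firstIdx As Long
    Dim lastIdx As Long

    ' Guard the empty case before touching any element: LBound/UBound raise
    ' error 9 on an unallocated dynamic array, and a zero-length array would
    ' make bytInput(firstIdx) itself out of range before the stub ever runs.
    On Error Resume Next
    Err.Clear
    firstIdx = LBound(bytInput)
    lastIdx = UBound(bytInput)
    If Err.Number <> 0 Or lastIdx < firstIdx Then
        Err.Clear
        On Error GoTo 0
        AsmCrc = Init
        Exit Function
    End If
    On Error GoTo 0

    Asm(0) = &H5B5A5958   ' pop eax / pop ecx / pop edx / pop ebx
    Asm(1) = &HC033505E   ' pop esi / push eax / xor eax, eax
    Asm(2) = &H3018A36    ' mov al, ss:[ecx] / add ...
    Asm(3) = &H41CED1F0   ' ... esi, eax / ror esi, 1 / inc ecx
    Asm(4) = &HF47ECA3B   ' cmp ecx, edx / jle loop
    Asm(5) = &HC3338936   ' mov ss:[ebx], esi / ret

    ' The stub writes the result through VarPtr(AsmCrc); nothing assigns
    ' AsmCrc in VB on this path.
    CallWindowProc VarPtr(Asm(0)), _
                   VarPtr(bytInput(firstIdx)), _
                   VarPtr(bytInput(lastIdx)), _
                   VarPtr(AsmCrc), _
                   Init
End Function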
Private Sub Command1_Click()
    ' Convert the contents of Text1 to an ANSI byte array, run it through the
    ' machine-code checksum (AsmCrc) with the character count as the Init
    ' value, then show the result in a message box and in Text2.
    Dim ansiBytes() As Byte
    Dim checksum As Long

    ansiBytes = StrConv(Text1.Text, vbFromUnicode)
    ' Note: Len() counts characters, not bytes, so for DBCS text this value
    ' need not equal the array length; AsmCrc only uses it as a seed.
    checksum = AsmCrc(ansiBytes, Len(Text1.Text))

    MsgBox "ueruewrew" & checksum
    Text2.Text = "字符串" & Text1.Text & "fhdsfksdfs:" & checksum
End Sub
我们看看关键的代码:
00402119 .FF15 10104000 call dword ptr [<&MSVBVM60.__vbaLenBs>;msvbvm60.__vbaLenBstr
0040211F .50 push eax
00402120 .8D4D E4 lea ecx, dword ptr [ebp-1C]
00402123 .51 push ecx
00402124 .56 push esi
00402125 .FF97 F8060000 call dword ptr [edi+6F8] ;myBAry = StrConv(Text1.Text, vbFromUnicode)
下面是关键call代码:
00401E60 > \55 push ebp
00401E61 .8BEC mov ebp, esp
00401E63 .83EC 08 sub esp, 0x8
00401E66 .68 06114000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
00401E6B .64:A1 0000000>mov eax, dword ptr fs:
00401E71 .50 push eax
00401E72 .64:8925 00000>mov dword ptr fs:, esp
00401E79 .83EC 3C sub esp, 0x3C
00401E7C .53 push ebx
00401E7D .56 push esi
00401E7E .57 push edi
00401E7F .8965 F8 mov dword ptr , esp
00401E82 .C745 FC D8104>mov dword ptr , 004010D8
00401E89 .33C0 xor eax, eax
00401E8B .6A 03 push 0x3
00401E8D .8945 EC mov dword ptr , eax
00401E90 .8945 CC mov dword ptr , eax
00401E93 .8945 C8 mov dword ptr , eax
00401E96 .8945 C4 mov dword ptr , eax
00401E99 .68 F01B4000 push 00401BF0
00401E9E .8D45 D4 lea eax, dword ptr
00401EA1 .50 push eax
00401EA2 .FF15 54104000 call dword ptr [<&MSVBVM60.__vbaAryCo>;msvbvm60.__vbaAryConstruct2
00401EA8 .8B4D E0 mov ecx, dword ptr
00401EAB .8B3D 88104000 mov edi, dword ptr [<&MSVBVM60.#644>>;msvbvm60.VarPtr
00401EB1 .C701 58595A5B mov dword ptr , 0x5B5A5958
00401EB7 .8B55 E0 mov edx, dword ptr
00401EBA .C742 04 5E503>mov dword ptr , 0xC033505E
00401EC1 .8B45 E0 mov eax, dword ptr
00401EC4 .C740 08 368A0>mov dword ptr , 0x3018A36
00401ECB .8B4D E0 mov ecx, dword ptr
00401ECE .C741 0C F0D1C>mov dword ptr , 0x41CED1F0
00401ED5 .8B55 E0 mov edx, dword ptr
00401ED8 .C742 10 3BCA7>mov dword ptr , 0xF47ECA3B
00401EDF .8B45 E0 mov eax, dword ptr
00401EE2 .C740 14 36893>mov dword ptr , 0xC3338936
00401EE9 .8B4D E0 mov ecx, dword ptr
00401EEC .51 push ecx
00401EED .FFD7 call edi ;<&MSVBVM60.#644>
00401EEF .8B55 0C mov edx, dword ptr
00401EF2 .8B32 mov esi, dword ptr
00401EF4 .8BD8 mov ebx, eax
00401EF6 .56 push esi
00401EF7 .8D45 CC lea eax, dword ptr
00401EFA .50 push eax
00401EFB .FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLo>;msvbvm60.__vbaAryLock
00401F01 .56 push esi
00401F02 .6A 01 push 0x1
00401F04 .FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaLboun>;msvbvm60.__vbaLbound
00401F0A .8BC8 mov ecx, eax
00401F0C .8B45 CC mov eax, dword ptr
00401F0F .8B50 0C mov edx, dword ptr
00401F12 .2B50 14 sub edx, dword ptr
00401F15 .03CA add ecx, edx
00401F17 .51 push ecx
00401F18 .FFD7 call edi
00401F1A .8945 C4 mov dword ptr , eax
00401F1D .8D45 CC lea eax, dword ptr
00401F20 .50 push eax
00401F21 .FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUn>;msvbvm60.__vbaAryUnlock
00401F27 .56 push esi
00401F28 .8D4D C8 lea ecx, dword ptr
00401F2B .51 push ecx
00401F2C .FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLo>;msvbvm60.__vbaAryLock
00401F32 .56 push esi
00401F33 .6A 01 push 0x1
00401F35 .FF15 84104000 call dword ptr [<&MSVBVM60.__vbaUboun>;msvbvm60.__vbaUbound
00401F3B .8BD0 mov edx, eax
00401F3D .8B45 C8 mov eax, dword ptr
00401F40 .8B48 0C mov ecx, dword ptr
00401F43 .2B48 14 sub ecx, dword ptr
00401F46 .03D1 add edx, ecx
00401F48 .52 push edx
00401F49 .FFD7 call edi
00401F4B .8D55 C8 lea edx, dword ptr
00401F4E .52 push edx
00401F4F .8BF0 mov esi, eax
00401F51 .FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUn>;msvbvm60.__vbaAryUnlock
00401F57 .8D45 EC lea eax, dword ptr
00401F5A .50 push eax
00401F5B .FFD7 call edi
00401F5D .8B4D 10 mov ecx, dword ptr
00401F60 .8B55 C4 mov edx, dword ptr
00401F63 .51 push ecx
00401F64 .50 push eax
00401F65 .56 push esi
00401F66 .52 push edx
00401F67 .53 push ebx
00401F68 .E8 57FCFFFF call <<------user32-CallWindowProcA-->
00401F6D .FF15 28104000 call dword ptr [<&MSVBVM60.__vbaSetSy>;msvbvm60.__vbaSetSystemError
00401F73 .68 A01F4000 push 00401FA0
00401F78 .EB 13 jmp short 00401F8D
00401F7A .8B35 C0104000 mov esi, dword ptr [<&MSVBVM60.__vba>;msvbvm60.__vbaAryUnlock
00401F80 .8D45 CC lea eax, dword ptr
00401F83 .50 push eax
00401F84 .FFD6 call esi ;<&MSVBVM60.__vbaAryUnlock>
00401F86 .8D4D C8 lea ecx, dword ptr
00401F89 .51 push ecx
00401F8A .FFD6 call esi
00401F8C .C3 retn
00401F8D >8D45 C4 lea eax, dword ptr
00401F90 .50 push eax
00401F91 .8D55 D4 lea edx, dword ptr
00401F94 .6A 00 push 0x0
00401F96 .8955 C4 mov dword ptr , edx
00401F99 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaAryDe>;msvbvm60.__vbaAryDestruct
00401F9F .C3 retn
可以看到两种写法生成的 call 内容是一样的：一个简单的 call，却包含了很多多余的代码。
然后我们看看那个CallWindowProcA:
00401BC4 > $A1 DC324000 mov eax, dword ptr [4032DC] ;<------user32-CallWindowProcA------>
00401BC9 .0BC0 or eax, eax
00401BCB .74 02 je short 00401BCF
00401BCD .FFE0 jmp eax
00401BCF >68 AC1B4000 push 00401BAC ;user32
00401BD4 .B8 90114000 mov eax, <jmp.&MSVBVM60.DllFunctionC>
00401BD9 .FFD0 call eax
00401BDB .- FFE0 jmp eax ;user32.CallWindowProcA
基本可以看出，这种方式执行汇编的效率并不高；嵌入汇编还是用 asminvb 更有效率。