PE文件中的跳转存根 [英] jump stubs in PE files

问题描述

最近我反汇编了一个 DLL(用 c/c++ 编写)并注意到代码段中有很多跳转存根".这些存根除了跳转到 DLL 内的函数之外什么都不做.

Recently I disassembled a DLL (written in c/c++) and noticed that there are many "jump stubs" inside the code segment. These stubs do nothing but jump to a function inside the DLL.

例如:

jmp foo() 
jmp foo2()
...

为什么编译器 (Visual Studio 2012) 在二进制文件中包含这些函数存根?

Why does the compiler (Visual studio 2012) include these function stubs inside the binary?

谢谢！

推荐答案

在所有存根之后是否有一大堆 0xCC 字节?如果是这样，您正在查看已在启用增量链接的情况下编译的代码(调试版本的默认设置).

Is there a big bunch of 0xCC bytes after all the stubs? If so, you're looking at code which has been compiled with incremental linking enabled (default for debug builds).

在为增量链接编译时，编译器为每个函数创建一个存根，并确保所有调用都通过存根.如果一个函数需要用更新的代码替换，新代码可以添加到最后，只需要修补跳转 thunk - 所有现有调用都将重定向到新代码.额外的 CC 是为更多存根保留的，以防添加新功能.

When compiling for incremental linking, the compiler creates a stub for every function and makes sure that all calls go via the stub. In case a function needs to be replaced with updated code, the new code can be added the end and only the jump thunk needs to be patched - all existing calls will be redirected to the new code. The extra CCs are reserved for more stubs in case new functions are added.

有关更多背景信息，请参阅 MSDN.

这篇关于PE文件中的跳转存根的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！