Visual C ++在函数末尾附加0xCC(int3)字节 [英] Visual C++ appends 0xCC (int3) bytes at the end of functions
问题描述
这是我第一次来,我真的希望你们能为我提供帮助,因为到目前为止我已经没有足够的想法了.
This is my first time around, and I really hope you guys can help me, as I have ran out of ideas by now.
我已经搜索了几个小时的答案,却找不到实际可行的答案.
I have searched for an answer for a couple of hours now, and could not find an answer that would actually work.
我想直接将代码注入正在运行的进程中.是的,您已正确阅读.我试图将代码注入另一个应用程序,并且-信不信由你-这仅仅是为了扩展它的功能.
I would like to directly inject code into a running process. Yes, you have read it right. I am trying to inject code into another application, and - believe it or not - this is only to extend the functionality of it.
我正在Windows上使用Visual Studio 2012 Express Edition.
I am using Visual Studio 2012 Express Edition on Windows.
我有以下代码:
__declspec(naked) void Foo()
{
__asm
{
// Inline assembly code here
}
}
__declspec(naked) void FooEnd() {}
int main()
{
cout << HEX(Foo) << endl;
cout << HEX(FooEnd) << endl;
cout << (int)FooEnd - (int)Foo << endl;
// Inject code here using WriteProcessMemory
return 0;
}
为了保持可读性,大多数代码已被删除,尽管我可以根据要求发布其他代码.
Most of the code has been removed in order to maintain readability, though I can post other portions of it on request.
输出如下:
0x010B1000
0x010B1010
16
结果大小实际上是不正确的.这些函数以正确的顺序编译(确保使用/ORDER进行编译),但是编译器在每种方法之后添加了一堆0xCC(整数3)字节,这扩大了它的大小,因此我无法获得真实的(有用的)数字包含实际可执行代码的字节数.
The resulting size is actually incorrect. The functions are compiled in the right order (made sure using /ORDER), but the compiler adds a bunch of 0xCC (int 3) bytes after each method which extends it's size, and so I can't get the real (useful) number of bytes that contains actual executable code.
在另一个stackoverflow问题中,有人说禁用编辑并继续"将使这些多余的字节消失,但是无论如何,这对我不起作用.
In another stackoverflow question, it has been said that disabling "Edit and Continue" would make these extra bytes go away, but no matter what, that didn't work for me.
我也尝试使用Release setup而不是Debug,更改了一堆优化设置,但是这些都不起作用.您认为什么是解决方案?我可能缺少明显的东西.
I also tried using Release setup instead of Debug, changed a bunch of optimization settings, but none of these had any effect. What do you think could be the solution? I may be missing something obvious.
无论如何,(您认为)这是获取功能长度(可读性,可靠性,易用性)的最佳方法吗?
Anyway, is this (in your opinion) the best way to acquire a function's length (readability, reliability, ease of use)?
我希望我能解释一切,以便您能够提供帮助.如果您还有其他疑问,请随时发表评论.
I hope I explained everything I had to in order for you to be able to help. If you have further questions, please feel free to leave a comment.
感谢您的时间和精力.
推荐答案
在注入代码时不需要多余的填充,因此可以丢弃它们.复制它们也应该很好,这只会导致复制一些额外的字节.无论如何,机会都是通过页面对齐的块注入的内存,因此,通过剥离它并不会真正获得任何好处.
You don't need the extra padding when you're injecting the code, so it's fine to discard them. It should also be fine to copy them over, it will just result in a few extra bytes of copying. Chances are the memory you're injecting to will by a page-aligned block anyway, so you're not really gaining anything by stripping it out.
但是,如果您真的要剥离它,一个简单的解决方案是从下一个函数之前的最后一个字节向后迭代,直到不再有0xcc字节为止.
But if you really want to strip it out, a simple solution to your problem would be to just iterate backwards from the last byte before the next function, until there are no more 0xcc bytes.
即:
__declspec(naked) void Foo()
{
__asm
{
_emit 0x4A
_emit 0x4B
}
}
__declspec(naked) void FooEnd() {}
int main(int argc, char** argv)
{
//start at the last byte of the memory-aligned code instead of the first byte of FooEnd
unsigned char* fooLast = (unsigned char*)FooEnd-1;
//keep going backwards until we don't have a 0xcc
while(*fooLast == 0xCC)
fooLast--;
//fooLast will now point at the last byte of your function, so you need to add 1
int length = ((int)fooLast - (int)Foo) + 1;
//should output 2 for the length of Foo
std::cout << length;
}
这篇关于Visual C ++在函数末尾附加0xCC(int3)字节的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
