Call function from executable


Problem description

I want to call a function from an executable. The only way to reach that process is to inject a DLL into the parent process. I can inject a DLL into the parent process, but how do I call a function from the child process? Something like

_asm
{ 
call/jmp address
}

doesn't work. I hope you understand what I mean.

Recommended answer

If you are running inside the process, you need to know the offset of the function you want to call from the base of the module (the exe) which contains the function. Then, you just need to make a function pointer and call it.

#include <windows.h>
#include <stdint.h>

// assuming the function you're calling returns void and takes 0 params;
// the calling convention in the typedef must match the target function
typedef void(__stdcall * voidf_t)();

// make sure func_offset is the offset (RVA) of the function from the module base
// when the module is loaded; GetModuleHandle takes a string, so use double quotes
voidf_t func = (voidf_t) (((uint8_t *)GetModuleHandle("module_name")) + func_offset);
func(); // the function you located is called here

The solution you have will work on 32-bit systems (inline assembly is not permitted in 64-bit) if you know the address of the function, but you'll need to make sure you implement the calling convention properly. The code above uses GetModuleHandle to resolve the currently loaded base of the module whose function you want to call.

Once you've injected your module into the running process, ASLR isn't really an issue, since you can just ask Windows for the base of the module containing the code you wish to call. If you want to find the base of the exe running the current process, you can call GetModuleHandle with a parameter of NULL. If you are confident that the function offset is not going to change, you can hard-code the offset of the function you wish to call, after you've found the offset in a disassembler or other tool. Assuming the exe containing the function isn't altered, that offset will be constant.

As mentioned in the comments, the calling convention is important in the function typedef; make sure it matches the calling convention of the function you're calling.
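The following is an added, self-contained example (not code from the question or the answer above) that exercises the whole technique the answer describes: query the image base of the running executable at run time, turn a function address into the constant RVA a disassembler would report, and later rebuild the absolute address from base + RVA and call through a typedef carrying the right calling convention. Assumptions: `secret_add` is a stand-in for the function inside the target exe (in the real scenario you would only have its RVA, not its symbol); on Windows the base comes from `GetModuleHandle(NULL)` as in the answer, while on Linux the example uses the linker-provided `__executable_start` symbol (GNU ld / lld) to play the same role.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#ifdef _WIN32
#  include <windows.h>
#  define TARGET_CC __stdcall      /* 32-bit MSVC: callee pops the arguments */
#else
#  define TARGET_CC                /* x86-64 SysV has a single C convention */
/* Image base of the running executable, provided by the GNU/LLVM linker
 * default scripts on Linux (assumption). Plays the role of GetModuleHandle(NULL). */
extern char __executable_start[];
#endif

/* Stand-in for the function inside the target exe. In the real scenario you
 * would not have this symbol, only its RVA found with a disassembler. */
int TARGET_CC secret_add(int a, int b) { return a + b; }

/* The typedef must carry the target's calling convention, as the answer warns:
 * on Win32 a cdecl/stdcall mismatch leaves the stack unbalanced after the call. */
typedef int (TARGET_CC *add_fn)(int, int);

/* Base of the module that contains the code we want to call, queried at run
 * time so that ASLR / PIE relocation does not matter. */
uintptr_t main_module_base(void) {
#ifdef _WIN32
    return (uintptr_t)GetModuleHandle(NULL);
#else
    return (uintptr_t)__executable_start;
#endif
}

/* "Analysis time": the RVA a disassembler would report for fn_addr.
 * This value stays constant as long as the binary itself is unchanged. */
uintptr_t rva_of(uintptr_t fn_addr) { return fn_addr - main_module_base(); }

/* "Injected-DLL time": rebuild the absolute address from base + RVA and call
 * through a properly typed function pointer. */
int call_add_at_rva(uintptr_t rva, int a, int b) {
    add_fn fn = (add_fn)(main_module_base() + rva);
    return fn(a, b);
}

int main(void) {
    uintptr_t rva = rva_of((uintptr_t)secret_add);
    printf("image base: 0x%" PRIxPTR "\n", main_module_base());
    printf("target RVA: 0x%" PRIxPTR " (same across runs even with ASLR)\n", rva);
    printf("2 + 3 via base+RVA = %d\n", call_add_at_rva(rva, 2, 3));
    return 0;
}
```

Run it twice on a PIE/ASLR system: the printed image base changes, the RVA does not, and the call through base + RVA still lands on `secret_add`. If the target were a 32-bit `__stdcall` function called through a `__cdecl` typedef, the call would appear to work but the stack pointer would be off by the argument size on return, which is exactly the calling-convention pitfall the answer points out.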
