如何在C ++中的另一个地址空间中调用函数 [英] How do you call a function in another address-space in C++

问题描述

我知道线程问题等，这可能会导致和它的危险，但我需要知道如何做一个安全项目我在学校做。我需要知道如何使用参数调用给定调用约定的远程地址空间中的函数 - 最好是恢复远程函数返回的数据，尽管它的确不需要。

I'm aware of the threading issues etc that this could cause and of its dangers but I need to know how to do this for a security project I am doing at school. I need to know how to call a function in a remote address space of a given calling convention with arguments - preferably recovering the data the remote function has returned though its really not required that I do.

如果我可以在编译时从远程函数的函数原型获得具体细节，我将能够使这个方法工作。我需要知道参数有多大，如果参数被显式声明为指针或（void *，char *，int *，etc ...）

If I can get specifics from the remote function's function prototype at compile time, I will be able to make this method work. I need to know how big the arguments are and if the arguments are explicitly declared as pointers or not (void*, char*, int*, etc...)

如果我定义一个函数原型，如：

I.e if I define a function prototype like:

typedef void (__cdecl *testFunc_t)(int* pData);

我需要在编译时获取参数的大小， ，哪些是指针或不是。这里我们假设远程函数是 stdcall 或 _cdecl 调用。

I would need to, at compile time, get the size of arguments at least, and if I could, which ones are pointers or not. Here we are assuming the remote function is either an stdcall or _cdecl call.

我使用的IDE是Microsoft Visual Studio 2007，以防解决方案特定于特定产品。

The IDE I am using is Microsoft Visual Studio 2007 in case the solution is specific to a particular product.

这是我的计划：

1. 在函数原点使用 CreateRemoteThread 在远程进程中创建一个线程

1. Create a thread in the remote process using CreateRemoteThread at the origin of the function want to call, though I would do so in a suspended state.

我会建立堆栈，使得返回地址是一个已分配的代码段的地址内部的进程，将调用 ExitThread（eax） - 因为这将退出线程的函数的返回值 - 我将恢复这通过使用 GetExitCodeThread

I would setup the stack such that the return address was that of a stub of code allocated inside of the process that would call ExitThread(eax) - as this would exit the thread with the function's return value - I would then recover this by by using GetExitCodeThread

我还将函数调用的参数从我的本地堆栈复制到新创建的线程 - 是我需要知道函数参数是否是指针和参数大小的地方。

I would also copy the arguments for the function call from my local stack to that of the newly created thread - this is where I need to know if function arguments are pointers and the size of the arguments.

恢复线程并等待它退出，将返回到调用者的线程退出代码。

Resume the thread and wait for it to exit, at which point I will return to the caller with the threads exit code.

我知道这应该是可编译的，编译器有一些方法我可以用它来做，我不知道。我还知道所有这些数据可以很容易地从编译代码后创建的PDB文件恢复，如果编译器执行优化，参数的大小可能会更改。我不需要被告知这是多么危险，因为我完全知道它，但这不是一个商业产品，但一个小项目，我必须为学校做。

I know that this should be doable at compile time but whether the compiler has some method I can use to do it, I'm not sure. I'm also aware all this data can be easily recovered from a PDB file created after compiling the code and that the size of arguments might change if the compiler performs optimizations. I don't need to be told how dangerous this is, as I am fully aware of it, but this is not a commercial product but a small project I must do for school.

问题：
如果我有一个函数原型，如
typedef void（__cdecl testFunc_t）（int pData）;

The question: If I have a function prototype such as typedef void (__cdecl testFunc_t)(int pData);

无论如何我可以在编译时获得这个原型的参数的大小（即在上面的例子中，参数总和为sizeof（int * ）例如，如果我有一个函数：

Is there anyway I can get the size of this prototype's arguments at compile time(i.e in the above example, the arguments would sum to a total size of sizeof(int*) If, for example, I have a function like:

template<typename T> unsigned long getPrototypeArgLength<T>()
{ 
   //would return size of arguments described in the prototype T 
} 

//when called as

getPrototypeArgLength<testFunc>()

推荐答案

BOOST库在编译时得到很多类型信息，具体来说，我使用boost :: function_traits，但是，如果你看看boost库，你会发现你可以恢复相当多的信息。这里有一点

Alright, I figured out that I can use the BOOST library to get a lot of type information at compile-time. Specifically, I am using boost::function_traits however, if you look around the boost library, you will find that you can recover quite a bit of information. Here's a bit of code I wrote to demonstrate how to get the number of arguments of a function prototype.

（实际上，我没有测试下面的代码，它只是一些我的代码， m

(actually, I haven't tested the below code, its just something I'm throwing together from another function I've made and tested.)

template<typename T>
unsigned long getArgCount()
{
    return boost::function_traits<boost::remove_pointer<T>::type>::arity;
}

void (*pFunc)(int, int);

2 = getArgCount<BOOST_TYPEOF(pFunc)>();

这篇关于如何在C ++中的另一个地址空间中调用函数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！