Memory Layout of the MFC Message Map
Published: 2021-06-30 22:10:32
Category: Technical articles
Preface
The demo is a statically linked MFC program. There is far too much framework code to read it function by function the way you would with an SDK program.
Locating the MFC program's message map in memory and going straight to the message handler functions is much more practical.
Experiment
In IDA, press Ctrl+S and jump to the .rdata segment.
Laid out one after another are class A's message map, then its vtable, then class B's message map, its vtable, and so on. Different classes, or different parts of the same class, are separated by a unit-sized block of zero data. The two structures involved (from the MFC headers):

```cpp
struct AFX_MSGMAP
{
#ifdef _AFXDLL
	const AFX_MSGMAP* (PASCAL* pfnGetBaseMap)();
#else
	const AFX_MSGMAP* pBaseMap;
#endif
	const AFX_MSGMAP_ENTRY* lpEntries;
};

struct AFX_MSGMAP_ENTRY
{
	UINT nMessage;   // windows message
	UINT nCode;      // control code or WM_NOTIFY code
	UINT nID;        // control ID (or 0 for windows messages)
	UINT nLastID;    // used for entries specifying a range of control id's
	UINT nSig;       // signature type (action) or pointer to message #
	AFX_PMSG pfn;    // routine to call (or special value)
};
```

Because the demo is statically linked, _AFXDLL is not defined and the first field of AFX_MSGMAP is the direct pBaseMap pointer, followed by the pointer to the entry array; each map therefore occupies two dwords in .rdata, and the entry array that follows it is terminated by an all-zero AFX_MSGMAP_ENTRY.
What ultimately has to be recovered is AFX_MSGMAP_ENTRY.pfn.
The vtable addresses are simply stored one after another, and the last slot is a 0 address.
Build a dialog program with VC6, add a button, and have the button handler pop up an AfxMessageBox; the experiment is to locate that button handler.
The problem at the moment: the MFC framework signatures have not been fully applied, so inside the message map handlers it is hard to tell which code the user wrote and which belongs to the framework. The experiment is compiled as a Release build.
```
.rdata:00422510 ; ===========================================================================
.rdata:00422510
.rdata:00422510 ; Segment type: Pure data
.rdata:00422510 ; Segment permissions: Read
.rdata:00422510 _rdata segment para public 'DATA' use32
.rdata:00422510 assume cs:_rdata
.rdata:00422510 ;org 422510h
.rdata:00422510 MSG_MAP_CWinApp dd offset off_422848 ; DATA XREF: sub_401000o
.rdata:00422514 dd offset MSG_MAP_ENTRY_CWinApp
.rdata:00422518 MSG_MAP_ENTRY_CWinApp AFX_MSGMAP_ENTRY <111h, 0, 0E146h, 0E146h, 0Ch, 41C9E7h>
.rdata:00422518 ; DATA XREF: .rdata:00422514o
.rdata:00422530 AFX_MSGMAP_ENTRY <0>
.rdata:00422548 VTL_CWinApp dd offset sub_41D80E ; DATA XREF: unknown_libname_1-56o
.rdata:0042254C dd offset sub_401030
.rdata:00422550 dd offset nullsub_9
.rdata:00422554 dd offset sub_4166EF
.rdata:00422558 dd offset sub_416853
.rdata:0042255C dd offset sub_4167FE
.rdata:00422560 dd offset sub_416804
.rdata:00422564 dd offset sub_416074
.rdata:00422568 dd offset sub_416074
.rdata:0042256C dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
.rdata:00422570 dd offset sub_401000
.rdata:00422574 dd offset sub_41688F
.rdata:00422578 dd offset sub_416841
.rdata:0042257C dd offset sub_416889
.rdata:00422580 dd offset sub_41684D
.rdata:00422584 dd offset sub_416847
.rdata:00422588 dd offset sub_416885
.rdata:0042258C dd offset sub_416804
.rdata:00422590 dd offset sub_416804
.rdata:00422594 dd offset sub_416804
.rdata:00422598 dd offset sub_4010A0
.rdata:0042259C dd offset ?Run@CWinApp@@UAEHXZ ; CWinApp::Run(void)
.rdata:004225A0 dd offset sub_4162D9
.rdata:004225A4 dd offset sub_416563
.rdata:004225A8 dd offset sub_415ED7
.rdata:004225AC dd offset sub_4160F6
.rdata:004225B0 dd offset ?ExitInstance@CWinApp@@UAEHXZ ; CWinApp::ExitInstance(void)
.rdata:004225B4 dd offset sub_415E60
.rdata:004225B8 dd offset sub_4163FE
.rdata:004225BC dd offset ?GetMainWnd@CWinThread@@UAEPAVCWnd@@XZ ; CWinThread::GetMainWnd(void)
.rdata:004225C0 dd offset ?Delete@CWinThread@@UAEXXZ ; CWinThread::Delete(void)
.rdata:004225C4 dd offset ?GetNextDocTemplate@CWinApp@@QBEPAVCDocTemplate@@AAPAU__POSITION@@@Z ; CWinApp::GetNextDocTemplate(__POSITION * &)
.rdata:004225C8 dd offset sub_41CA9D
.rdata:004225CC dd offset ?InitApplication@CWinApp@@UAEHXZ ; CWinApp::InitApplication(void)
.rdata:004225D0 dd offset sub_41CA8A
.rdata:004225D4 dd offset sub_41CB62
.rdata:004225D8 dd offset ?DoWaitCursor@CWinApp@@UAEXH@Z ; CWinApp::DoWaitCursor(int)
.rdata:004225DC dd offset sub_41CAE7
.rdata:004225E0 dd offset sub_415E29
.rdata:004225E4 dd 0
.rdata:004225E8 MSG_MAP_1 dd offset off_422B58 ; DATA XREF: sub_401190o
.rdata:004225EC dd offset MSG_MAP_ENTRY_1
.rdata:004225F0 MSG_MAP_ENTRY_1 AFX_MSGMAP_ENTRY <0> ; DATA XREF: .rdata:004225ECo
.rdata:00422608 MSG_MAP_2 dd offset off_422B58 ; DATA XREF: sub_401210o
.rdata:0042260C dd offset MSG_MAP_ENTRY_2
.rdata:00422610 MSG_MAP_ENTRY_2 AFX_MSGMAP_ENTRY <112h, 0, 0, 0, 12h, 401300h>
.rdata:00422610 ; DATA XREF: .rdata:0042260Co
.rdata:00422628 AFX_MSGMAP_ENTRY <0Fh, 0, 0, 0, 0Ch, 401380h>
.rdata:00422640 AFX_MSGMAP_ENTRY <37h, 0, 0, 0, 23h, 401440h>
.rdata:00422658 AFX_MSGMAP_ENTRY <111h, 0, 3E8h, 3E8h, 0Ch, 401450h> ; 401450h is the button handler implementation
.rdata:00422670 AFX_MSGMAP_ENTRY <0>
.rdata:00422688 off_422688 dd offset sub_41DA76 ; DATA XREF: sub_401130+Co
.rdata:0042268C dd offset sub_401150
.rdata:00422690 dd offset nullsub_9
.rdata:00422694 dd offset sub_416B81 ; ?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z
.rdata:00422694 ; doubtful name
.rdata:00422698 dd offset sub_4180A4
.rdata:0042269C dd offset sub_4167FE
.rdata:004226A0 dd offset sub_416804
.rdata:004226A4 dd offset sub_416074
.rdata:004226A8 dd offset sub_416074
.rdata:004226AC dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
.rdata:004226B0 dd offset sub_401190
.rdata:004226B4 dd offset sub_41688F
.rdata:004226B8 dd offset sub_416841
.rdata:004226BC dd offset sub_416889
.rdata:004226C0 dd offset sub_41684D
.rdata:004226C4 dd offset sub_416847
.rdata:004226C8 dd offset sub_416885
.rdata:004226CC dd offset sub_416804
.rdata:004226D0 dd offset sub_416804
.rdata:004226D4 dd offset sub_416804
.rdata:004226D8 dd offset nullsub_10
.rdata:004226DC dd offset sub_417EAB
.rdata:004226E0 dd offset sub_4180B5
.rdata:004226E4 dd offset sub_417E8B
.rdata:004226E8 dd offset ?CalcWindowRect@CWnd@@UAEXPAUtagRECT@@I@Z ; CWnd::CalcWindowRect(tagRECT *,uint)
.rdata:004226EC dd offset ?OnToolHitTest@CWnd@@UBEHVCPoint@@PAUtagTOOLINFOA@@@Z ; CWnd::OnToolHitTest(CPoint,tagTOOLINFOA *)
.rdata:004226F0 dd offset sub_416804
.rdata:004226F4 dd offset sub_4184A8
.rdata:004226F8 dd offset ?ContinueModal@CWnd@@UAEHXZ ; CWnd::ContinueModal(void)
.rdata:004226FC dd offset ?EndModalLoop@CWnd@@UAEXH@Z ; CWnd::EndModalLoop(int)
.rdata:00422700 dd offset ?OnCommand@CWnd@@MAEHIJ@Z ; CWnd::OnCommand(uint,long)
.rdata:00422704 dd offset ?OnNotify@CWnd@@MAEHIJPAJ@Z ; CWnd::OnNotify(uint,long,long *)
.rdata:00422708 dd offset sub_418149
.rdata:0042270C dd offset nullsub_11
.rdata:00422710 dd offset sub_401460
.rdata:00422714 dd offset sub_401470
.rdata:00422718 dd offset ?PreTranslateMessage@CDialog@@UAEHPAUtagMSG@@@Z ; CDialog::PreTranslateMessage(tagMSG *)
.rdata:0042271C dd offset sub_419DDD
.rdata:00422720 dd offset sub_4185D0
.rdata:00422724 dd offset sub_418614
.rdata:00422728 dd offset sub_418102
.rdata:0042272C dd offset nullsub_10
.rdata:00422730 dd offset ?OnChildNotify@CWnd@@MAEHIIJPAJ@Z ; CWnd::OnChildNotify(uint,uint,long,long *)
.rdata:00422734 dd offset sub_41724F
.rdata:00422738 dd offset sub_416074
.rdata:0042273C dd offset ?SetOccDialogInfo@CDialog@@MAEHPAU_AFX_OCC_DIALOG_INFO@@@Z ; CDialog::SetOccDialogInfo(_AFX_OCC_DIALOG_INFO *)
.rdata:00422740 dd offset sub_416F44
.rdata:00422744 dd offset ?OnInitDialog@CDialog@@UAEHXZ ; CDialog::OnInitDialog(void)
.rdata:00422748 dd offset nullsub_12
.rdata:0042274C dd offset ?OnOK@CDialog@@MAEXXZ ; CDialog::OnOK(void)
.rdata:00422750 dd offset sub_417247
.rdata:00422754 dd offset nullsub_10
.rdata:00422758 off_422758 dd offset sub_41DA76 ; DATA XREF: sub_4011A0+31o
.rdata:0042275C dd offset sub_401150
.rdata:00422760 dd offset nullsub_9
.rdata:00422764 dd offset sub_416B81 ; ?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z
.rdata:00422764 ; doubtful name
.rdata:00422768 dd offset sub_4180A4
.rdata:0042276C dd offset sub_4167FE
.rdata:00422770 dd offset sub_416804
.rdata:00422774 dd offset sub_416074
.rdata:00422778 dd offset sub_416074
.rdata:0042277C dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
.rdata:00422780 dd offset sub_401210
.rdata:00422784 dd offset sub_41688F
.rdata:00422788 dd offset sub_416841
.rdata:0042278C dd offset sub_416889
.rdata:00422790 dd offset sub_41684D
.rdata:00422794 dd offset sub_416847
.rdata:00422798 dd offset sub_416885
.rdata:0042279C dd offset sub_416804
.rdata:004227A0 dd offset sub_416804
.rdata:004227A4 dd offset sub_416804
.rdata:004227A8 dd offset nullsub_10
.rdata:004227AC dd offset sub_417EAB
.rdata:004227B0 dd offset sub_4180B5
.rdata:004227B4 dd offset sub_417E8B
.rdata:004227B8 dd offset ?CalcWindowRect@CWnd@@UAEXPAUtagRECT@@I@Z ; CWnd::CalcWindowRect(tagRECT *,uint)
.rdata:004227BC dd offset ?OnToolHitTest@CWnd@@UBEHVCPoint@@PAUtagTOOLINFOA@@@Z ; CWnd::OnToolHitTest(CPoint,tagTOOLINFOA *)
.rdata:004227C0 dd offset sub_416804
.rdata:004227C4 dd offset sub_4184A8
.rdata:004227C8 dd offset ?ContinueModal@CWnd@@UAEHXZ ; CWnd::ContinueModal(void)
.rdata:004227CC dd offset ?EndModalLoop@CWnd@@UAEXH@Z ; CWnd::EndModalLoop(int)
.rdata:004227D0 dd offset ?OnCommand@CWnd@@MAEHIJ@Z ; CWnd::OnCommand(uint,long)
.rdata:004227D4 dd offset ?OnNotify@CWnd@@MAEHIJPAJ@Z ; CWnd::OnNotify(uint,long,long *)
.rdata:004227D8 dd offset sub_418149
.rdata:004227DC dd offset nullsub_11
.rdata:004227E0 dd offset sub_401460
.rdata:004227E4 dd offset sub_401470
.rdata:004227E8 dd offset ?PreTranslateMessage@CDialog@@UAEHPAUtagMSG@@@Z ; CDialog::PreTranslateMessage(tagMSG *)
.rdata:004227EC dd offset sub_419DDD
.rdata:004227F0 dd offset sub_4185D0
.rdata:004227F4 dd offset sub_418614
.rdata:004227F8 dd offset sub_418102
.rdata:004227FC dd offset nullsub_10
.rdata:00422800 dd offset ?OnChildNotify@CWnd@@MAEHIIJPAJ@Z ; CWnd::OnChildNotify(uint,uint,long,long *)
.rdata:00422804 dd offset sub_41724F
.rdata:00422808 dd offset sub_416074
.rdata:0042280C dd offset ?SetOccDialogInfo@CDialog@@MAEHPAU_AFX_OCC_DIALOG_INFO@@@Z ; CDialog::SetOccDialogInfo(_AFX_OCC_DIALOG_INFO *)
.rdata:00422810 dd offset sub_416F44
.rdata:00422814 dd offset sub_401220
.rdata:00422818 dd offset nullsub_12
.rdata:0042281C dd offset ?OnOK@CDialog@@MAEXXZ ; CDialog::OnOK(void)
.rdata:00422820 dd offset sub_417247
.rdata:00422824 dd offset nullsub_10
.rdata:00422828 off_422828 dd offset aCwinapp ; DATA XREF: sub_41D80Eo
.rdata:00422828 ; "CWinApp"
.rdata:0042282C dd 0C0h
.rdata:00422830 dd 0FFFFh
.rdata:00422834 dd 0
.rdata:00422838 dd offset off_422978
.rdata:0042283C dd 0
.rdata:00422840 aCwinapp db 'CWinApp',0 ; DATA XREF: .rdata:off_422828o
```
Right now I am going through the message map handlers one by one, and I can roughly make out what each function does.
But once the demo gets complicated, searching this way is unreliable and clues may be missed.

```
.text:00401450 ; =============== S U B R O U T I N E =======================================
.text:00401450
.text:00401450
.text:00401450 sub_401450 proc near
.text:00401450 push 0 ; uType
.text:00401452 push 0
.text:00401454 push offset Text ; "void CADlg::OnButtonTest()"
.text:00401459 call sub_41CC49
.text:0040145E retn
.text:0040145E sub_401450 endp
.text:0040145E
.text:0040145E ; ---------------------------------------------------------------------------
```
sub_41CC49 is AfxMessageBox; it would help to be able to apply IDA signatures for it.
Experiment source code
```cpp
class CADlg : public CDialog
{
// Construction
public:
	CADlg(CWnd* pParent = NULL);	// standard constructor

// Dialog Data
	//{{AFX_DATA(CADlg)
	enum { IDD = IDD_A_DIALOG };
		// NOTE: the ClassWizard will add data members here
	//}}AFX_DATA

	// ClassWizard generated virtual function overrides
	//{{AFX_VIRTUAL(CADlg)
	protected:
	virtual void DoDataExchange(CDataExchange* pDX);	// DDX/DDV support
	//}}AFX_VIRTUAL

// Implementation
protected:
	HICON m_hIcon;

	// Generated message map functions
	//{{AFX_MSG(CADlg)
	virtual BOOL OnInitDialog();
	afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
	afx_msg void OnPaint();
	afx_msg HCURSOR OnQueryDragIcon();
	afx_msg void OnButtonTest();
	//}}AFX_MSG
	DECLARE_MESSAGE_MAP()
};
```

```cpp
BEGIN_MESSAGE_MAP(CADlg, CDialog)
	//{{AFX_MSG_MAP(CADlg)
	ON_WM_SYSCOMMAND()
	ON_WM_PAINT()
	ON_WM_QUERYDRAGICON()
	ON_BN_CLICKED(IDC_BUTTON_TEST, OnButtonTest)
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()
```

```cpp
void CADlg::OnButtonTest()
{
	// TODO: Add your control notification handler code here
	AfxMessageBox("void CADlg::OnButtonTest()");
}
```
<2016_0923>
After generating a signature for the MFC static library and loading it, the call to AfxMessageBox is visible.
But when reading the message map you still have to go through the message handlers yourself; it is not certain which one is the handler you are looking for.

```
.rdata:004225F0 stru_4225F0 AFX_MSGMAP_ENTRY <0> ; DATA XREF: .rdata:004225ECo
.rdata:00422608 off_422608 dd offset off_422B58 ; DATA XREF: sub_401210o
.rdata:0042260C dd offset stru_422610
.rdata:00422610 stru_422610 AFX_MSGMAP_ENTRY <112h, 0, 0, 0, 12h, 401300h>
.rdata:00422610 ; DATA XREF: .rdata:0042260Co
.rdata:00422628 AFX_MSGMAP_ENTRY <0Fh, 0, 0, 0, 0Ch, 401380h>
.rdata:00422640 AFX_MSGMAP_ENTRY <37h, 0, 0, 0, 23h, 401440h>
.rdata:00422658 AFX_MSGMAP_ENTRY <111h, 0, 3E8h, 3E8h, 0Ch, 401450h> // 401450h is the button message handler
.rdata:00422670 AFX_MSGMAP_ENTRY <0>
.rdata:00422688 off_422688 dd offset sub_41DA76 ; DATA XREF: sub_401130+Co
.rdata:0042268C dd offset sub_401150
.rdata:00422690 dd offset nullsub_9
.rdata:00422694 dd offset unknown_libname_484 ; ?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z
.rdata:00422694 ; doubtful name
.rdata:00422694 ; NAFXCW.lib
.rdata:00422694 ; UAFXCW.lib
.rdata:00422698 dd offset ?OnFinalRelease@CWnd@@UAEXXZ ; CWnd::OnFinalRelease(void)
.rdata:0042269C dd offset sub_4167FE
.rdata:004226A0 dd offset sub_416804
.rdata:004226A4 dd offset sub_416074
.rdata:004226A8 dd offset sub_416074
.rdata:004226AC dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
```

```
.text:00401443 ; ---------------------------------------------------------------------------
.text:00401444 align 10h
.text:00401450 push 0
.text:00401452 push 0
.text:00401454 push offset aVoidCadlgOnbut ; "void CADlg::OnButtonTest()"
.text:00401459 call ?AfxMessageBox@@YGHPBDII@Z ; AfxMessageBox(char const *,uint,uint)
.text:0040145E retn
.text:0040145E ; ---------------------------------------------------------------------------
.text:0040145F align 10h
```
Reposted from: https://lostspeed.blog.csdn.net/article/details/52632187