nasm - Invalid CONTEXT after calling GetThreadContext

Time: 2019-09-23 20:07:16

Tags: winapi assembly nasm

I am writing a PePacker for win32 and have found that GetThreadContext returns an invalid CONTEXT

...
push PINFO                                    ; PROCESS_INFORMATION struct (null initialized)
push STINFO                                   ; STARTUPINFO struct (null initialized)
push 0
push 0
push CREATE_SUSPENDED
push 0
push 0
push 0
push 0
push filepointer                              ; Program file name
call [CreateProcessA]                         ; GetLastError returns 0
cmp eax, 0
jz ending

mov eax, [PINFO+4]                            ; Pinfo.hThread
push eax
call [ResumeThread]                           ; GetLastError returns 0

push 4h                                       ; PAGE_READWRITE
push 1000h                                    ; MEM_COMMIT
push 4h                                       ; sizeof(PCONTEXT)
push 0
call [VirtualAlloc]                           ; GetLastError returns 0

mov [ptrCtx], eax
mov ebx, CONTEXT_FULL
mov [eax], ebx
push eax
mov ebx, [PINFO+4] 
push ebx
call [GetThreadContext]                       ; GetLastError returns 0 but the values of the Context do not fit
cmp eax, 0
jz ending

mov ebx, [ptrCtx]
mov eax, [ebx+56]                             ; CTX.Ebx

push eax                                      ; all below for Testing purpose
push prStr                                    ; prStr = "%d\n"
call [printf]                                 ; prints 0 which is odd because CTX->Ebx should contain an address
pop ecx                                       ;
pop ecx                                       ;
...

The ReadProcessMemory call that follows returns 299 from GetLastError, which may be caused by the invalid CONTEXT entries.

Thanks for your help.
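The question's code reads CTX.Ebx at offset 56, but in the Win32 x86 CONTEXT layout Ebx sits at offset 164 (0xA4) and offset 56 falls inside FloatSave; GetThreadContext is also documented as not giving a valid context for a running thread, so the snapshot belongs before ResumeThread. The C below is an added example, not code from the question or the answer: it redeclares the winnt.h layout with fixed-width types so it compiles outside Windows too, and checks those offsets against a constructed sample buffer whose register values are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirror of the Win32 x86 FLOATING_SAVE_AREA and CONTEXT layouts from winnt.h,
 * redeclared with fixed-width types so this file also builds outside Windows. */
typedef struct {
    uint32_t ControlWord, StatusWord, TagWord, ErrorOffset, ErrorSelector,
             DataOffset, DataSelector;
    uint8_t  RegisterArea[80];
    uint32_t Cr0NpxState;
} X86_FLOATING_SAVE_AREA;                         /* 112 bytes */

typedef struct {
    uint32_t ContextFlags;                        /* offset 0 */
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;        /* 4..24 */
    X86_FLOATING_SAVE_AREA FloatSave;             /* 28..139, where "[ebx+56]" lands */
    uint32_t SegGs, SegFs, SegEs, SegDs;          /* 140..152 */
    uint32_t Edi, Esi, Ebx, Edx, Ecx, Eax;        /* 156..176, Ebx at 164 */
    uint32_t Ebp, Eip, SegCs, EFlags, Esp, SegSs; /* 180..200 */
    uint8_t  ExtendedRegisters[512];              /* 204..715 */
} X86_CONTEXT;                                    /* 716 bytes */
#define X86_CONTEXT_FULL 0x10007u /* CONTEXT_CONTROL|CONTEXT_INTEGER|CONTEXT_SEGMENTS */

/* Byte offset the NASM code should use to read CTX.Ebx. */
size_t ctx_ebx_offset(void) { return offsetof(X86_CONTEXT, Ebx); }

/* Bytes GetThreadContext writes; the question's VirtualAlloc asks for only 4. */
size_t ctx_size(void) { return sizeof(X86_CONTEXT); }

/* 1 if offset 56 lies inside FloatSave rather than on any register field. */
int offset56_is_inside_floatsave(void) {
    size_t fs = offsetof(X86_CONTEXT, FloatSave);
    return (size_t)56 >= fs && (size_t)56 < fs + sizeof(X86_FLOATING_SAVE_AREA);
}

/* Read a DWORD at a raw byte offset, like "mov eax, [ebx+N]" does on x86. */
uint32_t ctx_dword_at(const uint8_t *raw, size_t off) {
    uint32_t v;
    memcpy(&v, raw + off, sizeof v);
    return v;
}

/* Constructed sample buffer standing in for a snapshot of a still-suspended
 * child thread; the register values are placeholders, not real addresses. */
void fill_sample(X86_CONTEXT *c) {
    memset(c, 0, sizeof *c);
    c->ContextFlags = X86_CONTEXT_FULL;
    c->Ebx = 0x7FFD0000u; /* placeholder for the PEB pointer */
    c->Eax = 0x00401000u; /* placeholder for the entry point */
}
```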

1 answer:

Answer 0 (score: 1)

Change the addressing mode from [PINFO+4] to

mov ebx, [Pinfo]
mov eax, [ebx+4]
push eax

in both the GetThreadContext and ResumeThread calls.