第06课_动态调试预备知识

《第06课_动态调试预备知识》由会员上传分享，免费在线阅读，更多相关内容在行业资料-天天文库。

1、第六课动态调试预备知识一、APIWindows程序都是高级程序，它需要调用通用的系统底层函数，这些函数被封装在kerner32.dll、user32.dll、gdi2.dll等dll中。底层和高层之间的联络是通过api来牵线搭桥的。api就像和珅，皇帝和大臣之间的沟通、上下级传达都得通过他来实现。ØKernerl32.dll为系统服务，主要为系统内部管理。ØGdi32.dll主要提供图形服务。ØUser32.dll提供用户服务，创建窗口和传递消息等。例如：某函数定义如下：函数（参数1，参数2，参数3，参数4）则汇编语言的函数调用为Push参数4Push参数3Push参

2、数2Push参数1Call函数返回值永远保存在eax中下面看一个用32位汇编编写的应用程序。此程序运行后弹出一个消息框，点‘确定’按钮后，程序退出。其ollydbg反汇编代码如下：00403000=MSGBOX2.00403000(ASCII"Iczelion'stutorialno.2")消息框标题00403019=MSGBOX2.00403019(ASCII"Win32AssemblyisGreat!")消息框正文其中用到了api函数：MessageBox和ExitProcess。查api手册，MessageBox原型如下：××××××××××××××××××××

3、×××××××××××××××××××以下全部来自api手册MessageBoxTheMessageBoxfunctioncreates,displays,andoperatesamessagebox.Themessageboxcontainsanapplication-definedmessageandtitle,plusanycombinationofpredefinediconsandpushbuttons.intMessageBox(HWNDhWnd,//handleofownerwindow父窗口句柄LPCTSTRlpText,//addressoftext

4、inmessagebox消息正文内容地址LPCTSTRlpCaption,//addressoftitleofmessagebox消息标题地址UINTuType//styleofmessagebox消息框的类型);ParametershWndIdentifiestheownerwindowofthemessageboxtobecreated.IfthisparameterisNULL,themessageboxhasnoownerwindow.lpTextPointstoanull-terminatedstringcontainingthemessagetobedis

5、played.lpCaptionPointstoanull-terminatedstringusedforthedialogboxtitle.IfthisparameterisNULL,thedefaulttitleErrorisused.uTypeSpecifiesasetofbitflagsthatdeterminethecontentsandbehaviorofthedialogbox.Thisparametercanbeacombinationofflagsfromthefollowinggroupsofflags.Specifyoneofthefollowi

6、ngflagstoindicatethebuttonscontainedinthemessagebox:FlagMeaningMB_ABORTRETRYIGNOREThemessageboxcontainsthreepushbuttons:Abort,Retry,andIgnore.MB_OKThemessageboxcontainsonepushbutton:OK.Thisisthedefault.MB_OKCANCELThemessageboxcontainstwopushbuttons:OKandCancel.MB_RETRYCANCELThemessagebo

7、xcontainstwopushbuttons:RetryandCancel.MB_YESNOThemessageboxcontainstwopushbuttons:YesandNo.MB_YESNOCANCELThemessageboxcontainsthreepushbuttons:Yes,No,andCancel.Specifyoneofthefollowingflagstodisplayaniconinthemessagebox:FlagMeaningMB_ICONEXCLAMATION,MB_ICONWARNINGAnexclamation