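/*
 * Description: a study of the "thunk" technique - emitting a tiny piece of
 *              x86 machine code at run time that turns a plain C callback
 *              (here a TIMERPROC) into a call of a C++ member function.
 * Author:      朱劍
 * Date:        2008/8/20
 * Environment: VC8, 32-bit x86 build only (see the compile-time guards below)
 */
#include "stdafx.h"
#include <Windows.h>
#include <conio.h>
#include <stdio.h>
#include <new>

// The layout of Thunk *is* the machine code, so no padding may be inserted
// between the instruction bytes and their immediates.
#pragma pack(push, 1)

// Thunk writes this 14-byte x86 instruction sequence into its own storage:
//
//   B8 <this>      mov  eax, <object to pass as 'this'>
//   87 04 24       xchg eax, [esp]   ; swap it with the caller's return address
//   50             push eax          ; push the return address back
//   E9 <rel32>     jmp  <member function>
//
// Net effect: the object pointer is inserted in front of the callback's own
// arguments, which is how a __stdcall member function expects 'this'. The
// class has no virtual functions, so the object address is the address of
// m_mov, i.e. of the first instruction - that is what allows 'this' to be
// handed to SetTimer as a TIMERPROC.
//
// Because the object is executed as code it must not live on the stack or the
// CRT heap (both are non-executable under DEP). Create it with Create() and
// release it with delete; Init() emits the bytes while the page is writable
// and then makes the page execute/read-only (W^X).
class Thunk {
    unsigned char m_mov;        // B8
    unsigned int  m_this;       // imm32 operand of mov
    unsigned int  m_xchg_push;  // 87 04 24 50, stored little-endian
    unsigned char m_jmp;        // E9
    unsigned int  m_relproc;    // rel32 operand of jmp

    // Construction and copying are private: a Thunk is only valid in the
    // executable page that Create() obtains for it.
    Thunk() : m_mov(0), m_this(0), m_xchg_push(0), m_jmp(0), m_relproc(0) {}
    Thunk(const Thunk&);
    Thunk& operator=(const Thunk&);

public:
    // Member function pointer type the thunk forwards to. __stdcall is
    // required: 'this' then travels on the stack as the first argument (not in
    // ecx) and the callee pops it together with the callback's own arguments.
    typedef void (__stdcall Thunk::*TMFP)();

    // Allocates a Thunk in its own VirtualAlloc'd page. Returns NULL on failure.
    static Thunk* Create() {
        try {
            return new Thunk();
        } catch (const std::bad_alloc&) {
            return NULL;
        }
    }

    // Class-level allocation: a fresh page, writable while Init() emits code.
    static void* operator new(size_t size) {
        void* page = ::VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (page == NULL) {
            throw std::bad_alloc();
        }
        return page;
    }

    // Releases the page obtained by operator new.
    static void operator delete(void* page) {
        if (page != NULL) {
            ::VirtualFree(page, 0, MEM_RELEASE);
        }
    }

    // Emits the thunk for TimerProc with this object as the receiver and arms
    // a 500 ms thread timer whose TIMERPROC is this object. Returns the timer
    // id, or 0 if the thunk could not be made executable or SetTimer failed.
    UINT_PTR start() {
        if (!Init(reinterpret_cast<TMFP>(&Thunk::TimerProc), this)) {
            return 0;
        }
        // 'this' is deliberately passed as the callback address: the object's
        // bytes are the code SetTimer will call.
        return ::SetTimer(NULL, 0, 500, (TIMERPROC)this);
    }

    // Writes the instruction bytes so that calling this object forwards to
    // 'method' on 'pThis', then flips the page to execute/read. May be called
    // more than once. Returns false if the page protection could not be changed.
    bool Init(TMFP method, const Thunk* pThis) {
        // In VC8 a member function pointer of a class without virtual or
        // multiple inheritance is a single code address; read it via a union.
        union {
            unsigned int func;
            TMFP method;
        } addr;
        addr.method = method;

        DWORD oldProtect = 0;
        if (!::VirtualProtect(this, sizeof(*this), PAGE_READWRITE, &oldProtect)) {
            return false;
        }
        m_mov = 0xB8;
        m_this = (unsigned int)(void*)pThis;
        m_xchg_push = 0x50240487;
        m_jmp = 0xE9;
        // jmp rel32 is relative to the end of the jmp instruction, which is the
        // byte following m_relproc (independent of any members added later).
        m_relproc = addr.func - (unsigned int)(void*)(&m_relproc + 1);
        if (!::VirtualProtect(this, sizeof(*this), PAGE_EXECUTE_READ, &oldProtect)) {
            return false;
        }
        // The bytes were written as data; make sure the CPU fetches fresh code.
        ::FlushInstructionCache(::GetCurrentProcess(), this, sizeof(*this));
        return true;
    }

    // Target of the thunk. The signature matches TIMERPROC; 'this' arrives as
    // the hidden first stack argument inserted by the thunk.
    VOID CALLBACK TimerProc(HWND hwnd,       // handle to window
                            UINT uMsg,       // WM_TIMER message
                            UINT_PTR idEvent, // timer identifier
                            DWORD dwTime) {  // current system time
        printf("test timer!\n");
    }
};
#pragma pack(pop)

// Compile-time guards for the assumptions the machine code relies on:
// 32-bit pointers (the immediates are 4 bytes), the 14-byte packed layout, and
// a member function pointer that is a plain 4-byte code address.
typedef char Thunk_requires_32bit_build[sizeof(void*) == 4 ? 1 : -1];
typedef char Thunk_requires_14_byte_layout[sizeof(Thunk) == 14 ? 1 : -1];
typedef char Thunk_requires_plain_member_pointer[sizeof(Thunk::TMFP) == sizeof(unsigned int) ? 1 : -1];

// Creates the thunk, runs a message loop until an error or a key press, and
// tears everything down. Returns 0 on success, 1 if the thunk or timer could
// not be set up.
int _tmain(int argc, _TCHAR* argv[]) {
    Thunk* myThunk = Thunk::Create();
    if (myThunk == NULL) {
        printf("could not allocate executable memory for the thunk\n");
        return 1;
    }
    UINT_PTR timerId = myThunk->start();
    if (timerId == 0) {
        printf("could not arm the timer\n");
        delete myThunk;
        return 1;
    }

    // Thread-message timers are delivered through the message queue and
    // DispatchMessage calls the TIMERPROC for each WM_TIMER. The key press is
    // only noticed when a message wakes GetMessage, i.e. at most every 500 ms.
    MSG msg;
    BOOL got;
    while ((got = ::GetMessage(&msg, NULL, 0, 0)) != 0) {
        // GetMessage returns -1 on error; it must not be treated as a message.
        if (got == -1 || _kbhit()) {
            break;
        }
        ::DispatchMessage(&msg);
    }

    // Stop the timer before freeing the code it calls into.
    ::KillTimer(NULL, timerId);
    delete myThunk;
    return 0;
}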