前言
Demo是MFC静态链接的程序. 框架代码太多了, 不可能像SDK程序那样一个一个地去看.
找到MFC程序消息映射表在内存中的布局,直接看消息映射函数, 这样可操作性强.
试验
在IDA中按CTRL+S, 跳到.rdata区
依次摆放的是类A消息映射表, 虚表, 类B消息映射表, 虚表…
不同类之间, 或同一个类的不同部分之间, 用一个单位size、内容全为0的数据项隔开.
/// One node of a class's message-map chain (copied from the MFC headers).
/// In a static-link (non-_AFXDLL) build the first field is a plain pointer to
/// the base class's map, which is why the .rdata listing below shows each map
/// as two consecutive dwords: `dd offset <base map>` followed by
/// `dd offset <entry table>` (e.g. MSG_MAP_CWinApp / MSG_MAP_ENTRY_CWinApp).
/// NOTE: as pasted here AFX_MSGMAP_ENTRY is used before it is declared; to
/// compile, the entry struct must be declared first (or forward-declared).
struct AFX_MSGMAP
{
#ifdef _AFXDLL
    const AFX_MSGMAP* (PASCAL* pfnGetBaseMap)(); // DLL build: base map obtained through a function
#else
    const AFX_MSGMAP* pBaseMap;                  // static build: direct pointer to the base class's map
#endif
    const AFX_MSGMAP_ENTRY* lpEntries;           // entry table; the listing ends each table with an all-zero entry
};
/// One handler entry of a message map. IDA prints an entry in field order as
/// `AFX_MSGMAP_ENTRY <nMessage, nCode, nID, nLastID, nSig, pfn>`, so e.g.
/// `<111h, 0, 3E8h, 3E8h, 0Ch, 401450h>` is WM_COMMAND (0x111) for control
/// ID 0x3E8 dispatched to the routine at 0x401450. The field to recover when
/// reversing is `pfn`: it points straight at the handler's code.
struct AFX_MSGMAP_ENTRY
{
    UINT nMessage; // windows message (WM_xxx)
    UINT nCode;    // control code or WM_NOTIFY code
    UINT nID;      // control ID (or 0 for windows messages)
    UINT nLastID;  // used for entries specifying a range of control id's (equals nID for a single control)
    UINT nSig;     // signature type (action) or pointer to message #; tells MFC how to call pfn (0Ch/12h/23h in the listing)
    AFX_PMSG pfn;  // routine to call (or special value); the handler address a reverser wants
};
最后要去还原的是AFX_MSGMAP_ENTRY.pfn.
虚表地址就是一个一个的放,最后一个是0地址.
用VC6生成一个对话框程序,加个按钮,在按钮函数内弹出AfxMessageBox, 做实验,找出按钮函数.
现在遇到的问题是, MFC框架的签名没加全, 不容易分辨消息映射函数里面哪些是用户自己写的代码, 哪些是框架自带的代码.
编译成Release版做试验.
.rdata:00422510 ; ===========================================================================
.rdata:00422510
.rdata:00422510 ; Segment type: Pure data
.rdata:00422510 ; Segment permissions: Read
.rdata:00422510 _rdata segment para public 'DATA' use32
.rdata:00422510 assume cs:_rdata
.rdata:00422510 ;org 422510h
.rdata:00422510 MSG_MAP_CWinApp dd offset off_422848 ; DATA XREF: sub_401000o
.rdata:00422514 dd offset MSG_MAP_ENTRY_CWinApp
.rdata:00422518 MSG_MAP_ENTRY_CWinApp AFX_MSGMAP_ENTRY <111h, 0, 0E146h, 0E146h, 0Ch, 41C9E7h>
.rdata:00422518 ; DATA XREF: .rdata:00422514o
.rdata:00422530 AFX_MSGMAP_ENTRY <0>
.rdata:00422548 VTL_CWinApp dd offset sub_41D80E ; DATA XREF: unknown_libname_1-56o
.rdata:0042254C dd offset sub_401030
.rdata:00422550 dd offset nullsub_9
.rdata:00422554 dd offset sub_4166EF
.rdata:00422558 dd offset sub_416853
.rdata:0042255C dd offset sub_4167FE
.rdata:00422560 dd offset sub_416804
.rdata:00422564 dd offset sub_416074
.rdata:00422568 dd offset sub_416074
.rdata:0042256C dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
.rdata:00422570 dd offset sub_401000
.rdata:00422574 dd offset sub_41688F
.rdata:00422578 dd offset sub_416841
.rdata:0042257C dd offset sub_416889
.rdata:00422580 dd offset sub_41684D
.rdata:00422584 dd offset sub_416847
.rdata:00422588 dd offset sub_416885
.rdata:0042258C dd offset sub_416804
.rdata:00422590 dd offset sub_416804
.rdata:00422594 dd offset sub_416804
.rdata:00422598 dd offset sub_4010A0
.rdata:0042259C dd offset ?Run@CWinApp@@UAEHXZ ; CWinApp::Run(void)
.rdata:004225A0 dd offset sub_4162D9
.rdata:004225A4 dd offset sub_416563
.rdata:004225A8 dd offset sub_415ED7
.rdata:004225AC dd offset sub_4160F6
.rdata:004225B0 dd offset ?ExitInstance@CWinApp@@UAEHXZ ; CWinApp::ExitInstance(void)
.rdata:004225B4 dd offset sub_415E60
.rdata:004225B8 dd offset sub_4163FE
.rdata:004225BC dd offset ?GetMainWnd@CWinThread@@UAEPAVCWnd@@XZ ; CWinThread::GetMainWnd(void)
.rdata:004225C0 dd offset ?Delete@CWinThread@@UAEXXZ ; CWinThread::Delete(void)
.rdata:004225C4 dd offset ?GetNextDocTemplate@CWinApp@@QBEPAVCDocTemplate@@AAPAU__POSITION@@@Z ; CWinApp::GetNextDocTemplate(__POSITION * &)
.rdata:004225C8 dd offset sub_41CA9D
.rdata:004225CC dd offset ?InitApplication@CWinApp@@UAEHXZ ; CWinApp::InitApplication(void)
.rdata:004225D0 dd offset sub_41CA8A
.rdata:004225D4 dd offset sub_41CB62
.rdata:004225D8 dd offset ?DoWaitCursor@CWinApp@@UAEXH@Z ; CWinApp::DoWaitCursor(int)
.rdata:004225DC dd offset sub_41CAE7
.rdata:004225E0 dd offset sub_415E29
.rdata:004225E4 dd 0
.rdata:004225E8 MSG_MAP_1 dd offset off_422B58 ; DATA XREF: sub_401190o
.rdata:004225EC dd offset MSG_MAP_ENTRY_1
.rdata:004225F0 MSG_MAP_ENTRY_1 AFX_MSGMAP_ENTRY <0> ; DATA XREF: .rdata:004225ECo
.rdata:00422608 MSG_MAP_2 dd offset off_422B58 ; DATA XREF: sub_401210o
.rdata:0042260C dd offset MSG_MAP_ENTRY_2
.rdata:00422610 MSG_MAP_ENTRY_2 AFX_MSGMAP_ENTRY <112h, 0, 0, 0, 12h, 401300h>
.rdata:00422610 ; DATA XREF: .rdata:0042260Co
.rdata:00422628 AFX_MSGMAP_ENTRY <0Fh, 0, 0, 0, 0Ch, 401380h>
.rdata:00422640 AFX_MSGMAP_ENTRY <37h, 0, 0, 0, 23h, 401440h>
.rdata:00422658 AFX_MSGMAP_ENTRY <111h, 0, 3E8h, 3E8h, 0Ch, 401450h> ; 401450h 就是按钮函数实现了
.rdata:00422670 AFX_MSGMAP_ENTRY <0>
.rdata:00422688 off_422688 dd offset sub_41DA76 ; DATA XREF: sub_401130+Co
.rdata:0042268C dd offset sub_401150
.rdata:00422690 dd offset nullsub_9
.rdata:00422694 dd offset sub_416B81 ; ?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z
.rdata:00422694 ; doubtful name
.rdata:00422698 dd offset sub_4180A4
.rdata:0042269C dd offset sub_4167FE
.rdata:004226A0 dd offset sub_416804
.rdata:004226A4 dd offset sub_416074
.rdata:004226A8 dd offset sub_416074
.rdata:004226AC dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
.rdata:004226B0 dd offset sub_401190
.rdata:004226B4 dd offset sub_41688F
.rdata:004226B8 dd offset sub_416841
.rdata:004226BC dd offset sub_416889
.rdata:004226C0 dd offset sub_41684D
.rdata:004226C4 dd offset sub_416847
.rdata:004226C8 dd offset sub_416885
.rdata:004226CC dd offset sub_416804
.rdata:004226D0 dd offset sub_416804
.rdata:004226D4 dd offset sub_416804
.rdata:004226D8 dd offset nullsub_10
.rdata:004226DC dd offset sub_417EAB
.rdata:004226E0 dd offset sub_4180B5
.rdata:004226E4 dd offset sub_417E8B
.rdata:004226E8 dd offset ?CalcWindowRect@CWnd@@UAEXPAUtagRECT@@I@Z ; CWnd::CalcWindowRect(tagRECT *,uint)
.rdata:004226EC dd offset ?OnToolHitTest@CWnd@@UBEHVCPoint@@PAUtagTOOLINFOA@@@Z ; CWnd::OnToolHitTest(CPoint,tagTOOLINFOA *)
.rdata:004226F0 dd offset sub_416804
.rdata:004226F4 dd offset sub_4184A8
.rdata:004226F8 dd offset ?ContinueModal@CWnd@@UAEHXZ ; CWnd::ContinueModal(void)
.rdata:004226FC dd offset ?EndModalLoop@CWnd@@UAEXH@Z ; CWnd::EndModalLoop(int)
.rdata:00422700 dd offset ?OnCommand@CWnd@@MAEHIJ@Z ; CWnd::OnCommand(uint,long)
.rdata:00422704 dd offset ?OnNotify@CWnd@@MAEHIJPAJ@Z ; CWnd::OnNotify(uint,long,long *)
.rdata:00422708 dd offset sub_418149
.rdata:0042270C dd offset nullsub_11
.rdata:00422710 dd offset sub_401460
.rdata:00422714 dd offset sub_401470
.rdata:00422718 dd offset ?PreTranslateMessage@CDialog@@UAEHPAUtagMSG@@@Z ; CDialog::PreTranslateMessage(tagMSG *)
.rdata:0042271C dd offset sub_419DDD
.rdata:00422720 dd offset sub_4185D0
.rdata:00422724 dd offset sub_418614
.rdata:00422728 dd offset sub_418102
.rdata:0042272C dd offset nullsub_10
.rdata:00422730 dd offset ?OnChildNotify@CWnd@@MAEHIIJPAJ@Z ; CWnd::OnChildNotify(uint,uint,long,long *)
.rdata:00422734 dd offset sub_41724F
.rdata:00422738 dd offset sub_416074
.rdata:0042273C dd offset ?SetOccDialogInfo@CDialog@@MAEHPAU_AFX_OCC_DIALOG_INFO@@@Z ; CDialog::SetOccDialogInfo(_AFX_OCC_DIALOG_INFO *)
.rdata:00422740 dd offset sub_416F44
.rdata:00422744 dd offset ?OnInitDialog@CDialog@@UAEHXZ ; CDialog::OnInitDialog(void)
.rdata:00422748 dd offset nullsub_12
.rdata:0042274C dd offset ?OnOK@CDialog@@MAEXXZ ; CDialog::OnOK(void)
.rdata:00422750 dd offset sub_417247
.rdata:00422754 dd offset nullsub_10
.rdata:00422758 off_422758 dd offset sub_41DA76 ; DATA XREF: sub_4011A0+31o
.rdata:0042275C dd offset sub_401150
.rdata:00422760 dd offset nullsub_9
.rdata:00422764 dd offset sub_416B81 ; ?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z
.rdata:00422764 ; doubtful name
.rdata:00422768 dd offset sub_4180A4
.rdata:0042276C dd offset sub_4167FE
.rdata:00422770 dd offset sub_416804
.rdata:00422774 dd offset sub_416074
.rdata:00422778 dd offset sub_416074
.rdata:0042277C dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
.rdata:00422780 dd offset sub_401210
.rdata:00422784 dd offset sub_41688F
.rdata:00422788 dd offset sub_416841
.rdata:0042278C dd offset sub_416889
.rdata:00422790 dd offset sub_41684D
.rdata:00422794 dd offset sub_416847
.rdata:00422798 dd offset sub_416885
.rdata:0042279C dd offset sub_416804
.rdata:004227A0 dd offset sub_416804
.rdata:004227A4 dd offset sub_416804
.rdata:004227A8 dd offset nullsub_10
.rdata:004227AC dd offset sub_417EAB
.rdata:004227B0 dd offset sub_4180B5
.rdata:004227B4 dd offset sub_417E8B
.rdata:004227B8 dd offset ?CalcWindowRect@CWnd@@UAEXPAUtagRECT@@I@Z ; CWnd::CalcWindowRect(tagRECT *,uint)
.rdata:004227BC dd offset ?OnToolHitTest@CWnd@@UBEHVCPoint@@PAUtagTOOLINFOA@@@Z ; CWnd::OnToolHitTest(CPoint,tagTOOLINFOA *)
.rdata:004227C0 dd offset sub_416804
.rdata:004227C4 dd offset sub_4184A8
.rdata:004227C8 dd offset ?ContinueModal@CWnd@@UAEHXZ ; CWnd::ContinueModal(void)
.rdata:004227CC dd offset ?EndModalLoop@CWnd@@UAEXH@Z ; CWnd::EndModalLoop(int)
.rdata:004227D0 dd offset ?OnCommand@CWnd@@MAEHIJ@Z ; CWnd::OnCommand(uint,long)
.rdata:004227D4 dd offset ?OnNotify@CWnd@@MAEHIJPAJ@Z ; CWnd::OnNotify(uint,long,long *)
.rdata:004227D8 dd offset sub_418149
.rdata:004227DC dd offset nullsub_11
.rdata:004227E0 dd offset sub_401460
.rdata:004227E4 dd offset sub_401470
.rdata:004227E8 dd offset ?PreTranslateMessage@CDialog@@UAEHPAUtagMSG@@@Z ; CDialog::PreTranslateMessage(tagMSG *)
.rdata:004227EC dd offset sub_419DDD
.rdata:004227F0 dd offset sub_4185D0
.rdata:004227F4 dd offset sub_418614
.rdata:004227F8 dd offset sub_418102
.rdata:004227FC dd offset nullsub_10
.rdata:00422800 dd offset ?OnChildNotify@CWnd@@MAEHIIJPAJ@Z ; CWnd::OnChildNotify(uint,uint,long,long *)
.rdata:00422804 dd offset sub_41724F
.rdata:00422808 dd offset sub_416074
.rdata:0042280C dd offset ?SetOccDialogInfo@CDialog@@MAEHPAU_AFX_OCC_DIALOG_INFO@@@Z ; CDialog::SetOccDialogInfo(_AFX_OCC_DIALOG_INFO *)
.rdata:00422810 dd offset sub_416F44
.rdata:00422814 dd offset sub_401220
.rdata:00422818 dd offset nullsub_12
.rdata:0042281C dd offset ?OnOK@CDialog@@MAEXXZ ; CDialog::OnOK(void)
.rdata:00422820 dd offset sub_417247
.rdata:00422824 dd offset nullsub_10
.rdata:00422828 off_422828 dd offset aCwinapp ; DATA XREF: sub_41D80Eo
.rdata:00422828 ; "CWinApp"
.rdata:0042282C dd 0C0h
.rdata:00422830 dd 0FFFFh
.rdata:00422834 dd 0
.rdata:00422838 dd offset off_422978
.rdata:0042283C dd 0
.rdata:00422840 aCwinapp db 'CWinApp',0 ; DATA XREF: .rdata:off_422828o
我现在一个一个地去翻消息映射函数, 大概能看得出来函数的功能。
但是Demo复杂了,这么找不靠谱, 有可能会漏掉线索.
.text:00401450 ; =============== S U B R O U T I N E =======================================
.text:00401450
.text:00401450
.text:00401450 sub_401450 proc near ; CADlg::OnButtonTest - the pfn of entry <111h, 0, 3E8h, 3E8h, 0Ch, 401450h>
.text:00401450 push 0 ; uType ; third (uint) argument of AfxMessageBox; arguments are pushed right to left
.text:00401452 push 0 ; second (uint) argument
.text:00401454 push offset Text ; "void CADlg::OnButtonTest()" ; first argument: the message text (same literal as in the source)
.text:00401459 call sub_41CC49 ; AfxMessageBox(char const *,uint,uint) - still unnamed here because the MFC signatures were not applied yet
.text:0040145E retn ; no add esp: the callee is __stdcall (YG in its mangled name) and pops its own three arguments
.text:0040145E sub_401450 endp
.text:0040145E
.text:0040145E ; ---------------------------------------------------------------------------
sub_41CC49 就是AfxMessageBox, 如果能加上IDA签名就好了.
试验的源码
/// Main dialog of the test program, as generated by the VC6 AppWizard.
/// The `//{{AFX_...` / `//}}AFX_...` marker comments are parsed by ClassWizard
/// and have to stay exactly as they are.
class CADlg : public CDialog
{
// Construction
public:
    CADlg(CWnd* pParent = NULL); // standard constructor

// Dialog Data
    //{{AFX_DATA(CADlg)
    enum { IDD = IDD_A_DIALOG }; // resource ID of the dialog template
        // NOTE: the ClassWizard will add data members here
    //}}AFX_DATA

// ClassWizard generated virtual function overrides
    //{{AFX_VIRTUAL(CADlg)
protected:
    virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
    //}}AFX_VIRTUAL

// Implementation
protected:
    HICON m_hIcon; // dialog icon

    // Generated message map functions
    //{{AFX_MSG(CADlg)
    // OnInitDialog is a virtual override, not a message-map entry: it shows up in
    // the vtable, not in the AFX_MSGMAP_ENTRY table (in the listing the second
    // dialog vtable replaces CDialog::OnInitDialog with sub_401220 - presumably
    // this override; verify in IDA).
    virtual BOOL OnInitDialog();
    afx_msg void OnSysCommand(UINT nID, LPARAM lParam); // WM_SYSCOMMAND (0x112) entry of the message map
    afx_msg void OnPaint();                              // WM_PAINT (0xF) entry
    afx_msg HCURSOR OnQueryDragIcon();                   // WM_QUERYDRAGICON (0x37) entry
    afx_msg void OnButtonTest();                         // BN_CLICKED on IDC_BUTTON_TEST; compiled to sub_401450 in the listing above
    //}}AFX_MSG
    DECLARE_MESSAGE_MAP()
};
// Message map of CADlg. BEGIN_MESSAGE_MAP emits the AFX_MSGMAP (pointer to
// CDialog's map + pointer to the entry table) and the AFX_MSGMAP_ENTRY table
// that the .rdata listing shows as MSG_MAP_2 / MSG_MAP_ENTRY_2; the entries
// appear there in the same order as below, and END_MESSAGE_MAP supplies the
// terminating all-zero entry.
BEGIN_MESSAGE_MAP(CADlg, CDialog)
    //{{AFX_MSG_MAP(CADlg)
    ON_WM_SYSCOMMAND()                           // <112h, 0, 0, 0, 12h, 401300h>
    ON_WM_PAINT()                                // <0Fh, 0, 0, 0, 0Ch, 401380h>
    ON_WM_QUERYDRAGICON()                        // <37h, 0, 0, 0, 23h, 401440h>
    ON_BN_CLICKED(IDC_BUTTON_TEST, OnButtonTest) // <111h, 0, 3E8h, 3E8h, 0Ch, 401450h>: WM_COMMAND, control ID 3E8h, handler sub_401450
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()
/// BN_CLICKED handler for IDC_BUTTON_TEST (wired up by ON_BN_CLICKED in the
/// message map). It only pops a message box whose text is the handler's own
/// name, so the routine is easy to recognise in the disassembly.
void CADlg::OnButtonTest()
{
    const char* const kMarker = "void CADlg::OnButtonTest()";
    AfxMessageBox(kMarker);
}
<2016_0923>
做了MFC静态库的签名,加入后,可以看到AfxMessageBox的调用了.
只是在看消息映射表时, 还是要自己逐个翻消息映射函数来看, 不确定哪个是自己要的消息处理函数.
.rdata:004225F0 stru_4225F0 AFX_MSGMAP_ENTRY <0> ; DATA XREF: .rdata:004225ECo
.rdata:00422608 off_422608 dd offset off_422B58 ; DATA XREF: sub_401210o
.rdata:0042260C dd offset stru_422610
.rdata:00422610 stru_422610 AFX_MSGMAP_ENTRY <112h, 0, 0, 0, 12h, 401300h>
.rdata:00422610 ; DATA XREF: .rdata:0042260Co
.rdata:00422628 AFX_MSGMAP_ENTRY <0Fh, 0, 0, 0, 0Ch, 401380h>
.rdata:00422640 AFX_MSGMAP_ENTRY <37h, 0, 0, 0, 23h, 401440h>
.rdata:00422658 AFX_MSGMAP_ENTRY <111h, 0, 3E8h, 3E8h, 0Ch, 401450h> // 401450h是按钮消息处理函数
.rdata:00422670 AFX_MSGMAP_ENTRY <0>
.rdata:00422688 off_422688 dd offset sub_41DA76 ; DATA XREF: sub_401130+Co
.rdata:0042268C dd offset sub_401150
.rdata:00422690 dd offset nullsub_9
.rdata:00422694 dd offset unknown_libname_484 ; ?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z
.rdata:00422694 ; doubtful name
.rdata:00422694 ; NAFXCW.lib
.rdata:00422694 ; UAFXCW.lib
.rdata:00422698 dd offset ?OnFinalRelease@CWnd@@UAEXXZ ; CWnd::OnFinalRelease(void)
.rdata:0042269C dd offset sub_4167FE
.rdata:004226A0 dd offset sub_416804
.rdata:004226A4 dd offset sub_416074
.rdata:004226A8 dd offset sub_416074
.rdata:004226AC dd offset ?GetTypeLib@CCmdTarget@@UAEJKPAPAUITypeLib@@@Z ; CCmdTarget::GetTypeLib(ulong,ITypeLib * *)
.text:00401443 ; ---------------------------------------------------------------------------
.text:00401444 align 10h
.text:00401450 push 0 ; third (uint) argument of AfxMessageBox; arguments are pushed right to left
.text:00401452 push 0 ; second (uint) argument
.text:00401454 push offset aVoidCadlgOnbut ; "void CADlg::OnButtonTest()" ; first argument: the message text
.text:00401459 call ?AfxMessageBox@@YGHPBDII@Z ; AfxMessageBox(char const *,uint,uint) ; resolved by name once the MFC static-library signatures were applied (was sub_41CC49)
.text:0040145E retn ; no add esp: the callee is __stdcall (YG) and pops its own three arguments
.text:0040145E ; ---------------------------------------------------------------------------
.text:0040145F align 10h