Analyzing an EXE program without main
Title | Analyzing an EXE program without main (Part 2) |
Keywords | C, assembly |
Source | http://blog.csdn.net/heyangbin
.586
.model flat,stdcall
option casemap:none          ; keep symbol case exactly as written (same effect as /Cp)
includelib kernel32.lib      ; GetCurrentProcess and TerminateProcess are resolved from here
.data
.code
; With the C language type MASM prefixes an underscore, so these lines reference
; _myentry, _TerminateProcess@8 and _GetCurrentProcess@0. The @N suffix is the
; stdcall decoration: N is the number of argument bytes the callee pops.
extern C myentry: near
extern C TerminateProcess@8: near
extern C GetCurrentProcess@0: near
public STARTCODE
STARTCODE PROC NEAR C
call myentry                 ; eax = return value of the C++ function
push eax                     ; uExitCode (stdcall pushes arguments right to left)
call GetCurrentProcess@0
push eax                     ; hProcess
call TerminateProcess@8      ; does not return
STARTCODE endp
end STARTCODE                ; END label records STARTCODE as the program entry point
Save this as Test.asm and, at the CMD prompt, run ML.EXE /c /coff /Cp /nologo /I"C:/RadASM/Masm32/Include" "test.asm" (C:/RadASM/Masm32/Include is the directory that holds the MASM include files) to produce Test.obj.
Here is the C++ side:
#include <Windows.h>

// extern "C" keeps the linker name undecorated (_myentry), which is what the
// assembly stub references; a C++-mangled name would fail to link.
// No CRT startup code has run when this is entered.
extern "C" int myentry(void)
{
    return 0;   // becomes the process exit code via TerminateProcess
}
Save this as main.cpp and run CL /c main.cpp at the CMD prompt to produce main.obj.
Then link the two objects: LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"C:/RadASM/Masm32/Lib" /OUT:"test.exe" "test.obj" "main.obj" produces test.exe. No /ENTRY switch is given because the end STARTCODE directive already recorded the entry point in Test.obj (if the linker nevertheless reports an unresolved WinMainCRTStartup, add /ENTRY:STARTCODE). Nothing references the C runtime, so no CRT startup code is linked in and the first instruction executed is our stub.
Now disassemble it with dumpbin /disasm test.exe, which gives:
00401000: E8 1B 00 00 00 call 00401020
00401005: 50 push eax
00401006: E8 23 00 00 00 call 0040102E
0040100B: 50 push eax
0040100C: E8 17 00 00 00 call 00401028
00401011: CC int 3
00401012: CC int 3
00401013: CC int 3
00401014: CC int 3
00401015: CC int 3
00401016: CC int 3
00401017: CC int 3
00401018: CC int 3
00401019: CC int 3
0040101A: CC int 3
0040101B: CC int 3
0040101C: CC int 3
0040101D: CC int 3
0040101E: CC int 3
0040101F: CC int 3
00401020: 55 push ebp
00401021: 8B EC mov ebp,esp
00401023: 33 C0 xor eax,eax
00401025: 5D pop ebp
00401026: C3 ret
00401027: CC int 3
00401028: FF 25 04 20 40 00 jmp dword ptr ds:[00402004h]
0040102E: FF 25 00 20 40 00 jmp dword ptr ds:[00402000h]
We can see that
00401000: E8 1B 00 00 00 call 00401020
00401005: 50 push eax
00401006: E8 23 00 00 00 call 0040102E
0040100B: 50 push eax
0040100C: E8 17 00 00 00 call 00401028
is the Test.asm stub. Execution starts at 00401000, the entry point recorded in the PE header, and the first call goes straight into our myentry. The two later calls do not land on the API functions themselves but on import thunks: 0040102E is jmp dword ptr ds:[00402000h] and 00401028 is jmp dword ptr ds:[00402004h], each jumping through an IAT slot that the loader fills with the address of GetCurrentProcess and TerminateProcess in kernel32.dll. The run of CC bytes (int 3) from 00401011 to 0040101F is alignment padding the linker inserts between functions; it is never executed. The code that follows at 00401020,
00401020: 55 push ebp
00401021: 8B EC mov ebp,esp
00401023: 33 C0 xor eax,eax
00401025: 5D pop ebp
00401026: C3 ret
00401027: CC int 3
is the main.cpp side: the usual prologue, xor eax,eax for return 0, and the epilogue. Whatever the program should do goes into myentry (or functions it calls) rather than into a main function. Two things follow from having no CRT startup: nothing initializes the C runtime or C++ globals, so myentry must use Win32 API calls rather than CRT functions such as printf or malloc; and if main.cpp is compiled with /GS, the stack cookie is never set by __security_init_cookie and keeps its static default value, so either build with /GS- or initialize the cookie yourself before any function that uses a stack buffer.
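As an added example (not code from the original post), the following Python script performs the same analysis mechanically on the dumpbin listing quoted above: it decodes each E8 rel32 call into an absolute target, recognises the FF 25 jmp-through-IAT thunks, and rebuilds the stdcall argument lists from the push eax instructions, ending with TerminateProcess(GetCurrentProcess(), myentry()). The listing text is copied from the page with the int 3 run shortened to one byte; the IAT slot names and argument counts are an assumption taken from the call order and the @0/@8 decorations in Test.asm (dumpbin /imports on the real file would confirm the names).

```python
"""Follow the entry stub of test.exe through its dumpbin /disasm listing.

Added example, not code from the original post.  E8 rel32 calls are resolved
to absolute targets, FF 25 disp32 instructions are treated as import thunks,
and the stdcall argument lists are rebuilt from the push eax instructions.
"""
import re

# Constructed from the listing on the page (addresses and bytes verbatim,
# the run of int 3 padding shortened to its first byte).
LISTING = """\
00401000: E8 1B 00 00 00 call 00401020
00401005: 50 push eax
00401006: E8 23 00 00 00 call 0040102E
0040100B: 50 push eax
0040100C: E8 17 00 00 00 call 00401028
00401011: CC int 3
00401020: 55 push ebp
00401021: 8B EC mov ebp,esp
00401023: 33 C0 xor eax,eax
00401025: 5D pop ebp
00401026: C3 ret
00401027: CC int 3
00401028: FF 25 04 20 40 00 jmp dword ptr ds:[00402004h]
0040102E: FF 25 00 20 40 00 jmp dword ptr ds:[00402000h]
"""

# Assumed: IAT slot -> (import name, argument dwords), inferred from the call
# order and the @0 / @8 stdcall decorations in Test.asm.
IAT_NAMES = {0x00402000: ("GetCurrentProcess", 0), 0x00402004: ("TerminateProcess", 2)}

# Assumed: the only non-import call target is the C++ function myentry,
# which takes no arguments (its plain `ret` pops nothing).
LOCAL_NAMES = {0x00401020: ("myentry", 0)}

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{2}\s+)+?)([a-z].*)$")


def parse_listing(text):
    """Map address -> raw instruction bytes for each dumpbin line."""
    insns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return insns


def resolve(addr, raw):
    """Decode the two patterns that matter here.

    E8 rel32     -> ("call", target)  target = address of next instruction + rel32
    FF 25 disp32 -> ("thunk", slot)   jmp dword ptr [slot], i.e. an import thunk
    anything else -> None
    """
    if len(raw) == 5 and raw[0] == 0xE8:
        rel = int.from_bytes(raw[1:], "little", signed=True)
        return ("call", (addr + 5 + rel) & 0xFFFFFFFF)
    if len(raw) == 6 and raw[:2] == b"\xFF\x25":
        return ("thunk", int.from_bytes(raw[2:], "little"))
    return None


def name_of(insns, target):
    """Name a call target and give its argument count: either a local body or
    the import whose IAT slot the thunk at `target` jumps through."""
    hop = resolve(target, insns.get(target, b""))
    if hop and hop[0] == "thunk":
        return IAT_NAMES.get(hop[1], ("IAT_%08X" % hop[1], 0))
    return LOCAL_NAMES.get(target, ("sub_%08X" % target, 0))


def trace_entry(insns, entry=0x00401000):
    """Walk the straight-line entry stub and rebuild each call symbolically.

    stdcall pushes arguments right to left, so the last `argc` pushes reversed
    are the arguments in declaration order; the callee pops them, so they are
    dropped after the call.  `push eax` pushes whatever the last call returned.
    The walk stops at the first int 3 (CC) padding byte.
    """
    calls, pushed, last_result, addr = [], [], "eax", entry
    while addr in insns and insns[addr] != b"\xCC":
        raw = insns[addr]
        if raw == b"\x50":                       # push eax
            pushed.append(last_result)
        hop = resolve(addr, raw)
        if hop and hop[0] == "call":
            name, argc = name_of(insns, hop[1])
            args = pushed[len(pushed) - argc:]
            pushed = pushed[:len(pushed) - argc]
            last_result = "%s(%s)" % (name, ", ".join(reversed(args)))
            calls.append(last_result)
        addr += len(raw)
    return calls


if __name__ == "__main__":
    for call in trace_entry(parse_listing(LISTING)):
        print(call)
```

Running it prints the three calls in order, the last one as TerminateProcess(GetCurrentProcess(), myentry()), which is exactly the stub written in Test.asm; the same resolve and name_of steps apply to any CL-compiled binary whose imports go through FF 25 thunks.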