关于DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]的一些介绍
关于LoadConfig的介绍较少,这里简单介绍一下
这个是在winnt.h中的定义
/* winnt.h layout of the 32-bit Load Config directory: 20 fields, 0x48 bytes.
 * Offsets are noted on the fields the rest of the page touches. */
typedef struct {
DWORD Size;                           // size of this structure in bytes (0x48 for this layout)
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD GlobalFlagsClear;
DWORD GlobalFlagsSet;
DWORD CriticalSectionDefaultTimeout;
DWORD DeCommitFreeBlockThreshold;
DWORD DeCommitTotalFreeThreshold;
DWORD LockPrefixTable; // VA
DWORD MaximumAllocationSize;
DWORD VirtualMemoryThreshold;
DWORD ProcessHeapFlags;
DWORD ProcessAffinityMask;
WORD CSDVersion;
WORD Reserved1;
DWORD EditList; // VA
DWORD SecurityCookie; // VA   (offset 0x3C) of the /GS stack-overflow cookie variable
DWORD SEHandlerTable; // VA   (offset 0x40) of the table of RVAs of the only SEH handlers accepted for this image ("safe handlers")
DWORD SEHandlerCount; //      (offset 0x44) number of entries in SEHandlerTable
} IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
复制一下MSDN中关于IMAGE_LOAD_CONFIG_DIRECTORY64的介绍(没发现IMAGE_LOAD_CONFIG_DIRECTORY32)。注意两点: MSDN 把第一个 DWORD 叫 Characteristics, 而 winnt.h 里同一偏移的成员叫 Size; 另外 MSDN 这份列表没有列出 SecurityCookie、SEHandlerTable、SEHandlerCount 三个成员。
Members
Characteristics
Flags indicating attributes of the file. This member is currently unused.
TimeDateStamp
Date and time stamp value. The value is represented in the number of seconds elapsed since midnight (00:00:00), January 1, 1970, Universal Coordinated Time, according to the system clock. The time stamp can be printed using the C run-time (CRT) function ctime.
MajorVersion
Major version number.
MinorVersion
Minor version number.
GlobalFlagsClear
Global flags that control system behavior. For more information, see Gflags.exe.
GlobalFlagsSet
Global flags that control system behavior. For more information, see Gflags.exe.
CriticalSectionDefaultTimeout
Critical section default time-out value.
DeCommitFreeBlockThreshold
Memory that must be freed before it is returned to the system, in bytes.
DeCommitTotalFreeThreshold
Total amount of free memory, in bytes.
LockPrefixTable
Reserved for use by the system.
MaximumAllocationSize
Maximum allocation size, in bytes.
VirtualMemoryThreshold
Maximum virtual memory size, in bytes.
ProcessAffinityMask
Process affinity mask. For more information, see GetProcessAffinityMask.
ProcessHeapFlags
Process heap flags.
CSDVersion
CSD version.
Reserved1
Reserved for use by the operating system.
EditList
Reserved for use by the system.
Reserved
Reserved for use by the operating system.
它的内容和32位的很相近,略有不同
DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress 的值为这个结构的 RVA
DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size 为 0x40
Size 成员必须为 sizeof(IMAGE_LOAD_CONFIG_DIRECTORY32) = 0x48
以上是在系统 Dll 中观察到的值。两者相差的 8 字节正好是最后两个成员 SEHandlerTable 和 SEHandlerCount(偏移 0x40、0x44), 也就是说目录项的 Size 没有把它们算进去。因此解析该表时应以结构体自己的 Size 成员为准, 并在访问 SEHandlerTable/SEHandlerCount 之前确认 Size >= 0x48, 而不要依赖目录项的 Size。
只简要介绍下面3个成员
DWORD SecurityCookie; // VA
DWORD SEHandlerTable; // VA
DWORD SEHandlerCount;
以下介绍是根据对kernel32.dll和ntdll.dll分析,如有错误,请谅解。
SecurityCookie 是用来检测栈溢出的(/GS 机制)。Visual C++ 2005 默认打开这个功能, 开关在 C/C++ | Code Generation | Buffer Security Check 中。作者观察到程序编译后这个值似乎没有被用到; 一般的理解是加载器通过这个 VA 找到 __security_cookie 变量并在加载时写入随机值, 该观察有待进一步验证。
SEHandlerTable 指向一个表格, 表中每一项是一个 SEH 处理函数的 RVA; SEHandlerCount 是表项个数。如果这个表格存在, 那么只有表中登记的处理函数才会被系统接受。异常发生时, 系统沿 fs:[0] 链顺序查找并调用处理函数, 一旦发现当前处理函数不在表中, 就不再继续分发, 进程直接终止, 连 UnhandledExceptionFilter 都不会执行到; 除非进程正在被调试, 由调试器接管。
每个PE有一个单独表格。如kernel32.dll和user32.dll有各自的表格。当PE被载入时,PE的基址,大小、 SEHandlerTable(表格的地址)、SEHandlerCount(长度)会被存在一个表格中。当一个异常发生时,系统每个PE的基址和大小检 查当前seh处理函数属于哪一个PE,然后取出相应的表格地址和长度。由于是载入时就已经取出,载入后SEHandlerTable和 SEHandlerCount就没什么用处了,对它进行修改当然也没什么用了。但修改表格内容还是有效的。
如果 SEH 处理函数位于动态申请的内存中, 因为不在任何 PE Image 内, 按本文的分析它不受该表限制; 否则(位于某个 Image 内)只要不在相应的表格中, 就会导致进程终止。Visual C++ 的 try..catch 等生成的 SEH 处理函数会自动登记到该表; 但用 inline asm 直接操作 fs:[0] 挂上的处理函数不会登记, 异常发生时只会导致进程终止(MASM 有 .SAFESEH 指令可以把手写的处理函数登记进表, 请查阅其文档)。注意: 这里描述的是作者分析当时 kernel32/ntdll 得到的结论, 之后的 Windows 版本在此之外还叠加了其他检查(如 DEP、SEHOP), 结论请在目标系统上验证。
目前基本所有的壳软件都是直接删除 loadconfig 目录, 程序照常运行。但要清楚这样做的代价: 没有了 SEHandlerTable, 系统就不再限制该 Image 内哪些地址可以作为 SEH 处理函数, 也就失去了 SafeSEH 这层缓解措施(SecurityCookie 指针也在同一个目录里), 加壳后的程序在这一点上比原程序更容易被利用。如果要保留 loadconfig, 则需要把 PE Image 内新增的 seh 处理函数加入到该表格中。微软称这个表格中的处理函数为 "safe handler"。
关掉 safe handler 的开关: 在 Linker | Command Line 中加入 /SAFESEH:NO, 链接器将不再生成该表。
处理办法 2: (转载, 原帖链接不完整) 下面的 MASM 程序遍历当前目录下所有 *.exe, 就地把 Load Config 中的 SEHandlerTable/SEHandlerCount 清零, 并把 Optional Header 里的链接器版本号改为 8.8(原帖没有说明改版本号的理由)。它直接改写文件, 运行前请先备份。
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include te.inc                          ; local header: IMAGE_LOAD_CONFIG_DIRECTORY32 (listed at the end of the page)
includelib user32.lib
includelib kernel32.lib
.data
FileFilter db "*.exe",0                 ; every *.exe in the current directory is patched in place
FindData WIN32_FIND_DATA <>
CurPath db 256 dup(0)                   ; filled by GetCurrentDirectory, never read afterwards
hFile dd 0                              ; handle of the file currently being patched
hFind dd 0                              ; FindFirstFile enumeration handle
PE_head_addr dd 0                       ; e_lfanew, read from DOS-header offset 3Ch
byte_read dd 0                          ; bytes transferred by the last ReadFile/WriteFile
Link dw 0808h                           ; MajorLinkerVersion=8, MinorLinkerVersion=8; written over the linker-version word
Msg db "Well done",0
Clr dd 0                                ; 8 zero bytes, written over SEHandlerTable and SEHandlerCount
dd 0
PE_head IMAGE_NT_HEADERS <0>            ; NT headers; Section_table must directly follow, one ReadFile fills both
Section_table db 280h dup (0)           ; room for 16 IMAGE_SECTION_HEADERs (280h/28h); with fewer sections the tail holds whatever follows in the file
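.code
; ---------------------------------------------------------------------------
; Entry point.  Walks every *.exe in the current directory and, for each
; 32-bit PE that carries a Load Config directory, zeroes SEHandlerTable and
; SEHandlerCount on disk.  The linker-version word of the optional header is
; then forced to 8.8 unless it already holds that value (the source page gives
; no rationale for this value; it is kept as found).
;
; Security note: zeroing the safe-handler table deliberately removes the
; image's SafeSEH protection.  Files are modified in place, so run this only
; in a directory that holds nothing but the binaries you mean to patch.
;
; Fixes against the original listing:
;   - short reads are rejected (the buffers are reused per file, so a short
;     read left the previous file's headers in place and patched with them);
;   - PE32 only: the PE32+ optional header has a different layout;
;   - the section search is bounded by NumberOfSections and picks the
;     section that really contains the table (the old loop stopped one
;     section too late and ran past the buffer on zero entries);
;   - FindClose receives hFind, not hFile, and is skipped when FindFirstFile
;     failed.
;
; Register roles while one file is processed:
;   eax  API return value / NumberOfSections
;   edx  RVA, then file offset, of the load-config table
;   ecx  cursor over Section_table
;   esi  section headers still to examine
;   edi  RVA one past the load-config table (bounds check)
; ---------------------------------------------------------------------------
PE32_MAGIC      equ 10Bh                                ; IMAGE_NT_OPTIONAL_HDR32_MAGIC
DOS_HDR_SIZE    equ 40h                                 ; e_lfanew must point past IMAGE_DOS_HEADER
MAX_SECTIONS    equ (sizeof Section_table) / (sizeof IMAGE_SECTION_HEADER)
LINKER_VER_OFS  equ 1Ah                                 ; IMAGE_NT_HEADERS.OptionalHeader.MajorLinkerVersion (Minor follows)

start:
        invoke  GetCurrentDirectory, 256, offset CurPath ; CurPath is never read; call kept as in the original
        invoke  FindFirstFile, offset FileFilter, offset FindData
        cmp     eax, INVALID_HANDLE_VALUE
        jz      NoFiles                                 ; nothing matched: there is no find handle to close
        mov     hFind, eax

GoOnFind:
        invoke  CreateFile, offset FindData.cFileName, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ+FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
        cmp     eax, INVALID_HANDLE_VALUE
        jz      createfail                              ; e.g. the running tool itself, or a read-only file
        mov     hFile, eax

        ; --- e_lfanew: offset of the PE header, stored at DOS-header offset 3Ch.
        ; A short read is rejected: PE_head_addr would otherwise still hold the
        ; previous file's value.
        invoke  SetFilePointer, hFile, 3ch, 0, FILE_BEGIN
        invoke  ReadFile, hFile, offset PE_head_addr, 4, offset byte_read, 0
        test    eax, eax
        jz      exitwrite
        cmp     byte_read, 4
        jnz     exitwrite
        cmp     PE_head_addr, DOS_HDR_SIZE
        jb      exitwrite

        ; --- NT headers and up to MAX_SECTIONS section headers in one read.
        ; PE_head and Section_table are declared back to back in .data, so one
        ; ReadFile fills both.  Again a short read must not be ignored.
        invoke  SetFilePointer, hFile, PE_head_addr, 0, FILE_BEGIN
        invoke  ReadFile, hFile, offset PE_head, sizeof PE_head + sizeof Section_table, offset byte_read, 0
        test    eax, eax
        jz      exitwrite
        cmp     byte_read, sizeof PE_head
        jb      exitwrite
        cmp     DWORD ptr PE_head.Signature, IMAGE_NT_SIGNATURE
        jnz     exitwrite
        cmp     WORD ptr PE_head.OptionalHeader.Magic, PE32_MAGIC
        jnz     exitwrite                               ; not a PE32 image: DataDirectory would be at another offset
        movzx   eax, WORD ptr PE_head.FileHeader.NumberOfSections
        test    eax, eax
        jz      exitwrite
        cmp     eax, MAX_SECTIONS
        ja      exitwrite                               ; more headers than the buffer holds
        imul    ecx, eax, sizeof IMAGE_SECTION_HEADER
        add     ecx, sizeof PE_head
        cmp     byte_read, ecx
        jb      exitwrite                               ; the section table was not read completely

        ; --- RVA of the load-config table from the data directory (0 = none).
        lea     edx, PE_head
        lea     edx, (IMAGE_NT_HEADERS ptr [edx]).OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG * sizeof IMAGE_DATA_DIRECTORY]
        mov     edx, [edx]                              ; IMAGE_DATA_DIRECTORY.VirtualAddress
        test    edx, edx
        jz      NoLCT

        ; --- Map the RVA to a file offset through the section that contains it.
        ; A section matches when VirtualAddress <= rva and the whole
        ; IMAGE_LOAD_CONFIG_DIRECTORY32 still ends inside its raw data.  The
        ; loop is bounded by NumberOfSections, so the unused tail of
        ; Section_table is never consulted.
        mov     esi, eax                                ; headers left to examine
        lea     ecx, Section_table
SectionLoop:
        mov     eax, (IMAGE_SECTION_HEADER ptr [ecx]).VirtualAddress
        cmp     edx, eax
        jb      SectionNext                             ; table starts below this section
        add     eax, (IMAGE_SECTION_HEADER ptr [ecx]).SizeOfRawData   ; end of this section's on-disk bytes
        cmp     edx, eax
        jae     SectionNext                             ; table starts past this section
        lea     edi, [edx + sizeof IMAGE_LOAD_CONFIG_DIRECTORY32]
        cmp     edi, eax
        jbe     SectionHit                              ; SEHandlerTable/Count lie inside the raw data
SectionNext:
        add     ecx, sizeof IMAGE_SECTION_HEADER
        dec     esi
        jnz     SectionLoop
        jmp     NoLCT                                   ; table not backed by any section on disk: leave it alone

SectionHit:
        sub     edx, (IMAGE_SECTION_HEADER ptr [ecx]).VirtualAddress
        add     edx, (IMAGE_SECTION_HEADER ptr [ecx]).PointerToRawData
        lea     edx, (IMAGE_LOAD_CONFIG_DIRECTORY32 ptr [edx]).SEHandlerTable   ; file offset 40h into the table; SEHandlerCount follows
        invoke  SetFilePointer, hFile, edx, 0, FILE_BEGIN
        invoke  WriteFile, hFile, offset Clr, 8, offset byte_read, 0   ; SEHandlerTable = 0, SEHandlerCount = 0

NoLCT:
        ; --- Linker-version word at OptionalHeader+2: write 8.8 unless already so.
        mov     ax, Link
        cmp     WORD ptr PE_head[LINKER_VER_OFS], ax
        jz      exitwrite
        mov     eax, PE_head_addr
        add     eax, LINKER_VER_OFS
        invoke  SetFilePointer, hFile, eax, 0, FILE_BEGIN
        invoke  WriteFile, hFile, offset Link, 2, offset byte_read, 0

exitwrite:
        invoke  CloseHandle, hFile
createfail:
        invoke  FindNextFile, hFind, offset FindData
        test    eax, eax
        jnz     GoOnFind
        invoke  FindClose, hFind                        ; the original passed hFile here
NoFiles:
        invoke  MessageBox, NULL, offset Msg, offset Msg, MB_ICONINFORMATION
        invoke  ExitProcess, 0
end start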
/****************te.inc*********************************************************/
IMAGE_LOAD_CONFIG_DIRECTORY32 struct    ; MASM mirror of the winnt.h typedef above: 20 fields, 48h bytes in total
_size DWORD ?                           ; winnt.h "Size"; renamed, presumably because SIZE is a MASM operator
TimeDateStamp DWORD ?
MajorVersion WORD ?
MinorVersion WORD ?
GlobalFlagsClear DWORD ?
GlobalFlagsSet DWORD ?
CriticalSectionDefaultTimeout DWORD ?
DeCommitFreeBlockThreshold DWORD ?
DeCommitTotalFreeThreshold DWORD ?
LockPrefixTable DWORD ?                 ; VA
MaximumAllocationSize DWORD ?
VirtualMemoryThreshold DWORD ?
ProcessHeapFlags DWORD ?
ProcessAffinityMask DWORD ?
CSDVersion WORD ?
Reserved1 WORD ?
EditList DWORD ?                        ; VA
SecurityCookie DWORD ?                  ; offset 3Ch: VA of the /GS cookie variable
SEHandlerTable DWORD ?                  ; offset 40h: VA of the safe-handler RVA table (zeroed by the patch tool above)
SEHandlerCount DWORD ?                  ; offset 44h: number of entries in SEHandlerTable
IMAGE_LOAD_CONFIG_DIRECTORY32 ends