

DLL基础(3) DllMain处理
(一) 创建dll release项目(sum)
//sum.cpp #include<windows.h> #include<stdio.h> extern "C" int __declspec(dllexport) __stdcall add(int x, int y); int __stdcall add(int x, int y) { return x + y; } BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved ){ switch (fdwReason) //Dll被调用的原因 { case DLL_PROCESS_ATTACH: printf("process attach of dll\n"); break; case DLL_THREAD_ATTACH: printf("thread attach of dll\n"); break; case DLL_THREAD_DETACH: printf("thread detach of dll\n"); break; case DLL_PROCESS_DETACH: printf("process detach of dll\n"); break; } return TRUE; }
(二) 静态加载DLL

创建Win32 Console空项目,添加文件my_dll_main.cpp,把sum.lib sum.dll复制到该项目下

//my_dll_main.cpp //#define APIENTRY WINAPI //#define WINAPI __stdcall /* BOOL WINAPI DllMain( _In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved ); */ #include <stdio.h> #include <stdlib.h> #include <windows.h> #pragma comment(lib,"sum.lib") typedef int(__stdcall *lpAddFunc)(int,int); //宏定义函数指针类型 int main(int argc, char *argv[]) { HINSTANCE hDll; //DLL 句柄 lpAddFunc addFunc; //函数指针 hDll = LoadLibrary("sum.dll"); if(hDll != NULL) { //addFunc = (lpAddFunc)GetProcAddress(hDll,"add"); addFunc = (lpAddFunc)GetProcAddress(hDll, MAKEINTRESOURCE(1)); //MAKEINTRESOURCE 直接使用导出文件中的序号 if(addFunc != NULL) { int result = addFunc(2,3); printf("%d\n", result); system("pause"); } } FreeLibrary(hDll); return 0; }

进程中的每个DLL模块被全局唯一的32字节的HINSTANCE句柄标识,只有在特定的进程内部有效,句柄代表了DLL模块在进程虚拟空间中的起始地址。

GetProcAddress(hDll, MAKEINTRESOURCE(1))直接通过.def文件中为add函数指定的序号访问函数,MAKEINTRESOURCE是一个通过序号获取函数名的宏。
