MFC thunk技术模拟

//参考http://www.cnblogs.com/satng/archive/2010/12/30/2138833.html

#include <cstddef>
#include <iostream>
using namespace std;
//thunk技术模拟
// Signature shared by the thunk entry point and the function it forwards to:
// the first parameter is the receiver slot, the second the payload.
typedef void (*fun)(void *,int i);
class CFun;//Forward declaration: Thunk below stores a typed CFun* in its ths field.
// One x86 thunk, laid out byte-for-byte as the machine code it represents,
// hence the 1-byte packing: every member is either an opcode byte or an
// instruction operand, and the pointer-sized members are themselves the
// operands (the 32-bit memory operand read by jmp [ecx], the imm32 of the
// mov) -- which is why this layout only lines up with 4-byte pointers,
// i.e. 32-bit x86.
#pragma pack(push)
#pragma pack(1)
struct Thunk {
    unsigned char call;      // E8: call rel32
    int offset;              // rel32 operand of the call (targets code[0])
    fun pf;                  // target function; the call's return address is &pf,
                             // and the final jmp [ecx] loads the target from here
    unsigned char code[5];   // 59 = pop ecx; C7 44 24 04 = mov dword ptr [esp+4], imm32
    CFun *ths;               // the imm32 written into [esp+4]: the owner's this pointer
    unsigned char jmp;       // FF: jmp r/m32
    unsigned char ecx;       // 21: ModRM byte selecting [ecx]
};
#pragma pack(pop)
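// Byte offset of member m inside struct type s (m may be an element such as
// code[0]). The address is taken from a null base pointer, so it is only ever
// used as an integer. The pointer is first widened to std::size_t: a direct
// pointer-to-unsigned-int cast is rejected by compilers when pointers are
// 8 bytes wide, while the final narrowing is harmless for struct offsets.
#define OFF(s,m) ((unsigned int)reinterpret_cast<std::size_t>(&(((s*)0)->m)))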
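// Owner of one heap-allocated x86 thunk that rebinds a plain C callback to
// this object: calling the thunk with any first argument ends up in print()
// with that argument replaced by this.
//
// NOTE(review): the thunk bytes live in ordinary heap memory. Where DEP/NX
// is enforced that memory is not executable and the call through GetThunk()
// faults; a production thunk is written into memory that is explicitly
// marked executable (and ideally made read-only once written). The layout
// also assumes 32-bit x86 with the cdecl convention: 4-byte pointers and
// the first argument at [esp+4] on entry.
class CFun {
public:
    CFun()
        : thunk(0)
    {
        createThunk();
    }
    ~CFun()
    {
        // thunk is typed as a function pointer for the caller's convenience,
        // but the storage behind it is the Thunk allocated in createThunk(),
        // so it has to be freed as that type (delete on a function pointer
        // is ill-formed).
        delete reinterpret_cast<Thunk*>(thunk);
    }

public:
    // Builds the machine-code stub. Bytes, in Thunk member order:
    //   E8 rel32            call code[0]  ; pushes &pf as the return address
    //   <pf>                address of funx, read back by the final jmp
    //   59                  pop ecx       ; ecx = &pf
    //   C7 44 24 04 imm32   mov dword ptr [esp+4], this ; overwrite 1st argument
    //   FF 21               jmp [ecx]     ; tail-jump to funx
    void createThunk()
    {
        Thunk* tk = new Thunk;
        // call rel32: the displacement is relative to the byte after the
        // instruction, i.e. the pf field, and must land on code[0].
        tk->call = 0xE8;
        tk->offset = OFF(Thunk, code[0]) - OFF(Thunk, pf);
        tk->pf = CFun::funx;
        // pop ecx -- the return address pushed by the call is &pf
        // (equivalent to mov ecx,[esp]; add esp,4).
        tk->code[0] = 0x59;
        // mov dword ptr [esp+4], imm32 -- [esp] is the caller's return
        // address, [esp+4] its first argument; the imm32 is the ths field.
        tk->code[1] = 0xC7;
        tk->code[2] = 0x44;
        tk->code[3] = 0x24;
        tk->code[4] = 0x04;
        tk->ths = this;
        // jmp [ecx] -- indirect through &pf, so execution continues in funx
        // with this now sitting in the first argument slot.
        tk->jmp = 0xFF;
        tk->ecx = 0x21;
        thunk = reinterpret_cast<fun>(tk);
    }
    // Plain-C entry point the thunk jumps to; pFun is this, as rewritten by
    // the thunk, and i is the caller's untouched second argument.
    static void funx(void* pFun, int i)
    {
        CFun* self = static_cast<CFun*>(pFun);
        self->print(i);
    }
    void print(int i)
    {
        cout << "Recevie=" << i << endl;
    }
    // Returns the thunk as a callable; the storage stays owned by this object
    // and is released in the destructor.
    fun GetThunk()
    {
        return thunk;
    }

private:
    // Not implemented: a copy would share the thunk and free it twice.
    CFun(const CFun&);
    CFun& operator=(const CFun&);

    fun thunk;
};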
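int main()
{
    CFun cf;
    fun pf = cf.GetThunk();
    // The first argument is only a placeholder: the thunk overwrites this
    // stack slot with the CFun's this pointer before funx reads it. A string
    // literal is const char[] and does not convert to void*, so pass a null
    // pointer instead.
    pf(0, 123);
    return 0;
}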