测试CallWindowProc执行汇编

menglv · 发表于 2015-5-9 16:44:09

我们在Form1.frm写入如下代码：
Private Sub Command1_Click()

   Dim myBAry() As Byte
   Dim myL As Long
   myBAry = StrConv(Text1.Text, vbFromUnicode)
   myL = AsmCrc(myBAry, Len(Text1.Text))
   MsgBox "ueruewrew" & myL
   Text2.Text = "字符串" & Text1.Text & "fhdsfksdfs:" & myL

End Sub

在Module1.bas写入如下代码：
Option Explicit

Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, _
            ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Public Function AsmCrc(bytInput() As Byte, ByVal Init As Long) As Long
   Dim Asm(5) As Long
   Asm(0) = &H5B5A5958
   Asm(1) = &HC033505E
   Asm(2) = &H3018A36
   Asm(3) = &H41CED1F0
   Asm(4) = &HF47ECA3B
   Asm(5) = &HC3338936
   CallWindowProc VarPtr(Asm(0)), _
                  VarPtr(bytInput(LBound(bytInput))), _
                  VarPtr(bytInput(UBound(bytInput))), _
                  VarPtr(AsmCrc), _
                  Init
End Function

我们可以看到od里面的关键代码：
00402010 .  50             push eax
00402011 .  8D45 E4       lea    eax, dword ptr [ebp-0x1C]
00402014 .  50             push eax
00402015 .  E8 16020000    call 00402230                            ;  AsmCrc(myBAry, Len(Text1.Text))
0040201A .  8BF8          mov    edi, eax
0040201C .  8D4D E0       lea    ecx, dword ptr [ebp-0x20]
0040201F .  897D E8       mov    dword ptr [ebp-0x18], edi
00402022 .  FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]  ;  msvbvm60.__vbaFreeStr

我们跟进call 00402230
00402230 $  55             push ebp
00402231 .  8BEC          mov    ebp, esp
00402233 .  83EC 08       sub    esp, 0x8
00402236 .  68 06114000    push <jmp.&MSVBVM60.__vbaExceptHandler> ;  SE 处理程序安装
0040223B .  64:A1 00000000 mov    eax, dword ptr fs:[0]
00402241 .  50             push eax
00402242 .  64:8925 00000000 mov    dword ptr fs:[0], esp
00402249 .  83EC 3C       sub    esp, 0x3C
0040224C .  53             push ebx
0040224D .  56             push esi
0040224E .  57             push edi
0040224F .  8965 F8       mov    dword ptr [ebp-0x8], esp
00402252 .  C745 FC E8104000 mov    dword ptr [ebp-0x4], 004010E8
00402259 .  33C0          xor    eax, eax
0040225B .  6A 03          push 0x3
0040225D .  8945 EC       mov    dword ptr [ebp-0x14], eax
00402260 .  8945 CC       mov    dword ptr [ebp-0x34], eax
00402263 .  8945 C8       mov    dword ptr [ebp-0x38], eax
00402266 .  8945 C4       mov    dword ptr [ebp-0x3C], eax
00402269 .  68 9C1D4000    push 00401D9C
0040226E .  8D45 D4       lea    eax, dword ptr [ebp-0x2C]
00402271 .  50             push eax
00402272 .  FF15 54104000 call dword ptr [<&MSVBVM60.__vbaAryConstru>;  msvbvm60.__vbaAryConstruct2
00402278 .  8B4D E0       mov    ecx, dword ptr [ebp-0x20]
0040227B .  8B3D 88104000 mov    edi, dword ptr [<&MSVBVM60.#644>]    ;  msvbvm60.VarPtr
00402281 .  C701 58595A5B mov    dword ptr [ecx], 0x5B5A5958
00402287 .  8B55 E0       mov    edx, dword ptr [ebp-0x20]
0040228A .  C742 04 5E5033C0 mov    dword ptr [edx+0x4], 0xC033505E
00402291 .  8B45 E0       mov    eax, dword ptr [ebp-0x20]
00402294 .  C740 08 368A0103 mov    dword ptr [eax+0x8], 0x3018A36
0040229B .  8B4D E0       mov    ecx, dword ptr [ebp-0x20]
0040229E .  C741 0C F0D1CE41 mov    dword ptr [ecx+0xC], 0x41CED1F0
004022A5 .  8B55 E0       mov    edx, dword ptr [ebp-0x20]
004022A8 .  C742 10 3BCA7EF4 mov    dword ptr [edx+0x10], 0xF47ECA3B
004022AF .  8B45 E0       mov    eax, dword ptr [ebp-0x20]
004022B2 .  C740 14 368933C3 mov    dword ptr [eax+0x14], 0xC3338936
004022B9 .  8B4D E0       mov    ecx, dword ptr [ebp-0x20]
004022BC .  51             push ecx
004022BD .  FFD7          call edi                                  ;  <&MSVBVM60.#644>
004022BF .  8B55 08       mov    edx, dword ptr [ebp+0x8]
004022C2 .  8B32          mov    esi, dword ptr [edx]
004022C4 .  8BD8          mov    ebx, eax
004022C6 .  56             push esi
004022C7 .  8D45 CC       lea    eax, dword ptr [ebp-0x34]
004022CA .  50             push eax
004022CB .  FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLock>]  ;  msvbvm60.__vbaAryLock
004022D1 .  56             push esi
004022D2 .  6A 01          push 0x1
004022D4 .  FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaLbound>] ;  msvbvm60.__vbaLbound
004022DA .  8BC8          mov    ecx, eax
004022DC .  8B45 CC       mov    eax, dword ptr [ebp-0x34]
004022DF .  8B50 0C       mov    edx, dword ptr [eax+0xC]
004022E2 .  2B50 14       sub    edx, dword ptr [eax+0x14]
004022E5 .  03CA          add    ecx, edx
004022E7 .  51             push ecx
004022E8 .  FFD7          call edi
004022EA .  8945 C4       mov    dword ptr [ebp-0x3C], eax
004022ED .  8D45 CC       lea    eax, dword ptr [ebp-0x34]
004022F0 .  50             push eax
004022F1 .  FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUnlock>>;  msvbvm60.__vbaAryUnlock
004022F7 .  56             push esi
004022F8 .  8D4D C8       lea    ecx, dword ptr [ebp-0x38]
004022FB .  51             push ecx
004022FC .  FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLock>]  ;  msvbvm60.__vbaAryLock
00402302 .  56             push esi
00402303 .  6A 01          push 0x1
00402305 .  FF15 84104000 call dword ptr [<&MSVBVM60.__vbaUbound>] ;  msvbvm60.__vbaUbound
0040230B .  8BD0          mov    edx, eax
0040230D .  8B45 C8       mov    eax, dword ptr [ebp-0x38]
00402310 .  8B48 0C       mov    ecx, dword ptr [eax+0xC]
00402313 .  2B48 14       sub    ecx, dword ptr [eax+0x14]
00402316 .  03D1          add    edx, ecx
00402318 .  52             push edx
00402319 .  FFD7          call edi
0040231B .  8D55 C8       lea    edx, dword ptr [ebp-0x38]
0040231E .  52             push edx
0040231F .  8BF0          mov    esi, eax
00402321 .  FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUnlock>>;  msvbvm60.__vbaAryUnlock
00402327 .  8D45 EC       lea    eax, dword ptr [ebp-0x14]
0040232A .  50             push eax
0040232B .  FFD7          call edi
0040232D .  8B4D 0C       mov    ecx, dword ptr [ebp+0xC]
00402330 .  8B55 C4       mov    edx, dword ptr [ebp-0x3C]
00402333 .  51             push ecx
00402334 .  50             push eax
00402335 .  56             push esi
00402336 .  52             push edx
00402337 .  53             push ebx
00402338 .  E8 FBF8FFFF    call <<------user32-CallWindowProcA------>>
0040233D .  FF15 28104000 call dword ptr [<&MSVBVM60.__vbaSetSystemE>;  msvbvm60.__vbaSetSystemError
00402343 .  68 70234000    push 00402370
00402348 .  EB 13          jmp    short 0040235D
0040234A .  8B35 C0104000 mov    esi, dword ptr [<&MSVBVM60.__vbaAryUn>;  msvbvm60.__vbaAryUnlock
00402350 .  8D45 CC       lea    eax, dword ptr [ebp-0x34]
00402353 .  50             push eax
00402354 .  FFD6          call esi                                  ;  <&MSVBVM60.__vbaAryUnlock>
00402356 .  8D4D C8       lea    ecx, dword ptr [ebp-0x38]
00402359 .  51             push ecx
0040235A .  FFD6          call esi
0040235C .  C3             retn
0040235D >  8D45 C4       lea    eax, dword ptr [ebp-0x3C]
00402360 .  50             push eax
00402361 .  8D55 D4       lea    edx, dword ptr [ebp-0x2C]
00402364 .  6A 00          push 0x0
00402366 .  8955 C4       mov    dword ptr [ebp-0x3C], edx
00402369 .  FF15 34104000 call dword ptr [<&MSVBVM60.__vbaAryDestruc>;  msvbvm60.__vbaAryDestruct
0040236F .  C3             retn

如果我们将所有代码放入Form1.frm
Option Explicit

Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, _
            ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long

Private Function AsmCrc(bytInput() As Byte, ByVal Init As Long) As Long

   Dim Asm(5) As Long
   Asm(0) = &H5B5A5958
   Asm(1) = &HC033505E
   Asm(2) = &H3018A36
   Asm(3) = &H41CED1F0
   Asm(4) = &HF47ECA3B
   Asm(5) = &HC3338936
   CallWindowProc VarPtr(Asm(0)), _
                  VarPtr(bytInput(LBound(bytInput))), _
                  VarPtr(bytInput(UBound(bytInput))), _
                  VarPtr(AsmCrc), _
                  Init
End Function

Private Sub Command1_Click()

   Dim myBAry() As Byte
   Dim myL As Long
   myBAry = StrConv(Text1.Text, vbFromUnicode)
   myL = AsmCrc(myBAry, Len(Text1.Text))
   MsgBox "ueruewrew" & myL
   Text2.Text = "字符串" & Text1.Text & "fhdsfksdfs:" & myL

End Sub

我们看看关键的代码：

00402119 .  FF15 10104000 call dword ptr [<&MSVBVM60.__vbaLenBs>;  msvbvm60.__vbaLenBstr
0040211F .  50          push eax
00402120 .  8D4D E4    lea    ecx, dword ptr [ebp-0x1C]
00402123 .  51          push ecx
00402124 .  56          push esi
00402125 .  FF97 F8060000 call dword ptr [edi+0x6F8]          ;  myBAry = StrConv(Text1.Text, vbFromUnicode)

下面是关键call代码：

00401E60 > \55          push ebp
00401E61 .  8BEC       mov    ebp, esp
00401E63 .  83EC 08    sub    esp, 0x8
00401E66 .  68 06114000 push <jmp.&MSVBVM60.__vbaExceptHandle>;  SE 处理程序安装
00401E6B .  64:A1 0000000>mov    eax, dword ptr fs:[0]
00401E71 .  50          push eax
00401E72 .  64:8925 00000>mov    dword ptr fs:[0], esp
00401E79 .  83EC 3C    sub    esp, 0x3C
00401E7C .  53          push ebx
00401E7D .  56          push esi
00401E7E .  57          push edi
00401E7F .  8965 F8    mov    dword ptr [ebp-0x8], esp
00401E82 .  C745 FC D8104>mov    dword ptr [ebp-0x4], 004010D8
00401E89 .  33C0       xor    eax, eax
00401E8B .  6A 03       push 0x3
00401E8D .  8945 EC    mov    dword ptr [ebp-0x14], eax
00401E90 .  8945 CC    mov    dword ptr [ebp-0x34], eax
00401E93 .  8945 C8    mov    dword ptr [ebp-0x38], eax
00401E96 .  8945 C4    mov    dword ptr [ebp-0x3C], eax
00401E99 .  68 F01B4000 push 00401BF0
00401E9E .  8D45 D4    lea    eax, dword ptr [ebp-0x2C]
00401EA1 .  50          push eax
00401EA2 .  FF15 54104000 call dword ptr [<&MSVBVM60.__vbaAryCo>;  msvbvm60.__vbaAryConstruct2
00401EA8 .  8B4D E0    mov    ecx, dword ptr [ebp-0x20]
00401EAB .  8B3D 88104000 mov    edi, dword ptr [<&MSVBVM60.#644>>;  msvbvm60.VarPtr
00401EB1 .  C701 58595A5B mov    dword ptr [ecx], 0x5B5A5958
00401EB7 .  8B55 E0    mov    edx, dword ptr [ebp-0x20]
00401EBA .  C742 04 5E503>mov    dword ptr [edx+0x4], 0xC033505E
00401EC1 .  8B45 E0    mov    eax, dword ptr [ebp-0x20]
00401EC4 .  C740 08 368A0>mov    dword ptr [eax+0x8], 0x3018A36
00401ECB .  8B4D E0    mov    ecx, dword ptr [ebp-0x20]
00401ECE .  C741 0C F0D1C>mov    dword ptr [ecx+0xC], 0x41CED1F0
00401ED5 .  8B55 E0    mov    edx, dword ptr [ebp-0x20]
00401ED8 .  C742 10 3BCA7>mov    dword ptr [edx+0x10], 0xF47ECA3B
00401EDF .  8B45 E0    mov    eax, dword ptr [ebp-0x20]
00401EE2 .  C740 14 36893>mov    dword ptr [eax+0x14], 0xC3338936
00401EE9 .  8B4D E0    mov    ecx, dword ptr [ebp-0x20]
00401EEC .  51          push ecx
00401EED .  FFD7       call edi                            ;  <&MSVBVM60.#644>
00401EEF .  8B55 0C    mov    edx, dword ptr [ebp+0xC]
00401EF2 .  8B32       mov    esi, dword ptr [edx]
00401EF4 .  8BD8       mov    ebx, eax
00401EF6 .  56          push esi
00401EF7 .  8D45 CC    lea    eax, dword ptr [ebp-0x34]
00401EFA .  50          push eax
00401EFB .  FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLo>;  msvbvm60.__vbaAryLock
00401F01 .  56          push esi
00401F02 .  6A 01       push 0x1
00401F04 .  FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaLboun>;  msvbvm60.__vbaLbound
00401F0A .  8BC8       mov    ecx, eax
00401F0C .  8B45 CC    mov    eax, dword ptr [ebp-0x34]
00401F0F .  8B50 0C    mov    edx, dword ptr [eax+0xC]
00401F12 .  2B50 14    sub    edx, dword ptr [eax+0x14]
00401F15 .  03CA       add    ecx, edx
00401F17 .  51          push ecx
00401F18 .  FFD7       call edi
00401F1A .  8945 C4    mov    dword ptr [ebp-0x3C], eax
00401F1D .  8D45 CC    lea    eax, dword ptr [ebp-0x34]
00401F20 .  50          push eax
00401F21 .  FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUn>;  msvbvm60.__vbaAryUnlock
00401F27 .  56          push esi
00401F28 .  8D4D C8    lea    ecx, dword ptr [ebp-0x38]
00401F2B .  51          push ecx
00401F2C .  FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaAryLo>;  msvbvm60.__vbaAryLock
00401F32 .  56          push esi
00401F33 .  6A 01       push 0x1
00401F35 .  FF15 84104000 call dword ptr [<&MSVBVM60.__vbaUboun>;  msvbvm60.__vbaUbound
00401F3B .  8BD0       mov    edx, eax
00401F3D .  8B45 C8    mov    eax, dword ptr [ebp-0x38]
00401F40 .  8B48 0C    mov    ecx, dword ptr [eax+0xC]
00401F43 .  2B48 14    sub    ecx, dword ptr [eax+0x14]
00401F46 .  03D1       add    edx, ecx
00401F48 .  52          push edx
00401F49 .  FFD7       call edi
00401F4B .  8D55 C8    lea    edx, dword ptr [ebp-0x38]
00401F4E .  52          push edx
00401F4F .  8BF0       mov    esi, eax
00401F51 .  FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaAryUn>;  msvbvm60.__vbaAryUnlock
00401F57 .  8D45 EC    lea    eax, dword ptr [ebp-0x14]
00401F5A .  50          push eax
00401F5B .  FFD7       call edi
00401F5D .  8B4D 10    mov    ecx, dword ptr [ebp+0x10]
00401F60 .  8B55 C4    mov    edx, dword ptr [ebp-0x3C]
00401F63 .  51          push ecx
00401F64 .  50          push eax
00401F65 .  56          push esi
00401F66 .  52          push edx
00401F67 .  53          push ebx
00401F68 .  E8 57FCFFFF call <<------user32-CallWindowProcA-->
00401F6D .  FF15 28104000 call dword ptr [<&MSVBVM60.__vbaSetSy>;  msvbvm60.__vbaSetSystemError
00401F73 .  68 A01F4000 push 00401FA0
00401F78 .  EB 13       jmp    short 00401F8D
00401F7A .  8B35 C0104000 mov    esi, dword ptr [<&MSVBVM60.__vba>;  msvbvm60.__vbaAryUnlock
00401F80 .  8D45 CC    lea    eax, dword ptr [ebp-0x34]
00401F83 .  50          push eax
00401F84 .  FFD6       call esi                            ;  <&MSVBVM60.__vbaAryUnlock>
00401F86 .  8D4D C8    lea    ecx, dword ptr [ebp-0x38]
00401F89 .  51          push ecx
00401F8A .  FFD6       call esi
00401F8C .  C3          retn
00401F8D >  8D45 C4    lea    eax, dword ptr [ebp-0x3C]
00401F90 .  50          push eax
00401F91 .  8D55 D4    lea    edx, dword ptr [ebp-0x2C]
00401F94 .  6A 00       push 0x0
00401F96 .  8955 C4    mov    dword ptr [ebp-0x3C], edx
00401F99 .  FF15 34104000 call dword ptr [<&MSVBVM60.__vbaAryDe>;  msvbvm60.__vbaAryDestruct
00401F9F .  C3          retn

看来生成的call里面的内容是一样的，一个简单的call，却包含很多垃圾的代码。
然后我们看看那个CallWindowProcA：
00401BC4 > $  A1 DC324000 mov    eax, dword ptr [0x4032DC]       ;  <------user32-CallWindowProcA------>
00401BC9 .  0BC0       or    eax, eax
00401BCB .  74 02       je    short 00401BCF
00401BCD .  FFE0       jmp    eax
00401BCF >  68 AC1B4000 push 00401BAC                      ;  user32
00401BD4 .  B8 90114000 mov    eax, <jmp.&MSVBVM60.DllFunctionC>
00401BD9 .  FFD0       call eax
00401BDB .- FFE0       jmp    eax                            ;  user32.CallWindowProcA

基本可以看出这种方式的汇编还是很没有效率的！嵌入汇编还是asminvb更有效率！

		自动登录	找回密码
密码			加入我们

[VB] 测试CallWindowProc执行汇编