Win32ASM学习[6]: PTR、OFFSET、ADDR、THIS

本文详细解析了数据尺寸指定、内存赋值、偏移与地址的区别及使用场景,通过具体代码实例深入探讨了如何高效进行数据操作与内存赋值,包括对变量的读取、修改和内存地址的正确应用。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

 

PTR: 指定要操作的数据尺寸

------------------------------------------------------------------------------------------------------------------------------------------

.386
.model flat, stdcall

include    windows.inc
include    kernel32.inc
include    masm32.inc
include    debug.inc
includelib kernel32.lib
includelib masm32.lib
includelib debug.lib

.data
    val db 11h, 22h, 33h, 44h, 55h, 66h, 77h, 88h

.code
main proc
    xor eax, eax                    ;清空 EAX, 同 mov eax, 0
    mov eax, dword ptr val   ;
    PrintHex eax                   ;44332211
   
    xor eax, eax                      ;
    mov eax, dword ptr val+1 ;
    PrintHex eax                      ;55443322
   
    xor eax, eax             ;
    mov ax, word ptr val     ;
    PrintHex eax             ;00002211
   
    xor eax, eax             ;
    mov al, byte ptr val     ;
    PrintHex eax             ;00000011
    ret
main endp
end main

------------------------------------------------------------------------------------------------------------------------------------------

OFFSET 和 ADDR 的异同:
1、offset 不能获取局部变量的地址;
2、addr 只能用于调用函数(invoke)时, 不能用于赋值操作;
3、addr 面对局部变量时会转换为 lea 等指令, addr 面对全局变量时则直接调用 offset;
4、在 invoke 中应尽量使用 addr, 其他只用 offset.

------------------------------------------------------------------------------------------------------------------------------------------

.386
.modelflat,
stdcall

include
   windows.inc

include
   kernel32.inc
include
   masm32.inc
include
   debug.inc
includelib
kernel32.lib
includelib
masm32.lib
includelib
debug.lib

.data
    TextAddr equ this byte  ;伪指令 this 可让当前变量和下一个变量同址
    szText db'Asm', 0
.code
main proc
    PrintHex offset szText  ;00403000
    PrintHex offset TextAddr ;00403000
   
    PrintString szText      ;Asm
    mov [TextAddr], 'a'     ;给 TextAddr 赋值
    PrintString szText      ;asm
    ret
main
endp
end
main

--------------------------------------------------------------------------------------------------------------------

同址异名

struct task_struct_offset { int16_t pid_offset; int16_t tgid_offset; int16_t thread_pid_offset; int16_t ptracer_cred_offset; int16_t real_cred_offset; int16_t cred_offset; int16_t comm_offset; int16_t fs_offset; int16_t files_offset; int16_t loginuid_offset; int16_t sessionid_offset; int16_t seccomp_offset; int16_t security_offset; int16_t stack_offset; int16_t tasks_offset; int16_t mm_offset; int16_t active_mm_offset; }; int resolve_current() { uint64_t sp_el0, sp; asm volatile("mrs %0, sp_el0" : "=r"(sp_el0)); asm volatile("mov %0, sp" : "=r"(sp)); sp_el0_is_current = 0; sp_el0_is_thread_info = 0; init_task = (struct task_struct *)kallsyms_lookup_name("init_task"); uint64_t init_thread_union_addr = kallsyms_lookup_name("init_thread_union"); if (is_kimg_range(sp_el0)) { if (sp_el0 == init_thread_union_addr) { sp_el0_is_thread_info = 1; } else if ((uint64_t)init_task == sp_el0 || (sp_el0 & (page_size - 1)) || (task_struct_offset.comm_offset = find_swapper_comm_offset(sp_el0, TASK_STRUCT_MAX_SIZE)) > 0) { sp_el0_is_current = 1; init_task = (struct task_struct *)sp_el0; } else { sp_el0_is_thread_info = 1; } } int thread_shift_cand[] = { 14, 15, 16 }; for (int i = 0; i < sizeof(thread_shift_cand) / sizeof(thread_shift_cand[0]); i++) { int tsz = 1 << thread_shift_cand[i]; uint64_t sp_low = sp & ~(tsz - 1); uint64_t psp = sp_low; for (; psp < sp_low + THREAD_INFO_MAX_SIZE; psp += 8) { if (*(uint64_t *)psp == STACK_END_MAGIC) { if (psp == sp_low) { thread_size = tsz; stack_end_offset = 0; thread_info_in_task = 1; } else { thread_size = tsz; stack_end_offset = psp - sp_low; thread_info_in_task = 0; } break; } } } if (!thread_info_in_task) { uint64_t thread_info_addr = (uint64_t)current_thread_info_sp(); if (init_task) { for (uint64_t ptr = thread_info_addr; ptr < thread_info_addr + stack_end_offset; ptr += sizeof(uint64_t)) { uint64_t pv = *(uint64_t *)ptr; if (pv == (uint64_t)init_task) { task_in_thread_info_offset = ptr - thread_info_addr; break; } } } else { for (uint64_t ptr = thread_info_addr; ptr < thread_info_addr + stack_end_offset; ptr += sizeof(uint64_t)) { uint64_t pv = *(uint64_t *)ptr; task_struct_offset.comm_offset = find_swapper_comm_offset(pv, TASK_STRUCT_MAX_SIZE); if (task_struct_offset.comm_offset > 0) { init_task = (struct task_struct *)pv; task_in_thread_info_offset = ptr - thread_info_addr; } } } } if (task_struct_offset.comm_offset <= 0) { task_struct_offset.comm_offset = find_swapper_comm_offset((uint64_t)init_task, TASK_STRUCT_MAX_SIZE); } uint64_t stack_base = (sp & ~(thread_size - 1)); for (uintptr_t i = (uintptr_t)init_task; i < (uintptr_t)init_task + TASK_STRUCT_MAX_SIZE; i += sizeof(uintptr_t)) { uintptr_t val = *(uintptr_t *)i; if (stack_base == val) { stack_in_task_offset = i - (uintptr_t)init_task; task_struct_offset.stack_offset = stack_in_task_offset; break; } } return 0; }请问tasks_offset应该按照这样的代码方法获取呢?
03-23
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值