/ if ee Ba z 4 WX OBE, =a KA qc 5 id 2 © FES ae ® HK PEK es we ——=S | RSID Windows LJ ke Rat MiC4 Fmd © TASCA aa + TH RRA AR cr he wnrmibroneiowcomen FERRERS A + Ae Ne A BT HH HB BS shes eS sheeted ( 2EAMATARWER, RORAREMME, MSCRRREKMRA I | HODRAHED RMR, | SRNFhRSMRWA—WinDdgh, —WAHERRZAP. RABBESHE | ARLSHALRARRAAAMWindowsHe, MEEAMBLRUAB AIT Bett Bh, —RWindowskRHROLM. AFRP MAHI, HARAWindows a SRS? MRSEARHBS, HABEAS TH. ABRADLE, HALLE, MMF, R2N-AAR, REUMARMBMZ. BaF ARIK 3 Beensoft) = ) Tene ; WR. \2002FF/2008F, 1A AAR to Windows PHC ah OO 3 | To A2008F FS S— TEP R AG R12 [a] ESS BY SCOT HB EIE AR HAGOAR WHO EME (www.dr BERRIES RRAR. BES Je NB i) F x86 tk ARIS G Windows RMI BA Ha 5185618 | WIRE ONFE RB BTCENA BB — TE es IB ERT 8 Windows AVR AY FT Be ) Ltt. BH SM Rrootkit LADarkSpyi+#2—. M%wowococks =a www.dearbook.com.en LIT: H-te R— Rae: Be n) ESE: AAT 787124 I ie eerre rT es ARAMARES, MAMB. Ett: 45.007 © \\iCeai® Windows Pulaoatz WN WES S SaM Sh SFL Et Rat Publishing House of Electronics Industry AG3*BELING AS i tr ABM ARAN Windows FEF SiH 4 HIE, ARHURUHEE T Windows ABE, ER, BUR, DR ATT IT. UATE C)CH IFA Windows FEAPRUAER L, HERR HRI C TROLL, BEAT iF Windows 1/2. IFA B BE Windows AY BEI AEATI I, LLB Windows PY BRO ME AHL Ht. RAE AAU CCH YE Windows LameE tine, JLIGE Aa AINE A CHEARTHIRM Windows [ZAIRE PB. DLL PR TPR APB: SLAY Windows PUREREE AR. ASOT MAB (O BIER REAL BRL TE BEAN BE RENT, MAME A KM RBA BZ IPRA. ABU, ALF. BBAMURE (CIP) BE RACE: INCRE! Windows ABA / HK, AME. Ab: FIAMMA, 2008.10 EOE AM BD ISBN 978-7-121-07339-7, 1 Fee A. Dit QB ML. OL IV, TP313. TP316.7 it QRUK, Windows— AFIT "PILAS 50H CIP MAREE (2008) 3% 136007 Tt: BO Cl Ril: ACR AGA ENA RRA os dea aE A) HAART: LF LM a ASR HiME TARE 173-48 ESR 100036 HR: 787X980 6 EN: 17.79 “FM, 303-FF Flt: 2008 4 10 AS 1 PERRY Fs SOOO AR EFT: 45.00 70 AFNOLF LH RTC EL, ROSSI. SCR, AERATOR. KAR MOM: (010) 88254888. ALBLVEIMRR AUPE cles @phei.com.en, HENLE BLASHLIRMMIHEE dbqa@ phei.com.cn. ASIA: (010) 88258888. 
2 Olt Windows JLBEAM AWRY. th Windows JFARA THRE, RACER ALAR Bot, TEE RRMA) A CACY SURAT. BAT CAREY, RABBIS AUR IESE AL ADIL TE SABE. REMEMBER, GOT. URES. BU. AR ASB AR NOESL ER, MSH 2 de ACME DIE RRR TDA AS ED A AR ET CL RR ate. IRAE OG, AL CIR APES, WS ZR GPT, BILE Windows LEE AS ATT LAS, OCALA, Eb RRR Re WAAL OT BESTE AEIEIRAS OSE. DEIR BRAT AEDE ME C (RE, fo] LRA RETR TBR? 18 SEED. PAE C HRB. BEAT IPLA RUSH Windows RIKI. (UEREIA TERA AIA FB, AEF Windows MERA ATI, GEER AIEEE BTR, RAL HATES. ATSSRUN IIE MOLI. SUR SATA SFA ORE STAT SS A ARE TR A ICES. RUE SR, ZEST BY RZAN Be. (ERICA T PAR) EL CSE BAPE Windows WEAAEE, 24 WDK, WinDbg (RFT, ( Windows AK FREREALE, RHMWCAARS OSHA RE. EKER RBA TAM, SEA BEAT ABS 6 ERATE, ICSE TDR Windows REE FIFA BIA MERIT HO ae, RRA T IE. “mM: PRR AMAL A OR, LBA RAI". “KREWE” RMA ARAN TASER. REPRINT MMR, HAC CPU RRL ICME. Windows ARM. RAE CE SER, FERALAS AR, FF SAROR-PEE TERT BET ER BEA BEE fil. FA OER, FYE, EER RT RAT, GP Pa ABBY RAVER AL, JPILADE SCD ES — FF RG TRL ES A SAS BT ERA AS TN F, WASTE CL BOH, TAREE Sik aN THM ALA. ABS TE SCOTS 25 His ASE AAR TE A AT a 2 FA ER SO SPC SIMRAN KR, APU C WAGGA Windows AK HEH. a FER Windows V9 Pi (R) C ies Si ELI ERM. LEE AERA ARE C18 FPR Windows WK FLF « POR SE MT A INTE RRA, PRAT TAR: Windows HRMOMITRRG, FRRACELME. HAN, MET RMOAAK fis PARE DORIMAT BLE AILS SKA, DATE ERLE RIL WINE, FEE ABER, SHAT MEAT Windows Pit% Hook FRMIAIE. Zak Windows PK Hook (I —AMAUHY: ERATE TAS I BEAR RS eB EA PET FE JEZIG, MESA T RRR IE ee HRL HL: Rootkit 5 HIPS. bet — Sebi (UE GA hey. AMES, TCC AHIR, A Windows MALIA, WL BX Windows AEM T MAA RELY. PARE MME, Mea sl—P CRE seme. im xX 2008 4A 2A AFM BKGICM ABO MD, HP MRA RTC RR, BRIM. KAD OH 1-3 HF. MBARYWA, Cite Windows ARAK, RAC HES LMETHR AGE H. REA CAM ICMES, IMENT MICRA, HAL Aa. 
1B RRS CBR mm " 2 Ll EBLE sn 7 4 LLL JH Visual Studio fat FE ~ " meee Mvsvensearnannnnennneing 4 1.1.2 Hj Visual Studio M4711 Be{Ui5, ‘S 12 BES SAUL BS ~~ 6 1.21 ERM EH Em - 6 12.2 RUB MeikIS- 7 1.23, BRA late 8 13 CRRMS Mea 9 B2R CHAN RRMA 4 21 CANE BRIG mmm Is 2A for HER - se 1s 2.1.2 do fH " ™ mrseerneennarsanans 16 21.3 while HH ” ” 7 2.2 Cie SHIM eM RA ~ ~ 18 2.2.1 iftelse JIMA a} 18 2.2.2 switeh-case PISS sons 19 23 CRRA Sey - 22 24 Ci MSE AHI sen serene 24 B38 SIRLMCRARE~ moe “26 BL FRETS rrr 27 BAL AEG BRIL BA RSHATT mn 7 3.1.2 Mik Ke ga BETS 28 3.2 RATA BRI sans 38 3.3 WR C iB THD) sesssenuneonsnanennsnnenneneennereane Sen A AK HAR KEORALHD, BIZ Windows AMEPRAA LHR, AAP OUB 407%, SORRA AT Windows AARC A— ZH TM, TARAS, oR AAR RAL Windows ABE, AAD -TRA TH Windows AAU, FRRM WOK, FRAARRAH TESTE A PRS open ennnnnemnnnnmnr 38 A PPAR IYLSE oe rnnenn 39 ALL SUB PREBLE mm sv tunnnannnmnee 39 412 “PAPO ITOAE, . an 413 FAERIE 2 414 re AA Be 42 4.15 PRE RNETED 43 42 WHE ~ 45 4.241 TPO SHRL SRR seen 45 4.2.2 (HAI LIST_ENTRY: ssn sone AG 42.3 HALEN ssn 49 4.24 HUAN crn 50 BSR MASA RIRTE mentee 52 5.1 SURE 33 5.1.1 $&] OBJECT_ATTRIBUTES S12 FRA S13 SCPE Bet . ese enna 5.2 HEAREHRE sonntninninnnnnnnnnnnnne nee 6 S21 HEAR METIF vm so “VI+ 5.2.2 TRAE REM E mmo - . 6 5.2.3 TeARAHS “ - 6s Bom mia swe . . en GL WET eR aE - 68 611 RA “68, 6.1.2 RA 69 6.1.3. 40H tn snc TD 6.2 ALGER : 7 a 6.2.1 AI REREY S “ B 622 eeRREst ORE sn +5 6.2.3 (EAD att ~ z 16 7H Wi. SRK " 9 Te SRE BR fh one os 80 TAA SDA CL GBR RYR oo se 8 712 AR RCA M TAS BARRE me 82 TAA TBE rn ™ 83 TAS BRT RES ERE MDD HE ~ ~ 85 7.2 WPRALAL - 86 7.2.1 IRP 43 10_STACK_LOCATION cn 86 722 HFSKA fe eh ~ ” 88. 
723 BUM A mee 89 7.2.4 Beanie ett meee OL RR AR AK ABOR SAD, FAK Windows AMBP, FRAIL BRED 3831, KD OAH 8-10, RRA A Windows AMBALA ZH TM, RPDS RA; SORIRA MAIL Windows AHA, that RAED HARD, HAC SARBFHRERAT AREA, RRALRA-RRD He PENARSHRARBHRA, HACRER AR —w, (em iH, 8H iD Windows AK ~ 96 8.1 JERE Windows PG EE orem - wee QT + Vil 82 83 84 85 on 8.1L APBREBDPEAERHR YE nner vennnes QT 812 ACIRAS +H bE “E21 WinDbg HET WA: 8.21 MRM A 8.2.2 HLH Windows XP illstVty-~ 8.2.3 RE VMWare ELH 8.2.4 BERR REABL Vista BOTHER ~ 8.2.5 BL Windows WHR A sree: 106 8.2.6 Wikt Y diskperf 106 VARA BARI CAT 107 FARR C ABARE ; seme LH ‘aod ARH 3 4 a BEL sesenenenennimenne 1 ROR A Ce SAE FI CHP RABE crn 18 9 REE CHART 18 9.1.2 EC He Cane “119 9.1.3 (RA was wat ~~ 120 9.1.4 SBE new BREA 241 9.2 93 R108 10.1 10.2 10.3 10.4 * VIII SPS Bk At A BE son 12 9.2.1 new BYE AFAR “122 922 Mike, 124 TRS HY CHEE 126 WERE Windows ALK sennninnninnnnnnnnnnnnees (Bl RR Windows 241 A Kia ~ 132 A CSREL XP MSTA 102.1 RS 10.22 SH C RHR REAR non BATES RENTER 64 HBR TE RAE FRI BL 10.4.1 SPB 64 (LB ARSE IIE, orn 143, 10.4.2 PRAT fi 64 1A Hei HH PRE WAM Bek AK BRAAPHFORD, RH CBSALRK Windows AMARA, HPRMIE BLS, IRL ER, LIS A ART. EA Windows AAA, ABT VLA Windows ARASH —A “AAT” 5 AMRERMRAA, aAILE COTE ART AP at CA HY AA A AT ARB AA IH 11-13 H, £S1p48H 2A Hook. BNE NRBSRCMTE 150, ILL TAF Intel LARS: cose ve peennnnnnnnarnnna 1st VLD ei ptTa 5 ~ 151 112 HAHA moe - oo 152 11.1.3 MOD-REG-R/M (JAE 155 Hdd Se ARAMA a 1s7 11.2 Bei 4851 XDE32 Jk ABER AE HS 159, 113 Beil HG] % XDE32 FLARE “162 E12 B CPU ARBRE SG SYTTBLI neers nnn 166 12.1 RingO All Ring3 BLIREF -ennnnnnnnnnnninnnnninnannnannnnn 167 12.2 PRPMBESL BINS LAL TEER 169 12.3 POL TEAST AT CR “ mee 172 12.3.1 ASHP PRAT PRP RE 172 123.2 Bul dar OAPs em 173 12.4 ARBRE AIH “ soe 177 124.1 WAIT R SEMI 178 12.4.2 sysenter All sysenit HH) z sn 181 913% FF Windows Pitk Hook 186 13.1. XP F Hook R#¢iAHH] loCallDriver“---~ 187 13.2 Vista F lofCaliDriver M2 189 13.3. 
Vista F inline hook 193 133.1 GABE 48 LAE “193 13.3.2 EBLE REE : 196 +Ix+ KG RAR KRAPAA ARAL RM HY, O46% 14~17 #, ATLA GRD HAR, ATA PALAME, ARMA MMAR S HRs RHF SRA EM HBA RRP OEMS AA, Baldo, AAR Hook 65 FPR AE FD, DIME R—A MB) AH Hook HAMM KH, RAMA TH BS HREPAKD ORE. KI, AMPERAH-E, PRM LR ERG, RLM RALHKA WR, LHAPWHEELSWA, ERMMLR, B4E RAB. ADLHFR 200 141 Rea, ATV 201 14.2 FPR AB SRAY errr rns ren ” 204 14.2.1 ZEA BR Re AE RT EE 204 14.2.2 CARD ERLE IT nro snnnnnnnninanennnnnnmnnannanosnnsne 208 14.2.3 2A Beeb APF ME Rn Mec mE 210 14.3 FPR 216 14.4 ACIDE AG IE Bo seen ren 218 15% Rootkit 5 HIPS. sername 30) 15.1 Rootkit 9 fi (88 9 e-em smn DOD 15.2 Rootkit 4 fa] ia BEY srnmnennuennnnrnennnennneninnnnecnennss 2d 15,3 HIPS 4ufAl#:Hlj Rootkit 234 B16 we 237 16.1 238 16.2 244 16.3 RAT'S ROB RE “251 163.1 ewe : z enmnnnnns SY 16.3.2 AAR RES 253 5817 FR VMProtect GRIME HB omnes 258 17.1 42% VMProtect ; nn 259 17.2. HHI VMProtect 261 17.3. #8 VMProtect 2 on ntononnnnnnininnenininnninnnnnenenenes 167 “Xe AFF AAILH APAS—-BD, CHOPRA CRABR, WECM ABE 1-3, MRMRHZ, ECA Windows ABAK, EMC BS SCRE SHKAHAY. URESCSHELRBS, HERMAN CHRS, Ba BRIAR. B18 miss S Cw ao 140 EMRE —FLE 1.1.1 Visual Studio €)22 T-#E » 1.1.2 HJ Visual Studio #24411 481003 » 1.2 MRR S AML RRS 1.2.1 HERI S 1.2.2 RGRERS 1.2.3 BREET LEB S 13 C RMMS MB RA Cees CS AF ALB RIR AN “AEE” KE CCH. CHURE Java Sea CH, MIR TAA CiBG.) HiT Microsoft #245 4: Windows OHTA IY C ARIE, Dat ears BU 4B SHEL, BZ, BERET eA CPS A TR A A CZ TE AL BRT BR AK RB Zh, IE — SBE. AEM BREE C ia. RSH BRE , FORRES. Meh DM BAF MTA. (HEEL. Windows MABAUHIEA bab C STU aa TE MAA. te eee FRIAS I Bad BNI IS. AC TA RRR. AE EMIZINMKA, (QE CIR ARERR, Bie eT HEMT AT BAAR AR. AAA CNS HAS CG, CM eR. WMARARLE GALE) HA ARRIGH LR, KS MANE MA LA” HOE, LAA A RTAB BY GAGS SPARE TARAOME BHA. 
RIAN AMRH, Z DRE TARR ONE SG, HALTARMOLAUA MIE, RAMAT, its ABBA SoS MAM LRRK, BIBBERAHAF NAR, AAEM GH AMHR P RAKE, T HARPR, GRA, RE, AHEWBCAMAAALTR, ROBASNMKRAL Ky REAR, HS RE” ARB LA. ARHRLEARPRAER TALE —RAASKHHRARH, REHRAABGAS, CRAMAAEAME HER, AHRRLLEE ESM RARE PLB, Vd Windows RAHM, WAT MA TZ bug 0 HA, HALBRADA, REE, MRAWALBTA, PRARARHRE, WARRIOR PE BATA. ARE T MAR LAIRA, TAMIR (Reversin, GAME). HAE Bde F BENZ. Reversing:Secrets of Reverse Engineering PRE. Reversing: MOLAMRE RABI Mc#iSSH) Windows HBT re He OU IR nia. Tab Nea : | Ged, GUDEEM, MRNA eee, MReRWET Windows RIRIZEE | _ AS OrTMRm ERLE. 11 bp SAT FAS ATRL AN, LOANS AMOR MERC SAE AE BR, OBA AREF 8 ERR I SEO 5 CRETE SCE IER MPH Ca SUR ATSE. CLL A, TREAT REO C era a OE AT TR. SULA BEM SERA C ACB AUAB SE. UR ATLL UN, UAE ACESI ICM HA — EE TEA Da CALS BR ERE. 1.2 4 CEB ALICRARS > SEALERS, IHORIELR ASL AE SM. 1.1.1 FA Visual Studio #32142 RAGED ULTRAM E Windows XP See MUNA, (AD Vista AMR RA, SURAT MAD SARA AA. Ble, ES RERRAM Visual Studio, HE? Visual Studio 2003 SLA RIANA. FTA ADH IAT BL Visual Studio 2003 I Visual Studio 2005 AUfHIR. WH EMA WIE. FIRM AIRE E Visual Studio L3B57— TH FSH LAE. AAR ATL RS. CD 47 7F Microsoft Visual Studio 2005, #338 “File”, (Bik TIM “New” FiHBY “Project”, 317F “New Project” #tid#E. (A Wie HF Visual CH, Win32; #71 Win32 Console Application; “FIRE A—~7+ TAS, Mai “OK” Hei, HORAIS. —WASRTRRRU GE, Jaa “Finish” 24H. HK Cwiees CBs EY REE TREE SEE RBH cpp MILE, HPF ERODES Nc HIE. Windows FRERGEA LAE CH ARSIN, BC Wa MIMI KR AV AVES © Arlt, RDA AE THE Nc MIC. IPE VC A AAU Ci FEAT ME. AAS SRT 1 I ORE Coe POD CIE COB 9 HY C++ 85 HN A ELE D0 @ to Rik 4 HFA Visual Studio 2005, HHEZE/EUAY Solution Explorer 4/1) & #54 8-4 fF SCF YourProjectName.cpp, i&## “Rename”, */a4®.cpp Hc BAT. DURA ELCE MY Visual Studio MRA, i AhitiAT HE, Remove KNEE. RRTES AL %, PMLA M AB, BPE “Add”, FLEE “Exist Item”, i8 MEK. 
EI EAE GED: #include "stdafx.h* int _tmain(int argc, TCHAR* argv[)) return 0; ) 1.1.2 FA Visual Studio S Ail CBRE MIC MeR ES, BT DLZE VC PRAT RS GE ASI KR. IRIE AS FAA Ai Ae A A OT A TC Sid B.C TBH. OD Ve wie FRA HER BNCGAES OL. BLE, iE return 0 — 4) hE AWA: IGRI AT, RRC FO BBB 2D te F Fs BULA. RRR Ide ATOR, FTIR “Debug” “Windows” 3%, 2&HE “Disassembly”. iXfE, HR —PRO, fas FIRMA: s+ £:\root \work\any\tla\t1a\t12.c // €12.cpp : Defines the entry point for the console application. uw Winclude *stdafx.h" int _tmain(int arge, _TCHAR* argv[]) ¢ 00411360 push ebp 00411361 mov ebp, esp 00411363 sub esp, 0COh KA BIE — ic 88841 Windows ABBE 00411369 push ebx 00411364 push esi 00411368 push edi 0041136C lea edi, [ebp-0Coh) 00411372 mov ecx, 30h 00411377 mov eax, OCCCCCCCCh 0041137¢ rep stos dword ptr es: [edi] return 0; 0041137E xor eax, eax 00411380 pop edi 00411381 pop esi 00411382 pop bx 00411383 mov esp, ebp 00411385 pop —ebp oo4ii3e6 ret URETHRA ETE A, PR ESL) — Pi at. ChAT Be SLIE RAY. S278E TIM push, mov, sub, lea. stos, xory pop, ret, #LATELARBEAS WEALTH SHAE POR AEH. 1.2 HES SIL aad 1.2.1 EAB RES AGRA ATTEAT TR. VAHEDD Intel REA AUE SFA. LEAL TERA ABE A KES ARTO ATS. DEPT TLL A Te, a, SBA BYR, TESLA TET GES © push: 48-4 32 BME ME AERO. MERLE SL esp BE 4. esp BIER SOA URI. BAU ARSE OR, ABA, ER ASRS, SS JE BUD RL RLHERL RY. esp HMROKE/). 7F 32 OOP AL, esp AK 4 CFA. © pop: HAR. esp BEI 4, — BGR. pop MSM — BEATER, BRT UE A BURT AE TE REP RA ZHE, sub, add XPHUSEARIA, D2 call, ret RRR U5 SEAL KRHA. (AI LEB RS MBM, sub Al add RAR BRENERE: call #1 SAK cMees CBS ret RY HERG A AR 0 IOP LARS UCRERAD R © sub: MIA. BPS RULE ER, BOP SRE. ONIN AE Hi add 484.) @ add: mid. eo rets BIG]. ACS TRL iM A OH. ORLA call #RSORIAAN SR, GLE Bical ZiGH FARE.) scall: mR. BAN. AER AS HE. RASS “Fah” HORE EHH, JXBLAE call A jmp MAIZ Me. call HSA EAM FAH AEE ERE, A DE AEA AMA FT, MOEA jmp RAIA. FAY, ret 2 Aah 3B Ls 7 Q call #424 F pushtjmp. ret #4 JK #0 4 F poptimp. | AME push. pop. 
call #il ret 2 BRVEHERR, sub A add tA] LFA PERE MEH. tm RAR BUR EHERE TP AL 4 4 ECS), ARATE 4 YC push, (12 (8) FH AE esp WA: 4*4=16 WNT. MRE, HAT LAAN add HHO RKRE. LAAT ON BB) ABE BR eT] Ay Ci PRE bP RE 1.2.2 BURRIAIES © mov; BUBBA). BOM EAUE AI, BMS ROLIUR. 2 CHES Pet MS. RAL A RE © xor: FFA. PRAMS IS, (LARA, xor cax.cax PME AS TEAL mov cax0. KERB, AAP WBE >. lea: RAPHE (PIF SHO BARAT M MAE GB-TEHD be QQ BF xoceancan, KI Lh ARH ] (RESELL, FUT lea HDR ACA mov IFAS, LUA. FI RtS: lea edi, [ebp-Occh) RA RIE ice | Windows (A292 TAGTAE AAG BAR, LAE ebp-Ooch IX HL HTN AFR BE A Ze. EE lea FERAL [ebp-Occh(*s#tibih, ABA Hit tk JE ebp-Occh, iXMIbALHS HEI AT edi Tt. ADI, SAF: mov edi,ebp-Occh {ELFEUAL. mov FSA, By mov AV RE MR ES I BS FF BRR A BF {LAE lea CHF, PULAPT VASE lea KARE FRO HORE RE RAL GE AE SAA SE ATH. UR EAR, EHH Fail. Ja T BERR stos, “FI AF iN ai Be FAA AH. mov ecx, 30h mov eax, Occececech. rep stos dword ptr es: (edi) stos KER FPATES, “EMA cax MY BARB edi HTH MIHLLEH, FAIR, edi BHM 4 (FARO. rep (ERO SLINT ecx PETS. FTAA ATER, IAS SAL SEER FBLA edi HUAI ASTER ID SHE. IXIA) stos JESEMMLINIE stosd, TAAL stosb. stosw, SPS XI TAbIE 4. 1, 2S, BALA 30h*4(0cOn) PF 4 HA Occh CHB int 3 RS MUALERES ), REALE ROHN EAE AS Ce 1.2.3 BES tBIES BSB Soo © jmp: EAR, RSE RR aN RR SZ o jg: MARX, KEM. BHAA ABS. 8 jl: BRL, DT IMRBE. AMT A LEAS. © jee: MAEM, ATS PNB. MMT AIRES. AWM AH, KE RASMAT 5 PISA teaRHRS = scmp: BAM, WAR. TEPER jes jl. jge ZAKIR ABIES MTA AE. RAR Cees Ce ASRS RTE TLR TE RTE MATL She TAS, Be Jes A So Aa BIS SG BUT eT. AP a BE AE CR, HEPE (Windows ASE FM 32 SCM TR BID) Ti. BRIT AM BE. Windows HEF A 32 eB, BE HAE. BFC RR AAR FAY Intel HOTA, MEHR BAF. 1.3 C MRS RE BTR BiAIR A FE AD AS NS A). TA ET ERA MRE. ee OER AE ARV, LUD, CUPL HEME ROOD RBH A SIROTA LSP. ZE He Ge NA ee UPA push A pop #4, APTA esp HITT ETNA — ART ERR ALLASMEISCBL. push BUTMIEEM, esp EULA. pop RUsMIN. IF C AIRE ROU PN, MERE AIA TIES RR A BIA) MER ASE, HE AA I SERS AILS). RLSM SIMTK, 160. 324%. 
64 CPU FABIA FBI 4, BME. ROMA C MRRERMIA RY C7734, BRAM BD GE BBS OBA HOME? , Bd (MARA MITA) RK TYHRAEL, CBEORFESO RRR, MHRARBHRAE-D HRY, Pascal Rs bt Ait 2, AA MRR RIG, PTA HE, RALPEA h&, BA CPU RKS—H—-RHRS, FFAS EMNARLH HA HH, call 44-4 ret HORAATAAMARHE, RERRMAAM MAHER, ‘| Windows At ae#= RAAYRAURA jmp $8 CARR, BTA RM AH Ae. tk, A BT ATE RAMAN, HRA RRR, ART SAK BAA A PREAMM, R-AK SHR RBA MAR, ABA ATHY RO ae BAR, BAA AA 1 LA OMA BRO EBRMKARORMHAE, £ Windows L, #19 4% Pascal A, WINAPI #A (_stdcall ), C FX, ( _cdecl ) edec! C 8130.8) : (1) BAAS] LRA; (2) AB AE ES, AREA IRA, ORAS ATI sae, _stdcall 245.2 WINAPT, 338 ARS: (C1) RRB H) EAA, (2) IAM A OH ATR, PE RH Ra cdecl Pascal #8). 4230) : Pascal MARAE AA Winl6 RKP, RARAAAM. (1) BRA AS BRA, (2) BA) Sk ik aT 8 A (3) RAAT RAH BABA se3b, A Windows AB PER LARA AA (_fasteall); 2 CHHsbit eR BH this call FA (_thiscall), RRSAG HOE PH eA, Baha CH CRS SWRES, HA Teme. 5a HER Bc FS void myfunction(int a, int b) t int © = a+b; ) 10 HA CRESS CBS AR ALRHENN C RIN sk. SULLA. OD Wii ee see sE see. @ iwiine. BH iar a sea tat i. ARLE C GF AE EKUAAA_cdecl 7/3C, ii Windows API ARAL _stdcall WE Ria ARSE (ORS HR MAR SP). AT BEAMS A cox 'P, RIB. QQ windows 75 A FS A ean ae eax P @ #138 Bf —— ay deck i 20 F Bei FH ea RCA BLL BSE gt. CL) ERE ebp. ebp BEB RUTPRIR AT BH BDUTZ HIM esp MA. HMTsEF Ziv BAL ebp WES esp; Il. TAURUCAR A Ee CA ebp HURT RUSH. BT CUAAE ebp KAMER, GBIIZ ASR, i ebp HRA. (2) tR4F esp Hi ebp 4. Limb SLT Bs BH ebp, JHE esp HA ebp ‘P, skit ebp 5 esp Fl ABI A ART push ebp mov ebp, esp (3) TEER i 7° 38 OR 2 Jb REE, A BOY VP BE ORE TEREIAD NY. TURE: JE esp Wb — HEL, BORE TIA T HEE. SRST, JASEE esp HSE AK ebp "P ARFF EN BHR ATLL T (4) PREF ebx. esi, edi SUHERET, eR MCI SC a HSE. ALERT HB esp & F6a)—/MUM, SPORE PHL eT 1 AY) FF AB A sub esp, 0cch push ebx —; FINRA = 4M: ebx. esi edi push esi KAKIE— ‘MEST Windows ARE push edi (5) FEAT DK RIAL REE Ocecececch. Occh IIH int 3 IS AVHLARGY, 1X PATE. BN aE ATTA, RIT. RA AT. key REP WRB RY. 
BRE VC HVE Debug RAS NUEP ATER. HACER MF lea edi, [ebp-0cch) ; AIKIEE mov edi, ebp-Occh, {HE mov RF rebp-Occh ik RMB ott ebp-Occh RAVE, ili lea EAA MH, tae ebp-Occh INES edi s. FI OVLIL IRA ABE RE PANEL CK ebp-Occh FEMI) PMT iB occceccech mov ecx, 33h mov eax, 0ccecccech rep stos dword ptr [edi] ;#™A 6) AR HALA CE AHO Bits. SRM AE ebpr12 FH WR PSH, ebp+8 HP-AVBSR CERUEEAD, RUM. BUG ebped fb ie BB DALI HL (7) RM ebx, esi. edi, esp. ebp, ATEN. (HFM Fs pop edi iW edi, esi, ebx pop esi pop ebx mov esp, ebp ISLA ebp Blesp, ikk—Ma 7 ABBE pop ebp AT MPL, RNR RIA. WR SSBYA, PMMA CBIIZ AT. HIB FIA eax H. ShBiBL RL eax ALBEE. {teat JH VC 2003 #i¥¢ Debug ARAL, Se HEH ROI ATLAS MN Fs void myfunction(int a, int b) t push ebp ff ebp, HB esp LA ebp 4. JET ebp 4 esp mov ebp,esp ; MARR SAM MRT sub esp, Och ;# esp # LB ah—-MEM, SPER PHT 1S FE RAE AEAB: ebx. esi, edi push ebx push esi 12 1% CMOS CS push edi lea edi, [ebp-Occh) IRM “mov edi,ebp-Occh”, {HJ mov BE 22" SME, HAL ebp-Occh RAY, iii Lea AR jf, that ebp-0cch MRE edi PF. AMR HE BREABSE MLM DCR, A ebp-Occh FAME) 3 PIER Occcececch mov ecx, 33h mov eax, 0cccceccch rep stos dword ptr [edi] ;3A dcch di (Pi) int ¢ = a+b: mov eax,dword ptr (a) fA INR. SRLS RARE NE PRAISES. FBZ, 2b BURRS 2.1018 18 iit ida BIC TUBE, MARAT rmov eax, [ebp+8], add eax, (ebp+0ch] ; SEGRE obp MERPRAN. RLM VE VC RRA RMR, IT BIT > HM ET SRA add eax,dword ptr{b mov dword ptr{c],eax pop edi WEL edi, esi, ebx pop esi Pop ebx mov esp, ebp SLR ebp Ai esp. ik. — ‘MAHI de) pop ebp ret EREAE HP Rk PB BH TA Jy mov eax, dword ptr [b] Hb. a REAR push eax mov ecx,@wora pty [al push ecx call myfunction ALB ME my Eunction ada esp,8 LE BOR Ok, BCR ARLE RR RIA Te BP. aE AT BC WARE, RMT CALE. 
x # & call, ret, push # pop, *#tF ebp # esp WHS, Bee BRO at fE 13 B CBS itETWNe 24 22 23 24 CHANARRILA——~ 2A for HK 22 0 GE meen 2.1.3 while BE CHRARSPRORLR-~ 2.2.1 if-else HM4X- 2.2.2 switch-case H)IBESP oe CHB RRS Hy CHEM AMRERD 2.1 CHT RIS Ay T PRS MPR LC CE A Be RATT AS EARL A BL FEWEST OEY AFTRA HB ADT EAUERL. TPE, HUI LEE Bl ERLE, (EI AEG PARE MASE). ESE EG HE BS A OT HE | {IH Debug (iBiKAG) FM Release (224TH) BERET LLG PM, RTRARLALA BA, HM SRR TT MRED, ARAL T . RRRAM RRA THAT OMS BET RR Hh, WHER ATSARARRAMEH, RAR TET HRIRG, TE TEM, EH RAE LAGE, TM RRA, BS KSA OAL, KLAR T . ERI OIA TE, TES RAR MIE, Ba. PRELMRT ADAM, bug RAM, TARR. Rio eit He RIG, BEALE BARRO EAE ERRAMER (KREMZM OAR RRR Fhe), RH AMR REA KR, KARA RES RRR IR, fe, PALM SLIN UR” fo ATI” BL, RMR ACR IL; AAT MAME NCEILIL, # Windows & MAL A AARP, —#AK% Debug MAA Release MA, WRENS FARA ZU i AL, edo Windows SFA, R—ALAKH Check MAA Free WA, PRELA—AH MH. 2.1.1 for fa PIRI RE Ae, HI I, ORE BULB int myfunction(int a,int b) ‘ int ¢ = avb; int i; RBRE— aici 16 El] Windows Atte return c; ) TERERBSE AY ALM RAL 1.3 RE BUM, DEE for (REA TPA Sie, SOR: for( 50;i+4) 00412BC7 mov word ptr [i],0 00412BCE jmp — myfunction+39h (4128D9h) 00412BD0 mov eax, dword ptr [i 00412BD3 add eax, 1 00412BD6 mov word ptr [i],eax 00412BD9 cmp — dword ptr [i], 32h 00412BDD jge myfunction+4ah (412BEAh) ¢ c= eri; 00412BDF mov 00412BE2 add 00412BE5 mov ) 00412BE8 jmp 00412BEA mov eax,dword ptr [c) eax,dword ptr [i] word ptr {cl,eax myfunction+30h (412BD0h) eax, dword ptr [c] Fa RSA A 1.3 WAIT]. OTLB BPH EEK LAGS REA: mov itt ATRL: jmp RELA AITE RG: cmp EBLE HINT: jge HUB MBE. FA imp FEUER EBT FR. 
AREA PE: 7 RE RUT BU — UAE AER mov , jmp B A: (BSDOURSER) Bs cmp , LAISERR> HARTER jge BRMORER (RH) mp A RT is OR 2.1.2 do fi HEF do (6%, AW do TMA EMH SE MAS + BRULEE for (ie BE fa 24 Jae do ¢ 00421255 mov oo4i1ase add ASB mov } while(c< 100); 00411A5E cmp oogiia62 j2 return eax,dword ptr [el eax,dword ptr [4] @word ptr [c],eax Gword ptr [c],64h myfunction+35h (411A55h) LTBI do HF a A) cmp , 00411064 imp eax, dword ptr [c] eax, dword ptr [i] word ptr (c},eax 2K CoBMRENER AY A PE EAR RIES. RAIS: myfunction+35h (411A5Sh) return c; EAA RL while BMA si. AY while PRT FPR MIET HINT ME REZ OF cmp < OURS , jge B (TR) jmp A Bi (RRERT) BA ATE AR PEAS FL BA TERM, SC RASS: 17 RAE — ca 18 Windows Atz@42 2.2 Cif ra AUT 3c Ie fA 2.2.1 if-else FETS X AY it PH: if(c>0 @& ce10) c printf (*c>0*); ) else if( c>10 && c<100) € printf("c>10 && c<100"); ) else t printf("c>10 && c<100*); ) if AUT ABEL (HY cmp FEILER AEBR HERS. OEE if A && BYTE, ALBA E ALAR. GUA ABRIL, SLRUBEE BAP. HEU. UR BARRE. ALPE) AEM. MASA. CEL C iT — RUA PRAY, TE RHI UR ELC, ULERY BLD Wy ee. emp jle

FLA SPAR A if(e>0 && c<10) 00411A66 cmp dword ptr [c],0 00411A6A le myfunction+6ih (411A81h) BIE —Pelse if AU 00411A6C cmp dword ptr [c], 0Rh 00411A70 jge —myfunction+61h (411A81n) ‘BEF —eise if i UE ( GOHRAR A SNIP print£(*c>0"); 00411872 push offset string *e>0* (4240Dch) 0041177 call. @ULT+1300(_print£) (411519h) ooaia7c add esp.4 > else if Helse RFRA. (FPR. MRA. BRAS SLM ET Re. BILAL ATTA AS} SHAT SPA IT LHR AG 9) SE ADT FES SP AAT ME “RHE LA TUT AR EAA else IUZE jmp ZG FLED SERIE. if else if SN FFM HEIL if ZG AUBETE HH cmp LEAR. TAH AEBS TE HE AT BEE else if( c>10 && c<100) 00411A7° jmp myfunction+89h (411AA9n) ALAR BRED HINES ot 0041181 cmp dword ptr [c],0ah Hee RR 1A Eh a jle myfunction+7ch (421A9ch) cmp dword ptr (c],64h 00421A8B jge — myfunction+7Ch (411A9Ch) 2.2.2 switch-case #1) B33 TERED MiB, TELL BA IRAVIE switch. switch MIRE RUE BAHT. lI. switch BRA HUITA Pt, TCLABAE je. APHIBESIAE TS case Wh. JIT -AAE ICA BH. FLREBES! default Zb. WL FARAH: switch(c) t case 0: £00"); print£("c>10 && c<100"); break; > default: printf ("c>10 && c<100"); ) 19 20 BAL Roe switch(c) 00411066 mov eax, dword ptr [cl 00411069 mov word ptr [ebp-OE8h] ,eax OO411A6F cmp dword ptr [ebp-0B8h],0 00411A76 je — myfunction+63h (411A83h) 00411A78 emp — dword ptr [ebp-O88h),1 oo4i1a7F je — myfunction+70h (411A90h) 00411A81 jmp — myfunction+7Fh (411A9Fh) G on EAE HL REALL ATR ASAI switch, LTRS #5 SBIR JE TE LEA cL ATE 0. 1 GAVE. EP SEIE c Ho) H ebp-Oe8h SRAM, PRAT ELC, GRE RAE A BB default Ab, LALFT defaule, BEB) switch 25h. o FURR AEA HH. BI A ALF case #il default ARIE HEM ML. WURAT break, WHEN —TACA PHBE: FEB AT break (tii F, BLA AE ICAL. 
case 0: print£(*c>0"); 00411083 push offset string "c>0* (4240DCh) 00412A88 call @ILT+1300(_printf) (411519h) 00411A8D add esp, 4 case 1: ‘ print£("c>10 && c<100"); 00411090 push offset string "c>10 6& c<100" 0042A95 call @ILT+1300(_printf) (411519h) 00411094 ada esp, 4 break; 00411A9D jmp — myfunction+8Ch (411AACh) ) default: print£("c>10 && c<100"); 00411A9F push offset string *c>10 && c<100* 00421AA4 call @ILT+1300(_printf) (411519h) 00411AA9 add esp, 4 ) (424288h) (424288h) 2K CweMRB AN “RE583) FIBA. ARIE PF AMAR CY. MSRP AAT AEA, BSL F RMA. ROR TABOTC RA ERE, MATE RATHAES BAI ike DCA HRB AREA. Hae, RET AZ 00411A20 push ebp 00411a21 mov —ebp, esp 00411A23 sub esp, OE8h 00411a29 push ebx 00411A2A push esi 00411A2B push edi 00411A2c lea edi, (ebp-0E8h] 00411832 mov —ecx, 3A 00411a37 mov eax, occcecccch 00411a3c rep stos dword ptr (edi) 00411A3E mov eax, dword ptr (a) 00411a41 add eax, dword ptr (b] 00411A44 mov dword ptr [dl,eax 00411A47 mov dword ptr [i],1 00411A4E mov dword ptr [e],0 00411055 cmp dword ptr [c], 64h 00411059 jge —myfunction+46h (411A66h) 00411A5B mov eax, dword ptr [c] 00411A5E add eax, dword ptr [i] 00411A61 mov adword ptr [c],eax 00411A64 jmp — myfunction+35h (411A55h) 00411A66 mov eax, dword ptr [c] 00411A69 mov dword ptr [ebp-0B8h],eax 00411A6F cmp dword ptr [ebp-OE8h] ,0 00411A76 je —myfunction+63h (411A83h) 00411478 cmp dword ptr [ebp-OE8h],1 00411A7F je — myfunction+6ah (411A8Ah) 00411A81 jmp —myfunction+72h (411A92h) 00411A83 mov dword ptr [d],1 00411A8A mov eax, dword ptr [cl] 00411A8D mov dword ptr [dJ,eax 00412A90 jmp —myfunction+79h (411A99h) 21 _ RABI ccmisee Windows meee 00411092 mov word ptr (a],0 eax,dword ptr [a] edi 00411A9D pop esi 00411A9E pop — ebx QO411A9F mov esp, ebp o4i1aA1 pop — ebp OO411AA2 ret 2.3 CHT WRAL Sa BIDS ASF T St Hs a A 9 18 typedef struct { int a; BL int b; int ¢; ) mystruct; int myfunction(int a, int b) unsigned char *buf (100); mystruct *strs = (mystruct *)buf; for (is0;icSrive) ‘ strs[i).a strs[il.b 
strs[il.c = ) return 0; ? SSA Ha AI SECALiT] BRABEAG ©ALSKGAN BH Si IR C for (i=0;i<5:it+) 00413674 mov dword ptr [i],0 UY for AE 00413684 jmp — myfunction+45h (413695h) 00413686 mov eax, dword ptr [i] 0041368C add eax, 1 00413687 mov dword ptr [i],eax 00413695 0041369c i emp jge strs[i].a 0041369E 004136a4 0041367 004136aD mov imal mov strs[i}.b 004136B4 004136Ba 004136BD imu dword ptr (41,5 { myfunction+94h (413684h) OF , ~ eax,dword ptr (i) FABRE ivoch AB peax 10h SHAE 48 strs MIBIERA cox HEB ocr (1 HOHE IHR O eax, eax, 0Ch ecx,dword ptr [strs] dword ptr [ecx+eax],0 as eax,dword ptr [i] eax, eax, 0Ch ecx,dword ptr (strs) RBS, MINER b ONE 004136¢3 mov dword ptr [ecx+eaxed] ,1 strslil.c = 2; 004136c8 004136D1 00413604 004136DA d 00413682 004136E4 mov imal imp eax,dword ptr (i) eax,eax, 0Ch ecx,dword ptr (strs] Gword ptr [ecx+eax+8],2 myfunction+36h (413686h) ; RAINE eax, eax peax ee immul 4 ik AAR 24 HS A BAL, RE EP EU Ua — 2 HT EER RGB RTE TCR FRADE. LIN, ASTOR NRE A= F< BP TCR MCT A HR STORET AE AE Ba RES EE — PR tn EACH SLA OCH, kT PEAR. DEG, RRP eA imul 184, HTC PRET RR. BRA RI HE LA FE 5h HE — NTE, TKN a) a5 HEADS PR RAS EA AAR ZS TA Sn AN RO AMER HWS, OMAR b BICEMIERE 4 (4H). TERE ICMAT OR, AE IRAE. DDS SEP HOA AR SE TERE OR) ORE WDK JPL PHO PER 4 TPA A SARL ATES) TIT ARM BB A IT CEA eS aa RT EA ES 23 KA RIE— ici | Windows itz fe#? Bue Wks, 2.4 CHR TERJE KBE FRAT COWIE) BUHASSE MY ABAL CE CIB Oy TA ee bn oT AA SRL. RA HiT AEA SR AU LOT, BELLI aa, es i TAS WRAILT. WT iRR, BIEN ALHO BY RUIRE, RIG BOIS — FR. Lf EAI typedef enum ( ENUM_1 = 1, ENUM_2 = 2, ENUM_3, ENUMA, ) myenum; J) hE typedef struct ( int a; int b; int ¢; } mystruct; “typedef union { mystruct s; myenum (3); } myunion; int myfunction(int a, int b) i unsigned char buf(100] = { 0 }; myunion *uns = (myunion *)buf; int 1) ia SE A, Git, (URE ORICA Se for (i=0;i<5;i++) uns[i].s.a = 0; 24 uns(i].s.b = 1; uns(i].e(2] = ENUM4; ) return 0; ) BABA RAN 2.3 HEAL ARS. 
for (i=0;i<5;i++) 00411857 mov 00411A5E jmp 00411a60 mov 00411063 add 00411A66 mov 00411469 cmp o04i1a6D ge ‘ @word ptr (41,0 myfunction+49h (411A69h) eax, dword ptr [i] eax,1 adword ptr [iJ],eax dword ptr (i],5 myfunction+83h (411AA3h) uns[il.s.a = 0; 00411A6F mov eax,dword ptr [i] ;ARAKS, Bit 12H. 2 HSE 00411472 imal 00411A75 mov ecx,dword ptr [uns] 00411A78 mov —dword ptr [ecx+eax] ,0 uns[{i].s-b = 1; O0413A7F mov eax,dword ptr [i] 00412a82 imul eax, eax, 0Ch 00411a85 mov ecx,dword ptr [uns] 00411A88 mov dword ptr [ecx+eax+4],1 uns(i].e(2] = ENUM_4; 00411A90 mov eax, dword ptr (i) 00411493 imul eax, eax, 0Ch 00411A96 mov ecx, dword ptr [uns] 00411A99 mov dword ptr [ecx+eax+8],4 ) 00421Aa1 jmp eax, eax, 0Ch myfunction+40h (411A60h) RIK CRRA CR OEM PEI AAT, SB. FAK AER ALA AAS BA A EAT Si, SEAL ARR ALE Ty REE A WEA, RPP aR ae eh HH OR BE. EMTIIE ARS] AHS B35 SIV CBSES 31 BSR BY BELA mo nnnnnnnnnnnnnnansnsnnnnsnananene BF 3.1 SRR RIC ~ 27 3.1.2 SR RIC AAD EG. 28 8.2 RAT RRED RIL rrr 29 3.3 (CMR C BEB om rrrmnnrnenenenennerees BS, TS SARTRE 3.1 SHRI CHG TANS ES ALTE RICH PL A RRS), TN LP AYRES 6 ANOLE IE AN BIC MARGARET ERIS, SEAS SL A SET. 3.1.1 BARI T BOA MADRE BGA TE, REREAD AI) TY. FTE 3x3 HE SHR HT int myfunction(int a{3](3),int b(3](3],int ¢(31(31) co ‘ / int i,3; | for (i=0;i<3;i++) € for (5=0;5<3;5++) . 
Li] (3) = a4) (0) *b(0) (5) +a fi) (1) *bI2] (5) +aCi) [2] *bL ) return 0; ) JAB U A Tih M, ASL, IC Ga STC AE int i, for (i0;ic3site) 00411A3E mov @word ptr [i],0 00411A45 jmp — myfunction+30h (411A50h) 00411A47 mov eax, dword ptr [i] O0411M4A add eax,1 00411A4D mov dword ptr [i],eax 00411050 cmp dword ptr [il,3 00411054 jge myfunction+0AEh (411ACEh) c for(j=0;5<3;5++) 00411056 mov dword ptr [31,0 00411AsD jmp myfunction+48h (411A68h) 0O411ASF mov eax,dword ptr [3] 00411a62 add eax, 1 27 KARE ic 8s 8 Windows WEAR 00421465 mov dword ptr [4] eax 0o421A68 cmp adword ptr [4],3 ooaiia6c jge — myfunction+0agh (411ACcSh) eli] {5} = afi} (0]*b{0] [5] +aCi) (1) *b(2] (5) ali) (21 B12) (5); WORE FHI S RA mov, add A imal HEAT BI SC 0041162 mov eax,dword ptr (4) 00411471 imul eax, eax, 0Ch 00411474 mov ecx,dword ptr [a] 00411477 mov ex, dword ptr [3] 00411A7A mov esi, dword ptr (b] 00411A7D mov eax, dword ptr [ecx+eax] 00411A80-—tmlul eax, dword ptr [esi+edx*4] 0041384 mov ecx,dword ptr [3] 00441a87 imal ecx,ecx, 0ch OOR1IABA mov edx,dword ptr [a] Odd11aeD mov esi, dword ptr [3] 00811090 mov edi, dword ptr [b} 00413493 mov _-ecx;dvord ptr [edx+ecx+4) 00411097—tul ecx,dword ptr [editesi*4+0ch] oo4i1asc add eax,ecx 0041192 mov edx,dword ptr [i] O04i1AA1 imal edx,edx, Och 00411AA4 mov ecx,dword ptr {a} 00411AA7 mov esi, dvord ptr [3] O0421AAA mov edi ,dvord ptr (b) 00411AAD mov edx,dword ptr [ecx+edx+8) 00411AB1 iml ‘edx,dword ptr [edi+esi*d+i8h] 00411AB6 add eax, edx 00411AB8 mov ecx,dword ptr [i] 00411ABB imul ecx,ecx,0Ch 00411A88 add ecx,dword ptr (ec) 00411AC1 mov eax, dword ptr [3] 00411AC4 mov dword ptr [ecx+edx*4] ,eax 00411AC7 jmp myfunction+3Fh (411A5Fh) ) 00411Ac9 jmp —myfunction+27h (421A47h) 3.1.2 BARROS SERIE EAE AES, A EAE TE ES OOS 5 BA SLO} PE DA SEA TRT AR BEE HRA HO FBI. PBUH SEARS AND Ja, se A (ARR BE UR, BES A AE AH. Rend MRE Did A BIR HIRTBCY EI BRS AE REE £421) mov ABR — AAT C Rik. AR, KAA IE AEX GUE OT LLB], SABA ally] ARBRE AK A Hy aly SEH SHE XML. 
PTDL, AUTRE BIN RR DARA TT EL. MARI vt R imal mov eax, < REM TORO F t> eax, eax, ocx, UNICODE_STRING str = RTL_CONSTANT_STRING(L*my first string!*); JERE TERE MIRAE NO OE. OT BB EE, AT RillnitUnicodeString. av fi 4 F: UNICODE_STRING str; RtlInitUnicodestring(estr,L'my first string!*); FLATTER ALN FER SLA A ARCH UL, BL SEMAN ME Bite. a1 42 41.3 FRB TWF FFB ATE ORI. TUL AEF wescpy He #6 TL 1 BE AB AT AY. UNICODE_STRING ®J Li RUCopyUnicodeString KBEATH MN, CEDEATIX APSE OL HT BREE RN Ae: EULA MEE BY Buffer BAA EE (6). MR Buffer ¢ 18) FR, PIERRE WATER. ETP HR HT RS Finis — Mol F UNICODE_STRING dst; 11 BREE WCHAR dst_buf (256); 1) BATRA SENT, FUSE LK UNICODE_STRING src = RTL_CONST_STRING(L"My source string!*); J 1 CRF BPG HAA KH 256 ff) UNICODE_STRING 2H RULInitemptyString (dst ,dst_buf, 256*sizeot (WCHAR) ); Rt 1lCopyUnicodestring (adst,asrc); // FRR CLERK ASU Z ALLEL, JEDI 256 EC L"My source string! "HUG AEBEK. SR cy SUS OLA IH ROAR. (ELIS ULAR, SRA ELMAR. ei ch Lk T BH SIL — MAL BLT IH RellnitEmptySwing, HOR dst F7FB MAR VARMEKEA 0. RAAF AME, Hi LRA UE AR. FERN, BUENO TT BY PAT AEa ASST ACTA). 164.2 48 “AE SHR" F. RARAAMATACA GST BM IK. 414 PRR AERE UNICODE_STRING RHEM POF, PATE ER HOE EEE ST L. LRSM MRR: BAAS BSR. BMI IN— TEER SEASRME, HEE RT HORA ERIE BRE AERA AAS. RTL BA: NSTATUS status: UNICODE_STRING dst; 1) BFE WCHAR dst_buf (2561; 1) BATBAGERE ENE, HOE UNICODE_STRING src = RTL_CONST_STRING(L*My source string!*); RAR BSH SAR 11 REAR EUNICE 256 fH) UNTCODE_STRING 48 Rt1InitEmptyString (det ,dst_buf, 256*sizeof (WCHAR) } RtlCopyUnicodestring(sdst,asre); // FARE status = RtlAppendunicodeTostring( dst, L'my second string!"); if (status != STATUS_SUCCESS) ‘ ) NTSTATUS J&:7 WARMER A, WSR eR HeweIH, ile] STATUS_SUCCESS; FM, S2—“MARA.. RlAppendUnicodeToString 4 Ei bre 7 8 27) 7S AE EAI BY HR ARIAT DAS PATH, (LA ie] — 4 a te HR STATUS_BUFFER_TOO_SMALL. 5B 9b ~ Fe ti OR JE A HME BE PY 1) UNICODE_STRING , ik AF 1H 02 1A iAH RuAppendUnicodeStringToString. 
X “SHUN 38 — 784k t 4 UNICODE_STRING HEFT.

4.1.5 FRAT SPREE 5 — APT TREE FE RE OS 6 A EN TER, AN BET FA PRAMAS. BIMEATAG A SHR, A SPUR AAEA. MEATS, URS. WAR CSN SEH sprintf, APRN TAN swprintf. RE DUTP RT AIR OY CM, HAN, ROKR RtlStringCbPrintfW RAH E. RtlStringCbPrintfW ij 3 40 KK FE ntstrsafe.h. (EE REAV MT AR. A EE ntstrsafe.lib. FARES — PEE, PER PE HORE AA TK.

    #include <ntstrsafe.h>
    // Destination buffer for the formatted text, zero-initialised
    WCHAR dst_buf[512] = { 0 };
    UNICODE_STRING dst;
    NTSTATUS status;
    // file_path (a UNICODE_STRING) and file_size (an integer) are set up
    // earlier, in code this fragment does not show
    // Initialise dst as an empty string backed by 512*sizeof(WCHAR) bytes
    RtlInitEmptyUnicodeString(&dst, dst_buf, 512*sizeof(WCHAR));
    // Format into the buffer; the size argument is a byte count
    status = RtlStringCbPrintfW(
        dst.Buffer, 512*sizeof(WCHAR),
        L"file path = %wZ file size = %d \r\n",
        &file_path, file_size);
    // wcslen is safe here because RtlStringCbPrintfW always
    // NUL-terminates the destination
    dst.Length = (USHORT)(wcslen(dst.Buffer) * sizeof(WCHAR));

RtlStringCbPrintfW EF PREMERA FEAR LES PRAT AFT EN, (LARS ABE ¥AKA T . iB LEIAY status {88 STATUS_BUFFER_OVERFLOW. i iX (S08 38-2 HiT (HE MERRBES MBER, ORAM. RAE A— PY WRG RE 2 FERRI, HBX} ee HORI] STATUS_SUCCESS % 1h. {AERA UNICODE_STRING A HUHET. Hi dowZ ATED MT LAET ED FAT 0 CEASE RET AEB WEA RMIT IR, LARA Sows AGS. HAWNOET EDN AF 8 5 (EK CRSP print BBP, AUREL. Fab AL MS SLATE AT ED. printf PBR FTE MMR FAA, te Ra ea Hil &, (UE Windows MBPT itis UN OL, BT LUE WinDbg PATON. BES) 'P A] LLY DbgPrint()Ph MOKAT ED A. XS ELAN print SEACH I, RAPE RRS IE. DbgPrintQ i) —MiRA CEP, RATHI SK AD REE AAA EPR, FRR A J DbgPrint() Cie fe RTCKELAREARERSAM, WTAE PE:

    #if DBG
    // Checked build: KdPrint((...)) expands to DbgPrint(...)
    #define KdPrint(a) DbgPrint a
    #else
    // Free build: the call disappears entirely
    #define KdPrint(a)
    #endif

ARAM RE, AF KdPrint @) ARH 1 TSR, Awd DbgPrint MF HERMEERA MT SUED. FR KdPrint ARRIBA HEA T HTL:

    // Call KdPrint to emit debug output. Note the double parentheses.
    // The format string is a narrow string, and the result is not assigned,
    // because the macro expands to nothing in a free build.
    KdPrint(("file path = %wZ file size = %d \r\n",
        &file_path, file_size));

ay AQT GER. WOK WPL, HELM LLB KdPrint ACE DbgPrint $i Jy MEIN BCR

4.2 Die SHER

4.2.1 ASRS RA AFARRLE CPS PZ. REA BR, Bee ee CORTE TEESE CHEAT P.
GMC TE REM BEF (PR BUE malloc. 3X “eA BME SADE eA KES MRR IL PEATE. CES PI 2 SPIE 5 AS AT MANS LE, HH) ALIBI] ExAllocatePoolWithTag. S(thAt) 7S 7E ART LH BB 2 6 [ATI WHET FAG AB AE PD AE PE SS HN) 95 AEF TA SOPH ABYC be eR AIRE. PII, REE src PE ULSI TER dst.

    // Define a pool tag for this allocation
    #define MEM_TAG 'MyTt'
    // Destination string; its buffer is allocated below
    UNICODE_STRING dst = { 0 };
    // Allocate as many bytes as the source string holds
    // (src is a PUNICODE_STRING supplied by the surrounding code)
    dst.Buffer = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, src->Length, MEM_TAG);
    if (dst.Buffer == NULL)
    {
        // Allocation failed: record the error and leave;
        // dst.Buffer must not be used past this point
        status = STATUS_INSUFFICIENT_RESOURCES;
    }
    dst.Length = dst.MaximumLength = src->Length;
    // RtlCopyUnicodeString returns VOID, so there is no status to check;
    // src is already a pointer and is passed as-is
    RtlCopyUnicodeString(&dst, src);

ExAllocatePoolWithTag ff —7+ 28 NonPagedPool 2255 4} 89 42 22 BLE I FF 5 BEY fp ce CTE ME PN £6 I, WEDD ERIE be. BOP BREE DBE NITTBIN “AAP SP Abs ic”. PSE SPAR ie FA Tea A PHL ASR ERAT A OK AR 19 AN TF brid, PLEA iH MRR. A a BE LO OA tei, heh TERE MA Te bRiC. AFPRRIC ALBIN) 32 ARCH, WAAR ASH thi Bi. QD | Pte eRe th oR LAI ssa iocaerooiwititas Heabte A LASHALAY SULA FE, fEHY PagedPool BAT. ExAllocatePoolWithTag J} 82 (tA ## 8] LEH] ExFreePool RFE, Ww RARE IK. Wy TGR HER, FPAMQHLP REPEAL Aaa RETA STACI T8) . RAR AEF AS UA, HAN ERR I), ME RIN AE I SL. ExFreePool 547 S528 Or RE RLMUIR ET ERAT. 486K:

    ExFreePool(dst.Buffer);
    // Clear the descriptor so the stale pointer cannot be reused
    dst.Buffer = NULL;
    dst.Length = dst.MaximumLength = 0;

ExFreePool FE RFE ME TINGE, AU ASE TAU. (REL E MARES:

    UNICODE_STRING src = RTL_CONSTANT_STRING(L"My source string!");
    // Wrong: this buffer was not allocated from a pool,
    // so freeing it crashes the system
    ExFreePool(src.Buffer);

2 PROTA. LLNS LHR ExAllocatePoolWithTag All ExFreePool it) Mtl X Ro

4.2.2 {$74 LIST_ENTRY

Windows HART R AA CHR T MBAR Hit, bel LIST_ENTRY. LIST_ENTRY J&P 0000) 82244 #4) iJ CAE FAL BO AAA I HD Hh, FTA MAT. RSME, MERRIE, EOE BAI EE KANT AE RAL RA EH. ESE 4S FILE_OBJECT BSRET MIR, CEDAR BEAST RE CAFS TAT AY ET Ze EAE) MRREIII PRA: RET SCPE MA AEIE. RBA FILE_OBJECT fsiftt, (1/0 25 98 01 DL Ds SE AAR SEY BC FRE.
    typedef struct {
        PFILE_OBJECT file_object;
        UNICODE_STRING file_name;
        LARGE_INTEGER file_length;
    } MY_FILE_INFOR, *PMY_FILE_INFOR;

HEE ETE REBISCPFIN RRA LARGE_INTEGER 22%, 3KFE—-MRRKK SNARE. MMR CE FA “AB ea” PTH. QD [Windows #4 GA LIST_ENTRY fe HA, NEAL PHASE TR Jy T ik LASS Pe ERR, SL AE BLT —4* LIST_ENTRY it. BT FAME RICHTA, TVR ER AT, HAT DUET, BRR. (AES EAA RE LAE LIST_ENTRY JA GEFP LAE EN BE:

    typedef struct {
        LIST_ENTRY list_entry;
        PFILE_OBJECT file_object;
        UNICODE_STRING file_name;
        LARGE_INTEGER file_length;
    } MY_FILE_INFOR, *PMY_FILE_INFOR;

LIST_ENTRY SURE (EY BERETA, TEAS HT, QL InitializeListHead 34) Hite. FIA AAR

    // Our list head
    LIST_ENTRY my_list_head;

    // List initialisation; normally called once at start-up
    void MyFileInforInit()
    {
        InitializeListHead(&my_list_head);
    }

    // Our list node; file_name is held as a pointer here
    typedef struct {
        LIST_ENTRY list_entry;
        PFILE_OBJECT file_object;
        PUNICODE_STRING file_name;
        LARGE_INTEGER file_length;
    } MY_FILE_INFOR, *PMY_FILE_INFOR;

    // Append a node. file_name is stored by pointer, so the caller's
    // string must outlive the node.
    NTSTATUS MyFileInforAppendNode(
        PFILE_OBJECT file_object,
        PUNICODE_STRING file_name,
        PLARGE_INTEGER file_length)
    {
        PMY_FILE_INFOR my_file_infor =
            (PMY_FILE_INFOR)ExAllocatePoolWithTag(
                PagedPool, sizeof(MY_FILE_INFOR), MEM_TAG);
        if (my_file_infor == NULL)
            return STATUS_INSUFFICIENT_RESOURCES;
        // Fill in the data members
        my_file_infor->file_object = file_object;
        my_file_infor->file_name = file_name;
        my_file_infor->file_length = *file_length;
        // Insert into the list. No lock is taken here, so this function
        // is not safe to call from several threads at once. Link the
        // embedded LIST_ENTRY, not the address of the local pointer.
        InsertHeadList(&my_list_head, &my_file_infor->list_entry);
        return STATUS_SUCCESS;
    }

DERRY A. PLLA HB) LIST_ENTRY 441A 2] MY_FILE_INFOR #4 #5ff) KABA. IPE —3R, 7S MY_FILE_INFOR Gi 29t{@—7 LIST_ENTRY. it PRELDE, SESE ATA ATTA ABT LHF. Leda MS (VES SHREK TP Sk aE OIE BE, BULZEML LIST_ENTRY SFU (LALOR BT CET ABE, AME ES i BEALE.
ATLA 7h i A Bs

    PLIST_ENTRY p;
    // Walk the list until we are back at the head itself
    for (p = my_list_head.Flink; p != &my_list_head; p = p->Flink)
    {
        // Recover the enclosing node from its embedded LIST_ENTRY
        PMY_FILE_INFOR elem =
            CONTAINING_RECORD(p, MY_FILE_INFOR, list_entry);
        // To do something here.
    }

3th) CONTAINING_RECORD 2é—4* WDK POE MME, (EA iict—“ LIST_ENTRY S404 61, HRB MA MT ZER TH ET. ECR:

    #define CONTAINING_RECORD(address, type, field) ((type *)( \
        (PCHAR)(address) - \
        (ULONG_PTR)(&((type *)0)->field)))

ATI AYNS FT BUS StF LIST_ENTRY ‘'(f9348 5 & Flink 4816] F —4* LIST_ENTRY . 84-88 24) (tsi 4 LIST_ENTRY ff) Flink REZ, OHA e. GE) LIST_ENTRY 21, BA CONTAINING_RECORD 244 #842641 53 HSE.
