So I have a block of assembly that initializes a program, resolves kernel32, finds GetProcAddress, and then finds LoadLibraryA to load User32.dll. It works up to LoadLibraryA. It crashes inside the function call, but I can see User32.dll being loaded in the debugger. If I try LoadLibraryA on a different module (such as Kernel32.dll), it returns and succeeds.
LoadLibraryA for User32.dll crashes in ntdll.dll (x64 assembly)
Here is the full source if you want to look at it: https://gist.github.com/mojobojo/921a5af897e86bb940a2
Exception thrown at 0x00007FFAFAE8E91C (ntdll.dll) in Small.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.
Here is the snippet that loads USER32.
mov rcx, ActualAddress + User32DllStr ; ActualAddress is the program's load address in memory; rcx = lpLibFileName
call rax ; rax holds the resolved address of LoadLibraryA
cmp rax, 0
je EndFunction ; Failed to open user32.dll
LoadLibraryAStr:
db "LoadLibraryA", 0
Here is a look at the call stack.
ntdll.dll!RtlDosPathNameToRelativeNtPathName() Unknown
ntdll.dll!LdrpResolveDllName() Unknown
ntdll.dll!LdrpFindLoadedDll() Unknown
ntdll.dll!LdrGetDllHandleEx() Unknown
ntdll.dll!LdrGetDllHandle() Unknown
KernelBase.dll!00007ffaf82d2984() Unknown
KernelBase.dll!00007ffaf82d29ef() Unknown
user32.dll!00007ffaf934e7e8() Unknown
user32.dll!00007ffaf934dc92() Unknown
ntdll.dll!LdrpCallInitRoutine() Unknown
ntdll.dll!LdrpInitializeNode() Unknown
ntdll.dll!LdrpInitializeGraph() Unknown
ntdll.dll!LdrpPrepareModuleForExecution() Unknown
ntdll.dll!LdrpLoadDll() Unknown
ntdll.dll!LdrLoadDll() Unknown
KernelBase.dll!00007ffaf82d8e4a() Unknown
KernelBase.dll!00007ffaf82d97e5() Unknown
kernel32.dll!00007ffaf8b5499a() Unknown
Small.exe!0000000140010253() Unknown
Double-check that `rcx` really does point to a valid zero-terminated string at that moment. Do this by putting a breakpoint on the `call rax` and inspecting memory with the debugger. – Jester
I have confirmed the pointer is in the correct location and is null-terminated. – mojobojo
It looks to me as if DllMain in user32.dll is crashing when it tries to reference another DLL. Maybe there is a prerequisite DLL that needs to be loaded first? –
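Reading the call stack the way the last comment does can be automated for crash triage. The following is an added example, not code from the question, the gist, or any commenter: it parses the exception line and the debugger's frame list (both constructed here from the text above), extracts the faulting module, status code and access address, and, when the loader frame `LdrpCallInitRoutine` is present, reports which DLL's initialization routine was running when the fault occurred.

```python
import re

# Constructed sample: the exception line and call stack as the debugger printed them.
EXCEPTION_LINE = ("Exception thrown at 0x00007FFAFAE8E91C (ntdll.dll) in Small.exe: "
                  "0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.")
CALL_STACK = """\
ntdll.dll!RtlDosPathNameToRelativeNtPathName() Unknown
ntdll.dll!LdrpResolveDllName() Unknown
ntdll.dll!LdrpFindLoadedDll() Unknown
ntdll.dll!LdrGetDllHandleEx() Unknown
ntdll.dll!LdrGetDllHandle() Unknown
KernelBase.dll!00007ffaf82d2984() Unknown
KernelBase.dll!00007ffaf82d29ef() Unknown
user32.dll!00007ffaf934e7e8() Unknown
user32.dll!00007ffaf934dc92() Unknown
ntdll.dll!LdrpCallInitRoutine() Unknown
ntdll.dll!LdrpInitializeNode() Unknown
ntdll.dll!LdrpInitializeGraph() Unknown
ntdll.dll!LdrpPrepareModuleForExecution() Unknown
ntdll.dll!LdrpLoadDll() Unknown
ntdll.dll!LdrLoadDll() Unknown
KernelBase.dll!00007ffaf82d8e4a() Unknown
KernelBase.dll!00007ffaf82d97e5() Unknown
kernel32.dll!00007ffaf8b5499a() Unknown
Small.exe!0000000140010253() Unknown
"""

EXC_RE = re.compile(r"at 0x([0-9A-Fa-f]+) \(([^)]+)\) in (\S+): (0x[0-9A-Fa-f]+): "
                    r"Access violation (reading|writing) location 0x([0-9A-Fa-f]+)")
FRAME_RE = re.compile(r"^(\S+?)!(\S+?)\(\)")  # "module!symbol()" or "module!address()"

def parse_exception(line):
    """Return pc, faulting module, NTSTATUS, access mode and address; flag the
    all-ones address, which is a -1 sentinel rather than a real pointer."""
    m = EXC_RE.search(line)
    if not m:
        raise ValueError("unrecognised exception line")
    pc, module, process, status, mode, loc = m.groups()
    loc = int(loc, 16)
    return {"pc": int(pc, 16), "module": module, "process": process, "status": status,
            "mode": mode, "location": loc, "sentinel": loc == 0xFFFFFFFFFFFFFFFF}

def parse_frames(text):
    """Innermost frame first, as the debugger lists them: [(module, symbol), ...]."""
    return [FRAME_RE.match(l).groups() for l in text.splitlines() if FRAME_RE.match(l)]

def init_routine_owner(frames):
    """DLL whose DllMain the loader was running: the frame directly above
    LdrpCallInitRoutine. None if the fault was not inside a DLL init routine."""
    for i, (_mod, sym) in enumerate(frames):
        if sym == "LdrpCallInitRoutine" and i > 0:
            return frames[i - 1][0]
    return None
```

On the stack above, `init_routine_owner` returns `user32.dll`, confirming that the fault is inside user32's initialization rather than in the caller's own `call rax`.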