Call Cdecl by VB Function why Stack was trashed by 4 bytes?
Call Cdecl by VB Function
why Stack was trashed by 4 bytes?
Code:
Function VB_CdeclAPI_Sum(ByVal a As Long, ByVal b As Long, Optional NullArg As Long) As Long
' now it'S OK,how to remove 【Optional NullArg As Long】?
MsgBox 1
MsgBox 2
End Function
Function VB_Sum(ByVal a As Long, ByVal b As Long) As Long
'can't bind here
MsgBox 1
MsgBox 2
MsgBox 2
MsgBox 2
MsgBox 2
End Function
Sub FixCdecl(VbFunction As Long, CdeclApi As Long, args As Long)
'ESP堆栈不平衡 Stack was trashed by 4 bytes
Dim asm() As String, stub() As Byte
Dim i As Long, argSize As Long
argSize = args * 4
' 0: 58 pop eax
' 1: 89 84 24 XX XX XX XX mov dword ptr [esp+Xh],eax
push asm(), "58 89 84 24 " & lng2Hex(argSize + 0) '&H24848958
push asm(), "B8 " & lng2Hex(CdeclApi) 'B8 90807000 MOV EAX,708090
push asm(), "FF D0" 'FFD0 CALL EAX
push asm(), "83 C4 " & Hex(argSize + 0) '83 C4 XX add esp, XX 'cleanup args
'push asm(), "C2 10 00"
push asm(), "C3"
stub() = toBytes(Join(asm, " "))
Dim THUNK_SIZE As Long
THUNK_SIZE = UBound(stub) + 1
VirtualProtect2 VbFunction, THUNK_SIZE, PAGE_EXECUTE_READWRITE, 0 '更改函数地址所在页面属性
WriteProcessMemory2 -1, VbFunction, VarPtr(stub(0)), THUNK_SIZE, 0
'Vblegend.VirtualProtect VbFunction, THUNK_SIZE, PAGE_EXECUTE_READWRITE, 0 '更改函数地址所在页面属性
'Vblegend.WriteProcessMemory -1, VbFunction, stub(0), THUNK_SIZE, 0
End Sub
form1 code:
Code:
Dim startESP As Long, endEsp As Long
startESP = getESP
Dim h As Long, ret As Long
Dim CdeclApi As Long, lpfnAdd As Long, lpfnVoid As Long, lpfnSub As Long
h = LoadLibrary("cdecl.dll")
CdeclApi = GetProcAddress(h, "Add")
Dim a As Long, b As Long, c As Long
a = 44
b = 55
FixCdecl AddressOf VB_CdeclAPI_Sum, CdeclApi, 2
' FixCdecl AddressOf VB_CdeclAPI_Sum, CdeclApi, 8
startESP = getESP
c = VB_CdeclAPI_Sum(a, b)
endEsp = getESP
MsgBox "c=" & c
'ESP堆栈不平衡
MsgBox "Stack was trashed by " & (endEsp - startESP) & " bytes"
Last edited by xiaoyao; Mar 2nd, 2021 at 05:30 PM.
Re: Call Cdecl by VB Function why Stack was trashed by 4 bytes?
USE FIX2, Stack was trashed by (-4) bytes?
Code:
Public Function Fix2(VbFunction As Long, ByVal CdeclApi As Long, ByVal parameterCount As Long) As Long
'能把CDECL的API绑定到VB函数,2个参数的结果不平衡(-8)
Dim lRet As Long, i As Long, n As Long, m As Long
Dim asmBuf() As Byte '7
ReDim asmBuf(20 + 3 * parameterCount)
'lRet = VirtualAlloc(ByVal 0&, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
asmBuf(0) = &H55
asmBuf(1) = &H89
asmBuf(2) = &HE5
n = 3
m = 8
For i = 1 To parameterCount
asmBuf(n) = &HFF
asmBuf(n + 1) = &H75
asmBuf(n + 2) = m
n = n + 3
m = m + 4
Next
asmBuf(n) = &HB8
n = n + 1
CopyMemory VarPtr(asmBuf(n)), VarPtr(CdeclApi), 4
n = n + 4
asmBuf(n) = &HFF
asmBuf(n + 1) = &HD0
asmBuf(n + 2) = &H89
asmBuf(n + 3) = &HEC
asmBuf(n + 4) = &H5D
asmBuf(n + 5) = &HC3
'CopyMemory lRet, VarPtr(asmBuf(0)), UBound(asmBuf) + 1
Dim THUNK_SIZE As Long
THUNK_SIZE = UBound(asmBuf) + 1
VirtualProtect2 VbFunction, THUNK_SIZE, PAGE_EXECUTE_READWRITE, 0 '更改函数地址所在页面属性
WriteProcessMemory2 -1, VbFunction, VarPtr(asmBuf(0)), THUNK_SIZE, 0
Fix2 = lRet
End Function
Re: Call Cdecl by VB Function why Stack was trashed by 4 bytes?
now it's ok:
must add args (Optional NullArg As Long),how to remove it?
Code:
Function VB_CdeclAPI_Sum(ByVal a As Long, ByVal b As Long, Optional NullArg As Long) As Long
'用汇编调用 CdeclAPI_Sum这个地址,2个,然后清理堆栈 8
MsgBox 1
MsgBox 2
MsgBox 2
MsgBox 2
MsgBox 2
End Function