So, I have a block of assembly code that initializes the program, parses kernel32, finds GetProcAddress, then finds LoadLibraryA in order to load User32.dll. It works up to the point of LoadLibraryA. It crashes inside the function call, but I can see in the debugger that User32.dll gets loaded. If I try LoadLibraryA on another module (e.g. Kernel32.dll), it returns and succeeds.
If you want to take a look, here is the full source:
https://gist.github.com/mojobojo/921a5af897e86bb940a2
Exception thrown at 0x00007FFAFAE8E91C (ntdll.dll) in Small.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.
Here is the snippet that tries to load user32.
mov rcx, ActualAddress + User32DllStr ; ActualAddress is the program address in memory; rcx = first argument (lpLibFileName)
call rax ; LoadLibraryA
cmp rax, 0
je EndFunction ; Failed to open user32.dll
LoadLibraryAStr:
db "LoadLibraryA", 0
Take a look at the call stack.
ntdll.dll!RtlDosPathNameToRelativeNtPathName() Unknown
ntdll.dll!LdrpResolveDllName() Unknown
ntdll.dll!LdrpFindLoadedDll() Unknown
ntdll.dll!LdrGetDllHandleEx() Unknown
ntdll.dll!LdrGetDllHandle() Unknown
KernelBase.dll!00007ffaf82d2984() Unknown
KernelBase.dll!00007ffaf82d29ef() Unknown
user32.dll!00007ffaf934e7e8() Unknown
user32.dll!00007ffaf934dc92() Unknown
ntdll.dll!LdrpCallInitRoutine() Unknown
ntdll.dll!LdrpInitializeNode() Unknown
ntdll.dll!LdrpInitializeGraph() Unknown
ntdll.dll!LdrpPrepareModuleForExecution() Unknown
ntdll.dll!LdrpLoadDll() Unknown
ntdll.dll!LdrLoadDll() Unknown
KernelBase.dll!00007ffaf82d8e4a() Unknown
KernelBase.dll!00007ffaf82d97e5() Unknown
kernel32.dll!00007ffaf8b5499a() Unknown
Small.exe!0000000140010253() Unknown
Best answer
I figured it out. My stack was not 16-byte aligned.
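The accepted answer is the whole fix, so here is what it looks like in practice. This is an added example in NASM syntax, not code from the question, the linked gist, or the answer; it assumes the caller already resolved LoadLibraryA (as the question's code does) and passes that pointer in rcx. On x64 Windows rsp must be a multiple of 16 at the CALL instruction, and the caller must leave 32 bytes of shadow space above the return address. On entry to a function rsp is 8 mod 16 (the CALL pushed a return address onto an aligned stack), so every odd number of PUSHes leaves it misaligned again; the `and rsp, -16` below makes the frame correct no matter how many registers were pushed.

```nasm
; x64 Windows calling convention: rsp % 16 == 0 at the CALL, plus 32 bytes of
; shadow space for the callee to spill rcx/rdx/r8/r9. Added example, assumed
; NASM syntax and a user32.dll string defined in this module.

default rel

section .data
user32_str:     db "user32.dll", 0

section .text
global load_user32
; load_user32(rcx = address of LoadLibraryA) -> rax = HMODULE, or 0 on failure
load_user32:
    push rbp                 ; on entry rsp == 8 (mod 16); after this push: 0
    mov  rbp, rsp
    push rbx                 ; one more push: rsp == 8 (mod 16) again, misaligned
    and  rsp, -16            ; round down to a 16-byte boundary, whatever preceded
    sub  rsp, 32             ; shadow space; 32 is a multiple of 16, alignment kept
    mov  rbx, rcx            ; keep the LoadLibraryA pointer in a callee-saved reg
    lea  rcx, [user32_str]   ; arg 1 (lpLibFileName), RIP-relative so it is PIC
    call rbx                 ; LoadLibraryA("user32.dll") with an aligned rsp
    ; rax = HMODULE or 0; rbx survived the call, so it could be reused here
    lea  rsp, [rbp-8]        ; drop shadow space and padding, back to saved rbx
    pop  rbx
    pop  rbp
    ret
```

The call stack in the question shows why only user32 failed: user32 was not yet in the process, so LdrpLoadDll ran its DllMain (LdrpCallInitRoutine) on the caller's misaligned stack, while kernel32 was already loaded and LoadLibraryA only bumped its reference count. Aligned SSE instructions inside that init path raise a general-protection fault on a misaligned stack, which Windows reports exactly as the observed access violation reading 0xFFFFFFFFFFFFFFFF. A quick check in the debugger is to break on the `call` and confirm `rsp & 0xF == 0`.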
Regarding windows - LoadLibraryA with User32.dll crashes in ntdll.dll (x64 assembly), we found a similar question on Stack Overflow: https://stackoverflow.com/questions/32160792/