按地址从jitted代码调用cfunction

from peachpy import * from peachpy.x86_64 import * import ctypes putchar_address = ctypes.addressof(ctypes.cdll.msvcrt.putchar) c = Argument(uint64_t) with Function("p", (c,), int64_t) as asm_function: LOAD.ARGUMENT(rcx, c) MOV(r8, putchar_address) CALL(r8) RETURN(rax) raw = asm_function.finalize(abi.detect()).encode() python_function = raw.load() print(python_function(48))

0: 48 83 ec 28 sub rsp,0x28 4: 49 b8 a8 98 ad 9e ac movabs r8,0x1ac9ead98a8 b: 01 00 00 e: 41 ff d0 call r8 11: 48 83 c4 28 add rsp,0x28 15: c3 ret

0: 48 89 54 24 10 mov QWORD PTR [rsp+0x10],rdx 5: 48 89 4c 24 08 mov QWORD PTR [rsp+0x8],rcx a: 48 83 ec 28 sub rsp,0x28 e: 48 8b 4c 24 38 mov rcx,QWORD PTR [rsp+0x38] 13: ff 54 24 30 call QWORD PTR [rsp+0x30] 17: 48 83 c4 28 add rsp,0x28 1b: c3 ret

1条回答

网友

1楼 · 发布于 2024-05-16 01:53:47

在@PeterCordes的帮助下，我解决了重要的问题

我误解了windows呼叫约定。您需要保留阴影空间并对齐堆栈，因此需要“sub-rsp，40”
ctypes.addressof(ctypes.cdll.msvcrt.putchar)给出的不是代码的开头，而是指向代码开头的指针的地址

问题1很容易解决，问题2需要稍加修改。最后，该代码起作用：

c_void_p_p = ctypes.POINTER(ctypes.c_void_p)

putchar_address = ctypes.addressof(ctypes.cast(ctypes.cdll.msvcrt.putchar, c_void_p_p).contents)
func_ptr = Argument(ptr())
c = Argument(uint64_t)

with Function("p", (c,), int64_t) as asm_function:
    MOV(r12, putchar_address)
    SUB(rsp, 40)
    CALL(r12)
    ADD(rsp, 40)
    RETURN()

raw = asm_function.finalize(abi.detect()).encode()
print(raw.code_section.content.hex())
python_function = raw.load()
print(python_function(54))

这将生成此程序集：

0:  41 54                   push   r12
2:  49 bc 90 77 75 4d fa    movabs r12,0x7ffa4d757790
9:  7f 00 00
c:  48 83 ec 28             sub    rsp,0x28
10: 41 ff d4                call   r12
13: 48 83 c4 28             add    rsp,0x28
17: 41 5c                   pop    r12
19: c3                      ret

并且完全按照预期工作

（只需记住哪些寄存器已保存/需要保存。）

相关问题更多 >

编程相关推荐

热门问题

热门文章