Generation of the security cookie in Win64 applications
2024-09-11
The function call flow of a Win64 UI application is as follows:
- wWinMainCRTStartup()
- _security_init_cookie();
- _wmainCRTStartup();
- wWinMain
Execution starts at the CRT startup function. Which one is used (wWinMainCRTStartup in the flow above) depends on the subsystem and on whether the narrow or wide-character entry point is chosen; it can be forced explicitly with a linker option such as one of the following four:
#pragma comment( linker, "/subsystem:windows /entry:WinMainCRTStartup" )
#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" )
#pragma comment( linker, "/subsystem:console /entry:mainCRTStartup" )
#pragma comment( linker, "/subsystem:console /entry:WinMainCRTStartup" )
In the call flow above there is a function that initializes the cookie. This is the /GS stack cookie (security cookie): the compiler stores a copy of it in the frame of any function with stack buffers and verifies it on return (__security_check_cookie), so an overrun that writes past a buffer into the cookie slot is detected before the corrupted return address is used. Two points matter for its strength. First, the linker stores a fixed, publicly known default in the image (0x2B992DDFA232 on x64); if the initialization never ran, every process would share a predictable cookie, which is why the routine refuses to leave that value in place. Second, the routine mixes several per-process values (system time, PID, TID, tick count, a stack address, the performance counter) so the result is not guessable from outside the process. In the CRT reference source (gs_support.c) the x64 result is additionally masked to its low 48 bits; the decompiled listing below does not show that step.
The cookie initialization function looks roughly like this:
#include <windows.h>

// Declared here so the listing compiles; in the CRT these are __security_cookie / __security_cookie_complement
extern unsigned __int64 _security_cookie;
extern unsigned __int64 _security_cookie_complement;

void __cdecl _security_init_cookie()
{
    unsigned __int64 cookievalue;            // rax
    unsigned __int64 tim;                    // [rsp+30h] [rbp+10h] BYREF
    ULARGE_INTEGER SystemTimeAsFileTime;     // [rsp+38h] [rbp+18h] BYREF, the FILETIME viewed as one 64-bit value
    LARGE_INTEGER PerformanceCount;          // [rsp+40h] [rbp+20h] BYREF

    SystemTimeAsFileTime.QuadPart = 0;
    cookievalue = _security_cookie;
    // Only derive a fresh value if the linker's well-known default is still in place
    if ( _security_cookie == 0x2B992DDFA232ULL )
    {
        GetSystemTimeAsFileTime((FILETIME *)&SystemTimeAsFileTime);
        tim = SystemTimeAsFileTime.QuadPart;
        tim ^= GetCurrentProcessId();
        tim ^= GetCurrentThreadId();
        tim ^= (unsigned __int64)GetTickCount() << 24;
        tim ^= (unsigned __int64)&tim ^ GetTickCount();   // address of a local: ASLR entropy
        QueryPerformanceCounter(&PerformanceCount);
        cookievalue = tim ^ PerformanceCount.QuadPart
                          ^ ((unsigned __int64)PerformanceCount.LowPart << 32);
        if ( cookievalue == 0x2B992DDFA232ULL )
        {
            cookievalue = 0x2B992DDFA233ULL;   // never keep the publicly known default
        }
        _security_cookie = cookievalue;
    }
    _security_cookie_complement = ~cookievalue;
}
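As an added, portable illustration (not code from this page or from the Microsoft CRT), the block below reimplements the mixing steps of the listing above with the OS values passed in through a hypothetical struct, and pairs it with a simulated /GS frame: the prologue stores cookie XOR frame address directly above a 16-byte buffer, and the epilogue check fails once an over-long copy reaches that guard slot. The names derive_cookie, security_init_cookie, gs_prologue, gs_check and vulnerable_copy are assumptions made for this example, and the entropy sample values are constructed, not captured from a real process.

```c
#include <stdint.h>
#include <string.h>

/* Default the linker places in the cookie on x64 (value from the page). */
#define DEFAULT_SECURITY_COOKIE 0x2B992DDFA232ULL

static uint64_t security_cookie            = DEFAULT_SECURITY_COOKIE;
static uint64_t security_cookie_complement = ~DEFAULT_SECURITY_COOKIE;

/* Hypothetical stand-in for the values the CRT reads from the OS (FILETIME, PID,
 * TID, GetTickCount, a stack address, QueryPerformanceCounter), so the derivation
 * can run off Windows. */
struct cookie_entropy {
    uint64_t filetime;
    uint32_t pid;
    uint32_t tid;
    uint32_t tick;
    uint64_t stack_addr;
    uint64_t perf_counter;
};

/* Same mixing steps as the decompiled _security_init_cookie, on supplied inputs. */
uint64_t derive_cookie(const struct cookie_entropy *e)
{
    uint64_t c = e->filetime;
    c ^= e->pid;
    c ^= e->tid;
    c ^= (uint64_t)e->tick << 24;
    c ^= e->stack_addr ^ e->tick;
    c ^= e->perf_counter ^ ((uint64_t)(uint32_t)e->perf_counter << 32);
    if (c == DEFAULT_SECURITY_COOKIE)     /* the known default must never survive */
        c = DEFAULT_SECURITY_COOKIE + 1;
    return c;
}

void security_init_cookie(const struct cookie_entropy *e)
{
    if (security_cookie == DEFAULT_SECURITY_COOKIE)   /* first call only */
        security_cookie = derive_cookie(e);
    security_cookie_complement = ~security_cookie;
}

/* A /GS-protected frame: 16-byte buffer followed by the guard slot. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

/* Prologue: on x64 the compiler stores cookie XOR rsp above the buffers. */
static void gs_prologue(unsigned char *frame)
{
    uint64_t guard = security_cookie ^ (uint64_t)(uintptr_t)frame;
    memcpy(frame + BUF_SIZE, &guard, sizeof guard);
}

/* Epilogue: __security_check_cookie; 1 = intact, 0 = __report_gsfailure would fire. */
static int gs_check(const unsigned char *frame)
{
    uint64_t guard;
    memcpy(&guard, frame + BUF_SIZE, sizeof guard);
    return (guard ^ (uint64_t)(uintptr_t)frame) == security_cookie;
}

/* Copies input into the 16-byte buffer with no check against BUF_SIZE,
 * then runs the epilogue check and returns its verdict. */
int vulnerable_copy(const unsigned char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    gs_prologue(frame);
    if (len > FRAME_SIZE)   /* keeps the demo in-bounds; the real bug is len > BUF_SIZE */
        len = FRAME_SIZE;
    memcpy(frame, input, len);
    return gs_check(frame);
}

/* Demo helpers with constructed inputs. */
int demo_init_replaces_default(void)
{
    struct cookie_entropy sample = {
        0x01DA8F1234567890ULL, 4242u, 7788u, 123456u, 0x000000AB12345678ULL, 0x00000000DEADBEEFULL
    };
    security_init_cookie(&sample);
    return security_cookie != DEFAULT_SECURITY_COOKIE &&
           security_cookie_complement == ~security_cookie;
}

uint64_t demo_collision_is_bumped(void)
{
    /* Every XOR term cancels, so the raw result equals the default and must be bumped. */
    struct cookie_entropy degenerate = { DEFAULT_SECURITY_COOKIE, 0u, 0u, 0u, 0u, 0u };
    return derive_cookie(&degenerate);
}

int demo_intact_frame(void)
{
    unsigned char in[BUF_SIZE];
    memset(in, 'A', sizeof in);
    return vulnerable_copy(in, sizeof in);
}

int demo_overflowed_frame(void)
{
    unsigned char in[FRAME_SIZE];
    memset(in, 'A', sizeof in);   /* the 8 extra bytes land on the guard slot */
    return vulnerable_copy(in, sizeof in);
}
```

The XOR with the frame address is what the x64 compiler does with rsp in the prologue, so an overwrite with a fixed value fails the check even when the attacker has learned the raw cookie; the degenerate sample shows why the "equals default" branch exists, since an entropy sample that happens to cancel out would otherwise leave the well-known default in place.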
Further reading: https://www.cnblogs.com/hed10ne/p/17527277.html