Switching a WoW64 32-bit process into 64-bit mode to retrieve the 64-bit register values

Edited in the 32-bit debugger:
7711E9D3                                        | 6A 33                    | push 33                                                     |
7711E9D5                                        | E8 00000000              | call ntdll.7711E9DA                                         | call $0
7711E9DA                                        | 830424 05                | add dword ptr ss:[esp],5                                    |
7711E9DE                                        | CB                       | ret far                                                     |
6A 33 E8 00 00 00 00 83 04 24 05 CB

Captured in the 64-bit debugger:
00007FFC844B11DD                           | 48:B8 8877665544332211       | mov rax,1122334455667788                      |
00007FFC844B11E7                           | 50                           | push rax                                      |
00007FFC844B11E8                           | 41:50                        | push r8                                       |
00007FFC844B11EA                           | 41:51                        | push r9                                       |
00007FFC844B11EC <ntdll.LdrpGetProcApphelp | 41:52                        | push r10                                      |
00007FFC844B11EE                           | 41:53                        | push r11                                      |
00007FFC844B11F0                           | 41:54                        | push r12                                      |
00007FFC844B11F2                           | 41:55                        | push r13                                      |
00007FFC844B11F4                           | 41:56                        | push r14                                      | r14:"minkernel\\ntdll\\ldrinit.c"
00007FFC844B11F6                           | 41:57                        | push r15                                      |
00007FFC844B11F8                           | 50                           | push rax                                      |
00007FFC844B11F9                           | E8 00000000                  | call ntdll.7FFC844B11FE                       | call $0
00007FFC844B11FE                           | C74424 04 23000000           | mov dword ptr ss:[rsp+4],23                   | 23:'#'
00007FFC844B1206                           | 830424 0D                    | add dword ptr ss:[rsp],D                      |
00007FFC844B120A                           | CB                           | ret far                                       |
00007FFC844B120B                           | 90                           | nop                                           |
48 B8 88 77 66 55 44 33 22 11 50 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 50 E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB 90 

Combined (the 32-bit gate followed by the 64-bit stub, as the 32-bit debugger decodes it):
7711E9D3                                        | 6A 33                    | push 33                                                     |
7711E9D5                                        | E8 00000000              | call ntdll.7711E9DA                                         | call $0
7711E9DA                                        | 830424 05                | add dword ptr ss:[esp],5                                    |
7711E9DE                                        | CB                       | ret far                                                     |
7711E9DF                                        | 48                       | dec eax                                                     |
7711E9E0                                        | B8 88776655              | mov eax,55667788                                            |
7711E9E5                                        | 44                       | inc esp                                                     |
7711E9E6                                        | 3322                     | xor esp,dword ptr ds:[edx]                                  |
7711E9E8                                        | 1150 41                  | adc dword ptr ds:[eax+41],edx                               |
7711E9EB                                        | 50                       | push eax                                                    |
7711E9EC                                        | 41                       | inc ecx                                                     |
7711E9ED                                        | 51                       | push ecx                                                    |
7711E9EE                                        | 41                       | inc ecx                                                     |
7711E9EF                                        | 52                       | push edx                                                    |
7711E9F0                                        | 41                       | inc ecx                                                     |
7711E9F1                                        | 53                       | push ebx                                                    |
7711E9F2                                        | 41                       | inc ecx                                                     |
7711E9F3 <ntdll._LdrpForkProcess@0>             | 54                       | push esp                                                    |
7711E9F4                                        | 41                       | inc ecx                                                     |
7711E9F5                                        | 55                       | push ebp                                                    |
7711E9F6                                        | 41                       | inc ecx                                                     |
7711E9F7                                        | 56                       | push esi                                                    |
7711E9F8                                        | 41                       | inc ecx                                                     |
7711E9F9                                        | 57                       | push edi                                                    | edi:"LdrpInitializeProcess"
7711E9FA                                        | 50                       | push eax                                                    |
7711E9FB                                        | E8 00000000              | call ntdll.7711EA00                                         | call $0
7711EA00                                        | C74424 04 23000000       | mov dword ptr ss:[esp+4],23                                 | 23:'#'
7711EA08                                        | 830424 0D                | add dword ptr ss:[esp],D                                    |
7711EA0C                                        | CB                       | ret far                                                     |
7711EA0D                                        | 90                       | nop                                                         |
6A 33 E8 00 00 00 00 83 04 24 05 CB 48 B8 88 77 66 55 44 33 22 11 50 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 50 E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB 90 
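As an added example (not part of the original post), the Python script below parses the x64dbg listing rows quoted above, checks the decoded bytes against the byte strings given on the page, and verifies the gate arithmetic: `call $0` pushes the address of the next instruction, the `add dword ptr ss:[esp/rsp],imm` patches that slot so `ret far` lands on the first byte after it, and the selector popped into CS is 0x33 (64-bit code) going in and 0x23 (32-bit code) coming back. The regex and helper names are this example's own.

```python
import re
# Two listing excerpts copied from the page (x64dbg format: address | bytes | disasm | comment).
GATE_TO_64 = """\
7711E9D3 | 6A 33       | push 33                  |
7711E9D5 | E8 00000000 | call ntdll.7711E9DA      | call $0
7711E9DA | 830424 05   | add dword ptr ss:[esp],5 |
7711E9DE | CB          | ret far                  |
"""
GATE_TO_32 = """\
00007FFC844B11F9 | E8 00000000        | call ntdll.7FFC844B11FE     | call $0
00007FFC844B11FE | C74424 04 23000000 | mov dword ptr ss:[rsp+4],23 | 23:'#'
00007FFC844B1206 | 830424 0D          | add dword ptr ss:[rsp],D    |
00007FFC844B120A | CB                 | ret far                     |
00007FFC844B120B | 90                 | nop                         |
"""
HEX32 = "6A 33 E8 00 00 00 00 83 04 24 05 CB"  # byte strings as given on the page
HEX64 = ("48 B8 88 77 66 55 44 33 22 11 50 41 50 41 51 41 52 41 53 41 54 41 55 41 56 "
         "41 57 50 E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB 90")
ROW = re.compile(r"^\s*([0-9A-Fa-f]{8,16})[^|]*\|\s*([0-9A-Fa-f: ]+?)\s*\|\s*([^|]*?)\s*\|")
def parse_listing(text):
    """Return [(address, raw_bytes, disassembly)] for every listing row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # drop the '41:50' prefix separator before decoding the byte column
            addr, raw = int(m.group(1), 16), bytes.fromhex(m.group(2).replace(":", ""))
            rows.append((addr, raw, m.group(3)))
    return rows

def stub_bytes(rows):
    return b"".join(raw for _, raw, _ in rows)

def far_return_target(rows):
    """Address 'ret far' pops: the return address pushed by 'call $0' plus the add immediate."""
    call = next(r for r in rows if r[1] == b"\xE8\x00\x00\x00\x00")
    add = next(r for r in rows if r[2].startswith("add dword ptr ss:["))
    return call[0] + len(call[1]) + int(add[2].split(",")[1], 16)

def after_retf(rows):
    """First byte after 'ret far', i.e. where the other mode's code must begin."""
    i = next(i for i, r in enumerate(rows) if r[2] == "ret far")
    return rows[i][0] + len(rows[i][1])

def target_selector(rows):
    """CS selector the far return loads: 0x33 selects 64-bit code, 0x23 32-bit code."""
    for _, raw, asm in rows:
        if raw[0] == 0x6A:                               # push imm8 before the call
            return raw[1]
        if asm.startswith("mov dword ptr ss:[rsp+4],"):  # high dword of the return slot
            return int(asm.split(",")[1], 16)
```

Because the 64-bit `ret far` uses a 32-bit operand size, only the low dword of the patched return address is popped, which is why the stub works at the low 32-bit address the gate is written to in the 32-bit debugger.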

Stack retrieved (win10_64):
$ ==>     1122334455667788 0000000077063620   r15
$+10      0000000000A6E940 0000000000A6FDA0         
$+20      0000000002C0A000 0000000000000246         
$+30      0000000000000000 00000000770E1FCC         
$+40      000000000000002B 1122334455667788         

Stack retrieved (win7_64):
$ ==>    >   55667788    11223344    75062450    00000000    r15
$+10     >   0008EC80    00000000    0008FD20    00000000
$+20     >   7EFDB000    00000000    00000202    00000000
$+30     >   00000000    00000000    0018FD10    00000000
$+40     >   778B01C4    00000000    55667788    11223344

Reposted from www.cnblogs.com/hjbf/p/12045820.html