37. Other related principles and precautions for Windows APIs

Source: Internet
Author: User
Tags: ssdt

1. The biggest difference between a 64-bit and a 32-bit operating system is the size of the address space. A 32-bit operating system represents a memory address with 32-bit data, which gives 2^32 bytes (4 GB) of address space; a 64-bit operating system can use 16 TB of memory address space. In a 64-bit operating system, pointers and the basic data types (INT) are 64 bits wide.

Windows has many kinds of objects: kernel objects, GDI objects, user objects, and so on. Kernel objects relate to the system management of the operating system, such as files, processes, events, and network sockets. GDI objects are the objects involved in graphical output. User objects are user-interface objects such as controls, menus, and input devices.

When a program operates on these objects, it normally passes a handle as the parameter rather than the object itself.

In the debug build produced by Visual Studio, functions are in many cases called through a jump table: the CALL instruction targets an entry in the jump table, which is usually an unconditional JMP instruction that jumps to the real function body. In the release build, functions are called directly by their code address, without a jump table.

The stack layout during a function call is as follows:

Each function call changes EBP once. The stack holds, in order, the parameters, the return address, the caller's EBP, and the local variables.

Every function call produces such a structure, and as calls nest, these structures pile up on the stack; each one is called a stack frame, and each frame corresponds to one function call. EBP is the key register in a stack frame: parameter addressing, local-variable addressing, and the function return all depend on it.

The calling convention determines how parameters are passed and how the stack is restored after the call returns. With __cdecl and __stdcall, all parameters are pushed onto the stack from right to left; with __fastcall, parameters are passed in the ECX and EDX registers, and the remaining parameters are pushed onto the stack from right to left.

After the function returns, under __cdecl the caller restores ESP and EBP to their state before the call; under __stdcall the called function itself restores the stack to its state before the call before returning, so that the caller can continue executing.

Functions such as memcpy and strcpy copy data into the buffer from low memory addresses toward high memory addresses.
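The frame layout and copy direction described above can be observed directly. The following C program is an added example, not code from the original article: it records the frame addresses of a caller and a callee (via the GCC/clang builtin __builtin_frame_address, an assumption about the compiler), the address range of the callee's local buffer, and replaces an unbounded strcpy with a length-checked copy that refuses input that would run upward into the saved EBP and return address. The function names and the 16-byte buffer size are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One probe of a callee's stack frame (constructed for this demo, not Windows API code). */
typedef struct {
    uintptr_t caller_frame;  /* caller's frame address (where its saved EBP/RBP sits) */
    uintptr_t callee_frame;  /* callee's frame address: saved caller EBP here, return address just above */
    uintptr_t buf_start;     /* first byte of the callee's local buffer */
    uintptr_t buf_end;       /* one past the last byte of that buffer */
    int copy_ok;             /* 1 if the bounded copy accepted the input, 0 if it was refused */
} FrameProbe;

/* Bounded copy: refuses any input that would run past the end of dst.
   A plain strcpy would keep writing upward, into the saved EBP and the return address. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return 0;                     /* no room for the bytes plus the terminating NUL */
    memcpy(dst, src, n + 1);
    return 1;
}

/* Callee: records where its frame and its local buffer lie, then copies input into the buffer. */
__attribute__((noinline))
static FrameProbe probe_callee(uintptr_t caller_frame, const char *input)
{
    char buf[16];                     /* the local variable region of this frame */
    FrameProbe p;
    p.caller_frame = caller_frame;
    p.callee_frame = (uintptr_t)__builtin_frame_address(0);  /* compiler builtin: this frame's address */
    p.buf_start = (uintptr_t)buf;
    p.buf_end = (uintptr_t)buf + sizeof buf;
    p.copy_ok = bounded_copy(buf, sizeof buf, input);
    return p;
}

/* Caller: passes its own frame address down so the two frames can be compared. */
__attribute__((noinline))
FrameProbe probe_frames(const char *input)
{
    return probe_callee((uintptr_t)__builtin_frame_address(0), input);
}

/* True when the layout matches the description in the text: the callee's frame lies below
   the caller's (the stack grows toward lower addresses), and the local buffer lies below the
   callee's saved-EBP and return-address slots, so an unbounded forward copy would reach them. */
int layout_as_described(const FrameProbe *p)
{
    return p->callee_frame < p->caller_frame && p->buf_end <= p->callee_frame;
}
```

Because the copy runs from low to high addresses and the buffer sits below the saved EBP and return address, the length check in bounded_copy is what keeps a long input from overwriting the frame bookkeeping; the probe makes that ordering visible rather than leaving it as a diagram.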

2. The executable format used by Windows is called PE. EXE files, DLL files, SYS files, and OCX files are all in PE format.

For the detailed structure, see [1], p. 565.

3. To call a function you need its address. A CALL instruction takes the function address, or a pointer that holds the function address, as its operand. Within one module the relative positions of the code are fixed, so the operand of the CALL instruction is computed at compile time and embedded in the instruction (this is called static linking). When functions in different modules need to call each other, however, the address of the called function is not known in advance.

The system uses a dynamic linking mechanism to make sure that functions in different modules are called correctly. The import table and the export table are the two important structures used in dynamic linking.

The import table records the functions of external modules that a module needs to call, including the DLL name and the function name. The export table records the functions a module makes available for other modules to call, including the function name.

During process creation and module loading, the system reads the import table of the executable file, learns which DLLs need to be loaded, loads them, looks up the address of each function to be called in the loaded DLL by function name, and then writes the real address of each imported function into the function address pointer array specified by the import table.

The position of a module's import table is therefore fixed, but the values of the function pointers in the import table are filled in during dynamic linking. Once dynamic linking is complete, the program calls external functions through the function pointers in the import table.
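Walking the import table is the first step of the loader's work described above, and also the first step of checking what a module will call before it is loaded. The following C program is an added example, not code from the original article or from Windows: it declares the minimal PE32 header layouts itself (so it builds without windows.h), maps RVAs to file offsets through the section table with bounds checks at every step, and lists each "DLL!Function" import. The sample image it parses is constructed in build_sample_image and is not a real binary; all function and type names are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PE32 header layouts (field offsets follow the PE specification; little-endian host assumed). */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;
typedef struct { uint32_t Signature; uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp,
                 PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint16_t Magic; uint8_t rest[90]; uint32_t NumberOfRvaAndSizes; DataDir Dir[16]; } OptHdr32;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData; uint8_t rest[16]; } SecHdr;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDesc;
#pragma pack(pop)

/* Map an RVA to a file offset through the section table; fail if no section backs the RVA
   or if `need` bytes at that offset would run past the end of the file. */
static int rva_to_off(const SecHdr *sec, int nsec, uint32_t rva, size_t len, size_t need, size_t *off)
{
    for (int i = 0; i < nsec; i++) {
        if (rva >= sec[i].VirtualAddress && rva - sec[i].VirtualAddress < sec[i].SizeOfRawData) {
            *off = (size_t)sec[i].PointerToRawData + (rva - sec[i].VirtualAddress);
            return *off <= len && len - *off >= need;
        }
    }
    return 0;
}

/* Walk the import directory and write "DLL!Function" (or "DLL!#ordinal") entries into out.
   Returns the number of imports, or -1 if the image is malformed or truncated. */
int list_imports(const uint8_t *img, size_t len, char out[][64], int max_out)
{
    if (len < sizeof(DosHdr)) return -1;
    const DosHdr *dos = (const DosHdr *)img;
    size_t nt = dos->e_lfanew;
    if (dos->e_magic != 0x5A4D || nt > len || len - nt < sizeof(FileHdr) + sizeof(OptHdr32)) return -1;
    const FileHdr *fh = (const FileHdr *)(img + nt);
    const OptHdr32 *oh = (const OptHdr32 *)(img + nt + sizeof(FileHdr));
    if (fh->Signature != 0x00004550u || oh->Magic != 0x10B) return -1;    /* "PE\0\0" and PE32 */
    size_t sec_off = nt + sizeof(FileHdr) + fh->SizeOfOptionalHeader;
    int nsec = fh->NumberOfSections;
    if (sec_off > len || (len - sec_off) / sizeof(SecHdr) < (size_t)nsec) return -1;
    const SecHdr *sec = (const SecHdr *)(img + sec_off);
    if (oh->NumberOfRvaAndSizes < 2 || oh->Dir[1].VirtualAddress == 0) return 0;   /* no imports */
    int count = 0;
    for (uint32_t d = oh->Dir[1].VirtualAddress;; d += sizeof(ImportDesc)) {
        size_t off, noff;
        if (!rva_to_off(sec, nsec, d, len, sizeof(ImportDesc), &off)) return -1;
        const ImportDesc *id = (const ImportDesc *)(img + off);
        if (id->Name == 0 && id->FirstThunk == 0) break;                   /* all-zero terminator */
        if (!rva_to_off(sec, nsec, id->Name, len, 1, &noff)) return -1;
        const char *dll = (const char *)img + noff;
        if (!memchr(dll, 0, len - noff)) return -1;                        /* unterminated DLL name */
        /* The name table (OriginalFirstThunk) is what the loader resolves; fall back to the IAT. */
        for (uint32_t t = id->OriginalFirstThunk ? id->OriginalFirstThunk : id->FirstThunk;; t += 4) {
            size_t toff, hoff; uint32_t thunk; char ord[16]; const char *fn;
            if (!rva_to_off(sec, nsec, t, len, 4, &toff)) return -1;
            memcpy(&thunk, img + toff, 4);
            if (thunk == 0) break;
            if (thunk & 0x80000000u) { snprintf(ord, sizeof ord, "#%u", thunk & 0xFFFFu); fn = ord; }
            else {
                if (!rva_to_off(sec, nsec, thunk, len, 3, &hoff)) return -1;   /* 2-byte hint + name */
                fn = (const char *)img + hoff + 2;
                if (!memchr(fn, 0, len - hoff - 2)) return -1;
            }
            if (count < max_out) snprintf(out[count], 64, "%s!%s", dll, fn);
            count++;
        }
    }
    return count;
}

static void put16(uint8_t *p, size_t off, uint16_t v) { memcpy(p + off, &v, 2); }
static void put32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }

/* Constructed sample: a 1 KiB PE32 image with one section and one DLL importing two names. */
size_t build_sample_image(uint8_t *img, size_t cap)
{
    if (cap < 0x400) return 0;
    memset(img, 0, 0x400);
    put16(img, 0x00, 0x5A4D);  put32(img, 0x3C, 0x40);            /* "MZ", e_lfanew -> 0x40 */
    put32(img, 0x40, 0x00004550u);                                  /* "PE\0\0" */
    put16(img, 0x46, 1);       put16(img, 0x54, 224);               /* 1 section, PE32 optional header size */
    put16(img, 0x58, 0x10B);   put32(img, 0xB4, 16);                /* PE32 magic, NumberOfRvaAndSizes */
    put32(img, 0xC0, 0x1000);  put32(img, 0xC4, 40);                /* import directory RVA and size */
    memcpy(img + 0x138, ".rdata", 6);                               /* section: RVA 0x1000 -> file 0x200 */
    put32(img, 0x140, 0x200); put32(img, 0x144, 0x1000); put32(img, 0x148, 0x200); put32(img, 0x14C, 0x200);
    put32(img, 0x200, 0x1040); put32(img, 0x20C, 0x1100); put32(img, 0x210, 0x1060);  /* INT, Name, IAT RVAs */
    put32(img, 0x240, 0x1120); put32(img, 0x244, 0x1140);           /* INT: two hint/name RVAs, then 0 */
    memcpy(img + 0x300, "KERNEL32.dll", 13);
    memcpy(img + 0x322, "CreateFileA", 12);                         /* 2-byte hint at 0x320, name after it */
    memcpy(img + 0x342, "ReadFile", 9);
    return 0x400;
}
```

Every RVA the file supplies is treated as untrusted: the parser refuses an RVA that no section backs, a name that is not NUL-terminated inside the file, and a table that runs off the end, returning -1 instead of reading past the buffer. Passing a truncated length to list_imports shows that path.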

4. The API functions exported by NTDLL.DLL are called the native API.

The kernel structure that dispatches system calls is called the SSDT. Its full name is the System Service Descriptor Table.

The function interface exported by NTDLL.DLL is the native API. The native API exported by NTDLL.DLL is actually a series of stub functions: they perform the transition from user mode to kernel mode and invoke the system service that carries out the API's real work.

After a native API call enters kernel mode, the system looks up the SSDT entry indexed by the service number to find the real address of the called system service function, calls that function through the address, and returns the result of the call.

5. Hooking is a relatively advanced technique. An API hook modifies the API's address, or the code inside the API, so that a program can monitor the call, or alter the parameters or the return value, whenever the API function is called.

There are two ways to implement an API hook. One is to walk the import table of each module in the process; wherever an import table references the target function, the recorded address is changed to point to the custom function. The other is to write a jump instruction into the code at the target function's address, so that whenever the API is called, execution jumps to the custom function.

An API hook therefore involves two steps: first, write the hook functions that will "replace" the normal API functions (the hook function needs to call the original API function); second, write the hooking program that replaces the address or the code of the original system API.
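Both hook methods above leave a footprint a defender can test for, and the SSDT lookup in section 4 has the same footprint in the kernel: a function pointer that no longer resolves into the module that owns the function, or a function entry whose first instruction has become a jump. The following C program is an added example, not code from the original article or from any Windows component: points_outside_module applies the range test to an import table entry (or, with the kernel image range, to an SSDT entry), inline_jmp_target decodes a JMP rel32 at a function entry, and run_sample runs both over a constructed module table and constructed instruction bytes. All addresses, module names and function names are made up for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated loaded-module table entry (constructed addresses, not from a live process). */
typedef struct { const char *name; uintptr_t base; uintptr_t size; } ModuleRange;

/* Name of the module whose address range contains addr, or NULL if none does. */
const char *module_containing(const ModuleRange *mods, int n, uintptr_t addr)
{
    for (int i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}

/* Range test: the pointer recorded for a function owned by `owner_dll` should lie inside that
   module. Returns 1 if it resolves somewhere else (an import-table hook, or for an SSDT entry
   checked against the kernel image, a service table hook), 0 if it lies inside the owner. */
int points_outside_module(const ModuleRange *mods, int n, const char *owner_dll, uintptr_t target)
{
    const char *found = module_containing(mods, n, target);
    return found == NULL || strcmp(found, owner_dll) != 0;
}

/* Inline-hook test: if the bytes at a function entry start with JMP rel32 (opcode E9), return
   the jump target; return 0 if they do not. `code` holds the first bytes of the function and
   `func_addr` is the address those bytes live at. */
uintptr_t inline_jmp_target(const uint8_t *code, size_t code_len, uintptr_t func_addr)
{
    if (code_len < 5 || code[0] != 0xE9)
        return 0;
    int32_t rel;                              /* rel32 is signed, relative to the next instruction */
    memcpy(&rel, code + 1, sizeof rel);
    return func_addr + 5 + (uintptr_t)(intptr_t)rel;
}

/* Verdict for one function entry: 1 if it has been patched to jump out of its own module. */
int entry_hooked(const ModuleRange *mods, int n, const char *owner_dll,
                 const uint8_t *code, size_t code_len, uintptr_t func_addr)
{
    uintptr_t target = inline_jmp_target(code, code_len, func_addr);
    return target != 0 && points_outside_module(mods, n, owner_dll, target);
}

/* Constructed sample: two modules, one clean IAT entry, one redirected IAT entry, one function
   entry with a normal x86 prologue and one patched with a jump into the other module.
   Returns the number of findings (expected: 2). */
int run_sample(void)
{
    const ModuleRange mods[] = { { "KERNEL32.dll", 0x7FF00000u, 0x100000u },
                                 { "other.dll",    0x10000000u, 0x10000u } };
    const int n = 2;
    const uint8_t prologue[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };   /* push ebp; mov ebp,esp; sub esp,0x10 */
    const uint8_t patched[]  = { 0xE9, 0xFB, 0xF0, 0x0F, 0x90 };         /* jmp rel32 to 0x10000100 from 0x7FF01000 */
    int findings = 0;
    findings += points_outside_module(mods, n, "KERNEL32.dll", 0x7FF01234u);   /* inside KERNEL32: clean */
    findings += points_outside_module(mods, n, "KERNEL32.dll", 0x10000100u);   /* inside other.dll: redirected */
    findings += entry_hooked(mods, n, "KERNEL32.dll", prologue, sizeof prologue, 0x7FF01000u);
    findings += entry_hooked(mods, n, "KERNEL32.dll", patched, sizeof patched, 0x7FF01000u);
    return findings;
}
```

The range test is deliberately the same function for both tables: an import table entry is compared against the exporting DLL's range, and an SSDT entry would be compared against the kernel image's range. A jump that stays inside its own module (a compiler-generated tail call, or a hot-patch stub) is not reported, which is why entry_hooked combines the two tests instead of flagging every E9.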

6. A LIB file contains the information the linker needs; it tells the linker how to handle these external functions (usually by adding the function calls to the import table).

If you provide a programming interface for third-party applications, you need a LIB file that tells the linker how to handle these external variables and functions. To call functions in a DLL through the import table, the LIB file must be supplied to the linker as a link input.

Provide the header files, LIB files, and DLL files to third-party developers.

References

[1] Proficient in Windows API: Functions, Interfaces, and Programming Examples

[2] http://msdn.microsoft.com/en-us/library/aa966039%28VS.85%29.aspx
