// Scans one section for 0xE8/0xE9 bytes and searches for a byte value (dwMagic)
// that is never the first displacement byte of a transfer leaving the section.
// NOTE(review): looks like marker-byte selection for a call/jmp address
// transform, as used by executable packers. The consumer of dwMagic is not
// visible here, so confirm against the code that follows.
DWORD dwMagic;
DWORD i;
BYTE dwCode;
DWORD dwAddr;
// NOTE(review): (DWORD)MapOfFile truncates the pointer when pointers are wider
// than 32 bits. VirtualAddress is also used directly as an offset into the
// mapping; presumably MapOfFile has image layout, verify.
dwStartMap = SH->VirtualAddress + (DWORD)MapOfFile;// current start address of the section
// NOTE(review): VirtualSize comes from the section header and is not checked
// against the size of the mapping in this fragment. Validate it before scanning
// a file that is not trusted.
dwEndMap = SH->Misc.VirtualSize + dwStartMap;// current end address of the section
i = 0;
// Candidate values 1..0xFE are tried in order.
for (dwMagic=1; dwMagic <0xFF; dwMagic++)
{
// i == dwEndMap only when the previous scan ran to the end without a match.
// dwMagic has already been incremented by the for-statement at this point, so
// on this exit the unused value is dwMagic - 1.
if (i == dwEndMap)
break ;
// Byte-by-byte scan with no instruction decoding: any 0xE8/0xE9 byte is treated
// as an opcode, including operand or data bytes.
for (i=dwStartMap; i <dwEndMap; i++)
{
dwCode = *(LPBYTE)i;
if (dwCode == 0xE8 || dwCode == 0xE9)// call or jmp
{
// NOTE(review): reads 4 bytes at i+1 with no check that i+5 <= dwEndMap, so an
// 0xE8/0xE9 in the last 4 bytes of the section reads past the section end.
dwAddr = i + 5 + *(LPDWORD)(i+1);// destination address of the transfer
// Strict '>' means a target equal to dwStartMap is not counted as intra-section.
if (dwAddr>dwStartMap && dwAddr <dwEndMap)
continue ; // transfer within the section
// Transfer leaving the section: dwCode is reused as scratch for the first (low)
// byte of the displacement, which is compared with the candidate below.
// (The original comment asked what storing it in dwCode is for.)
dwCode = *(LPBYTE)(i+1);
// A match means this candidate value is already in use, so the scan is abandoned
// and the outer loop moves to the next candidate. The BYTE is promoted for the
// comparison with the DWORD, and candidates stay below 0xFF.
// (The original comment asked why this is done, given that a match is unlikely.)
if (dwCode == dwMagic)
break ;
}
}
}
// The loops' result is the state left in dwMagic and i (the original comment
// read them as having no effect). If i == dwEndMap, the last scan completed and
// dwMagic - 1 is unused. Otherwise every candidate matched, and the code that
// follows must handle that case.
DWORD dwMagic;
DWORD i;
BYTE dwCode;
DWORD dwAddr;
dwStartMap = SH->VirtualAddress + (DWORD)MapOfFile;//段现在首地址
dwEndMap = SH->Misc.VirtualSize + dwStartMap;//段现在末地址
i = 0;
for (dwMagic=1; dwMagic <0xFF; dwMagic++)
{
if (i == dwEndMap)
break ;