<p>
No.: 30309 Posted by: XiaoQi Posted on: 2003-02-21 19:23:14
<br>Subject: ??? What does #pragma pack(....) do
<br>Content: There is a firewall source program containing the code below. I looked up the usage of #pragma pack(n),<BR>#pragma pack(push) and #pragma pack(pop) in MSDN, but the explanation is baffling. I have read material on many English websites and still cannot figure it out. I have no choice but to trouble you experts. Thank you!!!<BR>#pragma pack(push)<BR>#pragma pack(1)<BR>typedef struct _HOOK_CONTEXT_STRUCT<BR>{<BR> //runtime code<BR> ubyte code1_0x58; //0x58 | pop eax | pop caller IP from stack to eax<BR> ubyte code2_0x68; //0x68 | push IMM | push our hook context address<BR> struct _HOOK_CONTEXT_STRUCT *m_pHookContext;//point this <BR> ubyte code3_0x50; //0x50 | push eax | push caller IP from eax to stack <BR> ubyte code4_0xE9; //0xE9 | jmp HookProc | jump our hook proc<BR> udword m_pHookProcOffset;<BR><BR> //our context data<BR><BR> PVOID m_pOriginalProc;<BR> PVOID m_pHookProc;<BR> PVOID m_pBindAdaptHandle;<BR> PVOID m_pProtocolContent;<BR> PVOID *m_ppOriginPtr;<BR><BR> struct _HOOK_CONTEXT_STRUCT *m_pHookNext;<BR> <BR>}HOOK_CONTEXT_STRUCT;<BR>#pragma pack(pop)<BR>
</p>
<hr size=1>
<blockquote><p>
Reply by: dr0 Reply date: 2003-02-21 19:29:51
<br>Content: The structure above is aligned on a one-byte boundary.
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: dr0 Reply date: 2003-02-21 19:41:19
<br>Content: // e.g. <BR>// code lines<BR>//<BR><BR>#ifndef __DR0_H__<BR>#define __DR0_H__<BR><BR>// begin<BR>#pragma pack(push)<BR> <BR> #pragma pack(4) // the following structures between this push/pop pair are<BR> ... // aligned by 4 bytes.<BR> <BR>#pragma pack(pop)<BR><BR>#pragma pack(push)<BR> #pragma pack(1) // now, the structures between this push/pop pair<BR> // are aligned by 1 byte.<BR> ...<BR>#pragma pack(pop)<BR><BR>#endif<BR>// end
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: XiaoQi Reply date: 2003-02-21 19:42:35
<br>Content: dr0, my friend, what about #pragma pack(pop) and #pragma pack(push)?? Thank you for your answer!!
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: XiaoQi Reply date: 2003-02-21 19:50:15
<br>Content: The program contains the following code:<BR>HOOK_CONTEXT_STRUCT *HookNdisFunc(PVOID pHookProc,PVOID *ppOrigProc,PVOID pBindAdaptHandle,PVOID pProtocolContent)<BR>{<BR><BR> HOOK_CONTEXT_STRUCT *pHookContext;<BR> PVOID OrgFunc;<BR><BR> pHookContext = IsHookedNdisFunc(ppOrigProc[0]);<BR> if( pHookContext )<BR> OrgFunc = pHookContext->m_pOriginalProc;<BR> else<BR> OrgFunc = ppOrigProc[0];<BR> if( OrgFunc == NULL )<BR> return NULL;<BR><BR> pHookContext = IsHookedNdisFuncEx(ppOrigProc);<BR> if( pHookContext )<BR> return pHookContext;<BR> pHookContext = ExAllocatePoolWithTag(NonPagedPool,sizeof(HOOK_CONTEXT_STRUCT),'HCSP');<BR> if( pHookContext == NULL )<BR> return NULL;<BR> memset(pHookContext,0,sizeof(HOOK_CONTEXT_STRUCT));<BR><BR> pHookContext->code1_0x58 = 0x58;<BR> pHookContext->code2_0x68 = 0x68;<BR> pHookContext->code3_0x50 = 0x50;<BR> pHookContext->code4_0xE9 = 0xE9;<BR><BR> pHookContext->m_pHookContext = pHookContext;<BR> pHookContext->m_pHookProcOffset = ((udword)pHookProc) - (((udword)&pHookContext->m_pHookProcOffset) + sizeof(udword));<BR> pHookContext->m_pBindAdaptHandle = pBindAdaptHandle;<BR> pHookContext->m_pProtocolContent = pProtocolContent;<BR> pHookContext->m_pOriginalProc = OrgFunc;//ppOrigProc[0];<BR> pHookContext->m_ppOriginPtr = ppOrigProc;<BR> pHookContext->m_pHookProc = pHookProc;<BR> pHookContext->m_pHookNext = m_pOurAllOfHookContext;<BR> m_pOurAllOfHookContext = pHookContext;<BR><BR> ppOrigProc[0] = pHookContext;<BR> return pHookContext;<BR>}<BR><BR>dr0: in the lines above,<BR> pHookContext->code1_0x58 = 0x58;<BR> pHookContext->code2_0x68 = 0x68;<BR> pHookContext->code3_0x50 = 0x50;<BR> pHookContext->code4_0xE9 = 0xE9;<BR>are 0x58 and the others addresses, after decompilation, that are related to #pragma pack(push) and #pragma pack(pop)?? Thank you very much!!<BR>
</p></blockquote>
<hr size=1>
<blockquote><p>
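Reply by: dr0 Reply date: 2003-02-21 19:55:57
<br>Content: The compiler has a stack of "structure alignment byte" values (a compiler-internal variable). #pragma pack(push) means that the structures in the code currently being compiled<BR>are aligned according to the n in the pack(n) between the #pragma pack(push)/(pop) pair;<BR>n is a power of 2. In other words, n is pushed onto this compiler stack, so the compiler always uses<BR>the n currently on top of the stack to align the structures inside the push/pop pair. After the pop, the current n is no longer used and<BR>the compiler aligns with the previously pushed n.<BR><BR>Imagine N0, N1, N2... forming a stack, with your code lying between Ni and Ni+1. <BR>Each Ni is pushed in with push and removed with pop, and the compiler aligns the structures between Ni and Ni+1 according to this Ni.<BR>Have a look at MSDN yourself.
</p></blockquote>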
<hr size=1>
<blockquote><p>
<font color=red>Answer accepted</font><br>Reply by: dr0 Reply date: 2003-02-21 20:01:51
<br>Content: pHookContext->code1_0x58 = 0x58;<BR> pHookContext->code2_0x68 = 0x68;<BR> pHookContext->code3_0x50 = 0x50;<BR> pHookContext->code4_0xE9 = 0xE9;<BR><BR> These are all machine code. The author uses pack(), push() and pop() to prevent the compiler from inserting<BR> padding data into _HOOK_CONTEXT_STRUCT, so as to guarantee the correctness of the instructions.<BR><BR> You will understand in time. If you remove these pack, push and pop directives and disassemble it, you will see<BR> that the machine code above is no longer contiguous.<BR>
</p></blockquote>
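<p>Added example (not part of the original thread or of the firewall source): the thunk prefix from the struct above laid out with default alignment and inside a push/pack(1)/pop region, showing where padding would split the opcode bytes from their operands. The type and function names are hypothetical, <code>uint32_t</code> stands in for the 32-bit x86 pointers, and the addresses are constructed.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four opcode bytes and two 32-bit operands of the thunk on this page.
   uint32_t stands in for the 32-bit x86 pointers (assumption of this example). */
#define THUNK_FIELDS \
    uint8_t  code1_0x58;  /* pop eax    */ \
    uint8_t  code2_0x68;  /* push imm32 */ \
    uint32_t ctx_addr;    /* imm32      */ \
    uint8_t  code3_0x50;  /* push eax   */ \
    uint8_t  code4_0xE9;  /* jmp rel32  */ \
    uint32_t hook_rel32;  /* rel32      */

typedef struct { THUNK_FIELDS } thunk_default_t;  /* default alignment: padded */

#pragma pack(push)   /* save the packing value in effect */
#pragma pack(1)      /* byte packing for what follows */
typedef struct { THUNK_FIELDS } thunk_packed_t;   /* no padding */
#pragma pack(pop)    /* restore the saved value */

typedef struct { uint8_t tag; uint32_t value; } after_pop_t;  /* padded again */

/* Same formula as the page: target minus the address just past the operand. */
static uint32_t jmp_rel32(uint32_t target, uint32_t operand_addr) {
    return target - (operand_addr + (uint32_t)sizeof(uint32_t));
}

/* Lay out a packed thunk as if it lived at `base` and copy its raw bytes to out. */
static size_t build_thunk_bytes(uint32_t base, uint32_t hook, uint8_t *out) {
    thunk_packed_t t = { 0x58, 0x68, base, 0x50, 0xE9, 0 };
    t.hook_rel32 = jmp_rel32(hook, base + (uint32_t)offsetof(thunk_packed_t, hook_rel32));
    memcpy(out, &t, sizeof t);
    return sizeof t;
}

int main(void) {
    uint8_t raw[sizeof(thunk_packed_t)];
    size_t n = build_thunk_bytes(0x1000u, 0x2000u, raw);  /* constructed addresses */
    printf("default: imm32 at +%zu, rel32 at +%zu, size %zu\n",
           offsetof(thunk_default_t, ctx_addr), offsetof(thunk_default_t, hook_rel32),
           sizeof(thunk_default_t));
    printf("packed : imm32 at +%zu, rel32 at +%zu, size %zu\n",
           offsetof(thunk_packed_t, ctx_addr), offsetof(thunk_packed_t, hook_rel32), n);
    printf("after pop: value at +%zu\n", offsetof(after_pop_t, value));
    for (size_t i = 0; i < n; i++) printf("%02X ", raw[i]);
    putchar('\n');
    return 0;
}
```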
<hr size=1>
<blockquote><p>
Reply by: XiaoQi Reply date: 2003-02-21 20:05:02
<br>Content: I understand now!<BR>dr0 sir: thanks!!
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: dr0 Reply date: 2003-02-21 20:05:17
<br>Content: Are 0x58 and the others addresses, after decompilation, that are related to #pragma pack(push) and #pragma pack(pop)?? <BR>// No. pack, push and pop can all be regarded as internal compiler settings and have nothing to do with addresses.
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: 蛤蛤 Reply date: 2003-02-21 20:12:37
<br>Content: Does the compiler by default align on even boundaries, or on the integer length? // I forgot, heh, I used to know!
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: dr0 Reply date: 2003-02-21 20:20:59
<br>Content: It must be a power of 2; the VC default is 8.
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: XiaoQi Reply date: 2003-02-21 20:23:02
<br>Content: hunhun: you see (source: http://www.pdc.kth.se/doc/SP/manuals/ibmcxx-3.6.6/html/language/ref/rnpgpack.htm)<BR><BR> By default, structures and unions are aligned on 4 bytes on OS/2.<BR> By default, structures and unions are aligned on 8 bytes on Windows.<BR>The IBM C and C++ Compilers also lets you use the compiler options:<BR>
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: 蛤蛤 Reply date: 2003-02-21 20:29:48
<br>Content: I not saw it, before i see U! 3x!
</p></blockquote>
<hr size=1>
<blockquote><p>
Reply by: 无形 Reply date: 2003-02-22 10:43:53
<br>Content: Bummer, I only just got here.
</p></blockquote>