订阅数:66185这是一波电脑病毒蔓延的狂潮.在两个多月的时间里,数百万电脑用户被卷将进去,那只憨态可掬、颔首敬香的“熊猫”除而不尽,成为人们噩梦般的记忆. 反病毒工程师们将它命名为“尼姆亚”.它还有一个更通俗的名字———“熊猫烧香”.它迅速化身数百种,不断入侵个人电脑,感染门户网站,击溃企业数据系统……它的蔓延考问着网络的公共安全,同时引发了一场虚拟世界里“道”与“魔”的较量.反病毒工程师和民间反病毒人士纷纷投身其中. 1月19日,一个最新的“熊猫烧香”变种病毒出现。病毒作者宣称,这将是“熊猫烧香”最后一次更新。 这场历时两个多月的较量结束了吗? “蜜罐”中发现病毒 2006年11月14日,中关村瑞星公司总部14楼。 一群反病毒工程师围着一台与网络隔绝的电脑。随着鼠标点动,数百个熊猫图标出现在屏幕上。这是工程师们当天捕获的病毒,命名为“尼姆亚”。 史瑀是瑞星公司研发部病毒组的反病毒工程师。他每天的工作就是,和数十名伙伴一起捕捉网上流传的病毒,然后将病毒“拆”开,研究其内部结构后,升级瑞星的病毒库。 当天下午,一名用户向他们提交了一份病毒样本。随后,他们又在病毒组的“蜜罐”内,发现了该病毒的踪影。 “蜜罐”是病毒组设立在互联网上的一些防卫性孱弱的服务器,工程师们故意在服务器上设置多种漏洞,诱使病毒侵入。“就像猎人做的沾满蜜糖的陷阱,专门吸引猎物上钩。” 从“蜜罐”里提取病毒后,史瑀和同事们将病毒移到公司14楼的一台与网络隔离的电脑上,这里是病毒的“解剖台”。 “运行病毒之后,系统所有的图标都变成了熊猫。”史瑀眼前的屏幕上,出现了一排排的熊猫图案,熊猫们手持三炷香,合十作揖。 经过分析,工程师们发现,在病毒卡通化的外表下,隐藏着巨大的传染潜力,它的传染模式和杀伤手段,与风行一时的“威金”病毒十分相像。瑞星公司随即发布病毒预警。 病毒蔓延涌向全国 “最开始的‘尼姆亚’不算厉害。”史瑀说,随着病毒作者的不断更新,它的破坏力和传染力也随之上升。 2006年11月底,“尼姆亚”只有不到十个变种,然而12月开始,病毒作者从数日一更新,变为一日数更新,它的变种数量成倍上升。这时候,“熊猫烧香”已经取代了“尼姆亚”这个名字。 12月中旬,“熊猫烧香”进入急速变种期,在几次大面积暴发之后,“熊猫烧香”成为众多电脑用户谈之色变的词汇。 圣诞节过后,“熊猫烧香”版本已达到近百个。 史瑀说,去年12月下旬,国内近千家大型企业感染“熊猫烧香”,向瑞星求助。“当病毒变种和感染人群超过一定数量时,病毒的传播就会以几何方式增长。” 12月26日,金山毒霸全球反病毒监测中心发布“熊猫烧香”正疯狂作案的病毒预警。 27日,江民科技发布关于“熊猫烧香”的紧急病毒警报。 2007年1月7日,国家计算机病毒应急处理中心紧急预警,“通过对互联网络的监测发现,一伪装成‘熊猫烧香’图案的蠕虫病毒传播,已有很多企业局域网遭受该蠕虫的感染。” 1月9日,“熊猫烧香”继续蔓延,开始向全国范围的电脑用户涌去。 这一天,“熊猫烧香”迎来了一次全国性的大规模暴发,它的的变种数量定格在306个。 各地用户纷纷中招 小江是黑龙江省一家网吧的网管。1月9日到1月10日的两天间,他所在的网吧内空空荡荡,并无顾客,打开网吧的40多台电脑,屏幕上布满了“熊猫烧香”图标,系统崩溃,无法运行。 “毒是9日早晨中的,一开始只是一台机器,我杀毒时候,局域网内其他机器陆续中招。”小江说。 同一天早晨,在北京一家IT公司工作的刘先生上班后发现,公司近30台电脑全部感染“熊猫烧香”,病毒破坏了电脑内的程序文件,并删除了电脑备份,公司正在研发中的半成品软件毁于一旦。 刘先生愤怒之下却又无奈。在年度总结报告中,他特意加上了一条:“以后重要程序必须备份,防范类似‘熊猫烧香’的流氓病毒。” 同一天晚上,北京的一家报社里,技术人员们东奔西跑,几十名编辑记者都在等待着他们清除电脑里的“熊猫烧香”。 1月10日,上海一家台资公司的员工张先生打开电脑,迎接他的是一排排拱手举香的熊猫。环顾四周,他发现同事们脸上有同样的惊诧表情。整整一天,公司业务陷于瘫痪。 …… 根据瑞星公司提供的“熊猫烧香”病毒用户求助数据,仅1月9日一天,瑞星用户向公司求助的人数已达1016人次,11日达到1002人次。因为是选择性求助,并仅限于瑞星杀毒软件的正版用户,这个数据只是冰山一角。 据了解,1月9日感染的电脑用户达数十万。其中北京、上海等电脑用户较集中的城市成为“重灾区”。 “熊猫”并未就此止步,它继续四处“烧香”。随着变种的不断增多,病毒洪潮蔓延无休,并且愈演愈烈。 截至目前,“熊猫烧香”病毒变种已达416个,受感染电脑用户达到数百万台。 1月22日,国家计算机病毒应急处理中心再次发出警报,在全国范围内通缉“熊猫烧香”。 门户网站遭遇感染 1月24日,北京市政府信息工作办公室在官方网站上设立了“熊猫烧香”病毒专题,其中撰文称:“一种伪装成‘熊猫烧香’图案的病毒正在疯狂作案……目前已有多家企业局域网和网站遭受重创,多数网民也深受其害。” “熊猫烧香”因何难退? “‘熊猫烧香’和以往的病毒不同,它采用了一种新的传播手段。”史瑀说,传统的蠕虫病毒是通过一台中毒电脑传至局域网内其他电脑,而“熊猫烧香”在整合了所有可利用的传播漏洞之外,还可以通过网站传播。 感染“熊猫烧香”的电脑,会在硬盘的所有网页文件上附加病毒。“如果被感染的是网站编辑和记者的电脑,那么通过中毒的网页,‘熊猫烧香’就可能附身在网站的所有网页上。”史瑀说,访问这种中毒的网站时,网民就会感染“熊猫烧香”病毒。 从传统的点对点,到现在的点对面,“熊猫烧香”借助中毒网站的惊人访问量急速传播。 据反病毒工程师称,他们曾监控到,“熊猫烧香”感染过天涯社区、硅谷动力、pconline等门户网站,在暴风影音等知名软件的下载链接中也曾有“熊猫烧香”附身的痕迹。同时,“熊猫烧香”还可借助搜索引擎进行病毒传播。 “借助局域网天女散花,借助门户网站星火燎原,借助U盘死灰复燃。”史瑀说,“熊猫烧香”的三项主要传播方式,成为病毒难以退去的主要原因。 反毒人士抗击病毒 史瑀说,自去年圣诞节之后,瑞星公司病毒组就开始不断加班,每当“熊猫烧香”发布新变种,工程师们就立即采集样本,解剖病毒,并升级相应的专杀工具。“这段时间里,通宵熬夜就有4次。” “‘熊猫烧香’技术谈不上高超,主要依赖于作者不断疯狂地更新,它更新,我们就随之更新专杀工具。”史瑀说,“熊猫烧香”善于利用新漏洞,比如1月8日的变种就利用了QQ一项最新的安全漏洞。 “熊猫烧香”诞生至今,病毒版本修改了400余次,史瑀和同事们开发的专杀工具也升级了10余次。 除杀毒软件公司外,散布在网民中的“反毒高手”在抗击“熊猫烧香”中同样发挥了重要作用。 在卡卡网络社区的反病毒论坛上,云集着不少电脑高手,他们大都是业余编程爱好者,时常一起研究杀毒技术。“熊猫烧香”刚现身,就引起了他们的注意。 2006年10月底,在瑞星公司尚未捕获“熊猫烧香”病毒时,程序高手“农夫”就已经拿到了当时的“熊猫烧香”病毒样本,并编写了专杀工具。此后,每当 “熊猫烧香”发布变种时,反病毒论坛的网友mopery和艾玛等人,就会写一份详细的变种分析报告,指出病毒的危险性和新特性。 “其实民间的杀毒高手很多。”史瑀说,他自己以前就是一名民间高手,高中时代起就爱好研究病毒,大学毕业后被杀毒软件公司招募。所以,他现在经常会浏览一些著名技术论坛,如果民间高手有一些好的想法,病毒组也会借鉴。 史瑀说,他手头掌握着一张“底牌”———“未知病毒查杀”。他说,这种杀毒办法可以判断病毒的“家族特征”,只要变种符合一系列特征,专杀工具就能有效查杀。 史瑀介绍了这种新专杀工具的工作原理,但他要求记者报道时隐藏该项内容,“让病毒作者知道了就麻烦了,这是我们取胜的杀手锏。” 一场未结束的战争 1月19日,“熊猫烧香”发布了一个新的变种,病毒作者同时宣称,这将是“熊猫烧香”最后一次更新。 消息传来,在卡卡社区上,饱受“熊猫烧香”折磨的网民们一片雀跃。高兴之余,他们开始反思得失。 在反病毒论坛上,网友tom2000发表了一篇名为《熊猫启示录———风波过后的反思》帖子,文中称:“以后有多少新的病毒/木马会借鉴熊猫的经验呢?一切才刚刚开始!” 业内专家认为,中国的互联网处于起步初期,大部分网民缺乏最基本的网络安全防范知识,也缺少良好的上网习惯。安全意识的薄弱,给病毒大面积传播带来可乘之机。同时,随着计算机在各个行业的普及,病毒造成的损害也将越来越严重。 1月24日下午,反病毒工程师们又发现了一种新型病毒,这种病毒和“熊猫烧香”十分相似,工程师怀疑它是“熊猫烧香”作者创作的新版本病毒。 这种病毒会把受感染用户电脑上的所有图标换成一个男子的头像,在头像的眼睛位置是两个电灯泡。 反病毒工程师们担心的是,“灯泡男子”会不会成为“熊猫烧香”的接班人。 “这是一场看不见硝烟的战争,对我们而言,战争还在继续。”史瑀说。 谁制造了“熊猫烧香”?他意欲何为?在“熊猫烧香”肆虐期间,关于作者身份的种种猜测流传于互联网上。在百度“熊猫烧香”贴吧中,数百名深受“熊猫”所害的网民发帖“通缉”病毒制造者,更有网民声称开出10万美元的悬赏花红。 昨天,反病毒工程师向记者透露,“熊猫烧香”的作者并非无迹可寻,在解剖病毒过程中,他们发现了留在病毒内的一些神秘留言。在这些留言里,“熊猫烧香”的作者自称whboy———“武汉男孩”。 “熊猫”体内暗藏留言 mopery是卡卡社区反病毒论坛的版主,也是一名反病毒高手。 2006年10月中旬,mopery接到网友求助。在帮忙解决电脑故障的过程中,他拿到了一个病毒样本,它就是“熊猫烧香”的原始版本。 将病毒“解剖”之后,在繁复的程序代码中,mopery看到了一段与程序无关的信息,其中有一行字母:“whboy”。 “whboy”这个名字,对于病毒研究者有着不一般的含义。2004年,whboy即发布了其创作的病毒“武汉男孩”,那是一种通过QQ传播的盗号木马,因为其变种的疯狂和传播的广泛,一年后,被江民反病毒中心列入2005年十大病毒之列。 此后,whboy还在一些病毒论坛和黑客论坛发帖,表示可以提供盗取QQ号服务,但不久后便销声匿迹,直至“熊猫”出现。 mopery对“熊猫烧香”进行了认真分析。他发现,这种病毒并不拥有最厉害的技术,却拥有最成熟的传播手段。 mopery对“熊猫烧香”产生了浓厚的兴趣,他联系了另一名民间反病毒高手农夫,在2006年10月25日推出了第一款专杀工具:尼姆亚蠕虫专杀。 “第一只熊猫没什么威力,厉害的是后面的变种。”mopery说,从发现第一版“熊猫烧香”后,一个月内,它的变种就达到了十几种。 在这些变种中,每隔一段时间,作者都有意在病毒中留下whboy字样。“他主要给我们这些分析病毒的人看,普通用户看不到代码。” 随着变种增多,反病毒人士在连续解剖病毒的同时,开始期待更多留言出现。 病毒内部列出“鸣谢单位” 2006年12月初,“熊猫烧香”变种加速,代码中除了whboy字样外,又多了一行汉字:“武汉男孩感染下载者。”随着变种的增多,代码内附带的信息也越来越多。 此时,mopery和艾玛已经加入抗击“熊猫烧香”的大军当中。他们分析熊猫的新变种,并在卡卡社区反病毒论坛上,贴出一份份详细的病毒分析报告。 他们的举动,吸引了病毒作者“武汉男孩”的注意力。在1月初一份病毒变种中,神秘留言再次更新。 “感谢mopery对此木马的关注。”留言中新添的这句话,让mopery啼笑皆非。随后,武汉男孩似乎迷恋上了这种病毒内部列出“鸣谢单位”的模式,在1月5日的病毒留言中,感谢名单上添加了艾玛的名字。1月9日,感谢名单中又多了杀毒高手“海色之月”的名字,文末还添加了一句“服了……艾玛…… ” 此后,武汉男孩开始频繁用这种方式与对手“交流”。 1月15日,武汉男孩还在留言中和反毒者taylor77打起了招呼:“taylor77,不知道找我啥事啊?”并且戏言:“我制作的病毒已经‘满城尽烧国宝香’。” 网络世界高手对决一个月 1月16日,武汉男孩发布了新的病毒变种,反毒者们习惯称之为“艾玛”版本。因为在这个病毒内部的留言中,写了22次艾玛的名字。 1月19日晚,“熊猫烧香”发布了最后一次更新。这个版本可称为传染手段最全面的版本。 在“熊猫烧香”的最后一个版本中,武汉男孩写下了临别赠语:“在此对各位中过此木马的网友和各位网管人员表示深深的歉意!对不起,你们辛苦了!mopery,很想和你们交流下!某某原因,我想还是算了!” 面对“熊猫烧香”停止更新的消息,反病毒工程师史瑀显得很平静:“我们希望熊猫风波就此结束,但是武汉男孩有失言的先例。总之他只要更新,我们就奉陪到底。” 对于持续对决一个多月,却不知藏身何处的武汉男孩,mopery的赠言是:“我希望他能好好利用自己的技术来服务广大网民,而不是给网民带来痛苦。” “武汉男孩”身份存仨版本 虽然武汉男孩表示不再更新“熊猫烧香”,但这场席卷全国的病毒狂潮却余波难平。网民们纷纷猜测武汉男孩的真实身份。 经调查,目前在业内人士中,关于武汉男孩的身份有三种猜测。其一,武汉男孩是一名15岁的武汉少年,证据是网络上流传的他和反毒者农夫的QQ对话。其二,武汉男孩是桂林一家软件公司的副总裁,曾编写过流氓软件,消息来源是反病毒论坛。其三,武汉男孩是国内杀毒软件公司的员工,故意编写病毒,促销相应的杀毒产品。 为核证传言,记者分别采访了mopery和瑞星公司反病毒工程师史瑀。 mopery称,经过他和农夫的核证,证实流传的QQ聊天片断的主人公,是另外一种病毒的作者,而非武汉男孩。至于公司副总的说法,属空穴来风。 作为杀毒软件公司的员工,史瑀说,每次大型病毒流传后,总有各种对杀毒软件公司不利的传言,但杀毒软件界的程序员不会编写病毒、扰乱网络。他反问道:“流感病毒是医生制作的么?” mopery和史瑀都表示,从留言的内容和程序代码来看,武汉男孩是一位有丰富病毒编写经验的熟手,经常浏览卡卡社区反病毒论坛,随时关注mopery 等人的病毒分析。卡卡社区有59万余名会员,武汉男孩一定身在其中,但这个范围却再难缩小。“武汉男孩本身精通网络技术和入侵技术,通过他上网的痕迹追查真身很难实现。”mopery说。 “熊猫烧香”带有商业目的 史瑀说,他们经过分析认为,“熊猫烧香”带有强烈的商业目的,“用户感染病毒后,会从后台点击国外的网站,部分变种中含有盗号木马,病毒作者可借此牟利。” “现在的病毒作者和上世纪90年代的不同,他们不再以炫耀技术为目的,而是带有明确商业目的,病毒和流氓软件界限越来越模糊了。”史瑀说。 昨天下午,瑞星公司工作人员表示,已将病毒作者的相关证据和病毒特性提交给国家计算机病毒应急处理中心。国家计算机病毒应急处理中心工作人员称,关于这场“熊猫烧香”病毒风暴,受波及的电脑数字以及造成的经济损失等相关数据,目前正在统计,将于近日在其主页上公布。 关于是否向公安机关报案,这名工作人员表示,目前不便透露。 “我相信总有一天会见到武汉男孩真面目的。”mopery说。 ■链接 计算机信息系统安全保护条例 第二十三条故意输入计算机病毒以及其他有害数据危害计算机信息系统安全的,或者未经许可出售计算机信息系统安全专用产品的,由公安机关处以警告或者对个人处以 5000元以下的罚款、对单位处以15000元以下的罚款;有违法所得的,除予以没收外,可以处以违法所得1至3倍的罚款。 第二十四条 违反本条例的规定,构成违反治安管理行为的,依照《中华人民共和国治安管理处罚条例》的有关规定处罚;构成犯罪的,依法追究刑事责任。 消息原载《京华时报》
FS:[0x00] Win9x and NT Current SEH frame
FS:[0x04] Win9x and NT Top of stack
FS:[0x08] Win9x and NT Current bottom of stack
FS:[0x10] NT Fiber data
FS:[0x14] Win9x and NT Arbitrary data slot
FS:[0x18] Win9x and NT Linear address of TIB
FS:[0x20] NT Process ID
FS:[0x24] NT Current thread ID
FS:[0x2C] Win9x and NT Linear address of the thread local
storage array
FS:[0x30] Pointer to PEB
FS:[0x34] NT Current error number
FS:[0x38] CountOfOwnedCriticalSections
FS:[0x3c] CsrClientThread
FS:[0x40] Win32ThreadInfo
FS:[0x44] Win32ClientInfo[0x1f]
FS:[0xc0] WOW32Reserved
FS:[0xc4] CurrentLocale
FS:[0xc8] FpSoftwareStatusRegister
FS:[0xcc] SystemReserved1[0x36]
FS:[0x1a4] Spare1
FS:[0x1a8] ExceptionCode
FS:[0x1ac] SpareBytes1[0x28]
FS:[0x1d4] SystemReserved2[0xA]
FS:[0x1fc] GDI_TEB_BATCH
FS:[0x6dc] gdiRgn
FS:[0x6e0] gdiPen
FS:[0x6e4] gdiBrush
FS:[0x6e8] CLIENT_ID
FS:[0x6f0] GdiCachedProcessHandle
FS:[0x6f4] GdiClientPID
FS:[0x6f8] GdiClientTID
FS:[0x6fc] GdiThreadLocaleInfo
FS:[0x700] UserReserved[5]
FS:[0x714] glDispatchTable[0x118]
FS:[0xb74] glReserved1[0x1A]
FS:[0xbdc] glReserved2
FS:[0xbe0] glSectionInfo
FS:[0xbe4] glSection
FS:[0xbe8] glTable
FS:[0xbec] glCurrentRC
FS:[0xbf0] glContext
FS:[0xbf4] NTSTATUS
FS:[0xbf8] StaticUnicodeString
FS:[0xc00] StaticUnicodeBuffer[0x105]
FS:[0xe0c] DeallocationStack
FS:[0xe10] TlsSlots[0x40]
FS:[0xf10] TlsLinks
FS:[0xf18] Vdm
FS:[0xf1c] ReservedForNtRpc
FS:[0xf20] DbgSsReserved[0x2]
FS:[0xf28] HardErrorDisabled
FS:[0xf2c] Instrumentation[0x10]
FS:[0xf6c] WinSockData
FS:[0xf70] GdiBatchCount
FS:[0xf74] Spare2
FS:[0xf78] Spare3
FS:[0xf7c] Spare4
FS:[0xf80] ReservedForOle
FS:[0xf84] WaitingOnLoaderLock
FS:[0xf88] StackCommit
FS:[0xf8c] StackCommitMax
FS:[0xf90] StackReserve
??? MessageQueue
CLIENT_ID struct
UniqueProcess
UniqueThread
CLIENT_ID ends
游戏规则:
一、被点到名的博客要在自己的博客上回答本人问题的答案,并自己拟定五个问题
传到其他几个人的博客上,还要到这几个人的博客上留言通知对方“你被点名了”。
二、并且这几个人要在博客上注明是在哪接到的题目,我是被“小米”点的名。
三、再将自己的拟定的五个问题传给其他几个人,让游戏继续下去,不许回传。小米给的问题
1.你是否会选择和你的女(男)朋友一起创业?
不会 因为偶喜欢人妖
2.最长可以接受在一个城市呆多长时间?
最多七八年,至少现在这么想
3.5年后希望自己在什么地方,干什么?
M78星云,靠还用问吗,偶是奥特筷,当然要回家歇着了
4.通常情况下几点钟睡觉?
毒害晚青少年偶就睡觉
5.此时此刻钱包里有多少钱?
偶没钱包
偶的问题还没想好,想好了再说哈
前两天,闲来无事找了个网游耍耍。名曰《蒸汽幻想》,NND游戏里面的NPC简直不是人,把偶当狗一样的溜,有什么话你不能一气说完捏?完成了一个NPC的任务,马上那个混蛋NPC有让你去完成其他任务,而且任务地点就是做上个任务的地方
ft~~。让偶宝贵的时间花在无聊的压马路上。
再说说装备,40多级的基本都要上QW,极品几乎上E。看到一个20多级的技师,在那里摆摊卖西西,本以为能掏到一把偶能用的武器,看到人家标价上那些炫目的0,偶连砍价的勇气都没了。一个矿石就要几万,真黑哇~~简直不考虑劳动人民挣钱的血泪历程。
从该游戏里,偶重新认识了为什么科学技术是第一生产力(看看技师们上E的家产你就清楚了)。
一怒之下,把人物删了,游戏卸了
游戏名称 《蒸汽幻想》
所选职业 :武器大师 L23
所用NICK :靠这都能重
游戏时间:3天
hello,i want play a game with you!!
Better hurry up. Live or die, make your
choice!!!
GAME OVER!!!!
以下命令适用于 OllyDbg 的命令行插件
Cmdline.dll(显示于程序的插件菜单中)
===============================================================
命令行插件支持的命令
CALC
判断表达式
WATCH
添加监视表达式
AT
在指定地址进行反汇编
FOLLOW
跟随命令
ORIG
反汇编于 EIP
DUMP
在指定地址进行转存
DA
转存为反汇编代码
DB
使用十六进制字节格式转存
DC
使用 ASCII 格式转存
DD
转存在堆栈格式
DU
转存在 UNICODE 格式
DW
使用十六进制字词格式转存
STK
前往堆栈中的地址
AS
(AS + 地址 + 字符串)
在指定地址进行汇编
BP
进行条件中断(有条件的断点)
BPX
中断在全部调用 (Call)
BPD
清除全部调用中的断点
BC
清除断点
MR
内存断点于访问时
MW
内存断点于写入时
MD
清除内存断点
HR
访问时进行硬件中断
HW
写入时进行硬件中断
HE
执行时进行硬件中断
HD
清除硬件断点
STOP
停止运行程序调试
PAUSE
暂停执行程序调试
RUN
运行程序进行调试
GE
运行和通过例外
SI
单步进入 Call 中
SO
步过 Call
TI
跟踪进入直到地址
TO
跟踪步过直到地址
TC
跟踪进入直到满足条件
TOC
跟踪步过直到满足条件
TR
运行直到返回
TU
运行直到用户代码
LOG
查看记录窗口
MOD
查看模块窗口
MEM
查看内存窗口
CPU
查看 CPU 窗口
CS
查看 Call 堆栈
BRK
查看断点窗口
OPT
打开选项设置窗口
EXIT
退出 OllyDbg
QUIT
退出 OllyDbg
OPEN
打开一个可执行文件
CLOSE
关闭可执行文件
RST
重新运行当前程序
HELP
查看 API 函数的帮助
原理很简单,就用了三个记者API,完成列进程的任务。本想让他能检测隐藏进程,可是发现要利用驱动
.386p
.Model Flat,StdCall
Option CaseMap:None
;###########################################
;# API函数列表
;###########################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
pformat db "%x",9,"%s",13,10,0
.code
start:
mov eax,0xfffffff5
push eax
call GetstdHandle
xor eax,eax
jz proend
mov [stdHandle],eax
xor ebx,ebx
push ebx
push DWORD ptr 2
call Createtoolhelp32snapshot
inc eax
jz proend
dec eax
mov [snapHandle],eax
mov [procentry.dwsize],sizeof PROCESSENTRY32
push offset procentry
push DWORD ptr [snaphandle]
call Process32First
xor eax,eax
jz proend
loopfind:
text eax,eax
jz findend
push offset procentry.szExeFile
push DWORD ptr procentry.th32ProcessID
push offset pformat
push offset buffer
call wsprintf
push offset buffer
call lstrlen
xchg eax,ecx
push DWORD ptr 0
push offset tmp
push offset buffer
push [stdHandle]
call WriteConsole
push offset procentry
push [snapHandle]
call Process32Next
jmp loopfind
findend:
push [snapHandle]
call closeHandle
proend:
push dword ptr 0
call ExitProcess
end start
(此人极懒,有的变量根本没声明,也没有调试,如果要测试自己声明下变量先)
REQUIREMENTS:
-> Should know Inheritance in C++
That's it. But in the end I explain how the compiler implements polymorphism and
so knowledge of Assembly Language will be a great help in understanding
Polymorphism. Nevertheless I will still try to make the assembly explanation as
simple as possible.So even if you don't know Assembly,try understanding it.
I. WHAT IS POLYMORPHISM?
Polymorphism is in short the ability to call different functions by just using
one type of function call.It is a lot useful since it can group classes and
their functions together.Polymorphism is the most important part of Object-
Oriented Programming. Some people feel that if they have an idea of what classes
are they have stepped in the object-oriented world.But this is not true.
Polymorphism is the core of object-oriented programming and if anybody stops
here he's missing out the best part of Object Oriented Programming(OOP).All this
may seem a lot hard to understand but read on......you'll understand better as
you keep reading.
Let us now try to understand polymorphism with the help of an example.Suppose we
want to draw a picture consisting of circles,squares,lines and triangles.So we
can make a class Shape and create an instance of it like this:
Shape *s[100];
Now all the addresses of the objects of the other classes(line,circle etc.) are
stored in the Shape Array.And then to draw the Picture all we have to do is this:
for(int i=0;i<=100;i++)
s->draw();
Now as the loop runs different draw functions of each class is called. This is
great because:
i. Functions from different classes are executed through the same function call.
i. The Array s[] has been defined to contain shape pointers and not square or
triangle pointers.
This can be done by using Virtual Functions.
II. VIRTUAL FUNCTIONS????????
The Literal Meaning of Virtual means to appear like something while in reality
it is something else ie. when virtual functions are used, a program appears to
call a function of one class but actually it may be calling a function from
another class.In the previous example draw() is a virtual function since it
calls different draw functions from different classes by using the same function
call draw();
Now how do we know which version of draw() would be called during execution?
Which draw() function would get used depends on the contents of s.But for
this polymorphic approach to work we must satisfy the following conditions:
->The Base class must contain a draw() function which is declared virtual.
->All other classes(line,circle etc.) should be derived from the base class.
Well, all this may be hard to understand in just one go so we'll start using
programs that'll help us understand better.Here's the First One.
#include <iostream.h>
class base //Base Class
{
public:
void func()
{
cout<<"In base::func()\n";
}
};
class d1:public base // Derived Class 1
{
public:
void func()
{
cout<<"In d1::func()\n";
}
};
class d2:public base // Derived Class 2
{
public:
void func()
{
cout<<"In d2::func()\n";
}
};
void main()
{
d1 d;
base *b=&d;
b->func();
d2 e;
b=&e;
b->func();
}
Run this program and you would see that the output would be:
In base::func()
In base::func()
Shouldn't this statement give an error? (b=&e;) No. Since the compiler allows a
pointer of a base class to accept addresses of derived class objects.This is
known as UPCASTING.Here the Compiler looks at the type of pointer b and since it
belongs to the base class it calls the base class function.
But now, let's make a slight modification in our program. Precede the
declaration of func() in the base class with the keyword virtual so that it
looks like this:
virtual void func()
{
cout<<"In base::func()\n";
}
Now Compile and Run the Program. Now the Output is:
In d1::func()
In d2::func()
This time the Compiler looks at the contents of the pointer instead of it's type.
Hence since addresses of objects of d1 and d2 classes are stored in *b the
respective func() is called.But this way how does the compiler know which
function to compile when it doesn't know which object's address 'b' might
contain?Which version does the compiler call?
Actually even the compiler does not know which function to call at compile-time.
Hence it decides which function to call at run-time with the help of a table
called VTABLE. Using this table the compiler finds what object is pointed by
the pointer b and then calls the appropriate function. VTABLE is explained later.
The method by which the compiler decides which function to call at run-time is
known as late-binding or dynamic-binding. It slows down the program but makes it
a lot more flexible.
III. PURE VIRTUAL FUNCTIONS
Now we realise that since the base class virtual function never gets called
anyway we'd better keep it's body blank.But there's a better way to do this.
We can change the virtual function func() in the base class to the following:
virtual void func()=0;
The =0 is not an assignment operator here but it is just a way of telling the
compiler that the function has no body.But there is another side of this. An
object of a class which contains a pure virtual function cannot be created.It
seems logical enough ie. If you have classes triangle,square,circle derived from
shape class we wouldn't want to make an object of the shape class.Hence the
shape class should be provided with a pure virtual function.If you even try to
create an object of a class containing a pure virtual function the compiler
would report an error even pointing out which pure virtual function prevents you
from creating an object.
IV. HOW VIRTUAL FUNCTIONS WORK
Using Virtual Functions is just one part of polymorphism and knowing how they
work completes the other half.When the keyword 'virtual' is inserted in the
declaration of the function the compiler inserts all mechanisms in the program
to use Virtual Functions. Each Class has a VTABLE that stores the functions that
it can access and Each class contains a VPTR which can access the VTABLE.Look at
this program and the table below it and you will understand the VTABLE and the
VPTR.
#include <stdio.h>
class item
{
public:
virtual void price()
{
printf("In item::price()\n");
}
virtual void type()
{
printf("In item::type()\n");
}
void display();
};
void item::display(){printf("In item::display()\n");}
class microwave:public item
{
public:
void price()
{
printf("Microwave::Price()\n");
}
void type()
{
printf("Microwave::type()\n");
}
};
class computer:public item
{
public:
void price()
{
printf("Compuer::Price()\n");
}
};
class radio:public item
{
public:
void type()
{
printf("radio::type()\n");
}
};
void main()
{
microwave m1;
computer c1;
radio r1;
item *i=&m1;
i->price();
i->type();
printf("\n");
i=&c1;
i->price();
i->type();
i->display();
printf("\n");
i=&r1;
i->price();
i->type();
printf("\n");
microwave m2;
i=&m2;
i->price();
i->type();
i->display();
printf("\n");
}
The Output of this Program would be:
Microwave::Price()
Microwave::type()
Compuer::Price()
In item::type()
In item::display()
In item::price()
radio::type()
Microwave::Price()
Microwave::type()
In item::display()
Now here is how the VTABLE of each class Looks Like:
-------------------------------------------------------------------------------|
ITEM POINTERS | OBJECTS | VTABLES |
-------------------------------------------------------------------------------|
i-------------> | item{VPTR}----> | &item::price() |
| | &item::type() |
-------------------------------------------------------------------------------|
| | |
i-------------> |microwave m1,m2{VPTR}| µwave::price() |
| | µwave::type() |
-------------------------------------------------------------------------------|
| | |
i-------------> | computer c1{VPTR}-> | &computer::price() |
| | &item::type() |
-------------------------------------------------------------------------------|
| | |
i-------------->| radio r1{VPTR}----> | &item::price() |
| | &radio::type() |
-------------------------------------------------------------------------------|
First the VPTR Pointer is initialised to it's proper VTABLE by the contructor
which is automatically done by the compiler.When a Virtual Function is being
called the VPTR looks up the VTABLE and calls the virtual function.If the
function is not present in the VTABLE [like here display()] then the function of
the base class is called. So everywhere where the display function is called
item::display() is called everytime.No matter how many objects of a class are
created they all point to the same VTABLE of the class.
V. ARE VIRTUAL FUNCTIONS OPTIONAL?
Normal Function calls are called by the Assembly instruction 'call' while
virtual functions require complex instructions. This takes up code space as well
as execution time.
Virtual Functions reduce the code's speed. Some languages like SmallTalk perform
Late Binding everytime a function is called and hence SmallTalk Programs aren't
fast enough. But C++ is a Superset of C where Efficiency is important and hence
C++ allows both static binding as well as late binding. The default convention
used is static binding so that there is no loss in speed.
Don't stop using Virtual Functions in your classes just because they reduce
execution speed. Infact it makes it easier to manage and code and it's
advantages are more than it's disadvantages. So wherever possible use Virtual
Functions in your classes.
VI. MISCELLENEOUS
1) If a Virtual Function is called within a derived classes constructor or
destructor then the derived function is always called.
2) If b is a base class pointer and d is a derived class pointer then b=d will
copy only the base class contents and remove the derived class contents.This
is known as Object Slicing and should be avoided.
3) For a Virtual Function to work the function must be present in tha base
class even though it is declared virtual in the derived class.
4) Virtual Destructors can also be used and they allow execution of the derived
destructor first and then it calls itself.
VII. VIRTUAL BASE CLASSES
Consider a situation when a 'base' class has two classes derived from it.For
example derived1 and derived2.
Suppose we create another class which derives itself from both the derived
classes ie. derived3.Now suppose a member function of derived3 wants to access
data or functions in a base class.Since derived1 and derived2 are are derived
from base each inherits a copy of base.This copy is referred to as a subobject.
Now when derived3 refers to the data in the base class, which of the two copies
should it access? The compiler notices this ambiguous situation and reports an
error. To get rid of this we should make derived1 and derived2 as virtual base
classes.This is shown in the following program.
#include <iostream.h>
class base
{
protected:
int data;
public:
base()
{
data=10;
}
};
class derived1 : virtual public base
{};
class derived2 : virtual public base
{};
class derived3 : public derived1,public derived2
{
public:
int getdata()
{
return data;
}
};
void main()
{
derived3 d3;
int val=d3.getdata();
cout<<val<<endl;
}
Using the keyword virtual in the two classes derived1 and derived2 makes them
share a single subobject of the base class hence eliminating all ambiguity since
there is only one subobject for derived3 to access.Hence derived1 and derived2
are known as virtual base classes.
VIII. VTABLE COMPILATION PROOF
THIS PROGRAM IS COMPILED BY BORLAND C++ 5.02
Lot of people know that the compiler uses a VTABLE to implement Virtual
Functions but few get to see the actual code that the compiler generates.To save
space I shall Compile the same program which uses the item,microwave,computer
and radio class and explain how the compiler implements Virtual Functions. I
have used IDA Pro to disassemble this program. Here is the disassembled listing
followed by the explanation. I have included line numbers so that I can just
refer to the line numbers while explaining how the program works.
; THE FUNCTION main()
_main proc near
m2_VPTR = dword ptr -10h
r1_VPTR = dword ptr -0Ch
c1_VPTR = dword ptr -8
m1_VPTR = dword ptr -4
argc = dword ptr 8
argv = dword ptr 0Ch
envp = dword ptr 10h
1 push ebp
2 mov ebp, esp
3 add esp, 0FFFFFFF0h ; 16 bytes allocated on the stack
4 push ebx ; Register Saved
5 mov [ebp+m1_VPTR], offset item_VTABLE
6 mov [ebp+m1_VPTR], offset microwve_VTABLE
7 mov [ebp+c1_VPTR], offset item_VTABLE
8 mov [ebp+c1_VPTR], offset computer_VTABLE
9 mov [ebp+r1_VPTR], offset item_VTABLE
10 mov [ebp+r1_VPTR], offset radio_VTABLE
11 lea ebx, [ebp+m1_VPTR]
12 push ebx ; this* pushed
13 mov eax, [ebx]
14 call dword ptr [eax] ; Calls microwve_price
15 pop ecx ; 4 bytes freed used up by this*
16 push ebx ; this* pushed
17 mov edx, [ebx]
18 call dword ptr [edx+4] ; Calls microwve_type
19 pop ecx ; 4 bytes freed used up by this*
20 push offset newline ; __va_args
21 call _printf
22 pop ecx ; 4 bytes cleared used up by argument
23 lea ebx, [ebp+c1_VPTR]
24 push ebx ; this* pushed
25 mov eax, [ebx]
26 call dword ptr [eax]
27 pop ecx
28 push ebx
29 mov edx, [ebx]
30 call dword ptr [edx+4]
31 pop ecx
32 push ebx
33 call item_display
34 pop ecx
35 push offset newline1 ; __va_args
36 call _printf
37 pop ecx
38 lea ebx, [ebp+r1_VPTR]
39 push ebx
40 mov eax, [ebx]
41 call dword ptr [eax]
42 pop ecx
43 push ebx
44 mov edx, [ebx]
45 call dword ptr [edx+4]
46 pop ecx
47 push offset newline2 ; __va_args
48 call _printf
49 pop ecx
50 mov [ebp+m2_VPTR], offset item_VTABLE
51 mov [ebp+m2_VPTR], offset microwve_VTABLE
52 lea ebx, [ebp+m2_VPTR]
53 push ebx
54 mov eax, [ebx]
55 call dword ptr [eax]
56 pop ecx
57 push ebx
58 mov edx, [ebx]
59 call dword ptr [edx+4]
60 pop ecx
61 push ebx
62 call item_display
63 pop ecx
64 push offset newline3 ; __va_args
65 call _printf
66 pop ecx
67 pop ebx
68 mov esp, ebp
69 pop ebp
70 retn
_main endp
item_price proc near ; Function item::price()
1 push ebp
2 mov ebp, esp
3 push offset aInItemPrice ;__va_args
4 call _printf
5 pop ecx
6 pop ebp
7 retn
item_price endp
radio_type proc near ; Function radio::type()
1 push ebp
2 mov ebp, esp
3 push offset aRadioType ; __va_args
4 call _printf
5 pop ecx
6 pop ebp
7 retn
radio_type endp
computer_price proc near ; Function computer::price()
1 push ebp
2 mov ebp, esp
3 push offset aCompuerPrice ; __va_args
4 call _printf
5 pop ecx
6 pop ebp
7 retn
computer_price endp
item_type proc near ; Function item::type()
1 push ebp
2 mov ebp, esp
3 push offset aInItemType ; __va_args
4 call _printf
5 pop ecx
6 pop ebp
7 retn
item_type endp
microwve_price proc near ;Function microwave::price()
1 push ebp
2 mov ebp, esp
3 push offset aMicrowavePrice ; __va_args
4 call _printf
5 pop ecx
6 pop ebp
7 retn
microwve_price endp
microwve_type proc near ;Function microwave::type()
1 push ebp
2 mov ebp, esp
3 push offset aMicrowaveType ; __va_args
4 call _printf
5 pop ecx
6 pop ebp
7 retn
microwve_type endp
; THE DATA SECTION
aInItemDisplay db 'In item::display()',0Ah,0
newline db 0Ah,0
newline1 db 0Ah,0
newline2 db 0Ah,0
newline3 db 0Ah,0
aInItemPrice db 'In item::price()',0Ah,0
aRadioType db 'radio::type()',0Ah,0
aCompuerPrice db 'Compuer::Price()',0Ah,0
aInItemType db 'In item::type()',0Ah,0
aMicrowavePrice db 'Microwave::Price()',0Ah,0
aMicrowaveType db 'Microwave::type()',0Ah,0
; THE VTABLES
radio_VTABLE dd offset item_price
dd offset radio_type
computer_VTABLE dd offset computer_price
dd offset item_type
item_VTABLE dd offset item_price
dd offset item_type
microwve_VTABLE dd offset microwve_price
dd offset microwve_type
----------------------------EXPLANATION-----------------------------------------
For those who know nothing about Assembly but still dared to read till here
should remember that in Assembly code anything after the semicolon ';' is a
Remark. So between code I have inserted remarks so that it is easier to read.
Since we did not include the constructor in our code the compiler automatically
inserts it between the main() section.Hence we can see in LINE 5. that m1_VPTR
is first initialised to the VTABLE of item. Then in the next LINE m1_VPTR points
to the address of the VTABLE of Microwave class.The same process continues till
LINE 9.
Now in LINE 13. EAX contains the address pointed to by EBX ie. microwave_VTABLE.
In LINE 14. it calls the function which is located at the address of eax ie.
microwave::price(). This is the call of a virtual function.Look through the data
Section and see how the VTABLES are set.
In LINE 33. there is a straight-forward call to item::display() and this is how
a non-virtual function is called. Now compare the calling process of a non-
virtual function to that of a virtual function. You will notice that the calling
of a virtual function includes the following process:
1) Initialise the VPTR to that of the Base class VTABLE
2) Set the VPTR to the Derived class VTABLE
3) Load the address of the VTABLE in a Register
4) Call the Function located at the address pointed to by the VTABLE
But you require just one step to call a non-virtual function ie. the call
instruction followed by the function name.
You should notice that the other microwave object also points to the same VTABLE
but has a different VPTR. Each Class has it's own VTABLE and is shared among all
VPTR's of the Same class.
In LINE 30. the instruction call dword ptr [edx+4] calls the function located
at the (address+4 bytes) pointed by the EDX Register. This means that the 2nd
Function in the VTABLE is called.
Notice that in the VTABLE of the radio class the address of item::price() is
present.I hope you understand and appreciate the implementation of virtual
functions by the compiler.
This is the end of our tutorial. I hope you use Virtual Functions in your
programs since it is easier to code your programs using these functions. If you
have any doubts regarding Polymorphism feel free to contact me via email at
born2c0de@hotmail.com
Powered by Haiwit
