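Meditations: Stepping Stones
Rong Yao (荣耀), 2003
New technologies often use older ones as "stepping stones". The relationship of .NET to COM is exactly that.
If you have the .NET Framework installed, the system directory (possibly c:\winnt\system32) contains a file named mscoree.dll. This is the Microsoft .NET Runtime Execution Engine, and its importance goes without saying: the "Sharpei" virus looks for this very file to determine whether a computer has .NET installed.
Let's take a look at what this DLL actually exports: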
c:\winnt\system32>dumpbin /exports mscoree.dll
dump of file mscoree.dll
file type: dll
section contains the following exports for mscoree.dll
00000000 characteristics
3c368fbe time date stamp sat jan 05 13:31:42 2002
0.00 version
17 ordinal base
100 number of functions
94 number of names
ordinal hint rva name
36 0 0001161e callfunctionshim
21 1 000108e2 closectrs
37 2 0000b998 clrcreatemanagedinstance
38 3 00011163 coeeshutdowncom
39 4 0000b7c7 coinitializecor
40 5 00010ca1 coinitializeee
24 6 00011372 cologcurrentstack
41 7 00010d41 couninitializecor
42 8 00010cf3 couninitializeee
25 9 000108d8 collectctrs
43 a 0000a8b0 corbindtocurrentruntime
44 b 000118a9 corbindtoruntime
45 c 000108ff corbindtoruntimebycfg
46 d 0000fa0e corbindtoruntimebypath
47 e 00011826 corbindtoruntimeex
48 f 0000b9f9 corbindtoruntimehost
49 10 0000b25b corexitprocess
50 11 00011320 cormarkthreadinthreadpool
51 12 00008c2e createconfigstream
52 13 0000b2ab dllcanunloadnow
53 14 00007f2a dllgetclassobject
54 15 00011678 dllregisterserver
55 16 00010be9 dllunregisterserver
26 17 0000fa42 eedllgetclassobjectfromclass
56 18 0001156a eedllregisterserver
57 19 000115c0 eedllunregisterserver
58 1a 000023ac getassemblymdimport
59 1b 0000b2f4 getcorrequiredversion
60 1c 00002290 getcorsystemdirectory
61 1d 000092a1 getcorversion
62 1e 0001111a getcompileinfo
27 1f 00011513 getglobalcontextsperfcounters
63 20 00010054 gethashfromassemblyfile
64 21 000100bc gethashfromassemblyfilew
65 22 00010246 gethashfromblob
66 23 00010125 gethashfromfile
67 24 00010184 gethashfromfilew
68 25 000101e5 gethashfromhandle
69 26 0000b818 gethostconfigurationfile
70 27 00010e6b getmetadatainternalinterface
71 28 00010dfb getmetadatainternalinterfacefrompublic
72 29 00010d8a getmetadatapublicinterfacefrominternal